CCNA Routing & Switching v3 LAB Guide
1
Ashish Halder (CCNA RnS, CCNP RnS, CCNA Sec, CCNP Sec, CCIE Sec-written), All rights are reserved
CCNA RnS, CCNA Sec, CCNP RnS, CCNP Sec, CCIE Sec (written)
I have dedicated this book to my sweet angel Arshia
and
to my beloved Eva !
Special thanks to Mony, Opu and Tapos, who encouraged me to write this book.
All rights reserved. No part of this book may be reproduced or transmitted in any form or by
any means, electronic or mechanical, including photocopying, recording, or by any
information storage and retrieval system, without written permission from the publisher,
except for the inclusion of brief quotations in a review.
Published in Bangladesh
First Edition November 2017
Copyright © 2017 akhtechnologypark ltd.
Published by:
ATech Press
42, Kawran Bazar
Dhaka-1215
Cell:+88-01830618474
Contents
1. Cisco CLI mode
2. Basic Configuration of Router and Switch
3. Configuring SSH Access to Cisco Device
4. Backup and restoring your configuration
5. VLAN, Access and Trunk Port Configuration
6. VTP Configuration
7. EtherChannel Configuration
8. VLAN, VTP, EtherChannel and Inter-VLAN Routing configuration
9. Inter-VLAN Routing Configuration on L3 Switch (SVI)
10. Configure Port Security
11. Configure PortFast
12. Configure BPDU Guard on Cisco Switch
13. Configure Root Guard on Cisco Switch
14. Spanning tree behavior - mode, priority value, root bridge
15. DHCP Configuration on Cisco Router
16. DHCP Configuration on Cisco Switch
17. Static route and Static default route configuration
18. Static default route configuration
19. RIPv2 Basic configuration
20. RIP Passive Interface
21. Configure RIP Authentication
22. EIGRP configuration (EIGRP Neighbor Adjacency)
23. EIGRP Passive Interface
24. EIGRP Authentication
25. EIGRP Hold time and Hello time
26. EIGRP Summarization
27. EIGRP Project LAB
28. OSPF Configuration
29. OSPF Virtual LAB
30. OSPF Authentication
31. OSPF summarization
32. PPP and HDLC
33. BGP Basic Configuration
34. BGP peering with loopback Address
35. BGP Single Homed Design
36. BGP Redundancy with Load Sharing
37. HSRP Configuration
38. Standard ACL
39. Extended ACL
40. Named ACL
41. Static NAT
42. ICMP Configuration
43. Dynamic NAT
44. Static PAT
45. Dynamic PAT
46. Configure GRE Tunnel
47. AAA configuration
48. Syslog Server
49. SNMPv3 Configuration
50. Password Recovery
51. Final Project
52. Configure IPv6
53. Configure IPv6 Static Route
54. Configure RIPng on Cisco Router
55. Dual-Stack Example
56. Site-to-Site VPN Configuration
==============================================================================
Appendix
Subnetting
LAB 1: CISCO CLI MODE
Cisco IOS has a number of configuration modes, but the two EXEC modes you meet first are:

EXEC Mode    Prompt    Typical Use
User         ccna>     Check the device status
Privileged   ccna#     Manage the device (configure, copy, reload)

From privileged mode the "configure terminal" command enters global configuration mode.
User EXEC and privileged EXEC each ask for a password if one has been set; global configuration
mode needs no further password. From global configuration mode we configure interfaces, routing
protocols, access lists and much more.

Some of the specific configuration modes are entered from global configuration mode and others
from privileged mode:

User EXEC mode (">" prompt): used to get statistics from the router, see which IOS version you are
running, check memory resources and a few more things.

Privileged EXEC mode ("#" prompt): here you can enable or disable interfaces on the router, get more
detailed information such as the running configuration, copy the configuration, load a new
configuration onto the router, back up or delete the configuration, back up or delete the IOS image
and a lot more. Whoever reaches this prompt controls the device, which is why the enable secret matters.

Global configuration mode ("(config)#" prompt): reached from privileged mode. In this mode we can
configure each interface individually, set banners and passwords, set enable secrets (hashed
passwords), enable and configure routing protocols and a lot more. Every time we want to configure or
change something on the router, we need to be in this mode.
Examples:
Router>------------------------- User EXEC mode
Router>enable ----------------- Enter privileged mode
Router#-------------------------- Privileged mode
Router#disable ---------------- Back to user EXEC mode
Router>-------------------------- User EXEC mode
Router#configure terminal----- Enter global configuration mode
Router(config)#----------------- Global configuration mode
Router(config)#interface fastEthernet 0/0---- Enter interface configuration mode
Router(config-if)#-------------------------------- Interface configuration mode
Router(config)#interface fastEthernet 0/0.10-- Enter sub-interface configuration mode
Router(config-subif)#------------------------------ Sub-interface configuration mode
Router(config)#line vty 0 4----------------------- Enter line configuration mode
Router(config-line)#------------------------------- Line configuration mode
================================================================================
LAB2. BASIC CONFIGURATION OF ROUTER AND SWITCH
Objective:
1. Configure the Switch (DU) as follows:
- hostname
- login banner
- enable secret for access to privileged mode
- console password to protect console login
- IP address on VLAN 1 (management VLAN)
- virtual terminal lines for Telnet sessions
- default gateway for the switch
2. Configure the Router (BUET) as follows:
- hostname
- login banner
- enable secret for access to privileged mode
- IP address on the router interface
- console password to protect console login
- virtual terminal lines for Telnet sessions
3. Assign IP addresses to the PCs
4. Save all configurations
5. Verification
Switch – DU Configuration
1. First check the startup-config and running-config to see whether any configuration already exists.
When you type a command in global configuration mode it is stored in the running configuration. The
running configuration resides in the device's RAM, so if the device loses power all configured commands
are lost.
So you need to copy the running configuration into the startup configuration. The startup configuration is
stored in the device's NVRAM, so the saved configuration survives a power loss.
Check the startup-config and running-config
Switch#show startup-config
Startup-config is not present
Switch#show running-config
There are two ways to save your configuration:
Switch#copy running-config startup-config
or
Switch# write memory
2. Enter global configuration mode and configure Hostname as DU
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname DU
DU(config)#
3. Assign the enable secret cisco123
The enable password restricts access to privileged mode, much like a root user's password. We can
set it in two ways: with the enable password command or the enable secret command.
enable secret stores a one-way hash of the password (MD5 by default; newer IOS releases can select
stronger type 8/9 hashes with enable algorithm-type).
enable password stores the password in clear text, readable by anyone who can view the
running-config. The service password-encryption command only obscures it with the reversible type 7
encoding, which anyone can decode in seconds. enable secret is therefore the only one of the three
worth using, and when both are configured the secret takes precedence.
DU(config)#enable secret cisco123
4. Configure the login banner
A message-of-the-day (motd) banner is shown to everyone who connects, by console, Telnet or SSH, before
the login prompt. Use it for a legal warning only; do not put anything in it that identifies the device or
its owner. The text is enclosed in a delimiter character of your choice; here the double quote is used.
DU(config)#banner motd "Unauthorized Users are highly Prohibited to login here"
DU(config)#
5. Console password
We protect the console port of the device with a line password; the login command makes the line ask for it.
DU(config)#line console 0
DU(config-line)#password ashish123
DU(config-line)#login
DU(config-line)#exit
DU(config)#
6. Telnet configuration for remote access
Telnet is a user command and an underlying TCP/IP protocol for accessing remote devices. It sends
everything, including this password, in clear text; Lab 3 replaces it with SSH.
The VTY lines are the virtual terminal lines of the router. They are virtual in the sense that they are a
function of software; there is no hardware associated with them. They appear in the configuration as
line vty 0 4 (five simultaneous sessions).
DU#conf t
Enter configuration commands, one per line. End with CNTL/Z.
DU(config)#line vty 0 4
DU(config-line)#password ashish@123#
DU(config-line)#login
DU(config-line)#exit
7. Configure the management VLAN for remote access to the switch
By default all switch ports are in VLAN 1. VLAN 1 carries control-plane traffic such as CDP, VTP and STP
and can also carry user traffic.
By default VLAN 1 is also the management VLAN, used for Telnet/SSH, SNMP and syslog. This lab keeps that
default; in production, management belongs in a dedicated VLAN so that ordinary hosts in VLAN 1 cannot
reach the switch's management address.
DU(config)#interface vlan 1
DU(config-if)#ip address 192.168.10.10 255.255.255.0
DU(config-if)#no shutdown
DU(config-if)#exit
DU(config)#
8. Configure default-gateway for the switch
The switch should be configured with a default gateway if the switch will be managed remotely from
networks not directly connected. The default gateway is the first Layer 3 device (such as a router) on
the same management VLAN network to which the switch connects. The switch will forward IP packets
with destination IP addresses outside the local network to the default gateway.
DU(config)#ip default-gateway 192.168.10.1
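The claim made in step 3 above, that enable secret is stronger than enable password with service password-encryption, can be checked directly. The following is an added Python example, not code from this guide: it decodes Cisco type 7 strings with the fixed key IOS uses for them, and flags every reversible or cleartext password in a running-config. The sample config, the password values in it and the placeholder hash on the enable secret line are constructed for the example.

```python
"""Why `enable secret` beats `enable password` + `service password-encryption`.

Added example, not part of the lab guide. `service password-encryption`
stores passwords as Cisco "type 7" strings: each byte is XORed with a fixed,
publicly known key, so anyone who can read the config (a `show run` over
Telnet, a backup on a TFTP server) gets the cleartext back instantly.
`enable secret` stores a one-way hash instead. The config below is
constructed for this example; the secret's hash value is a placeholder.
"""
import re

# The fixed key every IOS image uses for type 7 encoding (publicly documented).
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Reverse a type 7 string: a 2-digit decimal seed followed by hex byte pairs."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string")
    seed = int(encoded[:2], 10)
    cipher = bytes.fromhex(encoded[2:])
    plain = bytes(c ^ _XLAT[(seed + i) % len(_XLAT)] for i, c in enumerate(cipher))
    return plain.decode("ascii")


def type7_encode(plain: str, seed: int = 0) -> str:
    """Forward direction: the very same XOR, which is the whole point."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 0-15")
    body = bytes(ord(c) ^ _XLAT[(seed + i) % len(_XLAT)] for i, c in enumerate(plain))
    return f"{seed:02d}{body.hex().upper()}"


# Matches `enable password`, line `password` and `username ... password` lines,
# capturing the optional type digit (0 = clear, 7 = reversible) and the value.
_PW_LINE = re.compile(r"^\s*(enable password|username \S+ .*?password|password)\s+(?:(\d)\s+)?(\S+)")


def audit_passwords(config: str) -> list[str]:
    """One finding per password in the config that an attacker can read back."""
    findings = []
    for line in config.splitlines():
        m = _PW_LINE.match(line)
        if not m:
            continue
        _, ptype, value = m.groups()
        if ptype == "7":
            findings.append(f"type 7 (reversible): {line.strip()} -> {type7_decode(value)!r}")
        elif ptype in (None, "0"):
            findings.append(f"cleartext: {line.strip()}")
    return findings


# Constructed running-config: the state this lab leaves a switch in, with
# `service password-encryption` applied afterwards. `enable secret` never matches.
SAMPLE_CONFIG = """\
hostname DU
service password-encryption
enable password 7 0822455D0A16
enable secret 5 $1$XXXX$placeholderhash.not.a.real.value
line con 0
 password 7 0822455D0A16
 login
line vty 0 4
 password cisco123
 login
"""

if __name__ == "__main__":
    for finding in audit_passwords(SAMPLE_CONFIG):
        print(finding)
```

Run it against a real show running-config capture to see how little service password-encryption buys: only enable secret (and username ... secret) survive a leaked config.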
----------------------------------------------------------------------------------------------------------------------------
Router – BUET Configuration
1. First check the startup-config and running-config
Router#show startup-config
startup-config is not present
Router#show running-config
2. Configure Hostname as BUET
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname BUET
BUET(config)#
3. Assign enable secret password cisco123
BUET(config)#enable secret cisco123
BUET(config)#
4. Configure login banner
BUET(config)#banner motd "Do not try to access here"
5. Console password
BUET(config)#line console 0
BUET(config-line)#password ashish123
BUET(config-line)#login
BUET(config-line)#exit
BUET(config)#
6. Enter Virtual Terminal lines and give a password ashish@123#, to login remotely
BUET(config)#line vty 0 4
BUET(config-line)#password ashish@123#
BUET(config-line)#login
BUET(config-line)#exit
BUET(config)#
7. Configure an IP address on the router interface
Enter global configuration mode
BUET# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
BUET(config)#
Enter FastEthernet 0/0 interface configuration mode :
BUET(config)#interface fastEthernet 0/0
BUET(config-if)#
Enter IP address and subnet mask:
BUET(config-if)#ip address 192.168.10.1 255.255.255.0
By default, all interfaces on a Cisco router are “Administratively Down”. To bring an interface up, issue
the no shutdown command.
BUET(config-if)#no shutdown
BUET(config-if)#exit
BUET(config)#
8. Save Configuration
BUET#write memory
Building configuration...
[OK]
BUET#
DU#write memory
Building configuration...
[OK]
You can also save the configuration with
BUET#copy running-config startup-config
Be careful with the argument order: the first name is the source and the second the destination. Reversed, as
copy startup-config running-config
it merges the saved configuration from NVRAM into the running configuration, overwriting any changes you
had not yet saved.
9. Assign IP addresses to all hosts
10. Now ping all devices from any PC
C:>ping 192.168.10.2
Pinging 192.168.10.2 with 32 bytes of data:
Reply from 192.168.10.2: bytes=32 time=1ms TTL=128
Reply from 192.168.10.2: bytes=32 time<1ms TTL=128
Reply from 192.168.10.2: bytes=32 time<1ms TTL=128
Reply from 192.168.10.2: bytes=32 time<1ms TTL=128
C:>ping 192.168.10.3
Pinging 192.168.10.3 with 32 bytes of data:
Reply from 192.168.10.3: bytes=32 time=1ms TTL=128
Reply from 192.168.10.3: bytes=32 time<1ms TTL=128
Reply from 192.168.10.3: bytes=32 time<1ms TTL=128
Reply from 192.168.10.3: bytes=32 time<1ms TTL=128
C:>ping 192.168.10.1
Pinging 192.168.10.1 with 32 bytes of data:
Reply from 192.168.10.1: bytes=32 time=1ms TTL=255
Reply from 192.168.10.1: bytes=32 time<1ms TTL=255
Reply from 192.168.10.1: bytes=32 time<1ms TTL=255
Reply from 192.168.10.1: bytes=32 time=1ms TTL=255
11. Now log on to the router remotely
C:>telnet 192.168.10.1
Trying 192.168.10.1 ...Open
Do not try to access here
User Access Verification
Password:
Password:
BUET>
12. Now log on to the switch remotely
C:>telnet 192.168.10.10
Trying 192.168.10.10 ...Open
Unauthorized Users are highly prohibited to login here
User Access Verification
Password:
DU>
N.B. If the switch is a Layer 3 switch you can also assign an IP address directly to a physical interface
by turning off switching on that port:
DU(config)#interface fastEthernet 0/2
DU(config-if)#no switchport
DU(config-if)#ip address 192.168.10.10 255.255.255.0
DU(config-if)#no shutdown
To enable routing between VLANs or interfaces on the switch:
DU(config)#ip routing
LAB 3: CONFIGURING SSH ON CISCO SWITCH AND ROUTER
Telnet dates from a time when networks were assumed to be private, so it sends everything, including
passwords, in plain text. Anyone who can sniff the path sees the credentials. SSH was designed to replace
it: the session is encrypted, so a passive observer cannot read the password or the commands.
Secure Shell (SSH) is a protocol that provides a secure remote access connection to network devices.
Communication between client and server is encrypted. The device identifies itself to the client with an
RSA public/private key pair, which is why a key pair must be generated before SSH can be enabled.
There are two versions, 1 and 2. Version 2 fixes known weaknesses in version 1 and is the one to use.
Enable SSH on Cisco Switch
Step 1: Configure Management IP
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface vlan 1
Switch(config-if)#ip address 192.168.10.10 255.255.255.0
Switch(config-if)#no shutdown
Step 2 : Configure default gateway points to the router
Switch(config)#ip default-gateway 192.168.10.1
Step 3: Configure hostname and domain name
The name of the RSA keypair will be the hostname and domain name of the router.
Switch(config)#hostname ASHISH-SW
ASHISH-SW(config)#ip domain-name ashish.com
Step 4 :Generate the RSA Keys
ASHISH-SW(config)#crypto key generate rsa
The name for the keys will be: ASHISH-SW.ashish.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]
ASHISH-SW(config)#
Key sizes of 1024 bits or smaller should be avoided. A larger modulus takes longer to generate but is much
harder to factor; 2048 bits is the sensible minimum.
Step 5: By default the device accepts both SSH version 1 and version 2 (it reports itself as 1.99), so restrict it to version 2
ASHISH-SW(config)#ip ssh version 2
Step 6 : Setup the Line VTY configurations
ASHISH-SW(config)#line vty 0 4
ASHISH-SW(config-line)#transport input ssh
ASHISH-SW(config-line)#login local
Step 7: Create the username and password (in a real deployment create the user before putting login local
on the lines, so you cannot lock yourself out). The password keyword stores the password in clear text, or
as reversible type 7 if service password-encryption is on; username ashish privilege 15 secret cisco123
would store a hash instead.
ASHISH-SW(config)#username ashish privilege 15 password cisco123
Step 8: Create enable password
ASHISH-SW(config)#enable secret cisco123
Step 9: Make the console use the local user database
ASHISH-SW(config)#line console 0
ASHISH-SW(config-line)#logging synchronous
ASHISH-SW(config-line)#login local
Step 10: Verify SSH
C:>ssh -l ashish 192.168.10.10
Password:
ASHISH-SW#conf t
ASHISH-SW(config)#
Enable SSH on the Router (same steps as on the switch)
Router>en
Router#conf t
Router(config)#hostname Venus
Venus(config)#interface fastEthernet 0/0
Venus(config-if)#ip address 192.168.10.1 255.255.255.0
Venus(config-if)#no shutdown
Venus(config-if)#exit
Venus(config)#ip domain-name cisco.com
Venus(config)#username ashish privilege 15 password cisco123
Venus(config)#crypto key generate rsa
The name for the keys will be: Venus.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]
Venus(config)#
*Mar 1 0:34:31.790: %SSH-5-ENABLED: SSH 1.99 has been enabled
Venus(config)#ip ssh version 2
Venus(config)#enable secret cisco
Venus(config)#line console 0
Venus(config-line)#logging synchronous
Venus(config-line)#login local
Venus(config-line)#exit
Venus(config)#line vty 0 4
Venus(config-line)#transport input ssh
Venus(config-line)#login local
Venus#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Venus#
C:>ssh -l ashish 192.168.10.1
Password:
Venus#conf t
Venus(config)#
Key Note:
----------------------------------------------------------------------------
"logging synchronous" stops log messages from interrupting what you are typing on the console: the
prompt and your partial command are reprinted after each message.
For example, when you connect to a router or switch you may see a lot of log messages before you have
logged in with your username and password.
---------------------------------------------------------------------------------------------------------------------------------
RSA is an asymmetric (public-key) cryptographic algorithm used to encrypt, decrypt and sign messages.
Asymmetric means there are two different keys: one can be given to everyone, the other stays private
on the device.
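To tie the Lab 2 and Lab 3 states together, here is an added Python example (not code from this guide) that audits the management-plane settings this lab changes. It parses a running-config into global commands and the indented line stanzas, then reports vty lines that still accept Telnet, lines without login local, and SSH not pinned to version 2. The two configs, the hostnames in them and the placeholder secret hashes are constructed for the example.

```python
"""Audit the remote-access (management plane) settings of an IOS config.

Added example, not from the lab guide. It splits the config into global
commands and the indented `line` stanzas the way IOS prints them, then
reports what Lab 2 leaves open and Lab 3 closes: Telnet still accepted on
the vty lines, a shared line password instead of per-user accounts, SSH not
pinned to version 2. Both configs at the bottom are constructed for this
example and the secret hashes in them are placeholders.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LineBlock:
    name: str                                  # "con 0", "vty 0 4", ...
    commands: list[str] = field(default_factory=list)


def parse_config(config: str) -> tuple[list[str], list[LineBlock]]:
    """Return (global commands, line stanzas). IOS indents stanza children by one space."""
    global_cmds: list[str] = []
    blocks: list[LineBlock] = []
    current: Optional[LineBlock] = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith("line "):
            current = LineBlock(raw[len("line "):].strip())
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            current.commands.append(raw.strip())
        else:
            current = None                     # an unindented line ends the stanza
            global_cmds.append(raw.strip())
    return global_cmds, blocks


def audit_remote_access(config: str) -> list[str]:
    """One finding per weakness; an empty list means the Lab 3 state."""
    global_cmds, blocks = parse_config(config)
    findings: list[str] = []
    if "ip ssh version 2" not in global_cmds:
        findings.append("SSH not pinned to version 2 (device also accepts SSHv1)")
    if not any(g.startswith(("ip domain-name ", "ip domain name ")) for g in global_cmds):
        findings.append("no domain name configured: RSA key generation for SSH needs one")
    for blk in blocks:
        if not blk.name.startswith("vty"):
            continue                           # console lines are not network reachable
        transports = [c for c in blk.commands if c.startswith("transport input")]
        if not transports:
            findings.append(f"line {blk.name}: transport input not restricted to ssh")
        elif any("telnet" in t or t.endswith(" all") for t in transports):
            findings.append(f"line {blk.name}: cleartext Telnet accepted ({transports[0]})")
        if "login local" not in blk.commands:
            findings.append(f"line {blk.name}: shared line password, no per-user accounts (login local)")
    return findings


# Constructed: what Lab 2 leaves on the router.
LAB2_CONFIG = """\
hostname BUET
enable secret 5 $1$XXXX$placeholder.not.real
line con 0
 password ashish123
 login
line vty 0 4
 password ashish@123#
 login
"""

# Constructed: the router after Lab 3.
LAB3_CONFIG = """\
hostname Venus
ip domain-name cisco.com
username ashish privilege 15 secret 5 $1$XXXX$placeholder.not.real
enable secret 5 $1$XXXX$placeholder.not.real
ip ssh version 2
line con 0
 logging synchronous
 login local
line vty 0 4
 transport input ssh
 login local
"""

if __name__ == "__main__":
    for label, cfg in (("Lab 2", LAB2_CONFIG), ("Lab 3", LAB3_CONFIG)):
        print(label, audit_remote_access(cfg) or ["no findings"])
```

The parser relies on the one-space indentation IOS uses for stanza children; feed it the output of show running-config rather than a hand-typed config.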
============================================================================
LAB 4: BACKUP AND RESTORING CONFIGURATION
Configure a TFTP server (in a physical lab, install a TFTP server on your PC and configure it; the rest of
the configuration is the same). Note that TFTP has no authentication and no encryption, and the backed-up
file contains your enable secret hash and any line or type 7 passwords, so keep the TFTP server on the
management network only and delete the file when you are done.
Verify that the configuration file is saved in NVRAM
Denver#show startup-config
DU#show startup-config
Now back up the configuration file to the TFTP server (from the switch, Denver)
Denver#copy startup-config tftp
Address or name of remote host []? 192.168.10.4 (TFTP Server IP)
Destination filename [Denver-confg]? (Press Enter to save it as default name)
Writing startup-config...!!
[OK - 653 bytes]
653 bytes copied in 0.012 secs (54416 bytes/sec)
Denver#
Now back up the configuration file to the TFTP server (from the router, DU)
DU#copy startup-config tftp:
Address or name of remote host []? 192.168.10.4
Destination filename [DU-confg]?
Writing startup-config...!!
[OK - 1178 bytes]
1178 bytes copied in 0.032 secs (36812 bytes/sec)
DU#
Erase startup-configuration file and reboot or reload the router and switch
DU#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue?
[confirm]
[OK]
Erase of nvram: complete
%SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
DU#
DU#reload
Proceed with reload? [confirm]
Denver#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue?
[confirm]
[OK]
Erase of nvram: complete
%SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
Denver#
Denver#reload
Proceed with reload? [confirm]
Configure IP addresses on the router and switch again, so that the TFTP server is reachable after the reload
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip address 192.168.10.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface vlan 1
Switch(config-if)#ip address 192.168.10.10 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch(config)#ip default-gateway 192.168.10.1
Now restore the configuration from the TFTP server to the switch and router. Copying into running-config
merges the file with what is already running, and the hostname changes as soon as the file is applied.
Switch#copy tftp running-config
Address or name of remote host []? 192.168.10.4 (TFTP Server IP)
Source filename []? Denver-confg (Backup file name on tftp server)
Destination filename [running-config]? (Press enter)
Denver#write
Building configuration...
[OK]
Denver#
Router#copy tftp running-config
Address or name of remote host []? 192.168.10.4 (TFTP Server IP)
Source filename []? DU-confg (Backup file name on tftp server)
Destination filename [running-config]? (Press enter)
Now save the configuration to NVRAM
Switch# write memory
Router# write memory
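Because copy tftp running-config merges rather than replaces, it is worth confirming that what the device now runs matches the backup. The following is an added Python example, not code from this guide: it normalizes two IOS configs, fingerprints the backup so tampering on the TFTP server is noticed, and reports the lines that differ. The two configs are constructed for the example (the backup mirrors the Lab 3 state).

```python
"""Check a restored or backed-up IOS config against what the device runs.

Added example, not part of the lab guide. `copy tftp running-config` merges
the file into the running configuration rather than replacing it, so after a
restore you want to confirm the two actually match, and before the next
backup you want to see what changed. Some lines differ on every `show run`
even when nothing changed (the `Building configuration` header, the byte
count, timestamps in `!` comments, `ntp clock-period`), so they are stripped
first. Both configs below are constructed.
"""
import difflib
import hashlib

# Lines that churn between otherwise identical configs.
_VOLATILE_PREFIXES = ("Building configuration", "Current configuration", "ntp clock-period")


def normalize(config: str) -> list[str]:
    """Drop blank lines, `!` separators/comments and volatile lines; keep indentation."""
    kept = []
    for line in config.splitlines():
        line = line.rstrip()
        if not line.strip() or line.startswith("!") or line.startswith(_VOLATILE_PREFIXES):
            continue
        kept.append(line)
    return kept


def fingerprint(config: str) -> str:
    """SHA-256 of the normalized config. Record it with the backup so a file
    altered on the TFTP server is noticed before it is restored."""
    return hashlib.sha256("\n".join(normalize(config)).encode()).hexdigest()


def config_drift(backup: str, running: str) -> dict[str, list[str]]:
    """Lines only in the backup ('missing' on the device) and only on the device ('added')."""
    a, b = normalize(backup), normalize(running)
    drift: dict[str, list[str]] = {"missing": [], "added": []}
    matcher = difflib.SequenceMatcher(None, a, b, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("delete", "replace"):
            drift["missing"].extend(a[i1:i2])
        if tag in ("insert", "replace"):
            drift["added"].extend(b[j1:j2])
    return drift


# Constructed backup as saved on the TFTP server.
BACKUP = """\
!
! Last configuration change at 10:00:00 UTC Mon Nov 6 2017
!
hostname DU
ip domain-name ashish.com
ip ssh version 2
line vty 0 4
 transport input ssh
 login local
!
end
"""

# Constructed `show running-config` taken later: someone re-enabled Telnet.
RUNNING = """\
Building configuration...

Current configuration : 1178 bytes
!
hostname DU
ip domain-name ashish.com
ip ssh version 2
line vty 0 4
 transport input telnet ssh
 login local
!
end
"""

if __name__ == "__main__":
    print("backup fingerprint:", fingerprint(BACKUP))
    print(config_drift(BACKUP, RUNNING))
```

The drift report is line based and does not understand stanza context, so read it alongside the config; it is meant to tell you quickly that something moved, not to replace a full review.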
============================================================================
LAB 5: Configure VLAN, Access and Trunk Port
A layer-2 switched network is a flat network: every device on it sees every broadcast frame, whether
or not it needs it. With VLAN (Virtual LAN) technology we can create multiple separate broadcast
domains logically inside one L2 switch.
VLANs segment the network into smaller broadcast domains; each VLAN normally maps to one IP subnet.
VLANs make network management easier in a number of ways:
- A VLAN divides the switch into several broadcast domains, each a logical subnet.
- To add, move or change a user, you only need to place the port in the right VLAN.
- Users who need higher security can be grouped in their own VLAN so that hosts outside it cannot
reach them directly.
- Users can be grouped logically by function, independent of their geographic or physical location.
- The security of the network can be enhanced by VLANs, provided traffic between VLANs is filtered by
a router or firewall.
- The number of broadcast domains increases while the size of each decreases.
Trunk ports: between switches we create a trunk. A trunk interface carries multiple VLANs, each frame
tagged with its VLAN ID.
Access ports: carry the traffic of one VLAN, untagged, and are generally connected to hosts or servers.
There are two trunking protocols we can use:
1. IEEE 802.1Q: open standard, supported by switches of any vendor.
2. Cisco ISL (Inter-Switch Link): a legacy Cisco proprietary protocol supported only on some older
Cisco switches.
On a Cisco switch the native VLAN is VLAN 1 by default. 802.1Q does not tag frames of the native VLAN,
whereas ISL tags every frame. Because the untagged native VLAN is also the VLAN every access port
starts in, change the native VLAN on trunks to an unused VLAN in production.
By default all switch ports are in VLAN 1.
VLAN information is not saved in the running-config or startup-config but in a separate file, vlan.dat,
in flash memory. To delete the VLAN information, delete that file with the delete flash:vlan.dat command.
Objective
1. Basic configuration of switch
2. Create VLANs
3. configuration of trunk ports
4. Configuration of Access ports
5. Assign IP to hosts
6. Verification
Data sheet
VLAN ID | VLAN Name | Ports          | Switch | Subnet
10      | Cisco     | F0/1 - F0/9    | DU     | 192.168.10.0/24
20      | Solaris   | F0/10 - F0/20  | BUET   | 172.16.20.0/24
1. Basic configuration of switch
Switch(config)#hostname DU
DU(config)#enable secret cisco
DU(config)#line console 0
DU(config-line)#password cisco
DU(config-line)#login
DU(config-line)#exit
Switch(config)#hostname BUET
BUET(config)#enable secret cisco
BUET(config)#line console 0
BUET(config-line)#password cisco
BUET(config-line)#login
BUET(config-line)#exit
2. Create VLANs
DU(config)#vlan 10
DU(config-vlan)#name cisco
DU(config-vlan)#exit
DU(config)#vlan 20
DU(config-vlan)#name solaris
DU(config-vlan)#exit
DU(config)#
BUET(config)#vlan 10
BUET(config-vlan)#name cisco
BUET(config-vlan)#exit
BUET(config)#vlan 20
BUET(config-vlan)#name solaris
BUET(config-vlan)#exit
BUET(config)#
3. configuration of trunk ports
DU(config)#interface gigabitEthernet 0/1
DU(config-if)#switchport mode trunk
DU(config-if)#no shutdown
DU(config-if)#exit
BUET(config)#interface gigabitEthernet 0/1
BUET(config-if)#switchport mode trunk
BUET(config-if)#no shutdown
DU#show interfaces gigabitEthernet 0/1 switchport
Name: Gig0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
4. Configuration of Access ports
BUET#conf t
BUET(config)#interface range fastEthernet 0/1 - 9
BUET(config-if-range)#switchport mode access
BUET(config-if-range)#switchport access vlan 10
BUET(config-if-range)#exit
BUET(config)#interface range fastEthernet 0/10 - 20
BUET(config-if-range)#switchport mode access
BUET(config-if-range)#switchport access vlan 20
BUET(config-if-range)#exit
BUET(config)#exit
BUET#
DU#conf t
Enter configuration commands, one per line. End with CNTL/Z.
DU(config)#interface range fastEthernet 0/1 - 9
DU(config-if-range)#switchport mode access
DU(config-if-range)#switchport access vlan 10
DU(config-if-range)#exit
DU(config)#interface range fastEthernet 0/10 - 20
DU(config-if-range)#switchport mode access
DU(config-if-range)#switchport access vlan 20
DU(config-if-range)#end
DU#
5. Assign IP to hosts
Hosts in VLAN 10 use addresses from 192.168.10.0/24 and hosts in VLAN 20 from 172.16.20.0/24, as the ping tests below show.
Ping within the same VLAN (PC0 to PC2)
C:>ping 192.168.10.3
Pinging 192.168.10.3 with 32 bytes of data:
Reply from 192.168.10.3: bytes=32 time=11ms TTL=128
Reply from 192.168.10.3: bytes=32 time<1ms TTL=128
Reply from 192.168.10.3: bytes=32 time<1ms TTL=128
Reply from 192.168.10.3: bytes=32 time<1ms TTL=128
Ping within the same VLAN (PC1 to PC3)
C:>ping 172.16.20.3
Pinging 172.16.20.3 with 32 bytes of data:
Reply from 172.16.20.3: bytes=32 time=11ms TTL=128
Reply from 172.16.20.3: bytes=32 time<1ms TTL=128
Reply from 172.16.20.3: bytes=32 time<1ms TTL=128
Reply from 172.16.20.3: bytes=32 time=1ms TTL=128
Ping to a different VLAN (PC1 to PC0)
C:>ping 192.168.10.2
Pinging 192.168.10.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
LAB 6: VTP Configuration
VTP (VLAN Trunking Protocol) is a Cisco proprietary protocol used by Cisco switches to
exchange VLAN information. VTP replicates configured VLANs to all participating switches.
Consider a network with 50 switches. Without VTP, if you want to create a VLAN on each
switch, you would have to manually enter commands to create the VLAN on each switch! VTP
enables you to create the VLAN only on one switch. That switch can then propagate
information about that VLAN to each switch on a network and cause other switches to create
that VLAN too. If you want to delete a VLAN, you only need to delete it on one switch, and
the change is automatically propagated to every other switch inside the same VTP domain.
Cisco switches can be configured in one of three VTP modes:
 Server
 Client
 Transparent
Server mode is the default for Cisco switches.
Client mode receives VLAN configuration from a server; you cannot create, change or delete VLANs on a client.
Switches in Transparent mode never update their own VLAN database from VTP advertisements; they only forward them along their trunks. In Transparent mode you configure VLANs locally, just as you would on a server switch.
Be careful when a switch with a higher VTP configuration revision number than the rest of the domain is connected. In VTP v1 and v2 any switch in the same domain with a higher revision, server or client, overwrites the VLAN database of every other switch: your current VLANs are deleted and the access ports assigned to them go inactive. So before you connect a used or pre-configured switch to a production network, put it in Transparent mode (this resets its revision number to 0) and check it with show vtp status. You can also leave VTP unconfigured, or run every switch in Transparent mode, to avoid this situation.
Objective:
1. Create VTP Server and VTP Client
2. Configure Trunk port
3. Create VLAN on Server
4. Verify
1. Create VTP Server and VTP Client
Switch(config)#hostname SERVER
SERVER(config)#vtp domain cisco.com
SERVER(config)#vtp mode server
SERVER(config)#vtp password cisco
SERVER(config)#vtp version 2
SERVER(config)#
Switch(config)#hostname Client
Client(config)#vtp domain cisco.com
Client(config)#vtp version 2
Client(config)#vtp mode client
Client(config)#vtp password cisco
NOTES
 The VTP domain name must match on every switch and is case sensitive.
 If a VTP password is set, it must be the same on every switch in the domain. Set one: the password is the only check that stops a rogue switch using the same domain name from injecting VLAN updates.
 Every switch in the VTP domain must run the same VTP version. VTP v1 and VTP v2 are not compatible on switches in the same VTP domain; VTP v3 is backward compatible with v2.
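The revision-number warning in the introduction and the NOTES above describe checks an engineer should make before a switch joins a domain. The Python below is an added example, not part of the original lab: it parses show vtp status output (the two samples are constructed, with field names as IOS prints them) and refuses a switch whose configuration revision is higher than the domain's unless it is in transparent mode, and lists the fields that must match for updates to be accepted at all.

```python
"""Check 'show vtp status' output before a switch joins a VTP domain.

Added example, not part of the original lab. The samples are constructed;
field names follow the show vtp status output of IOS. A server or client
with a higher revision than the domain would overwrite the domain's VLANs
in VTP v1/v2, so such a switch is refused unless it is transparent.
"""

DOMAIN_STATUS = """\
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : cisco.com
VTP Operating Mode              : Server
Configuration Revision          : 7
"""

NEW_SWITCH_STATUS = """\
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : cisco.com
VTP Operating Mode              : Client
Configuration Revision          : 42
"""

# Fields that must agree before two switches exchange VTP updates (password
# is checked by VTP too, but show vtp status does not print it).
MUST_MATCH = ("VTP Domain Name", "VTP version running")

def parse_vtp_status(text):
    """Return {field: value}; each line is split on its first colon."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def domain_mismatches(a, b):
    """Fields that differ between two switches and would stop VTP updates."""
    return [k for k in MUST_MATCH if a.get(k) != b.get(k)]

def safe_to_connect(new_switch, domain_revision):
    """Return (ok, reason) for connecting new_switch to a domain at domain_revision."""
    mode = new_switch.get("VTP Operating Mode", "").lower()
    try:
        revision = int(new_switch.get("Configuration Revision", "0"))
    except ValueError:
        return False, "configuration revision is not a number"
    if mode == "transparent":
        return True, "transparent mode: the switch never overwrites the domain"
    if revision > domain_revision:
        return False, (f"revision {revision} is higher than the domain's {domain_revision}; "
                       "set 'vtp mode transparent' (resets the revision to 0) before connecting")
    return True, f"revision {revision} does not exceed the domain's {domain_revision}"

if __name__ == "__main__":
    domain = parse_vtp_status(DOMAIN_STATUS)
    new = parse_vtp_status(NEW_SWITCH_STATUS)
    print(domain_mismatches(domain, new))
    print(safe_to_connect(new, int(domain["Configuration Revision"])))
```

With the constructed samples the new client matches the domain name and version but carries revision 42 against the domain's 7, so it is refused; the same switch in transparent mode, or after a reset to a lower revision, is accepted.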
2. Configure Trunk port
SERVER(config)#interface gigabitEthernet 0/1
SERVER(config-if)#switchport mode trunk
SERVER(config-if)#no shut
Client(config)#interface gigabitEthernet 0/1
Client(config-if)#switchport mode trunk
Client(config-if)# no shut
3. Create VLAN on Server only
SERVER(config)#vlan 100
SERVER(config-vlan)#name cisco
SERVER(config-vlan)#exit
SERVER(config)#vlan 200
SERVER(config-vlan)#name solaris
SERVER(config-vlan)#end
4. Verify that the VLANs are propagated to the Client switch
show vlan brief on the Client now lists VLAN 100 (cisco) and VLAN 200 (solaris), although both were created only on the Server switch.
Other VTP verification command: show vtp status
From show vtp status we can check the VTP mode, the VTP domain name and the configuration revision number. The revision number must be the same on Server and Client. If it is not, the update has not been propagated; check the trunk, the domain name, the version and the password.
LAB 7: ETHERCHANNEL Configuration
 EtherChannel is a port link aggregation technology (port-channel architecture) that bundles multiple physical links into a single logical link.
 EtherChannel improves redundancy: the bundle stays up as long as one member link is up.
 In this way you can also increase the bandwidth of a particular connection.
 With EtherChannel the aggregated links are not blocked by STP, because STP sees the bundle as one link.
Link aggregation is very common and is usually seen in the following scenarios:
 Switch to switch connectivity in an access block (non-stackable)
 Access switch connectivity to distribution switches
 Server connectivity to the data center LAN fabric
If you are going to create an EtherChannel you need to make sure that all member ports have the same configuration:
 Duplex has to be the same.
 Speed has to be the same.
 Same native AND allowed VLANs.
 Same switchport mode (access or trunk).
There is a maximum of 8 active physical interfaces per bundle (LACP lets you configure up to 16, of which 8 are active and the rest standby).
If you want to configure an Etherchannel there are two protocols you can choose from:
PAGP – port aggregation protocol
 Developed by Cisco
 The port modes are defined as either auto or desirable
LACP – link aggregation control protocol
 Open standard as defined by IEEE 802.3ad
 The port modes are either passive or active. Passive is the equivalent of the PAgP auto mode and active is the equivalent of the PAgP desirable mode.
S1(config)#int range fa0/7-12
S1(config-if-range)#channel-group 1 mode desirable
or
S1(config-if-range)#channel-group 1 mode active
We use desirable so that the switch will actively negotiate to form a PAgP link (Cisco proprietary EtherChannel),
or we use active so that the switch will actively negotiate to form an LACP link (open standard EtherChannel).
Avoid channel-group 1 mode on: it bundles the ports without any negotiation, and if the other side is not configured identically the result is a spanning-tree loop or a black hole.
To verify the configuration, you can use show etherchannel summary.
Objective
1. Create Etherchannel
2. Configure Trunk
3. Verification
Create Etherchannel
Switch(config)#hostname DU
DU(config)#interface range gigabitEthernet 0/1 - 2
DU(config-if-range)#channel-group 1 mode active
Creating a port-channel interface Port-channel 1
DU(config-if-range)#exit
Switch(config)#hostname ASHISH
ASHISH(config)#interface range gigabitEthernet 0/1 - 2
ASHISH(config-if-range)#channel-group 1 mode passive
ASHISH(config-if-range)#
Configure Trunk
DU(config)#interface port-channel 1
DU(config-if)#switchport mode trunk
DU(config-if)# no shut
ASHISH(config)#interface port-channel 1
ASHISH(config-if)#switchport mode trunk
ASHISH(config-if)# no shutdown
Verification
Po1 = Port-channel 1; the channel-group number must be the same on both switches
S = capital S means Layer 2
U = in use
LACP = which EtherChannel protocol is used
P = the physical port is bundled in the port-channel
If these flags appear (SU on Po1 and P on every member port), your configuration is correct.
LAB 8. VLAN, VTP, Etherchannel and Inter-VLAN Routing configuration
Inter-VLAN Routing
In our previous lab, hosts could only communicate within the same VLAN, for example the PCs within VLAN 10 or within VLAN 20. To communicate between different VLANs we need routing, because each VLAN is a separate broadcast domain and a separate IP subnet. So we need a Layer 3 switch or a router. Here we will use a router.
SWITCH  VLAN ID  VLAN NAME  SWITCH PORTS  SUBNET
DU      100      CISCO      F0/3 - 15     192.168.100.0/24
DU      200      SOLARIS    F0/16 - 21    172.16.200.0/24
BUET    100      CISCO      F0/6 - 10     192.168.100.0/24
BUET    200      SOLARIS    F0/14 - 20    172.16.200.0/24
OBJECTIVE:
BASIC CONFIGURATION OF SWITCH AND ROUTER
ETHER-CHANNEL & TRUNK PORT CONFIGUARTION
VTP CONFIGURATION
CONFIGURATION OF VLAN
VERIFY VTP, TRUNK PORTS AND ETHERCHANNEL CONFIGURATION
CONFIGURE ACCESS-PORTS
CONFIGURE IP TO HOSTS
VERIFICATION
CONFIGURE INTER-VLAN ROUTING
VERIFY CONFIGURATION
BASIC CONFIGURATION OF SWITCH AND ROUTER
==========================================
Switch>en
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname DU
DU(config)#banner motd "Do not try to login my Switch"
DU(config)#enable secret cisco123
DU(config)#line console 0
DU(config-line)#password cisco123
DU(config-line)#login
DU(config-line)#exit
========================================
Switch#conf t
Switch(config)#hostname BUET
BUET(config)#banner motd "This is the switch of BUET"
BUET(config)#enable secret cisco123
BUET(config)#line console 0
BUET(config-line)#password cisco123
BUET(config-line)#login
BUET(config-line)#end
BUET#
=====================================================
Router>en
Router#conf t
Router(config)#hostname DENVER
DENVER(config)#enable secret cisco123
DENVER(config)#banner motd "This Router belongs to VENUS TELECOM LTD"
DENVER(config)#line console 0
DENVER(config-line)#password cisco123
DENVER(config-line)#login
DENVER(config-line)#end
ETHER-CHANNEL & TRUNK PORT CONFIGURATION
DU(config)#interface range fastEthernet 0/1 - 2
DU(config-if-range)#channel-group 1 mode active
DU(config-if-range)#no shutdown
DU(config-if-range)#exit
TRUNK PORT CONFIGURATION
DU(config)#interface port-channel 1
DU(config-if)#switchport mode trunk
DU(config-if)#no shutdown
====================================================
BUET(config)#interface range fastEthernet 0/1 - 2
BUET(config-if-range)#channel-group 1 mode passive
BUET(config-if-range)#no shutdown
BUET(config-if-range)#exit
TRUNK PORT CONFIGURATION
BUET(config)#interface port-channel 1
BUET(config-if)#switchport mode trunk
BUET(config-if)#no shutdown
VTP CONFIGURATION
DU(config)#vtp domain cisco.com
DU(config)#vtp mode server
DU(config)#vtp version 2
DU(config)#vtp password cisco
DU(config)#exit
BUET(config)#vtp domain cisco.com
BUET(config)#vtp mode client
BUET(config)#vtp version 2
BUET(config)#vtp password cisco
BUET(config)#
CONFIGURATION OF VLAN
DU(config)#vlan 100
DU(config-vlan)#name CISCO
DU(config-vlan)#exit
DU(config)#vlan 200
DU(config-vlan)#name SOLARIS
DU(config-vlan)#exit
VERIFY
==========
DU#show etherchannel summary
Group Port-channel Protocol Ports
------+-------------+-----------+------
1 Po1(SU) LACP Fa0/1(P) Fa0/2(P)
DU#
CONFIGURE ACCESS-PORTS
DU#conf t
DU(config)#interface range fastEthernet 0/3 - 15
DU(config-if-range)#switchport mode access
DU(config-if-range)#switchport access vlan 100
DU(config-if-range)#exit
DU(config)#interface range fastEthernet 0/16 - 21
DU(config-if-range)#switchport mode access
DU(config-if-range)#switchport access vlan 200
DU(config-if-range)#exit
BUET(config)#interface range fastEthernet 0/6 - 10
BUET(config-if-range)#switchport mode access
BUET(config-if-range)#switchport access vlan 100
BUET(config-if-range)#exit
BUET(config)#interface range fastEthernet 0/14 - 20
BUET(config-if-range)#switchport mode access
BUET(config-if-range)#switchport access vlan 200
BUET(config-if-range)#end
BUET#
CONFIGURE IP TO HOSTS
Hosts in VLAN 100 get addresses from 192.168.100.0/24 and hosts in VLAN 200 from 172.16.200.0/24; the default gateway of each host is the address that will be configured on the router sub-interface for its VLAN (192.168.100.1 and 172.16.200.1).
Verify
Ping within the same VLAN
C:>ping 192.168.100.3
Pinging 192.168.100.3 with 32 bytes of data:
Reply from 192.168.100.3: bytes=32 time=1ms TTL=128
Reply from 192.168.100.3: bytes=32 time=1ms TTL=128
Reply from 192.168.100.3: bytes=32 time<1ms TTL=128
Reply from 192.168.100.3: bytes=32 time<1ms TTL=128
C:>ping 172.16.200.3
Pinging 172.16.200.3 with 32 bytes of data:
Reply from 172.16.200.3: bytes=32 time=12ms TTL=128
Reply from 172.16.200.3: bytes=32 time=1ms TTL=128
Reply from 172.16.200.3: bytes=32 time=1ms TTL=128
Reply from 172.16.200.3: bytes=32 time<1ms TTL=128
Ping to a different VLAN
C:>ping 192.168.100.2
Pinging 192.168.100.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Not successful. Each VLAN is its own broadcast domain and subnet, so we now configure inter-VLAN routing to let hosts in different VLANs reach each other.
CONFIGURE INTER-VLAN ROUTING
BUET#conf t
BUET(config)#interface gigabitEthernet 0/1
BUET(config-if)#no shutdown
BUET(config-if)#switchport mode trunk
BUET(config-if)#exit
DENVER#conf t
DENVER(config)#interface fastEthernet 0/0
DENVER(config-if)#no shutdown
DENVER(config-if)#exit
DENVER(config)#interface fastEthernet 0/0.100
DENVER(config-subif)#encapsulation dot1Q 100
DENVER(config-subif)#ip address 192.168.100.1 255.255.255.0
DENVER(config-subif)#no shutdown
DENVER(config-subif)#exit
DENVER(config)#interface fastEthernet 0/0.200
DENVER(config-subif)#encapsulation dot1Q 200
DENVER(config-subif)#ip address 172.16.200.1 255.255.255.0
DENVER(config-subif)#no shutdown
DENVER(config-subif)#exit
Here we have created two sub-interfaces, fa0/0.100 and fa0/0.200, one per VLAN, each with dot1Q encapsulation for the matching VLAN ID and the address the hosts use as their default gateway. Note that once the router connects the VLANs, the separation between them is only as strong as the access lists applied to these sub-interfaces; without an ACL every host can reach every other VLAN.
Verify
Now ping to different VLAN
C:>ping 172.16.200.2
Pinging 172.16.200.2 with 32 bytes of data:
Reply from 172.16.200.2: bytes=32 time=1ms TTL=127
Reply from 172.16.200.2: bytes=32 time=12ms TTL=127
Reply from 172.16.200.2: bytes=32 time=11ms TTL=127
Reply from 172.16.200.2: bytes=32 time=10ms TTL=127
C:>ping 192.168.100.2
Pinging 192.168.100.2 with 32 bytes of data:
Reply from 192.168.100.2: bytes=32 time=11ms TTL=127
Reply from 192.168.100.2: bytes=32 time=11ms TTL=127
Reply from 192.168.100.2: bytes=32 time=1ms TTL=127
Reply from 192.168.100.2: bytes=32 time=10ms TTL=127
====================================================================
TELNET ACCESS to Switch
======================
VTP SERVER
============
DU#conf t
DU(config)#vlan 99
DU(config-vlan)#name admin
DU(config-vlan)#exit
DU(config)#vlan 199
DU(config-vlan)#name admin2
DU(config-vlan)#exit
DU(config)#interface fastEthernet 0/23
DU(config-if)#switchport mode access
DU(config-if)#switchport access vlan 99
DU(config-if)#exit
DU(config)#interface vlan 99
DU(config-if)#ip address 192.168.10.1 255.255.255.0
DU(config-if)#no shutdown
DU(config-if)#exit
Telnet Configuration (Telnet sends the password in clear text across the network; on a production device use the SSH configuration from Lab 3 and restrict the vty lines with transport input ssh instead)
DU(config)#line vty 0 4
DU(config-line)#password cisco123
DU(config-line)#login
DU(config-line)#exit
BUET(config)#interface fastEthernet 0/23
BUET(config-if)#switchport mode access
BUET(config-if)#switchport access vlan 199
BUET(config-if)#exit
BUET(config)#interface vlan 199
BUET(config-if)#ip address 192.168.20.1 255.255.255.0
BUET(config-if)#no shutdown
Telnet Configuration
BUET(config)#line vty 0 4
BUET(config-line)#password cisco123
BUET(config-line)#login
BUET(config-line)#exit
DENVER(config)#line vty 0 4
DENVER(config-line)#password cisco123
DENVER(config-line)#login
DENVER(config-line)#exit
DENVER(config)#interface fastEthernet 0/0.99
DENVER(config-subif)#encapsulation dot1Q 99
DENVER(config-subif)#ip address 192.168.10.1 255.255.255.0
DENVER(config-subif)#no shutdown
DENVER#ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/2/8 ms
DENVER#telnet 192.168.10.1
Trying 192.168.10.1 ...OpenThis Router belongs to VENUS TELECOM LTD
User Access Verification
Password:
% Password: timeout expired!
[Connection to 192.168.10.1 closed by foreign host]
Note: 192.168.10.1 was assigned both to interface vlan 99 on DU and to sub-interface fa0/0.99 on DENVER, so the ping above is answered by the router itself and the Telnet banner shown is DENVER's own motd, not the switch's. Give the router sub-interface a different address in each management VLAN (for example 192.168.10.254 and 192.168.20.254) so that the switches keep .1, then telnet from DENVER to 192.168.10.1 again: the session should show the DU banner and prompt for the vty password. The same applies to the 192.168.20.1 test below. The "% Password: timeout expired!" line only means no password was typed before the login timeout.
==============================================================
DENVER#conf t
DENVER(config)#interface fastEthernet 0/0.199
DENVER(config-subif)#encapsulation dot1Q 199
DENVER(config-subif)#ip address 192.168.20.1 255.255.255.0
DENVER(config-subif)#no shutdown
DENVER(config-subif)#exit
DENVER(config)#end
=======================================================
DENVER#ping 192.168.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/3/9 ms
DENVER#telnet 192.168.20.1
Trying 192.168.10.1 ...OpenThis Router belongs to VENUS TELECOM LTD
User Access Verification
Password:
LAB 9 : Inter-Vlan Routing Configuration on L3 Switch
SVI - Switched Virtual Interface. There is no physical interface for the VLAN, hence it is virtual.
The technique is: assign an IP address to each VLAN interface (for example interface vlan 10), then issue the ip routing command in global configuration mode.
Generally routers route between different broadcast domains, that is, different VLANs. An SVI on a Layer 3 switch provides the same routing between VLANs, without a separate router.
Example switch models that support Layer 3 routing are the Catalyst 3550, 3560 and 3750.
Our Tasks (All configuration is only on L3 switch here)
1. Creating vlan 10 and vlan 20
2. Naming these two vlans:
vlan 10 = cisco
vlan 20 = solaris
3. Configuration of Access ports
4. Assigning IP to Hosts
5. Assigning IP to Vlan Interface
6. Verification
CREATE VLAN
Switch#conf t
Switch(config)#vlan 10
Switch(config-vlan)#name cisco
Switch(config-vlan)#exit
Switch(config)#vlan 20
Switch(config-vlan)#name solaris
Switch(config-vlan)#exit
ACCESS-PORT CONFIGURATION
Switch(config)#interface range fastEthernet 0/3 - 9
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 10
Switch(config-if-range)#exit
Switch(config)#interface range fastEthernet 0/10 - 15
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 20
Switch(config-if-range)#exit
ASSIGN IP TO VLAN INTERFACE
Switch(config)#interface vlan 10
Switch(config-if)#ip address 192.168.10.1 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch(config)#interface vlan 20
Switch(config-if)#ip address 192.168.20.1 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit
ENABLE ROUTING
Switch(config)#ip routing
Switch(config)#exit
ASSIGN IP TO HOSTS
Hosts in VLAN 10 use the SVI address 192.168.10.1 as their default gateway and hosts in VLAN 20 use 192.168.20.1.
VERIFICATION
Ping to a different VLAN: with ip routing enabled, a host in VLAN 10 can now reach a host in VLAN 20 through the switch's SVIs.
LAB 10 : Port Security
Port Security
Anyone can reach the network by plugging a laptop into an unused switch port, and can move between ports without telling the admin. Port security limits which MAC addresses, and how many, may use a given access port, so Layer 2 access can be controlled.
First, in our lab, we plug in one PC; the other PC remains unplugged, as shown in the figure:
Assign IP to hosts
Switch(config)#interface fastEthernet 0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 1
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation shutdown
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#exit
Port security is disabled by default; the switchport port-security command enables it. The port must first be a static access port, as above, because port security is not accepted on a port in dynamic mode.
According to our requirements we can limit the number of hosts (MAC addresses) allowed on an interface. By default the limit is 1. The switchport port-security maximum <value> command sets it; the switch used in this lab accepts values from 1 to 132, and the upper limit depends on the platform.
We have two options, static and dynamic, to associate MAC addresses with the interface.
In the static method we manually define each allowed host MAC address with the switchport port-security mac-address <MAC_address> command.
In the dynamic method we use the sticky feature, which lets the interface learn MAC addresses automatically and keeps them as if they were static.
We need to specify what action the switch should take on a security violation. Three modes are available:
Protect: frames from non-allowed addresses are silently dropped. No log message is generated and the violation counter does not increase, so this mode gives you no visibility; it does not depend on the sticky option.
Restrict: frames from non-allowed addresses are dropped, and the switch logs the event, sends an SNMP trap and increments the violation counter.
Shutdown: the switch logs the violation and puts the port into the err-disabled state, so all traffic on it stops. The port comes back only when an operator enters shutdown followed by no shutdown on it, or when errdisable recovery cause psecure-violation is configured. This is the default violation mode.
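The three violation modes and the sticky conversion described above are easiest to compare side by side. The Python model below is an added example, not the lab's own code and not taken from IOS; it models an access port with a maximum, optional sticky learning and a violation mode, and shows what the running configuration would contain after sticky learning. The MAC addresses in the usage are constructed; the class and method names are the example's own.

```python
"""Model of a port-security access port: maximum, sticky learning, violation modes.

Added example, not the lab's own code; the behaviour is modelled from the IOS
description above (protect / restrict / shutdown), not taken from IOS itself.
Frames are represented by their source MAC; the model reports per frame
whether it is forwarded and tracks the violation count and err-disabled state.
"""

class SecurePort:
    def __init__(self, maximum=1, violation="shutdown", sticky=True, static=()):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("violation must be protect, restrict or shutdown")
        self.maximum = maximum
        self.violation = violation
        self.sticky = sticky
        self.static = {m.lower() for m in static}   # configured with 'mac-address <MAC>'
        self.sticky_learned = set()                  # learned, then saved as static
        self.dynamic = set()                         # learned, lost on shutdown/reload
        self.violations = 0
        self.err_disabled = False

    def allowed(self):
        return self.static | self.sticky_learned | self.dynamic

    def receive(self, mac):
        """Return 'forward', 'drop' or 'err-disabled' for a frame from mac."""
        if self.err_disabled:
            return "err-disabled"
        mac = mac.lower()
        if mac in self.allowed():
            return "forward"
        if len(self.allowed()) < self.maximum:       # room left: learn the address
            (self.sticky_learned if self.sticky else self.dynamic).add(mac)
            return "forward"
        if self.violation == "protect":              # silent drop, nothing counted
            return "drop"
        self.violations += 1                          # restrict and shutdown log and count
        if self.violation == "restrict":
            return "drop"
        self.err_disabled = True                      # shutdown: port goes err-disabled
        return "err-disabled"

    def recover(self):
        """Operator 'shutdown' / 'no shutdown': clears err-disable and dynamic addresses."""
        self.err_disabled = False
        self.dynamic.clear()

    def running_config(self, name="FastEthernet0/1"):
        """What show running-config would show; sticky addresses appear as static lines."""
        lines = [f"interface {name}", " switchport mode access", " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
            lines += [f" switchport port-security mac-address sticky {m}"
                      for m in sorted(self.sticky_learned)]
        lines += [f" switchport port-security mac-address {m}" for m in sorted(self.static)]
        return "\n".join(lines)

if __name__ == "__main__":
    port = SecurePort()                               # lab defaults: max 1, shutdown, sticky
    print(port.receive("00d0.ba11.2233"))             # PC0 (constructed): learned, forwarded
    print(port.receive("0002.1622.cb46"))             # PC1 swapped in: err-disabled
    print(port.running_config())
```

Walking the lab through the model: the first frame from PC0 is learned and stored as a sticky entry, the first frame from PC1 trips the violation and err-disables the port, and after recover() PC0 forwards again while PC1 would trip it again. The same sequence under restrict drops PC1's frames and counts them without taking the port down; under protect it drops them and counts nothing, which is why protect is the mode you cannot monitor.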
Switchport port security explained
Command                                                        Description
Switch>enable                                                  Move to privileged exec mode
Switch#configure terminal                                      Move to global configuration mode
Switch(config)#interface fastethernet 0/1                      Move to interface mode
Switch(config-if)#switchport mode access                       Make the port a static access (host) port
Switch(config-if)#switchport port-security                     Enable the port security feature on this port
Switch(config-if)#switchport port-security maximum 1           Set the limit of hosts that can be associated with the interface. Default value is 1; skip this command to use the default
Switch(config-if)#switchport port-security violation shutdown  Set the security violation mode. Default mode is shutdown; skip this command to use the default
Switch(config-if)#switchport port-security mac-address sticky  Enable the sticky feature
We have secured port F0/1 of the switch using dynamic (sticky) address learning. The switch will remember the first MAC address it learns on F0/1 as the secure address for this port. We can check the MAC address table for the currently associated address.
No MAC address is associated with port F0/1 yet, because the switch learns MAC addresses only from incoming frames.
We need to generate a frame from PC0 that arrives on port F0/1 of the switch. We can use ping from PC0 to the Server to generate frames.
The switch learned this address dynamically, but it is shown as STATIC. The sticky option automatically converts a dynamically learned address into a static entry, and it appears in the running configuration as switchport port-security mac-address sticky <MAC>; save the configuration to keep it across a reload.
Switchport port security testing
Now we unplug the Ethernet cable from PC0 and plug in another PC (PC1) on the same port.
Now try to ping from PC1 to the Server.
Why does the ping fail? Because the switch detected a MAC address that is not the secure address, counted a violation and, in shutdown mode, put the port into the err-disabled state.
Verify port security
We have three commands to verify the port security
show port-security
This command displays port security information about all the interfaces on switch.
show port-security address
Display statically defined or dynamically learned address with port security.
show port-security interface interface
Display port security information about the specific interface.
Here is a useful command to check your port security configuration. Use show port-security interface to see the port security details per interface. We can see that the violation mode is shutdown and that the last violation was caused by MAC address 0002.1622.CB46:1 (shown as MAC:VLAN). The aging time of 0 mins applies to the secure addresses, which never age out; it does not control the err-disabled state. An err-disabled port stays down until an operator bounces it, or until errdisable recovery cause psecure-violation is configured to re-enable it automatically after the recovery interval.
How to reset an interface that is disabled due to a port security violation
Manually restart the interface. Unplug the cable from PC1 and plug it back into PC0.
Run the following commands on the switch and test connectivity from the PC.
First go to the interface, enter shutdown and then no shutdown. Because the secure address was learned as sticky, PC0 is allowed again immediately; PC1 would trigger another violation.
LAB 11: Configure Portfast
Advantages
 An interface with PortFast enabled goes to the forwarding state immediately; it skips the listening and learning states.
 A PortFast port does not generate a topology change notification when it goes up or down.
 PortFast only takes effect when the interface is in a non-trunking mode, so enabling it on a trunk port is useless; use it on access ports that connect to a single host only. Never enable it on a port facing another switch.
Configure PortFast on the Cisco switch (first unplug the two PCs as shown in the figure).
Next, execute the following commands on the switch to enable PortFast on the Fa0/1 interface.
Switch(config)#interface fa0/1
Switch(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
%Portfast has been configured on FastEthernet0/1 but will only
have effect when the interface is in a non-trunking mode.
Switch(config-if)#
Now connect PC0 to the fa0/1 interface and PC1 to the fa0/2 interface, as shown in the following figure.
We notice that the Fa0/1 interface becomes active within a few seconds, because it skips the 30 seconds of listening and learning that STP convergence normally imposes, while Fa0/2, which has no PortFast, goes through the normal listening and learning states first.
LAB 12 : Configure BPDU Guard on Cisco Switch
 BPDU Guard protects the spanning-tree domain from external influence. It is disabled by default, but it is recommended to enable BPDU Guard on every port on which PortFast is enabled.
 BPDU Guard should be applied on user-facing ports to prevent rogue switch network extensions by an attacker (or a user's unmanaged switch), since a device that sends BPDUs could otherwise take part in, or take over, the spanning tree.
 BPDU Guard can be configured either in global mode or in interface mode.
 On an interface, BPDU Guard puts the port into the err-disabled state if a BPDU is received.
In global configuration mode, spanning-tree portfast bpduguard default enables BPDU Guard on every PortFast-enabled port; any such port that receives a BPDU is err-disabled in the same way. The two forms:
Global: SW2(config)#spanning-tree portfast bpduguard default
Per interface: SW2(config-if)#spanning-tree bpduguard enable
Switch(config)#interface fastEthernet 0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 1
Switch(config-if)#spanning-tree portfast
Switch(config-if)#spanning-tree bpduguard enable
Switch#show spanning-tree interface fastEthernet 0/1 portfast
VLAN0001 enabled
LAB 13: Configure Root Guard on Cisco Switch
Root Guard stops a superior BPDU received on a port from making the neighbouring switch the root bridge: the port goes into the root-inconsistent (blocking) state instead of accepting the new root.
Note: Root Guard is best deployed on ports that connect to switches which should not be the root bridge.
For example, a port on the distribution layer switch which is connected to an access layer switch can have Root Guard enabled, because the access layer switch should never become the root bridge.
Switch1(config)#hostname DU
Switch2(config)#hostname ASHISH
Now check which switch is the root bridge.
Switch DU becomes the root bridge... right?
Now we will enable Root Guard on switch DU on port G0/1, so that if switch ASHISH tries to become the root bridge, port G0/1 of DU goes into the root-inconsistent state and stops forwarding.
DU(config)#interface gigabitEthernet 0/1
DU(config-if)#spanning-tree guard root
Now apply ping to PC1 to PC2 to verify connectivity
C:>ping 192.168.10.2
Reply from 192.168.10.2: bytes=32 time=12ms TTL=128
Reply from 192.168.10.2: bytes=32 time<1ms TTL=128
Reply from 192.168.10.2: bytes=32 time<1ms TTL=128
Reply from 192.168.10.2: bytes=32 time<1ms TTL=128
Now we will change the priority value of switch ASHISH to see what happens.
ASHISH(config)#spanning-tree vlan 1 priority 4096
now ping....
C:>ping 192.168.10.2
Request timed out.
Request timed out.
Request timed out.
The port turns red, which indicates that it stopped forwarding when switch ASHISH tried to become the root bridge:
%SPANTREE-2-ROOTGUARDBLOCK: Port 0/1 tried to become non-designated in VLAN 1.
Moved to root-inconsistent state
(The above message is generated on switch DU.)
To recover from this:
Reset the priority value of switch ASHISH
ASHISH(config)#spanning-tree vlan 1 priority 32768
Root Guard recovers on its own once the superior BPDUs stop arriving; bouncing the port on DU just forces the check immediately:
DU(config)#interface gigabitEthernet 0/1
DU(config-if)#shutdown
DU(config-if)#no shutdown
Now apply ping to PC1 to PC2 to verify connectivity
C:>ping 192.168.10.2
Reply from 192.168.10.2: bytes=32 time=12ms TTL=128
Reply from 192.168.10.2: bytes=32 time<1ms TTL=128
Reply from 192.168.10.2: bytes=32 time<1ms TTL=128
Reply from 192.168.10.2: bytes=32 time<1ms TTL=128
LAB 14 : Spanning tree behavior - mode , priority value, root bridge
Here switch DU is the root bridge, as all of its ports are in forwarding mode (indicated by the green signal).
By default Cisco switches run a separate STP instance for every VLAN configured on the switch; this mode is called PVST (PVST+, or Rapid PVST+ when spanning-tree mode rapid-pvst is configured).
We will configure switch ASHISH as the root switch for the default VLAN (1) using one method, then switch DU using another method:
Method 1 (switch ASHISH will be the root bridge)
First verify whether switch ASHISH is the root or not.
The switch is not the root bridge.
Now we will make it the root bridge using the following command:
spanning-tree vlan [list] root [primary | secondary]
This command automatically lowers the bridge priority of the switch far enough to make sure
that it is elected as the root switch for the listed VLANs.
ASHISH(config)#spanning-tree vlan 1 root primary
We can see that the switch is now the root bridge.
Method 2 (switch DU will be the root bridge now):
Set the bridge priority directly using the command spanning-tree vlan [list] priority [value]:
DU(config)#spanning-tree vlan 1 priority 4096
DU is now the root switch.
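Both methods above come down to the bridge ID comparison that the election uses. The following Python model is an added example and is not code from the lab guide: it elects the root for VLAN 1 from (priority + VLAN number, MAC address), shows why priority 4096 on DU wins as in method 2, and models what root primary does to the priority as in method 1 (24576, or 4096 below the lowest priority already in use when that is below 24576). The switch MAC addresses are constructed sample values.

```python
"""Root bridge election for one VLAN, as configured by the two methods in LAB 14.

Added example, not from the lab guide. The root is the bridge with the lowest
bridge ID, compared as (priority + VLAN number, MAC address), which is why
'priority 4096' on DU wins and why 'root primary' on ASHISH only has to drop
the priority below everyone else's. Switch MAC addresses are constructed.
"""
from dataclasses import dataclass

DEFAULT_PRIORITY = 32768          # IOS default bridge priority
ROOT_PRIMARY_PRIORITY = 24576     # priority 'root primary' picks when the current root is at the default


@dataclass
class Bridge:
    name: str
    mac: str
    priority: int = DEFAULT_PRIORITY

    def bridge_id(self, vlan: int) -> tuple:
        # PVST extended system ID: the VLAN number is added to the priority
        # field; the MAC address breaks ties between equal priorities.
        return (self.priority + vlan, int(self.mac.replace(":", ""), 16))


def set_priority(bridge: Bridge, value: int) -> None:
    """Method 2: 'spanning-tree vlan 1 priority <value>' (0-61440 in steps of 4096)."""
    if value % 4096 != 0 or not 0 <= value <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    bridge.priority = value


def root_primary(bridge: Bridge, others: list) -> int:
    """Method 1: model of 'spanning-tree vlan 1 root primary'. The macro sets 24576,
    or 4096 below the lowest priority already in use if that is below 24576."""
    lowest = min(b.priority for b in others)
    value = ROOT_PRIMARY_PRIORITY if lowest > ROOT_PRIMARY_PRIORITY else lowest - 4096
    set_priority(bridge, value)
    return value


def elect_root(bridges: list, vlan: int = 1) -> Bridge:
    """Lowest bridge ID wins."""
    return min(bridges, key=lambda b: b.bridge_id(vlan))


if __name__ == "__main__":
    du = Bridge("DU", "00:1a:2b:3c:00:01")
    ashish = Bridge("ASHISH", "00:1a:2b:3c:00:02")
    print("default priorities, root is", elect_root([ashish, du]).name)   # DU: lower MAC
    root_primary(ashish, [du])
    print("after root primary on ASHISH, root is", elect_root([ashish, du]).name)
    set_priority(du, 4096)
    print("after priority 4096 on DU, root is", elect_root([ashish, du]).name)
```

With equal priorities the lower MAC address decides, which is why a switch you never intended to be root can win the election; pinning the priority (or using root guard, as in the previous lab) is what makes the outcome deterministic.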
LAB 15 : DHCP CONFIGURATION ON CISCO ROUTER
DHCP (Dynamic Host Configuration Protocol) is an Application Layer protocol. DHCP
is used by network devices (for example PCs, network printers, etc.) to automatically obtain
an IP address, default gateway, domain name, DNS servers and more.
DHCP is available on Cisco IOS routers and switches, but on switches only on newer IOS-
based models such as the Catalyst 3550 and 3750.
- The client sends a DHCP Discover message (broadcast) to find a DHCP server.
- The DHCP server responds with a DHCP Offer message (unicast), which includes the
offered IP address, default gateway and lease time; it can also include the DNS server,
TFTP server and many more options.
- The client responds with a DHCP Request message (broadcast), which is the formal
request for the offered address.
- The server responds with a DHCP Ack message (unicast), confirming that the IP
address has been leased to the client.
Here the router will act as the DHCP server. The IP address 192.168.20.20 is already assigned to
the switch, so this address will be excluded from the DHCP pool to avoid an IP address
conflict.
Configure an IP address on the router's interface
Router#conf t
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip address 192.168.20.1 255.255.255.0
Router(config-if)#no shutdown
Assign an IP address and default gateway to the switch
Switch#conf t
Switch(config)#interface vlan 1
Switch(config-if)#ip address 192.168.20.20 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch(config)#ip default-gateway 192.168.20.1
DHCP Configuration on the Router
1. Create a DHCP pool that defines the range of IP addresses to be handed out to the clients
Router(config)#ip dhcp pool ashish-pool
2. Define the network and subnet mask of the address pool
Router(dhcp-config)#network 192.168.20.0 255.255.255.0
3. Define the primary (and optionally secondary) DNS server
Router(dhcp-config)#dns-server 192.168.20.1
4. Define the default router (i.e. the default gateway)
Router(dhcp-config)#default-router 192.168.20.1
Router(dhcp-config)#exit
5. Exclude the IP addresses we do not want the DHCP server to hand out
Router(config)#ip dhcp excluded-address 192.168.20.20 192.168.20.30
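As an added example (not code from the lab guide), the following Python model ties the four DORA messages described at the start of this lab to the pool configured in steps 1 to 5: it hands out addresses from 192.168.20.0/24, skips the excluded range 192.168.20.20 to 192.168.20.30, and answers a Request only for the address it actually offered to that client. The client MAC addresses are constructed, the lease time is an assumed default, and the model's rule of never handing out the default router's own address is an assumption of the model rather than something the lab states.

```python
"""DHCP pool with excluded addresses and the DISCOVER/OFFER/REQUEST/ACK exchange.

Added example, not from the lab guide: a small model of what the router does
after 'ip dhcp pool', 'network', 'default-router', 'dns-server' and
'ip dhcp excluded-address'. Client MAC addresses are constructed sample
values; the lease time is an assumed default.
"""
import ipaddress
from typing import Optional


class DhcpServer:
    def __init__(self, network: str, default_router: str, dns_server: str,
                 lease_seconds: int = 86400):
        self.net = ipaddress.ip_network(network)              # 'network 192.168.20.0 255.255.255.0'
        self.default_router = ipaddress.ip_address(default_router)
        self.dns_server = dns_server
        self.lease_seconds = lease_seconds
        self.excluded = set()                                 # 'ip dhcp excluded-address'
        self.offers = {}                                      # mac -> offered address
        self.leases = {}                                      # mac -> leased address

    def exclude(self, low: str, high: Optional[str] = None) -> None:
        """'ip dhcp excluded-address <low> [<high>]' (inclusive range)."""
        lo = ipaddress.ip_address(low)
        hi = ipaddress.ip_address(high) if high else lo
        self.excluded.update(ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1))

    def _next_free(self) -> Optional[ipaddress.IPv4Address]:
        in_use = set(self.leases.values()) | set(self.offers.values())
        for ip in self.net.hosts():                           # skips network and broadcast
            # Assumption of this model: the default router's own address is never offered.
            if ip == self.default_router or ip in self.excluded or ip in in_use:
                continue
            return ip
        return None

    def handle(self, msg: dict) -> Optional[dict]:
        """Process one client message and return the server's reply (None = no reply)."""
        mac = msg["mac"]
        if msg["type"] == "DISCOVER":                         # broadcast by the client
            ip = self.leases.get(mac)
            if ip is None:
                ip = self.offers.get(mac)
            if ip is None:
                ip = self._next_free()
            if ip is None:
                return None                                   # pool exhausted: no OFFER
            self.offers[mac] = ip
            return {"type": "OFFER", "yiaddr": str(ip), "router": str(self.default_router),
                    "dns": self.dns_server, "lease": self.lease_seconds}
        if msg["type"] == "REQUEST":                          # broadcast, names the offered address
            ip = ipaddress.ip_address(msg["requested"])
            if self.offers.get(mac) != ip and self.leases.get(mac) != ip:
                return {"type": "NAK"}                        # not what this client was offered
            self.leases[mac] = ip
            self.offers.pop(mac, None)
            return {"type": "ACK", "yiaddr": str(ip), "router": str(self.default_router),
                    "dns": self.dns_server, "lease": self.lease_seconds}
        return None


def dora(server: DhcpServer, mac: str) -> Optional[dict]:
    """Client side of the exchange: DISCOVER -> OFFER -> REQUEST -> ACK."""
    offer = server.handle({"type": "DISCOVER", "mac": mac})
    if offer is None:
        return None
    ack = server.handle({"type": "REQUEST", "mac": mac, "requested": offer["yiaddr"]})
    return ack if ack and ack["type"] == "ACK" else None


def build_lab_server() -> DhcpServer:
    """The pool from LAB 15: 192.168.20.0/24, gateway and DNS 192.168.20.1, .20-.30 excluded."""
    srv = DhcpServer("192.168.20.0/24", "192.168.20.1", "192.168.20.1")
    srv.exclude("192.168.20.20", "192.168.20.30")
    return srv


if __name__ == "__main__":
    srv = build_lab_server()
    for mac in ("00:11:22:33:44:01", "00:11:22:33:44:02"):
        print(mac, "->", dora(srv, mac))
```

A client that sends a Request for an address it was never offered gets a NAK, and a repeated Discover from a MAC that already holds a lease gets its existing address back rather than a new one; both are worth checking when a DHCP server is being tested, because they are the cases where address conflicts and pool exhaustion start.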
Verification:
On PC0 and PC1 enable DHCP.
Here we see that both PCs obtain IP addresses and the other parameters dynamically.
Ping from host to host and from host to router or switch.
LAB 16: DHCP SERVER CONFIGURATION ON CISCO SWITCH
Here the switch will act as the DHCP server. The IP address 192.168.20.2 is already assigned to
the server, so this address will be excluded from the DHCP pool to avoid an IP address
conflict.
Switch#conf t
Switch(config)#ip dhcp pool ashish-pool
Switch(dhcp-config)#network 192.168.20.0 255.255.255.0
Switch(dhcp-config)#default-router 192.168.20.1
Switch(dhcp-config)#dns-server 192.168.20.1
Switch(dhcp-config)#exit
Switch(config)#ip dhcp excluded-address 192.168.20.10 192.168.20.20
Switch(config)#interface vlan 1
Switch(config-if)#ip address 192.168.20.1 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit
Verification
On PC0 and PC1 enable DHCP.
Also ping from PC0 to PC1 and to the default gateway.
LAB 17: Static route configuration
Overview of Static Routing
- Routes are configured manually
- Administrative distance value 0
- Reduces CPU/RAM overhead and saves bandwidth
- Static routes are not advertised over the network
- Not fault-tolerant
- Initial configuration and maintenance is time-consuming
- Not appropriate for complex topologies
DU Router (Basic Configuration)
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname DU
DU(config)#enable secret cisco123
DU(config)#line console 0
DU(config-line)#password cisco
DU(config-line)#login
DU(config-line)#exit
DU(config)#line vty 0 5
DU(config-line)#password cisco
DU(config-line)#login
DU(config-line)#exit
DU(config)#interface fastEthernet 0/0
DU(config-if)#description connectivity from DU to BUET
DU(config-if)#ip address 192.168.20.1 255.255.255.0
DU(config-if)#no shutdown
DU(config)#interface fastEthernet 0/1
DU(config-if)#description connectivity to Local Network
DU(config-if)#ip address 192.168.10.1 255.255.255.0
DU(config-if)#no shutdown
DU(config-if)#exit
BUET Router (Basic Configuration)
Router(config)#hostname BUET
BUET(config)#enable secret cisco123
BUET(config)#line console 0
BUET(config-line)#password cisco
BUET(config-line)#login
BUET(config-line)#exit
BUET(config)#line vty 0 5
BUET(config-line)#password cisco
BUET(config-line)#login
BUET(config-line)#exit
BUET(config)#interface fastEthernet 0/0
BUET(config-if)#description Connectivity from BUET to DU
BUET(config-if)#ip address 192.168.20.2 255.255.255.0
BUET(config-if)#no shutdown
BUET(config-if)#exit
BUET(config)#interface fastEthernet 0/1
BUET(config-if)#description connectivity from BUET to its Local Network
BUET(config-if)#ip address 192.168.30.1 255.255.255.0
BUET(config-if)#no shutdown
BUET(config-if)#exit
Now assign IP addresses to the hosts
Try to ping from PC0 to PC1:
C:>ping 192.168.30.2
Pinging 192.168.30.2 with 32 bytes of data:
Reply from 192.168.10.1: Destination host unreachable.
Reply from 192.168.10.1: Destination host unreachable.
Reply from 192.168.10.1: Destination host unreachable.
Reply from 192.168.10.1: Destination host unreachable.
Thus we need routing, either static or dynamic, right?
Let us start with static routing.
DU Router
DU(config)#ip route 192.168.30.0 255.255.255.0 192.168.20.2
BUET Router
BUET(config)#ip route 192.168.10.0 255.255.255.0 192.168.20.1
Rules of static routes
Router(config)# ip route [destination_network] [subnet_mask] [next-hop]
On point-to-point links, an exit interface can be specified instead of a next-hop address:
Router(config)# ip route [destination_network] [subnet_mask] [exit-interface]
So for the previous example, instead of the next-hop IP address we can specify the exit
interface as follows, but only if the two routers are connected point-to-point:
DU(config)#ip route 192.168.30.0 255.255.255.0 fastEthernet 0/0
BUET(config)#ip route 192.168.10.0 255.255.255.0 fastEthernet 0/0
Now ping again:
C:>ping 192.168.30.2
Reply from 192.168.30.2: bytes=32 time<1ms TTL=126
Reply from 192.168.30.2: bytes=32 time<1ms TTL=126
Reply from 192.168.30.2: bytes=32 time<1ms TTL=126
Reply from 192.168.30.2: bytes=32 time<1ms TTL=126
Telnet to the BUET router:
C:>telnet 192.168.20.2
Trying 192.168.20.2 ...Open
User Access Verification
Password:
Password:
BUET>
Success, right?
Other verification commands:
BUET#show ip route
Gateway of last resort is not set
S 192.168.10.0/24 [1/0] via 192.168.20.1
C 192.168.20.0/24 is directly connected, FastEthernet0/0
C 192.168.30.0/24 is directly connected, FastEthernet0/1
S represents a static route
C represents a directly connected route
LAB 18 : Static Default Routing
A default route is a special type of static route. Default routing is used in stub networks: a stub
network has only one way for traffic to go to reach several different networks.
A DEFAULT ROUTE is sometimes called a zero/zero route because the network and subnet mask we
specify as the destination it matches are all zeros.
A DEFAULT ROUTE says "for any traffic that DOES NOT match a specific route in the routing
table, forward that traffic to this destination (next-hop router IP address)". In other
words, a default route is a "CATCH ALL".
In a default route, both the network and the subnet mask are zero (0.0.0.0 0.0.0.0):
ip route 0.0.0.0 0.0.0.0 next-hop-router-IP-address
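The "catch all" behaviour described here, together with the specific static routes of LAB 17, is a longest-prefix-match lookup. The following Python model is an added example, not code from the lab guide: it parses ip route commands in the form shown above into table entries, mirrors the DU and CUSTOMER routing tables from these two labs, and shows that a more specific prefix always beats 0.0.0.0/0 while the default route answers for everything else. The destination addresses looked up are constructed sample values.

```python
"""Longest-prefix-match lookup over routing tables like the ones in LAB 17 and LAB 18.

Added example, not from the lab guide. It models how a router picks a route:
the most specific matching prefix wins, and 0.0.0.0/0 (the default route,
shown as S*) matches anything that no other route matches. Table entries
mirror the labs' 'show ip route' output; the packet destinations are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

AD = {"C": 0, "S": 1, "D": 90, "R": 120}   # administrative distance per route source


@dataclass(frozen=True)
class Route:
    code: str            # C, S, S*, R, D
    prefix: str          # e.g. "192.168.30.0/24"
    via: str             # next-hop address or exit interface

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.prefix)


def parse_ip_route(cmd: str) -> Route:
    """Turn 'ip route <network> <mask> <next-hop | exit-interface>' into a Route."""
    parts = cmd.split()
    if parts[:2] != ["ip", "route"] or len(parts) < 5:
        raise ValueError(f"not an ip route command: {cmd!r}")
    net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}")   # dotted mask is accepted here
    via = " ".join(parts[4:])                                # 'fastEthernet 0/0' stays two words
    code = "S*" if net.prefixlen == 0 else "S"               # zero/zero route is the default route
    return Route(code, str(net), via)


def lookup(table: list, dst: str) -> Optional[Route]:
    """Longest prefix match; equal prefix lengths are broken by lower administrative distance."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in table if ip in r.network]
    if not candidates:
        return None                                          # no route, not even a default: dropped
    return max(candidates, key=lambda r: (r.network.prefixlen, -AD[r.code.rstrip("*")]))


# DU router from LAB 17: two connected networks plus the static route to BUET's LAN.
DU_TABLE = [
    Route("C", "192.168.20.0/24", "FastEthernet0/0"),
    Route("C", "192.168.10.0/24", "FastEthernet0/1"),
    parse_ip_route("ip route 192.168.30.0 255.255.255.0 192.168.20.2"),
]

# CUSTOMER router from LAB 18: connected networks plus the default route to the ISP.
CUSTOMER_TABLE = [
    Route("C", "192.168.10.0/24", "FastEthernet0/1"),
    Route("C", "103.13.148.0/29", "FastEthernet0/0"),
    parse_ip_route("ip route 0.0.0.0 0.0.0.0 103.13.148.2"),
]


if __name__ == "__main__":
    for dst in ("192.168.30.2", "8.8.8.8"):
        print("DU:", dst, "->", lookup(DU_TABLE, dst))
    for dst in ("192.168.10.5", "100.100.100.2"):
        print("CUSTOMER:", dst, "->", lookup(CUSTOMER_TABLE, dst))
```

The DU table has no default route, so a destination outside the three known networks returns None (the router would reply "destination unreachable", as in the first ping of LAB 17), whereas the CUSTOMER table sends the same destination to the ISP.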
Normally the customer's route to the ISP is a default route and the ISP's route to the customer
is a normal static route, as shown below:
Objective:
- Basic configuration on routers CUSTOMER and ISP
- Static default route to INTERNET on the CUSTOMER router
- Static route to the CUSTOMER LAN on the ISP router
- Verification
Configuration
Basic Configuration on Router CUSTOMER and ISP
CUSTOMER Router
Router(config)#hostname CUSTOMER
CUSTOMER(config)#interface fastEthernet 0/1
CUSTOMER(config-if)#description CUSTOMER LAN
CUSTOMER(config-if)#ip address 192.168.10.1 255.255.255.0
CUSTOMER(config-if)#no shutdown
CUSTOMER(config-if)#exit
CUSTOMER(config)#interface fastEthernet 0/0
CUSTOMER(config-if)#description Connectivity to ISP
CUSTOMER(config-if)#ip address 103.13.148.1 255.255.255.248
CUSTOMER(config-if)#no shutdown
ISP ROUTER
Router(config)#hostname ISP
ISP(config)#interface fastEthernet 0/0
ISP(config-if)#description Connectivity to CUSTOMER ROUTER
ISP(config-if)#ip address 103.13.148.2 255.255.255.248
ISP(config-if)#no shutdown
ISP(config-if)#exit
ISP(config)#interface fastEthernet 1/0
ISP(config-if)#description Connectivity to INTERNET
ISP(config-if)#ip address 100.100.100.1 255.255.255.0
ISP(config-if)#no shutdown
Static default route to INTERNET on the CUSTOMER router
CUSTOMER(config)#ip route 0.0.0.0 0.0.0.0 103.13.148.2
Static route to the CUSTOMER LAN on the ISP router
ISP(config)#ip route 192.168.10.0 255.255.255.0 103.13.148.1
Assign IP addresses to the hosts.
Verification
Ping from PC0 to PC1:
C:>ping 100.100.100.2
Reply from 100.100.100.2: bytes=32 time=1ms TTL=126
Reply from 100.100.100.2: bytes=32 time<1ms TTL=126
Reply from 100.100.100.2: bytes=32 time<1ms TTL=126
Reply from 100.100.100.2: bytes=32 time<1ms TTL=126
Successful.
Now on the CUSTOMER router:
S* indicates the default route
On the ISP router:
S indicates a static route
LAB 19: RIPv2 Configuration
Dynamic Routing Protocols
- Interior Gateway Protocols - RIP, IGRP, EIGRP, OSPF, IS-IS
  - Distance vector - RIP, IGRP
  - Link-state - OSPF, IS-IS
  - Hybrid - EIGRP
- Exterior Gateway Protocol - BGP
IGPs are used for routing within networks that are under a common network administration,
whereas EGPs (exterior gateway protocols) are used to exchange routing information between
such networks.
RIP - Distance Vector Routing Protocol
RIP Fundamentals (RIPv2)
- Distance-vector protocol.
- Uses UDP port 520.
- Classless protocol (support for CIDR).
- Supports VLSM.
- Metric is router hop count.
- Maximum hop count is 15; infinite (unreachable) routes have a metric of 16.
- Periodic route updates sent every 30 seconds to multicast address 224.0.0.9.
- 25 routes per RIP message (24 if you use authentication).
- Supports authentication.
- Implements split horizon with poison reverse.
- Implements triggered updates.
- Subnet mask included in each route entry.
- Administrative distance for RIPv2 is 120.
- Used in small, flat networks or at the edge of larger networks.
- Prevents routing loops (split horizon, route poisoning, hold-down timers and
maximum hop count).
Hello and Dead Time
Protocol   Hello interval                          Dead / hold interval
RIPv2      Update every 30 sec                     Invalid after 30*6 = 180 sec;
                                                   hold-down 180 sec; flush 240 sec
EIGRP      5 sec (point-to-point)                  15 sec
           60 sec (NBMA)                           180 sec
OSPF       10 sec (PPP; broadcast is the same)     40 sec
           30 sec (point-to-multipoint)            120 sec
RIPv2 CONFIGURATION LAB
Objective:
- Basic configuration of the routers
- Assign IP addresses to hosts
- RIP configuration
- Configure a passive interface
- Configure authentication (MD5)
1. Basic Configuration of Router
DU Router
Router(config)#hostname DU
DU(config)#interface fastEthernet 0/1
DU(config-if)#description Connected to LAN
DU(config-if)#ip address 192.168.10.1 255.255.255.0
DU(config-if)#no shutdown
DU(config-if)#exit
DU(config)#interface fastEthernet 0/0
DU(config-if)#ip address 103.13.148.1 255.255.255.248
DU(config-if)#no shutdown
DU(config-if)#description Connected to BUET router
BUET
Router(config)#hostname BUET
BUET(config)#interface fastEthernet 0/0
BUET(config-if)#description to DU Router
BUET(config-if)#ip address 103.13.148.2 255.255.255.248
BUET(config-if)#no shutdown
BUET(config)#interface fastEthernet 0/1
BUET(config-if)#description connected to BUET LAN
BUET(config-if)#ip address 100.100.100.1 255.255.255.0
BUET(config-if)#no shutdown
2. Assign IP addresses to the hosts
RIP Configuration
DU(config)#router rip
DU(config-router)#version 2
DU(config-router)#network 192.168.10.0
DU(config-router)#network 103.13.148.0
DU(config-router)#no auto-summary
BUET(config)#router rip
BUET(config-router)#version 2
BUET(config-router)#network 100.100.100.0
BUET(config-router)#network 103.13.148.0
BUET(config-router)#no auto-summary
The network command enables RIP on the interfaces that belong to the specified network and
sends RIP updates out of them; we specify only the directly connected networks of this router.
Auto-summarization is turned on by default for RIPv2 and EIGRP, although these are classless
routing protocols, so you have to turn it off manually with the "no auto-summary"
command.
Verification
R indicates RIP-learned routes
Ping from the DU LAN to the BUET LAN:
C:>ping 100.100.100.100
Pinging 100.100.100.100 with 32 bytes of data:
Reply from 100.100.100.100: bytes=32 time=2ms TTL=126
Reply from 100.100.100.100: bytes=32 time<1ms TTL=126
Reply from 100.100.100.100: bytes=32 time<1ms TTL=126
Reply from 100.100.100.100: bytes=32 time<1ms TTL=126
LAB 20 : Configure Passive Interface
RIP updates are sent out of every interface covered by a network command.
But we do not need to send updates everywhere: in our LAB the DU router does not need to
send RIP updates towards the LAN switch.
We can use the passive-interface command to stop RIP updates from being sent out of an interface.
DU(config)#router rip
DU(config-router)#passive-interface fastEthernet 0/1
Verification
DU#show ip protocols
Routing Protocol is "rip"
Sending updates every 30 seconds, next due in 17 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Redistributing: rip
Default version control: send version 2, receive 2
Interface Send Recv Triggered RIP Key-chain
FastEthernet0/0 2 2
Automatic network summarization is not in effect
Maximum path: 4
Routing for Networks:
103.0.0.0
192.168.10.0
Passive Interface(s):
FastEthernet0/1
Routing Information Sources:
Gateway Distance Last Update
103.13.148.2 120 00:00:04
Distance: (default is 120)
DU#
RIP now sends updates only to 224.0.0.9 (multicast address) via F0/0 (103.13.148.1), not
towards 192.168.10.0/24.
BUET#show ip route rip
103.0.0.0/29 is subnetted, 1 subnets
R 192.168.10.0/24 [120/1] via 103.13.148.1, 00:00:15, FastEthernet0/0
We can see that the network is still advertised, but no RIP updates are sent
towards the DU LAN.
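The RIP fundamentals listed in LAB 19 (hop-count metric, 16 as infinity, split horizon with poison reverse) and the passive interface of LAB 20 can be seen working together in one small model. The following Python is an added example, not code from the lab guide: DU and BUET are built from the lab's addresses, each router produces the update it would send out of an interface (nothing out of a passive one, poisoned entries for routes learned through that interface) and processes what it receives, and a constructed link failure on DU's LAN shows the poisoned route being withdrawn at BUET. A connected network is stored with metric 0 and advertised with metric 1, which matches the "metric 1" entries in the debug output later in this chapter.

```python
"""RIPv2 update handling: split horizon with poison reverse, hop-count metric,
16 as infinity and the passive interface (LAB 19 and LAB 20).

Added example, not from the lab guide. It models what the DU and BUET routers
do with their updates; a connected network is stored with metric 0 and
advertised with metric 1, as the debug output in these labs shows. Interface
names, addresses and the passive interface follow the lab topology; the
link-failure scenario in the test is constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

INFINITY = 16      # RIP metric meaning "unreachable"
MAX_HOPS = 15


@dataclass
class RipRoute:
    prefix: str
    metric: int                  # hop count as stored in this router's table
    next_hop: Optional[str]      # None for a directly connected network
    interface: str               # interface the prefix is reachable through


@dataclass
class RipRouter:
    name: str
    interfaces: dict             # interface name -> (own address, connected prefix)
    passive: set = field(default_factory=set)
    routes: dict = field(default_factory=dict)   # prefix -> RipRoute

    def __post_init__(self):
        for ifname, (_addr, prefix) in self.interfaces.items():
            self.routes[prefix] = RipRoute(prefix, 0, None, ifname)

    def build_update(self, out_if: str) -> Optional[list]:
        """Entries sent out of out_if, or None when the interface is passive."""
        if out_if in self.passive:
            return None
        entries = []
        for r in self.routes.values():
            if r.interface == out_if:
                metric = INFINITY                          # split horizon with poison reverse
            else:
                metric = min(r.metric + 1, INFINITY)       # one more hop for the receiver
            entries.append((r.prefix, metric))
        return entries

    def receive_update(self, in_if: str, from_ip: str, entries: Optional[list]) -> list:
        """Install or refresh routes from a neighbour's update; returns the changed prefixes."""
        changed = []
        for prefix, metric in entries or []:
            metric = min(metric, INFINITY)
            cur = self.routes.get(prefix)
            if cur is None:
                if metric <= MAX_HOPS:                     # unreachable news for an unknown prefix is ignored
                    self.routes[prefix] = RipRoute(prefix, metric, from_ip, in_if)
                    changed.append(prefix)
            elif cur.next_hop == from_ip:
                if metric != cur.metric:                   # current next hop reports a change (maybe poison)
                    cur.metric = metric
                    changed.append(prefix)
            elif metric < cur.metric:                      # a better path via another neighbour
                self.routes[prefix] = RipRoute(prefix, metric, from_ip, in_if)
                changed.append(prefix)
        return changed

    def reachable(self) -> dict:
        return {p: r.metric for p, r in self.routes.items() if r.metric < INFINITY}


def lab_routers():
    """DU and BUET from LAB 19, with DU's LAN interface passive as in LAB 20."""
    du = RipRouter("DU", {"Fa0/0": ("103.13.148.1", "103.13.148.0/29"),
                          "Fa0/1": ("192.168.10.1", "192.168.10.0/24")},
                   passive={"Fa0/1"})
    buet = RipRouter("BUET", {"Fa0/0": ("103.13.148.2", "103.13.148.0/29"),
                              "Fa0/1": ("100.100.100.1", "100.100.100.0/24")})
    return du, buet


def exchange(du: RipRouter, buet: RipRouter) -> None:
    """One update period over the Fa0/0 link in both directions."""
    buet.receive_update("Fa0/0", "103.13.148.1", du.build_update("Fa0/0"))
    du.receive_update("Fa0/0", "103.13.148.2", buet.build_update("Fa0/0"))


if __name__ == "__main__":
    du, buet = lab_routers()
    exchange(du, buet)
    print("BUET reachable:", buet.reachable())
    print("DU update out of Fa0/1 (passive):", du.build_update("Fa0/1"))
    print("BUET update out of Fa0/0:", buet.build_update("Fa0/0"))
```

Note what the passive interface does and does not do: DU still installs routes and still advertises 192.168.10.0/24 to BUET, it only stops sending updates into the LAN, which is exactly what the show ip route rip output on BUET above confirms.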
LAB 21: Configure RIP Authentication
Plain text authentication is the default mode for RIPv2 packets when
authentication is enabled. Plain text authentication should not be used when security is a
concern, because the unencrypted authentication password is sent in every RIPv2 packet. Note:
RIP version 1 (RIPv1) does not support authentication.
I have used GNS3 to configure this LAB.
Objective:
1. Basic configuration of Router R1 and R2
2. Configure RIP
3. Assign IP address to hosts
4. Verify Configuration
5. Configure Authentication
6. Verify
Basic configuration of Router R1 (DU)
DU(config)#interface fastEthernet 0/0
DU(config-if)#ip address 192.168.10.1 255.255.255.0
DU(config-if)#no shutdown
DU(config-if)#exit
DU(config)#interface fastEthernet 0/1
DU(config-if)#ip address 192.168.20.1 255.255.255.0
DU(config-if)#no shutdown
DU(config-if)#exit
RIP Configuration
DU(config)#router rip
DU(config-router)#version 2
DU(config-router)#network 192.168.10.0
DU(config-router)#network 192.168.20.0
DU(config-router)#no auto-summary
DU(config-router)#end
Basic configuration of Router R2 (BUET)
BUET#conf t
Enter configuration commands, one per line. End with CNTL/Z.
BUET(config)#interface fastEthernet 0/0
BUET(config-if)#ip address 192.168.10.2 255.255.255.0
BUET(config-if)#no shutdown
BUET(config-if)#exit
BUET(config)#interface fastEthernet 0/1
BUET(config-if)#ip address 192.168.30.1 255.255.255.0
BUET(config-if)#no shutdown
BUET(config-if)#exit
Configure RIP on R2 (BUET)
BUET(config)#router rip
BUET(config-router)#version 2
BUET(config-router)#network 192.168.10.0
BUET(config-router)#network 192.168.30.0
BUET(config-router)#no auto-summary
BUET(config-router)#end
BUET#
Assign IP addresses to the hosts and verify connectivity using the ping command:
DU#show ip route rip
R 192.168.30.0/24 [120/1] via 192.168.10.2, 00:00:26, FastEthernet0/0
DU#
R2#show ip route rip
R 192.168.20.0/24 [120/1] via 192.168.10.1, 00:00:27, FastEthernet0/0
R2#
Configure Authentication
MD5 Authentication
The Cisco implementation of RIPv2 supports MD5 authentication. This provides a higher level
of security than clear text. Both router interfaces need to be configured with MD5
authentication. The key number and key string must match on both sides, or authentication
will fail.
DU Router
DU(config)#key chain venus
(Name a key chain)
DU(config-keychain)#key 1
(This is the identification number of an authentication key on the key chain)
DU(config-keychain-key)#key-string ashish
(The actual password or key-string. It needs to be identical to the key-string
on the remote router)
DU(config-keychain-key)#exit
DU(config-keychain)#exit
BUET Router
BUET(config)#key chain venus
BUET(config-keychain)#key 1
BUET(config-keychain-key)#key-string ashish
BUET(config-keychain-key)#exit
BUET(config-keychain)#exit
BUET(config)#
Apply it to the interface
DU(config)#interface fastEthernet 0/0
DU(config-if)#ip rip authentication mode md5
Now use the debug command to check what happens when MD5 is enabled on the DU router but
not on the BUET router:
BUET#debug ip rip
RIP protocol debugging is on
BUET#
*Mar 1 00:09:03.883: RIP: ignored v2 packet from 192.168.10.1 (invalid authentication)
*Mar 1 00:09:03.951: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (192.168.10.2)
*Mar 1 00:09:03.951: RIP: build update entries
*Mar 1 00:09:03.951: 192.168.30.0/24 via 0.0.0.0, metric 1, tag 0
*Mar 1 00:09:09.847: 192.168.20.0/24 via 0.0.0.0, metric 2, tag 0u
BUET#undebug all
BUET ROUTER
BUET(config)#interface fastEthernet 0/0
BUET(config-if)#ip rip authentication mode md5
BUET(config-if)#end
Now verify:
BUET#debug ip rip
RIP protocol debugging is on
BUET#
*Mar 1 00:09:58.267: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (192.168.10.2)
*Mar 1 00:09:58.267: RIP: build update entries
*Mar 1 00:09:58.267: 192.168.30.0/24 via 0.0.0.0, metric 1, tag 0
*Mar 1 00:09:59.131: RIP: received packet with MD5 authentication
*Mar 1 00:09:59.131: RIP: received v2 update from 192.168.10.1 on FastEthernet0/0
*Mar 1 00:09:59.135: 192.168.20.0/24 via 0.0.0.0 in 1 hops
BUET #undebug all
All possible debugging has been turned off
Plain text Authentication
DU(config)#interface fastEthernet 0/0
DU(config-if)#ip rip authentication key-chain venus
DU(config-if)#end
BUET(config)#int fastEthernet 0/0
BUET(config-if)#ip rip authentication key-chain venus
BUET(config-if)#end
Verification
DU#debug ip rip
RIP protocol debugging is on
DU#
*Mar 1 00:07:21.115: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/1
(192.168.20.1)
*Mar 1 00:07:21.115: RIP: build update entries
*Mar 1 00:07:21.115: 192.168.10.0/24 via 0.0.0.0, metric 1, tag 0
*Mar 1 00:07:21.119: 192.168.30.0/24 via 0.0.0.0, metric 2, tag 0
DU#
*Mar 1 00:07:39.775: RIP: received packet with text authentication ashish
*Mar 1 00:07:39.775: RIP: received v2 update from 192.168.10.2 on FastEthernet0/0
*Mar 1 00:07:39.779: 192.168.30.0/24 via 0.0.0.0 in 1 hops
DU#
*Mar 1 00:07:41.939: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0
(192.168.10.1)
*Mar 1 00:07:41.939: RIP: build update entries
*Mar 1 00:07:41.939: 192.168.20.0/24 via 0.0.0.0, metric 1, tag 0
DU#
*Mar 1 00:07:48.647: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/1
(192.168.20.1)
*Mar 1 00:07:48.647: RIP: build update entries
*Mar 1 00:07:48.647: 192.168.10.0/24 via 0.0.0.0, metric 1, tag 0
*Mar 1 00:07:48.651: 192.168.30.0/24 via 0.0.0.0, metric 2, tag 0
DU#undebug all
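What the two debug sessions above show on the wire (the "invalid authentication" rejection under MD5, and the key-string printed in clear under plain-text authentication) follows from the RIPv2 packet layout. The following Python is an added example, not code from the lab guide: it builds the RIPv2 update that DU sends with key id 1 and key-string ashish from key chain venus, using the keyed-MD5 scheme of RFC 2082 (the padded key is placed where the digest goes, MD5 is taken over the whole packet, and the digest replaces the key), then verifies it as BUET would with a matching key, a wrong key, a wrong key id and a modified route entry. The plain-text variant shows why the password is visible to anyone capturing the segment. The sequence number and the single route entry are constructed.

```python
"""RIPv2 authentication on the wire: keyed MD5 (RFC 2082) versus plain text.

Added example, not from the lab guide. It builds the RIPv2 update DU sends in
LAB 21 with key id 1 / key-string 'ashish' from key chain 'venus', verifies it
the way BUET would, and shows what a mismatched key, a wrong key id and a
modified route entry do (BUET's 'ignored v2 packet ... (invalid authentication)').
The sequence number and the route entry are constructed.
"""
import hashlib
import hmac
import struct

RIP_RESPONSE, RIP_V2 = 2, 2
AFI_AUTH = 0xFFFF                     # address family 0xFFFF marks an authentication entry
AUTH_SIMPLE, AUTH_MD5, AUTH_TRAILER = 2, 3, 1
DIGEST_LEN = 16
AUTH_HDR = "!HHHBBI8s"                # AFI, type, packet length, key id, digest length, sequence, reserved


def _ip4(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def _entry(prefix: str, mask: str, metric: int) -> bytes:
    """One 20-byte RIPv2 route entry: AFI 2 (IP), tag 0, address, mask, next hop 0.0.0.0, metric."""
    return struct.pack("!HH4s4s4sI", 2, 0, _ip4(prefix), _ip4(mask), b"\0" * 4, metric)


def _pad_key(key: bytes) -> bytes:
    return key[:DIGEST_LEN].ljust(DIGEST_LEN, b"\0")


def build_md5_update(routes: list, key_id: int, key: bytes, seq: int) -> bytes:
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    body = b"".join(_entry(*r) for r in routes)
    packet_len = len(header) + struct.calcsize(AUTH_HDR) + len(body)   # offset of the trailer
    auth_hdr = struct.pack(AUTH_HDR, AFI_AUTH, AUTH_MD5, packet_len, key_id, DIGEST_LEN, seq, b"\0" * 8)
    trailer_hdr = struct.pack("!HH", AFI_AUTH, AUTH_TRAILER)
    # RFC 2082: the padded key occupies the digest slot while MD5 runs over the whole
    # packet, then the digest replaces it. The key itself never leaves the router.
    digest = hashlib.md5(header + auth_hdr + body + trailer_hdr + _pad_key(key)).digest()
    return header + auth_hdr + body + trailer_hdr + digest


def verify_md5_update(packet: bytes, key_chain: dict) -> bool:
    """key_chain maps key id -> key-string, like the receiver's configured key chain."""
    hdr_len = 4 + struct.calcsize(AUTH_HDR)
    if len(packet) < hdr_len + 4 + DIGEST_LEN or packet[0:2] != bytes([RIP_RESPONSE, RIP_V2]):
        return False
    afi, atype, packet_len, key_id, dlen, _seq, _res = struct.unpack(AUTH_HDR, packet[4:hdr_len])
    if (afi, atype, dlen) != (AFI_AUTH, AUTH_MD5, DIGEST_LEN) or key_id not in key_chain:
        return False
    if packet_len + 4 + DIGEST_LEN != len(packet):
        return False
    if packet[packet_len:packet_len + 4] != struct.pack("!HH", AFI_AUTH, AUTH_TRAILER):
        return False
    expected = hashlib.md5(packet[:packet_len + 4] + _pad_key(key_chain[key_id])).digest()
    return hmac.compare_digest(packet[packet_len + 4:], expected)   # constant-time compare


def build_plaintext_update(routes: list, password: bytes) -> bytes:
    """Authentication type 2: the password travels in the first entry, unprotected."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    auth = struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE, password[:16].ljust(16, b"\0"))
    return header + auth + b"".join(_entry(*r) for r in routes)


def password_on_the_wire(packet: bytes) -> bytes:
    """What a capture of the segment shows for a plain-text authenticated update."""
    afi, atype, pw = struct.unpack("!HH16s", packet[4:24])
    return pw.rstrip(b"\0") if (afi, atype) == (AFI_AUTH, AUTH_SIMPLE) else b""


if __name__ == "__main__":
    routes = [("192.168.20.0", "255.255.255.0", 1)]        # constructed: DU's LAN, metric 1
    pkt = build_md5_update(routes, 1, b"ashish", 7)
    print("matching key chain:", verify_md5_update(pkt, {1: b"ashish"}))
    print("wrong key-string:  ", verify_md5_update(pkt, {1: b"wrong"}))
    print("plain text shows:  ", password_on_the_wire(build_plaintext_update(routes, b"ashish")))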
Introduction to EIGRP
- Distance vector routing protocol.
- EIGRP was created by Cisco, which means you can only run it on Cisco hardware.
- Cisco added some of the features of link-state routing protocols to EIGRP, which
makes it far more advanced than a true distance vector routing protocol like RIP.
- EIGRP does not use broadcast packets to send information to other neighbors but
uses multicast or unicast.
- Besides IPv4 you can also use EIGRP to route IPv6 or even some older network layer protocols
like IPX or AppleTalk.
- EIGRP is 100% loop-free.
- EIGRP has its own IP protocol number, which is 88. Other protocol numbers you are
familiar with are TCP (6) and UDP (17).
- EIGRP tables:
1. Neighbor Table
2. Topology Table
3. Routing Table
- EIGRP routers start sending hello packets to other routers just like OSPF does; if
you send hello packets and receive them back, you become neighbors.
- EIGRP uses a rich set of metrics, namely bandwidth, delay, load and reliability. The
lower these metrics, the better.
- Sophisticated metric that supports load balancing across unequal-cost paths.
- Supports MD5 authentication only.
- Manual summarization at any interface.
- Uses multicast 224.0.0.10.
- EIGRP maximum hop count is 255 (all 8 bits set, 11111111).
- Neighbor discovery and maintenance: periodic hello messages.
- EIGRP neighborship conditions:
  - Both routers must be in the same primary subnet
  - Both routers must be configured to use the same K-values
  - Both routers must be in the same AS
  - Both routers must have the same authentication configuration (within reason)
  - The interfaces facing each other must not be passive
EIGRP's function is controlled by four key technologies:
- Neighbor discovery and maintenance: periodic hello messages
- The Reliable Transport Protocol (RTP): controls sending, tracking, and
acknowledging EIGRP messages
- Diffusing Update Algorithm (DUAL): determines the best loop-free route
- Protocol-dependent modules (PDM): modules are "plug-ins" for the IP, IPX, and
AppleTalk versions of EIGRP
EIGRP Neighborship Requirements and Conditions
An EIGRP router doesn't trust anyone blindly. It checks the following configuration values to
ensure that the requesting router is eligible to become its neighbor:
1. Active hello packets
2. AS number
3. K-values
- If you lose the successor because of a link failure, EIGRP copies the feasible
successor into the routing table. This is what makes EIGRP a FAST routing protocol, but
only if you have a feasible successor in the topology table.
- RIP and OSPF can both do load balancing, but the paths have to be equal-cost. EIGRP can do
unequal-cost load balancing.
EIGRP Packets and Metrics
EIGRP packets:
- Hello
- Update
- Query
- Reply
- ACK (Acknowledgement)
Neighbor Discovery and Route Exchange
Step 1. Router A sends out a hello.
Step 2. Router B sends back a hello and an update. The update contains routing information.
Step 3. Router A acknowledges the update.
Step 4. Router A sends its update.
Step 5. Router B acknowledges.
A neighbor is considered lost if no hello is received within three hello periods (called the hold
time). The default hello/hold timers are as follows:
- 5 seconds/15 seconds for multipoint circuits with bandwidth greater than T1 and for
point-to-point media
- 60 seconds/180 seconds for multipoint circuits with bandwidth less than or equal to T1
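The neighborship conditions listed earlier (same primary subnet, same AS, same K-values, matching authentication, interface not passive) and the hello/hold timers just described decide whether an adjacency forms and when it is torn down. The following Python is an added example, not code from the lab guide: it checks two interface configurations against those conditions and reports every reason an adjacency would not form, and keeps a small neighbor table that drops a peer once the hold time passes without a hello. The interface data mirrors the R1/R2 topology of the EIGRP labs; the hello timestamps are constructed, and representing "no authentication" as an empty key is an assumption of the model.

```python
"""EIGRP neighbour eligibility checks and hold-timer expiry.

Added example, not from the lab guide: two interface configurations are checked
against the neighbourship conditions (same primary subnet, same AS, same K-values,
matching authentication, not passive), and a neighbour table drops a peer whose
hold time runs out without a hello. Interface data mirrors the R1/R2 lab;
the timestamps are constructed.
"""
import ipaddress
from dataclasses import dataclass, field

DEFAULT_K = (1, 0, 1, 0, 0)          # K1..K5: bandwidth and delay only
HIGH_SPEED_TIMERS = (5, 15)          # hello/hold seconds: point-to-point and multipoint > T1
LOW_SPEED_TIMERS = (60, 180)         # hello/hold seconds: multipoint <= T1


@dataclass
class EigrpInterface:
    router: str
    name: str
    address: str                     # e.g. "192.168.10.1/24"
    asn: int                         # 'router eigrp <asn>'
    k_values: tuple = DEFAULT_K
    auth_key: str = ""               # assumption of the model: empty string = no authentication
    passive: bool = False            # 'passive-interface <name>'

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_interface(self.address).network


def adjacency_problems(a: EigrpInterface, b: EigrpInterface) -> list:
    """Reasons two interfaces would not become neighbours; an empty list means they would."""
    problems = []
    if a.network != b.network:
        problems.append("different primary subnet")
    if a.asn != b.asn:
        problems.append("AS number mismatch")
    if a.k_values != b.k_values:
        problems.append("K-value mismatch")
    if a.auth_key != b.auth_key:
        problems.append("authentication mismatch")
    if a.passive or b.passive:
        problems.append("interface passive")   # '%DUAL-5-NBRCHANGE ... is down: interface passive'
    return problems


@dataclass
class NeighborTable:
    hold_time: int                                  # seconds without a hello before the peer is dropped
    neighbors: dict = field(default_factory=dict)   # neighbour address -> time of last hello

    def hello_received(self, ip: str, now: float) -> None:
        self.neighbors[ip] = now                    # every hello restarts the hold timer

    def expire(self, now: float) -> list:
        """Drop neighbours whose hold timer ran out; returns the addresses dropped."""
        dead = [ip for ip, last in self.neighbors.items() if now - last > self.hold_time]
        for ip in dead:
            del self.neighbors[ip]
        return dead


if __name__ == "__main__":
    r1 = EigrpInterface("R1", "Fa0/0", "192.168.10.1/24", 10)
    r2 = EigrpInterface("R2", "Fa0/0", "192.168.10.2/24", 10)
    print("R1-R2:", adjacency_problems(r1, r2) or "adjacency forms")
    r2_wrong = EigrpInterface("R2", "Fa0/0", "192.168.10.2/24", 20, passive=True)
    print("R1-R2 (AS 20, passive):", adjacency_problems(r1, r2_wrong))
    table = NeighborTable(hold_time=HIGH_SPEED_TIMERS[1])
    table.hello_received("192.168.10.2", now=0)
    print("dropped at t=16:", table.expire(now=16))
```

The hold time is checked against the last hello, not the first, so a neighbor that keeps sending hellos every 5 seconds is never dropped; it is only a gap longer than the hold time (15 seconds on the lab's FastEthernet link) that removes the entry and, on a real router, also removes every route learned through that neighbor.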
EIGRP Summarization
EIGRP has two ways of summarizing networks:
Automatic summarization:
- Subnets are summarized to the classful network.
- This is the default for EIGRP.
And manual summarization.
What if I entered a wrong key-string?
Authentication mismatch.
What are the K-values that EIGRP uses?
K1 = bandwidth
K2 = load
K3 = delay
K4 = reliability
K5 = MTU
LAB 22: EIGRP Neighbor Adjacency
A loopback interface is a virtual interface, i.e. an interface not associated with any hardware or
network.
Basic Configuration
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface loopback 0
R1(config-if)#ip address 10.10.10.1 255.255.255.0
R1(config-if)#exit
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 192.168.10.2 255.255.255.0
R2(config-if)#no shutdown
R2(config)#interface loopback 0
R2(config-if)#ip address 11.11.11.1 255.255.255.0
R2(config-if)#exit
EIGRP Configuration
R1(config)#router eigrp 10
R1(config-router)#network 192.168.10.0
R1(config-router)#network 10.10.10.0 0.0.0.255
R1(config-router)#no auto-summary
R1(config-router)#end
------------------------------------------------
R2(config)#router eigrp 10
R2(config-router)#network 192.168.10.0
R2(config-router)#network 11.11.11.0 0.0.0.255
R2(config-router)#no auto-summary
R2(config-router)#end
Verification
R1#debug eigrp packets hello
R1#
*Mar 1 00:21:05.583: EIGRP: Received HELLO on FastEthernet0/0 nbr 192.168.10.2
*Mar 1 00:21:05.583: AS 10, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
*Mar 1 00:21:06.139: EIGRP: Sending HELLO on Loopback0
*Mar 1 00:21:06.139: AS 10, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Mar 1 00:21:06.139: EIGRP: Received HELLO on Loopback0 nbr 10.10.10.1
*Mar 1 00:21:06.139: AS 10, Flags 0x0, Seq 0/0 idbQ 0/0
R1#undebug all
LAB 23 : EIGRP Passive Interface
If we want to advertise a network in EIGRP but do not want to send hello packets
everywhere, we can use this feature.
Basic Configuration
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface loopback 0
R1(config-if)#ip address 10.10.10.1 255.255.255.0
R1(config-if)#exit
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 192.168.10.2 255.255.255.0
R2(config-if)#no shutdown
R2(config)#interface loopback 0
R2(config-if)#ip address 11.11.11.1 255.255.255.0
R2(config-if)#exit
EIGRP Configuration
R1(config)#router eigrp 10
R1(config-router)#network 192.168.10.0
R1(config-router)#network 10.10.10.0 0.0.0.255
R1(config-router)#no auto-summary
R1(config-router)#end
------------------------------------------------
R2(config)#router eigrp 10
R2(config-router)#network 192.168.10.0
R2(config-router)#network 11.11.11.0 0.0.0.255
R2(config-router)#no auto-summary
R2(config-router)#end
We can configure a passive interface in two ways. First we apply the first method on router R1
and the second method on router R2.
R1#conf t
R1(config)#router eigrp 10
R1(config-router)#passive-interface default
*Mar 1 00:27:50.875: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor
192.168.10.2 (FastEthernet0/0) is down: interface passive
R1(config-router)#no passive-interface fastEthernet 0/0
*Mar 1 00:28:00.727: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor
192.168.10.2 (FastEthernet0/0) is up: new adjacency
R1(config-router)#
The passive-interface default command makes all interfaces passive; we then re-enable the
specific interface with the "no passive-interface" command.
N.B. The interface facing a neighbor must not be passive, otherwise no neighborship will be formed
with that neighbor router.
Verification
R1#show ip protocols
Routing Protocol is "eigrp 10"
Routing for Networks:
10.10.10.0/24
192.168.10.0
Passive Interface(s):
Serial0/0
FastEthernet0/1
Serial0/1
Serial0/2
FastEthernet1/0
Loopback0
VoIP-Null0
Second Method
R2(config)#router eigrp 10
R2(config-router)#passive-interface loopback 0
R2(config-router)#
This is another way to make the interface passive.
R2#show ip protocols
Routing Protocol is "eigrp 10"
Routing for Networks:
11.11.11.0/24
192.168.10.0
Passive Interface(s):
Loopback0
Routing Information Sources:
Gateway Distance Last Update
(this router) 90 00:23:10
192.168.10.1 90 00:05:44
Distance: internal 90 external 170
-------------------------------------------------------------------------------------------------
R2#debug eigrp packets hello
EIGRP Packets debugging is on
(HELLO)
R2#
*Mar 1 00:37:39.787: EIGRP: Sending HELLO on FastEthernet0/0
*Mar 1 00:37:39.787: AS 10, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
R2#
*Mar 1 00:37:42.255: EIGRP: Received HELLO on FastEthernet0/0 nbr 192.168.10.1
*Mar 1 00:37:42.259: AS 10, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
R2#
*Mar 1 00:37:44.567: EIGRP: Sending HELLO on FastEthernet0/0
*Mar 1 00:37:44.567: AS 10, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
R2#
*Mar 1 00:37:46.671: EIGRP: Received HELLO on FastEthernet0/0 nbr 192.168.10.1
*Mar 1 00:37:46.671: AS 10, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
R2#
*Mar 1 00:37:49.563: EIGRP: Sending HELLO on FastEthernet0/0
*Mar 1 00:37:49.563: AS 10, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
R2#undebu
*Mar 1 00:37:51.143: EIGRP: Received HELLO on FastEthernet0/0 nbr 192.168.10.1
*Mar 1 00:37:51.147: AS 10, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
R2#undebug all
All possible debugging has been turned off
R2#
*Mar 1 00:37:53.871: EIGRP: Sending HELLO on FastEthernet0/0
*Mar 1 00:37:53.871: AS 10, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
R2#
------------------------------------------------------------------------------------------------------------------------------------------
LAB 24: EIGRP Authentication
EIGRP only supports the MD5 authentication method.
EIGRP provides benefits like fast convergence, incremental updates and support for multiple
network layer protocols. EIGRP supports Message Digest 5 (MD5) authentication to prevent
malicious and incorrect routing information from being introduced into the routing table of a
Cisco router.
Basic Configuration
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface loopback 0
R1(config-if)#ip address 10.10.10.1 255.255.255.0
R1(config-if)#exit
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 192.168.10.2 255.255.255.0
R2(config-if)#no shutdown
R2(config)#interface loopback 0
R2(config-if)#ip address 11.11.11.1 255.255.255.0
R2(config-if)#exit
EIGRP Configuration
R1(config)#router eigrp 10
R1(config-router)#network 192.168.10.0
R1(config-router)#network 10.10.10.0 0.0.0.255
R1(config-router)#no auto-summary
R1(config-router)#end
R2(config)#router eigrp 10
R2(config-router)#network 192.168.10.0
R2(config-router)#network 11.11.11.0 0.0.0.255
R2(config-router)#no auto-summary
R2(config-router)#end
EIGRP Authentication
R1(config)#key chain venus
Specify the key chain name
R1(config-keychain)#key 1
Specify the key ID within the key chain
R1(config-keychain-key)#key-string ccnp
Specify the password (key string)
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip authentication mode eigrp 10 md5
Specify MD5 authentication for the EIGRP packets of AS 10
R1(config-if)#ip authentication key-chain eigrp 10 venus
Apply the key chain on the interface connecting to the other router.
N.B. A shared authentication key, identical on both routers, must be configured. The password is known as the 'key'.
R2(config)#key chain venus
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string ccnp
R2(config-keychain-key)#exit
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip authentication mode eigrp 10 md5
R2(config-if)#ip authentication key-chain eigrp 10 venus
*Mar 1 01:31:02.455: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor
192.168.10.1 (FastEthernet0/0) is up: new adjacency
R2(config-if)#
R1#show ip eigrp interfaces detail
IP-EIGRP interfaces for process 10
Xmit Queue Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable SRTT Un/Reliable Flow Timer Routes
Fa0/0 1 0/0 29 0/2 144 0
Hello interval is 5 sec
Next xmit serial <none>
Un/reliable mcasts: 0/5 Un/reliable ucasts: 10/13
Mcast exceptions: 5 CR packets: 4 ACKs suppressed: 0
Retransmissions sent: 3 Out-of-sequence rcvd: 1
Authentication mode is md5, key-chain is "venus"
Use multicast
LAB 25: Configure EIGRP Hold time and Hello time
Basic Configuration
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface loopback 0
R1(config-if)#ip address 10.10.10.1 255.255.255.0
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 192.168.10.2 255.255.255.0
R2(config-if)#no shutdown
R2(config)#interface loopback 0
R2(config-if)#ip address 11.11.11.1 255.255.255.0
EIGRP Configuration
R1(config)#router eigrp 10
R1(config-router)#network 192.168.10.0
R1(config-router)#network 10.10.10.0 0.0.0.255
R1(config-router)#no auto-summary
R2(config)#router eigrp 10
R2(config-router)#network 192.168.10.0
R2(config-router)#network 11.11.11.0 0.0.0.255
R2(config-router)#no auto-summary
EIGRP uses two sets of default hello and hold timers:
Hello/Hold timer 5/15 seconds (point-to-point and broadcast networks)
Hello/Hold timer 60/180 seconds (NBMA)
These defaults can be changed per interface as follows:
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip hello-interval eigrp 10 30
R1(config-if)#ip hold-time eigrp 10 90
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip hello-interval eigrp 10 300
R2(config-if)#ip hold-time eigrp 10 3600
N.B. It is possible for two routers to become EIGRP neighbors even though their hello and hold timers do not match, because each router advertises its own hold time in its hellos and the neighbor simply honors the value it receives.
LAB 26: EIGRP Summarization
Summarization is used to reduce the size of a routing table, thus reducing the load on CPU and memory.
There are two types of summarization:
- Auto summarization: advertises the classful A, B or C network to the neighbors. By default the "auto-summary" command is enabled.
- Manual summarization: this is what the lab below demonstrates.
Basic Configuration of R1 and R2
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface loopback 0
R1(config-if)#ip address 172.16.0.1 255.255.255.0
R1(config-if)#interface loopback 1
R1(config-if)#ip address 172.16.1.1 255.255.255.0
R1(config-if)#interface loopback 2
R1(config-if)#ip address 172.16.2.1 255.255.255.0
R1(config-if)#interface loopback 3
R1(config-if)#ip address 172.16.3.1 255.255.255.0
R1(config-if)#interface loopback 4
R1(config-if)#ip address 172.16.4.1 255.255.255.0
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 192.168.10.2 255.255.255.0
R2(config-if)#no shutdown
EIGRP Configuration
R1(config)#router eigrp 10
R1(config-router)#network 192.168.10.0
R1(config-router)#network 172.16.0.0
R1(config-router)#network 172.16.1.0
R1(config-router)#network 172.16.2.0
R1(config-router)#network 172.16.3.0
R1(config-router)#network 172.16.4.0
R1(config-router)#no auto-summary
-------------------------------------------------------------------
R2(config)#router eigrp 10
R2(config-router)#network 192.168.10.0
R2(config-router)#no auto-summary
R2(config-router)#end
Now see the routing table
R1#show ip route
C 192.168.10.0/24 is directly connected, FastEthernet0/0
172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
C 172.16.4.0/24 is directly connected, Loopback4
C 172.16.0.0/24 is directly connected, Loopback0
D 172.16.0.0/16 is a summary, 00:00:30, Null0
C 172.16.1.0/24 is directly connected, Loopback1
C 172.16.2.0/24 is directly connected, Loopback2
C 172.16.3.0/24 is directly connected, Loopback3
R2#show ip route
C 192.168.10.0/24 is directly connected, FastEthernet0/0
172.16.0.0/24 is subnetted, 5 subnets
D 172.16.4.0 [90/409600] via 192.168.10.1, 00:00:07, FastEthernet0/0
D 172.16.0.0 [90/409600] via 192.168.10.1, 00:00:07, FastEthernet0/0
D 172.16.1.0 [90/409600] via 192.168.10.1, 00:00:07, FastEthernet0/0
D 172.16.2.0 [90/409600] via 192.168.10.1, 00:00:07, FastEthernet0/0
D 172.16.3.0 [90/409600] via 192.168.10.1, 00:00:07, FastEthernet0/0
Router R2 receives a number of EIGRP routes from R1, so we will now reduce the size of R2's routing table.
We will create the summary on R1 (manual summarization):
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip summary-address eigrp 10 172.16.0.0 255.255.248.0
Verification
R2#show ip route
C 192.168.10.0/24 is directly connected, FastEthernet0/0
172.16.0.0/21 is subnetted, 1 subnets
D 172.16.0.0 [90/409600] via 192.168.10.1, 00:00:15, FastEthernet0/0
R2#show ip route eigrp
172.16.0.0/21 is subnetted, 1 subnets
D 172.16.0.0 [90/409600] via 192.168.10.1, 00:05:05, FastEthernet0/0
Now we can see that router R2 has only one summary route.
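Before typing ip summary-address it is worth checking what the summary actually covers. The following is an added Python example, not part of the lab guide, that takes the five /24 loopback networks R1 advertises above, computes the smallest summary that covers them (the 172.16.0.0 255.255.248.0 used in this lab) and lists the /24s that fall inside the summary without being advertised. It also handles the case of the advanced lab later on, where four loopbacks are summarized with 255.255.252.0 and no such gap exists. The network lists are constructed from the lab; the AS number 10 in the printed command is the lab's.

```python
import ipaddress

# Constructed input, taken from the lab above: the five /24 loopback networks R1 advertises.
R1_LOOPBACKS = [
    "172.16.0.0/24", "172.16.1.0/24", "172.16.2.0/24",
    "172.16.3.0/24", "172.16.4.0/24",
]


def smallest_summary(prefixes):
    """Return the single shortest prefix that still covers every prefix in the list.

    Start at the first component and keep widening the mask (supernet) until
    all components sit inside it; this is the summary an engineer would type
    after `ip summary-address eigrp`.
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


def summary_holes(summary, prefixes):
    """List the subnets inside `summary` that none of the advertised prefixes cover.

    Traffic for these 'holes' is attracted by the summary but, on the
    summarizing router, lands on the Null0 discard route that EIGRP installs
    together with the summary (see the "is a summary ... Null0" line in R1's
    routing table above).
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    summary = ipaddress.ip_network(summary)
    component_len = max(n.prefixlen for n in nets)
    return [
        str(s)
        for s in summary.subnets(new_prefix=component_len)
        if not any(s.subnet_of(n) for n in nets)
    ]


def summary_report(prefixes, eigrp_as=10):
    """Summary in the dotted-mask form IOS expects, plus the uncovered subnets."""
    summary = smallest_summary(prefixes)
    return {
        "summary": str(summary),
        "ios_command": (
            f"ip summary-address eigrp {eigrp_as} "
            f"{summary.network_address} {summary.netmask}"
        ),
        "holes": summary_holes(summary, prefixes),
    }


if __name__ == "__main__":
    for key, value in summary_report(R1_LOOPBACKS).items():
        print(f"{key}: {value}")
```

Running it for the five loopbacks gives the /21 from this lab and reports 172.16.5.0/24 to 172.16.7.0/24 as covered-but-unadvertised; for the four loopbacks of the advanced lab it gives the /22 with no holes.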
LAB 27 : ADVANCED EIGRP LAB
DU Router
1. Basic Configuration
DU>en
DU#conf t
Enter configuration commands, one per line. End with CNTL/Z.
DU(config)#hostname DU
DU(config)#enable password cisco
2. Line console password
DU(config)#line console 0
DU(config-line)#password cisco
DU(config-line)#login
DU(config-line)#exit
3. Telnet configuration for remote login
DU(config)#line vty 0 4
DU(config-line)#password cisco
DU(config-line)#login
DU(config-line)#exit
4. IP configuration on router Interface
DU(config)#interface fastEthernet 0/0
DU(config-if)#ip address 192.168.20.1 255.255.255.0
DU(config-if)#no shutdown
DU(config-if)#exit
DU(config)#interface fastEthernet 0/1
DU(config-if)#ip address 192.168.10.1 255.255.255.0
DU(config-if)#no shutdown
5. Configure Loopback Interface
DU(config)#interface loopback 1
DU(config-if)#ip address 172.16.0.1 255.255.255.0
DU(config-if)#interface loopback 2
DU(config-if)#ip address 172.16.1.1 255.255.255.0
DU(config-if)#interface loopback 3
DU(config-if)#ip address 172.16.2.1 255.255.255.0
DU(config-if)#interface loopback 4
DU(config-if)#ip address 172.16.3.1 255.255.255.0
BUET Router
1. Basic Configuration
BUET(config)#hostname BUET
BUET(config)#enable secret cisco
2. Line console password
BUET(config)#line console 0
BUET(config-line)#password cisco
BUET(config-line)#login
BUET(config-line)#exit
3. Telnet configuration for remote login
BUET(config)#line vty 0 4
BUET(config-line)#password cisco
BUET(config-line)#login
4. IP configuration on router Interface
BUET(config)#interface fastEthernet 0/0
BUET(config-if)#ip address 192.168.20.2 255.255.255.0
BUET(config-if)#no shutdown
BUET(config)#interface fastEthernet 0/1
BUET(config-if)#ip address 192.168.30.1 255.255.255.0
BUET(config-if)#no shutdown
BUET(config-if)#exit
BUET(config)#
Main Configuration
EIGRP Configuration and advertise network
DU(config)#router eigrp 10
DU(config-router)#network 192.168.10.0
DU(config-router)#network 192.168.20.0
DU(config-router)#network 172.16.1.0
DU(config-router)#network 172.16.2.0
DU(config-router)#network 172.16.3.0
DU(config-router)#network 172.16.0.0 0.0.0.255
DU(config-router)#no auto-summary
BUET(config)#router eigrp 10
BUET(config-router)#network 192.168.20.0
BUET(config-router)#network 192.168.30.0
BUET(config-router)#no auto-summary
BUET(config-router)#
Configure EIGRP Authentication
==========================
DU(config)#key chain ashishkey
DU(config-keychain)#key 1
DU(config-keychain-key)#key-string ashish
DU(config-keychain-key)#exit
DU(config-keychain)#exit
DU(config)#
DU(config)#interface fastEthernet 0/0
DU(config-if)#ip authentication mode eigrp 10 md5
DU(config-if)#ip authentication key-chain eigrp 10 ashishkey
BUET(config)#key chain ashishkey
BUET(config-keychain)#key 1
BUET(config-keychain-key)#key-string ashish
BUET(config-keychain-key)#exit
BUET(config-keychain)#exit
BUET(config)#interface fastEthernet 0/0
BUET(config-if)#ip authentication mode eigrp 10 md5
BUET(config-if)#ip authentication key-chain eigrp 10 ashishkey
Configure EIGRP Summary Address
==========================
DU(config)#interface fastEthernet 0/0
DU(config-if)#ip summary-address eigrp 10 172.16.0.0 255.255.252.0
Configure EIGRP Passive Interface
=========================
BUET(config)#router eigrp 10
BUET(config-router)#passive-interface fastEthernet 0/1
Troubleshooting commands
# show ip route
# show ip eigrp neighbors / topology / interfaces
# show ip interface F0/0
# show ip protocols
OSPF Fundamentals
- Open standard protocol
- It is a link-state protocol
- It uses the Dijkstra shortest path algorithm (constructs a shortest path tree and then populates the routing table with the best routes)
- No limit on hop count
- Metric is cost (cost = 10^8 / bandwidth)
- Administrative distance is 110
- It is a classless routing protocol
- Supports VLSM and CIDR
- Supports only IP routing
- Supports only equal-cost load balancing
- Uses the concept of areas for easy management and hierarchical design
- Must have one area as Area 0, which is called the backbone area
- All other areas must connect to Area 0
- Scalability is better than that of distance vector routing protocols
- Supports authentication
- Updates are sent to multicast address 224.0.0.5 (all OSPF routers) and 224.0.0.6 (all designated routers)
- Faster convergence
- Sends hello packets every 10 seconds
- Triggered / incremental updates: an update is sent when a change occurs in the network and carries only the change, not the complete routing table; LSAs are sent when a change occurs and only about the change.
- LSAs refresh every 30 minutes
- Forms neighbors with adjacent routers in the same area
- LSAs are used to advertise directly connected links
Link: That’s the interface of our router.
State: Description of the interface and how it’s connected to neighbor routers.
Link-state routing protocols operate by sending link-state advertisements (LSA) to all
other link-state routers. All the routers need to have these link-state advertisements so they
can build their link state database or LSDB. This LSDB is our full picture of the network, in
network terms we call this the topology.
OSPF maintains three tables:
Neighbor Table: contains the list of directly connected neighbors (routers). We can see the table using the command 'show ip ospf neighbor'.
Database Table: known as the link-state database (LSDB). All possible routes to any network in the same area are contained in this table: 'show ip ospf database'.
Routing Table: the best path to reach each destination. The routing table can be seen using the 'show ip route' command.
All the routers in the same OSPF area have a common (identical) database.
The two levels of hierarchy consist of:
- Transit area (backbone or Area 0)
- Regular area (non-backbone area)
OSPF works with the concept of areas, and by default you will always have a single area, normally area 0, also called the backbone area.
- Internal Router: a router all of whose interfaces belong to one area.
- Area Border Router (ABR): a router that has interfaces in more than one area.
- Backbone Router: a router that has all or at least one interface in Area 0.
- Autonomous System Boundary Router (ASBR): a router with a connection to a separate autonomous system.
Advantages of OSPF
- Open standard, so it can be used by all vendors
- No limitation on hop count
- Provides a loop-free network
- Provides faster convergence
Disadvantages of OSPF
- More CPU intensive, uses more CPU resources
- Design and implementation are complex
- It only supports equal-cost load balancing
- Only supports IP, not others like IPX or AppleTalk
Once you configure OSPF your router will start sending hello packets. If you also receive
hello packets from the other router you will become neighbors.
Parameters to match to become neighbors
For two or more OSPF routers to become neighbors there are some parameters that need to
match / be identical:
- Area ID
- Area Type (NSSA, Stub)
- Subnet Mask
- Hello Interval
- Dead Interval
- Prefix
- Network Type (broadcast, point-to-point, etc.)
- Authentication
OSPF Metric
Cost = Reference Bandwidth / Interface Bandwidth
Cost = 100Mbps / Bandwidth
Some things worth knowing about OSPF load balancing:
- Paths must have an equal cost.
- 4 equal-cost paths will be placed in the routing table by default.
- Maximum of 16 paths.
- To make paths equal cost, change the "cost" of a link.
Each LSA has an aging timer, carried in the link-state age field. By default each OSPF LSA is only valid for 30 minutes.
If the LSA expires, the router that created it will resend the LSA with an increased sequence number.
OSPF neighbors have to go through 7 states before they become fully adjacent; here they are:
1. Down: no OSPF neighbors detected at this moment.
2. Init: Hello packet received.
3. Two-way: own router ID found in received hello packet.
4. Exstart: master and slave roles determined.
5. Exchange: database description packets (DBD) are sent.
6. Loading: exchange of LSRs (Link state request) and LSUs (Link state update) packets.
7. Full: OSPF routers now have an adjacency.
OSPF Packet Types
1. Hello: builds and maintains neighbor relationships or adjacencies and serves as a keepalive.
2. DBD (Database Descriptor): used to verify whether the LSDBs of two routers are the same. It is a summary of the link-state database (LSDB).
3. Link State Request (LSR): any request made to other routers for some information uses this packet.
4. Link State Update (LSU): contains the information requested in the LSR.
5. Link State Acknowledgement (LSAck): acknowledgement for all OSPF packets except the Hello packet.
Hellos are the keepalives for OSPF. If a hello is not received within 4 hello periods, the neighbor is considered dead (4 hello periods = dead time). The hello and dead timers are as follows:
- LAN and point-to-point interfaces: Hello 10 seconds, Dead timer 40 seconds
- Non-broadcast multi-access (NBMA) interfaces: Hello 30 seconds, Dead timer 120 seconds
There are 11 types of LSA in total, but the well-known types are as follows.
LSA Type 1 | Router LSA: each router generates a Type 1 LSA that lists its active interfaces, IP addresses, neighbors and the cost to each. It is flooded inside the router's own area. The link-state ID is the router's ID.
LSA Type 2 | Network LSA (DR generated): the Type 2 LSA is created by the DR on a multi-access network and represents the subnet and the router interfaces connected to that network. The link-state ID is the DR's interface IP address. It does not cross an area boundary.
LSA Type 3 | Summary LSA (ABR summary route): generated by Area Border Routers (ABRs). Type 3 LSAs advertise the networks of one area to the rest of the areas in the AS. The link-state ID used by this LSA is the network number advertised. It describes how to reach networks in another area and can summarize them. Type 3 routes are called inter-area routes and appear as O IA.
LSA Type 4 | ASBR Summary LSA (just the IP address of the ASBR): describes how to reach the ASBR. The ABR tells the routers of other areas "if you want to reach the ASBR, use me"; it passes on the ASBR summary route.
LSA Type 5 | External LSA (ASBR summary route): the ASBR creates the routes to external destinations and says "if you want to go to external routes, use me, I know the path". Type 4 tells the other routers how to reach the ASBR; Type 5 carries the external routes themselves. These routes appear as O E1 or O E2.
NSSA External LSA (Type 7): Type 7 LSAs allow injection of external routes through Not-So-Stubby Areas (NSSA). Generally external routes are advertised by Type 5 LSAs, but those are not allowed inside any stub area. That is why the Type 7 LSA is used, to work around this restriction. The Type 7 LSA is generated by the NSSA ASBR and is translated into a Type 5 LSA by the NSSA ABR as it leaves the area, after which it is propagated throughout the network as a Type 5 LSA.
A stub area prevents external routes from passing through it, so an NSSA is used, which allows Type 7 LSAs only.
Area Types
Normal Areas: These areas can either be standard areas or transit (backbone) areas. Standard
areas are defined as areas that can accept intra-area, inter-area and external routes. The
backbone area is the central area to which all other areas in OSPF connect.
Stub Areas: These areas do not accept routes belonging to external autonomous systems (AS);
however, these areas have inter-area and intra-area routes. In order to reach the outside
networks, the routers in the stub area use a default route which is injected into the area by
the Area Border Router (ABR).
Totally Stub Areas: These areas do not accept routes belonging to external autonomous systems (AS), and even inter-area routes (summary routes) are not propagated inside totally stubby areas. Only the default route is propagated within the area: the ABR injects a default route into the area, and all the routers belonging to this area use that default route to send any traffic outside the area.
NSSA: This type of area allows the flexibility of importing a few external routes into the area
while still trying to retain the stub characteristic.
OSPF can do summarization
OSPF can do summarization, but it is impossible to summarize within an area. This means we have to configure summarization on an ABR or ASBR. OSPF can only summarize LSA types 3 and 5.
OSPF does not support auto summarization, only manual. OSPF route summarization can be of two types:
1. Internal (inter-area) route summarization, configured on the ABR:
ABR(config-router)#area 15 range 192.168.0.0 255.255.254.0
2. External route summarization, configured on the ASBR:
ASBR(config-router)#summary-address 172.16.32.0 255.255.224.0
OSPF supports two types of authentication:
- Plaintext authentication
- MD5 authentication
OSPF Network types:
Point-to-Point
On High-Level Data Link Control (HDLC) and Point-to-Point Protocol (PPP) links, OSPF runs as the point-to-point network type.
Broadcast
An Ethernet segment is an example of such a network. Ethernet networks support broadcasts;
a single packet transmitted by a device can be multiplied by the medium (in this case an
Ethernet switch) so that every other end point receives a copy.
Non-Broadcast
Frame relay and ATM are probably the most common examples of non-broadcast transport,
requiring individual permanent virtual circuits (PVCs) to be configured between end points.
Non-Broadcast Multi-Access (NBMA)
An NBMA segment emulates the function of a broadcast network. Every router on the segment
must be configured with the IP address of each of its neighbors. OSPF hello packets are then
individually transmitted as unicast packets to each adjacent neighbor.
Point-to-Multipoint
No DR/BDR election, since OSPF sees the network as a collection of point-to-point links. Only a single IP subnet is used across the whole point-to-multipoint topology.
DR/BDR Election Process
- DR/BDR election is per multi-access segment, not per area. Each multi-access segment (e.g. an Ethernet segment) will have a Designated Router (DR) and a Backup Designated Router (BDR).
- The other routers, which are neither DR nor BDR, are DROTHERs. A DROTHER on the segment forms a full adjacency only with the DR and the BDR. DR/BDR is a property of a router's interface, not of the entire router.
- DRs reduce network traffic, as only they maintain the complete OSPF database for the segment and then send updates to the other routers on the shared network segment.
- The router with the highest priority on the data link wins the election, but by default all priorities are 1. In this case the router with the highest Router ID wins.
Consider that all OSPF router processes start at the same time: Router0 and Router1 win the election for DR and BDR respectively because they have the highest Router IDs on the segment. The other routers will be DROTHERs.
Here Router2 and Router3 form a full adjacency with Router0 (DR) and Router1 (BDR).
- We can use the show ip ospf neighbor command to verify this.
- The default priority is 1, but it can be changed with
Router(config-if)#ip ospf priority <priority number>
- If we do not want a router to participate in the DR/BDR election, its priority must be set to 0.
- We need to use clear ip ospf process before this change takes effect.
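The election rules above (priority first, router ID as tie-breaker, priority 0 never eligible, and no change until the process is cleared) can be written down as a small model. The following is an added Python example, not part of the lab guide, that elects DR, BDR and DROTHERs for one segment. The segment, router names and router IDs are constructed to match the scenario described above; the optional current_dr and current_bdr arguments model the non-pre-emptive behaviour that makes clear ip ospf process necessary.

```python
import ipaddress
from collections import namedtuple

# One OSPF router on a multi-access segment: its name, interface priority and router ID.
Router = namedtuple("Router", "name priority router_id")

# Constructed segment matching the guide's scenario: all priorities at the
# default of 1, so the router IDs decide, and Router0 has the highest ID.
SEGMENT = [
    Router("Router0", 1, "4.4.4.4"),
    Router("Router1", 1, "3.3.3.3"),
    Router("Router2", 1, "2.2.2.2"),
    Router("Router3", 1, "1.1.1.1"),
]


def _rank(router):
    # Higher priority wins; ties go to the numerically higher router ID.
    return (router.priority, int(ipaddress.IPv4Address(router.router_id)))


def elect(routers, current_dr=None, current_bdr=None):
    """Return (dr, bdr, drothers) for one segment.

    With no current DR/BDR (all routers start together, or right after
    `clear ip ospf process`) the best-ranked eligible router becomes DR and
    the next one BDR. Routers with priority 0 are never eligible. The election
    is not pre-emptive: an existing DR/BDR keeps its role even when a better
    ranked router joins later, and a DR that disappears is replaced by the BDR.
    """
    eligible = sorted((r for r in routers if r.priority > 0), key=_rank, reverse=True)
    names = [r.name for r in eligible]

    if current_dr in names:
        dr = current_dr
    elif current_bdr in names:
        dr = current_bdr            # BDR is promoted when the DR disappears
    else:
        dr = names[0] if names else None

    remaining = [n for n in names if n != dr]
    if current_bdr in remaining:
        bdr = current_bdr
    else:
        bdr = remaining[0] if remaining else None

    drothers = sorted(r.name for r in routers if r.name not in (dr, bdr))
    return dr, bdr, drothers


if __name__ == "__main__":
    print("fresh start:", elect(SEGMENT))
    later = SEGMENT + [Router("Router4", 200, "9.9.9.9")]
    print("Router4 joins, no clear:", elect(later, current_dr="Router0", current_bdr="Router1"))
    print("after clear ip ospf process:", elect(later))
```

The second and third print lines show the point of the last bullet above: a router with priority 200 that joins a running segment stays a DROTHER until the process is cleared, and only then does it win the election.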
LAB --- OSPF
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1. BASIC CONFIGURATION
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
R1#conf t
R1(config)#interface loopback 0
R1(config-if)#ip address 172.16.0.1 255.255.255.0
R1(config-if)#interface loopback 1
R1(config-if)#ip address 172.16.1.1 255.255.255.0
R1(config-if)#interface loopback 2
R1(config-if)#ip address 172.16.2.1 255.255.255.0
R1(config-if)#interface loopback 3
R1(config-if)#ip address 172.16.3.1 255.255.255.0
R1(config-if)#exit
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.12.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
===================================================================
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 192.168.12.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface fastEthernet 0/1
R2(config-if)#ip address 192.168.23.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#
===================================================================
R3#conf t
R3(config)#interface fastEthernet 0/1
R3(config-if)#ip address 192.168.23.3 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
LAB 28 : OSPF BASIC CONFIGURATION
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
R1(config)#router ospf 1
R1(config-router)#network 172.16.0.0 0.0.3.255 area 0
R1(config-router)#network 192.168.12.0 0.0.0.255 area 1
R2#conf t
R2(config)#router ospf 1
R2(config-router)#network 192.168.12.0 0.0.0.255 area 1
R2(config-router)#network 192.168.23.0 0.0.0.255 area 2
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#router ospf 1
R3(config-router)#network 192.168.23.0 0.0.0.255 area 2
R3(config-router)#exit
Wildcard Mask
Wildcard masks are used to specify a range of network addresses. They are commonly used with routing protocols (like OSPF) and access lists:
- To indicate the size of a network or subnet for some routing protocols, such as OSPF.
- To indicate which IP addresses should be permitted or denied in access control lists (ACLs).
Slash   Netmask           Wildcard Mask
/32     255.255.255.255   0.0.0.0
/31     255.255.255.254   0.0.0.1
/30     255.255.255.252   0.0.0.3
/29     255.255.255.248   0.0.0.7
/28     255.255.255.240   0.0.0.15
/27     255.255.255.224   0.0.0.31
/26     255.255.255.192   0.0.0.63
/25     255.255.255.128   0.0.0.127
/24     255.255.255.0     0.0.0.255
/23     255.255.254.0     0.0.1.255
Rules:
If all bits of a mask octet are 1 (255), the wildcard octet is all zeros (0), and vice versa:
255.255.255.255   0.0.0.0
255.255.255.0     0.0.0.255
If an octet has another value (not 0 or 255), find the block size:
255.255.255.248 ...... block size = 256 - 248 = 8
The wildcard octet is then "block size - 1" = 8 - 1 = 7,
and thus 255.255.255.248 becomes 0.0.0.7.
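The table and the block-size rule above can be reproduced and checked in code. The following is an added Python example, not part of the lab guide, that converts a netmask to a wildcard octet by octet with the guide's rule, derives the wildcard for a /N prefix, regenerates the table, and tests whether an address falls under a network/wildcard pair the way a network statement or an ACL entry compares it. The ipaddress module calls the wildcard the hostmask; the sample addresses are constructed, with 172.16.0.0 0.0.3.255 taken from the OSPF network statement in LAB 28.

```python
import ipaddress


def block_size(mask_octet):
    """Block size of one mask octet: 256 - octet (255 -> 1, 248 -> 8, 0 -> 256)."""
    return 256 - mask_octet


def netmask_to_wildcard(netmask):
    """Apply the guide's rule octet by octet: 255 -> 0, 0 -> 255, and for any
    other value the wildcard octet is (block size - 1), i.e. 255 - octet."""
    octets = [int(o) for o in netmask.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted netmask: {netmask}")
    return ".".join(str(block_size(o) - 1) for o in octets)


def prefix_to_wildcard(prefix_length):
    """Wildcard for a /N prefix; ipaddress exposes exactly this as the hostmask."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix_length}").hostmask)


def wildcard_table(longest=32, shortest=23):
    """Rows of (slash, netmask, wildcard), like the table in the guide."""
    rows = []
    for plen in range(longest, shortest - 1, -1):
        net = ipaddress.ip_network(f"0.0.0.0/{plen}")
        rows.append((f"/{plen}", str(net.netmask), str(net.hostmask)))
    return rows


def matches(address, network, wildcard):
    """Compare `address` against network/wildcard the way a `network` statement
    or an ACL entry does: a wildcard bit of 0 means 'must match', 1 means
    'don't care'. Unlike netmasks, wildcards may be non-contiguous, so this is
    a bitwise test rather than a prefix test."""
    addr, net, wild = (int(ipaddress.IPv4Address(x)) for x in (address, network, wildcard))
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


if __name__ == "__main__":
    for row in wildcard_table():
        print("%-6s %-17s %s" % row)
    print("255.255.255.248 ->", netmask_to_wildcard("255.255.255.248"))
    # The LAB 28 statement `network 172.16.0.0 0.0.3.255 area 0` covers loopbacks 0-3 only:
    for addr in ("172.16.3.1", "172.16.4.1"):
        print(addr, "covered by 172.16.0.0 0.0.3.255:", matches(addr, "172.16.0.0", "0.0.3.255"))
```

The last lines are the check a practitioner wants before trusting a network statement: 172.16.3.1 is covered by 172.16.0.0 0.0.3.255, 172.16.4.1 is not, so an interface in 172.16.4.0/24 would silently stay out of OSPF.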
===========================================================================
Verification
=============
Here we can see that the neighborships are formed, but R3 in area 2 has no routes to area 0 or area 1.
So we now have to configure a virtual link between R1 and R2 through area 1.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
LAB 29 : OSPF VIRTUAL-LINK
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
In OSPF every other area must be connected to area 0 (the backbone area), either physically or virtually. In our figure area 1 is directly connected to area 0, but area 2 is not. So area 2 has to be connected to area 0 virtually. In this lab we will see how:
First we configure a Router ID on R1 and R2
R1(config-router)#router-id 1.1.1.1
R1(config-router)#
R2(config-router)#router-id 2.2.2.2
Reload, or use the "clear ip ospf process" command, for the new router ID to take effect.
R2#clear ip ospf process
Reset ALL OSPF processes? [no]: yes
We must run this command for the configuration to take effect (also called a soft reset).
Now we will configure the virtual link through area 1:
R1(config)#router ospf 1
R1(config-router)#area 1 virtual-link 2.2.2.2
R2(config)#router ospf 1
R2(config-router)#area 1 virtual-link 1.1.1.1
===========
Now verify
============
Ping to any loopback IP
R3#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/38/52 ms
--------------------------------------------------------------------------
R2#show ip ospf virtual-links
Virtual Link OSPF_VL0 to router 1.1.1.1 is up
Run as demand circuit
DoNotAge LSA allowed.
Transit area 1, via interface FastEthernet0/0, Cost of using 10
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:07
Adjacency State FULL (Hello suppressed)
Index 1/3, retransmission queue length 0, number of retransmission 1
First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
Last retransmission scan length is 1, maximum is 1
Last retransmission scan time is 0 msec, maximum is 0 msec
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
LAB 30: OSPF authentication
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Plaintext authentication on Router R1 and R2---F0/0 interface (Area 1)
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip ospf authentication
R1(config-if)#ip ospf authentication-key mypass
---------------------------------------------------------
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip ospf authentication
R2(config-if)#ip ospf authentication-key mypass
============
Verification
===========
R1#show ip ospf interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
Internet Address 192.168.12.1/24, Area 1
Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 2.2.2.2, Interface address 192.168.12.2
Backup Designated router (ID) 1.1.1.1, Interface address 192.168.12.1
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:02
Cisco NSF helper support enabled
Index 1/5, flood queue length 0
Last flood scan length is 3, maximum is 3
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 2.2.2.2 (Designated Router)
Suppress hello for 0 neighbor(s)
Simple password authentication enabled
R1#
MD5 authentication on the R2--R3 link (Area 2). On R2 this is interface F0/1, as the verification below shows; the commands are entered in interface configuration mode on the link interface of each router.
R2(config-if)#ip ospf message-digest-key 1 md5 mypass1
R2(config-if)#ip ospf authentication message-digest
-------------------------------------------------------
R3(config-if)#ip ospf message-digest-key 1 md5 mypass1
R3(config-if)#ip ospf authentication message-digest
=====================================================================
Verification
===========
R2#show ip ospf interface f0/1
FastEthernet0/1 is up, line protocol is up
Internet Address 192.168.23.2/24, Area 2
Process ID 1, Router ID 2.2.2.2, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 192.168.23.3, Interface address 192.168.23.3
Backup Designated router (ID) 2.2.2.2, Interface address 192.168.23.2
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:05
Last flood scan length is 1, maximum is 4
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 192.168.23.3 (Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1
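The difference between the two labs is worth seeing at the byte level. The following Python is an added example, not code from this guide and not Cisco code: it builds OSPFv2 packets the way RFC 2328 Appendix D describes them. With simple password authentication the key itself is copied into the 8-byte Authentication field of every hello, so anyone sniffing the segment reads it. With message-digest authentication that field carries only the key ID, the digest length and a sequence number, and MD5 over the packet plus the zero-padded key is appended after the packet; the key never goes on the wire and the sequence number rejects replayed packets. The packet body, router ID, key ID and key strings are constructed for the example (the key IDs and strings mirror the lab's commands). Where the IOS release supports it, prefer a key chain with an HMAC-SHA algorithm (RFC 5709) over MD5; the on-the-wire layout shown here is the same.

```python
"""OSPFv2 packet authentication, RFC 2328 Appendix D: simple password vs. MD5."""
import hashlib
import hmac
import struct

AU_NULL, AU_SIMPLE, AU_CRYPTO = 0, 1, 2   # AuType values in the OSPF header


def build_packet(au_type, auth_field, body=b"", router_id="1.1.1.1", area_id=1, pkt_type=1):
    """24-byte OSPFv2 header + body. Checksum is left at 0: for AuType 2 the RFC
    requires it to be 0 when the digest is computed, and it plays no part in the
    authentication logic shown here."""
    rid = bytes(int(o) for o in router_id.split("."))
    length = 24 + len(body)              # the MD5 digest is NOT counted in this length
    return struct.pack("!BBH4sIHH", 2, pkt_type, length, rid, area_id, 0, au_type) + auth_field + body


def simple_auth_packet(password, body=b""):
    """'ip ospf authentication' + 'ip ospf authentication-key <pw>': the key is copied
    into the 8-byte Authentication field in the clear."""
    return build_packet(AU_SIMPLE, password[:8].ljust(8, b"\0"), body)


def md5_auth_packet(key_id, key, seq, body=b""):
    """'ip ospf authentication message-digest' + 'ip ospf message-digest-key <id> md5 <key>':
    Authentication field = reserved(2) | key id(1) | digest length(1) | sequence number(4),
    then MD5(packet || key padded to 16 bytes) is appended after the packet."""
    auth_field = struct.pack("!HBBI", 0, key_id, 16, seq)
    pkt = build_packet(AU_CRYPTO, auth_field, body)
    digest = hashlib.md5(pkt + key[:16].ljust(16, b"\0")).digest()
    return pkt + digest


def verify_md5(wire, keys, last_seq):
    """Receiver check. keys: {key_id: key}; last_seq: highest sequence number already
    accepted from this neighbor (a non-decreasing sequence defeats simple replay)."""
    length = struct.unpack("!H", wire[2:4])[0]
    pkt, digest = wire[:length], wire[length:length + 16]
    au_type = struct.unpack("!H", pkt[14:16])[0]
    if au_type != AU_CRYPTO:
        return False, "not cryptographic authentication"
    _, key_id, auth_len, seq = struct.unpack("!HBBI", pkt[16:24])
    if auth_len != 16 or key_id not in keys:
        return False, "unknown key id or bad auth length"
    if seq < last_seq:
        return False, "replayed sequence number"
    expected = hashlib.md5(pkt + keys[key_id][:16].ljust(16, b"\0")).digest()
    if not hmac.compare_digest(expected, digest):
        return False, "bad digest"
    return True, "ok"


if __name__ == "__main__":
    clear = simple_auth_packet(b"mypass")
    print("simple auth field on the wire:", clear[16:24])
    wire = md5_auth_packet(1, b"mypass1", seq=100, body=b"hello")
    print(verify_md5(wire, {1: b"mypass1"}, last_seq=99))
    print(verify_md5(wire[:24] + b"jello" + wire[29:], {1: b"mypass1"}, 99))
```

Running it shows the simple-password field containing `mypass` verbatim, while the MD5 packet contains no trace of `mypass1` and fails verification as soon as one byte of the body is changed or an older sequence number is presented.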
LAB 31: OSPF Summarization
OSPF does not auto-summarize; summarization is always manual. OSPF route summarization can be of
two types:
1. Inter-area (internal) route summarization, configured on an ABR with the area range command;
2. External route summarization, configured on an ASBR with the summary-address command.
I'm going to show you an example of inter-area route summarization on Router R1 (the ABR).
First we check the routing table of R3 and note the individual routes inside the 172.16.0.0/22 block; after the range command they are replaced by the single summary.
R1(config)#router ospf 1
R1(config-router)#area 0 range 172.16.0.0 255.255.252.0
R1(config-router)#end
-------------------------------------------------
R1#clear ip ospf process
R2#clear ip ospf process
R3#clear ip ospf process
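Before typing an area range, it pays to check that the summary covers exactly the prefixes it is meant to cover: any extra address space the ABR advertises attracts traffic it has nowhere to deliver (IOS installs a discard route to Null0 for the range so that such traffic is dropped rather than looped). The following Python is an added example, not code from this guide; it computes the smallest covering summary for a set of component prefixes and reports what the summary "leaks". The four /24 loopback networks are constructed for the example (the guide only shows the single address 172.16.1.1), chosen so that the lab's `area 0 range 172.16.0.0 255.255.252.0` covers them exactly.

```python
"""Check an OSPF 'area <n> range' summary against the prefixes it is meant to cover."""
import ipaddress


def covering_summary(prefixes):
    """Smallest single prefix that contains every component prefix: the network
    and mask you would enter in 'area <n> range <network> <mask>'."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


def range_leakage(prefixes, summary=None):
    """Return (leaked_blocks, summary): the address space the summary advertises that
    no component owns. summary is an optional 'a.b.c.d/len' string; if omitted the
    smallest covering summary is used. Non-empty leakage means other areas will send
    traffic for those addresses to this ABR, which has nowhere to deliver it."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    summary = covering_summary(prefixes) if summary is None else ipaddress.ip_network(summary)
    remaining = [summary]
    for n in nets:
        nxt = []
        for block in remaining:
            if n.subnet_of(block):
                nxt.extend(block.address_exclude(n))   # carve the component out of the block
            elif not block.subnet_of(n):
                nxt.append(block)                       # untouched by this component
            # else: the block lies entirely inside the component, so it is fully covered
        remaining = nxt
    return sorted(remaining), summary


def ios_range(summary):
    """Render as the arguments of the IOS 'area <n> range <network> <mask>' command."""
    return f"{summary.network_address} {summary.netmask}"


# Constructed component prefixes for the example: four /24 loopback networks that
# the lab's 'area 0 range 172.16.0.0 255.255.252.0' is meant to cover.
AREA0_PREFIXES = ["172.16.0.0/24", "172.16.1.0/24", "172.16.2.0/24", "172.16.3.0/24"]

if __name__ == "__main__":
    leaked, summary = range_leakage(AREA0_PREFIXES)
    print(ios_range(summary), "leaks:", [str(b) for b in leaked])
    leaked, summary = range_leakage(AREA0_PREFIXES + ["172.16.4.0/24"])
    print(ios_range(summary), "leaks:", [str(b) for b in leaked])
```

With the four /24s the result is `172.16.0.0 255.255.252.0` with no leakage, i.e. the lab's command. Adding a fifth /24 (172.16.4.0/24) forces a /21 that also covers 172.16.5.0/24 and 172.16.6.0/23, which nobody owns; in that case two ranges are better than one oversized summary.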
LAB 32 : PPP Configuration
Designing a wide area network (WAN) is one of the most challenging tasks: we have to
choose the correct connection type. Most carriers offer three connection types:
1. Circuit-switched connections
2. Packet-switched or cell-switched connections
3. Dedicated connection
Circuit-switched connections:
Asynchronous dial-in (PSTN) and ISDN services; the telephone companies use circuit switching.
Packet-switched or cell-switched connections
Examples of packet-switched and cell-switched networks include Frame Relay (packet-
switched), X.25 (packet-switched), and Asynchronous Transfer Mode or ATM (cell-switched).
Leased line (dedicated connection):
A permanent communication path exists between the Customer Premise Equipment (CPE) at
one site and the CPE at the remote site, communicating through Data Communications
Equipment (DCE) at the provider's site. Synchronous serial lines are used for this
connection and the most common protocols on these lines are HDLC (High-Level
Data Link Control) and PPP (Point-to-Point Protocol). When cost is not an issue, this is
the type of connection to use.
HDLC
 HDLC stands for High-Level Data Link Control protocol.
 HDLC is a Layer 2 protocol.
 HDLC would be the protocol with the least amount of configuration required to
connect these two locations. HDLC would be running over the WAN, between the two
locations.
 HDLC performs error detection (via the frame check sequence), not error correction, just like Ethernet.
 Cisco's HDLC is proprietary because Cisco added a protocol type field to the standard ISO HDLC frame, so it will not interoperate with another vendor's HDLC.
 Cisco HDLC is the default encapsulation on all Cisco serial interfaces.
PPP
PPP or Point-to-Point Protocol is a type of Layer 2 protocol (Data-link layer) used mainly for
WAN. PPP features two methods of authentication:
 PAP (Password Authentication Protocol) and
 CHAP (Challenge Handshake Authentication Protocol)
 PAP sends the password in clear text. CHAP never sends the password: the authenticator sends a random challenge and the peer answers with an MD5 hash of its identifier, the shared secret and the challenge (a three-way handshake).
 PPP runs over point-to-point links; in this lab it is used on a serial link (it also runs over other media, for example PPPoE on Ethernet).
 PPP encapsulates Layer 3 data over point-to-point links.
 PPP uses a Network Control Protocol (NCP) component to encapsulate multiple
protocols and uses Link Control Protocol (LCP) to set up and negotiate control options
on the data link.
 PPP supports multivendor devices.
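To make the PAP/CHAP difference concrete, the following Python is an added example (not code from this guide and not Cisco's implementation) of the CHAP exchange in RFC 1994 between the two lab routers. The username databases mirror the lab's `username <peer-hostname> password cisco` lines: each router stores the secret under the peer's hostname, and the secret must be stored in recoverable form because CHAP hashes it on every authentication (which is why a `username ... secret` hash cannot be used for CHAP). Hostnames, the shared secret and the fixed challenge used in the test are taken from or constructed for the lab.

```python
"""PPP authentication on the wire: PAP vs. CHAP (RFC 1994), modelled on the two lab routers."""
import hashlib
import hmac
import os

# Constructed model of the lab's 'username <peer-hostname> password cisco' entries.
ASHISH_USERS = {"buet": b"cisco"}    # configured on router Ashish
BUET_USERS = {"Ashish": b"cisco"}    # configured on router buet


def pap_request(my_hostname, secret):
    """PAP Authenticate-Request: hostname and password travel as-is."""
    return {"name": my_hostname, "password": secret}


def chap_challenge(ident, challenge=None):
    """Authenticator -> peer: an Identifier plus a fresh random Challenge."""
    return ident, (os.urandom(16) if challenge is None else challenge)


def chap_response(ident, challenge, my_hostname, users, authenticator_hostname):
    """Peer -> authenticator: Value = MD5(Identifier || secret || Challenge).
    The peer looks the secret up under the authenticator's hostname, so the
    username on each router must be the *peer's* hostname."""
    secret = users[authenticator_hostname]
    value = hashlib.md5(bytes([ident]) + secret + challenge).digest()
    return {"name": my_hostname, "value": value}


def chap_verify(ident, challenge, response, users):
    """Authenticator recomputes the hash with the secret stored for response['name']."""
    secret = users.get(response["name"])
    if secret is None:
        return False                      # no 'username <peer-hostname>' on this router
    expected = hashlib.md5(bytes([ident]) + secret + challenge).digest()
    return hmac.compare_digest(expected, response["value"])


def chap_exchange(ident=1, challenge=None):
    """Ashish authenticates buet (one direction of the lab's mutual CHAP).
    Returns (accepted, the Response message that went on the wire)."""
    ident, challenge = chap_challenge(ident, challenge)
    resp = chap_response(ident, challenge, "buet", BUET_USERS, "Ashish")
    return chap_verify(ident, challenge, resp, ASHISH_USERS), resp


if __name__ == "__main__":
    print("PAP puts on the wire:", pap_request("buet", b"cisco"))
    ok, resp = chap_exchange()
    print("CHAP puts on the wire:", resp, "-> accepted:", ok)
```

The Response value is a 16-byte digest that changes with every challenge and identifier, so a captured response cannot be replayed against the next challenge, whereas a captured PAP request contains the password itself.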
Configuration on Ashish Router
Basic Configuration
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface serial 0/1/0
Router(config-if)#ip address 103.13.148.1 255.255.255.248
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#hostname Ashish
Ashish(config)#interface fastEthernet 0/0
Ashish(config-if)#ip add
Ashish(config-if)#ip address 192.168.10.1 255.255.255.0
Ashish(config-if)#no shut
Ashish(config-if)#no shutdown
PPP Configuration
Ashish(config)#username buet privilege 15 password cisco
Ashish(config)#interface serial 0/1/0
Ashish(config-if)#encapsulation ppp
Ashish(config-if)#ppp authentication chap
Ashish(config-if)#exit
For PPP CHAP authentication we must configure the hostname and a username. On each router the username
is the hostname of the peer router (here buet), and the password must be the same on both sides because CHAP needs the plaintext secret to compute its hash. The privilege 15 keyword is not needed for this account, which is used only to authenticate the link and not for administrative login; leaving it off keeps the account to the least privilege it needs.
Configure Static Route
Ashish(config)#ip route 192.168.20.0 255.255.255.0 103.13.148.2
Ashish(config)#
BUET Router
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname buet
buet(config)#interface serial 0/1/0
buet(config-if)#ip address 103.13.148.2 255.255.255.248
buet(config-if)#no shutdown
buet(config)#interface fastEthernet 0/0
buet(config-if)#ip address 192.168.20.1 255.255.255.0
buet(config-if)#no shutdown
buet(config)#username Ashish privilege 15 password cisco
buet(config)#interface serial 0/1/0
buet(config-if)#encapsulation ppp
buet(config-if)#ppp authentication chap
buet(config-if)#end
buet#
In this router the username is the hostname of the peer router, i.e. Ashish.
buet(config)#ip route 192.168.10.0 255.255.255.0 103.13.148.1
Verification :
Ashish#show interfaces serial 0/1/0
Serial0/1/0 is up, line protocol is up (connected)
Hardware is HD64570
Internet address is 103.13.148.1/29
MTU 1500 bytes, BW 128 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
LCP Open
Open: IPCP, CDPCP
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0 (size/max/drops); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/0/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 96 kilobits/sec
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
8 packets input, 1024 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
9 packets output, 1152 bytes, 0 underruns
C:>ping 192.168.20.2
Reply from 192.168.20.2: bytes=32 time=1ms TTL=126
Reply from 192.168.20.2: bytes=32 time=1ms TTL=126
Reply from 192.168.20.2: bytes=32 time=1ms TTL=126
Reply from 192.168.20.2: bytes=32 time=1ms TTL=126
The clock rate, configured on the DCE side of the serial cable, sets the line speed. For this lab it doesn't matter much which clock rate we use. We can
use a command to verify that the DTE router has received the clock rate:
Ashish# show controllers serial 0/1/0
Interface Serial0/1/0
Hardware is PowerQUICC MPC860
DTE V.35 TX and RX clocks detected
idb at 0x81081AC4, driver data structure at 0x81084AC0
In the example above Ashish is the DTE side and it has received a clock rate. show controllers
is a useful command when you don't have physical access to the hardware and so don't know
which side of the cable is DTE or DCE.
LAB 33: BGP Basic Configuration
BGP is an exterior gateway protocol: it is used between different networks (autonomous systems). It is the protocol
used between Internet service providers (ISPs) and can also be used between an enterprise
and an ISP.
BGP was built for reliability, scalability and control, not speed.
BGP stands for Border Gateway Protocol. Routers running BGP are termed BGP speakers.
 BGP uses the concept of autonomous systems (AS). An autonomous system is a group of
networks under a common administration. The Internet Assigned Numbers Authority
(IANA) assigns AS numbers: 1 to 64511 are public AS numbers (a few of them are reserved for documentation), 64512 to 65534 are
private AS numbers and 65535 is reserved. 32-bit AS numbers (RFC 6793) extend the range beyond 65535.
 Autonomous systems run Interior Gateway Protocols (IGP) within the system. They run
an Exterior Gateway Protocol (EGP) between them. BGP version 4 is the only EGP
currently in use.
 Routing between autonomous systems is called interdomain routing.
 The administrative distance for EBGP routes is 20. The administrative distance for
IBGP routes is 200.
 BGP neighbors are called peers and must be statically configured.
 BGP uses TCP port 179. BGP peers exchange incremental, triggered route updates and
periodic keepalives.
 Routers can run only one instance of BGP at a time.
 BGP is a path-vector protocol.
BGP neighbors can be of two types:
 IBGP neighbors – when two neighbors are in the same AS;
 EBGP neighbors – when two neighbors belong to different AS.
Basic Configuration
ISP1
Router#conf t
Router(config)#hostname ISP1
ISP1(config)#interface fastEthernet 0/0
ISP1(config-if)#ip address 192.168.10.1 255.255.255.0
ISP1(config-if)#no shutdown
ISP1(config-if)#exit
ISP1(config)#interface fastEthernet 0/1
ISP1(config-if)#ip address 10.10.10.1 255.255.255.0
ISP1(config-if)#no shutdown
ISP1(config-if)#exit
ISP2
Router(config)#hostname ISP2
ISP2(config)#interface fastEthernet 0/0
ISP2(config-if)#ip address 192.168.10.2 255.255.255.0
ISP2(config-if)#no shutdown
ISP2(config-if)#exit
ISP2(config)#interface fastEthernet 0/1
ISP2(config-if)#ip address 11.11.11.1 255.255.255.0
ISP2(config-if)#no shutdown
BGP Configuration
ISP1(config)#router bgp 100 *100 is the AS number of ISP1*
ISP1(config-router)#neighbor 192.168.10.2 remote-as 200 *declare the neighbor: 200 is the AS of ISP2, 192.168.10.2 is the IP address of ISP2's F0/0 interface*
ISP1(config-router)#network 10.10.10.0 mask 255.255.255.0 *advertise the network*
ISP1(config-router)#exit
ISP2(config)#router bgp 200
ISP2(config-router)#neighbor 192.168.10.1 remote-as 100
ISP2(config-router)#%BGP-5-ADJCHANGE: neighbor 192.168.10.1 Up
ISP2(config-router)#network 11.11.11.0 mask 255.255.255.0
ISP2(config-router)#
Verification
The show ip bgp summary command shows whether the neighborship is formed: the State/PfxRcd column shows a prefix count once the session is Established, and the BGP state name otherwise.
We can see the BGP routes with the show ip bgp command.
LAB 34: BGP PEERING WITH LOOPBACK ADDRESS
To establish an eBGP or iBGP session between loopback addresses, the following command is needed:
neighbor <peer's ip address> update-source loopback<id>
By default BGP uses the IP address of the outgoing interface as the source address of the TCP connection. If
update-source is not used, the peer sees a connection from an address it has not configured as a neighbor and rejects it, so the
adjacency is never formed and the session stays stuck in the Active state.
Second, to establish a session with an eBGP peer that is not directly connected (eBGP packets are sent with TTL 1 by default),
use the following command:
neighbor <peer's ip address> ebgp-multihop <value>
The value is the maximum number of hops (the TTL used), in the range 1 to 255. Keep it as small as the topology allows, and protect the session itself with neighbor <peer's ip address> password <secret> (TCP MD5, RFC 2385) so that only a peer holding the secret can open it.
R1: Configure IP Address to All Interface
R1#conf t
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 103.13.148.5 255.255.255.252
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface loopback 0
R1(config-if)#ip address 10.10.10.10 255.255.255.255
R1(config-if)#exit
R2: Configure IP Address to All Interface
R2#conf t
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 103.13.148.6 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface loopback 0
R2(config-if)#ip address 11.11.11.11 255.255.255.255
R2(config-if)#exit
BGP Configuration on R1 and R2
R1(config)#router bgp 100
R1(config-router)#neighbor 11.11.11.11 remote-as 200
R1(config-router)#neighbor 11.11.11.11 update-source loopback 0
R1(config-router)#neighbor 11.11.11.11 ebgp-multihop 2
R1(config-router)#exit
R2(config)#router bgp 200
R2(config-router)#neighbor 10.10.10.10 remote-as 100
R2(config-router)#neighbor 10.10.10.10 update-source loopback 0
R2(config-router)#neighbor 10.10.10.10 ebgp-multihop 2
R2(config-router)#exit
Now we check whether the BGP neighborship is established.
R1#show ip bgp summary
Not established: the BGP session is still in the Active state.
Let us check with ping whether the loopback IP of router R2 is reachable.
The ping also fails. Check the routing table.
The 11.11.11.11 route is not in the routing table. Let us create static route on both routers.
R1(config)#ip route 11.11.11.11 255.255.255.255 103.13.148.6
R2(config)#ip route 10.10.10.10 255.255.255.255 103.13.148.5
Now check the BGP Status..............Established..Right ??
N.B. The ebgp-multihop command is required only for eBGP peers. If both routers are in the same AS (iBGP)
the command is not required, because iBGP packets are not sent with TTL 1.
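The two checks above (is the session Established, and if not, in which state is it stuck) are the first thing to automate when you have more than a handful of peers. The following Python is an added example, not code from this guide: it parses the table that `show ip bgp summary` prints (the same column layout the guide shows in Lab 36), treats a numeric last column as "Established with N prefixes" and anything else as the BGP state name, and adds the troubleshooting hint for each state that this lab walks through by hand. The sample output is constructed for the example, with the loopback peer of this lab still stuck in Active.

```python
"""Parse 'show ip bgp summary' and flag peers that are not Established."""
import re
from dataclasses import dataclass
from typing import Dict, List

# One row per neighbor. The last column is a prefix count when the session is
# Established and the FSM state name (Idle, Connect, Active, OpenSent, OpenConfirm)
# otherwise.
ROW = re.compile(
    r"^(?P<nbr>\d+\.\d+\.\d+\.\d+)\s+(?P<ver>\d)\s+(?P<asn>\d+)\s+(?P<rcvd>\d+)\s+(?P<sent>\d+)"
    r"\s+(?P<tblver>\d+)\s+(?P<inq>\d+)\s+(?P<outq>\d+)\s+(?P<updown>\S+)\s+(?P<last>.+?)\s*$"
)

# Constructed output in the format the guide shows for Lab 36.
SAMPLE = """\
BGP router identifier 10.10.10.10, local AS number 100
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
11.11.11.11     4   200       0       0        1    0    0 never    Active
192.168.20.2    4   200      23      24        3    0    0 00:19:33        1
"""

HINTS = {
    "Idle": "no route to the neighbor address, or the session was reset",
    "Idle (Admin)": "administratively shut down ('neighbor ... shutdown')",
    "Connect": "TCP connect in progress; check reachability and that TCP 179 is not filtered",
    "Active": "TCP session could not be set up: check the route to the neighbor address, "
              "'update-source' on both sides and 'ebgp-multihop' (eBGP sends TTL 1 by default)",
    "OpenSent": "OPEN sent, waiting for the peer's OPEN",
    "OpenConfirm": "OPEN exchanged, waiting for the first KEEPALIVE",
}


@dataclass
class Peer:
    neighbor: str
    remote_as: int
    up_down: str
    state: str        # "Established" or the FSM state shown in the output
    prefixes: int     # prefixes received (0 unless Established)


def parse_bgp_summary(text: str) -> List[Peer]:
    peers = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue                      # banner, column header, blank lines
        last = m["last"]
        if last.isdigit():
            peers.append(Peer(m["nbr"], int(m["asn"]), m["updown"], "Established", int(last)))
        else:
            peers.append(Peer(m["nbr"], int(m["asn"]), m["updown"], last, 0))
    return peers


def check_peers(text: str, expected: List[str]) -> Dict[str, str]:
    """Map each configured neighbor to 'Established', its FSM state plus a hint,
    or 'missing' if it does not appear in the output at all."""
    seen = {p.neighbor: p for p in parse_bgp_summary(text)}
    result = {}
    for nbr in expected:
        p = seen.get(nbr)
        if p is None:
            result[nbr] = "missing"
        elif p.state == "Established":
            result[nbr] = "Established"
        else:
            result[nbr] = f"{p.state}: {HINTS.get(p.state, 'unknown state')}"
    return result


if __name__ == "__main__":
    for nbr, status in check_peers(SAMPLE, ["11.11.11.11", "192.168.20.2", "5.5.5.5"]).items():
        print(f"{nbr:16} {status}")
```

Passing the list of neighbors you expect from the configuration (rather than only what the router prints) also catches the case where a peer statement is missing altogether.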
LAB 35: BGP REDUNDANCY WITH LOAD SHARING
BGP load sharing over two parallel links is commonly done by peering between the loopback addresses of the two BGP routers, so that a single BGP session rides over both links.
R1 Router : Configure IP Address to each Interface
Venus(config)#interface fastEthernet 0/1
Venus(config-if)#ip address 192.168.10.1 255.255.255.0
Venus(config-if)#no shutdown
Venus(config-if)#exit
Venus(config)#interface fastEthernet 0/0
Venus(config-if)#ip address 192.168.20.1 255.255.255.0
Venus(config-if)#no shutdown
Venus(config-if)#exit
Venus(config)#interface loopback 0
Venus(config-if)#ip address 5.5.5.5 255.255.255.0
Venus(config-if)#exit
Venus(config)#interface fastEthernet 1/0
Venus(config-if)#ip address 172.16.10.1 255.255.255.0
Venus(config-if)#no shutdown
Venus(config-if)#exit
R2 Router: Configure IP Address to each Interface
Gvtl(config)#interface fastEthernet 0/1
Gvtl(config-if)#ip address 192.168.10.2 255.255.255.0
Gvtl(config-if)#no shutdown
Gvtl(config-if)#exit
Gvtl(config)#interface fastEthernet 0/0
Gvtl(config-if)#ip address 192.168.20.2 255.255.255.0
Gvtl(config-if)#no shutdown
Gvtl(config-if)#exit
Gvtl(config)#interface loopback 0
Gvtl(config-if)#ip address 6.6.6.6 255.255.255.0
Gvtl(config-if)#exit
Gvtl(config)#interface fastEthernet 1/0
Gvtl(config-if)#ip address 172.16.20.1 255.255.255.0
Gvtl(config-if)#no shutdown
Gvtl(config-if)#exit
Configure OSPF as the IGP on both routers so that the loopback addresses are reachable
Venus(config)#router ospf 1
Venus(config-router)#network 192.168.10.0 0.0.0.255 area 0
Venus(config-router)#network 192.168.20.0 0.0.0.255 area 0
Venus(config-router)#network 172.16.10.0 0.0.0.255 area 0
Venus(config-router)#network 5.5.5.0 0.0.0.255 area 0
Venus(config-router)#exit
Gvtl(config)#router ospf 1
Gvtl(config-router)#network 192.168.10.0 0.0.0.255 area 0
Gvtl(config-router)#network 192.168.20.0 0.0.0.255 area 0
Gvtl(config-router)#network 6.6.6.0 0.0.0.255 area 0
Gvtl(config-router)#network 172.16.20.0 0.0.0.255 area 0
Gvtl(config-router)#exit
Gvtl(config)#
OSPF Neighborship Verification
# show ip ospf neighbor
Assign IP addresses to the hosts and ping their default gateways
Also ping from PC2 to PC1
BGP Configuration on Venus and Gvtl Router
(BGP Peering with loopback Address)
Venus(config)#router bgp 100
Venus(config-router)#neighbor 6.6.6.6 remote-as 200
Venus(config-router)#neighbor 6.6.6.6 update-source loopback 0
Venus(config-router)#neighbor 6.6.6.6 ebgp-multihop 2
Venus(config-router)#neighbor 6.6.6.6 soft-reconfiguration inbound
Venus(config-router)#maximum-paths 2
Venus(config-router)#no auto-summary
Venus(config-router)#exit
Gvtl(config)#router bgp 200
Gvtl(config-router)#neighbor 5.5.5.5 remote-as 100
Gvtl(config-router)#neighbor 5.5.5.5 ebgp-multihop 2
Gvtl(config-router)#neighbor 5.5.5.5 update-source loopback 0
Gvtl(config-router)#neighbor 5.5.5.5 soft-reconfiguration inbound
Gvtl(config-router)#maximum-paths 2
Gvtl(config-router)#no auto-summary
Gvtl(config-router)#exit
Note:
soft-reconfiguration inbound makes the router keep an unmodified copy of all updates received from the
neighbor in memory, regardless of any policy applied in the inbound direction. There is then no need
to reset the BGP session after a policy change: the stored copy is re-run through the new policy.
It costs memory; on IOS releases that support route refresh, clear ip bgp <neighbor> soft in achieves the same without the stored copy.
Peering between loopback addresses adds an extra benefit: a loopback never goes down, so when
we form the neighborship between loopback IPs the BGP session stays up if one of the physical
links goes down. Traffic is shared across the two links because the BGP next hop (the peer's loopback) resolves, via OSPF, to two equal-cost paths; maximum-paths only matters when the same prefix is learned from more than one BGP peer.
Verification of BGP
Venus#show ip bgp summary
We see that the BGP session is up: the State/PfxRcd column shows a number (the count of prefixes received), which means Established.
In the traceroute output we can see that the first time the 192.168.20.2 path is used and the second time 192.168.10.2
is used. This shows that the load is shared across both links.
Now we will verify if one link is down other link is active or not !
Let us shutdown F0/0 Interface of Router Venus and at the same time issue continue ping
from PC1 to PC2
Venus(config)#interface fastEthernet 0/0
Venus(config-if)#shutdown
Some packets are dropped while traffic shifts to the other link, because the F0/0 interface (the one
in the 192.168.20.0/24 network) was being used as the primary link. Look at the following traceroute
result.
If instead we shut down the F0/1 link no packets are dropped, as it is used here as the
secondary link.
LAB 36: BGP Single Homed Design
R1 is in our enterprise core and has OSPF as its IGP.
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface fastEthernet 0/1
R1(config-if)#ip address 192.168.10.2 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#router ospf 1
R1(config-router)#network 192.168.10.0 0.0.0.255 area 0
R2 is at our enterprise edge and runs OSPF as its IGP and BGP as its EGP.
R2(config)#interface fastEthernet 0/1
R2(config-if)#ip address 192.168.10.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 192.168.20.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#router ospf 1
R2(config-router)#network 192.168.10.0 0.0.0.255 area 0
R2(config-router)#exit
R2(config)#router ospf 1
R2(config-router)#default-information originate
R2(config-router)#exit
R2(config)#router bgp 100
R2(config-router)#neighbor 192.168.20.2 remote-as 200
R2(config-router)#network 1.1.1.0 mask 255.255.255.0
R2(config-router)#exit
R2(config)#ip route 1.1.1.0 255.255.255.0 null 0
R3 is the service provider edge. R3 has a couple of static routes to advertise into BGP and
advertises a default route to R2, which R2 then propagates throughout the enterprise core via OSPF.
R3(config)#interface fastEthernet 0/0
R3(config-if)#ip address 192.168.20.2 255.255.255.0
R3(config-if)#no shutdown
R3(config)#ip route 0.0.0.0 0.0.0.0 null 0
R3(config)#ip route 2.2.2.0 255.255.255.0 null 0
R3(config)#router bgp 200
R3(config-router)#neighbor 192.168.20.1 remote-as 100
R3(config-router)#network 2.2.2.0 mask 255.255.255.0
R3(config-router)#neighbor 192.168.20.1 default-originate
R3(config-router)#exit
Verification
R3#show ip bgp summary
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
192.168.20.1 4 100 23 24 3 0 0 00:19:33 1
R2#show ip route
..................<output omitted>...................
1.0.0.0/24 is subnetted, 1 subnets
S 1.1.1.0 is directly connected, Null0
2.0.0.0/24 is subnetted, 1 subnets
B 2.2.2.0 [20/0] via 192.168.20.2, 00:17:59 ** BGP learned route **
C 192.168.10.0/24 is directly connected, FastEthernet0/1
C 192.168.20.0/24 is directly connected, FastEthernet0/0
B* 0.0.0.0/0 [20/0] via 192.168.20.2, 00:20:18 ** default route from BGP
because of the default originate command in R3 **
R2#show ip bgp
-------------------<output omitted>.........................
Network Next Hop Metric LocPrf Weight Path
*> 0.0.0.0 192.168.20.2 0 0 200 i
*> 1.1.1.0/24 0.0.0.0 0 32768 i
*> 2.2.2.0/24 192.168.20.2 0 0 200 i
R1#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
192.168.20.1 1 FULL/BDR 00:00:31 192.168.10.1 FastEthernet0/1
R1#show ip route
------------------<outputs are omitted>--------------
Gateway of last resort is 192.168.10.1 to network 0.0.0.0
C 192.168.10.0/24 is directly connected, FastEthernet0/1
O*E2 0.0.0.0/0 [110/1] via 192.168.10.1, 00:06:16, FastEthernet0/1
Here we can see that R2 is single-homed to R3 via BGP, advertising a /24 (1.1.1.0/24), and R2 is
advertising a default route to the enterprise core (R1).
Explanation
default-information originate (OSPF): the router advertises a default route into OSPF provided it has a default route in its own routing table (here the one learned from R3 via BGP). With the always keyword it advertises one regardless.
neighbor x.x.x.x default-originate (BGP)
If you want to advertise a default route to one specific peer, this is the method for that
requirement.
 Add 'neighbor x.x.x.x default-originate' under router bgp <ASN>
 It does not even check for the existence of a default route in the IP routing table
 Cisco's note that 'default-information originate' should not be configured together with
'neighbor x.x.x.x default-originate' on the same router refers to the BGP form of default-information originate (under router bgp). In this lab R2 uses the OSPF form and R3 uses the BGP neighbor form, on different routers.
The Null0 interface discards whatever is routed to it. A static route for the aggregate (1.1.1.0/24) pointing to Null0 lets BGP originate the prefix and prevents routing loops for addresses inside the aggregate that are not in use.
It also limits the effect of a DoS attack: traffic to unused IP addresses, which typically comes from
denial of service attacks or from scanning of IP blocks to find vulnerable hosts, is dropped at R2 instead of bouncing between routers.
LAB 37 : HSRP (Hot Standby Router Protocol) Configuration
HSRP provides layer 3 (default gateway) redundancy in our network through active and standby router
assignment, interface tracking, and load balancing across groups. A group of physical routers, acting as a
single virtual router, advertises a single IP address and MAC address into our network. By
tracking interfaces and managing multiple groups, we can optimize speed as well as add
redundancy to our networks. VRRP or GLBP can be used instead, depending on our individual network
needs. The services that HSRP provides are a great addition to any network.
Characteristics
 HSRP is Cisco proprietary
 HSRP has 5 states: Initial, listen, speak, standby and active.
 HSRP allows multiple routers to share a virtual IP and MAC address so that the end-
user hosts do not realize when a failure occurs.
 The active (or Master) router uses the virtual IP and MAC addresses.
 Standby routers listen for Hellos from the Active router. A hello packet is sent every 3
seconds by default. The hold time (dead interval) is 10 seconds.
 Virtual MAC of 0000.0C07.ACxx , where xx is the hexadecimal number of HSRP group.
 The group numbers of HSRP version 1 range from 0 to 255. Group 0 is supported (it is the default group number if you don't enter one in the configuration), so HSRP version 1 supports 256 groups. HSRP version 2 supports 4096 groups (0 to 4095).
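The election rules and the virtual MAC above can be checked with a small model. The following Python is an added example, not code from this guide and not Cisco's implementation: it derives the virtual MAC for a group (v1 0000.0C07.ACxx, v2 0000.0C9F.Fxxx) and elects active and standby routers the way the lab below exercises it (highest priority wins, ties go to the highest interface IP, a running active router keeps the role unless a better one has preempt). It also models HSRP's hello authentication: routers whose authentication string does not match the group's have their hellos discarded and take no part in the election. The router names, addresses and priorities are the lab's (venus 110, Denver 100, group 10); the third router, the alternative key string `s3cret` and the `group_auth` parameter are constructed for the example. The default authentication string on IOS is `cisco`, so any host on the segment that sends a valid hello with a higher priority and preempt could take the active role; `standby <group> authentication md5 key-string <key>` on every member is the fix.

```python
"""HSRP election and virtual MAC, modelled on the venus/Denver lab."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

V1_PREFIX, V2_PREFIX = "0000.0C07.AC", "0000.0C9F.F"


def virtual_mac(group: int, version: int = 1) -> str:
    """HSRPv1: 0000.0C07.ACxx (group 0-255); HSRPv2: 0000.0C9F.Fxxx (group 0-4095)."""
    if version == 1 and 0 <= group <= 255:
        return f"{V1_PREFIX}{group:02X}"
    if version == 2 and 0 <= group <= 4095:
        return f"{V2_PREFIX}{group:03X}"
    raise ValueError(f"group {group} not valid for HSRP version {version}")


@dataclass
class Gateway:
    name: str
    ip: str
    priority: int = 100        # IOS default
    preempt: bool = False      # IOS default: no preemption
    up: bool = True
    auth: str = "cisco"        # IOS default authentication string


def _ip_key(ip: str):
    return tuple(int(o) for o in ip.split("."))


def elect(gateways: List[Gateway], group_auth: str = "cisco",
          current_active: Optional[str] = None) -> Tuple[Optional[str], Optional[str]]:
    """Return (active, standby) names for one HSRP group.
    Hellos whose authentication string differs from the group's are discarded, so
    such routers are not members. Highest priority wins, ties go to the highest
    interface IP. A running active router keeps the role unless a better router
    has 'standby <grp> preempt'."""
    members = [g for g in gateways if g.up and g.auth == group_auth]
    if not members:
        return None, None
    ranked = sorted(members, key=lambda g: (g.priority, _ip_key(g.ip)), reverse=True)
    best = ranked[0]
    current = next((g for g in members if g.name == current_active), None)
    active = best if current is None or best is current or best.preempt else current
    standby = next((g for g in ranked if g is not active), None)
    return active.name, standby.name if standby else None


if __name__ == "__main__":
    venus = Gateway("venus", "192.168.1.1", priority=110, preempt=True)
    denver = Gateway("Denver", "192.168.1.2", priority=100, preempt=True)
    print(virtual_mac(10), elect([venus, denver]))
    venus.up = False
    print(elect([venus, denver], current_active="venus"))
```

The model reproduces the lab's show standby output (venus active, Denver standby, virtual MAC 0000.0C07.AC0A for group 10) and the failover when venus's interface is shut down.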
Assign IP Address to Venus
Switch#conf t
Switch(config)#hostname venus
venus(config)#int fastEthernet 0/10
venus(config-if)#no switchport
venus(config-if)#ip address 192.168.1.1 255.255.255.0
venus(config-if)#no shutdown
venus(config-if)#exit
venus(config)#int fastEthernet 0/1
venus(config-if)#no switchport
venus(config-if)#ip address 192.168.30.2 255.255.255.0
venus(config-if)#no shutdown
venus(config-if)#
Assign IP Address to Denver
Switch#conf t
Switch(config)#hostname Denver
Denver(config)#int fastEthernet 0/11
Denver(config-if)#no switchport
Denver(config-if)#ip address 192.168.1.2 255.255.255.0
Denver(config-if)#no shutdown
Denver(config-if)#exit
Denver(config)#int fastEthernet 0/1
Denver(config-if)#no switchport
Denver(config-if)#ip address 192.168.40.2 255.255.255.0
Denver(config-if)#no shutdown
Denver(config-if)#end
Assign IP Address to Toronto
=============================
Router>en
Router#conf t
Router(config)#hostname Toronto
Toronto(config)#interface fastEthernet 0/0
Toronto(config-if)#ip address 192.168.30.1 255.255.255.0
Toronto(config-if)#no shutdown
Toronto(config-if)#exit
Toronto(config)#int fastEthernet 0/1
Toronto(config-if)#ip add
Toronto(config-if)#ip address 192.168.40.1 255.255.255.0
Toronto(config-if)#no shutdown
Toronto(config-if)#exit
Toronto(config)#int loopback 1
Toronto(config-if)#ip address 1.1.1.1 255.255.255.0
Toronto(config-if)#exit
Create static route to 1.1.1.0/24 network from Venus and Denver
=====================================================================
venus(config)#ip route 1.1.1.0 255.255.255.0 192.168.30.1
Denver(config)#ip route 1.1.1.0 255.255.255.0 192.168.40.1
Create static route to 192.168.1.0/24 network from Toronto
================================================================
Toronto(config)#ip route 192.168.1.0 255.255.255.0 192.168.30.2
Toronto(config)#ip route 192.168.1.0 255.255.255.0 192.168.40.2
Apply ip routing command on venus and Denver
=================================================
venus(config)#ip routing
Denver(config)#ip routing
Assign IP address to host with default Gateway 192.168.1.1 and
192.168.1.2 and apply ping command to 1.1.1.0 Network
======================================================================
C:>ping 1.1.1.1
Reply from 1.1.1.1: bytes=32 time=1ms TTL=254
Reply from 1.1.1.1: bytes=32 time<1ms TTL=254
Reply from 1.1.1.1: bytes=32 time=1ms TTL=254
Reply from 1.1.1.1: bytes=32 time<1ms TTL=254
Configure HSRP
venus(config)#int fastEthernet 0/10
venus(config-if)#standby 10 ip 192.168.1.3
venus(config-if)#standby 10 priority 110
venus(config-if)#standby 10 preempt
Denver(config)#int fastEthernet 0/11
Denver(config-if)#standby 10 ip 192.168.1.3
Denver(config-if)#standby 10 priority 100
Denver(config-if)#standby 10 preempt
Denver(config-if)#end
Verify
============
venus#show standby
FastEthernet0/10 - Group 10
State is Active
12 state changes, last state change 01:01:47
Virtual IP address is 192.168.1.3
Active virtual MAC address is 0000.0C07.AC0A
Local virtual MAC address is 0000.0C07.AC0A (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.461 secs
Preemption enabled
Active router is local
Standby router is 192.168.1.2
Priority 110 (configured 110)
Group name is hsrp-Fa0/10-10 (default)
venus#
-------------------------------------------------------------------
Denver#show standby
FastEthernet0/11 - Group 10
State is Standby
3 state changes, last state change 01:17:54
Virtual IP address is 192.168.1.3
Active virtual MAC address is 0000.0C07.AC0A
Local virtual MAC address is 0000.0C07.AC0A (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.757 secs
Preemption enabled
Active router is 192.168.1.1
Standby router is local
Priority 100 (default 100)
Group name is hsrp-Fa0/11-10 (default)
Denver#
Now change the default gateway of both PC to 192.168.1.3 and ping to 1.1.1.1
======================================================================
Successful...
now shut down F0/10 on venus, the interface in the group with the highest
priority (110)
======================================================================
and verify with the show standby command...
also see that the ping to 1.1.1.1 still succeeds
------------------------------------------------------
Denver#show standby
FastEthernet0/11 - Group 10
State is Active
4 state changes, last state change 01:28:33
Virtual IP address is 192.168.1.3
Active virtual MAC address is 0000.0C07.AC0A
Local virtual MAC address is 0000.0C07.AC0A (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.754 secs
Preemption enabled
Active router is local
Standby router is unknown
Priority 100 (default 100)
Group name is hsrp-Fa0/11-10 (default)
Denver#
Now the Denver switch is Active
-----------------------------------------------------------------
C:>ping 1.1.1.1
Reply from 1.1.1.1: bytes=32 time<1ms TTL=254
Reply from 1.1.1.1: bytes=32 time<1ms TTL=254
Reply from 1.1.1.1: bytes=32 time<1ms TTL=254
Reply from 1.1.1.1: bytes=32 time<1ms TTL=254
IP Access Control List (ACL)
Access-lists work at the network (layer 3) and transport (layer 4) layers and can be used
for two different things:
• Filtering traffic
• Identifying traffic
Filtering means permitting or denying traffic.
Identifying means selecting traffic, for example when we configure a VPN: the interesting
traffic is identified by the ACL and then passed through the VPN tunnel.
IP ACLs are the most popular because IP is the most common type of traffic. There are two types of
numbered IP ACLs:
• Standard IP ACLs: 1 to 99 and 1300 to 1999
• Extended IP ACLs: 100 to 199 and 2000 to 2699
Standard IP ACLs can only filter traffic based on the SOURCE IP address, whereas Extended IP
ACLs match traffic on source IP, source port, destination IP, and destination port.
ACLs filter traffic per protocol, per interface, and per direction: only one ACL can be applied
per protocol (e.g., IP or IPX), per interface (e.g., FastEthernet0/0), and per direction
(i.e., IN or OUT).
LAB 38 : Standard IP access-lists
Standard IP access-lists are based upon the source host or network IP address, and should be
placed closest to the destination network.
Router R1 (IP Address and EIGRP Configuration)
R1#conf t
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface fastEthernet 0/1
R1(config-if)#ip address 192.168.20.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#router eigrp 10
R1(config-router)#network 192.168.20.0
R1(config-router)#network 192.168.10.0
R1(config-router)#no auto-summary
R1(config-router)#exit
Router R2 (IP Address and EIGRP Configuration)
R2#conf t
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 192.168.10.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface loopback 0
R2(config-if)#ip address 12.12.12.12 255.255.255.0
R2(config-if)#exit
R2(config)#interface loopback 1
R2(config-if)#ip address 11.11.11.11 255.255.255.0
R2(config-if)#exit
R2(config)#router eigrp 10
R2(config-router)#network 192.168.10.0
R2(config-router)#network 11.11.11.0
R2(config-router)#network 12.12.12.0
R2(config-router)#no auto-summary
R2(config-router)#exit
R2(config)#
Now we will create ACL rules so that only PC1, PC2 and PC3 can ping the loopback IPs.
Because a standard ACL is placed closest to the destination, the list is created on R2:
R2(config)#access-list 50 permit host 192.168.20.2
R2(config)#access-list 50 permit host 192.168.20.3
R2(config)#access-list 50 permit host 192.168.20.4
R2(config)#access-list 50 deny any
Apply it inbound on the R2 interface facing R1 (closest to the destination):
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip access-group 50 in
Verification
R2#show ip interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
Internet address is 192.168.10.2/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 50
Now ping from PC4
PC4> ping 11.11.11.11
*192.168.20.1 icmp_seq=1 ttl=255 time=15.600 ms (ICMP type:3, code:13,
Communication administratively prohibited)
*192.168.20.1 icmp_seq=2 ttl=255 time=15.600 ms (ICMP type:3, code:13,
Communication administratively prohibited)
*192.168.20.1 icmp_seq=3 ttl=255 time=15.600 ms (ICMP type:3, code:13,
Communication administratively prohibited)
*192.168.20.1 icmp_seq=4 ttl=255 time=15.600 ms (ICMP type:3, code:13,
Communication administratively prohibited)
And from PC1 / PC2 / PC3
PC1> ping 11.11.11.11
84 bytes from 11.11.11.11 icmp_seq=1 ttl=254 time=46.800 ms
84 bytes from 11.11.11.11 icmp_seq=2 ttl=254 time=46.801 ms
84 bytes from 11.11.11.11 icmp_seq=3 ttl=254 time=46.800 ms
84 bytes from 11.11.11.11 icmp_seq=4 ttl=254 time=46.800 ms
PC2> ping 12.12.12.12
84 bytes from 12.12.12.12 icmp_seq=1 ttl=254 time=31.200 ms
84 bytes from 12.12.12.12 icmp_seq=2 ttl=254 time=31.200 ms
84 bytes from 12.12.12.12 icmp_seq=3 ttl=254 time=31.200 ms
84 bytes from 12.12.12.12 icmp_seq=4 ttl=254 time=31.200 ms
PC3> ping 12.12.12.12
84 bytes from 12.12.12.12 icmp_seq=1 ttl=254 time=31.200 ms
84 bytes from 12.12.12.12 icmp_seq=2 ttl=254 time=31.200 ms
84 bytes from 12.12.12.12 icmp_seq=3 ttl=254 time=31.200 ms
84 bytes from 12.12.12.12 icmp_seq=4 ttl=254 time=31.200 ms
R2#show access-lists
Standard IP access list 50
10 permit 192.168.10.0, wildcard bits 0.0.0.255 (27 matches)
LAB 39 : EXTENDED IP ACCESS-LIST
Extended IP access-lists filter based upon the source IP address, destination IP address, and TCP
or UDP port number. Extended access-lists should be placed closest to the source network.
Objective:
We will configure an Extended ACL so that
• PC0 can only use the Telnet service,
• PC2 can only use the HTTP service, and
• PC1 can only use the Mail (SMTP) service.
IP Configuration
Router(config)#hostname LOCAL
LOCAL(config)#interface fastEthernet 0/1
LOCAL(config-if)#ip address 192.168.10.1 255.255.255.0
LOCAL(config-if)#no shutdown
LOCAL(config-if)#exit
LOCAL(config)#interface fastEthernet 0/0
LOCAL(config-if)#ip address 103.13.148.1 255.255.255.240
LOCAL(config-if)#no shutdown
LOCAL(config-if)#exit
Static Default Route
LOCAL(config)#ip route 0.0.0.0 0.0.0.0 103.13.148.2
Telnet Access
LOCAL(config)#line vty 0 5
LOCAL(config-line)#password cisco
LOCAL(config-line)#login
LOCAL(config-line)#exit
LOCAL(config)#enable secret cisco
IP Configuration
Router(config)#hostname ISP
ISP(config)#interface fastEthernet 0/0
ISP(config-if)#ip address 103.13.148.2 255.255.255.240
ISP(config-if)#no shutdown
ISP(config-if)#exit
ISP(config)#interface fastEthernet 0/1
ISP(config-if)#ip address 100.100.100.1 255.255.255.0
ISP(config-if)#no shutdown
ISP(config-if)#exit
Static Route
ISP(config)#ip route 192.168.10.0 255.255.255.0 103.13.148.1
Switch(config)#ip default-gateway 100.100.100.1
Extended ACL Configuration
ISP(config)#access-list 101 permit tcp host 100.100.100.2 any eq telnet
ISP(config)#access-list 101 permit tcp host 100.100.100.4 any eq www
ISP(config)#access-list 101 permit tcp host 100.100.100.3 any eq smtp
Apply it to its Inside Interface
ISP(config)#interface fastEthernet 0/1
ISP(config-if)#ip access-group 101 in
ISP#show ip interface fastEthernet 0/1
FastEthernet0/1 is up, line protocol is up (connected)
Internet address is 100.100.100.1/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 101
ISP#show access-lists 101
Extended IP access list 101
permit tcp host 100.100.100.2 any eq telnet (37 match(es))
permit tcp host 100.100.100.4 any eq www (11 match(es))
permit tcp host 100.100.100.3 any eq smtp (2 match(es))
From PC0, logging in to router LOCAL using telnet is possible,
but from the other PCs it is not.
From PC2 we can browse ....................
but PC0 and PC1 cannot browse to the HTTP server.
From PC1 we can see that the SMTP service is open, but from the other PCs it is not...
LAB 40: Named IP Access List
Named ACLs allow standard and extended ACLs to be given names instead of numbers.
Objective:
We will configure a Named ACL to ensure that only PC0 can log in through Telnet to
router BUET, while PC1 cannot..........
Basic Configuration of Router and Switch:
Router>en
Router#conf t
Router(config)#hostname DU
DU(config)#interface fastEthernet 0/0
DU(config-if)#ip address 192.168.10.1 255.255.255.0
DU(config-if)#no shutdown
DU(config-if)#exit
DU(config)#interface fastEthernet 0/1
DU(config-if)#ip address 172.16.10.1 255.255.255.0
DU(config-if)#no shutdown
DU(config-if)#exit
DU(config)#router eigrp 10
DU(config-router)#network 192.168.10.0
DU(config-router)#network 172.16.10.0
DU(config-router)#no auto-summary
DU(config-router)#exit
Router(config)#hostname BUET
BUET(config)#interface fastEthernet 0/0
BUET(config-if)#ip address 192.168.10.2 255.255.255.0
BUET(config-if)#no shutdown
BUET(config-if)#exit
BUET(config)#router eigrp 10
BUET(config-router)#network 192.168.10.0
BUET(config-router)#no auto-summary
BUET(config-router)#exit
BUET(config)#no ip domain-lookup
BUET(config)#line vty 0 4
BUET(config-line)#password cisco
BUET(config-line)#login
BUET(config-line)#exit
BUET(config)#enable secret cisco
BUET(config)#exit
DEFINE NAMED ACL
DU(config)#ip access-list extended venus
DU(config-ext-nacl)#permit tcp host 172.16.10.2 any eq telnet
DU(config-ext-nacl)#deny tcp host 172.16.10.3 any eq telnet
DU(config-ext-nacl)#permit ip any any
DU(config-ext-nacl)#exit
Apply ACL to Router's Interface
DU(config)#interface fastEthernet 0/0
DU(config-if)#ip access-group venus out
DU(config-if)#end
Switch(config)#ip default-gateway 172.16.10.1
From PC0
C:>ping 192.168.10.2
Reply from 192.168.10.2: bytes=32 time<1ms TTL=254
Reply from 192.168.10.2: bytes=32 time<1ms TTL=254
Reply from 192.168.10.2: bytes=32 time=1ms TTL=254
Reply from 192.168.10.2: bytes=32 time<1ms TTL=254
C:>telnet 192.168.10.2 (Success)
Trying 192.168.10.2 ...Open
User Access Verification
Password:
From PC1
C:>ping 192.168.10.2
Reply from 192.168.10.2: bytes=32 time=2ms TTL=254
Reply from 192.168.10.2: bytes=32 time<1ms TTL=254
Reply from 192.168.10.2: bytes=32 time<1ms TTL=254
Reply from 192.168.10.2: bytes=32 time<1ms TTL=254
C:>telnet 192.168.10.2 (Not Success)
Trying 192.168.10.2 ...
% Connection timed out; remote host not responding
C:>
DU#show ip access-lists
Extended IP access list venus
10 permit tcp host 172.16.10.2 any eq telnet (4 match(es))
20 deny tcp host 172.16.10.3 any eq telnet (12 match(es))
30 permit ip any any (4 match(es))
LAB 41: HOW TO BLOCK ICMP ECHO AND ECHO-REPLY
ICMP is a network layer protocol (it has its own IP protocol number in the IP header,
protocol number 1) and does not rely on TCP or UDP.
An ICMP Echo is what we simply call a 'ping', and the Echo Reply is the 'ping reply'. ICMP
Echo is used for network troubleshooting.
ICMP traffic is critical network traffic, but it can also cause security issues if it is used
against your network by a malicious attacker.
GW and ISP Router: Interface Configuration
Router#conf t
Router(config)#hostname GW
GW(config)#interface fastEthernet 0/0
GW(config-if)#ip address 103.13.148.1 255.255.255.240
GW(config-if)#no shutdown
GW(config-if)#exit
GW(config)#interface fastEthernet 0/1
GW(config-if)#ip address 172.16.10.1 255.255.255.0
GW(config-if)#no shutdown
GW(config-if)#exit
ISP#conf t
ISP(config)#interface fastEthernet 0/0
ISP(config-if)#ip address 103.13.148.2 255.255.255.240
ISP(config-if)#no shutdown
ISP(config-if)#exit
ISP(config)#interface fastEthernet 0/1
ISP(config-if)#ip address 100.100.100.1 255.255.255.0
ISP(config-if)#no shutdown
ISP(config-if)#exit
Configure a static default route to the Internet on GW and a static route to the local LAN on ISP
GW(config)#ip route 0.0.0.0 0.0.0.0 103.13.148.2
ISP(config)#ip route 172.16.10.0 255.255.255.0 103.13.148.1
Assign an IP address to the Server PC (LAN host)
Assign an IP address to the outside host PC1
Ping from the outside host to our local LAN server; at this point the ping succeeds.
But we do not want this, so we block ICMP echo replies leaving the inside LAN towards outside hosts
GW(config)#ip access-list extended inside-in
GW(config-ext-nacl)#deny icmp any any echo-reply
GW(config-ext-nacl)#permit ip any any
GW(config-ext-nacl)#exit
Also block ICMP echo requests coming from outside into the inside LAN
GW(config)#ip access-list extended outside-in
GW(config-ext-nacl)#deny icmp any any echo
GW(config-ext-nacl)#permit ip any any
GW(config-ext-nacl)#exit
Apply these rules to both interfaces
GW(config)#interface fastEthernet 0/1
GW(config-if)#ip access-group inside-in in
GW(config-if)#exit
GW(config)#interface fastEthernet 0/0
GW(config-if)#ip access-group outside-in in
GW(config-if)#end
Verification
Now ping again from the outside host to the inside server 172.16.10.2.
Other services such as the WEB service are still permitted because we have not blocked them;
only ICMP echo and echo-reply are blocked.
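To see how IOS actually decides permit or deny for the lists built in LABs 38 to 41 (top-down evaluation, first match wins, wildcard masks, and the implicit deny that ends every list), here is an added Python model that is not part of the original guide; the lists are the lab's ACL 50, ACL 101, venus and outside-in, while the sample packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORTS = {"telnet": 23, "www": 80, "smtp": 25}
ICMP_TYPES = {"echo": 8, "echo-reply": 0}


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0        # destination port for tcp/udp
    icmp_type: int = -1   # ICMP message type for icmp


@dataclass
class Entry:
    """One access-list line. src/dst are 'any', 'host a.b.c.d' or 'a.b.c.d wildcard'."""
    action: str                         # "permit" or "deny"
    proto: str                          # "ip", "tcp", "udp" or "icmp"
    src: str
    dst: str = "any"                    # standard ACLs never look at the destination
    dport: Optional[int] = None         # 'eq <port>' on the destination
    icmp_type: Optional[int] = None     # 'echo' / 'echo-reply'


def addr_match(spec: str, addr: str) -> bool:
    """IOS wildcard matching: a 0 bit in the wildcard must match, a 1 bit is ignored.
    'host x' is x with wildcard 0.0.0.0; 'any' is 0.0.0.0 255.255.255.255."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        net, wild = spec.split()[1], "0.0.0.0"
    else:
        net, wild = spec.split()
    n, w, a = (int(ipaddress.IPv4Address(x)) for x in (net, wild, addr))
    return (n & ~w) == (a & ~w)


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (addr_match(e.src, p.src) and addr_match(e.dst, p.dst)):
        return False
    if e.dport is not None and e.dport != p.dport:
        return False
    if e.icmp_type is not None and e.icmp_type != p.icmp_type:
        return False
    return True


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, int]:
    """Walk the list top-down; the first matching line wins. Returns (action, line),
    where line 0 means the implicit 'deny any' that ends every IOS access list."""
    for line, e in enumerate(acl, start=1):
        if entry_matches(e, p):
            return e.action, line
    return "deny", 0


# The lists from the labs above: LAB 38 standard ACL 50, LAB 39 extended ACL 101,
# LAB 40 named ACL 'venus' and LAB 41 'outside-in'.
ACL_50 = [Entry("permit", "ip", "host 192.168.20.2"),
          Entry("permit", "ip", "host 192.168.20.3"),
          Entry("permit", "ip", "host 192.168.20.4"),
          Entry("deny", "ip", "any")]
ACL_101 = [Entry("permit", "tcp", "host 100.100.100.2", "any", PORTS["telnet"]),
           Entry("permit", "tcp", "host 100.100.100.4", "any", PORTS["www"]),
           Entry("permit", "tcp", "host 100.100.100.3", "any", PORTS["smtp"])]
ACL_VENUS = [Entry("permit", "tcp", "host 172.16.10.2", "any", PORTS["telnet"]),
             Entry("deny", "tcp", "host 172.16.10.3", "any", PORTS["telnet"]),
             Entry("permit", "ip", "any", "any")]
ACL_OUTSIDE_IN = [Entry("deny", "icmp", "any", "any", icmp_type=ICMP_TYPES["echo"]),
                  Entry("permit", "ip", "any", "any")]

if __name__ == "__main__":
    # Constructed sample packets: PC4 (192.168.20.5) is blocked by line 4 of ACL 50.
    print(evaluate(ACL_50, Packet("icmp", "192.168.20.5", "11.11.11.11", icmp_type=8)))
    # PC0 may telnet, but its HTTP request hits the implicit deny: no 'deny any' needed.
    print(evaluate(ACL_101, Packet("tcp", "100.100.100.2", "192.168.10.1", dport=23)))
    print(evaluate(ACL_101, Packet("tcp", "100.100.100.2", "192.168.10.1", dport=80)))
```

The implicit deny is why ACL 101 needs no explicit deny line, and why ACL venus needs its closing permit ip any any to keep non-Telnet traffic flowing.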
LAB 42 : STATIC NAT
We use Static NAT for a one-to-one mapping between an inside address and an outside address.
Static NAT allows connections from an outside host to an inside host. Generally, static NAT is
used for servers inside our network.
Suppose we have a web or mail server with the inside IP address 192.168.10.2 and we want
it to be accessible from the Internet, i.e. when a remote host makes a request to 103.13.148.10.
In this case we must configure a static NAT mapping between the inside IP (192.168.10.2) and
the outside IP (103.13.148.10).
IP Configuration of the router interfaces and hosts
Router>en
Router#conf t
Router(config)#hostname Gateway
Gateway(config)#interface fastEthernet 0/0
Gateway(config-if)#ip address 103.13.148.1 255.255.255.0
Gateway(config-if)#no shutdown
Gateway(config-if)#exit
Gateway(config)#interface fastEthernet 0/1
Gateway(config-if)#ip address 192.168.10.1 255.255.255.0
Gateway(config-if)#no shutdown
Gateway(config-if)#exit
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname ISP
ISP(config)#interface fastEthernet 0/0
ISP(config-if)#ip address 103.13.148.2 255.255.255.0
ISP(config-if)#no shutdown
ISP(config-if)#exit
ISP(config)#interface fastEthernet 0/1
ISP(config-if)#ip address 10.10.10.1 255.255.255.0
ISP(config-if)#no shutdown
ISP(config-if)#exit
Configure default-route to Internet on Gateway Router
Gateway(config)#ip route 0.0.0.0 0.0.0.0 103.13.148.2
Configure static route to LAN on ISP
ISP(config)#ip route 192.168.10.0 255.255.255.0 103.13.148.1
Specify default gateway on switch
Switch(config)#ip default-gateway 192.168.10.1
Static NAT Configuration
Gateway(config)#ip nat inside source static 192.168.10.2 103.13.148.10
Gateway(config)#interface fastEthernet 0/1
Gateway(config-if)#ip nat inside
Gateway(config-if)#exit
Gateway(config)#interface fastEthernet 0/0
Gateway(config-if)#ip nat outside
Verification
Gateway# show ip route
ISP# show ip route
Ping from PC0 to the Server PC.
On the Server PC, activate the HTTP service.
From the Internet PC (PC0 under the ISP router) browse to 103.13.148.10 (the public
IP assigned for the static mapping).
LAB 43 : Dynamic NAT (many-to-many)
(We will do the Dynamic NAT configuration after Static NAT, so all the configuration of the
previous LAB remains the same.)
Dynamic NAT is used when we have a pool of public IP addresses.
Never use dynamic NAT for servers or other devices that need to be accessible from the
Internet.
Suppose our internal network is 192.168.10.0/24 and we have a pool of public IP
addresses 103.13.148.20-103.13.148.30 with netmask 255.255.255.0. The procedure
is as follows:
Create an ACL for LAN traffic
-------------------------------------
Gateway(config)#access-list 1 permit 192.168.10.0 0.0.0.255
Create a NAT pool of the public IP addresses to be used for translations
Gateway(config)#ip nat pool venus 103.13.148.20 103.13.148.30 netmask 255.255.255.0
Apply the NAT with ACL and nat pool
Gateway(config)#ip nat inside source list 1 pool venus
Apply it to interface
Gateway(config)#interface fastEthernet 0/1
Gateway(config-if)#ip nat inside
Gateway(config-if)#exit
Gateway(config)#interface fastEthernet 0/0
Gateway(config-if)#ip nat outside
Verification
PING PC0 from PC1 / PC2.................
Gateway#show ip nat translations
Dynamic NAT
icmp 103.13.148.20:3 192.168.10.11:3 10.10.10.2:3 10.10.10.2:3
icmp 103.13.148.20:4 192.168.10.11:4 10.10.10.2:4 10.10.10.2:4
icmp 103.13.148.21:5 192.168.10.10:5 10.10.10.2:5 10.10.10.2:5
icmp 103.13.148.21:6 192.168.10.10:6 10.10.10.2:6 10.10.10.2:6
icmp 103.13.148.21:7 192.168.10.10:7 10.10.10.2:7 10.10.10.2:7
Static NAT
--- 103.13.148.10 192.168.10.2 --- ---
tcp 103.13.148.10:80 192.168.10.2:80 10.10.10.2:1025 10.10.10.2:1025
tcp 103.13.148.10:80 192.168.10.2:80 10.10.10.2:1026 10.10.10.2:1026
tcp 103.13.148.10:80 192.168.10.2:80 10.10.10.2:1027 10.10.10.2:1027
tcp 103.13.148.10:80 192.168.10.2:80 10.10.10.2:1028 10.10.10.2:1028
tcp 103.13.148.10:80 192.168.10.2:80 10.10.10.2:1029 10.10.10.2:1029
tcp 103.13.148.10:80 192.168.10.2:80 10.10.10.2:1030 10.10.10.2:1030
An inside host makes a request to an outside host and the router dynamically assigns an
available IP address from the pool for the translation of the private IP address. If there is no
public IP address available, the router rejects new connections until you clear the NAT
mappings. However, if you have as many public IP addresses as hosts in your network, you won't
face this problem.
NAT Overload
NAT Overload, also called PAT, is probably the most used type of NAT. We can configure NAT
overload in two ways, depending on how many public IP addresses we have.
LAB 44 : Static PAT
Suppose we have only one public IP address allocated by our ISP. Here we have to map all our
inside hosts to that single address. The configuration is almost the same as for dynamic
NAT, but in this case we specify the outside interface instead of a NAT pool.
Router(config)#hostname GW
GW(config)#interface fastEthernet 0/0
GW(config-if)#ip address 103.13.148.1 255.255.255.240
GW(config-if)#no shutdown
GW(config-if)#exit
GW(config)#interface fastEthernet 0/1
GW(config-if)#ip address 192.168.10.1 255.255.255.0
GW(config-if)#no shutdown
GW(config-if)#exit
Router(config)#hostname ISP
ISP(config)#interface fastEthernet 0/0
ISP(config-if)#ip address 103.13.148.2 255.255.255.240
ISP(config-if)#no shutdown
ISP(config-if)#exit
ISP(config)#interface fastEthernet 0/1
ISP(config-if)#ip address 100.100.100.1 255.255.255.0
ISP(config-if)#no shutdown
ISP(config-if)#exit
Static default route to Internet on GW Router
GW(config)#ip route 0.0.0.0 0.0.0.0 103.13.148.2
Static route to LAN on ISP Router
ISP(config)#ip route 192.168.10.0 255.255.255.0 103.13.148.1
Assign IP address to Hosts and verify connectivity
C:>ping 192.168.10.10
Reply from 192.168.10.10: bytes=32 time=1ms TTL=126
Reply from 192.168.10.10: bytes=32 time=10ms TTL=126
Reply from 192.168.10.10: bytes=32 time<1ms TTL=126
Reply from 192.168.10.10: bytes=32 time<1ms TTL=126
C:>ping 192.168.10.20
Reply from 192.168.10.20: bytes=32 time=11ms TTL=126
Reply from 192.168.10.20: bytes=32 time<1ms TTL=126
Reply from 192.168.10.20: bytes=32 time<1ms TTL=126
Reply from 192.168.10.20: bytes=32 time<1ms TTL=126
Configure NAT overload
GW(config)#access-list 1 permit 192.168.10.0 0.0.0.255
GW(config)#ip nat inside source list 1 interface fastEthernet 0/0 overload
GW(config)#interface fastEthernet 0/0
GW(config-if)#ip nat outside
GW(config-if)#exit
GW(config)#interface fastEthernet 0/1
GW(config-if)#ip nat inside
GW(config-if)#exit
Verification
Apply ping from PC0 to OUTSIDE SERVER
C:>ping 100.100.100.30
Reply from 100.100.100.30: bytes=32 time=11ms TTL=126
Reply from 100.100.100.30: bytes=32 time<1ms TTL=126
Reply from 100.100.100.30: bytes=32 time<1ms TTL=126
Reply from 100.100.100.30: bytes=32 time=10ms TTL=126
Browse the OUTSIDE SERVER
The router automatically determines which public IP address to use for the mappings by
checking the IP assigned to the interface named in the ip nat inside source command
(FastEthernet 0/0 here). All inside addresses are translated to the only public IP address
available on our router. The router tells the traffic flows apart by port number, which is
what the overload keyword specifies.
LAB 45 : DYNAMIC PAT
The second way: the ISP gave you more than one public IP address, but not enough for a
dynamic or static one-to-one mapping.
The configuration is the same as dynamic NAT, but this time we add overload so that the router
identifies traffic flows by port number instead of mapping one private IP address to one
public IP address dynamically.
Configure NAT overload
GW(config)# ip nat pool venus 103.13.148.5 103.13.148.10 netmask 255.255.255.240
GW(config)#access-list 1 permit 192.168.10.0 0.0.0.255
GW(config)#ip nat inside source list 1 pool venus overload
GW(config)#interface fastEthernet 0/0
GW(config-if)#ip nat outside
GW(config-if)#exit
GW(config)#interface fastEthernet 0/1
GW(config-if)#ip nat inside
Verification
C:>ping 100.100.100.30
Reply from 100.100.100.30: bytes=32 time=1ms TTL=126
Reply from 100.100.100.30: bytes=32 time<1ms TTL=126
Reply from 100.100.100.30: bytes=32 time=11ms TTL=126
Reply from 100.100.100.30: bytes=32 time<1ms TTL=126
Router#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 103.13.148.5:10 192.168.10.20:10 100.100.100.30:10 100.100.100.30:10
icmp 103.13.148.5:11 192.168.10.20:11 100.100.100.30:11 100.100.100.30:11
icmp 103.13.148.5:12 192.168.10.20:12 100.100.100.30:12 100.100.100.30:12
icmp 103.13.148.5:9 192.168.10.20:9 100.100.100.30:9 100.100.100.30:9
tcp 103.13.148.5:1027 192.168.10.10:1027 100.100.100.30:80 100.100.100.30:80
tcp 103.13.148.5:1028 192.168.10.10:1028 100.100.100.30:80 100.100.100.30:80
We can clear the NAT translation table with the following commands:
Router#clear ip nat translation *
Router#show ip nat translations
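The difference between the three NAT flavours of LABs 42 to 45 shows up most clearly in what the router does when the pool runs out. The following Python model is an added example, not code from the guide or from IOS; it uses the lab's pool (103.13.148.20 to .30) and interface address, and the twelve inside hosts and their flows are constructed samples.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Translation:
    proto: str
    inside_local: str     # private ip:port as seen on the LAN
    inside_global: str    # public ip:port as seen by the outside host
    outside: str          # outside host ip:port


class NatRouter:
    """Inside-to-outside translation as the Gateway/GW routers do it in LABs 42-45."""

    def __init__(self, pool: Optional[Tuple[str, str]] = None,
                 interface_ip: Optional[str] = None, overload: bool = False):
        # 'ip nat pool venus 103.13.148.20 103.13.148.30 ...' expands to 11 addresses;
        # 'interface fastEthernet 0/0 overload' makes the pool the interface address.
        self.pool: List[str] = []
        if pool:
            lo, hi = (int(ipaddress.IPv4Address(x)) for x in pool)
            self.pool = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
        elif interface_ip:
            self.pool = [interface_ip]
        self.overload = overload
        self.static: Dict[str, str] = {}    # 'ip nat inside source static' entries
        self.dynamic: Dict[str, str] = {}   # inside local -> pool address in use
        self.table: List[Translation] = []  # what 'show ip nat translations' lists
        self.next_port = 1024               # next global port handed out by PAT

    def add_static(self, inside_local: str, inside_global: str) -> None:
        self.static[inside_local] = inside_global

    def _free_pool_address(self) -> Optional[str]:
        in_use = set(self.dynamic.values())
        return next((a for a in self.pool if a not in in_use), None)

    def translate(self, proto: str, src_ip: str, src_port: int,
                  dst_ip: str, dst_port: int) -> Optional[Translation]:
        """Translate one new inside-to-outside flow; None means the router rejected it."""
        if src_ip in self.static:                       # static NAT: fixed one-to-one
            gip, gport = self.static[src_ip], src_port
        elif self.overload:                             # PAT: one address, unique ports
            gip, gport = self.pool[0], self.next_port
            self.next_port += 1
        else:                                           # dynamic NAT: one address per host
            if src_ip not in self.dynamic:
                free = self._free_pool_address()
                if free is None:
                    return None     # pool exhausted: new connections are refused
                self.dynamic[src_ip] = free
            gip, gport = self.dynamic[src_ip], src_port
        t = Translation(proto, f"{src_ip}:{src_port}", f"{gip}:{gport}",
                        f"{dst_ip}:{dst_port}")
        self.table.append(t)
        return t

    def clear_translations(self) -> None:
        """Equivalent of 'clear ip nat translation *'."""
        self.dynamic.clear()
        self.table.clear()


# Constructed inside hosts: 12 of them, one more than the 11-address pool holds.
INSIDE_HOSTS = [f"192.168.10.{i}" for i in range(10, 22)]


def dynamic_nat_demo() -> Tuple[int, int]:
    """Returns (translations accepted, translations accepted again after clearing)."""
    r = NatRouter(pool=("103.13.148.20", "103.13.148.30"))
    accepted = sum(r.translate("icmp", h, 1, "10.10.10.2", 1) is not None
                   for h in INSIDE_HOSTS)
    r.clear_translations()
    after_clear = sum(r.translate("icmp", h, 1, "10.10.10.2", 1) is not None
                      for h in INSIDE_HOSTS)
    return accepted, after_clear


def pat_demo() -> Tuple[int, int, int]:
    """Returns (flows accepted, distinct global addresses, distinct global ip:port)."""
    r = NatRouter(interface_ip="103.13.148.1", overload=True)
    flows = [r.translate("tcp", h, 1027, "100.100.100.30", 80) for h in INSIDE_HOSTS]
    addrs = {t.inside_global.split(":")[0] for t in flows}
    return len(flows), len(addrs), len({t.inside_global for t in flows})
```

Real PAT keeps the original source port when it is still free and only re-numbers on collision; the model always hands out a fresh port, which is enough to show that all twelve hosts share one public address.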
LAB 46 : Configure GRE Tunnel
Generic Routing Encapsulation (GRE), developed by Cisco, is a simple IP packet
encapsulation protocol. GRE encapsulates the original IP packet with a new IP header and also
appends an additional GRE header. A GRE tunnel creates a point-to-point link between two
routers that are otherwise not directly connected to each other.
When packets need to be sent from one network to another over the Internet or an
insecure network, we can use a GRE tunnel. A virtual tunnel is created between the two Cisco
routers and packets are sent through the tunnel.
GRE tunnels allow multicast packets, but IPSec VPN does not support multicast packets. In
large networks where routing protocols such as OSPF and EIGRP are necessary, GRE tunnels
are the best to utilize.
Configuring GRE Tunnel:
Configuring a GRE tunnel involves creating a tunnel interface, which is a logical interface.
Then you must configure the tunnel endpoints for the tunnel interface.
Configuring Router Interface :
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.20.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface fastEthernet 0/1
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 192.168.20.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface fastEthernet 0/1
R2(config-if)#ip address 192.168.30.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
Creating a Cisco GRE Tunnel
A GRE tunnel uses a tunnel interface – a logical interface configured on the router with an IP
address, where packets are encapsulated and de-encapsulated as they enter or exit the GRE
tunnel.
First step is to create our tunnel interface on R1:
R1(config)# interface Tunnel0
R1(config-if)# ip address 172.16.10.1 255.255.255.0
R1(config-if)# ip mtu 1400
R1(config-if)# ip tcp adjust-mss 1360
R1(config-if)# tunnel source 192.168.20.1
R1(config-if)# tunnel destination 192.168.20.2
R2(config)# interface Tunnel0
R2(config-if)# ip address 172.16.10.2 255.255.255.0
R2(config-if)# ip mtu 1400
R2(config-if)# ip tcp adjust-mss 1360
R2(config-if)# tunnel source 192.168.20.2
R2(config-if)# tunnel destination 192.168.20.1
All Tunnel interfaces must be configured with an IP address. Each Tunnel interface is
configured with an IP address within the same subnet (172.16.10.0/24).
Since GRE is an encapsulating protocol, we adjust the maximum transmission unit (MTU) to 1400
bytes and the maximum segment size (MSS) to 1360 bytes. Because most transport MTUs are 1500
bytes and GRE adds overhead, we must reduce the MTU to account for the extra bytes. A setting
of 1400 is common practice and keeps unnecessary packet fragmentation to a minimum.
Now we configure static routes so that the two hosts can reach each other.
Here the next hop is the tunnel interface IP of the far end:
R1(config)# ip route 192.168.30.0 255.255.255.0 172.16.10.2
R2(config)# ip route 192.168.10.0 255.255.255.0 172.16.10.1
N.B. We can also specify the tunnel source as an interface, like
# tunnel source fastEthernet 0/0
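The 24 bytes behind ip mtu 1400 and ip tcp adjust-mss 1360 are easier to see when the encapsulation is built by hand. The following Python is an added example, not code from the guide or from IOS: it constructs the outer IPv4 header (protocol 47) and the basic 4-byte GRE header around a constructed 1400-byte inner packet using the LAB 46 tunnel endpoints, and strips them again as the far router would. Note that plain GRE adds no encryption or authentication; the inner packet travels in the clear.

```python
import ipaddress
import struct

IP_HDR_LEN = 20      # IPv4 header without options
GRE_HDR_LEN = 4      # basic GRE header: flags/version + protocol type
TCP_HDR_LEN = 20
PROTO_TCP = 6
PROTO_GRE = 47
ETHERTYPE_IPV4 = 0x0800


def checksum(data: bytes) -> int:
    """Standard one's-complement checksum used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + payload_len, 0, 0x4000,
                      64, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def gre_encapsulate(tunnel_src: str, tunnel_dst: str, inner: bytes) -> bytes:
    """Outer IP header (protocol 47) + GRE header + the untouched inner packet."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # no checksum/key/sequence bits set
    outer = ipv4_header(tunnel_src, tunnel_dst, PROTO_GRE, GRE_HDR_LEN + len(inner))
    return outer + gre + inner


def gre_decapsulate(packet: bytes) -> bytes:
    """Strip the outer headers at the far end of the tunnel and return the inner packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != PROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    if checksum(packet[:ihl]) != 0:
        raise ValueError("outer IPv4 header checksum is bad")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + GRE_HDR_LEN])
    if flags & 0xB000 or ptype != ETHERTYPE_IPV4:   # C, K or S bit set, or not IPv4
        raise ValueError("unsupported GRE header")
    return packet[ihl + GRE_HDR_LEN:]


def tunnel_overhead() -> int:
    return IP_HDR_LEN + GRE_HDR_LEN            # 24 bytes added to every packet


def largest_inner_packet(link_mtu: int = 1500) -> int:
    return link_mtu - tunnel_overhead()        # 1476; 'ip mtu 1400' leaves a margin


def mss_for_ip_mtu(ip_mtu: int) -> int:
    return ip_mtu - IP_HDR_LEN - TCP_HDR_LEN   # 1400 -> 1360, matching adjust-mss


def build_sample_tunnel_packet() -> bytes:
    """A constructed 1400-byte inner packet (192.168.10.2 to 192.168.30.2) carried
    across the LAB 46 tunnel between 192.168.20.1 and 192.168.20.2."""
    payload = b"\x00" * (1400 - IP_HDR_LEN)
    inner = ipv4_header("192.168.10.2", "192.168.30.2", PROTO_TCP, len(payload)) + payload
    return gre_encapsulate("192.168.20.1", "192.168.20.2", inner)
```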
R1#show interfaces tunnel 0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 172.16.10.1/24
MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 192.168.20.1, destination 192.168.20.2
Tunnel protocol/transport GRE/IP
PC1#ping 192.168.30.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/34/44 ms
LAB 47: AAA Configuration
AAA (Authentication, Authorization & Accounting) provides the basic security framework for
setting up access control on a network device.
Authentication = who is permitted to access a network
Provides the method of identifying users, including login and password dialog, challenge and
response, messaging support, and, depending on the security protocol you select, encryption.
Authorization = control what they can do while they are there
Provides the method for remote access control, including one-time authorization or
authorization for each service, per-user account list and profile, user group support, and
support of IP, IPX, ARA, and Telnet.
Accounting = audit what actions they performed while accessing the network
Provides the method for collecting and sending security server information used for billing,
auditing, and reporting, such as user identities, start and stop times, executed commands
(such as PPP), number of packets, and number of bytes.
AAA uses two common methods:
1) Local AAA authentication:
This method stores usernames and passwords locally on the Cisco router, and users
authenticate against the local database.
2) Server-based AAA authentication:
A central AAA server contains the usernames and passwords for all users.
AAA can be used with both RADIUS and TACACS+ servers to provide secure services, but there
are some differences between the two protocols.
AAA Lab (Server-based AAA authentication)
Objective :
Anyone who telnets to the router must be authenticated through the AAA server; if the AAA server
is down, the router uses the local user account database.
RADIUS SERVER CONFIGURATION
Configuration:
Router#conf terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname Radius
Radius(config)#interface fastEthernet 0/0
Radius(config-if)#ip address 192.168.10.1 255.255.255.0
Radius(config-if)#no shutdown
Radius(config-if)#exit
Telnet Access from local database
Radius(config)#enable secret cisco123
Radius(config)#line vty 0 4
Radius(config-line)#login authentication default
Radius(config-line)#login
Radius(config-line)#exit
Radius(config)#username ashish password ashish123
Radius(config)#exit
AAA Server Configuration
To enable AAA, you need to configure the aaa new-model command in global configuration.
Until this command is enabled, all other AAA commands are hidden.
Radius(config)#aaa new-model
Set authentication for login using two methods: the Radius server is the first method; if the
Radius server doesn't respond, the router's local database is used (the second method).
Radius(config)#aaa authentication login default group radius local
Tell the router what is the IP address for Radius server and key (password) to connect to:
Radius(config)#radius-server host 192.168.10.3 auth-port 1645 key cisco
Here, on the RADIUS server, the router is added as a client with:
Client name = any
Client IP = Router IP
Key = the key defined in the previous command line
From the PC
C:>telnet 192.168.10.1
Trying 192.168.10.1 ...Open
User Access Verification
Username: admin
Password:
Radius>en
Password:
Radius#
Here username admin and password admin123 were created on the Radius Server.
Now disconnect the ACS server (or just remove the cable) and try to Telnet to the router using
ashish (local database); it will work.
Remember: if method 1 answers and rejects the login (a failure), the router does not go on to
method 2. Only when method 1 is not available (no response) does the router move on to method 2 and use it.
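The fail-versus-unavailable rule above, as an added simulation that is not part of the lab guide: the RADIUS and local user databases are constructed stand-ins for the lab's accounts, no real RADIUS traffic is sent, and the function names are assumptions.

```python
"""How the 'aaa authentication login default group radius local' list is walked.

Added simulation, not part of the lab guide: the RADIUS and local user databases
are constructed stand-ins for the lab's accounts and no real RADIUS traffic is sent."""
from enum import Enum


class Result(Enum):
    PASS = "pass"    # the method accepted the credentials: login succeeds
    FAIL = "fail"    # the method answered and rejected them: login denied, list stops
    ERROR = "error"  # the method gave no answer (server unreachable): next method is tried


RADIUS_USERS = {"admin": "admin123"}    # constructed: what the lab created on the RADIUS server
LOCAL_USERS = {"ashish": "ashish123"}   # constructed: the 'username ashish password ashish123' entry


def radius_method(user, password, server_reachable=True):
    """'group radius': a reachable server either accepts or rejects; a dead one is ERROR."""
    if not server_reachable:
        return Result.ERROR
    return Result.PASS if RADIUS_USERS.get(user) == password else Result.FAIL


def local_method(user, password, server_reachable=True):
    """'local': the router's own database is always available, so it never returns ERROR."""
    return Result.PASS if LOCAL_USERS.get(user) == password else Result.FAIL


METHOD_LIST = [radius_method, local_method]   # 'group radius local', in that order


def authenticate(user, password, methods=METHOD_LIST, server_reachable=True):
    """Return (accepted, deciding_method). Only ERROR moves on to the next method."""
    for method in methods:
        result = method(user, password, server_reachable=server_reachable)
        if result is Result.PASS:
            return True, method.__name__
        if result is Result.FAIL:
            return False, method.__name__   # a reject is final: local is NOT consulted
    return False, "none"                    # every method errored: login denied


if __name__ == "__main__":
    print(authenticate("admin", "admin123"))                            # RADIUS accepts
    print(authenticate("ashish", "ashish123"))                          # RADIUS rejects; local never asked
    print(authenticate("ashish", "ashish123", server_reachable=False))  # server down: local accepts
```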
C:>telnet 192.168.10.1
Trying 192.168.10.1 ...Open
User Access Verification
Username: ashish
Password:
Radius>
Radius#show AAA user all
Unique id 4 is currently in use.
Accounting:
log=0x18001
Events recorded :
CALL START
INTERIM START
INTERIM STOP
update method(s) :
NONE
update interval = 0
Outstanding Stop Records : 0
Radius#show aaa sessions
Total sessions since last reload: 3
Session Id:4
Unique Id:4
User Name:admin
IP Address:0.0.0.0
Idle Time: 0
CT Call Handle: 0
Radius#
Alternatively, TACACS+ Configuration
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname Tacacs
Tacacs(config)#interface fastEthernet 0/0
Tacacs(config-if)#ip address 192.168.10.2 255.255.255.0
Tacacs(config-if)#no shutdown
Tacacs(config-if)#exit
Tacacs(config)#aaa new-model
Tacacs(config)#aaa authentication login default group tacacs+ local
Tacacs(config)#tacacs-server host 192.168.10.4 key 8888
Tacacs(config)#enable secret cisco123
Tacacs(config)#line vty 0 4
Tacacs(config-line)#login authentication default
Tacacs(config-line)#login
AAA is enabled. Command not supported. Use an aaa authentication methodlist
Tacacs(config-line)#exit
Tacacs(config)#username ashish password ashish123
C:>telnet 192.168.10.2
Trying 192.168.10.2 ...Open
User Access Verification
Username: admin
Password:
Tacacs>en
Password:
Tacacs#
LAB 48: Syslog Server
Cisco devices use the syslog protocol to manage system logs and alerts. A Syslog server collects
all the logs in a central location, and these logs can then be used for troubleshooting the
devices.
Eight levels of logs are generated; these are called severity levels. A lower severity
level number is more critical.
Message Logging Level Keywords
Level Keyword   Level   Description                         Syslog Definition
emergencies     0       System unstable                     LOG_EMERG
alerts          1       Immediate action needed             LOG_ALERT
critical        2       Critical conditions                 LOG_CRIT
errors          3       Error conditions                    LOG_ERR
warnings        4       Warning conditions                  LOG_WARNING
notifications   5       Normal but significant condition    LOG_NOTICE
informational   6       Informational messages only         LOG_INFO
debugging       7       Debugging messages                  LOG_DEBUG
The software generates four other categories of messages:
• Error messages about software or hardware malfunctions, displayed at levels warnings
through emergencies: these types of messages mean that the functionality of the
access point is affected.
• Output from the debug commands, displayed at the debugging level: debug
commands are typically used only by the Technical Assistance Center (TAC).
• Interface up or down transitions and system restart messages, displayed at the
notifications level: this message is only for information; access point functionality is
not affected.
• Reload requests and low-process stack messages, displayed at the informational level:
this message is only for information; access point functionality is not affected.
Parts of a syslog message
• Timestamp
• Log Message Name and Severity Level
• Message Text
LAB :
Router>
Router>enable
Router#conf t
Router(config)#hostname DU
DU(config)#interface fastEthernet 0/0
DU(config-if)#ip address 192.168.10.1 255.255.255.0
DU(config-if)#no shutdown
On the Syslog server, go to Services and make sure the Syslog service is turned on.
Syslog configuration on DU Router
We will use the logging host <syslog server IP address> command to specify the Syslog
server address on the Cisco router.
DU(config)#logging host 192.168.10.2
Then use the logging trap <severity level> command to set which log types are sent to the
server: messages at that severity level and at every more critical level. For example, use the
debugging level (severity level 7). Any other severity level can be used for testing.
DU(config)#logging trap debugging
Then we will use the debug ip <protocol> command to enable debugging for a protocol. In
this case, we will use the ICMP protocol.
DU#debug ip icmp
Run the ping 192.168.1.100 command to generate some ICMP packets and test your configuration.
C:>ping 192.168.10.1
Pinging 192.168.10.1 with 32 bytes of data:
Reply from 192.168.10.1: bytes=32 time=1ms TTL=255
Reply from 192.168.10.1: bytes=32 time<1ms TTL=255
Reply from 192.168.10.1: bytes=32 time<1ms TTL=255
Reply from 192.168.10.1: bytes=32 time<1ms TTL=255
C:>
Next, move to the Syslog server console and examine the output. The following figure shows
sample output of the Syslog server: the logs collected by the Syslog server from the Cisco router.
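The severity table and the logging trap rule, applied to log lines in code: an added example that is not part of the lab guide. The sample lines are constructed from messages that appear in this guide plus two common IOS messages, and the parse_ios_syslog and forwarded_to_server helpers are assumptions.

```python
"""Parse IOS syslog lines and apply the 'logging trap <level>' filter.

Added example for this lab, not part of the guide. The sample lines are
constructed; parse_ios_syslog() and forwarded_to_server() are hypothetical helpers."""
import re

# Severity keywords from the table above: a lower number is more critical.
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Optional sequence number and optional timestamp that precede an IOS message.
TS = r"(?:\d+:\s*)?(?:(?P<ts>[*.]?[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d(?:\.\d+)?):\s*)?"
# %FACILITY-SEVERITY-MNEMONIC: message text
MSG_RE = re.compile("^" + TS + r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+):\s*(?P<text>.*)$")
DEBUG_RE = re.compile("^" + TS + r"(?P<text>.*)$")

SAMPLE_LINES = [   # constructed sample input
    "*Mar  1 00:02:17.123: %SNMP-5-WARMSTART: SNMP agent on host Router is undergoing a warm start",
    "*Mar  1 00:05:01.002: %DUAL-5-NBRCHANGE: IP-EIGRP 10: Neighbor 192.168.10.1 (FastEthernet0/0) is up: new adjacency",
    "*Mar  1 00:06:10.500: %SYS-5-CONFIG_I: Configured from console by console",
    "*Mar  1 00:07:00.011: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to down",
    "*Mar  1 00:07:30.000: ICMP: echo reply sent, src 192.168.10.1, dst 192.168.10.2",
]


def parse_ios_syslog(line):
    """Return timestamp, facility, severity, mnemonic and text of one IOS log line.

    Debug output (e.g. from 'debug ip icmp') carries no %FACILITY-SEV-MNEMONIC
    header; it is logged at the debugging level (7), so it is classified that way."""
    line = line.strip()
    m = MSG_RE.match(line)
    if m:
        return {"timestamp": m.group("ts"), "facility": m.group("fac"),
                "severity": int(m.group("sev")), "mnemonic": m.group("mnem"),
                "text": m.group("text")}
    d = DEBUG_RE.match(line)
    return {"timestamp": d.group("ts"), "facility": None,
            "severity": LEVELS["debugging"], "mnemonic": None, "text": d.group("text")}


def forwarded_to_server(lines, trap="debugging"):
    """Mimic 'logging trap <keyword>': only messages at that level or more
    critical (numerically lower or equal) are sent to the syslog server."""
    limit = LEVELS[trap]
    return [m for m in map(parse_ios_syslog, lines) if m["severity"] <= limit]


if __name__ == "__main__":
    for trap in ("debugging", "notifications", "warnings"):
        sent = forwarded_to_server(SAMPLE_LINES, trap)
        print(f"logging trap {trap}: {len(sent)} of {len(SAMPLE_LINES)} lines sent")
```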
LAB 49: SNMPv3
Simple Network Management Protocol (SNMP) is an application-layer protocol used for network
monitoring and management. The network devices send information to the NMS server, which
uses it to draw graphs for analysing CPU, memory, I/O and so on.
It is made up of 3 parts: the SNMP manager, the SNMP agent and the Management Information Base
(MIB).
• The SNMP manager is the software running on a PC or server that monitors
the network devices.
• The SNMP agent runs on the network device.
• The database of manageable objects on the device is called the MIB (Management Information Base);
an object could be the interface status on the router (up or down) or perhaps the CPU
load at a certain moment. An object in the MIB is identified by an OID (Object Identifier).
Configure SNMP
Enable SNMP on Router
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip address 192.168.10.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#snmp-server community V1 ro
%SNMP-5-WARMSTART: SNMP agent on host Router is undergoing a warm start
Router(config)#snmp-server community V1rw rw
Router(config)#exit
Router#
Here,
Read Community: V1, taken from the read-only (ro) community name.
Write Community: V1rw, the name of the read-write (rw) community.
Testing SNMP from a PC
Click on PC0, open the Desktop tab, then open MIB Browser.
Now go to the Advanced tab and enter the following information:
Address: 192.168.10.1
Read Community: V1
Write Community: V1rw
SNMP Version, select V3 and click OK.
Now on the MIB browser page expand the MIB tree to system, select each value and click the
GO button to display the corresponding information from Router0.
LAB 50: Password Recovery
Method 1
1. Shut the router down.
2. Remove the compact flash from the back of the router.
3. Turn the router back on.
4. When you see the rommon 1> prompt, enter the command confreg 0x2142.
5. Insert the compact flash.
6. Type reset.
7. When prompted to enter the initial configuration, type no and press enter.
8. At the router> prompt, type enable
9. At the Router# prompt, enter the configure memory command, and press Enter in
order to copy the startup configuration to the running configuration.
10. Use the config t command in order to enter global configuration mode.
11. Use this command in order to create a new user name and password:
Router(config)#username cisco123 privilege 15 password cisco123
12. Use this command in order to change the boot statement:
config-register 0x2102
13. Use this command in order to save the configuration:
write memory
14. Reload the router, and then use your new user name and password to log in to the
router.
Method 2
1. Connect a terminal or PC with terminal emulation to the console port of the router
and ensure you have the correct terminal settings. They include no flow control, 1
stop bit, 8 data bits, no parity and 9600 baud rate.
2. If you are able to access the router, enter in show version at the prompt screen, and
document the configuration register setting.
3. Next, turn off the router and wait about 5 seconds and turn it back on.
4. Press Break on the terminal keyboard within 1 minute of power-up in order to put the
router into ROMmon.
5. Enter confreg 0x2142 at the rommon 1> prompt in order to boot from Flash.
6. Type reset at the rommon 2> prompt.
7. Type no after each setup question or press Ctrl+C to bypass all questions.
8. Type enable at the Router> prompt
9. Type configure memory or copy startup-config running-config in order to copy
NVRAM into memory.
10. Type show running-config
11. Type configure terminal
12. Type enable secret <enter in a password that you will remember> in order to change
the enable secret password.
13. Issue the no shutdown command on every single interface that you use.
14. Type config-register <the value documented in step 2>. This is typically 0x2102.
15. Press Ctrl-z or end to leave config mode.
16. Type write memory or copy running-config startup-config to commit the
modifications.
LAB 51 : PROJECT
1. VLAN Information
Switch    VLAN ID   VLAN Name    IP                Ports
DENVER    10        Cisco        172.16.10.0/24    F0/1-9
          20        Solaris      172.16.20.0/24    F0/10-15
          99        MGT          10.10.10.10/24    F0/24
TORONTO   30        Admin        172.16.30.0/24    F0/1-9
          40        Accounts     172.16.40.0/24    F0/10-15
          88        Management   11.11.11.11/24    F0/24
2. Router Information
Router Name   Interface                  IP Address         Description
LAN           F0/0 (.1)                  192.168.10.0/24    To GWY Router
              F0/1.10 (Sub interface)    172.16.10.1/24     To VLAN 10
              F0/1.20 (Sub interface)    172.16.20.1/24     To VLAN 20
              F0/1.99 (Sub interface)    10.10.10.10/24     To VLAN 99 (MGT)
GWY           F0/0 (.2)                  192.168.20.0/24    To LAN Router
              F0/1.30 (Sub interface)    172.16.30.1/24     To VLAN 30
              F0/1.40 (Sub interface)    172.16.40.1/24     To VLAN 40
              F0/1.88 (Sub interface)    11.11.11.11/24     To VLAN 88 (Management)
              F1/0 (.1)                  192.168.30.0/24    To ISP Router
ISP           F0/0 (.2)                  192.168.30.0/24    To GWY Router
              F0/1 (.1)                  172.16.50.0/24     To LAN Switch
2. DENVER
a. hostname, enable password, telnet access & VLAN configuration
b. Management VLAN Configuration
3. Router : LAN
a. Interface, hostname, enable password, telnet access configuration
b. Inter-Vlan Routing Configuration
4. TORONTO
a. Hostname, enable password, telnet access configuration , VLAN & Access Port configuration
b. Management VLAN Configuration
5. Router : GWY
a. Interface, hostname, enable password, telnet access configuration
b. Inter-Vlan Routing Configuration
6. EIGRP Configuration on LAN and GWY Router only
7. Router ISP
a. Interface, hostname, enable password, telnet access configuration
b. static route to LAN router
8. GWY
Static default route to ISP
9. Redistribute static route into EIGRP
10. ACL Configuration
Condition: for Internet hosts the following services towards the inside are disabled, but the HTTP
service is enabled:
a. Telnet, FTP, SMTP, SSH, ping
11. Static NAT Configuration
Condition: only the inside HTTP server's private IP is translated to the public IP 103.13.148.20
12. Configure Inside Server as a HTTP Server
13. Verification
Configuration
DENVER
Hostname, enable password, telnet access configuration , VLAN & Access Port configuration
================================================================================
Switch(config)#hostname DENVER
DENVER(config)#enable secret cisco
DENVER(config)#username admin password admin123
DENVER(config)#line vty 0 4
DENVER(config-line)#login local
DENVER(config-line)#exit
DENVER(config)#
DENVER(config)#vlan 10
DENVER(config-vlan)#name cisco
DENVER(config-vlan)#exit
DENVER(config)#vlan 20
DENVER(config-vlan)#name solaris
DENVER(config-vlan)#exit
DENVER(config)#interface range fastEthernet 0/1 - 9
DENVER(config-if-range)#switchport mode access
DENVER(config-if-range)#switchport access vlan 10
DENVER(config-if-range)#exit
DENVER(config)#interface range fastEthernet 0/10 - 15
DENVER(config-if-range)#switchport mode access
DENVER(config-if-range)#switchport access vlan 20
DENVER(config-if-range)#exit
Management VLAN Configuration
=============================
DENVER(config)#vlan 99
DENVER(config-vlan)#name MGT
DENVER(config-vlan)#exit
DENVER(config)#interface fastEthernet 0/24
DENVER(config-if)#switchport access vlan 99
DENVER(config-if)#exit
DENVER(config)#interface vlan 99
DENVER(config-if)#ip address 10.10.10.10 255.255.255.0
DENVER(config-if)#no shutdown
Router : LAN
=============
Interface, hostname, enable password, telnet access configuration
=========================================================
Router(config)#hostname LAN
LAN(config)#interface fastEthernet 0/1
LAN(config-if)#no shutdown
LAN(config-if)#exit
LAN(config)#interface fastEthernet 0/0
LAN(config-if)#ip address 192.168.10.1 255.255.255.0
LAN(config-if)#no shutdown
LAN(config-if)#exit
LAN(config)#enable password cisco
LAN(config)#username admin password admin123
LAN(config)#line vty 0 4
LAN(config-line)#login local
LAN(config-line)#exit
Inter-Vlan Routing Configuration
==========================
LAN(config)#interface fastEthernet 0/1.10
LAN(config-subif)#encapsulation dot1Q 10
LAN(config-subif)#ip address 172.16.10.1 255.255.255.0
LAN(config-subif)#no shutdown
LAN(config-subif)#exit
LAN(config)#interface fastEthernet 0/1.20
LAN(config-subif)#encapsulation dot1Q 20
LAN(config-subif)#ip address 172.16.20.1 255.255.255.0
LAN(config-subif)#no shutdown
LAN(config)#interface fastEthernet 0/1.99
LAN(config-subif)#encapsulation dot1Q 99
LAN(config-subif)#ip address 10.10.10.10 255.255.255.0
LAN(config-subif)#no shutdown
LAN(config-subif)#exit
LAN(config)#
DENVER
========
DENVER(config)#interface fastEthernet 0/24
DENVER(config-if)#switchport mode trunk
DENVER(config-if)#no shutdown
DENVER(config-if)#exit
Assign IP addresses to the hosts
==============
Verification
==========
Ping : VLAN 10 host to VLAN 20 host
C:>ping 172.16.20.2
Reply from 172.16.20.2: bytes=32 time<1ms TTL=127
Reply from 172.16.20.2: bytes=32 time<1ms TTL=127
Reply from 172.16.20.2: bytes=32 time=4ms TTL=127
Reply from 172.16.20.2: bytes=32 time<1ms TTL=127
LAN>en
Password:
LAN#ping 10.10.10.10
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/11 ms
LAN#telnet 10.10.10.10
Trying 10.10.10.10 ...Open
User Access Verification
Username: admin
Password:
LAN>
TORONTO
Hostname, enable password, telnet access configuration , VLAN & Access Port configuration
================================================================================
Switch#conf t
Switch(config)#hostname TORONTO
TORONTO(config)#enable secret cisco
TORONTO(config)#username admin password admin123
TORONTO(config)#line vty 0 4
TORONTO(config-line)#login local
TORONTO(config-line)#exit
TORONTO(config)#vlan 30
TORONTO(config-vlan)#name admin
TORONTO(config-vlan)#exit
TORONTO(config)#vlan 40
TORONTO(config-vlan)#name Accounts
TORONTO(config-vlan)#exit
TORONTO(config)#interface range fastEthernet 0/1 - 9
TORONTO(config-if-range)#switchport mode access
TORONTO(config-if-range)#switchport access vlan 30
TORONTO(config-if-range)#exit
TORONTO(config)#interface range fastEthernet 0/10 - 15
TORONTO(config-if-range)#switchport mode access
TORONTO(config-if-range)#switchport access vlan 40
TORONTO(config-if-range)#exit
TORONTO(config)#
Management VLAN Configuration
=============================
TORONTO(config)#vlan 88
TORONTO(config-vlan)#name Management
TORONTO(config-vlan)#exit
TORONTO(config)#interface fastEthernet 0/24
TORONTO(config-if)#switchport access vlan 88
TORONTO(config-if)#exit
TORONTO(config)#interface vlan 88
TORONTO(config-if)#ip address 11.11.11.11 255.255.255.0
TORONTO(config-if)#no shutdown
TORONTO(config-if)#exit
TORONTO(config)#
Router : GWY
=============
Interface, hostname, enable password, telnet access configuration
=========================================================
Router(config)#hostname GWY
GWY(config)#interface fastEthernet 0/0
GWY(config-if)#ip address 192.168.10.2 255.255.255.0
GWY(config-if)#no shutdown
GWY(config-if)#exit
GWY(config)#interface fastEthernet 1/0
GWY(config-if)#ip address 192.168.20.1 255.255.255.0
GWY(config-if)#no shutdown
GWY(config-if)#exit
GWY(config)#enable secret cisco
GWY(config)#username admin password admin123
GWY(config)#line vty 0 4
GWY(config-line)#login local
GWY(config-line)#exit
GWY(config)#
Inter-Vlan Routing Configuration
==========================
GWY(config)#interface fastEthernet 0/1
GWY(config-if)#no shutdown
GWY(config-if)#exit
GWY(config)#interface fastEthernet 0/1.30
GWY(config-subif)#encapsulation dot1Q 30
GWY(config-subif)#ip address 172.16.30.1 255.255.255.0
GWY(config-subif)#no shutdown
GWY(config-subif)#exit
GWY(config)#interface fastEthernet 0/1.40
GWY(config-subif)#encapsulation dot1Q 40
GWY(config-subif)#ip address 172.16.40.1 255.255.255.0
GWY(config-subif)#no shutdown
GWY(config-subif)#exit
GWY(config)#interface fastEthernet 0/1.88
GWY(config-subif)#encapsulation dot1Q 88
GWY(config-subif)#ip address 11.11.11.11 255.255.255.0
GWY(config-subif)#no shutdown
TORONTO
===========
TORONTO(config)#interface fastEthernet 0/24
TORONTO(config-if)#switchport mode trunk
Assign IP addresses to the hosts
==============
Verification
===========
C:>ping 172.16.40.2
Reply from 172.16.40.2: bytes=32 time<1ms TTL=127
Reply from 172.16.40.2: bytes=32 time<1ms TTL=127
Reply from 172.16.40.2: bytes=32 time<1ms TTL=127
Reply from 172.16.40.2: bytes=32 time<1ms TTL=127
GWY#ping 11.11.11.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.11.11.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/7 ms
GWY#telnet 11.11.11.11
Trying 11.11.11.11 ...Open
User Access Verification
Username: admin
Password:
GWY>
EIGRP Configuration on LAN and GWY Router only (except GWY to ISP)
=========================================================
LAN#conf t
LAN(config)#router eigrp 10
LAN(config-router)#network 172.16.10.0
LAN(config-router)#network 172.16.20.0
LAN(config-router)#network 10.10.10.0
LAN(config-router)#network 192.168.10.0
LAN(config-router)#no auto-summary
GWY(config)#router eigrp 10
GWY(config-router)#network 172.16.30.0
GWY(config-router)#network 172.16.40.0
GWY(config-router)#network 11.11.11.0
GWY(config-router)#network 192.168.10.0
GWY(config-router)#
%DUAL-5-NBRCHANGE: IP-EIGRP 10: Neighbor 192.168.10.1 (FastEthernet0/0) is up: new
adjacency
GWY(config-router)#no auto-summary
Verification EIGRP
Ping: from the server PC to the hosts on TORONTO
C:>ping 172.16.30.2
Pinging 172.16.30.2 with 32 bytes of data:
Reply from 172.16.30.2: bytes=32 time=11ms TTL=126
Reply from 172.16.30.2: bytes=32 time<1ms TTL=126
Reply from 172.16.30.2: bytes=32 time=11ms TTL=126
Reply from 172.16.30.2: bytes=32 time=12ms TTL=126
C:>ping 172.16.40.2
Pinging 172.16.40.2 with 32 bytes of data:
Reply from 172.16.40.2: bytes=32 time<1ms TTL=126
Reply from 172.16.40.2: bytes=32 time=1ms TTL=126
Reply from 172.16.40.2: bytes=32 time=12ms TTL=126
Reply from 172.16.40.2: bytes=32 time=12ms TTL=126
Telnet to DENVER switch from GWY
=============================
GWY#telnet 10.10.10.10
Trying 10.10.10.10 ...Open
User Access Verification
Username: admin
Password:
LAN>
7. Router ISP
a. Interface, hostname, enable password, telnet access configuration
============================================================
Router(config)#hostname ISP
ISP(config)#interface fastEthernet 0/0
ISP(config-if)#ip address 192.168.20.2 255.255.255.0
ISP(config-if)#no shutdown
ISP(config-if)#exit
ISP(config)#do ping 192.168.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 0/0/0 ms
ISP(config)#enable secret cisco
ISP(config)#username admin password admin123
ISP(config)#line vty 0 4
ISP(config-line)#login local
ISP(config-line)#exit
ISP(config)#interface fastEthernet 0/1
ISP(config-if)#no shutdown
ISP(config-if)#ip address 192.168.30.1 255.255.255.0
ISP(config-if)#no shutdown
ISP(config-if)#exit
b. static route to LAN router
========================
ISP(config)#ip route 172.16.40.0 255.255.255.0 192.168.20.1
ISP(config)#ip route 172.16.30.0 255.255.255.0 192.168.20.1
ISP(config)#ip route 172.16.20.0 255.255.255.0 192.168.20.1
ISP(config)#ip route 172.16.10.0 255.255.255.0 192.168.20.1
ISP(config)#ip route 10.10.10.0 255.255.255.0 192.168.20.1
8. GWY
Static default route to ISP
GWY(config)#ip route 0.0.0.0 0.0.0.0 192.168.20.2
9. Redistribute static route into EIGRP on router GWY
GWY(config-router)#redistribute static
GWY(config-router)#redistribute connected
Verification
ISP#ping 172.16.20.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.20.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/6/12 ms
ISP#ping 10.10.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/2 ms
ISP#telnet 10.10.10.10
Trying 10.10.10.10 ...Open
User Access Verification
Username: admin
Password:
LAN>
Assign IP address to outside PC
Verification
C:>ping 192.168.30.1
Reply from 192.168.30.1: bytes=32 time=2ms TTL=255
Reply from 192.168.30.1: bytes=32 time=1ms TTL=255
Reply from 192.168.30.1: bytes=32 time<1ms TTL=255
Reply from 192.168.30.1: bytes=32 time=1ms TTL=255
C:>ping 172.16.10.2
Reply from 172.16.10.2: bytes=32 time=11ms TTL=125
Reply from 172.16.10.2: bytes=32 time=11ms TTL=125
Reply from 172.16.10.2: bytes=32 time=11ms TTL=125
Reply from 172.16.10.2: bytes=32 time=12ms TTL=125
10. ACL Configuration
Condition: for Internet hosts the following services towards the inside are disabled, but the HTTP service is enabled:
a. Telnet, FTP, SMTP, SSH, ping
GWY(config)#access-list 101 deny tcp host 192.168.30.2 any eq telnet
GWY(config)#access-list 101 deny tcp host 192.168.30.2 any eq ftp
GWY(config)#access-list 101 deny tcp host 192.168.30.2 any eq smtp
GWY(config)#access-list 101 deny tcp host 192.168.30.2 any eq pop3
GWY(config)#access-list 101 deny tcp host 192.168.30.2 any eq 22
GWY(config)#access-list 101 deny icmp host 192.168.30.2 any echo
GWY(config)#access-list 101 deny icmp any host 192.168.30.2 echo-reply
GWY(config)#access-list 101 permit ip any any
GWY(config)#interface fastEthernet 1/0
GWY(config-if)#ip access-group 101 in
11. Static NAT Configuration
Condition: only the inside HTTP server's private IP is translated to the public IP 103.13.148.20
ISP(config)#ip route 103.13.148.20 255.255.255.255 192.168.20.1
GWY(config)#interface fastEthernet 1/0
GWY(config-if)#ip nat outside
GWY(config-if)#exit
GWY(config)#interface fastEthernet 0/0
GWY(config-if)#ip nat inside
GWY(config-if)#exit
GWY(config)#ip nat inside source static 172.16.10.2 103.13.148.20
GWY(config)#
IPV6 Address
IPv6 uses 128-bit addresses, which means that for each person on Earth there are
48,000,000,000,000,000,000,000,000,000 addresses!
Advantages:
• Enhanced security
• Header improvements
• No need for NAT
• Stateless address autoconfiguration
IPv6 uses eight groups of four hexadecimal digits separated by colons. For example, this is a
valid IPv6 address:
1234:4523:EDBA:0A01:0056:5054:5ABC:ABBD
IPv6 address shortening
1. a leading zero can be omitted
1240:0023:CCBA:0A01:0065:5054:9ABC:ABB4
can be written as
1240:23:CCBA:A01:65:5054:9ABC:ABB4
2. A string of consecutive all-zero groups can be represented as two colons (::)
1240:0000:0000:0000:0456:0000:CCCB:11DC
can be written as
1240::456:0000:CCCB:11DC (but :: can be used only once in an address)
Here the remaining 0000 can be written as a single zero, not as a double colon:
1240::456:0:CCCB:11DC
Three categories of IPv6 addresses exist:
• Unicast
• Anycast
• Multicast
There are three types of IPv6 unicast addresses:
global unicast – similar to IPv4 public IP addresses. These addresses are assigned by the IANA
and used on public networks. They have a prefix of 2000::/3, meaning all the addresses that
begin with binary 001.
unique local – similar to IPv4 private addresses. They are used in private networks and aren’t
routable on the Internet. These addresses have a prefix of FD00::/8.
link local – these addresses are used for sending packets over the local subnet. Routers do not
forward packets with these addresses to other subnets. IPv6 requires a link-local address to be
assigned to every network interface on which the IPv6 protocol is enabled. These addresses
have a prefix of FE80::/10.
Loopback Address ::1/128
Unspecified Address ::/0
IPv6 multicast addresses
Multicast addresses in IPv6 are similar to multicast addresses in IPv4. They are used to
communicate with dynamic groupings of hosts, for example all routers on the link (“one-to-
many distribution”).
IPv6 multicast addresses start with FF00::/8
Here is a table of some of the most common link local multicast addresses:
Here is a summary of the most common address prefixes in IPv6:
IPv6 transition options
IPv4 and IPv6 networks are not interoperable, and the number of devices that use IPv4
is still great. Some of these devices do not support IPv6 at all, so a migration process is
necessary, since IPv4 and IPv6 will likely coexist for some time.
Many transition mechanisms have been proposed. We will introduce the main ones and
describe them in the next sections:
1. IPv4/IPv6 Dual Stacks
2. NAT64
3. Tunneling
IPv6 supports the following routing protocols:
• RIPng (RIP New Generation)
• OSPFv3
• EIGRP for IPv6
• IS-IS for IPv6
• MP-BGP4 (Multiprotocol BGP-4)
The following table summarizes the major differences between IPv4 and IPv6:
LAB 52: Configure IPv6
Cisco routers do not have IPv6 routing enabled by default. To configure IPv6 on a Cisco device
you need to do two things:
1. Apply the "ipv6 unicast-routing" command in global configuration mode.
2. Assign an IPv6 address to the interface. This can be done in several ways; we describe the following
methods here:
• With the eui-64 parameter
• Manually assigned
• Link-local addressing
eui-64 Parameter
BASIC Configuration
DU#conf t
Enter configuration commands, one per line. End with CNTL/Z.
DU(config)#ipv6 unicast-routing
DU(config)#interface fastEthernet 0/0
DU(config-if)#ipv6 address 2001:0BB9:AABB:1234::/64 eui-64
DU(config-if)#no shutdown
DU(config-if)#end
BUET>en
BUET#conf t
Enter configuration commands, one per line. End with CNTL/Z.
BUET(config)#ipv6 unicast-routing
BUET(config)#interface fastEthernet 0/0
BUET(config-if)#ipv6 address 2001:0BB9:AABB:1234::/64 eui-64
BUET(config-if)#no shutdown
BUET(config-if)#end
Verification
DU#show ipv6 interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::2E0:8FFF:FED5:BD01
No Virtual link-local address(es):
Global unicast address(es):
2001:BB9:AABB:1234:2E0:8FFF:FED5:BD01, subnet is 2001:BB9:AABB:1234::/64
[EUI]
Joined group address(es):
DU#show ipv6 route
IPv6 Routing Table - 3 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route, M - MIPv6
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
D - EIGRP, EX - EIGRP external
C 2001:BB9:AABB:1234::/64 [0/0]
via ::, FastEthernet0/0
L 2001:BB9:AABB:1234:2E0:8FFF:FED5:BD01/128 [0/0]
via ::, FastEthernet0/0
L FF00::/8 [0/0]
via ::, Null0
DU#
BUET#show ipv6 interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::202:4AFF:FEA8:2D01
No Virtual link-local address(es):
Global unicast address(es):
2001:BB9:AABB:1234:202:4AFF:FEA8:2D01, subnet is 2001:BB9:AABB:1234::/64
[EUI]
Joined group address(es):
FF02::1
FF02::2
FF02::1:FFA8:2D01
Ping from BUET to DU
BUET#ping ipv6 2001:BB9:AABB:1234:2E0:8FFF:FED5:BD01
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:BB9:AABB:1234:2E0:8FFF:FED5:BD01,
timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/4/24 ms
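How the eui-64 parameter produced the addresses in the show output above, and where the FF02::1:FFA8:2D01 group comes from, as an added example that is not part of the lab guide. The MAC addresses are constructed by reading them back out of the link-local addresses shown, and the function names are assumptions.

```python
"""EUI-64 interface IDs and solicited-node multicast groups, as seen in 'show ipv6 interface'.

Added example, not from the lab guide. The MACs are constructed from the link-local
addresses in the show output; function names are assumptions."""
import ipaddress


def eui64_interface_id(mac):
    """Modified EUI-64: split the 48-bit MAC in half, insert FFFE, flip the U/L bit."""
    digits = "".join(c for c in mac if c not in ".:-")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    octets = bytearray(bytes.fromhex(digits))
    octets[0] ^= 0x02                       # invert bit 7 (Universal/Local) of the first octet
    return bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])


def eui64_address(prefix, mac):
    """'ipv6 address <prefix>/64 eui-64': the /64 prefix bits followed by the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("eui-64 needs a /64 prefix")
    packed = net.network_address.packed[:8] + eui64_interface_id(mac)
    return ipaddress.IPv6Address(packed).compressed.upper()


def link_local_address(mac):
    """The FE80::/64 address IOS derives for the interface from the same MAC."""
    return eui64_address("FE80::/64", mac)


def solicited_node_multicast(address):
    """FF02::1:FFxx:xxxx, with xx:xxxx the low 24 bits of the unicast address
    (the third 'Joined group address' in the BUET output above)."""
    low24 = ipaddress.IPv6Address(address).packed[-3:]
    packed = b"\xff\x02" + bytes(9) + b"\x01\xff" + low24
    return ipaddress.IPv6Address(packed).compressed.upper()


def mac_from_eui64(address):
    """Recover the MAC from an EUI-64 address (None if the interface ID is not EUI-64 shaped).
    This is why EUI-64 addresses reveal the hardware address to anyone who sees them."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02                       # undo the U/L bit flip
    h = octets.hex().upper()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"    # Cisco dotted format


if __name__ == "__main__":
    # constructed from the link-local addresses in the show output
    for name, mac in (("DU", "00E0.8FD5.BD01"), ("BUET", "0002.4AA8.2D01")):
        glob = eui64_address("2001:0BB9:AABB:1234::/64", mac)
        print(name, link_local_address(mac), glob, solicited_node_multicast(glob))
```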
Manually Assigned and Link-local Addressing
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname APECE
APECE(config)#ipv6 unicast-routing
APECE(config)#interface loopback 1
APECE(config-if)#ipv6 address 2001::2/128
APECE(config-if)#exit
APECE(config)#interface fastEthernet 0/0
APECE(config-if)#ipv6 enable
APECE(config-if)#no shutdown
APECE(config-if)#exit
With the "ipv6 enable" command the router's interface automatically gets a link-local IPv6 address.
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname Ashish
Ashish(config)#ipv6 unicast-routing
Ashish(config)#interface loopback 1
Ashish(config-if)#ipv6 address 2001::1/128
Ashish(config-if)#exit
Ashish(config)#interface fastEthernet 0/0
Ashish(config-if)#ipv6 enable
Ashish(config-if)#no shutdown
Ashish(config-if)#end
Ashish#show ipv6 interface brief
FastEthernet0/0 [up/up]
FE80::202:17FF:FE09:E901 (link-local address, generated automatically by the ipv6 enable command)
FastEthernet0/1 [administratively down/down]
Loopback1 [up/up]
FE80::210:11FF:FE65:7A37
2001::1
Vlan1 [administratively down/down]
Ping the link-local address of Ashish from APECE. IOS prompts for the output interface because a link-local address is valid only on one link and the router cannot route to it:
APECE#ping ipv6 FE80::202:17FF:FE09:E901
Output Interface: fastethernet0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FE80::202:17FF:FE09:E901, timeout is 2
seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/1 ms
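How the addresses shown in this lab are formed, as an added example that is not part of the lab guide: the code builds the modified EUI-64 interface identifier from a MAC (split the MAC, insert FFFE, flip the universal/local bit), appends it to the link-local and global prefixes, derives the solicited-node multicast group that appears under "Joined group address(es)", and recovers the MAC from an EUI-64 address. The MAC 00:02:4A:A8:2D:01 is an assumption read back from BUET's link-local address; the guide never states it. The last function is the security point: an EUI-64 address exposes the burned-in MAC (the NIC vendor and a stable tracking identifier) to every peer the interface talks to, which is why hosts use random or privacy (RFC 4941) identifiers and why an interface facing untrusted networks may be better off with a manually assigned address.

```python
"""Modified EUI-64 address derivation (added example, not from the lab guide)."""
import ipaddress


def _mac_bytes(mac: str) -> bytes:
    """Accept 00:02:4A:A8:2D:01, 00-02-4a-a8-2d-01 or Cisco-style 0002.4aa8.2d01."""
    raw = bytes.fromhex("".join(ch for ch in mac if ch.isalnum()))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return raw


def eui64_iid(mac: str) -> bytes:
    """64-bit interface identifier: OUI + FF:FE + NIC part, with the U/L bit flipped."""
    m = _mac_bytes(mac)
    iid = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    iid[0] ^= 0x02  # universal/local bit is bit 1 of the first byte
    return bytes(iid)


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 identifier of mac."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_iid(mac))


def link_local(mac: str) -> ipaddress.IPv6Address:
    """What 'ipv6 enable' generates on a Cisco interface."""
    return eui64_address("fe80::/64", mac)


def solicited_node(address: str) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx, the group joined for Neighbor Discovery (low 24 bits of the address)."""
    base = ipaddress.IPv6Address("ff02::1:ff00:0").packed[:13]
    return ipaddress.IPv6Address(base + ipaddress.IPv6Address(address).packed[13:])


def mac_from_eui64(address: str) -> str:
    """Reverse the derivation; this is the information an EUI-64 address leaks."""
    iid = bytearray(ipaddress.IPv6Address(address).packed[8:])
    if bytes(iid[3:5]) != b"\xff\xfe":
        raise ValueError("interface identifier is not EUI-64 derived")
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


if __name__ == "__main__":
    mac = "00:02:4A:A8:2D:01"  # assumption: BUET's Fa0/0 MAC, read back from the lab output
    glob = eui64_address("2001:BB9:AABB:1234::/64", mac)
    print("link-local     ", link_local(mac))
    print("global         ", glob)
    print("solicited-node ", solicited_node(str(glob)))
    print("DU's MAC       ", mac_from_eui64("2001:BB9:AABB:1234:2E0:8FFF:FED5:BD01"))
```

Compare the printed values with the show ipv6 interface output above; the solicited-node group is the one IOS lists as FF02::1:FFA8:2D01.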
LAB 53 : Configure IPv6 Static Route
The configuration and syntax are the same as for IPv4 static routing, with only minor differences: the command is ipv6 route, the destination is written as prefix/length, and the next hop is a global address, or a link-local address followed by the exit interface.
DU Router
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname DU
DU(config)#ipv6 unicast-routing
DU(config)#interface fastEthernet 0/0
DU(config-if)#ipv6 address 2001:AD8:23:45::1/64
DU(config-if)#no shutdown
DU(config-if)#exit
BUET Router
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname BUET
BUET(config)#ipv6 unicast-routing
BUET(config)#interface fastEthernet 0/0
BUET(config-if)#ipv6 address 2001:AD8:23:45::2/64
BUET(config-if)#no shutdown
BUET(config-if)#exit
BUET#conf t
Enter configuration commands, one per line. End with CNTL/Z.
BUET(config)#interface fastEthernet 0/1
BUET(config-if)#ipv6 address 2001:BD55:1234:DC4::1/64
BUET(config-if)#no shutdown
BUET(config-if)#end
BUET#
Verification
BUET#show ipv6 interface brief
FastEthernet0/0 [up/up]
FE80::260:3EFF:FEAE:5901
2001:AD8:23:45::2
FastEthernet0/1 [administratively down/down]
Vlan1 [administratively down/down]
BUET#
Verify Connectivity using ping
DU#ping ipv6 2001:AD8:23:45::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:AD8:23:45::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/2 ms
DU#
Assign IPv6 Address to host
Ping to Router BUET from host
C:>ping 2001:BD55:1234:DC4::1
Reply from 2001:BD55:1234:DC4::1: bytes=32 time=1ms TTL=255
Reply from 2001:BD55:1234:DC4::1: bytes=32 time<1ms TTL=255
Reply from 2001:BD55:1234:DC4::1: bytes=32 time<1ms TTL=255
Reply from 2001:BD55:1234:DC4::1: bytes=32 time<1ms TTL=255
Now ping to Router DU
C:>ping 2001:AD8:23:45::1
Request timed out.
Request timed out.
Request timed out.
Request timed out.
The ping fails because DU has no route to 2001:BD55:1234:DC4::/64. BUET needs no route, since both networks are directly connected to it. So we configure a static route on DU:
DU(config)#ipv6 route 2001:BD55:1234:DC4::/64 2001:AD8:23:45::2
Now ping to Host IP
DU#ping ipv6 2001:BD55:1234:DC4::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:BD55:1234:DC4::2, timeout is 2
seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/1 ms
DU#
And ping to DU from host
C:>ping 2001:AD8:23:45::1
Pinging 2001:AD8:23:45::1 with 32 bytes of data:
Reply from 2001:AD8:23:45::1: bytes=32 time=2ms TTL=254
Reply from 2001:AD8:23:45::1: bytes=32 time<1ms TTL=254
Reply from 2001:AD8:23:45::1: bytes=32 time<1ms TTL=254
Reply from 2001:AD8:23:45::1: bytes=32 time<1ms TTL=254
LAB 54 : Configure RIPng on Cisco Router
Basic Configuration
DU Router
Router#conf t
Router(config)#hostname DU
DU(config)#ipv6 unicast-routing
DU(config)#interface fastEthernet 0/0
DU(config-if)#ipv6 address 2001:AD8:23:45::1/64
DU(config-if)#no shutdown
DU(config-if)#exit
BUET Router
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname BUET
BUET(config)#ipv6 unicast-routing
BUET(config)#interface fastEthernet 0/0
BUET(config-if)#ipv6 address 2001:AD8:23:45::2/64
BUET(config-if)#no shutdown
BUET(config-if)#exit
BUET(config)#interface fastEthernet 0/1
BUET(config-if)#ipv6 address 2001:BD55:1234:DC4::1/64
BUET(config-if)#no shutdown
BUET(config-if)#end
Configure RIPng (the process name, ashish here, is only locally significant; it must be the same on every interface of one router but need not match between routers)
DU(config)#ipv6 router rip ashish
DU(config-rtr)#exit
DU(config)#interface fastEthernet 0/0
DU(config-if)#ipv6 rip ashish enable
DU(config-if)#exit
BUET(config)#ipv6 router rip ashish
BUET(config-rtr)#exit
BUET(config)#interface fastEthernet 0/0
BUET(config-if)#ipv6 rip ashish enable
BUET(config-if)#exit
BUET(config)#interface fastEthernet 0/1
BUET(config-if)#ipv6 rip ashish enable
BUET(config-if)#end
Verification
DU#ping ipv6 2001:BD55:1234:DC4::2
Sending 5, 100-byte ICMP Echos to 2001:BD55:1234:DC4::2, timeout is 2
seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/1 ms
DU#show ipv6 route
IPv6 Routing Table - 4 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route, M - MIPv6
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
D - EIGRP, EX - EIGRP external
C 2001:AD8:23:45::/64 [0/0]
via ::, FastEthernet0/0
L 2001:AD8:23:45::1/128 [0/0]
via ::, FastEthernet0/0
R 2001:BD55:1234:DC4::/64 [120/2]
via FE80::260:3EFF:FEAE:5901, FastEthernet0/0
L FF00::/8 [0/0]
via ::, Null0
DU#
*** Don't forget ipv6 unicast-routing: without it the router does not forward IPv6 packets and no IPv6 routing protocol will run.
LAB 55 : Dual-Stack Example
Hosts and network devices run both IPv4 and IPv6 at the same time.
First router (hostname left at the default)
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ipv6 unicast-routing
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip address 192.168.10.1 255.255.255.0
Router(config-if)#no shut
Router(config-if)#ipv6 address 2001:12::1/64
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#hostname DU
DU(config)#ipv6 unicast-routing
DU(config)#interface fastEthernet 0/0
DU(config-if)#ip address 192.168.10.2 255.255.255.0
DU(config-if)#ipv6 address 2001:12::2/64
DU(config-if)#no shutdown
DU(config-if)#end
• The FastEthernet 0/0 interfaces of the two routers are dual stacked.
• Each is configured with both an IPv4 and an IPv6 address.
• For each protocol, the addresses of the two routers are on the same network.
Verification
DU#show ip interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up (connected)
Internet address is 192.168.10.2/24 (IPv4 address)
Broadcast address is 255.255.255.255
------------------------------------
DU#show ipv6 interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::2D0:97FF:FE08:1301 (link-local IPv6 address; the global address 2001:12::2 is listed further down in the output)
----------------------------------------
DU#ping ipv6 2001:12::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:12::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/2 ms
LAB 56 : Configuration of IPSEC VPN
A Virtual Private Network (VPN) provides a protected tunnel across a public network such as the Internet, so that organizations can connect users and offices without the high cost of dedicated leased lines.
VPNs are used generally for:
• Client VPNs (Remote Access VPN): to connect home or "roaming" users to the office
• Site-to-Site VPNs: to connect branch offices to a head office
Types of VPN protocols
1. Internet Protocol Security (IPsec)
2. Layer 2 Tunneling Protocol (L2TP)
3. Point-to-Point Tunneling Protocol (PPTP)
4. Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
5. OpenVPN
6. Secure Shell (SSH)
Here we describe only the IPsec Site-to-Site VPN.
IPsec:
IPsec (Internet Protocol Security) is a suite of protocols that protects IP traffic at the network layer.
4 core IPsec services:
• Confidentiality: the data is encrypted (ESP).
• Integrity: a keyed hash (HMAC) over each packet ensures the data has not been tampered with or altered in transit.
• Authentication: confirms the identity of the peer sending the data, using pre-shared keys or certificates issued by a CA (Certificate Authority).
• Anti-replay: every packet carries a sequence number and the receiver keeps a sliding window, so a captured packet that is sent again is dropped instead of being accepted twice.
Configuration of IPSEC VPN
5 phases of an IPsec VPN:
1. Define interesting traffic (the crypto ACL).
2. IKE phase 1: creates the first tunnel (the ISAKMP SA), which protects the later ISAKMP negotiation messages.
3. IKE phase 2: creates the IPsec SAs, the tunnel that protects the data.
4. Transfer data.
5. Tear down the tunnel (when the lifetime expires or on request).
Basic Configuration
R1 (DU) Router
In this topology Fa0/0 is the public (WAN) interface facing R2, and Fa0/1 is the LAN interface.
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 103.13.148.1 255.255.255.240
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface fastEthernet 0/1
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#ip route 192.168.20.0 255.255.255.0 103.13.148.2
Configuring IKE Phase 1
1. Enable ISAKMP
R1(config)#crypto isakmp enable
2. Create ISAKMP Policy
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#hash md5
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#group 2
R1(config-isakmp)#lifetime 3600
R1(config-isakmp)#exit
The policy above uses legacy algorithms: MD5, 3DES and DH group 2 (1024-bit) are all deprecated. On production IOS prefer AES (encryption aes 256), SHA-2 (hash sha256) and DH group 14 or higher, or use IKEv2. The two peers must share at least one policy whose parameters match.
3. Configure pre-shared keys:
R1(config)#crypto isakmp key cisco123 address 103.13.148.2
cisco123 is a lab value only; in production use a long random key unique to each peer, because the pre-shared key is the only thing that authenticates the far end.
Configuring IKE Phase 2
1. Create transform sets:
R1(config)#crypto ipsec transform-set ashish esp-3des esp-md5-hmac
2. (optional) Configure IPSec lifetime:
R1(config)#crypto ipsec security-association lifetime seconds 3600
3. Create mirrored ACLs defining traffic to be encrypted and the traffic expected to be
received encrypted
R1(config)#access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.20.0
0.0.0.255
4. Set up IPSec crypto-map:
R1(config)#crypto map mymap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#match address 101
R1(config-crypto-map)#set peer 103.13.148.2
R1(config-crypto-map)#set pfs group2
R1(config-crypto-map)#set transform-set ashish
R1(config-crypto-map)#
Apply Crypto Map to Interface
R1(config)#interface fastEthernet 0/0
R1(config-if)#crypto map mymap
The configuration on R2 mirrors R1: the same ISAKMP policy and transform set, the peer and key address pointing at R1, and the crypto ACL with source and destination reversed.
R2(config)#crypto isakmp enable
R2(config)#crypto isakmp policy 1
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#encryption 3des
R2(config-isakmp)#hash md5
R2(config-isakmp)#group 2
R2(config-isakmp)#lifetime 3600
R2(config)#crypto isakmp key cisco123 address 103.13.148.1
R2(config)#crypto ipsec transform-set ashish esp-3des esp-md5-hmac
R2(cfg-crypto-trans)#exit
R2(config)#crypto ipsec security-association lifetime seconds 3600
R2(config)#access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.10.0
0.0.0.255
R2(config)#crypto map mymap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R2(config-crypto-map)#match address 101
R2(config-crypto-map)#set peer 103.13.148.1
R2(config-crypto-map)#set pfs group2
R2(config-crypto-map)#set transform-set ashish
R2(config-crypto-map)#exit
R2(config)#interface fastEthernet 0/0
R2(config-if)#crypto map mymap
R2(config-if)#
*Mar 1 00:34:26.911: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R2(config-if)#
Verification and testing
Ping from R1 to PC2, sourcing the packet from the LAN address:
R1#ping 192.168.20.2 source 192.168.10.1
Source the ping from the inside address when testing the tunnel from the router; a ping sourced from the WAN address (103.13.148.1) does not match the crypto ACL and is sent in clear text. We can also ping from PC1 to PC2.
The ping matches the "interesting" traffic in ACL 101 and so triggers the IKE negotiation that builds the tunnel (the first echo is usually lost while the SAs are being set up). We can verify with "show crypto engine connections active".
Verify the IKE Phase 1 SA (the state should be QM_IDLE once the tunnel is established):
R1#show crypto isakmp sa
Verify the IPsec Phase 2 SAs (the #pkts encaps and #pkts decaps counters should increase with each ping):
R1# show crypto ipsec sa
We can also view active IPSec sessions using show crypto session command
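A quick self-check of the crypto settings used in this lab, added here as an example and not part of the lab guide: the script strips the IOS prompts from a pasted CLI session, finds the legacy choices (MD5, 3DES, DH group 2 for both IKE and PFS, and a short pre-shared key) and prints the line to type instead. The replacements (encryption aes 256, hash sha256, group 14, esp-aes 256 esp-sha256-hmac, set pfs group14) are standard IOS 15 keywords but are the editor's recommendation, not something the lab prescribes, and whether Packet Tracer accepts them is not checked here. SAMPLE is R1's configuration from the lab, reproduced as a constructed string; MIN_PSK_LEN is an arbitrary threshold.

```python
"""Audit Cisco IOS IKEv1/IPsec commands for legacy algorithms.

Added example, not part of the lab guide. The replacement keywords below
are the editor's recommendation (assumption), not something the lab uses.
"""
import re
from typing import List, Tuple

# "R1(config-isakmp)#hash md5" -> "hash md5"; a no-op on running-config text
PROMPT = re.compile(r"^[\w.-]+\((?:config|cfg)[^)]*\)#\s*")
MIN_PSK_LEN = 20  # assumption: treat anything shorter as guessable

# ISAKMP policy sub-commands: weak value -> replacement value
WEAK_ISAKMP = {
    "encryption": {"des": "aes 256", "3des": "aes 256"},
    "hash": {"md5": "sha256", "sha": "sha256"},
    "group": {"1": "14", "2": "14", "5": "14"},
}
WEAK_PFS = {"group1": "group14", "group2": "group14", "group5": "group14"}
WEAK_TRANSFORMS = {
    "esp-des": "esp-aes 256",
    "esp-3des": "esp-aes 256",
    "esp-md5-hmac": "esp-sha256-hmac",
    "esp-sha-hmac": "esp-sha256-hmac",
}

# Constructed from the lab's R1 session (prompts and the IOS notice included on purpose)
SAMPLE = """\
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#hash md5
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#group 2
R1(config-isakmp)#lifetime 3600
R1(config-isakmp)#exit
R1(config)#crypto isakmp key cisco123 address 103.13.148.2
R1(config)#crypto ipsec transform-set ashish esp-3des esp-md5-hmac
R1(config)#crypto map mymap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#match address 101
R1(config-crypto-map)#set peer 103.13.148.2
R1(config-crypto-map)#set pfs group2
R1(config-crypto-map)#set transform-set ashish
"""


def strip_prompts(text: str) -> List[str]:
    """Turn a pasted CLI session into bare command lines."""
    lines = []
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if line and not line.startswith("%"):  # drop IOS notice lines
            lines.append(line)
    return lines


def audit_crypto(text: str) -> List[Tuple[str, str]]:
    """Return (offending command, suggested replacement) pairs in config order."""
    findings = []
    for line in strip_prompts(text):
        parts = line.split()
        if parts[0] in WEAK_ISAKMP and len(parts) == 2:
            better = WEAK_ISAKMP[parts[0]].get(parts[1])
            if better:
                findings.append((line, f"{parts[0]} {better}"))
        elif parts[:2] == ["set", "pfs"] and len(parts) == 3 and parts[2] in WEAK_PFS:
            findings.append((line, f"set pfs {WEAK_PFS[parts[2]]}"))
        elif parts[:3] == ["crypto", "ipsec", "transform-set"] and len(parts) > 4:
            if any(t in WEAK_TRANSFORMS for t in parts[4:]):
                fixed = [WEAK_TRANSFORMS.get(t, t) for t in parts[4:]]
                findings.append((line, " ".join(parts[:4] + fixed)))
        elif parts[:3] == ["crypto", "isakmp", "key"] and len(parts) >= 4:
            key = parts[3]
            if len(key) < MIN_PSK_LEN:
                findings.append((line, f"pre-shared key is {len(key)} characters; "
                                       f"use a random key of at least {MIN_PSK_LEN}"))
    return findings


if __name__ == "__main__":
    for bad, good in audit_crypto(SAMPLE):
        print(f"{bad!r:60} -> {good}")
```

The same function works on a pasted show running-config, since the prompt pattern simply does not match lines that have no prompt.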
APPENDIX: SUBNETTING TECHNIQUE
IPv4 Address and Subnetting
An IP address (Internet Protocol address) is a number that identifies a computer or other device on a network using TCP/IP.
As the Internet has grown, the demand for IP addresses has grown with it. IPv4 can provide only about 4.3 billion (2^32) addresses, so IPv6 was introduced, which provides about 3.4 x 10^38 (2^128) addresses.
IP address classes (IPv4)
There are five classes of IP ranges: Class A, Class B, Class C, Class D and Class E, of which only A, B and C are used for host addressing. Each class covers a range of addresses, shown in the following table.

Class     Address range                    Supports
Class A   1.0.0.1 to 126.255.255.254       about 16 million hosts on each of 126 networks
Class B   128.1.0.1 to 191.255.255.254     about 65,000 hosts on each of 16,000 networks
Class C   192.0.1.1 to 223.255.254.254     254 hosts on each of about 2 million networks
Class D   224.0.0.0 to 239.255.255.255     reserved for multicast groups
Class E   240.0.0.0 to 254.255.255.254     reserved for future use or research and development

The range 127.x.x.x is reserved for the loopback (localhost) address, for example 127.0.0.1. The address 255.255.255.255 is the limited broadcast, delivered to all hosts on the local network.
127.0.0.1 is the loopback Internet protocol (IP) address also referred to as the “localhost.”
The address is used to establish an IP connection to the same machine or computer being
used by the end-user.
IPv4 network standards reserve the entire 127.0.0.0/8 address block for loopback purposes.
That means any packet sent to any of those addresses (127.0.0.1 through 127.255.255.255) is
looped back. The address 127.0.0.1 is the standard address normally used for IPv4 loopback
traffic; the rest are rarely used in practice. The IPv6 standard assigns only a single address for
loopback: ::1.
Private IP Addresses
The Internet Assigned Numbers Authority (IANA) reserves the following address blocks (RFC 1918) for use as private IP addresses:
10.0.0.0 to 10.255.255.255 (10.0.0.0/8)
172.16.0.0 to 172.31.255.255 (172.16.0.0/12)
192.168.0.0 to 192.168.255.255 (192.168.0.0/16)
The first block allows for over 16 million addresses, the second for over 1 million, and the last for over 65,000.
The range 169.254.0.0 to 169.254.255.255 (169.254.0.0/16) is also never routed on the Internet, but it is the link-local block used by Automatic Private IP Addressing (APIPA) when a host gets no DHCP lease; it is not part of the RFC 1918 private space.
Reserved IP Addresses
Technically, the entire range from 127.0.0.0 to 127.255.255.255 is reserved for loopback purposes, but you will almost never see anything other than 127.0.0.1 used in the real world.
The range from 0.0.0.0 to 0.255.255.255 is also reserved ("this network"); 0.0.0.0 appears only as a source address before a host has learned its own address, for example in a DHCP request. An address in this range cannot be assigned to an interface and would not function anywhere on the network.
Subnet Mask
The subnet mask is the value assigned during subnetting. If, for example, your Internet Service Provider has given you an IP address of 192.168.0.1/24, it means that your subnet mask is 255.255.255.0. The /24 means that the first 24 bits of the mask are 1s in binary, which is 255.255.255.0.
A subnet mask identifies the network portion and the host portion of an IP address. The host portion determines how many addresses the network contains.
For example: 192.168.99.0 255.255.255.0
Here the last octet of the subnet mask, 0, is the host portion, so the network holds 2^8 = 256 addresses, of which the first is the network ID and the last is the broadcast address. The usable host addresses are 256 - 2 = 254.
Benefits of Subnetting
Think of an office with one large room shared by all staff, and the same office after it has been partitioned so that each group gets its own room. In the same way, when a large network is divided into smaller networks the number of broadcast domains increases, each broadcast domain is smaller, and performance improves.
• Improve network performance and speed
• Reduce network congestion
• Improve network security: traffic between subnets has to cross a router, where it can be filtered with ACLs (subnetting by itself does not block anything)
• Control network growth
• Ease administration
• Subnetting allows you to make efficient use of your address space
Given Subnet is 192.168.10.0/24
We have to Subnet it so that there can have
1. At least 5 Subnets
2. 25 Hosts per subnet
And also find out the
3. Subnet Mask
4. What are the valid Subnets
5. The Valid Hosts Range for each Subnet
6. The broadcast Address for each Subnet
7. Find the Subnet and broadcast Address for 192.168.10.191 IP Address
192.168.10.0 in binary is 8 bits . 8 bits . 8 bits . 8 zeros, and the /24 mask is 255.255.255.0, so the last octet is 0 0 0 0 0 0 0 0.
We will create the new subnets and the hosts per subnet from these 8 bits. As our prefix is /24, the first 24 bits are not used for subnetting.
Subnet bits are taken from the left side of the octet and host bits from the right side.
We need at least 5 subnets.
Here valid subnets are counted with the classful formula 2^n - 2, where n is the number of subnet bits (the zero subnet and the all-ones subnet are excluded):
If n = 1; Subnet = 2^1 - 2 = 0
If n = 2; Subnet = 2^2 - 2 = 2
If n = 3; Subnet = 2^3 - 2 = 6 (our desired value)
If n = 4; Subnet = 2^4 - 2 = 14
The number of valid subnets = 6 (8 if the zero and all-ones subnets are counted; modern IOS enables ip subnet-zero by default, and the usual modern count is simply 2^n).
So we take 3 bits from the left side of the octet and set all three bits to 1:
1 1 1 0 0 0 0 0
The remaining 5 bits are used for hosts per subnet.
So the number of hosts per subnet = 2^5 - 2 = 30 (the subnet address and the broadcast address are never assigned to a host).
1. The number of valid subnets = 6 (8 with the zero and all-ones subnets)
2. The number of valid hosts per subnet = 30
3. The subnet mask = 255.255.255.224
Subnet mask: 255.255.255. 1 1 1 0 0 0 0 0 = 255.255.255.224
Binary to decimal:
  bit values (memorize these): 128 64 32 16 8 4 2 1
  last octet of the mask:        1  1  1  0 0 0 0 0
Add the values where the bit is 1, here 128, 64 and 32: 128 + 64 + 32 = 224 (the mask octet).
Decimal to binary, for example 248:
  128 64 32 16 8 4 2 1
    1  1  1  1 1 0 0 0
248 = 128 + 64 + 32 + 16 + 8; find which bit values add up to 248 and set those bits to 1, as above.
4. To find the subnets, first find the gap between two consecutive subnets, using the formula
Subnet gap = 256 - mask value = 256 - 224 = 32
This is also called the increment (block size): 0, 32, 64, ... up to 224.
The zero subnet (192.168.10.0) is excluded by the classful rule; on Cisco IOS it is usable because ip subnet-zero is enabled by default (on very old images it had to be entered by hand). The last block, 224, is the all-ones subnet, which the classful rule also excludes.
In detail (last octet of 192.168.10.x):

           Subnet   First host   Last host   Broadcast
             32         33           62          63
             64         65           94          95
             96         97          126         127
            128        129          158         159
            160        161          190         191
            192        193          222         223
(Zero subnet: 0, hosts 1 to 30, broadcast 31. All-ones subnet: 224, hosts 225 to 254, broadcast 255.)
• The broadcast address is one less than the next subnet.
• First host = subnet + 1, last host = broadcast - 1
• So for subnet 32, i.e. 192.168.10.32, the host addresses are 192.168.10.33 through 192.168.10.62, 30 addresses in total.
• The subnet address and the broadcast address are never used as a host IP address.
• The subnet mask for all of these subnets is 255.255.255.224.
• In the classful subnet formula we subtract 2: one for the zero subnet and one for the all-ones subnet (224).
• We also subtract 2 when counting valid hosts: one for the subnet address and one for the broadcast address.
7. A simple calculation locates the subnet of 192.168.10.191:
191 / 32 = 5 remainder 31; 5 x 32 = 160, so the subnet is 192.168.10.160 (the remainder is always lower than the block size, 32).
Next subnet = 160 + 32 = 192, so the broadcast = 192 - 1 = 191. The address 192.168.10.191 is therefore the broadcast address of subnet 192.168.10.160, not a usable host address.
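The same calculation in code, as an added example that is not part of the lab guide: given the network, the minimum number of subnets and the minimum hosts per subnet, it picks the prefix length, reports the block size, lists every subnet with its host range and broadcast, and locates the subnet of any address (here 192.168.10.191). It follows the modern rule that all 2^n subnets are usable (ip subnet-zero) and marks the zero and all-ones subnets so the classful 2^n - 2 count can still be read off. Only the standard library is used; the function names and the dictionary layout are the editor's choice, not anything from the guide.

```python
"""Subnet calculator for the appendix problem (added example, not from the lab guide)."""
import ipaddress
import math
from typing import Dict, List


def choose_prefix(network: str, min_subnets: int, min_hosts: int) -> int:
    """Smallest prefix length giving at least min_subnets subnets of at least
    min_hosts usable hosts each. Counts all 2^n subnets (ip subnet-zero)."""
    net = ipaddress.IPv4Network(network)
    subnet_bits = math.ceil(math.log2(min_subnets)) if min_subnets > 1 else 0
    host_bits = math.ceil(math.log2(min_hosts + 2))  # +2: network and broadcast
    new_prefix = net.prefixlen + subnet_bits
    if new_prefix + host_bits > 32:
        raise ValueError(f"{min_subnets} subnets x {min_hosts} hosts do not fit in {network}")
    return new_prefix


def block_size(new_prefix: int) -> int:
    """Increment between subnets in the octet that is split (256 - mask octet)."""
    mask = int(ipaddress.IPv4Network(f"0.0.0.0/{new_prefix}").netmask)
    octet_index = (new_prefix - 1) // 8  # octet holding the last mask bit
    octet = (mask >> (8 * (3 - octet_index))) & 0xFF
    return 256 - octet


def subnet_table(network: str, new_prefix: int) -> List[Dict[str, str]]:
    """One row per subnet; the note marks the two subnets the classful 2^n - 2 rule drops."""
    subnets = list(ipaddress.IPv4Network(network).subnets(new_prefix=new_prefix))
    rows = []
    for i, s in enumerate(subnets):
        note = "zero subnet" if i == 0 else "all-ones subnet" if i == len(subnets) - 1 else ""
        rows.append({
            "subnet": str(s.network_address),
            "first_host": str(s.network_address + 1),
            "last_host": str(s.broadcast_address - 1),
            "broadcast": str(s.broadcast_address),
            "mask": str(s.netmask),
            "usable_hosts": str(s.num_addresses - 2),
            "note": note,
        })
    return rows


def locate(address: str, network: str, new_prefix: int) -> Dict[str, str]:
    """Row of the subnet containing address: the address is masked down to its
    subnet, which is what the division-and-remainder method does by hand."""
    if ipaddress.IPv4Address(address) not in ipaddress.IPv4Network(network):
        raise ValueError(f"{address} is not inside {network}")
    home = ipaddress.ip_network(f"{address}/{new_prefix}", strict=False)
    return next(r for r in subnet_table(network, new_prefix)
                if r["subnet"] == str(home.network_address))


if __name__ == "__main__":
    prefix = choose_prefix("192.168.10.0/24", min_subnets=5, min_hosts=25)
    mask = ipaddress.IPv4Network("0.0.0.0/%d" % prefix).netmask
    print(f"/{prefix}, mask {mask}, block size {block_size(prefix)}")
    for row in subnet_table("192.168.10.0/24", prefix):
        print(row)
    print(locate("192.168.10.191", "192.168.10.0/24", prefix))
```

Running it reproduces the table above, with the extra rows for subnets 0 and 224, and reports 192.168.10.191 as the broadcast of 192.168.10.160/27.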
ASHISH HALDER
APPLIED PHYSICS, ELECTRONICS AND COMMUNICATION ENGINEERING
UNIVERSITY OF DHAKA
EMAIL -glakh2010@gmail.com
skype: ashish.halder312

CCNA-LAB-GUIDE-V3_LAST-ADDITION (4).pdf

  • 1.
    CCNA Routing &Switching v3 LAB Guide 1 Ashish Halder (CCNA RnS, CCNP RnS, CCNA Sec, CCNP Sec, CCIE Sec-written), All rights are reserved CCNA RnS, CCNA Sec, CCNP RnS, CCNP Sec, CCIE Sec (written)
  • 2.
    CCNA Routing &Switching v3 LAB Guide 2 Ashish Halder (CCNA RnS, CCNP RnS, CCNA Sec, CCNP Sec, CCIE Sec-written), All rights are reserved I have dedicated this book to my sweet angel Arshia and to my beloved Eva ! Special thanks to Mony, Opu and Tapos who has given me encourage to write this book. All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review. Published in the Bangladesh First Edition November 2017 Copyright® 2017 akhtechnologypark ltd. Published by: ATech Press 42, Kawran Bazar Dhaka-1215 Cell:+88-01830618474
  • 3.
    CCNA Routing &Switching v3 LAB Guide 3 Ashish Halder (CCNA RnS, CCNP RnS, CCNA Sec, CCNP Sec, CCIE Sec-written), All rights are reserved Contents 1. Cisco CLI mode ----------------------------------------------------------------------------- 5 2. Basic Configuration of Router and Switch ------------------------------------------------------- 7 3. Configuring SSH Access to Cisco Device -------------------------------------------------------- 14 4. Backup and restoring your configuration ------------------------------------------------------- 18 5. VLAN, Access and Trunk Port Configuration ----------------------------------------------------- 20 6. VTP Configuration ------------------------------------------------------------------------------ 27 7. Etherchannel Configuration ------------------------------------------------------------------------ 30 8. VLAN, VTP, Etherchannel and Inter-VLAN Routing configuration----------------------------- 33 9. Inter-Vlan Routing Configuration on L3 Switch (SVI) -------------------------------------------- 42 10. Configure Port Security ----------------------------------------------------------------------------- 45 11. Configure portfast ---------------------------------------------------------------------------------- 51 12. Configure BPDU Guard on Cisco Switch ------------------------------------------------------------ 52 13. Configure Root Guard on Cisco Switch ------------------------------------------------------------- 53 14. Spanning tree behavior - mode , priority value, root bridge ---------------------------------- 56 15. DHCP Configuration on Cisco Router ----------------------------------------------------------------58 16. DHCP Configuration on Cisco Switch --------------------------------------------------------------- 61 17. Static route and Static default route configuration --------------------------------------------- 63 18. 
Static default route configuration --------------------------------------------- ----------------- - -67 19. RIPv2 Basic configuration -----------------------------------------------------------------------------71 20. RIP Passive Interface ------------------------------------------------------------------------------- 75 21. Configure RIP Authentication -----------------------------------------------------------------------76 22. EIGRP configuration (EIGRP Neighbor Adjacency) -------------------------------------------- --- 84 23. EIGRP Passive Interface ---------------------------------------------------------------------- ---- - 86 24. EIGRP Authentication -------------------------------------------------------------------------- -- - -89 25. EIGRP Hold time and Hello time ----------------------------------------------------------- -- -91 26. EIGRP Summarization ------------------------------------------------------------------------- ----- - 92 27. EIGRP Project LAB --------------------------------------------------------------------------------- - 95 28. OSPF Configuration --------------------------------------------------------------------------------- 107 29. OSPF Virtual LAB ------------------------------------------------------------------------------------- 108 30. OSPF Authentication --------------------------------------------------------------------------------- 110
  • 4.
    CCNA Routing &Switching v3 LAB Guide 4 Ashish Halder (CCNA RnS, CCNP RnS, CCNA Sec, CCNP Sec, CCIE Sec-written), All rights are reserved 31. OSPF summarization --------------------------------------------------------------------------------- 112 32. PPP and HDLC ---------------------------------------------------------------------------------------- 113 33. BGP Basic Configuration -----------------------------------------------------------------------------117 34. BGP peering with loopback Address ----- ---------------------------------------------------------120 35. BGP Single Homed Design ---------------------------------------------------------------------------123 36. BGP Redundancy with Load Sharing ---------------------------------------------------------------129 37. HSRP Configuration ----------------------------------------------------------------------------------131 38. Standard ACL -----------------------------------------------------------------------------------------137 39. Extended ACL -----------------------------------------------------------------------------------------140 40. Named ACL --------------------------------------------------------------------------------------------144 41. Staci NAT ---------------------------------------------------------------------------------------------146 42. ICMP Configuration -----------------------------------------------------------------------------------150 43. Dynamic NAT -----------------------------------------------------------------------------------------154 44. Static PAT ---------------------------------------------------------------------------------------------155 45. Dynamic PAT -----------------------------------------------------------------------------------------159 46. Configure GRE Tunnel ------------------------------------------------------------------------------160 47. AAA configuration ----------------------------------------------------------------------------- 163 48. 
Syslog Server ---------------------------------------------------------------------------------------169 49. SNMPv3 Configurtion ---------------------------------------------------------------------------------173 50. Password Recovery ---------------------------------------------------------------------------------- 175 51. Final Project ----------------------------------------------------------------------------------------177 52. Configure IPv6 -------------------------------------------------------------------------------------- 193 53. Configure IPv6 Static Route ----------------------------------------------------------------------- 196 54. Configure RIPNG on Cisco Router ----------------------------------------------------------------- -199 55. Dual-Stack Example ----------------------------------------------------------------------------------201 56. Site-to-Site VPN Configuration ------------------------------------------------------------------- --203 ============================================================================== Appendix Subnetting----------------------------------------------------------209
  • 5.
    CCNA Routing &Switching v3 LAB Guide 5 Ashish Halder (CCNA RnS, CCNP RnS, CCNA Sec, CCNP Sec, CCIE Sec-written), All rights are reserved LAB 1: CISCO CLI MODE Cisco routers have different configuration modes based on the model. Mainly two modes : EXEC Mode Prompt Typical Use User ccna> Check the router status Privileged ccna # Accessing the router From privileged Mode we enter into the Global Configuration mode with "config ternminal" command. To be access either User Exec or Privileged mode a password is needed if we set password. From Global Configuration Mode (password is not needed here) we can configure interfaces, routing protocols, access lists and many more. Some of the specific configuration modes can be entered from Global Configuration Mode and other from Privileged mode: User Exec Mode ( ">" prompt) : It is used to get statistics from router, see which version IOS you're running, check memory resources and a few more things. Privileged Mode ( "#" prompt): Here you can enable or disable interfaces on the router, get more detailed information on the router, for example, view the running configuration of the router, copy the
  • 6.
    CCNA Routing &Switching v3 LAB Guide 6 Ashish Halder (CCNA RnS, CCNP RnS, CCNA Sec, CCNP Sec, CCIE Sec-written), All rights are reserved configuration, load a new configuration to the router, backup or delete the configuration, backup or delete the IOS and a lot more. Global Configuration Mode ("config# " prompt): It is accessible via Privileged Mode. In this mode we can configure each interface individually, setup banners and passwords, enable secrets (encrypted passwords), enable and configure routing protocols and a lot more. Every time we want to configure or change something on the router, we will need to be in this mode. Examples : Router>------------------------- User Exec Mode Router>enable ----------------- Enter Privileged Mode Router#-------------------------- Privileged Mode Router#disable ---------------- Enter User Exec Mode Router>-------------------------- User Exec Mode Router#conf ig terminal------ Enter Global Configuration Mode Router(config)#----------------- Global Configuration Mode Router(config)#interface fastEthernet 0/0---- Enter Interface Configuration Mode
  • 7.
Router(config-if)#                               Interface Configuration Mode
Router(config)#interface fastEthernet 0/0.10     Enter Sub-Interface Configuration Mode
Router(config-subif)#                            Sub-Interface Configuration Mode
Router(config)#line vty 0 4                      Enter Line Configuration Mode
Router(config-line)#                             Line Configuration Mode

================================================================================
LAB 2. BASIC CONFIGURATION OF ROUTER AND SWITCH

Objective:
1. Configure the Switch (DU) as follows:
   - hostname
   - login banner
   - enable secret for accessing privileged mode
   - console password to protect console login
   - IP address on VLAN 1 (the management VLAN)
   - virtual terminal lines for Telnet sessions
   - default gateway for the switch
2. Configure the Router (BUET) as follows:
   - hostname
   - login banner
   - enable secret for accessing privileged mode
   - IP address on the router interface
   - console password to protect console login
   - virtual terminal lines for Telnet sessions
3. Assign IP addresses to the PCs
4. Save all configurations
5. Verification

Switch - DU Configuration

1. First check the startup-config and running-config to see whether any configuration already exists.
When you type a command in global configuration mode it is stored in the running configuration. The running configuration resides in the device's RAM, so if the device loses power, every configured command is lost. To keep your work you must copy the running configuration into the startup configuration, which is stored in NVRAM and survives a power loss.

Check the startup-config and running-config:
Switch#show startup-config
startup-config is not present
Switch#show running-config

There are two ways to save your configuration:
Switch#copy running-config startup-config
or
Switch#write memory

2. Enter global configuration mode and configure the hostname as DU
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#hostname DU
DU(config)#

3. Assign the password cisco123
The enable password restricts access to privileged mode, which is comparable to a root user's password. It can be set in two ways: with the enable password command or with the enable secret command.
enable secret stores the password as a salted MD5 hash (type 5), so it never appears in clear text. enable password stores it in clear text (type 0), readable by anyone who can view the running-config. The service password-encryption command hides type 0 passwords behind type 7 encoding, but type 7 is a reversible substitution rather than a real cipher and can be decoded by anyone who obtains the configuration. enable secret therefore gives much stronger protection than service password-encryption, and when both are configured the secret takes precedence.

DU(config)#enable secret cisco123

4. Configure a login banner
A message-of-the-day banner is shown to anyone who connects to the device, over the console or remotely, before the login prompt.
DU(config)#banner motd "Unauthorized Users are highly Prohibited to login here"
DU(config)#

5. Console password
We protect the console port of the device with a line password.
DU(config)#line console 0
DU(config-line)#password ashish123
DU(config-line)#login
DU(config-line)#exit
DU(config)#

6. Telnet configuration for remote access
Telnet is a user command and an underlying TCP/IP protocol for accessing remote devices. It sends everything, including the password, in clear text, so it is only acceptable in an isolated lab network; Lab 3 replaces it with SSH. The VTY lines are the virtual terminal lines of the device: virtual in the sense that they are a function of software, with no hardware associated with them. They appear in the configuration as line vty 0 4.
DU#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
DU(config)#line vty 0 4
DU(config-line)#password ashish@123#
DU(config-line)#login
DU(config-line)#exit

7. Configure the management VLAN for remote access to the switch
By default, all switch ports belong to VLAN 1. VLAN 1 carries control-plane traffic and may also carry user traffic, and by default it is the management VLAN, used for management protocols such as Telnet, SNMP and syslog.
DU(config)#interface vlan 1
DU(config-if)#ip address 192.168.10.10 255.255.255.0
DU(config-if)#no shutdown
DU(config-if)#exit
DU(config)#

8. Configure the default gateway for the switch
The switch needs a default gateway if it will be managed remotely from networks that are not directly connected. The default gateway is the first Layer 3 device (such as a router) on the management VLAN's subnet to which the switch connects; the switch forwards IP packets destined outside the local network to it.
DU(config)#ip default-gateway 192.168.10.1
----------------------------------------------------------------------------------------------------------------------------
Router - BUET Configuration

1. First check the startup-config and running-config
Router#show startup-config
startup-config is not present
Router#show running-config

2. Configure the hostname as BUET
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname BUET
BUET(config)#

3. Assign the enable secret cisco123
BUET(config)#enable secret cisco123
BUET(config)#

4. Configure a login banner
BUET(config)#banner motd "Do not try to access here"

5. Console password
BUET(config)#line console 0
BUET(config-line)#password ashish123
BUET(config-line)#login
BUET(config-line)#exit
BUET(config)#
6. Enter the virtual terminal lines and set the password ashish@123# for remote login
BUET(config)#line vty 0 4
BUET(config-line)#password ashish@123#
BUET(config-line)#login
BUET(config-line)#exit
BUET(config)#

7. Configure an IP address on the router's interface
Enter global configuration mode:
BUET#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
BUET(config)#
Enter FastEthernet 0/0 interface configuration mode:
BUET(config)#interface fastEthernet 0/0
BUET(config-if)#
Enter the IP address and subnet mask:
BUET(config-if)#ip address 192.168.10.1 255.255.255.0
By default, all interfaces on a Cisco router are administratively down. To bring an interface up, issue the no shutdown command.
BUET(config-if)#no shutdown
BUET(config-if)#exit
BUET(config)#

8. Save the configuration
BUET#write memory
Building configuration...
[OK]
BUET#
DU#write memory
Building configuration...
[OK]

You can also save the configuration with:
BUET#copy running-config startup-config
Be careful with the order of the arguments: copy writes the first file onto the second, so the reverse command,
BUET#copy startup-config running-config
does not save anything. It applies the saved configuration from NVRAM on top of the running configuration instead.
Your unsaved changes are not written to NVRAM, and the running configuration is overlaid with whatever was last saved.

9. Assign IP addresses to all hosts

10. Now ping all devices from any PC
C:\>ping 192.168.10.2
Pinging 192.168.10.2 with 32 bytes of data:
Reply from 192.168.10.2: bytes=32 time=1ms TTL=128
Reply from 192.168.10.2: bytes=32 time<1ms TTL=128
Reply from 192.168.10.2: bytes=32 time<1ms TTL=128
Reply from 192.168.10.2: bytes=32 time<1ms TTL=128

C:\>ping 192.168.10.3
Pinging 192.168.10.3 with 32 bytes of data:
Reply from 192.168.10.3: bytes=32 time=1ms TTL=128
Reply from 192.168.10.3: bytes=32 time<1ms TTL=128
Reply from 192.168.10.3: bytes=32 time<1ms TTL=128
Reply from 192.168.10.3: bytes=32 time<1ms TTL=128
C:\>ping 192.168.10.1
Pinging 192.168.10.1 with 32 bytes of data:
Reply from 192.168.10.1: bytes=32 time=1ms TTL=255
Reply from 192.168.10.1: bytes=32 time<1ms TTL=255
Reply from 192.168.10.1: bytes=32 time<1ms TTL=255
Reply from 192.168.10.1: bytes=32 time=1ms TTL=255

11. Now log on to the router remotely
C:\>telnet 192.168.10.1
Trying 192.168.10.1 ...Open
Do not try to access here

User Access Verification

Password:
Password:
BUET>

12. Now log on to the switch remotely
C:\>telnet 192.168.10.10
Trying 192.168.10.10 ...Open
Unauthorized Users are highly Prohibited to login here

User Access Verification

Password:
DU>

N.B. If the switch is a Layer 3 switch, you can instead assign the IP address to a physical interface by turning off switching on that port:
DU(config)#interface fastEthernet 0/2
DU(config-if)#no switchport
DU(config-if)#ip address 192.168.10.10 255.255.255.0
DU(config-if)#no shutdown
To let the switch route between its interfaces, also enable IP routing:
DU(config)#ip routing

================================================================================
LAB 3: CONFIGURING SSH ON CISCO SWITCH AND ROUTER
Telnet was designed for use inside a private network, not across a public network where attackers may be listening. All of its data, including passwords, is transmitted in clear text, which is a major security issue: anyone who can sniff the traffic recovers the password and everything typed in the session. SSH was designed to solve this by encrypting the session.

Secure Shell (SSH) is a protocol that provides a secure remote-access connection to network devices. Communication between the client and server is encrypted. The device authenticates itself to clients with an RSA public/private key pair that we generate on the device; the session traffic itself is protected with symmetric ciphers negotiated during the SSH handshake. There are two protocol versions, 1 and 2. Version 2 fixes known weaknesses in version 1 and is the one to use.

Enable SSH on the Cisco Switch

Step 1: Configure the management IP address
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#interface vlan 1
Switch(config-if)#ip address 192.168.10.10 255.255.255.0
Switch(config-if)#no shutdown

Step 2: Configure the default gateway pointing to the router
Switch(config)#ip default-gateway 192.168.10.1

Step 3: Configure the hostname and domain name
The RSA key pair is named after the hostname and domain name of the device, so both must be set before the keys are generated.
Switch(config)#hostname ASHISH-SW
ASHISH-SW(config)#ip domain-name ashish.com

Step 4: Generate the RSA keys
ASHISH-SW(config)#crypto key generate rsa
The name for the keys will be: ASHISH-SW.ashish.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]
ASHISH-SW(config)#
Key sizes of 1024 bits or smaller should be avoided. Larger keys take longer to generate but are far harder to break; use 2048 bits.

Step 5: Force SSH version 2
By default the device runs in compatibility mode (reported as 1.99), which still accepts SSH version 1 clients. Restrict it to version 2:
ASHISH-SW(config)#ip ssh version 2

Step 6: Set up the VTY lines
transport input ssh refuses Telnet on these lines, and login local authenticates against the local user database instead of a shared line password.
ASHISH-SW(config)#line vty 0 4
ASHISH-SW(config-line)#transport input ssh
ASHISH-SW(config-line)#login local

Step 7: Create the username and password
ASHISH-SW(config)#username ashish privilege 15 password cisco123
Note that username ... password stores the password in clear text (or as reversible type 7 once service password-encryption is on). username ashish privilege 15 secret cisco123 stores an MD5 hash instead and is preferable.

Step 8: Create the enable secret
ASHISH-SW(config)#enable secret cisco123

Step 9: Configure the console line
ASHISH-SW(config)#line console 0
ASHISH-SW(config-line)#logging synchronous
ASHISH-SW(config-line)#login local

Step 10: Verify SSH
C:\>ssh -l ashish 192.168.10.10
Password:
ASHISH-SW#conf t
ASHISH-SW(config)#

Enable SSH on the Router (same steps as before)
Router>en
Router#conf t
Router(config)#hostname Venus
Venus(config)#interface fastEthernet 0/0
Venus(config-if)#ip address 192.168.10.1 255.255.255.0
Venus(config-if)#no shutdown
Venus(config-if)#exit
Venus(config)#ip domain-name cisco.com
Venus(config)#username ashish privilege 15 password cisco123
Venus(config)#crypto key generate rsa
The name for the keys will be: Venus.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]
Venus(config)#
*Mar 1 0:34:31.790: %SSH-5-ENABLED: SSH 1.99 has been enabled
The log message shows SSH 1.99: as soon as the keys exist the router accepts both protocol versions, until version 2 is forced on the next line.
Venus(config)#ip ssh version 2
Venus(config)#enable secret cisco
Venus(config)#line console 0
Venus(config-line)#logging synchronous
Venus(config-line)#login local
Venus(config-line)#exit
Venus(config)#line vty 0 4
Venus(config-line)#transport input ssh
Venus(config-line)#login local
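Before verifying the SSH login, it is worth checking the finished configuration for the weaknesses Lab 2 and Lab 3 talk about: a clear-text or type 7 enable password (service password-encryption is reversible), vty lines that still accept Telnet or use a shared line password, and SSH that has not been pinned to version 2. The following Python script is an added example and is not part of the lab guide. It implements the public type 7 encoding (the translation string and XOR scheme IOS uses), then runs a small audit over two constructed running-configs: one in the style of Lab 2 after service password-encryption has rewritten the passwords, and one in the style of Lab 3. The hash values in the hardened sample are placeholders, not real digests.

```python
"""Audit an IOS running-config for the remote-access weaknesses discussed in
Lab 2 and Lab 3. Added example, not from the lab guide: the sample configs are
constructed, and the audit rules are the ones a reviewer applies by hand."""

# Translation string used by IOS type 7 ("service password-encryption").
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(enc: str) -> str:
    """Two-digit seed, then hex bytes each XORed with XLAT[(seed + i) % 53].
    No secret key is involved, so anyone holding the config can reverse it."""
    seed, body = int(enc[:2]), bytes.fromhex(enc[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body)).decode()


def type7_encode(plain: str, seed: int = 8) -> str:
    """Inverse of type7_decode; IOS chooses the seed itself (0-15)."""
    body = bytes(ord(c) ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(plain))
    return f"{seed:02d}{body.hex().upper()}"


def parse_blocks(config: str) -> list:
    """Return (command, [indented sub-commands]) pairs; '!' separators skipped."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def _password_finding(where: str, tokens: list, advice: str) -> str:
    """tokens follow the 'password' keyword: ['7', HEX], ['0', clear] or [clear]."""
    if tokens[0] == "7" and len(tokens) > 1:
        return f"{where}: type 7 password decodes to {type7_decode(tokens[1])!r}; {advice}"
    return f"{where}: password stored in clear text; {advice}"


def audit(config: str) -> list:
    findings = []
    blocks = parse_blocks(config)
    top = [cmd for cmd, _ in blocks]
    for cmd, children in blocks:
        words = cmd.split()
        if cmd.startswith("enable password"):
            findings.append(_password_finding("enable password", words[2:], "use 'enable secret'"))
        elif cmd.startswith("username ") and "password" in words:
            i = words.index("password")
            findings.append(_password_finding(f"username {words[1]}", words[i + 1:],
                                              f"use 'username {words[1]} ... secret'"))
        elif cmd.startswith("line "):
            for child in children:
                if child.startswith("password "):
                    findings.append(_password_finding(cmd, child.split()[1:],
                                                      "use 'login local' with per-user secrets"))
            if cmd.startswith("line vty"):
                transports = [c for c in children if c.startswith("transport input")]
                if not transports or any(t == "transport input all" or "telnet" in t for t in transports):
                    findings.append(f"{cmd}: Telnet accepted; set 'transport input ssh'")
                if "login" in children:
                    findings.append(f"{cmd}: shared line password ('login'); use 'login local'")
    if not any(c.startswith("enable secret") for c in top):
        findings.append("no 'enable secret' configured")
    if "ip ssh version 2" not in top:
        findings.append("'ip ssh version 2' missing: SSH 1.99 still accepts version 1 clients")
    return findings


# Constructed sample: Lab 2 style, after 'service password-encryption' has
# rewritten the passwords as type 7 (both encode "cisco123" / "cisco", seed 08).
WEAK_CONFIG = """\
hostname DU
service password-encryption
enable password 7 0822455D0A16544541
username ashish privilege 15 password 7 0822455D0A16
!
line vty 0 4
 password 7 0822455D0A16544541
 login
 transport input telnet ssh
"""

# Constructed sample: Lab 3 style. The $1$ strings are placeholders, not real hashes.
HARDENED_CONFIG = """\
hostname ASHISH-SW
ip domain-name ashish.com
ip ssh version 2
enable secret 5 $1$SALT$PLACEHOLDERHASHPLACEHOLD
username ashish privilege 15 secret 5 $1$SALT$PLACEHOLDERHASHPLACEHOLD
!
line vty 0 4
 transport input ssh
 login local
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit(cfg))} finding(s)")
        for finding in audit(cfg):
            print("  -", finding)
```

Run it and the weak sample yields seven findings, each type 7 string printed back as the password it hides; the hardened sample yields none. The same audit function can be pointed at the output of show running-config copied from a real device.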
Venus#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Venus#

C:\>ssh -l ashish 192.168.10.1
Password:
Venus#conf t
Venus(config)#

Key Notes:
----------------------------------------------------------------------------
logging synchronous stops log messages from breaking up what you are typing on the console or terminal line: after each message the line you were entering is redisplayed. Without it, for example, the log messages printed while you connect to the router or switch appear in the middle of the login prompt.
---------------------------------------------------------------------------------------------------------------------------------
RSA is an asymmetric (public-key) cryptographic algorithm, used here for the device's SSH host key. Asymmetric means there are two different but related keys: the public key can be given to everyone, while the private key stays on the device and is never copied off it (hence "keys will be non-exportable" above).
============================================================================
LAB 4: BACKUP AND RESTORING CONFIGURATION
Configure a TFTP server (in a physical lab, install a TFTP server on your PC and configure it; the rest of the steps are the same). TFTP has no authentication and no encryption, and the configuration files it carries contain the device passwords, so keep the TFTP server on the management network and protect or delete the backups once they have been copied off.

Verify that the configuration file is saved in NVRAM
Denver#show startup-config
DU#show startup-config

Now back up the configuration file to the TFTP server (from the switch)
Denver#copy startup-config tftp:
Address or name of remote host []? 192.168.10.4      (TFTP server IP)
Destination filename [Denver-confg]?                 (press Enter to keep the default name)
Writing startup-config...!!
[OK - 653 bytes]
653 bytes copied in 0.012 secs (54416 bytes/sec)
Denver#

Now back up the configuration file to the TFTP server (from the router)
DU#copy startup-config tftp:
Address or name of remote host []? 192.168.10.4
Destination filename [DU-confg]?
Writing startup-config...!!
[OK - 1178 bytes]
1178 bytes copied in 0.032 secs (36812 bytes/sec)
DU#

Erase the startup configuration and reload the router and the switch
DU#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
%SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
DU#
DU#reload
Proceed with reload? [confirm]

Denver#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
%SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
Denver#
Denver#reload
Proceed with reload? [confirm]

After the reload both devices come up with no configuration. Configure an IP address on the router and the switch so they can reach the TFTP server again:
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip address 192.168.10.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#interface vlan 1
Switch(config-if)#ip address 192.168.10.10 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch(config)#ip default-gateway 192.168.10.1

Now restore the configuration from the TFTP server to the switch and the router
Switch#copy tftp: running-config
Address or name of remote host []? 192.168.10.4      (TFTP server IP)
Source filename []? Denver-confg                     (backup file name on the TFTP server)
Destination filename [running-config]?               (press Enter)
Denver#write
Building configuration...
[OK]
Denver#

Router#copy tftp: running-config
Address or name of remote host []? 192.168.10.4      (TFTP server IP)
Source filename []? DU-confg                         (backup file name on the TFTP server)
Destination filename [running-config]?               (press Enter)

Copying into running-config merges the file with the current configuration; notice that the prompt changes to the restored hostname. Now save the result to NVRAM:
Denver#write memory
DU#write memory
============================================================================
LAB 5: Configure VLAN, Access and Trunk Port

A Layer 2 switched network is by default a flat network: every device sees every broadcast frame, whether or not it needs it. With VLANs we can split one physical switch into several logical broadcast domains. VLAN means Virtual LAN.
Segmenting into VLANs shrinks each broadcast domain; each VLAN normally corresponds to one IP subnet. VLANs simplify network management in a number of ways:
- A VLAN divides one large broadcast domain into a number of logical subnets.
- To add, move or change a user, the administrator only needs to put the port into the appropriate VLAN.
- A group of users with high security requirements can be placed in their own VLAN, so that users outside it cannot reach them at Layer 2; traffic between VLANs has to pass through a router or Layer 3 switch, where it can be filtered.
- Users can be grouped logically by function, independent of their geographic or physical location.
- Network security is improved by VLAN segmentation.
- The number of broadcast domains increases while the size of each one decreases.

Trunk Ports: Between switches we create a trunk. A trunk is an interface that carries multiple VLANs, with each frame tagged with its VLAN ID.
Access Ports: Carry the traffic of a single VLAN, untagged; generally connected to hosts or servers.

There are two trunking protocols we can use:
1. IEEE 802.1Q: open standard, supported by switches of any vendor.
2. Cisco ISL (Inter-Switch Link): Cisco proprietary, supported only on some older Cisco switches.

On a Cisco switch the native VLAN is VLAN 1 by default. 802.1Q sends frames of the native VLAN untagged, whereas ISL encapsulates every frame, native VLAN included; both ends of an 802.1Q trunk must therefore agree on the native VLAN, or untagged frames end up in different VLANs on each side. By default all switch ports are in VLAN 1.

VLAN information is not saved in the running-config or startup-config but in the separate file vlan.dat in flash memory. To delete the VLAN database, delete that file with the delete flash:vlan.dat command and reload.
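To see what the trunk and native-VLAN rules above mean on the wire, the following Python script builds and parses 802.1Q frames. It is an added example, not part of the lab guide, and it uses constructed MAC addresses and a constructed payload. It shows the 4-byte tag (TPID 0x8100 plus the TCI holding PCP, DEI and the 12-bit VLAN ID) that a trunk inserts after the source MAC, that a native-VLAN frame on an 802.1Q trunk carries no tag at all, and why the receiving trunk must agree on the native VLAN: an untagged frame is simply placed in whatever native VLAN the receiving port has.

```python
"""Build and parse 802.1Q-tagged Ethernet frames. Added example for the VLAN
and trunk section; not from the lab guide. Sample addresses and payload below
are constructed."""
import struct
from typing import Optional

TPID_8021Q = 0x8100    # 802.1Q customer tag
TPID_8021AD = 0x88A8   # 802.1ad service tag; the parser accepts stacked tags
ETHERTYPE_IPV4 = 0x0800


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst: str, src: str, payload: bytes, vid: Optional[int] = None,
                pcp: int = 0, ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """vid=None builds an untagged frame, which is what 802.1Q sends for the
    native VLAN; any VID 1-4094 inserts a tag. The DEI bit is left at 0."""
    frame = _mac(dst) + _mac(src)
    if vid is not None:
        if not 1 <= vid <= 4094 or not 0 <= pcp <= 7:
            raise ValueError("VID must be 1-4094 and PCP 0-7")
        frame += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Walk any number of stacked tags and return the fields a switch looks at."""
    off, tags = 12, []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, off)
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        off += 4
    return {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
            "tags": tags, "ethertype": ethertype, "payload": frame[off + 2:]}


def ingress_vlan(frame: bytes, native_vlan: int = 1) -> int:
    """VLAN an 802.1Q trunk port assigns to a received frame: the outer tag's
    VID if present, otherwise the port's own native VLAN. If the two ends of a
    trunk disagree on the native VLAN, untagged traffic silently changes VLAN."""
    tags = parse_frame(frame)["tags"]
    return tags[0]["vid"] if tags else native_vlan


# Constructed stand-in for an IPv4 packet (version/IHL byte first).
SAMPLE_PAYLOAD = bytes.fromhex("45000014000000004001") + b"\x00" * 10

if __name__ == "__main__":
    tagged = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", SAMPLE_PAYLOAD, vid=10, pcp=5)
    untagged = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", SAMPLE_PAYLOAD)
    print(parse_frame(tagged)["tags"])        # [{'tpid': 33024, 'pcp': 5, 'dei': 0, 'vid': 10}]
    print(len(tagged) - len(untagged))        # 4: the size of one 802.1Q tag
    print(ingress_vlan(untagged, 1), ingress_vlan(untagged, 99))   # 1 99
```

The last line is the native-VLAN mismatch in miniature: the same untagged frame lands in VLAN 1 on one switch and in VLAN 99 on a switch whose trunk native VLAN is 99.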
Objective
1. Basic configuration of the switches
2. Create VLANs
3. Configure trunk ports
4. Configure access ports
5. Assign IP addresses to hosts
6. Verification

Data sheet (the same VLANs and port ranges on both switches, DU and BUET)
VLAN ID   VLAN Name   Ports           Subnet
10        Cisco       F0/1 - F0/9     192.168.10.0/24
20        Solaris     F0/10 - F0/20   172.16.20.0/24

1. Basic configuration of the switches
Switch(config)#hostname DU
DU(config)#enable secret cisco
DU(config)#line console 0
DU(config-line)#password cisco
DU(config-line)#login
DU(config-line)#exit
Switch(config)#hostname BUET
BUET(config)#enable secret cisco
BUET(config)#line console 0
BUET(config-line)#password cisco
BUET(config-line)#login
BUET(config-line)#exit

2. Create VLANs
DU(config)#vlan 10
DU(config-vlan)#name cisco
DU(config-vlan)#exit
DU(config)#vlan 20
DU(config-vlan)#name solaris
DU(config-vlan)#exit
DU(config)#

BUET(config)#vlan 10
BUET(config-vlan)#name cisco
BUET(config-vlan)#exit
BUET(config)#vlan 20
BUET(config-vlan)#name solaris
BUET(config-vlan)#exit
BUET(config)#

3. Configure trunk ports
DU(config)#interface gigabitEthernet 0/1
DU(config-if)#switchport mode trunk
DU(config-if)#no shutdown
DU(config-if)#exit

BUET(config)#interface gigabitEthernet 0/1
BUET(config-if)#switchport mode trunk
BUET(config-if)#no shutdown

DU#show interfaces gigabitEthernet 0/1 switchport
Name: Gig0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false

4. Configure access ports
BUET#conf t
BUET(config)#interface range fastEthernet 0/1 - 9
BUET(config-if-range)#switchport mode access
BUET(config-if-range)#switchport access vlan 10
BUET(config-if-range)#exit
BUET(config)#interface range fastEthernet 0/10 - 20
BUET(config-if-range)#switchport mode access
BUET(config-if-range)#switchport access vlan 20
BUET(config-if-range)#exit
BUET(config)#exit
BUET#

DU#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
DU(config)#interface range fastEthernet 0/1 - 9
DU(config-if-range)#switchport mode access
DU(config-if-range)#switchport access vlan 10
DU(config-if-range)#exit
DU(config)#interface range fastEthernet 0/10 - 20
DU(config-if-range)#switchport mode access
DU(config-if-range)#switchport access vlan 20
DU(config-if-range)#end
DU#

5. Assign IP addresses to hosts
Ping within the same VLAN: PC0 to PC2
C:\>ping 192.168.10.3
Pinging 192.168.10.3 with 32 bytes of data:
Reply from 192.168.10.3: bytes=32 time=11ms TTL=128
Reply from 192.168.10.3: bytes=32 time<1ms TTL=128
Reply from 192.168.10.3: bytes=32 time<1ms TTL=128
Reply from 192.168.10.3: bytes=32 time<1ms TTL=128

PC1 to PC3
C:\>ping 172.16.20.3
Pinging 172.16.20.3 with 32 bytes of data:
Reply from 172.16.20.3: bytes=32 time=11ms TTL=128
Reply from 172.16.20.3: bytes=32 time<1ms TTL=128
Reply from 172.16.20.3: bytes=32 time<1ms TTL=128
Reply from 172.16.20.3: bytes=32 time=1ms TTL=128

Ping to a different VLAN: PC1 to PC0
C:\>ping 192.168.10.2
Pinging 192.168.10.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Hosts in different VLANs cannot reach each other: each VLAN is its own broadcast domain and subnet, and no router or Layer 3 switch is routing between them yet (see Lab 8).
LAB 6: VTP Configuration

VTP (VLAN Trunking Protocol) is a Cisco proprietary protocol used by Cisco switches to exchange VLAN information over trunk links. VTP replicates the VLANs configured on a server to all participating switches.

Consider a network with 50 switches. Without VTP, to create a VLAN on every switch you would have to enter the commands on each switch by hand. With VTP you create the VLAN on one switch only; that switch propagates the VLAN to every other switch in the same VTP domain, which then create it too. If you want to delete a VLAN, you delete it on one switch and the change is automatically propagated to every other switch in the domain.

Cisco switches can be configured in one of three VTP modes:
- Server
- Client
- Transparent

Server mode is the default. Client mode takes its VLAN configuration from a server; VLANs cannot be created, changed or deleted locally on a client. Switches in Transparent mode never update their own VLAN database from advertisements; they forward the advertisements they receive to other switches, and VLANs are configured on them locally just as on a server.

Be careful when a switch is introduced with a higher VTP configuration revision number than the rest of the switches in the domain. Both clients and servers in the same domain (with the same password, if one is set) accept the advertisement with the higher revision and replace their own VLAN database with whatever that switch carries, deleting your current VLANs; ports assigned to a deleted VLAN go inactive. Before connecting a used switch to a production network, put it in Transparent mode (which resets its revision number to 0) or change its VTP domain name. You can also leave VTP unconfigured, or run every switch in Transparent mode, to avoid this situation entirely.
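The revision-number caveat above is easier to reason about with a small model of the rule a switch applies to an incoming summary advertisement. The following Python script is an added example, not from the lab guide and not a VTP packet implementation: it only reproduces the decision rule (domain must match, the password-derived digest must match, a higher configuration revision replaces the local VLAN database, transparent mode forwards but never applies). The switch names, domain and password are the ones used in this lab; the digest function is a stand-in for VTP's MD5 over the password and advertised contents.

```python
"""Model of the VTP advertisement decision rule. Added example, not from the
lab guide; it simulates the rule, not the protocol on the wire."""
from dataclasses import dataclass, field
import hashlib


def digest(password: str, revision: int, vlans: dict) -> str:
    """Stand-in for the MD5 digest VTP computes over the password and the
    advertised contents; a wrong password produces a different digest."""
    return hashlib.md5(f"{password}|{revision}|{sorted(vlans.items())}".encode()).hexdigest()


@dataclass
class VtpSwitch:
    name: str
    domain: str
    mode: str = "server"            # server | client | transparent
    password: str = ""
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def add_vlan(self, vid: int, name: str) -> None:
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VTP clients cannot create VLANs")
        self.vlans[vid] = name
        if self.mode == "server":   # transparent changes are local and bump nothing
            self.revision += 1

    def advertisement(self) -> dict:
        return {"domain": self.domain, "revision": self.revision,
                "vlans": dict(self.vlans),
                "digest": digest(self.password, self.revision, self.vlans)}

    def receive(self, adv: dict) -> str:
        if adv["domain"] != self.domain:
            return "ignored: domain mismatch"
        if self.mode == "transparent":
            return "forwarded: transparent mode does not apply updates"
        if adv["digest"] != digest(self.password, adv["revision"], adv["vlans"]):
            return "ignored: password digest mismatch"
        if adv["revision"] <= self.revision:
            return "ignored: revision not newer"
        self.vlans, self.revision = dict(adv["vlans"]), adv["revision"]
        return f"applied: revision {self.revision}"

    def reset_revision(self) -> None:
        """IOS resets the configuration revision to 0 when the switch is put in
        transparent mode (or its domain name is changed); do this before
        cabling a previously used switch into a production VTP domain."""
        self.mode, self.revision = "transparent", 0


def scenario() -> dict:
    """Server DU and client BUET from the lab, then two unwanted newcomers."""
    du = VtpSwitch("DU", "cisco.com", "server", "cisco")
    buet = VtpSwitch("BUET", "cisco.com", "client", "cisco")
    du.add_vlan(100, "CISCO")
    du.add_vlan(200, "SOLARIS")
    out = {"learned": buet.receive(du.advertisement()), "client_vlans": sorted(buet.vlans)}
    # Wrong password: same domain, higher revision, but the digest does not match.
    rogue = VtpSwitch("ROGUE", "cisco.com", "server", "wrong", revision=99)
    out["rogue"] = buet.receive(rogue.advertisement())
    # Recycled lab switch: right domain and password, stale VLAN list, but a
    # higher revision because it was reconfigured many times elsewhere.
    stale = VtpSwitch("OLDLAB", "cisco.com", "server", "cisco", revision=20)
    out["wiped_client"] = buet.receive(stale.advertisement())
    out["wiped_server"] = du.receive(stale.advertisement())   # servers accept it too
    out["client_vlans_after"] = sorted(buet.vlans)
    # The same recycled switch with its revision reset first is harmless.
    stale2 = VtpSwitch("OLDLAB", "cisco.com", "server", "cisco", revision=20)
    stale2.reset_revision()
    stale2.mode = "client"          # revision stays 0 after leaving transparent mode
    victim = VtpSwitch("BUET2", "cisco.com", "client", "cisco", revision=2,
                       vlans={1: "default", 100: "CISCO", 200: "SOLARIS"})
    out["reset_ignored"] = victim.receive(stale2.advertisement())
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key:>20}: {value}")
```

The scenario output shows the three outcomes the text describes: the client learns VLAN 100 and 200 at revision 2, a switch with the wrong password is ignored, and a switch with the right password but revision 20 wipes both the client and the server down to VLAN 1 alone, unless its revision was reset first.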
Objective:
1. Create the VTP server and VTP client
2. Configure the trunk port
3. Create VLANs on the server
4. Verify

1. Create the VTP server and VTP client
Switch(config)#hostname SERVER
SERVER(config)#vtp domain cisco.com
SERVER(config)#vtp mode server
SERVER(config)#vtp password cisco
SERVER(config)#vtp version 2
SERVER(config)#

Switch(config)#hostname Client
Client(config)#vtp domain cisco.com
Client(config)#vtp version 2
Client(config)#vtp mode client
Client(config)#vtp password cisco

NOTES
- The VTP domain name must match on every switch and is case sensitive.
- If a password is set, it must be the same on both sides. The password itself is not sent; it goes into the MD5 digest of each advertisement, so a switch with the wrong password discards the update.
- Every switch in the VTP domain must use the same VTP version. VTP version 1 and version 2 are not compatible on switches in the same domain; VTP version 3 can interoperate with version 2 switches.

2. Configure the trunk port
SERVER(config)#interface gigabitEthernet 0/1
SERVER(config-if)#switchport mode trunk
SERVER(config-if)#no shut

Client(config)#interface gigabitEthernet 0/1
Client(config-if)#switchport mode trunk
Client(config-if)#no shut

3. Create VLANs on the server only
SERVER(config)#vlan 100
SERVER(config-vlan)#name cisco
SERVER(config-vlan)#exit
SERVER(config)#vlan 200
SERVER(config-vlan)#name solaris
SERVER(config-vlan)#end

4. Verify that the VLANs are propagated to the client switch
Client#show vlan brief
VLAN 100 and VLAN 200, which were created only on the server switch, now appear in the client's VLAN list.

Other verification commands for VTP
SERVER#show vtp status
Client#show vtp status
show vtp status displays the VTP mode, the domain name and the configuration revision number. The revision number should be the same on the server and the client; if the client's is lower, it has not received the server's latest update (check the trunk, domain name, password and version).

LAB 7: ETHERCHANNEL Configuration
- EtherChannel is a link aggregation technology (a port-channel) that bundles multiple physical links into a single logical link.
- EtherChannel improves redundancy: if one member link fails, traffic continues over the remaining links.
- It increases the bandwidth of the connection, because the member links are used in parallel (frames are distributed over them by a hash of addresses).
- STP treats the bundle as a single link, so none of the aggregated links is blocked.

Link aggregation is very common and is usually seen in the following scenarios:
- Switch-to-switch connectivity in an access block (non-stackable switches)
- Access switch connectivity to distribution switches
- Server connectivity to the data center LAN fabric

To create an EtherChannel you must make sure that all member ports have the same configuration:
- the same duplex
- the same speed
- the same native and allowed VLANs
- the same switchport mode (access or trunk)

There is a maximum of 8 active physical interfaces per EtherChannel.

There are two negotiation protocols to choose from:
PAgP - Port Aggregation Protocol
- Developed by Cisco (proprietary)
- Port modes are auto or desirable
LACP - Link Aggregation Control Protocol
- Open standard, defined in IEEE 802.3ad (now maintained as IEEE 802.1AX)
- Port modes are passive or active. Passive is the equivalent of PAgP auto, and active is the equivalent of PAgP desirable.

S1(config)#interface range fastEthernet 0/7 - 12
S1(config-if-range)#channel-group 1 mode desirable
or
S1(config-if-range)#channel-group 1 mode active

With desirable the switch actively negotiates a PAgP link (Cisco proprietary EtherChannel); with active it actively negotiates an LACP link (open-standard EtherChannel). At least one side must be in the active or desirable mode: two passive or two auto ports never form a channel, and PAgP on one side cannot negotiate with LACP on the other.

To verify the configuration, use show etherchannel summary.

Objective
1. Create the EtherChannel
2. Configure the trunk
3. Verification

Create the EtherChannel
Switch(config)#hostname DU
DU(config)#interface range gigabitEthernet 0/1 - 2
DU(config-if-range)#channel-group 1 mode active
Creating a port-channel interface Port-channel 1
DU(config-if-range)#exit

Switch(config)#hostname ASHISH
ASHISH(config)#interface range gigabitEthernet 0/1 - 2
ASHISH(config-if-range)#channel-group 1 mode passive
ASHISH(config-if-range)#

Configure the trunk
DU(config)#interface port-channel 1
DU(config-if)#switchport mode trunk
DU(config-if)#no shutdown

ASHISH(config)#interface port-channel 1
ASHISH(config-if)#switchport mode trunk
ASHISH(config-if)#no shutdown

Verification
DU#show etherchannel summary
ASHISH#show etherchannel summary
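Reading the flags in show etherchannel summary by eye is fine for two switches; for more it helps to have a script that parses the output and says whether each bundle is healthy. The following Python script is an added example, not from the lab guide. The two sample outputs are constructed in the standard IOS layout: one is the healthy bundle from this lab (Po1 with flags SU, protocol LACP, both members P), the other has a port-channel built with mode on that is down and a second port-channel with one member suspended, which is what an LACP mode mismatch on the peer typically looks like. The flag letters are the ones IOS prints in the legend above the table.

```python
"""Parse 'show etherchannel summary' and report whether each bundle is healthy.
Added example, not from the lab guide; sample outputs are constructed.
Flags: S/R = Layer 2/Layer 3, U = in use, D = down, P = bundled, I = stand-alone,
s = suspended, w = waiting, H = hot-standby, f/u/M = failed/unsuitable/min-links."""
import re

ROW = re.compile(r"^\s*(\d+)\s+(Po\d+)\(([A-Za-z]+)\)\s+(\S+)(?:\s+(.*))?$")
MEMBER = re.compile(r"([A-Za-z]+\d+(?:/\d+)+)\(([A-Za-z]+)\)")


def parse_summary(text: str) -> list:
    """One dict per port-channel; member ports wrapped onto continuation lines
    are attached to the preceding row."""
    bundles = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            group, po, flags, proto, rest = m.groups()
            bundles.append({"group": int(group), "port_channel": po, "flags": flags,
                            "protocol": proto, "members": []})
            rest = rest or ""
        elif bundles and MEMBER.search(line):
            rest = line
        else:
            continue
        bundles[-1]["members"] += [{"port": p, "flags": f} for p, f in MEMBER.findall(rest)]
    return bundles


def check_bundle(b: dict) -> list:
    """Empty list means the bundle is up and every member is forwarding in it."""
    po, problems = b["port_channel"], []
    if "U" not in b["flags"]:
        problems.append(f"{po} not in use (flags {b['flags']})")
    if not ("S" in b["flags"] or "R" in b["flags"]):
        problems.append(f"{po} is neither Layer 2 nor Layer 3 (flags {b['flags']})")
    if b["protocol"] == "-":
        problems.append(f"{po} uses mode on (no PAgP/LACP): a peer misconfiguration is never detected")
    if not b["members"]:
        problems.append(f"{po} has no member ports")
    for m in b["members"]:
        if "P" not in m["flags"]:
            problems.append(f"{m['port']} not bundled in {po} (flag {m['flags']})")
    return problems


# Constructed sample in the IOS output format: the healthy case from the lab.
SUMMARY_OK = """\
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         LACP      Fa0/1(P)    Fa0/2(P)
"""

# Constructed sample with two faults: Po1 built with 'mode on' and down,
# Po2 with one member suspended (typical of an LACP mode mismatch on the peer).
SUMMARY_BAD = """\
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SD)          -        Fa0/1(D)    Fa0/2(D)
2      Po2(SU)         LACP      Gi0/1(P)    Gi0/2(s)
"""

if __name__ == "__main__":
    for text in (SUMMARY_OK, SUMMARY_BAD):
        for bundle in parse_summary(text):
            print(bundle["port_channel"], check_bundle(bundle) or "OK")
```

Paste the real output of show etherchannel summary from DU and ASHISH into the script in place of the samples; a bundle passes only when the port-channel shows SU (or RU), a negotiation protocol is listed, and every member port is flagged P.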
In the show etherchannel summary output:
Po1 = Port-channel 1; the channel-group number must be the same on both switches
S = capital S means a Layer 2 port-channel
U = in use
LACP = the EtherChannel protocol in use
P = the port is bundled in the port-channel
If these flags appear, your configuration is correct.

LAB 8. VLAN, VTP, Etherchannel and Inter-VLAN Routing configuration

Inter-VLAN Routing
In the previous labs we could only communicate within the same VLAN, for example between PCs in VLAN 10 or between PCs in VLAN 20. Each VLAN is a separate broadcast domain and subnet, so traffic between VLANs must be routed, and for that we need a Layer 3 switch or a router. Here we use a router.

SWITCH   VLAN ID   VLAN NAME   SWITCH PORTS   SUBNET
DU       100       CISCO       F0/3 - 15      192.168.100.0/24
         200       SOLARIS     F0/16 - 21     172.16.200.0/24
BUET     100       CISCO       F0/6 - 10      192.168.100.0/24
         200       SOLARIS     F0/14 - 20     172.16.200.0/24
OBJECTIVE:
1. BASIC CONFIGURATION OF SWITCH AND ROUTER
2. ETHER-CHANNEL & TRUNK PORT CONFIGURATION
3. VTP CONFIGURATION
4. CONFIGURATION OF VLAN
5. VERIFY VTP, TRUNK PORTS AND ETHERCHANNEL CONFIGURATION
6. CONFIGURE ACCESS-PORTS
7. CONFIGURE IP TO HOSTS
8. VERIFICATION
9. CONFIGURE INTER-VLAN ROUTING
10. VERIFY CONFIGURATION

BASIC CONFIGURATION OF SWITCH AND ROUTER
==========================================
Switch>en
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#hostname DU
DU(config)#banner motd "Do not try to login my Switch"
DU(config)#enable secret cisco123
DU(config)#line console 0
DU(config-line)#password cisco123
DU(config-line)#login
DU(config-line)#exit
========================================
Switch#conf t
Switch(config)#hostname BUET
BUET(config)#banner motd "This is the switch of BUET"
BUET(config)#enable secret cisco123
BUET(config)#line console 0
BUET(config-line)#password cisco123
BUET(config-line)#login
BUET(config-line)#end
BUET#
=====================================================
Router>en
Router#conf t
    CCNA Routing &Switching v3 LAB Guide 35 Ashish Halder (CCNA RnS, CCNP RnS, CCNA Sec, CCNP Sec, CCIE Sec-written), All rights are reserved Router(config)#hostname DENVER DENVER(config)#enable secret cisco123 DENVER(config)#banner motd "This Router belongs to VENUS TELECOM LTD" DENVER(config)#line console 0 DENVER(config-line)#password cisco123 DENVER(config-line)#login DENVER(config-line)#end ETHER-CHANNEL & TRUNK PORT CONFIGUARTION DU(config)#interface range fastEthernet 0/1 - 2 DU(config-if-range)#channel-group 1 mode active DU(config-if-range)#no shutdown DU(config-if-range)#exit TRUNK PORT CONFIGUARTION DU(config)#interface port-channel 1 DU(config-if)#sw DU(config-if)#switchport mo DU(config-if)#switchport mode trunk DU(config-if)#no shutdown ==================================================== BUET(config)#interface range fastEthernet 0/1 - 2 BUET(config-if-range)#channel-group 1 mode passive BUET(config-if-range)#no shutdown BUET(config-if-range)#exit TRUNK PORT CONFIGUARTION BUET(config)#interface port-channel 1 BUET(config-if)#switchport mode trunk BUET(config-if)#no shutdown ' VTP CONFIGURATION DU(config)#vtp domain cisco.com DU(config)#vtp mode server DU(config)#vtp version 2 DU(config)#vtp password cisco DU(config)#exit
BUET(config)#vtp domain cisco.com
BUET(config)#vtp mode client
BUET(config)#vtp version 2
BUET(config)#vtp password cisco
BUET(config)#

CONFIGURATION OF VLAN
DU(config)#vlan 100
DU(config-vlan)#name CISCO
DU(config-vlan)#exit
DU(config)#vlan 200
DU(config-vlan)#name SOLARIS
DU(config-vlan)#exit

VERIFY
==========
DU#show etherchannel summary
Group  Port-channel  Protocol    Ports
------+-------------+-----------+------
1      Po1(SU)       LACP        Fa0/1(P) Fa0/2(P)
DU#

CONFIGURE ACCESS-PORTS
DU#conf t
DU(config)#interface range fastEthernet 0/3 - 15
DU(config-if-range)#switchport mode access
DU(config-if-range)#switchport access vlan 100
DU(config-if-range)#exit
DU(config)#interface range fastEthernet 0/16 - 21
DU(config-if-range)#switchport mode access
DU(config-if-range)#switchport access vlan 200
DU(config-if-range)#exit

BUET(config)#interface range fastEthernet 0/6 - 10
BUET(config-if-range)#switchport mode access
BUET(config-if-range)#switchport access vlan 100
BUET(config-if-range)#exit
BUET(config)#interface range fastEthernet 0/14 - 20
BUET(config-if-range)#switchport mode access
BUET(config-if-range)#switchport access vlan 200
BUET(config-if-range)#end
BUET#

CONFIGURE IP TO HOSTS
Verify ping to the same VLAN
C:>ping 192.168.100.3
Pinging 192.168.100.3 with 32 bytes of data:
Reply from 192.168.100.3: bytes=32 time=1ms TTL=128
Reply from 192.168.100.3: bytes=32 time=1ms TTL=128
Reply from 192.168.100.3: bytes=32 time<1ms TTL=128
Reply from 192.168.100.3: bytes=32 time<1ms TTL=128

C:>ping 172.16.200.3
Pinging 172.16.200.3 with 32 bytes of data:
Reply from 172.16.200.3: bytes=32 time=12ms TTL=128
Reply from 172.16.200.3: bytes=32 time=1ms TTL=128
Reply from 172.16.200.3: bytes=32 time=1ms TTL=128
Reply from 172.16.200.3: bytes=32 time<1ms TTL=128

PING to a different VLAN
C:>ping 192.168.100.2
Pinging 192.168.100.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Not successful, right? So we will now configure Inter-VLAN routing to reach the other VLAN.

CONFIGURE INTER-VLAN ROUTING
BUET#conf t
BUET(config)#interface gigabitEthernet 0/1
BUET(config-if)#no shutdown
BUET(config-if)#switchport mode trunk
BUET(config-if)#exit

DENVER#conf t
DENVER(config)#interface fastEthernet 0/0
DENVER(config-if)#no shutdown
DENVER(config-if)#exit
DENVER(config)#interface fastEthernet 0/0.100
DENVER(config-subif)#encapsulation dot1Q 100
DENVER(config-subif)#ip address 192.168.100.1 255.255.255.0
DENVER(config-subif)#no shutdown
DENVER(config-subif)#exit
DENVER(config)#interface fastEthernet 0/0.200
DENVER(config-subif)#encapsulation dot1Q 200
DENVER(config-subif)#ip address 172.16.200.1 255.255.255.0
DENVER(config-subif)#no shutdown
DENVER(config-subif)#exit

Here we have created two sub-interfaces, 0/0.100 and 0/0.200, one for each VLAN; each uses dot1Q (802.1Q) encapsulation with the matching VLAN tag.

Verify
Now ping to the different VLAN
C:>ping 172.16.200.2
Pinging 172.16.200.2 with 32 bytes of data:
Reply from 172.16.200.2: bytes=32 time=1ms TTL=127
Reply from 172.16.200.2: bytes=32 time=12ms TTL=127
Reply from 172.16.200.2: bytes=32 time=11ms TTL=127
Reply from 172.16.200.2: bytes=32 time=10ms TTL=127

C:>ping 192.168.100.2
Pinging 192.168.100.2 with 32 bytes of data:
Reply from 192.168.100.2: bytes=32 time=11ms TTL=127
Reply from 192.168.100.2: bytes=32 time=11ms TTL=127
Reply from 192.168.100.2: bytes=32 time=1ms TTL=127
Reply from 192.168.100.2: bytes=32 time=10ms TTL=127
====================================================================

TELNET ACCESS to Switch
======================
VTP SERVER
============
DU#conf t
DU(config)#vlan 99
DU(config-vlan)#name admin
DU(config-vlan)#exit
DU(config)#vlan 199
DU(config-vlan)#name admin2
DU(config)#interface fastEthernet 0/23
DU(config-if)#switchport mode access
DU(config-if)#switchport access vlan 99
DU(config-if)#exit
DU(config)#interface vlan 99
DU(config-if)#ip address 192.168.10.1 255.255.255.0
DU(config-if)#no shutdown
DU(config-if)#exit

Telnet Configuration
DU(config)#line vty 0 4
DU(config-line)#password cisco123
DU(config-line)#login
DU(config-line)#exit
BUET(config)#interface fastEthernet 0/23
BUET(config-if)#switchport mode access
BUET(config-if)#switchport access vlan 199
BUET(config-if)#exit
BUET(config)#interface vlan 199
BUET(config-if)#ip address 192.168.20.1 255.255.255.0
BUET(config-if)#no shutdown

Telnet Configuration
BUET(config)#line vty 0 4
BUET(config-line)#password cisco123
BUET(config-line)#login
BUET(config-line)#exit

DENVER(config)#line vty 0 4
DENVER(config-line)#password cisco123
DENVER(config-line)#login
DENVER(config-line)#exit
DENVER(config)#interface fastEthernet 0/0.99
DENVER(config-subif)#encapsulation dot1Q 99
DENVER(config-subif)#ip address 192.168.10.1 255.255.255.0
DENVER(config-subif)#no shutdown

DENVER#ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/2/8 ms

DENVER#telnet 192.168.10.1
Trying 192.168.10.1 ...Open
This Router belongs to VENUS TELECOM LTD
User Access Verification
Password:
% Password: timeout expired!
[Connection to 192.168.10.1 closed by foreign host]
==============================================================
DENVER#conf t
DENVER(config)#interface fastEthernet 0/0.199
DENVER(config-subif)#encapsulation dot1Q 199
DENVER(config-subif)#ip address 192.168.20.1 255.255.255.0
DENVER(config-subif)#no shutdown
DENVER(config-subif)#exit
DENVER(config)#end
=======================================================
DENVER#ping 192.168.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/3/9 ms

DENVER#telnet 192.168.20.1
Trying 192.168.10.1 ...Open
This Router belongs to VENUS TELECOM LTD
User Access Verification
Password:

LAB 9 : Inter-Vlan Routing Configuration on L3 Switch

SVI - Switched Virtual Interface. There is no physical interface for the VLAN, hence it is virtual. The technique is: assign an IP address to each VLAN interface (for example, interface vlan 10), then issue the "ip routing" command in global configuration mode. Generally, routers do the routing between different broadcast domains, that is, different VLANs; with SVIs the switch itself can route between its VLANs. Example switch models that support layer 3 routing are the 3550, 3750, 3560, etc.
Our Tasks (all configuration is only on the L3 switch here)
1. Creating vlan 10 and vlan 20
2. Naming these two vlans: vlan 10 = cisco, vlan 20 = solaris
3. Configuration of Access ports
4. Assigning IP to Hosts
5. Assigning IP to Vlan Interface
6. Verification

CREATE VLAN
Switch#conf t
Switch(config)#vlan 10
Switch(config-vlan)#name cisco
Switch(config-vlan)#exit
Switch(config)#vlan 20
Switch(config-vlan)#name solaris
Switch(config-vlan)#exit

ACCESS-PORT CONFIGURATION
Switch(config)#interface range fastEthernet 0/3 - 9
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 10
Switch(config-if-range)#exit
Switch(config)#interface range fastEthernet 0/10 - 15
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 20
Switch(config-if-range)#exit

ASSIGN IP TO VLAN INTERFACE
Switch(config)#interface vlan 10
Switch(config-if)#ip address 192.168.10.1 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch(config)#interface vlan 20
Switch(config-if)#ip address 192.168.20.1 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit

ENABLE ROUTING
Switch(config)#ip routing
Switch(config)#exit

ASSIGN IP TO HOSTS
VERIFICATION
Ping to a different vlan

LAB 10 : Port Security

Port Security
Anyone can access unsecured network resources by plugging a laptop into one of our available switch ports, and can also move to another physical location in the LAN without telling the admin. Layer two access can be secured by using port security.

First, in our LAB we will plug in one PC; the other PC will remain unplugged, as shown in the figure:
Assign IP to hosts

Switch(config)#interface fastEthernet 0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 1
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation shutdown
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#exit

Port security is disabled by default; the switchport port-security command enables it. According to our requirements we can limit the hosts that can be associated with an interface. We can set this limit anywhere from 1 to 132; the maximum number of devices that can be associated with the interface is 132, and by default it is set to 1. The switchport port-security maximum value command sets the maximum number of hosts.

We have two options, static and dynamic, to associate a MAC address with an interface. In the static method we have to manually define the exact host MAC address with the switchport port-security mac-address MAC_address command.
In dynamic mode we use the sticky feature, which allows the interface to learn the MAC address automatically.

We need to specify what action it should take on a security violation. Three possible modes are available:

Protect: This mode only works with the sticky option. In this mode frames from a non-allowed address are dropped.
Restrict: In restrict mode frames from a non-allowed address are dropped, but in this mode the switch also makes a log entry and generates a security violation alert.
Shutdown: In this mode the switch generates the violation alert and disables the port. The only way to re-enable the port is to manually enter the no shutdown command. This is the default violation mode.

Switchport port security explained

Command                                                         Description
Switch>enable                                                   Move to privileged exec mode
Switch#configure terminal                                       Move to global configuration mode
Switch(config)#interface fastethernet 0/1                       Move to interface mode
Switch(config-if)#switchport mode access                        Assign the port as a host port
Switch(config-if)#switchport port-security                      Enable the port security feature on this port
Switch(config-if)#switchport port-security maximum 1            Set the limit for hosts that can be associated with
                                                                the interface. Default value is 1. Skip this command
                                                                to use the default value.
Switch(config-if)#switchport port-security violation shutdown   Set the security violation mode. Default mode is
                                                                shutdown. Skip this command to use the default mode.
Switch(config-if)#switchport port-security mac-address sticky   Enable the sticky feature.
We have secured the F0/1 port of the switch using the dynamic address learning feature. The switch will remember the first MAC address learned on interface F0/1 and bind it to this port.

We can check the MAC address table for the currently associated address: no MAC address is associated with the F0/1 port yet. The switch learns MAC addresses from incoming frames, so we need to generate a frame from PC0 that will be received on the F0/1 port of the switch. We can use ping from PC0 to the Server to generate such frames.

The switch learns this address dynamically, but it is shown as STATIC: the sticky option automatically converts a dynamically learned address into a static address.
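The learning and violation behaviour described in this lab, written out as a small model (an added example, not IOS code and not from the original guide): one secure address per port, sticky conversion to a static entry, and the three violation modes. The MAC addresses and the log text are constructed for the example.

```python
"""Model of the port-security behaviour Lab 10 configures on F0/1: maximum 1,
sticky learning, and the protect / restrict / shutdown violation modes.
Added example (not IOS code); the MAC addresses used below are made up."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class SecurePort:
    name: str
    maximum: int = 1              # switchport port-security maximum 1
    violation: str = "shutdown"   # switchport port-security violation {protect|restrict|shutdown}
    sticky: bool = True           # switchport port-security mac-address sticky
    secure_macs: Dict[str, str] = field(default_factory=dict)  # mac -> "static" / "dynamic"
    status: str = "secure-up"     # "secure-shutdown" once the port is err-disabled
    violation_count: int = 0
    last_source: Optional[str] = None
    log: List[str] = field(default_factory=list)

    def receive(self, src_mac: str) -> str:
        """Process a frame whose source MAC is src_mac; return the action taken."""
        src_mac = src_mac.lower()
        if self.status == "secure-shutdown":
            return "dropped (port err-disabled)"
        self.last_source = src_mac
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            # First address seen is learned; with sticky it is kept as a
            # static secure address (why the lab's MAC table shows STATIC).
            self.secure_macs[src_mac] = "static" if self.sticky else "dynamic"
            return "forwarded (learned)"
        # Limit reached and the address is not allowed: a security violation.
        self.violation_count += 1
        if self.violation == "protect":
            return "dropped"                  # silently dropped, nothing logged
        # Model of the alert/log entry; not the literal IOS syslog text.
        self.log.append(f"violation on {self.name} caused by {src_mac}")
        if self.violation == "restrict":
            return "dropped (logged)"
        # shutdown mode: the port stays err-disabled until an administrator
        # enters 'shutdown' and then 'no shutdown' on the interface.
        self.status = "secure-shutdown"
        return "dropped (port err-disabled)"

    def recover(self) -> None:
        """'shutdown' followed by 'no shutdown' on the interface."""
        self.status = "secure-up"

    def show(self) -> dict:
        """The fields a practitioner checks in 'show port-security interface'."""
        return {
            "Port Status": self.status,
            "Violation Mode": self.violation,
            "Maximum MAC Addresses": self.maximum,
            "Sticky MAC Addresses": len(self.secure_macs) if self.sticky else 0,
            "Last Source Address": self.last_source,
            "Security Violation Count": self.violation_count,
        }


if __name__ == "__main__":
    fa01 = SecurePort("FastEthernet0/1")
    print(fa01.receive("0001.aaaa.0001"))   # PC0 pings the server: address learned
    print(fa01.receive("0002.bbbb.0002"))   # PC1 plugged in instead: port err-disabled
    print(fa01.show())
```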
Switchport port security testing
Now we unplug the Ethernet cable from PC0 and plug in another PC (PC1). Now try to ping from PC1 to the Server.

Why does the ping fail? Because the switch detected the MAC address change and shut down the port.

Verify port security
We have three commands to verify port security:

show port-security
This command displays port security information about all the interfaces on the switch.
show port-security address
Displays the statically defined or dynamically learned addresses with port security.

show port-security interface interface
Displays port security information about the specific interface.

Here is a useful command to check your port security configuration. Use show port-security interface to see the port security details per interface. We can see that the violation mode is shutdown and that the last violation was caused by MAC address 0002.1622.CB46:1. The aging time is 0 mins, which means it will stay in err-disable state forever.

How to reset an interface that is disabled due to a port security violation
Manually restart the interface. Unplug the cable from PC1 and plug it back into PC0. Run the following commands on the switch and test connectivity from the PC.
First go to the interface, apply shutdown and then no shutdown.

LAB 11: Configure Portfast

Advantages
- An interface with PortFast enabled goes to forwarding mode immediately; the interface skips the listening and learning states.
- The switch will never generate a topology change notification for it.
- The PortFast feature only has effect when the interface is in non-trunking mode, so enabling PortFast on a trunk port is useless. It applies only in access mode.

Configure PortFast on Cisco Switch (first unplug the two PCs as shown in the figure)

Next, execute the following command on the Switch to enable the PortFast feature on the Fa0/1 interface.
Switch(config)#interface fa0/1
Switch(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc... to this interface when portfast is enabled, can cause temporary bridging loops. Use with CAUTION
%Portfast has been configured on FastEthernet0/1 but will only have effect when the interface is in a non-trunking mode.
Switch(config-if)#

Now, connect PC0 to the fa0/1 interface and PC1 to the fa0/2 interface, as shown in the following figure. We notice that the Fa0/1 interface is activated within 5 seconds because it does not participate in the STP convergence process.

LAB 12 : Configure BPDU Guard on Cisco Switch

- BPDU Guard is used to protect the Spanning Tree domain from external influence. BPDU Guard is disabled by default, but it is recommended to enable BPDU Guard on all ports on which PortFast is enabled.
- BPDU Guard should be applied to user-facing ports to prevent rogue switch network extensions by an attacker.
- BPDU Guard can be configured either in global mode or in interface mode.
- On an interface, BPDU Guard puts the port into err-disabled state if a BPDU is received. In global configuration mode, BPDU Guard disables PortFast on any interface on which a BPDU is received.

SW2(config)# spanning-tree portfast bpduguard default
SW2(config-if)# spanning-tree bpduguard enable
Switch(config)#interface fastEthernet 0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 1
Switch(config-if)#spanning-tree portfast
Switch(config-if)#spanning-tree bpduguard enable

Switch#show spanning-tree interface fastEthernet 0/1 portfast
VLAN0001 enabled

LAB 13: Configure Root Guard on Cisco Switch

Root Guard stops a switch that sends a superior BPDU from becoming the root.

Note: Root Guard is best deployed on ports that connect to switches which should not be the root bridge. For example, a port on a distribution layer switch that is connected to an access layer switch can have Root Guard enabled, because the access layer switch should never become the Root Bridge.
Switch1(config)#hostname DU
Switch2(config)#hostname ASHISH

Now check which switch is the root bridge. Switch DU becomes the root bridge, right?

Now we will enable Root Guard on switch DU on port G0/1, so that if switch ASHISH tries to become the root bridge, port G0/1 of switch DU will be blocked.

DU(config)#interface gigabitEthernet 0/1
DU(config-if)#spanning-tree guard root

Now ping from PC1 to PC2 to verify connectivity
C:>ping 192.168.10.2
Reply from 192.168.10.2: bytes=32 time=12ms TTL=128
Reply from 192.168.10.2: bytes=32 time<1ms TTL=128
Reply from 192.168.10.2: bytes=32 time<1ms TTL=128
Reply from 192.168.10.2: bytes=32 time<1ms TTL=128
Now we will change the priority value of switch ASHISH to check what happens:

ASHISH(config)#spanning-tree vlan 1 priority 4096

Now ping:
C:>ping 192.168.10.2
Request timed out.
Request timed out.
Request timed out.

The port turns red, which indicates that the port was blocked when switch ASHISH tried to become the root bridge:

%SPANTREE-2-ROOTGUARDBLOCK: Port 0/1 tried to become non-designated in VLAN 1. Moved to root-inconsistent state

The above message is generated on switch DU.

To recover from this, reset the priority value of switch ASHISH:
ASHISH(config)#spanning-tree vlan 1 priority 32768

On switch DU:
DU(config)#interface gigabitEthernet 0/1
DU(config-if)#shutdown
DU(config-if)#no shutdown

Now ping from PC1 to PC2 to verify connectivity
C:>ping 192.168.10.2
Reply from 192.168.10.2: bytes=32 time=12ms TTL=128
Reply from 192.168.10.2: bytes=32 time<1ms TTL=128
Reply from 192.168.10.2: bytes=32 time<1ms TTL=128
Reply from 192.168.10.2: bytes=32 time<1ms TTL=128

LAB 14 : Spanning tree behavior - mode, priority value, root bridge

Here switch DU is the root bridge, as all of its ports are in forwarding mode (indicated by the green signal).

By default Cisco switches run a separate STP instance for every VLAN configured on the switch; this mode is called PVST.

We will configure switch ASHISH as the root switch for the default VLAN (1) using one method, then switch DU using another method:

Method 1 (switch ASHISH will be the root bridge)
First verify whether switch ASHISH is the root or not. The switch is not the root bridge.
Now we will make it the root bridge by using the following command:
spanning-tree vlan [list] root [primary | secondary]

Using this command automatically lowers the priority of the switch to a significantly lower value in order to make sure that the switch is elected as the root switch.

ASHISH(config)#spanning-tree vlan 1 root primary

We can see that the switch is now the root bridge.

Method 2 (switch DU will be the root bridge now):
Set the bridge priority using the command spanning-tree vlan [list] priority [value].

DU(config)#spanning-tree vlan 1 priority 4096

DU is now the root switch.
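The election that Labs 13 and 14 exercise, written out as a model (an added example, not IOS code and not from the original guide): bridge IDs with the extended system ID, the two ways of lowering the priority, and what a Root Guard port does with a superior BPDU. The bridge MAC addresses are made up, and the "root primary" rule is the usual IOS behaviour of picking 24576 or 4096 below the current root.

```python
"""Model of the PVST root-bridge election and Root Guard used in Labs 13 and 14.
Added example (not IOS code); the MAC addresses below are constructed."""

from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Bridge:
    name: str
    mac: str                # base MAC in Cisco dotted form; the lowest wins a tie
    priority: int = 32768   # IOS default; must be a multiple of 4096

    def bridge_id(self, vlan: int) -> Tuple[int, int]:
        # With the extended system ID the VLAN number is added to the
        # configured priority, so "priority 4096" in VLAN 1 shows as 4097.
        return (self.priority + vlan, int(self.mac.replace(".", ""), 16))


def elect_root(bridges: List[Bridge], vlan: int = 1) -> Bridge:
    """The bridge with the numerically lowest bridge ID becomes the root."""
    return min(bridges, key=lambda b: b.bridge_id(vlan))


def set_priority(bridge: Bridge, value: int) -> None:
    """spanning-tree vlan N priority <value> (Method 2 in Lab 14)."""
    if value % 4096 or not 0 <= value <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    bridge.priority = value


def root_primary(bridge: Bridge, others: List[Bridge], vlan: int = 1) -> int:
    """spanning-tree vlan N root primary (Method 1 in Lab 14).

    The macro sets the priority to 24576, or to 4096 below the current
    root's priority when that root is already at 24576 or lower.  Returns
    the priority that was applied.
    """
    current_root = elect_root(others, vlan)
    new = 24576 if current_root.priority > 24576 else current_root.priority - 4096
    if new < 0:
        raise ValueError("current root priority too low; set it manually")
    set_priority(bridge, new)
    return new


def root_guard(port_has_root_guard: bool, current_root: Bridge,
               bpdu_sender: Bridge, vlan: int = 1) -> str:
    """State of a port after a BPDU from bpdu_sender arrives (Lab 13).

    A superior BPDU (lower bridge ID than the known root) on a Root Guard
    port moves the port to root-inconsistent instead of re-electing the root;
    without Root Guard the BPDU is processed normally.
    """
    superior = bpdu_sender.bridge_id(vlan) < current_root.bridge_id(vlan)
    if superior and port_has_root_guard:
        return "root-inconsistent"
    return "normal"


if __name__ == "__main__":
    du = Bridge("DU", "0001.0000.0001")
    ashish = Bridge("ASHISH", "0002.0000.0002")
    print("root:", elect_root([du, ashish]).name)             # DU, lower MAC
    set_priority(ashish, 4096)                                # Lab 13 change
    print("DU G0/1:", root_guard(True, du, ashish))           # root-inconsistent
```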
LAB 15 : DHCP CONFIGURATION ON CISCO ROUTER

DHCP (Dynamic Host Configuration Protocol) is an Application Layer protocol. DHCP is used by network devices (for example PCs, network printers, etc.) to automatically obtain an IP address, default gateway, domain name, DNS servers and more. DHCP is available on Cisco IOS routers and switches, but on switches it is only available on newer IOS-based models such as the Catalyst 3550 and 3750.

- The client sends a DHCP Discover message (broadcast) to find a DHCP server.
- The DHCP server responds with a DHCP Offer message (unicast), which includes the IP address, default gateway and lease time for the IP address offered; it also includes the DNS server, TFTP server and many more options.
- The client responds with a DHCP Request message (broadcast), which is a formal request.
- Then the server responds with a DHCP Ack message (unicast) confirming that the IP address has been leased to the client.
Here the router will act as the DHCP server. The IP address 192.168.20.20 is already assigned to the switch, so this IP address will be excluded from the DHCP pool to avoid an IP address conflict.

Configure an IP address on the router's interface
Router#conf t
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip address 192.168.20.1 255.255.255.0
Router(config-if)#no shutdown

Assign an IP address and default gateway for the switch
Switch#conf t
Switch(config)#interface vlan 1
Switch(config-if)#ip address 192.168.20.20 255.255.255.0
Switch(config-if)#no shutdown
Switch(config)#ip default-gateway 192.168.20.1

DHCP Configuration on the Router
1. Create a DHCP pool that defines the network of IP addresses that will be given out to the clients
Router(config)#ip dhcp pool ashish-pool
2. Define the network and subnet for the address pool to be used
Router(dhcp-config)#network 192.168.20.0 255.255.255.0
3. Define the primary and secondary DNS servers
Router(dhcp-config)# dns-server 192.168.20.1
4. Define the default router (i.e., default gateway)
Router(dhcp-config)#default-router 192.168.20.1
5. Exclude the IP addresses we don't want our DHCP server giving out
Router(config)#ip dhcp excluded-address 192.168.20.20 192.168.20.30
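The Discover/Offer/Request/Ack exchange and the pool from this lab (and the switch pool of the next one), as a model that is an added example, not IOS code and not from the original guide. It takes the network, default router, DNS server and excluded-address range from the lab; the client MAC addresses are constructed, and treating the default-router address as never offered is an assumption of the model.

```python
"""Model of the DHCP exchange and of the address pool configured in Labs 15
and 16.  Added example (not IOS code): pool values are the lab's, client MAC
addresses are made up."""

import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple


class DhcpServer:
    """ip dhcp pool / network / default-router / dns-server and
    ip dhcp excluded-address, reduced to the allocation logic."""

    def __init__(self, network: str, default_router: str, dns_server: str,
                 excluded: Iterable[Tuple[str, str]] = ()) -> None:
        self.network = ipaddress.ip_network(network)
        self.default_router = ipaddress.ip_address(default_router)
        self.dns_server = ipaddress.ip_address(dns_server)
        # Each excluded-address range is inclusive: low and high both stay out.
        self.excluded = [(ipaddress.ip_address(lo), ipaddress.ip_address(hi))
                         for lo, hi in excluded]
        self.offers: Dict[str, ipaddress.IPv4Address] = {}   # mac -> offered
        self.leases: Dict[str, ipaddress.IPv4Address] = {}   # mac -> leased

    def _assignable(self, addr: ipaddress.IPv4Address) -> bool:
        if addr == self.default_router:
            # Assumption of this model: the server never hands out the
            # address configured on its own interface.
            return False
        if any(lo <= addr <= hi for lo, hi in self.excluded):
            return False
        return addr not in self.offers.values() and addr not in self.leases.values()

    def _next_free(self) -> Optional[ipaddress.IPv4Address]:
        # hosts() already skips the network and broadcast addresses.
        for addr in self.network.hosts():
            if self._assignable(addr):
                return addr
        return None

    def discover(self, client_mac: str) -> Optional[dict]:
        """DHCPDISCOVER in -> DHCPOFFER out (None when the pool is exhausted).
        A client that already holds a lease is offered the same address."""
        addr = self.leases.get(client_mac)
        if addr is None:
            addr = self.offers.get(client_mac)
        if addr is None:
            addr = self._next_free()
        if addr is None:
            return None
        self.offers[client_mac] = addr
        return {"type": "DHCPOFFER", "yiaddr": str(addr),
                "subnet_mask": str(self.network.netmask),
                "router": str(self.default_router),
                "dns_server": str(self.dns_server),
                "lease_seconds": 86400}   # one day, the IOS default lease

    def request(self, client_mac: str, requested: str) -> str:
        """DHCPREQUEST in -> DHCPACK (lease bound) or DHCPNAK (not what was offered)."""
        if self.offers.get(client_mac) != ipaddress.ip_address(requested):
            return "DHCPNAK"
        self.leases[client_mac] = self.offers.pop(client_mac)
        return "DHCPACK"


def dora(server: DhcpServer, client_mac: str) -> List[Tuple[str, str]]:
    """Run the full exchange for one client; returns (sender, message) pairs."""
    trace = [("client (broadcast)", "DHCPDISCOVER")]
    offer = server.discover(client_mac)
    if offer is None:
        return trace + [("server", "no address available")]
    trace.append(("server (unicast)", f"DHCPOFFER {offer['yiaddr']}"))
    trace.append(("client (broadcast)", f"DHCPREQUEST {offer['yiaddr']}"))
    trace.append(("server (unicast)", server.request(client_mac, offer["yiaddr"])))
    return trace


if __name__ == "__main__":
    # Lab 15 pool: ashish-pool on the router, switch address range excluded.
    router = DhcpServer("192.168.20.0/24", "192.168.20.1", "192.168.20.1",
                        excluded=[("192.168.20.20", "192.168.20.30")])
    for step in dora(router, "0001.aaaa.0001"):   # PC0
        print(step)
```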
Verification:
On PC0 and PC1 enable DHCP. Here we see that both PCs get IP addresses and the other parameters dynamically.

Ping from host to host and from host to the Router or Switch.
LAB 16: DHCP SERVER CONFIGURATION ON CISCO SWITCH

Here the Switch will act as the DHCP server. The IP address 192.168.20.2 is already assigned to the Server, so this IP address will be excluded from the DHCP pool to avoid an IP address conflict.
Switch#conf t
Switch(config)#ip dhcp pool ashish-pool
Switch(dhcp-config)#network 192.168.20.0 255.255.255.0
Switch(dhcp-config)#default-router 192.168.20.1
Switch(dhcp-config)#dns-server 192.168.20.1
Switch(dhcp-config)#exit
Switch(config)#ip dhcp excluded-address 192.168.20.10 192.168.20.20
Switch(config)#interface vlan 1
Switch(config-if)#ip address 192.168.20.1 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit

Verification
On PC0 and PC1 enable DHCP
Also ping from PC0 to PC1 and to the default gateway.

LAB 17: Static route configuration

Overview of Static Routing
- Routes are configured manually
- Administrative distance value 0
- Reduces CPU/RAM overhead and saves bandwidth
- Static routes are not advertised over the network
- Not fault-tolerant
- Initial configuration and maintenance are time-consuming
- Not appropriate for complex topologies

DU Router (Basic Configuration)
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname DU
DU(config)#enable secret cisco123
DU(config)#line console 0
DU(config-line)#password cisco
DU(config-line)#login
DU(config-line)#exit
DU(config)#line vty 0 5
DU(config-line)#password cisco
DU(config-line)#login
DU(config-line)#exit
DU(config)#interface fastEthernet 0/0
DU(config-if)#description connectivity from DU to BUET
DU(config-if)#ip address 192.168.20.1 255.255.255.0
DU(config-if)#no shutdown
DU(config)#interface fastEthernet 0/1
DU(config-if)#description connectivity to Local Network
DU(config-if)#ip address 192.168.10.1 255.255.255.0
DU(config-if)#no shutdown
DU(config-if)#exit
BUET Router (Basic Configuration)
Router(config)#hostname BUET
BUET(config)#enable secret cisco123
BUET(config)#line console 0
BUET(config-line)#password cisco
BUET(config-line)#login
BUET(config-line)#exit
BUET(config)#line vty 0 5
BUET(config-line)#password cisco
BUET(config-line)#login
BUET(config-line)#exit
BUET(config)#interface fastEthernet 0/0
BUET(config-if)#description Connectivity from BUET to DU
BUET(config-if)#ip address 192.168.20.2 255.255.255.0
BUET(config-if)#no shutdown
BUET(config-if)#exit
BUET(config)#interface fastEthernet 0/1
BUET(config-if)#description connectivity from BUET to its Local Network
BUET(config-if)#ip address 192.168.30.1 255.255.255.0
BUET(config-if)#no shutdown
BUET(config-if)#exit

Now assign IP addresses to the hosts
Try to ping from PC0 to PC1
C:>ping 192.168.30.2
Pinging 192.168.30.2 with 32 bytes of data:
Reply from 192.168.10.1: Destination host unreachable.
Reply from 192.168.10.1: Destination host unreachable.
Reply from 192.168.10.1: Destination host unreachable.
Reply from 192.168.10.1: Destination host unreachable.

Thus we need routing, either static or dynamic, right? Let us start with static routing.

DU Router
DU(config)#ip route 192.168.30.0 255.255.255.0 192.168.20.2

BUET Router
BUET(config)#ip route 192.168.10.0 255.255.255.0 192.168.20.1

Rules of Static route
Router(config)# ip route [destination_network] [subnet_mask] [next-hop]

On point-to-point links, an exit interface can be specified instead of a next-hop address:
Router(config)# ip route [destination_network] [subnet_mask] [Exit-Interface]

So for the previous example, instead of the next-hop IP address we can write the exit interface as follows, but only if the two routers are connected point-to-point:
DU(config)#ip route 192.168.30.0 255.255.255.0 fastEthernet 0/0
BUET(config)#ip route 192.168.10.0 255.255.255.0 fastEthernet 0/0

Now ping again,
C:>ping 192.168.30.2
Reply from 192.168.30.2: bytes=32 time<1ms TTL=126
Reply from 192.168.30.2: bytes=32 time<1ms TTL=126
Reply from 192.168.30.2: bytes=32 time<1ms TTL=126
Reply from 192.168.30.2: bytes=32 time<1ms TTL=126

Telnet to the BUET Router
C:>telnet 192.168.20.2
Trying 192.168.20.2 ...Open
User Access Verification
Password:
Password:
BUET>

Success, right?

Other verification command
BUET#show ip route
Gateway of last resort is not set
S 192.168.10.0/24 [1/0] via 192.168.20.1
C 192.168.20.0/24 is directly connected, FastEthernet0/0
C 192.168.30.0/24 is directly connected, FastEthernet0/1

S ----- represents a static route
C ----- directly connected route

LAB 18 : Static Default Routing

It is a special type of static route. Default routing is used in stub networks. A stub network has only one way for the traffic to go to reach several different networks.

A DEFAULT ROUTE is sometimes called a Zero/Zero route, because the network and subnet we specify as the destination for the traffic it matches are all zeros. A DEFAULT ROUTE says "for any traffic that DOES NOT match a specific route in the routing table, forward that traffic to this destination (next-hop router IP address)". In other words, a default route is a "CATCH ALL".

In a default route, both the network and the subnet mask are zero (0.0.0.0 0.0.0.0):
ip route 0.0.0.0 0.0.0.0 next-hop-router-IP address
Normally the Customer's route to the ISP is a default route and the ISP's route to the Customer is a normal static route, as shown below:

Objective:
- Basic Configuration on Router CUSTOMER and ISP
- Static default route to INTERNET on CUSTOMER Router
- Static route to CUSTOMER LAN on ISP Router
- Verification

Configuration
Basic Configuration on Router CUSTOMER and ISP

CUSTOMER Router
Router(config)#hostname CUSTOMER
CUSTOMER(config)#interface fastEthernet 0/1
CUSTOMER(config-if)#description CUSTOMER LAN
CUSTOMER(config-if)#ip address 192.168.10.1 255.255.255.0
CUSTOMER(config-if)#no shutdown
CUSTOMER(config-if)#exit
CUSTOMER(config)#interface fastEthernet 0/0
CUSTOMER(config-if)#description Connectivity to ISP
CUSTOMER(config-if)#ip address 103.13.148.1 255.255.255.248
CUSTOMER(config-if)#no shutdown
ISP ROUTER
Router(config)#hostname ISP
ISP(config)#interface fastEthernet 0/0
ISP(config-if)#description Connectivity to CUSTOMER ROUTER
ISP(config-if)#ip address 103.13.148.2 255.255.255.248
ISP(config-if)#no shutdown
ISP(config-if)#exit
ISP(config)#interface fastEthernet 1/0
ISP(config-if)#description Connectivity to INTERNET
ISP(config-if)#ip address 100.100.100.1 255.255.255.0
ISP(config-if)#no shutdown

Default route to INTERNET on CUSTOMER Router
CUSTOMER(config)#ip route 0.0.0.0 0.0.0.0 103.13.148.2

Static route to CUSTOMER LAN on ISP Router
ISP(config)#ip route 192.168.10.0 255.255.255.0 103.13.148.1

Assign IP addresses to the hosts.
Verification
Apply ping from PC0 to PC1:
C:\>ping 100.100.100.2
Reply from 100.100.100.2: bytes=32 time=1ms TTL=126
Reply from 100.100.100.2: bytes=32 time<1ms TTL=126
Reply from 100.100.100.2: bytes=32 time<1ms TTL=126
Reply from 100.100.100.2: bytes=32 time<1ms TTL=126
Successful.

Now on the CUSTOMER router, S* indicates the default route (candidate default); on the ISP router, S indicates the static route.
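A small model of the route selection behind LAB 17 and LAB 18, added here as an example and not part of the lab guide: the CUSTOMER and ISP tables are constructed from the ip route commands above, and the lookup applies longest-prefix match, so the 0.0.0.0/0 entry only wins when nothing more specific matches. The third table (ISP without its static route back to the customer LAN) is a constructed failure case showing why the ISP side still needs a normal static route.

```python
"""Longest-prefix-match lookup over the CUSTOMER and ISP routing tables of LAB 18.

Added example, not part of the lab guide. The tables are constructed from the
ip route commands and show ip route output in the text; the lookup is a plain
model of how a router selects a route (most specific prefix wins, the 0.0.0.0/0
default route only matches when nothing else does).
"""
import ipaddress


def build_table(connected, statics):
    """Build a routing table as (code, network, next_hop) tuples: connected
    networks ('C') plus static routes ('S'). A static route for 0.0.0.0/0 is
    marked 'S*' (candidate default), as the IOS routing table legend does."""
    table = []
    for net in connected:
        table.append(("C", ipaddress.ip_network(net), None))
    for net, next_hop in statics:
        n = ipaddress.ip_network(net)
        code = "S*" if n.prefixlen == 0 else "S"
        table.append((code, n, ipaddress.ip_address(next_hop)))
    return table


def lookup(table, destination):
    """Return the entry with the longest matching prefix, or None when no route
    (not even a default route) covers the destination."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in table if dst in r[1]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[1].prefixlen)


# Constructed from LAB 18: CUSTOMER has only a default route to the ISP,
# the ISP has a plain static route back to the customer LAN.
CUSTOMER = build_table(
    connected=["192.168.10.0/24", "103.13.148.0/29"],
    statics=[("0.0.0.0/0", "103.13.148.2")],
)
ISP = build_table(
    connected=["103.13.148.0/29", "100.100.100.0/24"],
    statics=[("192.168.10.0/24", "103.13.148.1")],
)
# Constructed failure case: the same ISP table without the return route.
ISP_NO_RETURN = build_table(
    connected=["103.13.148.0/29", "100.100.100.0/24"], statics=[]
)


def trace(src_table, dst_table, src_ip, dst_ip):
    """Model the ping of the verification step: the forward lookup on the
    customer router and the reverse lookup for the reply on the ISP router.
    Returns (forward_code, reverse_code); a None code means the packet would
    be dropped for lack of any matching route."""
    fwd = lookup(src_table, dst_ip)
    rev = lookup(dst_table, src_ip)
    return (fwd[0] if fwd else None, rev[0] if rev else None)


if __name__ == "__main__":
    # -> ('S*', IPv4Network('0.0.0.0/0'), IPv4Address('103.13.148.2'))
    print(lookup(CUSTOMER, "100.100.100.2"))
    # The connected /24 is more specific than the default route.
    print(lookup(CUSTOMER, "192.168.10.50"))     # -> ('C', IPv4Network('192.168.10.0/24'), None)
    print(trace(CUSTOMER, ISP, "192.168.10.10", "100.100.100.2"))            # -> ('S*', 'S')
    print(trace(CUSTOMER, ISP_NO_RETURN, "192.168.10.10", "100.100.100.2"))  # -> ('S*', None)
```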
LAB 19: RIPv2 Configuration

Dynamic Routing Protocols
• Interior Gateway Protocols: RIP, IGRP, EIGRP, OSPF, IS-IS
  • Distance vector: RIP, IGRP
  • Link-state: OSPF, IS-IS
  • Hybrid: EIGRP
• Exterior Gateway Protocol: BGP
IGPs are used for routing within networks that are under a common network administration, whereas EGPs (exterior gateway protocols) are used to exchange routing information between networks.

RIP - Distance Vector Routing Protocol
RIP Fundamentals (RIPv2)
• Distance-vector protocol.
• Uses UDP port 520.
• Classless protocol (support for CIDR).
• Supports VLSM.
• Metric is router hop count.
• Maximum hop count is 15; infinite (unreachable) routes have a metric of 16.
• Periodic route updates sent every 30 seconds to multicast address 224.0.0.9.
• 25 routes per RIP message (24 if you use authentication).
• Supports authentication.
• Implements split horizon with poison reverse.
• Implements triggered updates.
• Subnet mask included in each route entry.
• Administrative distance for RIPv2 is 120.
• Used in small, flat networks or at the edge of larger networks.
• Prevents routing loops (split horizon, route poisoning, hold-down timers and maximum hop count).
Hello and Dead Time
Protocol | Hello interval                                             | Dead interval and related timers
RIPv2    | Update every 30 sec                                        | Dead (invalid) = 30*6 = 180 sec; hold-down 180 sec; flush 240 sec
EIGRP    | 5 sec (point-to-point); 60 sec on NBMA                     | 15 sec; 180 sec on NBMA
OSPF     | 10 sec on PPP and broadcast; 30 sec on point-to-multipoint | 40 sec; 120 sec on point-to-multipoint

RIPv2 CONFIGURATION LAB
Objective:
• Basic configuration of the routers
• Assign IP addresses to the hosts
• RIP configuration
• Configure passive interface
• Configure authentication (MD5)

1. Basic Configuration of the Routers
DU Router
Router(config)#hostname DU
DU(config)#interface fastEthernet 0/1
DU(config-if)#description Connected to LAN
DU(config-if)#ip address 192.168.10.1 255.255.255.0
DU(config-if)#no shutdown
DU(config-if)#exit
DU(config)#interface fastEthernet 0/0
DU(config-if)#ip address 103.13.148.1 255.255.255.248
DU(config-if)#no shutdown
DU(config-if)#description Connected to BUET router

BUET Router
Router(config)#hostname BUET
BUET(config)#interface fastEthernet 0/0
BUET(config-if)#description to DU Router
BUET(config-if)#ip address 103.13.148.2 255.255.255.248
BUET(config-if)#no shutdown
BUET(config)#interface fastEthernet 0/1
BUET(config-if)#description connected to BUET LAN
BUET(config-if)#ip address 100.100.100.1 255.255.255.0
BUET(config-if)#no shutdown

2. Assign IP Addresses to the Hosts
RIP Configuration
DU(config)#router rip
DU(config-router)#version 2
DU(config-router)#network 192.168.10.0
DU(config-router)#network 103.13.148.248
DU(config-router)#no auto-summary

BUET(config)#router rip
BUET(config-router)#version 2
BUET(config-router)#network 100.100.100.0
BUET(config-router)#network 103.13.148.248
BUET(config-router)#no auto-summary

The network command enables RIP on the interfaces that belong to the given network and sends RIP updates out of them; we specify only the networks directly connected to this router. The RIP network command is classful, so 103.13.148.248 is stored as 103.0.0.0 (the show ip protocols output in LAB 20 lists it that way) and covers every interface in 103.0.0.0/8. Auto-summarization is turned on by default for RIPv2 and EIGRP although they are classless routing protocols, so you have to turn it off manually with the "no auto-summary" command.

Verification
R indicates RIP-learned routes.
Apply ping from the DU LAN to the BUET LAN:
C:\>ping 100.100.100.100
Pinging 100.100.100.100 with 32 bytes of data:
Reply from 100.100.100.100: bytes=32 time=2ms TTL=126
Reply from 100.100.100.100: bytes=32 time<1ms TTL=126
Reply from 100.100.100.100: bytes=32 time<1ms TTL=126
Reply from 100.100.100.100: bytes=32 time<1ms TTL=126

LAB 20: Configure Passive Interface
RIP updates are sent out of every interface covered by a network command. But we don't need to send updates everywhere: in our lab the DU router does not need to send RIP updates towards the LAN switch. We can use the passive-interface command to stop RIP updates from being sent out of that interface.
DU(config-router)#passive-interface fastEthernet 0/1

Verification
DU#show ip protocols
Routing Protocol is "rip"
  Sending updates every 30 seconds, next due in 17 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Redistributing: rip
  Default version control: send version 2, receive 2
    Interface             Send  Recv  Triggered RIP  Key-chain
    FastEthernet0/0       2     2
  Automatic network summarization is not in effect
  Maximum path: 4
  Routing for Networks:
    103.0.0.0
    192.168.10.0
  Passive Interface(s):
    FastEthernet0/1
  Routing Information Sources:
    Gateway         Distance      Last Update
    103.13.148.2         120      00:00:04
  Distance: (default is 120)
DU#
RIP now sends updates only to 224.0.0.9 (the RIP multicast address) via F0/0 (103.13.148.1), not into 192.168.10.0/24.
BUET#show ip route rip
     103.0.0.0/29 is subnetted, 1 subnets
R    192.168.10.0/24 [120/1] via 103.13.148.1, 00:00:15, FastEthernet0/0
We can see that the network is still advertised, but no RIP updates are sent towards the DU LAN.

LAB 21: Configure RIP Authentication
Plain text authentication is the default mode in every RIPv2 packet once authentication is enabled. Plain text authentication should not be used when security is a concern, because the unencrypted authentication password is sent in every RIPv2 packet.
Note: RIP version 1 (RIPv1) does not support authentication.
I have used GNS3 to configure this LAB.
Objective:
1. Basic configuration of routers R1 and R2
2. Configure RIP
3. Assign IP addresses to the hosts
4. Verify the configuration
5. Configure authentication
6. Verify

Basic configuration of router R1 (DU)
DU(config)#interface fastEthernet 0/0
DU(config-if)#ip address 192.168.10.1 255.255.255.0
DU(config-if)#no shutdown
DU(config-if)#exit
DU(config)#interface fastEthernet 0/1
DU(config-if)#ip address 192.168.20.1 255.255.255.0
DU(config-if)#no shutdown
DU(config-if)#exit

RIP Configuration
DU(config)#router rip
DU(config-router)#version 2
DU(config-router)#network 192.168.10.0
DU(config-router)#network 192.168.20.0
DU(config-router)#no auto-summary
DU(config-router)#end

Basic configuration of router R2 (BUET)
BUET#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
BUET(config)#interface fastEthernet 0/0
BUET(config-if)#ip address 192.168.10.2 255.255.255.0
BUET(config-if)#no shutdown
BUET(config-if)#exit
BUET(config)#interface fastEthernet 0/1
BUET(config-if)#ip address 192.168.30.1 255.255.255.0
BUET(config-if)#no shutdown
BUET(config-if)#exit
Configure RIP on R2 (BUET)
BUET(config)#router rip
BUET(config-router)#version 2
BUET(config-router)#network 192.168.10.0
BUET(config-router)#network 192.168.30.0
BUET(config-router)#no auto-summary
BUET(config-router)#end
BUET#

Assign IP addresses to the hosts and verify connectivity using the ping command.
DU#show ip route rip
R    192.168.30.0/24 [120/1] via 192.168.10.2, 00:00:26, FastEthernet0/0
DU#
R2#show ip route rip
R    192.168.20.0/24 [120/1] via 192.168.10.1, 00:00:27, FastEthernet0/0
R2#
Configure Authentication
MD5 Authentication
The Cisco implementation of RIPv2 supports MD5 authentication. This provides a higher level of security than clear text. Both router interfaces need to be configured with MD5 authentication. The key number and key string must match on both sides, or authentication will fail.

DU Router
DU(config)#key chain venus                 (name a key chain)
DU(config-keychain)#key 1                  (the identification number of an authentication key on the key chain)
DU(config-keychain-key)#key-string ashish  (the actual password or key-string; it must be identical to the key-string on the remote router)
DU(config-keychain-key)#exit
DU(config-keychain)#exit

BUET Router
BUET(config)#key chain venus
BUET(config-keychain)#key 1
BUET(config-keychain-key)#key-string ashish
BUET(config-keychain-key)#exit
BUET(config-keychain)#exit
BUET(config)#

Apply it to the interface
DU(config)#interface fastEthernet 0/0
DU(config-if)#ip rip authentication mode md5

Now check with the debug command what happens when MD5 is enabled on the DU router but not on the BUET router:
BUET#debug ip rip
RIP protocol debugging is on
BUET#
*Mar 1 00:09:03.883: RIP: ignored v2 packet from 192.168.10.1 (invalid authentication)
*Mar 1 00:09:03.951: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (192.168.10.2)
*Mar 1 00:09:03.951: RIP: build update entries
*Mar 1 00:09:03.951:   192.168.30.0/24 via 0.0.0.0, metric 1, tag 0
*Mar 1 00:09:09.847:   192.168.20.0/24 via 0.0.0.0, metric 2, tag 0
BUET#undebug all

BUET Router
BUET(config)#interface fastEthernet 0/0
BUET(config-if)#ip rip authentication mode md5
BUET(config-if)#end

Now verify
BUET#debug ip rip
RIP protocol debugging is on
BUET#
*Mar 1 00:09:58.267: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (192.168.10.2)
*Mar 1 00:09:58.267: RIP: build update entries
*Mar 1 00:09:58.267:   192.168.30.0/24 via 0.0.0.0, metric 1, tag 0
*Mar 1 00:09:59.131: RIP: received packet with MD5 authentication
*Mar 1 00:09:59.131: RIP: received v2 update from 192.168.10.1 on FastEthernet0/0
*Mar 1 00:09:59.135:   192.168.20.0/24 via 0.0.0.0 in 1 hops
BUET#undebug all
All possible debugging has been turned off

Plain Text Authentication
DU(config)#interface fastEthernet 0/0
DU(config-if)#ip rip authentication key-chain venus
DU(config-if)#end
BUET(config)#int fastEthernet 0/0
BUET(config-if)#ip rip authentication key-chain venus
BUET(config-if)#end
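The debug ip rip captures in this lab (the BUET capture above and the DU verification that follows) contain three authentication messages worth watching for on a production router: a packet ignored for invalid authentication, a packet accepted with MD5, and a packet accepted with text authentication, where the key itself is printed. The classifier below, an added example that is not part of the lab guide, scans such lines, reports which neighbours still use plain text or fail authentication, and redacts the key before the log is kept; the sample lines are constructed after the lab's captures.

```python
"""Classify 'debug ip rip' authentication lines such as those in LAB 21.

Added example, not part of the lab guide. It scans debug output, reports which
neighbours authenticate with MD5, which still use plain text (and therefore put
the key into every packet and into the debug log), and which packets were
dropped for invalid authentication (key or mode mismatch, or an unexpected
source). The sample lines below are constructed after the captures in LAB 21.
"""
import re
from collections import Counter

# Patterns for the authentication-related messages seen in the lab captures.
RE_INVALID = re.compile(r"RIP: ignored v2 packet from (\S+) \(invalid authentication\)")
RE_MD5 = re.compile(r"RIP: received packet with MD5 authentication")
RE_TEXT = re.compile(r"RIP: received packet with text authentication (\S+)")
RE_FROM = re.compile(r"RIP: received v2 update from (\S+) on (\S+)")


def classify(lines):
    """Walk the debug lines in order. Returns a dict with:
    'md5'     - neighbours whose updates carried MD5 authentication
    'text'    - neighbours still using plain-text authentication
    'invalid' - Counter of sources whose packets were ignored
    'leaked'  - keys observed in clear in the debug output
    """
    result = {"md5": set(), "text": set(), "invalid": Counter(), "leaked": set()}
    # The auth mode is printed one line before the 'received v2 update from'
    # line that names the neighbour, so remember it until that line arrives.
    pending = None
    for line in lines:
        if m := RE_INVALID.search(line):
            result["invalid"][m.group(1)] += 1
        elif RE_MD5.search(line):
            pending = ("md5", None)
        elif m := RE_TEXT.search(line):
            pending = ("text", m.group(1))
        elif (m := RE_FROM.search(line)) and pending:
            mode, key = pending
            result[mode].add(m.group(1))
            if key:
                result["leaked"].add(key)
            pending = None
    return result


def redact(line):
    """Mask the plain-text key before the debug output is stored or shared."""
    return RE_TEXT.sub("RIP: received packet with text authentication <redacted>", line)


def report(lines):
    """One finding per line, in the form an operator can act on."""
    r = classify(lines)
    findings = []
    for nbr in sorted(r["text"]):
        findings.append(f"{nbr}: plain-text RIP authentication, use 'ip rip authentication mode md5'")
    for src, n in r["invalid"].most_common():
        findings.append(f"{src}: {n} packet(s) ignored (invalid authentication), check key-string and mode")
    return findings


# Constructed sample, modelled on the LAB 21 captures (unrelated lines kept in).
SAMPLE = """\
*Mar 1 00:09:03.883: RIP: ignored v2 packet from 192.168.10.1 (invalid authentication)
*Mar 1 00:09:59.131: RIP: received packet with MD5 authentication
*Mar 1 00:09:59.131: RIP: received v2 update from 192.168.10.1 on FastEthernet0/0
*Mar 1 00:09:59.135:      192.168.20.0/24 via 0.0.0.0 in 1 hops
*Mar 1 00:07:39.775: RIP: received packet with text authentication ashish
*Mar 1 00:07:39.775: RIP: received v2 update from 192.168.10.2 on FastEthernet0/0
*Mar 1 00:07:39.779:      192.168.30.0/24 via 0.0.0.0 in 1 hops
""".splitlines()

if __name__ == "__main__":
    for finding in report(SAMPLE):
        print(finding)
    for line in SAMPLE:
        print(redact(line))
```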
Verification
DU#debug ip rip
RIP protocol debugging is on
DU#
*Mar 1 00:07:21.115: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/1 (192.168.20.1)
*Mar 1 00:07:21.115: RIP: build update entries
*Mar 1 00:07:21.115:   192.168.10.0/24 via 0.0.0.0, metric 1, tag 0
*Mar 1 00:07:21.119:   192.168.30.0/24 via 0.0.0.0, metric 2, tag 0
DU#
*Mar 1 00:07:39.775: RIP: received packet with text authentication ashish
*Mar 1 00:07:39.775: RIP: received v2 update from 192.168.10.2 on FastEthernet0/0
*Mar 1 00:07:39.779:   192.168.30.0/24 via 0.0.0.0 in 1 hops
DU#
*Mar 1 00:07:41.939: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (192.168.10.1)
*Mar 1 00:07:41.939: RIP: build update entries
*Mar 1 00:07:41.939:   192.168.20.0/24 via 0.0.0.0, metric 1, tag 0
DU#
*Mar 1 00:07:48.647: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/1 (192.168.20.1)
*Mar 1 00:07:48.647: RIP: build update entries
*Mar 1 00:07:48.647:   192.168.10.0/24 via 0.0.0.0, metric 1, tag 0
*Mar 1 00:07:48.651:   192.168.30.0/24 via 0.0.0.0, metric 2, tag 0
DU#undebug all
In text mode the debug output shows the key (ashish) in clear, exactly as it travels in every RIPv2 packet; this is why MD5 mode is the one to use.

Introduction to EIGRP
• Distance vector routing protocol.
• EIGRP was created by Cisco, which means you can only run it on Cisco hardware.
• Cisco added some features from link-state routing protocols to EIGRP, which makes it far more advanced than a true distance vector routing protocol like RIP.
• EIGRP does not use broadcast packets to send information to other neighbors but uses multicast or unicast.
• Besides IPv4, you can also use EIGRP to route IPv6 or even some older network layer protocols like IPX or AppleTalk.
• EIGRP is 100% loop-free.
• EIGRP has its own protocol number, which is 88. Other protocol numbers you are familiar with are TCP (6) and UDP (17).
• EIGRP tables:
  1. Neighbor table
  2. Topology table
  3. Routing table
• EIGRP routers start sending hello packets to other routers just like OSPF does; if you send hello packets and receive them, you become neighbors.
• EIGRP uses a rich set of metrics, namely bandwidth, delay, load and reliability. The lower these metrics, the better.
• Sophisticated metric that supports load-balancing across unequal-cost paths.
• Supports authentication, MD5 only.
• Manual summarization at any interface.
• Uses multicast 224.0.0.10.
• EIGRP maximum hop count is 255 (all 8 bits set, 11111111).
• Neighbor discovery and maintenance: periodic hello messages.
• EIGRP neighborship conditions:
  • Both routers must be in the same primary subnet
  • Both routers must be configured to use the same K-values
  • Both routers must be in the same AS
  • Both routers must have the same authentication configuration (within reason)
  • The interfaces facing each other must not be passive

EIGRP's function is controlled by four key technologies:
• Neighbor discovery and maintenance: periodic hello messages
• The Reliable Transport Protocol (RTP): controls sending, tracking, and acknowledging EIGRP messages
• Diffusing Update Algorithm (DUAL): determines the best loop-free route
• Protocol-dependent modules (PDM): modules are "plug-ins" for the IP, IPX, and AppleTalk versions of EIGRP

EIGRP Neighborship Requirements and Conditions
An EIGRP router doesn't trust anyone blindly. It checks the following configuration values to ensure that the requesting router is eligible to become its neighbor:
1. Active hello packets
2. AS number
3. K-values
• If you lose the successor because of a link failure, EIGRP copies the feasible successor into the routing table. This is what makes EIGRP a FAST routing protocol, but only if you have a feasible successor in the topology table.
• RIP and OSPF can both do load balancing, but the paths have to be equal. EIGRP can do unequal-cost load balancing.

EIGRP Packets and Metrics
EIGRP packets:
• Hello
• Update
• Query
• Reply
• ACK (Acknowledgement)

Neighbor Discovery and Route Exchange
Step 1. Router A sends out a hello.
Step 2. Router B sends back a hello and an update. The update contains routing information.
Step 3. Router A acknowledges the update.
Step 4. Router A sends its update.
Step 5. Router B acknowledges.
A neighbor is considered lost if no hello is received within three hello periods (called the hold time). The default hello/hold timers are as follows:
• 5 seconds/15 seconds for multipoint circuits with bandwidth greater than T1 and for point-to-point media
• 60 seconds/180 seconds for multipoint circuits with bandwidth less than or equal to T1

EIGRP Summarization
EIGRP has two ways of summarizing networks:
Automatic summarization:
• Subnets are summarized to the classful network.
• This is the default for EIGRP.
and manual summarization.
What if I entered a wrong key-string? Authentication mismatch.
What are the K-values that EIGRP uses?
k1 = bandwidth
k2 = load
k3 = delay
k4 = reliability
k5 = MTU

LAB 22: EIGRP Neighbor Adjacency
A loopback interface is a virtual interface, an interface not associated with any hardware or network.

Basic Configuration
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface loopback 0
R1(config-if)#ip address 10.10.10.1 255.255.255.0
R1(config-if)#exit

R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 192.168.10.2 255.255.255.0
R2(config-if)#no shutdown
R2(config)#interface loopback 0
R2(config-if)#ip address 11.11.11.1 255.255.255.0
R2(config-if)#exit
EIGRP Configuration
R1(config)#router eigrp 10
R1(config-router)#network 192.168.10.0
R1(config-router)#network 10.10.10.0 0.0.0.255
R1(config-router)#no auto-summary
R1(config-router)#end
------------------------------------------------
R2(config)#router eigrp 10
R2(config-router)#network 192.168.10.0
R2(config-router)#network 11.11.11.0 0.0.0.255
R2(config-router)#no auto-summary
R2(config-router)#end

Verification
R1#debug eigrp packets hello
R1#
*Mar 1 00:21:05.583: EIGRP: Received HELLO on FastEthernet0/0 nbr 192.168.10.2
*Mar 1 00:21:05.583:   AS 10, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
*Mar 1 00:21:06.139: EIGRP: Sending HELLO on Loopback0
*Mar 1 00:21:06.139:   AS 10, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Mar 1 00:21:06.139: EIGRP: Received HELLO on Loopback0 nbr 10.10.10.1
*Mar 1 00:21:06.139:   AS 10, Flags 0x0, Seq 0/0 idbQ 0/0
R1#undebug all
LAB 23: EIGRP Passive Interface
If we want to advertise a network in EIGRP but don't want to send hello packets everywhere, we can use this feature.

Basic Configuration
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface loopback 0
R1(config-if)#ip address 10.10.10.1 255.255.255.0
R1(config-if)#exit

R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 192.168.10.2 255.255.255.0
R2(config-if)#no shutdown
R2(config)#interface loopback 0
R2(config-if)#ip address 11.11.11.1 255.255.255.0
R2(config-if)#exit

EIGRP Configuration
R1(config)#router eigrp 10
R1(config-router)#network 192.168.10.0
R1(config-router)#network 10.10.10.0 0.0.0.255
R1(config-router)#no auto-summary
R1(config-router)#end
------------------------------------------------
R2(config)#router eigrp 10
R2(config-router)#network 192.168.10.0
R2(config-router)#network 11.11.11.0 0.0.0.255
R2(config-router)#no auto-summary
R2(config-router)#end

We can configure a passive interface in two ways. We apply the first method on router R1 and the second method on router R2.
R1#conf t
R1(config)#router eigrp 10
R1(config-router)#passive-interface default
*Mar 1 00:27:50.875: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor 192.168.10.2 (FastEthernet0/0) is down: interface passive
R1(config-router)#no passive-interface fastEthernet 0/0
*Mar 1 00:28:00.727: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor 192.168.10.2 (FastEthernet0/0) is up: new adjacency
R1(config-router)#
The passive-interface default command makes every interface passive; we then re-enable the specific interface with the "no passive-interface" command.
N.B. The interface towards a neighbor must not be passive, otherwise no neighborship will be formed with that neighbor router (note the "is down: interface passive" message above).

Verification
R1#show ip protocols
Routing Protocol is "eigrp 10"
  Routing for Networks:
    10.10.10.0/24
    192.168.10.0
  Passive Interface(s):
    Serial0/0
    FastEthernet0/1
    Serial0/1
    Serial0/2
    FastEthernet1/0
    Loopback0
    VoIP-Null0

Second Method
R2(config)#router eigrp 10
R2(config-router)#passive-interface loopback 0
R2(config-router)#
This is the other way to make an interface passive.
R2#show ip protocols
Routing Protocol is "eigrp 10"
  Routing for Networks:
    11.11.11.0/24
    192.168.10.0
  Passive Interface(s):
    Loopback0
  Routing Information Sources:
    Gateway         Distance      Last Update
    (this router)         90      00:23:10
    192.168.10.1          90      00:05:44
  Distance: internal 90 external 170
-------------------------------------------------------------------------------------------------
R2#debug eigrp packets hello
EIGRP Packets debugging is on
    (HELLO)
R2#
*Mar 1 00:37:39.787: EIGRP: Sending HELLO on FastEthernet0/0
*Mar 1 00:37:39.787:   AS 10, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
R2#
*Mar 1 00:37:42.255: EIGRP: Received HELLO on FastEthernet0/0 nbr 192.168.10.1
*Mar 1 00:37:42.259:   AS 10, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
R2#
*Mar 1 00:37:44.567: EIGRP: Sending HELLO on FastEthernet0/0
*Mar 1 00:37:44.567:   AS 10, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
R2#
*Mar 1 00:37:46.671: EIGRP: Received HELLO on FastEthernet0/0 nbr 192.168.10.1
*Mar 1 00:37:46.671:   AS 10, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
R2#
*Mar 1 00:37:49.563: EIGRP: Sending HELLO on FastEthernet0/0
*Mar 1 00:37:49.563:   AS 10, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Mar 1 00:37:51.143: EIGRP: Received HELLO on FastEthernet0/0 nbr 192.168.10.1
*Mar 1 00:37:51.147:   AS 10, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
R2#undebug all
All possible debugging has been turned off
R2#
*Mar 1 00:37:53.871: EIGRP: Sending HELLO on FastEthernet0/0
*Mar 1 00:37:53.871:   AS 10, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
R2#
Hellos are now sent and received on FastEthernet0/0 only; none appear on the passive Loopback0, unlike the LAB 22 capture.
------------------------------------------------------------------------------------------------------------------------------------------
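The neighborship conditions listed in the EIGRP introduction (same primary subnet, same AS, same K-values, matching authentication, no passive interface on the link) can be checked before touching a router. The checker below is an added example, not part of the lab guide; EigrpIf is a constructed model of one interface's EIGRP settings, not IOS output, and hello/hold timers are deliberately not compared because, as LAB 25 notes, mismatched timers do not stop an adjacency forming.

```python
"""Check whether two EIGRP-speaking interfaces would form a neighbourship.

Added example, not part of the lab guide. It encodes the conditions from the
EIGRP introduction: same primary subnet, same AS, same K-values, matching
authentication (mode plus an identical key id / key-string) and neither
interface passive. Hello/hold timers are not compared: mismatched timers do
not prevent adjacency (LAB 25). EigrpIf is a constructed data model.
"""
import ipaddress
from dataclasses import dataclass, field

DEFAULT_K = (1, 0, 1, 0, 0)  # K1..K5 as IOS ships them


@dataclass
class EigrpIf:
    name: str
    address: str                 # e.g. "192.168.10.1/24"
    asn: int
    passive: bool = False
    k_values: tuple = DEFAULT_K
    auth_md5: bool = False       # 'ip authentication mode eigrp <as> md5' present
    keys: dict = field(default_factory=dict)  # key id -> key-string of the applied chain
    hello: int = 5
    hold: int = 15


def shared_key(keys_a, keys_b):
    """Both sides need the same key id with the same key-string
    (LAB 24's 'key 1' / 'key-string ccnp' on both routers)."""
    return any(keys_a[k] == keys_b.get(k) for k in keys_a)


def adjacency_problems(a, b):
    """Return the reasons a and b would NOT become neighbours; empty means the
    adjacency forms."""
    problems = []
    ia, ib = ipaddress.ip_interface(a.address), ipaddress.ip_interface(b.address)
    if ia.network != ib.network:
        problems.append(f"different primary subnet: {ia.network} vs {ib.network}")
    if a.asn != b.asn:
        problems.append(f"AS mismatch: {a.asn} vs {b.asn}")
    if a.k_values != b.k_values:
        problems.append(f"K-value mismatch: {a.k_values} vs {b.k_values}")
    if a.passive or b.passive:
        names = ", ".join(i.name for i in (a, b) if i.passive)
        problems.append(f"interface passive: {names}")
    if a.auth_md5 != b.auth_md5:
        problems.append("authentication mode mismatch (one side md5, one side none)")
    elif a.auth_md5 and not shared_key(a.keys, b.keys):
        problems.append("authentication mismatch: no key id with an identical key-string")
    return problems


# Constructed from LAB 22/24: R1 and R2 on 192.168.10.0/24 in AS 10, key chain 'venus'.
R1 = EigrpIf("R1 Fa0/0", "192.168.10.1/24", 10, auth_md5=True, keys={1: "ccnp"})
R2 = EigrpIf("R2 Fa0/0", "192.168.10.2/24", 10, auth_md5=True, keys={1: "ccnp"})
# LAB 25: timers differ wildly, yet the adjacency still forms.
R2_SLOW = EigrpIf("R2 Fa0/0", "192.168.10.2/24", 10, auth_md5=True,
                  keys={1: "ccnp"}, hello=300, hold=3600)
# Wrong key-string: the 'authentication mismatch' case from the EIGRP Q&A.
R2_BADKEY = EigrpIf("R2 Fa0/0", "192.168.10.2/24", 10, auth_md5=True, keys={1: "ccna"})
# passive-interface on the link: LAB 23's '... is down: interface passive'.
R1_PASSIVE = EigrpIf("R1 Fa0/0", "192.168.10.1/24", 10, passive=True,
                     auth_md5=True, keys={1: "ccnp"})

if __name__ == "__main__":
    for pair in ((R1, R2), (R1, R2_SLOW), (R1, R2_BADKEY), (R1_PASSIVE, R2)):
        print(pair[0].name, "<->", pair[1].name, adjacency_problems(*pair) or "adjacency forms")
```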
LAB 24: EIGRP Authentication
EIGRP supports only the MD5 authentication method. EIGRP provides benefits like fast convergence, incremental updates and support for multiple network layer protocols. EIGRP supports Message Digest 5 (MD5) authentication to prevent malicious or incorrect routing information from being introduced into the routing table of a Cisco router.

Basic Configuration
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface loopback 0
R1(config-if)#ip address 10.10.10.1 255.255.255.0
R1(config-if)#exit

R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 192.168.10.2 255.255.255.0
R2(config-if)#no shutdown
R2(config)#interface loopback 0
R2(config-if)#ip address 11.11.11.1 255.255.255.0
R2(config-if)#exit

EIGRP Configuration
R1(config)#router eigrp 10
R1(config-router)#network 192.168.10.0
R1(config-router)#network 10.10.10.0 0.0.0.255
R1(config-router)#no auto-summary
R1(config-router)#end
R2(config)#router eigrp 10
R2(config-router)#network 192.168.10.0
R2(config-router)#network 11.11.11.0 0.0.0.255
R2(config-router)#no auto-summary
R2(config-router)#end

EIGRP Authentication
R1(config)#key chain venus                                (specify the key chain name)
R1(config-keychain)#key 1                                 (specify the key id)
R1(config-keychain-key)#key-string ccnp                   (specify the password)
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip authentication mode eigrp 10 md5         (specify MD5 authentication for the EIGRP packets)
R1(config-if)#ip authentication key-chain eigrp 10 venus  (apply the key chain on the interface connecting to the other router)
N.B. A shared authentication key, identical on both routers, must be configured. The password is known as the "key".

R2(config)#key chain venus
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string ccnp
R2(config-keychain-key)#exit
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip authentication mode eigrp 10 md5
R2(config-if)#ip authentication key-chain eigrp 10 venus
*Mar 1 01:31:02.455: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor 192.168.10.1 (FastEthernet0/0) is up: new adjacency
R2(config-if)#

R1#show ip eigrp interfaces detail
IP-EIGRP interfaces for process 10

                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Fa0/0              1        0/0        29       0/2          144           0
  Hello interval is 5 sec
  Next xmit serial <none>
  Un/reliable mcasts: 0/5  Un/reliable ucasts: 10/13
  Mcast exceptions: 5  CR packets: 4  ACKs suppressed: 0
  Retransmissions sent: 3  Out-of-sequence rcvd: 1
  Authentication mode is md5,  key-chain is "venus"
  Use multicast

LAB 25: Configure EIGRP Hold Time and Hello Time
Basic Configuration
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface loopback 0
R1(config-if)#ip address 10.10.10.1 255.255.255.0

R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 192.168.10.2 255.255.255.0
R2(config-if)#no shutdown
R2(config)#interface loopback 0
R2(config-if)#ip address 11.11.11.1 255.255.255.0

EIGRP Configuration
R1(config)#router eigrp 10
R1(config-router)#network 192.168.10.0
R1(config-router)#network 10.10.10.0 0.0.0.255
R1(config-router)#no auto-summary

R2(config)#router eigrp 10
R2(config-router)#network 192.168.10.0
R2(config-router)#network 11.11.11.0 0.0.0.255
R2(config-router)#no auto-summary
EIGRP uses two sets of hello and hold timers:
Hello/Hold timer 5/15 (point-to-point / broadcast network)
Hello/Hold timer 60/180 (NBMA)
But they can be changed as follows:
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip hello-interval eigrp 10 30
R1(config-if)#ip hold-time eigrp 10 90

R2(config)#interface fastEthernet 0/0
R2(config-if)#ip hello-interval eigrp 10 300
R2(config-if)#ip hold-time eigrp 10 3600
N.B. It is possible for two routers to become EIGRP neighbors even though their hello and hold timers do not match.

LAB 26: EIGRP Summarization
Summarization is used to reduce the size of a routing table, thus reducing the load on CPU and memory. There are two types of summarization:
• Auto summarization: advertises the classful A, B or C network to the neighbors. By default the "auto-summary" command is enabled.
• Manual summarization: described in this lab.
Basic Configuration of R1 and R2
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface loopback 0
R1(config-if)#ip address 172.16.0.1 255.255.255.0
R1(config-if)#interface loopback 1
R1(config-if)#ip address 172.16.1.1 255.255.255.0
R1(config-if)#interface loopback 2
R1(config-if)#ip address 172.16.2.1 255.255.255.0
R1(config-if)#interface loopback 3
R1(config-if)#ip address 172.16.3.1 255.255.255.0
R1(config-if)#interface loopback 4
R1(config-if)#ip address 172.16.4.1 255.255.255.0

R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 192.168.10.2 255.255.255.0
R2(config-if)#no shutdown

EIGRP Configuration
R1(config)#router eigrp 10
R1(config-router)#network 192.168.10.0
R1(config-router)#network 172.16.0.0
R1(config-router)#network 172.16.1.0
R1(config-router)#network 172.16.2.0
R1(config-router)#network 172.16.3.0
R1(config-router)#network 172.16.4.0
R1(config-router)#no auto-summary
-------------------------------------------------------------------
R2(config)#router eigrp 10
R2(config-router)#network 192.168.10.0
R2(config-router)#no auto-summary
R2(config-router)#end

Now see the routing table
R1#show ip route
C    192.168.10.0/24 is directly connected, FastEthernet0/0
     172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
C       172.16.4.0/24 is directly connected, Loopback4
C       172.16.0.0/24 is directly connected, Loopback0
D       172.16.0.0/16 is a summary, 00:00:30, Null0
C       172.16.1.0/24 is directly connected, Loopback1
C       172.16.2.0/24 is directly connected, Loopback2
C       172.16.3.0/24 is directly connected, Loopback3

R2#show ip route
C    192.168.10.0/24 is directly connected, FastEthernet0/0
     172.16.0.0/24 is subnetted, 5 subnets
D       172.16.4.0 [90/409600] via 192.168.10.1, 00:00:07, FastEthernet0/0
D       172.16.0.0 [90/409600] via 192.168.10.1, 00:00:07, FastEthernet0/0
D       172.16.1.0 [90/409600] via 192.168.10.1, 00:00:07, FastEthernet0/0
D       172.16.2.0 [90/409600] via 192.168.10.1, 00:00:07, FastEthernet0/0
D       172.16.3.0 [90/409600] via 192.168.10.1, 00:00:07, FastEthernet0/0

Router R2 receives a number of EIGRP routes from R1, so we will now reduce the size of R2's routing table by creating a summary (manual summarization):
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip summary-address eigrp 10 172.16.0.0 255.255.248.0

Verification
R2#show ip route
C    192.168.10.0/24 is directly connected, FastEthernet0/0
     172.16.0.0/21 is subnetted, 1 subnets
D       172.16.0.0 [90/409600] via 192.168.10.1, 00:00:15, FastEthernet0/0
R2#show ip route eigrp
     172.16.0.0/21 is subnetted, 1 subnets
D       172.16.0.0 [90/409600] via 192.168.10.1, 00:05:05, FastEthernet0/0
Now we can see that router R2 has only one summary route.
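How the 255.255.248.0 mask above is arrived at, as an added example that is not part of the lab guide: starting from the five /24s behind R1's loopbacks, the smallest single prefix covering all of them is computed (which gives 172.16.0.0/21), and the address space the summary claims beyond the real subnets is listed, which is the range the summarising router's Null0 entry discards. The same function reproduces the 255.255.252.0 summary that LAB 27 configures for four loopbacks; the prefix lists are constructed from the lab configurations.

```python
"""Compute the EIGRP manual summary for a set of prefixes, as in LAB 26.

Added example, not part of the lab guide. Given the /24s behind R1's loopbacks
it derives the smallest single prefix that covers them all, produces the
network/mask pair that 'ip summary-address eigrp <as> <net> <mask>' expects,
and lists the address space the summary claims beyond the real subnets (the
range the summarising router's Null0 discard entry absorbs). It goes beyond the
lab only in that it works for any prefix list, not just consecutive /24s.
"""
import ipaddress


def summary_prefix(prefixes):
    """Smallest prefix containing every network in `prefixes`: widen the first
    network's mask one bit at a time until the supernet covers all of them."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def summary_mask(prefixes):
    """The '<net> <mask>' form used in 'ip summary-address eigrp 10 ...'."""
    s = summary_prefix(prefixes)
    return f"{s.network_address} {s.netmask}"


def overclaimed(prefixes):
    """Ranges inside the summary that are not one of the real subnets.
    Traffic for these is advertised as reachable via the summary but is
    dropped at the summarising router (its Null0 entry for the summary)."""
    s = summary_prefix(prefixes)
    real = [ipaddress.ip_network(p) for p in prefixes]
    holes = [s]
    for n in real:
        holes = [h for old in holes
                 for h in (old.address_exclude(n) if n.subnet_of(old) else [old])]
    return sorted(holes)


# Constructed from LAB 26: loopbacks 0..4 on R1.
LAB26 = ["172.16.0.0/24", "172.16.1.0/24", "172.16.2.0/24",
         "172.16.3.0/24", "172.16.4.0/24"]
# Constructed from LAB 27: loopbacks 172.16.0.0 .. 172.16.3.0, summarised with 255.255.252.0.
LAB27 = ["172.16.0.0/24", "172.16.1.0/24", "172.16.2.0/24", "172.16.3.0/24"]

if __name__ == "__main__":
    print(summary_mask(LAB26))   # 172.16.0.0 255.255.248.0
    print(overclaimed(LAB26))    # [IPv4Network('172.16.5.0/24'), IPv4Network('172.16.6.0/23')]
    print(summary_mask(LAB27))   # 172.16.0.0 255.255.252.0
    print(overclaimed(LAB27))    # []
```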
LAB 27: ADVANCED EIGRP LAB
DU Router
1. Basic Configuration
DU>en
DU#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
DU(config)#hostname DU
DU(config)#enable password cisco
(enable password stores the password in a reversible form in the configuration; enable secret, used on the BUET router below, stores a hash and is the preferred command.)
2. Line console password
DU(config)#line console 0
DU(config-line)#password cisco
DU(config-line)#login
DU(config-line)#exit
3. Telnet configuration for remote login
DU(config)#line vty 0 4
DU(config-line)#password cisco
DU(config-line)#login
DU(config-line)#exit
4. IP configuration on the router interfaces
DU(config)#interface fastEthernet 0/0
DU(config-if)#ip address 192.168.20.1 255.255.255.0
DU(config-if)#no shutdown
DU(config-if)#exit
DU(config)#interface fastEthernet 0/1
DU(config-if)#ip address 192.168.10.1 255.255.255.0
DU(config-if)#no shutdown
5. Configure loopback interfaces
DU(config)#interface loopback 1
DU(config-if)#ip address 172.16.0.1 255.255.255.0
DU(config-if)#interface loopback 2
DU(config-if)#ip address 172.16.1.1 255.255.255.0
DU(config-if)#interface loopback 3
DU(config-if)#ip address 172.16.2.1 255.255.255.0
DU(config-if)#interface loopback 4
DU(config-if)#ip address 172.16.3.1 255.255.255.0

BUET Router
1. Basic Configuration
BUET(config)#hostname BUET
BUET(config)#enable secret cisco
2. Line console password
BUET(config)#line console 0
BUET(config-line)#password cisco
BUET(config-line)#login
BUET(config-line)#exit
3. Telnet configuration for remote login
BUET(config)#line vty 0 4
BUET(config-line)#password cisco
BUET(config-line)#login
4. IP configuration on the router interfaces
BUET(config)#interface fastEthernet 0/0
BUET(config-if)#ip address 192.168.20.2 255.255.255.0
BUET(config-if)#no shutdown
BUET(config)#interface fastEthernet 0/1
BUET(config-if)#ip address 192.168.30.1 255.255.255.0
BUET(config-if)#no shutdown
BUET(config-if)#exit
BUET(config)#
  • 97.
Main Configuration

EIGRP Configuration and advertise network
DU(config)#router eigrp 10
DU(config-router)#network 192.168.10.0
DU(config-router)#network 192.168.20.0
DU(config-router)#network 172.16.1.0
DU(config-router)#network 172.16.2.0
DU(config-router)#network 172.16.3.0
DU(config-router)#network 172.16.0.0 0.0.0.255
DU(config-router)#no auto-summary

BUET(config)#router eigrp 10
BUET(config-router)#network 192.168.20.0
BUET(config-router)#network 192.168.30.0
BUET(config-router)#no auto-summary
BUET(config-router)#

Configure EIGRP Authentication
==========================
DU(config)#key chain ashishkey
DU(config-keychain)#key 1
DU(config-keychain-key)#key-string ashish
DU(config-keychain-key)#exit
DU(config-keychain)#exit
DU(config)#
DU(config)#interface fastEthernet 0/0
DU(config-if)#ip authentication mode eigrp 10 md5
DU(config-if)#ip authentication key-chain eigrp 10 ashishkey

BUET(config)#key chain ashishkey
BUET(config-keychain)#key 1
BUET(config-keychain-key)#key-string ashish
BUET(config-keychain-key)#exit
BUET(config-keychain)#exit
BUET(config)#interface fastEthernet 0/0
BUET(config-if)#ip authentication mode eigrp 10 md5
BUET(config-if)#ip authentication key-chain eigrp 10 ashishkey
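What the key-chain MD5 authentication above actually buys you (and the difference from the plaintext mode that OSPF also offers in LAB 30) can be modelled in a few lines of Python. This is an added example, not code from the lab guide or from IOS: it follows the layout of OSPF's cryptographic authentication (RFC 2328 Appendix D: key id, cryptographic sequence number, and an MD5 digest over the packet plus the 16-byte-padded key), the packet bodies and keys are constructed for the demonstration, and the receiver shows which failures each mode can detect.

```python
"""Neighbour authentication for routing protocols, modelled in Python.

Added example (not from the lab guide). The packet layout follows OSPF's
cryptographic authentication (RFC 2328 Appendix D): a 16-bit auth type, an
8-byte auth field, the body, and for MD5 a 16-byte digest appended. The
bodies and keys below are constructed for the demonstration only.
"""
import hashlib
import hmac
import struct

AUTH_NULL, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2
HDR = "!HxxBBI"                  # auth type, 2 reserved bytes, key id, auth data length, crypto sequence
HDR_LEN = struct.calcsize(HDR)   # 10 bytes


def _pad_key(key: bytes) -> bytes:
    """RFC 2328 D.4.3: the key is truncated or zero-padded to 16 bytes."""
    return key[:16].ljust(16, b"\x00")


def build_simple(body: bytes, password: bytes) -> bytes:
    """Type 1 (plaintext): the password itself rides in the 8-byte auth field."""
    return struct.pack("!H", AUTH_SIMPLE) + password[:8].ljust(8, b"\x00") + body


def build_md5(body: bytes, key_id: int, seq: int, key: bytes) -> bytes:
    """Type 2 (MD5): the key never leaves the router; only a digest over packet||key is sent."""
    packet = struct.pack(HDR, AUTH_MD5, key_id, 16, seq) + body
    return packet + hashlib.md5(packet + _pad_key(key)).digest()


def verify_simple(packet: bytes, password: bytes) -> bool:
    """Plaintext check: anyone who captured one packet already holds the password."""
    autype = struct.unpack("!H", packet[:2])[0]
    return autype == AUTH_SIMPLE and packet[2:10].rstrip(b"\x00") == password[:8]


def verify_md5(packet: bytes, keys: dict, last_seq: dict, src: str):
    """Return (accepted, reason). keys maps key id -> key; last_seq tracks the per-neighbour sequence."""
    if len(packet) < HDR_LEN + 16:
        return False, "truncated"
    autype, key_id, auth_len, seq = struct.unpack(HDR, packet[:HDR_LEN])
    if autype != AUTH_MD5 or auth_len != 16:
        return False, "auth type mismatch"
    if key_id not in keys:
        return False, "unknown key id"
    signed, digest = packet[:-16], packet[-16:]
    expected = hashlib.md5(signed + _pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, digest):   # constant-time compare
        return False, "bad digest"                  # wrong key or packet modified in transit
    if seq < last_seq.get(src, 0):                  # RFC 2328: sequence must not go backwards
        return False, "replayed (old sequence)"
    last_seq[src] = seq
    return True, "ok"


def tamper(packet: bytes, offset: int) -> bytes:
    """Flip one bit of the packet to simulate modification in transit."""
    b = bytearray(packet)
    b[offset] ^= 0x01
    return bytes(b)


def demo() -> dict:
    """Run the lab's setting (key-string 'ashish' under key id 1) through each scenario."""
    body = b"EIGRP HELLO AS 10 from 192.168.20.1"   # constructed body, not a real packet
    keys = {1: b"ashish"}
    last_seq = {}
    src = "192.168.20.1"
    plain = build_simple(body, b"ashish")
    good = build_md5(body, 1, 1001, b"ashish")
    return {
        "plaintext_key_visible_on_wire": b"ashish" in plain,
        "md5_key_visible_on_wire": b"ashish" in good,
        "plaintext_accepted": verify_simple(plain, b"ashish"),
        "md5_accepted": verify_md5(good, keys, last_seq, src),
        "md5_tampered": verify_md5(tamper(good, HDR_LEN), keys, last_seq, src),
        "md5_wrong_key": verify_md5(build_md5(body, 1, 1002, b"guess"), keys, last_seq, src),
        "md5_replayed": verify_md5(build_md5(body, 1, 1000, b"ashish"), keys, last_seq, src),
        "md5_unknown_key_id": verify_md5(build_md5(body, 2, 1003, b"ashish"), keys, last_seq, src),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The plaintext packet exposes the key to anyone capturing on the segment, while the MD5 packet lets the receiver reject a modified packet, a wrong key, an unknown key id and a replayed (older sequence number) packet without ever carrying the key.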
Configure EIGRP Summary Address
==========================
DU(config)#interface fastEthernet 0/0
DU(config-if)#ip summary-address eigrp 10 172.16.0.0 255.255.252.0

Configure EIGRP Passive Interface
=========================
BUET(config)#router eigrp 10
BUET(config-router)#passive-interface fastEthernet 0/1

Troubleshooting commands
# show ip route
# show ip eigrp neighbors / topology / interfaces
# show ip interface F0/0
# show ip protocols

OSPF Fundamentals
- Open standard protocol
- It is a link state protocol
- It uses the Dijkstra shortest path algorithm (constructs a shortest path tree and then populates the routing table with the best routes)
- No limit on hop count
- Metric is cost (cost = 10^8 / bandwidth)
- Administrative distance is 110
- It is a classless routing protocol
- Supports VLSM and CIDR
- Supports only IP routing
- Supports only equal-cost load balancing
- Uses the concept of areas for easy management and hierarchical design
- Must have one area as Area 0, which is called the backbone area
- All other areas must connect to this Area 0
- Scalability is better than that of distance vector routing protocols
- Supports authentication
- Updates are sent through the multicast addresses 224.0.0.5 (all routers) and 224.0.0.6 (all designated routers)
- Faster convergence
- Sends Hello packets every 10 seconds
- Triggered / incremental updates: sends an update when a change triggers in the network, and sends only information about the change, not the complete routing table. LSAs are sent when a change occurs and only about the change.
- LSAs refresh every 30 minutes
- Forms neighbors with adjacent routers in the same area
- LSAs are used to advertise directly connected links

Link: That's the interface of our router.
State: Description of the interface and how it's connected to neighbor routers.

Link-state routing protocols operate by sending link-state advertisements (LSAs) to all other link-state routers. All the routers need to have these link-state advertisements so they can build their link state database, or LSDB. This LSDB is our full picture of the network; in network terms we call this the topology.

OSPF maintains three tables:
Neighbor Table: Contains the list of directly connected neighbors (routers). We can see the table using the command 'show ip ospf neighbor'.
Database Table: It is known as the link state database (LSDB). All possible routes to any network in the same area are contained in this table. 'show ip ospf database'
Routing Table: The best paths to reach each destination. The routing table can be seen using the 'show ip route' command.

All the routers in OSPF have a common database. The two levels of hierarchy consist of:
- Transit area (backbone or Area 0)
- Regular area (non-backbone area)

OSPF works with the concept of areas, and by default you will always have a single area; normally this is area 0, also called the backbone area.
- Internal Router: The router for which all its interfaces belong to one area.
- Area Border Router (ABR): The router that contains interfaces in more than one area.
- Backbone Router: The router that has all or at least one interface in Area 0.
- Autonomous System Boundary Router (ASBR): The router with a connection to a separate autonomous system.

Advantages of OSPF
- Open standard; this can be used by all vendors
- No limitations on hop count
- Provides a loop-free network
- Provides faster convergence

Disadvantages of OSPF
- More CPU intensive, uses more CPU resources
- Design and implementation are complex
- It only supports equal-cost load balancing
- Only supports IP and not others like IPX or AppleTalk

Once you configure OSPF your router will start sending hello packets. If you also receive hello packets from the other router you will become neighbors.

Parameters to match to become neighbors
For two or more OSPF routers to become neighbors there are some parameters that need to match / be identical:
- Area ID
- Area Type (NSSA, Stub)
- Subnet Mask
- Hello Interval
- Dead Interval
- Prefix
- Network Type (broadcast, point-to-point, etc.)
- Authentication

OSPF Metric
Cost = Reference Bandwidth / Interface Bandwidth
Cost = 100Mbps / Bandwidth

Some things worth knowing about OSPF load balancing:
- Paths must have an equal cost.
- 4 equal cost paths will be placed in the routing table.
- Maximum of 16 paths.
- To make paths equal cost, change the "cost" of a link.

Each LSA has an aging timer which carries the link-state age field. By default each OSPF LSA is only valid for 30 minutes. If the LSA expires then the router that created the LSA will resend the LSA and increase the sequence number.

OSPF has to get through 7 states in order to become neighbors; here they are:
1. Down: no OSPF neighbors detected at this moment.
2. Init: Hello packet received.
3. Two-way: own router ID found in received hello packet.
4. Exstart: master and slave roles determined.
5. Exchange: database description packets (DBD) are sent.
6. Loading: exchange of LSR (link state request) and LSU (link state update) packets.
7. Full: OSPF routers now have an adjacency.

OSPF Packet Types
1. Hello: to build and maintain neighbor relationships or adjacencies, and as keepalives.
2. DBD (Database Descriptor): Used to verify whether the LSDB between two routers is the same. It is a summary of the link state database (LSDB).
3. Link State Request (LSR): Any request made to other routers for some information uses this packet.
4. Link State Update (LSU): Contains the information requested in the LSR.
5. Link State Acknowledgement (LSAck): Acknowledgement for all the OSPF packets except the Hello packet.
Hellos are the keepalives for OSPF. If a Hello is not received in 4 Hello periods, then the neighbor is considered dead. 4 Hello periods = dead time. The hello and dead timers are as follows:
- LAN and point-to-point interfaces: Hello 10 seconds, Dead timer 40 seconds
- Non-broadcast multi-access (NBMA) interfaces: Hello 30 seconds, Dead timer 120 seconds

There are a total of 11 types of LSA, but the well-known types are as follows.

LSA Type 1 | Router LSA (from one network): Each router generates a Type 1 LSA that lists its active interfaces, IP addresses, neighbors and the cost to each. Flooded inside the router's area. Link ID is the router's ID.

LSA Type 2 | Network LSA (from more than one network, DR generated): A Type 2 LSA is created by the DR on the network, and represents the subnet and the router interfaces connected to that network. Link ID is the interface IP address. Does not cross areas.

LSA Type 3 | Summary LSA (ABR summary route): Generated by Area Border Routers (ABRs). Type 3 LSAs advertise networks from an area to the rest of the areas in the AS. The link-state ID used by this LSA is the network number advertised. Describes how to reach from one area to another area; does the summary of the network. Type 3 is called an inter-area link, represented by O IA.

LSA Type 4 | Summary LSA (just the IP address of the ASBR): Describes how to reach the ASBR. The ABR tells the routers of other areas "if you want to go to the ASBR, use me". The ABR passes the ASBR summary route.

LSA Type 5 | External LSA (ASBR summary route): The ASBR creates the route to go to external routers, and says "if you want to go to external routes, use me; I know the path". Type 4 tells the other routers how to reach the ASBR. These routes appear as O E1 or O E2.

NSSA External LSA (Type 7): Type 7 LSAs allow injection of external routes through Not-So-Stubby Areas (NSSA). Generally external routes are advertised by Type 5 LSAs, but they are not allowed inside any stub area. That's why the Type 7 LSA is used, to trick OSPF. A Type 7 LSA is generated by the NSSA ASBR and is translated into a Type 5 LSA as it leaves the area by the NSSA ABR, which is then propagated throughout the network as a Type 5 LSA. A stub area prevents external routes from going through it, so an NSSA is used, which allows Type 7 LSAs only.
Area Types

Normal Areas: These areas can either be standard areas or transit (backbone) areas. Standard areas are defined as areas that can accept intra-area, inter-area and external routes. The backbone area is the central area to which all other areas in OSPF connect.

Stub Areas: These areas do not accept routes belonging to external autonomous systems (AS); however, these areas have inter-area and intra-area routes. In order to reach the outside networks, the routers in the stub area use a default route which is injected into the area by the Area Border Router (ABR).

Totally Stub Areas: These areas do not accept routes belonging to external autonomous systems (AS), and even inter-area routes (summary routes) are not propagated inside the totally stubby areas. Only the default route is propagated within the area. The ABR injects a default route into the area and all the routers belonging to this area use the default route to send any traffic outside the area.

NSSA: This type of area allows the flexibility of importing a few external routes into the area while still trying to retain the stub characteristic.

OSPF can do summarization
OSPF can do summarization, but it's impossible to summarize within an area. This means we have to configure summarization on an ABR or ASBR. OSPF can only summarize our LSA Type 3 and 5. OSPF does not support auto summarization, only manual. OSPF route summarization can be of two types:
1. Internal route summarization:
ABR(config-router)#area 15 range 192.168.0.0 255.255.254.0
2. External route summarization:
ASBR(config-router)#summary-address 172.16.32.0 255.255.224.0

OSPF supports two types of authentication:
- Plaintext authentication
- MD5 authentication

OSPF Network types:
Point-to-Point
Over High-Level Data Link Control (HDLC) and Point-to-Point Protocol (PPP), Open Shortest Path First (OSPF) runs as a point-to-point network type.

Broadcast
An Ethernet segment is an example of such a network. Ethernet networks support broadcasts; a single packet transmitted by a device can be multiplied by the medium (in this case an Ethernet switch) so that every other end point receives a copy.

Non-Broadcast
Frame Relay and ATM are probably the most common examples of non-broadcast transport, requiring individual permanent virtual circuits (PVCs) to be configured between end points.

Non-Broadcast Multi-Access (NBMA)
An NBMA segment emulates the function of a broadcast network. Every router on the segment must be configured with the IP address of each of its neighbors. OSPF hello packets are then individually transmitted as unicast packets to each adjacent neighbor.

Point-to-Multipoint
No DR/BDR election, since OSPF sees the network as a collection of point-to-point links. Only a single IP subnet is used in the topology above.

DR/BDR Election Process
- DR/BDR election is per multi-access segment, not per area. Each multi-access segment (e.g. an Ethernet segment) will have a Designated Router (DR) and a Backup Designated Router (BDR).
- The other routers, which are neither DR nor BDR, will be DROTHERs. A DROTHER router on the segment forms a full adjacency with the DR/BDR. DR/BDR is a property of a router's interface, not of the entire router.
- DRs reduce network traffic, as only they maintain the complete OSPF database and then send updates to the other routers on the shared network segment.
- The router with the highest priority on the data link wins the election, but by default priorities are 1. In this case the router with the highest Router ID will win.
Consider that all OSPF router processes start at the same time. Router0 and Router1 win the election for DR and BDR respectively because they have the highest Router IDs on the segment. The other routers will be DROTHERs. Here Router2 and Router3 will form a full adjacency with Router0 (DR) and Router1 (BDR).
- We can use the show ip ospf neighbor command to verify this.
- The default priority is 1, but the priority can be changed with Router(config-if)#ip ospf priority <priority number>
- If we do not want a router to participate in the DR/BDR election, then its priority must be set to 0.
- We need to use clear ip ospf process before this change takes effect.

LAB --- OSPF
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1. BASIC CONFIGURATION
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
R1#conf t
R1(config)#interface loopback 0
R1(config-if)#ip address 172.16.0.1 255.255.255.0
R1(config-if)#interface loopback 1
R1(config-if)#ip address 172.16.1.1 255.255.255.0
R1(config-if)#interface loopback 2
R1(config-if)#ip address 172.16.2.1 255.255.255.0
R1(config-if)#interface loopback 3
R1(config-if)#ip address 172.16.3.1 255.255.255.0
R1(config-if)#exit
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.12.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
===================================================================
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 192.168.12.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface fastEthernet 0/1
R2(config-if)#ip address 192.168.23.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#
===================================================================
R3#conf t
R3(config)#interface fastEthernet 0/1
R3(config-if)#ip address 192.168.23.3 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
LAB 28 : OSPF BASIC CONFIGURATION
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
R1(config)#router ospf 1
R1(config-router)#network 172.16.0.0 0.0.3.255 area 0
R1(config-router)#network 192.168.12.0 0.0.0.255 area 1

R2#conf t
R2(config)#router ospf 1
R2(config-router)#network 192.168.12.0 0.0.0.255 area 1
R2(config-router)#network 192.168.23.0 0.0.0.255 area 2

R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#router ospf 1
R3(config-router)#network 192.168.23.0 0.0.0.255 area 2
R3(config-router)#exit

Wildcard Mask
Wildcard masks are used to specify a range of network addresses. They are commonly used with routing protocols (like OSPF) and access lists:
- To indicate the size of a network or subnet for some routing protocols, such as OSPF.
- To indicate what IP addresses should be permitted or denied in access control lists (ACLs).

Slash   Netmask           Wildcard Mask
/32     255.255.255.255   0.0.0.0
/31     255.255.255.254   0.0.0.1
/30     255.255.255.252   0.0.0.3
/29     255.255.255.248   0.0.0.7
/28     255.255.255.240   0.0.0.15
/27     255.255.255.224   0.0.0.31
/26     255.255.255.192   0.0.0.63
/25     255.255.255.128   0.0.0.127
/24     255.255.255.0     0.0.0.255
/23     255.255.254.0     0.0.1.255

Rules: if all bits are 1 then all wildcard bits are 0, and vice versa;
255.255.255.255   0.0.0.0
255.255.255.0     0.0.0.255
If the octet has another value (not 0 or 255), then find the block size:
255.255.255.248 ...... block size = 256 - 248 = 8
And the wildcard octet will be "block size - 1" = 8 - 1 = 7
And thus here 255.255.255.248 0.0.0.7
===========================================================================
Verification
=============
Here we can see that the neighborship is formed, but there is no route to area 0 and area 1. So we now have to configure a virtual link on R1 and R2 through area 1.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
LAB 29 : OSPF VIRTUAL-LINK
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
In OSPF all other areas must be connected with area 0 (the backbone area), either physically or virtually. In our figure area 1 is directly connected with area 0, but area 2 is not connected with area 0. So here area 2 has to be connected with area 0 virtually. In this lab we will see it:
First we configure the Router ID on the R1 and R2 routers
R1(config-router)#router-id 1.1.1.1
R1(config-router)#
R2(config-router)#router-id 2.2.2.2
Reload or use the "clear ip ospf process" command for this to take effect
R2#clear ip ospf process
Reset ALL OSPF processes? [no]: yes
We must run this command for this configuration to take effect (also called a soft reset).

Now we will configure the virtual link through area 1
R1(config)#router ospf 1
R1(config-router)#area 1 virtual-link 2.2.2.2
R2(config)#router ospf 1
R2(config-router)#area 1 virtual-link 1.1.1.1

===========
Now verify
============
Ping to any loopback IP
R3#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/38/52 ms
--------------------------------------------------------------------------
R2#show ip ospf virtual-links
Virtual Link OSPF_VL0 to router 1.1.1.1 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 1, via interface FastEthernet0/0, Cost of using 10
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:07
    Adjacency State FULL (Hello suppressed)
    Index 1/3, retransmission queue length 0, number of retransmission 1
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 1, maximum is 1
    Last retransmission scan time is 0 msec, maximum is 0 msec
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
LAB 30: OSPF authentication
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Plaintext authentication on routers R1 and R2 --- F0/0 interface (Area 1)
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip ospf authentication
R1(config-if)#ip ospf authentication-key mypass
---------------------------------------------------------
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip ospf authentication
R2(config-if)#ip ospf authentication-key mypass
============
Verification
===========
R1#show ip ospf interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
  Internet Address 192.168.12.1/24, Area 1
  Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State BDR, Priority 1
  Designated Router (ID) 2.2.2.2, Interface address 192.168.12.2
  Backup Designated router (ID) 1.1.1.1, Interface address 192.168.12.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:02
  Cisco NSF helper support enabled
  Index 1/5, flood queue length 0
  Last flood scan length is 3, maximum is 3
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 2.2.2.2 (Designated Router)
  Suppress hello for 0 neighbor(s)
  Simple password authentication enabled
R1#

MD5 authentication on routers R2 and R3 --- F0/1 interface (Area 2)
R2(config-if)#ip ospf message-digest-key 1 md5 mypass1
R2(config-if)#ip ospf authentication message-digest
-------------------------------------------------------
R3(config-if)#ip ospf message-digest-key 1 md5 mypass1
R3(config-if)#ip ospf authentication message-digest
=====================================================================
Verification
===========
R2#show ip ospf interface f0/1
FastEthernet0/1 is up, line protocol is up
  Internet Address 192.168.23.2/24, Area 2
  Process ID 1, Router ID 2.2.2.2, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State BDR, Priority 1
  Designated Router (ID) 192.168.23.3, Interface address 192.168.23.3
  Backup Designated router (ID) 2.2.2.2, Interface address 192.168.23.2
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:05
  Last flood scan length is 1, maximum is 4
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 192.168.23.3 (Designated Router)
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 1

LAB 31: OSPF Summarization
OSPF does not support auto summarization, only manual. OSPF route summarization can be of two types:
1. Internal route summarization;
2. External route summarization.
I'm going to show you an example of inter-area route summarization on router R1.
First we will check the routing table of R3.
R1(config)#router ospf 1
R1(config-router)#area 0 range 172.16.0.0 255.255.252.0
R1(config-router)#end
-------------------------------------------------
R1#clear ip ospf process
R2#clear ip ospf process
R3#clear ip ospf process
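The wildcard-mask rules from LAB 28 and the /22 summary used in LAB 27 (ip summary-address eigrp) and in LAB 31 above (area 0 range), worked through in Python. This is an added example, not code from the lab guide: it converts a netmask to a wildcard by the block-size rule, tests whether an address is covered by a network statement, and derives the smallest summary covering a list of prefixes, also reporting any address space the summary would advertise that none of the inputs actually contains (the check a practitioner wants before committing a range or summary-address).

```python
"""Wildcard masks and route summaries (added example, not from the lab guide)."""
import ipaddress


def wildcard_from_prefixlen(prefixlen: int) -> str:
    """Wildcard for /prefixlen: host bits are 1 ('don't care'), network bits are 0."""
    if not 0 <= prefixlen <= 32:
        raise ValueError("prefix length must be 0..32")
    return str(ipaddress.IPv4Address((1 << (32 - prefixlen)) - 1))


def wildcard_from_netmask(netmask: str) -> str:
    """The lab's rule, octet by octet: 255 -> 0, 0 -> 255, otherwise (256 - octet) - 1."""
    ipaddress.IPv4Network(("0.0.0.0", netmask))   # raises ValueError on a non-contiguous mask
    octets = []
    for octet in map(int, netmask.split(".")):
        block_size = 256 - octet                   # e.g. 248 -> block size 8
        octets.append(block_size - 1)              # -> wildcard octet 7
    return ".".join(str(o) for o in octets)


def matches(address: str, network: str, wildcard: str) -> bool:
    """True if 'address' is covered by 'network wildcard' (network-statement / ACL semantics)."""
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF   # wildcard 0 bits must match
    return (a & care) == (n & care)


def summarize(prefixes):
    """Smallest single prefix covering all inputs, plus the gaps it also covers.

    Returns (summary, netmask, gaps). 'gaps' lists the subnets (at the longest
    input prefix length) that the summary advertises although no input contains
    them: traffic for them is drawn to the summarizing router, so confirm the
    list is empty or intentional before configuring it.
    """
    nets = [ipaddress.IPv4Network(p) for p in prefixes]
    if not nets:
        raise ValueError("no prefixes given")
    plen = nets[0].prefixlen
    while True:
        candidate = ipaddress.IPv4Network((nets[0].network_address, plen), strict=False)
        if plen == 0 or all(n.subnet_of(candidate) for n in nets):
            break
        plen -= 1
    longest = max(n.prefixlen for n in nets)
    if longest - candidate.prefixlen > 16:
        raise ValueError("summary %s is too coarse to enumerate its gaps" % candidate)
    gaps = [str(s) for s in candidate.subnets(new_prefix=longest)
            if not any(s.subnet_of(n) or n.subnet_of(s) for n in nets)]
    return str(candidate), str(candidate.netmask), gaps


if __name__ == "__main__":
    print(wildcard_from_netmask("255.255.255.248"))        # 0.0.0.7
    loopbacks = ["172.16.0.0/24", "172.16.1.0/24", "172.16.2.0/24", "172.16.3.0/24"]
    print(summarize(loopbacks))                             # ('172.16.0.0/22', '255.255.252.0', [])
    print(summarize(["172.16.0.0/24", "172.16.2.0/24"]))   # same /22, but with two gaps
```

With all four loopback /24s present the summary is exactly 172.16.0.0/22 (255.255.252.0), the value both labs configure; drop two of them and the same /22 would still be advertised, and the gaps list shows which address space it now claims without owning.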
LAB 32 : PPP Configuration
Designing a wide area network (WAN) is one of the most challenging issues. We must choose the correct connection type. Most carriers offer three connection types:
1. Circuit-switched connections
2. Packet-switched or cell-switched connections
3. Dedicated connections

Circuit-switched connections: Asynchronous dial-in (PSTN) and ISDN services; the telephone companies use circuit switching.

Packet-switched or cell-switched connections: Examples of packet-switched and cell-switched networks include Frame Relay (packet-switched), X.25 (packet-switched), and Asynchronous Transfer Mode or ATM (cell-switched).

Leased Line (Dedicated connection): A permanent communication path exists between a Customer Premise Equipment (CPE) on one site and a CPE at the remote site, communicating through Data Communicating Equipment (DCE) within the provider's site. Synchronous serial lines are used for this connection and the most frequent protocols observed on these lines are HDLC (High-Level Data Link Control) and PPP (Point-to-Point Protocol). When cost is not an issue, you should use this type of connection.
HDLC
- HDLC stands for High-Level Data Link Control protocol.
- HDLC is a Layer 2 protocol.
- HDLC would be the protocol with the least amount of configuration required to connect these two locations. HDLC would be running over the WAN, between the two locations.
- HDLC performs error correction, just like Ethernet.
- HDLC is actually proprietary because a protocol type field was added to it.
- HDLC is actually the default protocol on all Cisco serial interfaces.

PPP
PPP or Point-to-Point Protocol is a type of Layer 2 protocol (data-link layer) used mainly for WANs. PPP features two methods of authentication:
- PAP (Password Authentication Protocol) and
- CHAP (Challenge Handshake Authentication Protocol)
- PAP sends the password in clear text and CHAP sends the encrypted password
- PPP encapsulation is possible only over a serial link.
- PPP encapsulates Layer 3 data over point-to-point links.
- PPP uses a Network Control Protocol (NCP) component to encapsulate multiple protocols and uses Link Control Protocol (LCP) to set up and negotiate control options on the data link.
- PPP supports multivendor devices.
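The PAP-versus-CHAP difference above, played out between the two routers of this lab (hostnames Ashish and buet, each holding a username entry for the other's hostname with password cisco, exactly as configured in the following pages). This is an added example, not code from the lab guide or from IOS: it models the RFC 1994 three-way handshake (Challenge, Response = MD5(id || secret || challenge), Success/Failure) with random challenge values and constructed packets as Python dicts, and shows both directions being authenticated as they are when both serial interfaces carry ppp authentication chap.

```python
"""PPP CHAP handshake between the lab's two routers, modelled in Python.

Added example, not from the lab guide or IOS. Follows RFC 1994: the
authenticator sends Challenge(id, random value, its name); the peer answers
Response(id, MD5(id || secret || value), its name); the authenticator looks
the name up in its 'username <name> password <secret>' table and replies
Success or Failure. Packets are dicts; challenge values come from os.urandom.
"""
import hashlib
import hmac
import os

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4


def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response Value = MD5(Identifier || Secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Router:
    """A router with a hostname and its 'username ... password ...' entries.

    As in the lab, Ashish holds 'username buet password cisco' and buet holds
    'username Ashish password cisco': each side stores the peer's hostname.
    """

    def __init__(self, hostname: str, usernames: dict):
        self.hostname = hostname
        self.usernames = usernames      # peer hostname -> secret (bytes)
        self._next_id = 0
        self._pending = None            # (id, challenge value) of the outstanding challenge

    # authenticator side
    def challenge(self) -> dict:
        self._next_id = (self._next_id + 1) & 0xFF
        self._pending = (self._next_id, os.urandom(16))
        return {"code": CHALLENGE, "id": self._pending[0],
                "value": self._pending[1], "name": self.hostname}

    def check(self, response: dict) -> dict:
        """Verify a Response against the username table; the secret never crosses the link."""
        if (self._pending is None or response["code"] != RESPONSE
                or response["id"] != self._pending[0]):
            return self._reply(FAILURE, response["id"], "unexpected response")
        ident, value = self._pending
        self._pending = None                              # one answer per challenge
        secret = self.usernames.get(response["name"])     # lookup by the peer's hostname
        if secret is None:
            return self._reply(FAILURE, ident, "unknown peer name")
        expected = chap_response_value(ident, secret, value)
        if not hmac.compare_digest(expected, response["value"]):
            return self._reply(FAILURE, ident, "authentication failed")
        return self._reply(SUCCESS, ident, "welcome")

    def _reply(self, code: int, ident: int, message: str) -> dict:
        return {"code": code, "id": ident, "message": message}

    # peer side
    def respond(self, challenge: dict) -> dict:
        """Use the secret configured for the challenger's hostname; send only the hash."""
        secret = self.usernames[challenge["name"]]
        return {"code": RESPONSE, "id": challenge["id"],
                "value": chap_response_value(challenge["id"], secret, challenge["value"]),
                "name": self.hostname}


def run_chap(authenticator: Router, peer: Router) -> dict:
    """One direction of CHAP: authenticator challenges, peer responds, authenticator decides."""
    return authenticator.check(peer.respond(authenticator.challenge()))


def pap_request(hostname: str, password: bytes) -> dict:
    """PAP Authenticate-Request, for comparison: the password itself is in the packet."""
    return {"code": 1, "peer_id": hostname, "password": password}


def demo() -> dict:
    """Both directions of the lab plus the failure cases a receiver must reject."""
    ashish = Router("Ashish", {"buet": b"cisco"})
    buet = Router("buet", {"Ashish": b"cisco"})
    not_in_table = Router("other", {"buet": b"cisco"})    # no 'username other' on buet
    mistyped = Router("Ashish", {"buet": b"cisco1"})      # password mismatch
    return {
        "buet_authenticates_ashish": run_chap(buet, ashish)["code"],
        "ashish_authenticates_buet": run_chap(ashish, buet)["code"],
        "unknown_name": run_chap(buet, not_in_table)["message"],
        "wrong_password": run_chap(buet, mistyped)["message"],
        "chap_response_carries_password": b"cisco" in ashish.respond(buet.challenge())["value"],
        "pap_request_carries_password": pap_request("Ashish", b"cisco")["password"] == b"cisco",
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```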
Configuration on Ashish Router

Basic Configuration
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface serial 0/1/0
Router(config-if)#ip address 103.13.148.1 255.255.255.248
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#hostname Ashish
Ashish(config)#interface fastEthernet 0/0
Ashish(config-if)#ip address 192.168.10.1 255.255.255.0
Ashish(config-if)#no shutdown

PPP Configuration
Ashish(config)#username buet privilege 15 password cisco
Ashish(config)#interface serial 0/1/0
Ashish(config-if)#encapsulation ppp
Ashish(config-if)#ppp authentication chap
Ashish(config-if)#exit
For PPP configuration we must configure the hostname and username. In this router the username will be the hostname of the peer router, i.e. buet.

Configure Static Route
Ashish(config)#ip route 192.168.20.0 255.255.255.0 103.13.148.2
Ashish(config)#

BUET Router
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname buet
buet(config)#interface serial 0/1/0
buet(config-if)#ip address 103.13.148.2 255.255.255.248
buet(config-if)#no shutdown
buet(config)#interface fastEthernet 0/0
buet(config-if)#ip address 192.168.20.1 255.255.255.0
buet(config-if)#no shutdown
buet(config)#username Ashish privilege 15 password cisco
buet(config)#interface serial 0/1/0
buet(config-if)#encapsulation ppp
buet(config-if)#ppp authentication chap
buet(config-if)#end
buet#
In this router the username will be the hostname of the peer router, i.e. Ashish.
buet(config)#ip route 192.168.10.0 255.255.255.0 103.13.148.1

Verification:
Ashish#show interfaces serial 0/1/0
Serial0/1/0 is up, line protocol is up (connected)
  Hardware is HD64570
  Internet address is 103.13.148.1/29
  MTU 1500 bytes, BW 128 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set, keepalive set (10 sec)
  LCP Open
  Open: IPCP, CDPCP
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0 (size/max/drops); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations 0/0/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 96 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     8 packets input, 1024 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     9 packets output, 1152 bytes, 0 underruns
C:>ping 192.168.20.2
Reply from 192.168.20.2: bytes=32 time=1ms TTL=126
Reply from 192.168.20.2: bytes=32 time=1ms TTL=126
Reply from 192.168.20.2: bytes=32 time=1ms TTL=126
Reply from 192.168.20.2: bytes=32 time=1ms TTL=126

The clock rate will set the speed. It doesn't matter much what clock speed we use. We can use a command to verify that the DTE router has received the clock rate:
Ashish#show controllers serial 0/1/0
Interface Serial0/1/0
Hardware is PowerQUICC MPC860
DTE V.35 TX and RX clocks detected
idb at 0x81081AC4, driver data structure at 0x81084AC0
In the example above Ashish is the DTE side and it has received a clock rate. show controllers is a useful command when you don't have physical access to your hardware, so you don't know which side of the cable is DTE or DCE.

LAB 33: BGP Basic Configuration
BGP is an exterior gateway protocol; it is used between different networks. It is the protocol used between Internet service providers (ISPs) and can also be used between an enterprise and an ISP. BGP was built for reliability, scalability, and control, not speed. BGP stands for Border Gateway Protocol. Routers running BGP are termed BGP speakers.
- BGP uses the concept of autonomous systems (AS). An autonomous system is a group of networks under a common administration. The Internet Assigned Numbers Authority (IANA) assigns AS numbers: 1 to 64511 are public AS numbers and 64512 to 65535 are private AS numbers.
- Autonomous systems run Interior Gateway Protocols (IGPs) within the system. They run an Exterior Gateway Protocol (EGP) between them. BGP version 4 is the only EGP currently in use.
- Routing between autonomous systems is called interdomain routing.
- The administrative distance for EBGP routes is 20. The administrative distance for IBGP routes is 200.
- BGP neighbors are called peers and must be statically configured.
- BGP uses TCP port 179. BGP peers exchange incremental, triggered route updates and periodic keepalives.
- Routers can run only one instance of BGP at a time.
- BGP is a path-vector protocol.

BGP neighbors can be of two types:
- IBGP neighbors: when two neighbors are in the same AS;
- EBGP neighbors: when two neighbors belong to different ASes.
    CCNA Routing &Switching v3 LAB Guide 119 Ashish Halder (CCNA RnS, CCNP RnS, CCNA Sec, CCNP Sec, CCIE Sec-written), All rights are reserved Basic Configuration ISP1 Router#conf t Router(config)#hostname ISP1 ISP1(config)#interface fastEthernet 0/0 ISP1(config-if)#ip address 192.168.10.1 255.255.255.0 ISP1(config-if)#no shutdown ISP1(config-if)#exit ISP1(config)#interface fastEthernet 0/1 ISP1(config-if)#ip address 10.10.10.1 255.255.255.0 ISP1(config-if)#no shutdown ISP1(config-if)#exit ISP2 Router(config)#hostname ISP2 ISP2(config)#interface fastEthernet 0/0 ISP2(config-if)#ip address 192.168.10.2 255.255.255.0 ISP2(config-if)#no shutdown ISP2(config-if)#exit ISP2(config)#interface fastEthernet 0/1 ISP2(config-if)#ip address 11.11.11.1 255.255.255.0 ISP2(config-if)#no shutdown BGP Configuration ISP1(config)#router bgp 100 *100 is the AS Number of ISP1* ISP1(config-router)#neighbor 192.168.10.2 remote-as 200 * Declare neighbor, 200 is the AS of ISP2, 192.168.10.2 is the IP Address of ISP2's F0/0 Interface* ISP1(config-router)#network 10.10.10.0 mask 255.255.255.0 * advertise network* ISP1(config-router)#exit ISP2(config)#router bgp 200 ISP2(config-router)#neighbor 192.168.10.1 remote-as 100 ISP2(config-router)#%BGP-5-ADJCHANGE: neighbor 192.168.10.1 Up ISP2(config-router)#network 11.11.11.0 mask 255.255.255.0 ISP2(config-router)#
Verification
The show ip bgp summary command shows whether the neighborship is formed.
We can see the BGP routes with the show ip bgp command.

LAB 34: BGP PEERING WITH LOOPBACK ADDRESS

To establish an eBGP/iBGP connection when a loopback is used as the peering address, the following command is needed:
neighbor <peer's ip address> update-source loopback<id>
By default BGP uses the IP of the outgoing interface as the source address of the TCP connection. If update-source is not used, the BGP adjacency will never form and will always be stuck in the Active state.
Another point: if we want to establish connections to peers that are not directly connected, use the following command:
neighbor <peer's ip address> ebgp-multihop <value>
The "value" indicates the number of hops. The range of "value" is 1 to 255.
R1: Configure IP Address to All Interfaces
R1#conf t
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 103.13.148.5 255.255.255.252
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface loopback 0
R1(config-if)#ip address 10.10.10.10 255.255.255.255
R1(config-if)#exit

R2: Configure IP Address to All Interfaces
R2#conf t
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 103.13.148.6 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface loopback 0
R2(config-if)#ip address 11.11.11.11 255.255.255.255
R2(config-if)#exit

BGP Configuration on R1 and R2
R1(config)#router bgp 100
R1(config-router)#neighbor 11.11.11.11 remote-as 200
R1(config-router)#neighbor 11.11.11.11 update-source loopback 0
R1(config-router)#neighbor 11.11.11.11 ebgp-multihop 2
R1(config-router)#exit

R2(config)#router bgp 200
R2(config-router)#neighbor 10.10.10.10 remote-as 100
R2(config-router)#neighbor 10.10.10.10 update-source loopback 0
R2(config-router)#neighbor 10.10.10.10 ebgp-multihop 2
R2(config-router)#exit

Now we will check whether the BGP neighborship is established or not!
R1#show ip bgp summary
Not established; the BGP session is still in the Active state.
Let us check with the ping command whether the loopback IP of router R2 is reachable.
Ping is also not successful. Check the routing table.
The 11.11.11.11 route is not in the routing table. Let us create a static route on both routers.
R1(config)#ip route 11.11.11.11 255.255.255.255 103.13.148.6
R2(config)#ip route 10.10.10.10 255.255.255.255 103.13.148.5
Now check the BGP status.............. Established.. Right??

N.B. The ebgp-multihop command is required only for eBGP peers; if both routers are in the same AS (iBGP) the command is not required!

LAB 35: BGP REDUNDANCY WITH LOAD SHARING

BGP load sharing is commonly done using loopback peering between two BGP routers.
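The three conditions Lab 34 just walked through for loopback peering (a route to the peer's loopback, update-source so that the TCP source address matches the peer's neighbor statement, and ebgp-multihop because the loopback is two hops away) can be checked in a small model before touching a router. The following Python is an added example written for this guide; it is not IOS code and not taken from the book. Router, Neighbor, open_problems() and session_state() are this example's own constructs, the addresses and AS numbers are the Lab 34 values, and the model also covers the iBGP case the N.B. mentions, where IOS does not apply the TTL-1 limit. Lab 35, which follows, peers loopbacks the same way but lets OSPF supply the reachability instead of static routes.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Neighbor:
    """One 'neighbor <addr> ...' statement (example construct, not IOS)."""
    remote_as: int
    update_source: Optional[str] = None  # interface name; None = outgoing interface
    ebgp_multihop: int = 1               # eBGP sends TTL 1 unless ebgp-multihop is set


@dataclass
class Router:
    name: str
    asn: int
    interfaces: Dict[str, str]                                   # name -> "address/prefixlen"
    static_routes: Dict[str, str] = field(default_factory=dict)  # "prefix/len" -> next hop
    neighbors: Dict[str, Neighbor] = field(default_factory=dict)  # peer address -> Neighbor

    def connected_if(self, addr: str) -> Optional[Tuple[str, str]]:
        """(interface, own address) of the connected subnet containing addr, else None."""
        for name, cidr in self.interfaces.items():
            if ip_address(addr) in ip_network(cidr, strict=False):
                return name, cidr.split("/")[0]
        return None

    def route_to(self, dst: str) -> Optional[Tuple[int, str]]:
        """(hop count, egress address): 1 hop if dst is on a connected subnet,
        2 hops if a static route points at a connected next hop, else None."""
        hit = self.connected_if(dst)
        if hit:
            return 1, hit[1]
        for prefix, next_hop in self.static_routes.items():
            if ip_address(dst) in ip_network(prefix):
                via = self.connected_if(next_hop)
                if via:
                    return 2, via[1]
        return None


def open_problems(a: Router, b: Router) -> List[str]:
    """Reasons a's TCP/179 open towards b would fail (empty list = it would succeed)."""
    b_addrs = {c.split("/")[0] for c in b.interfaces.values()}
    peer = next((p for p in a.neighbors if p in b_addrs), None)
    if peer is None:
        return [f"{a.name}: no neighbor statement for any address of {b.name}"]
    nb = a.neighbors[peer]
    route = a.route_to(peer)
    if route is None:
        return [f"{a.name}: no route to peer {peer}"]
    hops, egress = route
    problems = []
    if a.asn != b.asn and hops > nb.ebgp_multihop:   # TTL check applies to eBGP only
        problems.append(f"{a.name}: {peer} is {hops} hops away but ebgp-multihop is "
                        f"{nb.ebgp_multihop} (TTL expires)")
    source = a.interfaces[nb.update_source].split("/")[0] if nb.update_source else egress
    if source not in b.neighbors:                     # peer only accepts configured sources
        problems.append(f"{b.name}: no neighbor statement for source {source}, TCP open refused")
    elif b.neighbors[source].remote_as != a.asn:
        problems.append(f"{b.name}: neighbor {source} expects AS "
                        f"{b.neighbors[source].remote_as}, got {a.asn}")
    return problems


def session_state(a: Router, b: Router) -> Tuple[str, List[str]]:
    """'Established' when both directions are clean, otherwise 'Active' plus the reasons."""
    problems = open_problems(a, b) + open_problems(b, a)
    return ("Established" if not problems else "Active"), problems


def lab34(static_routes=True, update_source=True, multihop=2):
    """Lab 34 topology with the knobs the lab toggles (addresses are the lab's own)."""
    r1 = Router("R1", 100, {"fastEthernet 0/0": "103.13.148.5/30", "loopback 0": "10.10.10.10/32"})
    r2 = Router("R2", 200, {"fastEthernet 0/0": "103.13.148.6/30", "loopback 0": "11.11.11.11/32"})
    src = "loopback 0" if update_source else None
    r1.neighbors["11.11.11.11"] = Neighbor(200, src, multihop)
    r2.neighbors["10.10.10.10"] = Neighbor(100, src, multihop)
    if static_routes:
        r1.static_routes["11.11.11.11/32"] = "103.13.148.6"
        r2.static_routes["10.10.10.10/32"] = "103.13.148.5"
    return session_state(r1, r2)


if __name__ == "__main__":
    for kwargs in ({}, {"static_routes": False}, {"update_source": False}, {"multihop": 1}):
        state, why = lab34(**kwargs)
        print(kwargs or "lab as finished", "->", state, *why)
```

Running it reproduces the lab's symptoms: without the static routes the session stays Active because neither router has a route to the other's loopback, without update-source the TCP open arrives from 103.13.148.5 and R2 has no neighbor statement for it, and with the default ebgp-multihop of 1 the two-hop peer is out of TTL range.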
R1 Router: Configure IP Address to each Interface
Venus(config)#interface fastEthernet 0/1
Venus(config-if)#ip address 192.168.10.1 255.255.255.0
Venus(config-if)#no shutdown
Venus(config-if)#exit
Venus(config)#interface fastEthernet 0/0
Venus(config-if)#ip address 192.168.20.1 255.255.255.0
Venus(config-if)#no shutdown
Venus(config-if)#exit
Venus(config)#interface loopback 0
Venus(config-if)#ip address 5.5.5.5 255.255.255.0
Venus(config-if)#exit
Venus(config)#interface fastEthernet 1/0
Venus(config-if)#ip address 172.16.10.1 255.255.255.0
Venus(config-if)#no shutdown
Venus(config-if)#exit

R2 Router: Configure IP Address to each Interface
Gvtl(config)#interface fastEthernet 0/1
Gvtl(config-if)#ip address 192.168.10.2 255.255.255.0
Gvtl(config-if)#no shutdown
Gvtl(config-if)#exit
Gvtl(config)#interface fastEthernet 0/0
Gvtl(config-if)#ip address 192.168.20.2 255.255.255.0
Gvtl(config-if)#no shutdown
Gvtl(config-if)#exit
Gvtl(config)#interface loopback 0
Gvtl(config-if)#ip address 6.6.6.6 255.255.255.0
Gvtl(config-if)#exit
Gvtl(config)#interface fastEthernet 1/0
Gvtl(config-if)#ip address 172.16.20.1 255.255.255.0
Gvtl(config-if)#no shutdown
Gvtl(config-if)#exit
Configure OSPF as the IGP on both routers so that the loopbacks are reachable
Venus(config)#router ospf 1
Venus(config-router)#network 192.168.10.0 0.0.0.255 area 0
Venus(config-router)#network 192.168.20.0 0.0.0.255 area 0
Venus(config-router)#network 172.16.10.0 0.0.0.255 area 0
Venus(config-router)#network 5.5.5.0 0.0.0.255 area 0
Venus(config-router)#exit

Gvtl(config)#router ospf 1
Gvtl(config-router)#network 192.168.10.0 0.0.0.255 area 0
Gvtl(config-router)#network 192.168.20.0 0.0.0.255 area 0
Gvtl(config-router)#network 6.6.6.0 0.0.0.255 area 0
Gvtl(config-router)#network 172.16.20.0 0.0.0.255 area 0
Gvtl(config-router)#exit
Gvtl(config)#

OSPF Neighborship Verification
#show ip ospf neighbor

Assign IP addresses to the hosts and ping their default gateway.
Also ping from PC2 to PC1.

BGP Configuration on Venus and Gvtl Router (BGP Peering with loopback Address)
Venus(config)#router bgp 100
Venus(config-router)#neighbor 6.6.6.6 remote-as 200
Venus(config-router)#neighbor 6.6.6.6 update-source loopback 0
Venus(config-router)#neighbor 6.6.6.6 ebgp-multihop 2
Venus(config-router)#neighbor 6.6.6.6 soft-reconfiguration inbound
Venus(config-router)#maximum-paths 2
Venus(config-router)#no auto-summary
Venus(config-router)#exit

Gvtl(config)#router bgp 200
Gvtl(config-router)#neighbor 5.5.5.5 remote-as 100
Gvtl(config-router)#neighbor 5.5.5.5 ebgp-multihop 2
Gvtl(config-router)#neighbor 5.5.5.5 update-source loopback 0
Gvtl(config-router)#neighbor 5.5.5.5 soft-reconfiguration inbound
Gvtl(config-router)#maximum-paths 2
Gvtl(config-router)#no auto-summary
Gvtl(config-router)#exit

Note: soft-reconfiguration inbound allows the router to receive and store the updates from a neighbor in its memory regardless of any policy applied in the inbound direction. There is no need to clear the BGP session if soft-reconfiguration is enabled; one of its purposes is to let us change the policy without tearing the session down.

BGP peering with the loopback address adds an extra benefit. A loopback is never down, so when we form the neighborship with the loopback IP the BGP session stays up if one of the physical links goes down.

Verification of BGP
Venus#show ip bgp summary
We see that the BGP state is up (a number in the State/PfxRcd column means the session is established).
Here we can see that the first time the 192.168.20.2 path is used and the second time 192.168.10.2 is used. This proves that the load is shared!!!

Now we will verify whether the other link stays active when one link is down!
Let us shut down the F0/0 interface of router Venus and at the same time run a continuous ping from PC1 to PC2.
Venus(config)#interface fastEthernet 0/0
Venus(config-if)#shutdown
Some packets will be dropped while the traffic shifts to the other link, as the F0/0 interface (the address in the 192.168.20.0/24 network) is used as the primary link. Look at the following traceroute result..........
But if we shut down the F0/1 link no packets will be dropped, as it is used here as the secondary link.
LAB 36: BGP Single Homed Design

R1 is in our enterprise core and has OSPF as its IGP.
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface fastEthernet 0/1
R1(config-if)#ip address 192.168.10.2 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#router ospf 1
R1(config-router)#network 192.168.10.0 0.0.0.255 area 0

R2 is in our enterprise edge and has OSPF as its IGP and BGP as its EGP.
R2(config)#interface fastEthernet 0/1
R2(config-if)#ip address 192.168.10.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 192.168.20.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#router ospf 1
R2(config-router)#network 192.168.10.0 0.0.0.255 area 0
R2(config-router)#exit
R2(config)#router ospf 1
R2(config-router)#default-information originate
R2(config-router)#exit
R2(config)#router bgp 100
R2(config-router)#neighbor 192.168.20.2 remote-as 200
R2(config-router)#network 1.1.1.0 mask 255.255.255.0
R2(config-router)#exit
R2(config)#ip route 1.1.1.0 255.255.255.0 null 0

R3 is the service provider edge. R3 has a couple of static routes to advertise into BGP and is advertising a default route that is then propagated throughout the enterprise core to R1.
R3(config)#interface fastEthernet 0/0
R3(config-if)#ip address 192.168.20.2 255.255.255.0
R3(config-if)#no shutdown
R3(config)#ip route 0.0.0.0 0.0.0.0 null 0
R3(config)#ip route 2.2.2.0 255.255.255.0 null 0
R3(config)#router bgp 200
R3(config-router)#neighbor 192.168.20.1 remote-as 100
R3(config-router)#network 2.2.2.0 mask 255.255.255.0
R3(config-router)#neighbor 192.168.20.1 default-originate
R3(config-router)#exit

Verification
R3#show ip bgp summary
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.20.1    4   100      23      24        3    0    0 00:19:33        1

R2#show ip route
..................<output omitted>...................
     1.0.0.0/24 is subnetted, 1 subnets
S       1.1.1.0 is directly connected, Null0
     2.0.0.0/24 is subnetted, 1 subnets
B       2.2.2.0 [20/0] via 192.168.20.2, 00:17:59        ** BGP learned route **
C    192.168.10.0/24 is directly connected, FastEthernet0/1
C    192.168.20.0/24 is directly connected, FastEthernet0/0
B*   0.0.0.0/0 [20/0] via 192.168.20.2, 00:20:18        ** default route from BGP because of the default-originate command on R3 **

R2#show ip bgp
-------------------<output omitted>.........................
   Network          Next Hop            Metric LocPrf Weight Path
*> 0.0.0.0          192.168.20.2             0             0 200 i
*> 1.1.1.0/24       0.0.0.0                  0         32768 i
*> 2.2.2.0/24       192.168.20.2             0             0 200 i

R1#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.20.1      1   FULL/BDR        00:00:31    192.168.10.1    FastEthernet0/1

R1#show ip route
------------------<outputs are omitted>--------------
Gateway of last resort is 192.168.10.1 to network 0.0.0.0
C    192.168.10.0/24 is directly connected, FastEthernet0/1
O*E2 0.0.0.0/0 [110/1] via 192.168.10.1, 00:06:16, FastEthernet0/1

Here we can see that R2 is single-homed via BGP to R3, advertising a /24 (1.1.1.0/24), and R2 is advertising a default route to the enterprise core (R1).

Explanation
default-information originate (OSPF): the router redistributes into OSPF a default route it got from another router.
neighbor x.x.x.x default-originate (BGP): if you want to advertise a default route to a specific peer, this is the method for that requirement.
- Add 'neighbor x.x.x.x default-originate' under router bgp <ASN>.
- It does not even check for the existence of a default route in the IP routing table.
- The 'default-information originate' command should not be configured together with the 'neighbor x.x.x.x default-originate' command on the same router.

The Null interface is typically used for preventing routing loops. It also helps against DoS attacks: traffic to unused IP addresses, which may come from denial of service attacks, scanning of IP blocks to find vulnerable hosts, etc., is dropped there instead of being forwarded.

LAB 37: HSRP (Hot Standby Router Protocol) Configuration

HSRP provides layer 3 redundancy in our network through active and standby router assignment, interface tracking, and load balancing. A group of physical routers, acting as a single virtual router, advertise a single IP address and MAC address into our network. By tracking interfaces and managing multiple groups, we can optimize speed as well as add redundancy to our networks. We can use VRRP or GLBP instead, based on our individual network needs. The services that HSRP provides are a great addition to any network.

Characteristics
- HSRP is Cisco proprietary.
- HSRP has 5 states: Initial, Listen, Speak, Standby and Active.
- HSRP allows multiple routers to share a virtual IP and MAC address so that the end-user hosts do not realize when a failure occurs.
- The active (or master) router uses the virtual IP and MAC addresses.
- Standby routers listen for Hellos from the Active router. A hello packet is sent every 3 seconds by default. The hold time (dead interval) is 10 seconds.
- Virtual MAC of 0000.0C07.ACxx, where xx is the hexadecimal number of the HSRP group.
- The group numbers of HSRP version 1 range from 0 to 255. HSRP does support group number 0 (we did check it, and in fact it is the default group number if you don't enter a group number in the configuration), so HSRP version 1 supports up to 256 group numbers. HSRP version 2 supports 4096 group numbers.
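To make the characteristics above concrete, here is an added Python example, written for this guide and not code from the book or from Cisco, that derives the HSRP version 1 virtual MAC from the group number and replays the election that the Lab 37 configuration which follows performs: the highest priority wins, the higher interface IP breaks a tie, and a router that comes back only takes the role again when preempt is configured. HsrpRouter, elect_active() and lab37_timeline() are this example's own names; the addresses, priorities and the group number 10 are the lab's.

```python
from dataclasses import dataclass
from typing import List, Optional


def hsrp_v1_virtual_mac(group: int) -> str:
    """HSRP version 1 virtual MAC: 0000.0C07.ACxx, xx = group number in hex (0-255)."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP version 1 group numbers are 0-255")
    return f"0000.0C07.AC{group:02X}"


@dataclass
class HsrpRouter:
    """One router in an HSRP group (example construct, not IOS)."""
    name: str
    ip: str                  # interface IP, used as the tie-breaker
    priority: int = 100      # IOS default priority
    preempt: bool = False    # IOS default: no preemption
    up: bool = True          # False = interface down, so no hellos for the hold time


def election_key(r: HsrpRouter):
    """Higher priority wins; on a tie the higher interface IP wins."""
    return (r.priority, tuple(int(o) for o in r.ip.split(".")))


def elect_active(group: List[HsrpRouter], current: Optional[str] = None) -> Optional[str]:
    """Name of the Active router after an election.

    `current` is the router that is Active now. It keeps the role unless it is
    down or a better-ranked router that has preempt configured is up."""
    live = [r for r in group if r.up]
    if not live:
        return None
    best = max(live, key=election_key)
    cur = next((r for r in live if r.name == current), None)
    if cur is None:                  # first election, or the Active router went away
        return best.name
    if best is not cur and best.preempt:
        return best.name             # higher-ranked router preempts the current one
    return cur.name


def lab37_timeline(preempt: bool = True) -> List[str]:
    """Replay the lab: venus (110) and Denver (100) share group 10;
    venus's F0/10 goes down and then comes back."""
    venus = HsrpRouter("venus", "192.168.1.1", priority=110, preempt=preempt)
    denver = HsrpRouter("Denver", "192.168.1.2", priority=100, preempt=preempt)
    group = [venus, denver]
    timeline = [elect_active(group)]                    # initial election
    venus.up = False                                    # shutdown F0/10 on venus
    timeline.append(elect_active(group, timeline[-1]))  # Denver stops hearing hellos, goes Active
    venus.up = True                                     # interface back up
    timeline.append(elect_active(group, timeline[-1]))  # preempt decides who is Active now
    return timeline


if __name__ == "__main__":
    print("group 10 virtual MAC:", hsrp_v1_virtual_mac(10))
    print("with preempt   :", lab37_timeline(True))
    print("without preempt:", lab37_timeline(False))
```

With preempt on both switches, as the lab configures it, the timeline is venus, Denver, venus; without preempt Denver keeps the Active role after venus returns, which is the IOS default and is often what you want to avoid a second failover while a flapping link settles.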
Assign IP Address to Venus
Switch#conf t
Switch(config)#hostname venus
venus(config)#int fastEthernet 0/10
venus(config-if)#no switchport
venus(config-if)#ip address 192.168.1.1 255.255.255.0
venus(config-if)#no shutdown
venus(config-if)#exit
venus(config)#int fastEthernet 0/1
venus(config-if)#no switchport
venus(config-if)#ip address 192.168.30.2 255.255.255.0
venus(config-if)#no shutdown
venus(config-if)#

Assign IP Address to Denver
Switch#conf t
Switch(config)#hostname Denver
Denver(config)#int fastEthernet 0/11
Denver(config-if)#no switchport
Denver(config-if)#ip address 192.168.1.2 255.255.255.0
Denver(config-if)#no shutdown
Denver(config-if)#exit
Denver(config)#int fastEthernet 0/1
Denver(config-if)#no switchport
Denver(config-if)#ip address 192.168.40.2 255.255.255.0
Denver(config-if)#no shutdown
Denver(config-if)#end

Assign IP Address to Toronto
=============================
Router>en
Router#conf t
Router(config)#hostname Toronto
Toronto(config)#interface fastEthernet 0/0
Toronto(config-if)#ip address 192.168.30.1 255.255.255.0
Toronto(config-if)#no shutdown
Toronto(config-if)#exit
Toronto(config)#int fastEthernet 0/1
Toronto(config-if)#ip address 192.168.40.1 255.255.255.0
Toronto(config-if)#no shutdown
Toronto(config-if)#exit
Toronto(config)#int loopback 1
Toronto(config-if)#ip address 1.1.1.1 255.255.255.0
Toronto(config-if)#exit

Create static route to 1.1.1.0/24 network from Venus and Denver
=====================================================================
venus(config)#ip route 1.1.1.0 255.255.255.0 192.168.30.1
Denver(config)#ip route 1.1.1.0 255.255.255.0 192.168.40.1

Create static route to 192.168.1.0/24 network from Toronto
================================================================
Toronto(config)#ip route 192.168.1.0 255.255.255.0 192.168.30.2
Toronto(config)#ip route 192.168.1.0 255.255.255.0 192.168.40.2

Apply ip routing command on venus and Denver
=================================================
venus(config)#ip routing
Denver(config)#ip routing

Assign IP addresses to the hosts with default gateway 192.168.1.1 and 192.168.1.2 and ping the 1.1.1.0 network
======================================================================
C:>ping 1.1.1.1
Reply from 1.1.1.1: bytes=32 time=1ms TTL=254
Reply from 1.1.1.1: bytes=32 time<1ms TTL=254
Reply from 1.1.1.1: bytes=32 time=1ms TTL=254
Reply from 1.1.1.1: bytes=32 time<1ms TTL=254

Configure HSRP
venus(config)#int fastEthernet 0/10
venus(config-if)#standby 10 ip 192.168.1.3
venus(config-if)#standby 10 priority 110
venus(config-if)#standby 10 preempt
Denver(config)#int fastEthernet 0/11
Denver(config-if)#standby 10 ip 192.168.1.3
Denver(config-if)#standby 10 priority 100
Denver(config-if)#standby 10 preempt
Denver(config-if)#end

Verify
============
venus#show standby
FastEthernet0/10 - Group 10
  State is Active
    12 state changes, last state change 01:01:47
  Virtual IP address is 192.168.1.3
  Active virtual MAC address is 0000.0C07.AC0A
    Local virtual MAC address is 0000.0C07.AC0A (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.461 secs
  Preemption enabled
  Active router is local
  Standby router is 192.168.1.2
  Priority 110 (configured 110)
  Group name is hsrp-Fa0/10-10 (default)
venus#
-------------------------------------------------------------------
Denver#show standby
FastEthernet0/11 - Group 10
  State is Standby
    3 state changes, last state change 01:17:54
  Virtual IP address is 192.168.1.3
  Active virtual MAC address is 0000.0C07.AC0A
    Local virtual MAC address is 0000.0C07.AC0A (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.757 secs
  Preemption enabled
  Active router is 192.168.1.1
  Standby router is local
  Priority 100 (default 100)
  Group name is hsrp-Fa0/11-10 (default)
Denver#

Now change the default gateway of both PCs to 192.168.1.3 and ping 1.1.1.1.
======================================================================
Successful... now shut down the interface, F0/10 or F0/11, that has the highest priority (110)
======================================================================
and verify with the show standby command... also see that the ping to 1.1.1.1 is still successful.
------------------------------------------------------
Denver#show standby
FastEthernet0/11 - Group 10
  State is Active
    4 state changes, last state change 01:28:33
  Virtual IP address is 192.168.1.3
  Active virtual MAC address is 0000.0C07.AC0A
    Local virtual MAC address is 0000.0C07.AC0A (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.754 secs
  Preemption enabled
  Active router is local
  Standby router is unknown
  Priority 100 (default 100)
  Group name is hsrp-Fa0/11-10 (default)
Denver#
Now the Denver switch is Active.
-----------------------------------------------------------------
C:>ping 1.1.1.1
Reply from 1.1.1.1: bytes=32 time<1ms TTL=254
Reply from 1.1.1.1: bytes=32 time<1ms TTL=254
Reply from 1.1.1.1: bytes=32 time<1ms TTL=254
Reply from 1.1.1.1: bytes=32 time<1ms TTL=254

IP Access Control List (ACL)

Access-lists work at the network (layer 3) and the transport (layer 4) layer and can be used for two different things:
- Filtering traffic
- Identifying traffic
Filtering is used to permit or deny traffic. Identifying means selecting traffic; it is used, for example, when we configure a VPN: the traffic is identified and then passes through the VPN tunnel.

IP ACLs are the most popular, as IP is the most common type of traffic. There are two types of IP ACLs:
- Standard IP ACLs: 1 to 99 and 1300 to 1999
- Extended IP ACLs: 100 to 199 and 2000 to 2699

Standard IP ACLs can only control traffic based on the SOURCE IP address, whereas Extended IP ACLs identify traffic based on source IP, source port, destination IP, and destination port.
We can use ACLs to filter traffic per protocol, per interface, and per direction. We can only have one ACL per protocol (e.g., IP or IPX), one ACL per interface (e.g., FastEthernet0/0), and one ACL per direction (i.e., IN or OUT).

LAB 38: Standard IP access-lists

Standard IP access-lists are based upon the source host or network IP address, and should be placed closest to the destination network.
Router R1 (IP Address and EIGRP Configuration)
R1#conf t
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface fastEthernet 0/1
R1(config-if)#ip address 192.168.20.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#router eigrp 10
R1(config-router)#network 192.168.20.0
R1(config-router)#network 192.168.10.0
R1(config-router)#no auto-summary
R1(config-router)#exit

Router R2 (IP Address and EIGRP Configuration)
R2#conf t
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 192.168.10.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface loopback 0
R2(config-if)#ip address 12.12.12.12 255.255.255.0
R2(config-if)#exit
R2(config)#interface loopback 1
R2(config-if)#ip address 11.11.11.11 255.255.255.0
R2(config-if)#exit
R2(config)#router eigrp 10
R2(config-router)#network 192.168.10.0
R2(config-router)#network 11.11.11.0
R2(config-router)#network 12.12.12.0
R2(config-router)#no auto-summary
R2(config-router)#exit
R2(config)#

OK, now we will create ACL rules so that.........
only PC1, PC2 and PC3 can ping the loopback IPs.
R1(config)#access-list 50 permit host 192.168.20.2
R1(config)#access-list 50 permit host 192.168.20.3
R1(config)#access-list 50 permit host 192.168.20.4
R1(config)#access-list 50 deny any

Apply it on router R2 (closest to the destination)
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip access-group 50 in

Verification
R2#show ip interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
  Internet address is 192.168.10.2/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is 50

Now ping from PC4
PC4> ping 11.11.11.11
*192.168.20.1 icmp_seq=1 ttl=255 time=15.600 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.20.1 icmp_seq=2 ttl=255 time=15.600 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.20.1 icmp_seq=3 ttl=255 time=15.600 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.20.1 icmp_seq=4 ttl=255 time=15.600 ms (ICMP type:3, code:13, Communication administratively prohibited)

And from PC1 / PC2 / PC3
PC1> ping 11.11.11.11
84 bytes from 11.11.11.11 icmp_seq=1 ttl=254 time=46.800 ms
84 bytes from 11.11.11.11 icmp_seq=2 ttl=254 time=46.801 ms
84 bytes from 11.11.11.11 icmp_seq=3 ttl=254 time=46.800 ms
84 bytes from 11.11.11.11 icmp_seq=4 ttl=254 time=46.800 ms

PC2> ping 12.12.12.12
84 bytes from 12.12.12.12 icmp_seq=1 ttl=254 time=31.200 ms
84 bytes from 12.12.12.12 icmp_seq=2 ttl=254 time=31.200 ms
84 bytes from 12.12.12.12 icmp_seq=3 ttl=254 time=31.200 ms
84 bytes from 12.12.12.12 icmp_seq=4 ttl=254 time=31.200 ms

PC3> ping 12.12.12.12
84 bytes from 12.12.12.12 icmp_seq=1 ttl=254 time=31.200 ms
84 bytes from 12.12.12.12 icmp_seq=2 ttl=254 time=31.200 ms
84 bytes from 12.12.12.12 icmp_seq=3 ttl=254 time=31.200 ms
84 bytes from 12.12.12.12 icmp_seq=4 ttl=254 time=31.200 ms

R2#show access-lists
Standard IP access list 50
    10 permit 192.168.10.0, wildcard bits 0.0.0.255 (27 matches)

LAB 39: EXTENDED IP ACCESS-LIST

Extended IP access-lists filter based upon the source IP address, destination IP address, and TCP or UDP port number. Extended access-lists should be placed closest to the source network.
Objective: We will configure an Extended ACL so that PC0 can only use the Telnet service, PC2 can only use the HTTP service and PC1 can only use the Mail service.

IP Configuration
Router(config)#hostname LOCAL
LOCAL(config)#interface fastEthernet 0/1
LOCAL(config-if)#ip address 192.168.10.1 255.255.255.0
LOCAL(config-if)#no shutdown
LOCAL(config-if)#exit
LOCAL(config)#interface fastEthernet 0/0
LOCAL(config-if)#ip address 103.13.148.1 255.255.255.240
LOCAL(config-if)#no shutdown
LOCAL(config-if)#exit

Static Default Route
LOCAL(config)#ip route 0.0.0.0 0.0.0.0 103.13.148.2

Telnet Access
LOCAL(config)#line vty 0 5
LOCAL(config-line)#password cisco
LOCAL(config-line)#login
LOCAL(config-line)#exit
LOCAL(config)#enable secret cisco

IP Configuration
Router(config)#hostname ISP
ISP(config)#interface fastEthernet 0/0
ISP(config-if)#ip address 103.13.148.2 255.255.255.240
ISP(config-if)#no shutdown
ISP(config-if)#exit
ISP(config)#interface fastEthernet 0/1
ISP(config-if)#ip address 100.100.100.1 255.255.255.0
ISP(config-if)#no shutdown
ISP(config-if)#exit
Static Route
ISP(config)#ip route 192.168.10.0 255.255.255.0 103.13.148.1
Switch(config)#ip default-gateway 100.100.100.1

Extended ACL Configuration
ISP(config)#access-list 101 permit tcp host 100.100.100.2 any eq telnet
ISP(config)#access-list 101 permit tcp host 100.100.100.4 any eq www
ISP(config)#access-list 101 permit tcp host 100.100.100.3 any eq smtp

Apply it to the Inside Interface
ISP(config)#interface fastEthernet 0/1
ISP(config-if)#ip access-group 101 in

ISP#show ip interface fastEthernet 0/1
FastEthernet0/1 is up, line protocol is up (connected)
  Internet address is 100.100.100.1/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is 101

ISP#show access-lists 101
Extended IP access list 101
    permit tcp host 100.100.100.2 any eq telnet (37 match(es))
    permit tcp host 100.100.100.4 any eq www (11 match(es))
    permit tcp host 100.100.100.3 any eq smtp (2 match(es))

From PC0, logging in to router LOCAL using telnet is possible.
But from the other PCs it is not possible.
From PC2 we can browse....................
But PC0 or PC1 cannot browse to the HTTP server.
From PC1 we can see that the SMTP service is open, but not from the other PCs...
LAB 40: Named IP Access List

Named ACLs allow standard and extended ACLs to be given names instead of numbers.

Objective: We will configure a Named ACL to ensure that only PC0 can log in through Telnet to router BUET, but PC1 cannot..........

Basic Configuration of Router and Switch:
Router>en
Router#conf t
Router(config)#hostname DU
DU(config)#interface fastEthernet 0/0
DU(config-if)#ip address 192.168.10.1 255.255.255.0
DU(config-if)#no shutdown
DU(config-if)#exit
DU(config)#interface fastEthernet 0/1
DU(config-if)#ip address 172.16.10.1 255.255.255.0
DU(config-if)#no shutdown
DU(config-if)#exit
DU(config)#router eigrp 10
DU(config-router)#network 192.168.10.0
DU(config-router)#network 172.16.10.0
DU(config-router)#no auto-summary
DU(config-router)#exit

Router(config)#hostname BUET
BUET(config)#interface fastEthernet 0/0
BUET(config-if)#ip address 192.168.10.2 255.255.255.0
BUET(config-if)#no shutdown
BUET(config-if)#exit
BUET(config)#router eigrp 10
BUET(config-router)#network 192.168.10.0
BUET(config-router)#no auto-summary
BUET(config-router)#exit
BUET(config)#no ip domain-lookup
BUET(config)#line vty 0 4
BUET(config-line)#password cisco
BUET(config-line)#login
BUET(config-line)#exit
BUET(config)#enable secret cisco
BUET(config)#exit

DEFINE NAMED ACL
DU(config)#ip access-list extended venus
DU(config-ext-nacl)#permit tcp host 172.16.10.2 any eq telnet
DU(config-ext-nacl)#deny tcp host 172.16.10.3 any eq telnet
DU(config-ext-nacl)#permit ip any any
DU(config-ext-nacl)#exit

Apply ACL to Router's Interface
DU(config)#interface fastEthernet 0/0
DU(config-if)#ip access-group venus out
DU(config-if)#end
Switch(config)#ip default-gateway 172.16.10.1

From PC0
C:>ping 192.168.10.2
Reply from 192.168.10.2: bytes=32 time<1ms TTL=254
Reply from 192.168.10.2: bytes=32 time<1ms TTL=254
Reply from 192.168.10.2: bytes=32 time=1ms TTL=254
Reply from 192.168.10.2: bytes=32 time<1ms TTL=254
C:>telnet 192.168.10.2 (Success)
Trying 192.168.10.2 ...Open
User Access Verification
Password:

From PC1
C:>ping 192.168.10.2
Reply from 192.168.10.2: bytes=32 time=2ms TTL=254
Reply from 192.168.10.2: bytes=32 time<1ms TTL=254
Reply from 192.168.10.2: bytes=32 time<1ms TTL=254
Reply from 192.168.10.2: bytes=32 time<1ms TTL=254
C:>telnet 192.168.10.2 (Not Success)
Trying 192.168.10.2 ...
% Connection timed out; remote host not responding
C:>

DU#show ip access-lists
Extended IP access list venus
    10 permit tcp host 172.16.10.2 any eq telnet (4 match(es))
    20 deny tcp host 172.16.10.3 any eq telnet (12 match(es))
    30 permit ip any any (4 match(es))

LAB 41: HOW TO BLOCK ICMP ECHO AND ECHO-REPLY

ICMP is a network layer protocol (ICMP has its own protocol number in the IP header, IP protocol number 1). It does not rely on TCP or UDP. An Echo is simply called a 'ping'; the Echo Reply is the 'ping reply'. ICMP Echoes are used for network troubleshooting.
ICMP traffic is critical network traffic, but it can also cause security issues if used against your network by a malicious attacker.

GW and ISP Router: Interface Configuration
Router#conf t
Router(config)#hostname GW
GW(config)#interface fastEthernet 0/0
GW(config-if)#ip address 103.13.148.1 255.255.255.240
GW(config-if)#no shutdown
GW(config-if)#exit
GW(config)#interface fastEthernet 0/1
GW(config-if)#ip address 172.16.10.1 255.255.255.0
GW(config-if)#no shutdown
GW(config-if)#exit

ISP#conf t
ISP(config)#interface fastEthernet 0/0
ISP(config-if)#ip address 103.13.148.2 255.255.255.240
ISP(config-if)#no shutdown
ISP(config-if)#exit
ISP(config)#interface fastEthernet 0/1
ISP(config-if)#ip address 100.100.100.1 255.255.255.0
ISP(config-if)#no shutdown
  • 148.
ISP(config-if)#exit

Configure a static default route to the Internet on GW and a static route to the local LAN on ISP:

GW(config)#ip route 0.0.0.0 0.0.0.0 103.13.148.2
ISP(config)#ip route 172.16.10.0 255.255.255.0 103.13.148.1

Assign an IP address to the Server PC (the LAN host) and to the outside host PC1, then ping from the outside host to our local LAN server. At this point the ping succeeds, because nothing filters it yet.
We do not want outside hosts to be able to ping our LAN. First block ICMP Echo Replies coming from the inside LAN toward outside hosts:

GW(config)#ip access-list extended inside-in
GW(config-ext-nacl)#deny icmp any any echo-reply
GW(config-ext-nacl)#permit ip any any
GW(config-ext-nacl)#exit

Also block ICMP Echo requests coming from outside toward the inside LAN:

GW(config)#ip access-list extended outside-in
GW(config-ext-nacl)#deny icmp any any echo
GW(config-ext-nacl)#permit ip any any
GW(config-ext-nacl)#exit

Apply the lists inbound on both interfaces:

GW(config)#interface fastEthernet 0/1
GW(config-if)#ip access-group inside-in in
GW(config-if)#exit
GW(config)#interface fastEthernet 0/0
GW(config-if)#ip access-group outside-in in
GW(config-if)#end

Verification

Ping again from the outside host to the inside server 172.16.10.2: the request is now dropped by outside-in as it enters fastEthernet 0/0. Other services, such as the web service on the server, are still reachable, because only ICMP echo and echo-reply are denied and the explicit permit ip any any lets everything else through. Remember the implicit deny at the end of every ACL: without that permit entry all other traffic would be dropped too.

Two things worth checking. Order matters: the deny must come before permit ip any any, or it is never reached. And inside hosts can still ping the Internet: their Echo enters fastEthernet 0/1 (permitted by inside-in) and the reply comes back on fastEthernet 0/0, where outside-in only denies Echo, not Echo Reply. Other ICMP types (destination unreachable, time exceeded, fragmentation needed for path MTU discovery) are deliberately left alone.
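The following Python model of extended-ACL evaluation is an added example, not code from the lab guide. It implements the first-match, implicit-deny semantics described above, loads the three ACLs from LAB 40 and LAB 41 exactly as typed on the page (venus, inside-in, outside-in), and lets you check what happens to a given packet as it enters each GW interface. The Packet and Entry classes, the ingress helper and the test packets are assumptions of this example; the wildcard parser only handles contiguous wildcard masks.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Keywords accepted after "eq", and the ICMP type names used in these labs
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "www": 80}
ICMP_TYPES = {"echo": 8, "echo-reply": 0}


@dataclass
class Packet:
    proto: str                        # "icmp", "tcp" or "udp"
    src: str
    dst: str
    icmp_type: Optional[int] = None   # 8 = echo, 0 = echo-reply
    dport: Optional[int] = None       # TCP/UDP destination port


@dataclass
class Entry:
    seq: int
    text: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    icmp_type: Optional[int] = None
    dport: Optional[int] = None
    matches: int = 0

    def applies(self, pkt: Packet) -> bool:
        """Every qualifier must hold; protocol "ip" matches any protocol."""
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.IPv4Address(pkt.src) not in self.src:
            return False
        if ipaddress.IPv4Address(pkt.dst) not in self.dst:
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        return self.dport is None or pkt.dport == self.dport


def _address(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """One address spec: any | host A.B.C.D | A.B.C.D wildcard (contiguous wildcards only)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    prefix = 32 - bin(wildcard).count("1")
    return ipaddress.IPv4Network((tokens[i], prefix), strict=False), i + 2


def parse_entry(seq: int, line: str) -> Entry:
    """Parse an entry exactly as typed in ip access-list extended mode."""
    t = line.split()
    src, i = _address(t, 2)
    dst, i = _address(t, i)
    entry = Entry(seq, line, t[0], t[1], src, dst)
    rest = t[i:]
    if rest[:1] == ["eq"]:
        entry.dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    elif rest and rest[0] in ICMP_TYPES:
        entry.icmp_type = ICMP_TYPES[rest[0]]
    return entry


class ExtendedAcl:
    def __init__(self, name: str, lines: List[str]):
        self.name = name
        self.entries = [parse_entry(10 * (n + 1), line) for n, line in enumerate(lines)]

    def evaluate(self, pkt: Packet) -> str:
        """Top-down, first match wins; a packet matching nothing hits the implicit deny."""
        for entry in self.entries:
            if entry.applies(pkt):
                entry.matches += 1
                return entry.action
        return "deny"

    def show(self) -> List[str]:
        """Lines in the shape of the `show ip access-lists` output on the page."""
        return [f"{e.seq} {e.text} ({e.matches} match(es))" for e in self.entries]


# The ACL from LAB 40 (venus) and the two from LAB 41, keyed by the GW interface they are applied to inbound
VENUS = ExtendedAcl("venus", [
    "permit tcp host 172.16.10.2 any eq telnet",
    "deny tcp host 172.16.10.3 any eq telnet",
    "permit ip any any",
])
INBOUND = {
    "fa0/1": ExtendedAcl("inside-in", ["deny icmp any any echo-reply", "permit ip any any"]),
    "fa0/0": ExtendedAcl("outside-in", ["deny icmp any any echo", "permit ip any any"]),
}


def ingress(interface: str, pkt: Packet) -> str:
    """Verdict for a packet arriving on a GW interface: "permit" or "deny"."""
    return INBOUND[interface].evaluate(pkt)
```

Feeding the outside host's echo into fa0/0 returns "deny" and bumps entry 10's counter, exactly as the hit counts in show ip access-lists would; an ACL consisting only of a deny line denies everything else too, which is the implicit-deny trap the permit ip any any entry avoids.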
LAB 42: STATIC NAT

Static NAT is a one-to-one mapping between an inside address and an outside address. Because the mapping is permanent, it allows connections initiated by an outside host to reach an inside host, which is why static NAT is normally used for servers inside our network.

Suppose we have a web or mail server with the inside IP address 192.168.10.2 and we want it to be reachable from the Internet, i.e. a remote host should send its request to 103.13.148.10. In that case we create a static NAT mapping between the inside address (192.168.10.2) and the outside address (103.13.148.10).

Security note: a plain static mapping exposes every port of the inside host to the Internet, not only the service you intend to publish, so pair it with an inbound ACL on the outside interface that permits just the published ports.
IP configuration of the router interfaces and hosts

Router>en
Router#conf t
Router(config)#hostname Gateway
Gateway(config)#interface fastEthernet 0/0
Gateway(config-if)#ip address 103.13.148.1 255.255.255.0
Gateway(config-if)#no shutdown
Gateway(config-if)#exit
Gateway(config)#interface fastEthernet 0/1
Gateway(config-if)#ip address 192.168.10.1 255.255.255.0
Gateway(config-if)#no shutdown
Gateway(config-if)#exit

Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname ISP
ISP(config)#interface fastEthernet 0/0
ISP(config-if)#ip address 103.13.148.2 255.255.255.0
ISP(config-if)#no shutdown
ISP(config-if)#exit
ISP(config)#interface fastEthernet 0/1
ISP(config-if)#ip address 10.10.10.1 255.255.255.0
ISP(config-if)#no shutdown
ISP(config-if)#exit
Configure a default route to the Internet on the Gateway router:
Gateway(config)#ip route 0.0.0.0 0.0.0.0 103.13.148.2

Configure a static route to the LAN on ISP:
ISP(config)#ip route 192.168.10.0 255.255.255.0 103.13.148.1

(This static route is a lab convenience. A real ISP knows nothing about 192.168.10.0/24; it only routes the public block toward the Gateway, and the static NAT entry below is what makes 103.13.148.10 answer.)

Specify the default gateway on the switch:
Switch(config)#ip default-gateway 192.168.10.1

Static NAT configuration

Gateway(config)#ip nat inside source static 192.168.10.2 103.13.148.10
Gateway(config)#interface fastEthernet 0/1
Gateway(config-if)#ip nat inside
Gateway(config-if)#exit
Gateway(config)#interface fastEthernet 0/0
Gateway(config-if)#ip nat outside

Verification

Gateway#show ip route
ISP#show ip route
Ping from PC0 to the Server PC. On the Server PC, activate the HTTP service; then from the Internet PC (PC0, behind the ISP router) browse to 103.13.148.10, the public IP assigned in the static mapping.
LAB 43: DYNAMIC NAT (many-to-many)

(We configure dynamic NAT on top of the static NAT lab, so all of the previous configuration stays in place.)

Dynamic NAT is used when we have a pool of public IP addresses. Never use dynamic NAT for servers or other devices that must be reachable from the Internet: an inside host only gets a public address when it initiates traffic, and it may get a different one next time.

Suppose our internal network is 192.168.10.0/24 and we have the pool of public addresses 103.13.148.20 to 103.13.148.30 with netmask 255.255.255.0. The procedure is as follows.

Create an ACL that identifies the LAN traffic to translate:
Gateway(config)#access-list 1 permit 192.168.10.0 0.0.0.255

Create a NAT pool with the public addresses used for translation:
Gateway(config)#ip nat pool venus 103.13.148.20 103.13.148.30 netmask 255.255.255.0

Tie the ACL to the pool:
Gateway(config)#ip nat inside source list 1 pool venus

Mark the inside and outside interfaces:
Gateway(config)#interface fastEthernet 0/1
Gateway(config-if)#ip nat inside
Gateway(config-if)#exit
Gateway(config)#interface fastEthernet 0/0
Gateway(config-if)#ip nat outside

Verification

Ping PC0 from PC1 and PC2, then:

Gateway#show ip nat translations
Pro  Inside global       Inside local        Outside local      Outside global

Dynamic NAT
icmp 103.13.148.20:3    192.168.10.11:3     10.10.10.2:3       10.10.10.2:3
icmp 103.13.148.20:4    192.168.10.11:4     10.10.10.2:4       10.10.10.2:4
icmp 103.13.148.21:5    192.168.10.10:5     10.10.10.2:5       10.10.10.2:5
icmp 103.13.148.21:6    192.168.10.10:6     10.10.10.2:6       10.10.10.2:6
icmp 103.13.148.21:7    192.168.10.10:7     10.10.10.2:7       10.10.10.2:7
Static NAT
---  103.13.148.10       192.168.10.2        ---                ---
tcp  103.13.148.10:80    192.168.10.2:80     10.10.10.2:1025    10.10.10.2:1025
tcp  103.13.148.10:80    192.168.10.2:80     10.10.10.2:1026    10.10.10.2:1026
tcp  103.13.148.10:80    192.168.10.2:80     10.10.10.2:1027    10.10.10.2:1027
tcp  103.13.148.10:80    192.168.10.2:80     10.10.10.2:1028    10.10.10.2:1028
tcp  103.13.148.10:80    192.168.10.2:80     10.10.10.2:1029    10.10.10.2:1029
tcp  103.13.148.10:80    192.168.10.2:80     10.10.10.2:1030    10.10.10.2:1030

An inside host makes a request to an outside host and the router dynamically assigns an available address from the pool to translate the private address. If no public address is free, the router rejects new connections until the NAT mappings are cleared or time out. If you have as many public addresses as inside hosts, you will not run into this problem.

NAT Overload

NAT Overload, also called PAT (Port Address Translation), is probably the most used type of NAT. We can configure NAT overload in two ways, depending on how many public IP addresses we have.

LAB 44: STATIC PAT (overload on the interface address)

Suppose we have only one public IP address, allocated by our ISP to the outside interface. All inside hosts have to share that single address. The configuration is almost the same as for dynamic NAT, but instead of a NAT pool we name the outside interface, and we add the overload keyword.
Router(config)#hostname GW
GW(config)#interface fastEthernet 0/0
GW(config-if)#ip address 103.13.148.1 255.255.255.240
GW(config-if)#no shutdown
GW(config-if)#exit
GW(config)#interface fastEthernet 0/1
GW(config-if)#ip address 192.168.10.1 255.255.255.0
GW(config-if)#no shutdown
GW(config-if)#exit

Router(config)#hostname ISP
ISP(config)#interface fastEthernet 0/0
ISP(config-if)#ip address 103.13.148.2 255.255.255.240
ISP(config-if)#no shutdown
ISP(config-if)#exit
ISP(config)#interface fastEthernet 0/1
ISP(config-if)#ip address 100.100.100.1 255.255.255.0
ISP(config-if)#no shutdown
ISP(config-if)#exit

Static default route to the Internet on the GW router:
GW(config)#ip route 0.0.0.0 0.0.0.0 103.13.148.2

Static route to the LAN on the ISP router:
ISP(config)#ip route 192.168.10.0 255.255.255.0 103.13.148.1

Assign IP addresses to the hosts and verify connectivity (the ISP's static route to 192.168.10.0/24 is what lets the outside host reach the inside hosts before NAT is configured):
C:\>ping 192.168.10.10
Reply from 192.168.10.10: bytes=32 time=1ms TTL=126
Reply from 192.168.10.10: bytes=32 time=10ms TTL=126
Reply from 192.168.10.10: bytes=32 time<1ms TTL=126
Reply from 192.168.10.10: bytes=32 time<1ms TTL=126

C:\>ping 192.168.10.20
Reply from 192.168.10.20: bytes=32 time=11ms TTL=126
Reply from 192.168.10.20: bytes=32 time<1ms TTL=126
Reply from 192.168.10.20: bytes=32 time<1ms TTL=126
Reply from 192.168.10.20: bytes=32 time<1ms TTL=126

Configure NAT overload

GW(config)#access-list 1 permit 192.168.10.0 0.0.0.255
GW(config)#ip nat inside source list 1 interface fastEthernet 0/0 overload
GW(config)#interface fastEthernet 0/0
GW(config-if)#ip nat outside
GW(config-if)#exit
GW(config)#interface fastEthernet 0/1
GW(config-if)#ip nat inside
GW(config-if)#exit

Verification

Ping from PC0 to the OUTSIDE SERVER:

C:\>ping 100.100.100.30
Reply from 100.100.100.30: bytes=32 time=11ms TTL=126
Reply from 100.100.100.30: bytes=32 time<1ms TTL=126
Reply from 100.100.100.30: bytes=32 time<1ms TTL=126
Reply from 100.100.100.30: bytes=32 time=10ms TTL=126

Then browse to the OUTSIDE SERVER.

The router takes the public address for the mappings from whatever address is assigned to the interface named in the ip nat inside source command (fastEthernet 0/0 here), so all inside addresses are translated to the single public address of our router. The overload keyword tells the router to tell the flows apart by port number (or ICMP identifier), which is what allows many inside hosts to share one address.
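Added example, not code from the guide: a small Python model of the NAT table that follows the behaviour described in LABs 42 to 44 and reproduces the rows seen in show ip nat translations. Static entries answer for any port in both directions, a dynamic pool hands out one address per inside host and refuses new hosts once it is empty until clear() is called, and overload shares one address by port. The NatRouter class, its method names and the port-allocation policy are assumptions of this model; it also accepts a pool together with overload, which is the case LAB 45 configures next.

```python
import ipaddress
import itertools
from typing import Dict, List, Optional, Set, Tuple

Translation = Tuple[str, int]          # (inside global address, port or ICMP identifier)


class NatRouter:
    """Toy model of the IOS NAT table: static entries, a dynamic pool, and PAT (overload)."""

    def __init__(self, inside_acl: List[str], pool: Optional[List[str]] = None,
                 interface_ip: Optional[str] = None, overload: bool = False):
        self.inside_acl = [ipaddress.IPv4Network(n) for n in inside_acl]  # access-list 1
        self.pool = list(pool) if pool else [interface_ip]                # pool, or the outside interface
        self.overload = overload
        self.static: Dict[str, str] = {}                 # inside local -> inside global
        self.dynamic: Dict[str, str] = {}                # inside local -> pool address (no overload)
        self.free: List[str] = list(self.pool)           # pool addresses not yet handed out
        self.flows: Dict[Tuple[str, str, int], Translation] = {}   # (proto, local, port) -> global
        self.used_ports: Set[Translation] = set()        # (global ip, port) taken under overload

    def add_static(self, inside_local: str, inside_global: str) -> None:
        """ip nat inside source static <inside local> <inside global>"""
        self.static[inside_local] = inside_global

    def _permitted(self, ip: str) -> bool:
        return any(ipaddress.IPv4Address(ip) in net for net in self.inside_acl)

    def _free_port(self, global_ip: str, wanted: int) -> Optional[int]:
        """Keep the original source port when free, else the next free one (constructed policy)."""
        for port in itertools.chain([wanted], range(wanted + 1, 65536), range(1024, wanted)):
            if (global_ip, port) not in self.used_ports:
                return port
        return None

    def translate_outbound(self, proto: str, inside_local: str, port: int) -> Optional[Translation]:
        """Inside -> outside. Returns the inside-global address and port, the untouched
        (address, port) if the ACL does not match, or None when the pool is exhausted."""
        if inside_local in self.static:
            return self.static[inside_local], port
        if not self._permitted(inside_local):
            return inside_local, port                    # not in the ACL: routed untranslated
        key = (proto, inside_local, port)
        if key in self.flows:
            return self.flows[key]                       # an existing translation is reused
        if self.overload:
            for global_ip in self.pool:                  # one address is filled before the next is used
                global_port = self._free_port(global_ip, port)
                if global_port is not None:
                    break
            else:
                return None
            self.used_ports.add((global_ip, global_port))
        else:
            if inside_local not in self.dynamic:
                if not self.free:
                    return None                          # no address left: new connections are rejected
                self.dynamic[inside_local] = self.free.pop(0)
            global_ip, global_port = self.dynamic[inside_local], port
        self.flows[key] = (global_ip, global_port)
        return global_ip, global_port

    def translate_inbound(self, proto: str, inside_global: str, port: int) -> Optional[Translation]:
        """Outside -> inside. Static entries answer on any port; everything else needs an existing flow."""
        for local, glob in self.static.items():
            if glob == inside_global:
                return local, port
        for (p, local, lport), (gip, gport) in self.flows.items():
            if p == proto and (gip, gport) == (inside_global, port):
                return local, lport
        return None

    def clear(self) -> None:
        """clear ip nat translation *: dynamic entries are dropped, static mappings stay."""
        self.dynamic.clear()
        self.flows.clear()
        self.used_ports.clear()
        self.free = list(self.pool)

    def show(self) -> List[str]:
        """Rows shaped like `show ip nat translations` (Pro, Inside global, Inside local)."""
        rows = [f"--- {glob} {local} --- ---" for local, glob in self.static.items()]
        rows += [f"{p} {gip}:{gport} {local}:{lport}"
                 for (p, local, lport), (gip, gport) in self.flows.items()]
        return rows
```

The dynamic case is where the security-relevant failure mode lives: with a two-address pool a third inside host gets no translation at all until the table is cleared, whereas under overload the same hosts share one address and are told apart by port, which is why the second host's 1027 becomes 1028 when the first host already holds it.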
LAB 45: DYNAMIC PAT (overload on a pool)

The second way: the ISP gave you more than one public IP address, but not enough for a one-to-one dynamic or static mapping. The configuration is the same as for dynamic NAT, but this time we add overload so that the router identifies flows by port number instead of tying one private address to one public address. If you are reusing the LAB 44 router, remove the previous translation statement for list 1 and clear the translations first, so the ACL is bound to a single rule.

Configure NAT overload:

GW(config)#ip nat pool venus 103.13.148.5 103.13.148.10 netmask 255.255.255.240
GW(config)#access-list 1 permit 192.168.10.0 0.0.0.255
GW(config)#ip nat inside source list 1 pool venus overload
GW(config)#interface fastEthernet 0/0
GW(config-if)#ip nat outside
GW(config-if)#exit
GW(config)#interface fastEthernet 0/1
GW(config-if)#ip nat inside

Verification

C:\>ping 100.100.100.30
Reply from 100.100.100.30: bytes=32 time=1ms TTL=126
Reply from 100.100.100.30: bytes=32 time<1ms TTL=126
Reply from 100.100.100.30: bytes=32 time=11ms TTL=126
Reply from 100.100.100.30: bytes=32 time<1ms TTL=126
Router#show ip nat translations
Pro  Inside global         Inside local          Outside local         Outside global
icmp 103.13.148.5:10      192.168.10.20:10      100.100.100.30:10     100.100.100.30:10
icmp 103.13.148.5:11      192.168.10.20:11      100.100.100.30:11     100.100.100.30:11
icmp 103.13.148.5:12      192.168.10.20:12      100.100.100.30:12     100.100.100.30:12
icmp 103.13.148.5:9       192.168.10.20:9       100.100.100.30:9      100.100.100.30:9
tcp  103.13.148.5:1027    192.168.10.10:1027    100.100.100.30:80     100.100.100.30:80
tcp  103.13.148.5:1028    192.168.10.10:1028    100.100.100.30:80     100.100.100.30:80

Note that both inside hosts share 103.13.148.5: with overload the router keeps using one pool address until its ports run out before moving to the next one. We can clear the translation table with the following commands:

Router#clear ip nat translation *
Router#show ip nat translations

LAB 46: CONFIGURE GRE TUNNEL

Generic Routing Encapsulation (GRE), developed by Cisco, is a simple IP packet encapsulation protocol. GRE wraps the original IP packet in a new IP header and adds a GRE header between the two. A GRE tunnel creates a point-to-point link between two routers that are not directly connected to each other. When packets have to be sent from one network to another across the Internet or another untrusted network, we can use a GRE tunnel: a virtual tunnel is created between the two Cisco routers and packets are sent through it.

GRE carries multicast packets, which plain IPsec tunnels do not, so in larger networks where routing protocols such as OSPF or EIGRP must run across the tunnel, GRE is the tool to use. Keep in mind what GRE does not do: it provides no confidentiality, integrity or authentication. Anyone on the path can read the inner packets and can inject packets of their own, so across an untrusted network GRE should be protected with IPsec (GRE over IPsec), which keeps the multicast support and adds the protection.
Configuring a GRE tunnel

Configuring a GRE tunnel involves creating a tunnel interface, which is a logical interface, and then configuring the tunnel endpoints for that interface.

Configuring the router interfaces:

R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.20.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface fastEthernet 0/1
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#

R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 192.168.20.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface fastEthernet 0/1
R2(config-if)#ip address 192.168.30.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
Creating a Cisco GRE tunnel

A GRE tunnel uses a tunnel interface: a logical interface configured on the router with an IP address, where packets are encapsulated and de-encapsulated as they enter or leave the GRE tunnel.

First step is to create the tunnel interface on R1:

R1(config)# interface Tunnel0
R1(config-if)# ip address 172.16.10.1 255.255.255.0
R1(config-if)# ip mtu 1400
R1(config-if)# ip tcp adjust-mss 1360
R1(config-if)# tunnel source 192.168.20.1
R1(config-if)# tunnel destination 192.168.20.2

R2(config)# interface Tunnel0
R2(config-if)# ip address 172.16.10.2 255.255.255.0
R2(config-if)# ip mtu 1400
R2(config-if)# ip tcp adjust-mss 1360
R2(config-if)# tunnel source 192.168.20.2
R2(config-if)# tunnel destination 192.168.20.1

Every tunnel interface needs an IP address, and both ends are placed in the same subnet (172.16.10.0/24).

Because GRE is an encapsulating protocol, we lower the IP MTU of the tunnel to 1400 bytes and the TCP maximum segment size (MSS) to 1360 bytes. Most transport links have a 1500-byte MTU and GRE adds 24 bytes (a 20-byte outer IP header plus a 4-byte GRE header), so the largest inner packet that fits without fragmentation is 1476 bytes; 1400 is the common practice because it leaves headroom for further overhead (IPsec, for example) and keeps fragmentation to a minimum. The MSS follows from the MTU: 1400 minus 20 bytes of IP header minus 20 bytes of TCP header is 1360.

Now configure static routes so the two LANs can reach each other. The next hop is the tunnel IP address of the other router:

R1(config)# ip route 192.168.30.0 255.255.255.0 172.16.10.2
R2(config)# ip route 192.168.10.0 255.255.255.0 172.16.10.1

n.b. The tunnel source can also be given as an interface, e.g. tunnel source fastEthernet 0/0.
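Added example, not part of the original lab: Python code that builds the encapsulated packet R1 puts on the wire (outer IPv4 header, 4-byte GRE header, inner packet untouched), strips it again as R2 would, and derives the 24-byte overhead behind the MTU and MSS settings above. The function names and the sample inner ICMP packet are constructed for this example, and the ICMP checksum is not computed. The final check, that the inner packet appears verbatim inside the outer one, is the security point: GRE hides nothing from anyone on the path.

```python
import ipaddress
import struct

GRE_IP_PROTOCOL = 47          # protocol field of the outer IPv4 header
GRE_PROTO_IPV4 = 0x0800       # GRE protocol-type field for an IPv4 payload
IPV4_HEADER_LEN = 20
GRE_HEADER_LEN = 4            # flags/version + protocol type; no checksum, key or sequence
TCP_HEADER_LEN = 20


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, protocol: int, payload_len: int, ttl: int = 255) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HEADER_LEN + payload_len, 0, 0,
                      ttl, protocol, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """What R1 does on Tunnel0: new outer IP header + GRE header + the unchanged inner packet."""
    gre = struct.pack("!HH", 0x0000, GRE_PROTO_IPV4)
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_IP_PROTOCOL, len(gre) + len(inner))
    return outer + gre + inner


def gre_decapsulate(packet: bytes) -> bytes:
    """What R2 does: validate and strip the outer IP and GRE headers, honouring optional GRE fields."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_IP_PROTOCOL:
        raise ValueError("not a GRE packet")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IP header checksum")
    flags, proto_type = struct.unpack("!HH", packet[ihl:ihl + GRE_HEADER_LEN])
    if proto_type != GRE_PROTO_IPV4:
        raise ValueError("unexpected GRE payload type")
    optional = 0
    if flags & 0x8000:
        optional += 4     # checksum + reserved field present
    if flags & 0x2000:
        optional += 4     # key present
    if flags & 0x1000:
        optional += 4     # sequence number present
    return packet[ihl + GRE_HEADER_LEN + optional:]


def gre_overhead() -> int:
    """Bytes GRE adds to every packet: 20 (outer IPv4) + 4 (GRE)."""
    return IPV4_HEADER_LEN + GRE_HEADER_LEN


def largest_inner_packet(transport_mtu: int = 1500) -> int:
    """Largest inner packet that fits the transport MTU without fragmenting the outer packet."""
    return transport_mtu - gre_overhead()


def tcp_mss_for(ip_mtu: int) -> int:
    """The ip tcp adjust-mss value matching an ip mtu: subtract the IP and TCP headers."""
    return ip_mtu - IPV4_HEADER_LEN - TCP_HEADER_LEN


def sample_inner_packet() -> bytes:
    """Constructed sample: an ICMP echo from the R1 LAN host to the R2 LAN host (ICMP checksum left zero)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"PING-PAYLOAD"
    return ipv4_header("192.168.10.2", "192.168.30.2", 1, len(icmp), ttl=128) + icmp
```

largest_inner_packet() gives 1476 for Ethernet, so the lab's ip mtu 1400 is deliberately conservative, and tcp_mss_for(1400) reproduces the 1360 in the configuration.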
R1#show interfaces tunnel 0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 172.16.10.1/24
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 192.168.20.1, destination 192.168.20.2
  Tunnel protocol/transport GRE/IP

PC1#ping 192.168.30.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/34/44 ms

LAB 47: AAA CONFIGURATION

AAA (Authentication, Authorization and Accounting) is the basic security framework for controlling access to a network device.

Authentication = who is allowed onto the network. Provides the method of identifying users, including login and password dialog, challenge and response, messaging support and, depending on the security protocol selected, encryption.

Authorization = what they may do once they are in. Provides the method for remote access control, including one-time authorization or authorization for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA and Telnet.

Accounting = an audit trail of what they did while connected. Provides the method for collecting and sending security-server information used for billing, auditing and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets and number of bytes.
AAA uses two common methods:

1) Local AAA authentication: usernames and passwords are stored locally on the Cisco router and users authenticate against that local database.

2) Server-based AAA authentication: a central AAA server holds the usernames and passwords for all users.

AAA can use both RADIUS and TACACS+ servers, but the two protocols differ. RADIUS runs over UDP, combines authentication and authorization in one exchange and only obfuscates the password field of its packets; TACACS+ runs over TCP port 49, separates authentication, authorization and accounting, encrypts the whole packet body and can authorize individual commands. TACACS+ is therefore the usual choice for administrator access to network devices, RADIUS for network access by users.

AAA Lab (server-based AAA authentication)
Objective: anyone who telnets to the router must be authenticated through the AAA server; if the AAA server is down, the router falls back to its local user database.

RADIUS SERVER CONFIGURATION

Configuration:

Router#conf terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname Radius
Radius(config)#interface fastEthernet 0/0
Radius(config-if)#ip address 192.168.10.1 255.255.255.0
Radius(config-if)#no shutdown
Radius(config-if)#exit

Telnet access from the local database

Radius(config)#enable secret cisco123
Radius(config)#line vty 0 4
Radius(config-line)#login authentication default
Radius(config-line)#login
Radius(config-line)#exit
Radius(config)#username ashish password ashish123
Radius(config)#exit

AAA configuration on the router

To enable AAA, configure the aaa new-model command in global configuration mode. Until this command is entered, all other AAA commands are hidden (so the login authentication default line on the vty lines only takes effect once AAA is on).

Radius(config)#aaa new-model

Set the login authentication method list with two methods: the RADIUS server group first; if no RADIUS server responds, the router's local database second.

Radius(config)#aaa authentication login default group radius local

Tell the router the IP address of the RADIUS server and the key (shared secret) used to talk to it:

Radius(config)#radius-server host 192.168.10.3 auth-port 1645 key cisco

Two practical notes. 1645 is the legacy RADIUS authentication port; the IANA-assigned port is 1812, and the server must listen on whichever one you configure. The shared key is all that protects the user's password in transit, so on a real network use a long random key and keep RADIUS traffic on an isolated management network. For the local fallback account, prefer the username ... secret form over username ... password, which stores the password in a reversible form.
On the RADIUS server (the AAA service on the server PC):
  Client name = any
  Client IP = the router's IP address
  Key = the key defined in the previous command line

From the PC:

C:\>telnet 192.168.10.1
Trying 192.168.10.1 ...Open
User Access Verification
Username: admin
Password:
Radius>en
Password:
Radius#

Here username admin with password admin123 is the account created on the RADIUS server.

Now disconnect the RADIUS server (or simply unplug its cable) and telnet to the router again using ashish from the local database: it works.
Remember: the fallback is for an unavailable method, not for a failed one. If method 1 (RADIUS) answers and rejects the login, the router does not move on to method 2; only when method 1 does not respond at all (server unreachable) does the router try method 2. Otherwise the local database would be a way around the server's decision.

C:\>telnet 192.168.10.1
Trying 192.168.10.1 ...Open
User Access Verification
Username: ashish
Password:
Radius>

Radius#show aaa user all
Unique id 4 is currently in use.
  Accounting:
    log=0x18001
    Events recorded :
      CALL START
      INTERIM START
      INTERIM STOP
    update method(s) :
      NONE
    update interval = 0
    Outstanding Stop Records : 0
Radius#show aaa sessions
Total sessions since last reload: 3
  Session Id:4
    Unique Id:4
    User Name:admin
    IP Address:0.0.0.0
    Idle Time: 0
    CT Call Handle: 0
Radius#

OR, TACACS+ configuration

Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname Tacacs
Tacacs(config)#interface fastEthernet 0/0
Tacacs(config-if)#ip address 192.168.10.2 255.255.255.0
Tacacs(config-if)#no shutdown
Tacacs(config-if)#exit
Tacacs(config)#aaa new-model
Tacacs(config)#aaa authentication login default group tacacs+ local
Tacacs(config)#tacacs-server host 192.168.10.4 key 8888
Tacacs(config)#enable secret cisco123
Tacacs(config)#line vty 0 4
Tacacs(config-line)#login authentication default
Tacacs(config-line)#login
AAA is enabled. Command not supported. Use an aaa authentication methodlist
Tacacs(config-line)#exit
Tacacs(config)#username ashish password ashish123

The message after login is the router telling us that, with AAA enabled, the plain login command is no longer used on the line; the login authentication default line is what applies.

C:\>telnet 192.168.10.2
Trying 192.168.10.2 ...Open
User Access Verification
Username: admin
Password:
Tacacs>en
Password:
Tacacs#

Note that the enable password is still checked locally (enable secret cisco123): this lab only sets the login method list, not aaa authentication enable, so a user who passes RADIUS or TACACS+ authentication still needs the local enable secret to reach privileged mode.
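To see what the shared key cisco actually protects, here is an added Python example (not from the guide, and not the code of any RADIUS server) of the RADIUS exchange behind the Telnet login above: the router's Access-Request with the User-Password hidden as RFC 2865 specifies, the server's Access-Accept or Access-Reject carrying a Response Authenticator, and the router's check of that authenticator before it trusts the answer. The function names and the in-memory user table are assumptions of the example; the Message-Authenticator attribute and the accounting exchange are left out.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, total length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: str, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; each block is XORed with MD5(secret + previous block)."""
    plain = password.encode()
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(plain), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(plain[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> str:
    """Server side of the same construction; a wrong secret yields garbage, not an error."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, keystream)), block
    return out.rstrip(b"\x00").decode(errors="replace")


def build_access_request(identifier: int, username: str, password: str, secret: bytes,
                         request_authenticator: Optional[bytes] = None) -> bytes:
    """What the router (NAS) sends to 192.168.10.3 when a Telnet user logs in."""
    ra = request_authenticator or os.urandom(16)   # must be unpredictable per request
    attrs = _attr(ATTR_USER_NAME, username.encode()) + \
        _attr(ATTR_USER_PASSWORD, hide_password(password, secret, ra))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs


def parse_access_request(packet: bytes, secret: bytes) -> Tuple[int, bytes, str, str]:
    """Server side: returns (identifier, request authenticator, username, recovered password)."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("malformed Access-Request")
    ra = packet[4:20]
    username = password = ""
    pos = 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + attr_len]
        if attr_type == ATTR_USER_NAME:
            username = value.decode()
        elif attr_type == ATTR_USER_PASSWORD:
            password = reveal_password(value, secret, ra)
        pos += attr_len
    return identifier, ra, username, password


def build_response(code: int, identifier: int, request_authenticator: bytes, secret: bytes,
                   attrs: bytes = b"") -> bytes:
    """Access-Accept/Reject: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    response_authenticator = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_authenticator + attrs


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """NAS side: accept only a reply produced with our secret for our own request."""
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, received)


def radius_login(username: str, password: str, secret: bytes, user_db: Dict[str, str],
                 identifier: int = 1, request_authenticator: Optional[bytes] = None) -> bool:
    """The whole exchange; user_db is a constructed stand-in for the server's user store."""
    request = build_access_request(identifier, username, password, secret, request_authenticator)
    ident, ra, name, pw = parse_access_request(request, secret)        # server
    code = ACCESS_ACCEPT if user_db.get(name) == pw else ACCESS_REJECT
    reply = build_response(code, ident, ra, secret)
    nas_ra = request[4:20]                                              # router remembers its own RA
    return verify_response(reply, nas_ra, secret) and reply[0] == ACCESS_ACCEPT
```

The password never appears in the packet, but the only thing between an eavesdropper and it is MD5 keyed with the shared secret, which is why a short dictionary word like cisco is a poor choice and why the request authenticator must never repeat.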
LAB 48: SYSLOG SERVER

Cisco devices use the syslog protocol to report system events and alerts. A Syslog server collects the logs of all devices in one central place, where we can use them to troubleshoot the devices and, on a real network, to watch for security-relevant events: a configuration change or an interface going down shows up here first.

Messages are generated at 8 levels, called severity levels; the lower the number, the more critical the message.

Message logging level keywords

Level keyword    Level  Description                         Syslog definition
emergencies      0      System unusable                     LOG_EMERG
alerts           1      Immediate action needed             LOG_ALERT
critical         2      Critical conditions                 LOG_CRIT
errors           3      Error conditions                    LOG_ERR
warnings         4      Warning conditions                  LOG_WARNING
notifications    5      Normal but significant condition    LOG_NOTICE
informational    6      Informational messages only         LOG_INFO
debugging        7      Debugging messages                  LOG_DEBUG

The software generates four other categories of messages:
- Error messages about software or hardware malfunctions, displayed at levels warnings through emergencies: these messages mean that the functionality of the device is affected.
- Output from the debug commands, displayed at the debugging level: debug commands are typically used only by the Technical Assistance Center (TAC).
- Interface up or down transitions and system restart messages, displayed at the notifications level: informational only; device functionality is not affected.
- Reload requests and low-process-stack messages, displayed at the informational level: informational only; device functionality is not affected.

Parts of a syslog message
- Timestamp
- Log message name and severity level, in the form %FACILITY-SEVERITY-MNEMONIC (for example %SYS-5-CONFIG_I)
- Message text

LAB:

Router>
Router>enable
Router#conf t
Router(config)#hostname DU
DU(config)#interface fastEthernet 0/0
DU(config-if)#ip address 192.168.10.1 255.255.255.0
DU(config-if)#no shutdown

On the server, open Services and make sure the Syslog service is on.

Syslog configuration on the DU router

Use logging host <syslog server IP address> to tell the Cisco router where to send its messages:

DU(config)#logging host 192.168.10.2
Then use logging trap <severity level> to choose which messages are sent to the server: every message at that severity or more severe. For this test we use the debugging level (severity 7), which sends everything; any other severity level can be used instead.

DU(config)#logging trap debugging

Then use debug ip <protocol> to enable debugging for a protocol; here we use ICMP:

DU#debug ip icmp

Ping 192.168.10.1 from the PC to generate some ICMP packets and test the configuration:

C:\>ping 192.168.10.1
Pinging 192.168.10.1 with 32 bytes of data:
Reply from 192.168.10.1: bytes=32 time=1ms TTL=255
Reply from 192.168.10.1: bytes=32 time<1ms TTL=255
Reply from 192.168.10.1: bytes=32 time<1ms TTL=255
Reply from 192.168.10.1: bytes=32 time<1ms TTL=255
C:\>

Next, open the Syslog server console and examine the output. The figure shows the logs the Syslog server collected from the Cisco router.

Do not leave this running in production: logging trap debugging together with a debug command can flood the server and load the router's CPU, so turn debugging off (undebug all) and set the trap level back to informational or notifications when the test is done. Syslog as used here travels over UDP port 514 with no authentication or integrity protection, so keep the server on a trusted management network.
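An added example, not part of the original lab: a Python parser for the messages the Syslog server receives from DU. It decodes the <PRI> field into facility and severity, splits the IOS body into sequence number, timestamp, %FACILITY-SEVERITY-MNEMONIC tag and text, reproduces the logging trap threshold, and applies one simple detection rule (configuration changes). The four sample lines are constructed to look like IOS output and were not captured from a real device; the function and class names are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

SEVERITY_KEYWORDS = ["emergencies", "alerts", "critical", "errors",
                     "warnings", "notifications", "informational", "debugging"]
FACILITY_LOCAL7 = 23     # facility IOS uses by default for messages sent with `logging host`

# IOS body: [sequence:] [timestamp:] [%FACILITY-SEVERITY-MNEMONIC:] text
IOS_BODY = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"
    r"(?:(?P<ts>\*?[A-Z][a-z]{2}\s+\d{1,2}\s+[\d:.]+):\s+)?"
    r"(?:%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+):\s*)?"
    r"(?P<text>.*)$")


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    seq: Optional[int]
    timestamp: Optional[str]
    ios_facility: Optional[str]     # the SYS in %SYS-5-CONFIG_I
    mnemonic: Optional[str]         # the CONFIG_I
    text: str

    @property
    def severity_keyword(self) -> str:
        return SEVERITY_KEYWORDS[self.severity]


def pri(facility: int, severity: int) -> int:
    """The <PRI> value on the wire: facility * 8 + severity (RFC 3164)."""
    return facility * 8 + severity


def parse_syslog(line: str) -> SyslogMessage:
    """Parse one line as received over UDP 514 from an IOS device."""
    m = re.match(r"^<(\d{1,3})>(.*)$", line)
    if not m:
        raise ValueError(f"no PRI field: {line!r}")
    facility, severity = divmod(int(m.group(1)), 8)
    body = IOS_BODY.match(m.group(2))
    return SyslogMessage(
        facility, severity,
        int(body["seq"]) if body["seq"] else None,
        body["ts"], body["fac"], body["mnem"], body["text"])


def trap_filter(messages: List[SyslogMessage], level: int) -> List[SyslogMessage]:
    """What `logging trap <level>` lets through: that severity and anything more severe."""
    return [m for m in messages if m.severity <= level]


def config_changes(messages: List[SyslogMessage]) -> List[SyslogMessage]:
    """Detection rule: configuration changes (%SYS-5-CONFIG_I) are worth alerting on."""
    return [m for m in messages if m.mnemonic == "CONFIG_I"]


# Constructed sample of what the server at 192.168.10.2 would receive from router DU
SAMPLE_LINES = [
    "<189>12: *Mar  1 00:12:33.123: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.10.2)",
    "<190>13: *Mar  1 00:12:40.001: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.10.2 port 514 started - CLI initiated",
    "<191>14: *Mar  1 00:12:51.555: ICMP: echo reply sent, src 192.168.10.1, dst 192.168.10.2",
    "<187>15: *Mar  1 00:13:05.000: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to down",
]
```

Note that debug output (the ICMP line) carries no %FACILITY-SEVERITY-MNEMONIC tag at all; only the PRI identifies it as severity 7, which is why a trap level of notifications drops it while keeping the configuration change and the link-down message.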
LAB 49: SNMPv3

The Simple Network Management Protocol (SNMP) is an application-layer protocol used for network monitoring and management. The network device sends information to the NMS (network management station), which graphs it over time so that CPU, memory, interface I/O and so on can be analysed.

SNMP is made up of three parts: the SNMP manager, the SNMP agent and the Management Information Base (MIB).

- The SNMP manager is the software running on a PC or server that monitors the network devices.
- The SNMP agent runs on the network device.
- The MIB is the agent's database of objects; an object might be the status of an interface (up or down) or the CPU load at a given moment. Each object in the MIB is identified by an OID (Object Identifier).

Configure SNMP

Enable SNMP on the router:

Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip address 192.168.10.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#snmp-server community V1 ro
%SNMP-5-WARMSTART: SNMP agent on host Router is undergoing a warm start
Router(config)#snmp-server community V1rw rw
Router(config)#exit
Router#

Here the read community is V1, taken from the read-only (ro) community command, and the write community is V1rw, the name given in the read-write (rw) community command.

Note that these commands configure community-based SNMP (versions 1 and 2c), not SNMPv3 as the lab title suggests. A community string is sent in cleartext in every request and is the only credential, so anyone who captures it can read (V1) or reconfigure (V1rw) the router. At the very least restrict each community with an access list (the optional ACL argument of the snmp-server community command) and avoid a read-write community unless it is really needed. SNMPv3 instead defines users with authentication and privacy keys (configured with snmp-server group and snmp-server user).

Testing SNMP from a PC

Click PC0, open the Desktop tab, then open the MIB Browser. Go to the Advanced tab and enter:
  Address: 192.168.10.1
  Read Community: V1
  Write Community: V1rw
  SNMP Version: the lab selects V3; with community strings configured on the router, v1 or v2c is what actually matches. Click OK.
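Before going on with the MIB browser, an added example (not part of the lab) of what separates SNMPv3 from the community strings just configured. In SNMPv3's User-based Security Model the user's password is never sent: it is turned into a key (the RFC 3414 password-to-key algorithm), localized with the agent's engine ID so that every device ends up with a different key, and then used to HMAC every message. The functions below implement that derivation in Python and are checked against the test vectors in RFC 3414 Appendix A; the function names are assumptions of the example and the message used in the HMAC check is constructed.

```python
import hashlib
import hmac

ONE_MEGABYTE = 1048576


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2: hash the password repeated to exactly 1,048,576 octets (the user key Ku)."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (ONE_MEGABYTE // len(password) + 1))[:ONE_MEGABYTE]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku); a different key for every agent."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_auth_key(password: str, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """The localized authentication key an agent and manager both derive from the password."""
    return localize_key(password_to_key(password.encode(), hash_name), engine_id, hash_name)


def usm_auth_params(auth_key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """usmHMACMD5AuthProtocol / usmHMACSHAAuthProtocol: HMAC over the whole message
    (with the authentication field zeroed), truncated to 12 octets."""
    return hmac.new(auth_key, message, hash_name).digest()[:12]


def usm_verify(auth_key: bytes, message: bytes, received: bytes, hash_name: str = "sha1") -> bool:
    """Constant-time comparison of the received msgAuthenticationParameters."""
    return hmac.compare_digest(usm_auth_params(auth_key, message, hash_name), received)


# Engine ID used by the RFC 3414 Appendix A test vectors
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")
```

Because the key is localized, a key captured or extracted from one device does not authenticate to another, and because every message is HMACed, a captured request cannot simply be replayed with a different payload; neither property exists for a community string.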
Now in the MIB browser expand the MIB tree to system, select each value and press GO to display the corresponding information from Router0.

LAB 50: PASSWORD RECOVERY

Method 1
1. Shut the router down.
2. Remove the compact flash from the back of the router.
3. Turn the router back on.
4. When you see the rommon 1> prompt, enter confreg 0x2142.
5. Insert the compact flash.
6. Type reset.
7. When prompted to enter the initial configuration, type no and press Enter.
8. At the Router> prompt, type enable.
9. At the Router# prompt, enter configure memory and press Enter to copy the startup configuration into the running configuration.
10. Use config t to enter global configuration mode.
11. Create a new user name and password:
    router(config)#username cisco123 privilege 15 password cisco123
12. Change the boot setting back: config-register 0x2102
13. Save the configuration: write memory
14. Reload the router, then log in with the new user name and password.

Method 2
1. Connect a terminal or a PC with terminal emulation to the console port of the router, using the correct terminal settings: 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control.
2. If you can still access the router, enter show version and write down the configuration register setting.
3. Turn the router off, wait about 5 seconds and turn it back on.
4. Press Break on the terminal keyboard within 60 seconds of power-up to put the router into ROMmon.
5. Enter confreg 0x2142 at the rommon 1> prompt so that the router boots from flash but ignores the startup configuration in NVRAM.
6. Type reset at the rommon 2> prompt.
7. Type no after each setup question, or press Ctrl+C to skip all of them.
8. Type enable at the Router> prompt.
9. Type configure memory or copy startup-config running-config to copy NVRAM into memory.
10. Type show running-config.
11. Type configure terminal.
12. Type enable secret <a password you will remember> to change the enable secret.
13. Issue no shutdown on every interface that you use (all interfaces come up shut down after the NVRAM bypass).
14. Type config-register <the value noted in step 2>, typically 0x2102.
15. Press Ctrl-Z or type end to leave configuration mode.
16. Type write memory or copy running-config startup-config to commit the changes.

What this procedure demonstrates is that anyone with console access and a few minutes alone with the router owns it, whatever the passwords are. Physical access to the console port is therefore part of the device's security boundary: keep the console in a locked rack, and consider no service password-recovery on devices in untrusted locations, at the cost of losing the configuration if the password is ever lost.
LAB 51: PROJECT

1. VLAN information

Switch    VLAN ID  VLAN name    IP               Ports
DENVER    10       Cisco        172.16.10.0/24   F0/1 - 9
          20       Solaris      172.16.20.0/24   F0/10 - 15
          99       MGT          10.10.10.10/24   F0/24
TORONTO   30       Admin        172.16.30.0/24   F0/1 - 9
          40       Accounts     172.16.40.0/24   F0/10 - 15
          88       Management   11.11.11.11/24   F0/24

2. Router information

Router  Interface                IP address         Description
LAN     F0/0 (.1)                192.168.10.0/24    To GWY router
        F0/1.10 (sub-interface)  172.16.10.1/24     To VLAN 10
        F0/1.20 (sub-interface)  172.16.20.1/24     To VLAN 20
        F0/1.99 (sub-interface)  10.10.10.10/24     To VLAN 99 (MGT)
GWY     F0/0 (.2)                192.168.20.0/24    To LAN router
        F0/1.30 (sub-interface)  172.16.30.1/24     To VLAN 30
        F0/1.40 (sub-interface)  172.16.40.1/24     To VLAN 40
        F0/1.88 (sub-interface)  11.11.11.11/24     To VLAN 88 (Management)
        F1/0 (.1)                192.168.30.0/24    To ISP router
ISP     F0/0 (.2)                192.168.30.0/24    To GWY router
        F0/1 (.1)                172.16.50.0/24     To LAN switch

Two inconsistencies to watch for when building this: the LAN-to-GWY link is listed as 192.168.10.0/24 on LAN but 192.168.20.0/24 on GWY, and both ends of a link must be in the same subnet; and the management addresses 10.10.10.10 (VLAN 99) and 11.11.11.11 (VLAN 88) are given both to the switch SVI and to the router sub-interface, which would be a duplicate address. Give the router sub-interface a different host address in the same subnet.
    CCNA Routing &Switching v3 LAB Guide 178 Ashish Halder (CCNA RnS, CCNP RnS, CCNA Sec, CCNP Sec, CCIE Sec-written), All rights are reserved 2. DENVER a. hostname, enable password, telnet access & VLAN configuration b. Management VLAN Configuration 3. Router : LAN a. Interface, hostname, enable password, telnet access configuration b. Inter-Vlan Routing Configuration 4. TORONTO a. Hostname, enable password, telnet access configuration , VLAN & Access Port configuration b. Management VLAN Configuration 5. Router : GWY a. Interface, hostname, enable password, telnet access configuration b. Inter-Vlan Routing Configuration 6. EIGRP Configuration on LAN and GWY Router only 7. Router ISP a. Interface, hostname, enable password, telnet access configuration b. static route to LAN router 8. GWY Static default route to ISP 9. Redistribute static route into EIGRP 10. ACL Configuration Condition : for the Internet hosts the following service is disabled to Inside but http service is enabled a. Telnet, FTP, SMTP, SSH, ping 11. Static NAT Configuration condition : only Inside HTTP Server's private IP is translated to public IP : 103.13.148.20 12. Configure Inside Server as a HTTP Server 13. Verification
Configuration
=============

DENVER
======
Hostname, enable password, telnet access configuration, VLAN and access port configuration
==========================================================================================
Switch(config)#hostname DENVER
DENVER(config)#enable secret cisco
DENVER(config)#username admin password admin123
DENVER(config)#line vty 0 4
DENVER(config-line)#login local
DENVER(config-line)#exit
DENVER(config)#
DENVER(config)#vlan 10
DENVER(config-vlan)#name cisco
DENVER(config-vlan)#exit
DENVER(config)#vlan 20
DENVER(config-vlan)#name solaris
DENVER(config-vlan)#exit
DENVER(config)#interface range fastEthernet 0/1 - 9
DENVER(config-if-range)#switchport mode access
DENVER(config-if-range)#switchport access vlan 10
DENVER(config-if-range)#exit
DENVER(config)#interface range fastEthernet 0/10 - 15
DENVER(config-if-range)#switchport mode access
DENVER(config-if-range)#switchport access vlan 20
DENVER(config-if-range)#exit

Note: "username admin password admin123" keeps the password recoverable (clear text, or the reversible type 7 encoding if service password-encryption is on); where the IOS release supports it, "username admin secret ..." stores a hash instead. Telnet also carries the login in clear text on the wire; LAB 3 shows how to replace it with SSH.

Management VLAN Configuration
=============================
DENVER(config)#vlan 99
DENVER(config-vlan)#name MGT
DENVER(config-vlan)#exit
DENVER(config)#interface fastEthernet 0/24
DENVER(config-if)#switchport access vlan 99
DENVER(config-if)#exit
DENVER(config)#interface vlan 99
DENVER(config-if)#ip address 10.10.10.10 255.255.255.0
DENVER(config-if)#no shutdown

Note: F0/24 is turned into a trunk in the next step, which replaces this access assignment; VLAN 99 then crosses the trunk tagged like the other VLANs. For the switch to be managed from any subnet other than 10.10.10.0/24 it also needs a default gateway pointing at the router's VLAN 99 address ("ip default-gateway 10.10.10.1"), which the original lab omits.
Router : LAN
============
Interface, hostname, enable password, telnet access configuration
=================================================================
Router(config)#hostname LAN
LAN(config)#interface fastEthernet 0/1
LAN(config-if)#no shutdown
LAN(config-if)#exit
LAN(config)#interface fastEthernet 0/0
LAN(config-if)#ip address 192.168.10.1 255.255.255.0
LAN(config-if)#no shutdown
LAN(config-if)#exit
LAN(config)#enable secret cisco
LAN(config)#username admin password admin123
LAN(config)#line vty 0 4
LAN(config-line)#login local
LAN(config-line)#exit

Note: the original used "enable password cisco" on this router. "enable password" stores the password in clear text (type 7 at best), whereas "enable secret", used on every other device in this lab, stores a hash and takes precedence if both are set.

Inter-VLAN Routing Configuration
================================
LAN(config)#interface fastEthernet 0/1.10
LAN(config-subif)#encapsulation dot1Q 10
LAN(config-subif)#ip address 172.16.10.1 255.255.255.0
LAN(config-subif)#no shutdown
LAN(config-subif)#exit
LAN(config)#interface fastEthernet 0/1.20
LAN(config-subif)#encapsulation dot1Q 20
LAN(config-subif)#ip address 172.16.20.1 255.255.255.0
LAN(config-subif)#no shutdown
LAN(config-subif)#exit
LAN(config)#interface fastEthernet 0/1.99
LAN(config-subif)#encapsulation dot1Q 99
LAN(config-subif)#ip address 10.10.10.1 255.255.255.0
LAN(config-subif)#no shutdown
LAN(config-subif)#exit
LAN(config)#

Note: the original assigned 10.10.10.10 to this sub-interface, the same address DENVER uses on its VLAN 99 SVI. Two devices in one VLAN cannot share an address; the router side is .1 here, and it is the gateway DENVER should point at.

DENVER
======
DENVER(config)#interface fastEthernet 0/24
DENVER(config-if)#switchport mode trunk
DENVER(config-if)#no shutdown
DENVER(config-if)#exit
IP Assignment to Hosts
======================
(The host IP settings are screenshots in the original and are not reproduced here. The hosts used below are 172.16.10.2 in VLAN 10, which later becomes the HTTP server, and 172.16.20.2 in VLAN 20.)

Verification
============
Ping from a VLAN 10 host to a VLAN 20 host:

C:>ping 172.16.20.2
Reply from 172.16.20.2: bytes=32 time<1ms TTL=127
Reply from 172.16.20.2: bytes=32 time<1ms TTL=127
Reply from 172.16.20.2: bytes=32 time=4ms TTL=127
Reply from 172.16.20.2: bytes=32 time<1ms TTL=127

(TTL=127 is one below the Windows default of 128: the packet crossed exactly one router, the LAN router doing the inter-VLAN routing.)

LAN>en
Password:
LAN#ping 10.10.10.10
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/11 ms
LAN#telnet 10.10.10.10
Trying 10.10.10.10 ...Open

User Access Verification

Username: admin
Password:
LAN>

Note: the prompt after login is LAN>, not DENVER>. In the original lab the router's F0/1.99 sub-interface carried the same address as the switch SVI, so this telnet session terminated on the LAN router itself rather than on the switch; the GWY and ISP telnet tests later in this lab show the same symptom. With the sub-interface at 10.10.10.1 and the switch's default gateway set, the session lands on DENVER and the prompt reads DENVER>.

TORONTO
=======
Hostname, enable password, telnet access configuration, VLAN and access port configuration
==========================================================================================
Switch#conf t
Switch(config)#hostname TORONTO
TORONTO(config)#enable secret cisco
TORONTO(config)#username admin password admin123
TORONTO(config)#line vty 0 4
TORONTO(config-line)#login local
TORONTO(config-line)#exit
TORONTO(config)#vlan 30
TORONTO(config-vlan)#name admin
TORONTO(config-vlan)#exit
TORONTO(config)#vlan 40
TORONTO(config-vlan)#name Accounts
TORONTO(config-vlan)#exit
TORONTO(config)#interface range fastEthernet 0/1 - 9
TORONTO(config-if-range)#switchport mode access
TORONTO(config-if-range)#switchport access vlan 30
TORONTO(config-if-range)#exit
TORONTO(config)#interface range fastEthernet 0/10 - 15
TORONTO(config-if-range)#switchport mode access
TORONTO(config-if-range)#switchport access vlan 40
TORONTO(config-if-range)#exit
TORONTO(config)#

(The "vlan 30" command was missing from the original transcript, although the config-vlan prompt shows it was entered.)

Management VLAN Configuration
=============================
TORONTO(config)#vlan 88
TORONTO(config-vlan)#name Management
TORONTO(config-vlan)#exit
TORONTO(config)#interface fastEthernet 0/24
TORONTO(config-if)#switchport access vlan 88
TORONTO(config-if)#exit
TORONTO(config)#interface vlan 88
TORONTO(config-if)#ip address 11.11.11.11 255.255.255.0
TORONTO(config-if)#no shutdown
TORONTO(config-if)#exit
TORONTO(config)#

Router : GWY
============
Interface, hostname, enable password, telnet access configuration
=================================================================
Router(config)#hostname GWY
GWY(config)#interface fastEthernet 0/0
GWY(config-if)#ip address 192.168.10.2 255.255.255.0
GWY(config-if)#no shutdown
GWY(config-if)#exit
GWY(config)#interface fastEthernet 1/0
GWY(config-if)#ip address 192.168.20.1 255.255.255.0
GWY(config-if)#no shutdown
GWY(config-if)#exit
GWY(config)#enable secret cisco
GWY(config)#username admin password admin123
GWY(config)#line vty 0 4
GWY(config-line)#login local
GWY(config-line)#exit
GWY(config)#

Inter-VLAN Routing Configuration
================================
GWY(config)#interface fastEthernet 0/1
GWY(config-if)#no shutdown
GWY(config-if)#exit
GWY(config)#interface fastEthernet 0/1.30
GWY(config-subif)#encapsulation dot1Q 30
GWY(config-subif)#ip address 172.16.30.1 255.255.255.0
GWY(config-subif)#no shutdown
GWY(config-subif)#exit
GWY(config)#interface fastEthernet 0/1.40
GWY(config-subif)#encapsulation dot1Q 40
GWY(config-subif)#ip address 172.16.40.1 255.255.255.0
GWY(config-subif)#no shutdown
GWY(config-subif)#exit
GWY(config)#interface fastEthernet 0/1.88
GWY(config-subif)#encapsulation dot1Q 88
GWY(config-subif)#ip address 11.11.11.1 255.255.255.0
GWY(config-subif)#no shutdown

Note: as on LAN, the original gave this sub-interface 11.11.11.11, the address already used by TORONTO's VLAN 88 SVI; the router side is .1 here.

TORONTO
=======
TORONTO(config)#interface fastEthernet 0/24
TORONTO(config-if)#switchport mode trunk

IP Assignment to Hosts
======================
(Screenshots not reproduced; the hosts used below are in 172.16.30.0/24 and 172.16.40.0/24.)

Verification
============
C:>ping 172.16.40.2
Reply from 172.16.40.2: bytes=32 time<1ms TTL=127
Reply from 172.16.40.2: bytes=32 time<1ms TTL=127
Reply from 172.16.40.2: bytes=32 time<1ms TTL=127
Reply from 172.16.40.2: bytes=32 time<1ms TTL=127

GWY#ping 11.11.11.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.11.11.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/7 ms

GWY#telnet 11.11.11.11
Trying 11.11.11.11 ...Open

User Access Verification

Username: admin
Password:
GWY>

(The GWY> prompt shows that this session terminated on GWY's own F0/1.88 sub-interface, which in the original shared TORONTO's SVI address 11.11.11.11, and not on the switch.)

EIGRP Configuration on the LAN and GWY Routers only (not on the GWY-ISP link)
=============================================================================
LAN#conf t
LAN(config)#router eigrp 10
LAN(config-router)#network 172.16.10.0
LAN(config-router)#network 172.16.20.0
LAN(config-router)#network 10.10.10.0
LAN(config-router)#network 192.168.10.0
LAN(config-router)#no auto-summary

GWY(config)#router eigrp 10
GWY(config-router)#network 172.16.30.0
GWY(config-router)#network 172.16.40.0
GWY(config-router)#network 11.11.11.0
GWY(config-router)#network 192.168.10.0
GWY(config-router)#
%DUAL-5-NBRCHANGE: IP-EIGRP 10: Neighbor 192.168.10.1 (FastEthernet0/0) is up: new adjacency
GWY(config-router)#no auto-summary

Note: a "network" statement without a wildcard mask is classful, so "network 172.16.10.0" enables EIGRP on every 172.16.x.x interface of the router, which is what is wanted here. "no auto-summary" is needed so that the /24 subnets of 172.16.0.0, 10.0.0.0 and 11.0.0.0 are advertised individually rather than as their classful summaries. The GWY-ISP link (192.168.20.0/24) is deliberately left out of EIGRP; ISP learns the inside networks through static routes in step 7.

Verification of EIGRP
=====================
Ping from the server PC (VLAN 10) to the hosts behind TORONTO:

C:>ping 172.16.30.2
Pinging 172.16.30.2 with 32 bytes of data:
Reply from 172.16.30.2: bytes=32 time=11ms TTL=126
Reply from 172.16.30.2: bytes=32 time<1ms TTL=126
Reply from 172.16.30.2: bytes=32 time=11ms TTL=126
Reply from 172.16.30.2: bytes=32 time=12ms TTL=126

C:>ping 172.16.40.2
Pinging 172.16.40.2 with 32 bytes of data:
Reply from 172.16.40.2: bytes=32 time<1ms TTL=126
Reply from 172.16.40.2: bytes=32 time=1ms TTL=126
Reply from 172.16.40.2: bytes=32 time=12ms TTL=126
Reply from 172.16.40.2: bytes=32 time=12ms TTL=126

(TTL=126: two routers, LAN and GWY, between the server and the TORONTO hosts.)

Telnet to the DENVER switch from GWY
====================================
GWY#telnet 10.10.10.10
Trying 10.10.10.10 ...Open

User Access Verification

Username: admin
Password:
LAN>

(As noted earlier, the LAN> prompt shows that this session reached the LAN router's sub-interface, which in the original shared the switch's address, and not DENVER.)

7. Router ISP
a. Interface, hostname, enable password, telnet access configuration
====================================================================
Router(config)#hostname ISP
ISP(config)#interface fastEthernet 0/0
ISP(config-if)#ip address 192.168.20.2 255.255.255.0
ISP(config-if)#no shutdown
ISP(config-if)#exit
ISP(config)#do ping 192.168.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 0/0/0 ms

(The first echo is lost while ARP resolves the neighbour's MAC address; this is normal on a freshly configured link.)

ISP(config)#enable secret cisco
ISP(config)#username admin password admin123
ISP(config)#line vty 0 4
ISP(config-line)#login local
ISP(config-line)#exit
ISP(config)#interface fastEthernet 0/1
ISP(config-if)#ip address 192.168.30.1 255.255.255.0
ISP(config-if)#no shutdown
ISP(config-if)#exit

b. Static routes toward the inside networks (next hop GWY, 192.168.20.1)
========================================================================
ISP does not take part in EIGRP, so it needs a static route for each inside network:

ISP(config)#ip route 172.16.40.0 255.255.255.0 192.168.20.1
ISP(config)#ip route 172.16.30.0 255.255.255.0 192.168.20.1
ISP(config)#ip route 172.16.20.0 255.255.255.0 192.168.20.1
ISP(config)#ip route 172.16.10.0 255.255.255.0 192.168.20.1
ISP(config)#ip route 10.10.10.0 255.255.255.0 192.168.20.1

(No route is given for 11.11.11.0/24, so TORONTO's management VLAN stays unreachable from ISP unless one is added.)

8. GWY: static default route to ISP
===================================
GWY(config)#ip route 0.0.0.0 0.0.0.0 192.168.20.2

9. Redistribute the static route into EIGRP on router GWY
=========================================================
GWY(config)#router eigrp 10
GWY(config-router)#redistribute static
GWY(config-router)#redistribute connected

Note: "redistribute static" hands GWY's default route to LAN as an external EIGRP route (D EX), so LAN needs no default route of its own. "redistribute connected" is not in the task list; it additionally injects GWY's connected networks, including the 192.168.20.0/24 link to ISP, as external routes. Static and connected routes can be redistributed into EIGRP without a metric; routes taken from another routing protocol would need one.

Verification
============
ISP#ping 172.16.20.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.20.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/6/12 ms

ISP#ping 10.10.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/2 ms

ISP#telnet 10.10.10.10
Trying 10.10.10.10 ...Open

User Access Verification
Username: admin
Password:
LAN>

(Again the session ends on the LAN router, not on DENVER; see the note under the first telnet test.)

Assign an IP address to the outside PC
======================================
(Screenshot not reproduced. The outside PC is 192.168.30.2, the host the ACL in step 10 refers to, with ISP's F0/1 address 192.168.30.1 as its gateway.)

Verification
============
C:>ping 192.168.30.1
Reply from 192.168.30.1: bytes=32 time=2ms TTL=255
Reply from 192.168.30.1: bytes=32 time=1ms TTL=255
Reply from 192.168.30.1: bytes=32 time<1ms TTL=255
Reply from 192.168.30.1: bytes=32 time=1ms TTL=255

C:>ping 172.16.10.2
Reply from 172.16.10.2: bytes=32 time=11ms TTL=125
Reply from 172.16.10.2: bytes=32 time=11ms TTL=125
Reply from 172.16.10.2: bytes=32 time=11ms TTL=125
Reply from 172.16.10.2: bytes=32 time=12ms TTL=125

(TTL=125 is consistent with three routed hops, ISP, GWY and LAN, from a host that starts at 128. At this point, before the ACL and NAT of steps 10 and 11, the outside PC reaches the inside server directly by its private address.)
10. ACL Configuration
=====================
Condition: from the Internet host the following services toward the inside are blocked, while HTTP stays enabled:
a. Telnet, FTP, SMTP, SSH, ping

GWY(config)#access-list 101 deny tcp host 192.168.30.2 any eq telnet
GWY(config)#access-list 101 deny tcp host 192.168.30.2 any eq ftp
GWY(config)#access-list 101 deny tcp host 192.168.30.2 any eq smtp
GWY(config)#access-list 101 deny tcp host 192.168.30.2 any eq pop3
GWY(config)#access-list 101 deny tcp host 192.168.30.2 any eq 22
GWY(config)#access-list 101 deny icmp host 192.168.30.2 any echo
GWY(config)#access-list 101 deny icmp any host 192.168.30.2 echo-reply
GWY(config)#access-list 101 permit ip any any
GWY(config)#interface fastEthernet 1/0
GWY(config-if)#ip access-group 101 in

Notes on this ACL:
- It is applied inbound on F1/0, the interface facing ISP. For an inbound ACL IOS evaluates the packet before NAT translates it, so after step 11 the inside server is seen at its public address 103.13.148.20; the "any" destination used here covers that.
- The "deny ... pop3" line is not part of the task list and is harmless. The "deny icmp any host 192.168.30.2 echo-reply" line can never match: inbound on F1/0 the destination is always an inside address, never 192.168.30.2. It also does not block inside-initiated pings, whose replies travel inbound with an inside host as destination and are accepted by the final permit.
- The denies name a single host and the list ends in "permit ip any any". Every other Internet address, and every service not listed (RDP or SMB, for example), is therefore let through to the inside. A default-deny list that permits only "tcp any host 103.13.148.20 eq www" (plus whatever return traffic is required) and relies on the implicit deny satisfies the stated condition with far less exposure.

11. Static NAT Configuration
============================
Condition: only the inside HTTP server's private IP is translated, to the public IP 103.13.148.20.

ISP(config)#ip route 103.13.148.20 255.255.255.255 192.168.20.1
GWY(config)#interface fastEthernet 1/0
GWY(config-if)#ip nat outside
GWY(config-if)#exit
GWY(config)#interface fastEthernet 0/0
GWY(config-if)#ip nat inside
GWY(config-if)#exit
GWY(config)#ip nat inside source static 172.16.10.2 103.13.148.20
GWY(config)#

Note: 103.13.148.20 is not part of the GWY-ISP link subnet, so ISP needs the host route above to forward traffic for the public address to GWY. With the static mapping in place, the server at 172.16.10.2 is reachable from the outside PC as http://103.13.148.20, and steps 12 (configure the inside server as an HTTP server) and 13 (verification from the outside PC's browser) are screenshots in the original that are not reproduced here.
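The way IOS walks an extended ACL, as an added example in Python that is not part of the lab guide: a first-match evaluator is run over access-list 101 exactly as entered above and over a default-deny alternative (access-list 102, the editor's suggestion, not in the original), against a handful of constructed packets arriving inbound on GWY F1/0. It shows which line each packet hits, that the echo-reply line is never the match for inbound traffic, and what the final "permit ip any any" lets through. The port-name mapping and the sample traffic are assumptions; stateful keywords such as "established" are not modelled.

```python
"""
Added example (not from the lab guide): a first-match evaluator for the
extended ACL in step 10, run against constructed inbound packets on the
outside interface. Hosts and ports are the lab's; the traffic is made up.
"""
from dataclasses import dataclass
import ipaddress

# IOS keyword -> port, for the names used in this lab's ACL (assumed subset)
PORTS = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "www": 80, "pop3": 110}

# The ACL exactly as entered on GWY in the lab (prompts removed).
ACL_101 = """
access-list 101 deny tcp host 192.168.30.2 any eq telnet
access-list 101 deny tcp host 192.168.30.2 any eq ftp
access-list 101 deny tcp host 192.168.30.2 any eq smtp
access-list 101 deny tcp host 192.168.30.2 any eq pop3
access-list 101 deny tcp host 192.168.30.2 any eq 22
access-list 101 deny icmp host 192.168.30.2 any echo
access-list 101 deny icmp any host 192.168.30.2 echo-reply
access-list 101 permit ip any any
"""

# A default-deny alternative (editor's suggestion, not in the lab): allow only
# HTTP to the server's public address plus replies to inside-initiated pings,
# and let the implicit deny at the end drop everything else.
ACL_102 = """
access-list 102 permit tcp any host 103.13.148.20 eq www
access-list 102 permit icmp any any echo-reply
"""


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0        # TCP/UDP destination port
    icmp_type: str = ""   # "echo" or "echo-reply"


def _parse_addr(t, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' starting at token index i."""
    if t[i] == "any":
        return ("any", None), i + 1
    if t[i] == "host":
        return ("host", t[i + 1]), i + 2
    return ("net", (t[i], t[i + 1])), i + 2


def _addr_match(spec, ip):
    kind, val = spec
    if kind == "any":
        return True
    if kind == "host":
        return ip == val
    net, wild = val
    w = int(ipaddress.IPv4Address(wild))            # wildcard: 1 bits = don't care
    return (int(ipaddress.IPv4Address(ip)) | w) == (int(ipaddress.IPv4Address(net)) | w)


def parse_acl(text):
    """Return a list of (line, action, proto, src, dst, port, icmp_type) in order."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        rest = t[i:]
        port = icmp_type = None
        if proto in ("tcp", "udp") and len(rest) >= 2 and rest[0] == "eq":
            port = PORTS.get(rest[1]) or int(rest[1])
        elif proto == "icmp" and rest:
            icmp_type = rest[0]
        rules.append((line.strip(), action, proto, src, dst, port, icmp_type))
    return rules


def matches(rule, pkt):
    _, _, proto, src, dst, port, icmp_type = rule
    if proto != "ip" and proto != pkt.proto:
        return False
    if not (_addr_match(src, pkt.src) and _addr_match(dst, pkt.dst)):
        return False
    if port is not None and pkt.dport != port:
        return False
    if icmp_type is not None and pkt.icmp_type != icmp_type:
        return False
    return True


def evaluate(rules, pkt):
    """First match wins; every IOS ACL ends with an implicit deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule[1], rule[0]
    return "deny", "implicit deny"


def unmatched_rules(rules, packets):
    """Lines that are never the first match for any packet in the sample."""
    hit = {evaluate(rules, p)[1] for p in packets}
    return [r[0] for r in rules if r[0] not in hit]


# Constructed inbound traffic as seen on GWY F1/0. The inbound ACL is checked
# before NAT, so the inside server appears at its public address 103.13.148.20.
SAMPLE_INBOUND = [
    Packet("tcp", "192.168.30.2", "103.13.148.20", 80),           # HTTP, must pass
    Packet("tcp", "192.168.30.2", "103.13.148.20", 23),           # telnet, must drop
    Packet("tcp", "192.168.30.2", "103.13.148.20", 22),           # ssh, must drop
    Packet("icmp", "192.168.30.2", "103.13.148.20", icmp_type="echo"),
    Packet("tcp", "192.168.30.2", "103.13.148.20", 3389),         # not listed in step 10
    Packet("tcp", "192.168.30.50", "103.13.148.20", 23),          # a different Internet host
    Packet("icmp", "192.168.30.2", "103.13.148.20", icmp_type="echo-reply"),  # reply to an inside ping
]

PAGE_RULES = parse_acl(ACL_101)
HARDENED_RULES = parse_acl(ACL_102)

if __name__ == "__main__":
    for p in SAMPLE_INBOUND:
        a1, l1 = evaluate(PAGE_RULES, p)
        a2, _ = evaluate(HARDENED_RULES, p)
        print(f"{p.proto:4} {p.src:>14} -> {p.dst}:{p.dport or p.icmp_type:<10} "
              f"ACL 101: {a1:6} ({l1})   ACL 102: {a2}")
    print("never matched inbound:", unmatched_rules(PAGE_RULES, SAMPLE_INBOUND))
```

Running it shows the two gaps in the lab's list: traffic to any port not named (3389 here) and traffic from any other outside address (192.168.30.50) both fall through to "permit ip any any", while the same packets end in the implicit deny under ACL 102. The echo-reply line of ACL 101 appears in the "never matched" output because no inbound packet can carry 192.168.30.2 as its destination.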
IPv6 Address
============
IPv6 uses 128-bit addresses, which gives about 3.4 x 10^38 addresses in total, roughly 48,000,000,000,000,000,000,000,000,000 (4.8 x 10^28) for every person on Earth.

Advantages:
- Enhanced security (IPsec was specified as part of IPv6 from the start, although in practice it is optional, as in IPv4)
- Header improvements
- No need for NAT
- Stateless address autoconfiguration

An IPv6 address is written as eight groups of four hexadecimal digits separated by colons. For example, this is a valid IPv6 address:

1234:4523:EDBA:0A01:0056:5054:5ABC:ABBD

IPv6 address shortening
1. Leading zeros within a group can be omitted:
   1240:0023:CCBA:0A01:0065:5054:9ABC:ABB4 becomes 1240:23:CCBA:A01:65:5054:9ABC:ABB4
2. One run of consecutive all-zero groups can be replaced by a double colon (::):
   1240:0000:0000:0000:0456:0000:CCCB:11DC can be written as
   1240::456:0000:CCCB:11DC
   The double colon may be used only once in an address; with two of them the number of groups each one stands for would be ambiguous. The remaining 0000 group is shortened to a single 0 by rule 1, never to a second "::":
   1240::456:0:CCCB:11DC

Three categories of IPv6 addresses exist:
- Unicast
- Anycast
- Multicast

There are three types of IPv6 unicast addresses:

Global unicast: similar to IPv4 public addresses. They are assigned by IANA (through the regional registries) and used on public networks. They have the prefix 2000::/3, meaning all addresses that begin with binary 001.

Unique local: similar to IPv4 private addresses. They are used in private networks and are not routable on the Internet. The reserved block is FC00::/7; the addresses actually in use are the locally generated half, FD00::/8.

Link local: used for sending packets on the local link only; routers do not forward packets with these addresses to other subnets. IPv6 requires a link-local address on every interface on which IPv6 is enabled. They have the prefix FE80::/10.

Loopback address: ::1/128
Unspecified address: ::/128 (all zeros; ::/0 is the default route, not an address)

IPv6 multicast addresses
Multicast addresses in IPv6 are similar to multicast addresses in IPv4. They are used to communicate with dynamic groups of hosts, for example all routers on the link ("one-to-many distribution"). IPv6 multicast addresses start with FF00::/8.

(The table of common link-local multicast addresses is a figure in the original and is not reproduced here.)
(The summary table of the most common IPv6 address prefixes is a figure in the original and is not reproduced here.)

IPv6 transition options
IPv4 and IPv6 are not interoperable, and the number of devices that use only IPv4 is still very large. Some of these devices do not support IPv6 at all, so a migration path is necessary and IPv4 and IPv6 will coexist for some time. Many transition mechanisms have been proposed; the main ones are:
1. IPv4/IPv6 dual stack (shown in LAB 55)
2. NAT64
3. Tunneling

IPv6 supports the following routing protocols:
- RIPng (RIP next generation)
- OSPFv3
- EIGRP for IPv6
- IS-IS for IPv6
- MP-BGP4 (Multiprotocol BGP-4)

(The table of major differences between IPv4 and IPv6 is a figure in the original and is not reproduced here.)
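The addressing rules of this section, expansion and shortening with at most one "::" and the category prefixes, together with the EUI-64 and solicited-node derivations that the "show ipv6 interface" output in LAB 52 relies on, as an added example in Python that is not part of the lab guide. It uses only the standard library; the sample addresses are the ones printed in this book (the MAC addresses are recovered from them, not taken from the original), and the classification follows the prefixes listed above, with FC00::/7 as the unique-local block of which FD00::/8 is the half in use.

```python
"""
Added example (not from the lab guide): the IPv6 address rules of this
section in code, plus the EUI-64 / solicited-node derivation used by
LAB 52. Standard library only; sample values come from the book's output.
"""
import ipaddress
from typing import List, Optional


def expand(addr: str) -> List[int]:
    """Return the eight 16-bit groups of a (possibly shortened) address."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in addr:
        head, tail = addr.split("::")
        h = [int(g, 16) for g in head.split(":") if g]
        t = [int(g, 16) for g in tail.split(":") if g]
        missing = 8 - len(h) - len(t)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = h + [0] * missing + t
    else:
        groups = [int(g, 16) for g in addr.split(":")]
    if len(groups) != 8 or not all(0 <= g <= 0xFFFF for g in groups):
        raise ValueError(f"not an IPv6 address: {addr!r}")
    return groups


def compress(addr: str) -> str:
    """Shorten: drop leading zeros, replace the longest run of >= 2 zero groups by '::'."""
    groups = expand(addr)
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:                         # first longest run wins
            best_start, best_len = i, j - i
        i = j
    hexg = [f"{g:X}" for g in groups]
    if best_len < 2:                                 # a lone zero group stays as "0"
        return ":".join(hexg)
    return ":".join(hexg[:best_start]) + "::" + ":".join(hexg[best_start + best_len:])


def classify(addr: str) -> str:
    """Name the address category using the prefixes listed in this section."""
    a = ipaddress.IPv6Address(":".join(f"{g:x}" for g in expand(addr)))
    if a == ipaddress.IPv6Address("::"):
        return "unspecified"
    if a.is_loopback:
        return "loopback"
    if a in ipaddress.IPv6Network("ff00::/8"):
        return "multicast"
    if a in ipaddress.IPv6Network("fe80::/10"):
        return "link-local unicast"
    if a in ipaddress.IPv6Network("fc00::/7"):       # FD00::/8 is the half in use
        return "unique local unicast"
    if a in ipaddress.IPv6Network("2000::/3"):
        return "global unicast"
    return "reserved/other"


def _mac_bytes(mac: str) -> bytes:
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 48 bits")
    return raw


def eui64_address(prefix: str, mac: str) -> str:
    """Modified EUI-64: insert FFFE in the middle of the MAC and flip the U/L bit."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 needs a /64 prefix")
    m = _mac_bytes(mac)
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:]
    full = int(net.network_address) | int.from_bytes(iid, "big")
    return compress(str(ipaddress.IPv6Address(full)))


def mac_from_eui64(addr: str) -> Optional[str]:
    """Invert the derivation; None if the interface ID is not EUI-64 shaped."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    m = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02X}" for b in m)


def solicited_node(addr: str) -> str:
    """FF02::1:FFxx:xxxx with the low 24 bits of the unicast address (Neighbor Discovery)."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return compress(str(ipaddress.IPv6Address(base | low24)))


if __name__ == "__main__":
    print(compress("1240:0000:0000:0000:0456:0000:CCCB:11DC"))
    for a in ("2001:BB9:AABB:1234::1", "FD00::1", "FE80::1", "FF02::2", "::1", "::"):
        print(f"{a:24} {classify(a)}")
    print(eui64_address("2001:0BB9:AABB:1234::/64", "00E0.8FD5.BD01"))   # DU in LAB 52
    print(mac_from_eui64("FE80::202:4AFF:FEA8:2D01"))                     # BUET's MAC
    print(solicited_node("2001:BB9:AABB:1234:202:4AFF:FEA8:2D01"))        # BUET's joined group
```

The functions reproduce the book's numbers: the shortening rules give 1240::456:0:CCCB:11DC, DU's EUI-64 address 2001:BB9:AABB:1234:2E0:8FFF:FED5:BD01 comes out of prefix plus MAC 00:E0:8F:D5:BD:01, and the solicited-node group of BUET's address is FF02::1:FFA8:2D01, the third group in its "Joined group address(es)" list.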
LAB 52: Configure IPv6
======================
Cisco routers do not have IPv6 routing enabled by default. To configure IPv6 on a Cisco device you need to do two things:
1. Enter "ipv6 unicast-routing" in global configuration mode.
2. Assign an IPv6 address to each interface. Three methods are shown here:
   - with the eui-64 parameter
   - manually assigned
   - link-local addressing only

EUI-64 Parameter
================
Basic Configuration

DU#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
DU(config)#ipv6 unicast-routing
DU(config)#interface fastEthernet 0/0
DU(config-if)#ipv6 address 2001:0BB9:AABB:1234::/64 eui-64
DU(config-if)#no shutdown
DU(config-if)#end

BUET>en
BUET#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
BUET(config)#ipv6 unicast-routing
BUET(config)#interface fastEthernet 0/0
BUET(config-if)#ipv6 address 2001:0BB9:AABB:1234::/64 eui-64
BUET(config-if)#no shutdown
BUET(config-if)#end

Verification
============
DU#show ipv6 interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::2E0:8FFF:FED5:BD01
  No Virtual link-local address(es):
  Global unicast address(es):
    2001:BB9:AABB:1234:2E0:8FFF:FED5:BD01, subnet is 2001:BB9:AABB:1234::/64 [EUI]
  Joined group address(es):

DU#show ipv6 route
IPv6 Routing Table - 3 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route, M - MIPv6
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
C   2001:BB9:AABB:1234::/64 [0/0]
     via ::, FastEthernet0/0
L   2001:BB9:AABB:1234:2E0:8FFF:FED5:BD01/128 [0/0]
     via ::, FastEthernet0/0
L   FF00::/8 [0/0]
     via ::, Null0
DU#

BUET#show ipv6 interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::202:4AFF:FEA8:2D01
  No Virtual link-local address(es):
  Global unicast address(es):
    2001:BB9:AABB:1234:202:4AFF:FEA8:2D01, subnet is 2001:BB9:AABB:1234::/64 [EUI]
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FFA8:2D01

How to read this output: with the eui-64 keyword the router builds the low 64 bits of the address from the interface MAC address by inserting FFFE in the middle and flipping the universal/local bit (bit 7 of the first byte). DU's interface ID 2E0:8FFF:FED5:BD01 therefore corresponds to MAC 00:E0:8F:D5:BD:01, and the same ID is used for the link-local and the global address. The joined groups are FF02::1 (all nodes), FF02::2 (all routers, because ipv6 unicast-routing is on) and FF02::1:FFA8:2D01, the solicited-node group formed from the low 24 bits of BUET's address, which Neighbor Discovery uses in place of ARP. Because EUI-64 embeds the MAC address, the address reveals the hardware vendor and stays the same on every network; that is acceptable on a router interface, but it is why hosts normally use privacy extensions or RFC 7217 stable addresses instead.

Ping from BUET to DU
BUET#ping ipv6 2001:BB9:AABB:1234:2E0:8FFF:FED5:BD01
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:BB9:AABB:1234:2E0:8FFF:FED5:BD01, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/4/24 ms

Manually Assigned and Link-local Addressing
===========================================
Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname APECE
APECE(config)#ipv6 unicast-routing
APECE(config)#interface loopback 1
APECE(config-if)#ipv6 address 2001::2/128
APECE(config-if)#exit
APECE(config)#interface fastEthernet 0/0
APECE(config-if)#ipv6 enable
APECE(config-if)#no shutdown
APECE(config-if)#exit

"ipv6 enable" turns IPv6 on for the interface without assigning a global address: the router generates only a link-local (FE80::/10) address, derived from the MAC address with EUI-64. The loopback address above is the manually assigned one.

Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname Ashish
Ashish(config)#ipv6 unicast-routing
Ashish(config)#interface loopback 1
Ashish(config-if)#ipv6 address 2001::1/128
Ashish(config-if)#exit
Ashish(config)#interface fastEthernet 0/0
Ashish(config-if)#ipv6 enable
Ashish(config-if)#no shutdown
Ashish(config-if)#end

Ashish#show ipv6 interface brief
FastEthernet0/0            [up/up]
    FE80::202:17FF:FE09:E901          (link-local address only, generated by "ipv6 enable")
FastEthernet0/1            [administratively down/down]
Loopback1                  [up/up]
    FE80::210:11FF:FE65:7A37
    2001::1
Vlan1                      [administratively down/down]

APECE#ping ipv6 FE80::202:17FF:FE09:E901
Output Interface: fastethernet0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FE80::202:17FF:FE09:E901, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/1 ms

Note: a link-local address is unique only per link, so when the destination is in FE80::/10 the router prompts for the output interface; a ping to a global address needs no interface.

LAB 53 : Configure IPv6 Static Route
====================================
The configuration and syntax are the same as for IPv4 static routing, with only minor differences: "ipv6 route" instead of "ip route", and a prefix length instead of a subnet mask.

DU Router
Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname DU
DU(config)#ipv6 unicast-routing
DU(config)#interface fastEthernet 0/0
DU(config-if)#ipv6 address 2001:AD8:23:45::1/64
DU(config-if)#no shutdown
DU(config-if)#exit

BUET Router
Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname BUET
BUET(config)#ipv6 unicast-routing
BUET(config)#interface fastEthernet 0/0
BUET(config-if)#ipv6 address 2001:AD8:23:45::2/64
BUET(config-if)#no shutdown
BUET(config-if)#exit
BUET#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
BUET(config)#interface fastEthernet 0/1
BUET(config-if)#ipv6 address 2001:BD55:1234:DC4::1/64
BUET(config-if)#no shutdown
BUET(config-if)#end
BUET#

Verification
============
BUET#show ipv6 interface brief
FastEthernet0/0            [up/up]
    FE80::260:3EFF:FEAE:5901
    2001:AD8:23:45::2
FastEthernet0/1            [administratively down/down]
Vlan1                      [administratively down/down]
BUET#

(This output still shows F0/1 administratively down, so it must have been captured before the "no shutdown" above; the host ping that follows requires F0/1 to be up.)

Verify connectivity using ping
DU#ping ipv6 2001:AD8:23:45::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:AD8:23:45::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/2 ms
DU#

Assign an IPv6 address to the host
(Screenshot not reproduced; the host is 2001:BD55:1234:DC4::2 with BUET's F0/1 address 2001:BD55:1234:DC4::1 as its gateway.)

Ping to router BUET from the host
C:>ping 2001:BD55:1234:DC4::1
Reply from 2001:BD55:1234:DC4::1: bytes=32 time=1ms TTL=255
Reply from 2001:BD55:1234:DC4::1: bytes=32 time<1ms TTL=255
Reply from 2001:BD55:1234:DC4::1: bytes=32 time<1ms TTL=255
Reply from 2001:BD55:1234:DC4::1: bytes=32 time<1ms TTL=255

Now ping to router DU
C:>ping 2001:AD8:23:45::1
Request timed out.
Request timed out.
Request timed out.
Request timed out.
The ping fails because DU has no route back to 2001:BD55:1234:DC4::/64: the echo request reaches DU through BUET, but DU cannot return the reply. Add a static route on DU with BUET's address as the next hop:

DU(config)#ipv6 route 2001:BD55:1234:DC4::/64 2001:AD8:23:45::2

BUET needs no route of its own, because both networks are directly connected to it.

Now ping the host from DU
DU#ping ipv6 2001:BD55:1234:DC4::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:BD55:1234:DC4::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/1 ms
DU#

And ping DU from the host
C:>ping 2001:AD8:23:45::1
Pinging 2001:AD8:23:45::1 with 32 bytes of data:
Reply from 2001:AD8:23:45::1: bytes=32 time=2ms TTL=254
Reply from 2001:AD8:23:45::1: bytes=32 time<1ms TTL=254
Reply from 2001:AD8:23:45::1: bytes=32 time<1ms TTL=254
Reply from 2001:AD8:23:45::1: bytes=32 time<1ms TTL=254

LAB 54 : Configure RIPng on a Cisco Router
==========================================
Basic Configuration

DU Router
Router#conf t
Router(config)#hostname DU
DU(config)#ipv6 unicast-routing
DU(config)#interface fastEthernet 0/0
DU(config-if)#ipv6 address 2001:AD8:23:45::1/64
DU(config-if)#no shutdown
DU(config-if)#exit

BUET Router
Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname BUET
BUET(config)#ipv6 unicast-routing
BUET(config)#interface fastEthernet 0/0
BUET(config-if)#ipv6 address 2001:AD8:23:45::2/64
BUET(config-if)#no shutdown
BUET(config-if)#exit
BUET(config)#interface fastEthernet 0/1
BUET(config-if)#ipv6 address 2001:BD55:1234:DC4::1/64
BUET(config-if)#no shutdown
BUET(config-if)#end

Configure RIPng
===============
RIPng has no "network" statement: the process is created globally under a local tag (here "ashish", which only has to match on the same router) and is then enabled on each interface that should send and receive RIPng updates.

DU(config)#ipv6 router rip ashish
DU(config-rtr)#exit
DU(config)#interface fastEthernet 0/0
DU(config-if)#ipv6 rip ashish enable
DU(config-if)#exit

BUET(config)#ipv6 router rip ashish
BUET(config-rtr)#exit
BUET(config)#interface fastEthernet 0/0
BUET(config-if)#ipv6 rip ashish enable
BUET(config-if)#exit
BUET(config)#interface fastEthernet 0/1
BUET(config-if)#ipv6 rip ashish enable
BUET(config-if)#end

Verification
============
DU#ping ipv6 2001:BD55:1234:DC4::2
Sending 5, 100-byte ICMP Echos to 2001:BD55:1234:DC4::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/1 ms

DU#show ipv6 route
IPv6 Routing Table - 4 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route, M - MIPv6
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
C   2001:AD8:23:45::/64 [0/0]
     via ::, FastEthernet0/0
L   2001:AD8:23:45::1/128 [0/0]
     via ::, FastEthernet0/0
R   2001:BD55:1234:DC4::/64 [120/2]
     via FE80::260:3EFF:FEAE:5901, FastEthernet0/0
L   FF00::/8 [0/0]
     via ::, Null0
DU#

Note: the next hop of the RIPng route is BUET's link-local address (compare the "show ipv6 interface brief" output in LAB 53), not its global address. IPv6 routing protocols exchange updates from, and install next hops pointing at, link-local addresses, which is also why the outgoing interface is always listed with the route.

*** Do not forget to enable IPv6 unicast routing; otherwise no IPv6 routing protocol will work.

LAB 55 : Dual-Stack Example
===========================
Hosts and network devices run both IPv4 and IPv6 at the same time.

First router (left with the default hostname in the original)
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#ipv6 unicast-routing
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip address 192.168.10.1 255.255.255.0
Router(config-if)#no shut
Router(config-if)#ipv6 address 2001:12::1/64
Router(config-if)#no shutdown
Router(config-if)#exit

Second router (DU)
Router(config)#hostname DU
DU(config)#ipv6 unicast-routing
DU(config)#interface fastEthernet 0/0
DU(config-if)#ip address 192.168.10.2 255.255.255.0
DU(config-if)#ipv6 address 2001:12::2/64
DU(config-if)#no shutdown
DU(config-if)#end

- The FastEthernet 0/0 interfaces of the two routers are dual-stacked.
- Each is configured with an IPv4 and an IPv6 address.
- For each protocol, the addresses of the two routers are in the same network.

Verification
============
DU#show ip interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up (connected)
  Internet address is 192.168.10.2/24                    (IPv4 address)
  Broadcast address is 255.255.255.255
  ------------------------------------
DU#show ipv6 interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::2D0:97FF:FE08:1301   (IPv6 link-local address)
  ----------------------------------------
DU#ping ipv6 2001:12::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:12::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/2 ms
LAB 56 : Configuration of IPsec VPN
===================================
A Virtual Private Network (VPN) provides a secure tunnel across a public network such as the Internet, so that organisations can connect users and offices together without the high cost of dedicated leased lines.

VPNs are generally used for:
- Client VPNs (remote access VPN): connecting home or "roaming" users to the office
- Site-to-site VPNs: connecting branch offices to a head office

Types of VPN protocols:
1. Internet Protocol Security (IPsec)
2. Layer 2 Tunneling Protocol (L2TP)
3. Point-to-Point Tunneling Protocol (PPTP) (listed for completeness only; its MS-CHAPv2 authentication has been broken and it should no longer be used)
4. Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
5. OpenVPN
6. Secure Shell (SSH)

Here we describe only the IPsec site-to-site VPN.

IPsec: IPsec (Internet Protocol Security) is a suite of protocols that protects IP traffic at the network layer.

The four core IPsec services:
- Confidentiality: the data is encrypted.
- Integrity: a keyed hash (HMAC) ensures that the data has not been tampered with or altered in transit.
- Authentication: the identity of the peer sending the data is confirmed, using pre-shared keys or certificates issued by a CA (Certificate Authority).
- Anti-replay: sequence numbers let the receiver detect and discard duplicated (replayed) packets.
Configuration of IPsec VPN
==========================
The five phases of an IPsec VPN:
1. Define interesting traffic (the crypto ACL).
2. IKE phase 1: creates the first tunnel (the ISAKMP SA), which protects the later ISAKMP negotiation messages.
3. IKE phase 2: creates the tunnel that protects the data (the IPsec SAs).
4. Transfer data.
5. Tear down the tunnel.

Basic Configuration
R1 Router

(The original first assigned 192.168.10.1 to F0/0 and then re-addressed the same interface to 103.13.148.1; only the final addressing is shown here. F0/0 is the outside interface toward R2 and F0/1 is the LAN.)

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 103.13.148.1 255.255.255.240
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface fastEthernet 0/1
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#ip route 192.168.20.0 255.255.255.0 103.13.148.2

Configuring IKE Phase 1
=======================
1. Enable ISAKMP (it is already on by default on most IOS releases; the command is harmless in that case):
R1(config)#crypto isakmp enable

2. Create the ISAKMP policy:
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#hash md5
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#group 2
R1(config-isakmp)#lifetime 3600
R1(config-isakmp)#exit

3. Configure the pre-shared key, bound to the peer's address:
R1(config)#crypto isakmp key cisco123 address 103.13.148.2

Configuring IKE Phase 2
=======================
1. Create the transform set:
R1(config)#crypto ipsec transform-set ashish esp-3des esp-md5-hmac

2. (Optional) Configure the IPsec SA lifetime:
R1(config)#crypto ipsec security-association lifetime seconds 3600

3. Create mirrored ACLs defining the traffic to be encrypted and the traffic expected to arrive encrypted (R2's ACL must have source and destination swapped):
R1(config)#access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

4. Set up the IPsec crypto map:
R1(config)#crypto map mymap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R1(config-crypto-map)#match address 101

Note on algorithm choice: 3DES, MD5, DH group 2 and a short pre-shared key are what older lab equipment and simulators support, and the two peers must match, but all four are classed as legacy in current Cisco guidance. On hardware that supports it use AES (256-bit), SHA-256, DH group 14 or higher and a long random pre-shared key or certificate authentication, and prefer IKEv2 over the IKEv1/ISAKMP configuration shown here.
R1(config-crypto-map)#set peer 103.13.148.2
R1(config-crypto-map)#set pfs group2
R1(config-crypto-map)#set transform-set ashish
R1(config-crypto-map)#exit

Apply the crypto map to the outside interface:
R1(config)#interface fastEthernet 0/0
R1(config-if)#crypto map mymap

The configuration on R2 mirrors R1. (R2's interface addressing, presumably 103.13.148.2 on its outside interface and the 192.168.20.0/24 LAN, and its static route back to 192.168.10.0/24 are not shown in the original.)

R2(config)#crypto isakmp enable
R2(config)#crypto isakmp policy 1
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#encryption 3des
R2(config-isakmp)#hash md5
R2(config-isakmp)#group 2
R2(config-isakmp)#lifetime 3600
R2(config)#crypto isakmp key cisco123 address 103.13.148.1
R2(config)#crypto ipsec transform-set ashish esp-3des esp-md5-hmac
R2(cfg-crypto-trans)#exit
R2(config)#crypto ipsec security-association lifetime seconds 3600
R2(config)#access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
R2(config)#crypto map mymap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R2(config-crypto-map)#match address 101
R2(config-crypto-map)#set peer 103.13.148.1
R2(config-crypto-map)#set pfs group2
R2(config-crypto-map)#set transform-set ashish
R2(config-crypto-map)#exit
R2(config)#interface fastEthernet 0/0
R2(config-if)#crypto map mymap
R2(config-if)#
*Mar  1 00:34:26.911: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R2(config-if)#
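The matching requirements spelled out in the two phases above (same ISAKMP policy, same pre-shared key bound to each other's address, same transform set and PFS group, peers that point at each other, and crypto ACLs that are mirror images), as an added example in Python that is not part of the lab guide. It parses the R1 and R2 crypto commands exactly as typed, with their prompts, reports anything that would stop the tunnel from forming, and separately flags the algorithm choices that current guidance treats as legacy. The legacy sets and the 16-character threshold for the pre-shared key are the editor's assumptions.

```python
"""
Added example (not from the lab guide): a consistency and strength check
for the two-router IKEv1/IPsec configuration of LAB 56. The configs below
are the book's commands; the legacy lists are the editor's assumptions.
"""
import re
from typing import Dict, List, Tuple

R1_CONFIG = """
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#hash md5
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#group 2
R1(config-isakmp)#lifetime 3600
R1(config)#crypto isakmp key cisco123 address 103.13.148.2
R1(config)#crypto ipsec transform-set ashish esp-3des esp-md5-hmac
R1(config)#access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
R1(config)#crypto map mymap 10 ipsec-isakmp
R1(config-crypto-map)#match address 101
R1(config-crypto-map)#set peer 103.13.148.2
R1(config-crypto-map)#set pfs group2
R1(config-crypto-map)#set transform-set ashish
"""

R2_CONFIG = """
R2(config)#crypto isakmp policy 1
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#encryption 3des
R2(config-isakmp)#hash md5
R2(config-isakmp)#group 2
R2(config-isakmp)#lifetime 3600
R2(config)#crypto isakmp key cisco123 address 103.13.148.1
R2(config)#crypto ipsec transform-set ashish esp-3des esp-md5-hmac
R2(config)#access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
R2(config)#crypto map mymap 10 ipsec-isakmp
R2(config-crypto-map)#match address 101
R2(config-crypto-map)#set peer 103.13.148.1
R2(config-crypto-map)#set pfs group2
R2(config-crypto-map)#set transform-set ashish
"""

# Editor's assumptions about what counts as legacy (Cisco "next generation
# encryption" guidance): MD5/SHA-1 hashes, DES/3DES, DH groups 1, 2 and 5.
LEGACY_ISAKMP = {"hash": {"md5", "sha"}, "encryption": {"des", "3des"}, "group": {"1", "2", "5"}}
LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac"}
MIN_PSK_LEN = 16
PROMPT = re.compile(r"^\S+?\([^)]*\)#")          # strips "R1(config-isakmp)#"


def parse_crypto(config: str) -> Dict:
    """Pull the tunnel-relevant settings out of a pasted IOS session."""
    c = {"isakmp": {}, "key": None, "key_peer": None, "transform": (),
         "acl": [], "peer": None, "pfs": None}
    for raw in config.strip().splitlines():
        t = PROMPT.sub("", raw).strip().split()
        if not t:
            continue
        if t[:3] == ["crypto", "isakmp", "key"]:          # crypto isakmp key K address A
            c["key"], c["key_peer"] = t[3], t[5]
        elif t[0] in ("authentication", "hash", "encryption", "group", "lifetime") and len(t) == 2:
            c["isakmp"][t[0]] = t[1]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            c["transform"] = tuple(t[4:])
        elif t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            c["acl"].append(tuple(t[4:8]))                 # (src, wild, dst, wild)
        elif t[:2] == ["set", "peer"]:
            c["peer"] = t[2]
        elif t[:2] == ["set", "pfs"]:
            c["pfs"] = t[2]
    return c


def check_pair(a: Dict, a_wan: str, b: Dict, b_wan: str) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings): errors stop the tunnel, warnings are weak-crypto findings."""
    errors, warnings = [], []
    if a["isakmp"] != b["isakmp"]:
        errors.append(f"ISAKMP policy mismatch: {a['isakmp']} vs {b['isakmp']}")
    if a["key"] != b["key"]:
        errors.append("pre-shared keys differ")
    if (a["key_peer"], b["key_peer"]) != (b_wan, a_wan):
        errors.append("pre-shared key bound to the wrong peer address")
    if (a["peer"], b["peer"]) != (b_wan, a_wan):
        errors.append("crypto map peers do not point at each other")
    if a["transform"] != b["transform"]:
        errors.append("transform sets differ")
    if a["pfs"] != b["pfs"]:
        errors.append("PFS settings differ")
    mirror_of_b = {(d, dw, s, sw) for (s, sw, d, dw) in b["acl"]}
    if set(a["acl"]) != mirror_of_b:
        errors.append("crypto ACLs are not mirror images")
    for side, cfg in (("A", a), ("B", b)):
        for attr, weak in LEGACY_ISAKMP.items():
            if cfg["isakmp"].get(attr) in weak:
                warnings.append(f"{side}: legacy ISAKMP {attr} {cfg['isakmp'][attr]}")
        for tr in cfg["transform"]:
            if tr in LEGACY_TRANSFORMS:
                warnings.append(f"{side}: legacy transform {tr}")
        if cfg["isakmp"].get("authentication") == "pre-share" and cfg["key"] and len(cfg["key"]) < MIN_PSK_LEN:
            warnings.append(f"{side}: pre-shared key shorter than {MIN_PSK_LEN} characters")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_pair(parse_crypto(R1_CONFIG), "103.13.148.1",
                             parse_crypto(R2_CONFIG), "103.13.148.2")
    print("errors:", errs or "none")
    for w in warns:
        print("warning:", w)
```

For the book's configuration the error list is empty, which is why the tunnel comes up in the verification that follows, while every warning line points at a setting the note under IKE phase 1 recommends replacing. Swapping one octet in R2's ACL or changing its hash makes the corresponding error appear, which is the quickest way to see which of the mirrored settings a failing tunnel is missing.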
Verification and testing

Ping from R1 to PC2:
R1#ping 192.168.20.2 source 192.168.10.1

Be sure to send the ping from the inside IP address when testing the VPN tunnel from the router; a ping sourced from the WAN address does not match the crypto ACL and will not trigger the tunnel. We can also ping from PC1 to PC2. The ping brings up the VPN because it matches the "interesting" traffic defined in the crypto ACL (the first ping is lost while the tunnel is being established). We can verify with "show crypto engine connections active".

Verify the IKE Phase 1 (ISAKMP) security association:
R1#show crypto isakmp sa

Verify the IPsec Phase 2 security association:
R1#show crypto ipsec sa
We can also view active IPsec sessions using the show crypto session command.

APPENDIX: SUBNETTING TECHNIQUE
IPv4 Address and Subnetting

An IP address (Internet Protocol address) is a number used to indicate the location of a computer or other device on a network using TCP/IP. As Internet technology has evolved, the demand for IP addresses has increased sharply. IPv4 can provide only about 4.3 billion IP addresses, so IPv6 was introduced, which can provide about 3.4*104 IP addresses.

IP address classes (IPv4)

There are five classes of available IP ranges: Class A, Class B, Class C, Class D and Class E, while only A, B and C are commonly used. Each class allows for a range of valid IP addresses, shown in the following table.

Class     Address Range                    Supports
Class A   1.0.0.1 to 126.255.255.254       16 million hosts on each of 127 networks.
Class B   128.1.0.1 to 191.255.255.254     65,000 hosts on each of 16,000 networks.
Class C   192.0.1.1 to 223.255.254.254     254 hosts on each of 2 million networks.
Class D   224.0.0.0 to 239.255.255.255     Reserved for multicast groups.
Class E   240.0.0.0 to 254.255.255.254     Reserved for future use, or research and development purposes.

The 127.x.x.x range is reserved for the loopback or localhost; for example, 127.0.0.1 is the loopback address. The address 255.255.255.255 broadcasts to all hosts on the local network.
127.0.0.1 is the loopback Internet Protocol (IP) address, also referred to as the "localhost". The address is used to establish an IP connection to the same machine being used by the end user. IPv4 network standards reserve the entire 127.0.0.0/8 address block for loopback purposes, which means any packet sent to any of those addresses (127.0.0.1 through 127.255.255.255) is looped back. The address 127.0.0.1 is the standard address normally used for IPv4 loopback traffic; the rest are rarely used in practice. The IPv6 standard assigns only a single address for loopback: ::1.

Private IP Addresses

The Internet Assigned Numbers Authority (IANA) reserves the following IP address blocks for use as private IP addresses:
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255

The first range allows for over 16 million addresses, the second for over 1 million, and the last for over 65,000. Another range of private IP addresses is 169.254.0.0 to 169.254.255.255, but it is for Automatic Private IP Addressing (APIPA) use only.

Reserved IP Addresses

Technically, the entire range from 127.0.0.0 to 127.255.255.255 is reserved for loopback purposes, but you'll almost never see anything but 127.0.0.1 used in the real world. The range from 0.0.0.0 to 0.255.255.255 is also reserved but does not do anything at all. Even if you are able to assign a device an IP address in this range, it would not function properly no matter where on the network it was installed.
Subnet Mask

The subnet mask is the value assigned during subnetting. If, for example, your Internet Service Provider has given you an IP address of 192.168.0.1/24, it means that your subnet mask is 255.255.255.0. The value 24 represents the 24 ones in the binary equivalent of 255.255.255.0.

A subnet mask is used to identify the network portion and the host portion of an IP address. The host portion further helps in calculating the number of IP addresses. For example, 192.168.99.0 255.255.255.0: here, in the subnet mask 255.255.255.0, the last octet (0) is the host portion, which means the network can hold 2^8 = 256 IP addresses, of which the first one is the network ID and the last one is the broadcast ID. So the usable IP addresses are 256 - 2 = 254.

Benefits of Subnetting

Think of a whole room shared by all office staff without partitions, and the same room shared after partitioning: now each group gets a separate room. In the same way, when a large network is divided into several small networks, the number of broadcast domains increases and performance improves.
- Improve network performance and speed
- Reduce network congestion
- Boost network security
- Control network growth
- Ease administration
- Subnetting allows you to make efficient use of your address space.
Worked example

Given subnet: 192.168.10.0/24. We have to subnet it so that there are
1. At least 5 subnets
2. 25 hosts per subnet
and also find out
3. The subnet mask
4. The valid subnets
5. The valid host range for each subnet
6. The broadcast address for each subnet
7. The subnet and broadcast address for 192.168.10.191

IP address:    192      168      10       0
               8 bits   8 bits   8 bits   8 zeros
Subnet mask:   255      255      255      0 0 0 0 0 0 0 0

We will create the new subnets and the hosts per subnet using these 8 bits. As our CIDR prefix is /24, the first 24 bits will not be used for subnetting. Network bits are taken from the left side and host bits from the right side.

We need at least 5 subnets. Formula for the number of valid subnets = 2^n - 2, where n is the number of borrowed bits:
If n = 1: subnets = 2^1 - 2 = 0
If n = 2: subnets = 2^2 - 2 = 2
If n = 3: subnets = 2^3 - 2 = 6 (our desired value)
If n = 4: subnets = 2^4 - 2 = 14

The number of valid subnets = 6, so we take 3 bits from the left side of the octet and set all three bits to 1:
1 1 1 0 0 0 0 0
The remaining 5 bits are used for hosts per subnet, so the number of hosts per subnet = 2^5 - 2 = 30.
1. The number of valid subnets = 6
2. The number of valid hosts per subnet = 30
3. The subnet mask = 255.255.255.224

Subnet mask: 255.255.255. 1 1 1 0 0 0 0 0 = 255.255.255.224

Binary to decimal
Bit values (have to memorize):  128  64  32  16  8  4  2  1
Mask octet:                       1   1   1   0  0  0  0  0
Consider the positions where the bit is 1: here 128, 64 and 32. Adding these values gives 128 + 64 + 32 = 224 (the mask).

Decimal to binary
248:   128  64  32  16  8  4  2  1
         1   1   1   1  1  0  0  0
248 = 128 + 64 + 32 + 16 + 8 (find which values are needed to form 248 and set those bits to 1, as described above).

4. To find the subnets we first find the gap between two subnets, using the following formula:
Subnet gap = 256 - mask value = 256 - 224 = 32
This is also called the incremental value: 0, 32, 64, etc. The zero subnet is not used by default on Cisco; to use it we have to apply the "ip subnet-zero" command.

In detail:
Subnet       32   64   96   128  160  196   (our next value is 224; as it is the mask value we will not use it ***)
First host   33   65   97   129  161  197
Last host    62   94   126  158  194  222
Broadcast    63   95   127  159  195  223
- The broadcast is the value just before the next subnet.
- First host = subnet + 1; last host = broadcast - 1.
- So when we use subnet 32, i.e. the 192.168.10.32 subnet, the host addresses are 192.168.10.33 through 192.168.10.62, a total of 30 IP addresses that can be used by hosts.
- The subnet and broadcast addresses are never used as host IP addresses.
- The subnet mask for these addresses is 255.255.255.224, and it is the same for all subnets.
- In our formula for the number of subnets we subtract 2: one is the zero subnet and the other is 224, the mask value.
- We also subtract 2 when we find the number of valid hosts: one is the subnet address and the other is the broadcast.

7. We do a simple calculation to find the subnet for 192.168.10.191:
191/32 = 5, remainder 191 - 160 = 31 (the remainder must be lower than 32; the value 160 is always the subnet)
i.e. subnet = 192.168.10.160
Broadcast = 196 - 1 = 195 (next subnet = 160 + 32 = 196)
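The same procedure carried through in code, as an added example that is not part of the lab guide: subnet_plan borrows the fewest bits that satisfy both requirements (using the 2^n - 2 rule, or 2^n when the "ip subnet-zero" case is requested) and produces the subnet/first/last/broadcast table, and locate applies the subnet-gap method to a single address such as 192.168.10.191, so its output can be compared line by line against the hand-worked table above.

```python
import ipaddress

def subnet_plan(network, min_subnets, min_hosts, subnet_zero=False):
    """Borrow the fewest host bits that give min_subnets and min_hosts, using the
    2^n - 2 subnet rule unless subnet_zero is set (the guide's 'ip subnet-zero' case)."""
    net = ipaddress.ip_network(network)
    host_bits = net.max_prefixlen - net.prefixlen
    for n in range(1, host_bits - 1):
        subnets = 2 ** n - (0 if subnet_zero else 2)
        hosts = 2 ** (host_bits - n) - 2
        if subnets >= min_subnets and hosts >= min_hosts:
            blocks = list(net.subnets(prefixlen_diff=n))
            if not subnet_zero:
                blocks = blocks[1:-1]  # drop the zero subnet and the all-ones subnet
            rows = [{"subnet": str(b.network_address),
                     "first": str(b.network_address + 1),
                     "last": str(b.broadcast_address - 1),
                     "broadcast": str(b.broadcast_address)} for b in blocks]
            return {"bits": n, "subnets": subnets, "hosts": hosts,
                    "mask": str(blocks[0].netmask), "rows": rows}
    raise ValueError("no split satisfies both requirements")

def locate(ip, mask):
    """Guide's subnet-gap method: gap = 256 - mask octet, subnet = (octet // gap) * gap,
    broadcast = next subnet - 1, applied in the first octet where the mask is not 255."""
    octets = [int(o) for o in ip.split(".")]
    mask_octets = [int(o) for o in mask.split(".")]
    i = next((k for k, m in enumerate(mask_octets) if m != 255), 3)
    gap = 256 - mask_octets[i]
    start = octets[i] // gap * gap
    subnet = octets[:i] + [start] + [0] * (3 - i)
    broadcast = octets[:i] + [start + gap - 1] + [255] * (3 - i)
    return ".".join(map(str, subnet)), ".".join(map(str, broadcast))

if __name__ == "__main__":
    plan = subnet_plan("192.168.10.0/24", 5, 25)
    print(plan["mask"], plan["subnets"], "subnets,", plan["hosts"], "hosts each")
    for row in plan["rows"]:
        print(row)
    print(locate("192.168.10.191", plan["mask"]))
```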
ASHISH HALDER
APPLIED PHYSICS, ELECTRONICS AND COMMUNICATION ENGINEERING
UNIVERSITY OF DHAKA
EMAIL: glakh2010@gmail.com
Skype: ashish.halder312