zoom ccnp all labs

Upload: srinu-gajula

Post on 12-Oct-2015


  • Zoom Technologies CCNP Lab Guide

    Name___________________________________

    Faculty ______________________

    Batch ______Date_________

    Zoom Technologies

    Cisco Certified Network

    Professional Lab Guide


    INDEX

    EIGRP
    OSPF
    ISIS
    REDISTRIBUTION
    BGP
    MULTICASTING
    IPv6
    ADSL
    VPN
    IDS/IPS
    FIREWALL
    AAA, SYSLOG, SNMP
    MPLS
    VLAN
    STP
    Advanced STP
    INTERVLAN ROUTING
    HSRP
    GLBP
    SWITCH SECURITY
    VOIP
    QOS
    WLAN


    Important Notes

    How to telnet (for ZOOM CCNP Lab only)

    1. First make sure your IP address matches the one on the label on your monitor. If different, please change it to the correct address.

    2. Telnet to the access-server IP address, 192.168.0.1.

    3. If you are using router number A, where A can be a value from 1 to 16, enter the following command on the access server. For example, when using the first router, the command must look like this:

    Access-server1#clear line 1

    [confirm]

    [OK]

    4. Keeping the current telnet window open, open another command prompt to telnet to your router

    5. Enter the following command to telnet to your router

    C:\>telnet 192.168.0.1 200A

    6. In case you fail to connect to the router, follow steps 3 to 5 again.

    NOTE:

    In a few of the labs, you will encounter IP addresses containing the value X. Replace X with a number according to the router you are configuring. The values of X for each router are:

    X = 1: INDIA, SRILANKA, MALAYSIA, THAILAND

    X = 2: SUDAN, ALGERIA, NIGERIA, TANZANIA

    X = 3: POLAND, RUSSIA, FRANCE, SPAIN

    X = 4: CHINA, MONGOLIA, JAPAN, HONGKONG


    EIGRP

    *Configure the bandwidth on the WAN interfaces as per the given diagram and initiate the EIGRP routing protocol on all the routers in autonomous system 65000.

    RA1#conf t

    RA1(config)#interface serial 1/0

    RA1(config-if)#bandwidth 128

    RA1(config-if)#interface serial 1/1

    RA1(config-if)#bandwidth 128

    RA1(config-if)#exit

    RA1(config)#router eigrp 65000

    RA1(config-router)#network 10.0.0.0

    RA1(config-router)#network 192.168.X.0

    RA1(config-router)#network 172.16.0.0

    RA1(config-router)#end

    RA2#conf t

    RA2(config)#interface serial 1

    RA2(config-if)#bandwidth 128

    RA2(config-if)#interface serial 0

    RA2(config-if)#bandwidth 128

    RA2(config-if)#exit

    RA2(config)#router eigrp 65000

    RA2(config-router)#network 192.168.X.0

    RA2(config-router)#network 20.0.0.0

    RA2(config-router)#end

    RA3(config)#interface serial 0

    RA3(config-if)#bandwidth 64

    RA3(config-if)#interface serial 1


    RA3(config-if)#bandwidth 128

    RA3(config-if)#exit

    RA3(config)#router eigrp 65000

    RA3(config-router)#network 192.168.X.0

    RA3(config-router)#network 30.0.0.0

    RA3(config-router)#end

    RA4(config)#interface serial 0

    RA4(config-if)#bandwidth 128

    RA4(config-if)#interface serial 1

    RA4(config-if)#bandwidth 64

    RA4(config-if)#exit

    RA4(config)#router eigrp 65000

    RA4(config-router)#net 192.168.X.0

    RA4(config-router)#net 40.0.0.0

    RA4(config-router)#end

    *Verification of EIGRP

    RA#show ip protocol

    RA#show ip eigrp neighbor

    RA#show ip eigrp topology

    RA#show ip route

    *Check the auto-summarization of your loopback networks in your neighbor's routing table by telnetting to their WAN IP. All the loopback interface networks appear as one network with the default classful subnet mask.

    RA4#show ip route

    Router#conf t

    Router(config)#router eigrp 65000

    Router(config-router)#no auto-summary

    Router(config-router)#end

    *Check the output on the neighbor router to find the loopbacks advertised individually.

    RA4#show ip route

    *Manual summarization has to be configured on a per-interface basis. Calculate the summarized network ID manually and advertise it on all the interfaces of the router as follows.

    Router (config)#interface serial 0/1/0

    Router (config-if)#ip summary-address eigrp 65000 10.X.0.0 255.255.252.0

    Router (config)#interface serial 0/1/1

    Router (config-if)#ip summary-address eigrp 65000 10.X.0.0 255.255.252.0

    Router (config-if)#interface serial 0/2/0

    Router (config-if)#ip summary-address eigrp 65000 10.X.0.0 255.255.252.0


    *Check the output in the neighbor's routing table to find the summarized address with the customized subnet mask that you advertised.

    RA4#show ip route

    VARIANCE

    RA3#show ip eigrp topology

    RA3#show ip route

    You will find the successors and feasible successors in the topology table but only the successor routes in the routing table. To use the feasible successor also, we have to enable variance. This can be configured only on the routers with feasible successors available in the topology table.

    RA3# conf t

    RA3(config)#router eigrp 65000

    RA3(config-router)#variance 2

    RA3(config-router)#end

    RA3#clear ip route *

    RA3#show ip route

    AUTHENTICATION

    Check the EIGRP neighbor table to note your neighbors. First configure authentication on one of your serial interfaces; you will then not be able to see the neighboring router on that interface. The neighbor router will be shown in the neighbor table only if authentication has also been enabled on its corresponding interface.

    RA1#show ip eigrp neighbor

    RA1(config)#key chain zoom

    RA1(config-keychain)#key 1

    RA1(config-keychain-key)#key-string zoom123

    RA1(config-keychain-key)#exit

    RA1(config-keychain)#exit

    RA1(config)#interface serial 0/1/0

    RA1(config-if)#ip authentication mode eigrp 65000 md5

    RA1(config-if)#ip authentication key-chain eigrp 65000 zoom

    RA1(config-if)#end

    RA2(config)#key chain ccnp

    RA2(config-keychain)#key 1

    RA2(config-keychain-key)#key-string zoom123

    RA2(config-keychain-key)#exit

    RA2(config-keychain)#exit

    RA2(config)#interface serial 1

    RA2(config-if)#ip authentication mode eigrp 65000 md5

    RA2(config-if)#ip authentication key-chain eigrp 65000 ccnp

    RA2(config-if)#end

    RA1#show ip eigrp neighbor


    OSPF

    *Configure all the routers in OSPF area 0. Shown below are the different possible ways of advertising the directly connected networks in the OSPF process. You may use any of the following methods to advertise your connected networks.

    RA1(config)#router ospf 1

    RA1(config-router)#network 192.168.X.16 0.0.0.15 area 0

    RA1(config-router)#network 192.168.X.80 0.0.0.3 area 0

    RA1(config-router)#network 192.168.X.92 0.0.0.3 area 0

    RA1(config-router)#network 172.16.1.Y 0.0.0.3 area 0

    RA1(config-router)#end

    RA2#conf t

    RA2(config)#router ospf 2

    RA2(config-router)#net 192.168.X.0 0.0.0.255 area 0

    RA2(config-router)#end

    RA3(config)#router ospf 3

    RA3(config-router)#net 0.0.0.0 255.255.255.255 area 0

    RA3(config-router)#end

    RA4(config)#router ospf 4

    RA4(config-router)#net 192.168.X.0 0.0.0.255 area 0

    RA4(config-router)#end

    RA#show ip protocol

    RA#show ip ospf neighbor

    RA#show ip ospf database

    RA#show ip route


    DR and BDR Election

    *Remove any previous routing configuration, configure the Ethernet interface IP addresses of all routers in the same network as shown in the diagram, and advertise the networks in OSPF area 0.

    RA4(config)#no ip routing

    RA4(config)#ip routing

    RA4(config)#interface ethernet 0

    RA4(config-if)#ip add 192.168.X0.4 255.255.255.0

    RA4(config-if)#ip ospf priority 0

    RA4(config)#router ospf 4

    RA4(config-router)#net 192.168.X0.0 0.0.0.255 area 0

    RA4(config-router)#end

    RA3(config)#no ip routing

    RA3(config)#ip routing

    RA3(config)#interface ethernet 0

    RA3(config-if)#ip address 192.168.X0.3 255.255.255.0

    RA3(config-if)#ip ospf priority 20

    RA3(config-if)#exit

    RA3(config)#router ospf 3

    RA3(config-router)#network 192.168.X0.0 0.0.0.255 area 0

    RA3(config-router)#end

    RA2(config)#no ip routing

    RA2(config)#ip routing

    RA2(config)#interface ethernet 0

    RA2(config-if)#ip add 192.168.X0.2 255.255.255.0

    RA2(config-if)#ip ospf priority 50

    RA2(config-if)#exit

    RA2(config)#router ospf 2

    RA2(config-router)#net 192.168.X0.0 0.0.0.255 area 0

    RA2(config-router)#end

    RA1(config)#no ip routing

    RA1(config)#ip routing

    RA1(config)#interface fa 0/0

    RA1(config-if)#ip add 192.168.X0.1 255.255.255.0

    RA1(config-if)#ip ospf priority 100

    RA1(config-if)#exit

    RA1(config)#router ospf 1

    RA1(config-router)#net 192.168.X0.0 0.0.0.255 area 0

    RA4#show ip ospf neighbor


    *Use the show ip ospf neighbor command to find the DR and BDR in the neighbor table. If the wrong routers were elected as the DR and BDR, restart the election process by clearing the OSPF process on all the routers at the same time.

    RA3#clear ip ospf process

    Reset ALL OSPF processes? [no]: y

    RA4#show ip ospf neighbor
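
Why the "wrong" routers can end up as DR and BDR, as an added example that is not part of the lab guide: a simplified, whole-segment model of the RFC 2328 election run with the priorities configured above. The router IDs (interface addresses with X = 1) and the function names are assumptions.

```python
from ipaddress import IPv4Address

# Priorities are the ones configured in this lab; router IDs are assumed
# (interface addresses with X = 1), since the guide does not list them.
LAB = [
    {"name": "RA1", "rid": "192.168.10.1", "prio": 100},
    {"name": "RA2", "rid": "192.168.10.2", "prio": 50},
    {"name": "RA3", "rid": "192.168.10.3", "prio": 20},
    {"name": "RA4", "rid": "192.168.10.4", "prio": 0},
]


def _best(candidates):
    """Highest priority wins; the higher router ID breaks ties."""
    return max(candidates, key=lambda r: (r["prio"], IPv4Address(r["rid"])), default=None)


def elect(routers, claims=None):
    """Return (DR, BDR) names for one broadcast segment.

    claims maps a router name to the role it already holds ("DR" or "BDR");
    routers that have just come up hold no role.
    """
    claims = dict(claims or {})
    eligible = [r for r in routers if r["prio"] > 0]   # priority 0 never takes part
    dr = bdr = None
    for _ in range(2):                                 # rerun once if a role changed
        non_dr = [r for r in eligible if claims.get(r["name"]) != "DR"]
        # BDR: prefer routers already claiming BDR, otherwise anyone not claiming DR.
        bdr = _best([r for r in non_dr if claims.get(r["name"]) == "BDR"]) or _best(non_dr)
        # DR: only routers already claiming DR compete; if none, the BDR is promoted.
        dr = _best([r for r in eligible if claims.get(r["name"]) == "DR"]) or bdr
        new_claims = {}
        if dr:
            new_claims[dr["name"]] = "DR"
        if bdr and bdr is not dr:
            new_claims[bdr["name"]] = "BDR"
        if new_claims == claims:
            break
        claims = new_claims
    return (dr["name"] if dr else None,
            bdr["name"] if bdr and bdr is not dr else None)


if __name__ == "__main__":
    # All routers restart together (the "clear ip ospf process" step): priorities decide.
    print("simultaneous start:", elect(LAB))
    # RA3 and RA2 came up first; RA1 joins later and does not pre-empt them.
    print("RA1 joins late:   ", elect(LAB, {"RA3": "DR", "RA2": "BDR"}))
    # The DR (RA3) fails: the BDR is promoted and a new BDR is chosen.
    survivors = [r for r in LAB if r["name"] != "RA3"]
    print("DR lost:          ", elect(survivors, {"RA2": "BDR"}))
```

The second case is the one the lab step works around: existing roles are kept, so priorities only take effect when every router re-runs the election together.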

    AUTHENTICATION - MD5

    *Configure OSPF authentication on the routers to accept updates only from authenticated OSPF neighbors.

    RA1(config)#router ospf 1

    RA1(config-router)#area 0 authentication message-digest

    RA1(config-router)#exit

    RA1(config)#interface fa 0/0

    RA1(config-if)#ip ospf message-digest-key 1 md5 zoom123

    RA2(config)#router ospf 2

    RA2(config-router)#area 0 authentication message-digest

    RA2(config-router)#exit

    RA2(config)#interface ethernet 0

    RA2(config-if)#ip ospf message-digest-key 1 md5 zoom123

    *Verify by checking the routing table to see from which routers you receive updates.

    RA1#show ip route

    RA2#show ip route
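
Both authentication exercises (the EIGRP key chains earlier and the OSPF message-digest keys here) drop the neighbor without much explanation when the two ends disagree. The audit below is an added example, not part of the lab guide: it parses constructed config excerpts built from the lab's commands and reports why a link cannot authenticate. The function names and the interface pairings are assumptions.

```python
import re

# Constructed running-config excerpts assembled from the lab's own commands.
RA1_CFG = """\
key chain zoom
 key 1
  key-string zoom123
interface Serial0/1/0
 ip authentication mode eigrp 65000 md5
 ip authentication key-chain eigrp 65000 zoom
interface FastEthernet0/0
 ip ospf message-digest-key 1 md5 zoom123
"""
RA2_CFG = """\
key chain ccnp
 key 1
  key-string zoom123
interface Serial1
 ip authentication mode eigrp 65000 md5
 ip authentication key-chain eigrp 65000 ccnp
interface Ethernet0
 ip ospf message-digest-key 1 md5 zoom123
"""
# Constructed faulty variant: MD5 mode enabled, but the key chain is never attached.
RA2_NO_CHAIN = RA2_CFG.replace(" ip authentication key-chain eigrp 65000 ccnp\n", "")


def parse_auth(config):
    """Map each interface to its EIGRP/OSPF MD5 keys ({key_id: secret}) and problems."""
    chains, ifaces = {}, {}
    chain = key_id = iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if raw and not raw[0].isspace():      # top-level line: leave the old stanza
            chain = key_id = iface = None
        if m := re.fullmatch(r"key chain (\S+)", line):
            chain = m.group(1)
            chains[chain] = {}
        elif chain and (m := re.fullmatch(r"key (\d+)", line)):
            key_id = int(m.group(1))
        elif chain and key_id is not None and (m := re.fullmatch(r"key-string (\S+)", line)):
            chains[chain][key_id] = m.group(1)
        elif m := re.fullmatch(r"interface (\S+)", line):
            iface = m.group(1)
            ifaces[iface] = {"mode": False, "chain": None, "ospf": {}}
        elif iface and re.fullmatch(r"ip authentication mode eigrp \d+ md5", line):
            ifaces[iface]["mode"] = True
        elif iface and (m := re.fullmatch(r"ip authentication key-chain eigrp \d+ (\S+)", line)):
            ifaces[iface]["chain"] = m.group(1)
        elif iface and (m := re.fullmatch(r"ip ospf message-digest-key (\d+) md5 (\S+)", line)):
            ifaces[iface]["ospf"][int(m.group(1))] = m.group(2)

    report = {}
    for name, d in ifaces.items():
        problems = []
        if d["mode"] and d["chain"] is None:
            problems.append("EIGRP MD5 mode set but no key chain attached")
        elif d["chain"] is not None and not d["mode"]:
            problems.append("EIGRP key chain attached but MD5 mode not set")
        elif d["chain"] is not None and not chains.get(d["chain"]):
            problems.append(f"key chain {d['chain']!r} is undefined or has no key-string")
        # The chain name is local to the router; only key IDs and secrets are compared.
        eigrp = chains.get(d["chain"], {}) if d["mode"] and d["chain"] else {}
        report[name] = {"eigrp": eigrp, "ospf": d["ospf"], "problems": problems}
    return report


def link_mismatch(keys_a, keys_b):
    """Explain why two ends of a link cannot authenticate each other ('' if they can).

    Necessary condition only: some key ID must exist on both ends with the same secret.
    """
    if not keys_a or not keys_b:
        return "authentication keys present on one end only" if keys_a or keys_b else ""
    shared = set(keys_a) & set(keys_b)
    if not shared:
        return "no key ID in common"
    if all(keys_a[k] != keys_b[k] for k in shared):
        return "key-string differs for every shared key ID"
    return ""


if __name__ == "__main__":
    ra1, ra2, bad = parse_auth(RA1_CFG), parse_auth(RA2_CFG), parse_auth(RA2_NO_CHAIN)
    print(link_mismatch(ra1["Serial0/1/0"]["eigrp"], ra2["Serial1"]["eigrp"]) or "EIGRP keys agree")
    print(link_mismatch(ra1["FastEthernet0/0"]["ospf"], ra2["Ethernet0"]["ospf"]) or "OSPF keys agree")
    print(bad["Serial1"]["problems"])
```

The chains named zoom and ccnp still agree because the name never leaves the router; key 1 and its key-string are what both ends must share.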


    OSPF - II

    *Configure the routers into multi-area OSPF as per the given diagram. Routers on the border of two areas have different interfaces configured in different areas. Take care to advertise the proper interfaces (networks) in the right areas.

    RA1(config)#router ospf 1

    RA1(config-router)#network 172.16.1.Y 0.0.0.3 area 0

    RA1(config-router)#network 192.168.X.16 0.0.0.15 area 0

    RA1(config-router)#network 192.168.X.80 0.0.0.3 area 0

    RA1(config-router)#network 192.168.X.92 0.0.0.3 area 20

    RA1(config)#router EIGRP 100

    RA1(config-router)#no auto-summary

    RA1(config-router)#network 10.0.0.0

    RA1(config-router)#exit

    RA2(config)#router ospf 2

    RA2(config-router)#network 192.168.X.80 0.0.0.3 area 0

    RA2(config-router)#network 192.168.X.32 0.0.0.15 area 10

    RA2(config-router)#network 192.168.X.84 0.0.0.3 area 10

    RA2(config-router)#network 20.X.0.0 0.0.255.255 area 10

    RA2(config-router)#exit

    RA3(config)#router ospf 3

    RA3(config-router)#network 192.168.X.0 0.0.0.255 area 10

    RA3(config-router)#exit

    RA3(config)#router rip

    RA3(config-router)#version 2

    RA3(config-router)#network 30.0.0.0

    RA3(config-router)#no auto-summary

    RA3(config-router)#exit


    RA4(config)#router ospf 4

    RA4(config-router)#network 0.0.0.0 255.255.255.255 area 20

    RA4(config-router)#end

    *Verify the configuration using the following commands

    RA#show ip protocol

    RA#show ip ospf

    RA#show ip ospf neighbor

    RA#show ip ospf database

    RA#show ip ospf border-routers

    RA#show ip route

    *Configure the redistribution of RIP routes from RA3 and EIGRP routes from RA1 into OSPF.

    RA3(config)#router ospf 3

    RA3(config-router)#redistribute rip subnets

    RA1(config)#router ospf 1

    RA1(config-router)#redistribute eigrp 100 subnets

    *Check the output in neighbor router to find OSPF external routes labeled as E2.

    RA2#show ip route

    *Redistributed routes have a default metric. Use the following commands to change the seed metric of the redistributed routes and check the output on the neighbor router.

    RA3(config-router)#redistribute rip subnets metric 100

    RA2#show ip route

    *Use the following commands to change the metric type of the redistributed routes to type 1. Check the change in the output on the neighbor router.

    RA3(config-router)#redistribute rip subnets metric 100 metric-type 1

    RA2#show ip route

    *Configuration of manual summarization of OSPF routes in Area Border Router. Manual summary in OSPF can be done on area border routers only. (It is also applicable to other ABR i.e. RA2 for 20.X.0.0 subnet)

    RA1#conf t

    RA1(config)#router ospf 1

    RA1(config-router)#area 20 range 40.X.0.0 255.255.252.0

    RA1(config-router)#

    Check the output in area 0 or area 10 routers


    *Configuration of manual summarization of routes originated by redistribution of RIP & EIGRP, on the ASBR.

    RA3(config)#router ospf 3

    RA3(config-router)#summary-address 30.X.0.0 255.255.252.0

    RA2#show ip route

    *We can configure Area 20 as a stub area, since it doesn't have any ASBR in it and has only one exit point in the AS. All the routers in the stub area must be configured with this configuration. Check the routing table to find only O and O IA routes and no O E2 routes. Verify by checking the routing table before and after configuration.

    RA1(config)#router ospf 1

    RA1(config-router)#area 20 stub

    RA4(config)#router ospf 4

    RA4(config-router)#area 20 stub

    *Now configure Area 20 as a totally stubby area. Check the routing table to find only O routes and no O IA and O E2 routes.

    RA1(config)#router ospf 1

    RA1(config-router)#area 20 stub no-summary

    After configuration check the routing table again.

    RA4#show ip route

    *Since Area 10 has an ASBR in it, it can't be configured as a stub, but it can be configured as a Not-So-Stubby Area (NSSA). Configure Area 10 as an NSSA using the following commands. Check the routing table to find only O and O IA routes and no O E2 routes. Verify by checking the routing table before and after configuration.

    RA2(config)#router ospf 2

    RA2(config-router)#area 10 nssa

    RA3(config)#router ospf 3

    RA3(config-router)#area 10 nssa

    *After configuration check the routing table again.

    RA3#show ip route

    *Now configure Area 10 as a totally NSSA. Check the routing table to find only O routes and no O IA and O E2 routes.

    RA2(config)#router ospf 2

    RA2(config-router)#area 10 nssa no-summary

    *After configuration check the routing table again.


    ISIS

    SINGLE AREA IS-IS

    *Configure the IS-IS routing protocol as per the given diagram by first assigning the CLNS address to each router and making sure all of them are in the same area. Next, in the interface-configuration mode of each interface that you wish to advertise, execute the ip router isis command.

    RA1(config)#router isis

    RA1(config-router)#net 49.1000.1921.6800.X017.00

    RA1(config-router)#exit

    RA1(config)#interface serial 1/0

    RA1(config-if)#ip router isis

    RA1(config-if)#interface serial 1/1

    RA1(config-if)#ip router isis

    RA1(config-if)#interface serial 1/2

    RA1(config-if)#ip router isis

    RA1(config-if)#int fa 0/0

    RA1(config-if)#ip router isis

    RA1(config-if)#end

    RA2(config)#router isis

    RA2(config-router)#net 49.1000.1921.6800.X033.00

    RA2(config-router)#exit

    RA2(config)#interface serial 1

    RA2(config-if)#ip router isis

    RA2(config-if)#interface serial 0

    RA2(config-if)#ip router isis

    RA2(config-if)#interface ethernet 0


    RA2(config-if)#ip router isis

    RA3(config)#router isis

    RA3(config-router)#net 49.1000.1921.6800.X049.00

    RA3(config-router)#exit

    RA3(config)#interface serial 0

    RA3(config-if)#ip router isis

    RA3(config-if)#interface serial 1

    RA3(config-if)#ip router isis

    RA3(config-if)#interface ethernet 0

    RA3(config-if)#ip router isis

    RA3(config-if)#end

    RA4(config)#router isis

    RA4(config-router)#net 49.1000.1921.6800.X065.00

    RA4(config-router)#exit

    RA4(config-if)#interface serial 0

    RA4(config-if)#ip router isis

    RA4(config-if)#interface serial 1

    RA4(config-if)#ip router isis

    RA4(config-if)#interface ethernet 0

    RA4(config-if)#ip router isis

    RA4(config-if)#end

    *Verify the output using the following show commands

    RA4#sh clns neighbor

    RA4#sh isis database

    RA4#sh isis topology

    RA4#sh ip route


    CONFIGURING MULTIPLE AREA ISIS

    *Configure the IS-IS routing protocol as per the given diagram by first assigning the CLNS address to each router and making sure all of them are in their respective areas. Then configure the is-type level of the router. Next, in the interface-configuration mode of each interface that you wish to advertise, execute the ip router isis command.

    RA1(config)#no router isis

    RA1(config)#router isis

    RA1(config-router)#net 49.0010.1921.6800.X017.00

    RA1(config-router)#is-type level-1-2

    RA1(config-router)#exit

    RA1(config)#interface serial 0/1/0

    RA1(config-if)#ip router isis

    RA1(config-if)#interface serial 0/1/1

    RA1(config-if)#ip router isis

    RA1(config-if)#interface serial 0/2/0

    RA1(config-if)#ip router isis

    RA1(config-if)#int f 0/0

    RA1(config-if)#ip router isis

    RA1(config-if)#end

    RA2(config)#no router isis

    RA2(config)#router isis

    RA2(config-router)#net 49.0400.1921.6800.X033.00

    RA2(config-router)#is-type level-2-only

    RA2(config-router)#interface serial 1

    RA2(config-if)#ip router isis

    RA2(config-if)#interface ethernet 0

    RA2(config-if)#ip router isis


    RA3(config)#no router isis

    RA3(config)#router isis

    RA3(config-router)#net 49.0300.1921.6800.X049.00

    RA3(config-router)#is-type level-1

    RA3(config-router)#exit

    RA3(config)#interface serial 0

    RA3(config-if)#ip router isis

    RA3(config-if)#interface ethernet 0

    RA3(config-if)#ip router isis

    RA3(config-if)#int loopback 1

    RA3(config-if)#ip router isis

    RA3(config-if)#int loopback 2

    RA3(config-if)#ip router isis

    RA3(config-if)#int loopback 3

    RA3(config-if)#ip router isis

    RA3(config-if)#int loopback 4

    RA3(config-if)#ip router isis

    RA3(config-if)#end

    RA4(config)#no router isis

    RA4(config)#router isis

    RA4(config-router)#net 49.0300.1921.6800.X065.00

    RA4(config-router)#is-type level-1-2

    RA4(config-router)#interface serial 1

    RA4(config-if)#ip router isis

    RA4(config-if)#interface serial 0

    RA4(config-if)#ip router isis

    RA4(config-if)#interface ethernet 0

    RA4(config-if)#ip router isis

    RA4(config-if)#end

    *Verify the output using the following show commands

    RA4#sh clns neighbor

    RA4#sh isis database

    RA4#sh isis topology

    RA4#sh ip route

    *Configure manual summarization of the internal networks of an area on the border router of that particular area. This summarized route is injected into the other areas by the Level-2 router (border router).

    RA4(config)#router isis

    RA4(config-router)#summary-address 30.X.0.0 255.255.252.0

    RA4(config-router)#end

    *Verify the output of summarization by checking the routing tables of routers in the other areas.

    RA1#show ip route


    REDISTRIBUTION

    *Configure the routers from each group as shown in the diagram, using the different routing protocols between every two routers.

    RA1(config)#router isis

    RA1(config-router)#net 49.0000.1921.6800.X017.00

    RA1(config-router)#exit

    RA1(config)#interface serial 1/2

    RA1(config-if)#ip router isis

    RA1(config)#interface loopback 1

    RA1(config-if)#ip router isis

    RA1(config-if)#interface loopback 2

    RA1(config-if)#ip router isis

    RA1(config-if)#interface loopback 3

    RA1(config-if)#ip router isis

    RA1(config-if)#interface loopback 4

    RA1(config-if)#ip router isis

    RA1(config-if)#exit

    RA1(config)#router eigrp 20

    RA1(config-router)#network 192.168.X.80 0.0.0.3

    RA1(config-router)#network 192.168.X.16 0.0.0.15

    RA1(config-router)#exit

    RA2(config)#router eigrp 20

    RA2(config-router)#network 192.168.X.80

    RA2(config)#router rip

    RA2(config-router)#version 2

    RA2(config-router)#no auto-summary

    RA2(config-router)#net 192.168.X.0

    RA2(config-router)#network 20.0.0.0

    RA2(config-router)#end


    RA3(config)#router rip

    RA3(config-router)#version 2

    RA3(config-router)#no auto-summary

    RA3(config-router)#net 192.168.X.0

    RA3(config-router)#net 30.0.0.0

    RA3(config-router)#router ospf 3

    RA3(config-router)#net 192.168.X.88 0.0.0.3 area 20

    RA4(config)#router ospf 4

    RA4(config-router)#net 0.0.0.0 255.255.255.255 area 20

    *Use the redistribute command to inject EIGRP routes into IS-IS with some seed metric of link cost.

    RA1(config)#router isis

    RA1(config-router)#redistribute eigrp 20

    *Use the redistribute command to inject only the IS-IS Level 1 routes into EIGRP, along with the directly connected networks, with a seed metric that includes values for bandwidth, delay, reliability, load and MTU.

    RA1(config)#router eigrp 20

    RA1(config-router)#redistribute isis level-1 metric 1544 2000 255 1 1500

    RA1(config-router)#redistribute connected metric 1544 2000 255 1 1500

    *Use the redistribute command to inject EIGRP routes into RIP with a seed metric in hop counts, taking care that the final hop count doesn't cross 15.

    RA2(config)#router rip

    RA2(config-router)#redistribute eigrp 20 metric 13

    *Use the redistribute command to inject RIP routes into EIGRP with some seed metric which includes values for bandwidth, delay, reliability, load and MTU.

    RA2(config)#router eigrp 20

    RA2(config-router)#redistribute rip metric 1544 2000 255 1 1500

    *Use the redistribute command to inject OSPF routes into RIP with some seed metric in hop counts, taking care that the final hop count doesn't cross 15.

    RA3(config)#router rip

    RA3(config-router)#redistribute ospf 3 metric 5

    *Use the redistribute command to inject RIP routes into OSPF with some seed metric in link cost, taking care that the final hop count doesn't cross 15.

    RA3(config)#router ospf 3

    RA3(config-router)#redistribute rip subnets metric 50 metric-type 1

    *Check by pinging successfully from router RA4 to the core.


    DISTRIBUTE-LIST

    *Without removing the previous configuration, create a distribute list on router RA2 to send out all updates from RA3 to router RA1 other than those for 30.X.0.0.

    RA2(config)#access-list 10 deny 30.X.0.0 0.0.255.255

    RA2(config)#access-list 10 permit any

    RA2(config)#router eigrp 20

    RA2(config-router)#distribute-list 10 out serial 1

    RA2(config-router)#end

    *Verify the output by checking the routing table of RA1. Routes of 30.X.0.0 shouldn't be available.

    RA1#show ip route


    CONFIGURING THE ROUTE-MAP FOR FILTERING REDISTRIBUTED ROUTES

    *All the routes redistributed from RIP to OSPF are injected with the same default metric. This can be changed as needed, and individual routes can be assigned different metrics using a route-map.

    *Creating access-lists to define the selected networks.

    RA3(config)#access-list 21 permit 20.X.0.0 0.0.0.255

    RA3(config)#access-list 22 permit 20.X.1.0 0.0.0.255

    RA3(config)#access-list 23 permit 20.X.2.0 0.0.0.255

    RA3(config)#access-list 24 permit 20.X.3.0 0.0.0.255

    *Creating route maps with multiple statements. Each statement contains a match-and-set condition.

    RA3(config)#route-map zoom permit 10

    RA3(config-route-map)#match ip address 21

    RA3(config-route-map)#set metric 500

    RA3(config-route-map)#set metric-type type-2

    RA3(config-route-map)#exit

    RA3(config)#route-map zoom deny 20

    RA3(config-route-map)#match ip address 22

    RA3(config-route-map)#exit

    RA3(config)#route-map zoom permit 30

    RA3(config-route-map)#match ip address 23

    RA3(config-route-map)#set metric-type type-1

    RA3(config-route-map)#set metric 100

    RA3(config-route-map)#exit

    RA3(config)#route-map zoom permit 40

    RA3(config-route-map)#match ip address 24

    RA3(config-route-map)#set metric 250

    RA3(config-route-map)#set metric-type type-2

    RA3(config-route-map)#exit


    RA3(config)#route-map zoom permit 50

    RA3(config-route-map)#set metric 2000

    RA3(config-route-map)#set metric-type type-2

    RA3(config-route-map)#exit

    *Applying the created route-map in the routing protocol that these routes are being redistributed into.

    Note: Be careful to remove the previous redistribution configuration.

    RA3(config)#router ospf 3

    RA3(config-router)#redistribute rip route-map zoom subnets

    *Check the output in RA4 to find different routes with different metrics as specified in the diagram.

    RA1#show ip route
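
How the distribute-list on RA2 and the route-map on RA3 decide the fate of each route, as an added example that is not part of the lab guide: a small evaluator for standard ACLs (first match wins, implicit deny) and route-map sequences (lowest sequence first, a clause with no match statement matches everything). It assumes X = 1; the function names and the sample routes are constructed.

```python
from ipaddress import IPv4Address

# The lab's access lists with X = 1 (assumed): (action, address, wildcard mask).
ACLS = {
    10: [("deny", "30.1.0.0", "0.0.255.255"), ("permit", "0.0.0.0", "255.255.255.255")],
    21: [("permit", "20.1.0.0", "0.0.0.255")],
    22: [("permit", "20.1.1.0", "0.0.0.255")],
    23: [("permit", "20.1.2.0", "0.0.0.255")],
    24: [("permit", "20.1.3.0", "0.0.0.255")],
}

# route-map zoom as configured on RA3: (sequence, action, matched ACL or None, set values).
ROUTE_MAP = [
    (10, "permit", 21, {"metric": 500, "metric-type": 2}),
    (20, "deny", 22, {}),
    (30, "permit", 23, {"metric": 100, "metric-type": 1}),
    (40, "permit", 24, {"metric": 250, "metric-type": 2}),
    (50, "permit", None, {"metric": 2000, "metric-type": 2}),
]


def acl_permits(acl, network):
    """Standard ACL check on a route's network address: first match wins."""
    addr = int(IPv4Address(network))
    for action, base, wildcard in acl:
        care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF   # wildcard 1-bits are ignored
        if (addr & care) == (int(IPv4Address(base)) & care):
            return action == "permit"
    return False                                          # implicit deny at the end


def redistribute(route_map, acls, network):
    """Return the values set on a redistributed route, or None if it is filtered."""
    for _seq, action, acl_id, sets in sorted(route_map, key=lambda clause: clause[0]):
        if acl_id is None or acl_permits(acls[acl_id], network):
            return dict(sets) if action == "permit" else None
    return None                                           # implicit deny of a route-map


if __name__ == "__main__":
    # Constructed RIP routes as RA3 might hold them.
    for net in ["20.1.0.0", "20.1.1.0", "20.1.2.0", "20.1.3.0", "30.1.0.0"]:
        print(f"route-map zoom  {net:10} -> {redistribute(ROUTE_MAP, ACLS, net)}")
    # The distribute-list 10 out on RA2 from the previous exercise.
    for net in ["30.1.2.0", "20.1.0.0"]:
        verdict = "advertised" if acl_permits(ACLS[10], net) else "filtered"
        print(f"distribute-list {net:10} -> {verdict}")
```

Removing sequence 50 would make every route not matched by ACLs 21 to 24 fall through to the implicit deny and vanish from OSPF, which is why the catch-all clause is there.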


    BGP

    *Configure all the routers in the same BGP autonomous system. Create a full-mesh topology by mentioning every other router, including those not directly connected, with the neighbor statement.

    RA1(config)#router bgp 6500X

    RA1(config-router)#neighbor 172.16.1.Y remote-as 65000

    RA1(config-router)#neighbor 192.168.X.82 remote-as 6500X

    RA1(config-router)#neighbor 192.168.X.93 remote-as 6500X

    RA1(config-router)#neighbor 192.168.X.86 remote-as 6500X

    RA1(config-router)#network 192.168.X.16 mask 255.255.255.240

    RA1(config-router)#network 192.168.X.92 mask 255.255.255.252

    RA1(config-router)#network 192.168.X.80 mask 255.255.255.252

    RA1(config-router)#no synchronization

    RA1(config-router)#end

    RA2(config)#router bgp 6500X

    RA2(config-router)#neighbor 192.168.X.81 remote-as 6500X

    RA2(config-router)#neighbor 192.168.X.86 remote-as 6500X

    RA2(config-router)#neighbor 192.168.X.93 remote-as 6500X

    RA2(config-router)#network 192.168.X.32 mask 255.255.255.240

    RA2(config-router)#network 192.168.X.84 mask 255.255.255.252

    RA2(config-router)#network 192.168.X.80 mask 255.255.255.252

    RA2(config-router)#no synchronization

    RA2(config-router)#end


    RA3(config)#router bgp 6500X

    RA3(config-router)#neighbor 192.168.X.85 remote 6500X

    RA3(config-router)#neighbor 192.168.X.90 remote 6500X

    RA3(config-router)#neighbor 192.168.X.81 remote 6500X

    RA3(config-router)#network 192.168.X.48 mask 255.255.255.240

    RA3(config-router)#network 192.168.X.84 mask 255.255.255.252

    RA3(config-router)#network 192.168.X.88 mask 255.255.255.252

    RA3(config-router)#no synchronization

    RA3(config-router)#end

    RA4(config)#router bgp 6500X

    RA4(config-router)#neighbor 192.168.X.94 remote 6500X

    RA4(config-router)#neighbor 192.168.X.89 remote 6500X

    RA4(config-router)#neighbor 192.168.X.82 remote 6500X

    RA4(config-router)#network 192.168.X.64 mask 255.255.255.240

    RA4(config-router)#network 192.168.X.88 mask 255.255.255.252

    RA4(config-router)#network 192.168.X.92 mask 255.255.255.252

    RA4(config-router)#no synchronization

    RA4(config-router)#end

    *Verify the configuration using the following show commands.

    Router #show ip protocol

    Router #show ip bgp summary

    Router #show ip bgp neighbor

    Router #show ip bgp

    Router #show ip route

    *Enable synchronization on one router and check the output on the same router. You will find that the router doesn't have internal BGP routes anymore.

    RA4(config)#router bgp 6500X

    RA4(config-router)#synchronization

    RA4 #show ip bgp

    RA4#show ip route

    *Disable synchronization by the no synchronization command to get the IBGP routes back

    RA4(config)#router bgp 6500X

    RA4(config-router)#no synchronization

    *Check output on same router.

    Router #show ip bgp

    Router #show ip route


    VERIFYING SPLIT-HORIZON

    *To verify the problem of split-horizon, configure the lab as per the above diagram. Remove the previous instance of BGP and configure BGP afresh as shown. Take care not to configure BGP on RA3.

    RA1(config)#router bgp 6500X

    RA1(config-router)#neighbor 172.16.1.Y remote-as 65000

    RA1(config-router)#neighbor 192.168.X.93 remote 6500X

    RA1(config-router)#neighbor 192.168.X.82 remote 6500X

    RA1(config-router)#network 192.168.X.80 mask 255.255.255.252

    RA1(config-router)#network 192.168.X.92 mask 255.255.255.252

    RA1(config-router)#network 192.168.X.16 mask 255.255.255.240

    RA1(config-router)#no synchronization

    RA2(config)#router bgp 6500X

    RA2(config-router)#neighbor 192.168.X.81 remote 6500X

    RA2(config-router)#network 192.168.X.32 mask 255.255.255.240

    RA2(config-router)#network 192.168.X.80 mask 255.255.255.252

    RA2(config-router)#no synchronization

    RA4(config)#router bgp 6500X

    RA4(config-router)#neighbor 192.168.X.94 remote 6500X

    RA4(config-router)#network 192.168.X.64 mask 255.255.255.240

    RA4(config-router)#network 192.168.X.92 mask 255.255.255.252

    RA4(config-router)#no synchronization

    *Verify the output in each router. RA1 gets routes from both RA2 and RA4. RA2 and RA4 cannot see the updates of each other's LAN in their routing table. This is because of Split-Horizon: a route learned from one IBGP neighbor is not advertised to another IBGP neighbor.

    Router #show ip bgp

    Router #show ip route

    *The solution to this Split-Horizon problem is to configure a Route-Reflector, as described next.

    CONFIGURING ROUTE-REFLECTOR CLIENT

    *Note: Continue configuration from above steps.

    *By configuring the following, RA1 becomes the route-reflector-server and it reflects the routes learned from one client to the other client, hence solving the problem of split-horizon.

    RA1(config)#router bgp 6500X

    RA1(config-router)#neighbor 192.168.X.93 route-reflector-client

    RA1(config-router)#neighbor 192.168.X.82 route-reflector-client

    RA1(config-router)#end

    *Check the output in all three routers to find that RA2 and RA4 now have each other's routes in their routing table.

    Router #show ip bgp

    Router #show ip route

    [Diagram labels: R.R Server; R.R Client; R.R Client]
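
The split-horizon and route-reflector labs above can be replayed as a small model of the IBGP advertisement rules. This is an added example, not part of the lab guide; it assumes X = 1 and tracks only the three LAN prefixes.

```python
from collections import deque


def may_advertise(router, learned_from, peer, rr_clients):
    """Decide whether `router` may send a route to its IBGP neighbor `peer`."""
    if learned_from is None:                 # originated locally with 'network'
        return True
    clients = rr_clients.get(router, set())  # empty unless router is a reflector
    if learned_from in clients:              # client route: reflect to every neighbor
        return True
    return peer in clients                   # non-client route: reflect to clients only


def propagate(sessions, origins, rr_clients=None):
    """Return {router: set(prefixes)} once IBGP updates have settled."""
    rr_clients = rr_clients or {}
    peers = {}
    for a, b in sessions:
        peers.setdefault(a, set()).add(b)
        peers.setdefault(b, set()).add(a)
    learned = {r: {} for r in peers}         # router -> {prefix: neighbor it came from}
    queue = deque()
    for router, prefixes in origins.items():
        for prefix in prefixes:
            learned[router][prefix] = None
            queue.append((router, prefix))
    while queue:
        router, prefix = queue.popleft()
        source = learned[router][prefix]
        for peer in sorted(peers[router]):
            if peer == source or prefix in learned[peer]:
                continue
            if may_advertise(router, source, peer, rr_clients):
                learned[peer][prefix] = router
                queue.append((peer, prefix))
    return {r: set(t) for r, t in learned.items()}


# Constructed values: X = 1 in the lab's 192.168.X.n addressing.
SESSIONS = [("RA1", "RA2"), ("RA1", "RA4")]
ORIGINS = {
    "RA1": ["192.168.1.16/28"],
    "RA2": ["192.168.1.32/28"],
    "RA4": ["192.168.1.64/28"],
}


def lab_tables(with_reflector):
    """BGP tables for the lab, before or after 'route-reflector-client' on RA1."""
    rr = {"RA1": {"RA2", "RA4"}} if with_reflector else None
    return propagate(SESSIONS, ORIGINS, rr)


if __name__ == "__main__":
    for flag in (False, True):
        print("route-reflector-client configured on RA1:", flag)
        for router, prefixes in sorted(lab_tables(flag).items()):
            print("  ", router, sorted(prefixes))
```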

    BGP - II

    *Configure the routers in multiple-AS BGP according to the above diagram.

    RA1(config)#router bgp 65000

    RA1(config-router)#neighbor 172.16.1.Y remote 65000

    RA1(config-router)#neighbor 192.168.X.82 remote 650X1

    RA1(config-router)#neighbor 192.168.X.93 remote 650X2

    RA1(config-router)#network 192.168.X.16 mask 255.255.255.240

    RA1(config-router)#network 10.X.0.0 mask 255.255.255.0

    RA1(config-router)#network 10.X.1.0 mask 255.255.255.0

    RA1(config-router)#network 10.X.2.0 mask 255.255.255.0

    RA1(config-router)#network 10.X.3.0 mask 255.255.255.0

    RA1(config-router)#no synchronization

    RA2(config)#router bgp 650X1

    RA2(config-router)#neighbor 192.168.X.81 remote 65000

    RA2(config-router)#neighbor 192.168.X.86 remote 650X1

    RA2(config-router)#network 192.168.X.84 mask 255.255.255.252

    RA2(config-router)#network 192.168.X.32 mask 255.255.255.240

    RA2(config-router)#network 20.X.0.0 mask 255.255.255.0

    RA2(config-router)#network 20.X.1.0 mask 255.255.255.0

    RA2(config-router)#network 20.X.2.0 mask 255.255.255.0

    RA2(config-router)#network 20.X.3.0 mask 255.255.255.0

    RA2(config-router)#no synchronization

    RA3(config)#router bgp 650X1

    RA3(config-router)#neighbor 192.168.X.85 remote 650X1

    RA3(config-router)#neighbor 192.168.X.90 remote 650X2

    RA3(config-router)#network 30.X.0.0 mask 255.255.255.0

    RA3(config-router)#network 30.X.1.0 mask 255.255.255.0

    RA3(config-router)#network 30.X.2.0 mask 255.255.255.0

    RA3(config-router)#network 30.X.3.0 mask 255.255.255.0

    RA3(config-router)#network 192.168.X.84 mask 255.255.255.252

    RA3(config-router)#network 192.168.X.48 mask 255.255.255.240

    RA3(config-router)#no synchronization

    RA4(config)#router bgp 650X2

    RA4(config-router)#neighbor 192.168.X.94 remote 65000

    RA4(config-router)#neighbor 192.168.X.89 remote 650X1

    RA4(config-router)#network 192.168.X.64 mask 255.255.255.240

    RA4(config-router)#network 40.X.0.0 mask 255.255.255.0

    RA4(config-router)#network 40.X.1.0 mask 255.255.255.0

    RA4(config-router)#network 40.X.2.0 mask 255.255.255.0

    RA4(config-router)#network 40.X.3.0 mask 255.255.255.0

    *Check the output by using the following show commands

    R#sh ip bgp

    R#sh ip route

    *Use the following commands to configure manual summarization of routes.

    RA1(config)#router bgp 65000

    RA1(config-router)#aggregate-address 10.X.0.0 255.255.252.0 summary-only

    Check the output in neighbor routers.

    R#sh ip bgp

    R#sh ip route

    *Continue from the above configuration. In the show ip bgp table on RA2 and RA3, the next-hop information for the routes of the diagonally opposite router is incorrect. To advertise the correct next-hop, use the following configuration. Make sure to check the output before and after configuration. The same can be tested on RA1 and Core.

    RA2(config)#router bgp 650X1

    RA2(config-router)#neighbor 192.168.X.86 next-hop-self

    RA2(config-router)#

    RA3(config)#router bgp 650X1

    RA3(config-router)#neighbor 192.168.X.85 next-hop-self

    RA3#clear ip bgp 192.168.X.85

    Check the output in the RA2 and RA3 routers.

    R#sh ip bgp

    R#sh ip route

    Step 4: CONFIGURING LOCAL-PREFERENCE

    *Creating Route-maps to set local-preference values for specific routes in order

    to define which path the router must use to exit the AS.

    *Note: Continue from above configuration.

    *Create access lists to define the mentioned networks

    RA1(config)#access-list 40 permit 40.X.0.0 0.0.0.255

    RA1(config)#access-list 42 permit 40.X.2.0 0.0.0.255

    *Create route-maps, one for each neighbor. Each route-map contains a match-and-set condition.

    RA1(config)#route-map R1toR2 permit 10

    RA1(config-route-map)#match ip address 40 42

    RA1(config-route-map)#set local-preference 800

    RA1(config-route-map)#exit

    RA1(config)#route-map R1toR2 permit 20

    RA1(config-route-map)#exit

    RA1(config)#route-map R1toR4 permit 10

    RA1(config-route-map)#match ip address 40 42

    RA1(config-route-map)#set local-preference 600

    RA1(config-route-map)#exit

    RA1(config)#route-map R1toR4 permit 20

    RA1(config-route-map)#exit

    *Implement the route-map by defining one route-map for each neighbor in the

    appropriate direction

    RA1(config)#router bgp 65000

    RA1(config-router)#neighbor 192.168.X.82 route-map R1toR2 in

    RA1(config-router)#neighbor 192.168.X.93 route-map R1toR4 in

    *Clear the bgp route updates from the two neighboring BGP routers

    RA1#clear ip bgp 192.168.X.82

    RA1#clear ip bgp 192.168.X.93

    *Check the output in Core and in the RA1 router

    R#sh ip bgp

    R#sh ip route

    CONFIGURING MED

    *Remove the previous configuration of BGP and configure the above given

    topology. RA1 belongs to AS 65001 whereas routers RA2, RA3 and RA4 are in AS

    650X5. Make sure you configure RA2 and RA4 as route-reflector-clients and RA3

    as a server.

    RA1(config)#router bgp 65001

    RA1(config-router)#network 192.168.X.16 mask 255.255.255.240

    RA1(config-router)#neighbor 192.168.X.82 remote-as 650X5

    RA1(config-router)#neighbor 192.168.X.93 remote-as 650X5

    RA1(config-router)#end

    RA2(config)#router bgp 650X5

    RA2(config-router)#network 192.168.X.32 mask 255.255.255.240

    RA2(config-router)#network 192.168.X.84 mask 255.255.255.252

    RA2(config-router)#neighbor 192.168.X.81 remote-as 65001

    RA2(config-router)#neighbor 192.168.X.86 remote-as 650X5

    RA2(config-router)#no synchronization

    RA2(config-router)#end

    RA3(config)#router bgp 650X5

    RA3(config-router)#no synchronization

    RA3(config-router)#network 192.168.X.84 mask 255.255.255.252

    RA3(config-router)#network 192.168.X.88 mask 255.255.255.252

    RA3(config-router)#network 192.168.X.48 mask 255.255.255.240

    RA3(config-router)#neighbor 192.168.X.85 remote-as 650X5

    RA3(config-router)#neighbor 192.168.X.90 remote-as 650X5

    RA3(config-router)#neighbor 192.168.X.85 route-reflector-client

    RA3(config-router)#neighbor 192.168.X.90 route-reflector-client

    RA3(config-router)#network 30.X.0.0 mask 255.255.255.0

    RA3(config-router)#network 30.X.1.0 mask 255.255.255.0

    RA3(config-router)#network 30.X.2.0 mask 255.255.255.0

    RA3(config-router)#network 30.X.3.0 mask 255.255.255.0

    RA3(config-router)#end

    RA4(config)#router bgp 650X5

    RA4(config-router)#no synchronization

    RA4(config-router)#neighbor 192.168.X.89 remote-as 650X5

    RA4(config-router)#neighbor 192.168.X.94 remote-as 65001

    RA4(config-router)#network 192.168.X.64 mask 255.255.255.240

    RA4(config-router)#network 192.168.X.88 mask 255.255.255.252

    RA4(config-router)#end

    *After configuring BGP as specified in the above diagram and verifying the BGP table and routing table, apply the following configuration. Use route-maps to set different metrics for routes coming from each neighbor.

    RA2(config)#access-list 30 permit 30.X.0.0 0.0.0.255

    RA2(config)#access-list 31 permit 30.X.1.0 0.0.0.255

    RA2(config)#route-map med-alg permit 10

    RA2(config-route-map)#match ip address 30 31

    RA2(config-route-map)#set metric 50

    RA2(config-route-map)#exit

    RA2(config)#route-map med-alg permit 20

    RA2(config-route-map)#exit

    RA2(config)#router bgp 650X5

    RA2(config-router)#neighbor 192.168.X.81 route-map med-alg out

    RA2(config-router)#end

    RA2#clear ip bgp 192.168.X.81

    RA4(config)#access-list 30 permit 30.X.0.0 0.0.0.255

    RA4(config)#access-list 31 permit 30.X.1.0 0.0.0.255

    RA4(config)#route-map med-tan permit 10

    RA4(config-route-map)#match ip address 30 31

    RA4(config-route-map)#set metric 600

    RA4(config-route-map)#exit

    RA4(config)#route-map med-tan permit 20

    RA4(config-route-map)#exit

    RA4(config)#router bgp 650X5

    RA4(config-router)#neighbor 192.168.X.94 route-map med-tan out

    RA4(config-router)#end

    RA4#clear ip bgp 192.168.X.94

    *Check the routing table in RA1 to find that the route with the lower MED is chosen as the best path.

    RA1#sh ip route

    RA1#sh ip bgp
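
Why local preference wins in the earlier lab and MED decides in this one follows from the order of the BGP best-path comparison. This is an added example, not part of the lab guide, modelling four steps of that comparison (local preference, AS-path length, origin, MED). It assumes X = 1, so 650X1, 650X2 and 650X5 become 65011, 65012 and 65015; weight and the later tie-breakers are left out.

```python
from dataclasses import dataclass

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass(frozen=True)
class Path:
    via: str                 # neighbor the path was learned from
    as_path: tuple           # AS numbers, nearest AS first
    local_pref: int = 100    # default when no route-map sets it
    med: int = 0
    origin: str = "igp"


def _keep_best(paths, key):
    best = min(key(p) for p in paths)
    return [p for p in paths if key(p) == best]


def _lowest_med_per_neighbor_as(paths):
    # MED is compared only between paths received from the same neighboring AS.
    kept = []
    for p in paths:
        rivals = [q for q in paths if q.as_path[:1] == p.as_path[:1]]
        if p.med == min(q.med for q in rivals):
            kept.append(p)
    return kept


STEPS = [
    ("highest local preference", lambda ps: _keep_best(ps, lambda p: -p.local_pref)),
    ("shortest AS path", lambda ps: _keep_best(ps, lambda p: len(p.as_path))),
    ("lowest origin code", lambda ps: _keep_best(ps, lambda p: ORIGIN_RANK[p.origin])),
    ("lowest MED", _lowest_med_per_neighbor_as),
]


def best_path(paths):
    """Return (winning Path, name of the deciding step), or (None, reason) on a tie."""
    candidates = list(paths)
    if len(candidates) == 1:
        return candidates[0], "only path"
    for name, step in STEPS:
        candidates = step(candidates)
        if len(candidates) == 1:
            return candidates[0], name
    return None, "tie after MED (later tie-breakers not modelled)"


def local_pref_lab(route_maps_applied):
    """RA1's two paths to 40.1.0.0/24 (RA4's network) in the multi-AS lab."""
    return [
        Path("RA2", (65011, 65012), local_pref=800 if route_maps_applied else 100),
        Path("RA4", (65012,), local_pref=600 if route_maps_applied else 100),
    ]


def med_lab():
    """RA1's two paths to 30.1.0.0/24 (RA3's network) in the MED lab."""
    return [Path("RA2", (65015,), med=50), Path("RA4", (65015,), med=600)]


if __name__ == "__main__":
    for label, paths in [
        ("local-preference lab, before route-maps", local_pref_lab(False)),
        ("local-preference lab, after route-maps", local_pref_lab(True)),
        ("MED lab", med_lab()),
    ]:
        winner, why = best_path(paths)
        print(f"{label}: via {winner.via} ({why})")
```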

    MULTICASTING

    *Enable multicast-routing on all the routers:

    RA1#config t

    RA1(config)#ip multicast-routing

    RA1(config)#interface fa 0/0

    RA1(config-if)#ip address 192.168.100.1 255.255.255.0

    RA1(config-if)#no shutdown

    RA1(config-if)#ip pim sparse-dense-mode

    RA1(config-if)#exit

    RA1(config)#interface fa 4/0

    RA1(config-if)#ip address 192.168.0.2 255.255.255.0

    RA1(config-if)#no shutdown

    RA1(config-if)#ip pim sparse-dense-mode

    RA1(config-if)#exit

    Step 2: Configure and run the multimedia multicast server application on the

    server PC

    Step 3: Change the IP address and gateway of the client PCs to allow them to be

    in the LAN of the configured router. Make sure the switch to which the multicast

    server is connected is isolated from the rest of the LAN.

    Step 4: Start the multicast client software and enter the appropriate server IP

    address and file location to start receiving the multicast.

    Verification

    RA1#show ip mroute

    RA1#show ip igmp groups

    On the Switch

    Sw#show mac-address-table multicast

    IPv6

    *Configure IPv6 addressing on the interfaces of routers RA1, RA2 and RA4 as

    shown in the diagram

    RA1#conf t

    RA1(config)#int fa 0/0

    RA1(config-if)#ipv6 address 2001:X:3::1/64

    RA1(config-if)#exit

    RA1(config)#

    RA1(config)#int s 0

    RA1(config-if)#ipv6 address 2001:X:2::2/64

    RA1(config-if)#exit

    RA1(config)#

    RA1(config)#int s 1

    RA1(config-if)#ipv6 address 2001:X:4::2/64

    RA1(config-if)#exit

    *Enable ipv6 routing using the following command.

    RA1(config)#ipv6 unicast-routing

    *Repeat the above steps for the other routers too.

    RA2(config)#int e 0

    RA2(config-if)#ipv6 address 2001:X:1::1/64

    RA2(config-if)#exit

    RA2(config)#int s 1

    RA2(config-if)#ipv6 address 2001:X:2::1/64

    RA2(config-if)#exit

    RA2(config)#ipv6 unicast-routing

    RA4(config)#int e 0

    RA4(config-if)#ipv6 address 2001:X:5::1/64

    RA4(config-if)#exit

    RA4(config)#int s 0

    RA4(config-if)#ipv6 address 2001:X:4::1/64

    RA4(config-if)#exit

    RA4(config)#ipv6 unicast-routing

    *Check the output of the configuration on all three routers.

    router#sh ipv6 route

    *After the interfaces are configured with IPv6 addresses, configure OSPF v3

    routing on all the routers.

    RA1(config)#ipv6 router ospf 1

    RA1(config-rtr)#exit

    RA1(config)#int fa 0/0

    RA1(config-if)#ipv6 ospf 1 area 0

    RA1(config-if)#exit

    RA1(config)#int s 0

    RA1(config-if)#ipv6 ospf 1 area 0

    RA1(config-if)#exit

    RA1(config)#int s 1

    RA1(config-if)#ipv6 ospf 1 area 0

    RA1(config-if)#exit

    RA2(config)#ipv6 router ospf 2

    RA2(config-rtr)#exit

    RA2(config)#int e 0

    RA2(config-if)#ipv6 ospf 2 area 0

    RA2(config-if)#int s 1

    RA2(config-if)#ipv6 ospf 2 area 0

    RA2(config-if)#end

    RA4(config)#ipv6 router ospf 3

    RA4(config-rtr)#exit

    RA4(config)#int e 0

    RA4(config-if)#ipv6 ospf 3 area 0

    RA4(config-if)#exit

    RA4(config)#int s 0

    RA4(config-if)#ipv6 ospf 3 area 0

    RA4(config-if)#end

    *Check the output on all three routers

    R# show ipv6 protocol

    R# show ipv6 ospf

    R# show ipv6 ospf neighbor

    R# show ipv6 ospf database

    R# show ipv6 route

    IPv6 to IPv4 tunnel

    *Configuring an IPv6 tunnel over an IPv4 network. The network in between the two routers is an IPv4 network and is unaware of IPv6.

    *Clear both IPv4 and IPv6 routing on the routers

    RA3(config)#no ip routing

    RA3(config)#ip routing

    R(config)#no ip routing

    R(config)#ip routing

    R(config)#no ipv6 unicast-routing

    R(config)#ipv6 unicast-routing

    *Create an IPv6 tunnel and assign it an IPv6 address. Also mention the source

    and destination interface/address for it. Then, create static IPv4 and IPv6 routing

    to the destination router.

    RA2(config)#int tunnel 0

    RA2(config-if)#ipv6 address 2001:X:A::1/64

    RA2(config-if)#tunnel mode ipv6ip

    RA2(config-if)#tunnel source s 0

    RA2(config-if)#tunnel destination 192.168.X.90

    RA2(config-if)#exit

    RA2(config)#ip route 192.168.X.88 255.255.255.252 s 0

    RA2(config)#ipv6 route 2001:X:5::/64 2001:X:A::2

    RA2(config)#end

    RA4(config)#

    RA4(config)#int tunnel 5

    RA4(config-if)#ipv6 address 2001:X:A::2/64

    RA4(config-if)#tunnel mode ipv6ip

    RA4(config-if)#tunnel source s 1

    RA4(config-if)#tunnel destination 192.168.X.85

    RA4(config-if)#exit

    RA4(config)#ip route 192.168.X.84 255.255.255.252 s 1

    RA4(config)#ipv6 route 2001:X:1::/64 tunnel 5

    R#sh ipv6 route

    R#Ping ipv6

    Configuration of IPv6-v4 auto tunnel

    *Configure an IPv6-v4 auto tunnel over an IPv4 network. The destination end of the tunnel is not mentioned in this configuration. Both routers find each other and create a tunnel with the help of the static route and the IPv6 auto tunnel configuration.

    RA2(config)#no ipv6 unicast-routing

    RA2(config)#ipv6 unicast-routing

    RA2(config)#int tunnel 10

    RA2(config-if)#ipv6 add 2002:C0A8:0X55::1/64

    RA2(config-if)#tunnel mode ipv6ip 6to4

    RA2(config-if)#tunnel source serial 0

    RA2(config-if)#exit

    RA2(config)#ip route 0.0.0.0 0.0.0.0 s 0

    RA2(config)#ipv6 route 2002::/16 tunnel 10

    RA2(config)#ipv6 route 2001:X:5::/64 2002:C0A8:0X5A::1

    RA2(config)#end

    RA4(config)#no ipv6 unicast-routing

    RA4(config)#ipv6 unicast-routing

    RA4(config)#int tunnel 15

    RA4(config-if)#ipv6 add 2002:C0A8:0X5A::1/64

    RA4(config-if)#tunnel mode ipv6ip 6to4

    RA4(config-if)#tunnel source s 1

    RA4(config-if)#exit

    RA4(config)#ip route 0.0.0.0 0.0.0.0 s 1

    RA4(config)#ipv6 route 2002::/16 tunnel 15

    RA4(config)#ipv6 route 2001:X:1::/64 2002:C0A8:0X55::1

    RA4(config)#end

    *Check the output on the two routers

    R#sh ipv6 route

    R#Ping ipv6
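
The routers can find each other without a configured tunnel destination because a 6to4 address carries the IPv4 endpoint in hex: 2002:C0A8:0X55:: encodes 192.168.X.85. This is an added example, not part of the lab guide, that derives the prefix and recovers the endpoint; it assumes X = 1 and that the tunnel sources are 192.168.1.85 (RA2) and 192.168.1.90 (RA4).

```python
import ipaddress

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")


def sixto4_prefix(ipv4):
    """Return the 2002:<IPv4 in hex>::/48 prefix that belongs to an IPv4 tunnel source."""
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


def embedded_ipv4(ipv6):
    """Return the IPv4 tunnel endpoint stored in the 32 bits that follow 2002:."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in SIXTOFOUR:
        raise ValueError(f"{addr} is not a 6to4 address")
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)


def tunnel_consistent(source_ipv4, tunnel_ipv6):
    """True when the tunnel interface address lies inside the prefix of its tunnel source."""
    return ipaddress.IPv6Address(tunnel_ipv6) in sixto4_prefix(source_ipv4)


# Constructed from the lab with X = 1: (router, tunnel source IPv4, tunnel IPv6, static next hop).
LAB = [
    ("RA2", "192.168.1.85", "2002:C0A8:0155::1", "2002:C0A8:015A::1"),
    ("RA4", "192.168.1.90", "2002:C0A8:015A::1", "2002:C0A8:0155::1"),
]

if __name__ == "__main__":
    for router, source, tunnel_addr, next_hop in LAB:
        print(router, "prefix", sixto4_prefix(source),
              "address ok:", tunnel_consistent(source, tunnel_addr),
              "| packets for", next_hop, "are sent to", embedded_ipv4(next_hop))
```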

    ADSL ROUTER Configuration

    *Configure the physical WAN interface (ATM 0 in our case) with PPPoE or PPPoA and map it to the logical dialer interface using the dial-pool-number, which we'll configure further below.

    adslrouter(config)#interface atm 0

    adslrouter(config-if)#no shut

    adslrouter(config-if)#pvc 1/32

    adslrouter(config-if-atm-vc)#pppoe-client dial-pool-number 1

    adslrouter(config-if-atm-vc)#end

    *Configure a Dialer interface (logical) with DDR (Dial-on-Demand-Routing) and PPP (Point-to-Point-Protocol) authentication, and assign it a dialer pool number that has to be mapped on the physical interface.

    adslrouter(config)#interface dialer 0

    adslrouter(config-if)#ip address negotiated

    adslrouter(config-if)#encapsulation ppp

    adslrouter(config-if)#ppp authentication pap chap callin

    adslrouter(config-if)#ppp pap sent-username *** password ***

    adslrouter(config-if)#ppp chap hostname ***

    adslrouter(config-if)#ppp chap password ***

    adslrouter(config-if)#ip mtu 1492

    adslrouter(config-if)#dialer pool 1

    adslrouter(config-if)#exit

    *Configure static default route for internet towards interface dialer 0

    adslrouter(config)#ip route 0.0.0.0 0.0.0.0 dialer 0

    *Configure NAT/PAT with the VLAN interface configured as nat inside interface and the dialer interface as the nat outside interface.

    adslrouter(config)#access-list 15 permit 192.168.0.0 0.0.0.255

    adslrouter(config)#ip nat inside source list 15 interface dialer 0 overload

    adslrouter(config)#interface vlan 1

    adslrouter(config-if)#ip nat inside

    adslrouter(config-if)#exit

    adslrouter(config)#interface dialer 0

    adslrouter(config-if)#ip nat outside

    *Verification

    Verify the configuration by checking the routing table and the interface status of

    the dialer. The configuration is successful if you obtain a public address from the

    service provider.

    show ip route

    show ip int brief

    show interface atm 0

    show interface dialer 0

    show dsl interface atm 0

    VPN Configuration

    *A VPN is a tunnel of a private network over the public network. Configure an IPsec VPN tunnel between the LANs of RA2 and RA4 over the link with router RA3.

    *Configure the WAN interface (connected to the public network) as per the diagram. Configure a default route towards the public network on the serial interface.

    RA2#conf t

    RA2(config)#interface serial 0

    RA2(config-if)#ip add 61.0.0.5 255.255.255.0

    RA2(config-if)#no shut

    RA2(config-if)#exit

    RA2(config)#ip route 0.0.0.0 0.0.0.0 serial 0

    *Configure IKE phase 1: Configuring the isakmp policy with appropriate

    authentication and encryption and hash function. All these have to match on the

    peer router too.

    RA2(config)#crypto isakmp policy 1

    RA2(config-isakmp)#authentication pre-share

    RA2(config-isakmp)#encryption des

    RA2(config-isakmp)#hash sha

    RA2(config-isakmp)#group 2

    RA2(config-isakmp)#exit

    *Configure IKE Pre Share Key for the peer router whose address has to be

    mentioned. Take care that the key has to match on both the routers.

    RA2(config)#crypto isakmp key zoom123 address 71.0.0.5

    *Configure IKE phase 2: Configuring the ipsec policy. Create a transform-set

    with encryption and hash-function properties and the tunnel mode which should

    match on the peer router.

    RA2(config)#crypto ipsec transform-set zoomtr esp-des esp-sha-hmac

    RA2(cfg-crypto-trans)#mode tunnel

    RA2(cfg-crypto-trans)#exit

    *Configure access-list to mark the interesting traffic to initiate VPN Connection.

    RA2(config)# access-list 100 permit ip 192.168.X.32 0.0.0.15 192.168.X.64 0.0.0.15

    *Create a crypto map to bind the interesting traffic to the transform-set. This means that any interesting traffic that is originated initiates the VPN towards the mentioned peer, using the properties from the transform-set mentioned.

    RA2(config)#crypto map vpnmap 10 ipsec-isakmp

    RA2(config-crypto-map)#match address 100

    RA2(config-crypto-map)#set transform-set zoomtr

    RA2(config-crypto-map)#set peer 71.0.0.5

    * Mapping the crypto-map to the serial interface.

    RA2(config)#interface serial 0

    RA2(config-if)#crypto map vpnmap

    *Repeat the similar configuration on the other router.

    RA4(config)#interface serial 1

    RA4(config-if)#ip add 71.0.0.5 255.255.255.0

    RA4(config-if)#no shut

    RA4(config-if)#exit

    RA4(config)#ip route 0.0.0.0 0.0.0.0 serial 1

    RA4(config)#crypto isakmp policy 10

    RA4(config-isakmp)#authentication pre-share

    RA4(config-isakmp)#hash sha

    RA4(config-isakmp)#encryption des

    RA4(config-isakmp)#group 2

    RA4(config-isakmp)#exit

    RA4(config)#crypto isakmp key zoom123 address 61.0.0.5

    RA4(config)#crypto ipsec transform-set trans esp-des esp-sha-hmac

    RA4(cfg-crypto-trans)#mode tunnel

    RA4(cfg-crypto-trans)#exit

    RA4(config)# access-list 110 permit ip 192.168.X.64 0.0.0.15 192.168.X.32 0.0.0.15

    RA4(config)#crypto map demomap 5 ipsec-isakmp

    RA4(config-crypto-map)#match address 110

    RA4(config-crypto-map)#set transform-set trans

    RA4(config-crypto-map)#set peer 61.0.0.5

    RA4(config-crypto-map)#exit

    RA4(config)#interface serial 1

    RA4(config-if)#crypto map demomap

    RA4(config-if)#end

    *Configure the serial interfaces on the middle router with the appropriate IP

    addresses and enable routing.

    RA3(config)#interface serial 1

    RA3(config-if)#ip add 61.0.0.6 255.255.255.0

    RA3(config-if)#no shut

    RA3(config)#interface serial 0

    RA3(config-if)#ip address 71.0.0.6 255.255.255.0

    RA3(config-if)#no shut

    RA3(config-if)#exit

    RA3(config)#no ip routing

    RA3(config)#ip routing

    RA3(config)#end

    *Initiate some interesting traffic by pinging one router from the other router's LAN or by using the extended ping. Wait for a few seconds before the VPN tunnel is initiated.

    *Verify the output by using the following commands

    RA2#show crypto isakmp sa

    RA2#show crypto ipsec sa

    RA2#show crypto engine connections active
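
The lab says several times that settings "have to match on the peer router"; the check below makes those requirements explicit and also reports the weak algorithms the lab uses. This is an added example, not part of the lab guide and not a Cisco tool. The two configurations are constructed from the commands above with X = 1, and the weak-setting list (single DES, Diffie-Hellman group 1 or 2) is this example's own.

```python
import re

# Constructed inputs: the lab's commands as typed, with X = 1.
RA2_CFG = """\
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash sha
 group 2
crypto isakmp key zoom123 address 71.0.0.5
crypto ipsec transform-set zoomtr esp-des esp-sha-hmac
access-list 100 permit ip 192.168.1.32 0.0.0.15 192.168.1.64 0.0.0.15
crypto map vpnmap 10 ipsec-isakmp
 match address 100
 set transform-set zoomtr
 set peer 71.0.0.5
interface serial 0
 ip address 61.0.0.5 255.255.255.0
 crypto map vpnmap
"""
RA4_CFG = """\
crypto isakmp policy 10
 authentication pre-share
 hash sha
 encryption des
 group 2
crypto isakmp key zoom123 address 61.0.0.5
crypto ipsec transform-set trans esp-des esp-sha-hmac
access-list 110 permit ip 192.168.1.64 0.0.0.15 192.168.1.32 0.0.0.15
crypto map demomap 5 ipsec-isakmp
 match address 110
 set transform-set trans
 set peer 61.0.0.5
interface serial 1
 ip address 71.0.0.5 255.255.255.0
 crypto map demomap
"""

PATTERNS = [
    ("ike", r"(authentication|encryption|hash|group) (\S+)"),
    ("psk", r"crypto isakmp key (\S+) address (\S+)"),
    ("tset", r"crypto ipsec transform-set (\S+) (.+)"),
    ("acl", r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)"),
    ("map", r"(match address|set transform-set|set peer) (\S+)"),
]

def parse(cfg):
    c = {"ike": {}, "psk": {}, "tset": {}, "acl": {}, "map": {}, "local": None}
    for raw in cfg.splitlines():
        for kind, pattern in PATTERNS:
            m = re.fullmatch(pattern, raw.strip())
            if not m:
                continue
            if kind == "ike":
                c["ike"][m[1]] = m[2]
            elif kind == "psk":
                c["psk"][m[2]] = m[1]                 # keyed by peer address
            elif kind == "tset":
                c["tset"][m[1]] = tuple(m[2].split())
            elif kind == "acl":
                c["acl"].setdefault(m[1], []).append(m.groups()[1:])
            else:
                c["map"][m[1]] = m[2]
    # Address of the interface that carries the crypto map.
    bound = re.search(r"ip address (\S+) \S+\n crypto map \S+", cfg)
    c["local"] = bound[1] if bound else None
    return c

def mismatches(a, b):
    """Compare both ends; an empty list means everything the lab says must match does."""
    out = []
    if a["ike"] != b["ike"]:
        out.append("IKE phase 1 policy differs")
    if a["map"].get("set peer") != b["local"] or b["map"].get("set peer") != a["local"]:
        out.append("peers do not point at each other's crypto-map interface")
    key_a, key_b = a["psk"].get(b["local"]), b["psk"].get(a["local"])
    if key_a is None or key_a != key_b:
        out.append("pre-shared key missing or different")
    tset_a = a["tset"].get(a["map"].get("set transform-set"))
    tset_b = b["tset"].get(b["map"].get("set transform-set"))
    if tset_a is None or tset_a != tset_b:
        out.append("transform-sets differ")
    acl_a = a["acl"].get(a["map"].get("match address"), [])
    acl_b = b["acl"].get(b["map"].get("match address"), [])
    if not acl_a or sorted(acl_a) != sorted((d, dw, s, sw) for s, sw, d, dw in acl_b):
        out.append("crypto ACLs are not mirror images")
    return out

def weak_settings(c):
    out = []
    if c["ike"].get("encryption") == "des":
        out.append("IKE phase 1 uses single DES")
    if c["ike"].get("group") in {"1", "2"}:
        out.append("Diffie-Hellman group is 1024 bits or smaller")
    if any("esp-des" in t for t in c["tset"].values()):
        out.append("IPsec transform-set uses esp-des")
    return out
```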

    IDS / IPS

    *The scenario here is as shown above. RA1 is the router in our network connected

    to the ISP. RA2 is one of the routers that are inside the network. In case of an

    attack from the internet, i.e. the CORE router in our example, router RA1 with

    IPS must be configured to detect and prevent the intrusion.

    *Let us consider an example in which an anonymous user manages to enter our network and logs in to router RA2. He could give the command "enable" to enter the privilege mode and change the router configuration. The IPS on RA1 must be configured in such a way that when the intruder types the characters "enable", his connection is terminated.

    *Step1: Enable routing between all the three routers.

    *Step2: Configure the router using SDM. In the IPS configuration mode, start the wizard available. Select the proper interface and the proper direction. In our case, it's Serial 1/2 in the inbound direction. Tick the "Use the in-built signatures" option in the next screen and finish.

    *Step3: You'll be taken to the "Edit IPS" page next. In there, go to the signatures tab. In the drop-down menu in the centre, choose "engine" as the "view by" option. In the drop-down menu beside it, pick the STRING.TCP option.

    *Step4: Add a new signature. The parameters that have to be configured here are

    Sig name: (any name); Alarm Severity; EventAction: (alarm, drop and reset);

    Protocol: (TCP); RegexString: (the string of characters in order that they would

    be entered); ServicePorts: (23 for telnet)

    *Step 5: Click the OK button and apply the changes made.

    *To verify, configure a PC in the CORE router's LAN. Telnet to router RA2's serial interface. When you type in "enable", your telnet session must be disconnected by RA1.

    IOS Firewall

    *The scenario set up is as shown above. RA1 has two interfaces connected to two

    different LANs. Both can communicate with each other initially. Our scenario is

    to allow communication from one LAN to the other, but deny the communication

    in the opposite direction.

    *Configure access-lists on both the interfaces allowing one way communication.

    For example, PC connected to the Fa0/0 interface must be able to ping to the PC

    connected to the Fa4/0, but the opposite should not be possible

    RA1#config terminal

    RA1(config)# access-list 100 permit ip 192.168.1.16 0.0.0.15 192.168.100.0 0.0.0.255

    RA1(config)# access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.1.16 0.0.0.15

    RA1(config)#interface fa 0/0

    RA1(config-if)#ip access-group 100 in

    RA1(config-if)#interface fa 4/0

    RA1(config-if)#ip access-group 101 in

    *When you ping from both the PCs to each other, you will note that both cannot

    ping each other. To achieve our goal of one-way communication, we have to

    configure the following. Configure a firewall rule for ICMP protocol and apply it

    on the interface where we want the traffic to flow to, in the inbound direction.

    RA1(config)#ip inspect name zoom icmp

    RA1(config)#interface fa0/0

    RA1(config-if)#ip inspect zoom in

    *Now, you will notice that the PC on Fa0/0 can ping the PC on Fa4/0 but the PC

    on Fa4/0 cannot ping Fa0/0

    AAA Configuration

    *In case of AAA configuration, a PC installed with the ACS software is called the

    AAA Server. The Network device (ex: router) which is using the AAA server for

    authentication is called the AAA Client. The PC labeled as the Client in the above

    diagram is actually the user who is trying to log in to the router and is NOT the

    AAA client.

    *Configuring authentication: This is for the router and in turn, the user, to be

    authenticated by the AAA server. Take care to not close the telnet window after

    configuring this.

    RA1(config)#aaa new-model

    RA1(config)#aaa authentication login default group tacacs+

    RA1(config)#line vty 0 15

    RA1(config-line)#login authentication default

    RA1(config)#tacacs-server host 192.168.X.Y key zoom123

    * On the ACS server, configure the following.

    Network configuration: By adding the router as a client.

    Users Settings: By adding a username and password for the user to log in. Also

    add the user in a specific group.

    *Configuring authorization: This is for assigning privilege levels to the user who has logged in to the router.

    RA1(config)#aaa authorization exec default group tacacs+

    *In the ACS server, under the group settings for the user's group, tick the "Shell (EXEC)" option and mention the Privilege level that you want to assign to the user.

    *Verify the output from the client by using the show privilege command on the router.

    *By using the following configuration, we can allow the user the following commands, which are normally not allowed.

    RA1(config)#privilege exec level 10 configure terminal

    RA1(config)#privilege configure level 10 ip route

    RA1(config)#privilege configure level 10 interface

    RA1(config)#privilege interface level 10 shutdown

    *Configuring AAA accounting on the router.

    RA1(config)#aaa accounting commands 1 default start-stop tacacs+

    RA1(config)#aaa accounting commands 10 default start-stop tacacs+

    RA1(config)#aaa accounting commands 15 default start-stop tacacs+

    *Verify the output in ACS server

    Configuring SNMP

    *On each router, configure the following, mentioning the community to which the router belongs. The next two statements enable SNMP traps and point the router to the SNMP server along with the key. Make sure that the SNMP server belongs to the LAN of one of the routers and that routing is enabled from each router to the SNMP server. Test by pinging from each router to the SNMP server.

    RA1(config)#snmp-server community zoom123 rw

    RA1(config)#snmp-server enable traps

    RA1(config)#snmp-server host 192.168.X.Y zoom123

    *Verify the output in SNMP server

    Configuring SYSLOG

    *Configure on each router the following to enable syslog and to mention the IP

    address of the syslog server.

    RA1(config)#logging on

    RA1(config)#logging host 192.168.X.Y

    *Verify the output in Syslog Server. Any changes that trigger syslog messages will

    be sent to the syslog software on the server. Syslog can be verified by shutting

    down and bringing up an interface.

    MPLS Configuration

    *Configure the above MPLS network topology with routers INDIA, POLAND and

    SUDAN belonging to the MPLS cloud and routers RUSSIA and ALGERIA are the

    customer end routers.

    *The pre-requisite for this kind of set-up is for routing to be enabled from one end to the other. We use OSPF for the same in this set-up.

    Russia(config)#no ip routing

    Russia(config)#ip routing

    Russia(config)#router ospf 10

    Russia(config-router)#net 0.0.0.0 255.255.255.255 area 0

    Russia(config-router)#end

    Russia#

    Poland(config)#interface fa 0/1

    Poland(config-if)#ip add 192.168.100.1 255.255.255.0

    Poland(config-if)#no sh

    Poland(config-if)#exit

    Poland(config)#router ospf 10

    Poland(config-router)#net 0.0.0.0 255.255.255.255 area 0

    Poland(config-router)#end

    INDIA(config)#int f 0/0

    INDIA(config-if)#ip add 192.168.100.2 255.255.255.0

    INDIA(config-if)#no shut

    INDIA(config-if)#interface fa 4/0

    INDIA(config-if)#ip add 192.168.200.1 255.255.255.0

    INDIA(config-if)#no shut

    INDIA(config-if)#exit

    INDIA(config)#no ip routing

    INDIA(config)#ip routing

    INDIA(config)#router ospf 10

    INDIA(config-router)#net 0.0.0.0 255.255.255.255 area 0

    Sudan(config)#int f 0/1

    Sudan(config-if)#ip add 192.168.200.2 255.255.255.0

    Sudan(config-if)#no shut

    Sudan(config-if)#exit

    Sudan(config)#router ospf 10

    Sudan(config-router)#net 0.0.0.0 255.255.255.255 area 0

    Sudan(config-router)#end

    Sudan#

    Algeria(config)#no ip routing

    Algeria(config)#ip routing

    Algeria(config)#router ospf 10

    Algeria(config-router)#net 0.0.0.0 255.255.255.255 area 0

    Algeria(config-router)#end

    Algeria#

    *Configuring MPLS in the Service Provider cloud.

    *Verify using the following commands.

    R#show ip cef

    R#show mpls forwarding-table

    R#show ip route

    R#Traceroute

    Poland(config)#ip cef

    Poland(config)#mpls ip

    Poland(config)#interface fa 0/1

    Poland(config-if)#mpls ip

    Poland(config-if)#interface fa 0/0

    Poland(config-if)#mpls ip

    Poland(config-if)#end

    INDIA(config)#ip cef

    INDIA(config)#mpls ip

    INDIA(config)#interface fa 0/0

    INDIA(config-if)#mpls ip

    INDIA(config-if)#interface fa 4/0

    INDIA(config-if)#mpls ip

    INDIA(config-if)#end

    Sudan(config)#mpls ip

    Sudan(config)#ip cef

    Sudan(config)#interface fa 0/1

    Sudan(config-if)#mpls ip

    Sudan(config-if)#int f 0/0

    Sudan(config-if)#mpls ip

    Sudan(config-if)#end

    VLAN Configuration

    Configuration on 2950-229 (192.168.0.229)

    *Configuring the trunk

    s2950-229(config)#interface fastethernet 0/24

    s2950-229(config-if)#switchport mode trunk

    s2950-229(config-if)#switchport trunk allowed vlan all

    s2950-229(config-if)#exit

    *Configuring the VTP domain and password

    s2950-229(config)#vtp domain zoom

    s2950-229(config)#vtp password zoom

    *Creation of VLANs

    s2950-229(config)#vlan 10

    s2950-229(config-vlan)#name sales

    s2950-229(config-vlan)#exit

    s2950-229(config)#vlan 20

    s2950-229(config-vlan)#name marketing

    s2950-229(config-vlan)#exit

    s2950-229(config)#vlan 30

    s2950-229(config-vlan)#name accounting

    s2950-229(config-vlan)#exit

    *Assigning the interface to VLANs

    s2950-229(config)#interface fastethernet 0/10

    s2950-229(config-if)#switchport mode access

    s2950-229(config-if)#switchport access vlan 1

    s2950-229(config-if)#exit

    s2950-229(config)#interface fastethernet 0/12

    s2950-229(config-if)#switchport mode access

    s2950-229(config-if)#switchport access vlan 10

    s2950-229(config-if)#exit

    s2950-229(config)#interface fastethernet 0/14

    s2950-229(config-if)#switchport mode access

    s2950-229(config-if)#switchport access vlan 20

    s2950-229(config-if)#exit

    s2950-229(config)#interface fastethernet 0/16

    s2950-229(config-if)#switchport mode access

    s2950-229(config-if)#switchport access vlan 30

    #show interface trunk

    #show vlan

    #show vtp status

    #show interface status

    #show interface fastethernet 0/X switchport

    *By using the following configuration, we can make switch 3560 the root bridge for the entire LAN. This is done by setting its priority lower than the default priority of 32768.

    S3560(config)#spanning-tree vlan 1 priority 24576

    *Verify the output in all the switches to see which switch is the root and which

    port is in the blocked state.

    s2950-229#show spanning-tree

    S3560#show spanning-tree

    Configuring Spanning-tree Portfast feature

    *By configuring a port as a portfast port, the port doesn't take part in the spanning-tree calculation process.

    S3560#conf t

    S3560(config)#interface fa 0/X

    S3560(config-if)#spanning-tree portfast

    *Verify the result using the show command.

    S3560#show spanning-tree

    (output omitted)

    Interface        Role Sts Cost      Prio.Nbr Type
    ---------------- ---- --- --------- -------- --------------------------------
    Fa0/17           Desg FWD 19        128.17   Edge P2p

    Configuring Uplinkfast

    *Uplinkfast is configured only on the switch that has blocked ports. By

    configuring this, when the link in forwarding state on this particular switch goes

    down, the switch immediately brings the blocked port into forwarding state

    instead of running the spanning-tree algorithm.

    s3550(config)#spanning-tree uplinkfast

    *Verify the output by shutting down the link in forwarding state and note that the blocked port immediately comes up. This can be tested by keeping a continuous ping running between two PCs.

    S3550#show spanning-tree

    Configuring the Spanning-tree Backbonefast

    *When an indirectly connected link to the switch with the blocked port goes down,

    the switch gets information from the other switches and immediately brings up the

    blocked port. This has to be configured on all the switches.

    s2950-229#conf t

    s2950-229(config)#spanning-tree backbonefast

    s3550#conf t

    s3550(config)#spanning-tree backbonefast

    S3560#conf t

    S3560(config)#spanning-tree backbonefast

    s2950-129#conf t

    s2950-129(config)#spanning-tree backbonefast

    *Verify the output by shutting down an indirectly connected link, i.e., any link that is not connected to the switch with the blocked port, and note that the blocked port immediately comes up. This can be tested by keeping a continuous ping running between two PCs.

    STP

    Configuring PVST+

    *When the LAN network consists of more than one VLAN, the switch with the lowest mac-address will be the root bridge for all the VLANs, with the same port being blocked for all the VLANs. In order to change this, our goal is to configure one switch as the root for each VLAN. This is done by lowering the spanning-tree priority value on the respective switch for the respective VLAN.

    Change the root election of the switches as per the given table:

    VLAN 1: root is S3560

    VLAN 101: root is S2950-229

    VLAN 201: root is S2950-129

    VLAN 301: root is S3550

    *Create the required VLANs as given above.

    Tip: Use VTP to create the VLANs.

    S3560#conf t

    S3560(config)#vlan 101

    S3560(config-vlan)#name ccna

    S3560(config-vlan)#exit

    S3560(config)#vlan 201

    S3560(config-vlan)#name ccnp

    S3560(config-vlan)#exit

    S3560(config)#vlan 301

    S3560(config-vlan)#name mcse

    S3560(config-vlan)#exit

    *Configure the spanning-tree mode to PVST and then change the priority of the

    vlan on the respective switch to make it root for that VLAN.

    S3560(config)#spanning-tree mode pvst

    S3560(config)#spanning-tree vlan 1 priority 24576

    s2950-229#conf t

    s2950-229(config)#spanning-tree mode pvst

    s2950-229(config)#spanning-tree vlan 101 priority 24576

    s2950-129#conf t

    s2950-129(config)#spanning-tree mode pvst

    s2950-129(config)#spanning-tree vlan 201 priority 24576

    s3550#conf t

    s3550(config)#spanning-tree mode pvst

    s3550(config)#spanning-tree vlan 301 priority 24576

    *Verify using the show commands to see the status of VLANs

    Switch 3560

    S3560#show spanning-tree

    S3560#show spanning-tree vlan 101
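
    The per-VLAN root election configured above can be reproduced offline. The following is an added example, not part of the lab guide: the MAC addresses are constructed, and it assumes the switches use the extended system ID, so the VLAN ID is added to the configured priority.

```python
# Added example: PVST+ root election per VLAN. MAC addresses are constructed.
DEFAULT_PRIORITY = 32768

# Constructed base MACs; S3550 is deliberately the lowest.
SWITCH_MACS = {
    "S3560": "0019.e8a1.4c80",
    "S2950-229": "000d.bd4f.1a40",
    "S2950-129": "000d.bd4f.22c0",
    "S3550": "000b.5f3c.9e00",
}

# Priorities from the lab table: one lowered priority per (switch, VLAN).
LAB_PRIORITIES = {
    ("S3560", 1): 24576,
    ("S2950-229", 101): 24576,
    ("S2950-129", 201): 24576,
    ("S3550", 301): 24576,
}


def bridge_id(switch, vlan, priorities):
    """Return the (priority, MAC) pair that STP compares for one VLAN."""
    priority = priorities.get((switch, vlan), DEFAULT_PRIORITY)
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    mac = int(SWITCH_MACS[switch].replace(".", ""), 16)
    # Assumption: extended system ID is in use, so the VLAN ID is added
    # to the configured priority inside the bridge ID.
    return (priority + vlan, mac)


def elect_root(vlan, priorities):
    """The switch with the numerically lowest bridge ID becomes root."""
    return min(SWITCH_MACS, key=lambda sw: bridge_id(sw, vlan, priorities))


def root_table(vlans, priorities):
    """Map each VLAN to its elected root switch."""
    return {vlan: elect_root(vlan, priorities) for vlan in vlans}


if __name__ == "__main__":
    vlans = (1, 101, 201, 301)
    print("defaults  :", root_table(vlans, {}))
    print("lab config:", root_table(vlans, LAB_PRIORITIES))
```

    With default priorities every VLAN elects the switch with the lowest MAC address; with the lab priorities each VLAN gets the root named in the table.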

    ADVANCED STP

    Configuring MST

    *When the LAN network consists of more than one VLAN, the switch with the lowest mac-address will be the root bridge for all the VLANs, with the same port being blocked for all the VLANs. In order to change this, our goal is to configure one switch as the root for each group of VLANs. This is done by lowering the spanning-tree priority value on the respective switch for the respective VLAN group.

    MST Inst 1 Vlan 1-100 root S3560

    MST Inst 2 Vlan 101-200 root S2950-229

    MST Inst 3 Vlan 201-300 root S2950-129

    MST Inst 4 Vlan 301-400 root S3550

    *Note: The MST instance configuration must be the same on all four switches.

    S3560(config)#spanning-tree mst configuration

    S3560(config-mst)#instance 1 vlan 1-100

    S3560(config-mst)#instance 2 vlan 101-200

    S3560(config-mst)#instance 3 vlan 201-300

    S3560(config-mst)#instance 4 vlan 301-400

    S3560(config-mst)#name zoom

    S3560(config-mst)#revision 1

    S3560(config-mst)#exit

    S3560(config)#spanning-tree mst 1 priority 28672

    S3560(config)#spanning-tree mode mst

    s2950-229(config)#spanning-tree mst configuration

    s2950-229(config-mst)#instance 1 vlan 1-100

    s2950-229(config-mst)#instance 2 vlan 101-200

    s2950-229(config-mst)#instance 3 vlan 201-300

    s2950-229(config-mst)#instance 4 vlan 301-400

    s2950-229(config-mst)#name zoom

    s2950-229(config-mst)#revision 1

    s2950-229(config-mst)#exit

    s2950-229(config)#spanning-tree mst 2 priority 28672

    s2950-229(config)#spanning-tree mode mst

    s2950-129(config)#spanning-tree mst configuration

    s2950-129(config-mst)#instance 1 vlan 1-100

    s2950-129(config-mst)#instance 2 vlan 101-200

    s2950-129(config-mst)#instance 3 vlan 201-300

    s2950-129(config-mst)#instance 4 vlan 301-400

    s2950-129(config-mst)#name zoom

    s2950-129(config-mst)#revision 1

    s2950-129(config-mst)#exit

    s2950-129(config)#spanning-tree mst 3 priority 28672

    s2950-129(config)#spanning-tree mode mst

    s3550(config)#spanning-tree mst configuration

    s3550(config-mst)#instance 1 vlan 1-100

    s3550(config-mst)#instance 2 vlan 101-200

    s3550(config-mst)#instance 3 vlan 201-300

    s3550(config-mst)#instance 4 vlan 301-400

    s3550(config-mst)#name zoom

    s3550(config-mst)#revision 1

    s3550(config-mst)#exit

    s3550(config)#spanning-tree mst 4 priority 28672

    s3550(config)#spanning-tree mode mst

    *Verify using the following commands

    S3560#show spanning-tree

    S3560#show spanning-tree mst

    S3560#show spanning-tree summary
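
    Why the MST configuration has to be identical on all four switches: bridges treat each other as members of one region only when region name, revision and a digest of the VLAN-to-instance table all match. The following is an added example, not part of the lab guide, that derives that identity from the configuration lines above, using the HMAC-MD5 digest construction of IEEE 802.1Q; the faulty S3550 configuration is constructed.

```python
import hashlib
import hmac

# Fixed signature key defined by IEEE 802.1Q for the MST configuration digest.
DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")

# The region configuration entered on every switch in this lab.
LAB_MST = """\
instance 1 vlan 1-100
instance 2 vlan 101-200
instance 3 vlan 201-300
instance 4 vlan 301-400
name zoom
revision 1
"""


def parse_mst(config):
    """Parse 'spanning-tree mst configuration' lines into name, revision, table."""
    name, revision = "", 0
    table = [0] * 4096      # VID -> instance; unmapped VIDs stay in instance 0
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "name":
            name = words[1]
        elif words[0] == "revision":
            revision = int(words[1])
        elif words[0] == "instance" and words[2] == "vlan":
            for part in words[3].split(","):
                first, _, last = part.partition("-")
                for vid in range(int(first), int(last or first) + 1):
                    if not 1 <= vid <= 4094:
                        raise ValueError(f"VLAN {vid} out of range")
                    table[vid] = int(words[1])
    return name, revision, table


def region_id(config):
    """Return (name, revision, digest): the values MST bridges compare."""
    name, revision, table = parse_mst(config)
    blob = b"".join(inst.to_bytes(2, "big") for inst in table)
    digest = hmac.new(DIGEST_KEY, blob, hashlib.md5).hexdigest()
    return name, revision, digest


def region_mismatches(configs):
    """Compare every switch with the first one; return the names that differ."""
    reference = region_id(next(iter(configs.values())))
    return [sw for sw, cfg in configs.items() if region_id(cfg) != reference]


if __name__ == "__main__":
    configs = {sw: LAB_MST for sw in ("S3560", "S2950-229", "S2950-129", "S3550")}
    # Constructed fault: one switch leaves VLAN 400 out of instance 4.
    configs["S3550"] = LAB_MST.replace("301-400", "301-399")
    print("switches outside the region:", region_mismatches(configs))
```

    A single VLAN mapped differently changes the digest, so that switch forms its own region even though name and revision still match.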

    *Devices in different VLANs cannot communicate with each other by default. To

    enable communication between them, routing must be enabled between the

    VLANs.

    *Create the VLANs as per requirement.

    S3560(config)#vlan 40

    S3560(config-vlan)#name sales

    S3560(config-vlan)#exit

    S3560(config)#vlan 50

    S3560(config-vlan)#name marketing

    S3560(config-vlan)#vlan 60

    S3560(config-vlan)#name accounts

    S3560(config-vlan)#exit

    *Bind the interface in respective VLANs.

    S3560(config)#interface fa 0/12

    S3560(config-if)#switchport mode access

    S3560(config-if)#switchport access vlan 40

    S3560(config-if)#exit

    S3560(config)#interface fa 0/14

    S3560(config-if)#switchport mode access

    S3560(config-if)#switchport access vlan 50

    S3560(config-if)#exit

    S3560(config)#interface fa 0/16

    S3560(config-if)#switchport mode access

    S3560(config-if)#switchport access vlan 60

    *Assign an IP address for each of the vlan interfaces. These addresses are going

    to be the default gateway for the devices in those particular VLANs.

    S3560(config)#interface vlan 40

    S3560(config-if)#ip address 192.168.40.1 255.255.255.0

    S3560(config-if)#exit

    S3560(config)#interface vlan 50

    S3560(config-if)#ip address 192.168.50.1 255.255.255.0

    S3560(config-if)#exit

    S3560(config)#interface vlan 60

    S3560(config-if)#ip address 192.168.60.1 255.255.255.0

    S3560(config-if)#exit

    *Enable the routing process on the multilayer-switch to allow communication

    between the VLANs.

    S3560(config)#ip routing

    S3560(config)#end

    *Verify using the following show commands.

    #show ip route

    #show vlan

    #show ip cef

    #sh adjacency detail

    *Configuring Inter-VLAN routing with the help of an external router.

    *This method is also called Router-on-a-Stick. This is done by connecting the switch to the router's Ethernet/FastEthernet port. That Ethernet port is then logically divided into sub-interfaces. Each sub-interface in turn acts as a gateway for one of the VLANs.

    Switch configuration

    *Configure the required number of VLANs on the layer 2 switch and assign the access ports to them.

    S2950-229(config)#vlan 10

    S2950-229(config-vlan)#exit

    S2950-229(config)#vlan 20

    S2950-229(config-vlan)#vlan 30

    S2950-229(config-vlan)#exit

    S2950-229(config)#interface fa 0/12

    S2950-229(config-if)#switchport mode access

    S2950-229(config-if)#switchport access vlan 10

    S2950-229(config-if)#exit

    S2950-229(config)#interface fa 0/14

    S2950-229(config-if)#switchport mode access

    S2950-229(config-if)#switchport access vlan 20

    S2950-229(config-if)#exit

    S2950-229(config)#interface fa 0/16

    S2950-229(config-if)#switchport mode access

    S2950-229(config-if)#switchport access vlan 30

    *The port on the switch connected to the router must be configured as a trunk port since it carries information from more than one VLAN.

    S2950-229(config)#interface fa 0/3

    S2950-229(config-if)#switchport mode trunk

    S2950-229(config-if)#end

    Router Configuration

    *On the router's Ethernet interface, remove the IP address and create sub-interfaces as given below. Each sub-interface has to be configured with the right encapsulation so that it can interpret the data coming from the trunk port of the switch.

    Sudan#conf t

    Sudan(config)#ip routing

    Sudan(config)#interface fa 0/1

    Sudan(config-if)#no ip address

    Sudan(config-if)#no shutdown

    Sudan(config-if)#exit

    Sudan(config)#interface fa 0/1.1

    Sudan(config-subif)#encapsulation dot1q 1 native

    Sudan(config-subif)#ip address 192.168.0.50 255.255.255.0

    Sudan(config-subif)#exit

    Sudan(config)#interface fa 0/1.10

    Sudan(config-subif)#encapsulation dot1q 10

    Sudan(config-subif)#ip address 192.168.10.1 255.255.255.0

    Sudan(config-subif)#exit

    Sudan(config)#interface fa 0/1.20

    Sudan(config-subif)#encapsulation dot1q 20

    Sudan(config-subif)#ip address 192.168.20.1 255.255.255.0

    Sudan(config-subif)#exit

    Sudan(config)#interface fa 0/1.30

    Sudan(config-subif)#encapsulation dot1q 30

    Sudan(config-subif)#ip address 192.168.30.1 255.255.255.0

    Sudan(config-subif)#exit

    *Verify by using the following commands and also by pinging from a PC in one

    VLAN to a PC in another VLAN.

    R#show ip route

    S#show vlan

    S#show interface trunk
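
    What "the right encapsulation" means on the wire: the router reads the 802.1Q tag of each frame arriving from the trunk and hands the frame to the sub-interface configured for that VLAN ID, with untagged frames going to the native sub-interface. The following is an added example, not part of the lab guide; the sub-interface table is taken from the Sudan configuration above, while the MAC addresses and payload are constructed.

```python
import struct

TPID_DOT1Q = 0x8100
NATIVE_VLAN = 1   # from 'encapsulation dot1q 1 native'

# Sub-interfaces from the Sudan configuration: VLAN ID -> (name, gateway IP).
SUBINTERFACES = {
    1: ("Fa0/1.1", "192.168.0.50"),
    10: ("Fa0/1.10", "192.168.10.1"),
    20: ("Fa0/1.20", "192.168.20.1"),
    30: ("Fa0/1.30", "192.168.30.1"),
}


def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0):
    """Build an Ethernet II frame, inserting an 802.1Q tag when vlan is set."""
    header = dst + src
    if vlan is not None:
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN ID must be 1-4094")
        tci = (pcp << 13) | vlan          # PCP(3) | DEI(1)=0 | VID(12)
        header += struct.pack("!HH", TPID_DOT1Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def classify(frame):
    """Return (vlan, sub-interface or None) for a frame arriving on the trunk."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (type_field,) = struct.unpack_from("!H", frame, 12)
    if type_field == TPID_DOT1Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, 14)
        vlan = tci & 0x0FFF
    else:
        vlan = NATIVE_VLAN                # untagged frames belong to the native VLAN
    return vlan, SUBINTERFACES.get(vlan)  # None: no sub-interface, frame is dropped


if __name__ == "__main__":
    # Constructed frames: MAC addresses and payload are sample values.
    pc = bytes.fromhex("0050569a0001")
    router = bytes.fromhex("001a2b3c4d5e")
    for vlan in (None, 10, 20, 30, 40):
        frame = build_frame(router, pc, 0x0800, b"\x45" + bytes(19), vlan)
        print(vlan, classify(frame))
```

    A frame tagged with a VLAN that has no sub-interface (VLAN 40 here) matches nothing and is not routed.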

    HSRP

    *In this practical, we configure two routers connected on the same LAN network

    with HSRP. By doing that, the two routers create a Virtual Router with a Virtual-

    IP that we mention in the configuration. This virtual-IP is to be used as the

    default-gateway to the devices in the LAN.

    *Make sure that the LAN interfaces of both routers belong to the same network and that both routers are configured with the same standby group.

    Sudan#conf t

    Sudan(config)#interface fa 0/0

    Sudan(config-if)#ip address 192.168.1X0.100 255.255.255.0

    Sudan(config-if)#no shutdown

    Sudan(config-if)#standby X0 ip 192.168.1X0.1

    Sudan(config-if)#standby X0 priority 150

    Sudan(config-if)#standby X0 preempt

    Sudan(config-if)#exit

    Sudan(config)#ip route 192.168.0.0 255.255.255.0 s 0/2/0

    Poland#conf t

    Poland(config)#interface fa 0/0

    Poland(config-if)#ip address 192.168.1X0.200 255.255.255.0

    Poland(config-if)#no shutdown

    Poland(config-if)#standby X0 ip 192.168.1X0.1

    Poland(config-if)#standby X0 priority 120

    Poland(config-if)#standby X0 preempt

    Poland(config-if)#exit

    Poland(config)# ip route 192.168.0.0 255.255.255.0 s 0/2/0

    CORE#conf t

    CORE(config)# ip route 192.168.1X0.0 255.255.255.0 s 1

    CORE(config)# ip route 192.168.1X0.0 255.255.255.0 s 2

    *Verify using the following command, which router is the ACTIVE router and

    which router is the STANDBY.

    Router#show standby

    *Shut down the Ethernet interface of the active (Sudan) router and verify which router now becomes the ACTIVE router.

    Sudan#conf t

    Sudan(config)#interface fa 0/0

    Sudan(config-if)#shutdown

    Sudan(config-if)#end

    *Bring up the Ethernet interface again and now configure interface tracking in

    Sudan router.

    Sudan#conf t

    Sudan(config)#interface fa 0/0

    Sudan(config-if)#no shutdown

    Sudan(config-if)#standby X0 track serial 0/2/0 50

    *The above statement implies that for group X0, if the interface serial 0/2/0 goes

    down, decrease the standby priority of this router by a value of 50 such that the

    other router, now, has the higher priority and it becomes the ACTIVE router.

    *Shut down the serial 0/2/0 interface and verify the output.

    Sudan(config)#interface Serial 0/2/0

    Sudan(config-if)# shutdown

    Router#show standby
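
    The failover steps of this practical can be worked through as a small model of the HSRP election. The following is an added example, not part of the lab guide: priorities, preempt and the tracking decrement come from the configuration above, the placeholder X in the addresses is taken as 1, and the class and function names are hypothetical.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class HsrpRouter:
    name: str
    ip: IPv4Address
    priority: int = 100                          # IOS default standby priority
    preempt: bool = False
    tracks: dict = field(default_factory=dict)   # interface -> decrement
    down: set = field(default_factory=set)       # interfaces currently down
    lan: str = "fa0/0"

    def alive(self):
        """A router only takes part while its LAN interface is up."""
        return self.lan not in self.down

    def effective_priority(self):
        lost = sum(dec for ifc, dec in self.tracks.items() if ifc in self.down)
        return max(self.priority - lost, 0)

    def rank(self):
        # Higher priority wins; the higher interface IP breaks a tie.
        return (self.effective_priority(), self.ip)


def elect_active(routers, current=None):
    """Return the name of the ACTIVE router once the group has settled."""
    alive = [r for r in routers if r.alive()]
    if not alive:
        return None
    active = next((r for r in alive if r.name == current), None)
    if active is None:                   # nobody is active: the best router wins
        return max(alive, key=HsrpRouter.rank).name
    # A live active router is replaced only by a better router that has preempt.
    challengers = [r for r in alive if r.preempt and r.rank() > active.rank()]
    return max(challengers, key=HsrpRouter.rank).name if challengers else active.name


def lab_routers(poland_preempt=True):
    """Sudan and Poland as configured in this practical (X taken as 1)."""
    sudan = HsrpRouter("Sudan", IPv4Address("192.168.110.100"), 150, True,
                       tracks={"s0/2/0": 50})
    poland = HsrpRouter("Poland", IPv4Address("192.168.110.200"), 120,
                        poland_preempt)
    return sudan, poland


if __name__ == "__main__":
    sudan, poland = lab_routers()
    routers = [sudan, poland]
    active = elect_active(routers)
    print("initial active:", active)
    sudan.down.add("s0/2/0")             # tracked serial link fails
    print("priority now:", sudan.effective_priority())
    print("active after serial failure:", elect_active(routers, active))
```

    Tracking moves the ACTIVE role only because Poland is configured with preempt: calling `lab_routers(poland_preempt=False)` and repeating the serial failure leaves Sudan active at priority 100.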

    GLBP

    *In this practical, we configure two routers connected on the same LAN network

    with GLBP. By doing that, the two routers create a Virtual Router with a Virtual-

    IP that we mention in the configuration. This virtual-IP is to be used as the

    default-gateway to the devices in the LAN.

    *Make sure that the LAN interfaces of both routers belong to the same network and that both routers are configured with the same GLBP group.

    Sudan(config)#interface fa 0/0

    Sudan(config-if)#ip address 192.168.1X0.100 255.255.255.0

    Sudan(config-if)#no shutdown

    Sudan(config-if)#glbp X0 ip 192.168.1X0.1

    Sudan(config-if)#exit

    Sudan(config)# ip route 192.168.0.0 255.255.255.0 s 0/2/0

    Poland(config)#interface fa 0/0

    Poland(config-if)#ip address 192.168.1X0.200 255.255.255.0

    Poland(config-if)#no shutdown

    Poland(config-if)#glbp X0 ip 192.168.1X0.1

    Poland(config-if)#exit

    Poland(config)# ip route 192.168.0.0 255.255.255.0 s 0/2/0

    CORE#conf t

    CORE(config)# ip route 192.168.1X0.0 255.255.255.0 s 1

    CORE(config)# ip route 192.168.1X0.0 255.255.255.0 s 2

    *Verify using the following command, which router is the ACTIVE router.

    Router#sh glbp

    *Shut down the Ethernet interface of the active (Sudan) router and verify the output.

    Sudan#conf t

    Sudan(config)#interface fa 0/0

    Sudan(config-if)#shutdown

    Sudan(config-if)#end

    *Bring up the Ethernet interface again and now configure interface tracking in

    Sudan router.

    Sudan#conf t

    Sudan(config)#track 50 interface serial 0/2/0 line-protocol

    Sudan(config-track)#exit

    Sudan(config)#interface fa 0/0

    Sudan(config-if)#glbp X0 weighting track 50 decrement 100

    *Configure using the following commands to reduce the preempt delay in both the

    routers.

    Sudan(config-if)#glbp X0 forwarder preempt delay minimum 5

    Sudan(config-if)#end

    *Reducing the preempt delay in Poland

    Poland(config-if)#glbp X0 forwarder preempt delay minimum 5

    *Shut down the serial 0/2/0 interface on the Sudan router and verify the output.

    Sudan#conf t

    Sudan(config)#interface s 0/2/0

    Sudan(config-if)# shutdown

    PORT-SECURITY

    *This practical is to configure port-security on a switch by binding the mac-

    address of a PC to a particular port. By doing so, we allow only that PC to work

    on that port. Any other PC trying to use that port is not allowed to do so since it

    would be having a different mac-address.

    S3560#conf t

    S3560(config)#interface fa 0/12

    S3560(config-if)#switchport mode access

    S3560(config-if)#switchport port-security

    S3560(config-if)#switchport port-security mac-address xxxx.xxxx.xxxx

    S3560(config-if)#switchport port-security violation shutdown

    *You can verify the output by disconnecting the PC from the port and connecting

    another PC to the same port and trying to start communication on it. You will find

    that as soon as the new PC tries to establish communication, the port goes into an

    err-disabled state and is shut down.

    S3560#show port-security

    S3560#show interface status

    S3560#show port-security interface fa 0/12

    [Figure: PC with MAC address xxxx.xxxx.xxxx connected to switch port Fa 0/12]

    VACL

    *Two PCs belonging to the same VLAN on the same switch can communicate with

    each other by default. In cases where we do not want them to communicate and

    there is no router available to configure access-lists, we can configure VLAN

    access-lists or VACL.

    *Assign the ports connecting 192.168.0.3 and 192.168.0.203 to VLAN 10. They can ping each other normally. The required scenario here is that ping requests from pc-192.168.0.3 to pc-192.168.0.203 are blocked, while ping requests from pc-192.168.0.203 to pc-192.168.0.3 are allowed.

    S3560(config)#access-list 110 permit icmp host 192.168.0.3 host 192.168.0.203 echo

    S3560(config)#vlan access-map zoom 1