Fluent Essays

its a starter ccna course and the file is 82 pages but only because it has tips on how to do it. VOLUME 1 LABS Hands-on Labs In this section, you will perform commands on a Cisco switch (or you can use a router) that will help you understand what you learned in this chapter. You’ll need at least one Cisco device—two would be better, three would be outstand- ing. The hands-on labs in this section are included for use with real Cisco routers, but all of these labs work with the LammleSim IOS version (see www.lammle.com/ccna) or use the Cisco Packet Tracer router simulator. Last, for the Cisco exam it doesn’t mat- ter what model of switch or router you use with these labs, as long as you’re running IOS 12.2 or newer. Yes, I know the objectives are 15 code, but that is not important for any of these labs. It is assumed that the device you’re going to use has no current configuration present. If necessary, erase any existing configuration with Hands-on Lab 6.1; otherwise, proceed to Hands-on Lab 6.2: Lab 6.1: Erasing an Existing Configuration Lab 6.2: Exploring User, Privileged, and Configuration Modes Lab 6.3: Using the Help and Editing Features Lab 6.4: Saving a Configuration Lab 6.5: Setting Passwords Lab 6.6: Setting the Hostname, Descriptions, IP Address, and Clock Rate Hands-on Lab 6.1: Erasing an Existing Configuration The following lab may require the knowledge of a username and password to enter privi- leged mode. If the router has a configuration with an unknown username and password for privileged mode, this procedure will not be possible. It is possible to erase a configuration without a privileged mode password, but the exact steps depend on the model and will not be covered until Chapter 7. 1. Start the switch up and when prompted, press Enter. 2. At the Switch> prompt, type enable. 3. If prompted, enter the username and press Enter. Then enter the correct password and press Enter. 4. At the privileged mode prompt, type erase startup-config. 5. At the privileged mode prompt, type reload, and when prompted to save the con- figuration, type n for no. Hands-on Lab 6.2: Exploring User, Privileged, and Configuration Modes In the following lab, you’ll explore user, privileged, and configuration modes: 1. Plug the switch in, or turn the router on. If you just erased the configuration as in Hands-on Lab 6.1, when prompted to continue with the configuration dialog, enter n for no and press Enter. When prompted, press Enter to connect to your router. This will put you into user mode. 2. At the Switch> prompt, type a question mark (?). 3. Notice the –more– at the bottom of the screen. 4. Press the Enter key to view the commands line by line. Press the spacebar to view the commands a full screen at a time. You can type q at any time to quit. 5. Type enable or en and press Enter. This will put you into privileged mode where you can change and view the router configuration. 6. At the Switch# prompt, type a question mark (?). Notice how many options are avail- able to you in privileged mode. 7. Type q to quit. 8. Type config and press Enter. 9. When prompted for a method, press Enter to configure your router using your terminal (which is the default). 10. At the Switch(config)# prompt, type a question mark (?), then q to quit, or press the spacebar to view the commands. 11. Type interface f0/1 or int f0/1 (or even int gig0/1) and press Enter. This will allow you to configure interface FastEthernet 0/1 or Gigabit 0/1. 12. At the Switch(config-if)# prompt, type a question mark (?). 13. If using a router, type int s0/0, interface s0/0 or even interface s0/0/0 and press Enter. This will allow you to configure interface serial 0/0. Notice that you can go from interface to interface easily. 14. Type encapsulation ?. 15. Type exit. Notice how this brings you back one level. 16. Press Ctrl+Z. Notice how this brings you out of configuration mode and places you back into privileged mode. 17. Type disable. This will put you into user mode. 18. Type exit, which will log you out of the router or switch. Hands-on Lab 6.3: Using the Help and Editing Features This lab will provide hands-on experience with Cisco’s help and editing features. 1. Log into your device and go to privileged mode by typing en or enable. 2. Type a question mark (?). 3. Type cl? and then press Enter. Notice that you can see all the commands that start with cl. 4. Type clock ? and press Enter. Notice the difference between steps 3 and 4. Step 3 has you type letters with no space and a question mark, which will give you all the commands that start with cl. Step 4 has you type a command, space, and question mark. By doing this, you will see the next available parameter. 5. Set the clock by typing clock ? and, following the help screens, setting the time and date. The following steps walk you through setting the date and time. 6. Type clock ?. 7. Type clock set ?. 8. Type clock set 10:30:30 ?. 9. Type clock set 10:30:30 14 May ?. 10. Type clock set 10:30:30 14 May 2011. 11. Press Enter. 12. Type show clock to see the time and date. 13. From privileged mode, type show access-list 10. Don’t press Enter. 14. Press Ctrl+A. This takes you to the beginning of the line. 15. Press Ctrl+E. This should take you back to the end of the line. 16. Ctrl+A takes your cursor back to the beginning of the line, and then Ctrl+F moves your cursor forward one character. 17. Press Ctrl+B, which will move you back one character. 18. Press Enter, then press Ctrl+P. This will repeat the last command. 19. Press the up arrow key on your keyboard. This will also repeat the last command. 20. Type sh history. This shows you the last 10 commands entered. 21. Type terminal history size ?. This changes the history entry size. The ? is the number of allowed lines. 22. Type show terminal to gather terminal statistics and history size. 23. Type terminal no editing. This turns off advanced editing. Repeat steps 14 through 18 to see that the shortcut editing keys have no effect until you type terminal editing. 24. Type terminal editing and press Enter to re-enable advanced editing. 25. Type sh run, then press your Tab key. This will finish typing the command for you. 26. Type sh start, then press your Tab key. This will finish typing the command for you. Hands-on Lab 6.4: Saving a Configuration In this lab, you will get hands-on experience saving a configuration: 1. Log into your device and go into privileged mode by typing en or enable, then press Enter. 2. To see the configuration stored in NVRAM, type sh start and press Tab and Enter, or type show startup-config and press Enter. However, if no configuration has been saved, you will get an error message. 3. To save a configuration to NVRAM, which is known as startup-config, you can do one of the following: · Type copy run start and press Enter. · Type copy running, press Tab, type start, press Tab, and press Enter. · Type copy running-config startup-config and press Enter. 4. Type sh start, press Tab, then press Enter. 5. Type sh run, press Tab, then press Enter. 6. Type erase startup-config, press Tab, then press Enter. 7. Type sh start, press Tab, then press Enter. The router will either tell you that NVRAM is not present or display some other type of message, depending on the IOS and hardware. 8. Type reload, then press Enter. Acknowledge the reload by pressing Enter. Wait for the device to reload. 9. Say no to entering setup mode, or just press Ctrl+C. Hands-on Lab 6.5: Setting Passwords This hands-on lab will have you set your passwords. 1. Log into the router and go into privileged mode by typing en or enable. 2. Type config t and press Enter. 3. Type enable ?. 4. Set your enable secret password by typing enable secret password (the third word should be your own personalized password) and pressing Enter. Do not add the param- eter password after the parameter secret (this would make your password the word password). An example would be enable secret todd. 5. Now let’s see what happens when you log all the way out of the router and then log in. Log out by pressing Ctrl+Z, and then type exit and press Enter. Go to privileged mode. Before you are allowed to enter privileged mode, you will be asked for a pass- word. If you successfully enter the secret password, you can proceed. 6. Remove the secret password. Go to privileged mode, type config t, and press Enter. Type no enable secret and press Enter. Log out and then log back in again; now you should not be asked for a password. 7. One more password used to enter privileged mode is called the enable password. It is an older, less secure password and is not used if an enable secret password is set. Here is an example of how to set it: config t enable password todd1 8. Notice that the enable secret and enable passwords are different. They should never be set the same. Actually, you should never use the enable password, only enable secret. 9. Type config t to be at the right level to set your console and auxiliary passwords, then type line ?. 10. Notice that the parameters for the line commands are auxiliary, vty, and console. You will set all three if you’re on a router; if you’re on a switch, only the console and VTY lines are available. 11. To set the Telnet or VTY password, type line vty 0 4 and then press Enter. The 0 4 is the range of the five available virtual lines used to connect with Telnet. If you have an enterprise IOS, the number of lines may vary. Use the question mark to determine the last line number available on your router. 12. The next command is used to set the authentication on or off. Type login and press Enter to prompt for a user-mode password when telnetting into the device. You will not be able to telnet into a Cisco device if the password is not set. ( You can use the no login command to disable the user-mode password prompt when using Telnet. Do not do this in production! ) 13. One more command you need to set for your VTY password is password. Type password password to set the password. (password is your password.) 14. Here is an example of how to set the VTY password: config t line vty 0 4 password todd login 15. Set your auxiliary password by first typing line auxiliary 0 or line aux 0 (if you are using a router). 16. Type login. 17. Type password password . 18. Set your console password by first typing line console 0 or line con 0. 19. Type login. 20. Type password password . Here is an example of the last two command sequences: config t line con 0 password todd1 login line aux 0 password todd login 21. You can add the Exec-timeout 0 0 command to the console 0 line. This will stop the console from timing out and logging you out. The command sequence will now look like this: config t line con 0 password todd2 login exec-timeout 0 0 22. Set the console prompt to not overwrite the command you’re typing with console mes- sages by using the command logging synchronous. config t line con 0 logging synchronous Hands-on Lab 6.6: Setting the Hostname, Descriptions, IP Address, and Clock Rate This lab will have you set your administrative functions on each device. 1. Log into the switch or router and go into privileged mode by typing en or enable. If required, enter a username and password. 2. Set your hostname by using the hostname command. Notice that it is one word. Here is an example of setting your hostname on your router, but the switch uses the exact same command: Router#config t Router(config)#hostname RouterA RouterA(config)# Notice that the hostname of the router changed in the prompt as soon as you pressed Enter. 3. Set a banner that the network administrators will see by using the banner command, as shown in the following steps. 4. Type config t, then banner ?. 5. Notice that you can set at least four different banners. For this lab we are only inter- ested in the login and message of the day (MOTD) banners. 6. Set your MOTD banner, which will be displayed when a console, auxiliary, or Telnet connection is made to the router, by typing this: config t banner motd # This is an motd banner # 7. The preceding example used a # sign as a delimiting character. This tells the router when the message is done. You cannot use the delimiting character in the message itself. 8. You can remove the MOTD banner by typing the following command: config t no banner motd 9. Set the login banner by typing this: config t banner login # This is a login banner # 10. The login banner will display immediately after the MOTD but before the user-mode password prompt. Remember that you set your user-mode passwords by setting the console, auxiliary, and VTY line passwords. 11. You can remove the login banner by typing this: config t no banner login 12. You can add an IP address to an interface with the ip address command if you are using a router. You need to get into interface configuration mode first; here is an exam- ple of how you do that: config t int f0/1 ip address 1.1.1.1 255.255.0.0 no shutdown Notice that the IP address (1.1.1.1) and subnet mask (255.255.0.0) are configured on one line. The no shutdown (or no shut for short) command is used to enable the inter- face. All interfaces are shut down by default on a router. If you are on a layer 2 switch, you can set an IP address only on the VLAN 1 interface. 13. You can add identification to an interface by using the description command. This is useful for adding information about the connection. Here is an example: config t int f0/1 ip address 2.2.2.1 255.255.0.0 no shut description LAN link to Finance 14. You can add the bandwidth of a serial link as well as the clock rate when simulating a DCE WAN link on a router. Here is an example: config t int s0/0 bandwidth 1000 clock rate 1000000 Hands-on Labs To complete the labs in this section, you need at least one router or switch (three would be best) and at least one PC running as a TFTP server. TFTP server software must be installed and running on the PC. For this lab, it is also assumed that your PC and the Cisco devices are connected together with a switch and that all interfaces (PC NIC and router interfaces) are in the same subnet. You can alternately connect the PC directly to the router or con- nect the routers directly to one another (use a crossover cable in that case). Remember that the labs listed here were created for use with real routers but can easily be used with the LammleSim IOS Version (see www.lammle.com/ccna) or you can use the Cisco Packet Tracer router simulator. Last, although it doesn’t matter if you are using a switch or router in these labs, I’m just going to use my routers, but feel free to use your switch to go through these labs! Here is a list of the labs in this chapter: Lab 7.1: Backing Up the Router Configuration Lab 7.2: Using the Cisco Discovery Protocol (CDP) Lab 7.3: Using Telnet Lab 7.4: Resolving Hostnames Hands-on Lab 7.1: Backing Up the Router Configuration In this lab, you’ll back up the router configuration: 1. Log into your router and go into privileged mode by typing en or enable. 2. Ping the TFTP server to make sure you have IP connectivity. 3. From RouterB, type copy run tftp. 4. When prompted, type the IP address of the TFTP server (for example, 172.16.30.2) and press Enter. 5. By default, the router will prompt you for a filename. The hostname of the router is followed by the suffix -confg (yes, I spelled that correctly). You can use any name you want. Name of configuration file to write [RouterB-confg]? Press Enter to accept the default name. Write file RouterB-confg on host 172.16.30.2? [confirm] Press Enter to confirm. Hands-on Lab 7.2: Using the Cisco Discovery Protocol (CDP) CDP is an important objective for the Cisco exams. Please go through this lab and use CDP as much as possible during your studies. 1. Log into your router and go into privileged mode by typing en or enable. 2. From the router, type sh cdp and press Enter. You should see that CDP packets are being sent out to all active interfaces every 60 seconds and the holdtime is 180 seconds (these are the defaults). 3. Verify that your CDP timer frequency has changed by using the command show cdp in privileged mode. Router#sh cdp Global CDP information: Sending CDP packets every 90 seconds Sending a holdtime value of 180 seconds 4. Now use CDP to gather information about neighbor routers. You can get the list of available commands by typing sh cdp ?. Router#sh cdp ? entry Information for specific neighbor entry interface CDP interface status and configuration neighbors CDP neighbor entries traffic CDP statistics <cr> 5. Type sh cdp int to see the interface information plus the default encapsulation used by the interface. It also shows the CDP timer information. 6. Type sh cdp entry * to see complete CDP information received from all devices. 7. Type show cdp neighbors to gather information about all connected neighbors. (You should know the specific information output by this command.) 8. Type show cdp neighbors detail. Notice that it produces the same output as show cdp entry *. ********** in order to see output for the last few commands you will need to connect more than one router or switch in order to have a neighbor Hands-on Lab 7.3: Using Telnet 1. About Telnet Telnet is an application layer protocol that allows a network administrator to access and manage remote devices . A user on a client machine can use a software (also known as a Telnet client) to access a command-line interface of another, remote machine that is running a Telnet server program. A network administrator can access the device by telnetting  to the IP address or hostname of a remote device. The network administrator will then be presented with a virtual terminal that can interact with the remote host. Now assume you’re the network admin. We’ll begin with: 2. Telnet configuration on a switch 1. Create the network topology below in Packet Tracer. Assign the laptop a static IP address of 10.0.0.10. The topology above consists of an ADMIN laptop and a remote switch. We’ll configure Telnet on the switch so that as the admin,you’ll be able to access and manage the switch remotely. 2. Configure enable password  or enable secret password on the  switch. If you fail to do this,you won’t get past the executive mode of the switch even after you establish a telnet connection to the switch. Switch>enable Switch#config terminal Switch(config)#enable password admin 3.Configure a VLAN interface on the switch We assign an IP address to the VLAN interface of the switch so that we can Telnet the switch from the laptop using this address. Switch(config)#int VLAN 1 Switch(config-if)#ip address 10.0.0.20   255.0.0.0 Switch(config-if)#no shut Switch(config-if)#exit 4.Configure a  Telnet password  for remote access. This password is configured on VTY lines. VTY means Virtual Terminal.  Before you can manage the switch remotely via Telnet, you’ll have to provide this password. Switch(config)#line vty 0 15 Switch(config-line)#password cisco Switch(config-line)#login Telnet access to the switch is allowed through VTY lines. We can establish up to 16 telnet connections to to the switch at the same time. Tha’ts what  ‘0  15‘ means. Next, 5. Test Telnet connectivity. Go to command prompt of the laptop and type telnet  10.0.0.20 Hope you remember that 10.0.0.20 is the VLAN address of the switch through which we can access it remotely. 6. Now provide the Telnet password that you set in step 3. Mine is cisco. Notice that password characters won’t show up(no echo)  on the screen as you type them, but just type, then hit ENTER. After you’re authenticated, you will see the the CLI of the remote switch appear. Now provide the enable password admin (or yours which you set in step 1) to enter the privileged executive mode of the switch. You can then continue to configure your switch the way you desire( but now, remotely) Note that Telnet and enable passwords are different. Enable password authenticates you into privileged executive mode of the terminal device(switch, for example), but you’re using Telnet Password to allow you access the interface of the remote device after connecting to it. You can see that we used telnet  password to access the CLI of the remote switch. Alright! That’s all for Telnet configuration on a switch. Now let’s configure Telnet access to a router. 3. Telnet Configuration on Router For a router, Telnet configuration is almost same as that of the switch. 1. Build the network topology below 2. Configure enable password or enable secret password on the router Router>en Router#config term Router(config)#enable password admin 3. Configure IP addresses on the admin  PC and interface fa0/0 of the router Router Router(config)#int fa0/0 Router(config-if)#ip address 10.0.0.1 255.0.0.0 Router(config-if)#no shut Admin PC IP address 10.0.0.10   Subnet mask  255.0.0.0  Default gateway 10.0.0.1 4. Configure VLAN interface on the router. This interface allows for remote access on a switch or router via protocols such as Telnet or  Secure Shell(SSH) Router(config)#int VLAN 1 Router(config-if)#no shutdown As you can see, we’ve not configured the VLAN interface with an IP address. We could do this but it unnecessary. We already have an interface fa0/0 of the router with an IP address through which we can Telnet the router from the PC. 4. Configure Telnet password on VTY lines and configure remote login. Router(config)# Router(config)#line vty 0 15 Router(config-line)#password cisco Router(config-line)#login 5. We can now telnet the router using the IP address of fa0/0 interface. So, in the command prompt of the admin PC type  telnet  10.0.0.1  then hit enter key. 6. Provide Telnet Password (that you set in step 4), then hit enter. Correct password allows you access the CLI of the router . 7. Now provide the enable password (that you set in step 2) to be allowed into privileged executive mode of the router. You can now do configurations on  the router from the PC remotely. Hands-on Lab 7.4: Resolving Hostnames It’s best to use a DNS server for name resolution, but you can also create a local hosts table to resolve names. Let’s take a look. 1. Log into your router and go into privileged mode by typing en or enable. 2. From RouterA, type todd and press Enter at the command prompt. Notice the error you receive and the delay. The router is trying to resolve the hostname to an IP address by looking for a DNS server. You can turn this feature off by using the no ip domain- lookup command from global configuration mode. 3. To build a host table, you use the ip host command. From RouterA, add a host table entry for RouterB and RouterC by entering the following commands: ip host routerb ip_address ip host routerc ip_address Here is an example: ip host routerb 172.16.20.2 ip host routerc 172.16.40.2 4. Test your host table by typing ping routerb from the privileged mode prompt (not the config prompt). RouterA#ping routerb Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.16.20.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms 5. Test your host table by typing ping routerc. RouterA#ping routerc Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.16.40.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms 6. Telnet to RouterB and keep your session to RouterB open to RouterA by pressing Ctrl+Shift+6, then X. 7. Telnet to RouterC by typing routerc at the command prompt. 8. Return to RouterA and keep the session to RouterC open by pressing Ctrl+Shift+6, then X. 9. View the host table by typing show hosts and pressing Enter. Default domain is not set Name/address lookup uses domain service Name servers are 255.255.255.255 Host Flags Age Type Address(es) routerb (perm, OK) 0 IP 172.16.20.2 routerc (perm, OK) 0 IP 172.16.40.2 Hands-on Labs To complete the labs in this section, you need at least one router (three would be best) and at least one PC running as a TFTP server. TFTP server software must be installed and running on the PC. For these labs, it is also assumed that your PC and the router(s) are connected together with a switch or hub and that all interfaces (PC NIC and router interfaces) are in the same subnet. You can alternately connect the PC directly to the router or connect the routers directly to one another (use a crossover cable in that case). Remember that the labs listed here were created for use with real routers but can easily be used with the LammleSim IOS version (found at www.lammle.com/ccna) or Cisco’s Packet Tracer program. Here is a list of the labs in this chapter: Lab 8.1: Backing Up Your Router IOS Lab 8.2: Upgrading or Restoring Your Router IOS Hands-on Lab 8.1: Backing Up Your Router IOS In this lab, we’ll be backing up the IOS from flash to a TFTP host. 1. Log into your router and go into privileged mode by typing en or enable. 2. Make sure you can connect to the TFTP server that is on your network by pinging the IP address from the router console. 3. Type show flash to see the contents of flash memory. 4. Type show version at the router privileged-mode prompt to get the name of the IOS currently running on the router. If there is only one file in flash memory, the show flash and show version commands show the same file. Remember that the show ver- sion command shows you the file that is currently running and the show flash com- mand shows you all of the files in flash memory. 5. Once you know you have good Ethernet connectivity to the TFTP server and you also know the IOS filename, back up your IOS by typing copy flash tftp. This com- mand tells the router to copy a specified file from flash memory (this is where the IOS is stored by default) to a TFTP server. 6. Enter the IP address of the TFTP server and the source IOS filename. The file is now copied and stored in the TFTP server’s default directory. Hands-on Lab 8.2: Upgrading or Restoring Your Router IOS In this lab, we’ll be copying an IOS from a TFTP host to flash memory. 1. Log into your router and go into privileged mode by typing en or enable. 2. Make sure you can connect to the TFTP server by pinging the IP address of the server from the router console. 3. Once you know you have good Ethernet connectivity to the TFTP server, type the copy tftp flash command. 4. Confirm that the router will not function during the restore or upgrade by following the prompts provided on the router console. It is possible this prompt may not occur. 5. Enter the IP address of the TFTP server. 6. Enter the name of the IOS file you want to restore or upgrade. 7. Confirm that you understand that the contents of flash memory will be erased if there is not enough room in flash to store the new image. 8. Watch in amazement as your IOS is deleted out of flash memory and your new IOS is copied to flash memory. If the file that was in flash memory is deleted but the new version wasn’t copied to flash memory, the router will boot from ROM monitor mode. You’ll need to figure out why the copy operation did not take place. Hands-on Labs In the following hands-on labs, you will configure a network with three routers. These exercises assume all the same setup requirements as the labs found in earlier chapters. You can use real routers, the LammleSim IOS version found at www.lammle.com/ccna, or the Cisco Packet Tracer program to run these labs. This chapter includes the following labs: Lab 9.1: Creating Static Routes Lab 9.2: Configuring RIP Routing The internetwork shown in the following graphic will be used to configure all routers. S0/0 DCE S0/0 Lab A Lab B Fa0/0 S0/1 S0/0 DCE Lab C Fa0/0 Table 9.2 shows our IP addresses for each router (each interface uses a /24 mask). Ta b l e 9 . 2 Our IP addresses Router Interface IP Address Lab_A Fa0/0 172.16.10.1 Lab_A S0/0 172.16.20.1 Lab_B S0/0 172.16.20.2 Lab_B S0/1 172.16.30.1 Lab_C S0/0 172.16.30.2 Lab_C Fa0/0 172.16.40.1 These labs were written without using the LAN interface on the Lab_B router. You can choose to add that LAN into the labs if necessary. Also, if you have enough LAN interfaces, then you don’t need to add the serial interfaces into this lab. Using all LAN interfaces is fine. Hands-on Lab 9.1: Creating Static Routes In this lab, you will create a static route in all three routers so that the routers see all net- works. Verify with the Ping program when complete. 1. The Lab_A router is connected to two networks, 172.16.10.0 and 172.16.20.0. You need to add routes to networks 172.16.30.0 and 172.16.40.0. Use the following com- mands to add the static routes: Lab_A#config t Lab_A(config)#ip route 172.16.30.0 255.255.255.0 172.16.20.2 Lab_A(config)#ip route 172.16.40.0 255.255.255.0 172.16.20.2 2. Save the current configuration for the Lab_A router by going to privileged mode, typ- ing copy run start, and pressing Enter. 3. On the Lab_B router, you have direct connections to networks 172.16.20.0 and 172.16.30.0. You need to add routes to networks 172.16.10.0 and 172.16.40.0. Use the following commands to add the static routes: Lab_B#config t Lab_B(config)#ip route 172.16.10.0 255.255.255.0 172.16.20.1 Lab_B(config)#ip route 172.16.40.0 255.255.255.0 172.16.30.2 4. Save the current configuration for router Lab_B by going to the enabled mode, typing copy run start, and pressing Enter. 5. On router Lab_C, create a static route to networks 172.16.10.0 and 172.16.20.0, which are not directly connected. Create static routes so that router Lab_C can see all networks, using the commands shown here: Lab_C#config t Lab_C(config)#ip route 172.16.10.0 255.255.255.0 172.16.30.1 Lab_C(config)#ip route 172.16.20.0 255.255.255.0 172.16.30.1 6. Save the current configuration for router Lab_C by going to the enable mode, typing copy run start, and pressing Enter. 7. Check your routing tables to make sure all four networks show up by executing the show ip route command. 8. Now ping from each router to your hosts and from each router to each router. If it is set up correctly, it will work. Hands-on Lab 9.2: Configuring RIP Routing In this lab, we will use the dynamic routing protocol RIP instead of static routing. 1. Remove any static routes or default routes configured on your routers by using the no ip route command. For example, here is how you would remove the static routes on the Lab_A router: Lab_A#config t Lab_A(config)#no ip route 172.16.30.0 255.255.255.0 172.16.20.2 Lab_A(config)#no ip route 172.16.40.0 255.255.255.0 172.16.20.2 Do the same thing for routers Lab_B and Lab_C. Verify that only your directly con- nected networks are in the routing tables. 2. After your static and default routes are clear, go into configuration mode on router Lab_A by typing config t. 3. Tell your router to use RIP routing by typing router rip and pressing Enter, as shown here: config t router rip 4. Add the network number for the networks you want to advertise. Since router Lab_A has two interfaces that are in two different networks, you must enter a network state- ment using the network ID of the network in which each interface resides. Alternately, you could use a summarization of these networks and use a single statement, mini- mizing the size of the routing table. Since the two networks are 172.16.10.0/24 and 172.16.20.0/24, the network summarization 172.16.0.0 would include both subnets. Do this by typing network 172.16.0.0 and pressing Enter. 5. Press Ctrl+Z to get out of configuration mode. 6. The interfaces on Lab_B and Lab_C are in the 172.16.20.0/24 and 172.16.30.0/24 networks; therefore, the same summarized network statement will work there as well. Type the same commands, as shown here: Config t Router rip network 172.16.0.0 7. Verify that RIP is running at each router by typing the following commands at each router: show ip protocols (Should indicate to you that RIP is present on the router.) show ip route (Should have routes present with an R to the left of them.) show running-config or show run (Should indicate that RIP is present and the networks are being advertised.) 8. Save your configurations by typing copy run start or copy running-config startup-config and pressing Enter at each router. 9. Verify the network by pinging all remote networks and hosts. VOLUME 2 LABS Hands-on Labs In this section, you will use the following network and add OSPF routing. S0/0 DCE S0/0 S0/1 S0/0 DCE Lab A Lab B Lab C Fa0/0 Fa0/0 The first lab (Lab 6.1) requires you to configure three routers for OSPF and then view the configuration. Note that the labs in this chapter were written to be used with real equipment—but they can be used with any router simulator. You can replace the WAN links with Ethernet links if you want to. The labs in this chapter are as follows: Lab 6.1: Enabling the OSPF Process Lab 6.2: Configuring OSPF Interfaces Lab 6.3: Verifying OSPF Operation ***Table 6.3 shows our IP addresses for each router (each interface uses a /24 mask). Ta b l e 6 . 3 Our IP addresses Router Interface IP address Lab_A Fa0/0 172.16.10.1 Lab_A S0/0 172.16.20.1 Lab_B S0/0 172.16.20.2 Lab_B S0/1 172.16.30.1 Lab_C S0/0 172.16.30.2 Lab_C Fa0/0 172.16.40.1 Hands-on Lab 6.1: Enabling the OSPF Process This is the first mandatory step in OSPF configuration. 1. Enable OSPF process 100 on Lab_A: Lab_A#conf t Enter configuration commands, one per line. End with CNTL/Z. Lab_A (config)#router ospf 100 Lab_A (config-router)#^Z 2. Enable OSPF process 101 on Lab_B: Lab_B#conf t Enter configuration commands, one per line. End with CNTL/Z. Lab_B (config)#router ospf 101 Lab_B (config-router)#^Z 3. Enable OSPF process 102 on Lab_C: Lab_C#conf t Enter configuration commands, one per line. End with CNTL/Z. Lab_C (config)#router ospf 102 Lab_C (config-router)#^Z Hands-on Lab 6.2: Configuring OSPF Interfaces The second mandatory step in OSPF is adding your network statements. 1. Configure the LAN and the network between Lab_A and Lab_B. Assign it to area 0. Lab_A#conf t Enter configuration commands, one per line. End with CNTL/Z. Lab_A (config)#router ospf 100 Lab_A (config-router)#network 172.16.10.1 0.0.0.0 area 0 Lab_A (config-router)#network 172.16.20.1 0.0.0.0 area 0 Lab_A (config-router)#^Z Lab_A # 2. Configure the networks on the Lab_B router. Assign them to area 0. Lab_B#conf t Enter configuration commands, one per line. End with CNTL/Z. Lab_B(config)#router ospf 101 Lab_B(config-router)#network 172.16.20.2 0.0.0.0 area 0 Lab_B(config-router)#network 172.16.30.1 0.0.0.0 area 0 Lab_B(config-router)#^Z Lab_B # 3. Configure the networks on the Lab_C router. Assign them to area 0. Lab_C#conf t Enter configuration commands, one per line. End with CNTL/Z. Lab_C(config)#router ospf 102 Lab_C(config-router)#network 172.16.30.2 0.0.0.0 area 0 Lab_C(config-router)#network 172.16.40.1 0.0.0.0 area 0 Lab_C(config-router)#^Z Lab_C# Hands-on Lab 6.3: Verifying OSPF Operation You need to be able to verify what you configure. 1. Execute a show ip ospf neighbors command from the Lab_A router and view the results. Lab_A#sho ip ospf neighbors 2. Execute a show ip route command to verify that all other routers are learning all routes. Lab_A#sho ip route 3. Execute a show ip protocols command to verify OSPF information. Lab_A#sho ip protocols 4. Execute a show ip OSPF command to verify your RID. Lab_A#sho ip ospf 5. Execute a show ip ospf interface f0/0 command to verify your timers. Lab_A#sho ip ospf int f0/0 Hands-on Labs In this section, you will use the following network and add OSPF and OSPFv3 routing. ( 192.168.1.1 10.1.1.0/24 s0/0 g0/0 RouterA s0/0 R o A u r t e e a r B 1 g0/0 10.2.2.0/24 192.168.1.2 Area 1 Area 0 ) The first lab requires you to configure two routers with OSPF and then verify the configuration. In the second, you will be asked to enable OSPFv3 routing on the same network. Note that the labs in this chapter were written to be used with real equipment—real cheap equipment, that is. As with the chapter on EIGRP, I wrote these labs with the cheapest, oldest routers I had lying around so you can see that you don’t need expensive gear to get through some of the hardest labs in this book. However, you can use the free LammleSim IOS version simu- lator or Cisco’s Packet Tracer to run through these labs. The labs in this chapter are as follows: Lab 6.4: Configuring and Verifying Multi-Area OSPF Lab 6.5: Configuring and Verifying OSPFv3 Hands-on Lab 6.4: Configuring and Verifying OSPF Multi-Area In this lab, you’ll configure and verify multi-area OSPF: 1. Implement OSPFv2 on RouterA based on the information in the diagram. RouterA#conf t RouterA(config)#router ospf 10 RouterA(config-router)#network 10.0.0.0 0.255.255.255 area 0 RouterA(config-router)#network 192.168.1.0 0.0.0.255 area 0 2. Implement OSPF on RouterB based on the diagram. RouterB#conf t RouterB(config)#router ospf 1 RouterB(config-router)#network 192.168.1.2 0.0.0.0 area 0 RouterB(config-router)#network 10.2.2.0 0.0.0.255 area 1 3. Display all the LSAs received on RouterA. RouterA#sh ip ospf database OSPF Router with ID (192.168.1.1) (Process ID 10) Router Link States (Area 0) Link ID ADV Router Age Seq# Checksum Link count 10.1.1.2 10.1.1.2 380 0x80000035 0x0012AB 1 192.168.1.1 192.168.1.1 13 0x8000000A 0x00729F 3 192.168.1.2 192.168.1.2 10 0x80000002 0x0090F9 2 Net Link States (Area 0) Link ID ADV Router Age Seq# Checksum 10.1.1.2 10.1.1.2 381 0x80000001 0x003371 Summary Net Link States (Area 0) Link ID ADV Router Age Seq# Checksum 10.2.2.0 192.168.1.2 8 0x80000001 0x00C3FD 4. Display the routing table for RouterA. RouterA#sh ip route Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia -IS-IS inter area,* - candidate default,U - per-user static route o - ODR, P - periodic downloaded static route Gateway of last resort is not set 10.0.0.0/24 is subnetted, 2 subnets O IA 10.2.2.0 [110/101] via 192.168.1.2, 00:00:29, Serial0/0 C 10.1.1.0 is directly connected, FastEthernet0/0 192.168.1.0/30 is subnetted, 1 subnets C 192.168.1.0 is directly connected, Serial0/0 5. Display the neighbor table for RouterA. RouterA#sh ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 192.168.1.2 0 FULL/ - 00:00:35 192.168.1.2 Serial0/0 10.1.1.2 1 FULL/DR 00:00:34 10.1.1.2 FastEthernet0/0 6. Use the show ip ospf command on RouterB to see that it is an ABR. RouterB#sh ip ospf Routing Process ospf 1 with ID 192.168.1.2 Start time: 1w4d, Time elapsed: 00:07:04.100 Supports only single TOS(TOS0) routes Supports opaque LSA Supports Link-local Signaling (LLS) Supports area transit capability It is an area border router Router is not originating router-LSAs with maximum metric Initial SPF schedule delay 5000 msecs Minimum hold time between two consecutive SPFs 10000 msecs Maximum wait time between two consecutive SPFs 10000 msecs Incremental-SPF disabled Minimum LSA interval 5 secs Minimum LSA arrival 1000 msecs LSA group pacing timer 240 secs Interface flood pacing timer 33 msecs Retransmission pacing timer 66 msecs Number of external LSA 0. Checksum Sum 0x000000 Number of opaque AS LSA 0. Checksum Sum 0x000000 Number of DCbitless external and opaque AS LSA 0 Number of DoNotAge external and opaque AS LSA 0 Number of areas in this router is 2. 2 normal 0 stub 0 nssa Number of areas transit capable is 0 External flood list length 0 Area BACKBONE(0) Number of interfaces in this area is 1 Area has no authentication SPF algorithm last executed 00:06:44.492 ago SPF algorithm executed 3 times Area ranges are Number of LSA 5. Checksum Sum 0x020DB1 Number of opaque link LSA 0. Checksum Sum 0x000000 Number of DCbitless LSA 0 Number of indication LSA 0 Number of DoNotAge LSA 0 Flood list length 0 Area 1 Number of interfaces in this area is 1 Area has no authentication SPF algorithm last executed 00:06:45.640 ago SPF algorithm executed 2 times Area ranges are Number of LSA 3. Checksum Sum 0x00F204 Number of opaque link LSA 0. Checksum Sum 0x000000 Number of DCbitless LSA 0 Number of indication LSA 0 Number of DoNotAge LSA 0 Flood list length 0 Hands-on Lab 6.5: Configuring and Verifying OSPFv3 In this lab, you will configure and verify OSPFv3: 1. Implement OSPFv3 on RouterA. Since the routers have IPv4 addresses, we don’t need to set the RID of the router. RouterA#config t *****Router(config)#ipv6 unicast-routing RouterA(config)#int g0/0 *****RouterA(config-if)#ipv6 enable RouterA(config-if)#ipv6 ospf 1 area 0 RouterA(config-if)#int s0/0 *****RouterA(config-if)#ipv6 enable RouterA(config-if)#ipv6 ospf 1 area 0 That’s all there is to it! Nice. 2. Implement OSPFv3 on RouterB. RouterB#config t *****Router(config)#ipv6 unicast-routing RouterB(config)#int s0/0/0 *****RouterB(config-if)#ipv6 enable RouterB(config-if)#ipv6 ospf 1 area 0 RouterB(config-if)#int f0/0 *****RouterB(config-if)#ipv6 enable RouterB(config-if)#ipv6 ospf 1 area 1 Again, that’s all there is to it! 3. Display the routing table for RouterA. RouterA#sh ipv6 route ospf IPv6 Routing Table - 11 entries Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP U - Per-user Static route I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2 ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2 D - EIGRP, EX - EIGRP external OI 2001:DB8:3C4D:15::/64 [110/65] via FE80::21A:2FFF:FEE7:4398, Serial0/0 Notice that the one route OSPFv3 found is an inter-area route, meaning the network is in another area. 4. Display the neighbor table for RouterA. RouterA#sh ipv6 ospf neighbor Neighbor ID Pri State Dead Time Interface ID Interface 192.168.1.2 1 FULL/ - 00:00:32 6 Serial0/0 5. Display the show ipv6 ospf command on RouterB. RouterB#sh ipv6 ospf Routing Process ospfv3 1 with ID 192.168.1.2 It is an area border router SPF schedule delay 5 secs, Hold time between two SPFs 10 secs Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs LSA group pacing timer 240 secs Interface flood pacing timer 33 msecs Retransmission pacing timer 66 msecs Number of external LSA 0. Checksum Sum 0x000000 Number of areas in this router is 2. 2 normal 0 stub 0 nssa Reference bandwidth unit is 100 mbps Area BACKBONE(0) Number of interfaces in this area is 1 SPF algorithm executed 3 times Number of LSA 7. Checksum Sum 0x041C1B Number of DCbitless LSA 0 Number of indication LSA 0 Number of DoNotAge LSA 0 Flood list length 0 Area 1 Number of interfaces in this area is 1 SPF algorithm executed 2 times Number of LSA 5. Checksum Sum 0x02C608 Number of DCbitless LSA 0 Number of indication LSA 0 Number of DoNotAge LSA 0 Flood list length 0 ****** In order to have ipv6 info show up on the routers you have to set ipv6 address on the interfaces Run the following on each interface following the address scheme in the diagram. For example RouterB(config-if)#int s0/0/0 RouterB(config-if)#ipv6 address 2001:db8:3c4d:3::/64 RouterB(config-if)#int g0/0 RouterB(config-if)#ipv6 address 2001:db8:3c4d:4::/64 ****you may also have to restart the network. Remember to save your running config and pkt before you restart Hands-on Labs In this section, you will use the following switched network to configure your switching labs. You can use any Cisco switches to do this lab, as well as LammleSim IOS version simulator found at www.lammle.com/ccna. They do not need to be multilayer switches, just layer 2 switches. ***Instructor Note*** But you should use a multilayer for S1 like 3560 because of Lab 8.4 or you can export and load your startup-config from layer2 switch to multi as well. ( F0/0 192.168.10.17/28 F0/15 F0/16 F0/8 F0/17 F0/18 F0/1 F0/1 F0/2 F0/2 192.168.10.19/28 F0/3 S3 F0/5 F0/6 F0/5 F0/6 192.168.10.18/28 F0/4 F0/3 F0/4 S1 S2 ) The first lab (Lab 7.1) requires you to configure three switches, and then you will verify them in Lab 7.2. The labs in this chapter are as follows: Hands-on Lab 7.1: Configuring Layer 2 Switches Hands-on Lab 7.2: Verifying Layer 2 Switches Hands-on Lab 7.3: Configuring Port Security Lab 7.1: Configuring Layer 2 Switches In this lab, you will configure the three switches in the graphic: 1. Connect to the S1 switch and configure the following, not in any particular order: · Hostname · Banner · Interface description · Passwords · IP address, subnet mask, default gateway Switch>en Switch#config t Switch(config)#hostname S1 S1(config)#enable secret todd S1(config)#int f0/15 S1(config-if)#description 1st connection to S3 S1(config-if)#int f0/16 S1(config-if)#description 2nd connection to S3 S1(config-if)#int f0/17 S1(config-if)#description 1st connection to S2 S1(config-if)#int f0/18 S1(config-if)#description 2nd connection to S2 S1(config-if)#int f0/8 S1(config-if)#desc Connection to IVR S1(config-if)#line con 0 S1(config-line)#password console S1(config-line)#login S1(config-line)#line vty 0 15 S1(config-line)#password telnet S1(config-line)#login S1(config-line)#int vlan 1 S1(config-if)#ip address 192.168.10.17 255.255.255.240 S1(config-if)#no shut S1(config-if)#exit S1(config)#banner motd #this is my S1 switch# S1(config)#exit S1#copy run start Destination filename [startup-config]? [enter] Building configuration... ****On switch 2 Switch#config t Switch(config)#hostname S2 S2(config)#enable secret todd S2(config)#int f0/1 S2(config-if)#desc 1st connection to S1 S2(config-if)#int f0/2 S2(config-if)#desc 2nd connection to s2 S2(config-if)#int f0/5 S2(config-if)#desc 1st connection to S3 S2(config-if)#int f0/6 S2(config-if)#desc 2nd connection to s3 S2(config-if)#line con 0 S2(config-line)#password console S2(config-line)#login S2(config-line)#line vty 0 15 S2(config-line)#password telnet S2(config-line)#login S2(config-line)#int vlan 1 S2(config-if)#ip address 192.168.10.18 255.255.255.240 S2(config)#exit S2#copy run start Destination filename [startup-config]?[enter] Building configuration... [OK] S2# *****On Switch 3 Switch>en Switch#config t SW-3(config)#hostname S3 S3(config)#enable secret todd S3(config)#int f0/1 S3(config-if)#desc 1st connection to S1 S3(config-if)#int f0/2 S3(config-if)#desc 2nd connection to S1 S3(config-if)#int f0/5 S3(config-if)#desc 1st connection to S2 S3(config-if)#int f0/6 S3(config-if)#desc 2nd connection to S2 S3(config-if)#line con 0 S3(config-line)#password console S3(config-line)#login S3(config-line)#line vty 0 15 S3(config-line)#password telnet S3(config-line)#login S3(config-line)#int vlan 1 S3(config-if)#ip address 192.168.10.19 255.255.255.240 S3(config-if)#no shut S3(config-if)#banner motd #This is the S3 switch# S3(config)#exit S3#copy run start Destination filename [startup-config]?[enter] Building configuration... [OK] Lab 7.2: Verifying Layer 2 Switches Once you configure a device, you must be able to verify it. 1. Connect to each switch and verify the management interface. S1#sh interface vlan 1 2. Connect to each switch and verify the CAM. S1#sh mac address-table 3. Verify your configurations with the following commands: S1#sh running-config S1#sh ip int brief Lab 7.3: Configuring Port Security Port security is a big Cisco objective. Do not skip this lab! 1. Connect to your S3 switch. 2. Configure port Fa0/3 with port security. S3#config t S(config)#int fa0/3 S3(config-if#Switchport mode access S3(config-if#switchport port-security 3. Check your default setting for port security. S3#show port-security int f0/3 4. Change the settings to have a maximum of two MAC addresses that can associate to interface Fa0/3. S3#config t S(config)#int fa0/3 S3(config-if#switchport port-security maximum 2 5. Change the violation mode to restrict. S3#config t S(config)#int fa0/3 S3(config-if#switchport port-security violation restrict 6. Verify your configuration with the following commands: S3#show port-security S3#show port-security int fa0/3 S3#show running-config Hands-on Labs In these labs, you will use three switches and a router. To perform the last lab, you’ll need a layer 3 switch. ***If you used a layer 2 switch in previous lab then you can export your startup config and load it in the multilayer 3560 you swap out for S1**** Lab 8.1: Configuring and Verifying VLANs Lab 8.2: Configuring and Verifying Trunk Links Lab 8.3: Configuring Router on a Stick Routing Lab 8.4: Configuring IVR with a Layer 3 Switch In these labs, I’ll use the following layout: ( F0/0 192.168.10.17/28 F0/15 F0/16 F0/8 F0/17 F0/18 F0/1 F0/1 F0/2 F0/3 F0/4 F0/5 F0/6 F0/5 F0/6 F0/2 192.168.10.18/28 F0/3 F0/4 S3 192.168.10.19/28 S1 S2 ) Hands-on Lab 8.1: Configuring and Verifying VLANs This lab will have you configure VLANs from global configuration mode and then verify the VLANs. 1. Configure two VLANs on each switch, VLAN 10 and VLAN 20. S1(config)#vlan 10 S1(config-vlan)#vlan 20 S2(config)#vlan 10 S2(config-vlan)#vlan 20 S3(config)#vlan 10 S3(config-vlan)#vlan 20 2. Use the show vlan and show vlan brief commands to verify your VLANs. Notice that all interfaces are in VLAN 1 by default. S1#sh vlan S1#sh vlan brief Hands-on Lab 8.2: Configuring and Verifying Trunk Links This lab will have you configure trunk links and then verify them. 1. Connect to each switch and configure trunking on all switch links. If you are using a switch that supports both 802.1q and ISL frame tagging, then use the encapsulation command; if not, then skip that command. ***Instructor note, switches like the 2960 won’t let you run encapsulation dot1q because they use it by default and you can’t change it to ISL. Just skip those commands if you cannot run them but run the others like int fa0/15 then switchport mode trunk. S1#config t S1(config)#interface fa0/15 S1(config-if)#switchport trunk encapsulation ? dot1q Interface uses only 802.1q trunking encapsulation when trunking isl Interface uses only ISL trunking encapsulation when trunking negotiate Device will negotiate trunking encapsulation with peer on interface Again, if you typed the previous and received an error, then your switch does not sup- port both encapsulation methods: S1 (config-if)#switchport trunk encapsulation dot1q S1 (config-if)#switchport mode trunk S1 (config-if)#interface fa0/16 S1 (config-if)#switchport trunk encapsulation dot1q S1 (config-if)#switchport mode trunk S1 (config-if)#interface fa0/17 S1 (config-if)#switchport trunk encapsulation dot1q S1 (config-if)#switchport mode trunk S1 (config-f)#interface fa0/18 S1 (config-if)#switchport trunk encapsulation dot1q S1 (config-if)#switchport mode trunk 2. Configure the trunk links on your other switches. 3. On each switch, verify your trunk ports with the show interface trunk command: S1#show interface trunk 4. Verify the switchport configuration with the following: S1#show interface interface switchport The second interface in the command is a variable, such as Fa0/15. Hands-on Lab 8.3: Configuring Router on a Stick Routing In this lab, you’ll use the router connected to port F0/8 of switch S1 to configure ROAS. 1. Configure the F0/0 of the router with two subinterfaces to provide inter-VLAN rout- ing using 802.1q encapsulation. Use 172.16.10.0/24 for your management VLAN 1, 10.10.10.0/24 for VLAN 10, and 20.20.20.0/24 for VLAN 20. Router#config t Router (config)#int f0/0 Router (config-if)#ip address 172.16.10.1 255.255.255.0 Router (config-if)#interface f0/0.10 Router (config-subif)#encapsulation dot1q 10 Router (config-subif)#ip address 10.10.10.1 255.255.255.0 Router (config-subif)#interface f0/0.20 Router (config-subif)#encapsulation dot1q 20 Router (config-subif)#ip address 20.20.20.1 255.255.255.0 2. Verify the configuration with the show running-config command. 3. Configure trunking on interface F0/8 of the S1 switch connecting to your router. ***int f0/8 then switchport trunk encapsulation dot1q then switchport mode trunk 4. Verify that your VLANs are still configured on your switches with the sh vlan command. 5. Configure your hosts to be in VLAN 10 and VLAN 20 with the switchport access vlan x command. *****switchport mode access**** first 6. *****Instructors note, you have to set static ip’s in the proper range on your PC’s to put them in the proper vlan they are connected to 10.10.10.1/24 for vlan 10, 20.20.20.1/24 for vlan 20 and then you will be able to ping all gateways and other pc’s connected to a different switch even in different vlans. If you set a static ip for a different VLAN than the port it is connected to the pings should fail. Remember to think about if you need Ip’s from the range for interfaces or not. 7. Ping from your PC to the router’s subinterface configured for your VLAN. 8. Ping from your PC to your PC in the other VLAN. You are now routing through the router! Hands-on Lab 8.4: Configuring IVR with a Layer 3 Switch In this lab, you will disable the router and use the S1 switch to provide inter-VLAN routing by creating SVI’s. *****Instructor note, if you didn’t use a multilayer switch, export S1’s startup-config, swap S1 out for a multilayer like 3560 and load the startup config 1. Connect to the S1 switch and make interface F0/8 an access port, which will make the router stop providing inter-VLAN routing. *** Switch(config)#int f0/8 then switchport mode access 2. Enable IP routing on the S1 switch. S1(config)#ip routing 3. Create two new interfaces on the S1 switch to provide IVR. S1(config)#interface vlan 10 S1(config-if)#ip address 10.10.10.1 255.255.255.0 S1(config-if)#interface vlan 20 S1(config-if)#ip address 20.20.20.1 255.255.255.0 4. Clear the ARP cache on all switches and hosts. S1#clear arp *****make sure you set all of each switches ports to the appropriate mode**** 5. Ping from your PC to the router’s subinterface configured for your VLAN. 6. Ping from your PC to your PC in the other VLAN. You are now routing through the S1 switch! Hands-on Labs In this section, you will configure and verify STP, as well as configure PortFast and BPDU Guard, and finally, bundle links together with EtherChannel. Note that the labs in this chapter were written to be used with real equipment using 2960 switches. However, you can use the free LammleSim IOS version simulator or Cisco’s Packet Tracer to run through these labs. The labs in this chapter are as follows: Lab 9.1: Verifying STP and Finding Your Root Bridge Lab 9.2: Configuring and Verifying Your Root Bridge Lab 9.3: Configuring PortFast and BPDU Guard ( 100 Mbps 100 Mbps S3 Fa0/2 1 Gb/s S2 Fa0/2 S1 )Lab 9.4: Configuring and Verifying EtherChannel We’ll use the following illustration for all four labs: Hands-on Lab 9.1: Verifying STP and Finding Your Root Bridge This lab will assume that you have added VLANs 2 and 3 to each of your switches and all of your links are trunked. ******To do that S1(config)#vlan 2 S1(config-vlan)#vlan 3 S2(config)#vlan 2 S2(config-vlan)#vlan 3 S3(config)#vlan 2 S3(config-vlan)#vlan 3 ****do this on every interface on every switch S1#config t S1(config)#interface fa0/15 S1 (config-if)#switchport trunk encapsulation dot1q (may not be needed if error) S1 (config-if)#switchport mode trunk 1. From one of your switches, use the show spanning-tree vlan 2 command. Verify the output. S3#sh spanning-tree vlan 2 VLAN0002 Spanning tree enabled protocol ieee Root ID Priority 32770 Address 0001.C9A5.8748 Cost 19 Port 1(FastEthernet0/1) Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 32770 (priority 32768 sys-id-ext 2) Address 0004.9A04.ED97 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 20 Interface Role Sts Cost Prio.Nbr Type ---------------- ---- --- --------- -------- -------------------------------- Fa0/1 Root FWD 19 128.1 P2p Fa0/2 Desg FWD 19 128.2 P2p Gi1/1 Altn BLK 4 128.25 P2p Gi1/2 Altn BLK 4 128.26 P2p Notice that S3 is not the root bridge, so to find your root bridge, just follow the root port and see what bridge is connected to that port. Port Fa0/1 is the root port with a cost of 19, which means the switch that is off the Fa0/1 port is the root port connecting to the root bridge because it is a cost of 19, meaning one Fast Ethernet link away. 2. Find the bridge that is off of Fa0/1, which will be our root. S3#sh cdp neighbors Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone Device ID Local Intrfce Holdtme Capability Platform Port ID S1 Fas 0/1 158 S 2960 Fas 0/1 S2 Gig 1/1 151 S 2960 Gig 1/1 S2 Gig 1/2 151 S 2960 Gig 1/2 S3# Notice that S1 is connected to the local interface Fa0/1, so let’s go to S1 and verify our root bridge. 3. Verify the root bridge for each of the three VLANs. From S1, use the show spanning- tree summary command. S1#sh spanning-tree summary Switch is in pvst mode Root bridge for: default VLAN0002 VLAN0003 Extended system ID is enabled Portfast Default is disabled PortFast BPDU Guard Default is disabled Portfast BPDU Filter Default is disabled Loopguard Default is disabled EtherChannel misconfig guard is disabled UplinkFast is disabled BackboneFast is disabled Configured Pathcost method used is short Name Blocking Listening Learning Forwarding STP Active ---------------------- -------- --------- -------- ---------- ---------- VLAN0001 0 0 0 2 2 VLAN0002 0 0 0 2 2 VLAN0003 0 0 0 2 2 ---------------------- -------- --------- -------- ---------- ---------- 3 vlans 0 0 0 6 6 S1# Notice that S1 is the root bridge for all three VLANs. 4. Make note of all your root bridges, for all three VLANs, if you have more than one root bridge. Hands-on Lab 9.2: Configuring and Verifying Your Root Bridge This lab will assume you have performed Lab 1 and now know who your root bridge is for each VLAN. 1. Go to one of your non-root bridges and verify the bridge ID with the show spanning- tree vlan command. S3#sh spanning-tree vlan 1 VLAN0001 Spanning tree enabled protocol ieee Root ID Priority 32769 Address 0001.C9A5.8748 Cost 19 Port 1(FastEthernet0/1) Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 32769 (priority 32768 sys-id-ext 1) Address 0004.9A04.ED97 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 20 Interface Role Sts Cost Prio.Nbr Type ---------------- ---- --- --------- -------- -------------------------------- Fa0/1 Root FWD 19 128.1 P2p Fa0/2 Desg FWD 19 128.2 P2p Gi1/1 Altn BLK 4 128.25 P2p Gi1/2 Altn BLK 4 128.26 P2p Notice that this bridge is not the root bridge for VLAN 1 and the root port is Fa0/1 with a cost of 19, which means the root bridge is directly connected one Fast Ethernet link away. 2. Make one of your non-root bridges the root bridge for VLAN 1. Use priority 16,384, which is lower than the 32,768 of the current root. S3(config)#spanning-tree vlan 1 priority ? <0-61440> bridge priority in increments of 4096 S3(config)#spanning-tree vlan 1 priority 16384 3. Verify the root bridge for VLAN 1. S3#sh spanning-tree vlan 1 VLAN0001 Spanning tree enabled protocol ieee Root ID Priority 16385 Address 0004.9A04.ED97 This bridge is the root Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 16385 (priority 16384 sys-id-ext 1) Address 0004.9A04.ED97 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 20 Interface Role Sts Cost Prio.Nbr Type ---------------- ---- --- --------- -------- -------------------------------- Fa0/1 Desg FWD 19 128.1 P2p Fa0/2 Desg FWD 19 128.2 P2p Gi1/1 Desg FWD 4 128.25 P2p Gi1/2 Desg FWD 4 128.26 P2p Notice that this bridge is indeed the root and all ports are in Desg FWD mode. Hands-on Lab 9.3: Configuring PortFast and BPDU Guard This lab will have you configure ports on switches S3 and S2 to allow the PC and server to automatically go into forward mode when they connect into the port. 1. Connect to your switch that has a host connected and enable PortFast for the interface. S3#config t S3(config)#int fa0/2 S3(config-if)#spanning-tree portfast \%Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc... to this interface when portfast is enabled, can cause temporary bridging loops. Use with CAUTION \%Portfast has been configured on FastEthernet0/2 but will only have effect when the interface is in a non-trunking mode. 2. Verify that the switch port will be shut down if another switch Ethernet cable plugs into this port. S3(config-if)#spanning-tree bpduguard enable 3. Verify your configuration with the show running-config command. ! interface FastEthernet0/2 switchport mode trunk spanning-tree portfast spanning-tree bpduguard enable ! Hands-on Lab 9.4: Configuring and Verifying EtherChannel This lab will have you configure the Cisco EtherChannel PAgP version on the switches used in this lab. Because I have preconfigured the switches, I have set up the trunks on all inter- switch ports. We’ll use the Gigabit Ethernet ports between switches S3 and S2. 1. Configure the S3 switch with EtherChannel by creating a port channel interface. S3#config t S3(config)#inter port-channel 1 2. Configure the ports to be in the bundle with the channel-group command. S3(config-if)#int range g1/1 – 2 ***(if not a range then g7/1 - g6/1 S3(config-if-range)#channel-group 1 mode ? active Enable LACP unconditionally auto Enable PAgP only if a PAgP device is detected desirable Enable PAgP unconditionally on Enable Etherchannel only passive Enable LACP only if a LACP device is detected S3(config-if-range)#channel-group 1 mode desirable I chose the PAgP desirable mode for the S3 switch. 3. Configure the S2 switch with EtherChannel, using the same parameters as S3. S2#config t S2(config)#interface port-channel 1 S2(config-if)#int rang g1/1 – 2 ***(if not a range then g7/1, g6/1 S2(config-if-range)#channel-group 1 mode desirable \%LINK-5-CHANGED: Interface Port-channel 1, changed state to up \%LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel 1, changed state to up Pretty simple, really. Just a couple of commands. 4. Verify with the show etherchannel port-channel command. S3#sh etherchannel port-channel Channel-group listing: ---------------------- Group: 1 ---------- Port-channels in the group: --------------------------- Port-channel: Po1 ------------ Age of the Port-channel = 00d:00h:06m:43s Logical slot/port = 2/1 Number of ports = 2 GC = 0x00000000 HotStandBy port = null Port state = Port-channel Protocol = PAGP Port Security = Disabled Ports in the Port-channel: Index Load Port EC state No of bits ------+------+------+------------------+----------- 0 00 Gig1/1 Desirable-Sl 0 0 00 Gig1/2 Desirable-Sl 0 Time since last port bundled: 00d:00h:01m:30s Gig1/2 5. Verify with the show etherchannel summary command. S3#sh etherchannel summary Flags: D - down P - in port-channel I - stand-alone s - suspended H - Hot-standby (LACP only) R - Layer3 S - Layer2 U - in use f - failed to allocate aggregator u - unsuitable for bundling w - waiting to be aggregated d - default port Number of channel-groups in use: 1 Number of aggregators: 1 Group Port-channel Protocol Ports ------+-------------+-----------+---------------------------------- 1 Po1(SU) PAgP Gig1/1(P) Gig1/2(P) S3# Hands-on Labs In this section, you will complete two labs. To complete these labs, you will need at least three routers. You can easily perform these labs with the Cisco Packet Tracer program. If you are studying to take your Cisco exam, you really need to do these labs! Lab 10.1: Standard IP Access Lists Lab 10.2: Extended IP Access Lists All of the labs will use the following diagram for configuring the routers. 192.168.10.2 192.168.20.2 SF Fa0/0: 192.168.10.1/24 S0/0/0: 172.16.10.2/30 Fa0/0 Fa0/0 LA Fa0/0: 192.168.20.1/24 S0/0/0: 172.16.10.6/30 ( S0/0/0 )SF LA S0/0/1 S0/0 S0/1 Corp Fa0/0 ************Quickly configure eigrp on each router to automatically learn all of the routes Corp#config t Router(config)#router eigrp 10 Router(config-router)#network 10.0.0.0 0.255.255.255 Router(config-router)#network 172.16.0.0 0.0.255.255 Router(config-router)#network 192.168.0.0 0.0.255.255 *******run the exact same commands on SF and LA routers****** Corp Serial 0/0: 172.16.10.1/30 Serial 0/1: 172.16.10.5/30 Fa0/0: 10.10.10.1/24 Hands-on Lab 10.1: Standard IP Access Lists In this lab, you will allow only packets from a single host on the SF LAN to enter the LA LAN. 1. Go to LA router and enter global configuration mode by typing config t. 2. From global configuration mode, type access-list ? to get a list of all the different access lists available. 3. Choose an access-list number that will allow you to create an IP standard access list. This is a number between 1 and 99 or 1300 and 1399. 4. Choose to permit host 192.168.10.2, which is the host address: ***** note the book has this IP wrong after this line, it should be 192.168.10.2 in SF LAN NOT 192.168.20.2********** ac 192.168.10.2 ? A.B.C.D Wildcard bits <cr> To specify only host 192.168.10.2, use the wildcards 0.0.0.0: LA(config)#access-list 10 permit 192.168.10.2 0.0.0.0 5. Now that the access list is created, you must apply it to an interface to make it work: LA(config)#int f0/0 Lab_A(config-if)#ip access-group 10 out 6. Verify your access list with the following commands: LA#sh access-list Standard IP access list 10 permit 192.168.20.2 LA#sh run [output cut] interface FastEthernet0/0 ip address 192.168.20.1 255.255.255.0 ip access-group 10 out 7. Test your access list by pinging from 192.168.10.2 to 192.168.20.2. 8. If you have another host on the LA LAN, ping that address, which should fail if your ACL is working. Hands-on Lab 10.2: Extended IP Access Lists In this lab, you will use an extended IP access list to stop host 192.168.10.2 from creating a Telnet session to router LA (172.16.10.6). However, the host still should be able to ping the LA router. IP extended lists should be placed close to the source, so add the extended list on router SF. Pay attention to the log command used in step 6. It is a Cisco objective! 1. Remove any access lists on SF and add an extended list to SF. 2. Choose a number to create an extended IP list. The IP extended lists use 100–199 or 2000–2699. 3. Use a deny statement. (You’ll add a permit statement in step 7 to allow other traffic to still work.) SF(config)#access-list 110 deny ? <0-255> An IP protocol number ahp Authentication Header Protocol eigrp Ciscos EIGRP routing protocol esp Encapsulation Security Payload gre Ciscos GRE tunneling icmp Internet Control Message Protocol igmp Internet Gateway Message Protocol igrp Ciscos IGRP routing protocol ip Any Internet Protocol ipinip IP in IP tunneling nos KA9Q NOS compatible IP over IP tunneling ospf OSPF routing protocol pcp Payload Compression Protocol tcp Transmission Control Protocol udp User Datagram Protocol 4. Since you are going to deny Telnet, you must choose TCP as a Transport layer protocol: SF(config)#access-list 110 deny tcp ? A.B.C.D Source address any Any source host host A single source host 5. Add the source IP address you want to filter on, then add the destination host IP address. Use the host command instead of wildcard bits. SF(config)#access-list 110 deny tcp host 192.168.10.2 host 172.16.10.6 ? ack Match on the ACK bit eq Match only packets on a given port number established Match established connections fin Match on the FIN bit fragments Check fragments gt Match only packets with a greater port number log Log matches against this entry log-input Log matches against this entry, including input interface lt Match only packets with a lower port number neq Match only packets not on a given port number precedence Match packets with given precedence value psh Match on the PSH bit range Match only packets in the range of port numbers rst Match on the RST bit syn Match on the SYN bit tos Match packets with given TOS value urg Match on the URG bit <cr> 6. At this point, you can add the eq telnet command to filter host 192.168.10.2 from telnetting to 172.16.10.6. The log command can also be used at the end of the command so that whenever the access-list line is hit, a log will be generated on the console. SF(config)#access-list 110 deny tcp host 192.168.10.2 host 172.16.10.6 eq telnet log ****** if you receive an error change “log” to “established” 7. It is important to add this line next to create a permit statement. (Remember that 0.0.0.0 255.255.255.255 is the same as the any command.) SF(config)#access-list 110 permit ip any 0.0.0.0 255.255.255.255 You must create a permit statement; if you just add a deny statement, nothing will be permitted at all. Please see the sections earlier in this chapter for more detailed infor- mation on the deny any command implied at the end of every ACL. 8. Apply the access list to the FastEthernet0/0 on SF to stop the Telnet traffic as soon as it hits the first router interface. SF(config)#int f0/0 SF(config-if)#ip access-group 110 in SF(config-if)#^Z 9. Try telnetting from host 192.168.10.2 to LA using the destination IP address of 172.16.10.6. This should fail, but the ping command should work. 10. On the console of SF, because of the log command, the output should appear as follows: 01:11:48: \%SEC-6-IPACCESSLOGP: list 110 denied tcp 192.168.10.2(1030) -> 172.16.10.6(23), 1 packet 01:13:04: \%SEC-6-IPACCESSLOGP: list 110 denied tcp 192.168.10.2(1030) -> 172.16.10.6(23), 3 packets Hands-on Labs I am going to use some basic routers for these labs, but really, almost any Cisco router will work. Also, you can use the LammleSim IOS version to run through all the labs in this (and every) chapter in this book. Here is a list of the labs in this chapter: Lab 11.1: Preparing for NAT Lab 11.2: Configuring Dynamic NAT Lab 11.3: Configuring PAT I am going to use the network shown in the following diagram for our hands-on labs. I highly recommend you connect up some routers and run through these labs. You will con- figure NAT on router Lab_A to translate the private IP address of 192.168.10.0 to a public address of 171.16.10.0. ( S0 S0/0 S0/2 S0 Lab C E0 E0 Lab B Lab A ISP ) Table 11.3 shows the commands we will use and the purpose of each command. TA b l e 11 . 3 Command summary for NAT/PAT hands-on labs Command Purpose ip nat inside source list acl pool name ip nat inside source static inside_addr outside_addr Translates IPs that match the ACL to the pool Statically maps an inside local address to an out- side global address ip nat pool name Creates an address pool ip nat inside Sets an interface to be an inside interface ip nat outside Sets an interface to be an outside interface show ip nat translations Shows current NAT translations Lab 11.1: Preparing for NAT In this lab, you’ll set up your routers with IP addresses and RIP routing. 1. Configure the routers with the IP addresses listed in the following table: Router Interface IP Address ISP S0 171.16.10.1/24 Lab_A S0/2 171.16.10.2/24 Lab_A S0/0 192.168.20.1/24 Lab_B S0 192.168.20.2/24 Lab_B E0 192.168.30.1/24 Lab_C E0 192.168.30.2/24 After you configure IP addresses on the routers, you should be able to ping from router to router, but since we do not have a routing protocol running until the next step, you can verify only from one router to another but not through the network until RIP is set up. You can use any routing protocol you wish; I am just using RIP for simplicity’s sake to get this up and running. 2. On Lab_A, configure RIP routing, set a passive interface, and configure the default network. Lab_A#config t Lab_A(config)#router rip Lab_A(config-router)#network 192.168.20.0 Lab_A(config-router)#network 171.16.0.0 *******then run version 2 command for RIP or pings will not work Lab_A(config-router)# version 2 Lab_A(config-router)#passive-interface s0/2 Lab_A(config-router)#exit Lab_A(config)#ip default-network 171.16.10.1 The passive-interface command stops RIP updates from being sent to the ISP and the ip default-network command advertises a default network to the other routers so they know how to get to the Internet. 3. On Lab_B, configure RIP routing: Lab_B#config t Lab_B(config)#router rip Lab_B(config-router)#network 192.168.30.0 Lab_B(config-router)#network 192.168.20.0 *******then run version 2 command for RIP or pings will not work Lab_B(config-router)# version 2 4. On Lab_C, configure RIP routing: Lab_C#config t Lab_C(config)#router rip Lab_C(config-router)#network 192.168.30.0 *******then run version 2 command for RIP or pings will not work Lab_C(config-router)# version 2 5. On the ISP router, configure a default route to the corporate network: ISP#config t ISP(config)#ip route 0.0.0.0 0.0.0.0 s0 6. Configure the ISP router so you can telnet into the router without being prompted for a password: ISP#config t ISP(config)#line vty 0 4 ISP(config-line)#no login 7. Verify that you can ping from the ISP router to the Lab_C router and from the Lab_C router to the ISP router. If you cannot, troubleshoot your network. Lab 11.2: Configuring Dynamic NAT In this lab, you’ll configure dynamic NAT on the Lab_A router. 1. Create a pool of addresses called GlobalNet on the Lab_A router. The pool should contain a range of addresses of 171.16.10.50 through 171.16.10.55. Lab_A(config)#ip nat pool GlobalNet 171.16.10.50 171.16.10.55 net 255.255.255.0 2. Create access list 1. This list permits traffic from the 192.168.20.0 and 192.168.30.0 network to be translated. Lab_A(config)#access-list 1 permit 192.168.20.0 0.0.0.255 Lab_A(config)#access-list 1 permit 192.168.30.0 0.0.0.255 3. Map the access list to the pool that was created. Lab_A(config)#ip nat inside source list 1 pool GlobalNet 4. Configure serial 0/0 as an inside NAT interface. Lab_A(config)#int s0/0 Lab_A(config-if)#ip nat inside 5. Configure serial 0/2 as an outside NAT interface. Lab_A(config-if)#int s0/2 Lab_A(config-if)#ip nat outside 6. Move the console connection to the Lab_C router. Log in to the Lab_C router. Telnet from the Lab_C router to the ISP router. Lab_C#telnet 171.16.10.1 7. Move the console connection to the Lab_B router. Log in to the Lab_B router. Telnet from the Lab_B router to the ISP router. Lab_B#telnet 171.16.10.1 8. Execute the command show users from the ISP router. (This shows who is accessing the VTY lines.) ISP#show users a. What does it show as your source IP address? b. ( Line User Host(s) Idle Location 0 con 0 idle 00:03:32 2 vty 0 idle 00:01:33 171.16.10.50 * 3 vty 1 idle 00:00:09 171.16.10.51 Interface User Mode Idle Peer Address )What is your real source IP address? The show users output should look something like this: ISP>sh users ISP> Notice that there is a one-to-one translation. This means you must have a real IP address for every host that wants to get to the Internet, which is not typically possible. 9. Leave the session open on the ISP router and connect to Lab_A. (Use Ctrl+Shift+6, let go, and then press X.) 10. Log in to your Lab_A router and view your current translations by entering the show ip nat translations command. You should see something like this: Lab_A#sh ip nat translations Pro Inside global Inside local Outside local Outside global --- 171.16.10.50 192.168.30.2 --- --- --- 171.16.10.51 192.168.20.2 --- --- Lab_A# 11. If you turn on debug ip nat on the Lab_A router and then ping through the router, you will see the actual NAT process take place, which will look something like this: 00:32:47: NAT*: s=192.168.30.2->171.16.10.50, d=171.16.10.1 [5] 00:32:47: NAT*: s=171.16.10.1, d=171.16.10.50->192.168.30.2 Lab 11.3: Configuring PAT In this lab, you’ll configure PAT on the Lab_A router. We will use PAT because we don’t want a one-to-one translation, which uses just one IP address for every user on the network. 1. On the Lab_A router, delete the translation table and remove the dynamic NAT pool. Lab_A#clear ip nat translations * Lab_A#config t Lab_A(config)#no ip nat pool GlobalNet 171.16.10.50 171.16.10.55 netmask 255.255.255.0 Lab_A(config)#no ip nat inside source list 1 pool GlobalNet 2. On the Lab_A router, create a NAT pool with one address called Lammle. The pool should contain a single address, 171.16.10.100. Enter the following command: Lab_A#config t Lab_A(config)#ip nat pool Lammle 171.16.10.100 171.16.10.100 net 255.255.255.0 3. Create access list 2. It should permit networks 192.168.20.0 and 192.168.30.0 to be translated. Lab_A(config)#access-list 2 permit 192.168.20.0 0.0.0.255 Lab_A(config)#access-list 2 permit 192.168.30.0 0.0.0.255 4. Map access list 2 to the new pool, allowing PAT to occur by using the overload command. Lab_A(config)#ip nat inside source list 2 pool Lammle overload 5. Log in to the Lab_C router and telnet to the ISP router; also, log in to the Lab_B router and telnet to the ISP router. 6. From the ISP router, use the show users command. The output should look like this: ISP>sh users Line User Host(s) Idle Location * 0 con 0 idle 00:00:00 2 vty 0 idle 00:00:39 171.16.10.100 4 vty 2 idle 00:00:37 171.16.10.100 Interface User Mode Idle Peer Address ISP> 7. From the Lab_A router, use the show ip nat translations command. Lab_A#sh ip nat translations Pro Inside global Inside local Outside local Outside global tcp 171.16.10.100:11001 192.168.20.2:11001 171.16.10.1:23 171.16.10.1:23 tcp 171.16.10.100:11002 192.168.30.2:11002 171.16.10.1:23 171.16.10.1:23 8. Also make sure the debug ip nat command is on for the Lab_A router. If you ping from the Lab_C router to the ISP router, the output will look like this: 01:12:36: NAT: s=192.168.30.2->171.16.10.100, d=171.16.10.1 [35] 01:12:36: NAT*: s=171.16.10.1, d=171.16.10.100->192.168.30.2 [35] 01:12:36: NAT*: s=192.168.30.2->171.16.10.100, d=171.16.10.1 [36] 01:12:36: NAT*: s=171.16.10.1, d=171.16.10.100->192.168.30.2 [36] 01:12:36: NAT*: s=192.168.30.2->171.16.10.100, d=171.16.10.1 [37] 01:12:36: NAT*: s=171.16.10.1, d=171.16.10.100->192.168.30.2 [37] 01:12:36: NAT*: s=192.168.30.2->171.16.10.100, d=171.16.10.1 [38] 01:12:36: NAT*: s=171.16.10.1, d=171.16.10.100->192.168.30.2 [38] 01:12:37: NAT*: s=192.168.30.2->171.16.10.100, d=171.16.10.1 [39] 01:12:37: NAT*: s=171.16.10.1, d=171.16.10.100->192.168.30.2 [39] Hands-on Labs In this section, you will configure Cisco routers in three different WAN labs using the figure supplied in each lab. (These labs are included for use with real Cisco routers but work per- fectly with the LammleSim IOS version simulator and with Cisco’s Packet Tracer program.) Lab 15.1: Configuring PPP Encapsulation and Authentication Lab 15.2: Configuring and Monitoring HDLC Lab 15.3: Configuring a GRE Tunnel Hands-on Lab 15.1: Configuring PPP Encapsulation and Authentication By default, Cisco routers use High-Level Data-Link Control (HDLC) as a point-to-point encapsulation method on serial links. If you are connecting to non-Cisco equipment, then you can use the PPP encapsulation method to communicate. Labs 15.1 and 15.2 will have you configure the network in the following diagram. ******be sure to use 2911 routers Fa0/0 Fa0/0 Fa0/0 RouterA S0/0 S0/0 RouterB DCE S0/1 DCE S0/0 RouterC 1. Type sh int s0/0 on RouterA and RouterB to see the encapsulation method. 2. Make sure each router has the hostname assigned. RouterA#config t RouterA(config)#hostname RouterA RouterB#config t RouterB(config)#hostname RouterB 3. To change the default HDLC encapsulation method to PPP on both routers, use the encapsulation command at interface configuration. Both ends of the link must run the same encapsulation method. RouterA#Config t RouterA(config)#int s0 RouterA(config-if)#encap ppp 4. Now go to RouterB and set serial 0/0 to PPP encapsulation. RouterB#config t RouterB(config)#int s0 RouterB(config-if)#encap ppp 5. Verify the configuration by typing sh int s0/0 on both routers. 6. Notice the IPCP and CDPCP (assuming the interface is up). This is the information used to transmit the upper-layer (Network layer) information across the HDLC at the MAC sublayer. 7. Define a username and password on each router. Notice that the username is the name of the remote router. Also, the password must be the same. RouterA#config t RouterA(config)#username RouterB password todd RouterB#config t RouterB(config)#username RouterA password todd 8. Enable CHAP or PAP authentication on each interface. RouterA(config)#int s0 RouterA(config-if)#ppp authentication chap RouterB(config)#int s0 RouterB(config-if)#ppp authentication chap 9. Verify the PPP configuration on each router by using these commands. RouterB(config-if)#shut *****cntrl+z RouterB#debug ppp authentication RouterB#config t RouterB(config)#int s0 RouterB(config-if)#no shut Hands-on Lab 15.2: Configuring and Monitoring HDLC There really is no configuration required for HDLC (as it is the default configuration on Cisco serial interfaces), but if you completed Lab 21.1, then the PPP encapsulation would be set on both routers. This is why I put the PPP lab first. This lab allows you to actually configure HDLC encapsulation on a router. ( For this second lab, you will use the same configuration you used for Lab 10.1. ) 1. Set the encapsulation for each serial interface by using the encapsulation hdlc command. RouterA#config t RouterA(config)#int s0 RouterA(config-if)#encapsulation hdlc RouterB#config t RouterB(config)#int s0 RouterB(config-if)#encapsulation hdlc 2. Verify the HDLC encapsulation by using the show interface s0 command on each router. Hands-on Lab 15.3: Configuring a GRE Tunnel In this lab you will configure two point-to-point routers with a simple IP GRE tunnel. You can use a real router, LammleSim IOS version, or Packet Tracer to do this lab. 1. First, configure the logical tunnel with the interface tunnel number command. Corp(config)#int s0/0/0 Corp(config-if)#ip address 63.1.1.2 255.255.255.252 *****cntrl+z Then conf t Corp(config)#int tunnel ? <0-2147483647> Tunnel interface number Corp(config)#int tunnel 0 *Jan 5 16:58:22.719: \%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down 2. Once you have configured your interface and created the logical tunnel, you need to configure the mode and then the transport protocol. Corp(config-if)#tunnel mode ? aurp AURP TunnelTalk AppleTalk encapsulation cayman Cayman TunnelTalk AppleTalk encapsulation dvmrp DVMRP multicast tunnel eon EON compatible CLNS tunnel gre generic route encapsulation protocol ipip IP over IP encapsulation ipsec IPSec tunnel encapsulation iptalk Apple IPTalk encapsulation ipv6 Generic packet tunneling in IPv6 ipv6ip IPv6 over IP encapsulation nos IP over IP encapsulation (KA9Q/NOS compatible) rbscp RBSCP in IP tunnel Corp(config-if)#tunnel mode gre ? ip over IP ipv6 over IPv6 multipoint over IP (multipoint) Corp(config-if)#tunnel mode gre ip 3. Now that you have created the tunnel interface, the type, and the transport protocol, you need to configure your IP addresses. Of course, you need to use your actual inter- face IP for the tunnel, but you also need to configure the tunnel source and tunnel des- tination addresses. Corp(config-if)#int t0 Corp(config-if)#ip address 192.168.10.1 255.255.255.0 ***Corp(config-if)#tunnel source serial 0/1/0 Corp(config-if)#tunnel destination 63.1.1.2 Corp#sho run Building configuration... Current configuration : 117 bytes ! interface Tunnel0 ip address 192.168.10.1 255.255.255.0 tunnel source 63.1.1.1 tunnel destination 63.1.1.2 end 4. Now configure the other end of the serial link and watch the tunnel pop up! SF(config)#int s0/0/0 SF(config-if)#ip address 63.1.1.2 255.255.255.252 SF(config-if)#int t0 SF(config-if)#ip address 192.168.10.2 255.255.255.0 SF(config-if)#tunnel source 63.1.1.2 SF(config-if)#tun destination 63.1.1.1 *May 19 22:46:37.099: \%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up Remember, you don’t need to configure your tunnel mode and transport protocol because GRE and IP are the defaults. It’s really important that you remember to configure the tun- nel interface with the actual source and destination IP addresses to use or the tunnel won’t come up. In my example, 63.1.1.2 was the source and 63.1.1.1 was the destination. 5. Verify with the following commands: Corp#sh ip int brief You should see that the tunnel interface is now showing as an interface on your router. The IP address of the tunnel interface and the physical and data link status shows as up/up. Corp#sh int tun 0 The show interfaces command shows the configuration settings and the interface sta- tus as well as the IP address and tunnel source and destination address. Corp#sh ip route The tunnel0 interface shows up as a directly connected interface, and although it’s a logical interface, the router treats it as a physical interface just like serial0/0 in the routing table. Hands-on Labs You’ll need at least three routers to complete these labs; five would be better, but if you are using the LammleSim IOS version, then these lab layouts are preconfigured for you. This section will have you configure the following labs: Lab 17.1: Manual and Stateful Autoconfiguration Lab 17.2: Static and Default Routing Here is our network: ( A B D E Fa0/0 Fa0/0 Fa0/0 Fa0/0 2001:db8:3c4d:1::/64 Fa0/0 C Fa0/1 2001:db8:3c4d:2::/64 ) Hands-on Lab 17.1: Manual and Stateful Autoconfiguration In this lab, you will configure the C router with manual IPv6 addresses on the Fa0/0 and Fa0/1 interfaces and then configure the other routers to automatically assign themselves an IPv6 address. ***********Use three 2911 Routers and connect with crossovers to gigabit Ethernet in order to have IPv6 available without extra configuration*********** 1. Log in to the C router and configure IPv6 addresses on each interface based on the sub- nets (1 and 2) shown in the graphic. C(config)#ipv6 unicast-routing C(config)#int g0/0 C(config-if)#ipv6 address 2001:db8:3c4d:1::1/64 ******* C(config-if)#no shut C(config-if)#int g0/1 C(config-if)#ipv6 address 2001:db8:3c4d:2::1/64 ******* C(config-if)#no shut 2. Verify the interfaces with the show ipv6 route connected and sho ipv6 int brief commands. C(config-if)#do show ipv6 route connected [output cut] C 2001:DB8:3C4D:1::/64 [0/0] via ::, FastEthernet0/0 C 2001:DB8:3C4D:2::/64 [0/0] via ::, FastEthernet0/0 C(config-if)#sh ipv6 int brief FastEthernet0/0 [up/up] FE80::20D:BDFF:FE3B:D80 2001:DB8:3C4D:1::1 FastEthernet0/1 [up/up] FE80::20D:BDFF:FE3B:D81 2001:DB8:3C4D:2::1 Loopback0 [up/up] Unassigned 3. Go to your other routers and configure the Fa0/0 on each router to autoconfigure an IPv6 address. A(config)#ipv6 unicast-routing A(config)#int g0/0 A(config-if)#ipv6 address autoconfig A(config-if)#no shut B(config)#ipv6 unicast-routing B(config)#int g0/0 B(config-if)#ipv6 address autoconfig B(config-if)#no shut D(config)#ipv6 unicast-routing D(config)#int g0/0 D(config-if)#ipv6 address autoconfig D(config-if)#no shut E(config)#ipv6 unicast-routing E(config)#int g0/0 E(config-if)#ipv6 address autoconfig E(config-if)#no shut 4. Verify that your routers received an IPv6 address. A#sh ipv6 int brief FastEthernet0/0 [up/up] FE80::20D:BDFF:FE3B:C20 2001:DB8:3C4D:1:20D:BDFF:FE3B:C20 Continue to verify your addresses on all your other routers. Hands-on Lab 17.2: Static and Default Routing Router C is directly connected to both subnets, so no routing of any type needs to be con- figured. However, all the other routers are connected to only one subnet, so at least one route needs to be configured on each router. 1. On the A router, configure a static route to the 2001:db8:3c4d:2::/64 subnet. A(config)#ipv6 route 2001:db8:3c4d:2::/64 g0/0 2. On the B router, configure a default route. B(config)#ipv6 route ::/0 g0/0 3. On the D router, create a static route to the remote subnet. D(config)#ipv6 route 2001:db8:3c4d:1::/64 g0/0 4. On the E router, create a static route to the remote subnet. E(config)#ipv6 route 2001:db8:3c4d:1::/64 g0/0 5. Verify your configurations with a show running-config and show ipv6 route. 6. Ping from router D to router A. First, you need to get router A’s IPv6 address with a show ipv6 int brief command. Here is an example: A#sh ipv6 int brief FastEthernet0/0 [up/up] FE80::20D:BDFF:FE3B:C20 2001:DB8:3C4D:1:20D:BDFF:FE3B:C20 7. Now go to router D and ping the IPv6 address from router A: D#ping ipv6 *******place router A’s ipv6 address here****** Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2001:DB8:3C4D:1:20D:BDFF:FE3B:C20, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 0/2/4 ms ******you may have a low success rate on the pings such as 20\% or so that is ok. It has at least successfully pinged*****