Ccna Lab Guide V3 PDF

CCNA Routing & Switching v3 LAB Guide
CCNA RnS, CCNA Sec, CCNP RnS, CCNP Sec, CCIE Sec (written)
Ashish Halder (CCNA RnS, CCNP RnS, CCNA Sec, CCNP Sec, CCIE Sec-written), All rights are reserved
2
Contents
1. Cisco CLI mode ----------------------------------------------------------------------------- 4
2. Basic Configuration of Router and Switch ------------------------------------------------------- 6
3. Configuring SSH Access to Cisco Device -------------------------------------------------------- 13
4. Backup and restoring your configuration ------------------------------------------------------- 17
5. VLAN, Access and Trunk Port Configuration ----------------------------------------------------- 19
6. VTP Configuration ------------------------------------------------------------------------------ 26
7. Etherchannel Configuration ------------------------------------------------------------------------ 29
8. VLAN, VTP, Etherchannel and Inter-VLAN Routing configuration----------------------------- 32
9. Inter-Vlan Routing Configuration on L3 Switch (SVI) -------------------------------------------- 43
10. Configure Port Security ----------------------------------------------------------------------------- 47
11. Configure portfast ---------------------------------------------------------------------------------- 53
12. Configure BPDU Guard on Cisco Switch ------------------------------------------------------------ 54
13. Configure Root Guard on Cisco Switch ------------------------------------------------------------- 55
14. Spanning tree behavior - mode , priority value, root bridge ---------------------------------- 59
15. Static route and Static default route configuration --------------------------------------------- 61
16. Static default route configuration --------------------------------------------- ----------------- 65
17. RIPv2 Basic configuration ----------------------------------------------------------------------------- 73
18. RIP Passive Interface -------------------------------------------------------------------------------- 74
19. Configure RIP Authentication ------------------------------------------------------------- 76
20. EIGRP configuration (EIGRP Neighbor Adjacency) -------------------------------------------- 84
21. EIGRP Passive Interface ---------------------------------------------------------------------- 85
22. EIGRP Authentication -------------------------------------------------------------------------- 89
23. EIGRP Hold time and Hello time ----------------------------------------------------------- 91
24. EIGRP Summarization ------------------------------------------------------------------------- 93
25. EIGRP Project LAB ---------------------------------------------------------------------------------- 96
3
26. OSPF Configuration --------------------------------------------------------------------------------- 108
27. OSPF Virtual LAB ------------------------------------------------------------------------------------- 110
28. OSPF Authentication --------------------------------------------------------------------------------- 112
29. OSPF summarization --------------------------------------------------------------------------------- 114
30. PPP and HDLC ---------------------------------------------------------------------------------------- 115
31. BGP Basic Configuration -----------------------------------------------------------------------------120
32. BGP Single Homed Design ---------------------------------------------------------------------------123
33. HSRP Configuration ----------------------------------------------------------------------------------125
34. Standard ACL -----------------------------------------------------------------------------------------133
35. Extended ACL -----------------------------------------------------------------------------------------136
36. Named ACL --------------------------------------------------------------------------------------------140
37. Staci NAT --------------------------------------------------------------------------------------------- 142
38. Dynamic NAT -----------------------------------------------------------------------------------------146
39. Static PAT ---------------------------------------------------------------------------------------------148
40. Dynamic PAT -----------------------------------------------------------------------------------------152
41. Configure GRE Tunnel ------------------------------------------------------------------------------153
42. AAA configuration ----------------------------------------------------------------------------- 156
43. Syslog Server ---------------------------------------------------------------------------------------162
44. SNMPv3 Configurtion ---------------------------------------------------------------------------------166
45. Password Recovery ---------------------------------------------------------------------------------- 168
46. Final Project --------------------------------------------------------------------------------------170
47. Configure IPv6 -------------------------------------------------------------------------------------- 186
48. Configure IPv6 Static Route ----------------------------------------------------------------------- 190
49. Configure RIPNG on Cisco Router ----------------------------------------------------------------- 193
50. Dual-Stack Example ---------------------------------------------------------------------------------195
4
LAB 1: CISCO CLI MODE
Cisco routers have different configuration modes based on the model. Mainly two modes :
EXEC Mode Prompt Typical Use

User ccna> Check the router status
Privileged ccna # Accessing the router
From privileged Mode we enter into the Global Configuration mode with "config ternminal" command.
To be access either User Exec or Privileged mode a password is needed if we set password. From Global
Configuration Mode (password is not needed here) we can configure interfaces, routing protocols,
access lists and many more.
Some of the specific configuration modes can be entered from Global Configuration Mode and other
from Privileged mode:
User Exec Mode ( ">" prompt) : It is used to get statistics from router, see which version IOS you're
running, check memory resources and a few more things.
5
Privileged Mode ( "#" prompt): Here you can enable or disable interfaces on the router, get more
detailed information on the router, for example, view the running configuration of the router, copy the
configuration, load a new configuration to the router, backup or delete the configuration, backup or
delete the IOS and a lot more.
Global Configuration Mode ("config# " prompt): It is accessible via Privileged Mode. In this mode we
can configure each interface individually, setup banners and passwords, enable secrets (encrypted
passwords), enable and configure routing protocols and a lot more. Every time we want to configure or
change something on the router, we will need to be in this mode.
Examples :
Router>------------------------- User Exec Mode
Router>enable ----------------- Enter Privileged Mode

Router#-------------------------- Privileged Mode
Router#disable ---------------- Enter User Exec Mode

Router>-------------------------- User Exec Mode
Router#conf ig terminal------ Enter Global Configuration Mode
6
Router(config)#----------------- Global Configuration Mode
Router(config)#interface fastEthernet 0/0---- Enter Interface Configuration Mode

Router(config-if)#-------------------------------- Interface Configuration Mode
Router(config)#interface fastEthernet 0/0.10-- Enter Sub-Interface Configuration Mode

Router(config-subif)#------------------------------ Sub-Interface Configuration Mode
Router(config)#line vty 0 4----------------------- Enter Line Mode

Router(config-line)#------------------------------- Line Mode
================================================================================
LAB 2. BASIC CONFIGURTION OF ROUTER AND SWITCH
Objective:
1. Configure the Switch as follows:
 hostname
 login banner
 enable password for accessing privilege mode
 assign console password to prevent console login
 assign IP for vlan 1 (Management VLAN)
 configure virtual terminal for telnet session
 set default gateway for the switch
2. Configure The Router as follows:
7
 hostname
 login banner
 enable password for accessing privilege mode
 assign console password to prevent console login
 configure virtual terminal for telnet session
 Assign IP Address on Router Interface
3. Assign IP for the PC
4. Save all configuration
5. Verification
Configuration of a switch:
1. First check the startup-config and running-config ..if there any configuration is exist
When you type a command in the global configuration mode it is stored in the running configuration. A
running configuration resides in a device’s RAM, so if a device loses power, all configured commands
will be lost.
So you need to copy your current configuration into a startup configuration. A startup configuration is
stored in the NVRAM of a device, Now all configurations are saved even if the device loses power.
There are two ways to save your configuration:
Switch#copy running-config startup-config
or
Switch# write memory
Check the startup-config and running-config
Switch#show startup-config
startup-config is not present
Switch#show running-config
2. Enter global configuration mode and configure Hostname as DU
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname DU
DU(config)#
3. Assign password cisco123
8
Enable password will restrict one's access to privilege mode which is like a root user's password. We can
set it in two ways : enable password / enable secret command.
enable secret password provides encryption automatically using MD5 hash algorithm.
The enable password password does not encrypt the password and can be view in clear text in the
running-config. In order to encrypt the enable password password , use the service password-
encryption command. Actually, the enable secret password command provides stronger encryption
than the service password-encryption command.
DU(config)#enable secret cisco123
4. Configure login banner
A login banner is displayed whenever someone connects to the router by telnet or console connections
DU(config)#banner motd "Unauthorized Users are highly Prohibited to login

here"
DU(config)#
5. Console Password
We can protect console port of Cisco devices using console port password.
DU(config)#line console 0
DU(config-line)#password ashish123
DU(config-line)#login
DU(config-line)#exit
DU(config)#
6. Telnet configuration for remote access
Telnet is a user command and an underlying TCP/IP protocol for accessing remote devices.
The VTY lines are the Virtual Terminal lines of the router. They are virtual, in the sense that they are a
function of software - there is no hardware associated with them. They appear in the configuration as
line vty 0 4.
DU#conf t
DU(config)#line vty 0 4
DU(config-line)#password ashish@123#
DU(config)#
7. Configure management vlan for remotely access on the switch
9
By default, all switch ports are part of VLAN 1. VLAN 1 contains control plane traffic and can contain
user traffic.
By default, VLAN 1 is the management VLAN. Management VLAN is used for purposes such as telnet,
SNMP, and syslog.
DU(config)#interface vlan 1
DU(config-if)#ip address 192.168.10.10 255.255.255.0
DU(config-if)#no shutdown
DU(config-if)#exit
DU(config)#
8. Configure default-gateway for the switch
The switch should be configured with a default gateway if the switch will be managed remotely from
networks not directly connected. The default gateway is the first Layer 3 device (such as a router) on
the same management VLAN network to which the switch connects. The switch will forward IP packets
with destination IP addresses outside the local network to the default gateway.
DU(config)#ip default-gateway 192.168.10.1
----------------------------------------------------------------------------------------------------------------------------
Configure The Router
1. First check the startup-config and running-config
Switch#show startup-config
startup-config is not present
Switch#show running-config
2. Configure Hostname as BUET
Switch#conf t
Switch(config)#hostname BUET
BUET(config)#
3. Assign enable secret password cisco123
BUET(config)#enable secret cisco123

BUET(config)#
4. Configure login banner
BUET(config)#banner motd "Do not try to access here"
10
5. Console password
BUET(config)#line console 0
BUET(config-line)#password ashish123
BUET(config-line)#login
BUET(config-line)#exit
BUET(config)#
6. Enter Virtual Terminal lines and give a password ashish@123#, to login remotely
BUET(config)#line vty 0 4
BUET(config-line)#password ashish@123#
BUET(config)#
7. Configure IP Address Router's on Interface
Enter global configuration mode
BUET# config terminal
BUET(config)#
Enter FastEthernet 0/0 interface configuration mode :
BUET(config)#interface fastEthernet 0/0

BUET(config-if)#
Enter IP address and subnet mask:
BUET(config-if)#ip address 192.168.10.1 255.255.255.0
By default, all interfaces on a Cisco router are “Administratively Down”. To bring an interface up, issue
the no shutdown command.
BUET(config-if)#no shutdown
BUET(config-if)#exit
BUET(config)#
8. Save Configuration
BUET#write memory
Building configuration...
[OK]
BUET#
DU#write memory
[OK]
11
you can also save configuration using
BUET# copy running-config start-up config
But be sure about the command, cannot be reversed as :
copy start-up config running-config
then all your configuration will be lost or backup from NVRAM.
9. Assign IP to all hosts
12
11. Now ping to all devices from any PC
C:\>ping 192.168.10.2
Pinging 192.168.10.2 with 32 bytes of data:
Reply from 192.168.10.2: bytes=32 time=1ms TTL=128

Reply from 192.168.10.2: bytes=32 time<1ms TTL=128
C:\>ping 192.168.10.3

C:\>ping 192.168.10.1

14. Now logon to the router remotely
C:\>telnet 192.168.10.1
Trying 192.168.10.1 ...Open
Do not try to access here
User Access Verification
13
Password:
Password:
BUET>
16. Now logon to the switch remotely
C:\>telnet 192.168.10.10
Trying 192.168.10.10 ...Open
Unauthorized Users are highly Prohibited to login here
Password:
DU>
N.B. if the switch is L3 you can assign IP address to its interfaces as follows:
DU(config)#interface fastEthernet 0/2
DU(config-if)# no switchport
DU(config-if)# ip address 192.168.10.10 255.255.255.0
DU(config-if)# no shutdown
For routing capabilities you can also follow the rules
DU(config)# ip routing
===============================================================================
LAB 3: CONFIGURING SSH ON CISCO SWITCH AND ROUTER
Telnet was designed to work within a private network and not across a public network where
threats can appear. Because of this, all the data is transmitted in plain text, including
passwords. This is a major security issue and the developers of SSH used encryptions to make
it harder for other people to sniff the password and other relevant information.
Secure Shell (SSH) is a protocol which provides a secure remote access connection to network
devices. Communication between the client and server is encrypted in SSH. To do this, it uses
a RSA public/private keypair.
There are two versions: version 1 and 2. Version 2 is more secure and commonly used.
14
Enable SSH on Cisco Switch
Step 1: Configure Management IP
Switch#conf t
Switch(config)#interface vlan 1
Switch(config-if)#ip address 192.168.10.10 255.255.255.0
Switch(config-if)#no shutdown
Step 2 : Configure default gateway points to the router

Switch(config)#ip default-gateway 192.168.10.1
Step 3: Configure hostname and domain name
The name of the RSA keypair will be the hostname and domain name of the router.
Switch(config)#hostname ASHISH-SW
ASHISH-SW(config)#ip domain-name ashish.com
Step 4 :Generate the RSA Keys
ASHISH-SW(config)#crypto key generate rsa

The name for the keys will be: ASHISH-SW.ashish.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 2048
15
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]
ASHISH-SW(config)#
Key sizes of 1024 or smaller should be avoided. Larger key sizes take longer time to calculate
and enhance more security
Step 5: SSH version 1 is the default version. So change it to version 2
ASHISH-SW(config)#ip ssh version 2
Step 6 : Setup the Line VTY configurations
ASHISH-SW(config)#line vty 0 4
ASHISH-SW(config-line)#transport input ssh
ASHISH-SW(config-line)#login local
Step 7: Create the username password
ASHISH-SW(config)#username ashish privilege 15 password cisco123
Step 8: Create enable password
ASHISH-SW(config)#enable secret cisco123
Step 9: create console password
ASHISH-SW(config)#line console 0
ASHISH-SW(config-line)#logging synchronous
ASHISH-SW(config-line)#login local
Step 10: Verify SSH

C:\>ssh -l ashish 192.168.10.10 Open
Password:
ASHISH-SW#conf t
ASHISH-SW(config)#
Enable SSH on Router (same as before)
16
Router>en
Router#conf t
Router(config)#hostname Venus
Venus(config)#interface fastEthernet 0/0
Venus(config-if)#ip address 192.168.10.1 255.255.255.0
Venus(config-if)#no shutdown
Venus(config-if)#exit
Venus(config)#ip domain-name cisco.com
Venus(config)#username ashish privilege 15 password cisco123
Venus(config)#crypto key generate rsa
The name for the keys will be: Venus.cisco.com

Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]
Venus(config)#
*Mar 1 0:34:31.790: %SSH-5-ENABLED: SSH 1.99 has been enabled
Venus(config)#ip ssh version 2
Venus(config)#enable secret cisco
Venus(config)#line console 0
Venus(config-line)#logging synchronous
Venus(config-line)#login local
Venus(config-line)#exit
Venus(config)#line vty 0 4
Venus(config-line)#transport input ssh
Venus(config-line)#login local
Venus#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Venus#
C:\>ssh -l ashish 192.168.10.1 Open

Password:
Venus#conf t
Venus(config)#
17
Key Note:
----------------------------------------------------------------------------
"logging synchronous" prevents every logging output from immediately interrupting your console
session.
Say for example when you tried to telnet your Router or switch you will see lot of log messages before
you logged in with username and password.
---------------------------------------------------------------------------------------------------------------------------------
RSA is algorithm used by modern computers to encrypt and decrypt messages. It is an asymmetric
cryptographic algorithm. Asymmetric means that there are two different keys. This is also called public
key cryptography, because one of them can be given to everyone.
============================================================================
LAB 4: BACKUP AND RESTORING CONFIGURATION
Configure tftp server (In your physical Lab you can download tftp server in your PC then
configure it. And rest of the configurations are same)
18
Verify configuration file is saved in NVRAM
Denver#show startup-config
DU#show startup-config
Now backup configuration file to tftp server (From Switch)
Denver#copy startup-config tftp
Address or name of remote host []? 192.168.10.4 (TFTP Server IP)

Destination filename [Denver-confg]? (Press Enter to save it as default name)
Writing startup-config...!!
[OK - 653 bytes]
653 bytes copied in 0.012 secs (54416 bytes/sec)

Denver#
Now backup configuration file to tftp server (From Router)
DU#copy startup-config tftp:
Address or name of remote host []? 192.168.10.4

Destination filename [DU-confg]?
Writing startup-config...!!
[OK - 1178 bytes]
1178 bytes copied in 0.032 secs (36812 bytes/sec)

DU#
Erase startup-configuration file and reboot or reload the router and switch
DU#erase startup-config
19
Erasing the nvram filesystem will remove all configuration files! Continue?
[confirm]
[OK]
Erase of nvram: complete
%SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
DU#
DU#reload
Proceed with reload? [confirm]
Denver#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue?
[confirm]
[OK]
Erase of nvram: complete
%SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
BUET#
Denver #reload
Proceed with reload? [confirm]
Configure IP address to router and switch
Router#conf t
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip address 192.168.10.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
Switch#conf t
Switch(config-if)#exit
Now restore configuration from tftp server to switch and router
Switch#copy tftp running-config

Source filename []? Denver-confg (Backup file name on tftp server)
Destination filename [running-config]? (Press enter)
Denver#write
20
[OK]
Denver#
Router#copy tftp running-config

Source filename []? DU-confg (Backup file name on tftp server)
Destination filename [running-config]? (Press enter)
Now save the configuration to NVRAM
Switch# write memory
Router# write memory
============================================================================
LAB 5: Configure VLAN, Access and Trunk Port
The design of layer-2 switched network is a flat network. Each and every device on the
Network can see the transmission of every broadcast packet even if it does not need to
receive the data. But we can create multiple/ separate broadcast domain logically in a L2
switch. This is possible with VLAN technology. VLAN means Virtual LAN.
The segregation of vlan is only to reduce the broadcast domain. Every vlan means you are
using one subnet for each vlan.
The VLANs makes network management easy with number of ways:
 The VLAN can categorize many broadcast domains into number of logical subnets.
 The network needs to configure a port into the suitable VLAN in order to achieve
change, add or move.
 In the VLAN a group of users with the demand of high security can be included so that
the external users out the VLAN cannot interact with them.
 When it comes to logical classification of users in terms of function, we can consider
VLAN as independent from their geographic or physical locations.
 Even the security of network can be enhanced by VLAN.
 The number of broadcast domains are increased with VLANs while the size decreases.
21
Trunk Ports: Between switches we are going to create a trunk. A trunk connection is an
interface carries multiple VLANs.
Access Ports : Carries data, generally connected to hosts or Servers
There are two trunking protocols we can use:
1. IEEE 802.1Q: Open standard, support switch of any vendor.

2. Cisco ISL (Inter-Switch Link): Cisco proprietary protocol that is only supported on
some Cisco switches.
On a Cisco switch, VLAN 1 is by default. 802.1Q will not tag the native VLAN while ISL does
tag the native VLAN.
By default all switch ports are on VLAN1.
VLAN information is not saved in the running-config or startup-config but in separate file
vlan.dat on flash memory. To delete the VLAN information , delete the file by delete
flash:vlan.dat command.
Objective
1. Basic configuration of switch
2. Create VLANs
22
3. configuration of trunk ports
4. Configuration of Access ports
5. Assign IP to hosts
6. Verification
Data sheet
VLAN ID VLAN Name Ports Switch Subnet

10 Cisco F0/1 - f0/9 DU 192.168.10.0/24
20 Solaris F 0/10 - F 0/20 BUET 172.16.20.0/24
1. Basic configuration of switch
DU(config)#enable secret cisco
DU(config-line)#password cisco
BUET(config)#enable secret cisco
BUET(config-line)#password cisco
2. Create VLANs
DU(config)#vlan 10
DU(config-vlan)#name cisco
DU(config-vlan)#exit
DU(config)#vlan 20
DU(config-vlan)#name solaris
DU(config)#
BUET(config)#vlan 10
BUET(config-vlan)#name cisco
23
BUET(config-vlan)#exit
BUET(config)#vlan 20
BUET(config-vlan)#name solaris
BUET(config-vlan)#exit
BUET(config)#
3. configuration of trunk ports
DU(config)#interface gigabitEthernet 0/1

DU(config-if)#switchport mode trunk
DU(config-if)#exit
BUET(config)#interface gigabitEthernet 0/1

BUET(config-if)#switchport mode trunk
DU#show interfaces gigabitEthernet 0/1 switchport

Name: Gig0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
24
BUET#conf t
BUET(config)#interface range fastEthernet 0/1 - 9
BUET(config-if-range)#switchport mode access
BUET(config-if-range)#switchport access vlan 10
BUET(config-if-range)#exit
BUET(config)#exit
BUET#
DU#conf t
DU(config)#interface range fastEthernet 0/1 - 9
DU(config-if-range)#switchport mode access
DU(config-if-range)#switchport access vlan 10
DU(config-if-range)#exit
DU(config-if-range)#end
DU#
25
5. Assign IP to hosts
26
Ping to same VLAN..............PC0 to PC2
C:\>ping 192.168.10.3

C:\>ping 172.16.20.3 (PC1 to PC 3)

Ping to different VLAN......................... (PC1 to PC0)

C:\>ping 192.168.10.2
Request timed out.
27
Request timed out.
Request timed out.
Request timed out.
LAB 6: VTP Configuration
VTP (VLAN Trunking Protocol) is a Cisco proprietary protocol used by Cisco switches to
exchange VLAN information. VTP replicates configured VLANs to all participating switches.
Consider a network with 50 switches. Without VTP, if you want to create a VLAN on each
switch, you would have to manually enter commands to create the VLAN on each switch! VTP
enables you to create the VLAN only on one switch. That switch can then propagate
information about that VLAN to each switch on a network and cause other switches to create
that VLAN too. If you want to delete a VLAN, you only need to delete it on one switch, and
the change is automatically propagated to every other switch inside the same VTP domain.
Cisco switches can be configured in one of three VTP modes:

 Server
 Client
 Transparent
Server mode is the default for Cisco switches.
Client mode takes VLAN configuration from the Server. It doesn’t place the VLANs in a
vlan.dat file.
Switches in Transparent mode never updated themselves. If they receive VTP advertisements
they will forward them along. In Transparent mode you can configure VLANs normally as you
would on a Server switch.
Be careful, if a switch is deployed with a higher VTP revision number than the rest of the VTP
switches. Because of that, switches in Client mode will download whatever VLAN
configuration that switch has, remove your current configuration. So before use them in a
production network , configure them as Transparent mode. You can also omit VTP
Configuration to avoid these situation.
28
Objective:
1. Create VTP Server and VTP Client

2. Configure Trunk port
3. Create VLAN on Server
4. Verify
1. Create VTP Server and VTP Client
Switch(config)#hostname SERVER
SERVER(config)#vtp domain cisco.com
SERVER(config)#vtp mode server
SERVER(config)#vtp password cisco
SERVER(config)#vtp version 2
SERVER(config)#
Switch(config)#hostname Client
Client(config)#vtp domain cisco.com
Client(config)#vtp version 2
Client(config)#vtp mode client
Client(config)#vtp password cisco
NOTES
 The VTP domain name must match and it is case sensitive.

 Make sure that If any password is set, the password is the same on both sides.
 Every switch in the VTP domain must use the same VTP version. VTP V1 and VTP V2 are not
compatible on switches in the same VTP domain. But VTP v2 and v3 are compatible.
2. Configure Trunk port
SERVER(config)#interface gigabitEthernet 0/1

SERVER(config-if)#switchport mode trunk
SERVER(config-if)#no shut
Client(config)#interface gigabitEthernet 0/1

Client(config-if)#switchport mode trunk
29
Client(config-if)# no shut
3. Create VLAN on Server only
SERVER(config)#vlan 100
SERVER(config-vlan)#name cisco
SERVER(config-vlan)#exit
SERVER(config)#vlan 200
SERVER(config-vlan)#name solaris
SERVER(config-vlan)#end
4. Verify the VLANs are propagated on Client Switch
Here we can see that we have created VLAN on Server switch and it has been seen on Client
Switch Vlan 100 and Vlan 200.
Other Verification Command of VTP

================================
30
From here we can check the VTP Mode, VTP Domain Name and revision Number. Revision
number must be same. If not same, Updates are not considered propagated successfully.
LAB 7 : ETHERCHANNEL Configuration
 EtherChannel is a port link aggregation technology or port-channel architecture which

is a bundle of multiple physical links into a single logical link.
 Etherchannel is great for improving redundancy in your network.
 In this way you can increase the bandwidth of a particular connection.
 With EtherChannel the links that are aggregated are not blocked by STP.
Link aggregation is very common and is usually seen in the following scenarios:
 Switch to switch connectivity in an access block (non-stackable)

 Access switch connectivity to distribution switches.
 Server connectivity to the data center LAN fabric
If you are going to create an etherchannel you need to make sure that all ports have the same
configuration:
 Duplex has to be the same.

 Speed has to be there same.
 Same native AND allowed VLANs.
 Same switchport mode (access or trunk).
31
There’s a maximum to the number of links you can use: 8 physical interfaces.
If you want to configure an Etherchannel there are two protocols you can choose from:
PAGP – port aggregation protocol
 Developed by Cisco
 The port modes are defined as either auto or desirable
LACP – link aggregation control protocol
 Open standard as defined by IEEE 802.3ad standard

 The port modes are either passive or active. Passive is the equivalent of the PAGP auto
and active is the equivalent of PAGP desirable mode.
S1(config)#int range fa0/7-12

S1(config-if-range)##channel-group 1 mode desirable
or
S1(config-if-range)##channel-group 1 mode active
We can use desirable so that the switch will actively negotiate to form a PAgP link(Cisco
Proprietary EtherChannel).
or we can use active so that the switch will actively negotiate to form a LACP link(open
standard EtherChannel).
To verify the configuration, you can use show etherchannel summary.
32
Objective
1. Create Etherchannel
2. Configure Trunk
3. Verification
Create Etherchannel
DU(config)#interface range gigabitEthernet 0/1 - 2
DU(config-if-range)#channel-group 1 mode active
Creating a port-channel interface Port-channel 1
Switch(config)#hostname ASHISH
ASHISH(config)#interface range gigabitEthernet 0/1 - 2
ASHISH(config-if-range)#channel-group 1 mode passive
ASHISH(config-if-range)#
Configure Trunk
DU(config)#interface port-channel 1
DU(config-if)# no shut
ASHISH(config)#interface port-channel 1
ASHISH(config-if)#switchport mode trunk
ASHISH(config-if)# no shutdown
33
Verification
Po1 = Port channel 1 , Channel group must be same for both switch
S = Capital S means L2
U = in Use
LACP = which Etherchannel Protol is used
P = in port Channel
if these appears, be sure your configuration is correct
8. VLAN, VTP, Etherchannel and Inter-VLAN Routing configuration
Inter-VLAN Routing
In our previous lab, we only can communicate with same VLAN. For example, PCs within VLAN
10 or VLAN 20. In order to communicate with different VLAN we must need routing with
different VLAN as each VLAN is now a separate broadcast domain. So we need a L3 switch or
Router for Routing. Here we will use a Router.
34
SWITCH VLAN ID VLAN NAME SWITCH PORTS SUBNET

DU 100 CISCO F 0/3 - 15 192.168.100.0/24
200 SOLARIS F 0/16 - 21 172.16.200.0/24
BUET 100 CISCO F 0/ 6 - 10 192.168.100.0/24
200 SOLARIS F 0/14 - 20 172.16.200.0/24
OBJECTIVE:
BASIC CONFIGURATION OF SWITCH AND ROUTER

ETHER-CHANNEL & TRUNK PORT CONFIGUARTION
VTP CONFIGURATION
CONFIGURATION OF VLAN
VERIFY VTP, TRUNK PORTS AND ETHERCHANNEL CONFIGURATION
CONFIGURE ACCESS-PORTS
CONFIGURE IP TO HOSTS
VERIFICATION
CONFIGURE INTER-VLAN ROUTING
VERIFY CONFIGURATION
BASIC CONFIGURATION OF SWITCH AND ROUTER

==========================================
Switch>en
Switch#conf t
35
DU(config)#banner motd "Do not try to login my Switch"
DU(config-line)#password cisco123
DU(config)#
========================================
Switch#conf t
BUET(config)#hostname BUET
BUET(config)#banner motd "This is the switch of BUET"
BUET(config-line)#password cisco123
BUET(config-line)#end
BUET#
=====================================================
Router>en
Router#conf t
Router(config)#hostname DENVER
DENVER(config)#enable secret cisco123
DENVER(config)#banner motd "This Router belongs to VENUS TELECOM LTD"
DENVER(config)#line console 0
DENVER(config-line)#password cisco123
DENVER(config-line)#login
DENVER(config-line)#end
DENVER#
ETHER-CHANNEL & TRUNK PORT CONFIGUARTION

===============================================

DU(config-if-range)#channel-group 1 mode active
DU(config-if-range)#no shutdown
36
TRUNK PORT CONFIGUARTION

===========================
DU(config)#interface port-channel 1
DU(config-if)#sw
DU(config-if)#switchport mo
====================================================
BUET(config-if-range)#channel-group 1 mode passive
BUET(config-if-range)#no shutdown
TRUNK PORT CONFIGUARTION
BUET(config)#interface port-channel 1
BUET(config-if)#no shutdown '
VTP CONFIGURATION
============================
DU(config)#vtp domain cisco.com

Changing VTP domain name from NULL to cisco.com
DU(config)#vtp mo
DU(config)#vtp mode ser
DU(config)#vtp mode server
Device mode already VTP SERVER.
DU(config)#vtp v
DU(config)#vtp version 2
DU(config)#vtp pass
DU(config)#vtp password cisco
Setting device VLAN database password to cisco
DU(config)#exit
-----------------------------------------------------------------------------
BUET(config)#vtp domain cisco.com
37
Domain name already set to cisco.com.
BUET(config)#vtp mo
BUET(config)#vtp mode cl
BUET(config)#vtp mode client
Setting device to VTP CLIENT mode.
BUET(config)#vtp ve
BUET(config)#vtp version 2
Cannot modify version in VTP client mode
BUET(config)#vtp pass
BUET(config)#vtp password cisco
Setting device VLAN database password to cisco
BUET(config)#
CONFIGURATION OF VLAN
========================
DU#conf t
DU(config)#vlan 100
DU(config-vlan)#name CISCO
DU(config-vlan)#EXIT
DU(config)#VLan 200
DU(config-vlan)#NAMe SOLARIS
VERIFY
==========
38
DU#show etherchannel summary
Flags: D - down P - in port-channel

I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 1

Number of aggregators: 1
Group Port-channel Protocol Ports

------+-------------+-----------+------
1 Po1(SU) LACP Fa0/1(P) Fa0/2(P)
DU#
CONFIGURE ACCESS-PORTS
DU#conf t

DU(config)#
---------------------------------------------------------------------------
BUET#conf t

BUET(config-if-range)#end
BUET#
39
CONFIGURE IP TO HOSTS
40
Verify
=========
ping to same VLAN
C:\>ping 192.168.100.3

C:\>ping 172.16.200.3

PING to different VLAN
C:\>ping 192.168.100.2
Request timed out.

Request timed out.
Request timed out.
Request timed out.
Not successful, Right ? So we will now configure Inter-Vlan Routing to get access to different
VLAN.
CONFIGURE INTER-VLAN ROUTING

=========================
BUET#conf t
BUET(config)#interface gigabitEthernet 0/1
41
------------------------------------------------------------------------
DENVER#conf t
DENVER(config)#interface fastEthernet 0/0
DENVER(config-if)#no shutdown
DENVER(config-if)#exit
DENVER(config)#interface fastEthernet 0/0.100
DENVER(config-subif)#encapsulation dot1Q 100
DENVER(config-subif)#ip address 192.168.100.1 255.255.255.0
DENVER(config-subif)#no shutdown
DENVER(config-subif)#exit
Here we have created two sub-interface 0/0.100 and 0/0.200 for respective VLANs. For
encapsulation dot1Q is used.
Verify
===========
Now ping to different VLAN
C:\>ping 172.16.200.2

C:\>ping 192.168.100.2

====================================================================
42
TELNET ACCESS to Switch

======================
VTP SERVER
============
DU#conf t
DU(config)#vlan 99
DU(config-vlan)#name admin
DU(config)#vlan 199
DU(config-vlan)#name admin2
DU(config-if)#switchport mode access
DU(config-if)#switchport access vlan 99
DU(config-if)#exit
DU(config)#interface vlan 99
DU(config-if)#exit
-------------------------------------------------
Telnet Configuration
===================
DU(config-line)#password cisco123
================================================================
BUET#conf t
BUET(config-if)#switchport mode access
BUET(config-if)#switchport access vlan 199
-------------------------------------------
BUET(config)#interface vlan 199
43
Telnet Configuration
BUET(config-line)#password cisco123
DENVER(config)#line vty 0 4
DENVER(config-line)#password cisco123
DENVER(config-line)#login
DENVER(config-line)#exit
DENVER(config-subif)#end
DENVER#ping 192.168.10.1
Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/2/8 ms
================================================================
DENVER#telnet 192.168.10.1
Trying 192.168.10.1 ...OpenThis Router belongs to VENUS TELECOM LTD

Password:
% Password: timeout expired!
[Connection to 192.168.10.1 closed by foreign host]
==============================================================
DENVER#conf t
DENVER(config)#end
=======================================================
44
DENVER#ping 192.168.20.1
!!!!!
DENVER#telnet 192.168.20.1
Trying 192.168.10.1 ...OpenThis Router belongs to VENUS TELECOM LTD
Password:
LAB 9 : Inter-Vlan Routing Configuration on L3 Switch
SVI - Switched Virtual Interface. There is no physical interface for the VLAN, hence it is
virtual.
Technique is, Assign IP address of each VLAN Interface (suppose Interface vlan 10), then
issue the " ip routing " command on global configuration mode.
Generally, routers do the routing between different broadcast domains that is, Different
VLANs. But SVI provides the routing capabilities of different VLANs.
Example switch models that support layer 3 routing are the 3550, 3750, 3560 etc.
45
Our Tasks (All configuration is only on L3 switch here)
1. Creating vlan 10 and vlan 20

2. Naming these two vlans:
vlan 10 = cisco
vlan 20 = solaris
4. Assigning IP to Hosts
5. Assigning IP to Vlan Interface
6. Verification
CREATE VLAN
Switch>en
Switch#conf t
Switch(config)#vlan 10
Switch(config-vlan)#name cisco
Switch(config-vlan)#exit
Switch(config)#vlan 20
Switch(config-vlan)#name solaris
Switch(config-vlan)#exit
Switch(config)#exit
ACCESS-PORT CONFIGURATION
Switch#conf t
Switch(config)#interface range fastEthernet 0/3 - 9
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 10
Switch(config-if-range)#exit
Switch(config)#interface range fastEthernet 0/10 - 15
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 20
Switch(config-if-range)#exit
Switch(config)#
46
ASSIGN IP TO VLAN INTERFACE
ENABLE ROUTING
Switch(config)#ip routing
Switch(config)#exit
ASSIGN IP TO HOSTS
47
VERIFICATION
Ping to different vlan
48
LAB 10 : Port Security
Port Security
One can access unsecure network resources by plugging his laptop into one of our available
switch ports. He can also change his physical location in LAN network without telling the admin.
But you can secure layer two accesses by using port security.
First in our LAB we will plug one PC, and other PC will remain unplugged as shown in figure:
Assign IP to hosts
49
Switch(config)#interface fastEthernet 0/1

Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 1
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation shutdown
Switch(config-if)#switchport port-security mac-address sticky
Port security is disabled by default. switchport port-security command enables it.

According to our requirements we can limit hosts that can be associated with an interface.
We can set this limit anywhere from 1 to 132. Maximum number of devices that can be
associated with the interface is 132. By default it is set to 1. switchport port-security
maximum value command will set the maximum number of hosts.
We have two options static and dynamic to associate mac address with interface.
In static method we have to manually define exact host mac address with switchport port-
security mac-address MAC_address command.
In dynamic mode we use sticky feature that allows interface to learn mac address
automatically
We need to specify what action; it should take in security violation. Three possible modes are
available:
Protect: - This mode only work with sticky option. In this mode frames from non-allowed
address would be dropped.
50
Restrict: - In restrict mode frames from non-allowed address would be dropped. But in this
mode, switch will make a log entry and generate a security violation alert.
Shutdown: - In this mode switch will generate the violation alert and disable the port. Only
way to re-enable the port is to manually enter no shutdown command. This is the default
violation mode.
Switchport port security explained
Command Description
Switch>enable Move in privilege exec mode
Switch#configure terminal Move in global configuration mode
Switch(config)#interface fastethernet
Move in interface mode
0/1
Switch(config-if)#switchport mode
Assign port as host port
access
Switch(config-if)#switchport port-
Enable port security feature on this port
security
Set limit for hosts that can be associated with

interface. Default value is 1. Skip this command to
security maximum 1
use default value.
Switch(config-if)#switchport port- Set security violation mode. Default mode is

security violation shutdown shutdown. Skip this command to use default mode.
Enable sticky feature.
security mac-address sticky
We have secured F0/1 port of switch. We used dynamic address learning feature. Switch will
remember first learned mac address (on interface F0/1) with this port. We can check MAC
Address table for currently associated address.
51
No mac address is associated with F0/1 port. Switch learns mac address from incoming
frames.
We need to generate frame from PC0 that would be receive on F0/1 port of switch. We can
use ping to generate frames from PC0 to Server.
Switch learns this address dynamically but it is showing as STATIC. Sticky option automatically
converts dynamically learned address in static address.
Switchport port security testing
Now we unplugged the Ethernet cable from pc (PC0) and plugged in his pc (PC1).
52
Now try to ping from PC1 to Server
Why ping is not success ? Because switch detected the mac address change and shutdown the
port.
Verify port security
We have three commands to verify the port security
show port-security
This command displays port security information about all the interfaces on switch.
53
show port-security address

Display statically defined or dynamically learned address with port security.
show port-security interface interface
Display port security information about the specific interface.
Here is a useful command to check your port security configuration. Use show port-security
interface to see the port security details per interface. We can see the violation mode is
shutdown and that the last violation was caused by MAC address 0002.1622.CB46:1 The
aging time is 0 mins which means it will stay in err-disable state forever.
How to reset an interface that is disabled due to violation of port security

Manually restart the interface. Unplugged cable from PC1 and plugged back it to PC0
Run following commands on switch and test connectivity from pc
54
First go to the interface, shutdown and then apply no shutdown.
LAB 11: Configure Portfast
Advantages
 Interfaces which is portfast enabled will go to forwarding mode immediately, the

interface will skip the listening and learning state.
 A switch will never generate a topology change notification.
55
 The PortFast feature will only have effect when the interface is in a non-trunking mode.
So, enabling the PortFast feature on a trunk port is useless. Only in access mode.
Configure PortFast on Cisco Switch (First unplug the two PCs as shown in figure)
Next, execute the following command on Switch to enable the PortFast feature on the Fa0/1
interface.
Switch(config)#interface fa0/1
Switch(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single

host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
%Portfast has been configured on FastEthernet0/1 but will only

have effect when the interface is in a non-trunking mode.
Switch(config-if)#
Now, connect PC0 to the fa0/1 interface and PC1 to the fa0/2 interface, as shown in the
following figure.
56
We notice that the Fa0/1 interface will be activated within 5 seconds because it will not
participate in the STP convergence process.
LAB 12 : Configure BPDU Guard on Cisco Switch
 The BPDU Guard is used to protect the Spanning Tree domain from external influence.
BPDU Guard is disabled by default. But it is recommended to apply BPDU guard enable
for all ports on which the Port Fast is enabled.
 BPDU guard should be applied toward user-facing ports to prevent rogue switch
network extensions by an attacker.
 BPDU Guard can be configured either in Global mode or Interface mode
 On an interface BPDU guard will put the port into err disable state if a BPDU is
received
In global configuration mode BPDU guard will disable port fast on any interface if a BPDU is
received.
SW2(config)# spanning-tree portfast bpduguard default
SW2(config-if)# spanning-tree bpduguard enable
57
Switch(config)#interface fastEthernet 0/1

Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 1
Switch(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single

host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
%Portfast has been configured on FastEthernet0/1 but will only

have effect when the interface is in a non-trunking mode.
Switch(config-if)#spanning-tree bpduguard enable

Switch#show spanning-tree interface fastEthernet 0/1 portfast
VLAN0001 enabled
LAB 13: Configure Root Guard on Cisco Switch
Root-guard will stop a superior bpdu from becoming the root.
Note: Root guard is best deployed towards ports that connect to switches which should
not be the root bridge
58
For example, a port on the distribution layer switch which is connected to an access layer
switch can be Root Guard enabled, because the access layer switch should never become the
Root Bridge.
Switch#conf t
Switch#conf t
Switch(config)#hostname ASHISH
Now check which switch is the root bridge
59
Switch DU becomes the root bridge...right ?
Now we will enable root guard on switch DU on port G 0/1 so that if the Switch ASHISH want
to become root bridge then the port G0/1 of DU switch will shutdown.

DU(config-if)#spanning-tree guard root
Now apply ping to PC1 to PC2 to verify connectivity

C:\>ping 192.168.10.2

Now we will change the priority value of Switch ASHISH ....to check what happen !!
ASHISH(config)#spanning-tree vlan 1 priority 4096
60
now ping....
C:\>ping 192.168.10.2
Request timed out.
Request timed out.
Request timed out.
Request timed out.
The port beomes red colored......taht indicates the port is shutdown when switch ASHISH
wants to root bridge
%SPANTREE-2-ROOTGUARDBLOCK: Port 0/1 tried to become non-designated in VLAN 1.

Moved to root-inconsistent state
--------------------------------- And the above message is generated on switch DU-------------------------------
To recover from this ..............
Reset the priority value of switch ASHISH
ASHISH(config)#spanning-tree vlan 1 priority 32768
On DU switch

DU(config-if)#shutdown
Now apply ping to PC1 to PC2 to verify connectivity
C:\>ping 192.168.10.2

61
LAB 14 : Spanning tree behavior - mode , priority value, root bridge
Here Switch DU is the root bridge as its all the ports are forwarding mode. (Indicates green
signal)
By default Cisco switches run a separate STP instance for every VLAN configured on the
switch; this mode is called PVST.
We will configure Switch ASHISH as a root switch for the default VLAN (1) using one method
then DU switch in another method :
Method 1 (Switch ASHISH will be the root bridge )
First verify switch ASHISH if it is root or not..................
The switch is not the roor bridge
62
Now we will make it root bridge by using the following command:
spanning-tree vlan [list] root [primary | secondary]
Using this command will automatically lower the priority of the switch to a very significant
value in order to make sure that the switch is elected as a root switch.
ASHISH#conf t
ASHISH(config)#spanning-tree vlan 1 root primary
ASHISH(config)#exit
We can see that the switch is now the root bridge.
Method2 (Switch DU will be the root bridge now):
Setting the Bridge priority using the command spanning-tree vlan [list] priority
[value].
DU(config)#spanning-tree vlan 1 priority 4096
63
DU is now the root switch.
LAB 15: Static route configuration
Overview of Static Routing
 Routes are configured Manually

 Administrative distance value 0
 Reducing CPU/RAM overhead and saving bandwidth.
 Static routes are not advertised over the network
 Not fault-tolerant
 Initial configuration and maintenance is time-consuming.
 Not appropriate for complex topologies
64
DU Router (Basic Configuration)
Router>enable
Router#configure terminal
Router(config)#hostname DU

DU(config-if)#description conectivity from DU to BUET
DU(config-if)#exit

DU(config-if)#description connectivity to Local Network
DU(config-if)#exit
BUET Router (Basic Configuration)

Router>en
Router#conf t
Router(config)#hostname BUET
65

BUET(config-if)#description Connectivity from BUET to DU

BUET(config-if)#description connectivity from BUET to it's Local Network
Now Assign IP Address to Hosts
66
Try to Ping from PC0 to PC1
C:\>ping 192.168.30.2
Reply from 192.168.10.1: Destination host unreachable.

Ping statistics for 192.168.30.2:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\>
Thus we need routing either static or dynamic, right ?
Let us start with static routing...............
DU Router
DU(config)#ip route 192.168.30.0 255.255.255.0 192.168.20.2
BUET Router
BUET(config)#ip route 192.168.10.0 255.255.255.0 192.168.20.1
Rules of Static route
Router(config)# ip route [destination_network] [subnet_mask] [next-hop]
On point-to-point links, an exit-interface can be specified instead of a next-hop address.
Router(config)# ip route [destination_network] [subnet_mask] [Exit-Interface ]
So for the previous example instead of IP Address we can write exit-interface as follows but if
the 2 routers are connected point-to-point
DU(config)#ip route 192.168.30.0 255.255.255.0 fastEthernet 0/0

BUET(config)#ip route 192.168.10.0 255.255.255.0 fastEthernet 0/0
Now ping again,
C:\>ping 192.168.30.2

Telnet to BUET Router..............
67
C:\>telnet 192.168.20.2
Trying 192.168.20.2 ...Open
Password:
Password:
BUET>
Success...right ..
Other verification command
BUET#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
S 192.168.10.0/24 [1/0] via 192.168.20.1
C 192.168.20.0/24 is directly connected, FastEthernet0/0

BUET#
S ----- represent Static route
C------Directly connected route
LAB 16: Static Default Routing
It is a special type of static route. Default routing is used in stub networks. The stub network
has only one way for the traffic to go, to reach several different networks.
A DEFAULT ROUTE is sometime called Zero/Zero Route because the network and subnet we
are specifying as the destination for the traffic that it would match are all zeros.
A DEFAULT ROUTE says "for any traffic that DOES NOT match a specific route in the routing
table ,then forward that traffic to this destination (next-hop-router-IP Address)".Other
words default route is a "CATCH ALL"
On default route, both the network and subnet mask will be zero (0.0.0.0 0.0.0.0).
ip route 0.0.0.0 0.0.0.0 next-hop-router-IP address
68
Normally Customer route to ISP is default route and ISP route to Customer is normal static
route as shown below :
Objective:
 Basic Configuration on Router CUSTOMER and ISP

 Static default route to INTERNET on CUSTOMER Router
 Static route to CUSTOMER LAN on ISP Router
 Verification
Configuration
Basic Configuration on Router CUSTOMER and ISP
CUSTOMER Router
Router>en
Router#conf t
Router(config)#hostname CUSTOMER
CUSTOMER(config)#interface fastEthernet 0/1
CUSTOMER(config-if)#description CUSTOMER LAN
CUSTOMER(config-if)#ip address 192.168.10.1 255.255.255.0
CUSTOMER(config-if)#no shutdown
CUSTOMER(config-if)#exit
CUSTOMER(config)#interface fastEthernet 0/0
69
CUSTOMER(config-if)#description Connectivity to ISP
CUSTOMER(config-if)#ip address 103.13.148.1 255.255.255.248
CUSTOMER(config-if)#no shutdown
CUSTOMER(config-if)#exit
ISP ROUTER
Router>en
Router#conf t
Router(config)#hostname ISP
ISP(config)#interface fastEthernet 0/0
ISP(config-if)#description Connectivity to CUSTOMER ROUTER
ISP(config-if)#ip address 103.13.148.2 255.255.255.248
ISP(config-if)#no shutdown
ISP(config-if)#exit
ISP(config-if)#description Connectivity to INTERNET
ISP(config-if)#end
default route to INTERNET on CUSTOMER Router
CUSTOMER(config)#ip route 0.0.0.0 0.0.0.0 103.13.148.2
Static route to CUSTOMER LAN on ISP Router

ISP(config)#ip route 192.168.10.0 255.255.255.0 103.13.148.1
Assign IP Address to hosts.............................
70
Verification
Apply Ping from PC0 to PC1
C:\>ping 100.100.100.2
Successfull.....................
Now on Customer Router
S* indicates default route
71
On ISP Router
..................S indicates Static route
RIPv2 Configuration
Dynamic Routing Protocol
 Interior Gateway Protocol - RIP, IGRP, EIGRP, OSPF, IS-IS

 Distance vector - RIP, IGRP
 Link-state - OSPF, IS-IS
 Hybrid - EIGRP
 Exterior Gateway Protocol - BGP
IGPs are used for routing within networks that are under a common network administration,
whereas EGP (exterior gateway protocols) are used to exchange routing information between
networks.
RIP - Distance Vector Routing Protocol
RIP Fundamentals (RIPv2)
 Distance-vector protocol.
 Uses UDP port 520.
 Classless protocol (support for CIDR).
 Supports VLSMs.
 Metric is router hop count.
 Maximum hop count is 15; infinite (unreachable) routes have a metric of 16.
 Periodic route updates sent every 30 seconds to multicast address 224.0.0.9.
72
 25 routes per RIP message (24 if you use authentication).
 Supports authentication.
 Implements split horizon with poison reverse.
 Implements triggered updates.
 Subnet mask included in route entry.
 Administrative distance for RIPv2 is 120.
 Used in small, flat networks or at the edge of larger networks.
 Prevents routing loops (Split Horizon, Route poisoning, Hold-down Timers and
Maximum hop Count)
Hello and Dead Time
RIPv2 EIGRP OSPF

Hello interval = 30 sec Hello sends every 5 sec, dead 15 ppp hello 10 dead 40
Dead interval = 30*6 = 180 sec (point to point) brodcast same
Hold down timers = 180 sec In NBMA , hello interval = 60 sec But in point to multipoing hello
Flush timers = 240 sec and dead = 180 sec is 30 sec, dead 120 sec
RIPV2 CONFIGURATION LAB
73
Objective:
 Basic Configuration of Router

 Assign IP Address to Hosts
 RIP Configuration
 Configure Passive Interface
 Configure Authentication (MD5)
1. Basic Configuration of Router
DU Router
Router>en
Router#conf t

DU(config-if)#description Connected to LAN
DU(config-if)#exit

DU(config-if)#description Connected to BUET router
DU(config-if)#exit
BUET
Router>en
Router#conf t

BUET(config-if)#description to DU Router
74
BUET(config-if)#description connected to BUET LAN
2. Assign IP Address to Hosts
75
LAB 17 : RIP Basic Configuration
DU(config)#router rip
DU(config-router)#version 2
DU(config-router)#network 192.168.10.0
DU(config-router)#no auto-summary
BUET(config)#router rip
BUET(config-router)#version 2
BUET(config-router)#network 100.100.100.0
BUET(config-router)#no auto-summary
Network command sends RIP updates to the associated Network. we specify only the directly
connected networks of this router.
Auto Summarization is turned on by default for RIPv2 and EIGRP, altough these are Classless
Routing protocols. So you manually have to make them Classless with the "no auto-summary"
command.
Verification
R indicates RIP generated Routes
Apply ping from DU LAN to BUET LAN
C:\>ping 100.100.100.100

LAB 18 : Configure Passive Interface
RIP updates will be sent to all interfaces when we use network command on that interfaces.
But, we don’t need to send updates everywhere. In our LAB on DU Router does not need to
send RIP updates to a the LAN switch.
76
We can use use the passive-interface command to prevent RIP updates to send.
DU(config-router)#passive-interface f
DU(config-router)#passive-interface fastEthernet 0/1
Verification
DU#show ip protocols
Routing Protocol is "rip"

Sending updates every 30 seconds, next due in 17 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Redistributing: rip
Default version control: send version 2, receive 2
Interface Send Recv Triggered RIP Key-chain
FastEthernet0/0 2 2
Automatic network summarization is not in effect
Maximum path: 4
Routing for Networks:
103.0.0.0
192.168.10.0
Passive Interface(s):
FastEthernet0/1
Routing Information Sources:
Gateway Distance Last Update
103.13.148.2 120 00:00:04
Distance: (default is 120)
DU#
77
RIP send updates only to 224.0.0.9 (multicast address) Via F0/0 (103.13.148.1).....not
192.168.10.0/24
BUET#show ip route rip
103.0.0.0/29 is subnetted, 1 subnets

R 192.168.10.0/24 [120/1] via 103.13.148.1, 00:00:15, FastEthernet0/0
We can see that the network is advertised but not send any RIP updates
towards DU LAN.
LAB 19: Configure RIP Authentication
Plain text authentication mode is the default setting in every RIPv2 packet, when
authentication is enabled. Plain text authentication should not be used when security is an
issue, because the unencrypted authentication password is sent in every RIPv2 packet. Note:
RIP version 1 (RIPv1) does not support authentication.
N.B. I have used GNS3 to configure this LAB
Objective:
1. Basic configuration of Router R1 and R2

2. Configure RIP
3. Assign IP address to hosts
4. Verify Configuration
5. Configure Authentication
6. Verify
78
Basic configuration of Router R1

DU(config-if)#exit

DU(config-if)#exit
RIP Configuration
DU(config)#router rip
DU(config-router)#version 2
DU(config-router)#end
DU#
Basic configuration of Router R2
BUET#conf t
Configure RIP on R2
BUET(config)#router rip
BUET(config-router)#version 2
79
BUET(config-router)#end
BUET#
Assign IP address to hosts and verify connectivity using ping command
DU#show ip route rip

DU#
R2#show ip route rip

R2#
80
Configure Authentication
MD5 Authentication
The Cisco implementation of RIP v2 supports MD5 authentication. This provides a higher level
of security over clear text. Both router interfaces need to be configured with MD5
authentication. The key number and key string must match on both sides, or authentication
will fail.
DU Router
DU(config)#key chain venus

(Name a key chain)
DU(config-keychain)#key 1
(This is the Identification number of an authentication key on a key chain)
DU(config-keychain-key)#key-string ashish
(The actual password or key-string.It needs to be identical to the key-string
on the remote router)
DU(config-keychain-key)#exit
DU(config-keychain)#exit
BUET Router
BUET(config)#key chain venus

BUET(config-keychain)#key 1
BUET(config-keychain-key)#key-string ashish
BUET(config-keychain-key)#exit
BUET(config-keychain)#exit
BUET(config)#
Apply it to Interface

DU(config-if)#ip rip authentication mode md5
Now check using debug command what is happened if MD5 is enable in DU router and
BUET Router is not..............
BUET#debug ip rip
RIP protocol debugging is on
BUET#
81
*Mar 1 00:09:03.883: RIP: ignored v2 packet from 192.168.10.1 (invalid authentication)
*Mar 1 00:09:03.951: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (192.168.10.2)
*Mar 1 00:09:03.951: RIP: build update entries
*Mar 1 00:09:03.951: 192.168.30.0/24 via 0.0.0.0, metric 1, tag 0
*Mar 1 00:09:09.847: 192.168.20.0/24 via 0.0.0.0, metric 2, tag 0u
BUET#undebug all
BUET ROUTER

BUET(config-if)#ip rip authentication mode md5
BUET(config-if)#end
Now verify
BUET#debug ip rip
BUET#
*Mar 1 00:09:58.267: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (192.168.10.2)
*Mar 1 00:09:59.131: RIP: received packet with MD5 authentication
*Mar 1 00:09:59.131: RIP: received v2 update from 192.168.10.1 on FastEthernet0/0
*Mar 1 00:09:59.135: 192.168.20.0/24 via 0.0.0.0 in 1 hops
BUET #undebug all
All possible debugging has been turned off
Plain text Authentication

DU(config-if)#ip rip authentication key-chain venus
DU(config-if)#end
BUET(config)#int fastEthernet 0/0

BUET(config-if)#ip rip authentication key-chain venus
BUET(config-if)#end
82
Verification
DU#debug ip rip
DU#
*Mar 1 00:07:21.115: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/1
(192.168.20.1)
DU#
*Mar 1 00:07:39.775: RIP: received packet with text authentication ashish
*Mar 1 00:07:39.775: RIP: received v2 update from 192.168.10.2 on FastEthernet0/0
*Mar 1 00:07:39.779: 192.168.30.0/24 via 0.0.0.0 in 1 hops
DU#
(192.168.10.1)
DU#
(192.168.20.1)
DU#undebug all
Introduction to EIGRP
 Distance vector routing protocols.

 EIGRP was created by Cisco which means you can only run it on Cisco hardware.
 Cisco added some of the features from link-state routing protocols to EIGRP which
makes it far more advanced than a true distance vector routing protocol like RIP.
 EIGRP does not use broadcast packets to send information to other neighbors but will
use multicast or unicast.
 IPv4 you can also use EIGRP to route IPv6 or even some older network layer protocols
like IPX or AppleTalk
 EIGRP is 100% loop-free
 EIGRP has its own protocol number which is 88. Other protocol numbers you are
familiar with are TCP (6) and UDP (17).
 EIGRP Table:
1. Neigbor Table
2. Topology Table
3. Routing Table
83
 EIGRP routers will start sending hello packets to other routers just like OSPF does, if
you send hello packets and you receive them you will become neighbors.
 EIGRP uses a rich set of metrics namely bandwidth, delay, load and reliability. The
lower these metrics the better.
 Sophisticated metric that supports load-balancing across unequal-cost paths.
 Support for authentication only MD5 authentication
 Manual summarization at any interface
 Uses multicast 224.0.0.10.
 EIGRP max hop count 255 (all 8 bits 11111111)
 Neighbor discovery and maintenance: Periodic hello messages
 EIGRP neighbor-ship condition:
 Both routers must be in the same primary subnet
 Both routers must be configured to use the same k-values
 Both routers must in the same AS
 Both routers must have the same authentication configuration (within reason)
 The interfaces facing each other must not be passive
EIGRP’s function is controlled by four key technologies:
 Neighbor discovery and maintenance: Periodic hello messages

 The Reliable Transport Protocol (RTP): Controls sending, tracking, and
acknowledging EIGRP messages
 Diffusing Update Algorithm (DUAL): Determines the best loop-free route
 Protocol-independent modules (PDM): Modules are “plug-ins” for IP, IPX, and
AppleTalk versions of EIGRP
EIGRP Neighborship Requirements and Conditions
EIGRP Router doesn’t trust anyone blindly. It checks following configuration values to insure
that requesting router is eligible to become his neighbor or not.
1. Active Hello packets

2. AS Number
3. K-Values
84
 If you lose the successor because of a link failure EIGRP will copy/paste the feasible
successor in the routing table. This is what makes EIGRP a FAST routing protocol…but
only if you have feasible successor in the topology table.
 RIP and OSPF both can do load balancing but the paths have to be equal. EIGRP can do
unequal load balancing
EIGRP Packets and Metrics
EIGRP packets:
Hello
Update
Query
Reply
ACK (Acknowledgement)
Neighbor Discovery and Route Exchange
Step 1. Router A sends out a hello.

Step 2. Router B sends back a hello and an update.The update contains routing information.
Step 3. Router A acknowledges the update.
Step 4. Router A sends its update.
Step 5. Router B acknowledges.
A neighbor is considered lost if no hello is received within three hello periods (called the hold
time). The default hello/hold timers are as follows:
 5 seconds/15 seconds for multipoint circuits with bandwidth greater than T1 and for
point-to-point media
 60 seconds/180 seconds for multipoint circuits with bandwidth less than or equal to T1
EIGRP Summarization
EIGRP has two ways of summarizing networks:
Automatic summarization:
 Subnets are summarized to the classful network.

 This is the default for EIGRP.
And Manual summarization.
85
What if I entered a wrong key-string?
authentication mismatch
What are the k-values that EIGRP uses?
k1 = bandwidth
k2 = load
k3 = delay
k4 = reliability
k5 = MTU
LAB 20: EIGRP Neighbor Adjacency
loopback interface is a virtual interface—an interface not associated with any hardware or
network
Basic Configuration
R1#conf t
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface loopback 0
R1(config-if)#exit
R2#conf t
86
R2(config-if)#exit
EIGRP Configuration
R1#conf t
R1(config)#router eigrp 10
R1(config-router)#network 192.168.10.0
R1(config-router)#network 10.10.10.0 0.0.0.255
R1(config-router)#no auto-summary
R1(config-router)#end
------------------------------------------------
R2#conf t
Verification
R1#debug eigrp packets hello
R1#
*Mar 1 00:21:05.583: EIGRP: Received HELLO on FastEthernet0/0 nbr 192.168.10.2
*Mar 1 00:21:05.583: AS 10, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
*Mar 1 00:21:06.139: EIGRP: Sending HELLO on Loopback0
*Mar 1 00:21:06.139: AS 10, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
87
*Mar 1 00:21:06.139: EIGRP: Received HELLO on Loopback0 nbr 10.10.10.1
*Mar 1 00:21:06.139: AS 10, Flags 0x0, Seq 0/0 idbQ 0/0
R1#undegug all
LAB 21 : EIGRP Passive Interface
If we want to advertise a network in EIGRP but we don’t want to send hello packets
everywhere, in this case we can use this features.
Basic Configuration
R1#conf t
R1(config-if)#exit
R1(config-if)#exit
R2#conf t
R2(config-if)#exit
88
EIGRP Configuration
R1#conf t
------------------------------------------------
R2#conf t
We can configure passive Interface in two ways. First we apply first method in router R1
and the 2nd method in router R2.
R1#conf t
R1(config-router)#passive-interface default
*Mar 1 00:27:50.875: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor
192.168.10.2 (FastEthernet0/0) is down: interface passive
R1(config-router)#no passive-interface fastEthernet 0/0

192.168.10.2 (FastEthernet0/0) is up: new adjacency
R1(config-router)#
Passive-interface default command will make all the interface passive and then we will
disable the specific interface with "no passive-interface" command
N.B. Neighborship Interface should be not passive,otherwise no neighborship will be formed

with neighbor routers
Verification
R1#show ip protocols
Routing Protocol is "eigrp 10"

89
10.10.10.0/24
192.168.10.0
Serial0/0
FastEthernet0/1
Serial0/1
Serial0/2
FastEthernet1/0
Loopback0
VoIP-Null0
Second Method
R2(config-router)#passive-interface loopback 0
R2(config-router)#
This is the another way to make the interface passive.
R2#show ip protocols
Routing Protocol is "eigrp 10"
11.11.11.0/24
192.168.10.0
Loopback0
Routing Information Sources:
Gateway Distance Last Update
(this router) 90 00:23:10
192.168.10.1 90 00:05:44
Distance: internal 90 external 170
-------------------------------------------------------------------------------------------------
R2#debug eigrp packets hello
EIGRP Packets debugging is on

(HELLO)
R2#
*Mar 1 00:37:39.787: EIGRP: Sending HELLO on FastEthernet0/0
R2#
R2#
90
R2#
R2#
R2#undebu
R2#undebug all
All possible debugging has been turned off
R2#
R2#
------------------------------------------------------------------------------------------------------------------------------------------
LAB 22: EIGRP Authentication
EIGRP only supports the MD5 authentication method.
EIGRP provides benefits like fast convergence, incremental updates and support for multiple
network layer protocols. EIGRP supports Message Digest 5 (MD5) authentication to prevent
malicious and incorrect routing information from being introduced into the routing table of a
Cisco router.
Basic Configuration
R1#conf t
R1(config-if)#exit
91
R1(config-if)#exit
R2#conf t
R2(config-if)#exit
EIGRP Configuration
R1#conf t
R2#conf t
EIGRP Authentication
R1(config)#key chain venus

Specify the keychain name
R1(config-keychain)#key 1
Specify the keychain id
R1(config-keychain-key)#key-string ccnp
Specify the password

R1(config-if)#ip authentication mode eigrp 10 md5
Specify MD5 authentication for the EIGRP packets
R1(config-if)#ip authentication key-chain eigrp 10 venus

Apply key chain on the interface connecting to the other router.
92
N.B. A shared authentication key which is same on both routes must be configured. The
password is known as the ‘key’.
R2(config)#key chain venus
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string ccnp
R2(config-keychain-key)#exit
R2(config-if)#ip authentication mode eigrp 10 md5
R2(config-if)#ip authentication key-chain eigrp 10 venus
192.168.10.1 (FastEthernet0/0) is up: new adjacency
R2(config-if)#
R1#show ip eigrp interfaces detail
IP-EIGRP interfaces for process 10

Xmit Queue Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable SRTT Un/Reliable Flow Timer Routes
Fa0/0 1 0/0 29 0/2 144 0
Hello interval is 5 sec
Next xmit serial <none>
Un/reliable mcasts: 0/5 Un/reliable ucasts: 10/13
Mcast exceptions: 5 CR packets: 4 ACKs suppressed: 0
Retransmissions sent: 3 Out-of-sequence rcvd: 1
Authentication mode is md5, key-chain is "venus"
Use multicast
LAB 23: Configure EIGRP Hold time and Hello time
93
Basic Configuration
R1#conf t
R1(config-if)#exit
R1(config-if)#exit
R2#conf t
R2(config-if)#exit
EIGRP Configuration
R1#conf t
R2#conf t
EIGRP uses two hello and hold timer :
Hello/Hold timer 5/15 (point to point / Broadcast Network)

Hello/Hold timer 60/180 (NBMA)
94
But it can be changed as following :

R1(config-if)#ip hello-interval eigrp 10 30
R1(config-if)#ip hold-time eigrp 10 90
R1(config-if)#end

R2(config-if)#ip hello-interval eigrp 10 300
R2(config-if)#ip hold-time eigrp 10 3600
N.B. It is possible for two routers to become EIGRP neighbors even though the hello and hold
timers do not match.
LAB 24: EIGRP Summarization
Summarization is used to reduce the size of a routing table thus reducing the load on CPU and
memory.
There are two types of summarization:
 Auto summarization - it will advertise the classful A, B or C network to its neighbors.

By default, the “auto-summary” command is enabled.
 Manual summarization - Here we will describe it........
95
Basic Configuration of R1 and R2
R1#conf t
R1(config-if)#exit
R1(config-if)#interface loopback 1
R1(config-if)#
R2#conf t
R2(config-if)#exit
EIGRP Configuration
R1#conf t
-------------------------------------------------------------------
96
Now see the routing table
R1#show ip route

172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
C 172.16.4.0/24 is directly connected, Loopback4
D 172.16.0.0/16 is a summary, 00:00:30, Null0
R2#show ip route

D 172.16.4.0 [90/409600] via 192.168.10.1, 00:00:07, FastEthernet0/0
Router R2 gets a number of EIGRP Route from R1, So we will now reduce the size of routing
table of R2
We will create the summary (Manual Summarization)

R1(config-if)#ip summary-address eigrp 10 172.16.0.0 255.255.248.0
Verification
R2#show ip route
97
R2#show ip route eigrp
Now we can see that R2 Router has only one summary route......
LAB 25 : ADVANCED EIGRP LAB
DU Router
1. Basic Configuration
DU>en
DU#conf t
DU(config)#hostname DU
DU(config)#enable password cisco
2. Line console password

3. Telnet configuration for remote login

98
4. IP configuration on router Interface

DU(config-if)#exit
DU(config-if)#exit
5. Configure Loopback Interface

DU(config)#interface loopback 1
DU(config-if)#interface loopback 2
DU(config-if)#exit
BUET Router
1. Basic Configuration
BUET #conf t
BUET (config)#hostname BUET
2. Line console password

3. Telnet configuration for remote login

99
4. IP configuration on router Interface

BUET(config)#
Main Configuration
============
EIGRP Configuration and advertise network
=================================
DU(config)#router eigrp 10
DU(config-router)#network 172.16.0.0 0.0.0.255
BUET#conf t
BUET(config)#router eigrp 10
BUET(config-router)#
Configure EIGRP Authentication

==========================
DU(config)#key chain ashishkey
DU(config-keychain)#key 1
DU(config-keychain-key)#key-string ashish
100
DU(config-keychain-key)#exit
DU(config-keychain)#exit
DU(config)#

DU(config-if)#ip authentication mode eigrp 10 md5
DU(config-if)#ip authentication key-chain eigrp 10 ashishkey
BUET(config)#key chain ashishkey

BUET(config-keychain)#key 1
BUET(config-keychain-key)#key-string ashish
BUET(config-keychain-key)#exit
BUET(config-keychain)#exit

BUET(config-if)#ip authentication mode eigrp 10 md5
BUET(config-if)#ip authentication key-chain eigrp 10 ashishkey
Configure EIGRP Summary Address

==========================

DU(config-if)#ip summary-address eigrp 10 172.16.0.0 255.255.252.0
Configure EIGRP Passive Interface

=========================
BUET(config-router)#passive-interface fastEthernet 0/1
Troubleshooting commands
# show ip route
# show ip eigrp neighbors / topology / interfaces
# show ip interface F0/0
# show ip protocols
OSPF Fundamentals
 Open standard Protocol

 It is a Link state Protocol
101
 It uses the Dijkstra shortest Path algorithm (construct a shortest path tree and then
populate the routing table with best routes)
 No limit on hop count
 Metric is cost ( cost = 10^8 / Bandwidth)
 Administrative distance is 110
 It is a Classless Routing Protocol
 Support VLSM and CIDR
 Supports only IP routing
 Supports only Equal cost load-balancing
 Uses the concept of Areas for easy management, hierarchical design
 Must have one area as Area 0, which is called backbone area
 All other areas must connect to this Area 0
 Scalability is better than of Distance Vector Routing Protocols
 Supports authentication
 Update are sent through multicast address 224.0.0.5 ( all routers) and 224.0.0.6( all
Designated Routers)
 Faster convergence
 Sends Hello packets every 10 seconds
 Triggered / Incremental updates : Sends update when change triggers in network and
sends only information about the change not complete routing table, LSAs are sent
when change occurs and only about the change.
 LSAs refresh every 30 minutes
 Forms neighbors with adjacent routers in same area
 LSAs used to advertises directly connected links
Link: That’s the interface of our router.

State: Description of the interface and how it’s connected to neighbor routers.
Link-state routing protocols operate by sending link-state advertisements (LSA) to all

other link-state routers. All the routers need to have these link-state advertisements so they
can build their link state database or LSDB. This LSDB is our full picture of the network, in
network terms we call this the topology.
OSPF maintains three tables :
102
Neighbor Table: Contains the list of directly connected neighbors (Routers).We can see
the table using the command ‘show ip ospf neighbors’.
Database Table: It is known as the Link state Database (LSDB). All possible routes to any
network in the same area are contained in this table. " show ip ospf database"
Routing Table: The best paths to reach each destination. The routing table can be seen
using the ‘show ip route’ command.
All the routers in OSPF have a common database.
The two level of hierarchy consist of:
 Transit Area ( backbone or Area 0)

 Regular Area ( non-backbone area)
OSPF works with the concepts of areas and by default you will always have a single area,
normally this is area 0 or also called the backbone area.
 Internal Router: The router for which all its interface belong to one area.
 Area Border Router (ABRs): The router that contains interfaces in more than one
area.
 Backbone Router: The router that has all or at least one interface in Area 0.
 Autonomous System Boundary Router (ASBR): The routers with connection to a
separate autonomous system.
Advantages of OSPF
 Open Standard this can be used by all vendors

 No limitations for hop count
 Provides a loop free network
 Provides faster convergence
Disadvantages of OSPF
 More CPU intensive, uses more CPU resources

 Design and Implementation is complex
 It only supports Equal cost load-balancing
 Only Supports IP and not others like IPX or Apple Talk
Once you configure OSPF your router will start sending hello packets. If you also receive
103
hello packets from the other router you will become neighbors.
Parameters to match to become neighbors

For two or more OSPF routers to become neighbors there are some parameters that need to
match / be identical:
- Area ID
- Area Type ( NSSA, Stub)
- Subnet Mask
- Hello Interval
- Dead Interval
- Prefix
- Network Type ( broadcast, point-to-point, etc)
- Authentication
OSPF Metric
Cost = Reference Bandwidth / Interface Bandwidth
Cost = 100Mbps / Bandwidth
Some things worth knowing about OSPF load balancing:

 Paths must have an equal cost.
 4 equal cost paths will be placed in routing table.
 Maximum of 16 paths.
 To make paths equal cost, change the “cost” of a link
Each LSA has an aging timer which carries the link-state age field. By default each OSPF LSA
is only valid for 30 minutes.
If the LSA expires then the router that created the LSA will resend the LSA and increase the
sequence number
104
OSPF has to get through 7 states in order to become neighbors…here they are:
1. Down: no OSPF neighbors detected at this moment.

2. Init: Hello packet received.
3. Two-way: own router ID found in received hello packet.
4. Exstart: master and slave roles determined.
5. Exchange: database description packets (DBD) are sent.
6. Loading: exchange of LSRs (Link state request) and LSUs (Link state update) packets.
7. Full: OSPF routers now have an adjacency.
OSPF Packet Types
1. Hello: to build and maintain neighbor relationship or adjacencies and as keepalives.

2. DBD – Database Descriptor: Used to verify if the LSDB between two routers is same. It
is a summary of the Link State Database (LSDB)
3. Link State Request (LSR): Any request made to other routers for some information is
using this packet.
4. Link State Update (LSU): Contains the information requested in the LSR.
5. Links State Acknowledgement (LSAck): Acknowledgement for all the OSPF packets
except the Hello packet.
Hellos are the keepalives for OSPF. If a Hello is not received in 4 Hello periods, then the
neighbor is considered Dead. 4 Hello Periods = Dead Time. The hello and dead timers are as
follows:
 LAN and point-to-point interfaces : Hello 10 seconds , Dead timer 40 seconds
 Non-broadcast Multi-access (NBMA) interfaces: Hello 30 seconds, Dead timer120
seconds
There are total 11 types of LSA but famous types are as follow.
LSA Type-1| Router LSA from one network: Each router generates a Type 1 LSA that lists its
active interfaces, IP addresses, neighbors and the cost to each. Flooded inside the router's
area. Link ID is router's ID.
105
LSA Type-2| Network LSA from more network (DR Generated): Type 2 LSA is created by the
DR on the network, and represents the subnet and the router interfaces connected to that
network. Link ID interface IP address. Does not cross area.
LSA Type-3| Summary LSA (ABR summary Route): Generated by Area Border Routers (ABRs).
In type 3 LSAs are advertised networks from an area to the rest of the areas in AS. The link-
state id used by this LSA is the network number advertised.
Describe how to reach from one area to another area, does the summary of network. Type 3
is called inter-area link, represented by O IA
LSA Type-4| Summary LSA (just IP address of ASBR): Describe how to reach ASBR. ABR says
other area's router if you want to go ASBR use me. ABR passes the ASBR summary route.
LSA Type-5| External LSA (ASBR summary Route): ASBR creates the route to go to external
routers. And says if you want to go to external routes use me. I know the path. Type 4 tells
other router how to go ASBR. These routes appear as O E1 or O E2
NSSA External LSA (Type 7): Type 7 LSA allow injection of external routes through Not-so-
Stubby-Areas (NSSA). Generally external routes are advertised by type 5 LSA but they are not
allowed inside any stub area. That’s why Type 7 LSA is used, to trick OSPF. Type 7 LSA is
generated by NSSA ASBR and is translated into type 5 LSA as it leaves the area by NSSA ABR,
which is then propagated throughout the network as type 5 LSA.
Stub area prevents external routers to go through it. So NSSA is used that allows type7 LSA
only
Area Types
Normal Areas: These areas can either be standard areas or transit (backbone) areas. Standard
areas are defined as areas that can accept intra-area, inter-area and external routes. The
backbone area is the central area to which all other areas in OSPF connect.
Stub Areas: These areas do not accept routes belonging to external autonomous systems (AS);
however, these areas have inter-area and intra-area routes. In order to reach the outside
networks, the routers in the stub area use a default route which is injected into the area by
the Area Border Router (ABR).
Totally Stub Areas: These areas do not accept routes belonging to external autonomous
systems (AS); and even inter-area routes (summary routes) are not propagated inside the
106
totally stubby areas. The default routes to be propagated within the area. The ABR injects a
default route into the area and all the routers belonging to this area use the default route to
send any traffic outside the area.
NSSA: This type of area allows the flexibility of importing a few external routes into the area
while still trying to retain the stub characteristic.
OSPF can do summarization
OSPF can do summarization but it’s impossible to summarize within an area. This means we
have to configure summarization on an ABR or ASBR. OSPF can only summarize our LSA type 3
and 5.
OSPF does not support auto summarization, only manual. OSPF route summarization can be of
two types:
1. Internal route summarization;
ABR(config-router)#area 15 range 192.168.0.0 255.255.254.0
1. External route summarization.
ASBR(config-router)# summary-address 172.16.32.0 255.255.224.0
OSPF Supports two types of Authentication:
 Plaintext authentication
 MD5 authentication!
OSPF Network types:
Point-to-Point
High-Level Data Link Control (HDLC) and Point-to-Point Protocol (PPP), Open Shortest Path
First (OSPF) runs as a point-to-point network type.
Broadcast
An Ethernet segment is an example of such a network. Ethernet networks support broadcasts;

a single packet transmitted by a device can be multiplied by the medium (in this case an
Ethernet switch) so that every other end point receives a copy.
Non-Broadcast
107
Frame relay and ATM are probably the most common examples of non-broadcast transport,
requiring individual permanent virtual circuits (PVCs) to be configured between end points.
Non-Broadcast Multi-Access (NBMA)
An NBMA segment emulates the function of a broadcast network. Every router on the segment
must be configured with the IP address of each of its neighbors. OSPF hello packets are then
individually transmitted as unicast packets to each adjacent neighbor.
point-to-multipoint
No DR/BDR election since OSPF sees the network as a collection of point-to-point links.
Only a single IP subnet is used in the topology above.
DR/BDR Election Process
 DR/BDR election is per multi-access segment…not per area. Each multi-access segment
(ex: Ethernet Segment), will have a Designated Router (DR) and a Backup Designated
Router (BDR).
 The other Router who will be not the DR or BDR will be the DROTHER. DROTHER router
on the segment forms a Full adjacency with the DR/BDR. DR/BDR is a property of a
router’s interface, not the entire router.
 DR’s reduce network traffic as only they maintain the complete ospf database and
then send updates to the other routers on the shared network segment.
 The router with the highest priority on the data link wins the election, but by default
priorities are 1. In this case the router with the highest Router ID will win.
108
Consider, all OSPF router processes start at the same time, Router0 and Router1 win the
election for DR and BDR respectively because they have the highest Router ID’s on the
segment. Others routers will be the DROTHER.
Here Router2 and Router3 will make it full adjacency with router Router0(DR) or Router1(BDR)
 We can use show ip ospf neighbor command to verify this.

 The default priority is 1 but the priority can be changed by
Router(config-if)# ip ospf priority <priority number>
 If we do not want a router to participate in the DR / BDR election, then its priority
must be set as 0.
 We need to use clear ip ospf process before this change takes effect.
LAB --- OSPF
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1. BASIC CONFIGURATION
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
R1#conf t
109
R1(config-if)#exit
R1(config-if)#exit
===================================================================
R2#conf t
R2(config-if)#exit

R2(config-if)#exit
R2(config)#
===================================================================
R3#conf t
R3(config-if)#exit
R3(config)#
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
LAB 26 : OSPF BASIC CONFIGURATION
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
R1(config)#router ospf 1
R1(config-router)#network 172.16.0.0 0.0.3.255 area 0
R2#conf t
110
R3#conf t
R3(config-router)#exit
Wild card Mask
Wildcard masks are used to specify a range of network addresses. They are commonly used
with routing protocols (like OSPF) and access lists.
 To indicate the size of a network or subnet for some routing protocols, such as OSPF.
 To indicate what IP addresses should be permitted or denied in access control lists
(ACLs).
Slash Netmask Wildcard Mask

/32 255.255.255.255 0.0.0.0
/31 255.255.255.254 0.0.0.1
/30 255.255.255.252 0.0.0.3
/29 255.255.255.248 0.0.0.7
/28 255.255.255.240 0.0.0.15
/27 255.255.255.224 0.0.0.31
/26 255.255.255.192 0.0.0.63
/25 255.255.255.128 0.0.0.127
/24 255.255.255.0 0.0.0.255
/23 255.255.254.0 0.0.1.255
Rules :
If all bit 1 then all bit zero and vice versa ;
255.255.255.255 0.0.0.0
255.255.255.0 0.0.0.255
if other value (not 0 or 255) then find out the block size
255.255.255.248 ...... block size = 256-248 = 8
And wildcard bit will be "blocksize - 1" = 8 - 1 = 7
And thus here 255.255.255.248 0.0.0.7
111
===========================================================================
Verification
=============
Here we can see that neighbor ship is formed but no route to area 0 and area1
So we have to configure now virtual link on R1 and R2 through area 1.........................
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
LAB : 27 OSPF VIRTUAL-LINK
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
In OSPF all other area must be connected with area 0 (Backbone area) either physically or
virtually. In our figure area 1 is directly connected with area 0 but area 2 is not connected
with area 0. So here area 2 have to be connected with area 0 virtually. In this Lab we will see
it :
First we configure Router ID on R1 and R2 Router
R1(config-router)#router-id 1.1.1.1
R1(config-router)#
R2(config-router)#router-id 2.2.2.2
Reload or use "clear ip ospf process" command, for this to take effect
R2#clear ip ospf process
Reset ALL OSPF processes? [no]: yes
112
We must run this command to take effect on this configuration (also called soft reset)
Now we will configure virtual link through area 1
R1(config-router)#area 1 virtual-link 2.2.2.2
R2(config-router)#area 1 virtual-link 1.1.1.1
===========
Now verify
============
Ping to any loopback IP
R3#ping 172.16.1.1
!!!!!
--------------------------------------------------------------------------
R2#show ip ospf virtual-links

Virtual Link OSPF_VL0 to router 1.1.1.1 is up
Run as demand circuit
DoNotAge LSA allowed.
113
Transit area 1, via interface FastEthernet0/0, Cost of using 10
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:07
Adjacency State FULL (Hello suppressed)
Index 1/3, retransmission queue length 0, number of retransmission 1
First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
Last retransmission scan length is 1, maximum is 1
Last retransmission scan time is 0 msec, maximum is 0 msec
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
LAB 28: OSPF authentication
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Plaintext authentication on Router R1 and R2---F0/0 interface (Area 1)

R1(config-if)#ip ospf authentication
R1(config-if)#ip ospf authentication-key mypass
---------------------------------------------------------
R2(config-if)#ip ospf authentication
R2(config-if)#ip ospf authentication-key mypass
============
Verification
===========
R1#show ip ospf interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
Internet Address 192.168.12.1/24, Area 1
Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 2.2.2.2, Interface address 192.168.12.2
Backup Designated router (ID) 1.1.1.1, Interface address 192.168.12.1
oob-resync timeout 40
114
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 1/5, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 3, maximum is 3
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 2.2.2.2 (Designated Router)
Suppress hello for 0 neighbor(s)
Simple password authentication enabled
R1#
MD5 authentication on Router R2 and R3---F0/0 interface (Area 2)
R2(config-if)#ip ospf message-digest-key 1 md5 mypass1

R2(config-if)#ip ospf authentication message-digest
-------------------------------------------------------
R3(config-if)#ip ospf message-digest-key 1 md5 mypass1
R3(config-if)#ip ospf authentication message-digest
=====================================================================
Verification
===========
R2#show ip ospf interface f0/1
Internet Address 192.168.23.2/24, Area 2
Process ID 1, Router ID 2.2.2.2, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 192.168.23.3, Interface address 192.168.23.3
Backup Designated router (ID) 2.2.2.2, Interface address 192.168.23.2
oob-resync timeout 40
Supports Link-local Signaling (LLS)
Index 1/2, flood queue length 0
Last flood scan length is 1, maximum is 4
115
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 192.168.23.3 (Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1
LAB 29: OSPF Summarization
OSPF does not support auto summarization, only manual. OSPF route summarization can be of
two types:
1. Internal route summarization;
2. External route summarization.
I’m going to show you an example of interarea route summarization on Router R1
First we will check the Routing table of R3
R1(config-router)#area 0 range 172.16.0.0 255.255.252.0
-------------------------------------------------
116
LAB 30 : PPP Configuration
Designing a wide area network (WAN) is one of the most challenging issues. We must have to
choose the correct connection type. Most carriers offer three connection types:
1. Circuit-switched connections
2. Packet-switched or cell-switched connections
3. Dedicated connection
Circuit-switched connections:
Asynchronous dial-in (PSTN) and ISDN services, the telephone companies use circuit switching.
Packet-switched or cell-switched connections
Examples of packet-switched and cell-switched networks include Frame Relay (packet-

switched), X.25 (packet-switched), and Asynchronous Transfer Mode or ATM (cell-switched).
Leased Line(Dedicated connection):
A permanent communication path exists between a Customer Premise Equipment (CPE) on

one site and a CPE at the remote site communicating through a Data Communicating
Equipment (DCE) within the providers' site. Synchronous serial lines are used for this
connection and the most frequent protocols observed in these lines are HDLC (High-Level
Data Link Control) and PPP (Point-to-Point Protocol). When cost in not an issue, you should
use this type of connection.
117
HDLC
 HDLC stands for High-Level Data Link Control protocol.

 HDLC is a Layer 2 protocol.
 HDLC would be the protocol with the least amount of configuration required to
connect these two locations. HDLC would be running over the WAN, between the two
locations.
 HDLC performs error correction, just like Ethernet.
 HDLC is actually proprietary because they added a protocol type field.
 HDLC is actually the default protocol on all Cisco serial interfaces.
PPP
PPP or Point-to-Point Protocol is a type of Layer 2 protocol (Data-link layer) used mainly for
WAN. PPP features two methods of authentication:
 PAP (Password Authentication Protocol) and

 CHAP (Challenge Handshake Authentication Protocol)
 PAP sends the password in clear text and CHAP sends the encrypted password
 PPP encapsulation is possible only over a serial link.
 PPP encapsulates Layer 3 data over point-to-point links.
 PPP uses a Network Control Protocol (NCP) component to encapsulate multiple
protocols and uses Link Control Protocol (LCP) to set up and negotiate control options
on the data link.
 PPP supports multivendor devices.
118
Configuration on Ashish Router
Basic Configuration
Router#conf t
Router(config)#interface serial 0/1/0
Router(config)#hostname Ashish
Ashish(config)#interface fastEthernet 0/0
Ashish(config-if)#ip add
Ashish(config-if)#ip address 192.168.10.1 255.255.255.0
Ashish(config-if)#no shut
Ashish(config-if)#no shutdown
PPP Configuration
Ashish(config)#username buet privilege 15 password cisco

Ashish(config)#interface serial 0/1/0
Ashish(config-if)#encapsulation ppp
Ashish(config-if)#ppp authentication chap
Ashish(config-if)#exit
For PPP configuration we must configure hostname and username. In this router username
will be the hostname of peer router , i.e. buet
Configure Static Route
Ashish(config)#ip route 192.168.20.0 255.255.255.0 103.13.148.2
Ashish(config)#
BUET Router
Router#conf t
Router(config)#hostname buet
buet(config)#interface serial 0/1/0

buet(config-if)#ip address 103.13.148.2 255.255.255.248
buet(config-if)#no shutdown
buet(config)#interface fastEthernet 0/0
buet(config-if)#ip address 192.168.20.1 255.255.255.0
119
buet(config-if)#no shutdown
buet(config)#username Ashish privilege 15 password cisco

buet(config)#interface serial 0/1/0
buet(config-if)#encapsulation ppp
buet(config-if)#ppp authentication chap
buet(config-if)#end
buet#
In this router username will be the hostname of peer router , i.e. Ashish
buet(config)#ip route 192.168.10.0 255.255.255.0 103.13.148.1
Verification :
Ashish#show interfaces serial 0/1/0
Serial0/1/0 is up, line protocol is up (connected)

Hardware is HD64570
Internet address is 103.13.148.1/29
MTU 1500 bytes, BW 128 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
LCP Open
Open: IPCP, CDPCP
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0 (size/max/drops); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/0/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 96 kilobits/sec
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
8 packets input, 1024 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
9 packets output, 1152 bytes, 0 underruns
120
C:\>ping 192.168.20.2

The clock rate will set the speed. It doesn’t matter much what clock speed we use. We can
use a command to verify that the DTE router has received the clock rate:
Ashish# show controllers serial 0/1/0
Interface Serial0/1/0
Hardware is PowerQUICC MPC860
DTE V.35 TX and RX clocks detected
idb at 0x81081AC4, driver data structure at 0x81084AC0
In the example above Ashish is the DTE side and it has received a clock rate. Show controllers
is a useful command when you don’t have physical access to your hardware so you don’t know
which side of the cable is DTE or DCE
LAB 31: BGP Basic Configuration
BGP is an external gateway protocol, It is used between different networks. It is the protocol
used between Internet service providers (ISPs) and also can be used between an Enterprise
and an ISP.
BGP was built for reliability, scalability, and control, not speed.
BGP stands for Border Gateway Protocol. Routers running BGP are termed BGP speakers.
 BGP uses the concept of autonomous systems (AS). An autonomous system is a group of
networks under a common administration. The Internet Assigned Numbers Authority
(IANA) assigns AS numbers: 1 to 64511 are public AS numbers and 64512 to 65535 are
private AS numbers.
121
 Autonomous systems run Interior Gateway Protocols (IGP) within the system. They run
an Exterior Gateway Protocol (EGP) between them. BGP version 4 is the only EGP
currently in use.
 Routing between autonomous systems is called interdomain routing.
 The administrative distance for EBGP routes is 20. The administrative distance for
IBGP routes is 200.
 BGP neighbors are called peers and must be statically configured.
 BGP uses TCP port 179. BGP peers exchange incremental, triggered route updates and
periodic keepalives.
 Routers can run only one instance of BGP at a time.
 BGP is a path-vector protocol.
BGP neighbors can be of two types:
 IBGP neighbors – when two neighbors are in the same AS;
 EBGP neighbors – when two neighbors belong to different AS.
122
Basic Configuration
ISP1
Router#conf t
Router(config)#hostname ISP1
ISP1(config)#interface fastEthernet 0/0
ISP1(config-if)#ip address 192.168.10.1 255.255.255.0
ISP1(config-if)#no shutdown
ISP1(config-if)#exit
ISP2
Router(config)#hostname ISP2
BGP Configuration
ISP1(config)#router bgp 100 *100 is the AS Number of ISP1*

ISP1(config-router)#neighbor 192.168.10.2 remote-as 200 * Declare neighbor,
200 is the AS of ISP2, 192.168.10.2 is the IP Address of ISP2's F0/0
Interface*
ISP1(config-router)#network 10.10.10.0 mask 255.255.255.0 * advertise
network*
ISP1(config-router)#exit
ISP2(config)#router bgp 200

ISP2(config-router)#neighbor 192.168.10.1 remote-as 100
ISP2(config-router)#%BGP-5-ADJCHANGE: neighbor 192.168.10.1 Up
ISP2(config-router)#network 11.11.11.0 mask 255.255.255.0
ISP2(config-router)#
123
Verification
Show ip bgp summary command shows if the neighborship is formed
We can see the bgp route with show ip bgp command
LAB 32: BGP Single Homed Design
124
R1 is in our enterprise core and has OSPF as its IGP.
R1#conf t
R1(config-if)#exit
R1(config)#
R2 is in our enterprise edge and has OSPF for IGP and BGP for EGP.
R2#conf t
R2(config-if)#exit
R2(config-if)#exit
R2(config-router)#default-information originate
R2(config)#router bgp 100
R2(config-router)#neighbor 192.168.20.2 remote-as 200
R2(config-router)#network 1.1.1.0 mask 255.255.255.0
R2(config)#ip route 1.1.1.0 255.255.255.0 null 0
R2 is in the service provider edge. R2 has a couple of static routes to advertise into BGP and is
advertising a default route to R1 which will then get propagated throughout the enterprise
core.
125
R3#conf t
R3(config-if)#exit
R3(config)#router bgp 200
R3(config-router)#neighbor 192.168.20.1 remote-as 100
R3(config-router)#network 2.2.2.0 mask 255.255.255.0
R3(config-router)#neighbor 192.168.20.1 default-originate
Verification
R3#show ip bgp summary
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd

192.168.20.1 4 100 23 24 3 0 0 00:19:33 1
R3#
R2#show ip route
..................<output omitted>...................
S 1.1.1.0 is directly connected, Null0
B 2.2.2.0 [20/0] via 192.168.20.2, 00:17:59 ** BGP learned route **
B* 0.0.0.0/0 [20/0] via 192.168.20.2, 00:20:18 ** default route from BGP
because of the default originate command in R3 **
R2#show ip bgp
-------------------<output omitted>.........................
Network Next Hop Metric LocPrf Weight Path
*> 0.0.0.0 192.168.20.2 0 0 200 i
*> 1.1.1.0/24 0.0.0.0 0 32768 i
*> 2.2.2.0/24 192.168.20.2 0 0 200 i
126
R1#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface

192.168.20.1 1 FULL/BDR 00:00:31 192.168.10.1 FastEthernet0/1
R1#show ip route
------------------<outputs are omitted>--------------
Gateway of last resort is 192.168.10.1 to network 0.0.0.0

O*E2 0.0.0.0/0 [110/1] via 192.168.10.1, 00:06:16, FastEthernet0/1
Here we can see R2 is BGP (Single homed) with R3 advertising a /24 (1.1.1.0/24) and R2 is
advertising a default to the enterprise core (R1).
Explaination
default-information originate, the router is going to Redistribute a default route it got from
another Router (OSPF)
neighbor x.x.x.x default-originate (BGP)
If you want to advertise default route to a specific peer, this is the method for that
requirement.
 Add ‘neighbor x.x.x.x default-originate’ under router bgp <ASN>

 It does not even check for the existence of a default route in the IP routing table
 The ‘default-information originate’ command should not be configured with the
‘neighbor x.x.x.x default-originate’ command on the same router
The Null interface is typically used for preventing routing loops.
Also prevent DoS Aattack. An example of where this traffic to unused IP addresses might come
from could be denial of service attacks, scanning of IP blocks to find vulnerable hosts, etc
LAB 33 : HSRP (Hot Standby Router Protocol) Configuration
HSRP provides layer 3 redundancy in our network through active and standby router
assignment, interface tracking, and load balancing. A group of physical routers, acting as a
single virtual router, advertise a single IP address and MAC address into our network. By
tracking interfaces and managing multiple groups, we can optimize speed as well as add
127
redundancy to our networks. And we can use VRRP or GLBP based on our individual network
needs. The services that HSRP provides are a great addition to any network.
Characteristics
 HSRP is Cisco proprietary

 HSRP has 5 states: Initial, listen, speak, standby and active.
 HSRP allows multiple routers to share a virtual IP and MAC address so that the end-
user hosts do not realize when a failure occurs.
 The active (or Master) router uses the virtual IP and MAC addresses.
 Standby routers listen for Hellos from the Active router. A hello packet is sent every 3
seconds by default. The hold time (dead interval) is 10 seconds.
 Virtual MAC of 0000.0C07.ACxx , where xx is the hexadecimal number of HSRP group.
 The group numbers of HSRP version 1 range from 0 to 255. HSRP does support group
number of 0 (we do check it and in fact, it is the default group number if you don’t
enter group number in the configuration) so HSRP version 1 supports up to 256 group
numbers. HSRP version 2 supports 4096 group numbers.
128
Assign IP Address to Venus
===============================
Switch>en
Switch#conf t
Switch(config)#hostname venus
venus(config)#int fastEthernet 0/10
venus(config-if)#no switchport
venus(config-if)#ip address 192.168.1.1 255.255.255.0
venus(config-if)#no shutdown
venus(config-if)#exit
venus(config-if)#no switchport
venus(config-if)#ip address 192.168.30.2 255.255.255.0
venus(config-if)#no shutdown
venus(config-if)#
Assign IP Address to Denver

===============================
Switch>en
Switch#conf t
Switch(config)#hostname Denver
Denver(config)#int fastEthernet 0/11
Denver(config-if)#no switchport
Denver(config-if)#ip address 192.168.1.2 255.255.255.0
Denver(config-if)#no shutdown
Denver(config-if)#exit
Denver(config-if)#no switchport
129
Denver(config-if)#ip address 192.168.40.2 255.255.255.0
Denver(config-if)#no shutdown
Denver(config-if)#end
Assign IP Address to Toronto

=============================
Router>en
Router#conf t
Router(config)#hostname Toronto
Toronto(config)#interface fastEthernet 0/0
Toronto(config-if)#ip address 192.168.30.1 255.255.255.0
Toronto(config-if)#no shutdown
Toronto(config-if)#exit
Toronto(config)#int fastEthernet 0/1
Toronto(config-if)#ip add
Toronto(config-if)#no shutdown
Toronto(config)#int loopback 1
Toronto(config)#int loopback 1
Create static route to 1.1.1.0/24 network from Venus and Denver

=====================================================================
venus(config)#ip route 1.1.1.0 255.255.255.0 192.168.30.1
130
Denver(config)#ip route 1.1.1.0 255.255.255.0 192.168.40.1
Create static route to 192.168.1.0/24 network from Toronto

================================================================
Toronto(config)#ip route 192.168.1.0 255.255.255.0 192.168.30.2
Toronto(config)#ip route 192.168.1.0 255.255.255.0 192.168.40.2
Apply ip routing command on venus and Denver

=================================================
venus(config)#ip routing
Denver(config)#ip routing
Assign IP address to host with default Gateway 192.168.1.1 and

192.168.1.2 and apply ping command to 1.1.1.0 Network
======================================================================
C:\>ping 1.1.1.1
Configure HSRP
================
venus#conf t
venus(config-if)#standby 10 ip 192.168.1.3
venus(config-if)#standby 10 priority 110
venus(config-if)#standby 10 preempt
------------------------------------------------------------
Denver>en
131
Denver#conf t
Denver(config-if)#standby 10 ip 192.168.1.3
Denver(config-if)#standby 10 priority 100
Denver(config-if)#standby 10 preempt
Denver(config-if)#end
Verify
============
venus#show standby
FastEthernet0/10 - Group 10
State is Active
12 state changes, last state change 01:01:47
Virtual IP address is 192.168.1.3
Active virtual MAC address is 0000.0C07.AC0A
Local virtual MAC address is 0000.0C07.AC0A (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.461 secs
Preemption enabled
Active router is local
Standby router is 192.168.1.2
Priority 110 (configured 110)
Group name is hsrp-Fa0/10-10 (default)
venus#
-------------------------------------------------------------------
Denver#show standby
132
State is Standby
Preemption enabled
Active router is 192.168.1.1
Standby router is local
Priority 100 (default 100)
Denver#
Now change the default gateway of both PC to 192.168.1.3 and ping to

1.1.1.1
======================================================================
Successful...
now shutdown one of the interface F0/10 or F0/11 that has the highest
priority (110)
======================================================================
and verify by standby command...
also see that ping to 1.1.1.1 is even successful
------------------------------------------------------
Denver#show standby
State is Active
133
Preemption enabled
Active router is local
Standby router is unknown
Priority 100 (default 100)
Denver#
Now the Denver switch is Active
-----------------------------------------------------------------
C:\>ping 1.1.1.1
IP Access Control List (ACL)
Access-lists work on the network (layer 3) and the transport (layer 4) layer and can be used
for two different things:
 Filtering traffic
 Identifying traffic
Filtering is used to permit or deny traffic.
134
Identify means - selecting traffic. It can be used when we configure VPN. The traffic is
identified and then it passes through VPN Tunnels.
IP ACLs are the most popular as IP is the most common type of traffic. There are two types of
IP ACLs:
 Standard IP ACLs: 1 to 99 and 1300 to 1999

 Extended IP ACLs: 100 to 199 and 2000 to 2699
Standard IP ACLs can only control traffic based on the SOURCE IP address where Extended IP
ACLs identify traffic based on source IP, source port, destination IP, and destination port.
We can use ACLs to filter traffic according per protocol, per interface, and per direction. We
can only have one ACL per protocol (e.g., IP or IPX), one ACL per interface (e.g.,
FastEthernet0/0), and one ACL per direction (i.e., IN or OUT).
LAB 34 : Standard IP access-lists
Standard IP access-lists are based upon the source host or network IP address, and should be
placed closest to the destination network.
135
Router R1 (IP Address and EIGRP Configuration)
R1#conf t
R1(config-if)#exit
R1(config-if)#exit
Router R2 (IP Address and EIGRP Configuration)
R2#conf t
R2(config-if)#exit
R2(config-if)#exit
R2(config-if)#exit
R2(config)#
OK, Now we will create ACL rules so that.........
136
only PC 1, PC 2, PC3 can ping loopback IP
R1(config)#access-list 50 permit host 192.168.20.2

R1(config)#access-list 50 deny any
Apply it to R2 Router (closest to the destination)

R2(config-if)#ip access-group 50 in
Verification
R2#show ip interface fastEthernet 0/0

Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 50
Now ping from PC4
PC4> ping 11.11.11.11
*192.168.20.1 icmp_seq=1 ttl=255 time=15.600 ms (ICMP type:3, code:13,

Communication administratively prohibited)
And from PC1 / PC2 / PC3

PC1> ping 11.11.11.11
137
84 bytes from 11.11.11.11 icmp_seq=1 ttl=254 time=46.800 ms
PC2> ping 12.12.12.12

PC3> ping 12.12.12.12

R2#show access-lists
Standard IP access list 50

10 permit 192.168.10.0, wildcard bits 0.0.0.255 (27 matches)
LAB 35 : EXTENDED IP ACCESS-LIST

Extended IP access-lists block based upon the source IP address, destination IP address, and TCP
or UDP port number. Extended access-lists should be placed closest to the source network.
138
Objective:
We will configure Extended ACL so that
PC0 can only posseses Telnet service

PC2 can only posseses HTTP Service and
PC1 can only posseses Mail service
IP Configuration
Router(config)#hostname LOCAL
LOCAL(config)#interface fastEthernet 0/1
LOCAL(config-if)#ip address 192.168.10.1 255.255.255.0
LOCAL(config-if)#no shutdown
LOCAL(config-if)#exit
LOCAL(config)#interface fastEthernet 0/0
LOCAL(config-if)#ip address 103.13.148.1 255.255.255.240
LOCAL(config-if)#no shutdown
LOCAL(config-if)#exit
Static Default Route

LOCAL(config)#ip route 0.0.0.0 0.0.0.0 103.13.148.2
Telnet Access
LOCAL(config)#line vty 0 5
LOCAL(config-line)#password cisco
LOCAL(config-line)#login
LOCAL(config-line)#exit
LOCAL(config)#enable secret cisco
IP Configuration
ISP(config-if)#exit
ISP(config-if)#exit
139
Static Route
Extended ACL Configuration
ISP(config)#access-list 101 permit tcp host 100.100.100.2 any eq telnet
ISP(config)#access-list 101 permit tcp host 100.100.100.4 any eq www
ISP(config)#access-list 101 permit tcp host 100.100.100.3 any eq smtp
Apply it to its Inside Interface

ISP(config-if)#ip access-group 101 in
ISP#show ip interface fastEthernet 0/1
FastEthernet0/1 is up, line protocol is up (connected)

Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 101
ISP#show access-lists 101

Extended IP access list 101
permit tcp host 100.100.100.2 any eq telnet (37 match(es))
permit tcp host 100.100.100.4 any eq www (11 match(es))
permit tcp host 100.100.100.3 any eq smtp (2 match(es))
From PC0 login to Router LOCAL using telnet is possible
140
But from others PC it is not possible
From PC2 we can browse ....................
But PC0 or PC1 cannot browse to HTTP Server
From PC1 we can see that SMTP service is open but others PC not...
141
LAB 36: Named IP Access List
This allows standard and extended ACLs to be given names instead of numbers
Objective:
We will configure Named ACL to ensure that only PC0 can be logged in throughTelnet to
router BUET but PC1 can not..........
Basic Configuration of Router and Switch:

Router>en
Router#conf t
142
DU(config-if)#exit
DU(config)#router eigrp 10
DU(config-router)#exit
DU(config-if)#exit
BUET(config-router)#exit
BUET(config)#no ip domain-lookup
BUET(config)#exit
DEFINE NAMED ACL
DU(config)#ip access-list extended venus

DU(config-ext-nacl)#permit tcp host 172.16.10.2 any eq telnet
DU(config-ext-nacl)#deny tcp host 172.16.10.3 any eq telnet
DU(config-ext-nacl)#permit ip any any
DU(config-ext-nacl)#exit
Apply ACL to Router's Interface
143
DU(config-if)#ip access-group venus out
DU(config-if)#end
From PC0
C:\>ping 192.168.10.2

C:\>telnet 192.168.10.2 (Success)
Trying 192.168.10.2 ...Open
Password:
From PC1
C:\>ping 192.168.10.2

C:\>telnet 192.168.10.2 (Not Success)

Trying 192.168.10.2 ...
% Connection timed out; remote host not responding
C:\>
DU#show ip access-lists
Extended IP access list venus

10 permit tcp host 172.16.10.2 any eq telnet (4 match(es))
20 deny tcp host 172.16.10.3 any eq telnet (12 match(es))
30 permit ip any any (4 match(es))
144
LAB 37 : STATIC NAT
We use Static NAT for one-to-one mapping between an inside address and an outside address.
Static NAT allows connections from an outside host to an inside host. Generally, static NAT is
used for servers inside our network.
Suppose, we have a web or a mail server with the inside IP address 192.168.10.2 and we want
it to be accessible from Internet i.e. when a remote host makes a request to 103.13.148.10.
In this case we must do a static NAT mapping between Inside (192.168.10.2) and Outside IPs
(103.13.148.10).
IP Configuration to router Interface and Hosts

Router>en
Router#conf t
Gateway(config)#hostname Gateway
Gateway(config)#interface fastEthernet 0/0
Gateway(config-if)#ip address 103.13.148.1 255.255.255.0
Gateway(config-if)#no shutdown
Gateway(config-if)#exit
Gateway(config-if)#ip address 192.168.10.1 255.255.255.0
Gateway(config-if)#no shutdown
Router>en
Router#conf t
145
ISP(config-if)#exit
ISP(config-if)#exit
Configure default-route to Internet on Gateway Router
Gateway(config)#ip route 0.0.0.0 0.0.0.0 103.13.148.2

Gateway(config)#exit
Configure static route to LAN on ISP
146
Specify default gateway on switch
Static NAT Configuration
Gateway#conf t
Gateway(config)#ip nat inside source static 192.168.10.2 103.13.148.10
Gateway(config-if)#ip nat inside
Gateway(config-if)#ip nat outside
Gateway(config-if)#end
Gateway#
Verification
Gateway# show ip route
ISP# show ip route
Ping from PC0 to Server PC
147
On Server PC ---- Activate the http service ;
From Internet PC (PC0 under ISP Router) browse using 103.13.148.10 IP (through Public
IP that is assigned for static mapping)
LAB 38 : Dynamic NAT (Like many to many)
(We will do Dynamic NAT Configuration following Static NAT , So all the configuration of
previous LAB will remain same)
When we have a pool of public IP addresses, Dynamic NAT is used.
148
Never use dynamic NAT for servers or other devices that need to be accessible from the
Internet.
Suppose our internal network is 192.168.10.0/24. We also have the pool of public IP
addresses from 103.13.148.20-103.13.148.30 and Net Mask is 255.255.255.0. The procedure
will be as follows:
Create an ACL for LAN traffic

-------------------------------------
Gateway(config)#access-list 1 permit 192.168.10.0 0.0.0.255
Create a nat pool which Public IP addresses are used for translations
-----------------------------------------------------------------------------------------
Gateway(config)#ip nat pool venus 103.13.148.20 103.13.148.30 netmask
255.255.255.0
Apply the NAT with ACL and nat pool

---------------------------------------------------
Gateway(config)#ip nat inside source list 1 pool venus
Apply it to interface
----------------------------
Gateway(config-if)#ip nat inside
Gateway(config-if)#ip nat outside
Verification
PING PC0 from PC1 / PC2.................
Gateway#show ip nat translations
Dynamic NAT
icmp 103.13.148.20:3 192.168.10.11:3 10.10.10.2:3 10.10.10.2:3

icmp 103.13.148.20:4 192.168.10.11:4 10.10.10.2:4 10.10.10.2:4
icmp 103.13.148.21:5 192.168.10.10:5 10.10.10.2:5 10.10.10.2:5
icmp 103.13.148.21:6 192.168.10.10:6 10.10.10.2:6 10.10.10.2:6
icmp 103.13.148.21:7 192.168.10.10:7 10.10.10.2:7 10.10.10.2:7
149
Static NAT
--- 103.13.148.10 192.168.10.2 --- ---
tcp 103.13.148.10:80 192.168.10.2:80 10.10.10.2:1025 10.10.10.2:1025

tcp 103.13.148.10:80 192.168.10.2:80 10.10.10.2:1026 10.10.10.2:1026
tcp 103.13.148.10:80 192.168.10.2:80 10.10.10.2:1027 10.10.10.2:1027
tcp 103.13.148.10:80 192.168.10.2:80 10.10.10.2:1028 10.10.10.2:1028
tcp 103.13.148.10:80 192.168.10.2:80 10.10.10.2:1029 10.10.10.2:1029
tcp 103.13.148.10:80 192.168.10.2:80 10.10.10.2:1030 10.10.10.2:1030
tcp 103.13.148.10:80 192.168.10.2:80 10.10.10.2:1031 10.10.10.2:1031
An inside host makes a request to an outside host and the router dynamically assigns an
available IP address from the pool for the translation of the private IP address. If there’s no
public IP address available, the router rejects new connections until you clear the NAT
mappings. However, you have as many public IP addresses as hosts in your network, you won’t
be faced this problem.
NAT Overload
NAT Overload, also called PAT, probably the most used type of NAT. We can configure NAT
overload in two ways, depending on how many public IP address we have..
LAB 39 : Static PAT
Suppose, we have only one public IP address allocated by our ISP. Here we have to map all our
inside hosts to the available IP address. The configuration is almost the same as for dynamic
NAT, but in this case we specify the outside interface instead of a NAT pool.
150
Router(config)#hostname GW
GW(config)#int
GW(config)#interface fastEthernet 0/0
GW(config-if)#ip address 103.13.148.1 255.255.255.240
GW(config-if)#no shutdown
GW(config-if)#exit
GW(config-if)#ip address 192.168.10.1 255.255.255.0
GW(config-if)#no shutdown
GW(config-if)#exit
ISP(config-if)#exit
ISP(config-if)#exit
Static default route to Internet on GW Router
GW(config)#ip route 0.0.0.0 0.0.0.0 103.13.148.2
Static route to LAN on ISP Router
Assign IP address to Hosts and verify connectivity
151
C:\>ping 192.168.10.10

C:\>ping 192.168.10.20

Configure NAT overload
GW(config)#access-list 1 permit 192.168.10.0 0.0.0.255

GW(config)#ip nat inside source list 1 interface fastEthernet 0/0 overload
GW(config-if)#ip nat outside
GW(config-if)#exit
152
GW(config-if)#ip nat inside
GW(config-if)#exit
Verification
Apply ping from PC0 to OUTSIDE SERVER
C:\>ping 100.100.100.30

Browse the OUTSIDE SERVER
The router automatically determines what public IP address to use for the mappings by
checking what IP is assigned to the Serial 0/0/0 interface. All the inside addresses are
translated to the only public IP address available on our router. Routers are able to recognize
the traffic flows by using port numbers, specified by the overload keyword.
153
LAB 40 : DYNAMIC PAT
The second way: If ISP gave you more than one public IP addresses, but not enough for a
dynamic or static mapping.
The configuration is same as dynamic NAT, but this time we will add overload for the router
to know to use traffic flow identification using port numbers, instead of mapping a private to
a public IP address dynamically.
Configure NAT overload
GW(config)# ip nat pool venus 103.13.148.5 103.13.148.10 netmask

255.255.255.240
GW(config)#access-list 1 permit 192.168.10.0 0.0.0.255
GW(config)#ip nat inside source list 1 pool venus overload
GW(config-if)#ip nat outside
GW(config-if)#exit
GW(config-if)#ip nat inside
Verification
C:\>ping 100.100.100.30

154
Router#show ip nat translations
Pro Inside global Inside local Outside local Outside global

icmp 103.13.148.5:10 192.168.10.20:10 100.100.100.30:10 100.100.100.30:10
icmp 103.13.148.5:11 192.168.10.20:11 100.100.100.30:11 100.100.100.30:11
icmp 103.13.148.5:12 192.168.10.20:12 100.100.100.30:12 100.100.100.30:12
icmp 103.13.148.5:9 192.168.10.20:9 100.100.100.30:9 100.100.100.30:9
tcp 103.13.148.5:1027 192.168.10.10:1027 100.100.100.30:80 100.100.100.30:80
tcp 103.13.148.5:1028 192.168.10.10:1028 100.100.100.30:80 100.100.100.30:80
We can clear the NAT translation table with the following commands:
Router#clear ip nat translation *

Router#show ip nat translations
LAB 41 : Configure GRE Tunnel
Generic Routing Encapsulation (GRE) is developed by Cisco is a simple IP packet

encapsulation protocol. GRE encapsulates the original IP packet with a new IP header also
appending an additional GRE header. A GRE tunnel creates a point-to-point link between two
routers that are otherwise not directly connected to each other.
When packets require to be sent from one network to another over the Internet or an
insecure network, We can use GRE Tunnel. A virtual tunnel is created between the two Cisco
routers and packets are sent through the tunnel.
155
GRE tunnels allow multicast packets but IPSec VPN does not support multicast packets. In
large networks where routing protocols such as OSPF, EIGRP are necessary, GRE tunnels
are the best to utilize.
Configuring GRE Tunnel:
Configuring a GRE tunnel involves creating a tunnel interface, which is a logical interface.
Then you must configure the tunnel endpoints for the tunnel interface.
Configuring Router Interface :

R1(config-if)#exit
R1(config-if)#exit
R1(config)#

156
R2(config-if)#exit
R2(config-if)#exit
Creating a Cisco GRE Tunnel
GRE tunnel uses a tunnel interface – a logical interface configured on the router with an IP
address where packets are encapsulated and de encapsulated as they enter or exit the GRE
tunnel.
First step is to create our tunnel interface on R1:
R1(config)# interface Tunnel0

R1(config-if)# ip address 172.16.10.1 255.255.255.0
R1(config-if)# ip mtu 1400
R1(config-if)# ip tcp adjust-mss 1360
R1(config-if)# tunnel source 192.168.20.1
R1(config-if)# tunnel destination 192.168.20.2
R2(config)# interface Tunnel0

R2(config-if)# ip address 172.16.10.2 255.255.255.0
R2(config-if)# ip mtu 1400
R2(config-if)# ip tcp adjust-mss 1360
R2(config-if)# tunnel source 192.168.20.2
R2(config-if)# tunnel destination 192.168.20.1
All Tunnel interfaces must be configured with an IP address. Each Tunnel interface is
configured with an IP address within the same subnet(172.16.10.0/24).
Since GRE is an encapsulating protocol, we adjust the maximum transfer unit (mtu) to 1400
bytes and maximum segment size (mss) to 1360 bytes. Because most transport MTUs are 1500
bytes and we have an added overhead because of GRE, we must reduce the MTU to account
for the extra overhead. A setting of 1400 is a common practice and will ensure unnecessary
packet fragmentation is kept to a minimum.
Now we will configure static route to make the reachability of two hosts:
157
Here next hope will be the tunnel Interface IP
R1(config)# ip route 192.168.30.0 255.255.255.0 172.16.10.2
R2(config)# ip route 192.168.10.0 255.255.255.0 172.16.10.1
n.b. We can also write tunnel source as an interface like
# tunnel source fastEthernet 0/0
R1#show interfaces tunnel 0

Tunnel0 is up, line protocol is up
Hardware is Tunnel
MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 192.168.20.1, destination 192.168.20.2
Tunnel protocol/transport GRE/IP
PC1#ping 192.168.30.2

!!!!!
LAB 42: AAA Configuration
AAA(Authentication, Authorization & Accounting ) provides the basic security framework

setting up access control on a network device.
Authentication = who is permitted to access a network
Provides the method of identifying users, including login and password dialog, challenge and
response, messaging support, and, depending on the security protocol you select, encryption.
Authorization = Control what they can do while they are there
Provides the method for remote access control, including one-time authorization or
authorization for each service, per-user account list and profile, user group support, and
support of IP, IPX, ARA, and Telnet.
158
Accounting =audit what actions they performed while accessing the network
Provides the method for collecting and sending security server information used for billing,
auditing, and reporting, such as user identities, start and stop times, executed commands
(such as PPP), number of packets, and number of bytes.
AAA uses two common methods :
1) Local AAA authentication:
This method stores usernames and passwords locally in the Cisco router, and users
authenticate against the local database.
2) Server-based AAA authentication:
A central AAA server contains the usernames and passwords for all users.
AAA can be used with both RADIUS & TACACS+ servers to provide secure services. But there
are some difference between the two protocols.
AAA Lab (Server-based AAA authentication)
159
Objective :
Any one telnet the router must be authenticated through AAA server and in case AAA server
is down , routers will use the local user accounts database.
RADIUS SERVER CONFIGURATION
Configuration:
Router#conf terminal
Router(config)#hostname Radius
Radius(config)#interface fastEthernet 0/0
Radius(config-if)#ip address 192.168.10.1 255.255.255.0
Radius(config-if)#no shutdown
Radius(config-if)#exit
Telnet Access from local database
Radius(config)#enable secret cisco123

Radius(config)#line vty 0 4
Radius(config-line)#login authentication default
Radius(config-line)#login
Radius(config-line)#exit
Radius(config)#username ashish password ashish123
Radius(config)#exit
AAA Server Configuration
To enable AAA, you need to configure the aaa new-model command in global configuration.
Until this command is enabled, all other AAA commands are hidden.
Radius(config)#aaa new-model
Set authentication for login using two methods: the Radius server (the first method). If the
Radius server doesn’t respond, then the router’s local database is used (the second method).
Radius(config)#aaa authentication login default group radius local
Tell the router what is the IP address for Radius server and key (password) to connect to:
Radius(config)#radius-server host 192.168.10.3 auth-port 1645 key cisco
160
Here,
Client name = any
Client IP = Rouer IP
Key = That is defined in previous command line
From the PC
C:\>telnet 192.168.10.1
Trying 192.168.10.1 ...Open
Username: admin
Password:
Radius>en
Password:
Radius#
Here username: admin and password: admin123 that was created in Radius Server
161
Now disconnect the ACS server or just remove the cable and try to Telnet the router using
ashish (local database) and it will work .
Be remember, If method 1 fail , you will not go to method 2, but if method 1 is not available
then you can go to method 2 and use it.
C:\>telnet 192.168.10.1
Trying 192.168.10.1 ...Open
Username: ashish
Password:
Radius>
Radius#show AAA user all
Unique id 4 is currently in use.

Accounting:
log=0x18001
Events recorded :
CALL START
INTERIM START
INTERIM STOP
update method(s) :
NONE
update interval = 0
Outstanding Stop Records : 0
Radius#show aaa sessions
Total sessions since last reload: 3

Session Id:4
Unique Id:4
User Name:admin
IP Address:0.0.0.0
Idle Time: 0
CT Call Handle: 0
Radius#
OR , TACACS+ Configuration
Router#conf t
Router(config)#hostname Tacacs
Tacacs(config)#interface fastEthernet 0/0
Tacacs(config-if)#ip address 192.168.10.2 255.255.255.0
Tacacs(config-if)#no shutdown
162
Tacacs(config-if)#exit
Tacacs(config)#aaa new-model
Tacacs(config)#aaa authentication login default group tacacs+ local
Tacacs(config)#tacacs-server host 192.168.10.4 key 8888
Tacacs(config)#enable secret cisco123

Tacacs(config)#line vty 0 4
Tacacs(config-line)#login authentication default
Tacacs(config-line)#login
AAA is enabled. Command not supported. Use an aaa authentication methodlist
Tacacs(config-line)#exit
Tacacs(config)#username ashish password ashish123
C:\>telnet 192.168.10.2
Trying 192.168.10.2 ...Open
Username: admin
Password:
Tacacs>en
Password:
Tacacs#
163
LAB 43: Syslog Server
Cisco devices use the syslog protocol to manage system logs and alerts. Syslog Server collects
all the logs in a central location and then we can use these logs for the troubleshooting
devices.
There are 8 levels of logs that is generated. these are called severity level. Lower severity
level is more critical.
Message Logging Level Keywords
Level Keyword Level Description Syslog Definition
emergencies 0 System unstable LOG_EMERG
alerts 1 Immediate action needed LOG_ALERT
critical 2 Critical conditions LOG_CRIT
errors 3 Error conditions LOG_ERR
warnings 4 Warning conditions LOG_WARNING
notifications 5 Normal but significant condition LOG_NOTICE
informational 6 Informational messages only LOG_INFO
debugging 7 Debugging messages LOG_DEBUG
164
The software generates four other categories of messages:
 Error messages about software or hardware malfunctions, displayed at levels warnings

through emergencies: these types of messages mean that the functionality of the
access point is affected.
 Output from the debug commands, displayed at the debugging level: debug
commands are typically used only by the Technical Assistance Center (TAC).
 Interface up or down transitions and system restart messages, displayed at the
notifications level: this message is only for information; access point functionality is
not affected.
 Reload requests and low-process stack messages, displayed at the informational level:
this message is only for information; access point functionality is not affected.
Part of syslog messages
 Timestamp
 Log Message Name and Severity Level
 Message Text
LAB :
165
Router>
Router>enable
Router#conf t
Go to the service and be sure syslog service is on
Syslog configuration on DU Router
We will use the logging host <syslog server IP address> command to specify the Syslog
server address on Cisco router.
DU(config)#logging host 192.168.10.2
166
Then apply the logging trap <severity level> command to specify the log types and category
(called severity level). For example, use the debug log (severity level 7). We may use any
other severity level that we wish to test.
DU(config)#logging trap debugging
Then we will use the debug ip <protocol> command to enable debugging for a protocol. In
this case, we will use ICMP protocol.
DU#debug ip icmp
Apply ping 192.168.1.100 command to generate some ICMP packets to test your configuration.
C:\>ping 192.168.10.1

C:\>
Next, move on to Syslog Server console, and examine the output. In the following figure, you
can see the sample output of the Syslog server.
We can see the logs collected by Syslog Server for Cisco router.
167
LAB 44: SNMPv3
Simple Network Management Protocol (SNMP) is an application-layer protocol.
The Simple Network Management Protocol (SNMP) is used for network monitoring and
management. The network device send some informations to the NMS server to trace
graphics who permit to analysing the CPU, memory, I/O…
It is made up of 3 parts, the SNMP manager, SNMP agent and Management Information Base
(MIB).
 The SNMP manager is the software that is running on a pc or server that will monitor
the network devices
 The SNMP agent runs on the network device.
 The database that I just described is called the MIB (Manament Information Base) and
an object could be the interface status on the router (up or down) or perhaps the CPU
load at a certain moment. An object in the MIB is called an OID (Object Identifier).
Configure SNMP
Enable SNMP on Router
Router#conf t
168
Router(config)#snmp-server community V1 ro
%SNMP-5-WARMSTART: SNMP agent on host Router is undergoing a warm start
Router(config)#snmp-server community V1rw rw
Router(config)#exit
Router#
Here,
Read Community: V1. It has taken from read only (ro) community name.
Write Community: V1rw, it is the name of read and write (rw) community.
Testing SNMP from a PC
Click on PC0 and click Desktop tab, then open MIB Browser
Now go to Advanced tab and enter the following Information:
Address: 192.168.10.1
Read Community: V1
Write Community: V1rw
SNMP Version, select V3 and click OK.
169
Now on the MIB browser page expend MIB tree to system and select each value then hit the
GO button to display the exact information on Router0.
LAB 45: Password Recovery
Method 1
1. Shut the router down.

2. Remove the compact flash from the back of the router.
3. Turn the router back on.
4. When you see the Rommon1> prompt, enter the command of confreg 0x2142
5. Insert the compact flash.
6. Type reset.
7. When prompted to enter the initial configuration, type no and press enter.
8. At the router> prompt, type enable
9. At the Router# prompt, enter the configure memory command, and press Enter in
order to copy the startup configuration to the running configuration.
10. Use the config t command in order to enter global configuration mode.
170
11. Use this command in order to create a new user name and password:
router(config) #username cisco123 privilege 15 password cisco123
12. Use this command in order to change the boot statement:
config-register 0x2102
13. Use this command in order to save the configuration:
write memory
14. Reload the router, and then use your new user name and password to log in to the
router.
Method 2
1. Connect a terminal or PC with terminal emulation to the console port of the router
and ensure you have the correct terminal settings. They include no flow control, 1
stop bit, 8 data bits, no parity and 9600 baud rate.
2. If you are able to access the router, enter in show version at the prompt screen, and
document the configuration register setting.
3. Next, turn off the router and wait about 5 seconds and turn it back on.
4. Press break on the terminal keyboard within 1 minute of power up in order to the
router into ROMmon.
5. Enter in confreg 0x2142 at the rommon 1> prompot in order to boot the from Flash.
6. Type reset at the rommon 2> prompt.
7. Type no after each setup question or press Ctrl+C to bypass all questions.
8. Type enable at the Router> prompt
9. Type configure memory or copy startup-config running-config in order to copy
NVRAM into memory.
10. Type show running-config
11. Type configure terminal
12. Type enable secret <enter in a password that you will remember> in order to change
the enable secret password.
13. Issue the no shutdown command on every single interface that you use.
14. Type config-register . This typically is 0x2102.
15. Press Ctrl-z or end to leave config mode.
16. Type write memory or copy running-config startup-config to commit the
modifications
171
LAB 46 : PROJECT 1
1. VLAN Information
Switch VLAN ID VLAN Name IP Ports

DENVER 10 Cisco 172.16.10.0/24 F0/1-9
20 Solaris 172.16.20.0/24 F0/10 - 15
99 MGT 10.10.10.10/24 F0/24
TORONTO 30 Admin 172.16.30.0/24 F0/1 - 9
40 Accounts 172.16.40.0/24 F0/10 - 15
88 Management 11.11.11.11/24 F0/24
2. Router Information
Router Name Interface IP Address Description

LAN F0/0 (.1) 192.168.10.0/24 To GWY Router
F0/1.10 (Sub interface) 172.16.10.1/24 To VLAN 10
F0/1.99 (Sub interface) 10.10.10.10/24 To VLAN 99 (MGT)
GWY F0/0 (.2) 192.168.20.0/24 To LAN Router
172
F0/1.88 (Sub interface) 11.11.11.11/24 To VLAN 88(Management)
F1/0 (.1) 192.168.30.0/24 To ISP Router
ISP F0/0 (.2) 192.168.30.0/24 To GWY Router
F0/1 (.1) 172.16.50.0/24 To LAN Switch
2. DENVER
a. hostname, enable password, telnet access & VLAN configuration
b. Management VLAN Configuration
3. Router : LAN
a. Interface, hostname, enable password, telnet access configuration
b. Inter-Vlan Routing Configuration
4. TORONTO
a. Hostname, enable password, telnet access configuration , VLAN & Access Port configuration
b. Management VLAN Configuration
5. Router : GWY
b. Inter-Vlan Routing Configuration
6. EIGRP Configuration on LAN and GWY Router only
7. Router ISP
b. static route to LAN router
8. GWY
Static default route to ISP
9. Redistribute static route into EIGRP
10. ACL Configuration
Condition : for the Internet hosts the following service is disabled to Inside but http service is
enabled
a. Telnet, FTP, SMTP, SSH, ping
11. Static NAT Configuration
condition : only Inside HTTP Server's private IP is translated to public IP : 103.13.148.20
173
12. Configure Inside Server as a HTTP Server
13. Verification
Configuration
DENVER
Hostname, enable password, telnet access configuration , VLAN & Access Port configuration
================================================================================
Switch(config)#hostname DENVER
DENVER(config)#enable secret cisco
DENVER(config)#username admin password admin123
DENVER(config)#line vty 0 4
DENVER(config-line)#login local
DENVER(config-line)#exit
DENVER(config)#
DENVER(config)#vlan 10
DENVER(config-vlan)#name cisco
DENVER(config-vlan)#exit
DENVER(config-vlan)#name solaris
DENVER(config)#interface range fastEthernet 0/1 - 9
DENVER(config-if-range)#switchport mode access
DENVER(config-if-range)#switchport access vlan 10
DENVER(config-if-range)#exit
DENVER(config)#interface range fastEthernet 0/10 - 15
DENVER(config-if-range)#switchport mode access
DENVER(config-if-range)#switchport access vlan 20
DENVER(config-if-range)#exit
Management VLAN Configuration

=============================
DENVER(config-vlan)#name MGT
DENVER(config-if)#switchport access vlan 99
DENVER(config)#interface vlan 99
DENVER(config-if)#ip address 10.10.10.10 255.255.255.0

174
Router : LAN
=============
Interface, hostname, enable password, telnet access configuration

=========================================================
Router(config)#hostname LAN
LAN(config)#interface fastEthernet 0/1
LAN(config-if)#no shutdown
LAN(config-if)#exit
LAN(config)#interface fastEthernet 0/0
LAN(config-if)#ip address 192.168.10.1 255.255.255.0
LAN(config-if)#no shutdown
LAN(config-if)#exit
LAN(config)#enable password cisco
LAN(config)#username admin password admin123
LAN(config)#line vty 0 4
LAN(config-line)#login local
LAN(config-line)#exit
Inter-Vlan Routing Configuration

==========================
LAN(config)#interface fastEthernet 0/1.10

LAN(config-subif)#encapsulation dot1Q 10
LAN(config-subif)#ip address 172.16.10.1 255.255.255.0
LAN(config-subif)#no shutdown
LAN(config-subif)#exit
LAN(config-subif)#exit
LAN(config)#
DENVER
========

DENVER(config-if)#switchport mode trunk
175
IP Assign to Hosts
==============
Verification
==========
Ping : VLAN 10 host to VLAN 20 host
C:\>ping 172.16.20.2

LAN>en
Password:
LAN#ping 10.10.10.10
176
!!!!!
LAN#telnet 10.10.10.10
Trying 10.10.10.10 ...Open

Username: admin
Password:
LAN>
TORONTO
Hostname, enable password, telnet access configuration , VLAN & Access Port configuration
================================================================================
Switch#conf t
Switch(config)#hostname TORONTO
TORONTO(config)#enable secret cisco
TORONTO(config)#username admin password admin123
TORONTO(config)#line vty 0 4
TORONTO(config-line)#login local
TORONTO(config-line)#exit
TORONTO(config-vlan)#name admin
TORONTO(config-vlan)#exit
TORONTO(config)#vlan 40
TORONTO(config-vlan)#name Accounts
TORONTO(config)#interface range fastEthernet 0/1 - 9
TORONTO(config-if-range)#switchport mode access
TORONTO(config-if-range)#switchport access vlan 30
TORONTO(config-if-range)#exit
TORONTO(config)#interface range fastEthernet 0/10 - 15
TORONTO(config-if-range)#switchport mode access
TORONTO(config-if-range)#switchport access vlan 40
TORONTO(config-if-range)#exit
TORONTO(config)#
Management VLAN Configuration

=============================
TORONTO(config)#vlan 88
TORONTO(config-vlan)#name Management
TORONTO(config)#interface fastEthernet 0/24
177
TORONTO(config-if)#switchport access vlan 88
TORONTO(config-if)#exit
TORONTO(config)#interface vlan 88
TORONTO(config-if)#ip address 11.11.11.11 255.255.255.0
TORONTO(config-if)#no shutdown
TORONTO(config-if)#exit
TORONTO(config)#
Router : GWY
=============
Interface, hostname, enable password, telnet access configuration

=========================================================
Router(config)#hostname GWY
GWY(config)#interface fastEthernet 0/0
GWY(config-if)#ip address 192.168.10.2 255.255.255.0
GWY(config-if)#no shutdown
GWY(config-if)#exit
GWY(config-if)#ip address 192.168.20.1 255.255.255.0
GWY(config-if)#exit
GWY(config)#enable secret cisco
GWY(config)#username admin password admin123
GWY(config)#line vty 0 4
GWY(config-line)#login local
GWY(config-line)#exit
GWY(config)#
Inter-Vlan Routing Configuration

==========================

GWY(config-if)#exit
GWY(config)#interface fastEthernet 0/1.30
GWY(config-subif)#encapsulation dot1Q 30
GWY(config-subif)#ip address 172.16.30.1 255.255.255.0
GWY(config-subif)#no shutdown
GWY(config-subif)#exit
GWY(config-subif)#exit
178
TORONTO
===========
TORONTO(config)#interface fastEthernet 0/24

TORONTO(config-if)#switchport mode trunk
IP Assign to Hosts
==============
Verification
===========
C:\>ping 172.16.40.2

GWY#ping 11.11.11.11

179
!!!!!
GWY#telnet 11.11.11.11
Trying 11.11.11.11 ...Open
Username: admin
Password:
GWY>
EIGRP Configuration on LAN and GWY Router only (except GWY to ISP)
=========================================================
LAN#conf t
LAN(config)#router eigrp 10
LAN(config-router)#network 172.16.10.0
LAN(config-router)#no auto-summary
GWY(config)#router eigrp 10
GWY(config-router)#network 172.16.30.0
GWY(config-router)#
%DUAL-5-NBRCHANGE: IP-EIGRP 10: Neighbor 192.168.10.1 (FastEthernet0/0) is up: new
adjacency
GWY(config-router)#no auto-summary
Verification EIGRP
180
Ping: Server PC to host on the Toronto
C:\>ping 172.16.30.2

C:\>ping 172.16.40.2

Telnet to DENVER switch from GWY

=============================
GWY#telnet 10.10.10.10
Trying 10.10.10.10 ...Open

Username: admin
Password:
LAN>
7. Router ISP

============================================================
181
ISP(config-if)#exit
ISP(config)#do ping 192.168.20.1
.!!!!
ISP(config)#enable secret cisco

ISP(config)#username admin password admin123
ISP(config)#line vty 0 4
ISP(config-line)#login local
ISP(config-line)#exit
ISP(config-if)#exit
b. static route to LAN router

========================

8. GWY
Static default route to ISP
GWY(config)#ip route 0.0.0.0 0.0.0.0 192.168.20.2
9. Redistribute static route into EIGRP on router GWY
GWY(config-router)#redistribute static
GWY(config-router)#redistribute connected
Verification
ISP#ping 172.16.20.2

!!!!!
182
ISP#ping 10.10.10.10

!!!!!
ISP#telnet 10.10.10.10
Trying 10.10.10.10 ...Open
Username: admin
Password:
LAN>
Assign IP address to outside PC
Verification
C:\>ping 192.168.30.1

C:\>ping 172.16.10.2
183

C:\>
10. ACL Configuration
Condition : for the Internet hosts the following service is disabled to Inside but http service is enabled
a. Telnet, FTP, SMTP, SSH, ping
GWY(config)#access-list 101 deny tcp host 192.168.30.2 any eq telnet

GWY(config)#access-list 101 deny tcp host 192.168.30.2 any eq ftp
GWY(config)#access-list 101 deny tcp host 192.168.30.2 any eq smtp
GWY(config)#access-list 101 deny tcp host 192.168.30.2 any eq pop3
GWY(config)#access-list 101 deny tcp host 192.168.30.2 any eq 22
GWY(config)#access-list 101 deny icmp host 192.168.30.2 any echo
GWY(config)#access-list 101 deny icmp any host 192.168.30.2 echo-reply
GWY(config)#access-list 101 permit ip any any
GWY(config-if)#ip access-group 101 in
184
11. Static NAT Configuration
condition : only Inside HTTP Server's private IP is translated to public IP : 103.13.148.20

GWY(config-if)#ip nat outside
GWY(config-if)#exit
GWY(config-if)#ip nat inside
GWY(config-if)#exit
GWY(config)#ip nat inside source static 172.16.10.2 103.13.148.20
GWY(config)#
185
IPV6 Address
IPv6 uses 128-bit addresses, which means that for each person on the Earth there are
48,000,000,000,000,000,000,000,000,000 addresses !
Advantages:
 Enhanced security
 Header improvements
 No need for NAT
 Stateless address autoconfiguration
IPv6 uses eight groups of four hexadecimal digits separated by colons. For example, this is a
valid IPv6 address:
1234:4523:EDBA:0A01:0056:5054:5ABC:ABBD
IPv6 address shortening
1. a leading zero can be omitted

1240:0023:CCBA:0A01:0065:5054:9ABC:ABB4
will be------------
1240:23:CCBA:A01:65:5054:9ABC:ABB4
2. String of of zero's can be represented as two colons (::)
1240:0000:0000:0000:0456:0000:CCCB:11DC
can be written as
1240::456:0000:CCCB:11DC (But this can be for one time)
Here the 0000 can be written as single zero, not double ::

1240::456:0:CCCB:11DC
Three categories of IPv6 addresses exist:

 Unicast
 Anycast
 Multicast
There are three types of IPv6 unicast addresses
186
global unicast – similar to IPv4 public IP addresses. These addresses are assigned by the IANA
and used on public networks. They have a prefix of 2000::/3, meaning all the addresses that
begin with binary 001.
unique local – similar to IPv4 private addresses. They are used in private networks and aren’t
routable on the Internet. These addresses have a prefix of FD00::/8.
link local – these addresses are used for sending packets over the local subnet. Routers do not
forward packets with this addresses to other subnets. IPv6 requires a link-local address to be
assigned to every network interface on which the IPv6 protocol is enabled. These addresses
have a prefix of FE80::/10.
Loopback Address ::1/128
Unspecified Address ::/0
IPv6 multicast addresses
Multicast addresses in IPv6 are similar to multicast addresses in IPv4. They are used to
communicate with dynamic groupings of hosts, for example all routers on the link (“one-to-
many distribution”).
IPv6 multicast addresses start with FF00::/8
Here is a table of some of the most common link local multicast addresses:
Here is a summary of the most common address prefixes in IPv6:
187
IPv6 transition options
IPv4 and IPv6 networks are not interoperable and the number of devices that use IPv4 number
is still great. Some of these devices do not support IPv6 at all, so the migration process is
necessary since IPv4 and IPv6 will likely coexist for some time.
Many transition mechanisms have been proposes. We will introduce the main ones and
describe them in the next sections:
1. IPv4/IPv6 Dual Stacks

2. NAT64
3. Tunneling
IPv6 supports the following routing protocols:
 RIPng (RIP New Generation)

 OSPFv3
 EIGRP for IPv6
 IS-IS for IPv6
 MP-BGP4 (Multiprotocol BGP-4)
The following table summarizes the major differences between IPv4 and IPv6:
LAB 47: Configure IPv6
Cisco Routers do not have IPv6 routing enabled by default. To configure IPv6 on a Cisco DUs
you need to do two things:
1. Apply "ipv6 unicast-routing" in global configuration command.

2. We can assign IP to Interface on different method. We will describe here the following
methods:
188
 With eui-64 parameter
 Manually Assigned
 Link-local Addressing
eui-64 Parameter
BASIC Configuration
DU#conf t
DU(config)#ipv6 unicast-routing
DU(config-if)#ipv6 address 2001:0BB9:AABB:1234::/64 eui-64
DU(config-if)#end
BUET>en
BUET#conf t
BUET(config)#ipv6 unicast-routing
BUET(config-if)#ipv6 address 2001:0BB9:AABB:1234::/64 eui-64
BUET(config-if)#end
Verification
DU#show ipv6 interface fastEthernet 0/0

IPv6 is enabled, link-local address is FE80::2E0:8FFF:FED5:BD01
No Virtual link-local address(es):
Global unicast address(es):
2001:BB9:AABB:1234:2E0:8FFF:FED5:BD01, subnet is 2001:BB9:AABB:1234::/64
[EUI]
Joined group address(es):
189
DU#show ipv6 route
IPv6 Routing Table - 3 entries

Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route, M - MIPv6
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
D - EIGRP, EX - EIGRP external
C 2001:BB9:AABB:1234::/64 [0/0]
via ::, FastEthernet0/0
L 2001:BB9:AABB:1234:2E0:8FFF:FED5:BD01/128 [0/0]
L FF00::/8 [0/0]
via ::, Null0
DU#
BUET#show ipv6 interface fastEthernet 0/0

IPv6 is enabled, link-local address is FE80::202:4AFF:FEA8:2D01
No Virtual link-local address(es):
Global unicast address(es):
2001:BB9:AABB:1234:202:4AFF:FEA8:2D01, subnet is 2001:BB9:AABB:1234::/64
[EUI]
Joined group address(es):
FF02::1
FF02::2
FF02::1:FFA8:2D01
Ping from BUET to DU
BUET#ping ipv6 2001:BB9:AABB:1234:2E0:8FFF:FED5:BD01

Sending 5, 100-byte ICMP Echos to 2001:BB9:AABB:1234:2E0:8FFF:FED5:BD01,
timeout is 2 seconds:
!!!!!
190
Manually Assigned and Link-local Addressing
Router>en
Router#conf t
Router(config)#hostname APECE
APECE(config)#ipv6 unicast-routing
APECE(config)#interface loopback 1
APECE(config-if)#ipv6 address 2001::2/128
APECE(config-if)#exit
APECE(config)#interface fastEthernet 0/0
APECE(config-if)#ipv6 enable
APECE(config-if)#no shutdown
APECE(config-if)#exit
with "ipv6 enable" command we will get IP address automatically to the router's Interface
Router#conf t
Router(config)#hostname Ashish
Ashish(config)#ipv6 unicast-routing
Ashish(config)#interface loopback 1
Ashish(config-if)#ipv6 address 2001::1/128
Ashish(config-if)#exit
Ashish(config)#interface fastEthernet 0/0
Ashish(config-if)#ipv6 enable
Ashish(config-if)#no shutdown
Ashish(config-if)#end
Ashish#
Ashish#show ipv6 interface brief
191
FastEthernet0/0 [up/up]
FE80::202:17FF:FE09:E901 (IP Address - link local Address, getting by ipv6 enable command)
FastEthernet0/1 [administratively down/down]
Loopback1 [up/up]
FE80::210:11FF:FE65:7A37
2001::1
Vlan1 [administratively down/down]
Ashish#
APECE#ping ipv6 FE80::202:17FF:FE09:E901
Output Interface: fastethernet0/0

Sending 5, 100-byte ICMP Echos to FE80::202:17FF:FE09:E901, timeout is 2
seconds:
!!!!!
LAB 48 : Configure IPv6 Static Route
The configuration and syntax are same as IPv4 Static routing, Just we will find some minor
differences than that of IPv4.
DU Router
Router>en
Router#conf t
192
DU(config-if)#ipv6 address 2001:AD8:23:45::1/64
DU(config-if)#exit
BUET Router
Router>en
Router#conf t
BUET(config-if)#ipv6 address 2001:AD8:23:45::2/64
BUET#conf t
BUET(config-if)#ipv6 address 2001:BD55:1234:DC4::1/64
BUET(config-if)#end
BUET#
Veirfication
BUET#show ipv6 interface brief
FastEthernet0/0 [up/up]
FE80::260:3EFF:FEAE:5901
2001:AD8:23:45::2
FastEthernet0/1 [administratively down/down]
Vlan1 [administratively down/down]
BUET#
Verify Connectivity using ping
193
DU#ping ipv6 2001:AD8:23:45::2

Sending 5, 100-byte ICMP Echos to 2001:AD8:23:45::2, timeout is 2 seconds:
!!!!!
DU#
Assign IPv6 Address to host
Ping to Router BUET from host
C:\>ping 2001:BD55:1234:DC4::1
Pinging 2001:BD55:1234:DC4::1 with 32 bytes of data:
Reply from 2001:BD55:1234:DC4::1: bytes=32 time=1ms TTL=255

Reply from 2001:BD55:1234:DC4::1: bytes=32 time<1ms TTL=255
Now ping to Router DU
C:\>ping 2001:AD8:23:45::1
Pinging 2001:AD8:23:45::1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.
Not success...so we need routing. We will configure static route here......
194
DU(config)#ipv6 route 2001:BD55:1234:DC4::/64 2001:AD8:23:45::2
DU(config)#exit
Now ping to Host IP

DU#ping ipv6 2001:BD55:1234:DC4::2

Sending 5, 100-byte ICMP Echos to 2001:BD55:1234:DC4::1, timeout is 2
seconds:
!!!!!
DU#
And ping to DU from host
C:\>ping 2001:AD8:23:45::1
Pinging 2001:AD8:23:45::1 with 32 bytes of data:
Reply from 2001:AD8:23:45::1: bytes=32 time=2ms TTL=254
Reply from 2001:AD8:23:45::1: bytes=32 time<1ms TTL=254
LAB 49 :Configure RIPNG on Cisco Router
Basic Configuration
DU Router
Router>en
Router#conf t
195
DU(config-if)#ipv6 address 2001:AD8:23:45::1/64
DU(config-if)#exit
BUET Router
Router>en
Router#conf t
BUET(config-if)#ipv6 address 2001:AD8:23:45::2/64
BUET(config-if)#ipv6 address 2001:BD55:1234:DC4::1/64
BUET(config-if)#end
Configure RIPNGN
DU(config)#ipv6 router rip ashish

DU(config-rtr)#exit
DU(config-if)#ipv6 rip ashish enable
DU(config-if)#exit
BUET(config)#ipv6 router rip ashish

BUET(config-rtr)#exit
BUET(config-if)#ipv6 rip ashish enable
BUET(config-if)#ipv6 rip ashish enable
BUET(config-if)#end
Verification
196
DU#ping ipv6 2001:BD55:1234:DC4::2
Sending 5, 100-byte ICMP Echos to 2001:BD55:1234:DC4::2, timeout is 2

seconds:
!!!!!
DU#show ipv6 route
IPv6 Routing Table - 4 entries

Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route, M - MIPv6
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
D - EIGRP, EX - EIGRP external
C 2001:AD8:23:45::/64 [0/0]
L 2001:AD8:23:45::1/128 [0/0]
R 2001:BD55:1234:DC4::/64 [120/2]
via FE80::260:3EFF:FEAE:5901, FastEthernet0/0
L FF00::/8 [0/0]
via ::, Null0
DU#
*** Don’t forget to enable IPv6 unicast routing otherwise no routing protocol will work for IPv6.
LAB 50 : Dual-Stack Example
Hosts and network devices run both IPv4 and IPv6 at the same time.
Router#conf t
Router(config)#ipv6 unicast-routing
197
Router(config-if)#no shut
Router(config-if)#ipv6 address 2001:12::1/64
DU(config-if)#ipv6 address 2001:12::2/64
DU(config-if)#end
 FastEthernet 0/0 interfaces of two routers are dual stacked.

 It is configured with an IPv4 and an IPv6 address.
 For each protocol, the addresses on two routers are on the same network.
Verification
DU#show ip interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up (connected)

Internet address is 192.168.10.2/24 (IPv4 Address)
------------------------------------
DU#show ipv6 interface fastEthernet 0/0

IPv6 is enabled, link-local address is FE80::2D0:97FF:FE08:1301 (IPv6 Address)
----------------------------------------
DU#ping ipv6 2001:12::1

Sending 5, 100-byte ICMP Echos to 2001:12::1, timeout is 2 seconds:
!!!!!
198
LAB 51 : Configuration of IPSEC VPN
A Virtual Private Network (VPN) provides a secure tunnel across a public network such as
Internet. for organizations to connect users and offices together, without the high costs of
dedicated leased lines.
VPNs are used generally for :
 Client VPNs (Remote Access VPN)- To connect Office to home or “roaming” users
 Site-to-Site VPNs - To connect branch offices to a head office.
Types of VPN protocols
1. Internet Protocol Security or IPSec:
2. Layer 2 Tunneling Protocol (L2TP):
3. Point – to – Point Tunneling Protocol (PPTP):
4. Secure Sockets Layer (SSL) and Transport Layer Security (TLS):
5. OpenVPN:
6. Secure Shell (SSH)
Here we describe only IPSec Site-to-Site VPN
IPSec:
IPSEC (Internet Protocol Security), is a suite of protocols, helps us to protect IP traffic on the
network layer.
4 core IPsec services:
 Confidentiality – It means encrypt the data.

 Integrity – It ensures that data has not been tampered or altered using hashing
algorithm.
 Authentication – It confirms the identity of the host sending data, using
 pre-shared keys or CA (Certificate Authority)
 Anti-replay – prevents duplication of encrypted packets
199
Configuration of IPSEC VPN
5 Phases of IPSec VPN:
1. Define interesting traffic.

2. IKE phase 1
Creates the first tunnel, which protects later ISAKMP negotiation message.
3. IKE phase 2
Creates the tunnel that protects data.
4. Transfer data
5. Tear down tunnel.
Basic Configuration
DU ROUTER
R1#conf t
R1(config-if)#exit
R1(config-if)#exit
200
R1(config-if)#exit
R1(config)#ip route 192.168.20.0 255.255.255.0 103.13.148.2
Configuring IKE Phase 1
1. Enable ISAKMP
R1(config)#crypto isakmp enable
2. Create ISAKMP Policy
R1(config)#crypto isakmp policy 1

R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#hash md5
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#group 2
R1(config-isakmp)#lifetime 3600
R1(config-isakmp)#exit
3. Configure pre-shared keys:
R1(config)#crypto isakmp key cisco123 address 103.13.148.2
Configuring IKE Phase 2
1. Create transform sets: Router(config)#crypto ipsec transform-set <name>

<methods>
R1(config)#crypto ipsec transform-set ashish esp-3des esp-md5-hmac
2. (optional) Configure IPSec lifetime:

R1(config)#crypto ipsec security-association lifetime seconds 3600
3. Create mirrored ACLs defining traffic to be encrypted and the traffic expected to be
received encrypted
4. Set up IPSec crypto-map:
Router(config)#crypto map <name> <seq> ipsec-isakmp

Router(config-crypto-map)#match address <acl>
201
Router(config-crypto-map)#set peer <remote_ip>
Router(config-crypto-map)#set pfs <group1/2/5>
Router(config-crypto-map)#set transform-set <set>
--------------------------------------------------------------
R1(config)#crypto map mymap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#match address 101
R1(config-crypto-map)#set peer 103.13.148.2
R1(config-crypto-map)#set pfs group2
R1(config-crypto-map)#set transform-set ashish
R1(config-crypto-map)#
Apply Cypto Map to Interface

R1(config-if)#crypto map mymap
The Configuration is same for R2 Router
R2(config)#crypto isakmp enable

R2(config)#crypto isakmp policy 1
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#encryption 3des
R2(config-isakmp)#hash md5
R2(config-isakmp)#group 2
R2(config-isakmp)#lifetime 3600
R2(config)#crypto ipsec transform-set ashish esp-3des esp-md5-hmac

R2(cfg-crypto-trans)#exit
R2(config)#crypto ipsec security-association lifetime seconds 3600
R2(config)#access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.10.0
0.0.0.255
R2(config)#crypto map mymap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R2(config-crypto-map)#match address 101
R2(config-crypto-map)#set peer 103.13.148.1
202
R2(config-crypto-map)#set pfs group2
R2(config-crypto-map)#set transform-set ashish
R2(config-crypto-map)#exit

R2(config-if)#crypto map mymap
R2(config-if)#
*Mar 1 00:34:26.911: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R2(config-if)#
Verification and testing
Apply ping from R1 to PC2
R1#ping 192.168.20.2 source 192.168.10.1
Be sure we apply ping from inside IP address while testing the VPN tunnel from the router. We
can also ping from PC1 to PC2.
Now the ping has setup the VPN because of its “interesting” traffic (the first ping is lost in the
VPN creation). We can verify with “show crypto engine connections active”
Verify the IPSec Phase 1 connection
R1#show crypto isakmp sa
203
Verify IPSec Phase 2 connection
R1# show crypto ipsec sa
We can also view active IPSec sessions using show crypto session command
204
ASHISH HALDER
APPLIED PHYSICS, ELECTRONICS AND COMMUNICATION ENGINEERING
UNIVERSITY OF DHAKA
EMAIL -glakh2010@gmail.com
skype: ashish.halder312

Ccna Lab Guide V3 PDF

Transféré par

Informations du document

Description originale:

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Ccna Lab Guide V3 PDF

Transféré par

Droits d'auteur :

Formats disponibles

CCNA Routing & Switching v3 LAB Guide

1. Cisco CLI mode ----------------------------------------------------------------------------- 4

2. Basic Configuration of Router and Switch ------------------------------------------------------- 6

3. Configuring SSH Access to Cisco Device -------------------------------------------------------- 13

4. Backup and restoring your configuration ------------------------------------------------------- 17

5. VLAN, Access and Trunk Port Configuration ----------------------------------------------------- 19

6. VTP Configuration ------------------------------------------------------------------------------ 26

7. Etherchannel Configuration ------------------------------------------------------------------------ 29

8. VLAN, VTP, Etherchannel and Inter-VLAN Routing configuration----------------------------- 32

9. Inter-Vlan Routing Configuration on L3 Switch (SVI) -------------------------------------------- 43

10. Configure Port Security ----------------------------------------------------------------------------- 47

11. Configure portfast ---------------------------------------------------------------------------------- 53

12. Configure BPDU Guard on Cisco Switch ------------------------------------------------------------ 54

13. Configure Root Guard on Cisco Switch ------------------------------------------------------------- 55

15. Static route and Static default route configuration --------------------------------------------- 61

16. Static default route configuration --------------------------------------------- ----------------- 65

17. RIPv2 Basic configuration ----------------------------------------------------------------------------- 73

18. RIP Passive Interface -------------------------------------------------------------------------------- 74

19. Configure RIP Authentication ------------------------------------------------------------- 76

20. EIGRP configuration (EIGRP Neighbor Adjacency) -------------------------------------------- 84

21. EIGRP Passive Interface ---------------------------------------------------------------------- 85

22. EIGRP Authentication -------------------------------------------------------------------------- 89

23. EIGRP Hold time and Hello time ----------------------------------------------------------- 91

24. EIGRP Summarization ------------------------------------------------------------------------- 93

25. EIGRP Project LAB ---------------------------------------------------------------------------------- 96

27. OSPF Virtual LAB ------------------------------------------------------------------------------------- 110

28. OSPF Authentication --------------------------------------------------------------------------------- 112

29. OSPF summarization --------------------------------------------------------------------------------- 114

30. PPP and HDLC ---------------------------------------------------------------------------------------- 115

31. BGP Basic Configuration -----------------------------------------------------------------------------120

32. BGP Single Homed Design ---------------------------------------------------------------------------123

33. HSRP Configuration ----------------------------------------------------------------------------------125

34. Standard ACL -----------------------------------------------------------------------------------------133

35. Extended ACL -----------------------------------------------------------------------------------------136

36. Named ACL --------------------------------------------------------------------------------------------140

37. Staci NAT --------------------------------------------------------------------------------------------- 142

38. Dynamic NAT -----------------------------------------------------------------------------------------146

39. Static PAT ---------------------------------------------------------------------------------------------148

40. Dynamic PAT -----------------------------------------------------------------------------------------152

41. Configure GRE Tunnel ------------------------------------------------------------------------------153

42. AAA configuration ----------------------------------------------------------------------------- 156

43. Syslog Server ---------------------------------------------------------------------------------------162

44. SNMPv3 Configurtion ---------------------------------------------------------------------------------166

45. Password Recovery ---------------------------------------------------------------------------------- 168

46. Final Project --------------------------------------------------------------------------------------170

47. Configure IPv6 -------------------------------------------------------------------------------------- 186

48. Configure IPv6 Static Route ----------------------------------------------------------------------- 190

49. Configure RIPNG on Cisco Router ----------------------------------------------------------------- 193

50. Dual-Stack Example ---------------------------------------------------------------------------------195

LAB 1: CISCO CLI MODE

EXEC Mode Prompt Typical Use

Router>------------------------- User Exec Mode

Router>enable ----------------- Enter Privileged Mode

Router#disable ---------------- Enter User Exec Mode

Router#conf ig terminal------ Enter Global Configuration Mode

Router(config)#interface fastEthernet 0/0---- Enter Interface Configuration Mode

Router(config)#interface fastEthernet 0/0.10-- Enter Sub-Interface Configuration Mode

Router(config)#line vty 0 4----------------------- Enter Line Mode

LAB 2. BASIC CONFIGURTION OF ROUTER AND SWITCH

1. Configure the Switch as follows:

2. Configure The Router as follows:

3. Assign IP for the PC