CCNA RnS, CCNA Sec, CCNP RnS, CCNP Sec, CCIE Sec (written)
Ashish Halder (CCNA RnS, CCNP RnS, CCNA Sec, CCNP Sec, CCIE Sec-written), All rights are reserved
CCNA Routing & Switching v3 LAB Guide
Contents
14. Spanning tree behavior - mode, priority value, root bridge ...... 59
26. OSPF Configuration ...... 108
Cisco routers have several configuration modes, which vary somewhat by model. The two main ones are User Exec mode and Privileged mode.
From Privileged mode we enter Global Configuration mode with the "configure terminal" (conf t) command.
Access to User Exec or Privileged mode requires a password if one has been set. From Global Configuration mode (no password is needed here) we can configure interfaces, routing protocols, access lists and much more.
Some of the specific configuration modes are entered from Global Configuration mode and others from Privileged mode:
User Exec Mode (">" prompt): used to get statistics from the router, see which IOS version you are running, check memory resources and a few other things.
Privileged Mode ("#" prompt): here you can enable or disable interfaces on the router, get more detailed information about it (for example view the running configuration), copy the configuration, load a new configuration onto the router, back up or delete the configuration, back up or delete the IOS, and a lot more.
Global Configuration Mode ("(config)#" prompt): accessible from Privileged mode. In this mode we can configure each interface individually, set up banners and passwords, enable secrets (encrypted passwords), enable and configure routing protocols, and a lot more. Every time we want to configure or change something on the router we need to be in this mode.
Examples:
Router(config)#        Global Configuration Mode
================================================================================
Objective:
hostname
login banner
enable password for accessing privilege mode
assign console password to prevent console login
assign IP for vlan 1 (Management VLAN)
configure virtual terminal for telnet session
set default gateway for the switch
hostname
login banner
enable password for accessing privilege mode
assign console password to prevent console login
configure virtual terminal for telnet session
Assign IP Address on Router Interface
5. Verification
Configuration of a switch:
1. First check the startup-config and running-config to see whether any configuration already exists.
When you type a command in global configuration mode it is stored in the running configuration. The running configuration resides in the device's RAM, so if the device loses power all configured commands are lost.
So you need to copy your current configuration into the startup configuration. The startup configuration is stored in the device's NVRAM, so the configuration is kept even if the device loses power. Use copy running-config startup-config or write memory.
Switch#show startup-config
startup-config is not present
Switch#show running-config
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname DU
DU(config)#
The enable password restricts access to privileged mode, much like a root user's password. We can set it in two ways: the enable password command or the enable secret command.
enable secret stores the password as an MD5 hash automatically.
enable password does not encrypt the password, which can be viewed in clear text in the running-config. To encrypt the enable password, use the service password-encryption command. Note, however, that enable secret provides much stronger protection than service password-encryption.
A login banner is displayed whenever someone connects to the router over Telnet or the console.
5. Console Password
We can protect the console port of Cisco devices with a console password.
DU(config)#line console 0
DU(config-line)#password ashish123
DU(config-line)#login
DU(config-line)#exit
DU(config)#
Telnet is both a user command and an underlying TCP/IP protocol for accessing remote devices.
The VTY lines are the Virtual Terminal lines of the router. They are virtual in the sense that they are a function of software; there is no hardware associated with them. They appear in the configuration as line vty 0 4.
DU#conf t
Enter configuration commands, one per line. End with CNTL/Z.
DU(config)#line vty 0 4
DU(config-line)#password ashish@123#
DU(config-line)#login
DU(config-line)#exit
DU(config)#
By default, all switch ports are part of VLAN 1. VLAN 1 carries control plane traffic and can also carry user traffic.
By default, VLAN 1 is also the management VLAN, which is used for purposes such as Telnet, SNMP and syslog.
DU(config)#interface vlan 1
DU(config-if)#ip address 192.168.10.10 255.255.255.0
DU(config-if)#no shutdown
DU(config-if)#exit
DU(config)#
The switch should be configured with a default gateway if the switch will be managed remotely from
networks not directly connected. The default gateway is the first Layer 3 device (such as a router) on
the same management VLAN network to which the switch connects. The switch will forward IP packets
with destination IP addresses outside the local network to the default gateway.
----------------------------------------------------------------------------------------------------------------------------
Switch#show startup-config
startup-config is not present
Switch#show running-config
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname BUET
BUET(config)#
5. Console password
BUET(config)#line console 0
BUET(config-line)#password ashish123
BUET(config-line)#login
BUET(config-line)#exit
BUET(config)#
6. Enter Virtual Terminal lines and give a password ashish@123#, to login remotely
BUET(config)#line vty 0 4
BUET(config-line)#password ashish@123#
BUET(config-line)#login
BUET(config-line)#exit
BUET(config)#
By default, all interfaces on a Cisco router are “Administratively Down”. To bring an interface up, issue
the no shutdown command.
BUET(config-if)#no shutdown
BUET(config-if)#exit
BUET(config)#
8. Save Configuration
BUET#write memory
Building configuration...
[OK]
BUET#
DU#write memory
Building configuration...
[OK]
C:\>ping 192.168.10.2
C:\>ping 192.168.10.3
C:\>ping 192.168.10.1
C:\>telnet 192.168.10.1
Password:
Password:
BUET>
C:\>telnet 192.168.10.10
Password:
DU>
N.B. If the switch is a Layer 3 switch, you can assign an IP address to a physical interface as follows:
DU(config-if)# no switchport
DU(config-if)# no shutdown
DU(config)# ip routing
===============================================================================
Telnet was designed to work within a private network, not across a public network where threats can appear. Because of this, all data is transmitted in plain text, including passwords. This is a major security issue, and the developers of SSH used encryption to make it much harder for others to sniff passwords and other sensitive information.
Secure Shell (SSH) is a protocol that provides a secure remote access connection to network devices. Communication between the client and server is encrypted in SSH. For this it uses an RSA public/private key pair.
There are two versions, 1 and 2. Version 2 is more secure and is the one commonly used.
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface vlan 1
Switch(config-if)#ip address 192.168.10.10 255.255.255.0
Switch(config-if)#no shutdown
The name of the RSA keypair will be the hostname and domain name of the router.
Switch(config)#hostname ASHISH-SW
ASHISH-SW(config)#ip domain-name ashish.com
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]
ASHISH-SW(config)#
Key sizes of 1024 bits or smaller should be avoided. Larger keys take longer to generate but provide more security.
ASHISH-SW(config)#line vty 0 4
ASHISH-SW(config-line)#transport input ssh
ASHISH-SW(config-line)#login local
Step 7: Create the username password
ASHISH-SW(config)#username ashish privilege 15 password cisco123
ASHISH-SW(config)#line console 0
ASHISH-SW(config-line)#logging synchronous
ASHISH-SW(config-line)#login local
Router>en
Router#conf t
Router(config)#hostname Venus
Venus(config)#interface fastEthernet 0/0
Venus(config-if)#ip address 192.168.10.1 255.255.255.0
Venus(config-if)#no shutdown
Venus(config-if)#exit
Venus(config)#ip domain-name cisco.com
Venus(config)#username ashish privilege 15 password cisco123
Venus(config)#crypto key generate rsa
Venus#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Venus#
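As an added example (not part of the original lab guide), here is a small Python audit that reads a running-config and flags the weaknesses discussed in the Telnet and SSH labs: enable password without enable secret, clear-text line passwords, Telnet still allowed on the VTY lines, and SSH not pinned to version 2. Both configuration excerpts are constructed for this example; the finding texts are this example's own wording.

```python
import re

# Constructed running-config excerpt (not captured from a real device) that keeps the
# weak settings from the Telnet lab: enable password, clear-text line passwords, Telnet on VTYs.
WEAK_CONFIG = """\
hostname ASHISH-SW
enable password cisco123
username ashish privilege 15 password cisco123
ip domain-name ashish.com
ip ssh version 1
line con 0
 password ashish123
 login
line vty 0 4
 password ashish@123#
 login
 transport input telnet ssh
"""

# The same device after the SSH lab: secret instead of password, local users, SSH-only VTYs.
HARDENED_CONFIG = """\
hostname ASHISH-SW
service password-encryption
enable secret cisco123
username ashish privilege 15 secret cisco123
ip domain-name ashish.com
ip ssh version 2
line con 0
 logging synchronous
 login local
line vty 0 4
 transport input ssh
 login local
"""


def parse_line_blocks(config):
    """Return {'line vty 0 4': [indented child commands], ...} for every line block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # back at global configuration level
    return blocks


def audit_config(config):
    """Return a list of findings; an empty list means none of the checked weaknesses is present."""
    findings = []
    global_cmds = [l for l in config.splitlines() if l and not l.startswith(" ")]
    has_secret = any(l.startswith("enable secret") for l in global_cmds)
    if any(l.startswith("enable password") for l in global_cmds) and not has_secret:
        findings.append("enable password used without enable secret: privileged-mode password is clear text")
    if not has_secret:
        findings.append("no enable secret configured")
    if not any(l.startswith("service password-encryption") for l in global_cmds):
        findings.append("service password-encryption off: line passwords are stored in clear text")
    if any(re.match(r"username \S+( privilege \d+)? password ", l) for l in global_cmds):
        findings.append("username ... password stores a clear-text credential; prefer username ... secret")
    ssh_ver = next((l.split()[-1] for l in global_cmds if l.startswith("ip ssh version")), None)
    if ssh_ver != "2":
        findings.append("SSH not pinned to version 2 (ip ssh version 2 missing)")
    for name, body in parse_line_blocks(config).items():
        if not name.startswith("line vty"):
            continue
        transport = next((b for b in body if b.startswith("transport input")), None)
        # No transport line means the platform default, which on many IOS versions still allows Telnet
        if transport is None or "telnet" in transport or transport.endswith(" all"):
            findings.append(f"{name}: Telnet allowed on the VTY lines (set transport input ssh)")
        if "login" in body and "login local" not in body:
            findings.append(f"{name}: shared line password only; use login local with per-user accounts")
    return findings
```

Running audit_config over the two excerpts shows seven findings for the weak configuration and none for the hardened one.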
Key Note:
----------------------------------------------------------------------------
"logging synchronous" prevents every logging message from immediately interrupting your console session.
For example, without it, when you telnet to your router or switch you will see a lot of log messages before you have even logged in with your username and password.
---------------------------------------------------------------------------------------------------------------------------------
RSA is an algorithm used by modern computers to encrypt and decrypt messages. It is an asymmetric cryptographic algorithm. Asymmetric means that there are two different keys. This is also called public key cryptography, because one of the keys can be given to everyone.
============================================================================
Configure a TFTP server (in your physical lab you can download a TFTP server onto your PC and configure it; the rest of the configuration is the same).
Denver#show startup-config
DU#show startup-config
Writing startup-config...!!
[OK - 653 bytes]
Writing startup-config...!!
[OK - 1178 bytes]
Erase the startup-configuration file and reboot (reload) the router and the switch.
DU#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue?
[confirm]
[OK]
Erase of nvram: complete
%SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
DU#
DU#reload
Denver#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue?
[confirm]
[OK]
Erase of nvram: complete
%SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
BUET#
Denver#reload
Proceed with reload? [confirm]
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip address 192.168.10.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface vlan 1
Switch(config-if)#ip address 192.168.10.10 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch(config)#ip default-gateway 192.168.10.1
Building configuration...
[OK]
Denver#
============================================================================
A Layer 2 switched network is by design a flat network: every device on the network sees every broadcast frame, even if it does not need to receive it. But we can logically create multiple, separate broadcast domains in a Layer 2 switch. This is possible with VLAN technology (VLAN means Virtual LAN).
The segregation into VLANs reduces the size of each broadcast domain. Every VLAN normally uses its own subnet.
VLANs divide one broadcast domain into a number of logical subnets.
To implement a move, add or change, the network only needs the port configured into the suitable VLAN.
A group of users with a demand for high security can be placed in their own VLAN so that users outside the VLAN cannot interact with them.
When users are classified logically by function, VLAN membership is independent of their geographic or physical location.
Network security can also be enhanced by VLANs.
The number of broadcast domains increases with VLANs while their size decreases.
Trunk Ports: between switches we create a trunk. A trunk is an interface that carries multiple VLANs.
On a Cisco switch VLAN 1 is the native VLAN by default. 802.1Q does not tag the native VLAN, while ISL does tag it.
By default all switch ports are in VLAN 1.
VLAN information is not saved in the running-config or startup-config but in a separate file, vlan.dat, in flash memory. To delete the VLAN information, delete that file with the delete flash:vlan.dat command.
Objective
2. Create VLANs
3. Configuration of trunk ports
5. Assign IP to hosts
6. Verification
Data sheet
Switch(config)#hostname DU
DU(config)#enable secret cisco
DU(config)#line console 0
DU(config-line)#password cisco
DU(config-line)#login
DU(config-line)#exit
Switch(config)#hostname BUET
BUET(config)#enable secret cisco
BUET(config)#line console 0
BUET(config-line)#password cisco
BUET(config-line)#login
BUET(config-line)#exit
2. Create VLANs
DU(config)#vlan 10
DU(config-vlan)#name cisco
DU(config-vlan)#exit
DU(config)#vlan 20
DU(config-vlan)#name solaris
DU(config-vlan)#exit
DU(config)#
BUET(config)#vlan 10
BUET(config-vlan)#name cisco
BUET(config-vlan)#exit
BUET(config)#vlan 20
BUET(config-vlan)#name solaris
BUET(config-vlan)#exit
BUET(config)#
BUET#conf t
BUET(config)#interface range fastEthernet 0/1 - 9
BUET(config-if-range)#switchport mode access
BUET(config-if-range)#switchport access vlan 10
BUET(config-if-range)#exit
BUET(config)#interface range fastEthernet 0/10 - 20
BUET(config-if-range)#switchport mode access
BUET(config-if-range)#switchport access vlan 20
BUET(config-if-range)#exit
BUET(config)#exit
BUET#
DU#conf t
Enter configuration commands, one per line. End with CNTL/Z.
DU(config)#interface range fastEthernet 0/1 - 9
DU(config-if-range)#switchport mode access
DU(config-if-range)#switchport access vlan 10
DU(config-if-range)#exit
DU(config)#interface range fastEthernet 0/10 - 20
DU(config-if-range)#switchport mode access
DU(config-if-range)#switchport access vlan 20
DU(config-if-range)#end
DU#
5. Assign IP to hosts
C:\>ping 192.168.10.3
Request timed out.
Request timed out.
Request timed out.
VTP (VLAN Trunking Protocol) is a Cisco proprietary protocol used by Cisco switches to exchange VLAN information. VTP replicates configured VLANs to all participating switches.
Consider a network with 50 switches. Without VTP, if you want to create a VLAN on each switch you would have to enter the commands manually on every one of them. VTP lets you create the VLAN on only one switch; that switch then propagates information about the VLAN to every switch in the network and causes the other switches to create it too. If you want to delete a VLAN, you only need to delete it on one switch, and the change is propagated automatically to every other switch in the same VTP domain.
A switch in Client mode takes its VLAN configuration from the Server. It does not place the VLANs in a vlan.dat file.
Switches in Transparent mode never update themselves. If they receive VTP advertisements they forward them along. In Transparent mode you can configure VLANs normally, as you would on a Server switch.
Be careful if a switch is deployed with a higher VTP revision number than the rest of the VTP switches: switches in Client mode will download whatever VLAN configuration that switch has, removing your current configuration. So before using such switches in a production network, configure them in Transparent mode. You can also omit VTP configuration altogether to avoid this situation.
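To make the revision-number warning concrete, here is an added Python model of VTP advertisement handling (a simplified simulation written for this guide, not Cisco's implementation). The switch names, the stale switch OLD-SW and its revision number 42 are constructed; the model keeps only the behaviour described above: a higher revision replaces the whole VLAN database, Transparent mode neither originates advertisements nor applies them.

```python
class VtpSwitch:
    """Minimal VTP participant: mode, domain, revision number and VLAN database."""

    def __init__(self, name, mode, domain, vlans, revision=0):
        assert mode in ("server", "client", "transparent")
        self.name, self.mode, self.domain = name, mode, domain
        self.vlans = dict(vlans)      # vlan id -> name, what vlan.dat would hold
        self.revision = revision
        self.forwarded = []           # advertisements relayed unchanged (transparent mode)

    def create_vlan(self, vid, name):
        """Local VLAN change; only servers bump the revision and advertise the new database."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VLANs cannot be created in VTP client mode")
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1
        return self.advertise()

    def advertise(self):
        """Summary advertisement; transparent switches never originate one."""
        if self.mode == "transparent":
            return None
        return {"domain": self.domain, "revision": self.revision, "vlans": dict(self.vlans)}

    def receive(self, adv):
        """Apply, relay or ignore an advertisement and say which happened."""
        if adv is None:
            return "no advertisement"
        if adv["domain"] != self.domain:
            return "ignored: different domain"
        if self.mode == "transparent":
            self.forwarded.append(adv)
            return "forwarded unchanged"
        if adv["revision"] > self.revision:
            self.vlans = dict(adv["vlans"])   # the database is replaced, not merged
            self.revision = adv["revision"]
            return "database replaced"
        return "ignored: revision not higher"


def lab_scenario():
    """Replay the lab: VLANs 100 and 200 created on SERVER, then a stale switch joins the domain."""
    server = VtpSwitch("SERVER", "server", "cisco.com", {1: "default"})
    client = VtpSwitch("Client", "client", "cisco.com", {1: "default"})
    client.receive(server.create_vlan(100, "cisco"))
    client.receive(server.create_vlan(200, "solaris"))
    before = sorted(client.vlans)
    # Constructed: a switch reused from another lab, same domain name, revision already at 42
    stale = VtpSwitch("OLD-SW", "server", "cisco.com", {1: "default", 300: "leftover"}, revision=42)
    return {"before": before,
            "server": server.receive(stale.advertise()),   # servers accept higher revisions too
            "client": client.receive(stale.advertise()),
            "after": sorted(client.vlans)}


def transparent_is_safe():
    """The same stale switch set to Transparent mode before it is connected."""
    server = VtpSwitch("SERVER", "server", "cisco.com",
                       {1: "default", 100: "cisco", 200: "solaris"}, revision=2)
    stale = VtpSwitch("OLD-SW", "transparent", "cisco.com", {1: "default", 300: "leftover"}, revision=42)
    return (stale.receive(server.advertise()),     # relayed, own database untouched
            server.receive(stale.advertise()),     # nothing originated, SERVER keeps its VLANs
            sorted(server.vlans), sorted(stale.vlans))
```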
Objective:
Switch(config)#hostname SERVER
SERVER(config)#vtp domain cisco.com
SERVER(config)#vtp mode server
SERVER(config)#vtp password cisco
SERVER(config)#vtp version 2
SERVER(config)#
Switch(config)#hostname Client
Client(config)#vtp domain cisco.com
Client(config)#vtp version 2
Client(config)#vtp mode client
Client(config)#vtp password cisco
NOTES
Client(config-if)# no shut
SERVER(config)#vlan 100
SERVER(config-vlan)#name cisco
SERVER(config-vlan)#exit
SERVER(config)#vlan 200
SERVER(config-vlan)#name solaris
SERVER(config-vlan)#end
Here we can see that the VLANs 100 and 200 created on the Server switch now also appear on the Client switch.
From here we can check the VTP mode, VTP domain name and revision number. The revision number must be the same on both switches; if it is not, the updates have not propagated successfully.
Link aggregation is very common and is usually seen in the following scenarios:
If you are going to create an EtherChannel you need to make sure that all ports have the same configuration:
There is a maximum to the number of links you can bundle: 8 physical interfaces.
If you want to configure an EtherChannel there are two protocols you can choose from:
PAgP: developed by Cisco. The port modes are defined as either auto or desirable.
LACP: open standard. The port modes are active or passive.
We can use desirable so that the switch actively negotiates to form a PAgP link (Cisco proprietary EtherChannel), or we can use active so that the switch actively negotiates to form a LACP link (open standard EtherChannel).
Objective
1. Create Etherchannel
2. Configure Trunk
3. Verification
Create Etherchannel
Switch(config)#hostname DU
DU(config)#interface range gigabitEthernet 0/1 - 2
DU(config-if-range)#channel-group 1 mode active
Creating a port-channel interface Port-channel 1
DU(config-if-range)#exit
Switch(config)#hostname ASHISH
ASHISH(config)#interface range gigabitEthernet 0/1 - 2
ASHISH(config-if-range)#channel-group 1 mode passive
ASHISH(config-if-range)#
Configure Trunk
DU(config)#interface port-channel 1
DU(config-if)#switchport mode trunk
DU(config-if)# no shut
ASHISH(config)#interface port-channel 1
ASHISH(config-if)#switchport mode trunk
ASHISH(config-if)# no shutdown
Verification
Po1 = Port-channel 1; the channel group number must be the same on both switches
S = Layer 2 (capital S)
U = in use
P = bundled in the port-channel
Inter-VLAN Routing
In our previous lab we could only communicate within the same VLAN, for example between PCs in VLAN 10 or between PCs in VLAN 20. To communicate between different VLANs we need routing, because each VLAN is now a separate broadcast domain. So we need a Layer 3 switch or a router; here we will use a router.
OBJECTIVE:
DU(config)#banner motd "Do not try to login my Switch"
DU(config)#enable secret cisco123
DU(config)#line console 0
DU(config-line)#password cisco123
DU(config-line)#login
DU(config-line)#exit
DU(config)#
========================================
Switch#conf t
Switch(config)#hostname BUET
BUET(config)#hostname BUET
BUET(config)#banner motd "This is the switch of BUET"
BUET(config)#enable secret cisco123
BUET(config)#line console 0
BUET(config-line)#password cisco123
BUET(config-line)#login
BUET(config-line)#end
BUET#
=====================================================
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname DENVER
DENVER(config)#enable secret cisco123
DENVER(config)#banner motd "This Router belongs to VENUS TELECOM LTD"
DENVER(config)#line console 0
DENVER(config-line)#password cisco123
DENVER(config-line)#login
DENVER(config-line)#end
DENVER#
DU(config)#interface port-channel 1
DU(config-if)#sw
DU(config-if)#switchport mo
DU(config-if)#switchport mode trunk
DU(config-if)#no shutdown
====================================================
BUET(config)#interface range fastEthernet 0/1 - 2
BUET(config-if-range)#channel-group 1 mode passive
BUET(config-if-range)#no shutdown
BUET(config-if-range)#exit
BUET(config)#interface port-channel 1
BUET(config-if)#switchport mode trunk
BUET(config-if)#no shutdown
VTP CONFIGURATION
============================
Domain name already set to cisco.com.
BUET(config)#vtp mo
BUET(config)#vtp mode cl
BUET(config)#vtp mode client
Setting device to VTP CLIENT mode.
BUET(config)#vtp ve
BUET(config)#vtp version 2
Cannot modify version in VTP client mode
BUET(config)#vtp pass
BUET(config)#vtp password cisco
Setting device VLAN database password to cisco
BUET(config)#
CONFIGURATION OF VLAN
========================
DU#conf t
Enter configuration commands, one per line. End with CNTL/Z.
DU(config)#vlan 100
DU(config-vlan)#name CISCO
DU(config-vlan)#EXIT
DU(config)#VLan 200
DU(config-vlan)#NAMe SOLARIS
DU(config-vlan)#exit
VERIFY
==========
DU#show etherchannel summary
DU#
CONFIGURE ACCESS-PORTS
DU#conf t
DU(config)#interface range fastEthernet 0/3 - 15
DU(config-if-range)#switchport mode access
DU(config-if-range)#switchport access vlan 100
DU(config-if-range)#exit
---------------------------------------------------------------------------
BUET#conf t
BUET(config)#interface range fastEthernet 0/6 - 10
BUET(config-if-range)#switchport mode access
BUET(config-if-range)#switchport access vlan 100
BUET(config-if-range)#exit
CONFIGURE IP TO HOSTS
Verify
=========
C:\>ping 192.168.100.3
C:\>ping 172.16.200.3
C:\>ping 192.168.100.2
Not successful, right? So we will now configure inter-VLAN routing to get access between the different VLANs.
BUET#conf t
Enter configuration commands, one per line. End with CNTL/Z.
BUET(config)#interface gigabitEthernet 0/1
BUET(config-if)#no shutdown
BUET(config-if)#switchport mode trunk
BUET(config-if)#exit
------------------------------------------------------------------------
DENVER#conf t
DENVER(config)#interface fastEthernet 0/0
DENVER(config-if)#no shutdown
DENVER(config-if)#exit
DENVER(config)#interface fastEthernet 0/0.100
DENVER(config-subif)#encapsulation dot1Q 100
DENVER(config-subif)#ip address 192.168.100.1 255.255.255.0
DENVER(config-subif)#no shutdown
DENVER(config-subif)#exit
DENVER(config)#interface fastEthernet 0/0.200
DENVER(config-subif)#encapsulation dot1Q 200
DENVER(config-subif)#ip address 172.16.200.1 255.255.255.0
DENVER(config-subif)#no shutdown
DENVER(config-subif)#exit
Here we have created two sub-interfaces, 0/0.100 and 0/0.200, for the respective VLANs. dot1Q is used for the encapsulation.
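As an added example (not from the lab guide), a Python check that decides whether a ping between two lab hosts can succeed before and after inter-VLAN routing: on-subnet traffic must share a VLAN, off-subnet traffic needs the DENVER sub-interface on each side. The hosts, their VLAN membership and the deliberately mis-assigned PC-D are constructed for this example.

```python
import ipaddress

# Constructed hosts (not the lab's data sheet): VLAN 100 is 192.168.100.0/24, VLAN 200 is
# 172.16.200.0/24, and PC-D is placed in the wrong VLAN for its subnet on purpose.
HOSTS = {
    "PC-A": {"ip": "192.168.100.2", "mask": "255.255.255.0", "gw": "192.168.100.1", "vlan": 100},
    "PC-B": {"ip": "192.168.100.3", "mask": "255.255.255.0", "gw": "192.168.100.1", "vlan": 100},
    "PC-C": {"ip": "172.16.200.3",  "mask": "255.255.255.0", "gw": "172.16.200.1",  "vlan": 200},
    "PC-D": {"ip": "192.168.100.4", "mask": "255.255.255.0", "gw": "192.168.100.1", "vlan": 200},
}

# DENVER's dot1Q sub-interfaces after the configuration above: VLAN id -> sub-interface address.
DENVER_SUBIFS = {100: "192.168.100.1", 200: "172.16.200.1"}
NO_ROUTING = {}   # the state before inter-VLAN routing was configured


def subnet_of(host):
    return ipaddress.ip_interface(f"{host['ip']}/{host['mask']}").network


def gateway_ok(host, subifs):
    """The host's gateway must be the router sub-interface on the host's own VLAN,
    and that address must lie inside the host's subnet."""
    subif = subifs.get(host["vlan"])
    if subif is None:
        return False
    gw = ipaddress.ip_address(host["gw"])
    return ipaddress.ip_address(subif) == gw and gw in subnet_of(host)


def can_ping(src_name, dst_name, subifs):
    """Whether an ICMP echo and its reply can travel between two hosts on the lab topology."""
    src, dst = HOSTS[src_name], HOSTS[dst_name]
    if ipaddress.ip_address(dst["ip"]) in subnet_of(src):
        # On-subnet: the host ARPs directly, so both must be in the same broadcast domain (VLAN)
        return src["vlan"] == dst["vlan"]
    # Off-subnet: src hands the packet to its gateway, and dst needs a working gateway for the reply
    return gateway_ok(src, subifs) and gateway_ok(dst, subifs)
```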
Verify
===========
C:\>ping 172.16.200.2
C:\>ping 192.168.100.2
====================================================================
VTP SERVER
============
DU#conf t
DU(config)#vlan 99
DU(config-vlan)#name admin
DU(config-vlan)#exit
DU(config)#vlan 199
DU(config-vlan)#name admin2
DU(config)#interface fastEthernet 0/23
DU(config-if)#switchport mode access
DU(config-if)#switchport access vlan 99
DU(config-if)#exit
DU(config)#interface vlan 99
DU(config-if)#ip address 192.168.10.1 255.255.255.0
DU(config-if)#no shutdown
DU(config-if)#exit
-------------------------------------------------
Telnet Configuration
===================
DU(config)#line vty 0 4
DU(config-line)#password cisco123
DU(config-line)#login
DU(config-line)#exit
================================================================
BUET#conf t
Enter configuration commands, one per line. End with CNTL/Z.
BUET(config)#interface fastEthernet 0/23
BUET(config-if)#switchport mode access
BUET(config-if)#switchport access vlan 199
BUET(config-if)#exit
-------------------------------------------
BUET(config)#interface vlan 199
BUET(config-if)#ip address 192.168.20.1 255.255.255.0
BUET(config-if)#no shutdown
Telnet Configuration
BUET(config)#line vty 0 4
BUET(config-line)#password cisco123
BUET(config-line)#login
BUET(config-line)#exit
DENVER(config)#line vty 0 4
DENVER(config-line)#password cisco123
DENVER(config-line)#login
DENVER(config-line)#exit
DENVER(config)#interface fastEthernet 0/0.99
DENVER(config-subif)#encapsulation dot1Q 99
DENVER(config-subif)#ip address 192.168.10.1 255.255.255.0
DENVER(config-subif)#no shutdown
DENVER(config-subif)#end
DENVER#ping 192.168.10.1
DENVER#ping 192.168.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/3/9 ms
DENVER#telnet 192.168.20.1
Trying 192.168.10.1 ...Open
This Router belongs to VENUS TELECOM LTD
User Access Verification
Password:
SVI - Switched Virtual Interface. There is no physical interface for the VLAN, hence it is virtual.
The technique is: assign an IP address to each VLAN interface (for example interface vlan 10), then issue the "ip routing" command in global configuration mode.
Generally routers do the routing between different broadcast domains, that is, between different VLANs. But SVIs give a Layer 3 switch the capability to route between VLANs itself.
Example switch models that support Layer 3 routing are the 3550, 3750, 3560, etc.
Our Tasks (All configuration is only on L3 switch here)
CREATE VLAN
Switch>en
Switch#conf t
Switch(config)#vlan 10
Switch(config-vlan)#name cisco
Switch(config-vlan)#exit
Switch(config)#vlan 20
Switch(config-vlan)#name solaris
Switch(config-vlan)#exit
Switch(config)#exit
ACCESS-PORT CONFIGURATION
Switch#conf t
Switch(config)#interface range fastEthernet 0/3 - 9
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 10
Switch(config-if-range)#exit
Switch(config)#interface range fastEthernet 0/10 - 15
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 20
Switch(config-if-range)#exit
Switch(config)#
ASSIGN IP TO VLAN INTERFACE
Switch(config)#interface vlan 10
Switch(config-if)#ip address 192.168.10.1 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch(config)#interface vlan 20
Switch(config-if)#ip address 192.168.20.1 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit
ENABLE ROUTING
Switch(config)#ip routing
Switch(config)#exit
ASSIGN IP TO HOSTS
VERIFICATION
LAB 10 : Port Security
Port Security
Anyone can access unsecured network resources by plugging a laptop into one of our available switch ports. They can also change their physical location in the LAN without telling the admin. But you can secure Layer 2 access by using port security.
First, in our lab we will plug in one PC while the other PC remains unplugged, as shown in the figure:
Assign IP to hosts
We have two options, static and dynamic, to associate a MAC address with an interface.
In the static method we manually define the exact host MAC address with the switchport port-security
mac-address MAC_address command.
In dynamic mode we use the sticky feature, which allows the interface to learn the MAC address
automatically.
We need to specify what action the switch should take on a security violation. Three possible modes are
available:
Protect: - This mode only works with the sticky option. In this mode frames from a non-allowed
address are dropped.
Restrict: - In restrict mode frames from a non-allowed address are dropped, but in this
mode the switch also makes a log entry and generates a security violation alert.
Shutdown: - In this mode the switch generates the violation alert and disables the port. The only
way to re-enable the port is to manually enter the no shutdown command. This is the default
violation mode.
Command                                                         Description
Switch(config)#interface fastethernet 0/1                       Move in interface mode
Switch(config-if)#switchport mode access                        Assign port as host port
Switch(config-if)#switchport port-security                      Enable port security feature on this port
Switch(config-if)#switchport port-security mac-address sticky   Enable sticky feature.
We have secured the F0/1 port of the switch using the dynamic address learning feature. The switch will
remember the first MAC address learned on interface F0/1 and bind it to this port. We can check the MAC
address table for the currently associated address.
No MAC address is associated with the F0/1 port yet; the switch learns MAC addresses from incoming
frames.
We need to generate a frame from PC0 that will be received on the F0/1 port of the switch. We can
use ping to generate frames from PC0 to the Server.
The switch learns this address dynamically, but it shows as STATIC: the sticky option automatically
converts the dynamically learned address into a static address.
Now we unplug the Ethernet cable from PC0 and plug in the other PC (PC1).
Why did the ping fail? Because the switch detected the MAC address change and shut down the
port.
show port-security
This command displays port security information about all the interfaces on the switch.
Here is a useful command to check your port security configuration. Use show port-security
interface to see the port security details per interface. We can see that the violation mode is
shutdown and that the last violation was caused by MAC address 0002.1622.CB46:1. The
aging time is 0 mins, which means the port will stay in err-disable state forever (until an administrator recovers it).
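To make the three violation modes and the sticky behaviour concrete, here is an added Python model of a port-security port (example code written for this discussion, not Cisco IOS code and not the author's lab). The MAC addresses are constructed; the replay function follows the lab's steps: secure F0/1 with sticky learning, let PC0 send a frame, then plug PC1 into the same port. Protect drops silently and does not count, restrict drops and logs, and shutdown err-disables the port until an operator recovers it, which is why an aging time of 0 leaves the port down.

```python
import logging
from dataclasses import dataclass, field
from typing import Dict, Optional

log = logging.getLogger("port-security")

# Constructed sample addresses (not taken from the lab's screenshots). PC1's address is
# chosen to resemble the violating MAC the lab reports in "show port-security interface".
PC0_MAC = "0001.9655.1a2b"
PC1_MAC = "0002.1622.cb46"


@dataclass
class SecurePort:
    """Model of one port with 'switchport port-security' enabled."""
    name: str
    violation: str = "shutdown"   # IOS default, as the lab states
    maximum: int = 1              # IOS default: one secure MAC per port
    sticky: bool = False          # 'switchport port-security mac-address sticky'
    secure_macs: Dict[str, str] = field(default_factory=dict)  # mac -> entry type
    err_disabled: bool = False
    violation_count: int = 0
    last_violator: Optional[str] = None

    def add_static(self, mac: str) -> None:
        """'switchport port-security mac-address <MAC>': operator-defined address."""
        self.secure_macs[mac.lower()] = "STATIC"

    def receive_frame(self, src_mac: str) -> str:
        """Return 'forward' or 'drop' for an ingress frame with this source MAC."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "drop"                       # nothing passes until recovered
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            # Room left: learn the address. Sticky entries are written into the
            # running-config and therefore show up as STATIC, as the lab observes.
            self.secure_macs[src_mac] = "STATIC" if self.sticky else "DYNAMIC"
            return "forward"
        return self._violation(src_mac)

    def _violation(self, src_mac: str) -> str:
        if self.violation == "protect":
            return "drop"                       # silent: no log, no counter
        self.violation_count += 1
        self.last_violator = src_mac
        if self.violation == "restrict":
            log.warning("%s: security violation by %s (frame dropped)", self.name, src_mac)
            return "drop"
        # shutdown mode: the port goes err-disabled and stays there (aging time 0 = forever)
        self.err_disabled = True
        log.error("%s: security violation by %s, port err-disabled", self.name, src_mac)
        return "drop"

    def recover(self) -> None:
        """Operator action after a shutdown-mode violation ('shutdown' then 'no shutdown')."""
        self.err_disabled = False

    def show(self) -> Dict[str, object]:
        """The fields a practitioner reads from 'show port-security interface'."""
        return {
            "port_status": "Secure-shutdown" if self.err_disabled else "Secure-up",
            "violation_mode": self.violation,
            "maximum": self.maximum,
            "total_mac_addresses": len(self.secure_macs),
            "last_source_address": self.last_violator,
            "violation_count": self.violation_count,
        }


def lab_walkthrough() -> Dict[str, object]:
    """Replays the lab: secure F0/1 with sticky, PC0 pings, then PC1 is plugged in."""
    port = SecurePort("FastEthernet0/1", sticky=True)
    port.receive_frame(PC0_MAC)        # ping from PC0: address learned and bound to the port
    port.receive_frame(PC1_MAC)        # PC1 plugged into the same port: violation
    return port.show()


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for key, value in lab_walkthrough().items():
        print(f"{key:>22}: {value}")
```

Running the module prints the equivalent of the lab's verification: port status Secure-shutdown, violation count 1, and PC1's address as the last source address.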
Advantages
The PortFast feature only has an effect when the interface is in a non-trunking (access) mode,
so enabling PortFast on a trunk port is useless.
Configure PortFast on a Cisco switch (first unplug the two PCs as shown in the figure).
Next, execute the following commands on the switch to enable the PortFast feature on the Fa0/1
interface.
Switch(config)#interface fa0/1
Switch(config-if)#spanning-tree portfast
Now, connect PC0 to the fa0/1 interface and PC1 to the fa0/2 interface, as shown in the
following figure.
We notice that the Fa0/1 interface is activated within 5 seconds because it does not
participate in the STP convergence process.
BPDU Guard is used to protect the Spanning Tree domain from external influence.
BPDU Guard is disabled by default, but it is recommended to enable BPDU Guard
on all ports on which PortFast is enabled.
BPDU Guard should be applied to user-facing ports to prevent rogue switch
network extensions by an attacker.
BPDU Guard can be configured either in global mode or in interface mode:
On an interface, BPDU Guard puts the port into err-disable state if a BPDU is
received.
In global configuration mode, BPDU Guard disables PortFast on any interface on which a BPDU is
received.
VLAN0001 enabled
Note: Root guard is best deployed on ports that connect to switches which should
not become the root bridge.
For example, a port on the distribution layer switch which is connected to an access layer
switch can be Root Guard enabled, because the access layer switch should never become the
Root Bridge.
Switch#conf t
Switch(config)#hostname DU
Switch#conf t
Switch(config)#hostname ASHISH
Now we will enable root guard on switch DU on port G0/1, so that if switch ASHISH tries
to become the root bridge, port G0/1 of switch DU will be shut down.
Now we will change the priority value of switch ASHISH to check what happens:
ASHISH(config)#spanning-tree vlan 1 priority 4096
Now ping:
C:\>ping 192.168.10.2
Request timed out.
Request timed out.
Request timed out.
Request timed out.
The port becomes red colored, which indicates that the port is shut down when switch ASHISH
tries to become the root bridge.
On DU switch:
C:\>ping 192.168.10.2
LAB 14 : Spanning tree behavior - mode , priority value, root bridge
Here switch DU is the root bridge, as all of its ports are in forwarding mode (indicated by the green
signal).
By default Cisco switches run a separate STP instance for every VLAN configured on the
switch; this mode is called PVST.
We will configure switch ASHISH as the root switch for the default VLAN (1) using one method,
then switch DU using another method:
Now we will make it the root bridge by using the following command.
Using this command automatically lowers the priority of the switch to a significantly lower
value in order to make sure that the switch is elected as the root switch.
ASHISH#conf t
Enter configuration commands, one per line. End with CNTL/Z.
ASHISH(config)#spanning-tree vlan 1 root primary
ASHISH(config)#exit
Setting the bridge priority using the command spanning-tree vlan [list] priority
[value].
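As an added example (not part of the guide), the following Python models the root-bridge election and the two commands used in these labs: a manual priority of 4096, and the root primary macro, whose documented IOS behaviour is to pick 24576, or 4096 below the lowest existing priority if that is already under 24576. It also models what DU's root-guard port does when ASHISH starts sending a superior BPDU. Switch MAC addresses are constructed.

```python
from dataclasses import dataclass
from typing import List, NamedTuple


class BridgeId(NamedTuple):
    """PVST+ bridge ID: priority plus VLAN number (extended system ID), then MAC. Lower wins."""
    priority: int
    mac: str


@dataclass
class Switch:
    name: str
    mac: str                  # constructed base MAC for the example
    priority: int = 32768     # IOS default bridge priority

    def bridge_id(self, vlan: int = 1) -> BridgeId:
        return BridgeId(self.priority + vlan, self.mac)


def elect_root(switches: List[Switch], vlan: int = 1) -> Switch:
    """Root bridge = lowest bridge ID; priority decides first, MAC breaks ties."""
    return min(switches, key=lambda s: s.bridge_id(vlan))


def set_priority(sw: Switch, value: int) -> None:
    """'spanning-tree vlan <vlan> priority <value>': IOS accepts only multiples of 4096."""
    if value % 4096 or not 0 <= value <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    sw.priority = value


def root_primary(sw: Switch, others: List[Switch]) -> int:
    """'spanning-tree vlan <vlan> root primary' macro as Cisco documents it: use 24576,
    unless another switch already has a priority below 24576, then go 4096 below it."""
    lowest = min(o.priority for o in others)
    sw.priority = 24576 if lowest >= 24576 else max(lowest - 4096, 0)
    return sw.priority


def root_guard(local_root: BridgeId, bpdu_root: BridgeId) -> str:
    """Root guard on a designated port: a BPDU claiming a better root than the one we know
    puts the port into root-inconsistent (blocked) state instead of re-electing the root."""
    return "root-inconsistent" if bpdu_root < local_root else "forwarding"


def lab_walkthrough() -> dict:
    """Replays the lab: DU is root by default, then ASHISH is set to priority 4096."""
    du, ashish = Switch("DU", "0000.0000.0001"), Switch("ASHISH", "0000.0000.0002")
    out = {"initial_root": elect_root([du, ashish]).name}
    set_priority(ashish, 4096)      # ASHISH(config)#spanning-tree vlan 1 priority 4096
    # DU's G0/1 runs root guard and now hears ASHISH's superior BPDU
    out["du_g0/1"] = root_guard(du.bridge_id(), ashish.bridge_id())
    # without root guard the election would simply follow the lower bridge ID
    out["root_without_guard"] = elect_root([du, ashish]).name
    return out


if __name__ == "__main__":
    print(lab_walkthrough())
```

The guard decision is made per port from the received BPDU's root ID, which is why the rest of the domain keeps DU as root while the offending link is blocked.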
DU Router (Basic Configuration)
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname DU
DU(config)#enable secret cisco123
DU(config)#line console 0
DU(config-line)#password cisco
DU(config-line)#login
DU(config-line)#exit
DU(config)#line vty 0 5
DU(config-line)#password cisco
DU(config-line)#login
DU(config-line)#exit
BUET(config)#line console 0
BUET(config-line)#password cisco
BUET(config-line)#login
BUET(config-line)#exit
BUET(config)#line vty 0 5
BUET(config-line)#password cisco
BUET(config-line)#login
BUET(config-line)#exit
Try to Ping from PC0 to PC1
C:\>ping 192.168.30.2
C:\>
DU Router
BUET Router
So for the previous example, instead of the next-hop IP address we can write the exit interface as follows,
but only if the 2 routers are connected point-to-point:
C:\>ping 192.168.30.2
C:\>telnet 192.168.20.2
Trying 192.168.20.2 ...Open
Password:
Password:
BUET>
Success...right ..
BUET#show ip route
BUET#
It is a special type of static route. Default routing is used in stub networks: a stub network
has only one way for traffic to go in order to reach several different networks.
A DEFAULT ROUTE is sometimes called a Zero/Zero Route because the network and subnet mask we
specify as the destination that traffic must match are all zeros.
A DEFAULT ROUTE says "for any traffic that DOES NOT match a specific route in the routing
table, forward that traffic to this destination (next-hop router IP address)". In other
words, a default route is a "CATCH ALL".
In a default route, both the network and the subnet mask are zero (0.0.0.0 0.0.0.0).
ip route 0.0.0.0 0.0.0.0 next-hop-router-IP-address
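An added Python model (not the guide's code) of how a router chooses a route: every route whose prefix contains the destination is a candidate and the longest prefix wins, so 0.0.0.0/0 only applies when nothing more specific matches. The tables are built from this lab's addressing; the CUSTOMER default route toward 103.13.148.2 and the ISP static route back toward 103.13.148.1 are assumed from the description, since the guide does not print those two commands here.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    via: str      # next-hop address or exit interface
    source: str   # "C" connected, "S" static, "S*" candidate default


class RoutingTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def connected(self, prefix: str, interface: str) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix), interface, "C"))

    def static(self, network: str, mask: str, via: str) -> None:
        """ip route <network> <mask> <next-hop | exit-interface>"""
        net = ipaddress.ip_network(f"{network}/{mask}")
        self.routes.append(Route(net, via, "S*" if net.prefixlen == 0 else "S"))

    def lookup(self, destination: str) -> Optional[Route]:
        """Longest-prefix match. 0.0.0.0/0 contains every address, so it is chosen only
        when no more specific route matches. None means the packet is dropped."""
        dst = ipaddress.ip_address(destination)
        candidates = [r for r in self.routes if dst in r.network]
        if not candidates:
            return None
        return max(candidates, key=lambda r: r.network.prefixlen)


def build_lab_tables() -> Tuple[RoutingTable, RoutingTable]:
    """CUSTOMER and ISP tables for the lab topology (static routes assumed, see lead-in)."""
    customer = RoutingTable()
    customer.connected("192.168.10.0/24", "FastEthernet0/1")
    customer.connected("103.13.148.0/29", "FastEthernet0/0")
    customer.static("0.0.0.0", "0.0.0.0", "103.13.148.2")        # catch-all toward the ISP
    isp = RoutingTable()
    isp.connected("103.13.148.0/29", "FastEthernet0/0")
    isp.connected("100.100.100.0/24", "FastEthernet1/0")
    isp.static("192.168.10.0", "255.255.255.0", "103.13.148.1")  # normal static route back
    return customer, isp


if __name__ == "__main__":
    customer, isp = build_lab_tables()
    for table, name, dst in ((customer, "CUSTOMER", "100.100.100.2"),
                             (isp, "ISP", "192.168.10.5"), (isp, "ISP", "8.8.8.8")):
        print(name, dst, "->", table.lookup(dst))
```

Note the last lookup: the ISP has no default route in this lab, so any destination outside its connected and static prefixes is dropped, which is the "stub network" point in reverse.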
Normally the customer's route to the ISP is a default route and the ISP's route to the customer is a normal static
route, as shown below:
Objective:
Configuration
CUSTOMER Router
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname CUSTOMER
CUSTOMER(config)#interface fastEthernet 0/1
CUSTOMER(config-if)#description CUSTOMER LAN
CUSTOMER(config-if)#ip address 192.168.10.1 255.255.255.0
CUSTOMER(config-if)#no shutdown
CUSTOMER(config-if)#exit
CUSTOMER(config)#interface fastEthernet 0/0
CUSTOMER(config-if)#description Connectivity to ISP
CUSTOMER(config-if)#ip address 103.13.148.1 255.255.255.248
CUSTOMER(config-if)#no shutdown
CUSTOMER(config-if)#exit
ISP ROUTER
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname ISP
ISP(config)#interface fastEthernet 0/0
ISP(config-if)#description Connectivity to CUSTOMER ROUTER
ISP(config-if)#ip address 103.13.148.2 255.255.255.248
ISP(config-if)#no shutdown
ISP(config-if)#exit
ISP(config)#interface fastEthernet 1/0
ISP(config-if)#description Connectivity to INTERNET
ISP(config-if)#ip address 100.100.100.1 255.255.255.0
ISP(config-if)#no shutdown
ISP(config-if)#end
Verification
Apply Ping from PC0 to PC1
C:\>ping 100.100.100.2
Reply from 100.100.100.2: bytes=32 time=1ms TTL=126
Reply from 100.100.100.2: bytes=32 time<1ms TTL=126
Reply from 100.100.100.2: bytes=32 time<1ms TTL=126
Reply from 100.100.100.2: bytes=32 time<1ms TTL=126
Successful.
On ISP Router
RIPv2 Configuration
IGPs are used for routing within networks that are under a common network administration,
whereas EGPs (exterior gateway protocols) are used to exchange routing information between
networks.
Distance-vector protocol.
Uses UDP port 520.
Classless protocol (support for CIDR).
Supports VLSMs.
Metric is router hop count.
Maximum hop count is 15; infinite (unreachable) routes have a metric of 16.
Periodic route updates sent every 30 seconds to multicast address 224.0.0.9.
25 routes per RIP message (24 if you use authentication).
Supports authentication.
Implements split horizon with poison reverse.
Implements triggered updates.
Subnet mask included in route entry.
Administrative distance for RIPv2 is 120.
Used in small, flat networks or at the edge of larger networks.
Prevents routing loops (Split Horizon, Route poisoning, Hold-down Timers and
Maximum hop Count)
Objective:
DU Router
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname DU
BUET
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname BUET
BUET(config-if)#description connected to BUET LAN
BUET(config-if)#ip address 100.100.100.1 255.255.255.0
BUET(config-if)#no shutdown
BUET(config-if)#exit
LAB 17 : RIP Basic Configuration
DU(config)#router rip
DU(config-router)#version 2
DU(config-router)#network 192.168.10.0
DU(config-router)#network 103.13.148.248
DU(config-router)#no auto-summary
BUET(config)#router rip
BUET(config-router)#version 2
BUET(config-router)#network 100.100.100.0
BUET(config-router)#network 103.13.148.248
BUET(config-router)#no auto-summary
The network command sends RIP updates to the associated network; we specify only the directly
connected networks of this router.
Auto summarization is turned on by default for RIPv2 and EIGRP, although these are classless
routing protocols, so you manually have to make them classless with the "no auto-summary"
command.
Verification
C:\>ping 100.100.100.100
RIP updates are sent out of every interface covered by a network command.
But we don't need to send updates everywhere: in our LAB the DU router does not need to
send RIP updates to the LAN switch.
We can use the passive-interface command to prevent RIP updates from being sent.
DU(config-router)#passive-interface f
DU(config-router)#passive-interface fastEthernet 0/1
Verification
DU#show ip protocols
RIP sends updates only to 224.0.0.9 (multicast address) via F0/0 (103.13.148.1), not out of
192.168.10.0/24.
We can see that the network is advertised but no RIP updates are sent
towards the DU LAN.
Plain text authentication is the default mode in every RIPv2 packet when
authentication is enabled. Plain text authentication should not be used when security is an
issue, because the unencrypted authentication password is sent in every RIPv2 packet. Note:
RIP version 1 (RIPv1) does not support authentication.
Objective:
Basic configuration of Router R1
RIP Configuration
DU(config)#router rip
DU(config-router)#version 2
DU(config-router)#network 192.168.10.0
DU(config-router)#network 192.168.20.0
DU(config-router)#no auto-summary
DU(config-router)#end
DU#
BUET#conf t
Enter configuration commands, one per line. End with CNTL/Z.
BUET(config)#interface fastEthernet 0/0
BUET(config-if)#ip address 192.168.10.2 255.255.255.0
BUET(config-if)#no shutdown
BUET(config-if)#exit
BUET(config)#interface fastEthernet 0/1
BUET(config-if)#ip address 192.168.30.1 255.255.255.0
BUET(config-if)#no shutdown
BUET(config-if)#exit
Configure RIP on R2
BUET(config)#router rip
BUET(config-router)#version 2
BUET(config-router)#network 192.168.10.0
BUET(config-router)#network 192.168.30.0
BUET(config-router)#no auto-summary
BUET(config-router)#end
BUET#
Configure Authentication
MD5 Authentication
The Cisco implementation of RIP v2 supports MD5 authentication. This provides a higher level
of security over clear text. Both router interfaces need to be configured with MD5
authentication. The key number and key string must match on both sides, or authentication
will fail.
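To show why the guide prefers MD5 over plain text, here is an added Python model of the two RIPv2 authentication entries (example code, neither the guide's nor Cisco's; the MD5 trailer follows the RFC 2082 keyed-digest idea but is not claimed to be a byte-exact copy of the IOS wire format). It builds a plain-text authenticated update and a keyed-MD5 one, then shows that the plain-text key is readable from the packet, that a wrong key-string or a missing key is rejected with the same "invalid authentication" result that this lab's debug ip rip output reports, and that a modified metric fails the digest. The routes and the key-string ashish are taken from the lab.

```python
import hashlib
import hmac
import ipaddress
import struct
from typing import Dict, List, Tuple

RIP_HEADER = struct.Struct("!BBH")         # command, version, must-be-zero
RIP_ENTRY = struct.Struct("!HH4s4s4sI")    # AFI, tag, prefix, mask, next hop, metric
AUTH_PLAIN = struct.Struct("!HH16s")       # AFI 0xFFFF, type 2, 16-byte password
AUTH_MD5_HDR = struct.Struct("!HHHBBI8x")  # AFI 0xFFFF, type 3, length, key id, 16, seq
AUTH_TRAILER = struct.Struct("!HH")        # AFI 0xFFFF, type 1, then 16-byte digest
DIGEST_LEN = 16
RESPONSE, VERSION2, PLAIN, KEYED_MD5 = 2, 2, 2, 3
Route = Tuple[str, int]                    # (prefix, metric)


def encode_routes(routes: List[Route]) -> bytes:
    out = b""
    for prefix, metric in routes:
        net = ipaddress.ip_network(prefix)
        out += RIP_ENTRY.pack(2, 0, net.network_address.packed, net.netmask.packed, bytes(4), metric)
    return out


def _pad_key(key: str) -> bytes:
    return key.encode().ljust(DIGEST_LEN, b"\0")


def _digest(pkt_without_digest: bytes, key: str) -> bytes:
    # Keyed digest in the RFC 2082 style: MD5 over the packet with the padded secret
    # appended. The key-string itself never travels in the packet.
    return hashlib.md5(pkt_without_digest + _pad_key(key)).digest()


def build_plaintext(routes: List[Route], password: str) -> bytes:
    """RIPv2 response with simple-password authentication (type 2)."""
    return (RIP_HEADER.pack(RESPONSE, VERSION2, 0)
            + AUTH_PLAIN.pack(0xFFFF, PLAIN, _pad_key(password))
            + encode_routes(routes))


def build_md5(routes: List[Route], key_id: int, key: str, seq: int) -> bytes:
    """RIPv2 response with keyed-MD5 authentication (type 3)."""
    body = encode_routes(routes)
    length = RIP_HEADER.size + AUTH_MD5_HDR.size + len(body) + AUTH_TRAILER.size
    pkt = (RIP_HEADER.pack(RESPONSE, VERSION2, 0)
           + AUTH_MD5_HDR.pack(0xFFFF, KEYED_MD5, length, key_id, DIGEST_LEN, seq)
           + body + AUTH_TRAILER.pack(0xFFFF, 1))
    return pkt + _digest(pkt, key)


def password_visible(packet: bytes) -> str:
    """What anyone capturing a plain-text authenticated update reads directly off the wire."""
    afi, atype, pw = AUTH_PLAIN.unpack_from(packet, RIP_HEADER.size)
    return pw.rstrip(b"\0").decode() if (afi, atype) == (0xFFFF, PLAIN) else ""


def receive(packet: bytes, keychain: Dict[int, str]) -> Tuple[bool, str, List[str]]:
    """Receiver-side check. keychain maps key id -> key-string; empty = no auth configured."""
    _cmd, version, _zero = RIP_HEADER.unpack_from(packet, 0)
    if version != VERSION2:
        return False, "not RIPv2", []
    afi, atype = struct.unpack_from("!HH", packet, RIP_HEADER.size)
    start, end = RIP_HEADER.size, len(packet)
    if afi == 0xFFFF and atype == PLAIN:
        if password_visible(packet) not in keychain.values():
            return False, "invalid authentication", []
        start += AUTH_PLAIN.size
    elif afi == 0xFFFF and atype == KEYED_MD5:
        _, _, length, key_id, auth_len, _seq = AUTH_MD5_HDR.unpack_from(packet, RIP_HEADER.size)
        key = keychain.get(key_id)
        if key is None or auth_len != DIGEST_LEN or length != len(packet) - DIGEST_LEN:
            return False, "invalid authentication", []
        if not hmac.compare_digest(_digest(packet[:length], key), packet[length:]):
            return False, "invalid authentication", []   # wrong key-string or altered data
        start += AUTH_MD5_HDR.size
        end = length - AUTH_TRAILER.size
    elif keychain:
        return False, "invalid authentication", []       # auth required, none presented
    routes = []
    for off in range(start, end, RIP_ENTRY.size):
        _afi, _tag, ip, mask, _nh, metric = RIP_ENTRY.unpack_from(packet, off)
        net = ipaddress.ip_network(f"{ipaddress.IPv4Address(ip)}/{ipaddress.IPv4Address(mask)}")
        routes.append(f"{net} metric {metric}")
    return True, "ok", routes


LAB_ROUTES = [("192.168.20.0/24", 1), ("192.168.10.0/24", 1)]   # what DU advertises to BUET
```

The digest comparison uses hmac.compare_digest so that the check takes the same time whether the first or the last byte differs; the plain-text branch cannot be made safer, because the secret it compares is already in the packet.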
DU Router
DU(config-keychain)#key 1
(This is the identification number of an authentication key on a key chain)
DU(config-keychain-key)#key-string ashish
(The actual password or key-string. It needs to be identical to the key-string
on the remote router)
DU(config-keychain-key)#exit
DU(config-keychain)#exit
BUET Router
Apply it to Interface
Now check using the debug command what happens if MD5 is enabled on the DU router and
not on the BUET router:
BUET#debug ip rip
BUET#
*Mar 1 00:09:03.883: RIP: ignored v2 packet from 192.168.10.1 (invalid authentication)
BUET#undebug all
BUET ROUTER
Now verify
BUET#debug ip rip
BUET#
Verification
DU#debug ip rip
RIP protocol debugging is on
DU#
*Mar 1 00:07:21.115: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/1
(192.168.20.1)
*Mar 1 00:07:21.115: RIP: build update entries
*Mar 1 00:07:21.115: 192.168.10.0/24 via 0.0.0.0, metric 1, tag 0
*Mar 1 00:07:21.119: 192.168.30.0/24 via 0.0.0.0, metric 2, tag 0
DU#
*Mar 1 00:07:39.775: RIP: received packet with text authentication ashish
*Mar 1 00:07:39.775: RIP: received v2 update from 192.168.10.2 on FastEthernet0/0
*Mar 1 00:07:39.779: 192.168.30.0/24 via 0.0.0.0 in 1 hops
DU#
*Mar 1 00:07:41.939: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0
(192.168.10.1)
*Mar 1 00:07:41.939: RIP: build update entries
*Mar 1 00:07:41.939: 192.168.20.0/24 via 0.0.0.0, metric 1, tag 0
DU#
*Mar 1 00:07:48.647: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/1
(192.168.20.1)
*Mar 1 00:07:48.647: RIP: build update entries
*Mar 1 00:07:48.647: 192.168.10.0/24 via 0.0.0.0, metric 1, tag 0
*Mar 1 00:07:48.651: 192.168.30.0/24 via 0.0.0.0, metric 2, tag 0
DU#undebug all
Introduction to EIGRP
EIGRP routers start sending hello packets to other routers, just as OSPF does; if
you send hello packets and receive them, you become neighbors.
EIGRP uses a rich set of metrics, namely bandwidth, delay, load and reliability. The
lower the resulting metric, the better.
Sophisticated metric that supports load balancing across unequal-cost paths.
Supports authentication (MD5 only).
Manual summarization at any interface.
Uses multicast 224.0.0.10.
EIGRP max hop count 255 (all 8 bits, 11111111).
Neighbor discovery and maintenance: periodic hello messages.
EIGRP neighbor-ship conditions:
Both routers must be in the same primary subnet.
Both routers must be configured to use the same K-values.
Both routers must be in the same AS.
Both routers must have the same authentication configuration (within reason).
The interfaces facing each other must not be passive.
An EIGRP router doesn't trust anyone blindly. It checks the configuration values listed above to ensure
that the requesting router is eligible to become its neighbor.
If you lose the successor because of a link failure, EIGRP copies the feasible
successor into the routing table. This is what makes EIGRP a FAST routing protocol, but
only if you have a feasible successor in the topology table.
RIP and OSPF can both do load balancing, but the paths have to be equal-cost. EIGRP can do
unequal-cost load balancing.
EIGRP packets:
Hello
Update
Query
Reply
ACK (Acknowledgement)
A neighbor is considered lost if no hello is received within three hello periods (called the hold
time). The default hello/hold timers are as follows:
5 seconds/15 seconds for multipoint circuits with bandwidth greater than T1 and for
point-to-point media
60 seconds/180 seconds for multipoint circuits with bandwidth less than or equal to T1
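An added Python check (not the guide's code) for the neighbor-ship conditions listed above and for the hello/hold timer: it reports every reason two interfaces would not form an adjacency, and a small neighbor-state class declares the neighbor down once no hello has arrived within the hold time. Timers are deliberately not compared, because EIGRP neighbors may run different hello/hold values. Router names, addresses and the key-string follow the R1/R2 labs later in this guide.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

K_DEFAULT = (1, 0, 1, 0, 0)   # K1..K5 as IOS ships them


@dataclass
class EigrpInterface:
    router: str
    address: str                        # e.g. "192.168.10.1/24"
    asn: int                            # from 'router eigrp <asn>'
    k_values: Tuple[int, int, int, int, int] = K_DEFAULT
    key_string: Optional[str] = None    # MD5 key in use; None = no authentication
    passive: bool = False
    hello: int = 5                      # default for fast / point-to-point links
    hold: int = 15                      # three hello periods


def adjacency_blockers(a: EigrpInterface, b: EigrpInterface) -> List[str]:
    """Every reason the two interfaces will not become neighbors; empty = adjacency forms."""
    reasons = []
    if a.asn != b.asn:
        reasons.append("AS mismatch")
    if a.k_values != b.k_values:
        reasons.append("K-value mismatch")
    if ipaddress.ip_interface(a.address).network != ipaddress.ip_interface(b.address).network:
        reasons.append("not in the same primary subnet")
    if a.key_string != b.key_string:
        reasons.append("authentication mismatch")
    if a.passive or b.passive:
        reasons.append("interface passive")
    # hello and hold values are deliberately not compared: they need not match
    return reasons


class NeighborState:
    """Hold timer: the neighbor stays up until 'hold' seconds pass without a hello."""

    def __init__(self, hold: int) -> None:
        self.hold = hold
        self.last_hello: Optional[float] = None

    def hello_received(self, now: float) -> None:
        self.last_hello = now

    def is_up(self, now: float) -> bool:
        return self.last_hello is not None and now - self.last_hello < self.hold


def lab_walkthrough() -> Dict[str, List[str]]:
    """R1 and R2 on the shared 192.168.10.0/24 segment, AS 10, as in the EIGRP labs."""
    r1 = EigrpInterface("R1", "192.168.10.1/24", 10)
    r2 = EigrpInterface("R2", "192.168.10.2/24", 10)
    out = {"defaults": adjacency_blockers(r1, r2)}
    r1.key_string = "ccnp"                 # MD5 applied on R1's F0/0 only
    out["md5_only_on_r1"] = adjacency_blockers(r1, r2)
    r2.key_string = "ccnp"                 # both sides now share the key-string
    out["md5_on_both"] = adjacency_blockers(r1, r2)
    r1.passive = True                      # 'passive-interface default' on R1
    out["r1_passive"] = adjacency_blockers(r1, r2)
    return out


if __name__ == "__main__":
    for step, reasons in lab_walkthrough().items():
        print(f"{step:>16}: {reasons or 'adjacency forms'}")
```

The passive step reproduces the %DUAL-5-NBRCHANGE "is down: interface passive" message that appears later in the passive-interface lab, and the mismatched-key step is the "authentication mismatch" outcome the guide names.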
EIGRP Summarization
Automatic summarization:
What if I entered a wrong key-string? The result is an authentication mismatch.
k1 = bandwidth
k2 = load
k3 = delay
k4 = reliability
k5 = MTU
A loopback interface is a virtual interface, one not associated with any hardware or
network.
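Added worked example (not the guide's) of the composite metric with the default K values, where only K1 (bandwidth) and K3 (delay) count, together with DUAL's successor and feasible-successor selection. The interface values are assumptions chosen to be consistent with the routing-table output in the summarization lab below: a link the lab routers treat as 10 Mbit Ethernet (BW 10000 kbit, DLY 1000 µs) followed by a loopback (BW 8000000 kbit, DLY 5000 µs) gives exactly the [90/409600] metric shown there.

```python
from typing import List, NamedTuple, Tuple

DEFAULT_K = (1, 0, 1, 0, 0)   # K1..K5 as IOS ships them: bandwidth and delay only


class Link(NamedTuple):
    bandwidth_kbps: int   # 'BW' from show interfaces
    delay_us: int         # 'DLY' from show interfaces, in microseconds


def eigrp_metric(path: List[Link], k=DEFAULT_K, load: int = 1, reliability: int = 255) -> int:
    """Classic EIGRP composite metric for a path made of the given links; lower is better."""
    k1, k2, k3, k4, k5 = k
    bw = 10**7 // min(l.bandwidth_kbps for l in path)     # slowest hop on the path
    dly = sum(l.delay_us for l in path) // 10              # cumulative delay in tens of µs
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * dly
    if k5 != 0:                                            # reliability term only when K5 is set
        metric = metric * k5 // (reliability + k4)
    return metric * 256


class Candidate(NamedTuple):
    via: str                # next-hop neighbor
    reported_distance: int  # the neighbor's own metric to the destination
    total_distance: int     # our metric through that neighbor


def dual_select(cands: List[Candidate]) -> Tuple[Candidate, List[Candidate]]:
    """Successor = lowest total distance; that value is the feasible distance (FD).
    Feasible successors = other candidates whose reported distance is strictly below FD,
    which guarantees a loop-free backup EIGRP can install without recomputation."""
    successor = min(cands, key=lambda c: c.total_distance)
    fd = successor.total_distance
    feasible = [c for c in cands if c is not successor and c.reported_distance < fd]
    return successor, feasible


# Assumed interface defaults (see lead-in); not values printed by the guide.
ETHERNET_10M = Link(10000, 1000)
FASTETHERNET = Link(100000, 100)
LOOPBACK = Link(8000000, 5000)


def lab_metric() -> int:
    """R2's metric to a loopback network on R1 across the shared Ethernet segment."""
    return eigrp_metric([ETHERNET_10M, LOOPBACK])


if __name__ == "__main__":
    print("metric via 10M Ethernet :", lab_metric())
    print("metric via FastEthernet :", eigrp_metric([FASTETHERNET, LOOPBACK]))
    succ, fs = dual_select([Candidate("R1", 128256, lab_metric()),
                            Candidate("R3", 300000, 500000),
                            Candidate("R4", 450000, 600000)])
    print("successor", succ.via, "feasible successors", [c.via for c in fs])
```

The sample candidates are constructed: R3 qualifies as a feasible successor because its reported distance (300000) is below the FD (409600), while R4's reported distance (450000) is not, even though R4's total path is only slightly worse.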
Basic Configuration
R1#conf t
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface loopback 0
R1(config-if)#ip address 10.10.10.1 255.255.255.0
R1(config-if)#exit
R2#conf t
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 192.168.10.2 255.255.255.0
R2(config-if)#no shutdown
R2(config)#interface loopback 0
R2(config-if)#ip address 11.11.11.1 255.255.255.0
R2(config-if)#exit
EIGRP Configuration
R1#conf t
R1(config)#router eigrp 10
R1(config-router)#network 192.168.10.0
R1(config-router)#network 10.10.10.0 0.0.0.255
R1(config-router)#no auto-summary
R1(config-router)#end
------------------------------------------------
R2#conf t
R2(config)#router eigrp 10
R2(config-router)#network 192.168.10.0
R2(config-router)#network 11.11.11.0 0.0.0.255
R2(config-router)#no auto-summary
R2(config-router)#end
Verification
R1#
*Mar 1 00:21:05.583: AS 10, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
*Mar 1 00:21:06.139: AS 10, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Mar 1 00:21:06.139: EIGRP: Received HELLO on Loopback0 nbr 10.10.10.1
R1#undegug all
If we want to advertise a network in EIGRP but we don't want to send hello packets
everywhere, we can use this feature.
Basic Configuration
R1#conf t
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface loopback 0
R1(config-if)#ip address 10.10.10.1 255.255.255.0
R1(config-if)#exit
R2#conf t
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 192.168.10.2 255.255.255.0
R2(config-if)#no shutdown
R2(config)#interface loopback 0
R2(config-if)#ip address 11.11.11.1 255.255.255.0
R2(config-if)#exit
EIGRP Configuration
R1#conf t
R1(config)#router eigrp 10
R1(config-router)#network 192.168.10.0
R1(config-router)#network 10.10.10.0 0.0.0.255
R1(config-router)#no auto-summary
R1(config-router)#end
------------------------------------------------
R2#conf t
R2(config)#router eigrp 10
R2(config-router)#network 192.168.10.0
R2(config-router)#network 11.11.11.0 0.0.0.255
R2(config-router)#no auto-summary
R2(config-router)#end
We can configure a passive interface in two ways. We apply the first method on router R1
and the second method on router R2.
R1#conf t
R1(config)#router eigrp 10
R1(config-router)#passive-interface default
*Mar 1 00:27:50.875: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor
192.168.10.2 (FastEthernet0/0) is down: interface passive
R1(config-router)#
The passive-interface default command makes all interfaces passive; then we re-enable the
specific interfaces we need with the "no passive-interface" command.
Verification
R1#show ip protocols
10.10.10.0/24
192.168.10.0
Passive Interface(s):
Serial0/0
FastEthernet0/1
Serial0/1
Serial0/2
FastEthernet1/0
Loopback0
VoIP-Null0
Second Method
R2(config)#router eigrp 10
R2(config-router)#passive-interface loopback 0
R2(config-router)#
R2#show ip protocols
Routing Protocol is "eigrp 10"
11.11.11.0/24
192.168.10.0
Passive Interface(s):
Loopback0
192.168.10.1 90 00:05:44
-------------------------------------------------------------------------------------------------
*Mar 1 00:37:44.567: EIGRP: Sending HELLO on FastEthernet0/0
*Mar 1 00:37:44.567: AS 10, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
R2#
*Mar 1 00:37:46.671: EIGRP: Received HELLO on FastEthernet0/0 nbr 192.168.10.1
*Mar 1 00:37:46.671: AS 10, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
R2#
*Mar 1 00:37:49.563: EIGRP: Sending HELLO on FastEthernet0/0
*Mar 1 00:37:49.563: AS 10, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
R2#undebu
*Mar 1 00:37:51.143: EIGRP: Received HELLO on FastEthernet0/0 nbr 192.168.10.1
*Mar 1 00:37:51.147: AS 10, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
R2#undebug all
All possible debugging has been turned off
R2#
*Mar 1 00:37:53.871: EIGRP: Sending HELLO on FastEthernet0/0
*Mar 1 00:37:53.871: AS 10, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
R2#
------------------------------------------------------------------------------------------------------------------------------------------
EIGRP provides benefits like fast convergence, incremental updates and support for multiple
network layer protocols. EIGRP supports Message Digest 5 (MD5) authentication to prevent
malicious and incorrect routing information from being introduced into the routing table of a
Cisco router.
Basic Configuration
R1#conf t
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface loopback 0
R1(config-if)#ip address 10.10.10.1 255.255.255.0
R1(config-if)#exit
R2#conf t
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 192.168.10.2 255.255.255.0
R2(config-if)#no shutdown
R2(config)#interface loopback 0
R2(config-if)#ip address 11.11.11.1 255.255.255.0
R2(config-if)#exit
EIGRP Configuration
R1#conf t
R1(config)#router eigrp 10
R1(config-router)#network 192.168.10.0
R1(config-router)#network 10.10.10.0 0.0.0.255
R1(config-router)#no auto-summary
R1(config-router)#end
R2#conf t
R2(config)#router eigrp 10
R2(config-router)#network 192.168.10.0
R2(config-router)#network 11.11.11.0 0.0.0.255
R2(config-router)#no auto-summary
R2(config-router)#end
EIGRP Authentication
R1(config-keychain)#key 1
Specify the keychain id
R1(config-keychain-key)#key-string ccnp
Specify the password
N.B. A shared authentication key, which is the same on both routers, must be configured. The
password is known as the 'key'.
R2(config)#key chain venus
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string ccnp
R2(config-keychain-key)#exit
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip authentication mode eigrp 10 md5
R2(config-if)#ip authentication key-chain eigrp 10 venus
*Mar 1 01:31:02.455: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor
192.168.10.1 (FastEthernet0/0) is up: new adjacency
R2(config-if)#
R1#show ip eigrp interfaces detail
Basic Configuration
R1#conf t
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface loopback 0
R1(config-if)#ip address 10.10.10.1 255.255.255.0
R1(config-if)#exit
R2#conf t
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 192.168.10.2 255.255.255.0
R2(config-if)#no shutdown
R2(config)#interface loopback 0
R2(config-if)#ip address 11.11.11.1 255.255.255.0
R2(config-if)#exit
EIGRP Configuration
R1#conf t
R1(config)#router eigrp 10
R1(config-router)#network 192.168.10.0
R1(config-router)#network 10.10.10.0 0.0.0.255
R1(config-router)#no auto-summary
R1(config-router)#end
R2#conf t
R2(config)#router eigrp 10
R2(config-router)#network 192.168.10.0
R2(config-router)#network 11.11.11.0 0.0.0.255
R2(config-router)#no auto-summary
R2(config-router)#end
But it can be changed as follows:
N.B. It is possible for two routers to become EIGRP neighbors even though the hello and hold
timers do not match.
Summarization is used to reduce the size of a routing table, thus reducing the load on CPU and
memory.
Basic Configuration of R1 and R2
R1#conf t
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface loopback 0
R1(config-if)#ip address 172.16.0.1 255.255.255.0
R1(config-if)#interface loopback 1
R1(config-if)#ip address 172.16.1.1 255.255.255.0
R1(config-if)#interface loopback 2
R1(config-if)#ip address 172.16.2.1 255.255.255.0
R1(config-if)#interface loopback 3
R1(config-if)#ip address 172.16.3.1 255.255.255.0
R1(config-if)#interface loopback 4
R1(config-if)#ip address 172.16.4.1 255.255.255.0
R1(config-if)#
R2#conf t
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 192.168.10.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
EIGRP Configuration
R1#conf t
R1(config)#router eigrp 10
R1(config-router)#network 192.168.10.0
R1(config-router)#network 172.16.0.0
R1(config-router)#network 172.16.1.0
R1(config-router)#network 172.16.2.0
R1(config-router)#network 172.16.3.0
R1(config-router)#network 172.16.4.0
R1(config-router)#no auto-summary
-------------------------------------------------------------------
R2(config)#router eigrp 10
R2(config-router)#network 192.168.10.0
R2(config-router)#no auto-summary
R2(config-router)#end
R1#show ip route
R2#show ip route
Router R2 receives a number of EIGRP routes from R1, so we will now reduce the size of the routing
table of R2.
Verification
R2#show ip route
C 192.168.10.0/24 is directly connected, FastEthernet0/0
172.16.0.0/21 is subnetted, 1 subnets
D 172.16.0.0 [90/409600] via 192.168.10.1, 00:00:15, FastEthernet0/0
R2#show ip route eigrp
172.16.0.0/21 is subnetted, 1 subnets
D 172.16.0.0 [90/409600] via 192.168.10.1, 00:05:05, FastEthernet0/0
Now we can see that router R2 has only one summary route.
DU Router
1. Basic Configuration
DU>en
DU#conf t
Enter configuration commands, one per line. End with CNTL/Z.
DU(config)#hostname DU
DU(config)#enable password cisco
DU(config-line)#login
DU(config-line)#exit
BUET Router
1. Basic Configuration
BUET#conf t
Enter configuration commands, one per line. End with CNTL/Z.
BUET(config)#hostname BUET
BUET(config)#enable secret cisco
BUET(config-line)#login
BUET(config-line)#exit
Main Configuration
============
EIGRP Configuration and advertise network
=================================
DU(config)#router eigrp 10
DU(config-router)#network 192.168.10.0
DU(config-router)#network 192.168.20.0
DU(config-router)#network 172.16.1.0
DU(config-router)#network 172.16.2.0
DU(config-router)#network 172.16.3.0
DU(config-router)#network 172.16.0.0 0.0.0.255
DU(config-router)#no auto-summary
BUET#conf t
Enter configuration commands, one per line. End with CNTL/Z.
BUET(config)#router eigrp 10
BUET(config-router)#network 192.168.20.0
BUET(config-router)#network 192.168.30.0
BUET(config-router)#no auto-summary
BUET(config-router)#
DU(config-keychain-key)#exit
DU(config-keychain)#exit
DU(config)#
BUET(config)#router eigrp 10
BUET(config-router)#passive-interface fastEthernet 0/1
Troubleshooting commands
# show ip route
# show ip eigrp neighbors / topology / interfaces
# show ip interface F0/0
# show ip protocols
OSPF Fundamentals
It uses the Dijkstra shortest path algorithm (it constructs a shortest path tree and then populates the routing table with the best routes)
No limit on hop count
Metric is cost (cost = 10^8 / bandwidth in bps)
Administrative distance is 110
It is a classless routing protocol
Supports VLSM and CIDR
Supports only IP routing
Supports only equal-cost load balancing
Uses the concept of areas for easier management and hierarchical design
Must have one area as Area 0, which is called the backbone area
All other areas must connect to Area 0
Scalability is better than that of distance vector routing protocols
Supports authentication
Updates are sent to the multicast addresses 224.0.0.5 (all OSPF routers) and 224.0.0.6 (all designated routers)
Faster convergence
Sends Hello packets every 10 seconds
Triggered / incremental updates: an update is sent only when a change occurs in the network, and it carries only the change, not the complete routing table; LSAs are sent when a change occurs and describe only that change
LSAs are refreshed every 30 minutes
Forms neighbors with adjacent routers in the same area
LSAs are used to advertise directly connected links
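To make the first two points concrete, here is an added Python example (it is not part of the lab guide) that builds a small link-state database from constructed links, derives each link's cost with the cost = 10^8 / bandwidth formula above, runs Dijkstra from one router and turns the resulting shortest path tree into a routing table. It also keeps every equal-cost next hop, which is the equal-cost load balancing the list mentions. The router names, bandwidths and topology are assumptions made for the example; the T1 link between R1 and R3 shows that OSPF prefers the two-hop FastEthernet path over the one-hop serial path because only cost counts, not hop count.

```python
import heapq

REFERENCE_BANDWIDTH = 10**8  # 100 Mbps, the default OSPF reference bandwidth


def ospf_cost(bandwidth_bps):
    """Interface cost = reference bandwidth / interface bandwidth, never below 1."""
    return max(1, REFERENCE_BANDWIDTH // bandwidth_bps)


# Constructed link-state database: (router, router, link bandwidth in bps).
LINKS = [
    ("R1", "R2", 100_000_000),  # FastEthernet, cost 1
    ("R1", "R5", 100_000_000),  # FastEthernet, cost 1
    ("R2", "R3", 100_000_000),  # FastEthernet, cost 1
    ("R1", "R3", 1_544_000),    # T1 serial, cost 64
    ("R2", "R4", 10_000_000),   # Ethernet, cost 10
    ("R5", "R4", 10_000_000),   # Ethernet, cost 10
]


def build_graph(links):
    """Adjacency map {router: {neighbor: cost}} with costs derived from bandwidth."""
    graph = {}
    for a, b, bandwidth in links:
        cost = ospf_cost(bandwidth)
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def spf(graph, root):
    """Dijkstra from root. Returns the total cost per router and, for each router,
    the set of predecessors on all equal-cost shortest paths (the SPT)."""
    dist = {root: 0}
    prev = {root: set()}
    heap = [(0, root)]
    done = set()
    while heap:
        d, node = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        for nbr, cost in graph[node].items():
            nd = d + cost
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                prev[nbr] = {node}
                heapq.heappush(heap, (nd, nbr))
            elif nd == dist[nbr] and nbr not in done:
                prev[nbr].add(node)  # another path with exactly the same cost
    return dist, prev


def next_hops(prev, root, dest):
    """Walk the shortest path tree back toward root to find the first hop(s)."""
    hops, stack, seen = set(), [dest], set()
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        for p in prev[node]:
            if p == root:
                hops.add(node)
            else:
                stack.append(p)
    return hops


def routing_table(graph, root):
    """{destination: (cost, sorted next hops)}: the best routes placed in the RIB."""
    dist, prev = spf(graph, root)
    return {dest: (cost, tuple(sorted(next_hops(prev, root, dest))))
            for dest, cost in dist.items() if dest != root}


if __name__ == "__main__":
    for dest, (cost, hops) in sorted(routing_table(build_graph(LINKS), "R1").items()):
        print(f"{dest}: cost {cost} via {', '.join(hops)}")
```

R4 ends up with two next hops (R2 and R5) at cost 11, which is the only kind of load balancing OSPF performs; R3 is reached through R2 at cost 2 even though the direct serial link is a single hop.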
Neighbor Table: Contains the list of directly connected neighbors (routers). We can see the table using the command "show ip ospf neighbor".
Database Table: Known as the link-state database (LSDB). All possible routes to any network in the same area are contained in this table. It can be seen with "show ip ospf database".
Routing Table: The best paths to reach each destination. The routing table can be seen using the "show ip route" command.
OSPF works with the concept of areas, and by default you will always have a single area; normally this is area 0, also called the backbone area.
Internal Router: A router for which all interfaces belong to one area.
Area Border Router (ABR): A router that has interfaces in more than one area.
Backbone Router: A router that has all or at least one interface in Area 0.
Autonomous System Boundary Router (ASBR): A router with a connection to a separate autonomous system.
Advantages of OSPF
Disadvantages of OSPF
Once you configure OSPF, your router will start sending hello packets. If you also receive hello packets from the other router, you will become neighbors.
Each LSA has an aging timer, carried in the link-state age field. By default each OSPF LSA is only valid for 30 minutes.
If the LSA expires, the router that created the LSA resends it with an increased sequence number.
OSPF has to go through 7 states in order to form a full neighbor relationship; here they are:
Hellos are the keepalives for OSPF. If a Hello is not received within 4 Hello periods, the neighbor is considered dead (4 Hello periods = dead time). The hello and dead timers are as follows:
LAN and point-to-point interfaces: Hello 10 seconds, Dead timer 40 seconds
Non-broadcast multi-access (NBMA) interfaces: Hello 30 seconds, Dead timer 120 seconds
There are 11 types of LSA in total, but the well-known types are as follows.
LSA Type-1 | Router LSA: Each router generates a Type 1 LSA that lists its active interfaces, IP addresses, neighbors and the cost to each. It is flooded inside the router's area. The link ID is the router's ID.
LSA Type-2 | Network LSA (generated by the DR): The Type 2 LSA is created by the DR on a multi-access network and represents the subnet and the router interfaces connected to that network. The link ID is the DR's interface IP address. It does not cross area boundaries.
LSA Type-3 | Summary LSA (ABR summary route): Generated by Area Border Routers (ABRs). Type 3 LSAs advertise the networks of one area to the rest of the areas in the AS. The link-state ID used by this LSA is the advertised network number. It describes how to reach from one area to another and carries the summary of the networks. Type 3 routes are inter-area routes, shown as O IA.
LSA Type-4 | Summary LSA (just the IP address of the ASBR): Describes how to reach the ASBR. The ABR tells the routers in other areas to use it to reach the ASBR; that is, the ABR passes on the ASBR summary route.
LSA Type-5 | External LSA (ASBR summary route): The ASBR creates the routes to external networks and tells the other routers that it knows the path to them. (Type 4 tells the other routers how to reach the ASBR.) These routes appear as O E1 or O E2.
NSSA External LSA (Type 7): Type 7 LSAs allow external routes to be injected through a Not-So-Stubby Area (NSSA). Normally external routes are advertised by Type 5 LSAs, but those are not allowed inside any stub area. That is why the Type 7 LSA is used. It is generated by the NSSA ASBR and translated into a Type 5 LSA by the NSSA ABR as it leaves the area; from there it is propagated throughout the network as a Type 5 LSA.
A stub area does not let external routes pass through it, so an NSSA is used, which allows only Type 7 LSAs.
Area Types
Normal Areas: These areas can be either standard areas or transit (backbone) areas. Standard areas are areas that accept intra-area, inter-area and external routes. The backbone area is the central area to which all other OSPF areas connect.
Stub Areas: These areas do not accept routes belonging to external autonomous systems (AS); however, they do have inter-area and intra-area routes. In order to reach outside networks, the routers in the stub area use a default route which is injected into the area by the Area Border Router (ABR).
Totally Stub Areas: These areas do not accept routes belonging to external autonomous systems (AS), and even inter-area routes (summary routes) are not propagated inside a totally stubby area. Only the default route is propagated within the area: the ABR injects a default route into the area, and all the routers belonging to this area use it to send any traffic outside the area.
NSSA: This type of area allows the flexibility of importing a few external routes into the area while still trying to retain the stub characteristics.
OSPF can do summarization, but it is impossible to summarize within an area. This means we have to configure summarization on an ABR or ASBR. OSPF can only summarize LSA types 3 and 5.
Plaintext authentication
MD5 authentication
Point-to-Point
On High-Level Data Link Control (HDLC) and Point-to-Point Protocol (PPP) links, OSPF runs as the point-to-point network type.
Broadcast
Non-Broadcast
Frame Relay and ATM are probably the most common examples of non-broadcast transport, requiring individual permanent virtual circuits (PVCs) to be configured between end points.
Non-Broadcast Multi-Access (NBMA)
An NBMA segment emulates the function of a broadcast network. Every router on the segment must be configured with the IP address of each of its neighbors. OSPF hello packets are then individually transmitted as unicast packets to each adjacent neighbor.
Point-to-Multipoint
No DR/BDR election, since OSPF sees the network as a collection of point-to-point links.
Only a single IP subnet is used in the topology above.
DR/BDR election is per multi-access segment, not per area. Each multi-access segment (for example an Ethernet segment) will have a Designated Router (DR) and a Backup Designated Router (BDR).
The other routers, which are neither DR nor BDR, are DROTHERs. A DROTHER on the segment forms a full adjacency with the DR and the BDR. DR/BDR is a property of a router's interface, not of the entire router.
DRs reduce network traffic, as only they maintain the complete OSPF database for the segment and then send updates to the other routers on the shared network segment.
The router with the highest priority on the data link wins the election, but by default all priorities are 1. In that case the router with the highest Router ID wins.
Assuming all OSPF router processes start at the same time, Router0 and Router1 win the election for DR and BDR respectively because they have the highest Router IDs on the segment. The other routers become DROTHERs.
Here Router2 and Router3 form a full adjacency with Router0 (DR) and Router1 (BDR).
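The election rule just described, as an added Python example that is not part of the lab guide. It models the case the text assumes, where every router starts at the same time: highest interface priority wins, ties go to the numerically highest Router ID, a priority of 0 makes a router ineligible, and only the DR and BDR form full adjacencies with everyone else. The Router IDs and priorities in SEGMENT are constructed for the example; a real OSPF election is not preemptive, so a router that joins later with a higher priority does not take the DR role away, which this simple model does not attempt to show.

```python
import ipaddress

# Constructed segment: (router name, Router ID, interface priority).
# Priority 0 means the router never takes part in the election.
SEGMENT = [
    ("Router0", "4.4.4.4", 1),
    ("Router1", "3.3.3.3", 1),
    ("Router2", "2.2.2.2", 1),
    ("Router3", "1.1.1.1", 1),
]


def election_key(router):
    """Higher priority wins; ties go to the numerically highest Router ID.
    Comparing the ID as an integer avoids the string-order trap ('9.' > '10.')."""
    _name, router_id, priority = router
    return (priority, int(ipaddress.ip_address(router_id)))


def elect_dr_bdr(routers):
    """Simultaneous-start election: highest becomes DR, second highest BDR,
    everyone else DROTHER. Returns (dr, bdr, [drothers])."""
    eligible = sorted((r for r in routers if r[2] > 0), key=election_key, reverse=True)
    dr = eligible[0][0] if eligible else None
    bdr = eligible[1][0] if len(eligible) > 1 else None
    drothers = [r[0] for r in routers if r[0] not in (dr, bdr)]
    return dr, bdr, drothers


def full_adjacencies(routers):
    """Router pairs that reach FULL state on the segment: the DR and BDR with
    every other router (including each other). DROTHER-to-DROTHER stays 2-WAY."""
    dr, bdr, _ = elect_dr_bdr(routers)
    pairs = set()
    for leader in (x for x in (dr, bdr) if x is not None):
        for name, _, _ in routers:
            if name != leader:
                pairs.add(frozenset((leader, name)))
    return pairs


if __name__ == "__main__":
    dr, bdr, others = elect_dr_bdr(SEGMENT)
    print(f"DR={dr} BDR={bdr} DROTHER={others}")
    print(f"{len(full_adjacencies(SEGMENT))} full adjacencies on the segment")
```

With four routers the segment carries 5 full adjacencies instead of the 6 a full mesh would need; the saving grows quickly with more routers, which is the traffic reduction the text attributes to the DR.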
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1. BASIC CONFIGURATION
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
R1#conf t
R1(config)#interface loopback 0
R1(config-if)#ip address 172.16.0.1 255.255.255.0
R1(config-if)#interface loopback 1
R1(config-if)#ip address 172.16.1.1 255.255.255.0
R1(config-if)#interface loopback 2
R1(config-if)#ip address 172.16.2.1 255.255.255.0
R1(config-if)#interface loopback 3
R1(config-if)#ip address 172.16.3.1 255.255.255.0
R1(config-if)#exit
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.12.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
===================================================================
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 192.168.12.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
LAB 26 : OSPF BASIC CONFIGURATION
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
R1(config)#router ospf 1
R1(config-router)#network 172.16.0.0 0.0.3.255 area 0
R1(config-router)#network 192.168.12.0 0.0.0.255 area 1
R2#conf t
R2(config)#router ospf 1
R2(config-router)#network 192.168.12.0 0.0.0.255 area 1
R2(config-router)#network 192.168.23.0 0.0.0.255 area 2
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#router ospf 1
R3(config-router)#network 192.168.23.0 0.0.0.255 area 2
R3(config-router)#exit
Wildcard masks are used to specify a range of network addresses. They are commonly used with routing protocols (like OSPF) and access lists:
To indicate the size of a network or subnet for some routing protocols, such as OSPF.
To indicate which IP addresses should be permitted or denied in access control lists (ACLs).
Rules:
Subnet mask 255.255.255.255 -> wildcard 0.0.0.0
Subnet mask 255.255.255.0 -> wildcard 0.0.0.255
For any other octet value (neither 0 nor 255), work out the block size: the wildcard octet is the block size minus one, i.e. 255 minus the mask octet.
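The rules above, worked through in an added Python example that is not part of the lab guide. It converts a subnet mask to its wildcard octet by octet, shows the block-size rule for an octet that is neither 0 nor 255, and implements the bit test a router applies: a wildcard bit of 0 means the address bit must match, a 1 means it is ignored. The last function answers which of R1's interfaces a statement such as "network 172.16.0.0 0.0.3.255 area 0" from the lab would enable; the interface list is taken from R1's configuration above (loopback 1 assumed to be 172.16.1.1). Because the test is bitwise, it also goes beyond the table: a non-contiguous wildcard such as 0.0.254.255 matches only even values in the third octet, which is impossible to express with a subnet mask.

```python
import ipaddress


def mask_to_wildcard(mask):
    """Wildcard = 255 - mask, octet by octet (block size minus one)."""
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))


def block_size(mask_octet):
    """Size of each block the octet's mask splits the 0-255 range into."""
    return 256 - mask_octet


def wildcard_match(address, network, wildcard):
    """True when every bit whose wildcard bit is 0 equals the network's bit."""
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(address)) & care) == (
        int(ipaddress.ip_address(network)) & care)


def interfaces_selected(network, wildcard, interface_addresses):
    """Interface addresses a 'network <net> <wildcard>' statement would enable."""
    return [ip for ip in interface_addresses
            if wildcard_match(ip, network, wildcard)]


# R1's interface addresses from the OSPF lab (loopback 1 assumed 172.16.1.1).
R1_INTERFACES = ["172.16.0.1", "172.16.1.1", "172.16.2.1", "172.16.3.1", "192.168.12.1"]


if __name__ == "__main__":
    print("255.255.252.0 ->", mask_to_wildcard("255.255.252.0"))
    print("area 0 would enable:",
          interfaces_selected("172.16.0.0", "0.0.3.255", R1_INTERFACES))
```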
===========================================================================
Verification
=============
Here we can see that the neighborship is formed, but there are no routes to area 0 and area 1.
So we now have to configure a virtual link on R1 and R2 through area 1.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
LAB : 27 OSPF VIRTUAL-LINK
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
In OSPF every other area must be connected to area 0 (the backbone area), either physically or virtually. In our figure area 1 is directly connected to area 0, but area 2 is not. So here area 2 has to be connected to area 0 virtually. In this lab we will see how:
First we configure a Router ID on routers R1 and R2.
R1(config-router)#router-id 1.1.1.1
R1(config-router)#
R2(config-router)#router-id 2.2.2.2
Reload the router or use the "clear ip ospf process" command for this to take effect.
R2#clear ip ospf process
Reset ALL OSPF processes? [no]: yes
We must run this command for the configuration to take effect (this is also called a soft reset).
R1(config)#router ospf 1
R1(config-router)#area 1 virtual-link 2.2.2.2
R2(config)#router ospf 1
R2(config-router)#area 1 virtual-link 1.1.1.1
===========
Now verify
============
R3#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/38/52 ms
--------------------------------------------------------------------------
Transit area 1, via interface FastEthernet0/0, Cost of using 10
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:07
Adjacency State FULL (Hello suppressed)
Index 1/3, retransmission queue length 0, number of retransmission 1
First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
Last retransmission scan length is 1, maximum is 1
Last retransmission scan time is 0 msec, maximum is 0 msec
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
LAB 28: OSPF authentication
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
============
Verification
===========
R1#show ip ospf interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
Internet Address 192.168.12.1/24, Area 1
Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 2.2.2.2, Interface address 192.168.12.2
Backup Designated router (ID) 1.1.1.1, Interface address 192.168.12.1
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:02
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 1/5, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 3, maximum is 3
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 2.2.2.2 (Designated Router)
Suppress hello for 0 neighbor(s)
Simple password authentication enabled
R1#
Verification
===========
R2#show ip ospf interface f0/1
FastEthernet0/1 is up, line protocol is up
Internet Address 192.168.23.2/24, Area 2
Process ID 1, Router ID 2.2.2.2, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 192.168.23.3, Interface address 192.168.23.3
Backup Designated router (ID) 2.2.2.2, Interface address 192.168.23.2
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:05
Supports Link-local Signaling (LLS)
Index 1/2, flood queue length 0
Last flood scan length is 1, maximum is 4
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 192.168.23.3 (Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1
OSPF does not support auto summarization, only manual. OSPF route summarization can be of
two types:
1. Internal route summarization;
2. External route summarization.
R1(config)#router ospf 1
R1(config-router)#area 0 range 172.16.0.0 255.255.252.0
R1(config-router)#end
-------------------------------------------------
R1#clear ip ospf process
R2#clear ip ospf process
R3#clear ip ospf process
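The summary calculation behind both the EIGRP lab above (where R2 ended up with the single 172.16.0.0/21 route for R1's five loopbacks) and the "area 0 range 172.16.0.0 255.255.252.0" just configured, as an added Python example that is not part of the lab guide. It finds the smallest prefix that covers a list of networks, renders the matching IOS command (the EIGRP interface command "ip summary-address eigrp" is not shown on the page and is only named here), and adds the check a practitioner wants before committing a summary: how many addresses the summary claims that no component network actually owns, and which networks fall outside a range and therefore keep being advertised individually. The loopback lists are constructed from the lab configurations, with loopback 1 in the OSPF lab taken as 172.16.1.1, and the components are assumed not to overlap one another.

```python
import ipaddress

# Constructed from the lab configs: R1's loopbacks in the EIGRP lab (five /24s)
# and in the OSPF lab (four /24s, loopback 1 taken as 172.16.1.1).
EIGRP_LOOPBACKS = ["172.16.0.0/24", "172.16.1.0/24", "172.16.2.0/24",
                   "172.16.3.0/24", "172.16.4.0/24"]
OSPF_LOOPBACKS = EIGRP_LOOPBACKS[:4]


def summarize(prefixes):
    """Smallest single prefix that contains every network in prefixes."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    first = min(n.network_address for n in nets)
    last = max(n.broadcast_address for n in nets)
    # Every candidate contains 'first', so the candidates nest; counting down
    # from /32, the first block that also reaches 'last' is the longest prefix.
    for plen in range(32, -1, -1):
        candidate = ipaddress.ip_network(f"{first}/{plen}", strict=False)
        if candidate.broadcast_address >= last:
            return candidate
    raise ValueError("no covering prefix")  # unreachable for valid IPv4 input


def summary_command(protocol, prefixes, area=0, eigrp_as=10):
    """Render the IOS command for the summary (EIGRP AS 10 and OSPF area 0 as in the labs)."""
    s = summarize(prefixes)
    if protocol == "eigrp":
        return f"ip summary-address eigrp {eigrp_as} {s.network_address} {s.netmask}"
    return f"area {area} range {s.network_address} {s.netmask}"


def unowned_addresses(prefixes, summary):
    """Addresses the summary claims that no component prefix owns. Traffic for
    them is attracted by the summary and then dropped (or looped) at the
    summarizing router. Assumes the components do not overlap each other."""
    owned = 0
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=False)
        if net.subnet_of(summary):
            owned += net.num_addresses
    return summary.num_addresses - owned


def outside_range(prefixes, range_statement):
    """Prefixes not covered by a '<network> <mask>' range; OSPF keeps advertising
    these as individual Type 3 LSAs alongside the summary."""
    network, mask = range_statement.split()
    rng = ipaddress.ip_network(f"{network}/{mask}", strict=False)
    return [p for p in prefixes
            if not ipaddress.ip_network(p, strict=False).subnet_of(rng)]


if __name__ == "__main__":
    s = summarize(EIGRP_LOOPBACKS)
    print(summary_command("eigrp", EIGRP_LOOPBACKS),
          "-> unowned addresses:", unowned_addresses(EIGRP_LOOPBACKS, s))
    print(summary_command("ospf", OSPF_LOOPBACKS))
    print("outside /22 range:", outside_range(EIGRP_LOOPBACKS, "172.16.0.0 255.255.252.0"))
```

The /21 summary for five /24s claims 768 addresses (three /24 blocks) that R1 does not own, while the /22 for four /24s is exact; the difference is worth knowing before a summary is advertised, because the router that originates it becomes the destination for everything in the unowned space.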
Designing a wide area network (WAN) is one of the most challenging issues: we have to choose the correct connection type. Most carriers offer three connection types:
1. Circuit-switched connections
2. Packet-switched or cell-switched connections
3. Dedicated connections
Circuit-switched connections:
For asynchronous dial-in (PSTN) and ISDN services, the telephone companies use circuit switching.
HDLC
PPP
PPP, or Point-to-Point Protocol, is a Layer 2 (data-link layer) protocol used mainly for WANs. PPP features two methods of authentication:
PAP sends the password in clear text, whereas CHAP sends it in encrypted form.
PPP encapsulation is possible only over a serial link.
PPP encapsulates Layer 3 data over point-to-point links.
PPP uses a Network Control Protocol (NCP) component to encapsulate multiple protocols and uses the Link Control Protocol (LCP) to set up and negotiate control options on the data link.
PPP supports multivendor devices.
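The difference between the two authentication methods, as an added Python example that is not part of the lab guide. CHAP (RFC 1994) never puts the password on the link: the authenticator sends a random challenge and its hostname, the peer looks up the shared secret under that hostname (which is why the username on each router is the other router's hostname, as the lab says) and answers with MD5(identifier + secret + challenge), and the authenticator recomputes the same hash to verify. PAP, by contrast, sends username and password as they are. The hostnames Ashish and buet come from the lab; the shared secret and message layout are constructed for the example.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class PppRouter:
    """One router's 'username <peer-hostname> password <secret>' table (constructed)."""

    def __init__(self, hostname, usernames):
        self.hostname = hostname
        self.usernames = usernames      # {peer hostname: shared secret as bytes}
        self.outstanding = {}           # identifier -> challenge we issued

    def challenge(self, identifier, value=None):
        """Authenticator -> peer: Challenge packet carrying our hostname."""
        value = os.urandom(16) if value is None else value
        self.outstanding[identifier] = value
        return {"code": "Challenge", "id": identifier, "value": value, "name": self.hostname}

    def respond(self, msg):
        """Peer -> authenticator: a hash over the secret, never the secret itself.
        The secret is looked up by the challenger's hostname."""
        secret = self.usernames.get(msg["name"])
        if secret is None:
            return None                 # no username entry for that peer
        digest = chap_response(msg["id"], secret, msg["value"])
        return {"code": "Response", "id": msg["id"], "value": digest, "name": self.hostname}

    def verify(self, msg):
        """Authenticator recomputes the hash; constant-time compare; each challenge
        is consumed, so a captured Response cannot be replayed later."""
        challenge = self.outstanding.pop(msg["id"], None)
        secret = self.usernames.get(msg["name"])
        if challenge is None or secret is None:
            return False
        expected = chap_response(msg["id"], secret, challenge)
        return hmac.compare_digest(expected, msg["value"])


def chap_handshake(authenticator, peer, identifier=1, challenge=None):
    """Run the three-way exchange; True when the peer proves it knows the secret."""
    response = peer.respond(authenticator.challenge(identifier, challenge))
    return response is not None and authenticator.verify(response)


def pap_request(username, password):
    """PAP's Authenticate-Request: both values travel in clear text on the link."""
    return {"code": "Authenticate-Request", "peer-id": username, "password": password}


if __name__ == "__main__":
    ashish = PppRouter("Ashish", {"buet": b"example-secret"})    # username buet ...
    buet = PppRouter("buet", {"Ashish": b"example-secret"})      # username Ashish ...
    print("CHAP Ashish -> buet:", chap_handshake(ashish, buet))
    print("PAP on the wire:", pap_request("buet", "example-secret"))
```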
Configuration on Ashish Router
Basic Configuration
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface serial 0/1/0
Router(config-if)#ip address 103.13.148.1 255.255.255.248
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#hostname Ashish
Ashish(config)#interface fastEthernet 0/0
Ashish(config-if)#ip add
Ashish(config-if)#ip address 192.168.10.1 255.255.255.0
Ashish(config-if)#no shut
Ashish(config-if)#no shutdown
PPP Configuration
For PPP configuration we must configure a hostname and a username. On this router the username will be the hostname of the peer router, i.e. buet.
Configure Static Route
Ashish(config)#ip route 192.168.20.0 255.255.255.0 103.13.148.2
Ashish(config)#
BUET Router
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname buet
buet(config-if)#no shutdown
On this router the username will be the hostname of the peer router, i.e. Ashish.
Verification :
C:\>ping 192.168.20.2
The clock rate sets the speed of the serial link. It does not matter much which clock rate we use. We can use a command to verify that the DTE router has received the clock rate:
Interface Serial0/1/0
Hardware is PowerQUICC MPC860
DTE V.35 TX and RX clocks detected
In the example above, Ashish is the DTE side and it has received a clock rate. "show controllers" is a useful command when you do not have physical access to your hardware, so you do not know
BGP is an exterior gateway protocol; it is used between different networks. It is the protocol used between Internet service providers (ISPs), and it can also be used between an enterprise and an ISP.
BGP was built for reliability, scalability, and control, not speed.
BGP stands for Border Gateway Protocol. Routers running BGP are termed BGP speakers.
BGP uses the concept of autonomous systems (AS). An autonomous system is a group of
(IANA) assigns AS numbers: 1 to 64511 are public AS numbers and 64512 to 65535 are private AS numbers.
Autonomous systems run Interior Gateway Protocols (IGPs) within the system and an Exterior Gateway Protocol (EGP) between them. BGP version 4 is the only EGP currently in use.
The administrative distance for EBGP routes is 20. The administrative distance for
BGP uses TCP port 179. BGP peers exchange incremental, triggered route updates and periodic keepalives.
Basic Configuration
ISP1
Router#conf t
Router(config)#hostname ISP1
ISP1(config)#interface fastEthernet 0/0
ISP1(config-if)#ip address 192.168.10.1 255.255.255.0
ISP1(config-if)#no shutdown
ISP1(config-if)#exit
ISP1(config)#interface fastEthernet 0/1
ISP1(config-if)#ip address 10.10.10.1 255.255.255.0
ISP1(config-if)#no shutdown
ISP1(config-if)#exit
ISP2
Router(config)#hostname ISP2
ISP2(config)#interface fastEthernet 0/0
ISP2(config-if)#ip address 192.168.10.2 255.255.255.0
ISP2(config-if)#no shutdown
ISP2(config-if)#exit
ISP2(config)#interface fastEthernet 0/1
ISP2(config-if)#ip address 11.11.11.1 255.255.255.0
ISP2(config-if)#no shutdown
BGP Configuration
Verification
R1 is in our enterprise core and has OSPF as its IGP.
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface fastEthernet 0/1
R1(config-if)#ip address 192.168.10.2 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#router ospf 1
R1(config-router)#network 192.168.10.0 0.0.0.255 area 0
R1(config-router)#exit
R1(config)#
R2 is in our enterprise edge and has OSPF for IGP and BGP for EGP.
R2#conf t
R2(config)#interface fastEthernet 0/1
R2(config-if)#ip address 192.168.10.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 192.168.20.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#router ospf 1
R2(config-router)#network 192.168.10.0 0.0.0.255 area 0
R2(config-router)#exit
R2(config)#router ospf 1
R2(config-router)#default-information originate
R2(config-router)#exit
R2(config)#router bgp 100
R2(config-router)#neighbor 192.168.20.2 remote-as 200
R2(config-router)#network 1.1.1.0 mask 255.255.255.0
R2(config-router)#exit
R2(config)#ip route 1.1.1.0 255.255.255.0 null 0
R3 is at the service provider edge. R3 has a couple of static routes to advertise into BGP and is advertising a default route that reaches R1 and is then propagated throughout the enterprise core.
R3#conf t
R3(config)#interface fastEthernet 0/0
R3(config-if)#ip address 192.168.20.2 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#ip route 0.0.0.0 0.0.0.0 null 0
R3(config)#ip route 2.2.2.0 255.255.255.0 null 0
R3(config)#router bgp 200
R3(config-router)#neighbor 192.168.20.1 remote-as 100
R3(config-router)#network 2.2.2.0 mask 255.255.255.0
R3(config-router)#neighbor 192.168.20.1 default-originate
R3(config-router)#exit
Verification
R2#show ip route
..................<output omitted>...................
1.0.0.0/24 is subnetted, 1 subnets
S 1.1.1.0 is directly connected, Null0
2.0.0.0/24 is subnetted, 1 subnets
B 2.2.2.0 [20/0] via 192.168.20.2, 00:17:59 ** BGP learned route **
C 192.168.10.0/24 is directly connected, FastEthernet0/1
C 192.168.20.0/24 is directly connected, FastEthernet0/0
B* 0.0.0.0/0 [20/0] via 192.168.20.2, 00:20:18 ** default route from BGP
because of the default originate command in R3 **
R2#show ip bgp
-------------------<output omitted>.........................
Network Next Hop Metric LocPrf Weight Path
*> 0.0.0.0 192.168.20.2 0 0 200 i
*> 1.1.1.0/24 0.0.0.0 0 32768 i
*> 2.2.2.0/24 192.168.20.2 0 0 200 i
R1#show ip ospf neighbor
R1#show ip route
------------------<outputs are omitted>--------------
Gateway of last resort is 192.168.10.1 to network 0.0.0.0
Here we can see that R2 is single-homed BGP with R3, advertising a /24 (1.1.1.0/24), and R2 is advertising a default route to the enterprise core (R1).
Explanation
default-information originate (OSPF): the router redistributes into OSPF a default route that it learned from another router.
neighbor x.x.x.x default-originate (BGP): if you want to advertise a default route to a specific peer, this is the method for that requirement.
This also helps prevent DoS attacks: traffic to unused IP addresses, which may come from denial of service attacks, scanning of IP blocks to find vulnerable hosts, etc., is absorbed by the Null0 route instead of being forwarded.
HSRP provides Layer 3 redundancy in our network through active and standby router assignment, interface tracking, and load balancing. A group of physical routers, acting as a single virtual router, advertises a single IP address and MAC address into our network. By tracking interfaces and managing multiple groups, we can optimize speed as well as add redundancy to our networks. We can also use VRRP or GLBP, based on our individual network needs. The services that HSRP provides are a great addition to any network.
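The active/standby behaviour that the lab below verifies with "show standby", as an added Python example that is not part of the lab guide. One HSRP group is modelled: the router with the highest priority becomes Active (ties go to the highest interface IP), the next becomes Standby, and an Active router keeps its role until its interface goes down or a higher-priority router with "standby preempt" returns. The group number and virtual IP 192.168.1.3 come from the lab; the router interface IPs 192.168.1.1 and 192.168.1.2, the priority values and the version 1 virtual MAC format are assumptions for the example.

```python
import ipaddress


class HsrpGroup:
    """Active/standby election for one HSRP group (constructed model)."""

    def __init__(self, group, virtual_ip):
        self.group = group
        self.virtual_ip = virtual_ip
        self.routers = {}       # name -> {"ip", "priority", "preempt", "up"}
        self.active = None
        self.standby = None

    def virtual_mac(self):
        """HSRP version 1 well-known virtual MAC 0000.0c07.acXX, XX = group number."""
        return "0000.0c07.ac%02x" % self.group

    def add_router(self, name, ip, priority=100, preempt=False):
        """Equivalent of 'standby <group> ip/priority/preempt' on one router."""
        self.routers[name] = {"ip": ip, "priority": priority, "preempt": preempt, "up": True}
        self._elect()

    def set_interface(self, name, up):
        """Simulate 'shutdown' / 'no shutdown' on the router's HSRP interface."""
        self.routers[name]["up"] = up
        self._elect()

    def _rank(self, name):
        r = self.routers[name]
        return (r["priority"], int(ipaddress.ip_address(r["ip"])))

    def _elect(self):
        candidates = sorted((n for n, r in self.routers.items() if r["up"]),
                            key=self._rank, reverse=True)
        if not candidates:
            self.active = self.standby = None
            return
        best = candidates[0]
        if self.active not in candidates:           # no Active yet, or it went down
            self.active = best
        elif best != self.active and self.routers[best]["preempt"]:
            self.active = best                      # higher priority + preempt wins
        others = [n for n in candidates if n != self.active]
        self.standby = others[0] if others else None

    def state(self, name):
        """What 'show standby' would report for this router."""
        if name == self.active:
            return "Active"
        if name == self.standby:
            return "Standby"
        return "Listen" if self.routers[name]["up"] else "Init"


if __name__ == "__main__":
    g = HsrpGroup(10, "192.168.1.3")
    g.add_router("venus", "192.168.1.1", priority=110, preempt=True)
    g.add_router("Denver", "192.168.1.2", priority=100, preempt=True)
    print("initial:", g.active, g.standby)
    g.set_interface("venus", False)
    print("venus down:", g.active, g.standby)
    g.set_interface("venus", True)
    print("venus back (preempt):", g.active, g.standby)
```

Without preempt the lower-priority router keeps the Active role after the failed one returns, which is exactly the situation the lab's second "show standby" is meant to expose.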
Characteristics
Assign IP Address to Venus
===============================
Switch>en
Switch#conf t
Switch(config)#hostname venus
venus(config-if)#no switchport
venus(config-if)#no shutdown
venus(config-if)#exit
venus(config-if)#no switchport
venus(config-if)#no shutdown
venus(config-if)#
Switch>en
Switch#conf t
Switch(config)#hostname Denver
Denver(config-if)#no switchport
Denver(config-if)#no shutdown
Denver(config-if)#exit
Denver(config-if)#no switchport
Denver(config-if)#ip address 192.168.40.2 255.255.255.0
Denver(config-if)#no shutdown
Denver(config-if)#end
Router>en
Router#conf t
Router(config)#hostname Toronto
Toronto(config-if)#no shutdown
Toronto(config-if)#exit
Toronto(config-if)#ip add
Toronto(config-if)#no shutdown
Toronto(config-if)#exit
Toronto(config)#int loopback 1
Toronto(config-if)#exit
Toronto(config)#int loopback 1
Toronto(config-if)#exit
Denver(config)#ip route 1.1.1.0 255.255.255.0 192.168.40.1
venus(config)#ip routing
Denver(config)#ip routing
C:\>ping 1.1.1.1
Configure HSRP
================
venus#conf t
venus(config-if)#standby 10 ip 192.168.1.3
venus(config-if)#standby 10 preempt
------------------------------------------------------------
Denver>en
Denver#conf t
Denver(config-if)#standby 10 ip 192.168.1.3
Denver(config-if)#standby 10 preempt
Denver(config-if)#end
Verify
============
venus#show standby
FastEthernet0/10 - Group 10
State is Active
Preemption enabled
venus#
-------------------------------------------------------------------
Denver#show standby
FastEthernet0/11 - Group 10
State is Standby
Preemption enabled
Denver#
======================================================================
Successful.
Now shut down whichever of the interfaces F0/10 or F0/11 has the highest priority (110).
======================================================================
------------------------------------------------------
Denver#show standby
FastEthernet0/11 - Group 10
State is Active
Virtual IP address is 192.168.1.3
Preemption enabled
Denver#
-----------------------------------------------------------------
C:\>ping 1.1.1.1
Access lists work at the network (Layer 3) and transport (Layer 4) layers and can be used for two different things:
Filtering traffic
Identifying traffic
Identifying means selecting traffic. It is used, for example, when we configure a VPN: the traffic is identified and then passed through the VPN tunnel.
IP ACLs are the most popular, as IP is the most common type of traffic. There are two types of IP ACLs:
Standard IP ACLs can only control traffic based on the SOURCE IP address, whereas extended IP ACLs identify traffic based on source IP, source port, destination IP, and destination port.
We can use ACLs to filter traffic per protocol, per interface, and per direction. We can only have one ACL per protocol (e.g., IP or IPX), one ACL per interface (e.g., FastEthernet0/0), and one ACL per direction (i.e., IN or OUT).
Standard IP access lists are based on the source host or network IP address, and should be placed closest to the destination network.
R1#conf t
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface fastEthernet 0/1
R1(config-if)#ip address 192.168.20.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#router eigrp 10
R1(config-router)#network 192.168.20.0
R1(config-router)#network 192.168.10.0
R1(config-router)#no auto-summary
R1(config-router)#exit
R2#conf t
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 192.168.10.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface loopback 0
R2(config-if)#ip address 12.12.12.12 255.255.255.0
R2(config-if)#exit
R2(config)#interface loopback 1
R2(config-if)#ip address 11.11.11.11 255.255.255.0
R2(config-if)#exit
R2(config)#router eigrp 10
R2(config-router)#network 192.168.10.0
R2(config-router)#network 11.11.11.0
R2(config-router)#network 12.12.12.0
R2(config-router)#no auto-summary
R2(config-router)#exit
R2(config)#
Objective: only PC1, PC2 and PC3 can ping the loopback IP.
Verification
84 bytes from 11.11.11.11 icmp_seq=1 ttl=254 time=46.800 ms
84 bytes from 11.11.11.11 icmp_seq=2 ttl=254 time=46.801 ms
84 bytes from 11.11.11.11 icmp_seq=3 ttl=254 time=46.800 ms
84 bytes from 11.11.11.11 icmp_seq=4 ttl=254 time=46.800 ms
R2#show access-lists
Objective:
IP Configuration
Router(config)#hostname LOCAL
LOCAL(config)#interface fastEthernet 0/1
LOCAL(config-if)#ip address 192.168.10.1 255.255.255.0
LOCAL(config-if)#no shutdown
LOCAL(config-if)#exit
LOCAL(config)#interface fastEthernet 0/0
LOCAL(config-if)#ip address 103.13.148.1 255.255.255.240
LOCAL(config-if)#no shutdown
LOCAL(config-if)#exit
Telnet Access
LOCAL(config)#line vty 0 5
LOCAL(config-line)#password cisco
LOCAL(config-line)#login
LOCAL(config-line)#exit
LOCAL(config)#enable secret cisco
IP Configuration
Router(config)#hostname ISP
ISP(config)#interface fastEthernet 0/0
ISP(config-if)#ip address 103.13.148.2 255.255.255.240
ISP(config-if)#no shutdown
ISP(config-if)#exit
ISP(config)#interface fastEthernet 0/1
ISP(config-if)#ip address 100.100.100.1 255.255.255.0
ISP(config-if)#no shutdown
ISP(config-if)#exit
Static Route
ISP(config)#ip route 192.168.10.0 255.255.255.0 103.13.148.1
Switch(config)#ip default-gateway 100.100.100.1
Extended ACL Configuration
ISP(config)#access-list 101 permit tcp host 100.100.100.2 any eq telnet
ISP(config)#access-list 101 permit tcp host 100.100.100.4 any eq www
ISP(config)#access-list 101 permit tcp host 100.100.100.3 any eq smtp
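The way the router walks an access-list is easy to get wrong, so here is a small model of it, added as an example (it is not IOS code and not part of the lab). It parses the three access-list 101 lines above plus a constructed standard ACL, then evaluates constructed packets top-down with first match wins and the implicit deny at the end. It assumes contiguous wildcard masks, only the "eq <port>" destination-port form, and none of the other keywords (established, log, ranges).

```python
# Added example: a model of Cisco IOS access-list matching (first match wins,
# implicit deny at the end). Uses the lab's extended ACL 101 plus a constructed
# standard ACL. Supports host/any/wildcard addresses, ip/tcp/udp/icmp and
# "eq <port>" on the destination only.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"telnet": 23, "www": 80, "smtp": 25}


@dataclass
class Packet:
    proto: str                     # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None    # destination port for tcp/udp


@dataclass
class Entry:
    action: str                                  # "permit" or "deny"
    proto: str                                   # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: Optional[ipaddress.IPv4Network]         # None for a standard ACL
    dport: Optional[int]                         # None when no "eq" was given


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Cisco wildcard: 0 bits must match, 1 bits are don't-care.
    Only contiguous wildcards (inverse subnet masks) are handled here."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    prefix = 32 - bin(w).count("1")
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def _parse_addr(t: List[str], i: int):
    """Consume one address spec at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    if i + 1 < len(t) and t[i + 1][0].isdigit():        # "addr wildcard" form
        return wildcard_to_network(t[i], t[i + 1]), i + 2
    return ipaddress.IPv4Network(t[i] + "/32"), i + 1    # bare address = host


def parse_line(line: str) -> Entry:
    """Parse one 'access-list <n> permit|deny ...' line."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(line)
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99 or 1300 <= number <= 1999:      # standard: source only
        src, _ = _parse_addr(t, 3)
        return Entry(action, "ip", src, None, None)
    proto = t[3]                                          # extended ACL
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = None
    if i + 1 < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Entry(action, proto, src, dst, dport)


def evaluate(entries: List[Entry], pkt: Packet) -> str:
    """Top-down; the first matching entry decides. No match -> implicit deny."""
    s, d = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if s not in e.src or (e.dst is not None and d not in e.dst):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"


# ACL 101 exactly as configured on ISP in the lab above
ACL_101 = [parse_line(l) for l in [
    "access-list 101 permit tcp host 100.100.100.2 any eq telnet",
    "access-list 101 permit tcp host 100.100.100.4 any eq www",
    "access-list 101 permit tcp host 100.100.100.3 any eq smtp",
]]

# Constructed standard ACL: one subnet, one host exception, then everything
ACL_1 = [parse_line(l) for l in [
    "access-list 1 permit 192.168.10.0 0.0.0.255",
    "access-list 1 deny 192.168.20.5",
    "access-list 1 permit any",
]]
```

Because of the implicit deny, an ICMP echo from 100.100.100.2 is dropped by ACL 101 even though that host is permitted for Telnet; any routing-protocol or management traffic that arrives on the interface where the ACL is applied needs its own permit line.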
But from the other PCs it is not possible.
From PC1 we can see that the SMTP service is open, but from the other PCs it is not.
Named ACLs allow standard and extended ACLs to be given names instead of numbers.
Objective:
We will configure a Named ACL to ensure that only PC0 can log in to router BUET through
Telnet, but PC1 cannot.
DU(config-if)#no shutdown
DU(config-if)#exit
DU(config)#interface fastEthernet 0/1
DU(config-if)#ip address 172.16.10.1 255.255.255.0
DU(config-if)#no shutdown
DU(config-if)#exit
DU(config)#router eigrp 10
DU(config-router)#network 192.168.10.0
DU(config-router)#network 172.16.10.0
DU(config-router)#no auto-summary
DU(config-router)#exit
Router(config)#hostname BUET
BUET(config)#interface fastEthernet 0/0
BUET(config-if)#ip address 192.168.10.2 255.255.255.0
BUET(config-if)#no shutdown
BUET(config-if)#exit
BUET(config)#router eigrp 10
BUET(config-router)#network 192.168.10.0
BUET(config-router)#no auto-summary
BUET(config-router)#exit
BUET(config)#no ip domain-lookup
BUET(config)#line vty 0 4
BUET(config-line)#password cisco
BUET(config-line)#login
BUET(config-line)#exit
BUET(config)#enable secret cisco
BUET(config)#exit
DU(config)#interface fastEthernet 0/0
DU(config-if)#ip access-group venus out
DU(config-if)#end
From PC0
C:\>ping 192.168.10.2
Password:
From PC1
C:\>ping 192.168.10.2
DU#show ip access-lists
LAB 37 : STATIC NAT
We use Static NAT for one-to-one mapping between an inside address and an outside address.
Static NAT allows connections from an outside host to an inside host. Generally, static NAT is
Suppose we have a web or mail server with the inside IP address 192.168.10.2 and we want
it to be accessible from the Internet, i.e. when a remote host makes a request to 103.13.148.10.
In this case we must configure a static NAT mapping between the inside IP (192.168.10.2) and
the outside IP (103.13.148.10).
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname ISP
ISP(config)#interface fastEthernet 0/0
ISP(config-if)#ip address 103.13.148.2 255.255.255.0
ISP(config-if)#no shutdown
ISP(config-if)#exit
ISP(config)#interface fastEthernet 0/1
ISP(config-if)#ip address 10.10.10.1 255.255.255.0
ISP(config-if)#no shutdown
ISP(config-if)#exit
Specify default gateway on switch
Gateway#conf t
Gateway(config)#ip nat inside source static 192.168.10.2 103.13.148.10
Gateway(config)#interface fastEthernet 0/1
Gateway(config-if)#ip nat inside
Gateway(config-if)#exit
Gateway(config)#interface fastEthernet 0/0
Gateway(config-if)#ip nat outside
Gateway(config-if)#end
Gateway#
Verification
Gateway# show ip route
From the Internet PC (PC0 under the ISP router) browse to 103.13.148.10, the public IP
assigned in the static mapping.
(We will do the Dynamic NAT configuration following Static NAT, so all the configuration of
the previous LAB remains the same.)
Never use dynamic NAT for servers or other devices that need to be accessible from the
Internet.
Suppose our internal network is 192.168.10.0/24. We also have a pool of public IP
addresses from 103.13.148.20 to 103.13.148.30 with net mask 255.255.255.0. The procedure
is as follows:
Create a NAT pool of the public IP addresses that are used for translations
-----------------------------------------------------------------------------------------
Gateway(config)#ip nat pool venus 103.13.148.20 103.13.148.30 netmask 255.255.255.0
Apply it to the interfaces
----------------------------
Gateway(config)#interface fastEthernet 0/1
Gateway(config-if)#ip nat inside
Gateway(config-if)#exit
Gateway(config)#interface fastEthernet 0/0
Gateway(config-if)#ip nat outside
Gateway(config-if)#exit
Verification
Dynamic NAT
Static NAT entry (from show ip nat translations):
Pro  Inside global      Inside local       Outside local      Outside global
---  103.13.148.10      192.168.10.2       ---                ---
An inside host makes a request to an outside host and the router dynamically assigns an
available IP address from the pool for the translation of the private IP address. If there is no
public IP address available, the router rejects new connections until you clear the NAT
mappings. However, if you have as many public IP addresses as hosts in your network, you
won't face this problem.
NAT Overload
NAT Overload, also called PAT, is probably the most used type of NAT. We can configure NAT
overload in two ways, depending on how many public IP addresses we have.
Suppose we have only one public IP address allocated by our ISP. Here we have to map all our
inside hosts to the single available IP address. The configuration is almost the same as for
dynamic NAT, but in this case we specify the outside interface instead of a NAT pool.
Router(config)#hostname GW
GW(config)#interface fastEthernet 0/0
GW(config-if)#ip address 103.13.148.1 255.255.255.240
GW(config-if)#no shutdown
GW(config-if)#exit
GW(config)#interface fastEthernet 0/1
GW(config-if)#ip address 192.168.10.1 255.255.255.0
GW(config-if)#no shutdown
GW(config-if)#exit
Router(config)#hostname ISP
ISP(config)#interface fastEthernet 0/0
ISP(config-if)#ip address 103.13.148.2 255.255.255.240
ISP(config-if)#no shutdown
ISP(config-if)#exit
ISP(config)#interface fastEthernet 0/1
ISP(config-if)#ip address 100.100.100.1 255.255.255.0
ISP(config-if)#no shutdown
ISP(config-if)#exit
C:\>ping 192.168.10.10
C:\>ping 192.168.10.20
GW(config)#interface fastEthernet 0/1
GW(config-if)#ip nat inside
GW(config-if)#exit
Verification
C:\>ping 100.100.100.30
The router automatically determines which public IP address to use for the mappings by
checking what IP is assigned to the Serial 0/0/0 interface. All the inside addresses are
translated to the only public IP address available on our router. The router distinguishes
the traffic flows by port number, as specified by the overload keyword.
LAB 40 : DYNAMIC PAT
The second way: the ISP gave you more than one public IP address, but not enough for a
dynamic or static mapping of every host.
The configuration is the same as dynamic NAT, but this time we add overload so that the
router identifies traffic flows by port number instead of mapping one private address to one
public IP address dynamically.
Verification
C:\>ping 100.100.100.30
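The three translation behaviours described in the static NAT, dynamic NAT and overload/PAT sections above can be seen side by side in the following model, added here as an example; it is not IOS code and does not come from the lab. It uses the lab's addresses (the 192.168.10.0/24 inside network, the 103.13.148.10 static entry and the 103.13.148.20-30 pool); the flows, the port-allocation policy and the overload address 103.13.148.1 are constructed. Pool plus overload (dynamic PAT) is treated here the same way as interface overload on a single address.

```python
# Added example (not IOS code): a model of the three translation behaviours
# described above - static one-to-one mapping, dynamic allocation from a pool
# that can run dry, and overload/PAT, which multiplexes every inside host onto
# one public address by rewriting source ports. Addresses are the lab's own;
# the flows are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    inside_local: str
    sport: int
    outside: str
    dport: int


class PoolExhausted(Exception):
    """No free pool address: the router refuses the new connection."""


class Translator:
    def __init__(self, static: Dict[str, str], pool: List[str], overload_ip: Optional[str] = None):
        self.static = dict(static)               # inside local -> inside global (1:1)
        self.pool = list(pool)                   # free public addresses for dynamic NAT
        self.overload_ip = overload_ip           # set -> PAT on that address instead of the pool
        self.dynamic: Dict[str, str] = {}        # inside local -> leased inside global
        self.pat: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.used_ports = set()
        self.next_port = 1024

    def translate(self, flow: Flow) -> Tuple[str, int]:
        """Outbound: return the (inside global, source port) the packet leaves with."""
        if flow.inside_local in self.static:
            return self.static[flow.inside_local], flow.sport
        if self.overload_ip is None:
            return self._dynamic(flow.inside_local), flow.sport
        return self._overload(flow)

    def _dynamic(self, local: str) -> str:
        if local not in self.dynamic:
            if not self.pool:
                raise PoolExhausted(local)
            self.dynamic[local] = self.pool.pop(0)
        return self.dynamic[local]

    def _overload(self, flow: Flow) -> Tuple[str, int]:
        key = (flow.inside_local, flow.sport)
        if key not in self.pat:
            # keep the original port when it is free, otherwise pick an unused one
            port = flow.sport if flow.sport not in self.used_ports else self._alloc_port()
            self.used_ports.add(port)
            self.pat[key] = (self.overload_ip, port)
        return self.pat[key]

    def _alloc_port(self) -> int:
        while self.next_port in self.used_ports:
            self.next_port += 1
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def inbound(self, global_ip: str, gport: int) -> Optional[Tuple[str, int]]:
        """Return traffic: map (inside global, port) back to (inside local, port)."""
        for local, glob in list(self.static.items()) + list(self.dynamic.items()):
            if glob == global_ip:
                return local, gport
        for (local, lport), (glob, gp) in self.pat.items():
            if (glob, gp) == (global_ip, gport):
                return local, lport
        return None            # unsolicited packet: nothing to deliver it to

    def clear(self) -> None:
        """Like clearing the translation table: leases return to the pool, PAT entries vanish."""
        self.pool.extend(self.dynamic.values())
        self.dynamic.clear()
        self.pat.clear()
        self.used_ports.clear()


def dynamic_pool_demo() -> str:
    """Lab pool 103.13.148.20-30 (11 addresses) plus the static server entry:
    11 inside hosts get leases, the 12th is refused until the table is cleared."""
    t = Translator({"192.168.10.2": "103.13.148.10"}, [f"103.13.148.{i}" for i in range(20, 31)])
    for host in range(11, 22):
        t.translate(Flow(f"192.168.10.{host}", 40000, "100.100.100.30", 80))
    try:
        t.translate(Flow("192.168.10.22", 40000, "100.100.100.30", 80))
        return "translated"
    except PoolExhausted:
        t.clear()
        return "exhausted-until-cleared:" + t.translate(
            Flow("192.168.10.22", 40000, "100.100.100.30", 80))[0]
```

The inbound() method is the reason PAT only works for connections started from the inside: with a single public address, the port is the only thing that tells the router which inside host a returning packet belongs to, so an unsolicited packet to a port with no entry has nowhere to go.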
We can clear the NAT translation table with the following commands:
When packets need to be sent from one network to another over the Internet or an
insecure network, we can use a GRE tunnel. A virtual tunnel is created between the two Cisco
routers and packets are sent through the tunnel.
GRE tunnels allow multicast packets, whereas IPsec VPN does not support multicast packets. In
large networks where routing protocols such as OSPF or EIGRP are necessary, GRE tunnels
are the best choice.
Configuring a GRE tunnel involves creating a tunnel interface, which is a logical interface.
Then you must configure the tunnel endpoints for the tunnel interface.
R2(config-if)#exit
R2(config)#interface fastEthernet 0/1
R2(config-if)#ip address 192.168.30.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
A GRE tunnel uses a tunnel interface, a logical interface configured on the router with an IP
address, where packets are encapsulated and de-encapsulated as they enter or exit the GRE
tunnel.
All tunnel interfaces must be configured with an IP address. Each tunnel interface is
configured with an IP address within the same subnet (172.16.10.0/24).
Since GRE is an encapsulating protocol, we adjust the maximum transmission unit (MTU) to 1400
bytes and the maximum segment size (MSS) to 1360 bytes. Because most transport MTUs are 1500
bytes and GRE adds overhead, we must reduce the MTU to account for the extra bytes. A setting
of 1400 is common practice and keeps unnecessary packet fragmentation to a minimum.
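To make the overhead behind those two numbers concrete, here is an added example (not part of the lab) that builds and parses the encapsulation a GRE tunnel performs: an outer IPv4 header plus the 4-byte RFC 2784 GRE header around the original packet. The tunnel endpoints (203.0.113.1/2) and the inner host 192.168.10.10 are constructed; 192.168.30.2 is the host pinged in the lab.

```python
# Added example (not part of the lab): build and parse the encapsulation a GRE
# tunnel performs, to show where the overhead behind "ip mtu 1400" and
# "ip tcp adjust-mss 1360" comes from. Tunnel endpoint and inside host
# addresses are constructed.
import socket
import struct

IPV4_HDR = 20        # outer IPv4 header without options
GRE_HDR = 4          # RFC 2784 base GRE header: flags/version + protocol type
TCP_HDR = 20
ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47


def checksum(data: bytes) -> int:
    """Standard one's-complement Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR + payload_len, 1, 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def gre_encapsulate(tunnel_src: str, tunnel_dst: str, inner: bytes) -> bytes:
    """What the tunnel interface does on the way in: outer IP + GRE + original packet."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # no checksum/key/sequence, version 0
    outer = ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, GRE_HDR + len(inner))
    return outer + gre + inner


def gre_decapsulate(packet: bytes) -> bytes:
    """What the far end does: validate the outer and GRE headers, return the inner packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    if checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header checksum")
    flags_ver, ptype = struct.unpack("!HH", packet[ihl:ihl + GRE_HDR])
    if flags_ver & 0x0007:           # version field must be 0 for RFC 2784 GRE
        raise ValueError("unsupported GRE version")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("inner packet is not IPv4")
    return packet[ihl + GRE_HDR:]


def tunnel_mtu(transport_mtu: int = 1500) -> int:
    """Largest inner packet that still fits the transport path unfragmented."""
    return transport_mtu - IPV4_HDR - GRE_HDR          # 1476 for a 1500-byte path


def tcp_mss_for(ip_mtu: int) -> int:
    """MSS to advertise so a full segment fits the tunnel's IP MTU: 1400 -> 1360."""
    return ip_mtu - IPV4_HDR - TCP_HDR


def fits_transport(inner_len: int, transport_mtu: int = 1500) -> bool:
    """Does an inner packet of this size survive encapsulation without fragmentation?"""
    return IPV4_HDR + GRE_HDR + inner_len <= transport_mtu


# Constructed inner packet: an ICMP echo from a host behind R1 to 192.168.30.2 behind R2
INNER = ipv4_header("192.168.10.10", "192.168.30.2", 1, 8) + b"\x08\x00" + b"\x00" * 6
TUNNELED = gre_encapsulate("203.0.113.1", "203.0.113.2", INNER)
```

tunnel_mtu() shows that a 1500-byte transport leaves room for 1476 inner bytes, so the lab's 1400 is a round number with margin; tcp_mss_for(1400) reproduces the 1360 the text uses, which is the IP MTU minus the IP and TCP headers.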
Now we will configure a static route to provide reachability between the two hosts:
Here the next hop will be the tunnel interface IP.
PC1#ping 192.168.30.2
Provides the method of identifying users, including login and password dialog, challenge and
response, messaging support, and, depending on the security protocol you select, encryption.
Authorization = Control what they can do while they are there
Provides the method for remote access control, including one-time authorization or
authorization for each service, per-user account list and profile, user group support, and
support of IP, IPX, ARA, and Telnet.
Accounting = audit what actions they performed while accessing the network
Provides the method for collecting and sending security server information used for billing,
auditing, and reporting, such as user identities, start and stop times, executed commands
(such as PPP), number of packets, and number of bytes.
This method stores usernames and passwords locally on the Cisco router, and users
authenticate against the local database.
A central AAA server contains the usernames and passwords for all users.
AAA can be used with both RADIUS and TACACS+ servers to provide secure services, but there
are some differences between the two protocols.
Objective:
Anyone who telnets to the router must be authenticated through the AAA server, and in case
the AAA server is down, the router will use the local user account database.
Configuration:
Router#conf terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname Radius
Radius(config)#interface fastEthernet 0/0
Radius(config-if)#ip address 192.168.10.1 255.255.255.0
Radius(config-if)#no shutdown
Radius(config-if)#exit
To enable AAA, you need to configure the aaa new-model command in global configuration.
Until this command is enabled, all other AAA commands are hidden.
Radius(config)#aaa new-model
Set authentication for login using two methods: the Radius server (the first method). If the
Radius server doesn't respond, the router's local database is used (the second method).
Tell the router the IP address of the Radius server and the key (shared secret) used to talk to it:
Here,
Client name = any
Client IP = Router IP
Key = the key defined in the previous command line
From the PC
C:\>telnet 192.168.10.1
Trying 192.168.10.1 ...Open
Username: admin
Password:
Radius>en
Password:
Radius#
Here the username admin and password admin123 were created on the Radius server.
Now disconnect the ACS server (or just remove the cable) and try to Telnet to the router as
ashish (local database); it will work.
Remember: if method 1 fails (the server rejects the login), you will not fall through to
method 2; only if method 1 is not available does the router move to method 2 and use it.
C:\>telnet 192.168.10.1
Username: ashish
Password:
Radius>
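The fail-versus-unavailable rule just stated is the part of AAA method lists people most often get wrong, so here is a model of how a list such as "aaa authentication login default group radius local" is walked, added as an example (not IOS code and not from the lab). A method answers PASS, FAIL or ERROR; PASS and FAIL are final and only ERROR (no reply from the server) moves on to the next method. The RADIUS user admin/admin123 is the lab's; the local user ashish gets a constructed secret, and the plaintext dictionaries exist only for the model.

```python
# Added example (not from the lab): a model of how IOS walks a login method
# list such as "aaa authentication login default group radius local". A method
# answers PASS, FAIL or ERROR (server unreachable); PASS and FAIL are final,
# only ERROR moves on to the next method. User databases are constructed.
from enum import Enum
from typing import Dict, List


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    ERROR = "error"     # method unavailable, e.g. no RADIUS reply before timeout


class RadiusGroup:
    """Stands in for 'group radius': answers only while the server is reachable."""
    def __init__(self, users: Dict[str, str], reachable: bool = True):
        self.users, self.reachable = dict(users), reachable

    def authenticate(self, user: str, password: str) -> Result:
        if not self.reachable:
            return Result.ERROR
        return Result.PASS if self.users.get(user) == password else Result.FAIL


class LocalDatabase:
    """Stands in for the 'local' method: the router's own username entries."""
    def __init__(self, users: Dict[str, str]):
        self.users = dict(users)

    def authenticate(self, user: str, password: str) -> Result:
        return Result.PASS if self.users.get(user) == password else Result.FAIL


def login(method_list: List[object], user: str, password: str) -> Result:
    """Try methods in order; the first definite answer (PASS or FAIL) wins."""
    for method in method_list:
        result = method.authenticate(user, password)
        if result is not Result.ERROR:
            return result
    return Result.FAIL      # every method errored: nobody could vouch for the user


def scenarios() -> Dict[str, str]:
    """The four cases from the lab text, with the RADIUS server up and then down."""
    radius = RadiusGroup({"admin": "admin123"})                    # lab's RADIUS user
    local = LocalDatabase({"ashish": "constructed-local-secret"})  # constructed secret
    chain = [radius, local]
    out = {
        "radius up, admin": login(chain, "admin", "admin123").value,
        # ashish exists only locally: RADIUS answers FAIL, so local is never consulted
        "radius up, ashish": login(chain, "ashish", "constructed-local-secret").value,
    }
    radius.reachable = False
    out["radius down, ashish"] = login(chain, "ashish", "constructed-local-secret").value
    out["radius down, admin"] = login(chain, "admin", "admin123").value
    return out
```

The second scenario is the trap: because the server is reachable and simply does not know ashish, it returns FAIL and the local entry is never consulted, which is why a local fallback account must also exist on the server if it is expected to work while the server is up.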
OR , TACACS+ Configuration
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname Tacacs
Tacacs(config)#interface fastEthernet 0/0
Tacacs(config-if)#ip address 192.168.10.2 255.255.255.0
Tacacs(config-if)#no shutdown
Tacacs(config-if)#exit
Tacacs(config)#aaa new-model
Tacacs(config)#aaa authentication login default group tacacs+ local
Tacacs(config)#tacacs-server host 192.168.10.4 key 8888
C:\>telnet 192.168.10.2
Username: admin
Password:
Tacacs>en
Password:
Tacacs#
LAB 43: Syslog Server
Cisco devices use the syslog protocol to manage system logs and alerts. A Syslog server collects
all the logs in a central location, and we can then use these logs for troubleshooting
devices.
There are 8 levels of logs, called severity levels. A lower severity level is more
critical.
The software generates four other categories of messages:
Timestamp
Log Message Name and Severity Level
Message Text
LAB :
Router>
Router>enable
Router#conf t
Router(config)#hostname DU
DU(config)#interface fastEthernet 0/0
DU(config-if)#ip address 192.168.10.1 255.255.255.0
DU(config-if)#no shutdown
We will use the logging host <syslog server IP address> command to specify the Syslog
server address on Cisco router.
Then apply the logging trap <severity level> command to specify which log types (severity
levels) are sent. For example, use the debug level (severity level 7). We may use any
other severity level that we wish to test.
Then we will use the debug ip <protocol> command to enable debugging for a protocol. In
this case we will use the ICMP protocol.
DU#debug ip icmp
Use the ping 192.168.1.100 command to generate some ICMP packets to test your configuration.
C:\>ping 192.168.10.1
C:\>
Next, move to the Syslog server console and examine the output. In the following figure you
can see sample output of the Syslog server: the logs it has collected from the Cisco router.
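What the Syslog server receives is the IOS message format (optional sequence number and timestamp, then %FACILITY-SEVERITY-MNEMONIC: text), and the logging trap level decides which severities are forwarded. The following parser is added as an example (not from the lab or from any Syslog server product): it extracts those fields, applies the trap filter, and pulls the source address out of failed-login messages, which is the kind of check a defender runs over collected logs. The sample lines are constructed; the SNMP warm-start line is the one shown in the SNMP lab of this guide.

```python
# Added example: parse the Cisco IOS syslog message format and apply the
# "logging trap <level>" filter. Sample lines are constructed.
import re
from dataclasses import dataclass
from typing import List, Optional

SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

MSG_RE = re.compile(r"""
    ^(?:(?P<seq>\d+):\s+)?                                                     # sequence number
    (?:\*?(?P<ts>[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d(?:\.\d+)?):\s+)?         # timestamp
    %(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*
    (?P<text>.*)$
""", re.VERBOSE)


@dataclass
class SyslogMessage:
    facility: str
    severity: int
    mnemonic: str
    text: str
    timestamp: Optional[str]


def parse(line: str) -> Optional[SyslogMessage]:
    """Return the parsed message, or None for lines without a %FAC-SEV-MNEMONIC header."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    return SyslogMessage(m["facility"], int(m["severity"]), m["mnemonic"], m["text"], m["ts"])


def trap_filter(lines: List[str], trap_level: int) -> List[SyslogMessage]:
    """Mimic 'logging trap <level>': forward messages at or below that severity number
    (lower is more critical). Header-less lines, such as 'debug ip icmp' output,
    are treated as level 7 (debugging)."""
    kept = []
    for line in lines:
        msg = parse(line)
        severity = msg.severity if msg else 7
        if severity <= trap_level:
            kept.append(msg if msg else SyslogMessage("DEBUG", 7, "", line.strip(), None))
    return kept


def failed_logins(lines: List[str]) -> List[str]:
    """Detection use: source addresses from SEC_LOGIN-4-LOGIN_FAILED messages."""
    sources = []
    for line in lines:
        msg = parse(line)
        if msg and msg.facility == "SEC_LOGIN" and msg.mnemonic == "LOGIN_FAILED":
            m = re.search(r"\[Source: ([\d.]+)\]", msg.text)
            if m:
                sources.append(m.group(1))
    return sources


# Constructed sample of what the router sends (first line as shown in the SNMP lab)
SAMPLE_LINES = [
    "%SNMP-5-WARMSTART: SNMP agent on host Router is undergoing a warm start",
    "*Mar  1 00:02:11.331: %SYS-5-CONFIG_I: Configured from console by console",
    "*Mar  1 00:02:30.009: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up",
    "*Mar  1 00:02:31.010: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up",
    "000042: *Mar  1 00:03:05.120: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] "
    "[Source: 192.168.10.50] [localport: 23] [Reason: Login Authentication Failed] "
    "at 00:03:05 UTC Mon Mar 1 1993",
    "*Mar  1 00:03:10.001: ICMP: echo reply sent, src 192.168.10.1, dst 192.168.10.50",
]
```

With logging trap set to 4 (warnings) only the link-down/up error and the failed login reach the server; the lab's level 7 forwards everything, including the header-less ICMP debug line, which is why debug-level trapping is something to enable for a test and then turn back down.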
LAB 44: SNMPv3
The Simple Network Management Protocol (SNMP) is used for network monitoring and
management. The network devices send information to the NMS server, which graphs it so
that CPU, memory, I/O and so on can be analysed.
It is made up of 3 parts: the SNMP manager, the SNMP agent and the Management Information
Base (MIB).
The SNMP manager is the software running on a PC or server that monitors the network
devices.
The SNMP agent runs on the network device.
The database the agent keeps is called the MIB (Management Information Base), and an
object in it could be the interface status on the router (up or down) or perhaps the CPU
load at a certain moment. Each object in the MIB is identified by an OID (Object Identifier).
Configure SNMP
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip address 192.168.10.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#snmp-server community V1 ro
%SNMP-5-WARMSTART: SNMP agent on host Router is undergoing a warm start
Router(config)#snmp-server community V1rw rw
Router(config)#exit
Router#
Here,
Read Community: V1, taken from the read-only (ro) community name.
Write Community: V1rw, the name of the read-write (rw) community.
Click on PC0, click the Desktop tab, then open the MIB Browser
Address: 192.168.10.1
Read Community: V1
Write Community: V1rw
SNMP Version, select V3 and click OK.
Now on the MIB browser page expand the MIB tree to system, select each value and hit the
GO button to display the exact information from Router0.
Method 1
11. Use this command in order to create a new user name and password:
router(config)#username cisco123 privilege 15 password cisco123
12. Use this command in order to change the boot statement:
config-register 0x2102
13. Use this command in order to save the configuration:
write memory
14. Reload the router, and then use your new user name and password to log in to the
router.
Method 2
1. Connect a terminal or PC with terminal emulation to the console port of the router
and ensure you have the correct terminal settings. They include no flow control, 1
stop bit, 8 data bits, no parity and 9600 baud rate.
2. If you are able to access the router, enter show version at the prompt and document
the configuration register setting.
3. Next, turn off the router, wait about 5 seconds and turn it back on.
4. Press Break on the terminal keyboard within 1 minute of power-up in order to put the
router into ROMmon.
5. Enter confreg 0x2142 at the rommon 1> prompt in order to boot from Flash.
6. Type reset at the rommon 2> prompt.
7. Type no after each setup question or press Ctrl+C to bypass all questions.
8. Type enable at the Router> prompt
9. Type configure memory or copy startup-config running-config in order to copy
NVRAM into memory.
10. Type show running-config
11. Type configure terminal
12. Type enable secret <enter in a password that you will remember> in order to change
the enable secret password.
13. Issue the no shutdown command on every single interface that you use.
14. Type config-register followed by the original value. This is typically 0x2102.
15. Press Ctrl-z or end to leave config mode.
16. Type write memory or copy running-config startup-config to commit the
modifications
LAB 46 : PROJECT 1
1. VLAN Information
2. Router Information
Router   Interface                  IP address          Connects to
         F0/1.40 (sub interface)    172.16.40.1/24      VLAN 40
         F0/1.88 (sub interface)    11.11.11.11/24      VLAN 88 (Management)
         F1/0 (.1)                  192.168.30.0/24     ISP Router
ISP      F0/0 (.2)                  192.168.30.0/24     GWY Router
         F0/1 (.1)                  172.16.50.0/24      LAN Switch
2. DENVER
3. Router : LAN
4. TORONTO
a. Hostname, enable password, telnet access configuration, VLAN & Access Port configuration
b. Management VLAN Configuration
5. Router : GWY
7. Router ISP
8. GWY
Condition: for the Internet hosts the following service is disabled towards the Inside, but the
http service is enabled
12. Configure Inside Server as a HTTP Server
13. Verification
Configuration
DENVER
Hostname, enable password, telnet access configuration, VLAN & Access Port configuration
================================================================================
Switch(config)#hostname DENVER
DENVER(config)#enable secret cisco
DENVER(config)#username admin password admin123
DENVER(config)#line vty 0 4
DENVER(config-line)#login local
DENVER(config-line)#exit
DENVER(config)#
DENVER(config)#vlan 10
DENVER(config-vlan)#name cisco
DENVER(config-vlan)#exit
DENVER(config)#vlan 20
DENVER(config-vlan)#name solaris
DENVER(config-vlan)#exit
DENVER(config)#interface range fastEthernet 0/1 - 9
DENVER(config-if-range)#switchport mode access
DENVER(config-if-range)#switchport access vlan 10
DENVER(config-if-range)#exit
DENVER(config)#interface range fastEthernet 0/10 - 15
DENVER(config-if-range)#switchport mode access
DENVER(config-if-range)#switchport access vlan 20
DENVER(config-if-range)#exit
DENVER(config)#vlan 99
DENVER(config-vlan)#name MGT
DENVER(config-vlan)#exit
DENVER(config)#interface fastEthernet 0/24
DENVER(config-if)#switchport access vlan 99
DENVER(config-if)#exit
DENVER(config)#interface vlan 99
Router : LAN
=============
Router(config)#hostname LAN
LAN(config)#interface fastEthernet 0/1
LAN(config-if)#no shutdown
LAN(config-if)#exit
LAN(config)#interface fastEthernet 0/0
LAN(config-if)#ip address 192.168.10.1 255.255.255.0
LAN(config-if)#no shutdown
LAN(config-if)#exit
LAN(config)#enable password cisco
LAN(config)#username admin password admin123
LAN(config)#line vty 0 4
LAN(config-line)#login local
LAN(config-line)#exit
DENVER
========
IP Assign to Hosts
==============
Verification
==========
C:\>ping 172.16.20.2
LAN>en
Password:
LAN#ping 10.10.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/11 ms
LAN#telnet 10.10.10.10
Trying 10.10.10.10 ...Open
TORONTO
Hostname, enable password, telnet access configuration, VLAN & Access Port configuration
================================================================================
Switch#conf t
Switch(config)#hostname TORONTO
TORONTO(config)#enable secret cisco
TORONTO(config)#username admin password admin123
TORONTO(config)#line vty 0 4
TORONTO(config-line)#login local
TORONTO(config-line)#exit
TORONTO(config)#vlan 30
TORONTO(config-vlan)#name admin
TORONTO(config-vlan)#exit
TORONTO(config)#vlan 40
TORONTO(config-vlan)#name Accounts
TORONTO(config-vlan)#exit
TORONTO(config)#interface range fastEthernet 0/1 - 9
TORONTO(config-if-range)#switchport mode access
TORONTO(config-if-range)#switchport access vlan 30
TORONTO(config-if-range)#exit
TORONTO(config)#interface range fastEthernet 0/10 - 15
TORONTO(config-if-range)#switchport mode access
TORONTO(config-if-range)#switchport access vlan 40
TORONTO(config-if-range)#exit
TORONTO(config)#
TORONTO(config)#vlan 88
TORONTO(config-vlan)#name Management
TORONTO(config-vlan)#exit
TORONTO(config)#interface fastEthernet 0/24
TORONTO(config-if)#switchport access vlan 88
TORONTO(config-if)#exit
TORONTO(config)#interface vlan 88
TORONTO(config-if)#ip address 11.11.11.11 255.255.255.0
TORONTO(config-if)#no shutdown
TORONTO(config-if)#exit
TORONTO(config)#
Router : GWY
=============
Router(config)#hostname GWY
GWY(config)#interface fastEthernet 0/0
GWY(config-if)#ip address 192.168.10.2 255.255.255.0
GWY(config-if)#no shutdown
GWY(config-if)#exit
GWY(config)#interface fastEthernet 1/0
GWY(config-if)#ip address 192.168.20.1 255.255.255.0
GWY(config-if)#no shutdown
GWY(config-if)#exit
GWY(config)#enable secret cisco
GWY(config)#username admin password admin123
GWY(config)#line vty 0 4
GWY(config-line)#login local
GWY(config-line)#exit
GWY(config)#
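The credential and management-plane settings used across this project (enable password versus enable secret, username ... password versus username ... secret, a shared vty password, vty lines that still accept Telnet, a read-write SNMP community) are exactly the lines a configuration review looks for. The following audit script is added as an example and is not part of the project: it scans running-config text and reports those settings by line number. The lab-style sample is assembled from the LAN, LOCAL and SNMP lab commands above; the hardened sample is constructed, with placeholder secrets.

```python
# Added example (not part of the project): review IOS running-config text for
# weak credential and management-plane settings. Sample configs: one assembled
# from the lab commands above, one constructed hardened counterpart.
import re
from typing import List, Tuple

LAB_STYLE_CONFIG = """\
hostname LAN
enable password cisco
username admin password admin123
snmp-server community V1rw rw
line vty 0 4
 password cisco
 login local
!
"""

HARDENED_CONFIG = """\
hostname GWY
enable secret <constructed-strong-secret>
username admin secret <constructed-strong-secret>
snmp-server community <constructed-ro-string> ro
line vty 0 4
 login local
 transport input ssh
!
"""

USERNAME_PASSWORD = re.compile(r"^username \S+ (?:privilege \d+ )?password ")
SNMP_RW = re.compile(r"^snmp-server community \S+ rw\b")


def audit(config: str) -> List[Tuple[int, str]]:
    """Return (line number, rule id) findings for one running-config.
    Rules: enable-password, username-password, snmp-rw-community,
    vty-shared-password, vty-telnet (no 'transport input ssh' on the block)."""
    findings: List[Tuple[int, str]] = []
    vty_start = None            # line number of the open 'line vty' block, if any
    vty_ssh_only = False

    def close_vty():
        if vty_start is not None and not vty_ssh_only:
            findings.append((vty_start, "vty-telnet"))

    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if line.startswith("line vty"):
            close_vty()
            vty_start, vty_ssh_only = n, False
            continue
        if vty_start is not None:
            if raw.startswith(" "):             # still inside the line block
                if line.startswith("password "):
                    findings.append((n, "vty-shared-password"))
                if line.startswith("transport input") and line.split()[2:] == ["ssh"]:
                    vty_ssh_only = True
                continue
            close_vty()                         # first unindented line ends the block
            vty_start = None
        if line.startswith("enable password"):
            findings.append((n, "enable-password"))
        if USERNAME_PASSWORD.match(line):
            findings.append((n, "username-password"))
        if SNMP_RW.match(line):
            findings.append((n, "snmp-rw-community"))
    close_vty()
    return findings
```

The rule for the vty block is deliberately strict: "transport input ssh telnet" still counts as a finding, because the block continues to accept cleartext Telnet logins alongside SSH.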
GWY(config-subif)#encapsulation dot1Q 88
GWY(config-subif)#ip address 11.11.11.11 255.255.255.0
GWY(config-subif)#no shutdown
TORONTO
===========
IP Assign to Hosts
==============
Verification
===========
C:\>ping 172.16.40.2
GWY#ping 11.11.11.11
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/7 ms
GWY#telnet 11.11.11.11
Trying 11.11.11.11 ...Open
User Access Verification
Username: admin
Password:
GWY>
EIGRP Configuration on LAN and GWY Router only (except GWY to ISP)
=========================================================
LAN#conf t
LAN(config)#router eigrp 10
LAN(config-router)#network 172.16.10.0
LAN(config-router)#network 172.16.20.0
LAN(config-router)#network 10.10.10.0
LAN(config-router)#network 192.168.10.0
LAN(config-router)#no auto-summary
GWY(config)#router eigrp 10
GWY(config-router)#network 172.16.30.0
GWY(config-router)#network 172.16.40.0
GWY(config-router)#network 11.11.11.0
GWY(config-router)#network 192.168.10.0
GWY(config-router)#
%DUAL-5-NBRCHANGE: IP-EIGRP 10: Neighbor 192.168.10.1 (FastEthernet0/0) is up: new adjacency
GWY(config-router)#no auto-summary
Verification EIGRP
C:\>ping 172.16.30.2
C:\>ping 172.16.40.2
GWY#telnet 10.10.10.10
Trying 10.10.10.10 ...Open
7. Router ISP
Router(config)#hostname ISP
ISP(config)#interface fastEthernet 0/0
ISP(config-if)#ip address 192.168.20.2 255.255.255.0
ISP(config-if)#no shutdown
ISP(config-if)#exit
ISP(config)#do ping 192.168.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 0/0/0 ms
8. GWY
GWY(config-router)#redistribute static
GWY(config-router)#redistribute connected
Verification
ISP#ping 172.16.20.2
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/6/12 ms
ISP#ping 10.10.10.10
ISP#telnet 10.10.10.10
Trying 10.10.10.10 ...Open
Username: admin
Password:
LAN>
Verification
C:\>ping 192.168.30.1
C:\>ping 172.16.10.2
C:\>
Condition: for the Internet hosts the following service is disabled towards the Inside, but the http service is enabled
IPV6 Address
IPv6 uses 128-bit addresses, which means that for each person on Earth there are
48,000,000,000,000,000,000,000,000,000 addresses!
Advantages:
Enhanced security
Header improvements
No need for NAT
Stateless address autoconfiguration
IPv6 uses eight groups of four hexadecimal digits separated by colons. For example, this is a
valid IPv6 address:
1234:4523:EDBA:0A01:0056:5054:5ABC:ABBD
1240:0000:0000:0000:0456:0000:CCCB:11DC
can be written as
1240::456:0000:CCCB:11DC (the "::" shorthand may be used only once in an address)
global unicast – similar to IPv4 public IP addresses. These addresses are assigned by the IANA
and used on public networks. They have a prefix of 2000::/3, meaning all the addresses that
begin with binary 001.
unique local – similar to IPv4 private addresses. They are used in private networks and aren’t
routable on the Internet. These addresses have a prefix of FD00::/8.
link local – these addresses are used for sending packets over the local subnet. Routers do not
forward packets with these addresses to other subnets. IPv6 requires a link-local address to be
assigned to every network interface on which the IPv6 protocol is enabled. These addresses
have a prefix of FE80::/10.
Loopback Address ::1/128
Unspecified Address ::/0
Multicast addresses in IPv6 are similar to multicast addresses in IPv4. They are used to
communicate with dynamic groupings of hosts, for example all routers on the link ("one-to-many distribution").
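The notation rules above (leading-zero suppression, a single "::") and the prefix table can be checked with a small script. This is an added example, not part of the lab guide; the prefix list is built from the values the text gives, and the sample addresses are constructed.

```python
import ipaddress

# Well-known prefixes as the page lists them (constructed lookup table, not from the page).
ADDRESS_TYPES = [("global unicast", ipaddress.IPv6Network("2000::/3")),
                 ("unique local", ipaddress.IPv6Network("FD00::/8")),
                 ("link local", ipaddress.IPv6Network("FE80::/10")),
                 ("multicast", ipaddress.IPv6Network("FF00::/8"))]

def expand(addr: str) -> list:
    """Return the eight 4-digit hextets, undoing '::' and leading-zero suppression."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once in an address")
    if "::" in addr:
        head, tail = addr.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = left + ["0"] * missing + right
    else:
        groups = addr.split(":")
    if len(groups) != 8 or not all(0 < len(g) <= 4 for g in groups):
        raise ValueError("an IPv6 address has exactly eight 16-bit groups")
    return [g.zfill(4).upper() for g in groups]

def compress(addr: str) -> str:
    """Drop leading zeros and replace the longest run (two or more) of zero groups with '::'."""
    groups = [g.lstrip("0") or "0" for g in expand(addr)]
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = max(j, i + 1)
    if best_len < 2:
        return ":".join(groups)
    return ":".join(groups[:best_start]) + "::" + ":".join(groups[best_start + best_len:])

def address_type(addr: str) -> str:
    """Classify an address by the prefixes above; the loopback address is checked first."""
    ip = ipaddress.IPv6Address(":".join(expand(addr)))
    if ip == ipaddress.IPv6Address("::1"):
        return "loopback"
    for name, net in ADDRESS_TYPES:
        if ip in net:
            return name
    return "other"
```

Note that compress() also shortens the lone 0000 group of the page's example to 0, which is the canonical form; both spellings name the same address.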
Here is a table of some of the most common link local multicast addresses:
IPv6 transition options
IPv4 and IPv6 networks are not interoperable, and the number of devices that use IPv4 is still
very large. Some of these devices do not support IPv6 at all, so a migration process is
necessary, since IPv4 and IPv6 will likely coexist for some time.
Many transition mechanisms have been proposed. We will introduce the main ones and
describe them in the next sections:
The following table summarizes the major differences between IPv4 and IPv6:
Cisco routers do not have IPv6 routing enabled by default. To configure IPv6 on a Cisco router
you need to do two things:
With eui-64 parameter
Manually Assigned
Link-local Addressing
eui-64 Parameter
BASIC Configuration
DU#conf t
Enter configuration commands, one per line. End with CNTL/Z.
DU(config)#ipv6 unicast-routing
DU(config)#interface fastEthernet 0/0
DU(config-if)#ipv6 address 2001:0BB9:AABB:1234::/64 eui-64
DU(config-if)#no shutdown
DU(config-if)#end
BUET>en
BUET#conf t
Enter configuration commands, one per line. End with CNTL/Z.
BUET(config)#ipv6 unicast-routing
BUET(config)#interface fastEthernet 0/0
BUET(config-if)#ipv6 address 2001:0BB9:AABB:1234::/64 eui-64
BUET(config-if)#no shutdown
BUET(config-if)#end
Verification
DU#show ipv6 interface fastEthernet 0/0
DU#show ipv6 route
Manually Assigned and Link-local Addressing
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname APECE
APECE(config)#ipv6 unicast-routing
APECE(config)#interface loopback 1
APECE(config-if)#ipv6 address 2001::2/128
APECE(config-if)#exit
APECE(config)#interface fastEthernet 0/0
APECE(config-if)#ipv6 enable
APECE(config-if)#no shutdown
APECE(config-if)#exit
With the "ipv6 enable" command the router's interface automatically receives a link-local IPv6 address.
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname Ashish
Ashish(config)#ipv6 unicast-routing
Ashish(config)#interface loopback 1
Ashish(config-if)#ipv6 address 2001::1/128
Ashish(config-if)#exit
Ashish(config)#interface fastEthernet 0/0
Ashish(config-if)#ipv6 enable
Ashish(config-if)#no shutdown
Ashish(config-if)#end
Ashish#
FastEthernet0/0 [up/up]
FE80::202:17FF:FE09:E901 (link-local address, generated automatically by the ipv6 enable command)
FastEthernet0/1 [administratively down/down]
Loopback1 [up/up]
FE80::210:11FF:FE65:7A37
2001::1
Vlan1 [administratively down/down]
Ashish#
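The link-local address shown above, like the addresses the eui-64 parameter produces, is built from the interface MAC: split the MAC in half, insert FFFE, and invert the universal/local bit. The script below, an added example that is not part of the lab guide, reproduces the page's FE80::202:17FF:FE09:E901 from a constructed MAC (00:02:17:09:e9:01) and shows that the MAC can be read straight back out of such an address, which is why auditors treat EUI-64 addresses as revealing hardware identity.

```python
import ipaddress

def eui64_interface_id(mac: str) -> bytes:
    """Build the 64-bit interface ID: split the MAC, insert FFFE, invert the U/L bit (0x02)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError("a MAC address is 48 bits")
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:6]

def eui64_address(prefix: str, mac: str) -> str:
    """Join a /64 prefix with the EUI-64 interface ID, as 'ipv6 address <prefix>/64 eui-64' does."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac)))

def link_local(mac: str) -> str:
    """The FE80::/64 address that 'ipv6 enable' derives from the interface MAC."""
    return eui64_address("FE80::/64", mac)

def mac_from_eui64(addr: str):
    """Recover the MAC embedded in an EUI-64 address, or None if the address was not built that way."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in raw)

if __name__ == "__main__":
    MAC = "00:02:17:09:e9:01"  # constructed MAC that yields the page's link-local address
    print(link_local(MAC))                                   # fe80::202:17ff:fe09:e901
    print(eui64_address("2001:0BB9:AABB:1234::/64", MAC))   # the DU/BUET eui-64 prefix
    print(mac_from_eui64("FE80::202:17FF:FE09:E901"))        # 00:02:17:09:e9:01
```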
The configuration and syntax are the same as for IPv4 static routing; we will only find some minor
differences from IPv4.
DU Router
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname DU
DU(config)#ipv6 unicast-routing
DU(config)#interface fastEthernet 0/0
DU(config-if)#ipv6 address 2001:AD8:23:45::1/64
DU(config-if)#no shutdown
DU(config-if)#exit
BUET Router
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname BUET
BUET(config)#ipv6 unicast-routing
BUET(config)#interface fastEthernet 0/0
BUET(config-if)#ipv6 address 2001:AD8:23:45::2/64
BUET(config-if)#no shutdown
BUET(config-if)#exit
BUET#conf t
Enter configuration commands, one per line. End with CNTL/Z.
BUET(config)#interface fastEthernet 0/1
BUET(config-if)#ipv6 address 2001:BD55:1234:DC4::1/64
BUET(config-if)#no shutdown
BUET(config-if)#end
BUET#
Verification
FastEthernet0/0 [up/up]
FE80::260:3EFF:FEAE:5901
2001:AD8:23:45::2
FastEthernet0/1 [administratively down/down]
Vlan1 [administratively down/down]
BUET#
DU#ping ipv6 2001:AD8:23:45::2
C:\>ping 2001:BD55:1234:DC4::1
C:\>ping 2001:AD8:23:45::1
DU(config)#ipv6 route 2001:BD55:1234:DC4::/64 2001:AD8:23:45::2
DU(config)#exit
C:\>ping 2001:AD8:23:45::1
Pinging 2001:AD8:23:45::1 with 32 bytes of data:
Reply from 2001:AD8:23:45::1: bytes=32 time=2ms TTL=254
Reply from 2001:AD8:23:45::1: bytes=32 time<1ms TTL=254
Reply from 2001:AD8:23:45::1: bytes=32 time<1ms TTL=254
Reply from 2001:AD8:23:45::1: bytes=32 time<1ms TTL=254
Basic Configuration
DU Router
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname DU
DU(config)#ipv6 unicast-routing
DU(config)#interface fastEthernet 0/0
DU(config-if)#ipv6 address 2001:AD8:23:45::1/64
DU(config-if)#no shutdown
DU(config-if)#exit
BUET Router
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname BUET
BUET(config)#ipv6 unicast-routing
BUET(config)#interface fastEthernet 0/0
BUET(config-if)#ipv6 address 2001:AD8:23:45::2/64
BUET(config-if)#no shutdown
BUET(config-if)#exit
BUET(config)#interface fastEthernet 0/1
BUET(config-if)#ipv6 address 2001:BD55:1234:DC4::1/64
BUET(config-if)#no shutdown
BUET(config-if)#end
Configure RIPng
Verification
DU#ping ipv6 2001:BD55:1234:DC4::2
*** Don’t forget to enable IPv6 unicast routing otherwise no routing protocol will work for IPv6.
Hosts and network devices run both IPv4 and IPv6 at the same time.
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ipv6 unicast-routing
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip address 192.168.10.1 255.255.255.0
Router(config-if)#no shut
Router(config-if)#ipv6 address 2001:12::1/64
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#hostname DU
DU(config)#ipv6 unicast-routing
DU(config)#interface fastEthernet 0/0
DU(config-if)#ip address 192.168.10.2 255.255.255.0
DU(config-if)#ipv6 address 2001:12::2/64
DU(config-if)#no shutdown
DU(config-if)#end
Verification
LAB 51 : Configuration of IPSEC VPN
A Virtual Private Network (VPN) provides a secure tunnel across a public network such as the
Internet, allowing organizations to connect users and offices together without the high costs of
dedicated leased lines.
Client VPNs (Remote Access VPN) - to connect the office to home or "roaming" users.
Site-to-Site VPNs - to connect branch offices to a head office.
5. OpenVPN:
IPSec:
IPSEC (Internet Protocol Security) is a suite of protocols that helps us protect IP traffic at the
network layer.
Configuration of IPSEC VPN
Basic Configuration
DU ROUTER
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 103.13.148.1 255.255.255.240
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface fastEthernet 0/1
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#ip route 192.168.20.0 255.255.255.0 103.13.148.2
1. Enable ISAKMP
3. Create mirrored ACLs defining traffic to be encrypted and the traffic expected to be
received encrypted
4. Set up IPSec crypto-map:
Router(config-crypto-map)#set peer <remote_ip>
Router(config-crypto-map)#set pfs <group1/2/5>
Router(config-crypto-map)#set transform-set <set>
--------------------------------------------------------------
R1(config)#crypto map mymap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#match address 101
R1(config-crypto-map)#set peer 103.13.148.2
R1(config-crypto-map)#set pfs group2
R1(config-crypto-map)#set transform-set ashish
R1(config-crypto-map)#
R2(config-crypto-map)#set pfs group2
R2(config-crypto-map)#set transform-set ashish
R2(config-crypto-map)#exit
When testing the VPN tunnel from the router, be sure to source the ping from the inside IP address. We
can also ping from PC1 to PC2.
The ping has now brought up the VPN because it matched the "interesting" traffic (the first ping is lost
while the tunnel is being established). We can verify with "show crypto engine connections active".
We can also view active IPSec sessions with the "show crypto session" command.
ASHISH HALDER
UNIVERSITY OF DHAKA
EMAIL - glakh2010@gmail.com
skype: ashish.halder312