CCNP All Labs

Zoom Technologies CCNP Lab Guide
Zoom Technologies
Cisco Certified Network
Professional
Lab Guide
Name___________________________________
Faculty ______________________
Batch ______Date_________
INDEX
EIGRP ----------------------------------------------------------------------------1
OSPF --------------------------------------------------------------------------- 4
ISIS ---------------------------------------------------------------------------- 10
REDISTRIBUTION------------------------------------------------------------14
BGP ----------------------------------------------------------------------------19
MULTICASTING -------------------------------------------------------------29
IPv6 --------------------------------------------------------------------------- 30
ADSL -------------------------------------------------------------------------- 34
VPN ----------------------------------------------------------------------------36
IDS/IPS ------------------------------------------------------------------------39
FIREWALL --- -----------------------------------------------------------------40
AAA, SYSLOG, SNMP -------------------------------------------------------41
MPLS -------------------------------------------------------------------------- 43
VLAN- --------------------------------------------------------------------------46
STP -----------------------------------------------------------------------------49
Advanced STP ---------------------------------------------------------------51
INTERVLAN ROUTING ------------------------------------------------------53
HSRP ---------------------------------------------------------------------------57
GLBP ----------------------------------------------------------------------------59
SWITCH SECURITY-----------------------------------------------------------61
VOIP-----------------------------------------------------------------------------64
QOS-----------------------------------------------------------------------------67
WLAN-------------------------------------------------------------------------- 69
Important Notes
How to telnet (for ZOOM CCNP Lab only)
1. First make sure your IP address matches the one on the label on your monitor. If
different, please change it to the correct address.
2. Telnet to the Access-server IP address. 192.168.0.1
3. In case you are using router number is ‘A’ , where ‘A’ can be value from 1 to 16, in the
access-server enter the following command. For example, when using the first router the
command must look like this
Access-server1#clear line 1
[confirm]
[OK]
4. Keeping the current telnet window open, open another command prompt to telnet to
your router
5. Enter the following command to telnet to your router
C:\>telnet 192.168.0.1 200A
6. In case you fail to connect to the router, follow steps 3 to 5 again.
NOTE:
During the configuration in few of the labs, you might encounter ip addresses with the value
‘X’ in it. You will have to replace ‘X’ with a number according to the router you will be
configuring. These are the values for X for the following routers
INDIA POLAND
SRILANKA RUSSIA
X=1 X=3
MALAYSIA FRANCE
THAILAND SPAIN
SUDAN CHINA
ALGERIA MONGOLIA
X=2 X=4
NIGERIA JAPAN
TANZANIA HONGKONG
EIGRP
*Configure the bandwidth on the WAN interfaces as per the given diagram and
initiate EIGRP routing protocol on all the routers in autonomous system 65000.
RA1#conf t
RA1(config)#interface serial 1/0
RA1(config-if)#bandwidth 128
RA1(config-if)#exit
RA1(config)#router eigrp 65000
RA1(config-router)#network 10.0.0.0
RA1(config-router)#network 192.168.X.0
RA1(config-router)#end
RA2#conf t
RA2(config)#interface serial 1
RA2(config-if)#interface serial 0
RA2(config-if)#exit
1|Page
RA3(config-if)#exit
RA4(config-if)#exit
RA4(config-router)#net 192.168.X.0
RA4(config-router)#net 40.0.0.0
*Verification of EIGRP
RA#show ip protocol
RA#show ip eigrp neighbor
RA#show ip eigrp topology
RA#show ip route
*Check the auto summarization of your loopback networks in your neighbor’s

routing table by telnetting on their WAN IP. All the Loopback interfaces networks
appear as one network with the default class-full subnet mask.
RA4#show ip route
Router#conf t
Router(config)#router eigrp 65000
Router(config-router)#no auto-summary
Router(config-router)#end
*Check the output in neighbor router to find the Loopbacks advertised

individually
RA4#show ip route
*Manual summarization has to be configured on a per-interface basis.

Calculate the summarized network ID manually and advertise it on all the
interfaces of the router as follows.
Router (config)#interface serial 0/1/0
Router (config-if)#ip summary-address eigrp 65000 10.X.0.0 255.255.252.0
Router (config)#interface serial 0/1/1
Router (config-if)#interface serial 0/2/0
2|Page
*Check the output in neighbor’s routing table to find the summarized address with
the customized subnet mask that you advertised.
RA4#show ip route
VARIANCE
RA3#show ip eigrp topology
RA3#show ip route
You will find the successors and feasible successors in the topology table but only
the successor routes in the routing table. To use the feasible successor also, we
have to enable variance. This can be configured only on the routers with feasible
successors available in the topology table.
RA3# conf t
RA3(config-router)#variance 2
RA3#clear ip route *
RA3#show ip route
AUTHENTICATION
Check the eigrp-neighbor table to note your neighbors. First configure

authentication on one of your serial interfaces, you will not be able to see the
neighboring router on that interface. The neighbor router will be shown in the
neighbor table only if authentication has been enabled on its corresponding
interface too.
RA1#show ip eigrp neighbor
RA1(config)#key chain zoom
RA1(config-keychain)#key 1
RA1(config-keychain-key)#key-string zoom123
RA1(config-keychain-key)#exit
RA1(config-keychain)#exit
RA1(config)#interface serial 0/1/0
RA1(config-if)#ip authentication mode eigrp 65000 md5
RA1(config-if)#ip authentication key-chain eigrp 65000 zoom
RA1(config-if)#end
RA2(config)#key chain ccnp

RA2(config-keychain)#key 1
RA2(config-keychain-key)#key-string zoom123
RA2(config-keychain-key)#exit
RA2(config-keychain)#exit
RA2(config-if)#ip authentication mode eigrp 65000 md5
RA2(config-if)#ip authentication key-chain eigrp 65000 ccnp
RA2(config-if)#end
RA1#show ip eigrp neighbor
3|Page
OSPF
*Configure all the routers in OSPF area 0. Shown below are the different possible
ways of advertising the directly connected networks in the OSPF process. You
may use any of the following methods to advertise your connected networks.
RA1(config)#router ospf 1
RA1(config-router)#network 192.168.X.16 0.0.0.15 area 0
RA1(config-router)#network 172.16.1.Y 0.0.0.3 area 0
RA2#conf t
RA2(config-router)#net 192.168.X.0 0.0.0.255 area 0
RA3(config-router)#net 0.0.0.0 255.255.255.255 area 0
RA#show ip protocol
RA#show ip ospf neighbor
RA#show ip ospf database
RA#show ip route
4|Page
DR and BDR Election

*Remove any previous routing configuration and configure all routers’ Ethernet
interface ip addresses in the same network as shown in the diagram and advertise
the networks in OSPF area 0
RA4(config)#no ip routing
RA4(config)#ip routing
RA4(config)#interface ethernet 0
RA4(config-if)#ip add 192.168.X0.4 255.255.255.0
RA4(config-if)#ip ospf priority 0
RA4(config-router)#net 192.168.X0.0 0.0.0.255 area 0
RA3(config-if)#ip address 192.168.X0.3 255.255.255.0
RA3(config-if)#exit
RA3(config-router)#network 192.168.X0.0 0.0.0.255 area 0
RA2(config-if)#exit
RA1(config)#interface fa 0/0
RA1(config-if)#exit
RA4#show ip ospf neighbor
5|Page
*Use the show ip ospf neighbor command to find the DR and BDR in the
neighbor table. In case of the wrong routers elected as the DR and BDR, restart
the election process; clear the OSPF process on all the routers at the same time.
RA3#clear ip ospf process
Reset ALL OSPF processes? [no]: y
RA4#show ip ospf neighbor
AUTHENTICATION - MD5
*Configure OSPF authentication on router to accept updates only from

authenticated OSPF neighbors.
RA1(config-router)#area 0 authentication message-digest
RA1(config-router)#exit
RA1(config-if)#ip ospf message-digest-key 1 md5 zoom123
RA2(config-router)#area 0 authentication message-digest
RA2(config-if)#ip ospf message-digest-key 1 md5 zoom123
*Verify by checking the routing table to see from which routers you receive
updates.
RA1#show ip route
RA2#show ip route
6|Page
OSPF - II
*Configure Routers into Multi Area OSPF as per given diagram. Routers on the
border of two areas have different interfaces configured in different areas. Take
care to advertise the proper interfaces (networks) in the right areas.
RA1(config-router)#network 172.16.1.Y 0.0.0.3 area 0
RA1(config)#router EIGRP 100
RA1(config-router)#no auto-summary
RA2(config-router)#network 20.X.0.0 0.0.255.255 area 10
RA3(config)#router rip
RA3(config-router)#version 2
7|Page
RA4(config-router)#network 0.0.0.0 255.255.255.255 area 20
*Verify the configuration using the following commands

RA#show ip protocol
RA#show ip ospf
RA#show ip ospf neighbor
RA#show ip ospf database
RA#show ip ospf border-routers
RA#show ip route
*Configure the redistribution of RIP routes from RA3 and EIGRP routes from
RA1 into OSPF.
RA3(config-router)#redistribute rip subnets
RA1(config-router)#redistribute eigrp 100 subnets
*Check the output in neighbor router to find OSPF external routes labeled as E2.
RA2#show ip route
*Redistributed routes have a default metric. Use the following commands to

change the seed-metric of the redistributed routes and check the output in the
neighbor router.
RA3(config-router)#redistribute rip subnets metric 100
RA2#show ip route
*Use the following commands to change the metric type of the redistributed
routes to type-I. Check the change in the output in the neighbor router
RA3(config-router)#redistribute rip subnets metric 100 metric-type 1
RA2#show ip route
*Configuration of manual summarization of OSPF routes in Area Border

Router. Manual summary in OSPF can be done on area border routers only.
(It is also applicable to other ABR i.e. RA2 for 20.X.0.0 subnet)
RA1#conf t
RA1(config-router)#area 20 range 40.X.0.0 255.255.252.0
RA1(config-router)#
Check the output in area 0 or area 10 routers
8|Page
*Configuration of manual summarization of routes originated by redistribution of

RIP & EIGRP, on the ASBR.
RA3(config-router)#summary-address 30.X.0.0 255.255.252.0
RA2#show ip route
*We can configure Area 20 as a Stub area, since it doesn’t have any ASBR in it
and has only one exit point in the AS. ALL the routers in the stub area must be
configured with this configuration. Check the routing table to find only ‘O’ and ‘O
IA’ routes and no ‘O E2’ routes. Verify by checking the routing table before and
after configuration.
RA1(config-router)#area 20 stub
RA4(config-router)#area 20 stub
*Configure Area 20, now as a Totally Stubby area. Check the routing table to
find only ‘O’ routes and no ‘O IA’ and ‘O E2’ routes.
RA1(config-router)#area 20 stub no-summary
After configuration check the routing table again.

RA4#show ip route
*Since Area 10 has an ASBR in it, it can’t be configured as a stub, but can be
configured as a Not-So-Stubby-Area (NSSA). Configure Area 10 as a NSSA using
the following commands. Check the routing table to find only ‘O’ and ‘O IA’
routes and no ‘O E2’ routes. Verify by checking the routing table before and after
configuration.
RA2(config-router)#area 10 nssa
RA3(config-router)#area 10 nssa
*After configuration check the routing table again.

RA3#show ip route
*Configure Area 10, now as a Totally NSSA. Check the routing table to find only
‘O’ routes and no ‘O IA’ and ‘O E2’ routes.
RA2(config-router)#area 10 nssa no-summary
*After configuration check the routing table again.
9|Page
ISIS
SINGLE AREA IS-IS
*Configure ISIS routing protocol as per give diagram by first assigning the CLNS
address to each router and making sure all of them are in the same area. Next, on
the interface-configuration mode of each interface that you wish to advertise,
execute the ‘ip router isis’ command.
RA1(config)#router isis
RA1(config-router)#net 49.1000.1921.6800.X017.00
RA1(config-if)#ip router isis
RA1(config-if)#interface serial 1/1
RA1(config-if)#interface serial 1/2
RA1(config-if)#int fa 0/0
RA1(config-if)#end
RA2(config-if)#interface ethernet 0
10 | P a g e
RA3(config-if)#end
RA4(config-if)#end
*Verify the output using the following show commands

RA4#sh clns neighbor
RA4#sh isis database
RA4#sh isis topology
RA4#sh ip route
11 | P a g e
CONFIGURING MULTIPLE AREA ISIS
*Configure ISIS routing protocol as per give diagram by first assigning the CLNS
address to each router and making sure all of them are in their respective areas.
Then configure the is-type level of the router. Next, on the interface-
configuration mode of each interface that you wish to advertise, execute the ‘ip
router isis’ command.
RA1(config)#no router isis

RA1(config-router)#is-type level-1-2
RA1(config)#interface serial 0/1/0
RA1(config-if)#interface serial 0/1/1
RA1(config-if)#interface serial 0/2/0
RA1(config-if)#int f 0/0
RA1(config-if)#end

RA2(config-router)#is-type level-2-only
RA2(config-router)#interface serial 1
12 | P a g e

RA3(config-router)#is-type level-1
RA3(config-if)#int loopback 1
RA3(config-if)#end

RA4(config-router)#is-type level-1-2
RA4(config-router)#interface serial 1
RA4(config-if)#end
*Verify the output using the following show commands

RA4#sh clns neighbor
RA4#sh isis database
RA4#sh isis topology
RA4#sh ip route
*Configure manual summarization of the internal networks of an area, on the

border router of that particular area. This summarized route is injected to the
other areas by the Level-2 router (border router).
RA4(config-router)#summary-address 30.X.0.0 255.255.252.0
*Verify the output of summarization by checking the routing tables of routers in

the other areas
RA1#show ip route
13 | P a g e
REDISTRIBUTION
*Configure the routers from each group as shown in the diagram using the
different routing protocols between every two routers.
RA1(config)#interface loopback 1
RA1(config-if)#interface loopback 2
RA1(config-if)#exit
RA1(config-router)#network 192.168.X.80 0.0.0.3
RA1(config-router)#network 192.168.X.16 0.0.0.15
14 | P a g e
RA3(config-router)#net 30.0.0.0
RA3(config-router)#router ospf 3
RA4(config-router)#net 0.0.0.0 255.255.255.255 area 20
*Use the redistribute command to inject eigrp routes into isis with some seed
metric of link cost.
RA1(config-router)#redistribute eigrp 20
*Use the redistribute command to inject isis only Level 1 routes into eigrp
along with directly connected networks with seed metric which includes values for
bandwidth, delay, reliability, load and MTU.
RA1(config-router)#redistribute isis level-1 metric 1544 2000 255 1 1500
RA1(config-router)#redistribute connected metric 1544 2000 255 1 1500
*Use the redistribute command to inject eigrp routes into rip with seed metric
in hop counts taking care that the final hop count doesn’t cross ‘15’.
RA2(config-router)#redistribute eigrp 20 metric 13
*Use the redistribute command to inject rip routes into eigrp with some seed
metric which includes values for bandwidth, delay, reliability, load and MTU.
RA2(config-router)#redistribute rip metric 1544 2000 255 1 1500
*Use the redistribute command to inject ospf routes into rip with some seed
metric in hop counts taking care that the final hop count doesn’t cross ‘15’.
RA3(config-router)#redistribute ospf 3 metric 5
*Use the redistribute command to inject rip routes into ospf with some seed
metric in link cost taking care that the final hop count doesn’t cross ‘15’.
RA3(config-router)#redistribute rip subnets metric 50 metric-type 1
*Check by pinging successfully from router RA4 to the core.
15 | P a g e
DISTRIBUTE-LIST
*Without removing the previous configuration, create a distribute list on router

RA2 to send out all updates from RA3 to router RA1 other than that of 30.X.0.0.
RA2(config)#access-list 10 deny 30.X.0.0 0.0.255.255

RA2(config)#access-list 10 permit any
RA2(config-router)#distribute-list 10 out serial 1
*Verify the output by checking the routing table of RA1. Routes of 30.X.0.0
shouldn’t be available.
RA1#show ip route
16 | P a g e
CONFIGURING THE ROUTE-MAP FOR FILTERING REDISTRIUTED ROUTES
*All the routes redistributed from RIP to OSPF are injected with the same default
metric. This can be changed according to our necessity and individual routes can
be assigned different metrics using route-map.
*Creating access-lists to define the selected networks.
RA3(config)#access-list 21 permit 20.X.0.0 0.0.0.255

*Creating route maps with multiple statements. Each statement contains a match-
and-set condition.
RA3(config)#route-map zoom permit 10

RA3(config-route-map)#match ip address 21
RA3(config-route-map)#set metric 500
RA3(config-route-map)#set metric-type type-2
RA3(config-route-map)#exit
RA3(config)#route-map zoom deny 20



17 | P a g e

*Applying the created route-map in the routing protocol that these routes are
being redistributed into.
Note:-Be careful to remove the previous redistribution configuration.
RA3(config-router)#redistribute rip route-map zoom subnets
*Check the output in RA4 to find different routes with different metrics as
specified in the diagram.
RA1#show ip route
18 | P a g e
BGP
*Configure all the routers in the same BGP autonomous system. Create a full-
mesh topology by mentioning every other router, including those not directly
connected, with the ‘neighbor’ statement.
RA1(config)#router bgp 6500X
RA1(config-router)#neighbor 172.16.1.Y remote-as 65000
RA1(config-router)#neighbor 192.168.X.82 remote-as 6500X
RA1(config-router)#network 192.168.X.16 mask 255.255.255.240
RA1(config-router)#no synchronization

19 | P a g e

RA3(config-router)#neighbor 192.168.X.85 remote 6500X

*Verify the configuration using the following show commands.

Router #show ip protocol
Router #show ip bgp summary
Router #show ip bgp neighbor
Router #show ip bgp
Router #show ip route
*Enable synchronization in one router and check the output on the same router.
You will find that the router doesn’t have Internal BGP routes anymore.
RA4(config-router)#synchronization
RA4 #show ip bgp

RA4#show ip route
*Disable synchronization by the ‘no synchronization’ command to get the

IBGP routes back
*Check output on same router.
Router #show ip bgp

20 | P a g e
VERIFYING SPLIT-HORIZON
*To verify the problem of split-horizon, configure the lab as per the above
diagram. Remove the previous instance of bgp and configure bgp freshly as
shown. Take care not to configure bgp on RA3.
RA1(config-router)#neighbor 172.16.1.Y remote-as 65000


*Verify the output in each router. RA1 gets routes from both RA2 and RA4. RA2
and RA4 cannot see the updates of each others LAN in their routing table. This is
because of Split-Horizon.
Router #show ip bgp
*The Solution to this Split-Horizon problem is to configure Route-Reflector as

defined in the next page.
21 | P a g e
CONFIGURING ROUTE-REFLECTOR CLIENT
R.R Server
R.R Client R.R Client
*Note: Continue configuration from above steps.
*By configuring the following, RA1 becomes the route-reflector-server and it

‘reflects’ the routes coming from one interface out the other interface, hence
solving the problem of split-horizon.

RA1(config-router)#neighbor 192.168.X.93 route-reflector-client
*Check output in all three router to find that RA2 and RA4 now have each other’s
routes in their routing table.
Router #show ip bgp
22 | P a g e
BGP - II
*Configure the routers in multiple-AS BGP according to the above diagram.
RA1(config)#router bgp 65000

RA1(config-router)#neighbor 172.16.1.Y remote 65000
RA1(config-router)#neighbor 192.168.X.82 remote 650X1
RA1(config-router)#network 10.X.0.0 mask 255.255.255.0
RA2(config)#router bgp 650X1

RA2(config-router)#neighbor 192.168.X.81 remote 65000
23 | P a g e


RA4(config-router)#neighbor 192.168.X.94 remote 65000
*Check the output by using the following show commands

R#sh ip bgp
R#sh ip route
*Use the following commands to configure manual summarization of routes.

RA1(config-router)#aggregate-address 10.X.0.0 255.255.252.0 summary-only
Check the output in neighbor routers.

R#sh ip bgp
R#sh ip route
*Continue from above configuration. The information of next-hop to each the

diagonally opposite router in RA2 and RA3 in the show ip bgp table is
incorrect. To advertise the correct next-hop, use the following configuration.
Make sure to check the output before and after configuration. The same can be
tested on RA1 and Core.
RA2(config-router)#neighbor 192.168.X.86 next-hop-self
RA2(config-router)#

RA3(config-router)#neighbor 192.168.X.85 next-hop-self
RA3#clear ip bgp 192.168.X.85
Check the output in RA2, RA3 router

R#sh ip bgp
R#sh ip route
24 | P a g e
Step 4: CONFIGURING LOCAL-PREFERENCE
*Creating Route-maps to set local-preference values for specific routes in order

to define which path the router must use to exit the AS.
*Note: Continue from above configuration.
*Create access lists to define the mentioned networks

*Create route-maps , one for each neighbor. Each route-map contains a match-
and-set condition.
RA1(config)#route-map R1toR2 permit 10

RA1(config-route-map)#match ip address 40 42
RA1(config-route-map)#set local-preference 800

RA1(config-route-map)#set local-preference 600
25 | P a g e
*Implement the route-map by defining one route-map for each neighbor in the
appropriate direction

RA1(config-router)#neighbor 192.168.X.82 route-map R1toR2 in
RA1(config-router)#neighbor 192.168.X.93 route-map R1toR4 in
*Clear the bgp route updates from the two neighboring BGP routers

*Check the output in Core and in the RA1 router

R#sh ip bgp
R#sh ip route
26 | P a g e
CONFIGURING MED
*Remove the previous configuration of BGP and configure the above given
topology. RA1 belongs to AS 65001 whereas routers RA2, RA3 and RA4 are in AS
650X5. Make sure you configure RA2 and RA4 as route-reflector-clients and RA3
as a server.
RA1(config-router)#neighbor 192.168.X.82 remote-as 650X5

RA2(config-router)#neighbor 192.168.X.81 remote-as 65001

27 | P a g e


RA4(config-router)#neighbor 192.168.X.94 remote-as 65001
*After configuring BGP as specified in the above diagram and verifying the BGP
table and routing table, configure the following configuration. Use route-maps to
set different metrics for routes coming from each neighbor.
RA2(config)#route-map med-alg permit 10
RA2(config)#route-map med-alg permit 20
RA2(config-router)#neighbor 192.168.X.81 route-map med-alg out

RA4(config)#route-map med-tan permit 10
RA4(config)#route-map med-tan permit 20
RA4(config-router)#neighbor 192.168.X.94 route-map med-tan out
*Check the routing table in RA1 to find the route with the lower MED chooses as
the best path.
RA1#sh ip route
RA1#sh ip bgp
28 | P a g e
MULTICASTING
*Enable multicast-routing on all the routers:

RA1#config t
RA1(config)#ip multicast-routing
RA1(config-if)#ip address 192.168.100.1 255.255.255.0
RA1(config-if)#no shutdown
RA1(config-if)#ip pim sparse-dense mode
RA1(config-if)#exit
RA1(config-if)#no shutdown
RA1(config-if)#ip pim sparse-dense mode
RA1(config-if)#exit
Step 2: Configure and run the multimedia multicast server application on the
server PC
Step 3: Change the IP address and gateway of the client PCs to allow them to be
in the LAN of the configured router. Make sure the switch to which the multicast
server is connected is isolated from the rest of the LAN.
Step 4: Start the multicast client software and enter the appropriate server IP
address and file location to start receiving the multicast.
Verification
RA1#show ip mroute
RA1#show ip igmp groups
On the Switch
Sw#show mac-address-table multicast
29 | P a g e
IPv6
*Configure IPv6 addressing on the interfaces of routers RA1, RA2 and RA4 as
shown in the diagram
RA1#conf t
RA1(config)#int fa 0/0
RA1(config-if)#ipv6 address 2001:X:3::1/64
RA1(config-if)#exit
RA1(config)#
RA1(config)#int s 0
RA1(config-if)#exit
RA1(config)#
RA1(config)#int s 1
RA1(config-if)#exit
*Enable ipv6 routing using the following command.

RA1(config)#ipv6 unicast-routing
*Repeat the above steps for the other routers too.

RA2(config)#int e 0
RA2(config-if)#exit
RA2(config)#int s 1
RA2(config-if)#exit
RA4(config)#int e 0
RA4(config-if)#exit
RA4(config)#int s 0
RA4(config-if)#exit
*Check the output of configuration in the entire three routes

router#sh ipv6 route
30 | P a g e
*After the interfaces are configured with IPv6 addresses, configure OSPF v3
routing on all the routers.
RA1(config)#ipv6 router ospf 1

RA1(config-rtr)#exit
RA1(config)#int fa 0/0
RA1(config-if)#ipv6 ospf 1 area 0
RA1(config-if)#exit
RA1(config)#int s 0
RA1(config-if)#exit
RA1(config)#int s 1
RA1(config-if)#exit

RA2(config-if)#int e 0
RA2(config-if)#int s 1
RA2(config-if)#end

RA4(config)#int e 0
RA4(config-if)#exit
RA4(config)#int s 0
RA4(config-if)#end
*Check the output in the entire three routes

R# show ipv6 protocol
R# show ipv6 ospf
R# show ipv6 ospf neighbor
R# show ipv6 ospf database
R# show ipv6 route
31 | P a g e
IP6 to IP4 tunnel
*Configuring a IPv6 tunnel over an IPv4 tunnel. The network in between the two
routers is an IPv4 network and is unaware of IPv6.
*Clear both IPv4 and IPv6 routing on the routers

R(config)#no ip routing
R(config)#ip routing
R(config)#no ipv6 unicast-routing
R(config)#ipv6 unicast-routing
*Create an IPv6 tunnel and assign it an IPv6 address. Also mention the source
and destination interface/address for it. Then, create static IPv4 and IPv6 routing
to the destination router.
RA2(config)#int tunnel 0
RA2(config-if)#ipv6 address 2001:X:A::1/64
RA2(config-if)#tunnel mode ipv6ip
RA2(config-if)#tunnel source s 0
RA2(config-if)#tunnel destination 192.168.X.90
RA2(config-if)#exit
RA2(config)#ip route 192.168.X.88 255.255.255.252 s 0
RA2(config)#ipv6 route 2001:X:5::/64 2001:X:A::2
RA2(config)#end
RA4(config)#
RA4(config-if)#ipv6 address 2001:X:A::2/64
RA4(config-if)#tunnel mode ipv6ip
RA4(config-if)#tunnel destination 192.168.X.85
RA4(config-if)#exit
RA4(config)#ip route 192.168.X.84 255.255.255.252 s 1
RA4(config)#ipv6 route 2001:X:1::/64 tunnel 5
R#sh ipv6 route

R#Ping ipv6 <IPv6 address>
32 | P a g e
Configuration of IPv6-v4 auto tunnel
*Configure IPv6-v4 auto tunnel over an IPv4 network. The destination end of the
tunnel is not mentioned in this configuration. Both routers find each other and
create a tunnel with the help of the static route and the Ipv6 auto tunnel
configuration.
RA2(config)#no ipv6 unicast-routing

RA2(config-if)#ipv6 add 2002:C0A8:0X55::1/64
RA2(config-if)#tunnel mode ipv6ip 6to4
RA2(config-if)#tunnel source serial 0
RA2(config-if)#exit
RA2(config)#ip route 0.0.0.0 0.0.0.0 s 0
RA2(config)#ipv6 route 2002::/16 tunnel 10
RA2(config)#ipv6 route 2001:X:5::/64 2002:C0A8:0X5A::1
RA2(config)#end
RA4(config)#no ipv6 unicast-routing

RA4(config-if)#ipv6 add 2002:C0A8:0X5A::1/64
RA4(config-if)#tunnel mode ipv6ip 6to4
RA4(config-if)#exit
RA4(config)#ip route 0.0.0.0 0.0.0.0 s 1
RA4(config)#ipv6 route 2002::/16 tunnel 15
RA4(config)#ipv6 route 2001:X:1::/64 2002:C0A8:0X55::1
RA4(config)#end
*Check the output on the two routers

R#sh ipv6 route
R#Ping ipv6 <IPv6 address>
33 | P a g e
ADSL ROUTER Configuration
*Configure physical WAN interface (ATM 0 in our case) with PPPoE or PPPoA
and map it with logical dialer interface using the dial-pool-number which we’ll
configure further below.
adslrouter(config)#interface atm 0
adslrouter(config-if)#no shut
adslrouter(config-if)#pvc 1/32
adslrouter(config-if-atm-vc)#pppoe-client dial-pool-number 1
adslrouter(config-if-atm-vc)#end
*Configure a Dialer interface (logical) with DDR (Dial-on-Demand-Routing),

PPP authentication (Point-to-Point-Protocol) and assign in a dialer pool number
that has to be mapped on the physical interface.
adslrouter(config)#interface dialer 0
adslrouter(config-if)#ip address negotiated
adslrouter(config-if)#encapsulation ppp
adslrouter(config-if)#ppp authentication pap chap callin
adslrouter(config-if)#ppp pap sent-username *** password ***
adslrouter(config-if)#ppp chap hostname ***
adslrouter(config-if)#ppp chap password ***
adslrouter(config-if)#ip mtu 1492
adslrouter(config-if)#dialer pool 1
adslrouter(config-if)#exit
*Configure static default route for internet towards interface dialer 0
adslrouter(config)#ip route 0.0.0.0 0.0.0.0 dialer 0
*Configure NAT/PAT with the VLAN interface configured as ‘nat inside’ interface
and the dialer interface as the ‘nat outside’ interface.
adslrouter(config)#access-list 15 permit 192.168.0.0 0.0.0.255

adslrouter(config)#ip nat inside source list 15 interface dialer 0 overload
adslrouter(config)#interface vlan 1
adslrouter(config-if)#ip nat inside
adslrouter(config)#interface dialer 0
adslrouter(config-if)#ip nat outside
34 | P a g e
*Verification
Verify the configuration by checking the routing table and the interface status of
the dialer. The configuration is successful if you obtain a public address from the
service provider.
show ip route
show ip int brief
show interface atm 0
show interface dialer 10
show dsl interface atm 0
35 | P a g e
VPN Configuration
*A VPN is a tunnel of private network over the public network. Configure a IPSec
VPN tunnel between the LANs of RA2 and RA4 over the link with router RA3.
*Configure the wan interface (connected to the ‘public’ network) as per the
diagram. Configure a default route towards the public network on the serial
interface.
RA2#conf t
RA2(config-if)#ip add 61.0.0.5 255.255.255.0
RA2(config-if)#no shut
RA2(config-if)#exit
RA2(config)#ip route 0.0.0.0 0.0.0.0 serial 0
*Configure IKE phase 1: Configuring the isakmp policy with appropriate

authentication and encryption and hash function. All these have to match on the
peer router too.
RA2(config)#crypto isakmp policy 1
RA2(config-isakmp)#authentication pre-share
RA2(config-isakmp)#encryption des
RA2(config-isakmp)#hash sha
RA2(config-isakmp)#group 2
RA2(config-isakmp)#exit
*Configure IKE Pre Share Key for the peer router whose address has to be
mentioned. Take care that the key has to match on both the routers.
RA2(config)#crypto isakmp key zoom123 address 71.0.0.5
*Configure IKE phase 2: Configuring the ipsec policy. Create a transform-set

with encryption and hash-function properties and the tunnel mode which should
match on the peer router.
RA2(config)#crypto ipsec transform-set zoomtr esp-des esp-sha-hmac

RA2(cfg-crypto-trans)#mode tunnel
RA2(cfg-crypto-trans)#exit
*Configure access-list to mark the interesting traffic to initiate VPN Connection.

RA2(config)# access-list 100 permit ip 192.168.X.32 0.0.0.15 192.168.X.64 0.0.0.15
36 | P a g e
*Create a crypto map to bind the interesting traffic to the transform-set. This
means that any interestic traffic originated, initiate the VPN using the properties
from the transform set mentioned towards the mentioned peer.
RA2(config)#crypto map vpnmap 10 ipsec-isakmp
RA2(config-crypto-map)#match address 100
RA2(config-crypto-map)#set transform-set zoomtr
RA2(config-crypto-map)#set peer 71.0.0.5
* Mapping the crypto-map to the serial interface.
RA2(config-if)#crypto map vpnmap
*Repeat the similar configuration on the other router.
RA4(config-if)#exit
RA4(config)#ip route 0.0.0.0 0.0.0.0 serial 1
RA4(config)#crypto isakmp policy 10

RA4(config-isakmp)#authentication pre-share
RA4(config-isakmp)#hash sha
RA4(config-isakmp)#encryption des
RA4(config-isakmp)#group 2
RA4(config-isakmp)#exit
RA4(config)#crypto isakmp key zoom123 address 61.0.0.5

RA4(config)#crypto ipsec transform-set trans esp-des esp-sha-hmac
RA4(cfg-crypto-trans)#mode tunnel
RA4(cfg-crypto-trans)#exit
RA4(config)# access-list 110 permit ip 192.168.X.64 0.0.0.15 192.168.X.32 0.0.0.15
RA4(config)#crypto map demomap 5 ipsec-isakmp

RA4(config-crypto-map)#match address 110
RA4(config-crypto-map)#set transform-set trans
RA4(config-crypto-map)#set peer 61.0.0.5
RA4(config-crypto-map)#exit
RA4(config-if)#crypto map demomap
RA4(config-if)#end
*Configure the serial interfaces on the middle router with the appropriate IP
addresses and enable routing.
37 | P a g e
RA3(config-if)#exit
RA3(config)#end
*Initiate some interesting traffic by pinging one router from the other routers LAN
or by using the ‘extended’ ping. Wait for a few seconds before the VPN tunnel is
initiated.
*Verify the output by using the following commands
RA2#show crypto isakmp sa

RA2#show crypto ipsec sa
RA2#show crypto engine connections active
38 | P a g e
IDS / IPS
*The scenario here is as shown above. RA1 is the router in our network connected
to the ISP. RA2 is one of the routers that are inside the network. In case of an
attack from the internet, i.e. the CORE router in our example, router RA1 with
IPS must be configured to detect and prevent the intrusion.
*Let us consider an example that any anonymous user manages to enter our
network and logs in to router RA2. He could give the command ‘enable’ to
enter into the privilege mode and change the router configuration. The IPS on
RA1 must be configured in such a way that when the intruder types the characters
enable, his connection must be terminated.
*Step1: Enable routing between all the three routers.
*Step2: Configure the router using SDM. In the IPS configuration mode, start the
wizard available. Select the proper interface and the proper direction. In our
case, it’s Serial 1/2 in the inbound direction. Tick the ‘Use the in-built
signatures’ in the next screen and finish.
*Step3: You’ll be taken to the ‘Edit IPS’ page next. In there, go to the signatures
tab. In the drop down menu in the centre, choose ‘engine’ as the ‘view by’
option. In the drop down menu beside it, pick the ‘STRING.TCP’ option.
*Step4: Add a new signature. The parameters that have to be configured here are
Sig name: (any name); Alarm Severity; EventAction: (alarm, drop and reset);
Protocol: (TCP); RegexString: (the string of characters in order that they would
be entered); ServicePorts: (23 for telnet)
*Step 5: Click the OK button and apply the changes made.
* To verify, configure a PC in CORE router’s LAN. Telnet to the router RA2’s

serial interface. When you type in ‘enable’ your telnet session must be
disconnected by RA1.
39 | P a g e
IOS Firewall
*The scenario set up is as shown above. RA1 has two interfaces connected to two
different LANs. Both can communicate with each other initially. Our scenario is
to allow communication from one LAN to the other, but deny the communication
in the opposite direction.
*Configure access-lists on both the interfaces allowing one way communication.
For example, PC connected to the Fa0/0 interface must be able to ping to the PC
connected to the Fa4/0, but the opposite should not be possible
RA1#config terminal
RA1(config)# access-list 100 permit ip 192.168.1.16 0.0.0.15 192.168.100.0 0.0.0.255
RA1(config)# access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.1.16 0.0.0.15
RA1(config-if)#ip access-group 100 in
RA1(config-if)#interface fa 4/0
RA1(config-if)#ip access-group 101 in
*When you ping from both the PCs to each other, you will note that both cannot
ping each other. To achieve our goal on only one-way communication, we have to
configure the following. Configure a firewall rule for ICMP protocol and apply it
on the interface where we want the traffic to flow to, in the inbound direction.
RA1(config)#ip inspect name zoom icmp

RA1(config)#interface fa0/0
RA1(config-if)#ip inspect zoom in
*Now, you will notice that PC on the F0/0 can ping the PC on Fa4/0 but the PC
on Fa4/0 cannot ping Fa0/0
40 | P a g e
AAA Configuration
*In case of AAA configuration, a PC installed with the ACS software is called the
AAA Server. The Network device (ex: router) which is using the AAA server for
authentication is called the AAA Client. The PC labeled as the Client in the above
diagram is actually the user who is trying to log in to the router and is NOT the
AAA client.
*Configuring authentication: This is for the router and in turn, the user, to be
authenticated by the AAA server. Take care to not close the telnet window after
configuring this.
RA1 (config)# aaa new-model
RA1 (config)# aaa authentication login default group tacacs+
RA1 (config)# line vty 0 15
RA1 (config-line)# login authentication default
RA1 (config)# tacacs-server host 192.168.X.Y key zoom123
* On the ACS server, configure the following.

Network configuration: By adding the router as a client.
Users Settings: By adding a username and password for the user to log in. Also
add the user in a specific group.
*Configuring authorization: This is for assigning privilege levels the user who
has logged in to the router.
RA1 (config)#aaa authorization exec default group tacacs+
*In ACS server, under the group settings for the user’s group, tick the ‘Shell
(EXEC)’ option and mention the Privilege level that you want to assign to the
user.
*Verify the output from client by show privilege command on the router.
41 | P a g e
*By using the following configuration, we can allow the following commands to
the user that are normally now allowed.
RA1(config)#privilege exec level 10 configure terminal
RA1(config)#privilege configure level 10 ip route
RA1(config)#privilege configure level 10 interface
RA1(config)#privilege interface level 10 shutdown
*Configuring AAA accounting on the router.

RA1(config)#aaa accounting commands 1 default start-stop tacacs+
*Verify the output in ACS server
Configuring SNMP
*On each router, configure the following mentioning the community in which the
router belongs to. The next two statements enable SNMP traps and points the
router to the SNMP server along with the key. Make sure that the SNMP server
belongs to the LAN of one of the routers and there is routing enabled from each
router to the SNMP server. Test by pinging from each router to the SNMP server.
RA1(config)#snmp-server community zoom123 rw

RA1(config)#snmp-server enable traps
RA1(config)#snmp-server host 192.168.X.Y zoom123
*Verify the output in SNMP server
Configuring SYSLOG
*Configure on each router the following to enable syslog and to mention the IP
address of the syslog server.
RA1(config)#logging on
RA1(config)#logging host 192.168.X.Y
*Verify the output in Syslog Server. Any changes that trigger syslog messages will
be sent to the syslog software on the server. Syslog can be verified by shutting
down and bringing up an interface.
42 | P a g e
MPLS Configuration
*Configure the above MPLS network topology with routers INDIA, POLAND and
SUDAN belonging to the MPLS cloud and routers RUSSIA and ALGERIA are the
customer end routers.
*Pre-requisites for this kind of set would be for routing to be enabled from one
end to the other. We use OSPF for the same in this set up.
Russia(config)#no ip routing
Russia(config)#ip routing
Russia(config)#router ospf 10
Russia(config-router)#net 0.0.0.0 255.255.255.255 area 0
Russia(config-router)#end
Russia#
Poland(config)#interface fa 0/1
Poland(config-if)#ip add 192.168.100.1 255.255.255.0
Poland(config-if)#no sh
Poland(config-if)#exit
Poland(config)#router ospf 10
Poland(config-router)#net 0.0.0.0 255.255.255.255 area 0
Poland(config-router)#end
INDIA(config)#int f 0/0
INDIA(config-if)#ip add 192.168.100.2 255.255.255.0
INDIA(config-if)#no shut
INDIA(config-if)#interface fa 4/0
43 | P a g e
INDIA(config-if)#ip add 192.168.200.1 255.255.255.0

INDIA(config-if)#no shut
INDIA(config-if)#exit
INDIA(config)#no ip routing
INDIA(config)#ip routing
INDIA(config)#router ospf 10
INDIA(config-router)#net 0.0.0.0 255.255.255.255 area 0
Sudan(config)#int f 0/1
Sudan(config-if)#ip add 192.168.200.2 255.255.25.0
Sudan(config-if)#no shut
Sudan(config-if)#exit
Sudan(config)#router ospf 10
Sudan(config-router)#net 0.0.0.0 255.255.255.255 area 0
Sudan(config-router)#end
Sudan#
Algeria(config)#no ip routing
Algeria(config)#ip routing
Algeria(config)#router ospf 10
Algeria(config-router)#net 0.0.0.0 255.255.255.255 area 0
Algeria(config-router)#end
Algeria#
*Configuring MPLS in the Service Provider cloud.
Poland(config)#ip cef INDIA(config)#ip cef Sudan(config)#mpls ip

Poland(config)#mpls ip INDIA(config)#mpls ip Sudan(config)#ip cef
Poland(config)#interface fa 0/1 INDIA(config)#interface fa 0/0 Sudan(config)#interface fa 0/1
Poland(config-if)#mpls ip INDIA(config-if)#mpls ip Sudan(config-if)#mpls ip
Poland(config-if)#interface fa INDIA(config-if)#interface fa Sudan(config-if)#int f 0/0
0/0 4/0 Sudan(config-if)#mpls ip
Poland(config-if)#mpls ip INDIA(config-if)#mpls ip Sudan(config-if)#end
Poland(config-if)#end INDIA(config-if)#end
*Verify using the following commands.

R#show ip cef
R#show mpls forwarding-table
R#show ip route
R#Traceroute <destination ip>
44 | P a g e
45 | P a g e
VLAN Configuration
Configuration on 2950-229 (192.168.0.229)
*Configuring the trunk

s2950-229(config)#interface fastethernet 0/24
s2950-229(config-if)#switchport mode trunk
s2950-229(config-if)#switchport trunk allowed vlan all
s2950-229(config-if)#exit
*Configuring the Vtp domain and password
s2950-229(config)#vtp domain zoom

s2950-229(config)#vtp password zoom
*Creation of VLANs
s2950-229(config)#vlan 10
s2950-229(config-vlan)#name sales
s2950-229(config-vlan)#exit
s2950-229(config-vlan)#name marketing
s2950-229(config-vlan)#name accounting
*Assigning the interface to VLANs

s2950-229(config-if)#switchport mode access
s2950-229(config-if)#switchport access vlan 1
#show interface trunk

#show vlan
#show vtp status
#show interface status
#show interface fastethernet 0/X switchport
46 | P a g e
*By using the following configuration, we can make switch 3560 the root bridge
for the entire lan. This is done by changing the priority less than the default
priority of 32768.
S3560(config)#spanning-tree vlan 1 priority 24576
*Verify the output in all the switches to see which switch is the root and which
port is in the blocked state.
s2950-229#show spanning-tree
S3560#show spanning-tree
Configuring Spanning-tree Portfast feature
*By configuring a port as a portfast, the port doesn’t take part in the spanning-
tree calculation process.
S3560#conf t
S3560(config)#interface fa 0/X
S3560(config-if)#spanning-tree portfast
*Verify by the result by the show command.

Output Omitted
Interface Role Sts Cost Prio.Nbr Type

---------------- ---- --- --------- -------- -------------------------
-------
Fa0/17 Desg FWD 19 128.17 Edge P2p
Configuring Uplinkfast
*Uplinkfast is configured only on the switch that has blocked ports. By

configuring this, when the link in forwarding state on this particular switch goes
down, the switch immediately brings the blocked port into forwarding state
instead of running the spanning-tree algorithm.
s3550(config)#spanning-tree uplinkfast
*Verify the output by shutting down the link in forwarding state and note that the
blocked state immediately comes up. This can be tested by keeping a ping ON
between two machines on different PCs.
47 | P a g e
Configuring the Spanning-tree Backbonefast
*When an indirectly connected link to the switch with the blocked port goes down,
the switch gets information from the other switches and immediately brings up the
blocked port. This has to be configured on all the switches.
s2950-229#conf t
s2950-229(config)#spanning-tree backbonefast
s3550#conf t
s3550(config)#spanning-tree backbonefast
S3560#conf t
S3560(config)#spanning-tree backbonefast
s2950-129#conf t
s2950-129(config)#spanning-tree backbonefast
*Verify the output by shutting down the indirectly connected link i.e., any link that
is not connected to the switch with the blocked port, and note that the blocked
state immediately comes up. This can be tested by keeping a ping ON between two
machines on different PCs.
48 | P a g e
STP
Configuring PVST+
*When the LAN network consists of more than one VLAN, the switch with the
lowest mac-address will be the root bridge for all the VLANs, with the same port
being blocked for all the VLANs. In order to change this, our goal is to configure
one switch as the root for each VLAN. This is done by lowering the respective
switch’s spanning-tree priority value on each switch for the respective VLAN.
Change The Root Election Of the Switch as per the Given Table
For
Vlan 1 root is S3560

Vlan 101 root is S2950-229
Vlan 201 root is S2950-129
Vlan 301 root is S3550
*Create the Required number of vlan as given above.

Tip: Use VTP to create vlan
S3560#conf t
S3560(config)#vlan 101
S3560(config-vlan)#name ccna
S3560(config-vlan)#exit
S3560(config-vlan)#name ccnp
S3560(config-vlan)#name mcse
*Configure the spanning-tree mode to PVST and then change the priority of the
vlan on the respective switch to make it root for that VLAN.
S3560(config)#spanning-tree mode pvst
S3560(config)#spanning-tree vlan 1 priority 24576
s2950-229#conf t
s2950-229(config)#spanning-tree mode pvst
s2950-229(config)#spanning-tree vlan 101 priority 24576
s2950-129#conf t
s2950-129(config)#spanning-tree mode pvst
s2950-129(config)#spanning-tree vlan 201 priority 24576
s3550#conf t
s3550(config)#spanning-tree mode pvst
s3550(config)#spanning-tree vlan 301 priority 24576
49 | P a g e
*Verify using the show commands to see the status of VLANs

Switch 3560
S3560#show spanning-tree vlan 101
50 | P a g e
ADVANCED STP
Configuring MST
*When the LAN network consists of more than one VLAN, the switch with the
lowest mac-address will be the root bridge for all the VLANs, with the same port
being blocked for all the VLANs. In order to change this, our goal is to configure
one switch as the root for each group of VLANs. This is done by lowering the
respective switch’s spanning-tree priority value on each switch for the respective
VLAN groups.
MST Inst 1 Vlan 1-100 root S3560

MST Inst 2 Vlan 101-200 root S2950-229
MST Inst 3 Vlan 201-300 root S2950-129
MST Inst 4 Vlan 301-400 root S3550
*Note: Configuration on all the four switches should be same for MST Instance
S3560(config)#spanning-tree mst configuration

S3560(config-mst)#instance 1 vlan 1-100
S3560(config-mst)#name zoom
S3560(config-mst)#revision 1
S3560(config-mst)#exit
S3560(config)#spanning-tree mst 1 priority 28672
S3560(config)#spanning-tree mode mst
s2950-229(config)#spanning-tree mst configuration

s2950-229(config-mst)#instance 1 vlan 1-100
s2950-229(config-mst)#name zoom
s2950-229(config-mst)#revision 1
s2950-229(config-mst)#exit
s2950-229(config)#spanning-tree mst 2 priority 28672
s2950-229(config)#spanning-tree mode mst
s2950-129(config)#spanning-tree mst configuration

s2950-129(config-mst)#name zoom
s2950-129(config-mst)#revision 1
s2950-129(config-mst)#exit
s2950-129(config)#spanning-tree mst 3 priority 28672
s2950-129(config)#spanning-tree mode mst
51 | P a g e
s3550(config)#spanning-tree mst configuration

s3550(config-mst)#instance 1 vlan 1-100
s3550(config-mst)#name zoom
s3550(config-mst)#revision 1
s3550(config-mst)#exit
s3550(config)#spanning-tree mst 4 priority 28672
s3550(config)#spanning-tree mode mst
*Verify using the following commands

S3560#show spanning-tree mst <Instance no>
S3560#show spanning-tree summary
52 | P a g e
*Devices in different VLANs cannot communicate with each other by default. To

enable communication between them, routing must be enabled between the
VLANs.
*Create the VLANs as per requirement.

S3560(config-vlan)#name sales
S3560(config-vlan)#name marketing
S3560(config-vlan)#vlan 60
S3560(config-vlan)#name accounts
*Bind the interface in respective VLANs.

S3560(config)#interface fa 0/12
S3560(config-if)#switchport mode access
S3560(config-if)#switchport access vlan 40
S3560(config-if)#exit
53 | P a g e
*Assign an IP address for each of the vlan interfaces. These addresses are going
to be the default gateway for the devices in those particular VLANs.
S3560(config)#interface vlan 40
S3560(config-if)#ip address 192.168.40.1 255.255.255.0
*Enable the routing process on the multilayer-switch to allow communication

between the VLANs.
S3560(config)#ip routing
S3560(config)#end
*Verify using the following show commands.
#show ip route
#show vlan
#show ip cef
#sh adjacency detail
54 | P a g e
*Configuring Inter-VLAN routing with the help on an external router.
* This method is also called Router-On-Stick. This is done by connecting the

switch to the routers Ethernet/Fastethernet port. That Ethernet port is then
logically divided into sub-interfaces. Each sub-interface in turn acts as a gateway
for each of the VLANs.
Switch configuration
*Configure the numbers of vlan as per requirement and implement in layer 2
switch.
S2950-229(config)#vlan 10
S2950-229(config-vlan)#exit
S2950-229(config)#vlan 20
S2950-229(config-vlan)#vlan 30
S2950-229(config-vlan)#exit
S2950-229(config)#interface fa 0/12
S2950-229(config-if)#switchport mode access
S2950-229(config-if)#switchport access vlan 10
S2950-229(config-if)#exit
S2950-229(config-if)#exit
55 | P a g e
*The port on the switch connected to the router must be configured as a trunk
port since it carries information from more than one VLAN.
S2950-229(config-if)#switchport mode trunk
S2950-229(config-if)#end
Router Configuration
*On the router’s Ethernet interface, remove the ip address and create sub-
interfaces as given below. Each sub-interface has to be configured with the right
encapsulation so that it can interpret the data coming from the trunk port of the
switch.
Sudan#conf t
Sudan(config)#ip routing
Sudan(config)#interface fa 0/1
Sudan(config-if)#no ip address
Sudan(config-if)#no shutdown
Sudan(config)#interface fa 0/1.1
Sudan(config-subif)#encapsulation dot1q 1 native
Sudan(config-subif)#ip address 192.168.0.50 255.255.255.0
Sudan(config-subif)#exit
Sudan(config-subif)#encapsulation dot1q 10
*Verify by using the following commands and also by pinging from a PC in one
VLAN to a PC in another VLAN.
R#show ip route
S#show vlan
S#show interface trunk
56 | P a g e
HSRP
*In this practical, we configure two routers connected on the same LAN network
with HSRP. By doing that, the two routers create a Virtual Router with a Virtual-
IP that we mention in the configuration. This virtual-IP is to be used as the
default-gateway to the devices in the LAN.
*Make sure that both router’s LAN interface belongs to the same network and
both routers are configured with the same standby group.
Sudan#conf t
Sudan(config-if)#ip address 192.168.1X0.100 255.255.255.0
Sudan(config-if)#standby X0 ip 192.168.1X0.1
Sudan(config-if)#standby X0 priority 150
Sudan(config-if)#standby X0 preempt
Sudan(config)#ip route 192.168.0.0 255.255.255.0 s 0/2/0
Poland#conf t
Poland(config-if)#ip address 192.168.1X0.200 255.255.255.0
Poland(config-if)#no shutdown
Poland(config-if)#standby X0 ip 192.168.1X0.1
Poland(config-if)#standby X0 priority 120
Poland(config-if)#standby X0 preempt
Poland(config)# ip route 192.168.0.0 255.255.255.0 s 0/2/0
CORE#conf t
CORE(config)# ip route 192.168.1X0.0 255.255.255.0 s 1
57 | P a g e
*Verify using the following command, which router is the ACTIVE router and
which router is the STANDBY.
Router#show standby
*Shutdown the Ethernet interfaces of the active (Sudan) Router and verify which
router now becomes the ACTIVE router.
Sudan#conf t
Sudan(config-if)#shutdown
Sudan(config-if)#end
*Bring up the Ethernet interface again and now configure interface tracking in
Sudan router.
Sudan#conf t
Sudan(config-if)#standby X0 track serial 0/2/0 50
*The above statement implies that for group X0, if the interface serial 0/2/0 goes
down, decrease the standby priority of this router by a value of 50 such that the
other router, now, has the higher priority and it becomes the ACTIVE router.
*Shutdown the serial 0/2/0 interface and verify the output.

Sudan(config)#interface Serial 0/2/0
Sudan(config-if)# shutdown
Router#show standby
58 | P a g e
GLBP
*In this practical, we configure two routers connected on the same LAN network
with GLBP. By doing that, the two routers create a Virtual Router with a Virtual-
IP that we mention in the configuration. This virtual-IP is to be used as the
default-gateway to the devices in the LAN.
*Make sure that both router’s LAN interface belongs to the same network and
both routers are configured with the same standby group.
Sudan(config-if)#ip address 192.168.1X0.100 255.255.255.0
Sudan(config-if)#glbp X0 ip 192.168.1X0.1
Sudan(config)# ip route 192.168.0.0 255.255.255.0 s 0/2/0
Poland(config-if)#ip address 192.168.1X0.200 255.255.255.0
Poland(config-if)#no shutdown
Poland(config-if)#glbp X0 ip 192.168.1X0.1
Poland(config)# ip route 192.168.0.0 255.255.255.0 s 0/2/0
CORE#conf t
59 | P a g e
*Verify using the following command, which router is the ACTIVE router.
Router#sh glbp
*Shutdown the Ethernet interfaces of the active (Sudan) Router and verify the
output.
Sudan#conf t
Sudan(config-if)#shutdown
*Bring up the Ethernet interface again and now configure interface tracking in
Sudan router.
Sudan#conf t
Sudan(config)#track 50 interface serial 0/2/0 line-protocol
Sudan(config-track)#exit
Sudan(config-if)#glbp X0 weighting track 50 decrement 100
*Configure using the following commands to reduce the preempt delay in both the
routers.
Sudan(config-if)#glbp X0 forwarder preempt delay minimum 5
*Reducing the preempt delay in Poland

Poland (config-if)#glbp X0 forwarder preempt delay minimum 5
*Shutdown the serial 0/2/0 interface in Sudan router and verify the output
Sudan#conf t
Sudan(config)#interface s 0/2/0
Sudan(config-if)# shutdown
60 | P a g e
PORT-SECURITY
Fa 0/12
Mac-address xxxx.xxxx.xxxx
*This practical is to configure port-security on a switch by binding the mac-

address of a PC to a particular port. By doing so, we allow only that PC to work
on that port. Any other PC trying to use that port is not allowed to do so since it
would be having a different mac-address.
S3560#conf t
S3560(config-if)#switchport port-security
S3560(config-if)#switchport port-security mac-address xxxx.xxxx.xxxx
S3560(config-if)#switchport port-security violation shutdown
*You can verify the output by disconnecting the PC from the port and connecting
another PC to the same port and trying to start communication on it. You will find
that as soon as the new PC tries to establish communication, the port goes into an
err-disabled state and is shut down.
S3560#show port-security
S3560#show interface status
S3560#show port-security interface fa 0/12
61 | P a g e
VACL
*Two PCs belonging to the same VLAN on the same switch can communicate with
each other by default. In cases where we do not want them to communicate and
there is no router available to configure access-lists, we can configure VLAN
access-lists or VACL.
* Assign 192.168.0.3 and 192.168.0.203 ports in vlan 10. They can ping each
other normally. The required scenario here is that the ping request from the pc-
192.168.0.3 to pc-192.168.0.203 should not happen and the ping request from pc-
192.168.0.203 to pc-192.168.0.3 must be allowed.
S3560(config)#access-list 110 permit icmp host 192.168.0.3 host 192.168.0.203 echo

S3560(config)#vlan access-map zoom 10
S3560(config-access-map)#match ip address 110
S3560(config-access-map)#action drop
S3560(config-access-map)#exit
S3560(config)#vlan access-map zoom 20
S3560(config-access-map)#exit
S3560(config)#vlan filter zoom vlan-list 10
*Verify the output by having ping ON between the two machines.
62 | P a g e
DOT1X AUTHENTICATION
*An open port is open for anybody to connect their device and start
communication with the LAN. Our goal here is to authenticate any user that
connects to the switch and allow access only if he is properly authenticated.
Authentication is done with the help of a AAA server.
*Make sure the test-PC is enabled for dot1x authentication.
s2950-229(config)#aaa new-model
s2950-229(config)#aaa authentication dot1x default group radius
s2950-229(config)#dot1x system-auth-control
s2950-229(config)#radius-server host 192.168.0.3 key zoom123
s2950-229(config)#interface fa 0/16
s2950-229(config-if)#dot1x port-control auto
*Verify using the following commands and also by disconnecting and connecting
the device from the switch and then going through the authentication process
when prompted.
s2950-229#show dot1x all
63 | P a g e
VOIP
*To enable VOIP, the pre-requisite is to have routing enabled on the network
between the different voice devices. For that, we are configuring EIGRP protocol
between routers India and Sudan.
INDIA#conf t
INDIA(config)#router eigrp 100
INDIA(config-router)#network 192.168.1.0
INDIA(config-router)#net 172.16.0.0
INDIA(config-router)#end
CORE#conf t
CORE(config)#no ip routing
CORE(config)#ip routing
CORE(config)#router eigrp 100
CORE(config-router)#network 172.16.0.0
CORE(config-router)#end
Sudan#conf t
Sudan(config)#no ip routing
Sudan(config)#ip routing
Sudan(config)#router eigrp 100
Sudan(config-router)#net 172.16.0.0
Sudan(config-router)#net 192.168.100.0
Sudan(config-router)#exit
Sudan(config-if)#ip address 192.168.100.1 255.255.255.0
Sudan(config-if)#no shut
64 | P a g e
*Router INDIA has two FXS ports to which two analog phones are connected.
Below is the configuration for assigning phone numbers to the analog phones by
configuring the dial-peer as POTS (plain old telephone system)
INDIA(config)#dial-peer voice 10 pots
INDIA(config-dial-peer)#destination-pattern 2001
INDIA(config-dial-peer)#port 2/0/0
INDIA(config-dial-peer)#exit
INDIA(config)#dial-peer voice 20 pots
INDIA(config-dial-peer)#destination-pattern 2002
INDIA(config-dial-peer)#port 2/0/1
INDIA(config-dial-peer)#exit
*Verify the output by dialing the extension number from one to another phone
*Here we have to configure the call routing from India to Sudan. It mentions the
destination IPV4 network to which the VOIP packets have to be routed if a call to
the mentioned phone number has to be made.
INDIA(config)#dial-peer voice 30 voip

INDIA(config-dial-peer)#destination-pattern 300.
INDIA(config-dial-peer)#session target ipv4:172.16.1.5
INDIA(config-dial-peer)#end
*Below is the configuration of Sudan router to which two IP phones have been
connected.
*First we have to configure a DHCP pool from which an ip-address will be

assigned to the IP phone.
Sudan(config)#ip dhcp pool voip
Sudan(dhcp-config)#network 192.168.100.0
Sudan(dhcp-config)#default-router 192.168.100.1
Sudan(dhcp-config)#option 150 ip 192.168.100.1
Sudan(dhcp-config)#exit
Sudan(config)# ip dhcp excluded-address 192.168.100.1
*Below is the configuration for telephony-service where we configure various

parameters such as number of dial-numbers and ephones, assigning of phone
numbers to the e-phones and binding the mac-address of the ip-phone to the
ephone.
Sudan(config)#telephony-service
Sudan(config-telephony)#max-dn 10
Sudan(config-telephony)#max-ephone 5
Sudan(config-telephony)#ip source-address 192.168.100.1
Sudan(config-telephony)#exit
Sudan(config)#ephone-dn 1
Sudan(config-ephone-dn)#number 3001
Sudan(config-ephone-dn)#name zoom
65 | P a g e
Sudan(config-ephone-dn)#exit
Sudan(config-ephone-dn)#name ccnp
Sudan(config-ephone-dn)#name ccna
Sudan(config-ephone-dn)#name cisco
Sudan(config)#ephone 1
Sudan(config-ephone)# mac-address ****.****.****
Sudan(config-ephone)#button 1:1
Sudan(config-ephone)#exit
Sudan(config)#ephone 2
Sudan(config-ephone)#mac-address ****.****.****
Sudan(config-ephone)#button 1:2
Sudan(config-ephone)#exit
*Here we have to configure the call routing from Sudan to India. It mentions the
destination Ipv4 network to which the VOIP packets have to be routed if a call to
the mentioned phone number has to be made.
Sudan(config)#dial-peer voice 10 voip

Sudan(config-dial-peer)#destination-pattern 200.
Sudan(config-dial-peer)#session target ipv4:172.16.1.1
Sudan(config-dial-peer)#exit
66 | P a g e
QOS
*Initially, configure routing between the LANs of the two routers. The LAN of
India router contains the HTTP and FTP server and the LAN of CORE router
contains the client PCs from where the resources will be accessed.
India#config t
India(config)#ip route 192.168.0.0 255.255.255.0 s1/2
India(config)#exit
CORE#config t
CORE(config)#ip route 0.0.0.0 0.0.0.0 s 0
CORE(config)#exit
CORE(config)#int s0
CORE(config-if)#clock rate 1000000
CORE(config-if)#end
*Using the above configuration, we have enabled routing between the two
networks and also configured the rate of flow over the serial interface between the
routers to be of 1Mbps.
*We now need to monitor the rate of flow two types of traffic, one HTTP and the
other FTP. For this, we use a download manager software on the client side PC
to observe the download speed of each type of traffic.
*You might observe that when we have traffic via both the protocols, they share
the available bandwidth equally, but in absence of the one, the other takes up the
entire bandwidth. Our aim is to allocate certain amount of bandwidth to each type
of traffic. For this, we need to configure QOS in the INDIA router.
*Step1: Create separate class-maps for each type of traffic by matching it by the
protocol it is using.
INDIA(config)#class-map httpclass
INDIA(config-cmap)#match protocol http
INDIA(config-cmap)#exit
67 | P a g e
INDIA(config)#class-map ftpclass
INDIA(config-cmap)#match protocol ftp
INDIA(config-cmap)#exit
*Create a policy-map to define what has to be done with each type of traffic that
have been defined in the class-maps.
INDIA(config)#policy-map ccnpqos
INDIA(config-pmap)#class httpclass
INDIA(config-pmap-c)#bandwidth percent 10
INDIA(config-pmap-c)#exit
INDIA(config-pmap)#class ftpclass
INDIA(config-pmap-c)#bandwidth percent 60
INDIA(config-pmap-c)#exit
INDIA(config-pmap)#exit
*The policy-map now has to be implemented on the proper interface in the proper
direction on the router close to the source of the traffic.
INDIA(config)#interface serial 1/2
INDIA(config-if)#service-policy output ccnpqos
INDIA(config-if)#end
*You will observe that in absence of traffic from one protocol, the other takes up
the entire bandwidth. To prevent this, we can configure ‘policing’ to limit the
bandwidth usage of a certain type of data flow to a fixed value.
INDIA(config)#policy-map ccnpqos
INDIA(config-pmap)#class httpclass
INDIA(config-pmap-c)# police rate percent 10
INDIA(config-pmap-c-police)#exceed-action drop
INDIA(config-pmap-c-police)#end
*Now you will observe that even though you stop the FTP data, the HTTP
download does not cross 10% of the total available bandwidth.
68 | P a g e
WIRELESS LAN
*For a wireless router, there are two main interfaces. One wired and the other
wireless. The wired interface is the VLAN interface where users from the LAN can
be connected to the router. The wireless interface is the radio antenna through
which users with wireless end systems can connect to the router.
*Configure an ip address on the Dot11Radio interface
adslrouter#config t
adslrouter(config)# interface Dot11Radio 0
adslrouter(config-if)#ip address 192.168.200.1 255.255.255.0
*Configuring SSID and broadcast. Users trying to connect to the wireless network
now will be able to connect without any authentication
adslrouter(config-if)#ssid ccnp
adslrouter(config-if-ssid)#guest-mode
adslrouter(config-if-ssid)#authentication open
adslrouter(config-if-ssid)#exit
adslrouter(config-if)#channel 11
adslrouter(config-if)#speed default
*In case we require the users trying to connect to the wireless network to be
authenticated before they can access the resources, we can configure the
authentication mode and key in the following way.
adslrouter(config-if)#encryption mode wep mandatory

adslrouter(config-if)#encryption key 1 size 128 01234567899876543210012345
*Configure a DHCP pool on the wireless router to assign ip address to any user
trying to connect to the router through the wireless network.
adslrouter(config)#ip dhcp pool wireless

adslrouter(dhcp-config)#network 192.168.200.0 255.255
adslrouter(dhcp-config)#default-router 192.168.200.1
adslrouter(dhcp-config)#dns-server 192.168.200.1
69 | P a g e

CCNP All Labs

Transféré par

Informations du document

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

CCNP All Labs

Transféré par

Droits d'auteur :

Formats disponibles

Zoom Technologies CCNP Lab Guide

2. Telnet to the Access-server IP address. 192.168.0.1

5. Enter the following command to telnet to your router

C:\>telnet 192.168.0.1 200A

6. In case you fail to connect to the router, follow steps 3 to 5 again.

*Check the auto summarization of your loopback networks in your neighbor’s

*Check the output in neighbor router to find the Loopbacks advertised

*Manual summarization has to be configured on a per-interface basis.

Check the eigrp-neighbor table to note your neighbors. First configure

RA2(config)#key chain ccnp

DR and BDR Election

RA4#show ip ospf neighbor

*Configure OSPF authentication on router to accept updates only from

*Verify the configuration using the following commands

*Redistributed routes have a default metric. Use the following commands to

*Configuration of manual summarization of OSPF routes in Area Border

Check the output in area 0 or area 10 routers

*Configuration of manual summarization of routes originated by redistribution of

After configuration check the routing table again.

*After configuration check the routing table again.

SINGLE AREA IS-IS

RA2(config-if)#ip router isis

*Verify the output using the following show commands

CONFIGURING MULTIPLE AREA ISIS

RA1(config)#no router isis

RA2(config)#no router isis

RA3(config)#no router isis

RA4(config)#no router isis

*Verify the output using the following show commands

*Configure manual summarization of the internal networks of an area, on the

*Verify the output of summarization by checking the routing tables of routers in

*Check by pinging successfully from router RA4 to the core.

*Without removing the previous configuration, create a distribute list on router

RA2(config)#access-list 10 deny 30.X.0.0 0.0.255.255

CONFIGURING THE ROUTE-MAP FOR FILTERING REDISTRIUTED ROUTES

*Creating access-lists to define the selected networks.

RA3(config)#access-list 21 permit 20.X.0.0 0.0.0.255

RA3(config)#route-map zoom permit 10

RA3(config)#route-map zoom deny 20

RA3(config)#route-map zoom permit 30

RA3(config)#route-map zoom permit 40

RA3(config)#route-map zoom permit 50

Note:-Be careful to remove the previous redistribution configuration.

RA2(config)#router bgp 6500X

RA3(config)#router bgp 6500X

RA4(config)#router bgp 6500X

*Verify the configuration using the following show commands.

RA4 #show ip bgp

*Disable synchronization by the ‘no synchronization’ command to get the

*Check output on same router.

Router #show ip bgp

RA2(config)#router bgp 6500X

RA4(config)#router bgp 6500X

*The Solution to this Split-Horizon problem is to configure Route-Reflector as

CONFIGURING ROUTE-REFLECTOR CLIENT

R.R Client R.R Client

*Note: Continue configuration from above steps.

*By configuring the following, RA1 becomes the route-reflector-server and it

RA1(config)#router bgp 6500X

*Configure the routers in multiple-AS BGP according to the above diagram.

RA1(config)#router bgp 65000

RA2(config)#router bgp 650X1

RA3(config)#router bgp 650X1