Zoom Technologies
Cisco Certified Network
Professional
Lab Guide
Name___________________________________
Faculty ______________________
Batch ______Date_________
Zoom Technologies CCNP Lab Guide
INDEX
EIGRP
OSPF
ISIS
REDISTRIBUTION
BGP
MULTICASTING
IPv6
ADSL
VPN
IDS/IPS
FIREWALL
AAA, SYSLOG, SNMP
MPLS
VLAN
STP
Advanced STP
INTERVLAN ROUTING
HSRP
GLBP
SWITCH SECURITY
VOIP
QOS
WLAN
Important Notes
How to telnet (for ZOOM CCNP Lab only)
1. First make sure your IP address matches the one on the label on your monitor. If it is
different, please change it to the correct address.
3. If your router number is ‘A’, where ‘A’ can be a value from 1 to 16, enter the following
command on the access server. For example, when using the first router, the command
must look like this:
Access-server1#clear line 1
[confirm]
[OK]
4. Keeping the current telnet window open, open another command prompt to telnet to
your router.
NOTE:
During the configuration in a few of the labs, you might encounter IP addresses with the value
‘X’ in them. Replace ‘X’ with a number according to the router you are configuring. The
values of X for each router are:
X=1: INDIA, SRILANKA, MALAYSIA, THAILAND
X=2: SUDAN, ALGERIA, NIGERIA, TANZANIA
X=3: POLAND, RUSSIA, FRANCE, SPAIN
X=4: CHINA, MONGOLIA, JAPAN, HONGKONG
EIGRP
*Configure the bandwidth on the WAN interfaces as per the given diagram and
initiate EIGRP routing protocol on all the routers in autonomous system 65000.
RA1#conf t
RA1(config)#interface serial 1/0
RA1(config-if)#bandwidth 128
RA1(config)#interface serial 1/1
RA1(config-if)#bandwidth 128
RA1(config-if)#exit
RA1(config)#router eigrp 65000
RA1(config-router)#network 10.0.0.0
RA1(config-router)#network 192.168.X.0
RA1(config-router)#network 172.16.0.0
RA1(config-router)#end
RA2#conf t
RA2(config)#interface serial 1
RA2(config-if)#bandwidth 128
RA2(config-if)#interface serial 0
RA2(config-if)#bandwidth 128
RA2(config-if)#exit
RA2(config)#router eigrp 65000
RA2(config-router)#network 192.168.X.0
RA2(config-router)#network 20.0.0.0
RA2(config-router)#end
RA3(config)#interface serial 0
RA3(config-if)#bandwidth 64
RA3(config-if)#interface serial 1
RA3(config-if)#bandwidth 128
RA3(config-if)#exit
RA3(config)#router eigrp 65000
RA3(config-router)#network 192.168.X.0
RA3(config-router)#network 30.0.0.0
RA3(config-router)#end
RA4(config)#interface serial 0
RA4(config-if)#bandwidth 128
RA4(config-if)#interface serial 1
RA4(config-if)#bandwidth 64
RA4(config-if)#exit
RA4(config)#router eigrp 65000
RA4(config-router)#net 192.168.X.0
RA4(config-router)#net 40.0.0.0
RA4(config-router)#end
*Verification of EIGRP
RA#show ip protocol
RA#show ip eigrp neighbor
RA#show ip eigrp topology
RA#show ip route
Router#conf t
Router(config)#router eigrp 65000
Router(config-router)#no auto-summary
Router(config-router)#end
*Check the output in neighbor’s routing table to find the summarized address with
the customized subnet mask that you advertised.
RA4#show ip route
VARIANCE
RA3#show ip eigrp topology
RA3#show ip route
You will find the successors and feasible successors in the topology table but only
the successor routes in the routing table. To use the feasible successor also, we
have to enable variance. This can be configured only on the routers with feasible
successors available in the topology table.
RA3# conf t
RA3(config)#router eigrp 65000
RA3(config-router)#variance 2
RA3(config-router)#end
RA3#clear ip route *
RA3#show ip route
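How the feasibility condition and the variance multiplier together decide which paths are installed, as an added Python example that is not part of the lab guide. The neighbor names N1 to N3 and all bandwidth and delay values are constructed (they are not taken from the lab diagram), and the metric uses the classic EIGRP formula with default K values.

```python
# Added example: classic EIGRP composite metric (default K values) and the
# variance test. All path values are constructed, not from the lab diagram.

def eigrp_metric(min_bw_kbps, total_delay_usec):
    """256 * (10^7 / lowest bandwidth in kbps + total delay in tens of usec)."""
    return 256 * (10**7 // min_bw_kbps + total_delay_usec // 10)


def installed_paths(paths, variance=1):
    """Return the neighbors whose paths are installed in the routing table.

    paths maps neighbor -> (metric through that neighbor, reported distance),
    where the reported distance is the neighbor's own metric to the destination.
    """
    fd = min(metric for metric, _ in paths.values())   # feasible distance
    chosen = []
    for nbr, (metric, rd) in sorted(paths.items(), key=lambda kv: kv[1][0]):
        is_successor = metric == fd
        # Feasibility condition: the neighbor must be strictly closer to the
        # destination than we are, which guarantees a loop-free path.
        is_feasible = rd < fd
        # Variance only widens the choice among feasible successors.
        if is_successor or (is_feasible and metric < variance * fd):
            chosen.append(nbr)
    return chosen


def sample_paths():
    """Constructed topology-table entries for one destination LAN."""
    lan = eigrp_metric(10000, 1000)            # neighbor's connected Ethernet
    return {
        # 128 kbps serial to N1, which owns the LAN: the successor.
        "N1": (eigrp_metric(128, 21000), lan),
        # 64 kbps serial to N2, which also owns the LAN: feasible successor.
        "N2": (eigrp_metric(64, 21000), lan),
        # N3 reaches the LAN over its own 128 kbps serial, so its reported
        # distance is not below our feasible distance: never installed.
        "N3": (eigrp_metric(128, 61000), eigrp_metric(128, 41000)),
    }


if __name__ == "__main__":
    for v in (1, 2):
        print("variance", v, "->", installed_paths(sample_paths(), v))
```

N3 stays out of the routing table even though its metric is within twice the best metric, because it fails the feasibility condition.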
AUTHENTICATION
OSPF
*Configure all the routers in OSPF area 0. Shown below are the different possible
ways of advertising the directly connected networks in the OSPF process. You
may use any of the following methods to advertise your connected networks.
RA1(config)#router ospf 1
RA1(config-router)#network 192.168.X.16 0.0.0.15 area 0
RA1(config-router)#network 192.168.X.80 0.0.0.3 area 0
RA1(config-router)#network 192.168.X.92 0.0.0.3 area 0
RA1(config-router)#network 172.16.1.Y 0.0.0.3 area 0
RA1(config-router)#end
RA2#conf t
RA2(config)#router ospf 2
RA2(config-router)#net 192.168.X.0 0.0.0.255 area 0
RA2(config-router)#end
RA3(config)#router ospf 3
RA3(config-router)#net 0.0.0.0 255.255.255.255 area 0
RA3(config-router)#end
RA4(config)#router ospf 4
RA4(config-router)#net 192.168.X.0 0.0.0.255 area 0
RA4(config-router)#end
RA#show ip protocol
RA#show ip ospf neighbor
RA#show ip ospf database
RA#show ip route
RA4(config)#no ip routing
RA4(config)#ip routing
RA4(config)#interface ethernet 0
RA4(config-if)#ip add 192.168.X0.4 255.255.255.0
RA4(config-if)#ip ospf priority 0
RA4(config)#router ospf 4
RA4(config-router)#net 192.168.X0.0 0.0.0.255 area 0
RA4(config-router)#end
RA3(config)#no ip routing
RA3(config)#ip routing
RA3(config)#interface ethernet 0
RA3(config-if)#ip address 192.168.X0.3 255.255.255.0
RA3(config-if)#ip ospf priority 20
RA3(config-if)#exit
RA3(config)#router ospf 3
RA3(config-router)#network 192.168.X0.0 0.0.0.255 area 0
RA3(config-router)#end
RA2(config)#no ip routing
RA2(config)#ip routing
RA2(config)#interface ethernet 0
RA2(config-if)#ip add 192.168.X0.2 255.255.255.0
RA2(config-if)#ip ospf priority 50
RA2(config-if)#exit
RA2(config)#router ospf 2
RA2(config-router)#net 192.168.X0.0 0.0.0.255 area 0
RA2(config-router)#end
RA1(config)#no ip routing
RA1(config)#ip routing
RA1(config)#interface fa 0/0
RA1(config-if)#ip add 192.168.X0.1 255.255.255.0
RA1(config-if)#ip ospf priority 100
RA1(config-if)#exit
RA1(config)#router ospf 1
RA1(config-router)#net 192.168.X0.0 0.0.0.255 area 0
RA4#show ip ospf neighbor
*Use the show ip ospf neighbor command to find the DR and BDR in the
neighbor table. If the wrong routers are elected as the DR and BDR, restart
the election process by clearing the OSPF process on all the routers at the same time.
RA3#clear ip ospf process
Reset ALL OSPF processes? [no]: y
AUTHENTICATION - MD5
RA2(config)#router ospf 2
RA2(config-router)#area 0 authentication message-digest
RA2(config-router)#exit
RA2(config)#interface ethernet 0
RA2(config-if)#ip ospf message-digest-key 1 md5 zoom123
*Verify by checking the routing table to see from which routers you receive
updates.
RA1#show ip route
RA2#show ip route
OSPF - II
*Configure Routers into Multi Area OSPF as per given diagram. Routers on the
border of two areas have different interfaces configured in different areas. Take
care to advertise the proper interfaces (networks) in the right areas.
RA1(config)#router ospf 1
RA1(config-router)#network 172.16.1.Y 0.0.0.3 area 0
RA1(config-router)#network 192.168.X.16 0.0.0.15 area 0
RA1(config-router)#network 192.168.X.80 0.0.0.3 area 0
RA1(config-router)#network 192.168.X.92 0.0.0.3 area 20
RA1(config)#router EIGRP 100
RA1(config-router)#no auto-summary
RA1(config-router)#network 10.0.0.0
RA1(config-router)#exit
RA2(config)#router ospf 2
RA2(config-router)#network 192.168.X.80 0.0.0.3 area 0
RA2(config-router)#network 192.168.X.32 0.0.0.15 area 10
RA2(config-router)#network 192.168.X.84 0.0.0.3 area 10
RA2(config-router)#network 20.X.0.0 0.0.255.255 area 10
RA2(config-router)#exit
RA3(config)#router ospf 3
RA3(config-router)#network 192.168.X.0 0.0.0.255 area 10
RA3(config-router)#exit
RA3(config)#router rip
RA3(config-router)#version 2
RA3(config-router)#network 30.0.0.0
RA3(config-router)#no auto-summary
RA3(config-router)#exit
RA4(config)#router ospf 4
RA4(config-router)#network 0.0.0.0 255.255.255.255 area 20
RA4(config-router)#end
*Configure the redistribution of RIP routes from RA3 and EIGRP routes from
RA1 into OSPF.
RA3(config)#router ospf 3
RA3(config-router)#redistribute rip subnets
RA1(config)#router ospf 1
RA1(config-router)#redistribute eigrp 100 subnets
*Check the output in neighbor router to find OSPF external routes labeled as E2.
RA2#show ip route
RA2#show ip route
*Use the following commands to change the metric type of the redistributed
routes to type-I. Check the change in the output in the neighbor router.
RA3(config-router)#redistribute rip subnets metric 100 metric-type 1
RA2#show ip route
RA1#conf t
RA1(config)#router ospf 1
RA1(config-router)#area 20 range 40.X.0.0 255.255.252.0
RA1(config-router)#
RA2#show ip route
*We can configure Area 20 as a Stub area, since it doesn’t have any ASBR in it
and has only one exit point in the AS. ALL the routers in the stub area must be
configured with this configuration. Check the routing table to find only ‘O’ and ‘O
IA’ routes and no ‘O E2’ routes. Verify by checking the routing table before and
after configuration.
RA1(config)#router ospf 1
RA1(config-router)#area 20 stub
RA4(config)#router ospf 4
RA4(config-router)#area 20 stub
*Configure Area 20, now as a Totally Stubby area. Check the routing table to
find only ‘O’ routes and no ‘O IA’ and ‘O E2’ routes.
RA1(config)#router ospf 1
RA1(config-router)#area 20 stub no-summary
*Since Area 10 has an ASBR in it, it can’t be configured as a stub, but can be
configured as a Not-So-Stubby-Area (NSSA). Configure Area 10 as a NSSA using
the following commands. Check the routing table to find only ‘O’ and ‘O IA’
routes and no ‘O E2’ routes. Verify by checking the routing table before and after
configuration.
RA2(config)#router ospf 2
RA2(config-router)#area 10 nssa
RA3(config)#router ospf 3
RA3(config-router)#area 10 nssa
*Configure Area 10, now as a Totally NSSA. Check the routing table to find only
‘O’ routes and no ‘O IA’ and ‘O E2’ routes.
RA2(config)#router ospf 2
RA2(config-router)#area 10 nssa no-summary
*After configuration check the routing table again.
ISIS
*Configure the ISIS routing protocol as per the given diagram by first assigning the CLNS
address to each router and making sure all of them are in the same area. Next, in
the interface-configuration mode of each interface that you wish to advertise,
execute the ‘ip router isis’ command.
RA1(config)#router isis
RA1(config-router)#net 49.1000.1921.6800.X017.00
RA1(config-router)#exit
RA1(config)#interface serial 1/0
RA1(config-if)#ip router isis
RA1(config-if)#interface serial 1/1
RA1(config-if)#ip router isis
RA1(config-if)#interface serial 1/2
RA1(config-if)#ip router isis
RA1(config-if)#int fa 0/0
RA1(config-if)#ip router isis
RA1(config-if)#end
RA2(config)#router isis
RA2(config-router)#net 49.1000.1921.6800.X033.00
RA2(config-router)#exit
RA2(config)#interface serial 1
RA2(config-if)#ip router isis
RA2(config-if)#interface serial 0
RA2(config-if)#ip router isis
RA2(config-if)#interface ethernet 0
RA3(config)#router isis
RA3(config-router)#net 49.1000.1921.6800.X049.00
RA3(config-router)#exit
RA3(config)#interface serial 0
RA3(config-if)#ip router isis
RA3(config-if)#interface serial 1
RA3(config-if)#ip router isis
RA3(config-if)#interface ethernet 0
RA3(config-if)#ip router isis
RA3(config-if)#end
RA4(config)#router isis
RA4(config-router)#net 49.1000.1921.6800.X065.00
RA4(config-router)#exit
RA4(config-if)#interface serial 0
RA4(config-if)#ip router isis
RA4(config-if)#interface serial 1
RA4(config-if)#ip router isis
RA4(config-if)#interface ethernet 0
RA4(config-if)#ip router isis
RA4(config-if)#end
*Configure the ISIS routing protocol as per the given diagram by first assigning the CLNS
address to each router and making sure all of them are in their respective areas.
Then configure the is-type level of the router. Next, in the interface-configuration
mode of each interface that you wish to advertise, execute the ‘ip
router isis’ command.
REDISTRIBUTION
*Configure the routers from each group as shown in the diagram using the
different routing protocols between every two routers.
RA1(config)#router isis
RA1(config-router)#net 49.0000.1921.6800.X017.00
RA1(config-router)#exit
RA1(config)#interface serial 1/2
RA1(config-if)#ip router isis
RA1(config)#interface loopback 1
RA1(config-if)#ip router isis
RA1(config-if)#interface loopback 2
RA1(config-if)#ip router isis
RA1(config-if)#interface loopback 3
RA1(config-if)#ip router isis
RA1(config-if)#interface loopback 4
RA1(config-if)#ip router isis
RA1(config-if)#exit
RA1(config)#router eigrp 20
RA1(config-router)#network 192.168.X.80 0.0.0.3
RA1(config-router)#network 192.168.X.16 0.0.0.15
RA1(config-router)#exit
RA2(config)#router eigrp 20
RA2(config-router)#network 192.168.X.80
RA2(config)#router rip
RA2(config-router)#version 2
RA2(config-router)#no auto-summary
RA2(config-router)#net 192.168.X.0
RA2(config-router)#network 20.0.0.0
RA2(config-router)#end
RA3(config)#router rip
RA3(config-router)#version 2
RA3(config-router)#no auto-summary
RA3(config-router)#net 192.168.X.0
RA3(config-router)#net 30.0.0.0
RA3(config-router)#router ospf 3
RA3(config-router)#net 192.168.X.88 0.0.0.3 area 20
RA4(config)#router ospf 4
RA4(config-router)#net 0.0.0.0 255.255.255.255 area 20
*Use the redistribute command to inject eigrp routes into isis with some seed
metric of link cost.
RA1(config)#router isis
RA1(config-router)#redistribute eigrp 20
*Use the redistribute command to inject only Level 1 isis routes into eigrp
along with directly connected networks, with a seed metric which includes values for
bandwidth, delay, reliability, load and MTU.
RA1(config)#router eigrp 20
RA1(config-router)#redistribute isis level-1 metric 1544 2000 255 1 1500
RA1(config-router)#redistribute connected metric 1544 2000 255 1 1500
*Use the redistribute command to inject eigrp routes into rip with seed metric
in hop counts taking care that the final hop count doesn’t cross ‘15’.
RA2(config)#router rip
RA2(config-router)#redistribute eigrp 20 metric 13
*Use the redistribute command to inject rip routes into eigrp with some seed
metric which includes values for bandwidth, delay, reliability, load and MTU.
RA2(config)#router eigrp 20
RA2(config-router)#redistribute rip metric 1544 2000 255 1 1500
*Use the redistribute command to inject ospf routes into rip with some seed
metric in hop counts taking care that the final hop count doesn’t cross ‘15’.
RA3(config)#router rip
RA3(config-router)#redistribute ospf 3 metric 5
*Use the redistribute command to inject rip routes into ospf with some seed
metric in link cost taking care that the final hop count doesn’t cross ‘15’.
RA3(config)#router ospf 3
RA3(config-router)#redistribute rip subnets metric 50 metric-type 1
DISTRIBUTE-LIST
*Verify the output by checking the routing table of RA1. Routes of 30.X.0.0
shouldn’t be available.
RA1#show ip route
*All the routes redistributed from RIP to OSPF are injected with the same default
metric. This can be changed according to our necessity and individual routes can
be assigned different metrics using route-map.
*Creating route maps with multiple statements. Each statement contains a match-
and-set condition.
*Applying the created route-map in the routing protocol that these routes are
being redistributed into.
RA3(config)#router ospf 3
RA3(config-router)#redistribute rip route-map zoom subnets
*Check the output in RA4 to find different routes with different metrics as
specified in the diagram.
RA1#show ip route
BGP
*Configure all the routers in the same BGP autonomous system. Create a full-
mesh topology by mentioning every other router, including those not directly
connected, with the ‘neighbor’ statement.
RA1(config)#router bgp 6500X
RA1(config-router)#neighbor 172.16.1.Y remote-as 65000
RA1(config-router)#neighbor 192.168.X.82 remote-as 6500X
RA1(config-router)#neighbor 192.168.X.93 remote-as 6500X
RA1(config-router)#neighbor 192.168.X.86 remote-as 6500X
RA1(config-router)#network 192.168.X.16 mask 255.255.255.240
RA1(config-router)#network 192.168.X.92 mask 255.255.255.252
RA1(config-router)#network 192.168.X.80 mask 255.255.255.252
RA1(config-router)#no synchronization
RA1(config-router)#end
*Enable synchronization in one router and check the output on the same router.
You will find that the router doesn’t have Internal BGP routes anymore.
RA4(config)#router bgp 6500X
RA4(config-router)#synchronization
VERIFYING SPLIT-HORIZON
*To verify the problem of split-horizon, configure the lab as per the above
diagram. Remove the previous instance of bgp and configure bgp freshly as
shown. Take care not to configure bgp on RA3.
RA1(config)#router bgp 6500X
RA1(config-router)#neighbor 172.16.1.Y remote-as 65000
RA1(config-router)#neighbor 192.168.X.93 remote 6500X
RA1(config-router)#neighbor 192.168.X.82 remote 6500X
RA1(config-router)#network 192.168.X.80 mask 255.255.255.252
RA1(config-router)#network 192.168.X.92 mask 255.255.255.252
RA1(config-router)#network 192.168.X.16 mask 255.255.255.240
RA1(config-router)#no synchronization
*Verify the output in each router. RA1 gets routes from both RA2 and RA4. RA2
and RA4 cannot see the updates of each other’s LAN in their routing tables. This is
because of Split-Horizon.
Router #show ip bgp
Router #show ip route
R.R Server
*Check the output in all three routers to find that RA2 and RA4 now have each other’s
routes in their routing tables.
Router #show ip bgp
Router #show ip route
BGP - II
*Create route-maps, one for each neighbor. Each route-map contains a match-
and-set condition.
*Implement the route-map by defining one route-map for each neighbor in the
appropriate direction
*Clear the bgp route updates from the two neighboring BGP routers
CONFIGURING MED
*Remove the previous configuration of BGP and configure the above given
topology. RA1 belongs to AS 65001 whereas routers RA2, RA3 and RA4 are in AS
650X5. Make sure you configure RA2 and RA4 as route-reflector-clients and RA3
as a server.
RA1(config)#router bgp 65001
RA1(config-router)#network 192.168.X.16 mask 255.255.255.240
RA1(config-router)#neighbor 192.168.X.82 remote-as 650X5
RA1(config-router)#neighbor 192.168.X.93 remote-as 650X5
RA1(config-router)#end
*After configuring BGP as specified in the above diagram and verifying the BGP
table and routing table, configure the following configuration. Use route-maps to
set different metrics for routes coming from each neighbor.
RA2(config)#access-list 30 permit 30.X.0.0 0.0.0.255
RA2(config)#access-list 31 permit 30.X.1.0 0.0.0.255
RA2(config)#route-map med-alg permit 10
RA2(config-route-map)#match ip address 30 31
RA2(config-route-map)#set metric 50
RA2(config-route-map)#exit
RA2(config)#route-map med-alg permit 20
RA2(config-route-map)#exit
RA2(config)#router bgp 650X5
RA2(config-router)#neighbor 192.168.X.81 route-map med-alg out
RA2(config-router)#end
RA2#clear ip bgp 192.168.X.81
*Check the routing table in RA1 to find the route with the lower MED chosen as
the best path.
RA1#sh ip route
RA1#sh ip bgp
MULTICASTING
RA1(config)#interface fa 0/0
RA1(config-if)#ip address 192.168.100.1 255.255.255.0
RA1(config-if)#no shutdown
RA1(config-if)#ip pim sparse-dense-mode
RA1(config-if)#exit
RA1(config)#interface fa 4/0
RA1(config-if)#ip address 192.168.0.2 255.255.255.0
RA1(config-if)#no shutdown
RA1(config-if)#ip pim sparse-dense-mode
RA1(config-if)#exit
Step 2: Configure and run the multimedia multicast server application on the
server PC
Step 3: Change the IP address and gateway of the client PCs to allow them to be
in the LAN of the configured router. Make sure the switch to which the multicast
server is connected is isolated from the rest of the LAN.
Step 4: Start the multicast client software and enter the appropriate server IP
address and file location to start receiving the multicast.
Verification
RA1#show ip mroute
RA1#show ip igmp groups
On the Switch
Sw#show mac-address-table multicast
IPv6
*Configure IPv6 addressing on the interfaces of routers RA1, RA2 and RA4 as
shown in the diagram
RA1#conf t
RA1(config)#int fa 0/0
RA1(config-if)#ipv6 address 2001:X:3::1/64
RA1(config-if)#exit
RA1(config)#
RA1(config)#int s 0
RA1(config-if)#ipv6 address 2001:X:2::2/64
RA1(config-if)#exit
RA1(config)#
RA1(config)#int s 1
RA1(config-if)#ipv6 address 2001:X:4::2/64
RA1(config-if)#exit
RA4(config)#int e 0
RA4(config-if)#ipv6 address 2001:X:5::1/64
RA4(config-if)#exit
RA4(config)#int s 0
RA4(config-if)#ipv6 address 2001:X:4::1/64
RA4(config-if)#exit
RA4(config)#ipv6 unicast-routing
*After the interfaces are configured with IPv6 addresses, configure OSPF v3
routing on all the routers.
*Configuring an IPv6 tunnel over an IPv4 tunnel. The network in between the two
routers is an IPv4 network and is unaware of IPv6.
R(config)#no ip routing
R(config)#ip routing
R(config)#no ipv6 unicast-routing
R(config)#ipv6 unicast-routing
*Create an IPv6 tunnel and assign it an IPv6 address. Also mention the source
and destination interface/address for it. Then, create static IPv4 and IPv6 routing
to the destination router.
RA2(config)#int tunnel 0
RA2(config-if)#ipv6 address 2001:X:A::1/64
RA2(config-if)#tunnel mode ipv6ip
RA2(config-if)#tunnel source s 0
RA2(config-if)#tunnel destination 192.168.X.90
RA2(config-if)#exit
RA2(config)#ip route 192.168.X.88 255.255.255.252 s 0
RA2(config)#ipv6 route 2001:X:5::/64 2001:X:A::2
RA2(config)#end
RA4(config)#
RA4(config)#int tunnel 5
RA4(config-if)#ipv6 address 2001:X:A::2/64
RA4(config-if)#tunnel mode ipv6ip
RA4(config-if)#tunnel source s 1
RA4(config-if)#tunnel destination 192.168.X.85
RA4(config-if)#exit
RA4(config)#ip route 192.168.X.84 255.255.255.252 s 1
RA4(config)#ipv6 route 2001:X:1::/64 tunnel 5
*Configure an IPv6-v4 auto tunnel over an IPv4 network. The destination end of the
tunnel is not mentioned in this configuration. Both routers find each other and
create a tunnel with the help of the static route and the IPv6 auto tunnel
configuration.
*Configure physical WAN interface (ATM 0 in our case) with PPPoE or PPPoA
and map it with logical dialer interface using the dial-pool-number which we’ll
configure further below.
adslrouter(config)#interface atm 0
adslrouter(config-if)#no shut
adslrouter(config-if)#pvc 1/32
adslrouter(config-if-atm-vc)#pppoe-client dial-pool-number 1
adslrouter(config-if-atm-vc)#end
*Configure NAT/PAT with the VLAN interface configured as ‘nat inside’ interface
and the dialer interface as the ‘nat outside’ interface.
adslrouter(config)#interface vlan 1
adslrouter(config-if)#ip nat inside
adslrouter(config-if)#exit
adslrouter(config)#interface dialer 0
adslrouter(config-if)#ip nat outside
*Verification
Verify the configuration by checking the routing table and the interface status of
the dialer. The configuration is successful if you obtain a public address from the
service provider.
show ip route
show ip int brief
show interface atm 0
show interface dialer 10
show dsl interface atm 0
VPN Configuration
*A VPN is a tunnel of a private network over the public network. Configure an IPsec
VPN tunnel between the LANs of RA2 and RA4 over the link with router RA3.
*Configure the wan interface (connected to the ‘public’ network) as per the
diagram. Configure a default route towards the public network on the serial
interface.
RA2#conf t
RA2(config)#interface serial 0
RA2(config-if)#ip add 61.0.0.5 255.255.255.0
RA2(config-if)#no shut
RA2(config-if)#exit
RA2(config)#ip route 0.0.0.0 0.0.0.0 serial 0
*Configure the IKE pre-shared key for the peer router, whose address has to be
mentioned. Take care that the key matches on both the routers.
*Create a crypto map to bind the interesting traffic to the transform-set. This
means that any interesting traffic that is originated initiates the VPN, using the
properties from the transform set mentioned, towards the mentioned peer.
RA2(config)#crypto map vpnmap 10 ipsec-isakmp
RA2(config-crypto-map)#match address 100
RA2(config-crypto-map)#set transform-set zoomtr
RA2(config-crypto-map)#set peer 71.0.0.5
RA2(config)#interface serial 0
RA2(config-if)#crypto map vpnmap
RA4(config)#interface serial 1
RA4(config-if)#ip add 71.0.0.5 255.255.255.0
RA4(config-if)#no shut
RA4(config-if)#exit
RA4(config)#ip route 0.0.0.0 0.0.0.0 serial 1
RA4(config)#interface serial 1
RA4(config-if)#crypto map demomap
RA4(config-if)#end
*Configure the serial interfaces on the middle router with the appropriate IP
addresses and enable routing.
RA3(config)#interface serial 1
RA3(config-if)#ip add 61.0.0.6 255.255.255.0
RA3(config-if)#no shut
RA3(config)#interface serial 0
RA3(config-if)#ip address 71.0.0.6 255.255.255.0
RA3(config-if)#no shut
RA3(config-if)#exit
RA3(config)#no ip routing
RA3(config)#ip routing
RA3(config)#end
*Initiate some interesting traffic by pinging one router from the other router’s LAN
or by using the ‘extended’ ping. Wait for a few seconds before the VPN tunnel is
initiated.
*Verify the output by using the following commands.
IDS / IPS
*The scenario here is as shown above. RA1 is the router in our network connected
to the ISP. RA2 is one of the routers inside the network. In case of an
attack from the internet, i.e. the CORE router in our example, router RA1 with
IPS must be configured to detect and prevent the intrusion.
*Let us consider an example in which an anonymous user manages to enter our
network and logs in to router RA2. He could give the command ‘enable’ to
enter privileged mode and change the router configuration. The IPS on
RA1 must be configured in such a way that when the intruder types the characters
enable, his connection is terminated.
*Step1: Enable routing between all the three routers.
*Step2: Configure the router using SDM. In the IPS configuration mode, start the
wizard available. Select the proper interface and the proper direction. In our
case, it’s Serial 1/2 in the inbound direction. Tick the ‘Use the in-built
signatures’ in the next screen and finish.
*Step3: You’ll be taken to the ‘Edit IPS’ page next. In there, go to the signatures
tab. In the drop down menu in the centre, choose ‘engine’ as the ‘view by’
option. In the drop down menu beside it, pick the ‘STRING.TCP’ option.
*Step4: Add a new signature. The parameters that have to be configured here are
Sig name: (any name); Alarm Severity; EventAction: (alarm, drop and reset);
Protocol: (TCP); RegexString: (the string of characters in order that they would
be entered); ServicePorts: (23 for telnet)
*Step 5: Click the OK button and apply the changes made.
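What a string signature like the one in Step 4 has to do to fire on an interactive telnet session, as an added Python example; it is a simplified model and not Cisco's IPS engine or SDM output. The class and function names, the window size and the sample addresses and segments are constructed for illustration.

```python
# Added example: simplified model of a STRING.TCP-style signature.
# Telnet delivers keystrokes in separate TCP segments, so the regex is run
# over a per-flow buffer of the stream rather than over single packets.
import re
from collections import defaultdict


class StringTcpSignature:
    def __init__(self, name, regex, service_ports, actions, window=256):
        self.name = name
        self.regex = re.compile(regex.encode())
        self.service_ports = set(service_ports)
        self.actions = tuple(actions)
        self.window = window                  # bytes of stream kept per flow
        self._streams = defaultdict(bytes)
        self.blocked = set()                  # flows already reset

    def inspect(self, flow, payload):
        """flow = (src_ip, src_port, dst_ip, dst_port). Returns fired actions."""
        if flow in self.blocked:
            return ("drop",)                  # connection was already torn down
        if flow[3] not in self.service_ports:
            return ()                         # signature is scoped to ServicePorts
        buf = (self._streams[flow] + payload)[-self.window:]
        self._streams[flow] = buf
        if self.regex.search(buf):
            self.blocked.add(flow)
            del self._streams[flow]
            return self.actions
        return ()


def telnet_enable_signature():
    """The parameters listed in Step 4, with a constructed signature name."""
    return StringTcpSignature(
        name="lab-telnet-enable",
        regex="enable",
        service_ports=[23],
        actions=["alarm", "drop", "reset"],
    )


def replay(sig, flow, segments):
    """Feed segments in order; return the index where the signature fired."""
    for i, seg in enumerate(segments):
        if "reset" in sig.inspect(flow, seg):
            return i
    return None


# Constructed sample traffic (documentation address ranges).
TELNET_FLOW = ("198.51.100.7", 40000, "192.0.2.10", 23)
HTTP_FLOW = ("198.51.100.7", 40001, "192.0.2.10", 80)
KEYSTROKES = [b"e", b"n", b"a", b"b", b"l", b"e", b"\r\n"]

if __name__ == "__main__":
    print(replay(telnet_enable_signature(), TELNET_FLOW, KEYSTROKES))
```

The signature fires on the sixth one-byte segment, which is the point at which the buffered stream first contains the whole string.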
IOS Firewall
*The scenario set up is as shown above. RA1 has two interfaces connected to two
different LANs. Both can communicate with each other initially. Our scenario is
to allow communication from one LAN to the other, but deny the communication
in the opposite direction.
*Configure access-lists on both the interfaces allowing one way communication.
For example, PC connected to the Fa0/0 interface must be able to ping to the PC
connected to the Fa4/0, but the opposite should not be possible
RA1#config terminal
RA1(config)# access-list 100 permit ip 192.168.1.16 0.0.0.15 192.168.100.0 0.0.0.255
RA1(config)# access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.1.16 0.0.0.15
RA1(config)#interface fa 0/0
RA1(config-if)#ip access-group 100 in
RA1(config-if)#interface fa 4/0
RA1(config-if)#ip access-group 101 in
*When you ping from both the PCs to each other, you will note that both cannot
ping each other. To achieve our goal of one-way communication, we have to
configure the following. Configure a firewall rule for the ICMP protocol and apply it
on the interface where we want the traffic to flow to, in the inbound direction.
*Now, you will notice that the PC on Fa0/0 can ping the PC on Fa4/0 but the PC
on Fa4/0 cannot ping Fa0/0.
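Why the two access-lists alone block ping in both directions, and what the inspection rule changes, as an added Python example that is not part of the lab guide. It evaluates the two ACL lines above with X=1 exactly as written; the host addresses are constructed, and applying ICMP inspection inbound on Fa0/0 is an assumption of this model, not IOS code.

```python
# Added example: stateless ACL evaluation versus stateful ICMP inspection.
import ipaddress

ACL_LINES = [
    "access-list 100 permit ip 192.168.1.16 0.0.0.15 192.168.100.0 0.0.0.255",
    "access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.1.16 0.0.0.15",
]
INBOUND = {"Fa0/0": 100, "Fa4/0": 101}       # ip access-group N in
PC_A, PC_B = "192.168.1.17", "192.168.100.10"  # constructed host addresses


def _u32(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """A 1 bit in the wildcard means 'ignore this bit'."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(addr) & care) == (_u32(base) & care)


def parse_acls(lines):
    acls = {}
    for line in lines:
        t = line.split()
        if len(t) != 8 or t[0] != "access-list" or t[3] != "ip" \
                or t[2] not in ("permit", "deny"):
            raise ValueError("unsupported ACE: " + line)
        acls.setdefault(int(t[1]), []).append((t[2], t[4], t[5], t[6], t[7]))
    return acls


def acl_verdict(aces, src, dst):
    for action, s, sw, d, dw in aces:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"                             # implicit deny at the end


class Router:
    def __init__(self, acls, inbound, inspect_icmp_on=None):
        self.acls, self.inbound = acls, inbound
        self.inspect_icmp_on = inspect_icmp_on  # interface with inspection
        self.sessions = set()                   # (initiator, responder)

    def forward(self, in_if, src, dst, icmp_type):
        # Replies to an inspected session pass regardless of the inbound ACL.
        if icmp_type == "echo-reply" and (dst, src) in self.sessions:
            return True
        acl_no = self.inbound.get(in_if)
        if acl_no is not None and acl_verdict(self.acls[acl_no], src, dst) != "permit":
            return False
        if icmp_type == "echo-request" and in_if == self.inspect_icmp_on:
            self.sessions.add((src, dst))
        return True


def ping(router, src_if, src, dst_if, dst):
    """True only if the echo request and its reply both get through."""
    return (router.forward(src_if, src, dst, "echo-request")
            and router.forward(dst_if, dst, src, "echo-reply"))


def lab_router(inspect=False):
    return Router(parse_acls(ACL_LINES), INBOUND,
                  inspect_icmp_on="Fa0/0" if inspect else None)


if __name__ == "__main__":
    for inspect in (False, True):
        r = lab_router(inspect)
        print(inspect, ping(r, "Fa0/0", PC_A, "Fa4/0", PC_B),
              ping(r, "Fa4/0", PC_B, "Fa0/0", PC_A))
```

Without inspection the echo request from Fa0/0 is forwarded but its reply is dropped by access-list 101 on Fa4/0, which is why both pings fail until return traffic is tracked.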
AAA Configuration
*In case of AAA configuration, a PC installed with the ACS software is called the
AAA Server. The Network device (ex: router) which is using the AAA server for
authentication is called the AAA Client. The PC labeled as the Client in the above
diagram is actually the user who is trying to log in to the router and is NOT the
AAA client.
*Configuring authentication: This is for the router and in turn, the user, to be
authenticated by the AAA server. Take care to not close the telnet window after
configuring this.
RA1 (config)# aaa new-model
RA1 (config)# aaa authentication login default group tacacs+
RA1 (config)# line vty 0 15
RA1 (config-line)# login authentication default
RA1 (config)# tacacs-server host 192.168.X.Y key zoom123
*Configuring authorization: This is for assigning privilege levels to the user who
has logged in to the router.
RA1 (config)#aaa authorization exec default group tacacs+
*In ACS server, under the group settings for the user’s group, tick the ‘Shell
(EXEC)’ option and mention the Privilege level that you want to assign to the
user.
*Verify the output from client by show privilege command on the router.
*By using the following configuration, we can allow the user the following commands
that are normally not allowed.
RA1(config)#privilege exec level 10 configure terminal
RA1(config)#privilege configure level 10 ip route
RA1(config)#privilege configure level 10 interface
RA1(config)#privilege interface level 10 shutdown
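With TACACS+ as the only method in the lists above, a router that cannot reach the AAA server rejects every login, which is why the guide says to keep the telnet window open. A variant with a local fallback, as an added example that is not part of the lab guide; the user name labadmin and its secret are placeholders.

```cisco
! Added example, not from the lab guide.
! "labadmin" and "<strong-secret>" are placeholders chosen for illustration.
!
! Local account used only as a fallback
username labadmin privilege 15 secret <strong-secret>
!
aaa new-model
! Authentication: ask the TACACS+ server first, then the local user database
aaa authentication login default group tacacs+ local
! Authorization: take the privilege level from TACACS+, then from the local account
aaa authorization exec default group tacacs+ local
!
! Same server and key as in the lab
tacacs-server host 192.168.X.Y key zoom123
!
line vty 0 15
 login authentication default
```

The local method is tried only when the TACACS+ server does not answer; a reject from the server is final.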
Configuring SNMP
*On each router, configure the following, specifying the community to which the
router belongs. The next two statements enable SNMP traps and point the
router to the SNMP server along with the key. Make sure that the SNMP server
belongs to the LAN of one of the routers and that routing is enabled from each
router to the SNMP server. Test by pinging from each router to the SNMP server.
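One way to write the three statements described above, as an added example that is not part of the lab guide. The community string is a placeholder, and the access list (number 10, chosen here) that limits who may query the router is an addition to what the guide describes.

```cisco
! Added example, not from the lab guide.
! <community> is a placeholder; ACL number 10 is an arbitrary choice.
!
! Only the SNMP server may query this router
access-list 10 permit host 192.168.X.Y
!
! Community the router belongs to: read-only, and bound to ACL 10
snmp-server community <community> RO 10
!
! Enable traps and point the router to the SNMP server, with the community as the key
snmp-server enable traps
snmp-server host 192.168.X.Y version 2c <community>
```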
Configuring SYSLOG
*Configure on each router the following to enable syslog and to mention the IP
address of the syslog server.
RA1(config)#logging on
RA1(config)#logging host 192.168.X.Y
*Verify the output in Syslog Server. Any changes that trigger syslog messages will
be sent to the syslog software on the server. Syslog can be verified by shutting
down and bringing up an interface.
MPLS Configuration
*Configure the above MPLS network topology with routers INDIA, POLAND and
SUDAN belonging to the MPLS cloud and routers RUSSIA and ALGERIA as the
customer-end routers.
*The prerequisite for this kind of setup is for routing to be enabled from one
end to the other. We use OSPF for this in this setup.
Russia(config)#no ip routing
Russia(config)#ip routing
Russia(config)#router ospf 10
Russia(config-router)#net 0.0.0.0 255.255.255.255 area 0
Russia(config-router)#end
Russia#
Poland(config)#interface fa 0/1
Poland(config-if)#ip add 192.168.100.1 255.255.255.0
Poland(config-if)#no sh
Poland(config-if)#exit
Poland(config)#router ospf 10
Poland(config-router)#net 0.0.0.0 255.255.255.255 area 0
Poland(config-router)#end
INDIA(config)#int f 0/0
INDIA(config-if)#ip add 192.168.100.2 255.255.255.0
INDIA(config-if)#no shut
INDIA(config-if)#interface fa 4/0
Sudan(config)#int f 0/1
Sudan(config-if)#ip add 192.168.200.2 255.255.255.0
Sudan(config-if)#no shut
Sudan(config-if)#exit
Sudan(config)#router ospf 10
Sudan(config-router)#net 0.0.0.0 255.255.255.255 area 0
Sudan(config-router)#end
Sudan#
Algeria(config)#no ip routing
Algeria(config)#ip routing
Algeria(config)#router ospf 10
Algeria(config-router)#net 0.0.0.0 255.255.255.255 area 0
Algeria(config-router)#end
Algeria#
VLAN Configuration
*Creation of VLANs
s2950-229(config)#vlan 10
s2950-229(config-vlan)#name sales
s2950-229(config-vlan)#exit
s2950-229(config)#vlan 20
s2950-229(config-vlan)#name marketing
s2950-229(config-vlan)#exit
s2950-229(config)#vlan 30
s2950-229(config-vlan)#name accounting
s2950-229(config-vlan)#exit
*By using the following configuration, we can make switch 3560 the root bridge
for the entire LAN. This is done by setting the priority lower than the default
priority of 32768.
*Verify the output in all the switches to see which switch is the root and which
port is in the blocked state.
s2950-229#show spanning-tree
S3560#show spanning-tree
*By configuring a port as a portfast, the port doesn’t take part in the spanning-
tree calculation process.
S3560#conf t
S3560(config)#interface fa 0/X
S3560(config-if)#spanning-tree portfast
Output Omitted
Configuring Uplinkfast
*Verify the output by shutting down the link in the forwarding state and note that
the blocked port immediately comes up. This can be tested by keeping a
continuous ping running between two different PCs.
S3550#show spanning-tree
*When an indirectly connected link to the switch with the blocked port goes down,
the switch gets information from the other switches and immediately brings up the
blocked port. This has to be configured on all the switches.
s2950-229#conf t
s2950-229(config)#spanning-tree backbonefast
s3550#conf t
s3550(config)#spanning-tree backbonefast
S3560#conf t
S3560(config)#spanning-tree backbonefast
s2950-129#conf t
s2950-129(config)#spanning-tree backbonefast
*Verify the output by shutting down the indirectly connected link, i.e., any link that
is not connected to the switch with the blocked port, and note that the blocked
port immediately comes up. This can be tested by keeping a continuous ping
running between two different PCs.
STP
Configuring PVST+
*When the LAN consists of more than one VLAN, the switch with the
lowest MAC address will be the root bridge for all the VLANs, with the same port
being blocked for all the VLANs. In order to change this, our goal is to configure
one switch as the root for each VLAN. This is done by lowering the
spanning-tree priority value for the respective VLAN on the respective switch.
Change The Root Election Of the Switch as per the Given Table
For
S3560#conf t
S3560(config)#vlan 101
S3560(config-vlan)#name ccna
S3560(config-vlan)#exit
S3560(config)#vlan 201
S3560(config-vlan)#name ccnp
S3560(config-vlan)#exit
S3560(config)#vlan 301
S3560(config-vlan)#name mcse
S3560(config-vlan)#exit
*Configure the spanning-tree mode to PVST and then change the priority of the
VLAN on the respective switch to make it the root for that VLAN.
S3560(config)#spanning-tree mode pvst
S3560(config)#spanning-tree vlan 1 priority 24576
s2950-229#conf t
s2950-229(config)#spanning-tree mode pvst
s2950-229(config)#spanning-tree vlan 101 priority 24576
s2950-129#conf t
s2950-129(config)#spanning-tree mode pvst
s2950-129(config)#spanning-tree vlan 201 priority 24576
s3550#conf t
s3550(config)#spanning-tree mode pvst
s3550(config)#spanning-tree vlan 301 priority 24576
S3560#show spanning-tree
S3560#show spanning-tree vlan 101
ADVANCED STP
Configuring MST
*When the LAN consists of more than one VLAN, the switch with the
lowest MAC address will be the root bridge for all the VLANs, with the same port
being blocked for all the VLANs. In order to change this, our goal is to configure
one switch as the root for each group of VLANs. This is done by lowering the
spanning-tree priority value for the respective VLAN group on the respective
switch.
*Note: The configuration on all four switches should be the same for the MST instance.
*Assign an IP address to each of the VLAN interfaces. These addresses are going
to be the default gateways for the devices in those particular VLANs.
S3560(config)#interface vlan 40
S3560(config-if)#ip address 192.168.40.1 255.255.255.0
S3560(config-if)#exit
S3560(config)#interface vlan 50
S3560(config-if)#ip address 192.168.50.1 255.255.255.0
S3560(config-if)#exit
S3560(config)#interface vlan 60
S3560(config-if)#ip address 192.168.60.1 255.255.255.0
S3560(config-if)#exit
#show ip route
#show vlan
#show ip cef
#sh adjacency detail
Switch configuration
*Configure the number of VLANs as per requirement and implement them on the
layer 2 switch.
S2950-229(config)#vlan 10
S2950-229(config-vlan)#exit
S2950-229(config)#vlan 20
S2950-229(config-vlan)#vlan 30
S2950-229(config-vlan)#exit
S2950-229(config)#interface fa 0/12
S2950-229(config-if)#switchport mode access
S2950-229(config-if)#switchport access vlan 10
S2950-229(config-if)#exit
S2950-229(config)#interface fa 0/14
S2950-229(config-if)#switchport mode access
S2950-229(config-if)#switchport access vlan 20
S2950-229(config-if)#exit
S2950-229(config)#interface fa 0/16
S2950-229(config-if)#switchport mode access
S2950-229(config-if)#switchport access vlan 30
*The port on the switch connected to the router must be configured as a trunk
port since it carries information from more than one VLAN.
S2950-229(config)#interface fa 0/3
S2950-229(config-if)#switchport mode trunk
S2950-229(config-if)#end
Router Configuration
*On the router’s Ethernet interface, remove the IP address and create sub-
interfaces as given below. Each sub-interface has to be configured with the right
encapsulation so that it can interpret the data coming from the trunk port of the
switch.
Sudan#conf t
Sudan(config)#ip routing
Sudan(config)#interface fa 0/1
Sudan(config-if)#no ip address
Sudan(config-if)#no shutdown
Sudan(config-if)#exit
Sudan(config)#interface fa 0/1.1
Sudan(config-subif)#encapsulation dot1q 1 native
Sudan(config-subif)#ip address 192.168.0.50 255.255.255.0
Sudan(config-subif)#exit
Sudan(config)#interface fa 0/1.10
Sudan(config-subif)#encapsulation dot1q 10
Sudan(config-subif)#ip address 192.168.10.1 255.255.255.0
Sudan(config-subif)#exit
Sudan(config)#interface fa 0/1.20
Sudan(config-subif)#encapsulation dot1q 20
Sudan(config-subif)#ip address 192.168.20.1 255.255.255.0
Sudan(config-subif)#exit
Sudan(config)#interface fa 0/1.30
Sudan(config-subif)#encapsulation dot1q 30
Sudan(config-subif)#ip address 192.168.30.1 255.255.255.0
Sudan(config-subif)#exit
*Verify by using the following commands and also by pinging from a PC in one
VLAN to a PC in another VLAN.
R#show ip route
S#show vlan
S#show interface trunk
HSRP
*In this practical, we configure two routers connected on the same LAN network
with HSRP. By doing that, the two routers create a Virtual Router with a Virtual-
IP that we mention in the configuration. This virtual-IP is to be used as the
default-gateway to the devices in the LAN.
*Make sure that both routers’ LAN interfaces belong to the same network and
both routers are configured with the same standby group.
Sudan#conf t
Sudan(config)#interface fa 0/0
Sudan(config-if)#ip address 192.168.1X0.100 255.255.255.0
Sudan(config-if)#no shutdown
Sudan(config-if)#standby X0 ip 192.168.1X0.1
Sudan(config-if)#standby X0 priority 150
Sudan(config-if)#standby X0 preempt
Sudan(config-if)#exit
Sudan(config)#ip route 192.168.0.0 255.255.255.0 s 0/2/0
Poland#conf t
Poland(config)#interface fa 0/0
Poland(config-if)#ip address 192.168.1X0.200 255.255.255.0
Poland(config-if)#no shutdown
Poland(config-if)#standby X0 ip 192.168.1X0.1
Poland(config-if)#standby X0 priority 120
Poland(config-if)#standby X0 preempt
Poland(config-if)#exit
Poland(config)# ip route 192.168.0.0 255.255.255.0 s 0/2/0
CORE#conf t
CORE(config)# ip route 192.168.1X0.0 255.255.255.0 s 1
CORE(config)# ip route 192.168.1X0.0 255.255.255.0 s 2
*Verify using the following command, which router is the ACTIVE router and
which router is the STANDBY.
Router#show standby
*Shut down the Ethernet interface of the active (Sudan) router and verify which
router now becomes the ACTIVE router.
Sudan#conf t
Sudan(config)#interface fa 0/0
Sudan(config-if)#shutdown
Sudan(config-if)#end
*Bring up the Ethernet interface again and now configure interface tracking on
the Sudan router.
Sudan#conf t
Sudan(config)#interface fa 0/0
Sudan(config-if)#no shutdown
Sudan(config-if)#standby X0 track serial 0/2/0 50
*The above statement implies that for group X0, if the interface serial 0/2/0 goes
down, decrease the standby priority of this router by a value of 50 such that the
other router, now, has the higher priority and it becomes the ACTIVE router.
Router#show standby
GLBP
*In this practical, we configure two routers connected on the same LAN network
with GLBP. By doing that, the two routers create a Virtual Router with a Virtual-
IP that we mention in the configuration. This virtual-IP is to be used as the
default-gateway to the devices in the LAN.
*Make sure that both routers’ LAN interfaces belong to the same network and
both routers are configured with the same standby group.
Sudan(config)#interface fa 0/0
Sudan(config-if)#ip address 192.168.1X0.100 255.255.255.0
Sudan(config-if)#no shutdown
Sudan(config-if)#glbp X0 ip 192.168.1X0.1
Sudan(config-if)#exit
Sudan(config)# ip route 192.168.0.0 255.255.255.0 s 0/2/0
Poland(config)#interface fa 0/0
Poland(config-if)#ip address 192.168.1X0.200 255.255.255.0
Poland(config-if)#no shutdown
Poland(config-if)#glbp X0 ip 192.168.1X0.1
Poland(config-if)#exit
Poland(config)# ip route 192.168.0.0 255.255.255.0 s 0/2/0
CORE#conf t
CORE(config)# ip route 192.168.1X0.0 255.255.255.0 s 1
CORE(config)# ip route 192.168.1X0.0 255.255.255.0 s 2
*Verify using the following command, which router is the ACTIVE router.
Router#sh glbp
*Shut down the Ethernet interface of the active (Sudan) router and verify the
output.
Sudan#conf t
Sudan(config)#interface fa 0/0
Sudan(config-if)#shutdown
Sudan(config-if)#end
*Bring up the Ethernet interface again and now configure interface tracking on
the Sudan router.
Sudan#conf t
Sudan(config)#track 50 interface serial 0/2/0 line-protocol
Sudan(config-track)#exit
Sudan(config)#interface fa 0/0
Sudan(config-if)#glbp X0 weighting track 50 decrement 100
*Configure using the following commands to reduce the preempt delay in both the
routers.
Sudan(config-if)#glbp X0 forwarder preempt delay minimum 5
Sudan(config-if)#end
*Shut down the serial 0/2/0 interface on the Sudan router and verify the output.
Sudan#conf t
Sudan(config)#interface s 0/2/0
Sudan(config-if)# shutdown
PORT-SECURITY
Fa 0/12
Mac-address xxxx.xxxx.xxxx
S3560#conf t
S3560(config)#interface fa 0/12
S3560(config-if)#switchport mode access
S3560(config-if)#switchport port-security
S3560(config-if)#switchport port-security mac-address xxxx.xxxx.xxxx
S3560(config-if)#switchport port-security violation shutdown
*You can verify the output by disconnecting the PC from the port and connecting
another PC to the same port and trying to start communication on it. You will find
that as soon as the new PC tries to establish communication, the port goes into an
err-disabled state and is shut down.
S3560#show port-security
S3560#show interface status
S3560#show port-security interface fa 0/12
VACL
*Two PCs belonging to the same VLAN on the same switch can communicate with
each other by default. In cases where we do not want them to communicate and
there is no router available to configure access-lists, we can configure VLAN
access-lists or VACL.
*Assign the ports of PCs 192.168.0.3 and 192.168.0.203 to VLAN 10. They can ping
each other normally. The required scenario here is that the ping request from
PC 192.168.0.3 to PC 192.168.0.203 must be blocked, while the ping request from
PC 192.168.0.203 to PC 192.168.0.3 must be allowed.
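A VLAN access-map for the scenario above, as an added example that is not part of the lab guide. It assumes a switch that supports VLAN maps; the names PING-3-TO-203 and VACL10 are made up for illustration.

```cisco
! Added example, not from the lab guide. ACL and map names are hypothetical.
!
! In a VLAN map the ACL only selects traffic: "permit" here means "match".
! Match echo requests only, so that echo replies sent by 192.168.0.3
! in answer to 192.168.0.203 are not caught.
ip access-list extended PING-3-TO-203
 permit icmp host 192.168.0.3 host 192.168.0.203 echo
!
! Sequence 10: drop what the ACL matched
vlan access-map VACL10 10
 match ip address PING-3-TO-203
 action drop
!
! Sequence 20: no match clause, so all remaining traffic in the VLAN is forwarded
vlan access-map VACL10 20
 action forward
!
! Apply the map to VLAN 10
vlan filter VACL10 vlan-list 10
!
! Verify from exec mode:
!  show vlan access-map
!  show vlan filter
```

Matching all ICMP from 192.168.0.3 instead of only echo would also drop its echo replies, and then neither PC could ping the other. Without sequence 20, IP packets that match no clause of the map are dropped.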
DOT1X AUTHENTICATION
*An open port is open for anybody to connect their device and start
communication with the LAN. Our goal here is to authenticate any user that
connects to the switch and allow access only if he is properly authenticated.
Authentication is done with the help of an AAA server.
s2950-229(config)#aaa new-model
s2950-229(config)#aaa authentication dot1x default group radius
s2950-229(config)#dot1x system-auth-control
s2950-229(config)#radius-server host 192.168.0.3 key zoom123
s2950-229(config)#interface fa 0/16
s2950-229(config-if)#switchport mode access
s2950-229(config-if)#dot1x port-control auto
s2950-229(config-if)#exit
*Verify using the following commands and also by disconnecting and connecting
the device from the switch and then going through the authentication process
when prompted.
VOIP
*To enable VOIP, the pre-requisite is to have routing enabled on the network
between the different voice devices. For that, we are configuring EIGRP protocol
between routers India and Sudan.
INDIA#conf t
INDIA(config)#router eigrp 100
INDIA(config-router)#network 192.168.1.0
INDIA(config-router)#net 172.16.0.0
INDIA(config-router)#end
CORE#conf t
CORE(config)#no ip routing
CORE(config)#ip routing
CORE(config)#router eigrp 100
CORE(config-router)#network 172.16.0.0
CORE(config-router)#end
Sudan#conf t
Sudan(config)#no ip routing
Sudan(config)#ip routing
Sudan(config)#router eigrp 100
Sudan(config-router)#net 172.16.0.0
Sudan(config-router)#net 192.168.100.0
Sudan(config-router)#exit
Sudan(config)#interface fa 0/1
Sudan(config-if)#ip address 192.168.100.1 255.255.255.0
Sudan(config-if)#no shut
Sudan(config-if)#end
*Router INDIA has two FXS ports to which two analog phones are connected.
Below is the configuration for assigning phone numbers to the analog phones by
configuring the dial-peer as POTS (plain old telephone system)
INDIA(config)#dial-peer voice 10 pots
INDIA(config-dial-peer)#destination-pattern 2001
INDIA(config-dial-peer)#port 2/0/0
INDIA(config-dial-peer)#exit
INDIA(config)#dial-peer voice 20 pots
INDIA(config-dial-peer)#destination-pattern 2002
INDIA(config-dial-peer)#port 2/0/1
INDIA(config-dial-peer)#exit
*Verify the output by dialing the extension number from one phone to another.
*Here we have to configure the call routing from India to Sudan. It mentions the
destination IPv4 network to which the VOIP packets have to be routed if a call to
the mentioned phone number has to be made.
*Below is the configuration of Sudan router to which two IP phones have been
connected.
Sudan(config-ephone-dn)#exit
Sudan(config)#ephone-dn 2
Sudan(config-ephone-dn)#number 3002
Sudan(config-ephone-dn)#name ccnp
Sudan(config-ephone-dn)#exit
Sudan(config)#ephone-dn 3
Sudan(config-ephone-dn)#number 3003
Sudan(config-ephone-dn)#name ccna
Sudan(config-ephone-dn)#exit
Sudan(config)#ephone-dn 4
Sudan(config-ephone-dn)#number 3004
Sudan(config-ephone-dn)#name cisco
Sudan(config-ephone-dn)#exit
Sudan(config)#ephone 1
Sudan(config-ephone)# mac-address ****.****.****
Sudan(config-ephone)#button 1:1
Sudan(config-ephone)#exit
Sudan(config)#ephone 2
Sudan(config-ephone)#mac-address ****.****.****
Sudan(config-ephone)#button 1:2
Sudan(config-ephone)#exit
*Here we have to configure the call routing from Sudan to India. It mentions the
destination IPv4 network to which the VOIP packets have to be routed if a call to
the mentioned phone number has to be made.
QOS
*Initially, configure routing between the LANs of the two routers. The LAN of
India router contains the HTTP and FTP server and the LAN of CORE router
contains the client PCs from where the resources will be accessed.
India#config t
India(config)#ip route 192.168.0.0 255.255.255.0 s1/2
India(config)#exit
CORE#config t
CORE(config)#ip route 0.0.0.0 0.0.0.0 s 0
CORE(config)#exit
CORE(config)#int s0
CORE(config-if)#clock rate 1000000
CORE(config-if)#end
*Using the above configuration, we have enabled routing between the two
networks and also configured the rate of flow over the serial interface between the
routers to be 1 Mbps.
*We now need to monitor the rate of flow of two types of traffic, one HTTP and the
other FTP. For this, we use download manager software on the client-side PC
to observe the download speed of each type of traffic.
*You might observe that when we have traffic via both the protocols, they share
the available bandwidth equally, but in the absence of one, the other takes up the
entire bandwidth. Our aim is to allocate a certain amount of bandwidth to each type
of traffic. For this, we need to configure QOS on the INDIA router.
*Step 1: Create separate class-maps for each type of traffic by matching it by the
protocol it is using.
INDIA(config)#class-map httpclass
INDIA(config-cmap)#match protocol http
INDIA(config-cmap)#exit
INDIA(config)#class-map ftpclass
INDIA(config-cmap)#match protocol ftp
INDIA(config-cmap)#exit
*Create a policy-map to define what has to be done with each type of traffic that
has been defined in the class-maps.
INDIA(config)#policy-map ccnpqos
INDIA(config-pmap)#class httpclass
INDIA(config-pmap-c)#bandwidth percent 10
INDIA(config-pmap-c)#exit
INDIA(config-pmap)#class ftpclass
INDIA(config-pmap-c)#bandwidth percent 60
INDIA(config-pmap-c)#exit
INDIA(config-pmap)#exit
*The policy-map now has to be implemented on the proper interface in the proper
direction on the router close to the source of the traffic.
INDIA(config)#interface serial 1/2
INDIA(config-if)#service-policy output ccnpqos
INDIA(config-if)#end
*You will observe that in the absence of traffic from one protocol, the other takes
up the entire bandwidth. To prevent this, we can configure ‘policing’ to limit the
bandwidth usage of a certain type of data flow to a fixed value.
INDIA(config)#policy-map ccnpqos
INDIA(config-pmap)#class httpclass
INDIA(config-pmap-c)# police rate percent 10
INDIA(config-pmap-c-police)#exceed-action drop
INDIA(config-pmap-c-police)#end
*Now you will observe that even though you stop the FTP data, the HTTP
download does not cross 10% of the total available bandwidth.
WIRELESS LAN
*For a wireless router, there are two main interfaces. One wired and the other
wireless. The wired interface is the VLAN interface where users from the LAN can
be connected to the router. The wireless interface is the radio antenna through
which users with wireless end systems can connect to the router.
adslrouter#config t
adslrouter(config)# interface Dot11Radio 0
adslrouter(config-if)#ip address 192.168.200.1 255.255.255.0
*Configuring SSID and broadcast. Users trying to connect to the wireless network
now will be able to connect without any authentication.
adslrouter(config-if)#ssid ccnp
adslrouter(config-if-ssid)#guest-mode
adslrouter(config-if-ssid)#authentication open
adslrouter(config-if-ssid)#exit
adslrouter(config-if)#channel 11
adslrouter(config-if)#speed default
*In case we require the users trying to connect to the wireless network to be
authenticated before they can access the resources, we can configure the
authentication mode and key in the following way.
*Configure a DHCP pool on the wireless router to assign IP addresses to any user
trying to connect to the router through the wireless network.