Use debug commands to verify proper RIP operation and analyze data transmitted
between routers.
[Topology diagram: Internet, R1, R2, PC; networks 200.20.2.0/24, 172.16.0.0/16, 172.17.0.0/16, 222.22.2.0/24; RIPv2]
2. From the global configuration mode in the router R2, enter the following:
R2(config)#router rip
R2(config-router)#version 2
R2(config-router)#network 172.16.0.0
R2(config-router)#network 172.17.0.0
R2(config-router)#end
3. To prevent the R1 router from advertising its routes to the Internet router, enter the
following command in the router configuration mode:
R1(config-router)# passive-interface FastEthernet 0/0
To confirm this, use the debug ip rip events command on the R1 router.
Verify from the output that the router is not sending updates out the interface to
the Internet router.
Disable the debug output with the no debug all command.
4. Ping all of the interfaces of the router R1 and R2 on the network from host
Were all of the interfaces still able to be pinged? ___________________________
If not, troubleshoot the network and ping again.
Step 3: Change the network addressing scheme
1. Show the routing tables on both routers again.
What is the difference between RIP v2 and RIP v1? ________________________
What must be done in order to see a difference between RIP v2 and RIP v1?
__________________________________________________________________
2. Change the Fast Ethernet IP subnet mask on the R2 router
Change the subnet mask of FastEthernet 0/0 on router R2 from a default Class B
mask (255.255.0.0) to a default Class C mask (255.255.255.0). Use the same IP
address.
R2(config)# interface FastEthernet 0/0
R2(config-if)# ip address 172.17.0.1 255.255.255.0
R2(config-if)# exit
On the R2 router:
R2(config)# interface serial 0/1
R2(config-if)# ip address 172.17.1.2 255.255.255.252
Has the output changed with the addition of a subnetted IP address? ___________
5. Change the host configuration to reflect the new IP addressing scheme of the
network:
IP Address 172.17.0.10 / 255.255.255.0
Default gateway 172.17.0.1
6. Ping all of the interfaces on the network from each host
Were all of the interfaces still able to be pinged? ___________________________
If not, troubleshoot the network and ping again.
Step 4: Configuring default route and advertising default route
1. Since the Internet router is not getting routing updates, it does not have a route to the
RIP domain. It needs to be provided with a static route.
From the global configuration mode of Internet, enter:
Internet(config)# ip route 172.17.0.0 255.255.0.0 200.20.2.1
Verify the static route is in the Internet routing table by issuing the show ip
route command.
There should be an output similar to the following:
Internet# show ip route
<Output eliminated. >
C 200.20.2.0/24 is directly connected, FastEthernet0/0
S 172.17.0.0/16 [1/0] via 200.20.2.1
2. Because router R1 links the RIP domain with the outside world, R1 should be
configured with a default route so that it can send packets to every Internet
destination. A default route is the route that data is sent out if the routing table
does not have a specific route to use.
From the global configuration mode of R1, enter:
R1(config)# ip route 0.0.0.0 0.0.0.0 200.20.2.2
Verify the default route is in the R1 routing table by issuing the show ip route
command.
From R1 privileged mode, try to ping the Internet router's interface on the subnet 222.22.2.0
If not, troubleshoot the network and ping again.
3. Check connectivity from the workstations to the Internet using ping. From the
workstation attached to the R2, ping any interfaces on the Internet router.
Was the ping successful? _____________________________________________
Why did the ping fail? _______________________________________________
4. Using the command show ip route, view the IP routing table for R2.
R2#show ip route
Gateway of last resort is not set
172.17.0.0 is variably subnetted, 2 subnets, 2 masks
C
Based on this output from the show ip route command, can a host on network
172.17.0.0 connect to a host on network 222.22.2.0? _______________________
5. R2 needs to know a route to the Internet. Use the default-information originate
command on the router R1 to advertise the default route into the RIP domain.
From the router configuration mode of R1, enter:
R1(config-router)# default-information originate
Verify the default route is in the R2 routing table by issuing the show ip route
command.
There should be an output similar to the following:
R2#show ip route
Gateway of last resort is not set
172.17.0.0 is variably subnetted, 2 subnets, 2 masks
C
R*
6. Check connectivity between the workstations and Internet router using ping.
From the workstation attached to the router R2, ping interface at 222.22.2.0 subnet
of the Internet router.
C:\>ping 222.22.2.1
Pinging 222.22.2.1 with 32 bytes of data:
Reply from 222.22.2.1: bytes=32 time=32ms TTL=254
Reply from 222.22.2.1: bytes=32 time=32ms TTL=254
Reply from 222.22.2.1: bytes=32 time=32ms TTL=254
Reply from 222.22.2.1: bytes=32 time=32ms TTL=254
Ping statistics for 222.22.2.1: Packets: Sent = 4, Received
= 4, Lost = 0 (0% loss), Approximate round trip times in
milli-seconds: Minimum = 32ms, Maximum = 32ms, Average =
32ms
If the ping was not successful, check routing table to make sure static routes are
entered correctly.
Step 5: Verifying RIP v2 Configuration
1. Enter show ip route connected on the R1 router.
What networks are displayed? _________________________________________
What interface is directly connected? ____________________________________
Enter show ip route rip
List the routes listed in the routing table? _________________________________
What is the administrative distance? ____________________________________
2. Enter show ip route connected on the R2 router.
What networks are displayed? _________________________________________
What interface is directly connected? ____________________________________
Enter show ip route rip
List the routes listed in the routing table? _________________________________
Determine which switch is selected as the root with the factory default settings.
[Topology diagram: S1, S2, PC2; addresses 192.168.1.1/24, 192.168.1.2/24, 192.168.1.3/24, 192.168.1.4/24]
Create multiple VLANs, name them, and assign multiple member ports to them.
Create an 802.1q trunk line between the two switches to allow communication
between paired VLANs.
[Topology diagram: S1, S2, PC2; ports Fa0/1 and Fa0/12 on each switch; addresses 192.168.20.1/24, 192.168.1.2/24, 192.168.1.3/24, 192.168.20.4/24]

VLAN Number    VLAN Name      Ports
1 (Native)                    Fa0/2 - Fa0/3
10             Accounting     Fa0/4 - Fa0/6
20             Marketing      Fa0/7 - Fa0/9
30             Engineering    Fa0/10 - Fa0/12
Note:
There should be an entry for VLAN 1 and the default VLANs (1002 +). If
other VLANs appear, they can be deleted with the no vlan command in
global configuration mode.
2. By default, the Catalyst switch series are configured as VTP servers. In the event
that the server services are turned off, use the following command to turn it back
on:
S1# vlan database
S1(vlan)# vtp server
S1(vlan)# vtp domain group1
S1(vlan)# exit
2. Use the show vlan command to verify that the VLANs have been created
correctly.
Step 4: Create the trunk
1. On both switches, S1 and S2, type the following command at the fastEthernet 0/1
interface command prompt. Note that it is not necessary to specify the
encapsulation on a 2950, since it only supports 802.1Q.
S1(config)# interface fastEthernet 0/1
S1(config-if)# switchport mode trunk
S1(config-if)# end
S2(config)# interface fastEthernet 0/1
S2(config-if)# switchport mode trunk
S2(config-if)# end
2. To verify that port FastEthernet 0/1 has been established as a trunk port, type
show interface fastethernet 0/1 switchport at the Privileged EXEC
mode prompt.
What type of trunking encapsulation is shown on the output results? ___________
3. According to the output of show interface fastEthernet 0/1
switchport on S2, is there a difference between the Administrative Trunking
Encapsulation and the Operational Trunking Encapsulation?
__________________________________________________________________
In the Trunking VLANs Enabled line of the output, what does the
word ALL mean?
__________________________________________________________________
What would happen if the two ports of the trunk were using different
encapsulation? Explain.
__________________________________________________________________
__________________________________________________________________
2. On S2, type the command show vlan at the Privileged EXEC prompt as follows:
S2# show vlan
Do VLANs 10, 20, and 30 show without having to type them in? _____________
Why did this happen? ________________________________________________
Step 6: Assign ports to VLANs
1. Assigning ports to VLANs must be done from the interface mode. For example,
enter the following commands to add ports to VLANs on switch S1:
S1# configure terminal
S1(config)# interface range fastethernet 0/4 - 6
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 10
S1(config-if)# exit
S1(config)# interface range fastethernet 0/7 - 9
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 20
S1(config-if)# exit
S1(config)# interface range fastethernet 0/10 - 12
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 30
S1(config-if)# end
Create multiple VLANs, name them and assign multiple member ports to them.
Create an 802.1q trunk line between the switch and router to allow communication
between VLANs.
[Topology diagram: S1, R1, PC2; ports Fa0/1 and Fa0/9]

VLAN Number    VLAN Name    Ports
1 (Native)
10             Sales        Fa0/5 - Fa0/8
20             Support      Fa0/9 - Fa0/12
2. Assigning ports to VLANs must be done from the interface mode. Enter the
following commands to add ports 0/5 to 0/8 to VLAN 10:
S1(config)# interface range fastethernet 0/5 - 8
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 10
S1(config-if)# end
3. Enter the following commands to add ports 0/9 to 0/12 to VLAN 20:
S1(config)# interface range fastethernet 0/9 - 12
Use variable-length subnet mask (VLSM) to support more efficient use of the
assigned IP addresses and to reduce the amount of routing information at the top
level.
[Topology diagram: R1, R2, R3, R4; allocated address 192.168.10.0/24; LANs of 60, 28, 12 and 12 hosts]
Step 1: Divide the allocated address into four equal size address blocks
The first step in the sub-netting process is to divide the allocated address of
192.168.10.0/24 into four equal size address blocks. Since 4 = 2^2, 2 bits are
required to identify each of the 4 subnets.
Next, take subnet #0 (192.168.10.0/26) and identify each of its hosts.
Allocated Address    Sub-Networks         Usable hosts
192.168.10.0/24      192.168.10.0/26      192.168.10.1 - 192.168.10.62
                     192.168.10.64/26     192.168.10.65 - 192.168.10.126
                     192.168.10.128/26    192.168.10.129 - 192.168.10.190
                     192.168.10.192/26    192.168.10.193 - 192.168.10.254
192.168.10.0/26
                     Sub-Sub-Networks     Usable hosts
192.168.10.64/24     192.168.10.64/27     192.168.10.65 - 192.168.10.94
                     192.168.10.96/27     192.168.10.97 - 192.168.10.126
192.168.10.64/27
                     Sub-Sub-Networks     Usable hosts
192.168.10.96/27     192.168.10.96/28     192.168.10.97 - 192.168.10.110
                     192.168.10.112/28    192.168.10.113 - 192.168.10.126
192.168.10.96/28
Since R4 also requires 12 hosts, the next set of host addresses can be derived from
the next available subnet (192.168.10.112/28). Here is the range for the /28 mask.
R1
192.168.10.112/28
                     Sub-Sub-Networks     Usable hosts
192.168.10.128/26    192.168.10.128/30    192.168.10.129 - 192.168.10.130
                     192.168.10.132/30    192.168.10.133 - 192.168.10.134
                     192.168.10.136/30    192.168.10.137 - 192.168.10.138
                     192.168.10.140/30    192.168.10.141 - 192.168.10.142
                     192.168.10.144/30    192.168.10.145 - 192.168.10.146
                     192.168.10.148/30    192.168.10.149 - 192.168.10.150
                     192.168.10.152/30    192.168.10.153 - 192.168.10.154
                     192.168.10.156/30    192.168.10.157 - 192.168.10.158
                     192.168.10.160/30    192.168.10.161 - 192.168.10.162
                     192.168.10.164/30    192.168.10.165 - 192.168.10.166
                     192.168.10.168/30    192.168.10.168 - 192.168.10.169
                     192.168.10.172/30    192.168.10.173 - 192.168.10.174
                     192.168.10.176/30    192.168.10.177 - 192.168.10.178
                     192.168.10.180/30    192.168.10.181 - 192.168.10.182
                     192.168.10.184/30    192.168.10.184 - 192.168.10.185
                     192.168.10.188/30    192.168.10.189 - 192.168.10.190
The available addresses for the WAN links can be taken from the available
addresses in each of the /30 subnets.
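The allocation procedure worked through above, generalized into a small Python allocator (an added example, not part of the original lab). It assigns the largest requirement first and always splits the lowest free block. The LAN and WAN names and the assumption of three WAN links are hypothetical; the host counts and the 192.168.10.0/24 block come from the lab.

```python
import ipaddress

def prefix_for_hosts(hosts):
    """Longest prefix whose subnet still holds `hosts` usable addresses."""
    host_bits = 2                      # a /30 is the smallest subnet with usable hosts
    while (1 << host_bits) - 2 < hosts:
        host_bits += 1
    return 32 - host_bits

def vlsm_allocate(block, requirements):
    """Allocate one subnet per (name, host_count) pair, largest first.

    Returns (plan, free): plan maps name -> IPv4Network, free is the list of
    unallocated blocks left over, in address order.
    """
    free = [ipaddress.ip_network(block)]
    plan = {}
    # sorted() is stable, so equal-sized requirements keep their input order.
    for name, hosts in sorted(requirements, key=lambda r: -r[1]):
        want = prefix_for_hosts(hosts)
        # First fit: the lowest-addressed free block that is large enough.
        idx = next((i for i, n in enumerate(free) if n.prefixlen <= want), None)
        if idx is None:
            raise ValueError(f"no free block large enough for {name} ({hosts} hosts)")
        net = free.pop(idx)
        # Halve the block until it is the right size; the upper halves go
        # back into the free list at the same position, keeping it sorted.
        while net.prefixlen < want:
            low, high = net.subnets(prefixlen_diff=1)
            free.insert(idx, high)
            net = low
        plan[name] = net
    return plan, free

def usable_range(net):
    """First and last usable host address of a subnet, as strings."""
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1])

def overlaps(plan):
    """True if any two allocated subnets overlap (should never happen)."""
    nets = list(plan.values())
    return any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])

# Requirements from the lab topology; names and WAN link count are assumptions.
REQUIREMENTS = [
    ("LAN-60", 60), ("LAN-28", 28), ("LAN-12a", 12), ("LAN-12b", 12),
    ("WAN-1", 2), ("WAN-2", 2), ("WAN-3", 2),
]

if __name__ == "__main__":
    plan, free = vlsm_allocate("192.168.10.0/24", REQUIREMENTS)
    for name, net in plan.items():
        first, last = usable_range(net)
        print(f"{name:8} {str(net):20} {first} - {last}")
    print("unallocated:", ", ".join(str(n) for n in free))
```
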
Configure the OSPF network so that all hosts in OSPF area can connect to outside
networks.
[Topology diagram: ISP, R1, R2, PC; networks 200.20.2.0/24, 192.168.1.0/24, 192.168.2.0/24, 222.22.2.0/24; OSPF Area 0]
Why? _______________________________________________________
3. Configure an OSPF routing process on router R2. Use OSPF process number 1
and ensure all networks are in area 0.
R2(config)# router ospf 1
R2(config-router)# log-adjacency-changes
R2(config-router)# network 192.168.1.0 0.0.0.255 area 0
R2(config-router)# network 192.168.2.0 0.0.0.255 area 0
R2(config-router)# end
Are there any OSPF entries in the routing table now? _______________________
What is the metric value of the OSPF route? ______________________________
What is the via address in the OSPF route? ____________________________
Are routes to all networks shown in the routing table? ______________________
What does the O mean in the first column of the routing table? _______________
5. Ping the R1 from the workstation. Was it successful? _______________________
If not, troubleshoot as necessary.
Step 3: Configure the ISP router
1. Normally the ISP router would be configured by the Internet service provider
(ISP). For the purpose of this lab, after erasing the old configuration, configure the
ISP router this way by typing:
Router> enable
Router# configure terminal
Router(config)# hostname ISP
ISP(config)# line vty 0 4
ISP(config-line)# password cisco
ISP(config-line)# login
ISP(config-line)# interface serial 0/0
ISP(config-if)# ip address 200.20.2.2 255.255.255.0
ISP(config-if)# clock rate 64000
ISP(config-if)# no shutdown
ISP(config-if)# interface loopback 0
ISP(config-if)# ip address 222.22.2.1 255.255.255.0
ISP(config-if)# exit
ISP(config)# ip route 192.168.1.0 255.255.255.0 200.20.2.1
ISP(config)# ip route 192.168.2.0 255.255.255.0 200.20.2.1
ISP(config)# end
ISP# copy running-config startup-config
What is the OSPF password being used for md5 authentication? ______________
What encryption type is being used? ____________________________________
2. Enable OSPF authentication in this area, area 0
R1(config-if)# router ospf 1
R1(config-router)# area 0 authentication message-digest
Wait for a few seconds. Does the router generate any output? ________________
3. Enter the command show ip ospf neighbor.
Are there any OSPF neighbors? ________________________________________
Examine the routing table by entering show ip route.
Are there any OSPF routes in the R1 router routing table?
Can the R1 ping the R2 host? __________________________________________
4. Enter these configuration commands, one per line. End with CNTL/Z.
R2#configure terminal
R2(config)# interface FastEthernet 0/0
R2(config-if)# ip ospf message-digest-key 1 md5 7 secret_key
R2(config-if)# router ospf 1
R2(config-router)# area 0 authentication message-digest
Observe the election process for designated routers (DR) and backup designated
routers (BDR) on the multiaccess network.
Configure loopback addresses for Open Shortest Path First (OSPF) stability.
[Topology diagram: R1, R3, PC; network 192.168.1.0/24; OSPF Area 0]
3. Configure an OSPF routing process on the router R3. Use OSPF process number 1
and ensure all networks are in area 0.
R3(config)# router ospf 1
R3(config-router)# log-adjacency-changes
R3(config-router)# network 192.168.1.0 0.0.0.255 area 0
R3(config-router)# end
2. Type the command show ip ospf neighbor on all routers to verify that the
OSPF routing has formed adjacencies.
Is there a designated router identified? ___________________________________
Write down the router ID and link address of the DR:
_________________________________ ________________________________
Is there a backup designated router? _____________________________________
Write down the router ID and link address of the BDR:
_________________________________ ________________________________
What is the third router referred to as? ___________________________________
Write down that router's ID and link address:
_________________________________ ________________________________
3. Type the command show ip ospf neighbor detail for more information.
What is the neighbor priority of R1 from router R3? ________________________
What interface is identified as being part of Area 0? ________________________
4. Type show ip ospf interface fastethernet 0/0 on the R1 router.
What is the OSPF state of the interface? _________________________________
What is the default priority of the interface? ______________________________
What is the network type of the interface? ________________________________
3. To watch the OSPF election process, restart all of the routers using the reload
command. Be sure to save the running config before restarting the routers. As
soon as the router prompt is available, type:
R2> enable
R2# debug ip ospf events
Setup an IP addressing scheme for Open Shortest Path First (OSPF) area.
[Topology diagram: PC1, R1, R2, PC2; networks 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24; OSPF Area 0]
Are there any OSPF entries in the routing table now? _______________________
What is the metric value of the OSPF route? ______________________________
What is the VIA address in the OSPF route? ______________________________
Are routes to all networks shown in the routing table? ______________________
What does the O mean in the first column of the routing table? _______________
4. Ping the R1 host from the R2 host. Was it successful? ______________________
If not, troubleshoot as necessary.
Step 3: Determining OSPF cost
Link Bandwidth         OSPF cost
56 Kbps                1785
T1                     65
Ethernet 10 Mbps       10
Token-Ring 16 Mbps
1. Show the properties of the R1 router serial and FastEthernet interfaces using the
show interfaces command.
What is the default bandwidth of the interfaces?
Serial Interface: _____________________________________________________
FastEthernet Interface: _______________________________________________
Calculate the OSPF cost.
Serial Interface: _____________________________________________________
FastEthernet Interface: _______________________________________________
2. Using the show ip ospf interface command, record the OSPF cost of the
serial and Fast Ethernet interfaces.
OSPF cost of Serial Interface: _________________________________________
2. Wait for a minute and then enter the command show ip ospf neighbor.
Are there any OSPF neighbors? ________________________________________
3. Examine the R1 router routing table by entering show ip route.
Are there any OSPF routes in the table? __________________________________
Can the R1 Host ping the R2 host? ______________________________________
4. Enter the command debug ip ospf events in privileged EXEC mode.
Is there an issue that is identified? ______________________________________
If there is, what is the issue? ___________________________________________
5. a. On the R2 router check the routing table by typing show ip route.
Are there any OSPF routes in the table? __________________________________
6. Set the R2 router interval timers
Match the timer values on the R2 serial link with the R1 router.
R2(config)# interface serial 0/1
R2(config-if)# ip ospf hello-interval 5
R2(config-if)# ip ospf dead-interval 20
[Topology diagram: PC1, R1, R2, PC2; interfaces S0/0 and S0/1 on each router; networks 192.168.1.0/24, 192.168.3.0/24, 192.168.4.0/24]
Because the EIGRP metric includes bandwidth in its calculation, bandwidth must
be manually configured on the serial interfaces in order to ensure accuracy. For
the purposes of this lab, the alternative paths to network 192.168.3.0 from the R1
router are not of unequal cost until the appropriate bandwidths are set.
3. Use the show interface command output to verify the correct bandwidth
settings and the show ip interface command to ensure that fast switching is
disabled.
Can the bandwidth of Ethernet interfaces be set manually? ___________________
Step 3: Configure unequal-cost load balancing
1. The variance value determines whether EIGRP will accept unequal-cost routes.
An EIGRP router will only accept routes whose metric is no greater than the local best metric for the
destination multiplied by the variance value. So if the local best metric of an
EIGRP router for a network is 10000, and the variance is 3, the router will accept
unequal-cost routes with any metric up to 30000 or 10,000 x 3. This is as long as
the advertising router is closer to the destination. An EIGRP router accepts only
up to four paths to the same network.
Note: An alternate route is added to the route table only if the next-hop
router in that path is closer to the destination (has a lower metric value)
than the current route.
By default, EIGRP variance is set to 1, which means that only routes that are
exactly 1 times the local best metric are installed. Therefore, a variance of 1
disables unequal-cost load balancing.
2. Configure the R1 router to enable unequal-cost load balancing using the following
commands:
R1(config)# router eigrp 100
R1(config-router)# variance 10
According to the help feature, what is the maximum variance value? ___________
3. Check the R1 routing table. It should have two routes to network 192.168.3.0 with
unequal metrics.
What is the EIGRP metric for the route to 192.168.3.0 through serial 0/0? ______
What is the EIGRP metric for the route to 192.168.3.0 through serial 0/1? ______
Step 4: Verify per-packet load balancing
1. Because there are two routes to the destination network, half the packets will be
sent along one path, and half will travel over the other. The path selection
alternates with each packet received.
Observe this process by using the debug ip packet command on the R1 router.
Send 30 ping packets across the network from the host attached to the R2 router to
the host attached to the R1 router. This can be done with the ping 192.168.1.2
-n 30 command on the host. As the pings are responded to, the router outputs IP
packet information.
Stop the debug after the pings by using the command undebug all.
2. Examine and record part of the debug output.
What is the evidence of load balancing in the output?
__________________________________________________________________
__________________________________________________________________
Answer: ___________________________________________________________
2. Which networks would be denied by the following router command?
R1(config)# access-list 2 deny 172.16.16.0 0.0.31.255
Answer: ___________________________________________________________
3. Which networks will be allowed by the following router command?
R1(config)# access-list 3 permit 210.105.23.0 0.0.16.255
Answer: ___________________________________________________________
4. Which networks will be allowed by the following router command?
R1(config)# access-list 4 permit 168.192.132.0 0.3.255.255
Answer: ___________________________________________________________
5. Which networks will be allowed by the following router command?
R1(config)# access-list 5 deny 158.16.2.0 0.0.7.255
Answer: ___________________________________________________________
6. Which networks will be allowed by the following router command?
R1(config)# access-list 6 permit 196.122.86.13 0.3.31.0
Answer: ___________________________________________________________
Answer: ___________________________________________________________
8. Which networks would be denied by the following router command?
R1(config)# access-list 8 deny 142.55.56.0 0.0.0.63
Answer: ___________________________________________________________
9. Which networks would be denied by the following router command?
R1(config)# access-list 9 deny 177.37.205.0 3.7.0.0
Answer: ___________________________________________________________
10. Which networks would be denied by the following router command?
R1(config)# access-list 10 deny 157.118.237.0 7.63.0.0
Answer: ___________________________________________________________
11. Which networks would be denied by the following router command?
R1(config)# access-list 11 deny 35.8.2.3 3.7.15.31
Answer: ___________________________________________________________
12. Which networks would be denied by the following router command?
R1(config)# access-list 12 deny 43.34.42.0 0.0.15.255
Answer: ___________________________________________________________
13. Which networks would be denied by the following router command?
R1(config)# access-list 13 deny 84.7.109.0 63.3.0.63
Answer: ___________________________________________________________
14. Which networks would be denied by the following router command?
R1(config)# access-list 14 deny 222.16.5.0 0. 0.3.15.255
Answer: ___________________________________________________________
15. Which networks would be denied by the following router command?
R1(config)# access-list 15 deny 10.5.16.2 0.0.92.0
Answer: ___________________________________________________________
16. Which networks would be denied by the following router command?
R1(config)# access-list 16 deny 208.172.2.16 102.0.0.0
Answer: ___________________________________________________________
Step 3: Determine a wildcard mask from a range of IP addresses
1. Finish the command below such that it allows IP Addresses 112.85.96-99.0-255
Answer: R1(config)# access-list 1 deny 112.85.96.0 ____________
__________________________________________________________________
2. Finish the command below such that it denies IP Addresses 133.8-15.0-31.0-255
Answer: R1(config)# access-list 2 deny 133.8.0.0 ______________
__________________________________________________________________
3. Complete the command below such that it allows IP Addresses 192-223.108.23.29
[Topology diagram: R1, R2 with loopback Lo0; networks 192.168.2.0/24, 192.168.3.0/24]
2. From the global configuration mode in the router R2, enter the following:
R2(config)#router rip
R2(config-router)#version 2
R2(config-router)#network 192.168.2.0
R2(config-router)#network 192.168.3.0
R2(config-router)#end
Ping all of the interfaces of the router R1 and R2 on the network from the host
Were all of the interfaces still able to be pinged? ___________________________
If not, troubleshoot the network and ping again.
Step 4: Create an access list that will not allow the even numbered hosts to
ping but permit the odd numbered hosts to ping the Ethernet interface of R1
1. What will that access list look like? Finish this command with an appropriate
common IP address and wildcard mask:
access-list 2 permit ____.____.____.____ ____.____.____.____
Why was it not necessary to have the permit any statement at the end this time?
__________________________________________________________________
Apply the new access list by typing ip access-group 2 in
2. Assign an even address to host and ping the router R1
Was the ping from host successful? _____________________________________
Why or why not? ___________________________________________________
3. Assign an odd address to host and ping the router R1
Was the ping from host 2 successful? ___________________________________
Why or why not? ___________________________________________________
4. Remove the Access list from the interface before finishing step
R1(config-if)# no ip access-group 2 in
Step 4: Prevent access from the host to the local network on the router R2
1. The host needs to be prevented access to the local network on the router R2. It is
determined that a standard access list needs to be created to prevent traffic from
this host from accessing loopback interface of R2. The access control list should
block traffic from this host and not affect other traffic from this network.
2. First, define the information needed to create the ACL. Remember that statements
are added sequentially to an ACL. Therefore, the order of the statements needs to
be planned carefully.
3. It has been determined that this ACL will require 2 logical steps. Each of these
steps can be accomplished with one statement each:
! stop traffic from host
! permit all other traffic
4. From this logic the actual ACL will be written. Write each statement: access-list
[permit/deny], common IP address and wildcard mask.
access-list 3 ______ ____.____.____.____ ____.____.____.____
access-list 3 ______ ____.____.____.____ ____.____.____.____
What would be the result of not including a statement to permit all other source
addresses?
__________________________________________________________________
What would be the result of reversing the order of the 2 statements in the list?
__________________________________________________________________
Why are both statements using the same ACL number?
__________________________________________________________________
5. The final step is to determine the best location for the access list and the direction
the list should be applied. Examine the inter-network diagram and choose the
appropriate interface and direction:
Router: _____________, Interface: ______________, Direction: ______________
The command to apply the access list: ip access-group 3 _____
6. Now that the ACL is completed, the ACL needs to be confirmed and tested.
Test the functionality of the ACL by trying to send packets from the source host
and verify that the traffic is permitted or denied as appropriate. In this case, ping will
be used to test this.
Ping the router from the host 192.168.1.2
Were these pings successful? __________________________________________
Why or why not? ___________________________________________________
Change host IP address to 192.168.1.3, ping the router from the host
Were these pings successful? __________________________________________
Why or why not? ___________________________________________________
5. Remove the Access list from the interface before finishing step
Rx(config-if)# no ip access-group 3 [ in | out ]
[Topology diagram: PC1, R1, R2 with loopback Lo0; networks 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24]
2. From the global configuration mode in the router R2, enter the following:
R2(config)#router rip
R2(config-router)#version 2
R2(config-router)#network 192.168.2.0
R2(config-router)#network 192.168.3.0
R2(config-router)#end
Ping all of the interfaces of the router R1 and R2 on the network from the host
Were all of the interfaces still able to be pinged? ___________________________
If not, troubleshoot the network and ping again.
This statement will deny IP access for any users on the 192.168.1.128 -
192.168.1.255 network if they are trying to access network 192.168.3.0.
4. Remember that there is an implicit deny all at the end of every access list. We must
now make sure to let group A access the R2 LAN network. Enter the following
statement:
R1(config)#
5. Now we need to apply the access list to an interface. We could apply the list to
any incoming traffic going to the R1 Ethernet interface. However, if there were a
great deal of traffic between the R1 LAN and the R2 LAN, the router would have
to check every packet. There is concern that this would add unwanted overhead to
the router. Therefore the access list is applied to any outgoing traffic going
through the R1 router serial interface.
R1(config)# interface s0/0
R1(config-if)# ip access-group 102 out
6. Verify the syntax of the access-list with the show running-config command.
Another valuable command is the show access-lists command. The show
access-lists command also displays counters, indicating how many times the
list has been used. No counters are listed here since we haven't attempted to verify
it yet.
Note: Use the clear access-list counters command to restart the
access list counters
7. Test the functionality of the ACL by trying to send packets from the source host
and verify that the traffic is permitted or denied as appropriate. In this case, ping will
be used to test this.
Ping the R2 loopback interface from the host 192.168.1.2
Were these pings successful? __________________________________________
Change host IP address to 192.168.1.130 then ping the R2 loopback interface
Were these pings successful? __________________________________________
8. Issue the show access-lists command. How many matches are there? ___________
Note: The show access-lists command displays the number of
matches per line. Therefore the number of deny matches may seem odd
until it is realized that the pings matched the deny statement and the
permit statement.
Step 5: Allow a user in group B to access the 192.168.3.0 network
1. Configure an extended access list to allow that user access to the R2 LAN.
To allow a host (192.168.1.200) to access the R2 LAN, the extended access list
needs to be altered to allow that host access to the R2 LAN, while denying everyone
else in group B.
Unfortunately, it is not possible to reorder an access list, skip statements, edit
statements, or delete statements from a numbered access list. With numbered
access lists, any attempt to delete a single statement results in the deletion of
the entire list.
2. Therefore the initial extended access list needs to be deleted and a new one
created. To delete access-list 102, enter the following:
R1(config)# no access-list 102
Verify that it has been deleted with the show access-lists command.
3. Now create a new extended access list. Always filter from the most specific to the
most generic. Therefore the first line of the access list should allow the host
192.168.1.200 access to the R2 LAN. The remainder of the access list should be
the same as the one entered previously.
R1(config)# access-list 103 permit ip host 192.168.1.200 192.168.3.0 0.0.0.255
4. Now deny all of the remaining hosts of group B access to the R2 LAN and
permit anyone else. Refer to the previous step for the next two lines of the
configuration.
5. The show access-list command would display output similar to the following:
R1# show access-lists
Extended IP access list 103
permit ip host 192.168.1.200 192.168.3.0 0.0.0.255
deny ip 192.168.1.128 0.0.0.127 192.168.3.0 0.0.0.255
permit ip any any
R1#
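The first-match behaviour and per-line counters described above can be reproduced offline. The following is an added example, not part of the original lab: it evaluates access list 103 as displayed, then a constructed misordering of the same lines, to show how a broad deny placed first shadows the host permit. The destination 192.168.3.2 (taken to be the R2 loopback) and all function names are assumptions of this example.

```python
import ipaddress

def parse_acl(lines):
    """Parse 'permit|deny ip <src> <dst>' entries into match records."""
    def take(tok, i):
        # An address spec is 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'.
        if tok[i] == "any":
            return (0, 0xFFFFFFFF), i + 1
        if tok[i] == "host":
            return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
        return (int(ipaddress.IPv4Address(tok[i])),
                int(ipaddress.IPv4Address(tok[i + 1]))), i + 2
    acl = []
    for line in lines:
        tok = line.split()
        src, i = take(tok, 2)
        dst, _ = take(tok, i)
        acl.append({"action": tok[0], "src": src, "dst": dst, "hits": 0})
    return acl

def matches(addr, spec):
    base, wildcard = spec
    # Wildcard bits set to 1 are ignored; every other bit must be equal.
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)

def evaluate(acl, src, dst):
    """Return the action of the first matching entry; implicit deny otherwise."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for entry in acl:
        if matches(s, entry["src"]) and matches(d, entry["dst"]):
            entry["hits"] += 1          # counter shown by 'show access-lists'
            return entry["action"]
    return "deny"

ACL_103 = [
    "permit ip host 192.168.1.200 192.168.3.0 0.0.0.255",
    "deny ip 192.168.1.128 0.0.0.127 192.168.3.0 0.0.0.255",
    "permit ip any any",
]
# Constructed misordering: the broad deny placed ahead of the host permit.
ACL_MISORDERED = [ACL_103[1], ACL_103[0], ACL_103[2]]

def verdicts(lines, dst="192.168.3.2"):
    """Test three source hosts; return their verdicts and per-line hit counts."""
    acl = parse_acl(lines)
    hosts = ["192.168.1.2", "192.168.1.130", "192.168.1.200"]
    return {h: evaluate(acl, h, dst) for h in hosts}, [e["hits"] for e in acl]

if __name__ == "__main__":
    print(verdicts(ACL_103))
    print(verdicts(ACL_MISORDERED))
```

In the misordered list the host permit never records a hit, which is the sign to look for in the counters when a specific entry is shadowed by a broader one above it.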
[Topology diagram: Inside and Outside NAT domains; PC2, R1, R2, Lo0; networks 192.168.1.0/24, 200.0.0.0/24 and 222.0.0.0/24; Public pool: 199.0.0.32/27]
2. Define an access list that will match the inside private IP addresses, using the
access-list command:
R1(config)# access-list 1 permit 192.168.1.0 0.0.0.255
3. Define the NAT translation from the inside list to the outside pool, using the ip nat
inside source command:
R1(config)# ip nat inside source list 1 pool PUBLIC-ACCESS
4. The active interfaces on the router need to be specified as either inside or outside
interfaces with respect to NAT. To do this, use the ip nat inside or ip nat
outside command:
R1(config)# interface fastethernet 0/0
R1(config-if)# ip nat inside
R1(config-if)#interface serial 0/0
R1(config-if)# ip nat outside
5. From the PC2, ping 222.0.0.2. If successful, look at the NAT translation on the R1
router, using the command show ip nat translations.
What is the translation of the inside local host addresses?
_______________ = _______________ ________________ = _______________
The inside global address is assigned by? ________________________________
The inside local address is assigned by? _________________________________
Step 4: Configure static NAT
1. PC1, 192.168.1.2/24, will be designated as the public WWW server. Thus, it
needs a permanent public IP address. This mapping is defined using a static NAT
mapping.
2. To configure a static IP NAT mapping, use the ip nat inside source
static command at the privileged EXEC mode prompt:
R1(config)# ip nat inside source static 192.168.1.2 199.0.0.33
Does the mapping appear in the output of the show command? _______________
[Topology diagram: R1, R2, R3; subnets FEC0::12:0/112, FEC0::13:0/112 and FEC0::23:0/112; R1 Loopback 0: 10.1.1.1/24, FEC0::1:1/112; R3 Loopback 0: 10.1.3.1/24, FEC0::3:1/112]
3. If you accidentally put the wrong IPv6 address on an interface, make sure you take
it off with the no version of the command you entered. Unlike IPv4 addresses,
where the ip address command overwrites the existing address, multiple IPv6
addresses can exist on an interface. Putting in the command ipv6 address
multiple times will add more addresses, not replace them.
Also, notice that we put both an IPv4 and an IPv6 address on the same interface, and
they do not conflict with each other. This is because they are different layer 3
protocols and they run independently.
Step 2: Configuring the static IPv6 addresses
1. Now, configure the two serial links with IPv6 addresses. Use the ipv6 address
address/mask command again to configure the interfaces with the addresses
given in the diagram. Remember to set the clock rates where appropriate and put a
no shutdown on the interfaces. Verify with ping for local subnet connectivity.
R1(config)# interface serial0/0
R1(config-if)# ipv6 address FEC0::12:1/112
R1(config-if)# clockrate 64000
R1(config-if)# no shutdown
R1(config)# interface serial0/1
R1(config-if)# ipv6 address FEC0::13:1/112
R1(config-if)# no shutdown
R2(config)# interface serial0/1
R2(config-if)# ipv6 address FEC0::12:2/112
R2(config-if)# no shutdown
R3(config)# interface serial0/0
R3(config-if)# ipv6 address FEC0::13:3/112
R3(config-if)# clockrate 64000
R3(config-if)# no shutdown
R1# ping FEC0::12:2
R1# ping FEC0::13:3
R2# ping FEC0::12:1
R3# ping FEC0::13:1
2. Use the command show ipv6 interface to look at IPv6 related properties of
the router interfaces. You can also specify a specific type/number of an interface
with this command to see the output for only that interface.
Step 3: Changing the Link-local address on an interface
1. Notice that in addition to the address you already configured, there is a link local
address starting with FE80. Your actual address may vary. You can change this on
the link between R1 and R2 by putting the link-local address FE80::1 on R1 and
FE80::2 on R2. There is no subnet mask on link-local addresses, because they are
not routed; hence the term link-local. To configure this, use the command ipv6
address address link-local. Verify that you can ping the link local address
on the other side. When pinging link local addresses, you must specify an
outgoing interface because the addresses are not routed and not in the routing
table.
2. Verify the link local addresses with the command show ipv6 interface.
Step 4: Configuring EUI-64 Addresses
1. EUI-64 IPv6 addresses are addresses where the first 64 bits are the network
portion of the address and are specified in the configuration, and the second 64 bits
are the host portion of the address and are generated automatically by the device. To
configure IPv6 EUI-64 addresses on an interface, use ipv6 address address/mask eui-64.
2. Configure this on the FastEthernet interfaces of R2 and R3 with the subnet given
in the diagram. Also, make sure you put a no shutdown on the interfaces. Find
out the IPv6 addresses of the interfaces with show ipv6 interface or show
ipv6 interface brief, and then ping the other side of the link.
R2(config)# interface fastethernet0/0
R2(config-if)# ipv6 address FEC0:23::/64 eui-64
R2(config-if)# no shutdown
R3(config)# interface fastethernet0/0
R3(config-if)# ipv6 address FEC0:23::/64 eui-64
R3(config-if)# no shutdown
R2# show ipv6 interface brief
FastEthernet0/0 [up/up]
FE80::218:B9FF:FE92:28D8
FEC0:23::218:B9FF:FE92:28D8
<Output eliminated >
R3# ping FEC0:23::218:B9FF:FE92:28D8
Note: Your addresses will be different from the addresses displayed in the
example, because EUI-64 addresses include the MAC address of the
interface in them, which will be unique per interface.
Step 5: Enabling IPv6 Routing and CEF
1. As of the time of this writing, the current IOS version has IPv6 routing and CEF
disabled by default. To enable IPv6 routing, use the global configuration
command ipv6 unicast-routing. To enable IPv6 CEF, use the command
ipv6 cef. Use these commands on all three routers.
R1(config)# ipv6 unicast-routing
R1(config)# ipv6 cef
R2(config)# ipv6 unicast-routing
R2(config)# ipv6 cef
R3(config)# ipv6 unicast-routing
R3(config)# ipv6 cef
3. View the routing table on all three routers with the command show ipv6 route.
R1# show ipv6 route
IPv6 Routing Table - 11 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BG
U - Per-user Static route
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS s
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSP
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
D - EIGRP, EX - EIGRP external
FEC0::1:0/112 [0/0]
via ::, Loopback0
FEC0::1:1/128 [0/0]
via ::, Loopback0
FEC0::2:1/128 [120/2]
via FE80::2, Serial0/0
FEC0::3:1/128 [120/2]
via FE80::218:B9FF:FECD:BEF0, Serial0/1
FEC0::12:0/112 [0/0]
via ::, Serial0/0
FEC0::12:1/128 [0/0]
via ::, Serial0/0
FEC0::13:0/112 [0/0]
via ::, Serial0/1
FEC0::13:1/128 [0/0]
via ::, Serial0/1
FEC0:23::/64 [120/2]
via FE80::2, Serial0/0
via FE80::218:B9FF:FECD:BEF0, Serial0/1
FE80::/10 [0/0]
via ::, Null0
FF00::/8 [0/0]
via ::, Null0
[Topology diagram: R1, R2, R3; networks 172.16.12.0/24, 172.16.23.0/24 and FEC0::13:0/112; R3 Loopback 0: 10.1.3.1/24, FEC0::3:1/112; R1 Loopback 0: 10.1.1.1/24, FEC0::1:1/112]
3. Verify that you can ping across the tunnel to the other side.
R1#ping FEC0::13:3
[Topology diagram: PC1, R1, R2, PC2; networks 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24; Frame-Relay encapsulation; DLCI 101 and DLCI 101]
And R2:
R2(config-if)# frame-relay map ip 192.168.2.1 101 broadcast
Configure a router as a Frame Relay switch, connecting two routers in a point-to-point topology.
[Topology diagram: R2 as Frame-Relay switch with S0/0 and S0/1; R1, R3, PC 1, PC 2; DLCI 102 and DLCI 201; networks 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24]
5. The remaining configurations on the Frame Relay switch are specific to the
interfaces. On each serial interface, configure the encapsulation to Frame Relay,
define the interface as a Frame Relay DCE, and set the clock rate. The following is
an example:
R2(config-if)# encapsulation frame-relay
R2(config-if)# frame-relay intf-type dce
R2(config-if)# clock rate 56000 (If DCE cable is attached)
R2(config-if)# no shutdown
7. The switch logic indicates that if the frame inbound to interface serial 0/0 is
labeled DLCI 102, then send the frame to the outbound interface serial 0/1 labeled
with DLCI 201. For traffic traveling in the opposite direction, the logic indicates
that if the frame inbound to interface serial 0/1 is labeled DLCI 201, then send the
frame to the outbound interface serial 0/0 labeled with DLCI 102.
Confirm with the show frame-relay route command on the switch, as shown in the
following:
R2# show frame-relay route
Input Intf      Input Dlci      Output Intf     Output Dlci     Status
Serial0/0       102             Serial0/1       201             active
Serial0/1       201             Serial0/0       102             active
3. Use extended pings and show ip route to test Frame Relay connectivity and
route propagation.
Step 3: Verifying the Frame Relay configuration
1. To verify the configuration, use the show interfaces commands, related to
Frame Relay. To view the serial interface configuration use the following
command:
R1# show interfaces serial 0/0
What is the state of the interface? Serial 0 is ________, line protocol is _________