
R4:
config t
hostname R4
enable secret pass
no ip domain-lookup
no logging console
no service config
alias exec bp show ip int brief | ex una
alias exec sr show ip route
alias exec cn show cdp nei
alias exec sp show ip protocols
line console 0
no login
exec-timeout 0 0
line vty 0 14
no login
exec-timeout 0 0
no ip domain-lookup
no logging console
int fa 1/0
ip add 43.0.0.4 255.0.0.0
no shut
int fa 1/1
ip add 41.0.0.4 255.0.0.0
no shut
***
R3:
config t
hostname R3
enable secret pass
no ip domain-lookup
no logging console
no service config
alias exec bp show ip int brief | ex una
alias exec sr show ip route
alias exec cn show cdp nei
alias exec sp show ip protocols
line console 0
no login
exec-timeout 0 0
line vty 0 14
no login
exec-timeout 0 0
no ip domain-lookup
no logging console
int fa 1/0
ip add 43.0.0.3 255.0.0.0
no shut
int fa 1/1
ip add 31.0.0.3 255.0.0.0
no shut
***
R1:
config t
hostname R1
enable secret pass
no ip domain-lookup
no logging console
no service config
alias exec bp show ip int brief | ex una
alias exec sr show ip route
alias exec cn show cdp nei
alias exec sp show ip protocols
line console 0
no login
exec-timeout 0 0
line vty 0 14
no login
exec-timeout 0 0
no ip domain-lookup
no logging console
int fa 1/0
ip add 41.0.0.1 255.0.0.0
no shut
int fa 1/1
ip add 31.0.0.1 255.0.0.0
no shut
int fa 2/0
ip add 12.0.0.1 255.0.0.0
no shut
***
R2:
config t
hostname r2
enable secret pass
no ip domain-lookup
no logging console
no service config
alias exec bp show ip int brief | ex una
alias exec sr show ip route
alias exec cn show cdp nei
alias exec sp show ip protocols
line console 0
no login
exec-timeout 0 0
line vty 0 14
no login
exec-timeout 0 0
no ip domain-lookup
no logging console
ip route 0.0.0.0 0.0.0.0 12.0.0.1
int fa 1/0
ip add 12.0.0.2 255.0.0.0
no shut
*******
R4:
ip route 0.0.0.0 0.0.0.0 41.0.0.1
R3:
ip route 0.0.0.0 0.0.0.0 31.0.0.1

*******this is it**************************
nat on R1:
config t
int fa 1/0
ip nat outside
int fa 1/1
ip nat outside
int fa 2/0
ip nat inside
ip policy route-map PBR
exit
!
ip sla 1
icmp-echo 41.0.0.4
timeout 500
frequency 1
ip sla schedule 1 life forever start-time now
!
ip sla 2
icmp-echo 31.0.0.3
timeout 500
frequency 1
ip sla schedule 2 life forever start-time now
!
track 10 rtr 1 reachability
delay down 1 up 1
!
track 20 rtr 2 reachability
delay down 1 up 1
!
ip route 0.0.0.0 0.0.0.0 41.0.0.4 11 track 10
ip route 0.0.0.0 0.0.0.0 31.0.0.3 22 track 20
!
access-list 10 permit 12.0.0.0 0.0.0.255
access-list 20 permit 12.0.0.0 0.0.0.255
!
access-list 110 permit ip any any
access-list 120 permit ip any any
!
!
ip nat inside source route-map ISPR4 interface fastethernet 1/0 overload
ip nat inside source route-map ISPR3 interface fastethernet 1/1 overload
!
route-map PBR permit 10
match ip address 110
set ip next-hop verify-availability 41.0.0.4 1 track 10
exit
route-map PBR permit 20
match ip address 120
set ip next-hop verify-availability 31.0.0.3 2 track 20
exit
route-map ISPR4 permit 10
match ip address 10
match interface fastethernet 1/0
route-map ISPR3 permit 10
match ip address 20
match interface fastethernet 1/1
exit

r1#sh ip sla statistics
Round Trip Time (RTT) for Index 1
Latest RTT: 32 milliseconds
Latest operation start time: *09:01:14.995 UTC Fri Jun 14 2013
Latest operation return code: OK
Number of successes: 1514
Number of failures: 271
Operation time to live: Forever
Round Trip Time (RTT) for Index 2
Latest RTT: 40 milliseconds
Latest operation start time: *09:01:15.167 UTC Fri Jun 14 2013
Latest operation return code: OK
Number of successes: 1784
Number of failures: 1
Operation time to live: Forever

r1#sh ip sla application
IP Service Level Agreements
Version: Round Trip Time MIB 2.2.0, Infrastructure Engine-II
Time of last change in whole IP SLAs: *08:31:31.151 UTC Fri Jun 14 2013
Estimated system max number of entries: 19256

Estimated number of configurable operations: 19254
Number of Entries configured : 2
Number of active Entries : 2
Number of pending Entries : 0
Number of inactive Entries : 0

*************GNS3: ************************

Task 1: What is SLA?
Using Cisco IP SLA, the performance of the network can be monitored
without deploying a physical probe. A router can be configured to send
a generated packet to the destination device; once the destination
device receives this packet, it responds with time-stamp information
for the source, so that the source can calculate the metric.

conf t
hostname CUCM
enable secret pass
no logging console
no ip domain-lookup
line con 0
no login
exec-timeout 0 0
line vty 0 14
no login
exec-timeout 0 0
int gi0/0
no shut
ip add 192.168.M.254 255.255.255.0
do ping 192.168.M.1
do ping 192.168.M.5X <-- phone!

CONFIGURING IP TELEPHONY:
config t
no telephony-service
telephony-service
no auto-reg-ephone
no auto assign
max-ephone 8
max-dn 8
ip source-address 192.168.M.254
create cnf-files
ephone-dn 1
number M01
exit
ephone 1
mac-address ____.____.____
type 6941
button 1:1
restart
exit

VOICE ROUTING:
config t
voice service voip
ip address trusted list
ipv4 0.0.0.0 0.0.0.0

dial-peer voice K voip
destination-pattern K..
session target ipv4:192.168.K.1
codec g711uLaw
no vad

CONFIGURING ANALOG PHONES:
config t
dial-peer voice 1 pots
destination-pattern M30
port 0/3/0
exit
sh dial-peer voice summary
csim start M30

Task 4: Remote Port Monitoring:

You suspect your girlfriend is chatting on the internet; you want to monitor her fa 0/3 (tx/rx)
packets and send the mirrored packets to your fa 0/1 so that Wireshark can capture her
chat.
D1 (192.168.m.2):
D1>enable
config t
monitor session 1 source interface fa 0/3 both
monitor session 1 destination interface fa 0/1
end

If you are on a different switch somewhere, you can still monitor someone as long
as you know which switch he belongs to:
Watcher: Core (this only works if you have a trunk!)
CORE:
config t
vtp domain rivan
vtp password pass
int range fa 0/21-22
swi trunk enc dot1Q
swi mode trunk
vlan 69
name tagahuli
remote-span
no monitor session 1
monitor session 1 source vlan 69
monitor session 1 destination interface fa 0/1

Task 5: Possible Lab on SWITCH Exam:
CORE:
config t
ip http server (opens port 80 / the web site)
ip http secure-server (opens port 443)
firefox:
c>ping 192.168.m.1
http://192.168.m.1 and https://192.168.m.1 (443 is working)
username:
password:
CORE:
config t
vlan 5
name NOT-ITSTAFF
exit
int vlan 5
ip add 10.5.0.1 255.255.0.0
no shut
exit
ip dhcp pool vlan5
network 10.5.0.0 255.255.0.0
default-router 10.5.0.1
int fa 0/5
spanning-tree portfast
swi acc vlan 5
One of the labs in SWITCH is VLAN Access Lists:
You are the network admin. If you are in VLAN 1 (VIP) you
can ping, http, https to all devices. But if you are in Non-IT
(VLAN 5) you can only ping the switch.
Move to fa0/5
http://10.5.0.1 and https://10.5.0.1 and ping 10.5.0.1
Block http and https if you are a member of VLAN 5.
Step 1: Create a VLAN access-list
config t
ip access-list extended VACL1-ACL
permit tcp any any eq 80
permit tcp any any eq 443
permit icmp any any
exit
vlan access-map vacl1 10
match ip address VACL1-ACL
action drop
exit
vlan access-map vacl1 20
action forward
exit

TASK 6: CCNP/CCIE: Port Security -> using security:
we will statically map the MAC address of the PC to the port!

core#show port-security address
config t
int fa0/1
spanning-tree portfast
swi mode access
swi port-security
switchport port-security maximum 1
switchport port-security violation shutdown
switchport port-security mac-address sticky
switchport port-security aging type inactivity
(don't flush out the MAC!)
show port-security address
show int status err-disable
bring back the original device (recover the err-disabled port):
config t
int fa 0/1
shut
no shut
USING MACRO COMMANDS TO DEPLOY ON MULTIPLE PORTS: (fa0/1-5)
Core#
config t
define interface-range ALLIN fa0/1-5
macro name PORTSECURED
swi mode access
swi port-security
switchport port-security maximum 1
switchport port-security violation shutdown
switchport port-security mac-address sticky
switchport port-security aging type inactivity
Apply to any port you like: (fa0/1-5)
config t
int range macro ALLIN
macro apply PORTSECURED
do sh run int fa 0/4
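The port-security behaviour configured in task 6 (maximum 1, violation shutdown, sticky MAC), modelled as an added example that is not part of the original notes; the MAC addresses are constructed and MAC aging is not modelled.

```python
# Model of one access port as configured in task 6 (example code, not IOS):
#   switchport port-security maximum 1 / violation shutdown / mac-address sticky
# MAC addresses below are constructed sample values.

class SecuredPort:
    def __init__(self, name, maximum=1):
        self.name = name
        self.maximum = maximum
        self.secure_macs = []      # sticky-learned addresses (survive a violation)
        self.err_disabled = False
        self.violations = 0

    def frame_from(self, mac):
        """Return what the switch does with a frame arriving from `mac`."""
        if self.err_disabled:
            return "dropped (port err-disabled)"
        if mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            # sticky: the first MAC seen is learned and written to running-config
            self.secure_macs.append(mac)
            return "forwarded (sticky-learned)"
        # a second MAC exceeds 'maximum 1': violation mode shutdown err-disables
        # the port; the sticky MAC is NOT flushed ("don't flush out the mac!")
        self.err_disabled = True
        self.violations += 1
        return "violation -> err-disabled"

    def shut_no_shut(self):
        """'shut' then 'no shut' on the interface recovers the port; sticky MAC stays."""
        self.err_disabled = False

def lab_scenario():
    """PC plugs in, a rogue device replaces it, admin bounces the port, PC returns."""
    port = SecuredPort("FastEthernet0/1")
    pc = "0011.2233.4455"       # constructed
    rogue = "aabb.ccdd.eeff"    # constructed
    steps = [port.frame_from(pc), port.frame_from(rogue), port.frame_from(pc)]
    port.shut_no_shut()
    steps += [port.frame_from(pc), port.frame_from(rogue)]
    return steps, port.secure_macs, port.violations
```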
Task 7: PRIVATE VLANS: VLANs inside a VLAN:

------------------------------------------------------------------------
Dist:
config t
default int fa 0/24
do ping d1
do wr

CORE:
config t
ip host c1 126.m.0.1
ip host d1 126.m.0.2
default int fa 0/24
int fa 0/23
no shut
no switchport
ip add 126.m.0.1 255.255.0.0
do ping 126.m.0.1
do ping c1

show sessions

config t
ip cef
mpls ldp router-id lo0 force
mpls ip
int fa 1/0
mpls ip
mpls label protocol ldp
mpls mtu 1512

FIB: Forwarding Information Base
LFIB: Label Forwarding Information Base
LIB: Label Information Base

VRF CONFIGURATION:
config t
ip vrf clientBDOa
route-target 64999:1
rd 999:1

On Core Switch
Task 3: Voip Switching with RMON
CORE SWITCH
Configure the default management VLAN:
conf t
int vlan 1
ip add 192.168.M.1 255.255.255.0
no shut
do ping 192.168.M.1

DISTRO SWITCH
conf t
int vlan 1
ip add 192.168.M.2 255.255.255.0
no shut
do ping 192.168.M.2

DHCP SERVER on CORE!
conf t
ip dhcp excluded-address 192.168.M.1 192.168.M.50
ip dhcp pool DHCPVLAN1
network 192.168.M.0
default-router 192.168.M.1
option 150 ip 192.168.M.254

Step3:
config t
vlan 5
private-vlan primary
private-vlan association 501,502
exit
Step4:
config t
int fa0/3
swi mode private-vlan host
switchport private-vlan host-association 5 502
!IP phone will be Isolated
int fa0/1
swi mode private-vlan host
switchport private-vlan host-association 5 501
int fa 0/24
switchport
switchport mode private-vlan promiscuous
no switchport private-vlan mapping 2 201,202
switchport private-vlan mapping 5 501,502
end
What happened: the private VLAN isolated your network
from the corporate DHCP server (CoreM), so the CUCM router
must now serve as both the VoIP gateway and the DHCP server
for the private VLAN.
CUCM:
ip dhcp pool cucm
network 192.168.m.0 255.255.255.0
default-router 192.168.m.254
option 150 ip 192.168.m.254

-----------------------------------------------------------------------
DistM
enable secret pass
ip host d1
line vty 0 14
no login
exec-timeout 0 0
config t
int fa 0/23
no switchport
ip add 126.m.0.2 255.255.0.0
do ping 126.m.0.2

Create the hostname entry:
Dist:
config t
ip host d1 126.m.0.2
do telnet d1
exit
wr

TELCO SWITCHOVER:
WHAT ARE YOUR CHOICES:
1. FLOATING STATIC ROUTES
2. BACKUP INTERFACE
3. IP SLA
R1: will be the gateway router; R2: the PCs in the office.

R1:
CONFIG T
ip route 0.0.0.0 0.0.0.0 41.0.0.4 10
ip route 0.0.0.0 0.0.0.0 31.0.0.3 20

What is wrong with floating static routes:
they cannot guard against a telco that is down, only
against a modem that is down (off).

2nd choice: backup interface:

R1:
config t
int fa 1/0
no shut
backup interface fa 1/1
Bad: slow to back up, and for Ethernet ports:
backup interface is for backing up a serial interface,
not Ethernet, and NOBODY USES SERIAL ANYMORE:
BROADBAND.

3RD CHOICE: IP SLA: THE ONLY OPTION USED BY ALL
NETWORK ENGINEERS. You are not a real CCNP if you
can't do SLA.

5 Steps to Deploying IP SLA:

1. Create a PBR (policy-based routing) route-map
2. Tie NAT to the PBR
3. Create floating static routes with tracking
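The R1 IP SLA / track / floating-static / PBR / NAT configuration shown earlier and the three choices discussed above, worked through as an added example that is not part of the original notes: it parses the return codes from a `show ip sla statistics` capture and reports which next hop, exit interface and NAT route-map R1 ends up using. The sample output is constructed to mirror the capture above.

```python
import re

# R1's failover policy from the lab config, restated as data (example code, not IOS):
#   ip sla 1 probes 41.0.0.4 -> track 10 -> PBR seq 10 / static AD 11 / NAT map ISPR4 out fa1/0
#   ip sla 2 probes 31.0.0.3 -> track 20 -> PBR seq 20 / static AD 22 / NAT map ISPR3 out fa1/1
PATHS = [
    {"sla": 1, "track": 10, "next_hop": "41.0.0.4", "ad": 11,
     "egress": "FastEthernet1/0", "nat_map": "ISPR4"},
    {"sla": 2, "track": 20, "next_hop": "31.0.0.3", "ad": 22,
     "egress": "FastEthernet1/1", "nat_map": "ISPR3"},
]

# One 'show ip sla statistics' entry: its index header followed by its return code line.
ENTRY_RE = re.compile(r"for Index (\d+).*?return code: (\w+)", re.S)

def sla_states(show_output):
    """Parse 'show ip sla statistics' text into {index: True if the last probe returned OK}."""
    return {int(idx): rc == "OK" for idx, rc in ENTRY_RE.findall(show_output)}

def track_states(sla_up):
    """'track N rtr M reachability': the track is up only while SLA M is succeeding."""
    return {p["track"]: sla_up.get(p["sla"], False) for p in PATHS}

def egress_for(tracks):
    """Path R1 uses for traffic from 12.0.0.0/24, or None when both ISPs are unreachable.
    PBR seq 10 matches all traffic (ACL 110 permit ip any any); when its next hop fails
    verify-availability the packet is routed by the routing table, where the floating
    static via 31.0.0.3 (AD 22) stays installed as long as track 20 is up. Either way the
    first path whose track is up wins, and 'ip nat inside source route-map ... interface'
    selects the NAT map by the exit interface actually used."""
    for p in PATHS:
        if tracks[p["track"]]:
            return p
    return None

# Constructed sample output, shaped like the 'r1#sh ip sla statistics' capture above.
SAMPLE_BOTH_UP = """Round Trip Time (RTT) for Index 1
Latest RTT: 32 milliseconds
Latest operation return code: OK
Number of successes: 1514
Round Trip Time (RTT) for Index 2
Latest RTT: 40 milliseconds
Latest operation return code: OK
Number of successes: 1784
"""
# Same shape after ISP R4 stops answering: IOS reports 'Timeout' for index 1 (constructed).
SAMPLE_R4_DOWN = SAMPLE_BOTH_UP.replace("return code: OK\nNumber of successes: 1514",
                                        "return code: Timeout\nNumber of successes: 1514", 1)

def decide(show_output):
    """End to end: show output -> SLA state -> track state -> next hop, exit interface, NAT map."""
    path = egress_for(track_states(sla_states(show_output)))
    return None if path is None else (path["next_hop"], path["egress"], path["nat_map"])
```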

8% Multi Protocol Label Switching:

DIST:
config t
vtp domain rivan
vtp password pass
int range fa 0/21-22
swi trunk enc dot1Q
swi mode trunk
do sh vlan brief
no monitor session 1
monitor session 1 source int fa0/3 both
monitor session 1 destination remote vlan 69

Step 2 (apply the task-5 VACL to VLAN 5):
config t
vlan filter vacl1 vlan-list 5
do show vlan filter
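The task-5 VLAN access-map (step 1 above) and its `vlan filter` application (step 2), evaluated as an added example that is not part of the original notes: it applies the access-map's sequences to constructed packets the way the switch would and shows what VLAN 5 members can still do.

```python
# Model of the task-5 VACL as configured (example code, not IOS):
#   ip access-list extended VACL1-ACL: permit tcp/80, permit tcp/443, permit icmp
#   vlan access-map vacl1 10: match VACL1-ACL, action drop
#   vlan access-map vacl1 20: (no match clause), action forward
#   vlan filter vacl1 vlan-list 5
# Packets are constructed (protocol, destination port) pairs.
VACL1_ACL = [
    ("tcp", 80),
    ("tcp", 443),
    ("icmp", None),   # 'permit icmp any any' matches every ICMP packet
]

VACL1_MAP = [
    (10, VACL1_ACL, "drop"),
    (20, None, "forward"),   # a sequence with no match clause matches everything
]

def acl_permits(acl, proto, dst_port):
    """An extended ACL matches when any entry's protocol (and port, if given) matches."""
    return any(p == proto and (port is None or port == dst_port) for p, port in acl)

def vacl_action(vlan_map, proto, dst_port):
    """The first access-map sequence whose ACL matches decides the action."""
    for seq, acl, action in vlan_map:
        if acl is None or acl_permits(acl, proto, dst_port):
            return seq, action
    return None, "drop"   # implicit drop when no sequence matches

def vlan5_policy():
    """What a VLAN 5 member gets for each kind of traffic under this VACL."""
    return {
        "http":  vacl_action(VACL1_MAP, "tcp", 80)[1],
        "https": vacl_action(VACL1_MAP, "tcp", 443)[1],
        "ssh":   vacl_action(VACL1_MAP, "tcp", 22)[1],
        "ping":  vacl_action(VACL1_MAP, "icmp", None)[1],
    }
```

Running it shows that, as written, sequence 10 also drops ICMP because `permit icmp any any` is inside the ACL that feeds the drop action; to keep "you can only ping the switch" true, leave the ICMP line out of VACL1-ACL so ping falls through to sequence 20.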

c>telnet 10.5.0.1
c>ipconfig /release
c>ipconfig /renew
Dist:
Private VLAN configuration: used by small offices!
Step 1: go to transparent mode:
dist#config t
vtp mode transparent
Step 2: define the VLAN and sub-VLANs:
config t
vlan 5
vlan 501
name pvlan501
private-vlan community
vlan 502
name pvlan502
private-vlan isolated
exit