Ccna Lab Guide v3 - Preview


CCNA Routing & Switching v3 LAB Guide

CCNA RnS, CCNA Sec, CCNP RnS, CCNP Sec, CCIE Sec (written)

Ashish Halder (CCNA RnS, CCNP RnS, CCNA Sec, CCNP Sec, CCIE Sec-written)

Contents

1. Cisco CLI mode
2. Basic Configuration of Router and Switch
3. Configuring SSH Access to Cisco Device
4. Backup and restoring your configuration
5. VLAN, Access and Trunk Port Configuration
6. VTP Configuration
7. Etherchannel Configuration
8. VLAN, VTP, Etherchannel and Inter-VLAN Routing configuration
9. Inter-VLAN Routing Configuration on L3 Switch (SVI)
10. Configure Port Security
11. Configure portfast
12. Configure BPDU Guard on Cisco Switch
13. Configure Root Guard on Cisco Switch
14. Spanning tree behavior - mode, priority value, root bridge
15. Static route and Static default route configuration
16. Static default route configuration
17. RIPv2 Basic configuration
18. RIP Passive Interface
19. Configure RIP Authentication
20. EIGRP configuration (EIGRP Neighbor Adjacency)
21. EIGRP Passive Interface
22. EIGRP Authentication
23. EIGRP Hold time and Hello time
24. EIGRP Summarization
25. EIGRP Project LAB
26. OSPF Configuration
27. OSPF Virtual LAB
28. OSPF Authentication
29. OSPF summarization
30. PPP and HDLC
31. BGP Basic Configuration
32. BGP Single Homed Design
33. HSRP Configuration
34. Standard ACL
35. Extended ACL
36. Named ACL
37. Static NAT
38. Dynamic NAT
39. Static PAT
40. Dynamic PAT
41. Configure GRE Tunnel
42. AAA configuration
43. Syslog Server
44. SNMPv3 Configuration
45. Password Recovery

Final Project

PRIVATE USE ONLY

LAB 1: CISCO CLI MODE

Cisco routers have different configuration modes based on the model. There are mainly two EXEC modes:

EXEC Mode     Prompt     Typical Use
User          ccna>      Check the router status
Privileged    ccna#      Accessing the router

From Privileged Mode we enter Global Configuration Mode with the "config terminal" command.

A password is needed to access either User Exec or Privileged mode if we have set one. From Global
Configuration Mode (no password is needed here) we can configure interfaces, routing protocols,
access lists and many more.

Some of the specific configuration modes can be entered from Global Configuration Mode and other
from Privileged mode:

User Exec Mode ( ">" prompt) : It is used to get statistics from router, see which version IOS you're
running, check memory resources and a few more things.

Privileged Mode ( "#" prompt): Here you can enable or disable interfaces on the router, get more
detailed information on the router, for example, view the running configuration of the router, copy the
configuration, load a new configuration to the router, backup or delete the configuration, backup or
delete the IOS and a lot more.

Global Configuration Mode ("(config)#" prompt): It is accessible via Privileged Mode. In this mode we
can configure each interface individually, setup banners and passwords, enable secrets (encrypted
passwords), enable and configure routing protocols and a lot more. Every time we want to configure or
change something on the router, we will need to be in this mode.

Examples :

Router> ---- User Exec Mode
Router>enable ---- Enter Privileged Mode

Router# ---- Privileged Mode
Router#disable ---- Enter User Exec Mode

Router> ---- User Exec Mode
Router#config terminal ---- Enter Global Configuration Mode

Router(config)# ---- Global Configuration Mode
Router(config)#interface fastEthernet 0/0 ---- Enter Interface Configuration Mode

Router(config-if)# ---- Interface Configuration Mode
Router(config)#interface fastEthernet 0/0.10 ---- Enter Sub-Interface Configuration Mode

Router(config-subif)# ---- Sub-Interface Configuration Mode
Router(config)#line vty 0 4 ---- Enter Line Mode

Router(config-line)# ---- Line Mode

================================================================================

LAB 2: BASIC CONFIGURATION OF ROUTER AND SWITCH

Objective:

1. Configure the Switch as follows:

- hostname
- login banner
- enable password for accessing privilege mode
- assign console password to prevent unauthorized console login
- assign IP for vlan 1 (Management VLAN)
- configure virtual terminal for telnet session
- set default gateway for the switch

2. Configure the Router as follows:

- hostname
- login banner
- enable password for accessing privilege mode
- assign console password to prevent unauthorized console login
- configure virtual terminal for telnet session
- assign IP address on router interface

3. Assign IP for the PC

4. Save all configuration

5. Verification

Configuration of a switch:

1. First check the startup-config and running-config to see whether any configuration exists

When you type a command in the global configuration mode it is stored in the running configuration. The
running configuration resides in the device’s RAM, so if the device loses power, all configured commands
will be lost.

So you need to copy your current configuration into the startup configuration. The startup configuration
is stored in the NVRAM of the device, so all configurations are kept even if the device loses power.

There are two ways to save your configuration:

Switch#copy running-config startup-config

or

Switch# write memory

Check the startup-config and running-config

Switch#show startup-config
startup-config is not present
Switch#show running-config

2. Enter global configuration mode and configure Hostname as DU

Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname DU
DU(config)#

3. Assign password cisco123

The enable password restricts access to privilege mode, much like a root user's password. We can
set it in two ways: with the enable password command or the enable secret command.

The enable secret command protects the password automatically, storing it as an MD5 hash.

The enable password command does not encrypt the password, which can be viewed in clear text in the
running-config. To encrypt a password set with enable password, use the service password-encryption
command. The enable secret command provides stronger protection than the service
password-encryption command.

DU(config)#enable secret cisco123

4. Configure login banner

A login banner is displayed whenever someone connects to the router by telnet or console connections

DU(config)#banner motd "Unauthorized Users are highly Prohibited to login here"
DU(config)#

5. Console Password

We can protect console port of Cisco devices using console port password.

DU(config)#line console 0
DU(config-line)#password ashish123
DU(config-line)#login
DU(config-line)#exit
DU(config)#

6. Telnet configuration for remote access

Telnet is a user command and an underlying TCP/IP protocol for accessing remote devices.

The VTY lines are the Virtual Terminal lines of the router. They are virtual, in the sense that they are a
function of software - there is no hardware associated with them. They appear in the configuration as
line vty 0 4.

DU#conf t
Enter configuration commands, one per line. End with CNTL/Z.
DU(config)#line vty 0 4
DU(config-line)#password ashish@123#
DU(config-line)#login
DU(config-line)#exit
DU(config)#

7. Configure management VLAN for remote access to the switch

By default, all switch ports are part of VLAN 1. VLAN 1 contains control plane traffic and can contain
user traffic.

By default, VLAN 1 is the management VLAN. Management VLAN is used for purposes such as telnet,
SNMP, and syslog.

DU(config)#interface vlan 1
DU(config-if)#ip address 192.168.10.10 255.255.255.0
DU(config-if)#no shutdown
DU(config-if)#exit
DU(config)#

8. Configure default-gateway for the switch

The switch should be configured with a default gateway if the switch will be managed remotely from
networks not directly connected. The default gateway is the first Layer 3 device (such as a router) on
the same management VLAN network to which the switch connects. The switch will forward IP packets
with destination IP addresses outside the local network to the default gateway.

DU(config)#ip default-gateway 192.168.10.1

----------------------------------------------------------------------------------------------------------------------------

Configure The Router

1. First check the startup-config and running-config

Router#show startup-config
startup-config is not present
Router#show running-config

2. Configure Hostname as BUET

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname BUET
BUET(config)#

3. Assign enable secret password cisco123

BUET(config)#enable secret cisco123
BUET(config)#

4. Configure login banner

BUET(config)#banner motd "Do not try to access here"

5. Console password

BUET(config)#line console 0
BUET(config-line)#password ashish123
BUET(config-line)#login
BUET(config-line)#exit
BUET(config)#

6. Enter Virtual Terminal lines and give a password ashish@123#, to login remotely

BUET(config)#line vty 0 4
BUET(config-line)#password ashish@123#
BUET(config-line)#login
BUET(config-line)#exit
BUET(config)#

7. Configure IP Address on Router's Interface

Enter global configuration mode

BUET# config terminal

Enter configuration commands, one per line. End with CNTL/Z.

BUET(config)#

Enter FastEthernet 0/0 interface configuration mode :

BUET(config)#interface fastEthernet 0/0
BUET(config-if)#

Enter IP address and subnet mask:

BUET(config-if)#ip address 192.168.10.1 255.255.255.0

By default, all interfaces on a Cisco router are “Administratively Down”. To bring an interface up, issue
the no shutdown command.

BUET(config-if)#no shutdown
BUET(config-if)#exit
BUET(config)#

8. Save Configuration

BUET#write memory

Building configuration...
[OK]
BUET#

DU#write memory

Building configuration...
[OK]

You can also save the configuration using:

BUET#copy running-config startup-config

Be careful not to reverse the arguments of this command:

copy startup-config running-config

That copies the backup held in NVRAM over your current configuration, and the changes you have not
saved will be lost.

9. Assign IP to all hosts

11. Now ping to all devices from any PC

C:\>ping 192.168.10.2

Pinging 192.168.10.2 with 32 bytes of data:

Reply from 192.168.10.2: bytes=32 time=1ms TTL=128
Reply from 192.168.10.2: bytes=32 time<1ms TTL=128
Reply from 192.168.10.2: bytes=32 time<1ms TTL=128
Reply from 192.168.10.2: bytes=32 time<1ms TTL=128

C:\>ping 192.168.10.3

Pinging 192.168.10.3 with 32 bytes of data:

Reply from 192.168.10.3: bytes=32 time=1ms TTL=128
Reply from 192.168.10.3: bytes=32 time<1ms TTL=128
Reply from 192.168.10.3: bytes=32 time<1ms TTL=128
Reply from 192.168.10.3: bytes=32 time<1ms TTL=128

C:\>ping 192.168.10.1

Pinging 192.168.10.1 with 32 bytes of data:

Reply from 192.168.10.1: bytes=32 time=1ms TTL=255
Reply from 192.168.10.1: bytes=32 time<1ms TTL=255
Reply from 192.168.10.1: bytes=32 time<1ms TTL=255
Reply from 192.168.10.1: bytes=32 time=1ms TTL=255

14. Now logon to the router remotely

C:\>telnet 192.168.10.1

Trying 192.168.10.1 ...Open

Do not try to access here

User Access Verification

Password:
Password:
BUET>

16. Now logon to the switch remotely

C:\>telnet 192.168.10.10

Trying 192.168.10.10 ...Open

Unauthorized Users are highly Prohibited to login here

User Access Verification

Password:
DU>

N.B. If the switch is L3, you can assign an IP address to its interfaces as follows:

DU(config)#interface fastEthernet 0/2
DU(config-if)#no switchport
DU(config-if)#ip address 192.168.10.10 255.255.255.0
DU(config-if)#no shutdown

To enable routing capabilities, also enter:

DU(config)#ip routing

===============================================================================

LAB 3: CONFIGURING SSH ON CISCO SWITCH AND ROUTER

Telnet was designed to work within a private network and not across a public network where
threats can appear. Because of this, all the data is transmitted in plain text, including
passwords. This is a major security issue, and the developers of SSH used encryption to make
it harder for other people to sniff the password and other relevant information.

Secure Shell (SSH) is a protocol which provides a secure remote access connection to network
devices. Communication between the client and server is encrypted in SSH. To do this, it uses
an RSA public/private keypair.

There are two versions: version 1 and version 2. Version 2 is more secure and commonly used.

Enable SSH on Cisco Switch

Step 1: Configure Management IP

Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface vlan 1
Switch(config-if)#ip address 192.168.10.10 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit

Step 2: Configure the default gateway, pointing to the router

Switch(config)#ip default-gateway 192.168.10.1

Step 3: Configure hostname and domain name

The name of the RSA keypair will be the hostname and domain name of the router.

Switch(config)#hostname ASHISH-SW
ASHISH-SW(config)#ip domain-name ashish.com

Step 4: Generate the RSA Keys

ASHISH-SW(config)#crypto key generate rsa
The name for the keys will be: ASHISH-SW.ashish.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]
ASHISH-SW(config)#

Key sizes of 1024 or smaller should be avoided. Larger key sizes take longer to generate
but provide more security.

Step 5: SSH version 1 is the default version, so change it to version 2

ASHISH-SW(config)#ip ssh version 2

Step 6: Set up the line VTY configuration

ASHISH-SW(config)#line vty 0 4
ASHISH-SW(config-line)#transport input ssh
ASHISH-SW(config-line)#login local

Step 7: Create the username and password

ASHISH-SW(config)#username ashish privilege 15 password cisco123

Step 8: Create enable password

ASHISH-SW(config)#enable secret cisco123

Step 9: Create console password

ASHISH-SW(config)#line console 0
ASHISH-SW(config-line)#logging synchronous
ASHISH-SW(config-line)#login local

Step 10: Verify SSH

C:\>ssh -l ashish 192.168.10.10 Open
Password:
ASHISH-SW#conf t
ASHISH-SW(config)#

Enable SSH on Router (same as before)

Router>en
Router#conf t
Router(config)#hostname Venus
Venus(config)#interface fastEthernet 0/0
Venus(config-if)#ip address 192.168.10.1 255.255.255.0
Venus(config-if)#no shutdown
Venus(config-if)#exit
Venus(config)#ip domain-name cisco.com
Venus(config)#username ashish privilege 15 password cisco123
Venus(config)#crypto key generate rsa

The name for the keys will be: Venus.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]
Venus(config)#
*Mar 1 0:34:31.790: %SSH-5-ENABLED: SSH 1.99 has been enabled
Venus(config)#ip ssh version 2
Venus(config)#enable secret cisco
Venus(config)#line console 0
Venus(config-line)#logging synchronous
Venus(config-line)#login local
Venus(config-line)#exit
Venus(config)#line vty 0 4
Venus(config-line)#transport input ssh
Venus(config-line)#login local

Venus#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Venus#

C:\>ssh -l ashish 192.168.10.1 Open
Password:
Venus#conf t
Venus(config)#

Key Note:
----------------------------------------------------------------------------
"logging synchronous" prevents logging output from immediately interrupting your console
session.
For example, when you telnet to your router or switch, you will otherwise see a lot of log messages
before you have logged in with username and password.
----------------------------------------------------------------------------
RSA is an algorithm used by modern computers to encrypt and decrypt messages. It is an asymmetric
cryptographic algorithm. Asymmetric means that there are two different keys. This is also called public
key cryptography, because one of them can be given to everyone.
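
The remote-access settings from LAB 2 and LAB 3 can be checked on a saved configuration. The Python below is an added example, not part of the original guide: it audits two constructed running-config excerpts for Telnet-capable VTY lines, cleartext line passwords, and password (rather than secret) credentials. The finding names and sample configs are hypothetical, and a VTY without a transport input line is assumed to accept Telnet, as in LAB 2.

```python
import re

# Constructed samples (not captured from a device): the remote-access lines
# LAB 2 (Telnet) and LAB 3 (SSH) leave behind. The type 5 hash is a placeholder.
LAB2_CONFIG = """\
hostname DU
enable secret 5 $1$PLACEHOLDER$HASH
line con 0
 password ashish123
 login
line vty 0 4
 password ashish@123#
 login
"""

LAB3_CONFIG = """\
hostname ASHISH-SW
ip domain-name ashish.com
username ashish privilege 15 password 0 cisco123
enable secret 5 $1$PLACEHOLDER$HASH
ip ssh version 2
line con 0
 logging synchronous
 login local
line vty 0 4
 login local
 transport input ssh
"""


def parse_sections(text):
    """Group an IOS config into (header, [indented child lines]) pairs."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] == " " and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit(text):
    """Return sorted finding IDs for the remote-access settings in a config."""
    findings = set()
    sections = parse_sections(text)
    headers = [header for header, _ in sections]
    for header, children in sections:
        # 'password' keeps the value as cleartext (type 0) or reversible
        # type 7; 'secret' stores a one-way hash instead.
        if re.match(r"enable password\b", header):
            findings.add("ENABLE_PASSWORD_NOT_SECRET")
        if re.match(r"username \S+ (?:.* )?password\b", header):
            findings.add("USERNAME_PASSWORD_NOT_SECRET")
        if not header.startswith("line "):
            continue
        for child in children:
            m = re.match(r"password (?:(\d) )?\S+", child)
            if m and m.group(1) in (None, "0"):
                findings.add("LINE_PASSWORD_CLEARTEXT")
        if header.startswith("line vty"):
            inputs = [c.split()[2:] for c in children
                      if c.startswith("transport input")]
            # Assumption: a VTY with no 'transport input' line accepts
            # Telnet, which is what the Telnet login in LAB 2 relies on.
            allowed = inputs[-1] if inputs else ["telnet"]
            if allowed != ["ssh"]:
                findings.add("VTY_ALLOWS_TELNET")
            elif "ip ssh version 2" not in headers:
                findings.add("SSH_V2_NOT_ENFORCED")
            if "login local" not in children:
                findings.add("VTY_SHARED_PASSWORD")
    return sorted(findings)


if __name__ == "__main__":
    for name, config in (("LAB 2", LAB2_CONFIG), ("LAB 3", LAB3_CONFIG)):
        print(name, audit(config))
```

The LAB 3 excerpt still yields one finding because the local user is created with password; creating it with secret clears the report.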
============================================================================

LAB 41: CONFIGURE GRE TUNNEL

Generic Routing Encapsulation (GRE), developed by Cisco, is a simple IP packet
encapsulation protocol. GRE encapsulates the original IP packet with a new IP header and
an additional GRE header. A GRE tunnel creates a point-to-point link between two
routers that are otherwise not directly connected to each other.

When packets need to be sent from one network to another over the Internet or an
insecure network, we can use a GRE tunnel. A virtual tunnel is created between the two Cisco
routers and packets are sent through the tunnel.

GRE tunnels allow multicast packets, but IPSec VPN does not support multicast packets. In
large networks where routing protocols such as OSPF and EIGRP are necessary, GRE tunnels
are the best to utilize.

Configuring GRE Tunnel:

Configuring a GRE tunnel involves creating a tunnel interface, which is a logical interface.
Then you must configure the tunnel endpoints for the tunnel interface.

Configuring Router Interface:

R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.20.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface fastEthernet 0/1
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#

R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 192.168.20.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface fastEthernet 0/1
R2(config-if)#ip address 192.168.30.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit

Creating a Cisco GRE Tunnel

A GRE tunnel uses a tunnel interface, a logical interface configured on the router with an IP
address, where packets are encapsulated and decapsulated as they enter or exit the GRE
tunnel.

First step is to create our tunnel interface on R1:

R1(config)# interface Tunnel0
R1(config-if)# ip address 172.16.10.1 255.255.255.0
R1(config-if)# ip mtu 1400
R1(config-if)# ip tcp adjust-mss 1360
R1(config-if)# tunnel source 192.168.20.1
R1(config-if)# tunnel destination 192.168.20.2

R2(config)# interface Tunnel0
R2(config-if)# ip address 172.16.10.2 255.255.255.0
R2(config-if)# ip mtu 1400
R2(config-if)# ip tcp adjust-mss 1360
R2(config-if)# tunnel source 192.168.20.2
R2(config-if)# tunnel destination 192.168.20.1

All Tunnel interfaces must be configured with an IP address. Both Tunnel interfaces are
configured with IP addresses within the same subnet (172.16.10.0/24).

Since GRE is an encapsulating protocol, we adjust the maximum transmission unit (MTU) to 1400
bytes and the maximum segment size (MSS) to 1360 bytes. Because most transport MTUs are 1500
bytes and GRE adds overhead, we must reduce the MTU to account
for the extra overhead. A setting of 1400 is common practice and keeps unnecessary
packet fragmentation to a minimum.
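
The encapsulation and the MTU/MSS figures above can be reproduced byte for byte. The Python below is an added example, not part of the original guide: it wraps an inner IPv4 packet in a new IP header (protocol 47) plus the basic 4-byte GRE header between the lab's tunnel endpoints, strips it again, and derives the overhead and MSS. The inner host 192.168.10.2, the payload and the use of protocol 253 are constructed assumptions.

```python
import socket
import struct

GRE_PROTO = 47            # IP protocol number of GRE in the outer header
ETHERTYPE_IPV4 = 0x0800   # GRE protocol-type field for an IPv4 payload
IP_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def ip_checksum(header):
    """One's-complement sum of 16-bit words, as used by the IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal IPv4 header and fill in its checksum."""
    fields = [0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ip_checksum(struct.pack(IP_FMT, *fields))
    return struct.pack(IP_FMT, *fields)


def gre_encapsulate(inner, tunnel_src, tunnel_dst):
    """New outer IP header + 4-byte GRE header + the unmodified inner packet."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # no optional fields, version 0
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner))
    return outer + gre + inner


def gre_decapsulate(packet):
    """What the far tunnel endpoint does: validate and strip both headers."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO or ip_checksum(packet[:ihl]) != 0:
        raise ValueError("not a valid GRE-in-IPv4 packet")
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags != 0 or proto != ETHERTYPE_IPV4:
        raise ValueError("only the basic GRE header carrying IPv4 is handled")
    return packet[ihl + 4:]


def gre_overhead():
    """Bytes GRE adds per packet, measured on an actual encapsulation."""
    inner = ipv4_header("192.168.10.2", "192.168.30.2", 253, 0)
    return len(gre_encapsulate(inner, "192.168.20.1", "192.168.20.2")) - len(inner)


def largest_inner_packet(transport_mtu):
    """Largest inner IP packet that crosses the tunnel unfragmented."""
    return transport_mtu - gre_overhead()


def tcp_mss(ip_mtu):
    """MSS for a given IP MTU: minus 20 bytes IPv4 and 20 bytes TCP header."""
    return ip_mtu - 20 - 20


# Constructed inner packet: 192.168.10.2 is an assumed host behind R1, and
# protocol 253 (reserved for experimentation) stands in for real traffic.
DATA = b"constructed payload"
INNER = ipv4_header("192.168.10.2", "192.168.30.2", 253, len(DATA)) + DATA
TUNNELLED = gre_encapsulate(INNER, "192.168.20.1", "192.168.20.2")

if __name__ == "__main__":
    print("GRE overhead:", gre_overhead(), "bytes")
    print("max inner packet on a 1500-byte path:", largest_inner_packet(1500))
    print("ip mtu 1400 fits:", 1400 <= largest_inner_packet(1500))
    print("ip tcp adjust-mss for ip mtu 1400:", tcp_mss(1400))
    print("payload readable in transit:", DATA in TUNNELLED)
```

The last check shows that the inner packet travels unmodified inside the tunnel: GRE encapsulates but does not encrypt.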

Now we will configure static routes so that the two hosts can reach each other:

Here the next hop will be the tunnel interface IP

R1(config)# ip route 192.168.30.0 255.255.255.0 172.16.10.2

R2(config)# ip route 192.168.10.0 255.255.255.0 172.16.10.1

N.B. We can also write the tunnel source as an interface, like:

R1(config-if)# tunnel source fastEthernet 0/0

R1#show interfaces tunnel 0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 172.16.10.1/24
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 192.168.20.1, destination 192.168.20.2
  Tunnel protocol/transport GRE/IP

PC1#ping 192.168.30.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/34/44 ms

ASHISH HALDER

skype: ashish.halder312
