CCNA Routing & Switching v3 LAB Guide 
1 
 
Ashish Halder (CCNA RnS, CCNP RnS, CCNA Sec, CCNP Sec, CCIE Sec-written), All rights are reserved 
 
 
 
 
 
 
 
Contents 
 
1. Cisco CLI mode
2. Basic Configuration of Router and Switch
3. Configuring SSH Access to Cisco Device
4. Backup and restoring your configuration
5. VLAN, Access and Trunk Port Configuration
6. VTP Configuration
7. Etherchannel Configuration
8. VLAN, VTP, Etherchannel and Inter-VLAN Routing configuration
9. Inter-VLAN Routing Configuration on L3 Switch (SVI)
10. Configure Port Security
11. Configure portfast
12. Configure BPDU Guard on Cisco Switch
13. Configure Root Guard on Cisco Switch
14. Spanning tree behavior - mode, priority value, root bridge
15. Static route and Static default route configuration
16. Static default route configuration
17. RIPv2 Basic configuration
18. RIP Passive Interface
19. Configure RIP Authentication
20. EIGRP configuration (EIGRP Neighbor Adjacency)
21. EIGRP Passive Interface
22. EIGRP Authentication
23. EIGRP Hold time and Hello time
24. EIGRP Summarization
25. EIGRP Project LAB
26. OSPF Configuration
27. OSPF Virtual LAB
28. OSPF Authentication
29. OSPF summarization
30. PPP and HDLC
31. BGP Basic Configuration
32. BGP Single Homed Design
33. HSRP Configuration
34. Standard ACL
35. Extended ACL
36. Named ACL
37. Static NAT
38. Dynamic NAT
39. Static PAT
40. Dynamic PAT
41. Configure GRE Tunnel
42. AAA configuration
43. Syslog Server
44. SNMPv3 Configuration
45. Password Recovery
46. Final Project
47. Configure IPv6
48. Configure IPv6 Static Route
49. Configure RIPNG on Cisco Router
50. Dual-Stack Example
 
 
 
LAB 1: CISCO CLI MODE 
Cisco routers have different configuration modes, depending on the model. There are two main EXEC modes:

EXEC Mode     Prompt    Typical Use
User          ccna>     Check the router status
Privileged    ccna#     Accessing the router

From Privileged mode we enter Global Configuration mode with the "config terminal" command.

A password is needed to access either User Exec or Privileged mode if one has been set. From Global
Configuration Mode (a password is not needed here) we can configure interfaces, routing protocols,
access lists and much more.

Some of the specific configuration modes are entered from Global Configuration Mode and others
from Privileged mode:

User Exec Mode (">" prompt): It is used to get statistics from the router, see which IOS version you're
running, check memory resources and a few more things.

Privileged Mode ("#" prompt): Here you can enable or disable interfaces on the router and get more
detailed information on the router. For example, you can view the running configuration of the router, copy the
configuration, load a new configuration to the router, back up or delete the configuration, back up or
delete the IOS and a lot more.

Global Configuration Mode ("(config)#" prompt): It is accessible via Privileged Mode. In this mode we
can configure each interface individually, set up banners and passwords, enable secrets (encrypted
passwords), enable and configure routing protocols and a lot more. Every time we want to configure or
change something on the router, we need to be in this mode.
 
Examples:

Router>                                        ---- User Exec Mode

Router>enable                                  ---- Enter Privileged Mode
Router#                                        ---- Privileged Mode

Router#disable                                 ---- Enter User Exec Mode
Router>                                        ---- User Exec Mode

Router#config terminal                         ---- Enter Global Configuration Mode
Router(config)#                                ---- Global Configuration Mode

Router(config)#interface fastEthernet 0/0      ---- Enter Interface Configuration Mode
Router(config-if)#                             ---- Interface Configuration Mode

Router(config)#interface fastEthernet 0/0.10   ---- Enter Sub-Interface Configuration Mode
Router(config-subif)#                          ---- Sub-Interface Configuration Mode

Router(config)#line vty 0 4                    ---- Enter Line Mode
Router(config-line)#                           ---- Line Mode
 
================================================================================ 
 
LAB 2. BASIC CONFIGURATION OF ROUTER AND SWITCH


Objective:
1. Configure the switch as follows:
- hostname
- login banner
- enable password for accessing privileged mode
- assign a console password to prevent unauthorized console login
- assign an IP address to VLAN 1 (management VLAN)
- configure virtual terminal lines for Telnet sessions
- set the default gateway for the switch
2. Configure the router as follows:
- hostname
- login banner
- enable password for accessing privileged mode
- assign a console password to prevent unauthorized console login
- configure virtual terminal lines for Telnet sessions
- assign an IP address to the router interface
3. Assign IP addresses to the PCs
4. Save all configuration
5. Verification
 
Configuration of a switch: 
 
1. First check the startup-config and running-config to see whether any configuration already exists
When you type a command in global configuration mode it is stored in the running configuration. The
running configuration resides in the device's RAM, so if the device loses power, all configured commands
will be lost.
So you need to copy your current configuration into the startup configuration. The startup configuration is
stored in the NVRAM of the device, so the configuration is kept even if the device loses power.
There are two ways to save your configuration:
Switch#copy running-config startup-config 
or 
Switch# write memory 
Check the startup-config and running-config 
Switch#show startup-config 
startup-config is not present 
Switch#show running-config 
 
2. Enter global configuration mode and configure Hostname as DU 
Switch#conf t 
Enter configuration commands, one per line. End with CNTL/Z. 
Switch(config)#hostname DU 
DU(config)# 
 
3. Assign password cisco123 
 
The enable password restricts access to privileged mode, which is like a root user's password. We can
set it in two ways: with the enable password command or the enable secret command.
The enable secret password command encrypts the password automatically using the MD5 hash algorithm.

The enable password password command does not encrypt the password, which can be viewed in clear text in the
running-config. To encrypt the enable password password, use the service password-encryption
command. The enable secret password command provides stronger encryption
than the service password-encryption command.
 
DU(config)#enable secret cisco123 
 
4. Configure login banner 
A login banner is displayed whenever someone connects to the router by telnet or console connection.
DU(config)#banner motd "Unauthorized Users are highly Prohibited to login here"
DU(config)# 
5. Console Password 
We can protect console port of Cisco devices using console port password. 
DU(config)#line console 0 
DU(config-line)#password ashish123 
DU(config-line)#login 
DU(config-line)#exit 
DU(config)# 
6. Telnet configuration for remote access 
Telnet is a user command and an underlying TCP/IP protocol for accessing remote devices. 
 
The VTY lines are the Virtual Terminal lines of the router. They are virtual, in the sense that they are a 
function of software - there is no hardware associated with them. They appear in the configuration as 
line vty 0 4. 
 
DU#conf t 
Enter configuration commands, one per line. End with CNTL/Z. 
DU(config)#line vty 0 4 
DU(config-line)#password ashish@123# 
DU(config-line)#login 
DU(config-line)#exit 
DU(config)# 
7. Configure the management VLAN for remote access to the switch

By default, all switch ports are part of VLAN 1. VLAN 1 contains control plane traffic and can contain 
user traffic. 
By default, VLAN 1 is the management VLAN. Management VLAN is used for purposes such as telnet, 
SNMP, and syslog. 
 
DU(config)#interface vlan 1 
DU(config-if)#ip address 192.168.10.10 255.255.255.0 
DU(config-if)#no shutdown 
DU(config-if)#exit 
DU(config)# 
 
8. Configure default-gateway for the switch 
 
The switch should be configured with a default gateway if the switch will be managed remotely from 
networks not directly connected. The default gateway is the first Layer 3 device (such as a router) on 
the same management VLAN network to which the switch connects. The switch will forward IP packets 
with destination IP addresses outside the local network to the default gateway. 
 
DU(config)#ip default-gateway 192.168.10.1 
---------------------------------------------------------------------------------------------------------------------------- 
Configure The Router 
 
1. First check the startup-config and running-config 
Router#show startup-config
startup-config is not present
Router#show running-config
2. Configure Hostname as BUET
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname BUET
BUET(config)# 
3. Assign enable secret password cisco123 
BUET(config)#enable secret cisco123 
BUET(config)# 
4. Configure login banner 
BUET(config)#banner motd "Do not try to access here" 
 
5. Console password 
BUET(config)#line console 0 
BUET(config-line)#password ashish123 
BUET(config-line)#login 
BUET(config-line)#exit 
BUET(config)# 
6. Enter Virtual Terminal lines and give a password ashish@123#, to login remotely 
BUET(config)#line vty 0 4 
BUET(config-line)#password ashish@123# 
BUET(config-line)#login 
BUET(config-line)#exit 
BUET(config)# 
7. Configure an IP address on the router's interface
 
Enter global configuration mode 
BUET# config terminal 
Enter configuration commands, one per line. End with CNTL/Z. 
BUET(config)# 
Enter FastEthernet 0/0 interface configuration mode : 
BUET(config)#interface fastEthernet 0/0 
BUET(config-if)# 
 
Enter IP address and subnet mask: 
 
BUET(config-if)#ip address 192.168.10.1 255.255.255.0 
 
By default, all interfaces on a Cisco router are “Administratively Down”. To bring an interface up, issue 
the no shutdown command. 
 
BUET(config-if)#no shutdown 
BUET(config-if)#exit 
BUET(config)# 
8. Save Configuration 
BUET#write memory 
 
Building configuration... 
[OK] 
BUET# 
DU#write memory 
 
Building configuration... 
[OK] 
 
You can also save the configuration using:
BUET#copy running-config startup-config
But be sure of the argument order. It must not be reversed, as in:
copy startup-config running-config
or all your configuration will be lost or restored from the backup in NVRAM.
 
9. Assign IP to all hosts 
 
 
 
 
 
 
11. Now ping to all devices from any PC 
C:\>ping 192.168.10.2 
 
Pinging 192.168.10.2 with 32 bytes of data: 
 
Reply from 192.168.10.2: bytes=32 time=1ms TTL=128 
Reply from 192.168.10.2: bytes=32 time<1ms TTL=128 
Reply from 192.168.10.2: bytes=32 time<1ms TTL=128 
Reply from 192.168.10.2: bytes=32 time<1ms TTL=128 
 
 
C:\>ping 192.168.10.3 
 
Pinging 192.168.10.3 with 32 bytes of data: 
 
Reply from 192.168.10.3: bytes=32 time=1ms TTL=128 
Reply from 192.168.10.3: bytes=32 time<1ms TTL=128 
Reply from 192.168.10.3: bytes=32 time<1ms TTL=128 
Reply from 192.168.10.3: bytes=32 time<1ms TTL=128 
 
 
C:\>ping 192.168.10.1 
 
Pinging 192.168.10.1 with 32 bytes of data: 
 
Reply from 192.168.10.1: bytes=32 time=1ms TTL=255 
Reply from 192.168.10.1: bytes=32 time<1ms TTL=255 
Reply from 192.168.10.1: bytes=32 time<1ms TTL=255 
Reply from 192.168.10.1: bytes=32 time=1ms TTL=255 
 
14. Now logon to the router remotely 
C:\>telnet 192.168.10.1 
 
Trying 192.168.10.1 ...Open 
 
Do not try to access here 
 
User Access Verification 
 
 
Password: 
Password: 
BUET> 
16. Now logon to the switch remotely 
C:\>telnet 192.168.10.10 
 
Trying 192.168.10.10 ...Open 
 
Unauthorized Users are highly Prohibited to login here 
 
User Access Verification 
 
Password: 
DU> 
N.B. If the switch is an L3 switch, you can assign an IP address to its interfaces as follows:

DU(config)#interface fastEthernet 0/2
DU(config-if)# no switchport
DU(config-if)# ip address 192.168.10.10 255.255.255.0
DU(config-if)# no shutdown
To enable routing on the switch, also use:
DU(config)# ip routing
=============================================================================== 
LAB 3: CONFIGURING SSH ON CISCO SWITCH AND ROUTER 
 
Telnet was designed to work within a private network and not across a public network where
threats can appear. Because of this, all the data is transmitted in plain text, including
passwords. This is a major security issue, and the developers of SSH used encryption to make
it harder for other people to sniff the password and other relevant information.

Secure Shell (SSH) is a protocol which provides a secure remote access connection to network
devices. Communication between the client and server is encrypted in SSH. To do this, it uses
an RSA public/private keypair.

There are two versions: version 1 and version 2. Version 2 is more secure and commonly used.
 
 
 
 
Enable SSH on Cisco Switch 
 
Step 1: Configure Management IP 
 
Switch#conf t 
Enter configuration commands, one per line. End with CNTL/Z. 
Switch(config)#interface vlan 1 
Switch(config-if)#ip address 192.168.10.10 255.255.255.0 
Switch(config-if)#no shutdown 
 
Step 2: Configure the default gateway to point to the router
 
Switch(config)#ip default-gateway 192.168.10.1 
 
Step 3: Configure hostname and domain name 
 
The name of the RSA keypair will be the hostname and domain name of the router. 
 
Switch(config)#hostname ASHISH-SW 
ASHISH-SW(config)#ip domain-name ashish.com 
 
Step 4: Generate the RSA Keys
 
ASHISH-SW(config)#crypto key generate rsa 
The name for the keys will be: ASHISH-SW.ashish.com 
Choose the size of the key modulus in the range of 360 to 2048 for your 
General Purpose Keys. Choosing a key modulus greater than 512 may take 
a few minutes. 
How many bits in the modulus [512]: 2048 
 
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK] 
ASHISH-SW(config)# 
 
Key sizes of 1024 or smaller should be avoided. Larger key sizes take longer to calculate
but provide more security.
 
Step 5: SSH version 1 is the default version. So change it to version 2 
 
ASHISH-SW(config)#ip ssh version 2 
 
Step 6: Set up the line VTY configuration
 
ASHISH-SW(config)#line vty 0 4 
ASHISH-SW(config-line)#transport input ssh 
ASHISH-SW(config-line)#login local 
Step 7: Create the username password 
ASHISH-SW(config)#username ashish privilege 15 password cisco123 
 
Step 8: Create enable password 
 
ASHISH-SW(config)#enable secret cisco123 
 
Step 9: create console password 
 
ASHISH-SW(config)#line console 0 
ASHISH-SW(config-line)#logging synchronous 
ASHISH-SW(config-line)#login local 
 
Step 10: Verify SSH 
C:\>ssh -l ashish 192.168.10.10 Open 
Password: 
ASHISH-SW#conf t 
ASHISH-SW(config)# 
 
 
 
Enable SSH on Router (same as before) 
 
 
Router>en 
Router#conf t 
Router(config)#hostname Venus 
Venus(config)#interface fastEthernet 0/0 
Venus(config-if)#ip address 192.168.10.1 255.255.255.0 
Venus(config-if)#no shutdown 
Venus(config-if)#exit 
Venus(config)#ip domain-name cisco.com 
Venus(config)#username ashish privilege 15 password cisco123 
Venus(config)#crypto key generate rsa 
 
The name for the keys will be: Venus.cisco.com 
Choose the size of the key modulus in the range of 360 to 2048 for your 
General Purpose Keys. Choosing a key modulus greater than 512 may take 
a few minutes. 
How many bits in the modulus [512]: 2048 
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK] 
Venus(config)# 
*Mar 1 0:34:31.790: %SSH-5-ENABLED: SSH 1.99 has been enabled 
Venus(config)#ip ssh version 2 
Venus(config)#enable secret cisco 
Venus(config)#line console 0 
Venus(config-line)#logging synchronous 
Venus(config-line)#login local 
Venus(config-line)#exit 
Venus(config)#line vty 0 4 
Venus(config-line)#transport input ssh 
Venus(config-line)#login local 
 
Venus#show ip ssh 
SSH Enabled - version 2.0 
Authentication timeout: 120 secs; Authentication retries: 3 
Venus# 
 
C:\>ssh -l ashish 192.168.10.1 Open 
Password: 
Venus#conf t 
Venus(config)# 
 
 
Key Note:
----------------------------------------------------------------------------
"logging synchronous" prevents logging output from immediately interrupting your console
session.
For example, when you telnet to your router or switch you will see a lot of log messages before
you log in with your username and password.
---------------------------------------------------------------------------------------------------------------------------------
RSA is an algorithm used by modern computers to encrypt and decrypt messages. It is an asymmetric
cryptographic algorithm. Asymmetric means that there are two different keys. This is also called public
key cryptography, because one of them can be given to everyone.
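
Labs 2 and 3 differ in how credentials are stored and in which protocols the vty lines accept. The script below is an added example, not part of the original lab guide: it audits IOS configuration text for those differences. The sample configs are constructed from the commands typed in the labs, the hash strings are placeholders, and the rule names are hypothetical.

```python
import re

# Constructed running-config excerpts built from the commands typed in Lab 2
# (router BUET) and Lab 3 (router Venus). Hash strings are placeholders.
LAB2_BUET = """\
hostname BUET
enable secret 5 $1$PLACEHOLDER
line con 0
 password ashish123
 login
line vty 0 4
 password ashish@123#
 login
"""

LAB3_VENUS = """\
hostname Venus
enable secret 5 $1$PLACEHOLDER
username ashish privilege 15 password 0 cisco123
ip domain-name cisco.com
ip ssh version 2
line con 0
 logging synchronous
 login local
line vty 0 4
 login local
 transport input ssh
"""

# Venus with the local account stored as a hashed secret instead of a password.
LAB3_HARDENED = LAB3_VENUS.replace("password 0 cisco123", "secret 5 $1$PLACEHOLDER")

# Hypothetical rule names with the remediation each one points to.
ADVICE = {
    "enable-password": "'enable password' is readable in the config; use 'enable secret'",
    "no-enable-secret": "privileged mode has no hashed 'enable secret'",
    "user-password": "local user stored with 'password'; use 'username ... secret'",
    "ssh-v2-not-enforced": "'ip ssh version 2' is missing, so SSH version 1 may be accepted",
    "shared-line-password": "'login' checks one shared line password; use 'login local'",
    "vty-telnet": "vty line accepts Telnet; use 'transport input ssh'",
    "no-password-encryption": "clear-text passwords in the config; prefer secrets, "
                              "or at least enable 'service password-encryption'",
}

def parse_sections(config):
    """Return (global_lines, {"line ...": [sub-commands]}) for an IOS config."""
    global_lines, line_blocks, current = [], {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text.startswith("!"):
            continue
        if raw[0].isspace():               # indented: belongs to the open block
            if current is not None:
                line_blocks[current].append(text)
        elif text.startswith("line "):     # line con 0 / line vty 0 4
            current = text
            line_blocks[current] = []
        else:                              # any other top-level command
            current = None
            global_lines.append(text)
    return global_lines, line_blocks

def audit(config):
    """Return a list of (rule, location) findings for one configuration."""
    glob, blocks = parse_sections(config)
    findings, weak = [], False
    if any(cmd.startswith("enable password") for cmd in glob):
        findings.append(("enable-password", "global"))
        weak = True
    if not any(cmd.startswith("enable secret") for cmd in glob):
        findings.append(("no-enable-secret", "global"))
    for cmd in glob:
        m = re.match(r"username (\S+) .*\bpassword\b", cmd)
        if m:
            findings.append(("user-password", m.group(1)))
            weak = True
    if "ip ssh version 2" not in glob:
        findings.append(("ssh-v2-not-enforced", "global"))
    for name, body in blocks.items():
        weak = weak or any(cmd.startswith("password ") for cmd in body)
        if "login" in body:                # bare 'login', not 'login local'
            findings.append(("shared-line-password", name))
        if name.startswith("line vty"):
            transport = [cmd.split()[2:] for cmd in body if cmd.startswith("transport input")]
            # Assumption: with no 'transport input' the vty accepts Telnet, as in Lab 2.
            if not transport or {"telnet", "all"} & set(transport[-1]):
                findings.append(("vty-telnet", name))
    if weak and "service password-encryption" not in glob:
        findings.append(("no-password-encryption", "global"))
    return findings

def rule_names(config):
    return {rule for rule, _ in audit(config)}

if __name__ == "__main__":
    for label, cfg in (("Lab 2 BUET", LAB2_BUET), ("Lab 3 Venus", LAB3_VENUS)):
        for rule, where in audit(cfg):
            print(f"{label}: {where}: {ADVICE[rule]}")
```

The Lab 3 configuration still produces findings because the local account is created with the password keyword; the hardened variant, which stores it as a secret, produces none.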
============================================================================ 
 
LAB 4: BACKUP AND RESTORING CONFIGURATION 
 
 
Configure a TFTP server. (In your physical lab you can download a TFTP server to your PC and then
configure it. The rest of the configuration is the same.)

 
 
Verify configuration file is saved in NVRAM 
Denver#show startup-config 
DU#show startup-config 
Now back up the configuration file to the TFTP server (from the switch)
Denver#copy startup-config tftp 
 
Address or name of remote host []? 192.168.10.4 (TFTP Server IP) 
Destination filename [Denver-confg]? (Press Enter to save it as default name) 
 
Writing startup-config...!! 
[OK - 653 bytes] 
 
653 bytes copied in 0.012 secs (54416 bytes/sec) 
Denver# 
Now back up the configuration file to the TFTP server (from the router)
DU#copy startup-config tftp: 
 
Address or name of remote host []? 192.168.10.4 
Destination filename [DU-confg]? 
 
Writing startup-config...!! 
[OK - 1178 bytes] 
 
1178 bytes copied in 0.032 secs (36812 bytes/sec) 
DU# 
Erase startup-configuration file and reboot or reload the router and switch 
DU#erase startup-config 
 
 
Erasing the nvram filesystem will remove all configuration files! Continue? 
[confirm] 
[OK] 
Erase of nvram: complete 
%SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram 
DU# 
DU#reload 
 
Proceed with reload? [confirm] 
Denver#erase startup-config 
 
Erasing the nvram filesystem will remove all configuration files! Continue? 
[confirm] 
[OK] 
Erase of nvram: complete 
%SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram 
Denver#
Denver#reload
Proceed with reload? [confirm] 
Configure IP addresses on the router and switch
Router#conf t 
Enter configuration commands, one per line. End with CNTL/Z. 
Router(config)#interface fastEthernet 0/0 
Router(config-if)#ip address 192.168.10.1 255.255.255.0 
Router(config-if)#no shutdown 
Router(config-if)#exit 
Switch#conf t 
Enter configuration commands, one per line. End with CNTL/Z. 
Switch(config)#interface vlan 1 
Switch(config-if)#ip address 192.168.10.10 255.255.255.0 
Switch(config-if)#no shutdown 
Switch(config-if)#exit 
Switch(config)#ip default-gateway 192.168.10.1 
 
Now restore configuration from tftp server to switch and router 
Switch#copy tftp running-config 
 
Address or name of remote host []? 192.168.10.4 (TFTP Server IP) 
Source filename []? Denver-confg (Backup file name on tftp server) 
Destination filename [running-config]? (Press enter) 
Denver#write 
 
Building configuration... 
[OK] 
Denver# 
 
Router#copy tftp running-config 
 
 
Address or name of remote host []? 192.168.10.4 (TFTP Server IP) 
Source filename []? DU-confg (Backup file name on tftp server) 
Destination filename [running-config]? (Press enter) 
 
Now save the configuration to NVRAM 
 
Switch# write memory 
Router# write memory 
============================================================================ 
LAB 5: Configure VLAN, Access and Trunk Port 
 
A layer-2 switched network is by design a flat network. Every device on the
network can see the transmission of every broadcast packet even if it does not need to
receive the data. But we can create multiple, separate broadcast domains logically in an L2
switch. This is possible with VLAN technology. VLAN means Virtual LAN.

VLAN segregation serves only to reduce the broadcast domain. Each VLAN uses
its own subnet.

VLANs make network management easier in a number of ways:

- A VLAN can group many broadcast domains into a number of logical subnets.
- To add, move or change a device, the port only needs to be configured into the
suitable VLAN.
- A group of users that demands high security can be placed in a VLAN so that
users outside the VLAN cannot interact with them.
- Users can be classified logically by function, so a VLAN can be considered
independent of their geographic or physical locations.
- VLANs can also enhance the security of the network.
- VLANs increase the number of broadcast domains while decreasing their size.
 
 
Trunk Ports: Between switches we create a trunk. A trunk connection is an
interface that carries multiple VLANs.

Access Ports: Carry data; generally connected to hosts or servers.

There are two trunking protocols we can use:

1. IEEE 802.1Q: Open standard, supported by switches of any vendor.
2. Cisco ISL (Inter-Switch Link): Cisco proprietary protocol that is only supported on
some Cisco switches.

On a Cisco switch, VLAN 1 is the native VLAN by default. 802.1Q does not tag the native VLAN, while ISL does
tag the native VLAN.
By default all switch ports are in VLAN 1.

VLAN information is not saved in the running-config or startup-config but in a separate file,
vlan.dat, in flash memory. To delete the VLAN information, delete the file with the delete
flash:vlan.dat command.
 
 
 
Objective
1. Basic configuration of switch
2. Create VLANs
3. Configuration of trunk ports
4. Configuration of access ports
5. Assign IP to hosts
6. Verification

Data sheet

VLAN ID   VLAN Name   Ports            Switch   Subnet
10        Cisco       F0/1 - F0/9      DU       192.168.10.0/24
20        Solaris     F0/10 - F0/20    BUET     172.16.20.0/24
 
1. Basic configuration of switch 
Switch(config)#hostname DU 
DU(config)#enable secret cisco 
DU(config)#line console 0 
DU(config-line)#password cisco 
DU(config-line)#login 
DU(config-line)#exit 
Switch(config)#hostname BUET 
BUET(config)#enable secret cisco 
BUET(config)#line console 0 
BUET(config-line)#password cisco 
BUET(config-line)#login 
BUET(config-line)#exit 
 
2. Create VLANs 
DU(config)#vlan 10 
DU(config-vlan)#name cisco 
DU(config-vlan)#exit 
DU(config)#vlan 20 
DU(config-vlan)#name solaris 
DU(config-vlan)#exit 
DU(config)# 
 
BUET(config)#vlan 10 
BUET(config-vlan)#name cisco 
 
BUET(config-vlan)#exit 
BUET(config)#vlan 20 
BUET(config-vlan)#name solaris 
BUET(config-vlan)#exit 
BUET(config)# 
 
3. Configuration of trunk ports
DU(config)#interface gigabitEthernet 0/1 
DU(config-if)#switchport mode trunk 
DU(config-if)#no shutdown 
DU(config-if)#exit 
 
BUET(config)#interface gigabitEthernet 0/1 
BUET(config-if)#switchport mode trunk 
BUET(config-if)#no shutdown 
 
DU#show interfaces gigabitEthernet 0/1 switchport 
 
Name: Gig0/1 
Switchport: Enabled 
Administrative Mode: trunk 
Operational Mode: trunk 
Administrative Trunking Encapsulation: dot1q 
Operational Trunking Encapsulation: dot1q 
Negotiation of Trunking: On 
Access Mode VLAN: 1 (default) 
Trunking Native Mode VLAN: 1 (default) 
Voice VLAN: none 
Administrative private-vlan host-association: none 
Administrative private-vlan mapping: none 
Administrative private-vlan trunk native VLAN: none 
Administrative private-vlan trunk encapsulation: dot1q 
Administrative private-vlan trunk normal VLANs: none 
Administrative private-vlan trunk private VLANs: none 
Operational private-vlan: none 
Trunking VLANs Enabled: ALL 
Pruning VLANs Enabled: 2-1001 
Capture Mode Disabled 
Capture VLANs Allowed: ALL 
Protected: false 
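
The output above still shows the defaults that matter for trunk hardening: trunk negotiation on, native VLAN 1, and all VLANs allowed. The following audit is an added example (not part of the lab guide); the Fa0/24 and hardened blocks are constructed, and the suggested commands are standard IOS switchport commands that the lab itself does not use.

```python
import re

# The Gig0/1 block is the DU output shown above (trimmed to the fields that are
# read). The Fa0/24 block is constructed for this example.
SAMPLE = """\
Name: Gig0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001

Name: Fa0/24
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
"""

# Constructed: the same trunk after explicit hardening.
HARDENED = """\
Name: Gig0/1
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: Off
Trunking Native Mode VLAN: 999 (Inactive)
Trunking VLANs Enabled: 10,20
"""


def parse_switchport(text):
    """Return one {field: value} dict per 'Name:' block in the output."""
    ports = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank lines and fields without a colon
        key, value = key.strip(), value.strip()
        if key == "Name":
            ports.append({})
        if ports:
            ports[-1][key] = value
    return ports


def vlan_id(field):
    """'1 (default)' -> 1; None when the field has no leading number."""
    match = re.match(r"\d+", field or "")
    return int(match.group()) if match else None


def audit_port(port):
    """Return (code, advice) findings for one parsed interface."""
    findings = []
    if port.get("Administrative Mode", "").startswith("dynamic"):
        findings.append(("DYNAMIC_MODE",
                         "port may negotiate a trunk; set 'switchport mode access' or 'trunk'"))
    if port.get("Negotiation of Trunking") == "On":
        findings.append(("DTP_ON", "disable negotiation with 'switchport nonegotiate'"))
    if port.get("Operational Mode") == "trunk":
        if vlan_id(port.get("Trunking Native Mode VLAN")) == 1:
            findings.append(("NATIVE_VLAN_1",
                             "untagged traffic lands in VLAN 1; use "
                             "'switchport trunk native vlan <unused-id>'"))
        if port.get("Trunking VLANs Enabled", "").upper() == "ALL":
            findings.append(("ALL_VLANS_ALLOWED",
                             "limit with 'switchport trunk allowed vlan <list>'"))
    elif vlan_id(port.get("Access Mode VLAN")) == 1:
        findings.append(("ACCESS_VLAN_1",
                         "host port is still in default VLAN 1; "
                         "use 'switchport access vlan <id>'"))
    return findings


def audit(text):
    """Map interface name -> list of finding codes."""
    return {p["Name"]: [code for code, _ in audit_port(p)]
            for p in parse_switchport(text)}


if __name__ == "__main__":
    for port in parse_switchport(SAMPLE):
        for code, advice in audit_port(port):
            print(f"{port['Name']}: {code}: {advice}")
```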
 
 
4. Configuration of Access ports 
BUET#conf t 
BUET(config)#interface range fastEthernet0/1 - 9 
BUET(config-if-range)#switchport mode access 
BUET(config-if-range)#switchport access vlan 10 
BUET(config-if-range)#exit 
BUET(config)#interface range fastEthernet 0/10 - 20 
BUET(config-if-range)#switchport mode access 
BUET(config-if-range)#switchport access vlan 20 
BUET(config-if-range)#exit 
BUET(config)#exit 
BUET# 
 
DU#conf t 
Enter configuration commands, one per line. End with CNTL/Z. 
DU(config)#interface range fastEthernet 0/1 - 9 
DU(config-if-range)#switchport mode access 
DU(config-if-range)#switchport access vlan 10 
DU(config-if-range)#exit 
DU(config)#interface range fastEthernet 0/10 - 20 
DU(config-if-range)#switchport mode access 
DU(config-if-range)#switchport access vlan 20 
DU(config-if-range)#end 
DU# 
 
 
5. Assign IP to hosts 
 
 
 
 
 
Ping to same VLAN (PC0 to PC2)
 
C:\>ping 192.168.10.3 
 
Pinging 192.168.10.3 with 32 bytes of data: 
 
Reply from 192.168.10.3: bytes=32 time=11ms TTL=128 
Reply from 192.168.10.3: bytes=32 time<1ms TTL=128 
Reply from 192.168.10.3: bytes=32 time<1ms TTL=128 
Reply from 192.168.10.3: bytes=32 time<1ms TTL=128 
C:\>ping 172.16.20.3 (PC1 to PC 3) 
 
Pinging 172.16.20.3 with 32 bytes of data: 
 
Reply from 172.16.20.3: bytes=32 time=11ms TTL=128 
Reply from 172.16.20.3: bytes=32 time<1ms TTL=128 
Reply from 172.16.20.3: bytes=32 time<1ms TTL=128 
Reply from 172.16.20.3: bytes=32 time=1ms TTL=128 
Ping to different VLAN (PC1 to PC0)
C:\>ping 192.168.10.2 
 
Pinging 192.168.10.2 with 32 bytes of data: 
 
Request timed out. 
 
Request timed out. 
Request timed out. 
Request timed out. 
 
LAB 6: VTP Configuration 
 
VTP (VLAN Trunking Protocol) is a Cisco proprietary protocol used by Cisco switches to 
exchange VLAN information. VTP replicates configured VLANs to all participating switches. 
 
Consider a network with 50 switches. Without VTP, if you want to create a VLAN on each 
switch, you would have to manually enter commands to create the VLAN on each switch! VTP 
enables you to create the VLAN only on one switch. That switch can then propagate 
information about that VLAN to each switch on a network and cause other switches to create 
that VLAN too. If you want to delete a VLAN, you only need to delete it on one switch, and 
the change is automatically propagated to every other switch inside the same VTP domain. 
 
Cisco switches can be configured in one of three VTP modes:
• Server
• Client
• Transparent
 
Server mode is the default for Cisco switches. 
 
Client mode takes VLAN configuration from the Server. It doesn’t place the VLANs in a 
vlan.dat file. 
 
Switches in Transparent mode never update themselves. If they receive VTP advertisements, they forward them along. In Transparent mode you can configure VLANs normally, as you would on a Server switch.

Be careful when a switch is deployed with a higher VTP revision number than the rest of the VTP switches. In that case, switches in Client mode will download whatever VLAN configuration that switch has and remove your current configuration. So before using such switches in a production network, configure them in Transparent mode. You can also omit VTP configuration to avoid this situation.
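
A pre-deployment check for the revision-number problem described above, as an added example (not part of the lab guide). Both status texts are constructed in the classic `show vtp status` layout; the VTP password is not visible in that output and is not modelled.

```python
# Constructed 'show vtp status' excerpts. The domain name is the one this lab
# uses; the revision numbers are made up for the example.
PRODUCTION = """\
VTP Version                     : 2
Configuration Revision          : 4
VTP Operating Mode              : Server
VTP Domain Name                 : cisco.com
"""

NEW_SWITCH = """\
VTP Version                     : 2
Configuration Revision          : 37
VTP Operating Mode              : Client
VTP Domain Name                 : cisco.com
"""


def parse_vtp_status(text):
    """Extract revision, mode and domain from 'show vtp status' text."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return {
        "revision": int(fields["Configuration Revision"]),
        "mode": fields["VTP Operating Mode"].lower(),
        "domain": fields["VTP Domain Name"],
    }


def join_risk(new_switch_status, production_status):
    """Classify what happens when the new switch is trunked into production.

    Returns one of:
      'does-not-advertise'     new switch is not in server or client mode
      'other-domain'           domain names differ (comparison is case sensitive)
      'overwrites-production'  same domain and a higher revision on the new switch
      'no-update'              same domain, same revision
      'takes-production-vlans' same domain, lower revision on the new switch
    """
    new = parse_vtp_status(new_switch_status)
    prod = parse_vtp_status(production_status)
    if new["mode"] not in ("server", "client"):
        return "does-not-advertise"
    if new["domain"] != prod["domain"]:
        return "other-domain"
    if new["revision"] > prod["revision"]:
        return "overwrites-production"
    if new["revision"] == prod["revision"]:
        return "no-update"
    return "takes-production-vlans"


def safe_to_connect(new_switch_status, production_status):
    """True unless the new switch would replace the production VLAN database."""
    return join_risk(new_switch_status, production_status) != "overwrites-production"


if __name__ == "__main__":
    verdict = join_risk(NEW_SWITCH, PRODUCTION)
    print(verdict)
    if verdict == "overwrites-production":
        print("configure 'vtp mode transparent' on the new switch before cabling it")
```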
 
 
 
 
Objective: 
 
1. Create VTP Server and VTP Client 
2. Configure Trunk port 
3. Create VLAN on Server 
4. Verify 
 
1. Create VTP Server and VTP Client 
 
Switch(config)#hostname SERVER 
SERVER(config)#vtp domain cisco.com 
SERVER(config)#vtp mode server 
SERVER(config)#vtp password cisco 
SERVER(config)#vtp version 2 
SERVER(config)# 
 
Switch(config)#hostname Client 
Client(config)#vtp domain cisco.com 
Client(config)#vtp version 2 
Client(config)#vtp mode client 
Client(config)#vtp password cisco 
 
NOTES

• The VTP domain name must match, and it is case sensitive.
• If a password is set, make sure it is the same on both sides.
• Every switch in the VTP domain must use the same VTP version. VTP v1 and VTP v2 are not compatible on switches in the same VTP domain, but VTP v2 and v3 are compatible.
 
2. Configure Trunk port 
 
SERVER(config)#interface gigabitEthernet 0/1 
SERVER(config-if)#switchport mode trunk 
SERVER(config-if)#no shut 
 
Client(config)#interface gigabitEthernet 0/1 
Client(config-if)#switchport mode trunk 
 
Client(config-if)# no shut 
 
3. Create VLAN on Server only 
 
SERVER(config)#vlan 100 
SERVER(config-vlan)#name cisco 
SERVER(config-vlan)#exit 
SERVER(config)#vlan 200 
SERVER(config-vlan)#name solaris 
SERVER(config-vlan)#end 
 
4. Verify the VLANs are propagated on Client Switch 
 
 
 
Here we can see that the VLANs we created on the Server switch, VLAN 100 and VLAN 200, have appeared on the Client switch.
 
Other Verification Command of VTP 
================================ 
 
 
 
 
 
 
From here we can check the VTP mode, VTP domain name and revision number. The revision number must be the same on both switches; if it is not, the updates have not propagated successfully.
 
 
LAB 7 : ETHERCHANNEL Configuration


• EtherChannel is a link aggregation (port-channel) technology that bundles multiple physical links into a single logical link.
• EtherChannel is great for improving redundancy in your network.
• It also lets you increase the bandwidth of a particular connection.
• With EtherChannel, the aggregated links are not blocked by STP.

Link aggregation is very common and is usually seen in the following scenarios:

• Switch-to-switch connectivity in an access block (non-stackable)
• Access switch connectivity to distribution switches
• Server connectivity to the data center LAN fabric

If you are going to create an EtherChannel, you need to make sure that all ports have the same configuration:
• Duplex has to be the same.
• Speed has to be the same.
• Same native AND allowed VLANs.
• Same switchport mode (access or trunk).
 
There’s a maximum to the number of links you can use: 8 physical interfaces.
If you want to configure an EtherChannel, there are two protocols you can choose from:
PAgP – Port Aggregation Protocol
• Developed by Cisco
• The port modes are either auto or desirable
LACP – Link Aggregation Control Protocol
• Open standard defined by IEEE 802.3ad
• The port modes are either passive or active. Passive is the equivalent of PAgP auto and active is the equivalent of PAgP desirable.
 
S1(config)#int range fa0/7-12
S1(config-if-range)#channel-group 1 mode desirable
or
S1(config-if-range)#channel-group 1 mode active
 
We can use desirable so that the switch will actively negotiate to form a PAgP link (Cisco proprietary EtherChannel), or we can use active so that the switch will actively negotiate to form an LACP link (open standard EtherChannel).

To verify the configuration, you can use show etherchannel summary.
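
The mode pairing and member-consistency rules above, written as a pre-check you can run before applying `channel-group`. This is an added example (not part of the lab guide); the member attributes in LAB_MEMBERS are constructed, and only the four negotiating modes named above are covered.

```python
PAGP = {"desirable", "auto"}
LACP = {"active", "passive"}
INITIATORS = {"desirable", "active"}   # modes that start the negotiation
MUST_MATCH = ("speed", "duplex", "mode", "native_vlan", "allowed_vlans")
MAX_LINKS = 8

# Constructed attributes for the two uplinks used in this lab.
LAB_MEMBERS = {
    "Gi0/1": {"speed": "1000", "duplex": "full", "mode": "trunk",
              "native_vlan": 1, "allowed_vlans": "all"},
    "Gi0/2": {"speed": "1000", "duplex": "full", "mode": "trunk",
              "native_vlan": 1, "allowed_vlans": "all"},
}


def will_bundle(local, remote):
    """True if the two channel-group modes negotiate a bundle.

    Both ends must speak the same protocol and at least one end must
    initiate (desirable for PAgP, active for LACP).
    """
    for mode in (local, remote):
        if mode not in PAGP | LACP:
            raise ValueError(f"mode not covered by this check: {mode}")
    pair = {local, remote}
    same_protocol = pair <= PAGP or pair <= LACP
    return same_protocol and bool(pair & INITIATORS)


def member_mismatches(members):
    """Return {attribute: {interface: value}} for attributes that differ."""
    problems = {}
    for attr in MUST_MATCH:
        values = {name: cfg[attr] for name, cfg in members.items()}
        if len(set(values.values())) > 1:
            problems[attr] = values
    return problems


def precheck(local_mode, remote_mode, members):
    """Return a list of human-readable problems; empty means ready to bundle."""
    errors = []
    if len(members) > MAX_LINKS:
        errors.append(f"{len(members)} members exceed the limit of {MAX_LINKS}")
    if not will_bundle(local_mode, remote_mode):
        errors.append(f"modes {local_mode}/{remote_mode} will not negotiate a bundle")
    for attr, values in member_mismatches(members).items():
        detail = ", ".join(f"{name}={value}" for name, value in sorted(values.items()))
        errors.append(f"{attr} differs across members: {detail}")
    return errors


if __name__ == "__main__":
    print(precheck("active", "passive", LAB_MEMBERS) or "ready to bundle")
```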
 
 
Objective 
 
1. Create Etherchannel 
2. Configure Trunk 
3. Verification 
 
Create Etherchannel 
 
Switch(config)#hostname DU 
DU(config)#interface range gigabitEthernet 0/1 - 2 
DU(config-if-range)#channel-group 1 mode active 
Creating a port-channel interface Port-channel 1 
DU(config-if-range)#exit 
 
Switch(config)#hostname ASHISH 
ASHISH(config)#interface range gigabitEthernet 0/1 - 2 
ASHISH(config-if-range)#channel-group 1 mode passive 
ASHISH(config-if-range)# 
 
Configure Trunk 
 
DU(config)#interface port-channel 1 
DU(config-if)#switchport mode trunk 
DU(config-if)# no shut 
 
ASHISH(config)#interface port-channel 1 
ASHISH(config-if)#switchport mode trunk 
ASHISH(config-if)# no shutdown 
 
 
 
Verification 
 
Po1 = Port channel 1; the channel group must be the same on both switches
S = Capital S means L2
U = In use
LACP = Which EtherChannel protocol is used
P = In port-channel
If these appear, your configuration is correct.
 
LAB 8 : VLAN, VTP, EtherChannel and Inter-VLAN Routing Configuration
 
Inter-VLAN Routing 
In our previous lab, we could only communicate within the same VLAN, for example between PCs within VLAN 10 or within VLAN 20. To communicate between different VLANs we need routing, as each VLAN is now a separate broadcast domain. So we need an L3 switch or a router for routing. Here we will use a router.
 
 
SWITCH   VLAN ID   VLAN NAME   SWITCH PORTS   SUBNET
DU       100       CISCO       F0/3 - 15      192.168.100.0/24
DU       200       SOLARIS     F0/16 - 21     172.16.200.0/24
BUET     100       CISCO       F0/6 - 10      192.168.100.0/24
BUET     200       SOLARIS     F0/14 - 20     172.16.200.0/24
 
OBJECTIVE:
• BASIC CONFIGURATION OF SWITCH AND ROUTER
• ETHER-CHANNEL & TRUNK PORT CONFIGURATION
• VTP CONFIGURATION
• CONFIGURATION OF VLAN
• VERIFY VTP, TRUNK PORTS AND ETHERCHANNEL CONFIGURATION
• CONFIGURE ACCESS-PORTS
• CONFIGURE IP TO HOSTS
• VERIFICATION
• CONFIGURE INTER-VLAN ROUTING
• VERIFY CONFIGURATION

BASIC CONFIGURATION OF SWITCH AND ROUTER 
========================================== 
Switch>en 
Switch#conf t 
Enter configuration commands, one per line. End with CNTL/Z. 
Switch(config)#hostname DU 
 
DU(config)#banner motd "Do not try to login my Switch" 
DU(config)#enable secret cisco123 
DU(config)#line console 0 
DU(config-line)#password cisco123 
DU(config-line)#login 
DU(config-line)#exit 
DU(config)# 
======================================== 
Switch#conf t 
Switch(config)#hostname BUET 
BUET(config)#hostname BUET 
BUET(config)#banner motd "This is the switch of BUET" 
BUET(config)#enable secret cisco123 
BUET(config)#line console 0 
BUET(config-line)#password cisco123 
BUET(config-line)#login 
BUET(config-line)#end 
BUET# 
===================================================== 
Router>en 
Router#conf t 
Enter configuration commands, one per line. End with CNTL/Z. 
Router(config)#hostname DENVER 
DENVER(config)#enable secret cisco123 
DENVER(config)#banner motd "This Router belongs to VENUS TELECOM LTD" 
DENVER(config)#line console 0 
DENVER(config-line)#password cisco123 
DENVER(config-line)#login 
DENVER(config-line)#end 
DENVER# 
 
ETHER-CHANNEL & TRUNK PORT CONFIGURATION
=============================================== 
 
DU(config)#interface range fastEthernet 0/1 - 2 
DU(config-if-range)#channel-group 1 mode active 
DU(config-if-range)#no shutdown 
DU(config-if-range)#exit 
 
 
 
TRUNK PORT CONFIGURATION
===========================

DU(config)#interface port-channel 1
DU(config-if)#switchport mode trunk
DU(config-if)#no shutdown 
==================================================== 
BUET(config)#interface range fastEthernet 0/1 - 2 
BUET(config-if-range)#channel-group 1 mode passive 
BUET(config-if-range)#no shutdown 
BUET(config-if-range)#exit 
 
TRUNK PORT CONFIGURATION

BUET(config)#interface port-channel 1
BUET(config-if)#switchport mode trunk
BUET(config-if)#no shutdown
 
VTP CONFIGURATION 
============================ 
 
DU(config)#vtp domain cisco.com 
Changing VTP domain name from NULL to cisco.com 
DU(config)#vtp mode server
Device mode already VTP SERVER.
DU(config)#vtp version 2
DU(config)#vtp password cisco
Setting device VLAN database password to cisco 
DU(config)#exit 
----------------------------------------------------------------------------- 
BUET(config)#vtp domain cisco.com 
 
Domain name already set to cisco.com. 
BUET(config)#vtp mode client
Setting device to VTP CLIENT mode.
BUET(config)#vtp version 2
Cannot modify version in VTP client mode
BUET(config)#vtp password cisco
Setting device VLAN database password to cisco 
BUET(config)# 
 
CONFIGURATION OF VLAN 
======================== 
 
DU#conf t 
Enter configuration commands, one per line. End with CNTL/Z. 
DU(config)#vlan 100 
DU(config-vlan)#name CISCO 
DU(config-vlan)#exit
DU(config)#vlan 200
DU(config-vlan)#name SOLARIS
DU(config-vlan)#exit 
 
VERIFY 
========== 
 
 
 
 
 
DU#show etherchannel summary 
 
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port


Number of channel-groups in use: 1
Number of aggregators: 1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+------

1      Po1(SU)       LACP        Fa0/1(P) Fa0/2(P)
 
DU#

CONFIGURE ACCESS-PORTS
DU#conf t 
DU(config)#interface range fastEthernet 0/3 - 15 
DU(config-if-range)#switchport mode access 
DU(config-if-range)#switchport access vlan 100 
DU(config-if-range)#exit 
 
DU(config)#interface range fastEthernet 0/16 - 21 
DU(config-if-range)#switchport mode access 
DU(config-if-range)#switchport access vlan 200 
DU(config-if-range)#exit 
DU(config)# 
--------------------------------------------------------------------------- 
BUET#conf t 
BUET(config)#interface range fastEthernet 0/6 - 10 
BUET(config-if-range)#switchport mode access 
BUET(config-if-range)#switchport access vlan 100 
BUET(config-if-range)#exit 
 
BUET(config)#interface range fastEthernet 0/14 - 20 
BUET(config-if-range)#switchport mode access 
BUET(config-if-range)#switchport access vlan 200 
BUET(config-if-range)#end 
BUET# 
 
 
 
CONFIGURE IP TO HOSTS
 
 
 
 
 
Verify
========= 
ping to same VLAN 
 
C:\>ping 192.168.100.3 
 
Pinging 192.168.100.3 with 32 bytes of data: 
 
Reply from 192.168.100.3: bytes=32 time=1ms TTL=128 
Reply from 192.168.100.3: bytes=32 time=1ms TTL=128 
Reply from 192.168.100.3: bytes=32 time<1ms TTL=128 
Reply from 192.168.100.3: bytes=32 time<1ms TTL=128 
 
C:\>ping 172.16.200.3 
 
Pinging 172.16.200.3 with 32 bytes of data: 
 
Reply from 172.16.200.3: bytes=32 time=12ms TTL=128 
Reply from 172.16.200.3: bytes=32 time=1ms TTL=128 
Reply from 172.16.200.3: bytes=32 time=1ms TTL=128 
Reply from 172.16.200.3: bytes=32 time<1ms TTL=128 
 
 
PING to different VLAN 
 
C:\>ping 192.168.100.2 
 
Pinging 192.168.100.2 with 32 bytes of data: 
 
Request timed out. 
Request timed out. 
Request timed out. 
Request timed out. 
 
Not successful, right? So we will now configure inter-VLAN routing to reach a different VLAN.
 
CONFIGURE INTER-VLAN ROUTING 
========================= 
 
BUET#conf t 
Enter configuration commands, one per line. End with CNTL/Z. 
BUET(config)#interface gigabitEthernet 0/1 
BUET(config-if)#no shutdown 
BUET(config-if)#switchport mode trunk 
BUET(config-if)#exit 
 
------------------------------------------------------------------------ 
 
DENVER#conf t 
DENVER(config)#interface fastEthernet 0/0 
DENVER(config-if)#no shutdown 
DENVER(config-if)#exit 
DENVER(config)#interface fastEthernet 0/0.100 
DENVER(config-subif)#encapsulation dot1Q 100 
DENVER(config-subif)#ip address 192.168.100.1 255.255.255.0 
DENVER(config-subif)#no shutdown 
DENVER(config-subif)#exit 
DENVER(config)#interface fastEthernet 0/0.200 
DENVER(config-subif)#encapsulation dot1Q 200 
DENVER(config-subif)#ip address 172.16.200.1 255.255.255.0 
DENVER(config-subif)#no shutdown 
DENVER(config-subif)#exit 
 
Here we have created two sub-interfaces, 0/0.100 and 0/0.200, for the respective VLANs. dot1Q is used for encapsulation.
 
Verify 
=========== 
 
Now ping to different VLAN 
 
C:\>ping 172.16.200.2 
 
Pinging 172.16.200.2 with 32 bytes of data: 
 
Reply from 172.16.200.2: bytes=32 time=1ms TTL=127 
Reply from 172.16.200.2: bytes=32 time=12ms TTL=127 
Reply from 172.16.200.2: bytes=32 time=11ms TTL=127 
Reply from 172.16.200.2: bytes=32 time=10ms TTL=127 
 
C:\>ping 192.168.100.2 
 
Pinging 192.168.100.2 with 32 bytes of data: 
 
Reply from 192.168.100.2: bytes=32 time=11ms TTL=127 
Reply from 192.168.100.2: bytes=32 time=11ms TTL=127 
Reply from 192.168.100.2: bytes=32 time=1ms TTL=127 
Reply from 192.168.100.2: bytes=32 time=10ms TTL=127 
 
==================================================================== 
 
 
TELNET ACCESS to Switch 
====================== 
 
VTP SERVER 
============ 
 
DU#conf t 
DU(config)#vlan 99 
DU(config-vlan)#name admin 
DU(config-vlan)#exit 
DU(config)#vlan 199 
DU(config-vlan)#name admin2
DU(config-vlan)#exit
DU(config)#interface fastEthernet 0/23 
DU(config-if)#switchport mode access 
DU(config-if)#switchport access vlan 99 
DU(config-if)#exit 
DU(config)#interface vlan 99 
DU(config-if)#ip address 192.168.10.1 255.255.255.0 
DU(config-if)#no shutdown 
DU(config-if)#exit 
------------------------------------------------- 
Telnet Configuration 
=================== 
DU(config)#line vty 0 4 
DU(config-line)#password cisco123 
DU(config-line)#login 
DU(config-line)#exit 
 
================================================================ 
BUET#conf t 
Enter configuration commands, one per line. End with CNTL/Z. 
BUET(config)#interface fastEthernet 0/23 
BUET(config-if)#switchport mode access 
BUET(config-if)#switchport access vlan 199 
BUET(config-if)#exit 
------------------------------------------- 
BUET(config)#interface vlan 199 
BUET(config-if)#ip address 192.168.20.1 255.255.255.0 
BUET(config-if)#no shutdown 
 
Telnet Configuration 
 
BUET(config)#line vty 0 4 
BUET(config-line)#password cisco123 
BUET(config-line)#login 
BUET(config-line)#exit 
 
DENVER(config)#line vty 0 4 
DENVER(config-line)#password cisco123 
DENVER(config-line)#login 
DENVER(config-line)#exit 
DENVER(config)#interface fastEthernet 0/0.99 
DENVER(config-subif)#encapsulation dot1Q 99 
DENVER(config-subif)#ip address 192.168.10.1 255.255.255.0 
DENVER(config-subif)#no shutdown 
DENVER(config-subif)#end 
 
DENVER#ping 192.168.10.1 
 
Type escape sequence to abort. 
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds: 
!!!!! 
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/2/8 ms 
================================================================ 
DENVER#telnet 192.168.10.1 
 
Trying 192.168.10.1 ...OpenThis Router belongs to VENUS TELECOM LTD 
User Access Verification 
Password: 
% Password: timeout expired! 
[Connection to 192.168.10.1 closed by foreign host] 
============================================================== 
 
DENVER#conf t 
DENVER(config)#interface fastEthernet 0/0.199 
DENVER(config-subif)#encapsulation dot1Q 199 
DENVER(config-subif)#ip address 192.168.20.1 255.255.255.0 
DENVER(config-subif)#no shutdown 
DENVER(config-subif)#exit 
DENVER(config)#end 
======================================================= 
 
 
DENVER#ping 192.168.20.1 
Type escape sequence to abort. 
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds: 
!!!!! 
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/3/9 ms 
 
DENVER#telnet 192.168.20.1 
 
Trying 192.168.10.1 ...OpenThis Router belongs to VENUS TELECOM LTD 
User Access Verification 
Password: 
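
In the management-VLAN configuration above, the DU SVI (interface vlan 99) and the DENVER sub-interface fastEthernet 0/0.99 are both given 192.168.10.1, and the same happens with 192.168.20.1 on VLAN 199; the Telnet sessions from DENVER show DENVER's own banner. The following check is an added example (not part of the lab guide) that finds such collisions from the prompt-prefixed commands; the function names are this example's own.

```python
import ipaddress
import re
from collections import defaultdict

# Interface addressing commands copied from the DU, BUET and DENVER sessions above.
TRANSCRIPT = """\
DU(config)#interface vlan 99
DU(config-if)#ip address 192.168.10.1 255.255.255.0
BUET(config)#interface vlan 199
BUET(config-if)#ip address 192.168.20.1 255.255.255.0
DENVER(config)#interface fastEthernet 0/0.99
DENVER(config-subif)#encapsulation dot1Q 99
DENVER(config-subif)#ip address 192.168.10.1 255.255.255.0
DENVER(config)#interface fastEthernet 0/0.199
DENVER(config-subif)#encapsulation dot1Q 199
DENVER(config-subif)#ip address 192.168.20.1 255.255.255.0
"""

PROMPT = re.compile(r"^(?P<host>[\w-]+)\([\w-]+\)#\s*(?P<cmd>.*)$")


def collect(transcript):
    """Return one record per addressed interface: host, name, vlan, ip."""
    records, current = [], {}
    for line in transcript.splitlines():
        match = PROMPT.match(line.strip())
        if not match:
            continue  # output lines and exec-mode prompts
        host, words = match["host"], match["cmd"].split()
        lowered = [word.lower() for word in words]
        if lowered[:1] == ["interface"]:
            record = {"host": host, "name": " ".join(words[1:]), "vlan": None, "ip": None}
            if len(words) == 3 and lowered[1] == "vlan":
                record["vlan"] = int(words[2])           # SVI: VLAN is in the name
            current[host] = record
            records.append(record)
        elif host in current and lowered[:2] == ["encapsulation", "dot1q"] and len(words) == 3:
            current[host]["vlan"] = int(words[2])        # router sub-interface tag
        elif host in current and lowered[:2] == ["ip", "address"] and len(words) == 4:
            current[host]["ip"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
    return [record for record in records if record["ip"] is not None]


def duplicate_addresses(records):
    """Return {ip: [owner, ...]} for addresses configured on more than one device."""
    owners = defaultdict(list)
    for record in records:
        owners[str(record["ip"].ip)].append(f"{record['host']} {record['name']}")
    hosts = defaultdict(set)
    for record in records:
        hosts[str(record["ip"].ip)].add(record["host"])
    return {ip: names for ip, names in owners.items() if len(hosts[ip]) > 1}


def vlan_subnet_mismatches(records):
    """Return {subnet: [vlan, ...]} where one subnet is configured under several VLANs."""
    vlans = defaultdict(set)
    for record in records:
        if record["vlan"] is not None:
            vlans[str(record["ip"].network)].add(record["vlan"])
    return {net: sorted(ids) for net, ids in vlans.items() if len(ids) > 1}


if __name__ == "__main__":
    found = collect(TRANSCRIPT)
    for ip, names in duplicate_addresses(found).items():
        print(f"{ip} is configured on: {', '.join(names)}")
    print("VLAN/subnet mismatches:", vlan_subnet_mismatches(found) or "none")
```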
 
LAB 9 : Inter-Vlan Routing Configuration on L3 Switch 
 
SVI - Switched Virtual Interface. There is no physical interface for the VLAN, hence it is virtual.
The technique is to assign an IP address to each VLAN interface (for example, interface vlan 10), then issue the "ip routing" command in global configuration mode.

Generally, routers do the routing between different broadcast domains, that is, different VLANs. But an SVI provides the routing capability between different VLANs.
 
Example switch models that support layer 3 routing are the 3550, 3750, 3560 etc. 
 
 
Our Tasks (All configuration is only on L3 switch here) 
 
1. Creating vlan 10 and vlan 20 
2. Naming these two vlans: 
vlan 10 = cisco 
vlan 20 = solaris 
3. Configuration of Access ports 
4. Assigning IP to Hosts 
5. Assigning IP to Vlan Interface 
6. Verification 
 
CREATE VLAN 
 
Switch>en 
Switch#conf t 
Switch(config)#vlan 10 
Switch(config-vlan)#name cisco 
Switch(config-vlan)#exit 
Switch(config)#vlan 20 
Switch(config-vlan)#name solaris 
Switch(config-vlan)#exit 
Switch(config)#exit 
 
ACCESS-PORT CONFIGURATION 
 
Switch#conf t 
Switch(config)#interface range fastEthernet 0/3 - 9 
Switch(config-if-range)#switchport mode access 
Switch(config-if-range)#switchport access vlan 10 
Switch(config-if-range)#exit 
Switch(config)#interface range fastEthernet 0/10 - 15 
Switch(config-if-range)#switchport mode access 
Switch(config-if-range)#switchport access vlan 20 
Switch(config-if-range)#exit 
Switch(config)# 
 
 
 
ASSIGN IP TO VLAN INTERFACE 
 
Switch(config)#interface vlan 10 
Switch(config-if)#ip address 192.168.10.1 255.255.255.0 
Switch(config-if)#no shutdown 
Switch(config-if)#exit 
Switch(config)#interface vlan 20 
Switch(config-if)#ip address 192.168.20.1 255.255.255.0 
Switch(config-if)#no shutdown 
Switch(config-if)#exit 
 
 
ENABLE ROUTING 
 
Switch(config)#ip routing 
Switch(config)#exit 
 
 
ASSIGN IP TO HOSTS 
 
 
 
 
 
 
 
VERIFICATION 
 
 
 
Ping to different vlan 
 
 
 
 
 
 
LAB 10 : Port Security 
 
Port Security 
Anyone can access unsecured network resources by plugging a laptop into one of our available switch ports. They can also change their physical location in the LAN without telling the admin. You can secure layer 2 access by using port security.

First, in our lab we will plug in one PC, and the other PC will remain unplugged, as shown in the figure:
 
Assign IP to hosts 
 
 
 
 
 
Switch(config)#interface fastEthernet 0/1 
Switch(config-if)#switchport mode access 
Switch(config-if)#switchport access vlan 1 
Switch(config-if)#switchport port-security 
Switch(config-if)#switchport port-security maximum 1 
Switch(config-if)#switchport port-security violation shutdown 
Switch(config-if)#switchport port-security mac-address sticky 
Switch(config-if)#exit 
 
 
Port security is disabled by default. The switchport port-security command enables it.
According to our requirements, we can limit the number of hosts that can be associated with an interface. We can set this limit anywhere from 1 to 132; the maximum number of devices that can be associated with the interface is 132. By default it is set to 1. The switchport port-security maximum value command sets the maximum number of hosts.

We have two options, static and dynamic, to associate a MAC address with an interface.
In the static method we have to manually define the exact host MAC address with the switchport port-security mac-address MAC_address command.

In dynamic mode we use the sticky feature, which allows the interface to learn the MAC address automatically.
 
We need to specify what action the switch should take on a security violation. Three modes are available:

Protect: This mode only works with the sticky option. In this mode, frames from non-allowed addresses are dropped.
 
 
Restrict: In restrict mode, frames from non-allowed addresses are dropped, and in addition the switch makes a log entry and generates a security violation alert.

Shutdown: In this mode the switch generates the violation alert and disables the port. The only way to re-enable the port is to manually enter the no shutdown command. This is the default violation mode.
 
 
Switchport port security explained 
 
Command                                                          Description
Switch>enable                                                    Move to privileged EXEC mode
Switch#configure terminal                                        Move to global configuration mode
Switch(config)#interface fastethernet 0/1                        Move to interface mode
Switch(config-if)#switchport mode access                         Assign port as host port
Switch(config-if)#switchport port-security                       Enable port security feature on this port
Switch(config-if)#switchport port-security maximum 1             Set limit for hosts that can be associated with interface. Default value is 1. Skip this command to use default value.
Switch(config-if)#switchport port-security violation shutdown    Set security violation mode. Default mode is shutdown. Skip this command to use default mode.
Switch(config-if)#switchport port-security mac-address sticky    Enable sticky feature.
 
We have secured the F0/1 port of the switch using the dynamic address learning feature. The switch will remember the first MAC address learned on interface F0/1. We can check the MAC address table for the currently associated address.
 
 
 
 
 
No MAC address is associated with the F0/1 port yet. The switch learns MAC addresses from incoming frames.

We need to generate a frame from PC0 that will be received on the F0/1 port of the switch. We can use ping to generate frames from PC0 to the Server.
 
 
 
The switch learned this address dynamically, but it is shown as STATIC. The sticky option automatically converts a dynamically learned address into a static address.
 
Switchport port security testing 
 
Now we unplug the Ethernet cable from the PC (PC0) and plug it into the other PC (PC1).
 
 
Now try to ping from PC1 to Server 
 
 
 
Why is the ping not successful? Because the switch detected the MAC address change and shut down the port.
 
 
Verify port security 
 
We have three commands to verify the port security 
 
show port-security 
 
This command displays port security information about all the interfaces on switch. 
 
 
show port-security address 
Display statically defined or dynamically learned address with port security. 
 
 
show port-security interface interface 
 
Display port security information about the specific interface. 
 
 
Here is a useful command to check your port security configuration. Use show port-security interface to see the port security details per interface. We can see the violation mode is shutdown and that the last violation was caused by MAC address 0002.1622.CB46:1. The aging time is 0 mins, which means it will stay in err-disable state forever.

How to reset an interface that is disabled due to a port security violation
Manually restart the interface. Unplug the cable from PC1 and plug it back into PC0.
Run the following commands on the switch and test connectivity from the PC.
 
 
 
 
First go to the interface, shut it down and then apply no shutdown.
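
The whole lab sequence (learn PC0, swap in PC1, recover) as a small model that can be replayed under each violation mode, with and without sticky. This is an added example (not part of the lab guide): it is a simplified model, not switch code; the PC0 address is constructed and the PC1 address is the violating MAC shown above.

```python
from dataclasses import dataclass, field

MODES = ("protect", "restrict", "shutdown")


@dataclass
class SecurePort:
    """Simplified model of one access port with 'switchport port-security'."""
    maximum: int = 1
    violation: str = "shutdown"
    sticky: bool = True
    secure_macs: list = field(default_factory=list)
    violations: int = 0          # counted in restrict and shutdown, not in protect
    err_disabled: bool = False

    def __post_init__(self):
        if self.violation not in MODES:
            raise ValueError(f"unknown violation mode: {self.violation}")
        if self.maximum < 1:
            raise ValueError("maximum must be at least 1")

    def receive(self, src_mac):
        """Process one incoming frame and return 'forward' or 'drop'."""
        mac = src_mac.lower()
        if self.err_disabled:
            return "drop"                      # port is down until it is bounced
        if mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(mac)       # room left: learn the address
            return "forward"
        if self.violation != "protect":        # restrict and shutdown are counted
            self.violations += 1
        if self.violation == "shutdown":
            self.err_disabled = True
        return "drop"

    def link_down(self):
        """Cable pulled: sticky addresses are kept, plain dynamic ones are flushed."""
        if not self.sticky:
            self.secure_macs.clear()

    def shut_no_shut(self):
        """Manual recovery: 'shutdown' followed by 'no shutdown'."""
        self.err_disabled = False


def replay_lab(violation="shutdown", sticky=True):
    """Replay the lab steps; return (frame results, violation count, err-disabled)."""
    pc0 = "0001.aaaa.0001"                     # constructed address for PC0
    pc1 = "0002.1622.cb46"                     # violating address shown in the lab
    port = SecurePort(maximum=1, violation=violation, sticky=sticky)
    results = [port.receive(pc0)]              # PC0 pings the Server
    port.link_down()                           # PC0 unplugged
    results.append(port.receive(pc1))          # PC1 plugged in and pings
    port.link_down()                           # cable moved back to PC0
    results.append(port.receive(pc0))          # PC0 before any recovery
    port.shut_no_shut()
    results.append(port.receive(pc0))          # PC0 after recovery
    return results, port.violations, port.err_disabled


if __name__ == "__main__":
    for mode in MODES:
        print(mode, replay_lab(mode))
    print("shutdown without sticky", replay_lab("shutdown", sticky=False))
```

Without sticky, the dynamically learned address is flushed when the cable is pulled, so the swap to PC1 is not a violation at all; that is why the lab configures sticky.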
 
 
 
 
 
LAB 11: Configure Portfast 
 
Advantages

• An interface with PortFast enabled goes to forwarding mode immediately; it skips the listening and learning states.
• A switch will never generate a topology change notification.
 
• The PortFast feature only has an effect when the interface is in non-trunking mode, so enabling PortFast on a trunk port is useless. It works only in access mode.

Configure PortFast on Cisco Switch (first unplug the two PCs as shown in the figure)
 
Next, execute the following command on Switch to enable the PortFast feature on the Fa0/1 
interface. 
 
Switch(config)#interface fa0/1 
Switch(config-if)#spanning-tree portfast 
 
%Warning: portfast should only be enabled on ports connected to a single 
host. Connecting hubs, concentrators, switches, bridges, etc... to this 
interface when portfast is enabled, can cause temporary bridging loops. 
Use with CAUTION 
 
%Portfast has been configured on FastEthernet0/1 but will only 
have effect when the interface is in a non-trunking mode. 
Switch(config-if)#

Now, connect PC0 to the fa0/1 interface and PC1 to the fa0/2 interface, as shown in the following figure.
 
 
We notice that the Fa0/1 interface will be activated within 5 seconds because it will not 
participate in the STP convergence process. 
LAB 12 : Configure BPDU Guard on Cisco Switch 
• BPDU Guard is used to protect the Spanning Tree domain from external influence. BPDU Guard is disabled by default, but it is recommended to enable BPDU Guard on all ports on which PortFast is enabled.
• BPDU Guard should be applied toward user-facing ports to prevent rogue switch network extensions by an attacker.
• BPDU Guard can be configured either in global mode or interface mode.
• On an interface, BPDU Guard will put the port into the err-disable state if a BPDU is received.

In global configuration mode, BPDU Guard will disable PortFast on any interface if a BPDU is received.
 
SW2(config)# spanning-tree portfast bpduguard default 
SW2(config-if)# spanning-tree bpduguard enable 
 
 
Switch(config)#interface fastEthernet 0/1 
Switch(config-if)#switchport mode access 
Switch(config-if)#switchport access vlan 1 
Switch(config-if)#spanning-tree portfast 
 
%Warning: portfast should only be enabled on ports connected to a single 
host. Connecting hubs, concentrators, switches, bridges, etc... to this 
interface when portfast is enabled, can cause temporary bridging loops. 
Use with CAUTION 
 
%Portfast has been configured on FastEthernet0/1 but will only 
have effect when the interface is in a non-trunking mode. 
 
Switch(config-if)#spanning-tree bpduguard enable 
Switch(config-if)#exit 
 
Switch#show spanning-tree interface fastEthernet 0/1 portfast 
 
VLAN0001 enabled 
 
 
LAB 13: Configure Root Guard on Cisco Switch 
Root Guard stops a switch that sends superior BPDUs from becoming the root bridge.

Note: Root Guard is best deployed on ports that connect to switches which should not be the root bridge.
 
 
For example, a port on the distribution layer switch which is connected to an access layer 
switch can be Root Guard enabled, because the access layer switch should never become the 
Root Bridge. 
 
Switch#conf t 
Switch(config)#hostname DU 
 
Switch#conf t 
Switch(config)#hostname ASHISH 
 
Now check which switch is the root bridge 
 
 
Switch DU becomes the root bridge, right?

Now we will enable Root Guard on port G0/1 of switch DU, so that if switch ASHISH wants to become the root bridge, port G0/1 of the DU switch will shut down.
 
DU(config)#interface gigabitEthernet 0/1 
DU(config-if)#spanning-tree guard root 
 
Now ping from PC1 to PC2 to verify connectivity
C:\>ping 192.168.10.2 
 
Reply from 192.168.10.2: bytes=32 time=12ms TTL=128 
Reply from 192.168.10.2: bytes=32 time<1ms TTL=128 
Reply from 192.168.10.2: bytes=32 time<1ms TTL=128 
Reply from 192.168.10.2: bytes=32 time<1ms TTL=128 
 
Now we will change the priority value of switch ASHISH to check what happens!
 
ASHISH(config)#spanning-tree vlan 1 priority 4096 
 
 
 
Now ping:
 
C:\>ping 192.168.10.2 
 
Request timed out. 
Request timed out. 
Request timed out. 
Request timed out. 
 
The port becomes red, which indicates that the port is shut down when switch ASHISH wants to become the root bridge.

%SPANTREE-2-ROOTGUARDBLOCK: Port 0/1 tried to become non-designated in VLAN 1. Moved to root-inconsistent state

The above message is generated on switch DU.

To recover from this, reset the priority value of switch ASHISH:
ASHISH(config)#spanning-tree vlan 1 priority 32768 
 
On DU switch 
 
DU(config)#interface gigabitEthernet 0/1 
DU(config-if)#shutdown 
DU(config-if)#no shutdown 
 
Now ping from PC1 to PC2 to verify connectivity
 
C:\>ping 192.168.10.2 
 
Reply from 192.168.10.2: bytes=32 time=12ms TTL=128 
Reply from 192.168.10.2: bytes=32 time<1ms TTL=128 
Reply from 192.168.10.2: bytes=32 time<1ms TTL=128 
Reply from 192.168.10.2: bytes=32 time<1ms TTL=128 
 
 
LAB 14 : Spanning tree behavior - mode , priority value, root bridge 
 
Here switch DU is the root bridge, as all of its ports are in forwarding mode (indicated by the green signal).
By default, Cisco switches run a separate STP instance for every VLAN configured on the switch; this mode is called PVST.

We will configure switch ASHISH as the root switch for the default VLAN (1) using one method, then the DU switch using another method:

Method 1 (Switch ASHISH will be the root bridge)

First verify whether switch ASHISH is the root or not.


The switch is not the root bridge.
 
Now we will make it root bridge by using the following command: 
 
spanning-tree vlan [list] root [primary | secondary] 
 
Using this command automatically lowers the priority of the switch to a value low enough to make sure that the switch is elected as the root switch.
 
ASHISH#conf t 
Enter configuration commands, one per line. End with CNTL/Z. 
ASHISH(config)#spanning-tree vlan 1 root primary 
ASHISH(config)#exit 
 
 
 
We can see that the switch is now the root bridge. 
 
Method 2 (Switch DU will be the root bridge now):

Set the bridge priority using the command spanning-tree vlan [list] priority [value].
 
DU(config)#spanning-tree vlan 1 priority 4096 
 
 
 
DU is now the root switch. 
 
LAB 15: Static route configuration 
 
Overview of Static Routing 
• Routes are configured manually
• Administrative distance value 0
• Reducing CPU/RAM overhead and saving bandwidth.
• Static routes are not advertised over the network
• Not fault-tolerant
• Initial configuration and maintenance is time-consuming.
• Not appropriate for complex topologies
 
 
DU Router (Basic Configuration) 
 
Router>enable 
Router#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z. 
Router(config)#hostname DU 
DU(config)#enable secret cisco123 
 
DU(config)#line console 0 
DU(config-line)#password cisco 
DU(config-line)#login
DU(config-line)#exit
DU(config)#line vty 0 5 
DU(config-line)#password cisco 
DU(config-line)#login 
DU(config-line)#exit 
 
DU(config)#interface fastEthernet 0/0 
DU(config-if)#description connectivity from DU to BUET
DU(config-if)#ip address 192.168.20.1 255.255.255.0 
DU(config-if)#no shutdown 
DU(config-if)#exit 
 
DU(config)#interface fastEthernet 0/1 
DU(config-if)#description connectivity to Local Network 
DU(config-if)#ip address 192.168.10.1 255.255.255.0 
DU(config-if)#no shutdown 
DU(config-if)#exit 
 
BUET Router (Basic Configuration) 
Router>en 
Router#conf t 
Enter configuration commands, one per line. End with CNTL/Z. 
Router(config)#hostname BUET 
BUET(config)#enable secret cisco123 
 
BUET(config)#line console 0 
BUET(config-line)#password cisco 
BUET(config-line)#login 
BUET(config-line)#exit 
 
 
BUET(config)#line vty 0 5 
BUET(config-line)#password cisco 
BUET(config-line)#login 
BUET(config-line)#exit 
 
BUET(config)#interface fastEthernet 0/0 
BUET(config-if)#description Connectivity from BUET to DU 
BUET(config-if)#ip address 192.168.20.2 255.255.255.0 
BUET(config-if)#no shutdown 
BUET(config-if)#exit 
 
BUET(config)#interface fastEthernet 0/1 
BUET(config-if)#description connectivity from BUET to it's Local Network 
BUET(config-if)#ip address 192.168.30.1 255.255.255.0 
BUET(config-if)#no shutdown 
BUET(config-if)#exit 
 
Now Assign IP Address to Hosts 
 
 
 
Try to Ping from PC0 to PC1 
C:\>ping 192.168.30.2 
 
Pinging 192.168.30.2 with 32 bytes of data: 
 
Reply from 192.168.10.1: Destination host unreachable. 
Reply from 192.168.10.1: Destination host unreachable. 
Reply from 192.168.10.1: Destination host unreachable. 
Reply from 192.168.10.1: Destination host unreachable. 
 
Ping statistics for 192.168.30.2: 
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), 
 
C:\> 
Thus we need routing, either static or dynamic, right?
Let us start with static routing.
DU Router 
DU(config)#ip route 192.168.30.0 255.255.255.0 192.168.20.2 
BUET Router 
BUET(config)#ip route 192.168.10.0 255.255.255.0 192.168.20.1 
Rules of Static route 
Router(config)# ip route [destination_network] [subnet_mask] [next-hop] 
 
On point-to-point links, an exit-interface can be specified instead of a next-hop address. 
 
Router(config)# ip route [destination_network] [subnet_mask] [Exit-Interface ] 
 
So, for the previous example, instead of the IP address we can write the exit interface as follows, but only if the 2 routers are connected point-to-point:
 
DU(config)#ip route 192.168.30.0 255.255.255.0 fastEthernet 0/0 
BUET(config)#ip route 192.168.10.0 255.255.255.0 fastEthernet 0/0 
 
Now ping again, 
C:\>ping 192.168.30.2 
 
Reply from 192.168.30.2: bytes=32 time<1ms TTL=126 
Reply from 192.168.30.2: bytes=32 time<1ms TTL=126 
Reply from 192.168.30.2: bytes=32 time<1ms TTL=126 
Reply from 192.168.30.2: bytes=32 time<1ms TTL=126 
 
 
Telnet to BUET Router:
 
 
C:\>telnet 192.168.20.2 
Trying 192.168.20.2 ...Open 
 
User Access Verification 
 
Password: 
Password: 
BUET> 
Success, right?
Other verification command
BUET#show ip route 
 
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP 
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP 
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area 
* - candidate default, U - per-user static route, o - ODR 
P - periodic downloaded static route 
 
Gateway of last resort is not set 
 
S 192.168.10.0/24 [1/0] via 192.168.20.1 
 
C 192.168.20.0/24 is directly connected, FastEthernet0/0 
C 192.168.30.0/24 is directly connected, FastEthernet0/1 
 
BUET# 
S: represents a static route
C: directly connected route
 
LAB 16: Static Default Routing 
 
It is a special type of static route. Default routing is used in stub networks. A stub network has only one way for traffic to go to reach several different networks.

A DEFAULT ROUTE is sometimes called a Zero/Zero Route because the network and subnet mask we specify as the destination for the traffic it matches are all zeros.

A DEFAULT ROUTE says "for any traffic that DOES NOT match a specific route in the routing table, forward that traffic to this destination (next-hop-router-IP address)". In other words, a default route is a "CATCH ALL".
 
On default route, both the network and subnet mask will be zero (0.0.0.0 0.0.0.0). 
ip route 0.0.0.0 0.0.0.0 next-hop-router-IP address 
 
Normally the customer's route to the ISP is a default route, and the ISP's route to the customer is a normal static route, as shown below:

Objective:
• Basic Configuration on Router CUSTOMER and ISP
• Static default route to INTERNET on CUSTOMER Router
• Static route to CUSTOMER LAN on ISP Router
• Verification
 
Configuration 
Basic Configuration on Router CUSTOMER and ISP 
 
CUSTOMER Router 
 
Router>en 
Router#conf t 
Enter configuration commands, one per line. End with CNTL/Z. 
Router(config)#hostname CUSTOMER 
CUSTOMER(config)#interface fastEthernet 0/1 
CUSTOMER(config-if)#description CUSTOMER LAN 
CUSTOMER(config-if)#ip address 192.168.10.1 255.255.255.0 
CUSTOMER(config-if)#no shutdown 
CUSTOMER(config-if)#exit 
CUSTOMER(config)#interface fastEthernet 0/0 
 
CUSTOMER(config-if)#description Connectivity to ISP 
CUSTOMER(config-if)#ip address 103.13.148.1 255.255.255.248 
CUSTOMER(config-if)#no shutdown 
CUSTOMER(config-if)#exit 
 
ISP ROUTER 
 
Router>en 
Router#conf t 
Enter configuration commands, one per line. End with CNTL/Z. 
Router(config)#hostname ISP 
ISP(config)#interface fastEthernet 0/0 
ISP(config-if)#description Connectivity to CUSTOMER ROUTER 
ISP(config-if)#ip address 103.13.148.2 255.255.255.248 
ISP(config-if)#no shutdown 
ISP(config-if)#exit 
ISP(config)#interface fastEthernet 1/0 
ISP(config-if)#description Connectivity to INTERNET 
ISP(config-if)#ip address 100.100.100.1 255.255.255.0 
ISP(config-if)#no shutdown 
ISP(config-if)#end 
 
Default route to INTERNET on CUSTOMER Router
 
CUSTOMER(config)#ip route 0.0.0.0 0.0.0.0 103.13.148.2 
 
Static route to CUSTOMER LAN on ISP Router 
 
ISP(config)#ip route 192.168.10.0 255.255.255.0 103.13.148.1 
 
Assign IP addresses to hosts
 
 
 
 
 
Verification 
 
Apply Ping from PC0 to PC1 
C:\>ping 100.100.100.2 
 
Reply from 100.100.100.2: bytes=32 time=1ms TTL=126 
Reply from 100.100.100.2: bytes=32 time<1ms TTL=126 
Reply from 100.100.100.2: bytes=32 time<1ms TTL=126 
Reply from 100.100.100.2: bytes=32 time<1ms TTL=126 
 
Successful.
 
Now on Customer Router 
 
 
 
S* indicates default route 
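How the CUSTOMER router uses the default route as a "catch all" can be reproduced offline. This is an added example, not part of the original lab guide: it installs the best candidate per prefix by administrative distance and metric (the two numbers shown as [1/0] and [120/1] in the show ip route outputs of these labs) and then forwards by longest-prefix match. The Route type, the function names and the two extra routes for 100.100.100.0/24 are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple


class Route(NamedTuple):
    code: str       # code letter printed by "show ip route" (C, S, S*, R)
    prefix: str
    via: str        # next-hop address or exit interface
    distance: int   # administrative distance, the first number in [AD/metric]
    metric: int


# CUSTOMER router after LAB 16: two connected networks plus the static default route.
CUSTOMER = [
    Route("C", "192.168.10.0/24", "FastEthernet0/1", 0, 0),
    Route("C", "103.13.148.0/29", "FastEthernet0/0", 0, 0),
    Route("S*", "0.0.0.0/0", "103.13.148.2", 1, 0),
]

# Constructed extra candidates (not configured in the lab) for the same prefix.
RIP_TO_ISP_LAN = Route("R", "100.100.100.0/24", "103.13.148.2", 120, 1)
STATIC_TO_ISP_LAN = Route("S", "100.100.100.0/24", "103.13.148.2", 1, 0)


def build_table(candidates):
    """Install, per prefix, the candidate with the lowest (distance, metric)."""
    table = {}
    for route in candidates:
        net = ipaddress.ip_network(route.prefix)
        current = table.get(net)
        if current is None or (route.distance, route.metric) < (current.distance, current.metric):
            table[net] = route
    return table


def lookup(table, destination):
    """Longest-prefix match. Returns the winning Route, or None if unreachable."""
    dest = ipaddress.ip_address(destination)
    matches = [net for net in table if dest in net]
    if not matches:
        return None
    return table[max(matches, key=lambda net: net.prefixlen)]


if __name__ == "__main__":
    table = build_table(CUSTOMER)
    for target in ("192.168.10.5", "103.13.148.2", "100.100.100.2"):
        print(target, "->", lookup(table, target))
```
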
 
 
 
 
 
On ISP Router 
 
 
 
S indicates static route

RIPv2 Configuration
 
Dynamic Routing Protocol 
 
• Interior Gateway Protocol - RIP, IGRP, EIGRP, OSPF, IS-IS
• Distance vector - RIP, IGRP
• Link-state - OSPF, IS-IS
• Hybrid - EIGRP
• Exterior Gateway Protocol - BGP
 
IGPs are used for routing within networks that are under a common network administration, 
whereas EGP (exterior gateway protocols) are used to exchange routing information between 
networks. 
 
RIP - Distance Vector Routing Protocol 
 
RIP Fundamentals (RIPv2) 
 
• Distance-vector protocol.
• Uses UDP port 520.
• Classless protocol (support for CIDR).
• Supports VLSMs.
• Metric is router hop count.
• Maximum hop count is 15; infinite (unreachable) routes have a metric of 16.
• Periodic route updates sent every 30 seconds to multicast address 224.0.0.9.
 
• 25 routes per RIP message (24 if you use authentication).
• Supports authentication.
• Implements split horizon with poison reverse.
• Implements triggered updates.
• Subnet mask included in route entry.
• Administrative distance for RIPv2 is 120.
• Used in small, flat networks or at the edge of larger networks.
• Prevents routing loops (Split Horizon, Route Poisoning, Hold-down Timers and Maximum Hop Count)
 
Hello and Dead Time

RIPv2:
  Hello interval = 30 sec
  Dead interval = 30*6 = 180
  Hold down timers = 180 sec
  Flush timers = 240 sec

EIGRP:
  Hello sends every 5 sec, dead 15 sec (point to point)
  In NBMA, hello interval = 60 sec and dead = 180 sec

OSPF:
  ppp hello 10 dead 40
  broadcast same
  But in point to multipoint hello is 30 sec, dead 120 sec
 
 
 
RIPV2 CONFIGURATION LAB 
 
 
 
Objective: 
• Basic Configuration of Router
• Assign IP Address to Hosts
• RIP Configuration
• Configure Passive Interface
• Configure Authentication (MD5)
 
1. Basic Configuration of Router 
DU Router 
Router>en 
Router#conf t 
Enter configuration commands, one per line. End with CNTL/Z. 
Router(config)#hostname DU 
 
DU(config)#interface fastEthernet 0/1 
DU(config-if)#description Connected to LAN 
DU(config-if)#ip address 192.168.10.1 255.255.255.0 
DU(config-if)#no shutdown 
DU(config-if)#exit 
 
DU(config)#interface fastEthernet 0/0 
DU(config-if)#ip address 103.13.148.1 255.255.255.248 
DU(config-if)#no shutdown 
DU(config-if)#description Connected to BUET router 
DU(config-if)#exit 
 
BUET 
Router>en 
Router#conf t 
Enter configuration commands, one per line. End with CNTL/Z. 
Router(config)#hostname BUET 
 
BUET(config)#interface fastEthernet 0/0 
BUET(config-if)#description to DU Router 
BUET(config-if)#ip address 103.13.148.2 255.255.255.248 
BUET(config-if)#no shutdown 
BUET(config-if)#exit 
 
BUET(config)#interface fastEthernet 0/1 
 
BUET(config-if)#description connected to BUET LAN 
BUET(config-if)#ip address 100.100.100.1 255.255.255.0 
BUET(config-if)#no shutdown 
BUET(config-if)#exit 
 
2. Assign IP Address to Hosts 
 
 
 
 
 
 
 
 
LAB 17 : RIP Basic Configuration 
DU(config)#router rip 
DU(config-router)#version 2 
DU(config-router)#network 192.168.10.0 
DU(config-router)#network 103.13.148.248 
DU(config-router)#no auto-summary 
 
BUET(config)#router rip 
BUET(config-router)#version 2 
BUET(config-router)#network 100.100.100.0 
BUET(config-router)#network 103.13.148.248 
BUET(config-router)#no auto-summary 
 
The network command sends RIP updates to the associated network. We specify only the directly connected networks of this router.

Auto summarization is turned on by default for RIPv2 and EIGRP, although these are classless routing protocols. So you have to manually make them classless with the "no auto-summary" command.
 
Verification 
 
R indicates RIP generated Routes 
Apply ping from DU LAN to BUET LAN 
C:\>ping 100.100.100.100 
 
Pinging 100.100.100.100 with 32 bytes of data: 
 
Reply from 100.100.100.100: bytes=32 time=2ms TTL=126 
Reply from 100.100.100.100: bytes=32 time<1ms TTL=126 
Reply from 100.100.100.100: bytes=32 time<1ms TTL=126 
Reply from 100.100.100.100: bytes=32 time<1ms TTL=126 
 
LAB 18 : Configure Passive Interface 
 
RIP updates will be sent out of all interfaces covered by a network command. But we don't need to send updates everywhere. In our lab, the DU router does not need to send RIP updates to the LAN switch.
 
We can use the passive-interface command to prevent RIP updates from being sent.

DU(config-router)#passive-interface fastEthernet 0/1
 
Verification 
DU#show ip protocols 
 
Routing Protocol is "rip" 
Sending updates every 30 seconds, next due in 17 seconds 
Invalid after 180 seconds, hold down 180, flushed after 240 
Outgoing update filter list for all interfaces is not set 
Incoming update filter list for all interfaces is not set 
Redistributing: rip 
Default version control: send version 2, receive 2 
Interface Send Recv Triggered RIP Key-chain 
FastEthernet0/0 2 2 
Automatic network summarization is not in effect 
Maximum path: 4 
Routing for Networks: 
103.0.0.0 
192.168.10.0 
Passive Interface(s): 
FastEthernet0/1 
Routing Information Sources: 
Gateway Distance Last Update 
103.13.148.2 120 00:00:04 
Distance: (default is 120) 
DU# 
 
 
RIP sends updates only to 224.0.0.9 (multicast address) via F0/0 (103.13.148.1), not to 192.168.10.0/24.
 
BUET#show ip route rip 
 
103.0.0.0/29 is subnetted, 1 subnets 
R 192.168.10.0/24 [120/1] via 103.13.148.1, 00:00:15, FastEthernet0/0 
 
We can see that the network is advertised, but no RIP updates are sent towards the DU LAN.
 
LAB 19: Configure RIP Authentication 
 
Plain text authentication mode is the default setting in every RIPv2 packet, when 
authentication is enabled. Plain text authentication should not be used when security is an 
issue, because the unencrypted authentication password is sent in every RIPv2 packet. Note: 
RIP version 1 (RIPv1) does not support authentication. 
 
N.B. I have used GNS3 to configure this LAB 
 
Objective: 
 
1. Basic configuration of Router R1 and R2 
2. Configure RIP 
3. Assign IP address to hosts 
4. Verify Configuration 
5. Configure Authentication 
6. Verify 
 
Basic configuration of Router R1 
 
DU(config)#interface fastEthernet 0/0 
DU(config-if)#ip address 192.168.10.1 255.255.255.0 
DU(config-if)#no shutdown 
DU(config-if)#exit 
 
DU(config)#interface fastEthernet 0/1 
DU(config-if)#ip address 192.168.20.1 255.255.255.0 
DU(config-if)#no shutdown 
DU(config-if)#exit 
 
RIP Configuration 
 
DU(config)#router rip 
DU(config-router)#version 2 
DU(config-router)#network 192.168.10.0 
DU(config-router)#network 192.168.20.0 
DU(config-router)#no auto-summary 
DU(config-router)#end 
DU# 
 
Basic configuration of Router R2 
 
BUET#conf t 
Enter configuration commands, one per line. End with CNTL/Z. 
BUET(config)#interface fastEthernet 0/0 
BUET(config-if)#ip address 192.168.10.2 255.255.255.0
BUET(config-if)#no shutdown 
BUET(config-if)#exit 
BUET(config)#interface fastEthernet 0/1 
BUET(config-if)#ip address 192.168.30.1 255.255.255.0 
BUET(config-if)#no shutdown 
BUET(config-if)#exit 
 
Configure RIP on R2 
BUET(config)#router rip 
BUET(config-router)#version 2 
BUET(config-router)#network 192.168.10.0 
BUET(config-router)#network 192.168.30.0 
 
BUET(config-router)#no auto-summary 
BUET(config-router)#end 
BUET# 
 
Assign IP address to hosts and verify connectivity using ping command 
 
 
 
 
 
 
 
DU#show ip route rip 
R 192.168.30.0/24 [120/1] via 192.168.10.2, 00:00:26, FastEthernet0/0 
DU# 
 
R2#show ip route rip 
R 192.168.20.0/24 [120/1] via 192.168.10.1, 00:00:27, FastEthernet0/0 
R2# 
 
 
 
 
 
Configure Authentication 
MD5 Authentication 
 
The Cisco implementation of RIP v2 supports MD5 authentication. This provides a higher level 
of security over clear text. Both router interfaces need to be configured with MD5 
authentication. The key number and key string must match on both sides, or authentication 
will fail. 
 
DU Router 
 
DU(config)#key chain venus 
(Name a key chain) 
 
DU(config-keychain)#key 1 
(This is the Identification number of an authentication key on a key chain) 
 
DU(config-keychain-key)#key-string ashish 
(The actual password or key-string. It needs to be identical to the key-string on the remote router)
 
DU(config-keychain-key)#exit 
DU(config-keychain)#exit 
 
BUET Router 
 
BUET(config)#key chain venus 
BUET(config-keychain)#key 1 
BUET(config-keychain-key)#key-string ashish 
BUET(config-keychain-key)#exit 
BUET(config-keychain)#exit 
BUET(config)# 
 
Apply it to Interface 
DU(config)#interface fastEthernet 0/0 
DU(config-if)#ip rip authentication mode md5 
 
Now use the debug command to check what happens if MD5 is enabled on the DU router and not on the BUET router:
BUET#debug ip rip 
RIP protocol debugging is on 
BUET# 
 
*Mar 1 00:09:03.883: RIP: ignored v2 packet from 192.168.10.1 (invalid authentication) 
*Mar 1 00:09:03.951: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (192.168.10.2) 
*Mar 1 00:09:03.951: RIP: build update entries 
*Mar 1 00:09:03.951: 192.168.30.0/24 via 0.0.0.0, metric 1, tag 0 
*Mar 1 00:09:09.847: 192.168.20.0/24 via 0.0.0.0, metric 2, tag 0u 
BUET#undebug all 
 
BUET ROUTER 
BUET(config)#interface fastEthernet 0/0 
BUET(config-if)#ip rip authentication mode md5 
BUET(config-if)#end 
 
Now verify 
BUET#debug ip rip 
RIP protocol debugging is on 
BUET# 
*Mar 1 00:09:58.267: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (192.168.10.2) 
*Mar 1 00:09:58.267: RIP: build update entries 
*Mar 1 00:09:58.267: 192.168.30.0/24 via 0.0.0.0, metric 1, tag 0 
*Mar 1 00:09:59.131: RIP: received packet with MD5 authentication 
*Mar 1 00:09:59.131: RIP: received v2 update from 192.168.10.1 on FastEthernet0/0 
*Mar 1 00:09:59.135: 192.168.20.0/24 via 0.0.0.0 in 1 hops 
BUET #undebug all 
All possible debugging has been turned off 
 
Plain text Authentication 
 
DU(config)#interface fastEthernet 0/0 
DU(config-if)#ip rip authentication key-chain venus 
DU(config-if)#end 
 
BUET(config)#int fastEthernet 0/0 
BUET(config-if)#ip rip authentication key-chain venus 
BUET(config-if)#end 
 
 
Verification 
 
DU#debug ip rip 
RIP protocol debugging is on 
DU# 
*Mar 1 00:07:21.115: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/1 
(192.168.20.1) 
*Mar 1 00:07:21.115: RIP: build update entries 
*Mar 1 00:07:21.115: 192.168.10.0/24 via 0.0.0.0, metric 1, tag 0 
*Mar 1 00:07:21.119: 192.168.30.0/24 via 0.0.0.0, metric 2, tag 0 
DU# 
*Mar 1 00:07:39.775: RIP: received packet with text authentication ashish 
*Mar 1 00:07:39.775: RIP: received v2 update from 192.168.10.2 on FastEthernet0/0 
*Mar 1 00:07:39.779: 192.168.30.0/24 via 0.0.0.0 in 1 hops 
DU# 
*Mar 1 00:07:41.939: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 
(192.168.10.1) 
*Mar 1 00:07:41.939: RIP: build update entries 
*Mar 1 00:07:41.939: 192.168.20.0/24 via 0.0.0.0, metric 1, tag 0 
DU# 
*Mar 1 00:07:48.647: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/1 
(192.168.20.1) 
*Mar 1 00:07:48.647: RIP: build update entries 
*Mar 1 00:07:48.647: 192.168.10.0/24 via 0.0.0.0, metric 1, tag 0 
*Mar 1 00:07:48.651: 192.168.30.0/24 via 0.0.0.0, metric 2, tag 0 
DU#undebug all 
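The difference between the two modes is visible at packet level: with plain text the key-string travels in every update (which is why the debug output above prints "ashish"), while with MD5 only a digest is sent and a mode or key mismatch gives "invalid authentication". This is an added example, not part of the original lab guide; it assumes the RFC 2453 plain-text layout and the RFC 2082 keyed-MD5 layout, omits the sequence-number replay check, and all function names are hypothetical.

```python
import hashlib
import hmac
import ipaddress
import struct

RESPONSE, VERSION_2 = 2, 2
AUTH_AFI = 0xFFFF                      # address family that marks an authentication entry
TYPE_TRAILER, TYPE_TEXT, TYPE_MD5 = 1, 2, 3


def _pad16(secret):
    """Key-string as the 16-byte, NUL-padded field used in the packet."""
    return secret.encode()[:16].ljust(16, b"\0")


def _header():
    return struct.pack("!BBH", RESPONSE, VERSION_2, 0)


def _entries(routes):
    """20-byte route entries: AFI, tag, address, mask, next hop, metric."""
    out = b""
    for prefix, metric in routes:
        net = ipaddress.ip_network(prefix)
        out += struct.pack("!HH4s4s4sI", 2, 0, net.network_address.packed,
                           net.netmask.packed, bytes(4), metric)
    return out


def build_text(password, routes):
    """Plain-text mode: the password itself is the first 'route entry'."""
    auth = struct.pack("!HH16s", AUTH_AFI, TYPE_TEXT, _pad16(password))
    return _header() + auth + _entries(routes)


def build_md5(key, key_id, sequence, routes):
    """Keyed MD5: digest over the packet followed by the padded key."""
    entries = _entries(routes)
    trailer_offset = 4 + 20 + len(entries)
    auth = struct.pack("!HHHBBI8s", AUTH_AFI, TYPE_MD5, trailer_offset,
                       key_id, 16, sequence, bytes(8))
    signed = _header() + auth + entries + struct.pack("!HH", AUTH_AFI, TYPE_TRAILER)
    return signed + hashlib.md5(signed + _pad16(key)).digest()


def check_packet(packet, mode, key, key_id=1):
    """Receiver side. mode is the interface setting: None, "text" or "md5"."""
    if len(packet) < 24:
        return False, "too short"
    afi, auth_type = struct.unpack("!HH", packet[4:8])
    received = {TYPE_TEXT: "text", TYPE_MD5: "md5"}.get(auth_type) if afi == AUTH_AFI else None
    if received != mode:
        return False, "invalid authentication"   # mode mismatch between the routers
    if mode is None:
        return True, "ok"
    if mode == "text":
        good = hmac.compare_digest(packet[8:24], _pad16(key))
    else:
        offset, rx_key_id, auth_len = struct.unpack("!HBB", packet[8:12])
        signed = packet[:offset + 4]
        digest = packet[offset + 4:offset + 4 + auth_len]
        expected = hashlib.md5(signed + _pad16(key)).digest()
        good = rx_key_id == key_id and hmac.compare_digest(digest, expected)
    return (True, "ok") if good else (False, "invalid authentication")


def exposed_secret(packet):
    """What anyone on the segment can read directly from the update."""
    afi, auth_type = struct.unpack("!HH", packet[4:8])
    if afi == AUTH_AFI and auth_type == TYPE_TEXT:
        return packet[8:24].rstrip(b"\0").decode(errors="replace")
    return None


if __name__ == "__main__":
    routes = [("192.168.20.0/24", 1)]            # the route DU advertises in this lab
    text_pkt = build_text("ashish", routes)
    md5_pkt = build_md5("ashish", 1, 1, routes)
    print("plain text exposes:", exposed_secret(text_pkt))
    print("md5 exposes:", exposed_secret(md5_pkt))
    print("md5 sender, receiver without md5:", check_packet(md5_pkt, None, "ashish"))
    print("md5 on both sides:", check_packet(md5_pkt, "md5", "ashish"))
```
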
 
 
Introduction to EIGRP 
 
• Distance vector routing protocol.
• EIGRP was created by Cisco which means you can only run it on Cisco hardware.
• Cisco added some of the features from link-state routing protocols to EIGRP, which makes it far more advanced than a true distance vector routing protocol like RIP.
• EIGRP does not use broadcast packets to send information to other neighbors but will use multicast or unicast.
• Besides IPv4, you can also use EIGRP to route IPv6 or even some older network layer protocols like IPX or AppleTalk.
• EIGRP is 100% loop-free.
• EIGRP has its own protocol number, which is 88. Other protocol numbers you are familiar with are TCP (6) and UDP (17).
• EIGRP Tables:
  1. Neighbor Table
  2. Topology Table
  3. Routing Table
 
 
• EIGRP routers will start sending hello packets to other routers just like OSPF does; if you send hello packets and you receive them, you will become neighbors.
• EIGRP uses a rich set of metrics, namely bandwidth, delay, load and reliability. The lower these metrics the better.
• Sophisticated metric that supports load-balancing across unequal-cost paths.
• Supports authentication (MD5 authentication only)
• Manual summarization at any interface
• Uses multicast 224.0.0.10.
• EIGRP max hop count 255 (all 8 bits 11111111)
• Neighbor discovery and maintenance: Periodic hello messages
• EIGRP neighbor-ship conditions:
  • Both routers must be in the same primary subnet
  • Both routers must be configured to use the same k-values
  • Both routers must be in the same AS
  • Both routers must have the same authentication configuration (within reason)
  • The interfaces facing each other must not be passive
 
EIGRP’s function is controlled by four key technologies: 
 
• Neighbor discovery and maintenance: Periodic hello messages
• The Reliable Transport Protocol (RTP): Controls sending, tracking, and acknowledging EIGRP messages
• Diffusing Update Algorithm (DUAL): Determines the best loop-free route
• Protocol-independent modules (PDM): Modules are “plug-ins” for IP, IPX, and AppleTalk versions of EIGRP
 
EIGRP Neighborship Requirements and Conditions 
 
An EIGRP router doesn’t trust anyone blindly. It checks the following configuration values to ensure that the requesting router is eligible to become its neighbor.
 
1. Active Hello packets 
2. AS Number 
3. K-Values 
 
• If you lose the successor because of a link failure, EIGRP will copy/paste the feasible successor into the routing table. This is what makes EIGRP a FAST routing protocol… but only if you have a feasible successor in the topology table.

• RIP and OSPF both can do load balancing but the paths have to be equal. EIGRP can do unequal load balancing.
 
EIGRP Packets and Metrics 
 
EIGRP packets: 
Hello 
Update 
Query 
Reply 
ACK (Acknowledgement) 
 
Neighbor Discovery and Route Exchange 
 
Step 1. Router A sends out a hello. 
Step 2. Router B sends back a hello and an update. The update contains routing information. 
Step 3. Router A acknowledges the update. 
Step 4. Router A sends its update. 
Step 5. Router B acknowledges. 
 
A neighbor is considered lost if no hello is received within three hello periods (called the hold 
time). The default hello/hold timers are as follows: 
 
 5 seconds/15 seconds for multipoint circuits with bandwidth greater than T1 and for 
point-to-point media 
 
 60 seconds/180 seconds for multipoint circuits with bandwidth less than or equal to T1 
 
EIGRP Summarization 
 
 
EIGRP has two ways of summarizing networks: 
 
Automatic summarization: 
 
 Subnets are summarized to the classful network. 
 This is the default for EIGRP. 
And Manual summarization. 
 
 What if I entered a wrong key-string? 
 
authentication mismatch 
 
What are the k-values that EIGRP uses? 
 
k1 = bandwidth 
k2 = load 
k3 = delay 
k4 = reliability 
k5 = MTU 
 
LAB 20: EIGRP Neighbor Adjacency 
 
A loopback interface is a virtual interface, that is, an interface not associated with any 
hardware or network. 
 
Basic Configuration 
 
R1#conf t 
R1(config)#interface fastEthernet 0/0 
R1(config-if)#ip address 192.168.10.1 255.255.255.0 
R1(config-if)#no shutdown 
R1(config-if)#exit 
R1(config)#interface loopback 0 
R1(config-if)#ip address 10.10.10.1 255.255.255.0 
R1(config-if)#exit 
 
R2#conf t 
R2(config)#interface fastEthernet 0/0 
R2(config-if)#ip address 192.168.10.2 255.255.255.0 
R2(config-if)#no shutdown 
R2(config)#interface loopback 0 
R2(config-if)#ip address 11.11.11.1 255.255.255.0 
R2(config-if)#exit 
 
EIGRP Configuration 
 
 
R1#conf t 
R1(config)#router eigrp 10 
R1(config-router)#network 192.168.10.0 
R1(config-router)#network 10.10.10.0 0.0.0.255 
R1(config-router)#no auto-summary 
R1(config-router)#end 
------------------------------------------------ 
R2#conf t 
R2(config)#router eigrp 10 
R2(config-router)#network 192.168.10.0 
R2(config-router)#network 11.11.11.0 0.0.0.255 
R2(config-router)#no auto-summary 
R2(config-router)#end 
 
Verification 
 
 
 
R1#debug eigrp packets hello 
R1# 
*Mar 1 00:21:05.583: EIGRP: Received HELLO on FastEthernet0/0 nbr 192.168.10.2 
*Mar 1 00:21:05.583: AS 10, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0 
*Mar 1 00:21:06.139: EIGRP: Sending HELLO on Loopback0 
*Mar 1 00:21:06.139: AS 10, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 
 
*Mar 1 00:21:06.139: EIGRP: Received HELLO on Loopback0 nbr 10.10.10.1 
*Mar 1 00:21:06.139: AS 10, Flags 0x0, Seq 0/0 idbQ 0/0 
R1#undebug all 
 
LAB 21 : EIGRP Passive Interface 
 
 
 
If we want to advertise a network in EIGRP but do not want to send hello packets out of 
every interface, we can use the passive-interface feature. 
 
Basic Configuration 
 
R1#conf t 
R1(config)#interface fastEthernet 0/0 
R1(config-if)#ip address 192.168.10.1 255.255.255.0 
R1(config-if)#no shutdown 
R1(config-if)#exit 
R1(config)#interface loopback 0 
R1(config-if)#ip address 10.10.10.1 255.255.255.0 
R1(config-if)#exit 
 
R2#conf t 
R2(config)#interface fastEthernet 0/0 
R2(config-if)#ip address 192.168.10.2 255.255.255.0 
R2(config-if)#no shutdown 
R2(config)#interface loopback 0 
R2(config-if)#ip address 11.11.11.1 255.255.255.0 
R2(config-if)#exit 
 
 
 
EIGRP Configuration 
 
 
R1#conf t 
R1(config)#router eigrp 10 
R1(config-router)#network 192.168.10.0 
R1(config-router)#network 10.10.10.0 0.0.0.255 
R1(config-router)#no auto-summary 
R1(config-router)#end 
------------------------------------------------ 
R2#conf t 
R2(config)#router eigrp 10 
R2(config-router)#network 192.168.10.0 
R2(config-router)#network 11.11.11.0 0.0.0.255 
R2(config-router)#no auto-summary 
R2(config-router)#end 
 
We can configure a passive interface in two ways. We apply the first method on router R1 
and the second method on router R2. 
 
R1#conf t 
R1(config)#router eigrp 10 
R1(config-router)#passive-interface default 
*Mar 1 00:27:50.875: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor 
192.168.10.2 (FastEthernet0/0) is down: interface passive 
R1(config-router)#no passive-interface fastEthernet 0/0 
*Mar 1 00:28:00.727: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor 
192.168.10.2 (FastEthernet0/0) is up: new adjacency 
R1(config-router)# 
The passive-interface default command makes all interfaces passive; we then re-enable 
EIGRP on a specific interface with the "no passive-interface" command. 
 
N.B. The interface facing a neighbor must not be passive, otherwise no neighborship will be 
formed with the neighbor routers. 
 
Verification 
 
R1#show ip protocols 
 
Routing Protocol is "eigrp 10" 
 Routing for Networks: 
 
 10.10.10.0/24 
 192.168.10.0 
 Passive Interface(s): 
 Serial0/0 
 FastEthernet0/1 
 Serial0/1 
 Serial0/2 
 FastEthernet1/0 
 Loopback0 
 VoIP-Null0 
 
Second Method 
R2(config)#router eigrp 10 
R2(config-router)#passive-interface loopback 0 
R2(config-router)# 
 
This is another way to make an interface passive. 
R2#show ip protocols 
 
Routing Protocol is "eigrp 10" 
 Routing for Networks: 
 11.11.11.0/24 
 192.168.10.0 
 Passive Interface(s): 
 Loopback0 
 Routing Information Sources: 
 Gateway Distance Last Update 
 (this router) 90 00:23:10 
 192.168.10.1 90 00:05:44 
 Distance: internal 90 external 170 
------------------------------------------------------------------------------------------------- 
R2#debug eigrp packets hello 
 
EIGRP Packets debugging is on 
 (HELLO) 
R2# 
*Mar 1 00:37:39.787: EIGRP: Sending HELLO on FastEthernet0/0 
*Mar 1 00:37:39.787: AS 10, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 
R2# 
*Mar 1 00:37:42.255: EIGRP: Received HELLO on FastEthernet0/0 nbr 192.168.10.1 
*Mar 1 00:37:42.259: AS 10, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0 
R2# 
 
*Mar 1 00:37:44.567: EIGRP: Sending HELLO on FastEthernet0/0 
*Mar 1 00:37:44.567: AS 10, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 
R2# 
*Mar 1 00:37:46.671: EIGRP: Received HELLO on FastEthernet0/0 nbr 192.168.10.1 
*Mar 1 00:37:46.671: AS 10, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0 
R2# 
*Mar 1 00:37:49.563: EIGRP: Sending HELLO on FastEthernet0/0 
*Mar 1 00:37:49.563: AS 10, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 
R2#undebu 
*Mar 1 00:37:51.143: EIGRP: Received HELLO on FastEthernet0/0 nbr 192.168.10.1 
*Mar 1 00:37:51.147:AS 10, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0 
R2#undebug all 
All possible debugging has been turned off 
R2# 
*Mar 1 00:37:53.871: EIGRP: Sending HELLO on FastEthernet0/0 
*Mar 1 00:37:53.871: AS 10, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 
R2# 
 
------------------------------------------------------------------------------------------------------------------------------------------ 
 
LAB 22: EIGRP Authentication 
 
EIGRP only supports the MD5 authentication method. 
 
EIGRP provides benefits like fast convergence, incremental updates and support for multiple 
network layer protocols. EIGRP supports Message Digest 5 (MD5) authentication to prevent 
malicious and incorrect routing information from being introduced into the routing table of a 
Cisco router. 
 
Basic Configuration 
 
R1#conf t 
R1(config)#interface fastEthernet 0/0 
R1(config-if)#ip address 192.168.10.1 255.255.255.0 
R1(config-if)#no shutdown 
R1(config-if)#exit 
R1(config)#interface loopback 0 
R1(config-if)#ip address 10.10.10.1 255.255.255.0 
R1(config-if)#exit 
 
R2#conf t 
R2(config)#interface fastEthernet 0/0 
R2(config-if)#ip address 192.168.10.2 255.255.255.0 
R2(config-if)#no shutdown 
R2(config)#interface loopback 0 
R2(config-if)#ip address 11.11.11.1 255.255.255.0 
R2(config-if)#exit 
 
EIGRP Configuration 
 
 
R1#conf t 
R1(config)#router eigrp 10 
R1(config-router)#network 192.168.10.0 
R1(config-router)#network 10.10.10.0 0.0.0.255 
R1(config-router)#no auto-summary 
R1(config-router)#end 
 
R2#conf t 
R2(config)#router eigrp 10 
R2(config-router)#network 192.168.10.0 
R2(config-router)#network 11.11.11.0 0.0.0.255 
R2(config-router)#no auto-summary 
R2(config-router)#end 
 
EIGRP Authentication 
 
R1(config)#key chain venus 
Specify the keychain name 
R1(config-keychain)#key 1 
Specify the key ID 
R1(config-keychain-key)#key-string ccnp 
Specify the password 
R1(config)#interface fastEthernet 0/0 
R1(config-if)#ip authentication mode eigrp 10 md5 
Specify MD5 authentication for the EIGRP packets 
R1(config-if)#ip authentication key-chain eigrp 10 venus 
Apply key chain on the interface connecting to the other router. 
 
N.B. A shared authentication key, which is the same on both routers, must be configured. The 
password is known as the ‘key’. 
R2(config)#key chain venus 
R2(config-keychain)#key 1 
R2(config-keychain-key)#key-string ccnp 
R2(config-keychain-key)#exit 
R2(config)#interface fastEthernet 0/0 
R2(config-if)#ip authentication mode eigrp 10 md5 
R2(config-if)#ip authentication key-chain eigrp 10 venus 
*Mar 1 01:31:02.455: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor 
192.168.10.1 (FastEthernet0/0) is up: new adjacency 
R2(config-if)# 
R1#show ip eigrp interfaces detail 
 
IP-EIGRP interfaces for process 10 
 Xmit Queue Mean Pacing Time Multicast Pending 
Interface Peers Un/Reliable SRTT Un/Reliable Flow Timer Routes 
Fa0/0 1 0/0 29 0/2 144 0 
 Hello interval is 5 sec 
 Next xmit serial <none> 
 Un/reliable mcasts: 0/5 Un/reliable ucasts: 10/13 
 Mcast exceptions: 5 CR packets: 4 ACKs suppressed: 0 
 Retransmissions sent: 3 Out-of-sequence rcvd: 1 
 Authentication mode is md5, key-chain is "venus" 
 Use multicast 
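
The neighbor-ship conditions listed earlier (same primary subnet, same AS, same K-values, matching authentication, non-passive interfaces) can be checked offline before a change is applied. The Python code below is an added example, not part of the original lab guide; its function names are hypothetical and the sample configs are constructed from the R1/R2 values in LAB 21 and LAB 22. It assumes running-config style input and, as a simplification, compares only the lowest-numbered key of each key chain and ignores key lifetimes.

```python
import ipaddress
import re

DEFAULT_K = (1, 0, 1, 0, 0)  # IOS defaults for K1..K5

def parse_config(text):
    """Collect the adjacency-relevant EIGRP settings from running-config text."""
    cfg = {"as": None, "k": DEFAULT_K, "passive_default": False,
           "passive": set(), "active": set(), "ifaces": {}, "chains": {}}
    section = name = key_id = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():  # unindented line: a new top-level section
            section = name = key_id = None
            if m := re.fullmatch(r"interface (\S+)", line):
                section, name = "if", m[1]
                cfg["ifaces"][name] = {"net": None, "mode": None, "chain": None}
            elif m := re.fullmatch(r"router eigrp (\d+)", line):
                section, cfg["as"] = "eigrp", int(m[1])
            elif m := re.fullmatch(r"key chain (\S+)", line):
                section, name = "chain", m[1]
                cfg["chains"][name] = {}
        elif section == "chain":
            if m := re.fullmatch(r"key (\d+)", line):
                key_id = int(m[1])
            elif (m := re.fullmatch(r"key-string (\S+)", line)) and key_id is not None:
                cfg["chains"][name][key_id] = m[1]
        elif section == "if":
            iface = cfg["ifaces"][name]
            if m := re.fullmatch(r"ip address (\S+) (\S+)", line):  # primary only
                iface["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
            elif m := re.fullmatch(r"ip authentication mode eigrp \d+ (\S+)", line):
                iface["mode"] = m[1]
            elif m := re.fullmatch(r"ip authentication key-chain eigrp \d+ (\S+)", line):
                iface["chain"] = m[1]
        elif section == "eigrp":
            if m := re.fullmatch(r"metric weights \d+ (\d+) (\d+) (\d+) (\d+) (\d+)", line):
                cfg["k"] = tuple(int(x) for x in m.groups())
            elif line == "passive-interface default":
                cfg["passive_default"] = True
            elif m := re.fullmatch(r"(no )?passive-interface (\S+)", line):
                cfg["active" if m[1] else "passive"].add(m[2])
    return cfg

def is_passive(cfg, ifname):
    """An explicit 'no passive-interface' overrides 'passive-interface default'."""
    return ifname not in cfg["active"] and (cfg["passive_default"] or ifname in cfg["passive"])

def auth_material(cfg, ifname):
    """(mode, key id, key string) for the interface; lowest key id, lifetimes ignored."""
    iface = cfg["ifaces"][ifname]
    keys = cfg["chains"].get(iface["chain"], {})
    if iface["mode"] is None or not keys:
        return (iface["mode"], None, None)
    kid = min(keys)
    return (iface["mode"], kid, keys[kid])

def adjacency_blockers(a, if_a, b, if_b):
    """Return the neighbor-ship conditions from the guide that this pair fails."""
    problems = []
    if a["ifaces"][if_a]["net"] != b["ifaces"][if_b]["net"]:
        problems.append("primary subnet mismatch")
    if a["as"] != b["as"]:
        problems.append("AS number mismatch")
    if a["k"] != b["k"]:
        problems.append("K-value mismatch")
    if auth_material(a, if_a) != auth_material(b, if_b):
        problems.append("authentication mismatch")
    for label, cfg, ifname in (("A", a, if_a), ("B", b, if_b)):
        if is_passive(cfg, ifname):
            problems.append(f"router {label} interface {ifname} is passive")
    return problems

# Constructed sample configs using the R1/R2 values from LAB 21 and LAB 22.
R1 = """\
key chain venus
 key 1
  key-string ccnp
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip authentication mode eigrp 10 md5
 ip authentication key-chain eigrp 10 venus
router eigrp 10
 network 192.168.10.0
 passive-interface default
 no passive-interface FastEthernet0/0
"""
R2 = R1.replace("192.168.10.1 ", "192.168.10.2 ")
R2_BAD_KEY = R2.replace("key-string ccnp", "key-string ccna")  # wrong key-string
R2_PASSIVE = R2.replace(" no passive-interface FastEthernet0/0\n", "")

if __name__ == "__main__":
    for peer in (R2, R2_BAD_KEY, R2_PASSIVE):
        print(adjacency_blockers(parse_config(R1), "FastEthernet0/0",
                                 parse_config(peer), "FastEthernet0/0"))
```

An empty list means none of the listed conditions blocks the adjacency; the wrong key-string case reports the same "authentication mismatch" the guide mentions.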
 
 
LAB 23: Configure EIGRP Hold time and Hello time 
 
 
 
 
 
 
Basic Configuration 
 
R1#conf t 
R1(config)#interface fastEthernet 0/0 
R1(config-if)#ip address 192.168.10.1 255.255.255.0 
R1(config-if)#no shutdown 
R1(config-if)#exit 
R1(config)#interface loopback 0 
R1(config-if)#ip address 10.10.10.1 255.255.255.0 
R1(config-if)#exit 
 
R2#conf t 
R2(config)#interface fastEthernet 0/0 
R2(config-if)#ip address 192.168.10.2 255.255.255.0 
R2(config-if)#no shutdown 
R2(config)#interface loopback 0 
R2(config-if)#ip address 11.11.11.1 255.255.255.0 
R2(config-if)#exit 
 
EIGRP Configuration 
 
 
R1#conf t 
R1(config)#router eigrp 10 
R1(config-router)#network 192.168.10.0 
R1(config-router)#network 10.10.10.0 0.0.0.255 
R1(config-router)#no auto-summary 
R1(config-router)#end 
 
 
R2#conf t 
R2(config)#router eigrp 10 
R2(config-router)#network 192.168.10.0 
R2(config-router)#network 11.11.11.0 0.0.0.255 
R2(config-router)#no auto-summary 
R2(config-router)#end 
 
EIGRP uses two default hello/hold timer pairs: 
 
Hello/Hold timer 5/15 (point to point / Broadcast Network) 
Hello/Hold timer 60/180 (NBMA) 
 
 
The timers can be changed as follows: 
 
R1(config)#interface fastEthernet 0/0 
R1(config-if)#ip hello-interval eigrp 10 30 
R1(config-if)#ip hold-time eigrp 10 90 
R1(config-if)#end 
 
R2(config)#interface fastEthernet 0/0 
R2(config-if)#ip hello-interval eigrp 10 300 
R2(config-if)#ip hold-time eigrp 10 3600 
 
N.B. It is possible for two routers to become EIGRP neighbors even though the hello and hold 
timers do not match. 
 
 
 
LAB 24: EIGRP Summarization 
 
Summarization is used to reduce the size of a routing table thus reducing the load on CPU and 
memory. 
 
There are two types of summarization: 
 
 Auto summarization - it will advertise the classful A, B or C network to its neighbors. 
By default, the “auto-summary” command is enabled. 
 Manual summarization - Here we will describe it........ 
 
 
 
 
Basic Configuration of R1 and R2 
R1#conf t 
R1(config)#interface fastEthernet 0/0 
R1(config-if)#ip address 192.168.10.1 255.255.255.0 
R1(config-if)#no shutdown 
R1(config-if)#exit 
R1(config)#interface loopback 0 
R1(config-if)#ip address 172.16.0.1 255.255.255.0 
R1(config-if)#interface loopback 1 
R1(config-if)#ip address 172.16.1.1 255.255.255.0 
R1(config-if)#interface loopback 2 
R1(config-if)#ip address 172.16.2.1 255.255.255.0 
R1(config-if)#interface loopback 3 
R1(config-if)#ip address 172.16.3.1 255.255.255.0 
R1(config-if)#interface loopback 4 
R1(config-if)#ip address 172.16.4.1 255.255.255.0 
R1(config-if)# 
 
R2#conf t 
R2(config)#interface fastEthernet 0/0 
R2(config-if)#ip address 192.168.10.2 255.255.255.0 
R2(config-if)#no shutdown 
R2(config-if)#exit 
 
EIGRP Configuration 
R1#conf t 
R1(config)#router eigrp 10 
R1(config-router)#network 192.168.10.0 
R1(config-router)#network 172.16.0.0 
R1(config-router)#network 172.16.1.0 
R1(config-router)#network 172.16.2.0 
R1(config-router)#network 172.16.3.0 
R1(config-router)#network 172.16.4.0 
R1(config-router)#no auto-summary 
------------------------------------------------------------------- 
R2(config)#router eigrp 10 
R2(config-router)#network 192.168.10.0 
 
R2(config-router)#no auto-summary 
R2(config-router)#end 
 
Now see the routing table 
 
R1#show ip route 
 
C 192.168.10.0/24 is directly connected, FastEthernet0/0 
 172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks 
C 172.16.4.0/24 is directly connected, Loopback4 
C 172.16.0.0/24 is directly connected, Loopback0 
D 172.16.0.0/16 is a summary, 00:00:30, Null0 
C 172.16.1.0/24 is directly connected, Loopback1 
C 172.16.2.0/24 is directly connected, Loopback2 
C 172.16.3.0/24 is directly connected, Loopback3 
 
R2#show ip route 
 
C 192.168.10.0/24 is directly connected, FastEthernet0/0 
 172.16.0.0/24 is subnetted, 5 subnets 
D 172.16.4.0 [90/409600] via 192.168.10.1, 00:00:07, FastEthernet0/0 
D 172.16.0.0 [90/409600] via 192.168.10.1, 00:00:07, FastEthernet0/0 
D 172.16.1.0 [90/409600] via 192.168.10.1, 00:00:07, FastEthernet0/0 
D 172.16.2.0 [90/409600] via 192.168.10.1, 00:00:07, FastEthernet0/0 
D 172.16.3.0 [90/409600] via 192.168.10.1, 00:00:07, FastEthernet0/0 
 
Router R2 receives several EIGRP routes from R1, so we will now reduce the size of R2's 
routing table. 
 
We will create the summary (Manual Summarization) 
R1(config)#interface fastEthernet 0/0 
R1(config-if)#ip summary-address eigrp 10 172.16.0.0 255.255.248.0 
 
Verification 
R2#show ip route 
C 192.168.10.0/24 is directly connected, FastEthernet0/0 
 172.16.0.0/21 is subnetted, 1 subnets 
D 172.16.0.0 [90/409600] via 192.168.10.1, 00:00:15, FastEthernet0/0 
 
 
R2#show ip route eigrp 
 172.16.0.0/21 is subnetted, 1 subnets 
D 172.16.0.0 [90/409600] via 192.168.10.1, 00:05:05, FastEthernet0/0 
 
Now we can see that router R2 has only one summary route. 
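
The summary masks used in LAB 24 and LAB 25 can be derived rather than guessed. The Python code below is an added example, not part of the original lab guide, with hypothetical function names: it computes the smallest single prefix covering a set of subnets, renders it in the `ip summary-address` form used above, and lists any address space the summary claims that no configured subnet actually provides.

```python
import ipaddress

def summary_for(subnets):
    """Smallest single prefix that contains every subnet in the list."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    prefixlen = 32 - (lo ^ hi).bit_length()            # number of shared leading bits
    base = lo >> (32 - prefixlen) << (32 - prefixlen)  # clear the host bits
    return ipaddress.ip_network(f"{ipaddress.ip_address(base)}/{prefixlen}")

def unowned_space(summary, subnets):
    """Blocks covered by the summary that none of the real subnets account for."""
    remaining = [summary]
    for s in subnets:
        net = ipaddress.ip_network(s)
        kept = []
        for block in remaining:
            if net.subnet_of(block):
                kept.extend(block.address_exclude(net))  # carve the subnet out
            elif not block.subnet_of(net):
                kept.append(block)                       # untouched by this subnet
        remaining = kept
    return list(ipaddress.collapse_addresses(remaining))

def ios_summary_command(asn, summary):
    """Render the interface command in the form used in the lab."""
    return f"ip summary-address eigrp {asn} {summary.network_address} {summary.netmask}"

# Loopback subnets taken from LAB 24 (R1) and LAB 25 (DU).
LAB24 = [f"172.16.{i}.0/24" for i in range(5)]
LAB25 = [f"172.16.{i}.0/24" for i in range(4)]

if __name__ == "__main__":
    for name, subnets in (("LAB 24", LAB24), ("LAB 25", LAB25)):
        s = summary_for(subnets)
        print(name, ios_summary_command(10, s), "unowned:", unowned_space(s, subnets))
```

For LAB 24 the /21 also claims 172.16.5.0/24 and 172.16.6.0/23, which R1 does not have; the /22 in LAB 25 matches the four loopbacks exactly.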
 
LAB 25 : ADVANCED EIGRP LAB 
 
 
 
DU Router 
 
1. Basic Configuration 
 
DU>en 
DU#conf t 
Enter configuration commands, one per line. End with CNTL/Z. 
DU(config)#hostname DU 
DU(config)#enable password cisco 
 
2. Line console password 
 
DU(config)#line console 0 
DU(config-line)#password cisco 
DU(config-line)#login 
DU(config-line)#exit 
 
3. Telnet configuration for remote login 
 
DU(config)#line vty 0 4 
DU(config-line)#password cisco 
 
DU(config-line)#login 
DU(config-line)#exit 
 
4. IP configuration on router Interface 
 
DU(config)#interface fastEthernet 0/0 
DU(config-if)#ip address 192.168.20.1 255.255.255.0 
DU(config-if)#no shutdown 
DU(config-if)#exit 
DU(config)#interface fastEthernet 0/1 
DU(config-if)#ip address 192.168.10.1 255.255.255.0 
DU(config-if)#no shutdown 
DU(config-if)#exit 
 
5. Configure Loopback Interface 
 
DU(config)#interface loopback 1 
DU(config-if)#ip address 172.16.0.1 255.255.255.0 
DU(config-if)#interface loopback 2 
DU(config-if)#ip address 172.16.1.1 255.255.255.0 
DU(config-if)#interface loopback 3 
DU(config-if)#ip address 172.16.2.1 255.255.255.0 
DU(config-if)#interface loopback 4 
DU(config-if)#ip address 172.16.3.1 255.255.255.0 
DU(config-if)#exit 
 
BUET Router 
 
1. Basic Configuration 
 
BUET #conf t 
Enter configuration commands, one per line. End with CNTL/Z. 
BUET (config)#hostname BUET 
BUET(config)#enable secret cisco 
 
2. Line console password 
 
BUET(config)#line console 0 
BUET(config-line)#password cisco 
BUET(config-line)#login 
BUET(config-line)#exit 
 
3. Telnet configuration for remote login 
 
BUET(config)#line vty 0 4 
BUET(config-line)#password cisco 
 
BUET(config-line)#login 
BUET(config-line)#exit 
 
4. IP configuration on router Interface 
 
 
BUET(config)#interface fastEthernet 0/0 
BUET(config-if)#ip address 192.168.20.2 255.255.255.0 
BUET(config-if)#no shutdown 
BUET(config)#interface fastEthernet 0/1 
BUET(config-if)#ip address 192.168.30.1 255.255.255.0 
BUET(config-if)#no shutdown 
BUET(config-if)#exit 
BUET(config)# 
 
Main Configuration 
============ 
 
EIGRP Configuration and advertise network 
================================= 
 
DU(config)#router eigrp 10 
DU(config-router)#network 192.168.10.0 
DU(config-router)#network 192.168.20.0 
DU(config-router)#network 172.16.1.0 
DU(config-router)#network 172.16.2.0 
DU(config-router)#network 172.16.3.0 
DU(config-router)#network 172.16.0.0 0.0.0.255 
DU(config-router)#no auto-summary 
 
BUET#conf t 
Enter configuration commands, one per line. End with CNTL/Z. 
BUET(config)#router eigrp 10 
BUET(config-router)#network 192.168.20.0 
BUET(config-router)#network 192.168.30.0 
BUET(config-router)#no auto-summary 
BUET(config-router)# 
 
Configure EIGRP Authentication 
========================== 
 
DU(config)#key chain ashishkey 
DU(config-keychain)#key 1 
DU(config-keychain-key)#key-string ashish 
 
DU(config-keychain-key)#exit 
DU(config-keychain)#exit 
DU(config)# 
 
DU(config)#interface fastEthernet 0/0 
DU(config-if)#ip authentication mode eigrp 10 md5 
DU(config-if)#ip authentication key-chain eigrp 10 ashishkey 
 
BUET(config)#key chain ashishkey 
BUET(config-keychain)#key 1 
BUET(config-keychain-key)#key-string ashish 
BUET(config-keychain-key)#exit 
BUET(config-keychain)#exit 
 
BUET(config)#interface fastEthernet 0/0 
BUET(config-if)#ip authentication mode eigrp 10 md5 
BUET(config-if)#ip authentication key-chain eigrp 10 ashishkey 
 
Configure EIGRP Summary Address 
========================== 
 
DU(config)#interface fastEthernet 0/0 
DU(config-if)#ip summary-address eigrp 10 172.16.0.0 255.255.252.0 
 
Configure EIGRP Passive Interface 
========================= 
 
BUET(config)#router eigrp 10 
BUET(config-router)#passive-interface fastEthernet 0/1 
 
Troubleshooting commands 
 
# show ip route 
# show ip eigrp neighbors / topology / interfaces 
# show ip interface F0/0 
# show ip protocols 
 
OSPF Fundamentals 
 
 Open standard Protocol 
 It is a Link state Protocol 
 
 It uses the Dijkstra shortest Path algorithm (construct a shortest path tree and then 
populate the routing table with best routes) 
 No limit on hop count 
 Metric is cost ( cost = 10^8 / Bandwidth) 
 Administrative distance is 110 
 It is a Classless Routing Protocol 
 Support VLSM and CIDR 
 Supports only IP routing 
 Supports only Equal cost load-balancing 
 Uses the concept of Areas for easy management, hierarchical design 
 Must have one area as Area 0, which is called backbone area 
 All other areas must connect to this Area 0 
 Scalability is better than that of Distance Vector Routing Protocols 
 Supports authentication 
 Updates are sent to multicast addresses 224.0.0.5 (all routers) and 224.0.0.6 (all 
Designated Routers) 
 Faster convergence 
 Sends Hello packets every 10 seconds 
 Triggered / incremental updates: an LSA is sent when a change occurs in the network 
and carries only information about the change, not the complete routing table. 
 LSAs refresh every 30 minutes 
 Forms neighbors with adjacent routers in same area 
 LSAs are used to advertise directly connected links 
 
Link: That’s the interface of our router. 
State: Description of the interface and how it’s connected to neighbor routers. 
 
Link-state routing protocols operate by sending link-state advertisements (LSA) to all 
other link-state routers. All the routers need to have these link-state advertisements so they 
can build their link state database or LSDB. This LSDB is our full picture of the network, in 
network terms we call this the topology. 
 
OSPF maintains three tables : 
 
 
Neighbor Table: Contains the list of directly connected neighbors (routers). We can see 
the table using the command ‘show ip ospf neighbor’. 
Database Table: It is known as the Link State Database (LSDB). All possible routes to any 
network in the same area are contained in this table. We can see it using the command 
‘show ip ospf database’. 
Routing Table: The best paths to reach each destination. The routing table can be seen 
using the ‘show ip route’ command. 
 
All the routers in OSPF have a common database. 
 
The two levels of hierarchy consist of: 
 
 Transit Area ( backbone or Area 0) 
 Regular Area ( non-backbone area) 
 
OSPF works with the concepts of areas and by default you will always have a single area, 
normally this is area 0 or also called the backbone area. 
 
 Internal Router: A router whose interfaces all belong to one area. 
 Area Border Router (ABRs): The router that contains interfaces in more than one 
area. 
 Backbone Router: The router that has all or at least one interface in Area 0. 
 Autonomous System Boundary Router (ASBR): The routers with connection to a 
separate autonomous system. 
 
Advantages of OSPF 
 
 Open standard, so it can be used by all vendors 
 No limitations for hop count 
 Provides a loop free network 
 Provides faster convergence 
 
Disadvantages of OSPF 
 
 More CPU intensive, uses more CPU resources 
 Design and Implementation is complex 
 It only supports Equal cost load-balancing 
 Only Supports IP and not others like IPX or Apple Talk 
 
Once you configure OSPF your router will start sending hello packets. If you also receive 
hello packets from the other router you will become neighbors. 
 
Parameters to match to become neighbors 
For two or more OSPF routers to become neighbors there are some parameters that need to 
match / be identical: 
- Area ID 
- Area Type ( NSSA, Stub) 
- Subnet Mask 
- Hello Interval 
- Dead Interval 
- Prefix 
- Network Type ( broadcast, point-to-point, etc) 
- Authentication 
OSPF Metric 
Cost = Reference Bandwidth / Interface Bandwidth 
Cost = 100Mbps / Bandwidth 
 
Some things worth knowing about OSPF load balancing: 
 Paths must have an equal cost. 
 4 equal cost paths will be placed in routing table. 
 Maximum of 16 paths. 
 To make paths equal cost, change the “cost” of a link 
 
Each LSA has an aging timer which carries the link-state age field. By default each OSPF LSA 
is only valid for 30 minutes. 
 
If the LSA expires then the router that created the LSA will resend the LSA and increase the 
sequence number 
 
 
OSPF has to get through 7 states in order to become neighbors…here they are: 
 
1. Down: no OSPF neighbors detected at this moment. 
2. Init: Hello packet received. 
3. Two-way: own router ID found in received hello packet. 
4. Exstart: master and slave roles determined. 
5. Exchange: database description packets (DBD) are sent. 
6. Loading: exchange of LSRs (Link state request) and LSUs (Link state update) packets. 
7. Full: OSPF routers now have an adjacency. 
 
OSPF Packet Types 
 
1. Hello: to build and maintain neighbor relationship or adjacencies and as keepalives. 
2. DBD – Database Descriptor: Used to verify if the LSDB between two routers is same. It 
is a summary of the Link State Database (LSDB) 
3. Link State Request (LSR): Any request made to other routers for some information uses 
this packet. 
4. Link State Update (LSU): Contains the information requested in the LSR. 
5. Link State Acknowledgement (LSAck): Acknowledgement for all the OSPF packets 
except the Hello packet. 
 
Hellos are the keepalives for OSPF. If a Hello is not received in 4 Hello periods, then the 
neighbor is considered Dead. 4 Hello Periods = Dead Time. The hello and dead timers are as 
follows: 
 LAN and point-to-point interfaces : Hello 10 seconds , Dead timer 40 seconds 
 Non-broadcast Multi-access (NBMA) interfaces: Hello 30 seconds, Dead timer 120 
seconds 
 
There are 11 types of LSA in total, but the best-known types are as follows. 
 
LSA Type-1| Router LSA from one network: Each router generates a Type 1 LSA that lists its 
active interfaces, IP addresses, neighbors and the cost to each. Flooded inside the router's 
area. Link ID is router's ID. 
 
LSA Type-2| Network LSA from more network (DR Generated): Type 2 LSA is created by the 
DR on the network, and represents the subnet and the router interfaces connected to that 
network. Link ID is the interface IP address. Does not cross area boundaries. 
LSA Type-3| Summary LSA (ABR summary Route): Generated by Area Border Routers (ABRs). 
Type 3 LSAs advertise networks from one area to the rest of the areas in the AS. The link-
state ID used by this LSA is the network number advertised. 
 
It describes how to reach one area from another and carries the summary of networks. Type 3 
is called an inter-area link, represented by O IA. 
 
LSA Type-4| Summary LSA (just IP address of ASBR): Describes how to reach the ASBR. The ABR 
tells routers in other areas: if you want to reach the ASBR, use me. The ABR passes on the 
ASBR summary route. 
 
LSA Type-5| External LSA (ASBR summary Route): The ASBR originates the external routes and 
says: if you want to reach external routes, use me, I know the path. Type 4 tells 
other routers how to reach the ASBR. These routes appear as O E1 or O E2. 
 
NSSA External LSA (Type 7): Type 7 LSA allow injection of external routes through Not-so-
Stubby-Areas (NSSA). Generally external routes are advertised by type 5 LSA but they are not 
allowed inside any stub area. That’s why Type 7 LSA is used, to trick OSPF. Type 7 LSA is 
generated by NSSA ASBR and is translated into type 5 LSA as it leaves the area by NSSA ABR, 
which is then propagated throughout the network as type 5 LSA. 
 
A stub area prevents external routes from entering it, so NSSA is used, which allows 
Type 7 LSAs only. 
 
Area Types 
 
Normal Areas: These areas can either be standard areas or transit (backbone) areas. Standard 
areas are defined as areas that can accept intra-area, inter-area and external routes. The 
backbone area is the central area to which all other areas in OSPF connect. 
 
Stub Areas: These areas do not accept routes belonging to external autonomous systems (AS); 
however, these areas have inter-area and intra-area routes. In order to reach the outside 
networks, the routers in the stub area use a default route which is injected into the area by 
the Area Border Router (ABR). 
 
Totally Stub Areas: These areas do not accept routes belonging to external autonomous 
systems (AS), and even inter-area routes (summary routes) are not propagated inside 
totally stubby areas. Only the default route is propagated within the area. The ABR injects a 
default route into the area and all the routers belonging to this area use the default route to 
send any traffic outside the area. 
NSSA: This type of area allows the flexibility of importing a few external routes into the area 
while still trying to retain the stub characteristic. 
 
OSPF can do summarization 
 
OSPF can do summarization but it’s impossible to summarize within an area. This means we 
have to configure summarization on an ABR or ASBR. OSPF can only summarize our LSA type 3 
and 5. 
 
OSPF does not support auto summarization, only manual. OSPF route summarization can be of 
two types: 
 
1. Internal route summarization; 
 
 ABR(config-router)#area 15 range 192.168.0.0 255.255.254.0 
 
2. External route summarization. 
 
 ASBR(config-router)# summary-address 172.16.32.0 255.255.224.0 
 
OSPF Supports two types of Authentication: 
 
 Plaintext authentication 
 MD5 authentication! 
 
OSPF Network types: 
 
Point-to-Point 
 
On High-Level Data Link Control (HDLC) and Point-to-Point Protocol (PPP) links, Open 
Shortest Path First (OSPF) runs as a point-to-point network type. 
 
Broadcast 
 
An Ethernet segment is an example of such a network. Ethernet networks support broadcasts; 
a single packet transmitted by a device can be multiplied by the medium (in this case an 
Ethernet switch) so that every other end point receives a copy. 
 
Non-Broadcast 
 
 
 
Frame relay and ATM are probably the most common examples of non-broadcast transport, 
requiring individual permanent virtual circuits (PVCs) to be configured between end points. 
Non-Broadcast Multi-Access (NBMA) 
 
An NBMA segment emulates the function of a broadcast network. Every router on the segment 
must be configured with the IP address of each of its neighbors. OSPF hello packets are then 
individually transmitted as unicast packets to each adjacent neighbor. 
 
Point-to-Multipoint
 
No DR/BDR election since OSPF sees the network as a collection of point-to-point links. 
Only a single IP subnet is used in the topology above. 
 
DR/BDR Election Process 
 
 DR/BDR election is per multi-access segment, not per area. Each multi-access segment
(e.g. an Ethernet segment) will have a Designated Router (DR) and a Backup Designated
Router (BDR).

 Any router that is neither the DR nor the BDR is a DROTHER. A DROTHER router
on the segment forms a Full adjacency with the DR/BDR. DR/BDR is a property of a
router’s interface, not the entire router.

 DRs reduce network traffic as only they maintain the complete OSPF database and
then send updates to the other routers on the shared network segment.

 The router with the highest priority on the data link wins the election, but by default
priorities are 1. In this case the router with the highest Router ID will win.
 
 
 
Suppose all OSPF router processes start at the same time. Router0 and Router1 win the
election for DR and BDR respectively because they have the highest Router IDs on the
segment. The other routers will be DROTHERs.

Here Router2 and Router3 will form a full adjacency with Router0 (DR) or Router1 (BDR).

 We can use the show ip ospf neighbor command to verify this.
 The default priority is 1, but the priority can be changed with
Router(config-if)# ip ospf priority <priority number>
 If we do not want a router to participate in the DR/BDR election, its priority
must be set to 0.
 We need to use clear ip ospf process before this change takes effect.
 
LAB --- OSPF 
 
 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
1. BASIC CONFIGURATION 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
R1#conf t
R1(config)#interface loopback 0
R1(config-if)#ip address 172.16.0.1 255.255.255.0
R1(config-if)#interface loopback 1
R1(config-if)#ip address 172.16.1.1 255.255.255.0
R1(config-if)#interface loopback 2
R1(config-if)#ip address 172.16.2.1 255.255.255.0
R1(config-if)#interface loopback 3
R1(config-if)#ip address 172.16.3.1 255.255.255.0
R1(config-if)#exit
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.12.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
=================================================================== 
R2#conf t 
Enter configuration commands, one per line. End with CNTL/Z. 
R2(config)#interface fastEthernet 0/0 
R2(config-if)#ip address 192.168.12.2 255.255.255.0 
R2(config-if)#no shutdown 
R2(config-if)#exit 
 
R2(config)#interface fastEthernet 0/1 
R2(config-if)#ip address 192.168.23.2 255.255.255.0 
R2(config-if)#no shutdown 
R2(config-if)#exit 
R2(config)# 
=================================================================== 
R3#conf t 
R3(config)#interface fastEthernet 0/1 
R3(config-if)#ip address 192.168.23.3 255.255.255.0 
R3(config-if)#no shutdown 
R3(config-if)#exit 
R3(config)# 
 
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
LAB 26 : OSPF BASIC CONFIGURATION 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
R1(config)#router ospf 1 
R1(config-router)#network 172.16.0.0 0.0.3.255 area 0 
R1(config-router)#network 192.168.12.0 0.0.0.255 area 1 
 
R2#conf t 
R2(config)#router ospf 1 
R2(config-router)#network 192.168.12.0 0.0.0.255 area 1
R2(config-router)#network 192.168.23.0 0.0.0.255 area 2
 
R3#conf t 
Enter configuration commands, one per line. End with CNTL/Z. 
R3(config)#router ospf 1 
R3(config-router)#network 192.168.23.0 0.0.0.255 area 2 
R3(config-router)#exit 
 
Wildcard Mask

Wildcard masks are used to specify a range of network addresses. They are commonly used
with routing protocols (like OSPF) and access lists:

 To indicate the size of a network or subnet for some routing protocols, such as OSPF.
 To indicate what IP addresses should be permitted or denied in access control lists
(ACLs).
 
Slash   Netmask            Wildcard Mask
/32     255.255.255.255    0.0.0.0
/31     255.255.255.254    0.0.0.1
/30     255.255.255.252    0.0.0.3
/29     255.255.255.248    0.0.0.7
/28     255.255.255.240    0.0.0.15
/27     255.255.255.224    0.0.0.31
/26     255.255.255.192    0.0.0.63
/25     255.255.255.128    0.0.0.127
/24     255.255.255.0      0.0.0.255
/23     255.255.254.0      0.0.1.255
 
Rules:

If all bits of an octet are 1, the wildcard bits are all 0, and vice versa:
255.255.255.255    0.0.0.0
255.255.255.0      0.0.0.255
If an octet has another value (not 0 or 255), find the block size:
255.255.255.248 ...... block size = 256 - 248 = 8
The wildcard octet is then "block size - 1" = 8 - 1 = 7
Thus 255.255.255.248 corresponds to 0.0.0.7
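
The rule above and the way a wildcard mask selects addresses, as an added Python example (not part of the original lab guide). It applies R1's network statements from LAB 26 to R1's interfaces, taking loopback 1 as 172.16.1.1 (the address pinged later in the lab); the function names and the non-contiguous ACL wildcard in the comments are constructed for illustration.

```python
import ipaddress


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def netmask_to_wildcard(netmask: str) -> str:
    """Per octet: wildcard = 255 - netmask octet (0 <-> 255, else block size - 1).

    Rejects masks whose 1 bits are not contiguous, which are not valid netmasks.
    """
    inverted = ~_to_int(netmask) & 0xFFFFFFFF
    if inverted & (inverted + 1):        # host bits must be one run of trailing 1s
        raise ValueError(f"not a contiguous netmask: {netmask}")
    return ".".join(str(255 - int(octet)) for octet in netmask.split("."))


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard means 'must match', a 1 bit means 'ignore'.

    Works for any wildcard, including non-contiguous ones that ACLs accept,
    e.g. base 10.0.0.1 with wildcard 0.0.255.0 matches every 10.0.x.1.
    """
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(address) & care) == (_to_int(base) & care)


def ospf_area_for(address: str, network_statements):
    """Area of the first 'network <base> <wildcard> area <n>' statement that
    matches the interface address, or None if no statement enables OSPF on it.
    The statements in this lab do not overlap, so their order does not matter.
    """
    for base, wildcard, area in network_statements:
        if wildcard_match(address, base, wildcard):
            return area
    return None


# R1's interface addresses and OSPF network statements from the lab.
R1_INTERFACES = {
    "Loopback0": "172.16.0.1",
    "Loopback1": "172.16.1.1",
    "Loopback2": "172.16.2.1",
    "Loopback3": "172.16.3.1",
    "FastEthernet0/0": "192.168.12.1",
}
R1_NETWORKS = [
    ("172.16.0.0", "0.0.3.255", 0),      # network 172.16.0.0 0.0.3.255 area 0
    ("192.168.12.0", "0.0.0.255", 1),    # network 192.168.12.0 0.0.0.255 area 1
]


def r1_area_assignment():
    """Map each R1 interface to the OSPF area its address falls into."""
    return {name: ospf_area_for(addr, R1_NETWORKS)
            for name, addr in R1_INTERFACES.items()}


if __name__ == "__main__":
    print("255.255.255.248 ->", netmask_to_wildcard("255.255.255.248"))
    for name, area in r1_area_assignment().items():
        print(f"{name:16} area {area}")
    # 172.16.4.1 lies just outside 172.16.0.0 0.0.3.255, so nothing matches it.
    print("172.16.4.1 ->", ospf_area_for("172.16.4.1", R1_NETWORKS))
```
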
=========================================================================== 
Verification 
============= 
 
 
 
Here we can see that the neighborship is formed, but there is no route to area 0 and area 1.
So we now have to configure a virtual link on R1 and R2 through area 1.
 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
LAB : 27 OSPF VIRTUAL-LINK 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
In OSPF, every other area must be connected to area 0 (the backbone area) either physically or
virtually. In our figure area 1 is directly connected to area 0, but area 2 is not connected
to area 0. So area 2 has to be connected to area 0 virtually. In this lab we will see
how.
First we configure the router ID on the R1 and R2 routers

R1(config-router)#router-id 1.1.1.1
R2(config-router)#router-id 2.2.2.2
Reload or use the "clear ip ospf process" command for this to take effect
R2#clear ip ospf process
Reset ALL OSPF processes? [no]: yes
 
 
We must run this command for this configuration to take effect (also called a soft reset).

Now we will configure the virtual link through area 1
 
R1(config)#router ospf 1 
R1(config-router)#area 1 virtual-link 2.2.2.2 
 
R2(config)#router ospf 1 
R2(config-router)#area 1 virtual-link 1.1.1.1 
 
=========== 
Now verify 
============ 
 
 
 
Ping to any loopback IP 
 
 
R3#ping 172.16.1.1 
Type escape sequence to abort. 
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds: 
!!!!! 
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/38/52 ms 
-------------------------------------------------------------------------- 
 
R2#show ip ospf virtual-links 
Virtual Link OSPF_VL0 to router 1.1.1.1 is up 
 Run as demand circuit 
 DoNotAge LSA allowed.
 Transit area 1, via interface FastEthernet0/0, Cost of using 10
 Transmit Delay is 1 sec, State POINT_TO_POINT, 
 Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 
 Hello due in 00:00:07 
 Adjacency State FULL (Hello suppressed) 
 Index 1/3, retransmission queue length 0, number of retransmission 1 
 First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0) 
 Last retransmission scan length is 1, maximum is 1 
 Last retransmission scan time is 0 msec, maximum is 0 msec 
 
 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
LAB 28: OSPF authentication 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
 
 
Plaintext authentication on Router R1 and R2---F0/0 interface (Area 1) 
 
R1(config)#interface fastEthernet 0/0 
R1(config-if)#ip ospf authentication 
R1(config-if)#ip ospf authentication-key mypass 
--------------------------------------------------------- 
R2(config)#interface fastEthernet 0/0 
R2(config-if)#ip ospf authentication 
R2(config-if)#ip ospf authentication-key mypass 
 
============ 
Verification 
=========== 
R1#show ip ospf interface fastEthernet 0/0 
FastEthernet0/0 is up, line protocol is up 
 Internet Address 192.168.12.1/24, Area 1 
 Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 10 
 Transmit Delay is 1 sec, State BDR, Priority 1 
 Designated Router (ID) 2.2.2.2, Interface address 192.168.12.2 
 Backup Designated router (ID) 1.1.1.1, Interface address 192.168.12.1 
 Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 
 oob-resync timeout 40
 Hello due in 00:00:02
 Supports Link-local Signaling (LLS) 
 Cisco NSF helper support enabled 
 IETF NSF helper support enabled 
 Index 1/5, flood queue length 0 
 Next 0x0(0)/0x0(0) 
 Last flood scan length is 3, maximum is 3 
 Last flood scan time is 0 msec, maximum is 0 msec 
 Neighbor Count is 1, Adjacent neighbor count is 1 
 Adjacent with neighbor 2.2.2.2 (Designated Router) 
 Suppress hello for 0 neighbor(s) 
 Simple password authentication enabled 
R1# 
 
MD5 authentication on Router R2 and R3---F0/1 interface (Area 2)


R2(config)#interface fastEthernet 0/1
R2(config-if)#ip ospf message-digest-key 1 md5 mypass1
R2(config-if)#ip ospf authentication message-digest
-------------------------------------------------------
R3(config)#interface fastEthernet 0/1
R3(config-if)#ip ospf message-digest-key 1 md5 mypass1
R3(config-if)#ip ospf authentication message-digest
=====================================================================
 
Verification 
=========== 
R2#show ip ospf interface f0/1 
FastEthernet0/1 is up, line protocol is up 
 Internet Address 192.168.23.2/24, Area 2 
 Process ID 1, Router ID 2.2.2.2, Network Type BROADCAST, Cost: 10 
 Transmit Delay is 1 sec, State BDR, Priority 1 
 Designated Router (ID) 192.168.23.3, Interface address 192.168.23.3 
 Backup Designated router (ID) 2.2.2.2, Interface address 192.168.23.2 
 Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 
 oob-resync timeout 40 
 Hello due in 00:00:05 
 Supports Link-local Signaling (LLS) 
 Index 1/2, flood queue length 0 
 Last flood scan length is 1, maximum is 4
 Last flood scan time is 0 msec, maximum is 0 msec
 Neighbor Count is 1, Adjacent neighbor count is 1 
 Adjacent with neighbor 192.168.23.3 (Designated Router) 
 Suppress hello for 0 neighbor(s) 
 Message digest authentication enabled 
 Youngest key id is 1 
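
What the two authentication types configured in this lab put on the wire, as an added Python example (not part of the original lab guide). It builds OSPF Hello packets following RFC 2328 Appendix D with the lab's router IDs, areas, timers and keys; the sequence numbers, the wrong key and the tampered byte are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

AUTH_SIMPLE, AUTH_MD5 = 1, 2      # AuType values defined in RFC 2328
HELLO = 1                         # OSPF packet type


def inet_checksum(data: bytes) -> int:
    """Standard 16-bit one's complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def hello_body(mask="255.255.255.0", hello=10, dead=40, priority=1):
    """Hello body with no DR, BDR or neighbors listed yet (timers as in the lab)."""
    zero = socket.inet_aton("0.0.0.0")
    return struct.pack("!4sHBBI4s4s", socket.inet_aton(mask), hello, 0x02,
                       priority, dead, zero, zero)


def _header(router_id, area, length, checksum, autype):
    """First 16 bytes of the OSPF header; the 8-byte auth field follows it."""
    return struct.pack("!BBH4s4sHH", 2, HELLO, length, socket.inet_aton(router_id),
                       socket.inet_aton(area), checksum, autype)


def build_simple(router_id, area, body, password):
    """AuType 1: the password itself is carried in the 8-byte auth field."""
    length = 24 + len(body)
    # The checksum covers the packet except the authentication field.
    checksum = inet_checksum(_header(router_id, area, length, 0, AUTH_SIMPLE) + body)
    auth = password.encode()[:8].ljust(8, b"\x00")
    return _header(router_id, area, length, checksum, AUTH_SIMPLE) + auth + body


def build_md5(router_id, area, body, key, key_id, seq):
    """AuType 2: checksum is 0 and a 16-byte MD5 digest trails the packet."""
    length = 24 + len(body)                      # the digest is not counted
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    packet = _header(router_id, area, length, 0, AUTH_MD5) + auth + body
    padded_key = key.encode()[:16].ljust(16, b"\x00")
    return packet + hashlib.md5(packet + padded_key).digest()


def verify_md5(wire, keys, last_seq):
    """Receiver side. keys maps key ID -> key; returns (accepted, reason)."""
    if len(wire) < 24 + 16:
        return False, "truncated"
    _, _, length, _, _, _, autype = struct.unpack("!BBH4s4sHH", wire[:16])
    if autype != AUTH_MD5:
        return False, "wrong authentication type"
    _, key_id, digest_len, seq = struct.unpack("!HBBI", wire[16:24])
    if key_id not in keys:
        return False, "unknown key id"
    if digest_len != 16 or len(wire) != length + 16:
        return False, "bad length"
    padded_key = keys[key_id].encode()[:16].ljust(16, b"\x00")
    expected = hashlib.md5(wire[:length] + padded_key).digest()
    if not hmac.compare_digest(expected, wire[length:]):
        return False, "digest mismatch"
    if seq < last_seq:                           # sequence must never go backwards
        return False, "old sequence number"
    return True, "ok"


def demo():
    body = hello_body()
    plain = build_simple("1.1.1.1", "0.0.0.1", body, "mypass")          # R1, area 1
    md5pkt = build_md5("2.2.2.2", "0.0.0.2", body, "mypass1", 1, 1000)  # R2, area 2
    tampered = md5pkt[:27] + bytes([md5pkt[27] ^ 0xFF]) + md5pkt[28:]   # alter the mask
    return {
        "password_visible_in_plaintext_packet": b"mypass" in plain,
        "key_visible_in_md5_packet": b"mypass1" in md5pkt,
        "good": verify_md5(md5pkt, {1: "mypass1"}, last_seq=999),
        "wrong_key": verify_md5(md5pkt, {1: "otherkey"}, last_seq=999),
        "tampered": verify_md5(tampered, {1: "mypass1"}, last_seq=999),
        "old_sequence": verify_md5(md5pkt, {1: "mypass1"}, last_seq=1001),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```
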
 
LAB 29: OSPF Summarization 
 
OSPF does not support auto summarization, only manual. OSPF route summarization can be of 
two types: 
1. Internal route summarization; 
2. External route summarization. 
 
 
I’m going to show you an example of interarea route summarization on Router R1 
 
First we will check the Routing table of R3 
 
 
 
 
 
 
 
 
R1(config)#router ospf 1 
R1(config-router)#area 0 range 172.16.0.0 255.255.252.0 
R1(config-router)#end 
------------------------------------------------- 
R1#clear ip ospf process 
R2#clear ip ospf process 
R3#clear ip ospf process 
 
 
 
 
 
 
LAB 30 : PPP Configuration 
 
Designing a wide area network (WAN) is one of the most challenging issues. We have to
choose the correct connection type. Most carriers offer three connection types:
 
1. Circuit-switched connections 
2. Packet-switched or cell-switched connections 
3. Dedicated connection 
 
Circuit-switched connections: 
 
For asynchronous dial-in (PSTN) and ISDN services, the telephone companies use circuit switching.
 
Packet-switched or cell-switched connections 
 
Examples of packet-switched and cell-switched networks include Frame Relay (packet-
switched), X.25 (packet-switched), and Asynchronous Transfer Mode or ATM (cell-switched). 
 
Leased Line (Dedicated connection):

A permanent communication path exists between a Customer Premises Equipment (CPE) at
one site and a CPE at the remote site, communicating through a Data Communications
Equipment (DCE) within the provider's site. Synchronous serial lines are used for this
connection, and the most frequent protocols observed on these lines are HDLC (High-Level
Data Link Control) and PPP (Point-to-Point Protocol). When cost is not an issue, you should
use this type of connection.
 
 
HDLC 
 
 HDLC stands for High-Level Data Link Control protocol. 
 HDLC is a Layer 2 protocol. 
 HDLC would be the protocol with the least amount of configuration required to 
connect these two locations. HDLC would be running over the WAN, between the two 
locations. 
 HDLC performs error correction, just like Ethernet. 
 Cisco's HDLC is actually proprietary because Cisco added a protocol type field.
 HDLC is actually the default protocol on all Cisco serial interfaces. 
 
PPP 
 
PPP or Point-to-Point Protocol is a type of Layer 2 protocol (Data-link layer) used mainly for 
WAN. PPP features two methods of authentication: 
 
 PAP (Password Authentication Protocol) and 
 CHAP (Challenge Handshake Authentication Protocol) 
 
 PAP sends the password in clear text and CHAP sends the encrypted password.
 PPP encapsulation is possible only over a serial link. 
 PPP encapsulates Layer 3 data over point-to-point links. 
 PPP uses a Network Control Protocol (NCP) component to encapsulate multiple 
protocols and uses Link Control Protocol (LCP) to set up and negotiate control options 
on the data link. 
 PPP supports multivendor devices. 
 
 
Configuration on Ashish Router 
Basic Configuration 
 
Router#conf t 
Enter configuration commands, one per line. End with CNTL/Z. 
Router(config)#interface serial 0/1/0 
Router(config-if)#ip address 103.13.148.1 255.255.255.248 
Router(config-if)#no shutdown 
Router(config-if)#exit 
Router(config)#hostname Ashish 
Ashish(config)#interface fastEthernet 0/0 
Ashish(config-if)#ip address 192.168.10.1 255.255.255.0
Ashish(config-if)#no shutdown
 
PPP Configuration 
 
Ashish(config)#username buet privilege 15 password cisco 
Ashish(config)#interface serial 0/1/0 
Ashish(config-if)#encapsulation ppp 
Ashish(config-if)#ppp authentication chap 
Ashish(config-if)#exit 
 
For PPP configuration we must configure the hostname and a username. On this router the
username will be the hostname of the peer router, i.e. buet.

Configure Static Route
 
Ashish(config)#ip route 192.168.20.0 255.255.255.0 103.13.148.2 
Ashish(config)# 
 
BUET Router 
 
Router#conf t 
Enter configuration commands, one per line. End with CNTL/Z. 
Router(config)#hostname buet 
 
buet(config)#interface serial 0/1/0 
buet(config-if)#ip address 103.13.148.2 255.255.255.248 
buet(config-if)#no shutdown 
buet(config)#interface fastEthernet 0/0 
buet(config-if)#ip address 192.168.20.1 255.255.255.0
buet(config-if)#no shutdown
 
buet(config)#username Ashish privilege 15 password cisco 
buet(config)#interface serial 0/1/0 
buet(config-if)#encapsulation ppp 
buet(config-if)#ppp authentication chap 
buet(config-if)#end 
buet# 
 
On this router the username will be the hostname of the peer router, i.e. Ashish.
 
buet(config)#ip route 192.168.10.0 255.255.255.0 103.13.148.1 
 
Verification : 
Ashish#show interfaces serial 0/1/0 
 
Serial0/1/0 is up, line protocol is up (connected) 
Hardware is HD64570 
Internet address is 103.13.148.1/29 
MTU 1500 bytes, BW 128 Kbit, DLY 20000 usec, 
reliability 255/255, txload 1/255, rxload 1/255 
Encapsulation PPP, loopback not set, keepalive set (10 sec) 
LCP Open 
Open: IPCP, CDPCP 
Last input never, output never, output hang never 
Last clearing of "show interface" counters never 
Input queue: 0/75/0 (size/max/drops); Total output drops: 0 
Queueing strategy: weighted fair 
Output queue: 0/1000/64/0 (size/max total/threshold/drops) 
Conversations 0/0/256 (active/max active/max total) 
Reserved Conversations 0/0 (allocated/max allocated) 
Available Bandwidth 96 kilobits/sec 
5 minute input rate 0 bits/sec, 0 packets/sec 
5 minute output rate 0 bits/sec, 0 packets/sec 
8 packets input, 1024 bytes, 0 no buffer 
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles 
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 
9 packets output, 1152 bytes, 0 underruns 
 
 
 
 
C:\>ping 192.168.20.2 
 
Reply from 192.168.20.2: bytes=32 time=1ms TTL=126 
Reply from 192.168.20.2: bytes=32 time=1ms TTL=126 
Reply from 192.168.20.2: bytes=32 time=1ms TTL=126 
Reply from 192.168.20.2: bytes=32 time=1ms TTL=126 

The clock rate will set the speed. It doesn’t matter much what clock speed we use. We can
use a command to verify that the DTE router has received the clock rate:
 
Ashish# show controllers serial 0/1/0 
 
Interface Serial0/1/0 
Hardware is PowerQUICC MPC860 
DTE V.35 TX and RX clocks detected 
idb at 0x81081AC4, driver data structure at 0x81084AC0 

In the example above Ashish is the DTE side and it has received a clock rate. Show controllers
is a useful command when you don’t have physical access to your hardware, so you don’t know
which side of the cable is DTE or DCE.
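
The CHAP exchange that "ppp authentication chap" runs between the two routers in LAB 30, as an added Python example (not part of the original lab guide). It follows RFC 1994, where the response is the MD5 hash of the identifier, the shared secret and the challenge value; the Router class, message dictionaries and fixed challenge bytes are constructed for illustration, while the hostnames and the password "cisco" are the lab's.

```python
import hashlib
import hmac
import os

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4    # CHAP codes from RFC 1994


class Router:
    def __init__(self, hostname, usernames):
        self.hostname = hostname
        # One entry per 'username <peer hostname> password <secret>' line.
        self.usernames = dict(usernames)

    def send_challenge(self, ident, value=None):
        """Authenticator side: a random value plus our own hostname."""
        return {"code": CHALLENGE, "id": ident,
                "value": value or os.urandom(16), "name": self.hostname}

    def _digest(self, ident, peer_name, challenge_value):
        """MD5(identifier || secret || challenge), or None without a username entry."""
        secret = self.usernames.get(peer_name)       # the lookup is case-sensitive
        if secret is None:
            return None
        return hashlib.md5(bytes([ident]) + secret.encode() + challenge_value).digest()

    def answer(self, challenge):
        """Peer side: pick the secret by the challenger's name and hash it in."""
        digest = self._digest(challenge["id"], challenge["name"], challenge["value"])
        if digest is None:
            return None
        return {"code": RESPONSE, "id": challenge["id"],
                "value": digest, "name": self.hostname}

    def check(self, challenge, response):
        """Authenticator side: recompute the hash with the secret stored for the peer."""
        if response is None or response["id"] != challenge["id"]:
            return FAILURE
        expected = self._digest(challenge["id"], response["name"], challenge["value"])
        if expected is None or not hmac.compare_digest(expected, response["value"]):
            return FAILURE
        return SUCCESS


def authenticate(authenticator, peer, ident=1, value=None):
    """One direction of the handshake: returns (result code, messages sent)."""
    challenge = authenticator.send_challenge(ident, value)
    response = peer.answer(challenge)
    result = authenticator.check(challenge, response)
    return result, [m for m in (challenge, response) if m is not None]


def link_comes_up(a, b):
    """Both lab routers run 'ppp authentication chap', so each challenges the other."""
    return authenticate(a, b)[0] == SUCCESS and authenticate(b, a)[0] == SUCCESS


if __name__ == "__main__":
    ashish = Router("Ashish", {"buet": "cisco"})     # username buet password cisco
    buet = Router("buet", {"Ashish": "cisco"})       # username Ashish password cisco
    print("matching config:", link_comes_up(ashish, buet))
    # Same lab, but buet's username entry is typed in lower case.
    print("wrong-case username:", link_comes_up(ashish, Router("buet", {"ashish": "cisco"})))
    # Same lab, but the two passwords differ.
    print("password mismatch:", link_comes_up(ashish, Router("buet", {"Ashish": "Cisco"})))
```
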

LAB 31: BGP Basic Configuration

BGP is an exterior gateway protocol; it is used between different networks. It is the protocol
used between Internet service providers (ISPs) and can also be used between an enterprise
and an ISP.
 
BGP was built for reliability, scalability, and control, not speed. 
 
BGP stands for Border Gateway Protocol. Routers running BGP are termed BGP speakers. 
 
 BGP uses the concept of autonomous systems (AS). An autonomous system is a group of 
networks under a common administration. The Internet Assigned Numbers Authority 
(IANA) assigns AS numbers: 1 to 64511 are public AS numbers and 64512 to 65535 are 
private AS numbers. 
 
 Autonomous systems run Interior Gateway Protocols (IGP) within the system. They run 
an Exterior Gateway Protocol (EGP) between them. BGP version 4 is the only EGP 
currently in use. 
 Routing between autonomous systems is called interdomain routing. 
 The administrative distance for EBGP routes is 20. The administrative distance for 
IBGP routes is 200. 
 BGP neighbors are called peers and must be statically configured. 
 BGP uses TCP port 179. BGP peers exchange incremental, triggered route updates and 
periodic keepalives. 
 Routers can run only one instance of BGP at a time. 
 BGP is a path-vector protocol. 
 
BGP neighbors can be of two types: 
 
 IBGP neighbors – when two neighbors are in the same AS; 
 EBGP neighbors – when two neighbors belong to different AS. 
 
 
 
Basic Configuration

ISP1

Router#conf t
Router(config)#hostname ISP1
ISP1(config)#interface fastEthernet 0/0
ISP1(config-if)#ip address 192.168.10.1 255.255.255.0
ISP1(config-if)#no shutdown
ISP1(config-if)#exit
ISP1(config)#interface fastEthernet 0/1
ISP1(config-if)#ip address 10.10.10.1 255.255.255.0
ISP1(config-if)#no shutdown
ISP1(config-if)#exit

ISP2

Router(config)#hostname ISP2
ISP2(config)#interface fastEthernet 0/0
ISP2(config-if)#ip address 192.168.10.2 255.255.255.0
ISP2(config-if)#no shutdown
ISP2(config-if)#exit
ISP2(config)#interface fastEthernet 0/1
ISP2(config-if)#ip address 11.11.11.1 255.255.255.0
ISP2(config-if)#no shutdown

BGP Configuration

! 100 is the AS number of ISP1
ISP1(config)#router bgp 100
! Declare the neighbor: 200 is the AS of ISP2, 192.168.10.2 is the IP address of ISP2's F0/0 interface
ISP1(config-router)#neighbor 192.168.10.2 remote-as 200
! Advertise the network
ISP1(config-router)#network 10.10.10.0 mask 255.255.255.0
ISP1(config-router)#exit
 
ISP2(config)#router bgp 200 
ISP2(config-router)#neighbor 192.168.10.1 remote-as 100 
ISP2(config-router)#%BGP-5-ADJCHANGE: neighbor 192.168.10.1 Up 
ISP2(config-router)#network 11.11.11.0 mask 255.255.255.0 
ISP2(config-router)# 
 
 
Verification

The show ip bgp summary command shows whether the neighborship is formed.


We can see the BGP routes with the show ip bgp command.
 
LAB 32: BGP Single Homed Design 
 
 
R1 is in our enterprise core and has OSPF as its IGP. 
R1#conf t 
Enter configuration commands, one per line. End with CNTL/Z. 
R1(config)#interface fastEthernet 0/1 
R1(config-if)#ip address 192.168.10.2 255.255.255.0 
R1(config-if)#no shutdown 
R1(config-if)#exit 
R1(config)#router ospf 1 
R1(config-router)#network 192.168.10.0 0.0.0.255 area 0 
R1(config-router)#exit 
R1(config)# 
 
R2 is in our enterprise edge and has OSPF for IGP and BGP for EGP. 
 
R2#conf t 
R2(config)#interface fastEthernet 0/1 
R2(config-if)#ip address 192.168.10.1 255.255.255.0 
R2(config-if)#no shutdown 
R2(config-if)#exit 
R2(config)#interface fastEthernet 0/0 
R2(config-if)#ip address 192.168.20.1 255.255.255.0 
R2(config-if)#no shutdown 
R2(config-if)#exit 
R2(config)#router ospf 1 
R2(config-router)#network 192.168.10.0 0.0.0.255 area 0 
R2(config-router)#exit 
R2(config)#router ospf 1 
R2(config-router)#default-information originate 
R2(config-router)#exit 
R2(config)#router bgp 100 
R2(config-router)#neighbor 192.168.20.2 remote-as 200 
R2(config-router)#network 1.1.1.0 mask 255.255.255.0 
R2(config-router)#exit 
R2(config)#ip route 1.1.1.0 255.255.255.0 null 0 
 
R2 is in the service provider edge. R2 has a couple of static routes to advertise into BGP and is 
advertising a default route to R1 which will then get propagated throughout the enterprise 
core. 
 
 
R3#conf t 
R3(config)#interface fastEthernet 0/0 
R3(config-if)#ip address 192.168.20.2 255.255.255.0 
R3(config-if)#no shutdown 
R3(config-if)#exit 
R3(config)#ip route 0.0.0.0 0.0.0.0 null 0 
R3(config)#ip route 2.2.2.0 255.255.255.0 null 0 
R3(config)#router bgp 200 
R3(config-router)#neighbor 192.168.20.1 remote-as 100 
R3(config-router)#network 2.2.2.0 mask 255.255.255.0 
R3(config-router)#neighbor 192.168.20.1 default-originate 
R3(config-router)#exit 
 
Verification 
 
R3#show ip bgp summary 
 
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.20.1    4   100      23      24        3    0    0 00:19:33        1
R3# 
 
R2#show ip route 
..................<output omitted>................... 
 1.0.0.0/24 is subnetted, 1 subnets 
S 1.1.1.0 is directly connected, Null0 
 2.0.0.0/24 is subnetted, 1 subnets 
B 2.2.2.0 [20/0] via 192.168.20.2, 00:17:59 ** BGP learned route ** 
C 192.168.10.0/24 is directly connected, FastEthernet0/1 
C 192.168.20.0/24 is directly connected, FastEthernet0/0 
B* 0.0.0.0/0 [20/0] via 192.168.20.2, 00:20:18 ** default route from BGP because of the default originate command in R3 **
 
R2#show ip bgp 
-------------------<output omitted>......................... 
   Network          Next Hop            Metric LocPrf Weight Path
*> 0.0.0.0          192.168.20.2             0             0 200 i
*> 1.1.1.0/24       0.0.0.0                  0         32768 i
*> 2.2.2.0/24       192.168.20.2             0             0 200 i
 
 
 
R1#show ip ospf neighbor 
 
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.20.1      1   FULL/BDR        00:00:31    192.168.10.1    FastEthernet0/1
 
R1#show ip route 
------------------<outputs are omitted>-------------- 
Gateway of last resort is 192.168.10.1 to network 0.0.0.0 
 
C 192.168.10.0/24 is directly connected, FastEthernet0/1 
O*E2 0.0.0.0/0 [110/1] via 192.168.10.1, 00:06:16, FastEthernet0/1 
 
Here we can see that R2 is a single-homed BGP peer of R3, advertising a /24 (1.1.1.0/24), and
R2 is advertising a default route to the enterprise core (R1).
 
Explanation

default-information originate (OSPF): the router is going to redistribute a default route it got
from another router.

neighbor x.x.x.x default-originate (BGP)

If you want to advertise a default route to a specific peer, this is the method for that
requirement.

 Add ‘neighbor x.x.x.x default-originate’ under router bgp <ASN>
 It does not even check for the existence of a default route in the IP routing table
 The ‘default-information originate’ command should not be configured with the
‘neighbor x.x.x.x default-originate’ command on the same router

The Null interface is typically used for preventing routing loops.

It also helps prevent DoS attacks. Examples of where this traffic to unused IP addresses might
come from are denial of service attacks, scanning of IP blocks to find vulnerable hosts, etc.
 
LAB 33 : HSRP (Hot Standby Router Protocol) Configuration

HSRP provides layer 3 redundancy in our network through active and standby router
assignment, interface tracking, and load balancing. A group of physical routers, acting as a
single virtual router, advertise a single IP address and MAC address into our network. By
tracking interfaces and managing multiple groups, we can optimize speed as well as add
redundancy to our networks. We can also use VRRP or GLBP based on our individual network
needs. The services that HSRP provides are a great addition to any network.
 
Characteristics 
 
 HSRP is Cisco proprietary 
 HSRP has 5 states: Initial, listen, speak, standby and active. 
 HSRP allows multiple routers to share a virtual IP and MAC address so that the end-
user hosts do not realize when a failure occurs. 
 The active (or Master) router uses the virtual IP and MAC addresses. 
 Standby routers listen for Hellos from the Active router. A hello packet is sent every 3 
seconds by default. The hold time (dead interval) is 10 seconds. 
 The virtual MAC is 0000.0C07.ACxx, where xx is the HSRP group number in hexadecimal.
 The group numbers of HSRP version 1 range from 0 to 255. HSRP does support group
number 0 (we checked it, and in fact it is the default group number if you don’t
enter a group number in the configuration), so HSRP version 1 supports up to 256 group
numbers. HSRP version 2 supports 4096 group numbers.
 
 
Assign IP Address to Venus 
=============================== 
 
Switch>en 
Switch#conf t 
Switch(config)#hostname venus 
venus(config)#int fastEthernet 0/10 
venus(config-if)#no switchport 
venus(config-if)#ip address 192.168.1.1 255.255.255.0 
venus(config-if)#no shutdown 
venus(config-if)#exit 
venus(config)#int fastEthernet 0/1 
venus(config-if)#no switchport 
venus(config-if)#ip address 192.168.30.2 255.255.255.0 
venus(config-if)#no shutdown 
venus(config-if)# 
 
Assign IP Address to Denver 
=============================== 
 
 
Switch>en 
Switch#conf t 
Switch(config)#hostname Denver 
Denver(config)#int fastEthernet 0/11 
Denver(config-if)#no switchport 
Denver(config-if)#ip address 192.168.1.2 255.255.255.0 
Denver(config-if)#no shutdown 
Denver(config-if)#exit 
Denver(config)#int fastEthernet 0/1 
Denver(config-if)#no switchport
Denver(config-if)#ip address 192.168.40.2 255.255.255.0
Denver(config-if)#no shutdown 
Denver(config-if)#end 
 
Assign IP Address to Toronto 
============================= 
 
Router>en 
Router#conf t 
Router(config)#hostname Toronto 
Toronto(config)#interface fastEthernet 0/0 
Toronto(config-if)#ip address 192.168.30.1 255.255.255.0 
Toronto(config-if)#no shutdown 
Toronto(config-if)#exit
Toronto(config)#int fastEthernet 0/1
Toronto(config-if)#ip address 192.168.40.1 255.255.255.0
Toronto(config-if)#no shutdown
Toronto(config-if)#exit
Toronto(config)#int loopback 1
Toronto(config-if)#ip address 1.1.1.1 255.255.255.0
Toronto(config-if)#exit
 
Create static route to 1.1.1.0/24 network from Venus and Denver 
===================================================================== 
 
 
venus(config)#ip route 1.1.1.0 255.255.255.0 192.168.30.1
Denver(config)#ip route 1.1.1.0 255.255.255.0 192.168.40.1
 
Create static route to 192.168.1.0/24 network from Toronto 
================================================================ 
 
Toronto(config)#ip route 192.168.1.0 255.255.255.0 192.168.30.2 
Toronto(config)#ip route 192.168.1.0 255.255.255.0 192.168.40.2 
 
Apply ip routing command on venus and Denver 
================================================= 
 
venus(config)#ip routing 
Denver(config)#ip routing 
 
Assign IP address to host with default Gateway 192.168.1.1 and 
192.168.1.2 and apply ping command to 1.1.1.0 Network 
====================================================================== 
 
C:\>ping 1.1.1.1 
Reply from 1.1.1.1: bytes=32 time=1ms TTL=254 
Reply from 1.1.1.1: bytes=32 time<1ms TTL=254 
Reply from 1.1.1.1: bytes=32 time=1ms TTL=254 
Reply from 1.1.1.1: bytes=32 time<1ms TTL=254 
 
Configure HSRP 
================ 
 
venus#conf t 
venus(config)#int fastEthernet 0/10 
venus(config-if)#standby 10 ip 192.168.1.3 
venus(config-if)#standby 10 priority 110 
venus(config-if)#standby 10 preempt 
------------------------------------------------------------ 
Denver>en
Denver#conf t
Denver(config)#int fastEthernet 0/11 
Denver(config-if)#standby 10 ip 192.168.1.3 
Denver(config-if)#standby 10 priority 100 
Denver(config-if)#standby 10 preempt 
Denver(config-if)#end 
 
Verify 
============ 
 
venus#show standby 
FastEthernet0/10 - Group 10 
 State is Active 
 12 state changes, last state change 01:01:47 
 Virtual IP address is 192.168.1.3 
 Active virtual MAC address is 0000.0C07.AC0A 
 Local virtual MAC address is 0000.0C07.AC0A (v1 default) 
 Hello time 3 sec, hold time 10 sec 
 Next hello sent in 1.461 secs 
 Preemption enabled 
 Active router is local 
 Standby router is 192.168.1.2 
 Priority 110 (configured 110) 
 Group name is hsrp-Fa0/10-10 (default) 
venus# 
------------------------------------------------------------------- 
Denver#show standby 
FastEthernet0/11 - Group 10
 State is Standby 
 3 state changes, last state change 01:17:54 
 Virtual IP address is 192.168.1.3 
 Active virtual MAC address is 0000.0C07.AC0A 
 Local virtual MAC address is 0000.0C07.AC0A (v1 default) 
 Hello time 3 sec, hold time 10 sec 
 Next hello sent in 0.757 secs 
 Preemption enabled 
 Active router is 192.168.1.1 
 Standby router is local 
 Priority 100 (default 100) 
 Group name is hsrp-Fa0/11-10 (default) 
Denver# 
Now change the default gateway of both PCs to 192.168.1.3 and ping
1.1.1.1
======================================================================
Successful.
Now shut down the interface (F0/10 or F0/11) that has the highest
priority (110)
======================================================================
Then verify with the show standby command.
The ping to 1.1.1.1 is still successful.
------------------------------------------------------ 
Denver#show standby 
FastEthernet0/11 - Group 10 
 State is Active 
 4 state changes, last state change 01:28:33
 Virtual IP address is 192.168.1.3 
 Active virtual MAC address is 0000.0C07.AC0A 
 Local virtual MAC address is 0000.0C07.AC0A (v1 default) 
 Hello time 3 sec, hold time 10 sec 
 Next hello sent in 2.754 secs 
 Preemption enabled 
 Active router is local 
 Standby router is unknown 
 Priority 100 (default 100) 
 Group name is hsrp-Fa0/11-10 (default) 
Denver# 
Now the Denver switch is Active 
----------------------------------------------------------------- 
C:\>ping 1.1.1.1 
Reply from 1.1.1.1: bytes=32 time<1ms TTL=254 
Reply from 1.1.1.1: bytes=32 time<1ms TTL=254 
Reply from 1.1.1.1: bytes=32 time<1ms TTL=254 
Reply from 1.1.1.1: bytes=32 time<1ms TTL=254 
 
IP Access Control List (ACL) 
 
 
Access-lists work on the network (layer 3) and the transport (layer 4) layers and can be used
for two different things:

• Filtering traffic
• Identifying traffic
 
Filtering is used to permit or deny traffic. 
 
 
Identifying means selecting traffic. It can be used when we configure a VPN: the traffic is
identified and then it passes through the VPN tunnels.
 
IP ACLs are the most popular, as IP is the most common type of traffic. There are two types of
IP ACLs:

• Standard IP ACLs: 1 to 99 and 1300 to 1999
• Extended IP ACLs: 100 to 199 and 2000 to 2699

Standard IP ACLs can only control traffic based on the SOURCE IP address, whereas Extended IP
ACLs identify traffic based on source IP, source port, destination IP, and destination port.

We can use ACLs to filter traffic per protocol, per interface, and per direction. We
can only have one ACL per protocol (e.g., IP or IPX), one ACL per interface (e.g.,
FastEthernet0/0), and one ACL per direction (i.e., IN or OUT).
 
LAB 34 : Standard IP access-lists 
 
 
Standard IP access-lists are based upon the source host or network IP address, and should be 
placed closest to the destination network. 
 
 
 
 
Router R1 (IP Address and EIGRP Configuration) 
 
R1#conf t 
R1(config)#interface fastEthernet 0/0 
R1(config-if)#ip address 192.168.10.1 255.255.255.0 
R1(config-if)#no shutdown 
R1(config-if)#exit 
R1(config)#interface fastEthernet 0/1 
R1(config-if)#ip address 192.168.20.1 255.255.255.0 
R1(config-if)#no shutdown 
R1(config-if)#exit 
R1(config)#router eigrp 10 
R1(config-router)#network 192.168.20.0 
R1(config-router)#network 192.168.10.0 
R1(config-router)#no auto-summary 
R1(config-router)#exit 
 
Router R2 (IP Address and EIGRP Configuration) 
 
R2#conf t 
R2(config)#interface fastEthernet 0/0 
R2(config-if)#ip address 192.168.10.2 255.255.255.0 
R2(config-if)#no shutdown 
R2(config-if)#exit 
R2(config)#interface loopback 0 
R2(config-if)#ip address 12.12.12.12 255.255.255.0 
R2(config-if)#exit 
R2(config)#interface loopback 1 
R2(config-if)#ip address 11.11.11.11 255.255.255.0 
R2(config-if)#exit 
R2(config)#router eigrp 10 
R2(config-router)#network 192.168.10.0 
R2(config-router)#network 11.11.11.0 
R2(config-router)#network 12.12.12.0 
R2(config-router)#no auto-summary 
R2(config-router)#exit 
R2(config)# 
 
Now we will create ACL rules so that only PC1, PC2 and PC3 can ping the loopback IP.
 
R2(config)#access-list 50 permit host 192.168.20.2
R2(config)#access-list 50 permit host 192.168.20.3
R2(config)#access-list 50 permit host 192.168.20.4
R2(config)#access-list 50 deny any
 
Apply it to R2 Router (closest to the destination) 
 
R2(config)#interface fastEthernet 0/0 
R2(config-if)#ip access-group 50 in 
 
Verification 
 
 
R2#show ip interface fastEthernet 0/0 
 
FastEthernet0/0 is up, line protocol is up 
 Internet address is 192.168.10.2/24 
 Broadcast address is 255.255.255.255 
 Address determined by setup command 
 MTU is 1500 bytes 
 Helper address is not set 
 Directed broadcast forwarding is disabled 
 Outgoing access list is not set 
 Inbound access list is 50 
 
Now ping from PC4 
 
PC4> ping 11.11.11.11 
 
*192.168.20.1 icmp_seq=1 ttl=255 time=15.600 ms (ICMP type:3, code:13, 
Communication administratively prohibited) 
*192.168.20.1 icmp_seq=2 ttl=255 time=15.600 ms (ICMP type:3, code:13, 
Communication administratively prohibited) 
*192.168.20.1 icmp_seq=3 ttl=255 time=15.600 ms (ICMP type:3, code:13, 
Communication administratively prohibited) 
*192.168.20.1 icmp_seq=4 ttl=255 time=15.600 ms (ICMP type:3, code:13, 
Communication administratively prohibited) 
 
And from PC1 / PC2 / PC3 
 
PC1> ping 11.11.11.11 
 
84 bytes from 11.11.11.11 icmp_seq=1 ttl=254 time=46.800 ms 
84 bytes from 11.11.11.11 icmp_seq=2 ttl=254 time=46.801 ms 
84 bytes from 11.11.11.11 icmp_seq=3 ttl=254 time=46.800 ms 
84 bytes from 11.11.11.11 icmp_seq=4 ttl=254 time=46.800 ms 
 
PC2> ping 12.12.12.12 
 
84 bytes from 12.12.12.12 icmp_seq=1 ttl=254 time=31.200 ms 
84 bytes from 12.12.12.12 icmp_seq=2 ttl=254 time=31.200 ms 
84 bytes from 12.12.12.12 icmp_seq=3 ttl=254 time=31.200 ms 
84 bytes from 12.12.12.12 icmp_seq=4 ttl=254 time=31.200 ms 
 
PC3> ping 12.12.12.12 
84 bytes from 12.12.12.12 icmp_seq=1 ttl=254 time=31.200 ms 
84 bytes from 12.12.12.12 icmp_seq=2 ttl=254 time=31.200 ms 
84 bytes from 12.12.12.12 icmp_seq=3 ttl=254 time=31.200 ms 
84 bytes from 12.12.12.12 icmp_seq=4 ttl=254 time=31.200 ms 
 
R2#show access-lists 
 
Standard IP access list 50 
 10 permit 192.168.10.0, wildcard bits 0.0.0.255 (27 matches) 
 
LAB 35 : EXTENDED IP ACCESS-LIST 
Extended IP access-lists block based upon the source IP address, destination IP address, and TCP 
or UDP port number. Extended access-lists should be placed closest to the source network. 
 
 
Objective: 
 
We will configure an Extended ACL so that

PC0 can use only the Telnet service,
PC2 can use only the HTTP service, and
PC1 can use only the Mail service
 
IP Configuration 
 
Router(config)#hostname LOCAL 
LOCAL(config)#interface fastEthernet 0/1 
LOCAL(config-if)#ip address 192.168.10.1 255.255.255.0 
LOCAL(config-if)#no shutdown 
LOCAL(config-if)#exit 
LOCAL(config)#interface fastEthernet 0/0 
LOCAL(config-if)#ip address 103.13.148.1 255.255.255.240 
LOCAL(config-if)#no shutdown 
LOCAL(config-if)#exit 
 
Static Default Route 
 
LOCAL(config)#ip route 0.0.0.0 0.0.0.0 103.13.148.2 
 
Telnet Access 
 
LOCAL(config)#line vty 0 5 
LOCAL(config-line)#password cisco 
LOCAL(config-line)#login 
LOCAL(config-line)#exit 
LOCAL(config)#enable secret cisco 
 
IP Configuration 
 
Router(config)#hostname ISP 
ISP(config)#interface fastEthernet 0/0 
ISP(config-if)#ip address 103.13.148.2 255.255.255.240 
ISP(config-if)#no shutdown 
ISP(config-if)#exit 
ISP(config)#interface fastEthernet 0/1 
ISP(config-if)#ip address 100.100.100.1 255.255.255.0 
ISP(config-if)#no shutdown 
ISP(config-if)#exit 
 
 
Static Route 
 
ISP(config)#ip route 192.168.10.0 255.255.255.0 103.13.148.1 
 
Switch(config)#ip default-gateway 100.100.100.1 
 
Extended ACL Configuration 
 
ISP(config)#access-list 101 permit tcp host 100.100.100.2 any eq telnet 
ISP(config)#access-list 101 permit tcp host 100.100.100.4 any eq www 
ISP(config)#access-list 101 permit tcp host 100.100.100.3 any eq smtp 
 
Apply it to its Inside Interface 
 
ISP(config)#interface fastEthernet 0/1 
ISP(config-if)#ip access-group 101 in 
ISP#show ip interface fastEthernet 0/1 
 
FastEthernet0/1 is up, line protocol is up (connected) 
Internet address is 100.100.100.1/24 
Broadcast address is 255.255.255.255 
Address determined by setup command 
MTU is 1500 bytes 
Helper address is not set 
Directed broadcast forwarding is disabled 
Outgoing access list is not set 
Inbound access list is 101 
 
ISP#show access-lists 101 
 
Extended IP access list 101 
permit tcp host 100.100.100.2 any eq telnet (37 match(es)) 
permit tcp host 100.100.100.4 any eq www (11 match(es)) 
permit tcp host 100.100.100.3 any eq smtp (2 match(es)) 
 
 
From PC0, logging in to router LOCAL using Telnet is possible
 
 
 
 
But from the other PCs it is not possible.

From PC2 we can browse the HTTP server.

But PC0 or PC1 cannot browse to the HTTP server.

From PC1 we can see that the SMTP service is open, but not from the other PCs.
 
 
 
 
LAB 36: Named IP Access List 
 
This allows standard and extended ACLs to be given names instead of numbers.

Objective:

We will configure a named ACL to ensure that only PC0 can log in to router BUET through
Telnet and PC1 cannot.
 
Basic Configuration of Router and Switch: 
Router>en 
Router#conf t 
Router(config)#hostname DU 
DU(config)#interface fastEthernet 0/0 
DU(config-if)#ip address 192.168.10.1 255.255.255.0
DU(config-if)#no shutdown 
 
DU(config-if)#exit 
DU(config)#interface fastEthernet 0/1 
DU(config-if)#ip address 172.16.10.1 255.255.255.0 
DU(config-if)#no shutdown 
 
DU(config)#router eigrp 10 
DU(config-router)#network 192.168.10.0 
DU(config-router)#network 172.16.10.0 
DU(config-router)#no auto-summary 
DU(config-router)#exit 
DU(config)#exit
 
Router(config)#hostname BUET 
BUET(config)#interface fastEthernet 0/0 
BUET(config-if)#ip address 192.168.10.2 255.255.255.0 
BUET(config-if)#no shutdown 
BUET(config-if)#exit 
BUET(config)#router eigrp 10 
BUET(config-router)#network 192.168.10.0 
BUET(config-router)#no auto-summary 
BUET(config-router)#exit 
BUET(config)#no ip domain-lookup 
BUET(config)#line vty 0 4 
BUET(config-line)#password cisco 
BUET(config-line)#login 
BUET(config-line)#exit 
BUET(config)#enable secret cisco 
BUET(config)#exit 
 
DEFINE NAMED ACL 
 
DU(config)#ip access-list extended venus 
DU(config-ext-nacl)#permit tcp host 172.16.10.2 any eq telnet 
DU(config-ext-nacl)#deny tcp host 172.16.10.3 any eq telnet 
DU(config-ext-nacl)#permit ip any any 
DU(config-ext-nacl)#exit 
 
Apply ACL to Router's Interface 
 
 
DU(config)#interface fastEthernet 0/0 
DU(config-if)#ip access-group venus out 
DU(config-if)#end 
 
Switch(config)#ip default-gateway 172.16.10.1 
 
From PC0 
 
C:\>ping 192.168.10.2 
 
 
Reply from 192.168.10.2: bytes=32 time<1ms TTL=254
Reply from 192.168.10.2: bytes=32 time<1ms TTL=254
Reply from 192.168.10.2: bytes=32 time=1ms TTL=254 
Reply from 192.168.10.2: bytes=32 time<1ms TTL=254 
 
C:\>telnet 192.168.10.2 (Success) 
 
Trying 192.168.10.2 ...Open 
 
User Access Verification 
 
Password: 
 
From PC1 
 
C:\>ping 192.168.10.2 
 
Reply from 192.168.10.2: bytes=32 time=2ms TTL=254 
Reply from 192.168.10.2: bytes=32 time<1ms TTL=254 
Reply from 192.168.10.2: bytes=32 time<1ms TTL=254 
Reply from 192.168.10.2: bytes=32 time<1ms TTL=254 
 
C:\>telnet 192.168.10.2 (Not Success) 
Trying 192.168.10.2 ... 
% Connection timed out; remote host not responding 
C:\> 
 
DU#show ip access-lists 
 
Extended IP access list venus 
10 permit tcp host 172.16.10.2 any eq telnet (4 match(es)) 
20 deny tcp host 172.16.10.3 any eq telnet (12 match(es)) 
30 permit ip any any (4 match(es)) 
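
The first-match and implicit-deny behaviour behind LAB 34 to LAB 36, as an added example that is not part of the lab guide: a small Python model that parses the ACL entries used above and evaluates constructed packets against them. The names `parse_entry`, `evaluate` and `load` are hypothetical, and the parser covers only the entry forms these labs use (`any`, `host`, address plus wildcard, `eq` port).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"telnet": 23, "smtp": 25, "www": 80}   # port keywords used in the labs
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
ANY = (0, 0xFFFFFFFF)                                 # 0.0.0.0 with wildcard 255.255.255.255


@dataclass
class Entry:
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches every IP protocol
    src: Tuple[int, int]     # (address, wildcard mask) as integers
    dst: Tuple[int, int]
    dport: Optional[int]     # None = any destination port


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _take_addr(tokens: List[str]) -> Tuple[int, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the token list."""
    first = tokens.pop(0)
    if first == "any":
        return ANY
    if first == "host":
        return (_ip(tokens.pop(0)), 0)
    return (_ip(first), _ip(tokens.pop(0)))


def parse_entry(text: str) -> Entry:
    """Parse what follows 'access-list N' (or one line of a named ACL)."""
    tokens = text.split()
    action = tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"unsupported entry: {text!r}")
    if tokens[0] not in PROTOCOLS:            # standard ACL: source address only
        return Entry(action, "ip", _take_addr(tokens), ANY, None)
    proto = tokens.pop(0)
    src = _take_addr(tokens)
    dst = _take_addr(tokens)
    dport = None
    if tokens[:1] == ["eq"]:
        dport = PORT_NAMES.get(tokens[1]) or int(tokens[1])
    return Entry(action, proto, src, dst, dport)


def _covers(spec: Tuple[int, int], ip: str) -> bool:
    """Wildcard bits set to 1 are ignored; every other bit must be equal."""
    addr, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (_ip(ip) & care) == (addr & care)


def evaluate(acl: List[Entry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, entry number); entry number None means the implicit deny."""
    for number, entry in enumerate(acl, start=1):
        if entry.proto != "ip" and entry.proto != proto:
            continue
        if entry.dport is not None and entry.dport != dport:
            continue
        if _covers(entry.src, src) and _covers(entry.dst, dst):
            return (entry.action, number)     # first match wins, later entries are ignored
    return ("deny", None)                     # nothing matched: implicit deny at the end


def load(lines: str) -> List[Entry]:
    return [parse_entry(line) for line in lines.strip().splitlines()]


# Entries copied from the labs above (LAB 34 list 50, LAB 35 list 101, LAB 36 'venus').
ACL_50 = load("""
permit host 192.168.20.2
permit host 192.168.20.3
permit host 192.168.20.4
deny any
""")
ACL_101 = load("""
permit tcp host 100.100.100.2 any eq telnet
permit tcp host 100.100.100.4 any eq www
permit tcp host 100.100.100.3 any eq smtp
""")
ACL_VENUS = load("""
permit tcp host 172.16.10.2 any eq telnet
deny tcp host 172.16.10.3 any eq telnet
permit ip any any
""")

if __name__ == "__main__":
    # The packets below are constructed test cases, not captures from the lab.
    print(evaluate(ACL_101, "tcp", "100.100.100.2", "192.168.10.1", 23))
    print(evaluate(ACL_101, "icmp", "100.100.100.2", "192.168.10.1"))
    print(evaluate(ACL_VENUS, "tcp", "172.16.10.3", "192.168.10.2", 23))
    print(evaluate(ACL_VENUS[::-1], "tcp", "172.16.10.3", "192.168.10.2", 23))
```

List 101 has no `permit ip any any`, so anything other than the three listed services, including a ping from the same PCs, falls through to the implicit deny. Reversing `venus` shows why the specific `deny` has to sit above `permit ip any any`.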
 
 
 
 
LAB 37 : STATIC NAT 
We use Static NAT for one-to-one mapping between an inside address and an outside address. 
Static NAT allows connections from an outside host to an inside host. Generally, static NAT is 
used for servers inside our network. 
 
Suppose we have a web or mail server with the inside IP address 192.168.10.2 and we want
it to be accessible from the Internet, i.e. when a remote host makes a request to 103.13.148.10.
In this case we must create a static NAT mapping between the inside IP (192.168.10.2) and the
outside IP (103.13.148.10).
 
IP Configuration to router Interface and Hosts 
 
Router>en 
Router#conf t 
Router(config)#hostname Gateway
Gateway(config)#interface fastEthernet 0/0 
Gateway(config-if)#ip address 103.13.148.1 255.255.255.0 
Gateway(config-if)#no shutdown 
Gateway(config-if)#exit 
Gateway(config)#interface fastEthernet 0/1 
Gateway(config-if)#ip address 192.168.10.1 255.255.255.0 
Gateway(config-if)#no shutdown 
Gateway(config-if)#exit 
 
Router>en 
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z. 
Router(config)#hostname ISP 
ISP(config)#interface fastEthernet 0/0 
ISP(config-if)#ip address 103.13.148.2 255.255.255.0 
ISP(config-if)#no shutdown 
ISP(config-if)#exit 
ISP(config)#interface fastEthernet 0/1 
ISP(config-if)#ip address 10.10.10.1 255.255.255.0 
ISP(config-if)#no shutdown 
ISP(config-if)#exit 
 
 
 
 
 
 
Configure default-route to Internet on Gateway Router 
 
Gateway(config)#ip route 0.0.0.0 0.0.0.0 103.13.148.2 
Gateway(config)#exit 
 
Configure static route to LAN on ISP 
 
ISP(config)#ip route 192.168.10.0 255.255.255.0 103.13.148.1 
 
 
 
Specify default gateway on switch 
 
Switch(config)#ip default-gateway 192.168.10.1 
 
 
Static NAT Configuration 
 
 
Gateway#conf t 
Gateway(config)#ip nat inside source static 192.168.10.2 103.13.148.10 
Gateway(config)#interface fastEthernet 0/1 
Gateway(config-if)#ip nat inside 
Gateway(config-if)#exit 
Gateway(config)#interface fastEthernet 0/0 
Gateway(config-if)#ip nat outside 
Gateway(config-if)#end 
Gateway# 
 
Verification 
 
 
Gateway# show ip route 
 
 
 
 
ISP# show ip route 
 
 
 
 
Ping from PC0 to Server PC 
 
 
 
 
 
 
 
 
On the Server PC, activate the HTTP service.
From the Internet PC (PC0 under the ISP router), browse to 103.13.148.10 (the public
IP that is assigned for static mapping).
 
 
 
LAB 38 : Dynamic NAT (Like many to many) 
 
 
(We will do the Dynamic NAT configuration on top of the Static NAT lab, so all the configuration
of the previous LAB remains the same.)
 
When we have a pool of public IP addresses, Dynamic NAT is used. 
 
 
 
Never use dynamic NAT for servers or other devices that need to be accessible from the 
Internet. 
 
Suppose our internal network is 192.168.10.0/24. We also have the pool of public IP 
addresses from 103.13.148.20-103.13.148.30 and Net Mask is 255.255.255.0. The procedure 
will be as follows: 
 
 
Create an ACL for LAN traffic 
------------------------------------- 
 
Gateway(config)#access-list 1 permit 192.168.10.0 0.0.0.255 
 
Create a NAT pool of the public IP addresses used for translations
----------------------------------------------------------------------------------------- 
 
Gateway(config)#ip nat pool venus 103.13.148.20 103.13.148.30 netmask 255.255.255.0
 
Apply the NAT with ACL and nat pool 
--------------------------------------------------- 
 
Gateway(config)#ip nat inside source list 1 pool venus 
 
Apply it to interface 
---------------------------- 
 
Gateway(config)#interface fastEthernet 0/1 
Gateway(config-if)#ip nat inside 
Gateway(config-if)#exit 
Gateway(config)#interface fastEthernet 0/0 
Gateway(config-if)#ip nat outside 
Gateway(config-if)#exit 
 
Verification 
Ping PC0 from PC1 / PC2
Gateway#show ip nat translations 
 
Dynamic NAT 
 
icmp 103.13.148.20:3 192.168.10.11:3 10.10.10.2:3 10.10.10.2:3 
icmp 103.13.148.20:4 192.168.10.11:4 10.10.10.2:4 10.10.10.2:4 
icmp 103.13.148.21:5 192.168.10.10:5 10.10.10.2:5 10.10.10.2:5 
icmp 103.13.148.21:6 192.168.10.10:6 10.10.10.2:6 10.10.10.2:6 
icmp 103.13.148.21:7 192.168.10.10:7 10.10.10.2:7 10.10.10.2:7 
 
 
Static NAT 
--- 103.13.148.10 192.168.10.2 --- --- 
 
tcp 103.13.148.10:80 192.168.10.2:80 10.10.10.2:1025 10.10.10.2:1025 
tcp 103.13.148.10:80 192.168.10.2:80 10.10.10.2:1026 10.10.10.2:1026 
tcp 103.13.148.10:80 192.168.10.2:80 10.10.10.2:1027 10.10.10.2:1027 
tcp 103.13.148.10:80 192.168.10.2:80 10.10.10.2:1028 10.10.10.2:1028 
tcp 103.13.148.10:80 192.168.10.2:80 10.10.10.2:1029 10.10.10.2:1029 
tcp 103.13.148.10:80 192.168.10.2:80 10.10.10.2:1030 10.10.10.2:1030 
tcp 103.13.148.10:80 192.168.10.2:80 10.10.10.2:1031 10.10.10.2:1031 
 
An inside host makes a request to an outside host and the router dynamically assigns an
available IP address from the pool for the translation of the private IP address. If there’s no
public IP address available, the router rejects new connections until you clear the NAT
mappings. However, if you have as many public IP addresses as hosts in your network, you won’t
face this problem.

NAT Overload
NAT Overload, also called PAT, is probably the most used type of NAT. We can configure NAT
overload in two ways, depending on how many public IP addresses we have.
 
 
LAB 39 : Static PAT 
Suppose, we have only one public IP address allocated by our ISP. Here we have to map all our 
inside hosts to the available IP address. The configuration is almost the same as for dynamic 
NAT, but in this case we specify the outside interface instead of a NAT pool. 
 
 
Router(config)#hostname GW
GW(config)#interface fastEthernet 0/0
GW(config-if)#ip address 103.13.148.1 255.255.255.240 
GW(config-if)#no shutdown 
GW(config-if)#exit 
GW(config)#interface fastEthernet 0/1 
GW(config-if)#ip address 192.168.10.1 255.255.255.0 
GW(config-if)#no shutdown 
GW(config-if)#exit 
 
Router(config)#hostname ISP 
ISP(config)#interface fastEthernet 0/0
ISP(config-if)#ip address 103.13.148.2 255.255.255.240 
ISP(config-if)#no shutdown 
ISP(config-if)#exit 
ISP(config)#interface fastEthernet 0/1 
ISP(config-if)#ip address 100.100.100.1 255.255.255.0 
ISP(config-if)#no shutdown 
ISP(config-if)#exit 
 
 
Static default route to Internet on GW Router

GW(config)#ip route 0.0.0.0 0.0.0.0 103.13.148.2

Static route to LAN on ISP Router

ISP(config)#ip route 192.168.10.0 255.255.255.0 103.13.148.1

Assign IP address to Hosts and verify connectivity
 
 
 
 
C:\>ping 192.168.10.10 
 
Reply from 192.168.10.10: bytes=32 time=1ms TTL=126 
Reply from 192.168.10.10: bytes=32 time=10ms TTL=126 
Reply from 192.168.10.10: bytes=32 time<1ms TTL=126 
Reply from 192.168.10.10: bytes=32 time<1ms TTL=126 
C:\>ping 192.168.10.20 
 
Reply from 192.168.10.20: bytes=32 time=11ms TTL=126 
Reply from 192.168.10.20: bytes=32 time<1ms TTL=126 
Reply from 192.168.10.20: bytes=32 time<1ms TTL=126 
Reply from 192.168.10.20: bytes=32 time<1ms TTL=126

Configure NAT overload

GW(config)#access-list 1 permit 192.168.10.0 0.0.0.255
GW(config)#ip nat inside source list 1 interface fastEthernet 0/0 overload 
GW(config)#interface fastEthernet 0/0 
GW(config-if)#ip nat outside 
GW(config-if)#exit
GW(config)#interface fastEthernet 0/1 
GW(config-if)#ip nat inside 
GW(config-if)#exit 
 
 
Verification 
Ping the OUTSIDE SERVER from PC0
C:\>ping 100.100.100.30 
 
Reply from 100.100.100.30: bytes=32 time=11ms TTL=126 
Reply from 100.100.100.30: bytes=32 time<1ms TTL=126 
Reply from 100.100.100.30: bytes=32 time<1ms TTL=126 
Reply from 100.100.100.30: bytes=32 time=10ms TTL=126 
 
Browse the OUTSIDE SERVER 
 
 
The router automatically determines what public IP address to use for the mappings by
checking what IP is assigned to the outside interface named in the command (fastEthernet 0/0
in this lab). All the inside addresses are translated to the only public IP address available
on our router. The overload keyword tells the router to tell traffic flows apart by their port
numbers.
 
 
LAB 40 : DYNAMIC PAT 
 
The second way: the ISP gave you more than one public IP address, but not enough for a
dynamic or static mapping.
The configuration is the same as dynamic NAT, but this time we add the overload keyword so
that the router identifies traffic flows by port number instead of dynamically mapping a
private IP address to a public IP address.
 
Configure NAT overload 
 
GW(config)# ip nat pool venus 103.13.148.5 103.13.148.10 netmask 255.255.255.240
GW(config)#access-list 1 permit 192.168.10.0 0.0.0.255 
GW(config)#ip nat inside source list 1 pool venus overload 
GW(config)#interface fastEthernet 0/0 
GW(config-if)#ip nat outside 
GW(config-if)#exit 
GW(config)#interface fastEthernet 0/1 
GW(config-if)#ip nat inside 
 
Verification 
C:\>ping 100.100.100.30 
 
Reply from 100.100.100.30: bytes=32 time=1ms TTL=126 
Reply from 100.100.100.30: bytes=32 time<1ms TTL=126 
Reply from 100.100.100.30: bytes=32 time=11ms TTL=126 
Reply from 100.100.100.30: bytes=32 time<1ms TTL=126 
 
 
 
 
Router#show ip nat translations 
 
Pro Inside global Inside local Outside local Outside global 
icmp 103.13.148.5:10 192.168.10.20:10 100.100.100.30:10 100.100.100.30:10 
icmp 103.13.148.5:11 192.168.10.20:11 100.100.100.30:11 100.100.100.30:11 
icmp 103.13.148.5:12 192.168.10.20:12 100.100.100.30:12 100.100.100.30:12 
icmp 103.13.148.5:9 192.168.10.20:9 100.100.100.30:9 100.100.100.30:9 
tcp 103.13.148.5:1027 192.168.10.10:1027 100.100.100.30:80 100.100.100.30:80 
tcp 103.13.148.5:1028 192.168.10.10:1028 100.100.100.30:80 100.100.100.30:80 
 
We can clear the NAT translation table with the following commands: 
 
Router#clear ip nat translation * 
Router#show ip nat translations 
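
A Python model of the translation behaviour in LAB 38 to LAB 40, added here and not part of the lab guide: dynamic NAT stops translating new hosts once the pool is used up, while overload keeps sharing one address and separates flows by port. The class names are hypothetical, the host list and flows are constructed, and lowest-address-first allocation and the upward port search are simplifying assumptions of the model.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


def pool(first: str, last: str) -> List[str]:
    """Expand the first/last addresses of an 'ip nat pool' into individual addresses."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)]


class DynamicNat:
    """Model of 'ip nat inside source list 1 pool venus' (no overload)."""

    def __init__(self, addresses: List[str]):
        self.addresses = list(addresses)
        self.free = list(addresses)
        self.table: Dict[str, str] = {}          # inside local -> inside global

    def translate(self, inside_ip: str) -> Optional[str]:
        if inside_ip not in self.table:
            if not self.free:
                return None                      # pool exhausted: no translation for a new host
            self.table[inside_ip] = self.free.pop(0)   # assumption: lowest free address first
        return self.table[inside_ip]

    def clear(self) -> None:
        """Model of 'clear ip nat translation *'."""
        self.table.clear()
        self.free = list(self.addresses)


class Pat:
    """Model of '... overload': flows share an address and are told apart by port."""

    def __init__(self, addresses: List[str]):
        self.addresses = list(addresses)
        self.outbound: Dict[Tuple[str, str, int], Tuple[str, int]] = {}
        self.inbound: Dict[Tuple[str, str, int], Tuple[str, int]] = {}

    def translate(self, proto: str, inside_ip: str, inside_port: int) -> Optional[Tuple[str, int]]:
        key = (proto, inside_ip, inside_port)
        if key in self.outbound:
            return self.outbound[key]
        for address in self.addresses:           # move to the next address only when this one is full
            port = inside_port                   # keep the original port when it is free
            while port <= 65535 and (proto, address, port) in self.inbound:
                port += 1                        # assumption: search upward for a free port
            if port <= 65535:
                self.outbound[key] = (address, port)
                self.inbound[(proto, address, port)] = (inside_ip, inside_port)
                return (address, port)
        return None

    def reverse(self, proto: str, global_ip: str, global_port: int) -> Optional[Tuple[str, int]]:
        """Inside host for a returning packet, or None when no inside flow created the entry."""
        return self.inbound.get((proto, global_ip, global_port))


def demo():
    nat = DynamicNat(pool("103.13.148.20", "103.13.148.30"))      # LAB 38 pool: 11 addresses
    hosts = [f"192.168.10.{n}" for n in range(10, 22)]            # 12 constructed inside hosts
    dynamic = {host: nat.translate(host) for host in hosts}
    pat = Pat(pool("103.13.148.5", "103.13.148.10"))              # LAB 40 pool
    flows = [("tcp", "192.168.10.10", 1027), ("tcp", "192.168.10.10", 1028),
             ("tcp", "192.168.10.20", 1027)]                      # last flow collides on port 1027
    overload = [pat.translate(*flow) for flow in flows]
    return dynamic, overload, pat


if __name__ == "__main__":
    dynamic, overload, pat = demo()
    for host, address in dynamic.items():
        print(f"dynamic  {host:15} -> {address}")
    for entry in overload:
        print("overload", entry)
    print("unsolicited inbound tcp/4444 ->", pat.reverse("tcp", "103.13.148.5", 4444))
```

The twelfth host gets no translation from the eleven-address pool, and an inbound packet to a port that no inside flow opened has no table entry to match, which is why the server in LAB 37 needs its static mapping.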
 
LAB 41 : Configure GRE Tunnel 
 
Generic Routing Encapsulation (GRE), developed by Cisco, is a simple IP packet
encapsulation protocol. GRE encapsulates the original IP packet with a new IP header and
an additional GRE header. A GRE tunnel creates a point-to-point link between two
routers that are otherwise not directly connected to each other.

When packets need to be sent from one network to another over the Internet or an
insecure network, we can use a GRE tunnel. A virtual tunnel is created between the two Cisco
routers and packets are sent through the tunnel.
 
 
GRE tunnels allow multicast packets but IPSec VPN does not support multicast packets. In 
large networks where routing protocols such as OSPF, EIGRP are necessary, GRE tunnels 
are the best to utilize. 
Configuring GRE Tunnel: 
Configuring a GRE tunnel involves creating a tunnel interface, which is a logical interface. 
Then you must configure the tunnel endpoints for the tunnel interface. 
 
Configuring Router Interface : 
R1(config)#interface fastEthernet 0/0 
R1(config-if)#ip address 192.168.20.1 255.255.255.0 
R1(config-if)#no shutdown 
R1(config-if)#exit 
R1(config)#interface fastEthernet 0/1 
R1(config-if)#ip address 192.168.10.1 255.255.255.0 
R1(config-if)#no shutdown 
R1(config-if)#exit 
R1(config)# 
 
R2(config)#interface fastEthernet 0/0 
R2(config-if)#ip address 192.168.20.2 255.255.255.0 
R2(config-if)#no shutdown
R2(config-if)#exit 
R2(config)#interface fastEthernet 0/1 
R2(config-if)#ip address 192.168.30.1 255.255.255.0 
R2(config-if)#no shutdown 
R2(config-if)#exit 
 
Creating a Cisco GRE Tunnel 
 
A GRE tunnel uses a tunnel interface: a logical interface configured on the router with an IP
address, where packets are encapsulated and de-encapsulated as they enter or exit the GRE
tunnel.
 
First step is to create our tunnel interface on R1: 
 
R1(config)# interface Tunnel0 
R1(config-if)# ip address 172.16.10.1 255.255.255.0 
R1(config-if)# ip mtu 1400 
R1(config-if)# ip tcp adjust-mss 1360 
R1(config-if)# tunnel source 192.168.20.1 
R1(config-if)# tunnel destination 192.168.20.2 
 
R2(config)# interface Tunnel0 
R2(config-if)# ip address 172.16.10.2 255.255.255.0 
R2(config-if)# ip mtu 1400 
R2(config-if)# ip tcp adjust-mss 1360 
R2(config-if)# tunnel source 192.168.20.2 
R2(config-if)# tunnel destination 192.168.20.1 
 
All tunnel interfaces must be configured with an IP address. Each tunnel interface is
configured with an IP address within the same subnet (172.16.10.0/24).

Since GRE is an encapsulating protocol, we adjust the maximum transmission unit (MTU) to 1400
bytes and the maximum segment size (MSS) to 1360 bytes. Because most transport MTUs are 1500
bytes and GRE adds overhead, we must reduce the MTU to account for the extra overhead.
A setting of 1400 is common practice and keeps unnecessary packet fragmentation to a
minimum.

See also: http://www.firewall.cx/networking-topics/protocols/tcp/138-tcp-options.html

Now we will configure static routes so that the two hosts can reach each other.
Here the next hop will be the tunnel interface IP:
 
R1(config)# ip route 192.168.30.0 255.255.255.0 172.16.10.2 
 
R2(config)# ip route 192.168.10.0 255.255.255.0 172.16.10.1 
 
n.b. We can also write tunnel source as an interface like 
 
# tunnel source fastEthernet 0/0 
 
R1#show interfaces tunnel 0 
Tunnel0 is up, line protocol is up 
 Hardware is Tunnel 
 Internet address is 172.16.10.1/24 
 MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec, 
 reliability 255/255, txload 1/255, rxload 1/255 
 Encapsulation TUNNEL, loopback not set 
 Keepalive not set 
 Tunnel source 192.168.20.1, destination 192.168.20.2 
 Tunnel protocol/transport GRE/IP 
 
PC1#ping 192.168.30.2 
 
Type escape sequence to abort. 
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds: 
!!!!! 
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/34/44 ms 
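
The encapsulation and the MTU/MSS settings of LAB 41, as an added Python example that is not part of the lab guide: it builds an inner IPv4 packet, wraps it in a basic GRE header and an outer IPv4 header using the lab's tunnel endpoints, and unwraps it again. The inside host address 192.168.10.2, the placeholder payload and the function names are assumptions made for the example.

```python
import socket
import struct
from typing import Tuple

IP_HDR, TCP_HDR, GRE_HDR = 20, 20, 4    # header sizes in bytes, without options
PROTO_ICMP, PROTO_GRE = 1, 47           # IP protocol numbers
ETHERTYPE_IPV4 = 0x0800                 # GRE protocol type for an IPv4 payload
IP_FORMAT = "!BBHHHBBH4s4s"             # the 20-byte IPv4 header


def checksum(data: bytes) -> int:
    """Internet checksum: one's complement of the one's complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    fields = [0x45, 0, IP_HDR + len(payload), 0, 0, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = checksum(struct.pack(IP_FORMAT, *fields))   # header checksum over the header only
    return struct.pack(IP_FORMAT, *fields) + payload


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Prepend a basic GRE header (no checksum, key or sequence) and a new outer IP header."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    return ipv4_packet(tunnel_src, tunnel_dst, PROTO_GRE, gre + inner, ttl=255)


def gre_decapsulate(outer: bytes) -> bytes:
    """Strip the outer IP and GRE headers and return the original packet."""
    ihl = (outer[0] & 0x0F) * 4
    if outer[9] != PROTO_GRE:
        raise ValueError("outer packet is not GRE")
    flags, ptype = struct.unpack("!HH", outer[ihl:ihl + GRE_HDR])
    if flags != 0 or ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE header")
    return outer[ihl + GRE_HDR:]


def addresses(packet: bytes) -> Tuple[str, str]:
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])


def outer_size(inner_len: int) -> int:
    """Size on the transport link of an inner packet of inner_len bytes."""
    return inner_len + IP_HDR + GRE_HDR


def mss_for(ip_mtu: int) -> int:
    """Largest TCP payload that fits in one packet of ip_mtu bytes."""
    return ip_mtu - IP_HDR - TCP_HDR


def build_example() -> Tuple[bytes, bytes]:
    # Constructed inner packet: an inside host behind R1 to the host pinged in the lab.
    inner = ipv4_packet("192.168.10.2", "192.168.30.2", PROTO_ICMP, b"\x00" * 64)
    outer = gre_encapsulate(inner, "192.168.20.1", "192.168.20.2")   # tunnel source/destination
    return inner, outer


if __name__ == "__main__":
    inner, outer = build_example()
    print("inner", addresses(inner), len(inner), "bytes")
    print("outer", addresses(outer), len(outer), "bytes")
    print("overhead", len(outer) - len(inner), "bytes")
    print("ip mtu 1400 -> outer", outer_size(1400), "bytes, MSS", mss_for(1400))
```

The inner packet sits unchanged inside the outer one, so GRE by itself hides the inside addresses from routing only, not from anyone who can read the traffic. With `ip mtu 1400` the largest outer packet is 1424 bytes, under the 1500-byte transport MTU, and 1360 is that MTU minus the inner IP and TCP headers.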
 
LAB 42: AAA Configuration 
 
AAA (Authentication, Authorization & Accounting) provides the basic security framework
for setting up access control on a network device.
 
Authentication = who is permitted to access a network 
 
Provides the method of identifying users, including login and password dialog, challenge and 
response, messaging support, and, depending on the security protocol you select, encryption. 
 
Authorization = Control what they can do while they are there 
 
Provides the method for remote access control, including one-time authorization or 
authorization for each service, per-user account list and profile, user group support, and 
support of IP, IPX, ARA, and Telnet. 
 
Accounting = audit what actions they performed while accessing the network
 
Provides the method for collecting and sending security server information used for billing, 
auditing, and reporting, such as user identities, start and stop times, executed commands 
(such as PPP), number of packets, and number of bytes. 
 
 
AAA uses two common methods : 
 
 
1) Local AAA authentication: 
 
This method stores usernames and passwords locally in the Cisco router, and users 
authenticate against the local database. 
 
2) Server-based AAA authentication: 
 
A central AAA server contains the usernames and passwords for all users.
AAA can be used with both RADIUS & TACACS+ servers to provide secure services. But there
are some differences between the two protocols.
 
AAA Lab (Server-based AAA authentication) 
 
 
 
Objective : 
 
Anyone who telnets to the router must be authenticated through the AAA server; in case the AAA
server is down, the router will use the local user accounts database.
 
RADIUS SERVER CONFIGURATION 
 
Configuration: 
 
Router#conf terminal 
Enter configuration commands, one per line. End with CNTL/Z. 
Router(config)#hostname Radius 
Radius(config)#interface fastEthernet 0/0 
Radius(config-if)#ip address 192.168.10.1 255.255.255.0 
Radius(config-if)#no shutdown 
Radius(config-if)#exit 
 
Telnet Access from local database 
 
Radius(config)#enable secret cisco123 
Radius(config)#line vty 0 4 
Radius(config-line)#login authentication default 
Radius(config-line)#login 
Radius(config-line)#exit 
Radius(config)#username ashish password ashish123 
Radius(config)#exit 
 
AAA Server Configuration 
 
To enable AAA, you need to configure the aaa new-model command in global configuration. 
Until this command is enabled, all other AAA commands are hidden. 
 
Radius(config)#aaa new-model 
 
Set authentication for login using two methods: the RADIUS server is the first method. If the 
RADIUS server doesn't respond, then the router's local database is used (the second method). 
 
Radius(config)#aaa authentication login default group radius local 
 
Tell the router the IP address of the RADIUS server and the key (password) to connect with: 
 
Radius(config)#radius-server host 192.168.10.3 auth-port 1645 key cisco 
https://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/10384-security.html
 
 
 
 
Here, 
Client name = any 
Client IP = Router IP 
Key = the key defined in the previous command line 
 
From the PC 
C:\>telnet 192.168.10.1 
Trying 192.168.10.1 ...Open 
 
User Access Verification 
 
Username: admin 
Password: 
Radius>en 
Password: 
Radius# 
Here the username admin and the password admin123 are the account that was created on the RADIUS server. 
 
 
Now disconnect the ACS server, or just remove the cable, and try to Telnet to the router using 
ashish (local database); it will work. 

Remember: if method 1 fails, the router does not go on to method 2; only if method 1 is not 
available does it go to method 2 and use it. 
 
C:\>telnet 192.168.10.1 
 
Trying 192.168.10.1 ...Open 
 
User Access Verification 
 
Username: ashish 
 
Password: 
Radius> 
Radius#show AAA user all 
 
Unique id 4 is currently in use. 
Accounting: 
log=0x18001 
Events recorded : 
CALL START 
INTERIM START 
INTERIM STOP 
update method(s) : 
NONE 
update interval = 0 
Outstanding Stop Records : 0 
Radius#show aaa sessions 
 
Total sessions since last reload: 3 
Session Id:4 
Unique Id:4 
User Name:admin 
IP Address:0.0.0.0 
Idle Time: 0 
CT Call Handle: 0 
Radius# 
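
The fail-versus-unavailable rule above, modelled for the method list "group radius local". This is an added example, not part of the original lab guide; the function names are hypothetical, the accounts are the two used in this lab, and treating "local" as a method that always answers is a simplifying assumption.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"    # the method answered and accepted the credentials
    FAIL = "fail"    # the method answered and rejected the credentials
    ERROR = "error"  # the method gave no answer (server down or unreachable)


# Accounts used in this lab.
SERVER_USERS = {"admin": "admin123"}    # created on the RADIUS server
LOCAL_USERS = {"ashish": "ashish123"}   # 'username ashish password ashish123'


def radius_method(server_up, server_users):
    """Build the 'group radius' method; an unreachable server yields ERROR."""
    def check(username, password):
        if not server_up:
            return Result.ERROR
        ok = server_users.get(username) == password
        return Result.PASS if ok else Result.FAIL
    return ("group radius", check)


def local_method(local_users):
    """Build the 'local' method (assumed here to always give an answer)."""
    def check(username, password):
        ok = local_users.get(username) == password
        return Result.PASS if ok else Result.FAIL
    return ("local", check)


def authenticate(method_list, username, password):
    """Walk the list in order; only ERROR moves on to the next method.

    Returns (granted, method_that_decided, methods_tried).
    """
    tried = []
    for name, check in method_list:
        tried.append(name)
        result = check(username, password)
        if result is Result.PASS:
            return True, name, tried
        if result is Result.FAIL:
            return False, name, tried   # a reject is final: no fallback
    return False, None, tried           # every method was unavailable


def lab_outcomes():
    """Both lab accounts, tried with the server reachable and unreachable."""
    outcomes = {}
    for server_up in (True, False):
        methods = [radius_method(server_up, SERVER_USERS),
                   local_method(LOCAL_USERS)]
        for user, password in (("admin", "admin123"), ("ashish", "ashish123")):
            outcomes[(server_up, user)] = authenticate(methods, user, password)
    return outcomes


if __name__ == "__main__":
    for (server_up, user), outcome in lab_outcomes().items():
        state = "server up" if server_up else "server down"
        print(f"{state:11} {user:7} -> {outcome}")
```

With the server reachable, ashish is rejected by RADIUS and the local database is never consulted; the local account only works while the server gives no answer, so it is a standing credential for exactly that situation.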
 
OR, TACACS+ Configuration 
 
 
Router#conf t 
Enter configuration commands, one per line. End with CNTL/Z. 
Router(config)#hostname Tacacs 
Tacacs(config)#interface fastEthernet 0/0 
Tacacs(config-if)#ip address 192.168.10.2 255.255.255.0 
Tacacs(config-if)#no shutdown 
 
Tacacs(config-if)#exit 
 
Tacacs(config)#aaa new-model 
Tacacs(config)#aaa authentication login default group tacacs+ local 
Tacacs(config)#tacacs-server host 192.168.10.4 key 8888 
 
Tacacs(config)#enable secret cisco123 
Tacacs(config)#line vty 0 4 
Tacacs(config-line)#login authentication default 
Tacacs(config-line)#login 
AAA is enabled. Command not supported. Use an aaa authentication methodlist 
Tacacs(config-line)#exit 
Tacacs(config)#username ashish password ashish123 
 
 
C:\>telnet 192.168.10.2 
 
Trying 192.168.10.2 ...Open 
 
User Access Verification 
 
Username: admin 
 
Password: 
Tacacs>en 
Password: 
Tacacs# 
 
LAB 43: Syslog Server 
 
Cisco devices use the syslog protocol to manage system logs and alerts. A syslog server collects 
all the logs in a central location, and we can then use these logs for troubleshooting 
devices. 

Eight levels of log messages are generated; these are called severity levels. A lower severity 
level is more critical. 
 
 
 
Message Logging Level Keywords 

Level Keyword    Level   Description                         Syslog Definition 
emergencies      0       System unstable                     LOG_EMERG 
alerts           1       Immediate action needed             LOG_ALERT 
critical         2       Critical conditions                 LOG_CRIT 
errors           3       Error conditions                    LOG_ERR 
warnings         4       Warning conditions                  LOG_WARNING 
notifications    5       Normal but significant condition    LOG_NOTICE 
informational    6       Informational messages only         LOG_INFO 
debugging        7       Debugging messages                  LOG_DEBUG 

The software generates four other categories of messages: 

• Error messages about software or hardware malfunctions, displayed at levels warnings 
through emergencies: these types of messages mean that the functionality of the 
access point is affected. 
• Output from the debug commands, displayed at the debugging level: debug 
commands are typically used only by the Technical Assistance Center (TAC). 
• Interface up or down transitions and system restart messages, displayed at the 
notifications level: this message is only for information; access point functionality is 
not affected. 
• Reload requests and low-process stack messages, displayed at the informational level: 
this message is only for information; access point functionality is not affected. 
 
Parts of a syslog message 

• Timestamp 
• Log Message Name and Severity Level 
• Message Text 
 
LAB : 
 
 
Router> 
Router>enable 
Router#conf t 
Router(config)#hostname DU 
DU(config)#interface fastEthernet 0/0 
DU(config-if)#ip address 192.168.10.1 255.255.255.0 
DU(config-if)#no shutdown 
 
 
On the syslog server, go to the services and make sure the syslog service is on 
 
 
Syslog configuration on DU Router 
We will use the logging host <syslog server IP address> command to specify the Syslog 
server address on Cisco router. 
DU(config)#logging host 192.168.10.2 
 
Then apply the logging trap <severity level> command to specify the log types and category 
(called severity level). For example, use the debug log (severity level 7). We may use any 
other severity level that we wish to test. 
 
DU(config)#logging trap debugging 
Then we will use the debug ip <protocol> command to enable debugging for a protocol. In 
this case, we will use ICMP protocol. 
 
DU#debug ip icmp 
Ping the router from the PC to generate some ICMP packets to test your configuration. 
C:\>ping 192.168.10.1 
 
Pinging 192.168.10.1 with 32 bytes of data: 
 
Reply from 192.168.10.1: bytes=32 time=1ms TTL=255 
Reply from 192.168.10.1: bytes=32 time<1ms TTL=255 
Reply from 192.168.10.1: bytes=32 time<1ms TTL=255 
Reply from 192.168.10.1: bytes=32 time<1ms TTL=255 
 
C:\> 
Next, move on to Syslog Server console, and examine the output. In the following figure, you 
can see the sample output of the Syslog server. 
 
 
 
We can see the logs collected by Syslog Server for Cisco router. 
 
http://www.kiwisyslog.com/help/syslogv82/index.html?protocol_priority_values.htm
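
What the syslog server receives in this lab, and what a given logging trap level would let through, as an added example that is not part of the original lab guide. The sample lines are constructed; their PRI values assume the messages are sent with syslog facility local7 (23), and the function names are hypothetical.

```python
import re

# Severity keywords from the table above; the list index is the level number.
SEVERITY = ["emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging"]

PRI_RE = re.compile(r"^<(\d{1,3})>")                       # <facility*8 + severity>
CISCO_RE = re.compile(r"%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+):\s*(.*)$")

# Constructed sample datagrams (not captured from the lab).
SAMPLE = [
    "<189>31: *Mar  1 00:01:10.115: %SNMP-5-WARMSTART: SNMP agent on host Router is undergoing a warm start",
    "<187>32: *Mar  1 00:02:41.902: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up",
    "<190>33: *Mar  1 00:03:00.010: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.10.2 started",
    "<191>34: *Mar  1 00:03:05.500: ICMP: echo reply sent, src 192.168.10.1, dst 192.168.10.2",
]


def parse(line):
    """Return a dict describing one received line, or None if it has no severity."""
    record = {"raw": line, "syslog_facility": None, "name": None, "mnemonic": None}
    severity = None
    pri = PRI_RE.match(line)
    if pri:
        value = int(pri.group(1))
        if value > 191:                 # 23 * 8 + 7 is the largest valid PRI
            return None
        record["syslog_facility"], severity = divmod(value, 8)
    cisco = CISCO_RE.search(line)
    if cisco:
        # %NAME-SEVERITY-MNEMONIC: text
        record["name"], record["mnemonic"] = cisco.group(1), cisco.group(3)
        record["text"] = cisco.group(4)
        header_severity = int(cisco.group(2))
        # PRI and message header should agree; keep a mismatch visible.
        record["consistent"] = severity in (None, header_severity)
        severity = header_severity
    else:
        # debug output has no %NAME-SEV-MNEMONIC header; rely on the PRI alone
        record["text"] = PRI_RE.sub("", line).strip()
        record["consistent"] = True
    if severity is None:
        return None
    record["severity"] = severity
    record["keyword"] = SEVERITY[severity]
    return record


def trap_forwards(trap_level, severity):
    """True if 'logging trap <trap_level>' sends a message of this severity."""
    return severity <= SEVERITY.index(trap_level)


def forwarded(lines, trap_level):
    """Parsed records that would reach the server at the given trap level."""
    records = [r for r in map(parse, lines) if r is not None]
    return [r for r in records if trap_forwards(trap_level, r["severity"])]


if __name__ == "__main__":
    for level in ("errors", "notifications", "debugging"):
        kept = forwarded(SAMPLE, level)
        print(level, [f"{r['keyword']}:{r['mnemonic'] or 'debug output'}" for r in kept])
```

Only logging trap debugging, the level used in this lab, lets the debug ip icmp output through; at notifications the server would still see the SNMP and link messages but none of the ICMP debug lines.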
 
LAB 44: SNMPv3 
 
Simple Network Management Protocol (SNMP) is an application-layer protocol. 

SNMP is used for network monitoring and management. The network devices send information 
to the NMS server, which plots graphs that allow the CPU, memory, I/O… to be analysed. 
 
It is made up of 3 parts: the SNMP manager, the SNMP agent and the Management Information Base 
(MIB). 

• The SNMP manager is the software that is running on a PC or server that will monitor 
the network devices. 
• The SNMP agent runs on the network device. 
• The database is called the MIB (Management Information Base), and 
an object could be the interface status on the router (up or down) or perhaps the CPU 
load at a certain moment. An object in the MIB is called an OID (Object Identifier). 

Configure SNMP 
 
Enable SNMP on Router 
 
Router#conf t 
Enter configuration commands, one per line. End with CNTL/Z. 
Router(config)#interface fastEthernet 0/0 
Router(config-if)#ip address 192.168.10.1 255.255.255.0 
http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol
 
Router(config-if)#no shutdown 
Router(config-if)#exit 
Router(config)#snmp-server community V1 ro 
%SNMP-5-WARMSTART: SNMP agent on host Router is undergoing a warm start 
Router(config)#snmp-server community V1rw rw 
Router(config)#exit 
Router# 
 
Here, 
 
Read Community: V1, taken from the read-only (ro) community name. 
Write Community: V1rw, the name of the read and write (rw) community. 
 
Testing SNMP from a PC 
 
Click on PC0 and click Desktop tab, then open MIB Browser 
 
 
 
Now go to Advanced tab and enter the following Information: 
 
Address: 192.168.10.1 
Read Community: V1 
Write Community: V1rw 
SNMP Version, select V3 and click OK. 
 
 
 
Now, on the MIB browser page, expand the MIB tree to system, select each value, then hit the 
GO button to display the exact information on Router0. 
 
LAB 45: Password Recovery 
 
Method 1 
 
1. Shut the router down. 
2. Remove the compact flash from the back of the router. 
3. Turn the router back on. 
4. When you see the Rommon1> prompt, enter the command confreg 0x2142 
5. Insert the compact flash. 
6. Type reset. 
7. When prompted to enter the initial configuration, type no and press enter. 
8. At the router> prompt, type enable 
9. At the Router# prompt, enter the configure memory command, and press Enter in 
order to copy the startup configuration to the running configuration. 
10. Use the config t command in order to enter global configuration mode. 
 
11. Use this command in order to create a new user name and password: 
router(config)#username cisco123 privilege 15 password cisco123 
12. Use this command in order to change the boot statement: 
config-register 0x2102 
13. Use this command in order to save the configuration: 
write memory 
14. Reload the router, and then use your new user name and password to log in to the 
router. 
 
Method 2 
 
1. Connect a terminal or PC with terminal emulation to the console port of the router 
and ensure you have the correct terminal settings. They include no flow control, 1 
stop bit, 8 data bits, no parity and 9600 baud rate. 
2. If you are able to access the router, enter in show version at the prompt screen, and 
document the configuration register setting. 
3. Next, turn off the router and wait about 5 seconds and turn it back on. 
4. Press break on the terminal keyboard within 1 minute of power up in order to put the 
router into ROMmon. 
5. Enter confreg 0x2142 at the rommon 1> prompt in order to boot from Flash. 
6. Type reset at the rommon 2> prompt. 
7. Type no after each setup question or press Ctrl+C to bypass all questions. 
8. Type enable at the Router> prompt 
9. Type configure memory or copy startup-config running-config in order to copy 
NVRAM into memory. 
10. Type show running-config 
11. Type configure terminal 
12. Type enable secret <enter in a password that you will remember> in order to change 
the enable secret password. 
13. Issue the no shutdown command on every single interface that you use. 
14. Type config-register . This typically is 0x2102. 
15. Press Ctrl-z or end to leave config mode. 
16. Type write memory or copy running-config startup-config to commit the 
modifications 
 
 
 
LAB 46 : PROJECT 1 
 
 
 
1. VLAN Information 
 
Switch    VLAN ID   VLAN Name    IP                Ports 
DENVER    10        Cisco        172.16.10.0/24    F0/1-9 
          20        Solaris      172.16.20.0/24    F0/10 - 15 
          99        MGT          10.10.10.10/24    F0/24 
TORONTO   30        Admin        172.16.30.0/24    F0/1 - 9 
          40        Accounts     172.16.40.0/24    F0/10 - 15 
          88        Management   11.11.11.11/24    F0/24 
 
2. Router Information 
 
Router Name   Interface                 IP Address        Description 
LAN           F0/0 (.1)                 192.168.10.0/24   To GWY Router 
              F0/1.10 (Sub interface)   172.16.10.1/24    To VLAN 10 
              F0/1.20 (Sub interface)   172.16.20.1/24    To VLAN 20 
              F0/1.99 (Sub interface)   10.10.10.10/24    To VLAN 99 (MGT) 
GWY           F0/0 (.2)                 192.168.20.0/24   To LAN Router 
              F0/1.30 (Sub interface)   172.16.30.1/24    To VLAN 30 
              F0/1.40 (Sub interface)   172.16.40.1/24    To VLAN 40 
              F0/1.88 (Sub interface)   11.11.11.11/24    To VLAN 88 (Management) 
              F1/0 (.1)                 192.168.30.0/24   To ISP Router 
ISP           F0/0 (.2)                 192.168.30.0/24   To GWY Router 
              F0/1 (.1)                 172.16.50.0/24    To LAN Switch 
 
2. DENVER 
 a. hostname, enable password, telnet access & VLAN configuration 
 b. Management VLAN Configuration 
 
3. Router : LAN 
 a. Interface, hostname, enable password, telnet access configuration 
 b. Inter-Vlan Routing Configuration 
4. TORONTO 
 a. Hostname, enable password, telnet access configuration , VLAN & Access Port configuration 
 b. Management VLAN Configuration 
 
5. Router : GWY 
 a. Interface, hostname, enable password, telnet access configuration 
 b. Inter-Vlan Routing Configuration 
6. EIGRP Configuration on LAN and GWY Router only 
7. Router ISP 
 a. Interface, hostname, enable password, telnet access configuration 
 b. static route to LAN router 
8. GWY 
 Static default route to ISP 
9. Redistribute static route into EIGRP 
10. ACL Configuration 
 Condition: for Internet hosts, the following services are disabled toward the Inside, but the HTTP 
 service is enabled 
 a. Telnet, FTP, SMTP, SSH, ping 
11. Static NAT Configuration 
 condition : only Inside HTTP Server's private IP is translated to public IP : 103.13.148.20 
 
12. Configure Inside Server as a HTTP Server 
13. Verification 
Configuration 
 
DENVER 
Hostname, enable password, telnet access configuration , VLAN & Access Port configuration 
================================================================================ 
 
Switch(config)#hostname DENVER 
DENVER(config)#enable secret cisco 
DENVER(config)#username admin password admin123 
DENVER(config)#line vty 0 4 
DENVER(config-line)#login local 
DENVER(config-line)#exit 
DENVER(config)# 
DENVER(config)#vlan 10 
DENVER(config-vlan)#name cisco 
DENVER(config-vlan)#exit 
DENVER(config)#vlan 20 
DENVER(config-vlan)#name solaris 
DENVER(config-vlan)#exit 
DENVER(config)#interface range fastEthernet 0/1 - 9 
DENVER(config-if-range)#switchport mode access 
DENVER(config-if-range)#switchport access vlan 10 
DENVER(config-if-range)#exit 
DENVER(config)#interface range fastEthernet 0/10 - 15 
DENVER(config-if-range)#switchport mode access 
DENVER(config-if-range)#switchport access vlan 20 
DENVER(config-if-range)#exit 
 
Management VLAN Configuration 
============================= 
 
DENVER(config)#vlan 99 
DENVER(config-vlan)#name MGT 
DENVER(config-vlan)#exit 
DENVER(config)#interface fastEthernet 0/24 
DENVER(config-if)#switchport access vlan 99 
DENVER(config-if)#exit 
DENVER(config)#interface vlan 99 
DENVER(config-if)#ip address 10.10.10.10 255.255.255.0 
DENVER(config-if)#no shutdown 
 
 
Router : LAN 
============= 
 
Interface, hostname, enable password, telnet access configuration 
========================================================= 
 
Router(config)#hostname LAN 
LAN(config)#interface fastEthernet 0/1 
LAN(config-if)#no shutdown 
LAN(config-if)#exit 
LAN(config)#interface fastEthernet 0/0 
LAN(config-if)#ip address 192.168.10.1 255.255.255.0 
LAN(config-if)#no shutdown 
LAN(config-if)#exit 
LAN(config)#enable password cisco 
LAN(config)#username admin password admin123 
LAN(config)#line vty 0 4 
LAN(config-line)#login local 
LAN(config-line)#exit 
 
Inter-Vlan Routing Configuration 
========================== 
 
LAN(config)#interface fastEthernet 0/1.10 
LAN(config-subif)#encapsulation dot1Q 10 
LAN(config-subif)#ip address 172.16.10.1 255.255.255.0 
LAN(config-subif)#no shutdown 
LAN(config-subif)#exit 
LAN(config)#interface fastEthernet 0/1.20 
LAN(config-subif)#encapsulation dot1Q 20 
LAN(config-subif)#ip address 172.16.20.1 255.255.255.0 
LAN(config-subif)#no shutdown 
LAN(config-subif)#exit 
LAN(config)#interface fastEthernet 0/1.99 
LAN(config-subif)#encapsulation dot1Q 99 
LAN(config-subif)#ip address 10.10.10.10 255.255.255.0 
LAN(config-subif)#no shutdown 
LAN(config-subif)#exit 
LAN(config)# 
 
DENVER 
======== 
 
DENVER(config)#interface fastEthernet 0/24 
DENVER(config-if)#switchport mode trunk 
DENVER(config-if)#no shutdown 
DENVER(config-if)#exit 
 
 
IP Assign to Hosts 
============== 
 
 
 
 
 
 
Verification 
========== 
 
Ping : VLAN 10 host to VLAN 20 host 
 
C:\>ping 172.16.20.2 
 
Pinging 172.16.20.2 with 32 bytes of data: 
 
Reply from 172.16.20.2: bytes=32 time<1ms TTL=127 
Reply from 172.16.20.2: bytes=32 time<1ms TTL=127 
Reply from 172.16.20.2: bytes=32 time=4ms TTL=127 
Reply from 172.16.20.2: bytes=32 time<1ms TTL=127 
 
LAN>en 
Password: 
LAN#ping 10.10.10.10 
 
 
Type escape sequence to abort. 
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds: 
!!!!! 
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/11 ms 
 
LAN#telnet 10.10.10.10 
Trying 10.10.10.10 ...Open 
 
User Access Verification 
Username: admin 
Password: 
LAN> 
 
TORONTO 
Hostname, enable password, telnet access configuration , VLAN & Access Port configuration 
================================================================================ 
 
Switch#conf t 
Switch(config)#hostname TORONTO 
TORONTO(config)#enable secret cisco 
TORONTO(config)#username admin password admin123 
TORONTO(config)#line vty 0 4 
TORONTO(config-line)#login local 
TORONTO(config-line)#exit 
TORONTO(config)#vlan 30 
TORONTO(config-vlan)#name admin 
TORONTO(config-vlan)#exit 
TORONTO(config)#vlan 40 
TORONTO(config-vlan)#name Accounts 
TORONTO(config-vlan)#exit 
TORONTO(config)#interface range fastEthernet 0/1 - 9 
TORONTO(config-if-range)#switchport mode access 
TORONTO(config-if-range)#switchport access vlan 30 
TORONTO(config-if-range)#exit 
TORONTO(config)#interface range fastEthernet 0/10 - 15 
TORONTO(config-if-range)#switchport mode access 
TORONTO(config-if-range)#switchport access vlan 40 
TORONTO(config-if-range)#exit 
TORONTO(config)# 
 
Management VLAN Configuration 
============================= 
 
TORONTO(config)#vlan 88 
TORONTO(config-vlan)#name Management 
TORONTO(config-vlan)#exit 
TORONTO(config)#interface fastEthernet 0/24 
 
TORONTO(config-if)#switchport access vlan 88 
TORONTO(config-if)#exit 
TORONTO(config)#interface vlan 88 
TORONTO(config-if)#ip address 11.11.11.11 255.255.255.0 
TORONTO(config-if)#no shutdown 
TORONTO(config-if)#exit 
TORONTO(config)# 
 
 
Router : GWY 
============= 
 
Interface, hostname, enable password, telnet access configuration 
========================================================= 
 
Router(config)#hostname GWY 
GWY(config)#interface fastEthernet 0/0 
GWY(config-if)#ip address 192.168.10.2 255.255.255.0 
GWY(config-if)#no shutdown 
GWY(config-if)#exit 
GWY(config)#interface fastEthernet 1/0 
GWY(config-if)#ip address 192.168.20.1 255.255.255.0 
GWY(config-if)#no shutdown 
GWY(config-if)#exit 
GWY(config)#enable secret cisco 
GWY(config)#username admin password admin123 
GWY(config)#line vty 0 4 
GWY(config-line)#login local 
GWY(config-line)#exit 
GWY(config)# 
 
Inter-Vlan Routing Configuration 
========================== 
 
GWY(config)#interface fastEthernet 0/1 
GWY(config-if)#no shutdown 
GWY(config-if)#exit 
GWY(config)#interface fastEthernet 0/1.30 
GWY(config-subif)#encapsulation dot1Q 30 
GWY(config-subif)#ip address 172.16.30.1 255.255.255.0 
GWY(config-subif)#no shutdown 
GWY(config-subif)#exit 
GWY(config)#interface fastEthernet 0/1.40 
GWY(config-subif)#encapsulation dot1Q 40 
GWY(config-subif)#ip address 172.16.40.1 255.255.255.0 
GWY(config-subif)#no shutdown 
GWY(config-subif)#exit 
GWY(config)#interface fastEthernet 0/1.88 
 
GWY(config-subif)#encapsulation dot1Q 88 
GWY(config-subif)#ip address 11.11.11.11 255.255.255.0 
GWY(config-subif)#no shutdown 
 
TORONTO 
=========== 
 
TORONTO(config)#interface fastEthernet 0/24 
TORONTO(config-if)#switchport mode trunk 
 
IP Assign to Hosts 
============== 
 
 
 
 
Verification 
=========== 
 
C:\>ping 172.16.40.2 
 
Reply from 172.16.40.2: bytes=32 time<1ms TTL=127 
Reply from 172.16.40.2: bytes=32 time<1ms TTL=127 
Reply from 172.16.40.2: bytes=32 time<1ms TTL=127 
Reply from 172.16.40.2: bytes=32 time<1ms TTL=127 
 
GWY#ping 11.11.11.11 
 
Type escape sequence to abort. 
Sending 5, 100-byte ICMP Echos to 11.11.11.11, timeout is 2 seconds: 
 
!!!!! 
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/7 ms 
GWY#telnet 11.11.11.11 
Trying 11.11.11.11 ...Open 
 
User Access Verification 
Username: admin 
 
Password: 
GWY> 
 
 
EIGRP Configuration on LAN and GWY Router only (except GWY to ISP) 
========================================================= 
 
LAN#conf t 
LAN(config)#router eigrp 10 
LAN(config-router)#network 172.16.10.0 
LAN(config-router)#network 172.16.20.0 
LAN(config-router)#network 10.10.10.0 
LAN(config-router)#network 192.168.10.0 
LAN(config-router)#no auto-summary 
 
GWY(config)#router eigrp 10 
GWY(config-router)#network 172.16.30.0 
GWY(config-router)#network 172.16.40.0 
GWY(config-router)#network 11.11.11.0 
GWY(config-router)#network 192.168.10.0 
GWY(config-router)# 
%DUAL-5-NBRCHANGE: IP-EIGRP 10: Neighbor 192.168.10.1 (FastEthernet0/0) is up: new 
adjacency 
GWY(config-router)#no auto-summary 
 
Verification EIGRP 
 
 
 
Ping: Server PC to host on the Toronto 
C:\>ping 172.16.30.2 
 
Pinging 172.16.30.2 with 32 bytes of data: 
 
Reply from 172.16.30.2: bytes=32 time=11ms TTL=126 
Reply from 172.16.30.2: bytes=32 time<1ms TTL=126 
Reply from 172.16.30.2: bytes=32 time=11ms TTL=126 
Reply from 172.16.30.2: bytes=32 time=12ms TTL=126 
 
C:\>ping 172.16.40.2 
 
Pinging 172.16.40.2 with 32 bytes of data: 
 
Reply from 172.16.40.2: bytes=32 time<1ms TTL=126 
Reply from 172.16.40.2: bytes=32 time=1ms TTL=126 
Reply from 172.16.40.2: bytes=32 time=12ms TTL=126 
Reply from 172.16.40.2: bytes=32 time=12ms TTL=126 
 
Telnet to DENVER switch from GWY 
============================= 
 
GWY#telnet 10.10.10.10 
Trying 10.10.10.10 ...Open 
 
User Access Verification 
Username: admin 
Password: 
LAN> 
7. Router ISP 
a. Interface, hostname, enable password, telnet access configuration 
============================================================ 
 
Router(config)#hostname ISP 
ISP(config)#interface fastEthernet 0/0 
ISP(config-if)#ip address 192.168.20.2 255.255.255.0 
 
ISP(config-if)#no shutdown 
ISP(config-if)#exit 
ISP(config)#do ping 192.168.20.1 
 
Type escape sequence to abort. 
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds: 
.!!!! 
Success rate is 80 percent (4/5), round-trip min/avg/max = 0/0/0 ms 
 
ISP(config)#enable secret cisco 
ISP(config)#username admin password admin123 
ISP(config)#line vty 0 4 
ISP(config-line)#login local 
ISP(config-line)#exit 
ISP(config)#interface fastEthernet 0/1 
ISP(config-if)#no shutdown 
ISP(config-if)#ip address 192.168.30.1 255.255.255.0 
ISP(config-if)#no shutdown 
ISP(config-if)#exit 
 
b. static route to LAN router 
======================== 
 
ISP(config)#ip route 172.16.40.0 255.255.255.0 192.168.20.1 
ISP(config)#ip route 172.16.30.0 255.255.255.0 192.168.20.1 
ISP(config)#ip route 172.16.20.0 255.255.255.0 192.168.20.1 
ISP(config)#ip route 172.16.10.0 255.255.255.0 192.168.20.1 
ISP(config)#ip route 10.10.10.0 255.255.255.0 192.168.20.1 

8. GWY 
Static default route to ISP 

GWY(config)#ip route 0.0.0.0 0.0.0.0 192.168.20.2 

9. Redistribute static route into EIGRP on router GWY 

GWY(config)#router eigrp 10 
GWY(config-router)#redistribute static 
GWY(config-router)#redistribute connected 

Verification 
ISP#ping 172.16.20.2 
 
Type escape sequence to abort. 
Sending 5, 100-byte ICMP Echos to 172.16.20.2, timeout is 2 seconds: 
!!!!! 
 
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/6/12 ms 
 
ISP#ping 10.10.10.10 
 
Type escape sequence to abort. 
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds: 
!!!!! 
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/2 ms 
 
ISP#telnet 10.10.10.10 
Trying 10.10.10.10 ...Open 
 
User Access Verification 
 
Username: admin 
 
Password: 
LAN> 
Assign IP address to outside PC 
 
 
Verification 
C:\>ping 192.168.30.1 
 
Pinging 192.168.30.1 with 32 bytes of data: 
 
Reply from 192.168.30.1: bytes=32 time=2ms TTL=255 
Reply from 192.168.30.1: bytes=32 time=1ms TTL=255 
Reply from 192.168.30.1: bytes=32 time<1ms TTL=255 
Reply from 192.168.30.1: bytes=32 time=1ms TTL=255 
 
C:\>ping 172.16.10.2 
 
 
Pinging 172.16.10.2 with 32 bytes of data: 
 
Reply from 172.16.10.2: bytes=32 time=11ms TTL=125 
Reply from 172.16.10.2: bytes=32 time=11ms TTL=125 
Reply from 172.16.10.2: bytes=32 time=11ms TTL=125 
Reply from 172.16.10.2: bytes=32 time=12ms TTL=125 
 
C:\> 
 
10. ACL Configuration 
Condition: for Internet hosts, the following services are disabled toward the Inside, but the HTTP service is enabled 
 a. Telnet, FTP, SMTP, SSH, ping 
GWY(config)#access-list 101 deny tcp host 192.168.30.2 any eq telnet 
GWY(config)#access-list 101 deny tcp host 192.168.30.2 any eq ftp 
GWY(config)#access-list 101 deny tcp host 192.168.30.2 any eq smtp 
GWY(config)#access-list 101 deny tcp host 192.168.30.2 any eq pop3 
GWY(config)#access-list 101 deny tcp host 192.168.30.2 any eq 22 
GWY(config)#access-list 101 deny icmp host 192.168.30.2 any echo 
GWY(config)#access-list 101 deny icmp any host 192.168.30.2 echo-reply 
GWY(config)#access-list 101 permit ip any any 
GWY(config)#interface fastEthernet 1/0 
GWY(config-if)#ip access-group 101 in 
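
A first-match evaluation of access-list 101 as entered above, useful for checking what the list permits before it is applied to the interface. This is an added example, not part of the original lab guide; it parses only the syntax these eight entries use, the function names are hypothetical, and 192.168.30.3 is a constructed second outside address.

```python
import ipaddress

PORTS = {"ftp": 21, "telnet": 23, "smtp": 25, "pop3": 110}
ICMP_TYPES = {"echo-reply": 0, "echo": 8}

# The eight entries of access-list 101 as entered on GWY above.
ACL_101 = """
access-list 101 deny tcp host 192.168.30.2 any eq telnet
access-list 101 deny tcp host 192.168.30.2 any eq ftp
access-list 101 deny tcp host 192.168.30.2 any eq smtp
access-list 101 deny tcp host 192.168.30.2 any eq pop3
access-list 101 deny tcp host 192.168.30.2 any eq 22
access-list 101 deny icmp host 192.168.30.2 any echo
access-list 101 deny icmp any host 192.168.30.2 echo-reply
access-list 101 permit ip any any
"""


def _take_address(tokens):
    """Consume 'any' or 'host A.B.C.D' from the token list."""
    word = tokens.pop(0)
    if word == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if word == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    raise ValueError(f"unsupported address form: {word}")


def parse_acl(text):
    """Turn 'access-list N action proto src dst [qualifier]' lines into dicts."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens[2], tokens[3]
        rest = tokens[4:]
        src = _take_address(rest)
        dst = _take_address(rest)
        port = icmp_type = None
        if rest and rest[0] == "eq":            # destination port, name or number
            port = PORTS.get(rest[1]) or int(rest[1])
        elif rest and proto == "icmp":          # ICMP message type keyword
            icmp_type = ICMP_TYPES[rest[0]]
        entries.append({"action": action, "proto": proto, "src": src, "dst": dst,
                        "port": port, "icmp_type": icmp_type, "line": line})
    return entries


def evaluate(entries, proto, src, dst, dport=None, icmp_type=None):
    """Return (action, matching line); the first matching entry decides."""
    source, dest = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in entries:
        if entry["proto"] not in ("ip", proto):
            continue
        if source not in entry["src"] or dest not in entry["dst"]:
            continue
        if entry["port"] is not None and entry["port"] != dport:
            continue
        if entry["icmp_type"] is not None and entry["icmp_type"] != icmp_type:
            continue
        return entry["action"], entry["line"]
    return "deny", "implicit deny ip any any"   # end of every IOS access list


def lab_checks():
    """Packets arriving inbound on GWY fastEthernet 1/0, checked against ACL 101."""
    acl = parse_acl(ACL_101)
    server = "172.16.10.2"
    return {
        "telnet from 192.168.30.2": evaluate(acl, "tcp", "192.168.30.2", server, dport=23)[0],
        "ssh from 192.168.30.2": evaluate(acl, "tcp", "192.168.30.2", server, dport=22)[0],
        "http from 192.168.30.2": evaluate(acl, "tcp", "192.168.30.2", server, dport=80)[0],
        "ping from 192.168.30.2": evaluate(acl, "icmp", "192.168.30.2", server, icmp_type=8)[0],
        "telnet from 192.168.30.3": evaluate(acl, "tcp", "192.168.30.3", server, dport=23)[0],
    }


if __name__ == "__main__":
    for description, action in lab_checks().items():
        print(f"{description:26} {action}")
```

The deny entries name host 192.168.30.2, the one outside PC in this topology, so traffic from any other outside source falls through to permit ip any any; where the condition is meant to cover all Internet hosts, the source of the deny entries is the part to review.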
 
 
 
11. Static NAT Configuration 
 condition : only Inside HTTP Server's private IP is translated to public IP : 103.13.148.20 
ISP(config)#ip route 103.13.148.20 255.255.255.255 192.168.20.1 
 
GWY(config)#interface fastEthernet 1/0 
GWY(config-if)#ip nat outside 
GWY(config-if)#exit 
GWY(config)#interface fastEthernet 0/0 
GWY(config-if)#ip nat inside 
GWY(config-if)#exit 
GWY(config)#ip nat inside source static 172.16.10.2 103.13.148.20 
GWY(config)# 
 
 
 
 
 
IPV6 Address 
 
IPv6 uses 128-bit addresses, which means that for each person on the Earth there are 
48,000,000,000,000,000,000,000,000,000 addresses! 

Advantages: 
• Enhanced security 
• Header improvements 
• No need for NAT 
• Stateless address autoconfiguration 
 
IPv6 uses eight groups of four hexadecimal digits separated by colons. For example, this is a 
valid IPv6 address: 
 
1234:4523:EDBA:0A01:0056:5054:5ABC:ABBD 
 
IPv6 address shortening 
 
1. Leading zeros in a group can be omitted 

1240:0023:CCBA:0A01:0065:5054:9ABC:ABB4 
becomes 
1240:23:CCBA:A01:65:5054:9ABC:ABB4 

2. A string of zeros can be represented as two colons (::) 

1240:0000:0000:0000:0456:0000:CCCB:11DC 
can be written as 
1240::456:0000:CCCB:11DC (but this can be done only one time in an address) 

Here the remaining 0000 can be written as a single zero, not as a second :: 
1240::456:0:CCCB:11DC 
 
Three categories of IPv6 addresses exist: 
• Unicast 
• Anycast 
• Multicast 
 
There are three types of IPv6 unicast addresses: 

global unicast – similar to IPv4 public IP addresses. These addresses are assigned by the IANA 
and used on public networks. They have a prefix of 2000::/3, meaning all the addresses that 
begin with binary 001. 

unique local – similar to IPv4 private addresses. They are used in private networks and aren’t 
routable on the Internet. These addresses have a prefix of FD00::/8. 

link local – these addresses are used for sending packets over the local subnet. Routers do not 
forward packets with these addresses to other subnets. IPv6 requires a link-local address to be 
assigned to every network interface on which the IPv6 protocol is enabled. These addresses 
have a prefix of FE80::/10. 

Loopback Address ::1/128 
Unspecified Address ::/0 
 
IPv6 multicast addresses 
 
Multicast addresses in IPv6 are similar to multicast addresses in IPv4. They are used to 
communicate with dynamic groupings of hosts, for example all routers on the link (“one-to-
many distribution”). 
 
IPv6 multicast addresses start with FF00::/8 
 
Here is a table of some of the most common link local multicast addresses: 
 
 
 
Here is a summary of the most common address prefixes in IPv6: 
 
 
 
 
IPv6 transition options 
 
IPv4 and IPv6 networks are not interoperable, and the number of devices that use IPv4 
is still great. Some of these devices do not support IPv6 at all, so a migration process is 
necessary, since IPv4 and IPv6 will likely coexist for some time. 

Many transition mechanisms have been proposed. We will introduce the main ones and 
describe them in the next sections: 
 
1. IPv4/IPv6 Dual Stacks 
2. NAT64 
3. Tunneling 
 
IPv6 supports the following routing protocols: 

• RIPng (RIP New Generation) 
• OSPFv3 
• EIGRP for IPv6 
• IS-IS for IPv6 
• MP-BGP4 (Multiprotocol BGP-4) 
 
The following table summarizes the major differences between IPv4 and IPv6: 
 
 
 
LAB 47: Configure IPv6 
 
 
Cisco routers do not have IPv6 routing enabled by default. To configure IPv6 on a Cisco router 
you need to do two things: 
 
1. Apply the "ipv6 unicast-routing" command in global configuration mode. 
2. Assign an IPv6 address to the interface. There are different methods; we will describe the 
following ones here: 
 
 
 With eui-64 parameter 
 Manually Assigned 
 Link-local Addressing 
 
eui-64 Parameter 
 
BASIC Configuration 
 
DU#conf t 
Enter configuration commands, one per line. End with CNTL/Z. 
DU(config)#ipv6 unicast-routing 
DU(config)#interface fastEthernet 0/0 
DU(config-if)#ipv6 address 2001:0BB9:AABB:1234::/64 eui-64 
DU(config-if)#no shutdown 
DU(config-if)#end 
 
BUET>en 
BUET#conf t 
Enter configuration commands, one per line. End with CNTL/Z. 
BUET(config)#ipv6 unicast-routing 
BUET(config)#interface fastEthernet 0/0 
BUET(config-if)#ipv6 address 2001:0BB9:AABB:1234::/64 eui-64 
BUET(config-if)#no shutdown 
BUET(config-if)#end 
 
Verification 
DU#show ipv6 interface fastEthernet 0/0 
 
FastEthernet0/0 is up, line protocol is up 
IPv6 is enabled, link-local address is FE80::2E0:8FFF:FED5:BD01 
No Virtual link-local address(es): 
Global unicast address(es): 
2001:BB9:AABB:1234:2E0:8FFF:FED5:BD01, subnet is 2001:BB9:AABB:1234::/64 
[EUI] 
Joined group address(es): 
 
 
DU#show ipv6 route 
 
IPv6 Routing Table - 3 entries 
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP 
U - Per-user Static route, M - MIPv6 
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary 
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2 
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2 
D - EIGRP, EX - EIGRP external 
C 2001:BB9:AABB:1234::/64 [0/0] 
via ::, FastEthernet0/0 
L 2001:BB9:AABB:1234:2E0:8FFF:FED5:BD01/128 [0/0] 
via ::, FastEthernet0/0 
L FF00::/8 [0/0] 
via ::, Null0 
DU# 
 
 
BUET#show ipv6 interface fastEthernet 0/0 
 
FastEthernet0/0 is up, line protocol is up 
IPv6 is enabled, link-local address is FE80::202:4AFF:FEA8:2D01 
No Virtual link-local address(es): 
Global unicast address(es): 
2001:BB9:AABB:1234:202:4AFF:FEA8:2D01, subnet is 2001:BB9:AABB:1234::/64 
[EUI] 
Joined group address(es): 
FF02::1 
FF02::2 
FF02::1:FFA8:2D01 
 
Ping from BUET to DU 
 
BUET#ping ipv6 2001:BB9:AABB:1234:2E0:8FFF:FED5:BD01 
 
Type escape sequence to abort. 
Sending 5, 100-byte ICMP Echos to 2001:BB9:AABB:1234:2E0:8FFF:FED5:BD01, 
timeout is 2 seconds: 
!!!!! 
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/4/24 ms 
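
The eui-64 derivation behind the addresses in the output above, as an added Python example (not part of the lab guide): it builds the interface ID from a MAC address, reverses the step to show that an EUI-64 address discloses the interface's MAC, and computes the solicited-node group the router joins. The MAC 00E0.8FD5.BD01 is inferred from DU's output, and the function names are this example's own.

```python
import ipaddress

def eui64_interface_id(mac):
    """Modified EUI-64 (RFC 4291): split the MAC, insert FFFE, flip the U/L bit."""
    digits = "".join(ch for ch in mac if ch not in ".:-")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = bytearray.fromhex(digits)
    octets[0] ^= 0x02                      # universal/local bit
    return int.from_bytes(octets[:3] + b"\xff\xfe" + octets[3:], "big")

def eui64_address(prefix, mac):
    """Combine a /64 prefix with the EUI-64 interface ID (this example handles /64 only)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("this example expects a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))

def embedded_mac(address):
    """MAC recoverable from an EUI-64 address, or None if the interface ID is not EUI-64."""
    iid = (int(ipaddress.IPv6Address(address)) & (2**64 - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02                         # undo the U/L bit flip
    return ":".join(f"{octet:02x}" for octet in mac)

def solicited_node(address):
    """Solicited-node multicast group: ff02::1:ff00:0/104 plus the low 24 address bits."""
    low24 = int(ipaddress.IPv6Address(address)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)

if __name__ == "__main__":
    # Prefix and addresses come from the lab output; the MAC is inferred from them.
    du = eui64_address("2001:0BB9:AABB:1234::/64", "00E0.8FD5.BD01")
    print("DU global address :", du)
    print("MAC it discloses  :", embedded_mac(str(du)))
    print("BUET solicited-node:", solicited_node("2001:BB9:AABB:1234:202:4AFF:FEA8:2D01"))
    print("manual ::1 address :", embedded_mac("2001:AD8:23:45::1"))
```

The same interface ID appears in the link-local and the global address, which is why both DU addresses above end in 2E0:8FFF:FED5:BD01.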
 
 
Manually Assigned and Link-local Addressing 
 
Router>en 
Router#conf t 
Enter configuration commands, one per line. End with CNTL/Z. 
Router(config)#hostname APECE 
APECE(config)#ipv6 unicast-routing 
APECE(config)#interface loopback 1 
APECE(config-if)#ipv6 address 2001::2/128 
APECE(config-if)#exit 
APECE(config)#interface fastEthernet 0/0 
APECE(config-if)#ipv6 enable 
APECE(config-if)#no shutdown 
APECE(config-if)#exit 
 
With the "ipv6 enable" command, the router's interface automatically gets a link-local IPv6 address. 
 
Router#conf t 
Enter configuration commands, one per line. End with CNTL/Z. 
Router(config)#hostname Ashish 
Ashish(config)#ipv6 unicast-routing 
Ashish(config)#interface loopback 1 
Ashish(config-if)#ipv6 address 2001::1/128 
Ashish(config-if)#exit 
Ashish(config)#interface fastEthernet 0/0 
Ashish(config-if)#ipv6 enable 
Ashish(config-if)#no shutdown 
Ashish(config-if)#end 
Ashish# 
 
Ashish#show ipv6 interface brief 
 
 
FastEthernet0/0 [up/up] 
FE80::202:17FF:FE09:E901 (link-local address, obtained with the ipv6 enable command) 
FastEthernet0/1 [administratively down/down] 
Loopback1 [up/up] 
FE80::210:11FF:FE65:7A37 
2001::1 
Vlan1 [administratively down/down] 
Ashish# 
 
APECE#ping ipv6 FE80::202:17FF:FE09:E901 
 
Output Interface: fastethernet0/0 
Type escape sequence to abort. 
Sending 5, 100-byte ICMP Echos to FE80::202:17FF:FE09:E901, timeout is 2 
seconds: 
!!!!! 
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/1 ms 
LAB 48 : Configure IPv6 Static Route 
 
The configuration and syntax are the same as for IPv4 static routing, with only some minor 
differences. 
 
DU Router 
Router>en 
Router#conf t 
 
Enter configuration commands, one per line. End with CNTL/Z. 
Router(config)#hostname DU 
DU(config)#ipv6 unicast-routing 
DU(config)#interface fastEthernet 0/0 
DU(config-if)#ipv6 address 2001:AD8:23:45::1/64 
DU(config-if)#no shutdown 
DU(config-if)#exit 
 
BUET Router 
 
Router>en 
Router#conf t 
Enter configuration commands, one per line. End with CNTL/Z. 
Router(config)#hostname BUET 
BUET(config)#ipv6 unicast-routing 
BUET(config)#interface fastEthernet 0/0 
BUET(config-if)#ipv6 address 2001:AD8:23:45::2/64 
BUET(config-if)#no shutdown 
BUET(config-if)#exit 
BUET#conf t 
Enter configuration commands, one per line. End with CNTL/Z. 
BUET(config)#interface fastEthernet 0/1 
BUET(config-if)#ipv6 address 2001:BD55:1234:DC4::1/64 
BUET(config-if)#no shutdown 
BUET(config-if)#end 
BUET# 
 
Verification 
 
BUET#show ipv6 interface brief 
 
FastEthernet0/0 [up/up] 
FE80::260:3EFF:FEAE:5901 
2001:AD8:23:45::2 
FastEthernet0/1 [administratively down/down] 
Vlan1 [administratively down/down] 
 
BUET# 
 
Verify Connectivity using ping 
 
 
DU#ping ipv6 2001:AD8:23:45::2 
 
Type escape sequence to abort. 
Sending 5, 100-byte ICMP Echos to 2001:AD8:23:45::2, timeout is 2 seconds: 
!!!!! 
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/2 ms 
DU# 
Assign IPv6 Address to host 
 
 
Ping Router BUET from the host 
C:\>ping 2001:BD55:1234:DC4::1 
 
Pinging 2001:BD55:1234:DC4::1 with 32 bytes of data: 
 
Reply from 2001:BD55:1234:DC4::1: bytes=32 time=1ms TTL=255 
Reply from 2001:BD55:1234:DC4::1: bytes=32 time<1ms TTL=255 
Reply from 2001:BD55:1234:DC4::1: bytes=32 time<1ms TTL=255 
Reply from 2001:BD55:1234:DC4::1: bytes=32 time<1ms TTL=255 
Now ping Router DU 
C:\>ping 2001:AD8:23:45::1 
 
Pinging 2001:AD8:23:45::1 with 32 bytes of data: 
 
Request timed out. 
Request timed out. 
Request timed out. 
Request timed out. 
The ping fails, so we need routing. We will configure a static route here. 
 
DU(config)#ipv6 route 2001:BD55:1234:DC4::/64 2001:AD8:23:45::2 
DU(config)#exit 
 
Now ping the host IP 
 
DU#ping ipv6 2001:BD55:1234:DC4::2 
 
Type escape sequence to abort. 
Sending 5, 100-byte ICMP Echos to 2001:BD55:1234:DC4::1, timeout is 2 
seconds: 
!!!!! 
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/1 ms 
DU# 
And ping DU from the host 
C:\>ping 2001:AD8:23:45::1 
Pinging 2001:AD8:23:45::1 with 32 bytes of data: 
Reply from 2001:AD8:23:45::1: bytes=32 time=2ms TTL=254 
Reply from 2001:AD8:23:45::1: bytes=32 time<1ms TTL=254 
Reply from 2001:AD8:23:45::1: bytes=32 time<1ms TTL=254 
Reply from 2001:AD8:23:45::1: bytes=32 time<1ms TTL=254 
LAB 49 : Configure RIPng on Cisco Router 
 
Basic Configuration 
DU Router 
Router>en 
Router#conf t 
Enter configuration commands, one per line. End with CNTL/Z. 
 
Router(config)#hostname DU 
DU(config)#ipv6 unicast-routing 
DU(config)#interface fastEthernet 0/0 
DU(config-if)#ipv6 address 2001:AD8:23:45::1/64 
DU(config-if)#no shutdown 
DU(config-if)#exit 
 
BUET Router 
 
Router>en 
Router#conf t 
Enter configuration commands, one per line. End with CNTL/Z. 
Router(config)#hostname BUET 
BUET(config)#ipv6 unicast-routing 
BUET(config)#interface fastEthernet 0/0 
BUET(config-if)#ipv6 address 2001:AD8:23:45::2/64 
BUET(config-if)#no shutdown 
BUET(config-if)#exit 
BUET(config)#interface fastEthernet 0/1 
BUET(config-if)#ipv6 address 2001:BD55:1234:DC4::1/64 
BUET(config-if)#no shutdown 
BUET(config-if)#end 
Configure RIPng 
DU(config)#ipv6 router rip ashish 
DU(config-rtr)#exit 
DU(config)#interface fastEthernet 0/0 
DU(config-if)#ipv6 rip ashish enable 
DU(config-if)#exit 
 
BUET(config)#ipv6 router rip ashish 
BUET(config-rtr)#exit 
BUET(config)#interface fastEthernet 0/0 
BUET(config-if)#ipv6 rip ashish enable 
BUET(config-if)#exit 
BUET(config)#interface fastEthernet 0/1 
BUET(config-if)#ipv6 rip ashish enable 
BUET(config-if)#end 
 
Verification 
 
 
DU#ping ipv6 2001:BD55:1234:DC4::2 
 
Sending 5, 100-byte ICMP Echos to 2001:BD55:1234:DC4::2, timeout is 2 
seconds: 
!!!!! 
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/1 ms 
DU#show ipv6 route 
 
IPv6 Routing Table - 4 entries 
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP 
U - Per-user Static route, M - MIPv6 
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary 
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2 
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2 
D - EIGRP, EX - EIGRP external 
C 2001:AD8:23:45::/64 [0/0] 
via ::, FastEthernet0/0 
L 2001:AD8:23:45::1/128 [0/0] 
via ::, FastEthernet0/0 
R 2001:BD55:1234:DC4::/64 [120/2] 
via FE80::260:3EFF:FEAE:5901, FastEthernet0/0 
L FF00::/8 [0/0] 
via ::, Null0 
DU# 
*** Don’t forget to enable IPv6 unicast routing; otherwise no routing protocol will work for IPv6. 
LAB 50 : Dual-Stack Example 
Hosts and network devices run both IPv4 and IPv6 at the same time. 
 
Router#conf t 
Enter configuration commands, one per line. End with CNTL/Z. 
Router(config)#ipv6 unicast-routing 
Router(config)#interface fastEthernet 0/0 
 
Router(config-if)#ip address 192.168.10.1 255.255.255.0 
Router(config-if)#no shut 
Router(config-if)#ipv6 address 2001:12::1/64 
Router(config-if)#no shutdown 
Router(config-if)#exit 
 
Router(config)#hostname DU 
DU(config)#ipv6 unicast-routing 
DU(config)#interface fastEthernet 0/0 
DU(config-if)#ip address 192.168.10.2 255.255.255.0 
DU(config-if)#ipv6 address 2001:12::2/64 
DU(config-if)#no shutdown 
DU(config-if)#end 
 
 The FastEthernet 0/0 interfaces of the two routers are dual-stacked. 
 Each is configured with an IPv4 and an IPv6 address. 
 For each protocol, the addresses on the two routers are on the same network. 
 
Verification 
 
DU#show ip interface fastEthernet 0/0 
 
FastEthernet0/0 is up, line protocol is up (connected) 
Internet address is 192.168.10.2/24 (IPv4 Address) 
Broadcast address is 255.255.255.255 
------------------------------------ 
DU#show ipv6 interface fastEthernet 0/0 
 
FastEthernet0/0 is up, line protocol is up 
IPv6 is enabled, link-local address is FE80::2D0:97FF:FE08:1301 (IPv6 Address) 
---------------------------------------- 
DU#ping ipv6 2001:12::1 
 
Type escape sequence to abort. 
Sending 5, 100-byte ICMP Echos to 2001:12::1, timeout is 2 seconds: 
!!!!! 
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/2 ms 
 
 
 
 
LAB 51 : Configuration of IPSEC VPN 
 
A Virtual Private Network (VPN) provides a secure tunnel across a public network such as the 
Internet. It lets organizations connect users and offices together without the high costs of 
dedicated leased lines. 
 
VPNs are generally used for: 
 
 Client VPNs (Remote Access VPN) - to connect home or “roaming” users to the office 
 Site-to-Site VPNs - to connect branch offices to a head office 
Types of VPN protocols 
1. Internet Protocol Security (IPSec) 
2. Layer 2 Tunneling Protocol (L2TP) 
3. Point-to-Point Tunneling Protocol (PPTP) 
4. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) 
5. OpenVPN 
6. Secure Shell (SSH) 
 
Here we describe only IPSec Site-to-Site VPN 
 
IPSec: 
 
IPSec (Internet Protocol Security) is a suite of protocols that helps us protect IP traffic at the 
network layer. 
 
4 core IPsec services: 
 
 Confidentiality – encrypts the data. 
 Integrity – ensures, using a hashing algorithm, that data has not been tampered with or altered. 
 Authentication – confirms the identity of the host sending data, using pre-shared keys or a CA (Certificate Authority). 
 Anti-replay – prevents duplication of encrypted packets. 
 
 
 
Configuration of IPSEC VPN 
 
 
5 Phases of IPSec VPN: 
 
1. Define interesting traffic. 
2. IKE phase 1 
 Creates the first tunnel, which protects later ISAKMP negotiation messages. 
3. IKE phase 2 
 Creates the tunnel that protects data. 
4. Transfer data 
5. Tear down tunnel. 
 
Basic Configuration 
 
DU ROUTER 
R1#conf t 
Enter configuration commands, one per line. End with CNTL/Z. 
R1(config)#interface fastEthernet 0/0 
R1(config-if)#ip address 192.168.10.1 255.255.255.0 
R1(config-if)#no shutdown 
R1(config-if)#exit 
R1(config)#interface fastEthernet 0/0 
R1(config-if)#ip address 103.13.148.1 255.255.255.240 
R1(config-if)#no shutdown 
R1(config-if)#exit 
R1(config)#interface fastEthernet 0/1 
 
R1(config-if)#ip address 192.168.10.1 255.255.255.0 
R1(config-if)#no shutdown 
R1(config-if)#exit 
R1(config)#ip route 192.168.20.0 255.255.255.0 103.13.148.2 
 
Configuring IKE Phase 1 
 
1. Enable ISAKMP 
 
R1(config)#crypto isakmp enable 
 
2. Create ISAKMP Policy 
 
R1(config)#crypto isakmp policy 1 
R1(config-isakmp)#authentication pre-share 
R1(config-isakmp)#hash md5 
R1(config-isakmp)#encryption 3des 
R1(config-isakmp)#group 2 
R1(config-isakmp)#lifetime 3600 
R1(config-isakmp)#exit 
 
3. Configure pre-shared keys: 
 
R1(config)#crypto isakmp key cisco123 address 103.13.148.2 
 
Configuring IKE Phase 2 
 
1. Create transform sets: 
 
Router(config)#crypto ipsec transform-set <name> <methods> 
R1(config)#crypto ipsec transform-set ashish esp-3des esp-md5-hmac 
 
2. (optional) Configure IPSec lifetime: 
 
R1(config)#crypto ipsec security-association lifetime seconds 3600 
 
3. Create mirrored ACLs defining traffic to be encrypted and the traffic expected to be 
received encrypted 
4. Set up IPSec crypto-map: 
 
Router(config)#crypto map <name> <seq> ipsec-isakmp 
Router(config-crypto-map)#match address <acl> 
 
Router(config-crypto-map)#set peer <remote_ip> 
Router(config-crypto-map)#set pfs <group1/2/5> 
Router(config-crypto-map)#set transform-set <set> 
-------------------------------------------------------------- 
R1(config)#crypto map mymap 10 ipsec-isakmp 
% NOTE: This new crypto map will remain disabled until a peer 
 and a valid access list have been configured. 
R1(config-crypto-map)#match address 101 
R1(config-crypto-map)#set peer 103.13.148.2 
R1(config-crypto-map)#set pfs group2 
R1(config-crypto-map)#set transform-set ashish 
R1(config-crypto-map)# 
Apply Crypto Map to Interface 
R1(config)#interface fastEthernet 0/0 
R1(config-if)#crypto map mymap 
 
The configuration is the same for the R2 router 
 
R2(config)#crypto isakmp enable 
R2(config)#crypto isakmp policy 1 
R2(config-isakmp)#authentication pre-share 
R2(config-isakmp)#encryption 3des 
R2(config-isakmp)#hash md5 
R2(config-isakmp)#group 2 
R2(config-isakmp)#lifetime 3600 
 
R2(config)#crypto ipsec transform-set ashish esp-3des esp-md5-hmac 
R2(cfg-crypto-trans)#exit 
R2(config)#crypto ipsec security-association lifetime seconds 3600 
R2(config)#access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 
0.0.0.255 
R2(config)#crypto map mymap 10 ipsec-isakmp 
% NOTE: This new crypto map will remain disabled until a peer 
 and a valid access list have been configured. 
R2(config-crypto-map)#match address 101 
R2(config-crypto-map)#set peer 103.13.148.1 
 
R2(config-crypto-map)#set pfs group2 
R2(config-crypto-map)#set transform-set ashish 
R2(config-crypto-map)#exit 
 
R2(config)#interface fastEthernet 0/0 
R2(config-if)#crypto map mymap 
R2(config-if)# 
*Mar 1 00:34:26.911: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON 
R2(config-if)# 
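
The ISAKMP policy and transform set configured above use MD5, 3DES and DH group 2 with an 8-character pre-shared key, all of which current guidance treats as weak. The following Python check is an added example, not part of the lab guide: it flags those parameters in R1's crypto commands and maps them to stronger counterparts. The function names, the 20-character key threshold and the replacement keywords (which assume an IOS release that accepts them) are this example's assumptions.

```python
import re

WEAK_DH = {"1": 768, "2": 1024, "5": 1536}   # DH group -> MODP modulus bits
WEAK_TRANSFORMS = {"esp-des": "DES", "esp-3des": "3DES", "esp-md5-hmac": "HMAC-MD5"}
MIN_PSK_LEN = 20   # threshold assumed for this example, not an IOS limit

# R1's crypto commands from the lab, laid out as in a running config.
R1_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
 hash md5
 encryption 3des
 group 2
 lifetime 3600
crypto isakmp key cisco123 address 103.13.148.2
crypto ipsec transform-set ashish esp-3des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 match address 101
 set peer 103.13.148.2
 set pfs group2
 set transform-set ashish
"""

# Stronger counterparts; assumes an IOS release that accepts these keywords.
STRONGER = {"hash md5": "hash sha256", "encryption 3des": "encryption aes 256",
            " group 2\n": " group 14\n", "set pfs group2": "set pfs group14",
            "esp-3des esp-md5-hmac": "esp-aes 256 esp-sha256-hmac",
            "cisco123": "REPLACE-WITH-LONG-RANDOM-KEY"}   # placeholder key

def harden(config):
    for weak, strong in STRONGER.items():
        config = config.replace(weak, strong)
    return config

def audit(config):
    """Return one finding per weak IKE/IPsec parameter; the key is never echoed."""
    findings, ctx = [], ""
    for raw in config.splitlines():
        line = raw.strip()
        if raw[:1] not in ("", " "):
            ctx = line                  # a top-level command opens a new block
        policy = raw[:1] == " " and ctx.startswith("crypto isakmp policy")
        cmap = raw[:1] == " " and ctx.startswith("crypto map")
        if policy and line == "hash md5":
            findings.append(f"{ctx}: hash is MD5")
        elif policy and (m := re.fullmatch(r"encryption (3?des)", line)):
            findings.append(f"{ctx}: encryption is {m[1].upper()}")
        elif (policy or cmap) and (m := re.fullmatch(r"(?:group |set pfs group)(\d+)", line)):
            if m[1] in WEAK_DH:
                findings.append(f"{ctx}: DH group {m[1]} is {WEAK_DH[m[1]]}-bit MODP")
        elif m := re.fullmatch(r"crypto isakmp key (\S+) address (\S+)", line):
            if len(m[1]) < MIN_PSK_LEN:
                findings.append(f"pre-shared key for {m[2]}: only {len(m[1])} characters")
        elif m := re.fullmatch(r"crypto ipsec transform-set (\S+) (.+)", line):
            findings += [f"transform-set {m[1]}: {WEAK_TRANSFORMS[t]} ({t})"
                         for t in m[2].split() if t in WEAK_TRANSFORMS]
    return findings

if __name__ == "__main__":
    print(*audit(R1_CONFIG), f"after harden(): {audit(harden(R1_CONFIG))}", sep="\n")
```

Both peers must carry the same policy and transform set, so any stronger values have to be applied to R1 and R2 together or the tunnel will not negotiate.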
 
Verification and testing 
 
Ping from R1 to PC2 
 
R1#ping 192.168.20.2 source 192.168.10.1 
 
 
Be sure to source the ping from the inside IP address when testing the VPN tunnel from the 
router. We can also ping from PC1 to PC2. 
The ping brings up the VPN because it is “interesting” traffic (the first ping is lost while the 
VPN is being created). We can verify with “show crypto engine connections active”. 
 
 
Verify the IPSec Phase 1 connection 
 
R1#show crypto isakmp sa 
 
 
 
 
Verify IPSec Phase 2 connection 
 
R1# show crypto ipsec sa 
 
 
 
We can also view active IPSec sessions using the "show crypto session" command. 
 
 
 
 
 
 
 
 
 
 
 
 
 
 ASHISH HALDER 
APPLIED PHYSICS, ELECTRONICS AND COMMUNICATION ENGINEERING 
UNIVERSITY OF DHAKA 
 EMAIL -glakh2010@gmail.com 
 skype: ashish.halder312
