cisco network academy ccna 2 routing and switching essentialshlee3/classes/backup/itec451... ·...

Cisco Network Academy CCNA 2 Routing and Switching Essentials

Packet Tracer Practice with Dans’ Sample

http://www.danscourses.com/ In this lab, you will:

Step 1 ------------ Using the address information in the topology diagram configure: - Web Server: ip address - 192.168.35.252 subnet mask - 255.255.255.0 gateway - 192.168.35.1 DNS server - 192.168.35.253 - DNS Server: ip address - 192.168.35.253 subnet mask - 255.255.255.0 gateway - 192.168.35.1 DNS server - 127.0.0.1 - PC-Admin: ip address - 192.168.88.10 subnet mask - 255.255.255.0 gateway - 192.168.88.1 DNS server - 192.168.35.253 Step 2 ------------ Using the information in topology diagram configure S1, S2, S3 with the following initial settings: 1. hostname 2. vlans and vlan names 3. trunks (allowed vlans, and native vlan) - S1, S2, S3 VLANs allowed: 15, 25, 35, 88, 98, native: 98 4. access switchports with vlans 5. shutdown unused switchports 6. the management interface vlan 88 with an ip address 7. use the planned R1 address 192.168.88.1 as the default gateway Step 3

http://www.danscourses.com/

------------ Using the address information in the topology diagram configure R1, R2, R3 with the following initial settings: 1. hostname, 2. interface addresses and subnet masks R1, R2, R3 R1 s0/0/0: clock rate 2000000 R2 s0/0/1: clock rate 128000 3. R1 g0/0 & R3 g0/1 - sub-interface addressing and 802.1q encapsulation *note: when configuring sub-interfaces you need to enable the physical interface 4. Enable IPv6 routing on R2 and R3 5. R2 s0/1/0 and s0/0/1 - IPv6 addressing (see topology diagram) R3 g0/0 and s0/0/1 - IPv6 addressing (see topology diagram) 6. R3 loopback interfaces with ip addresses Step 4 ------------ 1. Configure R1 as a DHCPv4 server: Create a dhcp pool named POOL15 for the 192.168.15.0/24 network Create a dhcp pool named POOL25 for the 192.168.25.0/24 network exclude the first 5 addresses in both pools the dhcp pools will need: - network and mask - default-router - dns-server 2. Enable the DHCPv4 clients on PC1 and PC2 to verify the dhcp server is working 3. Configure R3 as a stateless DHCPv6 server: create a ipv6 dhcp pool named POOLIPV6 provide dns-server information: 2001:DB8:2323:E::1 *note: DHCPv6 needs to be applied to the interface and the nd other-config-flag will need to be set for stateless DHCPv6 4. Enable the DHCPv6 client on PC4 to verify that SLAAC and the DHCPv6 server is working. 5. *Note: sometimes you need to toggle the DHCPv4 and v6 client settings on and off to get them to work correctly and pick up addressing information Step 5 ------------- Configure single area OSPFv2 on R1, R2, R3

R1 ospf process id 1 router-id 1.1.1.1 networks all (area 0) do not send router advertisements out of all LAN interfaces set serial 0/0/0 bandwidth to 1544 kilobits per second R2 first create a default route on R2 out of s0/1/0 ospf process id 1 router-id 2.2.2.2 networks 192.168.5.0 and 192.168.5.4 (area 0) do not send router advertisements out of s0/1/0 interface advertise the default route to other OSPF routers set serial 0/0/0 bandwidth to 1544 kilobits per second set serial 0/0/1 bandwidth to 128 kilobits per second R3 ospf process id 1 router-id 3.3.3.3 networks all (area 0) except use a single summary route for the loopback networks do not send router advertisements out of all LAN interfaces do not send router advertisements out of all loopback interfaces set serial 0/0/1 bandwidth to 128 kilobits per second Step 6 --------------------- configure OSPFv3 on R2 and R3 R3 ipv6 ospf process id 10 router-id 3.3.3.3 passive-interfaces on g0/0 and g0/1 configure s0/0/1 and g0/0 with ipv6 ospf 10 area 0 configure an ipv6 ::/0 default route out s0/0/1 R2 ipv6 ospf process id 10 router-id 2.2.2.2 passive interfaces on s0/0/0 and s0/1/0 configure s0/0/1 with ipv6 ospf 10 area 0 configure an ipv6 ::/0 default route out s0/1/0

*note: You should be able to ping the Initech Server IPv6 address from PC4. If you are unable to ping Initech, double check your interface and OSPFv3 settings and do a clear ipv6 ospf process command on R2 and R3 Step 7 --------------------- Configure static and dynamic NAT on R2. 1. Configure a static nat rule: - translating global 209.165.201.65 to the local web server at 192.168.35.252 2. Configure int s0/1/0 as the outside NAT interface 3. Configure int s0/0/0 and s0/0/1 as the inside NAT interfaces 4. Configure a NAT pool named R2NATPOOL for: 209.165.201.66 through 209.165.201.69 make the netmask as close as possible to masking just those addresses 5. Configure access-list 15 to permit the 192.168.15.0/24 network 6. Configure access-list 25 to permit the 192.168.25.0/24 network 7. Create two separate dynamic NAT rules: - "ip nat inside" that maps access-list 15 to the nat pool with overload - "ip nat inside" that maps access-list 25 to the nat pool with overload Step 8 --------------------- Configure access lists on R2 to limit outside access into the network 1. configure an extended access-list 100 to achieve the following goals (3 lines only): - from the outside permit port 80 access to the web server - from the outside permit pings that were initiated from within the network only - permit "established" web page requests generated from within the network only (you will need to use the established keyword at the end of the line) - deny all other kinds of communication from outside the network 2. configure an IPv6 access-list FIREWALL-IPV6 to achieve the following goals (2 lines only): - from the outside permit pings that were initiated from within the network only - permit "established" web page requests generated from within the network only (you will need to use the established keyword at the end of the line) - deny all other kinds of communication from outside the network Step 9 --------------------- Configure the following on R3: - password min length 10 characters - encrypt all passwords - banner motd "No unauthorized access allowed!" - administrative user account: username: admin,

secret pass: danscourses - enable secret: class12345 - named access-list ADMIN-MGT permit only host PC-Admin remote Telnet access - console 0 and vty 0 4: use local database for logins, timeout after 5 min apply ADMIN-MGT access-list to vty - save running-config to startup-config

Lab Guide

Step 1 ------------ Using the address information in the topology diagram configure: - Web Server: ip address - 192.168.35.252 subnet mask - 255.255.255.0 gateway - 192.168.35.1 DNS server - 192.168.35.253 - DNS Server: ip address - 192.168.35.253 subnet mask - 255.255.255.0 gateway - 192.168.35.1 DNS server - 127.0.0.1 - PC-Admin: ip address - 192.168.88.10 subnet mask - 255.255.255.0 gateway - 192.168.88.1 DNS server - 192.168.35.253 Step 2 ------------ Using the information in topology diagram configure S1, S2, S3 with the following initial settings: 1. hostname 2. vlans and vlan names 3. trunks (allowed vlans, and native vlan) - S1, S2, S3 VLANs allowed: 15, 25, 35, 88, 98, native: 98 4. access switchports with vlans 5. shutdown unused switchports 6. the management interface vlan 88 with an ip address 7. use the planned R1 address 192.168.88.1 as the default gateway

For the switch S1:

S1>en

S1#conf t

Enter configuration commands, one per line. End with CNTL/Z.

S1(config)#hostname S1

S1(config)#vlan 15

S1(config-vlan)#name Sales

S1(config-vlan)#vlan 25

S1(config-vlan)#name Research


S1(config-vlan)#name Servers


S1(config-vlan)#name Mgt


S1(config-vlan)#name Native

S1(config-vlan)#exit

S1(config-if)#int f0/5

S1(config-if)#switchport mode access

S1(config-if)#switchport access vlan 15

S1(config-if)#int g0/1

S1(config-if)#switchport mode trunk

S1(config-if)#switchport trunk allowed vlan 15,25,35,88,98

S1(config-if)#switchport trunk native vlan 98





S1(config-if)#int range f0/1-4, f0/6-24

S1(config-if-range)#shut

S1(config-if-range)#exit

S1(config)#

S1(config)#int vlan 88

S1(config-if)#ip address 192.168.88.11 255.255.255.0

S1(config-if)#exit

S1(config)#ip default-gateway 192.168.88.1

S1(config)#exit

S1#

S1#copy run start

Destination filename [startup-config]?

Building configuration...

[OK]

S1#show run


Current configuration : 1617 bytes

!

version 12.2

no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

!

hostname S1

!

!

!

!

!

spanning-tree mode pvst

!

interface FastEthernet0/1

shutdown

!


shutdown

!


shutdown

!


shutdown

!


switchport access vlan 15

switchport mode access

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!

interface GigabitEthernet0/1

switchport trunk native vlan 98

switchport trunk allowed vlan 15,25,35,88,98

switchport mode trunk

!





!

interface Vlan1

no ip address

shutdown

!

interface Vlan88

ip address 192.168.88.11 255.255.255.0

!

ip default-gateway 192.168.88.1

!

!

!

!

line con 0

!

line vty 0 4

login

line vty 5 15

login

!

!

end

S1#

Please complete the same configuration for the switch S2 and S3.

Note: the switch name should be S2 and S3 respectively, not S1.

For the switch S2:

Switch>en

Switch#conf t


Switch(config)#hostname S2

S2(config)#vlan 15











S2(config)#int g0/1




S2(config-if)# int g0/2




S2(config-if)#int f0/10



S2(config-if)#int range f0/1-9, f0/11-24





S2(config-if)#exit


S2(config)#exit

S2#copy run start



S2#show run



!

version 12.2




!

hostname S2

!

!

!

!

!


!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!




!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!





!





!

interface Vlan1

no ip address

shutdown

!

interface Vlan88

ip address 192.168.88.12 255.255.255.0

!


!

!

!

!

line con 0

!

line vty 0 4

login

line vty 5 15

login

!

!

end

S2#

For the switch S3:

Switch>en

Switch#conf t


Switch(config)#hostname S3

S3(config)#vlan 15











S3(config)#int g0/1








S3(config-if)#exit

S3(config)#int f0/5



S3(config-if)#int range f0/1-2

S3(config-if-range)#switchport mode access

S3(config-if-range)#switchport access vlan 35

S3(config-if-range)#int range f0/3-4, f0/6-24



S3(config)#



S3(config-if)#exit


S3(config)#exit

S3#copy run start



[OK]

S3#show run



!

version 12.2




!

hostname S3

!

!

!

!

!


!




!




!


shutdown

!


shutdown

!




!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!


shutdown

!





!





!

interface Vlan1

no ip address

shutdown

!

interface Vlan88

ip address 192.168.88.13 255.255.255.0

!


!

!

!

!

line con 0

!

line vty 0 4

login

line vty 5 15

login

!

!

end

S3#

Step 3 ------------

Using the address information in the topology diagram configure

R1, R2, R3 with the following initial settings:

1. hostname,

2. interface addresses and subnet masks R1, R2, R3

R1 s0/0/0: clock rate 2000000

R2 s0/0/1: clock rate 128000

3. R1 g0/0 & R3 g0/1

- sub-interface addressing and 802.1q encapsulation

*note: when configuring sub-interfaces you need to enable the physical interface

4. Enable IPv6 routing on R2 and R3

5. R2 s0/1/0 and s0/0/1 - IPv6 addressing (see topology diagram)

R3 g0/0 and s0/0/1 - IPv6 addressing (see topology diagram)

6. R3 loopback interfaces with ip addresses

For the router R1:

Router>en

Router#conf t


Router(config)# hostname R1

R1(config)#int g0/0

R1(config-if)#no shut

R1(config-if)#int g0/0.15

R1(config-subif)#encapsulation dot1q ?

<1-1005> IEEE 802.1Q VLAN ID

R1(config-subif)#encapsulation dot1q 15

R1(config-subif)#ip address 192.168.15.1 255.255.255.0

R1(config-subif)#int g0/0.25








Router(config-subif)#ip address 192.168.88.1 255.255.255.0


R1(config-subif)#encapsulation dot1q 98 ?

native Make this as native vlan

<cr>

R1(config-subif)#encapsulation dot1q 98 native


R1(config-subif)#exit

R1(config)#

R1(config)#int s0/0/0

R1(config-if)#clock rate 2000000

R1(config-if)#ip address 192.168.5.1 255.255.255.252


R1(config-if)#exit

R1(config)#exit

R1#

R1#show run



!

version 15.1




!

hostname R1

!

!

!

!

!

!

ip cef

no ipv6 cef

!

!

!

!

license udi pid CISCO1941/K9 sn FTX15245PB6

!

!

!

!

!

!

!

!

!

!

!


!

!

!

!

!

!


no ip address

duplex auto

speed auto

!

interface GigabitEthernet0/0.15

encapsulation dot1Q 15

ip address 192.168.15.1 255.255.255.0

!



ip address 192.168.25.1 255.255.255.0

!



ip address 192.168.35.1 255.255.255.0

!



ip address 192.168.88.1 255.255.255.0

!


encapsulation dot1Q 98 native

ip address 192.168.98.1 255.255.255.0

!


no ip address

duplex auto

speed auto

shutdown

!

interface Serial0/0/0

ip address 192.168.5.1 255.255.255.252

clock rate 2000000

!


no ip address

clock rate 2000000

shutdown

!

interface Vlan1

no ip address

shutdown

!

ip classless

!

ip flow-export version 9

!

!

!

!

!

!

!

line con 0

!

line aux 0

!

line vty 0 4

login

!

!

!

end

R1#copy run start



[OK]

R1#

For the router R2:

Router>en

Router#conf t


Router(config)#hostname R2




R2(config-if)#int s0/1/0



R2#show controller s0/1/0

Interface Serial0/1/0

Hardware is PowerQUICC MPC860

DTE V.35 TX and RX clocks detected

<omitted>

R2#show controller s0/0/1

Interface Serial0/0/1

Hardware is PowerQUICC MPC860

DCE V.35, clock rate 2000000

<omitted>

R2#

R2#

R2#conf t



R2(config-if)#clock rate 128000



<CTRL + C>

R2#

R2#ping 209.165.201.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 209.165.201.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/22/60 ms

R2#

R2#ping 192.168.5.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.5.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/14/37 ms

R2# conf t

R2 (config)# ipv6 unicast-routing

R2 (config)# int s0/1/0

R2 (config-if)# ipv6 address 2001:DB8:2323:E::2/64

R2 (config-if)# ipv6 address FE80::2 link-local


R2 (config-if)# ipv6 address 2001:DB8:DC:A::1/64



R2(config-if)#no ipv6 traffic-filter FIREWALL-IPV6 in

R2(config-if)#

R2#

R2#show run



!

version 15.1




!

hostname R2

!

!

!

!

!

!

ip cef

ipv6 unicast-routing

!

no ipv6 cef

!

!

!

!

license udi pid CISCO1941/K9 sn FTX1524595X

!

!

!

!

!

!

!

!

!

!

!


!

!

!

!

!

!


no ip address

duplex auto

speed auto

shutdown

!


no ip address

duplex auto

speed auto

shutdown

!


ip address 192.168.5.2 255.255.255.252

!


ip address 192.168.5.5 255.255.255.252

ipv6 address FE80::2 link-local

ipv6 address 2001:DB8:DC:A::1/64

clock rate 128000

!


ip address 209.165.201.66 255.255.255.0


ipv6 address 2001:DB8:2323:E::2/64

!


no ip address

clock rate 2000000

shutdown

!

interface Vlan1

no ip address

shutdown

!

ip classless

!


!

!

!

!

!

!

!

line con 0

!

line aux 0

!

line vty 0 4

login

!

!

!

end

R2#copy run start



[OK]

R2#

For the router R3:

Router>en

Router#conf t


Router(config)#hostname R3

R3(config)#int g0/1


R3(config-if)#int g0/1.15













R3(config-subif)#encapsulation dot1q 98 native


R3(config-subif)#exit

R3(config)# exit

R3#show run



!

version 15.1




security passwords min-length 10

!

hostname R3

!

!

!

!

!

!

ip cef

no ipv6 cef

!

!

!

!

license udi pid CISCO1941/K9 sn FTX1524SI65

!

!

!

!

!

!

!

!

!

!

!


!

!

!

!

!

!


no ip address

duplex auto

speed auto

shutdown

!


no ip address

duplex auto

speed auto

!



ip address 192.168.15.3 255.255.255.0

!



ip address 192.168.25.3 255.255.255.0

!



ip address 192.168.35.3 255.255.255.0

!



ip address 192.168.88.3 255.255.255.0

!



ip address 192.168.98.3 255.255.255.0

!


no ip address

clock rate 2000000

shutdown

!


no ip address

clock rate 2000000

shutdown

!

interface Vlan1

no ip address

shutdown

!

ip classless

!


!

!

!

!

!

!

!

line con 0

!

line aux 0

!

line vty 0 4

access-class ADMIN-MGT in

login

!

!

!

end

R3(config)#




R3(config-if)#exit

R3(config)#ipv6 unicast-routing

R3(config)#int g0/0

R3(config-if)#ipv6 address 2001:DB88:DC:1::1/64

R3(config-if)#ipv6 address FE80::3 link-local


R3(config-if)#exit


R3 (config-if)# ipv6 address 2001:DB8:DC:A::2/64



R3(config-if)#exit

R3(config)#exit

R3#copy run start



[OK]

R3#show run



!

version 15.1





!

hostname R3

!

!

!

!

!

!

ip cef


!

no ipv6 cef

!

!

!

!


!

!

!

!

!

!

!

!

!

!

!


!

!

!

!

!

!


no ip address

duplex auto

speed auto


ipv6 address 2001:DB88:DC:1::1/64

!


no ip address

duplex auto

speed auto

!



ip address 192.168.15.3 255.255.255.0

!



ip address 192.168.25.3 255.255.255.0

!



ip address 192.168.35.3 255.255.255.0

!



ip address 192.168.88.3 255.255.255.0

!



ip address 192.168.98.3 255.255.255.0

!


no ip address

clock rate 2000000

shutdown

!


ip address 192.168.5.6 255.255.255.252

!

interface Vlan1

no ip address

shutdown

!

ip classless

!


!

!

!

!

!

!

!

line con 0

!

line aux 0

!

line vty 0 4


login

!

!

!

end

R3#

R3#conf t


R3(config)#int lo0


R3(config-if)#int lo1






R3(config-if)#exit

R3(config)#exit

R3#copy run start



[OK]

R3#show run



!

version 15.1





!

hostname R3

!

!

!

!

!

!

ip cef


!

no ipv6 cef

!

!

!

!


!

!

!

!

!

!

!

!

!

!

!


!

!

!

!

!

!

interface Loopback0

ip address 172.16.4.1 255.255.255.0

!

interface Loopback1

ip address 172.16.5.1 255.255.255.0

!

interface Loopback2

ip address 172.16.6.1 255.255.255.0

!

interface Loopback3

ip address 172.16.7.1 255.255.255.0

!


no ip address

duplex auto

speed auto



!


no ip address

duplex auto

speed auto

!



ip address 192.168.15.3 255.255.255.0

!



ip address 192.168.25.3 255.255.255.0

!



ip address 192.168.35.3 255.255.255.0

!



ip address 192.168.88.3 255.255.255.0

!



ip address 192.168.98.3 255.255.255.0

!


no ip address

clock rate 2000000

shutdown

!


ip address 192.168.5.6 255.255.255.252

!

interface Vlan1

no ip address

shutdown

!

ip classless

!


!

!

!

!

!

!

!

line con 0

!

line aux 0

!

line vty 0 4


login

!

!

!

end

R3#

Step 4 ------------

1. Configure R1 as a DHCPv4 server:

Create a dhcp pool named POOL15 for the 192.168.15.0/24 network

Create a dhcp pool named POOL25 for the 192.168.25.0/24 network

exclude the first 5 addresses in both pools

the dhcp pools will need:

- network and mask

- default-router

- dns-server

2. Enable the DHCPv4 clients on PC1 and PC2 to verify the dhcp server is working

3. Configure R3 as a stateless DHCPv6 server:

create a ipv6 dhcp pool named POOLIPV6

provide dns-server information: 2001:DB8:2323:E::1

*note: DHCPv6 needs to be applied to the interface and the

nd other-config-flag will need to be set for stateless DHCPv6

4. Enable the DHCPv6 client on PC4 to verify that SLAAC and the

DHCPv6 server is working.

5. *Note: sometimes you need to toggle the DHCPv4 and v6 client settings

on and off to get them to work correctly and pick up addressing information

For the Router R1:

R1>en

R1#conf t


R1(config)#ip dhcp pool POOL15

R1(dhcp-config)#network 192.168.15.0 255.255.255.0

R1(dhcp-config)#default-router 192.168.15.1

R1(dhcp-config)#dns-server 192.168.35.253

R1(dhcp-config)#ip dhcp pool POOL25

R1(dhcp-config)#network 192.168.25.0 255.255.255.0

R1(dhcp-config)#default-router 192.168.25.1

R1(dhcp-config)#dns-server 192.168.35.253

R1(dhcp-config)#exit

R1(config)#ip dhcp excluded-address 192.168.15.1 192.168.15.5

R1(config)#ip dhcp excluded-address 192.168.25.1 192.168.25.5

R1(config)#exit

R1#copy run start



[OK]

R1#

Note: At this point, check if the DHCPv4 setup is successfully done by changing IP

configuration of both PC1 and PC2 from Static to DHCP.

We also can check if the default router has been setup successfully by pining to the

default gateway R1 from PC1 and PC2.

PC1> ping 192.168.15.1

PC2> ping 192.168.25.1

Now, we will start to setup DHCPv6

Note: To see what SLAAC does, change IPv6 configuration on PC4 from Static to

Auto Config.

For the Router R3:

SLAAC (Stateless Address Auto Configuration) + DHCPv6

R3>en

R3#conf t


R3(config)#ipv6 dhcp pool POOLIPV6

R3(config-dhcp)#dns-server 2001:DB8:2323:E::1

R3(config-dhcp)#exit

R3(config)#int g0/0

R3(config-if)#ipv6 dhcp ?

client Act as an IPv6 DHCP client

server Act as an IPv6 DHCP server

R3(config-if)#ipv6 dhcp server ?

WORD Name of IPv6 DHCP pool

R3(config-if)#ipv6 dhcp server POOLIPV6

R3(config-if)#ipv6 nd ?

managed-config-flag Hosts should use DHCP for address config

other-config-flag Other stateful configuration flag

ra Router Advertisement control

R3(config-if)#ipv6 nd other-config-flag

R3(config-if)#

Note: To check the setup, change IPv6 configuration on PC4 from Auto Config to

Static and then from Static to Auto Config. If necessary, keep checking it back and

forth until we can see all the information under IPv6 configuration.

Step 5 -------------

Configure single area OSPFv2 on R1, R2, R3

R1

ospf process id 1

router-id 1.1.1.1

networks all (area 0)

do not send router advertisements out of all LAN interfaces

set serial 0/0/0 bandwidth to 1544 kilobits per second

R2

first create a default route on R2 out of s0/1/0

ospf process id 1

router-id 2.2.2.2

networks 192.168.5.0 and 192.168.5.4 (area 0)

do not send router advertisements out of s0/1/0 interface

advertise the default route to other OSPF routers



R3

ospf process id 1

router-id 3.3.3.3

networks all (area 0) except use a single summary route for the loopback networks

do not send router advertisements out of all LAN interfaces

do not send router advertisements out of all loopback interfaces


On R1:

R1> en

R1#conf t


R1(config)#router ospf 1

R1(config-router)#router-id 1.1.1.1

R1(config-router)#network 192.168.15.0 ?

A.B.C.D OSPF wild card bits

R1(config-router)#network 192.168.15.0 0.0.0.255 area 0






R1(config-router)#passive-interface g0/0.15





R1(config-router)#exit


R1(config-if)#bandwidth ?

<1-10000000> Bandwidth in kilobits

R1(config-if)#bandwidth 1544

R1(config-if)#exit

R1(config)#exit

R1#copy run start



[OK]

R1#

On R2:

R2>en

R2#conf t




R2(config-if)#exit



R2(config-router)#

00:08:54: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on Serial0/0/0 from LOADING to

FULL, Loading Done



R2(config-router)#passive-interface s0/1/0


R2(config)#ip route 0.0.0.0 0.0.0.0 s0/1/0



R2(config-if)#exit


R2(config-router)#default-information originate


R2(config)#exit

R2#show run



!

version 15.1




!

hostname R2

!

!

!

!

!

!

ip cef

no ipv6 cef

!

!

!

!


!

!

!

!

!

!

!

!

!

!

!


!

!

!

!

!

!


no ip address

duplex auto

speed auto

shutdown

!


no ip address

duplex auto

speed auto

shutdown

!


bandwidth 1544

ip address 192.168.5.2 255.255.255.252

clock rate 2000000

!


bandwidth 128

ip address 192.168.5.5 255.255.255.252

clock rate 128000

!


ip address 209.165.201.66 255.255.255.0

ipv6 traffic-filter FIREWALL-IPV6 in

clock rate 2000000

!


no ip address

clock rate 2000000

shutdown

!

interface Vlan1

no ip address

shutdown

!

router ospf 1

router-id 2.2.2.2

log-adjacency-changes

passive-interface Serial0/1/0

network 192.168.5.0 0.0.0.3 area 0

network 192.168.5.4 0.0.0.3 area 0

default-information originate

!

ip classless

ip route 0.0.0.0 0.0.0.0 Serial0/1/0

!


!

!

!

!

!

!

!

line con 0

!

line aux 0

!

line vty 0 4

login

!

!

!

end

R2#copy run start



[OK]

R2#

On R3:

R3>en

R3#conf t















R3(config-router)#passive-interface lo0






R3(config)#exit

R3#

R3#copy run start



[OK]

R3#

R3#

R3#show run



!

version 15.1





!

hostname R3

!

!

!

!

!

!

ip cef


!

no ipv6 cef

!

ipv6 dhcp pool POOLIPV6

dns-server 2001:DB8:2323:E::1

!

!

!


!

!

!

!

!

!

!

!

!

!

!


!

!

!

!

!

!

interface Loopback0

ip address 172.16.4.1 255.255.255.0

!

interface Loopback1

ip address 172.16.5.1 255.255.255.0

!

interface Loopback2

ip address 172.16.6.1 255.255.255.0

!

interface Loopback3

ip address 172.16.7.1 255.255.255.0

!


no ip address

duplex auto

speed auto



ipv6 nd other-config-flag

ipv6 dhcp server POOLIPV6

!


no ip address

duplex auto

speed auto

!



ip address 192.168.15.3 255.255.255.0

!



ip address 192.168.25.3 255.255.255.0

!



ip address 192.168.35.3 255.255.255.0

!



ip address 192.168.88.3 255.255.255.0

!



ip address 192.168.98.3 255.255.255.0

!


no ip address

clock rate 2000000

shutdown

!


ip address 192.168.5.6 255.255.255.252



clock rate 2000000

!

interface Vlan1

no ip address

shutdown

!

router ospf 1

router-id 3.3.3.3


passive-interface Loopback0




passive-interface GigabitEthernet0/1.15





network 192.168.15.0 0.0.0.255 area 0

network 192.168.25.0 0.0.0.255 area 0

network 192.168.35.0 0.0.0.255 area 0

network 192.168.88.0 0.0.0.255 area 0

network 192.168.98.0 0.0.0.255 area 0

network 192.168.5.4 0.0.0.3 area 0

network 172.16.4.0 0.0.3.255 area 0

!

ip classless

!


!

!

!

!

!

!

!

line con 0

!

line aux 0

!

line vty 0 4


login

!

!

!

end

R3#

At this point, to restart the ospf process, configure the following on R1, R2, and R3

On R1:

R1>en

R1#clear ip ospf process

Reset ALL OSPF processes? [no]: yes

R1#

00:23:14: %OSPF-5-ADJCHG: Process 1, Nbr 209.165.201.66 on Serial0/0/0 from

FULL to DOWN, Neighbor Down: Adjacency forced to reset


FULL to DOWN, Neighbor Down: Interface down or detached


LOADING to FULL, Loading Done

R1#copy run start



[OK]

R1#

On R2:

R2>en



R2#

00:24:52: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on Serial0/0/0 from FULL to

DOWN, Neighbor Down: Adjacency forced to reset


DOWN, Neighbor Down: Interface down or detached






FULL, Loading Done

R2#copy run start



[OK]

R2#

On R3:

R3>en



R3#






FULL, Loading Done

R3#copy run start



[OK]

R3#

Step 6 ---------------------

configure OSPFv3 on R2 and R3

R3

ipv6 ospf process id 10

router-id 3.3.3.3

passive-interfaces on g0/0 and g0/1

configure s0/0/1 and g0/0 with ipv6 ospf 10 area 0

configure an ipv6 ::/0 default route out s0/0/1

R2

ipv6 ospf process id 10

router-id 2.2.2.2

passive interfaces on s0/0/0 and s0/1/0

configure s0/0/1 with ipv6 ospf 10 area 0

configure an ipv6 ::/0 default route out s0/1/0

*note: You should be able to ping the Initech Server IPv6 address from PC4. If

you are unable to ping Initech, double check your interface and OSPFv3

settings and do a clear ipv6 ospf process command on R2 and R3

On R3:

R3>en

R3#conf t


R3(config)#ipv6 router ospf 10

R3(config-rtr)#router-id 3.3.3.3

R3(config-rtr)#passive-interface g0/0

R3(config-rtr)#passive-interface g0/1

R3(config-rtr)#end

R3#

R3#conf t


R3(config)#int g0/0

R3(config-if)#ipv6 ospf 10 area 0



R3(config-if)#exit

R3(config)#exit

R3#show run



!

version 15.1





!

hostname R3

!

!

!

!

!

!

ip cef


!

no ipv6 cef

!

ipv6 dhcp pool POOLIPV6

dns-server 2001:DB8:2323:E::1

!

!

!


!

!

!

!

!

!

!

!

!

!

!


!

!

!

!

!

!

interface Loopback0

ip address 172.16.4.1 255.255.255.0

!

interface Loopback1

ip address 172.16.5.1 255.255.255.0

!

interface Loopback2

ip address 172.16.6.1 255.255.255.0

!

interface Loopback3

ip address 172.16.7.1 255.255.255.0

!


no ip address

duplex auto

speed auto



ipv6 nd other-config-flag

ipv6 ospf 10 area 0

ipv6 dhcp server POOLIPV6

!


no ip address

duplex auto

speed auto

!



ip address 192.168.15.3 255.255.255.0

!



ip address 192.168.25.3 255.255.255.0

!



ip address 192.168.35.3 255.255.255.0

!



ip address 192.168.88.3 255.255.255.0

!



ip address 192.168.98.3 255.255.255.0

!


no ip address

clock rate 2000000

shutdown

!


ip address 192.168.5.6 255.255.255.252



ipv6 ospf 10 area 0

clock rate 2000000

!

interface Vlan1

no ip address

shutdown

!

ipv6 router ospf 10

router-id 3.3.3.3


passive-interface GigabitEthernet0/0

passive-interface GigabitEthernet0/1

!

ip classless

!


!

ipv6 route ::/0 Serial0/0/1

!

!

!

!

!

!

line con 0

!

line aux 0

!

line vty 0 4


login

!

!

!

end

R3#

On R2:

R2>en

R2#conf t


R2(config)#ipv6 router ospf 10

R2(config-rtr)#router-id 2.2.2.2

R2(config-rtr)#passive-interface s0/0/0

R2(config-rtr)#passive-interface s0/1/0

R2(config-rtr)#exit



R2(config-if)#exit

R2(config)#ipv6 route ::/0 s0/1/0

R2(config)#exit

R2#copy run start



[OK]

R2#show run



!

version 15.1




!

hostname R2

!

!

!

!

!

!

ip cef


!

no ipv6 cef

!

!

!

!


!

!

!

!

!

!

!

!

!

!

!


!

!

!

!

!

!


no ip address

duplex auto

speed auto

shutdown

!


no ip address

duplex auto

speed auto

shutdown

!


ip address 192.168.5.2 255.255.255.252

clock rate 2000000

!


bandwidth 128

ip address 192.168.5.5 255.255.255.252



ipv6 ospf 10 area 0

clock rate 128000

!


ip address 209.165.201.66 255.255.255.0


ipv6 address 2001:DB8:2323:E::2/64

clock rate 2000000

!


no ip address

clock rate 2000000

shutdown

!

interface Vlan1

no ip address

shutdown

!

router ospf 1

router-id 2.2.2.2



network 192.168.5.0 0.0.0.3 area 0

network 192.168.5.4 0.0.0.3 area 0

default-information originate

!

ipv6 router ospf 10

router-id 2.2.2.2




!

ip classless

ip route 0.0.0.0 0.0.0.0 Serial0/1/0

!


!

ipv6 route ::/0 Serial0/1/0

!

!

!

!

!

!

line con 0

!

line aux 0

!

line vty 0 4

login

!

!

!

end

R2#

At this point, you should be able to ping the Initech Web Server IPv6

address from PC4.

PC4> ping 2001:DB8:2323:F::F2

If you are unable to ping Initech Web Server, double check your interface

and OSPFv3 settings and do a clear ipv6 ospf process command on R2 and

R3.

If it still doesn’t work, check if all the IPv6 addresses are set in the IPv6

configuration on PC4. If not, change the setting to DHCP and then to Auto

Config multiple times until you see all the IPv6 addresses.

Step 7 ---------------------

Configure static and dynamic NAT on R2.

1. Configure a static nat rule:

- translating global 209.165.201.65 to the local web server at 192.168.35.252

2. Configure int s0/1/0 as the outside NAT interface

3. Configure int s0/0/0 and s0/0/1 as the inside NAT interfaces

4. Configure a NAT pool named R2NATPOOL for:

209.165.201.66 through 209.165.201.69

make the netmask as close as possible to masking just those addresses

5. Configure access-list 15 to permit the 192.168.15.0/24 network

6. Configure access-list 25 to permit the 192.168.25.0/24 network

7. Create two separate dynamic NAT rules:

- "ip nat inside" that maps access-list 15 to the nat pool with overload

- "ip nat inside" that maps access-list 25 to the nat pool with overload

On R2:

R2>en

R2#conf t


R2(config)#ip nat ?

inside Inside address translation

outside Outside address translation

pool Define pool of addresses

R2(config)#ip nat inside ?

source Source address translation

R2(config)#ip nat inside source ?

list Specify access list describing local addresses

static Specify static local->global mapping

R2(config)#ip nat inside source static ?

A.B.C.D Inside local IP address

tcp Transmission Control Protocol

udp User Datagram Protocol

R2(config)#ip nat inside source static 192.168.35.252 ?

A.B.C.D Inside global IP address

R2(config)#ip nat inside source static 192.168.35.252 209.165.201.65


R2(config-if)#ip nat outside


R2(config-if)#ip nat inside


R2(config-if)#ip nat inside

R2(config-if)#exit

R2(config)#exit

R2#show ip nat translations

Pro Inside global Inside local Outside local Outside global

--- 209.165.201.65 192.168.35.252 --- ---

R2#

At this point, we should be able to access to our web server (209.165.201.65) from the PC

on the Internet (209.165.201.1)

Desktop tab Web Browswer type the url, http://209.165.201.65 Go

Then, you can do the following on R2:



--- 209.165.201.65 192.168.35.252 --- ---

tcp 209.165.201.65:80 192.168.35.252:80 209.165.201.1:1025 209.165.201.1:1025

R2#

Now, let’s continue the requested configuration.

On R2:

R2#

R2#conf t


R2(config)#ip nat pool R2NATPOOL ?

A.B.C.D Start IP address

http://209.165.201.65/

R2(config)#ip nat pool R2NATPOOL 209.165.201.66 209.165.201.69 ?

netmask Specify the network mask

R2(config)#ip nat pool R2NATPOOL 209.165.201.66 209.165.201.69 netmask

255.255.255.248

R2(config)#access-list 15 permit 192.168.15.0 0.0.0.255

R2(config)#access-list 25 permit 192.168.25.0 0.0.0.255

R2(config)#ip nat inside ?

source Source address translation

R2(config)#ip nat inside source ?

list Specify access list describing local addresses

static Specify static local->global mapping

R2(config)#ip nat inside source list 15 ?

interface Specify interface for global address

pool Name pool of global addresses

R2(config)#ip nat inside source list 15 pool R2NATPOOL ?

overload Overload an address translation

<cr>

R2(config)#ip nat inside source list 15 pool R2NATPOOL overload

R2(config)#ip nat inside source list 25 pool R2NATPOOL overload

R2(config)#

At this point, we can check if PC1 and PC 2 can ping to the Initech Web Server

(209.165.201.250)

PC1> ping 209.165.201.250

PC2> ping 209.165.201.250

Then, on R2, do the following.



icmp 209.165.201.66:1024192.168.25.6:1 209.165.201.250:1 209.165.201.250:1024

icmp 209.165.201.66:1025192.168.25.6:2 209.165.201.250:2 209.165.201.250:1025

icmp 209.165.201.66:1026192.168.25.6:3 209.165.201.250:3 209.165.201.250:1026

icmp 209.165.201.66:1027192.168.25.6:4 209.165.201.250:4 209.165.201.250:1027

icmp 209.165.201.66:1 192.168.15.6:1 209.165.201.250:1 209.165.201.250:1

icmp 209.165.201.66:2 192.168.15.6:2 209.165.201.250:2 209.165.201.250:2

icmp 209.165.201.66:3 192.168.15.6:3 209.165.201.250:3 209.165.201.250:3

icmp 209.165.201.66:4 192.168.15.6:4 209.165.201.250:4 209.165.201.250:4

--- 209.165.201.65 192.168.35.252 --- ---

tcp 209.165.201.65:80 192.168.35.252:80 209.165.201.1:1025 209.165.201.1:1025

R2#

Step 8 ---------------------

Configure access lists on R2 to limit outside access into the network

1. configure an extended access-list 100 to achieve the following goals (3 lines only):

- from the outside permit port 80 access to the web server

- from the outside permit pings that were initiated from within the network only

- permit "established" web page requests generated from within the network only

(you will need to use the established keyword at the end of the line)

- deny all other kinds of communication from outside the network

2. configure an IPv6 access-list FIREWALL-IPV6 to achieve the following goals (2 lines only):

- from the outside permit pings that were initiated from within the network only

- permit "established" web page requests generated from within the network only

(you will need to use the established keyword at the end of the line)

- deny all other kinds of communication from outside the network

On R2:

R2>en

R2#conf t


R2(config)#access-list 100 permit tcp any host 209.165.201.65 eq 80

R2(config)#access-list 100 permit icmp any any echo-reply

R2(config)#access-list 100 permit tcp any eq 80 any ?

dscp Match packets with given dscp value

eq Match only packets on a given port number

established established

gt Match only packets with a greater port number

lt Match only packets with a lower port number

neq Match only packets not on a given port number

precedence Match packets with given precedence value

range Match only packets in the range of port numbers

<cr>

R2(config)#access-list 100 permit tcp any eq 80 any established

R2(config)#ipv6 access-list ?

WORD User selected string identifying this access list

R2(config)#ipv6 access-list FIREWALL-IPV6

R2(config-ipv6-acl)#permit icmp any any echo-reply

R2(config-ipv6-acl)#permit tcp any eq 80 any established

R2(config-ipv6-acl)#exit


R2(config-if)#ip access-group 100 in

R2(config-if)#ipv6 ?

address Configure IPv6 address on interface

authentication authentication subcommands

dhcp IPv6 DHCP interface subcommands

eigrp Configure EIGRP IPv6 on interface

enable Enable IPv6 on interface

flow NetFlow Related commands

hello-interval Configures IP-EIGRP hello interval

mtu Set IPv6 Maximum Transmission Unit

nat Enable IPv6 NAT on interface

nd IPv6 interface Neighbor Discovery subcommands

ospf OSPF interface commands

rip Configure RIP routing protocol

summary-address Summary prefix

traffic-filter Access control list for packets

R2(config-if)#ipv6 traffic-filter ?

WORD Access-list name

R2(config-if)#ipv6 traffic-filter FIREWALL-IPV6 in

R2(config-if)#exit

R2(config)#exit

R2#copy run start



[OK]

R2#

At this point, test if the configurations work.

On PC1

PC> ping 209.165.201.250

Web Browser

Type the following URL

http://209.165.201.250

Then, press GO

On the PC on the Internet

Web Broswer

Type the following URL

http://209.165.201.65

Then, press GO

And the following ping should be blocked

PC> ping 209.165.201.65

http://209.165.201.250/

http://209.165.201.65/

Step 9 ---------------------

Configure the following on R3:

- password min length 10 characters

- encrypt all passwords

- banner motd "No unauthorized access allowed!"

- administrative user account:

username: admin,

secret pass: danscourses

- enable secret: class12345

- named access-list ADMIN-MGT

permit only host PC-Admin remote Telnet access

- console 0 and vty 0 4:

use local database for logins,

timeout after 5 min

apply ADMIN-MGT access-list to vty

- save running-config to startup-config

On R3:

R3>en

R3#conf t


R3(config)#security ?

passwords Password security CLIs

R3(config)#security passwords min-length 10

R3(config)#service password-encryption

R3(config)#banner motd "No unauthorized access allowed!"

R3(config)#username admin secret danscourses

R3(config)#enable secret class12345

R3(config)#ip access-list standard ADMIN-MGT

R3(config-std-nacl)#permit host 192.168.88.10

R3(config-std-nacl)#exit

R3(config)#line console 0

R3(config-line)#login local

R3(config-line)#exec-timeout 5 0

R3(config-line)#line vty 0 4

R3(config-line)#login local

R3(config-line)#exec-timeout 5 0

R3(config-line)#ip access-class ADMIN-MGT in

R3(config-line)#exit

R3(config)#exit

R3#

%SYS-5-CONFIG_I: Configured from console by console

R3#copy run start



[OK]

R3#

cisco network academy ccna 2 routing and switching essentialshlee3/classes/backup/itec451... ·...

Documents