
Zoom Technologies CCNP Lab Guide

Name___________________________________
Faculty ______________________
Batch ______Date_________

Zoom Technologies
Cisco Certified Network
Professional
Lab Guide



INDEX
EIGRP
OSPF
ISIS
REDISTRIBUTION
BGP
MULTICASTING
IPv6
ADSL
VPN
IDS/IPS
FIREWALL
AAA, SYSLOG, SNMP
MPLS
VLAN
STP
Advanced STP
INTERVLAN ROUTING
HSRP
GLBP
SWITCH SECURITY
VOIP
QOS
WLAN


Important Notes
How to telnet (for ZOOM CCNP Lab only)

1. First make sure your IP address matches the one on the label on your monitor. If
different, please change it to the correct address.
2. Telnet to the access-server IP address, 192.168.0.1.
3. If you are using router number A, where A is a value from 1 to 16, enter the
following command on the access-server. For example, when using the first router
the command must look like this:
Access-server1#clear line 1
[confirm]
[OK]

4. Keeping the current telnet window open, open another command prompt to telnet to
your router
5. Enter the following command to telnet to your router
C:\>telnet 192.168.0.1 200A
6. In case you fail to connect to the router, follow steps 3 to 5 again.



NOTE:
In some of the labs, the configuration uses IP addresses containing the value X.
Replace X with the number assigned to the router you are configuring. These are
the values of X for the following routers:
X = 1: INDIA, SRILANKA, MALAYSIA, THAILAND
X = 2: SUDAN, ALGERIA, NIGERIA, TANZANIA
X = 3: POLAND, RUSSIA, FRANCE, SPAIN
X = 4: CHINA, MONGOLIA, JAPAN, HONGKONG

EIGRP






















*Configure the bandwidth on the WAN interfaces as per the given diagram and
initiate EIGRP routing protocol on all the routers in autonomous system 65000.

RA1#conf t
RA1(config)#interface serial 1/0
RA1(config-if)#bandwidth 128
RA1(config)#interface serial 1/1
RA1(config-if)#bandwidth 128
RA1(config-if)#exit
RA1(config)#router eigrp 65000
RA1(config-router)#network 10.0.0.0
RA1(config-router)#network 192.168.X.0
RA1(config-router)#network 172.16.0.0
RA1(config-router)#end

RA2#conf t
RA2(config)#interface serial 1
RA2(config-if)#bandwidth 128
RA2(config-if)#interface serial 0
RA2(config-if)#bandwidth 128
RA2(config-if)#exit
RA2(config)#router eigrp 65000
RA2(config-router)#network 192.168.X.0
RA2(config-router)#network 20.0.0.0
RA2(config-router)#end

RA3(config)#interface serial 0
RA3(config-if)#bandwidth 64
RA3(config-if)#interface serial 1
RA3(config-if)#bandwidth 128
RA3(config-if)#exit
RA3(config)#router eigrp 65000
RA3(config-router)#network 192.168.X.0
RA3(config-router)#network 30.0.0.0
RA3(config-router)#end

RA4(config)#interface serial 0
RA4(config-if)#bandwidth 128
RA4(config-if)#interface serial 1
RA4(config-if)#bandwidth 64
RA4(config-if)#exit
RA4(config)#router eigrp 65000
RA4(config-router)#net 192.168.X.0
RA4(config-router)#net 40.0.0.0
RA4(config-router)#end

*Verification of EIGRP

RA#show ip protocol
RA#show ip eigrp neighbor
RA#show ip eigrp topology
RA#show ip route

*Check the auto-summarization of your loopback networks in your neighbor's
routing table by telnetting to their WAN IP. All the loopback interface networks
appear as one network with the default classful subnet mask.

RA4#show ip route

Router#conf t
Router(config)#router eigrp 65000
Router(config-router)#no auto-summary
Router(config-router)#end

*Check the output on the neighbor router to find the loopbacks advertised
individually.

RA4#show ip route

*Manual summarization has to be configured on a per-interface basis.
Calculate the summarized network ID manually and advertise it on all the
interfaces of the router as follows.

Router (config)#interface serial 0/1/0
Router (config-if)#ip summary-address eigrp 65000 10.X.0.0 255.255.252.0
Router (config)#interface serial 0/1/1
Router (config-if)#ip summary-address eigrp 65000 10.X.0.0 255.255.252.0
Router (config-if)#interface serial 0/2/0
Router (config-if)#ip summary-address eigrp 65000 10.X.0.0 255.255.252.0

*Check the output in the neighbor's routing table to find the summarized address
with the customized subnet mask that you advertised.

RA4#show ip route

VARIANCE
RA3#show ip eigrp topology
RA3#show ip route

You will find the successors and feasible successors in the topology table but only
the successor routes in the routing table. To use the feasible successor also, we
have to enable variance. This can be configured only on the routers with feasible
successors available in the topology table.

RA3# conf t
RA3(config)#router eigrp 65000
RA3(config-router)#variance 2
RA3(config-router)#end
RA3#clear ip route *
RA3#show ip route

AUTHENTICATION
Check the EIGRP neighbor table to note your neighbors. First configure
authentication on one of your serial interfaces. You will no longer be able to
see the neighboring router on that interface. The neighbor router will be shown
in the neighbor table only if authentication has been enabled on its
corresponding interface too.

RA1#show ip eigrp neighbor
RA1(config)#key chain zoom
RA1(config-keychain)#key 1
RA1(config-keychain-key)#key-string zoom123
RA1(config-keychain-key)#exit
RA1(config-keychain)#exit
RA1(config)#interface serial 0/1/0
RA1(config-if)#ip authentication mode eigrp 65000 md5
RA1(config-if)#ip authentication key-chain eigrp 65000 zoom
RA1(config-if)#end

RA2(config)#key chain ccnp
RA2(config-keychain)#key 1
RA2(config-keychain-key)#key-string zoom123
RA2(config-keychain-key)#exit
RA2(config-keychain)#exit
RA2(config)#interface serial 1
RA2(config-if)#ip authentication mode eigrp 65000 md5
RA2(config-if)#ip authentication key-chain eigrp 65000 ccnp
RA2(config-if)#end
RA1#show ip eigrp neighbor
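
The check below is an added example, not part of the original lab guide: it parses two running-config excerpts (constructed from the RA1 and RA2 commands above) and reports why an authenticated EIGRP adjacency would or would not form. It shows that the key chain name (zoom vs ccnp) is only locally significant, while the key ID and key-string must match; the function names and the "lowest-numbered key is sent, lifetimes ignored" rule are assumptions of this sketch.

```python
import re

# Constructed running-config excerpts assembled from the lab's own commands.
RA1_CONFIG = """\
key chain zoom
 key 1
  key-string zoom123
!
interface Serial0/1/0
 ip authentication mode eigrp 65000 md5
 ip authentication key-chain eigrp 65000 zoom
"""

RA2_CONFIG = """\
key chain ccnp
 key 1
  key-string zoom123
!
interface Serial1
 ip authentication mode eigrp 65000 md5
 ip authentication key-chain eigrp 65000 ccnp
"""


def parse_config(text):
    """Return (key_chains, interfaces) parsed from running-config text."""
    chains, interfaces = {}, {}
    chain = key_id = iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"key chain (\S+)", line):
            chain, key_id, iface = m.group(1), None, None
            chains.setdefault(chain, {})
        elif chain and (m := re.fullmatch(r"key (\d+)", line)):
            key_id = int(m.group(1))
        elif chain and key_id is not None and (m := re.fullmatch(r"key-string (\S+)", line)):
            chains[chain][key_id] = m.group(1)
        elif m := re.fullmatch(r"interface (\S+)", line):
            iface, chain, key_id = m.group(1), None, None
            interfaces[iface] = {"md5": set(), "chain": {}}
        elif iface and (m := re.fullmatch(r"ip authentication mode eigrp (\d+) md5", line)):
            interfaces[iface]["md5"].add(int(m.group(1)))
        elif iface and (m := re.fullmatch(r"ip authentication key-chain eigrp (\d+) (\S+)", line)):
            interfaces[iface]["chain"][int(m.group(1))] = m.group(2)
    return chains, interfaces


def active_key(config, iface, asn):
    """Return (key_id, key_string) the interface would send with, or None."""
    chains, interfaces = parse_config(config)
    entry = interfaces.get(iface)
    if entry is None or asn not in entry["md5"]:
        return None                      # MD5 mode not enabled for this AS
    keys = chains.get(entry["chain"].get(asn), {})
    if not keys:
        return None                      # chain missing, or defined without keys
    # Assumption: the lowest-numbered key is the one sent; key lifetimes are ignored.
    key_id = min(keys)
    return key_id, keys[key_id]


def check_link(cfg_a, if_a, cfg_b, if_b, asn):
    """Return findings for one EIGRP link; an empty list means both ends can authenticate."""
    a, b = active_key(cfg_a, if_a, asn), active_key(cfg_b, if_b, asn)
    if a is None and b is None:
        return ["link is unauthenticated on both ends"]
    if a is None or b is None:
        side = if_a if a is None else if_b
        return [f"{side} has no usable MD5 key: neighbor drops out of the neighbor table"]
    findings = []
    if a[0] != b[0]:
        findings.append(f"key ID mismatch: {a[0]} vs {b[0]}")
    if a[1] != b[1]:
        findings.append("key-string mismatch")
    return findings


if __name__ == "__main__":
    print(check_link(RA1_CONFIG, "Serial0/1/0", RA2_CONFIG, "Serial1", 65000) or "adjacency can authenticate")
```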

OSPF


















*Configure all the routers in OSPF area 0. Shown below are the different possible
ways of advertising the directly connected networks in the OSPF process. You
may use any of the following methods to advertise your connected networks.

RA1(config)#router ospf 1
RA1(config-router)#network 192.168.X.16 0.0.0.15 area 0
RA1(config-router)#network 192.168.X.80 0.0.0.3 area 0
RA1(config-router)#network 192.168.X.92 0.0.0.3 area 0
RA1(config-router)#network 172.16.1.Y 0.0.0.3 area 0
RA1(config-router)#end

RA2#conf t
RA2(config)#router ospf 2
RA2(config-router)#net 192.168.X.0 0.0.0.255 area 0
RA2(config-router)#end

RA3(config)#router ospf 3
RA3(config-router)#net 0.0.0.0 255.255.255.255 area 0
RA3(config-router)#end

RA4(config)#router ospf 4
RA4(config-router)#net 192.168.X.0 0.0.0.255 area 0
RA4(config-router)#end

RA#show ip protocol
RA#show ip ospf neighbor
RA#show ip ospf database
RA#show ip route

DR and BDR Election
*Remove any previous routing configuration, configure the Ethernet interface IP
addresses of all routers in the same network as shown in the diagram, and
advertise the networks in OSPF area 0.



RA4(config)#no ip routing
RA4(config)#ip routing
RA4(config)#interface ethernet 0
RA4(config-if)#ip add 192.168.X0.4 255.255.255.0
RA4(config-if)#ip ospf priority 0
RA4(config)#router ospf 4
RA4(config-router)#net 192.168.X0.0 0.0.0.255 area 0
RA4(config-router)#end

RA3(config)#no ip routing
RA3(config)#ip routing
RA3(config)#interface ethernet 0
RA3(config-if)#ip address 192.168.X0.3 255.255.255.0
RA3(config-if)#ip ospf priority 20
RA3(config-if)#exit
RA3(config)#router ospf 3
RA3(config-router)#network 192.168.X0.0 0.0.0.255 area 0
RA3(config-router)#end

RA2(config)#no ip routing
RA2(config)#ip routing
RA2(config)#interface ethernet 0
RA2(config-if)#ip add 192.168.X0.2 255.255.255.0
RA2(config-if)#ip ospf priority 50
RA2(config-if)#exit
RA2(config)#router ospf 2
RA2(config-router)#net 192.168.X0.0 0.0.0.255 area 0
RA2(config-router)#end

RA1(config)#no ip routing
RA1(config)#ip routing
RA1(config)#interface fa 0/0
RA1(config-if)#ip add 192.168.X0.1 255.255.255.0
RA1(config-if)#ip ospf priority 100
RA1(config-if)#exit
RA1(config)#router ospf 1
RA1(config-router)#net 192.168.X0.0 0.0.0.255 area 0
RA4#show ip ospf neighbor


*Use the show ip ospf neighbor command to find the DR and BDR in the
neighbor table. If the wrong routers were elected as the DR and BDR, restart
the election process by clearing the OSPF process on all the routers at the same
time.

RA3#clear ip ospf process
Reset ALL OSPF processes? [no]: y

RA4#show ip ospf neighbor

AUTHENTICATION - MD5
*Configure OSPF authentication on router to accept updates only from
authenticated OSPF neighbors.

RA1(config)#router ospf 1
RA1(config-router)#area 0 authentication message-digest
RA1(config-router)#exit
RA1(config)#interface fa 0/0
RA1(config-if)#ip ospf message-digest-key 1 md5 zoom123


RA2(config)#router ospf 2
RA2(config-router)#area 0 authentication message-digest
RA2(config-router)#exit
RA2(config)#interface ethernet 0
RA2(config-if)#ip ospf message-digest-key 1 md5 zoom123

*Verify by checking the routing table to see from which routers you receive
updates.

RA1#show ip route

RA2#show ip route
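
What "accept updates only from authenticated OSPF neighbors" means on the wire, as an added example that is not part of the original lab guide: with AuType 2 (RFC 2328, Appendix D) the sender appends MD5(packet || 16-byte zero-padded key) and the receiver checks the key ID, the cryptographic sequence number and the digest. The router ID, the opaque packet body and the function names are constructed for this sketch; key ID 1 and the key string are the ones configured above.

```python
import hashlib
import hmac
import ipaddress
import struct

HEADER_LEN = 24
AUTYPE_CRYPTO = 2
HEADER_FMT = "!BBH4s4sHHHBBI"   # 24 bytes, network byte order

RA1_ID = ipaddress.ip_address("192.168.1.1").packed   # constructed router ID
AREA0 = ipaddress.ip_address("0.0.0.0").packed


def pad_key(key):
    """The shared secret is 16 bytes; shorter keys are zero-padded."""
    raw = key.encode("ascii")
    if len(raw) > 16:
        raise ValueError("OSPF MD5 keys are at most 16 bytes")
    return raw.ljust(16, b"\x00")


def build_packet(router_id, area_id, key_id, seq, key, body=b""):
    """Build an OSPFv2 packet (type 1, Hello) with the MD5 trailer appended."""
    header = struct.pack(
        HEADER_FMT,
        2, 1, HEADER_LEN + len(body),   # version, type, length (trailer not counted)
        router_id, area_id,
        0,                              # checksum is not calculated with AuType 2
        AUTYPE_CRYPTO,
        0, key_id, 16, seq,             # auth field: zero, key ID, digest length, sequence
    )
    packet = header + body
    return packet + hashlib.md5(packet + pad_key(key)).digest()


def verify_packet(data, keys, last_seq):
    """Return 'ok' or the reason a receiver would discard the packet.

    keys maps key ID -> key string (ip ospf message-digest-key <id> md5 <key>);
    last_seq maps router ID -> last accepted cryptographic sequence number.
    """
    if len(data) < HEADER_LEN:
        return "truncated"
    (_ver, _typ, length, router_id, _area, _cksum, autype,
     _zero, key_id, auth_len, seq) = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if autype != AUTYPE_CRYPTO:
        return "not-md5"                # e.g. a neighbor still using null authentication
    if key_id not in keys:
        return "unknown-key-id"
    if auth_len != 16 or length < HEADER_LEN or len(data) != length + 16:
        return "bad-length"
    if seq < last_seq.get(router_id, 0):
        return "replayed"               # RFC 2328 discards only strictly lower numbers
    expected = hashlib.md5(data[:length] + pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, data[length:]):
        return "bad-digest"
    last_seq[router_id] = seq
    return "ok"


if __name__ == "__main__":
    keys, state = {1: "zoom123"}, {}
    good = build_packet(RA1_ID, AREA0, 1, 100, "zoom123", body=b"\x00" * 20)
    print(verify_packet(good, keys, state))
    print(verify_packet(build_packet(RA1_ID, AREA0, 1, 101, "other"), keys, state))
```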













OSPF - II























*Configure Routers into Multi Area OSPF as per given diagram. Routers on the
border of two areas have different interfaces configured in different areas. Take
care to advertise the proper interfaces (networks) in the right areas.

RA1(config)#router ospf 1
RA1(config-router)#network 172.16.1.Y 0.0.0.3 area 0
RA1(config-router)#network 192.168.X.16 0.0.0.15 area 0
RA1(config-router)#network 192.168.X.80 0.0.0.3 area 0
RA1(config-router)#network 192.168.X.92 0.0.0.3 area 20
RA1(config)#router EIGRP 100
RA1(config-router)#no auto-summary
RA1(config-router)#network 10.0.0.0
RA1(config-router)#exit

RA2(config)#router ospf 2
RA2(config-router)#network 192.168.X.80 0.0.0.3 area 0
RA2(config-router)#network 192.168.X.32 0.0.0.15 area 10
RA2(config-router)#network 192.168.X.84 0.0.0.3 area 10
RA2(config-router)#network 20.X.0.0 0.0.255.255 area 10
RA2(config-router)#exit

RA3(config)#router ospf 3
RA3(config-router)#network 192.168.X.0 0.0.0.255 area 10
RA3(config-router)#exit
RA3(config)#router rip
RA3(config-router)#version 2
RA3(config-router)#network 30.0.0.0
RA3(config-router)#no auto-summary
RA3(config-router)#exit

RA4(config)#router ospf 4
RA4(config-router)#network 0.0.0.0 255.255.255.255 area 20
RA4(config-router)#end

*Verify the configuration using the following commands

RA#show ip protocol
RA#show ip ospf
RA#show ip ospf neighbor
RA#show ip ospf database
RA#show ip ospf border-routers
RA#show ip route

*Configure the redistribution of RIP routes from RA3 and EIGRP routes from
RA1 into OSPF.

RA3(config)#router ospf 3
RA3(config-router)#redistribute rip subnets

RA1(config)#router ospf 1
RA1(config-router)#redistribute eigrp 100 subnets

*Check the output in neighbor router to find OSPF external routes labeled as E2.

RA2#show ip route

*Redistributed routes have a default metric. Use the following commands to
change the seed-metric of the redistributed routes and check the output in the
neighbor router.

RA3(config-router)#redistribute rip subnets metric 100

RA2#show ip route

*Use the following commands to change the metric type of the redistributed
routes to type-I. Check the change in the output in the neighbor router

RA3(config-router)#redistribute rip subnets metric 100 metric-type 1

RA2#show ip route

*Configuration of manual summarization of OSPF routes on the Area Border
Router. Manual summarization in OSPF can be done on area border routers only.
(It is also applicable to the other ABR, i.e. RA2, for the 20.X.0.0 subnet.)

RA1#conf t
RA1(config)#router ospf 1
RA1(config-router)#area 20 range 40.X.0.0 255.255.252.0
RA1(config-router)#

Check the output in area 0 or area 10 routers

*Configuration of manual summarization of routes originated by redistribution of
RIP & EIGRP, on the ASBR.

RA3(config)#router ospf 3
RA3(config-router)#summary-address 30.X.0.0 255.255.252.0

RA2#show ip route

*We can configure Area 20 as a Stub area, since it doesn't have any ASBR in it
and has only one exit point in the AS. ALL the routers in the stub area must be
configured with this command. Check the routing table to find only O and O
IA routes and no O E2 routes. Verify by checking the routing table before and
after configuration.

RA1(config)#router ospf 1
RA1(config-router)#area 20 stub

RA4(config)#router ospf 4
RA4(config-router)#area 20 stub

*Configure Area 20, now as a Totally Stubby area. Check the routing table to
find only O routes and no O IA and O E2 routes.

RA1(config)#router ospf 1
RA1(config-router)#area 20 stub no-summary

After configuration check the routing table again.
RA4#show ip route

*Since Area 10 has an ASBR in it, it can't be configured as a stub, but can be
configured as a Not-So-Stubby-Area (NSSA). Configure Area 10 as an NSSA using
the following commands. Check the routing table to find only O and O IA
routes and no O E2 routes. Verify by checking the routing table before and after
configuration.

RA2(config)#router ospf 2
RA2(config-router)#area 10 nssa

RA3(config)#router ospf 3
RA3(config-router)#area 10 nssa

*After configuration check the routing table again.
RA3#show ip route

*Configure Area 10, now as a Totally NSSA. Check the routing table to find only
O routes and no O IA and O E2 routes.

RA2(config)#router ospf 2
RA2(config-router)#area 10 nssa no-summary
*After configuration check the routing table again.

ISIS























SINGLE AREA IS-IS

*Configure the ISIS routing protocol as per the given diagram by first assigning
the CLNS address to each router and making sure all of them are in the same
area. Next, in the interface-configuration mode of each interface that you wish
to advertise, execute the ip router isis command.

RA1(config)#router isis
RA1(config-router)#net 49.1000.1921.6800.X017.00
RA1(config-router)#exit
RA1(config)#interface serial 1/0
RA1(config-if)#ip router isis
RA1(config-if)#interface serial 1/1
RA1(config-if)#ip router isis
RA1(config-if)#interface serial 1/2
RA1(config-if)#ip router isis
RA1(config-if)#int fa 0/0
RA1(config-if)#ip router isis
RA1(config-if)#end

RA2(config)#router isis
RA2(config-router)#net 49.1000.1921.6800.X033.00
RA2(config-router)#exit
RA2(config)#interface serial 1
RA2(config-if)#ip router isis
RA2(config-if)#interface serial 0
RA2(config-if)#ip router isis
RA2(config-if)#interface ethernet 0
RA2(config-if)#ip router isis

RA3(config)#router isis
RA3(config-router)#net 49.1000.1921.6800.X049.00
RA3(config-router)#exit
RA3(config)#interface serial 0
RA3(config-if)#ip router isis
RA3(config-if)#interface serial 1
RA3(config-if)#ip router isis
RA3(config-if)#interface ethernet 0
RA3(config-if)#ip router isis
RA3(config-if)#end

RA4(config)#router isis
RA4(config-router)#net 49.1000.1921.6800.X065.00
RA4(config-router)#exit
RA4(config-if)#interface serial 0
RA4(config-if)#ip router isis
RA4(config-if)#interface serial 1
RA4(config-if)#ip router isis
RA4(config-if)#interface ethernet 0
RA4(config-if)#ip router isis
RA4(config-if)#end


*Verify the output using the following show commands

RA4#sh clns neighbor
RA4#sh isis database
RA4#sh isis topology
RA4#sh ip route

CONFIGURING MULTIPLE AREA ISIS























*Configure the ISIS routing protocol as per the given diagram by first assigning
the CLNS address to each router and making sure all of them are in their
respective areas. Then configure the is-type level of the router. Next, in the
interface-configuration mode of each interface that you wish to advertise,
execute the ip router isis command.

RA1(config)#no router isis
RA1(config)#router isis
RA1(config-router)#net 49.0010.1921.6800.X017.00
RA1(config-router)#is-type level-1-2
RA1(config-router)#exit
RA1(config)#interface serial 0/1/0
RA1(config-if)#ip router isis
RA1(config-if)#interface serial 0/1/1
RA1(config-if)#ip router isis
RA1(config-if)#interface serial 0/2/0
RA1(config-if)#ip router isis
RA1(config-if)#int f 0/0
RA1(config-if)#ip router isis
RA1(config-if)#end

RA2(config)#no router isis
RA2(config)#router isis
RA2(config-router)#net 49.0400.1921.6800.X033.00
RA2(config-router)#is-type level-2-only
RA2(config-router)#interface serial 1
RA2(config-if)#ip router isis
RA2(config-if)#interface ethernet 0
RA2(config-if)#ip router isis

RA3(config)#no router isis
RA3(config)#router isis
RA3(config-router)#net 49.0300.1921.6800.X049.00
RA3(config-router)#is-type level-1
RA3(config-router)#exit
RA3(config)#interface serial 0
RA3(config-if)#ip router isis
RA3(config-if)#interface ethernet 0
RA3(config-if)#ip router isis
RA3(config-if)#int loopback 1
RA3(config-if)#ip router isis
RA3(config-if)#int loopback 2
RA3(config-if)#ip router isis
RA3(config-if)#int loopback 3
RA3(config-if)#ip router isis
RA3(config-if)#int loopback 4
RA3(config-if)#ip router isis
RA3(config-if)#end

RA4(config)#no router isis
RA4(config)#router isis
RA4(config-router)#net 49.0300.1921.6800.X065.00
RA4(config-router)#is-type level-1-2
RA4(config-router)#interface serial 1
RA4(config-if)#ip router isis
RA4(config-if)#interface serial 0
RA4(config-if)#ip router isis
RA4(config-if)#interface ethernet 0
RA4(config-if)#ip router isis
RA4(config-if)#end

*Verify the output using the following show commands

RA4#sh clns neighbor
RA4#sh isis database
RA4#sh isis topology
RA4#sh ip route

*Configure manual summarization of the internal networks of an area, on the
border router of that particular area. This summarized route is injected to the
other areas by the Level-2 router (border router).

RA4(config)#router isis
RA4(config-router)#summary-address 30.X.0.0 255.255.252.0
RA4(config-router)#end

*Verify the output of summarization by checking the routing tables of routers in
the other areas

RA1#show ip route



REDISTRIBUTION


















*Configure the routers from each group as shown in the diagram using the
different routing protocols between every two routers.

RA1(config)#router isis
RA1(config-router)#net 49.0000.1921.6800.X017.00
RA1(config-router)#exit
RA1(config)#interface serial 1/2
RA1(config-if)#ip router isis
RA1(config)#interface loopback 1
RA1(config-if)#ip router isis
RA1(config-if)#interface loopback 2
RA1(config-if)#ip router isis
RA1(config-if)#interface loopback 3
RA1(config-if)#ip router isis
RA1(config-if)#interface loopback 4
RA1(config-if)#ip router isis
RA1(config-if)#exit
RA1(config)#router eigrp 20
RA1(config-router)#network 192.168.X.80 0.0.0.3
RA1(config-router)#network 192.168.X.16 0.0.0.15
RA1(config-router)#exit

RA2(config)#router eigrp 20
RA2(config-router)#network 192.168.X.80
RA2(config)#router rip
RA2(config-router)#version 2
RA2(config-router)#no auto-summary
RA2(config-router)#net 192.168.X.0
RA2(config-router)#network 20.0.0.0
RA2(config-router)#end

RA3(config)#router rip
RA3(config-router)#version 2
RA3(config-router)#no auto-summary
RA3(config-router)#net 192.168.X.0
RA3(config-router)#net 30.0.0.0
RA3(config-router)#router ospf 3
RA3(config-router)#net 192.168.X.88 0.0.0.3 area 20

RA4(config)#router ospf 4
RA4(config-router)#net 0.0.0.0 255.255.255.255 area 20

*Use the redistribute command to inject eigrp routes into isis with some seed
metric of link cost.

RA1(config)#router isis
RA1(config-router)#redistribute eigrp 20

*Use the redistribute command to inject isis only Level 1 routes into eigrp
along with directly connected networks with seed metric which includes values for
bandwidth, delay, reliability, load and MTU.

RA1(config)#router eigrp 20
RA1(config-router)#redistribute isis level-1 metric 1544 2000 255 1 1500
RA1(config-router)#redistribute connected metric 1544 2000 255 1 1500

*Use the redistribute command to inject eigrp routes into rip with seed metric
in hop counts, taking care that the final hop count doesn't cross 15.

RA2(config)#router rip
RA2(config-router)#redistribute eigrp 20 metric 13

*Use the redistribute command to inject rip routes into eigrp with some seed
metric which includes values for bandwidth, delay, reliability, load and MTU.

RA2(config)#router eigrp 20
RA2(config-router)#redistribute rip metric 1544 2000 255 1 1500

*Use the redistribute command to inject ospf routes into rip with some seed
metric in hop counts, taking care that the final hop count doesn't cross 15.

RA3(config)#router rip
RA3(config-router)#redistribute ospf 3 metric 5

*Use the redistribute command to inject rip routes into ospf with some seed
metric in link cost, taking care that the final hop count doesn't cross 15.

RA3(config)#router ospf 3
RA3(config-router)#redistribute rip subnets metric 50 metric-type 1

*Check by pinging successfully from router RA4 to the core.

DISTRIBUTE-LIST



*Without removing the previous configuration, create a distribute list on router
RA2 to send out all updates from RA3 to router RA1 other than that of 30.X.0.0.

RA2(config)#access-list 10 deny 30.X.0.0 0.0.255.255
RA2(config)#access-list 10 permit any
RA2(config)#router eigrp 20
RA2(config-router)#distribute-list 10 out serial 1
RA2(config-router)#end

*Verify the output by checking the routing table of RA1. Routes of 30.X.0.0
shouldn't be available.

RA1#show ip route

CONFIGURING THE ROUTE-MAP FOR FILTERING REDISTRIBUTED ROUTES















*All the routes redistributed from RIP to OSPF are injected with the same default
metric. This can be changed according to our necessity and individual routes can
be assigned different metrics using route-map.

*Creating access-lists to define the selected networks.

RA3(config)#access-list 21 permit 20.X.0.0 0.0.0.255
RA3(config)#access-list 22 permit 20.X.1.0 0.0.0.255
RA3(config)#access-list 23 permit 20.X.2.0 0.0.0.255
RA3(config)#access-list 24 permit 20.X.3.0 0.0.0.255

*Creating route maps with multiple statements. Each statement contains a match-
and-set condition.

RA3(config)#route-map zoom permit 10
RA3(config-route-map)#match ip address 21
RA3(config-route-map)#set metric 500
RA3(config-route-map)#set metric-type type-2
RA3(config-route-map)#exit

RA3(config)#route-map zoom deny 20
RA3(config-route-map)#match ip address 22
RA3(config-route-map)#exit

RA3(config)#route-map zoom permit 30
RA3(config-route-map)#match ip address 23
RA3(config-route-map)#set metric-type type-1
RA3(config-route-map)#set metric 100
RA3(config-route-map)#exit

RA3(config)#route-map zoom permit 40
RA3(config-route-map)#match ip address 24
RA3(config-route-map)#set metric 250
RA3(config-route-map)#set metric-type type-2
RA3(config-route-map)#exit


RA3(config)#route-map zoom permit 50
RA3(config-route-map)#set metric 2000
RA3(config-route-map)#set metric-type type-2
RA3(config-route-map)#exit

*Applying the created route-map in the routing protocol that these routes are
being redistributed into.

Note: Be careful to remove the previous redistribution configuration.

RA3(config)#router ospf 3
RA3(config-router)#redistribute rip route-map zoom subnets

*Check the output in RA4 to find different routes with different metrics as
specified in the diagram.

RA4#show ip route
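
How route-map zoom treats each RIP route during redistribution, as an added example that is not part of the original lab guide: clauses are evaluated in sequence order, the first clause whose ACL permits the route decides, and a route matching no clause is dropped by the implicit deny. It goes one step beyond the lab by also showing what happens if clause 50 is left out; X = 1, the sample route list and the function names are assumptions of this sketch.

```python
import ipaddress

X = 1  # assumption: lab group value substituted for the guide's X

# access-list 21-24 from the lab, as (action, base address, wildcard mask)
ACLS = {
    21: [("permit", f"20.{X}.0.0", "0.0.0.255")],
    22: [("permit", f"20.{X}.1.0", "0.0.0.255")],
    23: [("permit", f"20.{X}.2.0", "0.0.0.255")],
    24: [("permit", f"20.{X}.3.0", "0.0.0.255")],
}

# route-map zoom: (sequence, action, ACL number or None for "no match clause", set values)
ROUTE_MAP_ZOOM = [
    (10, "permit", 21, {"metric": 500, "metric_type": 2}),
    (20, "deny", 22, {}),
    (30, "permit", 23, {"metric": 100, "metric_type": 1}),
    (40, "permit", 24, {"metric": 250, "metric_type": 2}),
    (50, "permit", None, {"metric": 2000, "metric_type": 2}),
]

# Constructed sample of RIP-learned networks on RA3.
SAMPLE_RIP_ROUTES = [f"20.{X}.0.0", f"20.{X}.1.0", f"20.{X}.2.0",
                     f"20.{X}.3.0", f"192.168.{X}.32"]


def acl_permits(acl, network):
    """Standard ACL check on a route's network address; implicit deny at the end."""
    addr = int(ipaddress.ip_address(network))
    for action, base, wildcard in acl:
        # Wildcard bits set to 1 are "don't care"; compare only the remaining bits.
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if (addr & care) == (int(ipaddress.ip_address(base)) & care):
            return action == "permit"
    return False


def redistribute(network, route_map=ROUTE_MAP_ZOOM, acls=ACLS):
    """Return (sequence, set-values) if redistributed, (sequence, None) if denied.

    sequence is None when no clause matched, i.e. the route-map's implicit deny.
    """
    for seq, action, acl_no, sets in sorted(route_map, key=lambda clause: clause[0]):
        # A clause without a match statement matches every route.
        if acl_no is None or acl_permits(acls[acl_no], network):
            return (seq, dict(sets)) if action == "permit" else (seq, None)
    return (None, None)


def report(routes, route_map=ROUTE_MAP_ZOOM):
    """Map each network to the outcome of the route-map."""
    return {net: redistribute(net, route_map) for net in routes}


if __name__ == "__main__":
    for net, (seq, sets) in report(SAMPLE_RIP_ROUTES).items():
        print(net, "clause", seq, sets if sets is not None else "filtered")
    # Without clause 50, everything not named in ACLs 21-24 is silently filtered.
    print(report(SAMPLE_RIP_ROUTES, ROUTE_MAP_ZOOM[:-1])[f"192.168.{X}.32"])
```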

BGP
























*Configure all the routers in the same BGP autonomous system. Create a full-
mesh topology by mentioning every other router, including those not directly
connected, with the neighbor statement.

RA1(config)#router bgp 6500X
RA1(config-router)#neighbor 172.16.1.Y remote-as 65000
RA1(config-router)#neighbor 192.168.X.82 remote-as 6500X
RA1(config-router)#neighbor 192.168.X.93 remote-as 6500X
RA1(config-router)#neighbor 192.168.X.86 remote-as 6500X
RA1(config-router)#network 192.168.X.16 mask 255.255.255.240
RA1(config-router)#network 192.168.X.92 mask 255.255.255.252
RA1(config-router)#network 192.168.X.80 mask 255.255.255.252
RA1(config-router)#no synchronization
RA1(config-router)#end

RA2(config)#router bgp 6500X
RA2(config-router)#neighbor 192.168.X.81 remote-as 6500X
RA2(config-router)#neighbor 192.168.X.86 remote-as 6500X
RA2(config-router)#neighbor 192.168.X.93 remote-as 6500X
RA2(config-router)#network 192.168.X.32 mask 255.255.255.240
RA2(config-router)#network 192.168.X.84 mask 255.255.255.252
RA2(config-router)#network 192.168.X.80 mask 255.255.255.252
RA2(config-router)#no synchronization
RA2(config-router)#end




RA3(config)#router bgp 6500X
RA3(config-router)#neighbor 192.168.X.85 remote 6500X
RA3(config-router)#neighbor 192.168.X.90 remote 6500X
RA3(config-router)#neighbor 192.168.X.81 remote 6500X
RA3(config-router)#network 192.168.X.48 mask 255.255.255.240
RA3(config-router)#network 192.168.X.84 mask 255.255.255.252
RA3(config-router)#network 192.168.X.88 mask 255.255.255.252
RA3(config-router)#no synchronization
RA3(config-router)#end

RA4(config)#router bgp 6500X
RA4(config-router)#neighbor 192.168.X.94 remote 6500X
RA4(config-router)#neighbor 192.168.X.89 remote 6500X
RA4(config-router)#neighbor 192.168.X.82 remote 6500X
RA4(config-router)#network 192.168.X.64 mask 255.255.255.240
RA4(config-router)#network 192.168.X.88 mask 255.255.255.252
RA4(config-router)#network 192.168.X.92 mask 255.255.255.252
RA4(config-router)#no synchronization
RA4(config-router)#end


*Verify the configuration using the following show commands.
Router #show ip protocol
Router #show ip bgp summary
Router #show ip bgp neighbor
Router #show ip bgp
Router #show ip route

*Enable synchronization on one router and check the output on the same router.
You will find that the router doesn't have Internal BGP routes anymore.

RA4(config)#router bgp 6500X
RA4(config-router)#synchronization

RA4 #show ip bgp
RA4#show ip route

*Disable synchronization by the no synchronization command to get the
IBGP routes back

RA4(config)#router bgp 6500X
RA4(config-router)#no synchronization

*Check output on same router.

Router #show ip bgp
Router #show ip route

VERIFYING SPLIT-HORIZON















*To verify the problem of split-horizon, configure the lab as per the above
diagram. Remove the previous instance of bgp and configure bgp freshly as
shown. Take care not to configure bgp on RA3.

RA1(config)#router bgp 6500X
RA1(config-router)#neighbor 172.16.1.Y remote-as 65000
RA1(config-router)#neighbor 192.168.X.93 remote 6500X
RA1(config-router)#neighbor 192.168.X.82 remote 6500X
RA1(config-router)#network 192.168.X.80 mask 255.255.255.252
RA1(config-router)#network 192.168.X.92 mask 255.255.255.252
RA1(config-router)#network 192.168.X.16 mask 255.255.255.240
RA1(config-router)#no synchronization

RA2(config)#router bgp 6500X
RA2(config-router)#neighbor 192.168.X.81 remote 6500X
RA2(config-router)#network 192.168.X.32 mask 255.255.255.240
RA2(config-router)#network 192.168.X.80 mask 255.255.255.252
RA2(config-router)#no synchronization

RA4(config)#router bgp 6500X
RA4(config-router)#neighbor 192.168.X.94 remote 6500X
RA4(config-router)#network 192.168.X.64 mask 255.255.255.240
RA4(config-router)#network 192.168.X.92 mask 255.255.255.252
RA4(config-router)#no synchronization

*Verify the output in each router. RA1 gets routes from both RA2 and RA4. RA2
and RA4 cannot see the updates of each other's LAN in their routing table. This
is because of Split-Horizon.

Router #show ip bgp
Router #show ip route

*The solution to this Split-Horizon problem is to configure a Route-Reflector as
described in the next section.

CONFIGURING ROUTE-REFLECTOR CLIENT




*Note: Continue configuration from above steps.

*By configuring the following, RA1 becomes the route-reflector-server and it
reflects the routes coming from one interface out the other interface, hence
solving the problem of split-horizon.

RA1(config)#router bgp 6500X
RA1(config-router)#neighbor 192.168.X.93 route-reflector-client
RA1(config-router)#neighbor 192.168.X.82 route-reflector-client
RA1(config-router)#end

*Check the output in all three routers to find that RA2 and RA4 now have each
other's routes in their routing table.

Router #show ip bgp
Router #show ip route













[Diagram labels: R.R Server; R.R Client; R.R Client]

BGP - II
























*Configure the routers in multiple-AS BGP according to the above diagram.


RA1(config)#router bgp 65000
RA1(config-router)#neighbor 172.16.1.Y remote 65000
RA1(config-router)#neighbor 192.168.X.82 remote 650X1
RA1(config-router)#neighbor 192.168.X.93 remote 650X2
RA1(config-router)#network 192.168.X.16 mask 255.255.255.240
RA1(config-router)#network 10.X.0.0 mask 255.255.255.0
RA1(config-router)#network 10.X.1.0 mask 255.255.255.0
RA1(config-router)#network 10.X.2.0 mask 255.255.255.0
RA1(config-router)#network 10.X.3.0 mask 255.255.255.0
RA1(config-router)#no synchronization


RA2(config)#router bgp 650X1
RA2(config-router)#neighbor 192.168.X.81 remote 65000
RA2(config-router)#neighbor 192.168.X.86 remote 650X1
RA2(config-router)#network 192.168.X.84 mask 255.255.255.252
RA2(config-router)#network 192.168.X.32 mask 255.255.255.240
RA2(config-router)#network 20.X.0.0 mask 255.255.255.0
RA2(config-router)#network 20.X.1.0 mask 255.255.255.0
RA2(config-router)#network 20.X.2.0 mask 255.255.255.0
RA2(config-router)#network 20.X.3.0 mask 255.255.255.0
RA2(config-router)#no synchronization




RA3(config)#router bgp 650X1
RA3(config-router)#neighbor 192.168.X.85 remote 650X1
RA3(config-router)#neighbor 192.168.X.90 remote 650X2
RA3(config-router)#network 30.X.0.0 mask 255.255.255.0
RA3(config-router)#network 30.X.1.0 mask 255.255.255.0
RA3(config-router)#network 30.X.2.0 mask 255.255.255.0
RA3(config-router)#network 30.X.3.0 mask 255.255.255.0
RA3(config-router)#network 192.168.X.84 mask 255.255.255.252
RA3(config-router)#network 192.168.X.48 mask 255.255.255.240
RA3(config-router)#no synchronization

RA4(config)#router bgp 650X2
RA4(config-router)#neighbor 192.168.X.94 remote 65000
RA4(config-router)#neighbor 192.168.X.89 remote 650X1
RA4(config-router)#network 192.168.X.64 mask 255.255.255.240
RA4(config-router)#network 40.X.0.0 mask 255.255.255.0
RA4(config-router)#network 40.X.1.0 mask 255.255.255.0
RA4(config-router)#network 40.X.2.0 mask 255.255.255.0
RA4(config-router)#network 40.X.3.0 mask 255.255.255.0

*Check the output by using the following show commands

R#sh ip bgp
R#sh ip route

*Use the following commands to configure manual summarization of routes.

RA1(config)#router bgp 65000
RA1(config-router)#aggregate-address 10.X.0.0 255.255.252.0 summary-only

Check the output in neighbor routers.
R#sh ip bgp
R#sh ip route

*Continue from the above configuration. In the show ip bgp table on RA2 and RA3,
the next-hop information for routes to the diagonally opposite router is
incorrect. To advertise the correct next-hop, use the following configuration.
Make sure to check the output before and after the configuration. The same can be
tested on RA1 and Core.

RA2(config)#router bgp 650X1
RA2(config-router)#neighbor 192.168.X.86 next-hop-self
RA2(config-router)#end
RA2#clear ip bgp 192.168.X.86

RA3(config)#router bgp 650X1
RA3(config-router)#neighbor 192.168.X.85 next-hop-self
RA3(config-router)#end
RA3#clear ip bgp 192.168.X.85

Check the output in RA2, RA3 router
R#sh ip bgp
R#sh ip route

Step 4: CONFIGURING LOCAL-PREFERENCE



















*Creating Route-maps to set local-preference values for specific routes in order
to define which path the router must use to exit the AS.

*Note: Continue from above configuration.

*Create access lists to define the mentioned networks

RA1(config)#access-list 40 permit 40.X.0.0 0.0.0.255
RA1(config)#access-list 42 permit 40.X.2.0 0.0.0.255

*Create route-maps, one for each neighbor. Each route-map contains a
match-and-set condition.

RA1(config)#route-map R1toR2 permit 10
RA1(config-route-map)#match ip address 40 42
RA1(config-route-map)#set local-preference 800
RA1(config-route-map)#exit
RA1(config)#route-map R1toR2 permit 20
RA1(config-route-map)#exit

RA1(config)#route-map R1toR4 permit 10
RA1(config-route-map)#match ip address 40 42
RA1(config-route-map)#set local-preference 600
RA1(config-route-map)#exit
RA1(config)#route-map R1toR4 permit 20
RA1(config-route-map)#exit




*Implement the route-map by defining one route-map for each neighbor in the
appropriate direction

RA1(config)#router bgp 65000
RA1(config-router)#neighbor 192.168.X.82 route-map R1toR2 in
RA1(config-router)#neighbor 192.168.X.93 route-map R1toR4 in

*Clear the bgp route updates from the two neighboring BGP routers

RA1#clear ip bgp 192.168.X.82
RA1#clear ip bgp 192.168.X.93

*Check the output in Core and in the RA1 router

R#sh ip bgp
R#sh ip route

CONFIGURING MED


*Remove the previous configuration of BGP and configure the above given
topology. RA1 belongs to AS 65001 whereas routers RA2, RA3 and RA4 are in AS
650X5. Make sure you configure RA2 and RA4 as route-reflector-clients and RA3
as a server.

RA1(config)#router bgp 65001
RA1(config-router)#network 192.168.X.16 mask 255.255.255.240
RA1(config-router)#neighbor 192.168.X.82 remote-as 650X5
RA1(config-router)#neighbor 192.168.X.93 remote-as 650X5
RA1(config-router)#end


RA2(config)#router bgp 650X5
RA2(config-router)#network 192.168.X.32 mask 255.255.255.240
RA2(config-router)#network 192.168.X.84 mask 255.255.255.252
RA2(config-router)#neighbor 192.168.X.81 remote-as 65001
RA2(config-router)#neighbor 192.168.X.86 remote-as 650X5
RA2(config-router)#no synchronization
RA2(config-router)#end

RA3(config)#router bgp 650X5
RA3(config-router)#no synchronization
RA3(config-router)#network 192.168.X.84 mask 255.255.255.252
RA3(config-router)#network 192.168.X.88 mask 255.255.255.252
RA3(config-router)#network 192.168.X.48 mask 255.255.255.240
RA3(config-router)#neighbor 192.168.X.85 remote-as 650X5
RA3(config-router)#neighbor 192.168.X.90 remote-as 650X5
RA3(config-router)#neighbor 192.168.X.85 route-reflector-client
RA3(config-router)#neighbor 192.168.X.90 route-reflector-client
RA3(config-router)#network 30.X.0.0 mask 255.255.255.0
RA3(config-router)#network 30.X.1.0 mask 255.255.255.0
RA3(config-router)#network 30.X.2.0 mask 255.255.255.0
RA3(config-router)#network 30.X.3.0 mask 255.255.255.0
RA3(config-router)#end

RA4(config)#router bgp 650X5
RA4(config-router)#no synchronization
RA4(config-router)#neighbor 192.168.X.89 remote-as 650X5
RA4(config-router)#neighbor 192.168.X.94 remote-as 65001
RA4(config-router)#network 192.168.X.64 mask 255.255.255.240
RA4(config-router)#network 192.168.X.88 mask 255.255.255.252
RA4(config-router)#end

*After configuring BGP as specified in the above diagram and verifying the BGP
table and routing table, apply the following configuration. Use route-maps to
set different metrics for routes coming from each neighbor.

RA2(config)#access-list 30 permit 30.X.0.0 0.0.0.255
RA2(config)#access-list 31 permit 30.X.1.0 0.0.0.255
RA2(config)#route-map med-alg permit 10
RA2(config-route-map)#match ip address 30 31
RA2(config-route-map)#set metric 50
RA2(config-route-map)#exit
RA2(config)#route-map med-alg permit 20
RA2(config-route-map)#exit
RA2(config)#router bgp 650X5
RA2(config-router)#neighbor 192.168.X.81 route-map med-alg out
RA2(config-router)#end
RA2#clear ip bgp 192.168.X.81


RA4(config)#access-list 30 permit 30.X.0.0 0.0.0.255
RA4(config)#access-list 31 permit 30.X.1.0 0.0.0.255
RA4(config)#route-map med-tan permit 10
RA4(config-route-map)#match ip address 30 31
RA4(config-route-map)#set metric 600
RA4(config-route-map)#exit
RA4(config)#route-map med-tan permit 20
RA4(config-route-map)#exit
RA4(config)#router bgp 650X5
RA4(config-router)#neighbor 192.168.X.94 route-map med-tan out
RA4(config-router)#end
RA4#clear ip bgp 192.168.X.94

*Check the routing table in RA1 to confirm that the route with the lower MED is
chosen as the best path.

RA1#sh ip route
RA1#sh ip bgp
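
The following is an added example, not part of the lab guide: a reduced model of the best-path decision on RA1 that shows why the local-preference lab overrides the shorter AS path and how the MED lab picks RA2. It assumes pod number X = 1 (ASes 65011, 65012, 65015), implements only the steps these two labs exercise, and uses "lowest neighbor address" as a stand-in for all remaining tie-breakers.

```python
import ipaddress
from dataclasses import dataclass, replace
from functools import reduce
from typing import Optional, Tuple


@dataclass(frozen=True)
class Path:
    prefix: str
    neighbor: str                 # peer the path was learned from
    as_path: Tuple[int, ...]
    local_pref: int = 100         # IOS default when nothing sets it
    med: Optional[int] = None     # None = the neighbor sent no MED


def route_map(path, matched, **sets):
    """Model of the lab's two-sequence route-maps: sequence 10 sets attributes
    on prefixes the ACLs match, the empty sequence 20 permits the rest unchanged."""
    return replace(path, **sets) if path.prefix in matched else path


def better(a, b):
    """Preferred of two paths to one prefix, using only the steps the labs use."""
    if a.local_pref != b.local_pref:                 # 1. highest local-preference
        return a if a.local_pref > b.local_pref else b
    if len(a.as_path) != len(b.as_path):             # 2. shortest AS path
        return a if len(a.as_path) < len(b.as_path) else b
    if a.as_path[:1] == b.as_path[:1]:               # 3. lowest MED, same neighbor AS only
        ma, mb = a.med or 0, b.med or 0              #    IOS default: missing MED counts as 0
        if ma != mb:
            return a if ma < mb else b
    # Stand-in for the remaining tie-breakers (assumption of this example).
    return min(a, b, key=lambda p: ipaddress.ip_address(p.neighbor))


def best(paths):
    return reduce(better, paths)


# Constructed values for X = 1. Access-lists 40 and 42 match these two networks.
ACL_40_42 = {"40.1.0.0/24", "40.1.2.0/24"}


def ra1_exit_for(prefix, with_route_maps=True):
    """Local-preference lab: RA1 (AS 65000) hears RA4's networks directly from
    RA4 (AS 65012) and through RA2 (AS 65011). Returns the chosen neighbor."""
    via_ra2 = Path(prefix, "192.168.1.82", (65011, 65012))
    via_ra4 = Path(prefix, "192.168.1.93", (65012,))
    if with_route_maps:
        via_ra2 = route_map(via_ra2, ACL_40_42, local_pref=800)   # R1toR2 in
        via_ra4 = route_map(via_ra4, ACL_40_42, local_pref=600)   # R1toR4 in
    return best([via_ra2, via_ra4]).neighbor


def ra1_med_choice(med_from_ra2, med_from_ra4):
    """MED lab: RA1 hears 30.1.0.0/24 from RA2 and RA4, both in AS 65015."""
    via_ra2 = Path("30.1.0.0/24", "192.168.1.82", (65015,), med=med_from_ra2)
    via_ra4 = Path("30.1.0.0/24", "192.168.1.93", (65015,), med=med_from_ra4)
    return best([via_ra2, via_ra4]).neighbor


if __name__ == "__main__":
    print("40.1.0.0/24 with route-maps :", ra1_exit_for("40.1.0.0/24"))
    print("40.1.0.0/24 without         :", ra1_exit_for("40.1.0.0/24", False))
    print("40.1.1.0/24 (not in ACLs)   :", ra1_exit_for("40.1.1.0/24"))
    print("MED 50 vs 600               :", ra1_med_choice(50, 600))
    print("MED 50 vs none              :", ra1_med_choice(50, None))
```

The last case is the one to watch when relying on MED: a neighbor that sends no MED at all is treated as MED 0 and wins over the path that was set to 50.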

MULTICASTING

*Enable multicast-routing on all the routers:
RA1#config t
RA1(config)#ip multicast-routing

RA1(config)#interface fa 0/0
RA1(config-if)#ip address 192.168.100.1 255.255.255.0
RA1(config-if)#no shutdown
RA1(config-if)#ip pim sparse-dense-mode
RA1(config-if)#exit
RA1(config)#interface fa 4/0
RA1(config-if)#ip address 192.168.0.2 255.255.255.0
RA1(config-if)#no shutdown
RA1(config-if)#ip pim sparse-dense-mode
RA1(config-if)#exit

Step 2: Configure and run the multimedia multicast server application on the
server PC
Step 3: Change the IP address and gateway of the client PCs to allow them to be
in the LAN of the configured router. Make sure the switch to which the multicast
server is connected is isolated from the rest of the LAN.
Step 4: Start the multicast client software and enter the appropriate server IP
address and file location to start receiving the multicast.
Verification
RA1#show ip mroute
RA1#show ip igmp groups

On the Switch
Sw#show mac-address-table multicast


IPv6









*Configure IPv6 addressing on the interfaces of routers RA1, RA2 and RA4 as
shown in the diagram

RA1#conf t
RA1(config)#int fa 0/0
RA1(config-if)#ipv6 address 2001:X:3::1/64
RA1(config-if)#exit
RA1(config)#
RA1(config)#int s 0
RA1(config-if)#ipv6 address 2001:X:2::2/64
RA1(config-if)#exit
RA1(config)#
RA1(config)#int s 1
RA1(config-if)#ipv6 address 2001:X:4::2/64
RA1(config-if)#exit

*Enable ipv6 routing using the following command.

RA1(config)#ipv6 unicast-routing

*Repeat the above steps for the other routers too.

RA2(config)#int e 0
RA2(config-if)#ipv6 address 2001:X:1::1/64
RA2(config-if)#exit
RA2(config)#int s 1
RA2(config-if)#ipv6 address 2001:X:2::1/64
RA2(config-if)#exit
RA2(config)#ipv6 unicast-routing

RA4(config)#int e 0
RA4(config-if)#ipv6 address 2001:X:5::1/64
RA4(config-if)#exit
RA4(config)#int s 0
RA4(config-if)#ipv6 address 2001:X:4::1/64
RA4(config-if)#exit
RA4(config)#ipv6 unicast-routing

*Check the resulting configuration on all three routers
router#sh ipv6 route



*After the interfaces are configured with IPv6 addresses, configure OSPF v3
routing on all the routers.

RA1(config)#ipv6 router ospf 1
RA1(config-rtr)#exit
RA1(config)#int fa 0/0
RA1(config-if)#ipv6 ospf 1 area 0
RA1(config-if)#exit
RA1(config)#int s 0
RA1(config-if)#ipv6 ospf 1 area 0
RA1(config-if)#exit
RA1(config)#int s 1
RA1(config-if)#ipv6 ospf 1 area 0
RA1(config-if)#exit

RA2(config)#ipv6 router ospf 2
RA2(config-rtr)#exit
RA2(config)#int e 0
RA2(config-if)#ipv6 ospf 2 area 0
RA2(config-if)#int s 1
RA2(config-if)#ipv6 ospf 2 area 0
RA2(config-if)#end

RA4(config)#ipv6 router ospf 3
RA4(config-rtr)#exit
RA4(config)#int e 0
RA4(config-if)#ipv6 ospf 3 area 0
RA4(config-if)#exit
RA4(config)#int s 0
RA4(config-if)#ipv6 ospf 3 area 0
RA4(config-if)#end

*Check the output on all three routers

R# show ipv6 protocol
R# show ipv6 ospf
R# show ipv6 ospf neighbor
R# show ipv6 ospf database
R# show ipv6 route


IPv6 to IPv4 tunnel











*Configure an IPv6 tunnel over an IPv4 network. The network in between the two
routers is an IPv4 network and is unaware of IPv6.

*Clear both IPv4 and IPv6 routing on the routers
RA3(config)#no ip routing
RA3(config)#ip routing

R(config)#no ip routing
R(config)#ip routing
R(config)#no ipv6 unicast-routing
R(config)#ipv6 unicast-routing

*Create an IPv6 tunnel and assign it an IPv6 address. Also mention the source
and destination interface/address for it. Then, create static IPv4 and IPv6 routing
to the destination router.

RA2(config)#int tunnel 0
RA2(config-if)#ipv6 address 2001:X:A::1/64
RA2(config-if)#tunnel mode ipv6ip
RA2(config-if)#tunnel source s 0
RA2(config-if)#tunnel destination 192.168.X.90
RA2(config-if)#exit
RA2(config)#ip route 192.168.X.88 255.255.255.252 s 0
RA2(config)#ipv6 route 2001:X:5::/64 2001:X:A::2
RA2(config)#end

RA4(config)#
RA4(config)#int tunnel 5
RA4(config-if)#ipv6 address 2001:X:A::2/64
RA4(config-if)#tunnel mode ipv6ip
RA4(config-if)#tunnel source s 1
RA4(config-if)#tunnel destination 192.168.X.85
RA4(config-if)#exit
RA4(config)#ip route 192.168.X.84 255.255.255.252 s 1
RA4(config)#ipv6 route 2001:X:1::/64 tunnel 5

R#sh ipv6 route
R#Ping ipv6 <IPv6 address>


Configuration of IPv6-v4 auto tunnel











*Configure an IPv6-v4 auto tunnel over an IPv4 network. The destination end of the
tunnel is not mentioned in this configuration. Both routers find each other and
create a tunnel with the help of the static route and the IPv6 auto tunnel
configuration.

RA2(config)#no ipv6 unicast-routing
RA2(config)#ipv6 unicast-routing
RA2(config)#int tunnel 10
RA2(config-if)#ipv6 add 2002:C0A8:0X55::1/64
RA2(config-if)#tunnel mode ipv6ip 6to4
RA2(config-if)#tunnel source serial 0
RA2(config-if)#exit
RA2(config)#ip route 0.0.0.0 0.0.0.0 s 0
RA2(config)#ipv6 route 2002::/16 tunnel 10
RA2(config)#ipv6 route 2001:X:5::/64 2002:C0A8:0X5A::1
RA2(config)#end

RA4(config)#no ipv6 unicast-routing
RA4(config)#ipv6 unicast-routing
RA4(config)#int tunnel 15
RA4(config-if)#ipv6 add 2002:C0A8:0X5A::1/64
RA4(config-if)#tunnel mode ipv6ip 6to4
RA4(config-if)#tunnel source s 1
RA4(config-if)#exit
RA4(config)#ip route 0.0.0.0 0.0.0.0 s 1
RA4(config)#ipv6 route 2002::/16 tunnel 15
RA4(config)#ipv6 route 2001:X:1::/64 2002:C0A8:0X55::1
RA4(config)#end


*Check the output on the two routers

R#sh ipv6 route
R#Ping ipv6 <IPv6 address>
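
The following is an added example, not part of the lab guide: it shows how a 6to4 router finds the far end without a configured tunnel destination, by reading the IPv4 address out of bits 16 to 47 of the 2002::/16 next hop. It assumes pod number X = 1 and that RA2's serial 0 is 192.168.X.85 and RA4's serial 1 is 192.168.X.90, as inferred from the tunnel destinations in the manual tunnel above; the function names are hypothetical.

```python
import ipaddress

SIXTOFOUR = ipaddress.ip_network("2002::/16")


def sixto4_prefix(ipv4):
    """Return the /48 that a 6to4 site derives from its IPv4 address: 2002:V4ADDR::/48."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def embedded_ipv4(ipv6):
    """Return the IPv4 address carried in a 6to4 address, or None if it is not 6to4."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in SIXTOFOUR:
        return None
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)


def tunnel_address_ok(source_ipv4, tunnel_ipv6):
    """The tunnel interface address must sit inside the prefix of the tunnel source."""
    return ipaddress.IPv6Address(tunnel_ipv6) in sixto4_prefix(source_ipv4)


def resolve(dest, routes):
    """Follow static routes (longest match first) until one points at a tunnel.

    Returns (tunnel interface, IPv4 tunnel destination). The IPv4 destination is
    taken from the last IPv6 next hop, which is why the lab needs both the
    2002::/16 route and a 2002:... next hop for the remote 2001: network.
    """
    hop = ipaddress.IPv6Address(dest)
    for _ in range(8):                       # guard against routing loops
        matches = [(net, via) for net, via in routes if hop in net]
        if not matches:
            return None
        _, via = max(matches, key=lambda m: m[0].prefixlen)
        if via.lower().startswith("tunnel"):
            return via, embedded_ipv4(hop)
        hop = ipaddress.IPv6Address(via)
    return None


# Constructed from RA2's two "ipv6 route" statements with X = 1.
RA2_ROUTES = [
    (ipaddress.ip_network("2002::/16"), "tunnel 10"),
    (ipaddress.ip_network("2001:1:5::/64"), "2002:C0A8:015A::1"),
]

if __name__ == "__main__":
    print(sixto4_prefix("192.168.1.85"))                 # RA2's own 6to4 prefix
    print(tunnel_address_ok("192.168.1.85", "2002:C0A8:0155::1"))
    print(resolve("2001:1:5::10", RA2_ROUTES))           # traffic to RA4's LAN
```

A tunnel address that fails `tunnel_address_ok` is the usual reason the auto tunnel never comes up: the far end derives a different IPv4 destination from the address than the one the source interface actually has.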




ADSL ROUTER Configuration




*Configure the physical WAN interface (ATM 0 in our case) with PPPoE or PPPoA
and map it to the logical dialer interface using the dial-pool-number, which we
will configure further below.

adslrouter(config)#interface atm 0
adslrouter(config-if)#no shut
adslrouter(config-if)#pvc 1/32
adslrouter(config-if-atm-vc)#pppoe-client dial-pool-number 1
adslrouter(config-if-atm-vc)#end

*Configure a Dialer interface (logical) with DDR (Dial-on-Demand-Routing) and
PPP (Point-to-Point-Protocol) authentication, and assign it a dialer pool number
that has to be mapped on the physical interface.

adslrouter(config)#interface dialer 0
adslrouter(config-if)#ip address negotiated
adslrouter(config-if)#encapsulation ppp
adslrouter(config-if)#ppp authentication pap chap callin
adslrouter(config-if)#ppp pap sent-username *** password ***
adslrouter(config-if)#ppp chap hostname ***
adslrouter(config-if)#ppp chap password ***
adslrouter(config-if)#ip mtu 1492
adslrouter(config-if)#dialer pool 1
adslrouter(config-if)#exit

*Configure static default route for internet towards interface dialer 0

adslrouter(config)#ip route 0.0.0.0 0.0.0.0 dialer 0

*Configure NAT/PAT with the VLAN interface configured as nat inside interface
and the dialer interface as the nat outside interface.

adslrouter(config)#access-list 15 permit 192.168.0.0 0.0.0.255
adslrouter(config)#ip nat inside source list 15 interface dialer 0 overload

adslrouter(config)#interface vlan 1
adslrouter(config-if)#ip nat inside
adslrouter(config-if)#exit

adslrouter(config)#interface dialer 0
adslrouter(config-if)#ip nat outside



*Verification
Verify the configuration by checking the routing table and the interface status of
the dialer. The configuration is successful if you obtain a public address from the
service provider.

show ip route
show ip int brief
show interface atm 0
show interface dialer 0
show dsl interface atm 0

VPN Configuration








*A VPN is a tunnel for a private network over the public network. Configure an
IPsec VPN tunnel between the LANs of RA2 and RA4 over the link with router RA3.

*Configure the wan interface (connected to the public network) as per the
diagram. Configure a default route towards the public network on the serial
interface.

RA2#conf t
RA2(config)#interface serial 0
RA2(config-if)#ip add 61.0.0.5 255.255.255.0
RA2(config-if)#no shut
RA2(config-if)#exit
RA2(config)#ip route 0.0.0.0 0.0.0.0 serial 0

*Configure IKE phase 1: Configuring the isakmp policy with appropriate
authentication and encryption and hash function. All these have to match on the
peer router too.

RA2(config)#crypto isakmp policy 1
RA2(config-isakmp)#authentication pre-share
RA2(config-isakmp)#encryption des
RA2(config-isakmp)#hash sha
RA2(config-isakmp)#group 2
RA2(config-isakmp)#exit

*Configure IKE Pre Share Key for the peer router whose address has to be
mentioned. Take care that the key has to match on both the routers.

RA2(config)#crypto isakmp key zoom123 address 71.0.0.5

*Configure IKE phase 2: Configuring the ipsec policy. Create a transform-set
with encryption and hash-function properties and the tunnel mode which should
match on the peer router.

RA2(config)#crypto ipsec transform-set zoomtr esp-des esp-sha-hmac
RA2(cfg-crypto-trans)#mode tunnel
RA2(cfg-crypto-trans)#exit

*Configure access-list to mark the interesting traffic to initiate VPN Connection.

RA2(config)# access-list 100 permit ip 192.168.X.32 0.0.0.15 192.168.X.64 0.0.0.15

*Create a crypto map to bind the interesting traffic to the transform-set. This
means that any interesting traffic that is originated initiates the VPN towards
the mentioned peer, using the properties from the mentioned transform-set.

RA2(config)#crypto map vpnmap 10 ipsec-isakmp
RA2(config-crypto-map)#match address 100
RA2(config-crypto-map)#set transform-set zoomtr
RA2(config-crypto-map)#set peer 71.0.0.5

*Map the crypto map to the serial interface.

RA2(config)#interface serial 0
RA2(config-if)#crypto map vpnmap

*Repeat a similar configuration on the other router.

RA4(config)#interface serial 1
RA4(config-if)#ip add 71.0.0.5 255.255.255.0
RA4(config-if)#no shut
RA4(config-if)#exit
RA4(config)#ip route 0.0.0.0 0.0.0.0 serial 1

RA4(config)#crypto isakmp policy 10
RA4(config-isakmp)#authentication pre-share
RA4(config-isakmp)#hash sha
RA4(config-isakmp)#encryption des
RA4(config-isakmp)#group 2
RA4(config-isakmp)#exit

RA4(config)#crypto isakmp key zoom123 address 61.0.0.5
RA4(config)#crypto ipsec transform-set trans esp-des esp-sha-hmac
RA4(cfg-crypto-trans)#mode tunnel
RA4(cfg-crypto-trans)#exit

RA4(config)# access-list 110 permit ip 192.168.X.64 0.0.0.15 192.168.X.32 0.0.0.15

RA4(config)#crypto map demomap 5 ipsec-isakmp
RA4(config-crypto-map)#match address 110
RA4(config-crypto-map)#set transform-set trans
RA4(config-crypto-map)#set peer 61.0.0.5
RA4(config-crypto-map)#exit

RA4(config)#interface serial 1
RA4(config-if)#crypto map demomap
RA4(config-if)#end

*Configure the serial interfaces on the middle router with the appropriate IP
addresses and enable routing.

RA3(config)#interface serial 1
RA3(config-if)#ip add 61.0.0.6 255.255.255.0
RA3(config-if)#no shut
RA3(config-if)#interface serial 0
RA3(config-if)#ip address 71.0.0.6 255.255.255.0
RA3(config-if)#no shut
RA3(config-if)#exit
RA3(config)#no ip routing
RA3(config)#ip routing
RA3(config)#end

*Initiate some interesting traffic by pinging one router from the other router's
LAN or by using the extended ping. Wait a few seconds for the VPN tunnel to be
initiated.
*Verify the output by using the following commands

RA2#show crypto isakmp sa
RA2#show crypto ipsec sa
RA2#show crypto engine connections active
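
The following is an added example, not part of the lab guide: a small checker for the "has to match on the peer router" requirements stated in the steps above (IKE policy, pre-shared key, transform-set contents, mirrored crypto ACLs, peer addresses). It runs over the RA2 and RA4 commands from this lab with X = 1 and also reports the DES and Diffie-Hellman group 2 settings as weak; the function names and the finding strings are this example's own.

```python
# Constructed input: the crypto-related commands this lab enters on RA2 and RA4,
# with the pod number X set to 1.
RA2 = """\
interface serial 0
 ip address 61.0.0.5 255.255.255.0
 crypto map vpnmap
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash sha
 group 2
crypto isakmp key zoom123 address 71.0.0.5
crypto ipsec transform-set zoomtr esp-des esp-sha-hmac
access-list 100 permit ip 192.168.1.32 0.0.0.15 192.168.1.64 0.0.0.15
crypto map vpnmap 10 ipsec-isakmp
 match address 100
 set transform-set zoomtr
 set peer 71.0.0.5
"""
RA4 = """\
interface serial 1
 ip address 71.0.0.5 255.255.255.0
 crypto map demomap
crypto isakmp policy 10
 authentication pre-share
 hash sha
 encryption des
 group 2
crypto isakmp key zoom123 address 61.0.0.5
crypto ipsec transform-set trans esp-des esp-sha-hmac
access-list 110 permit ip 192.168.1.64 0.0.0.15 192.168.1.32 0.0.0.15
crypto map demomap 5 ipsec-isakmp
 match address 110
 set transform-set trans
 set peer 61.0.0.5
"""

def parse(cfg):
    """Pull the tunnel-relevant settings out of an IOS-style config."""
    r = {"wan": None, "ike": {}, "psk": {}, "ts": {}, "acl": {}, "map": {}}
    ctx = None
    for raw in cfg.splitlines():
        w = raw.split()
        if not w:
            continue
        if not raw.startswith(" "):
            ctx = None                      # a top-level command ends the sub-mode
        if w[:3] == ["crypto", "isakmp", "policy"]:
            ctx = "ike"
        elif w[:3] == ["crypto", "isakmp", "key"]:
            r["psk"][w[5]] = w[3]           # peer address -> key
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            r["ts"][w[3]] = frozenset(w[4:])
        elif w[:2] == ["crypto", "map"] and len(w) > 3:
            ctx = "map"
        elif w[0] == "access-list" and w[2] == "permit":
            r["acl"].setdefault(w[1], []).append(tuple(w[4:8]))
        elif w[:2] == ["ip", "address"]:
            r["wan"] = w[2]
        elif ctx == "ike" and len(w) == 2:
            r["ike"][w[0]] = w[1]
        elif ctx == "map" and w[0] == "match":
            r["map"]["acl"] = w[2]
        elif ctx == "map" and w[0] == "set":
            r["map"][w[1]] = w[2]           # "transform-set" or "peer"
    return r

WEAK_IKE = {"encryption": {"des"}, "group": {"1", "2"}}  # 56-bit DES; 768/1024-bit DH

def audit(a, b):
    """Compare two parsed peers; return a sorted list of findings."""
    out = []
    for k in set(a["ike"]) | set(b["ike"]):          # phase 1 must match exactly
        if a["ike"].get(k) != b["ike"].get(k):
            out.append(f"MISMATCH ike {k}")
    ka, kb = a["psk"].get(b["wan"]), b["psk"].get(a["wan"])
    if ka is None or ka != kb:                        # key is looked up by peer address
        out.append("MISMATCH pre-shared key")
    if a["map"].get("peer") != b["wan"] or b["map"].get("peer") != a["wan"]:
        out.append("MISMATCH peer address")
    ta = a["ts"].get(a["map"].get("transform-set"))
    tb = b["ts"].get(b["map"].get("transform-set"))
    if ta is None or ta != tb:                        # names are local, contents must match
        out.append("MISMATCH transform-set")
    aa = a["acl"].get(a["map"].get("acl"), [])
    bb = b["acl"].get(b["map"].get("acl"), [])
    if not aa or sorted(aa) != sorted(e[2:] + e[:2] for e in bb):
        out.append("MISMATCH crypto ACLs are not mirror images")
    for k, bad in WEAK_IKE.items():
        if a["ike"].get(k) in bad or b["ike"].get(k) in bad:
            out.append(f"WEAK ike {k}")
    if "esp-des" in (ta or ()) or "esp-des" in (tb or ()):
        out.append("WEAK esp-des")
    return sorted(out)

if __name__ == "__main__":
    for finding in audit(parse(RA2), parse(RA4)):
        print(finding)
```

Run against the lab's values, it reports no mismatches, so the tunnel negotiates, and three WEAK findings, which is the part to change before reusing this configuration outside a lab.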






IDS / IPS





*The scenario here is as shown above. RA1 is the router in our network connected
to the ISP. RA2 is one of the routers inside the network. In case of an
attack from the internet, i.e. the CORE router in our example, router RA1 with
IPS must be configured to detect and prevent the intrusion.
*Let us consider an example in which an anonymous user manages to enter our
network and logs in to router RA2. He could give the command "enable" to
enter privilege mode and change the router configuration. The IPS on
RA1 must be configured in such a way that when the intruder types the characters
"enable", his connection is terminated.
*Step 1: Enable routing between all the three routers.
*Step 2: Configure the router using SDM. In the IPS configuration mode, start the
wizard available. Select the proper interface and the proper direction. In our
case, it's Serial 1/2 in the inbound direction. Tick "Use the in-built
signatures" in the next screen and finish.
*Step 3: You'll be taken to the "Edit IPS" page next. In there, go to the signatures
tab. In the drop-down menu in the centre, choose "engine" as the "view by"
option. In the drop-down menu beside it, pick the "STRING.TCP" option.
*Step 4: Add a new signature. The parameters that have to be configured here are
Sig name: (any name); Alarm Severity; EventAction: (alarm, drop and reset);
Protocol: (TCP); RegexString: (the string of characters in the order that they
would be entered); ServicePorts: (23 for telnet)
*Step 5: Click the OK button and apply the changes made.

*To verify, configure a PC in the CORE router's LAN. Telnet to router RA2's
serial interface. When you type in "enable", your telnet session must be
disconnected by RA1.

IOS Firewall








*The scenario set up is as shown above. RA1 has two interfaces connected to two
different LANs. Both can communicate with each other initially. Our scenario is
to allow communication from one LAN to the other, but deny the communication
in the opposite direction.
*Configure access-lists on both the interfaces allowing one way communication.
For example, PC connected to the Fa0/0 interface must be able to ping to the PC
connected to the Fa4/0, but the opposite should not be possible
RA1#config terminal
RA1(config)# access-list 100 permit ip 192.168.1.16 0.0.0.15 192.168.100.0 0.0.0.255
RA1(config)# access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.1.16 0.0.0.15
RA1(config)#interface fa 0/0
RA1(config-if)#ip access-group 100 in
RA1(config-if)#interface fa 4/0
RA1(config-if)#ip access-group 101 in

*When you ping from each PC to the other, you will note that neither can
ping the other. To achieve our goal of only one-way communication, we have to
configure the following. Configure a firewall rule for the ICMP protocol and apply
it on the interface where we want the traffic to flow to, in the inbound direction.

RA1(config)#ip inspect name zoom icmp
RA1(config)#interface fa0/0
RA1(config-if)#ip inspect zoom in

*Now, you will notice that the PC on Fa0/0 can ping the PC on Fa4/0, but the PC
on Fa4/0 cannot ping the PC on Fa0/0.




AAA Configuration
















*In case of AAA configuration, a PC installed with the ACS software is called the
AAA Server. The Network device (ex: router) which is using the AAA server for
authentication is called the AAA Client. The PC labeled as the Client in the above
diagram is actually the user who is trying to log in to the router and is NOT the
AAA client.

*Configuring authentication: This is for the router and in turn, the user, to be
authenticated by the AAA server. Take care to not close the telnet window after
configuring this.

RA1(config)#aaa new-model
RA1(config)#aaa authentication login default group tacacs+
RA1(config)#line vty 0 15
RA1(config-line)#login authentication default
RA1(config-line)#exit
RA1(config)#tacacs-server host 192.168.X.Y key zoom123

* On the ACS server, configure the following.
Network configuration: By adding the router as a client.
Users Settings: By adding a username and password for the user to log in. Also
add the user in a specific group.

*Configuring authorization: This is for assigning privilege levels to the user
who has logged in to the router.

RA1(config)#aaa authorization exec default group tacacs+

*In ACS server, under the group settings for the users group, tick the Shell
(EXEC) option and mention the Privilege level that you want to assign to the
user.

*Verify from the client by using the show privilege command on the router.




*By using the following configuration, we can allow the user the following
commands that are normally not allowed.

RA1(config)#privilege exec level 10 configure terminal
RA1(config)#privilege configure level 10 ip route
RA1(config)#privilege configure level 10 interface
RA1(config)#privilege interface level 10 shutdown

*Configuring AAA accounting on the router.

RA1(config)#aaa accounting commands 1 default start-stop group tacacs+
RA1(config)#aaa accounting commands 10 default start-stop group tacacs+
RA1(config)#aaa accounting commands 15 default start-stop group tacacs+

*Verify the output in ACS server



Configuring SNMP
*On each router, configure the following, specifying the community to which the
router belongs. The next two statements enable SNMP traps and point the
router to the SNMP server along with the key. Make sure that the SNMP server
belongs to the LAN of one of the routers and that there is routing enabled from
each router to the SNMP server. Test by pinging from each router to the SNMP server.

RA1(config)#snmp-server community zoom123 rw
RA1(config)#snmp-server enable traps
RA1(config)#snmp-server host 192.168.X.Y zoom123


*Verify the output in SNMP server


Configuring SYSLOG
*Configure on each router the following to enable syslog and to mention the IP
address of the syslog server.

RA1(config)#logging on
RA1(config)#logging host 192.168.X.Y

*Verify the output in Syslog Server. Any changes that trigger syslog messages will
be sent to the syslog software on the server. Syslog can be verified by shutting
down and bringing up an interface.




MPLS Configuration



























*Configure the above MPLS network topology, with routers INDIA, POLAND and
SUDAN belonging to the MPLS cloud and routers RUSSIA and ALGERIA as the
customer-end routers.

*The prerequisite for this kind of setup is for routing to be enabled from one
end to the other. We use OSPF for this in this setup.

Russia(config)#no ip routing
Russia(config)#ip routing
Russia(config)#router ospf 10
Russia(config-router)#net 0.0.0.0 255.255.255.255 area 0
Russia(config-router)#end
Russia#

Poland(config)#interface fa 0/1
Poland(config-if)#ip add 192.168.100.1 255.255.255.0
Poland(config-if)#no sh
Poland(config-if)#exit
Poland(config)#router ospf 10
Poland(config-router)#net 0.0.0.0 255.255.255.255 area 0
Poland(config-router)#end

INDIA(config)#int f 0/0
INDIA(config-if)#ip add 192.168.100.2 255.255.255.0
INDIA(config-if)#no shut
INDIA(config-if)#interface fa 4/0
INDIA(config-if)#ip add 192.168.200.1 255.255.255.0
INDIA(config-if)#no shut
INDIA(config-if)#exit
INDIA(config)#no ip routing
INDIA(config)#ip routing
INDIA(config)#router ospf 10
INDIA(config-router)#net 0.0.0.0 255.255.255.255 area 0

Sudan(config)#int f 0/1
Sudan(config-if)#ip add 192.168.200.2 255.255.255.0
Sudan(config-if)#no shut
Sudan(config-if)#exit
Sudan(config)#router ospf 10
Sudan(config-router)#net 0.0.0.0 255.255.255.255 area 0
Sudan(config-router)#end
Sudan#

Algeria(config)#no ip routing
Algeria(config)#ip routing
Algeria(config)#router ospf 10
Algeria(config-router)#net 0.0.0.0 255.255.255.255 area 0
Algeria(config-router)#end
Algeria#

*Configuring MPLS in the Service Provider cloud.

Poland(config)#ip cef
Poland(config)#mpls ip
Poland(config)#interface fa 0/1
Poland(config-if)#mpls ip
Poland(config-if)#interface fa 0/0
Poland(config-if)#mpls ip
Poland(config-if)#end

INDIA(config)#ip cef
INDIA(config)#mpls ip
INDIA(config)#interface fa 0/0
INDIA(config-if)#mpls ip
INDIA(config-if)#interface fa 4/0
INDIA(config-if)#mpls ip
INDIA(config-if)#end

Sudan(config)#mpls ip
Sudan(config)#ip cef
Sudan(config)#interface fa 0/1
Sudan(config-if)#mpls ip
Sudan(config-if)#int f 0/0
Sudan(config-if)#mpls ip
Sudan(config-if)#end

*Verify using the following commands.

R#show ip cef
R#show mpls forwarding-table
R#show ip route
R#Traceroute <destination ip>


VLAN Configuration

Configuration on 2950-229 (192.168.0.229)

*Configuring the trunk

s2950-229(config)#interface fastethernet 0/24
s2950-229(config-if)#switchport mode trunk
s2950-229(config-if)#switchport trunk allowed vlan all
s2950-229(config-if)#exit

*Configuring the VTP domain and password

s2950-229(config)#vtp domain zoom
s2950-229(config)#vtp password zoom

*Creation of VLANs

s2950-229(config)#vlan 10
s2950-229(config-vlan)#name sales
s2950-229(config-vlan)#exit
s2950-229(config)#vlan 20
s2950-229(config-vlan)#name marketing
s2950-229(config-vlan)#exit
s2950-229(config)#vlan 30
s2950-229(config-vlan)#name accounting
s2950-229(config-vlan)#exit

*Assigning the interface to VLANs

s2950-229(config)#interface fastethernet 0/10
s2950-229(config-if)#switchport mode access
s2950-229(config-if)#switchport access vlan 1
s2950-229(config-if)#exit
s2950-229(config)#interface fastethernet 0/12
s2950-229(config-if)#switchport mode access
s2950-229(config-if)#switchport access vlan 10
s2950-229(config-if)#exit
s2950-229(config)#interface fastethernet 0/14
s2950-229(config-if)#switchport mode access
s2950-229(config-if)#switchport access vlan 20
s2950-229(config-if)#exit
s2950-229(config)#interface fastethernet 0/16
s2950-229(config-if)#switchport mode access
s2950-229(config-if)#switchport access vlan 30

#show interface trunk
#show vlan
#show vtp status
#show interface status
#show interface fastethernet 0/X switchport


*By using the following configuration, we can make switch 3560 the root bridge
for the entire LAN. This is done by setting the priority lower than the default
priority of 32768.

S3560(config)#spanning-tree vlan 1 priority 24576

*Verify the output in all the switches to see which switch is the root and which
port is in the blocked state.

s2950-229#show spanning-tree
S3560#show spanning-tree

Configuring Spanning-tree Portfast feature

*By configuring a port as a portfast port, the port doesn't take part in the
spanning-tree calculation process.

S3560#conf t
S3560(config)#interface fa 0/X
S3560(config-if)#spanning-tree portfast

*Verify the result by using the show command.

S3560#show spanning-tree

Output Omitted

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/17           Desg FWD 19        128.17   Edge P2p


Configuring Uplinkfast

*Uplinkfast is configured only on the switch that has blocked ports. By
configuring this, when the link in forwarding state on this particular switch goes
down, the switch immediately brings the blocked port into forwarding state
instead of running the spanning-tree algorithm.

s3550(config)#spanning-tree uplinkfast


*Verify the output by shutting down the link in forwarding state and note that the
blocked port immediately comes up. This can be tested by keeping a ping running
between two machines on different PCs.

S3550#show spanning-tree





Configuring the Spanning-tree Backbonefast

*When an indirectly connected link to the switch with the blocked port goes down,
the switch gets information from the other switches and immediately brings up the
blocked port. This has to be configured on all the switches.

s2950-229#conf t
s2950-229(config)#spanning-tree backbonefast

s3550#conf t
s3550(config)#spanning-tree backbonefast

S3560#conf t
S3560(config)#spanning-tree backbonefast

s2950-129#conf t
s2950-129(config)#spanning-tree backbonefast


*Verify the output by shutting down the indirectly connected link, i.e., any link
that is not connected to the switch with the blocked port, and note that the
blocked port immediately comes up. This can be tested by keeping a ping running
between two machines on different PCs.


STP
Configuring PVST+
*When the LAN network consists of more than one VLAN, the switch with the
lowest mac-address will be the root bridge for all the VLANs, with the same port
being blocked for all the VLANs. In order to change this, our goal is to configure
one switch as the root for each VLAN. This is done by lowering the respective
switch's spanning-tree priority value on each switch for the respective VLAN.

Change the root election of the switches as per the given table:

Vlan 1 root is S3560
Vlan 101 root is S2950-229
Vlan 201 root is S2950-129
Vlan 301 root is S3550

*Create the required VLANs as given above.

Tip: Use VTP to create the VLANs

S3560#conf t
S3560(config)#vlan 101
S3560(config-vlan)#name ccna
S3560(config-vlan)#exit
S3560(config)#vlan 201
S3560(config-vlan)#name ccnp
S3560(config-vlan)#exit
S3560(config)#vlan 301
S3560(config-vlan)#name mcse
S3560(config-vlan)#exit

*Configure the spanning-tree mode to PVST and then change the priority of the
vlan on the respective switch to make it root for that VLAN.

S3560(config)#spanning-tree mode pvst
S3560(config)#spanning-tree vlan 1 priority 24576

s2950-229#conf t
s2950-229(config)#spanning-tree mode pvst
s2950-229(config)#spanning-tree vlan 101 priority 24576

s2950-129#conf t
s2950-129(config)#spanning-tree mode pvst
s2950-129(config)#spanning-tree vlan 201 priority 24576

s3550#conf t
s3550(config)#spanning-tree mode pvst
s3550(config)#spanning-tree vlan 301 priority 24576



*Verify using the show commands to see the status of VLANs

Switch 3560

S3560#show spanning-tree
S3560#show spanning-tree vlan 101

ADVANCED STP
Configuring MST
*When the LAN consists of more than one VLAN, the switch with the
lowest MAC address will be the root bridge for all the VLANs, with the same port
being blocked for all the VLANs. In order to change this, our goal is to configure
one switch as the root for each group of VLANs. This is done by lowering the
respective switch's spanning-tree priority value for the respective VLAN group.


MST Inst 1 Vlan 1-100 root S3560
MST Inst 2 Vlan 101-200 root S2950-229
MST Inst 3 Vlan 201-300 root S2950-129
MST Inst 4 Vlan 301-400 root S3550

*Note: The MST configuration (instance-to-VLAN mapping, name and revision) must be the same on all four switches.

S3560(config)#spanning-tree mst configuration
S3560(config-mst)#instance 1 vlan 1-100
S3560(config-mst)#instance 2 vlan 101-200
S3560(config-mst)#instance 3 vlan 201-300
S3560(config-mst)#instance 4 vlan 301-400
S3560(config-mst)#name zoom
S3560(config-mst)#revision 1
S3560(config-mst)#exit
S3560(config)#spanning-tree mst 1 priority 28672
S3560(config)#spanning-tree mode mst

s2950-229(config)#spanning-tree mst configuration
s2950-229(config-mst)#instance 1 vlan 1-100
s2950-229(config-mst)#instance 2 vlan 101-200
s2950-229(config-mst)#instance 3 vlan 201-300
s2950-229(config-mst)#instance 4 vlan 301-400
s2950-229(config-mst)#name zoom
s2950-229(config-mst)#revision 1
s2950-229(config-mst)#exit
s2950-229(config)#spanning-tree mst 2 priority 28672
s2950-229(config)#spanning-tree mode mst

s2950-129(config)#spanning-tree mst configuration
s2950-129(config-mst)#instance 1 vlan 1-100
s2950-129(config-mst)#instance 2 vlan 101-200
s2950-129(config-mst)#instance 3 vlan 201-300
s2950-129(config-mst)#instance 4 vlan 301-400
s2950-129(config-mst)#name zoom
s2950-129(config-mst)#revision 1
s2950-129(config-mst)#exit
s2950-129(config)#spanning-tree mst 3 priority 28672
s2950-129(config)#spanning-tree mode mst

s3550(config)#spanning-tree mst configuration
s3550(config-mst)#instance 1 vlan 1-100
s3550(config-mst)#instance 2 vlan 101-200
s3550(config-mst)#instance 3 vlan 201-300
s3550(config-mst)#instance 4 vlan 301-400
s3550(config-mst)#name zoom
s3550(config-mst)#revision 1
s3550(config-mst)#exit
s3550(config)#spanning-tree mst 4 priority 28672
s3550(config)#spanning-tree mode mst


*Verify using the following commands

S3560#show spanning-tree
S3560#show spanning-tree mst <Instance no>
S3560#show spanning-tree summary

*Devices in different VLANs cannot communicate with each other by default. To
enable communication between them, routing must be enabled between the
VLANs.

*Create the VLANs as per requirement.

S3560(config)#vlan 40
S3560(config-vlan)#name sales
S3560(config-vlan)#exit
S3560(config)#vlan 50
S3560(config-vlan)#name marketing
S3560(config-vlan)#vlan 60
S3560(config-vlan)#name accounts
S3560(config-vlan)#exit

*Assign the interfaces to their respective VLANs.

S3560(config)#interface fa 0/12
S3560(config-if)#switchport mode access
S3560(config-if)#switchport access vlan 40
S3560(config-if)#exit
S3560(config)#interface fa 0/14
S3560(config-if)#switchport mode access
S3560(config-if)#switchport access vlan 50
S3560(config-if)#exit
S3560(config)#interface fa 0/16
S3560(config-if)#switchport mode access
S3560(config-if)#switchport access vlan 60

*Assign an IP address for each of the vlan interfaces. These addresses are going
to be the default gateway for the devices in those particular VLANs.

S3560(config)#interface vlan 40
S3560(config-if)#ip address 192.168.40.1 255.255.255.0
S3560(config-if)#exit
S3560(config)#interface vlan 50
S3560(config-if)#ip address 192.168.50.1 255.255.255.0
S3560(config-if)#exit
S3560(config)#interface vlan 60
S3560(config-if)#ip address 192.168.60.1 255.255.255.0
S3560(config-if)#exit

*Enable the routing process on the multilayer-switch to allow communication
between the VLANs.

S3560(config)#ip routing
S3560(config)#end

*Verify using the following show commands.

#show ip route
#show vlan
#show ip cef
#sh adjacency detail






*Configuring Inter-VLAN routing with the help of an external router.

*This method is also called Router-on-a-Stick. This is done by connecting the
switch to the router's Ethernet/FastEthernet port. That Ethernet port is then
logically divided into sub-interfaces. Each sub-interface in turn acts as a gateway
for one of the VLANs.


Switch configuration
*Configure the required number of VLANs and implement them on the layer 2
switch.

S2950-229(config)#vlan 10
S2950-229(config-vlan)#exit
S2950-229(config)#vlan 20
S2950-229(config-vlan)#vlan 30
S2950-229(config-vlan)#exit
S2950-229(config)#interface fa 0/12
S2950-229(config-if)#switchport mode access
S2950-229(config-if)#switchport access vlan 10
S2950-229(config-if)#exit
S2950-229(config)#interface fa 0/14
S2950-229(config-if)#switchport mode access
S2950-229(config-if)#switchport access vlan 20
S2950-229(config-if)#exit
S2950-229(config)#interface fa 0/16
S2950-229(config-if)#switchport mode access
S2950-229(config-if)#switchport access vlan 30

*The port on the switch connected to the router must be configured as a trunk
port since it carries information from more than one VLAN.
S2950-229(config)#interface fa 0/3
S2950-229(config-if)#switchport mode trunk
S2950-229(config-if)#end

Router Configuration
*On the router's Ethernet interface, remove the IP address and create
sub-interfaces as given below. Each sub-interface has to be configured with the right
encapsulation so that it can interpret the data coming from the trunk port of the
switch.

Sudan#conf t
Sudan(config)#ip routing
Sudan(config)#interface fa 0/1
Sudan(config-if)#no ip address
Sudan(config-if)#no shutdown
Sudan(config-if)#exit

Sudan(config)#interface fa 0/1.1
Sudan(config-subif)#encapsulation dot1q 1 native
Sudan(config-subif)#ip address 192.168.0.50 255.255.255.0
Sudan(config-subif)#exit
Sudan(config)#interface fa 0/1.10
Sudan(config-subif)#encapsulation dot1q 10
Sudan(config-subif)#ip address 192.168.10.1 255.255.255.0
Sudan(config-subif)#exit
Sudan(config)#interface fa 0/1.20
Sudan(config-subif)#encapsulation dot1q 20
Sudan(config-subif)#ip address 192.168.20.1 255.255.255.0
Sudan(config-subif)#exit
Sudan(config)#interface fa 0/1.30
Sudan(config-subif)#encapsulation dot1q 30
Sudan(config-subif)#ip address 192.168.30.1 255.255.255.0
Sudan(config-subif)#exit

*Verify by using the following commands and also by pinging from a PC in one
VLAN to a PC in another VLAN.

R#show ip route
S#show vlan
S#show interface trunk

HSRP

*In this practical, we configure two routers connected on the same LAN
with HSRP. By doing that, the two routers create a Virtual Router with the
Virtual-IP that we specify in the configuration. This Virtual-IP is to be used as the
default gateway by the devices in the LAN.

*Make sure that both routers' LAN interfaces belong to the same network and
both routers are configured with the same standby group.

Sudan#conf t
Sudan(config)#interface fa 0/0
Sudan(config-if)#ip address 192.168.1X0.100 255.255.255.0
Sudan(config-if)#no shutdown
Sudan(config-if)#standby X0 ip 192.168.1X0.1
Sudan(config-if)#standby X0 priority 150
Sudan(config-if)#standby X0 preempt
Sudan(config-if)#exit
Sudan(config)#ip route 192.168.0.0 255.255.255.0 s 0/2/0

Poland#conf t
Poland(config)#interface fa 0/0
Poland(config-if)#ip address 192.168.1X0.200 255.255.255.0
Poland(config-if)#no shutdown
Poland(config-if)#standby X0 ip 192.168.1X0.1
Poland(config-if)#standby X0 priority 120
Poland(config-if)#standby X0 preempt
Poland(config-if)#exit
Poland(config)# ip route 192.168.0.0 255.255.255.0 s 0/2/0

CORE#conf t
CORE(config)# ip route 192.168.1X0.0 255.255.255.0 s 1
CORE(config)# ip route 192.168.1X0.0 255.255.255.0 s 2


*Verify using the following command, which router is the ACTIVE router and
which router is the STANDBY.

Router#show standby


*Shut down the Ethernet interface of the active (Sudan) router and verify which
router now becomes the ACTIVE router.
Sudan#conf t
Sudan(config)#interface fa 0/0
Sudan(config-if)#shutdown
Sudan(config-if)#end

*Bring up the Ethernet interface again and now configure interface tracking on
the Sudan router.

Sudan#conf t
Sudan(config)#interface fa 0/0
Sudan(config-if)#no shutdown
Sudan(config-if)#standby X0 track serial 0/2/0 50

*The above statement means that, for group X0, if the interface serial 0/2/0 goes
down, the standby priority of this router is decreased by 50, so that the
other router now has the higher priority and becomes the ACTIVE router.

*Shut down the serial 0/2/0 interface and verify the output.

Sudan(config)#interface Serial 0/2/0
Sudan(config-if)# shutdown

Router#show standby
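
*The failover sequence of this practical, modelled as an added example that is not part of the lab guide. It assumes X = 1 (addresses 192.168.110.x, constructed) and a simplified election: the highest effective priority wins, ties go to the higher IP address, and a running ACTIVE router is displaced only by a better router that has preempt configured.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class HsrpRouter:
    name: str
    ip: str
    priority: int
    preempt: bool = True
    track: dict = field(default_factory=dict)  # tracked interface -> decrement
    down: set = field(default_factory=set)     # tracked interfaces currently down
    lan_up: bool = True                        # state of the HSRP (fa 0/0) interface

    def effective_priority(self):
        lost = sum(dec for ifc, dec in self.track.items() if ifc in self.down)
        return self.priority - lost


def _rank(router):
    return (router.effective_priority(), IPv4Address(router.ip))


def elect_active(routers, current=None):
    """Return the ACTIVE router after one round of hello comparison."""
    alive = [r for r in routers if r.lan_up]
    if not alive:
        return None
    if current is None or not current.lan_up:
        return max(alive, key=_rank)
    # A live ACTIVE router keeps its role unless a better router may preempt.
    challengers = [r for r in alive if r.preempt and _rank(r) > _rank(current)]
    return max(challengers, key=_rank) if challengers else current


def lab_scenario(track_decrement=50, poland_preempt=True):
    """Replay the lab steps and return the ACTIVE router after each one."""
    sudan = HsrpRouter("Sudan", "192.168.110.100", 150,
                       track={"Serial0/2/0": track_decrement})
    poland = HsrpRouter("Poland", "192.168.110.200", 120, preempt=poland_preempt)
    routers = [sudan, poland]
    history = []

    active = elect_active(routers)             # initial election
    history.append(active.name)
    sudan.lan_up = False                       # shutdown on fa 0/0
    active = elect_active(routers, active)
    history.append(active.name)
    sudan.lan_up = True                        # no shutdown on fa 0/0
    active = elect_active(routers, active)
    history.append(active.name)
    sudan.down.add("Serial0/2/0")              # tracked uplink goes down
    active = elect_active(routers, active)
    history.append(active.name)
    return history


if __name__ == "__main__":
    print(lab_scenario())                      # lab values: 150 - 50 < 120
    print(lab_scenario(track_decrement=20))    # 150 - 20 > 120, no failover
    print(lab_scenario(poland_preempt=False))  # Poland may not take over
```

The last two runs show the misconfigurations to look for when `show standby` still lists Sudan as ACTIVE after its serial link is down.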

GLBP

*In this practical, we configure two routers connected on the same LAN network
with GLBP. By doing that, the two routers create a Virtual Router with a Virtual-
IP that we mention in the configuration. This virtual-IP is to be used as the
default-gateway to the devices in the LAN.

*Make sure that both routers' LAN interfaces belong to the same network and
both routers are configured with the same GLBP group.

Sudan(config)#interface fa 0/0
Sudan(config-if)#ip address 192.168.1X0.100 255.255.255.0
Sudan(config-if)#no shutdown
Sudan(config-if)#glbp X0 ip 192.168.1X0.1
Sudan(config-if)#exit
Sudan(config)# ip route 192.168.0.0 255.255.255.0 s 0/2/0

Poland(config)#interface fa 0/0
Poland(config-if)#ip address 192.168.1X0.200 255.255.255.0
Poland(config-if)#no shutdown
Poland(config-if)#glbp X0 ip 192.168.1X0.1
Poland(config-if)#exit
Poland(config)# ip route 192.168.0.0 255.255.255.0 s 0/2/0

CORE#conf t
CORE(config)# ip route 192.168.1X0.0 255.255.255.0 s 1
CORE(config)# ip route 192.168.1X0.0 255.255.255.0 s 2


*Verify using the following command, which router is the ACTIVE router.

Router#sh glbp

*Shut down the Ethernet interface of the active (Sudan) router and verify the
output.
Sudan#conf t
Sudan(config)#interface fa 0/0
Sudan(config-if)#shutdown
Sudan(config-if)#end

*Bring up the Ethernet interface again and now configure interface tracking on
the Sudan router.

Sudan#conf t
Sudan(config)#track 50 interface serial 0/2/0 line-protocol
Sudan(config-track)#exit
Sudan(config)#interface fa 0/0
Sudan(config-if)#glbp X0 weighting track 50 decrement 100

*Use the following commands to reduce the preempt delay on both
routers.

Sudan(config-if)#glbp X0 forwarder preempt delay minimum 5
Sudan(config-if)#end

*Reducing the preempt delay in Poland

Poland(config-if)#glbp X0 forwarder preempt delay minimum 5


*Shut down the serial 0/2/0 interface on the Sudan router and verify the output.

Sudan#conf t
Sudan(config)#interface s 0/2/0
Sudan(config-if)# shutdown

PORT-SECURITY

*This practical configures port-security on a switch by binding the MAC
address of a PC to a particular port. By doing so, we allow only that PC to work
on that port. Any other PC trying to use that port is not allowed to do so, since it
has a different MAC address.


S3560#conf t
S3560(config)#interface fa 0/12
S3560(config-if)#switchport mode access
S3560(config-if)#switchport port-security
S3560(config-if)#switchport port-security mac-address xxxx.xxxx.xxxx
S3560(config-if)#switchport port-security violation shutdown


*You can verify the output by disconnecting the PC from the port and connecting
another PC to the same port and trying to start communication on it. You will find
that as soon as the new PC tries to establish communication, the port goes into an
err-disabled state and is shut down.

S3560#show port-security
S3560#show interface status
S3560#show port-security interface fa 0/12




VACL

*Two PCs belonging to the same VLAN on the same switch can communicate with
each other by default. In cases where we do not want them to communicate and
there is no router available to configure access-lists, we can configure VLAN
access-lists, or VACLs.

*Assign the ports of 192.168.0.3 and 192.168.0.203 to VLAN 10. They can ping each
other normally. The required scenario here is that the ping request from PC
192.168.0.3 to PC 192.168.0.203 should be blocked and the ping request from PC
192.168.0.203 to PC 192.168.0.3 must be allowed.


S3560(config)#access-list 110 permit icmp host 192.168.0.3 host 192.168.0.203 echo
S3560(config)#vlan access-map zoom 10
S3560(config-access-map)#match ip address 110
S3560(config-access-map)#action drop
S3560(config-access-map)#exit
S3560(config)#vlan access-map zoom 20
S3560(config-access-map)#exit
S3560(config)#vlan filter zoom vlan-list 10

*Verify the output by having ping ON between the two machines.
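
*How the access-map above is evaluated, as an added example that is not part of the lab guide. The model is simplified and the class and function names are hypothetical: entries are checked in sequence order, the first match decides, an entry with no match clause matches everything and forwards by default, and an IP packet that matches no entry is dropped.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    icmp_type: Optional[str] = None     # "echo" or "echo-reply" for ICMP


@dataclass(frozen=True)
class Permit:
    """One 'permit' line of an extended ACL used as the VACL match condition."""
    proto: str
    src: str
    dst: str
    icmp_type: Optional[str] = None

    def matches(self, pkt):
        return (pkt.proto == self.proto and pkt.src == self.src
                and pkt.dst == self.dst
                and (self.icmp_type is None or pkt.icmp_type == self.icmp_type))


@dataclass(frozen=True)
class MapEntry:
    seq: int
    action: str = "forward"                     # default action of a map entry
    acl: Optional[Tuple[Permit, ...]] = None    # None: no match clause


# access-list 110 permit icmp host 192.168.0.3 host 192.168.0.203 echo
ACL_110 = (Permit("icmp", "192.168.0.3", "192.168.0.203", "echo"),)
# vlan access-map zoom 10 (match 110, drop) and zoom 20 (empty entry)
LAB_MAP = (MapEntry(10, "drop", ACL_110), MapEntry(20))
# The same map with sequence 20 left out, to show why it is needed.
WITHOUT_SEQ_20 = (MapEntry(10, "drop", ACL_110),)


def vacl_decision(access_map, pkt):
    """Return "drop" or "forward" for one packet bridged inside the VLAN."""
    for entry in sorted(access_map, key=lambda e: e.seq):
        if entry.acl is None or any(line.matches(pkt) for line in entry.acl):
            return entry.action
    return "drop"   # no entry matched: implicit drop at the end of the map


if __name__ == "__main__":
    a, b = "192.168.0.3", "192.168.0.203"
    tests = [
        Packet(a, b, "icmp", "echo"),         # ping from .3 to .203
        Packet(b, a, "icmp", "echo"),         # ping from .203 to .3
        Packet(a, b, "icmp", "echo-reply"),   # .3 answering .203's ping
    ]
    for pkt in tests:
        print(pkt, vacl_decision(LAB_MAP, pkt), vacl_decision(WITHOUT_SEQ_20, pkt))
```

Because the ACL matches only `echo` from 192.168.0.3, the replies that 192.168.0.3 sends to 192.168.0.203 still pass, which is what keeps the ping in the allowed direction working.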


DOT1X AUTHENTICATION

*An open port allows anybody to connect a device and start
communicating with the LAN. Our goal here is to authenticate any user that
connects to the switch and allow access only if the user is properly authenticated.
Authentication is done with the help of an AAA server.

*Make sure the test-PC is enabled for dot1x authentication.

s2950-229(config)#aaa new-model
s2950-229(config)#aaa authentication dot1x default group radius
s2950-229(config)#dot1x system-auth-control
s2950-229(config)#radius-server host 192.168.0.3 key zoom123

s2950-229(config)#interface fa 0/16
s2950-229(config-if)#switchport mode access
s2950-229(config-if)#dot1x port-control auto
s2950-229(config-if)#exit

*Verify using the following commands and also by disconnecting and connecting
the device from the switch and then going through the authentication process
when prompted.

s2950-229#show dot1x all



VOIP

*To enable VOIP, the pre-requisite is to have routing enabled on the network
between the different voice devices. For that, we are configuring EIGRP protocol
between routers India and Sudan.

INDIA#conf t
INDIA(config)#router eigrp 100
INDIA(config-router)#network 192.168.1.0
INDIA(config-router)#net 172.16.0.0
INDIA(config-router)#end

CORE#conf t
CORE(config)#no ip routing
CORE(config)#ip routing
CORE(config)#router eigrp 100
CORE(config-router)#network 172.16.0.0
CORE(config-router)#end

Sudan#conf t
Sudan(config)#no ip routing
Sudan(config)#ip routing
Sudan(config)#router eigrp 100
Sudan(config-router)#net 172.16.0.0
Sudan(config-router)#net 192.168.100.0
Sudan(config-router)#exit
Sudan(config)#interface fa 0/1
Sudan(config-if)#ip address 192.168.100.1 255.255.255.0
Sudan(config-if)#no shut
Sudan(config-if)#end

*Router INDIA has two FXS ports to which two analog phones are connected.
Below is the configuration for assigning phone numbers to the analog phones by
configuring the dial-peer as POTS (plain old telephone system)

INDIA(config)#dial-peer voice 10 pots
INDIA(config-dial-peer)#destination-pattern 2001
INDIA(config-dial-peer)#port 2/0/0
INDIA(config-dial-peer)#exit
INDIA(config)#dial-peer voice 20 pots
INDIA(config-dial-peer)#destination-pattern 2002
INDIA(config-dial-peer)#port 2/0/1
INDIA(config-dial-peer)#exit

*Verify the output by dialing the extension number from one to another phone

*Here we configure the call routing from India to Sudan. The dial-peer specifies the
IPv4 destination to which the VoIP packets have to be routed when a call to
the mentioned phone number is made.

INDIA(config)#dial-peer voice 30 voip
INDIA(config-dial-peer)#destination-pattern 300.
INDIA(config-dial-peer)#session target ipv4:172.16.1.5
INDIA(config-dial-peer)#end


*Below is the configuration of Sudan router to which two IP phones have been
connected.

*First we have to configure a DHCP pool from which an ip-address will be
assigned to the IP phone.

Sudan(config)#ip dhcp pool voip
Sudan(dhcp-config)#network 192.168.100.0
Sudan(dhcp-config)#default-router 192.168.100.1
Sudan(dhcp-config)#option 150 ip 192.168.100.1
Sudan(dhcp-config)#exit
Sudan(config)# ip dhcp excluded-address 192.168.100.1

*Below is the configuration for telephony-service where we configure various
parameters such as number of dial-numbers and ephones, assigning of phone
numbers to the e-phones and binding the mac-address of the ip-phone to the
ephone.

Sudan(config)#telephony-service
Sudan(config-telephony)#max-dn 10
Sudan(config-telephony)#max-ephone 5
Sudan(config-telephony)#ip source-address 192.168.100.1
Sudan(config-telephony)#exit
Sudan(config)#ephone-dn 1
Sudan(config-ephone-dn)#number 3001
Sudan(config-ephone-dn)#name zoom
Sudan(config-ephone-dn)#exit
Sudan(config)#ephone-dn 2
Sudan(config-ephone-dn)#number 3002
Sudan(config-ephone-dn)#name ccnp
Sudan(config-ephone-dn)#exit
Sudan(config)#ephone-dn 3
Sudan(config-ephone-dn)#number 3003
Sudan(config-ephone-dn)#name ccna
Sudan(config-ephone-dn)#exit
Sudan(config)#ephone-dn 4
Sudan(config-ephone-dn)#number 3004
Sudan(config-ephone-dn)#name cisco
Sudan(config-ephone-dn)#exit

Sudan(config)#ephone 1
Sudan(config-ephone)# mac-address ****.****.****
Sudan(config-ephone)#button 1:1
Sudan(config-ephone)#exit
Sudan(config)#ephone 2
Sudan(config-ephone)#mac-address ****.****.****
Sudan(config-ephone)#button 1:2
Sudan(config-ephone)#exit


*Here we configure the call routing from Sudan to India. The dial-peer specifies the
IPv4 destination to which the VoIP packets have to be routed when a call to
the mentioned phone number is made.


Sudan(config)#dial-peer voice 10 voip
Sudan(config-dial-peer)#destination-pattern 200.
Sudan(config-dial-peer)#session target ipv4:172.16.1.1
Sudan(config-dial-peer)#exit


QOS

*Initially, configure routing between the LANs of the two routers. The LAN of
India router contains the HTTP and FTP server and the LAN of CORE router
contains the client PCs from where the resources will be accessed.

India#config t
India(config)#ip route 192.168.0.0 255.255.255.0 s1/2
India(config)#exit

CORE#config t
CORE(config)#ip route 0.0.0.0 0.0.0.0 s 0
CORE(config)#exit
CORE(config)#int s0
CORE(config-if)#clock rate 1000000
CORE(config-if)#end


*Using the above configuration, we have enabled routing between the two
networks and also configured the rate of flow over the serial interface between the
routers to be of 1Mbps.

*We now need to monitor the rate of flow of two types of traffic, one HTTP and the
other FTP. For this, we use download manager software on the client-side PC
to observe the download speed of each type of traffic.

*You might observe that when we have traffic via both the protocols, they share
the available bandwidth equally, but in absence of the one, the other takes up the
entire bandwidth. Our aim is to allocate certain amount of bandwidth to each type
of traffic. For this, we need to configure QOS in the INDIA router.

*Step1: Create separate class-maps for each type of traffic by matching it by the
protocol it is using.

INDIA(config)#class-map httpclass
INDIA(config-cmap)#match protocol http
INDIA(config-cmap)#exit

INDIA(config)#class-map ftpclass
INDIA(config-cmap)#match protocol ftp
INDIA(config-cmap)#exit

*Create a policy-map to define what has to be done with each type of traffic that
has been defined in the class-maps.

INDIA(config)#policy-map ccnpqos
INDIA(config-pmap)#class httpclass
INDIA(config-pmap-c)#bandwidth percent 10
INDIA(config-pmap-c)#exit
INDIA(config-pmap)#class ftpclass
INDIA(config-pmap-c)#bandwidth percent 60
INDIA(config-pmap-c)#exit
INDIA(config-pmap)#exit

*The policy-map now has to be implemented on the proper interface in the proper
direction on the router close to the source of the traffic.

INDIA(config)#interface serial 1/2
INDIA(config-if)#service-policy output ccnpqos
INDIA(config-if)#end

*You will observe that in absence of traffic from one protocol, the other takes up
the entire bandwidth. To prevent this, we can configure policing to limit the
bandwidth usage of a certain type of data flow to a fixed value.

INDIA(config)#policy-map ccnpqos
INDIA(config-pmap)#class httpclass
INDIA(config-pmap-c)# police rate percent 10
INDIA(config-pmap-c-police)#exceed-action drop
INDIA(config-pmap-c-police)#end

*Now you will observe that even though you stop the FTP data, the HTTP
download does not cross 10% of the total available bandwidth.

WIRELESS LAN

*For a wireless router, there are two main interfaces. One wired and the other
wireless. The wired interface is the VLAN interface where users from the LAN can
be connected to the router. The wireless interface is the radio antenna through
which users with wireless end systems can connect to the router.

*Configure an ip address on the Dot11Radio interface

adslrouter#config t
adslrouter(config)# interface Dot11Radio 0
adslrouter(config-if)#ip address 192.168.200.1 255.255.255.0

*Configuring SSID and broadcast. Users trying to connect to the wireless network
now will be able to connect without any authentication

adslrouter(config-if)#ssid ccnp
adslrouter(config-if-ssid)#guest-mode
adslrouter(config-if-ssid)#authentication open
adslrouter(config-if-ssid)#exit
adslrouter(config-if)#channel 11
adslrouter(config-if)#speed default

*In case we require the users trying to connect to the wireless network to be
authenticated before they can access the resources, we can configure the
authentication mode and key in the following way.

adslrouter(config-if)#encryption mode wep mandatory
adslrouter(config-if)#encryption key 1 size 128 01234567899876543210012345
adslrouter(config-if)#exit

*Configure a DHCP pool on the wireless router to assign ip address to any user
trying to connect to the router through the wireless network.

adslrouter(config)#ip dhcp pool wireless
adslrouter(dhcp-config)#network 192.168.200.0 255.255
adslrouter(dhcp-config)#default-router 192.168.200.1
adslrouter(dhcp-config)#dns-server 192.168.200.1