Cisco Network Configuration Guide

The document provides configuration examples for DNS, passwords, usernames, interfaces, routing protocols, and other network services on Cisco devices. Configurations include items like enabling services, setting passwords, configuring interfaces, routing protocols, SNMP, NTP, logging, and more.

www.cisconetsolutions.com

Login to global configuration mode
  router> enable
  router# configure terminal
  router(config)#

Encrypt clear-text passwords in configuration files. This produces type 7 strings, which are reversible obfuscation rather than encryption: they hide passwords from someone glancing at the screen, not from anyone who can read the configuration file.
  service password-encryption

Configure enable password cisconet with level 15 privilege. The enable password command stores the string in clear text (type 7 with service password-encryption); enable secret stores a hash instead and takes precedence when both are configured, so prefer it.
  enable password cisconet

Configure username admin with privileged EXEC level access and a hidden encrypted password. The password 7 form is what IOS writes to the configuration after service password-encryption; the encoded string follows the 7.
  username admin privilege 15 password 7 <encrypted-string>

Configure local authentication: username cisco with user EXEC level access and a hidden secret password. The secret keyword hashes the password (shown as secret 5, or a later type, in the running configuration) and should be used instead of password 7 wherever possible.
  username cisco privilege 1 secret <password>

Configure VTY 0 4 default lines to enable login with password cisconet and a timeout of 5 minutes
  line vty 0 4
  password cisconet
  login
  exec-timeout 5

Enable local authentication (username and password from the local database) on VTY 0 4 lines
  line vty 0 4
  login local

Configure console port with password cisconet for access security
  line console 0
  password cisconet
  login

Configure PST timezone on a Cisco device
  clock timezone PST -8

Configure SSH version 2 for management access. The hostname and domain name must be set before the RSA key pair is generated, since they form the key label; state the modulus explicitly rather than accepting the small default.
  ip domain-name cisconet.com
  crypto key generate rsa modulus 2048
  ip ssh version 2

Configure Cisco device to only permit inbound SSH connections on default VTY lines (this also disables Telnet on those lines)
  line vty 0 4
  transport input ssh

Configure SNMP community string cisco with read-only access and community string simlabs with read/write access. SNMPv1/v2c community strings travel in clear text, so restrict them with an ACL and avoid read/write strings where SNMPv3 is available.
  snmp-server community cisco ro
  snmp-server community simlabs rw

Configure an external syslog server IP address for sending local system messages
  logging on
  logging host 192.168.3.1

Configure NTP external time server as authoritative time source for a Cisco device
  ntp server 172.16.1.1

Configure the DNS server to which name lookups originating from this network device are sent
  ip name-server 172.16.1.2

Configure DNS domain name for network services
  ip domain-name ccna.cisconet.com

Configure switch port access mode and assign VLAN 10
  interface fastethernet0/1
  switchport mode access
  switchport access vlan 10

Configure trunking with native VLAN 999 and allow only VLANs 10-12 on a port that is otherwise at its default configuration
  interface fastethernet0/1
  switchport mode trunk
  switchport trunk native vlan 999
  switchport trunk allowed vlan 10-12

Enable DTP on a switch port to send request frames and negotiate dynamic trunking with the neighbor switch. Because DTP lets whatever is attached negotiate a trunk, ports facing end hosts should instead be hard-coded as access ports.
  interface fastethernet0/1
  switchport mode dynamic desirable

Configure PAgP desirable mode on a switch port for dynamic EtherChannel negotiation and assign it to channel group 1
  interface fastethernet0/1
  switchport mode access
  switchport access vlan 10
  duplex auto
  speed auto
  channel-group 1 mode desirable

Configure LACP active mode on a switch port for dynamic EtherChannel negotiation and assign it to channel group 1
  interface fastethernet0/1
  switchport mode access
  switchport access vlan 10
  duplex auto
  speed auto
  channel-group 1 mode active

Configure VTP server mode on a switch with password ccnalab and VTP domain name cisconet. Trunking is required on uplinks between switches.
  vtp mode server | client | transparent
  vtp password ccnalab
  vtp domain cisconet

Enable Rapid PVST+ globally on a switch
  spanning-tree mode rapid-pvst

Configure PortFast and BPDU guard on a switch port
  interface fastethernet0/1
  switchport mode access
  switchport access vlan 10
  spanning-tree portfast
  spanning-tree bpduguard enable

Configure a Layer 2 switch with a default gateway for Telnet management access
  ip default-gateway 172.16.1.3

Enable CDP globally on a Cisco network device
  cdp run
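The password items on this page (service password-encryption, enable password, username ... password 7) all rely on type 7 encoding. The following Python is an added example, not code from the original page or from cisconetsolutions.com: it implements the type 7 scheme (a fixed XOR key indexed from a two-digit seed), encodes and decodes strings, and scans a constructed running-config sample for type 7 credentials. The sample config and the placeholder hash on its secret line are constructed for the example; the 094F471A1A0A test vector is the well-known encoding of "cisco".

```python
"""Cisco IOS type 7 password obfuscation, the format 'service password-encryption'
writes to the configuration. Added illustration, not code from the original page."""
import re

# Fixed XOR key IOS uses for type 7 strings. The first two decimal digits of a stored
# value are the starting offset (seed, 0-15) into this key; positions beyond 40 only
# matter for long passwords or high seeds.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover the clear-text password from a 'password 7 ...' string."""
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode()


def type7_encode(plain: str, seed: int = 9) -> str:
    """Produce what IOS would store for 'plain' (IOS picks the seed itself)."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS seeds are 0-15")
    data = bytes(c ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, c in enumerate(plain.encode()))
    return f"{seed:02d}{data.hex().upper()}"


# Matches 'password 7 <hex>' on enable, username and line entries; hashed 'secret' lines
# deliberately do not match, since they cannot be reversed this way.
_TYPE7_LINE = re.compile(r"\bpassword 7 ([0-9A-Fa-f]{4,})\s*$")


def audit_type7(running_config: str) -> list:
    """Return (config line, clear text) for every type 7 credential in a running config."""
    findings = []
    for line in running_config.splitlines():
        m = _TYPE7_LINE.search(line)
        if m:
            findings.append((line.strip(), type7_decode(m.group(1))))
    return findings


# Constructed sample mirroring the page's enable/username items after
# 'service password-encryption'. The secret 9 line is a hashed credential that the
# audit correctly leaves alone; its value is a placeholder, not real IOS output.
SAMPLE_RUNNING_CONFIG = """
service password-encryption
enable password 7 094F471A1A0A
username admin privilege 15 password 7 094F471A1A0A
username ops privilege 15 secret 9 <scrypt-hash-placeholder>
"""

if __name__ == "__main__":
    for line, clear in audit_type7(SAMPLE_RUNNING_CONFIG):
        print(f"{line!r} -> {clear!r}")
```

Run against a real running configuration, audit_type7 lists exactly the credentials an attacker with read access to the config (a backup share, a TFTP server, a SNMP read of the config) recovers instantly; that is the argument for enable secret and username ... secret over password 7.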
Enable LLDP globally on a Cisco network device
  lldp run

Enable IPv6 address autoconfiguration (SLAAC) on an interface
  ipv6 unicast-routing
  interface fastethernet1/0
  ipv6 address autoconfig
  no shutdown

Configure an IPv6 address whose host portion (interface identifier) is generated from the interface MAC address
  ipv6 unicast-routing
  interface fastethernet1/0
  ipv6 address 2001:db8:3c4d:4::/64 eui-64
  no shutdown

Configure IPv4 static route to destination 172.16.1.0/24 with next hop 172.16.2.1 (the destination is the network address; IOS rejects a prefix with host bits set)
  ip route 172.16.1.0 255.255.255.0 172.16.2.1

Configure IPv4 default route with next hop of 172.33.1.2 (IPv4 static routes take a dotted mask, not a prefix length)
  ip route 0.0.0.0 0.0.0.0 172.33.1.2

Configure IPv6 static route to destination subnet 2001:DB8:3C4D:1::/64 with next hop 2001:DB8:3C4D:2::1
  ipv6 unicast-routing
  ipv6 route 2001:DB8:3C4D:1::/64 2001:DB8:3C4D:2::1

Configure IPv6 default route with next hop of 2001:DB8:3C4D:2::1
  ipv6 unicast-routing
  ipv6 route ::/0 2001:DB8:3C4D:2::1

Configure IPv4 floating static route to destination 192.168.3.0/24 with AD = 200. An administrative distance of 200 is higher than any IGP, so the route is installed only when the dynamically learned route disappears.
  ip route 192.168.3.0 255.255.255.0 192.168.2.2 200

Configure OSPFv2 globally advertising subnet 192.168.0.0/24 to area 0 and 172.16.1.0/24 to area 1 (the network statement takes a wildcard mask, so /24 is written 0.0.0.255)
  router ospf 1
  router-id 172.16.1.255
  network 192.168.0.0 0.0.0.255 area 0
  network 172.16.1.0 0.0.0.255 area 1

Configure OSPFv3 on a router interface and assign it to area 0. Two global commands enable OSPFv3 for the router: ipv6 unicast-routing and the ipv6 router ospf process, which is assigned process ID 1 in this example. The interface is enabled when it is assigned to process ID 1 and area 0.
  ipv6 unicast-routing
  ipv6 router ospf 1
  router-id 192.168.1.1
  interface gigabitethernet0/0
  no ip address
  ipv6 enable
  ipv6 address 2001:AB3E::/64 eui-64
  ipv6 ospf 1 area 0

Configure RIPv2 globally and advertise the 172.33.0.0 and 192.168.1.0 networks. Advertise a default route to all RIPv2 neighbors and turn off automatic summarization so that subnet masks are carried in updates (classless routing).
  router rip
  version 2
  network 172.33.0.0
  network 192.168.1.0
  default-information originate
  no auto-summary

Configure EIGRP for IPv4 globally advertising subnets 192.168.1.0/24 and 172.16.3.0/24 in AS 10. IOS also accepts a subnet mask on the EIGRP network statement and converts it to the wildcard mask shown here.
  router eigrp 10
  network 192.168.1.0 0.0.0.255
  network 172.16.3.0 0.0.0.255

Configure EIGRP for IPv6 globally and on interface Gi0/0 in autonomous system 1 (the IPv6 EIGRP process starts shut down on older releases, hence the no shutdown under the router process)
  ipv6 unicast-routing
  ipv6 router eigrp 1
  router-id 172.16.1.1
  no shutdown
  interface gigabitethernet0/0
  ipv6 address autoconfig
  ipv6 eigrp 1
  no shutdown

Configure eBGP peering with a remote BGP peer. Assign the local router to private AS 65535 and the neighbor at address 172.16.1.2 to AS 65534. Advertise subnet 10.10.34.0/24 to the remote peer.
  router bgp 65535
  neighbor 172.16.1.2 remote-as 65534
  network 10.10.34.0 mask 255.255.255.0

Configure an SVI on a Layer 2 switch for Telnet access
  interface vlan 10
  ip address 172.16.1.1 255.255.255.0
  no shutdown

Configure subinterfaces on a router to enable inter-VLAN routing for VLAN 10, VLAN 11 and VLAN 12. A trunk port is required on the switch (not shown) to carry the VLANs to the router.
  interface gigabitethernet0/0.10
  encapsulation dot1q 10
  ip address 192.168.10.254 255.255.255.0
  interface gigabitethernet0/0.11
  encapsulation dot1q 11
  ip address 192.168.11.254 255.255.255.0
  interface gigabitethernet0/0.12
  encapsulation dot1q 12
  ip address 192.168.12.254 255.255.255.0

Configure port security on a switch interface and add the learned MAC address dynamically to the running configuration (sticky). Limit the number of hosts on the switch port to a maximum of one. Port security is only accepted on a static access port, and the default violation action shuts the port down.
  interface fastethernet0/1
  switchport mode access
  switchport port-security
  switchport port-security mac-address sticky
  switchport port-security maximum 1

Configure HSRPv2 on an interface as active for group 1 with virtual IP address 172.16.1.3 for that HSRP group
  interface gigabitethernet0/1
  ip address 172.16.1.1 255.255.255.0
  standby version 2 (enable HSRPv2)
  standby 1 preempt (compare priorities for group 1)
  standby 1 priority 110 (local router is active)
  standby 1 ip 172.16.1.3 (virtual IP address)

Configure static NAT between inside local IP address 172.16.1.1 (private) and inside global IP address 200.16.1.1 (routable). With the tcp and port arguments shown, the translation applies to TCP port 80 only (static PAT); omit them for a one-to-one translation of the whole address.
  ip nat inside source static tcp 172.16.1.1 80 200.16.1.1 80

Configure NAT pool inet with public addresses and the overload keyword for port address translation. Configure an ACL to give hosts on subnet 192.168.1.0/24 internet access. Enable NAT on an inside and an outside interface.
  ip nat pool inet 172.33.1.1 172.33.1.9 netmask 255.255.255.0
  ip nat inside source list 100 pool inet overload
  access-list 100 permit ip 192.168.1.0 0.0.0.255 any
  interface gigabitethernet0/0
  ip nat inside
  interface gigabitethernet0/1
  ip nat outside

Standard ACL
The number range is 1-99 and 1300-1999. A standard ACL is made up of permit or deny statements that match on a source address with a wildcard mask only. Every ACL ends with an implicit deny, so a single deny statement needs permit any as the last statement or packets from all other sources are dropped as well.
  access-list 99 deny host 172.33.1.1
  access-list 99 permit any

Standard Named ACL
Defined with a name instead of a number and following the same rules as a standard ACL. The following ACL is named internet and denies all traffic from all hosts on the 192.168.1.0/24 subnet, logging the packets it denies. The log keyword belongs on the entry to be logged, not on the ip access-list line.
  ip access-list standard internet
  deny 192.168.1.0 0.0.0.255 log
  permit any

Extended Named ACL
Defined with a name and supporting all syntax available with extended ACLs. Statements can be added to or deleted from a named ACL individually without deleting and rewriting all lines, and descriptive names make the ACL easier to manage and troubleshoot. The following named ACL permits HTTP traffic from hosts on the 192.168.0.0/16 subnets to server 192.168.3.1.
  ip access-list extended http-filter
  remark permit http to web server
  permit tcp 192.168.0.0 0.0.255.255 host 192.168.3.1 eq 80
  permit ip any any

Extended ACL
The number range is 100-199 and 2000-2699. An extended ACL supports multiple permit/deny statements matching on source and destination IP address or subnet, and can filter on the IP, TCP or UDP protocol and on destination port. Because of the implicit deny at the end, an extended ACL that is meant to allow whatever it does not explicitly filter needs permit ip any any as its last statement; leave it out only when the intent is to drop all unmatched traffic.

Cisco best practices for creating and applying ACLs
  - apply extended ACLs near the source
  - apply standard ACLs near the destination
  - order an ACL with multiple statements from most specific to least specific
  - one ACL can be applied per direction (inbound or outbound) per interface per Layer 3 protocol
  - IPv6 supports only named ACLs and denies all traffic as an implicit default after the last statement of the ACL

ACL Example 1
The following statement permits HTTP traffic from host 10.1.1.1 to host 10.1.2.1 (the host keyword matches a single address, equivalent to a 0.0.0.0 wildcard)
  access-list 100 permit tcp host 10.1.1.1 host 10.1.2.1 eq 80
The access control list (ACL) statement reads from left to right as: permit TCP traffic from the source host only, to the destination host, with destination port HTTP (80). The tcp keyword matches TCP-based applications; the udp keyword is used for UDP-based applications such as SNMP.

ACL Example 2
What is the purpose or effect of applying the following ACL?
  access-list 100 deny ip host 192.168.1.1 host 192.168.3.1
  access-list 100 permit ip any any
The first statement denies all application traffic from host-1 (192.168.1.1) to the web server (host 192.168.3.1). The ip keyword refers to Layer 3 and matches every protocol carried in IP, so all applications are affected. The last statement is required to permit all other traffic.

ACL Example 3
What is the purpose or effect of applying the following ACL?
  access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq telnet
  access-list 100 permit ip any any
The first statement permits Telnet traffic from all hosts on the 192.168.1.0/24 subnet, including host-1 (192.168.1.1) and host-2 (192.168.1.2). The tcp keyword operates at Layer 4 and, combined with eq telnet, matches only the specified TCP application. The any keyword allows Telnet sessions to any destination host. The last statement is required to permit all other traffic. Note that as written this ACL blocks nothing: the second statement would permit the Telnet traffic anyway, so the first only provides a separate hit counter.

ACL Example 4
What is the purpose or effect of applying the following ACL?
  access-list 100 permit ip 172.16.1.0 0.0.0.255 host 192.168.3.1
  access-list 100 deny ip 172.16.2.0 0.0.0.255 any
  access-list 100 permit ip any any
  - The first statement permits hosts on subnet 172.16.1.0/24 access to all applications on server-1 (192.168.3.1)
  - The second statement denies hosts on subnet 172.16.2.0/24 access to any destination, including server-1; that covers any hosts later added to that subnet and any new servers
  - The last statement is required to permit all other traffic not matched by the previous statements
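The four ACL examples above all turn on the same three rules: entries are evaluated top down and the first match wins, the ip keyword matches every protocol while tcp/udp with eq narrows to one port, and anything that reaches the end of the list hits the implicit deny. The following Python is an added example, not code from the original page or from cisconetsolutions.com: it parses IOS-style numbered and named ACL lines (standard and extended) and evaluates packets against them. It also shows the wildcard-mask matching that the OSPF and EIGRP network statements on this page rely on. The SAMPLE_CONFIG is constructed from the page's own ACLs, with Example 4 renumbered to 101 so it can coexist with Example 1; the PORT_KEYWORDS table is the subset of IOS keywords this example understands.

```python
"""IOS-style ACL evaluator: parses numbered/named standard and extended ACL lines
and applies IOS first-match semantics with the implicit deny at the end.
Added illustration, not code from the original page."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port keywords IOS accepts in extended ACL syntax (subset; note DNS is "domain", not "dns")
PORT_KEYWORDS = {"ftp": 21, "telnet": 23, "domain": 53, "tftp": 69, "www": 80, "ntp": 123}

ANY = (0, 0xFFFFFFFF)  # "any" = 0.0.0.0 with wildcard 255.255.255.255


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every IP protocol; else "tcp", "udp", "icmp"
    src: tuple                   # (network, wildcard) as integers
    dst: Optional[tuple] = None  # None for standard ACLs (source-only)
    dport: Optional[int] = None  # destination port from "eq", if present


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _take_addr_spec(tokens: list) -> tuple:
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D W.X.Y.Z' | bare 'A.B.C.D'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (_addr(tokens.pop(0)), 0)
    net = _addr(tok)
    wild = _addr(tokens.pop(0)) if tokens and tokens[0][0].isdigit() else 0
    return (net, wild)


def parse_acl(config: str) -> dict:
    """Return {acl name or number: (kind, [Entry, ...])} from running-config lines."""
    acls, current = {}, None
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "access-list":                 # access-list N permit|deny ...
            number = int(tokens[1])
            kind = "standard" if number <= 99 or 1300 <= number <= 1999 else "extended"
            current = str(number)
            acls.setdefault(current, (kind, []))
            tokens = tokens[2:]
        elif tokens[:2] == ["ip", "access-list"]:      # ip access-list standard|extended NAME
            current = tokens[3]
            acls[current] = (tokens[2], [])
            continue
        if current is None or tokens[0] not in ("permit", "deny"):
            continue                                   # remark lines and unrelated config
        kind, entries = acls[current]
        action = tokens.pop(0)
        if kind == "standard":
            entries.append(Entry(action, "ip", _take_addr_spec(tokens)))
            continue
        proto = tokens.pop(0)
        src = _take_addr_spec(tokens)
        dst = _take_addr_spec(tokens)
        dport = None
        if tokens[:1] == ["eq"]:
            dport = PORT_KEYWORDS.get(tokens[1]) or int(tokens[1])
        entries.append(Entry(action, proto, src, dst, dport))
    return acls


def _matches(addr: str, spec: tuple) -> bool:
    net, wild = spec                      # wildcard 1-bits are "don't care"
    return (_addr(addr) | wild) == (net | wild)


def evaluate(acl: tuple, proto: str, src: str, dst: str, dport: Optional[int] = None) -> tuple:
    """First matching entry wins; returns (action, 1-based line). No match: implicit deny, line 0."""
    kind, entries = acl
    for line, e in enumerate(entries, 1):
        if e.proto not in ("ip", proto) or not _matches(src, e.src):
            continue
        if kind == "extended":
            if not _matches(dst, e.dst) or (e.dport is not None and e.dport != dport):
                continue
        return e.action, line
    return "deny", 0


# Constructed sample: the page's standard ACL 99, Example 1 (as 100), Example 4 (as 101)
# and the extended named ACL http-filter.
SAMPLE_CONFIG = """
access-list 99 deny host 172.33.1.1
access-list 99 permit any
access-list 100 permit tcp host 10.1.1.1 host 10.1.2.1 eq 80
access-list 101 permit ip 172.16.1.0 0.0.0.255 host 192.168.3.1
access-list 101 deny ip 172.16.2.0 0.0.0.255 any
access-list 101 permit ip any any
ip access-list extended http-filter
 remark permit http to web server
 permit tcp 192.168.0.0 0.0.255.255 host 192.168.3.1 eq www
 permit ip any any
"""

if __name__ == "__main__":
    acls = parse_acl(SAMPLE_CONFIG)
    # HTTPS to the same host falls through ACL 100 to the implicit deny (line 0)
    print(evaluate(acls["100"], "tcp", "10.1.1.1", "10.1.2.1", 443))
    print(evaluate(acls["101"], "tcp", "172.16.2.5", "192.168.3.1", 80))
```

The returned line number is the same thing the counters in show access-lists tell you on a real device, and it is the quickest way to check whether a permit ip any any at the bottom is really what the ACL falls through to or whether the implicit deny is doing the filtering.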

An ACL is applied to an interface with the ip access-group command. Routers often have multiple interfaces with hosts assigned. An ACL applied outbound on an interface shared by multiple subnets filters traffic from all hosts on all of those subnets.

Application Ports

  Application   Port              ACL keyword*
  FTP           TCP 21            ftp
  SSH           TCP 22            22 (port number)
  Telnet        TCP 23            telnet
  DNS           TCP 53 | UDP 53   domain
  TFTP          UDP 69            tftp
  HTTP          TCP 80            www
  NTP           UDP 123           ntp
  HTTPS         TCP 443           443 (port number)

*use the protocol keyword or the port number in the ACL statement; the port number is accepted in every release, and the IOS keyword for DNS is domain, not dns

IPv4 ACL vs IPv6 ACL

  - IPv6 supports only named ACLs
  - IPv6 ACLs implicitly permit ICMPv6 Neighbor Discovery (the IPv6 equivalent of ARP) ahead of the implicit deny
  - IPv6 ACLs deny all other traffic as an implicit default after the last line of the ACL
