Escolar Documentos
Profissional Documentos
Cultura Documentos
Version 1.1
Written by
Marc Bouchard
www.subnet192.com
Special thanks…........................................................................................................................................... 48
www.subnet192.com 2
Introduction
Studying for the CCENT/CCNA exams is challenging. There are a lot of resources out there, lots of
material but there was nothing I could find to meet my objective: provide me with a challenge, and then
show a step by step explanation to validate the tasks.
This guide is in no way endorsed by Cisco Systems. I created this document out of personal need and to
help myself memorize and learn the various commands and configurations. I thought I should share this
with others to assist in actually learning hands-on skills with Cisco equipment. Also, note that I didn’t
reinvent the wheel here. Most of this is inspired from personal experience in my own lab, from
information gathered on the internet, from some of the simulators, etc.
This guide is provided FREE of charge. If you paid for this guide, you got ripped off. I do however
accept donations of any amount via Paypal at marc@subnet192.com if you find this guide of use and
want to thank me for my efforts. Visit my site at www.subnet192.com for more information and the
latest guides!
My recommendations, for a reasonably priced lab that would get you through the CCNA curriculum
would be the following.
3 www.subnet192.com
How this guide works…
First off, this is not intended to explain any of the concepts. There are fantastic books out there for that
job. This guide attempts to make you think about what you need to do, which commands are required
to complete each step and so on.
In this guide, there is no goal topology, as it will change depending on the objectives of each lab. The
various topologies are all based on my recommendations for hardware above. You can also perform
most of the steps using Cisco’s Packet Tracer software if you are part of the Cisco Learning Academy, but
be aware that some commands may not be fully implemented.
Also, by now you should be familiar with the familiar prompts of the IOS (the exec mode #, the config
mode (config)#, etc.) so steps to get you into these modes will not be identified in the walkthrough.
www.subnet192.com 4
Lab 1 – VLAN Trunking Protocol (VTP)
Material required: 3 switches, 1 PC, rollover cable, crossover and standard Ethernet cables.
Objectives
This lab will guide you in configuring VTP in the lab environment.
Preparation
Configure all three switches using the scripts in appendix 1.
DISCONNECT all crossover cables from S1.
Configure your laptop with the IP address 192.168.1.100/24
Cisco CCNA Lab Guide
5 www.subnet192.com
Tasks
Open a terminal emulator session to S1 (console)
o Display VLAN configuration.
o Display switch ports information from the running-configuration using output modifiers
to begin the display at interface FastEthernet0/1.
o Display the default VTP configuration information.
o Configure all switch ports to access mode.
o Set the VTP mode to Transparent.
o Save the configuration.
Open a terminal emulator session to S2 (console)
o Configure all switch ports to access mode.
o Configure VTP
Set the VTP mode to Server.
Set the VTP domain to CCNALAB.
Set the VTP version to 2.
o Save the configuration.
Open a terminal emulator session to S3 (console)
o Configure all switch ports to access mode.
o Set the VTP mode to Client.
o Save the configuration.
Experimentation
o Display and compare the VTP configuration information on all 3 switches.
o Connect the topology together using the diagram at the beginning of the lab.
o Telnet to S3.
o Display the VTP configuration information.
Is the domain name set? Why?
No trunks exist between the switches so VTP doesn’t do anything.
o Configure all the links between switches to trunk mode.
o Display the interface status to confirm trunk is enabled.
o Display the VTP configuration information on S1 and S3.
Is the domain name set? Why?
S1: Transparent mode switches ignore VTP broadcasts.
S3: Trunks are enabled and all server and clients receive VTP updates.
However, since no VLANs exist, no VTP traffic is generated so the
domain name might not be configured yet.
Cisco CCNA Lab Guide
www.subnet192.com 6
o Create VLAN 100 on S1.
What happens? Is it propagated to other switches?
VLAN is created but remains local to this switch.
o Create VLAN 300 on S3.
What happens?
Unable to create a VLAN, client mode doesn’t allow creation.
o Create VLAN 200 on S2.
Is it propagated to other switches? Which ones?
Yes it is. S3 receives the update as it is in client mode.
o Display the VLAN and VTP configuration on S3 and observe what has changed.
o Enable debugging of VTP events on S3.
Attempt to perform all the tasks listed above before going through the walkthrough.
Cisco CCNA Lab Guide
7 www.subnet192.com
Walkthrough
On S1:
S1#show vlan
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 0 0
1003 tr 101003 1500 - - - - - 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trnet 101005 1500 - - - ibm - 0 0
www.subnet192.com 8
Display the default VTP configuration information
On S2:
Configure VTP
On S3:
9 www.subnet192.com
Experimentation:
S2(config)#interface fa0/1
S2(config-if)#switchport mode trunk
S3(config)#interface fa0/1
S3(config-if)#switchport mode trunk
Cisco CCNA Lab Guide
www.subnet192.com 10
Display the interface status to confirm trunk is enabled
S1(config)#VLAN 100
S3(config)#VLAN 300
VTP VLAN configuration not allowed when device is in CLIENT mode. Unable to create!
S2(config)#vlan 200
11 www.subnet192.com
Display the VLAN and VTP configuration on S3 and observe what has changed
www.subnet192.com 12
Lab 2 – Spanning Tree Protocol (STP)
Material required: 3 switches, 1 PC, crossover and standard Ethernet cables.
Objectives
This lab will guide you in configuring STP in the lab environment.
Preparation
Connect a crossover cables on FastEthernet ports 02 on between S2 and S3.
Remove VLAN 100 from S1.
Remove VLAN 200 from S2.
Tasks
Configure ports FastEthernet 0/2 on S2 and S3 to trunk mode using the dynamic modes.
Display the trunk interfaces information.
Display the spanning tree information summary on all switches to identify the root.
Display the spanning tree information details on the root bridge and the blocking switch.
On the blocking switch, force a path change by changing the cost of the uplink to the root.
Disconnect one of the cables going to your root bridge. Observe the spanning tree on the switch
at the other end of that cable (switching between ports, going into listening mode etc.)
Reconnect the cable.
Force another switch to become your primary root bridge.
Disable spanning tree on all switches and cause a broadcast storm. Observe what happens.
Re-enable spanning tree.
Enable Rapid STP on all switches and verify STP summary.
On the blocking switch, enable Spanning Tree events debugging and…
o Disable the root port interface.
o Observe STP events.
Cisco CCNA Lab Guide
Attempt to perform all the tasks listed above before going through the walkthrough.
13 www.subnet192.com
Walkthrough
Configure ports Fa0/2 on both switches to trunk mode using the dynamic modes
Fa0/2 1
www.subnet192.com 14
Display the spanning tree information summary on all switches
S1#show spanning-tree
VLAN0001 Note that a spanning-tree has been defined for each VLAN (PVST)
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 000a.4117.5300
This bridge is the root This is the root bridge in my lab.
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
S2#show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 000a.4117.5300
Cost 19
Port 1 (FastEthernet0/1) I can reach the root through this port.
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
S3#show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 000a.4117.5300
Cost 19
Port 1 (FastEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
15 www.subnet192.com
Display the spanning tree information details on the root bridge and the blocking
switch
On root bridge:
S1#show spanning-tree detail
www.subnet192.com 16
On blocking switch:
S2#show spanning-tree detail
17 www.subnet192.com
Disconnect one of the cables going to your root bridge. Observe…
S2#ping
Protocol [ip]:
Target IP address: 192.168.1.5
Repeat count [5]: 20000
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 20000, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.
You can repeat the following command to see the various status of the interface:
S2#show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 000a.4117.5300
Cost 38
Port 2 (FastEthernet0/2)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
www.subnet192.com 18
Force another switch to become your primary root bridge
You can then perform a show spanning-tree command to view the changes.
S1#ping 4.2.2.2
Then watch the port lights on your switch. They should start blinking non-stop. The CLI
will probably be slower to respond while this is happening. To restore everything back to
normal, repeat the following steps on all switches:
S1(config)#spanning-tree vlan 1
19 www.subnet192.com
On the blocking switch, enable Spanning Tree events debugging and…
S2(config)#interface fa0/1
S2(config-if)#shutdown
S2(config-if)#no shutdown
S2(config-if)#
12:09:20: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
S2(config-if)#
12:09:22: RSTP(1): initializing port Fa0/1
12:09:22: RSTP(1): Fa0/1 is now designated
12:09:22: RSTP(1): transmitting a proposal on Fa0/1
12:09:22: RSTP(1): updt roles, superior bpdu on Fa0/1 (synced=0)
12:09:22: RSTP(1): Fa0/1 is now root port
12:09:22: RSTP(1): Fa0/2 blocked by re-root
12:09:22: RSTP(1): Fa0/2 not in sync
12:09:22: RSTP(1): Fa0/2 is now alternate
12:09:22: RSTP(1): synced Fa0/1
12:09:22: RSTP(1): synced Fa0/1
12:09:22: RSTP(1): transmitting an agreement on Fa0/1 as a response to a proposal
12:09:23: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state
to up
www.subnet192.com 20
Lab 3 – VLAN Routing (Router on-a-stick)
Material required: 1 switch, 1 router, 2 PC, 3 standard Ethernet cables.
Objectives
Configuring and understanding inter-VLAN routing.
Preparation
Disconnect all Ethernet cables from S1.
Connect R1 to port Fa0/1 on S1.
Connect PC1 to port Fa0/4 on S1.
Connect PC2 to port Fa0/5 on S1.
Configure R1 and S1 using the scripts in appendix 2.
Prepare two computers using the following configurations.
o Both: 100mbps/full duplex
o PC1: IP address: 10.1.0.5/24, Gateway: 10.1.0.1
PC2: IP address: 10.2.0.5/24, Gateway: 10.2.0.1
Tasks
On S1, perform the following tasks
o Create VLAN 10, with a description of “Students” and assign port Fa0/4 to it.
o Create VLAN 20, with a description of “Faculty” and assign port Fa0/5 to it.
o Configure port Fa0/1 to forward VLAN information to the router.
On R1, perform the following tasks
o Create a sub-interface named Fa0/0.10, that is part of VLAN 10.
o Set the sub-interface IP address to 10.1.0.1/24
o Create a sub-interface named Fa0/0.20, that is part of VLAN 20.
o Set the sub-interface IP address to 10.2.0.1/24
Cisco CCNA Lab Guide
21 www.subnet192.com
Walkthrough
S1(config)#vlan 10
S1(config-vlan)#name Students
S1(config-vlan)#vlan 20
S1(config-vlan)#name Faculty
S1(config-vlan)#exit
S1(config)#interface fastEthernet 0/4
S1(config-if)#switchport access vlan 10
S1(config-if)#interface fastEthernet 0/5
S1(config-if)#switchport access vlan 20
S1(config-if)#exit
S1(config)#interface fastEthernet 0/1
S1(config-if)#switchport mode trunk
S1(config-if)#^Z
R1(config)#router rip
R1(config-router)#version 2
Cisco CCNA Lab Guide
R1(config-router)#network 10.0.0.0
R1(config-router)#^Z
www.subnet192.com 22
R1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
You are now able to ping from any VLAN to any device on the network (VLAN1, 10 or 20).
23 www.subnet192.com
Lab 4 – Routing Protocols
Material required: 3 switches, 3 routers, 3 DCE-DTE Smart Serial cables, 3 standard Ethernet cables.
OSPF
Objectives
This lab simulates the connection of three different sites with different subnets using OSPF.
Preparation
Connect the DCE end of each cable to the Serial0 interface, and the DTE end to Serial1 of the
neighbor router.
Connect a standard Ethernet cable from Ethernet0 on each router to Port Fa0/1 on each switch.
Configure the switches and routers using the scripts in Appendix 3.
Tasks
Complete the following table:
o Use the first address in each subnet for the router and the last for the switch.
o For the serial links, use the first subnet for R1-R2, the 2nd for R2-R3 and the 3rd for R3-R1.
Configure the addresses on all interfaces and enable all links, set the clock rates to 64000.
Verify all links to ensure connectivity between all components.
Enable OSPF routing using the router number as process ID and enable all routes (summarize if
Cisco CCNA Lab Guide
possible).
From each router, ping all VLAN interface IPs to verify connectivity.
Display the protocol information on R3 to confirm published routes and routing protocol used.
Display the routing table for R2.
Display the OSPF neighbor list on R2.
Display the OSPF database on R2.
www.subnet192.com 24
Walkthrough
S1(config)#interface vlan 1
S1(config-if)#ip address 10.0.1.254 255.255.254.0
S1(config-if)#no shutdown
S1(config-if)#exit
S1(config)#ip default-gateway 10.0.0.1
S2(config)#interface vlan 1
S2(config-if)#ip address 172.16.5.126 255.255.255.128
S2(config-if)#no shutdown
S2(config-if)#exit
S2(config)#ip default-gateway 172.16.5.1
S3(config)#interface vlan 1
S3(config-if)#ip address 192.168.0.62 255.255.255.192
S3(config-if)#no shutdown
S3(config-if)#exit
S3(config)#ip default-gateway 192.168.0.1
25 www.subnet192.com
R3(config-if)#no shutdown
To do so, you can either ping from each end, or use CDP to ensure devices are seen.
R3#ping 192.168.0.62
Enable OSPF routing using the router number as process ID and enable all routes…
R1(config-router)#router ospf 0
From each router, ping all VLAN interface IPs to verify connectivity
From each router, ping the 3 IP addresses that were configured on the switches. Successful pings will
confirm that all sub networks are accessible from everywhere.
R3#ping 192.168.0.62
R3#ping 10.0.1.254
R3#ping 172.16.5.126
Cisco CCNA Lab Guide
www.subnet192.com 26
Display the protocol information on R3 to confirm published routes…
R3#show ip protocols
Routing Protocol is "ospf 3"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 192.168.0.1
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
10.50.0.0 0.0.255.255 area 0
192.168.0.0 0.0.255.255 area 0
Reference bandwidth unit is 100 mbps
Routing Information Sources:
Gateway Distance Last Update
10.50.0.10 110 00:07:43
172.16.5.1 110 00:07:43
Distance: (default is 110)
R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
27 www.subnet192.com
EIGRP
Objectives
This lab simulates the connection of three different sites with different subnets using EIGRP.
Preparation
The topology configured for the OSPF section will be used. No changes required.
Tasks
Disable OSPF on all routers.
Enable EIGRP using ASN 1.
Enable all routes.
Display the routing table on R2.
Display the protocol information on R3.
Display the neighbors list on R2.
From each router, ping all VLAN interface IPs to verify connectivity.
www.subnet192.com 28
Walkthrough
R1(config)#router eigrp 1
R2(config)#router eigrp 1
R3(config)#router eigrp 1
R1(config-router)#network 10.50.0.0
R2(config-router)#network 10.50.0.0
R2(config-router)#network 172.16.0.0
R3(config-router)#network 10.50.0.0
R3(config-router)#network 192.168.0.0
R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
29 www.subnet192.com
Display the protocol information on R3
R3#show ip protocols
Routing Protocol is "eigrp 1"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Default networks flagged in outgoing updates
Default networks accepted from incoming updates
EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
EIGRP maximum hopcount 100
EIGRP maximum metric variance 1
Redistributing: eigrp 1
EIGRP NSF-aware route hold timer is 240s
Automatic network summarization is in effect
Automatic address summarization:
192.168.0.0/24 for Serial0/0, Serial0/1
Summarizing with metric 28160
10.0.0.0/8 for FastEthernet0/0
Summarizing with metric 2169856
Maximum path: 4
Routing for Networks:
10.0.0.0
192.168.0.0
Routing Information Sources:
Gateway Distance Last Update
(this router) 90 00:29:36
Gateway Distance Last Update
10.50.0.10 90 00:01:40
10.50.0.5 90 00:01:40
Distance: internal 90 external 170
From each router, ping all VLAN interface IPs to verify connectivity
From each router, ping the 3 IP addresses that were configured on the switches. Successful pings will
confirm that all sub networks are accessible from everywhere.
R3#ping 192.168.0.62
R3#ping 10.0.1.254
…
Cisco CCNA Lab Guide
R3#ping 172.16.5.126
www.subnet192.com 30
Lab 5 – WAN
Material required: 4 routers, 2 switches, 1 PC, 3 DCE-DTE Serial to Smart Serial cables, 4 standard
Ethernet cables.
Ethernet R1 R2 R3 PC S1 S2
Local IP 10.1.0.1/24 10.2.0.1/24 5.1.1.1/24 10.1.0.5/24 10.1.0.2/24 10.2.0.2/24
Addresses
WAN IP 10.100.0.2 10.200.0.2 10.100.0.1 - - -
Addresses 10.200.0.1
Preparation
R4 requires the installation of an NM4/S or equivalent serial interface.
Connect the Serial to Smart Serial cables from R4 Serial 0, 1 and 2 to Smart Serial 0/0 of routers
R1, R2 and R3.
Connect a standard Ethernet cable from FastEthernet0 on R1 and R2 to Port Fa0/1 on each
switch.
If available, connect your internet link to the FastEthernet0 port on R3.
Cisco CCNA Lab Guide
31 www.subnet192.com
Tasks
First we will configure the Frame Relay switch (FRSwitch).
o Enable Frame Relay switching.
o Configure the serial interfaces.
Enable encapsulation.
Configure the port as a DCE.
Configure the DLCI routes using the following table
R3 uses DLCI 301 to reach R1 and 302 to reach R2.
R1 uses DLCI 123 to reach R2 and R3.
R2 uses DLCI 213 to reach R1 and R3.
Configure the hub router, using a point-to-point configuration.
Configure the spoke routers.
Display the Serial 0/0 interface information on R1.
Display the frame relay DLCI to Serial interface mappings on R1.
Display the LMI status information on R1.
Verify connectivity from the hub to the spokes.
Display the frame relay routes on FRSwitch.
Display the PVC statistics on FRSwitch.
Enable EIGRP routing on all routers.
Display the routing table on R1.
Verify connectivity from S1 to all IP addresses on the network.
www.subnet192.com 32
Walkthrough
FRSwitch(config)#frame-relay switching
Link to R1 (Spoke)
FRSwitch(config)#interface serial 1/0
FRSwitch(config-if)#encapsulation frame-relay
FRSwitch(config-if)#frame-relay intf-type dce
FRSwitch(config-if)#clock rate 56000
FRSwitch(config-if)#frame-relay route 123 interface serial 1/2 301
FRSwitch(config-if)#no shutdown
Link to R2 (Spoke)
FRSwitch(config)#interface serial 1/1
FRSwitch(config-if)#encapsulation frame-relay
FRSwitch(config-if)#frame-relay intf-type dce
FRSwitch(config-if)#clock rate 56000
FRSwitch(config-if)#frame-relay route 213 interface serial 1/2 302
FRSwitch(config-if)#no shutdown
Link to R3 (Hub)
FRSwitch(config)#interface serial 1/2
FRSwitch(config-if)#encapsulation frame-relay
FRSwitch(config-if)#frame-relay intf-type dce
FRSwitch(config-if)#clock rate 56000
FRSwitch(config-if)#frame-relay route 301 interface serial 1/0 123
FRSwitch(config-if)#frame-relay route 302 interface serial 1/1 213
FRSwitch(config-if)#no shutdown
FRSwitch(config-if)#^Z
33 www.subnet192.com
Configure the spoke routers
www.subnet192.com 34
Display the LMI status information on R1
LMI Statistics for interface Serial0/0 (Frame Relay DTE) LMI TYPE = CISCO
Invalid Unnumbered info 0 Invalid Prot Disc 0
Invalid dummy Call Ref 0 Invalid Msg Type 0
Invalid Status Message 0 Invalid Lock Shift 0
Invalid Information ID 0 Invalid Report IE Len 0
Invalid Report Request 0 Invalid Keep IE Len 0
Num Status Enq. Sent 405 Num Status msgs Rcvd 406
Num Update Status Rcvd 0 Num Status Timeouts 0
R3#ping 10.100.0.2
R3#ping 10.200.0.2
DLCI = 123, DLCI USAGE = SWITCHED, PVC STATUS = ACTIVE, INTERFACE = Serial1/0
35 www.subnet192.com
Enable EIGRP on all routers
R1(config)#router eigrp 1
R1(config-router)#network 10.0.0.0
R2(config)#router eigrp 1
R2(config-router)#network 10.0.0.0
R3(config)#router eigrp 1
R3(config-router)#network 10.0.0.0
R1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
S1#ping 10.1.0.1
S1#ping 10.200.0.1
S1#ping 10.200.0.2
And so on…
Cisco CCNA Lab Guide
www.subnet192.com 36
Lab 6 – Access Lists
Objectives
Configuring and understanding access lists and their various applications.
Preparation
This lab uses the WAN topology from Lab 5.
Tasks
Configure and apply the following access lists at the appropriate location, then test the configuration.
Standard Access Lists (use the first access list number available)
Prevent only the PC from accessing the network where S2 is located. Allow access everywhere
else.
o Verify the access lists to see if they were the ones preventing access.
Allow only S2 to telnet into R1.
Extended Access Lists (use the first access list number available)
Prevent the PC’s subnet from reaching the web management page on R2. Allow all other traffic.
Add a new rule to also prevent the PC exclusively from using telnet outside its subnet.
Review the running configuration to see the configured access lists on R1.
Cisco CCNA Lab Guide
37 www.subnet192.com
Walkthrough
Prevent only the PC from accessing the network where S2 is located. Allow access
everywhere else.
R2#configure terminal
R2(config)#access-list 1 deny host 10.1.0.5
R2(config)#access-list 1 permit any
R2(config)#interface fastEthernet 0/0
R2(config)#ip access-group 1 out
Standard access lists should be applied closest to the destination, thus the outbound port of the router
connected to the subnet to block.
C:\>ping 10.2.0.2
C:\>
R2#show access-lists
Standard IP access list 1
10 deny 10.1.0.5 (8 matches) shows that this rule was “hit” 8 times.
10 permit any (5 matches) shows that this rule was “hit” 5 times.
R1#configure terminal
R1(config)#access-list 1 permit 10.2.0.2
R1(config)#line vty 0 4
R1(config-line)#access-class 1 in
R1(config-line)#^Z
Cisco CCNA Lab Guide
www.subnet192.com 38
Test using telnet from any device (except S2).
S2#telnet 10.1.0.1
Trying 10.1.0.1 ... Open
R1#configure terminal
R1(config)#access-list 100 deny icmp host 10.1.0.5 host 5.1.1.1 echo
R1(config)#access-list 100 permit ip any any
R1(config)#interface fastethernet 0/0
R1(config-if)#ip access-group 100 in
R1(config-if)#^Z
Extended access lists should be applied closest to the source, thus the inbound port of the router
connected to the subnet to block.
C:\>ping 5.1.1.1
C:\>
R1#show access-lists
Standard IP access list 1
10 permit 10.2.0.2 (8 matches) Standard access list is still present
Extended IP access list 100
10 deny icmp host 10.1.0.5 host 5.1.1.1 echo (8 matches) New rule blocking pings
Cisco CCNA Lab Guide
39 www.subnet192.com
Named Access Lists
Prevent the PC’s subnet from reaching the web management page on R2. Allow
all other traffic.
R1#configure terminal
R1(config)#ip access-list extended NOWEB
R1(config-ext-nacl)#deny tcp any 10.2.0.1 0.0.0.0 eq 80
R1(config-ext-nacl)#permit ip any any
R1(config-ext-nacl)#interface fastethernet 0/0
R1(config-if)#ip access-group NOWEB in
R1(config-if)#^Z
You can test by opening a web browser on the PC and trying to access http://10.2.0.1
Add a new rule to also prevent the PC exclusively from using telnet outside its
subnet.
R1#show access-lists
Standard IP access list 1
10 permit 10.2.0.2 (8 matches)
Extended IP access list 100
10 deny icmp host 10.1.0.5 host 5.1.1.1 echo (8 matches)
20 permit ip any any
Extended IP access list NOWEB
10 deny tcp any host 10.2.0.1 eq www
15 deny tcp host 10.1.0.5 any eq telnet
20 permit ip any any
R1#show running-config
Building configuration...
<OUTPUT EDITED>
www.subnet192.com 40
Lab 7 – Network Address Translation (NAT/PAT)
Material required: 2 routers, 1 switch, 1 PC, 1 DCE-DTE Serial to Smart Serial cables, 2 standard Ethernet
cables.
Objectives
Understanding network/port address translation.
Preparation
Connect the DCE end of each cable to the Serial0 interface, and the DTE end to Serial0 of the
neighbor router.
Connect a standard Ethernet cable from Ethernet0 on R1 to Port Fa0/1 on S1.
Connect a standard Ethernet cable from the PC’s Ethernet adapter to Port Fa0/2 on S1.
Configure the switch and router using the scripts in Appendix 5.
Tasks
You have been assigned 6 public addresses in the 24.101.12.8/29 subnet.
o Configure Network Address Translation to allow up to 6 connections to the internet.
o Test by pinging 172.16.1.1 from the PC
o Test by pinging 172.16.1.1 from S1
o Review the translation table on R1
You have been assigned the single public address 200.1.1.18/30 (configured on R1 S0/0).
o Remove the commands from NAT that shouldn’t be there.
o Configure Port Address Translation to share the single IP address.
o Test by pinging 172.16.1.1 from the PC
o Test by pinging 172.16.1.1 from S1
o Review the translation table on R1
Cisco CCNA Lab Guide
41 www.subnet192.com
Walkthrough
R1#configure terminal
R1(config)#ip nat pool PUBLIC-ACCESS 24.101.12.9 24.101.12.14 netmask 255.255.255.248
R1(config)#access-list 1 permit 192.168.0.0 0.0.0.255
R1(config)#ip nat inside source list 1 pool PUBLIC-ACCESS
R1(config)#interface fastEthernet 0/0
R1(config)#ip nat inside
R1(config)#interface serial 0/0
R1(config)#ip nat outside
R1#configure terminal
R1(config)#no ip nat inside source list 1 pool PUBLIC-ACCESS
R1(config)#no ip nat pool PUBLIC-ACCESS 24.101.12.9 24.101.12.14 netmask 255.255.255.248
www.subnet192.com 42
Appendix 1
Paste the following script in the CLI on each switch to configure it. Edit to fit your specifications (# of
ports etc.)
43 www.subnet192.com
Appendix 2
Switch>enable
Switch#write erase
Switch#delete flash:vlan.dat
Switch#reload
Paste the following scripts in the CLI on the router and switch to reconfigure them.
www.subnet192.com 44
Appendix 3
Switch>enable
Switch#write erase
Switch#delete flash:vlan.dat
Switch#reload
Paste the following scripts in the CLI on the router and switch to reconfigure them.
45 www.subnet192.com
Appendix 4
Switch>enable
Switch#write erase
Switch#delete flash:vlan.dat
Switch#reload
Paste the following scripts in the CLI on the router and switch to reconfigure them.
www.subnet192.com 46
Appendix 5
Switch>enable
Switch#write erase
Switch#delete flash:vlan.dat
Switch#reload
Paste the following scripts in the CLI on the router and switch to reconfigure them.
PC
IP: 192.168.0.100
Mask: 255.255.255.0
Gateway: 192.168.0.1
Speed : 100
Duplex: Full
Cisco CCNA Lab Guide
47 www.subnet192.com
References & Resources
Cisco official certification information
http://www.cisco.com/web/learning/le3/learning_career_certifications_and_learning_paths_home.html
Software
Dynagen/Dynamips Cisco emulator
http://dynagen.org/
Special thanks…
To my wife Luz and my son Ian, for understanding my passion for technology; and to all of you who went
through this whole guide and thought…
“Wow! What a great guide, I can pass this exam easily now! This guy rocks!”
… and then went to Paypal and sent in a donation to marc@subnet192.com to thank me for all my hard
work.
Marc Bouchard
Cisco CCNA Lab Guide
http://www.subnet192.com
www.subnet192.com 48