Category: ACLs


Complete simulated lab CCNA, ICNDv2, done with Cisco Packet Tracer


This lab simulates LAN switching technologies, IPv4 and IPv6 routing technologies, and WAN technologies.

1 LAN switching technologies
1.2 VTP: the switch SW1 is configured as the VTP server and the remaining switches (SWD1, SWD2, SCORE1, SCORE2, SCORE3) are configured as clients.
SW1#show vtp status
VTP Version : 2
Configuration Revision : 6
Maximum VLANs supported locally : 255
Number of existing VLANs : 8
VTP Operating Mode : Server
VTP Domain Name : CompleteCCNA
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled

1.3 DTP
On switch SW1, the ports FastEthernet0/0 to 0/7 are configured as access ports; the links between SW1 and SWD1 and SWD2 are configured as trunk ports.
SW1(config)#interface FastEthernet0/2
SW1(config-if)#switchport access vlan 10
SW1(config-if)# switchport mode access

SWD1(config)#interface GigabitEthernet0/1
SWD1(config-if)# switchport mode dynamic desirable

SWD2(config)#interface GigabitEthernet0/2
SWD2(config-if)#switchport mode dynamic desirable

Note: when one side is configured as dynamic desirable, the other end must be configured as “Trunk” or “Dynamic auto” (review DTP).
1.3 Spanning-tree protocols
Spanning tree is configured to use Cisco RPVST+ on the switches SWD1, SWD2, SCORE1, SCORE2 and SCORE3. PVST+, the default spanning-tree protocol, is compatible with RPVST+.
SW1(config)#spanning-tree mode rapid-pvst
1.4 PortFast and BPDU guard
The interfaces FastEthernet0/0 to FastEthernet0/7 of switch SW1, because they are access ports, are configured with the PortFast feature and BPDU guard.
SW1(config-if-range)#spanning-tree ?
bpduguard Don’t accept BPDUs on this interface
guard Change an interface’s spanning tree guard mode
link-type Specify a link type for spanning tree protocol use
portfast Enable an interface to move directly to forwarding on link up
vlan VLAN Switch Spanning Tree

1.4a Configuring PortFast
SW1(config-if-range)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc… to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
%Portfast will be configured in 6 interfaces due to the range command
but will only have effect when the interfaces are in a non-trunking mode.
1.4b Configuring bpduguard
SW1(config-if-range)#spanning-tree bpduguard enable

1.5 Etherchannel
1.5a Etherchannel static
The interfaces FastEthernet0/23 and FastEthernet0/24 are bundled together as an EtherChannel.
SWD1>enable
SWD1# configure terminal
SWD1(config)#interface range fa0/23-24
SWD1(config-if-range)#channel-group 3 mode ?
active Enable LACP unconditionally
auto Enable PAgP only if a PAgP device is detected
desirable Enable PAgP unconditionally
on Enable Etherchannel only
passive Enable LACP only if a LACP device is detected

SWD1(config-if-range)#channel-group 3 mode on
1.5b PAgP – the Port Aggregation Protocol by Cisco
SWD1(config-if-range)#channel-group 2 mode auto

If one side is configured as “auto”, the other must be “desirable”; in this case that is SCORE2.

SCORE2>enable
SCORE2# configure terminal
SCORE2(config)#interface range fa0/1-5
SCORE2(config-if-range)#channel-group 2 mode desirable

1.5c LACP
LACP is configured between the switches SWD2 and SCORE1.

SWD2>enable
SWD2# configure terminal
SWD2(config)#interface range fa0/1-5
SWD2(config-if-range)#channel-group 1 mode active

If one side is configured as “active”, the other must be “active” or “passive”; in this case that is SCORE1.

2 Routing technologies
2.1a Router on a stick
On router R2, the subinterfaces Gi0/1.10, Gi0/1.20 and Gi0/1.30 are configured to carry VLAN 10, VLAN 20 and VLAN 30 respectively.
R2>enable
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#interface GigabitEthernet0/1.10
R2(config-subif)#encapsulation dot1Q 10
R2(config-subif)#ip address 192.168.10.1 255.255.255.0

2.1b SVI – Switched Virtual Interface
The SVIs configured on each switch are:
SCORE1
SVI 33 192.168.33.1/28
SVI 27 192.168.27.1/24
SCORE2
SVI 41 192.168.41.1/24
SVI 44 192.168.44.1/24
SCORE3
SVI 40 192.168.40.1/24

SCORE3(config)#interface vlan 40
SCORE3(config-if)#ip address 192.168.40.1 255.255.255.0
SCORE3(config-if)#no shut
SCORE3(config-if)#

2.2 Routing protocols
2.2.1 Configure OSPFv2 for IPv4

An example of configuring OSPFv2:
R1(config)#router ospf 1
R1(config-router)#router-id 1.1.1.1
R1(config-router)#network 172.16.2.0 0.0.0.3 area 0
R1(config-router)#network 192.168.10.0 0.0.0.255 area 0
R1(config-router)#network 192.168.20.0 0.0.0.255 area 0
R1(config-router)#network 192.168.30.0 0.0.0.255 area 0
R1(config-router)#network 172.16.4.0 0.0.0.3 area 1
R1(config-router)#network 172.16.3.0 0.0.0.3 area 1
R1(config-router)#network 172.16.2.4 0.0.0.3 area 2

2.2.2 Configure EIGRP
An example of configuring EIGRP:
R3(config)#router eigrp 13
R3(config-router)#eigrp router-id 3.3.3.3
R3(config-router)#network 172.16.5.0 0.0.0.255
R3(config-router)#network 172.16.2.4 0.0.0.3


3.0 WAN Technologies
3.1 Configure and verify eBGP
An example of configuring BGP as eBGP between the router R7 (AS 65535) and the router ISP3 (AS 64000):
3.1.1 BGP on router R7
R7(config)#router bgp 65535
R7(config-router)#neighbor 198.198.8.1 remote-as 64000
R7(config-router)#network 198.198.8.0 mask 255.255.255.0

3.1.2 BGP on router ISP3
ISP3(config)#router bgp 64000
ISP3(config-router)#neighbor 198.198.8.2 remote-as 65535
ISP3(config-router)#network 6.6.3.0 mask 255.255.255.0
ISP3(config-router)#network 198.198.8.0 mask 255.255.255.0

4.0 Infrastructure services


Complete simulated CCNA ICND2 v3.0 lab done with GNS3


The complete CCNA lab network simulated with GNS3 includes:
HSRP
Dual OSPF: OSPFv2 for IPv4 and OSPFv3 for IPv6
Dual EIGRP: EIGRP for IPv4 and EIGRP for IPv6
PPPoE
ACL
GRE tunnel
eBGP
Inter-vlan trunking
Etherchannel
Multilink


Complete CCNA lab ICND2 v3.0


Common Cisco VTP Troubleshooting Issues, CCNA


1- Different domain. A switch must have the same domain name in order to participate.
Example:

S1(config)#vtp domain NOukgoodbye
Changing VTP domain name from ukgoodbye to NOukgoodbye
S1(config)#vtp mode client
01:06:12 %DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on port Fa0/24 because of VTP domain mismatch.
01:06:13 %DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on port Fa0/2 because of VTP domain mismatch.

VTP domain mismatch

2- Trunk between the switches
The VLAN Trunking Protocol is a Cisco proprietary protocol and, as its name says, it runs over trunks.
VLAN Trunking protocol

For a trunk to form between two switches, the two ends must be configured in one of the following combinations:

Switch 1            Switch 2
Dynamic auto        Dynamic desirable
Dynamic desirable   Dynamic desirable
Trunk               Dynamic desirable
Trunk               Trunk

3- VTP version

4- VTP password

Common issue, trunk mode

Configuring EIGRPv3 and IPv6 ACL, Packet Tracer 7.0


Network diagram:


1- Configuring EIGRP on both routers
1.1 Router 2: EIGRPv3 on both interfaces GigabitEthernet0/0 and GigabitEthernet0/1
R2(config)#ipv6 router eigrp 10
R2(config-rtr)# eigrp router-id 2.2.2.2
R2(config-rtr)# no shutdown

In interface configuration mode for GigabitEthernet0/0 and GigabitEthernet0/1:
R2(config-if)#ipv6 eigrp 10

1.2 Router 1: EIGRPv3 on both interfaces GigabitEthernet0/0 and GigabitEthernet0/1
R1(config)#ipv6 router eigrp 10
R1(config-rtr)# eigrp router-id 1.1.1.1
R1(config-rtr)# no shutdown

In interface configuration mode for GigabitEthernet0/0 and GigabitEthernet0/1:
R1(config-if)#ipv6 eigrp 10

2- Configuring the IPv6 ACL
R2(config)#ipv6 access-list GuestAcl
R2(config-ipv6-acl)# deny tcp host 2001:DB8:1000:1::201 host 2001:DB8:1000:2::100 eq telnet
R2(config-ipv6-acl)# deny tcp host 2001:DB8:1000:1::201 host 2001:DB8:1000:2::100 eq 20
R2(config-ipv6-acl)# deny tcp host 2001:DB8:1000:1::201 host 2001:DB8:1000:2::100 eq ftp
R2(config-ipv6-acl)# deny tcp host 2001:DB8:1000:1::201 host 2001:DB8:1000:2::100 eq domain
R2(config-ipv6-acl)# deny tcp host 2001:DB8:1000:1::201 host 2001:DB8:1000:2::100 eq smtp
R2(config-ipv6-acl)# permit tcp host 2001:DB8:1000:1::201 host 2001:DB8:1000:2::100 eq www
R2(config-ipv6-acl)# deny icmp host 2001:DB8:1000:1::201 host 2001:DB8:1000:2::100 echo-request

2.1 Apply the IPv6 ACL to the interface GigabitEthernet0/1

R2(config)#interface GigabitEthernet0/1
R2(config-if)#ipv6 traffic-filter GuestAcl out

3- Testing the ACL: ping from the PC to the server S1 (2001:db8:1000:2::100)
C:\>ping 2001:db8:1000:2::100
Pinging 2001:db8:1000:2::100 with 32 bytes of data:
Reply from 2001:DB8:1:2::2: Destination host unreachable.
Reply from 2001:DB8:1:2::2: Destination host unreachable.
Reply from 2001:DB8:1:2::2: Destination host unreachable.
Reply from 2001:DB8:1:2::2: Destination host unreachable.

Ping statistics for 2001:DB8:1000:2::100:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
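To make concrete what GuestAcl does to each kind of traffic, including the three entries IOS implicitly appends to every IPv6 ACL (permit ND advertisements and solicitations, then deny everything else), here is an added Python model of first-match ACL evaluation. It is example code written for this page, not part of the lab or of Packet Tracer; the packet fields, the PORT_NAMES mapping and the sample packets are constructed for the demonstration.

```python
import ipaddress
from collections import namedtuple

# TCP port keywords as IOS resolves the ones used in GuestAcl (constructed mapping).
PORT_NAMES = {"telnet": 23, "ftp": 21, "domain": 53, "smtp": 25, "www": 80}
# IOS appends these three entries to every IPv6 ACL; they never appear in the running config.
IMPLICIT_TAIL = ["permit icmp any any nd-na", "permit icmp any any nd-ns", "deny ipv6 any any"]
# A packet as the ACL sees it; proto is "tcp", "udp" or "icmp" (constructed model).
Pkt = namedtuple("Pkt", "proto src dst dport icmp_type", defaults=(0, ""))

def parse_ace(line):
    """Parse 'action proto {any|host A|PFX} {any|host B|PFX} [eq PORT | ICMP-TYPE]'."""
    tok = line.split()
    i = 2
    def addr():
        nonlocal i
        if tok[i] == "any":
            i += 1
            return ipaddress.ip_network("::/0")
        if tok[i] == "host":
            i += 2
            return ipaddress.ip_network(tok[i - 1] + "/128")
        i += 1
        return ipaddress.ip_network(tok[i - 1], strict=False)
    src, dst = addr(), addr()
    port = itype = None
    if i < len(tok) and tok[i] == "eq":
        port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    elif i < len(tok):
        itype = tok[i]
    return tok[0], tok[1], src, dst, port, itype

def evaluate(acl_lines, pkt):
    """First-match evaluation; returns (verdict, matching entry) for one packet."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for line in list(acl_lines) + IMPLICIT_TAIL:
        action, proto, src, dst, port, itype = parse_ace(line)
        if proto not in ("ipv6", pkt.proto) or s not in src or d not in dst:
            continue
        if port not in (None, pkt.dport) or itype not in (None, pkt.icmp_type):
            continue
        return action, line
    raise RuntimeError("unreachable: the implicit deny matches every packet")

# GuestAcl as listed above, between the PC and server S1 (rebuilt from the page's commands).
PC, SRV = "2001:DB8:1000:1::201", "2001:DB8:1000:2::100"
GUEST_ACL = [f"deny tcp host {PC} host {SRV} eq {p}" for p in ("telnet", "20", "ftp", "domain", "smtp")]
GUEST_ACL += [f"permit tcp host {PC} host {SRV} eq www", f"deny icmp host {PC} host {SRV} echo-request"]
```

The echo-request case reproduces the failed ping above; a packet to port 443 shows that anything not explicitly permitted, not only the listed services, is dropped by the implicit deny.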

Download here the .pkt file (configuringeigrpv3andIPv6ACL.pkt) for Cisco Packet Tracer.

Configuring an Access-List, IPv6


1- Create IPv6 ACL

Route2CCNA(config)#ipv6 access-list ?
WORD        User selected string identifying this access list
log-update  Control access list log updates
Route2CCNA(config)#ipv6 access-list block_bad_neighbors

The permit and/or deny entries are defined in IPv6 ACL configuration mode.
Route2CCNA(config-ipv6-acl)#deny ?
<0-255> An IPv6 protocol number
X:X:X:X::X/<0-128> IPv6 source prefix x:x::y/<z>
ahp Authentication Header Protocol
any Any source prefix
esp Encapsulation Security Payload
hbh Hop by Hop options header
host A single source host
icmp Internet Control Message Protocol
ipv6 Any IPv6
pcp Payload Compression Protocol
sctp Streams Control Transmission Protocol
tcp Transmission Control Protocol
udp User Datagram Protocol

Route2CCNA(config-ipv6-acl)#deny any host FE80:::54F0
Route2CCNA(config-ipv6-acl)#permit any any
An IPv6 ACL entry requires both the source and the destination to be specified.

1.1 Add/modify a defined ipv6 access-list. The sequence command is used…
Route2CCNA(config)#ipv6 access-list block_NYEDGE2
Route2CCNA(config-ipv6-acl)#sequence 25 deny any 2001::/64 log
Route2CCNA(config-ipv6-acl)#exit

2- Apply the IPv6 ACL to an interface.
As with IPv4, you need to apply the ACL to an interface.
Route2CCNA#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Route2CCNA(config)#interface gig0/0
Route2CCNA(config-if)#ipv6 traffic ?
WORD Access-list name
Route2CCNA(config-if)#ipv6 traffic block_bad_neighbors ?
in inbound packets
out outbound packets
Route2CCNA(config-if)#ipv6 traffic block_bad_neighbors out

3- Verify the IPv6 ACL
Route2CCNA#show ipv6 access-list

Keep in mind that the ACL name must be exactly the same during its creation and when you are applying to an interface.

4- Apply an IPv6 ACL to the vty or console line
Route2CCNA#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Route2CCNA(config)#line vt 0 15

Route2CCNA(config-line)#ipv6 ?
access-class Filter connections based on an IPv6 access list

Route2CCNA(config-line)#ipv6 access-class acl_not_allowe_telnet ?
in
out

Route2CCNA(config-line)#ipv6 access-class acl_not_allowe_telnet in
Route2CCNA(config-line)#

Keep in mind that Cisco IOS will not tell you that the access-list you applied does not exist. Double-check your access-list name when applying it to an interface or vty line.
Route2CCNA(config-line)#ipv6 access-class acl-donot-exist ou
Route2CCNA(config-if)#ipv6 access-class acl-donot-exist ou
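As an added check for the warning above (example code written for this page, not an IOS feature), this Python audit parses a running-config excerpt and lists every `ipv6 traffic-filter` or `ipv6 access-class` reference whose ACL is never defined. The config text is constructed and reuses the page's ACL names, with one case-mismatched reference added to show that the comparison is exact.

```python
import re

# Constructed running-config excerpt in IOS order (interfaces, then ACLs, then lines).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ipv6 traffic-filter block_bad_neighbors out
!
interface GigabitEthernet0/1
 ipv6 traffic-filter acl-donot-exist in
!
interface GigabitEthernet0/2
 ipv6 traffic-filter Block_Bad_Neighbors in
!
ipv6 access-list block_bad_neighbors
 deny ipv6 any host 2001:DB8::BAD
 permit ipv6 any any
!
line vty 0 15
 ipv6 access-class acl_not_allowe_telnet in
 transport input ssh
"""

DEF_RE = re.compile(r"^ipv6 access-list (\S+)$")
SECTION_RE = re.compile(r"^(interface|line) (.+)$")
REF_RE = re.compile(r"^\s+ipv6 (traffic-filter|access-class) (\S+) (in|out)$")

def find_dangling_acls(config_text):
    """Return [(section, acl_name, direction)] for references with no matching definition."""
    defined, refs, section = set(), [], "global"
    for line in config_text.splitlines():
        m = DEF_RE.match(line)
        if m:
            defined.add(m.group(1))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = f"{m.group(1)} {m.group(2)}"
            continue
        m = REF_RE.match(line)
        if m:
            refs.append((section, m.group(2), m.group(3)))
    # ACL names are case-sensitive on IOS, so the comparison is exact, as the page warns.
    return [r for r in refs if r[1] not in defined]

if __name__ == "__main__":
    for section, name, direction in find_dangling_acls(SAMPLE_CONFIG):
        print(f"{section}: ACL '{name}' applied {direction} but never defined")
```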

Comparing IPv4 and IPv6 Access Control Lists


Similarities and difference between IPv4 and IPv6 Access Control Lists.
