
Cisco Learning Labs
(CCNA v1.0)

The following lab exercises are sourced from the Cisco CCNA v1.0 discovery labs. Many of the notes and commands come directly from the lab job aids and procedures. Any information contained within this page is purely for learning purposes.

Lab Directory

Discovery 7: Configure Default Gateway

show ip route
show arp

There is an ARP cache entry for 192.168.3.2. The MAC addresses for 192.168.3.2 and 10.10.1.1 are identical. This behavior is the result of the Proxy ARP feature, which is enabled on Cisco IOS routers by default. PC1 does not have a default gateway configured, so it attempts to use ARP for all addresses. R1 saw the ARP request for a remote address that was available in its routing table and sent an ARP reply with its own MAC address. PC1 can then forward traffic destined to 192.168.3.2 to the R1 MAC address, and R1 forwards it as necessary. While proxy ARP can be helpful as a last resort, properly configuring a default gateway is the better practice.

conf t
ip default-gateway 10.10.1.1
end

The default gateway, along with the IPv4 address and the subnet mask, is one of the main configuration parameters of an end device. The default gateway is used when there is a need to communicate with devices outside the local subnet. The sending device examines the destination address to determine the destination network ID. It then compares this destination subnet ID with its own subnet ID. If the subnet IDs are different, the sending device forwards the packet to the default gateway for further routing. The default gateway is the IPv4 address of a router interface that is connected to the local subnet. In other words, a default gateway always belongs to the same subnet as the end device.

The main advantage of proxy ARP is that it can be added to a single router on a network and does not disturb the routing tables of the other routers on the network. Proxy ARP must be used on a network where IPv4 hosts are not configured with a default gateway or do not have any routing intelligence. The use of proxy ARP is not recommended in today's networks, because it can be a significant security issue. Therefore, proxy ARP should be disabled on all interfaces except in the rare situations where you need it.

clear ip arp x.x.x.x
show arp
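As an added example (not part of the lab), the Python below parses a constructed sample of show arp output and flags the proxy-ARP symptom described above: one MAC address answering for several IPs, including addresses outside the local subnet. The sample output is constructed (the MACs reuse the lab's R1 and PC1 values), and 10.10.1.0/24 as the local subnet is an assumption.

```python
import ipaddress
import re

# Constructed sample of Cisco IOS "show arp" output, not a capture from the lab.
# MACs follow the lab's values: R1 = aabb.cc00.3200, PC1 = aabb.cc00.3b00.
SAMPLE_SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.1.1               5   aabb.cc00.3200  ARPA   Ethernet0/0
Internet  10.10.1.10              -   aabb.cc00.3b00  ARPA   Ethernet0/0
Internet  192.168.3.2             3   aabb.cc00.3200  ARPA   Ethernet0/0
"""

# One "Internet" row: address, age (a number or "-"), dotted-hex MAC, type, interface.
ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(?P<iface>\S+)"
)


def parse_show_arp(text):
    """Return one dict per ARP cache entry; the header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def shared_macs(entries):
    """Map each MAC that answers for more than one IP to the sorted list of those IPs.
    On a host without a default gateway this is the proxy-ARP fingerprint seen in the lab."""
    by_mac = {}
    for e in entries:
        by_mac.setdefault(e["mac"], set()).add(e["ip"])
    return {mac: sorted(ips, key=ipaddress.IPv4Address)
            for mac, ips in by_mac.items() if len(ips) > 1}


def proxy_arp_indicators(entries, local_subnet):
    """Entries whose IP lies outside the local subnet (assumed 10.10.1.0/24 here).
    A local ARP cache should never hold remote addresses; if it does, a router answered
    for them by proxy, which means the host is relying on proxy ARP instead of a gateway."""
    net = ipaddress.ip_network(local_subnet)
    return [(e["ip"], e["mac"]) for e in entries
            if ipaddress.ip_address(e["ip"]) not in net]
```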

Discovery 8: Explore Packet Forwarding

debug arp

Be very careful when using debug commands in production environments. Depending on the circumstances, they can have a catastrophic effect on router performance. Until you have experience with debug commands, it is best to consult a senior engineer within your organization on their use.

*Jan  4 01:52:04.435: IP ARP: sent rep src 10.10.1.10 aabb.cc00.3b00,
dst 10.10.1.10 ffff.ffff.ffff Ethernet0/0
*Jan 4 01:52:04.435: IP ARP: sent rep src 10.10.1.10 aabb.cc00.3b00,
dst 10.10.1.10 ffff.ffff.ffff Ethernet0/0

The two preceding messages are debug messages. Note that they are both ARP "rep" frames, which are reply frames. The destination IPv4 address is 10.10.1.10. PC1 is sending this ARP broadcast asking any host that has the IPv4 address 10.10.1.10, which is its own address, to respond back with an ARP reply. Cisco IOS Software sends this ARP broadcast automatically when interfaces are brought online. It is an attempt to recognize when there are duplicate IPv4 addresses on the network. If any responses are received, system logging (syslog) messages would be generated to alert the network administrator that there are duplicate addresses. No replies were received, which is normal.

ping 10.10.3.30
*Jan  4 02:01:44.589: IP ARP: creating incomplete entry for IP address: 10.10.1.1 interface Ethernet0/0

This debug message indicates that PC1 recognizes that it needs the MAC address for 10.10.1.1 (R1, its default gateway). PC1 creates an entry in its ARP cache and starts the ARP process.

*Jan  4 02:01:44.590: IP ARP: sent req src 10.10.1.10 aabb.cc00.3b00,
dst 10.10.1.1 0000.0000.0000 Ethernet0/0

This debug message indicates that PC1 sent an ARP request specifying 10.10.1.1 as the destination; the 0000.0000.0000 field in the request is a placeholder because PC1 does not know the MAC address (which is why it is sending the ARP request). This ARP request is broadcast to all hosts within the broadcast domain (we don't see the broadcast in the debug output). PC1 is requesting any system with the IPv4 address 10.10.1.1 to respond with an ARP reply.

*Jan  4 02:01:44.590: IP ARP: rcvd rep src 10.10.1.1 aabb.cc00.3200, dst 10.10.1.10 Ethernet0/0

This debug message indicates that PC1 received an ARP reply from 10.10.1.1, indicating that its MAC address is aabb.cc00.0100.

show mac address-table
clear mac address-table dynamic

When the switch receives a frame of any kind, it examines the source MAC address to determine if it needs to add it to the MAC address table. By default, with Cisco IOS Software, Ethernet interfaces send frames to their own MAC address every 10 seconds as a keepalive mechanism. Verify this setting by using the show interface command to view the status of interfaces.

Discovery 11: Configure Basic IPv6 Connectivity

By default, routing for IPv6 is not enabled on a Cisco router. To enable IPv6 routing, use the ipv6 unicast-routing command in global configuration mode. If IPv6 routing is not enabled, the router still acts as an IPv6 host once it has an IPv6 address.

The ipv6 unicast-routing command is required for forwarding and for configuring routing protocols, but it is not required to configure IPv6 addresses on interfaces.

conf t
ipv6 unicast-routing

You can use abbreviated commands during configuration. For example, you can use conf t for configure terminal. If there is any confusion, you can attempt tab completion to expand the full command syntax. For example, conf <tab> t <tab> would expand to configure terminal.

Discovery 12: Configure and Verify IPv4 Static Routes

# configure terminal
(config)# ip route <network_id> <subnet_mask> <gateway_ip>
(config)# end
# ping <ip_address>
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to <ip_address>, timeout is 2 seconds:
.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

PC1 can ping PC2. This fact implies bidirectional connectivity: the ICMP echoes forwarded from PC1 to PC2 were successful, and the ICMP echo replies forwarded from PC2 to PC1 were successful as well. The first miss (.) in the output is normal behavior, since the ARP response time is longer than the timeout for ICMP echo replies. Without knowing the destination MAC address, the ICMP echo request cannot succeed.

# ping 10.1.1.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.6, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

This ping attempt fails for a different reason. The subnet 10.1.1.4/30 is the point-to-point link between R2 and R3. R1 does not have a route to that subnet. Therefore, it must drop the packets that are destined for that subnet.

The "U" characters in the ping output indicate that a router in the forwarding path returned ICMP Unreachable messages to PC1.

Static Route Drawbacks

# traceroute 10.10.3.30
Type escape sequence to abort.
Tracing the route to 10.10.3.30
VRF info: (vrf in name/id, vrf out name/id)
1 10.10.1.1 1 msec 1 msec 1 msec
2 10.1.1.1 1 msec 0 msec 0 msec
3 10.10.3.30 1 msec * 1 msec

It is normal for the middle attempt to the final destination to time out with the traceroute command. The reason for this behavior is that Cisco routers rate limit ICMP Port Unreachable messages. When a traceroute is started, the router sends out a sequence of UDP datagrams to an invalid port address at the destination host. Three datagrams are sent, each with the TTL value set to 1. As soon as the datagrams hit the first router, they expire and the router responds with an ICMP Time Exceeded message. For every additional datagram sent, the TTL value increments by 1. When the destination host is reached, it replies with ICMP Port Unreachable messages, because the datagrams are trying to access an invalid port.

At this point, one of the limitations of static routes should be apparent. They do not scale well. In the lab, there are only six subnets and three routers, with no path being longer than two hops. In this simple environment, nine static routes were required for full connectivity. As the network complexity grows, the number of required static routes grows very fast and quickly becomes unwieldy.

Configure Backup Static Routes

Administrative distance is a property that is used to distinguish the trustworthiness of different routing protocols. Cisco IOS routers prefer routes with a lower administrative distance. By default, static routes have an administrative distance of 1, which all but guarantees that they will be used in the routing table. It is optional to specify a different administrative distance on static routes.

# configure terminal
(config)# ip route <network_id> <subnet_mask> <gateway_ip> <administrative_distance>
(config)# end
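Added example, not from the lab: a small Python model of how IOS picks among static routes, showing the floating (higher-AD) backup taking over when the primary is withdrawn, and a destination with no matching route being dropped as in the U.U.U ping above. The next-hop addresses are constructed.

```python
import ipaddress


class RoutingTable:
    """Toy model of IOS route selection (constructed for this note, not IOS code):
    candidates for the same prefix compete on administrative distance, and forwarding
    uses the longest installed prefix that contains the destination."""

    def __init__(self):
        self.candidates = []  # (IPv4Network, next_hop, administrative_distance)

    def ip_route(self, network, mask, next_hop, admin_distance=1):
        """Mirror of 'ip route <network> <mask> <gateway> [<distance>]'; AD defaults to 1."""
        net = ipaddress.ip_network(f"{network}/{mask}")
        self.candidates.append((net, next_hop, admin_distance))

    def no_ip_route(self, network, mask, next_hop):
        """Withdraw one static route, e.g. when its next-hop link goes down."""
        net = ipaddress.ip_network(f"{network}/{mask}")
        self.candidates = [c for c in self.candidates if (c[0], c[1]) != (net, next_hop)]

    def installed(self):
        """Only the lowest-AD candidate per prefix is installed in the routing table."""
        best = {}
        for net, nh, ad in self.candidates:
            if net not in best or ad < best[net][1]:
                best[net] = (nh, ad)
        return best

    def lookup(self, destination):
        """Longest-prefix match over installed routes. None means no route: the packet
        is dropped and an ICMP unreachable is returned, as for 10.1.1.6 in the lab."""
        addr = ipaddress.ip_address(destination)
        matches = [(net, nh) for net, (nh, _) in self.installed().items() if addr in net]
        if not matches:
            return None
        net, nh = max(matches, key=lambda m: m[0].prefixlen)
        return (str(net), nh)


def floating_static_demo():
    """Walk through the backup-route scenario; next hops 10.1.1.2 and 10.1.1.10 are constructed."""
    rt = RoutingTable()
    rt.ip_route("10.10.3.0", "255.255.255.0", "10.1.1.2")       # primary, AD 1
    rt.ip_route("10.10.3.0", "255.255.255.0", "10.1.1.10", 5)   # floating backup, AD 5
    before = rt.lookup("10.10.3.30")                            # primary wins
    unrouted = rt.lookup("10.1.1.6")                            # no route: dropped
    rt.no_ip_route("10.10.3.0", "255.255.255.0", "10.1.1.2")    # primary withdrawn
    after = rt.lookup("10.10.3.30")                             # backup now installed
    rt.ip_route("0.0.0.0", "0.0.0.0", "198.51.100.1")           # default route
    via_default = rt.lookup("10.1.1.6")                         # now matches /0
    return before, unrouted, after, via_default
```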

Discovery 14: Configure VLANs and Trunks

  • Configure a VLAN
# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
(config)# vlan 2
(config-vlan)# name Engineering
(config-vlan)# end
  • Show VLAN
show vlan brief
  • Show a specific VLAN
show vlan id vlan-id

When you show all VLANs, only the access mode ports are displayed. When you show a particular VLAN, the trunk ports that carry the VLAN are also displayed. Ethernet0/0 is the trunk port connecting SW1 and SW2.

In the lab environment, the default trunking encapsulation method on the SW1 and SW2 is Inter-Switch Link (ISL), which is an older Cisco proprietary trunking protocol. IEEE 802.1Q is much more common in networks today, and some switch models no longer support ISL. Thus, before verifying the switch port status of the Ethernet0/0 interface on SW1, explicitly configure this interface to IEEE 802.1Q trunk using the switchport trunk encapsulation dot1q command.

# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
(config)# interface Ethernet0/0
(config-if)# switchport trunk encapsulation dot1q
(config-if)# end
  • View switchport status of interfaces
# show int e0/0 switchport
Name: Et0/0
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q

The default administrative trunking mode on the Ethernet 0/0 switch port on SW1 is "dynamic desirable." Since the other side was able to receive the DTP messages sent from this port, a trunk link was formed between the two switches. Both administrative and operational trunking encapsulations are the 802.1Q trunk.

While the trunking status was automatically negotiated between the switches, the best practice is to explicitly configure the trunking status on switch ports. Also, it is best practice to assign a native VLAN to 802.1Q trunks that is not used by any endpoint hosts on the network.

# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
(config)# vlan 256
(config-vlan)# name NoHosts
(config-vlan)# exit
(config)#

While it makes no difference to the switch which IPv4 subnet you implement on which VLAN, for ease of network management, it is common to use the value of the third octet of the IPv4 network as the VLAN ID, when possible. For example, you would pair VLAN 2 with 10.10.2.0/24, pair VLAN 3 with 10.10.3.0/24, etc.

The number 256 is not a valid IPv4 address octet. The X.Y.256.Z addresses are invalid IPv4 addresses. Therefore, 256 can be an effective VID to use for a VLAN that intentionally services no hosts and is used for the native VLAN on 802.1Q trunks.

FASTLab 5: Troubleshoot VLANs and Trunk

  • Ensure VLAN names are configured correctly
# show vlan brief
  • Make necessary corrections to VLAN names
(config)# vlan <vlan_id>
(config-vlan)# name <vlan_name>
(config-vlan)# exit
  • Correct VLAN assignments for interfaces
(config)# interface <interface_id>
(config-if)# switchport access vlan <vlan_id>
  • Check VLAN assignments for interfaces
# show run interface <interface_id>

interface Ethernet <interface_id>
switchport access vlan <vlan_id>
switchport mode access
duplex auto
end
  • Check switchport mode for interface
# show run interface <interface_id>

interface <interface_id>
switchport access vlan <vlan_id>
switchport trunk encapsulation dot1q
switchport mode access
duplex auto
end
  • Update interface to be a trunk
(config)# interface <interface_id>
(config-if)# no switchport access vlan <vlan_id>
(config-if)# no switchport mode access
(config-if)# switchport mode trunk
  • Confirm trunk interfaces
# show interface trunk

Discovery 15: Configure a Router on a Stick

  • Configure link from switch to router as trunk interface with dot1q
SW1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)# interface Ethernet 0/2
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport trunk native vlan 256
SW1(config-if)# switchport trunk allowed vlan 2,3
SW1(config-if)# switchport mode trunk
SW1(config-if)# end
SW1#
  • Configure subinterfaces on router
R1(config-if)# interface Ethernet 0/1.2
R1(config-subif)# encapsulation dot1q 2
R1(config-subif)# ip address 10.10.2.1 255.255.255.0

R1(config-subif)# interface Ethernet 0/1.3
R1(config-subif)# encapsulation dot1q 3
R1(config-subif)# ip address 10.10.3.1 255.255.255.0
R1(config-subif)# end
R1#

FASTLab 6: Implement Multiple VLANs and Basic Routing Between the VLANs

  • Configure VLANs on switches
SW1(config)# vlan 65
SW1(config-vlan)# name Users
SW1(config-vlan)# vlan 80
SW1(config-vlan)# name Servers
SW1(config-vlan)# vlan 256
SW1(config-vlan)# name NoHosts
SW1(config-vlan)# exit
  • Configure access switchport interfaces
SW1(config)# interface E0/1
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan 65

SW1(config)# interface E0/2
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan 80
  • Configure interface trunks on switches
SW1(config)# interface E0/0
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport trunk native vlan 256
SW1(config-if)# switchport mode trunk
  • Configure subinterfaces on router
R1(config)# interface e0/0.65
R1(config-subif)# encapsulation dot1q 65
R1(config-subif)# ip address 192.168.65.254 255.255.255.0
R1(config-subif)#

R1(config)# interface e0/0.80
R1(config-subif)# encapsulation dot1q 80
R1(config-subif)# ip address 192.168.80.254 255.255.255.0

Discovery 16: Configure and Verify Single-Area OSPF

OSPF Command List

Command:
router ospf <process_id>

Enters the OSPF routing configuration mode. The network administrator chooses the process ID, which is a number between 1 and 65,535. The process ID is locally significant, which means that it does not have to match other OSPF routers to establish adjacencies with those neighbors.

Command:
network <ip_address> <wildcard_mask> area <area_id>

Uses the combination of the network address and wildcard mask as the criterion for identifying the interfaces that can send and receive OSPF packets. The network address, along with the wildcard mask, identifies which networks OSPF will run on, which in turn indicates which networks will be advertised in OSPF. The area ID identifies the OSPF area to which the network belongs. When all the routers are within the same OSPF area, the network commands must be configured with the same area ID on all routers. There must be an Area 0. In a single-area OSPF environment, the area is always 0.

Command:
ip ospf <process_id> area <area_id>

Enables OSPF explicitly on the selected interface. This interface configuration mode command is an alternative to the network command.

Procedure

The router ospf command uses a process identifier as an argument. The process ID is a unique, arbitrary number that you select to identify the routing process. The process ID is locally significant and does not need to match the OSPF process ID on other OSPF routers. However, best practice suggests that the process ID should be the same on all routers in the same routing domain.

The network command identifies which IPv4 networks on the router are part of the OSPF network. For each network, you must also identify the OSPF area to which the networks belong. The network that is identified in the network command does not tell the router which network to advertise; instead, it indicates the interfaces on which OSPF will be enabled. Then, the network configured on these interfaces will be advertised into OSPF.

As with a subnet mask and an IPv4 address, a wildcard mask is a string of 32 binary digits. However, a wildcard mask is used by a device to determine which bits of the address to examine for a match. A wildcard mask is not used on its own; it is used in conjunction with an IPv4 address. The matching rule consists of a reference IPv4 address and a wildcard mask that applies to it. When the wildcard mask is applied to the reference IPv4 address, the result is the matching pattern of binary digits. For a match to occur, the IPv4 address from the packet header must match the resulting pattern.

The wildcard mask bits are used as follows:

  • Where wildcard mask bit is 0: the value found at the same position in the reference IPv4 address must be matched.
  • Where wildcard mask bit is 1: the value found at the same position in the reference IPv4 address can be ignored.

Note
In order to route traffic toward external networks or toward the internet, the router must either know all the destination networks or have a default route. You can statically configure a default route, but it can also be learned dynamically via OSPF. The router that announces the default route needs to be configured with the default-information originate command in the router configuration (config-router) mode. You can also add the always keyword at the end of the command (default-information originate always) so that the router will always advertise the default route, regardless of whether its routing table has a default route.

Activity

  1. Show the active routing protocols on each router
R3#show ip protocols

*** IP Routing is NSF aware ***

Routing Protocol is "ospf 1"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 3.3.3.3
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
10.1.1.0 0.0.0.255 area 0
10.2.1.0 0.0.0.255 area 0
10.10.13.0 0.0.0.255 area 0
Routing Information Sources:
Gateway Distance Last Update
2.2.2.2 110 00:02:59
Distance: (default is 110)

Note
The router ID looks like an IPv4 address, but it is not routable and therefore not included in the routing table, unless the OSPF routing process chooses an interface (physical or loopback) that is appropriately defined by a network command or an ip ospf process-id area area-id interface command.

  2. Configure OSPF on router R1
R1# configure terminal
R1(config)# router ospf 1
R1(config-router)# router-id 1.1.1.1
R1(config-router)# network 10.0.1.0 0.0.0.255 area 0
R1(config-router)# network 10.1.1.0 0.0.0.255 area 0
R1(config-router)# network 10.10.11.0 0.0.0.255 area 0
R1(config-router)# end
  3. Verify Single-Area OSPF
show ip ospf interface brief

show ip protocols

show ip ospf neighbor

show ip route
  4. Adjust the cost of an interface
R1# configure terminal
R1(config)# interface Ethernet0/0
R1(config-if)# ip ospf cost 1
R1(config-if)# end
  • If multiple interfaces have the same cost, then OSPF will load balance traffic between them.
  • The lower the cost, the more preferred the path in OSPF.
  5. Configure some interfaces as passive

With OSPF running on a network, the passive-interface command stops both outgoing and incoming routing updates because the effect of the command causes the router to stop sending and receiving hello packets over an interface. For this reason, the routers will not become neighbors. Use the passive interface configuration only on the interfaces where you do not expect the router to form any OSPF neighbor adjacency, for example on a connection to an end device.

Discovery 17: Configure and Verify EtherChannel

  • Show the interface status of the switch
SW1# show interfaces status
  • Show the spanning tree status for vlan 10
SW1# show spanning-tree vlan 10

VLAN0010
Spanning tree enabled protocol ieee
Root ID Priority 24586
Address aabb.cc00.4200
Cost 100
Port 3 (Ethernet0/2)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32778 (priority 32768 sys-id-ext 10)
Address aabb.cc00.3a00
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0 Altn BLK 100 128.1 Shr
Et0/1 Altn BLK 100 128.2 Shr
Et0/2 Root FWD 100 128.3 Shr
Et0/3 Altn BLK 100 128.4 Shr
Et1/0 Desg FWD 100 128.5 Shr
  • Note that some interfaces are in the blocking (BLK) state while the others, the root and designated (Desg) ports, are forwarding (FWD) frames

Configure the port channel

  1. Shut the interfaces by range
conf t
int range e0/2-3
shut
  2. Create the channel group
channel-group 1 mode active
  3. Bring up the interfaces
no shut
  4. Add a description to the port channel
conf t
int po1
description Po to SW3
  5. Re-observe spanning tree with the newly created port channel
show spanning-tree vlan 10

VLAN0010
Spanning tree enabled protocol ieee
Root ID Priority 24586
Address aabb.cc00.4200
Cost 56
Port 65 (Port-channel1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32778 (priority 32768 sys-id-ext 10)
Address aabb.cc00.3a00
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0 Desg FWD 100 128.1 Shr
Et0/1 Desg FWD 100 128.2 Shr
Et1/0 Desg FWD 100 128.5 Shr
Po1 Root FWD 56 128.65 Shr
  6. View the aggregate details for the port channel
show etherchannel port-channel

Channel-group listing:
----------------------

Group: 1
----------
Port-channels in the group:
---------------------------

Port-channel: Po1 (Primary Aggregator)

------------

Age of the Port-channel = 0d:00h:04m:16s
Logical slot/port = 16/0 Number of ports = 2
HotStandBy port = null
Port state = Port-channel Ag-Inuse
Protocol = LACP
Port security = Disabled

Ports in the Port-channel:

Index Load Port EC state No of bits
------+------+------+------------------+-----------
0 00 Et0/2 Active 0
0 00 Et0/3 Active 0

Time since last port bundled: 0d:00h:03m:41s Et0/3

FASTLab 7: Improve Redundant Switched Topologies with EtherChannel

Lab Requirements

  • You need to group the existing four links into a single channel group using port channel identifier 12. Switch SW1 needs to initiate the EtherChannel while switch SW2 should only respond to it.
  • You need to make sure that the port channel trunk encapsulation is dot1q and then enable trunking on the port channel.
  • Once you have completed the configuration, perform a connectivity check between PC1 and PC2 using ping. The ping test should be successful.

Procedure

  1. Configure the interfaces on SW1
conf t
int range e0/0-3
shut

channel-group 12 mode active
  2. Configure the interfaces on SW2
conf t
int range e0/0-3
shut

channel-group 12 mode passive
  3. Ensure trunk encapsulation is dot1q on both SW1 and SW2
conf t
int po12
switchport trunk encapsulation dot1q
switchport mode trunk

Make sure to perform these commands on both switches.

  4. Enable the interfaces on both switches
int range e0/0-3
no shut
  5. Confirm trunk interface for port channel
show int trunk
  6. Show the EtherChannel summary
show etherchannel summary

Discovery 18: Configure and Verify IPv4 ACLs

Standard Access Lists

  • Standard access lists are simpler and less flexible than extended access lists.
  • They filter traffic based only on the source IP address of the packet.
  • Standard access lists are typically used for basic access control scenarios where you want to permit or deny traffic from specific source IP addresses.
  • They are identified by numbers in the range 1-99 and 1300-1999 (e.g., access-list 10 permit 192.168.1.0 0.0.0.255).

Procedure

  1. Show the access lists on each router
show running-config | include access-list

access-list 10 permit 10.10.1.10
access-list 10 deny 10.10.1.0 0.0.0.255
access-list 10 permit 10.10.0.0 0.0.255.255
access-list 10 deny 10.0.0.0 0.255.255.255
access-list 10 permit any

Defining an ACL on a Cisco IOS device does not change the behavior of the device until the ACL is applied. ACLs are used for various purposes. Depending on the purpose of an ACL, different commands are used in different configuration modes. In this lab, you use access list 10 to filter traffic transiting the R1 router.
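Added example (not the lab's own code) covering both the wildcard-mask rule from Discovery 16 and access list 10 above: a Python evaluator that applies IOS wildcard semantics (0 bit must match, 1 bit ignored) with first-match ordering and the implicit deny at the end. The ACL text is the lab's; the test addresses are constructed.

```python
import ipaddress

# Access list 10 exactly as it appears in the lab's running configuration.
ACL_10 = """\
access-list 10 permit 10.10.1.10
access-list 10 deny 10.10.1.0 0.0.0.255
access-list 10 permit 10.10.0.0 0.0.255.255
access-list 10 deny 10.0.0.0 0.255.255.255
access-list 10 permit any
"""


def wildcard_match(address, reference, wildcard):
    """IOS wildcard semantics: where the mask bit is 0 the address bit must equal the
    reference bit; where it is 1 the bit is ignored. OSPF 'network' statements use the
    same rule, e.g. 'network 10.1.1.0 0.0.0.255' matches any 10.1.1.x interface."""
    a = int(ipaddress.IPv4Address(address))
    r = int(ipaddress.IPv4Address(reference))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (r & ~w)


def parse_standard_acl(text):
    """Parse 'access-list N permit|deny <source> [wildcard]' lines into ordered entries.
    A bare address or 'host X' means wildcard 0.0.0.0; 'any' is 0.0.0.0 255.255.255.255."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        action, src = parts[2], parts[3:]
        if src[0] == "any":
            ref, wc = "0.0.0.0", "255.255.255.255"
        elif src[0] == "host":
            ref, wc = src[1], "0.0.0.0"
        else:
            ref = src[0]
            wc = src[1] if len(src) > 1 else "0.0.0.0"
        entries.append((action, ref, wc))
    return entries


def evaluate(entries, source_ip):
    """First matching entry wins, so order matters: the host permit for 10.10.1.10 must
    precede the deny for 10.10.1.0/24. A packet matching nothing hits the implicit deny.
    Returns (decision, index of the matching entry, or None for the implicit deny)."""
    for i, (action, ref, wc) in enumerate(entries):
        if wildcard_match(source_ip, ref, wc):
            return action, i
    return "deny", None
```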

  2. Apply the access list to an interface
conf t
int e0/3
ip access-group 10 out

The placement of an access list and the traffic direction of access list processing are very important, so care must be taken when choosing the most appropriate location. To filter traffic coming from department A and going to department B using a standard access list, the best place to filter is on the R1 interface facing department B, outbound. Keep in mind that standard access lists filter traffic based only on the source IPv4 address in a packet. Placing access list 10 inbound on either the Ethernet 0/0 or the Ethernet 0/1 R1 interface would also filter the communication between the 10.10.1.0/24 and 10.10.2.0/24 subnets.

  3. Show the access lists
show access-lists <number>

Standard IP access list 10
10 permit 10.10.1.10
20 deny 10.10.1.0, wildcard bits 0.0.0.255
30 permit 10.10.0.0, wildcard bits 0.0.255.255
40 deny 10.0.0.0, wildcard bits 0.255.255.255
50 permit any
  • Show access lists applied to interfaces
show ip interface | include line protocol | <access-list>

Ethernet0/3 is up, line protocol is up
Outgoing access list is 10
  4. Show the access lists after performing some network tests, e.g. ping.
show access-lists

Standard IP access list 10
10 permit 10.10.1.10 (5 matches)
20 deny 10.10.1.0, wildcard bits 0.0.0.255
30 permit 10.10.0.0, wildcard bits 0.0.255.255 (5 matches)
40 deny 10.0.0.0, wildcard bits 0.255.255.255
50 permit any
Note

Remember that for the ping to succeed, connectivity must exist in both directions.

The show access-lists command displays statistics for each rule that is matched during filtering.

Tip

During the testing of an ACL, the counters can be cleared using the clear access-list counters command. This command can be used without further arguments or with the number or the name of a specific ACL.

  5. Configure an access list and remove entries
ip access-list standard <name>
no <line-number>
Note

When using the no access-list command, different Cisco IOS software releases act differently. If the ACL that has been deleted is still applied to an interface, some Cisco IOS versions act as if no ACL is protecting your network while others deny all traffic. For this reason, it is a good practice to remove the reference to the access list from the interface before modifying the access list. If there is an error in the new list, disable it and troubleshoot the problem. In that instance, the network has no ACL during the correction process.

  6. Add an access list entry at a specific line number
conf t
ip access-list standard <number>
<line-number> permit host <ip-address>
<line-number> deny <ip-address> <wildcard-bits>
Tip

When adding new entries to an existing access list, it is a good practice to choose sequence numbers that are spaced apart. Leaving gaps between sequence numbers makes room for later additions to the access list.

Extended Access Lists

  • Extended access lists provide more granular control and allow filtering based on various criteria, including source and destination IP addresses, source and destination port numbers, protocols, and more.
  • They are more complex but offer greater flexibility for controlling traffic.
  • Extended access lists are identified by numbers in the range 100-199 and 2000-2699 (e.g., access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.1 eq 80).

Procedure

  1. Configure an extended access list for PC1
conf t
ip access-list extended PC1_TELNET
deny udp any any
permit tcp host 10.10.1.10 any eq 23
deny tcp host 10.10.1.10 any
permit ip any any
  2. Apply the extended access list to an interface
conf t
int e0/0
ip access-group PC1_TELNET in
end
  3. Show the extended access list
show access-list PC1_TELNET
Tip

Be careful when filtering traffic with access lists. Take care not to block services that are desired, such as DNS. Instead of blocking the entire protocol, like UDP, the extended access list allows you to give finer specification of port numbers and protocols to filter.
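Added example, not from the lab: a Python evaluator for the PC1_TELNET extended list above, showing that its blanket deny udp any any also drops DNS from PC1, beside a constructed variant that permits UDP 53 ahead of the deny as the tip suggests. The DNS server address 10.10.3.30 and the source ports in the flows are constructed.

```python
import ipaddress


def _wildcard_match(address, reference, wildcard):
    """IOS wildcard rule: 0 bits must match the reference, 1 bits are ignored."""
    a, r, w = (int(ipaddress.IPv4Address(x)) for x in (address, reference, wildcard))
    return (a & ~w) == (r & ~w)


def _take_address(tokens):
    """Consume one 'any' | 'host A' | 'A WILDCARD' spec; returns ((ref, wild), rest)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def _take_port(tokens):
    """Consume an optional 'eq PORT' qualifier; returns (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens


def parse_extended_acl(lines):
    """Parse 'permit|deny PROTO SRC [eq P] DST [eq P]' lines (the subset this lab uses)
    into ordered entries (action, proto, src, sport, dst, dport)."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] not in ("permit", "deny"):
            continue
        action, proto, t = t[0], t[1], t[2:]
        src, t = _take_address(t)
        sport, t = _take_port(t)
        dst, t = _take_address(t)
        dport, t = _take_port(t)
        entries.append((action, proto, src, sport, dst, dport))
    return entries


def evaluate(entries, proto, src_ip, src_port, dst_ip, dst_port):
    """First matching entry decides; protocol 'ip' matches everything; no match at all
    is the implicit deny at the end of every ACL."""
    for action, p, (sref, swild), sport, (dref, dwild), dport in entries:
        if p != "ip" and p != proto:
            continue
        if not _wildcard_match(src_ip, sref, swild):
            continue
        if not _wildcard_match(dst_ip, dref, dwild):
            continue
        if sport is not None and sport != src_port:
            continue
        if dport is not None and dport != dst_port:
            continue
        return action
    return "deny"


# The lab's PC1_TELNET list exactly as entered in Discovery 18.
PC1_TELNET = parse_extended_acl([
    "deny udp any any",
    "permit tcp host 10.10.1.10 any eq 23",
    "deny tcp host 10.10.1.10 any",
    "permit ip any any",
])

# Constructed variant for comparison: DNS (UDP 53) is permitted before the blanket UDP
# deny, so name resolution keeps working while the rest of UDP is still dropped.
PC1_TELNET_DNS_OK = parse_extended_acl([
    "permit udp any any eq 53",
    "deny udp any any",
    "permit tcp host 10.10.1.10 any eq 23",
    "deny tcp host 10.10.1.10 any",
    "permit ip any any",
])


def dns_from_pc1(entries):
    """Constructed flow: PC1 (10.10.1.10) querying a DNS server at 10.10.3.30 over UDP 53."""
    return evaluate(entries, "udp", "10.10.1.10", 51000, "10.10.3.30", 53)
```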

FASTLab 8: Implement Numbered and Named IPv4 ACLs

Create a numbered access-list using number 1 on router PoC2, to filter traffic that goes from PoC3 to PoC1. Ensure the following:

  • With one ACL statement, block all traffic from the host 172.16.1.1.
  • Ensure that access-list 1 allows traffic from the rest of the hosts in the 172.16.1.0/24 range.
  • Ensure that access-list 1 blocks traffic from the subnet range 172.16.2.0/24.
  • Ensure that access-list 1 allows the rest of the traffic.
conf t
ip access-list standard 1
deny 172.16.1.1 0.0.0.0
permit 172.16.1.0 0.0.0.255
deny 172.16.2.0 0.0.0.255
permit any

Apply the access list on PoC2 on the appropriate interface and in the appropriate direction, so that only traffic from the loopback network segments of PoC3 to loopback network segments of PoC1 is blocked. Traffic to PoC2 should not be blocked.

conf t
int range e0/0-1
ip access-group 1 out

On router PoC2, create a named standard access-list with the name NAMED_ACL. The access list NAMED_ACL should:

  • Allow traffic from hosts 10.1.1.1, 10.1.1.2, and 10.1.1.3. You need to use a single ACL statement to allow traffic from the specified IPv4 addresses.
  • Have one entry that allows traffic from the 10.1.2.0/24 and 10.1.3.0/24 subnets.
  • Also allow traffic with a source address of interface E0/0 on router PoC1.
conf t
ip access-list extended NAMED_ACL
permit ip 10.1.1.0 0.0.0.3 any
permit ip 10.1.2.0 0.0.1.255 any
permit ip host 192.168.12.1 any

Apply the access list NAMED_ACL so that it filters traffic ingressing from PoC1.

conf t
int e0/0
ip access-group NAMED_ACL in

Create a named extended access-list with the name PING_31.

  • The access list PING_31 should allow ICMP connectivity tests only from PoC3 Ethernet 0/0 interface.
  • Make sure that ICMP tests from other PoC3 interfaces fail.
  • The access list PING_31 should not introduce other restrictions; it should not block other traffic that is allowed by the standard access list 1.
conf t
ip access-list extended PING_31
permit icmp host 192.168.23.3 any
deny icmp any any
permit ip any any

Apply the access list PING_31 on PoC2 to the appropriate interface and in the appropriate direction.

int e0/1
ip access-group PING_31 in

Discovery 19: Configure a Provider-Assigned IPv4 Address

  1. Examine the current interfaces and their assigned IP addresses on a router
show ip int bri
  2. Examine the current routing table for the router
show ip route
  3. Configure the internet-facing interface to get its IP address via DHCP
conf t
int e0/3
ip address dhcp
end
  4. Verify that the interface is receiving an IP address via DHCP
show ip int bri

Interface IP-Address OK? Method Status Protocol
Ethernet0/3 198.51.100.101 YES DHCP up up
  5. Configure R1 to act as a DHCP relay agent by specifying a helper address on an interface
conf t
int e0/0
ip helper-address 198.51.100.1
end
Note

A DHCP relay agent is any host that forwards DHCP packets between clients and servers. Relay agents are used to forward requests and replies between clients and servers when they are not on the same physical subnet. Relay agent forwarding is distinct from normal forwarding, where IP packets are switched more or less transparently. By contrast, relay agents receive DHCP messages and then generate a new DHCP message to send out on another interface.

  6. Verify DHCP leases on devices
show dhcp lease
  7. Show the DHCP server used for devices
show dhcp server
Note

The show dhcp commands verify the basic DHCP IPv4 address and default gateway information, along with DHCP-specific information. In the output of the show dhcp lease command, you can see the assigned IPv4 address, the local interface to which the DHCP address was assigned, the DHCP server that provided the information, the default gateway, and the lease duration expressed in seconds. The value of 432000 seconds corresponds to 5 days. The output of the show dhcp server command indicates which DHCP server is chosen by the device. For PC1, it is any available server.

  8. Show the DHCP server configuration on the DHCP server itself
show startup-config | section dhcp

ip dhcp excluded-address 198.51.100.1 198.51.100.100
ip dhcp excluded-address 10.10.1.1 10.10.1.100
ip dhcp pool ClientRouter
network 198.51.100.0 255.255.255.0
default-router 198.51.100.1
lease 7
ip dhcp pool Client_10_10_1_0
network 10.10.1.0 255.255.255.0
default-router 10.10.1.1
lease 5

Discovery 20: Configure Static NAT

  1. Configure a static public IPv4 address on the outbound interface of the router.
conf t
int e0/3
ip address 198.51.100.2 255.255.255.0
exit
  2. Verify the interface address while still in global configuration mode.
do show ip int brief
tip

You can use the do command followed by an EXEC-level command to execute that command from any configuration mode, including configuration submodes.

  3. Configure a static default route to send all traffic through the public interface.
conf t
ip route 0.0.0.0 0.0.0.0 198.51.100.1
note

Be sure to configure the route with the next router's interface address as the next hop.

  4. Verify the routing table on the router.
show ip route
  5. Configure the router to perform static inside IPv4 NAT for a local client.
conf t
int e0/1
ip nat inside
int e0/3
ip nat outside
note

There will be a significant pause in response (3 to 5 minutes) to the first interface NAT command because R1 has to initiate an internal NAT Virtual Interface (NVI) to support NAT.

  6. Create a static NAT configuration entry to translate the internal client's private address to the public address on the router.
conf t
ip nat inside source static 10.10.2.20 198.51.100.20
end
  7. Show the NAT table on the router.
show ip nat translations
note

Static translations do not time out and remain in the translation table regardless of whether they are used, that is, regardless of whether there is any traffic to translate. A static entry is persistent and stays in the NAT translation table until it is manually removed.

  8. Generate traffic from an internal device to the internet, then show the NAT table again.
ping 203.0.113.30
show ip nat translations

Pro Inside global Inside local Outside local Outside global
icmp 198.51.100.20:6 10.10.2.20:6 203.0.113.30:6 203.0.113.30:6
tcp 198.51.100.20:26269 10.10.2.20:26269 203.0.113.30:23 203.0.113.30:23
--- 198.51.100.20 10.10.2.20 --- ---

The NAT table displays the configured static translation as well as the translations created by network activity. ICMP has no port numbers, so for the icmp entry the number after the colon is the ICMP identifier rather than a port. For TCP and UDP entries, the inside columns show the source port and the outside columns show the destination port.

Discovery 21: Configure Dynamic NAT and PAT

Dynamic NAT

  1. Verify any existing NAT configuration.
show ip nat statistics
  2. Configure an inside interface on the router for NAT.
conf t
int e0/0
ip nat inside
  3. Configure a numbered access list to identify which addresses to translate.
conf t
access-list 10 permit 10.10.0.0 0.0.255.255
note

The access list that identifies the traffic to be translated is not applied to an interface, as was the case with ACLs used to filter traffic. Instead, it is referenced in the ip nat inside source command that specifies the translation.

  4. Specify a pool of global addresses to use for the dynamic NAT.
conf t
ip nat pool NAT_POOL 198.51.100.100 198.51.100.149 netmask 255.255.255.0
  5. Define the dynamic NAT by indicating which addresses are inside and which addresses should be used as the global addresses. In this case, access list 10 identifies the inside addresses and the NAT pool NAT_POOL supplies the global addresses.
conf t
ip nat inside source list 10 pool NAT_POOL
  6. Send traffic to the internet from a local device through the router, for example with ping or telnet.

  7. Verify the NAT translations in use on the router.

show ip nat translations

Pro Inside global Inside local Outside local Outside global
icmp 198.51.100.100:1 10.10.1.10:1 203.0.113.30:1 203.0.113.30:1
--- 198.51.100.100 10.10.1.10 --- ---
icmp 198.51.100.101:1 10.10.2.4:1 203.0.113.30:1 203.0.113.30:1
--- 198.51.100.101 10.10.2.4 --- ---
--- 198.51.100.20 10.10.2.20 --- ---

Entries with a protocol specified, such as icmp, are extended entries; they are short-lived and age out after a timeout.

Entries without a protocol are simple entries and indicate either a dynamic or a static one-to-one NAT assignment. By default, dynamic translations have an inactivity timeout of 24 hours.

  8. Show the NAT statistics on the router.
show ip nat statistics
  9. Clear any dynamic NAT entries from the NAT table.
clear ip nat translation *

PAT (NAT Overloading)

  1. Delete the NAT pool and the dynamic NAT configuration from the router. The access list and the NAT configuration on the router interfaces are still needed.
conf t
no ip nat pool NAT_POOL
no ip nat inside source list 10 pool NAT_POOL
exit
  2. Configure PAT (NAT overloading) by specifying the source list and the interface to overload.
conf t
ip nat inside source list 10 interface Ethernet0/3 overload
end

When an interface's IPv4 address is used for PAT, no pool of global addresses needs to be configured.

  3. Verify connectivity by triggering network activity with ping or telnet.

  4. Verify the connections on the far side by showing the open ports that have been established.

show control-plane host open-ports
  5. Confirm the presence of extended NAT entries on the router.
show ip nat translations

show ip nat statistics
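An added simulation (not from the lab) of how the three translation styles in Discoveries 20 and 21 populate the table: the static entry for 10.10.2.20, one-to-one dynamic NAT from NAT_POOL (198.51.100.100-149, for hosts matched by access-list 10), and PAT on a single interface address, where the port or ICMP identifier is what keeps two hosts apart. The overload address 198.51.100.2 (E0/3 from Discovery 20), the remap start of 1024 and the host addresses are assumptions.

```python
import ipaddress

# Lab values: NAT_POOL 198.51.100.100-149, access-list 10, and the static entry for 10.10.2.20.
# Assumed for the simulation: the PAT interface address is E0/3's 198.51.100.2 from Discovery 20.
POOL = [str(ipaddress.IPv4Address("198.51.100.100") + i) for i in range(50)]
ACL_10 = ipaddress.IPv4Network("10.10.0.0/16")   # access-list 10 permit 10.10.0.0 0.0.255.255


class Nat:
    def __init__(self, pool, overload_addr="198.51.100.2"):
        self.free = list(pool)                         # pool addresses not yet handed out
        self.overload_addr = overload_addr             # interface address used by PAT
        self.static = {"10.10.2.20": "198.51.100.20"}  # ip nat inside source static
        self.dynamic = {}                              # inside local -> inside global
        self.pat = {}                                  # (local ip, proto, local port) -> global port
        self.next_port = 1024                          # assumed start for remapped ports/IDs

    def translate(self, inside_local, proto, local_port, overload=False):
        """Return (inside global, global port or ICMP id) for an outbound packet, or None
        when it is not translated (no match on access-list 10, or the pool is exhausted)."""
        if inside_local in self.static:                # static entries are permanent and win first
            return self.static[inside_local], local_port
        if ipaddress.IPv4Address(inside_local) not in ACL_10:
            return None
        if overload:                                   # PAT: many hosts share one address
            key = (inside_local, proto, local_port)
            if key not in self.pat:
                used = {g for (_, p, _), g in self.pat.items() if p == proto}
                port = local_port                      # keep the original port/ID if it is free
                while port in used:                    # otherwise remap to the next unused value
                    port, self.next_port = self.next_port, self.next_port + 1
                self.pat[key] = port
            return self.overload_addr, self.pat[key]
        if inside_local not in self.dynamic:           # dynamic NAT: one pool address per host
            if not self.free:
                return None                            # pool exhausted: no translation, packet dropped
            self.dynamic[inside_local] = self.free.pop(0)
        return self.dynamic[inside_local], local_port

    def show_translations(self):
        """Rows shaped like 'show ip nat translations': simple entries have no protocol,
        extended (PAT) entries carry address:port."""
        rows = [("---", g, l) for l, g in {**self.static, **self.dynamic}.items()]
        rows += [(p, f"{self.overload_addr}:{g}", f"{l}:{lp}") for (l, p, lp), g in self.pat.items()]
        return rows
```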

FASTLab 9: Implement PAT

Scenario

  • On the Branch router, create a single statement standard IPv4 access list named NAT_Traffic. The NAT_Traffic access list should identify all inside local addresses—all addresses of all inside subnets. The address identification ACL statement should specify the range of addresses as close as possible (as narrow as possible).
  • Configure the Branch router interfaces for NAT. Make sure to configure all relevant interfaces. There will be a significant pause in response to the first interface NAT command because the Branch router will have to initiate an internal NVI to support NAT.
  • Specify PAT as the translation mechanism. The traffic to be translated is identified by the NAT_Traffic access list. The public IPv4 address is assigned to the Branch router by the ISP.
  • Verify that all the inside devices have internet connectivity, by checking the connectivity to IPv4 test address 209.165.201.1.

Procedure

  1. Create the standard access list named NAT_Traffic.
conf t
ip access-list standard NAT_Traffic
permit 172.16.160.0 0.0.63.255
  2. Configure the interfaces for NAT inside or NAT outside.
conf t
int e0/2
ip nat inside
int e0/0
ip nat inside
int e0/1
ip nat outside
  3. Overload the outside interface with the proper access list.
ip nat inside source list NAT_Traffic interface e0/1 overload
  4. Confirm connectivity to the internet from each private device.