
Cisco routers and switches online configuration FAQ


Spoto | Posted on: 2019-05-23 | Views: 1222 | Category: CCIE Lab


The following are all problems you will encounter when working through the CCIE RS LAB EXAM.

When doing projects I often run into this kind of small project: the customer only buys one Cisco router and one core switch, and you need to configure the router and the switch so that the client can access the Internet. This small project looks very simple, but it is very important, and the configuration often fails or does not meet the customer's requirements. Here is a detailed analysis of such a project, because many different configurations and requirements, such as dual egress links, can be derived from it. First look at the configuration of the router.

Customer service

 

Router#sh run | b interface
interface Ethernet0/0
 ip address 12.1.1.2 255.255.255.0
 ip nat outside
interface Ethernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside


I believe everyone is familiar with the configuration of these interfaces. The main items are the WAN-port address that the telecom provider gives you and the address of the internal network. NAT is generally required, so the NAT INSIDE and OUTSIDE interfaces are configured here; otherwise NAT cannot work and the internal network cannot reach the public network.

 

Then you need to configure the default route, which is mainly what lets you reach the public network:

ip route 0.0.0.0 0.0.0.0 12.1.1.1

 

So in theory you can now ping a public address such as 8.8.8.8. If that fails, it may be an interface problem or an ISP problem, which also gives you a troubleshooting idea: for example, if the public network is unreachable, first check from the router whether the WAN public network address can be reached.

 

Now you can configure NAT. There are two main steps. The first step is to specify the scope of the translation. What does that mean? There may be many network segments on the intranet, and not every segment is allowed onto the public network: some companies require that only part of the network can go out and the rest cannot, for example to protect the security of some data. Because the ISP only assigns one IP address to you, you do port address translation, and that address is the one on the configured OUTSIDE interface.

 

ip nat inside source list 100 interface Ethernet0/0 overload
access-list 100 permit ip 192.168.0.0 0.0.255.255 any

 

Of these two commands, the second one (the access list) specifies the range that can be translated. The network segment is deliberately enlarged here; under normal circumstances it can be written broadly, mainly because that keeps the ACL simpler, or it can be written very precisely, depending on the actual situation. The overload keyword shows that this is port address translation.

 

 

Once these two commands are entered, the network segments behind the core switch can in theory access the external network. Why only in theory? Because nothing has been configured on the core switch yet; only the network segments have been divided, and in that state they cannot get onto the public network.

 

Of course, it is generally not that simple. You also need to configure a routing protocol on the router and, most importantly, advertise a default route:

router ospf 1
 network 10.1.1.1 0.0.0.0 area 0
 default-information originate always

 

 

 

Note that the wildcard mask here is 0.0.0.0, so only that exact interface address is put into OSPF, which is mainly safer.

 

The configuration of the router is basically completed. Let's look at the configuration of the core switch.

 

The core switch can be Layer 2 or Layer 3. Now it is usually Layer 3. Now let's talk about the specific configuration requirements of the Layer 3 switch:

 

interface G0/1
 no switchport
 ip address 10.1.1.2 255.255.255.0
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
interface Vlan20
 ip address 192.168.20.1 255.255.255.0

 

The above configuration is very simple: configure an interface that interconnects with the router, then create several VLAN interfaces for the network segments that separate the clients below.

 

Configure a routing protocol so that the router can access the network segment of the core switch.

 

router ospf 1
 network 10.1.1.2 0.0.0.0 area 0
 network 192.168.0.0 0.0.255.255 area 0

 

 

If you do not configure a routing protocol, you can configure static routes instead: the core switch gets a default route pointing to the router, and the router gets static routes to the network segments behind the switch; otherwise they will not be able to communicate.

 

 

Finally, the access ports are assigned to their VLANs. That is basically the configuration of the core switch, and at this point the clients should be able to access the public network.

 

Question 1: The customer now requires that the network segments cannot access each other, but each can still connect to the public network.

 

interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip access-group 100 in
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip access-group 101 in
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 101 permit ip any any

 

The above configuration is easy to understand: the traffic between the network segments is matched and then denied, and the ACL is applied inbound on the VLAN interfaces. Such configuration requirements are often encountered in actual projects.

 

Question 2: The network segments can access each other, but one network segment cannot connect to the public network.

 

Switch#sh run | b access-list 100
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 deny ip any any
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip access-group 100 in

 

Question 3: Only one pair of hosts can access each other, and they cannot access the public network.

 

Switch#sh run | in access-list 100
access-list 100 permit ip host 192.168.10.2 host 192.168.20.2
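As an added example (not code from the original post), the following Python evaluates the numbered extended ACLs from Questions 1 and 3 with the same wildcard-mask matching that the NAT access list and the OSPF "network 10.1.1.1 0.0.0.0" statement rely on; it shows why a list that ends without "permit ip any any" drops public-network traffic through the implicit deny. The ACL lines are copied from the post, except that Question 3's entry is renumbered 102 so both questions fit in one sample.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard: a 1 bit means 'don't care', so 'network 10.1.1.1 0.0.0.0'
    matches only 10.1.1.1 and '192.168.0.0 0.0.255.255' matches all 192.168.x.x."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a & ~w) & 0xFFFFFFFF) == ((b & ~w) & 0xFFFFFFFF)

def _operand(tokens):
    """Consume one address operand: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into {N: [(action, src, dst)]}."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[3] != "ip":
            continue  # only the numbered extended 'ip' form used in the post
        src, rest = _operand(tok[4:])
        dst, _ = _operand(rest) if rest else (ANY, [])  # missing DST reads as 'any'
        acls.setdefault(tok[1], []).append((tok[2], src, dst))
    return acls

def evaluate(rules, src, dst):
    """Top-down, first match wins; a list exhausted without a match ends in
    Cisco's implicit 'deny any any' (why Question 3's hosts lose the Internet)."""
    for action, (sb, sw), (db, dw) in rules:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

# ACL lines copied from the post; Question 3's entry is renumbered 102 here
# (constructed numbering) so both questions fit in one sample.
ACL_TEXT = """
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 100 permit ip any any
access-list 102 permit ip host 192.168.10.2 host 192.168.20.2
"""
ACLS = parse_acl(ACL_TEXT)
```

Calling evaluate(ACLS["100"], "192.168.10.5", "8.8.8.8") returns "permit" while evaluate(ACLS["102"], "192.168.10.2", "8.8.8.8") returns "deny", which is exactly the difference between the Question 1 and Question 3 behaviour.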

 

Summary: Although the router and switch configuration for reaching the public network is very simple, it is the configuration most often encountered and most used in actual projects, and the above analysis covers it.

 

Everyone follows steps when troubleshooting. For example, if you cannot get onto the public network, the first step is to check the router: if the router cannot ping a public address, check mainly whether the ISP has a problem. Then check whether the router and the core switch can communicate, whether the core switch can reach the access-layer switch, and finally whether the access-layer switch can reach the client. As long as the thinking is clear, troubleshooting is an easy task.

 

Let's take a look at the configuration from an actual project, with some unused configuration deleted.

 

1941#sh run
Building configuration...

Current configuration : 1785 bytes

Last configuration change at 05:58:15 UTC Tue Sep 24 2013 by cisco
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
boot-start-marker
boot system flash0:/c1900-universalk9-mz.SPA.153-3.M.bin
boot-end-marker
enable secret 5 $1$FGLC$Y/iyOOH5xkYLI3mWkijL91
enable password cisco
no aaa new-model
ip dhcp excluded-address 192.168.11.1 192.168.11.100
ip dhcp pool ccna
 network 192.168.11.0 255.255.255.0
 dns-server 221.12.1.227 221.12.33.227
 default-router 192.168.11.1
license udi pid CISCO1941/K9 sn FGL1721109D
license accept end user agreement
license boot module c1900 technology-package securityk9
username CISCO privilege 15 password 0 cisco
interface GigabitEthernet0/0
 description wan
 ip address 101.71.246.162 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
interface GigabitEthernet0/1
 description lan
 ip address 192.168.11.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
ip nat inside source list natout interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 101.71.246.161
ip access-list standard natout
 permit 192.168.0.0 0.0.255.255

 

Note that DHCP is configured above; it can be configured on the router or on the core switch. Pay attention to the IOS version: this is 15.3, which is fairly new. The IOS that the router ships with may have relatively more bugs.

 

It is recommended to upgrade to the latest IOS!

