ICND2 v3 Students Lab Manual

Lab Manual for Cisco ICND2 Students (Academic Version3).

Uploaded by

Khaled Guessoum

Cisco ICND 2 v3

Students Lab Manual


Lab 2.1.4.4 – Configure VLANs, VTP and DTP

Topology

Addressing Table

Device    Interface    IP Address       Subnet Mask
PC0       NIC          192.168.10.1     255.255.255.0
PC1       NIC          192.168.20.1     255.255.255.0
PC2       NIC          192.168.30.1     255.255.255.0
PC3       NIC          192.168.30.2     255.255.255.0
PC4       NIC          192.168.20.2     255.255.255.0
PC5       NIC          192.168.10.2     255.255.255.0
S1        VLAN 99      192.168.99.1     255.255.255.0
S2        VLAN 99      192.168.99.2     255.255.255.0
S3        VLAN 99      192.168.99.3     255.255.255.0

Objectives
Part 1: Configure and Verify DTP
Part 2: Configure and Verify VTP

Background / Scenario
As the number of switches in a network increases, the administration necessary to manage the VLANs and
trunks can be challenging. To ease some of the VLAN and trunking configurations, VLAN trunking protocol
(VTP) allows a network administrator to automate the management of VLANs. Trunk negotiation between
network devices is managed by the Dynamic Trunking Protocol (DTP), which is automatically enabled on
Catalyst 2960 and Catalyst 3560 switches.

© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Packet Tracer – Configure VLANs, VTP and DTP

In this activity, you will configure trunk links between the switches. You will configure a VTP server and VTP
clients in the same VTP domain. You will also observe the VTP behavior when a switch is in VTP transparent
mode. You will assign ports to VLANs and verify end-to-end connectivity with the same VLAN.

Part 1: Configure and Verify DTP


In Part 1, you will configure trunk links among the switches, and you will configure VLAN 999 as the native
VLAN.

Step 1: Verify VLAN configuration.


Verify the configured VLANs on the switches.
a. On S1, click the CLI tab. At the prompt, enter enable and enter the show vlan brief command to verify
the configured VLANs on S1.
S1# show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig0/1, Gig0/2
99   Management                       active
999  VLAN0999                         active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
b. Repeat step a. on S2 and S3. What VLANs are configured on the switches?
____________________________________________________________________________________
VLANs 99 and 999 are configured on all the switches.

Step 2: Configure Trunks on S1, S2, and S3.


Dynamic trunking protocol (DTP) manages the trunk links between Cisco switches. Currently all the
switchports are in the default trunking mode, which is dynamic auto. In this step, you will change the trunking
mode to dynamic desirable for the link between switches S1 and S2. For the link between switches S1 and
S3, the link will be set as a static trunk. Use VLAN 999 as the native VLAN in this topology.
a. On switch S1 and switch S2, configure the trunk link to dynamic desirable on the GigabitEthernet 0/1
interface. The configuration of S1 is shown below.
S1(config)# interface g0/1
S1(config-if)# switchport mode dynamic desirable
b. For the trunk link between S1 and S3, configure a static trunk link on the GigabitEthernet 0/2 interface.
S1(config)# interface g0/2
S1(config-if)# switchport mode trunk

S3(config)# interface g0/2
S3(config-if)# switchport mode trunk
c. Verify trunking is enabled on all the switches using the show interfaces trunk command.
S1# show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Gig0/1      desirable    n-802.1q       trunking      1
Gig0/2      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gig0/1      1-1005
Gig0/2      1-1005

Port        Vlans allowed and active in management domain
Gig0/1      1,99,999
Gig0/2      1,99,999

Port        Vlans in spanning tree forwarding state and not pruned
Gig0/1      none
Gig0/2      none
What is the native VLAN for these trunks currently? ____________________________________ VLAN 1
d. Configure VLAN 999 as the native VLAN for the trunk links on S1.
S1(config)# interface range g0/1 - 2
S1(config-if-range)# switchport trunk native vlan 999
What messages did you receive on S1? How would you correct it?
____________________________________________________________________________________
____________________________________________________________________________________
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/2 (999),
with S3 GigabitEthernet0/2 (1).
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (999),
with S2 GigabitEthernet0/1 (1).
To correct native VLAN mismatch, configure VLAN 999 as the native VLAN on S2 and S3.
e. On S2 and S3, configure VLAN 999 as the native VLAN.
f. Verify trunking is successfully configured on all the switches. You should be able to ping one switch from
another switch in the topology using the IP addresses configured on the SVI.
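
Added example (not part of the original lab manual): a Python sketch that reads the show interfaces trunk table from step c and the CDP messages from step d, then lists the native VLAN commands each switch still needs. While a mismatch exists, untagged frames that leave S1 in VLAN 999 arrive in VLAN 1 on the neighbor; the function names and the local switch name argument are assumptions of this example.

```python
import re
from collections import defaultdict

# First table of "show interfaces trunk" on S1, as printed in step c.
SHOW_TRUNK_S1 = """\
Port        Mode         Encapsulation  Status        Native vlan
Gig0/1      desirable    n-802.1q       trunking      1
Gig0/2      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gig0/1      1-1005
Gig0/2      1-1005
"""

# Console messages from step d, still wrapped the way the console printed them.
CDP_LOG = """\
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/2 (999),
with S3 GigabitEthernet0/2 (1).
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (999),
with S2 GigabitEthernet0/1 (1).
"""

MISMATCH_RE = re.compile(
    r"%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on "
    r"(?P<local_if>\S+) \((?P<local_vlan>\d+)\), "
    r"with (?P<peer>\S+) (?P<peer_if>\S+) \((?P<peer_vlan>\d+)\)"
)


def parse_native_vlans(show_trunk):
    """Return {port: native VLAN} from the first table of 'show interfaces trunk'."""
    natives, in_table = {}, False
    for line in show_trunk.splitlines():
        fields = line.split()
        if fields[:2] == ["Port", "Mode"]:
            in_table = True
        elif in_table and not fields:
            break                      # a blank line ends the first table
        elif in_table:
            natives[fields[0]] = int(fields[-1])
    return natives


def parse_mismatches(log):
    """Return one dict per CDP native-VLAN mismatch message in the log text."""
    flat = " ".join(log.split())       # undo console line wrapping
    records = []
    for m in MISMATCH_RE.finditer(flat):
        rec = m.groupdict()
        rec["local_vlan"] = int(rec["local_vlan"])
        rec["peer_vlan"] = int(rec["peer_vlan"])
        records.append(rec)
    return records


def plan_fixes(local_name, mismatches, native):
    """Return {switch: [config lines]} for each link end whose native VLAN is not `native`."""
    plan = defaultdict(list)
    for m in mismatches:
        ends = [(local_name, m["local_if"], m["local_vlan"]),
                (m["peer"], m["peer_if"], m["peer_vlan"])]
        for switch, ifname, vlan in ends:
            if vlan != native:
                plan[switch] += [f"interface {ifname}",
                                 f"switchport trunk native vlan {native}"]
    return dict(plan)


if __name__ == "__main__":
    print("Native VLANs before step d:", parse_native_vlans(SHOW_TRUNK_S1))
    for switch, lines in plan_fixes("S1", parse_mismatches(CDP_LOG), 999).items():
        print(switch, "->", "; ".join(lines))
```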

Part 2: Configure and Verify VTP


S1 will be configured as the VTP server and S2 will be configured as a VTP client. All the switches will be
configured to be in the VTP domain CCNA and use the VTP password cisco.
VLANs can be created on the VTP server and distributed to other switches in the VTP domain. In this part,
you will create 3 new VLANs on the VTP server, S1. These VLANs will be distributed to S2 using VTP.
Observe how the transparent VTP mode behaves.

Step 1: Configure S1 as VTP server.


Configure S1 as the VTP server in the CCNA domain with the password cisco.

a. Configure S1 as a VTP server.


S1(config)# vtp mode server
Setting device to VTP SERVER mode.
b. Configure CCNA as the VTP domain name.
S1(config)# vtp domain CCNA
Changing VTP domain name from NULL to CCNA
c. Configure cisco as the VTP password.
S1(config)# vtp password cisco
Setting device VLAN database password to cisco

Step 2: Verify VTP on S1.


a. Use the show vtp status command on the switches to confirm that the VTP mode and domain are
configured correctly.
S1#show vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 255
Number of existing VLANs : 7
VTP Operating Mode : Server
VTP Domain Name : CCNA
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x8C 0x29 0x40 0xDD 0x7F 0x7A 0x63 0x17
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 192.168.99.1 on interface Vl99 (lowest numbered VLAN interface
found)
b. To verify the VTP password, use the show vtp password command.
S1#show vtp password
VTP Password: cisco

Step 3: Add S2 and S3 to the VTP domain.


Before S2 and S3 will accept VTP advertisements from S1, they must belong to the same VTP domain.
Configure S2 as a VTP client with CCNA as the VTP domain name and cisco as the VTP password.
Remember that VTP domain names are case sensitive.
a. Configure S2 as a VTP client in the CCNA VTP domain with the VTP password cisco.
S2(config)# vtp mode client
Setting device to VTP CLIENT mode.
S2(config)# vtp domain CCNA
Changing VTP domain name from NULL to CCNA
S2(config)# vtp password cisco
Setting device VLAN database password to cisco
b. To verify the VTP password, use the show vtp password command.
S2#show vtp password
VTP Password: cisco
c. Configure S3 to be in the CCNA VTP domain with the VTP password cisco. Switch S3 will be set in VTP
transparent mode.
S3(config)# vtp mode Transparent
S3(config)# vtp domain CCNA
Changing VTP domain name from NULL to CCNA
S3(config)# vtp password cisco
Setting device VLAN database password to cisco
d. Enter the show vtp status command on all the switches to answer the following question.
Notice that the configuration revision number is 0 on all three switches. Explain.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
The configuration revision number increments by one every time a VLAN is added, deleted, or modified.
No additional configurations have been made to VLANs on any of the switches.

Step 4: Create more VLANs on S1.


a. On S1, create VLAN 10 and name it Red.
S1(config)# vlan 10
S1(config-vlan)# name Red
b. Create VLANs 20 and 30 according to the table below.

VLAN Number VLAN Name

10 Red
20 Blue
30 Yellow

c. Verify the addition of the new VLANs. Enter show vlan brief at the privileged EXEC mode.
Which VLANs are configured on S1?
____________________________________________________________________________________
VLANs 1, 10, 20, 30, 99, and 999.
d. Confirm configuration changes using the show vtp status command on S1 and S2 to confirm that the
VTP mode and domain are configured correctly. Output for S2 is shown here:
S2# show vtp status
VTP Version : 2
Configuration Revision : 6
Maximum VLANs supported locally : 255
Number of existing VLANs : 10
VTP Operating Mode : Client
VTP Domain Name : CCNA
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0xE6 0x56 0x05 0xE0 0x7A 0x63 0xFB 0x33
Configuration last modified by 192.168.99.1 at 3-1-93 00:21:07
How many VLANs are configured on S2? Does S2 have the same VLANs as S1? Explain.
____________________________________________________________________________________
____________________________________________________________________________________
S2 has 10 VLANs, the same number as S1. Because S1 is the VTP server and S2 is a VTP client in the
CCNA domain, S2 has received the VLAN information from S1.

Step 5: Observe VTP transparent mode.


S3 is currently configured in VTP transparent mode.
a. Use the show vtp status command to answer the following question.
How many VLANs are configured on S3 currently? What is the configuration revision number? Explain
your answer.
____________________________________________________________________________________
____________________________________________________________________________________
Currently there are 7 VLANs on S3. The configuration revision number is 0 because S3 is in transparent
mode and VLAN configurations have not been changed since switch startup.
How would you change the number of VLANs on S3?
____________________________________________________________________________________
____________________________________________________________________________________
While S3 is in transparent mode, it will not implement the VLAN information from the VTP server, so all of
the VLAN changes either need to be configured manually, or S3 can be changed to a VTP client to
implement the VLAN information from the VTP server.
b. Change VTP mode to client on S3.
Use show commands to verify the changes on VTP mode. How many VLANs exist on S3 now?
____________________________________________________________________________________
10
Note: VTP advertisements are flooded throughout the management domain every five minutes, or
whenever a change occurs in VLAN configurations. To accelerate this process, you can switch between
Realtime mode and Simulation mode until the next round of updates. However, you may have to do this
multiple times because this will only forward Packet Tracer’s clock by 10 seconds each time. Alternatively,
you can change one of the client switches to transparent mode and then back to client mode.

Step 6: Assign VLANs to Ports


Use the switchport mode access command to set access mode for the access links. Use the
switchport access vlan vlan-id command to assign a VLAN to an access port.

Ports                            Assignments         Network
S2 F0/1 – 8, S3 F0/1 – 8         VLAN 10 (Red)       192.168.10.0 /24
S2 F0/9 – 16, S3 F0/9 – 16       VLAN 20 (Blue)      192.168.20.0 /24
S2 F0/17 – 24, S3 F0/17 – 24     VLAN 30 (Yellow)    192.168.30.0 /24

a. Assign VLANs to ports on S2 using assignments from the table above.


S2(config-if)#interface range f0/1 - 8
S2(config-if-range)# switchport mode access
S2(config-if-range)# switchport access vlan 10
S2(config-if-range)#interface range f0/9 -16
S2(config-if-range)# switchport mode access
S2(config-if-range)# switchport access vlan 20
S2(config-if-range)#interface range f0/17 - 24
S2(config-if-range)# switchport mode access
S2(config-if-range)# switchport access vlan 30
b. Assign VLANs to ports on S3 using assignment from the table above.

Step 7: Verify end to end connectivity.


a. From PC0 ping PC5.
b. From PC1 ping PC4.
c. From PC2 ping PC3.

Script

Switch S1
enable
config t
vtp mode server
vtp domain CCNA
vtp password cisco
vlan 10
name Red
vlan 20
name Blue
vlan 30
name Yellow
interface g0/1
switchport mode dynamic desirable
switchport trunk native vlan 999
interface g0/2
switchport mode trunk
switchport trunk native vlan 999
end

Switches S2 and S3
enable
config t
vtp mode client
vtp domain CCNA
vtp password cisco
interface g0/1
switchport mode dynamic desirable
switchport trunk native vlan 999
interface g0/2
switchport mode trunk
switchport trunk native vlan 999
interface range f0/1 - 8
switchport mode access
switchport access vlan 10
interface range f0/9 -16
switchport mode access
switchport access vlan 20
interface range f0/17 - 24
switchport mode access
switchport access vlan 30
end

Lab 2.2.2.4 – Troubleshooting Inter-VLAN Routing

Topology

Addressing Table

Device    Interface    IP Address       Subnet Mask      Default Gateway    VLAN
R1        G0/1.10      172.17.10.1      255.255.255.0    N/A                VLAN 10
R1        G0/1.30      172.17.30.1      255.255.255.0    N/A                VLAN 30
PC1       NIC          172.17.10.10     255.255.255.0    172.17.10.1        VLAN 10
PC3       NIC          172.17.30.10     255.255.255.0    172.17.30.1        VLAN 30

Objectives
Part 1: Locate Network Problems
Part 2: Implement the Solution
Part 3: Verify Network Connectivity

Scenario
In this activity, you will troubleshoot connectivity problems caused by improper configurations related to
VLANs and inter-VLAN routing.

Part 1: Locate the Network Problems


Examine the network and locate the source of any connectivity issues.
• Test connectivity and use the necessary show commands to verify configurations.
• List all of the problems and possible solutions in the Documentation Table.

Documentation Table

Problem: The G0/1 physical interface is up but G0/1.10 subinterface is administratively down.
Solution: Implement the no shutdown command to enable the G0/1.10 subinterface.

Problem: PC3 is configured with the wrong default gateway address.
Solution: Change the default gateway on PC3 from 172.17.10.1 to 172.17.30.1

Problem: Interface G0/1 on S1 is configured as an access port instead of trunk port
Solution: Use the command switchport mode trunk to change the interface from access mode to trunk mode

Problem: Subinterface VLAN assignments are switched on R1.
Solution: Issue the no encapsulation dot1q command to remove the incorrect configuration. Then configure the
subinterfaces with the correct encap dot1q <vlan> command. Reenter the correct IP address information.
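
Added example (not part of the original lab manual): a Python check that compares R1's subinterfaces against this lab's Addressing Table and reports the two R1 faults listed above. The R1 configuration text is constructed for the example, and the function names are assumptions.

```python
import re

# Expected values taken from this lab's Addressing Table.
EXPECTED = {
    "GigabitEthernet0/1.10": {"vlan": 10, "ip": "172.17.10.1"},
    "GigabitEthernet0/1.30": {"vlan": 30, "ip": "172.17.30.1"},
}

# Constructed R1 configuration reproducing two faults from the Documentation Table:
# G0/1.10 is shut down and the dot1q VLAN IDs are swapped between the subinterfaces.
R1_CONFIG = """\
interface GigabitEthernet0/1
 no ip address
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 30
 ip address 172.17.10.1 255.255.255.0
 shutdown
!
interface GigabitEthernet0/1.30
 encapsulation dot1Q 10
 ip address 172.17.30.1 255.255.255.0
!
"""


def parse_interfaces(config):
    """Return {interface: {"vlan", "ip", "shutdown"}} from running-config text."""
    found, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = found.setdefault(
                line.split()[1], {"vlan": None, "ip": None, "shutdown": False})
        elif not raw.startswith(" "):
            current = None             # "!" or a new top-level command ends the block
        elif current is not None:
            if m := re.fullmatch(r"encapsulation dot1q (\d+)", line, re.IGNORECASE):
                current["vlan"] = int(m.group(1))
            elif m := re.fullmatch(r"ip address (\S+) \S+", line):
                current["ip"] = m.group(1)
            elif line == "shutdown":
                current["shutdown"] = True
    return found


def audit(config, expected=EXPECTED):
    """Return (interface, finding) tuples for every deviation from `expected`."""
    found, findings = parse_interfaces(config), []
    for name, want in expected.items():
        have = found.get(name)
        if have is None:
            findings.append((name, "subinterface not configured"))
            continue
        if have["shutdown"]:
            findings.append((name, "administratively down; needs no shutdown"))
        if have["vlan"] != want["vlan"]:
            findings.append(
                (name, f"encapsulation dot1q {have['vlan']}, expected {want['vlan']}"))
        if have["ip"] != want["ip"]:
            findings.append((name, f"ip address {have['ip']}, expected {want['ip']}"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit(R1_CONFIG):
        print(f"{interface}: {finding}")
```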

Part 2: Implement the Solutions


Make changes according to your recommended solutions.

Part 3: Verify Network Connectivity


Verify the PCs can ping other PCs and R1. If not, continue to troubleshoot until the pings are successful.

Suggested Scoring Rubric


Packet Tracer scores 60 points. Completing the Documentation Table is worth 40 points.

Lab 2.2.3.3 – Troubleshoot VTP and DTP

Topology

Addressing Table

Device    IP Address      Subnet Mask
PC0       172.16.10.1     255.255.255.0
PC1       172.16.20.1     255.255.255.0
PC2       172.16.30.1     255.255.255.0
PC3       172.16.30.2     255.255.255.0
PC4       172.16.20.2     255.255.255.0
PC5       172.16.10.2     255.255.255.0
S1        172.16.99.1     255.255.255.0
S2        172.16.99.2     255.255.255.0
S3        172.16.99.3     255.255.255.0

Objectives
Part 1: Troubleshoot DTP
Part 2: Troubleshoot VTP

Background / Scenario
In this activity, the switches S2 and S3 are not implementing VTP information. You will verify that DTP and
VTP configurations are correctly implemented. When all the issues are resolved, the PCs in the same VLAN
will be able to communicate with each other.

Part 1: Troubleshoot DTP


In Part 1, you will troubleshoot the trunk links among the switches. You will verify that permanent trunk links
are used between the switches.

a. Enter show interfaces trunk at the privileged EXEC prompt on all the switches to determine the status of
the trunk links. How many trunk links are configured currently?
____________________________________________________________________________________
There are no working trunk links between the switches.
b. Enter show interfaces g0/1 switchport at the privileged EXEC prompt on S1. Do the same for g0/2
interface on S1.
What is the operational mode on the GigabitEthernet interfaces on S1? ______________Static access
c. Repeat the commands for g0/1 on S2 and g0/2 on S3.
Correct the trunk links. Record the commands you used to correct the trunking issue.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
S1(config)# interface range g0/1 - 2
S1(config-if-range)#switchport mode trunk

S2(config)# interface g0/1
S2(config-if)#switchport mode trunk

S3(config)# interface g0/2
S3(config-if)#switchport mode trunk
d. Verify the trunk links using the show commands.

Part 2: Troubleshoot VTP

Step 1: Verify VLAN information


Use the show vlan brief command on all the switches. Do all the switches have the same number of VLANs?
How many does each switch have?
_______________________________________________________________________________________
No. S1 has 10 VLANs. The other two switches have only 7 VLANs each.

Step 2: Verify VTP configurations.


Use the show vtp status and show vtp password commands on all the switches to verify the VTP status.

Record the VTP status information in the table below.

Device    Domain Name                  Operating Mode    VTP Password
S1        No domain name configured    Transparent       No password configured
S2        ccna                         Transparent       No password configured
S3        CCNA                         Transparent       Cisco

Step 3: Correct the VTP configurations.


Ensure that switch S1 is operating as the VTP server. S2 and S3 should be VTP clients, and receiving VTP
updates from S1. The VTP domain should be CCNA and the VTP password should be cisco. The desired
VLANs are already configured on switch S1.
Record the commands used to correct the VTP configurations.
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
S1(config)# vtp mode server
S1(config)#vtp domain CCNA
S1(config)#vtp password cisco

S2(config)#vtp mode client
S2(config)#vtp domain CCNA
S2(config)#vtp password cisco

S3(config)#vtp mode client
S3(config)#vtp password cisco
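
Added example (not part of the original lab manual): a simplified Python model of when a switch installs a VTP advertisement, applied to the Step 2 table, covering both this step and the case-sensitive domain and transparent-mode behaviour seen in Lab 2.1.4.4. The revision numbers are constructed, the names are assumptions, and the model does not cover a switch with no domain name adopting the first domain it hears.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Vtp:
    mode: str        # "server", "client" or "transparent"
    domain: str      # "" = no domain name configured
    password: str    # "" = no password configured


# Step 2 table of this lab, as recorded.
RECORDED = {
    "S1": Vtp("transparent", "", ""),
    "S2": Vtp("transparent", "ccna", ""),
    "S3": Vtp("transparent", "CCNA", "Cisco"),
}

# Target state given in Step 3.
TARGET = {
    "S1": Vtp("server", "CCNA", "cisco"),
    "S2": Vtp("client", "CCNA", "cisco"),
    "S3": Vtp("client", "CCNA", "cisco"),
}


def remediation(current, target):
    """Return only the vtp commands needed to move `current` to `target`."""
    cmds = []
    if current.mode != target.mode:
        cmds.append(f"vtp mode {target.mode}")
    if current.domain != target.domain:
        cmds.append(f"vtp domain {target.domain}")
    if current.password != target.password:
        cmds.append(f"vtp password {target.password}")
    return cmds


def will_apply(sender, sender_rev, receiver, receiver_rev):
    """Return (applied, reason) for one advertisement reaching one receiver."""
    if receiver.mode == "transparent":
        return False, "transparent mode does not apply advertisements"
    if receiver.domain != sender.domain:          # exact, case-sensitive comparison
        return False, "domain mismatch"
    if receiver.password != sender.password:      # also case-sensitive
        return False, "password mismatch"
    if sender_rev <= receiver_rev:
        return False, "revision not newer"
    return True, "applied"


def sync_report(states, server, server_rev, receiver_rev=0):
    """Return {switch: reason} for every switch other than `server`."""
    return {
        name: will_apply(states[server], server_rev, sw, receiver_rev)[1]
        for name, sw in states.items() if name != server
    }


if __name__ == "__main__":
    for name in RECORDED:
        print(name, remediation(RECORDED[name], TARGET[name]))
    # Revision 3 on the server is a constructed value for this example.
    print("before:", sync_report(RECORDED, "S1", server_rev=3))
    print("after: ", sync_report(TARGET, "S1", server_rev=3))
```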

Step 4: Verify port assignment.


The switchports connecting to the PCs need to be configured in the correct VLANs so the PCs can
communicate with each other.
Use the show vlan brief command on S2 and S3 to determine if VLANs have been assigned to the
switchports. Which VLAN is associated with these switchports? _____________________________ 1

Ports                Assignments          Network
S2 F0/1, S3 F0/8     VLAN 10 (Staff)      172.16.10.0/24
S2 F0/9, S3 F0/16    VLAN 20 (Student)    172.16.20.0 /24
S2 F0/17, S3 F0/24   VLAN 30 (Faculty)    172.16.30.0 /24

Using the table above, correct the VLAN assignments on S2 and S3. Record the VLAN assignment
configurations below.
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
S2(config)# interface f0/1
S2(config-if)#switchport access vlan 10
S2(config-if)#interface f0/9
S2(config-if)#switchport access vlan 20
S2(config-if)#interface f0/17
S2(config-if)#switchport access vlan 30
S3(config)# interface f0/8
S3(config-if)#switchport access vlan 10
S3(config-if)#interface f0/16
S3(config-if)#switchport access vlan 20
S3(config-if)#interface f0/24
S3(config-if)#switchport access vlan 30

Step 5: Verify end to end connectivity.


a. From PC0 ping PC5.
b. From PC1 ping PC4.
c. From PC2 ping PC3.

Script

Switch S1
enable
config t
vtp mode server
vtp domain CCNA
vtp password cisco
interface range g0/1 - 2
switchport mode trunk
end

Switch S2
enable
config t
vtp mode client
vtp domain CCNA
vtp password cisco
interface g0/1
switchport mode trunk
interface f0/1
switchport access vlan 10
interface f0/9
switchport access vlan 20
interface f0/17
switchport access vlan 30
end

Switch S3
enable
config t
vtp mode client
vtp domain CCNA
vtp password cisco
interface g0/2
switchport mode trunk
interface f0/8
switchport access vlan 10
interface f0/16
switchport access vlan 20
interface f0/24
switchport access vlan 30
end

Lab 2.3.1.5 – Configure Layer 3 Switching and Inter-VLAN Routing

Topology

Addressing Table

Device    Interface    IP Address         Subnet Mask
MLS       VLAN 10      192.168.10.254     255.255.255.0
MLS       VLAN 20      192.168.20.254     255.255.255.0
MLS       VLAN 30      192.168.30.254     255.255.255.0
MLS       VLAN 99      192.168.99.254     255.255.255.0
MLS       G0/2         209.165.200.225    255.255.255.252
PC0       NIC          192.168.10.1       255.255.255.0
PC1       NIC          192.168.20.1       255.255.255.0
PC2       NIC          192.168.30.1       255.255.255.0
PC3       NIC          192.168.10.2       255.255.255.0
PC4       NIC          192.168.20.2       255.255.255.0
PC5       NIC          192.168.30.2       255.255.255.0
S1        VLAN 99      192.168.99.1       255.255.255.0
S2        VLAN 99      192.168.99.2       255.255.255.0
S3        VLAN 99      192.168.99.3       255.255.255.0

Objectives
Part 1: Configure Layer 3 Switching
Part 2: Configure Inter-VLAN Routing

Background / Scenario
A multilayer switch like the Cisco Catalyst 3560 is capable of both Layer 2 switching and Layer 3 routing. One
of the advantages of using a multilayer switch is this dual functionality. A benefit for a small- to medium-sized
company would be the ability to purchase a single multilayer switch instead of separate switching and routing
network devices. Capabilities of a multilayer switch include the ability to route from one VLAN to another
using multiple switched virtual interfaces (SVIs), as well as the ability to convert a Layer 2 switchport to a
Layer 3 interface.

Part 1: Configure Layer 3 Switching


In Part 1, you will configure the GigabitEthernet 0/2 port on switch MLS as a routed port and verify that you
can ping another Layer 3 address.
d. On MLS, configure G0/2 as a routed port and assign an IP address according to the Addressing Table.
MLS(config)# interface g0/2
MLS(config-if)# no switchport
MLS(config-if)# ip address 209.165.200.225 255.255.255.252
e. Verify connectivity to Cloud by pinging 209.165.200.226.
MLS# ping 209.165.200.226

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.226, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms

Part 2: Configure Inter-VLAN Routing

Step 1: Add VLANs.


Add VLANs to MLS according to the table below.

VLAN Number VLAN Name

10 Staff
20 Student
30 Faculty

Step 2: Configure SVI on MLS.


Configure and activate the SVI interface for VLANs 10, 20, 30, and 99 according to the Addressing Table. The
configuration for VLAN 10 is shown below.
MLS(config)# interface vlan 10
MLS(config-if)# ip address 192.168.10.254 255.255.255.0

Step 3: Enable routing.


Use the show ip route command. Are there any active routes? ______________________________ No.
f. Enter the ip routing command to enable routing in global configuration mode.
MLS(config)# ip routing
g. Use the show ip route command to verify routing is enabled.
MLS# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.10.0/24 is directly connected, Vlan10
C    192.168.20.0/24 is directly connected, Vlan20
C    192.168.30.0/24 is directly connected, Vlan30
C    192.168.99.0/24 is directly connected, Vlan99
     209.165.200.0/30 is subnetted, 1 subnets
C       209.165.200.224 is directly connected, GigabitEthernet0/2

Step 4: Verify end-to-end connectivity.


a. From PC0, ping PC3 or MLS to verify connectivity within VLAN 10.
b. From PC1, ping PC4 or MLS to verify connectivity within VLAN 20.
c. From PC2, ping PC5 or MLS to verify connectivity within VLAN 30.
d. From S1, ping S2, S3, or MLS to verify connectivity with VLAN 99.
e. To verify inter-VLAN routing, ping devices outside the sender’s VLAN.
f. From any device, ping this address inside Cloud, 209.165.200.226

Script

MLS
enable
config t
ip routing
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
interface GigabitEthernet0/2
no switchport
ip address 209.165.200.225 255.255.255.252
vlan 10
name Staff
vlan 20
name Student
vlan 30
name Faculty
interface Vlan10
ip address 192.168.10.254 255.255.255.0
no shutdown
interface Vlan20
ip address 192.168.20.254 255.255.255.0
no shutdown
interface Vlan30
ip address 192.168.30.254 255.255.255.0
no shutdown
interface Vlan99
ip address 192.168.99.254 255.255.255.0
no shutdown

Lab 3.3.1.5 – Configuring PVST+

Topology

Addressing Table

Device    Interface    IP Address       Subnet Mask      Default Gateway
S1        VLAN 99      172.31.99.1      255.255.255.0    N/A
S2        VLAN 99      172.31.99.2      255.255.255.0    N/A
S3        VLAN 99      172.31.99.3      255.255.255.0    N/A
PC1       NIC          172.31.10.21     255.255.255.0    172.31.10.254
PC2       NIC          172.31.20.22     255.255.255.0    172.31.20.254
PC3       NIC          172.31.30.23     255.255.255.0    172.31.30.254

Switch Port Assignment Specifications

Ports       Assignments    Network
S1 F0/6     VLAN 30        172.17.30.0/24
S2 F0/18    VLAN 20        172.17.20.0/24
S3 F0/11    VLAN 10        172.17.10.0/24

Objectives
Part 1: Configure VLANs
Part 2: Configure Spanning Tree PVST+ and Load Balancing
Part 3: Configure PortFast and BPDU Guard

Background
In this activity, you will configure VLANs and trunks, and examine and configure the Spanning Tree Protocol
primary and secondary root bridges. You will also optimize the switched topology using PVST+, PortFast, and
BPDU guard.

Part 1: Configure VLANs

Task 1: Enable the user ports on S1, S2, and S3 in access mode.
Refer to the topology diagram to determine which switch ports (S1, S2, and S3) are activated for end-user
device access. These three ports will be configured for access mode and enabled with the no shutdown
command.
S1(config)#interface f0/6
S1(config-if)#switchport mode access
S1(config-if)#no shutdown

S2(config)#interface f0/18
S2(config-if)#switchport mode access
S2(config-if)#no shutdown

S3(config)#interface f0/11
S3(config-if)#switchport mode access
S3(config-if)#no shutdown

Task 2: Create VLANs.


Using the appropriate command, create VLANs 10,20,30,40,50,60,70,80, and 99 on all of the switches.
S1(config)# vlan 10
S1(config-vlan)# vlan 20
S1(config-vlan)# vlan 30
S1(config-vlan)# vlan 40
S1(config-vlan)# vlan 50
S1(config-vlan)# vlan 60
S1(config-vlan)# vlan 70
S1(config-vlan)# vlan 80
S1(config-vlan)# vlan 99

S2(config)# vlan 10
S2(config-vlan)# vlan 20
S2(config-vlan)# vlan 30
S2(config-vlan)# vlan 40
S2(config-vlan)# vlan 50
S2(config-vlan)# vlan 60
S2(config-vlan)# vlan 70
S2(config-vlan)# vlan 80
S2(config-vlan)# vlan 99

S3(config)# vlan 10
S3(config-vlan)# vlan 20
S3(config-vlan)# vlan 30
S3(config-vlan)# vlan 40
S3(config-vlan)# vlan 50
S3(config-vlan)# vlan 60
S3(config-vlan)# vlan 70
S3(config-vlan)# vlan 80
S3(config-vlan)# vlan 99

Task 3: Assign VLANs to switch ports.


Port assignments are listed in the table at the beginning of the activity. Save your configurations after
assigning switch ports to the VLANs.
S1(config)# interface f0/6
S1(config-if)#switchport access vlan 30

S2(config)# interface f0/18
S2(config-if)#switchport access vlan 20

S3(config)# interface f0/11
S3(config-if)#switchport access vlan 10

Task 4: Verify the VLANs.


Use the show vlan brief command on all switches to verify that all VLANs are registered in the VLAN table.

Task 5: Assign the trunks to native VLAN 99.


Use the appropriate command to configure ports F0/1 to F0/4 on each switch as trunk ports, and assign these
trunk ports to native VLAN 99.
S1(config)#interface range f0/1-4
S1(config-if-range)# switchport mode trunk
S1(config-if-range)# switchport trunk native vlan 99

S2(config)#interface range f0/1-4
S2(config-if-range)# switchport mode trunk
S2(config-if-range)# switchport trunk native vlan 99

S3(config)#interface range f0/1-4
S3(config-if-range)# switchport mode trunk
S3(config-if-range)# switchport trunk native vlan 99

Task 6: Configure the management interface on all three switches with an address.
S1(config)#interface vlan99
S1(config-if)#ip address 172.31.99.1 255.255.255.0

S2(config)#interface vlan99
S2(config-if)#ip address 172.31.99.2 255.255.255.0

S3(config)#interface vlan99
S3(config-if)#ip address 172.31.99.3 255.255.255.0
Verify that the switches are correctly configured by pinging between them.

Part 2: Configure Spanning Tree PVST+ and Load Balancing


Because there is a separate instance of the spanning tree for every active VLAN, a separate root election is
conducted for each instance. If the default switch priorities are used in root selection, the same root is elected
for every spanning tree instance, as we have seen. This could lead to an inferior design. Some reasons to
control the selection of the root switch include:
• The root switch is responsible for generating BPDUs for STP 802.1D and is the focal point for spanning
tree to control traffic. The root switch must be capable of handling this additional load.
• The placement of the root defines the active switched paths in the network. Random placement is likely to
lead to suboptimal paths. Ideally the root is in the distribution layer.
• Consider the topology used in this activity. Of the six trunks configured, only three are carrying traffic.
While this prevents loops, it is a waste of resources. Because the root can be defined on the basis of the
VLAN, you can have some ports blocking for one VLAN and forwarding for another. This is demonstrated
below.

Task 1: Configure STP mode.


Use the spanning-tree mode command to configure the switches so they use PVST as the STP mode.
S1(config)# spanning-tree mode pvst

S2(config)# spanning-tree mode pvst

S3(config)# spanning-tree mode pvst

Task 2: Configure Spanning Tree PVST+ load balancing.


Step 1: Configure S1 to be the primary root for VLANs 1, 10, 30, 50, and 70. Configure S3 to be the primary
root for VLANs 20, 40, 60, 80, and 99. Configure S2 to be the secondary root for all VLANs.
S1(config)#spanning-tree vlan 1,10,30,50,70 root primary

S2(config)#spanning-tree vlan 1,10,20,30,40,50,60,70,80,99 root secondary

S3(config)#spanning-tree vlan 20,40,60,80,99 root primary


Step 2: Verify your configurations using the show spanning-tree command.


Part 3: Configure PortFast and BPDU Guard

Task 1: Configure PortFast on the switches.


PortFast causes a port to enter the forwarding state almost immediately by dramatically decreasing the time
of the listening and learning states. PortFast minimizes the time it takes for the server or workstation to come
online. Configure PortFast on the switch interfaces that are connected to PCs.
S1(config)#interface f0/6
S1(config-if)#spanning-tree portfast

S2(config)#interface f0/18
S2(config-if)#spanning-tree portfast

S3(config)#interface f0/11
S3(config-if)#spanning-tree portfast

Task 2: Configure BPDU guard on the switches.


The STP PortFast BPDU guard enhancement allows network designers to enforce the STP domain borders
and keep the active topology predictable. The devices behind the ports that have STP PortFast enabled are
unable to influence the STP topology. At the reception of BPDUs, the BPDU guard operation disables the port
that has PortFast configured. The BPDU guard transitions the port into the err-disable state, and a message
appears on the console. Configure BPDU guard on switch interfaces that are connected to PCs.
S1(config)#interface f0/6
S1(config-if)#spanning-tree bpduguard enable

S2(config)#interface f0/18
S2(config-if)#spanning-tree bpduguard enable

S3(config)#interface f0/11
S3(config-if)#spanning-tree bpduguard enable

Task 3: Verify your configuration.


Use the show running-config command to verify your configuration.


Lab 33.2.2 – Configuring Rapid PVST+

Topology

Addressing Table

Device Interface IP Address Subnet Mask Default Gateway

S1 VLAN 99 172.17.99.11 255.255.255.0 N/A
S2 VLAN 99 172.17.99.12 255.255.255.0 N/A
S3 VLAN 99 172.17.99.13 255.255.255.0 N/A
PC1 NIC 172.17.10.21 255.255.255.0 172.17.10.254
PC2 NIC 172.17.20.22 255.255.255.0 172.17.20.254
PC3 NIC 172.17.30.23 255.255.255.0 172.17.30.254

Switch Port Assignment Specifications

Ports Assignments Network

S2 F0/6 VLAN 30 172.17.30.0/24
S2 F0/18 VLAN 20 172.17.20.0/24
S2 F0/11 VLAN 10 172.17.10.0/24

Objectives
Part 1: Configure VLANs


Part 2: Configure Rapid Spanning Tree PVST+ Load Balancing


Part 3: Configure PortFast and BPDU Guard

Background
In this activity, you will configure VLANs and trunks, Rapid Spanning Tree PVST+, primary and secondary
root bridges, and examine the configuration results. You will also optimize the network by configuring
PortFast, and BPDU Guard on edge ports.

Part 1: Configure VLANs

Task 1: Enable the user ports on S2 in access mode.


Refer to the topology diagram to determine which switch ports on S2 are activated for end-user device
access. These three ports will be configured for access mode and enabled with the no shutdown command.
S2(config)# interface range f0/6,f0/11,f0/18
S2(config-if-range)# switchport mode access
S2(config-if-range)# no shutdown

Task 2: Create VLANs.


Using the appropriate command, create VLANs 10, 20, 30, 40, 50, 60, 70, 80, and 99 on all of the switches.
S1(config)# vlan 10
S1(config-vlan)# vlan 20
S1(config-vlan)# vlan 30
S1(config-vlan)# vlan 40
S1(config-vlan)# vlan 50
S1(config-vlan)# vlan 60
S1(config-vlan)# vlan 70
S1(config-vlan)# vlan 80
S1(config-vlan)# vlan 99

S2(config)# vlan 10
S2(config-vlan)# vlan 20
S2(config-vlan)# vlan 30
S2(config-vlan)# vlan 40
S2(config-vlan)# vlan 50
S2(config-vlan)# vlan 60
S2(config-vlan)# vlan 70
S2(config-vlan)# vlan 80
S2(config-vlan)# vlan 99

S3(config)# vlan 10
S3(config-vlan)# vlan 20
S3(config-vlan)# vlan 30
S3(config-vlan)# vlan 40
S3(config-vlan)# vlan 50

S3(config-vlan)# vlan 60
S3(config-vlan)# vlan 70
S3(config-vlan)# vlan 80
S3(config-vlan)# vlan 99

Task 3: Assign VLANs to switch ports.


Port assignments are listed in the table at the beginning of the activity. Save your configurations after
assigning switch ports to the VLANs.
S2(config)# interface f0/6
S2(config-if)#switchport access vlan 30
S2(config-if)# interface f0/11
S2(config-if)#switchport access vlan 10
S2(config-if)# interface f0/18
S2(config-if)#switchport access vlan 20

Task 4: Verify the VLANs.


Use the show vlan brief command on all switches to verify that all VLANs are registered in the VLAN table.

Task 5: Assign the trunks to native VLAN 99.


Use the appropriate command to configure ports F0/1 to F0/4 on each switch as trunk ports and assign these
trunk ports to native VLAN 99.
S1(config)#interface range f0/1-4
S1(config-if-range)# switchport mode trunk
S1(config-if-range)# switchport trunk native vlan 99

S2(config)#interface range f0/1-4


S2(config-if-range)# switchport mode trunk
S2(config-if-range)# switchport trunk native vlan 99

S3(config)#interface range f0/1-4


S3(config-if-range)# switchport mode trunk
S3(config-if-range)# switchport trunk native vlan 99

Task 6: Configure the management interface on all three switches with an address.
S1(config)#interface vlan99
S1(config-if)#ip address 172.17.99.11 255.255.255.0

S2(config)#interface vlan99
S2(config-if)#ip address 172.17.99.12 255.255.255.0

S3(config)#interface vlan99
S3(config-if)#ip address 172.17.99.13 255.255.255.0
Verify that the switches are correctly configured by pinging between them.


Part 2: Configure Rapid Spanning Tree PVST+ Load Balancing


The Rapid Spanning Tree Protocol (RSTP; IEEE 802.1w) can be seen as an evolution of the 802.1D standard
more so than a revolution. The 802.1D terminology remains primarily the same. Most parameters have been
left unchanged so users familiar with 802.1D can rapidly configure the new protocol comfortably. In most
cases, RSTP performs better than proprietary extensions of Cisco without any additional configuration.
802.1w can also revert back to 802.1D in order to interoperate with legacy bridges on a per-port basis.

Task 1: Configure STP mode.


Use the spanning-tree mode command to configure the switches to use rapid PVST as the STP mode.
S1(config)# spanning-tree mode rapid-pvst

S2(config)# spanning-tree mode rapid-pvst

S3(config)# spanning-tree mode rapid-pvst

Task 2: Configure Rapid Spanning Tree PVST+ load balancing.


Configure S1 to be the primary root for VLANs 1, 10, 30, 50, and 70. Configure S3 to be the primary root for
VLANs 20, 40, 60, 80, and 99. Configure S2 to be the secondary root for all of the VLANs.
S1(config)#spanning-tree vlan 1,10,30,50,70 root primary

S2(config)#spanning-tree vlan 1,10,20,30,40,50,60,70,80,99 root secondary

S3(config)#spanning-tree vlan 20,40,60,80,99 root primary


Verify your configurations by using the show spanning-tree command.
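
The root placement configured in Part 2 of both spanning-tree labs (PVST+ and Rapid PVST+) can be checked offline. The Python sketch below is an added example, not part of the lab manual: it elects the root bridge per VLAN from bridge IDs, first with default priorities and then with the root primary and root secondary commands from Task 2. The base MAC addresses are constructed, and the value 28672 for root secondary is an assumption based on usual IOS behaviour.

```python
# Added example (not from the lab manual): per-VLAN root election in PVST+.
DEFAULT_PRIORITY = 32768
ROOT_PRIMARY = 24576    # priority the manual gives as equivalent to "root primary"
ROOT_SECONDARY = 28672  # assumption: usual IOS value set by "root secondary"

VLANS = [1, 10, 20, 30, 40, 50, 60, 70, 80, 99]

# Constructed base MAC addresses; S2 deliberately has the lowest one.
SWITCH_MACS = {
    "S1": "0019.aa00.0300",
    "S2": "0019.aa00.0100",
    "S3": "0019.aa00.0200",
}


def bridge_id(priority, vlan, mac):
    """Return the bridge ID as a sortable tuple; the lowest tuple wins."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    # The extended system ID (the VLAN number) is added to the priority.
    return (priority + vlan, int(mac.replace(".", ""), 16))


def rank(config, macs=SWITCH_MACS, vlans=VLANS):
    """config is {switch: {vlan: priority}}; returns {vlan: [best, next, ...]}."""
    ranking = {}
    for vlan in vlans:
        ranking[vlan] = sorted(
            macs,
            key=lambda sw: bridge_id(
                config.get(sw, {}).get(vlan, DEFAULT_PRIORITY), vlan, macs[sw]
            ),
        )
    return ranking


def lab_config():
    """Priorities that result from the three commands in Task 2."""
    config = {"S1": {}, "S2": {}, "S3": {}}
    for vlan in (1, 10, 30, 50, 70):
        config["S1"][vlan] = ROOT_PRIMARY
    for vlan in (20, 40, 60, 80, 99):
        config["S3"][vlan] = ROOT_PRIMARY
    for vlan in VLANS:
        config["S2"][vlan] = ROOT_SECONDARY
    return config


def roots(config, macs=SWITCH_MACS):
    """Return {vlan: root switch} for the given priorities."""
    return {vlan: order[0] for vlan, order in rank(config, macs).items()}


if __name__ == "__main__":
    print("defaults:", roots({}))
    print("lab     :", roots(lab_config()))
    survivors = {sw: mac for sw, mac in SWITCH_MACS.items() if sw != "S1"}
    print("S1 down :", roots(lab_config(), survivors))
```

With default priorities the switch with the lowest MAC address wins every VLAN, which is the single-root design the lab text warns about; with the lab's commands the VLANs split between S1 and S3, and S2 takes over a VLAN only when its primary root is gone.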

Part 3: Configure PortFast and BPDU Guard

Task 1: Configuring PortFast on S2.


PortFast causes a port to enter the forwarding state almost immediately by dramatically decreasing the time
of the listening and learning states. PortFast minimizes the time it takes for the server or workstation to come
online. Configure PortFast on S2 interfaces that are connected to PCs.
S2(config)# interface range f0/6,f0/11,f0/18
S2(config-if-range)# spanning-tree portfast

Task 2: Configuring BPDU Guard on S2.


The STP PortFast BPDU Guard enhancement allows network designers to enforce the STP domain borders
and keep the active topology predictable. The devices behind the ports that have STP PortFast enabled are
not able to influence the STP topology. At the reception of BPDUs, the BPDU Guard operation disables the
port that has PortFast configured. The BPDU Guard transitions the port into err-disable state, and a message
appears on the console. Configure BPDU Guard on S2 interfaces that are connected to PCs.
S2(config)# interface range f0/6,f0/11,f0/18
S2(config-if-range)#spanning-tree bpduguard enable


Task 3: Verify your configuration.


Use the show run command to verify your configuration.
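
Task 3 in both spanning-tree labs verifies PortFast and BPDU guard by reading the running configuration. The Python sketch below is an added example, not part of the lab manual; it automates that check over a constructed S2 configuration. It assumes the interface commands appear in the running configuration as typed in the lab, and it also honours the global spanning-tree portfast bpduguard default command, which the lab does not use.

```python
import re

# Constructed running-config excerpt for S2: F0/11 lacks BPDU guard and
# F0/18 lacks both PortFast and BPDU guard.
SAMPLE_RUNNING_CONFIG = """\
hostname S2
!
spanning-tree mode rapid-pvst
!
interface FastEthernet0/1
 switchport trunk native vlan 99
 switchport mode trunk
!
interface FastEthernet0/6
 switchport access vlan 30
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/11
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/18
 switchport access vlan 20
 switchport mode access
!
interface Vlan99
 ip address 172.17.99.12 255.255.255.0
!
end
"""


def parse_interfaces(config_text):
    """Split a running-config into ({interface: [sub-commands]}, [global lines])."""
    interfaces, global_lines, current = {}, [], None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.strip() == "!":
            current = None          # "!" or a blank line closes a stanza
            continue
        match = re.match(r"^interface\s+(\S+)", line)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return interfaces, global_lines


def audit_edge_ports(config_text):
    """Return (interface, finding) pairs for access ports missing edge protection."""
    interfaces, global_lines = parse_interfaces(config_text)
    # The global default enables BPDU guard only on PortFast-enabled ports.
    guard_default = "spanning-tree portfast bpduguard default" in global_lines
    findings = []
    for name, commands in interfaces.items():
        if "switchport mode access" not in commands:
            continue                # trunks and SVIs are not edge ports
        portfast = "spanning-tree portfast" in commands
        guard = ("spanning-tree bpduguard enable" in commands
                 or (guard_default and portfast))
        if not portfast:
            findings.append((name, "access port without PortFast"))
        if not guard:
            findings.append((name, "access port without BPDU guard"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit_edge_ports(SAMPLE_RUNNING_CONFIG):
        print(f"{interface}: {finding}")
```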


Lab 4.2.13 – Configuring EtherChannel

Topology

Objectives
Part 1: Configure Basic Switch Settings
Part 2: Configure an EtherChannel with Cisco PAgP
Part 3: Configure an 802.3ad LACP EtherChannel
Part 4: Configure a Redundant EtherChannel Link

Background
Three switches have just been installed. There are redundant uplinks between the switches. Usually, only one
of these links could be used; otherwise, a bridging loop might occur. However, using only one link utilizes only
half of the available bandwidth. EtherChannel allows up to eight redundant links to be bundled together into
one logical link. In this lab, you will configure Port Aggregation Protocol (PAgP), a Cisco EtherChannel
protocol, and Link Aggregation Control Protocol (LACP), an IEEE 802.3ad open standard version of
EtherChannel.

Part 1: Configure Basic Switch Settings

Task 1: Configure basic switch parameters.


Step 1: Assign each switch a hostname according to the topology diagram.
Switch(config)# hostname S1

Switch(config)# hostname S2

Switch(config)# hostname S3
Step 2: Configure all required ports as trunks, depending on the connections between devices.
Note: If the ports are configured with dynamic auto mode, and you do not set the mode of the ports to
trunk, the links do not form trunks and remain access ports. The default mode on a 2960 switch is
dynamic auto.
S1(config)# interface range g0/1 - 2
S1(config-if-range)#switchport mode trunk

S1(config-if-range)#interface range f0/21 - 22


S1(config-if-range)#switchport mode trunk
S1(config-if-range)#end

S2(config)# interface range g0/1 - 2


S2(config-if-range)#switchport mode trunk
S2(config-if-range)#interface range f0/23 - 24
S2(config-if-range)#switchport mode trunk
S2(config-if-range)#end

S3(config)# interface range f0/21 - 24


S3(config-if-range)#switchport mode trunk
S3(config-if-range)#end

Part 2: Configure an EtherChannel with Cisco PAgP


Note: When configuring EtherChannels, it is recommended to shut down the physical ports being grouped on
both devices before configuring them into channel groups. Otherwise, the EtherChannel Misconfig Guard may
place these ports into err-disabled state. The ports and port channels can be re-enabled after EtherChannel is
configured.

Task 1: Configure Port Channel 1.


Step 1: The first EtherChannel created for this activity aggregates ports F0/22 and F0/21 between S1 and S3.
Use the show interfaces trunk command to ensure that you have an active trunk link for those two links.
S1# show interfaces trunk

Port Mode Encapsulation Status Native vlan
F0/21 on 802.1q trunking 1
F0/22 on 802.1q trunking 1
G0/1 on 802.1q trunking 1
G0/2 on 802.1q trunking 1

<output omitted>
Step 2: On both switches, add ports F0/21 and F0/22 to Port Channel 1 with the channel-group 1 mode
desirable command. The mode desirable option enables the switch to actively negotiate to form a PAgP
link.
S1(config)# interface range f0/21 - 22
S1(config-if-range)#shutdown
S1(config-if-range)#channel-group 1 mode desirable
S1(config-if-range)#no shutdown

S3(config)# interface range f0/21 - 22


S3(config-if-range)#shutdown
S3(config-if-range)#channel-group 1 mode desirable
S3(config-if-range)#no shutdown


Step 3: Configure the logical interface to become a trunk by first entering the interface port-channel
number command and then the switchport mode trunk command. Add this configuration to both
switches.
Instructor Note: Packet Tracer 6.0.1 does not grade the switchport mode trunk command in
port-channel interfaces.
S1(config)# interface port-channel 1
S1(config-if)#switchport mode trunk
S3(config)# interface port-channel 1
S3(config-if)#switchport mode trunk

Task 2: Verify Port Channel 1 status.


Step 1: Issue the show etherchannel summary command to verify that EtherChannel is working on both
switches. This command displays the type of EtherChannel, the ports utilized, and port states.
S1# show etherchannel summary
Flags: D - down P - in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
u - unsuitable for bundling
w - waiting to be aggregated
d - default port

Number of channel-groups in use: 1
Number of aggregators: 1

Group Port-channel Protocol Ports
------+-------------+-----------+----------------------------------------
1 Po1(SU) PAgP F0/21(P) F0/22(P)

S3# show etherchannel summary


Flags: D - down P - in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
u - unsuitable for bundling
w - waiting to be aggregated
d - default port

Number of channel-groups in use: 1


Number of aggregators: 1

Group Port-channel Protocol Ports

------+-------------+-----------+----------------------------------------
1 Po1(SU) PAgP F0/21(P) F0/22(P)
Step 2: If the EtherChannel does not come up, shut down the physical interfaces on both ends of the
EtherChannel and then bring them back up again. This involves using the shutdown command on those
interfaces, followed by a no shutdown command a few seconds later.
The show interfaces trunk and show spanning-tree commands also show the port channel as one
logical link.
S1# show interfaces trunk
Port Mode Encapsulation Status Native vlan
Gig0/1 on 802.1q trunking 1
Gig0/2 on 802.1q trunking 1
Po1 on 802.1q trunking 1

<output omitted>

S1# show spanning-tree


VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 0001.436E.8494
Cost 9
Port 27(Port-channel 1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)


Address 000A.F313.2395
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20

Interface Role Sts Cost Prio.Nbr Type


---------------- ---- --- --------- -------- --------------------------------
Gi0/1 Desg FWD 4 128.25 P2p
Gi0/2 Desg FWD 4 128.26 P2p
Po1 Root FWD 9 128.27 Shr

Part 3: Configure an 802.3ad LACP EtherChannel

Task 1: Configure Port Channel 2.


Step 1: In 2000, the IEEE released 802.3ad, which is an open standard version of EtherChannel. Using the
previous commands, configure the link between S1 and S2 on ports G0/1 and G0/2 as an LACP
EtherChannel. You must use a different port channel number on S1 than 1, because you already used
that in the previous step. To configure port channel 2 as LACP, use the interface configuration
mode channel-group 2 mode active command. Active mode indicates that the switch actively tries to
negotiate that link as LACP, as opposed to PAgP.
Instructor Note: Packet Tracer 6.0.1 does not grade the switchport mode trunk command in
port-channel interfaces.
S1(config)# interface range g0/1 - 2

S1(config-if-range)#shutdown
S1(config-if-range)#channel-group 2 mode active
S1(config-if-range)#no shutdown
S1(config-if-range)#interface port-channel 2
S1(config-if)#switchport mode trunk

S2(config)# interface range g0/1 - 2


S2(config-if-range)#shutdown
S2(config-if-range)#channel-group 2 mode active
S2(config-if-range)#no shutdown
S2(config-if-range)#interface port-channel 2
S2(config-if)#switchport mode trunk

Task 2: Verify Port Channel 2 status.


Step 1: Use the show commands from Part 1 Step 2 to verify the status of Port Channel 2. Look for the
protocol used by each port.
S1# show etherchannel summary
Flags: D - down P - in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
u - unsuitable for bundling
w - waiting to be aggregated
d - default port

Number of channel-groups in use: 2
Number of aggregators: 2

Group Port-channel Protocol Ports
------+-------------+-----------+----------------------------------------------
1 Po1(SU) PAgP Fa0/21(P) Fa0/22(P)
2 Po2(SU) LACP Gig0/1(P) Gig0/2(P)

Part 4: Configure a Redundant EtherChannel Link

Task 1: Configure Port Channel 3.


There are various ways to enter the channel-group number mode command:
S2(config)# interface range f0/23 - 24
S2(config-if-range)#channel-group 3 mode ?
active Enable LACP unconditionally
auto Enable PAgP only if a PAgP device is detected
desirable Enable PAgP unconditionally
on Enable Etherchannel only

passive Enable LACP only if a LACP device is detected


Step 1: On switch S2, add ports F0/23 and F0/24 to Port Channel 3 with the channel-group 3 mode passive
command. The passive option indicates that you want the switch to use LACP only if another LACP
device is detected. Statically configure Port Channel 3 as a trunk interface.
Instructor Note: Packet Tracer 6.0.1 does not grade the switchport mode trunk command in
port-channel interfaces.
S2(config)# interface range f0/23 - 24
S2(config-if-range)#shutdown
S2(config-if-range)#channel-group 3 mode passive
S2(config-if-range)#no shutdown
S2(config-if-range)#interface port-channel 3
S2(config-if)#switchport mode trunk

Step 2: On switch S3, add ports F0/23 and F0/24 to Port Channel 3 with the channel-group 3 mode active
command. The active option indicates that you want the switch to use LACP unconditionally. Statically
configure Port Channel 3 as a trunk interface.
Instructor Note: Packet Tracer 6.0.1 does not grade the switchport mode trunk command in
port-channel interfaces.
S3(config)# interface range f0/23 - 24
S3(config-if-range)#shutdown
S3(config-if-range)#channel-group 3 mode active
S3(config-if-range)#no shutdown
S3(config-if-range)#interface port-channel 3
S3(config-if)#switchport mode trunk

Task 2: Verify Port Channel 3 status.


Step 1: Use the show commands from Part 1 Step 2 to verify the status of Port Channel 3. Look for the
protocol used by each port.
S2# show etherchannel summary
<output omitted>
Number of channel-groups in use: 2
Number of aggregators: 2
Group Port-channel Protocol Ports
------+-------------+-----------+----------------------------------------
2 Po2(SU) LACP Gig0/1(P) Gig0/2(P)
3 Po3(SU) LACP Fa0/23(P) Fa0/24(P)
Step 2: Port Channel 2 is not operative because spanning tree protocol placed some ports into blocking
mode. Unfortunately, those ports were Gigabit ports. To restore these ports, configure S1 to be primary
root for VLAN 1 or set the priority to 24576.
S1(config)#spanning-tree vlan 1 root primary
or
S1(config)#spanning-tree vlan 1 priority 24576


Lab 4.2.2.3 – Troubleshooting EtherChannel

Topology

Objectives
Part 1: Examine the Physical Layer and Correct Switch Port Mode Issues
Part 2: Identify and Correct Port Channel Assignment Issues
Part 3: Identify and Correct Port Channel Protocol Issues

Background
Four switches were recently configured by a junior technician. Users are complaining that the network is
running slow and would like you to investigate.

Part 1: Examine the Physical Layer and Correct Switch Port Mode Issues

Task 1: Look for access ports.


Examine the switches. When physical ports are assigned to an EtherChannel port, they behave as one. Each
pair will either be operational or down. They will not be mixed with one port green and the other port orange.

Task 2: Set ports to trunking mode.


a. Verify that all physical ports in the topology are set to trunking. Correct any that are in access mode.
S2(config)# interface range f0/21 - 24
S2(config-if-range)#switchport mode trunk
S2(config-if-range)#interface range g0/1-2
S2(config-if-range)#switchport mode trunk
b. Correct any EtherChannel ports that are not set to trunking mode.

S1(config)# interface port-channel 1


S1(config-if)# switchport mode trunk

S2(config)# interface port-channel 2


S2(config-if)# switchport mode trunk
S2(config-if)# interface port-channel 3
S2(config-if)# switchport mode trunk
S2(config-if)# interface Port-channel 6
S2(config-if)#switchport mode trunk

Part 2: Identify and Correct Port Channel Assignment Issues

Task 1: Examine port channel assignments.


The topology illustrates physical ports and their EtherChannel assignments. Verify that the switches are
configured as indicated.
S1#show etherchannel summary
<output omitted>
1 Po1(SD) LACP Gig0/1(I) Gig0/2(I)
3 Po3(SU) LACP Fa0/23(P) Fa0/24(P)
5 Po5(SU) LACP Fa0/21(P) Fa0/22(P)

S2# show etherchannel summary


<output omitted>
2 Po2(SU) LACP Gig0/1(P) Gig0/2(P)
3 Po3(SU) LACP Fa0/23(P) Fa0/24(P)
6 Po6(SD) LACP Fa0/21(I) Fa0/22(I)

S3#show etherchannel summary


<output omitted>
1 Po1(SD) PAgP Gig0/1(I) Gig0/2(I)
4 Po4(SD) PAgP Fa0/23(I) Fa0/24(I)
6 Po6(SD) PAgP Fa0/21(I) Fa0/22(I)

S4#show etherchannel summary


<output omitted>
2 Po2(SU) LACP Gig0/1(P) Gig0/2(P)
4 Po4(SU) LACP Fa0/21(P) Fa0/22(P) Fa0/23(I) Fa0/24(I)
5 Po5(SD) -

Task 2: Correct port channel assignments.


Correct any switch ports that are not assigned to the correct EtherChannel port.
S4(config)# interface range f0/21 - 22
S4(config-if-range)#channel-group 5 mode active


Part 3: Identify and Correct Port Channel Protocol Issues

Task 1: Identify protocol issues.


In 2000, the IEEE released 802.3ad (LACP), which is an open standard version of EtherChannel. For
compatibility reasons, the network design team chose to use LACP across the network. All ports that
participate in EtherChannel need to actively negotiate the link as LACP, as opposed to PAgP. Verify that the
physical ports are configured as indicated.
S3#show etherchannel summary
<output omitted>
1 Po1(SD) PAgP Gig0/1(I) Gig0/2(I)
4 Po4(SD) PAgP Fa0/23(I) Fa0/24(I)
6 Po6(SD) PAgP Fa0/21(I) Fa0/22(I)

Task 2: Correct Protocol issues.


Correct any switch ports that are not negotiating using LACP.
S3(config)# interface range g0/1 - 2
S3(config-if-range)#no channel-group
S3(config-if-range)#channel-group 1 mode active
S3(config-if-range)# interface range f0/21 - 22
S3(config-if-range)#no channel-group
S3(config-if-range)#channel-group 6 mode active
S3(config-if-range)# interface range f0/23 - 24
S3(config-if-range)#no channel-group
S3(config-if-range)#channel-group 4 mode active
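
The checks in Parts 1 to 3 of this troubleshooting lab come down to reading each show etherchannel summary line for the bundle flags, the protocol and the per-port flags. The Python sketch below is an added example, not part of the lab manual; it parses the four outputs printed above and reports what needs attention, assuming the design requirement stated in Part 3 that every bundle negotiates LACP.

```python
import re

REQUIRED_PROTOCOL = "LACP"  # design decision stated in Part 3 of the lab

# Group lines copied from the lab's "show etherchannel summary" outputs.
SUMMARIES = {
    "S1": "<output omitted>\n"
          "1 Po1(SD) LACP Gig0/1(I) Gig0/2(I)\n"
          "3 Po3(SU) LACP Fa0/23(P) Fa0/24(P)\n"
          "5 Po5(SU) LACP Fa0/21(P) Fa0/22(P)",
    "S2": "2 Po2(SU) LACP Gig0/1(P) Gig0/2(P)\n"
          "3 Po3(SU) LACP Fa0/23(P) Fa0/24(P)\n"
          "6 Po6(SD) LACP Fa0/21(I) Fa0/22(I)",
    "S3": "1 Po1(SD) PAgP Gig0/1(I) Gig0/2(I)\n"
          "4 Po4(SD) PAgP Fa0/23(I) Fa0/24(I)\n"
          "6 Po6(SD) PAgP Fa0/21(I) Fa0/22(I)",
    "S4": "2 Po2(SU) LACP Gig0/1(P) Gig0/2(P)\n"
          "4 Po4(SU) LACP Fa0/21(P) Fa0/22(P) Fa0/23(I) Fa0/24(I)\n"
          "5 Po5(SD) -",
}

# group number, Po name, Po flags, protocol ("-" if none), member ports
GROUP_RE = re.compile(r"^\s*(\d+)\s+(Po\d+)\((\w+)\)\s+(\S+)\s*(.*)$")
PORT_RE = re.compile(r"(\S+)\((\w+)\)")


def parse_summary(text):
    """Return one dict per channel group; legend and header lines are skipped."""
    groups = []
    for line in text.splitlines():
        match = GROUP_RE.match(line)
        if not match:
            continue
        number, po, po_flags, protocol, rest = match.groups()
        groups.append({
            "group": int(number),
            "po": po,
            "flags": po_flags,
            "protocol": None if protocol == "-" else protocol,
            "ports": PORT_RE.findall(rest),   # [(port, flag), ...]
        })
    return groups


def diagnose(switch, text, required=REQUIRED_PROTOCOL):
    """Return (switch, port-channel, issue) tuples for one switch's output."""
    issues = []
    for group in parse_summary(text):
        po, ports = group["po"], group["ports"]
        if not ports:
            issues.append((switch, po, "no member ports assigned"))
            continue
        if group["protocol"] != required:
            issues.append((switch, po, "negotiates %s, design requires %s"
                           % (group["protocol"], required)))
        states = {flag for _, flag in ports}
        if "P" in states and states != {"P"}:
            # Some members bundled (P) and some not: check group assignment
            # and the protocol configured on the far end of those links.
            loose = ", ".join(port for port, flag in ports if flag != "P")
            issues.append((switch, po, "mixed member states; not bundled: " + loose))
        elif "D" in group["flags"]:
            issues.append((switch, po, "port channel down"))
    return issues


if __name__ == "__main__":
    for name, output in SUMMARIES.items():
        for issue in diagnose(name, output):
            print(*issue, sep=": ")
```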


Lab 4.3.4.4 - Troubleshoot HSRP

Topology

Addressing Table

Device Interface IP Address Subnet Mask Default Gateway

R1 G0/1 192.168.1.1 255.255.255.0 N/A
R1 S0/0/0 209.165.200.226 255.255.255.252 N/A
R2 G0/1 192.168.1.2 255.255.255.0 N/A
R2 S0/0/1 209.165.200.230 255.255.255.252 N/A
PC0 NIC 192.168.1.10 255.255.255.0 192.168.1.254
Laptop0 NIC 192.168.1.11 255.255.255.0 192.168.1.254
Laptop1 NIC 192.168.1.12 255.255.255.0 192.168.1.254
PC1 NIC 192.168.1.13 255.255.255.0 192.168.1.254
Web NIC 209.165.202.156 255.255.255.224 209.165.202.158

Objective
In this activity, you will troubleshoot and resolve the HSRP issues in the network. You will also verify that all
the HSRP configurations meet the network requirement.


Background / Scenario
Currently the users can access www.cisco.pka. The network has been updated to use HSRP to ensure the
network availability to the users. You must verify that the users can still access the website if one of the
routers is down. R1 should always be the active router if it is functioning.
Network Requirement:
• HSRP virtual router is 192.168.1.254.
• HSRP standby group is 1.
• DNS server is 209.165.202.157.
• R1 should always be the active router when it is functioning properly.
• R2 uses the default HSRP priority.
• All users should be able to access www.cisco.pka as long as one of the routers is functioning.

Troubleshooting Process

Task 1: PCs and Laptops


1 Verify the PCs and laptops are configured correctly using the provided network requirement.
2 Based on the Network Requirement shown above, verify that the PCs and laptops can navigate
to www.cisco.pka successfully.

Task 2: Troubleshoot R1.


1 Disable the interface G0/1 on R2.
2 Use show commands to determine issues. Record and correct any issues found on R1.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
R1 is configured with the incorrect standby group and is not configured to preempt. The priority needs to
be higher than 100, which is the priority on R2. If the PC0 and Laptop1 are still using R2 (192.168.1.2) as
the default gateway, they will lose connectivity to the Web when the interface G0/1 on R2 is disabled.
Without the correct default gateway (virtual router IP address) configured on PC0 and Laptop1, these end
devices cannot switch the default gateway to R1’s G0/1 interface (192.168.1.1).
R1# show standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Gig0/1 11 50 Active local unknown 192.168.1.254

R1(config)# interface g0/1


R1(config-if)# no standby 11
R1(config-if)# standby 1 ip 192.168.1.254
R1(config-if)#standby 1 priority 101
R1(config-if)#standby 1 preempt
3 Re-enable the interface G0/1 on R2.


Task 3: Troubleshoot R2.


1 Disable the interface G0/1 on R1.
2 Use show commands to determine any issues. Record and correct any issues found on R2.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
The PCs and laptop use 192.168.1.254 (HSRP’s virtual router IP) as gateway. Because R1’s G0/1 has
been disabled and R2 is not yet a member of the HSRP standby group 1, laptops and PCs will lose
connectivity to the server.
R2# show standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Gig0/1 111 100 Active local unknown 192.168.1.254

R2(config)# interface g0/1


R2(config-if)# no standby 111
R2(config-if)# standby 1 ip 192.168.1.254
3 After verifying that the PCs and laptops can navigate to www.cisco.pka successfully, re-enable
the interface G0/1 on R1.

Task 4: Verify connectivity.


1 Verify all PCs and laptops can navigate to www.cisco.pka.
2 Verify all the HSRP requirements have been met.

Running Scripts

PC0 and Laptop1


The default gateway should be configured at 192.168.1.254.

R1 Configuration
interface g0/1
no standby 11
standby 1 ip 192.168.1.254
standby 1 priority 101
standby 1 preempt

R2 Configuration
interface g0/1
no standby 111
standby 1 ip 192.168.1.254
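
The comparison made in Tasks 2 and 3, show standby brief output against the Network Requirement list, can be scripted. The Python sketch below is an added example, not part of the lab manual; the two "before" outputs are the ones printed in the lab, while the two "after" rows are constructed to show what corrected routers would report.

```python
# Requirements taken from the lab's "Network Requirement" list.
REQUIRED_GROUP = 1
REQUIRED_VIP = "192.168.1.254"
DEFAULT_PRIORITY = 100  # the manual states this is the priority on R2

# Outputs printed in the lab before the fix.
R1_BEFORE = """\
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Gig0/1 11 50 Active local unknown 192.168.1.254
"""
R2_BEFORE = """\
Interface Grp Pri P State Active Standby Virtual IP
Gig0/1 111 100 Active local unknown 192.168.1.254
"""
# Constructed rows (not from the lab) for the corrected configuration.
R1_AFTER = "Gig0/1 1 101 P Active local 192.168.1.2 192.168.1.254"
R2_AFTER = "Gig0/1 1 100 Standby 192.168.1.1 local 192.168.1.254"


def parse_standby_brief(text):
    """Parse data rows; the P column is present only when preempt is set."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) == 8 and tokens[3] == "P":
            preempt = True
            del tokens[3]
        elif len(tokens) == 7:
            preempt = False
        else:
            continue                      # legend, header or blank line
        if not (tokens[1].isdigit() and tokens[2].isdigit()):
            continue
        interface, group, priority, state, active, standby, vip = tokens
        rows.append({
            "interface": interface, "group": int(group),
            "priority": int(priority), "preempt": preempt, "state": state,
            "active": active, "standby": standby, "virtual_ip": vip,
        })
    return rows


def check_router(text, preferred):
    """Return requirement violations; preferred=True for R1, False for R2."""
    rows = parse_standby_brief(text)
    issues = []
    if not any(row["group"] == REQUIRED_GROUP for row in rows):
        found = ", ".join(str(row["group"]) for row in rows) or "none"
        issues.append("not in standby group %d (found: %s)" % (REQUIRED_GROUP, found))
    for row in rows:
        if row["virtual_ip"] != REQUIRED_VIP:
            issues.append("virtual IP %s, expected %s" % (row["virtual_ip"], REQUIRED_VIP))
        if preferred:
            if row["priority"] <= DEFAULT_PRIORITY:
                issues.append("priority %d must exceed %d" % (row["priority"], DEFAULT_PRIORITY))
            if not row["preempt"]:
                issues.append("preempt not configured")
        elif row["priority"] != DEFAULT_PRIORITY:
            issues.append("priority %d is not the default %d" % (row["priority"], DEFAULT_PRIORITY))
    return issues


if __name__ == "__main__":
    print("R1 before:", check_router(R1_BEFORE, preferred=True))
    print("R2 before:", check_router(R2_BEFORE, preferred=False))
    print("R1 after :", check_router(R1_AFTER, preferred=True))
    print("R2 after :", check_router(R2_AFTER, preferred=False))
```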


Lab 6-2-2-4 – Configuring Basic EIGRP with IPv4

Topology

Addressing Table

Device Interface IP Address Subnet Mask Default Gateway

R1 G0/0 172.16.1.1 255.255.255.0 N/A
R1 S0/0/0 172.16.3.1 255.255.255.252 N/A
R1 S0/0/1 192.168.10.5 255.255.255.252 N/A
R2 G0/0 172.16.2.1 255.255.255.0 N/A
R2 S0/0/0 172.16.3.2 255.255.255.252 N/A
R2 S0/0/1 192.168.10.9 255.255.255.252 N/A
R3 G0/0 192.168.1.1 255.255.255.0 N/A
R3 S0/0/0 192.168.10.6 255.255.255.252 N/A
R3 S0/0/1 192.168.10.10 255.255.255.252 N/A
PC1 NIC 172.16.1.10 255.255.255.0 172.16.1.1
PC2 NIC 172.16.2.10 255.255.255.0 172.16.2.1
PC3 NIC 192.168.1.10 255.255.255.0 192.168.1.1

Objectives
Part 1: Configure EIGRP
Part 2: Verify EIGRP Routing


Background
In this activity, you will implement basic EIGRP configurations including network commands, passive interfaces
and disabling automatic summarization. You will then verify your EIGRP configuration using a variety of show
commands and testing end-to-end connectivity.

Part 1: Configure EIGRP

Task 1: Enable the EIGRP routing process.


Enable the EIGRP routing process on each router using AS number 1. The configuration for R1 is shown.
R1(config)# router eigrp 1
R2(config)# router eigrp 1
R3(config)# router eigrp 1
What is the range of numbers that can be used for AS numbers? 1 – 65,535

Task 2: Advertise directly connected networks.


a. Use the show ip route command to display the directly connected networks on each router.
How can you tell the difference between subnet addresses and interface addresses? Subnets are
identified with a "C" and link addresses are identified with an "L".
b. On each router, configure EIGRP to advertise the specific directly connected subnets. The configuration
for R1 is shown.
R1(config-router)# network 172.16.1.0 0.0.0.255
R1(config-router)# network 172.16.3.0 0.0.0.3
R1(config-router)# network 192.168.10.4 0.0.0.3

R2(config-router)# network 172.16.2.0 0.0.0.255


R2(config-router)# network 172.16.3.0 0.0.0.3
R2(config-router)# network 192.168.10.8 0.0.0.3

R3(config-router)# network 192.168.1.0 0.0.0.255


R3(config-router)# network 192.168.10.4 0.0.0.3
R3(config-router)# network 192.168.10.8 0.0.0.3
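
The network statements in Task 2 follow mechanically from the addressing table: the subnet address plus the inverse of the subnet mask. The Python sketch below is an added example, not part of the lab manual; it derives the statements for each router and shows which interfaces a given address and wildcard pair would enable. The broader 172.16.0.0 0.0.255.255 statement used in the demonstration is an illustration added here, not a command from the lab.

```python
import ipaddress

# Router interface addresses from the lab's addressing table.
ADDRESSING = {
    "R1": {
        "G0/0": ("172.16.1.1", "255.255.255.0"),
        "S0/0/0": ("172.16.3.1", "255.255.255.252"),
        "S0/0/1": ("192.168.10.5", "255.255.255.252"),
    },
    "R2": {
        "G0/0": ("172.16.2.1", "255.255.255.0"),
        "S0/0/0": ("172.16.3.2", "255.255.255.252"),
        "S0/0/1": ("192.168.10.9", "255.255.255.252"),
    },
    "R3": {
        "G0/0": ("192.168.1.1", "255.255.255.0"),
        "S0/0/0": ("192.168.10.6", "255.255.255.252"),
        "S0/0/1": ("192.168.10.10", "255.255.255.252"),
    },
}


def network_statements(router):
    """Derive one 'network <subnet> <wildcard>' line per interface."""
    statements = []
    for ip, mask in ADDRESSING[router].values():
        subnet = ipaddress.ip_interface(ip + "/" + mask).network
        # hostmask is the bitwise inverse of the subnet mask (the wildcard).
        statements.append("network %s %s" % (subnet.network_address, subnet.hostmask))
    return statements


def matched_interfaces(router, address, wildcard):
    """Interfaces whose address matches 'network <address> <wildcard>'.

    A 0 bit in the wildcard must match; a 1 bit is ignored.
    """
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    base = int(ipaddress.ip_address(address)) & care
    return [
        name
        for name, (ip, _mask) in ADDRESSING[router].items()
        if (int(ipaddress.ip_address(ip)) & care) == base
    ]


if __name__ == "__main__":
    for router in ADDRESSING:
        for statement in network_statements(router):
            print("%s(config-router)# %s" % (router, statement))
    # A specific statement enables exactly one interface ...
    print(matched_interfaces("R1", "172.16.3.0", "0.0.0.3"))
    # ... while a broader wildcard (added illustration) would enable two.
    print(matched_interfaces("R1", "172.16.0.0", "0.0.255.255"))
```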

Task 3: Configure passive interfaces.


Configure the LAN interfaces to not advertise EIGRP updates. The configuration for R1 is shown.
R1(config-router)# passive-interface g0/0
R2(config-router)# passive-interface g0/0
R3(config-router)# passive-interface g0/0

Task 4: Disable automatic summarization.


The topology contains discontiguous networks. Therefore, disable automatic summarization on each
router. The configuration for R1 is shown.
R1(config-router)# no auto-summary
R2(config-router)# no auto-summary

R3(config-router)# no auto-summary
Note: Prior to IOS 15 auto-summary had to be manually disabled.

Task 5: Save the configurations.

Part 2: Verify EIGRP Routing

a. Examine neighbor adjacencies.


i. Which command displays the neighbors discovered by EIGRP? show ip eigrp neighbors
ii. All three routers should have two neighbors listed. The output for R1 should look similar to the following:
IP-EIGRP neighbors for process 1
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 172.16.3.2 Se0/0/0 14 00:25:05 40 1000 0 28
1 192.168.10.6 Se0/0/1 12 00:13:29 40 1000 0 31

b. Display the EIGRP routing protocol parameters.


i. What command displays the parameters and other information about the current state of any active IPv4
routing protocol processes configured on the router? show ip protocols
ii. On R2, enter the command you listed for 2a and answer the following questions:
How many routers are sharing routing information with R2? 2
Under which heading is this information located? Routing Information Sources
What is the maximum hop count? 100

c. Verify end-to-end connectivity


PC1, PC2 and PC3 should now be able to ping each other. If not, troubleshoot your EIGRP configurations.


Suggested Scoring Rubric

Activity Section               Question Location     Possible Points   Earned Points
Part 1: Configure EIGRP        Step 1                2
                               Step 2a               2
                               Part 1 Total          4
Part 2: Verify EIGRP Routing   Step 1a               5
                               Step 2a               5
                               Step 2b               6
                               Part 2 Total          16
                               Packet Tracer Score   80
                               Total Score           100


Lab 6.4.3.4 – Configuring Basic EIGRP with IPv6

Topology

Addressing Table

Device   Interface    IPv6 Address               Default Gateway
R1       G0/0         2001:DB8:CAFE:1::1/64      N/A
         S0/0/0       2001:DB8:CAFE:A001::1/64   N/A
         S0/0/1       2001:DB8:CAFE:A003::1/64   N/A
         Link-local   FE80::1                    N/A
R2       G0/0         2001:DB8:CAFE:2::1/64      N/A
         S0/0/0       2001:DB8:CAFE:A001::2/64   N/A
         S0/0/1       2001:DB8:CAFE:A002::1/64   N/A
         Link-local   FE80::2                    N/A
R3       G0/0         2001:DB8:CAFE:3::1/64      N/A
         S0/0/0       2001:DB8:CAFE:A003::2/64   N/A
         S0/0/1       2001:DB8:CAFE:A002::2/64   N/A
         Link-local   FE80::3                    N/A
PC1      NIC          2001:DB8:CAFE:1::3/64      FE80::1
PC2      NIC          2001:DB8:CAFE:2::3/64      FE80::2
PC3      NIC          2001:DB8:CAFE:3::3/64      FE80::3

Objectives
Part 1: Configure EIGRP for IPv6 Routing
Part 2: Verify EIGRP for IPv6 Routing


Scenario
In this activity, you will configure the network with EIGRP routing for IPv6. You will also assign router IDs,
configure passive interfaces, verify the network is fully converged, and display routing information using show
commands.
EIGRP for IPv6 has the same overall operation and features as EIGRP for IPv4. There are a few major
differences between them:
- EIGRP for IPv6 is configured directly on the router interfaces.
- With EIGRP for IPv6, a router-id is required on each router or the routing process will not start.
- The EIGRP for IPv6 routing process uses a “shutdown” feature.

Part 1: Configure EIGRP for IPv6 Routing

a. Enable IPv6 routing on each router.


R1(config)#ipv6 unicast-routing

R2(config)#ipv6 unicast-routing

R3(config)#ipv6 unicast-routing

b. Enable EIGRP for IPv6 routing on each router.


The IPv6 routing process is shut down by default. Issue a command that will enable EIGRP for IPv6 routing on
R1, R2 and R3.
Enable the EIGRP process on all routers and use 1 as the Autonomous System number.
R1(config)#ipv6 router eigrp 1
R1(config-rtr)#no shutdown

R2(config)#ipv6 router eigrp 1
R2(config-rtr)#no shutdown

R3(config)#ipv6 router eigrp 1
R3(config-rtr)#no shutdown

c. Assign a router ID to each router.


The router IDs are as follows:
- R1: 1.1.1.1
- R2: 2.2.2.2
- R3: 3.3.3.3
R1(config-rtr)#eigrp router-id 1.1.1.1

R2(config-rtr)#eigrp router-id 2.2.2.2

R3(config-rtr)#eigrp router-id 3.3.3.3


d. Using AS 1, configure EIGRP for IPv6 on each interface.


R1(config)#int g0/0
R1(config-if)#ipv6 eigrp 1
R1(config)#int s0/0/0
R1(config-if)#ipv6 eigrp 1
R1(config)#int s0/0/1
R1(config-if)#ipv6 eigrp 1

R2(config)#int g0/0
R2(config-if)#ipv6 eigrp 1
R2(config)#int s0/0/0
R2(config-if)#ipv6 eigrp 1
R2(config)#int s0/0/1
R2(config-if)#ipv6 eigrp 1

R3(config)#int g0/0
R3(config-if)#ipv6 eigrp 1
R3(config)#int s0/0/0
R3(config-if)#ipv6 eigrp 1
R3(config)#int s0/0/1
R3(config-if)#ipv6 eigrp 1

Part 2: Verify EIGRP for IPv6 Routing

a. Examine neighbor adjacencies.


Use the command show ipv6 eigrp neighbors to verify that the adjacency has been established with its
neighboring routers. The link-local addresses of the neighboring routers are displayed in the adjacency table.

b. Examine the IPv6 EIGRP routing table.


Use the show ipv6 route command to display the IPv6 routing table on all routers. EIGRP for IPv6 routes are
denoted in the routing table with a D.

c. Verify the parameters and current state of the active IPv6 routing protocol processes.

Use the command show ipv6 protocols to verify the configured parameters.

d. Verify end-to-end connectivity.


PC1, PC2, and PC3 should now be able to ping each other. If not, troubleshoot your EIGRP configurations.


Lab 7.1.2.4 – Propagating a Default Route in EIGRP for IPv4 and IPv6

Topology


Addressing Table

Device      Interface   IPv4 Address                Subnet Mask
                        IPv6 Address/Prefix
IPv4-Edge   S0/0/0      172.31.6.1                  255.255.255.0
            S0/0/1      172.31.7.1                  255.255.255.0
            S0/1/0      209.165.200.226             255.255.255.224
Branch-1    G0/0        172.31.8.1                  255.255.255.0
            S0/0/0      172.31.6.2                  255.255.255.0
Branch-2    G0/0        172.31.9.1                  255.255.255.0
            S0/0/1      172.31.7.2                  255.255.255.0
IPv6-Edge   S0/0/0      2001:DB8:ACAD:7::1/64
            S0/0/1      2001:DB8:ACAD:6::1/64
            S0/1/0      2001:DB8:CAFE:ABCD::2/164
Branch-3    G0/0        2001:DB8:ACAD:8::1/64
            S0/0/0      2001:DB8:ACAD:7::2/64
Branch-4    G0/0        2001:DB8:ACAD:9::1/64
            S0/0/1      2001:DB8:ACAD:6::2/64

Objectives
Part 1: Propagate an IPv4 Default Route
Part 2: Propagate an IPv6 Default Route
Part 3: Verify Connectivity to Outside Hosts

Scenario
In this activity, you will configure and propagate a default route in EIGRP for IPv4 and IPv6 networks. EIGRP
is already configured. However, you are required to configure an IPv4 and an IPv6 default route. Then, you
will configure the EIGRP routing process to propagate the default route to downstream EIGRP neighbors.
Finally, you will verify the default routes by pinging hosts outside the EIGRP routing domain.

Part 1: Propagate a Default Route in EIGRP for IPv4

a. Verify EIGRP configuration on each IPv4 enabled router.


Display the routing table of each IPv4 enabled router and verify that all IPv4 routes are visible.

b. Configure an IPv4 default route.


Configure a directly connected IPv4 default route on IPv4-Edge.
IPv4-Edge(config)# ip route 0.0.0.0 0.0.0.0 Serial0/1/0


c. Propagate the default route in EIGRP.


Configure the EIGRP routing process to propagate the default route.
IPv4-Edge(config)# router eigrp 1
IPv4-Edge(config-router)# redistribute static

d. Verify IPv4 default route is propagating.


Display the routing tables for Branch-1 and Branch-2 to verify the default route is now installed.
Branch-1#show ip route
<output omitted>
D*EX 0.0.0.0/0 [170/7289856] via 172.31.6.1, 00:01:24, Serial0/0/0

Branch-2# show ip route
<output omitted>
D*EX 0.0.0.0/0 [170/7289856] via 172.31.7.1, 00:01:45, Serial0/0/1

Part 2: Propagate a Default Route in EIGRP for IPv6

a. Verify EIGRP configuration on each IPv6 enabled router.


Display the routing table of each IPv6 enabled router and verify that all IPv6 routes are visible.

b. Configure an IPv6 default route.


Configure a directly connected IPv6 default route on IPv6-Edge.
IPv6-Edge(config)# ipv6 route ::/0 Serial0/1/0

c. Propagate the default route in EIGRP.


Configure the EIGRP routing process to propagate the default route.
IPv6-Edge(config)# ipv6 router eigrp 1
IPv6-Edge(config-rtr)# redistribute static

d. Verify IPv6 default route is propagating.


Display the routing tables for Branch-3 and Branch-4 to verify the default route is now installed.
Branch-3>en
Branch-3# show ipv6 route
<output omitted>
EX ::/0 [170/7289856]
     via FE80::1, Serial0/0/0

Branch-4# show ipv6 route
<output omitted>
EX ::/0 [170/7289856]
     via FE80::1, Serial0/0/1

Part 3: Verify Connectivity to Outside Hosts

- PC1 and PC2 should now be able to ping IPv4 Outside Host.
- PC3 and PC4 should now be able to ping IPv6 Outside Host.


Lab 7.2.3.5 – Troubleshooting EIGRP for IPv4

Topology

Addressing Table

Device   Interface   IP Address        Subnet Mask       Default Gateway
R1       G0/0        172.31.10.1       255.255.255.0     N/A
         S0/0/0      172.31.40.225     255.255.255.252   N/A
         S0/0/1      172.31.40.233     255.255.255.252   N/A
R2       G0/0        172.31.20.1       255.255.255.0     N/A
         S0/0/0      172.31.40.226     255.255.255.252   N/A
         S0/0/1      172.31.40.229     255.255.255.252   N/A
         S0/1/0      209.165.201.1     255.255.255.224   N/A
R3       G0/0        172.31.30.1       255.255.255.0     N/A
         S0/0/0      172.31.40.234     255.255.255.252   N/A
         S0/0/1      172.31.40.230     255.255.255.252   N/A
PC1      NIC         172.31.10.10      255.255.255.0     172.31.10.1
PC2      NIC         172.31.20.10      255.255.255.0     172.31.20.1
PC3      NIC         172.31.30.10      255.255.255.0     172.31.30.1

Scenario
In this activity, you will troubleshoot EIGRP neighbor issues. Use show commands to identify errors in the
network configuration. Then, you will document the errors you discover and implement an appropriate
solution. Finally, you will verify full end-to-end connectivity is restored.


Troubleshooting Process
1. Use testing commands to discover connectivity problems in the network and document the problem in
the Documentation Table.
2. Use verification commands to discover the source of the problem and devise an appropriate solution
to implement. Document the proposed solution in the Documentation Table.
3. Implement each solution one at a time and verify if the problem is resolved. Indicate the resolution
status in the Documentation Table.
4. If the problem is not resolved, it may be necessary to first remove the implemented solution before
returning to Step 2.
5. Once all identified problems are resolved, test for full end-to-end connectivity.

Documentation Table

Device   Identified Problem                      Proposed Solution                             Resolved?
R1       Has not established any adjacencies     Remove EIGRP 11 and configure EIGRP 1,
                                                 advertise the directly connected networks
                                                 and passive-interface g0/0 and disable
                                                 automatic summarization.
R2       Is not forming an adjacency with R3.    Advertise the 172.31.40.228/30 network
R3       Is performing automatic summarization   Disable automatic summarization using the
                                                 no auto-summary EIGRP subcommand


Lab 8.2.2.7 – Configuring OSPFv2 in a Single Area

Topology

Addressing Table

Device   Interface   IP Address       Subnet Mask       Default Gateway
R1       G0/0        172.16.1.1       255.255.255.0     N/A
         S0/0/0      172.16.3.1       255.255.255.252   N/A
         S0/0/1      192.168.10.5     255.255.255.252   N/A
R2       G0/0        172.16.2.1       255.255.255.0     N/A
         S0/0/0      172.16.3.2       255.255.255.252   N/A
         S0/0/1      192.168.10.9     255.255.255.252   N/A
R3       G0/0        192.168.1.1      255.255.255.0     N/A
         S0/0/0      192.168.10.6     255.255.255.252   N/A
         S0/0/1      192.168.10.10    255.255.255.252   N/A
PC1      NIC         172.16.1.2       255.255.255.0     172.16.1.1
PC2      NIC         172.16.2.2       255.255.255.0     172.16.2.1
PC3      NIC         192.168.1.2      255.255.255.0     192.168.1.1

Objectives
Part 1: Configure OSPFv2 Routing
Part 2: Verify the Configurations

Background
In this activity, the IP addressing is already configured. You are responsible for configuring the three-router
topology with basic single-area OSPFv2 and then verifying connectivity between end devices.


Part 1: Configure OSPFv2 Routing

a. Configure OSPF on R1, R2 and R3.


Use the following requirements to configure OSPF routing on all three routers:
- Process ID 10
- Router ID for each router: R1 = 1.1.1.1; R2 = 2.2.2.2; R3 = 3.3.3.3
- Network address for each interface
- LAN interface set to passive (do not use the default keyword)

b. Verify OSPF routing is operational.


On each router, the routing table should now have a route to every network in the topology.

Part 2: Verify the Configurations


Each PC should be able to ping the other two PCs. If not, check your configurations.

!--------------------------
!R1
!--------------------------
ena
conf t
!
router ospf 10
router-id 1.1.1.1
network 172.16.1.0 0.0.0.255 area 0
network 172.16.3.0 0.0.0.3 area 0
network 192.168.10.4 0.0.0.3 area 0
passive-interface GigabitEthernet0/0
!
end

!--------------------------
!R2
!--------------------------
ena
conf t
!
router ospf 10
router-id 2.2.2.2
network 172.16.2.0 0.0.0.255 area 0
network 172.16.3.0 0.0.0.3 area 0
network 192.168.10.8 0.0.0.3 area 0
passive-interface GigabitEthernet0/0
!
end

!--------------------------
!R3
!--------------------------
ena
conf t
!
router ospf 10
router-id 3.3.3.3
network 192.168.1.0 0.0.0.255 area 0
network 192.168.10.4 0.0.0.3 area 0
network 192.168.10.8 0.0.0.3 area 0
passive-interface GigabitEthernet0/0
!
end


Lab 8.3.3.5 – Configuring Basic OSPFv3 in a Single Area

Topology

Addressing Table

Device   Interface   IPv6 Address/Prefix        Default Gateway
R1       G0/0        2001:db8:cafe:1::1/64      N/A
         S0/0/0      2001:db8:cafe:a001::1/64   N/A
         S0/0/1      2001:db8:cafe:a003::1/64   N/A
R2       G0/0        2001:db8:cafe:2::1/64      N/A
         S0/0/0      2001:db8:cafe:a001::2/64   N/A
         S0/0/1      2001:db8:cafe:a002::1/64   N/A
R3       G0/0        2001:db8:cafe:3::1/64      N/A
         S0/0/0      2001:db8:cafe:a003::2/64   N/A
         S0/0/1      2001:db8:cafe:a002::2/64   N/A
PC1      NIC         2001:db8:cafe:1::10/64     fe80::1
PC2      NIC         2001:db8:cafe:2::10/64     fe80::2
PC3      NIC         2001:db8:cafe:3::10/64     fe80::3

Objectives
Part 1: Configure OSPFv3 Routing
Part 2: Verify Connectivity

Background
In this activity, the IPv6 addressing is already configured. You are responsible for configuring the three router
topology with basic single area OSPFv3 and then verifying connectivity between end devices.


Part 1: Configure OSPFv3 Routing

a. Configure OSPFv3 on R1, R2 and R3.


Use the following requirements to configure OSPF routing on all three routers:
- Enable IPv6 routing
- Process ID 10
- Router ID for each router: R1 = 1.1.1.1; R2 = 2.2.2.2; R3 = 3.3.3.3
- Enable OSPFv3 on each interface
- Adjust the default reference bandwidth to support gigabit links using the auto-cost
reference-bandwidth command.
- Prevent the LAN interfaces from sending out OSPF routing messages.

b. Verify OSPF routing is operational.


Verify each router has established adjacency with the other two routers. Verify the routing table has a route to
every network in the topology.

Part 2: Verify Connectivity


Each PC should be able to ping the other two PCs. If not, check your configurations.
Note: This activity is graded using only connectivity tests. The instructions window will not show your score.
To see your score, click Check Results > Assessment Items. To see the results of a specific connectivity
test, click Check Results > Connectivity Tests.

SCRIPT
!--------------------------
!R1
!--------------------------
ena
conf t
!
ipv6 unicast-routing
!
ipv6 router ospf 10
router-id 1.1.1.1
auto-cost reference-bandwidth 1000
passive-interface GigabitEthernet 0/0
end
clear ipv6 ospf process
y


conf t
!
interface GigabitEthernet 0/0
ipv6 ospf 10 area 0
!
interface Serial0/0/0
ipv6 ospf 10 area 0
!
interface Serial0/0/1
ipv6 ospf 10 area 0
!
end

!--------------------------
!R2
!--------------------------
ena
conf t
!
ipv6 unicast-routing
!
ipv6 router ospf 10
router-id 2.2.2.2
auto-cost reference-bandwidth 1000
passive-interface GigabitEthernet 0/0
end
clear ipv6 ospf process
y

conf t
!
interface GigabitEthernet 0/0
ipv6 ospf 10 area 0
!
interface Serial0/0/0
ipv6 ospf 10 area 0
!

interface Serial0/0/1
ipv6 ospf 10 area 0
!
end

!--------------------------
!R3
!--------------------------
ena
conf t
!
ipv6 unicast-routing
!
ipv6 router ospf 10
router-id 3.3.3.3
auto-cost reference-bandwidth 1000
passive-interface GigabitEthernet 0/0
end
clear ipv6 ospf process
y
conf t
!
interface GigabitEthernet 0/0
ipv6 ospf 10 area 0
!
interface Serial0/0/0
ipv6 ospf 10 area 0
!
interface Serial0/0/1
ipv6 ospf 10 area 0
!
end


Lab 9.2.2.6 – Configuring Multiarea OSPFv2

Topology

Addressing Table

Device   Interface   IP Address      Subnet Mask       OSPFv2 Area
R1       G0/0        10.1.1.1        255.255.255.0     1
         G0/1        10.1.2.1        255.255.255.0     1
         S0/0/0      192.168.10.2    255.255.255.252   0
R2       G0/0        10.2.1.1        255.255.255.0     0
         S0/0/0      192.168.10.1    255.255.255.252   0
         S0/0/1      192.168.10.5    255.255.255.252   0
R3       G0/0        192.168.2.1     255.255.255.0     2
         G0/1        192.168.1.1     255.255.255.0     2
         S0/0/1      192.168.10.6    255.255.255.252   0

Objectives
Part 1: Configure Multiarea OSPFv2
Part 2: Verify and Examine Multiarea OSPFv2


Background
In this activity, you will configure multiarea OSPFv2. The network is already connected and interfaces are
configured with IPv4 addressing. Your job is to enable multiarea OSPFv2, verify connectivity, and examine
the operation of multiarea OSPFv2.

Part 1: Configure OSPFv2

a. Configure OSPFv2 on R1.


Configure OSPFv2 on R1 with a process ID of 1 and a router ID of 1.1.1.1.
R1(config)# router ospf 1
R1(config-router)# router-id 1.1.1.1

b. Advertise each directly connected network in OSPFv2 on R1.


Configure each network in OSPFv2 assigning areas according to the Addressing Table.
R1(config-router)# network 10.1.1.0 0.0.0.255 area 1
R1(config-router)# network 10.1.2.0 0.0.0.255 area 1
R1(config-router)# network 192.168.10.0 0.0.0.3 area 0

c. Configure OSPFv2 on R2 and R3.


Repeat the steps above for R2 and R3 using a router ID of 2.2.2.2 and 3.3.3.3, respectively.
R2(config)# router ospf 1
R2(config-router)# router-id 2.2.2.2
R2(config-router)# network 10.2.1.0 0.0.0.255 area 0
R2(config-router)# network 192.168.10.0 0.0.0.3 area 0
R2(config-router)# network 192.168.10.4 0.0.0.3 area 0
!
R3(config)# router ospf 1
R3(config-router)# router-id 3.3.3.3
R3(config-router)# network 192.168.2.0 0.0.0.255 area 2
R3(config-router)# network 192.168.1.0 0.0.0.255 area 2
R3(config-router)# network 192.168.10.4 0.0.0.3 area 0

Part 2: Verify and Examine Multiarea OSPFv2

a. Verify connectivity to each of the OSPFv2 areas.


From R1, ping each of the following remote devices in area 0 and area 2: 192.168.1.2, 192.168.2.2, and
10.2.1.2.

b. Use show commands to examine the current OSPFv2 operations.


Use the following commands to gather information about your OSPFv2 multiarea implementation.
show ip protocols
show ip route
show ip ospf database
show ip ospf interface
show ip ospf neighbor

Reflection Questions
1. Which router(s) are internal routers? R2
2. Which router(s) are backbone routers? R1, R2, and R3 are all backbone routers.
3. Which router(s) are area border routers? R1 and R3
4. Which router(s) are autonomous system routers? None, all active interfaces on all three routers connect to an
OSPF area.
5. Which routers are generating Type 1 LSAs? All OSPF routers generate Type 1 LSAs.
6. Which routers are generating Type 2 LSAs? Hidden routers in each of the areas that are DRs are. Router IDs
4.4.4.4, 5.5.5.5, 6.6.6.6, 9.9.9.9
7. Which routers are generating Type 3 LSAs? R1 and R3 because each is an ABR and needs to flood area
information from one area to the other.
8. Which routers are generating Type 4 and 5 LSAs? None, because there is not an ASBR in the network.
9. How many inter area routes does each router have? R1 and R3 have two IAs and R2 has 4 IAs.
10. Why would there usually be an ASBR in this type of network? ASBR is used to connect external routing
domains.

Suggested Scoring Rubric


Packet Tracer scores 80 points. Each of the Reflection Questions is worth 2 points.


Lab 9.2.2.7 – Configuring Multiarea OSPFv3

Topology

Addressing Table

Device   Interface    IPv6 Address             OSPF Area
RA       G0/0         2001:DB8:1:A1::1/64      1
         G0/1         2001:DB8:1:A2::1/64      1
         S0/0/0       2001:DB8:1:AB::2/64      0
         Link-Local   FE80::A                  N/A
RB       G0/0         2001:DB8:1:B1::1/64      0
         S0/0/0       2001:DB8:1:AB::1/64      0
         S0/0/1       2001:DB8:1:BC::1/64      0
         Link-Local   FE80::B                  N/A
RC       G0/0         2001:DB8:1:C1::1/64      2
         G0/1         2001:DB8:1:C2::1/64      2
         S0/0/1       2001:DB8:1:BC::2/64      0
         Link-Local   FE80::C                  N/A


Objectives
Part 1: Configure OSPFv3
Part 2: Verify Multiarea OSPFv3 Operations

Background
In this activity, you will configure multiarea OSPFv3. The network is already connected and interfaces are
configured with IPv6 addressing. Your job is to enable multiarea OSPFv3, verify connectivity and examine the
operation of multiarea OSPFv3.

Part 1: Configure OSPFv3

a. Enable IPv6 routing and configure OSPFv3 on RA.


i. Enable IPv6 routing.
RA(config)# ipv6 unicast-routing
ii. Configure OSPFv3 on RA with a process ID of 1 and a router ID of 1.1.1.1.
RA(config)# ipv6 router ospf 1
RA(config-rtr)# router-id 1.1.1.1

b. Advertise each directly connected network in OSPFv3 on RA.


Configure each active IPv6 interface with OSPFv3, assigning each to the area listed in the Addressing Table.
RA(config)# interface GigabitEthernet 0/0
RA(config-if)# ipv6 ospf 1 area 1
RA(config-if)# interface GigabitEthernet 0/1
RA(config-if)# ipv6 ospf 1 area 1
RA(config-if)# interface Serial 0/0/0
RA(config-if)# ipv6 ospf 1 area 0

c. Configure OSPFv3 on RB and RC


Repeat Steps 1 and 2 for RB and RC, changing the router ID to 2.2.2.2 and 3.3.3.3 respectively.
RB(config)# ipv6 unicast-routing
RB(config)# ipv6 router ospf 1
RB(config-rtr)# router-id 2.2.2.2
RB(config-rtr)# interface GigabitEthernet0/0
RB(config-if)# ipv6 ospf 1 area 0
RB(config-if)# interface Serial0/0/0
RB(config-if)# ipv6 ospf 1 area 0
RB(config-if)# interface Serial0/0/1
RB(config-if)# ipv6 ospf 1 area 0
!
RC(config)# ipv6 unicast-routing
RC(config)# ipv6 router ospf 1
RC(config-rtr)# router-id 3.3.3.3
RC(config-rtr)# interface GigabitEthernet 0/0
RC(config-if)# ipv6 ospf 1 area 2
RC(config-if)# interface GigabitEthernet 0/1
RC(config-if)# ipv6 ospf 1 area 2
RC(config-if)# interface Serial 0/0/1
RC(config-if)# ipv6 ospf 1 area 0

Part 2: Verify Multiarea OSPFv3 Operations

a. Verify connectivity to each of the OSPFv3 areas.


From RA, ping each of the following remote devices in area 0 and area 2: 2001:DB8:1:B1::2,
2001:DB8:1:A1::2, 2001:DB8:1:A2::2, 2001:DB8:1:C1::2, and 2001:DB8:1:C2::2.

b. Use show commands to examine the current OSPFv3 operations.


Use the following commands to gather information about your OSPFv3 multiarea implementation.
show ipv6 ospf
show ipv6 route
show ipv6 ospf database
show ipv6 ospf interface
show ipv6 ospf neighbor
Note: Packet Tracer output for show ipv6 protocols is currently not aligned with IOS 15 output. Refer to the
real equipment labs for correct show command output.


Lab 10.1.1.12 - Determining the DR and BDR



Topology

Addressing Table

Device   Interface   IP Address       Subnet Mask
RA       G0/0        192.168.1.1      255.255.255.0
         Lo0         192.168.31.11    255.255.255.255
RB       G0/0        192.168.1.2      255.255.255.0
         Lo0         192.168.31.22    255.255.255.255
RC       G0/0        192.168.1.3      255.255.255.0
         Lo0         192.168.31.33    255.255.255.255

Objectives
Part 1: Examine DR and BDR Changing Roles
Part 2: Modify OSPF Priority and Force Elections

Scenario
In this activity, you will examine DR and BDR roles and watch the roles change when there is a change in the
network. You will then modify the priority to control the roles and force a new election. Finally, you will verify
routers are filling the desired roles.

Part 1: Examine DR and BDR Changing Roles

a. Wait until the amber link lights turn green.


When you first open the file in Packet Tracer, you may notice that the link lights for the switch are amber.
These link lights will stay amber for 50 seconds while the switch makes sure that one of the routers is not
another switch. Alternatively, you can click Fast Forward Time to bypass this process.


b. Verify the current OSPF neighbor states.


1. Use the appropriate command on each router to examine the current DR and BDR.
2. Which router is the DR? RC
3. Which router is the BDR? RB

c. Turn on IP OSPF adjacency debugging.


1. You can monitor the DR and BDR election process with a debug command. On RA and RB, enter the
following command.
RA# debug ip ospf adj
RB# debug ip ospf adj

d. Disable the Gigabit Ethernet 0/0 interface on RC.


1. Disable the link between RC and the switch to cause roles to change.
2. Wait about 30 seconds for the dead timers to expire on RA and RB. According to the debug output, which
router was elected DR and which router was elected BDR? RB is now DR and RA is now BDR.

e. Restore the Gigabit Ethernet 0/0 interface on RC.


1. Re-enable the link between RC and the switch.
2. Wait for the new DR/BDR elections to occur. Did DR and BDR roles change? Why or why not? No, roles did
not change because the current DR and BDR are still active. A router that comes online with a higher router
ID will not assume the DR role until the DR fails.

f. Disable the Gigabit Ethernet 0/0 interface on RB.


1. Disable the link between RB and the switch to cause roles to change.
2. Wait about 30 seconds for the holddown timers to expire on RA and RC. According to the debug
output on RA, which router was elected DR and which router was elected BDR? RA is now DR and
RC is now BDR.

g. Restore the Gigabit Ethernet 0/0 interface on RB.


1. Re-enable the link between RB and the switch.
2. Wait for the new DR/BDR elections to occur. Did DR and BDR roles change? Why or why not? No, roles
did not change because the current DR and BDR are still active. A router that comes online with a higher
router ID will not assume the DR role until the DR fails.

h. Turn off Debugging.


Enter the command undebug all on RA and RB to disable debugging.

Part 2: Modify OSPF Priority and Force Elections

a. Configure OSPF priorities on each router.


To change the DR and BDR, configure the Gigabit Ethernet 0/0 port of each router with the following OSPF
interface priorities:
- RA: 200
- RB: 100
- RC: 1 (This is the default priority)

b. Force an election by reloading the switch.


Note: The command clear ip ospf process can also be used on the routers to reset the OSPF process.

c. Verify DR and BDR elections were successful.


1. Wait long enough for OSPF to converge and for the DR/BDR election to occur. This should take a few
minutes. You can click Fast Forward Time to speed up the process.
2. According to output from an appropriate command, which router is now DR and which router is now
BDR? RA is now DR and RB is now BDR.
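
The role changes recorded in Parts 1 and 2, reproduced by a simplified, non-preemptive model of DR/BDR election. This is an added example, not part of the lab manual; it assumes each router ID is the Lo0 address from the Addressing Table (no router-id command configured) and that all routers start at priority 1. The class and function names are illustrative.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass
class Router:
    name: str
    router_id: IPv4Address   # assumption: taken from Lo0, no explicit router-id
    priority: int = 1        # default OSPF interface priority
    link_up: bool = True     # state of G0/0 toward the switch


class BroadcastSegment:
    """Simplified model of DR/BDR roles on one multiaccess segment."""

    def __init__(self, routers):
        self.routers = {r.name: r for r in routers}
        self.dr = None
        self.bdr = None

    def _best(self, exclude=()):
        # Highest priority wins, highest router ID breaks ties, priority 0 is ineligible.
        eligible = [r for r in self.routers.values()
                    if r.link_up and r.priority > 0 and r.name not in exclude]
        if not eligible:
            return None
        return max(eligible, key=lambda r: (r.priority, r.router_id)).name

    def converge(self):
        """Re-evaluate roles. A living DR or BDR keeps its role (no preemption)."""
        if self.dr and not self.routers[self.dr].link_up:
            self.dr = None
        if self.bdr and not self.routers[self.bdr].link_up:
            self.bdr = None
        if self.dr is None:
            # A surviving BDR is promoted; otherwise a fresh election is held.
            self.dr, self.bdr = (self.bdr, None) if self.bdr else (self._best(), None)
        if self.bdr is None:
            self.bdr = self._best(exclude=(self.dr,))
        return self.dr, self.bdr

    def set_link(self, name, up):
        self.routers[name].link_up = up
        return self.converge()

    def reset(self):
        """Switch reload or 'clear ip ospf process': all roles are forgotten."""
        self.dr = self.bdr = None
        return self.converge()


def run_lab():
    """Replay the lab steps and return [(event, (DR, BDR)), ...]."""
    seg = BroadcastSegment([
        Router("RA", IPv4Address("192.168.31.11")),
        Router("RB", IPv4Address("192.168.31.22")),
        Router("RC", IPv4Address("192.168.31.33")),
    ])
    log = [("initial", seg.converge())]
    log.append(("RC G0/0 down", seg.set_link("RC", False)))
    log.append(("RC G0/0 up", seg.set_link("RC", True)))
    log.append(("RB G0/0 down", seg.set_link("RB", False)))
    log.append(("RB G0/0 up", seg.set_link("RB", True)))
    for name, prio in (("RA", 200), ("RB", 100), ("RC", 1)):
        seg.routers[name].priority = prio
    log.append(("priorities set, no reset", seg.converge()))
    log.append(("switch reloaded", seg.reset()))
    return log


if __name__ == "__main__":
    for event, (dr, bdr) in run_lab():
        print(f"{event:26} DR={dr} BDR={bdr}")
```

Changing the priorities alone leaves RC as BDR in this model; the new values only take effect once the roles are cleared, which is why the lab forces an election.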

Suggested Scoring Rubric

Activity Section                                   Question Location     Possible Points   Earned Points
Part 1: Examine DR and BDR Changing Roles          Step 2b               10
                                                   Step 2c               10
                                                   Step 4b               10
                                                   Step 5b               10
                                                   Step 6b               10
                                                   Step 7b               10
                                                   Part 1 Total          60
Part 2: Modify OSPF Priority and Force Elections   Step 3b               10
                                                   Part 2 Total          10
                                                   Packet Tracer Score   30
                                                   Total Score           100


Lab 10.1.2.5 - Propagating a Default Route in OSPFv2

Topology

Addressing Table

Device   Interface   IPv4 Address      Subnet Mask       Default Gateway
R1       G0/0        172.16.1.1        255.255.255.0     N/A
         S0/0/0      172.16.3.1        255.255.255.252   N/A
         S0/0/1      192.168.10.5      255.255.255.252   N/A
R2       G0/0        172.16.2.1        255.255.255.0     N/A
         S0/0/0      172.16.3.2        255.255.255.252   N/A
         S0/0/1      192.168.10.9      255.255.255.252   N/A
         S0/1/0      209.165.200.225   255.255.255.224   N/A
R3       G0/0        192.168.1.1       255.255.255.0     N/A
         S0/0/0      192.168.10.6      255.255.255.252   N/A
         S0/0/1      192.168.10.10     255.255.255.252   N/A
PC1      NIC         172.16.1.2        255.255.255.0     172.16.1.1
PC2      NIC         172.16.2.2        255.255.255.0     172.16.2.1
PC3      NIC         192.168.1.2       255.255.255.0     192.168.1.1

Objectives
Part 1: Propagate a Default Route
Part 2: Verify Connectivity


Background
In this activity, you will configure an IPv4 default route to the Internet and propagate that default route to other
OSPF routers. You will then verify the default route is in downstream routing tables and that hosts can now
access a web server on the Internet.

Part 1: Propagate a Default Route

a. Configure a default route on R2.


Configure R2 with a directly attached default route to the Internet.
R2(config)# ip route 0.0.0.0 0.0.0.0 Serial0/1/0

b. Propagate the route in OSPF.


Configure OSPF to propagate the default route in OSPF routing updates.
R2(config-router)# default-information originate

c. Examine the routing tables on R1 and R3.


Examine the routing tables of R1 and R3 to verify that the route has been propagated.
R1>show ip route
<output omitted>
O*E2 0.0.0.0/0 [110/1] via 172.16.3.2, 00:00:08, Serial0/0/0
!-------------------
R3>show ip route
<output omitted>
O*E2 0.0.0.0/0 [110/1] via 192.168.10.9, 00:08:15, Serial0/0/1

Part 2: Verify Connectivity


Verify that PC1, PC2, and PC3 can ping the web server.


Lab 10.1.3.4 - Configuring OSPF Advanced Features

Topology

Addressing Table

Device   Interface   IPv4 Address      Subnet Mask       Default Gateway
R1       G0/0        172.16.1.1        255.255.255.0     N/A
         S0/0/0      172.16.3.1        255.255.255.252   N/A
         S0/0/1      192.168.10.5      255.255.255.252   N/A
R2       G0/0        172.16.2.1        255.255.255.0     N/A
         S0/0/0      172.16.3.2        255.255.255.252   N/A
         S0/0/1      192.168.10.9      255.255.255.252   N/A
         S0/1/0      209.165.200.225   255.255.255.224   N/A
R3       G0/0        192.168.1.1       255.255.255.0     N/A
         S0/0/0      192.168.10.6      255.255.255.252   N/A
         S0/0/1      192.168.10.10     255.255.255.252   N/A
PC1      NIC         172.16.1.2        255.255.255.0     172.16.1.1
PC2      NIC         172.16.2.2        255.255.255.0     172.16.2.1
PC3      NIC         192.168.1.2       255.255.255.0     192.168.1.1

Objectives
Part 1: Modify OSPF Default Settings
Part 2: Verify Connectivity


Scenario
In this activity, OSPF is already configured and all end devices currently have full connectivity. You will modify
the default OSPF routing configurations by changing the hello and dead timers and adjusting the bandwidth of
a link. Then you will verify that full connectivity is restored for all end devices.

Part 1: Modify OSPF Default Settings

a. Test connectivity between all end devices.


Before modifying the OSPF settings, verify that all PCs can ping the web server and each other.

b. Adjust the hello and dead timers between R1 and R2.


1. Enter the following commands on R1.
R1(config)# interface s0/0/0
R1(config-if)#ip ospf hello-interval 15
R1(config-if)#ip ospf dead-interval 60
2. After a short period of time, the OSPF connection with R2 will fail. Both sides of the connection need to have
the same timers in order for the adjacency to be maintained. Adjust the timers on R2.

c. Adjust the bandwidth setting on R1.


1. Trace the path between PC1 and the web server located at 64.100.1.2. Notice that the path from PC1 to
64.100.1.2 is routed through R2. OSPF prefers the lower cost path.
2. On the R1 Serial 0/0/0 interface, set the bandwidth to 64 Kb/s. This does not change the actual port
speed, only the metric that the OSPF process on R1 will use to calculate best routes.
R1(config-if)#bandwidth 64
3. Trace the path between PC1 and the web server located at 64.100.1.2. Notice that the path from PC1 to
64.100.1.2 is redirected through R3. OSPF prefers the lower cost path.
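
Why steps b and c move traffic, worked through as an added example (not part of the lab manual): it computes OSPF interface costs and the lowest-cost path from R1 to R2, the router with the Internet link, after each change. It assumes the default reference bandwidth of 100 Mb/s, a default serial bandwidth of 1544 Kb/s and default hello/dead timers of 10/40 seconds; the names are illustrative.

```python
import heapq
from dataclasses import dataclass

REFERENCE_BW_BPS = 100_000_000   # assumption: default OSPF reference bandwidth


@dataclass
class Iface:
    router: str
    name: str
    peer: str                    # router at the far end of the serial link
    bandwidth_kbps: int = 1544   # assumption: default bandwidth of a serial interface
    hello: int = 10              # assumption: default timers on a point-to-point link
    dead: int = 40


def ospf_cost(bandwidth_kbps, reference_bps=REFERENCE_BW_BPS):
    """Interface cost = reference bandwidth / interface bandwidth, truncated, minimum 1."""
    return max(1, reference_bps // (bandwidth_kbps * 1000))


def lab_topology():
    """Router-to-router serial links, paired by subnet from the Addressing Table."""
    links = [("R1", "S0/0/0", "R2"), ("R2", "S0/0/0", "R1"),   # 172.16.3.0/30
             ("R1", "S0/0/1", "R3"), ("R3", "S0/0/0", "R1"),   # 192.168.10.4/30
             ("R2", "S0/0/1", "R3"), ("R3", "S0/0/1", "R2")]   # 192.168.10.8/30
    return {(r, i): Iface(r, i, p) for r, i, p in links}


def best_path(ifaces, src, dst):
    """Dijkstra over links whose two ends agree on hello and dead timers."""
    graph = {}
    for a in ifaces.values():
        b = next(i for i in ifaces.values() if i.router == a.peer and i.peer == a.router)
        if (a.hello, a.dead) == (b.hello, b.dead):   # mismatch: no adjacency, link unused
            graph.setdefault(a.router, []).append((a.peer, ospf_cost(a.bandwidth_kbps)))
    heap, done = [(0, [src])], set()
    while heap:
        cost, path = heapq.heappop(heap)
        node = path[-1]
        if node == dst:
            return cost, path
        if node in done:
            continue
        done.add(node)
        for nxt, link_cost in graph.get(node, []):
            if nxt not in done:
                heapq.heappush(heap, (cost + link_cost, path + [nxt]))
    return None


def walk_through():
    """Cost and path from R1 to R2 after each lab step."""
    net = lab_topology()
    steps = [("baseline", best_path(net, "R1", "R2"))]
    net["R1", "S0/0/0"].hello, net["R1", "S0/0/0"].dead = 15, 60
    steps.append(("R1 timers 15/60 only", best_path(net, "R1", "R2")))
    net["R2", "S0/0/0"].hello, net["R2", "S0/0/0"].dead = 15, 60
    steps.append(("R2 timers matched", best_path(net, "R1", "R2")))
    net["R1", "S0/0/0"].bandwidth_kbps = 64
    steps.append(("R1 S0/0/0 bandwidth 64", best_path(net, "R1", "R2")))
    return steps


if __name__ == "__main__":
    for label, (cost, path) in walk_through():
        print(f"{label:24} cost={cost:<5} path={' -> '.join(path)}")
```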

Part 2: Verify Connectivity


Verify all PCs can ping the web server and each other.


Lab 10.2.2.3 – Troubleshooting Single-Area OSPFv2

Topology

Addressing Table

Device   Interface   IP Address        Subnet Mask       Default Gateway
R1       G0/0        172.16.1.1        255.255.255.0     N/A
         S0/0/0      172.16.3.1        255.255.255.252   N/A
         S0/0/1      192.168.10.5      255.255.255.252   N/A
R2       G0/0        172.16.2.1        255.255.255.0     N/A
         S0/0/0      172.16.3.2        255.255.255.252   N/A
         S0/0/1      192.168.10.9      255.255.255.252   N/A
         S0/1/0      209.165.200.225   255.255.255.224   N/A
R3       G0/0        192.168.1.1       255.255.255.0     N/A
         S0/0/0      192.168.10.6      255.255.255.252   N/A
         S0/0/1      192.168.10.10     255.255.255.252   N/A
PC1      NIC         172.16.1.2        255.255.255.0     172.16.1.1
PC2      NIC         172.16.2.2        255.255.255.0     172.16.2.1
PC3      NIC         192.168.1.2       255.255.255.0     192.168.1.1

Scenario
In this activity, you will troubleshoot OSPF routing issues using ping and show commands to identify errors in
the network configuration. Then, you will document the errors you discover and implement an appropriate
solution. Finally, you will verify end-to-end connectivity is restored.


Troubleshooting Process
1. Use testing commands to discover connectivity problems in the network and document the problem in
the Documentation Table.
2. Use verification commands to discover the source of the problem and devise an appropriate solution
to implement. Document the proposed solution in the Documentation Table.
3. Implement each solution one at a time and verify if the problem is resolved. Indicate the resolution
status in the Documentation Table.
4. If the problem is not resolved, it may be necessary to first remove the implemented solution before
returning to Step 2.
5. Once all identified problems are resolved, test for end-to-end connectivity.

Documentation Table

Columns: Device, Identified Problem, Proposed Solution, Resolved?

Device: R1
Identified Problem: Is not forming neighborship with R3
Proposed Solution: Remove the network 172.16.10.4 0.0.0.3 area 0 statement and replace it with network 192.168.10.4 0.0.0.3 area 0
Resolved?:

Device: R2
Identified Problem: Is not propagating the default route
Proposed Solution: Configure OSPF with the default-information originate command
Resolved?:

Device: R3
Identified Problem: Is not forming neighborship with R2
Proposed Solution: Remove the hello-interval command on the R3 S0/0/1 interface.
Resolved?:


Lab 10.2.4.3 – Troubleshoot Multiarea OSPFv2

Topology


Addressing Table

Device  Interface           IP Address      Subnet Mask
ISP     GigabitEthernet0/0  209.165.200.17  255.255.255.240
ASBR    GigabitEthernet0/0  209.165.200.18  255.255.255.240
ASBR    Serial0/0/0         10.1.1.2        255.255.255.252
ASBR    Serial0/0/1         10.2.2.2        255.255.255.252
ABR1    Serial0/0/0         10.1.1.1        255.255.255.252
ABR1    GigabitEthernet0/1  192.168.1.1     255.255.255.0
ABR2    Serial0/0/1         10.2.2.1        255.255.255.252
ABR2    GigabitEthernet0/1  172.16.1.33     255.255.255.224
R1      GigabitEthernet0/1  192.168.1.2     255.255.255.0
R1      GigabitEthernet0/0  192.168.2.1     255.255.255.0
R1      Loopback0           192.168.3.1     255.255.255.0
R2      GigabitEthernet0/0  192.168.2.2     255.255.255.0
R2      Loopback1           192.168.4.1     255.255.255.0
R3      GigabitEthernet0/1  172.16.1.62     255.255.255.224
R3      GigabitEthernet0/0  172.16.1.65     255.255.255.224
R4      GigabitEthernet0/0  172.16.1.94     255.255.255.224
R4      GigabitEthernet0/1  172.16.1.97     255.255.255.224

Objectives
Troubleshoot a multiarea OSPFv2 network.

Background / Scenario
A large organization has recently decided to change the network from single-area OSPFv2 to multiarea
OSPFv2. As a result, the network is no longer functioning correctly and communication through much of the
network has failed. As a network administrator, you must troubleshoot the problem, fix the multiarea OSPFv2
implementation, and restore communication throughout the network. To do this, you are given the Addressing
Table above, showing all of the routers in the network including their interface IP addresses and subnet
masks. You are told that in Area 1 communication to the 192.168.4.0/24 network is down and that router R2 is
unable to form an OSPF adjacency with router R1. In Area 2, communication to the 172.16.1.64/27 and
172.16.1.96/24 networks has been lost and router R4 is unable to form an adjacency. Area 0 is behaving as
expected.

Part 1: Use Show Commands to Troubleshoot OSPFv2 Area 1


In Part 1, using the particular symptoms of network failure reported in the Background / Scenario, begin
troubleshooting configuration settings at the routers in Area 1.


a. Check the router configurations in Area 1.


1. Because R2 is not forming an adjacency with R1, console into R2 and check its interface IP address
configuration and its multiarea OSPFv2 configuration. Use the show running-config command to view
the configuration.
Is R2’s OSPF router process configuration present and correct? Are the network statements, including
subnets, wildcard bits and area numbers correct?
____________________________________________________________________________________
R2’s OSPF routing configuration appears to be correct.
2. On R2, issue a show ip ospf interface command to check the hello timer interval configuration and to
verify that hello messages are being sent.
Is R2’s hello timer interval configuration set to the default setting? Is the dead time interval 4 x the hello
time interval? Are hellos being sent?
____________________________________________________________________________________
R2’s timer interval configuration is default at hello 10 and dead 40. Hellos are being sent.
3. If R2’s configurations and settings are correct, then the problem of not forming an adjacency must lie
with R1. Console into R1 and check the network interface and OSPFv2 configurations in the running-
configuration.
Are the R1 network interfaces configured correctly? Is there a problem in the R1 OSPFv2 routing process
configuration that would cause an adjacency failure?
____________________________________________________________________________________
R1’s interfaces are configured correctly. R1’s OSPFv2 routing process has a passive-interface command
configured on interface G0/0.
4. Correct the configuration error on R1.
R1# configure terminal
R1(config)# router ospf 1
R1(config-router)# no passive-interface G0/0
5. If the problem has been corrected, R1 should receive a syslog message to the console showing an OSPF
adjacency change from loading to full.
Did a syslog message appear in the R1 console reporting an OSPF adjacency change?
____________________________________________________________________________________
Yes, the syslog message was: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on GigabitEthernet0/0 from
LOADING to FULL.

b. Check the router configurations in Area 2.


1. Because it was reported that the network has lost contact with the Area 2 subnets 172.16.1.64/24 and
172.16.1.96/24, verify this at the Area 2 Border Router (ABR2) using the show ip route command.
Does the ABR2 routing table show the presence of the 172.16.1.64/24 and 172.16.1.96/24 networks?
____________________________________________________________________________________
No.
2. Check to see if ABR2 has established an OSPFv2 neighbor adjacency with R3.
Does ABR2 show two OSPF neighbors? Which neighbor ID signifies R3 and how do you know this?
____________________________________________________________________________________


Yes. ABR2 shows two neighbors with neighbor IDs 3.3.3.3 and 7.7.7.7. R3 is neighbor ID 3.3.3.3
because it shows it is connected on interface G0/1.
3. Because ABR2 has formed a neighbor relationship with R3, the problem may lie with the OSPFv2
configurations on either R3 or R4. Console into R3 and check the OSPFv2 configurations in the running-
configuration.
Are there any problems with the R3 OSPFv2 routing process configurations?
____________________________________________________________________________________
Yes, the network statement for the 172.16.1.64 network is incorrectly configured in Area 0 instead of Area
2.
4. To correct the problem, replace the OSPF routing process network statement that places the
172.16.1.64/24 subnet in Area 0 and change it to Area 2.
R3# configure terminal
R3(config)# router ospf 1
R3(config-router)#no network 172.16.1.64 0.0.0.31 area 0
R3(config-router)#network 172.16.1.64 0.0.0.31 area 2
Did a syslog message appear in the R3 console reporting an OSPF adjacency change? What does this
signify?
____________________________________________________________________________________
Yes, the syslog message was: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on GigabitEthernet0/0 from
LOADING to FULL. This signifies that an adjacency was formed with R4.
5. Verify that the R3 routing table has routes to all of the networks in all of the OSPF areas.
Are any routes missing? If so, which ones?
____________________________________________________________________________________
Yes, the routes to the 192.168.x.x networks are missing.
6. It appears that R3 is missing the OSPFv2 interarea 192.168.0.0/21 summary route. To solve this
problem, completely remove the OSPFv2 routing process from router R3 and then re-add it.
R3# configure terminal
R3(config)# no router ospf 1
R3(config)# router ospf 1
R3(config-router)#router-id 3.3.3.3
R3(config-router)#network 172.16.1.32 0.0.0.31 area 2
R3(config-router)#network 172.16.1.64 0.0.0.31 area 2
7. Now verify that the R3 routing table has learned the OSPF interarea summary route to the 192.168.0.0/21
subnet.
Is the OSPF interarea route to the 192.168.0.0/21 subnet in the routing table?
____________________________________________________________________________________
Yes.


Lab 10.2.4.4 – Troubleshoot Multiarea OSPFv3

Topology


Addressing Table

Device  Interface           IPv6 Global Unicast Address  IPv6 Link-local Address  Default Gateway
ISP     GigabitEthernet0/0  2001:DB8:C1:1::1/64          FE80::C1                 N/A
ASBR    GigabitEthernet0/0  2001:DB8:C1:1::2/64          FE80::7                  N/A
ASBR    Serial0/0/0         2001:DB8:A8EA:F0A::1         FE80::7                  N/A
ASBR    Serial0/0/1         2001:DB8:A8EA:F0B::1         FE80::7                  N/A
ABR1    Serial0/0/0         2001:DB8:A8EA:F0A::2         FE80::5                  N/A
ABR1    GigabitEthernet0/1  2001:DB8:A8EA:1A::1          FE80::5                  N/A
ABR2    Serial0/0/1         2001:DB8:A8EA:F0B::2         FE80::6                  N/A
ABR2    GigabitEthernet0/1  2001:DB8:A8EA:2A::1          FE80::6                  N/A
R1      GigabitEthernet0/1  2001:DB8:A8EA:1A::2          FE80::1                  N/A
R1      GigabitEthernet0/0  2001:DB8:A8EA:1C::1          FE80::1                  N/A
R1      Loopback0           2001:DB8:A8EA:1B::1          FE80::1                  N/A
R2      GigabitEthernet0/0  2001:DB8:A8EA:1C::2          FE80::2                  N/A
R2      Loopback1           2001:DB8:A8EA:1D::1          FE80::2                  N/A
R3      GigabitEthernet0/1  2001:DB8:A8EA:2A::2          FE80::3                  N/A
R3      GigabitEthernet0/0  2001:DB8:A8EA:2B::1          FE80::3                  N/A
R4      GigabitEthernet0/0  2001:DB8:A8EA:2B::2          FE80::4                  N/A
R4      GigabitEthernet0/1  2001:DB8:A8EA:2C::1          FE80::4                  N/A

Objectives
Troubleshoot a multiarea OSPFv3 network.

Background / Scenario
A large organization has recently decided to implement a multiarea OSPFv3 network. As a result, the network
is no longer functioning correctly and communication through much of the network has failed. As a network
administrator, you must troubleshoot the problem, fix the multiarea OSPFv3 implementation, and restore
communication throughout the network. To do this, you are given the Addressing Table above, showing all of
the routers in the network including their interface IPv6 addresses. You are told that in Area 1, R2 is unable to
form OSPF adjacencies. In Area 0 and Area 2, three routers ABR2, R3 and R4 have not been able to form
OSPF adjacencies. Lastly, ABR1 and R1 have not received default route information.


Part 1: Use Show Commands to Troubleshoot OSPFv3 Area 1


In Part 1, using the particular symptoms of network failure reported in the Background / Scenario, begin
troubleshooting configuration settings at the routers in Area 1.

a. Check the R2 configuration in Area 1.


1. Because R2 is not forming an adjacency with R1, console into R2 and check its interface IP address
configuration and its multiarea OSPFv2 configuration. Use the show running-config command to view the
configuration.
Is R2’s OSPFv3 routing process configuration present and correct? Has OSPFv3 been activated on the
g0/0 and Loopback 1 interfaces and have they been set to the correct Area?
____________________________________________________________________________________
R2’s OSPFv3 routing process is enabled and the interfaces are configured for area 1.
2. If R2’s OSPFv3 configurations are correct, it is possible that OSPFv3 has not been configured on the R1
G0/0 interface. Console into R1 and issue a show running-config command to check the G0/0 interface
for the ipv6 ospf 10 area 1 configuration.
Is R1’s OSPFv3 routing process configuration present and correct? Has OSPFv3 been activated on the
g0/0 interface and set to Area 1?
____________________________________________________________________________________
Yes.
3. It is possible that the hello-interval and dead-interval timers have been altered from their default values of
10 seconds and 40 seconds respectively. A timer mismatch can cause the routers to not form adjacencies. If
the dead-interval timer is not four times the value of the hello-interval timer, that could also cause the
routers to not form adjacencies. Check the hello-interval and dead-interval timer values on R1 and R2.
R1# show ipv6 ospf interface g0/0
R2# show ipv6 ospf interface g0/0
Is there a mismatch or incorrect configuration on either the R1 or R2 hello-interval or dead-interval
timers?
____________________________________________________________________________________
Yes, R2’s interface G0/0 timers are mismatched and incorrect.
4. Correct the hello-interval and dead-interval timer configuration errors on R2.
R2# configure terminal
R2(config)# interface g0/0
R2(config-if)# ipv6 ospf hello-interval 10
R2(config-if)# ipv6 ospf dead-interval 40

If the problem has been corrected, a syslog message should appear in the R2 console showing an OSPF
adjacency change from LOADING to FULL. State if the problem has been corrected, and if so, what is the
Nbr address?
____________________________________________________________________________________
Yes, there is a successful adjacency change to FULL with Nbr 1.1.1.1.


b. Check the router configurations in Area 2 starting with ABR2.


1. Because it was reported that routers ABR2, R3 and R4 were all unable to form OSPFv3
adjacencies, console into the ABR2 border router to see why it is unable to form an adjacency with the ASBR
router.
Is ABR2’s OSPFv3 routing process configuration present and correct? Has OSPFv3 been activated on
the s0/0/1 and g0/1 interfaces and have they been set to Area2?
____________________________________________________________________________________
ABR2’s OSPFv3 routing process has been enabled but a router-id has not been set. The interfaces have
been configured correctly.
2. OSPFv3 requires the presence of a 32-bit dotted decimal router-id. Because ABR2 has no IPv4 addresses
assigned to any of its interfaces, a router-id needs to be manually configured. Configure ABR2 with a
6.6.6.6 router-id.
ABR2# configure terminal
ABR2(config)# ipv6 router ospf 10
ABR2(config-router)# router-id 6.6.6.6
If the problem has been corrected, syslog messages should appear in the console showing OSPF
adjacency changes from LOADING to FULL. State if this is the case, and what neighbor Nbr addresses
appear?
____________________________________________________________________________________
Yes, there are successful adjacency changes with Nbr 7.7.7.7 and Nbr 3.3.3.3.
3. On ABR2, a Syslog message showing an adjacency change from LOADING to FULL with Nbr 3.3.3.3
means that R3 is now participating in the OSPFv3 Area 2 process. Check that R4 has provided route
information for its connected networks to the OSPFv3 topology database.
ABR2# show ipv6 ospf database
Looking at the output of the show ipv6 ospf database command, what information would signal the
presence of R4?
____________________________________________________________________________________
The router-id 4.4.4.4 signifies the presence of R4 as well as the inclusion of the 2001:DB8:A8EA:2C::/64
network in the Area 2 section of the output.

c. Check ASBR for OSPFv3 default route distribution.


1. Because ASBR is the edge router, it should have a static IPv6 default route configured. If so, it can
distribute that route using OSPFv3 and a default-information originate command.
Is there an IPv6 default route configured on ASBR? Does the OSPFv3 routing process configuration have
a default-information originate line present?
____________________________________________________________________________________
Yes, ASBR has an ipv6 default route to ::/0, but the IPv6 OSPF 10 routing process does not contain a
default-information originate line.
2. On ASBR, add a default-information originate command to the OSPFv3 routing process.
ASBR# configure terminal
ASBR(config)# ipv6 router ospf 10
ASBR(config-router)# default-information originate


3. Check the IPv6 routing tables of ABR1 and ABR2 to see if the default route was discovered through
OSPFv3.
Looking at the output of the show ipv6 route, did the router learn of the default route from OSPFv3? If
so, list the line or lines that signify this.
____________________________________________________________________________________
Yes. OE2 ::/0 [110/1] via FE80::7, Serial0/0/0.


Lab 12.3.2.6 – Configuring PAP and CHAP Authentication

Topology

Addressing Table

Device  Interface  IP Address       Subnet Mask      Default Gateway
R1      G0/0       192.168.10.1     255.255.255.0    N/A
R1      S0/0/0     10.1.1.1         255.255.255.252  N/A
R2      G0/0       192.168.30.1     255.255.255.0    N/A
R2      S0/0/1     10.2.2.2         255.255.255.252  N/A
R3      S0/0/0     10.1.1.2         255.255.255.252  N/A
R3      S0/0/1     10.2.2.1         255.255.255.252  N/A
R3      S0/1/0     209.165.200.225  255.255.255.252  N/A
ISP     S0/0/0     209.165.200.226  255.255.255.252  N/A
ISP     G0/0       209.165.200.1    255.255.255.252  N/A
Web     NIC        209.165.200.2    255.255.255.252  209.165.200.1
PC      NIC        192.168.10.10    255.255.255.0    192.168.10.1
Laptop  NIC        192.168.30.10    255.255.255.0    192.168.30.1

Objectives
Part 1: Review Routing Configurations
Part 2: Configure PPP as the Encapsulation Method
Part 3: Configure PPP Authentication


Background
In this activity, you will practice configuring PPP encapsulation on serial links. You will also configure PPP PAP
authentication and PPP CHAP authentication.

Review Routing Configurations

a. View running configurations on all routers.


While reviewing the router configurations, note the use of both static and dynamic routes in the topology.

b. Test connectivity between computers and the web server.


From PC and Laptop, ping the web server at 209.165.200.2. Both ping commands should be successful.
Remember to give enough time for STP and EIGRP to converge.

Configure PPP as the Encapsulation Method

c. Configure R1 to use PPP encapsulation with R3.


Enter the following commands on R1:
R1(config)#interface s0/0/0
R1(config-if)#encapsulation ppp

d. Configure R2 to use PPP encapsulation with R3.


Enter the appropriate commands on R2:
R2(config)# interface s0/0/1
R2(config-if)# encapsulation ppp

e. Configure R3 to use PPP encapsulation with R1, R2, and ISP.


Enter the appropriate commands on R3:
R3(config)# interface s0/0/0
R3(config-if)# encapsulation ppp
R3(config)# interface s0/0/1
R3(config-if)# encapsulation ppp
R3(config)# interface s0/1/0
R3(config-if)# encapsulation ppp

f. Configure ISP to use PPP encapsulation with R3.


1. Click the Internet cloud, then ISP. Enter the following commands:
Router(config)#interface s0/0/0
Router(config-if)#encapsulation ppp
2. Exit the Internet cloud by clicking Back in the upper left corner or by pressing Alt+left arrow.

g. Test connectivity to the web server.


PC and Laptop should be able to ping the web server at 209.165.200.2. This may take some time as
interfaces start working again and EIGRP reconverges.


Configure PPP Authentication

h. Configure PPP PAP Authentication Between R1 and R3.


Note: Instead of using the keyword password as shown in the curriculum, you will use the keyword secret to
provide a better encryption of the password.
1. Enter the following commands into R1:
R1(config)#username R3 secret class
R1(config)#interface s0/0/0
R1(config-if)#ppp authentication pap
R1(config-if)#ppp pap sent-username R1 password cisco
2. Enter the following commands into R3:
R3(config)#username R1 secret cisco
R3(config)#interface s0/0/0
R3(config-if)#ppp authentication pap
R3(config-if)#ppp pap sent-username R3 password class

i. Configure PPP PAP Authentication Between R2 and R3.


Repeat step 1 to configure authentication between R2 and R3, changing the usernames as needed. Note that
each password sent on each serial port matches the password expected by the opposite router.
R2(config-if)# username R3 secret class
R2(config)# interface s0/0/1
R2(config-if)#ppp authentication pap
R2(config-if)#ppp pap sent-username R2 password cisco

R3(config-if)#username R2 secret cisco
R3(config)#interface s0/0/1
R3(config-if)# ppp authentication pap
R3(config-if)#ppp pap sent-username R3 password class

j. Configure PPP CHAP Authentication Between R3 and ISP.


1. Enter the following commands into ISP. The hostname is sent as the username:
Router(config)#hostname ISP
ISP(config)#username R3 secret cisco
ISP(config)#interface s0/0/0
ISP(config-if)#ppp authentication chap
2. Enter the following commands into R3. The passwords must match for CHAP authentication:
R3(config)#username ISP secret cisco
R3(config)#interface serial0/1/0
R3(config-if)#ppp authentication chap

k. Test connectivity between computers and the web server.


From PC and Laptop, ping the web server at 209.165.200.2. Both ping commands should be successful.
Remember to give enough time for STP and EIGRP to converge.
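
The CHAP exchange configured in step j, with the PAP request from steps h and i for contrast, as an added example that is not part of the original lab: both ends of the RFC 1994 challenge/response are modelled so you can see that the shared secret is hashed rather than sent, while the PAP request carries it as plain bytes. The Router class, its method names and the fixed nonce are constructed for illustration.

```python
import hashlib
import hmac
import struct

CHALLENGE, RESPONSE = 1, 2   # CHAP codes (RFC 1994)
PAP_AUTH_REQUEST = 1         # PAP code (RFC 1334)


def chap_packet(code, ident, value, name):
    """Build Code | Identifier | Length | Value-Size | Value | Name."""
    body = bytes([len(value)]) + value + name.encode()
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_chap(packet):
    """Return (code, identifier, value, name), rejecting bad length fields."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 5 or 5 + packet[4] > length:
        raise ValueError("malformed CHAP packet")
    size = packet[4]
    return code, ident, packet[5:5 + size], packet[5 + size:].decode()


def chap_value(ident, secret, challenge):
    """Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def pap_request(ident, peer_id, password):
    """PAP Authenticate-Request: the password travels as plain bytes."""
    body = (bytes([len(peer_id)]) + peer_id.encode()
            + bytes([len(password)]) + password.encode())
    return struct.pack("!BBH", PAP_AUTH_REQUEST, ident, 4 + len(body)) + body


class Router:
    """Hypothetical model of one PPP endpoint (not a Cisco API)."""

    def __init__(self, hostname, users):
        self.hostname = hostname   # sent as the CHAP Name field
        self.users = users         # {peer hostname: secret}, like `username R3 secret cisco`

    def challenge(self, ident, nonce):
        return chap_packet(CHALLENGE, ident, nonce, self.hostname)

    def respond(self, challenge_pkt):
        code, ident, nonce, challenger = parse_chap(challenge_pkt)
        secret = self.users.get(challenger)
        if code != CHALLENGE or secret is None:
            return None            # no `username` entry for the challenger's hostname
        return chap_packet(RESPONSE, ident, chap_value(ident, secret, nonce), self.hostname)

    def verify(self, challenge_pkt, response_pkt):
        _, ident, nonce, _ = parse_chap(challenge_pkt)
        code, r_ident, value, peer = parse_chap(response_pkt)
        secret = self.users.get(peer)
        if code != RESPONSE or r_ident != ident or secret is None:
            return False
        return hmac.compare_digest(value, chap_value(ident, secret, nonce))


def chap_exchange(authenticator, peer, ident, nonce):
    """Run one challenge/response; return (accepted, packets seen on the link)."""
    wire = [authenticator.challenge(ident, nonce)]
    response = peer.respond(wire[0])
    if response is None:
        return False, wire
    wire.append(response)
    return authenticator.verify(wire[0], response), wire


# Constructed nonce so the run is repeatable; a real authenticator uses fresh random bytes.
NONCE = bytes(range(16))

if __name__ == "__main__":
    isp = Router("ISP", {"R3": "cisco"})   # ISP(config)#username R3 secret cisco
    r3 = Router("R3", {"ISP": "cisco"})    # R3(config)#username ISP secret cisco
    ok, wire = chap_exchange(isp, r3, 1, NONCE)
    print("CHAP accepted:", ok)
    print("secret visible in CHAP packets:", any(b"cisco" in p for p in wire))
    print("secret visible in PAP request: ", b"cisco" in pap_request(1, "R1", "cisco"))
```

The `secret` keyword only changes how the password is stored in the configuration; PAP still sends it across the link unencrypted, whereas CHAP sends only the MD5 value.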


Lab 12.4.1.4 – Troubleshooting PPP with Authentication

Topology

Addressing Table

Device      Interface  IP Address       Subnet Mask      Default Gateway
R1          G0/1       10.0.0.1         255.255.255.128  N/A
R1          S0/0/0     172.16.0.1       255.255.255.252  N/A
R1          S0/0/1     172.16.0.9       255.255.255.252  N/A
R2          G0/1       209.165.200.161  255.255.255.224  N/A
R2          S0/0/0     172.16.0.2       255.255.255.252  N/A
R2          S0/0/1     172.16.0.5       255.255.255.252  N/A
R3          G0/1       10.0.0.129       255.255.255.128  N/A
R3          S0/0/0     172.16.0.10      255.255.255.252  N/A
R3          S0/0/1     172.16.0.6       255.255.255.252  N/A
ISP         G0/1       209.165.200.162  255.255.255.224  N/A
PC1         NIC        10.0.0.10        255.255.255.128  10.0.0.1
PC3         NIC        10.0.0.139       255.255.255.128  10.0.0.129
Web Server  NIC        209.165.200.2    255.255.255.252  209.165.200.1

Objectives
Part 1: Diagnose and Repair the Physical Layer
Part 2: Diagnose and Repair the Data Link Layer
Part 3: Diagnose and Repair the Network Layer


Scenario
The routers at your company were configured by an inexperienced network engineer. Several errors in the
configuration have resulted in connectivity issues. Your boss has asked you to troubleshoot and correct the
configuration errors and document your work. Using your knowledge of PPP and standard testing methods,
find and correct the errors. Make sure that all of the serial links use PPP CHAP authentication, and that all of
the networks are reachable. The passwords are cisco and class.

Diagnose and Repair the Physical Layer

a. Diagnose and repair the cabling.


1. Examine the Addressing Table to determine the location of all the connections.
2. Verify cables are connected as specified.
3. Diagnose and repair any inactive interfaces.
R1(config-if)# interface g0/1
R1(config-if)# no shutdown
R1(config)# interface s0/0/0
R1(config-if)# no shutdown
R1(config-if)# interface s0/0/1
R1(config-if)# no shutdown

R2(config)# interface s0/0/0
R2(config-if)# no shutdown
R2(config-if)# interface s0/0/1
R2(config-if)# no shutdown

R3(config)# interface g0/1
R3(config-if)# no shutdown
R3(config-if)# interface s0/0/0
R3(config-if)# no shutdown
R3(config-if)# interface s0/0/1
R3(config-if)# no shutdown

Diagnose and Repair the Data Link Layer

b. Examine and set clock rates on the DCE equipment.


Examine the configuration of each router to verify that a clock rate has been set on appropriate interfaces. Set
the clock rate of any serial interface that requires it.
R2(config)# interface s0/0/1
R2(config-if)# clock rate 64000

c. Examine the encapsulation on the DCE equipment.


All of the serial interfaces should be using PPP as the encapsulation type. Change the encapsulation type to
PPP for any interface that is set otherwise.
R1(config)# interface s0/0/0
R1(config-if)# encapsulation ppp

R2(config)#interface s0/0/1
R2(config-if)# encapsulation ppp

R3(config)# interface s0/0/0
R3(config-if)# encapsulation ppp

d. Examine and set CHAP usernames and passwords.


Examine each link to verify that routers are logging into each other correctly. All CHAP passwords are set to
cisco. Use the debug ppp authentication command if needed. Correct or set any usernames and passwords
that need it.
R1(config)# username R3 password cisco
R1(config)# interface s0/0/0
R1(config-if)# ppp authentication chap
R1(config-if)#interface s0/0/1
R1(config-if)# ppp authentication chap

R2(config)# username R1 password cisco
R2(config)# no username R11
R2(config)# interface s0/0/1
R2(config-if)# ppp authentication chap

R3(config)# username R2 password cisco
R3(config)# interface s0/0/0
R3(config-if)# ppp authentication chap
R3(config-if)# interface s0/0/1
R3(config-if)# ppp authentication chap

Diagnose and Repair the Network Layer

a. Verify the IP addressing.


Check IP addresses against the Addressing Table and ensure that they are in the correct subnet with their
connecting interface. Correct any IP addresses that overlap, are on the wrong interface, have the wrong
subnet address, or are set to the host or broadcast address.
R1(config)# interface g0/0
R1(config-if)# no ip address
R1(config-if)# interface g0/1
R1(config-if)# ip address 10.0.0.1 255.255.255.128
R1(config-if)# interface s0/0/0
R1(config-if)# ip address 172.16.0.1 255.255.255.252

R2(config)# interface g0/1
R2(config-if)# ip address 209.165.200.161 255.255.255.224

R3(config)# interface g0/1
R3(config-if)# ip address 10.0.0.129 255.255.255.128
R3(config-if)# interface s0/0/1
R3(config-if)# ip address 172.16.0.6 255.255.255.252

b. Verify full connectivity by tracing a path from PC1 and PC3 to the web server.


Lab 13.4.2.4 – Configuring GRE

Topology

Addressing Table

Device  Interface  IP Address     Subnet Mask      Default Gateway
RA      G0/0       192.168.1.1    255.255.255.0    N/A
RA      S0/0/0     64.103.211.2   255.255.255.252  N/A
RA      Tunnel 0   10.10.10.1     255.255.255.252  N/A
RB      G0/0       192.168.2.1    255.255.255.0    N/A
RB      S0/0/0     209.165.122.2  255.255.255.252  N/A
RB      Tunnel 0   10.10.10.2     255.255.255.252  N/A
PC-A    NIC        192.168.1.2    255.255.255.0    192.168.1.1
PC-C    NIC        192.168.2.2    255.255.255.0    192.168.2.1

Objectives
Part 1: Verify Router Connectivity
Part 2: Configure GRE Tunnels
Part 3: Verify PC Connectivity

Scenario
You are the network administrator for a company which wants to set up a GRE tunnel to a remote office. Both
networks are locally configured, and need only the tunnel configured.


Verify Router Connectivity

a. Ping RA from RB.


4. Use the show ip interface brief command on RA to determine the IP address of the S0/0/0 port.
5. From RB, ping the S0/0/0 IP address of RA.

b. Ping PCA from PCB.


Attempt to ping the IP address of PCA from PCB. We will repeat this test after configuring the GRE tunnel.
What were the ping results? Why? The pings failed because there is no route to the destination.

Configure GRE Tunnels

c. Configure the Tunnel 0 interface of RA.


1. Enter into the configuration mode for RA Tunnel 0.
RA(config)# interface tunnel 0
2. Set the IP address as indicated in the Addressing Table.
RA(config-if)# ip address 10.10.10.1 255.255.255.252
3. Set the source and destination for the endpoints of Tunnel 0.
RA(config-if)# tunnel source s0/0/0
RA(config-if)# tunnel destination 209.165.122.2
4. Configure Tunnel 0 to convey IP traffic over GRE.
RA(config-if)#tunnel mode gre ip
5. The Tunnel 0 interface should already be active. In the event that it is not, treat it like any other interface.
RA(config-if)#no shutdown

d. Configure the Tunnel 0 interface of RB.


Repeat Steps 1a – e with RB. Be sure to change the IP addressing as appropriate.
RB(config)# interface tunnel 0
RB(config-if)# ip address 10.10.10.2 255.255.255.252
RB(config-if)# tunnel source s0/0/0
RB(config-if)# tunnel destination 64.103.211.2
RB(config-if)# tunnel mode gre ip
RB(config-if)# no shutdown

e. Configure a route for private IP traffic.


Establish a route between the 192.168.X.X networks using the 10.10.10.0/30 network as the destination.
RA(config)#ip route 192.168.2.0 255.255.255.0 10.10.10.2
RB(config)#ip route 192.168.1.0 255.255.255.0 10.10.10.1


Verify Router Connectivity

f. Ping PCA from PCB.


Attempt to ping the IP address of PCA from PCB. The ping should be successful.

g. Trace the path from PCA to PCB.


Attempt to trace the path from PCA to PCB. Note the lack of public IP addresses in the output.

Device Configs

Router RA
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname RA
license udi pid CISCO2911/K9 sn FTX15242579
spanning-tree mode pvst
interface Tunnel0
ip address 10.10.10.1 255.255.255.252
tunnel source Serial0/0/0
tunnel destination 209.165.122.2
tunnel mode gre ip
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
shutdown
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
shutdown
interface Serial0/0/0
ip address 64.103.211.2 255.255.255.252
interface Serial0/0/1
no ip address
shutdown
interface Vlan1
no ip address
shutdown
ip classless
ip route 192.168.2.0 255.255.255.0 10.10.10.2
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
line con 0
line aux 0
line vty 0 4
login
end

Router RB
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
license udi pid CISCO2911/K9 sn FTX152497Z4
spanning-tree mode pvst
interface Tunnel0
ip address 10.10.10.2 255.255.255.252
tunnel source Serial0/0/0
tunnel destination 64.103.211.2
tunnel mode gre ip
interface GigabitEthernet0/0
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
shutdown
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 209.165.122.2 255.255.255.252
!
interface Serial0/0/1
no ip address
shutdown
interface Vlan1
no ip address
shutdown
ip classless
ip route 192.168.1.0 255.255.255.0 10.10.10.1
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
line con 0
line aux 0
line vty 0 4
login
end


Lab 13.4.2.5 – Troubleshooting GRE

Topology

Addressing Table

Device  Interface  IP Address     Subnet Mask      Default Gateway
RA      G0/0       172.31.0.1     255.255.255.0    N/A
RA      S0/0/0     209.165.122.2  255.255.255.252  N/A
RA      Tunnel 0   192.168.1.1    255.255.255.252  N/A
RB      G0/0       172.31.1.1     255.255.255.0    N/A
RB      S0/0/0     64.103.211.2   255.255.255.252  N/A
RB      Tunnel 0   192.168.1.2    255.255.255.252  N/A
PC-A    NIC        172.31.0.2     255.255.255.0    172.31.0.1
PC-C    NIC        172.31.1.2     255.255.255.0    172.31.1.1

Objectives
• Find and Correct All Network Errors
• Verify Connectivity

Scenario
A junior network administrator was hired to set up a GRE tunnel between two sites and was unable to complete
the task. You have been asked to correct configuration errors in the company network.


Find and Correct All Network Errors.

Columns: Device, Error, Correction

Device: RA
Error: G0/0 IP interface and subnet mask is not correct. Tunnel address must be removed to prevent overlap error.
Correction:
interface Tunnel 0
no ip address
interface g0/0
ip address 172.31.0.1 255.255.255.0

Device: RA
Error: T0 IP address is not correct.
Correction:
interface Tunnel 0
ip address 192.168.1.1 255.255.255.252

Device: RA
Error: Static route is not correct.
Correction:
no ip route 172.31.1.0 255.255.255.0 64.103.211.2
ip route 172.31.1.0 255.255.255.0 192.168.1.2

Device: RB
Error: Tunnel destination address is not correct.
Correction:
tunnel destination 209.165.122.2

Device: RB
Error: Tunnel source port is not correct.
Correction:
tunnel source Serial0/0/0
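
A consistency check for the tunnel and static-route errors listed in the table above, as an added example that is not part of the original lab: it parses both routers' configurations and flags a tunnel source with no address, a tunnel destination that differs from the peer's source address, mismatched tunnel subnets, and a remote-LAN route that does not point at the peer's tunnel address. The broken sample configurations are constructed (RB's wrong source interface and the 198.51.100.1 destination are assumed values), and treating GigabitEthernet interfaces as the LAN side is an assumption.

```python
import ipaddress
import re


def parse_ios(text):
    """Pull hostname, per-interface settings and static routes out of IOS config text."""
    cfg = {"hostname": "?", "interfaces": {}, "routes": {}}
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.fullmatch(r"hostname (\S+)", line):
            cfg["hostname"] = m[1]
        elif m := re.fullmatch(r"interface (\S+)", line):
            current = cfg["interfaces"].setdefault(m[1], {})
        elif (m := re.fullmatch(r"ip address (\S+) (\S+)", line)) and current is not None:
            current["ip"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif (m := re.fullmatch(r"tunnel (source|destination) (\S+)", line)) and current is not None:
            current[m[1]] = m[2]
        elif m := re.fullmatch(r"ip route (\S+) (\S+) (\S+)", line):
            net = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            cfg["routes"][net] = m[3]
    return cfg


def _tunnel(cfg):
    """First Tunnel interface of a parsed config, or an empty dict."""
    return next((i for n, i in cfg["interfaces"].items() if n.startswith("Tunnel")), {})


def lint_side(local, remote):
    """Findings for `local`, judged against its peer `remote`."""
    name, findings = local["hostname"], []
    tun, peer_tun = _tunnel(local), _tunnel(remote)
    # 1. The tunnel source must be a local interface that has an address.
    if "ip" not in local["interfaces"].get(tun.get("source"), {}):
        findings.append((name, "source"))
    # 2. The tunnel destination must be the address of the peer's tunnel source.
    #    Skipped when the peer's own source is unusable (reported on the peer).
    peer_src = remote["interfaces"].get(peer_tun.get("source"), {})
    if "ip" in peer_src and tun.get("destination") != str(peer_src["ip"].ip):
        findings.append((name, "destination"))
    # 3. Both tunnel addresses must sit in the same subnet.
    if "ip" in tun and "ip" in peer_tun and tun["ip"].network != peer_tun["ip"].network:
        findings.append((name, "tunnel-subnet"))
    # 4. Each remote LAN must be routed to the peer's tunnel address, not its public one.
    for ifname, iface in remote["interfaces"].items():
        if ifname.startswith("GigabitEthernet") and "ip" in iface and "ip" in peer_tun:
            if local["routes"].get(iface["ip"].network) != str(peer_tun["ip"].ip):
                findings.append((name, "route"))
    return findings


def lint_pair(text_a, text_b):
    """Check both directions and return a sorted list of (router, problem)."""
    a, b = parse_ios(text_a), parse_ios(text_b)
    return sorted(lint_side(a, b) + lint_side(b, a))


# Constructed "before" configurations modelled on the error table.
BROKEN_RA = """
hostname RA
interface Tunnel0
 ip address 192.168.1.1 255.255.255.252
 tunnel source Serial0/0/0
 tunnel destination 64.103.211.2
interface GigabitEthernet0/0
 ip address 172.31.0.1 255.255.255.0
interface Serial0/0/0
 ip address 209.165.122.2 255.255.255.252
ip route 172.31.1.0 255.255.255.0 64.103.211.2
"""
BROKEN_RB = """
hostname RB
interface Tunnel0
 ip address 192.168.1.2 255.255.255.252
 tunnel source Serial0/0/1
 tunnel destination 198.51.100.1
interface GigabitEthernet0/0
 ip address 172.31.1.1 255.255.255.0
interface Serial0/0/0
 ip address 64.103.211.2 255.255.255.252
interface Serial0/0/1
 no ip address
ip route 172.31.0.0 255.255.255.0 192.168.1.1
"""
# The corrections from the table, applied to the constructed configurations.
FIXED_RA = BROKEN_RA.replace("ip route 172.31.1.0 255.255.255.0 64.103.211.2",
                             "ip route 172.31.1.0 255.255.255.0 192.168.1.2")
FIXED_RB = (BROKEN_RB.replace("tunnel source Serial0/0/1", "tunnel source Serial0/0/0")
            .replace("tunnel destination 198.51.100.1", "tunnel destination 209.165.122.2"))

if __name__ == "__main__":
    print("before:", lint_pair(BROKEN_RA, BROKEN_RB))
    print("after: ", lint_pair(FIXED_RA, FIXED_RB))
```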

Verify Connectivity

a. Ping PCA from PCB.


Attempt to ping the IP address of PCA from PCB. The ping should be successful.

b. Trace the path from PCA to PCB.


Attempt to trace the path from PCA to PCB. Note the lack of public IP addresses in the output.

Device Configs

Router RA
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname RA
interface Tunnel0
ip address 192.168.1.1 255.255.255.252
tunnel source Serial0/0/0
tunnel destination 64.103.211.2


tunnel mode gre ip


interface GigabitEthernet0/0
ip address 172.31.0.1 255.255.255.0
duplex auto
speed auto
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
shutdown
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
shutdown
interface Serial0/0/0
ip address 209.165.122.2 255.255.255.252
interface Serial0/0/1
no ip address
shutdown
interface Vlan1
no ip address
shutdown
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip route 172.31.1.0 255.255.255.0 192.168.1.2
line con 0
line aux 0
line vty 0 4
login
end

Router RB
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname RB
interface Tunnel0
ip address 192.168.1.2 255.255.255.252
tunnel source Serial0/0/0
tunnel destination 209.165.122.2
tunnel mode gre ip
interface GigabitEthernet0/0
ip address 172.31.1.1 255.255.255.0
duplex auto
speed auto
interface GigabitEthernet0/1
no ip address
duplex auto


speed auto
shutdown
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
shutdown
interface Serial0/0/0
ip address 64.103.211.2 255.255.255.252
interface Serial0/0/1
no ip address
shutdown
interface Vlan1
no ip address
shutdown
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip route 172.31.0.0 255.255.255.0 192.168.1.1
line con 0
line aux 0
line vty 0 4
login
end


Lab 13.5.3.4 - Configure and Verify eBGP

Topology

Objectives
Configure and verify eBGP between two autonomous systems.

Background / Scenario
In this activity, you will configure and verify the operation of eBGP between autonomous systems 65001 and
65002. ACME Inc. is a company that has a partnership with Other Company and must exchange routes. Both
companies have their own autonomous systems and will use ISP as the transit AS to reach each other.
Note: Only companies with very large networks can afford their own autonomous system.


Address Table

Device    Interface  IPv4 Address  Subnet Mask      Default Gateway
ACME1     G0/0       192.168.0.1   255.255.255.0    N/A
ACME1     S0/0/0     1.1.1.2       255.255.255.252  N/A
OtherCo1  G0/0       172.16.10.1   255.255.255.0    N/A
OtherCo1  S0/0/0     1.1.1.10      255.255.255.252  N/A
ISP1      S0/0/0     1.1.1.1       255.255.255.252
ISP1      S0/0/1     1.1.1.5       255.255.255.252
ISP2      S0/0/0     1.1.1.9       255.255.255.252
ISP2      S0/0/1     1.1.1.6       255.255.255.252
PC0       NIC        DHCP                           192.168.0.1
Laptop0   NIC        DHCP                           192.168.0.1
Laptop1   NIC        DHCP                           192.168.0.1
Server    NIC        172.16.10.2   255.255.255.0    172.16.10.1

Task 1: Configure eBGP in ACME Inc.


ACME Inc. hired an ISP to connect to a partner company called Other Company. The ISP has established
network reachability within its network and to Other Company. You must connect ACME to the ISP so that
ACME and Other Company can communicate. Because ISP is using BGP as the routing protocol, you must
configure ACME1, ACME’s border router, to establish a BGP neighbor connection with ISP1, the ISP border
router that faces ACME.
Step 3: Verify that the ISP has provided IP reachability through its network by pinging 1.1.1.9, the IP address
assigned to ISP2’s Serial 0/0/0.
Step 4: From any device inside ACME’s network, ping the Other Company’s server 172.16.10.2. The pings
should fail as no BGP routing is configured at this time.
Step 5: Configure ACME1 to become an eBGP peer with ISP1. ACME’s AS number is 65001, while the ISP is
using AS number 65003. Use the 1.1.1.1 as the neighbor IP address and make sure to add ACME’s
internal network 192.168.0.0/24 to BGP.
ACME1(config)# router bgp 65001
ACME1(config-router)# neighbor 1.1.1.1 remote-as 65003
ACME1(config-router)# network 192.168.0.0 mask 255.255.255.0
From any device inside ACME’s network, ping the Other Company internal server again. Does it work?
_________________________________________________________________________________ No.

Task 2: Configure eBGP in Other Company Inc.


The network administrator at Other Company is not familiar with BGP and could not configure their side of the
link. You must also configure their end of the connection.


Configure OtherCo1 to form an eBGP adjacency with ISP2, the ISP border router facing OtherCo1. Other
Company is under AS 65002 while ISP is under AS 65003. Use the 1.1.1.9 as the neighbor IP address of
ISP2 and make sure to add Other Company’s internal network 172.16.10.0/24 to BGP.
OtherCo1(config)# router bgp 65002
OtherCo1(config-router)# neighbor 1.1.1.9 remote-as 65003
OtherCo1(config-router)# network 172.16.10.0 mask 255.255.255.0

Task 3: eBGP Verification


Step 6: Verify that ACME1 has properly formed an eBGP adjacency with ISP1. The show ip bgp summary
command is very useful here.
Step 7: Use the show ip bgp summary command to verify all the routes ACME1 has learned via eBGP and
their status.
Step 8: Look at the routing tables on ACME1 and OtherCo1. ACME1 should have routes learned about Other
Company’s route 172.16.10.0/24. Similarly, OtherCo1 should now know about ACME’s route
192.168.0.0/24.
Step 9: Open a web browser in any ACME Inc. end devices and navigate to Other Company’s server by
entering its IP address 172.16.10.2
Step 10: From any ACME Inc. device, ping the Other Company’s server at 172.16.10.2.

Scripts

ACME1 Configuration
router bgp 65001
neighbor 1.1.1.1 remote-as 65003
network 192.168.0.0 mask 255.255.255.0

OtherCo1 Configuration
router bgp 65002
neighbor 1.1.1.9 remote-as 65003
network 172.16.10.0 mask 255.255.255.0


Lab 14.1.3.5 – Configure Standard IPv4 ACLs

Topology


Addressing Table

Device  Interface  IP Address     Subnet Mask    Default Gateway
R1      G0/0       192.168.1.1    255.255.255.0  N/A
R1      G0/1       192.168.2.1    255.255.255.0  N/A
R1      G0/2       192.168.250.1  255.255.255.0  N/A
R2      G0/0       172.16.1.1     255.255.255.0  N/A
R2      G0/1       172.16.2.1     255.255.255.0  N/A
R2      G0/2       192.168.250.2  255.255.255.0  N/A
PC-A    NIC        192.168.1.100  255.255.255.0  192.168.1.1
PC-B    NIC        192.168.1.150  255.255.255.0  192.168.1.1
PC-C    NIC        192.168.2.50   255.255.255.0  192.168.2.1
PC-D    NIC        192.168.2.112  255.255.255.0  192.168.2.1
PC-E    NIC        172.16.1.10    255.255.255.0  172.16.1.1
PC-F    NIC        172.16.1.20    255.255.255.0  172.16.1.1
PC-G    NIC        172.16.2.100   255.255.255.0  172.16.2.1
PC-H    NIC        172.16.2.200   255.255.255.0  172.16.2.1

Objectives
Restrict traffic on the network by configuring standard IPv4 ACLs.

Background / Scenario
An organization has recently decided to restrict traffic using standard IPv4 ACLs. As the network
administrator, it is your job to configure two standard IPv4 ACLs to restrict traffic to the Pink LAN and the Blue
LAN (see PT Topology Diagram). You must also configure a named standard IPv4 ACL to restrict remote
access to router R1. Router interfaces and default/static routes have already been configured. Remote SSH
access has also been enabled on the routers. You will need the following access information for console,
VTY, and privileged EXEC mode:
Username: admin01
Password: ciscoPA55
Enable secret: secretPA55

Configure a Standard IPv4 ACL to Restrict Access to the Pink LAN


In Part 1, you will configure and apply access list 10 to restrict access to the Pink LAN.

a. Outline what you wish to accomplish with access list 10.


Access list 10 should have 4 access control entries to do the following:
1. Access list 10 should start with the following comment: ACL_TO_PINK_LAN
2. Permit PC-C to reach the Pink LAN


3. Permit only the first half of hosts on the Yellow LAN, so they can reach the Pink LAN
4. Permit all of the hosts on the Blue LAN to reach the Pink LAN
Access list 10 should be configured on the correct router, and applied to the correct interface and in the right
direction.

b. Create, apply, and test access-list 10.


After configuring and applying access list 10, you should be able to execute the following network tests:
5. A ping from PC-A to a host in the Pink LAN should be successful, but a ping from PC-B should be
denied.
6. A ping from PC-C to a host in the Pink LAN should be successful, but a ping from PC-D should be
denied.
7. Pings from hosts in the Blue LAN to hosts in the Pink LAN should be successful.
What message is sent back to the PCs when a ping is denied due to an ACL?
____________________________________________________________________________________
A destination unreachable message.
Which IP addresses on the Yellow LAN are permitted to ping hosts on the Pink LAN?
____________________________________________________________________________________
Access list 10 permits pings to the Pink LAN from hosts 192.168.1.1 to 192.168.1.127 on the Yellow LAN.

Configure a Standard IPv4 ACL to Restrict Access to the Blue LAN


In Part 2, you will configure and apply access list 20 to restrict access to the Blue LAN.

c. Outline what you wish to accomplish with access list 20.


Access list 20 should have 3 access control entries to do the following:
8. Access list 20 should start with the following comment: ACL_TO_BLUE_LAN
9. Permit PC-A to reach the Blue LAN
10. Deny the Yellow LAN from reaching the Blue LAN
11. Allow all other networks to reach the Blue LAN
Access list 20 should be configured on the correct router, and applied to the correct interface and in the right
direction.

d. Create, apply, and test access-list 20.


After configuring and applying access list 20 you should be able to execute the following network tests:
12. Only PC-A on the Yellow LAN can successfully ping the Blue LAN.
13. Pings from hosts in the Yellow LAN to the Blue LAN should fail.
14. Pings from hosts in the Green and Pink LANs to the Blue LAN should be successful.

e. Insert an ACE into access-list 20.


You need to make a change to access list 20. Insert an access control entry into access list 20 to permit PC-A
to reach the Blue LAN. Insert the ACE prior to the other access list 20 permit and deny access control entries.
How do you insert or remove an ACE into a specific line of an ACL?


____________________________________________________________________________________
To insert or remove an ACE on a specific line enter the ACL using the ip access-list keywords and arguments
as if the numbered ACL was a named ACL.
What line did you enter the ACE on?
____________________________________________________________________________________
Answers may vary but inserting the ACE on lines 1 through 9 would all work.

Configure a Named Standard IPv4 ACL


In Part 3, you will configure and apply a named standard IPv4 ACL to restrict remote access to router R1.

a. Outline what you wish to accomplish with named standard ACL.


The named access list should do the following:
15. On R1 create a standard ACL named ADMIN_VTY
16. Permit a single host, PC-C
17. Apply the ACL to the VTY lines

b. Test access-list ADMIN_VTY.


After configuring and applying access list ADMIN_VTY, you should be able to execute the following network
test:
18. An SSH connection from host PC-C to R1 should be successful.
19. SSH connections from all other hosts should fail.

Reflection
This lab features two standard ACLs to restrict traffic to the Pink and Blue LANs. Could you create 2 more
standard ACLs to restrict traffic to the Yellow and Green LANs, and which router would those ACLs need to be
created on?
_______________________________________________________________________________________
_______________________________________________________________________________________
Yes, you could create a standard ACL for G0/0 and G0/1 on router R1 to restrict access to the Yellow and
Green LANs.

Script

R1
ip access-list standard ADMIN_VTY
permit 192.168.2.50
line vty 0 4
access-class ADMIN_VTY in

R2
access-list 10 remark ACL_TO_PINK_LAN
access-list 10 permit host 192.168.2.50
access-list 10 permit 192.168.1.0 0.0.0.127


access-list 10 permit 172.16.1.0 0.0.0.255


access-list 20 remark ACL_TO_BLUE_LAN
access-list 20 permit host 192.168.1.100
access-list 20 deny 192.168.1.0 0.0.0.255
access-list 20 permit any
interface gigabitEthernet0/0
ip access-group 20 out
interface gigabitEthernet0/1
ip access-group 10 out
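
The R2 script above depends on three behaviours of standard ACLs: wildcard matching, first-match ordering and the implicit deny. The following Python sketch is an added example, not part of the lab manual; it replays access lists 10 and 20 against hosts from the addressing table, and its function names and the misordered variant of list 20 are constructed for illustration.

```python
import ipaddress

# ACLs copied from the R2 script; host addresses copied from the addressing table.
ACL_10 = """
access-list 10 remark ACL_TO_PINK_LAN
access-list 10 permit host 192.168.2.50
access-list 10 permit 192.168.1.0 0.0.0.127
access-list 10 permit 172.16.1.0 0.0.0.255
"""
ACL_20 = """
access-list 20 remark ACL_TO_BLUE_LAN
access-list 20 permit host 192.168.1.100
access-list 20 deny 192.168.1.0 0.0.0.255
access-list 20 permit any
"""
# Constructed counter-example: the PC-A entry placed after the Yellow LAN deny.
ACL_20_MISORDERED = """
access-list 20 deny 192.168.1.0 0.0.0.255
access-list 20 permit host 192.168.1.100
access-list 20 permit any
"""
HOSTS = {"PC-A": "192.168.1.100", "PC-B": "192.168.1.150", "PC-C": "192.168.2.50",
         "PC-D": "192.168.2.112", "PC-E": "172.16.1.10", "PC-G": "172.16.2.100"}


def _int(addr):
    return int(ipaddress.IPv4Address(addr))


def parse_standard_acl(text):
    """Turn 'access-list N permit|deny SOURCE' lines into (action, base, wildcard)."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            continue  # remarks and anything else that is not an ACE
        action, src = tok[2], tok[3:]
        if src[0] == "any":
            base, wc = "0.0.0.0", "255.255.255.255"
        elif src[0] == "host":
            base, wc = src[1], "0.0.0.0"
        else:
            base, wc = src[0], (src[1] if len(src) > 1 else "0.0.0.0")
        entries.append((action, _int(base), _int(wc)))
    return entries


def matches(entry, source):
    """A wildcard bit of 0 means 'must match'; a bit of 1 means 'ignore'."""
    _, base, wc = entry
    care = ~wc & 0xFFFFFFFF
    return (_int(source) & care) == (base & care)


def evaluate(entries, source):
    """Return (action, entry number) for the first matching ACE."""
    for number, entry in enumerate(entries, start=1):
        if matches(entry, source):
            return entry[0], number
    return "deny", None  # implicit deny at the end of every ACL


def shadowed(entries):
    """List (entry, earlier entry) pairs where the earlier ACE already matches
    every address the later one can match, so the later ACE never fires."""
    found = []
    for j, (_, base_j, wc_j) in enumerate(entries):
        for i, (_, base_i, wc_i) in enumerate(entries[:j]):
            care_i = ~wc_i & 0xFFFFFFFF
            if wc_j & care_i == 0 and (base_j & care_i) == (base_i & care_i):
                found.append((j + 1, i + 1))
                break
    return found


if __name__ == "__main__":
    for name, text in (("10", ACL_10), ("20", ACL_20), ("20 misordered", ACL_20_MISORDERED)):
        acl = parse_standard_acl(text)
        print(f"access list {name}: shadowed entries {shadowed(acl)}")
        for host, addr in HOSTS.items():
            action, number = evaluate(acl, addr)
            where = f"entry {number}" if number else "implicit deny"
            print(f"  {host:5} {addr:15} {action:6} ({where})")
```

Run against the misordered variant, the shadow check flags the PC-A entry as unreachable, which is why Part 2 step e inserts that ACE ahead of the deny.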


Lab 14.2.2.10 - Configuring Extended ACLs - Scenario 1

Topology

Addressing Table

Device  Interface  IP Address    Subnet Mask      Default Gateway
R1      G0/0       172.22.34.65  255.255.255.224  N/A
R1      G0/1       172.22.34.97  255.255.255.240  N/A
R1      G0/2       172.22.34.1   255.255.255.192  N/A
Server  NIC        172.22.34.62  255.255.255.192  172.22.34.1
PC1     NIC        172.22.34.66  255.255.255.224  172.22.34.65
PC2     NIC        172.22.34.98  255.255.255.240  172.22.34.97

Objectives
Part 1: Configure, Apply and Verify an Extended Numbered ACL
Part 2: Configure, Apply and Verify an Extended Named ACL

Background / Scenario
Two employees need access to services provided by the server. PC1 only needs FTP access while PC2 only
needs web access. Both computers are able to ping the server, but not each other.

Configure, Apply and Verify an Extended Numbered ACL

c. Configure an ACL to permit FTP and ICMP.


1. From global configuration mode on R1, enter the following command to determine the first valid number
for an extended access list.


R1(config)# access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
2. Add 100 to the command, followed by a question mark.
R1(config)# access-list 100 ?
deny Specify packets to reject
permit Specify packets to forward
remark Access list entry comment
3. To permit FTP traffic, enter permit, followed by a question mark.
R1(config)# access-list 100 permit ?
ahp Authentication Header Protocol
eigrp Cisco's EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
ip Any Internet Protocol
ospf OSPF routing protocol
tcp Transmission Control Protocol
udp User Datagram Protocol
4. This ACL permits FTP and ICMP. ICMP is listed above, but FTP is not, because FTP uses TCP. So you
enter TCP. Enter tcp to further refine the ACL help.
R1(config)# access-list 100 permit tcp ?
A.B.C.D Source address
any Any source host
host A single source host
5. Notice that we could filter just for PC1 by using the host keyword or we could allow any host. In this case,
any device is allowed that has an address belonging to the 172.22.34.64/27 network. Enter the network
address, followed by a question mark.
R1(config)# access-list 100 permit tcp 172.22.34.64 ?
A.B.C.D Source wildcard bits
6. Calculate the wildcard mask by determining the binary opposite of a subnet mask.
11111111.11111111.11111111.11100000 = 255.255.255.224
00000000.00000000.00000000.00011111 = 0.0.0.31
7. Enter the wildcard mask, followed by a question mark.
R1(config)# access-list 100 permit tcp 172.22.34.64 0.0.0.31 ?
A.B.C.D Destination address
any Any destination host
eq Match only packets on a given port number
gt Match only packets with a greater port number
host A single destination host
lt Match only packets with a lower port number
neq Match only packets not on a given port number
range Match only packets in the range of port numbers


8. Configure the destination address. In this scenario, we are filtering traffic for a single destination, the
server. Enter the host keyword followed by the server’s IP address.
R1(config)# access-list 100 permit tcp 172.22.34.64 0.0.0.31 host 172.22.34.62 ?
dscp Match packets with given dscp value
eq Match only packets on a given port number
established established
gt Match only packets with a greater port number
lt Match only packets with a lower port number
neq Match only packets not on a given port number
precedence Match packets with given precedence value
range Match only packets in the range of port numbers
<cr>
9. Notice that one of the options is <cr> (carriage return). In other words, you can press Enter and the
statement would permit all TCP traffic. However, we are only permitting FTP traffic; therefore, enter the
eq keyword, followed by a question mark to display the available options. Then, enter ftp and press Enter.
R1(config)# access-list 100 permit tcp 172.22.34.64 0.0.0.31 host 172.22.34.62 eq ?
<0-65535> Port number
ftp File Transfer Protocol (21)
pop3 Post Office Protocol v3 (110)
smtp Simple Mail Transport Protocol (25)
telnet Telnet (23)
www World Wide Web (HTTP, 80)
R1(config)# access-list 100 permit tcp 172.22.34.64 0.0.0.31 host 172.22.34.62 eq ftp
10. Create a second access list statement to permit ICMP (ping, etc.) traffic from PC1 to Server. Note that
the access list number remains the same and a specific type of ICMP traffic does not need to be
specified.
R1(config)# access-list 100 permit icmp 172.22.34.64 0.0.0.31 host 172.22.34.62
11. All other traffic is denied, by default.

d. Apply the ACL on the correct interface to filter traffic.


From R1’s perspective, the traffic that ACL 100 applies to is inbound from the network connected to Gigabit
Ethernet 0/0 interface. Enter interface configuration mode and apply the ACL.
R1(config)# interface gigabitEthernet 0/0
R1(config-if)# ip access-group 100 in

e. Verify the ACL implementation.


1. Ping from PC1 to Server. If the pings are unsuccessful, verify the IP addresses before continuing.
2. FTP from PC1 to Server. The username and password are both cisco.
PC>ftp 172.22.34.62
3. Exit the FTP service of the Server.


ftp>quit
4. Ping from PC1 to PC2. The destination host should be unreachable, because the traffic was not explicitly
permitted.

Configure, Apply and Verify an Extended Named ACL

f. Configure an ACL to permit HTTP access and ICMP.


1. Named ACLs start with the ip keyword. From global configuration mode of R1, enter the following
command, followed by a question mark.
R1(config)# ip access-list ?
extended Extended Access List
standard Standard Access List
2. You can configure named standard and extended ACLs. This access list filters both source and
destination IP addresses; therefore, it must be extended. Enter HTTP_ONLY as the name. (For Packet
Tracer scoring, the name is case-sensitive.)
R1(config)# ip access-list extended HTTP_ONLY
3. The prompt changes. You are now in extended named ACL configuration mode. All devices on the PC2
LAN need TCP access. Enter the network address, followed by a question mark.
R1(config-ext-nacl)# permit tcp 172.22.34.96 ?
A.B.C.D Source wildcard bits
4. An alternative way to calculate a wildcard is to subtract the subnet mask from 255.255.255.255.
255.255.255.255
-255.255.255.240
-----------------
=0.0.0.15
R1(config-ext-nacl)# permit tcp 172.22.34.96 0.0.0.15 ?

5. Finish the statement by specifying the server address as you did in Part 1 and filtering www traffic.
R1(config-ext-nacl)# permit tcp 172.22.34.96 0.0.0.15 host 172.22.34.62 eq www
6. Create a second access list statement to permit ICMP (ping, etc.) traffic from PC2 to Server. Note: The
prompt remains the same and a specific type of ICMP traffic does not need to be specified.
R1(config-ext-nacl)# permit icmp 172.22.34.96 0.0.0.15 host 172.22.34.62

7. All other traffic is denied, by default. Exit out of extended named ACL configuration mode.

g. Apply the ACL on the correct interface to filter traffic.


From R1’s perspective, the traffic that access list HTTP_ONLY applies to is inbound from the network
connected to Gigabit Ethernet 0/1 interface. Enter the interface configuration mode and apply the ACL.
R1(config)# interface gigabitEthernet 0/1
R1(config-if)# ip access-group HTTP_ONLY in

h. Verify the ACL implementation.


1. Ping from PC2 to Server. If the pings are unsuccessful, verify the IP addresses before continuing.
2. FTP from PC2 to Server. The connection should fail.


3. Open the web browser on PC2 and enter the IP address of Server as the URL. The connection should be
successful.


Lab 14.2.2.11 - Configuring Extended ACLs - Scenario 2

Topology

Addressing Table

Device  Interface  IP Address     Subnet Mask      Default Gateway
RTA     G0/0       10.101.117.49  255.255.255.248  N/A
RTA     G0/1       10.101.117.33  255.255.255.240  N/A
RTA     G0/2       10.101.117.1   255.255.255.224  N/A
PCA     NIC        10.101.117.51  255.255.255.248  10.101.117.49
PCB     NIC        10.101.117.35  255.255.255.240  10.101.117.33
SWC     VLAN1      10.101.117.2   255.255.255.224  10.101.117.1

Objectives
Part 1: Configure, Apply and Verify an Extended Numbered ACL
Part 2: Reflection Questions

Background / Scenario
In this scenario, devices on one LAN are allowed to remotely access devices in another LAN using the Telnet
protocol. Besides ICMP, all traffic from other networks is denied.

Configure, Apply and Verify an Extended Numbered ACL


Configure, apply and verify an ACL to satisfy the following policy:
• Telnet traffic from devices on the 10.101.117.32/28 network is allowed to devices on the
10.101.117.0/27 network.
• ICMP traffic is allowed from any source to any destination.
• All other traffic to 10.101.117.0/27 is blocked.

a. Configure the extended ACL.


1. From the appropriate configuration mode on RTA, use the last valid extended access list number to
configure the ACL. Use the following steps to construct the first ACL statement:
1. The last extended list number is 199.
2. The protocol is TCP.
3. The source network is 10.101.117.32.
4. The wildcard can be determined by subtracting 255.255.255.240 from 255.255.255.255.
5. The destination network is 10.101.117.0.
6. The wildcard can be determined by subtracting 255.255.255.224 from 255.255.255.255.
7. The protocol is Telnet.
What is the first ACL statement?
access-list 199 permit tcp 10.101.117.32 0.0.0.15 10.101.117.0 0.0.0.31 eq telnet
2. ICMP is allowed, and a second ACL statement is needed. Use the same access list number to permit all
ICMP traffic, regardless of the source or destination address. What is the second ACL statement? (Hint:
Use the any keywords)
access-list 199 permit icmp any any
3. All other IP traffic is denied, by default.

b. Apply the extended ACL.


The general rule is to place extended ACLs close to the source. However, since access list 199 affects traffic
originating from both networks 10.101.117.48/29 and 10.101.117.32/28, the best placement for this ACL might
be on interface Gigabit Ethernet 0/2 in the outbound direction. What is the command to apply ACL 199 to the
Gigabit Ethernet 0/2 interface?
ip access-group 199 out

c. Verify the extended ACL implementation.


1. Ping from PCB to all of the other IP addresses in the network. If the pings are unsuccessful, verify the IP
addresses before continuing.
2. Telnet from PCB to SWC. The password is cisco.
3. Exit the Telnet service of the SWC.
4. Ping from PCA to all of the other IP addresses in the network. If the pings are unsuccessful, verify the IP
addresses before continuing.
5. Telnet from PCA to SWC. The access list causes the router to reject the connection.
6. Telnet from PCA to SWB. The access list is placed on G0/2 and does not affect this connection.
7. After logging into SWB, do not log out. Telnet to SWC.

Reflection Questions
1. How was PCA able to bypass access list 199 and Telnet to SWC? Two steps were used: First, PCA used
Telnet to access SWB. From SWB, Telnet was allowed to SWC.


2. What could have been done to prevent PCA from accessing SWC indirectly, while allowing PCB Telnet
access to SWC? Access list 199 should have been written to deny Telnet traffic from the 10.101.117.48/29
network while permitting ICMP. It should have been placed on G0/0 of RTA.
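
The gap described in reflection question 1 can be checked mechanically. The following Python model is an added example, not part of the lab manual: it evaluates access list 199 as bound to G0/2 outbound, enumerates chained Telnet sessions, then repeats the check with one reading of the answer to question 2. SWB's address (10.101.117.34), the inbound direction on G0/0 and the exact wording of the revised list are assumptions, since the page does not give them.

```python
import ipaddress

PORTS = {"telnet": 23, "ftp": 21, "www": 80}
# RTA interfaces and their networks, from the addressing table.
INTERFACES = {"G0/0": "10.101.117.48/29", "G0/1": "10.101.117.32/28",
              "G0/2": "10.101.117.0/27"}
# SWB's address is an assumption; the page does not list it.
HOSTS = {"PCA": "10.101.117.51", "PCB": "10.101.117.35",
         "SWB": "10.101.117.34", "SWC": "10.101.117.2"}
TELNET_SERVERS = ("SWB", "SWC")

ACL_199 = """
access-list 199 permit tcp 10.101.117.32 0.0.0.15 10.101.117.0 0.0.0.31 eq telnet
access-list 199 permit icmp any any
"""
# Assumed wording for the list described in the answer to reflection question 2.
ACL_199_REVISED = """
access-list 199 deny tcp 10.101.117.48 0.0.0.7 any eq telnet
access-list 199 permit icmp any any
"""


def _int(addr):
    return int(ipaddress.IPv4Address(addr))


def _addr_spec(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD' and return (base, wildcard)."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _int(tok.pop(0)), 0
    return _int(first), _int(tok.pop(0))


def parse_extended_acl(text):
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()[2:]  # drop 'access-list <number>'
        action, proto = tok.pop(0), tok.pop(0)
        src, dst = _addr_spec(tok), _addr_spec(tok)
        port = None
        if tok and tok[0] == "eq":
            port = PORTS.get(tok[1]) or int(tok[1])
        aces.append((action, proto, src, dst, port))
    return aces


def _hit(spec, addr):
    base, wc = spec
    care = ~wc & 0xFFFFFFFF
    return (_int(addr) & care) == (base & care)


def acl_permits(aces, proto, src, dst, dport=None):
    for action, a_proto, a_src, a_dst, a_port in aces:
        if a_proto not in ("ip", proto):
            continue
        if a_port is not None and a_port != dport:
            continue
        if _hit(a_src, src) and _hit(a_dst, dst):
            return action == "permit"
    return False  # implicit deny


def _iface_for(addr):
    ip = ipaddress.IPv4Address(addr)
    for name, net in INTERFACES.items():
        if ip in ipaddress.ip_network(net):
            return name
    return None


def forwarded(bindings, proto, src, dst, dport=None):
    """bindings maps (interface, 'in'|'out') to parsed ACEs. Only the
    client-to-server direction is checked, as in the lab's tests."""
    ingress, egress = _iface_for(src), _iface_for(dst)
    if ingress == egress:
        return True  # same LAN: the packet never crosses RTA
    for key in ((ingress, "in"), (egress, "out")):
        if key in bindings and not acl_permits(bindings[key], proto, src, dst, dport):
            return False
    return True


def telnet_paths(bindings, start, target):
    """Every loop-free chain of Telnet sessions from start to target."""
    paths, stack = [], [[start]]
    while stack:
        path = stack.pop()
        for name in TELNET_SERVERS:
            if name in path:
                continue
            if not forwarded(bindings, "tcp", HOSTS[path[-1]], HOSTS[name], 23):
                continue
            if name == target:
                paths.append(path + [name])
            else:
                stack.append(path + [name])
    return sorted(paths)


if __name__ == "__main__":
    as_built = {("G0/2", "out"): parse_extended_acl(ACL_199)}
    revised = {("G0/0", "in"): parse_extended_acl(ACL_199_REVISED)}
    for label, bindings in (("as built", as_built), ("revised", revised)):
        for client in ("PCA", "PCB"):
            print(label, client, "->", "SWC:", telnet_paths(bindings, client, "SWC"))
```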

Suggested Scoring Rubric

Activity Section                          Question Location  Possible Points  Earned Points
Part 1: Configure, Apply and Verify an    Step 1a            4
Extended Numbered ACL                     Step 1b            4
                                          Step 2             4
Part 1 Total                                                 12
Part 2: Reflection Questions              Question 1         4
                                          Question 2         4
Part 2 Total                                                 8
Packet Tracer Score                                          80
Total Score                                                  100


Lab 14.2.2.12 - Configuring Extended ACLs - Scenario 3

Topology

Addressing Table

Device   Interface  IP Address      Subnet Mask      Default Gateway
RT1      G0/0       172.31.1.126    255.255.255.224  N/A
RT1      S0/0/0     209.165.1.2     255.255.255.252  N/A
PC1      NIC        172.31.1.101    255.255.255.224  172.31.1.126
PC2      NIC        172.31.1.102    255.255.255.224  172.31.1.126
PC3      NIC        172.31.1.103    255.255.255.224  172.31.1.126
Server1  NIC        64.101.255.254  255.254.0.0      64.100.1.1
Server2  NIC        64.103.255.254  255.254.0.0      64.102.1.1

Objectives
Part 1: Configure a Named Extended ACL
Part 2: Apply and Verify the Extended ACL

Background / Scenario
In this scenario, specific devices on the LAN are allowed access to various services on servers located on the
Internet.

Configure a Named Extended ACL


Use one named ACL to implement the following policy:
• Block HTTP and HTTPS access from PC1 to Server1 and Server2. The servers are inside the cloud
and you only know their IP addresses.
• Block FTP access from PC2 to Server1 and Server2.
• Block ICMP access from PC3 to Server1 and Server2.
Note: For scoring purposes, you must configure the statements in the order specified in the following steps.

a. Deny PC1 to access HTTP and HTTPS services on Server1 and Server2.
1. Create an extended IP access list named ACL which will deny PC1 access to the HTTP and HTTPS
services of Server1 and Server2. Because it is impossible to directly observe the subnet of servers on
the Internet, four rules are required.
What is the command to begin the named ACL?
ip access-list extended ACL
2. Record the statement that denies access from PC1 to Server1, only for HTTP (port 80).
deny tcp host 172.31.1.101 host 64.101.255.254 eq 80
3. Record the statement that denies access from PC1 to Server1, only for HTTPS (port 443).
deny tcp host 172.31.1.101 host 64.101.255.254 eq 443
4. Record the statement that denies access from PC1 to Server2, only for HTTP.
deny tcp host 172.31.1.101 host 64.103.255.254 eq 80
5. Record the statement that denies access from PC1 to Server2, only for HTTPS.
deny tcp host 172.31.1.101 host 64.103.255.254 eq 443

b. Deny PC2 to access FTP services on Server1 and Server2.


1. Record the statement that denies access from PC2 to Server1, only for FTP (port 21 only).
deny tcp host 172.31.1.102 host 64.101.255.254 eq 21
2. Record the statement that denies access from PC2 to Server2, only for FTP (port 21 only).
deny tcp host 172.31.1.102 host 64.103.255.254 eq 21

c. Deny PC3 to ping Server1 and Server2.


1. Record the statement that denies ICMP access from PC3 to Server1.
deny icmp host 172.31.1.103 host 64.101.255.254
2. Record the statement that denies ICMP access from PC3 to Server2.
deny icmp host 172.31.1.103 host 64.103.255.254

d. Permit all other IP traffic.


By default, an access list denies all traffic that does not match any rule in the list. What command permits all
other traffic?
permit ip any any

Apply and Verify the Extended ACL


The traffic to be filtered is coming from the 172.31.1.96/27 network and is destined for remote networks.
Appropriate ACL placement also depends on the relationship of the traffic with respect to RT1.


e. Apply the ACL to the correct interface and in the correct direction.
1. What are the commands you need to apply the ACL to the correct interface and in the correct direction?
interface g0/0
ip access-group ACL in

f. Test access for each PC.


1. Access the websites of Server1 and Server2 using the Web Browser of PC1 and using both HTTP and
HTTPS protocols.
2. Access FTP of Server1 and Server2 using PC1. The username and password are both “cisco”.
3. Ping Server1 and Server2 from PC1.
4. Repeat Step 2a to Step 2c with PC2 and PC3 to verify proper access list operation.


Lab 14.3.2.6 - Configuring IPv6 ACLs

Topology

Addressing Table

Device Interface IPv6 Address/Prefix Default Gateway

Server3 NIC 2001:DB8:1:30::30/64 FE80::30

Objectives
Part 1: Configure, Apply, and Verify an IPv6 ACL
Part 2: Configure, Apply, and Verify a Second IPv6 ACL

Configure, Apply, and Verify an IPv6 ACL


Logs indicate that a computer on the 2001:DB8:1:11::0/64 network is repeatedly refreshing their web page,
causing a Denial-of-Service (DoS) attack against Server3. Until the client can be identified and cleaned, you
must block HTTP and HTTPS access to that network with an access list.

a. Configure an ACL that will block HTTP and HTTPS access.


Configure an ACL named BLOCK_HTTP on R1 with the following statements.
1. Block HTTP and HTTPS traffic from reaching Server3.
R1(config-ipv6-acl)# deny tcp any host 2001:DB8:1:30::30 eq www
R1(config-ipv6-acl)# deny tcp any host 2001:DB8:1:30::30 eq 443
2. Allow all other IPv6 traffic to pass.
R1(config-ipv6-acl)# permit ipv6 any any


b. Apply the ACL to the correct interface.


Apply the ACL on the interface closest to the source of the traffic to be blocked.
R1(config)# interface GigabitEthernet0/1
R1(config-if)# ipv6 traffic-filter BLOCK_HTTP in

c. Verify the ACL implementation.


Verify the ACL is operating as intended by conducting the following tests:
• Open the web browser of PC1 to http://2001:DB8:1:30::30 or https://2001:DB8:1:30::30. The website
should appear.
• Open the web browser of PC2 to http://2001:DB8:1:30::30 or https://2001:DB8:1:30::30. The website
should be blocked.
• Ping from PC2 to 2001:DB8:1:30::30. The ping should be successful.

Configure, Apply, and Verify a Second IPv6 ACL


The logs now indicate that your server is receiving pings from many different IPv6 addresses in a Distributed
Denial of Service (DDoS) attack. You must filter ICMP ping requests to your server.

d. Create an access list to block ICMP.


Configure an ACL named BLOCK_ICMP on R3 with the following statements:
1. Block all ICMP traffic from any hosts to any destination.
R3(config-ipv6-acl)# deny icmp any any
2. Allow all other IPv6 traffic to pass.
R3(config-ipv6-acl)# permit ipv6 any any

e. Apply the ACL to the correct interface.


In this case, ICMP traffic can come from any source. To ensure that ICMP traffic is blocked regardless of its
source or changes that occur to the network topology, apply the ACL closest to the destination.
R3(config)# interface GigabitEthernet0/0
R3(config-if)# ipv6 traffic-filter BLOCK_ICMP out

f. Verify that the proper access list functions.


1. Ping from PC2 to 2001:DB8:1:30::30. The ping should fail.
2. Ping from PC1 to 2001:DB8:1:30::30. The ping should fail.
Open the web browser of PC1 to http://2001:DB8:1:30::30 or https://2001:DB8:1:30::30. The website
should display.


Lab 14.4.2.9 - Troubleshooting IPv4 ACLs

Topology

Addressing Table

Device   Interface  IP Address      Subnet Mask    Default Gateway
R1       G0/0       10.0.0.1        255.0.0.0      N/A
R1       G0/1       172.16.0.1      255.255.0.0    N/A
R1       G0/2       192.168.0.1     255.255.255.0  N/A
Server1  NIC        172.16.255.254  255.255.0.0    172.16.0.1
Server2  NIC        192.168.0.254   255.255.255.0  192.168.0.1
Server3  NIC        10.255.255.254  255.0.0.0      10.0.0.1
L1       NIC        172.16.0.2      255.255.0.0    172.16.0.1
L2       NIC        192.168.0.2     255.255.255.0  192.168.0.1
L3       NIC        10.0.0.2        255.0.0.0      10.0.0.1

Objectives
Part 1: Troubleshoot ACL Issue 1
Part 2: Troubleshoot ACL Issue 2
Part 3: Troubleshoot ACL Issue 3


Scenario
This network is meant to have the following three policies implemented:
• Hosts from the 192.168.0.0/24 network are unable to access any TCP service of Server3.
• Hosts from the 10.0.0.0/8 network are unable to access the HTTP service of Server1.
• Hosts from the 172.16.0.0/16 network are unable to access the FTP service of Server2.
Note: All FTP usernames and passwords are “cisco”.
No other restrictions should be in place. Unfortunately, the rules that have been implemented are not working
correctly. Your task is to find and fix the errors related to the access lists on R1.

Troubleshoot ACL Issue 1


Hosts from the 192.168.0.0/24 network are intentionally unable to access any TCP service of Server3, but
should not be otherwise restricted.

a. Determine the ACL problem.


As you perform the following tasks, compare the results to what you would expect from the ACL.
1. Using L2, attempt to access FTP and HTTP services of Server1, Server2, and Server3.
2. Using L2, ping Server1, Server2, and Server3.
3. Using L2, ping G0/2 of R1.
4. View the running configuration on R1. Examine access list 192_to_10 and its placement on the interfaces.
Is the access list placed on the correct interface and in the correct direction? Is there any statement in the
list that permits or denies traffic to other networks? Are the statements in the correct order?
5. Perform other tests, as necessary.

b. Implement a solution.
Make an adjustment to access list 192_to_10 to fix the problem.

c. Verify that the problem is resolved and document the solution.


If the problem is resolved, document the solution; otherwise return to Step 1.
No traffic is getting through because of the implicit deny any. Added a permit ip any any to the ACL.

Troubleshoot ACL Issue 2


Hosts from the 10.0.0.0/8 network are intentionally unable to access the HTTP service of Server1, but should
not be otherwise restricted.

d. Determine the ACL problem.


As you perform the following tasks, compare the results to what you would expect from the ACL.
1. Using L3, attempt to access FTP and HTTP services of Server1, Server2, and Server3.
2. Using L3, ping Server1, Server2, and Server3.


3. View the running configuration on R1. Examine access list 10_to_172 and its placement on the interfaces.
Is the access list placed on the correct interface and in the correct direction? Is there any statement in the
list that permits or denies traffic to other networks? Are the statements in the correct order?
4. Run other tests as necessary.

e. Implement a solution.
Make an adjustment to access list 10_to_172 to fix the problem.

f. Verify the problem is resolved and document the solution.


If the problem is resolved, document the solution; otherwise return to Step 1.
ACL was applied outbound on G0/0. Removed as outbound and applied as inbound on G0/0.

Troubleshoot ACL Issue 3


Hosts from the 172.16.0.0/16 network are intentionally unable to access the FTP service of Server2, but
should not be otherwise restricted.

a. Determine the ACL problem.


As you perform the following tasks, compare the results to the expectations of the ACL.
1. Using L1, attempt to access FTP and HTTP services of Server1, Server2, and Server3.
2. Using L1, ping Server1, Server2, and Server3.
3. View the running configuration on R1. Examine access list 172_to_192 and its placement on the
interfaces. Is the access list placed on the correct port in the correct direction? Is there any statement in
the list that permits or denies traffic to other networks? Are the statements in the correct order?
4. Run other tests as necessary.

b. Implement a solution.
Make an adjustment to access list 172_to_192 to fix the problem.

c. Verify the problem is resolved and document the solution.


If the problem is resolved, document the solution; otherwise return to Step 1.
All traffic is allowed through because the order of the statements is wrong. Reorder the statements so that the
permit ip any any is the second statement.


Suggested Scoring Rubric

Question Location     Possible Points  Earned Points
Documentation Score   10
Packet Tracer Score   90
Total Score           100


Lab 14.4.2.10 – Troubleshooting IPv6 ACLs

Topology

Addressing Table

Device   Interface  IPv6 Address / Prefix     Default Gateway
R1       G0/0       2001:DB8:CAFE::1/64       N/A
R1       G0/1       2001:DB8:CAFE:1::1/64     N/A
R1       G0/2       2001:DB8:CAFE:2::1/64     N/A
PC0      NIC        2001:DB8:CAFE::2/64       FE80::1
Server1  NIC        2001:DB8:CAFE:1::2/64     FE80::1
Server2  NIC        2001:DB8:CAFE:2::2/64     FE80::1
L0       NIC        2001:DB8:CAFE::3/64       FE80::1
L1       NIC        2001:DB8:CAFE:1::3/64     FE80::1
L2       NIC        2001:DB8:CAFE:2::3/64     FE80::1

Objectives
Part 1: Troubleshoot HTTP Access
Part 2: Troubleshoot FTP Access
Part 3: Troubleshoot SSH Access


Scenario
The following three policies have been implemented on the network:
• Hosts from the 2001:DB8:CAFE::/64 network do not have HTTP access to the other networks.
• Hosts from the 2001:DB8:CAFE:1::/64 network are prevented from access to the FTP service on Server2.
• Hosts from the 2001:DB8:CAFE:1::/64 and 2001:DB8:CAFE:2::/64 networks are prevented from
accessing R1 via SSH.
No other restrictions should be in place. Unfortunately, the rules that have been implemented are not working
correctly. Your task is to find and fix the errors related to the access lists on R1.
Note: To access R1 and the FTP servers, use the username user01 and password user01pass.

Troubleshoot HTTP Access


Hosts from the 2001:DB8:CAFE::/64 network are intentionally unable to access the HTTP service, but should
not be otherwise restricted.

a. Determine the ACL problem.


As you perform the following tasks, compare the results to what you would expect from the ACL.
1. Using L0, L1, and L2, attempt to access HTTP services of Server1 and Server2.
2. Using L0, ping Server1 and Server2.
3. Using PC0, access the HTTPS services of Server1 and Server2.
4. View the running configuration on R1. Examine access list G0-ACCESS and its placement on the
interfaces. Is the access list placed on the correct interface and in the correct direction? Is there any
statement in the list that permits or denies traffic to other networks? Are the statements in the correct
order?
5. Run other tests as necessary.

b. Implement a solution.
Make adjustments to access lists to fix the problem.
R1(config)# ipv6 access-list G0-ACCESS
R1(config-ipv6-acl)# permit ipv6 any any

c. Verify the problem is resolved and document the solution.


If the problem is resolved, document the solution; otherwise return to Step 1.
No traffic is getting through because of the implicit deny any. Added a permit ipv6 any any to the G0-ACCESS.

Troubleshoot FTP Access


Hosts from the 2001:DB8:CAFE:1::/64 network are prevented from accessing the FTP service of Server2, but
no other restriction should be in place.

d. Determine the ACL problem.


As you perform the following tasks, compare the results to the expectations of the ACL.
1. Using L0, L1, and L2, attempt to access FTP service of Server2.


PC>ftp 2001:db8:cafe:2::2
2. View the running configuration on R1. Examine access list G1-ACCESS and its placement on the
interfaces. Is the access list placed on the correct port in the correct direction? Is there any statement in
the list that permits or denies traffic to other networks? Are the statements in the correct order?
3. Run other tests as necessary.

e. Implement a solution.
Make adjustments to access lists to fix the problem.
R1(config)# interface GigabitEthernet0/1
R1(config-if)# no ipv6 traffic-filter G1-ACCESS out
R1(config-if)# ipv6 traffic-filter G1-ACCESS in

f. Verify the problem is resolved and document the solution.


If the problem is resolved, document the solution; otherwise return to Step 1.
G1-ACCESS was applied outbound on G0/1. Removed as outbound and applied as inbound on G0/1.

Troubleshoot SSH Access


Only the hosts from 2001:DB8:CAFE::/64 network are permitted remote access to R1 via SSH.

g. Determine the ACL problem.


As you perform the following tasks, compare the results to what you would expect from the ACL.
1. From L0 or PC0, verify SSH access to R1.
2. Using L1 and L2, attempt to access R1 via SSH.
3. View the running configuration on R1. Examine access lists and their placements on the interfaces. Is the
access list placed on the correct interface and in the correct direction? Is there any statement in the list
that permits or denies traffic to other networks? Are the statements in the correct order?
4. Perform other tests, as necessary.

h. Implement a solution.
Make adjustments to access lists to fix the problem.
R1(config)# no ipv6 access-list G2-ACCESS
R1(config)# ipv6 access-list G2-ACCESS
R1(config-ipv6-acl)# deny tcp 2001:DB8:CAFE:2::/64 any eq 22
R1(config-ipv6-acl)# permit ipv6 any any

i. Verify that the problem is resolved and document the solution.


If the problem is resolved, document the solution; otherwise return to Step 1.
The access list G2-ACCESS allows all traffic because the order of the statements is wrong. Reorder the
statements so that the permit ipv6 any any is the second statement.


Suggested Scoring Rubric

Question Location     Possible Points  Earned Points
Documentation Score   10
Packet Tracer Score   90
Total Score           100

Script

R1 Configuration
ipv6 access-list G0-ACCESS
permit ipv6 any any
no ipv6 access-list G2-ACCESS
ipv6 access-list G2-ACCESS
deny tcp 2001:DB8:CAFE:2::/64 any eq 22
permit ipv6 any any
interface GigabitEthernet0/1
no ipv6 traffic-filter G1-ACCESS out
ipv6 traffic-filter G1-ACCESS in
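
The three faults fixed in this lab, and in the IPv4 ACL troubleshooting lab before it (no permit ahead of the implicit deny, ACL bound in the wrong direction, permit placed ahead of the deny), can be reproduced with a small first-match evaluator. This is an added example, not part of the lab manual: the "before" ACL bodies are constructed assumptions, while the fixes, interface names and addresses come from the page.

```python
import ipaddress

ANY = ipaddress.ip_network("::/0")
# R1 interfaces and attached prefixes, from the lab's Addressing Table.
R1_LANS = {
    "G0/0": ipaddress.ip_network("2001:DB8:CAFE::/64"),
    "G0/1": ipaddress.ip_network("2001:DB8:CAFE:1::/64"),
    "G0/2": ipaddress.ip_network("2001:DB8:CAFE:2::/64"),
}
L0, L1, L2 = "2001:DB8:CAFE::3", "2001:DB8:CAFE:1::3", "2001:DB8:CAFE:2::3"
SERVER1, SERVER2 = "2001:DB8:CAFE:1::2", "2001:DB8:CAFE:2::2"
R1_G02 = "2001:DB8:CAFE:2::1"

# Constructed "before" ACLs (assumptions); the page documents only the fixes.
G0_BROKEN = ["deny tcp 2001:DB8:CAFE::/64 any eq 80"]
G0_FIXED = G0_BROKEN + ["permit ipv6 any any"]
G1 = ["deny tcp 2001:DB8:CAFE:1::/64 2001:DB8:CAFE:2::2/128 eq 21",
      "permit ipv6 any any"]
G2_BROKEN = ["permit ipv6 any any", "deny tcp 2001:DB8:CAFE:2::/64 any eq 22"]
G2_FIXED = list(reversed(G2_BROKEN))  # the order given in the page's fix


def parse_ace(line):
    """Parse '<action> <proto> <src> <dst> [eq <port>]', a subset of IOS syntax."""
    tok = line.split()
    nets = [ANY if t == "any" else ipaddress.ip_network(t) for t in tok[2:4]]
    port = int(tok[5]) if len(tok) == 6 and tok[4] == "eq" else None
    return tok[0], tok[1], nets[0], nets[1], port


def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, matching line number); the first matching entry wins.

    Falling off the end is the implicit 'deny ipv6 any any'. The implicit
    neighbor-discovery permits of IOS IPv6 ACLs are not modelled here.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for number, line in enumerate(acl, 1):
        action, ace_proto, s_net, d_net, port = parse_ace(line)
        if (ace_proto in ("ipv6", proto) and src in s_net and dst in d_net
                and port in (None, dport)):
            return action, number
    return "deny", None


def port_of(addr):
    """R1 interface whose LAN contains addr."""
    ip = ipaddress.ip_address(addr)
    return next(name for name, lan in R1_LANS.items() if ip in lan)


def forwarded(bindings, acls, proto, src, dst, dport=None):
    """Routed packet: inbound ACL on the ingress port, outbound ACL on egress."""
    for hop in ((port_of(src), "in"), (port_of(dst), "out")):
        name = bindings.get(hop)
        if name and evaluate(acls[name], proto, src, dst, dport)[0] == "deny":
            return False
    return True


if __name__ == "__main__":
    acls = {"G1-ACCESS": G1}
    print(evaluate(G0_BROKEN, "icmp", L0, SERVER1))       # implicit deny
    print(evaluate(G2_BROKEN, "tcp", L2, R1_G02, 22))     # permit shadows deny
    print(forwarded({("G0/1", "out"): "G1-ACCESS"}, acls, "tcp", L1, SERVER2, 21))
    print(forwarded({("G0/1", "in"): "G1-ACCESS"}, acls, "tcp", L1, SERVER2, 21))
```

With G1-ACCESS bound outbound on G0/1, FTP from L1 to Server2 never reaches the ACL, because that packet enters R1 on G0/1 and leaves on G0/2.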


Lab 18.2.4.12 – Troubleshooting Enterprise Networks 1

Topology


Addressing Table

Device       Interface  IP Address      Subnet Mask      Default Gateway
R1           S0/0/0     10.1.1.1        255.255.255.252  N/A
R1           S0/0/1     10.3.3.1        255.255.255.252  N/A
R2           G0/0       192.168.40.1    255.255.255.0    N/A
R2           G0/1       DHCP assigned   DHCP assigned    N/A
R2           S0/0/0     10.1.1.2        255.255.255.252  N/A
R2           S0/0/1     10.2.2.1        255.255.255.252  N/A
R3           G0/0.10    192.168.10.1    255.255.255.0    N/A
R3           G0/0.20    192.168.20.1    255.255.255.0    N/A
R3           G0/0.30    192.168.30.1    255.255.255.0    N/A
R3           G0/0.88    192.168.88.1    255.255.255.0    N/A
R3           S0/0/0     10.3.3.2        255.255.255.252  N/A
R3           S0/0/1     10.2.2.2        255.255.255.252  N/A
S1           VLAN 88    192.168.88.2    255.255.255.0    192.168.88.1
S2           VLAN 88    192.168.88.3    255.255.255.0    192.168.88.1
S3           VLAN 88    192.168.88.4    255.255.255.0    192.168.88.1
PC1          NIC        DHCP assigned   DHCP assigned    DHCP assigned
PC2          NIC        DHCP assigned   DHCP assigned    DHCP assigned
PC3          NIC        DHCP assigned   DHCP assigned    DHCP assigned
TFTP Server  NIC        192.168.40.254  255.255.255.0    192.168.40.1

Background
This activity uses a variety of technologies you have encountered during your CCNA studies, including VLANs,
STP, routing, inter-VLAN routing, DHCP, NAT, and PPP. Your task is to review the requirements, isolate and
resolve any issues, and then document the steps you took to verify the requirements.

Requirements
VLANs and Access
• S2 is the spanning-tree root for VLAN 1, 10, and 20. S3 is the spanning-tree root for VLAN 30 and 88.
• The trunk links connecting the switches are in native VLAN 99.
• R3 is responsible for inter-VLAN routing and serves as the DHCP server for VLANs 10, 20, and 30.
Routing
• Each router is configured with EIGRP and uses AS 22.
• R2 is configured with a default route pointing to the ISP and redistributes the default route.
• NAT is configured on R2 and no untranslated addresses are permitted to cross the Internet.


WAN Technologies
• The serial link between R1 and R2 uses Frame Relay.
• The serial link between R2 and R3 uses HDLC encapsulation.
• The serial link between R1 and R3 uses PPP with CHAP.
Connectivity
• Devices should be configured according to the Addressing Table.
• Every device should be able to ping every other device.

Troubleshooting Documentation

Device: R1
Problem: R1 and R2 are not forming an adjacency
Solution:
interface Serial0/0/0
encapsulation frame-relay

Device: R1
Problem: Username and passwords are incorrect
Solution:
username R3 password 0 ciscoccna

Device: R2
Problem: TFTP Server cannot ping the Outside Host
Solution:
interface g0/0
no ip nat outside
ip nat inside
interface g0/1
ip nat outside

Device: R2
Problem: Default route is pointing to the incorrect interface
Solution:
no ip route 0.0.0.0 0.0.0.0 g0/0
ip route 0.0.0.0 0.0.0.0 g0/1

Device: S1
Problem: Native VLAN mismatch
Solution:
interface range fa0/1-4
switchport trunk native vlan 99

Device: S2
Problem: This switch is not the root bridge for VLANs 1, 10, and 20
Solution:
spanning-tree vlan 1,10,20 root primary

Device: S3
Problem: The PCs do not pull a DHCP address
Solution:
interface g0/1
switchport mode trunk

Verification Documentation
Capture output from verification commands and provide documentation proving that each of the requirements has
been satisfied.

Suggested Scoring Rubric


Packet Tracer scores 60 points. The troubleshooting documentation and instructor verification is worth 40 points.


Lab 18.2.4.13 – Troubleshooting Enterprise Networks 2

Topology


Addressing Table

Device        Interface  IPv6 Address/Prefix        Default Gateway
R1            G0/0       2001:DB8:ACAD:A::1/64      N/A
R1            S0/0/0     2001:DB8:ACAD:12::1/64     N/A
R1            S0/0/1     2001:DB8:ACAD:31::1/64     N/A
R2            G0/0       2001:DB8:CC1E:A::1/64      N/A
R2            G0/1       2001:DB8:ACAD:F::2/64      N/A
R2            S0/0/0     2001:DB8:ACAD:12::2/64     N/A
R2            S0/0/1     2001:DB8:ACAD:23::2/64     N/A
R3            G0/0       2001:DB8:CAFE:2::1/64      N/A
R3            G0/1       2001:DB8:CAFE:3::1/64      N/A
R3            S0/0/0     2001:DB8:ACAD:31::2/64     N/A
R3            S0/0/1     2001:DB8:ACAD:23::1/64     N/A
Admin_PC1     NIC        2001:DB8:CAFE:2::2/64      FE80::3
Admin_PC2     NIC        2001:DB8:CAFE:3::2/64      FE80::3
Host_A        NIC        DHCP Assigned              DHCP Assigned
Host_B        NIC        DHCP Assigned              DHCP Assigned
TFTP Server   NIC        2001:DB8:CC1E:A::2/64      FE80::2
Outside Host  NIC        2001:DB8:CC1E:F::1/64      FE80::4

Background
This activity uses IPv6 configurations that include DHCPv6, EIGRPv6, and IPv6 default routing. Your task is to
review the requirements, isolate and resolve any issues, and then document the steps you took to verify the
requirements.

Requirements
DHCPv6
• Host_A and Host_B are assigned through IPv6 DHCP configured on R1.
IPv6 Routing
• Each router is configured with IPv6 EIGRP and uses AS 100.
• R3 is advertising a summary route to R2 and R1 for the two R3 LANs.
• R2 is configured with a fully specified default route pointing to the ISP.
Connectivity
• Devices should be configured according to the Addressing Table.
• Every device should be able to ping every other device.


Troubleshooting Documentation

Device: R1
Error: Host_A and Host_B do not get addressing from R1 because the IPv6 DHCPv6 pool is not assigned under the G0/0 interface.
Correction:
interface g0/0
ipv6 dhcp server R1_LAN

Device: R1
Error: Interface S0/0/1 is configured with the wrong IPv6 address.
Correction:
int s0/0/1
no ipv6 address 2001:DB8:ACAD:32::1/64
ipv6 address 2001:DB8:ACAD:31::1/64

Device: R1
Error: S3 is connected to the wrong interface of R1.
Correction: Switch the cable in the topology from G0/1 to G0/0

Device: R2
Error: The default route has the incorrect next-hop address configured.
Correction:
no ipv6 route ::/0 GigabitEthernet0/0 2001:DB8:ACAD:F::
ipv6 route ::/0 GigabitEthernet0/1 2001:DB8:ACAD:F::1

Device: R2
Error: IPv6 EIGRP is configured with the wrong autonomous system.
Correction:
int g0/0
no ipv6 eigrp 1000
ipv6 eigrp 100

Device: R3
Error: IPv6 EIGRP 100 is shutdown.
Correction:
ipv6 router eigrp 100
no shutdown

Device: R3
Error: EIGRP summary address is incorrectly advertised on S0/0/1.
Correction:
int s0/0/0
no ipv6 summary-address eigrp 100 2001:DB8:CAFE::/65 5
ipv6 summary-address eigrp 100 2001:DB8:CAFE:2::/63 5
int s0/0/1
no ipv6 summary-address eigrp 100 2001:DB8:CAFE::/65 5
ipv6 summary-address eigrp 100 2001:DB8:CAFE:2::/63 5

Verification Documentation
Capture output from verification commands and provide documentation proving that each of the requirements has
been satisfied.
Note: Some EIGRPv6 commands are not scored in Packet Tracer v6.0.1. Your instructor will verify that all
requirements are met.

Suggested Scoring Rubric


Packet Tracer scores 50 points. The troubleshooting documentation and instructor verification is worth 50 points.


Lab 18.2.4.14 – Troubleshooting Enterprise Networks 3

Topology


Addressing Table

Device       Interface  IP Address       Subnet Mask      Default Gateway
R1           G0/0       192.168.10.1     255.255.255.0    N/A
R1           S0/0/0     10.1.1.1         255.255.255.252  N/A
R1           S0/0/1     10.3.3.1         255.255.255.252  N/A
R2           G0/0       209.165.200.225  255.255.255.224  N/A
R2           G0/1       192.168.20.1     255.255.255.0    N/A
R2           S0/0/0     10.1.1.2         255.255.255.252  N/A
R2           S0/0/1     10.2.2.1         255.255.255.252  N/A
R3           G0/1       192.168.30.1     255.255.255.0    N/A
R3           S0/0/0     10.3.3.2         255.255.255.252  N/A
R3           S0/0/1     10.2.2.2         255.255.255.252  N/A
S1           VLAN10     DHCP assigned    DHCP assigned    DHCP assigned
S2           VLAN11     192.168.11.2     255.255.255.0    N/A
S3           VLAN30     192.168.30.2     255.255.255.0    N/A
PC1          NIC        DHCP assigned    DHCP assigned    DHCP assigned
PC2          NIC        192.168.30.10    255.255.255.0    192.168.30.1
TFTP Server  NIC        192.168.20.254   255.255.255.0    192.168.20.1

Background
This activity uses a variety of technologies you have encountered during your CCNA studies, including routing,
port security, EtherChannel, DHCP, NAT, PPP, and Frame Relay. Your task is to review the requirements, isolate
and resolve any issues, and then document the steps you took to verify the requirements.
Note: This activity begins with a partial score.

Requirements
DHCP
• R1 is the DHCP server for the R1 LAN.
Switching Technologies
• Port security is configured to only allow PC1 to access S1's F0/3 interface. All violations should disable
the interface.
• Link aggregation using EtherChannel is configured on S2, S3, and S4.
Routing
• All routers are configured with OSPF process ID 1 and no routing updates should be sent across
interfaces that do not have routers connected.
• R2 is configured with a default route pointing to the ISP and redistributes the default route.
• NAT is configured on R2 and no untranslated addresses are permitted to cross the Internet.


WAN Technologies
• The serial link between R1 and R2 uses Frame Relay.
• The serial link between R2 and R3 uses HDLC encapsulation.
• The serial link between R1 and R3 uses PPP with PAP.
Connectivity
• Devices should be configured according to the Addressing Table.
• Every device should be able to ping every other device.


Troubleshooting Documentation

Device: R1
Error: There is an incorrect default gateway in DHCP pool
Correction:
ip dhcp pool Access
default-router 192.168.10.1

Device: R1
Error: The default route propagation should not be configured on this router
Correction:
router ospf 1
no default-information originate

Device: R2
Error: The default route propagation should be configured on this router
Correction:
router ospf 1
default-information originate

Device: R2
Error: Incorrect encapsulation on S0/0/1
Correction:
interface s0/0/1
encapsulation hdlc

Device: R3
Error: R3 is not forming an adjacency with R1 and R2
Correction:
router ospf 1
no passive-interface default
passive-interface g0/1

Device: S1
Error: Port security was configured on the incorrect interface
Correction:
interface FastEthernet0/3
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security mac-address sticky

Device: S3
Error: Interface G1/1 switchport is not configured as a trunk port
Correction:
interface g1/1
switchport mode trunk

Device: S4
Error: Port channels are configured incorrectly
Correction:
interface range f0/1-2
no channel-group 3 mode auto
channel-group 2 mode auto
interface range f0/3-4
no channel-group 2 mode auto
channel-group 3 mode auto


Verification Documentation
Capture output from verification commands and provide documentation proving that each of the requirements has
been satisfied.

Suggested Scoring Rubric


Packet Tracer scores 60 points. The troubleshooting documentation and instructor verification is worth 40 points.
