Routing commands
Contents
Week 1
  Part 1: Configure Basic Device Configuration on S1
  Part 2: Configure SSH on R1 as a Secure Remote Access Method.
    Step 1: Set the IP domain name and generate secure keys.
    Step 2: Create an SSH user and reconfigure the VTY lines for SSH-only access.
  Part 3: Configure IPv4 Addressing and Verify Connectivity
    Step 1: Assign IPv4 addresses to R1 and LAN devices.
    Step 2: Verify connectivity. PC1 and PC2 should be able to ping each other.
  Part 4: Configure IPv6 Addressing and Verify Connectivity
    Step 1: Assign IPv6 addresses to R1 and LAN devices. Referring to the Addressing Table, configure IPv6 addressing for R1 LAN interfaces, PC-A and PC-B.
    Step 2: Verify connectivity. PC-A and PC-B should be able to ping each other.
Week 2
  Part 1: Configure VLANs
  Part 2: Assign Ports to VLANs
  Part 3: Configure Static Trunking
  Part 4: Configure End Devices with IP Addresses
  Part 5: Configure Router on a Stick VLAN
Week 3
  Part 1: Build the Network and Configure Basic Device Settings
  Part 3: Configure and Verify a Stateless DHCPv6 server on R1
  Part 4: Configure a Stateful DHCPv6 server on R2
  Part 5: Configure a DHCPv4 settings on R1 for both LANs
Week 4
  Part 1: Configure Port Security
  Part 2: Verify Port Security
Week 6
  Part 1: Configure IPv4 and IPv6 Addresses to Router Interfaces and Hosts
  Part 2: Configure IPv4 Static Routes on R1 and R2
  Part 3: Configure IPv6 Static Routes on R1 and R2
  Part 4: Configure IPv4 Default Route on R2
  Part 5: Configure IPv6 Default Route on R2
Week 1
Part 1: Configure Basic Device Configuration on S1
a. Disable DNS lookup
Switch> en
Switch# conf t
Switch (config)# no ip domain-lookup
b. Configure console password as “cisco” and encrypted privilege mode password
as “class”.
Switch (config)# line console 0
Switch (config-line)# password cisco
Switch (config-line)# login
Switch (config-line)# exit
Switch (config)# enable secret class
c. Configure vty lines password as “telnet”.
Switch (config)# line vty 0 4
Switch (config-line)# password telnet
Switch (config-line)# login
Switch (config-line)# exit
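d. Show the current configuration and note that the passwords are in plain text.
Enter the command that encrypts plain text passwords: S1(config)# service password-encryption
This applies Cisco's reversible type 7 encoding, which only hides the passwords from casual
viewing; the enable secret is stored as a hash instead.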
Switch# show running-config
Switch# conf t
Switch(config)# service password-encryption
e. Verify that the passwords are encrypted.
Switch# show running-config
f. Configure banner motd “Authorized Users Only!”
Switch(config)# banner motd #Authorized Users Only!#
Part 2: Configure SSH on R1 as a Secure Remote Access Method.
Step 1: Set the IP domain name and generate secure keys.
It is generally not safe to use Telnet, because data is transferred in plain text. Therefore,
use SSH whenever it is available.
a. Configure the domain name to be netacad.pka
Router> en
Router# conf t
Router(config)# hostname R1
R1 (config)# ip domain-name netacad.pka
b. Configure encrypted privilege mode password as “class”.
R1 (config)# enable secret class
c. Secure keys are needed to encrypt the data. Generate the RSA keys using a 1024-bit
key length (the value this lab asks for; 2048 bits or more is the usual minimum outside
a lab).
R1 (config)# crypto key generate rsa general-keys modulus 1024
Step 2: Create an SSH user and reconfigure the VTY lines for SSH-only
access.
a. Create an administrator user with cisco as the secret password.
R1 (config)# username administrator secret cisco
R1 (config)# line vty 0 4
R1 (config-line)# login local
R1 (config-line)# transport input ssh
Part 3: Configure IPv4 Addressing and Verify Connectivity
Step 1: Assign IPv4 addresses to R1 and LAN devices.
Referring to the Addressing Table, configure IPv4 addressing for R1 LAN interfaces, PC-A
and PC-B.
R1 (config)# interface gigabitethernet0/0
R1 (config-if)# ip address 192.168.1.1 255.255.255.0
R1 (config-if)# no shutdown
R1 (config-if)# ipv6 address 2001:db8:ACAD:A::1/64
R1 (config-if)# ipv6 address fe80::1 link-local
R1 (config-if)# exit
R1 (config)# interface gigabitethernet0/1
R1 (config-if)# ip address 192.168.2.1 255.255.255.0
R1 (config-if)# no shutdown
R1 (config-if)# ipv6 address 2001:db8:ACAD:B::1/64
R1 (config-if)# ipv6 address fe80::2 link-local
R1 (config-if)# exit
R1 (config)# ipv6 unicast-routing
R1 (config)# do wr
S1(config)# interface vlan 1
S1(config-if)# no shutdown
S1(config-if)# ip address 192.168.1.2 255.255.255.0
S1(config-if)# exit
S1(config)# ip default-gateway 192.168.1.1
S1(config)# do wr
Switch> en
Switch# conf t
Switch(config)# hostname S2
S2(config)# interface vlan 1
S2(config-if)# no shutdown
S2(config-if)# ip address 192.168.2.2 255.255.255.0
S2(config-if)# exit
S2(config)# ip default-gateway 192.168.2.1
S2(config)# do wr
(Configure PC-A and PC-B through the packet tracer interface (no need to use
commands)).
Step 2: Verify connectivity. PC1 and PC2 should be able to ping each other.
PC-A
C:\> ping 2001:db8:ACAD:B::10
C:\> ping 192.168.2.10
Verify telnet on switch 1:
C:\> telnet 192.168.1.2
Password:
Switch> en
Password:
Switch#
Verify ssh on router:
C:\> ssh -l administrator 192.168.1.1
Password:
R1>
R1> enable
Password:
R1#
Verify connectivity:
R1# show ip route
R1# show ipv6 route
R1# show ip interface brief
R1# show ipv6 interface brief
Part 4: Configure IPv6 Addressing and Verify Connectivity
Step 1: Assign IPv6 addresses to R1 and LAN devices. Referring to the
Addressing Table, configure IPv6 addressing for R1 LAN interfaces, PC-A
and PC-B.
Step 2: Verify connectivity. PC-A and PC-B should be able to ping each
other.
Did this in part 3.
Week 2
Part 1: Configure VLANs
Configure VLANs on all three switches. Refer to the VLAN Table. Note that the VLAN
names must match the values in the table exactly.
VLAN Number   VLAN Name
101           Staff
102           Sales
103           IT
!!!!SW1!!!!!
Switch> en
Switch# conf t
Switch(config)# hostname SW1
SW1(config)# vlan 101
SW1(config-vlan)# name Staff
SW1(config-vlan)# vlan 102
SW1(config-vlan)#name Sales
SW1(config-vlan)#exit
SW1(config)# vlan 103
SW1(config-vlan)#name IT
SW1(config-vlan)# do sh history
(This shows the most recent commands entered, from hostname through do sh history.
Select all the commands starting from vlan 101 and ending at name IT -> right click ->
copy -> now go to SW2 and SW3 -> en -> conf t -> change hostname -> and paste. It is
also good to do a “do wr” to save the configuration.)
After this, run SW1# show vlan brief to verify that everything went through correctly.
Tip : go to options -> preferences and select always show port labels in logical
workspace
Part 2: Assign Ports to VLANs
a. On SW2 and SW3, assign ports to the VLANs. Refer to the Addressing Table.
SW2(config)# interface fastEthernet 0/1
SW2(config-if)# switchport mode access
SW2(config-if)# switchport access vlan 101
SW2(config-if)# exit
SW2(config)# interface fa0/2
SW2(config-if)# switchport mode access
SW2(config-if)# switchport access vlan 102
SW2(config-if)# exit
SW2(config)# do sh history
Copy commands above and save to notepad
SW2(config)# interface fa0/3
SW2(config-if)# switchport mode access
SW2(config-if)# switchport access vlan 103
SW2(config-if)# exit
SW2(config)# do sh history
Copy paste new commands and add to notepad
Copy all notepad commands and paste in switch 3 starting from SW3(config)#
Use “show vlan brief” in e.g SW2# to verify VLAN status
!!Don’t forget to save with “do wr”!!
Part 3: Configure Static Trunking
a. Configure the link between SW1-SW2, SW1-SW3 and SW1-R1 as a static trunk.
Disable dynamic trunking on this port.
b. Disable DTP on the switch port on both ends of the trunk link.
A+B
A ) SW1(config)# interface range gigabitEthernet 0/1-2, fastEthernet 0/1
A) SW1(config-if-range)# switchport mode trunk
B) SW1(config-if-range)# switchport nonegotiate
SW2(config)# interface gigabitEthernet 0/1
SW2(config-if)# switchport mode trunk
SW2(config-if)# switchport nonegotiate
SW2(config-if)# exit
SW3(config)# interface gigabitEthernet 0/1
SW3(config-if)# switchport mode trunk
SW3(config-if)# switchport nonegotiate
SW3(config-if)# exit
To check e.g SW3# show interfaces trunk
!!Don’t forget to save with “do wr”!!
Part 4: Configure End Devices with IP Addresses
a. Configure PCs with IP addresses, subnet mask and default gateways & ensure
that PCs within the same VLAN can communicate with each other.
Add all IP addresses and default gateways from the Addressing Table to the PCs.
Part 5: Configure Router on a Stick VLAN
Configure the devices to meet the following requirements.
• Create sub-interfaces for VLANs on R1 and assign IP addresses based on the
Addressing Table.
• Verify that all PCs can communicate with each other
• Copy the running configuration to the startup configuration.
Router> en
Router# conf t
Router(config)# hostname R1
R1(config)# interface gigabitEthernet 0/0
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# interface gigabitEthernet 0/0.101
R1(config-subif)# encapsulation dot1Q 101
R1(config-subif)# ip address 192.168.101.1 255.255.255.0
R1(config-subif)# exit
R1(config)# interface gigabitEthernet 0/0.102
R1(config-subif)# encapsulation dot1Q 102
R1(config-subif)# ip address 192.168.102.1 255.255.255.0
R1(config-subif)# exit
R1(config)# interface gigabitEthernet 0/0.103
R1(config-subif)# encapsulation dot1Q 103
R1(config-subif)# ip address 192.168.103.1 255.255.255.0
R1(config-subif)# exit
To check R1# show ip interface brief
R1# copy running-config startup-config
R1# write
^^Use these 2 commands on the switches as well^^
Check by pinging pc4 from pc1 and pc2 from pc1
Week 3
***************************************************************
***************************************************************
Part 1: Build the Network and Configure Basic Device Settings
***************************************************************
***************************************************************
hostname R1
interface gigabitEthernet 0/0
ip address 192.168.2.1 255.255.255.252
ipv6 address 2001:db8:abc:2::1/64
ipv6 address fe80::1 link-local
no shutdown
exit
interface gigabitEthernet 0/1
ip address 192.168.1.1 255.255.255.0
ipv6 address 2001:db8:abc:1::1/64
ipv6 address fe80::1 link-local
no shutdown
exit
ipv6 unicast-routing
hostname R2
interface gigabitEthernet 0/0
ip address 192.168.2.2 255.255.255.252
ipv6 address 2001:db8:abc:2::2/64
ipv6 address fe80::2 link-local
no shutdown
exit
interface gigabitEthernet 0/1
ip address 192.168.3.1 255.255.255.0
ipv6 address 2001:db8:abc:3::1/64
ipv6 address fe80::2 link-local
no shutdown
exit
ipv6 unicast-routing
***************************************************************
***************************************************************
Part 3: Configure and Verify a Stateless DHCPv6 server on R1
***************************************************************
ipv6 nd other-config-flag sets the "O" flag in Router Advertisements to notify IPv6
hosts that they need to use DHCPv6 for additional configuration information. This could
include DNS server addresses or other network parameters.
***************************************************************
R1
ipv6 dhcp pool R1-Stateless
dns-server 2001:db8:acad::254
domain-name Stateless.com
exit
interface g0/1
ipv6 nd other-config-flag
ipv6 dhcp server R1-Stateless
exit
***************************************************************
***************************************************************
Part 4: Configure a Stateful DHCPv6 server on R2
***************************************************************
When you use the ipv6 nd managed-config-flag command, the RA messages will inform the
hosts on the network to use DHCPv6 for their full address configuration (IP address,
prefix, etc.) rather than autoconfiguring their address.
***************************************************************
R2
ipv6 dhcp pool R2-Stateful
address prefix 2001:db8:abc:3::/64
dns-server 2001:db8:abc:3::1
domain-name Stateful.com
exit
interface g0/1
ipv6 dhcp server R2-Stateful
ipv6 nd managed-config-flag
exit
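Added example (not part of the original lab notes): it builds constructed Router Advertisements for R1's and R2's LAN prefixes, reads the M and O bits that Parts 3 and 4 set, and also reads the per-prefix A flag, because a host keeps forming SLAAC addresses while A is set even when M is on. The function names and the lifetime values are assumptions for illustration.

```python
import ipaddress
import struct

M_FLAG, O_FLAG = 0x80, 0x40      # RA header flags (RFC 4861, section 4.2)
L_FLAG, A_FLAG = 0x80, 0x40      # Prefix Information option flags (section 4.6.2)


def build_ra(managed, other, prefix, autonomous=True):
    """Build a constructed RA with one Prefix Information option (checksum left 0)."""
    net = ipaddress.IPv6Network(prefix)
    flags = (M_FLAG if managed else 0) | (O_FLAG if other else 0)
    # type 134, code 0, checksum, hop limit, flags, router lifetime, two timers
    header = struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, 1800, 0, 0)
    pflags = L_FLAG | (A_FLAG if autonomous else 0)
    # option type 3, length 4 (x8 bytes), prefix length, flags, lifetimes, reserved
    option = struct.pack("!BBBBIII", 3, 4, net.prefixlen, pflags, 2592000, 604800, 0)
    return header + option + net.network_address.packed


def parse_ra(msg):
    """Return the M/O flags and (prefix, A flag) pairs from an ICMPv6 RA body."""
    if len(msg) < 16 or msg[0] != 134:
        raise ValueError("not a Router Advertisement")
    ra = {"managed": bool(msg[5] & M_FLAG), "other": bool(msg[5] & O_FLAG),
          "prefixes": []}
    pos = 16
    while pos + 2 <= len(msg):
        opt_type, opt_len = msg[pos], msg[pos + 1] * 8
        if opt_len == 0 or pos + opt_len > len(msg):
            raise ValueError("malformed option")
        if opt_type == 3 and opt_len == 32:
            addr = ipaddress.IPv6Address(msg[pos + 16:pos + 32])
            net = ipaddress.IPv6Network((addr, msg[pos + 2]))
            ra["prefixes"].append((str(net), bool(msg[pos + 3] & A_FLAG)))
        pos += opt_len
    return ra


def address_sources(ra):
    """What a host uses after this RA: SLAAC, DHCPv6 addresses, DHCPv6 options."""
    sources = set()
    if any(autonomous for _, autonomous in ra["prefixes"]):
        sources.add("slaac-address")
    if ra["managed"]:
        # With M set, O is redundant: DHCPv6 returns addresses and options.
        sources.update({"dhcpv6-address", "dhcpv6-options"})
    elif ra["other"]:
        sources.add("dhcpv6-options")
    return sources
```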
***************************************************************
***************************************************************
Part 5: Configure a DHCPv4 settings on R1 for both LANs
***************************************************************
The ip helper-address command is primarily used for DHCP relay, allowing DHCP clients
in one subnet to reach DHCP servers in a different subnet by forwarding their broadcast
requests as unicast packets.
***************************************************************
R1
ip dhcp pool R1-LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8
exit
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp pool R2-LAN
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
dns-server 8.8.8.8
exit
ip dhcp excluded-address 192.168.3.1 192.168.3.10
R2
interface GigabitEthernet0/1
ip helper-address 192.168.2.1
exit
***************************************************************
***************************************************************
Week 4
Objective
Part 1: Configure Port Security
Part 2: Verify Port Security
Background
In this activity, you will configure and verify port security on a switch. Port security
allows you to restrict a port’s ingress traffic by limiting the MAC addresses that are
allowed to send traffic into the port.
!Tip Options -> interface -> Check Always Show Port Labels in Logical Workspace.
Part 1: Configure Port Security
a. Access the command line for S1 and enable port security on Fast Ethernet ports
0/1 and 0/2.
S1> en
S1# conf t
S1 (config)# interface range fastEthernet 0/1-2 (short form: interface range f0/1-2)
S1 (config-if-range)# switchport mode access (can’t use port-security if interface is in dynamic mode)
S1 (config-if-range)# switchport port-security
b. Set the maximum so that only one device can access the Fast Ethernet ports 0/1
and 0/2.
S1 (config-if-range)# switchport port-security maximum 1
c. Secure the ports so that the MAC address of a device is dynamically learned and
added to the running configuration.
S1 (config-if-range)# switchport port-security mac-address sticky
d. Set the violation mode so that the Fast Ethernet ports 0/1 and 0/2 are not
disabled when a violation occurs, but a notification of the security violation is
generated and packets from the unknown source are dropped.
S1 (config-if-range)# switchport port-security violation restrict
(index)
Protect: When a different MAC address is used to access this port, the port will drop
all packets coming through but it won’t log the security violation.
Restrict: When a different MAC address is used to access this port, the port will drop
all packets coming through and log the number of security violations (1 ping is 1
violation).
Shutdown: When a different MAC address is used to access this port, the port will be
administratively shut down.
e. Disable all the remaining unused ports. Use the range keyword to apply this
configuration to all the ports simultaneously.
S1 (config)# interface range fastEthernet 0/3-24, gig0/2
S1 (config-if-range)# shutdown
S1 (config-if-range)# exit
S1 (config)# do wr (to save)
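The hardening steps in these labs (SSH-only vty lines from Week 1, static trunks with DTP disabled from Week 2 Part 3, and port security plus shut-down unused ports from Part 1 above) can be checked mechanically against a saved running-config. The following is an added example, not part of the original lab notes: the sample config is constructed, the function names are hypothetical, and it assumes a Catalyst-style access switch where a port with no switchport mode is still in dynamic mode.

```python
# Constructed running-config excerpt (not taken from the lab devices).
SAMPLE = """\
service password-encryption
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security violation restrict
interface FastEthernet0/2
 switchport mode access
interface FastEthernet0/3
 shutdown
interface FastEthernet0/4
interface GigabitEthernet0/1
 switchport mode trunk
interface GigabitEthernet0/2
 switchport mode trunk
 switchport nonegotiate
line vty 0 4
 password 7 0000000000
 login
line vty 5 15
 login local
 transport input ssh
"""


def parse_stanzas(config):
    """Map each top-level line to the indented sub-commands beneath it."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0].isspace() and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = raw.strip()
            stanzas[current] = []
    return stanzas


def audit(config):
    """Return (stanza, finding) pairs, in config order, for the lab's hardening steps."""
    findings = []
    for header, body in parse_stanzas(config).items():
        if header.startswith("interface ") and "Vlan" not in header:
            if "shutdown" in body:
                continue  # administratively disabled port
            if "switchport mode trunk" in body:
                if "switchport nonegotiate" not in body:
                    findings.append((header, "trunk still negotiates DTP"))
            elif "switchport mode access" not in body:
                findings.append((header, "enabled port left in dynamic mode"))
            elif "switchport port-security" not in body:
                findings.append((header, "access port without port-security"))
        elif header.startswith("line vty"):
            # Assumption: no explicit "transport input" means Telnet is still allowed.
            if [c for c in body if c.startswith("transport input")] != ["transport input ssh"]:
                findings.append((header, "vty not restricted to ssh"))
            if any(c.startswith("password ") for c in body):
                findings.append((header, "line password is plaintext or type 7"))
    return findings
```

Calling audit(SAMPLE) lists the stanzas that still need the corresponding lab step; a config where every step has been applied returns an empty list.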
Part 2: Verify Port Security
a. From PC0, ping PC1.
Ping 192.168.1.3
b. Verify that port security is enabled and the MAC addresses of PC0 and PC1 were
added to the running configuration.
S1# show running-config
c. Use port-security show commands to display configuration information.
S1# show port-security interface fastEthernet 0/1
S1# show port-security interface fastEthernet 0/2
d. Attach Rogue Laptop to any unused switch port and notice that the link lights are
red.
Click on the lightning bolt on the bottom left then again on the lightning bolt just
to the right of the original one. Click on laptop then click on S1.
e. Enable the port and verify that Rogue Laptop can ping PC0 and PC1. After
verification, shut down the port connected to Rogue Laptop.
S1# conf t
S1 (config)# interface fastEthernet 0/3
S1 (config-if)# no shutdown
(verify connectivity)
S1 (config-if)# shutdown
f. Disconnect PC1 and connect Rogue Laptop to F0/2, which is the port to which
PC1 was originally connected. Verify that Rogue Laptop is unable to ping PC0.
Double click on the cable near pc1 and drag to laptop
Ping 192.168.1.2
g. Display the port security violations for the port to which Rogue Laptop is
connected.
S1# show port-security interface fastEthernet 0/2
h. Disconnect Rogue Laptop and reconnect PC1. Verify PC1 can ping PC0.
Double click on the cable near the laptop and drag back to pc1
Ping 192.168.1.2
Week 6
Instructions
Part 1: Configure IPv4 and IPv6 Addresses to Router Interfaces and
Hosts
a. Configure IPv4 and IPv6 addresses to routers based on the addressing table
Router> en
Router# conf t
Router(config)# hostname R1
R1(config)# interface gigabitEthernet 0/0
R1(config-if)# ip address 192.168.1.1 255.255.255.0
R1(config-if)# ipv6 address 2001:ACAD:ABC:1::1/64
R1(config-if)# no shut
R1(config-if)# exit
R1(config)# interface gigabitEthernet 0/1
R1(config-if)# ip address 192.168.2.1 255.255.255.0
R1(config-if)# ipv6 address 2001:ACAD:ABC:2::1/64
R1(config-if)# no shut
R1(config-if)# exit
R1(config)# interface gigabitEthernet 0/2
R1(config-if)# ip address 192.168.5.1 255.255.255.0
R1(config-if)# ipv6 address 2001:ACAD:ABC:5::1/64
R1(config-if)# no shut
R1(config-if)# exit
R1(config)# ipv6 unicast-routing
R1(config)#exit
R1#wr
R2(config)# interface gigabitEthernet 0/0
R2(config-if)# ip address 192.168.3.1 255.255.255.0
R2(config-if)# ipv6 address 2001:ACAD:ABC:3::1/64
R2(config-if)# no shut
R2(config-if)# exit
R2(config)# interface gigabitEthernet 0/1
R2(config-if)# ip address 192.168.4.1 255.255.255.0
R2(config-if)# ipv6 address 2001:ACAD:ABC:4::1/64
R2(config-if)# no shut
R2(config-if)# exit
R2(config)# interface gigabitEthernet 0/2
R2(config-if)# ip address 192.168.5.2 255.255.255.0
R2(config-if)# ipv6 address 2001:ACAD:ABC:5::2/64
R2(config-if)# no shut
R2(config-if)# exit
R2(config)# ipv6 unicast-routing
R2(config)#exit
R2#wr
b. Configure host devices with IPv4 and IPv6 addresses
Copy the ip address to the corresponding devices.
Part 2: Configure IPv4 Static Routes on R1 and R2
a. Configure IPv4 static routes on R1 for R2 LANs
R1(config)#ip route 192.168.3.0 255.255.255.0 192.168.5.2
R1(config)#ip route 192.168.4.0 255.255.255.0 192.168.5.2
R1(config)#exit
b. Configure IPv4 static routes on R2 for R1 LANs
R2(config)#ip route 192.168.1.0 255.255.255.0 192.168.5.1
R2(config)#ip route 192.168.2.0 255.255.255.0 192.168.5.1
R2(config)#exit
Part 3: Configure IPv6 Static Routes on R1 and R2
a. Configure IPv6 static routes on R1 for R2 LANs
R1(config)#ipv6 route 2001:ACAD:ABC:3::/64 2001:ACAD:ABC:5::2
R1(config)#ipv6 route 2001:ACAD:ABC:4::/64 2001:ACAD:ABC:5::2
b. Configure IPv6 static routes on R2 for R1 LANs
R2(config)#ipv6 route 2001:ACAD:ABC:1::/64 2001:ACAD:ABC:5::1
R2(config)#ipv6 route 2001:ACAD:ABC:2::/64 2001:ACAD:ABC:5::1
Part 4: Configure IPv4 Default Route on R2
a. To test the default route functionality configure a Loopback1 interface on R1 with
IP address 1.1.1.1/32
R1(config)#interface loopback 1
R1(config-if)#ip address 1.1.1.1 255.255.255.255
b. Configure a default route on R2 that will point towards R1
R2(config)#ip route 0.0.0.0 0.0.0.0 192.168.5.1
Part 5: Configure IPv6 Default Route on R2
a. To test the IPv6 default route functionality configure a Loopback10 interface on
R1 with IP address 127::1/128
R1(config)#interface loopback 10
R1(config-if)#ipv6 address 127::1/128
b. Configure an IPv6 default route on R2 that will point towards R1
R2(config)#ipv6 route ::/0 2001:ACAD:ABC:5::1