The following covers problems you will commonly run into when working through the CCIE R&S lab exam, and they are the same problems that show up in small real-world projects.
In project work I often come across a very small project: the customer buys only one Cisco router and one core switch, and you have to configure both so the client hosts can reach the Internet. It looks trivial, but it matters, and it is common to end up with a configuration that does not work or does not meet the customer's requirements. Here is a detailed analysis of such a project, because many different configurations and requirements (dual Internet uplinks, for example) are derived from it. First, the router configuration.
Router#sh run | b interface
interface Ethernet0/0
 ip address 12.1.1.2 255.255.255.0
 ip nat outside
interface Ethernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
Everyone should be familiar with these interface commands. The key items are the WAN address the ISP (telecom) assigned to you and the address on the internal side. NAT is almost always required, so the interfaces are marked as NAT INSIDE and OUTSIDE; without that, NAT cannot happen and the internal network cannot reach the public network.
Next, configure a default route; this is what sends traffic toward the public network:
ip route 0.0.0.0 0.0.0.0 12.1.1.1
At this point the router itself should, in theory, be able to ping a public address such as 8.8.8.8. If it cannot, the problem is probably the WAN interface or the ISP. This is also the troubleshooting approach: when the public network is unreachable, first check from the router whether its WAN address is up and a public address can be reached.
Now configure the NAT translation itself. There are two main steps. The first is to specify the range of addresses that will be translated. Why? The internal network may contain many segments, and not every segment should reach the public network: some companies require that only part of the network gets Internet access while the rest, for example segments holding sensitive data, stays off it. The second step is the translation. Because the ISP assigns you only one public IP address, you use port address translation (PAT, the 'overload' keyword), translating to the address of the interface configured as OUTSIDE.
ip nat inside source list 100 interface Ethernet0/0 overload
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
Of the two commands above, the second defines the range that may be translated. The range here is deliberately broad; in practice it is often written this way because it keeps the ACL simple, but it can be written much more precisely to fit the actual situation. The 'overload' keyword in the first command is what makes this port address translation rather than one-to-one NAT.
Once these two commands are entered, the segments behind the core switch can, in theory, reach the outside network. Why only in theory? Because so far the core switch has nothing configured beyond its VLAN segments, and the router has no route back to those segments, so return traffic has nowhere to go and the hosts still cannot reach the public network.
Of course, it is usually not that simple. You need to configure a routing protocol on the router, and most importantly advertise a default route into it:
router ospf 1
 network 10.1.1.1 0.0.0.0 area 0
 default-information originate always
Note the 0.0.0.0 wildcard: it enables OSPF only on the interface with 10.1.1.1, which is safer because OSPF is never run on the WAN interface toward the ISP. Also note 'always': it advertises the default route regardless of whether the router currently has a default route of its own; without it, the default is advertised only while the static default route is present in the routing table.
The router configuration is basically complete. Now let's look at the core switch.
The core switch can be Layer 2 or Layer 3; nowadays it is usually Layer 3. The specific configuration of a Layer 3 switch is:
interface G0/1
 no switchport
 ip address 10.1.1.2 255.255.255.0
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
This is straightforward: configure a routed interface toward the router, then create an SVI for each VLAN so the client segments below are separated from each other.
Configure a routing protocol so that the router learns the core switch's segments:
router ospf 1
 network 10.1.1.2 0.0.0.0 area 0
 network 192.168.0.0 0.0.255.255 area 0
If you do not want a routing protocol, static routes also work: give the core switch a default route pointing to the router (10.1.1.1), and give the router static routes for the 192.168.x.x segments pointing to the switch (10.1.1.2). Without those routes on the router, traffic cannot return to the segments behind the switch and there is no communication.
Finally, assign the access ports to their VLANs. That is essentially the core switch configuration, and at this point the clients should be able to reach the public network.
Question 1: The customer requires that the network segments cannot reach each other, but all of them can reach the public network.
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip access-group 100 in
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip access-group 101 in
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 101 permit ip any any
This is easy to understand: match the segment pairs, deny them, and apply the ACL inbound on the VLAN interface. This requirement comes up often in real projects. Keep in mind that IOS ACLs are stateless: ACL 101 does not deny 192.168.20.0/24 to 192.168.10.0/24, so VLAN 20 can still send packets into VLAN 10 and only the replies are dropped by ACL 100 on Vlan10; for a clean result add the mirror deny to ACL 101 as well.
Question 2: The segments can reach each other, but one segment cannot reach the public network.
Switch#sh run | b access-list 100
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 deny ip any any
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip access-group 100 in
Question 3: Only a single pair of hosts can reach each other, and they cannot reach the public network.
Switch#sh run | in access-list 100
access-list 100 permit ip host 192.168.10.2 host 192.168.20.2
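To check what the ACLs in Questions 1 to 3 really permit, here is an added Python example (not code from the original post) that evaluates the page's ACLs with IOS semantics: top-down, first match wins, implicit deny at the end, and no state, so a reply packet is checked on its own against whatever ACL sits inbound on the interface it enters. It assumes the Question 3 ACL is applied inbound on Vlan10 like the Question 2 one, that VLAN 30 is 192.168.30.0/24, and that traffic from the Internet enters the switch on G0/1 with no ACL; the host addresses such as 192.168.10.2 and 8.8.8.8 are constructed test inputs. It also runs the router's NAT ACL from earlier in the page to show which inside sources are translated at all.

```python
"""Added example (not from the original post): evaluate the page's Cisco IOS
ACLs the way IOS does - top-down, first match wins, implicit deny at the end,
stateless (each packet, including the reply, is checked on its own)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    action: str  # "permit" or "deny"
    src: str     # "any", "host A.B.C.D" or "A.B.C.D W.X.Y.Z" (address + wildcard)
    dst: str


def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is don't-care."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    net, wc = spec.split()
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wc))
    care = ~w & 0xFFFFFFFF
    return a & care == n & care


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny ip SRC DST' (numbered extended ACL)."""
    tok = line.split()
    assert tok[0] == "access-list" and tok[3] == "ip", line

    def take(rest):  # an address spec is 1 token for 'any', otherwise 2 tokens
        return ("any", rest[1:]) if rest[0] == "any" else (" ".join(rest[:2]), rest[2:])

    src, rest = take(tok[4:])
    dst, _ = take(rest)
    return Ace(tok[2], src, dst)


def evaluate(acl: list[Ace], src: str, dst: str) -> str:
    """Verdict of one ACL for one packet; no match means implicit deny."""
    for ace in acl:
        if wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst):
            return ace.action
    return "deny"


def acl(*lines: str) -> list[Ace]:
    return [parse_ace(line) for line in lines]


# ACLs copied from the page, keyed by the SVI they are applied to ('in').
Q1 = {
    "Vlan10": acl("access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255",
                  "access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255",
                  "access-list 100 permit ip any any"),
    "Vlan20": acl("access-list 101 deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255",
                  "access-list 101 permit ip any any"),
}
Q2 = {"Vlan10": acl("access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255",
                    "access-list 100 deny ip any any")}
# Assumption: the Question 3 ACL is applied inbound on Vlan10 like Question 2's.
Q3 = {"Vlan10": acl("access-list 100 permit ip host 192.168.10.2 host 192.168.20.2")}
# The router's NAT ACL: decides which inside sources are translated at all.
NAT_ACL = acl("access-list 100 permit ip 192.168.0.0 0.0.255.255 any")

# Assumed addressing; anything outside these subnets arrives from the router on G0/1.
SUBNETS = {"Vlan10": "192.168.10.0/24", "Vlan20": "192.168.20.0/24", "Vlan30": "192.168.30.0/24"}


def ingress_interface(addr: str) -> str:
    ip = ipaddress.IPv4Address(addr)
    for name, net in SUBNETS.items():
        if ip in ipaddress.IPv4Network(net):
            return name
    return "G0/1"


def round_trip(inbound: dict, src: str, dst: str) -> tuple:
    """(forward verdict, reply verdict). The ACL applied 'in' on the interface
    the packet enters decides; an interface with no ACL permits everything."""
    def check(s, d):
        a = inbound.get(ingress_interface(s))
        return "permit" if a is None else evaluate(a, s, d)
    return check(src, dst), check(dst, src)


if __name__ == "__main__":
    for label, table in (("Q1", Q1), ("Q2", Q2), ("Q3", Q3)):
        for s, d in (("192.168.10.2", "192.168.20.2"), ("192.168.20.2", "192.168.10.2"),
                     ("192.168.10.2", "8.8.8.8")):
            print(label, s, "->", d, round_trip(table, s, d))
    print("NAT 192.168.10.2:", evaluate(NAT_ACL, "192.168.10.2", "8.8.8.8"),
          " NAT 10.1.1.2:", evaluate(NAT_ACL, "10.1.1.2", "8.8.8.8"))
```

Running it shows that the Question 1 pair is asymmetric: 192.168.20.2 to 192.168.10.2 is permitted by ACL 101 on the way in, but the reply is dropped by ACL 100 on Vlan10, so TCP sessions fail while one-way UDP still arrives in VLAN 10. It also shows that the 10.1.1.0/24 interconnect is outside the router's NAT ACL, so traffic sourced by the core switch itself is never translated and cannot reach the Internet.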
Summary: although the router and switch configuration for Internet access is very simple, it is the configuration you meet most often and use most in real projects, and the analysis above covers it.
When troubleshooting, work step by step. If the public network is unreachable, first check the router: if the router itself cannot ping a public address, the problem is most likely on the ISP side. Then check whether the router and the core switch can communicate, then whether the core switch reaches the access layer switch, and finally whether the access switch reaches the client. As long as the approach is clear, troubleshooting is an easy task.
Let's look at the configuration from a real project, with unused configuration removed.
1941#sh run
Building configuration...
Current configuration : 1785 bytes
!
! Last configuration change at 05:58:15 UTC Tue Sep 24 2013 by cisco
!
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
boot-start-marker
boot system flash0:/c1900-universalk9-mz.SPA.153-3.M.bin
boot-end-marker
!
enable secret 5 $1$FGLC$Y/iyOOH5xkYLI3mWkijL91
enable password cisco
!
no aaa new-model
!
ip dhcp excluded-address 192.168.11.1 192.168.11.100
!
ip dhcp pool ccna
 network 192.168.11.0 255.255.255.0
 dns-server 221.12.1.227 221.12.33.227
 default-router 192.168.11.1
!
license udi pid CISCO1941/K9 sn FGL1721109D
license accept end user agreement
license boot module c1900 technology-package securityk9
!
username CISCO privilege 15 password 0 cisco
!
interface GigabitEthernet0/0
 description wan
 ip address 101.71.246.162 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description lan
 ip address 192.168.11.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip nat inside source list natout interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 101.71.246.161
!
ip access-list standard natout
 permit 192.168.0.0 0.0.255.255
Note that DHCP is configured above; it can live on the router or on the core switch. Also note the IOS version, 15.3, which is fairly new. The IOS a router ships with from the factory is often an older release with more known bugs, so it is recommended to upgrade to the latest IOS!
Two other things in this configuration are lab leftovers and should not survive into production: 'enable password cisco' adds nothing but a weak fallback next to the 'enable secret' that is already there, and 'username CISCO privilege 15 password 0 cisco' together with 'no service password-encryption' leaves a privilege 15 credential in clear text in the running config. Use 'username ... secret' instead and enable 'service password-encryption' at a minimum.
The above is my experience from taking the Cisco CCIE lab exam and the Cisco CCIE written exam. I hope you all keep fighting for your own dream. Fighting!