Cisco routers and switches online configuration FAQ



The following covers problems you will run into when working through the CCIE RS lab exam.

In projects I often come across a small job like this: the customer buys only one Cisco router and one core switch, and you need to configure them so that the customer's clients can access the Internet. This small project looks very simple, but it is important, and it is common for the configuration to fail or not meet the customer's requirements. Here is a detailed analysis of such a project, because many different configurations and requirements (dual uplinks, for example) can be derived from it. First, look at the configuration of the router.

Router#sh run | b interface
interface Ethernet0/0
 ip address 12.1.1.2 255.255.255.0
 ip nat outside
interface Ethernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside

I believe everyone is familiar with this interface configuration. The main items are the WAN address assigned to you by the carrier and the intranet address. NAT is generally required, so the NAT inside and outside interfaces are configured as well; otherwise NAT cannot work and the internal network cannot reach the public network.

Then configure the default route, which is mainly what lets you reach the public network:

ip route 0.0.0.0 0.0.0.0 12.1.1.1 

In theory you should now be able to ping a public address such as 8.8.8.8. If you cannot, it may be an interface problem or an ISP problem. This is also a troubleshooting approach: if the public network is unreachable, first check whether the WAN public address can be reached from the router itself.

Now configure NAT. There are two main steps. The first is to specify the range of addresses to be translated. What does that mean? There may be many network segments on the intranet, and not every segment needs to reach the public network; some companies require that only part of the intranet can go out and the rest cannot, for example to protect the security of some data. Because the ISP assigns you only one IP address, you do port address translation (PAT), and the port used is the configured outside interface.

ip nat inside source list 100 interface Ethernet0/0 overload
access-list 100 permit ip 192.168.0.0 0.0.255.255 any

Of the two commands above, the second specifies the range that may be translated. The network segment here is deliberately wide; under normal circumstances it is widened mainly to make the ACL simpler to write, but it can also be written very finely, depending on the actual situation. When you look at the NAT translations you can see that port address translation is being done.

Once these two commands are entered, the network segments above the core switch can, in theory, reach the external network. Why only in theory? Because, for example, nothing has been configured on the core switch yet; only a network segment has been divided, and in that case the public network cannot be reached.

Of course it is generally not that simple. You need to configure a routing protocol on the router and, most importantly, advertise a default route.

router ospf 1
 network 10.1.1.1 0.0.0.0 area 0
 default-information originate always

Note the 0.0.0.0 wildcard mask in the network statement: it matches only this one interface address, which is mainly safer.

The configuration of the router is basically completed. Let's look at the configuration of the core switch.

The core switch can be Layer 2 or Layer 3; nowadays it is usually Layer 3. Here are the specific configuration requirements of a Layer 3 switch:

interface G0/1
 no switchport
 ip address 10.1.1.2 255.255.255.0
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
interface Vlan20
 ip address 192.168.20.1 255.255.255.0

The above configuration is very simple: configure an interface that interconnects with the router, and then create several network segments to isolate the clients below.

Configure a routing protocol so that the router can reach the network segments of the core switch:

router ospf 1
 network 10.1.1.2 0.0.0.0 area 0
 network 192.168.0.0 0.0.255.255 area 0

If you do not configure a routing protocol, you can also use static routes. In that case the core switch is configured with a default route pointing at the router, and the router needs static routes to the network segments below the core switch; otherwise they will not be able to communicate.

Finally, the ports can be assigned to the different VLANs. That is basically the configuration of the core switch, and at this point the clients should be able to reach the public network.

Question 1: The customer requires that the network segments cannot access each other, but each can still reach the public network.

interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip access-group 100 in
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip access-group 101 in
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 101 permit ip any any

The above configuration is easy to understand: the network segments are matched and then restricted, and the ACL is applied inbound on the VLAN interface. Such configuration requirements are often encountered in actual projects.

Question 2: The network segments can access each other, but one network segment cannot reach the public network.

Switch#sh run | b access-list 100
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 deny ip any any
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip access-group 100 in

Question 3: Only one pair of hosts may communicate with each other, and they cannot reach the public network.

Switch#sh run | in access-list 100
access-list 100 permit ip host 192.168.10.2 host 192.168.20.2
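As an added example (not part of the original post), the following Python script evaluates the ACLs from Questions 1 to 3 and the NAT range ACL from the router section with Cisco wildcard-mask and first-match semantics, including the implicit deny at the end of every ACL. The ACL text is copied from the page; the host addresses fed to it are constructed.

```python
import ipaddress

# Constructed sample input: the ACL lines from Questions 1-3 and the NAT range ACL above.
Q1_ACL = """
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 100 permit ip any any
"""
Q2_ACL = """
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 deny ip any any
"""
Q3_ACL = "access-list 100 permit ip host 192.168.10.2 host 192.168.20.2"
NAT_ACL = "access-list 100 permit ip 192.168.0.0 0.0.255.255 any"

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _addr_spec(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'; return (base, wildcard, rest)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return _ip(tokens[1]), 0, tokens[2:]
    return _ip(tokens[0]), _ip(tokens[1]), tokens[2:]

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into entry tuples."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[3] != "ip":
            continue  # only the 'ip' protocol form used on this page is handled
        src, src_wc, rest = _addr_spec(tok[4:])
        dst, dst_wc, _ = _addr_spec(rest)
        entries.append((tok[2], src, src_wc, dst, dst_wc))
    return entries

def _matches(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ wildcard
    return (addr & care) == (base & care)

def evaluate(entries, src_ip, dst_ip):
    """First-match evaluation; a packet matching no entry hits the implicit deny."""
    s, d = _ip(src_ip), _ip(dst_ip)
    for action, src, src_wc, dst, dst_wc in entries:
        if _matches(s, src, src_wc) and _matches(d, dst, dst_wc):
            return action
    return "deny"
```

Running `evaluate(parse_acl(Q3_ACL), "192.168.10.2", "8.8.8.8")` returns "deny" even though no deny line is written, which is the implicit deny that makes Question 3 work.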

Summary: Although the router and switch configuration for reaching the public network is very simple, it is the configuration most often encountered and most used in actual projects, and it can be handled with the analysis above.

Everyone troubleshoots, and there are a few steps. For example, if you cannot reach the public network, the first step is to check the router: ping a public network address to see whether the ISP has a problem. Then check whether the router and the core switch can communicate, whether the core switch can reach the access-layer switch, and finally whether the access-layer switch can reach the client. As long as your thinking is clear, troubleshooting is an easy task.

Let's look at the configuration from an actual project, with some unused configuration removed.

1941#sh run
Building configuration...

Current configuration : 1785 bytes

Last configuration change at 05:58:15 UTC Tue Sep 24 2013 by cisco

version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption

boot-start-marker
boot system flash0:/c1900-universalk9-mz.SPA.153-3.M.bin
boot-end-marker

enable secret 5 $1$FGLC$Y/iyOOH5xkYLI3mWkijL91
enable password cisco

no aaa new-model

ip dhcp excluded-address 192.168.11.1 192.168.11.100

ip dhcp pool ccna
 network 192.168.11.0 255.255.255.0
 dns-server 221.12.1.227 221.12.33.227
 default-router 192.168.11.1

license udi pid CISCO1941/K9 sn FGL1721109D
license accept end user agreement
license boot module c1900 technology-package securityk9

username CISCO privilege 15 password 0 cisco

interface GigabitEthernet0/0
 description wan
 ip address 101.71.246.162 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto

interface GigabitEthernet0/1
 description lan
 ip address 192.168.11.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto

ip nat inside source list natout interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 101.71.246.161

ip access-list standard natout
 permit 192.168.0.0 0.0.255.255

Note that DHCP is configured above; it can be configured either on the router or on the core switch. Also pay attention to the IOS version. Here it is 15.3, which is fairly new. The IOS that ships with the router by default may have relatively more bugs.

It is recommended to upgrade to the latest IOS!
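To make the "check the router first" troubleshooting step mechanical, here is an added Python check (not from the original post) that reads the NAT-relevant part of the 1941 configuration shown above and reports which PAT prerequisite from this article is missing: the inside and outside interface marks, the overload statement, the ACL it references, and the default route. The configuration text is trimmed from the page; the finding messages are constructed.

```python
import re

# Constructed sample: the NAT-relevant lines of the 1941 running config shown above.
RUNNING_CONFIG = """
interface GigabitEthernet0/0
 ip address 101.71.246.162 255.255.255.252
 ip nat outside
interface GigabitEthernet0/1
 ip address 192.168.11.1 255.255.255.0
 ip nat inside
ip nat inside source list natout interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 101.71.246.161
ip access-list standard natout
 permit 192.168.0.0 0.0.255.255
"""

def parse_interfaces(config):
    """Map each interface name to the set of its indented sub-commands."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current:
            ifaces[current].add(line.strip())
        elif line.startswith("interface "):
            current = line.split()[1]
            ifaces[current] = set()
        else:
            current = None  # any other top-level line ends the interface block
    return ifaces

def check_pat(config):
    """Return findings for the PAT prerequisites the article lists; empty means all present."""
    findings, ifaces = [], parse_interfaces(config)
    inside = [n for n, c in ifaces.items() if "ip nat inside" in c]
    outside = [n for n, c in ifaces.items() if "ip nat outside" in c]
    for role, found in (("inside", inside), ("outside", outside)):
        if not found:
            findings.append(f"no interface marked 'ip nat {role}'")
    nat = re.search(r"^ip nat inside source list (\S+) interface (\S+) overload", config, re.M)
    if not nat:
        findings.append("no 'ip nat inside source list ... overload' statement")
    else:
        acl, egress = nat.groups()
        if egress not in outside:
            findings.append(f"NAT egress interface {egress} is not marked 'ip nat outside'")
        acl_def = rf"^(ip access-list (standard|extended) {re.escape(acl)}|access-list {re.escape(acl)} )"
        if not re.search(acl_def, config, re.M):
            findings.append(f"ACL '{acl}' referenced by NAT is not defined")
    if not re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 \S+", config, re.M):
        findings.append("no default route toward the ISP")
    return findings
```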


The above is my feeling from when I took the CISCO CCIE LAB and CISCO CCIE written exam. I hope you guys fight for your own dream! Fighting!
