paulmataruso/cml-community
1
0
Fork 0
mirror of https://github.com/CiscoDevNet/cml-community.git synced 2025-10-23 07:42:03 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: paulmataruso:remote-backup
Branches Tags
paulmataruso:master paulmataruso:code-server.custom.01.4.102 paulmataruso:ccnaprep paulmataruso:aaa-tacacs-topology paulmataruso:remote-backup
...
compare: paulmataruso:ef9821a504a0ef3fac21c95f8ac52a38335a1f34
Branches Tags
paulmataruso:master paulmataruso:code-server.custom.01.4.102 paulmataruso:ccnaprep paulmataruso:aaa-tacacs-topology paulmataruso:remote-backup

118 Commits
remote-bac ... ef9821a504

Author SHA1 Message Date
Joe Clarke
ef9821a504 Synchronize to get re-runs to work on the latest repo. 2025-07-20 04:52:06 -04:00
Joe Clarke
cc711f220e Add ext4 as a provision disk type. 2025-07-20 04:37:59 -04:00
branoTaran
2d3049f918 SIMPLE-7648: Added configuration to the ISE node definition (#62) 
* SIMPLE-7648: Added configuration to the ISE node definition

* Added Windows 11 node-definition from simple.

* Fixed typo

* Update ise.yaml

Updated some of the parameters of the config content; Commented all parameters which are not required to run ISE; For some parameters kept the <...> description but added a sample input to help fill them in;
 2025-07-20 04:36:10 -04:00
branoTaran
c30265c1ee Simple win11 node definition (#64) 
* SIMPLE-7648: Added configuration to the ISE node definition

* Added Windows 11 node-definition from simple.

* Fixed typo

* Reverted ise.yaml to upstream state
 2025-07-20 04:35:46 -04:00
Joe Clarke
a0f1f4b6aa Pet markdown lint. 2025-07-12 17:24:05 -04:00
Joe Clarke
91def995a0 Add the CML Sizing Calculator. 2025-07-12 15:47:59 -04:00
Joe Clarke
f9801dddfc Remove submodules in favor of READMEs. 
Also, add a new script, the cml-exporter.
 2025-07-12 15:41:21 -04:00
CML-TAC
12aef0e592 Added JUNOS vSwitch and vRouter node definitions. (#57) 2025-06-27 15:10:47 -04:00
Joe Clarke
e94e1a5669 Fix a typo. 2025-06-10 11:08:40 -04:00
Joe Clarke
6aeb469bf2 Add links to the other HV docs. 2025-06-09 21:26:00 -04:00
Joe Clarke
202c430cf4 Sync to latest eve2cml 2025-06-01 09:55:44 -04:00
Joe Clarke
00665a7564 Remove the Webex link. 2025-06-01 09:53:10 -04:00
Joe Clarke
3952e23fa0 Update Sandbox image. 2025-06-01 09:51:28 -04:00
Joe Clarke
e22d6a170b Update the main CML image. 2025-06-01 09:48:46 -04:00
Joe Clarke
4106a62170 Sync to latest ciscolive-brkcrt-2059 2025-06-01 09:45:29 -04:00
Joe Clarke
a0925ec081 Update schema for CML 2.9. 2025-05-25 15:08:31 -04:00
Ralph Schmieder
0683e4af4a Add autostart script and documentation (#63) 
Add a script to be deployed on CML that allows labs marked with "(autostart)" in their descriptions to be started as soon as the CML server boots up.
 2025-05-20 15:19:25 -04:00
Joe Clarke
c9f06ab4c6 Remove dead submodule. 
Reported by:	Tomas Mikuska
 2025-05-14 05:05:52 -04:00
Hank Preston
8d16025b29 Add CCNA Prep S2E7 - SNMP 2025-04-30 12:45:29 -04:00
Hank Preston
54dc0a6c4e CCNA Prep S2E6 - Syslog 2025-04-17 10:46:45 -04:00
Joe Clarke
ad902c9602 Update with latest testing values. 2025-04-09 10:58:35 -04:00
Joe Clarke
385766c69f Add some modernization. 2025-04-09 09:43:12 -04:00
Joe Clarke
4cc9778d53 Reduce memory RAM to 1 MB. 2025-04-09 09:38:15 -04:00
Hank Preston
79c0df82aa Added S02E05 NTP to list 2025-03-26 12:24:30 -04:00
Hank Preston
2b5b77ceb2 CCNA Prep S02E05 NTP Resources 2025-03-26 12:23:24 -04:00
dependabot[bot]
ea6f212a88 Bump jinja2 from 3.1.5 to 3.1.6 in /scripts/brk2iterm (#61) 
Bumps [jinja2](https://github.com/pallets/jinja) from 3.1.5 to 3.1.6.
- [Release notes](https://github.com/pallets/jinja/releases)
- [Changelog](https://github.com/pallets/jinja/blob/main/CHANGES.rst)
- [Commits](https://github.com/pallets/jinja/compare/3.1.5...3.1.6)

---
updated-dependencies:
- dependency-name: jinja2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-03-26 00:09:55 -04:00
Chris McCoy
ecae100078 Document Node Definition that supports a vEOS day0 config (#60) 
* Correct ordering of interfaces.  Management1 is the first interface, followed by Ethernet1 and the rest.
* Document how to create a base image after SWI completes
* Tests good with vEOS 4.33.2F 64-bit
 2025-03-22 22:19:45 -04:00
Hank Preston
0b7bb154f8 updated CCNA Prep main README wiht details for Season 2 2025-03-19 09:55:25 -04:00
Hank Preston
568e961235 CCNA Prep S02Ep04 SSH Resources 2025-03-19 09:51:27 -04:00
Hank Preston
1f510d7b08 CCNA Prep S2E3 NAT Resources 2025-03-09 09:29:59 -04:00
dependabot[bot]
a4205b4bfe Bump jinja2 from 3.1.4 to 3.1.5 in /scripts/brk2iterm (#58) 
Bumps [jinja2](https://github.com/pallets/jinja) from 3.1.4 to 3.1.5.
- [Release notes](https://github.com/pallets/jinja/releases)
- [Changelog](https://github.com/pallets/jinja/blob/main/CHANGES.rst)
- [Commits](https://github.com/pallets/jinja/compare/3.1.4...3.1.5)

---
updated-dependencies:
- dependency-name: jinja2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-03-01 08:52:02 -05:00
Joe Clarke
9aabef36f5 Fix typo. 2025-03-01 08:49:33 -05:00
Joe Clarke
a9cdfb5a71 Add support for sim parameters. 2025-02-28 14:10:53 -05:00
Joe Clarke
a37d7651b3 Add a VLAN tasks topology tailored for CML Free. 2025-02-23 10:26:14 -05:00
Hank Preston
8f1cbca437 Adding Episodes 1 and 2 from CCNA Prep 2025-02-04 10:16:46 -05:00
Greg Neujahr
0095977080 Updated CML on Hyper-V Documentation (#56) 
* docs: added documentation for running CML on hyper-v

* docs: Updated hyper-v instructions with recommended comments
 2025-01-08 11:25:52 -05:00
Greg Neujahr
1e71172679 docs: added documentation for running CML on hyper-v (#55) 
Initial revision.  More refinements to come.
 2024-12-29 18:58:23 -05:00
Hank Preston
3d899609cf Adding CCNA Prep Resources (#54) 
* CCNA Prep Season 1 Resources

* typo fixes
 2024-12-12 16:51:33 -05:00
Alexander Deca
8a340d947c Added SONiC node and image definitions (#53) 
* Added SONiC Community and Enterprise node definitions

* Update image file paths

* Update image file paths

* Update README.md

* Update image path

* Updated file paths

* Updated README.md

* Updated node definition
 2024-11-19 14:18:28 -05:00
Joe Clarke
02ce8eb54e Add some docs to the node def. 2024-11-13 09:11:36 -05:00
Joe Clarke
db9ef78ace Add an node definition for the UCS Platform Emulator. 2024-11-13 09:05:30 -05:00
ThePurpleBuffalo
5789f89faa FreeBSD node definition and instructions (#51) 
* FreeBSD Node definition

* Update interfaces for FreeBSD
 2024-10-31 08:47:21 -04:00
ThePurpleBuffalo
e066d1a1c2 Fix a typo (#52) 2024-10-29 05:35:17 -04:00
ThePurpleBuffalo
c6bfcb8f01 OpenBSD node definition and build instructions. (#50) 
* OpenBSD node definition and build instructions.

* show pkg_add with cloud-init.  Default to dhcp on em0.

* Update 'Create the VM' section

* Add link to binary
 2024-10-22 08:32:01 -04:00
amarcine
edc671c576 Add howto for CML on Nutanix and Proxmox (#49) 
* add howto for nutanix and proxmox

* moved howto to new documentation folder
 2024-10-21 14:16:28 -04:00
Hank Preston
d7282f17ca Add NXOS version of topology file as alternative 2024-10-14 14:23:34 -04:00
Hank Preston
8bf3652cf7 Lab guide fix 2024-10-08 14:49:13 -04:00
Hank Preston
1b2a390acf Add new AAA - TACACS Lab topology (#48) 
* Add new AAA - TACACS Lab topology

This is a sample topology for exploring AAA TACACS.
 2024-10-08 11:54:17 -04:00
Joe Clarke
04c75b07ed Modernize CHR based on current Mikrotik docs. 2024-09-23 17:11:42 -04:00
Ariadne
6095458ee9 Added VyOS (#47) 
++ node-definition/vyos/README.md
++ node-definition/vyos/VyOS-Router.yaml
++ virl-base-images/vyos/VyOS-1.5-rolling-XXX
++ virl-base-images/vyos/proxmox-instructions.md
++ virl-base-images/vyos/virt-install-instructions.md
 2024-09-23 16:56:26 -04:00
Joe Clarke
2859419ae6 Make the day0 proper JSON. 2024-09-20 10:35:37 -04:00
Joe Clarke
b771613deb Correct interface numbering. 2024-09-18 14:26:53 -04:00
Joe Clarke
b1bf824f79 Improve out of the box use. 
Submitted by:	Tomas Mikuska
 2024-09-18 13:46:16 -04:00
Joe Clarke
8a83eefbee Allow for a min_count for interfaces. 2024-09-18 13:16:22 -04:00
Joe Clarke
a0c56ebf89 Improve out of the box use of FTDv. 
Submitted by:	Tomas Mikuska
 2024-09-18 13:11:27 -04:00
Joe Clarke
f50f27f2cb Bump documented memory to 256 MB. 2024-09-02 14:41:47 -04:00
Joe Clarke
eec359e290 Add a link to Katherine's blog on getting ISE eval. 2024-09-02 14:39:55 -04:00
sig9org
e92707651e Add Windows Server 2022. (#45) 2024-08-14 09:53:57 -04:00
Joe Clarke
8b95b913b4 Use markdown properly. 2024-08-05 11:48:32 -04:00
Joe Clarke
47f3aebfb2 Add some warning text about how best to use ISE. 2024-08-05 11:47:58 -04:00
Joe Clarke
69ab873475 Remove min_count property. 2024-07-18 23:26:55 -04:00
Luke D Russell
ad4b8ce49c Add Check Point Gaia node and image definition (#43) 
* Adds Check Point Gaia security appliances

* add a readme

* Moving path to allow other CP platforms
 2024-07-18 23:24:06 -04:00
Joe Clarke
f924256d24 Add an overarching README for the CCNA labs. 2024-07-10 11:25:47 -04:00
James Leko
33c10d7b34 Import from CCNA contest results. 2024-07-09 11:58:55 -04:00
Thibault Muchery
a8481df40e Import from CCNA contest results. 2024-07-09 11:58:55 -04:00
Jeremy Cox
f38c9b9765 Import from CCNA contest results. 2024-07-09 11:58:55 -04:00
Jeremy Cox
9dfe27cd38 Import from CCNA contest results. 2024-07-09 11:58:55 -04:00
Bandar Shaik Dada Khalandar
330e68255b Import from CCNA contest results. 2024-07-09 11:58:55 -04:00
Bandar Shaik Dada Khalandar
4a2fe8d54d Import from CCNA contest results. 2024-07-09 11:58:55 -04:00
Bandar Shaik Dada Khalandar
16c6f08727 Import from CCNA contest results. 2024-07-09 11:58:55 -04:00
zhaleh tayebi
8a44dfee57 Import from CCNA contest results. 2024-07-09 11:58:55 -04:00
Muhamamd Abdul Samie
d0dec0d4c5 Import from CCNA contest results. 2024-07-09 11:58:55 -04:00
Muhamamd Abdul Samie
4b25ff0db9 Import from CCNA contest results. 2024-07-09 11:58:55 -04:00
Marcello Fante
cb3fa09b32 Import from CCNA contest results. 2024-07-09 11:58:55 -04:00
Marcello Fante
414b7adbb0 Import from CCNA contest results. 2024-07-09 11:58:55 -04:00
Marcello Fante
aee5f02ee5 Import from CCNA contest results. 2024-07-09 11:58:55 -04:00
Marcello Fante
c428adec3f Import from CCNA contest results. 2024-07-09 11:58:55 -04:00
Marcello Fante
aaf25dc813 Import from CCNA contest results. 2024-07-09 11:58:54 -04:00
Marcello Fante
cb110ab616 Import from CCNA contest results. 2024-07-09 11:58:54 -04:00
Jose Solorio
60d0f70a49 Import from CCNA contest results. 2024-07-09 11:58:54 -04:00
Rogelio Jr Villaver
e3d7f0d04b Import from CCNA contest results. 2024-07-09 11:58:54 -04:00
Joe Clarke
c9290fba70 Allow VGA as a video vard type. 2024-06-15 12:51:25 -04:00
Joe Clarke
65205ebed8 Add a node def for Cisco Identity Services Engine. 
Thanks to Hank Preston for an assist on the disk driver.
 2024-06-15 12:48:20 -04:00
Joe Clarke
d177a8e431 Add a screenshot. 2024-06-02 15:21:20 -04:00
Bandar Shaik Dada Khalandar
c5d2b8e8a6 Add a CML CCNA contest task. 
This focuses on blueprint task 1.1.
 2024-06-02 15:20:02 -04:00
dependabot[bot]
8b2b0f6d6d --- (#41) 
updated-dependencies:
- dependency-name: jinja2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-05-22 11:42:20 -04:00
Rodrigo Vizcarra
5b5a0ae2c3 Adding Watchguard FireboxV all version (#40) 2024-05-22 11:37:11 -04:00
Joe Clarke
a11a8484aa Add platform console serial. 
This allows one to use the console even in controller mode.
 2024-04-22 08:56:55 -04:00
Joe Clarke
a835d23daf Update with some 2.7 properties. 2024-04-09 12:19:02 -04:00
Joe Clarke
4d714a9008 Revert driver changes to improve compatibility. 2024-04-09 10:33:30 -04:00
Joe Clarke
334ac88325 Sync with the 2.7 released node definitions. 
Additionally:

* Bump memory of Manager to 32 GB
* Fix bootstrapping Edge devices
 2024-04-09 10:24:45 -04:00
sig9org
842cc7659d Add Extreme EXOS/VOSS. (#39) 2024-04-02 19:53:51 -04:00
dependabot[bot]
ff075d90da Bump jinja2 from 3.1.2 to 3.1.3 in /scripts/brk2iterm (#38) 
Bumps [jinja2](https://github.com/pallets/jinja) from 3.1.2 to 3.1.3.
- [Release notes](https://github.com/pallets/jinja/releases)
- [Changelog](https://github.com/pallets/jinja/blob/main/CHANGES.rst)
- [Commits](https://github.com/pallets/jinja/compare/3.1.2...3.1.3)

---
updated-dependencies:
- dependency-name: jinja2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-03-12 20:12:27 -04:00
Joe Clarke
310cfb0b6b Add a submodule for Ralph's eve2cml tool. 
This tool allows one to convert EVE-NG topologies to CML topologies.
 2024-03-12 20:09:36 -04:00
kellychristians
933b81bedb Windows SecureCRT Lab/Session Generation (#37) 
* New script project for SecureCRT Session Generation

Simple script for automated session generation with secureCRT on windows.
minimal module requirements
 2024-03-01 11:40:28 -05:00
Joe Clarke
ae3bc7b8b4 Chase the official IDs and names. 2024-01-31 10:23:31 -05:00
Joe Clarke
9d6ac400ec Add a comment that the cloud-init syntax is for older software. 2023-11-28 13:51:59 -05:00
Joe Clarke
ef7994edd4 Revert. This is internal. 2023-11-28 12:47:15 -05:00
Joe Clarke
159fbac9e3 Add another SD-WAN automation use case. 2023-11-28 12:46:30 -05:00
Joe Clarke
a9cefbb02d Add a specific cEdge node def. 
The day 0 config file name is different for cEdge than the base
Cat8000V.
 2023-11-28 11:32:16 -05:00
Joe Clarke
1ac2ee7b0e Update SD-WAN node definitions. 
Switch to the new Catalyst brand and update requirements and interface
names to match reality.

Since the Cat8Kv is the new "cEdge" leverage the existing Cat8Kv that
already ships with CML and remove the legacy iosxe-sdwan node definition
here.
 2023-11-21 14:47:48 -05:00
Ralph Schmieder
e5d2c238c3 added 300 node lab (#36) 2023-11-15 08:57:33 -05:00
Joe Clarke
61655c6596 Bump the memory to 256 to support ROS 7.x. 2023-09-13 09:01:04 -04:00
Hank Preston
49ba04e065 adding ipsec-exploration topology 2023-07-21 16:00:01 -04:00
Joe Clarke
fc3920d704 Add CML in AWS use case. 2023-05-02 11:10:52 -04:00
Hank Preston
ee2f5232e5 A basic topology for traffic forwarding labs 2023-04-25 21:04:13 -04:00
tmikuska
cea96a0d76 IPv6 migration support and other improvements to the migration script (#33) 2023-01-25 03:26:48 -05:00
Xinyu Wei
46930d5014 Add Juniper vSRX 3.0 node and image definition files (#32) 
* Add Juniper vSRX 3.0 node and image definition files

* Add Juniper vSRX 3.0 day 0 config
 2023-01-10 16:05:34 -05:00
oliveruhlar
e2f4389732 change cat8000v nd max number of interfaces (#31) 
Co-authored-by: Oliver Uhlar <ouhlar@cisco.com>
 2022-12-18 09:54:06 -05:00
Joe Clarke
48e7ba46b3 Ignore .vscode. 2022-12-10 20:10:41 -05:00
Joe Clarke
0b50c0e683 Add CiscoLive module with sample topologies. 2022-12-10 20:10:02 -05:00
CML-TAC
2191ef1b8a Fixed NXOSv 9500 148 directory (#30) 
Rename directory.
 2022-11-30 08:03:34 -05:00
oliveruhlar
f9b6e0d205 Fix for sim.video.memory (#29) 
* change sim.video.memory range

* set default sim.video.memory

Co-authored-by: Oliver Uhlar <ouhlar@cisco.com>
 2022-11-29 13:50:41 -05:00
Joe Clarke
c66dbf84b3 Remove trailing whitespace. 2022-11-27 12:34:16 -05:00
oliveruhlar
82da71d916 Validate action and some fixes for node definitions (#28) 
* Validation by schema action for node definitions

* fix sim.video.model for windows 10 nd

* change action checkout version

* fix node definitions (do not explicitly set `boot_disk_size` as this may break booting.  Instead, let libvirt use the actual size of the backing disk)

Co-authored-by: Oliver Uhlar <ouhlar@cisco.com>
 2022-11-27 12:32:31 -05:00
CML-TAC
0de8f83503 Fixed Win Server 2019 node definition and added NXOSv 9500 (#26) 
* Create README.MD

adding palo alto node and image definition

* Update README.MD

* Created readme

Created readme for Windows 10 node definition

* fixed typo

* added node def

* Delete README.md

* Delete winServer2019.yaml

* Add files via upload

* updated

* windows 2019

* added server 2019

* updated readme

* updated

* added node definitions

* added readme

* added node def

* added readme

* added node def

* added readme

* added node def

* added readme

* fixed typo

* added node def

* already exists

* updated fields

* Update winServer2019.yaml

Fixed Windows Server 2019 node definition

* Update winServer2019.yaml

fixed video model

* Create nxosv9500-148.yaml

Added NXOSv 9500 128 ports

* Create readme.md

Added readme

* Update readme.md

fixed formatting

* Delete README.MD

removed duplicate readme

* Update readme.md

Fixed Typo

* Rename node-definitions/cisco/NXOSv 9500 128 ports/nxosv9500-148.yaml to node-definitions/cisco/NXOSv 9500 148 ports/nxosv9500-148.yaml

Fixed directory name
 2022-11-26 07:53:06 -05:00
shawnjury
b837227eac Breakout tool update add mac support (#25) 
* breakout update and MAC OS support

Added getAllNodes function to cmlApiCalls.py.
Added Mac OS support into main.py
Added new logic to get all nodes, find label and node_definition, sort by label and add the SecureCRT ini files.  This matched what the breakout tool provided for my machine.

* Update main.py

* Using Lab_title

Changed to use the LabTitle for the Directory/CRT.  This makes it more human readable when you have multiple labs.
 2022-11-03 06:30:35 -04:00
Alexander Deca
2cf2c8af59 Update README.MD for PAN-OS (#24) 
* Updated README.md

* Updated README

* update
 2022-10-16 11:40:00 -04:00
255 changed files with 90492 additions and 3440 deletions
Expand all files Collapse all files

25
.github/workflows/nd_validation.yaml vendored Normal file
View File

@@ -0,0 +1,25 @@
name: Node definition schema check
on:
push:
types: [synchronize]
paths:
- 'node-definitions/**/*.yaml'
pull_request:
types: [synchronize]
paths:
- 'node-definitions/**/*.yaml'
jobs:
validate:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Validations of node definitions
uses: thiagodnf/yaml-schema-checker@v0.0.8
with:
jsonSchemaFile: validation_schemas/node_definition.json
yamlFiles: node-definitions/**/*.yaml

1
.gitignore vendored
View File

@@ -1,5 +1,6 @@
#macs
.DS_Store
.vscode/
#ansible
*.retry

21
.gitmodules vendored
View File

@@ -1,21 +0,0 @@
[submodule "use-cases/cml-class-automation"]
path = use-cases/cml-class-automation
url = https://github.com/CiscoDevNet/cml-class-automation
[submodule "use-cases/cml-cicd"]
path = use-cases/cml-cicd
url = https://github.com/CiscoDevNet/cml-cicd
[submodule "use-cases/dst-automation"]
path = use-cases/dst-automation
url = https://github.com/CiscoDevNet/dst-automation
[submodule "use-cases/virlutils"]
path = use-cases/virlutils
url = https://github.com/CiscoDevNet/virlutils
[submodule "use-cases/ansible-cml"]
path = use-cases/ansible-cml
url = https://github.com/CiscoDevNet/ansible-cml
[submodule "use-cases/cml-nxos-l3-edge-fabric"]
path = use-cases/cml-nxos-l3-edge-fabric
url = https://github.com/charliefenwick/cml-nxos-l3-edge-fabric
[submodule "use-cases/sdwan-devops"]
path = use-cases/sdwan-devops
url = https://github.com/CiscoDevNet/sdwan-devops

39
README.md
View File

@@ -4,47 +4,53 @@
Community Contributed Content and Resources for Cisco Modeling Labs
![](readme_images/cml-labmanager.jpg)
![CML Screenshot](readme_images/cml-lab.png)
## Repository Description
[Cisco Modeling Labs](http://developer.cisco.com/modeling-labs) (CML) is a network simulation platform from Cisco that allows for the creation of robust network topologies made up of nearly anything you can imagine. It supports virtual machine based devices using QCOW or KVM format, and can be tied into physical components by "bridging" the simulation to the real world.
This repository is intended to be a place for the CML community to find and share content that builds on top of the standard CML installation. Examples of this content include:
CML is officially supported on bare-metal x86\_64 servers and in VMware ESXi and VMware Workstation virtual machines.
Unofficially, CML can be installed onto [HyperV](documentation/cml_on_hyperv.md), [Proxmox](documentation/cml_on_proxmox.md),
and [Nutanix AHV](documentation/cml_on_nutanix.md).
This repository is intended to be a place for the CML community to find and share content that builds on top of the standard CML installation. Examples of this content include:
### Node and Image Definition Files
Included with CML is a library of ["reference platforms"](https://developer.cisco.com/docs/modeling-labs/#!reference-platforms-and-images) for a variety of Cisco network devices as well as images for Linux servers, traffic generators, unmanaged devices, etc. However, CML allows a "bring your own image" model for any KVM supported image. While we **cannot** share the actual QCOW image files for nodes that require proper licensing and rights from individual platform owners, we can post the CML YAML file definitions that have been created to support different platforms from Cisco as well as third party vendors.
The folder structure of this repository reflect the folder structure and naming conventions used on the CML server itself for storing the definitions.
Included with CML is a library of ["reference platforms"](https://developer.cisco.com/docs/modeling-labs/#!reference-platforms-and-images) for a variety of Cisco network devices as well as images for Linux servers, traffic generators, unmanaged devices, etc. However, CML allows a "bring your own image" model for any KVM supported image. While we **cannot** share the actual QCOW image files for nodes that require proper licensing and rights from individual platform owners, we can post the CML YAML file definitions that have been created to support different platforms from Cisco as well as third party vendors.
The folder structure of this repository reflect the folder structure and naming conventions used on the CML server itself for storing the definitions.
* [node-definitions](node-definitions) - Folder containing YAML file definitions for a CML node. The YAML file includes details on how the VM would be configured (ie CPU, RAM, Network Adapters, etc).
* [virl-base-images](virl-base-images) - Folder containing a folder for each added platform disk image. Within each platform folder you will find a YAML file that references a specific `disk_image` file for a platform. A base image definition will reference a node definition.
* *Note: You will need to download the disk images from the vendors yourself.*
* **Note: You will need to download the disk images from the vendors yourself.**
When deciding how many total resources you need to use CML, consult the [CML Sizing Calculator](documentation/cml_sizing_calculator.xlsx).
### Sample Lab Topologies
### Sample Lab Topologies
CML includes a series of Sample Labs that are available from the Tools menu in Lab Manager, however these are just a start of the possible network simulations that can be created. Within this repository users of CML can find, or share, network topologies that have been created to highlight a specific type of simulation challenge.
> Note: Sample Lab Topologies from this repository may leverage nodes that are **NOT** included with the standard reference platform for CML. Be sure to look at the requirements for any given lab topology.
> Note: Sample Lab Topologies from this repository may leverage nodes that are **NOT** included with the standard reference platform for CML. Be sure to look at the requirements for any given lab topology.
## DevNet Sandbox
A great way to make your repo easy for others to use is to provide a link to a [DevNet Sandbox](https://developer.cisco.com/site/sandbox/) that provides a network or other resources required to use this code. In addition to identifying an appropriate sandbox, be sure to provide instructions and any configuration necessary to run your code with the sandbox.
If you are new to Cisco Modeling Labs, you can explore and test drive CML within [DevNet Sandbox](https://developer.cisco.com/site/sandbox/). Just search for "Cisco Modeling" from the Sandbox Catalog.
If you are new to Cisco Modeling Labs, you can explore and test drive CML within [DevNet Sandbox](https://developer.cisco.com/site/sandbox/). Just search for "Cisco Modeling" from the Sandbox Catalog.
![](readme_images/sandbox-catalog-cml.jpg)
![DevNet Sandbox Screenshot](readme_images/sandbox-catalog-cml.png)
## Getting help
Instruct users how to get help with this code; this might include links to an issues list, wiki, mailing list, etc.
**Example**
### Example
If you have questions, concerns, bug reports, etc., please create an issue against this repository.
If you've questions on using CML, here are some places to checkout:
* [Cisco Modeling Labs Support](https://developer.cisco.com/docs/modeling-labs/#!support)
* [Cisco Modeling Labs Webex Teams Space](https://eurl.io/#bWHTbWz1Z)
If you've questions on using CML, post them to our [CML community](https://developer.cisco.com/docs/modeling-labs/#!support).
## Getting involved
@@ -60,3 +66,6 @@ This project was written and is maintained by the following individuals:
* sig9 <sig9@sig9.org>
* Ozzy Schoonover <OzzySchoonover@gmail.com>
* Alexander Deca <alexander@deca-consulting.be>
* Xinyu Wei <trustywolf@sfc.wide.ad.jp>
* Kelly Christians <kelly.christians@rsmus.com>
* Ariadne Haske <ariadne@haske.org>

74
documentation/cml_on_hyperv.md Normal file
View File

@@ -0,0 +1,74 @@
# CML on Hyper-V
These instructions explain how to deploy CML as a virtual machine (VM) that runs on Hyper-V on Windows. (When deploying to Hyper-V, you do not need to install VMware Workstation on your local system.) You will need a version of Windows that supports and provides the Hyper-V feature. Recent versions of Windows Pro and Windows Enterprise should work. Windows Server 2016 should also include Hyper-V, but the steps to deploy on Windows Server may differ slightly. These instructions will probably not work on other editions of Windows, such as Windows 11 Home. YMMV.
These instructions were tested on Windows 11 Enterprise but should work for other editions of Windows that meet the requirements.
## Requirements
- Windows 10 Pro/Enterprise or later, Server 2016 or later
- Hyper-V windows feature installed and enabled
## Setup
### Enable Hyper-V
To enable Hyper-V on Windows refer to these [instructions](https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/). The steps below are a summary of what is provided in the linked documentation.
- Open the **Control Panel**
- Click **Programs** and then **Programs and Features**
- Click **Turn Windows Features on or off**
- Check the checkbox for the top-level **Hyper-V** feature to enable all Hyper-V features
- Click **OK**
- Reboot when asked
### Create Hyper-V Bridged Network
By default, the CML VM will only be visible from your local host OS where Hyper-V is running. If you would like to access the CML VM from a different host on your network, you must create a bridged network in Hyper-V. You will also need to create a Hyper-V bridged network if you would like to send traffic into a lab running on the CML VM from another host or device on your network. See the CML documentation on [external connectors](https://developer.cisco.com/docs/modeling-labs/external-connectors/) for further information.
If you only plan to access the CML instance or the labs running in CML from the local machine where Hyper-V is running, you can skip these steps.
- Launch the Hyper-V GUI
- In the menu on the right of the screen, click **Virtual Switch Manager**
- In the **Create virtual switch** section, select **External** and click **Create Virtual Switch**
- From the list of external network cards, select a network card connected to your local network
- Click **OK** to save the changes
If you skip the above steps and decide later to utilize external network connections, you can follow the above instructions later. However, you will need to edit the virtual machine settings (created below) and change the associated _Virtual Switch_ to one created above to enable external connections.
### Create Hyper-V Virtual Machine
Before proceeding with the following steps, make sure to [download the latest CML ISO](https://developer.cisco.com/docs/modeling-labs/downloading-files-for-cml-installation/). For this step you do **NOT** need the _refplat_ ISO image, only the ISO for the _bare metal installation_.
#### Initial Creation
- Open the Hyper-V GUI from the windows start menu
- In the menu on the right of the screen, click **New** and **Virtual Machine** to open the **New Virtual Machine Wizard**
- Click **Next** on the **Before You Begin** screen if it was not previously dismissed
- On the **Specify a Name and Location** screen, use a **Name** without spaces to avoid quoting/escaping issues
- On the **Specify Generation** screen, select **Generation 2**
- On the **Assign Memory** screen, assign sufficient memory to meet the requirements for CML, as well as any labs you wish to run. Refer to the [CML documentation](https://developer.cisco.com/docs/modeling-labs/system-requirements/).
- Do **NOT** use dynamic memory
- **ATTENTION** Using dynamic memory with the CML VM will have a negative impact on the performance on your labs running in the CML VM. The nodes in your network simulation use nested virtualization, and using dynamic memory in Hyper-V can cause _significant_ performance problems because of page swapping.
- On the **Configure Networking** screen, connect the network adapter to either the external network (created above) or the default Hyper-V virtual switch (if you wish to only access CML from the host machine)
- On the **Connect Virtual Hard Disk** screen, assign sufficient disk space to meet the requirements for CML, as well as labs you wish to run. Refer to the [CML documentation](https://developer.cisco.com/docs/modeling-labs/system-requirements/).
- On the **Installation Options** screen, select **Install an Operating System Later**
- Click **Finish** to create the VM. Note the name of the VM you created for the following steps.
#### Additional Settings
- Right click the virtual machine you just created in the **Virtual Machines** list and select **Settings**
- Click the **Security** tab in the left menu
- In the **Security Settings** section, uncheck **Enable Secure Boot** on the right to disable it
- Click the **Processor** tab in the left menu
- In the **Processor** section, adjust **Number of Virtual Processors** according to the CML requirements and your lab demands. Refer to the [CML documentation](https://developer.cisco.com/docs/modeling-labs/system-requirements/).
- Click the **SCSI Controller** tab in the left menu
- In the **SCSI Controller** section, select **DVD Drive** and click **Add**.
- Under the **Media** section, select **Image File** and click **Browse** to select the CML bare metal installation ISO you downloaded earlier
- Click **OK** to save the configuration changes. Do **NOT** start the VM yet.
### Enable Nested Virtualization
- Open a PowerShell prompt as an administrator
- Run
```powershell
PS C:\> Set-VMProcessor -VMName <VMName> -ExposeVirtualizationExtensions $true
```
`<VMName>` should be replaced with your VM name from above. Quote appropriately if it contains spaces.
### Boot the Virtual Machine and configure CML
- Double click the CML VM in the **Virtual Machines** list
- Click the green **Start** button in the toolbar
- Follow the [CML instructions](https://developer.cisco.com/docs/modeling-labs/bare-metal-installation-bare-metal-installation/) for a bare metal installation

34
documentation/cml_on_nutanix.md Normal file
View File

@@ -0,0 +1,34 @@
### CML on Nutanix CE
##### Requirements:
- Installed and configured Nutanix CE node (or cluster) from https://www.nutanix.com/uk/products/community-edition
- Downloaded CML installation ISO/OVA and refplat ISO image
##### Install CML from ISO
- Upload install and refplat ISOs to datastore. Go to Settings and Image Configuration. Select correct storage container (Images in our case) and other details and click Save.
- Wait until upload task is completed.
- Go to Settings/VM and click 'Create VM'. Fill name of VM, select number of vCPUs, cores, memory.
- Switch BIOS Configuration to UEFI. If you need secure boot, switch cdrom from IDE to SATA.
- Update cdrom settings and insert CML iso there:
- Add new disk, select correct storage container (VMs in our case)
- Add also at least one NIC
- Save VM, open ssh connection to CVM and enable nested virtualization on CML VM:
```shell
nutanix@NTNX-d295a2f4-A-CVM:10.0.10.90:~$ acli vm.list
VM name VM UUID
cml-ova-import-test b7854f03-3117-453e-9221-2611eefe0b94
cml-test-2.8.0dev e56f7e8d-a663-4826-b128-8e98ba8f1c84
ova-cml-test a1dce5ed-5d12-4096-a48f-293c35837f88
ubuntu-test-vm d5c8d107-d58f-4d6f-a585-77ef494cf2a5
nutanix@NTNX-d295a2f4-A-CVM:10.0.10.90:~$ acli vm.update cml-test-2.8.0dev cpu_passthrough=true
cml-test-2.8.0dev: pending
cml-test-2.8.0dev: complete
```
- Power on VM and launch VM console. Proceed with CML setup. Insert refplat ISO to cdrom when needed.
##### Installing CML from OVA:
In Nutanix CE, there is no option how to import OVA, you need Prism central from paid version. There should be OVA import feature in GUI - more info is here: https://portal.nutanix.com/page/documents/kbs/details?targetId=kA03200000099TXCAY
In Nutanix CE, untar OVA file and upload vmdk disk into image storage container.
When creating VM, just use 'Clone from Image Service'.
Everything else is same as when installing from ISO.

49
documentation/cml_on_proxmox.md Normal file
View File

@@ -0,0 +1,49 @@
### CML on Proxmox
##### Requirements:
- Installed and configured Proxmox node (or cluster) from https://www.proxmox.com/en/downloads
- Downloaded CML installation ISO/OVA and refplat ISO image
##### Install CML from ISO
- Import install and refplat ISOs via GUI (Folder View / Storage / local storage / ISO images / Upload or Download from URL)
If upload is not working (wrong file extension error), copy ISO files to /var/lib/vz/template/iso/ (or any other ISO compatible storage) on Proxmox host via shell.
- Start creating new VM
- General tab
- fill VM name
- OS tab
- switch storage to one where ISOs were uploaded
- select CML install ISO from ISO image dropdown
- System tab
- select VirtIO SCSI single controller
- switch BIOS to OVMF (UEFI)
- select some storage for EFI disk
- Disks tab
- set disk size to at least 32GB
- CPU tab
- set needed number of Sockets and Cores
- CPU type must be set to 'host' to support nested virtualization
- Memory tab
- set amount of memory
- Network tab
- choose correct network/MTU etc for first interface (if more interfaces are needed, they must be added after VM creation via Hardware / Add / Network Device option)
Finish VM creation. Start VM and follow install instructions. Switch install iso for refplat when needed.
##### Install CML from OVA
- Import reflat ISO via GUI (Folder View / Storage / local storage / ISO images / Upload or Download from URL)
If upload is not working (wrong file extension error), copy ISO file to /var/lib/vz/template/iso/ (or any other ISO compatible storage) on Proxmox host via shell.
- Copy OVA file to folder for example /var/lib/vz/template/ova/ on Proxmox host.
- Unzip OVA with 'tar -xf cml2_2.7.0-5_amd64-21.ova' command.
- From /var/lib/vz/template/ova/ run import commad: `qm importovf 107 cml2_2.7.0-5_amd64-21_SHA256.ovf local-lvm`. 107 is VM id, choose some not used already, and local-lvm is VMs storage.
- Go to Proxmox GUI and open newly created VM (id 107 in our case).
- Edit HW of VM:
- switch BIOS to OVMF (UEFI)
- add new HW 'EFI disk'
- set processor type to 'host'
- change SCSI controller to 'VirtIO SCSI single'
- add Network Device and set model to 'VirtIO Paravirtualized' (add more NICs if needed)
- add CD/DVD Drive and select appropriate storage and iso image
Boot VM and complete CML installaion

BIN
documentation/cml_sizing_calculator.xlsx Normal file
View File

Binary file not shown.

33753
lab-topologies/300-node-lab/300_node_lab.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

17
lab-topologies/300-node-lab/README.md Normal file
View File

@@ -0,0 +1,17 @@
# README.md
![topo](./topo.png)
## What is it
This lab topology has been created using a script available [here](https://github.com/rschmied/topogen).
It's big and random. Yeah!
## Things to do
- the DNS host should have access to the Internet to install dnsmasq and iptables. It will provide Internet access for the entire lab and also acts as the DNS.
- name resolution for all routers is available, the server is the DNS host. All records point to the loopback addresses (e.g. things like `telnet r84` should work from everywhere).
- all routers run OSPF in area 0 `¯\_(ツ)_/¯`
- try some traceroute
> **Note**: Obviously, this needs a ton of resources (and licenses) to run. It's mostly a proof of concept and a bit of a scale test demo topology. Check the `topogen` repository (link above) to create smaller topologies.

BIN
lab-topologies/300-node-lab/topo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 331 KiB

376
lab-topologies/aaa-tacacs-exploration/README.ios-nxos.md Normal file
View File

@@ -0,0 +1,376 @@
# Exploring AAA / TACACS Device Administration Configuration in IOS and NX-OS.
![](topology-ios-nxos.jpg)
Verifying the identity of the people who log into network, what each person is allowed to do on a network device, and tracking what was done is a critical part of network operations. Collectively these are known as "Triple A Services", or Authentication, Authorization, and Accounting. Another name used is "Role Based Access Control", or RBAC.
TACACS+ is a common protocol used for RBAC / AAA on network devices, and this lab explores how to configure AAA on both IOS and NX-OS devices.
> RADIUS is another protocol that can be used for device administration with AAA.
A TACACS server must be available on the network for devices to send AAA requests to for validation. This lab leverages an open source `tac_plus` server as a lightweight service that can be easily installed on an Ubuntu host within the topology. For more information on `tac_plus` see the documentation for [`tac_plus`](https://manpages.ubuntu.com/manpages/trusty/man8/tac_plus.8.html) and [`tac_plus.conf`](https://manpages.ubuntu.com/manpages/trusty/man5/tac_plus.conf.5.html). The starting config for `aaa-server` installs `tac_plus` and deploys a basic TACACS configuration to support IOS and NX-OS hosts connecting for user authentication, role based authorization (administrator and operator), and accounting. The configuration file `tac_plus.conf` is located at `/etc/tacacs/tac_plus.conf`. You can modify this configuraiton file and restart `tac_plus` (`sudo systemctl restart tac_plus`) as part of your own learning.
> Command authorization is not part of this lab guide, and the `tac_plus` server is ***NOT*** configured for command authorization as part of the initial configuration. Though you can update the `tac_plus.conf` file and experiment with command authorization on your own.
# Configuring an IOS device for TACACS device administration
## Starting Configuration on `ios01`
`ios01` has the following configuration applied as startup configuration to enable inbound SSH from `desktop` that is locally authenticated.
```
ip domain name lab.intra
crypto key generate rsa general-keys modulus 2048
!
aaa new-model
!
username cisco priv 15 secret cisco
```
## Ensuring the serial / console leverages local authentication
To provide safety and fallback access to devices, we will force the console line to only use local admin accounts.
```
aaa authentication login CONSOLE local
aaa authorization console
aaa authorization exec CONSOLE local
!
line con 0
login authentication CONSOLE
authorization exec CONSOLE
!
```
## Configuring TACACS server as default AAA
Start by identitying the interface that TACACS packets should be sourced from. This is often important because TACACS servers typically only respond to known hosts/addresses.
```
ip tacacs source-interface Ethernet0/0
```
Now create the TACACS server entry for the server. Be sure to double check the "key" (secret) used for communications.
> Note: Be careful to NOT add an extra "space" after the key. This can cause problems on some platforms.
```
tacacs server aaa-server
address ipv4 192.168.0.10
key tacacs123
!
```
Create a `aaa group` that includes the TACACS server. In a production environment, you would typically have at least 2 TACASC servers configured for fallback.
```
aaa group server tacacs+ AAA-TACACS
server name aaa-server
!
```
Test that the TACACS server is responding successfully.
```
test aaa group tacacs+ iosadmin admin123 legacy
```
Configure the authentication, authorization, and accounting policies.
```
aaa authentication login default group AAA-TACACS local
aaa authorization exec default group AAA-TACACS local
!
aaa accounting exec default start-stop group AAA-TACACS
aaa accounting commands 1 default start-stop group AAA-TACACS
aaa accounting commands 15 default start-stop group AAA-TACACS
!
```
## Testing the configuration
Open the console for the `aaa-server` and monitor the service "journal"
```
journalctl -fu tac_plus
```
Open the console for the `desktop` and attempt to connect to `ios01` with SSH as the `iosadmin` user.
```
ssh iosadmin@192.168.0.1
```
After you log in, run a command to verify access.
```
show ip interface brief
```
Check the output on the `aaa-server`. You should see messages for both the `authentication` and `authorization`
```
# Examples
Oct 07 21:30:36 aaa-server tac_plus[5704]: login query for 'iosadmin' port tty2 from 192.168.0.1 accepted
Oct 07 21:30:36 aaa-server tac_plus[5705]: connect from 192.168.0.1 [192.168.0.1]
Oct 07 21:30:36 aaa-server tac_plus[5705]: Start authorization request
Oct 07 21:30:36 aaa-server tac_plus[5705]: do_author: user='iosadmin'
Oct 07 21:30:36 aaa-server tac_plus[5705]: user 'iosadmin' found
Oct 07 21:30:36 aaa-server tac_plus[5705]: exec authorization request for iosadmin
Oct 07 21:30:36 aaa-server tac_plus[5705]: exec is explicitly permitted by line 4
Oct 07 21:30:36 aaa-server tac_plus[5705]: nas:service=shell (passed thru)
Oct 07 21:30:36 aaa-server tac_plus[5705]: nas:cmd* (passed thru)
Oct 07 21:30:36 aaa-server tac_plus[5705]: nas:absent, server:priv-lvl=15 -> add priv-lvl=15 (k)
Oct 07 21:30:36 aaa-server tac_plus[5705]: added 1 args
Oct 07 21:30:36 aaa-server tac_plus[5705]: out_args[0] = service=shell input copy discarded
Oct 07 21:30:36 aaa-server tac_plus[5705]: out_args[1] = cmd* input copy discarded
Oct 07 21:30:36 aaa-server tac_plus[5705]: out_args[2] = priv-lvl=15 compacted to out_args[0]
Oct 07 21:30:36 aaa-server tac_plus[5705]: 1 output args
Oct 07 21:30:36 aaa-server tac_plus[5705]: authorization query for 'iosadmin' tty2 from 192.168.0.1 accepted
```
Stop the journalctl monitor (`Cntrl-c`), and open the accounting log.
```
tail -f /var/log/tac_plus.acct
```
> Note: If the command fails and the file isn't found, return to the SSH session to the router and run a couple commands. The file isn't created until an accounting message is sent to the server.
Run some more commands on `ios01`. Try some that are `priv 15` as well as `priv 1`
```
! Priv 1
show ip route
! Priv 15
write mem
```
Verify the accounting logs were received.
Logout from the router, and log in as `iosoper`. Verify through the same logs that the user is given the correct access.
# Configuring an NX-OS device for TACACS device administration
## Enabling and configuring TACACS for AAA on `nxos01`
The Nexus network operating system requires features to be `enabled` before they can become available for configuration. Start by enabling `tacacs+`.
```
feature tacacs+
```
Next configured `aaa-server` as a tacacs-server.
```
tacacs-server host 192.168.0.10 key tacacs123
```
Create a server group for TACACS servers. Like with IOS, typically you would configured at least 2 `tacacs-server` entries for redundancy.
> Nexus switches typically leverage a dedicated management interface (`mgmt0`) that is in a dedicated `management` VRF. Be sure to configure the settings on the group, otherwise the switch will default to using the "global" or "default" VRF to reach the TACACS server, which may fail.
```
aaa group server tacacs+ AAA-TACACS
server 192.168.0.10
use-vrf management
source-interface mgmt0
```
Test that the TACACS server is responding successfully.
> Be sure to use the correct username for NX-OS devices.
```
test aaa group AAA-TACACS nxosadmin admin123
```
Now configure `aaa authentication login` to leverage the server.
> NX-OS automatically falls back to try `local` authentication if the TACACS servers are unreachable. So it is ***not*** explicitly added like with IOS.
```
aaa authentication login default group AAA-TACACS
```
Unlike IOS, NX-OS automatically performs `exec` authorization as part of the `authentication login` process. So no `aaa authorization` command is required.
> If you explore the configuration commands, you will see `aaa authorization commands` as an option. This would check for explicit per-command authorization from the TACACS server whenever a user attempts to run a command. Command authorization is also supported on IOS devices.
>
> Command authorization is not part of this lab guide, and the `tac_plus` server is ***NOT*** configured for command authorization as part of the initial configuration. Though you can update the `tac_plus.conf` file and experiment with command authorization on your own.
Lastly, enable AAA accounting
```
! Track "enable" mode, and priv 15 and 1 commands
aaa accounting default group AAA-TACACS
```
## Testing the configuration
Open the console for the `aaa-server` and monitor the service "journal"
```
journalctl -fu tac_plus
```
Open the console for the `desktop` and attempt to connect to `nxos01` with SSH as the `nxosadmin` user.
```
ssh nxosadmin@192.168.0.2
```
After you log in, verify role assigment.
```
show user-account nxosadmin
! Output
user:nxosadmin
roles:network-admin vdc-admin
account created through REMOTE authentication
Credentials such as ssh server key will be cached temporarily only for this user
account
Local login not possible
```
Check the output on the `aaa-server`. You should see messages for both the `authentication` and `authorization`
```
# Examples
Oct 14 17:37:45 aaa-server tac_plus[5888]: connect from 192.168.0.2 [192.168.0.2]
Oct 14 17:37:45 aaa-server tac_plus[5888]: pap-login query for 'nxosadmin' port 0 from 192.168.0.2 accepted
Oct 14 17:37:46 aaa-server tac_plus[5889]: connect from 192.168.0.2 [192.168.0.2]
Oct 14 17:37:46 aaa-server tac_plus[5889]: Start authorization request
Oct 14 17:37:46 aaa-server tac_plus[5889]: do_author: user='nxosadmin'
Oct 14 17:37:46 aaa-server tac_plus[5889]: user 'nxosadmin' found
Oct 14 17:37:46 aaa-server tac_plus[5889]: exec authorization request for nxosadmin
Oct 14 17:37:46 aaa-server tac_plus[5889]: exec is explicitly permitted by line 20
Oct 14 17:37:46 aaa-server tac_plus[5889]: nas:service=shell (passed thru)
Oct 14 17:37:46 aaa-server tac_plus[5889]: nas:cmd= (passed thru)
Oct 14 17:37:46 aaa-server tac_plus[5889]: nas:cisco-av-pair* svr:absent/deny -> delete cisco-av-pair* (i)
Oct 14 17:37:46 aaa-server tac_plus[5889]: nas:shell:roles* svr:shell:roles="network-admin vdc-admin" -> replace with shell:roles="network-admin vdc-admin" (f)
Oct 14 17:37:46 aaa-server tac_plus[5889]: replaced 2 args
Oct 14 17:37:46 aaa-server tac_plus[5889]: authorization query for 'nxosadmin' 0 from 192.168.0.2 accepted
Oct 14 17:37:46 aaa-server tac_plus[5890]: connect from 192.168.0.2 [192.168.0.2]
```
Stop the journalctl monitor (`Cntrl-c`), and open the accounting log.
```
tail -f /var/log/tac_plus.acct
```
You should see a `start` message for when you logged into the switch.
```
Oct 14 17:40:41 192.168.0.2 nxosadmin 0 192.168.0.11 start task_id=192.168.0.11@pts/3 start_time=1728927636 timezone=UTC service=none
```
Run the command `show version`. You will ***NOT*** see accounting messages on the server. NX-OS only supports command accounting for "admin" commands.
Run the command `copy run start`. You should see a message such as:
```
Oct 14 17:51:51 192.168.0.2 nxosadmin 0 192.168.0.11 stop task_id=192.168.0.11@pts/3 start_time=1728928303 timezone=UTC cmd=copy running-config startup-config (SUCCESS) service=none
```
Try to configure a loopback interface.
```
config t
interface loop1
```
You should see an accounting message.
```
Oct 14 17:51:04 192.168.0.2 nxosadmin 0 192.168.0.11 stop task_id=192.168.0.11@pts/3 start_time=1728928256 timezone=UTC cmd=configure terminal ; interface loopback1 (SUCCESS) service=none
```
Disconnect from the SSH session to `nxos01`. You should see a `stop` message in the accounting log.
```
Oct 14 17:40:44 192.168.0.2 nxosadmin 0 192.168.0.11 stop task_id=192.168.0.11@pts/3 start_time=1728927638 timezone=UTC stop_time=1728927638 service=none
```
Logout from the router, and log in as `tacoper`. Verify through the same logs that the user is given the correct access.
# Other useful commands and references
### Network Device Debug commands
***IOS:***
```
debug aaa authentication
debug aaa authorization
debug aaa accounting
debug tacacs authentication
debug tacacs authorization
debug tacacs accounting
```
***NX-OS:***
```
debug aaa aaa-requests
debug tacacs aaa-requests
```
### Network Device Show commands
**IOS:***
```
show tacacs
show aaa sessions
```
***NX-OS:***
```
show tacacs-server
show user-account
```
### Test AAA
**IOS:***
```
test aaa group tacacs+ iosadmin admin123 legacy
```
**NX-OS:***
```
test aaa group AAA-TACACS nxosadmin admin123
```
### aaa-server logs
***tac_plus logs:***
```
journalctl -fu tac_plus
tail -f /var/log/tac_plus.acct
tail -f /var/log/tac_plus.log
```
### tac_plus server maintenance
***tac_plus srevice:***
```
systemctl status tac_plus
sudo systemctl stop tac_plus
sudo systemctl start tac_plus
```

193
lab-topologies/aaa-tacacs-exploration/README.md Normal file
View File

@@ -0,0 +1,193 @@
# Exploring AAA / TACACS Configuration for IOS
> Note: An alternative topology file [aaa-exploration-ios-nxos.yaml](aaa-exploration-ios-nxos.yaml) is available that adds a NX-OS switch to the topology and walks through configuring TACACS on this data center platform as well.
![](topology.jpg)
Verifying the identity of the people who log into network, what each person is allowed to do on a network device, and tracking what was done is a critical part of network operations. Collectively these are known as "Triple A Services", or Authentication, Authorization, and Accounting. Another name used is "Role Based Access Control", or RBAC.
TACACS+ is a common protocol used for RBAC / AAA on network devices, and this lab explores how to configure AAA on both IOS and NX-OS devices.
> RADIUS is another protocol that can be used for device administration with AAA.
A TACACS server must be available on the network for devices to send AAA requests to for validation. This lab leverages an open source `tac_plus` server as a lightweight service that can be easily installed on an Ubuntu host within the topology. For more information on `tac_plus` see the documentation for [`tac_plus`](https://manpages.ubuntu.com/manpages/trusty/man8/tac_plus.8.html) and [`tac_plus.conf`](https://manpages.ubuntu.com/manpages/trusty/man5/tac_plus.conf.5.html). The starting config for `aaa-server` installs `tac_plus` and deploys a basic TACACS configuration to support IOS and NX-OS hosts connecting for user authentication, role based authorization (administrator and operator), and accounting. The configuration file `tac_plus.conf` is located at `/etc/tacacs/tac_plus.conf`. You can modify this configuraiton file and restart `tac_plus` (`sudo systemctl restart tac_plus`) as part of your own learning.
> Command authorization is not part of this lab guide, and the `tac_plus` server is ***NOT*** configured for command authorization as part of the initial configuration. Though you can update the `tac_plus.conf` file and experiment with command authorization on your own.
## Starting Configuration
`rtr1` has the following configuration applied as startup configuration to enable inbound SSH from `desktop` that is locally authenticated.
```
ip domain name lab.intra
crypto key generate rsa general-keys modulus 2048
!
aaa new-model
!
username cisco priv 15 secret cisco
```
## Ensuring the serial / console leverages local authentication
To provide safety and fallback access to devices, we will force the console line to only use local admin accounts.
```
aaa authentication login CONSOLE local
aaa authorization console
aaa authorization exec CONSOLE local
!
line con 0
login authentication CONSOLE
authorization exec CONSOLE
!
```
## Configuring TACACS server as default AAA
Start by identitying the interface that TACACS packets should be sourced from. This is often important because TACACS servers typically only respond to known hosts/addresses.
```
ip tacacs source-interface Ethernet0/0
```
Now create the TACACS server entry for the server. Be sure to double check the "key" (secret) used for communications.
> Note: Be careful to NOT add an extra "space" after the key. This can cause problems on some platforms.
```
tacacs server aaa-server
address ipv4 192.168.0.10
key tacacs123
!
```
Create a `aaa group` that includes the TACACS server. In a production environment, you would typically have at least 2 TACASC servers configured for fallback.
```
aaa group server tacacs+ AAA-TACACS
server name aaa-server
!
```
Test that the TACACS server is responding successfully.
```
test aaa group tacacs+ tacadmin admin123 legacy
```
Configure the authentication, authorization, and accounting policies.
```
aaa authentication login default group AAA-TACACS local
aaa authorization exec default group AAA-TACACS local
!
aaa accounting exec default start-stop group AAA-TACACS
aaa accounting commands 1 default start-stop group AAA-TACACS
aaa accounting commands 15 default start-stop group AAA-TACACS
!
```
## Testing the configuration
Open the console for the `tacacs-server` and monitor the service "journal"
```
journalctl -fu tac_plus
```
Open the console for the `desktop` and attempt to connect to `rtr1` with SSH as the `tacadmin` user.
```
ssh tacadmin@192.168.0.1
```
After you log in, run a command to verify access.
```
show ip interface brief
```
Check the output on the `tacacs-server`. You should see messages for both the `authentication` and `authorization`
```
# Examples
Oct 07 21:30:36 tacacs-server tac_plus[5704]: login query for 'tacadmin' port tty2 from 192.168.0.1 accepted
Oct 07 21:30:36 tacacs-server tac_plus[5705]: connect from 192.168.0.1 [192.168.0.1]
Oct 07 21:30:36 tacacs-server tac_plus[5705]: Start authorization request
Oct 07 21:30:36 tacacs-server tac_plus[5705]: do_author: user='tacadmin'
Oct 07 21:30:36 tacacs-server tac_plus[5705]: user 'tacadmin' found
Oct 07 21:30:36 tacacs-server tac_plus[5705]: exec authorization request for tacadmin
Oct 07 21:30:36 tacacs-server tac_plus[5705]: exec is explicitly permitted by line 4
Oct 07 21:30:36 tacacs-server tac_plus[5705]: nas:service=shell (passed thru)
Oct 07 21:30:36 tacacs-server tac_plus[5705]: nas:cmd* (passed thru)
Oct 07 21:30:36 tacacs-server tac_plus[5705]: nas:absent, server:priv-lvl=15 -> add priv-lvl=15 (k)
Oct 07 21:30:36 tacacs-server tac_plus[5705]: added 1 args
Oct 07 21:30:36 tacacs-server tac_plus[5705]: out_args[0] = service=shell input copy discarded
Oct 07 21:30:36 tacacs-server tac_plus[5705]: out_args[1] = cmd* input copy discarded
Oct 07 21:30:36 tacacs-server tac_plus[5705]: out_args[2] = priv-lvl=15 compacted to out_args[0]
Oct 07 21:30:36 tacacs-server tac_plus[5705]: 1 output args
Oct 07 21:30:36 tacacs-server tac_plus[5705]: authorization query for 'tacadmin' tty2 from 192.168.0.1 accepted
```
Stop the journalctl monitor (`Cntrl-c`), and open the accounting log.
```
tail -f /var/log/tac_plus.acct
```
> Note: If the command fails and the file isn't found, return to the SSH session to the router and run a couple commands. The file isn't created until an accounting message is sent to the server.
Run some more commands on `rtr1`. Try some that are `priv 15` as well as `priv 1`
```
! Priv 1
show ip route
! Priv 15
write mem
```
Verify the accounting logs were received.
Logout from the router, and log in as `tacoper`. Verify through the same logs that the user is given the correct access.
## Other useful commands
### Debugs on the router
```
debug aaa authentication
debug aaa authorization
debug aaa accounting
debug tacacs authentication
debug tacacs authorization
debug tacacs accounting
```
### Show commands on router
```
show tacacs
show aaa sessions
```
### Test AAA
```
test aaa group tacacs+ tacadmin admin123 legacy
```
### tacacs-server logs
```
journalctl -fu tac_plus
tail -f /var/log/tac_plus.acct
tail -f /var/log/tac_plus.log
```
### tac_plus server maintenance
```
systemctl status tac_plus
sudo systemctl stop tac_plus
sudo systemctl start tac_plus
```

673
lab-topologies/aaa-tacacs-exploration/Snack_Minute_AAA_TACACS_Exploration.yaml Normal file
View File

@@ -0,0 +1,673 @@
annotations:
- border_color: '#00000000'
border_style: ''
color: '#808080FF'
rotation: 0
text_bold: false
text_content: 192.168.0.10
text_font: monospace
text_italic: false
text_size: 10
text_unit: pt
thickness: 1
type: text
x1: -565.0
y1: -74.0
z_index: 0
- border_color: '#00000000'
border_style: ''
color: '#808080FF'
rotation: 0
text_bold: false
text_content: 192.168.0.11
text_font: monospace
text_italic: false
text_size: 10
text_unit: pt
thickness: 1
type: text
x1: -325.0
y1: -73.0
z_index: 0
- border_color: '#00000000'
border_style: ''
color: '#808080FF'
rotation: 0
text_bold: false
text_content: 192.168.0.1
text_font: monospace
text_italic: false
text_size: 10
text_unit: pt
thickness: 1
type: text
x1: -446.3066108896985
y1: 47.653305444849266
z_index: 0
- border_color: '#00000000'
border_style: ''
color: '#808080FF'
rotation: 0
text_bold: false
text_content: cisco / cisco
text_font: monospace
text_italic: false
text_size: 8
text_unit: pt
thickness: 1
type: text
x1: -559.75
y1: -55.5
z_index: 1
- border_color: '#00000000'
border_style: ''
color: '#808080FF'
rotation: 0
text_bold: false
text_content: cisco / cisco
text_font: monospace
text_italic: false
text_size: 8
text_unit: pt
thickness: 1
type: text
x1: -318.75
y1: -53.5
z_index: 1
- border_color: '#00000000'
border_style: ''
color: '#808080FF'
rotation: 0
text_bold: false
text_content: |-
TACACS Accounts
tacadmin / admin123 (priv 15)
tacoper / oper123 (priv 1)
TACACS Secret
tacacs123
TACACS Log Files
journalctl -fu tac_plus
tail -f /var/log/tac_plus.acct
text_font: monospace
text_italic: false
text_size: 10
text_unit: pt
thickness: 1
type: text
x1: -960.4378534132434
y1: -244.7193548844158
z_index: 2
- border_color: '#00000000'
border_style: ''
color: '#808080FF'
rotation: 0
text_bold: false
text_content: cisco / cisco
text_font: monospace
text_italic: false
text_size: 8
text_unit: pt
thickness: 1
type: text
x1: -443.7290720829766
y1: 67.39536041488296
z_index: 1
- border_color: '#00000000'
border_style: ''
color: '#0C0C0C'
rotation: 0
text_bold: true
text_content: Exploring AAA / TACACS Configuration for IOS
text_font: monospace
text_italic: false
text_size: 13
text_unit: pt
thickness: 1
type: text
x1: -962.0997946295324
y1: -292.6838112360871
z_index: 3
nodes:
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n0
image_definition: null
label: internet
node_definition: external_connector
parameters: {}
ram: null
tags: []
x: -640
y: -240
interfaces:
- id: i0
label: port
slot: 0
type: physical
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n1
image_definition: null
label: internet-sw
node_definition: unmanaged_switch
parameters: {}
ram: null
tags: []
x: -640
y: -120
interfaces:
- id: i0
label: port0
slot: 0
type: physical
- id: i1
label: port1
slot: 1
type: physical
- id: i2
label: port2
slot: 2
type: physical
- id: i3
label: port3
slot: 3
type: physical
- id: i4
label: port4
slot: 4
type: physical
- id: i5
label: port5
slot: 5
type: physical
- id: i6
label: port6
slot: 6
type: physical
- id: i7
label: port7
slot: 7
type: physical
- boot_disk_size: null
configuration:
- name: user-data
content: |-
#cloud-config
hostname: tacacs-server
manage_etc_hosts: True
system_info:
default_user:
name: cisco
password: cisco
chpasswd: { expire: False }
ssh_pwauth: True
ssh_authorized_keys:
- your-ssh-pubkey-line-goes-here
# Install requirements for tac_plus
package_update: true
packages:
- wget
- make
- gcc
- flex
- bison
- libwrap0-dev
write_files:
# Create the tac_plus configuration file
- path: /etc/tacacs/tac_plus.conf
content: |
key = tacacs123
group = netadmin {
default service = permit
service = exec {
priv-lvl = 15
}
}
group = netoper {
default service = permit
service = exec {
priv-lvl = 1
}
}
user = tacadmin {
login = cleartext admin123
member = netadmin
}
user = tacoper {
login = cleartext oper123
member = netoper
}
# Create a systemd service to manage tac_plus
- path: /etc/systemd/system/tac_plus.service
content: |
[Unit]
Description=tac_plus Service
After=network.target
[Service]
Type=simple
ExecStart=/tacacs/sbin/tac_plus -G -C /etc/tacacs/tac_plus.conf -d 8 -d 16 -l /var/log/tac_plus.log
[Install]
WantedBy=multi-user.target
runcmd:
# Download tac_plus source code and un-tar it
- wget https://shrubbery.net/pub/tac_plus/tacacs-F4.0.4.28.tar.gz -O /opt/tacacs-F4.0.4.28.tar.gz
- cd /opt && tar -xzf tacacs-F4.0.4.28.tar.gz
# Compile and install tac_plus
- cd /opt/tacacs-F4.0.4.28 && ./configure --prefix=/tacacs && make && make install
# Enable and start the systemd service
- systemctl enable tac_plus
- systemctl start tac_plus
# Configure "inside" network adapter
# Note: ens2 is connected to internet through NAT ext-con and
# required to download the software
- ip address add 192.168.0.10/24 dev ens3
- ip link set up dev ens3
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n2
image_definition: ubuntu-22-04-20240126
label: tacacs-server
node_definition: ubuntu
parameters: {}
ram: null
tags: []
x: -520
y: -120
interfaces:
- id: i0
label: ens2
slot: 0
type: physical
- id: i1
label: ens3
slot: 1
type: physical
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n3
image_definition: null
label: lab-sw
node_definition: unmanaged_switch
parameters: {}
ram: null
tags: []
x: -400
y: -120
interfaces:
- id: i0
label: port0
slot: 0
type: physical
- id: i1
label: port1
slot: 1
type: physical
- id: i2
label: port2
slot: 2
type: physical
- id: i3
label: port3
slot: 3
type: physical
- id: i4
label: port4
slot: 4
type: physical
- id: i5
label: port5
slot: 5
type: physical
- id: i6
label: port6
slot: 6
type: physical
- id: i7
label: port7
slot: 7
type: physical
- boot_disk_size: null
configuration:
- name: ios_config.txt
content: |-
hostname rtr1
!
! In order to avoid entering a configuration dialog
! on boot, please ensure that all ethernet interfaces
! have some ip configuration present here such as the
! example below:
!
interface range Ethernet 0/0 - 3
no ip address
shutdown
!
no ip domain lookup
ip domain name lab.intra
crypto key generate rsa general-keys modulus 2048
!
aaa new-model
!
username cisco priv 15 secret cisco
!
interface Eth0/0
no shutdown
ip address 192.168.0.1 255.255.255.0
exit
!
end
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n4
image_definition: null
label: rtr1
node_definition: iol-xe
parameters: {}
ram: null
tags: []
x: -400
y: 0
interfaces:
- id: i0
label: Loopback0
type: loopback
- id: i1
label: Ethernet0/0
slot: 0
type: physical
- id: i2
label: Ethernet0/1
slot: 1
type: physical
- id: i3
label: Ethernet0/2
slot: 2
type: physical
- id: i4
label: Ethernet0/3
slot: 3
type: physical
- boot_disk_size: null
configuration:
- name: node.cfg
content: |
# this is a shell script which will be sourced at boot
hostname desktop
# configurable user account
USERNAME=cisco
PASSWORD=cisco
# Network Settings
ip address add 192.168.0.11/24 dev eth0
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n5
image_definition: null
label: desktop
node_definition: desktop
parameters: {}
ram: null
tags: []
x: -280
y: -120
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
- id: i1
label: eth1
slot: 1
type: physical
links:
- id: l0
n1: n1
n2: n0
i1: i0
i2: i0
conditioning: {}
label: ext-sw-port0<->ext-conn-0-port
- id: l1
n1: n2
n2: n1
i1: i0
i2: i3
conditioning: {}
label: aaa-server_0-ens2<->ext-sw-port3
- id: l2
n1: n2
n2: n3
i1: i1
i2: i0
conditioning: {}
label: aaa-server_0-ens3<->ext-sw_0-port0
- id: l3
n1: n4
n2: n3
i1: i1
i2: i1
conditioning: {}
label: router1_0-Ethernet0/0<->ext-sw_0-port1
- id: l4
n1: n5
n2: n3
i1: i0
i2: i2
conditioning: {}
label: desktop-0-eth0<->ext-sw_0-port2
lab:
description: Simple topology for practicing AAA TACACS configuration in IOS.
notes: |-
# Exploring AAA / TACACS Configuration for IOS
Verifying the identity of the people who log into network, what each person is allowed to do on a network device, and tracking what was done is a critical part of network operations. Collectively these are known as "Triple A Services", or Authentication, Authorization, and Accounting. Another name used is "Role Based Access Control", or RBAC.
TACACS+ is a common protocol used for RBAC / AAA on network devices, and this lab explores how to configure AAA on both IOS and NX-OS devices.
> RADIUS is another protocol that can be used for device administration with AAA.
A TACACS server must be available on the network for devices to send AAA requests to for validation. This lab leverages an open source `tac_plus` server as a lightweight service that can be easily installed on an Ubuntu host within the topology. For more information on `tac_plus` see the documentation for [`tac_plus`](https://manpages.ubuntu.com/manpages/trusty/man8/tac_plus.8.html) and [`tac_plus.conf`](https://manpages.ubuntu.com/manpages/trusty/man5/tac_plus.conf.5.html). The starting config for `aaa-server` installs `tac_plus` and deploys a basic TACACS configuration to support IOS and NX-OS hosts connecting for user authentication, role based authorization (administrator and operator), and accounting. The configuration file `tac_plus.conf` is located at `/etc/tacacs/tac_plus.conf`. You can modify this configuraiton file and restart `tac_plus` (`sudo systemctl restart tac_plus`) as part of your own learning.
> Command authorization is not part of this lab guide, and the `tac_plus` server is ***NOT*** configured for command authorization as part of the initial configuration. Though you can update the `tac_plus.conf` file and experiment with command authorization on your own.
## Starting Configuration
`rtr1` has the following configuration applied as startup configuration to enable inbound SSH from `desktop` that is locally authenticated.
```
ip domain name lab.intra
crypto key generate rsa general-keys modulus 2048
!
aaa new-model
!
username cisco priv 15 secret cisco
```
## Ensuring the serial / console leverages local authentication
To provide safety and fallback access to devices, we will force the console line to only use local admin accounts.
```
aaa authentication login CONSOLE local
aaa authorization console
aaa authorization exec CONSOLE local
!
line con 0
login authentication CONSOLE
authorization exec CONSOLE
!
```
## Configuring TACACS server as default AAA
Start by identitying the interface that TACACS packets should be sourced from. This is often important because TACACS servers typically only respond to known hosts/addresses.
```
ip tacacs source-interface Ethernet0/0
```
Now create the TACACS server entry for the server. Be sure to double check the "key" (secret) used for communications.
> Note: Be careful to NOT add an extra "space" after the key. This can cause problems on some platforms.
```
tacacs server aaa-server
address ipv4 192.168.0.10
key tacacs123
!
```
Create a `aaa group` that includes the TACACS server. In a production environment, you would typically have at least 2 TACASC servers configured for fallback.
```
aaa group server tacacs+ AAA-TACACS
server name aaa-server
!
```
Test that the TACACS server is responding successfully.
```
test aaa group tacacs+ tacadmin admin123 legacy
```
Configure the authentication, authorization, and accounting policies.
```
aaa authentication login default group AAA-TACACS local
aaa authorization exec default group AAA-TACACS local
!
aaa accounting exec default start-stop group AAA-TACACS
aaa accounting commands 1 default start-stop group AAA-TACACS
aaa accounting commands 15 default start-stop group AAA-TACACS
!
```
## Testing the configuration
Open the console for the `tacacs-server` and monitor the service "journal"
```
journalctl -fu tac_plus
```
Open the console for the `desktop` and attempt to connect to `rtr1` with SSH as the `tacadmin` user.
```
ssh tacadmin@192.168.0.1
```
After you log in, run a command to verify access.
```
show ip interface brief
```
Check the output on the `tacacs-server`. You should see messages for both the `authentication` and `authorization`
```
# Examples
Oct 07 21:30:36 tacacs-server tac_plus[5704]: login query for 'tacadmin' port tty2 from 192.168.0.1 accepted
Oct 07 21:30:36 tacacs-server tac_plus[5705]: connect from 192.168.0.1 [192.168.0.1]
Oct 07 21:30:36 tacacs-server tac_plus[5705]: Start authorization request
Oct 07 21:30:36 tacacs-server tac_plus[5705]: do_author: user='tacadmin'
Oct 07 21:30:36 tacacs-server tac_plus[5705]: user 'tacadmin' found
Oct 07 21:30:36 tacacs-server tac_plus[5705]: exec authorization request for tacadmin
Oct 07 21:30:36 tacacs-server tac_plus[5705]: exec is explicitly permitted by line 4
Oct 07 21:30:36 tacacs-server tac_plus[5705]: nas:service=shell (passed thru)
Oct 07 21:30:36 tacacs-server tac_plus[5705]: nas:cmd* (passed thru)
Oct 07 21:30:36 tacacs-server tac_plus[5705]: nas:absent, server:priv-lvl=15 -> add priv-lvl=15 (k)
Oct 07 21:30:36 tacacs-server tac_plus[5705]: added 1 args
Oct 07 21:30:36 tacacs-server tac_plus[5705]: out_args[0] = service=shell input copy discarded
Oct 07 21:30:36 tacacs-server tac_plus[5705]: out_args[1] = cmd* input copy discarded
Oct 07 21:30:36 tacacs-server tac_plus[5705]: out_args[2] = priv-lvl=15 compacted to out_args[0]
Oct 07 21:30:36 tacacs-server tac_plus[5705]: 1 output args
Oct 07 21:30:36 tacacs-server tac_plus[5705]: authorization query for 'tacadmin' tty2 from 192.168.0.1 accepted
```
Stop the journalctl monitor (`Cntrl-c`), and open the accounting log.
```
tail -f /var/log/tac_plus.acct
```
> Note: If the command fails and the file isn't found, return to the SSH session to the router and run a couple commands. The file isn't created until an accounting message is sent to the server.
Run some more commands on `rtr1`. Try some that are `priv 15` as well as `priv 1`
```
! Priv 1
show ip route
! Priv 15
write mem
```
Verify the accounting logs were received.
Logout from the router, and log in as `tacoper`. Verify through the same logs that the user is given the correct access.
## Other useful commands
### Debugs on the router
```
debug aaa authentication
debug aaa authorization
debug aaa accounting
debug tacacs authentication
debug tacacs authorization
debug tacacs accounting
```
### Show commands on router
```
show tacacs
show aaa sessions
```
### Test AAA
```
test aaa group tacacs+ tacadmin admin123 legacy
```
### tacacs-server logs
```
journalctl -fu tac_plus
tail -f /var/log/tac_plus.acct
tail -f /var/log/tac_plus.log
```
### tac_plus server maintenance
```
systemctl status tac_plus
sudo systemctl stop tac_plus
sudo systemctl start tac_plus
```
title: Snack Minute AAA TACACS Exploration
version: 0.2.2

1007
lab-topologies/aaa-tacacs-exploration/aaa-exploration-ios-nxos.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

BIN
lab-topologies/aaa-tacacs-exploration/topology-ios-nxos.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 78 KiB

BIN
lab-topologies/aaa-tacacs-exploration/topology.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 76 KiB

935
lab-topologies/basic-forwarding-behavior.yaml Normal file
View File

@@ -0,0 +1,935 @@
lab:
description: 'A flexible network topology useful for different explorations of forwarding
behavior. A single are OSPF network is configured with two LANs on either side. Linux
Alpine hosts configured for traffic testing. '
notes: ''
title: Basic Forwarding Behavior
version: 0.1.0
links:
- id: l0
n1: n4
n2: n6
i1: i2
i2: i2
label: R5-GigabitEthernet0/1<->S2-GigabitEthernet0/1
- id: l1
n1: n0
n2: n4
i1: i3
i2: i3
label: R2-GigabitEthernet0/2<->R5-GigabitEthernet0/2
- id: l2
n1: n1
n2: n4
i1: i3
i2: i4
label: R3-GigabitEthernet0/2<->R5-GigabitEthernet0/3
- id: l3
n1: n3
n2: n4
i1: i3
i2: i5
label: R4-GigabitEthernet0/2<->R5-GigabitEthernet0/4
- id: l4
n1: n8
n2: n5
i1: i0
i2: i6
label: H2-eth0<->S1-GigabitEthernet1/1
- id: l5
n1: n7
n2: n5
i1: i0
i2: i5
label: H1-eth0<->S1-GigabitEthernet1/0
- id: l6
n1: n6
n2: n9
i1: i5
i2: i0
label: S2-GigabitEthernet1/0<->H3-eth0
- id: l7
n1: n5
n2: n2
i1: i2
i2: i2
label: S1-GigabitEthernet0/1<->R1-GigabitEthernet0/1
- id: l8
n1: n0
n2: n2
i1: i2
i2: i3
label: R2-GigabitEthernet0/1<->R1-GigabitEthernet0/2
- id: l9
n1: n1
n2: n2
i1: i2
i2: i4
label: R3-GigabitEthernet0/1<->R1-GigabitEthernet0/3
- id: l10
n1: n3
n2: n2
i1: i2
i2: i5
label: R4-GigabitEthernet0/1<->R1-GigabitEthernet0/4
- id: l11
n1: n10
n2: n6
i1: i0
i2: i6
label: H4-eth0<->S2-GigabitEthernet1/1
nodes:
- boot_disk_size: 0
configuration: |-
!
hostname R2
!
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 10.12.12.2 255.255.255.0
ip ospf cost 100
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
ip address 10.25.25.2 255.255.255.0
ip ospf cost 100
duplex auto
speed auto
media-type rj45
!
!
router ospf 1
router-id 2.2.2.2
network 10.12.12.0 0.0.0.255 area 0
network 10.25.25.0 0.0.0.255 area 0
!
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
!
!
end
cpu_limit: 100
cpus: 1
data_volume: 0
hide_links: false
id: n0
label: R2
node_definition: iosv
ram: 512
tags: []
x: 223
y: 285
interfaces:
- id: i0
label: Loopback0
type: loopback
- id: i1
label: GigabitEthernet0/0
slot: 0
type: physical
- id: i2
label: GigabitEthernet0/1
slot: 1
type: physical
- id: i3
label: GigabitEthernet0/2
slot: 2
type: physical
- id: i4
label: GigabitEthernet0/3
slot: 3
type: physical
- boot_disk_size: 0
configuration: |-
!
hostname R3
!
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 10.13.13.3 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
ip address 10.35.35.3 255.255.255.0
duplex auto
speed auto
media-type rj45
!
!
router ospf 1
router-id 3.3.3.3
network 10.13.13.0 0.0.0.255 area 0
network 10.35.35.0 0.0.0.255 area 0
!
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
!
!
end
cpu_limit: 100
cpus: 1
data_volume: 0
hide_links: false
id: n1
label: R3
node_definition: iosv
ram: 512
tags: []
x: 387
y: 288
interfaces:
- id: i0
label: Loopback0
type: loopback
- id: i1
label: GigabitEthernet0/0
slot: 0
type: physical
- id: i2
label: GigabitEthernet0/1
slot: 1
type: physical
- id: i3
label: GigabitEthernet0/2
slot: 2
type: physical
- id: i4
label: GigabitEthernet0/3
slot: 3
type: physical
- boot_disk_size: 0
configuration: |-
!
hostname R1
!
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1.100
encapsulation dot1Q 100
ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet0/1.200
encapsulation dot1Q 200
ip address 192.168.200.1 255.255.255.0
!
interface GigabitEthernet0/2
ip address 10.12.12.1 255.255.255.0
ip ospf cost 100
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/3
ip address 10.13.13.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/4
ip address 10.14.14.1 255.255.255.0
ip ospf cost 110
duplex auto
speed auto
media-type rj45
!
router ospf 1
router-id 1.1.1.1
passive-interface GigabitEthernet0/1
network 10.12.12.0 0.0.0.255 area 0
network 10.13.13.0 0.0.0.255 area 0
network 10.14.14.0 0.0.0.255 area 0
network 192.168.100.0 0.0.0.255 area 0
network 192.168.200.0 0.0.0.255 area 0
!
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
!
!
end
cpu_limit: 100
cpus: 1
data_volume: 0
hide_links: false
id: n2
label: R1
node_definition: iosv
ram: 512
tags: []
x: 352
y: 440
interfaces:
- id: i0
label: Loopback0
type: loopback
- id: i1
label: GigabitEthernet0/0
slot: 0
type: physical
- id: i2
label: GigabitEthernet0/1
slot: 1
type: physical
- id: i3
label: GigabitEthernet0/2
slot: 2
type: physical
- id: i4
label: GigabitEthernet0/3
slot: 3
type: physical
- id: i5
label: GigabitEthernet0/4
slot: 4
type: physical
- boot_disk_size: 0
configuration: |-
!
hostname R4
!
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 10.14.14.4 255.255.255.0
ip ospf cost 100
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
ip address 10.45.45.4 255.255.255.0
ip ospf cost 100
duplex auto
speed auto
media-type rj45
!
!
router ospf 1
router-id 4.4.4.4
network 10.14.14.0 0.0.0.255 area 0
network 10.45.45.0 0.0.0.255 area 0
!
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
!
!
end
cpu_limit: 100
cpus: 1
data_volume: 0
hide_links: false
id: n3
label: R4
node_definition: iosv
ram: 512
tags: []
x: 517
y: 282
interfaces:
- id: i0
label: Loopback0
type: loopback
- id: i1
label: GigabitEthernet0/0
slot: 0
type: physical
- id: i2
label: GigabitEthernet0/1
slot: 1
type: physical
- id: i3
label: GigabitEthernet0/2
slot: 2
type: physical
- id: i4
label: GigabitEthernet0/3
slot: 3
type: physical
- boot_disk_size: 0
configuration: |-
!
hostname R5
!
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 172.16.10.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
ip address 10.25.25.5 255.255.255.0
ip ospf cost 100
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/3
ip address 10.35.35.5 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/4
ip address 10.45.45.5 255.255.255.0
ip ospf cost 110
duplex auto
speed auto
media-type rj45
!
router ospf 1
router-id 5.5.5.5
passive-interface GigabitEthernet0/1
network 10.25.25.0 0.0.0.255 area 0
network 10.35.35.0 0.0.0.255 area 0
network 10.45.45.0 0.0.0.255 area 0
network 172.16.10.0 0.0.0.255 area 0
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
!
!
end
cpu_limit: 100
cpus: 1
data_volume: 0
hide_links: false
id: n4
label: R5
node_definition: iosv
ram: 512
tags: []
x: 389
y: 145
interfaces:
- id: i0
label: Loopback0
type: loopback
- id: i1
label: GigabitEthernet0/0
slot: 0
type: physical
- id: i2
label: GigabitEthernet0/1
slot: 1
type: physical
- id: i3
label: GigabitEthernet0/2
slot: 2
type: physical
- id: i4
label: GigabitEthernet0/3
slot: 3
type: physical
- id: i5
label: GigabitEthernet0/4
slot: 4
type: physical
- boot_disk_size: 0
configuration: |-
!
hostname S1
!
vlan 100
name YELLOW
exit
vlan 200
name BLUE
exit
!
!
interface GigabitEthernet0/0
negotiation auto
!
interface GigabitEthernet0/1
switchport trunk allowed vlan 100,200
switchport trunk encapsulation dot1q
switchport mode trunk
negotiation auto
!
interface GigabitEthernet0/2
negotiation auto
!
interface GigabitEthernet0/3
negotiation auto
!
interface GigabitEthernet1/0
switchport access vlan 100
switchport mode access
negotiation auto
!
interface GigabitEthernet1/1
switchport access vlan 200
switchport mode access
negotiation auto
!
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
!
!
end
cpu_limit: 100
cpus: 1
data_volume: 0
hide_links: false
id: n5
label: S1
node_definition: iosvl2
ram: 768
tags: []
x: 505
y: 568
interfaces:
- id: i0
label: Loopback0
type: loopback
- id: i1
label: GigabitEthernet0/0
slot: 0
type: physical
- id: i2
label: GigabitEthernet0/1
slot: 1
type: physical
- id: i3
label: GigabitEthernet0/2
slot: 2
type: physical
- id: i4
label: GigabitEthernet0/3
slot: 3
type: physical
- id: i5
label: GigabitEthernet1/0
slot: 4
type: physical
- id: i6
label: GigabitEthernet1/1
slot: 5
type: physical
- boot_disk_size: 0
configuration: |-
!
hostname S2
!
vlan 10
name PURPLE
exit
!
!
interface GigabitEthernet0/0
negotiation auto
!
interface GigabitEthernet0/1
switchport access vlan 10
switchport mode access
negotiation auto
no shutdown
!
interface GigabitEthernet0/2
switchport access vlan 10
switchport mode access
negotiation auto
no shutdown
!
interface GigabitEthernet0/3
switchport access vlan 10
switchport mode access
negotiation auto
no shutdown
!
interface GigabitEthernet1/0
switchport access vlan 10
switchport mode access
negotiation auto
no shutdown
!
interface GigabitEthernet1/1
switchport access vlan 10
switchport mode access
negotiation auto
no shutdown
!
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
!
!
end
cpu_limit: 100
cpus: 1
data_volume: 0
hide_links: false
id: n6
label: S2
node_definition: iosvl2
ram: 768
tags: []
x: 234
y: 34
interfaces:
- id: i0
label: Loopback0
type: loopback
- id: i1
label: GigabitEthernet0/0
slot: 0
type: physical
- id: i2
label: GigabitEthernet0/1
slot: 1
type: physical
- id: i3
label: GigabitEthernet0/2
slot: 2
type: physical
- id: i4
label: GigabitEthernet0/3
slot: 3
type: physical
- id: i5
label: GigabitEthernet1/0
slot: 4
type: physical
- id: i6
label: GigabitEthernet1/1
slot: 5
type: physical
- boot_disk_size: 16
configuration: |-
# this is a shell script which will be sourced at boot
hostname H1
# configurable user account
USERNAME=cisco
PASSWORD=cisco
# ip
ip addr add 192.168.100.11/24 dev eth0
ip link set dev eth0 up
ip route add 0.0.0.0/0 via 192.168.100.1
#ip route add 192.168.0.0/16 via 192.168.100.1
#ip route add 172.16.0.0/14 via 192.168.100.1
#ip route add 10.0.0.0/8 via 192.168.100.1
#ip link set dev eth0 up
cpu_limit: 100
cpus: 1
data_volume: 0
hide_links: true
id: n7
label: H1
node_definition: desktop
ram: 512
tags: []
x: 342
y: 569
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
- id: i1
label: eth1
slot: 1
type: physical
- boot_disk_size: 16
configuration: |-
# this is a shell script which will be sourced at boot
hostname H2
# configurable user account
USERNAME=cisco
PASSWORD=cisco
# IP Information
ip addr add 192.168.200.11/24 dev eth0
ip link set dev eth0 up
ip route add 0.0.0.0/0 via 192.168.200.1
cpu_limit: 100
cpus: 1
data_volume: 0
hide_links: false
id: n8
label: H2
node_definition: desktop
ram: 512
tags: []
x: 662
y: 565
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
- boot_disk_size: 16
configuration: |-
# this is a shell script which will be sourced at boot
hostname H3
# configurable user account
USERNAME=cisco
PASSWORD=cisco
# IP Information
ip addr add 172.16.10.11/24 dev eth0
ip link set dev eth0 up
ip route add default via 172.16.10.1
cpu_limit: 100
cpus: 1
data_volume: 0
hide_links: false
id: n9
label: H3
node_definition: desktop
ram: 512
tags: []
x: 441
y: -44
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
- boot_disk_size: 16
configuration: |-
# this is a shell script which will be sourced at boot
hostname H4
# configurable user account
USERNAME=cisco
PASSWORD=cisco
# IP Information
ip addr add 172.16.10.21/24 dev eth0
ip link set dev eth0 up
ip route add default via 172.16.10.1
cpu_limit: 100
cpus: 1
data_volume: 0
hide_links: false
id: n10
label: H4
node_definition: alpine
ram: 512
tags: []
x: 461
y: 65
interfaces:
- id: i0
label: eth0
slot: 0
type: physical

33
lab-topologies/ccna-prep/README.md Normal file
View File

@@ -0,0 +1,33 @@
# CCNA Prep CML Resources
The CCNA Prep Program is a study resource put together by the Learning and Certifications team within Cisco to help engineers working towards earning their CCNA certification. Each session dives into a topic from the CCNA blueprint, exploring it through a hands on/labs driven approach. These hands on labs are run on Cisco Modeling Labs and include full lab guides that can be used after the session for anyone to practice and hone their skills as they prepare for their CCNA Exam. We are sharing the CML topology files with the CML Community for fun, learning and inspiration.
![](ccnaprep-01.jpg)
> Sign up for CCNA Prep and access recordings from sessions at: [CCNA Prep Program](https://learningnetwork.cisco.com/s/ccna-live-stream)
## CCNA Prep Hosts
The current hosts of the CCNA Prep Program are:
**Hank Preston:** I'm a Principal Engineer at Cisco Systems, and my journey in network engineering began with the CCNA. Over the years, I've earned multiple certifications, including CCNP, CCIE, and DevNet Expert. My passion for networking and teaching has led me to help engineers worldwide through Cisco's learning and certification programs.
**Patrick Gargano:** As a Lead Content Advocate and Instructor at Cisco Learning & Certifications, I am responsible for developing and delivering official Cisco course content. I started my CCNA journey in 2000 when I became a Cisco Networking Academy instructor. Since then, I've authored Cisco Press books and achieved multiple Cisco certifications. The CCNA was a pivotal point in my career, and I'm excited to share my experiences and insights with you.
## Season 1 (Fall 2024) - Back to Basics
1. [Mastering VLAN Configuration: Unlock the power of VLANs](s1e1/README.md)
1. [Spanning Tree Protocol (STP) Unleashed: Navigate network efficiency](s1e2/README.md)
1. [Building Resilient Links with EtherChannel: Gain EtherChannel excellence](s1e3/README.md)
1. [Routing Fundamentals & Static Routes: Master concepts and static routes](s1e4/README.md)
1. [Conquering OSPF: Optimize your network with OSPF](s1e5/README.md)
1. [The Router's Guild: Adventures in AD, Metrics, and Prefix Lengths](s1e4/README.md)
1. [GET a Head(er) of REST APIs for the CCNA Certification](s1e7/README.md)
## Season 2 (Spring 2025) - IP Services
1. [DHCP in Action: Streamlining Network Client Address Management](s2e1/README.md)
1. [DNS Deepdive: Exploring a Backbone of Network Communication”](s2e2/README.md)
1. [Navigating NAT: Bridging Private Networks to the Internet](s2e3/README.md)
1. [Securing Network Access: From Telnet to SSH](s2e4/README.md)
1. [Syncing Success: The Role of NTP in Network Operations](s2e5/README.md)
1. [The Syslog Detective: Unraveling Network Mysteries](s2e6/README.md)
1. [Simplifying SNMP: Delivery Data for Network Operation Dashboards](s2e7/README.md)

BIN
lab-topologies/ccna-prep/ccnaprep-01.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 179 KiB

BIN
lab-topologies/ccna-prep/s1e1/CCNA Prep S01 E01 Lab Guide.pdf Normal file
View File

Binary file not shown.

2262
lab-topologies/ccna-prep/s1e1/CCNA_Prep_2024_S1E1_Mastering_VLANs.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

5
lab-topologies/ccna-prep/s1e1/README.md Normal file
View File

@@ -0,0 +1,5 @@
# Mastering VLAN Configuration: Unlock the Power of VLANs
*Abstract*: Join our exciting live stream to master VLAN configuration and discover the complete capabilities of VLANs in your network. Whether you're just starting out or seeking to enhance your existing skills, this session will offer valuable insights and practical techniques to improve your network management. Don't miss this chance to elevate your networking expertise to new heights!
![](s1e1-vlan.jpeg)

BIN
lab-topologies/ccna-prep/s1e1/s1e1-vlan.jpeg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 162 KiB

BIN
lab-topologies/ccna-prep/s1e2/CCNA Prep S01 E02 Lab Guide.pdf Normal file
View File

Binary file not shown.

1833
lab-topologies/ccna-prep/s1e2/CCNA_Prep_2024_S1E2_STP.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

5
lab-topologies/ccna-prep/s1e2/README.md Normal file
View File

@@ -0,0 +1,5 @@
# Spanning Tree Protocol (STP) Unleashed: Navigate Network Efficiency
*Abstract:* Navigate the landscape of network optimization with this live stream event dedicated to the Spanning Tree Protocol (STP). Our subject matter experts will guide through the essentials of STP configuration and management, ensuring you can navigate network efficiency with confidence. In addition, you'll be equipped with the necessary tools and knowledge to optimize your network. Get ready to master the Spanning Tree Protocol and see its full capabilities in action.
![](s1e2-stp.jpeg)

BIN
lab-topologies/ccna-prep/s1e2/s1e2-stp.jpeg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 134 KiB

BIN
lab-topologies/ccna-prep/s1e3/CCNA Prep S01 E03 Lab Guide.pdf Normal file
View File

Binary file not shown.

1753
lab-topologies/ccna-prep/s1e3/CCNA_Prep_2024_S1E3_EtherChannel.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

5
lab-topologies/ccna-prep/s1e3/README.md Normal file
View File

@@ -0,0 +1,5 @@
# Building Resilient Links with EtherChannel: Gain EtherChannel Excellence
*Abstract:* Learn the secrets to establishing robust and efficient network links in our comprehensive live stream event on EtherChannel. This session is crafted to provide a thorough understanding of EtherChannel concepts and configurations, helping you achieve excellence in network resilience and performance. Enhance your network management skills and master the art of building resilient links with EtherChannel.
![](s1e3-etherchannel.jpeg)

BIN
lab-topologies/ccna-prep/s1e3/s1e3-etherchannel.jpeg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 210 KiB

BIN
lab-topologies/ccna-prep/s1e4/CCNA Prep S01 E04 Guide.pdf Normal file
View File

Binary file not shown.

2718
lab-topologies/ccna-prep/s1e4/CCNA_Prep_2024_S1E4_Static_Routing.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

10
lab-topologies/ccna-prep/s1e4/README.md Normal file
View File

@@ -0,0 +1,10 @@
# Routing Fundamentals & Static Routes: Master Concepts and Static Routes
*Abstract:* Ready to advance your networking skills? Dive into our specialized live stream on Routing Fundamentals and Static Routes. Designed to lay a strong foundation in routing principles, this session provides the practical knowledge required to effectively configure static routes. Gain critical insights and hands-on tools to master routing concepts and ensure your network operates smoothly and efficiently. By the end of this session, you will have enhanced your network management capabilities.
> CCNA Prep returned to this topology for a second session:
> **The Router's Guild: Adventures in AD, Metrics, and Prefix Lengths**
>
> Starting where Episode 4 left off, this session will revisit the concepts of administrative distance, metric, and prefix length, and how they are used to build the routing table and make packet forwarding decisions.
![](s1e4-staticroute.jpeg)

BIN
lab-topologies/ccna-prep/s1e4/s1e4-staticroute.jpeg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 154 KiB

BIN
lab-topologies/ccna-prep/s1e5/CCNA Prep S01 EP05 Lab Guide.pdf Normal file
View File

Binary file not shown.

1438
lab-topologies/ccna-prep/s1e5/CCNA_Prep_2024_S1E5_Conquering_OSPF.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

4
lab-topologies/ccna-prep/s1e5/README.md Normal file
View File

@@ -0,0 +1,4 @@
# Conquering OSPF: Optimize Your Network with OSPF
*Abstract:* Maximize your network's potential with our in-depth focus on OSPF. This live stream event is tailored to help you master OSPF and optimize your network through dynamic routing and effective path selection. Perfect for networking professionals aiming to deepen their expertise, you'll be provided with the skills needed to ensure your network runs at peak performance. Join us to conquer OSPF and elevate your network optimization skills.
![](s1e5-ospf.jpeg)

BIN
lab-topologies/ccna-prep/s1e5/s1e5-ospf.jpeg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 180 KiB

BIN
lab-topologies/ccna-prep/s1e7/CCNA Prep S01 E07 Lab Guide.pdf Normal file
View File

Binary file not shown.

1178
lab-topologies/ccna-prep/s1e7/CCNA_Prep_2024_S1E7_REST_APIs.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

5
lab-topologies/ccna-prep/s1e7/README.md Normal file
View File

@@ -0,0 +1,5 @@
# GET a Head(er) of REST APIs for the CCNA Certification
*Abstract:* It is time to dive into network automation skills needed to succeed in the journey towards your CCNA certification. Learn everything you need to describe authentication, decode any possible CRUD operation, and handle JSON and XML results when working with REST APIs in this bonus CCNA Prep webinar.
![](s1e7-rest.jpeg)

BIN
lab-topologies/ccna-prep/s1e7/s1e7-rest.jpeg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 222 KiB

922
lab-topologies/ccna-prep/s2e1/CCNA_Prep_2025_-_S2E1_-_DHCP.yaml Normal file
View File

@@ -0,0 +1,922 @@
annotations:
- border_color: '#00000000'
border_style: ''
color: '#000000'
rotation: 0
text_bold: false
text_content: 192.168.1.0/24
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -440.0
y1: -120.0
z_index: 0
- border_color: '#00000000'
border_style: ''
color: '#000000'
rotation: 0
text_bold: false
text_content: 192.168.2.0/24
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: 40.0
y1: -120.0
z_index: 0
- border_color: '#00000000'
border_style: ''
color: '#1820C8'
rotation: 0
text_bold: false
text_content: DHCP Client
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -480.0
y1: 4.334521504159601
z_index: 1
- border_color: '#00000000'
border_style: ''
color: '#1820C8'
rotation: 0
text_bold: false
text_content: DHCP Client
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: 120.0
y1: 4.334521504159601
z_index: 1
- border_color: '#00000000'
border_style: ''
color: '#1820C8'
rotation: 0
text_bold: false
text_content: DHCP Server
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -331.9199341364389
y1: -240.0
z_index: 1
- border_color: '#00000000'
border_style: ''
color: '#808080FF'
rotation: 0
text_bold: false
text_content: ''
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: 160.0
y1: -200.0
z_index: 2
- border_color: '#00000000'
border_style: ''
color: '#000000'
rotation: 0
text_bold: false
text_content: OSPF AREA 0
text_font: monospace
text_italic: false
text_size: 16
text_unit: pt
thickness: 1
type: text
x1: -200.0
y1: 40.0
z_index: 4
- border_color: '#00000000'
border_style: ''
color: '#000000'
rotation: 0
text_bold: false
text_content: 10.1.1.0/30
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -193.49821774376065
y1: -191.33095699168084
z_index: 0
- border_color: '#00000000'
border_style: ''
color: '#808080FF'
rotation: 0
text_bold: false
text_content: DNS Server 8.8.8.8
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: 95.2436807701726
y1: -348.7528058356377
z_index: 5
- border_color: '#00000000'
border_style: ''
color: '#1820C8'
rotation: 0
text_bold: false
text_content: DHCP Client
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: 37.8327392479203
y1: -226.9964354875213
z_index: 1
- border_color: '#00000000'
border_style: ''
color: '#000000'
rotation: 0
text_bold: false
text_content: 'CCNA Exam Prep: Back to Networking Basics with Hank Preston and
Patrick Gargano (Season 2)'
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -1125.258776447585
y1: -407.1581438914021
z_index: 6
- border_color: '#00000000'
border_style: ''
color: '#000000'
rotation: 0
text_bold: false
text_content: 'DHCP in Action: Streamlining Network Client Address Management'
text_font: monospace
text_italic: false
text_size: 18
text_unit: pt
thickness: 1
type: text
x1: -1127.7286604756591
y1: -380.50714500921066
z_index: 7
- border_color: '#00000000'
border_style: ''
color: '#4557D2'
rotation: 0
text_bold: false
text_content: |-
In this lab, we will explore how to:
* Configure a router as an IPv4 DHCP Client
* Configure a Router as an IPv4 DHCP Server
* Configure an IPv4 DHCP Relay
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -1140.7773154740125
y1: 22.337510119328677
z_index: 8
- border_color: '#00000000'
border_style: ''
color: '#2A3FCC'
rotation: 0
text_bold: false
text_content: |-
Dynamic Host Configuration Protocol (DHCP) is a network protocol
that lets network administrators manage and automate the assignment
of IP addresses.
Without DHCP for IPv4, the administrator must manually assign
and configure IP addresses, preferred DNS servers, and default
gateways.
As the network grows in size, this becomes an administrative
problem when devices are moved from one internal network to another.
Related CCNA v1.1 exam topic:
4.3 Explain the role of DHCP and DNS within the network
4.6 Configure and verify DHCP client and relay
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -1132.1896418060846
y1: -324.20038804830887
z_index: 9
- border_color: '#808080FF'
border_radius: 0
border_style: ''
color: '#70BE58'
thickness: 1
type: rectangle
x1: -513.2157309182571
y1: -270.3112384285854
x2: 765.0004137890356
y2: 338.9822192837643
z_index: -3
nodes:
- boot_disk_size: null
configuration:
- name: ios_config.txt
content: |-
hostname RTR1
!
interface range Ethernet 0/0 - 3
no ip address
shutdown
!
int e0/0
ip address 10.1.1.1 255.255.255.252
no shut
!
int e0/1
ip address 192.168.1.1 255.255.255.0
no shut
!
router ospf 1
network 10.1.1.0 0.0.0.3 area 0
network 192.168.1.0 0.0.0.255 area 0
router-id 0.0.0.1
!
!
!
end
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n0
image_definition: null
label: RTR1
node_definition: iol-xe
parameters: {}
ram: null
tags: []
x: -280
y: -201
interfaces:
- id: i0
label: Loopback0
type: loopback
- id: i1
label: Ethernet0/0
slot: 0
type: physical
- id: i2
label: Ethernet0/1
slot: 1
type: physical
- id: i3
label: Ethernet0/2
slot: 2
type: physical
- id: i4
label: Ethernet0/3
slot: 3
type: physical
- boot_disk_size: null
configuration:
- name: ios_config.txt
content: |-
hostname RTR2
!
interface range Ethernet 0/0 - 3
no ip address
shutdown
!
int e0/0
ip address 10.1.1.2 255.255.255.252
ip nat inside
no shut
!
int e0/1
ip address 192.168.2.1 255.255.255.0
ip nat inside
no shut
!
int e0/3
ip nat outside
no ip address
shutdown
!
router ospf 1
network 10.1.1.0 0.0.0.3 area 0
network 192.168.2.0 0.0.0.255 area 0
router-id 0.0.0.2
default-information originate
!
access-list 1 permit any
!
ip nat inside source list 1 interface e0/3 overload
!
end
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n1
image_definition: null
label: RTR2
node_definition: iol-xe
parameters: {}
ram: null
tags: []
x: -1
y: -199
interfaces:
- id: i0
label: Loopback0
type: loopback
- id: i1
label: Ethernet0/0
slot: 0
type: physical
- id: i2
label: Ethernet0/1
slot: 1
type: physical
- id: i3
label: Ethernet0/2
slot: 2
type: physical
- id: i4
label: Ethernet0/3
slot: 3
type: physical
- boot_disk_size: null
configuration:
- name: node.cfg
content: |-
# this is a shell script which will be sourced at boot
hostname PC2
# configurable user account
USERNAME=cisco
PASSWORD=cisco
iface eth0 inet dhcp
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n2
image_definition: null
label: PC2
node_definition: desktop
parameters: {}
ram: null
tags: []
x: 160
y: -40
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
- boot_disk_size: null
configuration:
- name: node.cfg
content: |-
# this is a shell script which will be sourced at boot
hostname PC1
# configurable user account
USERNAME=cisco
PASSWORD=cisco
iface eth0 inet dhcp
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n3
image_definition: null
label: PC1
node_definition: desktop
parameters: {}
ram: null
tags: []
x: -440
y: -40
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
- boot_disk_size: null
configuration:
- name: ios_config.txt
content: hostname ASW1
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n4
image_definition: null
label: ASW1
node_definition: ioll2-xe
parameters: {}
ram: null
tags: []
x: -280
y: -40
interfaces:
- id: i0
label: Loopback0
type: loopback
- id: i1
label: Ethernet0/0
slot: 0
type: physical
- id: i2
label: Ethernet0/1
slot: 1
type: physical
- id: i3
label: Ethernet0/2
slot: 2
type: physical
- id: i4
label: Ethernet0/3
slot: 3
type: physical
- boot_disk_size: null
configuration:
- name: ios_config.txt
content: 'hostname ASW2
'
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n5
image_definition: null
label: ASW2
node_definition: ioll2-xe
parameters: {}
ram: null
tags: []
x: 0
y: -40
interfaces:
- id: i0
label: Loopback0
type: loopback
- id: i1
label: Ethernet0/0
slot: 0
type: physical
- id: i2
label: Ethernet0/1
slot: 1
type: physical
- id: i3
label: Ethernet0/2
slot: 2
type: physical
- id: i4
label: Ethernet0/3
slot: 3
type: physical
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n6
image_definition: null
label: Internet
node_definition: external_connector
parameters: {}
ram: null
tags: []
x: 120
y: -320
interfaces:
- id: i0
label: port
slot: 0
type: physical
links:
- id: l0
n1: n0
n2: n1
i1: i1
i2: i1
conditioning: {}
label: RTR1-Ethernet0/0<->RTR2-Ethernet0/0
- id: l1
n1: n0
n2: n4
i1: i2
i2: i2
conditioning: {}
label: RTR1-Ethernet0/1<->ASW1-Ethernet0/1
- id: l2
n1: n1
n2: n5
i1: i2
i2: i2
conditioning: {}
label: RTR2-Ethernet0/1<->ASW2-Ethernet0/1
- id: l3
n1: n4
n2: n3
i1: i1
i2: i0
conditioning: {}
label: ASW1-Ethernet0/0<->PC1-eth0
- id: l4
n1: n5
n2: n2
i1: i1
i2: i0
conditioning: {}
label: ASW2-Ethernet0/0<->PC2-eth0
- id: l5
n1: n1
n2: n6
i1: i4
i2: i0
conditioning: {}
label: RTR2-Ethernet0/3<->Internet-port
lab:
description: ''
notes: |-
<html><head><style>body {
color: black;
}
</style></head><body><p><strong>CCNA Exam Prep: Back to Networking Basics with Hank Preston and Patrick Gargano -- Season 2</strong></p>
<h1 id="dhcp-in-action-streamlining-network-client-address-management">DHCP in Action: Streamlining Network Client Address Management</h1>
<p>Dynamic Host Configuration Protocol (DHCP) is a network protocol that lets network administrators manage and automate the assignment of IP addresses.
Without DHCP for IPv4, the administrator must manually assign and configure IP addresses, preferred DNS servers, and default gateways. As the network grows in size, this becomes an administrative problem when devices are added or moved from one internal network to another.</p>
<p>Related CCNA v1.1 exam topic:</p>
<ul>
<li>4.3 Explain the role of DHCP and DNS within the network</li>
<li>4.6 Configure and verify DHCP client and relay</li>
</ul>
<p>In this lab, we will explore how to:</p>
<ul>
<li>Configure a router as an IPv4 DHCP Client</li>
<li>Configure a Router as an IPv4 DHCP Server </li>
<li>Configure an IPv4 DHCP Relay </li>
</ul>
<h2 id="setup-and-scenario">Setup and Scenario</h2>
<p>In this set of lab-based demonstrations, you are the network engineer for a growing organization tasked with updating the network to support new network needs. The network was originally deployed using static IPv4 addresses on all hosts and servers since the network was small, but now the network has grown and requires that IPv4 address assignment be automated and centralized on a DHCP server. </p>
<p>You&#39;ve been asked to: </p>
<ul>
<li>Configure RTR2 E0/3 to request and receive a dynamic IPv4 address from the ISP.</li>
<li>Configure RTR1 as an IPv4 DHCP server for the RTR1 LAN and RTR2 LAN.</li>
<li>Configure RTR2 as an IPv4 DHCP Relay Agent for the RTR2 LAN.</li>
</ul>
<p><em>Be sure to <strong>START</strong> the lab before continuing to the demo labs but do not power on PC1 or PC2 for now.</em></p>
<h2 id="part-1-reviewing-the-current-state-of-the-network">Part 1: Reviewing the Current State of the Network</h2>
<p>Before we jump into configuring DHCP across the network, let&#39;s check the current status of the network and how it is operating. </p>
<h3 id="step-1">Step 1</h3>
<p>Open a console connection to RTR1 and RTR2 and verify the OSPF configuration.</p>
<pre>
RTR1# <b>show run | section ospf</b>
router ospf 1
router-id 0.0.0.1
network 10.1.1.0 0.0.0.3 area 0
network 192.168.1.0 0.0.0.255 area 0
RTR2# <b>show run | section ospf</b>
router ospf 1
router-id 0.0.0.2
network 10.1.1.0 0.0.0.3 area 0
network 192.168.2.0 0.0.0.255 area 0
default-information originate
</pre>
Notice that both RTR1 and RTR2 are configured with OSPF process ID 1 and that all network statements are assigned to area 0. RTR2 is also configured with the `default-information originate` command that allows RTR2 to advertise a default route to other OSPF routers as long as RTR2 has a default route in its own routing table. RTR2 does not currently have a default route but this will be corrected in the next steps.
### Step 2
Verify the routing tables on RTR1 and RTR2
<pre>
RTR1# <b>show ip route</b>
<... output omitted ...>
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.1.1.0/30 is directly connected, Ethernet0/0
L 10.1.1.1/32 is directly connected, Ethernet0/0
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Ethernet0/1
L 192.168.1.1/32 is directly connected, Ethernet0/1
O 192.168.2.0/24 [110/20] via 10.1.1.2, 2w3d, Ethernet0/0
RTR2# <b>show ip route</b>
<... output omitted ...>
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.1.1.0/30 is directly connected, Ethernet0/0
L 10.1.1.2/32 is directly connected, Ethernet0/0
O 192.168.1.0/24 [110/20] via 10.1.1.1, 2w3d, Ethernet0/0
192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.2.0/24 is directly connected, Ethernet0/1
L 192.168.2.1/32 is directly connected, Ethernet0/1
</pre>
<p>RTR1 is learning about the RTR2 LAN (192.168.2.0/24) and RTR2 is learning about the RTR1 LAN (192.168.1.0/24).</p>
<p>Also notice that RTR2 does not currently have a default route to advertise to RTR1.</p>
<h3 id="step-3">Step 3</h3>
<p>Verify the interfaces on RTR2</p>
<pre>
RTR2# <b>show ip interface brief</b>
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 10.1.1.2 YES TFTP up up
Ethernet0/1 192.168.2.1 YES TFTP up up
Ethernet0/2 unassigned YES TFTP administratively down down
Ethernet0/3 unassigned YES unset administratively down down
</pre>
<p>The internet-facing Ethernet0/3 interface is currently administratively down and has not IP address configured. You will correct this in the next part of the lab.</p>
<h2 id="part-2-configure-a-router-as-an-ipv4-dhcp-client">Part 2: Configure a router as an IPv4 DHCP Client</h2>
<p>The RTR2 Ethernet 0/3 interface is connected to the &quot;Internet&quot; external connector node in CML. This node acts as an ISP that provides dynamic IPv4 addresses to its clients. In this part of the lab, you will enable RTR2 to request and receive an IPv4 DHCP address on interface Ethernet 0/3. RTR2 will also automatically create a default route pointing to the ISP. RTR2 should then advertise this default route to RTR1 via OSPF.</p>
<h3 id="step-1">Step 1</h3>
<p>Configure RTR2 E0/3 as an IPv4 DHCP client and enable the interface. After the interface comes up, it should take about 10 seconds for the E0/3 to received its IPv4 address.</p>
<pre>
RTR2# <b>conf t</b>
Enter configuration commands, one per line. End with CNTL/Z.
RTR2(config)# <b>interface E0/3</b>
RTR2(config-if)# <b>ip address dhcp</b>
RTR2(config-if)# <b>no shutdown</b>
RTR2(config-if)#
*Jan 3 16:48:43.228: %LINK-3-UPDOWN: Interface Ethernet0/3, changed state to up
RTR2(config-if)#
*Jan 3 16:48:44.228: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/3, changed state to up
RTR2(config-if)#
<mark>*Jan 3 16:48:50.386: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet0/3 assigned DHCP address 192.168.255.141, mask 255.255.255.0, hostname RTR2</mark>
</pre>
<p>In the highlighted text above, notice that the interface is now configured with the 192.168.255.141/24 address. Use the <code>show ip interface brief</code> command to confirm the new DHCP address.</p>
<h3 id="step-2">Step 2</h3>
<p>Verify the routing table on RTR1 and RTR2. Both routers should now have a default route in its routing table.</p>
<pre>
RTR1# <b>show ip route</b>
<... output omitted ...>
<mark>Gateway of last resort is 10.1.1.2 to network 0.0.0.0</mark>
<mark>O*E2 0.0.0.0/0 [110/1] via 10.1.1.2, 00:06:47, Ethernet0/0</mark>
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.1.1.0/30 is directly connected, Ethernet0/0
L 10.1.1.1/32 is directly connected, Ethernet0/0
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Ethernet0/1
L 192.168.1.1/32 is directly connected, Ethernet0/1
O 192.168.2.0/24 [110/20] via 10.1.1.2, 2w3d, Ethernet0/0
RTR2# <b>show ip route </b>
<... output omitted ...>
<mark>Gateway of last resort is 192.168.255.1 to network 0.0.0.0</mark>
<mark>S* 0.0.0.0/0 [254/0] via 192.168.255.1</mark>
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.1.1.0/30 is directly connected, Ethernet0/0
L 10.1.1.2/32 is directly connected, Ethernet0/0
O 192.168.1.0/24 [110/20] via 10.1.1.1, 2w3d, Ethernet0/0
192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.2.0/24 is directly connected, Ethernet0/1
L 192.168.2.1/32 is directly connected, Ethernet0/1
192.168.255.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.255.0/24 is directly connected, Ethernet0/3
L 192.168.255.141/32 is directly connected, Ethernet0/3
</pre>
RTR2 is automatically configured with a static default route thanks to DHCP. RTR1 is learning the default route via OSPF thanks to an External Type 5 LSA being advertised by RTR2 because of the default-information originate command.
### Step 3
Verify connectivity from RTR1 and RTR2 to a public Internet address.
<pre>
RTR1# <b>ping 8.8.8.8</b>
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
RTR2# <b>ping 8.8.8.8</b>
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
</pre>
Since RTR2 is configured with NAT (which will be covered in Season 2, Episode 3), both RTR1 and RTR2 are able to reach a public Internet address.
## Part 3: Configure a Router as an IPv4 DHCP Server
The Cisco IOS DHCP server is a full DHCP server implementation that assigns and manages IPv4 addresses from specified address pools within the device to DHCP clients. The DHCP server can be configured to assign additional parameters such as the IPv4 address of the DNS server and the default gateway. In this part of the lab, you will configure RTR1 as an IPv4 DHCP server for the RTR1 LAN and the RTR2 LAN.
### Step 1
Configure the IPv4 DHCP pool for the RTR1 LAN (192.168.1.0/24) and exclude the first five addresses of that network. Use the pool name RTR1_LAN.
<pre>
RTR1(config)# <b>ip dhcp pool RTR1_LAN</b>
RTR1(dhcp-config)# <b>network 192.168.1.0 /24</b>
RTR1(dhcp-config)# <b>default-router 192.168.1.1</b>
RTR1(dhcp-config)# <b>dns-server 8.8.8.8</b>
RTR1(dhcp-config)# <b>domain-name lab.example</b>
RTR1(dhcp-config)# <b>lease 0 12</b>
RTR1(dhcp-config)#exit
RTR1(config)# <b>ip dhcp excluded-address 192.168.1.1 192.168.1.5</b>
</pre>
In the configuration example above the, IPv4 addresses are assigned from the address pool 192.168.1.0/24 with a lease time of 12 hours. Additional parameters are the default gateway, domain name, and DNS server. Also, IPv4 addresses from 192.168.1.1 to 192.168.1.5 are not assigned to the end devices. Use the ``?`` option under the DHCP pool to investigate the different configuration options available.
### Step 2
Use the `show ip dhcp pool RTR1_LAN` command to investigate the DHCP pool configuration.
<pre>
RTR1# <b>show ip dhcp pool RTR1_LAN</b>
Pool RTR1_LAN :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 254
Leased addresses : 0
Excluded addresses : 5
Pending event : none
1 subnet is currently in the pool :
Current index IP address range Leased/Excluded/Total
192.168.1.1 192.168.1.1 - 192.168.1.254 0 / 5 / 254
</pre>
The output confirms that 5 addresses are excluded from the total range and that there are currently no leased addresses.
### Step 3
Enable DHCP debugging on RTR1 and then start the PC1 device.
<pre>
RTR1# <b>debug ip dhcp server events</b>
DHCP server event debugging is on.
RTR1# <b>debug ip dhcp server packet</b>
DHCP server packet debugging is on.
</pre>
<p>Right-click on PC1 and select <strong>Start</strong>.</p>
<p>Within a few seconds you should see some DHCP debugging messages. If you scroll through them, you should find the four DHCP messages exchanged between PC1 and RTR1:</p>
<pre>
*Jan 6 15:34:45.855: <mark>DHCPD: DHCPDISCOVER</mark> received from client 0152.5400.1529.f9 on interface Ethernet0/1.
*Jan 6 15:34:47.856: <mark>DHCPD: Sending DHCPOFFER</mark> to client 0152.5400.1529.f9 (192.168.1.6).
*Jan 6 15:34:47.859: <mark>DHCPD: DHCPREQUEST received</mark> from client 0152.5400.1529.f9 on interface Ethernet0/1
*Jan 6 15:34:47.859: <mark>DHCPD: Sending DHCPACK</mark> to client 0152.5400.1529.f9 (192.168.1.6).
</pre>
In the output above, PC1 was assigned the 192.168.1.6 address by the DHCP server on RTR1.
### Step 4
Verify the IPv4 configuration on PC1 and test connectivity to the Internet.
Open the console on PC1. Use the `ip addr show dev eth0` command to verify its IPv4 configuration. PC1 will have an IP address from the 192.168.1.0/24 network.
<pre>
PC1:~$ <b>ip addr show dev eth0</b>
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:15:29:f9 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.6/24 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fe15:29f9/64 scope link
valid_lft forever preferred_lft forever
</pre>
<p>Use the <code>ip route list</code> command to verify the PC&#39;s routing table. You should see the default gateway set to 192.168.1.1 which is the IP address of RTR1 E0/1.</p>
<pre>
PC1:~$ <b>ip route list</b>
<mark>default via 192.168.1.1 dev eth0 metric 202 </mark>
172.17.0.0/16 dev docker0 scope link src 172.17.0.1
192.168.1.0/24 dev eth0 scope link src 192.168.1.6
</pre>
<p>From the command prompt, ping the public DNS server at <strong>8.8.8.8</strong>. This ping should be successful.</p>
<p>Open a VNC connection to PC1 and use the browser to test connectivity to <strong>www.cisco.com</strong>. This test should also be successful since the DHCP server is configured to provide clients with the DNS server&#39;s IP address (8.8.8.8)</p>
<h3 id="step-5">Step 5</h3>
<p>Configure the IPv4 DHCP pool for the RTR2 LAN (192.168.2.0/24) and exclude the first five addresses of that network. Use the pool name RTR2_LAN.</p>
<pre>
RTR1(config)# <b>ip dhcp pool RTR2_LAN</b>
RTR1(dhcp-config)# <b>network 192.168.2.0 /24</b>
RTR1(dhcp-config)# <b>default-router 192.168.2.1</b>
RTR1(dhcp-config)# <b>dns-server 8.8.8.8</b>
RTR1(dhcp-config)# <b>domain-name lab.example</b>
RTR1(dhcp-config)# <b>lease 0 12</b>
RTR1(dhcp-config)#exit
RTR1(config)# <b>ip dhcp excluded-address 192.168.2.1 192.168.2.5</b>
</pre>
<h3 id="step-6">Step 6</h3>
<p>Start a packet capture on the link between RTR1 and RTR2 to capture the DHCP messages sent from PC2.</p>
<p> Right-click the link between RTR1 and RTR2 and click <strong>Packet Capture</strong>. In the packet capture tab, select Settings and add a BPF filter for DHCP packets. Cick <strong>Apply</strong> and then click <strong>Start</strong>.</p>
<p> Right-click on PC2 and select <strong>Start</strong> to boot up the device.</p>
<p> Return to the packet capture tab. You should not see any DHCP messages crossing the link between RTR1 and RTR2. Recall that DHCP messages from PC2 (DHCP Discover and DHCP Request) are broadcast messages and don&#39;t get forwarded off the local LAN by default. You will correct this issue in the next part of the lab.</p>
<h2 id="part-4-configure-an-ipv4-dhcp-relay">Part 4: Configure an IPv4 DHCP Relay</h2>
<p> A DHCP relay agent is any host that forwards DHCP packets between clients and servers. Relay agents are used for forwarding requests and replies between clients and servers when they are not on the same subnet. DHCP requests are sent as broadcasts, and because routers don&#39;t forward broadcasts, you need a relay functionality to reach the DHCP server. In this part of the lab, you will configure RTR2 E0/1 as a DHCP relay agent. This will allow PC2 DHCP messages to be forwarded to RTR1.</p>
<p> To configure the DHCP relay agent to forward packets to a DHCP server, you need to enter the interface configuration mode using the interface interface command. Then, use the <code>ip helper-address</code> command to specify that the interface will forward UDP broadcasts, including BOOTP and DHCP, to the specified server address.</p>
<p> The <code>ip helper-address</code> command should be issued on the interface where the DHCP broadcasts are received.</p>
<p>These steps show how DHCP requests are processed when DHCP relay is used:</p>
<ol>
<li><p>A DHCP client broadcasts a DHCP request.</p>
</li>
<li><p>The DHCP relay device includes option 82 and sends the DHCP request as a unicast packet to the DHCP server. Option 82 includes remote ID and circuit ID information.</p>
</li>
<li><p>The DHCP server responds to the DHCP relay.</p>
</li>
<li><p>The DHCP relay strips off option 82 and sends the response to the DHCP client.</p>
<h3 id="step-1">Step 1</h3>
<p>Configure the DHCP relay functionality on RTR2 E0/1.</p>
</li>
</ol>
<pre>
RTR2(config)# <b>interface E0/1</b>
RTR2(config-if)# <b>ip helper-address 10.1.1.1</b>
</pre>
<p>The <code>ip helper-address</code> command tells RTR2 that any broadcasts received on E0/1 will be sent to the 10.1.1.1 address which is configured on RTR1 E0/0.</p>
<p>Stop and re-start PC2 to trigger the client&#39;s DHCP process again.</p>
<h3 id="step-2">Step 2</h3>
<p>Return to the packet capture tab to observe the DHCP messages that are now crossing the link between RTR1 and RTR2. Your output should be similar to what is shown below:</p>
<table>
<thead>
<tr>
<th>Time</th>
<th>Source</th>
<th>Destination</th>
<th>Protocol</th>
<th>Info</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>0.000000</code></td>
<td><code>192.168.2.1</code></td>
<td><code>10.1.1.1</code></td>
<td><code>DHCP</code></td>
<td><code>DHCP Discover - Transaction ID 0xba02f774</code></td>
</tr>
<tr>
<td><code>0.001355</code></td>
<td><code>10.1.1.1</code></td>
<td><code>192.168.2.1</code></td>
<td><code>DHCP</code></td>
<td><code>DHCP Offer - Transaction ID 0xba02f774</code></td>
</tr>
<tr>
<td><code>0.002901</code></td>
<td><code>192.168.2.1</code></td>
<td><code>10.1.1.1</code></td>
<td><code>DHCP</code></td>
<td><code>DHCP Request - Transaction ID 0xba02f774</code></td>
</tr>
<tr>
<td><code>0.003654</code></td>
<td><code>10.1.1.1</code></td>
<td><code>192.168.2.1</code></td>
<td><code>DHCP</code></td>
<td><code>DHCP ACK - Transaction ID 0xba02f774</code></td>
</tr>
</tbody>
</table>
<p>The packet capture confirms that DHCP Discover and DHCP Request received on RTR2 E0/1 are being relayed to 10.1.1.1 on RTR1. Click through the captured packets to investigate the option fields in the DHCP header.</p>
<h3 id="step-3">Step 3</h3>
<p>Verify the IPv4 configuration on PC2 and test connectivity to the Internet.</p>
<p>Open the console on PC2 and access the command prompt. Use the <code>ip addr show dev eth0</code> command to verify its IPv4 configuration. PC1 will have an IP address from the 192.168.2.0/24 network.</p>
<p>Use the <code>ip route list</code> command to verify the PC&#39;s routing table. You should see the default gateway set to 192.168.2.1 which is the IP address of RTR2 E0/1.</p>
<p>From the command prompt, ping the public DNS server at <strong>8.8.8.8</strong>. This ping should be successful.</p>
<p>Open a VNC connection to PC2 and use the browser to test connectivity to <strong>www.cisco.com</strong>. This test should be successful.</p>
<h3 id="step-4">Step 4</h3>
<p>Return to RTR1 and inspect the DHCP debugging output. You should see the following messages:</p>
<p><pre>
*Jan 6 16:21:01.881: DHCPD: DHCPDISCOVER received from client 0152.5400.1f04.4d <mark>through relay 192.168.2.1.</mark></p>
<p>*Jan 6 16:21:01.881: DHCPD: Sending DHCPOFFER to client 0152.5400.1f04.4d (192.168.2.7).</p>
<p>*Jan 6 16:21:01.883: DHCPD: DHCPREQUEST received from client 0152.5400.1f04.4d on interface Ethernet0/0</p>
<p>*Jan 6 16:21:01.883: DHCPD: Client is Selecting (<mark>DHCP Request with Requested IP = 192.168.2.7, Server ID = 10.1.1.1</mark>)</p>
<p>*Jan 6 16:21:01.883: DHCPD: Sending DHCPACK to client 0152.5400.1f04.4d (192.168.2.7).
</pre>
Notice that RTR1 is aware that the DHCP Discover message was relayed from 192.168.2.1 and the DHCP client (PC2) is being serviced by the DHCP server located at 10.1.1.1.</p>
</body></html>
title: CCNA Prep 2025 - S2E1 - DHCP
version: 0.2.2

BIN
lab-topologies/ccna-prep/s2e1/CCNA_Prep_DHCP_Guide.pdf Normal file
View File

Binary file not shown.

5
lab-topologies/ccna-prep/s2e1/README.md Normal file
View File

@@ -0,0 +1,5 @@
# DHCP in Action: Streamlining Network Client Address Management
*Abstract:* Review the essential role of Dynamic Host Configuration Protocol (DHCP) in managing network client address assignments in this practical, demonstration focused live event. Gain insights into configuring and verifying DHCP clients and relay agents, and reinforce how DHCP simplifies IP address distribution. Through real-world examples, you'll practice the skills needed to effectively manage and troubleshoot DHCP in your network environment as you prepare for your CCNA Exam.
![](s2e1-dhcp.jpeg)

BIN
lab-topologies/ccna-prep/s2e1/s2e1-dhcp.jpeg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 71 KiB

BIN
lab-topologies/ccna-prep/s2e2/CCNA Prep S02 E02 Lab Guide.pdf Normal file
View File

Binary file not shown.

1296
lab-topologies/ccna-prep/s2e2/CCNA_Prep_2025_S2E2_DNS_Deepdive.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

5
lab-topologies/ccna-prep/s2e2/README.md Normal file
View File

@@ -0,0 +1,5 @@
# DNS Deepdive: Exploring a Backbone of Network Communication
*Abstract:* Step into the dynamic world of DNS in this engaging, lab focused live event. Discover how to configure basic DNS servers and clients while unraveling the mystery of how domain names translate into IP addresses. Through practical demonstrations, you'll see firsthand how DNS keeps your network running smoothly and efficiently, mastering this vital technology before you take your CCNA exam.
![](s2e2-dns.jpeg)

BIN
lab-topologies/ccna-prep/s2e2/s2e2-dns.jpeg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 83 KiB

1127
lab-topologies/ccna-prep/s2e3/CCNA_Prep_2025_-_S2E3_-_NAT.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

BIN
lab-topologies/ccna-prep/s2e3/CCNA_Prep_S02E03_NAT_Guide.pdf Normal file
View File

Binary file not shown.

5
lab-topologies/ccna-prep/s2e3/README.md Normal file
View File

@@ -0,0 +1,5 @@
# Navigating NAT: Bridging Private Networks to the Internet
*Abstract:* Explore the critical role of Network Address Translation (NAT) in providing Internet access for networks using private IP addresses. In this live session, you'll review the configuration of NAT using static and pool techniques. The practical insights into how NAT enables efficient connectivity between private networks and the wider Internet will prepare you for your CCNA exam.
![](s2e3-nat.jpg)

BIN
lab-topologies/ccna-prep/s2e3/s2e3-nat.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 52 KiB

BIN
lab-topologies/ccna-prep/s2e4/CCNA Prep S02 E04 Lab Guide.pdf Normal file
View File

Binary file not shown.

885
lab-topologies/ccna-prep/s2e4/CCNA_Prep_2025_S2E4_Telnet_to_SSH.yaml Normal file
View File

@@ -0,0 +1,885 @@
annotations:
- border_color: '#00000000'
border_style: ''
color: '#000000'
rotation: 0
text_bold: true
text_content: 'CCNA Exam Prep: Back to Networking Basics with Hank Preston and
Patrick Gargano'
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -480.0
y1: -80.0
z_index: 2
- border_color: '#00000000'
border_style: ''
color: '#000000'
rotation: 0
text_bold: true
text_content: 'Securing Network Access: From Telnet to SSH'
text_font: monospace
text_italic: false
text_size: 18
text_unit: pt
thickness: 1
type: text
x1: -480.0
y1: -40.0
z_index: 2
- border_color: '#00000000'
border_style: ''
color: '#000000'
rotation: 0
text_bold: false
text_content: |-
No doubt you've heard that SSH is better than telnet because, well "security". But what does that mean?
Is it really a problem? And how exactly do you ensure secure device administration? Well, we will tackle all
this in the following lab with the following exercises:
In this lab you will explore device adminstration with some hands on exercises focused on:
* Enabling Telnet device administration, and seeing why it might not be the most secure
* Creating local administrator accounts on network devices
* Migrating to SSH from Telnet for device administration
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -480.0
y1: 0.0
z_index: 2
- border_color: '#00000000'
border_style: ''
color: '#808080FF'
rotation: 0
text_bold: false
text_content: |2-
host user/pass: cisco / cisco
network enable password: enablepass
network telnet password: telnetpass
network admin user/pass: admin / adminpass
network oper user/pass: oper / operpass (read-only)
text_font: monospace
text_italic: false
text_size: 10
text_unit: pt
thickness: 1
type: text
x1: -480.0
y1: 440.0
z_index: 3
- border_color: '#00000000'
border_style: ''
color: '#808080FF'
rotation: 0
text_bold: true
text_content: |
Credentials:
text_font: monospace
text_italic: false
text_size: 10
text_unit: pt
thickness: 1
type: text
x1: -480.0
y1: 440.0
z_index: 3
- border_color: '#00000000'
border_style: ''
color: '#808080FF'
rotation: 0
text_bold: true
text_content: ____________
text_font: monospace
text_italic: false
text_size: 10
text_unit: pt
thickness: 1
type: text
x1: -480.0
y1: 440.0
z_index: 3
- border_color: '#808080FF'
border_radius: 2
border_style: ''
color: '#7FF0FA'
thickness: 2
type: rectangle
x1: -483.21004499370474
y1: 310.36986501888595
x2: 538.6848224811145
y2: 117.88725898435627
z_index: 4
- border_color: '#808080FF'
border_radius: 2
border_style: ''
color: '#F593E1'
thickness: 2
type: rectangle
x1: 61.89486747481904
y1: 310.77931009652815
x2: 306.0242893998466
y2: 265.1398836171298
z_index: 4
- border_color: '#00000000'
border_style: ''
color: '#808080FF'
rotation: 0
text_bold: true
text_content: Inside
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -475.31049493075153
y1: 318.42773531686413
z_index: 5
- border_color: '#00000000'
border_style: ''
color: '#808080FF'
rotation: 0
text_bold: true
text_content: Outside
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: 69.73658407878582
y1: 317.76716539660475
z_index: 5
nodes:
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n0
image_definition: null
label: internet
node_definition: external_connector
parameters: {}
ram: null
tags: []
x: 320
y: 360
interfaces:
- id: i0
label: port
slot: 0
type: physical
- boot_disk_size: null
configuration:
- name: ios_config.txt
content: |-
hostname rtr01
!
! In order to avoid entering a configuration dialog
! on boot, please ensure that all ethernet interfaces
! have some ip configuration present here such as the
! example below:
!
interface range Ethernet 0/0 - 3
no ip address
shutdown
!
ip host rtr01.example.com 10.0.0.1
ip host sw01.example.com 192.168.0.2
ip name-server 192.168.255.1
ip domain name example.com
ip dns server
ip dns primary example.com soa 192.168.0.1 admin@example.com 21600 900 7776000 86400
!
ip dhcp excluded-address 192.168.0.1 192.168.0.10
ip dhcp pool inside
network 192.168.0.0 /24
default-router 192.168.0.1
dns-server 10.0.0.1
domain-name example.com
exit
!
ip access-list standard NAT
permit 192.168.0.0 0.0.0.255
!
ip nat inside source list NAT interface e0/0 overload
!
interface e0/1
description Link to Inside Hosts
ip address 192.168.0.1 255.255.255.0
ip nat inside
no shut
!
interface e0/0
description Link to Internet
ip address dhcp
ip nat outside
no shut
!
!
interface loopback0
ip address 10.0.0.1 255.255.255.255
!
line vty 0 4
no login
transport input none
!
end
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n1
image_definition: null
label: rtr01
node_definition: iol-xe
parameters: {}
ram: null
tags: []
x: 24
y: 361
interfaces:
- id: i0
label: Loopback0
type: loopback
- id: i1
label: Ethernet0/0
slot: 0
type: physical
- id: i2
label: Ethernet0/1
slot: 1
type: physical
- id: i3
label: Ethernet0/2
slot: 2
type: physical
- id: i4
label: Ethernet0/3
slot: 3
type: physical
- boot_disk_size: null
configuration:
- name: ios_config.txt
content: |-
hostname sw01
ip domain name example.com
!
vtp version 2
vtp mode transparent
!
vlan 10
name inside-network
!
interface e0/0
description Link to rtr01
switchport mode access
spanning-tree portfast
switchport access vlan 10
!
interface e0/1
description Link to netadmin
switchport mode access
spanning-tree portfast
switchport access vlan 10
!
interface vlan 10
description Switch Management Interface
ip address 192.168.0.2 255.255.255.0
no shutdown
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip name-server 10.0.0.1
!
line vty 0 4
no login
transport input none
!
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n2
image_definition: null
label: sw01
node_definition: ioll2-xe
parameters: {}
ram: null
tags: []
x: -200
y: 360
interfaces:
- id: i0
label: Loopback0
type: loopback
- id: i1
label: Ethernet0/0
slot: 0
type: physical
- id: i2
label: Ethernet0/1
slot: 1
type: physical
- id: i3
label: Ethernet0/2
slot: 2
type: physical
- id: i4
label: Ethernet0/3
slot: 3
type: physical
- boot_disk_size: null
configuration:
- name: node.cfg
content: |-
# this is a shell script which will be sourced at boot
hostname netadmin
# configurable user account
USERNAME=cisco
PASSWORD=cisco
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n3
image_definition: null
label: netadmin
node_definition: desktop
parameters: {}
ram: null
tags: []
x: -440
y: 360
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n4
image_definition: null
label: ext-sw
node_definition: unmanaged_switch
parameters: {}
ram: null
tags: []
x: 160
y: 360
interfaces:
- id: i0
label: port0
slot: 0
type: physical
- id: i1
label: port1
slot: 1
type: physical
- id: i2
label: port2
slot: 2
type: physical
- id: i3
label: port3
slot: 3
type: physical
- id: i4
label: port4
slot: 4
type: physical
- id: i5
label: port5
slot: 5
type: physical
- id: i6
label: port6
slot: 6
type: physical
- id: i7
label: port7
slot: 7
type: physical
- boot_disk_size: null
configuration:
- name: node.cfg
content: |-
# this is a shell script which will be sourced at boot
hostname outside-host
# configurable user account
USERNAME=cisco
PASSWORD=cisco
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n5
image_definition: null
label: outside-host
node_definition: alpine
parameters: {}
ram: null
tags: []
x: 160
y: 520
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
links:
- id: l0
n1: n2
n2: n1
i1: i1
i2: i2
conditioning: {}
label: sw01-Ethernet0/0<->rtr01-Ethernet0/1
- id: l1
n1: n3
n2: n2
i1: i0
i2: i2
conditioning: {}
label: netadmin-eth0<->sw01-Ethernet0/1
- id: l2
n1: n1
n2: n4
i1: i1
i2: i0
conditioning: {}
label: rtr01-Ethernet0/0<->ext-sw-port0
- id: l3
n1: n4
n2: n0
i1: i1
i2: i0
conditioning: {}
label: ext-sw-port1<->internet-port
- id: l4
n1: n5
n2: n4
i1: i0
i2: i2
conditioning: {}
label: outside-host-eth0<->ext-sw-port2
lab:
description: Discover why SSH is the preferred choice over Telnet for secure network
management in this insightful event. Through hands-on activities, master the ins
and outs to configuring SSH on Cisco switches and routers, ensuring encrypted
and authenticated remote access. Understand the security implications of using
SSH, and elevate your skills in managing network devices securely and efficiently.
Join us as you prepare for your CCNA exam.
notes: |-
**CCNA Exam Prep: Back to Networking Basics with Hank Preston and Patrick Gargano**
# Securing Network Access: From Telnet to SSH
> Discover why SSH is the preferred choice over Telnet for secure network management in this insightful event. Through hands-on activities, master the ins and outs to configuring SSH on Cisco switches and routers, ensuring encrypted and authenticated remote access. Understand the security implications of using SSH, and elevate your skills in managing network devices securely and efficiently. Join us as you prepare for your CCNA exam.
No doubt you've heard that SSH is better than telnet because, well "security". But what does that mean? Is it really a problem? And how exactly do you ensure secure device adminsistration? Well, we will tackle all this in the following exercices:
In this lab you will explore device adminstration with some hands on exercises focused on:
* Enabling Telnet device administration, and seeing why it might not be the most secure
* Creating local administrator accounts on network devices
* Migrating to SSH from Telnet for device administration
> This lab touches on several topics from the [CCNA v1.1 Topics List](https://learningcontent.cisco.com/documents/marketing/exam-topics/200-301-CCNA-v1.1.pdf)
> 2.8 Describe network device management access (Telnet, SSH, HTTP, HTTPS, console, TACACS+/RADIUS, and cloud managed)
> 4.8 Configure network devices for remote access using SSH
> 5.3 Configure and verify device access control using local passwords
## Setup and Scenario
This setup of lab based demonstrations includes a small network made up of an IOS based switch and router, that provides internet access to a `netadmin` host. There is also an `outside-host` that will be used for some testing. The network is preconfigured to provide connectivity to the Internet for the `netadmin` host with DHCP, DNS, and NAT services provided by `rtr01`. `sw01` is configured with a management IP address, and there are DNS entries for both network devices configured to allow `netadmin` to reach the devices by name.
```
netadmin:~$ ping -c 2 sw01
PING sw01 (192.168.0.2): 56 data bytes
64 bytes from 192.168.0.2: seq=0 ttl=42 time=0.975 ms
64 bytes from 192.168.0.2: seq=1 ttl=42 time=1.418 ms
netadmin:~$ ping -c 2 rtr01
PING rtr01 (10.0.0.1): 56 data bytes
64 bytes from 10.0.0.1: seq=0 ttl=42 time=1.447 ms
64 bytes from 10.0.0.1: seq=1 ttl=42 time=1.125 ms
```
Go ahead and open the console for the `netadmin` host and try out the above pings yourself. "Pinging" is fun :-)!!
> Note: The credentials for `netadmin` and `outside-host` are `cisco / cisco`.
*Be sure to **START** the lab before continuing to the demo labs.*
## Setting up initial IP based device management with Telnet
Using serial (console) connectivity to configure and operate networking equipment requires the engineer be in physical proximity to the device so that a cable can be plugged from the devices port into their laptop. This is fine during initial setup or emergency troubleshooting, but it isn't very convenient when you want to add a VLAN to a switch, update a router's static routes, or run some show commands to understand the current state of the network. The ability to log into the network devices over "the network" is a far more convenient option.
> There are dedicated "terminal server" or "console server" appliances that can be provide the direct connection to serial ports on devices and offer network administrators access over the network. Many organizations do deploy these to aid in remote adminstration of devices, but even when they are available, console based administration is typically reserved for times when devices are unreachable over the network. Upgrades, troubleshooting, etc.
While it is highly recommended that network devices only be administered using a secure protocol like SSH, we'll begin this lab by configuring telnet to fully explore how (and why) secure network access can be configured.
1. We'll start by verifying that we can NOT log into the network devices with telnet at the start of the lab. Open the console for `netadmin`. The username/password to log in is `cisco/cisco`.
1. Attempt to use telnet to log into the `rtr01`. DNS is configured so you can use the hostname.
```
telnet rtr01
# Output
telnet: can't connect to remote host (10.0.0.1): Connection refused
```
1. Repeat for `sw01`.
1. Now that we've seen that telent does NOT work, we'll learn how to enable it.
1. Open the console for `rtr01` and enter enable mode.
1. To access the CLI for a network device over the network, you connect to a "VTY line", or "virtual teletype line". Different network devices have different numbers of VTY lines. The IOS router and switch in this lab each have 5 lines, numbered 0 -> 4. Another common number of lines is 16, numbered 0 -> 15.
1. Add the following configuration to `rtr01`. To enable `login` over the VTY lines and to allow communication on the line with `telnet`.
```
line vty 0 4
login
transport input telnet
```
1. You should get a console message like the below. This is an exmaple of a very useful message to the administrator. While we've turned on logging in via telnet on the lines, the router will NOT allow that to happen until a password is set. Because once telnet administration is enabled, anyone connected to the network could begin administering the device. Security is important!
```
% Login disabled on line 2, until 'password' is set
```
* You will actually see several of these messages, 5 to be exact. Why do you think that is?
<details><summary>Answer:</summary>
You are configuring 5 different lines at the same time, indicated by `line vty 0 4`. So one message per "line" being configured.</details>
1. So go ahead and add the password to the `line vty 0 4` configuration block.
```
password telnetpass
```
> Note: If you left `config-line` mode, you will need to re-enter with `line vty 0 4`.
1. Now return to the console for `netadmin` and try to connect with telnet. When you are prompted for the `Password:`, use the newly configured `telnetpass` that you just set.
```
telnet rtr01
# Output
Connected to rtr01
Entering character mode
Escape character is '^]'.
User Access Verification
Password:
rtr01>
```
1. Now enter enable mode. Did it work? Why not?
<details><summary>Answer</summary>
While the network device does NOT mind allowing unauthenticated privileged mode access over the console port, an `enable password` (or `secret`) is required for over the network administration.</details>
1. Return to the console for `rtr01` and set an enable secret.
```
enable secret enablepass
```
1. And now go back to the console for `netadmin` and try to enter enable mode again.
1. Ta-da... you can now administer `rtr01` remotely from your network administration workstation, from anywhere on the network.
1. Disconnect by typing `exit`.
1. Repeat the configuration to enable telnet administration on `sw01` and verify that you can login and access enable mode from `netadmin`.
1. Make sure to `exit` from the connection to `sw01` when you are done.
## Understanding why clear text protocols like Telnet are a bad idea
Great work... maybe. I'm sure you've heard by now that "telnet bad, ssh good" but why? "Security" you may say. You might even know that the issue is because "telnet isn't encrypted". Both true, but let's see if we can experience this with our own eyes.
> ***Pro Tip!:*** CML allows you to "split" the Panes display into multiple sections to allow the viewing of two or more different interfaces (ie Console, VNC, or Packet Capture) at the same time. This feature is particularly handy when doing a packet capture, so you can see the captured packets while performing actions on a node.
>
> Click the `+` button on the right side of the "Panes" to split the window. Then "click" within the section before opening starting the capture. You can also "drag" a window from one pane to another.
1. Right-click the link between `netadmin` and `sw01` and choose "Packet Capture".
1. Click the gear icon to open the settings for the capture. Add the following BPF filter and "Apply" the settings change.
```
tcp port 23
```
> Why tcp port 23?
> <details><summary>Answer</summary>
> Telnet is an application that uses TCP and operates on port 23.</details>
1. Start the packet capture.
1. Now return to the console for `netadmin` and connect to `rtr01` with telnet. Go ahead and enter the password to login.
1. Now look at the packet capture and click on Frame 6 that shows "Telnet Data..." in the Info column. Click on the frame and expand the `Telnet` section in the packet details. What do you see?
<details><summary>Answer:</summary>
You'll see the login message sent by `rtr01` to `netadmin` in clear text. </details>
1. Change to page 2 and look at Frame 12, 14, 16, and the other "Telnet Data..." frames sourced by `netadmin`. What do you see?
<details><summary>Answer:</summary>
What you should see is the password you entered to log into the router, one (or two) characters at a time.</details>
> Note: The frame numbers above should match for you if you created the filter, started the capture, and then used `telnet rtr01` from `netadmin` and logged in with the password immediately. If you aren't seeing the expected data within the frame numbers indicated, click and check the "Telnet Data..." frames until you find them.
So now you see why "telnet bad". Anyone who has access to the network packets that have a telnet session running can see everything that is sent in both directions. And you don't need to do it frame by frame. There are many programs that can be used to analyze network streams, find telnet applications, capture the output and search for credentials.
> So why is "SSH good"? Because as an encrypted protocol, an attack like this isn't possible. You'll be able to try this out yourself and see it in action later!
## Configuring local user accounts for managing network devices
Now the network team can all log into the network devices remotely from the convenience of anywhere on the network. However, everyone uses the same telnet password. Providing individual accounts to each user is a standard procedure for organizations and applications. There are many reasons to go down this path including:
* Allowing for accurate auditing of who is connected to the network and making changes
* Providing different levels of access to different people. Often called "Role Based Access Control" or "RBAC"
* Being able to disable access to individuals without effecting an entire team
There is another reason we are going to enable individual user accounts in this lab, SSH access requires it to be setup. And that's our ultimate destination :-)
1. Go ahead and log into `rtr1`. Either with the direct console connection, or through telnet from `netadmin`.
1. Enter configuration mode, and create a new admin user on the router.
```
username admin secret adminpass
```
> Note: Be careful to ***NOT*** add a space after the password. If you do, the space becomes PART of the password. This is a common mistake that can lead to you being unable to log in and access your router. The author of this lab guide has made this mistake many many times.
1. Now you need to update the VTY configuration to use the "local" username/passwords rather than the telnet password that was configured.
```
line vty 0 4
login local
```
* It is also a good idea to remove the telnet password that we won't be using anymore.
```
line vty 0 4
no password
```
1. Now return to the `netadmin` host and try to log into `rtr01` with telnet once again. Use the `admin / adminpass` credentials you just configured.
```
telnet rtr01
# Output
Connected to rtr01
Entering character mode
Escape character is '^]'.
User Access Verification
Username: admin
Password:
rtr01>
```
1. Go ahead and enter "enable" mode. You should be prompted for the enable password, this will be the same `enablepass` that you configured before.
### Adding privilege to user accounts
Now we'll enhance the login process by adding a "privilege level" to the user accounts. This isn't required, but it is a common configuration that will place "administrators" automatically into "enable" mode. We can also use it to provide "read only" access to "operator" users.
Cisco IOS uses "privilege levels" to track access levels. `priv 15` is the same as "Privileged EXEC mode" (ie "enable mode"), and `priv 1` is the same "User EXEC mode".
1. From the CLI of `rtr01` (either console or using the telnet access), add `priv 15` to the `admin` user.
```
username admin priv 15
```
1. Now try to reconnect with telnet to the router.
> If you configured the above from the telnet connection, `exit` out to disconnect and reconnect.
1. Did you see any difference?
<details><summary>Answer:</summary>
You should now have been dropped into `Priveleged EXEC mode` automatically.</details>
1. Handy right? Create a new account with `priv 15` for yourself with whatever username and password you want to use. You can do all this with a single line of configuration.
```
username carl priv 15 secret carlpass
```
1. Create one more user, `oper` with the secret password `operpass` that has `priv 1`.
```
username oper priv 1 secret operpass
```
1. Take a look at the configuration for the user accounts.
```
show run | section username
# Output
username admin privilege 15 secret 9 $9$JTuPJ0yjNpNuNk$hCbbeDhhX8DStDn5BKbOlJ7LWjvKkZP.wnFmZdNhwHA
username carl privilege 15 secret 9 $9$O1J7C4XQ8aE/rU$TcDZQXJiv3h1c7gkqdgUqKJEhCydXfY2yz6hZzxWJbI
username oper secret 9 $9$cjBNZ2V.CJT.fU$BDC0biwbJ8Wn.Lw1uau53B3jQhlFqYoEG5VF2BjpitY
```
* What do you notice about them?
<details><summary>Answer:</summary>
A couple things should jump out at you. First, the passwords (or secrets) are encrypted using a method that is (currently) difficult to break. This is indicated by `secret 9` in the output. Older versions of IOS used methods other than `9` to "hide" passwords in configurations. Most of them are considered insecure today. `secret 9` is the best practice used today. Second, `username oper` lacks a `priv 1` element to the configuration. This is because `priv 1` is the lowest privilege level and the default. </details>
### Configuring `sw01`
Before moving onto SSH, go ahead and configure `sw01`.
1. Create user accounts for `admin` and `oper` with appropriate `priv` levels
1. Update the VTY lines to use the newly created user accounts.
1. Remove the telnet password
## Migrating from Telnet to SSH for managing network devices
Excellent work so far. Just one more thing to do, enable SSH and make our device administration secure. Well, there are a couple of steps needed to enable SSH, but let's get to it!
1. Log into `rtr01` from the console or with the `admin` account and telnet.
1. From "Privileged EXEC mode" (enable mode) and NOT "Configuration Mode", create an RSA key-pair.
> Note: If you enter this command from `config` mode, you'll get an error message about deprecation of the command. Keys should now be generated from "enable mode".
```
crypto key generate rsa general-keys modulus 2048
# Output
The name for the keys will be: rtr01.example.com
% The key modulus size is 2048 bits
% Generating crypto RSA keys in background ...
```
* `rsa` is the type of key we are generating `ec` is an alternative key generation mechanism, but it won't work for SSH.
* `general-keys` means we are creating a single key that can be used by the router for both signing and encryption.
* `modulus 2048` indicates we are creating a `2048` bit key. The more bits, the more secure. `2048` is generally considered secure today, however some organizations opt for larger bit sizes for more security.
1. If you are on the console, or watching the console output, you'll also see this output.
```
*Mar 9 14:08:48.049: %CRYPTO_ENGINE-5-KEY_ADDITION: A key named rtr01.example.com has been generated or imported by crypto-engine
*Mar 9 14:08:48.050: %SSH-5-ENABLED: SSH 2.0 has been enabled
*Mar 9 14:08:48.732: %CRYPTO_ENGINE-5-KEY_ADDITION: A key named rtr01.example.com.server has been generated or imported by crypto-engine
```
> Note: The "name" of the RSA key is in the format of `<HOSTNAME>.<DOMAIN NAME>`. This means that if you have NOT configured either of these on your network device, you will get an error message. The initial configuration for this lab included both `hostname <HOSTNAME>` and `ip domain name <DOMAIN NAME>` configuration.
* In the console log message, notice the `SSH-5-ENABLED` message. SSH is typically already setup to be "enabled" on an IOS device, but in order for it to work there needs to be a "key" that can be used to encrypt the traffic. As soon as you create the key, the device will enable SSH.
* `SSH 2.0` is enabled. The version `2.0` is significant because earlier versions of SSH are insecure today and shouldn't be used. Some network devices may default to an earlier version and should be explicitly configured for `ip ssh version 2`. Newer devices likely only support version 2.
1. Go ahead and try to connect to `rtr01` with SSH from `netadmin`.
```
ssh admin@rtr01
# Output
ssh: connect to host rtr01 port 22: Connection refused
```
* Why didn't it work? We say that SSH was enabled already?
<details><summary>Answer:</summary>
The reason is because while SSH is indeed "enabled" on the router, we need to update the configuration for the VTY lines to allow SSH "input". Remember that we configured `transport input telnet`.</details>
1. Update the configuration of the VTY lines to support SSH.
```
line vty 0 4
transport input ssh
```
> Note: You could enable both telnet and ssh at the same time with `transport input telnet ssh`, and if you are making this change remotely without console access to the router, that is recommended. But once you've verified that SSH is working, don't forget to remove it as a supported input protocol or you are still vulnerable.
1. Now try to log into `rtr01` with SSH again.
```
ssh admin@rtr01
# Output
The authenticity of host 'rtr01 (10.0.0.1)' can't be established.
RSA key fingerprint is SHA256:uKLBCGaK0AWdqR6NOVbvSFjB6Mc0GMiRGH7xcI7+X0w.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'rtr01' (RSA) to the list of known hosts.
(admin@rtr01) Password:
rtr01#
```
* You will first be asked if you want to trust the fingerprint for the SSH key. The best practice for security would be to check the shown fingerprint against the known fingerprint for the device you are connecting to. Unfortunately, there isn't an easy way to find the fingerprint for an SSH key for an IOS device, and calculating it is out of scope for this lab or the CCNA. So just type "yes" at the prompt.
* Once you connect the first time to a router, your computer will store the fingerprint and verify it on future connections to the router. If the fingerprint changes, you'll be warned something is different. This could indicate a security problem, ***OR*** it could indicate that key changed on the device. A key change can happen if a device is replaced or upgraded. The key can also change if an administrator manually changes it.
* Provide the password for the `admin` user and log in.
1. Disconnect with SSH and try to log in with telnet. This should fail.
### Verifying Encryption
Setup a new packet capture between `netadmin` and `sw01`, but use the filter `tcp port 22` for SSH traffic. With it running, log back into `rtr01` with SSH. Then checkout the packets captured. You'll see many packets setting up the secure communications, and then "Encrypted packets" being sent. If you look at those you'll find that you can NOT read the messages being sent between the devices.
### Configuring SSH on `sw01`
Now go ahead and configure `sw01` for SSH with the same approach we used on `rtr01`.
1. Create a new RSA key
1. Change the VTY transport method to only support SSH
## SSH from anywhere... even the Internet?
So far we've been testing SSH access from our "trusted host", `netadmin`. But can we also access the router from "the Internet"
1. Find the "public IP" for `rtr01`. This will be the IP address on interface 'E0/0'.
```
show ip int brief
# Output
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 192.168.255.196 YES DHCP up up
Ethernet0/1 192.168.0.1 YES TFTP up up
Ethernet0/2 unassigned YES TFTP administratively down down
Ethernet0/3 unassigned YES TFTP administratively down down
Loopback0 10.0.0.1 YES TFTP up up
```
> ***Note:*** The IP address assigned to YOUR `Ethernet0/0` interface will mostly likely differ from the above output. This is because the IP address is assigned with DHCP from the CML server itself. Make note of YOUR address for the next command.
1. Open up the console for `outside-host` and try to SSH into the router using the "public IP".
* ***Remember to use the IP address from YOUR output in the below command.***
```
ssh admin@<YOUR E0/0 IP address>
```
1. After answering "yes" to accept the fingerprint, this should work just like from `netadmin`. This is because the VTY lines are "available" from all router Interfaces. Even more reason to use SSH instead of a clear text protocol like telnet.
1. Now that you are connected, checkout the output from a couple of handy `show commands`.
```
show ssh
show users
show crypto key mypubkey rsa
```
## Great Job!
Excellent work on this lab! You've successfully enabled SSH on your network devices and seen why it is a much better choice than Telnet. This is by no means the end to device administration. Here are some other topics to look into.
1. How can you limit management access to a network device? Maybe you do NOT want the Internet to be able to log into your router - even if it is secure?
1. How do TACACS+ and RADIUS fit into device administration? How would they be configured?
title: CCNA Prep 2025 S2E4 Telnet to SSH
version: 0.2.2

5
lab-topologies/ccna-prep/s2e4/README.md Normal file
View File

@@ -0,0 +1,5 @@
# Securing Network Access: From Telnet to SSH
*Abstract:* Discover why SSH is the preferred choice over Telnet for secure network management in this insightful event. Through hands-on activities, master the ins and outs to configuring SSH on Cisco switches and routers, ensuring encrypted and authenticated remote access. Understand the security implications of using SSH, and elevate your skills in managing network devices securely and efficiently. Join us as you prepare for your CCNA exam.
![](s2e4-ssh.jpg)

BIN
lab-topologies/ccna-prep/s2e4/s2e4-ssh.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 100 KiB

BIN
lab-topologies/ccna-prep/s2e5/CCNA Prep S02 E05 Lab Guide.pdf Normal file
View File

Binary file not shown.

709
lab-topologies/ccna-prep/s2e5/CCNA_Prep_2025_S2E5_NTP_Basics.yaml Normal file
View File

@@ -0,0 +1,709 @@
annotations:
- border_color: '#00000000'
border_style: ''
color: '#000000'
rotation: 0
text_bold: true
text_content: 'CCNA Exam Prep: Back to Networking Basics with Hank Preston and
Patrick Gargano'
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -480.0
y1: -80.0
z_index: 2
- border_color: '#00000000'
border_style: ''
color: '#000000'
rotation: 0
text_bold: true
text_content: 'Syncing Success: The Role of NTP in Network Operations'
text_font: monospace
text_italic: false
text_size: 18
text_unit: pt
thickness: 1
type: text
x1: -480.0
y1: -40.0
z_index: 2
- border_color: '#00000000'
border_style: ''
color: '#000000'
rotation: 0
text_bold: false
text_content: |-
NTP is how IT systems can "synchronize their watches". These IT systems can be network devices
like switches and routers, end user computers and mobile devices, and servers hosting the
critical applications we rely on. The "systems" also include the unimaginable number of IOT
devices that exist around us in cars, planes, trains, ships, manufacturing plants, and so on.
So yeah, NTP is a foundational protocol that is often overlooked, until something goes wrong
with it...
In this lab you will NTP with some hands on exercises focused on:
* Asking a router and switch "what time is it?" and manually setting the time.
* Configuring the NTP client in IOS to synchronize the clock with an NTP server.
* Configuring the NTP server in IOS to act as a time source for other clients
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -480.0
y1: 0.0
z_index: 2
- border_color: '#00000000'
border_style: ''
color: '#808080FF'
rotation: 0
text_bold: false
text_content: |2-
host user/pass: cisco / cisco
network enable password: enablepass
text_font: monospace
text_italic: false
text_size: 10
text_unit: pt
thickness: 1
type: text
x1: -480.0
y1: 440.0
z_index: 3
- border_color: '#00000000'
border_style: ''
color: '#808080FF'
rotation: 0
text_bold: true
text_content: 'Credentials:
'
text_font: monospace
text_italic: false
text_size: 10
text_unit: pt
thickness: 1
type: text
x1: -480.0
y1: 440.0
z_index: 3
- border_color: '#00000000'
border_style: ''
color: '#808080FF'
rotation: 0
text_bold: true
text_content: ____________
text_font: monospace
text_italic: false
text_size: 10
text_unit: pt
thickness: 1
type: text
x1: -480.0
y1: 440.0
z_index: 3
- border_color: '#808080FF'
border_radius: 2
border_style: ''
color: '#7FF0FA'
thickness: 2
type: rectangle
x1: -483.21004499370474
y1: 310.36986501888595
x2: 763.2100449937047
y2: 260.47255474961986
z_index: 0
nodes:
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n0
image_definition: null
label: internet
node_definition: external_connector
parameters: {}
ram: null
tags: []
x: 240
y: 360
interfaces:
- id: i0
label: port
slot: 0
type: physical
- boot_disk_size: null
configuration:
- name: ios_config.txt
content: |-
hostname rtr01
!
! In order to avoid entering a configuration dialog
! on boot, please ensure that all ethernet interfaces
! have some ip configuration present here such as the
! example below:
!
interface range Ethernet 0/0 - 3
no ip address
shutdown
!
ip host rtr01.example.com 10.0.0.1
ip host sw01.example.com 192.168.0.2
ip host ntpserver.example.com 192.168.100.100
ip name-server 192.168.255.1
ip domain name example.com
ip dns server
ip dns primary example.com soa 192.168.0.1 admin@example.com 21600 900 7776000 86400
!
ip dhcp excluded-address 192.168.0.1 192.168.0.10
ip dhcp pool inside
network 192.168.0.0 /24
default-router 192.168.0.1
dns-server 10.0.0.1
domain-name example.com
exit
!
ip access-list standard NAT
permit 192.168.0.0 0.0.0.255
permit 192.168.100.0 0.0.0.255
!
ip nat inside source list NAT interface e0/0 overload
!
interface e0/1
description Link to Inside Hosts
ip address 192.168.0.1 255.255.255.0
ip nat inside
no shut
!
interface e0/0
description Link to Internet
ip address dhcp
ip nat outside
no shut
!
interface e0/2
description Link to Lab NTP Server
ip address 192.168.100.1 255.255.255.0
ip nat inside
no shut
!
interface loopback0
ip address 10.0.0.1 255.255.255.255
!
line vty 0 4
no login
transport input none
!
do clock set 00:00:00 01 Jan 1993
!
end
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n1
image_definition: null
label: rtr01
node_definition: iol-xe
parameters: {}
ram: null
tags: []
x: 0
y: 360
interfaces:
- id: i0
label: Loopback0
type: loopback
- id: i1
label: Ethernet0/0
slot: 0
type: physical
- id: i2
label: Ethernet0/1
slot: 1
type: physical
- id: i3
label: Ethernet0/2
slot: 2
type: physical
- id: i4
label: Ethernet0/3
slot: 3
type: physical
- boot_disk_size: null
configuration:
- name: ios_config.txt
content: |-
hostname sw01
ip domain name example.com
!
vtp version 2
vtp mode transparent
!
vlan 10
name inside-network
!
interface e0/0
description Link to rtr01
switchport mode access
spanning-tree portfast
switchport access vlan 10
!
interface e0/1
description Link to netadmin
switchport mode access
spanning-tree portfast
switchport access vlan 10
!
interface vlan 10
description Switch Management Interface
ip address 192.168.0.2 255.255.255.0
no shutdown
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip name-server 10.0.0.1
!
line vty 0 4
no login
transport input none
!
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n2
image_definition: null
label: sw01
node_definition: ioll2-xe
parameters: {}
ram: null
tags: []
x: -200
y: 360
interfaces:
- id: i0
label: Loopback0
type: loopback
- id: i1
label: Ethernet0/0
slot: 0
type: physical
- id: i2
label: Ethernet0/1
slot: 1
type: physical
- id: i3
label: Ethernet0/2
slot: 2
type: physical
- id: i4
label: Ethernet0/3
slot: 3
type: physical
- boot_disk_size: null
configuration:
- name: node.cfg
content: |-
# this is a shell script which will be sourced at boot
hostname netadmin
# configurable user account
USERNAME=cisco
PASSWORD=cisco
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n3
image_definition: null
label: netadmin
node_definition: desktop
parameters: {}
ram: null
tags: []
x: -440
y: 360
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
- boot_disk_size: null
configuration:
- name: node.cfg
content: |-
# this is a shell script which will be sourced at boot
hostname ntpserver
# configurable user account
USERNAME=cisco
PASSWORD=cisco
# Static IP address
ip address add 192.168.100.100/24 dev eth0
ip route add default via 192.168.100.1
# NTP Server Setup
echo 'NTPD_OPTS="-l -N"' > /etc/conf.d/ntpd
service ntpd start
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n4
image_definition: null
label: ntpserver
node_definition: alpine
parameters: {}
ram: null
tags: []
x: 0
y: 520
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
links:
- id: l0
n1: n2
n2: n1
i1: i1
i2: i2
conditioning: {}
label: sw01-Ethernet0/0<->rtr01-Ethernet0/1
- id: l1
n1: n3
n2: n2
i1: i0
i2: i2
conditioning: {}
label: netadmin-eth0<->sw01-Ethernet0/1
- id: l2
n1: n4
n2: n1
i1: i0
i2: i3
conditioning: {}
label: outside-host-eth0<->rtr01-Ethernet0/2
- id: l3
n1: n1
n2: n0
i1: i1
i2: i0
conditioning: {}
label: rtr01-Ethernet0/0<->internet-port
lab:
description: Delve into the importance of Network Time Protocol (NTP) in maintaining
synchronized time across network devices. In this session, review the steps to
configure NTP for both client and server modes. Discover why synchronized time
is crucial for accurate event logging, seamless coordination of network operations,
and effective security measures. Master this important topic in “time” to take
your exam.
notes: |-
**CCNA Exam Prep: Back to Networking Basics with Hank Preston and Patrick Gargano**
# Syncing Success: The Role of NTP in Network Operations
> Delve into the importance of Network Time Protocol (NTP) in maintaining synchronized time across network devices. In this session, review the steps to configure NTP for both client and server modes. Discover why synchronized time is crucial for accurate event logging, seamless coordination of network operations, and effective security measures. Master this important topic in “time” to take your exam.
Time and the passage of time is inescapble in life and network engineering. There are many "time" related topics that come up while you study for your CCNA. There is latency, how long it takes takes for a data packet to move from the source to destination. And jitter, how much variation in that time between different packets.
In this lab we are going to explore NTP, or Network Time Protocol. NTP is how IT systems can "synchronize their watches". These IT systems can be network devices like switches and routers, end user computers and mobile devices, and servers hosting the critical applications we rely on. The "systems" also include the unimaginable number of IOT devices that exist around us in cars, planes, trains, ships, manufacturing plants, and so on. So yeah, NTP is a foundational protocol that is often overlooked, until something goes wrong with it...
In this lab you will NTP with some hands on exercises focused on:
* Asking a router and switch "what time is it?" and manually setting the time.
* Configuring the NTP client in IOS to synchronize the clock with a known good source - an NTP server.
* Configuring the NTP server in IOS to act as a time source for other clients
> This lab touches on the following topic from the [CCNA v1.1 Topics List](https://learningcontent.cisco.com/documents/marketing/exam-topics/200-301-CCNA-v1.1.pdf)
> 4.2 Configure and verify NTP operating in a client and server mode
## Setup and Scenario
This setup of lab based demonstrations includes a small network made up of an IOS based switch and router, that provides internet access to a `netadmin` host. The network is preconfigured to provide connectivity to the Internet for the `netadmin` host with DHCP, DNS, and NAT services provided by `rtr01`. `sw01` is configured with a management IP address, and there are DNS entries for both network devices configured to allow `netadmin` to reach the devices by name.
*Be sure to **START** the lab before continuing to the demo labs.*
```
netadmin:~$ ping -c 2 sw01
PING sw01 (192.168.0.2): 56 data bytes
64 bytes from 192.168.0.2: seq=0 ttl=42 time=0.975 ms
64 bytes from 192.168.0.2: seq=1 ttl=42 time=1.418 ms
netadmin:~$ ping -c 2 rtr01
PING rtr01 (10.0.0.1): 56 data bytes
64 bytes from 10.0.0.1: seq=0 ttl=42 time=1.447 ms
64 bytes from 10.0.0.1: seq=1 ttl=42 time=1.125 ms
```
Go ahead and open the console for the `netadmin` host and try out the above pings yourself. "Pinging" is fun :-)!!
> Note: The credentials for `netadmin` are `cisco / cisco`.
## Finding an available NTP server
Before we dive into this lab and explore configuring NTP to keep network time in sync, we need to find an available NTP server that is reachable from our lab. There are many publicly available NTP providers that can be freely leveraged by anyone around the world. Two sources for time provided by reliable clusters of NTP servers are [NIST (National Institute of Standards and Technology)](https://tf.nist.gov/tf-cgi/servers.cgi) and [pool.ntp.org](https://www.ntppool.org/en/).
The NTP server addresses for these sources are:
* NIST - `time.nist.gov`
* NTP Pool - `pool.ntp.org`
If you are running this lab from a CML server in your home lab, or a cloud provider, you should be able to leverage either of these NTP server addresses.
While these sources are trusted worldwide, some companies block access to these public NTP servers from within private networks and opt to provide their own NTP servers for internal systems. This means that if you are running this lab on a CML server that is hosted on a network that blocks access to public NTP servers, you'll need to check with the IT team to find the address for a reachable NTP server to query.
To test to see if the public servers are reachable, follow these steps.
1. Open the console to `netadmin` and login.
1. Use the `ntpd` service to query the public servers.
```
ntpd -dw -p pool.ntp.org -p time.nist.gov
```
> Note: End the `ntpd` query by pressing `Cntrl-C` (`^C`).
1. If you see output that looks like the below, these public servers are NOT available for you to leverage for this lab.
```
ntpd: 'pool.ntp.org' is 104.234.67.234
ntpd: 'time.nist.gov' is 132.163.97.4
ntpd: sending query to 132.163.97.4
ntpd: sending query to 104.234.67.234
ntpd: timed out waiting for 132.163.97.4, reach 0x00, next query in 1s
ntpd: 'time.nist.gov' is 132.163.97.4
ntpd: timed out waiting for 104.234.67.234, reach 0x00, next query in 1s
```
1. See if you can find an available NTP server for your lab environment. For example, suppose you are told an NTP server is available at `10.1.1.1`. Let's test that address.
```
ntpd -dw -p 10.1.1.1
# Output
ntpd: sending query to 10.1.1.1
ntpd: reply from 10.1.1.1: offset:+36.082774 delay:0.002821 status:0x24 strat:3 refid:0x05f1c00a rootdelay:0.001083 reach:0x01
```
* This output shows a reachable NTP server. Don't worry about the details of the output just now.
1. What should you do if the public servers aren't reachable AND you can't find information on an available server? Never fear! We have included an NTP server in the lab that can be used. It might not have exact accurate time, but it will work for the lab. This NTP server is available at `ntpserver.example.com`.
```
ntpd -dw -p ntpserver.example.com
# Output
ntpd: 'ntpserver.example.com' is 192.168.100.100
ntpd: sending query to 192.168.100.100
ntpd: reply from 192.168.100.100: offset:-0.191950 delay:0.002921 status:0x24 strat:1 refid:0x00000000 rootdelay:0.000000 reach:0x01
```
## Checking the current date/time on the router
So NTP can be used to set the time on network devices, but how do you check what the current clock is set to on an IOS router or switch?
1. Open up the console to `rtr01`, and enter enable mode.
1. Run the command `show clock` to check the current time on the router.
```
show clock
# Output
00:11:51.832 UTC Fri Jan 1 1993
```
1. Well.. unless you've gone back in time to the early nineties, the time displayed by the router probably doesn't look close to accurate.
1. Let's go ahead and "fix" the time manually. Check the current time on your computer and use the following command to correct the time.
> ***Note: The timezone setting on the router is UTC, be sure to convert your local time to UTC before setting the time in this step.***
```
clock set 19:49:00 23 March 2025
! Command Format
clock set <MM:HH:SS> <1-31> <MONTH> <YEAR>
# Output
Mar 23 19:49:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 00:00:46 UTC Fri Jan 1 1993 to 19:49:00 UTC Sun Mar 23 2025, configured from console by console.
```
1. Verify the time was updated correctly with `show clock`.
Excellent job! The clock on the router is right and we can all go out for some dinner and watch a movie right?
## Configuring NTP client to maintain time sync
Unfortunately dinner and the movie is going to have to wait. It is just a fact of modern computing that computers eventually experience a time drift. Typically they drift slower over time. There are many contributing factors to time loss for computers, but it does happen. A little bit every day. And even if computers did NOT lose time, there is another reason why configuring NTP to maintain sync is important. How accurate were you when you configured the manual time in the previous step? Were you accurate to the second? To the millesecond? Accurate time for computers is important for a lot of applications.
So now that I've convinced you that we need a little help to keep our router's clock accurate, let us finally dive into NTP and use it to keep our router in sync.
> In the following steps, use the best NTP server for your particular lab environment. If a public NTP server is reachable, use that. If you have a private NTP server address that works, leverage that one. And if neither the public or private NTP servers are an option, then you can use `ntpserver.example.com`.
1. Back on the console for `rtr01` check the current status of NTP with the following commands.
```
show ntp status
# Output
%NTP is not enabled.
```
```
show ntp associations
# No output
```
> Okay, NTP is not running.
1. Now enter configuration mode and configure the `ntp server` for your router.
```
ntp server ntpserver.example.com
```
1. Return to enable mode and check the status of NTP.
```
show ntp status
# Example Output
Clock is unsynchronized, stratum 2, reference is 192.168.100.100
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**10
ntp uptime is 74900 (1/100 of seconds), resolution is 4000
reference time is EB8AE8C3.CC49BC90 (20:08:35.798 UTC Sun Mar 23 2025)
clock offset is 18494.9973 msec, root delay is 1.95 msec
root dispersion is 18499.91 msec, peer dispersion is 3.88 msec
loopfilter state is 'FREQ' (Drift being measured), drift is 0.000000000 s/s
system poll interval is 64, last update was 5 sec ago.
```
* There is a lot of detail in the output above, much of it beyond the scope for the CCNA candidate.
* The first line indicates that the router is currently `unsynchronized` with the server (ie `reference`)
* `clock offset is 18494.9973 msec` indicates that there is an 18 second difference between the router's clock and the server. In this case our router is 18 seconds behind. If it was ahead, the value would be negative. This "offset" is why we are currently `unsynchronized`
1. NTP does NOT make large changes to a systems time, this could be disruptive to services. Rather it makes small adjustment with the goal being to bring the client into sync overtime. This process can take several minutes to hours depending on network conditions and the amount of offset involved.
* You can speed up the process of synchronization by manually updating a devices clock to be closer to the NTP server.
1. Another handy show command is `show ntp associations`.
```
show ntp associations
# Output
address ref clock st when poll reach delay offset disp
*~192.168.100.100 . 1 65 64 1 0.945 18495.1 7938.9
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
```
* The output from this command will show the NTP status in a table format. Key details to note are:
* The `*` indicating the currently selected reference clock
* The `~` indicating that this is a "configured" server. Which most of your NTP servers will be.
* The `offset` to indicate how far apart the client and server are from a time perspective
While NTP brings this router into sync with the server, we'll move onto enable the router to act as an NTP server for other network clients.
## Enabling an IOS router to act as an NTP server
Now that we've got our edge router setup to keep its own clock in sync with a trusted NTP server, we want to set it up to provide time to other network devices. You might wonder, why not just have each and every device ask the same trusted server? Well, there are a few different reasons...
* Efficient use of bandwidth. NTP isn't a big drain on network resources, but even small packets add up if you have hundreds or thousands of devices asking "what time is it" every minute. So having a "local" NTP server for other devices to query for time is a great solution for effeciency.
* What happens if the public server can't be reached, or needs to be changed? It's much easier to have just a single device to update than every device on the network
* Distributing the load on the NTP servers themselves. NTP is designed to be setup in a distributed "tree" hierarchy. Where the initial reference time source is passed from tier to tier of NTP servers and eventually to clients. Distributing the load like this is better for the network overall
Speaking of the "tiers" of NTP servers, NTP has the concept of the "stratum" of the NTP server. Stratum is an integer from 1 - 15 that indicates how close to the reference clock this particular source is. A stratum of `1` is the base reference. A stratum of `2` is a server that directly learned the time from the `stratum 1` server. NTP clients can be configured with multiple NTP servers for redundancy. The client will prefer a lower stratum source over a higher stratum source.
Now that we've got some background information laid out, let's get the configuring!
1. Open the console for `rtr01` and enter configuration mode.
1. Enable the router to act as an NTP server with a stratum of 5 with this command.
```
ntp master 5
```
1. Let's test that the NTP server is working, open the console for `netadmin` and send an NTP query to the router.
```
ntpd -dw -p rtr01
```
* The goal is that you'll get output that looks like this where we get a good reply from the server.
```
ntpd: reply from 10.0.0.1: offset:-18.652104 delay:0.001246 status:0x24 strat:5 refid:0x01017f7f rootdelay:0.000000 reach:0x01
```
* If you get output that looks like this that indicates the "peer is unsynced", this is an indication that `rtr01` hasn't fully synchronized it's own time with its configured NTP server.
```
ntpd: reply from 10.0.0.1: peer is unsynced
```
* If you are seeing the above in your test, remove the configured NTP server on `rtr01` and repeat the query.
```
no ntp server ntpserver.example.com
```
> In a "real network", the best solution would be to wait for the router to complete its synchronization. But with virtualized and simulated network devices like in this lab, the added overhead of simulation might prevent NTP from getting "fully healthy" and synchronized.
Once you've got a healthy result from the `ntpd` query test, your new NTP server is ready to go!
## Using NTP to synchronize `sw01` from `rtr01`
We've setup the site router to act as an NTP server, let's use it to keep the switch's clock accurate!
1. Opening the console for `sw01` and check the current time. If it is "close" to the accurate time you can leave it alone. If it is wildly different from accurate, go ahead and manually fix it.
1. Now configure the switch to use `rtr01` as its NTP server. You can use the IP address for the router, or the DNS name.
```
ntp server rtr01.example.com
```
1. Give it a few seconds for the initial NTP query to be sent and processed and check the status.
```
show ntp status
# Output
Clock is unsynchronized, stratum 6, reference is 10.0.0.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**10
ntp uptime is 2900 (1/100 of seconds), resolution is 4000
reference time is EB8C338C.B3B64790 (19:39:56.702 UTC Mon Mar 24 2025)
clock offset is -18902.4981 msec, root delay is 1.00 msec
root dispersion is 19097.90 msec, peer dispersion is 189.44 msec
loopfilter state is 'FREQ' (Drift being measured), drift is 0.000000000 s/s
system poll interval is 64, last update was 15 sec ago.
```
* Although the clock is indicated as unsynchronized, the synchronization process has started.
* The switch reports a `stratum 6` with a reference of `10.0.0.1`. `10.0.0.1` is `rtr01`, and remember we configured it for `stratum 5`. The switch adds `1` to the stratrum value for its own clock.
* Check the current clock offset for your network, how off is your time?
If you'd like to see the network get "in-sync", give it some time and check the status. You should see the offset shrink until it disappears and the status goes to `Clock is synchronized`. For example:
```
sw01#show ntp status
Clock is synchronized, stratum 6, reference is 10.0.0.1
nominal freq is 250.0000 Hz, actual freq is 250.1250 Hz, precision is 2**10
ntp uptime is 249000 (1/100 of seconds), resolution is 4000
reference time is EB8C3EB1.3541469D (20:27:29.208 UTC Mon Mar 24 2025)
clock offset is -91.5236 msec, root delay is 1.00 msec
root dispersion is 200.51 msec, peer dispersion is 64.49 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is -0.000499999 s/s
system poll interval is 64, last update was 49 sec ago.
```
## Great Job!
That's all there is to the basic setup for NTP on network devices. It isn't a complicated protocol, but it is an important one.
As with many topics in networking, there are more topic areas you could explore. Accurate time is very important in network operations, and one way to disrupt a network is to inject incorrect time from unauthorized NTP servers. NTP supports authentication between servers and clients to make sure only "trusted" servers are used.
So for now, have a great ***time*** in your CCNA preparation studies!
title: CCNA Prep 2025 S2E5 NTP Basics
version: 0.2.2

5
lab-topologies/ccna-prep/s2e5/README.md Normal file
View File

@@ -0,0 +1,5 @@
# Syncing Success: The Role of NTP in Network Operations
*Abstract:* Delve into the importance of Network Time Protocol (NTP) in maintaining synchronized time across network devices. In this session, review the steps to configure NTP for both client and server modes. Discover why synchronized time is crucial for accurate event logging, seamless coordination of network operations, and effective security measures. Master this important topic in “time” to take your exam.
![](s2e5-ntp.jpg)

BIN
lab-topologies/ccna-prep/s2e5/s2e5-ntp.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 121 KiB

1094
lab-topologies/ccna-prep/s2e6/CCNA_Prep_2025_S2E6_Syslog.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

BIN
lab-topologies/ccna-prep/s2e6/CCNA_Prep_S02E06_Syslog_Guide.pdf Normal file
View File

Binary file not shown.

5
lab-topologies/ccna-prep/s2e6/README.md Normal file
View File

@@ -0,0 +1,5 @@
# The Syslog Detective: Unraveling Network Mysteries
*Abstract:* Step into the shoes of a network detective in this engaging live event, where Syslog serves as your investigative tool. Learn how to configure Syslog to capture and analyze crucial network events, uncovering the hidden clues within your infrastructure. Through hands-on exercises, well master syslogs role in solving network mysteries by piecing together performance insights, troubleshooting issues, and enhancing security monitoring. Join us to become a Syslog sleuth and complete your CCNA Preparation.
![](s2e6-syslog.jpg)

BIN
lab-topologies/ccna-prep/s2e6/s2e6-syslog.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 72 KiB

934
lab-topologies/ccna-prep/s2e7/CCNA_Prep_2025_S2E7_SNMP.yaml Normal file
View File

@@ -0,0 +1,934 @@
annotations:
- border_color: '#00000000'
border_style: ''
color: '#000000'
rotation: 0
text_bold: true
text_content: 'CCNA Exam Prep: Back to Networking Basics with Hank Preston and
Patrick Gargano'
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -471.6817382409052
y1: -26.525460120105087
z_index: 2
- border_color: '#00000000'
border_style: ''
color: '#000000'
rotation: 0
text_bold: true
text_content: 'Simplifying SNMP: Delivering Data for Network Operation Dashboards'
text_font: monospace
text_italic: false
text_size: 18
text_unit: pt
thickness: 1
type: text
x1: -478.8116768915578
y1: 17.039509205221208
z_index: 2
- border_color: '#00000000'
border_style: ''
color: '#000000'
rotation: 0
text_bold: false
text_content: |-
CCNA 1.1 Exam Topic
4.4 Explain the function of SNMP in network operations
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -483.68829366711856
y1: 211.52777439162983
z_index: 2
- border_color: '#00000000'
border_style: ''
color: '#808080FF'
rotation: 0
text_bold: false
text_content: |2-
host user/pass: cisco / cisco
network enable password: enablepass
telnet password: telnetpass
text_font: monospace
text_italic: false
text_size: 10
text_unit: pt
thickness: 1
type: text
x1: -480.0
y1: 440.0
z_index: 3
- border_color: '#00000000'
border_style: ''
color: '#808080FF'
rotation: 0
text_bold: true
text_content: 'Credentials:
'
text_font: monospace
text_italic: false
text_size: 10
text_unit: pt
thickness: 1
type: text
x1: -480.0
y1: 440.0
z_index: 3
- border_color: '#00000000'
border_style: ''
color: '#808080FF'
rotation: 0
text_bold: true
text_content: ____________
text_font: monospace
text_italic: false
text_size: 10
text_unit: pt
thickness: 1
type: text
x1: -480.0
y1: 440.0
z_index: 3
- border_color: '#808080FF'
border_radius: 2
border_style: ''
color: '#7FF0FA'
thickness: 2
type: rectangle
x1: -483.21004499370474
y1: 310.36986501888595
x2: 763.2100449937047
y2: 260.47255474961986
z_index: 0
- border_color: '#00000000'
border_style: ''
color: '#000000'
rotation: 0
text_bold: false
text_content: |-
Network Monitoring is critical to security and troubleshooting tasks. As your network grows and evolves,
centralized monitoring becomes even more important. SNMP is a protocol that allows you to remotely monitor
a wide range of settings and counters, be alerted when there are changes, and even remotely make configuration changes.
In this lab you will explore how SNMP works and how to configure and verify SNMP on Cisco devices.
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -481.93824659111294
y1: 62.64675567294343
z_index: 4
- border_color: '#00000000'
border_style: ''
color: '#808080FF'
rotation: 0
text_bold: false
text_content: ''
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: 400.19267871188174
y1: 190.55284132635407
z_index: 6
- border_color: '#00000000'
border_style: ''
color: '#000000'
rotation: 0
text_bold: false
text_content: |-
Concepts:
- SNMP Manager or NMS
- SNMP Agent
- MIB and OID
- SNMP Set, Get, Trap, Inform
- SNMP versions
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: 337.4106520219703
y1: 316.30633613768475
z_index: 7
nodes:
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n0
image_definition: null
label: internet
node_definition: external_connector
parameters: {}
ram: null
tags: []
x: 240
y: 360
interfaces:
- id: i0
label: port
slot: 0
type: physical
- boot_disk_size: null
configuration:
- name: ios_config.txt
content: |-
hostname rtr01
!
! In order to avoid entering a configuration dialog
! on boot, please ensure that all ethernet interfaces
! have some ip configuration present here such as the
! example below:
!
interface range Ethernet 0/0 - 3
no ip address
shutdown
!
ip host rtr01.example.com 10.0.0.1
ip host sw01.example.com 192.168.0.2
ip host ntpserver.example.com 192.168.100.100
ip name-server 192.168.255.1
ip domain name example.com
ip dns server
ip dns primary example.com soa 192.168.0.1 admin@example.com 21600 900 7776000 86400
ntp server 192.168.100.100
!
ip dhcp excluded-address 192.168.0.1 192.168.0.10
ip dhcp pool inside
network 192.168.0.0 /24
default-router 192.168.0.1
dns-server 10.0.0.1
domain-name example.com
exit
!
ip access-list standard NAT
permit 192.168.0.0 0.0.0.255
permit 192.168.100.0 0.0.0.255
!
ip nat inside source list NAT interface e0/0 overload
!
interface e0/1
description Link to Inside Hosts
ip address 192.168.0.1 255.255.255.0
ip nat inside
no shut
!
interface e0/0
description Link to Internet
ip address dhcp
ip nat outside
no shut
!
interface e0/2
description Link to Lab NTP Server
ip address 192.168.100.1 255.255.255.0
ip nat inside
no shut
!
interface loopback0
ip address 10.0.0.1 255.255.255.255
!
enable secret enablepass
!
line vty 0 4
transport input telnet
login
password telnetpass
!
do clock set 00:00:00 01 Jan 1993
!
end
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n1
image_definition: null
label: rtr01
node_definition: iol-xe
parameters: {}
ram: null
tags: []
x: 0
y: 360
interfaces:
- id: i0
label: Loopback0
type: loopback
- id: i1
label: Ethernet0/0
slot: 0
type: physical
- id: i2
label: Ethernet0/1
slot: 1
type: physical
- id: i3
label: Ethernet0/2
slot: 2
type: physical
- id: i4
label: Ethernet0/3
slot: 3
type: physical
- boot_disk_size: null
configuration:
- name: ios_config.txt
content: |-
hostname sw01
ip domain name example.com
!
vtp version 2
vtp mode transparent
!
vlan 10
name inside-network
!
interface e0/0
description Link to rtr01
switchport mode access
spanning-tree portfast
switchport access vlan 10
!
interface e0/1
description Link to netadmin
switchport mode access
spanning-tree portfast
switchport access vlan 10
!
interface loopback0
ip address 1.1.1.1 255.255.255.255
!
interface vlan 10
description Switch Management Interface
ip address 192.168.0.2 255.255.255.0
no shutdown
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip name-server 10.0.0.1
!
line vty 0 4
no login
transport input none
!
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n2
image_definition: null
label: sw01
node_definition: ioll2-xe
parameters: {}
ram: null
tags: []
x: -200
y: 360
interfaces:
- id: i0
label: Loopback0
type: loopback
- id: i1
label: Ethernet0/0
slot: 0
type: physical
- id: i2
label: Ethernet0/1
slot: 1
type: physical
- id: i3
label: Ethernet0/2
slot: 2
type: physical
- id: i4
label: Ethernet0/3
slot: 3
type: physical
- boot_disk_size: null
configuration:
- name: node.cfg
content: |-
# this is a shell script which will be sourced at boot
hostname netadmin
# configurable user account
USERNAME=cisco
PASSWORD=cisco
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n3
image_definition: null
label: netadmin
node_definition: desktop
parameters: {}
ram: null
tags: []
x: -440
y: 360
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
- boot_disk_size: null
configuration:
- name: node.cfg
content: |-
# this is a shell script which will be sourced at boot
hostname snmp_nms
# configurable user account
USERNAME=cisco
PASSWORD=cisco
# Static IP address
ip address add 192.168.100.100/24 dev eth0
ip route add default via 192.168.100.1
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n4
image_definition: null
label: SNMP-NMS
node_definition: desktop
parameters: {}
ram: null
tags: []
x: -1
y: 500
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
links:
- id: l0
n1: n2
n2: n1
i1: i1
i2: i2
conditioning: {}
label: sw01-Ethernet0/0<->rtr01-Ethernet0/1
- id: l1
n1: n3
n2: n2
i1: i0
i2: i2
conditioning: {}
label: netadmin-eth0<->sw01-Ethernet0/1
- id: l2
n1: n1
n2: n0
i1: i1
i2: i0
conditioning: {}
label: rtr01-Ethernet0/0<->internet-port
- id: l3
n1: n1
n2: n4
i1: i3
i2: i0
conditioning: {}
label: rtr01-Ethernet0/2<->desktop-0-eth0
lab:
description: 'Discover the essential role of Simple Network Management Protocol
(SNMP) in network operations during this interactive live event. Review why SNMP
is a fundamental tool for monitoring and managing network performance, and how
it provides critical insights into device status and operational health. Through
practical exercises, you''ll see SNMP''s capabilities in action, enabling efficient
network management and proactive troubleshooting. '
notes: |-
**CCNA Exam Prep: Back to Networking Basics with Hank Preston and Patrick Gargano -- Season 2**
# Simplifying SNMP: Delivering Data for Network Operation Dashboards
Network Monitoring is critical to security and troubleshooting tasks. As your network grows and evolves,
centralized monitoring becomes even more important. SNMP is a protocol that allows you to remotely monitor
a wide range of settings and counters, be alerted when there are changes, and even remotely make configuration changes.
In this lab you will explore how SNMP works and how to configure and verify SNMP on Cisco devices.
Related CCNA v1.1 exam topic:
* 4.4 Explain the function of SNMP in network operations
In this lab, we will:
* Explore SNMP and its different versions
* Configure and verify SNMPv2c
* Configure and verify SNMPv3
* Explore the SNMP message format and MIB using the snmpwalk command
## Setup and Scenario
In this set of lab-based demonstrations, you are a network engineer tasked with configuring SNMPv2c on a Cisco switch and SNMPv3 on a Cisco router.
You've been asked to:
* Configure the sw01 switch to send SNMPv2c traps to the NMS server.
* Configure the rtr01 router to send SNMPv3 traps to the NMS server.
*Be sure to **START** the lab before continuing to the demo lab.*
> Note: The credentials for all devices are shown in the CML topology.
## Part 1: Explore SNMP and its different versions
Before we jump into configuring SNMP, let's explore how SNMP operates and how it evolved over time.
SNMP has become the standard for network management. It is a simple, easy-to-implement protocol and is supported by nearly all vendors. SNMP defines how management information is exchanged between SNMP managers and SNMP agents. It uses the UDP transport mechanism on ports 162 and 162 to retrieve and send management information, such as MIB variables.
SNMP is typically used to gather environment and performance data such as device CPU usage, memory usage, interface traffic, interface error rate, and so on.
The SNMP manager periodically polls the SNMP agents on managed devices by querying the device for data. Agents can generate SNMP traps, which are unsolicited notifications that are sent from agent to manager. SNMP traps are event-based and provide almost real-time event notifications.
There are three important concepts when it comes to SNMP:
* The SNMP manager or network management system (NMS) collects management data from managed devices via polling or trap messages.
* The SNMP agent is found on a managed network device, it locally organizes data and sends it to the manager.
* The Management Information Base (MIB) represents a virtual information storage location that contains collections of managed objects. Within the MIB, there are objects that relate to different defined MIB modules (for example, the interface module). Objects in the MIB are referenced by their object ID (OID), which specifies the path from the tree root to the object. For example, system identification data is located under 1.3.6.1.2.1.1. Some examples of system data include the system name (OID 1.3.6.1.2.1.1.5), system location (OID 1.3.6.1.2.1.1.6), and system uptime (OID 1.3.6.1.2.1.1.3).
You can use the [Cisco SNMP SNMP Object Navigator](
https://snmp.cloudapps.cisco.com/Support/SNMP/do/BrowseOID.do?local=en) to locate and identify different OID values
There are three different versions of SNMP:
* SNMP version 1: SNMPv1 is the initial version of SNMP. SNMPv1 security is based on communities that are nothing more than passwords: plaintext strings that allow any SNMP-based application that knows the strings to gain access to the management information of a device. There are typically three communities in SNMPv1: read-only, read-write, and trap.
* SNMP version 2c: SNMPv2 was the first attempt to fix SNMPv1 security flaws. However, SNMPv2 never really took off. The only prevalent version of SNMPv2 today is SNMPv2c, which contains SNMPv2 protocol enhancements but leaves out the security features that no one could agree on. The letter "c" designates v2c as being "community-based," which means that it uses the same authentication mechanism as v1: community strings.
* SNMP version 3: SNMPv3 is the latest version. It adds support for strong authentication and private communication between managed entities. You can define a secure policy for each group, and optionally you can limit the IP addresses to which its members can belong. You have to define encryption and hashing algorithms and passwords for each user. SNMPv3 introduces three levels of security:
* Security level ``noAuthNoPriv``: No authentication is required, and no privacy (encryption) is provided.
* Security level ``authNoPriv``: Authentication is required, but no encryption is provided.
* Security level ``authPriv``: In addition to authentication, encryption is also used.
## Part 2: Configure and verify SNMPv2c on sw01
Let's deploy SNMPv2c on the sw01 switch to send traps to the SNMP_NMS device.
### Step 1
Configure an access-list for SNMPv2 use on sw01.
<pre>
sw01(config)# <b>ip access-list standard SNMP-NMS</b>
sw01(config-std-nacl)# <b>permit host 192.168.100.100</b>
sw01(config-std-nacl)# <b>exit</b>
</pre>
This ACL will be used to specify exactly where SNMP **get** and **set** messages should be coming from. In this lab, the 192.168.100.0/24 network is the management network, and the SNMP manager is located at 192.168.100.100
Note that the Alpine Linux server in this lab is not yet configured as a NMS.
### Step 2
Configure general SNMP information. Specify a location for the device, some contact information, and a chassis value.
<pre>
sw01(config)# <b>snmp-server location RCD</b>
sw01(config)# <b>snmp-server contact ccnaprep@example.com</b>
sw01(config)# <b>snmp-server chassis-id Cisco IOL-L2 Switch sw01</b>
</pre>
### Step 3
SNMPv2c using a community string-based authentication. Access can be limited further by using an access list. Create a read-only community named CCNAPREP that is limited by the SNMP-NMS ACL
<pre>
sw01(config)# <b>snmp-server community CCNAPREP ro SNMP-NMS</b>
</pre>
### Step 4
Configure 192.168.100.100 as a trap receiver using SNMPv2c and the community CCNAPREP.
<pre>
sw01(config)# <b>snmp-server host 192.168.100.100 version 2c CCNAPREP</b>
</pre>
### Step 5
Configure interface index persistence.
<pre>
sw01(config)# <b>snmp-server ifindex persist</b>
</pre>
Network monitoring systems record throughput and other interface statistics using SNMP polling. Each interface is referenced by its unique index number, which is dynamically assigned by the IOS during bootup. The index of each interface can be determined with the command ``show snmp mib ifmib ifindex``. The dynamic assignment aspect of this can be problematic for documentation. Therefore, it is a good idea to instruct the system to keep a persistent list of interfaces, rather than a dynamic one. The use of this command creates a file stored in NVRAM.
Use the ``show snmp mib ifmib ifindex`` command to verify the current interface indexes.
<pre>
sw01# <b>show snmp mib ifmib ifindex </b>
Ethernet0/1: Ifindex = 2
Ethernet0/3: Ifindex = 4
<mark>Loopback0: Ifindex = 8</mark>
Ethernet0/0: Ifindex = 1
Null0: Ifindex = 6
Vlan10: Ifindex = 7
Ethernet0/2: Ifindex = 3
SR0: Ifindex = 5
</pre>
Notice that the Loopback 0 interface in the output above has an index value of 8. Your actual values might differ.
### Step 6
Enable SNMP to send a trap to the NMS server when an interface on the switch goes down or up.
<pre>
sw01(config)# <b>snmp-server enable traps snmp linkdown linkup </b>
</pre>
This final SNMP configuration command actually enables the forwarding of traps to the configured trap receiver. As a part of this command, traps can be limited (as they can be in the ``snmp-server host`` command). For this lab, you will send a trap to the NMS anytime an interface goes down or up.
### Step 7
Start a Packet Capture on the link between rtr01 and the NMS server and filter the capture to UDP port 162.
### Step 8
Verify SNMP configuration
To verify that traps are being sent, issue the command ``debug snmp packets`` and then shutdown the Loopback 0 interface. You should see debug output indicating that an SNMP packet was sent. It might take a few moments for the switch to start sending traps and for them to appear in the packet capture.
<pre>
sw01# <b>debug snmp packets</b>
sw01# config t
sw01(config)# <b>interface loopback 0</b>
sw01(config-if)# <b>shut</b>
sw01(config-if)#
*Apr 26 01:10:18.534: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to down
*Apr 26 01:10:18.534: %LINK-5-CHANGED: Interface Loopback0, changed state to administratively down
sw01(config-if)#
*Apr 26 01:10:18.534: SNMP: Queuing packet to 192.168.100.100
*Apr 26 01:10:18.534: SNMP: V2 Trap, reqid 10, errstat 0, erridx 0
sysUpTime.0 = 2047407
snmpTrapOID.0 = snmpTraps.3
ifIndex.8 = 8
ifDescr.8 = Loopback0
ifType.8 = 24
lifEntry.20.8 = administratively down
<mark>*Apr 26 01:10:18.784: SNMP: Packet sent via UDP to 192.168.100.100</mark>
</pre>
Notice in the output that a packet was sent to 192.168.100.100 using UDP, and that the message references the Loopback0 interface and shows that the interface was manually shutdown.
### Step 9
Verify the SNMP packet in the Packet Capture.
Click the captured packet and open the SNMP line in the packet details. Expand all the available lines. You will see that CML does not interpret or convert the ASCII values for the individual OID entries in the SNMP packet. You will need Wireshark to help you with that. Wireshark is a free and open-source network protocol analyzer used for troubleshooting, analyzing, and debugging network problems. It captures and displays network traffic, allowing users to examine data at the packet level. This tool is valuable for network administrators, security professionals, and developers to understand how applications communicate and identify potential security issues. Although CML's Packet Capture tool is very powerful, for advanced packet analysis, Wireshark is invaluable.
> You can download Wireshark [here](https://www.wireshark.org/download.html).
In CML, click the ``Download`` button in the Packet Capture window to save the PCAP to your PC. Open the PCAP file using Wireshark. Expand the SNMP line and all its entries. This time you will be able to read in clear text the information contained in the SNMP packet. You should see the index value of the interface (8), the name of the interface (Loopback0), and the status of the interface (administratively down).
### Step 10
Verify general SNMP settings using the ``show snmp`` command.
<pre>
sw01# <b>show snmp</b>
<mark>Chassis: Cisco IOL-L2 Switch sw01
Contact: ccnaprep@example.com
Location: RCD</mark>
0 SNMP packets input
0 Bad SNMP version errors
0 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
0 Number of requested variables
0 Number of altered variables
0 Get-request PDUs
0 Get-next PDUs
0 Set-request PDUs
0 Input queue packet drops (Maximum queue size 1000)
0 Dispatcher queue packet drops (Maximum queue size 75)
1 SNMP packets output
0 Too big errors (Maximum packet size 1500)
0 No such name errors
0 Bad values errors
0 General errors
0 Response PDUs
<mark>1 Trap PDUs</mark>
Packets currently in SNMP process input queue: 0, max 1000
Packets currently in SNMP PDU dispatcher queue: 0, max 75
SNMP global trap: enabled
<mark>SNMP logging: enabled
Logging to 192.168.100.100.162, 0/10, 1 sent, 0 dropped.</mark>
</pre>
The output confirms the basic SNMP settings and how many trap messages were sent to the NMS.
### Step 11
Verify the SNMP configuration found in the running-config on sw01.
<pre>
sw01# <b>show run | section snmp</b>
snmp-server community CCNAPREP RO SNMP-NMS
snmp-server location RCD
snmp-server contact ccnaprep@example.com
snmp-server chassis-id Cisco IOL-L2 Switch sw01
snmp-server enable traps snmp linkdown linkup
snmp-server host 192.168.100.100 version 2c CCNAPREP
snmp ifmib ifindex persist
</pre>
## Part 3: Configure and verify SNMPv3 on rtr01
Let's deploy SNMPv3 on the rtr01 router to send traps to the SNMP-NMS device. The configuration for SNMPv3 is quite different to what you did on sw01 for SNMPv2c. For SNMPv3, instead of a community string, you need to configure the following:
* SNMP view: Views specify which MIB objects are visible to a particular group.
* SNMP group: Groups are used to combine users and assign them to specific views and security levels.
* SNMP user: Once groups and views are defined, users are assigned to a specific group.
In summary, views define what information is visible, groups define who can access that information, and users are assigned to groups to inherit the access permissions. This layered approach provides flexibility and granular control over SNMPv3 access on Cisco devices.
### Step 1
Configure an access-list for SNMPv3 use on rtr01.
<pre>
rtr01(config)# <b>ip access-list standard SNMP-NMS</b>
rtr01(config-std-nacl)# <b>permit host 192.168.100.100</b>
rtr01(config-std-nacl)# <b>exit</b>
</pre>
This ACL is identical to the ACL you configured on sw01 and limits access to the router's MIB .
### Step 2
Configure a SNMPv3 view called SNMP-RO that includes the entire ``iso`` tree from the MIB.
<pre>
rtr01(config)# <b>snmp-server view SNMP-RO iso included</b>
</pre>
In a production network, you would want to restrict the view to a smaller subset of MIBs.
### Step 3
Configure a read-only SNMPv3 group with the highest level of security supported and assigned the ACL defined in Step 1.
<pre>
rtr01(config)# <b>snmp-server group ADMIN v3 priv read SNMP-RO access SNMP-NMS</b>
</pre>
A read-only SNMP group is configured with the name ADMIN, it is set to SNMPv3 with authentication and encryption required, and only allows access to the host permitted in the SNMP-NMS ACL.
### Step 4
Configure a SNMPv3 user, assign it to the ADMIN group, and use SHA-1 and AES-128 for authentication and encryption.
<pre>
rtr01(config)# <b>snmp-server user USER1 ADMIN v3 auth sha cisco12345 priv aes 128
cisco54321</b>
rtr01(config)#
Jan 1 01:52:49.896: Configuring snmpv3 USM user, persisting snmpEngineBoots. Please Wait...
</pre>
Once the user is created, you should get a message at the console indicating that the internal SNMP process is starting up.
### Step 5
Configure a SNMPv3 trap receiver at 192.168.100.100 and assign the user created in Step 4.
<pre>
rtr01(config)# <b>snmp-server host 192.168.100.100 version 3 priv USER1</b>
</pre>
### Step 6
Enable SNMP trap sending to send a trap to the NMS server when an interface on the router goes down or up.
<pre>
rtr01(config)# <b>snmp-server enable traps snmp linkdown linkup </b>
</pre>
### Step 7
Configure interface index persistence.
<pre>
rtr01(config)# <b>snmp-server ifindex persist</b>
</pre>
### Step 8
Save your configuration to NVRAM and reload the rtr01 router.
<pre>
rtr01# <b>copy run start</b>
Destination filename [startup-config]?
Building configuration...
[OK]
rtr01# <b>reload</b>
Proceed with reload? [confirm]
</pre>
> Note: Because of a bug in the Cisco IOL image in CML, you need to reboot the router after starting the SNMPv3 process to ensure that the next steps work correctly. Configuration of SNMPv3 in a production network does NOT require a device reboot.
### Step 8
After the router reboots and you can log back into Privileged EXEC mode, start a Packet Capture on the link between rtr01 and the NMS server and filter the capture to UDP port 162.
### Step 9
Verify SNMP configuration
To verify that traps are being sent, issue the command ``debug snmp packets`` and shutdown the E0/0 interface and then re-enable it. You should see debug output indicating that two SNMP packets were sent. It might take a few moments for the router to start sending traps and for them to appear in the packet capture.
<pre>
rtr01# <b>debug snmp packets</b>
SNMP packet debugging is on
rtr01# <b>conf t</b>
Enter configuration commands, one per line. End with CNTL/Z.
rtr01(config)# <b>interface e0/0</b>
rtr01(config-if)# <b>shutdown</b>
rtr01(config-if)#
Apr 26 01:10:18.534: %LINK-5-CHANGED: Interface Ethernet0/0, changed state to administratively down
Apr 26 01:10:19.534: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to down
rtr01(config-if)# <b>no shutdown</b>
rtr01(config-if)#
Apr 26 01:10:20.534: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
rtr01(config-if)#
Apr 26 01:10:21.534: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up
rtr01(config-if)#
Apr 26 01:10:22.534: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet0/0 assigned DHCP address 192.168.255.184, mask 255.255.255.0, hostname rtr01
rtr01(config-if)#
Apr 26 01:10:23.534: SNMP: Queuing packet to 192.168.100.100
Apr 26 01:10:23.534: SNMP: V2 Trap, reqid 1, errstat 0, erridx 0
sysUpTime.0 = 754478
snmpTrapOID.0 = snmpTraps.3
ifIndex.1 = 1
ifDescr.1 = Ethernet0/0
ifType.1 = 6
lifEntry.20.1 = administratively down
Apr 26 01:10:24.534: SNMP: Queuing packet to 192.168.100.100
Apr 26 01:10:24.534: SNMP: V2 Trap, reqid 2, errstat 0, erridx 0
sysUpTime.0 = 754479
snmpTrapOID.0 = snmpTraps.4
ifIndex.1 = 1
ifDescr.1 = Ethernet0/0
ifType.1 = 6
lifEntry.20.1 = up
<mark>Apr 26 01:10:25.534: SNMP: Packet sent via UDP to 192.168.100.100
Apr 26 01:10:25.534: SNMP: Packet sent via UDP to 192.168.100.100</mark>
</pre>
Notice that in the output above, two traps were sent after the interface was brought back up. Your results might differ but you should still get two traps captures in the Packet Capture window.
Disable debugging with the ``do undebug all`` command.
### Step 10
Decrypt the SNMPv3 PCAP using Wireshark.
Notice that the ``Info`` column of the Packet Capture window shows that the PDU is encrypted and that the private key is unknown. You will need to download the PCAP from CML and use Wireshark to decrypt the SNMPv3 packet.
Click the ``Download`` button in the Packet Capture window and open the PCAP in Wireshark on your PC.
Right-click one of the SNMPv3 packets displayed in the top window in Wireshark, select ``Protocol Preferences`` from the menu, select ``Simple Network Management Protocol`` and then select ``Users Table``.
Click the ``+`` button to create a new user entry. Enter the following values:
User: USER1
Authentication Model: SHA-1
Password: cisco12345
Privacy Protocol: AES
Privacy password: cisco54321
Click ``Ok`` to save the USER1 table entry.
Fully expand the ``msgData: encryptedPDU`` entry. In the last expanded field, you will see information relating to the Ethernet 0/0 interface ("administratively down" or "up" depending on the SNMPv3 packet you have selected.
# Step 11
Verify the SNMPv3 configuration on rtr01.
<pre>
rtr01# <b>show snmp</b>
Chassis: 131184943
0 SNMP packets input
0 Bad SNMP version errors
0 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
0 Number of requested variables
0 Number of altered variables
0 Get-request PDUs
0 Get-next PDUs
0 Set-request PDUs
0 Input queue packet drops (Maximum queue size 1000)
0 Dispatcher queue packet drops (Maximum queue size 75)
2 SNMP packets output
0 Too big errors (Maximum packet size 1500)
0 No such name errors
0 Bad values errors
0 General errors
0 Response PDUs
2 Trap PDUs
Packets currently in SNMP process input queue: 0, max 1000
Packets currently in SNMP PDU dispatcher queue: 0, max 75
SNMP global trap: disabled
SNMP logging: enabled
Logging to 192.168.100.100.162, 0/10, 2 sent, 0 dropped.
rtr01# <b>show snmp group</b>
groupname: ADMIN security model:v3 priv
contextname: <no context specified> storage-type: nonvolatile
readview : SNMP-RO writeview: <no writeview specified>
notifyview: *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.F
row status: active access-list: SNMP-NMS
rtr01# <b>show snmp user </b>
User name: USER1
Engine ID: 800000090300AABBCC012F00
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: AES128
Group-name: ADMIN
</pre>
### Step 12
Install SNMP and SNMP tools on the SNMP-NMS device and perform a SNMP walk on the rtr01 device.
``snmpwalk`` is a command-line utility used to retrieve a subtree of management values from a network device using SNMP GETNEXT requests. It's essentially a tool that automates the process of querying multiple SNMP-enabled devices for information, instead of having to query each device individually. This allows you to gather a wide range of data from devices like routers, switches, and other network infrastructure.
<pre>
snmp_nms:~$ <b>sudo apk add net-snmp</b>
fetch http://dl-cdn.alpinelinux.org/alpine/v3.14/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.14/community/x86_64/APKINDEX.tar.gz
(1/4) Installing net-snmp-libs (5.9.3-r1)
(2/4) Installing net-snmp-agent-libs (5.9.3-r1)
(3/4) Installing net-snmp (5.9.3-r1)
(4/4) Installing net-snmp-openrc (5.9.3-r1)
Executing busybox-1.33.1-r8.trigger
OK: 1215 MiB in 334 packages
snmp_nms:~$ <b>sudo apk add net-snmp-tools</b>
(1/1) Installing net-snmp-tools (5.9.3-r1)
Executing busybox-1.33.1-r8.trigger
OK: 1216 MiB in 335 packages
snmp_nms:~$ <b>snmpwalk -v3 -u USER1 -l authPriv -a SHA -A "cisco12345" -x AES -X "cisco54321" 192.168.100.1 1.3.6.1.2.1.1</b>
SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS Software [Dublin], Linux Software (X86_64BI_LINUX-ADVENTERPRISEK9-M), Version 17.12.1, RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2023 by Cisco Systems, Inc.
Compiled Thu 27-Jul-23 22:33 by m
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.1
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1072907) 2:58:49.07
SNMPv2-MIB::sysContact.0 = STRING:
SNMPv2-MIB::sysName.0 = STRING: rtr01.example.com
SNMPv2-MIB::sysLocation.0 = STRING:
SNMPv2-MIB::sysServices.0 = INTEGER: 78
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00
</pre>
In the ``snmpwalk`` command above, you must specify the following parameters:
* SNMP version
* the user name
* the level of securty (auth and priv)
* the level of SHA authentication and the password
* the level of AES encryption and the password
* the IP address of the device to check (rtr01)
* the OID your want to view (in this case, the router's system information)
In the example above, the OID specified pulls system and IOS version information from a device.
Use the ``snmpwalk`` command and explore other OID values, like 1.3.6.1.2.1.4.24 (routing table) or 1.3.6.1.2.1.2.2.1.8 (operational status of the devices interfaces.)
Congratulations! You have completed the lab. You learned how to configure and verify SNMPv2c and SNMPv3, as well as use Wireshark and ``snmpwalk`` to analyze and gather OIDs from Cisco routers and switches.
title: CCNA Prep 2025 S2E7 SNMP
version: 0.2.2

BIN
lab-topologies/ccna-prep/s2e7/CCNA_Prep_S02E07_SNMP_Guide.pdf Normal file
View File

Binary file not shown.

5
lab-topologies/ccna-prep/s2e7/README.md Normal file
View File

@@ -0,0 +1,5 @@
# Simplifying SNMP: Delivering Data for Network Operation Dashboards
*Abstract:* Discover the essential role of Simple Network Management Protocol (SNMP) in network operations during this interactive live event. Review why SNMP is a fundamental tool for monitoring and managing network performance, and how it provides critical insights into device status and operational health. Through practical exercises, you'll see SNMP's capabilities in action, enabling efficient network management and proactive troubleshooting.
![](s2e7-snmp.jpg)

BIN
lab-topologies/ccna-prep/s2e7/s2e7-snmp.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 84 KiB

7
lab-topologies/ccna/Domain_1/1.1-explore_fundamentals/README.md Normal file
View File

@@ -0,0 +1,7 @@
# Task 1.1 - Explain the role and function of network components
CML Version used: 2.7.0+build.4
In this Lab, we'll explore the fundamental components of network infrastructure and their crucial roles in enabling seamless communication and data exchange. From routers directing internet traffic to access points providing wireless connectivity, we'll delve into the functions of Layer 2 and Layer 3 switches, next-generation firewalls, controllers like Cisco DNA Center and WLC, endpoints, servers, and Power over Ethernet technology. By understanding these components and their analogies to everyday scenarios, we'll gain insights into the intricate workings of networks and their significance in modern connectivity.
![Lab Topology](https://github.com/CiscoDevNet/cml-community/blob/master/lab-topologies/ccna/Domain_1/1.1-explore_fundamentals/Task-1.1.png)

BIN
lab-topologies/ccna/Domain_1/1.1-explore_fundamentals/Task-1.1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 304 KiB

711
lab-topologies/ccna/Domain_1/1.1-explore_fundamentals/Task_-_1.1__Netwotk_Fundamentals(Solution).yaml Normal file
View File

@@ -0,0 +1,711 @@
annotations:
- border_color: '#808080FF'
border_style: ''
color: '#FFFFFFFF'
line_end: null
line_start: null
thickness: 1
type: line
x1: -120.0
y1: 200.0
x2: -120.0
y2: 200.0
z_index: 0
- border_color: '#808080FF'
border_style: 4,2
color: '#FFFFFFFF'
line_end: null
line_start: null
thickness: 1
type: line
x1: -40.0
y1: 200.0
x2: 280.0
y2: 200.0
z_index: 1
- border_color: '#808080FF'
border_style: ''
color: '#FFFFFFFF'
line_end: null
line_start: null
thickness: 1
type: line
x1: -40.0
y1: 200.0
x2: -40.0
y2: 200.0
z_index: 2
- border_color: '#808080FF'
border_style: 4,2
color: '#FFFFFFFF'
line_end: null
line_start: null
thickness: 1
type: line
x1: -40.0
y1: 280.0
x2: -40.0
y2: 200.0
z_index: 3
- border_color: '#808080FF'
border_radius: 0
border_style: ''
color: '#FFFFFFFF'
thickness: 1
type: rectangle
x1: -80.0
y1: 280.0
x2: 80.0
y2: 40.0
z_index: 4
- border_color: '#CA272700'
border_style: ''
color: '#D65F5F'
rotation: 0
text_bold: true
text_content: AP-01
text_font: monospace
text_italic: false
text_size: 14
text_unit: pt
thickness: 1
type: text
x1: -40.0
y1: 280.0
z_index: 5
- border_color: '#808080FF'
border_style: ''
color: '#FFFFFFFF'
line_end: null
line_start: null
thickness: 1
type: line
x1: 240.0
y1: -120.0
x2: 240.0
y2: -120.0
z_index: 6
- border_color: '#808080FF'
border_style: ''
color: '#FFFFFFFF'
line_end: null
line_start: null
thickness: 1
type: line
x1: 80.0
y1: -120.0
x2: 80.0
y2: -120.0
z_index: 7
- border_color: '#808080FF'
border_style: 4,2
color: '#FFFFFFFF'
line_end: null
line_start: null
thickness: 1
type: line
x1: 80.0
y1: -120.0
x2: 280.0
y2: -120.0
z_index: 8
- border_color: '#EBC73F'
border_radius: 0
border_style: ''
color: '#FFFFFF'
thickness: 1
type: rectangle
x1: -80.0
y1: -160.0
x2: 160.0
y2: 80.0
z_index: 9
- border_color: '#00000000'
border_style: ''
color: '#E2B62C'
rotation: 0
text_bold: true
text_content: Firewall_01
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -40.0
y1: -160.0
z_index: 10
- border_color: '#00000000'
border_style: ''
color: '#EC3F3F'
rotation: 0
text_bold: true
text_content: Router-01
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: 240.0
y1: -160.0
z_index: 11
- border_color: '#00000000'
border_style: ''
color: '#68E32A'
rotation: 0
text_bold: true
text_content: L3-Switch
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: 160.0
y1: 40.0
z_index: 12
- border_color: '#00000000'
border_style: ''
color: '#0DE8C1'
rotation: 0
text_bold: true
text_content: L2-Switch
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: 320.0
y1: 200.0
z_index: 13
- border_color: '#808080FF'
border_radius: 0
border_style: ''
color: '#CDF4F3'
thickness: 1
type: rectangle
x1: 40.0
y1: 320.0
x2: 480.0
y2: 120.0
z_index: 14
- border_color: '#00000000'
border_style: ''
color: '#000005'
rotation: 0
text_bold: true
text_content: Endpoints
text_font: monospace
text_italic: false
text_size: 18
text_unit: pt
thickness: 1
type: text
x1: 240.0
y1: 400.0
z_index: 15
- border_color: '#808080FF'
border_radius: 0
border_style: ''
color: '#B9F9BC'
thickness: 1
type: rectangle
x1: 560.0
y1: -40.0
x2: 240.0
y2: 200.0
z_index: 16
- border_color: '#00000000'
border_style: ''
color: '#EE0BF1'
rotation: 0
text_bold: true
text_content: Controllers
text_font: monospace
text_italic: false
text_size: 15
text_unit: pt
thickness: 1
type: text
x1: 640.0
y1: 120.0
z_index: 17
- border_color: '#00000000'
border_style: ''
color: '#808080FF'
rotation: 0
text_bold: false
text_content: ''
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: 200.0
y1: 200.0
z_index: 18
- border_color: '#00000000'
border_style: ''
color: '#0B0000'
rotation: 0
text_bold: true
text_content: G0/4
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: 200.0
y1: 200.0
z_index: 19
- border_color: '#00000000'
border_style: ''
color: '#080000'
rotation: 0
text_bold: false
text_content: G2
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: 200.0
y1: -120.0
z_index: 20
- border_color: '#808080FF'
border_style: 4,2
color: '#FFFFFFFF'
line_end: null
line_start: null
thickness: 1
type: line
x1: 0.0
y1: -160.0
x2: 0.0
y2: -320.0
z_index: 21
- border_color: '#808080FF'
border_style: ''
color: '#FFABAB'
thickness: 1
type: ellipse
x1: 0.0
y1: -360.0
x2: 320.0
y2: 80.0
z_index: 22
- border_color: '#00000000'
border_style: ''
color: '#0C0000'
rotation: 0
text_bold: true
text_content: WAN/Internet
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -40.0
y1: -400.0
z_index: 23
- border_color: '#00000000'
border_style: ''
color: '#808080FF'
rotation: 0
text_bold: false
text_content: ''
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: 80.0
y1: -120.0
z_index: 24
- border_color: '#00000000'
border_style: ''
color: '#808080FF'
rotation: 0
text_bold: false
text_content: ''
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: 120.0
y1: -120.0
z_index: 25
- border_color: '#808080FF'
border_style: 4,2
color: '#FFFFFFFF'
line_end: null
line_start: null
thickness: 1
type: line
x1: 0.0
y1: 40.0
x2: 0.0
y2: -80.0
z_index: 26
- border_color: '#808080FF'
border_style: 4,2
color: '#FFFFFFFF'
line_end: null
line_start: null
thickness: 1
type: line
x1: 280.0
y1: 40.0
x2: 0.0
y2: 40.0
z_index: 27
- border_color: '#00000000'
border_style: ''
color: '#808080FF'
rotation: 0
text_bold: false
text_content: G0/0
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: 120.0
y1: -120.0
z_index: 28
- border_color: '#00000000'
border_style: ''
color: '#808080FF'
rotation: 0
text_bold: false
text_content: G0/1
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: 40.0
y1: -200.0
z_index: 29
- border_color: '#00000000'
border_style: ''
color: '#808080FF'
rotation: 0
text_bold: false
text_content: m0
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: 0.0
y1: -40.0
z_index: 30
nodes:
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n0
image_definition: null
label: csr1000v-0
node_definition: csr1000v
parameters: {}
ram: null
tags: []
x: 280
y: -120
interfaces:
- id: i0
label: Loopback0
type: loopback
- id: i1
label: GigabitEthernet1
slot: 0
type: physical
- id: i2
label: GigabitEthernet2
slot: 1
type: physical
- id: i3
label: GigabitEthernet3
slot: 2
type: physical
- id: i4
label: GigabitEthernet4
slot: 3
type: physical
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n1
image_definition: null
label: iosvl2-0
node_definition: iosvl2
parameters: {}
ram: null
tags: []
x: 280
y: 200
interfaces:
- id: i0
label: Loopback0
type: loopback
- id: i1
label: GigabitEthernet0/0
slot: 0
type: physical
- id: i2
label: GigabitEthernet0/1
slot: 1
type: physical
- id: i3
label: GigabitEthernet0/2
slot: 2
type: physical
- id: i4
label: GigabitEthernet0/3
slot: 3
type: physical
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n2
image_definition: null
label: iol-l2-0
node_definition: ioll2-xe
parameters: {}
ram: null
tags: []
x: 280
y: 40
interfaces:
- id: i0
label: Loopback0
type: loopback
- id: i1
label: Ethernet0/0
slot: 0
type: physical
- id: i2
label: Ethernet0/1
slot: 1
type: physical
- id: i3
label: Ethernet0/2
slot: 2
type: physical
- id: i4
label: Ethernet0/3
slot: 3
type: physical
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n3
image_definition: null
label: desktop-0
node_definition: desktop
parameters: {}
ram: null
tags: []
x: 120
y: 360
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n4
image_definition: null
label: desktop-1
node_definition: desktop
parameters: {}
ram: null
tags: []
x: 280
y: 360
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n5
image_definition: null
label: server-0
node_definition: server
parameters: {}
ram: null
tags: []
x: 440
y: 360
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n6
image_definition: null
label: vwlc-0
node_definition: vwlc
parameters: {}
ram: null
tags: []
x: 640
y: 40
interfaces:
- id: i0
label: service-port
slot: 0
type: physical
- id: i1
label: data-port
slot: 1
type: physical
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n7
image_definition: null
label: ext-conn-0
node_definition: external_connector
parameters: {}
ram: null
tags: []
x: 0
y: -320
interfaces:
- id: i0
label: port
slot: 0
type: physical
links:
- id: l0
n1: n0
n2: n2
i1: i1
i2: i1
conditioning: {}
label: csr1000v-0-GigabitEthernet1<->iol-l2-0-Ethernet0/0
- id: l1
n1: n2
n2: n1
i1: i2
i2: i1
conditioning: {}
label: iol-l2-0-Ethernet0/1<->iosvl2-0-GigabitEthernet0/0
- id: l2
n1: n1
n2: n3
i1: i2
i2: i0
conditioning: {}
label: iosvl2-0-GigabitEthernet0/1<->desktop-0-eth0
- id: l3
n1: n1
n2: n4
i1: i3
i2: i0
conditioning: {}
label: iosvl2-0-GigabitEthernet0/2<->desktop-1-eth0
- id: l4
n1: n1
n2: n5
i1: i4
i2: i0
conditioning: {}
label: iosvl2-0-GigabitEthernet0/3<->server-0-eth0
- id: l5
n1: n2
n2: n6
i1: i3
i2: i0
conditioning: {}
label: iol-l2-0-Ethernet0/2<->vwlc-0-service-port
- id: l6
n1: n6
n2: n2
i1: i1
i2: i4
conditioning: {}
label: vwlc-0-data-port<->iol-l2-0-Ethernet0/3
lab:
description: In this Lab, we'll explore the fundamental components of network infrastructure
and their crucial roles in enabling seamless communication and data exchange.
From routers directing internet traffic to access points providing wireless connectivity,
we'll delve into the functions of Layer 2 and Layer 3 switches, next-generation
firewalls, controllers like Cisco DNA Center and WLC, endpoints, servers, and
Power over Ethernet technology. By understanding these components and their analogies
to everyday scenarios, we'll gain insights into the intricate workings of networks
and their significance in modern connectivity.
notes: |-
#Lab Guid for understating roles and functions of network components.
Note: No Need to run the lab just take a look how Things are connected and research about each component(example. what they do?, what is there role...etc)
Routers: Think of routers like traffic cops for the internet. They decide the best way for information to travel between different places on the internet.
Layer 2 and Layer 3 switches: These are like mail sorters in a big office building.
Layer 2 switches look at the address on the envelope (MAC address) to send mail to the right department.
Layer 3 switches are a bit smarter; they look inside the envelope to see where the mail needs to go based on the actual content (IP address).
Next-generation firewalls and IPS:
Imagine these as security guards for your internet connection. They watch the traffic coming in and out and make sure nothing bad sneaks in, like viruses or hackers.
Access points: These are like Wi-Fi routers at your home or in cafes. They provide the wireless connection that lets your phone or laptop connect to the internet without needing a cable.
Controllers ( ex.Cisco DNA Center, Cisco ISE and WLC): These are like remote controls for your entire network. They help manage all the devices connected to your network, making sure everything runs smoothly.
Endpoints: These are the devices you use to connect to the internet, like your computer, phone, or tablet. They're the starting and ending points for data traveling across the network.
Servers: Servers are like big, powerful computers that store and share information with other devices on the network. They might hold websites, files, or even games that you can access.
PoE: Power over Ethernet is a clever trick that lets certain devices, like security cameras or Wi-Fi access points, get both power and data through the same cable. It's like having a power outlet and an internet connection all in one.
You can take look at Lab topology and see how tings are connected and imagine how they work in there places as a Network Device.
title: Task - 1.1[ Netwotk Fundamentals ]
version: 0.2.2

33
lab-topologies/ccna/Domain_1/1.1-explore_fundamentals/Task_-_1.1__Netwotk_Fundamentals__.yaml Normal file
View File

@@ -0,0 +1,33 @@
annotations:
- border_color: '#00000000'
border_style: ''
color: '#808080FF'
rotation: 0
text_bold: true
text_content: |2+
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -240.0
y1: -40.0
z_index: 0
nodes: []
links: []
lab:
description: In this Lab, we'll explore the fundamental components of network infrastructure
and their crucial roles in enabling seamless communication and data exchange.
From routers directing internet traffic to access points providing wireless connectivity,
we'll delve into the functions of Layer 2 and Layer 3 switches, next-generation
firewalls, controllers like Cisco DNA Center and WLC, endpoints, servers, and
Power over Ethernet technology. By understanding these components and their analogies
to everyday scenarios, we'll gain insights into the intricate workings of networks
and their significance in modern connectivity.
notes: |-
#Task-1.1
Do a small research on Network components and role and functionality. We will see small topology in solution Lab and devices roles and function.
title: Task - 1.1[ Netwotk Fundamentals ]
version: 0.2.2

1081
lab-topologies/ccna/Domain_1/1.6-configure_ipv4_addressing/1.6_IPv4_Router_Config_Problem.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

1077
lab-topologies/ccna/Domain_1/1.6-configure_ipv4_addressing/1.6_IPv4_Router_Config_Solution.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

BIN
lab-topologies/ccna/Domain_1/1.6-configure_ipv4_addressing/1.6_IPv4_Router_Config_Solution_Topology.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 45 KiB

5
lab-topologies/ccna/Domain_1/1.6-configure_ipv4_addressing/README.md Normal file
View File

@@ -0,0 +1,5 @@
# Configure and verify IPv4 addressing and subnetting
Configure IPv4 Links on two routers to add connectivity to a new office site. Created in CML 2.5 using the devnet sandbox CML environment
![Lab Topology](https://github.com/CiscoDevNet/cml-community/blob/master/lab-topologies/ccna//Domain_1/1.6-configure_ipv4_addressing/1.6_IPv4_Router_Config_Solution_Topology.png)

2190
lab-topologies/ccna/Domain_2/2.1-configure_vlans_1/CML_Contest_Topo_Initial_topo.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

2229
lab-topologies/ccna/Domain_2/2.1-configure_vlans_1/CML_Contest_Topo_Solution_fetch.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

5
lab-topologies/ccna/Domain_2/2.1-configure_vlans_1/README.md Normal file
View File

@@ -0,0 +1,5 @@
# Configure and verify VLANs (normal range) spanning multiple switches
CML version 2.7Inter-VLAN routing using Router-On-A-Stick and SVI
![Lab Topology](https://github.com/CiscoDevNet/cml-community/blob/master/lab-topologies/ccna//Domain_2/2.1-configure_vlans_1/Topology.PNG)

BIN
lab-topologies/ccna/Domain_2/2.1-configure_vlans_1/Topology.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 262 KiB

599
lab-topologies/ccna/Domain_2/2.1-configure_vlans_2/2.1_Initial_topology.yaml Normal file
View File

@@ -0,0 +1,599 @@
annotations:
- border_color: '#808080FF'
border_radius: 0
border_style: ''
color: '#316C3FB2'
thickness: 1
type: rectangle
x1: -480.0
y1: 40.0
x2: 280.0
y2: 80.0
z_index: 0
- border_color: '#00000000'
border_style: ''
color: '#D93D3D'
rotation: 0
text_bold: false
text_content: Trunk
text_font: monospace
text_italic: false
text_size: 23
text_unit: pt
thickness: 1
type: text
x1: -400.0
y1: 80.0
z_index: 1
- border_color: '#808080FF'
border_radius: 0
border_style: ''
color: '#D23EB4'
thickness: 1
type: rectangle
x1: -600.0
y1: -120.0
x2: 160.0
y2: 120.0
z_index: 2
- border_color: '#808080FF'
border_radius: 0
border_style: ''
color: '#D23EB4'
thickness: 1
type: rectangle
x1: -240.0
y1: 200.0
x2: 160.0
y2: 160.0
z_index: 2
- border_color: '#808080FF'
border_radius: 0
border_style: ''
color: '#3EADD2'
thickness: 1
type: rectangle
x1: -600.0
y1: 200.0
x2: 160.0
y2: 160.0
z_index: 2
- border_color: '#808080FF'
border_radius: 0
border_style: ''
color: '#3EADD2'
thickness: 1
type: rectangle
x1: -240.0
y1: -160.0
x2: 160.0
y2: 160.0
z_index: 2
- border_color: '#00000000'
border_style: ''
color: '#F6FF3F'
rotation: 0
text_bold: true
text_content: VLAN 20
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -600.0
y1: 200.0
z_index: 3
- border_color: '#00000000'
border_style: ''
color: '#F6FF3F'
rotation: 0
text_bold: true
text_content: VLAN 20
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -200.0
y1: -160.0
z_index: 3
- border_color: '#808080FF'
border_radius: 0
border_style: ''
color: '#3EADD2'
thickness: 1
type: rectangle
x1: -960.0
y1: -40.0
x2: 160.0
y2: 120.0
z_index: 2
- border_color: '#00000000'
border_style: ''
color: '#28FF73'
rotation: 0
text_bold: false
text_content: VLAN 30
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -560.0
y1: -120.0
z_index: 4
- border_color: '#00000000'
border_style: ''
color: '#28FF73'
rotation: 0
text_bold: false
text_content: VLAN 30
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -200.0
y1: 320.0
z_index: 4
- border_color: '#808080FF'
border_radius: 0
border_style: ''
color: '#D23EB4'
thickness: 1
type: rectangle
x1: -960.0
y1: 120.0
x2: 160.0
y2: 120.0
z_index: 2
- border_color: '#00000000'
border_style: ''
color: '#28FF73'
rotation: 0
text_bold: false
text_content: VLAN 30
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -920.0
y1: 120.0
z_index: 4
- border_color: '#00000000'
border_style: ''
color: '#F6FF3F'
rotation: 0
text_bold: true
text_content: VLAN 20
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -920.0
y1: -40.0
z_index: 3
- border_color: '#00000000'
border_style: ''
color: '#808080FF'
rotation: 0
text_bold: false
text_content: ''
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -920.0
y1: 0.0
z_index: 5
- border_color: '#00000000'
border_style: ''
color: '#F6FF3F'
rotation: 0
text_bold: false
text_content: |-
VLAN 20
192.168.1.0 /24
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -960.0
y1: 0.0
z_index: 6
- border_color: '#00000000'
border_style: ''
color: '#28FF73'
rotation: 0
text_bold: false
text_content: |-
VLAN 30
192.168.20.0 /24
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -960.0
y1: 160.0
z_index: 4
- border_color: '#00000000'
border_style: ''
color: '#F6FF3F'
rotation: 0
text_bold: false
text_content: '.10'
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -480.0
y1: 280.0
z_index: 7
- border_color: '#00000000'
border_style: ''
color: '#F6FF3F'
rotation: 0
text_bold: false
text_content: '.20'
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -240.0
y1: -80.0
z_index: 7
- border_color: '#00000000'
border_style: ''
color: '#28FF73'
rotation: 0
text_bold: false
text_content: '.10'
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -480.0
y1: 0.0
z_index: 8
- border_color: '#00000000'
border_style: ''
color: '#28FF73'
rotation: 0
text_bold: false
text_content: '.30'
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -120.0
y1: 240.0
z_index: 9
nodes:
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n0
image_definition: null
label: SW1
node_definition: iosvl2
parameters: {}
ram: null
tags: []
x: -480
y: 80
interfaces:
- id: i0
label: Loopback0
type: loopback
- id: i1
label: GigabitEthernet0/0
slot: 0
type: physical
- id: i2
label: GigabitEthernet0/1
slot: 1
type: physical
- id: i3
label: GigabitEthernet0/2
slot: 2
type: physical
- id: i4
label: GigabitEthernet0/3
slot: 3
type: physical
- id: i5
label: GigabitEthernet1/0
slot: 4
type: physical
- id: i6
label: GigabitEthernet1/1
slot: 5
type: physical
- id: i7
label: GigabitEthernet1/2
slot: 6
type: physical
- id: i8
label: GigabitEthernet1/3
slot: 7
type: physical
- id: i9
label: GigabitEthernet2/0
slot: 8
type: physical
- id: i10
label: GigabitEthernet2/1
slot: 9
type: physical
- id: i11
label: GigabitEthernet2/2
slot: 10
type: physical
- id: i12
label: GigabitEthernet2/3
slot: 11
type: physical
- id: i13
label: GigabitEthernet3/0
slot: 12
type: physical
- id: i14
label: GigabitEthernet3/1
slot: 13
type: physical
- id: i15
label: GigabitEthernet3/2
slot: 14
type: physical
- id: i16
label: GigabitEthernet3/3
slot: 15
type: physical
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n1
image_definition: null
label: SW2
node_definition: iosvl2
parameters: {}
ram: null
tags: []
x: -200
y: 80
interfaces:
- id: i0
label: Loopback0
type: loopback
- id: i1
label: GigabitEthernet0/0
slot: 0
type: physical
- id: i2
label: GigabitEthernet0/1
slot: 1
type: physical
- id: i3
label: GigabitEthernet0/2
slot: 2
type: physical
- id: i4
label: GigabitEthernet0/3
slot: 3
type: physical
- id: i5
label: GigabitEthernet1/0
slot: 4
type: physical
- id: i6
label: GigabitEthernet1/1
slot: 5
type: physical
- id: i7
label: GigabitEthernet1/2
slot: 6
type: physical
- id: i8
label: GigabitEthernet1/3
slot: 7
type: physical
- id: i9
label: GigabitEthernet2/0
slot: 8
type: physical
- id: i10
label: GigabitEthernet2/1
slot: 9
type: physical
- id: i11
label: GigabitEthernet2/2
slot: 10
type: physical
- id: i12
label: GigabitEthernet2/3
slot: 11
type: physical
- id: i13
label: GigabitEthernet3/0
slot: 12
type: physical
- id: i14
label: GigabitEthernet3/1
slot: 13
type: physical
- id: i15
label: GigabitEthernet3/2
slot: 14
type: physical
- id: i16
label: GigabitEthernet3/3
slot: 15
type: physical
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n2
image_definition: null
label: desktop-0
node_definition: desktop
parameters: {}
ram: null
tags: []
x: -520
y: -80
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n3
image_definition: null
label: desktop-1
node_definition: desktop
parameters: {}
ram: null
tags: []
x: -520
y: 320
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n4
image_definition: null
label: desktop-2
node_definition: desktop
parameters: {}
ram: null
tags: []
x: -160
y: -80
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n5
image_definition: null
label: desktop-3
node_definition: desktop
parameters: {}
ram: null
tags: []
x: -160
y: 280
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
links:
- id: l0
n1: n0
n2: n1
i1: i16
i2: i16
conditioning: {}
label: SW1-GigabitEthernet3/3<->SW2-GigabitEthernet3/3
- id: l1
n1: n3
n2: n0
i1: i0
i2: i1
conditioning: {}
label: desktop-1-eth0<->SW1-GigabitEthernet0/0
- id: l2
n1: n2
n2: n0
i1: i0
i2: i2
conditioning: {}
label: desktop-0-eth0<->SW1-GigabitEthernet0/1
- id: l3
n1: n4
n2: n1
i1: i0
i2: i2
conditioning: {}
label: desktop-2-eth0<->SW2-GigabitEthernet0/1
- id: l4
n1: n5
n2: n1
i1: i0
i2: i1
conditioning: {}
label: desktop-3-eth0<->SW2-GigabitEthernet0/0
lab:
description: ''
notes: |-
Lab guide for 2.1 Configure and verify VLANs (normal range) spanning multiple switches
In this lab, you will create VLANs on both switches in the topology, assign VLANs to switch access ports,verify that VLANs are working as expected, and then create a VLAN trunk between the two switches to allow hosts in the same VLAN to communicate through the trunk, regardless of which switch the host is actually attached to.
Step 1: For each Switch, Configure the hostname according to the Topology.
Step 2: Configure the ports between the two switches as trunk ports as per the Topology.
Step 3: Create the VLANs listed on the Topology on each switch, then Assign the relevant VLAN to the corresponding ports listed on the Topology as Access ports EG: VLAN 30 to desktop-3.
Step 4: Copy the Running configuration to the startup configuration on each switch.
Step 5: Assign the relevant IP Addresses to the end devices within each VLAN as per the Topology.
Step 6. Verify on each switch that the correct port is assigned. Using the show vlan brief command.
Step 7: Verify connectivity between devices within the same VLAN across other switches.
title: Lab at Mon 08:49 AM
version: 0.2.2

BIN
lab-topologies/ccna/Domain_2/2.1-configure_vlans_2/2.1_Screenshot_of_lab_topology.JPG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 191 KiB

957
lab-topologies/ccna/Domain_2/2.1-configure_vlans_2/2.1_Solution_Topology.yaml Normal file
View File

@@ -0,0 +1,957 @@
annotations:
- border_color: '#808080FF'
border_radius: 0
border_style: ''
color: '#316C3FB2'
thickness: 1
type: rectangle
x1: -480.0
y1: 40.0
x2: 280.0
y2: 80.0
z_index: 0
- border_color: '#00000000'
border_style: ''
color: '#D93D3D'
rotation: 0
text_bold: false
text_content: Trunk
text_font: monospace
text_italic: false
text_size: 23
text_unit: pt
thickness: 1
type: text
x1: -400.0
y1: 80.0
z_index: 1
- border_color: '#808080FF'
border_radius: 0
border_style: ''
color: '#D23EB4'
thickness: 1
type: rectangle
x1: -560.0
y1: -120.0
x2: 160.0
y2: 120.0
z_index: 2
- border_color: '#808080FF'
border_radius: 0
border_style: ''
color: '#D23EB4'
thickness: 1
type: rectangle
x1: -240.0
y1: 200.0
x2: 160.0
y2: 160.0
z_index: 2
- border_color: '#808080FF'
border_radius: 0
border_style: ''
color: '#3EADD2'
thickness: 1
type: rectangle
x1: -600.0
y1: 200.0
x2: 160.0
y2: 160.0
z_index: 2
- border_color: '#808080FF'
border_radius: 0
border_style: ''
color: '#3EADD2'
thickness: 1
type: rectangle
x1: -240.0
y1: -160.0
x2: 160.0
y2: 160.0
z_index: 2
- border_color: '#00000000'
border_style: ''
color: '#F6FF3F'
rotation: 0
text_bold: true
text_content: VLAN 20
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -600.0
y1: 200.0
z_index: 3
- border_color: '#00000000'
border_style: ''
color: '#F6FF3F'
rotation: 0
text_bold: true
text_content: VLAN 20
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -200.0
y1: -160.0
z_index: 3
- border_color: '#808080FF'
border_radius: 0
border_style: ''
color: '#3EADD2'
thickness: 1
type: rectangle
x1: -960.0
y1: -40.0
x2: 160.0
y2: 120.0
z_index: 2
- border_color: '#00000000'
border_style: ''
color: '#28FF73'
rotation: 0
text_bold: false
text_content: VLAN 30
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -560.0
y1: -120.0
z_index: 4
- border_color: '#00000000'
border_style: ''
color: '#28FF73'
rotation: 0
text_bold: false
text_content: VLAN 30
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -240.0
y1: 280.0
z_index: 4
- border_color: '#808080FF'
border_radius: 0
border_style: ''
color: '#D23EB4'
thickness: 1
type: rectangle
x1: -960.0
y1: 120.0
x2: 200.0
y2: 120.0
z_index: 2
- border_color: '#00000000'
border_style: ''
color: '#28FF73'
rotation: 0
text_bold: false
text_content: VLAN 30 - Students
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -960.0
y1: 120.0
z_index: 4
- border_color: '#00000000'
border_style: ''
color: '#F6FF3F'
rotation: 0
text_bold: true
text_content: VLAN 20 - Staff
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -960.0
y1: -40.0
z_index: 3
- border_color: '#00000000'
border_style: ''
color: '#808080FF'
rotation: 0
text_bold: false
text_content: ''
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -920.0
y1: 0.0
z_index: 5
- border_color: '#00000000'
border_style: ''
color: '#F6FF3F'
rotation: 0
text_bold: false
text_content: |-
VLAN 20
192.168.1.0 /24
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -960.0
y1: 0.0
z_index: 6
- border_color: '#00000000'
border_style: ''
color: '#28FF73'
rotation: 0
text_bold: false
text_content: |-
VLAN 30
192.168.20.0 /24
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -960.0
y1: 160.0
z_index: 4
- border_color: '#00000000'
border_style: ''
color: '#F6FF3F'
rotation: 0
text_bold: false
text_content: '.10'
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -480.0
y1: 280.0
z_index: 7
- border_color: '#00000000'
border_style: ''
color: '#F6FF3F'
rotation: 0
text_bold: false
text_content: '.20'
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -160.0
y1: -40.0
z_index: 7
- border_color: '#00000000'
border_style: ''
color: '#28FF73'
rotation: 0
text_bold: false
text_content: '.10'
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -480.0
y1: -40.0
z_index: 8
- border_color: '#00000000'
border_style: ''
color: '#28FF73'
rotation: 0
text_bold: false
text_content: '.30'
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -120.0
y1: 240.0
z_index: 9
nodes:
- boot_disk_size: null
configuration:
- name: ios_config.txt
content: |-
Building configuration...
Current configuration : 3427 bytes
!
! Last configuration change at 09:43:10 UTC Mon May 6 2024
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname SW1
!
boot-start-marker
boot-end-marker
!
!
no logging console
!
no aaa new-model
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
switchport access vlan 20
switchport mode access
negotiation auto
!
interface GigabitEthernet0/1
switchport access vlan 30
switchport mode access
negotiation auto
!
interface GigabitEthernet0/2
negotiation auto
!
interface GigabitEthernet0/3
negotiation auto
!
interface GigabitEthernet1/0
negotiation auto
!
interface GigabitEthernet1/1
negotiation auto
!
interface GigabitEthernet1/2
negotiation auto
!
interface GigabitEthernet1/3
negotiation auto
!
interface GigabitEthernet2/0
negotiation auto
!
interface GigabitEthernet2/1
negotiation auto
!
interface GigabitEthernet2/2
negotiation auto
!
interface GigabitEthernet2/3
negotiation auto
!
interface GigabitEthernet3/0
negotiation auto
!
interface GigabitEthernet3/1
negotiation auto
!
interface GigabitEthernet3/2
negotiation auto
!
interface GigabitEthernet3/3
switchport trunk encapsulation dot1q
switchport mode trunk
negotiation auto
!
ip forward-protocol nd
!
ip http server
ip http secure-server
!
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
!
!
!
!
!
control-plane
!
banner exec ^C
IOSv - Cisco Systems Confidential -
Supplemental End User License Restrictions
This IOSv software is provided AS-IS without warranty of any kind. Under no circumstances may this software be used separate from the Cisco Modeling Labs Software that this software was provided with, or deployed or used as part of a production environment.
By using the software, you agree to abide by the terms and conditions of the Cisco End User License Agreement at http://www.cisco.com/go/eula. Unauthorized use or distribution of this software is expressly prohibited.
^C
banner incoming ^C
IOSv - Cisco Systems Confidential -
Supplemental End User License Restrictions
This IOSv software is provided AS-IS without warranty of any kind. Under no circumstances may this software be used separate from the Cisco Modeling Labs Software that this software was provided with, or deployed or used as part of a production environment.
By using the software, you agree to abide by the terms and conditions of the Cisco End User License Agreement at http://www.cisco.com/go/eula. Unauthorized use or distribution of this software is expressly prohibited.
^C
banner login ^C
IOSv - Cisco Systems Confidential -
Supplemental End User License Restrictions
This IOSv software is provided AS-IS without warranty of any kind. Under no circumstances may this software be used separate from the Cisco Modeling Labs Software that this software was provided with, or deployed or used as part of a production environment.
By using the software, you agree to abide by the terms and conditions of the Cisco End User License Agreement at http://www.cisco.com/go/eula. Unauthorized use or distribution of this software is expressly prohibited.
^C
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
exec-timeout 0 0
login
!
!
end
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n0
image_definition: null
label: SW1
node_definition: iosvl2
parameters: {}
ram: null
tags: []
x: -480
y: 80
interfaces:
- id: i0
label: Loopback0
type: loopback
- id: i1
label: GigabitEthernet0/0
slot: 0
type: physical
- id: i2
label: GigabitEthernet0/1
slot: 1
type: physical
- id: i3
label: GigabitEthernet0/2
slot: 2
type: physical
- id: i4
label: GigabitEthernet0/3
slot: 3
type: physical
- id: i5
label: GigabitEthernet1/0
slot: 4
type: physical
- id: i6
label: GigabitEthernet1/1
slot: 5
type: physical
- id: i7
label: GigabitEthernet1/2
slot: 6
type: physical
- id: i8
label: GigabitEthernet1/3
slot: 7
type: physical
- id: i9
label: GigabitEthernet2/0
slot: 8
type: physical
- id: i10
label: GigabitEthernet2/1
slot: 9
type: physical
- id: i11
label: GigabitEthernet2/2
slot: 10
type: physical
- id: i12
label: GigabitEthernet2/3
slot: 11
type: physical
- id: i13
label: GigabitEthernet3/0
slot: 12
type: physical
- id: i14
label: GigabitEthernet3/1
slot: 13
type: physical
- id: i15
label: GigabitEthernet3/2
slot: 14
type: physical
- id: i16
label: GigabitEthernet3/3
slot: 15
type: physical
- boot_disk_size: null
configuration:
- name: ios_config.txt
content: |-
Building configuration...
Current configuration : 3427 bytes
!
! Last configuration change at 09:43:08 UTC Mon May 6 2024
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname SW2
!
boot-start-marker
boot-end-marker
!
!
no logging console
!
no aaa new-model
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
switchport access vlan 30
switchport mode access
negotiation auto
!
interface GigabitEthernet0/1
switchport access vlan 20
switchport mode access
negotiation auto
!
interface GigabitEthernet0/2
negotiation auto
!
interface GigabitEthernet0/3
negotiation auto
!
interface GigabitEthernet1/0
negotiation auto
!
interface GigabitEthernet1/1
negotiation auto
!
interface GigabitEthernet1/2
negotiation auto
!
interface GigabitEthernet1/3
negotiation auto
!
interface GigabitEthernet2/0
negotiation auto
!
interface GigabitEthernet2/1
negotiation auto
!
interface GigabitEthernet2/2
negotiation auto
!
interface GigabitEthernet2/3
negotiation auto
!
interface GigabitEthernet3/0
negotiation auto
!
interface GigabitEthernet3/1
negotiation auto
!
interface GigabitEthernet3/2
negotiation auto
!
interface GigabitEthernet3/3
switchport trunk encapsulation dot1q
switchport mode trunk
negotiation auto
!
ip forward-protocol nd
!
ip http server
ip http secure-server
!
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
!
!
!
!
!
control-plane
!
banner exec ^C
IOSv - Cisco Systems Confidential -
Supplemental End User License Restrictions
This IOSv software is provided AS-IS without warranty of any kind. Under no circumstances may this software be used separate from the Cisco Modeling Labs Software that this software was provided with, or deployed or used as part of a production environment.
By using the software, you agree to abide by the terms and conditions of the Cisco End User License Agreement at http://www.cisco.com/go/eula. Unauthorized use or distribution of this software is expressly prohibited.
^C
banner incoming ^C
IOSv - Cisco Systems Confidential -
Supplemental End User License Restrictions
This IOSv software is provided AS-IS without warranty of any kind. Under no circumstances may this software be used separate from the Cisco Modeling Labs Software that this software was provided with, or deployed or used as part of a production environment.
By using the software, you agree to abide by the terms and conditions of the Cisco End User License Agreement at http://www.cisco.com/go/eula. Unauthorized use or distribution of this software is expressly prohibited.
^C
banner login ^C
IOSv - Cisco Systems Confidential -
Supplemental End User License Restrictions
This IOSv software is provided AS-IS without warranty of any kind. Under no circumstances may this software be used separate from the Cisco Modeling Labs Software that this software was provided with, or deployed or used as part of a production environment.
By using the software, you agree to abide by the terms and conditions of the Cisco End User License Agreement at http://www.cisco.com/go/eula. Unauthorized use or distribution of this software is expressly prohibited.
^C
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
exec-timeout 0 0
login
!
!
end
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n1
image_definition: null
label: SW2
node_definition: iosvl2
parameters: {}
ram: null
tags: []
x: -200
y: 80
interfaces:
- id: i0
label: Loopback0
type: loopback
- id: i1
label: GigabitEthernet0/0
slot: 0
type: physical
- id: i2
label: GigabitEthernet0/1
slot: 1
type: physical
- id: i3
label: GigabitEthernet0/2
slot: 2
type: physical
- id: i4
label: GigabitEthernet0/3
slot: 3
type: physical
- id: i5
label: GigabitEthernet1/0
slot: 4
type: physical
- id: i6
label: GigabitEthernet1/1
slot: 5
type: physical
- id: i7
label: GigabitEthernet1/2
slot: 6
type: physical
- id: i8
label: GigabitEthernet1/3
slot: 7
type: physical
- id: i9
label: GigabitEthernet2/0
slot: 8
type: physical
- id: i10
label: GigabitEthernet2/1
slot: 9
type: physical
- id: i11
label: GigabitEthernet2/2
slot: 10
type: physical
- id: i12
label: GigabitEthernet2/3
slot: 11
type: physical
- id: i13
label: GigabitEthernet3/0
slot: 12
type: physical
- id: i14
label: GigabitEthernet3/1
slot: 13
type: physical
- id: i15
label: GigabitEthernet3/2
slot: 14
type: physical
- id: i16
label: GigabitEthernet3/3
slot: 15
type: physical
- boot_disk_size: null
configuration:
- name: node.cfg
content: |-
# this is a shell script which will be sourced at boot
hostname inserthostname-here
# configurable user account
USERNAME=cisco
PASSWORD=cisco
echo '127.0.0.1 Desktop-0' >> /etc/hosts
ip address add 192.168.20.10/255.255.255.0 dev eth0
route add default gw 192.168.20.1 eth0
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n2
image_definition: null
label: desktop-0
node_definition: desktop
parameters: {}
ram: null
tags: []
x: -520
y: -80
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
- boot_disk_size: null
configuration:
- name: node.cfg
content: |-
# this is a shell script which will be sourced at boot
hostname inserthostname-here
# configurable user account
USERNAME=cisco
PASSWORD=cisco
echo '127.0.0.1 Desktop-1' >> /etc/hosts
ip address add 192.168.1.20/255.255.255.0 dev eth0
route add default gw 192.168.1.1 eth0
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n3
image_definition: null
label: desktop-1
node_definition: desktop
parameters: {}
ram: null
tags: []
x: -520
y: 320
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
- boot_disk_size: null
configuration:
- name: node.cfg
content: |-
# this is a shell script which will be sourced at boot
hostname inserthostname-here
# configurable user account
USERNAME=cisco
PASSWORD=cisco
echo '127.0.0.1 Desktop-2' >> /etc/hosts
ip address add 192.168.1.20/255.255.255.0 dev eth0
route add default gw 192.168.1.1 eth0
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n4
image_definition: null
label: desktop-2
node_definition: desktop
parameters: {}
ram: null
tags: []
x: -160
y: -120
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
- boot_disk_size: null
configuration:
- name: node.cfg
content: |-
# this is a shell script which will be sourced at boot
hostname inserthostname-here
# configurable user account
USERNAME=cisco
PASSWORD=cisco
echo '127.0.0.1 Desktop-3' >> /etc/hosts
ip address add 192.168.20.30/255.255.255.0 dev eth0
route add default gw 192.168.20.1 eth0
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n5
image_definition: null
label: desktop-3
node_definition: desktop
parameters: {}
ram: null
tags: []
x: -160
y: 320
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
links:
- id: l0
n1: n0
n2: n1
i1: i16
i2: i16
conditioning: {}
label: SW1-GigabitEthernet3/3<->SW2-GigabitEthernet3/3
- id: l1
n1: n3
n2: n0
i1: i0
i2: i1
conditioning: {}
label: desktop-1-eth0<->SW1-GigabitEthernet0/0
- id: l2
n1: n2
n2: n0
i1: i0
i2: i2
conditioning: {}
label: desktop-0-eth0<->SW1-GigabitEthernet0/1
- id: l3
n1: n4
n2: n1
i1: i0
i2: i2
conditioning: {}
label: desktop-2-eth0<->SW2-GigabitEthernet0/1
- id: l4
n1: n5
n2: n1
i1: i0
i2: i1
conditioning: {}
label: desktop-3-eth0<->SW2-GigabitEthernet0/0
lab:
description: ''
notes: |-
Lab guide for 2.1 Configure and verify VLANs (normal range) spanning multiple switches
In this lab, you will create VLANs on both switches in the topology, assign VLANs to switch access ports,verify that VLANs are working as expected, and then create a VLAN trunk between the two switches to allow hosts in the same VLAN to communicate through the trunk, regardless of which switch the host is actually attached to.
Step 1: For each Switch, Configure the hostname according to the Topology.
Step 2: Configure the ports between the two switches as trunk ports as per the Topology.
Step 3: Create the VLANs listed on the Topology on each switch, then Assign the relevant VLAN to the corresponding ports listed on the Topology as Access ports EG: VLAN 30 to desktop-3.
Step 4: Copy the Running configuration to the startup configuration on each switch.
Step 5: Assign the relevant IP Addresses to the end devices within each VLAN as per the Topology. Note: You will need to console onto the desktops to change their IP's Manually using the following Command:"sudo ifconfig eth0 192.168.X.X netmask 255.255.255.0"
Step 6. Verify on each switch that the correct port is assigned. Using the show vlan brief command.
Step 7: Verify connectivity between devices within the same VLAN across other switches.
title: Lab at Mon 08:49 AM
version: 0.2.2

5
lab-topologies/ccna/Domain_2/2.1-configure_vlans_2/README.md Normal file
View File

@@ -0,0 +1,5 @@
# Configure and verify VLANs (normal range) spanning multiple switches
In this lab, I have created VLANs on both switches in the topology, assign VLANs to switch access ports,verify that VLANs are working as expected, and then create a VLAN trunk between the two switches to allow hosts in the same VLAN to communicate through the trunk, regardless of which switch the host is actually attached to. I used the SandboxDevnet CML. I am unsure how to verify the version, I believe its 2.X.
![Lab Topology](https://github.com/CiscoDevNet/cml-community/blob/master/lab-topologies/ccna//Domain_2/2.1-configure_vlans_2/2.1_Screenshot_of_lab_topology.JPG)

BIN
lab-topologies/ccna/Domain_2/2.1-configure_vlans_3/Lab_at_Mon_06_26_AM____CML²_-_Google_Chrome_29-04-2024_12_35_21.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 256 KiB

9
lab-topologies/ccna/Domain_2/2.1-configure_vlans_3/README.md Normal file
View File

@@ -0,0 +1,9 @@
# Configure and verify VLANs (normal range) spanning multiple switches
CML Version used: 2.7.0+build.4 In this Lab, we'll explore the fundamental components of network infrastructure and their crucial roles in enabling seamless communication and data exchange. From routers directing internet traffic to access points providing wireless connectivity, we'll delve into the functions of Layer 2 and Layer 3 switches, next-generation firewalls, controllers like Cisco DNA Center and WLC, endpoints, servers, and Power over Ethernet technology. By understanding these components and their analogies to everyday scenarios, we'll gain insights into the intricate workings of networks and their significance in modern connectivity. notes: |- #Task-1.1 Do a small research on Network components and role and functionality. We will see small topology in solution Lab and devices roles and function. title: Task - 1.1[ Netwotk Fundamentals ]
New Value:
CML Version used: 2.7.0+build.4 Welcome to our lab on setting up VLANs, which are like separate virtual networks, on multiple switches! VLANs (Virtual LANs): Think of VLANs as dividing a big house into different rooms. Each room can have its own stuff and people, but they're all still in the same house. Similarly, VLANs let us divide a big network into smaller, separate parts. This helps keep things organized and secure. Access Ports: Imagine these as doors to rooms in our house. Access ports connect devices (like computers or phones) to the network. We have two types: one for regular data and another for voice (like phones). Default VLAN: Every switch has a default room where devices automatically go when they're connected. It's like when you first move into a house, you're assigned a room until you decide where you want to be. The default VLAN is similar; devices are initially put there until we assign them to another VLAN. InterVLAN Connectivity: This is like having secret passages or corridors between rooms in our house. Normally, devices in one room can't talk to devices in another, but with InterVLAN connectivity, they can. This lets different VLANs communicate with each other. So, in this lab, we'll learn how to set up these VLANs, connect devices to access ports, deal with the default VLAN, and make sure devices in different VLANs can talk to each other. Ready to dive in? Let's go! notes: |- #Task-2.1 step1: Configure Vlan 10, 20, 30 and give names managment, HR Team , VIP in IOL-L2-0 switch. step 2: verfiy the working of Vlan step 3: configure the router and switch so that inter vlan communication can happen. step 4: configure the router or switch so that inter vlan communication can happen. step 5: Verfiy the connectvity between managment desktop and infra employee desktop. title: Task-2.1[Configure and verify VLANs]
Reason:
![Lab Topology](https://github.com/CiscoDevNet/cml-community/blob/master/lab-topologies/ccna//Domain_2/2.1-configure_vlans_3/Lab_at_Mon_06_26_AM____CML²_-_Google_Chrome_29-04-2024_12_35_21.png)

569
lab-topologies/ccna/Domain_2/2.1-configure_vlans_3/Task-2.1_Configure_and_verify_VLANs_.yaml Normal file
View File

@@ -0,0 +1,569 @@
annotations:
- border_color: '#EFF48C'
border_radius: 0
border_style: ''
color: '#EFF48C'
thickness: 1
type: rectangle
x1: -520.0
y1: -200.0
x2: 320.0
y2: 280.0
z_index: 0
- border_color: '#00000000'
border_style: ''
color: '#808080FF'
rotation: 0
text_bold: false
text_content: ''
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: 40.0
y1: -360.0
z_index: 1
- border_color: '#86F6C2'
border_radius: 0
border_style: ''
color: '#86F6C2'
thickness: 1
type: rectangle
x1: 120.0
y1: -200.0
x2: 320.0
y2: 280.0
z_index: 0
- border_color: '#D0A3F9'
border_radius: 0
border_style: ''
color: '#D0A3F9'
thickness: 1
type: rectangle
x1: -200.0
y1: 120.0
x2: 320.0
y2: 200.0
z_index: 0
- border_color: '#00000000'
border_style: ''
color: '#050000'
rotation: 0
text_bold: true
text_content: HR-Team
text_font: cursive
text_italic: false
text_size: 20
text_unit: pt
thickness: 1
type: text
x1: -440.0
y1: -80.0
z_index: 2
- border_color: '#00000000'
border_style: ''
color: '#050000'
rotation: 0
text_bold: true
text_content: Managment
text_font: cursive
text_italic: false
text_size: 20
text_unit: pt
thickness: 1
type: text
x1: -120.0
y1: 160.0
z_index: 2
- border_color: '#00000000'
border_style: ''
color: '#808080FF'
rotation: 0
text_bold: false
text_content: ''
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: 720.0
y1: 200.0
z_index: 3
- border_color: '#00000000'
border_style: ''
color: '#050000'
rotation: 0
text_bold: true
text_content: VIP
text_font: cursive
text_italic: false
text_size: 20
text_unit: pt
thickness: 1
type: text
x1: 240.0
y1: -80.0
z_index: 2
nodes:
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n0
image_definition: null
label: iol-l2-0
node_definition: ioll2-xe
parameters: {}
ram: null
tags: []
x: -40
y: -80
interfaces:
- id: i0
label: Loopback0
type: loopback
- id: i1
label: Ethernet0/0
slot: 0
type: physical
- id: i2
label: Ethernet0/1
slot: 1
type: physical
- id: i3
label: Ethernet0/2
slot: 2
type: physical
- id: i4
label: Ethernet0/3
slot: 3
type: physical
- id: i5
label: Ethernet1/0
slot: 4
type: physical
- id: i6
label: Ethernet1/1
slot: 5
type: physical
- id: i7
label: Ethernet1/2
slot: 6
type: physical
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n1
image_definition: null
label: desktop-0
node_definition: desktop
parameters: {}
ram: null
tags: []
x: -360
y: -160
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n2
image_definition: null
label: desktop-1
node_definition: desktop
parameters: {}
ram: null
tags: []
x: -360
y: 0
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n3
image_definition: null
label: desktop-2
node_definition: desktop
parameters: {}
ram: null
tags: []
x: -160
y: 200
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n4
image_definition: null
label: desktop-3
node_definition: desktop
parameters: {}
ram: null
tags: []
x: 80
y: 200
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n5
image_definition: null
label: desktop-4
node_definition: desktop
parameters: {}
ram: null
tags: []
x: 280
y: 0
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n6
image_definition: null
label: desktop-5
node_definition: desktop
parameters: {}
ram: null
tags: []
x: 280
y: -160
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
- boot_disk_size: null
configuration:
- name: ios_config.txt
content: |-
Building configuration...
Current configuration : 1876 bytes
!
! Last configuration change at 07:34:48 UTC Mon Apr 29 2024
!
version 17.12
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname inserthostname-here
!
boot-start-marker
boot-end-marker
!
!
no logging console
no aaa new-model
!
!
!
no ip routing
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.5
ip dhcp excluded-address 192.168.2.1 192.168.2.5
ip dhcp excluded-address 192.168.3.1 192.168.3.5
!
ip dhcp pool HR-Team[Vlan-10]
network 192.168.1.0 255.255.255.0
default-router 192.168.1.2
dns-server 192.168.1.1
!
ip dhcp pool Managment[Vlan-20]
network 192.168.2.0 255.255.255.0
default-router 192.168.2.2
dns-server 192.168.2.1
!
ip dhcp pool VIP_Pool[Vlan-30]
network 192.168.3.0 255.255.255.0
default-router 192.168.3.2
dns-server 192.168.3.1
!
!
!
no ip cef
login on-success log
no ipv6 cef
!
!
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
memory free low-watermark processor 81225
!
!
spanning-tree mode rapid-pvst
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
no ip address
no ip route-cache
!
interface Ethernet0/0.1
encapsulation dot1Q 10
ip address 192.168.1.1 255.255.255.0
no ip route-cache
!
interface Ethernet0/0.2
encapsulation dot1Q 20
ip address 192.168.2.1 255.255.255.0
no ip route-cache
!
interface Ethernet0/0.3
encapsulation dot1Q 30
ip address 192.168.3.1 255.255.255.0
no ip route-cache
!
interface Ethernet0/1
no ip address
no ip route-cache
shutdown
!
interface Ethernet0/2
no ip address
no ip route-cache
shutdown
!
interface Ethernet0/3
no ip address
no ip route-cache
shutdown
!
ip forward-protocol nd
!
!
ip http server
ip http secure-server
ip ssh bulk-mode 131072
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
exec-timeout 0 0
login
transport input ssh
!
!
!
!
end
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n7
image_definition: null
label: iol-0
node_definition: iol-xe
parameters: {}
ram: null
tags: []
x: -40
y: -400
interfaces:
- id: i0
label: Loopback0
type: loopback
- id: i1
label: Ethernet0/0
slot: 0
type: physical
- id: i2
label: Ethernet0/1
slot: 1
type: physical
- id: i3
label: Ethernet0/2
slot: 2
type: physical
- id: i4
label: Ethernet0/3
slot: 3
type: physical
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n8
image_definition: null
label: ext-conn-0
node_definition: external_connector
parameters: {}
ram: null
tags: []
x: -280
y: -400
interfaces:
- id: i0
label: port
slot: 0
type: physical
links:
- id: l0
n1: n0
n2: n7
i1: i1
i2: i1
conditioning: {}
label: iol-l2-0-Ethernet0/0<->iol-0-Ethernet0/0
- id: l1
n1: n0
n2: n1
i1: i2
i2: i0
conditioning: {}
label: iol-l2-0-Ethernet0/1<->desktop-0-eth0
- id: l2
n1: n0
n2: n2
i1: i3
i2: i0
conditioning: {}
label: iol-l2-0-Ethernet0/2<->desktop-1-eth0
- id: l3
n1: n0
n2: n3
i1: i4
i2: i0
conditioning: {}
label: iol-l2-0-Ethernet0/3<->desktop-2-eth0
- id: l4
n1: n0
n2: n4
i1: i5
i2: i0
conditioning: {}
label: iol-l2-0-Ethernet1/0<->desktop-3-eth0
- id: l5
n1: n0
n2: n6
i1: i6
i2: i0
conditioning: {}
label: iol-l2-0-Ethernet1/1<->desktop-5-eth0
- id: l6
n1: n0
n2: n5
i1: i7
i2: i0
conditioning: {}
label: iol-l2-0-Ethernet1/2<->desktop-4-eth0
- id: l7
n1: n7
n2: n8
i1: i2
i2: i0
conditioning: {}
label: iol-0-Ethernet0/1<->ext-conn-0-port
lab:
description: |-
Welcome to our lab on setting up VLANs, which are like separate virtual networks, on multiple switches!
VLANs (Virtual LANs): Think of VLANs as dividing a big house into different rooms. Each room can have its own stuff and people, but they're all still in the same house. Similarly, VLANs let us divide a big network into smaller, separate parts. This helps keep things organized and secure.
Access Ports: Imagine these as doors to rooms in our house. Access ports connect devices (like computers or phones) to the network. We have two types: one for regular data and another for voice (like phones).
Default VLAN: Every switch has a default room where devices automatically go when they're connected. It's like when you first move into a house, you're assigned a room until you decide where you want to be. The default VLAN is similar; devices are initially put there until we assign them to another VLAN.
InterVLAN Connectivity: This is like having secret passages or corridors between rooms in our house. Normally, devices in one room can't talk to devices in another, but with InterVLAN connectivity, they can. This lets different VLANs communicate with each other.
So, in this lab, we'll learn how to set up these VLANs, connect devices to access ports, deal with the default VLAN, and make sure devices in different VLANs can talk to each other. Ready to dive in? Let's go!
notes: |-
#Task-2.1
step1: Configure Vlan 10, 20, 30 and give names managment, HR Team , VIP in IOL-L2-0 switch.
step 2: verfiy the working of Vlan
step 3: configure the router and switch so that inter vlan communication can happen.
step 4: configure the router or switch so that inter vlan communication can happen.
step 5: Verfiy the connectvity between managment desktop and infra employee desktop.
title: Task-2.1[Configure and verify VLANs]
version: 0.2.2

775
lab-topologies/ccna/Domain_2/2.1-configure_vlans_3/Task-2.1_Configure_and_verify_VLANs__(Solution).yaml Normal file
View File

@@ -0,0 +1,775 @@
annotations:
- border_color: '#EFF48C'
border_radius: 0
border_style: ''
color: '#EFF48C'
thickness: 1
type: rectangle
x1: -520.0
y1: -200.0
x2: 320.0
y2: 280.0
z_index: 0
- border_color: '#00000000'
border_style: ''
color: '#808080FF'
rotation: 0
text_bold: false
text_content: ''
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: 40.0
y1: -360.0
z_index: 1
- border_color: '#86F6C2'
border_radius: 0
border_style: ''
color: '#86F6C2'
thickness: 1
type: rectangle
x1: 120.0
y1: -200.0
x2: 320.0
y2: 280.0
z_index: 0
- border_color: '#D0A3F9'
border_radius: 0
border_style: ''
color: '#D0A3F9'
thickness: 1
type: rectangle
x1: -200.0
y1: 120.0
x2: 320.0
y2: 200.0
z_index: 0
- border_color: '#00000000'
border_style: ''
color: '#050000'
rotation: 0
text_bold: true
text_content: HR-Team
text_font: cursive
text_italic: false
text_size: 20
text_unit: pt
thickness: 1
type: text
x1: -440.0
y1: -80.0
z_index: 2
- border_color: '#00000000'
border_style: ''
color: '#050000'
rotation: 0
text_bold: true
text_content: Managment
text_font: cursive
text_italic: false
text_size: 20
text_unit: pt
thickness: 1
type: text
x1: -120.0
y1: 160.0
z_index: 2
- border_color: '#00000000'
border_style: ''
color: '#808080FF'
rotation: 0
text_bold: false
text_content: ''
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: 720.0
y1: 200.0
z_index: 3
- border_color: '#00000000'
border_style: ''
color: '#050000'
rotation: 0
text_bold: true
text_content: VIP
text_font: cursive
text_italic: false
text_size: 20
text_unit: pt
thickness: 1
type: text
x1: 240.0
y1: -80.0
z_index: 2
nodes:
- boot_disk_size: null
configuration:
- name: ios_config.txt
content: |-
Building configuration...
Current configuration : 1433 bytes
!
! Last configuration change at 08:18:04 UTC Mon Apr 29 2024
!
version 17.12
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname Iol-l2-0
!
boot-start-marker
boot-end-marker
!
!
no logging console
no aaa new-model
!
!
!
!
!
!
!
!
!
!
!
!
!
ip audit notify log
ip audit po max-events 100
ip cef
login on-success log
no ipv6 cef
!
!
!
!
!
!
!
vtp version 1
multilink bundle-name authenticated
!
!
!
!
memory free low-watermark processor 80589
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
vlan internal allocation policy ascending
!
!
!
!
!
interface Ethernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Ethernet0/1
switchport access vlan 10
!
interface Ethernet0/2
switchport access vlan 10
!
interface Ethernet0/3
switchport access vlan 20
!
interface Ethernet1/0
switchport access vlan 20
!
interface Ethernet1/1
switchport access vlan 30
!
interface Ethernet1/2
switchport access vlan 30
!
interface Ethernet1/3
!
interface Vlan10
ip address 192.168.1.2 255.255.255.0
!
interface Vlan20
ip address 192.168.2.2 255.255.255.0
!
interface Vlan30
ip address 192.168.3.2 255.255.255.0
!
ip forward-protocol nd
!
!
ip http server
ip http secure-server
ip ssh bulk-mode 131072
!
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
exec-timeout 0 0
login
transport input ssh
!
!
end
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n0
image_definition: null
label: iol-l2-0
node_definition: ioll2-xe
parameters: {}
ram: null
tags: []
x: -40
y: -80
interfaces:
- id: i0
label: Loopback0
type: loopback
- id: i1
label: Ethernet0/0
slot: 0
type: physical
- id: i2
label: Ethernet0/1
slot: 1
type: physical
- id: i3
label: Ethernet0/2
slot: 2
type: physical
- id: i4
label: Ethernet0/3
slot: 3
type: physical
- id: i5
label: Ethernet1/0
slot: 4
type: physical
- id: i6
label: Ethernet1/1
slot: 5
type: physical
- id: i7
label: Ethernet1/2
slot: 6
type: physical
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n1
image_definition: null
label: desktop-0
node_definition: desktop
parameters: {}
ram: null
tags: []
x: -360
y: -160
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n2
image_definition: null
label: desktop-1
node_definition: desktop
parameters: {}
ram: null
tags: []
x: -360
y: 0
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n3
image_definition: null
label: desktop-2
node_definition: desktop
parameters: {}
ram: null
tags: []
x: -160
y: 200
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n4
image_definition: null
label: desktop-3
node_definition: desktop
parameters: {}
ram: null
tags: []
x: 80
y: 200
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n5
image_definition: null
label: desktop-4
node_definition: desktop
parameters: {}
ram: null
tags: []
x: 280
y: 0
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n6
image_definition: null
label: desktop-5
node_definition: desktop
parameters: {}
ram: null
tags: []
x: 280
y: -160
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
- boot_disk_size: null
configuration:
- name: ios_config.txt
content: |-
Building configuration...
Current configuration : 1876 bytes
!
! Last configuration change at 08:18:06 UTC Mon Apr 29 2024
!
version 17.12
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname inserthostname-here
!
boot-start-marker
boot-end-marker
!
!
no logging console
no aaa new-model
!
!
!
no ip routing
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.5
ip dhcp excluded-address 192.168.2.1 192.168.2.5
ip dhcp excluded-address 192.168.3.1 192.168.3.5
!
ip dhcp pool HR-Team[Vlan-10]
network 192.168.1.0 255.255.255.0
default-router 192.168.1.2
dns-server 192.168.1.1
!
ip dhcp pool Managment[Vlan-20]
network 192.168.2.0 255.255.255.0
default-router 192.168.2.2
dns-server 192.168.2.1
!
ip dhcp pool VIP_Pool[Vlan-30]
network 192.168.3.0 255.255.255.0
default-router 192.168.3.2
dns-server 192.168.3.1
!
!
!
no ip cef
login on-success log
no ipv6 cef
!
!
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
memory free low-watermark processor 81225
!
!
spanning-tree mode rapid-pvst
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
no ip address
no ip route-cache
!
interface Ethernet0/0.1
encapsulation dot1Q 10
ip address 192.168.1.1 255.255.255.0
no ip route-cache
!
interface Ethernet0/0.2
encapsulation dot1Q 20
ip address 192.168.2.1 255.255.255.0
no ip route-cache
!
interface Ethernet0/0.3
encapsulation dot1Q 30
ip address 192.168.3.1 255.255.255.0
no ip route-cache
!
interface Ethernet0/1
no ip address
no ip route-cache
shutdown
!
interface Ethernet0/2
no ip address
no ip route-cache
shutdown
!
interface Ethernet0/3
no ip address
no ip route-cache
shutdown
!
ip forward-protocol nd
!
!
ip http server
ip http secure-server
ip ssh bulk-mode 131072
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
exec-timeout 0 0
login
transport input ssh
!
!
!
!
end
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n7
image_definition: null
label: iol-0
node_definition: iol-xe
parameters: {}
ram: null
tags: []
x: -40
y: -400
interfaces:
- id: i0
label: Loopback0
type: loopback
- id: i1
label: Ethernet0/0
slot: 0
type: physical
- id: i2
label: Ethernet0/1
slot: 1
type: physical
- id: i3
label: Ethernet0/2
slot: 2
type: physical
- id: i4
label: Ethernet0/3
slot: 3
type: physical
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n8
image_definition: null
label: ext-conn-0
node_definition: external_connector
parameters: {}
ram: null
tags: []
x: -280
y: -400
interfaces:
- id: i0
label: port
slot: 0
type: physical
links:
- id: l0
n1: n0
n2: n7
i1: i1
i2: i1
conditioning: {}
label: iol-l2-0-Ethernet0/0<->iol-0-Ethernet0/0
- id: l1
n1: n0
n2: n1
i1: i2
i2: i0
conditioning: {}
label: iol-l2-0-Ethernet0/1<->desktop-0-eth0
- id: l2
n1: n0
n2: n2
i1: i3
i2: i0
conditioning: {}
label: iol-l2-0-Ethernet0/2<->desktop-1-eth0
- id: l3
n1: n0
n2: n3
i1: i4
i2: i0
conditioning: {}
label: iol-l2-0-Ethernet0/3<->desktop-2-eth0
- id: l4
n1: n0
n2: n4
i1: i5
i2: i0
conditioning: {}
label: iol-l2-0-Ethernet1/0<->desktop-3-eth0
- id: l5
n1: n0
n2: n6
i1: i6
i2: i0
conditioning: {}
label: iol-l2-0-Ethernet1/1<->desktop-5-eth0
- id: l6
n1: n0
n2: n5
i1: i7
i2: i0
conditioning: {}
label: iol-l2-0-Ethernet1/2<->desktop-4-eth0
- id: l7
n1: n7
n2: n8
i1: i2
i2: i0
conditioning: {}
label: iol-0-Ethernet0/1<->ext-conn-0-port
lab:
description: |-
Welcome to our lab on setting up VLANs, which are like separate virtual networks, on multiple switches!
VLANs (Virtual LANs): Think of VLANs as dividing a big house into different rooms. Each room can have its own stuff and people, but they're all still in the same house. Similarly, VLANs let us divide a big network into smaller, separate parts. This helps keep things organized and secure.
Access Ports: Imagine these as doors to rooms in our house. Access ports connect devices (like computers or phones) to the network. We have two types: one for regular data and another for voice (like phones).
Default VLAN: Every switch has a default room where devices automatically go when they're connected. It's like when you first move into a house, you're assigned a room until you decide where you want to be. The default VLAN is similar; devices are initially put there until we assign them to another VLAN.
InterVLAN Connectivity: This is like having secret passages or corridors between rooms in our house. Normally, devices in one room can't talk to devices in another, but with InterVLAN connectivity, they can. This lets different VLANs communicate with each other.
So, in this lab, we'll learn how to set up these VLANs, connect devices to access ports, deal with the default VLAN, and make sure devices in different VLANs can talk to each other. Ready to dive in? Let's go!
notes: |-
#Task-2.1
step1: Configure Vlan 10, 20, 30 and give names managment, HR Team , VIP in IOL-L2-0 switch.
login into Iol-l2-0 switch and enter into global configuration mode.
#enable
#configuration mode
#vlan 10
#name HR-Team
#vlan 20
#name Managment
#vlan 30
#name VIP
Now assign the Vlan's to the ports.
#interface E0/1
#switchport mode access vlan 10
repeat the commands to all ports according to their corresponding Vlans
step 2: verfiy the working of Vlan
To verfiy the working before that you need to add the IP address to the desktops for each.
Esle you can just put the below configuration on Iol-l2-0
#en
#conf t
#interface E0/0
#switchport encapulation dot1q
#switchport mode trunk
#do wr
#end
once applied above configuration reboot all desktops so that IP can get assigned.
Note: Please ignore the working of above commands. You will learning about tagging[Trunk port], DHCP in up-comming labs.
Verfication:
#show vlan brief
#show vlan
Now you are able to ping with in the vlan not out side of it.
example: you can ping desktop-0 to 1 but not desktop-2,4...
step 3: Verfiy the status of port(Access or Trunk for managment desktop connected port on switch)
#show interface trunk
Port Mode Encapsulation Status Native vlan
Et0/0 on 802.1q trunking 1
Port Vlans allowed on trunk
Et0/0 1-4094
Port Vlans allowed and active in management domain
Et0/0 1,10,20,30
Port Vlans in spanning tree forwarding state and not pruned
Et0/0 1,10,20,30
If port refelects here then that port is trunk port not the Access port. Here it is showing only Et0/0 is trunk port.
step 4: configure the router or switch so that inter vlan communication can happen.
Note: You will learn about this in upcomming Labs(inter Vlan routing[router on stick])
We can make L3 swhich is capable of doing routing and create virtual interfaces.
#en
#conf t
#ip routing
#int vlan 10
#ip add 192.168.1.2 255.255.255.0
simarly configure interface vlan 20, 30 with ip address 192.168.2.2, 192.168.3.2(make sure that the default gateway of desktop is virtual interface IP).
step 5: Verfiy the connectvity between managment desktop and infra employee desktop.
To verfiy now all switches are able to ping each other.
inserthostname-here:~$ ping 192.168.3.6
PING 192.168.3.6 (192.168.3.6): 56 data bytes
64 bytes from 192.168.3.6: seq=0 ttl=42 time=0.638 ms
64 bytes from 192.168.3.6: seq=1 ttl=42 time=0.628 ms
64 bytes from 192.168.3.6: seq=2 ttl=42 time=1.070 ms
64 bytes from 192.168.3.6: seq=3 ttl=42 time=0.865 ms
64 bytes from 192.168.3.6: seq=4 ttl=42 time=1.064 ms
64 bytes from 192.168.3.6: seq=5 ttl=42 time=0.655 ms
64 bytes from 192.168.3.6: seq=6 ttl=42 time=0.598 ms
64 bytes from 192.168.3.6: seq=7 ttl=42 time=0.982 ms
^C
--- 192.168.3.6 ping statistics ---
8 packets transmitted, 8 packets received, 0% packet loss
round-trip min/avg/max = 0.598/0.812/1.070 ms
inserthostname-here:~$
title: Task-2.1[Configure and verify VLANs]
version: 0.2.2

170
lab-topologies/ccna/Domain_2/2.2-configure_interswitch_connectivity_1/2.2_Configure_and_verify_interswitch_connectivity-Initial.yaml Normal file
View File

@@ -0,0 +1,170 @@
annotations:
- border_color: '#808080FF'
border_style: ''
color: '#FFFFFFFF'
line_end: null
line_start: null
thickness: 1
type: line
x1: -200.0
y1: 0.0
x2: -200.0
y2: 0.0
z_index: 0
nodes:
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n0
image_definition: null
label: iol-l2-0
node_definition: ioll2-xe
parameters: {}
ram: null
tags: []
x: -200
y: 0
interfaces:
- id: i0
label: Loopback0
type: loopback
- id: i1
label: Ethernet0/0
slot: 0
type: physical
- id: i2
label: Ethernet0/1
slot: 1
type: physical
- id: i3
label: Ethernet0/2
slot: 2
type: physical
- id: i4
label: Ethernet0/3
slot: 3
type: physical
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n1
image_definition: null
label: iol-l2-1
node_definition: ioll2-xe
parameters: {}
ram: null
tags: []
x: 0
y: 0
interfaces:
- id: i0
label: Loopback0
type: loopback
- id: i1
label: Ethernet0/0
slot: 0
type: physical
- id: i2
label: Ethernet0/1
slot: 1
type: physical
- id: i3
label: Ethernet0/2
slot: 2
type: physical
- id: i4
label: Ethernet0/3
slot: 3
type: physical
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n2
image_definition: null
label: desktop-0
node_definition: desktop
parameters: {}
ram: null
tags: []
x: -360
y: 80
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n3
image_definition: null
label: desktop-1
node_definition: desktop
parameters: {}
ram: null
tags: []
x: 160
y: 80
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
links:
- id: l0
n1: n0
n2: n1
i1: i1
i2: i1
conditioning: {}
label: iol-l2-0-Ethernet0/0<->iol-l2-1-Ethernet0/0
- id: l1
n1: n2
n2: n0
i1: i0
i2: i2
conditioning: {}
label: desktop-0-eth0<->iol-l2-0-Ethernet0/1
- id: l2
n1: n3
n2: n1
i1: i0
i2: i2
conditioning: {}
label: desktop-1-eth0<->iol-l2-1-Ethernet0/1
lab:
description: |-
2.2 Configure and verify interswitch connectivity
2.2.a Trunk ports
2.2.b 802.1Q
2.2.c Native VLAN
CML ver 2.7
notes: |-
Add two IOLL2 switches and two clients
Connect both switches together and form a trunk
Connect one client to each switch
Assign an Ip address to each client and verify connectivity
Create a vlan named "vlan 10"
Add ports where each client is connected to vlan 10
Verify connectivity by pinging each client
title: 2.2 Configure and verify interswitch connectivity
version: 0.2.2

374
lab-topologies/ccna/Domain_2/2.2-configure_interswitch_connectivity_1/2.2_Configure_and_verify_interswitch_connectivity-Solution.yaml Normal file
View File

@@ -0,0 +1,374 @@
annotations:
- border_color: '#808080FF'
border_style: ''
color: '#FFFFFFFF'
line_end: null
line_start: null
thickness: 1
type: line
x1: -200.0
y1: 0.0
x2: -200.0
y2: 0.0
z_index: 0
nodes:
- boot_disk_size: null
configuration:
- name: ios_config.txt
content: |-
Building configuration...
Current configuration : 1025 bytes
!
! Last configuration change at 06:36:22 UTC Wed May 1 2024
!
version 17.12
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname SW1
!
boot-start-marker
boot-end-marker
!
!
no logging console
no aaa new-model
!
!
!
!
!
!
!
!
!
!
!
!
!
ip audit notify log
ip audit po max-events 100
ip cef
login on-success log
no ipv6 cef
!
!
!
!
!
!
!
vtp version 1
multilink bundle-name authenticated
!
!
!
!
memory free low-watermark processor 80589
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
vlan internal allocation policy ascending
!
!
!
!
!
interface Ethernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Ethernet0/1
switchport access vlan 10
!
interface Ethernet0/2
!
interface Ethernet0/3
!
ip forward-protocol nd
!
!
ip http server
ip http secure-server
ip ssh bulk-mode 131072
!
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
exec-timeout 0 0
login
transport input ssh
!
!
end
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n0
image_definition: null
label: iol-l2-0
node_definition: ioll2-xe
parameters: {}
ram: null
tags: []
x: -200
y: 0
interfaces:
- id: i0
label: Loopback0
type: loopback
- id: i1
label: Ethernet0/0
slot: 0
type: physical
- id: i2
label: Ethernet0/1
slot: 1
type: physical
- id: i3
label: Ethernet0/2
slot: 2
type: physical
- id: i4
label: Ethernet0/3
slot: 3
type: physical
- boot_disk_size: null
configuration:
- name: ios_config.txt
content: |-
Building configuration...
Current configuration : 1025 bytes
!
! Last configuration change at 06:36:22 UTC Wed May 1 2024
!
version 17.12
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname SW2
!
boot-start-marker
boot-end-marker
!
!
no logging console
no aaa new-model
!
!
!
!
!
!
!
!
!
!
!
!
!
ip audit notify log
ip audit po max-events 100
ip cef
login on-success log
no ipv6 cef
!
!
!
!
!
!
!
vtp version 1
multilink bundle-name authenticated
!
!
!
!
memory free low-watermark processor 80589
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
vlan internal allocation policy ascending
!
!
!
!
!
interface Ethernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Ethernet0/1
switchport access vlan 10
!
interface Ethernet0/2
!
interface Ethernet0/3
!
ip forward-protocol nd
!
!
ip http server
ip http secure-server
ip ssh bulk-mode 131072
!
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
exec-timeout 0 0
login
transport input ssh
!
!
end
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n1
image_definition: null
label: iol-l2-1
node_definition: ioll2-xe
parameters: {}
ram: null
tags: []
x: 0
y: 0
interfaces:
- id: i0
label: Loopback0
type: loopback
- id: i1
label: Ethernet0/0
slot: 0
type: physical
- id: i2
label: Ethernet0/1
slot: 1
type: physical
- id: i3
label: Ethernet0/2
slot: 2
type: physical
- id: i4
label: Ethernet0/3
slot: 3
type: physical
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n2
image_definition: null
label: desktop-0
node_definition: desktop
parameters: {}
ram: null
tags: []
x: -360
y: 80
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n3
image_definition: null
label: desktop-1
node_definition: desktop
parameters: {}
ram: null
tags: []
x: 160
y: 80
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
links:
- id: l0
n1: n0
n2: n1
i1: i1
i2: i1
conditioning: {}
label: iol-l2-0-Ethernet0/0<->iol-l2-1-Ethernet0/0
- id: l1
n1: n2
n2: n0
i1: i0
i2: i2
conditioning: {}
label: desktop-0-eth0<->iol-l2-0-Ethernet0/1
- id: l2
n1: n3
n2: n1
i1: i0
i2: i2
conditioning: {}
label: desktop-1-eth0<->iol-l2-1-Ethernet0/1
lab:
description: |-
2.2 Configure and verify interswitch connectivity
2.2.a Trunk ports
2.2.b 802.1Q
2.2.c Native VLAN
CML ver 2.7
notes: |-
Add two IOLL2 switches and two clients
Connect both switches together and form a trunk
Connect one client to each switch
Assign an Ip address to each client and verify connectivity
Create a vlan named "vlan 10"
Add ports where each client is connected to vlan 10
Verify connectivity by pinging each client
title: 2.2 Configure and verify interswitch connectivity
version: 0.2.2

5
lab-topologies/ccna/Domain_2/2.2-configure_interswitch_connectivity_1/README.md Normal file
View File

@@ -0,0 +1,5 @@
# Configure and verify interswitch connectivity
2.2 Configure and verify interswitch connectivity2.2.a Trunk ports2.2.b 802.1Q2.2.c Native VLAN
![Lab Topology](https://github.com/CiscoDevNet/cml-community/blob/master/lab-topologies/ccna//Domain_2/2.2-configure_interswitch_connectivity_1/Screenshot_2024-04-30_230639.png)

BIN
lab-topologies/ccna/Domain_2/2.2-configure_interswitch_connectivity_1/Screenshot_2024-04-30_230639.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 46 KiB

848
lab-topologies/ccna/Domain_2/2.2-configure_interswitch_connectivity_2/2.2_Completed_Lab.yaml Normal file
View File

@@ -0,0 +1,848 @@
annotations:
- border_color: '#808080FF'
border_radius: 0
border_style: ''
color: '#CB6666'
thickness: 1
type: rectangle
x1: -600.0
y1: 320.0
x2: 240.0
y2: 200.0
z_index: 0
- border_color: '#808080FF'
border_radius: 0
border_style: ''
color: '#66AACB'
thickness: 1
type: rectangle
x1: -280.0
y1: 320.0
x2: 280.0
y2: 200.0
z_index: 0
- border_color: '#00000000'
border_style: ''
color: '#808080FF'
rotation: 0
text_bold: false
text_content: ''
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -680.0
y1: 280.0
z_index: 1
- border_color: '#00000000'
border_style: ''
color: '#FFE430'
rotation: 0
text_bold: false
text_content: "VLAN 10 \n"
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -560.0
y1: 320.0
z_index: 2
- border_color: '#00000000'
border_style: ''
color: '#A3FEA5'
rotation: 0
text_bold: false
text_content: "VLAN 20 \n"
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -80.0
y1: 320.0
z_index: 2
- border_color: '#808080FF'
border_radius: 0
border_style: ''
color: '#66AACB'
thickness: 1
type: rectangle
x1: -640.0
y1: 0.0
x2: 200.0
y2: 120.0
z_index: 0
- border_color: '#00000000'
border_style: ''
color: '#A3FEA5'
rotation: 0
text_bold: false
text_content: |-
VLAN 20
192.168.2.1 /24
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -600.0
y1: 40.0
z_index: 2
- border_color: '#808080FF'
border_radius: 0
border_style: ''
color: '#CB6666'
thickness: 1
type: rectangle
x1: -640.0
y1: 160.0
x2: 200.0
y2: 120.0
z_index: 0
- border_color: '#00000000'
border_style: ''
color: '#FFE430'
rotation: 0
text_bold: false
text_content: |-
VLAN 10
10.0.0.1 /16
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -600.0
y1: 200.0
z_index: 2
- border_color: '#00000000'
border_style: ''
color: '#808080FF'
rotation: 0
text_bold: false
text_content: ''
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -200.0
y1: 480.0
z_index: 3
- border_color: '#00000000'
border_style: ''
color: '#A3FEA5'
rotation: 0
text_bold: false
text_content: '.20
'
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -80.0
y1: 400.0
z_index: 2
- border_color: '#00000000'
border_style: ''
color: '#A3FEA5'
rotation: 0
text_bold: false
text_content: '.40
'
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -200.0
y1: 440.0
z_index: 2
- border_color: '#00000000'
border_style: ''
color: '#FFE430'
rotation: 0
text_bold: false
text_content: '.50
'
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -400.0
y1: 440.0
z_index: 2
- border_color: '#00000000'
border_style: ''
color: '#FFE430'
rotation: 0
text_bold: false
text_content: '.60
'
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -560.0
y1: 400.0
z_index: 2
- border_color: '#00000000'
border_style: ''
color: '#000000'
rotation: 0
text_bold: false
text_content: |-
G0/3.1 10.0.0.1 /16
G0/3.2 192.168.2.1/24
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -280.0
y1: 120.0
z_index: 4
nodes:
- boot_disk_size: null
configuration:
- name: ios_config.txt
content: |-
Building configuration...
Current configuration : 3552 bytes
!
! Last configuration change at 07:53:42 UTC Thu May 9 2024
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname SW1
!
boot-start-marker
boot-end-marker
!
!
no logging console
!
no aaa new-model
!
!
!
!
!
!
!
!
no ip domain-lookup
ip cef
no ipv6 cef
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
switchport access vlan 10
switchport mode access
negotiation auto
!
interface GigabitEthernet0/1
switchport access vlan 10
switchport mode access
negotiation auto
!
interface GigabitEthernet0/2
negotiation auto
!
interface GigabitEthernet0/3
negotiation auto
!
interface GigabitEthernet1/0
negotiation auto
!
interface GigabitEthernet1/1
switchport access vlan 20
switchport mode access
negotiation auto
!
interface GigabitEthernet1/2
switchport access vlan 20
switchport mode access
negotiation auto
!
interface GigabitEthernet1/3
negotiation auto
!
interface GigabitEthernet2/0
negotiation auto
!
interface GigabitEthernet2/1
negotiation auto
!
interface GigabitEthernet2/2
negotiation auto
!
interface GigabitEthernet2/3
negotiation auto
!
interface GigabitEthernet3/0
negotiation auto
!
interface GigabitEthernet3/1
negotiation auto
!
interface GigabitEthernet3/2
negotiation auto
!
interface GigabitEthernet3/3
switchport trunk encapsulation dot1q
switchport mode trunk
negotiation auto
!
ip forward-protocol nd
!
ip http server
ip http secure-server
!
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
!
!
!
!
!
control-plane
!
banner exec ^CC
IOSv - Cisco Systems Confidential -
Supplemental End User License Restrictions
This IOSv software is provided AS-IS without warranty of any kind. Under no circumstances may this software be used separate from the Cisco Modeling Labs Software that this software was provided with, or deployed or used as part of a production environment.
By using the software, you agree to abide by the terms and conditions of the Cisco End User License Agreement at http://www.cisco.com/go/eula. Unauthorized use or distribution of this software is expressly prohibited.
^C
banner incoming ^CC
IOSv - Cisco Systems Confidential -
Supplemental End User License Restrictions
This IOSv software is provided AS-IS without warranty of any kind. Under no circumstances may this software be used separate from the Cisco Modeling Labs Software that this software was provided with, or deployed or used as part of a production environment.
By using the software, you agree to abide by the terms and conditions of the Cisco End User License Agreement at http://www.cisco.com/go/eula. Unauthorized use or distribution of this software is expressly prohibited.
^C
banner login ^CC
IOSv - Cisco Systems Confidential -
Supplemental End User License Restrictions
This IOSv software is provided AS-IS without warranty of any kind. Under no circumstances may this software be used separate from the Cisco Modeling Labs Software that this software was provided with, or deployed or used as part of a production environment.
By using the software, you agree to abide by the terms and conditions of the Cisco End User License Agreement at http://www.cisco.com/go/eula. Unauthorized use or distribution of this software is expressly prohibited.
^C
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
exec-timeout 0 0
login
!
!
end
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n0
image_definition: null
label: SW1
node_definition: iosvl2
parameters: {}
ram: null
tags: []
x: -320
y: 280
interfaces:
- id: i0
label: Loopback0
type: loopback
- id: i1
label: GigabitEthernet0/0
slot: 0
type: physical
- id: i2
label: GigabitEthernet0/1
slot: 1
type: physical
- id: i3
label: GigabitEthernet0/2
slot: 2
type: physical
- id: i4
label: GigabitEthernet0/3
slot: 3
type: physical
- id: i5
label: GigabitEthernet1/0
slot: 4
type: physical
- id: i6
label: GigabitEthernet1/1
slot: 5
type: physical
- id: i7
label: GigabitEthernet1/2
slot: 6
type: physical
- id: i8
label: GigabitEthernet1/3
slot: 7
type: physical
- id: i9
label: GigabitEthernet2/0
slot: 8
type: physical
- id: i10
label: GigabitEthernet2/1
slot: 9
type: physical
- id: i11
label: GigabitEthernet2/2
slot: 10
type: physical
- id: i12
label: GigabitEthernet2/3
slot: 11
type: physical
- id: i13
label: GigabitEthernet3/0
slot: 12
type: physical
- id: i14
label: GigabitEthernet3/1
slot: 13
type: physical
- id: i15
label: GigabitEthernet3/2
slot: 14
type: physical
- id: i16
label: GigabitEthernet3/3
slot: 15
type: physical
- boot_disk_size: null
configuration:
- name: ios_config.txt
content: |-
Building configuration...
Current configuration : 3177 bytes
!
! Last configuration change at 07:53:46 UTC Thu May 9 2024
!
version 15.9
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no logging console
!
no aaa new-model
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/3
no ip address
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/3.1
encapsulation dot1Q 10
ip address 10.0.0.1 255.255.0.0
!
interface GigabitEthernet0/3.2
encapsulation dot1Q 20
ip address 192.168.2.1 255.255.255.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
ipv6 ioam timestamp
!
!
!
control-plane
!
banner exec ^CC
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner incoming ^CC
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner login ^CC
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
exec-timeout 0 0
login
transport input none
!
no scheduler allocate
!
end
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n1
image_definition: null
label: R1
node_definition: iosv
parameters: {}
ram: null
tags: []
x: -320
y: 80
interfaces:
- id: i0
label: Loopback0
type: loopback
- id: i1
label: GigabitEthernet0/0
slot: 0
type: physical
- id: i2
label: GigabitEthernet0/1
slot: 1
type: physical
- id: i3
label: GigabitEthernet0/2
slot: 2
type: physical
- id: i4
label: GigabitEthernet0/3
slot: 3
type: physical
- boot_disk_size: null
configuration:
- name: node.cfg
content: |-
# this is a shell script which will be sourced at boot
hostname inserthostname-here
# configurable user account
USERNAME=cisco
PASSWORD=cisco
hostname PC0
echo '127.0.0.1 PC1' >> /etc/hosts
ip address add 10.0.0.60/255.255.0.0 dev eth0
route add default gw 10.0.0.1 eth0
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n2
image_definition: null
label: PC0
node_definition: desktop
parameters: {}
ram: null
tags: []
x: -560
y: 440
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
- boot_disk_size: null
configuration:
- name: node.cfg
content: |-
# this is a shell script which will be sourced at boot
hostname inserthostname-here
# configurable user account
USERNAME=cisco
PASSWORD=cisco
hostname PC1
echo '127.0.0.1 PC1' >> /etc/hosts
ip address add 10.0.0.50/255.255.0.0 dev eth0
route add default gw 10.0.0.1 eth0
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n3
image_definition: null
label: PC1
node_definition: desktop
parameters: {}
ram: null
tags: []
x: -440
y: 480
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
- boot_disk_size: null
configuration:
- name: node.cfg
content: |-
# this is a shell script which will be sourced at boot
hostname inserthostname-here
# configurable user account
USERNAME=cisco
PASSWORD=cisco
hostname PC2
echo '127.0.0.1 PC1' >> /etc/hosts
ip address add 192.168.2.40/255.255.255.0 dev eth0
route add default gw 192.168.2.1 eth0
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n4
image_definition: null
label: PC2
node_definition: desktop
parameters: {}
ram: null
tags: []
x: -120
y: 480
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
- boot_disk_size: null
configuration:
- name: node.cfg
content: |-
# this is a shell script which will be sourced at boot
hostname inserthostname-here
# configurable user account
USERNAME=cisco
PASSWORD=cisco
hostname PC3
echo '127.0.0.1 PC1' >> /etc/hosts
ip address add 192.168.2.20/255.255.255.0 dev eth0
route add default gw 192.168.2.1 eth0
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n5
image_definition: null
label: PC3
node_definition: desktop
parameters: {}
ram: null
tags: []
x: -40
y: 440
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
links:
- id: l0
n1: n0
n2: n1
i1: i16
i2: i4
conditioning: {}
label: SW1-GigabitEthernet3/3<->R1-GigabitEthernet0/3
- id: l1
n1: n2
n2: n0
i1: i0
i2: i1
conditioning: {}
label: PC0-eth0<->SW1-GigabitEthernet0/0
- id: l2
n1: n3
n2: n0
i1: i0
i2: i2
conditioning: {}
label: PC1-eth0<->SW1-GigabitEthernet0/1
- id: l3
n1: n4
n2: n0
i1: i0
i2: i6
conditioning: {}
label: PC2-eth0<->SW1-GigabitEthernet1/1
- id: l4
n1: n5
n2: n0
i1: i0
i2: i7
conditioning: {}
label: PC3-eth0<->SW1-GigabitEthernet1/2
lab:
description: ''
notes: |-
A method of providing routing and connectivity for multiple VLANs is through the use of an 802.1Q trunk between one or more switches and a single router interface. This method is also known as router-on-a-stick inter-VLAN routing. In this method, the physical router interface is divided into multiple subinterfaces that provide logical pathways to all VLANs connected.
In this lab, you will configure trunk-based inter-VLAN routing and verify connectivity to hosts on different VLANs as well as with a loopback on the router.
Step 1: For each Switch and Router and end device, Configure the hostname according to the Topology.
Step 2: On the Switches, Configure the ports between them as Trunk, You will also need to configure the port connected to R1 as a trunk port as per the Topology.
Step 3 Create the VLANs listed in the Topology on each switch. Next, assign the relevant VLAN to the corresponding ports based on the Topology.
EG: assign VLAN 20 to port G1/1, which connects to PC 2.
NOTE: Keep in mind that Access ports are designated for end devices, while Trunk ports are utilized between routers and switches.
Step 4: On Router 1, Configure Sub Interfaces for each VLAN on the connection from S1 to R1. Use the Address schema as per the Topology. Note: When creating the subinterfaces, you should use the encapsulation dot1q command to enable communication between vlans. Remember to bring up the physical Interface by issuing the no shutdown command
Step 5: Copy the Running configuration to the startup configuration on each switch and router.
Step 6: Assign the relevant IP Addresses to the end devices within each VLAN as per the Topology. Note: You may need to use the sudo ifconfig eth0 Command on the Desktops.
Step 7: Verify on each switch that the correct VLAN is assigned. Using the show vlan brief command.
Step 8: Verify connectivity between devices by pinging other VLAN devices.
title: Lab at Thu 06:34 AM
version: 0.2.2

488
lab-topologies/ccna/Domain_2/2.2-configure_interswitch_connectivity_2/2.2_Initial_Lab.yaml Normal file
View File

@@ -0,0 +1,488 @@
annotations:
- border_color: '#808080FF'
border_radius: 0
border_style: ''
color: '#CB6666'
thickness: 1
type: rectangle
x1: -600.0
y1: 320.0
x2: 240.0
y2: 200.0
z_index: 0
- border_color: '#808080FF'
border_radius: 0
border_style: ''
color: '#66AACB'
thickness: 1
type: rectangle
x1: -280.0
y1: 320.0
x2: 280.0
y2: 200.0
z_index: 0
- border_color: '#00000000'
border_style: ''
color: '#808080FF'
rotation: 0
text_bold: false
text_content: ''
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -680.0
y1: 280.0
z_index: 1
- border_color: '#00000000'
border_style: ''
color: '#FFE430'
rotation: 0
text_bold: false
text_content: "VLAN 10 \n"
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -560.0
y1: 480.0
z_index: 2
- border_color: '#00000000'
border_style: ''
color: '#A3FEA5'
rotation: 0
text_bold: false
text_content: "VLAN 20 \n"
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -200.0
y1: 480.0
z_index: 2
- border_color: '#808080FF'
border_radius: 0
border_style: ''
color: '#66AACB'
thickness: 1
type: rectangle
x1: -640.0
y1: 0.0
x2: 200.0
y2: 120.0
z_index: 0
- border_color: '#00000000'
border_style: ''
color: '#A3FEA5'
rotation: 0
text_bold: false
text_content: |-
VLAN 20
192.168.2.1 /24
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -600.0
y1: 40.0
z_index: 2
- border_color: '#808080FF'
border_radius: 0
border_style: ''
color: '#CB6666'
thickness: 1
type: rectangle
x1: -640.0
y1: 160.0
x2: 200.0
y2: 120.0
z_index: 0
- border_color: '#00000000'
border_style: ''
color: '#FFE430'
rotation: 0
text_bold: false
text_content: |-
VLAN 10
10.0.0.1 /16
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -600.0
y1: 200.0
z_index: 2
- border_color: '#00000000'
border_style: ''
color: '#808080FF'
rotation: 0
text_bold: false
text_content: ''
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -200.0
y1: 480.0
z_index: 3
- border_color: '#00000000'
border_style: ''
color: '#A3FEA5'
rotation: 0
text_bold: false
text_content: '.20
'
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -80.0
y1: 400.0
z_index: 2
- border_color: '#00000000'
border_style: ''
color: '#A3FEA5'
rotation: 0
text_bold: false
text_content: '.40
'
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -120.0
y1: 440.0
z_index: 2
- border_color: '#00000000'
border_style: ''
color: '#FFE430'
rotation: 0
text_bold: false
text_content: '.50
'
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -400.0
y1: 440.0
z_index: 2
- border_color: '#00000000'
border_style: ''
color: '#FFE430'
rotation: 0
text_bold: false
text_content: '.60
'
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -560.0
y1: 360.0
z_index: 2
- border_color: '#00000000'
border_style: ''
color: '#000000'
rotation: 0
text_bold: false
text_content: |-
G0/3.1 10.0.0.1 /16
G0/3.2 192.168.2.1/24
text_font: monospace
text_italic: false
text_size: 12
text_unit: pt
thickness: 1
type: text
x1: -280.0
y1: 120.0
z_index: 4
nodes:
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n0
image_definition: null
label: SW1
node_definition: iosvl2
parameters: {}
ram: null
tags: []
x: -320
y: 280
interfaces:
- id: i0
label: Loopback0
type: loopback
- id: i1
label: GigabitEthernet0/0
slot: 0
type: physical
- id: i2
label: GigabitEthernet0/1
slot: 1
type: physical
- id: i3
label: GigabitEthernet0/2
slot: 2
type: physical
- id: i4
label: GigabitEthernet0/3
slot: 3
type: physical
- id: i5
label: GigabitEthernet1/0
slot: 4
type: physical
- id: i6
label: GigabitEthernet1/1
slot: 5
type: physical
- id: i7
label: GigabitEthernet1/2
slot: 6
type: physical
- id: i8
label: GigabitEthernet1/3
slot: 7
type: physical
- id: i9
label: GigabitEthernet2/0
slot: 8
type: physical
- id: i10
label: GigabitEthernet2/1
slot: 9
type: physical
- id: i11
label: GigabitEthernet2/2
slot: 10
type: physical
- id: i12
label: GigabitEthernet2/3
slot: 11
type: physical
- id: i13
label: GigabitEthernet3/0
slot: 12
type: physical
- id: i14
label: GigabitEthernet3/1
slot: 13
type: physical
- id: i15
label: GigabitEthernet3/2
slot: 14
type: physical
- id: i16
label: GigabitEthernet3/3
slot: 15
type: physical
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n1
image_definition: null
label: R1
node_definition: iosv
parameters: {}
ram: null
tags: []
x: -320
y: 80
interfaces:
- id: i0
label: Loopback0
type: loopback
- id: i1
label: GigabitEthernet0/0
slot: 0
type: physical
- id: i2
label: GigabitEthernet0/1
slot: 1
type: physical
- id: i3
label: GigabitEthernet0/2
slot: 2
type: physical
- id: i4
label: GigabitEthernet0/3
slot: 3
type: physical
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n2
image_definition: null
label: PC0
node_definition: desktop
parameters: {}
ram: null
tags: []
x: -560
y: 400
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n3
image_definition: null
label: PC1
node_definition: desktop
parameters: {}
ram: null
tags: []
x: -440
y: 480
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n4
image_definition: null
label: PC2
node_definition: desktop
parameters: {}
ram: null
tags: []
x: -120
y: 480
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
- boot_disk_size: null
configuration: []
cpu_limit: null
cpus: null
data_volume: null
hide_links: false
id: n5
image_definition: null
label: PC3
node_definition: desktop
parameters: {}
ram: null
tags: []
x: -40
y: 440
interfaces:
- id: i0
label: eth0
slot: 0
type: physical
links:
- id: l0
n1: n0
n2: n1
i1: i16
i2: i4
conditioning: {}
label: SW1-GigabitEthernet3/3<->R1-GigabitEthernet0/3
- id: l1
n1: n2
n2: n0
i1: i0
i2: i1
conditioning: {}
label: PC0-eth0<->SW1-GigabitEthernet0/0
- id: l2
n1: n3
n2: n0
i1: i0
i2: i2
conditioning: {}
label: PC1-eth0<->SW1-GigabitEthernet0/1
- id: l3
n1: n4
n2: n0
i1: i0
i2: i6
conditioning: {}
label: PC2-eth0<->SW1-GigabitEthernet1/1
- id: l4
n1: n5
n2: n0
i1: i0
i2: i7
conditioning: {}
label: PC3-eth0<->SW1-GigabitEthernet1/2
lab:
description: ''
notes: |-
A method of providing routing and connectivity for multiple VLANs is through the use of an 802.1Q trunk between one or more switches and a single router interface. This method is also known as router-on-a-stick inter-VLAN routing. In this method, the physical router interface is divided into multiple subinterfaces that provide logical pathways to all VLANs connected.
In this lab, you will configure trunk-based inter-VLAN routing and verify connectivity to hosts on different VLANs as well as with a loopback on the router.
Step 1: For each Switch and Router and end device, Configure the hostname according to the Topology.
Step 2: On the Switches, Configure the ports between them as Trunk, You will also need to configure the port connected to R1 as a trunk port as per the Topology.
Step 3 Create the VLANs listed in the Topology on each switch. Next, assign the relevant VLAN to the corresponding ports based on the Topology.
EG: assign VLAN 20 to port G1/1, which connects to PC 2.
NOTE: Keep in mind that Access ports are designated for end devices, while Trunk ports are utilized between routers and switches.
Step 4: On Router 1, Configure Sub Interfaces for each VLAN on the connection from S1 to R1. Use the Address schema as per the Topology. Note: When creating the subinterfaces, you should use the encapsulation dot1q command to enable communication between vlans. Remember to bring up the physical Interface by issuing the no shutdown command
Step 5: Copy the Running configuration to the startup configuration on each switch and router.
Step 6: Assign the relevant IP Addresses to the end devices within each VLAN as per the Topology. Note: You may need to use the sudo ifconfig eth0 Command on the Desktops.
Step 7: Verify on each switch that the correct VLAN is assigned. Using the show vlan brief command.
Step 8: Verify connectivity between devices by pinging other VLAN devices.
title: Lab at Thu 06:34 AM
version: 0.2.2

BIN
lab-topologies/ccna/Domain_2/2.2-configure_interswitch_connectivity_2/2.2__Initial_Topology.JPG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 102 KiB

5
lab-topologies/ccna/Domain_2/2.2-configure_interswitch_connectivity_2/README.md Normal file
View File

@@ -0,0 +1,5 @@
# Configure and verify interswitch connectivity
This lab we configure the dot1q trunking to implement Router on a stick and inter-VLAN connectivity. CML version 2.X (Sandbox version)
![Lab Topology](https://github.com/CiscoDevNet/cml-community/blob/master/lab-topologies/ccna//Domain_2/2.2-configure_interswitch_connectivity_2/2.2__Initial_Topology.JPG)

Some files were not shown because too many files have changed in this diff Show More