Cisco routers and switches online configuration FAQ

The following are all the problems you will encounter when working through the CCIE RS LAB EXAM.

When doing projects, I often encounter a small project like this: the customer buys only one Cisco router and one core switch, and you need to configure the router and switch so that the clients can access the Internet. This small project looks very simple, but it is very important, and it often ends with an unsuccessful configuration or fails to meet customer requirements. Here is a detailed analysis of such a project, because many different configurations and requirements, such as dual exports, can be derived from it. First, look at the configuration of the router.

Router#sh run | b interface

interface Ethernet0/0

ip address

ip nat outside

interface Ethernet0/1

ip address

ip nat inside

I believe everyone is familiar with the configuration of these interfaces. The main settings are the WAN port address that the telecom provider gives you and the intranet address. NAT is generally required, so the NAT INSIDE and OUTSIDE interfaces are configured as well. Otherwise there is no way to do NAT, and the internal network cannot reach the public network.

Then you need to configure the default route, mainly to access the public network:

ip route

So in theory, you can now ping a public network address from the router. If the ping fails, it may be an interface problem or an ISP problem. This is also a starting point for troubleshooting: if the public network is unreachable, first check whether the WAN public network address is reachable from the router.

Now you can configure NAT. There are two main steps. The first step is to specify the range to be translated. What does this mean? There may be many network segments on the intranet, and not every segment is allowed onto the public network. Some companies require that only some segments can reach the public network while others cannot, for example to protect certain data. Because the ISP now assigns you only one IP address, you do port address translation. The port used is the configured OUTSIDE interface.


ip nat inside source list 100 interface Ethernet0/0 overload

access-list 100 permit ip any

Of the two commands above, the second specifies the range that can be translated. The network segment is written broadly here. Normally it can be written broadly, mainly because that makes the ACL simpler, but it can also be written very precisely; this depends on the actual situation. From the NAT command you can see that it is doing port address translation.

Once these two commands are entered, the network segments on the core switch can, in theory, access the external network. Why only in theory? For example, at this point nothing is configured on the core switch; only a network segment has been divided. In this case, the public network above the main river.

Of course, it is generally not so simple. You need to configure a routing protocol on the router and, most importantly, advertise a default route.

router ospf 1

network area 0

default-information originate always

Note that this is, which is mainly safer.

The configuration of the router is basically completed. Let's look at the configuration of the core switch.

The core switch can be Layer 2 or Layer 3. Now it is usually Layer 3. Now let's talk about the specific configuration requirements of the Layer 3 switch:

interface G0/1

no switchport

ip address

interface Vlan10

ip address

interface Vlan20

ip address

The above configuration is very simple. Configure an interface that connects to the router, and then create several network segments to isolate the clients below.

Configure a routing protocol so that the router can access the network segment of the core switch.

router ospf 1

network area 0

network area 0

If you do not configure a routing protocol, you can configure static routes instead. In that case the core switch is configured with a default route, and the router is configured with static routes so that it can reach the network segments below; otherwise they will not be able to communicate.

Finally, the ports can be assigned to different VLANs. That is basically the configuration of the core switch. At this point, the clients should be able to access the public network.

Question 1: The customer now requires that the network segments cannot access each other but can still connect to the public network.

interface Vlan10

ip address

ip access-group 100 in

interface Vlan20

ip address

ip access-group 101 in

access-list 100 deny ip

access-list 100 deny ip

access-list 100 permit ip any any

access-list 101 deny ip

access-list 101 permit ip any any

The above configuration is easy to understand: the ACL matches the network segments and restricts them, and it is then applied to the VLAN interfaces. Such configuration requirements are often encountered in actual projects.

Question 2: The network segments on the switch can access each other, but one network segment cannot connect to the public network.

Switch#sh run | b access-list 100

access-list 100 permit ip

access-list 100 deny ip any any

interface Vlan10

ip address

ip access-group 100 in

Question 3: Only a single host is allowed to communicate with another host, and it cannot access the public network.

Switch#sh run | in access-list 100

access-list 100 permit ip host host
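The ACLs in Questions 1 to 3 all depend on first-match evaluation and on the implicit deny at the end of every IOS access list. The following is an added example, not part of the original page, that parses extended `access-list` lines and evaluates a packet against them; the subnets and the names `parse_acl` and `evaluate` are assumptions, because the page's addresses are elided.

```python
import ipaddress

# Constructed ACLs: the page's addresses are elided, so these subnets are assumptions.
ACL_Q1 = """\
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 permit ip any any
"""
ACL_Q2 = """\
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 100 deny ip any any
"""

def _take(tokens):
    """Consume one address spec (any | host A | A WILDCARD) -> (addr, wildcard)."""
    head = tokens.pop(0)
    if head == "any":
        return 0, 0xFFFFFFFF
    if head == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(head)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into ordered entries."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        action, rest = tokens[2], tokens[4:]
        entries.append((action, _take(rest), _take(rest)))  # source first, then destination
    return entries

def _match(spec, ip):
    addr, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # wildcard bits set to 1 are ignored
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

def evaluate(entries, src, dst):
    """Return the action of the first matching entry; no match means implicit deny."""
    for action, s, d in entries:
        if _match(s, src) and _match(d, dst):
            return action
    return "deny"

if __name__ == "__main__":
    q1 = parse_acl(ACL_Q1)
    print(evaluate(q1, "192.168.10.5", "192.168.20.9"))   # inter-VLAN traffic
    print(evaluate(q1, "192.168.10.5", "203.0.113.10"))   # public destination
```

Because evaluation stops at the first match, placing `permit ip any any` above the deny lines in Question 1 would silently disable the isolation.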

Summary: Although the router and switch configuration for public network access is very simple, it is also the configuration encountered and used most often in actual projects, and it can be understood through the above analysis.

When troubleshooting, everyone should follow clear steps. For example, if you can't reach the public network, the first step is to check whether the router can ping a public network address, mainly to see whether the ISP has a problem. Then check whether the router can communicate with the core switch, whether the core switch can reach the access layer switch, and finally whether the access layer switch can reach the client. As long as your thinking is clear, troubleshooting is an easy task.

Let's take a look at the configuration in the actual project and delete some unused configurations.

1941#sh run

Building configuration...

Current configuration : 1785 bytes

Last configuration change at 05:58:15 UTC Tue Sep 24 2013 by cisco

version 15.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption


boot system flash0:/c1900-universalk9-mz.SPA.153-3.M.bin


enable secret 5 $l$FGLC$Y/iyOOH5xkYLI3mWkijL91

enable password cisco

no aaa new-model

ip dhcp excluded-address

ip dhcp pool ccna




license udi pid CISCO1941/K9 sn FGL1721109D

license accept end user agreement

license boot module c1900 technology-package securityk9

username CISCO privilege 15 password 0 cisco

interface GigabitEthernet0/0

description wan

ip address

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

interface GigabitEthernet0/1

description lan

ip address

ip nat inside

ip virtual-reassembly in

duplex auto

speed auto

ip nat inside source list natout interface GigabitEthernet0/0 overload

ip route

ip access-list standard natout


Note that DHCP is configured above; it can be configured either on the router or on the core switch. Also pay attention to the IOS version, which here is 15.3 and is fairly new. The IOS image a router ships with by default may contain more bugs.

It is recommended to upgrade to the latest IOS!
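The running config above also keeps `no service password-encryption`, a clear-text `enable password` next to the `enable secret`, `no aaa new-model`, and a privilege 15 user whose type 0 password equals its username. The following added example, which is not part of the original page, audits a config for exactly these settings; the rule names and the `audit` function are assumptions, and the sample is a constructed excerpt with the hash replaced by a placeholder.

```python
import re

# Constructed excerpt that mirrors the credential-related lines of the running
# config shown above; the enable-secret hash is replaced by a placeholder.
SAMPLE_CONFIG = """\
service timestamps log datetime msec
no service password-encryption
enable secret 5 <hash-placeholder>
enable password cisco
no aaa new-model
username CISCO privilege 15 password 0 cisco
"""

RULES = [
    ("no-pw-encryption", r"^no service password-encryption$",
     "type 0 passwords stay readable in every copy of the config"),
    ("enable-password", r"^enable password ",
     "legacy 'enable password' kept next to 'enable secret'; remove it"),
    ("cleartext-user", r"^username \S+ .*\bpassword 0 ",
     "local user stored in clear text; use 'secret' instead of 'password'"),
    ("priv15-user", r"^username \S+ privilege 15 ",
     "account lands at privilege 15 on login"),
    ("no-aaa", r"^no aaa new-model$",
     "AAA disabled: no per-user authorization or accounting"),
]

def audit(config):
    """Return (line_number, rule_id, message) for each weak setting found."""
    findings = []
    for number, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        for rule_id, pattern, message in RULES:
            if re.search(pattern, line):
                findings.append((number, rule_id, message))
        # Clear-text password identical to the username (case-insensitive).
        m = re.match(r"^username (\S+) .*\bpassword 0 (\S+)$", line)
        if m and m.group(1).lower() == m.group(2).lower():
            findings.append((number, "pw-equals-username",
                             "password is the username; trivially guessable"))
    return findings

if __name__ == "__main__":
    for number, rule_id, message in audit(SAMPLE_CONFIG):
        print(f"line {number}: [{rule_id}] {message}")
```

The findings carry only line numbers and rule names, so the report can be shared without copying the passwords out of the config.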

