
CCRG-4-1-2 (1)

Published by mparmeley, 2017-09-06 15:33:51


Solution/Services: Feature
Related: N/A

NAT Overload using Pool of IP Addresses

• Configure NAT Overload for all inside addresses on the 192.168.10.0 network to use one of the outside IPs in the defined pool (1.1.1.5 – 1.1.1.6) for accessing the Internet.

access-list 101 permit ip 192.168.10.0 0.0.0.255 any
ip nat pool NATPOOL 1.1.1.5 1.1.1.6 netmask 255.255.255.0
ip nat inside source list 101 pool NATPOOL overload
interface GigabitEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 ip nat outside
interface GigabitEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside

show ip nat translations

Configuration Reference Guide | [N] 351

NAT Overload using WAN interface

• Configure NAT Overload for all inside addresses on the 192.168.10.0 network to use the IP address on the WAN facing interface of the Cisco router (1.1.1.1) for accessing the Internet.

access-list 101 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list 101 interface GigabitEthernet0/0 overload
interface GigabitEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 ip nat outside
interface GigabitEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside

show ip nat translations
L3 Port Channel between two Cisco Switches (using LACP)

• Configure L3 Port Channel between two Cisco Switches
• Port Channel protocol is LACP
• Port Channel group will be “1”
• Interfaces GE0/1 & GE0/2 will be added to Port Channel group between the switches

>>SW1<<
interface Port-Channel1
 no switchport
 ip address 10.1.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
interface GigabitEthernet0/1
 no switchport
 no ip address
 channel-protocol lacp
 channel-group 1 mode active
interface GigabitEthernet0/2
 no switchport
 no ip address
 channel-protocol lacp
 channel-group 1 mode active

>>SW2<<
interface Port-Channel1
 no switchport
 ip address 10.1.2.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
interface GigabitEthernet0/1
 no switchport
 no ip address
 channel-protocol lacp
 channel-group 1 mode active
interface GigabitEthernet0/2
 no switchport
 no ip address
 channel-protocol lacp
 channel-group 1 mode active

L2 Port Channel between two Cisco Switches (using LACP)

• Configure L2 Port Channel between two Cisco Switches
• Port Channel protocol is LACP
• Port Channel group will be “1”
• Interfaces GE0/1 & GE0/2 will be added to Port Channel group between the switches
• Allow VLAN tags 10, 11, 50, 200, and 250 between SW1 and SW2

>>SW1<<
interface Port-Channel1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10-11,50,200,250
 switchport mode trunk
 switchport nonegotiate
interface range GigabitEthernet0/1 - 2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10-11,50,200,250
 switchport mode trunk
 switchport nonegotiate
 channel-protocol lacp
 channel-group 1 mode active

>>SW2<<
interface Port-Channel1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10-11,50,200,250
 switchport mode trunk
 switchport nonegotiate
interface range GigabitEthernet0/1 - 2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10-11,50,200,250
 switchport mode trunk
 switchport nonegotiate
 channel-protocol lacp
 channel-group 1 mode active

Port Channel on Cisco IOS Routers

• Configure Port Channel between a Cisco Switch and a Cisco IOS Router
• Port Channel protocol is PAgP (default)
• Port Channel group will be “1”
• Interfaces GE0/0 & GE0/1 will be added to Port Channel group
• Extend VLANs 10

interface Port-channel1
 no ip address
 hold-queue 150 in
interface Port-channel1.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 media-type rj45
 channel-group 1
interface GigabitEthernet0/0.10
 channel-group 1
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 media-type rj45
 channel-group 1
interface GigabitEthernet0/1.10
 channel-group 1

Port Channel on Cisco 2900/3500XL Switches

• Configuration applicable for Cisco Catalyst 2900XL/3500XL switches; older IOS
• Configure L2 Port Channel between two Cisco Switches
• Port Channel group will be “1”
• Interfaces FA0/1 & FA0/2 will be added to Port Channel group between the switches

>>SW1<<
interface fastethernet 0/1
 port group 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
interface fastethernet 0/2
 port group 1
 switchport trunk encapsulation dot1q
 switchport mode trunk

>>SW2<<
interface fastethernet 0/1
 port group 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
interface fastethernet 0/2
 port group 1
 switchport trunk encapsulation dot1q
 switchport mode trunk

Solution/Services: Administration/System
Related: N/A

Port Monitor

• We want to capture all traffic from the server and firewall on interfaces Gi0/1 and Gi0/2
• Send the captured traffic from those interface(s) to Gi0/24, which has a connected SNIFFER running

monitor session 1 source interface Gi0/1 - 2
monitor session 1 destination interface Gi0/24

RSPAN

• RSPAN allows capturing traffic from ports connected on another switch.
• RSPAN VLAN will be 200
• We want to capture all traffic from all Server switch ports (Gi0/2, Gi0/3) on the Access Switch which is placed into VLAN200
• Send the captured traffic from those interface(s) to Gi0/7 on the Core switch, which has a connected SNIFFER running

>>AS01TRA<< Source
vlan 200
 remote-span
interface GigabitEthernet0/1
 description TO: CS01TRA
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 200
 switchport mode trunk
monitor session 1 source interface gigabitethernet0/2
monitor session 1 source interface gigabitethernet0/3
monitor session 1 destination remote vlan 200

>>CS01TRA<< Destination
vlan 200
 remote-span
interface GigabitEthernet0/1
 description TO: AS01TRA
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 200
 switchport mode trunk
monitor session 1 source remote vlan 200
monitor session 1 destination interface gigabitethernet0/7

Solution/Services: LAN Switching, Security
Related: N/A

Port Security using Maximum Value

• Enable interface for Port Security and restrict no more than 5 connected devices

interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 switchport port-security maximum 5
 switchport port-security aging time 20

Port Security using Mac Address

• Enable interface for Port Security for only a connected device with the MAC address 0014.1cc1.0e00

interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 switchport port-security mac-address 0014.1cc1.0e00
 switchport port-security aging time 20

Port Security using Sticky Mac Address

• Enable interface GE0/1 for Port Security using Sticky MAC address method. This means the first MAC address learned on this interface will be added for port security.

interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
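An added example, not part of the original guide: a small offline audit that reads an IOS configuration and reports the effective port-security state of every access port, including the case where options are present but the bare `switchport port-security` enabling command is missing. The function names and the sample configuration are hypothetical; the fallback values (maximum 1, violation shutdown) are the IOS defaults.

```python
import re
# Constructed sample config (not from a real device): Gi0/1 is the guide's
# "maximum 5" stanza, Gi0/2 sticky with defaults, Gi0/3 and Gi0/4 are gaps.
SAMPLE = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security maximum 5
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
interface GigabitEthernet0/3
 switchport mode access
 switchport port-security maximum 5
interface GigabitEthernet0/4
 switchport mode access
"""

def parse_interfaces(config):  # interface name -> list of its sub-commands
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())
        else:
            current = None  # any other top-level line ends the stanza
    return ifaces

def audit_port_security(config):
    """Return {interface: status} for every access port in the config."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode access" not in cmds:
            continue
        opts = [m.group(1) for c in cmds
                if (m := re.fullmatch(r"switchport port-security ?(.*)", c))]
        if not opts:
            report[name] = "no port security"
        elif "" not in opts:
            report[name] = "options set but feature not enabled"
        else:  # absent options fall back to IOS defaults: maximum 1, shutdown
            found = dict(re.findall(r"(maximum|violation) (\S+)", " ".join(opts)))
            report[name] = "enabled max=%s violation=%s" % (
                found.get("maximum", "1"), found.get("violation", "shutdown"))
    return report
```

Call `audit_port_security()` on the text of a saved running configuration; a sticky port reported with `violation=shutdown` will err-disable on a violation rather than drop frames as the `restrict` stanzas above do.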

Solution/Services: LAN Switching, Security
Related: N/A

interface fastethernet 0/X
 switchport mode access
 switchport protected
 switchport block unicast
 switchport block multicast

