Initial Config Complete Challenge

Lab Objectives

  • Configure initial, secure management access on all routers (R1–R4) and switches (S1–S3).
  • Apply interface IP addressing for router interconnects and a management SVI on each switch (VLAN 30).
  • Verify management plane access (local user + vty), console logging sync, and SNMP communities.

Topology (BASE LAB TOPOLOGY — exact IPs shown)

                        [Internet]
                        203.0.113.1
                             |
                       R1 (Gateway)
                     Gi0/0: 10.10.10.1
                     Gi0/1: 10.10.20.1
                     Gi0/2: 10.10.30.1
                    /        |        \
        R2                  R3                  R4
Gi0/0: 10.10.10.2   Gi0/0: 10.10.20.2   Gi0/0: 10.10.30.2
Gi0/1: 10.10.40.1
            /      \      |
          S1       S2     S3
         /  \      |     /
      PC1   PC2   PC3   PC4   PC5

Important IP subnets used in this lesson:

Network          | Purpose
-----------------|------------------------------------------
10.10.10.0/24    | R1 ↔ R2 link
10.10.20.0/24    | R1 ↔ R3 link
10.10.30.0/24    | R1 ↔ R4 link
10.10.40.0/24    | R2 ↔ S1 link
192.168.1.0/24   | VLAN 10 (Sales) — shown for context
192.168.2.0/24   | VLAN 20 (Engineering) — shown for context
192.168.3.0/24   | VLAN 30 (Management) — used for switch SVIs
203.0.113.0/24   | Internet simulation

Tip: Think of the SVI (interface VLAN) on each switch as the device's management IP address — like giving each switch a mailbox on the management network so routers and admins can reach it.

Lab Tasks (Try It Yourself First!)

Complete these tasks WITHOUT looking at the solution below. Use ? and show commands to figure it out.

Task 1: Configure Router Base Management & Interfaces

On R1–R4:

  • Set a hostname.
  • Disable DNS lookups.
  • Configure the physical Gi interfaces with the IP addresses exactly as in the topology.
  • On R1 add a default route to the Internet (203.0.113.1).
  • Create a local admin user (username: nhprep, privilege 15, secret: Lab@123).
  • Enable vty login to use local authentication.

Task 2: Configure Switch Base Management

On S1–S3 (assume capable of SVIs):

  • Set a hostname.
  • Disable DNS lookups.
  • Enable IP routing (if the switch platform supports it).
  • Create VLAN 30 (Management) and configure "interface vlan 30" with the management IPs:
    • S1: 192.168.3.2/24
    • S2: 192.168.3.3/24
    • S3: 192.168.3.4/24
  • Configure the uplink interface toward the router as a trunk.
  • Create the same local admin user and apply line vty 0 4 to use local authentication.

Task 3: Configure SNMP Read/Write Communities

  • On every device add SNMP communities:
    • Read-only: public
    • Read-write: private

Think About It: Why is it important to have a local admin user and line vty 0 4 configured to login local before putting the device on the network and allowing SSH/telnet?


Lab Solution

Task 1 Solution: Configure Router Base Management & Interfaces

What we are doing: Apply basic device hardening and IP addressing so each router can reach its neighbors and management access is protected by a local account.

! On R1
hostname R1
no ip domain lookup
username nhprep privilege 15 secret Lab@123
line vty 0 4
 login local

interface GigabitEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 no shutdown

interface GigabitEthernet0/1
 ip address 10.10.20.1 255.255.255.0
 no shutdown

interface GigabitEthernet0/2
 ip address 10.10.30.1 255.255.255.0
 no shutdown

ip route 0.0.0.0 0.0.0.0 203.0.113.1

What just happened:

  • hostname R1 — sets the device name (used in prompts and certificates).
  • no ip domain lookup — prevents accidental DNS queries when mistyping commands.
  • username ... secret — creates an administrative local account whose secret is stored as a hash rather than in cleartext (prefer secret over plain password).
  • line vty 0 4 + login local — forces vty (telnet/ssh) logins to authenticate against the local username database. It selects the authentication source only; it does not restrict which of the two protocols is accepted.
  • interface GigabitEthernet... ip address ... no shutdown — assigns IPs and brings interfaces up so directly connected neighboring routers can reach each other.
  • ip route 0.0.0.0 0.0.0.0 203.0.113.1 — sends all unknown traffic to the Internet gateway.

Verify:

show ip interface brief

Expected snippet:

Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     10.10.10.1      YES manual up                    up
GigabitEthernet0/1     10.10.20.1      YES manual up                    up
GigabitEthernet0/2     10.10.30.1      YES manual up                    up

Repeat similar configuration on R2, R3, R4 (example for R2):

! On R2
hostname R2
no ip domain lookup
username nhprep privilege 15 secret Lab@123
line vty 0 4
 login local

interface GigabitEthernet0/0
 ip address 10.10.10.2 255.255.255.0
 no shutdown

interface GigabitEthernet0/1
 ip address 10.10.40.1 255.255.255.0
 no shutdown

! If R2 needs to reach the management networks on switches add static routes as required.

Verify vty local authentication:

show running-config | section line vty

Expected output:

line vty 0 4
 login local

Task 2 Solution: Configure Switch Base Management

What we are doing: Give each switch a management IP in VLAN 30, ensure the uplink to the router is a trunk, and enable line con 0 logging sync for console stability.

! On S1
hostname S1
no ip domain lookup
line con 0
 logg sync
 no exec-timeout

ip routing
vlan 30

interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface Vlan30
 ip address 192.168.3.2 255.255.255.0
 no shutdown

username nhprep privilege 15 secret Lab@123
line vty 0 4
 login local

snmp-server community public ro
snmp-server community private rw

What just happened:

  • hostname S1, no ip domain lookup — basic identification and prevents DNS delays.
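  • line con 0 logg sync — synchronizes console output so log messages don't disrupt typed commands (logg sync is the abbreviated form of logging synchronous). The no exec-timeout line under it disables the console idle timeout, which suits a lab but leaves an unattended console session logged in.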
  • ip routing — enables L3 switching (only on platforms that support it — the 9300 in reference uses this).
  • vlan 30 — creates the management VLAN.
  • interface GigabitEthernet0/1 configured as a trunk — allows VLAN 30 to traverse to the router or upstream.
  • interface Vlan30 ip address 192.168.3.2 — SVI provides the switch a management IP on VLAN 30.
  • local user + vty as before — secures remote access.
  • snmp-server community lines — provide RO and RW community strings.

Verify:

show ip interface brief

Expected snippet (S1):

Interface              IP-Address      OK? Method Status                Protocol
Vlan30                 192.168.3.2     YES manual up                    up
GigabitEthernet0/1     unassigned      YES unset  up                    up

Verify SNMP entries:

show running-config | include snmp

Expected:

snmp-server community public ro
snmp-server community private rw

Task 3 Solution: Configure SNMP Read/Write Communities

(The SNMP commands were already added in the S1 configuration shown above; apply the same two lines on every other device. They are required for monitoring.)

Verify SNMP:

show running-config | include snmp

Expected:

snmp-server community public ro
snmp-server community private rw

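Why it matters: In production networks SNMP is how monitoring systems collect health and inventory data. Use RO for general polling and RW only when necessary (and restrict access in production with ACLs — omitted here because ACL commands are outside the given reference). The strings public and private are the well-known default community names, and SNMP v1/v2c sends community strings in cleartext, so treat them as lab-only values.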


Troubleshooting Scenario

Scenario: Switch S1 cannot be pinged from R2

Symptom: From R2, ping 192.168.3.2 fails.

Your task: Find and fix the issue.

Hint: Check S1 SVI status and uplink port mode.

Solution steps:

  • On S1: show ip interface brief — confirm Vlan30 is up.
  • If Vlan30 is down, ensure no shutdown on interface Vlan30.
  • On S1: verify uplink is trunking: show interfaces GigabitEthernet0/1 switchport — ensure Operational Mode: trunk.
  • Common fix: If uplink is in access mode, configure:
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk

Explanation: If the link is not a trunk, VLAN 30 frames won't traverse between switch and router, so the router and other devices cannot reach the SVI.

Verification Checklist

  • Each router has a hostname and no ip domain lookup.
  • All router interconnect interfaces configured and no shutdown.
  • R1 has default route to 203.0.113.1.
  • Each device has local user nhprep (priv 15) with secret Lab@123.
  • line vty 0 4 is configured with login local on all devices.
  • Console line has logg sync on switches.
  • Switches have VLAN 30 SVI with IPs: S1 .2, S2 .3, S3 .4.
  • SNMP communities public (ro) and private (rw) present.
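
The checklist above can also be run as a script against a saved configuration. This is an added example, not part of the original lesson: the function names are made up here, and the sample text is S1's commands written in the expanded form that show running-config prints, with a placeholder where the secret hash would be. Beyond the checklist it also reports the lab-only settings: default SNMP community names, communities without an ACL, and the disabled console timeout.

```python
import re

# Constructed sample (not captured from a device); the hash is a placeholder.
SAMPLE_S1 = """\
hostname S1
no ip domain lookup
username nhprep privilege 15 secret 9 <hash-placeholder>
line con 0
 exec-timeout 0 0
 logging synchronous
line vty 0 4
 login local
snmp-server community public ro
snmp-server community private rw
"""

def sections(config):
    """Map each top-level command to the indented lines beneath it."""
    out, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current:
            out[current].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            current = line.strip()
            out[current] = []
    return out

def audit(config):
    """Return (checklist results, lab-only settings to fix before production)."""
    sec = sections(config)
    top = "\n".join(sec)  # top-level commands only
    con, vty = sec.get("line con 0", []), sec.get("line vty 0 4", [])
    snmp = re.findall(r"^snmp-server community (\S+) (ro|rw)(.*)$", top, re.I | re.M)
    checks = {
        "hostname": bool(re.search(r"^hostname \S+$", top, re.M)),
        "no_dns_lookup": bool(re.search(r"^no ip domain[ -]lookup$", top, re.M)),
        "local_admin": bool(re.search(r"^username nhprep privilege 15 secret ", top, re.M)),
        "vty_login_local": "login local" in vty,
        "console_log_sync": "logging synchronous" in con,
        "snmp_ro_rw": {mode.lower() for _, mode, _ in snmp} == {"ro", "rw"},
    }
    findings = [f"snmp community '{name}' is a well-known default"
                for name, _, _ in snmp if name in ("public", "private")]
    findings += [f"snmp community '{name}' has no ACL"
                 for name, _, acl in snmp if not acl.strip()]
    if {"exec-timeout 0 0", "no exec-timeout"} & set(con):
        findings.append("console idle timeout is disabled")
    return checks, findings
```

Calling audit(SAMPLE_S1) passes every checklist item and still returns five findings, which is the gap between "lab complete" and "ready for a production network".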

Common Mistakes

Symptom | Cause | Fix
--------|-------|----
Cannot SSH/telnet to device | line vty not configured to login local or no local user exists | Configure username nhprep privilege 15 secret Lab@123 and line vty 0 4 / login local
Switch SVI is down | No VLAN created or SVI administratively down | vlan 30 then interface Vlan30 / no shutdown
Unable to reach management IP across link | Uplink not trunking VLAN 30 | Set uplink to trunk: switchport trunk encapsulation dot1q and switchport mode trunk
Logs interrupt console input | logging sync not enabled | Under line con 0 configure logg sync (important for stable console use)

Challenge Task

Without step-by-step guidance, extend this design so that VLAN 10 and VLAN 20 exist on S1 with SVIs 192.168.1.2/24 and 192.168.2.2/24, and ensure R2 has routes to reach those VLANs. Do this using only static routes and the commands shown earlier.

Final note: Always verify with show ip interface brief, show running-config | section line vty, and show running-config | include snmp after making management-plane changes. These show the exact state of interfaces, authentication, and monitoring settings.