Router Example 01 — Two LANs Connected by One Router

═══════════════════════════════════════════════════════════════════
RESTRICTED DISTRIBUTION — DICDP PROGRAM PARTICIPANTS ONLY
═══════════════════════════════════════════════════════════════════
═══════════════════════════════════════════════════════════════════
RED IRISH GLOBAL SERVICES
Defense Information Capacity Development Program (DICDP)
Communications and Information Systems (CIS) Track — Foundation Level
Foundation Networking Course | Day 06 Command Reference — Basic Router Configuration
Document ID: DICDP-CIS-FNC-D06-CMDREF-EX01-v1
Issued: [date]
Controlled by: Program Director, DICDP, Red Irish Global Services
Redirect requests: ops@redirish.global
Distribution: RESTRICTED — Program participants only
═══════════════════════════════════════════════════════════════════

Restricted Distribution Statement

This material is the intellectual property of Red Irish Global Services. Distribution is authorized only to participants enrolled in the Defense Information Capacity Development Program (DICDP). Reproduction, transmission, posting to public networks or social media, sharing with non-participants, or use as the basis for derivative training materials, in whole or in part, requires prior written authorization from Red Irish Global Services. Other requests shall be referred to: ops@redirish.global

Step-by-Step Command Reference

This reference covers every command required to connect two LANs through one router on Cisco Packet Tracer. Follow the steps in order: configure the PCs first, then connect the switches and cables, then configure the router, then test with ping. Each step shows the exact commands to enter, the prompt that appears, and a one-line explanation of what the command does.

The reference uses the same structure as the Day 03 switch configuration command reference. The major new concept introduced here is that routers, unlike switches, receive an IP address on every physical port — explained in the section Why a Router Gets an IP on Every Port before Part C, and reinforced again at Steps C9–C10 where this concept becomes the central action of the entire lesson.

Topology

    WS-NIPR-01                                      WS-NIPR-02
  10.10.10.10/24                                  10.10.20.10/24
  GW: 10.10.10.1                                  GW: 10.10.20.1
        │                                               │
        │ Fa0                                       Fa0 │
        │                                               │
 [SW-LAN-NIPR-01]                                [SW-LAN-NIPR-02]
2960 — unconfigured                            2960 — unconfigured
        │ Fa0/1                                   Fa0/1 │
        │                                               │
        └──── Gi0/0 ────[ RTR-IG-01 ]──── Gi0/1 ────────┘
           10.10.10.1    1941 router   10.10.20.1
                         (RTR-IG-01)

Two PCs in two different IP networks (10.10.10.0/24 and 10.10.20.0/24). One router (1941) with two GigabitEthernet interfaces — each interface is the default gateway for its own LAN. Two switches sit in the middle but stay at their factory default configuration — for this basic exercise we only need them to forward frames.

Address Plan

Device | Interface | IP Address | Subnet Mask | Default Gateway
RTR-IG-01 | Gi0/0 | 10.10.10.1 | 255.255.255.0 | — (this is the gateway)
RTR-IG-01 | Gi0/1 | 10.10.20.1 | 255.255.255.0 | — (this is the gateway)
WS-NIPR-01 | NIC | 10.10.10.10 | 255.255.255.0 | 10.10.10.1
WS-NIPR-02 | NIC | 10.10.20.10 | 255.255.255.0 | 10.10.20.1
SW-LAN-NIPR-01 | (unconfigured)
SW-LAN-NIPR-02 | (unconfigured)



⚠ Scope of This Exercise — Read Before You Start

This is a learning exercise, not a real deployment task.

The goal of this document is to teach you the foundational process of router configuration:

  • How to navigate the IOS modes

  • How to set a hostname, passwords, and SSH

  • How to assign an IP address to a physical router interface

  • How a router uses those IP addresses to connect two different networks

  • How to verify your work with show commands and ping

What this exercise is: the "hello world" of router configuration — the minimum needed to prove the concept that a router connects two networks. It is the same starting-point exercise used in every introductory Cisco curriculum worldwide.

What this exercise is NOT: a production-ready DoD router configuration. A real military or enterprise router carries many additional controls that we do not configure here, including:

  • VLANs on the switches (everything would be in VLAN 1 here — not acceptable on any real network)

  • Port security locking each switch port to specific MAC addresses

  • Unused ports shut down and assigned to a dark VLAN

  • AAA authentication (TACACS+ or RADIUS) with per-user accounts — not the shared Str0ng@Pass1 we use here

  • ACLs on every router interface to filter ingress and egress traffic

  • Routing protocols (OSPF) for any network with more than one router

  • Logging to a centralized syslog/SIEM server

  • NTP for time synchronization

  • SNMP monitoring by a network management system

  • Control plane policing, DHCP snooping, and Dynamic ARP Inspection for switch hardening

  • Configuration archival and backup to a secure server

  • STIG compliance settings required by DoD policy

All of these are taught in later sessions of this course. By the end of the program, you will know how to build a complete, production-ready, STIG-compliant configuration.

For now: focus on the foundational process. Understand exactly what each command does and why each step matters. Do not deploy this configuration as-is on a real network.

Think of this exercise the way a new driver thinks about learning to go forward in an empty parking lot. That is a real skill, and you cannot drive a real car without it — but it is not what driving on a real road looks like. The parking lot exercise has to come first.

IOS Mode Quick Reference — Router

The router uses the same IOS modes as the switch you configured in Day 03. The only difference you will notice is the prompt — it shows Router> instead of Switch> by default.

Mode | Prompt | Purpose | Enter | Exit
User EXEC | Router> | Basic monitoring and ping only. No configuration. | Default on login | exit
Privileged EXEC | Router# | Full show commands, save config, enter configuration. | enable | disable
Global Configuration | Router(config)# | Configure the whole device — hostname, interfaces, security. | configure terminal | end or Ctrl+Z
Interface Configuration | Router(config-if)# | Configure one specific port. | interface <name> from global config | exit
Line Configuration | Router(config-line)# | Configure console and VTY (remote access) lines. | line console 0 or line vty 0 4 | exit



Note: A 1941 router has 5 VTY lines by default (line vty 0 4), not 16 like the 2960 switch (line vty 0 15). Otherwise the modes work identically.

PART A — Configure the PCs

We configure the PCs first. With the PCs' IP addresses and default gateways already in place, we will see at every later stage of the lab exactly what is — and is not — yet working.

Step A1 — Add the PCs to the workspace

In the bottom-left device panel:

  1. Click End Devices (icon shaped like a small monitor)

  2. From the inner panel, click End Devices again

  3. Drag two PC icons onto the workspace

You should now have PC0 and PC1 on the workspace.

Step A2 — Rename the PCs

Click each PC → Config tab → in the Display Name field at the top, change the name:

  • PC0 → WS-NIPR-01

  • PC1 → WS-NIPR-02

Step A3 — Set IP, mask, and gateway on WS-NIPR-01

Click WS-NIPR-01 → Desktop tab → IP Configuration. Select Static. Enter:

Field | Value
IP Address | 10.10.10.10
Subnet Mask | 255.255.255.0 (auto-fills when you Tab off the IP field)
Default Gateway | 10.10.10.1
DNS Server | (leave blank for this exercise)



Close the window. Packet Tracer saves automatically.

Step A4 — Set IP, mask, and gateway on WS-NIPR-02

Click WS-NIPR-02 → Desktop → IP Configuration. Select Static. Enter:

Field | Value
IP Address | 10.10.20.10
Subnet Mask | 255.255.255.0
Default Gateway | 10.10.20.1



Step A5 — Verify PC configuration

On each PC, click Desktop → Command Prompt and run:

ipconfig

Expected output on WS-NIPR-01:

FastEthernet0 Connection:(default port)

Link-local IPv6 Address.........: FE80::...
IP Address......................: 10.10.10.10
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 10.10.10.1

Confirm: the IP, mask, and gateway you entered now appear. Repeat on WS-NIPR-02 — same values except 10.10.20.10.

What we just did: the PCs now know their own IP address and know that any traffic destined outside their own /24 network should be sent to their default gateway. We have not yet configured the gateway itself — that comes in Part C.

PART B — Connect the Switches and Cables

For this basic exercise the switches do not need any configuration. A Cisco 2960 with a factory-default configuration will already forward frames between ports — that is all we need.

Step B1 — Add the switches to the workspace

In the bottom-left device panel:

  1. Click Network Devices (icon to the left of End Devices)

  2. From the inner panel, click Switches

  3. Drag two 2960 switches onto the workspace

You should now have Switch0 and Switch1 on the workspace.

Step B2 — Rename the switches

Click each switch → Config tab → in the Display Name field at the top, change the name:

  • Switch0 → SW-LAN-NIPR-01

  • Switch1 → SW-LAN-NIPR-02

Step B3 — How to use the Connections tool

Cables are added using the Connections tool.

  1. In the bottom-left device panel, click the Connections icon (the orange lightning bolt symbol)

  2. From the inner panel, click Copper Straight-Through (the solid black line — not the dashed one, which is crossover)

  3. Your mouse cursor changes to a cable/connector symbol

  4. Click the first device — a small menu appears showing the available ports on that device

  5. Click the port you want to use

  6. Click the second device — the port menu appears again

  7. Click the port you want to use

  8. The cable appears connecting the two ports

Port names you will see in the menu by device type:
  • On a PC: FastEthernet0 (the only Ethernet option on a default PC)
  • On a 2960 switch: FastEthernet0/1 through FastEthernet0/24, plus two Gigabit ports, GigabitEthernet0/1 and GigabitEthernet0/2
  • On a 1941 router: GigabitEthernet0/0 and GigabitEthernet0/1 (the router has Gigabit interfaces — use these, not FastEthernet)

Step B4 — Connect the cables per the topology

Make all four connections using Copper Straight-Through cables:

From | Port | To | Port
WS-NIPR-01 | FastEthernet0 | SW-LAN-NIPR-01 | FastEthernet0/1
SW-LAN-NIPR-01 | GigabitEthernet0/1 | RTR-IG-01 | GigabitEthernet0/0
WS-NIPR-02 | FastEthernet0 | SW-LAN-NIPR-02 | FastEthernet0/1
SW-LAN-NIPR-02 | GigabitEthernet0/1 | RTR-IG-01 | GigabitEthernet0/1



Note: RTR-IG-01 is not on the workspace yet — you will add it in Step C0. Cable the PCs and switches now; cable the switch-to-router connections after Step C0.

Step B5 — Verify link lights

Wait 30 seconds for the switches to converge. All link lights should be green on both ends of every cable.

If any link light is red:

  • Wrong cable type — make sure you used Copper Straight-Through, not Crossover

  • Or the cable was applied to the wrong port — click the cable on the workspace, press Delete, redo the connection

If any link light stays amber, wait another 30 seconds — that is spanning-tree converging on the switch.

What we just did: we cabled the physical topology. The PCs can now reach the switches, but the switches cannot reach anything beyond themselves yet — because the router is not on the workspace.

Optional confirmation — ping inside the same LAN: at this stage WS-NIPR-01 cannot ping WS-NIPR-02 (they are in different networks and the router is not yet configured), but it can ping itself: try ping 10.10.10.10 on WS-NIPR-01. A successful local ping confirms the PC's own IP stack is working.

Why a Router Gets an IP on Every Port

Before we configure the router, understand what makes it different from the switch you configured in Day 03.

On a switch:

Switch ports are LAYER 2.
They forward frames based on MAC addresses.
They do not have IP addresses.

To manage the switch over IP, you create ONE virtual interface (SVI):
interface vlan 99
 ip address 192.168.99.2 255.255.255.0
That single IP address is the entire switch's management address.

On a router:

Router ports are LAYER 3.
They forward packets based on IP addresses.
EVERY physical port gets its own IP address.

interface GigabitEthernet0/0
 ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet0/1
 ip address 10.10.20.1 255.255.255.0

Each port's IP is the default gateway for the LAN connected to it.
The router has no separate management IP — you manage it through
one of its existing interface IPs, because they all already have one.

Why the difference exists:

A switch's job is to move frames around inside one network. Every device on that network already shares the same IP subnet — the switch does not need to participate in IP at all to do its job. The single SVI exists only so a network administrator can SSH to the switch for management.

A router's job is to move packets between different networks. To do that, it must be a member of every network it connects to — which means having an IP address on every physical interface that touches one of those networks. The IP address is not for management; it is what makes the router an active participant in each LAN's IP layer.

The practical rule:

Question | Switch | Router
Does every physical port get an IP? | No | Yes
Where does the management IP go? | On the SVI (interface vlan X) | Not needed — every interface already has one
What is each port doing? | Forwarding frames in one network | Forwarding packets between networks



Keep this distinction in mind. Steps C9 and C10 below are where this concept becomes the actual command you type.

PART C — Configure the Router

Step C0 — Add the Router to the Workspace

In the bottom-left device panel:

  1. Click Network Devices (icon showing a switch/router)

  2. From the inner panel, click Routers

  3. Drag a 1941 router onto the workspace

You should now have Router0 on the workspace.

Rename the router

  1. Click the router on the workspace

  2. Click the Config tab

  3. In the Display Name field at the top, change Router0 to RTR-IG-01

  4. Close the window

The router now shows as RTR-IG-01 on the workspace.

Important — Display Name is NOT the same as IOS hostname. The Display Name only changes the label shown on the workspace. The router's actual IOS hostname is still Router (you will see this in the CLI prompt — Router>). You will set the real hostname with the hostname command in Step C4. Both should match for clarity — that is why we set the Display Name now and the hostname later to the same value.

Cable the router to the switches

Now go back to the Connections tool (Step B3) and add the two switch-to-router cables you skipped earlier:

From | Port | To | Port
SW-LAN-NIPR-01 | GigabitEthernet0/1 | RTR-IG-01 | GigabitEthernet0/0
SW-LAN-NIPR-02 | GigabitEthernet0/1 | RTR-IG-01 | GigabitEthernet0/1



Note: the router interface link lights will stay red until you finish Step C9 and Step C10 (no shutdown on Gi0/0 and Gi0/1). That is normal — router interfaces are administratively down by default.

Step C1 — Access the router CLI

Click RTR-IG-01 on the workspace → click the CLI tab → press Enter to wake the prompt.

What you will see — and what to do about it

The very first time you open a fresh router's CLI, the router will show you this exact message:

         --- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]:

This is a wizard that asks you ~15 questions and configures the router for you, step by step.

We are NOT using the wizard. We are configuring the router manually with commands, because that is the entire point of this lesson — to learn the commands. The wizard hides what is happening behind the scenes and we want you to see every command.

Type no and press Enter.

Would you like to enter the initial configuration dialog? [yes/no]: no

After you type no and press Enter, you will land at the User EXEC prompt:

Router>

This is where the lesson begins. Continue to Step C2.

Common mistakes — and how to fix them

If you press Enter without typing anything:

The router will respond with % Please answer 'yes' or 'no'. and ask the question again. It will keep asking until you type one of those two words and press Enter.

If you accidentally typed yes:

You are now inside the wizard. Press Ctrl + C immediately. This aborts the wizard and discards anything you typed. You will land at Router# and can start over from Step C2.

If Ctrl + C does not respond in your terminal, the wizard will continue asking questions — hostname, enable secret, enable password, virtual terminal password, SNMP, interface configurations, and more. Answer no to as many questions as you can to skip them. The wizard cannot be exited just by pressing Enter — it requires either Ctrl + C, or running through to the very end where it asks:

[0] Go to the IOS command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration to nvram and exit.
Enter your selection [2]:

Type 0 and press Enter. This discards everything the wizard collected and gives you a clean Router> prompt — the same place you would have been if you had typed no to the very first question.

Why the wizard exists (and why we don't use it)


  | Wizard | Manual (this lesson)
Who it's for | Non-technical staff who need a working device fast | Network engineers learning the platform
What you learn | Almost nothing — the wizard runs commands for you, hidden | Every command, what it does, and the order they go in
Suitable for production | No — limited, basic settings only | Yes — every Cisco network is configured this way
Suitable for this course | No | Yes



The wizard is the "easy mode" of router configuration. Real network engineers never use it. You will not see it again after Step C1 because we always type no at this prompt.

Step C2 — Enter Privileged EXEC mode

Router> enable
Router#

enable — moves from User EXEC to Privileged EXEC. You now have access to all show commands and can enter configuration mode.

Step C3 — Enter Global Configuration mode

Router# configure terminal
Router(config)#

configure terminal — enters the mode where all device-wide configuration commands are accepted. Shortcut: conf t.

Step C4 — Set the IOS hostname and disable DNS lookup

Router(config)# hostname RTR-IG-01
RTR-IG-01(config)# no ip domain-lookup

Command | What it does
hostname <name> | Assigns the IOS hostname. From now on the CLI prompt shows this name. This is the real device name — not just a workspace label.
no ip domain-lookup | Disables the CLI's automatic attempt to resolve mistyped commands as DNS hostnames. Without this, mistyped commands cause a multi-second CLI hang.



Step C5 — Set the enable secret and enable password encryption

RTR-IG-01(config)# enable secret Str0ng@Pass1
RTR-IG-01(config)# service password-encryption

enable secret <password> — protects Privileged EXEC mode with an MD5-hashed password. Anyone who types enable will be prompted for this.

service password-encryption — applies a reversible type-7 cipher to all plaintext line passwords stored in the configuration. Always use enable secret, not enable password — the secret uses a stronger hash.

Step C6 — Secure the console line

RTR-IG-01(config)# line console 0
RTR-IG-01(config-line)# password Str0ng@Pass1
RTR-IG-01(config-line)# login
RTR-IG-01(config-line)# exec-timeout 5 0
RTR-IG-01(config-line)# exit

The console line is the physical blue console port on the router — the one a laptop connects to with a rollover cable for direct local access.

Command | What it does
line console 0 | Enters Line Configuration mode for the physical console port.
password <password> | Sets the password required at the console login prompt.
login | Activates the password check. Without this, the password is set but never asked for.
exec-timeout 5 0 | Disconnects idle console sessions after 5 minutes.
exit | Returns to Global Configuration mode.



Step C7 — Configure SSH and Secure the VTY Lines

This step has two parts: first we generate the RSA keys that SSH needs, then we configure the VTY lines and restrict them to SSH only.

Part A — Generate the RSA keys

RTR-IG-01(config)# ip domain-name rdf.com
RTR-IG-01(config)# crypto key generate rsa

After you press Enter, the router prompts you interactively:

The name for the keys will be: RTR-IG-01.rdf.com

Choose the size of the key modulus in the range of 360 to 4096 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]:

Type 2048 and press Enter:

How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]

RTR-IG-01(config)#

The RSA keys now exist. Continue with the SSH version:

RTR-IG-01(config)# ip ssh version 2

Command | What it does
ip domain-name <name> | Sets the DNS domain. Required before RSA key generation — the key name is hostname + domain name (RTR-IG-01.rdf.com).
crypto key generate rsa | Starts the interactive RSA key generation. The router asks you the modulus size as a separate prompt. Do not put modulus 2048 on the same line — Packet Tracer's IOS does not accept that syntax. Run the command alone, then answer 2048 when asked.
ip ssh version 2 | Forces SSH version 2 only. Version 1 has known vulnerabilities.



Part B — Configure the VTY lines (Virtual Terminal Lines)

What VTY lines are. A router has three ways someone can log into it:

Method | Where you connect from | Which "line" handles it
Console | A laptop physically plugged into the blue console port | line console 0 (Step C6)
Telnet | Any computer on the network, over IP — but unencrypted (cleartext passwords) | line vty 0 4
SSH | Any computer on the network, over IP — encrypted | line vty 0 4



VTY stands for Virtual Teletype. They are not physical ports — they are virtual terminal lines that handle any remote login over the network. Both Telnet and SSH come in through the same VTY lines. A 1941 router has 5 VTY lines (numbered 0–4) by default.

What we are doing in this step: securing the VTY lines and blocking Telnet so that only encrypted SSH is allowed.

RTR-IG-01(config)# line vty 0 4
RTR-IG-01(config-line)# password Str0ng@Pass1
RTR-IG-01(config-line)# login
RTR-IG-01(config-line)# transport input ssh
RTR-IG-01(config-line)# exec-timeout 5 0
RTR-IG-01(config-line)# exit

Command | What it does
line vty 0 4 | Enters Line Configuration mode for all 5 virtual terminal lines (numbered 0–4) on a 1941 router.
password <password> | Sets the password for remote SSH login.
login | Activates the password check on these lines.
transport input ssh | Blocks Telnet. SSH only. Telnet sends passwords in cleartext — never allow it on a production network.
exec-timeout 5 0 | Disconnects idle SSH sessions after 5 minutes.



Step C8 — Set the login banner

RTR-IG-01(config)# banner motd #

The router responds with:

Enter TEXT message.  End with the character '#'.

Type your banner text, then on a new blank line type # alone and press Enter:

******************************************************************
AUTHORIZED ACCESS ONLY
This system is the property of Red Irish Global Services.
Unauthorized access is prohibited and will be prosecuted.
Disconnect immediately if you are not an authorized user.
******************************************************************
#
RTR-IG-01(config)#

═══════════════════════════════════════════════════════════════════
THE MAIN POINT: ASSIGNING IP ADDRESSES TO ROUTER INTERFACES
═══════════════════════════════════════════════════════════════════

Steps C9–C10 — Assign IP Addresses to the Router's Physical Interfaces

This is what makes a router a router.

Everything before this point — hostname, passwords, SSH, banner — is the same on a switch and a router. None of that lets the router do its actual job.

A router's job is to connect two different IP networks. To do that, the router must have one foot in each network — which means every physical interface that connects to a LAN must have its own IP address in that LAN's subnet.

What we're doing | Where the IP goes
Connecting RTR-IG-01 to the 10.10.10.0/24 LAN | Gi0/0 gets the IP 10.10.10.1
Connecting RTR-IG-01 to the 10.10.20.0/24 LAN | Gi0/1 gets the IP 10.10.20.1



Each interface IP is also the default gateway for the LAN on the other end of that cable — the IP the PCs were configured with in Part A.

Remember from the earlier section — Why a Router Gets an IP on Every Port: a switch's ports are Layer 2 and have no IP addresses; only a single SVI gives the switch a management IP. A router's ports are Layer 3 and every physical port gets its own IP. The two steps below are where this concept becomes reality.

Step C9 — Configure Gi0/0 — the LAN interface for WS-NIPR-01's network

RTR-IG-01(config)# interface GigabitEthernet0/0
RTR-IG-01(config-if)# description LAN-to-SW-LAN-NIPR-01
RTR-IG-01(config-if)# ip address 10.10.10.1 255.255.255.0
RTR-IG-01(config-if)# no shutdown
RTR-IG-01(config-if)# exit

Command | What it does
interface GigabitEthernet0/0 | Enters Interface Configuration mode for Gi0/0. Shortcut: int gi0/0.
description <text> | A label for the interface. Appears in show output. Strongly recommended on every router interface.
ip address <ip> <mask> | Assigns the IP address to this physical port. This is the central command of the entire lesson. This IP is the default gateway for the LAN on the other end of the cable.
no shutdown | Enables the port. Router interfaces are administratively down by default and must be explicitly enabled — unlike switch ports, which are up by default.
exit | Returns to Global Configuration mode.



After no shutdown, the router will print:

%LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up

The link light on Gi0/0 turns green.

Step C10 — Configure Gi0/1 — the LAN interface for WS-NIPR-02's network

RTR-IG-01(config)# interface GigabitEthernet0/1
RTR-IG-01(config-if)# description LAN-to-SW-LAN-NIPR-02
RTR-IG-01(config-if)# ip address 10.10.20.1 255.255.255.0
RTR-IG-01(config-if)# no shutdown
RTR-IG-01(config-if)# exit

Same pattern as Step C9, different LAN, different IP. The router now has two interface IPs — one for each network it connects to.

What just happened: RTR-IG-01 now has IP addresses on both of its physical interfaces — one in each LAN. The router is now an active participant in both networks. You will verify this in Part D with show ip route — both networks will appear with code C (directly connected), and the router will route between them automatically.

Step C11 — Exit and save

RTR-IG-01(config)# end
RTR-IG-01# copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]

Command | What it does
end | Exits all configuration modes and returns directly to Privileged EXEC.
copy running-config startup-config | Writes the active configuration from RAM to NVRAM. Without this, all configuration is lost on reboot.
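
One way to check the result of Steps C5 to C7 after saving: the Python below (an added example, not part of the course material) audits a running-config for the management-access settings this lab sets. Both sample configs are constructed, with placeholders in place of hashes and passwords; the function names are assumptions.

```python
# Constructed sample: roughly what "show running-config" holds after Steps C4-C11.
# Hash and type-7 strings are placeholders, not real values.
LAB_CONFIG = """\
service password-encryption
hostname RTR-IG-01
enable secret 5 <md5-hash-placeholder>
no ip domain-lookup
ip domain-name rdf.com
ip ssh version 2
interface GigabitEthernet0/0
 description LAN-to-SW-LAN-NIPR-01
 ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet0/1
 description LAN-to-SW-LAN-NIPR-02
 ip address 10.10.20.1 255.255.255.0
line con 0
 exec-timeout 5 0
 password 7 <type7-placeholder>
 login
line vty 0 4
 exec-timeout 5 0
 password 7 <type7-placeholder>
 login
 transport input ssh
"""

# Constructed sample of a config that has drifted from the lab settings.
WEAK_CONFIG = """\
hostname RTR-IG-01
enable password <cleartext-placeholder>
interface GigabitEthernet0/0
 ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet0/1
 ip address 10.10.20.1 255.255.255.0
line con 0
 password <cleartext-placeholder>
line vty 0 4
 password <cleartext-placeholder>
 login
 transport input telnet ssh
"""


def parse_sections(config):
    """Group indented sub-commands under the top-level line above them."""
    sections, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0].isspace() and current is not None:
            sections[current].append(line)
        else:
            current = line
            sections.setdefault(current, [])
    return sections


def audit(config):
    """Return a list of findings where the config departs from Steps C5-C7."""
    sections = parse_sections(config)
    top = list(sections)
    findings = []
    if not any(l.startswith("enable secret ") for l in top):
        findings.append("global: enable secret missing")
    if any(l.startswith("enable password ") for l in top):
        findings.append("global: enable password present")
    if "service password-encryption" not in top:
        findings.append("global: service password-encryption off")
    if "ip ssh version 2" not in top:
        findings.append("global: ip ssh version 2 not set")
    for header, body in sections.items():
        if not header.startswith(("line con", "line vty")):
            continue
        if not any(b.startswith("password ") for b in body):
            findings.append(f"{header}: no password")
        if not any(b == "login" or b.startswith("login ") for b in body):
            findings.append(f"{header}: login missing, password never asked for")
        if "exec-timeout 5 0" not in body:
            findings.append(f"{header}: exec-timeout 5 0 not set")
        if header.startswith("line vty") and "transport input ssh" not in body:
            findings.append(f"{header}: transport input is not ssh-only")
    return findings


if __name__ == "__main__":
    for name, cfg in (("lab", LAB_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit(cfg) or "no findings")
```
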



PART D — Verification

Run these from Privileged EXEC on the router and from Command Prompt on the PCs.

D1 — Verify router interfaces are up

RTR-IG-01# show ip interface brief

Expected output:

Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     10.10.10.1      YES manual up                    up
GigabitEthernet0/1     10.10.20.1      YES manual up                    up
Vlan1                  unassigned      YES unset  administratively down down

Confirm: both Gi0/0 and Gi0/1 show manual for Method (the IP was set by hand, not by DHCP) and both Status and Protocol show up.

  • If you see administratively down, you forgot no shutdown on that interface.

  • If you see up for Status but down for Protocol, the cable on the other end is not connected, or the switch on the other end is off.

What is Vlan1? The 1941 router supports an optional internal Layer 2 switching module that uses Vlan1 if present. We are not using it. It shows administratively down and stays that way — ignore it. We never configure it in this lesson.

D2 — Verify the connected routes appear in the routing table

RTR-IG-01# show ip route

Expected output (relevant lines):

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       10.10.10.0/24 is directly connected, GigabitEthernet0/0
L       10.10.10.1/32 is directly connected, GigabitEthernet0/0
C       10.10.20.0/24 is directly connected, GigabitEthernet0/1
L       10.10.20.1/32 is directly connected, GigabitEthernet0/1

What the codes mean

Every router interface with an IP address produces two routing table entries — one C and one L:

Code | Stands for | What it represents
C | Connected | The network that an interface is part of. This is what the router uses to forward packets — "to reach the 10.10.10.0/24 network, send out Gi0/0."
L | Local | The router's own IP address on that interface — a /32 host route (a single, specific IP). This is the IP the router itself answers to. When something pings 10.10.10.1, this is the entry that tells the router "that's me."



The pattern in your output:

Gi0/0 has IP 10.10.10.1/24
  ├─► C 10.10.10.0/24 (the network it sits in — used for routing)
  └─► L 10.10.10.1/32 (the router's own IP — used for "this is me")

So for two interfaces, you see four entries total: two C routes and two L routes.

Why the distinction matters

  • C routes answer the question "how do I reach a destination?" — they cover the whole network.

  • L routes answer the question "is this packet for me, the router itself?" — they cover only the router's own IP.

Without L routes, a router could mistakenly forward a packet destined for its own IP back out an interface instead of processing it locally. The L entry guarantees the router recognizes its own address.

Confirm in your output: both 10.10.10.0/24 and 10.10.20.0/24 appear with code C, and the router's own interface IPs 10.10.10.1/32 and 10.10.20.1/32 appear with code L. This is what makes the router able to route between the two networks. Because it has an interface in each one, it automatically knows how to reach both.

D3 — Ping test from PC to PC

On WS-NIPR-01, open Command Prompt and run:

ping 10.10.20.10

Expected result:

Pinging 10.10.20.10 with 32 bytes of data:

Reply from 10.10.20.10: bytes=32 time<1ms TTL=127
Reply from 10.10.20.10: bytes=32 time<1ms TTL=127
Reply from 10.10.20.10: bytes=32 time<1ms TTL=127
Reply from 10.10.20.10: bytes=32 time<1ms TTL=127

Ping statistics for 10.10.20.10:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss)

TTL=127 is the giveaway. The PCs send pings with TTL=128. Each router hop decrements the TTL by 1. Seeing TTL=127 in the reply confirms that the packet crossed exactly one router — proving the router did its job.

If the first ping shows "Request timed out" but subsequent pings succeed, that is normal — the first packet was delayed by ARP resolution (the PC had to learn the gateway's MAC address before it could send the ping).
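
As an added example (not part of the course material), this Python sketch rebuilds the D2 routing table from the two interface addresses and applies longest-prefix match, showing why the reply in D3 arrives with TTL=127 and why a shut-down Gi0/1 leaves no route to 10.10.20.0/24. The function names and return values are illustrative assumptions, not IOS behavior in full.

```python
import ipaddress

# The router interfaces from the Address Plan: (name, address/prefix, is_up).
INTERFACES = [
    ("GigabitEthernet0/0", "10.10.10.1/24", True),
    ("GigabitEthernet0/1", "10.10.20.1/24", True),
]


def build_routes(interfaces):
    """Each up interface yields a C route (its network) and an L route (its own /32)."""
    routes = []
    for name, cidr, is_up in interfaces:
        if not is_up:
            continue  # a shut-down interface contributes neither entry
        iface = ipaddress.ip_interface(cidr)
        routes.append(("C", iface.network, name))
        routes.append(("L", ipaddress.ip_network(f"{iface.ip}/32"), name))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the /32 L route wins over the /24 C route."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[1]]
    return max(matches, key=lambda r: r[1].prefixlen) if matches else None


def route_packet(routes, dst, ttl):
    """Return (action, interface, ttl_after) for one packet arriving at the router."""
    route = lookup(routes, dst)
    if route is None:
        return ("unreachable", None, ttl)
    code, _, ifname = route
    if code == "L":
        return ("local", ifname, ttl)        # addressed to the router itself
    if ttl <= 1:
        return ("ttl-expired", None, 0)      # nothing left to decrement
    return ("forward", ifname, ttl - 1)      # one router hop costs one TTL


def host_next_hop(host_cidr, gateway, dst):
    """A PC delivers on-link traffic directly and sends the rest to its gateway."""
    net = ipaddress.ip_interface(host_cidr).network
    return dst if ipaddress.ip_address(dst) in net else gateway


if __name__ == "__main__":
    table = build_routes(INTERFACES)
    for code, net, ifname in table:
        print(code, net, "is directly connected,", ifname)
    # WS-NIPR-01 pings WS-NIPR-02: off-link, so the PC hands it to the gateway.
    print(host_next_hop("10.10.10.10/24", "10.10.10.1", "10.10.20.10"))
    # The echo reply leaves WS-NIPR-02 with TTL 128 and crosses the router once.
    print(route_packet(table, "10.10.10.10", 128))
    # Same lookup with Gi0/1 shut down.
    down = build_routes([INTERFACES[0], ("GigabitEthernet0/1", "10.10.20.1/24", False)])
    print(route_packet(down, "10.10.20.10", 128))
```
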

D4 — Prove the Router Is What Makes This Work

This is a cause-and-effect test — not a backup or save operation. The goal is to demonstrate that the router interface is the thing carrying traffic between the two networks. We do it by turning the interface off, watching the ping fail, then turning it back on and watching it work again.

Test 1 — Confirm the ping works right now

From WS-NIPR-01, open Command Prompt and run:

ping 10.10.20.10

Expected: four successful replies.

Test 2 — Turn off interface Gi0/1 on the router

On RTR-IG-01, run the following commands exactly in this order:

RTR-IG-01> enable
RTR-IG-01# configure terminal
RTR-IG-01(config)# interface GigabitEthernet0/1
RTR-IG-01(config-if)# shutdown
RTR-IG-01(config-if)# end

Command | Mode it puts you in | Why you run it
enable | Privileged EXEC (#) | You cannot enter configuration mode from User EXEC. Skip this if you are already at #.
configure terminal | Global Configuration ((config)#) | Required before touching any interface.
interface GigabitEthernet0/1 | Interface Configuration ((config-if)#) | Selects the specific port to modify.
shutdown | (same — applies the change) | Administratively turns the interface off.
end | Back to Privileged EXEC (#) | Returns you to where you can run show and ping.



After shutdown, the router prints:

%LINK-5-CHANGED: Interface GigabitEthernet0/1, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down

The link light on Gi0/1 turns red on the workspace.

Test 3 — Confirm the ping now fails

From WS-NIPR-01, run again:

ping 10.10.20.10

Expected: all four packets show Request timed out or Destination host unreachable.

This proves the router was carrying the traffic. With Gi0/1 turned off, the 10.10.20.0/24 network is unreachable from the router — and since there is no other path to it, the ping fails.

Test 4 — Turn interface Gi0/1 back on

On RTR-IG-01, run:

RTR-IG-01# configure terminal
RTR-IG-01(config)# interface GigabitEthernet0/1
RTR-IG-01(config-if)# no shutdown
RTR-IG-01(config-if)# end

| Command | Mode it puts you in | Why you run it |
|---|---|---|
| configure terminal | Global Configuration ((config)#) | Required before touching any interface. |
| interface GigabitEthernet0/1 | Interface Configuration ((config-if)#) | Selects Gi0/1 specifically. |
| no shutdown | (same — applies the change) | Turns the interface back on. |
| end | Back to Privileged EXEC (#) | Returns you to where you can run show and ping. |



After no shutdown, the router prints:

%LINK-5-CHANGED: Interface GigabitEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up

The link light turns green again. Wait 5 seconds for ARP to settle.

Test 5 — Confirm the ping works again

From WS-NIPR-01, run:

ping 10.10.20.10

Expected: four successful replies.

The conclusion

The router interface is what connects the two networks. Without it, two PCs in different IP networks cannot reach each other — no matter how many switches and cables sit between them.
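The cause and effect shown in D2 and D4 can be modelled in a few lines. The following Python sketch is an added example, not part of the original course material: it builds the C and L routes from the interface addresses configured on this page, performs a longest-prefix lookup, and replays the shutdown / no shutdown test. The `Router` class and its method names are hypothetical and exist only for this illustration.

```python
import ipaddress

class Router:
    """Toy model: a router that knows only its directly connected networks."""

    def __init__(self):
        self.interfaces = {}  # name -> [IPv4Interface, is_up]

    def configure(self, name, ip, mask, up=True):
        """Model 'ip address <ip> <mask>' plus 'no shutdown' when up=True."""
        self.interfaces[name] = [ipaddress.ip_interface(f"{ip}/{mask}"), up]

    def set_state(self, name, up):
        """up=False models 'shutdown'; up=True models 'no shutdown'."""
        self.interfaces[name][1] = up

    def routes(self):
        """Return (code, prefix, interface) rows: C = connected, L = local."""
        table = []
        for name, (addr, up) in sorted(self.interfaces.items()):
            if up:  # a down interface contributes no routes
                table.append(("C", str(addr.network), name))
                table.append(("L", f"{addr.ip}/32", name))
        return table

    def lookup(self, dst):
        """Longest-prefix match; return (code, interface) or None if no route."""
        dst, best = ipaddress.ip_address(dst), None
        for code, prefix, name in self.routes():
            net = ipaddress.ip_network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, code, name)
        return best[1:] if best else None

def build_rtr_ig_01():
    """Interfaces and addresses as configured on this page."""
    r = Router()
    r.configure("GigabitEthernet0/0", "10.10.10.1", "255.255.255.0")
    r.configure("GigabitEthernet0/1", "10.10.20.1", "255.255.255.0")
    return r

def d4_test(dst="10.10.20.10"):
    """Replay D4: lookup before shutdown, after shutdown, after no shutdown."""
    r, seen = build_rtr_ig_01(), []
    for state in (None, False, True):
        if state is not None:
            r.set_state("GigabitEthernet0/1", state)
        seen.append(r.lookup(dst))
    return seen
```

`d4_test()` returns a route via GigabitEthernet0/1, then `None` while the interface is shut down, then the same route again, which matches the ping results in Tests 1, 3 and 5.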

Complete Router Configuration — All Commands in Sequence

enable

configure terminal

hostname RTR-IG-01
no ip domain-lookup

enable secret Str0ng@Pass1
service password-encryption

line console 0
password Str0ng@Pass1
login
exec-timeout 5 0
exit

ip domain-name rdf.com

line vty 0 4
password Str0ng@Pass1
login
transport input ssh
exec-timeout 5 0
exit

banner motd #
******************************************************************
AUTHORIZED ACCESS ONLY
Unauthorized access is prohibited and will be prosecuted.
******************************************************************
#

interface GigabitEthernet0/0
description LAN-to-SW-LAN-NIPR-01
ip address 10.10.10.1 255.255.255.0
no shutdown
exit

interface GigabitEthernet0/1
description LAN-to-SW-LAN-NIPR-02
ip address 10.10.20.1 255.255.255.0
no shutdown
exit

end

Then from Privileged EXEC, run the interactive RSA key generation separately:

configure terminal
crypto key generate rsa

When prompted How many bits in the modulus [512]: — type 2048 and press Enter.

ip ssh version 2
end
copy running-config startup-config

crypto key generate rsa is interactive — it cannot be pasted with the rest of the block. Run it separately and answer 2048 when the router asks for the modulus size.
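A paste script like the one above can be checked before it goes onto a device. The following Python sketch is an added example, not part of the original course material: it audits the management-plane commands this page configures (enable secret, password encryption, line login, idle timeout, SSH-only VTY access, SSH version 2) and also flags a line password that repeats the enable secret. It assumes the paste-script layout used on this page, where each section ends with `exit`; the function names and the sample configuration are constructed for the example.

```python
# Constructed sample in this page's paste-script layout; deliberately weak.
WEAK = """
enable secret Example-Secret-1
line console 0
password Example-Secret-1
login
exec-timeout 0 0
exit
line vty 0 4
password Example-Line-2
login
transport input telnet
exit
"""

def parse(text):
    """Return (global commands, {line header: sub-commands})."""
    glob, lines, cur = [], {}, None
    for cmd in filter(None, (raw.strip() for raw in text.splitlines())):
        if cmd.startswith("line "):
            cur = lines.setdefault(cmd, [])
        elif cmd.startswith("interface "):
            cur = []                      # interface sub-commands: not audited
        elif cmd in ("exit", "end"):
            cur = None
        elif cur is not None:
            cur.append(cmd)
        else:
            glob.append(cmd)
    return glob, lines

def audit(text):
    """Return findings for the management-plane settings this page configures."""
    glob, lines = parse(text)
    secret = next((c.split(None, 2)[2] for c in glob
                   if c.startswith("enable secret ")), None)
    out = [msg for ok, msg in (
        ("service password-encryption" in glob, "line passwords left in clear text"),
        ("ip ssh version 2" in glob, "SSH version 2 not enforced"),
        (secret is not None, "no enable secret")) if not ok]
    for name, cmds in lines.items():
        if "login" not in cmds:
            out.append(f"{name}: no login check")
        if "exec-timeout 0 0" in cmds:
            out.append(f"{name}: idle timeout disabled")
        if name.startswith("line vty") and "transport input ssh" not in cmds:
            out.append(f"{name}: remote access not restricted to SSH")
        if secret and f"password {secret}" in cmds:
            out.append(f"{name}: line password reuses the enable secret")
    return out
```

Run over this page's complete command sequence, `audit` reports only that the console and VTY line passwords repeat the enable secret.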

Switch vs Router — Side-by-Side

| Step | On the Day 03 switch | On this router |
|---|---|---|
| Enter Privileged EXEC | enable | enable (identical) |
| Enter Global Config | configure terminal | configure terminal (identical) |
| Set hostname | hostname SW-ACCESS-01 | hostname RTR-IG-01 (identical syntax) |
| Set enable secret | enable secret <pw> | enable secret <pw> (identical) |
| Configure VTY lines | line vty 0 15 (16 lines) | line vty 0 4 (5 lines) |
| Give the device an IP | interface vlan 99 then ip address ... (one virtual interface for management only) | interface GigabitEthernet 0/0 then ip address ... (every physical port gets its own IP) |
| no shutdown on physical ports | Usually not required — switch ports are up by default | Required — router interfaces are administratively down by default |
| Save config | copy running-config startup-config | copy running-config startup-config (identical) |



Command Quick Reference — Router

| Command | Mode | What it does |
|---|---|---|
| enable | User EXEC | Enter Privileged EXEC mode |
| configure terminal | Privileged EXEC | Enter Global Configuration mode |
| hostname <name> | Global config | Set the router hostname |
| no ip domain-lookup | Global config | Disable CLI DNS resolution |
| enable secret <pw> | Global config | Set MD5-hashed privileged mode password |
| service password-encryption | Global config | Apply type-7 cipher to all plaintext passwords |
| line console 0 | Global config | Enter console line config |
| line vty 0 4 | Global config | Enter VTY lines config (5 lines on 1941 router) |
| password <pw> | Line config | Set line password |
| login | Line config | Activate the password check |
| exec-timeout <min> <sec> | Line config | Auto-disconnect idle sessions |
| transport input ssh | Line config | Restrict remote access to SSH only |
| ip domain-name <name> | Global config | Set domain name (required before RSA key generation) |
| crypto key generate rsa | Global config | Generate RSA key pair for SSH (interactive — answer modulus when prompted) |
| ip ssh version 2 | Global config | Force SSH version 2 only |
| banner motd #<text># | Global config | Set pre-login warning message |
| interface GigabitEthernet 0/<n> | Global config | Enter interface config for a router port |
| description <text> | Interface config | Label for the interface |
| ip address <ip> <mask> | Interface config | Assign IP address to a router port |
| no shutdown | Interface config | Enable the interface (required on router ports) |
| shutdown | Interface config | Administratively turn off the interface |
| end | Any config mode | Return to Privileged EXEC immediately |
| exit | Any mode | Go up one level in the mode hierarchy |
| copy running-config startup-config | Privileged EXEC | Save configuration to NVRAM |
| show running-config | Privileged EXEC | Display active configuration in RAM |
| show ip interface brief | Privileged EXEC | Display interface IP and status |
| show ip route | Privileged EXEC | Display the routing table |
| show ip ssh | Privileged EXEC | Display SSH version and status |



Document History

| Version | Date | Changes |
|---|---|---|
| v1.0 | [date] | Initial release as Router Example 01 (Two LANs Connected by One Router) — the first in a series of Day 06 router configuration command references. Document Title: changed from "Basic Router Configuration" to "Router Example 01 — Two LANs Connected by One Router" so future examples in the series (RouterEx02 static routing, RouterEx03 router-on-a-stick, etc.) have a consistent naming pattern. Document ID changed to DICDP-CIS-FNC-D06-CMDREF-EX01-v1 from the previous DICDP-CIS-FNC-D06-CMDREF-v3 scheme. Predecessor traceability: the content of this document was previously released as FNC_Day_06_CmdRef_BasicRouterConfig_v1 through v3 under the same project; this v1 release continues directly from BasicRouterConfig v3 with no content changes — only renaming and Document ID restructuring. The full content history of the predecessor document is preserved in BasicRouterConfig v1, v2, and v3 in the project archive, covering: (a) v1 initial creation with the four-part PC/switch/router/verify workflow, the Why a Router Gets an IP on Every Port conceptual section, and the Switch-vs-Router side-by-side comparison; (b) v2's ten hands-on validation corrections (domain dicdp.local → rdf.com, workspace device-adding GUI steps, Display Name vs IOS hostname distinction, Connections tool walkthrough with per-device port names, full System Configuration Dialog handling, interactive crypto key generate rsa syntax with 360-4096 modulus range, VTY lines explanation, Steps C9–C10 main-point section break, Gi0/2 ghost line removed from D1, C/L route code explanation in D2, Step D4 rewritten as a cause-and-effect test with full command sequences and plain-English "turn off / turn back on" wording); and (c) v3's addition of the "⚠ Scope of This Exercise" callout. |



═══════════════════════════════════════════════════════════════════ Red Irish Global Services | DICDP | CIS Track | FNC DICDP-CIS-FNC-D06-CMDREF-EX01-v1 | Issued: [date] ═══════════════════════════════════════════════════════════════════

═══════════════════════════════════════════════════════════════════ RESTRICTED DISTRIBUTION — DICDP PROGRAM PARTICIPANTS ONLY ═══════════════════════════════════════════════════════════════════

