Simulation Lab 6.1: Module 06 – Configure a SOHO Router
How to set up a small office/home office router in a Cisco‑style simulation environment, step by step.
Opening hook
Ever tried to set up a home network and felt like you’d need a PhD in networking? That's why most people think configuring a router is a mystery, but once you break it into bite‑size pieces it’s surprisingly straightforward. Day to day, in this lab we’ll walk through every command you need to turn a virtual router into a fully‑functional SOHO gateway. You’re not alone. By the end, you’ll not only have a lab that runs, but you’ll understand why each line matters.
What Is a SOHO Router?
Think of a SOHO router as the traffic controller for a small office or a smart home. It routes packets between your local network and the wider Internet, applies NAT (Network Address Translation) so you can share a single public IP, and often includes basic firewall rules, DHCP services, and sometimes even Wi‑Fi. In a simulation lab, the router is a virtual machine that mimics the behavior of a real Cisco ISR (Integrated Services Router) or a home‑grade device like a Netgear or TP‑Link Small thing, real impact. Simple as that..
Key Features We’ll Cover
- Interface configuration – setting IPs, enabling/disabling ports
- Routing protocols – static routes and OSPF for dynamic learning
- NAT & ACLs – translating private addresses, filtering traffic
- DHCP – handing out IPs to client devices
- Security – basic password protection and SSH access
Why It Matters / Why People Care
You might wonder, “Why go through all this if my ISP already gives me a router?” In practice, a dedicated SOHO router gives you control over:
- Performance – tune QoS, prioritize VoIP or video traffic
- Security – set up VPNs, block unwanted ports, monitor logs
- Scalability – add VLANs, segment the network as it grows
- Learning – if you’re chasing a CCNA or just want to understand how the Internet works
When you skip the configuration steps, you’re left with a “plug‑and‑play” device that offers limited customization and can become a bottleneck or a security risk.
How It Works (or How to Do It)
Below is a step‑by‑step guide that mirrors what you’d do in a Cisco Packet Tracer or GNS3 lab. I’ll use the Router1 alias; feel free to rename it in your environment Took long enough..
1. Access the Router Console
Router> enable
Router# configure terminal
Router(config)#
2. Set Hostname and Domain
Router(config)# hostname SOHO-RT
SOHO-RT(config)# ip domain-name myhome.local
3. Create a Secure Password
SOHO-RT(config)# enable secret MyStrongPass123
4. Configure Interfaces
Assume we have two interfaces: GigabitEthernet0/0 (WAN) and GigabitEthernet0/1 (LAN).
WAN Side
SOHO-RT(config)# interface GigabitEthernet0/0
SOHO-RT(config-if)# ip address dhcp
SOHO-RT(config-if)# no shutdown
Why DHCP here? The ISP usually assigns a public IP via DHCP, so we let the router request it automatically.
LAN Side
SOHO-RT(config)# interface GigabitEthernet0/1
SOHO-RT(config-if)# ip address 192.168.1.1 255.255.255.0
SOHO-RT(config-if)# no shutdown
5. Enable NAT (Static PAT)
SOHO-RT(config)# ip nat inside source list 1 interface GigabitEthernet0/0 overload
SOHO-RT(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Quick note: overload allows many LAN hosts to share the single public IP.
6. Configure DHCP for LAN Clients
SOHO-RT(config)# ip dhcp pool LAN_POOL
SOHO-RT(dhcp-config)# network 192.168.1.0 255.255.255.0
SOHO-RT(dhcp-config)# default-router 192.168.1.1
SOHO-RT(dhcp-config)# dns-server 8.8.8.8 8.8.4.4
SOHO-RT(dhcp-config)# lease 7
7. Set Up Basic ACL to Allow Outbound Traffic
SOHO-RT(config)# access-list 100 permit tcp any any eq 80
SOHO-RT(config)# access-list 100 permit tcp any any eq 443
SOHO-RT(config)# access-list 100 deny ip any any
SOHO-RT(config)# interface GigabitEthernet0/0
SOHO-RT(config-if)# ip access-group 100 in
8. Enable SSH for Remote Management
SOHO-RT(config)# ip domain-name myhome.local
SOHO-RT(config)# crypto key generate rsa
Key modulus size? 512 (choose 2048 for better security)
SOHO-RT(config)# username admin privilege 15 secret adminpass
SOHO-RT(config)# line vty 0 4
SOHO-RT(config-line)# login local
SOHO-RT(config-line)# transport input ssh
9. Save the Configuration
SOHO-RT# write memory
10. Verify the Setup
- Check interface status:
show ip interface brief - Confirm NAT translation:
show ip nat translations - Test connectivity: ping a public IP (e.g., 8.8.8.8) from a LAN client.
- Review logs:
show loggingfor any denied packets.
Common Mistakes / What Most People Get Wrong
- Leaving interfaces shut down – A simple
no shutdownis often forgotten. - Wrong NAT ACL – Using
access-list 1for NAT but not matching your LAN subnet will break outbound traffic. - DHCP pool conflicts – If another device is already using the same subnet, you’ll see duplicate IPs and ARP storms.
- Overly permissive ACL – Granting
permit ip any anybefore a deny will let everything through, defeating the purpose of the filter. - SSH key size – Using a 512‑bit RSA key is quick but insecure; 2048 or 4096 is the sweet spot.
- Forgetting to save – A reboot wipes all changes unless you
write memoryorcopy running-config startup-config.
Practical Tips / What Actually Works
- Document your IP scheme – Keep a simple spreadsheet of VLANs, subnets, and gateway IPs.
- Use descriptive interface names –
Gig0/1 LANinstead of justGig0/1makes troubleshooting easier. - Enable logging for ACLs – Add
logto your ACL lines to see which packets are denied. - Test NAT before DHCP – Verify that a static IP client can reach the Internet; then add DHCP.
- Keep firmware updated – In a real device, check for IOS updates; in simulation, ensure your software is the latest stable release.
- Practice basic troubleshooting – Use
traceroute,debug ip routing, andshow ip protocolsto understand where packets are dropping.
FAQ
Q1: Why do I need both a WAN and LAN interface?
A1: The WAN interface connects to your ISP and usually gets a public IP. The LAN interface connects to your internal network, using private IPs. The router translates between the two.
Q2: Can I use a static public IP instead of DHCP on the WAN side?
A2: Yes, replace ip address dhcp with ip address <public-ip> <subnet-mask> and adjust the NAT ACL accordingly And it works..
Q3: How do I add VPN support in this lab?
A3: You’d need to configure an IPsec or OpenVPN profile, set up a crypto map, and define a remote peer. That’s a whole other module—just remember the basics: encryption, authentication, and tunnel endpoints.
Q4: What if my LAN devices can’t access the Internet after NAT?
A4: Check that ip nat inside is applied to the LAN interface and ip nat outside to the WAN. Also ensure the ACL for NAT matches the LAN subnet Worth keeping that in mind. Simple as that..
Q5: Is it safe to leave SSH enabled on all vty lines?
A5: In a lab, yes. In production, limit the range of allowed IPs with access-group on the vty lines to only trusted management stations Practical, not theoretical..
Closing paragraph
You’ve just turned a blank virtual router into a working SOHO gateway, complete with NAT, DHCP, ACLs, and secure remote access. And the steps may look like a laundry list, but each command is a building block in the bigger picture of network design. Next time you’re stuck with a misbehaving home router, remember this lab: a clear interface configuration, a solid NAT rule, and a dash of SSH security go a long way. Happy routing!
7. Fine‑tuning the Lab for Real‑World Scenarios
Even though the lab runs on a virtual router, mimicking production‑grade practices will make the transition to physical gear painless.
| Goal | What to Add | Why It Matters |
|---|---|---|
| Redundant WAN | interface Gig0/2 → ip address dhcp → ip nat outside → ip route 0.0.Still, 0. 0 0.0.0.0 <next‑hop‑2> |
If the primary ISP fails, traffic will automatically fall back to the secondary link. |
| QoS for VoIP | class-map VOICE → match ip dscp ef<br>policy-map OUTBOUND → class VOICE → priority percent 30<br>service-policy output OUTBOUND on the WAN interface |
Guarantees low‑latency bandwidth for voice packets, preventing jitter when the network is congested. |
| Syslog Centralisation | logging host 10.0.Day to day, 0. 10<br>logging trap informational |
Sends all router logs to a dedicated log server where they can be archived and correlated with other devices. |
| SNMP Monitoring | snmp-server community public RO<br>snmp-server enable traps |
Allows a network‑management system (NMS) to poll interface counters, CPU load, and temperature—critical for proactive health checks. |
| IPv6 Enablement | ipv6 unicast-routing<br>interface Gig0/1 → ipv6 address 2001:db8:1::1/64<br>ipv6 nat inside source list 101 interface Gig0/0 overload |
Future‑proofs the lab; many ISPs now hand out IPv6 prefixes, and many devices are IPv6‑first. |
Tip: When you add any of the above, always verify with the corresponding
showcommand (show ip nat translations,show policy-map interface,show logging,show snmp,show ipv6 interface) before moving on. A single mis‑typed ACL number can silently break NAT, and a missingipv6 unicast-routingline will prevent any IPv6 traffic from leaving the router.
8. Automating the Build with a Script
If you find yourself recreating this topology for multiple labs, copy the following Cisco‑style configuration into a text file (lab‑router.cfg) and load it in one go:
enable
configure terminal
hostname Lab-Router
!--- WAN (Internet) -------------------------------------------------
interface GigabitEthernet0/0
description WAN – ISP Link
ip address dhcp
ip nat outside
no shutdown
--- LAN (Internal) ------------------------------------------------
interface GigabitEthernet0/1
description LAN – Home Network
ip address 10.0.0.1 255.Because of that, 255. 255.Plus, 0
ip nat inside
ip dhcp pool LAN_POOL
network 10. Now, 0. 0.Even so, 0 255. 255.255.0
default-router 10.0.Practically speaking, 0. But 1
dns-server 8. Plus, 8. 8.Even so, 8 8. 8.4.
--- NAT -----------------------------------------------------------
access-list 101 permit ip 10.Which means 0. Which means 0. 0 0.0.0.
--- ACL for management ---------------------------------------------
access-list 110 permit tcp any host 10.0.0.
!--- SSH -----------------------------------------------------------
crypto key generate rsa modulus 2048
ip domain-name lab.local
username admin privilege 15 secret 0 StrongP@ssw0rd
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!--- Save -----------------------------------------------------------
end
write memory
Load it with:
copy tftp:///lab-router.cfg running-config
Or, if you’re using a modern simulator (GNS3, Cisco Packet Tracer, EVE‑NG), simply paste the block into the console and press Enter. The router will be fully configured in seconds, freeing you to focus on testing and troubleshooting And it works..
9. Common Pitfalls – Quick Checklist
- ACL order matters – The first matching line wins. If you place a
deny anybefore yourpermitfor LAN traffic, NAT will never see the packet. - Interface direction mismatch –
ip nat insideon the wrong side creates a “no translation” condition that is hard to spot. Runshow ip nat statisticsto confirm the counters are moving. - Missing default route – Without
ip route 0.0.0.0 0.0.0.0 …the router will drop all outbound traffic, even if NAT is perfect. - DHCP pool overlap – Ensure the DHCP network does not intersect with any statically assigned IPs on the router itself.
- SSH key size – A 1024‑bit RSA key will still work on most lab devices, but many modern IOS images reject it with a warning. Stick to 2048‑bit or higher.
Cross‑checking each item before you close the console can save you 15‑30 minutes of “why isn’t this working?” debugging time.
Conclusion
By walking through interface assignment, NAT, DHCP, ACLs, and secure remote access, you’ve built a miniature but fully functional SOHO gateway from the ground up. The process illustrates three core principles that every network engineer should internalise:
- Layered design – Start with a clean physical layout, then add services (IP addressing, routing, NAT, security) one layer at a time.
- Verification after every change –
showcommands are your eyes; a quick glance after each configuration step catches errors before they cascade. - Documentation and automation – A tidy spreadsheet, a reusable config script, and consistent naming conventions turn a one‑off lab into a repeatable learning platform.
When you move from a virtual box to a rack‑mount router, the commands stay the same; only the stakes get higher. Keep the checklist handy, back up your configuration regularly (copy running-config startup-config), and treat each new feature—QoS, IPv6, redundancy—as an incremental addition rather than a rewrite.
Now you’re ready to graduate from “router‑in‑a‑box” to real‑world deployments, confident that the fundamentals you just practiced will keep your networks stable, secure, and scalable. Happy routing!
