Cisco Basics

Home Router Setup - Part 2: Interfaces & Services

2010-05-13T23:41:00.004+01:00

In this post I'll be setting up my network interfaces and some network services, DNS and DHCP.

Below is a diagram of the lab I'll be using.

Part 2 - Interfaces and Services

Here I will set up the 2 network interfaces and remove CDP from the Test Network interface.

Router1(config)#interface ethernet 0
Router1(config-if)#ip address 10.0.2.254 255.255.255.0
Router1(config-if)#no cdp enable
Router1(config-if)#exit

Router1(config)#interface ethernet 1
Router1(config-if)#ip address 10.0.1.254 255.255.255.0
Router1(config-if)#no shut
Router1(config-if)#exit

I configure the router to use the Extreme router as it's default gateway. I will also configure it to use OpenDNS name servers and to resolve DNS queries for other network hosts.

Router1(config)#ip route 0.0.0.0 0.0.0.0 10.0.1.1
Router1(config)#ip domain-lookup
Router1(config)#ip name-server 208.67.222.222
Router1(config)#ip name-server 208.67.220.220
Router1(config)#ip dns server
Router1(config)#exit

Next I configure DHCP for the Test Network.

Router1(config)#service dhcp
Router1(config)#ip dhcp pool TEST_NETWORK_DHCP_POOL
Router1(dhcp-config)#network 10.0.2.0 /24
Router1(dhcp-config)#domain-name walliford.local
Router1(dhcp-config)#dns-server 10.0.2.254
Router1(dhcp-config)#default-router 10.0.2.254
Router1(dhcp-config)#lease 7
Router1(dhcp-config)#exit

I include exclusions so only 10.0.2.10 - 10.0.2.20 are used for DHCP clients.

Router1(config)#ip dhcp excluded-address 10.0.2.1 10.0.2.9
Router1(config)#ip dhcp excluded-address 10.0.2.21 10.0.2.255
Router1(config)#end

Home Router Setup - Part 1: Ports

2010-05-12T22:39:00.008+01:00

The next few posts will be a series about the setup of a Cisco 800 Series router as a home router. I will detail everything from setting up the interfaces, users, DNS, DHCP, SSH, NAT and more.

Below is a diagram that illustrates the network layout for this series of posts.

Lab Network - 10.0.1.0/24
Test Network - 10.0.2.0/24

Part 1 - Initial Configuration

In this part I will configure my ports and apply some security to the router.

I name the router, apply an enable password and create a banner.

Router#configure terminal
Router(config)#hostname Router1
Router1(config)#enable secret cisco123
Router1(config)#banner motd % No Unauthorised Access %

I create a local user.

Router1(config)#username bob secret cisco123
Router1(config)#aaa new-model
Router1(config)#aaa authentication login local_auth local

I set the domain, create SSH keys and apply some SSH settings.

Router1(config)#ip domain-name walliford.local
Router1(config)#crypto key generate rsa general-keys modulus 1024

The name for the keys will be: Router1.walliford.local
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

Router1(config)#ip ssh time-out 120
Router1(config)#ip ssh version 2
Router1(config)#ip ssh authentication-retries 2

I create an ACL which I will be applying to my telnet ports

Router1(config)#ip access-list standard ADMIN_ACCESS
Router1(config-std-nacl)#permit 10.0.1.0 0.0.0.255 log
Router1(config-std-nacl)#deny any log
Router1(config-std-nacl)#exit

I configure the console port to use the local user account and apply some timeout values.

Router1(config)#line console 0
Router1(config-line)#logging synchronous
Router1(config-line)#login authentication local_auth
Router1(config-line)#exec-timeout 30 0
Router1(config-line)#exit

I apply several settings to the Aux port so it cannot be used.

Router1(config)#line aux 0
Router1(config-line)#no password
Router1(config-line)#no exec
Router1(config-line)#exec-timeout 0 0
Router1(config-line)#transport input none
Router1(config-line)#exit

I configure my telnet ports to use SSH and telnet only and the local user account. I apply some timeout values and apply the ACL so only hosts from the Lab network can access the router.

Router1(config)#line vty 0 4
Router1(config-line)#logging synchronous
Router1(config-line)#login authentication local_auth
Router1(config-line)#transport input ssh telnet
Router1(config-line)#exec-timeout 30 0
Router1(config-line)#access-class ADMIN_ACCESS in
Router1(config-line)#end

I prevent 3 of the 5 telnet ports from being used.

Router1(config)#line vty 2 4
Router1(config-line)#transport input none
Router1(config-line)#exit

I set the clock, timezone and daylight saving settings.

Router1(config)#clock timezone GMT 0
Router1(config)#clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
Router1(config)#end
Router1#clock set 21:24:00 12 May 2010

I apply timeout values to login attempts to prevent brute-force attacks.

Router1(config)#login block-for 20 attempts 3 within 20
Router1(config)#login delay 2

Frame Relay - Point to Point

2010-05-09T22:48:00.005+01:00

In this post I will configure my lab to use frame relay in a point to point configuration. Below is a diagram of the lab I will be using.

R0

R0#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R0(config)#interface serial 0/0
R0(config-if)#encapsulation frame-relay
R0(config-if)#exit

R0(config)#interface serial 0/0.100 point-to-point
R0(config-subif)#ip address 192.168.1.1 255.255.255.0
R0(config-subif)#frame-relay interface-dlci 100
R0(config-fr-dlci)#exit
R0(config-subif)#exit

R0(config)#interface serial 0/0.101 point-to-point
R0(config-subif)#ip address 192.168.2.1 255.255.255.0
R0(config-subif)#frame-relay interface-dlci 101
R0(config-fr-dlci)#exit
R0(config-subif)#exit

R0(config)#interface serial 0/0
R0(config-if)#no shut

R1

R1(config)#interface serial 0/0
R1(config-if)#encapsulation frame-relay
R1(config-if)#exit

R1(config)#interface serial 0/0.200 point-to-point
R1(config-subif)#ip address 192.168.1.2 255.255.255.0
R1(config-subif)#frame-relay interface-dlci 200
R1(config-fr-dlci)#exit
R1(config-subif)#exit

R1(config)#interface serial 0/0
R1(config-if)#no shutdown

R2

R2(config)#interface serial 0/0
R2(config-if)#encapsulation frame-relay
R2(config-if)#exit

R2(config)# interface serial 0/0.300 point-to-point
R2(config-subif)#ip address 192.168.2.2 255.255.255.0
R2(config-subif)#frame-relay interface-dlci 300
R2(config-fr-dlci)#exit
R2(config-subif)#exit

R2(config)#interface serial 0/0
R2(config-if)#no shutdown

Show Commands

R2#show frame-relay pvc
PVC Statistics for interface Serial0/0 (Frame Relay DTE)

Active Inactive Deleted Static
Local 1 0 0 0
Switched 0 0 0 0
Unused 0 0 0 0

DLCI = 300, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/0.300

input pkts 349 output pkts 358 in bytes 31010
out bytes 30951 dropped pkts 0 in pkts dropped 0
out pkts dropped 0 out bytes dropped 0
in FECN pkts 0 in BECN pkts 0 out FECN pkts 0
out BECN pkts 0 in DE pkts 0 out DE pkts 0
out bcast pkts 344 out bcast bytes 29735
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
pvc create time 00:32:46, last time pvc status changed 00:31:55

R2#show frame-relay lmi
LMI Statistics for interface Serial0/0 (Frame Relay DTE) LMI TYPE = ANSI
Invalid Unnumbered info 0 Invalid Prot Disc 0
Invalid dummy Call Ref 0 Invalid Msg Type 0
Invalid Status Message 0 Invalid Lock Shift 0
Invalid Information ID 0 Invalid Report IE Len 0
Invalid Report Request 0 Invalid Keep IE Len 0
Num Status Enq. Sent 25 Num Status msgs Rcvd 26
Num Update Status Rcvd 0 Num Status Timeouts 0
Last Full Status Req 00:00:56 Last Full Status Rcvd 00:00:56

R2# sh frame-relay map
Serial0/0.300 (up): point-to-point dlci, dlci 300(0x12C,0x48C0), broadcast
status defined, active

After configuring frame relay I am able to ping routers on the same network but not the other networks, so currently R2 cannot talk to R1.

R2#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

I have no route to the 192.168.1.0 network in my routing table.

R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C 192.168.2.0/24 is directly connected, Serial0/0.300

To fix this problem I enable EIGRP on all my routers using the config below.

R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#router eigrp 10
R2(config-router)#network 192.168.0.0 0.0.255.255
R2(config-router)#end

Now I try again.

R2#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/12 ms

And my routing table shows the routes created by EIGRP.

R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
D 192.168.1.0/24 [90/2681856] via 192.168.2.1, 00:01:20, Serial0/0.300
C 192.168.2.0/24 is directly connected, Serial0/0.300

Frame-Relay - Multipoint

2010-05-07T20:36:00.003+01:00

In this post I'll detail the configuration used to set up frame-relay in a multipoint configuration for the lab shown in the diagram below.

R0

R0(config)#interface serial 0/0
R0(config-if)#ip address 192.168.1.1 255.255.255.0
R0(config-if)#encapsulation frame-relay
R0(config-if)#no shut

R0(config-if)#frame-relay map ip 192.168.1.2 100 broadcast
R0(config-if)#frame-relay map ip 192.168.1.3 101 broadcast
R0(config-if)#end

R1

R1(config)#interface serial 0/0
R1(config-if)#ip address 192.168.1.2 255.255.255.0
R1(config-if)#encapsulation frame-relay
R1(config-if)#no shut

R1(config-if)#frame-relay map ip 192.168.1.1 200 broadcast
R1(config-if)#frame-relay map ip 192.168.1.3 200 broadcast
R1(config-if)#end

R2

R2(config)#interface serial 0/0
R2(config-if)#ip address 192.168.1.3 255.255.255.0
R2(config-if)#encapsulation frame-relay
R2(config-if)#no shut
R2(config-if)#exit

R2(config)#interface serial 0/0
R2(config-if)#frame-relay map ip 192.168.1.1 300 broadcast
R2(config-if)#frame-relay map ip 192.168.1.2 300 broadcast
R2(config-if)#end

Show Commands

R2#show frame-relay lmi

LMI Statistics for interface Serial0/0 (Frame Relay DTE) LMI TYPE = ANSI
Invalid Unnumbered info 0 Invalid Prot Disc 0
Invalid dummy Call Ref 0 Invalid Msg Type 0
Invalid Status Message 0 Invalid Lock Shift 0
Invalid Information ID 0 Invalid Report IE Len 0
Invalid Report Request 0 Invalid Keep IE Len 0
Num Status Enq. Sent 168 Num Status msgs Rcvd 80
Num Update Status Rcvd 0 Num Status Timeouts 89
Last Full Status Req 00:00:04 Last Full Status Rcvd 00:00:04

R2#show frame-relay map
Serial0/0 (up): ip 192.168.1.1 dlci 300(0x12C,0x48C0), static,
broadcast,
CISCO, status defined, active
Serial0/0 (up): ip 192.168.1.2 dlci 300(0x12C,0x48C0), static,
broadcast,
CISCO, status defined, active

Debug Commands

R2#debug frame-relay lmi interface serial 0/0
Frame Relay LMI debugging is on
Displaying lmi data from interface Serial0/0 only
*Mar 1 00:58:02.583: Serial0/0(out): StEnq, myseq 100, yourseen 97, DTE up
*Mar 1 00:58:02.587: datagramstart = 0x7A019D4, datagramsize = 14
*Mar 1 00:58:02.587: FR encap = 0x00010308
*Mar 1 00:58:02.587: 00 75 95 01 01 01 03 02 64 61
*Mar 1 00:58:02.595:
*Mar 1 00:58:02.607: Serial0/0(in): Status, myseq 100, pak size 14
*Mar 1 00:58:02.607: RT IE 1, length 1, type 1
*Mar 1 00:58:02.607: KA IE 3, length 2, yourseq 98, myseq 100

Time Based Access Control Lists

2010-04-18T23:30:00.003+01:00

This is just a quick post to show how to configure Time Based Access Control Lists. My aim is to only allow telnet access to the Jet Direct in the Test network between 18:00 and 23:59 on a daily basis.

So this post makes sense I should mention that I am using the network in the diagram below and I am NAT'ing 10.0.1.243 to the host in the Test network on 10.0.2.10.

Router1

Create a static NAT mapping to the Jet Direct Printer

Router1(config)#ip nat inside source static 10.0.2.10 10.0.1.243

I then check I can ping the Jet Direct and telnet to it.

MacBook

MacBook:~ syn$ ping -c 2 10.0.1.243
PING 10.0.1.243 (10.0.1.243): 56 data bytes
64 bytes from 10.0.1.243: icmp_seq=0 ttl=59 time=9.490 ms
64 bytes from 10.0.1.243: icmp_seq=1 ttl=59 time=3.068 ms

MacBook:~ syn$ telnet 10.0.1.243
Trying 10.0.1.243...
Connected to 10.0.1.243.
Escape character is '^]'.

HP JetDirect

Please type "?" for HELP, or "/" for current settings
> exit
EXITING WITHOUT SAVING ANY ENTRIES
> Connection closed by foreign host.

Router1

Now I create the access list.

Router1(config)#ip access-list extended TELNET_TO_JETDIRECT
Router1(config-ext-nacl)#permit tcp 10.0.1.0 0.0.0.255 10.0.1.243 0.0.0.0 eq 23 time-range EVENING log
Router1(config-ext-nacl)#deny tcp 10.0.1.0 0.0.0.255 10.0.1.243 0.0.0.0 eq 23 log
Router1(config-ext-nacl)#permit ip any any
Router1(config-ext-nacl)#exit

I create a time range for the ACL

Router1(config)#time-range EVENING
Router1(config-time-range)#periodic daily 18:00 to 23:59

I check the ACL

Router1#sh ip access-lists
Extended IP access list TELNET_TO_JETDIRECT
10 permit tcp 10.0.1.0 0.0.0.255 host 10.0.2.10 eq telnet log time-range EVENING (active)
20 deny tcp 10.0.1.0 0.0.0.255 host 10.0.2.10 eq telnet log
30 permit ip any any

I apply the ACL to an interface

Router1(config)#interface ethernet 1
Router1(config-if)#ip access-group TELNET_TO_JETDIRECT in
Router1(config-if)#end

I check the ACL has applied

Router1#sh ip interface ethernet 1 | include Inbound
Inbound access list is TELNET_TO_JETDIRECT

Recheck the ACL after telneting to the JetDirect

Router1#sh ip access-lists
Extended IP access list TELNET_TO_JETDIRECT
5 permit tcp 10.0.1.0 0.0.0.255 host 10.0.1.243 eq telnet log time-range EVENING (active) (9 matches)
20 deny tcp 10.0.1.0 0.0.0.255 host 10.0.1.243 eq telnet log
30 permit ip any any (60 matches)

Configure NTP

2010-03-21T23:19:00.004Z

In this post I will go through the steps to configure my router to use a NTP server as a time source.

First I will check the current configuration. I will then ping the public NTP server before setting up the router to use it.

router1#sh clock detail
23:18:28.123 GMT Sun Mar 21 2010
Time source is user configuration

router1#ping 130.88.203.12
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 130.88.203.12, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/24/24 ms

router1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
router1(config)#ntp server 130.88.203.12

Useful show commands to check the NTP settings are:

show ntp status
show ntp associations

Terminal Emulation Settings

2010-03-21T23:05:00.003Z

This is just a very brief post to list the correct settings that are used to connect to the router or switch using a terminal program such as HyperTerminal and the console cable.

Bits per sec    :  9600 
Data bits       :     8 
Parity          :  none 
Stop bits       :     1 
Flow control    :  none 


Rarely some routers may require different Bits per second settings.  Simply try 1200, 2400 or 4800.

Configure Time & Date

2010-03-20T14:12:00.001Z

In this short post I will configure my router with the correct timezone, time and date.

router1#sh clock detail
*01:56:43.478 UTC Mon Oct 19 2009
No time source

router1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
router1(config)#clock timezone GMT 0
router1(config)#end

router1#sh clock detail
*01:59:54.390 GMT Mon Oct 19 2009
No time source

router1#clock set 14:10:00 20 MARCH 2010

router1#sh clock detail
14:10:16.183 GMT Sat Mar 20 2010
Time source is user configuration

Static NAT & Dynamic NAT with Overload

2010-03-18T23:17:00.003Z

In this short post I will configure my router allow to NAT a single port only.

router1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
router1(config)#ip nat inside source static udp 10.0.2.2 514 10.0.1.245 514 extendable

This command will allow the router accept syslog messages sent to UDP port 514 on 10.0.1.245 and translate them to UDP 514 on 10.0.2.2 which is the syslog server. Only port 514 will be available for translation.

Configure a DNS Server

2010-03-18T23:00:00.004Z

In this short post I will configure my router to act as a DNS server for hosts on my network.

router1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
router1(config)#ip domain name lab.local
router1(config)#ip domain-lookup
router1(config)#ip name-server 8.8.8.8
router1(config)#ip dns server

The router will now pass and DNS requests to 8.8.8.8 (Google) to resolve.

Static NAT

2010-03-09T22:19:00.003Z

In this post I will configure a Static NAT entry on Router1 for the Win7 host. I'll be using the network in the diagram below.

First I remove the NAT configuration from my last post.

router1(config)#no ip nat inside source list NAT pool NAT_POOL overload
Dynamic mapping in use, do you want to delete all entries? [no]: y

Now I configure NAT to map Win7 (10.0.2.1) to 10.0.1.240

router1(config)#ip nat inside source static 10.0.2.1 10.0.1.240

I verify I can reach the internet from the NAT'd host and check the NAT translations

router1(config)#do sh ip nat tran
Pro Inside global Inside local Outside local Outside global
tcp 10.0.1.240:1328 10.0.2.1:1328 208.43.202.17:80 208.43.202.17:80

Dynamic NAT Using Pools

2010-03-09T21:50:00.004Z

In this post I will remove my previous NAT entry and create a pool of addresses to use for NAT. I'll be using the network in the diagram below and configuring Router1.

First I'll remove the previous NAT (from my last post) configuration.

router1(config)#no ip nat inside source list NAT interface Ethernet0 overload
Dynamic mapping in use, do you want to delete all entries? [no]: yes

After removing the config I verify that I cannot access the internet or ping the internet from the Win7 host.

Now I create a NAT pool with three addresses.

router1(config)#ip nat pool NAT_POOL 10.0.1.250 10.0.1.252 netmask 255.255.255.0

I already have the NAT access-list created from my previous post so I'll use that again.

router1(config)#ip nat inside source list NAT pool NAT_POOL overload

Now I access the internet from the Win7 host and verify that I am being NAT'd.

router1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 10.0.1.251:1231 10.0.2.1:1231 208.43.202.17:80 208.43.202.17:80

I can also check the NAT statistics.

router1#sh ip nat statistics
Total active translations: 41 (0 static, 41 dynamic; 41 extended)
Outside interfaces:
Ethernet0
Inside interfaces:
Ethernet1
Hits: 24714 Misses: 1339
CEF Translated packets: 25094, CEF Punted packets: 1907
Expired translations: 1666
Dynamic mappings:
-- Inside Source
[Id: 3] access-list NAT pool NAT_POOL refcount 41
pool NAT_POOL: netmask 255.255.255.0
start 10.0.1.250 end 10.0.1.252
type generic, total addresses 3, allocated 1 (33%), misses 0
Queued Packets: 0

Basic NAT with Overload

2010-03-08T21:01:00.004Z

In this post I will configure basic NAT with overload to NAT addresses from the 10.0.2.0/24 network (inside) to the outside interface Ethernet 0.

I have already configured DHCP to hand out addresses to computers on the 10.0.2.0/24 network. I have also configured the router to be the DNS server for those computers.

I create a standard access-list defining the addresses I want to NAT.

router1(config)#ip access-list standard NAT
router1(config-std-nacl)#permit 10.0.2.0 0.0.0.255
router1(config-std-nacl)#end

I use a show command to view the access-list.

router1#sh ip access-lists
Standard IP access list NAT
10 permit 10.0.2.0, wildcard bits 0.0.0.255

I check my interfaces to make sure I know which I want to name as inside and outside.

router1(config)#do show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet1 unassigned YES unset up up
FastEthernet2 unassigned YES unset down down
FastEthernet3 unassigned YES unset down down
FastEthernet4 unassigned YES unset down down
Ethernet0 10.0.1.254 YES NVRAM up up
Ethernet1 10.0.2.254 YES NVRAM up up

I name the interfaces Inside and Outside

router1(config)#interface ethernet 0
router1(config-if)#ip nat outside
router1(config-if)#exit

router1(config)#interface ethernet 1
router1(config-if)#ip nat inside
router1(config-if)#exit

I Configue NAT to translate any addresses in the source access-list to the outside interface with overload.

router1(config)#ip nat inside source list NAT interface ethernet 0 overload

To test the configuration I connect to a website with a client that is behind the inside interface. Then I check the NAT translations on my router.

router1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
udp 10.0.1.254:123 10.0.2.1:123 207.46.232.182:123 207.46.232.182:123
tcp 10.0.1.254:1149 10.0.2.1:1149 174.36.30.70:443 174.36.30.70:443

Create a Named Extended ACL

2010-03-05T23:40:00.003Z

In this post I'll be creating a named Access-List which will will block ICMP from R0 to R3. I'll also perform a little troubleshooting and I'll update the ACL. I'll be using the network shown in the diagram below.

I start off by checking I can currently Ping R3 from R0.

R0

R0#ping r3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.58, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/12/16 ms

On R1 I create the ACL and apply it to the interface nearest to the source.

R1

R1(config)#ip access-list extended ping_block
R1(config-ext-nacl)#deny icmp host 192.168.1.49 192.168.1.58 0.0.0.0 log
R1(config-ext-nacl)#permit ip any any log
R1(config-ext-nacl)#exit

R1(config)#int ethernet 0/0
R1(config-if)#ip access-group block_ping in
R1(config-if)#end

R1#sh ip access-lists
Extended IP access list ping_block
10 deny icmp host 192.168.1.49 host 192.168.1.58 log
20 permit ip any any log

Now I test ping again.

R0

R0#ping r3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.58, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/9/16 ms

What went wrong? Lets look at the interface I applied the rule to.

R1#sh ip interface ethernet 0/0
Ethernet0/0 is up, line protocol is up
Internet address is 192.168.1.50/30
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.9
Outgoing access list is not set
Inbound access list is block_ping
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF Feature Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled

Ah, a typo. I applied a named access-list to the interface but the name was block_ping not ping_block. I'll remove it and enter the correct ACL name.

R1(config)#interface ethernet 0/0
R1(config-if)#no ip access-group block_ping in
R1(config-if)#ip access-group ping_block in
R1(config-if)#end

Now I'll test the ping again.

R0

R0#ping r3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.58, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

Great, no response. Can I ping R1 and R2?

R0#ping r1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.50, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/12/36 ms

R0#ping r2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.54, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/11/16 ms

Brilliant. And on R1 I see the packets hitting the statement and being logged to the screen.

R1

*Mar 1 00:29:49.719: %SEC-6-IPACCESSLOGDP: list ping_block denied icmp 192.168.1.49 -> 192.168.1.58 (0/0), 1 packet
R1#
*Mar 1 00:31:07.123: %SEC-6-IPACCESSLOGDP: list ping_block permitted icmp 192.168.1.49 -> 192.168.1.50 (0/0), 1 packet
R1#
*Mar 1 00:31:12.175: %SEC-6-IPACCESSLOGDP: list ping_block permitted icmp 192.168.1.49 -> 192.168.1.54 (0/0), 1 packet

The benefit of using a named ACL is I can modify the access-list on the fly. Here I can see each statement is numbered.

R1#sh ip access-lists Extended IP access list ping_block
10 deny icmp host 192.168.1.49 host 192.168.1.58 log (5 matches)
20 permit ip any any log (35 matches)

Now i'll update the ACL to include a statement to block R0 from pinging R2.

R1(config)#ip access-list extended ping_block
R1(config-ext-nacl)#15 deny icmp host 192.168.1.49 host 192.168.1.54 log

R1#sh ip access-lists
Extended IP access list ping_block
10 deny icmp host 192.168.1.49 host 192.168.1.58 log (5 matches)
15 deny icmp host 192.168.1.49 host 192.168.1.54 log
20 permit ip any any log (51 matches)

Now I test the updated ACL

R0

R0#ping r2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.54, timeout is 2 seconds: U.U.U
Success rate is 0 percent (0/5)

Brilliant.

Extended ACLs

2010-03-03T21:21:00.005Z

In this post I will create an Extended ACL to block Telnet traffic from the 192.168.1.48/30 network reaching the R3 router. I'll be working with the network in the diagram below.

Unlike Standard ACL's which are placed as near to the destination as possible, Extended ACL's are placed as near to the source as possible, this is to reduce processing on the routers.

R1

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip access-list extended 100
R1(config-ext-nacl)#deny 192.168.1.48 0.0.0.3 192.168.1.58 0.0.0.0 eq 23 log
R1(config-ext-nacl)#permit ip any any log
R1(config-ext-nacl)#exit

I have created an access-list to block all the 192.168.1.48/30 subnet from access R3 with Telnet.

R1(config-if)#ip access-group 100 in
R1(config-if)#end

I have applied the list to interface ethernet 0/0 on R1

R1#sh ip inter ethernet 0/0
Ethernet0/0 is up, line protocol is up
Internet address is 192.168.1.50/30
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.9
Outgoing access list is not set
Inbound access list is 100
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF Feature Fast switching turbo vector
IP multicast fast switching is enabled

I test that I can telnet to R3 from R1.

R1#telnet 192.168.1.58
Trying 192.168.1.58 ... Open
User Access Verification
Password:
Last login: Wed Mar 3 21:06:01 on ttys001

Now on R0 I attempt to telnet to R3

R0

R0#telnet 192.168.1.58
Trying 192.168.1.58 ...
% Destination unreachable; gateway or host down

R0#ping 192.168.1.58
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.58, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/11/16 ms

My telnet fails but ping works just fine. I check R1 to see the statement being hit.

R1

*Mar 1 00:10:52.315: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.168.1.49(22404) -> 192.168.1.58(23), 1 packet
R1#
*Mar 1 00:11:02.615: %SEC-6-IPACCESSLOGDP: list 100 permitted icmp 192.168.1.49 -> 192.168.1.58 (8/0), 1 packet
R1#

Standard ACL's

2010-03-02T23:18:00.006Z

In this post I will be creating a standard access-list to prevent traffic from R0 reaching from reaching the R3 router.

I'll be using the diagram below for my network layout.

As Standard ACL's can only filter based on the source address they should be placed as near to the destination as possible. Standard access-lists can be numbered from 1-99 or 1300-1999 (expanded range). Standard access-lists can also be named. In this post I'll be using a numbered Standard ACL.

I begin by verifying connectivity before the rule is created.

R0

R0#ping r3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.58, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/8/16 ms

Next I create the standard access-list

R1

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip access-list standard 1
R1(config-std-nacl)#deny host 192.168.1.49 log
R1(config-std-nacl)#permit any log
R1(config-std-nacl)#exit

I have enabled logging so I can see as each statement is hit. There is an implicit deny all statement so none is required in the access-list itself.

I place the access-list as near to the destination as possible. In this case it will be on e0/2 on R1, and it will be outgoing. Placing the list any nearer to R0 would affect traffic to R2.

R1(config)#int
R1(config)#interface ethernet 0/2
R1(config-if)#ip access-group 1 out
R1(config-if)#end

I can check the ACL with a show command.

R1#sh ip access-lists 1
Standard IP access list 1
10 deny 192.168.1.49 log (0 matches)
20 permit any log (0 matches)

I can also check which interface the rule is applied to.

R1#sh ip interface ethernet 0/2
Ethernet0/2 is up, line protocol is up
Internet address is 192.168.1.57/30
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.9
Outgoing access list is 1
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF Feature Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled

From the output above I can see that the ACL is applied to the right interface in the right direction. Only one access-list can be applied per interface per direction.

Now I check my pings fail to reach R3 from R0

R0

R0#ping r3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.58, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

Back on R1 I can see the deny statement has been hit.

R1

*Mar 1 00:33:33.783: %SEC-6-IPACCESSLOGNP: list 1 denied 0 192.168.1.49 -> 192.168.1.58, 1 packet

To verify that my traffic can still hit R2 I attempt to ping it from R0.

R0

R0#ping r2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.54, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/12/24 ms

R2

I can also check that traffic from R2 can reach R3.

R2#ping r3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.58, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/12 ms

R1

This can be seen hitting the permit statement in the access-list.

*Mar 1 00:42:00.419: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 192.168.1.54 -> 192.168.1.58, 1 packet

Checking the access-list again I can see a number of hits.

R1#sh ip access-lists 1
Standard IP access list 1
10 deny 192.168.1.49 log (5 matches)
20 permit any log (5 matches)

As R3 is receiving its route updates from R1 it will still know about R0 and how to find it.

R3

R3#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

192.168.1.0/24 is variably subnetted, 6 subnets, 2 masks
C 192.168.1.32/28 is directly connected, Ethernet0/1
C 192.168.1.56/30 is directly connected, Ethernet0/0
R 192.168.1.48/30 [120/1] via 192.168.1.57, 00:00:15, Ethernet0/0
R 192.168.1.52/30 [120/1] via 192.168.1.57, 00:00:15, Ethernet0/0
R 192.168.1.0/28 [120/2] via 192.168.1.57, 00:00:15, Ethernet0/0
R 192.168.1.16/28 [120/2] via 192.168.1.57, 00:00:15, Ethernet0/0

However, R3 cannot recieving ping responses from R0 because the echo replies will be blocked by the access-list.

R3#ping r0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.49, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Using a debug command on R0 I can see the pings hit the router but they cannot get back.

R0

R0#debug ip icmp
ICMP packet debugging is on
R0#
*Mar 1 00:56:11.823: ICMP: echo reply sent, src 192.168.1.49, dst 192.168.1.58
*Mar 1 00:56:11.835: ICMP: dst (192.168.1.49) administratively prohibited unreachable rcv from 192.168.1.50

I finish up by removing the ACL from the interface and the router.

R1

R1(config)#interface ethernet 0/2
R1(config-if)#no ip access-group 1 out
R1(config-if)#exit

R1(config)#no access-list 1
R1(config)#end

Configure a Router on a Stick

2010-02-27T22:41:00.005Z

In this post I will configure a router to route traffic between VLANs using just one router interface, this is commonly referred to as a Router on a Stick.

Below is a diagram of the network I'll be working with in this post.

My goal is for UserA in VLAN 64 to communicate with UserB in VLAN 128. To do this my router and switch must use a fastethernet port running at 100Mb full duplex.

To begin with I will configure the ports on Switch1 to be in the correct VLANs. These commands will also create the VLANs because the don't already exist. I have named the VLANs to be the same as the networks to keep things simple.

Switch1

switch1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch1(config)#interface range fastEthernet 0/9 - 16
switch1(config-if-range)#switchport access vlan 64
% Access VLAN does not exist. Creating vlan 64
switch1(config-if-range)#exit

switch1(config)#interface range fastEthernet 0/17 - 23
switch1(config-if-range)#switchport access vlan 128
% Access VLAN does not exist. Creating vlan 128
switch1(config-if-range)#end

I have now created the VLANs and I check this with a show command.

switch1#sh vlan brief

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/8
2 dmz active
64 VLAN0064 active Fa0/9, Fa0/10, Fa0/11, Fa0/12, Fa0/13, Fa0/14, Fa0/15, Fa0/16
128 VLAN0128 active Fa0/17, Fa0/18, Fa0/19, Fa0/20, Fa0/21, Fa0/22, Fa0/23
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active

On switch2 I configure the port that will be connected to the router as a trunk port. I also configure the port to be fixed at 100Mb full duplex.

Switch2

switch2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch2(config)#interface fastEthernet 0/2
switch2(config-if)#speed 100
switch2(config-if)#duplex full
switch2(config-if)#switchport mode trunk
switch2(config-if)#end

I check the configuration using a show command. This tells me which interfaces are trunking and for which VLANs.

switch2#sh interfaces trunk

Port Mode Encapsulation Status Native vlan
Fa0/2 on 802.1q trunking 1
Po5 desirable 802.1q trunking 1

Port Vlans allowed on trunk
Fa0/2 1-4094
Po5 1-4094

Port Vlans allowed and active in management domain
Fa0/2 1-2,64,128
Po5 1-2,64,128

Port Vlans in spanning tree forwarding state and not pruned
Fa0/2 1-2,64,128
Po5 1-2,64,128

On Router2 I create 2 sub-interfaces off the FastEthernet interface (fa0). I name these the same as the VLANs, again to keep thing simple. I also configure the sub-interfaces to support dot1q trunking.

Router2

Router2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#interface fastEthernet 0.64
Router2(config-subif)#encapsulation dot1Q 64
Router2(config-subif)#ip address 192.168.1.62 2 55.255.255.192
Router2(config-subif)#no shut
Router2(config-subif)#exit

Router2(config)#interface fastEthernet 0.128
Router2(config-subif)#encapsulation dot1Q 128
Router2(config-subif)#ip address 192.168.1.190 2 55.255.255.192
Router2(config-subif)#no shut
Router2(config-subif)#exit

Once the hosts are configured with valid IP addresses and subnet masks (as shown in the diagram) they are given the default gateway of the IP address that the sub-interface was configured with.

UserA
IP Address - 192.168.1.65
Subnet Mask - 255.255.255.192
Default Gateway - 192.168.1.126

UserB
IP Address - 192.168.1.129
Subnet Mask - 255.255.255.192
Default Gateway - 192.168.1.190

Now I will be able communicate between the hosts in the 2 VLANs.

Configuring EIGRP

2010-02-26T13:25:00.003Z

In this post I will configure the network in the diagram below to use EIGRP as its routing protocol.

Before I get into the config I'll just mention that EIGRP is a Cisco proprietary hybrid routing protocol. It has all the features of OSPF but can be easily set up like RIP. The downside is that it can only run on Cisco routers. With that said, lets get on with the fun stuff.

I have subnetted the 192.168.1.0 network using VLSM to cater or networks of the following sizes:

192.168.1.0 - 60 Hosts
192.168.1.64 - 40 Hosts
192.168.1.128 - 30 Hosts
192.168.1.160 - 25 Hosts

First I configure EIGRP on R1 on just one interface (linked to R2).

R1

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#router eigrp 10
R1(config-router)#network 192.168.1.193 0.0.0.0
R1(config-router)#no auto-summary
R1(config-router)#end

I have used 10 as the AS for EIGRP, this must be the same for all the routers. I have turned off auto-summary so I can have better control of summarisation. I use some show commands to check its running on just the specified interface.

R1#sh ip eigrp interfaces
IP-EIGRP interfaces for process 10

Xmit Queue Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable SRTT Un/Reliable Flow Timer Routes
Et0/0 0 0/0 0 0/1 0 0

I can also see that there are currently no neighbors.

R1#sh ip eigrp neighbors
IP-EIGRP neighbors for process 10

I now enable EIGRP on R2 and I see the adjacency form.

R2

R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#router eigrp 10
R2(config-router)#network 192.168.1.194 0.0.0.0
R2(config-router)#network 192.168.1.197 0.0.0.0
R2(config-router)#
*Mar 1 00:42:40.399: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor 192.168.1.193 (Ethernet0/3) is up: new adjacency

Back on R1 i check the neighbor table.

R1

R1#sh ip eigrp neighbors
IP-EIGRP neighbors for process 10
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 192.168.1.194 Et0/0 12 00:00:39 13 200 0 3

Checking the route table on R1 i can also see the EIGRP route.

R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

192.168.1.0/30 is subnetted, 3 subnets
C 192.168.1.204 is directly connected, Ethernet0/1
C 192.168.1.192 is directly connected, Ethernet0/0
D 192.168.1.196 [90/307200] via 192.168.1.194, 00:04:36, Ethernet0/0

On R4 I enable EIGRP.

R4

R4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)#router eigrp 10
R4(config-router)#network 192.168.1.198 0.0.0.0
R4(config-router)#network 192.168.1.202 0.0.0.0

And on R3 I enable EIGRP.

R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#router eigrp 10
R3(config-router)#network 192.168.1.201 0.0.0.0
R3(config-router)#network 192.168.1.206 0.0.0.0
R3(config-router)#network 192.168.1.161 0.0.0.0

From R3 I check the routing table and I can see routes to the all the other networks I have configured so far.

R3#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

192.168.1.0/24 is variably subnetted, 5 subnets, 2 masks
C 192.168.1.200/30 is directly connected, Ethernet0/1
C 192.168.1.204/30 is directly connected, Ethernet0/0
D 192.168.1.192/30 [90/332800] via 192.168.1.202, 00:00:09, Ethernet0/1
D 192.168.1.196/30 [90/307200] via 192.168.1.202, 00:00:09, Ethernet0/1
C 192.168.1.160/27 is directly connected, Ethernet0/2

What is missing from my routing table is routes for all the networks hanging off R2. This is because I used the wildcard mask of 0.0.0.0 to specify that EIGRP only ran on certain interfaces. To enable EIGRP for all networks on R2 I will add a new network with no wildcard mask. This is similar to commands used when setting up RIP.

R2

R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#router eigrp 10
R2(config-router)#network 192.168.1.0

Now when I check the routing table on R3 i can see all the new networks attached to R2.

R3

R3#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

192.168.1.0/24 is variably subnetted, 8 subnets, 3 masks
D 192.168.1.64/26 [90/332800] via 192.168.1.202, 00:02:14, Ethernet0/1
D 192.168.1.0/26 [90/332800] via 192.168.1.202, 00:02:14, Ethernet0/1
C 192.168.1.200/30 is directly connected, Ethernet0/1
C 192.168.1.204/30 is directly connected, Ethernet0/0
D 192.168.1.192/30 [90/332800] via 192.168.1.202, 00:04:25, Ethernet0/1
D 192.168.1.196/30 [90/307200] via 192.168.1.202, 00:04:25, Ethernet0/1
C 192.168.1.160/27 is directly connected, Ethernet0/2
D 192.168.1.128/27 [90/332800] via 192.168.1.202, 00:02:14, Ethernet0/1

Now I can see all the networks.

I want to test my reliance between R3 and R2. To do this I will test connectivity and then shut down an interface on R4. Hopefully routing will continue.

R3

R3#ping r2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.197, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/9/16 ms

R3 can ping R2 successfully. Now I shutdown R4's interface.

R4

R4(config)#int ethernet 0/0
R4(config-if)#shut

R3

R3#ping r2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.197, timeout is 2 seconds:
..
*Mar 1 01:16:28.347: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor 192.168.1.202 (Ethernet0/1) is down: holding time expired...
Success rate is 0 percent (0/5)

Pings fail! I check R1 and find that it is only routing for network 192.168.1.192 (on interface 192.168.1.193).

R1

R1#sh ip protocols
Routing Protocol is "eigrp 10"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Default networks flagged in outgoing updates
Default networks accepted from incoming updates
EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
EIGRP maximum hopcount 100
EIGRP maximum metric variance 1
Redistributing: eigrp 10
EIGRP NSF-aware route hold timer is 240s
Automatic network summarization is not in effect
Maximum path: 4
Routing for Networks:
192.168.1.193/32
Routing Information Sources:
Gateway Distance Last Update
192.168.1.194 90 00:01:37
Distance: internal 90 external 170

I add the other interface into EIGRP for AS 10.

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#router eigrp 10
R1(config-router)#network 192.168.1.205 0.0.0.0

Back on R3 I attempt to contact R2 again.

R3

R3#ping r2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.197, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/9/12 ms

And looking at my routing table I can see that the next hop to get to R2 is R1 whereas before it was R4

R3#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

192.168.1.0/24 is variably subnetted, 8 subnets, 3 masks
D 192.168.1.64/26 [90/332800] via 192.168.1.205, 00:01:22, Ethernet0/0
D 192.168.1.0/26 [90/332800] via 192.168.1.205, 00:01:22, Ethernet0/0
C 192.168.1.200/30 is directly connected, Ethernet0/1
C 192.168.1.204/30 is directly connected, Ethernet0/0
D 192.168.1.192/30 [90/307200] via 192.168.1.205, 00:01:22, Ethernet0/0
D 192.168.1.196/30 [90/332800] via 192.168.1.205, 00:01:22, Ethernet0/0
C 192.168.1.160/27 is directly connected, Ethernet0/2
D 192.168.1.128/27 [90/332800] via 192.168.1.205, 00:01:22, Ethernet0/0

Configure OSPF Routing

2010-02-22T22:07:00.006Z

In this post I will configure the network below to use OSPF routing.

OSPF uses areas to define it's structure, i'll be configuring a single area in this post so I will use area 0. OSPF runs under a process on each router, this does not have to be the same but i'll keep thing simple and use process 10 on each router.

Currently all routers can only see directly connected routers. Here is the routing table on R0.

R0

R0#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

195.211.64.0/30 is subnetted, 1 subnets
C 195.211.64.0 is directly connected, Serial1/1
C 192.168.1.0/24 is directly connected, Serial1/0
S* 0.0.0.0/0 is directly connected, Serial1/1

I enable OSPF and configure it to advertise the 192.168.1.0 network.

R0#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R0(config)#router ospf 10
R0(config-router)#network 192.168.1.1 0.0.0.0 area 0
R0(config-router)#end

By specifying the interface with a wilcard of 0.0.0.0 I am telling OSPF to only advertise out of that single interface.

I configure OSPF on R1, R2 and R3 for the networks they are connected to. After configuration I check routing tables.

R0

R0#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

192.168.4.0/32 is subnetted, 1 subnets
O 192.168.4.1 [110/85] via 192.168.1.2, 00:00:56, Serial1/0
195.211.64.0/30 is subnetted, 1 subnets
C 195.211.64.0 is directly connected, Serial1/1
C 192.168.1.0/24 is directly connected, Serial1/0
O 192.168.2.0/24 [110/74] via 192.168.1.2, 00:00:56, Serial1/0
O 192.168.3.0/24 [110/84] via 192.168.1.2, 00:00:56, Serial1/0
S* 0.0.0.0/0 is directly connected, Serial1/1

So on each router I have advertised each interface into the OSPF area. Now I would like to advertise the default route and check it on R3.

R0

I first configure a static route pointing towards the interface I want traffic to go and then I advertise that into OSPF.

R0(config)#ip route 0.0.0.0 0.0.0.0 serial 1/1
R0(config)#router ospf 10
R0(config-router)#default-information originate
R0(config-router)#end

Now I check the routing tables across the routers finishing with R3.

R3

R3#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.3.1 to network 0.0.0.0

C 192.168.4.0/24 is directly connected, Loopback0
O 192.168.1.0/24 [110/84] via 192.168.3.1, 00:05:49, Ethernet0/0
O 192.168.2.0/24 [110/20] via 192.168.3.1, 00:05:49, Ethernet0/0
C 192.168.3.0/24 is directly connected, Ethernet0/0
O*E2 0.0.0.0/0 [110/1] via 192.168.3.1, 00:05:49, Ethernet0/0

Below are some show commands which are useful when troubleshooting OSPF.

R3#sh ip ospf
Routing Process "ospf 10" with ID 192.168.4.1
Start time: 00:38:51.280, Time elapsed: 00:33:41.280
Supports only single TOS(TOS0) routes
Supports opaque LSA
Supports Link-local Signaling (LLS)
Supports area transit capability
Router is not originating router-LSAs with maximum metric
Initial SPF schedule delay 5000 msecs
Minimum hold time between two consecutive SPFs 10000 msecs
Maximum wait time between two consecutive SPFs 10000 msecs
Incremental-SPF disabled
Minimum LSA interval 5 secs
Minimum LSA arrival 1000 msecs
LSA group pacing timer 240 secs
Interface flood pacing timer 33 msecs
Retransmission pacing timer 66 msecs
Number of external LSA 1. Checksum Sum 0x008F40
Number of opaque AS LSA 0. Checksum Sum 0x000000
Number of DCbitless external and opaque AS LSA 0
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Number of areas transit capable is 0
External flood list length 0
Area BACKBONE(0)
Number of interfaces in this area is 2 (1 loopback)
Area has no authentication
SPF algorithm last executed 00:09:44.096 ago
SPF algorithm executed 3 times
Area ranges are
Number of LSA 6. Checksum Sum 0x03A79E
Number of opaque link LSA 0. Checksum Sum 0x000000
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0

R3#sh ip ospf interface
Ethernet0/0 is up, line protocol is up
Internet Address 192.168.3.2/24, Area 0
Process ID 10, Router ID 192.168.4.1, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 192.168.3.1, Interface address 192.168.3.1
Backup Designated router (ID) 192.168.4.1, Interface address 192.168.3.2
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:09
Supports Link-local Signaling (LLS)
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 192.168.3.1 (Designated Router)
Suppress hello for 0 neighbor(s)
Loopback0 is up, line protocol is up
Internet Address 192.168.4.1/24, Area 0
Process ID 10, Router ID 192.168.4.1, Network Type LOOPBACK, Cost: 1
Loopback interface is treated as a stub Host

Configure Default Routing

2010-02-21T22:07:00.007Z

In this post I will create a default route and distribute it using RIP.

Below is a diagram of the network I'll be using in this post.

Currently on R0 I have no default route.

R0

R0#sh ip route
Gateway of last resort is not set
R 192.168.4.0/24 [120/1] via 192.168.1.2, 00:00:08, Serial1/0
C 192.168.1.0/24 is directly connected, Serial1/0
R 192.168.2.0/24 [120/1] via 192.168.1.2, 00:00:08, Serial1/0
R 192.168.3.0/24 [120/1] via 192.168.1.2, 00:00:08, Serial1/0

I will configured interface S1/1 on R0 as being the interface that is connected to my ISP.

R0(config)#interface serial 1/1
R0(config-if)#ip address 195.211.64.2 255.255.255.252
R0(config-if)#no keepalive
R0(config-if)#no shut
R0(config-if)#end

I also check the default route on R3

R3

R3#sh ip route
Gateway of last resort is not set
C 192.168.4.0/24 is directly connected, Loopback0
R 192.168.1.0/24 [120/1] via 192.168.3.1, 00:00:25, Ethernet0/0
R 192.168.2.0/24 [120/1] via 192.168.3.1, 00:00:25, Ethernet0/0
C 192.168.3.0/24 is directly connected, Ethernet0/0

Back on R0 I create a default route pointing to Serial 1/1 and distribute it with RIP.

R0

R0(config)#ip route 0.0.0.0 0.0.0.0 s1/1
R0(config)#router rip
R0(config-router)#default-information originate
R0(config-router)#end

Checking my route table I can see I have a gateway of last resort set and a default route is set.

R0#sh ip route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
R 192.168.4.0/24 [120/1] via 192.168.1.2, 00:00:15, Serial1/0
195.211.64.0/30 is subnetted, 1 subnets
C 195.211.64.0 is directly connected, Serial1/1
C 192.168.1.0/24 is directly connected, Serial1/0
R 192.168.2.0/24 [120/1] via 192.168.1.2, 00:00:16, Serial1/0
R 192.168.3.0/24 [120/1] via 192.168.1.2, 00:00:16, Serial1/0
S* 0.0.0.0/0 is directly connected, Serial1/1

On R3 I check the routing table to make sure it has a default route set and it is sending the packets out the right interface.

R3

R3#sh ip route
Gateway of last resort is 192.168.3.1 to network 0.0.0.0
C 192.168.4.0/24 is directly connected, Loopback0
R 192.168.1.0/24 [120/1] via 192.168.3.1, 00:00:26, Ethernet0/0
R 192.168.2.0/24 [120/1] via 192.168.3.1, 00:00:26, Ethernet0/0
C 192.168.3.0/24 is directly connected, Ethernet0/0
R* 0.0.0.0/0 [120/3] via 192.168.3.1, 00:00:26, Ethernet0/0

Configuring RIP

2010-02-17T20:01:00.011Z

In this post I will configure a small network with RIP routing.

Currently all routers can only communicate with the routers they are directly connected to. I will enable RIP v2 across all routers and perform some troubleshooting steps along the way.

R0

On R0 I enable RIP and turn on debugging to view the RIP updates when RIP is enabled on a connected router.

R0#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R0(config)#router rip
R0(config-router)#version 2
R0(config-router)#network 192.168.1.0
R0(config-router)#end

R0#debug ip rip

R1

On R1 I enable RIP.

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#router rip
R1(config-router)#version 2
R1(config-router)#network 192.168.1.0
R1(config-router)#network 192.168.2.0
R1(config-router)#end

R0

Back on R0 I can see the R0 sending updates to the multicast address and I can see it receive updates RIP updates from R1.

R0#
*Mar 1 00:26:29.483: RIP: sending v2 update to 224.0.0.9 via Serial1/0 (192.168.1.1)
*Mar 1 00:26:29.487: RIP: build update entries - suppressing null update
R0#
*Mar 1 00:26:35.091: RIP: received v2 request from 192.168.1.2 on Serial1/0
*Mar 1 00:26:35.095: RIP: sending update with long TTL
*Mar 1 00:26:35.099: RIP: sending v2 update to 192.168.1.2 via Serial1/0 (192.168.1.1)
*Mar 1 00:26:35.099: RIP: build update entries - suppressing null update
R0#
*Mar 1 00:26:44.539: RIP: received v2 update from 192.168.1.2 on Serial1/0
*Mar 1 00:26:44.543: 192.168.2.0/24 via 0.0.0.0 in 1 hops
R0#
*Mar 1 00:26:46.543: RIP: sending v2 flash update to 224.0.0.9 via Serial1/0 (192.168.1.1)
*Mar 1 00:26:46.547: RIP: build flash update entries - suppressing null update
R0#
*Mar 1 00:26:58.951: RIP: sending v2 update to 224.0.0.9 via Serial1/0 (192.168.1.1)
*Mar 1 00:26:58.955: RIP: build update entries - suppressing null update

I know check the routing table.

R0#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C 192.168.1.0/24 is directly connected, Serial1/0
R 192.168.2.0/24 [120/1] via 192.168.1.2, 00:00:07, Serial1/0

I can see the RIP route to the 192.168.2.0 network listed.

I can verify connectivity with ping.

R0#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms

I can also check details of my routing protocols.

R0#sh ip protocols
Routing Protocol is "rip"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Sending updates every 30 seconds, next due in 2 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Redistributing: rip
Default version control: send version 2, receive version 2
Interface Send Recv Triggered RIP Key-chain
Serial1/0 2 2
Automatic network summarization is in effect
Maximum path: 4
Routing for Networks:
192.168.1.0
Routing Information Sources:
Gateway Distance Last Update
192.168.1.2 120 00:00:03
Distance: (default is 120)

Here I can see information on the timers, the protocols and version and the interfaces RIP is enabled on.

Now I configure RIP on the rest of the network and test connectivity.

R2

R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#router rip
R2(config-router)#version 2
R2(config-router)#network 192.168.2.0
R2(config-router)#network 192.168.3.0
R2(config-router)#end

R2#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/11/16 ms

R2#sh ip route
--cut--
R 192.168.1.0/24 [120/1] via 192.168.2.1, 00:00:24, Ethernet0/0
C 192.168.2.0/24 is directly connected, Ethernet0/0
C 192.168.3.0/24 is directly connected, Ethernet0/1

All good. R2 can communicate with R0 so RIP is working fine.

R3

Finally I enable RIP and test connectivity.

R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#router rip
R3(config-router)#network 192.168.3.0
R3(config-router)#end

R3#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/18/36 ms

Great that all works. But wait a minute. Lets add another interface in a new network and see if R0 can see it. I'll just use a loopback interface to simulate a network.

R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#int loopback 0
R3(config-if)#ip address 192.168.4.1 255.255.255.0
R3(config-if)#no keepalive
R3(config-if)#end

R3#sh ip route
--cut--
C 192.168.4.0/24 is directly connected, Loopback0
R 192.168.1.0/24 [120/1] via 192.168.3.1, 00:00:11, Ethernet0/0
R 192.168.2.0/24 [120/1] via 192.168.3.1, 00:00:11, Ethernet0/0
C 192.168.3.0/24 is directly connected, Ethernet0/0

R3#ping 192.168.4.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Now I add the new route in.

R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#router rip
R3(config-router)#network 192.168.4.0
R3(config-router)#end

Great. And back on R0....

R0

R0#ping 192.168.4.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Strange. I'll try the other interface...

R0#ping 192.168.3.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/14/16 ms

Well I can get to that one. What does the routing table on R0 show?

R0#sh ip route
--cut--
C 192.168.1.0/24 is directly connected, Serial1/0
R 192.168.2.0/24 [120/1] via 192.168.1.2, 00:00:02, Serial1/0
R 192.168.3.0/24 [120/1] via 192.168.1.2, 00:00:02, Serial1/0

Well there is no route for the 192.168.4.0 network. Lets do some debugging.

Ah here we are ...

R2

R2#debug ip rip
*Mar 1 02:34:39.755: RIP: ignored v1 packet from 192.168.3.2 (illegal version)
R2#
*Mar 1 02:34:48.511: RIP: sending v2 update to 224.0.0.9 via Ethernet0/1 (192.168.3.1)

R3 is still configured to send RIP version 1 updates. A closer look at the the output of show ip protocols tells us this.

R3

R3#sh ip protocols
Routing Protocol is "rip"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Sending updates every 30 seconds, next due in 24 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Redistributing: rip
Default version control: send version 1, receive any version
Interface Send Recv Triggered RIP Key-chain
Ethernet0/0 1 1 2
Loopback0 1 1 2
Automatic network summarization is in effect
Maximum path: 4
Routing for Networks:
192.168.3.0
192.168.4.0
Routing Information Sources:
Gateway Distance Last Update
192.168.3.1 120 00:00:11
Distance: (default is 120)

Line 7 of the output tells us that it will only send version 1 but will receive any version. Unfortunately RIP version 2 will only send and receive RIP version 2 so the RIP v1 updates will not be added to the route table.

I fix the problem on R3 by changing the version to RIP v2 and recheck connectivity from R0.

R3

R3(config)#router rip
R3(config-router)#version 2
R3(config-router)#end

R0

R0#sh ip route
--cut--
R 192.168.4.0/24 [120/1] via 192.168.1.2, 00:00:09, Serial1/0
C 192.168.1.0/24 is directly connected, Serial1/0
R 192.168.2.0/24 [120/1] via 192.168.1.2, 00:00:09, Serial1/0
R 192.168.3.0/24 [120/1] via 192.168.1.2, 00:00:09, Serial1/0

R0#ping 192.168.4.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/14/20 ms

There we go. Everything working just fine.

Finally a few things about RIP for my exam:

RIP v1

Distance Vector Protocol
Classfull Routing Protocol
Uses Broadcast to send updates
Administrative Distance is 120
Max Hops 15
Sends Updates Every 30 Seconds
Holddown Timer is 180 Seconds
Invalid after 180 Seconds
Route Flushed after 240 Seconds

RIP v2

Distance Vector Protocol
Classless Routing Protocol (supports VLSM)
Uses Multicast to send updates (224.0.0.9)
Administrative Distance is 120
Supports Authentication
Max Hops 15
Sends Updates Every 30 Seconds
Holddown Timer is 180 Seconds
Invalid after 180 Seconds
Route Flushed after 240 Seconds

Loop Prevention

Rip uses the follow mechanisms to prevent routing loops:

Maximum Distance (15 hops)
Poison Reverse
Holddown Timers
Split Horizen
Triggered Updates

Creating Static Routes

2010-02-15T22:31:00.006Z

In this post I will create a static route to route traffic from R0 (192.168.1.0/30 network) to R2 (192.168.1.4/30 network).

To begin with I check my routing table on R0.

R0#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Serial1/0

Currently I can only see directly connected interfaces. Without any static routes or routing protocols traffic from one network cannot reach the other.

R0#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/11/24 ms

R0#ping 192.168.1.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

I can ping the R1 interface on my network but not the interface on the other network. This is because R0 does not know where 192.168.1.5 is. By creating a static route I tell R0 which interface to send packets out of.

R0(config)#ip route 192.168.1.4 255.255.255.252 192.168.1.3
R0(config)#end

Now when I examine the route table I can see the static route I have created.

R0#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

192.168.1.0/30 is subnetted, 2 subnets
C 192.168.1.0 is directly connected, Serial1/0
S 192.168.1.4 [1/0] via 192.168.1.3

Now If I attempt to ping the ethernet interface on R1 I get a response.

R0#ping 192.168.1.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms

So what about R2?

R0#ping 192.168.1.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Well R2 is receiving the ICMP ping packets but it doesn't know how to get them back to me. By going to R2 and giving it a route to get back it will know which direction to send packets back.

R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#ip route 192.168.1.0 255.255.255.252 192.168.1.4

Because R1 know which networks it is directly connect to it happily passes the packets to the correct interface.

R1#sh ip route connected
192.168.1.0/30 is subnetted, 2 subnets
C 192.168.1.0 is directly connected, Serial0/0
C 192.168.1.4 is directly connected, Ethernet1/0

Attempting to ping R2 from R0 now produces the desired result.

R0#ping 192.168.1.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.6, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/12/24 ms

Documenting a Network with CDP

2010-02-13T19:34:00.013Z

In this post I will use the information available from CDP to help me create a logical network diagram.

CDP is the Cisco Discovery Protocol and is enabled on all router and switch interfaces by default. The switch or router sends a CDP packet out of each interface every 60 seconds, any connected device records the delivery of these packets into a CDP table for a holdtime period of 180 seconds. If after 180 seconds the device has not received any more CDP packets on that interface it removes the entry from the table. CDP can be disabled entirely or on any individual interface.

I begin by connecting to my switch and I check the CDP settings.

switch1#sh cdp
Global CDP information:
Sending CDP packets every 60 seconds
Sending a holdtime value of 180 seconds
Sending CDPv2 advertisements is enabled

From the output I can see the CDP time settings and the version. Next I look at the connected devices.

switch1#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater

Device ID Local Intrfce Holdtme Capability Platform Port ID
switch2.lab.localFas 0/1 160 S I WS-C2950-2Fas 0/1
switch2.lab.localFas 0/24 160 S I WS-C2950-2Fas 0/24

Here I can see that I have 2 ports (1 & 24) connected to switch2 (also using ports 1 & 24). I can also see that switch2 is a Catalyst 2950.

This is a great summary but for my diagram I could do with knowing the IP address of switch2.

switch1#sh cdp entry *
-------------------------
Device ID: switch2.lab.local
Entry address(es):
IP address: 10.0.1.211
Platform: cisco WS-C2950-24, Capabilities: Switch IGMP
Interface: FastEthernet0/1, Port ID (outgoing port): FastEthernet0/1
Holdtime : 142 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(13)EA1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 04-Mar-03 02:14 by yenanh

advertisement version: 2
Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000FFFFFFFF01022505000000000000000CCE3E3EC0FF0000
VTP Management Domain: 'lab.local'
Native VLAN: 1
Duplex: full

-------------------------
Device ID: switch2.lab.local
Entry address(es):
IP address: 10.0.1.211
Platform: cisco WS-C2950-24, Capabilities: Switch IGMP
Interface: FastEthernet0/24, Port ID (outgoing port): FastEthernet0/24
Holdtime : 142 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(13)EA1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 04-Mar-03 02:14 by yenanh

advertisement version: 2
Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000FFFFFFFF01022505000000000000000CCE3E3EC0FF0000
VTP Management Domain: 'lab.local'
Native VLAN: 1
Duplex: full

This detailed output gives me additional useful information such as the VLAN and the IOS version.

Next I head over to switch2 and look at it's CDP information.

switch2#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID Local Intrfce Holdtme Capability Platform Port ID
switch1 Fas 0/24 168 S I WS-C2950-2Fas 0/24
switch1 Fas 0/1 168 S I WS-C2950-2Fas 0/1
router1.lab.localFas 0/2 175 R Cisco C831Eth 0
router1.lab.localFas 0/23 175 R Cisco C831Eth 1

Here I can see the connections to switch1 and additional connections to router1. Again I look at the detailed information to get the IP address of the router.

switch2#sh cdp entry *
-------------------------
Device ID: switch1
Entry address(es):
IP address: 10.0.1.210
Platform: cisco WS-C2950-24, Capabilities: Switch IGMP
Interface: FastEthernet0/24, Port ID (outgoing port): FastEthernet0/24
Holdtime : 152 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(12c)EA1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Sun 24-Nov-02 23:31 by antonino

advertisement version: 2
Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000FFFFFFFF01022505000000000000000C8582C600FF0000
VTP Management Domain: 'lab.local'
Native VLAN: 1
Duplex: full

-------------------------
Device ID: switch1
Entry address(es):
IP address: 10.0.1.210
Platform: cisco WS-C2950-24, Capabilities: Switch IGMP
Interface: FastEthernet0/1, Port ID (outgoing port): FastEthernet0/1
Holdtime : 152 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(12c)EA1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Sun 24-Nov-02 23:31 by antonino

advertisement version: 2
Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000FFFFFFFF01022505000000000000000C8582C600FF0000
VTP Management Domain: 'lab.local'
Native VLAN: 1
Duplex: full

-------------------------
Device ID: router1.lab.local
Entry address(es):
IP address: 10.0.2.254
Platform: Cisco C831, Capabilities: Router
Interface: FastEthernet0/23, Port ID (outgoing port): Ethernet1
Holdtime : 176 sec

Version :
Cisco IOS Software, C831 Software (C831-K9O3Y6-M), Version 12.4(4)T1, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Thu 22-Dec-05 01:39 by ccai

advertisement version: 2
Duplex: half

-------------------------
Device ID: router1.lab.local
Entry address(es):
IP address: 10.0.1.254
Platform: Cisco C831, Capabilities: Router
Interface: FastEthernet0/2, Port ID (outgoing port): Ethernet0
Holdtime : 176 sec

Version :
Cisco IOS Software, C831 Software (C831-K9O3Y6-M), Version 12.4(4)T1, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Thu 22-Dec-05 01:39 by ccai

advertisement version: 2
Duplex: full

From the output I am able to determine the IP addresses of the connected router interfaces and I can also see that one interface is configured to half duplex. Now I have some good information to begin populating my diagram with.

From here I would probably move to the router and look at the CDP table. But supposing I want to prevent CDP packets from leaving an interface? After all, quite detailed information is included in CDP that you might not want everyone to view.

I connect to the device that I want to stop sending CDP packets and turn CDP off on that particular interface. In my case I would like to stop router1 from sending CDP packets on interface ethernet 1.

router1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
router1(config)#int ethernet 1
router1(config-if)#no cdp enable
router1(config-if)#end

Now when I check the switch that router1 is connected to I see that the holdtime decreases as the switch receives no CDP packet on the interface until after 180 seconds it reaches 0 and the entry is removed from the table.

switch2#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID Local Intrfce Holdtme Capability Platform Port ID
switch1 Fas 0/24 159 S I WS-C2950-2Fas 0/24
switch1 Fas 0/1 159 S I WS-C2950-2Fas 0/1
router1.lab.localFas 0/23 6 R Cisco C831Eth 1
router1.lab.localFas 0/2 126 R Cisco C831Eth 0

switch2#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID Local Intrfce Holdtme Capability Platform Port ID
switch1 Fas 0/24 153 S I WS-C2950-2Fas 0/24
switch1 Fas 0/1 152 S I WS-C2950-2Fas 0/1
router1.lab.localFas 0/23 0 R Cisco C831Eth 1
router1.lab.localFas 0/2 179 R Cisco C831Eth 0

switch2#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID Local Intrfce Holdtme Capability Platform Port ID
switch1 Fas 0/24 147 S I WS-C2950-2Fas 0/24
switch1 Fas 0/1 147 S I WS-C2950-2Fas 0/1
router1.lab.localFas 0/2 174 R Cisco C831Eth 0

Duplex Configuration

2010-02-09T21:48:00.005Z

Mismatched duplex settings can cause a network connection to perform poorly. Often a duplex mismatch is caused by a PC's network card or routers interface being configured to full or half duplex whilst the switch port being set to auto detect. If there is a duplex mismatch the CDP will report it, and these can be seen on screen by enabling the terminal monitor.

Below I have enabled terminal monitor and error messages are printed to the terminal.

switch1#terminal monitor
switch1#
03:16:25: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/23 (not half duplex), with router1.lab.local Ethernet1 (half duplex).
switch1#
03:17:25: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/23 (not half duplex), with router1.lab.local Ethernet1 (half duplex).
switch1#

I can see that every 60 seconds as CDP packets are received I receive a warning that there is a duplex mismatch.

To very quickly check all the ports on my switch I use the following show command:

switch1#show interfaces status

Port Name Status Vlan Duplex Speed Type
Fa0/1 connected trunk a-full a-100 10/100BaseTX
Fa0/2 connected 1 a-full a-100 10/100BaseTX
Fa0/3 connected 1 a-full a-100 10/100BaseTX
Fa0/4 notconnect 1 auto auto 10/100BaseTX
Fa0/5 notconnect 1 auto auto 10/100BaseTX
Fa0/6 notconnect 1 auto auto 10/100BaseTX
Fa0/7 notconnect 1 auto auto 10/100BaseTX
Fa0/8 notconnect 1 auto auto 10/100BaseTX
Fa0/9 notconnect 1 auto auto 10/100BaseTX
Fa0/10 notconnect 1 auto auto 10/100BaseTX
Fa0/11 notconnect 1 auto auto 10/100BaseTX
Fa0/12 notconnect 1 auto auto 10/100BaseTX
Fa0/13 notconnect 1 auto auto 10/100BaseTX
Fa0/14 notconnect 1 auto auto 10/100BaseTX
Fa0/15 notconnect 1 auto auto 10/100BaseTX
Fa0/16 notconnect 1 full auto 10/100BaseTX
Fa0/17 notconnect 2 auto auto 10/100BaseTX
Fa0/18 notconnect 2 auto auto 10/100BaseTX
Fa0/19 notconnect 2 auto auto 10/100BaseTX
Fa0/20 notconnect 2 auto auto 10/100BaseTX
Fa0/21 notconnect 2 auto auto 10/100BaseTX
Fa0/22 notconnect 2 auto auto 10/100BaseTX
Fa0/23 connected 2 full 10 10/100BaseTX
Fa0/24 connected trunk a-full a-100 10/100BaseTX
Po5 connected trunk a-full a-100

From the output I can see that although most ports are set to auto, some are configured with specific speed and duplex settings. Fa0/1,2,3 and fa0/24 are configured to auto for duplex and speed but have detected that the connect devices are set to full duplex and 100Mb.

Fa0/16 is configured as full duplex and the speed is set to auto. Fa0/23 which is the port which is shown in the error message is configured as full duplex and 10Mb.

03:17:25: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/23 (not half duplex), with router1.lab.local Ethernet1 (half duplex).

Upon closer inspection of the error message I can see that the connected device (router1) is configured to half duplex on interface Ethernet 1.

I can either change the router interface or the switch port so the duplex settings match but when I do the port will briefly shutdown. I decide to make the change on the router so both ports are configured to full duplex.

After connecting to router1 I can use a show command to take a good look at the interface settings and the counters.

router1#show interfaces ethernet 1
Ethernet1 is up, line protocol is up
Hardware is PQUICC_FEC, address is 000e.3884.8540 (bia 000e.3884.8540)
Internet address is 10.0.2.254/24
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Half-duplex, 10Mb/s
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:06, output 00:00:06, output hang never
Last clearing of "show interface" counters 23:42:46
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
3182 packets input, 362199 bytes, 0 no buffer
Received 1581 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
9407 packets output, 644928 bytes, 0 underruns
35 output errors, 377 collisions, 0 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out

From the output above I can see that the interface is configured as half duplex and 10Mb. I change the interface to full duplex to match the switch interface. I can also see that there are some errors and collisions on the interface.

router1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
router1(config)#interface ethernet 1
router1(config-if)#duplex full
router1(config-if)#end

I verify the configuration and reset the counters on both interfaces so I can easily see if more issues occur.

router1#clear counters ethernet 1
Clear "show interface" counters on this interface [confirm]
router1#

switch1#clear counters fastEthernet0/23
Clear "show interface" counters on this interface [confirm]
switch1#
04:00:19: %CLEAR-5-COUNTERS: Clear counter on interface FastEthernet0/23 by vty0 (10.0.1.4)

It is always a good idea to configure interfaces on both servers and routers to match those of the switch rather than leave them at auto detect.

Schedule a Reload

2010-02-08T21:17:00.004Z

Occasionally I might make changes to a switch or router that may lock me out. If I am sat next to the device this isn't a problem, if I am not it is. By scheduling a reboot or reload I can be sure that the change I make is removed when the device reloads because it will reload the startup-config which I saved at the start of the session.

First I save the running configuration to make sure the startup-config is current. I then schedule my reload to allow me enough time to make my changes. If the reload isn't required I simply cancel it.

switch1#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
switch1#reload in 015
Reload scheduled in 15 minutes
Proceed with reload? [confirm]

switch1#reload cancel
switch1#
***
*** --- SHUTDOWN ABORTED ---
***
switch1#

Configure Port Protection

2010-02-07T15:46:00.006Z

Port Protection can be utilised to protect hosts from malware and abuse. By placing ports into protected mode the connected hosts are unable to talk to other hosts connected to ports that are also in protected mode.

Hosts connected to ports in protected mode can communicate with hosts on non-protected ports. Typically hosts offering services should not be connected to ports that have been placed in protected mode.

Below I configure ports 9 to 16 as protected ports. I use a show command to view the running config.

switch2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch2(config)#interface range fastEthernet 0/9 - 16
switch2(config-if-range)#switchport protected
switch2(config-if-range)#end

switch2#show run | begin interface FastEthernet0/9
interface FastEthernet0/9
switchport protected
no ip address
spanning-tree portfast
!
interface FastEthernet0/10
switchport protected
no ip address
spanning-tree portfast
!
interface FastEthernet0/11
switchport protected
no ip address
spanning-tree portfast
!
interface FastEthernet0/12
switchport protected
no ip address
spanning-tree portfast
!
interface FastEthernet0/13
switchport protected
no ip address
spanning-tree portfast
!
interface FastEthernet0/14
switchport protected
no ip address
spanning-tree portfast
!
interface FastEthernet0/15
switchport protected
no ip address
spanning-tree portfast
!
interface FastEthernet0/16
switchport protected
no ip address
spanning-tree portfast
!

Using ping I verify that hosts on protected ports cannot communicate with each other but can still access services on non-protected ports.

Configure Logging

2010-02-07T15:14:00.006Z

In this post I will configure my switch to log to a syslog server on my mac (10.0.1.4)

switch1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch1(config)#logging trap debugging
switch1(config)#logging 10.0.1.4
switch1(config)#logging on

Switch1 now logs to a remote syslog server.

# tail -f /var/log/switch.log
Feb 7 15:11:55 10.0.1.210 35: 00:09:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/16, changed state to down
Feb 7 15:12:00 10.0.1.210 36: 00:09:53: %LINK-3-UPDOWN: Interface FastEthernet0/16, changed state to up
Feb 7 15:12:03 10.0.1.210 37: 00:09:55: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/16, changed state to up

A switch can also be configured to log to the buffer. Below I will configure Switch2 to log notification messages to the buffer. Finally I will use a show command to view the messages.

switch2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch2(config)#logging buffered notifications
switch2(config)#end

switch2#show logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
Console logging: level debugging, 23 messages logged
Monitor logging: level debugging, 0 messages logged
Buffer logging: level notifications, 1 messages logged
Exception Logging: size (4096 bytes)
File logging: disabled
Trap logging: level informational, 27 message lines logged

Log Buffer (4096 bytes):

00:37:19: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.1.4)

To configure the mac as a syslog server follow the instructions below.

1. Amend syslog.conf
# echo "local7.debug /var/log/switch.log" >> /etc/syslog.conf

2. Create new log file
# touch /var/log/switch.log

3. Change syslogd startup procedure by uncommenting the section (at the end) to accept remote logging in /System/Library/LaunchDaemons/com.apple.syslogd.plist

4. Restart syslogd
# launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
# launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist

5. Allow syslog (/usr/bin/syslog) through the firewall.

Configure a SPAN Port

2010-02-06T22:47:00.003Z

In this post I will create a SPAN port on my switch to send a copy of all sent and received traffic from port 10 to port 13.

switch1(config)#monitor session 1 source interface fastEthernet 0/10 both
switch1(config)#monitor session 1 destination interface fastEthernet 0/13
switch1(config)#end

I verify the configuration with a show command.

switch1#show monitor session 1
Session 1
---------
Type : Local Session
Source Ports:
RX Only: None
TX Only: None
Both: Fa0/10
Source VLANs:
RX Only: None
TX Only: None
Both: None
Source RSPAN VLAN: None
Destination Ports: Fa0/13
Encapsulation: Native
Reflector Port: None
Filter VLANs: None
Dest RSPAN VLAN: None

Configure EtherChannel

2010-02-05T22:52:00.008Z

In this post I will configure 2 ports on 2 switches to be an EtherChannel. This effectively bundles the lines to increase bandwidth and allows any link in the bundle to fail without affecting service.

The diagram below shows the layout of the switches.

Before starting I make sure all interfaces that I will be configuring for EtherChannel have no configuration and are in the same VLAN.

I use the following commands to configure EtherChannel on the switches.

switch1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch1(config)#interface fastEthernet 0/1
switch1(config-if)#channel-group 5 mode desirable
Creating a port-channel interface Port-channel 5
switch1(config-if)#exit
switch1(config)#interface fastEthernet 0/24
switch1(config-if)#channel-group 5 mode desirable
Creating a port-channel interface Port-channel 5
switch1(config-if)#end

switch2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch2(config)#interface fastEthernet 0/1
switch2(config-if)#channel-group 5 mode desirable
Creating a port-channel interface Port-channel 5
switch2(config-if)#exit
switch2(config)#interface fastEthernet 0/24
switch2(config-if)#channel-group 5 mode desirable
Creating a port-channel interface Port-channel 5
switch2(config-if)#end

I verify the configuration by checking the running config.

switch2#sh run
Building configuration...

Current configuration : 2447 bytes
!
------cut------
!
interface Port-channel5
no ip address
flowcontrol send off
!
interface FastEthernet0/1
no ip address
channel-group 5 mode desirable
!
-----cut--------
!
interface FastEthernet0/24
no ip address
channel-group 5 mode desirable

When I ping the remote switch and disconnect a cable I have no packet loss.

I also use the following useful show command to view EtherChannel information.

switch1#sh etherchannel summary
Flags: D - down P - in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
u - unsuitable for bundling
U - in use f - failed to allocate aggregator

d - default port
Number of channel-groups in use: 1
Number of aggregators: 1

Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
5 Po5(SU) PAgP Fa0/1(Pd) Fa0/24(P)

Spanning Tree Protocol

2010-02-05T20:30:00.011Z

In this post I'll be checking that Spanning Tree is working correctly between Switch1 and Switch2. Finally I will configure the non-Root Bridge as the Root and verify the configuration.

The switches are connected as shown in the diagram below.

I check the switches to determine which is the root switch.

switch1#show spanning-tree root

Root Hello Max Fwd
Vlan Root ID Cost Time Age Dly Root Port
---------------- -------------------- --------- ----- --- --- ------------
VLAN0001 32769 000c.8582.c600 0 2 20 15
VLAN0002 32770 000c.8582.c600 0 2 20 15
switch1#show spanning-tree summary
Root bridge for: VLAN0001, VLAN0002.
Extended system ID is enabled.
PortFast BPDU Guard is disabled
EtherChannel misconfiguration guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Default pathcost method used is short

Name Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001 0 0 0 4 4
VLAN0002 0 0 0 2 2
---------------------- -------- --------- -------- ---------- ----------
2 vlans 0 0 0 6 6

I can see this (Switch1) is the root bridge for both VLANs. As this is the root bridge I check a non-root bridge (Switch2) to see which ports are in blocking mode.

switch2#sh spanning-tree blockedports

Name Blocked Interfaces List
-------------------- ------------------------------------
VLAN0001 Fa0/24
VLAN0002 Fa0/24

Number of blocked ports (segments) in the system : 2

From the output I can determine that port Fa0/24 on Switch2 is in blocking mode.

To test Spanning Tree is working I ping Switch2 from a PC connected to Switch1 and disconnect the uplink on fa0/1

MacBook:~ syn$ ping 10.0.1.211
PING 10.0.1.211 (10.0.1.211): 56 data bytes
64 bytes from 10.0.1.211: icmp_seq=0 ttl=255 time=22.273 ms
64 bytes from 10.0.1.211: icmp_seq=1 ttl=255 time=4.341 ms
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4
Request timeout for icmp_seq 5
Request timeout for icmp_seq 6
--------cut----------
Request timeout for icmp_seq 27
Request timeout for icmp_seq 28
Request timeout for icmp_seq 29
Request timeout for icmp_seq 30
Request timeout for icmp_seq 31
Request timeout for icmp_seq 32
64 bytes from 10.0.1.211: icmp_seq=33 ttl=255 time=4.376 ms
64 bytes from 10.0.1.211: icmp_seq=34 ttl=255 time=4.117 ms
64 bytes from 10.0.1.211: icmp_seq=35 ttl=255 time=4.111 ms
^C
--- 10.0.1.211 ping statistics ---
36 packets transmitted, 5 packets received, 86.1% packet loss
round-trip min/avg/max/stddev = 4.111/7.844/22.273/7.216 ms

As can be seen from the ping results it takes 30 seconds for STP to converge and failover to port Fa0/24

switch2#sh spanning-tree root

Root Hello Max Fwd
Vlan Root ID Cost Time Age Dly Root Port
---------------- -------------------- ------ ----- --- --- ----------------
VLAN0001 32769 000c.8582.c600 19 2 20 15 Fa0/24
VLAN0002 32770 000c.8582.c600 19 2 20 15 Fa0/24

Reconnecting the uplink cable causes STP to failover back to the Fa0/1 because Fa0/1 has the lowest priority.

To view detailed information about Spanning Tree on a ports use the following show command.

switch2#show spanning-tree active detail
------cut---------
Port 24 (FastEthernet0/24) of VLAN0002 is blocking
Port path cost 19, Port priority 128, Port Identifier 128.24.
Designated root has priority 32770, address 000c.8582.c600
Designated bridge has priority 32770, address 000c.8582.c600
Designated port id is 128.24, designated path cost 0
Timers: message age 2, forward delay 0, hold 0
Number of transitions to forwarding state: 4
Link type is point-to-point by default
BPDU: sent 8, received 8232

Here I can see the ports priority details, timers and how many times the port has transitioned into a forwarding state.

To configure Switch2 as the Root Bridge for both VLAN's I use the following command.

switch2(config)#spanning-tree vlan 1-2 root primary

I verify this with the following show command.

switch2#show spanning-tree summary
Switch is in pvst mode
Root bridge for: VLAN0001-VLAN0002
EtherChannel misconfiguration guard is enabled
Extended system ID is enabled
Portfast is disabled by default
PortFast BPDU Guard is disabled by default
Portfast BPDU Filter is disabled by default
Loopguard is disabled by default
UplinkFast is disabled
BackboneFast is disabled
Pathcost method used is short

Name Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001 0 0 0 3 3
VLAN0002 0 0 0 3 3
---------------------- -------- --------- -------- ---------- ----------
2 vlans 0 0 0 6 6

Switch1 being the non-Root Bridge now has interfaces in blocking state.

switch1#show spanning-tree blockedports

Name Blocked Interfaces List
-------------------- ------------------------------------
VLAN0001 Fa0/24
VLAN0002 Fa0/24

Number of blocked ports (segments) in the system : 2

Configure VTP

2010-02-04T23:35:00.004Z

In this post I will configure VTP. I will be working with Switch1 and Switch2. I will configure port fa0/9 on each switch as a trunk port, configure VTP for the domain lab.local with a VTP password of cisco. I will configure Switch2 to be a VTP Client. Finally I will verify VTP is working with some useful show and debugging commands.

Switch 1

switch1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch1(config)#int fastEthernet 0/9
switch1(config-if)#switchport mode trunk
switch1(config-if)#exit

switch1(config)#vtp domain lab.local
Changing VTP domain name from NULL to lab.local
switch1(config)#vtp password cisco
Setting device VLAN database password to cisco.
switch1(config)#end

switch1#sh vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 64
Number of existing VLANs : 6
VTP Operating Mode : Server
VTP Domain Name : lab.local
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x12 0xBF 0xAA 0x37 0xDC 0x26 0xF2 0x03
Configuration last modified by 10.0.1.210 at 3-1-93 03:11:00
Local updater ID is 10.0.1.210 on interface Vl1 (lowest numbered VLAN interface found)

Switch2

switch2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch2(config)#interface fastEthernet 0/9
switch2(config-if)#switchport mode trunk
switch2(config-if)#exit

switch2(config)#vtp domain lab.local
Changing VTP domain name from NULL to lab.local
switch2(config)#vtp password cisco
Setting device VLAN database password to cisco
switch2(config)#vtp mode client
Setting device to VTP CLIENT mode.
switch2(config)#end

switch2#sh vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 64
Number of existing VLANs : 6
VTP Operating Mode : Client
VTP Domain Name : lab.local
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x12 0xBF 0xAA 0x37 0xDC 0x26 0xF2 0x03
Configuration last modified by 10.0.1.210 at 3-1-93 03:11:00

Turn on debugging for VTP events on Switch2

switch2#terminal monitor
switch2#debug sw-vlan vtp events
vtp events debugging is on

Create a new VLAN on Switch1

switch1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch1(config)#vlan 3
switch1(config-vlan)#name test-vlan
switch1(config-vlan)#end

Switch2 displays the VTP events.

00:11:10: VTP LOG RUNTIME: Summary packet received, domain = lab.local, rev = 1, followers = 1

00:11:10: VTP LOG RUNTIME: Summary packet rev 1 greater than domain lab.local rev 0

00:11:10: VTP LOG RUNTIME: Domain lab.local currently not in updating state

00:11:10: VTP LOG RUNTIME: Subset packet received, domain = lab.local, rev = 1, seq = 1, length = 244

00:11:10: VTP LOG RUNTIME: Transmit vtp summary, domain lab.local, rev 1, followers 1
MD5 digest calculated = C5 62 5F 4A 7B 07 69 C7 0E CD E9 42 0E 7C AF 5C

I verify that the VTP revision number has incremented on switch2

switch2#sh vtp status
VTP Version : 2
Configuration Revision : 1
Maximum VLANs supported locally : 64
Number of existing VLANs : 7
VTP Operating Mode : Client
VTP Domain Name : lab.local
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0xC5 0x62 0x5F 0x4A 0x7B 0x07 0x69 0xC7
Configuration last modified by 10.0.1.210 at 3-1-93 00:20:13

Attempts to create a VLAN on switch2 fails as it is in Client mode

switch2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch2(config)#vlan 4
VTP VLAN configuration not allowed when device is in CLIENT mode.

Configure SSH

2010-02-03T21:51:00.006Z

In this post I will configure SSH version 2 on the router to have a 1024 bit key, allow 3 failed login attempt and set time-out to 30 mins. I will then configure my vty ports to use either telnet or SSH and I will enable aaa new-model and create a user called syn with a password of cisco. Lastly I will check my running config and use a show command to view the setup.

router1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
router1(config)#ip domain-name lab.local
router1(config)#crypto key generate rsa general-keys modulus 1024
The name for the keys will be: router1.lab.local
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
router1(config)#ip ssh authentication-retries 3
router1(config)#ip ssh time-out 30
router1(config)#ip ssh version 2

router1(config)#line vty 0 4
router1(config-line)#transport input ssh telnet
router1(config-line)#end

router1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
router1(config)#aaa new-model
router1(config)#username syn secret cisco
router1(config)#end

router1#show run
Building configuration...
Current configuration : 1564 bytes
!
version 12.4
!
aaa new-model
!
ip domain name lab.local
ip ssh time-out 30
ip ssh source-interface Ethernet0
ip ssh version 2
!
username syn secret 5 $1$mU38$MPCu0GOeTzhKnQBNMKxe30
!
line vty 0 4
exec-timeout 0 0
password 7 02050D480809
logging synchronous
transport input telnet ssh
!
end

router1#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 30 secs; Authentication retries: 3
router1#

Port Security

2010-02-03T20:55:00.006Z

In this post I will configure a port with port security as sticky port (will learn the first mac address). I then configure the switch to re-enable the port after 2 minutes of shutdown.

Finally I will use some useful show commands to view the interface configuration, state of the port and verify that the correct settings are in the running config.

switch1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch1(config)#interface fastEthernet 0/17
switch1(config-if)#switchport port-security
switch1(config-if)#switchport port-security mac-address sticky
switch1(config-if)#end

switch1(config)#errdisable recovery cause psecure-violation
switch1(config)#errdisable recovery interval 120

switch1#sh run interface fastEthernet 0/17
Building configuration...

Current configuration : 254 bytes
!
interface FastEthernet0/17
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 001e.68ff.d35f
no ip address
spanning-tree portfast
end

switch1#show port-security interface fastEthernet 0/17
Port Security : Enabled
Port status : SecureUp
Violation mode : Shutdown
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Aging time : 0 mins
Aging type : Absolute
SecureStatic address aging : Disabled
Security Violation count : 0

switch1#show port-security address
Secure Mac Address Table
-------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
2 001e.68ff.d35f SecureSticky Fa0/17 -
-------------------------------------------------------------------
Total Addresses in System : 1
Max Addresses limit in System : 1024

switch1#show running-config | include errdisable
errdisable recovery cause psecure-violation
errdisable recovery interval 120

Useful DHCP Show Commands

2010-02-03T20:03:00.006Z

In this post I will demonstrate a few useful show commands that will help me see the state of the routers DHCP server which I set up in the previous post.

show ip dhcp binding
show ip dhcp pool
show ip dhcp server statistics

These commands were run after a computer was issued the IP 10.0.2.1 from the dmz pool.

router1#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
10.0.2.1 0100.1e68.ffd3.5f Oct 13 2009 10:08 PM Automatic

router1#show ip dhcp pool
Pool dmz :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 254
Leased addresses : 1
Pending event : none
1 subnet is currently in the pool :
Current index IP address range Leased addresses
10.0.2.2 10.0.2.1 - 10.0.2.254 1

router1#show ip dhcp server statistics
Memory usage 23991
Address pools 1
Database agents 0
Automatic bindings 1
Manual bindings 0
Expired bindings 0
Malformed messages 9
Secure arp entries 0

Message Received
BOOTREQUEST 0
DHCPDISCOVER 8
DHCPREQUEST 12
DHCPDECLINE 0
DHCPRELEASE 0
DHCPINFORM 5

Message Sent
BOOTREPLY 0
DHCPOFFER 1
DHCPACK 4
DHCPNAK 0

Confgure a DHCP Server

2010-02-02T23:04:00.006Z

In this post I will configure DHCP Settings on my router. I turn on the DHCP service, create a pool and configure it with an IP range, domain name, DNS server, default router and lease. I add in exclusions for the addresses I do not want leased. Finally I check the running config.

router1(config)#service dhcp
router1(config)#ip dhcp pool dmz
router1(dhcp-config)#network 10.0.2.0 /24
router1(dhcp-config)#domain-name lab.local
router1(dhcp-config)#dns-server 8.8.8.8
router1(dhcp-config)#default-router 10.0.2.254
router1(dhcp-config)#lease 7
router1(dhcp-config)#exit
router1(config)#ip dhcp excluded-address 10.0.2.10 10.0.2.255
router1(config)#end

router1#sh run

!
ip subnet-zero
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.2.10 10.0.2.255
!
ip dhcp pool dmz
network 10.0.2.0 255.255.255.0
domain-name lab.local
dns-server 8.8.8.8
default-router 10.0.2.254
lease 7
!
!

Create a Static Host Mapping

2010-02-02T22:33:00.004Z

In this post I will create a static host entry for router on the IP address 10.0.1.254. I check the configuration with the show hosts command. Finally I ping 10.0.1.254 using the host name.

switch1#ping router
Translating "router"
% Unrecognized host or address, or protocol not running.

switch1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch1(config)#ip host router 10.0.1.254
switch1(config)#end

switch1#show hosts
Default domain is not set
Name/address lookup uses static mappings

Host Port Flags Age Type Address(es)
router None (perm, OK) 0 IP 10.0.1.254

switch1#ping router
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

Create a MOTD Banner

2010-02-02T22:13:00.005Z

In this post I will create a MOTD banner for my switch and verify the configuration with a show command.

switch1#conf t
switch1(config)#banner motd $ Authorised Access Only $
switch1(config)#end

switch1#sh run | include banner
banner motd ^C Authorised Access Only ^C
switch1#

Configure Switch VTY Ports

2010-02-02T22:00:00.006Z

In this post I will configure all my VTY (Telnet ports) to have logging synchronous and a 30 minute exec timeout (max idle time). I give the ports a password of cisco, configure the switch to require a login on the VTY ports and display the motd banner. Finally I use a show command to check the running config.

switch1#conf t
switch1(config)#line vty 0 15
switch1(config-line)#logging synchronous
switch1(config-line)#exec-timeout 30 0
switch1(config-line)#password cisco
switch1(config-line)#login
switch1(config-line)#motd-banner
switch1(config-line)#end

switch1#sh run | begin line vty
line vty 0 4
exec-timeout 30 0
password 7 01100F175804
logging synchronous
login
line vty 5 15
exec-timeout 30 0
password 7 01100F175804
logging synchronous
login
!
end

Creating a VLAN

2010-02-02T21:40:00.011Z

In this post I list the commands to create VLAN 2, name it to dmz and place a range of ports in the VLAN. Finally I use a show command to look at the VLAN configuration.

switch1#conf t
switch1(config)#vlan 2
switch1(config-vlan)#name dmz
switch1(config-vlan)#end

switch1#conf t
switch1(config)#interface range FastEthernet 0/17 - 24
switch1(config-if-range)#switchport access vlan 2
switch1(config-if-range)#end

switch1#sh vlan brief

Show Version

2010-01-30T20:32:00.003Z

The show version command is very useful. From running the command I can see the following useful pieces of information about my router.

Model
Uptime
IOS Version & software release
CPU, RAM, NVRAM & Flash details
Configuration Register setting

Router>show version

Cisco IOS Software, 3600 Software (C3640-JK9S-M), Version 12.4(16), RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2007 by Cisco Systems, Inc.

Compiled Wed 20-Jun-07 11:43 by prod_rel_team

ROM: ROMMON Emulation Microcode

ROM: 3600 Software (C3640-JK9S-M), Version 12.4(16), RELEASE SOFTWARE (fc1)

Router uptime is 1 minute

System returned to ROM by unknown reload cause - suspect boot_data[BOOT_COUNT] 0x0, BOOT_COUNT 0, BOOTDATA 19

System image file is "tftp://255.255.255.255/unknown"

Cisco 3640 (R4700) processor (revision 0xFF) with 124928K/6144K bytes of memory.

Processor board ID 00000000

R4700 CPU at 100MHz, Implementation 33, Rev 1.2

DRAM configuration is 64 bits wide with parity enabled.

125K bytes of NVRAM.

8192K bytes of processor board System flash (Read/Write)

Configuration register is 0x2142

Router>

Introduction

2010-01-30T14:45:00.002Z

I will be using this blog to post notes of the commands used to configure firewalls, routers and switches in my lab. The posts are primarily created to help me as a study aid, if they help you too then that's great.