Cisco ICND2 – Describe the purpose and types of access control lists

Describe the purpose and types of access control lists – Access lists are used to restrict or permit traffic passing through an interface. For example, you may want to allow port 25 (SMTP) traffic to reach your Exchange server and let that traffic flow in and out of the interface; this is possible with access lists.

There are two types of access lists: standard and extended.

Standard

Standard access lists filter on source IP address only; Telnet, web, SMTP and other services cannot be filtered by a standard access list. Standard access lists are numbered 1-99 and 1300-1999. An example:

configure terminal
! 0.0.0.255 is a wildcard mask: any source address in 10.0.0.0/24 matches this entry
access-list 1 permit 10.0.0.1 0.0.0.255

Extended

Extended access lists can filter by source address, destination address, protocol and port. Extended access lists are numbered 100-199 and 2000-2699.

configure terminal
! permit TCP from any source to host 10.0.0.1 on destination port 25 (SMTP);
! every access list ends with an implicit deny of everything else
access-list 100 permit tcp any host 10.0.0.1 eq 25

Both standard and extended access lists can be applied inbound or outbound on an interface, giving greater control over which packets can be sent or received:

configure terminal
interface s0/0
ip access-group 100 in
ip access-group 100 out
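
As an added example that is not part of the original post, here is a small Python evaluator for the numbered ACL syntax used above. It implements the wildcard-mask matching and the implicit deny that ends every list, and contrasts the intended SMTP entry (destination port 25 on the Exchange host) with the same keywords arranged so that eq 25 applies to the source port instead; the parsed lines are constructed for the example.

```python
import ipaddress
ANY = ("0.0.0.0", "255.255.255.255")   # the keyword 'any' as a base/wildcard pair

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit must match the base exactly, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care

def _addr(tok):  # consume 'any' | 'host A' | 'A WILDCARD' | bare 'A' (standard ACL host)
    t = tok.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return tok.pop(0), "0.0.0.0"
    return t, (tok.pop(0) if tok and tok[0][0].isdigit() else "0.0.0.0")

def _port(tok):  # consume an optional 'eq N' operator; None means any port
    if tok and tok[0] == "eq":
        tok.pop(0)
        return int(tok.pop(0))
    return None

def parse_acl(lines):
    """Parse numbered 'access-list N permit|deny ...' lines (the subset used on this page)."""
    rules = []
    for line in lines:
        tok = line.split()
        number, action, tok = int(tok[1]), tok[2], tok[3:]
        if number <= 99 or 1300 <= number <= 1999:       # standard: source address only
            proto, src, sport, dst, dport = "ip", _addr(tok), None, ANY, None
        else:                                            # extended: protocol, src, dst, ports
            proto = tok.pop(0)
            src, sport = _addr(tok), _port(tok)
            dst, dport = _addr(tok), _port(tok)
        rules.append(dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport))
    return rules

def evaluate(rules, proto, src, sport, dst, dport):
    """Top-down, first match wins; no match falls through to the implicit 'deny any'."""
    for r in rules:
        if (r["proto"] in ("ip", proto) and wildcard_match(src, *r["src"])
                and wildcard_match(dst, *r["dst"])
                and r["sport"] in (None, sport) and r["dport"] in (None, dport)):
            return r["action"]
    return "deny"

# Constructed lists: SMTP to the Exchange host (destination port 25) versus 'eq 25' after the source
INTENDED = parse_acl(["access-list 100 permit tcp any host 10.0.0.1 eq 25"])
SRC_PORT = parse_acl(["access-list 100 permit tcp any eq 25 host 10.0.0.1"])
STANDARD = parse_acl(["access-list 1 permit 10.0.0.0 0.0.0.255"])
```

With SRC_PORT a client connecting to the server's port 25 from an ephemeral port is denied, while anything sent from source port 25 to any port on the host is permitted.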

Cisco ICND2 – Implement basic router security

Basic router security includes, but is not limited to:

  • Configuring an enable secret

configure terminal
enable secret <password>

  • Securing the passwords stored in the configuration

configure terminal
! obscures plain-text line passwords in the running config (type 7, which is reversible);
! the enable secret is already stored as a hash
service password-encryption

  • Displaying a message of the day (motd)

configure terminal
banner motd # <message> #
banner login # <message> #

  • Locking down the console port

configure terminal
line console 0
password <password>
login

  • Configuring terminal lines for remote access

configure terminal
line vty 0 4
password <password>
login
! allows both; use "transport input ssh" to remove telnet and accept SSH only
transport input telnet ssh
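
An added example, not from the original post: a Python check that reads a running configuration and flags which of the hardening items above are missing or weak. The configuration text is constructed for the example and the secret hash is a placeholder; the login-without-password check relies on IOS refusing connections to a line that has login set but no password.

```python
def parse_sections(config):
    """Split IOS config text into global commands and {section header: [indented commands]}."""
    global_cmds, sections, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif raw.startswith(("line ", "interface ")):
            current = raw.strip()
            sections[current] = []
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, sections

def audit(config):
    """Check a config against the hardening items listed above; return a list of findings."""
    global_cmds, sections = parse_sections(config)
    findings = []
    if not any(c.startswith("enable secret") for c in global_cmds):
        findings.append("no enable secret configured")
    if "service password-encryption" not in global_cmds:
        findings.append("service password-encryption missing: line passwords stored in clear text")
    if not any(c.startswith(("banner motd", "banner login")) for c in global_cmds):
        findings.append("no motd or login banner")
    for name, body in ((n, b) for n, b in sections.items() if n.startswith("line ")):
        if not any(c == "login" or c.startswith("login ") for c in body):
            findings.append(f"{name}: 'login' missing, no password prompt on this line")
        if "login" in body and not any(c.startswith("password") for c in body):
            findings.append(f"{name}: 'login' set but no line password")
        if name.startswith("line vty"):
            transport = next((c for c in body if c.startswith("transport input")), "")
            if not transport or set(transport.split()[2:]) - {"ssh", "none"}:
                findings.append(f"{name}: not SSH-only ({transport or 'transport input unset'})")
    return findings

# Constructed running-config excerpt (not one of the page's lab devices); the hash is a placeholder.
SAMPLE_CONFIG = """\
enable secret 5 $1$PLACEHOLDER$notarealhash
banner motd ^C <message> ^C
line con 0
 password <console-password>
 login
line vty 0 4
 password <vty-password>
 login
 transport input telnet ssh
"""
HARDENED_CONFIG = SAMPLE_CONFIG.replace("transport input telnet ssh", "transport input ssh") \
    + "service password-encryption\n"
```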

Cisco ICND2 – Verify configuration and connectivity using ping, traceroute, and telnet or SSH

Listed below is a quick list of tools that can be used to troubleshoot connectivity issues.

Ping

Ping can be used to verify connectivity between end devices. Note – a device such as a firewall may block the ICMP packets, so a failed ping does not on its own prove that the path is down.

Tracert / traceroute

Shows the routing path, hop by hop, from source to destination (tracert on a Windows PC, traceroute on a router).

Telnet

Telnet can be used to connect to a router/switch, although the data is sent in plain text.

SSH

Same as Telnet, but the data is encrypted.

Ipconfig /all

Displays IP information that can be verified against the network documentation: IP address, subnet mask and default gateway, as well as the DNS and WINS servers.

arp -a

Shows the ARP cache on a PC, i.e. the MAC addresses it has learned for IP addresses on the local network.

show ip arp

Shows the ARP cache (IP-to-MAC address mappings) on a router/switch.

Cisco ICND2 – Configure, verify and troubleshoot EIGRP

The next routing protocol up is EIGRP: configure, verify and troubleshoot.

Using the same layout from OSPF, we will re-configure for EIGRP.

OSPF_Diagram

First, turn off OSPF on the routers:

configure terminal
no router ospf 1

Configuring EIGRP is similar to that of OSPF.

RouterA

configure terminal
router eigrp 1
network 10.0.3.68 0.0.0.3
network 10.0.3.72 0.0.0.3
network 10.0.3.32 0.0.0.31
network 10.0.0.0 0.0.0.255
no auto-summary

RouterB

configure terminal
router eigrp 1
network 10.0.1.0 0.0.0.255
network 10.0.3.64 0.0.0.3
network 10.0.3.0 0.0.0.31
network 10.0.3.68 0.0.0.3
no auto-summary

RouterC

configure terminal
router eigrp 1
network 10.0.2.0 0.0.0.255
network 10.0.3.64 0.0.0.3
network 10.0.3.72 0.0.0.3
no auto-summary

Verify EIGRP

Router A routing table:

EIGRP_Show_IPROUTE_RouterA

Router B routing table:

EIGRP_Show_IPROUTE_RouterB

Router C routing table:

EIGRP_Show_IPROUTE_RouterC

  • show ip route eigrp
  • show ip eigrp neighbors
  • show ip eigrp topology
  • show ip protocols
  • ping remote computers/WAN links

Troubleshoot EIGRP

  • The autonomous system number must match
  • Like OSPF, the EIGRP timers must match
  • If the routing tables are not showing the correct routes, auto-summary may be enabled; I like to turn auto-summary off
  • debug eigrp packet
  • debug ip eigrp neighbor

Cisco ICND2 – Configure, verify and troubleshoot OSPF

In this topic we will configure OSPF, verify it using show commands, and look at what kinds of problems we can expect and how to resolve them.

I have made some changes to our switch diagrams and added a couple of routers and re-jigged things around:

OSPF_Diagram

To enable OSPF we first need to start the routing process:

configure terminal
router ospf 1

The value 1 is the process ID (instance number); it can be anything between 1 and 65535. Next we need to tell the routing process which networks we want to advertise, for example:

network 192.168.0.1 0.0.0.255 area 0

OSPF uses an inverse (wildcard) mask rather than a subnet mask. The 0s mean that part of the IP address must match exactly (192.168.0.) and the 255 in the last octet means it can be any value. Area 0 is the backbone area for OSPF. I have kept this simple.
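
As an added example that is not part of the original post, the wildcard rule above in Python, applied to RouterA's addressing from the configurations further down this page: which interfaces its network statements enable for OSPF (the same semantics apply to the EIGRP network statements), and what a subnet mask typed in place of a wildcard, the first item in the troubleshooting list, would match if read literally as a wildcard. The typo'd statements are constructed for the example.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics (shared by OSPF and EIGRP network statements and by ACLs):
    a 0 bit in the wildcard must match the base address, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care

def wildcard_from_mask(mask):
    """Invert a subnet mask into its wildcard: 255.255.255.224 -> 0.0.0.31."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))

def ospf_enabled_interfaces(interfaces, network_statements):
    """Return {interface: area} for each interface whose address is matched by a
    'network <base> <wildcard> area <n>' statement; the first matching statement wins."""
    enabled = {}
    for name, addr in interfaces.items():
        for stmt in network_statements:
            _, base, wildcard, _, area = stmt.split()
            if wildcard_match(addr, base, wildcard):
                enabled[name] = int(area)
                break
    return enabled

# RouterA's interface addressing and OSPF network statements as given on this page.
ROUTER_A_INTERFACES = {
    "FastEthernet0/0.10": "10.0.0.1",
    "FastEthernet1/0.50": "10.0.3.33",
    "Serial0/0": "10.0.3.73",
    "Serial0/1": "10.0.3.70",
}
ROUTER_A_NETWORKS = [
    "network 10.0.3.68 0.0.0.3 area 0",
    "network 10.0.3.0 0.0.0.127 area 0",
    "network 10.0.3.72 0.0.0.3 area 0",
    "network 10.0.0.0 0.0.0.255 area 0",
]
# Constructed mistake from the troubleshooting list: subnet masks typed where wildcards belong.
# Read literally as wildcards, these match none of RouterA's addresses, so OSPF runs on no interface.
MASK_TYPO_NETWORKS = [
    "network 10.0.3.68 255.255.255.252 area 0",
    "network 10.0.3.72 255.255.255.252 area 0",
    "network 10.0.3.32 255.255.255.224 area 0",
    "network 10.0.0.0 255.255.255.0 area 0",
]
```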

We can stop OSPF hellos being sent out of an interface using the passive-interface command. This can be useful on FastEthernet links connected to a switched network that does not need to receive routing updates. Sending routing updates over links that do not need them wastes bandwidth and CPU resources; suppressing them also enhances security, because no device on that segment can form an adjacency with the router while the segment's network is still advertised.

configure terminal
router ospf 1
passive-interface FastEthernet0/0

Below are the commands needed on each device to make the diagram above fully functional:

RouterA:

configure terminal
interface FastEthernet 0/0
no shutdown
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip address 10.0.0.1 255.255.255.0
interface FastEthernet1/0
no shutdown
interface FastEthernet1/0.50
encapsulation dot1Q 50
ip address 10.0.3.33 255.255.255.224
interface Serial0/0
ip address 10.0.3.73 255.255.255.252
no shutdown
interface Serial0/1
ip address 10.0.3.70 255.255.255.252
no shutdown
router ospf 1
network 10.0.3.68 0.0.0.3 area 0
network 10.0.3.0 0.0.0.127 area 0
network 10.0.3.72 0.0.0.3 area 0
network 10.0.0.0 0.0.0.255 area 0
passive-interface FastEthernet 0/0
passive-interface FastEthernet 1/0

RouterB:

configure terminal
interface FastEthernet0/0
no shutdown
interface FastEthernet0/0.20
encapsulation dot1Q 20
ip address 10.0.1.1 255.255.255.0
interface FastEthernet1/0
no shutdown
interface FastEthernet1/0.40
encapsulation dot1Q 40
ip address 10.0.3.1 255.255.255.224
interface Serial0/0
ip address 10.0.3.66 255.255.255.252
no shutdown
interface Serial0/1
ip address 10.0.3.69 255.255.255.252
clock rate 64000
no shutdown
router ospf 1
network 10.0.1.0 0.0.0.255 area 0
network 10.0.3.64 0.0.0.3 area 0
network 10.0.3.0 0.0.0.127 area 0
network 10.0.3.68 0.0.0.3 area 0
passive-interface FastEthernet 0/0
passive-interface FastEthernet 1/0

RouterC:

configure terminal
interface FastEthernet0/0
no shutdown
interface FastEthernet0/0.30
encapsulation dot1Q 30
ip address 10.0.2.1 255.255.255.0
interface Serial0/0
ip address 10.0.3.74 255.255.255.252
clock rate 64000
no shutdown
interface Serial0/1
ip address 10.0.3.65 255.255.255.252
clock rate 64000
no shutdown
router ospf 1
network 10.0.2.0 0.0.0.255 area 0
network 10.0.3.72 0.0.0.3 area 0
network 10.0.3.64 0.0.0.3 area 0
passive-interface FastEthernet0/0

SwitchA:

configure terminal
spanning-tree mode rapid-pvst
interface FastEthernet0/1
switchport mode trunk
interface FastEthernet0/2
switchport access vlan 10
switchport mode access
spanning-tree portfast
interface range FastEthernet0/3-24
switchport mode access
spanning-tree portfast

SwitchB:

configure terminal
spanning-tree mode rapid-pvst
interface FastEthernet0/1
switchport mode trunk
interface FastEthernet0/2
switchport access vlan 20
switchport mode access
spanning-tree portfast
interface range FastEthernet0/3-24
switchport mode access
spanning-tree portfast

SwitchC:

configure terminal
spanning-tree mode rapid-pvst
interface FastEthernet0/1
switchport mode trunk
interface FastEthernet0/2
switchport access vlan 30
switchport mode access
spanning-tree portfast
interface range FastEthernet0/3-24
switchport mode access
spanning-tree portfast

SwitchD:

configure terminal
spanning-tree mode rapid-pvst
interface FastEthernet0/1
switchport mode trunk
interface FastEthernet0/2
switchport access vlan 50
switchport mode access
spanning-tree portfast
interface range FastEthernet0/3-24
switchport mode access
spanning-tree portfast

SwitchE:

configure terminal
spanning-tree mode rapid-pvst
interface FastEthernet0/1
switchport mode trunk
interface FastEthernet0/2
switchport access vlan 40
switchport mode access
spanning-tree portfast
interface range FastEthernet0/3-24
switchport mode access
spanning-tree portfast

OSPF by default uses the highest IP address on the router as its router ID (RID). The RID identifies the router in its advertised routes and is used in the DR and BDR election. For this reason it may be a good idea to create a loopback interface so that its address becomes the RID and does not change; Cisco even suggests using loopbacks.

Configuring a loopback is easy; let's do this on RouterC:

configure terminal
interface loopback 1
ip address 192.168.0.1 255.255.255.0

This doesn't automatically make the RID 192.168.0.1: we must either reload the router, which could be inconvenient in a live environment, or use the command router-id 192.168.0.1 to force the change.

configure terminal
router ospf 1
router-id 192.168.0.1

We can advertise default routes via the default-information originate command under the OSPF configuration. We can also use default-information originate always (not supported in Packet Tracer), which advertises a default route even if one doesn't exist: the router generates one and advertises it. To create a default route and advertise it:

configure terminal
ip route 0.0.0.0 0.0.0.0 s0/1
router ospf 1
default-information originate

Verify OSPF

Let's first begin by checking the RID of RouterC. We can verify this by using the show ip ospf command on RouterC:

Show_IP_OSPF_RouterC

We can check OSPF routes via the show ip route command:

OSPF_Show_IP_Route_RouterC

We can verify WAN connectivity by pinging each PC from each other. I’m going to demonstrate PC3 pinging PC1:

OSPF_Ping_PC1_From_PC2

show ip ospf neighbor will show information about all neighbors:

OSPF_Show_IP_neighbor_RouterB

show ip ospf interface s0/0 displays the interface state (whether it is up) and OSPF information such as the timers, the area the interface is in and the network type.

OSPF_Show_IP_int_RouterA

Troubleshoot OSPF

  • Ensure you’re using a wildcard mask and not a subnet mask when configuring OSPF
  • Check IP addressing and subnet masks are correctly configured on WAN links
  • Serial interfaces with a DCE cable attached must be configured with the clock rate command
  • Routers running OSPF must have the same hello and dead timers to form an adjacency
  • If OSPF authentication is used, it must match on the neighbouring routers
  • You may have accidentally configured passive-interface on a Serial interface running OSPF – this will stop advertisements
  • debug ip ospf adj – shows elections for DR and BDR
  • debug ip ospf packet – shows ospf hello packets being received by the router
  • debug ip ospf hello – shows more in depth information relating to hello packets including being sent and received by the router

You can download the Packet Tracer file here:
Download Packet Tracer OSPF configuration