
Cisco ICND2 – Configure, verify and troubleshoot EIGRP

The next routing protocol is EIGRP: configure, verify and troubleshoot.

Using the same layout as the OSPF topic, we will reconfigure the three routers for EIGRP.

[Diagram: OSPF_Diagram]

First turn off OSPF on each router:

configure terminal
no router ospf 1

Configuring EIGRP is similar to OSPF. The network statements take the same wildcard masks, there is no area, and the 1 after router eigrp is the autonomous system (AS) number, which, unlike the OSPF process ID, must be the same on every router that is to become a neighbour.

RouterA

configure terminal
router eigrp 1
network 10.0.3.68 0.0.0.3
network 10.0.3.72 0.0.0.3
network 10.0.3.32 0.0.0.31
network 10.0.0.0 0.0.0.255
no auto-summary

RouterB

configure terminal
router eigrp 1
network 10.0.1.0 0.0.0.255
network 10.0.3.64 0.0.0.3
network 10.0.3.0 0.0.0.31
network 10.0.3.68 0.0.0.3
no auto-summary

RouterC

configure terminal
router eigrp 1
network 10.0.2.0 0.0.0.255
network 10.0.3.64 0.0.0.3
network 10.0.3.72 0.0.0.3
no auto-summary

Verify EIGRP

Router A routing table:

[Image: EIGRP_Show_IPROUTE_RouterA]

Router B routing table:

[Image: EIGRP_Show_IPROUTE_RouterB]

Router C routing table:

[Image: EIGRP_Show_IPROUTE_RouterC]

  • show ip route eigrp
  • show ip eigrp neighbors
  • show ip eigrp topology
  • show ip protocols
  • ping remote computers/WAN links

Troubleshoot EIGRP

  • The autonomous system number (the 1 in router eigrp 1) must match on every router; routers in different AS numbers silently ignore each other's hellos
  • Unlike OSPF, EIGRP neighbours will still form if the hello and hold timers differ; what must match are the AS number, the K values (metric weights) and, if configured, the authentication key
  • If the routing tables are missing specific routes, auto summary may be enabled: it summarises to the classful boundary (here 10.0.0.0/8) wherever a router has an interface in a different major network, so discontiguous subnets are lost. I turn auto summary off with no auto-summary (newer IOS releases already default to this)
  • debug eigrp packets
  • debug ip eigrp neighbor

Cisco ICND2 – Configure, verify and troubleshoot OSPF

In this topic we will configure OSPF, verify it and troubleshoot it using show commands, and look at what kinds of problems to expect and how to resolve them.

I have made some changes to our switch diagrams and added a couple of routers and re-jigged things around:

[Diagram: OSPF_Diagram]

To enable OSPF we first need to enable the routing protocol:

configure terminal
router ospf 1

The value 1 is the process ID; it can be anything from 1 to 65535 and is only locally significant, so it does not have to match between routers (unlike the EIGRP autonomous system number). Next we need to tell the routing process which networks we want to advertise, for example:

network 192.168.0.1 0.0.0.255 area 0

OSPF uses an inverse (wildcard) mask rather than a subnet mask. A 0 bit means that bit of the interface address must match exactly (here 192.168.0.), and a 255 (all ones) in the last octet means any value is accepted, so every interface in 192.168.0.0/24 is placed into OSPF and its subnet advertised. Area 0 is the backbone area, and every other area must connect to it; I have kept it simple by putting everything in area 0.
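To make the wildcard-mask matching concrete, here is a small Python check (an added example, not part of the original post and not a Cisco tool) that applies the same bit comparison IOS performs to the addresses configured on RouterA, RouterB and RouterC below, and to the EIGRP network statements from the previous topic, which use the same form. It reports which interfaces each router's statements enable and flags any /30 WAN link where only one end is covered, which is the usual reason a neighbour never appears. The interface names and addresses are copied from the configurations on this page; nothing else is assumed.

```python
import ipaddress

# Interface addresses taken from the RouterA/B/C configurations on this page.
ROUTERS = {
    "RouterA": {"FastEthernet0/0.10": "10.0.0.1/24", "FastEthernet1/0.50": "10.0.3.33/27",
                "Serial0/0": "10.0.3.73/30", "Serial0/1": "10.0.3.70/30"},
    "RouterB": {"FastEthernet0/0.20": "10.0.1.1/24", "FastEthernet1/0.40": "10.0.3.1/27",
                "Serial0/0": "10.0.3.66/30", "Serial0/1": "10.0.3.69/30"},
    "RouterC": {"FastEthernet0/0.30": "10.0.2.1/24",
                "Serial0/0": "10.0.3.74/30", "Serial0/1": "10.0.3.65/30"},
}

# The EIGRP network statements from this page; the OSPF ones have the same
# "<address> <wildcard>" form with "area 0" appended.
EIGRP_NETWORKS = {
    "RouterA": ["10.0.3.68 0.0.0.3", "10.0.3.72 0.0.0.3", "10.0.3.32 0.0.0.31", "10.0.0.0 0.0.0.255"],
    "RouterB": ["10.0.1.0 0.0.0.255", "10.0.3.64 0.0.0.3", "10.0.3.0 0.0.0.31", "10.0.3.68 0.0.0.3"],
    "RouterC": ["10.0.2.0 0.0.0.255", "10.0.3.64 0.0.0.3", "10.0.3.72 0.0.0.3"],
}


def wildcard_for(prefixlen):
    """Wildcard (inverse) mask for a prefix length: /30 -> 0.0.0.3, /27 -> 0.0.0.31."""
    netmask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefixlen}").netmask)
    return str(ipaddress.IPv4Address(netmask ^ 0xFFFFFFFF))


def statement_matches(ip, statement):
    """True if 'network <address> <wildcard> [area N]' enables an interface with address ip.

    Wildcard bits set to 0 must match exactly; bits set to 1 are ignored. This is the
    comparison IOS makes, so a subnet mask typed by mistake (e.g. 255.255.255.252)
    leaves only the low two bits compared and matches almost nothing.
    """
    address, wildcard = statement.split()[:2]
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(address)) & care)


def enabled_interfaces(interfaces, statements):
    """Names of the interfaces whose address is matched by at least one network statement."""
    return {name for name, cidr in interfaces.items()
            if any(statement_matches(cidr.split("/")[0], s) for s in statements)}


def unenabled_links(routers, networks):
    """Point-to-point (/30) subnets where at least one end is not enabled for the protocol.

    Returns {subnet: [(router, interface, enabled), ...]}; an empty dict means every
    WAN link has both ends covered, so a neighbour relationship can form.
    """
    ends = {}
    for router, interfaces in routers.items():
        enabled = enabled_interfaces(interfaces, networks.get(router, []))
        for name, cidr in interfaces.items():
            subnet = ipaddress.IPv4Interface(cidr).network
            if subnet.prefixlen == 30:
                ends.setdefault(str(subnet), []).append((router, name, name in enabled))
    return {subnet: e for subnet, e in ends.items() if not all(on for _, _, on in e)}


if __name__ == "__main__":
    for router, interfaces in ROUTERS.items():
        print(router, sorted(enabled_interfaces(interfaces, EIGRP_NETWORKS[router])))
    print("links with an unenabled end:", unenabled_links(ROUTERS, EIGRP_NETWORKS))
```

Run as-is it reports every interface on all three routers as enabled and no half-covered links, which is what the page's configuration should give; remove one of the serial network statements, or replace a wildcard with a subnet mask, and the affected link is reported.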

We can stop OSPF hellos being sent out of an interface with the passive-interface command. This is useful on FastEthernet links facing a switched user network that has no routers on it: the interface's subnet is still advertised, but no adjacency can form there. Sending hellos on such links wastes bandwidth and CPU, and it is also a security measure, because a device plugged into that segment cannot become an OSPF neighbour and inject routes; on links that do need neighbours, OSPF authentication is the equivalent control.

configure terminal
router ospf 1
passive-interface FastEthernet0/0

Below are the commands for each device needed to make the diagram above fully functional (router serial interfaces start administratively down, so each one needs no shutdown as well as an address):

RouterA:

configure terminal
interface FastEthernet 0/0
no shutdown
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip address 10.0.0.1 255.255.255.0
interface FastEthernet1/0
no shutdown
interface FastEthernet1/0.50
encapsulation dot1Q 50
ip address 10.0.3.33 255.255.255.224
interface Serial0/0
ip address 10.0.3.73 255.255.255.252
no shutdown
interface Serial0/1
ip address 10.0.3.70 255.255.255.252
no shutdown
router ospf 1
network 10.0.3.68 0.0.0.3 area 0
network 10.0.3.0 0.0.0.127 area 0
network 10.0.3.72 0.0.0.3 area 0
network 10.0.0.0 0.0.0.255 area 0
passive-interface FastEthernet 0/0
passive-interface FastEthernet 1/0

RouterB:

configure terminal
interface FastEthernet0/0
no shutdown
interface FastEthernet0/0.20
encapsulation dot1Q 20
ip address 10.0.1.1 255.255.255.0
interface FastEthernet1/0
no shutdown
interface FastEthernet1/0.40
encapsulation dot1Q 40
ip address 10.0.3.1 255.255.255.224
interface Serial0/0
ip address 10.0.3.66 255.255.255.252
no shutdown
interface Serial0/1
ip address 10.0.3.69 255.255.255.252
clock rate 64000
no shutdown
router ospf 1
network 10.0.1.0 0.0.0.255 area 0
network 10.0.3.64 0.0.0.3 area 0
network 10.0.3.0 0.0.0.127 area 0
network 10.0.3.68 0.0.0.3 area 0
passive-interface FastEthernet 0/0
passive-interface FastEthernet 1/0

RouterC:

configure terminal
interface FastEthernet0/0
no shutdown
interface FastEthernet0/0.30
encapsulation dot1Q 30
ip address 10.0.2.1 255.255.255.0
interface Serial0/0
ip address 10.0.3.74 255.255.255.252
clock rate 64000
no shutdown
interface Serial0/1
ip address 10.0.3.65 255.255.255.252
clock rate 64000
no shutdown
router ospf 1
network 10.0.2.0 0.0.0.255 area 0
network 10.0.3.72 0.0.0.3 area 0
network 10.0.3.64 0.0.0.3 area 0
passive-interface FastEthernet0/0

SwitchA:

configure terminal
spanning-tree mode rapid-pvst
interface FastEthernet0/1
switchport mode trunk
interface FastEthernet0/2
switchport access vlan 10
switchport mode access
spanning-tree portfast
interface range FastEthernet0/3-24
switchport mode access
spanning-tree portfast

SwitchB:

configure terminal
spanning-tree mode rapid-pvst
interface FastEthernet0/1
switchport mode trunk
interface FastEthernet0/2
switchport access vlan 20
switchport mode access
spanning-tree portfast
interface range FastEthernet0/3-24
switchport mode access
spanning-tree portfast

SwitchC:

configure terminal
spanning-tree mode rapid-pvst
interface FastEthernet0/1
switchport mode trunk
interface FastEthernet0/2
switchport access vlan 30
switchport mode access
spanning-tree portfast
interface range FastEthernet0/3-24
switchport mode access
spanning-tree portfast

SwitchD:

configure terminal
spanning-tree mode rapid-pvst
interface FastEthernet0/1
switchport mode trunk
interface FastEthernet0/2
switchport access vlan 50
switchport mode access
spanning-tree portfast
interface range FastEthernet0/3-24
switchport mode access
spanning-tree portfast

SwitchE:

configure terminal
spanning-tree mode rapid-pvst
interface FastEthernet0/1
switchport mode trunk
interface FastEthernet0/2
switchport access vlan 40
switchport mode access
spanning-tree portfast
interface range FastEthernet0/3-24
switchport mode access
spanning-tree portfast

OSPF picks its router ID (RID) automatically: the highest IP address on any loopback interface, or, if there are no loopbacks, the highest IP address on an active physical interface. The RID identifies the router in the link-state database and is the tie-breaker in DR/BDR elections (after interface priority). Because a physical interface can go down and change the RID, it is a good idea to create a loopback interface so the RID is stable; Cisco recommends loopbacks for this.

Configuring a loopback is easy; let's do this on RouterC:

configure terminal
interface loopback 1
ip address 192.168.0.1 255.255.255.0

This doesn't automatically make the RID 192.168.0.1: the router ID is only chosen when the OSPF process starts, so we must either reload the router (inconvenient in a live environment) or use the router-id 192.168.0.1 command to set it explicitly. Either way the new ID only takes effect after clear ip ospf process or a reload, and IOS prints a reminder saying so.

configure terminal
router ospf 1
router-id 192.168.0.1

We can advertise a default route into OSPF with the default-information originate command under the OSPF configuration. It only advertises the default if the router itself has one in its routing table; default-information originate always (not supported in Packet Tracer) advertises a default even when none exists. To create the default route itself:

configure terminal
ip route 0.0.0.0 0.0.0.0 s0/1

Verify OSPF

Let's first check the RID of RouterC, which we can verify with the show ip ospf command on RouterC:

[Image: Show_IP_OSPF_RouterC]

We can check the OSPF-learned routes with show ip route (they are marked O):

[Image: OSPF_Show_IP_Route_RouterC]

We can verify WAN connectivity by pinging each PC from the others. I'm going to demonstrate PC3 pinging PC1:

[Image: OSPF_Ping_PC1_From_PC2]

show ip ospf neighbor lists all neighbours with their state (FULL is what we want on a point-to-point serial link) and the RID of each:

[Image: OSPF_Show_IP_neighbor_RouterB]

show ip ospf interface s0/0 shows whether the interface is up and OSPF details such as the timers, the area the interface is in and the network type:

[Image: OSPF_Show_IP_int_RouterA]

Troubleshoot OSPF

  • Ensure you're using a wildcard mask, not a subnet mask, in the network statements
  • Check the IP addresses and subnet masks on the WAN links; both ends must be in the same subnet
  • Serial interfaces with a DCE cable attached must be configured with the clock rate command, and every serial interface needs no shutdown
  • Routers must agree on hello and dead timers, area number and network type on a link, and the interface MTUs must match, or the adjacency will not form (an MTU mismatch leaves it stuck in EXSTART/EXCHANGE)
  • If OSPF authentication is used, the authentication type and key must match on both ends of the link
  • You may have accidentally configured passive-interface on a serial interface running OSPF – this stops hellos, so no neighbour forms on that link
  • debug ip ospf adj – shows adjacency state changes, including the DR and BDR election
  • debug ip ospf packet – shows OSPF packets received by the router
  • debug ip ospf hello – shows more detail about hello packets, both sent and received

You can download the Packet Tracer file here:
Download Packet Tracer OSPF configuration

Cisco ICND2 – Implement basic switch security (including: port security, unassigned ports, trunk access, etc.)

Basic switch security

In this topic we will discuss basic switch security and how we can lock down the ports on a switch. I found that in Packet Tracer port-security didn't work consistently and in some cases didn't work at all.

I would recommend configuring this on real equipment if possible. Packet Tracer will accept the commands but the desired effect might not happen.

[Image: interVLAN_Diagram]

Our three switches have 24 ports each, and currently only three ports are used on each switch. We will turn the remaining ports into access ports, to stop someone plugging in a switch and negotiating a trunk, and shut them down as well.

By default Catalyst ports are dynamic (desirable on older models, auto on newer ones), so a switch plugged into one can negotiate a trunk through DTP and gain access to every VLAN. switchport mode access makes the port a permanent non-trunk; adding switchport nonegotiate stops it sending DTP frames at all.

configure terminal
interface range fa0/4-fa0/24
switchport mode access
shutdown

We'll now configure fa0/3 on Switch A to dynamically learn the connected PC's MAC address and to shut the port down if a different MAC address (another device) appears on fa0/3. Port security is only accepted on a static access port, so the port must be set to switchport mode access first (otherwise IOS rejects it with "Command rejected: FastEthernet0/3 is a dynamic port."):

configure terminal
interface fa0/3
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security violation shutdown

The sticky keyword makes the switch learn the address from the first frame it sees and write it into the running-config as a secure address. Alternatively we can set the MAC address manually, where H.H.H is the PC's MAC address:

configure terminal
interface fa0/3
switchport port-security mac-address H.H.H

It’s possible to allow more than one MAC address assigned to a switchport:

configure terminal
interface fa0/3
switchport port-security maximum 2

Other violation modes:

switchport port-security violation restrict
switchport port-security violation protect

Restrict: known MAC addresses continue to send frames while frames from unknown MAC addresses are dropped; the violation counter is incremented and a syslog message and SNMP trap are generated (if configured).

Protect: known MAC addresses continue to send frames while frames from unknown MAC addresses are dropped, but nothing is logged and the violation counter does not change, so you will not know it happened.

Shutdown (the default): the port is put into the err-disabled state, so even the known device loses connectivity until an administrator clears it with shutdown followed by no shutdown (or errdisable recovery is configured).
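The three violation modes differ only in what happens to the unknown address and whether anyone is told. The following Python model (an added example, not Cisco code and not from the original post) runs a constructed sequence of source MAC addresses through one port in each mode; the MAC addresses are made up, and the notifications list stands in for the syslog message and SNMP trap a real switch would send.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """Model of one access port with 'switchport port-security' applied.

    Sticky and plain dynamic learning behave the same here; the only difference on a
    real switch is that sticky addresses are written to the running-config.
    """
    maximum: int = 1                 # switchport port-security maximum N
    violation: str = "shutdown"      # shutdown | restrict | protect
    secure_macs: set = field(default_factory=set)      # learned or configured addresses
    err_disabled: bool = False
    violation_count: int = 0
    notifications: list = field(default_factory=list)  # stand-in for syslog/SNMP traps

    def receive(self, src_mac):
        """Decide what happens to a frame from src_mac: 'forward' or 'drop'."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "drop"                   # nothing passes an err-disabled port
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)   # room left: learn it as a secure address
            return "forward"
        # Unknown source and the table is full: a security violation.
        if self.violation == "shutdown":
            self.err_disabled = True
            self.violation_count += 1
            self.notifications.append(f"err-disabled by {src_mac}")
        elif self.violation == "restrict":
            self.violation_count += 1
            self.notifications.append(f"violation from {src_mac}")
        # protect: dropped silently, no counter, no notification
        return "drop"

    def recover(self):
        """'shutdown' then 'no shutdown' on the interface clears the err-disabled state."""
        self.err_disabled = False


def simulate(violation, frames, maximum=1):
    """Run a sequence of source MACs through a fresh port; returns (decisions, port)."""
    port = SecurePort(maximum=maximum, violation=violation)
    return [port.receive(mac) for mac in frames], port


# Constructed traffic: the legitimate PC, then an unknown device plugged into the port.
PC_MAC = "0001.9633.4c01"
ROGUE_MAC = "00d0.ba11.2222"
FRAMES = [PC_MAC, PC_MAC, ROGUE_MAC, PC_MAC]

if __name__ == "__main__":
    for mode in ("shutdown", "restrict", "protect"):
        decisions, port = simulate(mode, FRAMES)
        print(f"{mode:9} {decisions} violations={port.violation_count} "
              f"err-disabled={port.err_disabled}")
```

The fourth frame is the one to watch: in shutdown mode the legitimate PC is cut off along with the intruder, in restrict and protect it keeps working, and only restrict leaves any trace of the event.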

Configuring violations is all well and good, but what happens if a PC hasn't been on a port for a while and a new PC is plugged in? The old address is still secure, so the port may go into the shutdown state.

We can configure how long before learned MAC addresses are removed using the aging command:

switchport port-security aging time 10

The aging time is in minutes, so 10 minutes in this example. By default the timer is absolute (the address is removed 10 minutes after it was learned). We can instead remove addresses only if the port has had no traffic from them:

switchport port-security aging type inactivity

Aging applies to dynamically learned secure addresses; sticky addresses do not age out, and statically configured ones only do if switchport port-security aging static is also set.

Verifying:

  • show port-security interface <interface>
  • show port-security address

Switch security practices:

  • Ensure physical access to switches is restricted
  • Set console, VTY and enable passwords (enable secret) on switches and configure login banners
  • Disable the web service if the switch runs one (no ip http server / no ip http secure-server)
  • Use an access list on the VTY lines to restrict SSH/Telnet access to a specific subnet or host
  • Use SSH rather than Telnet: Telnet is sent in plain text, SSH is encrypted (transport input ssh on the VTY lines)
  • Send syslog and SNMP traps to a collector so port-security violations and err-disabled ports are seen

Cisco ICND2 – Configure, verify, and troubleshoot RSTP operation

This topic will cover configuring, verifying and troubleshooting the rapid spanning tree protocol.

To enable rapid spanning tree protocol on our three switches:

Switch A:

configure terminal
spanning-tree mode rapid-pvst

Switch B:

configure terminal
spanning-tree mode rapid-pvst

Switch C:

configure terminal
spanning-tree mode rapid-pvst

We will also enable PortFast on our access ports (the ports with PCs connected). This lets the port skip the listening and learning states and go straight to forwarding, so it comes up instantly. Do not enable this on links to other switches: if a switch is plugged in, a temporary loop can form before BPDUs are processed. Enabling BPDU guard (spanning-tree bpduguard enable) on PortFast ports err-disables a port the moment a BPDU arrives on it, which is the usual safeguard.

Switch A:

configure terminal
interface fa0/3
spanning-tree portfast

Switch B:

configure terminal
interface fa0/3
spanning-tree portfast

IOS prints a warning every time PortFast is enabled; the second part tells you it has no effect while the port is trunking:

%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface  when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION

%Portfast has been configured on FastEthernet0/3 but will only
have effect when the interface is in a non-trunking mode.

That's all that's needed to enable rapid spanning tree and PortFast. Let's go one step further and force Switch C to become the root bridge for VLAN 1. Currently Switch B is the root, because all three switches have the default priority of 32768 and Switch B has the lowest MAC address.

We can do this in two ways: set the priority of VLAN 1 on Switch C to a much lower value such as 4096 (priorities must be multiples of 4096), or let the switch work out a value with the root primary macro.

Set the priority lower on Switch C:

configure terminal
spanning-tree vlan 1 priority 4096

Force switch as root:

configure terminal
spanning-tree vlan 1 root primary

I have gone with changing the priority to 4096. Either command only changes the root bridge for VLAN 1; other VLANs keep their own election.

Now if we do a show spanning-tree vlan 1 on Switch C:

[Image: RSTP_Show_Spanning_Tree]

The above shows the show spanning-tree output from Switch C. The bridge priority is displayed as 4097: the configured 4096 plus the extended system ID, which is the VLAN number (1). The output also states that this bridge is the root for VLAN 1.
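To show how the 4096 + VLAN figure and the root election fit together, here is an added Python example (not from the original post and not Cisco code) that elects the root among the three switches, applies the priority change, and models what the root primary macro picks: 24576 if the current root's priority is above that, otherwise 4096 below the current root's priority. The MAC addresses are constructed; Switch B being root by default follows from it having the lowest made-up MAC, matching what the page observes.

```python
# Constructed bridge MAC addresses for the three switches; all start at the default
# priority 32768. The lowest bridge ID (priority+VLAN, then MAC) wins the election.
SWITCHES = {
    "SwitchA": {"priority": 32768, "mac": "0001.4200.0003"},
    "SwitchB": {"priority": 32768, "mac": "0001.4200.0001"},
    "SwitchC": {"priority": 32768, "mac": "0001.4200.0002"},
}


def lab_switches():
    """A fresh copy of the three switches at their default priority."""
    return {name: dict(sw) for name, sw in SWITCHES.items()}


def bridge_priority(configured, vlan):
    """The Priority shown by 'show spanning-tree vlan N': configured value + sys-id-ext (the VLAN)."""
    if configured % 4096 or not 0 <= configured <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    return configured + vlan


def bridge_id(switch, vlan):
    """Bridge ID as compared during election: (priority incl. VLAN, MAC as a number)."""
    return (bridge_priority(switch["priority"], vlan), int(switch["mac"].replace(".", ""), 16))


def elect_root(switches, vlan):
    """Name of the switch with the lowest bridge ID for this VLAN."""
    return min(switches, key=lambda name: bridge_id(switches[name], vlan))


def set_priority(switches, name, vlan, value):
    """'spanning-tree vlan N priority VALUE'; returns the new root after the change."""
    bridge_priority(value, vlan)            # rejects values IOS would reject
    switches[name]["priority"] = value
    return elect_root(switches, vlan)


def root_primary(switches, name, vlan):
    """'spanning-tree vlan N root primary' as a macro: choose 24576 if the current root is
    above that, otherwise 4096 below the current root's priority. Returns the value chosen.
    (Simplification: the switch running the macro is treated like any other bridge.)
    """
    current = switches[elect_root(switches, vlan)]["priority"]
    value = 24576 if current > 24576 else current - 4096
    if value < 0:
        raise ValueError("current root is already at priority 0; cannot go lower")
    switches[name]["priority"] = value
    return value


if __name__ == "__main__":
    sw = lab_switches()
    print("default root:", elect_root(sw, 1))
    print("after SwitchC priority 4096, root:", set_priority(sw, "SwitchC", 1, 4096),
          "shown as priority", bridge_priority(4096, 1))
    print("root primary on SwitchA now picks:", root_primary(sw, "SwitchA", 1))
```

The last line is the reason to prefer an explicit priority on the switch you intend to keep as root: once one switch sits at 4096, root primary on another drops straight to 0, and after that the macro has nowhere left to go.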

Verifying:

To verify RSTP has been configured correctly we can go through the configuration with show running-config and check that spanning-tree mode rapid-pvst is present on all three switches.

The next command we can verify RSTP with is show spanning-tree, which shows which spanning-tree protocol is running (Spanning tree enabled protocol rstp), the root bridge, and the role and state of each port.

[Image: RSTP_Show_Spanning_Tree_SwitchB]

show spanning-tree summary gives a quick indication of which spanning-tree mode is configured and other useful information such as which VLANs are taking part in spanning tree.

[Image: RSTP_Show_Spanning_Tree_SwitchA]

Troubleshooting:

  • Ensure all switches are configured for rapid spanning tree. RSTP is backwards compatible, but a port facing a switch still running 802.1D falls back to the legacy timers on that link, so convergence is slow again
  • Check the cables between switches are correct (crossover)
  • Check you haven't enabled PortFast on a trunk link by mistake
  • Using the verify commands above helps greatly in understanding why RSTP isn't working (root bridge incorrect, port blocked, rapid spanning tree not configured)

Cisco ICND2 – Configure, verify, and troubleshoot VTP

In this topic I will discuss how to configure VTP on our switches. From this point onwards I will try to use our topology from the interVLAN topic.

[Image: interVLAN_Diagram]

We will configure Switch C and Switch B as our VTP servers and Switch A as our VTP client.

These are the global settings we will use on our three switches (note that both are case-sensitive):

VTP Domain: Cstark
VTP Password: cisco

Switch A:

configure terminal
vtp domain Cstark
vtp password cisco
vtp mode client

Switch B:

configure terminal
vtp domain Cstark
vtp password cisco

Switch C:

configure terminal
vtp domain Cstark
vtp password cisco

There is no need to specify server mode: switches are VTP servers by default. To return a client or transparent switch to server mode the command is vtp mode server.

On Switch C we will create four VLANs: 10, 20, 30 and 40. VLANs 10 and 20 already exist from the interVLAN topic, so we're just naming them here:

configure terminal
vlan 10
name Marketing
vlan 20
name IT
vlan 30
name Finance
vlan 40
name HR

If we go to Switch B and Switch A and issue a show vlan command, we will see that the new VLANs (30 and 40) and the names for 10 and 20 have been created for us automatically:

[Image: VTP_SwitchA_Show_VLAN]

Switch B:

[Image: VTP_SwitchB_Show_VLAN]

Let's try to configure VLAN 50 on Switch A:

[Image: VTP_SwitchA_VTP_Client]

We are unable to do so, because Switch A is a client. VTP is working correctly.

VTP pruning isn't supported by Packet Tracer as of version 5.3.3. The command is vtp pruning under global configuration. It stops broadcast and unknown-unicast traffic for a VLAN being flooded across a trunk to a switch that has no ports in that VLAN. It can only be enabled on servers, but the setting propagates to VTP clients. You could instead use switchport trunk allowed vlan <list> under each trunk interface to prune manually; this gives much greater control and also limits which VLANs a misconfigured or compromised downstream switch can reach.

I haven't configured a transparent switch; the command is vtp mode transparent. A transparent switch forwards VTP advertisements (in VTP version 2) but keeps its own local VLAN database and ignores their contents.

Verifying:

The following commands will help with verifying VTP on each switch:

  • show vtp status – shows the VTP version, the configuration revision number, the operating mode and the VTP domain name

[Image: VTP_SwitchC_VTP_Status]

The version line can be confusing. VTP Version: 2 means the switch is capable of version 2, while the VTP V2 Mode: Disabled line shows it is actually operating as version 1 (newer IOS releases print these as separate "capable" and "running" lines). Trying to force version 1 therefore results in the following:

Switch C(config)#vtp version 1
VTP mode already in V1.

  • show running-config – to verify VTP is configured correctly
  • show vlan – shows the VLANs that have been created

Troubleshooting:

  • show vtp status – the configuration revision number should be the same on every switch in the domain; a switch stuck at a lower number is not receiving updates (wrong domain, wrong password, or the link to it is not a trunk)
  • show vtp password will display the password if you've forgotten it
  • Ensure the domain name, version and password are the same on every switch – they are case sensitive!
  • If you cannot add a VLAN, the switch is probably in client mode instead of server mode
  • Before connecting any switch to the domain, check its revision number with show vtp status: a switch (server or client) in the same domain with the same password and a higher revision will overwrite every other switch's VLAN database. Setting it to transparent mode or changing its domain name resets the revision to 0
  • VTP versions 1 and 2 only carry normal-range VLANs (1 to 1005); the 255-VLAN figure is the platform limit on small access switches such as the 2960 rather than a VTP limit
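The revision number is the thing to watch. This added Python model (not the page's own and not Cisco code) builds the three switches as configured above, shows the client refusing a VLAN, and then demonstrates what the revision-number check is guarding against: a switch with a higher revision in the same domain and with the same password overwriting everyone's VLAN database. The takeover switch and its revision number are constructed, and real VTP carries an MD5 digest of the password rather than comparing it directly, which the model ignores.

```python
from dataclasses import dataclass, field


@dataclass
class VtpSwitch:
    """Simplified model of one switch's VTP state (version 1/2 behaviour)."""
    name: str
    mode: str = "server"          # server | client | transparent (default is server)
    domain: str = ""
    password: str = ""
    revision: int = 0             # configuration revision number
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def set_domain(self, domain):
        """'vtp domain NAME': case-sensitive, and changing it resets the revision to 0."""
        if domain != self.domain:
            self.domain, self.revision = domain, 0

    def set_mode(self, mode):
        """'vtp mode ...': moving to transparent also resets the revision to 0."""
        self.mode = mode
        if mode == "transparent":
            self.revision = 0

    def add_vlan(self, vid, name):
        """'vlan N' / 'name X'. Clients refuse; servers bump the revision; transparent keeps it local."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VLAN configuration not allowed in client mode")
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1
        return self.revision


def propagate(sender, switches):
    """Deliver the sender's advertisement to the other switches; returns the names whose
    VLAN database was replaced. A receiver applies the update only if domain and password
    match and the sender's revision is higher than its own, whether the sender is a server
    or a client. Transparent switches relay advertisements but never apply them.
    """
    replaced = []
    for sw in switches:
        if sw is sender or sw.mode == "transparent":
            continue
        if (sw.domain, sw.password) != (sender.domain, sender.password):
            continue
        if sender.revision > sw.revision:
            sw.vlans = dict(sender.vlans)
            sw.revision = sender.revision
            replaced.append(sw.name)
    return replaced


def build_lab():
    """The three switches from this page, configured as described above."""
    a, b, c = VtpSwitch("SwitchA", "client"), VtpSwitch("SwitchB"), VtpSwitch("SwitchC")
    for sw in (a, b, c):
        sw.set_domain("Cstark")
        sw.password = "cisco"
    for vid, name in ((10, "Marketing"), (20, "IT"), (30, "Finance"), (40, "HR")):
        c.add_vlan(vid, name)
    propagate(c, [a, b, c])
    return [a, b, c]


if __name__ == "__main__":
    lab = build_lab()
    print({sw.name: (sw.revision, sorted(sw.vlans)) for sw in lab})
    # Constructed: a switch recycled from another lab, same domain and password,
    # higher revision, and only the default VLAN in its database.
    stray = VtpSwitch("OldLabSwitch", "client", "Cstark", "cisco", revision=20)
    print("databases replaced by the stray switch:", propagate(stray, lab + [stray]))
    print({sw.name: (sw.revision, sorted(sw.vlans)) for sw in lab})
```

Note that the stray switch is a client: client mode prevents local VLAN changes, not the sending of advertisements, so it is no protection against this. Bouncing the recycled switch through transparent mode before cabling it in is what resets its revision.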

Cisco ICND2 – Configure, verify, and troubleshoot interVLAN routing

In this topic I will discuss how to configure interVLAN routing typically known as Router on a Stick.

This is the setup we will be working with in packet tracer:

interVLA _Diagram

Notice that PC1 and PC2 are in different VLANs and different IP subnets. We are going to allow them to communicate with each other via Router A.

First we are going to configure the trunk links between the switches and between Switch C and Router A. I will use the range command to save typing each interface individually.

Switch A

configure terminal
interface range fa0/1-fa0/2
switchport mode trunk

Switch B

configure terminal
interface range fa0/1-fa0/2
switchport mode trunk

Switch C

configure terminal
interface range fa0/1-fa0/3
switchport mode trunk

We will come back to Router A a little later on to finish the trunk configuration.

We need to configure the access ports and VLANs between the switches connected to PCs.

Switch A:

configure terminal
interface fa0/3
switchport access vlan 10

Switch B:

configure terminal
interface fa0/3
switchport access vlan 20

We will configure PC1 and PC2 with an IP address and default gateway.

PC1:
IP Address: 10.0.0.2
Subnet: 255.255.255.0
Default Gateway: 10.0.0.1

[Image: interVLAN_PC1]

PC2:
IP Address: 10.0.1.2
Subnet: 255.255.255.0
Default Gateway: 10.0.1.1

[Image: interVLAN_PC2]

If we try to ping PC2 from PC1 the ping fails. Why? Because the switches only forward frames within a VLAN, so nothing connects VLAN 10 to VLAN 20, and the PCs are in different IP subnets, so PC1 knows it must send the packet to its default gateway rather than directly to PC2.

To allow the two PCs to communicate we need to configure Router A to route packets between VLAN 10 and VLAN 20.

We set default gateways on PC1 and PC2; we will now configure those addresses on Router A. When PC1 or PC2 wants to send to a different subnet, it forwards the packet to its default gateway. The gateway looks up the destination in its routing table: if there is a matching route it forwards the packet, otherwise it drops it.

We will configure two sub-interfaces on Router A under fa0/0, one for VLAN 10 and one for VLAN 20. First we need to bring up the FastEthernet 0/0 interface itself, otherwise the sub-interfaces will stay down once configured.

Router A:

configure terminal
interface fa0/0
no shutdown

Now to configure the sub interfaces on Router A:

configure terminal
interface fa0/0.10
encapsulation dot1q 10
ip address 10.0.0.1 255.255.255.0
interface fa0/0.20
encapsulation dot1q 20
ip address 10.0.1.1 255.255.255.0

I tend to number sub-interfaces to match the VLAN number. This is handy when troubleshooting, as you can quickly identify which VLAN belongs to which sub-interface.

The encapsulation dot1q 10/20 command tells the sub-interface to send and receive frames tagged with VLAN 10/20 on the trunk; frames with any other tag are not handled by it. The router does not negotiate the trunk: the switch port facing it on Switch C must be configured as a trunk, which we did above.
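What the router actually does with a tagged frame is easiest to see in code. The following added Python example (not from the original post) builds an 802.1Q-tagged frame from PC1 to PC2 addressed to the gateway, and models Router A's forwarding: the tag selects the sub-interface, the destination is matched against the two connected routes, and the packet leaves re-tagged for VLAN 20 with the router's MAC as source and the TTL decremented. The MAC addresses and the ARP table are constructed; the IP addresses and sub-interfaces are the ones configured on this page.

```python
import ipaddress
import struct

# Router A's MAC address is constructed; the sub-interface addresses are those configured above.
ROUTER_MAC = "0000.0c12.3456"
SUBINTERFACES = {                                # VLAN tag -> sub-interface address
    10: ipaddress.ip_interface("10.0.0.1/24"),   # fa0/0.10
    20: ipaddress.ip_interface("10.0.1.1/24"),   # fa0/0.20
}
IP_OFFSET = 18    # 6 dst MAC + 6 src MAC + 4-byte 802.1Q tag + 2-byte EtherType


def mac_bytes(dotted):
    return bytes.fromhex(dotted.replace(".", ""))


def mac_str(raw):
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def ip_checksum(header):
    """RFC 791 header checksum; a header carrying a correct checksum sums to 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frame(dst_mac, src_mac, vlan, src_ip, dst_ip, ttl=64):
    """Ethernet II frame, 802.1Q tagged, carrying a minimal IPv4 header (protocol 1, no payload)."""
    fields = [0x45, 0, 20, 0, 0, ttl, 1, 0,
              ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed]
    header = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = ip_checksum(header)
    header = struct.pack("!BBHHHBBH4s4s", *fields)
    tag = struct.pack("!HHH", 0x8100, vlan & 0x0FFF, 0x0800)   # TPID, PCP/DEI=0 + VID, EtherType
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + tag + header


def parse_frame(frame):
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != 0x8100 or ethertype != 0x0800:
        raise ValueError("expected an 802.1Q-tagged IPv4 frame")
    ip = frame[IP_OFFSET:IP_OFFSET + 20]
    return {
        "dst_mac": mac_str(frame[0:6]), "src_mac": mac_str(frame[6:12]),
        "vlan": tci & 0x0FFF, "ttl": ip[8],
        "src_ip": ipaddress.ip_address(ip[12:16]), "dst_ip": ipaddress.ip_address(ip[16:20]),
    }


def route(frame, arp_table):
    """Router-on-a-stick forwarding for one frame arriving on the trunk.

    The VLAN tag selects the ingress sub-interface, the destination IP is matched against
    the connected routes, and the packet leaves re-tagged for the destination VLAN with the
    router's MAC as source. Returns the new frame, or None when the router drops it.
    """
    f = parse_frame(frame)
    if f["vlan"] not in SUBINTERFACES:            # no 'encapsulation dot1q' for this tag
        return None
    if f["dst_mac"] != ROUTER_MAC:                # not sent to the default gateway
        return None
    for egress_vlan, addr in SUBINTERFACES.items():
        if f["dst_ip"] in addr.network:           # connected route found
            if f["ttl"] <= 1 or str(f["dst_ip"]) not in arp_table:
                return None
            return build_frame(arp_table[str(f["dst_ip"])], ROUTER_MAC, egress_vlan,
                               str(f["src_ip"]), str(f["dst_ip"]), f["ttl"] - 1)
    return None                                   # no route: dropped


# Constructed PC MAC addresses; the IPs are PC1 and PC2 as configured above.
PC1_MAC, PC2_MAC = "0001.9600.0001", "0001.9600.0002"
ARP = {"10.0.0.2": PC1_MAC, "10.0.1.2": PC2_MAC}

if __name__ == "__main__":
    ping = build_frame(ROUTER_MAC, PC1_MAC, 10, "10.0.0.2", "10.0.1.2")
    print(parse_frame(route(ping, ARP)))
```

The two None paths are the troubleshooting bullets below in code form: a tag with no matching sub-interface (wrong access VLAN or missing encapsulation line) and a destination with no route are both silently dropped by the router, which is why a failed ping tells you little until you check each hop.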

That’s pretty much it. If we try to ping PC2 from PC1 we should see a successful ping:

[Image: interVLAN_PC1_Ping]

And from PC2 to PC1:

[Image: interVLAN_PC2_Ping]

Verifying:

We verified that PC1 can communicate with PC2 above.

We can show the routing table on Router A with show ip route:

[Image: interVLAN_RouterA_RoutingTable]

The above shows two directly connected routes (marked C), one for VLAN 10 and one for VLAN 20; this is how the router knows where to forward packets.

show running-config can be used on the switches and routers to check that the correct access VLANs are assigned, the trunk links are configured and the IP addresses are correct.

show vlan on the switches shows which VLANs are assigned to which ports.

Ping can also be used to verify connectivity. If you can't ping the destination IP, check that you can ping your local default gateway and then the destination's gateway, to narrow down where the problem lies.

Troubleshooting:

  • Ensure the links between switches and to the router are trunked
  • Make sure the PCs are in the correct VLANs
  • Make sure the PCs have the correct IP address, subnet mask and default gateway
  • Use tracert on the PCs to see where the packets stop
  • Check the router has the correct sub-interfaces and that their addresses match the default gateways of the PCs
  • The FastEthernet port on the router must be up (no shutdown), otherwise the sub-interfaces will not work
  • The correct cables must be used: PC to switch (straight-through), switch to switch (crossover) and switch to router (straight-through)