In this topic we will configure OSPF, verify and troubleshoot using show commands and what kinds of problems we can expect and how we can resolve these.
I have made some changes to our switch diagrams and added a couple of routers and re-jigged things around:
To enable OSPF we first need to enable the routing protocol:
router ospf 1
The value 1 is the instance number, this can be anything between 1 and 65535. Next we need to let the routing process know which networks we want to advertise, for example:
network 192.168.0.1 0.0.0.255 area 0
OSPF uses inverse (wildcard) subnet mask. The 0’s mean we want this part of the IP to exactly match (192.168.0.) and the last octet 255 means it can be any value. Area 0 is the backbone area for OSPF. I have kept this simple.
We can stop OSPF hellos being sent out of an interface using the passive-interface command. This can be useful on FastEthernet links that are connected to a switch network that do not need to receive routing updates. Sending routing updates to unnecessarily links can waste bandwidth and CPU resources also enhances security.
OSPF by default uses the highest IP address for its routing process ID. The routing process ID is used to elect DR and BDR as well as advertise routes. For this reason, it may be a good idea to create a loopback interface to override this to ensure that becomes RID, Cisco even suggests using loopbacks.
Configuring a loopback is easy, lets do this on RouterC:
interface loopback 1
ip address 192.168.0.1 255.255.255.0
This doesn’t automatically make the RID become 192.168.0.1 we must either reload the router – Which could be inconvenient in a live environment or we can using the command router-id 192.168.0.1 to force the change.
We can advertise default routes via the default-information originate command under the OSPF configuration. We can also use default-information originate always (not supported in Packet Tracer) – This advertises a default route even if one doesn’t exist, it will generate one and advertise this. To create a default route:
ip route 0.0.0.0 0.0.0.0 s0/1
Lets first begin by checking the RID of RouterC – We can verify this by using the show ip ospf command on RouterC:
We can check OSPF routes via the show ip route command:
We can verify WAN connectivity by pinging each PC from each other. I’m going to demonstrate PC3 pinging PC1:
show ip osfneighbor will show information about all neighbors:
show ip ospf interface s0/0 will display information about the interface state whether it is up and OSPF information such as timers, what area the interface is in and network type.
Ensure you’re using a wildcard mask and not a subnet mask when configuring OSPF
Check IP addressing and subnet masks are correctly configured on WAN links
Serial interfaces with a DCE cable attached must be configured with the clock rate command
Routers running OSPF must have the same hello and dead timers to form a adjacency
If using OSPF authentication must be match on other routers
You may have accidentally configured passive-interface on a Serial interface running OSPF – this will stop advertisements
debug ip ospf adj – shows elections for DR and BDR
debug ip ospf packet – shows ospf hello packets being received by the router
debug ip ospf hello – shows more in depth information relating to hello packets including being sent and received by the router
In this topic we will discuss basic switch security and how we can lock down the ports on a switch. I found when using Packet Tracer the port-security didn’t work constantly and in some cases didn’t work at all.
I would recommend configuring this if possible on real equipment. Packet Tracer will accept the commands but the desired effect might not happen.
Our three switches have 24 ports each, currently only three ports are used on each switch. With the remaining ports we will turn these into access ports to stop someone from plugging in a switch and creating a trunk link but we will also shut them down.
By default switches are in desired mode, meaning if another switch is plugged in it will trunk.
interface range fa0/4-fa0/24
switchport mode access
We’ll now configure fa0/3 on Switch A to dynamically learn the connected PC’s MAC address and setup violation so the port shutdowns if an unknown MAC address such as another device is plugged into fa0/3.
This topic will cover configuring, verifying and troubleshooting the rapid spanning tree protocol.
To enable rapid spanning tree protocol on our three switches:
spanning-tree mode rapid-pvst
spanning-tree mode rapid-pvst
spanning-tree mode rapid-pvst
We will also enable portfast on our access ports (PCs connected to the switches) – This will enable the ports to go straight to a forwarding state meaning the ports will instantly come up. You do not want to enable this on trunk links, this may cause issues with switching loops.
You will get a warning message about enabling portfast on trunk links.
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
%Portfast has been configured on FastEthernet0/3 but will only
have effect when the interface is in a non-trunking mode.
That’s all that’s needed to enabled rapid spanning-tree and portfast. Lets go one step further and lets force switch C become the root bridge for VLAN 1. Currently Switch B is the root.
We can do this two ways, one to set the priority of VLAN 1 to a much lower value for example 4096 or force the switch as the root.
I have gone with changing the priority to 4096, The above will only change the root bridge for VLAN 1.
Now if we do a show spanning-tree vlan 1 on Switch C:
The above shows a show spanning-tree output from Switch C. We can see the priority address has been changed to 4096+VLAN 1 (4097) and the bridge is the root for VLAN 1.
To verify RSTP has been configured correctly we can go through the configuration by using the show running-config command and verifying spanning-tree mode rapid-pvst has been entered on all three switches.
The next command we can verify RSTP with is show spanning-tree, this will show what type of spanning-tree is enabled and root bridge/interface statuses.
Show spanning-tree summary can be used to give a quick indication of what mode spanning tree is configured for and some other useful information such as what VLANs are taken part in spanning-tree.
Ensure all switches are configured for rapid-spanning tree – rapid-spanning tree is backwards compatible meaning it will match the normal spanning-tree timers and can cause slowness
Check cables between switches are correct – Crossover cable
Check you haven’t made a trunk link portfast by mistake
Using the verify commands above can greatly help with understanding why RSTP isn’t work (root bridge incorrect, port blocked, rapid-spanning tree not configured)
No need to specify the server mode. By default switches are servers. If required to change between client/transparent the command is vtp mode server.
On Switch C we will create four VLANs 10, 20 30 and 40. VLAN 10 and 20 are already configured, We’re just naming them here:
If we go to Switch B and switch A and issue a show vlan command we will notice the two VLANs have automatically been created for us:
Lets try and configure VLAN 50 on Switch A:
We are unable to do so! VTP is working correctly.
VTP Pruning isn’t supported as of writing this on Packet Tracer version 5.3.3. The command would be vtp pruning under global configuration. This will stop the advertisement of unused VLANs to other switches. This cannot be set on clients only servers but will propagate down to VTP clients. You could instead use switchport trunk allowed vlan #vlan under each interface to manually prune – this does give you much greater control.
I haven’t configured a transparent switch, the command to make a transparent switch is vtp mode transparent. A transparent switch will forward VTP information but has its own local database.
The following commands will help with verifying VTP on each switch:
show vtp status
The show VTP status command will show what VTP version is running, how many revisions, operating mode and VTP domain name.
The VTP version is in fact 1, I’m not sure why its showing 2. Trying to force VTP version 1 results in the following:
Switch C(config)#vtp version 1
VTP mode already in V1.
show running-config – to verify vtp is configured correctly
show vlan – will show the VLANs that have been created
show vtp status – checking revision numbers are consistent across switches will indicate if VTP is working correctly
show vtp password will display the password if you’ve forgotten it
Ensure Domain name, version and password are the same – these are case sensitive!
If you cannot add a VLAN, the switch may be configured with client instead of server
We will configure PC1 and PC2 with an IP address and default gateway.
IP Address: 10.0.0.2
Default Gateway: 10.0.0.1
IP Address: 10.0.1.2
Default Gateway: 10.0.1.1
If we try and ping PC2 from PC1 the result will fail. Why? Because there’s no way for VLAN 10 and VLAN 20 to communicate, Also they’re in different subnets.
To allow these two PCs to communicate we need to configure Router A to route frames between VLAN 10 and VLAN 20.
If you noticed we set default gateways on PC1 and PC2, we will now configure these on Router A. This way, when PC1 or PC2 wants to send a frame to a different subnet, it will forward to the default gateway, the default gateway will lookup to see if it has an entry in its routing table if it does, it will forward otherwise it will drop the frame.
We will configure two sub interfaces on Router A under fa0/0 one for VLAN 10 and one for VLAN20. First we need to bring up the fast ethernet 0/0 interface up, otherwise the sub interfaces once configured will not work.
Now to configure the sub interfaces on Router A:
encapsulation dot1q 10
ip address 10.0.0.1 255.255.255.0
encapsulation dotq1 20
ip address 10.0.1.1 255.255.255.0
I tend to create sub-interfaces that match the VLAN number, this is handy when trying to troubleshoot as you can quickly identify which VLAN belongs to which sub-interface.
The encapsulation dot1q 10/20 command defines the sub interface as a trunk link and that it expects to send/receive VLAN 10/20 traffic on this interface.
That’s pretty much it. If we try to ping PC2 from PC1 we should see a successful ping: