In this topic we will configure OSPF, verify and troubleshoot using show commands and what kinds of problems we can expect and how we can resolve these.
I have made some changes to our switch diagrams and added a couple of routers and re-jigged things around:
To enable OSPF we first need to enable the routing protocol:
configure terminal
router ospf 1
The value 1 is the instance number, this can be anything between 1 and 65535. Next we need to let the routing process know which networks we want to advertise, for example:
network 192.168.0.1 0.0.0.255 area 0
OSPF uses inverse (wildcard) subnet mask. The 0’s mean we want this part of the IP to exactly match (192.168.0.) and the last octet 255 means it can be any value. Area 0 is the backbone area for OSPF. I have kept this simple.
We can stop OSPF hellos being sent out of an interface using the passive-interface command. This can be useful on FastEthernet links that are connected to a switch network that do not need to receive routing updates. Sending routing updates to unnecessarily links can waste bandwidth and CPU resources also enhances security.
OSPF by default uses the highest IP address for its routing process ID. The routing process ID is used to elect DR and BDR as well as advertise routes. For this reason, it may be a good idea to create a loopback interface to override this to ensure that becomes RID, Cisco even suggests using loopbacks.
Configuring a loopback is easy, lets do this on RouterC:
configre terminal
interface loopback 1
ip address 192.168.0.1 255.255.255.0
This doesn’t automatically make the RID become 192.168.0.1 we must either reload the router – Which could be inconvenient in a live environment or we can using the command router-id 192.168.0.1 to force the change.
We can advertise default routes via the default-information originate command under the OSPF configuration. We can also use default-information originate always (not supported in Packet Tracer) – This advertises a default route even if one doesn’t exist, it will generate one and advertise this. To create a default route:
configure terminal
ip route 0.0.0.0 0.0.0.0 s0/1
Verify OSPF
Lets first begin by checking the RID of RouterC – We can verify this by using the show ip ospf command on RouterC:
We can check OSPF routes via the show ip route command:
We can verify WAN connectivity by pinging each PC from each other. I’m going to demonstrate PC3 pinging PC1:
show ip osfneighbor will show information about all neighbors:
show ip ospf interface s0/0 will display information about the interface state whether it is up and OSPF information such as timers, what area the interface is in and network type.
Troubleshoot OSPF
Ensure you’re using a wildcard mask and not a subnet mask when configuring OSPF
Check IP addressing and subnet masks are correctly configured on WAN links
Serial interfaces with a DCE cable attached must be configured with the clock rate command
Routers running OSPF must have the same hello and dead timers to form a adjacency
If using OSPF authentication must be match on other routers
You may have accidentally configured passive-interface on a Serial interface running OSPF – this will stop advertisements
debug ip ospf adj – shows elections for DR and BDR
debug ip ospf packet – shows ospf hello packets being received by the router
debug ip ospf hello – shows more in depth information relating to hello packets including being sent and received by the router
In this topic we will discuss basic switch security and how we can lock down the ports on a switch. I found when using Packet Tracer the port-security didn’t work constantly and in some cases didn’t work at all.
I would recommend configuring this if possible on real equipment. Packet Tracer will accept the commands but the desired effect might not happen.
Our three switches have 24 ports each, currently only three ports are used on each switch. With the remaining ports we will turn these into access ports to stop someone from plugging in a switch and creating a trunk link but we will also shut them down.
By default switches are in desired mode, meaning if another switch is plugged in it will trunk.
configure terminal
interface range fa0/4-fa0/24
switchport mode access
shutdown
We’ll now configure fa0/3 on Switch A to dynamically learn the connected PC’s MAC address and setup violation so the port shutdowns if an unknown MAC address such as another device is plugged into fa0/3.
Restrict: This mode allows known MAC addresses to continue sending frames whilst blocking unknown MAC addresses from sending. A violation message is sent to a SNMP service if configured.
Protect: This mode allows known MAC addresses to continue sending frames whilst blocking unknown MAC addresses from sending. A violated message is not sent.
Configuring violations are all well and good but what happens if a PC hasn’t been live on a port for a while? a new PC will come along and the port may be put into a shutdown state.
We can configure how long before the MAC addresses are pruned using the aging command:
switchport port-security aging time 10
The aging timer is done in minutes, so 10 minutes in this example.
We can also prune the MAC addresses if the port has had no activity:
switchport port-security aging type inactivity
Verifying:
show port-security interface <interface>
show port-security address
Switch security practises:
Ensure physical access to switches is restricted
Set login password/enable passwords on switches and configure banners
Web service can be disabled if the switch supports web service (no ip http server/secure server)
Access-lists can be used to restrict SSH/telnet access by only allowing a specific subnet or host to SSH/telnet to the switch
Use SSH rather than telnet as it’s more secure – Telnet is sent in plain text, SSH is encrypted
This topic will cover configuring, verifying and troubleshooting the rapid spanning tree protocol.
To enable rapid spanning tree protocol on our three switches:
Switch A:
configure terminal
spanning-tree mode rapid-pvst
Switch B:
configure terminal
spanning-tree mode rapid-pvst
Switch C:
configure terminal
spanning-tree mode rapid-pvst
We will also enable portfast on our access ports (PCs connected to the switches) – This will enable the ports to go straight to a forwarding state meaning the ports will instantly come up. You do not want to enable this on trunk links, this may cause issues with switching loops.
You will get a warning message about enabling portfast on trunk links.
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
%Portfast has been configured on FastEthernet0/3 but will only
have effect when the interface is in a non-trunking mode.
That’s all that’s needed to enabled rapid spanning-tree and portfast. Lets go one step further and lets force switch C become the root bridge for VLAN 1. Currently Switch B is the root.
We can do this two ways, one to set the priority of VLAN 1 to a much lower value for example 4096 or force the switch as the root.
I have gone with changing the priority to 4096, The above will only change the root bridge for VLAN 1.
Now if we do a show spanning-tree vlan 1 on Switch C:
The above shows a show spanning-tree output from Switch C. We can see the priority address has been changed to 4096+VLAN 1 (4097) and the bridge is the root for VLAN 1.
Verifying:
To verify RSTP has been configured correctly we can go through the configuration by using the show running-config command and verifying spanning-tree mode rapid-pvst has been entered on all three switches.
The next command we can verify RSTP with is show spanning-tree, this will show what type of spanning-tree is enabled and root bridge/interface statuses.
Show spanning-tree summary can be used to give a quick indication of what mode spanning tree is configured for and some other useful information such as what VLANs are taken part in spanning-tree.
Troubleshooting:
Ensure all switches are configured for rapid-spanning tree – rapid-spanning tree is backwards compatible meaning it will match the normal spanning-tree timers and can cause slowness
Check cables between switches are correct – Crossover cable
Check you haven’t made a trunk link portfast by mistake
Using the verify commands above can greatly help with understanding why RSTP isn’t work (root bridge incorrect, port blocked, rapid-spanning tree not configured)
No need to specify the server mode. By default switches are servers. If required to change between client/transparent the command is vtp mode server.
On Switch C we will create four VLANs 10, 20 30 and 40. VLAN 10 and 20 are already configured, We’re just naming them here:
configure terminal
vlan 10
name Marketing
vlan 20
name IT
vlan 30
name Finance
vlan 40
name HR
If we go to Switch B and switch A and issue a show vlan command we will notice the two VLANs have automatically been created for us:
Switch B:
Lets try and configure VLAN 50 on Switch A:
We are unable to do so! VTP is working correctly.
VTP Pruning isn’t supported as of writing this on Packet Tracer version 5.3.3. The command would be vtp pruning under global configuration. This will stop the advertisement of unused VLANs to other switches. This cannot be set on clients only servers but will propagate down to VTP clients. You could instead use switchport trunk allowed vlan #vlan under each interface to manually prune – this does give you much greater control.
I haven’t configured a transparent switch, the command to make a transparent switch is vtp mode transparent. A transparent switch will forward VTP information but has its own local database.
Verifying:
The following commands will help with verifying VTP on each switch:
show vtp status
The show VTP status command will show what VTP version is running, how many revisions, operating mode and VTP domain name.
The VTP version is in fact 1, I’m not sure why its showing 2. Trying to force VTP version 1 results in the following:
Switch C(config)#vtp version 1
VTP mode already in V1.
show running-config – to verify vtp is configured correctly
show vlan – will show the VLANs that have been created
Troubleshooting:
show vtp status – checking revision numbers are consistent across switches will indicate if VTP is working correctly
show vtp password will display the password if you’ve forgotten it
Ensure Domain name, version and password are the same – these are case sensitive!
If you cannot add a VLAN, the switch may be configured with client instead of server
In this topic I will discuss how to configure interVLAN routing typically known as Router on a Stick.
This is the setup we will be working with in packet tracer:
Notice that PC1 and PC2 are in different VLANs and different IP subnets. We are going to allow them to communicate with each other via Router A.
First we are going to configure the trunk links between each of the switches and between switch C and Router A. I will use the range command to save keep typing the individual interfaces.
Switch A
configure terminal
interface range fa0/1-fa0/2
switchport mode trunk
Switch B
configure terminal
interface range fa0/1-fa0/2
switchport mode trunk
Switch C
configure terminal
interface range fa0/1-fa0/3
switchport mode trunk
We will come back to Router A a little later on to finish the trunk configuration.
We need to configure the access ports and VLANs between the switches connected to PCs.
We will configure PC1 and PC2 with an IP address and default gateway.
PC1:
IP Address: 10.0.0.2
Subnet: 255.255.255.0
Default Gateway: 10.0.0.1
PC2:
IP Address: 10.0.1.2
Subnet: 255.255.255.0
Default Gateway: 10.0.1.1
If we try and ping PC2 from PC1 the result will fail. Why? Because there’s no way for VLAN 10 and VLAN 20 to communicate, Also they’re in different subnets.
To allow these two PCs to communicate we need to configure Router A to route frames between VLAN 10 and VLAN 20.
If you noticed we set default gateways on PC1 and PC2, we will now configure these on Router A. This way, when PC1 or PC2 wants to send a frame to a different subnet, it will forward to the default gateway, the default gateway will lookup to see if it has an entry in its routing table if it does, it will forward otherwise it will drop the frame.
We will configure two sub interfaces on Router A under fa0/0 one for VLAN 10 and one for VLAN20. First we need to bring up the fast ethernet 0/0 interface up, otherwise the sub interfaces once configured will not work.
Router A:
configure terminal
interface fa0/0
no shutdown
Now to configure the sub interfaces on Router A:
configure terminal
interface fa0/0.10
encapsulation dot1q 10
ip address 10.0.0.1 255.255.255.0
interface fa0/0.20
encapsulation dotq1 20
ip address 10.0.1.1 255.255.255.0
I tend to create sub-interfaces that match the VLAN number, this is handy when trying to troubleshoot as you can quickly identify which VLAN belongs to which sub-interface.
The encapsulation dot1q 10/20 command defines the sub interface as a trunk link and that it expects to send/receive VLAN 10/20 traffic on this interface.
That’s pretty much it. If we try to ping PC2 from PC1 we should see a successful ping:
We verified that PC1 can communicate with PC2 above.
We can show the routing table on RouterA:
The above shows two directly connected routes, one for VLAN 10 and one for VLAN 20 this is how the router knows where to route to.
show running-config can be used on the switches and routers to ensure correct access VLAN assigned, trunk links are configured and correct IP addresses.
show vlan on the switches will show what VLANs are assigned to which ports.
Ping can we be used to verify connectivity, if you cant ping the destination IP, ensure you can ping your local default gateway and then destination gateway to try and figure where the problems lies.
Troubleshooting:
Ensure the links between switches and routers are trunked
Make sure PCs are in correct VLANs
Make sure PCs have correct IP Subnet / Default Gateway addresses
Use tracert on the PCs to see where the frames are failing
Check the router to make sure has the correct sub-interfaces and they match the default gateway of the PCs
The fast ethernet port on the router should be up (no shutdown) otherwise sub-interfaces will not work
Correct cables must be used between PC and switch (straight through) switch to switch (crossover) and switch to router (straight through)