Cisco

All things Cisco

Cisco IOS Switch Basic Setup

Network Topology

image.png

Router0 Configuration Commands

Router0>enable
Router0#configure terminal
Router0(config)# interface fastEthernet 0/1
Router0(config-if)#ip address 172.16.1.1 255.255.255.0
Router0(config-if)#no shutdown
Router0(config-if)#interface fastEthernet 0/0
Router0(config-if)#ip address 192.168.10.1 255.255.255.0
Router0(config-if)#no shutdown
Router0(config-if)#exit
Router0(config)#exit
Router0#show ip interface brief

image.png

Remote Laptop Configuration

image.png

image.png

image.png

Switch0 Configuration Commands using Local Laptop and Console Cable

Connect to Switch0 using Terminal

image.png

Set hostname of the switch to Switch0

Switch>enable
Switch#configure terminal
Switch(config)#hostname Switch0
Switch0(config)#

Configure the message of the day as "Authorized access only. Unauthorized access is forbidden."

Switch0(config)#banner motd #
Enter TEXT message.  End with the character '#'.
Authorized access only. Unauthorized access is forbidden.#
Switch0(config)#end
Switch0#exit

image.png

Configure the password for privileged mode access as "cisco". The password must be MD5 encrypted.

Switch0>enable
Switch0#configure terminal
Switch0(config)#enable secret cisco
Switch0(config)#service password-encryption

Configure CONSOLE access with the following settings:

Switch0(config)#line con 0
Switch0(config-line)#password ciscoconsole
Switch0(config-line)#logging synchronous
Switch0(config-line)#login
Switch0(config-line)#history size 20
Switch0(config-line)#exec-timeout 5 30
Switch0(config-line)#exit
Switch0(config)#

Configure TELNET access with the following settings:

Switch0(config)#line vty 0 15
Switch0(config-line)#password ciscotelnet
Switch0(config-line)#logging synchronous
Switch0(config-line)#login
Switch0(config-line)#history size 20
Switch0(config-line)#exec-timeout 10 45
Switch0(config-line)#exit
Switch0(config)#

Configure the IP address of Switch0 as 192.168.10.2/24 and its default gateway IP (192.168.10.1).

Switch0(config)#interface vlan1
Switch0(config-if)#ip address 192.168.10.2 255.255.255.0
Switch0(config-if)#no shutdown
Switch0(config-if)#exit
Switch0(config)#ip default-gateway 192.168.10.1
Switch0(config)#end
Switch0#exit
Switch0>
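The console and VTY settings just configured are the ones a hardening review looks for, so here is an added Python example (not from the original notes) that reads a constructed running-config matching the commands above and reports which of those settings are missing or weak on each line. The config text, the type 5 hash and the type 7 strings in it are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample: the running-config the commands in this section produce
# on Switch0. 'enable secret' is stored as a type 5 (MD5) hash and
# 'service password-encryption' turns the line passwords into type 7 strings;
# both values below are placeholders, not real hashes.
SAMPLE_CONFIG = """\
hostname Switch0
!
enable secret 5 $1$PLACEHOLDER$MD5HASHxxxxxxxxxxxxxxx
service password-encryption
!
banner motd ^CAuthorized access only. Unauthorized access is forbidden.^C
!
interface Vlan1
 ip address 192.168.10.2 255.255.255.0
!
ip default-gateway 192.168.10.1
!
line con 0
 password 7 PLACEHOLDERTYPE7STRING
 logging synchronous
 login
 history size 20
 exec-timeout 5 30
line vty 0 15
 password 7 PLACEHOLDERTYPE7STRING
 logging synchronous
 login
 history size 20
 exec-timeout 10 45
!
end
"""


def parse_line_blocks(config: str) -> Dict[str, List[str]]:
    """Return {'con 0': [sub-commands], 'vty 0 15': [sub-commands]}."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[len("line "):].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the line block
    return blocks


def audit_line(name: str, cmds: List[str]) -> List[str]:
    """Findings for one 'line' block; an empty list means nothing to flag."""
    findings = []
    passwords = [c for c in cmds if c.startswith("password ")]
    if not any(c == "login" or c.startswith("login ") for c in cmds):
        findings.append(f"line {name}: no 'login', so the line never asks for a password")
    if not passwords:
        findings.append(f"line {name}: no line password configured")
    elif any(not c.startswith("password 7 ") for c in passwords):
        findings.append(f"line {name}: line password is stored in clear text")
    timeouts = [c for c in cmds if c.startswith("exec-timeout")]
    if not timeouts:
        findings.append(f"line {name}: no exec-timeout, idle sessions never expire")
    elif "exec-timeout 0 0" in timeouts:
        findings.append(f"line {name}: 'exec-timeout 0 0' disables the idle timeout")
    if name.startswith("vty") and "transport input ssh" not in cmds:
        # The section above deliberately uses Telnet; a review still records it.
        findings.append(f"line {name}: transport input is not limited to ssh")
    return findings


def audit_config(config: str) -> List[str]:
    """Device-wide findings followed by per-line findings."""
    findings = []
    if not re.search(r"^enable secret ", config, re.M):
        findings.append("no 'enable secret': privileged mode is not protected by a hashed password")
    if not re.search(r"^service password-encryption$", config, re.M):
        findings.append("'service password-encryption' is off: line passwords are readable in the config")
    for name, cmds in parse_line_blocks(config).items():
        findings.extend(audit_line(name, cmds))
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the only finding is the Telnet VTY; feed it a config with `password cisco` and no `exec-timeout` and the clear-text and idle-session findings appear as well.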

Test Telnet Connectivity from the Remote Laptop Using Telnet Client

image.png

Change the Connection Type to Telnet and then put in Switch0's IP address.  Then click Connect.

image.png

Notice the MOTD Banner and the prompt for the telnet password.  Enter ciscotelnet.

image.png

We're in!

image.png

Cisco Packet Tracer File

net8 basic switch setup.pkt

Cisco IOS Router Static Route

Network Topology

image.png

Router0 Configuration Commands

Router0>enable
Router0#configure terminal
Router0(config)# interface fastEthernet 0/0
Router0(config-if)#ip address 172.16.1.1 255.255.255.248
Router0(config-if)#no shutdown
Router0(config-if)#interface fastEthernet 0/1
Router0(config-if)#ip address 192.168.10.1 255.255.255.0
Router0(config-if)#no shutdown
Router0(config-if)#exit
Router0(config)#ip route 192.168.20.0 255.255.255.0 172.16.1.2
Router0(config)#exit
Router0#show ip interface brief

image.png

Router0#show ip route

image.png

Router1 Configuration Commands

Router1>enable
Router1#configure terminal
Router1(config)# interface fastEthernet 0/0
Router1(config-if)#ip address 172.16.1.2 255.255.255.248
Router1(config-if)#no shutdown
Router1(config-if)#interface fastEthernet 0/1
Router1(config-if)#ip address 192.168.20.1 255.255.255.0
Router1(config-if)#no shutdown
Router1(config-if)#exit
Router1(config)#ip route 192.168.10.0 255.255.255.0 172.16.1.1
Router1(config)#exit
Router1#show ip interface brief

image.png

Router1#show ip route

image.png

Switch0 Configuration Commands

Switch0>enable
Switch0#configure terminal
Switch0(config)#int vlan1
Switch0(config-if)#ip address 192.168.10.2 255.255.255.0
Switch0(config-if)#no shutdown
Switch0(config-if)#exit
Switch0(config)#ip default-gateway 192.168.10.1
Switch0(config)#do show interface vlan 1

image.png

Switch1 Configuration Commands

Switch1>enable
Switch1#configure terminal
Switch1(config)#int vlan1
Switch1(config-if)#ip address 192.168.20.2 255.255.255.0
Switch1(config-if)#no shutdown
Switch1(config-if)#exit
Switch1(config)#ip default-gateway 192.168.20.1
Switch1(config)#do show interface vlan 1

image.png

PC0 Configuration

image.png

image.png

PC1 Configuration

image.png

image.png

Test Connectivity via Static Route

image.png

image.png

Cisco Packet Tracer File

net9 static routing.pkt

Cisco IOS Router on a Stick

Network Topology

image.png

Router0 Configuration Commands

Router0>enable
Router0#configure terminal
Router0(config)#interface fastEthernet 0/0
Router0(config-if)#no shutdown
Router0(config-if)#interface fastEthernet 0/0.10
Router0(config-subif)#encapsulation dot1q 10
Router0(config-subif)#ip address 192.168.10.1 255.255.255.0
Router0(config-subif)#interface fastEthernet 0/0.20
Router0(config-subif)#encapsulation dot1q 20
Router0(config-subif)#ip address 192.168.20.1 255.255.255.0
Router0(config-subif)#interface fastEthernet 0/0.30
Router0(config-subif)#encapsulation dot1q 30
Router0(config-subif)#ip address 192.168.30.1 255.255.255.0
Router0(config-subif)#end
Router0#show ip interface brief

image.png

Router0#show interfaces

image.png

Switch0 Configuration Commands

Switch0>enable
Switch0#configure terminal
Switch0(config)#interface fastEthernet 0/1
Switch0(config-if)#switchport mode trunk
Switch0(config-if)#interface fastEthernet 0/2
Switch0(config-if)#switchport access vlan 10
Switch0(config-if)#interface fastEthernet 0/3
Switch0(config-if)#switchport access vlan 20
Switch0(config-if)#interface fastEthernet 0/4
Switch0(config-if)#switchport access vlan 30
Switch0(config-if)#end
Switch0#show vlan brief

image.png

Switch0#show interfaces status

image.png

Configure the Three PCs

PC0

image.png

image.png

PC1

image.png

image.png

PC2

image.png

image.png

Test with Ping and Tracert

image.png

image.png

image.png

Cisco Packet Tracer File

net12 router on a stick.pkt

Cisco IOS Discovery Protocol

Network Topology

image.png

Premise

When you have a detailed topology map like the one above it is easy to know what interfaces and what devices you are working with.  However, a topology map like this is often not readily available.  Instead, you are on one end of the equation in a wiring closet or data center removed from the far side equipment and you are staring at a console screen like this.

image.png

And it is left to you to figure out what is connected to your device on the other end. What can you use to figure this out? Cisco provides some help by way of the Cisco Discovery Protocol (CDP). CDP is enabled by default on Cisco devices and works on directly connected interfaces. CDP messages are configured to broadcast every 60 seconds by default; this interval can be modified. When a device receives a CDP broadcast, the information is stored in a table. The show cdp neighbors command displays information about directly connected Cisco devices.

Now suppose instead of a nice all-filled-in topology diagram you have this. You have been told that there are routers connected to the other end of the Router0 interfaces.  One router is a Cisco 1841 but the technician is not sure what the other router is.  The interface connected to the 1841 is in the 192.168.10.0/24 network.  The other interface should be configured within the 192.168.20.0/24 network.

image.png

Solution

Router0 Commands

Router0>enable
Router0#configure terminal
Router0(config)#interface fastEthernet 0/0
Router0(config-if)#no shutdown
Router0(config-if)#interface fastEthernet 0/1
Router0(config-if)#no shutdown
Router0(config-if)#end
Router0#show ip interface brief

image.png

As can be seen from the show ip interface brief output, the interfaces are up but no Layer 3 IP addresses are configured. That will need to be addressed later. For now, we can find out which devices are connected to which interfaces by using the show cdp commands. First, we will check that CDP is configured and working on Router0.

Router0#show cdp interface

image.png

Yes, CDP is configured and sending packets every 60 seconds, which is the default behavior. Now let's see if any CDP packets are arriving from Cisco devices on the other end of the Ethernet connections.

Router0#show cdp neighbors

image.png

The results of the show cdp neighbors command indicate that Cisco devices are attached. On the FastEthernet 0/1 port the Cisco 1841 router is connected, just as the technician had stated. On the FastEthernet 0/0 port there is a Cisco 2900 router. In addition, we can see from the output that on the 1841 the connection is on FastEthernet 0/0, while on the 2900 we are connected to GigabitEthernet 0/2. If we want more details, we can use the command show cdp entry *.

Router0#show cdp entry *

image.png

From this we can see the configured IP addresses of the two connected devices.  We can verify that the connected device types are in fact routers. We can even see the Cisco IOS version installed on the routers.  Finally, we can see that the CDP type is version 2 as shown by the 'advertisement version'.

Let's jump back into Router0 and configure some IP addressing now that we know the IP addresses on the far side of the connections.

Router0#configure terminal
Router0(config)#interface fastEthernet 0/0
Router0(config-if)#ip address 192.168.20.2 255.255.255.0
Router0(config-if)#interface fastEthernet 0/1
Router0(config-if)#ip address 192.168.10.2 255.255.255.0
Router0(config-if)#end
Router0#show ip interface brief

image.png

Router0#ping 192.168.10.1

image.png

Router0#ping 192.168.20.1

image.png

Success!

Cisco Packet Tracer File

net10 cdp neighbors.pkt




Cisco IOS RIPv2 Protocol

Network Topology

image.png

Router0 Configuration Commands

Router0>enable
Router0#configure terminal
Router0(config)#interface serial 0/0/0
Router0(config-if)#ip address 172.16.1.1 255.255.255.248
Router0(config-if)#no shutdown
Router0(config-if)#interface gigabitEthernet 0/0
Router0(config-if)#ip address 192.168.10.1 255.255.255.0
Router0(config-if)#no shutdown
Router0(config-if)#exit
Router0(config)#router rip
Router0(config-router)#version 2
Router0(config-router)#network 192.168.10.0
Router0(config-router)#network 172.16.1.0
Router0(config-router)#no auto-summary
Router0(config-router)#end

Router1 Configuration Commands

Router1>enable
Router1#configure terminal
Router1(config)#interface serial 0/0/0
Router1(config-if)#ip address 172.16.1.2 255.255.255.248
Router1(config-if)#no shutdown
Router1(config-if)#interface gigabitEthernet 0/0
Router1(config-if)#ip address 192.168.20.1 255.255.255.0
Router1(config-if)#no shutdown
Router1(config-if)#exit
Router1(config)#router rip
Router1(config-router)#version 2
Router1(config-router)#network 192.168.20.0 
Router1(config-router)#network 172.16.1.0
Router1(config-router)#no auto-summary
Router1(config-router)#end

Verify RIPv2 Configuration

Router0#show ip route

image.png

Router0#show ip rip database

image.png

Router0#show ip protocols

image.png

Ping and Tracert Check

image.png

Cisco Packet Tracer File

net18 ripv2.pkt

Cisco IOS EIGRP Protocol

Network Topology

image.png

Router0 Configuration Commands

Router0>enable
Router0#configure terminal
Router0(config)#interface serial 0/0/0
Router0(config-if)#ip address 172.16.1.1 255.255.255.248
Router0(config-if)#no shutdown
Router0(config-if)#interface gigabitEthernet 0/0
Router0(config-if)#ip address 192.168.10.1 255.255.255.0
Router0(config-if)#no shutdown
Router0(config-if)#exit
Router0(config)#router eigrp 100
Router0(config-router)#network 192.168.10.0 0.0.0.0
Router0(config-router)#network 172.16.1.0 0.0.0.0
Router0(config-router)#no auto-summary
Router0(config-router)#end

Router1 Configuration Commands

Router1>enable
Router1#configure terminal
Router1(config)#interface serial 0/0/0
Router1(config-if)#ip address 172.16.1.2 255.255.255.248
Router1(config-if)#no shutdown
Router1(config-if)#interface gigabitEthernet 0/0
Router1(config-if)#ip address 192.168.20.1 255.255.255.0
Router1(config-if)#no shutdown
Router1(config-if)#exit
Router1(config)#router eigrp 100
Router1(config-router)#network 192.168.20.0 0.0.0.0
Router1(config-router)#network 172.16.1.0 0.0.0.0
Router1(config-router)#no auto-summary
Router1(config-router)#end

Comments on a Couple of Configuration Items

A couple of notes about the configurations. First, the network commands use a wildcard mask of 0.0.0.0, which denotes an exact match for the specific IP address on the interface. I could also have written the command for the whole subnet, as in network 192.168.10.0 0.0.0.255; it was simply a preference on my part for this configuration.

Second, the command no auto-summary.  EIGRP is a routing protocol that supports auto summarization.  This isn't very intuitive to understand. Auto summarization in EIGRP means that it will automatically advertise the classful A, B, or C subnet if it is not told otherwise.  Let's take a look at another network topology to demonstrate the auto-summary effect.

image.png

In the above example there are three routers configured for eigrp.  In the initial setup Router0 and Router2 have auto-summary on for EIGRP. All three networks 192.168.2.0, 172.16.1.0, and 1.1.1.0 are configured in the EIGRP router for Router0.

image.png

Similarly, Router2 has EIGRP configured with 1.3.3.0 and 192.168.20.0, and auto-summary has been explicitly turned on.

image.png

Router1 is pretty vanilla with EIGRP configured and advertising the 192.168.10.0 and 192.168.20.0 networks.  No auto-summary is on for Router1.  The interesting thing is taking a look at the routing tables of each of the routers to see what auto-summary does in this scenario. And how it will break the routing.  Let's look at Router0 first.

image.png

The 1.1.1.0 /24 network has been summarized to the classful A network 1.0.0.0 /8. Similarly, 172.16.1.0 /24 has been summarized to the classful B network 172.16.0.0 /16. This isn't necessarily bad when you look at it only from Router0's perspective, but hold that thought until we take a closer look at Router1 in a moment. One last note for Router0: the network 192.168.10.0 /24 appears as expected because it is already a class C network.

Now let's look at Router2 and then we will get to Router1.

image.png

Now you can already start to see the problem: Router2 is advertising a summarized classful A network, 1.0.0.0 /8, just as Router0 was. And what does that do to Router1? It confuses the heck out of its routing table, that's what! Let's look.

image.png

So now Router1 is advertising that 1.0.0.0 /8, the summarized network for both 1.1.1.0 and 1.3.3.0, is reachable through both of the other routers. This is what unchecked auto-summary can do to EIGRP if you are not careful. The fix is to turn off auto-summary in Router0 and Router1, and the problem is resolved. Take a look at Router1, the one that was so confused before we turned off auto-summary; it has the correct routes now.

image.png
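To show the auto-summary effect without a Packet Tracer file, here is an added Python example (not from the original notes) that computes the classful network EIGRP auto-summary advertises for each prefix in the three-router topology above and shows why Router1 ends up with 1.0.0.0/8 from both neighbours. The network lists are constructed from the walkthrough, and the model simplifies by treating every advertisement as crossing a major-network boundary, which is the case here.

```python
import ipaddress
from typing import Dict, List


def classful_network(prefix: str) -> ipaddress.IPv4Network:
    """The classful major network (A /8, B /16, C /24) containing 'prefix'.
    With auto-summary on, EIGRP advertises this instead of the real subnet
    when the advertisement crosses a major-network boundary."""
    net = ipaddress.ip_network(prefix, strict=False)
    first_octet = int(net.network_address) >> 24
    if first_octet < 128:
        plen = 8
    elif first_octet < 192:
        plen = 16
    else:
        plen = 24
    return ipaddress.ip_network(f"{net.network_address}/{plen}", strict=False)


def advertised_routes(networks: List[str], auto_summary: bool) -> List[str]:
    """Prefixes a router advertises for its configured networks. Simplified:
    every prefix here is sent over a link in a different major network, which
    is exactly the situation in the three-router topology above."""
    out: List[str] = []
    for n in networks:
        adv = classful_network(n) if auto_summary else ipaddress.ip_network(n, strict=False)
        if str(adv) not in out:
            out.append(str(adv))
    return out


# Constructed from the walkthrough: Router1 sits between Router0 and Router2.
ROUTER0_NETS = ["192.168.10.0/24", "172.16.1.0/24", "1.1.1.0/24"]
ROUTER2_NETS = ["192.168.20.0/24", "1.3.3.0/24"]


def router1_view(auto_summary: bool) -> Dict[str, List[str]]:
    """Each prefix Router1 learns, mapped to the neighbours advertising it."""
    table: Dict[str, List[str]] = {}
    for name, nets in (("Router0", ROUTER0_NETS), ("Router2", ROUTER2_NETS)):
        for route in advertised_routes(nets, auto_summary):
            table.setdefault(route, []).append(name)
    return table


def ambiguous_prefixes(auto_summary: bool) -> List[str]:
    """Prefixes Router1 hears from both neighbours. Traffic for 1.1.1.0/24 or
    1.3.3.0/24 can then be forwarded toward the router that does not own it."""
    return [p for p, who in router1_view(auto_summary).items() if len(who) > 1]


if __name__ == "__main__":
    print("auto-summary on :", router1_view(True))
    print("auto-summary off:", router1_view(False))
    print("ambiguous       :", ambiguous_prefixes(True))
```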

Back to the EIGRP Configuration

Verify the configuration

Router0#show ip route

image.png

Router0#show ip eigrp neighbors

image.png

Router0#show ip eigrp topology

image.png

Router0#show ip eigrp interfaces

image.png

Router0#show ip eigrp traffic

image.png

Ping and Tracert Tests

image.png

Cisco Packet Tracer Files

net16 eigrp.pkt

net17 eigrp auto-summary.pkt


OSPF Open Shortest Path First Protocol

OSPF Limerick

There once was a routing protocol
OSPF was its name, it was droll
It spread updates with care
To routers everywhere
So that packets would never grow stale.

How does it differ from other routing protocols?

Distance Vector Protocols

Distance Vector routing protocols base their decisions on the best path to a given destination based on the distance.

Distance is usually measured in hops, though the distance metric could be delay, packets lost, or something similar.

If the distance metric is hops, then each time a packet goes through a router one hop is considered to have been traversed. The route with the fewest hops to a given network is concluded to be the best route towards that network.

The vector shows the direction to that specific network. Distance vector protocols send their entire routing table to directly connected neighbors.

* source - Pluralsight - Dynamic Routing Protocols: Distance Vector and Link State

Link State Protocols

Link state protocols are also called shortest-path-first protocols. Link state routing protocols have a complete picture of the network topology, so they know more about the whole network than any distance vector protocol.

Three separate tables are created on each link state routing enabled router. One table is used to hold details about directly connected neighbors, one is used to hold the topology of the entire internetwork and the last one is used to hold the actual routing table.

Link state protocols send information about directly connected links to all the routers in the network.

* source - Pluralsight - Dynamic Routing Protocols: Distance Vector and Link State

Distance Vector                                          Link State
RIP and IGRP                                             OSPF and IS-IS
Only communicates with neighbor routers                  Communicates with all other routers in an area
Calculates path based on distance and vector             Calculates shortest path based on link-state parameters
Passes entire routing table to directly connected        Passes link-state routing updates to other routers
neighbor routers

(EIGRP is considered a hybrid protocol because it uses both distance vector and link state.)


1. LSR

Router A sends a Link-State Request (LSR) to gather route information from the neighbor router, Router B.

2. LSU

Router B replies with a Link-State Update (LSU) containing the requested Link-State Advertisement (LSA) information.

3. LSAck

Router A receives the LSU with the LSA attached and sends a Link-State Acknowledgement (LSAck) back to Router B.

image.png

Dijkstra's Algorithm

The speed of OSPF can be attributed to Dijkstra's algorithm (Shortest Path First).

Dijkstra's algorithm is a method for finding the shortest path between two points in a graph. The graph could represent, for example, a map with cities as nodes and roads as edges, where the length of the edges represents the distance between the cities. The algorithm starts at one node, called the "source" node, and explores all the paths to the other nodes, called "destination" nodes, in the graph. It keeps track of the shortest path to each destination node that it has found so far, and updates this information as it explores new paths.

At each step, the algorithm selects the destination node that can be reached with the shortest known path from the source node, and explores the paths to all the other nodes that can be reached from this node. This process is repeated until the algorithm has found the shortest path to the destination node that you are interested in.

The algorithm is called Dijkstra's algorithm because it was invented by the Dutch computer scientist Edsger W. Dijkstra in the 1950s. Dijkstra's algorithm is also famous because it is the first algorithm that uses a priority queue (heap) rather than a queue to proceed from one node to the next.

It is often used for finding the shortest path in a navigation or transportation network, or for routing packets of data in a computer network.



Illustration of Dijkstra's algorithm finding a path from a start node (lower left, red) to a goal node (upper right, green) in a robot motion planning problem. Open nodes represent the "tentative" set (aka set of "unvisited" nodes). Filled nodes are the visited ones, with color representing the distance: the greener, the closer. Nodes in all the different directions are explored uniformly, appearing more-or-less as a circular wavefront as Dijkstra's algorithm uses a heuristic identically equal to 0.

* source: https://en.wikipedia.org/wiki/Dijkstra%27s_algorithm
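To make the SPF computation concrete, here is an added Python example (not from the original notes) that runs Dijkstra's algorithm over a constructed three-router link-state database using Cisco's default OSPF interface cost (10^8 divided by bandwidth) and contrasts the result with the fewest-hops path a distance vector protocol would choose. The two T1 links mirror the OSPF lab later on this page; the 512 kbit/s direct link between Router0 and Router2 is a hypothetical addition so that hop count and cost disagree.

```python
import heapq
from collections import deque
from typing import Dict, List, Tuple

Graph = Dict[str, Dict[str, int]]

# Cisco's default OSPF interface cost: reference bandwidth (100 Mbit/s)
# divided by the interface bandwidth, never less than 1.
REFERENCE_BW = 100_000_000


def ospf_cost(bandwidth_bps: int) -> int:
    return max(1, REFERENCE_BW // bandwidth_bps)


# Constructed link-state database: (router, neighbour, bandwidth in bit/s).
# Two T1 serial links (1.544 Mbit/s, cost 64 each) as in the OSPF lab below;
# the 512 kbit/s Router0-Router2 link (cost 195) is hypothetical.
LINKS = [
    ("Router0", "Router1", 1_544_000),
    ("Router1", "Router2", 1_544_000),
    ("Router0", "Router2", 512_000),
]


def build_graph(links) -> Graph:
    g: Graph = {}
    for a, b, bw in links:
        c = ospf_cost(bw)
        g.setdefault(a, {})[b] = c
        g.setdefault(b, {})[a] = c  # an OSPF adjacency carries the cost both ways
    return g


def spf(graph: Graph, source: str) -> Tuple[Dict[str, int], Dict[str, str]]:
    """Dijkstra's algorithm: cost from source to every router, plus the
    predecessor of each router on its shortest path."""
    dist = {source: 0}
    prev: Dict[str, str] = {}
    visited = set()
    tentative = [(0, source)]  # the 'tentative' set kept as a min-heap
    while tentative:
        d, u = heapq.heappop(tentative)
        if u in visited:
            continue  # stale entry: a cheaper path to u was already settled
        visited.add(u)
        for v, cost in graph.get(u, {}).items():
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                prev[v] = u
                heapq.heappush(tentative, (nd, v))
    return dist, prev


def shortest_path(graph: Graph, source: str, target: str) -> List[str]:
    dist, prev = spf(graph, source)
    if target not in dist:
        return []
    path = [target]
    while path[-1] != source:
        path.append(prev[path[-1]])
    return path[::-1]


def fewest_hops_path(graph: Graph, source: str, target: str) -> List[str]:
    """Breadth-first search: the path a pure hop-count metric (RIP) prefers."""
    prev = {source: None}
    queue = deque([source])
    while queue:
        u = queue.popleft()
        if u == target:
            break
        for v in graph.get(u, {}):
            if v not in prev:
                prev[v] = u
                queue.append(v)
    if target not in prev:
        return []
    path = [target]
    while prev[path[-1]] is not None:
        path.append(prev[path[-1]])
    return path[::-1]


if __name__ == "__main__":
    g = build_graph(LINKS)
    print("OSPF by cost :", shortest_path(g, "Router0", "Router2"), spf(g, "Router0")[0]["Router2"])
    print("By hop count :", fewest_hops_path(g, "Router0", "Router2"))
```

OSPF takes the two-hop path through Router1 (cost 128) while the hop-count metric takes the slow direct link (one hop, cost 195).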

OSPF Path Selection

OSPF History

image.png

OSPF Areas

An OSPF Area is a network where all routers have the same routing information (LSAs). Network updates are localized per area, and routers share topology information within the second table mentioned above (the topology table). To reduce the size of the topology table in very large OSPF implementations, the network can be broken up into several OSPF areas; network updates are then applied only to the specifically identified area.

image.png

Area 0 is the Backbone, and all other areas must connect back to Area 0.

Adding an Area 3 through Area 1 (as in the diagram below) would not be a correct or allowed configuration, as Area 3 is NOT connected to Area 0, the Backbone.

image.png

Adding Area 3 by connecting it to the backbone is the correct method for adding another OSPF Area as in the updated diagram below.

image.png

OSPF Neighbor Requirements

Hello timer defaults: sent every 10 seconds on broadcast or point-to-point networks; sent every 30 seconds on non-broadcast multiple access (NBMA) networks (e.g., Frame Relay). Hello packets are sent to all other routers at the following addresses, depending on IP version.

When sending Hello packets to designated routers the following addresses are used.  What is a designated router? See Below.

Dead timer Defaults: 4 times the hello timer.


image.png

Wait timer is the number of seconds a router waits for the designated router or backup designated router to be advertised before beginning an election.

Retransmit is the number of seconds a router waits before retransmitting an OSPF packet that has not been acknowledged.

How to Change the Various Intervals

image.png

Router0(config)#interface gigabitEthernet 0/1
Router0(config-if)#ip ospf hello-interval 20

Designated Router (DR) and Backup Designated Router (BDR)

Router adjacencies are neighbor routers that share LSUs and database description packets. 

A large network could have a huge number of adjacencies, as shown by this formula:

[n*(n-1)]/2

So for 4 routers the number of adjacencies would be [4*(4-1)]/2 = 6, and for 10 routers it would be [10*(10-1)]/2 = 45. As you can see, the number of adjacencies grows very quickly, and a router will not be 'close' to all of them. Instead, an OSPF router is close to one specific router (neighbor), and that router is deemed the designated router (DR). The routers also form an adjacency with a backup designated router (BDR). This is done to reduce the adjacency volume.


image.png

How does a router select its DR and BDR?

Router1(config-if)# ip ospf priority [#]

Router1(config)#router ospf 1
Router1(config-router)#router-id [id]

image.png

Not all network types conduct a DR/BDR election.

Network Type                                DR/BDR Election?
Point to Point                              No
Broadcast                                   Yes
Non-broadcast multiple access (NBMA)        Yes
Point to Multipoint                         No

Area Border Router (ABR)

image.png

Typically an ABR has more processing power than a non-ABR, since it has to store the routing tables for multiple OSPF areas.

Autonomous System Boundary Router (ASBR)

image.png

This router has one interface connected to OSPF and another interface running an entirely different routing protocol (e.g., EIGRP).

LSA Types

image.png

image.png

Router0#show ip ospf database

image.png

Stub Areas

An area that is connected only to the backbone and not to any other autonomous system.

Route Summarization

In IPv4 networking, route summarization, also known as route aggregation, is a technique used to reduce the number of routing table entries on a router. This is done by grouping together several smaller networks into a single, larger network, and then advertising the summary route to other routers instead of the individual smaller networks.

For example, imagine a network with several subnets, such as 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24, and so on. Instead of having a separate routing table entry for each of these subnets, route summarization allows a router to group them together into a single network, such as 10.1.0.0/22. This single entry will take the place of all the individual entries, reducing the size of the routing table and making it more efficient.

Route summarization is done by using a mask that is shorter (fewer network bits) than the original subnet masks. This allows a group of subnets to be represented by a single network address and mask.

The benefit of this technique is that it can help reduce the number of routing table entries and improve the performance of the routing process. By reducing the size of the routing table, routers can make faster and more efficient routing decisions. It can also help to reduce the amount of routing information that needs to be exchanged between routers.

It's important to note that while route summarization can help to improve the scalability and performance of a network, it can also create problems such as black-hole routing, where packets are dropped because they cannot be delivered to the correct destination. Therefore, it's important to be mindful of the address space being used and make sure that the summary route being advertised does not overlap with other routes that exist in the network.

Example

Decimal          Octet 1    Octet 2    Octet 3    Octet 4
192.168.8.0      11000000   10101000   00001000   00000000
192.168.9.0      11000000   10101000   00001001   00000000
192.168.10.0     11000000   10101000   00001010   00000000
192.168.11.0     11000000   10101000   00001011   00000000
SUMMARY IP       11000000   10101000   00001000   00000000
                 192        168        8          0
Subnet Mask      11111111   11111111   11111100   00000000
/22              255        255        252        0

Summarization Result = 192.168.8.0 with subnet mask 255.255.252.0 (/22)
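The octet table above is the manual form of a longest-common-prefix computation; here is an added Python example (not from the original notes) that performs it for any list of prefixes and also lists the address blocks a summary covers that none of the inputs use, which is where the black-hole problem mentioned above comes from. The input prefixes are the ones from the table, plus a constructed two-subnet case with a gap.

```python
import ipaddress
from typing import List


def ip_to_bits(addr: str) -> str:
    """32-character binary string, the same form as the octet table above."""
    return "".join(f"{int(o):08b}" for o in addr.split("."))


def summarize(prefixes: List[str]) -> ipaddress.IPv4Network:
    """Smallest single network containing every input prefix: keep the
    leading bits all network addresses share, then zero the rest."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    rows = [ip_to_bits(str(n.network_address)) for n in nets]
    common = 0
    for column in zip(*rows):  # walk the bit columns left to right
        if len(set(column)) != 1:
            break
        common += 1
    common = min(common, min(n.prefixlen for n in nets))  # never longer than an input mask
    return ipaddress.ip_network(f"{nets[0].network_address}/{common}", strict=False)


def uncovered_space(prefixes: List[str], summary: ipaddress.IPv4Network) -> List[ipaddress.IPv4Network]:
    """Blocks inside the summary that no input prefix actually uses. A router
    advertising the summary attracts traffic for these and then drops it:
    the black-hole effect described above."""
    unused = [summary]
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=False)
        remaining = []
        for block in unused:
            if block.subnet_of(net):
                continue  # block is fully used by this prefix
            if net.subnet_of(block):
                remaining.extend(block.address_exclude(net))
            else:
                remaining.append(block)
        unused = remaining
    return sorted(unused)


# The four /24s from the table above.
PAGE_EXAMPLE = ["192.168.8.0/24", "192.168.9.0/24", "192.168.10.0/24", "192.168.11.0/24"]

if __name__ == "__main__":
    s = summarize(PAGE_EXAMPLE)
    print(s, "mask", s.netmask, "uncovered:", uncovered_space(PAGE_EXAMPLE, s))
    gappy = ["192.168.8.0/24", "192.168.10.0/24"]  # constructed: same summary, two holes
    print(summarize(gappy), "uncovered:", uncovered_space(gappy, summarize(gappy)))
```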



Cisco IOS OSPF Protocol

Network Topology


image.png

Router0 Configuration Commands

Router0>enable
Router0#configure terminal
Router0(config)#interface serial 0/0/0
Router0(config-if)#ip address 172.16.1.2 255.255.255.248
Router0(config-if)#no shutdown
Router0(config-if)#interface gigabitEthernet 0/0
Router0(config-if)#ip address 192.168.10.1 255.255.255.0
Router0(config-if)#no shutdown
Router0(config-if)#exit
Router0(config)#router ospf 1
Router0(config-router)#network 192.168.10.0 0.0.0.255 area 0
Router0(config-router)#network 172.16.1.0 0.0.0.7 area 0
Router0(config-router)#end

Router1 Configuration Commands

Router1>enable
Router1#configure terminal
Router1(config)#interface serial 0/0/0
Router1(config-if)#ip address 172.16.1.1 255.255.255.248
Router1(config-if)#no shutdown
Router1(config-if)#interface serial 0/0/1
Router1(config-if)#ip address 172.16.2.1 255.255.255.248
Router1(config-if)#no shutdown
Router1(config-if)#interface gigabitEthernet 0/0
Router1(config-if)#ip address 192.168.20.1 255.255.255.0
Router1(config-if)#no shutdown
Router1(config-if)#exit
Router1(config)#router ospf 1
Router1(config-router)#network 192.168.20.0 0.0.0.255 area 0
Router1(config-router)#network 172.16.1.0 0.0.0.7 area 0
Router1(config-router)#network 172.16.2.0 0.0.0.7 area 0
Router1(config-router)#end

Router2 Configuration Commands

Router2>enable
Router2#configure terminal
Router2(config)#interface serial 0/0/0
Router2(config-if)#ip address 172.16.2.2 255.255.255.248
Router2(config-if)#no shutdown
Router2(config-if)#interface gigabitEthernet 0/0
Router2(config-if)#ip address 192.168.30.1 255.255.255.0
Router2(config-if)#no shutdown
Router2(config-if)#exit
Router2(config)#router ospf 1
Router2(config-router)#network 192.168.30.0 0.0.0.255 area 0
Router2(config-router)#network 172.16.2.0 0.0.0.7 area 0
Router2(config-router)#end

PC Configurations

image.png

image.png

image.png

Verify OSPF Configuration

Router0#show ip route

image.png

Router1#show ip route

image.png

Router2#show ip route

image.png

Router0# show ip ospf neighbor

image.png

Router1#show ip ospf neighbor

image.png

Router2#show ip ospf neighbor

image.png

Router0#show ip ospf

image.png

Router1#show ip ospf

image.png

Router2#show ip ospf

image.png

Ping and Tracert Checks

image.png

Cisco Packet Tracer File

net15 ospf.pkt


Cisco IOS OSPF Router ID

Network Topology

image.png

What is the OSPF Router ID (RID)?

The OSPF Router ID (RID) is a 32-bit value used to uniquely identify an OSPF router in a network. The Router ID takes the form of an IPv4 address (e.g., 1.1.1.1). It is used by OSPF routers to identify themselves to each other, and is also used as a key for certain OSPF data structures. The RID is typically chosen as the highest IP address of a router's interfaces that are configured for OSPF. If there are multiple interfaces with the same IP address, the RID will be chosen based on the interface's MAC address or on the order in which the interfaces were configured. The RID is used in the OSPF header of OSPF packets, and is also used in the LSA (Link State Advertisement) packets that OSPF routers exchange to form and maintain their routing tables.

How is the OSPF Router ID Selected?

A router chooses its OSPF Router ID (RID) based on the following priority:

  1. The highest IP address of a loopback interface that is configured for OSPF. A loopback interface is a virtual interface that is always up, and is typically used for management purposes.
  2. If there is no loopback interface configured, the highest IP address of a physical interface that is configured for OSPF.
  3. If there are multiple interfaces with the same IP address, the RID will be chosen based on the interface's MAC address.
  4. If all of the above methods fail to produce a unique RID, the router will choose the RID based on the order in which the interfaces were configured.

It is important to note that, once chosen, the RID cannot be changed without restarting the OSPF process on the router. It is also important that all OSPF routers in a single OSPF domain must have unique RIDs.

Router ID in Action with Network Topology Above

The topology above has two physical interfaces and two Loopback interfaces.

Router0# show ip interface brief

image.png

We can start the OSPF router process with the following command:

Router0(config)#router ospf 1
Router0(config-router)#end

Now let's check the OSPF Router ID by issuing the command:

Router0#show ip protocols

image.png

As can be seen above, the ospf 1 process has chosen the Loopback interface with the highest IP address as its Router ID, as we expected from #1 in the explanation above. Now let's remove the Loopback interfaces and see how that affects the OSPF Router ID.

Router0#configure terminal
Router0(config)#no interface loopback 0
Router0(config)#no interface loopback 1
Router0(config)#do show ip interface brief

image.png

Confirmed that the Loopback interfaces have been removed. Let's check the OSPF Router ID now.

Router0(config)#end
Router0#show ip protocols

image.png

The Router ID has not changed! Just like the note above states the OSPF Router ID once chosen cannot be changed without a restart of the OSPF process.  How can we restart the OSPF process?  With this command:

Router0#clear ip ospf process

image.png

Now we can check the Router ID again.

Router0#show ip protocols

image.png

After the reset of the OSPF process the Router ID has been selected from the physical interface with the highest IP address.  Again, just like we would expect from #2 from the explanation above.

Now, what if we did not want the OSPF process to choose its own Router ID? What if we wanted to set the Router ID manually? Can we do that? Yes! As long as we make sure to set it in the correct format: a 32-bit value written as a four-octet IPv4 dotted-decimal address.

Router0#configure terminal
Router0(config)#router ospf 1
Router0(config-router)#router-id 10.10.10.10
Router0(config-router)#end
Router0#show ip protocols

image.png

As you can see, the Router ID is now set to what we manually entered, 10.10.10.10.
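The walkthrough above is a small state machine, so here is an added Python example (not from the original notes) that models the router-ID selection and its stickiness: highest loopback, then highest physical interface, unchanged when loopbacks are removed until `clear ip ospf process`, and overridden by a manual `router-id`. The interface names and addresses are constructed, since the lab's exact addressing is only in the screenshots.

```python
from ipaddress import IPv4Address
from typing import Dict, Optional


class OspfProcess:
    """Model of how IOS picks the OSPF router ID, following the walkthrough
    above: a manual router-id wins, else the highest loopback address, else
    the highest physical interface address; once chosen it stays until
    'clear ip ospf process'."""

    def __init__(self, interfaces: Dict[str, str]):
        # interfaces: name -> IPv4 address (constructed values). Names that
        # start with 'Loopback' count as loopbacks, everything else as physical.
        self.interfaces = dict(interfaces)
        self.manual_rid: Optional[str] = None
        self.rid: Optional[str] = None
        self._select()  # 'router ospf 1' starts the process and picks the RID

    def _select(self) -> None:
        if self.manual_rid:
            self.rid = self.manual_rid
            return
        loopbacks = [ip for n, ip in self.interfaces.items() if n.lower().startswith("loopback")]
        physical = [ip for n, ip in self.interfaces.items() if not n.lower().startswith("loopback")]
        pool = loopbacks or physical
        self.rid = str(max(IPv4Address(ip) for ip in pool)) if pool else None

    def remove_interface(self, name: str) -> None:
        """'no interface loopback N': the interface goes away, the RID does not change."""
        self.interfaces.pop(name, None)

    def clear_process(self) -> None:
        """'clear ip ospf process': the RID is selected again from what is left."""
        self._select()

    def set_router_id(self, rid: str) -> None:
        """'router-id A.B.C.D'. Applied immediately here, as in the walkthrough;
        a process with active adjacencies asks for 'clear ip ospf process' first."""
        IPv4Address(rid)  # must be a dotted-decimal 32-bit value, raises otherwise
        self.manual_rid = rid
        self._select()


def walkthrough() -> Dict[str, Optional[str]]:
    """Replays the steps above and returns the RID observed after each one."""
    p = OspfProcess({
        "GigabitEthernet0/0": "192.168.10.1",
        "GigabitEthernet0/1": "192.168.20.1",
        "Loopback0": "1.1.1.1",
        "Loopback1": "2.2.2.2",
    })
    seen = {"router ospf 1": p.rid}
    p.remove_interface("Loopback0")
    p.remove_interface("Loopback1")
    seen["no interface loopback 0/1"] = p.rid
    p.clear_process()
    seen["clear ip ospf process"] = p.rid
    p.set_router_id("10.10.10.10")
    seen["router-id 10.10.10.10"] = p.rid
    return seen


if __name__ == "__main__":
    for step, rid in walkthrough().items():
        print(f"{step:28} -> {rid}")
```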


Cisco IOS eBGP (External) Protocol

Network Topology

image.png

As of Cisco Packet Tracer 8.2, internal BGP (iBGP) is not supported; only external BGP (eBGP) is. If you try to configure iBGP in Packet Tracer, you will see the following message.

image.png

So, in this example the focus will be on setting up eBGP between two separate autonomous systems.

Router0 Configuration Commands

Router0>enable
Router0#configure terminal
Router0(config)#interface serial 0/0/0
Router0(config-if)#ip address 172.16.1.1 255.255.255.248
Router0(config-if)#no shutdown
Router0(config-if)#interface gigabitEthernet 0/0
Router0(config-if)#ip address 192.168.10.1 255.255.255.0
Router0(config-if)#no shutdown
Router0(config-if)#int Loopback 0
Router0(config-if)#ip address 1.1.1.1 255.0.0.0
Router0(config-if)#no shutdown
Router0(config-if)#exit
Router0(config)#router bgp 65001
Router0(config-router)#neighbor 172.16.1.2 remote-as 65002
Router0(config-router)#network 1.1.1.1 mask 255.0.0.0
Router0(config-router)#network 192.168.10.0 mask 255.255.255.0
Router0(config-router)#bgp router-id 1.1.1.1
Router0(config-router)#no synchronization

Router1 Configuration Commands

Router1>enable
Router1#configure terminal
Router1(config)#interface serial 0/0/0
Router1(config-if)#ip address 172.16.1.2 255.255.255.248
Router1(config-if)#no shutdown
Router1(config-if)#interface gigabitEthernet 0/0
Router1(config-if)#ip address 192.168.20.1 255.255.255.0
Router1(config-if)#no shutdown
Router1(config-if)#int Loopback 0
Router1(config-if)#ip address 2.2.2.2 255.0.0.0
Router1(config-if)#no shutdown
Router1(config-if)#exit
Router1(config)#router bgp 65002
Router1(config-router)#neighbor 172.16.1.1 remote-as 65001
Router1(config-router)#network 2.2.2.2 mask 255.0.0.0
Router1(config-router)#network 192.168.20.0 mask 255.255.255.0
Router1(config-router)#bgp router-id 2.2.2.2
Router1(config-router)#no synchronization

A Special Word about the No Synchronization Command

The site BGPExpert has an excellent explanation of what the no synchronization command is and what it does.

Check BGP Configuration

Router0#show ip route

image.png

Router0#show ip bgp summary

image.png

Router0#show ip bgp

image.png

Router0#show bgp ipv4 unicast neighbor 172.16.1.2 advertised-routes

This is another command that is not available in Cisco Packet Tracer as of v8.2.  So, here is an example from GNS3.

image.png

Ping and Tracert Connectivity Tests

image.png

image.png

More Notes on BGP

Directly Connected BGP Neighbors: BGP uses the ARP table to locate the Layer 2 address of the peer.
Multihop BGP Neighbors: BGP uses routing table information to reach the peer's IP address.

Private 16-bit ASN Range: 64,512 - 65,535
Private 32-bit ASN Range: 4,200,000,000 - 4,294,967,294

Router0#show ip bgp neighbors

image.png

Another Limitation of Cisco Packet Tracer

As of Packet Tracer 8.2 there isn't a command for debug ip bgp, which is very odd because there are debug commands for other protocols.

image.png

So, for this next section I will be using GNS3 to show the BGP connection handshake. BGP establishes a TCP session with a neighboring BGP peer or peers. The connection between the peers may report the following states while the connection is established.

The ordering of the states can be quite fluid, as can be seen in the official Cisco diagram of the states below.

bgpstates.jpg

To demo these states in GNS3 I will initiate a debug for the BGP protocol.

Router0#debug ip bgp
Router0#clear ip bgp *

IDLE:

image.png

CONNECT:

For the connect phase, I never explicitly saw this reported in the debug logs. I tried two different routers with different Cisco IOS versions and in both cases the Idle to Connect transition was never logged. This must be what Cisco was referring to when they said, "The connection between the peers may report the following states while the connection is established."

ACTIVE:

image.png

OPENSENT:

image.png

OPENCONFIRM:

image.png

ESTABLISHED:

image.png

Now we can check the TCP connectivity.

Router0#show tcp brief

image.png

The connection is established.  Note that the TCP port on the peer (foreign address) is 179.  This peer has the higher IP address and thus manages the connect phase and establishes the port 179 connectivity. The peer with the lower IP will get a randomized port for the connectivity.  In this example the randomized port is 57597.

Additional Information about BGP from Cloudflare

Additional Information about BGP Neighbor States and Connectivity from CiscoPress


Cisco Packet Tracer File

net14 bgp.pkt

BGP Path Attributes

BGP (Border Gateway Protocol) is a path-vector routing protocol, meaning it uses path attributes to determine the best routing path. The mnemonic below covers eight (8) of the attributes BGP uses to determine that best path.

Mnemonic      First Letter   BGP Path Attribute
We            W              Weight
Love          L              Local_pref
Oranges       O              Originate
As            A              AS_path
Oranges       O              Origin type
Mean          M              MED (Multi-Exit Discriminator)
Pure          P              Paths
Refreshment   R              Router-ID

This does not include all 13 path attributes, but it covers the majority of them, particularly those we often see used in practice.

WEIGHT

image.png

LOCAL PREFERENCE (Local_pref)

This parameter often gets used for route manipulation.

image.png

ORIGINATE
AUTONOMOUS SYSTEM PATH (AS_path)

image.png

ORIGIN TYPE
  1. IGP
  2. EGP
  3. ? Incomplete

image.png

MED (Multi-exit Discriminator)

image.png

PATHS (eBGP vs iBGP)

eBGP: Administrative distance 20
iBGP: Administrative distance 200
ROUTER-ID


Summary of the Attributes

Mnemonic      First Letter   BGP Path Attribute   Preference
We            W              Weight               Higher
Love          L              Local_pref           Higher
Oranges       O              Originate            Local vs Aggregate
As            A              AS_path              Lower
Oranges       O              Origin type          IGP vs EGP vs ?
Mean          M              MED                  Lower
Pure          P              Paths                eBGP vs iBGP
Refreshment   R              Router-ID            Lower
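To make the selection order concrete, here is an added Python example (not part of the original notes) that ranks candidate paths step by step through the mnemonic and reports which attribute decided. The candidates are constructed: the neighbor 14.14.14.1, the AS numbers and the MED values are made-up, and MED is compared between every pair of paths for simplicity.

```python
"""Best-path selection in the order of the mnemonic above: Weight,
Local_pref, Originate, AS_path, Origin, MED, Paths (eBGP/iBGP), Router-ID.
Added example, not from the original notes; candidates are constructed.
Directions follow the summary table: higher weight and local_pref win,
locally originated beats learned, shorter AS_path, IGP < EGP < incomplete,
lower MED, eBGP over iBGP, lowest router-id as the final tie-break.
Simplification: MED is compared for every pair of paths (IOS only compares
it between paths from the same neighboring AS unless bgp always-compare-med).
"""
import ipaddress
from dataclasses import dataclass, field, replace
from typing import List, Tuple

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}   # lower is preferred


@dataclass
class BgpPath:
    neighbor: str
    weight: int = 0                 # Cisco-specific, local to this router
    local_pref: int = 100           # IOS default
    locally_originated: bool = False
    as_path: List[int] = field(default_factory=list)
    origin: str = "igp"             # "igp" | "egp" | "incomplete"
    med: int = 0
    ebgp: bool = True               # False = learned over iBGP
    router_id: str = "0.0.0.0"


STEP_NAMES = ["weight", "local_pref", "originate", "as_path",
              "origin", "med", "paths", "router_id"]


def sort_key(p: BgpPath) -> Tuple:
    """Smaller tuple = better path.  One element per mnemonic step; negation
    turns 'higher is better' attributes into 'lower is better'."""
    return (
        -p.weight,                                # W: higher weight
        -p.local_pref,                            # L: higher local preference
        0 if p.locally_originated else 1,         # O: locally originated first
        len(p.as_path),                           # A: shortest AS_path
        ORIGIN_RANK[p.origin],                    # O: IGP < EGP < incomplete
        p.med,                                    # M: lowest MED
        0 if p.ebgp else 1,                       # P: eBGP over iBGP
        int(ipaddress.IPv4Address(p.router_id)),  # R: lowest router-id
    )


def best_path(paths: List[BgpPath]) -> BgpPath:
    if not paths:
        raise ValueError("no candidate paths")
    return min(paths, key=sort_key)


def deciding_step(paths: List[BgpPath]) -> str:
    """Name the first attribute that separates the winner from the runner-up:
    the answer to 'why did show ip bgp mark this path with >?'."""
    ranked = sorted(paths, key=sort_key)
    if len(ranked) < 2:
        return "only path"
    for name, a, b in zip(STEP_NAMES, sort_key(ranked[0]), sort_key(ranked[1])):
        if a != b:
            return name
    return "tie"


# Constructed: two paths for the same prefix from two routers in AS 65003.
CANDIDATES = [
    BgpPath("34.34.34.1", as_path=[65003, 65002], med=50, router_id="3.3.3.3"),
    BgpPath("14.14.14.1", as_path=[65003, 65002], med=10, router_id="1.1.1.1"),
]


def demo() -> dict:
    """Before: MED decides.  After an inbound route-map sets weight 999 on
    the 34.34.34.1 path, weight decides and the lower MED no longer matters."""
    before = best_path(CANDIDATES)
    boosted = [replace(CANDIDATES[0], weight=999), CANDIDATES[1]]
    after = best_path(boosted)
    return {"before": (before.neighbor, deciding_step(CANDIDATES)),
            "after": (after.neighbor, deciding_step(boosted))}
```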

BGP Route Manipulation

image.png

Scenario: Make the preferred path for the 20.0.0.0 network go through another router

R4(config)#ip prefix-list PREF20 permit 20.0.0.0/24
R4(config)#route-map MAP20 permit 10
R4(config-route-map)#match ip address prefix-list PREF20
R4(config-route-map)#set ?

image.png

R4(config-route-map)#set weight 999
R4(config-route-map)#exit
R4(config)#route-map MAP20 permit 20
R4(config-route-map)#exit
R4(config)#router bgp 65004
R4(config-router)#neighbor 34.34.34.1 route-map MAP20 in
R4(config-router)#end
R4#clear ip bgp *

image.png

Summary of Route Manipulation Steps

1. Create a prefix list:
   Router(config)#ip prefix-list [list name] permit [network/prefix length]
2. Create a route map that matches the prefix list and sets the attribute (add a second, empty permit sequence, as with MAP20 permit 20 above, so that routes not matching the prefix list are still accepted):
   Router(config)#route-map [map name] permit [sequence #]
   Router(config-route-map)#match ip address prefix-list [list name]
   Router(config-route-map)#set weight [value]
3. Apply the route map to the BGP neighbor:
   Router(config-router)#neighbor [neighbor IP address] route-map [map name] [in/out]
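The following Python model, added here and not part of the original notes, evaluates the MAP20 / PREF20 policy from the scenario above over constructed received routes. It shows why the empty permit 20 sequence matters (a route-map ends in an implicit deny) and why a prefix-list entry without ge/le matches only the exact prefix; the 20.0.0.0/25 and 30.0.0.0/24 routes are made-up inputs.

```python
"""Inbound route-map evaluation as configured on R4 above
(ip prefix-list PREF20 / route-map MAP20).  Added example.
Modelled behaviours:
  * a prefix-list entry without ge/le matches the exact prefix only, so
    20.0.0.0/24 does not match 20.0.0.0/25 or 20.0.0.0/16;
  * a route-map ends with an implicit deny, so without the empty
    'permit 20' sequence every route that misses PREF20 would be dropped.
The received routes below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class PrefixListEntry:
    action: str                 # "permit" | "deny"
    prefix: str                 # e.g. "20.0.0.0/24"
    ge: Optional[int] = None    # optional prefix-length range, as in IOS
    le: Optional[int] = None

    def matches(self, route_prefix: str) -> bool:
        net = ipaddress.ip_network(self.prefix)
        cand = ipaddress.ip_network(route_prefix)
        if cand.version != net.version or not cand.subnet_of(net):
            return False
        if self.ge is None and self.le is None:
            lo = hi = net.prefixlen                 # exact match only
        else:
            lo = self.ge if self.ge is not None else net.prefixlen
            hi = self.le if self.le is not None else net.max_prefixlen
        return lo <= cand.prefixlen <= hi


def prefix_list_permits(entries: List[PrefixListEntry], route_prefix: str) -> bool:
    """First matching entry decides; an unmatched prefix is denied."""
    for e in entries:
        if e.matches(route_prefix):
            return e.action == "permit"
    return False


@dataclass
class RouteMapSeq:
    action: str                                  # "permit" | "deny"
    match_prefix_list: Optional[str] = None      # None = matches everything
    set_values: Dict[str, int] = field(default_factory=dict)


def apply_route_map(seqs: List[RouteMapSeq],
                    prefix_lists: Dict[str, List[PrefixListEntry]],
                    routes: List[dict]) -> List[dict]:
    """Return the routes that survive the inbound policy, with set clauses applied."""
    accepted = []
    for route in routes:
        for seq in seqs:
            matched = (seq.match_prefix_list is None or
                       prefix_list_permits(prefix_lists[seq.match_prefix_list], route["prefix"]))
            if not matched:
                continue
            if seq.action == "permit":
                accepted.append({**route, **seq.set_values})
            break            # first matching sequence ends evaluation, permit or deny
        # no sequence matched: implicit deny, the route is dropped
    return accepted


PREFIX_LISTS = {"PREF20": [PrefixListEntry("permit", "20.0.0.0/24")]}
MAP20_FULL = [RouteMapSeq("permit", "PREF20", {"weight": 999}),   # permit 10
              RouteMapSeq("permit")]                               # permit 20 (empty)
MAP20_NO_SEQ20 = MAP20_FULL[:1]

RECEIVED = [                                  # constructed routes from 34.34.34.1
    {"prefix": "20.0.0.0/24", "weight": 0},
    {"prefix": "20.0.0.0/25", "weight": 0},   # longer prefix: NOT matched by PREF20
    {"prefix": "30.0.0.0/24", "weight": 0},
]


def demo() -> dict:
    full = apply_route_map(MAP20_FULL, PREFIX_LISTS, RECEIVED)
    broken = apply_route_map(MAP20_NO_SEQ20, PREFIX_LISTS, RECEIVED)
    return {"with_seq20": {r["prefix"]: r["weight"] for r in full},
            "without_seq20": {r["prefix"]: r["weight"] for r in broken}}
```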

BGP Transitive and Non-transitive Attributes

Transitive attributes are those BGP attributes that a router is ALLOWED to pass on to other BGP peers, even when it does not recognize them. Non-transitive attributes are NOT passed on to other peers.

There are four categories of path attributes:

Well-known mandatory: This attribute MUST exist in the BGP UPDATE; if it is missing, a NOTIFICATION error is generated and the session is closed. It must be recognized by all BGP routers and included in every update message. Routing information errors occur without this attribute.
Well-known discretionary: Recognized by all BGP routers; can be included in an update message as needed.
Optional transitive: Transitive attribute between ASs. A BGP router not supporting this attribute can still receive routes carrying it and advertise them to other peers.
Optional non-transitive: If a BGP router does not support this attribute, it does not pass the attribute on to other peers.

 

BGP Path Attribute   Category
Weight               Cisco specific, local to the router
Local_pref           Well-known discretionary
AS_path              Well-known mandatory
Origin type          Well-known mandatory
MED                  Optional non-transitive
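As an added example (not from the original notes), this Python parser decodes the attribute-flags byte of a hand-constructed BGP UPDATE path-attributes fragment and derives each attribute's category from the Optional and Transitive bits, reproducing the table above from the wire encoding. Type codes and flag bits are those of RFC 4271; the sample bytes are constructed.

```python
"""Decode BGP path-attribute headers (RFC 4271 section 4.3) and classify
each attribute into the four categories listed above.  Added example; the
UPDATE fragment SAMPLE is constructed by hand.

Flags byte:  O T P E 0 0 0 0
  O = Optional (0 = well-known), T = Transitive, P = Partial, E = Extended Length
Well-known attributes always have O=0 and T=1; mandatory vs discretionary is
decided by type code, transitive vs non-transitive by the T bit.
"""
import struct
from typing import Dict, List

OPTIONAL, TRANSITIVE, PARTIAL, EXT_LEN = 0x80, 0x40, 0x20, 0x10

# IANA type codes for the attributes in the table (NEXT_HOP added: it is also
# well-known mandatory).  Weight is Cisco-local and never appears on the wire.
TYPE_NAMES = {1: "ORIGIN", 2: "AS_PATH", 3: "NEXT_HOP", 4: "MED", 5: "LOCAL_PREF"}
MANDATORY = {1, 2, 3}
ORIGIN_CODES = {0: "IGP", 1: "EGP", 2: "Incomplete (?)"}


def category(flags: int, type_code: int) -> str:
    """Classify from the flag bits the way a receiving speaker would."""
    if not flags & OPTIONAL:
        if not flags & TRANSITIVE:
            raise ValueError("well-known attribute with Transitive bit clear is malformed")
        return "well-known mandatory" if type_code in MANDATORY else "well-known discretionary"
    return "optional transitive" if flags & TRANSITIVE else "optional non-transitive"


def decode_as_path(value: bytes) -> List[int]:
    """AS_PATH segments as a flat list of 2-byte ASNs (AS_SEQUENCE/AS_SET);
    4-byte ASNs need the AS4 capability and are not handled here."""
    asns, i = [], 0
    while i + 2 <= len(value):
        seg_type, count = value[i], value[i + 1]   # 2 = AS_SEQUENCE, 1 = AS_SET
        i += 2
        asns.extend(struct.unpack_from("!%dH" % count, value, i))
        i += 2 * count
    return asns


def parse_path_attributes(data: bytes) -> List[Dict]:
    """Walk the Path Attributes field of an UPDATE and decode each TLV."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        flags, type_code = data[i], data[i + 1]
        hdr = 4 if flags & EXT_LEN else 3            # 2-byte length when E bit set
        if len(data) - i < hdr:
            raise ValueError("truncated attribute header")
        length = struct.unpack_from("!H", data, i + 2)[0] if hdr == 4 else data[i + 2]
        value = data[i + hdr:i + hdr + length]
        if len(value) != length:
            raise ValueError(f"attribute type {type_code}: length {length} runs past the buffer")
        attr = {"type": TYPE_NAMES.get(type_code, f"type-{type_code}"),
                "category": category(flags, type_code),
                "partial": bool(flags & PARTIAL)}
        if type_code == 1 and length == 1:
            attr["value"] = ORIGIN_CODES.get(value[0], f"unknown({value[0]})")
        elif type_code == 2:
            attr["value"] = decode_as_path(value)
        elif type_code == 3 and length == 4:
            attr["value"] = ".".join(str(b) for b in value)
        elif type_code in (4, 5) and length == 4:
            attr["value"] = struct.unpack("!I", value)[0]
        attrs.append(attr)
        i += hdr + length
    return attrs


# Constructed fragment: ORIGIN IGP, AS_PATH {65002}, NEXT_HOP 172.16.1.2,
# MED 50 (optional non-transitive), LOCAL_PREF 100 (well-known discretionary).
SAMPLE = (bytes([0x40, 1, 1, 0])
          + bytes([0x40, 2, 4, 2, 1]) + struct.pack("!H", 65002)
          + bytes([0x40, 3, 4, 172, 16, 1, 2])
          + bytes([0x80, 4, 4]) + struct.pack("!I", 50)
          + bytes([0x40, 5, 4]) + struct.pack("!I", 100))
```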

Troubleshooting BGP

Cisco IOS Basic MPLS VPN

Network Topology

image.png

What is MPLS?

Multiprotocol Label Switching (MPLS) is a data-carrying technique for high-performance telecommunications networks. It directs data from one network node to the next based on short path labels rather than long network addresses, avoiding complex lookups in a routing table; because a label can be looked up quickly in a table, forwarding decisions are faster. MPLS can provide better performance, security, and service-level agreements (SLAs) for data traffic, and it is used to create virtual private networks (VPNs) and traffic engineering (TE) networks. It is most often used in service provider networks, but can also be used in enterprise networks. MPLS also allows for the creation of virtual links, which can be used to connect different networks together, even if they use different routing protocols.

Multiprotocol Label Switching (MPLS) can be used to create Virtual Private Networks (VPNs). A VPN is a private network that uses a public network (such as the Internet) to connect remote sites or users together. MPLS VPNs use MPLS labels to forward packets between sites, instead of routing them based on their IP addresses. This allows for more efficient and secure communications, as well as the ability to create different virtual networks for different customers or applications.

MPLS VPNs can be configured in different ways, such as:

In both cases, MPLS VPNs use a technique called "VPN label" to identify the different VPNs and forward the packets to the correct destination. MPLS VPNs can also use security features such as encryption, to ensure that the data cannot be intercepted or tampered with while in transit.

MPLS VPNs are widely used by service providers to offer VPN services to their customers. They can also be used in enterprise networks to connect remote sites or branch offices together securely. It's also a good choice for interconnecting multiple sites of a large enterprise as it can provide high performance and better security compared to traditional VPN technologies.

MPLS vs SD-WAN

Multiprotocol Label Switching (MPLS) and Software-Defined WAN (SD-WAN) are both technologies used to connect remote sites or users together, but they have some key differences:

In summary, MPLS is a proven and reliable technology that is well-suited for organizations that require high levels of security and Quality of Service (QoS), while SD-WAN is a cost-effective and flexible option that is well-suited for organizations that need to connect multiple sites or users together in a dynamic way.

Configure the Interface Settings on All Routers and PCs (including Loopback Interfaces on Routers)

HQ>enable
HQ#configure terminal
HQ(config)#interface gigabitEthernet 0/1
HQ(config-if)#ip address 192.168.1.1 255.255.255.0
HQ(config-if)#no shutdown
HQ(config-if)#interface gigabitEthernet 0/3
HQ(config-if)#ip address 192.168.0.1 255.255.255.0
HQ(config-if)#no shutdown
HQ(config-if)#exit
HQ(config)#interface loopback 0
HQ(config-if)#ip address 1.1.1.1 255.255.255.0
HQ(config-if)#end

PE1>enable
PE1#configure terminal
PE1(config)#interface gigabitEthernet 0/0
PE1(config-if)#ip address 192.168.2.1 255.255.255.0
PE1(config-if)#no shutdown
PE1(config-if)#interface gigabitEthernet 0/1
PE1(config-if)#ip address 192.168.1.2 255.255.255.0
PE1(config-if)#no shutdown
PE1(config-if)#exit
PE1(config)#interface loopback 0
PE1(config-if)#ip address 2.2.2.2 255.255.255.0
PE1(config-if)#end

PR>enable
PR#configure terminal
PR(config)#interface gigabitEthernet 0/0
PR(config-if)#ip address 192.168.2.2 255.255.255.0
PR(config-if)#no shutdown
PR(config-if)#interface gigabitEthernet 0/1
PR(config-if)#ip address 192.168.3.1 255.255.255.0
PR(config-if)#no shutdown
PR(config-if)#exit
PR(config)#interface loopback 0
PR(config-if)#ip address 3.3.3.3 255.255.255.0
PR(config-if)#end

PE2>enable
PE2#configure terminal
PE2(config)#interface gigabitEthernet 0/0
PE2(config-if)#ip address 192.168.4.1 255.255.255.0
PE2(config-if)#no shutdown
PE2(config-if)#interface gigabitEthernet 0/1
PE2(config-if)#ip address 192.168.3.2 255.255.255.0
PE2(config-if)#no shutdown
PE2(config-if)#exit
PE2(config)#interface loopback 0
PE2(config-if)#ip address 4.4.4.4 255.255.255.0
PE2(config-if)#end

BO>enable
BO#configure terminal
BO(config)#interface gigabitEthernet 0/0
BO(config-if)#ip address 192.168.4.2 255.255.255.0
BO(config-if)#no shutdown
BO(config-if)#interface gigabitEthernet 0/3
BO(config-if)#ip address 192.168.5.1 255.255.255.0
BO(config-if)#no shutdown
BO(config-if)#exit
BO(config)#interface loopback 0
BO(config-if)#ip address 5.5.5.5 255.255.255.0
BO(config-if)#end

HQPC1>ip 192.168.0.10/24 192.168.0.1

BOPC1>ip 192.168.5.10/24 192.168.5.1

Setup OSPF Topology for the Provider Edge Routers (PE1 and PE2) and Provider Backbone Router (PR)

PE1>enable
PE1#configure terminal
PE1(config)#router ospf 1
PE1(config-router)#network 192.168.2.0 0.0.0.255 area 0
PE1(config-router)#network 2.2.2.0 0.0.0.255 area 0
PE1(config-router)#passive-interface gigabitEthernet 0/1

PR>enable
PR#configure terminal
PR(config)#router ospf 1
PR(config-router)#network 192.168.2.0 0.0.0.255 area 0
PR(config-router)#network 192.168.3.0 0.0.0.255 area 0
PR(config-router)#network 3.3.3.0 0.0.0.255 area 0

PE2>enable
PE2#configure terminal
PE2(config)#router ospf 1
PE2(config-router)#network 192.168.3.0 0.0.0.255 area 0
PE2(config-router)#network 4.4.4.0 0.0.0.255 area 0
PE2(config-router)#passive-interface gigabitEthernet 0/0

Set Up MPLS on the Provider Router Interfaces (Do NOT Include the Interfaces Facing the Customer Routers HQ and BO on PE1 and PE2)

PE1>enable
PE1#configure terminal
PE1(config)#interface gigabitEthernet 0/0
PE1(config-if)#mpls ip

PR>enable
PR#configure terminal
PR(config)#interface gigabitEthernet 0/0
PR(config-if)#mpls ip
PR(config-if)#interface gigabitEthernet 0/1
PR(config-if)#mpls ip

PE2>enable
PE2#configure terminal
PE2(config)#interface gigabitEthernet 0/1
PE2(config-if)#mpls ip

*You should see a message on the console about the LDP Neighbor switching to a status of UP. 

Now let's take a look at the Loopback interfaces by entering the command show mpls forwarding-table.

image.png

The mask shown for the Loopback interfaces is incorrect (OSPF advertises a loopback as a /32 host route by default, regardless of the configured mask), so we need to fix this by changing the OSPF network type on each loopback.

PE1(config)#interface loopback 0
PE1(config-if)#ip ospf network point-to-point

PR(config)#interface loopback 0
PR(config-if)#ip ospf network point-to-point

PE2(config)#interface loopback 0
PE2(config-if)#ip ospf network point-to-point

Check the MPLS forwarding-table again to see if the mask is now correct on the Loopbacks.

image.png

Looks good: the Loopback interfaces now show the correct subnet mask of /24.

One more thing: let's manually force the MPLS LDP router-id to be the Loopback interface IP.

PE1(config)#mpls ldp router-id loopback 0

PR(config)#mpls ldp router-id loopback 0

PE2(config)#mpls ldp router-id loopback 0

Setup Virtual Routing and Forwarding (VRF) for the Customer

PE1>enable
PE1#configure terminal
PE1(config)#ip vrf CUSTOMER
PE1(config-vrf)#rd 100:1
PE1(config-vrf)#route-target both 1:100
PE1(config-vrf)#exit
PE1(config)#interface gigabitEthernet 0/1
PE1(config-if)#ip vrf forwarding CUSTOMER

After setting the VRF on the interface, the IP address is removed and you will have to re-configure it.

image.png

PE1(config-if)#ip address 192.168.1.2 255.255.255.0

Now setup the VRF on router PE2 the same way.

PE2>enable
PE2#configure terminal
PE2(config)#ip vrf CUSTOMER
PE2(config-vrf)#rd 100:1
PE2(config-vrf)#route-target both 1:100
PE2(config-vrf)#exit
PE2(config)#interface gigabitEthernet 0/0
PE2(config-if)#ip vrf forwarding CUSTOMER

And don't forget to re-enter the IP configuration for the interface after.

PE2(config-if)#ip address 192.168.4.1 255.255.255.0

After setting up the VRF you will not be able to ping the interface on the HQ router (192.168.1.1) with a plain ping. This is because a regular ping without designating the VRF uses the global routing table instead of the virtual routing table of the CUSTOMER VRF. Instead, you have to designate the VRF in the ping command as follows: ping vrf CUSTOMER 192.168.1.1

image.png

Configure Dynamic Routing Protocols

EIGRP

HQ>enable
HQ#configure terminal
HQ(config)#router eigrp 100
HQ(config-router)#network 192.168.0.0
HQ(config-router)#network 192.168.1.0
HQ(config-router)#network 1.1.1.0
HQ(config-router)#no auto-summary

BO>enable
BO#configure terminal
BO(config)#router eigrp 100
BO(config-router)#network 192.168.4.0
BO(config-router)#network 192.168.5.0
BO(config-router)#network 5.5.5.0
BO(config-router)#no auto-summary

PE1>enable
PE1#configure terminal
PE1(config)#router eigrp 1
PE1(config-router)#address-family ipv4 vrf CUSTOMER
PE1(config-router-af)#autonomous-system 100
PE1(config-router-af)#network 192.168.1.0
PE1(config-router-af)#no auto-summary

You should see the EIGRP adjacency message pop up.

image.png

PE2>enable
PE2#configure terminal
PE2(config)#router eigrp 1
PE2(config-router)#address-family ipv4 vrf CUSTOMER
PE2(config-router-af)#autonomous-system 100
PE2(config-router-af)#network 192.168.4.0
PE2(config-router-af)#no auto-summary

In order to show the EIGRP neighbors from the Provider Edge Routers (PE1 and PE2), keep in mind that you have to include the VRF in the command: show ip eigrp vrf CUSTOMER neighbors.

image.png

We can also check the routing tables from the Provider routers, but again remember to include the correct VRF designation: show ip route vrf CUSTOMER

image.png

As can be seen above, the PE1 Provider Edge Router has learned about the Loopback interface IP of the HQ router as well as the LAN network 192.168.0.0. Also notice that I can ping HQPC1 from the gigabitEthernet 0/1 interface of PE1 but not from gigabitEthernet 0/0.

image.png

This is as expected because the 0/1 interface is participating in the VRF and knows about the virtual routing table pointing to HQ while the 0/0 interface is not part of the VRF.

iBGP (Internal)

PE1>enable
PE1#configure terminal
PE1(config)#router bgp 1
PE1(config-router)#neighbor 4.4.4.4 remote-as 1
PE1(config-router)#neighbor 4.4.4.4 update-source loopback 0

PE2>enable
PE2#configure terminal
PE2(config)#router bgp 1
PE2(config-router)#neighbor 2.2.2.2 remote-as 1
PE2(config-router)#neighbor 2.2.2.2 update-source loopback 0

You should see the BGP neighbor messages on PE1 and PE2 like below.

image.png

image.png

Now that we have BGP routing configured, we still need to configure the VPNv4 address family and ensure that we are sending communities. In Cisco BGP configuration, the "send-community" command configures the sending of community attributes to other BGP peers. Community attributes are used to group routes together and apply a common set of policies to them. The "send-community" command specifies whether to send the standard, extended, or both types of community attributes to a BGP peer; "both" is needed here because the MPLS VPN route targets are carried as extended communities. The command can also be used to specify whether or not to send the community attributes in both the outbound and inbound directions.

PE1(config)#router bgp 1
PE1(config-router)#address-family vpnv4
PE1(config-router-af)#neighbor 4.4.4.4 activate
PE1(config-router-af)#neighbor 4.4.4.4 send-community both

PE2(config)#router bgp 1
PE2(config-router)#address-family vpnv4
PE2(config-router-af)#neighbor 2.2.2.2 activate
PE2(config-router-af)#neighbor 2.2.2.2 send-community both

Redistribute Protocols

BGP into EIGRP

PE1#configure terminal
PE1(config)#router eigrp 1
PE1(config-router)#address-family ipv4 vrf CUSTOMER
PE1(config-router-af)#redistribute bgp 1 metric 1500 4000 200 10 1500

PE2#configure terminal
PE2(config)#router eigrp 1
PE2(config-router)#address-family ipv4 vrf CUSTOMER
PE2(config-router-af)#redistribute bgp 1 metric 1500 4000 200 10 1500

EIGRP into BGP

PE1#configure terminal
PE1(config)#router bgp 1
PE1(config-router)#address-family ipv4 vrf CUSTOMER
PE1(config-router-af)#redistribute eigrp 100

PE2#configure terminal
PE2(config)#router bgp 1
PE2(config-router)#address-family ipv4 vrf CUSTOMER
PE2(config-router-af)#redistribute eigrp 100

Verify Configuration

HQPC1>ping 192.168.5.10

image.png

BOPC1>ping 192.168.0.10

image.png

HQ#show ip eigrp topology

image.png

HQ#show ip route

image.png

PE1#show ip vrf

image.png

PE1#show ip vrf interfaces

image.png

PE1#show ip route vrf CUSTOMER

image.png

PE1#traceroute vrf CUSTOMER 192.168.5.10

image.png

PE1#show mpls interfaces

image.png

PE1#show mpls forwarding-table

image.png

PE1#show mpls ldp bindings

image.png

PE1#show mpls ldp neighbor

image.png

PE1#show bgp vpnv4 unicast all summary

image.png

PE1#show bgp vpnv4 unicast all neighbor 4.4.4.4 advertised-routes

image.png

PE1#show bgp vpnv4 unicast all neighbor 4.4.4.4 routes

image.png

Reference for Commands

GNS3 File

basic mpls.gns3

Cisco IOS Configure Router as DHCP Server

Network Lab Topology

CiscoRouterDHCP.png

Router0 Configuration Commands

Router0>enable
Router0#configure terminal
Router0(config)# interface fastEthernet 0/0
Router0(config-if)#ip address 192.168.10.1 255.255.255.0
Router0(config-if)#no shutdown
Router0(config-if)#exit
Router0(config)#service dhcp
Router0(config)#ip dhcp pool MAIN-POOL
Router0(dhcp-config)#network 192.168.10.0 255.255.255.0
Router0(dhcp-config)#default-router 192.168.10.1
Router0(dhcp-config)#dns-server 192.168.10.2
Router0(dhcp-config)#exit
Router0(config)#ip dhcp excluded-address 192.168.10.1 192.168.10.10

Cisco Packet Tracer File

net2 router dhcp.pkt

Cisco IOS Configure DHCP Relay with IP Helper Address

Network Topology

dhcprelaytopo.pkt.png

Router1 Configuration Commands

Router1>enable
Router1#configure terminal
Router1(config)# interface fastEthernet 0/0
Router1(config-if)#ip address 172.16.1.1 255.255.255.0
Router1(config-if)#no shutdown
Router1(config-if)#exit
Router1(config)#service dhcp
Router1(config)#ip dhcp pool MAIN-POOL
Router1(dhcp-config)#network 192.168.10.0 255.255.255.0
Router1(dhcp-config)#default-router 192.168.10.1
Router1(dhcp-config)#dns-server 192.168.10.2
Router1(dhcp-config)#exit
Router1(config)#ip dhcp excluded-address 192.168.10.1 192.168.10.10
Router1(config)#ip route 192.168.10.0 255.255.255.0 172.16.1.2

Router0 Configuration Commands

Router0>enable
Router0#configure terminal
Router0(config)# interface fastEthernet 0/1
Router0(config-if)#ip address 172.16.1.2 255.255.255.0
Router0(config-if)#no shutdown
Router0(config-if)#interface fastEthernet 0/0
Router0(config-if)#ip address 192.168.10.1 255.255.255.0
Router0(config-if)#ip helper-address 172.16.1.1
Router0(config-if)#no shutdown

Router1 DHCP Commands

Router1>enable
Router1#show ip dhcp pool MAIN-POOL

image.png

Router1#show ip dhcp binding

image.png

Cisco Packet Tracer File

net4 dhcp relay.pkt

Cisco IOS Configure Router as DNS Server

Network Topology

image.png

To create this topology, I used GNS3 instead of Cisco Packet Tracer because Packet Tracer routers do not simulate the "ip dns server" command. In the above network Router0 is being configured as a DNS server. Through the configuration of Router0 I wanted not only to demonstrate the router's ability to resolve local hosts on the network, but also to show how DNS queries that Router0 is unable to resolve can be forwarded to a real DNS server (1.1.1.1) on the Internet. In this way Router0 has been configured to forward unknown requests to Cloudflare and APNIC's DNS server at 1.1.1.1. I also decided to use a real Windows 2016 Server appliance in the topology. I could just as easily have used another VPCS or QEMU device, but it gave me an opportunity to revisit GNS3 Windows appliances. Also, it is not best practice to use a network router as the DNS server, but it can be done, as this shows.

Router0 Configuration Commands

Router0>enable
Router0#configure terminal
Router0(config)# interface gigabitEthernet 0/0
Router0(config-if)#ip address 192.168.10.1 255.255.255.0
Router0(config-if)#no shutdown
Router0(config-if)#interface gigabitEthernet 0/1
Router0(config-if)#ip address 172.16.1.1 255.255.255.248
Router0(config-if)#no shutdown
Router0(config-if)#exit
Router0(config)#ip dns server
Router0(config)#ip domain-name local
Router0(config)#ip name-server 1.1.1.1
Router0(config)# ip host fileserver.local 192.168.10.2
Router0(config)# ip host pc1.local 192.168.10.3
Router0(config)# ip host pc2.local 192.168.10.4
Router0(config)# ip host router0.local 192.168.10.1
Router0(config)# ip host router1.local 172.16.1.2
Router0(config)# ip host router2.local 172.16.2.1
Router0(config)# ip default-network 192.168.2.0
Router0(config)# router ospf 1
Router0(config-router)# network 172.16.1.0 0.0.0.7 area 0
Router0(config-router)# network 192.168.10.0 0.0.0.255 area 0

Router1 Configuration Commands

Router1>enable
Router1#configure terminal
Router1(config)# interface gigabitEthernet 0/0
Router1(config-if)#ip address 172.16.1.2 255.255.255.248
Router1(config-if)#no shutdown
Router1(config-if)#interface gigabitEthernet 0/1
Router1(config-if)#ip address 172.16.2.2 255.255.255.248
Router1(config-if)#no shutdown
Router1(config-if)#exit
Router1(config)#ip name-server 172.16.1.1
Router1(config)# ip default-network 192.168.2.0
Router1(config)# router ospf 1
Router1(config-router)# network 172.16.1.0 0.0.0.7 area 0
Router1(config-router)# network 172.16.2.0 0.0.0.7 area 0

Router2 Configuration Commands

Router2>enable
Router2#configure terminal
Router2(config)# interface gigabitEthernet 0/0
Router2(config-if)#ip address dhcp
Router2(config-if)#no shutdown
Router2(config-if)#ip nat outside
Router2(config-if)#interface gigabitEthernet 0/1
Router2(config-if)#ip address 172.16.2.1 255.255.255.248
Router2(config-if)#no shutdown
Router2(config-if)#ip nat inside
Router2(config-if)#exit
Router2(config)#ip nat inside source list 1 interface gigabitEthernet0/0 overload
Router2(config)#access-list 1 permit any
Router2(config)# router ospf 1
Router2(config-router)# network 192.168.2.0 0.0.0.255 area 0
Router2(config-router)# network 172.16.2.0 0.0.0.7 area 0

The NAT configuration on Router2 is there so that the network can communicate with the connected network and then with the Internet through the GNS3 cloud object. I did this to demonstrate the DNS forwarder on Router0 to 1.1.1.1. Also, the IP address on gigabitEthernet 0/0 is set for DHCP as it is getting an address from my network DHCP server. You could also make this a static address if desired. If you do set a static IP address, remember to configure a gateway of last resort; the DHCP setting configures that for the interface automatically.

Check DNS (a few ping examples)

PC1>ping fileserver.local

image.png

PC1>ping router2.local

image.png

PC1>ping www.google.com

image.png

Check the configured DNS Hosts on Router0

Router0#show hosts

image.png

GNS3 File

net11 cisco router dns server.gns3

Cisco IOS VRF-Lite

Network Topology

image.png

Difference Between VRF and VRF-Lite Explained

VRF (Virtual Routing and Forwarding) and VRF-Lite (also known as Multi-VRF CE or MVPN) are both technologies used in networking to create multiple virtual routing and forwarding instances within a single physical router.

The main difference between the two is in the scope of their implementation. VRF is typically used in service provider networks, where it allows for multiple customers to share the same physical infrastructure while still maintaining separate and isolated routing domains. VRF-Lite, on the other hand, is typically used in enterprise networks, where it allows for multiple logical networks to be created within a single physical network infrastructure.

In summary, VRF is used for service provider networks, and VRF-Lite is used for enterprise networks.

Scenario

Company A has just completed an M&A process and acquired Company B. As part of the post-acquisition integration process, the decision was made to move Company B's IT equipment into the datacenter hosting facility used by Company A. However, there are some critical elements in Company B, such as network addressing and routing, that cannot be immediately changed and must stay in place. It is a must, at least in the near to medium term, to keep the Company B Accounting and Finance systems separate and secured from other parts of the overall company network while still providing the necessary access to authorized users and their computers. Additionally, it was discovered that Company B uses the same network subnet as Company A for the uplink to the Company B main router. This has further complicated the plan to consolidate the topology to just one main router (HQ_DC). However, you have a plan to use VRF-Lite and some VLAN architecture to solve these challenges.

Configuration

These configuration steps will demonstrate the configuration for both Company A and Company B for completeness.  Obviously in the scenario much of Company A's infrastructure configuration would already be done.

CompanyA Router

CompanyA>enable
CompanyA#configure terminal
CompanyA(config)#interface gigabitEthernet 0/3
CompanyA(config-if)#ip address 192.168.10.1 255.255.255.0
CompanyA(config-if)#no shutdown
CompanyA(config-if)#interface gigabitEthernet 0/0
CompanyA(config-if)#ip address 172.16.0.1 255.255.255.252
CompanyA(config-if)#no shutdown
CompanyA(config-if)#exit
CompanyA(config)#router eigrp 100
CompanyA(config-router)#network 0.0.0.0 0.0.0.0
CompanyA(config-router)#no auto-summary
CompanyA(config-router)#end

CompanyB Router

CompanyB>enable
CompanyB#configure terminal
CompanyB(config)#interface gigabitEthernet 0/3
CompanyB(config-if)#ip address 192.168.20.1 255.255.255.0
CompanyB(config-if)#no shutdown
CompanyB(config-if)#interface gigabitEthernet 0/0
CompanyB(config-if)#ip address 172.16.0.1 255.255.255.252
CompanyB(config-if)#no shutdown
CompanyB(config-if)#exit
CompanyB(config)#router eigrp 100
CompanyB(config-router)#network 0.0.0.0 0.0.0.0
CompanyB(config-router)#no auto-summary
CompanyB(config-router)#end

HQ_DC Router

HQ_DC>enable
HQ_DC#configure terminal
HQ_DC(config)#ip vrf COMPANYA
HQ_DC(config-vrf)#exit
HQ_DC(config)#ip vrf COMPANYB
HQ_DC(config-vrf)#exit
HQ_DC(config)#interface gigabitEthernet 0/0
HQ_DC(config-if)#description COMPANYA main circuit
HQ_DC(config-if)#ip vrf forwarding COMPANYA
HQ_DC(config-if)#ip address 172.16.0.2 255.255.255.252
HQ_DC(config-if)#no shutdown
HQ_DC(config-if)#exit
HQ_DC(config)#interface gigabitEthernet 0/1
HQ_DC(config-if)#description COMPANYB main circuit
HQ_DC(config-if)#ip vrf forwarding COMPANYB
HQ_DC(config-if)#ip address 172.16.0.2 255.255.255.252
HQ_DC(config-if)#no shutdown
HQ_DC(config-if)#exit
HQ_DC(config)#interface gigabitEthernet 0/2
HQ_DC(config-if)#no shutdown
HQ_DC(config-if)#interface gigabitEthernet 0/2.100
HQ_DC(config-subif)#description COMPANYA dc circuit
HQ_DC(config-subif)#encapsulation dot1q 100
HQ_DC(config-subif)#ip vrf forwarding COMPANYA
HQ_DC(config-subif)#ip address 192.168.100.1 255.255.255.0
HQ_DC(config-subif)#interface gigabitEthernet 0/2.200
HQ_DC(config-subif)#description COMPANYB dc circuit
HQ_DC(config-subif)#encapsulation dot1q 200
HQ_DC(config-subif)#ip vrf forwarding COMPANYB
HQ_DC(config-subif)#ip address 192.168.200.1 255.255.255.0
HQ_DC(config-subif)#exit
HQ_DC(config)#router eigrp 1
HQ_DC(config-router)#address-family ipv4 vrf COMPANYA
HQ_DC(config-router-af)#network 0.0.0.0 0.0.0.0
HQ_DC(config-router-af)#autonomous-system 100
HQ_DC(config-router-af)#no auto-summary
HQ_DC(config-router-af)#exit
HQ_DC(config-router)#address-family ipv4 vrf COMPANYB
HQ_DC(config-router-af)#network 0.0.0.0 0.0.0.0
HQ_DC(config-router-af)#autonomous-system 100
HQ_DC(config-router-af)#no auto-summary

HQ_DC_SW1 Switch

HQ_DC_SW1>enable
HQ_DC_SW1#configure terminal
HQ_DC_SW1(config)#vlan 100
HQ_DC_SW1(config-vlan)#name COMPANYA
HQ_DC_SW1(config-vlan)#exit
HQ_DC_SW1(config)#vlan 200
HQ_DC_SW1(config-vlan)#name COMPANYB
HQ_DC_SW1(config-vlan)#exit
HQ_DC_SW1(config)#interface gigabitEthernet 0/2
HQ_DC_SW1(config-if)#switchport trunk encapsulation dot1q
HQ_DC_SW1(config-if)#switchport mode trunk
HQ_DC_SW1(config-if)#switchport trunk allowed vlan 100,200
HQ_DC_SW1(config-if)#interface gigabitEthernet 0/0
HQ_DC_SW1(config-if)#switchport access vlan 100
HQ_DC_SW1(config-if)#interface gigabitEthernet 0/1
HQ_DC_SW1(config-if)#switchport access vlan 200
HQ_DC_SW1(config-if)#exit
HQ_DC_SW1(config)#interface vlan 100
HQ_DC_SW1(config-if)#ip address 192.168.100.2 255.255.255.0
HQ_DC_SW1(config-if)#exit
HQ_DC_SW1(config)#interface vlan 200
HQ_DC_SW1(config-if)#ip address 192.168.200.2 255.255.255.0

PCs and Servers

PC1>ip 192.168.10.10/24 192.168.10.1

PC2>ip 192.168.20.20/24 192.168.20.1

COMPA_ACCT> ip address 192.168.100.10/24 192.168.100.1

COMPB_ACCT> ip address 192.168.200.20/24 192.168.200.1

Test and Verify Connectivity and Configuration

image.png

image.png

image.png

image.png

image.png

image.png

image.png

image.png

image.png

GNS3 File

vrf2.gns3

Cisco IOS Site to Site VPN (Router)

Network Topology

image.png

In this network configuration we build a site-to-site VPN between Router1 and Router2 across the link through Router0.

First let's set up the IP and routing information on all three routers as well as the two PCs.

Router0 IP and Routing Configuration Commands

Router0>enable
Router0#configure terminal
Router0(config)# interface serial 0/0/0
Router0(config-if)#ip address 172.16.1.1 255.255.255.248
Router0(config-if)#no shutdown
Router0(config-if)#interface serial 0/0/1
Router0(config-if)#ip address 172.16.2.1 255.255.255.248
Router0(config-if)#no shutdown
Router0(config-if)#exit
Router0(config)#ip route 192.168.10.0 255.255.255.0 172.16.1.2
Router0(config)#ip route 192.168.20.0 255.255.255.0 172.16.2.2

Router1 IP and Routing Configuration Commands

Router1>enable
Router1#configure terminal
Router1(config)# interface serial 0/0/0
Router1(config-if)#ip address 172.16.1.2 255.255.255.248
Router1(config-if)#no shutdown
Router1(config-if)#interface fastEthernet 0/0
Router1(config-if)#ip address 192.168.10.1 255.255.255.0
Router1(config-if)#no shutdown
Router1(config-if)#exit
Router1(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.1

Router2 IP and Routing Configuration Commands

Router2>enable
Router2#configure terminal
Router2(config)# interface serial 0/0/0
Router2(config-if)#ip address 172.16.2.2 255.255.255.248
Router2(config-if)#no shutdown
Router2(config-if)#interface fastEthernet 0/0
Router2(config-if)#ip address 192.168.20.1 255.255.255.0
Router2(config-if)#no shutdown
Router2(config-if)#exit
Router2(config)#ip route 0.0.0.0 0.0.0.0 172.16.2.1

PC Computers IP Configuration

image.png

image.png

Now that all the routers and PCs have their IP addressing and routing information configured, it is time to move on to the specific configuration for enabling the Site-to-Site VPN. This process can be divided into four phases.

Phase 1 - The Key Exchange Setup

crypto isakmp enable
crypto isakmp policy 10
    Notes: The number can be any number between 1 and 10,000. It identifies the priority of the policy.
encryption aes
    Notes: This could be 3des, but aes is more robust.
hash sha
    Notes: sha = secure hash algorithm. md5 could be used, but sha is more robust.
group 1
    Notes: Specifies the Diffie-Hellman group identifier, which the two IPsec peers use to derive a shared secret without transmitting it to each other. Group 1 is 768-bit.
lifetime 3600
    Notes: Specifies the Security Association (SA) lifetime. The default is 86,400 seconds or 24 hours. As a general rule, a shorter lifetime provides more secure ISAKMP negotiations (up to a point). However, with shorter lifetimes, the security appliance sets up future IPsec SAs more quickly.
authentication pre-share
crypto isakmp key ciscokey123 address 172.16.2.2
    Notes: The key (ciscokey123) is just a text string that has to match on both sides of the connection. The IP address is the public IP address of our peer on the other side of the VPN connection.

Phase 2 - Encrypting the Tunnel

crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
    Notes: vpnset is the set name and can be changed. The algorithms could be esp-3des and esp-md5-hmac.
crypto map vpnset 10 ipsec-isakmp
    Notes: The number is any number between 1 and 65,535 that identifies the sequence to insert into the crypto map.
set transform-set vpnset
match address 100
    Notes: Match the addresses in the access control list coming up. This will identify the inside-to-inside traffic flow.
set peer 172.16.2.2
    Notes: This is the other router's outside interface.

Phase 3 - Applying the Crypto Map to the Outside Router Interface

int s0/0/0
    Notes: Whatever the outside interface of the router is (f0/0, g0/2, etc.).
crypto map vpnset

Phase 4 - Creating an Access List to Identify the Traffic Flow (inside to inside LAN traffic)

access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
    Notes: These are the inside addresses of both routers.

Let's start with Router1

Router1 VPN Configuration Commands

Router1>enable
Router1#configure terminal
Router1(config)#crypto isakmp enable
Router1(config)#crypto isakmp policy 10
Router1(config-isakmp)#encryption aes
Router1(config-isakmp)#hash sha
Router1(config-isakmp)#group 1
Router1(config-isakmp)#lifetime 3600
Router1(config-isakmp)#authentication pre-share
Router1(config-isakmp)#exit
Router1(config)#crypto isakmp key ciscokey123 address 172.16.2.2
Router1(config)#crypto map vpnset 10 ipsec-isakmp
Router1(config-crypto-map)#set transform-set vpnset
Router1(config-crypto-map)#match address 100
Router1(config-crypto-map)#set peer 172.16.2.2
Router1(config-crypto-map)#exit
Router1(config)#int serial 0/0/0
Router1(config-if)#crypto map vpnset
Router1(config-if)#exit
Router1(config)#access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

Router2 VPN Configuration Commands

Router2>enable
Router2#configure terminal
Router2(config)#crypto isakmp enable
Router2(config)#crypto isakmp policy 10
Router2(config-isakmp)#encryption aes
Router2(config-isakmp)#hash sha
Router2(config-isakmp)#group 1
Router2(config-isakmp)#lifetime 3600
Router2(config-isakmp)#authentication pre-share
Router2(config-isakmp)#exit
Router2(config)#crypto isakmp key ciscokey123 address 172.16.1.2
Router2(config)#crypto map vpnset 10 ipsec-isakmp
Router2(config-crypto-map)#set transform-set vpnset
Router2(config-crypto-map)#match address 100
Router2(config-crypto-map)#set peer 172.16.1.2
Router2(config-crypto-map)#exit
Router2(config)#int serial 0/0/0
Router2(config-if)#crypto map vpnset
Router2(config-if)#exit
Router2(config)#access-list 100 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
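The Phase 1 to Phase 4 notes above describe what each command does, but two things are easy to get wrong on a pair of routers: the two peers must reference each other's crypto-map interface address with mirror-image crypto ACLs, and the policy values chosen here (DH group 1, SHA-1 hashing, esp-sha-hmac) are legacy settings by today's standards. The following added example, which is not part of the page's own commands, parses both routers' VPN lines in running-config form (a constructed sample built from the commands above; Router2 is derived by swapping the two serial addresses and the two LANs) and reports legacy algorithms and peer asymmetries. The default values it assumes for absent policy lines (des, sha, group 1) are the IOS IKEv1 defaults.

```python
"""Audit IOS site-to-site VPN configs for legacy crypto and peer mismatches (added example)."""
import re
from ipaddress import IPv4Network

# Constructed sample input: Router1's VPN lines as 'show running-config' prints them.
ROUTER1_CONFIG = """
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 1
 lifetime 3600
crypto isakmp key ciscokey123 address 172.16.2.2
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
crypto map vpnset 10 ipsec-isakmp
 set peer 172.16.2.2
 set transform-set vpnset
 match address 100
interface Serial0/0/0
 ip address 172.16.1.2 255.255.255.248
 crypto map vpnset
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
"""
# Router2 is the mirror image: swap the two serial addresses and the two LAN prefixes.
_SWAP = {"172.16.2.2": "172.16.1.2", "172.16.1.2": "172.16.2.2",
         "192.168.10.0": "192.168.20.0", "192.168.20.0": "192.168.10.0"}
ROUTER2_CONFIG = re.sub(r"172\.16\.[12]\.2|192\.168\.[12]0\.0", lambda m: _SWAP[m.group(0)], ROUTER1_CONFIG)

def parse_vpn_config(text):
    """Extract IKE policies, transform sets, the crypto map's peer/ACL and the map's interface address."""
    cfg = {"policies": {}, "transform_sets": {}, "peer": None, "acl_id": None,
           "acl": [], "local_ip": None, "intf_ip": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):                       # top-level command: new section
            section = None
            if m := re.match(r"crypto isakmp policy (\d+)", line):
                section = ("policy", int(m.group(1)))
                cfg["policies"][section[1]] = {}
            elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
                cfg["transform_sets"][m.group(1)] = m.group(2).split()
            elif re.match(r"crypto map \S+ \d+ ipsec-isakmp", line):
                section = ("map",)
            elif m := re.match(r"interface (\S+)", line):
                section = ("intf", m.group(1))
            elif m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
                # ipaddress accepts the IOS wildcard (host) mask form directly
                cfg["acl"].append((int(m.group(1)), IPv4Network(f"{m.group(2)}/{m.group(3)}"),
                                   IPv4Network(f"{m.group(4)}/{m.group(5)}")))
        elif section and section[0] == "policy":
            key, _, val = line.partition(" ")              # 'encr' and 'encryption' are the same keyword
            cfg["policies"][section[1]]["encr" if key == "encryption" else key] = val
        elif section and section[0] == "map":
            if m := re.match(r"set peer (\S+)", line):
                cfg["peer"] = m.group(1)
            elif m := re.match(r"match address (\d+)", line):
                cfg["acl_id"] = int(m.group(1))
        elif section and section[0] == "intf":
            if m := re.match(r"ip address (\S+) \S+", line):
                cfg["intf_ip"][section[1]] = m.group(1)
            elif line.startswith("crypto map "):          # the map is bound to this interface's address
                cfg["local_ip"] = cfg["intf_ip"].get(section[1])
    return cfg

LEGACY_DH = {"1", "2", "5"}                               # 768/1024/1536-bit MODP groups
LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}

def audit_vpn(cfg):
    """Findings for legacy IKEv1/IPsec settings; IOS defaults are assumed for absent policy lines."""
    findings = []
    for num, pol in sorted(cfg["policies"].items()):
        group, hsh, encr = pol.get("group", "1"), pol.get("hash", "sha"), pol.get("encr", "des")
        if group in LEGACY_DH:
            findings.append(f"isakmp policy {num}: DH group {group} is weak, use group 14 or higher")
        if hsh in {"sha", "md5"}:
            findings.append(f"isakmp policy {num}: hash {hsh} is SHA-1/MD5, prefer sha256 or stronger")
        if encr in {"des", "3des"}:
            findings.append(f"isakmp policy {num}: encryption {encr} is obsolete, use aes")
    for name, algs in cfg["transform_sets"].items():
        legacy = sorted(set(algs) & LEGACY_TRANSFORMS)
        if legacy:
            findings.append(f"transform-set {name}: legacy algorithms {', '.join(legacy)}")
    return findings

def check_peer_symmetry(a, b):
    """Each peer must point at the other's crypto-map interface and use a mirror-image crypto ACL."""
    problems = []
    if a["peer"] != b["local_ip"] or b["peer"] != a["local_ip"]:
        problems.append("set peer does not match the far side's crypto-map interface address")
    acl_a = {(s, d) for i, s, d in a["acl"] if i == a["acl_id"]}
    acl_b = {(d, s) for i, s, d in b["acl"] if i == b["acl_id"]}
    if not acl_a or acl_a != acl_b:
        problems.append("crypto ACLs are missing or not mirror images of each other")
    return problems

if __name__ == "__main__":
    r1, r2 = parse_vpn_config(ROUTER1_CONFIG), parse_vpn_config(ROUTER2_CONFIG)
    for finding in audit_vpn(r1) + check_peer_symmetry(r1, r2):
        print(finding)
```

Run against the lab's configuration it reports three findings (DH group 1, SHA-1 hashing, and esp-sha-hmac in the transform set) and no peer asymmetry; changing one side's crypto ACL or peer address produces a symmetry problem, which is the usual reason a tunnel negotiates Phase 1 but never passes traffic.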

Check Status of VPN

Check the status of the Internet Security Association and Key Management Protocol (ISAKMP) Security Associations (SAs) built between the peers.

Router1#show crypto isakmp sa

image.png

If you run the command right after establishing the VPN you might see a blank status screen. You can wait for connections to start establishing across the VPN or you can simply do a ping across the VPN. When you run the command again you should see a more informative status like this.

image.png

You can see from the output above the destination's (Router2) IP address and the source's (Router1). Most importantly, the status shows that the security association (link) is ACTIVE.

Check the Internet Security Association and Key Management Protocol (ISAKMP) Policy

Router1#show crypto isakmp policy

image.png

As you can see our new ISAKMP policy is at a higher priority than the default protection suite policy.  This output shows the priority, the encryption type (AES), the authentication method (pre-shared), the Diffie-Hellman group (1), and the lifetime (3600).  These are all the values we set in the configuration.

Check the Crypto Map Settings

Router1#show crypto map

image.png

This shows a wealth of information about the configured crypto map, including the name and sequence number. The configured peer is visible. The access-list is present, as well as the interface that the map is assigned to.

Check the IPSEC Security Association


Router1#show crypto ipsec sa

image.png

There is a lot of information given by this command, but probably the most valuable is the highlighted area above showing that encapsulation and decapsulation are taking place across the VPN. Additionally, you can see the status of the inbound and outbound tunnels and the configured encryption algorithms.

Check Ping from PC0 to PC1 and vice versa

image.png

The first ping will most likely lose some packets, but subsequent pings will complete 100%.

image.png

Cisco Packet Tracer File

net13 site to site vpn.pkt

Cisco ASA 5505 Internet Access

Network Topology

image.png

Step 1 - Remove Existing ASA Configuration

In Cisco Packet Tracer the ASA 5505 already starts out with some configuration, as shown by the show running-config command output below.

image.png

It also has a dhcpd server enabled and partially configured.

image.png

In addition, there are configured VLAN interfaces with assigned Ethernet interfaces.

image.png

To create our own configuration, we will have to first dismantle the configuration elements that already are in place.

ciscoasa>enable
password:
ciscoasa#configure terminal
ciscoasa(config)#hostname ASA0
ASA0(config)#interface vlan 1
ASA0(config-if)#no ip address
ASA0(config-if)#exit
ASA0(config)#no dhcpd address 192.168.1.5-192.168.1.36 inside
ASA0(config)#end
ASA0#show running-config

image.png

Step 2 - Configure VLAN Interfaces, Assign Ethernet Interfaces to Correct VLANs, and Ensure Correct Security-Levels

ASA0#configure terminal
ASA0(config)#interface vlan 1
ASA0(config-if)#ip address 192.168.10.1 255.255.255.0
ASA0(config-if)#nameif inside
ASA0(config-if)#security-level 100
ASA0(config-if)#no shutdown
ASA0(config-if)#exit
ASA0(config)#interface vlan 2
ASA0(config-if)#ip address 172.16.1.1 255.255.255.0
ASA0(config-if)#nameif outside
ASA0(config-if)#security-level 0
ASA0(config-if)#no shutdown
ASA0(config-if)#exit
ASA0(config)#interface ethernet 0/1
ASA0(config-if)#switchport access vlan 1
ASA0(config-if)#exit
ASA0(config)#interface ethernet 0/0
ASA0(config-if)#switchport access vlan 2
ASA0(config-if)#end
ASA0#show running-config

image.png

ASA0#show switch vlan

image.png

Step 3 - Configure the ISP Router

Now it's time to configure the router. This router (Router0) plays the role of the ISP router on the far side of our connection to the Internet. In this configuration I will be using OSPF to dynamically route the networks 172.16.1.0/24 and 8.8.8.0/24. You could just as easily use static routes and default gateways or even another dynamic routing protocol. I just chose OSPF.

Router0>enable
Router0#configure terminal
Router0(config)#interface fastEthernet 0/0
Router0(config-if)#ip address 172.16.1.2 255.255.255.0
Router0(config-if)#no shutdown
Router0(config-if)#interface fastEthernet 0/1
Router0(config-if)#ip address 8.8.8.1 255.255.255.0
Router0(config-if)#no shutdown
Router0(config-if)#exit
Router0(config)#router ospf 1
Router0(config-router)#network 172.16.1.0 0.0.0.255 area 0
Router0(config-router)#network 8.8.8.0 0.0.0.255 area 0
Router0(config-router)#end
Router0#

Step 4 - Configure DHCP Server on ASA

Next let's configure the DHCP server addressing on the ASA0 firewall. The dhcpd is already enabled; we just have to configure the correct addressing to match our internal LAN subnet. Before we configure the ASA, though, make sure PC0 and PC1 are set to obtain their IP addresses via DHCP.

image.png

ASA0#configure terminal
ASA0(config)#dhcpd address 192.168.10.20-192.168.10.30 inside
ASA0(config)#dhcpd dns 8.8.8.8 interface inside
ASA0(config)#end
ASA0#show running-config

image.png

Check PC0 and PC1 IP addresses

image.png

image.png

DHCP is working properly.

Step 5 - Configure Default Route on ASA, Create Network Object, and Configure Network Address Translation (NAT)

ASA0#configure terminal
ASA0(config)#route outside 0.0.0.0 0.0.0.0 172.16.1.2
ASA0(config)#object network LAN
ASA0(config-network-object)#subnet 192.168.10.0 255.255.255.0
ASA0(config-network-object)#nat (inside,outside) dynamic interface
ASA0(config-network-object)#exit
ASA0(config)#access-list in_to_internet extended permit tcp any any
ASA0(config)#access-list in_to_internet extended permit icmp any any
ASA0(config)#access-group in_to_internet in interface outside
ASA0(config)#

Now check the ping to the server at 8.8.8.8 from PC0 or PC1.

image.png

Now we will verify NAT.

ASA0#show xlate

image.png

There is nothing to show yet, so start a continuous ping from PC0 and PC1 (ping -t 8.8.8.8) and re-run the show xlate command on the ASA.

ASA0#show xlate

image.png

ASA0#show nat

image.png

Cisco Packet Tracer File

asa 5505 internet access.pkt

Cisco IOS Private VLANs

Network Topology

image.png

What is a Private VLAN?

A private VLAN, also known as a private LAN, is a VLAN (Virtual Local Area Network) that is used to segment a larger network into smaller, more secure subnets. It is used to isolate different types of traffic or to separate sensitive or confidential information from other network traffic.

A private VLAN typically consists of three types of ports: promiscuous ports, isolated ports, and community ports (isolated and community ports are both host ports). Promiscuous ports can communicate with all other ports in the private VLAN, while isolated ports can only communicate with promiscuous ports. Community ports can communicate with other ports in the same community and with the promiscuous ports. This allows for a high level of granularity in terms of controlling access and isolating different types of traffic on a network.

Promiscuous ports, isolated ports, and community ports are different types of ports that are used in private VLAN (PVLAN) environments to control access and isolate different types of traffic on a network.

  1. Promiscuous Ports: These ports can communicate with all other ports in the private VLAN, including host and community ports. They are typically used for gateway or router connections and can be used to access shared resources or provide access to other networks.
  2. Isolated Ports: These ports can only communicate with the associated promiscuous port and cannot communicate with other isolated or community ports. They are typically used to isolate sensitive or confidential information and prevent it from being accessed by other parts of the network.
  3. Community Ports: These ports can communicate with other ports within the same community and with the promiscuous ports, but not with other communities or with isolated ports. They are used to create isolated groups within a private VLAN and to control access to shared resources.

In summary, promiscuous ports allow communication with all other ports in the PVLAN, isolated ports are used to isolate sensitive information and prevent it from being accessed by other parts of the network, and community ports are used to create isolated groups within a PVLAN and control access to shared resources.

Private VLANs are often used in enterprise networks, data centers, and service provider environments to segment traffic and provide additional security. They can also be used to isolate guest or IoT traffic, to separate different departments or groups within an organization, or to separate different types of traffic on a network.

What is a Private Isolated VLAN?

A private isolated VLAN is a good solution for keeping sensitive or confidential information separate from other network traffic. It can be used for segmenting a network into secure and non-secure zones, for example, to isolate traffic from a secure server or database from the rest of the network. Additionally, it can be used to create secure zones for specific departments or groups within an organization, or to separate different types of traffic on a network, such as guest or IoT traffic. Some things that Private VLANs can be beneficial for include:

  1. Segmenting a network into secure and non-secure zones: In this scenario, a private isolated VLAN would be used to separate sensitive or confidential information from other network traffic. This could include separating a secure server or database from the rest of the network, or isolating traffic from a specific department or group that handles sensitive information.
  2. Isolating guest traffic: In a scenario where guest wireless access is provided, a private isolated VLAN could be used to separate guest traffic from internal network traffic. This would help to prevent guests from accessing sensitive or confidential information on the internal network.
  3. Isolating IoT traffic: In a scenario where there are a large number of IoT devices connected to a network, a private isolated VLAN could be used to separate IoT traffic from other network traffic. This would help to prevent IoT devices from accessing sensitive or confidential information on the network and also prevent any potential security risks from these devices.
  4. Isolating different types of traffic: In a scenario where there are multiple types of traffic on a network, such as voice and data traffic, a private isolated VLAN could be used to separate the different types of traffic. This would help to ensure that voice traffic, for example, is prioritized over data traffic, and that there is no interference between the different types of traffic on the network.

Configuration

This configuration is being done in GNS3. In order to accomplish this topology in GNS3 you have to have the Cisco IOSvL2 switch image. The scenario is that the company has three network segments (VLANs 100, 200, and 400) in which the PCs of each department can communicate within their designated VLAN and out through the Gateway. However, as a matter of policy, those three VLANs are not allowed to communicate with the other VLANs. Lastly, there is a fourth VLAN (VLAN 300) in a LAN segment that has been designated as needing a high degree of security. Therefore, VLAN 300 will be set up as a private isolated VLAN. Thus, the PCs in this VLAN will only be able to communicate with the Gateway. They will even be prevented from communicating with each other, as is the nature of an isolated private VLAN.

PCs

PC100_1>ip 192.168.1.1/24 192.168.1.254
PC100_2>ip 192.168.1.2/24 192.168.1.254
PC200_1>ip 192.168.1.3/24 192.168.1.254
PC200_2>ip 192.168.1.4/24 192.168.1.254
PC300_1>ip 192.168.1.5/24 192.168.1.254
PC300_2>ip 192.168.1.6/24 192.168.1.254
PC400_1>ip 192.168.1.7/24 192.168.1.254
PC400_2>ip 192.168.1.8/24 192.168.1.254

Gateway

Gateway>enable
Gateway#configure terminal
Gateway(config)#interface gigabitEthernet 0/0
Gateway(config-if)#ip address 192.168.1.254 255.255.255.0
Gateway(config-if)#no shutdown

SW1

SW1>enable
SW1#configure terminal
SW1(config)#vtp mode transparent
SW1(config)#vlan 100
SW1(config-vlan)#private-vlan community
SW1(config-vlan)#exit
SW1(config)#vlan 200
SW1(config-vlan)#private-vlan community
SW1(config-vlan)#exit
SW1(config)#vlan 300
SW1(config-vlan)#private-vlan isolated
SW1(config-vlan)#exit
SW1(config)#vlan 400
SW1(config-vlan)#private-vlan community
SW1(config-vlan)#exit
SW1(config)#vlan 500
SW1(config-vlan)#private-vlan primary
SW1(config-vlan)#private-vlan association 100,200,300,400
SW1(config-vlan)#exit
SW1(config)#interface gigabitEthernet 0/1
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 500 100
SW1(config-if)#interface gigabitEthernet 0/2
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 500 100
SW1(config-if)#interface gigabitEthernet 0/3
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 500 200
SW1(config-if)#interface gigabitEthernet 1/0
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 500 200
SW1(config-if)#interface gigabitEthernet 2/0
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 500 300
SW1(config-if)#interface gigabitEthernet 1/3
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 500 300
SW1(config-if)#interface gigabitEthernet 1/2
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 500 400
SW1(config-if)#interface gigabitEthernet 1/1
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 500 400
SW1(config-if)#interface gigabitEthernet 0/0
SW1(config-if)#switchport mode private-vlan promiscuous
SW1(config-if)#switchport private-vlan mapping 500 100,200,300,400
SW1(config-if)#end
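The port-type rules described under "What is a Private VLAN?" decide which of the scenarios below succeed, and it helps to be able to predict them from the configuration before testing with pings. The following added example (not code from the page or from GNS3) parses a running-config style copy of SW1's private-VLAN commands, constructed here from the commands above with the VLAN 100, 200 and 300 ports and the promiscuous gateway port, and applies the rules: host ports must share a primary VLAN with the promiscuous port and their secondary VLAN must be both associated and mapped; two host ports only reach each other when they sit in the same community VLAN; isolated ports never reach each other.

```python
"""Model Cisco private-VLAN forwarding rules and predict port-to-port reachability (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample input: a subset of SW1's PVLAN configuration in running-config form.
SW1_CONFIG = """
vlan 100
 private-vlan community
vlan 200
 private-vlan community
vlan 300
 private-vlan isolated
vlan 500
 private-vlan primary
 private-vlan association 100,200,300,400
interface GigabitEthernet0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 500 100
interface GigabitEthernet0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 500 100
interface GigabitEthernet0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 500 200
interface GigabitEthernet2/0
 switchport mode private-vlan host
 switchport private-vlan host-association 500 300
interface GigabitEthernet1/3
 switchport mode private-vlan host
 switchport private-vlan host-association 500 300
interface GigabitEthernet0/0
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 500 100,200,300,400
"""

@dataclass
class Port:
    name: str
    mode: str = ""                                   # "host" or "promiscuous"
    primary: int = 0
    secondaries: set = field(default_factory=set)    # one VLAN for a host port, the mapping for promiscuous

def parse_pvlan_config(text):
    """Return (vlan_types, associations, ports) from IOS private-VLAN commands."""
    vlan_types, associations, ports = {}, {}, {}
    vlan = port = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"vlan (\d+)$", line):
            vlan, port = int(m.group(1)), None
        elif m := re.match(r"interface (\S+)$", line):
            port, vlan = ports.setdefault(m.group(1), Port(m.group(1))), None
        elif vlan is not None and (m := re.match(r"private-vlan (community|isolated|primary)$", line)):
            vlan_types[vlan] = m.group(1)
        elif vlan is not None and (m := re.match(r"private-vlan association ([\d,]+)$", line)):
            associations[vlan] = {int(v) for v in m.group(1).split(",")}
        elif port is not None and (m := re.match(r"switchport mode private-vlan (host|promiscuous)$", line)):
            port.mode = m.group(1)
        elif port is not None and (m := re.match(
                r"switchport private-vlan (?:host-association|mapping) (\d+) ([\d,]+)$", line)):
            port.primary = int(m.group(1))
            port.secondaries = {int(v) for v in m.group(2).split(",")}
    return vlan_types, associations, ports

def can_communicate(a, b, vlan_types, associations, ports):
    """True if frames from port a are forwarded to port b under the PVLAN rules."""
    pa, pb = ports[a], ports[b]
    if not (pa.secondaries and pb.secondaries) or pa.primary != pb.primary:
        return False                                 # unconfigured port or different primary VLAN
    valid = associations.get(pa.primary, set())      # secondaries actually bound to the primary
    if "promiscuous" in (pa.mode, pb.mode):
        if pa.mode == pb.mode:
            return True                              # two promiscuous ports talk freely
        host, prom = (pa, pb) if pa.mode == "host" else (pb, pa)
        sec = next(iter(host.secondaries))
        return sec in valid and sec in prom.secondaries
    sa, sb = next(iter(pa.secondaries)), next(iter(pb.secondaries))
    # host to host: only members of the same community VLAN; isolated ports never reach each other
    return sa == sb and sa in valid and vlan_types.get(sa) == "community"

def scenario_results(config=SW1_CONFIG):
    """Reproduce the page's illustrated scenarios as a name -> bool mapping."""
    vt, assoc, ports = parse_pvlan_config(config)
    pairs = {
        "intra-community": ("GigabitEthernet0/1", "GigabitEthernet0/2"),
        "extra-community": ("GigabitEthernet0/1", "GigabitEthernet0/3"),
        "community-isolated": ("GigabitEthernet0/1", "GigabitEthernet2/0"),
        "intra-isolated": ("GigabitEthernet2/0", "GigabitEthernet1/3"),
        "community-gateway": ("GigabitEthernet0/1", "GigabitEthernet0/0"),
        "isolated-gateway": ("GigabitEthernet2/0", "GigabitEthernet0/0"),
    }
    return {name: can_communicate(a, b, vt, assoc, ports) for name, (a, b) in pairs.items()}

if __name__ == "__main__":
    for name, ok in scenario_results().items():
        print(f"{name:20s} {'succeeds' if ok else 'fails'}")
```

The model flags the same outcomes as the pings in the scenarios that follow: only intra-community and the two gateway cases succeed. Removing a VLAN from the promiscuous port's mapping (or from the primary's association list) turns the corresponding gateway case into a failure, which is the first thing to check when a host in a PVLAN cannot reach its default gateway.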

Illustrated Scenarios

Intra-community VLAN Communication will be Successful.

image.png

image.png

Extra-community VLAN Communication will Fail.

image.png

image.png

Community-isolated Communications will Fail.

image.png

image.png

Intra-isolated Communications will Fail.

image.png

image.png

Community-gateway Communications will be Successful.
Isolated-gateway Communications will also be Successful.

image.png

image.png

image.png

GNS3 File

private vlan 2.gns3