# Cisco

# Cisco IOS Switch Basic Setup

#### Network Topology

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/scaled-1680-/BMmimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/BMmimage.png)

#### Router0 Configuration Commands

Router0>enable  
Router0#configure terminal  
Router0(config)#interface fastEthernet 0/1  
Router0(config-if)#ip address 172.16.1.1 255.255.255.0  
Router0(config-if)#no shutdown  
Router0(config-if)#interface fastEthernet 0/0  
Router0(config-if)#ip address 192.168.10.1 255.255.255.0  
Router0(config-if)#no shutdown  
Router0(config-if)#exit  
Router0(config)#exit  
Router0#show ip interface brief

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/scaled-1680-/IYbimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/IYbimage.png)

#### Remote Laptop Configuration

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/scaled-1680-/wozimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/wozimage.png)

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/scaled-1680-/mQJimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/mQJimage.png)

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/scaled-1680-/yP6image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/yP6image.png)

#### Switch0 Configuration Commands using Local Laptop and Console Cable

**Connect to Switch0 using Terminal**

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/scaled-1680-/SLbimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/SLbimage.png)

**Set hostname of the switch to Switch0**

Switch>enable  
Switch#configure terminal  
Switch(config)#hostname Switch0  
Switch0(config)#

**Configure the message of the day as "Authorized access only. Unauthorized access is forbidden."**

Switch0(config)#banner motd #  
Enter TEXT message. End with the character '#'.  
Authorized access only. Unauthorized access is forbidden.#  
Switch0(config)#end  
Switch0#exit

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/scaled-1680-/M4gimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/M4gimage.png)

**Configure the password for privileged mode access as "cisco", stored as an MD5 hash (enable secret)**

Switch0>enable  
Switch0#configure terminal  
Switch0(config)#enable secret cisco  
Switch0(config)#service password-encryption

A note on what these two commands actually do. enable secret stores a salted MD5 hash (it appears as type 5 in the running-config); that is a one-way hash, not encryption, and the plaintext cannot be read back from the configuration. service password-encryption is a different thing: it applies Cisco's type 7 obfuscation to the console, vty and any enable password lines, and type 7 is a fixed-key XOR that is reversed instantly, so treat those values as cleartext in any config you store, back up or share. Where the IOS release supports it, enable algorithm-type scrypt secret produces a type 9 hash that is considerably stronger than MD5.
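To see why the distinction matters, here is an added example (not part of the original page and not Cisco code) that encodes and decodes type 7 values and pulls every `password 7` line out of a constructed running-config excerpt. The value 104D000A0618 is what the type 7 algorithm produces for the password cisco with seed 10; the type 5 hash in the sample is a placeholder and the vty value is generated by the example itself.

```python
"""Type 7 "encryption" is a reversible XOR: added example, not code from the lab page."""
import re

# Cisco's fixed type 7 key. The two leading decimal digits of a stored value are the
# offset into this key at which the XOR stream starts.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_encode(plaintext: str, seed: int = 10) -> str:
    """Produce the value IOS would write after 'password 7' (IOS picks a seed in 0..15)."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be in 0..15")
    out = [f"{seed:02d}"]
    for i, byte in enumerate(plaintext.encode()):
        out.append(f"{byte ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]:02X}")
    return "".join(out)


def type7_decode(encoded: str) -> str:
    """Reverse a type 7 value; raises ValueError on anything that is not one."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"not a type 7 value: {encoded!r}")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii", errors="replace")


# Matches '<setting> 7 <hex>' lines such as ' password 7 ...' or 'username x password 7 ...';
# 'enable secret 5 ...' (the MD5 hash) deliberately does not match.
TYPE7_LINE = re.compile(r"^\s*(\S.*?)\s+7\s+([0-9A-Fa-f]{4,})\s*$")


def recover_type7_passwords(running_config: str) -> list:
    """Return (setting, plaintext) for every type 7 value found in a running-config."""
    found = []
    for line in running_config.splitlines():
        match = TYPE7_LINE.match(line)
        if match:
            found.append((match.group(1), type7_decode(match.group(2))))
    return found


# Constructed excerpt in the style of 'show running-config' after the commands above;
# the type 5 hash is a placeholder, the vty type 7 value is generated here.
SAMPLE_RUNNING_CONFIG = f"""\
service password-encryption
enable secret 5 $1$placeholder$notarealhash
line con 0
 password 7 104D000A0618
 login
line vty 0 15
 password 7 {type7_encode("ciscotelnet", seed=3)}
 login
"""

if __name__ == "__main__":
    for setting, plaintext in recover_type7_passwords(SAMPLE_RUNNING_CONFIG):
        print(f"{setting}: {plaintext}")
```

The enable secret line is untouched by the scan because it is a hash, not a type 7 value; every line password on the switch, on the other hand, comes straight back out.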

**Configure CONSOLE access with the following settings:**

- Login enabled
- Password: ciscoconsole
- History size: 20 commands
- Timeout: 5m 30s
- Synchronous logging

Switch0(config)#line con 0  
Switch0(config-line)#password ciscoconsole  
Switch0(config-line)#logging synchronous  
Switch0(config-line)#login  
Switch0(config-line)#history size 20  
Switch0(config-line)#exec-timeout 5 30  
Switch0(config-line)#exit  
Switch0(config)#

**Configure TELNET access with the following settings:**

- Login enabled
- Password: ciscotelnet
- History size: 20 commands
- Timeout: 10m 45s
- Synchronous logging

Switch0(config)#line vty 0 15  
Switch0(config-line)#password ciscotelnet  
Switch0(config-line)#logging synchronous  
Switch0(config-line)#login  
Switch0(config-line)#history size 20  
Switch0(config-line)#exec-timeout 10 45  
Switch0(config-line)#exit  
Switch0(config)#

Telnet carries the password and the whole session in cleartext, so anyone who can capture traffic on the path reads ciscotelnet as it is typed. That is acceptable in this Packet Tracer exercise, which calls for Telnet; on real equipment use SSH instead (set a hostname and ip domain-name, generate a key pair with crypto key generate rsa, then restrict the lines with transport input ssh and login local) and put an access-class on the vty lines to limit which addresses may connect at all.

**Configure the IP address of Switch0 as 192.168.10.2/24 and its default gateway IP (192.168.10.1).**

Switch0(config)#interface vlan1  
Switch0(config-if)#ip address 192.168.10.2 255.255.255.0  
Switch0(config-if)#no shutdown  
Switch0(config-if)#exit  
Switch0(config)#ip default-gateway 192.168.10.1  
Switch0(config)#end  
Switch0#

Two details matter here: ip default-gateway is a global configuration command, so it is entered after leaving interface mode, and the VLAN 1 SVI is administratively down on a fresh switch until no shutdown is issued, so without it the Telnet test from the remote laptop fails even though the address is set.

#### Test Telnet Connectivity from the Remote Laptop Using Telnet Client

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/scaled-1680-/sV7image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/sV7image.png)

**Change the Connection Type to Telnet and then put in Switch0's IP address. Then click Connect.**

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/scaled-1680-/H6cimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/H6cimage.png)

**Notice the MOTD Banner and the prompt for the telnet password. Enter ciscotelnet.**

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/scaled-1680-/5MUimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/5MUimage.png)

**We're in!**

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/scaled-1680-/HYCimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/HYCimage.png)

#### Cisco Packet Tracer File

[net8 basic switch setup.pkt](https://bookstack.taylorhome.run/attachments/1)

# Cisco IOS Router Static Route

#### Network Topology

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/scaled-1680-/7r3image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/7r3image.png)

#### Router0 Configuration Commands

Router0>enable  
Router0#configure terminal  
Router0(config)#interface fastEthernet 0/0  
Router0(config-if)#ip address 172.16.1.1 255.255.255.248  
Router0(config-if)#no shutdown  
Router0(config-if)#interface fastEthernet 0/1  
Router0(config-if)#ip address 192.168.10.1 255.255.255.0  
Router0(config-if)#no shutdown  
Router0(config-if)#exit  
Router0(config)#ip route 192.168.20.0 255.255.255.0 172.16.1.2  
Router0(config)#exit  
Router0#show ip interface brief

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/scaled-1680-/WRpimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/WRpimage.png)

Router0#show ip route

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/scaled-1680-/0s2image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/0s2image.png)

#### Router1 Configuration Commands

Router1>enable  
Router1#configure terminal  
Router1(config)#interface fastEthernet 0/0  
Router1(config-if)#ip address 172.16.1.2 255.255.255.248  
Router1(config-if)#no shutdown  
Router1(config-if)#interface fastEthernet 0/1  
Router1(config-if)#ip address 192.168.20.1 255.255.255.0  
Router1(config-if)#no shutdown  
Router1(config-if)#exit  
Router1(config)#ip route 192.168.10.0 255.255.255.0 172.16.1.1  
Router1(config)#exit  
Router1#show ip interface brief

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/scaled-1680-/eIfimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/eIfimage.png)

Router1#show ip route

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/scaled-1680-/r3iimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/r3iimage.png)

#### Switch0 Configuration Commands

Switch0>enable  
Switch0#configure terminal  
Switch0(config)#int vlan1  
Switch0(config-if)#ip address 192.168.10.2 255.255.255.0  
Switch0(config-if)#no shutdown  
Switch0(config-if)#exit  
Switch0(config)#ip default-gateway 192.168.10.1  
Switch0(config)#end  
Switch0#show interface vlan 1

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/scaled-1680-/LFBimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/LFBimage.png)

#### Switch1 Configuration Commands

Switch1>enable  
Switch1#configure terminal  
Switch1(config)#int vlan1  
Switch1(config-if)#ip address 192.168.20.2 255.255.255.0  
Switch1(config-if)#no shutdown  
Switch1(config-if)#exit  
Switch1(config)#ip default-gateway 192.168.20.1  
Switch1(config)#end  
Switch1#show interface vlan 1

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/scaled-1680-/DVYimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/DVYimage.png)

#### PC0 Configuration

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/scaled-1680-/xZnimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/xZnimage.png)

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/scaled-1680-/kAVimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/kAVimage.png)

#### PC1 Configuration

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/scaled-1680-/ceQimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/ceQimage.png)

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/scaled-1680-/0dRimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/0dRimage.png)

#### Test Connectivity via Static Route

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/scaled-1680-/xFwimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/xFwimage.png)

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/scaled-1680-/pG6image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/pG6image.png)

#### Cisco Packet Tracer File

[net9 static routing.pkt](https://bookstack.taylorhome.run/attachments/4)

# Cisco IOS Router on a Stick

#### Network Topology

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/STlimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/STlimage.png)

#### Router0 Configuration Commands

Router0>enable  
Router0#configure terminal  
Router0(config)#interface fastEthernet 0/0  
Router0(config-if)#no shutdown  
Router0(config-if)#interface fastEthernet 0/0.10  
Router0(config-subif)#encapsulation dot1q 10  
Router0(config-subif)#ip address 192.168.10.1 255.255.255.0  
Router0(config-subif)#interface fastEthernet 0/0.20  
Router0(config-subif)#encapsulation dot1q 20  
Router0(config-subif)#ip address 192.168.20.1 255.255.255.0  
Router0(config-subif)#interface fastEthernet 0/0.30  
Router0(config-subif)#encapsulation dot1q 30  
Router0(config-subif)#ip address 192.168.30.1 255.255.255.0  
Router0(config-subif)#end  
Router0#show ip interface brief

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/WkXimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/WkXimage.png)

Router0#show interfaces

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/AYVimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/AYVimage.png)

#### Switch0 Configuration Commands

Switch0>enable  
Switch0#configure terminal  
Switch0(config)#interface fastEthernet 0/1  
Switch0(config-if)#switchport mode trunk  
Switch0(config-if)#interface fastEthernet 0/2  
Switch0(config-if)#switchport access vlan 10  
Switch0(config-if)#interface fastEthernet 0/3  
Switch0(config-if)#switchport access vlan 20  
Switch0(config-if)#interface fastEthernet 0/4  
Switch0(config-if)#switchport access vlan 30  
Switch0(config-if)#end  
Switch0#show vlan brief

VLANs 10, 20 and 30 were never created explicitly: IOS creates a VLAN the first time switchport access vlan refers to it (it prints a "Creating vlan" message), which is why show vlan brief lists all three. Outside the lab, pin the trunk down before trusting it: switchport trunk allowed vlan 10,20,30 so only the routed VLANs cross it, switchport nonegotiate so DTP is off and an attached host cannot talk the port into becoming a trunk, and keep user traffic off VLAN 1, the default native VLAN, which travels the trunk untagged.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/EgWimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/EgWimage.png)

Switch0#show interfaces status

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/Asiimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/Asiimage.png)

#### Configure the Three PCs

**PC0**

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/uQAimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/uQAimage.png)

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/Ud5image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/Ud5image.png)

**PC1**

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/XYDimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/XYDimage.png)

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/cyzimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/cyzimage.png)

**PC2**

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/lwiimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/lwiimage.png)

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/RQ8image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/RQ8image.png)

#### Test with Ping and Tracert

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/WRrimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/WRrimage.png)

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/sipimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/sipimage.png)

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/FRVimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/FRVimage.png)

#### Cisco Packet Tracer File

[net12 router on a stick.pkt](https://bookstack.taylorhome.run/attachments/7)

# Cisco IOS Discovery Protocol

#### Network Topology

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/scaled-1680-/xTnimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/xTnimage.png)

#### Premise

When you have a detailed topology map like the one above it is easy to know what interfaces and what devices you are working with. However, a topology map like this is often not readily available. Instead, you are on one end of the equation in a wiring closet or data center removed from the far side equipment and you are staring at a console screen like this.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/scaled-1680-/2uSimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/2uSimage.png)

And it is left to you to figure out what is connected to the other end of each interface. What can you use to figure this out? Cisco provides some help by way of the [Cisco Discovery Protocol (CDP)](https://learningnetwork.cisco.com/s/article/cisco-discovery-protocol-cdp-x). CDP is enabled by default on Cisco devices and works per directly connected interface: every 60 seconds by default (the interval can be changed) each interface sends an advertisement to a Cisco-reserved multicast MAC address, which the neighbor does not forward, so only the directly attached device ever hears it. A device that receives an advertisement stores it in its CDP table for the advertised holdtime (180 seconds by default), and show cdp neighbors displays that table, that is, the directly connected Cisco devices.

Now suppose instead of a nice all-filled-in topology diagram you have this. You have been told that there are routers connected to the other end of the Router0 interfaces. One router is a Cisco 1841 but the technician is not sure what the other router is. The interface connected to the 1841 is in the 192.168.10.0/24 network. The other interface should be configured within the 192.168.20.0/24 network.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/scaled-1680-/Pufimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/Pufimage.png)

#### Solution

#### Router0 Commands

Router0>enable  
Router0#configure terminal  
Router0(config)#interface fastEthernet 0/0  
Router0(config-if)#no shutdown  
Router0(config-if)#interface fastEthernet 0/1  
Router0(config-if)#no shutdown  
Router0(config-if)#end  
Router0#show ip interface brief

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/scaled-1680-/lwyimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/lwyimage.png)

As the show ip interface brief output shows, the interfaces are up but no Layer 3 IP addresses are configured yet. That will be addressed later; for now we can find out which devices are connected to which interfaces with the show cdp commands. First, check that CDP is enabled and running on Router0.

Router0#show cdp interface

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/scaled-1680-/Dw5image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/Dw5image.png)

Yes, CDP is enabled and sending advertisements every 60 seconds, the default. Now let's see whether any CDP advertisements are arriving from Cisco devices on the other end of the Ethernet connections.

Router0#show cdp neighbors

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/scaled-1680-/ozNimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/ozNimage.png)

The results of the show cdp neighbors command indicate that Cisco devices are attached. On the fastEthernet 0/1 port the Cisco 1841 router is connected, just as the technician stated. On fastEthernet 0/0 there is a Cisco 2900 series router. We can also see the far-side ports: on the 1841 we are connected to its fastEthernet 0/0, and on the 2900 to its gigabitEthernet 0/2. If we want more details, we can use the command show cdp entry \*

Router0#show cdp entry \*

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/scaled-1680-/jWvimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/jWvimage.png)

From this we can see the configured IP addresses of the two connected devices. We can verify that the connected devices are in fact routers. We can even see the Cisco IOS version installed on them. Finally, we can see that the CDP type is version 2, as shown by the 'advertisement version'. Keep in mind that everything in this output (hostname, platform, IOS version, addresses) is equally readable by anything else on the wire that listens for CDP frames, since the advertisements are unauthenticated. On ports facing users, untrusted devices or other organizations, disable it per interface with no cdp enable, or globally with no cdp run, and keep it only on links between devices you manage.
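As an added example (not the page's own material), the following Python builds a CDPv2 payload for a constructed neighbor modelled on the 1841 above and parses it back the way a passive listener on the segment would, recovering the same fields show cdp entry \* printed. The LLC/SNAP framing and Cisco's checksum variant for odd-length payloads are left out; the hostname, address and software string are constructed for the example.

```python
"""Parse what a CDPv2 advertisement reveals: added example, not code from the lab page."""
import ipaddress
import struct

CDP_VERSION = 2
TLV_DEVICE_ID, TLV_ADDRESSES, TLV_PORT_ID = 0x0001, 0x0002, 0x0003
TLV_CAPABILITIES, TLV_VERSION, TLV_PLATFORM = 0x0004, 0x0005, 0x0006
STRING_TLVS = {TLV_DEVICE_ID: "device_id", TLV_PORT_ID: "port_id",
               TLV_VERSION: "software", TLV_PLATFORM: "platform"}
CAPABILITY_BITS = {0x01: "Router", 0x02: "Transparent bridge", 0x04: "Source-route bridge",
                   0x08: "Switch", 0x10: "Host", 0x20: "IGMP", 0x40: "Repeater"}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum. Real CDP uses a quirky variant for odd-length
    payloads that this example does not model, so it insists on even length."""
    if len(data) % 2:
        raise ValueError("odd-length payload: CDP odd-length checksum variant not modelled")
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_cdp_payload(device_id, port_id, platform, software, ipv4, capabilities=0x01, ttl=180):
    """Build the CDP payload (everything after the LLC/SNAP header) a neighbour would send."""
    # Addresses TLV value: count, then per address: protocol type 1 (NLPID), protocol
    # length 1, protocol 0xCC (IP), address length 4, the address itself.
    addresses = (struct.pack("!I", 1) + bytes([1, 1, 0xCC]) + struct.pack("!H", 4)
                 + ipaddress.IPv4Address(ipv4).packed)
    fields = [
        (TLV_DEVICE_ID, device_id.encode()),
        (TLV_ADDRESSES, addresses),
        (TLV_PORT_ID, port_id.encode()),
        (TLV_CAPABILITIES, struct.pack("!I", capabilities)),
        (TLV_VERSION, software.encode()),
        (TLV_PLATFORM, platform.encode()),
    ]
    body = b"".join(struct.pack("!HH", t, 4 + len(v)) + v for t, v in fields)
    checksum = internet_checksum(struct.pack("!BBH", CDP_VERSION, ttl, 0) + body)
    return struct.pack("!BBH", CDP_VERSION, ttl, checksum) + body


def _parse_addresses(value: bytes) -> list:
    count = struct.unpack("!I", value[:4])[0]
    offset, found = 4, []
    for _ in range(count):
        proto_type, proto_len = value[offset], value[offset + 1]
        protocol = value[offset + 2: offset + 2 + proto_len]
        addr_len = struct.unpack("!H", value[offset + 2 + proto_len: offset + 4 + proto_len])[0]
        raw = value[offset + 4 + proto_len: offset + 4 + proto_len + addr_len]
        if proto_type == 1 and protocol == b"\xcc" and addr_len == 4:
            found.append(str(ipaddress.IPv4Address(raw)))
        offset += 4 + proto_len + addr_len
    return found


def parse_cdp_payload(payload: bytes) -> dict:
    """Walk the TLVs and return the fields 'show cdp entry *' prints. Raises on truncation."""
    if len(payload) < 4:
        raise ValueError("truncated CDP header")
    version, ttl, _ = struct.unpack("!BBH", payload[:4])
    info = {"version": version, "ttl": ttl,
            "checksum_ok": internet_checksum(payload) == 0 if len(payload) % 2 == 0 else None}
    offset = 4
    while offset < len(payload):
        if offset + 4 > len(payload):
            raise ValueError("truncated TLV header")
        tlv_type, tlv_len = struct.unpack("!HH", payload[offset: offset + 4])
        if tlv_len < 4 or offset + tlv_len > len(payload):
            raise ValueError(f"bad TLV length {tlv_len} at offset {offset}")
        value = payload[offset + 4: offset + tlv_len]
        if tlv_type in STRING_TLVS:
            info[STRING_TLVS[tlv_type]] = value.decode("ascii", errors="replace")
        elif tlv_type == TLV_CAPABILITIES and len(value) == 4:
            caps = struct.unpack("!I", value)[0]
            info["capabilities"] = [name for bit, name in CAPABILITY_BITS.items() if caps & bit]
        elif tlv_type == TLV_ADDRESSES:
            info["addresses"] = _parse_addresses(value)
        offset += tlv_len
    return info


# Constructed neighbour, modelled on the 1841 seen on fastEthernet 0/1 in the lab; the
# software string is made up for the example.
CONSTRUCTED_ADVERTISEMENT = build_cdp_payload(
    device_id="Router1", port_id="FastEthernet0/0", platform="Cisco 1841",
    software="Cisco IOS Software, 1841 Software, Version 12.4(15)T1", ipv4="192.168.10.1")

if __name__ == "__main__":
    print(parse_cdp_payload(CONSTRUCTED_ADVERTISEMENT))
```

Nothing in the frame authenticates the sender, so the parser can only check integrity (the checksum) and structure (TLV lengths); a truncated or tampered frame is rejected, but a forged one from a rogue host on the segment looks exactly like the real thing.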

Let's jump back into Router0 and configure IP addressing now that we know the addresses on the far side of each connection (the 2900 on fastEthernet 0/0 is in 192.168.20.0/24, the 1841 on fastEthernet 0/1 in 192.168.10.0/24).

Router0#configure terminal  
Router0(config)#interface fastEthernet 0/0  
Router0(config-if)#ip address 192.168.20.2 255.255.255.0  
Router0(config-if)#interface fastEthernet 0/1  
Router0(config-if)#ip address 192.168.10.2 255.255.255.0  
Router0(config-if)#end  
Router0#show ip interface brief

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/scaled-1680-/MO6image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/MO6image.png)

Router0#ping 192.168.10.1

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/scaled-1680-/zfIimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/zfIimage.png)

Router0#ping 192.168.20.1

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/scaled-1680-/5Gzimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/5Gzimage.png)

Success!

#### Cisco Packet Tracer File

[net10 cdp neighbors.pkt](https://bookstack.taylorhome.run/attachments/5)

# Cisco IOS RIPv2 Protocol

#### Network Topology

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/9BWimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/9BWimage.png)

#### Router0 Configuration Commands

Router0>enable  
Router0#configure terminal  
Router0(config)#interface serial 0/0/0  
Router0(config-if)#ip address 172.16.1.1 255.255.255.248  
Router0(config-if)#no shutdown  
Router0(config-if)#interface gigabitEthernet 0/0  
Router0(config-if)#ip address 192.168.10.1 255.255.255.0  
Router0(config-if)#no shutdown  
Router0(config-if)#exit  
Router0(config)#router rip  
Router0(config-router)#version 2  
Router0(config-router)#network 192.168.10.0  
Router0(config-router)#network 172.16.1.0  
Router0(config-router)#no auto-summary  
Router0(config-router)#end

#### Router1 Configuration Commands

Router1>enable  
Router1#configure terminal  
Router1(config)#interface serial 0/0/0  
Router1(config-if)#ip address 172.16.1.2 255.255.255.248  
Router1(config-if)#no shutdown  
Router1(config-if)#interface gigabitEthernet 0/0  
Router1(config-if)#ip address 192.168.20.1 255.255.255.0  
Router1(config-if)#no shutdown  
Router1(config-if)#exit  
Router1(config)#router rip  
Router1(config-router)#version 2  
Router1(config-router)#network 192.168.20.0  
Router1(config-router)#network 172.16.1.0  
Router1(config-router)#no auto-summary  
Router1(config-router)#end

Two things to know about this configuration. RIP's network command is classful, so network 172.16.1.0 is stored as network 172.16.0.0 and enables RIP on every interface in 172.16.0.0/16; no auto-summary is what stops the /29 serial subnet from being advertised as 172.16.0.0/16 across the classful boundary. And as written, RIP sends updates out of the LAN interfaces and accepts them from any device on either segment. On anything but a lab, add passive-interface gigabitEthernet 0/0 under router rip so nothing goes toward the hosts, and authenticate the serial link with a key chain plus ip rip authentication mode md5 and ip rip authentication key-chain on the interface.

#### Verify RIPv2 Configuration

Router0#show ip route

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/7asimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/7asimage.png)

Router0#show ip rip database

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/mt2image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/mt2image.png)

Router0#show ip protocols

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/fUpimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/fUpimage.png)

#### Ping and Tracert Check

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/265image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/265image.png)

#### Cisco Packet Tracer File

[net18 ripv2.pkt](https://bookstack.taylorhome.run/attachments/13)

# Cisco IOS EIGRP Protocol

#### Network Topology

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/Synimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/Synimage.png)

#### Router0 Configuration Commands

Router0>enable  
Router0#configure terminal  
Router0(config)#interface serial 0/0/0  
Router0(config-if)#ip address 172.16.1.1 255.255.255.248  
Router0(config-if)#no shutdown  
Router0(config-if)#interface gigabitEthernet 0/0  
Router0(config-if)#ip address 192.168.10.1 255.255.255.0  
Router0(config-if)#no shutdown  
Router0(config-if)#exit  
Router0(config)#router eigrp 100  
Router0(config-router)#network 192.168.10.0 0.0.0.0  
Router0(config-router)#network 172.16.1.0 0.0.0.0  
Router0(config-router)#no auto-summary  
Router0(config-router)#end

#### Router1 Configuration Commands

Router1>enable  
Router1#configure terminal  
Router1(config)#interface serial 0/0/0  
Router1(config-if)#ip address 172.16.1.2 255.255.255.248  
Router1(config-if)#no shutdown  
Router1(config-if)#interface gigabitEthernet 0/0  
Router1(config-if)#ip address 192.168.20.1 255.255.255.0  
Router1(config-if)#no shutdown  
Router1(config-if)#exit  
Router1(config)#router eigrp 100  
Router1(config-router)#network 192.168.20.0 0.0.0.0  
Router1(config-router)#network 172.16.1.0 0.0.0.0  
Router1(config-router)#no auto-summary  
Router1(config-router)#end

#### Comments on a Couple of Configuration Items

A couple of notes about the configurations. First, the network commands carry a wildcard of 0.0.0.0. A wildcard is an inverse mask (0 bits must match, 1 bits are ignored), so 0.0.0.0 asks for an exact match on the address given, and the address that normally goes with it is the interface's own address, for example network 192.168.10.1 0.0.0.0. Packet Tracer accepted network 192.168.10.0 0.0.0.0 and formed the adjacencies shown in the verification output further down; on hardware IOS, do not rely on a subnet number with a host wildcard matching an interface at .1, and use either the exact interface address or the subnet form, network 192.168.10.0 0.0.0.255 (and network 172.16.1.0 0.0.0.7 for the /29 serial link). I could have used the subnet form here as well; it was simply a preference on my part for this configuration.

Second, the command no auto-summary. EIGRP supports automatic summarization, and its effect is not intuitive: with auto-summary on, a router advertising a subnet across a major-network boundary (out of an interface that sits in a different Class A, B or C network) replaces it with the classful network, so 1.1.1.0/24 becomes 1.0.0.0/8. Older IOS releases enable auto-summary by default and IOS 15 and later disable it, so it is worth stating explicitly either way. Let's take a look at another network topology to demonstrate the auto-summary effect.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/Fo5image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/Fo5image.png)

In the above example there are three routers configured for eigrp. In the initial setup Router0 and Router2 have auto-summary on for EIGRP. All three networks 192.168.2.0, 172.16.1.0, and 1.1.1.0 are configured in the EIGRP router for Router0.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/xc6image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/xc6image.png)

Similarly, Router2 has EIGRP configured with 1.3.3.0 and 192.168.20.0, and auto-summary has been explicitly turned on.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/kzLimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/kzLimage.png)

Router1 is pretty vanilla, with EIGRP configured, the 192.168.10.0 and 192.168.20.0 networks advertised, and auto-summary turned off (no auto-summary). The interesting thing is to look at the routing table of each router to see what auto-summary does in this scenario, and how it breaks routing. Let's look at Router0 first.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/EwDimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/EwDimage.png)

The 1.1.1.0/24 network has been summarized to the classful Class A network 1.0.0.0/8. Similarly, 172.16.1.0/24 has been summarized to the Class B network 172.16.0.0/16. This isn't necessarily bad when you look at it from Router0's perspective alone, but hold that thought until we take a closer look at Router1 in a moment. One last note for Router0: the network 192.168.10.0/24 appears as expected because it is already a Class C network.

Now let's look at Router2 and then we will get to Router1.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/gbkimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/gbkimage.png)

Now you can already see the problem: Router2 is advertising the classful summary 1.0.0.0/8 just as Router0 was. And what does that do to Router1? It confuses the heck out of its routing table, that's what! Let's look.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/vgNimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/vgNimage.png)

So now Router1 sees 1.0.0.0/8, the summary covering both 1.1.1.0/24 and 1.3.3.0/24, as reachable through both of the other routers, and it has no way to tell which one actually holds 1.1.1.0 and which holds 1.3.3.0. This is what unchecked auto-summary can do to EIGRP if you are not careful. The fix is to turn off auto-summary on Router0 and Router2, the two routers that had it on (Router1 already had it off). Problem resolved. Take a look at Router1, the one that was so confused before we turned off auto-summary; it has the correct routes now.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/bU1image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/bU1image.png)
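The two points above, wildcard matching and classful summarization, are easy to test without a router. The Python below is an added example for this page (not Cisco code and not taken from the .pkt files): matches_network applies IOS wildcard semantics to a network statement, classful_network and advertised_routes model what auto-summary does at a major-network boundary, and router1_table reproduces Router1's view of the three-router topology. The topology is assumed from the walkthrough (Router0 reaches Router1 over 192.168.10.0/24, Router2 over 192.168.20.0/24) and the summary rule is simplified to prefix level, with no metrics and no Null0 discard route.

```python
"""EIGRP network-statement matching and auto-summary, modelled in Python.
Added example for this page; not Cisco code and not taken from the .pkt files."""
import ipaddress
from collections import defaultdict


def matches_network(interface_ip: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: 0 bits must match, 1 bits are ignored."""
    ip = int(ipaddress.IPv4Address(interface_ip))
    net = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (ip & care) == (net & care)


def classful_network(prefix: str) -> str:
    """The Class A/B/C network a prefix belongs to, as EIGRP auto-summary advertises it
    (class D/E space is not considered)."""
    net = ipaddress.ip_network(prefix, strict=False)
    first_octet = int(net.network_address) >> 24
    length = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return str(ipaddress.ip_network(f"{net.network_address}/{length}", strict=False))


def advertised_routes(connected: list, out_link: str, auto_summary: bool) -> set:
    """Prefixes a router sends out of `out_link` for its other connected networks.
    With auto-summary, a prefix is replaced by its classful network whenever the
    outgoing link sits in a different classful network (a major-network boundary)."""
    out_major = classful_network(out_link)
    routes = set()
    for prefix in connected:
        if prefix == out_link:
            continue  # the link's own prefix is not advertised back out of it
        summary = classful_network(prefix)
        routes.add(summary if auto_summary and summary != out_major else prefix)
    return routes


# Assumed topology for the walkthrough above (the .pkt file was not read for this):
ROUTER0_NETWORKS = ["192.168.10.0/24", "172.16.1.0/24", "1.1.1.0/24"]  # link to Router1: 192.168.10.0/24
ROUTER2_NETWORKS = ["192.168.20.0/24", "1.3.3.0/24"]                    # link to Router1: 192.168.20.0/24


def router1_table(auto_summary: bool) -> dict:
    """What Router1 learns: prefix -> set of neighbours that advertised it."""
    table = defaultdict(set)
    for prefix in advertised_routes(ROUTER0_NETWORKS, "192.168.10.0/24", auto_summary):
        table[prefix].add("Router0")
    for prefix in advertised_routes(ROUTER2_NETWORKS, "192.168.20.0/24", auto_summary):
        table[prefix].add("Router2")
    return dict(table)


def ambiguous_prefixes(table: dict) -> list:
    """Prefixes Router1 heard from more than one neighbour: traffic for one real subnet
    can be handed to a router that does not have it."""
    return sorted(prefix for prefix, via in table.items() if len(via) > 1)


if __name__ == "__main__":
    print("network 192.168.10.0 0.0.0.0 matches 192.168.10.1?",
          matches_network("192.168.10.1", "192.168.10.0", "0.0.0.0"))
    for flag in (True, False):
        table = router1_table(flag)
        print(f"auto-summary {'on ' if flag else 'off'}:", table, "ambiguous:", ambiguous_prefixes(table))
```

With auto-summary on, Router1 holds a single 1.0.0.0/8 entry advertised by both neighbors; with it off, 1.1.1.0/24 and 1.3.3.0/24 arrive as distinct prefixes from the routers that actually own them.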

#### Back to the EIGRP Configuration

Verify the configuration

Router0#show ip route

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/h94image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/h94image.png)

Router0#show ip eigrp neighbors

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/de0image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/de0image.png)

Router0#show ip eigrp topology

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/o87image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/o87image.png)

Router0#show ip eigrp interfaces

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/gz9image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/gz9image.png)

Router0#show ip eigrp traffic

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/XL4image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/XL4image.png)

#### Ping and Tracert Tests

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/VY6image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/VY6image.png)

#### Cisco Packet Tracer Files

[net16 eigrp.pkt](https://bookstack.taylorhome.run/attachments/11)

[net17 eigrp auto-summary.pkt](https://bookstack.taylorhome.run/attachments/12)

# OSPF Open Shortest Path First Protocol

#### OSPF Limerick

There once was a routing protocol   
OSPF was its name, it was droll   
It spread updates with care   
To routers everywhere   
So that packets would never grow stale.

- Most widely used interior gateway routing protocol
- Open standard (non-proprietary)
- Fast convergence
- It's been around since 1989.

How does it differ from other routing protocols?

##### Distance Vector Protocols

Distance Vector routing protocols base their decisions on the best path to a given destination based on the distance.

Distance is usually measured in hops, though the distance metric could be delay, packets lost, or something similar.

If the distance metric is hop, then each time a packet goes through a router, a hop is considered to have traversed. The route with the least number of hops to a given network is concluded to be the best route towards that network.

The vector shows the direction to that specific network. Distance vector protocols send their entire routing table to directly connected neighbors.

##### Link State Protocols

Link state protocols are also called shortest-path-first protocols. Link state routing protocols have a complete picture of the network topology. Hence they know more about the whole network than any distance vector protocol.

Three separate tables are created on each link state routing enabled router. One table is used to hold details about directly connected neighbors, one is used to hold the topology of the entire internetwork and the last one is used to hold the actual routing table.

Link state protocols send information about directly connected links to all the routers in the network.

\* source for both descriptions - Pluralsight - [Dynamic Routing Protocols: Distance Vector and Link State](https://www.pluralsight.com/blog/it-ops/dynamic-routing-protocol#:~:text=The%20vector%20shows%20the%20direction,IGRP%20%2D%20Interior%20Gateway%20Routing%20Protocol.)

| Distance Vector Protocols | Link State Protocols |
| --- | --- |
| RIP and IGRP | **OSPF** and IS-IS (EIGRP is considered a hybrid protocol because it uses both distance vector and link state techniques.) |
| Only communicates with neighbor routers | Communicates with **all** other routers in an area |
| Calculates path based on distance and vector | Calculates shortest path based on link-state parameters |
| Passes entire routing table to directly connected neighbor routers | Passes link-state routing updates to other routers |

#### Link-State Routing

- Routers share information about their own links and neighbors (not their routing tables, which is the distance vector approach) via link-state advertisements (LSAs)
- LSAs include router and network information
- LSAs are stored in the routers' Link-State Database (LSDB)
- LSDB can be thought of like a network topology map.
- LSAs are the networking <span style="text-decoration: underline;">information</span> NOT the packet. The packet that carries the LSA information is called the Link-State Update (LSU).

<table border="1" id="bkmrk-1.-lsr-router-a-send" style="border-collapse: collapse; width: 100%;"><colgroup><col style="width: 33.3333%;"></col><col style="width: 33.3333%;"></col><col style="width: 33.3333%;"></col></colgroup><tbody><tr><td>##### 1. LSR

Router A sends a link-state request (LSR) to gather route information from the neighbor router -- Router B

</td><td>##### 2. LSU

Router B replies with a Link-State Update (LSU) containing the requested Link-State Advertisement (LSA) information.

</td><td>##### 3. LSAck

Router A receives the LSU with LSA attached and sends a Link-State Acknowledgement (LSAck) back to Router B

</td></tr></tbody></table>

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/42Timage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/42Timage.png)

#### Dijkstra's Algorithm

The speed of OSPF can be attributed to the [Dijkstra Algorithm](https://en.wikipedia.org/wiki/Dijkstra%27s_algorithm) (Shortest Path First)

Dijkstra's algorithm is a method for finding the shortest path between two points in a graph. The graph could represent, for example, a map with cities as nodes and roads as edges, where the length of the edges represents the distance between the cities. The algorithm starts at one node, called the "source" node, and explores all the paths to the other nodes, called "destination" nodes, in the graph. It keeps track of the shortest path to each destination node that it has found so far, and updates this information as it explores new paths.

At each step, the algorithm selects the destination node that can be reached with the shortest known path from the source node, and explores the paths to all the other nodes that can be reached from this node. This process is repeated until the algorithm has found the shortest path to the destination node that you are interested in.

The algorithm is called Dijkstra's algorithm because it was invented by a Dutch computer scientist named Edsger W. Dijkstra in the 1950s. Dijkstra's algorithm is also famous because it's the first algorithm that uses a priority queue (heap) rather than a plain queue to proceed from one node to the next.

It is often used for finding the shortest path in a navigation or transportation network, or for routing packets of data in a computer network.

<table border="1" id="bkmrk-%C2%A0-illustration-of-di" style="border-collapse: collapse; width: 100%;"><colgroup><col style="width: 33.2717%;"></col><col style="width: 66.8519%;"></col></colgroup><tbody><tr><td>![](https://upload.wikimedia.org/wikipedia/commons/2/23/Dijkstras_progress_animation.gif)

</td><td>Illustration of Dijkstra's algorithm finding a path from a start node (lower left, red) to a goal node (upper right, green) in a [robot](https://en.wikipedia.org/wiki/Robotics "Robotics") [motion planning](https://en.wikipedia.org/wiki/Motion_planning "Motion planning") problem. Open nodes represent the "tentative" set (aka set of "unvisited" nodes). Filled nodes are the visited ones, with color representing the distance: the greener, the closer. Nodes in all the different directions are explored uniformly, appearing more-or-less as a circular [wavefront](https://en.wikipedia.org/wiki/Wavefront "Wavefront") as Dijkstra's algorithm uses a [heuristic](https://en.wikipedia.org/wiki/Consistent_heuristic "Consistent heuristic") identically equal to 0.

\* source: [https://en.wikipedia.org/wiki/Dijkstra%27s\_algorithm](https://en.wikipedia.org/wiki/Dijkstra%27s_algorithm)

</td></tr></tbody></table>

#### OSPF Path Selection

- Link-state information is flooded throughout the network, from router to router within an area, so that all the routers within the area have a synchronized and identical map of the network area.
- Dijkstra's algorithm (Shortest Path First) is then applied to this map to calculate the best (shortest) path to each destination.
- Once Dijkstra's algorithm has been applied and the best routes discovered, those routes are installed in the routing table of each router.
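The two passages above (Dijkstra's algorithm and OSPF path selection) describe the SPF computation in words. As an added example, not code from the original page, here is the same computation in Python over a constructed link-state database: a small dictionary of routers and link costs standing in for the information Type 1 Router LSAs carry. Router names and costs are assumptions for illustration. Because every router runs SPF over the same synchronized LSDB, calling the function once per router yields the routing table each one would install.

```python
import heapq
from typing import Dict, Tuple

# Constructed link-state database (LSDB): for each router, the OSPF cost of
# each directly connected link. Names and costs are illustrative only and are
# not taken from the page's topology.
LSDB: Dict[str, Dict[str, int]] = {
    "R1": {"R2": 10, "R3": 1},
    "R2": {"R1": 10, "R3": 1, "R4": 10},
    "R3": {"R1": 1, "R2": 1, "R4": 5},
    "R4": {"R2": 10, "R3": 5},
}


def shortest_path_first(lsdb: Dict[str, Dict[str, int]], source: str
                        ) -> Tuple[Dict[str, int], Dict[str, str]]:
    """Dijkstra (SPF) from `source` over the LSDB.

    Returns (cost, next_hop): the best total cost to every reachable router
    and the first hop on that path, which is all a routing table needs.
    The tentative set is a min-heap keyed by cost; popped nodes are final.
    """
    cost: Dict[str, int] = {source: 0}
    next_hop: Dict[str, str] = {}
    visited = set()
    # heap entries: (cost so far, router, first hop from source on this path)
    heap: list = [(0, source, None)]
    while heap:
        c, node, first = heapq.heappop(heap)
        if node in visited:            # stale entry superseded by a cheaper path
            continue
        visited.add(node)
        if first is not None:
            next_hop[node] = first
        for nbr, link_cost in lsdb.get(node, {}).items():
            new_cost = c + link_cost
            if nbr in visited or new_cost >= cost.get(nbr, float("inf")):
                continue
            cost[nbr] = new_cost
            # A path leaving the source directly has nbr as its first hop;
            # otherwise the first hop is inherited from the node we came via.
            heapq.heappush(heap, (new_cost, nbr, nbr if node == source else first))
    return cost, next_hop


def routing_table(lsdb: Dict[str, Dict[str, int]], source: str):
    """Entries SPF would install on `source`: (destination, cost, next hop)."""
    cost, next_hop = shortest_path_first(lsdb, source)
    return sorted((dst, c, next_hop[dst]) for dst, c in cost.items() if dst != source)


if __name__ == "__main__":
    for router in LSDB:
        print(router, routing_table(LSDB, router))
```

Note that R1 reaches R2 via R3 at cost 2 even though a direct link exists, because the direct link costs 10: OSPF prefers the lowest cumulative cost, not the fewest hops. If an attacker or a misconfiguration injects a bogus low-cost link into the LSDB, every router in the area recomputes around it identically, which is why OSPF authentication (listed under the neighbor requirements below) matters.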

#### OSPF History

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/cajimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/cajimage.png)

#### OSPF Areas

An OSPF Area is a group of routers that all hold the same routing information (LSAs). Network updates are localized per area, and routers share topology information within the second table mentioned above (the topology table). To reduce the size of the topology table in very large OSPF implementations, the network can be broken up into multiple OSPF areas, so that network updates are only applied within the specifically identified area.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/0TEimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/0TEimage.png)

Area 0 is the Backbone and all other areas must connect back to Area 0

Adding Area 3 through Area 1 (as in the diagram below) would not be a correct or allowed configuration, as Area 3 is NOT connected to Area 0, the Backbone.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/qXUimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/qXUimage.png)

Adding Area 3 by connecting it to the backbone is the correct method for adding another OSPF Area as in the updated diagram below.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/ztDimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/ztDimage.png)

#### OSPF Neighbor Requirements

- Must be in the same Area
- Must match the following fields: 
    - **Hello timer** - the interval in seconds that a router sends hello messages out of an OSPF-enabled interface
    - **Dead timer** - the time in seconds that an OSPF enabled interface will wait to receive a hello message from a neighbor before considering that neighbor to be down.
    - **Authentication**
    - **Maximum transmission unit (MTU)**
    - **Stub flags**

Hello timer defaults: sent every 10 seconds on broadcast or P2P networks; sent every 30 seconds on non-broadcast multiple access (NBMA) networks (e.g., Frame Relay). Hello packets are sent to <span style="text-decoration: underline;">all other routers</span> using the following addresses, depending on IP version:

- IPv4 - 224.0.0.5
- IPv6 - FF02::5

When sending Hello packets to <span style="text-decoration: underline;">designated routers</span> the following addresses are used. What is a designated router? See Below.

- IPv4 - 224.0.0.6
- IPv6 - FF02::6

Dead timer Defaults: 4 times the hello timer.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/IwFimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/IwFimage.png)

**Wait timer** is the number of seconds a router waits for the designated router or backup designated router to be advertised before beginning an election.

**Retransmit** is the number of seconds a router waits before retransmitting an OSPF packet that has not been acknowledged.

#### How to Change the Various Intervals

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/Q5Zimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/Q5Zimage.png)

Router0(config)# interface gigabitEthernet 0/1  
Router0(config-if)#ip ospf hello-interval 20

#### Designated Router (DR) and Backup Designated Router (BDR)

Router adjacencies are neighbor routers that share LSUs and database description packets.

A large network could have a huge number of adjacencies, as shown by this formula:

```matlab
[n*(n-1)]/2
```

So for 4 routers the number of adjacencies would be \[4\*(4-1)\]/2 = 6, and for 10 routers it would be \[10\*(10-1)\]/2 = 45. As you can see, the number of adjacencies becomes large very quickly, and a router will not be 'close' to all of them. Instead, an OSPF router forms an adjacency with one specific router (neighbor) that is deemed the designated router (DR), and also with a backup designated router (BDR). This reduces the adjacency volume.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/vo9image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/vo9image.png)

How does a router select its DR and BDR?

- Priority level (default is 1). The higher the priority, the better. If you do not want a router to be considered as a DR or BDR, set its priority level to zero (0) and it will no longer participate in the election. To adjust the priority level, go to interface configuration mode and enter:

Router1(config-if)# ip ospf priority \[#\]

- Router ID (used when priorities are equal). The Router ID can be configured manually:

Router1(config)#router ospf 1  
Router1(config-router)#router-id \[id\]

- If no Router ID is configured, it is derived from the Loopback interface IP address
- Failing that, it is derived from a physical interface IP address

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/GWvimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/GWvimage.png)

Not all network types conduct a DR/BDR election

<table border="1" id="bkmrk-network-type-dr%2Fbdr-" style="border-collapse: collapse; width: 100%;"><colgroup><col style="width: 50.0618%;"></col><col style="width: 50.0618%;"></col></colgroup><tbody><tr><td class="align-center">**Network Type**</td><td class="align-center">**DR/BDR Election?**</td></tr><tr><td>Point to Point</td><td>No</td></tr><tr><td>Broadcast</td><td>Yes</td></tr><tr><td>Non broadcast multiple access (NMBA)</td><td>Yes</td></tr><tr><td>Point to Multipoint</td><td>No</td></tr></tbody></table>
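The election rules above (priority first, Router ID as the tiebreaker, priority 0 opts out, and no election at all on point-to-point or point-to-multipoint segments) are small enough to model directly. As an added example, not code from the original page, here is a Python model of the initial election on one segment; the routers, their IDs and priorities are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# Which network types hold a DR/BDR election (from the table above)
ELECTS_DR = {
    "point-to-point": False,
    "broadcast": True,
    "nbma": True,
    "point-to-multipoint": False,
}


@dataclass
class OspfRouter:
    name: str
    router_id: str      # dotted quad, as auto-selected or set with `router-id`
    priority: int = 1   # `ip ospf priority`, default 1; 0 = never DR/BDR


def elect_dr_bdr(network_type: str, routers: List[OspfRouter]
                 ) -> Tuple[Optional[OspfRouter], Optional[OspfRouter]]:
    """Initial DR/BDR election on a single segment.

    Highest priority wins; equal priorities are broken by the numerically
    highest Router ID; priority-0 routers are excluded. Point-to-point and
    point-to-multipoint segments elect nothing.
    """
    if not ELECTS_DR[network_type]:
        return None, None
    eligible = [r for r in routers if r.priority > 0]
    ranked = sorted(eligible,
                    key=lambda r: (r.priority, int(IPv4Address(r.router_id))),
                    reverse=True)
    dr = ranked[0] if ranked else None
    bdr = ranked[1] if len(ranked) > 1 else None
    return dr, bdr


# Constructed segment: four routers sharing one broadcast (Ethernet) network.
SEGMENT = [
    OspfRouter("R1", "1.1.1.1"),               # default priority 1
    OspfRouter("R2", "10.0.0.2"),              # default priority 1, higher RID than R1
    OspfRouter("R3", "3.3.3.3", priority=0),   # opted out of the election
    OspfRouter("R4", "4.4.4.4", priority=5),   # preferred by configuration
]


def election_summary(network_type: str, routers: List[OspfRouter] = SEGMENT
                     ) -> Tuple[Optional[str], Optional[str]]:
    """(DR name, BDR name) for the segment, None where there is none."""
    dr, bdr = elect_dr_bdr(network_type, routers)
    return (dr.name if dr else None, bdr.name if bdr else None)


if __name__ == "__main__":
    for nt in ELECTS_DR:
        print(nt, election_summary(nt))
```

This models only the initial election on a fresh segment. A running OSPF DR is not preempted: a router that later joins with a higher priority does not take over until the current DR fails, so the result of the model applies to the moment the segment comes up, not to every later change.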

#### Area Border Router (ABR)

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/cEfimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/cEfimage.png)

Typically an ABR has more processing power than a non-ABR, since it has to store the routing tables for multiple OSPF Areas.

#### Autonomous System Boundary Router (ASBR)

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/kAhimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/kAhimage.png)

This router has one interface connected to OSPF and another interface running an entirely different routing protocol (e.g., EIGRP).

#### LSA Types

- Type 1: Router LSA - this LSA type is what routers use to advertise directly attached networks.
- Type 2: Network LSA - used in transit networks for DR/BDR elections 
    - No need for Type 2 Network LSAs in Point to Point (except Frame Relay) or Point to Multipoint
    - No need for Type 2 Network LSAs for links going to end devices
- Type 3: Summary LSA - these LSAs come into play for Area Border Routers (ABRs)
- Type 4 and Type 5 LSAs are created when an OSPF network is connected to another autonomous system (e.g., EIGRP) 
    - Type 4: Summary ASBR LSA - created by an ABR to tell an Area how to reach an ASBR

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/sbJimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/sbJimage.png)

- Type 5: AS External LSA - created by the ASBR to advertise networks in different autonomous systems

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/7Yhimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/7Yhimage.png)

Router0#show ip ospf database

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/CBCimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/CBCimage.png)

#### Stub Areas

An area that is only connected to the backbone and is not connected to any other autonomous systems.

#### Route Summarization

In IPv4 networking, route summarization, also known as route aggregation, is a technique used to reduce the number of routing table entries on a router. This is done by grouping together several smaller networks into a single, larger network, and then advertising the summary route to other routers instead of the individual smaller networks.

For example, imagine a network with several subnets, such as 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24, and so on. Instead of having a separate routing table entry for each of these subnets, route summarization allows a router to group them together into a single network, such as 10.1.0.0/22. This single entry will take the place of all the individual entries, reducing the size of the routing table and making it more efficient.

Route summarization is done by using a mask (also called a subnet mask) with fewer network bits than the original subnet masks, so that it covers a larger block, as the /22 in the example above covers four /24 networks. This allows a group of subnets to be represented by a single IP address and mask.

The benefit of this technique is that it can help reduce the number of routing table entries and improve the performance of the routing process. By reducing the size of the routing table, routers can make faster and more efficient routing decisions. It also can help to reduce the amount of routing information that needs to be exchanged between routers.

It's important to note that while route summarization can help to improve the scalability and performance of a network, it can also create potential problems such as black-hole routing, where packets are attracted by the summary but dropped because there is no more specific route to the destination. Therefore, it's important to be mindful of the address space being used and make sure that the summary route being advertised does not overlap with other routes that exist in the network.

##### Example

<table border="1" id="bkmrk-decimal-octet-1-octe" style="border-collapse: collapse; width: 100%;"><colgroup><col style="width: 20%;"></col><col style="width: 20%;"></col><col style="width: 20%;"></col><col style="width: 20%;"></col><col style="width: 20%;"></col></colgroup><tbody><tr><td>Decimal</td><td>Octet 1</td><td>Octet 2</td><td>Octet 3</td><td>Octet 4</td></tr><tr><td>192.168.8.0</td><td>11000000</td><td>10101000</td><td><span style="color: rgb(224, 62, 45);">00001</span><span style="color: rgb(186, 55, 42);">0</span>00</td><td>00000000</td></tr><tr><td>192.168.9.0</td><td>11000000</td><td>10101000</td><td><span style="color: rgb(224, 62, 45);">00001</span><span style="color: rgb(186, 55, 42);">0</span>01</td><td>00000000</td></tr><tr><td>192.168.10.0</td><td>11000000</td><td>10101000</td><td><span style="color: rgb(224, 62, 45);">00001</span><span style="color: rgb(186, 55, 42);">0</span>10</td><td>00000000</td></tr><tr><td>192.168.11.0</td><td>11000000</td><td>10101000</td><td><span style="color: rgb(224, 62, 45);">00001</span><span style="color: rgb(186, 55, 42);">0</span>11</td><td>00000000</td></tr><tr><td>SUMMARY IP</td><td>11000000</td><td>10101000</td><td><span style="color: rgb(224, 62, 45);">00001</span><span style="color: rgb(186, 55, 42);">0</span>00</td><td>00000000</td></tr><tr><td>  
</td><td>192</td><td>168</td><td><span style="color: rgb(224, 62, 45);">8</span></td><td>0</td></tr><tr><td>Subnet Mask</td><td>11111111</td><td>11111111</td><td><span style="color: rgb(224, 62, 45);">111111</span>00</td><td>00000000</td></tr><tr><td>/22</td><td>255</td><td>255</td><td>252</td><td>0</td></tr></tbody></table>

Summarization Result = 192.168.8.0 with subnet 255.255.252.0 (/22)
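The table above works the summary out bit by bit. As an added example, not code from the original page, the Python below does the same for any list of networks, and also reports the two things the black-hole warning asks you to check: which address blocks inside the summary have no real subnet behind them, and which other routes the summary would overlap. The inputs are the page's two examples (192.168.8.0 to 192.168.11.0, and 10.1.1.0 to 10.1.3.0); the "other routes" list is constructed for illustration.

```python
from ipaddress import IPv4Network, ip_network
from typing import List, Tuple


def summarize(prefixes: List[str]) -> Tuple[IPv4Network, List[IPv4Network]]:
    """Smallest single prefix covering all `prefixes`, plus the blocks inside
    it that no component network covers (black-hole candidates)."""
    nets = [ip_network(p) for p in prefixes]
    first = int(nets[0].network_address)
    # Shorten the prefix until every network shares the same leading bits.
    # The summary can never be longer than the shortest component mask.
    for bits in range(min(n.prefixlen for n in nets), -1, -1):
        mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
        if all((int(n.network_address) & mask) == (first & mask) for n in nets):
            break
    summary = IPv4Network((first & mask, bits))
    # Carve each component out of the summary; whatever remains is space the
    # summary advertises but has no more specific route behind it.
    leftovers = [summary]
    for n in nets:
        carved = []
        for block in leftovers:
            if not block.overlaps(n):
                carved.append(block)
            elif n.subnet_of(block):
                carved.extend(block.address_exclude(n))
            # else: n covers the whole block, so the block disappears
        leftovers = carved
    return summary, sorted(leftovers)


def conflicting_routes(summary: IPv4Network, other_routes: List[str]) -> List[str]:
    """Routes elsewhere in the network that the summary would overlap."""
    return [str(n) for n in map(ip_network, other_routes) if summary.overlaps(n)]


if __name__ == "__main__":
    # Page example: four /24s collapse into 192.168.8.0/22 with no gaps.
    s, gaps = summarize(["192.168.8.0/24", "192.168.9.0/24",
                         "192.168.10.0/24", "192.168.11.0/24"])
    print(s, s.netmask, gaps)
    # Page example from the prose: 10.1.1.0/24 .. 10.1.3.0/24 summarize to
    # 10.1.0.0/22, but 10.1.0.0/24 is then advertised without a real subnet.
    s2, gaps2 = summarize(["10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"])
    print(s2, gaps2)
    # Constructed "other routes" to check the summary against.
    print(conflicting_routes(s2, ["10.1.0.0/24", "10.2.0.0/16", "172.16.0.0/12"]))
```

The second example is the one to remember: three contiguous /24s starting at .1 need a /22 that also swallows 10.1.0.0/24. Traffic for that block follows the summary to the advertising router and is dropped there, unless a more specific route (or an intentional discard route for the summary) exists.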

# Cisco IOS OSPF Protocol

#### Network Topology

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/5tsimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/5tsimage.png)

#### Router0 Configuration Commands

Router0&gt;enable  
Router0#configure terminal  
Router0(config)#interface serial 0/0/0  
Router0(config-if)#ip address 172.16.1.2 255.255.255.248  
Router0(config-if)#no shutdown  
Router0(config-if)#interface gigabitEthernet 0/0  
Router0(config-if)#ip address 192.168.10.1 255.255.255.0  
Router0(config-if)#no shutdown  
Router0(config-if)#exit  
Router0(config)#router ospf 1  
Router0(config-router)#network 192.168.10.0 0.0.0.255 area 0  
Router0(config-router)#network 172.16.1.0 0.0.0.7 area 0  
Router0(config-router)#end

#### Router1 Configuration Commands

Router1&gt;enable  
Router1#configure terminal  
Router1(config)#interface serial 0/0/0  
Router1(config-if)#ip address 172.16.1.1 255.255.255.248  
Router1(config-if)#no shutdown  
Router1(config-if)#interface serial 0/0/1  
Router1(config-if)#ip address 172.16.2.1 255.255.255.248  
Router1(config-if)#no shutdown  
Router1(config-if)#interface gigabitEthernet 0/0  
Router1(config-if)#ip address 192.168.20.1 255.255.255.0  
Router1(config-if)#no shutdown  
Router1(config-if)#exit  
Router1(config)#router ospf 1  
Router1(config-router)#network 192.168.20.0 0.0.0.255 area 0  
Router1(config-router)#network 172.16.1.0 0.0.0.7 area 0  
Router1(config-router)#network 172.16.2.0 0.0.0.7 area 0  
Router1(config-router)#end

#### Router2 Configuration Commands

Router2&gt;enable  
Router2#configure terminal  
Router2(config)#interface serial 0/0/0  
Router2(config-if)#ip address 172.16.2.2 255.255.255.248  
Router2(config-if)#no shutdown  
Router2(config-if)#interface gigabitEthernet 0/0  
Router2(config-if)#ip address 192.168.30.1 255.255.255.0  
Router2(config-if)#no shutdown  
Router2(config-if)#exit  
Router2(config)#router ospf 1  
Router2(config-router)#network 192.168.30.0 0.0.0.255 area 0  
Router2(config-router)#network 172.16.2.0 0.0.0.7 area 0  
Router2(config-router)#end
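The `network ... area` statements in the three configurations above use wildcard masks (0.0.0.7, 0.0.0.255) rather than subnet masks, and it is the interface address matching those statements that decides where OSPF runs. As an added example, not code from the original page, the Python below converts a subnet mask to its wildcard and applies Router1's three statements to its interfaces; a fourth interface (Loopback99 with 10.99.99.1/32) is a constructed addition to show a non-match. Statements are evaluated most specific first, mirroring how IOS orders them.

```python
from ipaddress import IPv4Address, IPv4Interface
from typing import Dict, List, Optional, Tuple


def subnet_mask_to_wildcard(mask: str) -> str:
    """A wildcard mask is the bitwise inverse of the subnet mask."""
    return str(IPv4Address(int(IPv4Address(mask)) ^ 0xFFFFFFFF))


def matches(network: str, wildcard: str, address: str) -> bool:
    """IOS `network` semantics: bits set in the wildcard are 'don't care'."""
    care = int(IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (int(IPv4Address(address)) & care) == (int(IPv4Address(network)) & care)


def ospf_enabled_interfaces(statements: List[Tuple[str, str, int]],
                            interfaces: Dict[str, str]) -> Dict[str, Optional[int]]:
    """Map each interface to the area of the first matching statement, or None.

    Statements are tried most specific first (numerically smallest wildcard).
    """
    ordered = sorted(statements, key=lambda s: int(IPv4Address(s[1])))
    result: Dict[str, Optional[int]] = {}
    for name, addr in interfaces.items():
        ip = str(IPv4Interface(addr).ip)
        result[name] = next((area for net, wc, area in ordered if matches(net, wc, ip)), None)
    return result


# Router1's statements and interface addresses from the configuration above.
ROUTER1_STATEMENTS = [
    ("192.168.20.0", "0.0.0.255", 0),
    ("172.16.1.0", "0.0.0.7", 0),
    ("172.16.2.0", "0.0.0.7", 0),
]
ROUTER1_INTERFACES = {
    "Serial0/0/0": "172.16.1.1/29",
    "Serial0/0/1": "172.16.2.1/29",
    "GigabitEthernet0/0": "192.168.20.1/24",
    "Loopback99": "10.99.99.1/32",   # constructed: not covered by any statement
}


if __name__ == "__main__":
    print(subnet_mask_to_wildcard("255.255.255.248"))
    print(ospf_enabled_interfaces(ROUTER1_STATEMENTS, ROUTER1_INTERFACES))
```

A wide statement such as `network 0.0.0.0 255.255.255.255 area 0` matches every interface, which is convenient but also sends Hellos and accepts neighbors on interfaces that face end users. Keep statements as narrow as the ones on this page, and use `passive-interface` on interfaces that should not form adjacencies.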

#### PC Configurations

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/H7Qimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/H7Qimage.png)

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/PNjimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/PNjimage.png)

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/7Ffimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/7Ffimage.png)

#### Verify OSPF Configuration

Router0#show ip route

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/rCnimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/rCnimage.png)

Router1#show ip route

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/wJOimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/wJOimage.png)

Router2#show ip route

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/Pwzimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/Pwzimage.png)

Router0# show ip ospf neighbor

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/GBCimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/GBCimage.png)

Router1#show ip ospf neighbor

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/ihaimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/ihaimage.png)

Router2#show ip ospf neighbor

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/fTVimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/fTVimage.png)

Router0#show ip ospf

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/xtyimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/xtyimage.png)

Router1#show ip ospf

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/yNoimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/yNoimage.png)

Router2#show ip ospf

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/Egdimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/Egdimage.png)

#### Ping and Tracert Checks

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/TAAimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/TAAimage.png)

#### Cisco Packet Tracer File

[net15 ospf.pkt](https://bookstack.taylorhome.run/attachments/10)

# Cisco IOS OSPF Router ID

#### Network Topology

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/CGbimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/CGbimage.png)

#### What is the OSPF Router ID (RID)?

The OSPF Router ID (RID) is a 32-bit value used to uniquely identify an OSPF router in a network. The Router ID takes the form of an IPv4 address (e.g., 1.1.1.1). It is used by OSPF routers to identify themselves to each other, and is also used as a key for certain OSPF data structures. The RID is typically chosen as the highest IP address of a router's interfaces that are configured for OSPF. If there are multiple interfaces with the same IP address, the RID will be chosen based on the interface's MAC address or on the order in which the interfaces were configured. The RID is carried in the OSPF header of OSPF packets, and is also used in the LSA (Link State Advertisement) packets that OSPF routers exchange to form and maintain their routing tables.

#### How is the OSPF Router ID Selected?

A router chooses its OSPF Router ID (RID) based on the following priority:

1. The highest IP address of a loopback interface that is configured for OSPF. A loopback interface is a virtual interface that is always up, and is typically used for management purposes.
2. If there is no loopback interface configured, the highest IP address of a physical interface that is configured for OSPF.
3. If there are multiple interfaces with the same IP address, the RID will be chosen based on the interface's MAC address.
4. If all of the above methods fail to produce a unique RID, the router will choose the RID based on the order in which the interfaces were configured.

It is important to note that, once chosen, the RID cannot be changed without restarting the OSPF process on the router. It is also important that all OSPF routers in a single OSPF domain must have unique RIDs.
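Steps 1 and 2 above, the manual `router-id` override, and the "sticky until `clear ip ospf process`" behaviour together describe a small state machine. As an added example, not code from the original page, the Python below models it and replays the walkthrough that follows; the interface names and addresses are constructed (the page's screenshot shows two physical and two Loopback interfaces but the addresses are not given in the text). Steps 3 and 4 (duplicate addresses) are not modelled because IOS does not allow duplicate interface addresses in the first place.

```python
from ipaddress import IPv4Address
from typing import Dict, Optional

# Constructed interface table for Router0: two physical, two Loopback.
ROUTER0_INTERFACES = {
    "GigabitEthernet0/0": "192.168.10.1",
    "Serial0/0/0": "172.16.1.1",
    "Loopback0": "1.1.1.1",
    "Loopback1": "2.2.2.2",
}


class OspfProcess:
    """Models `router ospf <n>` Router ID behaviour: chosen once at start,
    kept until `clear ip ospf process`, overridable with `router-id`."""

    def __init__(self, interfaces: Dict[str, str]):
        self.interfaces = dict(interfaces)
        self.manual_rid: Optional[str] = None
        self.rid: Optional[str] = None

    def _choose(self) -> str:
        if self.manual_rid:
            return self.manual_rid                       # explicit router-id wins
        loopbacks = [ip for n, ip in self.interfaces.items()
                     if n.lower().startswith("loopback")]
        physical = [ip for n, ip in self.interfaces.items()
                    if not n.lower().startswith("loopback")]
        candidates = loopbacks or physical               # step 1, then step 2
        if not candidates:
            raise RuntimeError("no IPv4 address available to derive a Router ID")
        return max(candidates, key=lambda ip: int(IPv4Address(ip)))

    def start(self) -> str:
        """`router ospf 1`: the RID is chosen only if none is held yet."""
        if self.rid is None:
            self.rid = self._choose()
        return self.rid

    def remove_interface(self, name: str) -> Optional[str]:
        """`no interface ...`: the held RID does not change."""
        self.interfaces.pop(name, None)
        return self.rid

    def clear_process(self) -> str:
        """`clear ip ospf process`: re-run the selection."""
        self.rid = self._choose()
        return self.rid

    def set_router_id(self, rid: str) -> str:
        """`router-id A.B.C.D`: must be a dotted-quad 32-bit value."""
        IPv4Address(rid)           # raises ValueError on a malformed ID
        self.manual_rid = rid
        self.rid = rid             # takes effect immediately, as seen on the page
        return self.rid


if __name__ == "__main__":
    p = OspfProcess(ROUTER0_INTERFACES)
    print("start:", p.start())                         # highest Loopback
    p.remove_interface("Loopback0")
    print("after removing loopbacks:", p.remove_interface("Loopback1"))
    print("after clear:", p.clear_process())           # highest physical
    print("manual:", p.set_router_id("10.10.10.10"))
```

On real IOS, changing `router-id` on a running process prints a reminder to reload or issue `clear ip ospf process` before the new ID takes effect; the model applies it immediately because that is what the walkthrough on this page observes in Packet Tracer. Either way, clearing the process drops all adjacencies, so do it in a maintenance window.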

#### Router ID in Action with Network Topology Above

The topology above has two physical interfaces and two Loopback interfaces.

Router0# show ip interface brief

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/EUlimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/EUlimage.png)

We can start the OSPF router process with the following command:

Router0(config)#router ospf 1  
Router0(config-router)#end

Now let's check the OSPF Router ID by issuing the command:

Router0#show ip protocols

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/AQ2image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/AQ2image.png)

As can be seen above, the ospf 1 process has chosen the Loopback interface with the highest IP address as its Router ID, as we expected from #1 in the explanation above. Now let's remove the Loopback interfaces and see how that affects the OSPF Router ID.

Router0#configure terminal  
Router0(config)#no interface loopback 0  
Router0(config)#no interface loopback 1  
Router0(config)#do show ip interface brief

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/ys0image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/ys0image.png)

Confirmed that the Loopback interfaces have been removed. Let's check the OSPF Router ID now.

Router0(config)#end  
Router0#show ip protocols

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/WAXimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/WAXimage.png)

The Router ID has not changed! Just like the note above states the OSPF Router ID once chosen cannot be changed without a restart of the OSPF process. How can we restart the OSPF process? With this command:

Router0#clear ip ospf process

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/rFDimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/rFDimage.png)

Now we can check the Router ID again.

Router0#show ip protocols

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/it1image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/it1image.png)

After the reset of the OSPF process the Router ID has been selected from the physical interface with the highest IP address. Again, just like we would expect from #2 from the explanation above.

Now, what if we did not want the OSPF process to choose its own Router ID? What if we wanted to manually set the Router ID, can we do that? Yes! As long as we make sure to set it in the correct format: a 32-bit value written as a 4-octet IPv4 dotted-decimal address.

Router0#configure terminal  
Router0(config)#router ospf 1  
Router0(config-router)#router-id 10.10.10.10  
Router0(config-router)#end  
Router0#show ip protocols

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/CDJimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/CDJimage.png)

As you can see the Router ID is now set to what we manually entered 10.10.10.10.

# Cisco IOS eBGP (External) Protocol

#### Network Topology

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/XMximage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/XMximage.png)

As of Cisco Packet Tracer 8.2, internal BGP (iBGP) is not supported; only external BGP (eBGP) is. If you try to configure iBGP in Packet Tracer, you will see the following message.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/eskimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/eskimage.png)

So, in this example the focus will be on setting up eBGP between two separate autonomous systems.

#### Router0 Configuration Commands

Router0&gt;enable  
Router0#configure terminal  
Router0(config)#interface serial 0/0/0  
Router0(config-if)#ip address 172.16.1.1 255.255.255.248  
Router0(config-if)#no shutdown  
Router0(config-if)#interface gigabitEthernet 0/0  
Router0(config-if)#ip address 192.168.10.1 255.255.255.0  
Router0(config-if)#no shutdown  
Router0(config-if)#int Loopback 0  
Router0(config-if)#ip address 1.1.1.1 255.0.0.0  
Router0(config-if)#no shutdown  
Router0(config-if)#exit  
Router0(config)#router bgp 65001  
Router0(config-router)#neighbor 172.16.1.2 remote-as 65002  
Router0(config-router)#network 1.1.1.1 mask 255.0.0.0  
Router0(config-router)#network 192.168.10.0 mask 255.255.255.0  
Router0(config-router)#bgp router-id 1.1.1.1  
Router0(config-router)#no synchronization

#### Router1 Configuration Commands

Router1&gt;enable  
Router1#configure terminal  
Router1(config)#interface serial 0/0/0  
Router1(config-if)#ip address 172.16.1.2 255.255.255.248  
Router1(config-if)#no shutdown  
Router1(config-if)#interface gigabitEthernet 0/0  
Router1(config-if)#ip address 192.168.20.1 255.255.255.0  
Router1(config-if)#no shutdown  
Router1(config-if)#int Loopback 0  
Router1(config-if)#ip address 2.2.2.2 255.0.0.0  
Router1(config-if)#no shutdown  
Router1(config-if)#exit  
Router1(config)#router bgp 65002  
Router1(config-router)#neighbor 172.16.1.1 remote-as 65001  
Router1(config-router)#network 2.2.2.2 mask 255.0.0.0  
Router1(config-router)#network 192.168.20.0 mask 255.255.255.0  
Router1(config-router)#bgp router-id 2.2.2.2  
Router1(config-router)#no synchronization

#### A Special Word about the No Synchronization Command

The site [BGPExpert](https://bgpexpert.com/nosync.php) has an excellent explanation of what the *no synchronization* command is and what it does.

#### Check BGP Configuration

Router0#show ip route

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/Xniimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/Xniimage.png)

Router0#show ip bgp summary

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/3uWimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/3uWimage.png)

Router0#show ip bgp

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/T5eimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/T5eimage.png)

Router0#show bgp ipv4 unicast neighbor 172.16.1.2 advertised-routes

This is another command that is not available in Cisco Packet Tracer as of v8.2. So, here is an example from GNS3.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/309image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/309image.png)

#### Ping and Tracert Connectivity Tests

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/KKGimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/KKGimage.png)

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/71Bimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/71Bimage.png)

#### More Notes on BGP

- BGP communicates using TCP port 179
- BGP can form neighbor adjacencies with directly connected routers, which isn't a surprise as other routing protocols do that. But BGP can also form neighbor adjacencies with routers multiple hops away.

<table border="1" id="bkmrk-directly-connected-b" style="border-collapse: collapse; width: 100%;"><colgroup><col style="width: 50%;"></col><col style="width: 50%;"></col></colgroup><tbody><tr><td class="align-center">##### Directly Connected BGP Neighbors

</td><td class="align-center">##### Multihop BGP Neighbors

</td></tr><tr><td>BGP will use the ARP table to locate the Layer 2 address of the peer.</td><td>BGP will use routing table information to find the peer's IP address.</td></tr></tbody></table>

- BGP is a path-vector routing protocol meaning it uses path attributes that are associated with each network path when selecting the best route. This also helps ensure that the path taken is loop free.
- BGP path attributes are defined in RFC 4271 (January 2006 release date).
- RFC 1654 defined BGP and termed it an Inter-Autonomous System routing protocol.
- The 'AS' in the network topology is short for Autonomous System. An Autonomous System is 'the entire routing domain controlled by a company, ISP, or other organization.'
- Inter-Autonomous means that BGP is able to route packets across organizations' routing domains. This makes BGP perfect for the routing of the Internet.
- An organization requests an Autonomous System Number (ASN) from the Internet Service Provider (ISP) or more typically from the Internet Assigned Numbers Authority [IANA](https://www.iana.org/).
- The ASN is a 16-bit or 32-bit number.
- 32-bit ASN length provides for 4,294,967,295 unique ASNs.
- There are private ASNs that any organization can use. These are similar in concept to the private IP ranges, listed below, that any organization can use internally. 
    - Class A 10.0.0.0 - 10.255.255.255
    - Class B 172.16.0.0 - 172.31.255.255
    - Class C 192.168.0.0 - 192.168.255.255

<table border="1" id="bkmrk-private-16-bit-asn-r" style="border-collapse: collapse; width: 100%;"><colgroup><col style="width: 50%;"></col><col style="width: 50%;"></col></colgroup><tbody><tr><td class="align-center">##### Private 16-bit ASN Range

</td><td class="align-center">##### Private 32-bit ASN Range

</td></tr><tr><td class="align-center">64,512 - 65,535</td><td class="align-center">4,200,000,000 - 4,294,967,294</td></tr></tbody></table>

- BGP Peer Communication Message types:
    - Open Message
        - Establishes the BGP adjacency
        - Contains the BGP version number, AS number, hold-down timer and other parameters
    - Keep Alive
        - Ensures the neighbors are still active
        - KeepAlive timer set to every 60 seconds by default
        - 1/3 of the HoldDown timer, which is 180 seconds by default
    - Update
        - These messages carry an update/change to the network
        - NLRI - [Network Layer Reachability Information](https://www.inetdaemon.com/tutorials/internet/ip/routing/bgp/operation/messages/update/nlri.shtml) is included in an update message
    - Notification
        - Error detected
            - Neighbor down
            - Expiration of HoldDown timer
        - BGP Session Reset Requests (clear ip bgp \*)
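As an added example (not part of the original page), a small Python parser for the message types listed above: it validates the 19-byte header the way a receiver must, decodes the fixed fields of an OPEN (version, AS number, hold time, BGP identifier) and derives the 1/3 keepalive, and decodes a NOTIFICATION. The sample messages are constructed inline, not captured from Router0.

```python
import struct

MARKER = b"\xff" * 16                      # 16 all-ones bytes on every message
MSG_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}
ERROR_CODES = {1: "Message Header Error", 2: "OPEN Message Error",
               3: "UPDATE Message Error", 4: "Hold Timer Expired",
               5: "Finite State Machine Error", 6: "Cease"}


def parse_header(data: bytes) -> dict:
    """Validate the 19-byte header (marker, length, type) and return the body.

    Rejects what a receiver must reject: bad marker, length outside 19..4096,
    unknown type, or a message shorter than its declared length.
    """
    if len(data) < 19:
        raise ValueError("truncated header")
    marker, length, msg_type = struct.unpack("!16sHB", data[:19])
    if marker != MARKER:
        raise ValueError("bad marker: connection not synchronized")
    if not 19 <= length <= 4096:
        raise ValueError(f"bad message length {length}")
    if msg_type not in MSG_TYPES:
        raise ValueError(f"bad message type {msg_type}")
    if len(data) < length:
        raise ValueError("truncated message body")
    return {"type": MSG_TYPES[msg_type], "length": length, "body": data[19:length]}


def parse_open(body: bytes) -> dict:
    """Decode the fixed part of an OPEN: version, AS, hold time, BGP identifier."""
    if len(body) < 10:
        raise ValueError("OPEN too short")
    version, my_as, hold_time, bgp_id, opt_len = struct.unpack("!BHHIB", body[:10])
    if version != 4:
        raise ValueError(f"unsupported BGP version {version}")
    if hold_time in (1, 2):                # RFC 4271: hold time is 0 or >= 3 s
        raise ValueError(f"unacceptable hold time {hold_time}")
    if len(body) != 10 + opt_len:
        raise ValueError("optional parameters length mismatch")
    return {
        "version": version,
        "my_as": my_as,
        "hold_time": hold_time,
        "keepalive": hold_time // 3,       # 1/3 of the hold time: 180 s -> 60 s
        "bgp_identifier": ".".join(str(b) for b in bgp_id.to_bytes(4, "big")),
        "optional_parameters": body[10:],
    }


def parse_notification(body: bytes) -> dict:
    """Decode error code / subcode; the rest is error-specific data."""
    if len(body) < 2:
        raise ValueError("NOTIFICATION too short")
    return {"error": ERROR_CODES.get(body[0], f"unknown ({body[0]})"),
            "subcode": body[1], "data": body[2:]}


def parse_message(data: bytes) -> dict:
    """Dispatch on the header type. UPDATE bodies are returned undecoded."""
    msg = parse_header(data)
    if msg["type"] == "OPEN":
        msg.update(parse_open(msg["body"]))
    elif msg["type"] == "KEEPALIVE":
        if msg["body"]:                    # a KEEPALIVE is the 19-byte header only
            raise ValueError("KEEPALIVE must have no body")
    elif msg["type"] == "NOTIFICATION":
        msg.update(parse_notification(msg["body"]))
    return msg


def build_open(my_as: int, hold_time: int, bgp_id: str) -> bytes:
    """Build an OPEN with no optional parameters; used only to make sample input."""
    id_int = int.from_bytes(bytes(int(o) for o in bgp_id.split(".")), "big")
    body = struct.pack("!BHHIB", 4, my_as, hold_time, id_int, 0)
    return MARKER + struct.pack("!HB", 19 + len(body), 1) + body


# Constructed sample messages (not captured from a real router).
SAMPLE_OPEN = build_open(my_as=65004, hold_time=180, bgp_id="4.4.4.4")
SAMPLE_KEEPALIVE = MARKER + struct.pack("!HB", 19, 4)
SAMPLE_NOTIFICATION = MARKER + struct.pack("!HB", 21, 3) + bytes([4, 0])  # hold timer expired

if __name__ == "__main__":
    for sample in (SAMPLE_OPEN, SAMPLE_KEEPALIVE, SAMPLE_NOTIFICATION):
        print(parse_message(sample))
```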

Router0#show ip bgp neighbors

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/Klsimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/Klsimage.png)

#### Another Limitation of Cisco Packet Tracer

As of Packet Tracer 8.2 there isn't a command for debug ip bgp, which is very odd because there are debug commands for other protocols.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/mglimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/mglimage.png)

So, for this next section I will be using GNS3 to show the BGP connection handshake. BGP establishes a TCP session with a neighboring BGP peer or peers. The connection between the peers <span style="text-decoration: underline;">**may**</span> report the following states while the connection is established.

- Idle
- Connect
- Active
- OpenSent
- OpenConfirm
- Established

The states can be quite fluid in their ordering, as can be seen in an official Cisco diagram showing the states.

[![bgpstates.jpg](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/bgpstates.jpg)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/bgpstates.jpg)

To demo these states in GNS3 I will initiate a debug for the BGP protocol.

Router0#debug ip bgp  
Router0#clear ip bgp \*

IDLE:

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/Xhzimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/Xhzimage.png)

CONNECT:

For the connect phase, I never explicitly saw this reported in the debug logs. I tried two different routers with different Cisco IOS versions and in both cases Idle to Connect never logged. This must be what Cisco was referring to when they said, "*The connection between the peers <span style="text-decoration: underline;">**may**</span> report the following states while the connection is established."*

ACTIVE:

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/mdrimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/mdrimage.png)

OPENSENT:

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/qHTimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/qHTimage.png)

OPENCONFIRM:

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/1npimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/1npimage.png)

ESTABLISHED:

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/MtNimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/MtNimage.png)

Now we can check the TCP connectivity.

Router0#show tcp brief

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/N3Jimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/N3Jimage.png)

The connection is established. Note that the TCP port on the peer (foreign address) is 179. This peer has the higher IP address and thus manages the connect phase and establishes the port 179 connectivity. The peer with the lower IP will get a randomized port for the connectivity. In this example the randomized port is 57597.

#### [Additional Information about BGP from Cloudflare](https://www.cloudflare.com/learning/security/glossary/what-is-bgp/)

#### [Additional Information about BGP Neighbor States and Connectivity from CiscoPress](https://www.ciscopress.com/articles/article.asp?p=2756480&seqNum=4)

#### Cisco Packet Tracer File

[net14 bgp.pkt](https://bookstack.taylorhome.run/attachments/14)

# BGP Path Attributes

#### BGP Path Attributes

BGP (Border Gateway Protocol) is a path vector routing protocol, meaning it uses path attributes to determine the best routing path. There are eight (8) attributes that BGP uses in the determination of that best path.

<table border="1" id="bkmrk-mnemonic-first-lette" style="border-collapse: collapse; width: 100%; height: 268.172px;"><colgroup><col style="width: 20.5318%;"></col><col style="width: 25.9453%;"></col><col style="width: 53.5229%;"></col></colgroup><tbody><tr style="height: 29.7969px;"><td class="align-center" style="height: 29.7969px;">**Mnemonic**</td><td class="align-center" style="height: 29.7969px;">**First Letter**</td><td class="align-center" style="height: 29.7969px;">**BGP Path Attribute**</td></tr><tr style="height: 29.7969px;"><td class="align-center" style="height: 29.7969px;">We</td><td class="align-center" style="height: 29.7969px;">W</td><td class="align-center" style="height: 29.7969px;">Weight</td></tr><tr style="height: 29.7969px;"><td class="align-center" style="height: 29.7969px;">Love</td><td class="align-center" style="height: 29.7969px;">L</td><td class="align-center" style="height: 29.7969px;">Local\_pref</td></tr><tr style="height: 29.7969px;"><td class="align-center" style="height: 29.7969px;">Oranges</td><td class="align-center" style="height: 29.7969px;">O</td><td class="align-center" style="height: 29.7969px;">Originate</td></tr><tr style="height: 29.7969px;"><td class="align-center" style="height: 29.7969px;">As</td><td class="align-center" style="height: 29.7969px;">A</td><td class="align-center" style="height: 29.7969px;">AS\_path</td></tr><tr style="height: 29.7969px;"><td class="align-center" style="height: 29.7969px;">Oranges</td><td class="align-center" style="height: 29.7969px;">O</td><td class="align-center" style="height: 29.7969px;">Origin type</td></tr><tr style="height: 29.7969px;"><td class="align-center" style="height: 29.7969px;">Mean</td><td class="align-center" style="height: 29.7969px;">M</td><td class="align-center" style="height: 29.7969px;">MED (Multiple Exit Discriminator)</td></tr><tr style="height: 29.7969px;"><td class="align-center" style="height: 29.7969px;">Pure</td><td class="align-center" style="height: 
29.7969px;">P</td><td class="align-center" style="height: 29.7969px;">Paths</td></tr><tr style="height: 29.7969px;"><td class="align-center" style="height: 29.7969px;">Refreshment</td><td class="align-center" style="height: 29.7969px;">R</td><td class="align-center" style="height: 29.7969px;">Router-ID</td></tr></tbody></table>

This is not inclusive of all 13 path attributes, but it covers the majority of them, particularly those that we often see used in practice.

##### WEIGHT

- Cisco specific parameter
- Local to the router
- Preference: highest weight

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/VjYimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/VjYimage.png)

##### LOCAL PREFERENCE (Local\_pref)

This parameter often gets used for route manipulation.

- Default value of 100
- Preference: highest local\_pref

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/vFqimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/vFqimage.png)

##### ORIGINATE

- How a path was sourced
- Preference: local paths from network or redistribute commands are preferred versus local aggregates via aggregate-address command

##### AUTONOMOUS SYSTEM PATH (AS\_path)

- The number of autonomous systems in the path
- Preference: shortest AS\_path
- It is the number of autonomous systems in the path **NOT** the number of routers in the path.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/Qirimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/Qirimage.png)

##### ORIGIN TYPE

- Preference: lowest origin type

1. IGP
2. EGP
3. ? Incomplete

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/Ohwimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/Ohwimage.png)

##### MED (Multi-exit Discriminator)

- Optional non-transitive attribute
- A hint to external neighbors about the preferred path into an autonomous system (AS) that has multiple entry points
- Preference: lowest MED

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/HbOimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/HbOimage.png)

##### PATHS (eBGP vs iBGP)

- Preference: eBGP over iBGP

<table border="1" id="bkmrk-ebgp-ibgp-administra" style="border-collapse: collapse; width: 100%;"><colgroup><col style="width: 50%;"></col><col style="width: 50%;"></col></colgroup><tbody><tr><td class="align-center">**eBGP**</td><td class="align-center">**iBGP**</td></tr><tr><td class="align-center">Administrative distance: **20**</td><td class="align-center">Administrative distance: **200**</td></tr></tbody></table>

##### ROUTER-ID

- Preference: route from the lowest router ID

#### Summary of the Attributes

<table border="1" id="bkmrk-mnemonic-first-lette-0" style="border-collapse: collapse; width: 100%; height: 268.172px;"><colgroup><col style="width: 24.9383%;"></col><col style="width: 24.9383%;"></col><col style="width: 24.9383%;"></col><col style="width: 24.9383%;"></col></colgroup><tbody><tr style="height: 29.7969px;"><td class="align-center" style="height: 29.7969px;">**Mnemonic**</td><td class="align-center" style="height: 29.7969px;">**First Letter**</td><td class="align-center" style="height: 29.7969px;">**BGP Path Attribute**</td><td class="align-center" style="height: 29.7969px;">**Preference**</td></tr><tr style="height: 29.7969px;"><td class="align-center" style="height: 29.7969px;">We</td><td class="align-center" style="height: 29.7969px;">W</td><td class="align-center" style="height: 29.7969px;">Weight</td><td class="align-center" style="height: 29.7969px;">Higher</td></tr><tr style="height: 29.7969px;"><td class="align-center" style="height: 29.7969px;">Love</td><td class="align-center" style="height: 29.7969px;">L</td><td class="align-center" style="height: 29.7969px;">Local\_pref</td><td class="align-center" style="height: 29.7969px;">Higher</td></tr><tr style="height: 29.7969px;"><td class="align-center" style="height: 29.7969px;">Oranges</td><td class="align-center" style="height: 29.7969px;">O</td><td class="align-center" style="height: 29.7969px;">Originate</td><td class="align-center" style="height: 29.7969px;">Local vs Aggregate</td></tr><tr style="height: 29.7969px;"><td class="align-center" style="height: 29.7969px;">As</td><td class="align-center" style="height: 29.7969px;">A</td><td class="align-center" style="height: 29.7969px;">AS\_path</td><td class="align-center" style="height: 29.7969px;">Lower</td></tr><tr style="height: 29.7969px;"><td class="align-center" style="height: 29.7969px;">Oranges</td><td class="align-center" style="height: 29.7969px;">O</td><td class="align-center" style="height: 29.7969px;">Origin type</td><td 
class="align-center" style="height: 29.7969px;">IGP vs EGP vs ?</td></tr><tr style="height: 29.7969px;"><td class="align-center" style="height: 29.7969px;">Mean</td><td class="align-center" style="height: 29.7969px;">M</td><td class="align-center" style="height: 29.7969px;">MED</td><td class="align-center" style="height: 29.7969px;">Lower</td></tr><tr style="height: 29.7969px;"><td class="align-center" style="height: 29.7969px;">Pure</td><td class="align-center" style="height: 29.7969px;">P</td><td class="align-center" style="height: 29.7969px;">Paths</td><td class="align-center" style="height: 29.7969px;">eBGP vs iBGP</td></tr><tr style="height: 29.7969px;"><td class="align-center" style="height: 29.7969px;">Refreshment</td><td class="align-center" style="height: 29.7969px;">R</td><td class="align-center" style="height: 29.7969px;">Router-ID</td><td class="align-center" style="height: 29.7969px;">Lower</td></tr></tbody></table>

#### BGP Route Manipulation

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/Qkrimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/Qkrimage.png)

Scenario: Make the preferred path for the 20.0.0.0 network go through another router

R4(config)#ip prefix-list PREF20 permit 20.0.0.0/24  
R4(config)#route-map MAP20 permit 10  
R4(config-route-map)#match ip address prefix-list PREF20  
R4(config-route-map)#set ?

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/ipqimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/ipqimage.png)

R4(config-route-map)#set weight 999  
R4(config-route-map)#exit  
R4(config)#route-map MAP20 permit 20  
R4(config-route-map)#exit  
R4(config)#router bgp 65004  
R4(config-router)#neighbor 34.34.34.1 route-map MAP20 in  
R4(config-router)#end  
R4#clear ip bgp \*

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/4pbimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/4pbimage.png)

#### Summary of Route Manipulation Steps

<table border="1" id="bkmrk-create-a-prefix-list" style="border-collapse: collapse; width: 100%; height: 106.188px;"><colgroup><col style="width: 35.8467%;"></col><col style="width: 64.1533%;"></col></colgroup><tbody><tr style="height: 29.7969px;"><td style="height: 29.7969px;">**Create a prefix list**</td><td style="height: 29.7969px;">Router(config)#ip prefix-list \[list name\] permit \[network IP\]</td></tr><tr style="height: 29.7969px;"><td style="height: 29.7969px;">**Create a route map**</td><td style="height: 29.7969px;">Router(config)#route-map \[map name\] permit \[line #\]  
Router(config-route-map)#match ip address prefix-list \[list name\]

Router(config-route-map)#set weight \[value\]

</td></tr><tr style="height: 46.5938px;"><td style="height: 46.5938px;">**Apply the route map to BGP configuration**</td><td style="height: 46.5938px;">Router(config-router)#neighbor \[neighbor IP address\] route-map \[map name\] \[in/out\]</td></tr></tbody></table>
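To show how the attribute order summarised above decides a route, and why the weight set by the MAP20 route map wins over a shorter AS_path, here is an added Python model of the selection (not the page's or Cisco's code): a simplified comparison over the eight attributes in mnemonic order, with the candidate paths, next hops and router IDs constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}   # lower origin type is preferred


@dataclass
class Path:
    prefix: str
    next_hop: str
    weight: int = 0                 # Cisco specific, local to the router; higher wins
    local_pref: int = 100           # default 100; higher wins
    locally_originated: bool = False  # network/redistribute beats aggregate-address
    as_path: list = field(default_factory=list)  # shorter wins (count of ASes, not routers)
    origin: str = "igp"             # IGP < EGP < incomplete
    med: int = 0                    # lower wins
    ebgp: bool = True               # eBGP preferred over iBGP
    router_id: str = "0.0.0.0"      # lowest router ID is the final tie-break


def preference_key(p: Path) -> tuple:
    """Sort key in the W-L-O-A-O-M-P-R order; the smallest key is the best path.

    Attributes where *higher* is better are negated so that every component
    reads "lower is better".
    """
    return (
        -p.weight,
        -p.local_pref,
        0 if p.locally_originated else 1,
        len(p.as_path),
        ORIGIN_RANK[p.origin],
        p.med,
        0 if p.ebgp else 1,
        int(IPv4Address(p.router_id)),
    )


def best_path(paths: list) -> Path:
    if not paths:
        raise ValueError("no candidate paths")
    return min(paths, key=preference_key)


def deciding_attribute(a: Path, b: Path) -> str:
    """Name the first attribute on which the two candidates differ."""
    names = ["weight", "local_pref", "originate", "as_path",
             "origin", "med", "paths", "router_id"]
    for name, x, y in zip(names, preference_key(a), preference_key(b)):
        if x != y:
            return name
    return "tie"


# Constructed candidates for 20.0.0.0/24 (illustrative, not the lab's real table).
CANDIDATES = [
    Path("20.0.0.0/24", "34.34.34.1", as_path=[65003, 65002], router_id="3.3.3.3"),
    Path("20.0.0.0/24", "24.24.24.1", as_path=[65002], router_id="2.2.2.2"),
    # A locally set weight (like "set weight 999" in MAP20) beats a shorter AS_path.
    Path("20.0.0.0/24", "14.14.14.1", weight=999,
         as_path=[65001, 65003, 65002], router_id="1.1.1.1"),
]

if __name__ == "__main__":
    print("best via", best_path(CANDIDATES).next_hop)
    print("without the weight:", best_path(CANDIDATES[:2]).next_hop,
          "decided by", deciding_attribute(CANDIDATES[0], CANDIDATES[1]))
```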

#### BGP Transitive and Non-transitive Attributes

Transitive Attributes are those BGP attributes that are ALLOWED to be sent to other BGP peers. Non-transitive attributes are NOT allowed to be sent to other peers.

There are four categories of path attributes:

<table border="1" id="bkmrk-well-known-mandatory" style="border-collapse: collapse; width: 100%; height: 169.578px;"><colgroup><col style="width: 23.0248%;"></col><col style="width: 77.0988%;"></col></colgroup><tbody><tr style="height: 63.3906px;"><td style="height: 63.3906px;">**Well-known mandatory**</td><td style="height: 63.3906px;">This attribute MUST exist in the BGP UPDATE. If this attribute is missing a NOTIFICATION error is generated and the session is closed. Must be recognized by all BGP routers and must be included in every update message. Routing information errors occur without this attribute.</td></tr><tr style="height: 46.5938px;"><td style="height: 46.5938px;">**Well-known discretionary**</td><td style="height: 46.5938px;">Can be recognized by all BGP routers; can be included in every update message as needed.</td></tr><tr style="height: 29.7969px;"><td style="height: 29.7969px;">**Optional transitive**</td><td style="height: 29.7969px;">Transitive attribute between ASs. A BGP router not supporting this attribute can still receive routes with this attribute and advertise them to other peers.</td></tr><tr style="height: 29.7969px;"><td style="height: 29.7969px;">**Optional non-transitive**</td><td style="height: 29.7969px;">If a BGP router does not support this attribute, it will not advertise routes with this attribute.</td></tr></tbody></table>

<table border="1" id="bkmrk-bgp-path-attribute-c" style="border-collapse: collapse; width: 100%; height: 238.375px;"><colgroup><col style="width: 50.0618%;"></col><col style="width: 50.0618%;"></col></colgroup><tbody><tr style="height: 29.7969px;"><td class="align-center" style="height: 29.7969px;">**BGP Path Attribute**</td><td class="align-center" style="height: 29.7969px;">**Category**</td></tr><tr style="height: 29.7969px;"><td class="align-center" style="height: 29.7969px;">Weight</td><td class="align-center" style="height: 29.7969px;">Cisco specific local to router</td></tr><tr style="height: 29.7969px;"><td class="align-center" style="height: 29.7969px;">Local\_pref</td><td class="align-center" style="height: 29.7969px;">Well-known discretionary</td></tr><tr style="height: 29.7969px;"><td class="align-center" style="height: 29.7969px;">AS\_path</td><td class="align-center" style="height: 29.7969px;">Well-known mandatory</td></tr><tr style="height: 29.7969px;"><td class="align-center" style="height: 29.7969px;">Origin type</td><td class="align-center" style="height: 29.7969px;">Well-known mandatory</td></tr><tr style="height: 29.7969px;"><td class="align-center" style="height: 29.7969px;">MED</td><td class="align-center" style="height: 29.7969px;">Optional non-transitive</td></tr></tbody></table>

#### [Troubleshooting BGP](https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/22166-bgp-trouble-main.html)

# Cisco IOS Basic MPLS VPN

#### Network Topology

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/EXEimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/EXEimage.png)

#### What is MPLS?

Multiprotocol Label Switching (MPLS) is a type of data-carrying technique for high-performance telecommunications networks. It directs data from one network node to the next based on short path labels rather than long network addresses, avoiding complex lookups in a routing table. MPLS can provide better performance, security, and service-level agreements (SLAs) for data traffic. The MPLS protocol is used to create virtual private networks (VPNs) and traffic engineering (TE) networks. It is often used in service provider networks, but can also be used in enterprise networks. MPLS can be used to forward packets using labels, rather than routing them based on their IP addresses. This allows for faster forwarding decisions, because the label can be looked up quickly in a table. MPLS also allows for the creation of virtual links, which can be used to connect different networks together, even if they use different routing protocols.

Multiprotocol Label Switching (MPLS) can be used to create Virtual Private Networks (VPNs). A VPN is a private network that uses a public network (such as the Internet) to connect remote sites or users together. MPLS VPNs use MPLS labels to forward packets between sites, instead of routing them based on their IP addresses. This allows for more efficient and secure communications, as well as the ability to create different virtual networks for different customers or applications.

MPLS VPNs can be configured in different ways, such as:

- MPLS Layer 3 VPNs, which use MPLS to forward packets between sites based on their IP addresses. This allows for the creation of virtual networks that use the same IP addresses as the underlying public network.
- MPLS Layer 2 VPNs, which use MPLS to forward packets between sites based on their MAC addresses. This allows for the creation of virtual networks that use different MAC addresses than the underlying public network.

In both cases, MPLS VPNs use a technique called "VPN label" to identify the different VPNs and forward the packets to the correct destination. MPLS VPNs can also use security features such as encryption, to ensure that the data cannot be intercepted or tampered with while in transit.

MPLS VPNs are widely used by service providers to offer VPN services to their customers. They can also be used in enterprise networks to connect remote sites or branch offices together securely. It's also a good choice for interconnecting multiple sites of a large enterprise as it can provide high performance and better security compared to traditional VPN technologies.

#### MPLS vs SD-WAN

Multiprotocol Label Switching (MPLS) and Software-Defined WAN (SD-WAN) are both technologies used to connect remote sites or users together, but they have some key differences:

- MPLS is a type of data-carrying technique that directs data from one network node to the next based on short path labels rather than long network addresses. It is primarily used by service providers to offer VPN services to their customers and can also be used in enterprise networks to connect remote sites or branch offices together.
- SD-WAN, on the other hand, is a software-based approach to managing WAN connections. It allows for the use of multiple types of connections (such as broadband, cellular, or MPLS) and automatically chooses the best one for each application or user based on factors such as cost, quality, or security. SD-WAN also allows for better visibility and control over network traffic, as well as the ability to easily add or remove sites from the network.
- MPLS is typically more expensive than SD-WAN, but it offers better security, QoS and SLAs. On the other hand, SD-WAN is more flexible and cost-effective, but it may not provide the same level of security and performance as MPLS.
- MPLS is a more traditional approach that has been used for more than two decades while SD-WAN is a newer technology that uses software to manage network connections.
- MPLS is a Layer 3 technology while SD-WAN is a Layer 4-7 technology.

In summary, MPLS is a proven and reliable technology that is well-suited for organizations that require high levels of security and Quality of Service (QoS), while SD-WAN is a cost-effective and flexible option that is well-suited for organizations that need to connect multiple sites or users together in a dynamic way.

#### Configure the Interface Settings on All Routers and PCs (including Loopback Interfaces on Routers)

HQ&gt;enable  
HQ#configure terminal  
HQ(config)#interface gigabitEthernet g0/1  
HQ(config-if)#ip address 192.168.1.1 255.255.255.0  
HQ(config-if)#no shutdown  
HQ(config)#interface gigabitEthernet g0/3  
HQ(config-if)#ip address 192.168.0.1 255.255.255.0  
HQ(config-if)#no shutdown  
HQ(config-if)#exit  
HQ(config)#interface loopback 0  
HQ(config-if)#ip address 1.1.1.1 255.255.255.0  
HQ(config-if)#end

PE1&gt;enable  
PE1#configure terminal  
PE1(config)#interface gigabitEthernet g0/0  
PE1(config-if)#ip address 192.168.2.1 255.255.255.0  
PE1(config-if)#no shutdown  
PE1(config)#interface gigabitEthernet g0/1  
PE1(config-if)#ip address 192.168.1.2 255.255.255.0  
PE1(config-if)#no shutdown  
PE1(config-if)#exit  
PE1(config)#interface loopback 0  
PE1(config-if)#ip address 2.2.2.2 255.255.255.0  
PE1(config-if)#end

PR&gt;enable  
PR#configure terminal  
PR(config)#interface gigabitEthernet g0/0  
PR(config-if)#ip address 192.168.2.2 255.255.255.0  
PR(config-if)#no shutdown  
PR(config)#interface gigabitEthernet g0/1  
PR(config-if)#ip address 192.168.3.1 255.255.255.0  
PR(config-if)#no shutdown  
PR(config-if)#exit  
PR(config)#interface loopback 0  
PR(config-if)#ip address 3.3.3.3 255.255.255.0  
PR(config-if)#end

PE2&gt;enable  
PE2#configure terminal  
PE2(config)#interface gigabitEthernet g0/0  
PE2(config-if)#ip address 192.168.4.1 255.255.255.0  
PE2(config-if)#no shutdown  
PE2(config)#interface gigabitEthernet g0/1  
PE2(config-if)#ip address 192.168.3.2 255.255.255.0  
PE2(config-if)#no shutdown  
PE2(config-if)#exit  
PE2(config)#interface loopback 0  
PE2(config-if)#ip address 4.4.4.4 255.255.255.0  
PE2(config-if)#end

BO&gt;enable  
BO#configure terminal  
BO(config)#interface gigabitEthernet g0/0  
BO(config-if)#ip address 192.168.4.2 255.255.255.0  
BO(config-if)#no shutdown  
BO(config-if)#interface gigabitEthernet g0/3  
BO(config-if)#ip address 192.168.5.1 255.255.255.0  
BO(config-if)#no shutdown  
BO(config-if)#exit  
BO(config)#interface loopback 0  
BO(config-if)#ip address 5.5.5.5 255.255.255.0  
BO(config-if)#end

HQPC1&gt;ip 192.168.0.10/24 192.168.0.1

BOPC1&gt;ip 192.168.5.10/24 192.168.5.1

#### Setup OSPF Topology for the Provider Edge Routers (PE1 and PE2) and Provider Backbone Router (PR)

PE1&gt;enable  
PE1#configure terminal  
PE1(config)#router ospf 1  
PE1(config-router)#network 192.168.2.0 0.0.0.255 area 0  
PE1(config-router)#network 2.2.2.0 0.0.0.255 area 0  
PE1(config-router)#passive-interface gigabitEthernet 0/1

PR&gt;enable  
PR#configure terminal  
PR(config)#router ospf 1  
PR(config-router)#network 192.168.2.0 0.0.0.255 area 0  
PR(config-router)#network 192.168.3.0 0.0.0.255 area 0  
PR(config-router)#network 3.3.3.0 0.0.0.255 area 0

PE2&gt;enable  
PE2#configure terminal  
PE2(config)#router ospf 1  
PE2(config-router)#network 192.168.3.0 0.0.0.255 area 0  
PE2(config-router)#network 4.4.4.0 0.0.0.255 area 0  
PE2(config-router)#passive-interface gigabitEthernet 0/0

#### Setup MPLS on the Provider Router Interfaces <span style="text-decoration: underline;">DO NOT</span> Include the Interfaces Facing the Customer Routers (HQ and BO) on PE1 and PE2

PE1&gt;enable  
PE1#configure terminal  
PE1(config)#interface gigabitEthernet 0/0  
PE1(config-if)#mpls ip

PR&gt;enable  
PR#configure terminal  
PR(config)#interface gigabitEthernet 0/0  
PR(config-if)#mpls ip  
PR(config)#interface gigabitEthernet 0/1  
PR(config-if)#mpls ip

PE2&gt;enable  
PE2#configure terminal  
PE2(config)#interface gigabitEthernet 0/1  
PE2(config-if)#mpls ip

\*You should see a message on the console about the LDP Neighbor switching to a status of UP.

Now let's take a look at the Loopback interfaces by entering the command **show mpls forwarding-table**.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/H4Gimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/H4Gimage.png)

The mask shown for the Loopback interfaces is reported incorrectly, so we need to fix this. OSPF advertises a loopback as a host route (/32) regardless of its configured mask unless the interface's OSPF network type is changed to point-to-point.

PE1(config)#interface loopback 0  
PE1(config-if)#ip ospf network point-to-point

PR(config)#interface loopback 0  
PR(config-if)#ip ospf network point-to-point

PE2(config)#interface loopback 0  
PE2(config-if)#ip ospf network point-to-point

Check the MPLS forwarding table again to confirm that the mask on the Loopback is now correct.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/fd3image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/fd3image.png)

Looks good. The loopback interfaces now have the correct subnet mask of /24.

One more thing: let's manually force the MPLS LDP router-id to be the Loopback 0 interface IP.

PE1(config)#mpls ldp router-id loopback 0

PR(config)#mpls ldp router-id loopback 0

PE2(config)#mpls ldp router-id loopback 0

#### Setup Virtual Routing and Forwarding (VRF) for the Customer

PE1&gt;enable  
PE1#configure terminal  
PE1(config)#ip vrf CUSTOMER  
PE1(config-vrf)#rd 100:1  
PE1(config-vrf)#route-target both 1:100  
PE1(config-vrf)#exit  
PE1(config)#interface gigabitEthernet 0/1  
PE1(config-if)#ip vrf forwarding CUSTOMER

After setting the vrf on the interface the IP address will be removed and you will have to re-configure it.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/Ic8image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/Ic8image.png)

PE1(config-if)#ip address 192.168.1.2 255.255.255.0

Now setup the VRF on router PE2 the same way.

PE2&gt;enable  
PE2#configure terminal  
PE2(config)#ip vrf CUSTOMER  
PE2(config-vrf)#rd 100:1  
PE2(config-vrf)#route-target both 1:100  
PE2(config-vrf)#exit  
PE2(config)#interface gigabitEthernet 0/0  
PE2(config-if)#ip vrf forwarding CUSTOMER

And don't forget to re-enter the IP configuration for the interface after.

PE2(config-if)#ip address 192.168.4.1 255.255.255.0

After setting up the VRF you will not be able to ping the interface on the HQ router (192.168.1.1). This is because just using a regular ping without designating the VRF will use the global routing table instead of the virtual routing table for the CUSTOMER VRF. Instead, you have to designate the VRF in the ping command as follows **ping vrf CUSTOMER 192.168.1.1**

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/IK1image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/IK1image.png)
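As an added example (not from the page or from Cisco), the Python below encodes the `rd 100:1` and `route-target both 1:100` values used above into their on-the-wire forms (RFC 4364 type-0 route distinguisher and VPN-IPv4 NLRI, RFC 4360 route target extended community) and shows how the route target decides whether PE2's CUSTOMER VRF imports a VPNv4 route. The label values and the second customer's RD are constructed for the example.

```python
import struct
from ipaddress import IPv4Network


def encode_rd(text: str) -> bytes:
    """'100:1' -> 8-byte type-0 RD: 2-byte type (0), 2-byte ASN, 4-byte number."""
    asn, num = (int(x) for x in text.split(":"))
    return struct.pack("!HHI", 0, asn, num)


def decode_rd(raw: bytes) -> str:
    rd_type, asn, num = struct.unpack("!HHI", raw)
    if rd_type != 0:
        raise ValueError(f"only type-0 (ASN:nn) RDs are handled here, got type {rd_type}")
    return f"{asn}:{num}"


def encode_rt(text: str) -> bytes:
    """'1:100' -> 8-byte route target extended community (type 0x00, subtype 0x02)."""
    asn, num = (int(x) for x in text.split(":"))
    return struct.pack("!BBHI", 0x00, 0x02, asn, num)


def decode_rt(raw: bytes) -> str:
    ctype, subtype, asn, num = struct.unpack("!BBHI", raw)
    if (ctype, subtype) != (0x00, 0x02):
        raise ValueError("not a two-octet-AS route target")
    return f"{asn}:{num}"


def encode_vpnv4_nlri(label: int, rd: str, prefix: str) -> bytes:
    """Labelled VPN-IPv4 NLRI: length in bits, 3-byte label (BoS set), RD, prefix."""
    net = IPv4Network(prefix)
    prefix_bytes = net.network_address.packed[: (net.prefixlen + 7) // 8]
    length_bits = 24 + 64 + net.prefixlen           # label + RD + prefix
    label_field = ((label << 4) | 1).to_bytes(3, "big")  # exp=0, bottom-of-stack=1
    return bytes([length_bits]) + label_field + encode_rd(rd) + prefix_bytes


def decode_vpnv4_nlri(raw: bytes) -> dict:
    length_bits = raw[0]
    label_field = int.from_bytes(raw[1:4], "big")
    rd = decode_rd(raw[4:12])
    prefixlen = length_bits - 88                    # strip the 24 label + 64 RD bits
    nbytes = (prefixlen + 7) // 8
    addr = raw[12:12 + nbytes].ljust(4, b"\x00")
    return {"label": label_field >> 4, "rd": rd,
            "prefix": str(IPv4Network((addr, prefixlen)))}


def vrf_imports(import_rts: set, route_rts: list) -> bool:
    """A VRF imports a VPNv4 route if any RT carried by the route is in its import list."""
    return any(decode_rt(rt) in import_rts for rt in route_rts)


# Constructed inputs (not a capture): what PE2 would see arriving from PE1.
CUSTOMER_IMPORT = {"1:100"}                         # from "route-target both 1:100"
HQ_LAN = encode_vpnv4_nlri(label=16, rd="100:1", prefix="192.168.0.0/24")
# Same IPv4 prefix under another customer's RD is a different VPNv4 route.
OTHER_CUSTOMER = encode_vpnv4_nlri(label=17, rd="100:2", prefix="192.168.0.0/24")

if __name__ == "__main__":
    print("RD 100:1 =", encode_rd("100:1").hex())
    print("RT 1:100 =", encode_rt("1:100").hex())
    print(decode_vpnv4_nlri(HQ_LAN))
    print("CUSTOMER imports HQ LAN:", vrf_imports(CUSTOMER_IMPORT, [encode_rt("1:100")]))
    print("CUSTOMER imports RT 1:200:", vrf_imports(CUSTOMER_IMPORT, [encode_rt("1:200")]))
```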

#### Configure Dynamic Routing Protocols

##### EIGRP

HQ&gt;enable  
HQ#configure terminal  
HQ(config)#router eigrp 100  
HQ(config-router)#network 192.168.0.0  
HQ(config-router)#network 192.168.1.0  
HQ(config-router)#network 1.1.1.0  
HQ(config-router)#no auto-summary

BO&gt;enable  
BO#configure terminal  
BO(config)#router eigrp 100  
BO(config-router)#network 192.168.4.0  
BO(config-router)#network 192.168.5.0  
BO(config-router)#network 5.5.5.0  
BO(config-router)#no auto-summary

PE1&gt;enable  
PE1#configure terminal  
PE1(config)#router eigrp 1  
PE1(config-router)#address-family ipv4 vrf CUSTOMER  
PE1(config-router-af)#autonomous-system 100  
PE1(config-router-af)#network 192.168.1.0  
PE1(config-router-af)#no auto-summary

You should see the EIGRP adjacency message pop up.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/PbCimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/PbCimage.png)

PE2&gt;enable  
PE2#configure terminal  
PE2(config)#router eigrp 1  
PE2(config-router)#address-family ipv4 vrf CUSTOMER  
PE2(config-router-af)#autonomous-system 100  
PE2(config-router-af)#network 192.168.4.0  
PE2(config-router-af)#no auto-summary

In order to show the EIGRP neighbors from the Provider Edge Routers (PE1 and PE2) keep in mind you have to include the vrf in the command **show ip eigrp vrf CUSTOMER neighbors.**

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/ZNKimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/ZNKimage.png)

We can also check the routing tables from the Provider routers, but again remember to include the correct VRF designation. **show ip route vrf CUSTOMER**

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/qDMimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/qDMimage.png)

As can be seen above, the PE1 Provider Edge Router has learned about the Loopback interface IP of the HQ router as well as the LAN network 192.168.0.0. Notice also that I can ping HQPC1 from the gigabitEthernet 0/1 interface of PE1 but not from gigabitEthernet 0/0.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/7O2image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/7O2image.png)

This is as expected because the 0/1 interface is participating in the VRF and knows about the virtual routing table pointing to HQ while the 0/0 interface is not part of the VRF.

##### iBGP (Internal)

PE1&gt;enable  
PE1#configure terminal  
PE1(config)#router bgp 1  
PE1(config-router)#neighbor 4.4.4.4 remote-as 1  
PE1(config-router)#neighbor 4.4.4.4 update-source loopback 0

PE2&gt;enable  
PE2#configure terminal  
PE2(config)#router bgp 1  
PE2(config-router)#neighbor 2.2.2.2 remote-as 1  
PE2(config-router)#neighbor 2.2.2.2 update-source loopback 0

You should see the BGP neighbor messages on PE1 and PE2 like below.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/zIeimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/zIeimage.png)

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/sy0image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/sy0image.png)

Now that the iBGP session is up we still need to activate the VPNv4 address family for the neighbor and make sure communities are sent. In an MPLS VPN the route target that decides which VRF a route is imported into travels as a BGP *extended* community, so the VPNv4 neighbor must be configured with **send-community extended**; **send-community both** sends standard communities as well and is the usual choice. The command only controls what the router sends to that peer (received communities are always accepted), so it has to be present on both PE routers. If it is missing, the peer still receives the VPNv4 prefixes but without their route targets and will not import them into the CUSTOMER VRF, which shows up as missing remote routes in **show ip route vrf CUSTOMER** on the far side even though the BGP session is established.

PE1(config)#router bgp 1  
PE1(config-router)#address-family vpnv4  
PE1(config-router-af)#neighbor 4.4.4.4 activate  
PE1(config-router-af)#neighbor 4.4.4.4 send-community both

PE2(config)#router bgp 1  
PE2(config-router)#address-family vpnv4  
PE2(config-router-af)#neighbor 2.2.2.2 activate  
PE2(config-router-af)#neighbor 2.2.2.2 send-community both
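As an added example (not part of the original lab), the following Python shows what **send-community extended** actually carries on the wire: a route target is an 8-byte BGP extended community (RFC 4360), and the receiving PE imports a VPNv4 route into a VRF only if one of the route's RTs matches the VRF's import list. The RT values used (1:100 and an IPv4-form 2.2.2.2:7) are illustrative and are not the ones configured for the CUSTOMER VRF in this lab.

```python
"""Encode/decode the BGP extended communities that carry MPLS VPN route
targets (RFC 4360 types 0x00 and 0x01, sub-type 0x02).
Added example for this page; the RT values are illustrative."""
import struct
from ipaddress import IPv4Address

SUBTYPE_ROUTE_TARGET = 0x02


def encode_rt(admin, assigned):
    """Return the 8-byte Route Target community admin:assigned.

    admin as int -> two-octet-AS form (type 0x00): 2-byte AS, 4-byte number
    admin as str -> IPv4-address form (type 0x01): 4-byte IP, 2-byte number
    """
    if isinstance(admin, int):
        if not (0 <= admin <= 0xFFFF and 0 <= assigned <= 0xFFFFFFFF):
            raise ValueError("AS-specific RT out of range")
        return struct.pack("!BBHI", 0x00, SUBTYPE_ROUTE_TARGET, admin, assigned)
    if not 0 <= assigned <= 0xFFFF:
        raise ValueError("IPv4-specific RT number must fit in 16 bits")
    return struct.pack("!BB4sH", 0x01, SUBTYPE_ROUTE_TARGET,
                       IPv4Address(admin).packed, assigned)


def decode_ext_communities(attr):
    """Decode an EXTENDED_COMMUNITIES attribute value into IOS-style strings.

    RTs come out as 'RT:asn:number' or 'RT:a.b.c.d:number'; anything else is
    kept as 'type:subtype:hex' so no attribute is silently dropped.
    """
    if len(attr) % 8:
        raise ValueError("extended community length must be a multiple of 8")
    out = []
    for off in range(0, len(attr), 8):
        chunk = attr[off:off + 8]
        # Bits 0x80 (IANA authority) and 0x40 (non-transitive) are flags;
        # the low six bits select the encoding of the remaining six bytes.
        high, sub = chunk[0] & 0x3F, chunk[1]
        if sub == SUBTYPE_ROUTE_TARGET and high == 0x00:
            asn, num = struct.unpack("!HI", chunk[2:])
            out.append(f"RT:{asn}:{num}")
        elif sub == SUBTYPE_ROUTE_TARGET and high == 0x01:
            addr, num = struct.unpack("!4sH", chunk[2:])
            out.append(f"RT:{IPv4Address(addr)}:{num}")
        else:
            out.append(f"{chunk[0]:#04x}:{sub:#04x}:{chunk[2:].hex()}")
    return out


def vrf_imports(route_rts, import_rts):
    """A PE imports a VPNv4 route into a VRF only if an RT matches its import list."""
    return bool(set(route_rts) & set(import_rts))


def demo():
    """Same route as seen with and without 'send-community extended' on the sender."""
    attr = encode_rt(1, 100) + encode_rt("2.2.2.2", 7)   # illustrative RTs
    rts = decode_ext_communities(attr)
    with_send = vrf_imports(rts, ["RT:1:100"])
    # Without send-community the attribute is simply absent at the receiver.
    without_send = vrf_imports(decode_ext_communities(b""), ["RT:1:100"])
    return rts, with_send, without_send


if __name__ == "__main__":
    print(demo())
```

The `demo()` function returns the decoded RT list together with the two import decisions: `True` when the extended communities arrive, `False` when the sender strips them. That second case is exactly what a missing **send-community** looks like from the importing PE's point of view.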

#### Redistribute Protocols

##### BGP into EIGRP

EIGRP needs a seed metric for routes it learns by redistribution. The five values after **metric** are bandwidth (Kbit/s), delay (tens of microseconds), reliability (1 to 255), load (1 to 255) and MTU (bytes); without a **metric** here or a **default-metric** in the address family, the BGP routes would not be redistributed into EIGRP at all.

PE1#configure terminal  
PE1(config)#router eigrp 1  
PE1(config-router)#address-family ipv4 vrf CUSTOMER  
PE1(config-router-af)#redistribute bgp 1 metric 1500 4000 200 10 1500

PE2#configure terminal  
PE2(config)#router eigrp 1  
PE2(config-router)#address-family ipv4 vrf CUSTOMER  
PE2(config-router-af)#redistribute bgp 1 metric 1500 4000 200 10 1500

##### EIGRP into BGP

PE1#configure terminal  
PE1(config)#router bgp 1  
PE1(config-router)#address-family ipv4 vrf CUSTOMER  
PE1(config-router-af)#redistribute eigrp 100

PE2#configure terminal  
PE2(config)#router bgp 1  
PE2(config-router)#address-family ipv4 vrf CUSTOMER  
PE2(config-router-af)#redistribute eigrp 100

#### Verify Configuration

HQPC1&gt;ping 192.168.5.10

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/TRkimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/TRkimage.png)

BOPC1&gt;ping 192.168.0.10

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/4cgimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/4cgimage.png)

HQ# show ip eigrp topology

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/Aqdimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/Aqdimage.png)

HQ#show ip route

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/pCoimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/pCoimage.png)

PE1#show ip vrf

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/xrIimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/xrIimage.png)

PE1#show ip vrf interfaces

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/J6Zimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/J6Zimage.png)

PE1#show ip route vrf CUSTOMER

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/1xsimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/1xsimage.png)

PE1#traceroute vrf CUSTOMER 192.168.5.10

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/5NRimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/5NRimage.png)

PE1#show mpls interfaces

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/1GUimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/1GUimage.png)

PE1#show mpls forwarding-table

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/4fzimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/4fzimage.png)

PE1#show mpls ldp bindings

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/Cxfimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/Cxfimage.png)

PE1#show mpls ldp neighbor

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/Jlyimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/Jlyimage.png)

PE1#show bgp vpnv4 unicast all summary

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/d9nimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/d9nimage.png)

PE1#show bgp vpnv4 unicast all neighbor 4.4.4.4 advertised-routes

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/tdtimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/tdtimage.png)

PE1#show bgp vpnv4 unicast all neighbor 4.4.4.4 routes

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/z6Ximage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/z6Ximage.png)

#### [Reference for Commands](https://www.cisco.com/c/en/us/support/docs/multiprotocol-label-switching-mpls/mpls/13733-mpls-vpn-basic.html)

#### GNS3 File

[basic mpls.gns3](https://bookstack.taylorhome.run/attachments/17)

# Cisco IOS Configure Router as DHCP Server

#### Network Lab Topology

[![CiscoRouterDHCP.png](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/scaled-1680-/ciscorouterdhcp.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/ciscorouterdhcp.png)

#### Router0 Configuration Commands

Router0&gt;enable  
Router0#configure terminal  
Router0(config)# interface fastEthernet 0/0  
Router0(config-if)#ip address 192.168.10.1 255.255.255.0  
Router0(config-if)#no shutdown  
Router0(config-if)#exit  
Router0(config)#service dhcp  
Router0(config)#ip dhcp pool MAIN-POOL  
Router0(dhcp-config)#network 192.168.10.0 255.255.255.0  
Router0(dhcp-config)#default-router 192.168.10.1  
Router0(dhcp-config)#dns-server 192.168.10.2  
Router0(dhcp-config)#exit  
Router0(config)#ip dhcp excluded-address 192.168.10.1 192.168.10.10

#### Cisco Packet Tracer File

[net2 router dhcp.pkt](https://bookstack.taylorhome.run/attachments/2)

# Cisco IOS Configure DHCP Relay with IP Helper Address

#### Network Topology

[![dhcprelaytopo.pkt.png](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/scaled-1680-/dhcprelaytopo-pkt.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/dhcprelaytopo-pkt.png)

#### Router1 Configuration Commands

Router1&gt;enable  
Router1#configure terminal  
Router1(config)# interface fastEthernet 0/0  
Router1(config-if)#ip address 172.16.1.1 255.255.255.0  
Router1(config-if)#no shutdown  
Router1(config-if)#exit  
Router1(config)#service dhcp  
Router1(config)#ip dhcp pool MAIN-POOL  
Router1(dhcp-config)#network 192.168.10.0 255.255.255.0  
Router1(dhcp-config)#default-router 192.168.10.1  
Router1(dhcp-config)#dns-server 192.168.10.2  
Router1(dhcp-config)#exit  
Router1(config)#ip dhcp excluded-address 192.168.10.1 192.168.10.10  
Router1(config)#ip route 192.168.10.0 255.255.255.0 172.16.1.2

#### Router0 Configuration Commands

Router0&gt;enable  
Router0#configure terminal  
Router0(config)# interface fastEthernet 0/1  
Router0(config-if)#ip address 172.16.1.2 255.255.255.0  
Router0(config-if)#no shutdown  
Router0(config-if)#interface fastEthernet 0/0  
Router0(config-if)#ip address 192.168.10.1 255.255.255.0  
Router0(config-if)#ip helper-address 172.16.1.1  
Router0(config-if)#no shutdown

#### Router1 DHCP Commands

Router1&gt;enable  
Router1#show ip dhcp pool MAIN-POOL

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/scaled-1680-/image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/image.png)

Router1#show ip dhcp binding

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/scaled-1680-/SJLimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/SJLimage.png)

#### Cisco Packet Tracer File

[net4 dhcp relay.pkt](https://bookstack.taylorhome.run/attachments/3)

# Cisco IOS Configure Router as DNS Server

#### Network Topology

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/scaled-1680-/Ldtimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2022-12/Ldtimage.png)

To create this topology I used GNS3 instead of Cisco Packet Tracer, because Packet Tracer routers do not simulate the **ip dns server** command. In the network above Router0 is configured as a DNS server. Through its configuration I wanted to demonstrate not only that the router can resolve local hosts on the network, but also that queries Router0 cannot answer itself can be forwarded to a real DNS server on the Internet: Router0 forwards unknown requests to the Cloudflare and APNIC resolver at 1.1.1.1. I also decided to use a real Windows Server 2016 appliance in the topology. I could just as easily have used another VPCS or QEMU device, but it gave me an opportunity to revisit GNS3 Windows appliances. Using a router as the DNS server is not best practice, but it can be done, as this shows. One thing to keep in mind is that **ip dns server** answers queries arriving on any interface, so a router with an Internet-facing interface becomes an open resolver (usable for amplification attacks) unless an access list blocks inbound UDP and TCP port 53 on that interface.

#### Router0 Configuration Commands

Router0&gt;enable  
Router0#configure terminal  
Router0(config)# interface gigabitEthernet 0/0  
Router0(config-if)#ip address 192.168.10.1 255.255.255.0  
Router0(config-if)#no shutdown  
Router0(config-if)#interface gigabitEthernet 0/1  
Router0(config-if)#ip address 172.16.1.1 255.255.255.248  
Router0(config-if)#no shutdown  
Router0(config-if)#exit  
Router0(config)#ip dns server  
Router0(config)#ip domain-name local  
Router0(config)#ip name-server 1.1.1.1  
Router0(config)# ip host fileserver.local 192.168.10.2  
Router0(config)# ip host pc1.local 192.168.10.3  
Router0(config)# ip host pc2.local 192.168.10.4  
Router0(config)# ip host router0.local 192.168.10.1  
Router0(config)# ip host router1.local 172.16.1.2  
Router0(config)# ip host router2.local 172.16.2.1  
Router0(config)# ip default-network 192.168.2.0  
Router0(config)# router ospf 1  
Router0(config-router)# network 172.16.1.0 0.0.0.7 area 0  
Router0(config-router)# network 192.168.10.0 0.0.0.255 area 0

#### Router1 Configuration Commands

Router1&gt;enable  
Router1#configure terminal  
Router1(config)# interface gigabitEthernet 0/0  
Router1(config-if)#ip address 172.16.1.2 255.255.255.248  
Router1(config-if)#no shutdown  
Router1(config-if)#interface gigabitEthernet 0/1  
Router1(config-if)#ip address 172.16.2.2 255.255.255.248  
Router1(config-if)#no shutdown  
Router1(config-if)#exit  
Router1(config)#ip name-server 172.16.1.1  
Router1(config)# ip default-network 192.168.2.0  
Router1(config)# router ospf 1  
Router1(config-router)# network 172.16.1.0 0.0.0.7 area 0  
Router1(config-router)# network 172.16.2.0 0.0.0.7 area 0

#### Router2 Configuration Commands

Router2&gt;enable  
Router2#configure terminal  
Router2(config)# interface gigabitEthernet 0/0  
Router2(config-if)#ip address dhcp  
Router2(config-if)#no shutdown  
Router2(config-if)#ip nat outside  
Router2(config-if)#interface gigabitEthernet 0/1  
Router2(config-if)#ip address 172.16.2.1 255.255.255.248  
Router2(config-if)#no shutdown  
Router2(config-if)#ip nat inside  
Router2(config-if)#exit  
Router2(config)#ip nat inside source list 1 interface gigabitEthernet0/0 overload  
Router2(config)#access-list 1 permit any  
Router2(config)# router ospf 1  
Router2(config-router)# network 192.168.2.0 0.0.0.255 area 0  
Router2(config-router)# network 172.16.2.0 0.0.0.7 area 0

NAT on Router2 lets the lab network reach my physical network and, through the GNS3 cloud object, the Internet; I did this to demonstrate the DNS forwarder on Router0 to 1.1.1.1. The address on gigabitEthernet 0/0 is obtained by DHCP from my network's DHCP server, which also installs the gateway of last resort automatically. You could use a static address instead, but then remember to configure a default route yourself. Note that **access-list 1 permit any** selects every inside source for translation; that is fine in the lab but should be narrowed to the inside subnets in a real deployment.

#### Check DNS (a few ping examples)

PC1&gt;ping fileserver.local

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/image.png)

PC1&gt;ping router2.local

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/B9zimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/B9zimage.png)

PC1&gt;ping www.google.com

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/NDUimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/NDUimage.png)

Check the configured DNS Hosts on Router0

Router0#show hosts

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/30qimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/30qimage.png)

#### GNS3 File

[net11 cisco router dns server.gns3](https://bookstack.taylorhome.run/attachments/6)

# Cisco IOS VRF-Lite

#### Network Topology

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/Lvsimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/Lvsimage.png)

#### Difference Between VRF and VRF-Lite Explained

VRF (Virtual Routing and Forwarding) and VRF-Lite (also called Multi-VRF CE) both create multiple independent routing tables on a single physical router, so that interfaces assigned to different VRFs cannot reach each other unless a route is deliberately leaked between them.

The difference is in what surrounds the VRFs. In a service provider MPLS L3VPN, as in the previous lab, the VRFs on the PE routers are stitched together across the core with MPLS labels and MP-BGP (VPNv4 routes carrying route distinguishers and route targets), so many customers share the provider infrastructure while keeping separate, isolated routing domains. VRF-Lite uses the same **ip vrf** and **ip vrf forwarding** configuration on a router or Layer 3 switch, but without MPLS or MP-BGP: each VRF is kept separate hop by hop with dedicated physical interfaces or 802.1Q sub-interfaces and its own routing protocol instance. That makes it the common way to segment an enterprise or data-center network into logical networks on one physical infrastructure.

In summary, VRF with MPLS is the service provider case, and VRF-Lite is the enterprise case where no MPLS core exists.

#### Scenario

Company A has just completed an M&amp;A process and acquired Company B. As part of the post-acquisition integration the decision was made to move Company B's IT equipment into the datacenter hosting facility used by Company A. However, some critical elements of Company B, such as network addressing and routing, cannot be changed immediately and must stay in place. At least in the near to medium term, Company B's Accounting and Finance systems must be kept separate and secured from the rest of the overall company network while still being reachable by authorized users and their computers. Additionally, it was discovered that Company B uses the same subnet as Company A for the uplink to its main router, which further complicates the plan to consolidate the topology onto just one main router (HQ\_DC). However, you have a plan: VRF-Lite plus some VLAN architecture solves both challenges.

#### Configuration

These configuration steps will demonstrate the configuration for both Company A and Company B for completeness. Obviously in the scenario much of Company A's infrastructure configuration would already be done.

##### CompanyA Router

CompanyA&gt;enable  
CompanyA#configure terminal  
CompanyA(config)#interface gigabitEthernet 0/3  
CompanyA(config-if)#ip address 192.168.10.1 255.255.255.0  
CompanyA(config-if)#no shutdown  
CompanyA(config-if)#interface gigabitEthernet 0/0  
CompanyA(config-if)#ip address 172.16.0.1 255.255.255.252  
CompanyA(config-if)#no shutdown  
CompanyA(config-if)#exit  
CompanyA(config)#router eigrp 100  
CompanyA(config-router)#network 0.0.0.0 0.0.0.0  
CompanyA(config-router)#no auto-summary  
CompanyA(config-router)#end

##### CompanyB Router

CompanyB&gt;enable  
CompanyB#configure terminal  
CompanyB(config)#interface gigabitEthernet 0/3  
CompanyB(config-if)#ip address 192.168.20.1 255.255.255.0  
CompanyB(config-if)#no shutdown  
CompanyB(config-if)#interface gigabitEthernet 0/0  
CompanyB(config-if)#ip address 172.16.0.1 255.255.255.252  
CompanyB(config-if)#no shutdown  
CompanyB(config-if)#exit  
CompanyB(config)#router eigrp 100  
CompanyB(config-router)#network 0.0.0.0 0.0.0.0  
CompanyB(config-router)#no auto-summary  
CompanyB(config-router)#end

##### HQ\_DC Router

HQ\_DC&gt;enable  
HQ\_DC#configure terminal  
HQ\_DC(config)#ip vrf COMPANYA  
HQ\_DC(config-vrf)#exit  
HQ\_DC(config)#ip vrf COMPANYB  
HQ\_DC(config-vrf)#exit  
HQ\_DC(config)#interface gigabitEthernet 0/0  
HQ\_DC(config-if)#description COMPANYA main circuit  
HQ\_DC(config-if)#ip vrf forwarding COMPANYA  
HQ\_DC(config-if)#ip address 172.16.0.2 255.255.255.252  
HQ\_DC(config-if)#no shutdown  
HQ\_DC(config-if)#exit  
HQ\_DC(config)#interface gigabitEthernet 0/1  
HQ\_DC(config-if)#description COMPANYB main circuit  
HQ\_DC(config-if)#ip vrf forwarding COMPANYB  
HQ\_DC(config-if)#ip address 172.16.0.2 255.255.255.252  
HQ\_DC(config-if)#no shutdown  
HQ\_DC(config-if)#exit  
HQ\_DC(config)#interface gigabitEthernet 0/2  
HQ\_DC(config-if)#no shutdown  
HQ\_DC(config-if)#interface gigabitEthernet 0/2.100  
HQ\_DC(config-subif)#description COMPANYA dc circuit  
HQ\_DC(config-subif)#encapsulation dot1q 100  
HQ\_DC(config-subif)#ip vrf forwarding COMPANYA  
HQ\_DC(config-subif)#ip address 192.168.100.1 255.255.255.0  
HQ\_DC(config-subif)#interface gigabitEthernet 0/2.200  
HQ\_DC(config-subif)#description COMPANYB dc circuit  
HQ\_DC(config-subif)#encapsulation dot1q 200  
HQ\_DC(config-subif)#ip vrf forwarding COMPANYB  
HQ\_DC(config-subif)#ip address 192.168.200.1 255.255.255.0  
HQ\_DC(config-subif)#exit  
HQ\_DC(config)#router eigrp 1  
HQ\_DC(config-router)#address-family ipv4 vrf COMPANYA  
HQ\_DC(config-router-af)#network 0.0.0.0 0.0.0.0  
HQ\_DC(config-router-af)#autonomous-system 100  
HQ\_DC(config-router-af)#no auto-summary  
HQ\_DC(config-router-af)#exit  
HQ\_DC(config-router)#address-family ipv4 vrf COMPANYB  
HQ\_DC(config-router-af)#network 0.0.0.0 0.0.0.0  
HQ\_DC(config-router-af)#autonomous-system 100  
HQ\_DC(config-router-af)#no auto-summary

Two details matter in this listing. First, the order: **ip vrf forwarding** is entered before **ip address**, because assigning an interface to a VRF removes any IPv4 address already configured on it (IOS prints a warning to that effect), so doing it the other way round leaves the interface without an address. Second, both uplinks carry 172.16.0.2/30; IOS accepts that only because each one lives in a different VRF, and the sub-interfaces on gigabitEthernet 0/2 keep the two data-center VLANs in those same two tables.
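The following Python is an added check, not part of the lab files: it parses the interface section of an IOS configuration and reports overlapping connected subnets per routing table. The same subnet in two different VRFs (the 172.16.0.0/30 uplinks above) is reported as isolated, an overlap inside one VRF is a conflict, and addressed interfaces left in the global table are listed for review because they sit outside the VRF separation. The sample configuration is constructed from the HQ\_DC listing above with two deliberate mistakes added (a Loopback0 in COMPANYB that overlaps gigabitEthernet 0/1, and a gigabitEthernet 0/3 carrying a COMPANYB subnet with no VRF).

```python
"""Report overlapping connected subnets per routing table in an IOS config.

Added example for this page, not part of the lab files.  Only the
'interface', 'ip vrf forwarding' and 'ip address' lines are parsed."""
import re
from ipaddress import IPv4Interface

# Constructed from the HQ_DC listing, in 'show running-config' form, plus two
# deliberate mistakes: Loopback0 overlaps Gi0/1 inside COMPANYB, and Gi0/3
# carries a COMPANYB subnet but was never put in a VRF.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 description COMPANYA main circuit
 ip vrf forwarding COMPANYA
 ip address 172.16.0.2 255.255.255.252
interface GigabitEthernet0/1
 description COMPANYB main circuit
 ip vrf forwarding COMPANYB
 ip address 172.16.0.2 255.255.255.252
interface GigabitEthernet0/2.100
 encapsulation dot1Q 100
 ip vrf forwarding COMPANYA
 ip address 192.168.100.1 255.255.255.0
interface GigabitEthernet0/2.200
 encapsulation dot1Q 200
 ip vrf forwarding COMPANYB
 ip address 192.168.200.1 255.255.255.0
interface GigabitEthernet0/3
 ip address 192.168.200.1 255.255.255.0
interface Loopback0
 ip vrf forwarding COMPANYB
 ip address 172.16.0.1 255.255.255.252
"""

GLOBAL = "global"   # name used here for interfaces with no 'ip vrf forwarding'


def parse_interfaces(config):
    """Return {interface: (vrf, IPv4Interface)} for every addressed interface."""
    result = {}
    name = vrf = addr = None
    # The sentinel line flushes the last real interface block.
    for line in config.splitlines() + ["interface END"]:
        if line.startswith("interface "):
            if name and addr:
                result[name] = (vrf or GLOBAL, addr)
            name, vrf, addr = line.split(None, 1)[1], None, None
        elif name is None:
            continue            # top-level lines outside any interface block
        elif (m := re.match(r"\s+ip vrf forwarding (\S+)", line)):
            vrf = m.group(1)
        elif (m := re.match(r"\s+ip address (\S+) (\S+)", line)):
            addr = IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return result


def audit(config):
    """Classify every overlapping pair of connected subnets.

    conflicts: overlap inside one routing table (IOS rejects this when typed,
               but a generated config can still contain it)
    isolated:  overlapping subnets in different tables, legitimate under VRF
    global:    addressed interfaces outside any VRF, to be reviewed on a box
               whose purpose is VRF separation
    """
    items = sorted(parse_interfaces(config).items())
    conflicts, isolated = [], []
    for i, (a, (vrf_a, ip_a)) in enumerate(items):
        for b, (vrf_b, ip_b) in items[i + 1:]:
            if not ip_a.network.overlaps(ip_b.network):
                continue
            if vrf_a == vrf_b:
                conflicts.append((vrf_a, a, b))
            else:
                isolated.append((a, vrf_a, b, vrf_b))
    global_ifaces = [n for n, (vrf, _) in items if vrf == GLOBAL]
    return {"conflicts": conflicts, "isolated": isolated, "global": global_ifaces}


if __name__ == "__main__":
    for kind, rows in audit(SAMPLE_CONFIG).items():
        print(kind, *rows, sep="\n  ")
```

Run against the sample, `audit()` reports the Loopback0/gigabitEthernet 0/1 pair as the one real conflict, lists the three cross-VRF overlaps (the two uplinks, the loopback against gigabitEthernet 0/0, and gigabitEthernet 0/3 against the COMPANYB sub-interface) as isolated, and names gigabitEthernet 0/3 as the interface that escaped the VRF design. The same parser can be pointed at a saved **show running-config** of HQ\_DC before a change window.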

##### HQ\_DC\_SW1 Switch

HQ\_DC\_SW1&gt;enable  
HQ\_DC\_SW1#configure terminal  
HQ\_DC\_SW1(config)#vlan 100  
HQ\_DC\_SW1(config-vlan)#name COMPANYA  
HQ\_DC\_SW1(config-vlan)#exit  
HQ\_DC\_SW1(config)#vlan 200  
HQ\_DC\_SW1(config-vlan)#name COMPANYB  
HQ\_DC\_SW1(config-vlan)#exit  
HQ\_DC\_SW1(config)#interface gigabitEthernet 0/2  
HQ\_DC\_SW1(config-if)#switchport trunk encapsulation dot1q  
HQ\_DC\_SW1(config-if)#switchport mode trunk  
HQ\_DC\_SW1(config-if)#switchport trunk allowed vlan 100,200  
HQ\_DC\_SW1(config-if)#interface gigabitEthernet 0/0  
HQ\_DC\_SW1(config-if)#switchport mode access  
HQ\_DC\_SW1(config-if)#switchport access vlan 100  
HQ\_DC\_SW1(config-if)#interface gigabitEthernet 0/1  
HQ\_DC\_SW1(config-if)#switchport mode access  
HQ\_DC\_SW1(config-if)#switchport access vlan 200  
HQ\_DC\_SW1(config-if)#exit  
HQ\_DC\_SW1(config)#interface vlan 100  
HQ\_DC\_SW1(config-if)#ip address 192.168.100.2 255.255.255.0  
HQ\_DC\_SW1(config-if)#exit  
HQ\_DC\_SW1(config)#interface vlan 200  
HQ\_DC\_SW1(config-if)#ip address 192.168.200.2 255.255.255.0

The two SVIs give the switch an address in each VLAN for verification pings. They sit in the switch's single global routing table, so **ip routing** must stay disabled on HQ\_DC\_SW1: if it were enabled, the switch would route directly between VLAN 100 and VLAN 200 and quietly bypass the VRF separation enforced on HQ\_DC. **switchport mode access** on the host ports turns off trunk negotiation (DTP) so an attached host cannot talk its port into becoming a trunk, and **switchport trunk allowed vlan 100,200** limits what can cross the uplink to exactly the two VRF VLANs.

##### PCs and Servers

PC1&gt;ip 192.168.10.10/24 192.168.10.1

PC2&gt;ip 192.168.20.20/24 192.168.20.1

COMPA\_ACCT&gt; ip address 192.168.100.10/24 192.168.100.1

COMPB\_ACCT&gt; ip address 192.168.200.20/24 192.168.200.1

#### Test and Verify Connectivity and Configuration

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/i14image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/i14image.png)

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/yHQimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/yHQimage.png)

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/Z7himage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/Z7himage.png)

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/9FEimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/9FEimage.png)

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/ZhFimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/ZhFimage.png)

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/0Mzimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/0Mzimage.png)

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/cDjimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/cDjimage.png)

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/i2Ximage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/i2Ximage.png)

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/clAimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/clAimage.png)

#### GNS3 File

[vrf2.gns3](https://bookstack.taylorhome.run/attachments/18)

# Cisco IOS Site to Site VPN (Router)

#### Network Topology

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/CMvimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/CMvimage.png)

In this lab a site-to-site IPsec VPN is built between Router1 and Router2 across the link through Router0. Router0 plays the part of the untrusted transit path (the Internet) and only carries the encrypted traffic; it gets no VPN configuration of its own.

First let's set up the IP and routing information on all three routers as well as the two PCs.

#### Router0 IP and Routing Configuration Commands

Router0&gt;enable  
Router0#configure terminal  
Router0(config)# interface serial 0/0/0  
Router0(config-if)#ip address 172.16.1.1 255.255.255.248  
Router0(config-if)#no shutdown  
Router0(config-if)#interface serial 0/0/1  
Router0(config-if)#ip address 172.16.2.1 255.255.255.248  
Router0(config-if)#no shutdown  
Router0(config-if)#exit  
Router0(config)#ip route 192.168.10.0 255.255.255.0 172.16.1.2  
Router0(config)#ip route 192.168.20.0 255.255.255.0 172.16.2.2

#### Router1 IP and Routing Configuration Commands

Router1&gt;enable  
Router1#configure terminal  
Router1(config)# interface serial 0/0/0  
Router1(config-if)#ip address 172.16.1.2 255.255.255.248  
Router1(config-if)#no shutdown  
Router1(config-if)#interface fastEthernet 0/0  
Router1(config-if)#ip address 192.168.10.1 255.255.255.0  
Router1(config-if)#no shutdown  
Router1(config-if)#exit  
Router1(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.1

#### Router2 IP and Routing Configuration Commands

Router2&gt;enable  
Router2#configure terminal  
Router2(config)# interface serial 0/0/0  
Router2(config-if)#ip address 172.16.2.2 255.255.255.248  
Router2(config-if)#no shutdown  
Router2(config-if)#interface fastEthernet 0/0  
Router2(config-if)#ip address 192.168.20.1 255.255.255.0  
Router2(config-if)#no shutdown  
Router2(config-if)#exit  
Router2(config)#ip route 0.0.0.0 0.0.0.0 172.16.2.1

#### PC Computers IP Configuration

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/06Timage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/06Timage.png)

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/O0fimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/O0fimage.png)

Now that all the routers and PCs have their IP addressing and routing information configured it is time to move on to the specific configuration for enabling the site-to-site VPN. The process below is divided into four steps, called phases on this page. They are not the same thing as IKE Phase 1 and Phase 2, although step 1 does build the IKE Phase 1 (ISAKMP) policy and step 2 the IPsec (IKE Phase 2) parameters.

##### Phase 1 - The Key Exchange Setup

<table border="1" class="align-center" id="bkmrk-phase-1-commands-not" style="border-collapse: collapse; width: 100%;"><colgroup><col style="width: 50%;"></col><col style="width: 50%;"></col></colgroup><tbody>
<tr><td class="align-center">Phase 1 Commands</td><td class="align-center">Notes</td></tr>
<tr><td class="align-left">crypto isakmp enable</td><td class="align-left">ISAKMP (IKEv1) is enabled by default on IOS, so this only matters if it was turned off earlier with **no crypto isakmp enable**.</td></tr>
<tr><td class="align-left">crypto isakmp policy 10</td><td class="align-left">The number can be anything from 1 to 10,000 and is the policy's priority; lower numbers are tried first. The peers need a policy whose encryption, hash, Diffie-Hellman group and authentication method all match.</td></tr>
<tr><td class="align-left">encryption aes</td><td class="align-left">**aes** on its own is AES-128; **encryption aes 256** is also available. 3DES would work but is deprecated.</td></tr>
<tr><td class="align-left">hash sha</td><td class="align-left">**sha** means SHA-1 here. MD5 is weaker still; current IOS also accepts **hash sha256** (and sha384/sha512), which is what to use outside a lab.</td></tr>
<tr><td class="align-left">group 1</td><td class="align-left">Specifies the Diffie-Hellman group the two peers use to derive a shared secret without transmitting it to each other. Group 1 is 768-bit MODP and is considered broken; it is kept here to match the lab, but on real equipment use group 14 (2048-bit) or higher, or an ECDH group such as 19 or 20.</td></tr>
<tr><td class="align-left">lifetime 3600</td><td class="align-left">Lifetime of the ISAKMP (IKE) Security Association in seconds. The default is 86,400 seconds (24 hours). A shorter lifetime limits how long one set of keys stays in use, at the cost of more frequent renegotiation; with a longer lifetime the router can set up future IPsec SAs more quickly because the IKE SA is still in place.</td></tr>
<tr><td class="align-left">authentication pre-share</td><td class="align-left">Authenticate the peers with a pre-shared key. The alternative, **authentication rsa-sig**, uses certificates and avoids distributing a shared secret to every site.</td></tr>
<tr><td class="align-left">crypto isakmp key *ciscokey123* address 172.16.2.2</td><td class="align-left">The italicized text is the key and has to match on both sides of the connection. The IP address is the public IP address of our **peer on the other side of the VPN connection**. Use a long random string rather than a word like the one in this lab. IOS keeps the key in plaintext in the running configuration unless type 6 encryption is enabled with **key config-key password-encrypt** and **password encryption aes**.</td></tr>
</tbody></table>

##### Phase 2 - Encrypting the Tunnel

<table border="1" id="bkmrk-phase-2-commands-not" style="border-collapse: collapse; width: 100%;"><colgroup><col style="width: 50%;"></col><col style="width: 50%;"></col></colgroup><tbody>
<tr><td class="align-center">Phase 2 Commands</td><td class="align-center">Notes</td></tr>
<tr><td>crypto ipsec transform-set *vpnset* esp-aes esp-sha-hmac</td><td>The italicized text is the set name and can be changed. **esp-aes** is AES-128 encryption and **esp-sha-hmac** is SHA-1 integrity; **esp-3des** and **esp-md5-hmac** also exist but are weaker, and current IOS offers **esp-aes 256** and **esp-sha256-hmac**. The transform set must exist before a crypto map entry refers to it.</td></tr>
<tr><td>crypto map vpnset 10 ipsec-isakmp</td><td>The number is a sequence number from 1 to 65,535; entries sharing the same map name are evaluated in that order.</td></tr>
<tr><td>set transform-set vpnset</td><td>Bind the transform set defined above to this crypto map entry.</td></tr>
<tr><td>match address 100</td><td>Match the addresses in the access list coming up. This identifies the inside-to-inside traffic flow that gets encrypted.</td></tr>
<tr><td>set peer 172.16.2.2</td><td>This is the other router's outside interface, the same address used in the **crypto isakmp key** command.</td></tr>
</tbody></table>

##### Phase 3 - Applying the Crypto Map to the Outside Router Interface

<table border="1" id="bkmrk-phase-3-commands-not" style="border-collapse: collapse; width: 100%;"><colgroup><col style="width: 50%;"></col><col style="width: 50%;"></col></colgroup><tbody>
<tr><td class="align-center">Phase 3 Commands</td><td class="align-center">Notes</td></tr>
<tr><td>int s0/0/0</td><td>Whatever the outside interface of the router is (f0/0, g0/2, etc.).</td></tr>
<tr><td>crypto map vpnset</td><td>Apply the crypto map to the interface. An interface carries at most one crypto map, and the router starts the IKE negotiation when traffic matching the map's access list is about to leave this interface.</td></tr>
</tbody></table>

##### Phase 4 - Creating an Access List to Identify the Traffic Flow (inside to inside LAN traffic)

<table border="1" id="bkmrk-phase-4-commands-not" style="border-collapse: collapse; width: 100%;"><colgroup><col style="width: 50%;"></col><col style="width: 50%;"></col></colgroup><tbody>
<tr><td class="align-center">Phase 4 Commands</td><td class="align-center">Notes</td></tr>
<tr><td>access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255</td><td>Source is the local inside network and destination the remote one; the other router uses the mirror image. Traffic this list does not match is not encrypted and leaves the interface in clear text, so keep it specific.</td></tr>
</tbody></table>

Let's start with Router1

#### Router1 VPN Configuration Commands

Router1&gt;enable  
Router1#configure terminal  
Router1(config)#crypto isakmp enable  
Router1(config)#crypto isakmp policy 10  
Router1(config-isakmp)#encryption aes  
Router1(config-isakmp)#hash sha  
Router1(config-isakmp)#group 1  
Router1(config-isakmp)#lifetime 3600  
Router1(config-isakmp)#authentication pre-share  
Router1(config-isakmp)#exit  
Router1(config)#crypto isakmp key ciscokey123 address 172.16.2.2  
Router1(config)#crypto ipsec transform-set vpnset esp-aes esp-sha-hmac  
Router1(cfg-crypto-trans)#exit  
Router1(config)#crypto map vpnset 10 ipsec-isakmp  
Router1(config-crypto-map)#set transform-set vpnset  
Router1(config-crypto-map)#match address 100  
Router1(config-crypto-map)#set peer 172.16.2.2  
Router1(config-crypto-map)#exit  
Router1(config)#int serial 0/0/0  
Router1(config-if)#crypto map vpnset  
Router1(config-if)#exit  
Router1(config)#access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

#### Router2 VPN Configuration Commands

Router2&gt;enable  
Router2#configure terminal  
Router2(config)#crypto isakmp enable  
Router2(config)#crypto isakmp policy 10  
Router2(config-isakmp)#encryption aes  
Router2(config-isakmp)#hash sha  
Router2(config-isakmp)#group 1  
Router2(config-isakmp)#lifetime 3600  
Router2(config-isakmp)#authentication pre-share  
Router2(config-isakmp)#exit  
Router2(config)#crypto isakmp key ciscokey123 address 172.16.1.2  
Router2(config)#crypto ipsec transform-set vpnset esp-aes esp-sha-hmac  
Router2(cfg-crypto-trans)#exit  
Router2(config)#crypto map vpnset 10 ipsec-isakmp  
Router2(config-crypto-map)#set transform-set vpnset  
Router2(config-crypto-map)#match address 100  
Router2(config-crypto-map)#set peer 172.16.1.2  
Router2(config-crypto-map)#exit  
Router2(config)#int serial 0/0/0  
Router2(config-if)#crypto map vpnset  
Router2(config-if)#exit  
Router2(config)#access-list 100 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
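As an added example, not part of the original page, the Python below audits the IKEv1 and IPsec settings in an IOS configuration and reports the weak choices discussed in the tables above. The sample configuration is constructed from the Router1 listing (transform set included), and the thresholds (DH group 14 minimum, SHA-1 and MD5 flagged, DES and 3DES flagged, a pre-shared key that is not type-6 encrypted flagged) are this example's policy rather than anything Cisco enforces.

```python
"""Flag weak IKEv1/IPsec settings in an IOS configuration.

Added example for this page.  SAMPLE_CONFIG is constructed from the Router1
listing above; the thresholds are this example's policy, not IOS defaults."""
import re

# What IOS assumes for an ISAKMP policy when a line is omitted.
POLICY_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1",
                   "authentication": "rsa-sig", "lifetime": "86400"}
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5", "sha"}          # 'sha' on IOS is SHA-1
MIN_DH_GROUP = 14                    # 2048-bit MODP; groups 1, 2 and 5 fall below it
WEAK_ESP = {"esp-null", "esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}

SAMPLE_CONFIG = """\
crypto isakmp enable
crypto isakmp policy 10
 encryption aes
 hash sha
 group 1
 lifetime 3600
 authentication pre-share
crypto isakmp key ciscokey123 address 172.16.2.2
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
crypto map vpnset 10 ipsec-isakmp
 set peer 172.16.2.2
 set transform-set vpnset
 match address 100
"""


def parse_isakmp_policies(config):
    """Return {policy_number: settings} with the IOS defaults filled in."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = dict(POLICY_DEFAULTS)
            policies[int(m.group(1))] = current
        elif line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")
            if key in current:
                current[key] = value
        else:
            current = None          # any other top-level line ends the block
    return policies


def audit(config):
    """Return a list of human-readable findings, empty if nothing is flagged."""
    findings = []
    for num, p in sorted(parse_isakmp_policies(config).items()):
        where = f"isakmp policy {num}"
        if p["encryption"].split()[0] in WEAK_ENCRYPTION:
            findings.append(f"{where}: encryption {p['encryption']} is weak; use aes 256")
        if p["hash"] in WEAK_HASH:
            findings.append(f"{where}: hash {p['hash']} is SHA-1/MD5; use sha256 or stronger")
        if not p["group"].isdigit() or int(p["group"]) < MIN_DH_GROUP:
            findings.append(f"{where}: DH group {p['group']} is below group {MIN_DH_GROUP} (2048-bit)")
    for m in re.finditer(r"^crypto ipsec transform-set (\S+)((?: \S+)+)", config, re.M):
        for transform in m.group(2).split():
            if transform in WEAK_ESP:
                findings.append(f"transform-set {m.group(1)}: {transform} is weak")
    # A type-6 encrypted key is written as 'crypto isakmp key 6 <blob> address ...';
    # anything else (including an explicit '0') is the key in plaintext.
    for m in re.finditer(r"^crypto isakmp key (\S+) .*address (\S+)", config, re.M):
        if m.group(1) != "6":
            findings.append(f"pre-shared key for peer {m.group(2)} is stored in plaintext; "
                            "use key config-key password-encrypt")
    return findings


if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```

Against the lab configuration `audit()` returns four findings: SHA-1 as the IKE hash, DH group 1, SHA-1 HMAC in the transform set, and the plaintext pre-shared key. AES-128 passes the check because it is not broken, only smaller than it could be. A policy block with no settings at all is reported too, because IOS then falls back to DES, SHA-1 and group 1, which is easy to miss when reading a configuration.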

#### Check Status of VPN

##### Check the status of the Internet Security Association and Key Management Protocol (ISAKMP) Security Associations (SAs) built between the peers.

Router1#show crypto isakmp sa

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/wXMimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/wXMimage.png)

If you run the command right after configuring the VPN you may see an empty table. IKE SAs are built on demand: the router only starts the negotiation when traffic matching access list 100 needs to cross the tunnel. Wait for normal traffic, or ping from one PC to the other across the VPN, and the command then shows a populated entry like this.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/35dimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/35dimage.png)

The output above shows the destination (Router2) IP address and the source (Router1), and, most importantly, that the status of the security association (link) is ACTIVE.

##### Check the Internet Security Association and Key Management Protocol (ISAKMP) Policy

Router1#show crypto isakmp policy

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/4viimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/4viimage.png)

As you can see our new ISAKMP policy is at a higher priority than the default protection suite policy. This output shows the priority, the encryption type (AES), the authentication method (pre-shared), the Diffie-Hellman group (1), and the lifetime (3600). These are all the values we set in the configuration.

##### Check the Crypto Map Settings

Router1#show crypto map

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/QmIimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/QmIimage.png)

This shows a wealth of information about the configured crypto map, including its name and sequence number, the configured peer, the access-list it matches, and the interface the map is assigned to.

##### Check the IPSEC Security Association

Router1#show crypto ipsec sa

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/hF3image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/hF3image.png)

This command prints a lot of information, but the most valuable part is the highlighted area above, which shows that packets are being encapsulated and decapsulated across the VPN. You can also see the status of the inbound and outbound SAs and the configured encryption algorithms.

#### Check Ping from PC0 to PC1 and vice versa

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/0rmimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/0rmimage.png)

The first ping will most likely lose some packets while the tunnel is being negotiated, but subsequent pings will complete 100%.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/IN1image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/IN1image.png)
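The show commands above verify the tunnel on the device itself. As an added example, not part of the original lab, the following Python script audits the two routers' configurations offline: it checks that peers, pre-shared key and crypto access-lists mirror each other and flags deprecated phase-1 parameters. Router1's ISAKMP policy lines are assumed to match Router2's, and WEAK_DH/WEAK_HASH are the script's own lists.

```python
"""Offline audit of the Router1/Router2 site-to-site VPN settings: checks that
the two sides mirror each other and flags deprecated IKEv1 phase-1 parameters.
Added example, not the page's own code."""
import re

# Constructed input, reduced to the statements this check needs. Router1's
# ISAKMP policy is assumed to be identical to Router2's as shown on the page.
ROUTER1 = """
crypto isakmp policy 10
 encryption aes
 hash sha
 group 1
 lifetime 3600
 authentication pre-share
crypto isakmp key ciscokey123 address 172.16.2.2
crypto map vpnset 10 ipsec-isakmp
 set transform-set vpnset
 match address 100
 set peer 172.16.2.2
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
"""
# Router2 is the mirror image: it points at Router1's serial address and its
# crypto ACL names the subnets the other way round.
ROUTER2 = ROUTER1.replace("172.16.2.2", "172.16.1.2").replace(
    "192.168.10.0 0.0.0.255 192.168.20.0", "192.168.20.0 0.0.0.255 192.168.10.0")

WEAK_DH = {"1", "2", "5"}     # 768/1024/1536-bit MODP groups, deprecated
WEAK_HASH = {"md5", "sha"}    # "hash sha" on IOS selects SHA-1

def parse(cfg):
    """Pull out the PSK per peer, set peer, crypto ACL and policy values."""
    d = {"policy": {}, "keys": {}, "peers": set(), "acl": []}
    for raw in cfg.splitlines():
        line = raw.strip()
        if (m := re.match(r"crypto isakmp key (\S+) address (\S+)", line)):
            d["keys"][m[2]] = m[1]
        elif (m := re.match(r"set peer (\S+)", line)):
            d["peers"].add(m[1])
        elif (m := re.match(r"access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)", line)):
            d["acl"].append(m.groups())
        elif (m := re.match(r"(encryption|hash|group|lifetime|authentication) (\S+)", line)):
            d["policy"][m[1]] = m[2]
    return d

def audit(r1_cfg, r2_cfg, r1_addr, r2_addr):
    """Return findings; an empty list means the pair is consistent and uses no
    deprecated phase-1 parameters."""
    a, b = parse(r1_cfg), parse(r2_cfg)
    findings = []
    if a["peers"] != {r2_addr}:
        findings.append("R1 peer mismatch")
    if b["peers"] != {r1_addr}:
        findings.append("R2 peer mismatch")
    # Each side must hold the same PSK, bound to the other side's address.
    if not a["keys"].get(r2_addr) or a["keys"][r2_addr] != b["keys"].get(r1_addr):
        findings.append("pre-shared key mismatch")
    # Crypto ACLs must be mirror images (source and destination swapped).
    mirrored = {(dst, dm, src, sm) for (src, sm, dst, dm) in b["acl"]}
    if set(a["acl"]) != mirrored:
        findings.append("crypto ACLs are not mirror images")
    for name, pol in (("R1", a["policy"]), ("R2", b["policy"])):
        if pol.get("group") in WEAK_DH:
            findings.append(f"{name}: weak DH group {pol['group']}")
        if pol.get("hash") in WEAK_HASH:
            findings.append(f"{name}: weak hash {pol['hash']}")
    if a["policy"] != b["policy"]:
        findings.append("ISAKMP policies differ")
    return findings

if __name__ == "__main__":
    for finding in audit(ROUTER1, ROUTER2, "172.16.1.2", "172.16.2.2"):
        print(finding)
```

The lab's settings pass the mirror checks but are reported for DH group 1 and SHA-1; substituting group 14 and sha256 on both routers clears the findings.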

#### Cisco Packet Tracer File

[net13 site to site vpn.pkt](https://bookstack.taylorhome.run/attachments/8)

# Cisco ASA 5505 Internet Access

#### Network Topology

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/AoXimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/AoXimage.png)

#### Step 1 - Remove Existing ASA Configuration

In Cisco Packet Tracer the ASA 5505 already starts out with some configuration, as shown by the show running-config output below.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/i9gimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/i9gimage.png)

It also has a dhcpd server enabled and partially configured.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/TNJimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/TNJimage.png)

In addition, there are VLAN interfaces already configured, with Ethernet interfaces assigned to them.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/urtimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/urtimage.png)

To create our own configuration, we will have to first dismantle the configuration elements that already are in place.

ciscoasa&gt;enable  
password:  
ciscoasa#configure terminal  
ciscoasa(config)#hostname ASA0  
ASA0(config)#interface vlan 1  
ASA0(config-if)#no ip address  
ASA0(config-if)#exit  
ASA0(config)#no dhcpd address 192.168.1.5-192.168.1.36 inside  
ASA0(config)#end  
ASA0#show running-config

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/9bYimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/9bYimage.png)

#### Step 2 - Configure VLAN Interfaces, Assign Ethernet Interfaces to Correct VLANs, and Ensure Correct Security-Levels

ASA0#configure terminal  
ASA0(config)#interface vlan 1  
ASA0(config-if)#ip address 192.168.10.1 255.255.255.0  
ASA0(config-if)#nameif inside  
ASA0(config-if)#security-level 100  
ASA0(config-if)#no shutdown  
ASA0(config-if)#exit  
ASA0(config)#interface vlan 2  
ASA0(config-if)#ip address 172.16.1.1 255.255.255.0  
ASA0(config-if)#nameif outside  
ASA0(config-if)#security-level 0  
ASA0(config-if)#no shutdown  
ASA0(config-if)#exit  
ASA0(config)#interface ethernet 0/1  
ASA0(config-if)#switchport access vlan 1  
ASA0(config-if)#exit  
ASA0(config)#interface ethernet 0/0  
ASA0(config-if)#switchport access vlan 2  
ASA0(config-if)#end  
ASA0#show running-config

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/9vIimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/9vIimage.png)

ASA0#show switch vlan

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/ajTimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/ajTimage.png)

#### Step 3 - Configure the ISP Router

Now it's time to configure the router. This router (Router0) plays the role of the ISP router on the far side of our connection to the Internet. In this configuration I will be using OSPF to dynamically route the 172.16.1.0/24 and 8.8.8.0/24 networks. You could just as easily use static routes and default gateways, or another dynamic routing protocol; I just chose OSPF.

Router0&gt;enable  
Router0#configure terminal  
Router0(config)#interface fastEthernet 0/0  
Router0(config-if)#ip address 172.16.1.2 255.255.255.0  
Router0(config-if)#no shutdown  
Router0(config-if)#interface fastEthernet 0/1  
Router0(config-if)#ip address 8.8.8.1 255.255.255.0  
Router0(config-if)#no shutdown  
Router0(config-if)#exit  
Router0(config)#router ospf 1  
Router0(config-router)#network 172.16.1.0 0.0.0.255 area 0  
Router0(config-router)#network 8.8.8.0 0.0.0.255 area 0  
Router0(config-router)#end  
Router0#

#### Step 4 - Configure DHCP Server on ASA

Next, let's configure the DHCP server addressing on the ASA0 firewall. The dhcpd service is already enabled; we just have to configure the correct addressing to match our internal LAN subnet. Before we configure the ASA, though, make sure PC0 and PC1 are set to obtain their IP addresses via DHCP.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/TfIimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/TfIimage.png)

ASA0#configure terminal  
ASA0(config)#dhcpd address 192.168.10.20-192.168.10.30 inside  
ASA0(config)#dhcpd dns 8.8.8.8 interface inside  
ASA0(config)#end  
ASA0#show running-config

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/l47image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/l47image.png)

Check PC0 and PC1 IP addresses

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/BCaimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/BCaimage.png)

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/yayimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/yayimage.png)

DHCP is working properly.

#### Step 5 - Configure Default Route on ASA, Create Network Object, and Configure Network Address Translation (NAT)

ASA0#configure terminal  
ASA0(config)#route outside 0.0.0.0 0.0.0.0 172.16.1.2  
ASA0(config)#object network LAN  
ASA0(config-network-object)#subnet 192.168.10.0 255.255.255.0  
ASA0(config-network-object)#nat (inside,outside) dynamic interface  
ASA0(config-network-object)#exit  
ASA0(config)#access-list in\_to\_internet extended permit tcp any any  
ASA0(config)#access-list in\_to\_internet extended permit icmp any any  
ASA0(config)#access-group in\_to\_internet in interface outside  
ASA0(config)#

Now check ping to the server at 8.8.8.8 from PC0 or PC1

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/XXNimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/XXNimage.png)

Now we will verify NAT.

ASA0#show xlate

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/GwLimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/GwLimage.png)

There is nothing to show yet, so start a continuous ping from PC0 and PC1 (ping -t 8.8.8.8) and re-run the show xlate command on the ASA.

ASA0#show xlate

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/00gimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/00gimage.png)

ASA0#show nat

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/Ddbimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/Ddbimage.png)
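Added example, not the page's own code: a short Python audit of where the in_to_internet access-list is applied. It parses the Step 2 and Step 5 statements and reports entries that permit any source to any destination inbound on the security-level 0 interface; HARDENED_CONFIG is an assumed least-privilege alternative that keeps only the echo-reply entry the ping test in this lab needs.

```python
"""Audit ASA access-group placement: flag ACEs that admit any host to any
host inbound on the security-level 0 (outside) interface. Added example,
not the page's own code."""
import re

# Constructed input: the Step 2 and Step 5 statements this check needs.
PAGE_CONFIG = """
interface vlan 1
 nameif inside
 security-level 100
interface vlan 2
 nameif outside
 security-level 0
access-list in_to_internet extended permit tcp any any
access-list in_to_internet extended permit icmp any any
access-group in_to_internet in interface outside
"""

# Least-privilege alternative (assumed, not from the page): the ping test
# only needs echo replies back in, and TCP return traffic is matched by the
# ASA's stateful connection table, so it needs no inbound ACE at all.
HARDENED_CONFIG = PAGE_CONFIG.replace(
    "access-list in_to_internet extended permit tcp any any\n", ""
).replace("permit icmp any any", "permit icmp any any echo-reply")

def parse(cfg):
    """Collect security levels, ACL entries and access-group bindings.
    Only the 'any' source/destination keyword form used on this page is
    parsed; host/subnet forms would need a wider grammar."""
    levels, acls, groups, ifname = {}, {}, [], None
    for raw in cfg.splitlines():
        line = raw.strip()
        if (m := re.match(r"nameif (\S+)", line)):
            ifname = m.group(1)
        elif (m := re.match(r"security-level (\d+)", line)) and ifname:
            levels[ifname] = int(m.group(1))
        elif (m := re.match(
                r"access-list (\S+) extended (permit|deny) (\S+) (\S+) (\S+)(.*)", line)):
            acl, action, proto, src, dst, opts = m.groups()
            acls.setdefault(acl, []).append(
                {"action": action, "proto": proto, "src": src, "dst": dst,
                 "opts": opts.strip()})
        elif (m := re.match(r"access-group (\S+) (in|out) interface (\S+)", line)):
            groups.append(m.groups())
    return levels, acls, groups

def overbroad_inbound(cfg):
    """Return descriptions of permit-any-any entries applied inbound on the
    least-trusted interface; an empty list means none were found."""
    levels, acls, groups = parse(cfg)
    hits = []
    for acl, direction, ifname in groups:
        # Packets entering on the outside interface are the ones moving from
        # the lower (0) to the higher (100) security level.
        if direction != "in" or levels.get(ifname) != 0:
            continue
        for ace in acls.get(acl, []):
            if (ace["action"] == "permit" and ace["src"] == "any"
                    and ace["dst"] == "any" and not ace["opts"]):
                hits.append(f"{acl} on {ifname}: permit {ace['proto']} any any")
    return hits

if __name__ == "__main__":
    print("page config:", overbroad_inbound(PAGE_CONFIG))
    print("hardened:   ", overbroad_inbound(HARDENED_CONFIG))
```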

#### Cisco Packet Tracer File

[asa 5505 internet access.pkt](https://bookstack.taylorhome.run/attachments/16)

# Cisco IOS Private VLANs

#### Network Topology

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/R4Zimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/R4Zimage.png)

#### What is a Private VLAN?

A private VLAN (PVLAN) is a VLAN (Virtual Local Area Network) that is subdivided into secondary VLANs, so that a larger network can be segmented into smaller, more secure groups of ports that still share one IP subnet. It is used to isolate different types of traffic or to separate sensitive or confidential information from other network traffic.

A private VLAN consists of a primary VLAN and one or more secondary VLANs, and its ports are of three types: promiscuous ports, isolated ports, and community ports (the last two are collectively called host ports). Promiscuous ports can communicate with all other ports in the private VLAN, isolated ports can only communicate with promiscuous ports, and community ports can communicate with other ports in the same community and with the promiscuous ports. This allows for a high level of granularity in controlling access and isolating different types of traffic on a network.

Promiscuous ports, isolated ports, and community ports are different types of ports that are used in private VLAN (PVLAN) environments to control access and isolate different types of traffic on a network.

1. Promiscuous Ports: These ports can communicate with all other ports in the private VLAN, including isolated and community ports. They are typically used for gateway or router connections and can be used to access shared resources or provide access to other networks.
2. Isolated Ports: These ports can only communicate with the associated promiscuous port and cannot communicate with other isolated or community ports. They are typically used to isolate sensitive or confidential information and prevent it from being accessed by other parts of the network.
3. Community Ports: These ports can communicate with other ports within the same community and with the promiscuous ports, but not with other communities or isolated ports. They are used to create separate groups within a private VLAN and to control access to shared resources.

In summary, promiscuous ports allow communication with all other ports in the PVLAN, isolated ports keep sensitive hosts from reaching anything except the promiscuous ports, and community ports create groups within a PVLAN whose members can reach each other and the promiscuous ports, which controls access to shared resources.

Private VLANs are often used in enterprise networks, data centers, and service provider environments to segment traffic and provide additional security. They can also be used to isolate guest or IoT traffic, to separate different departments or groups within an organization, or to separate different types of traffic on a network.

#### What is a Private Isolated VLAN?

A private isolated VLAN is a good solution for keeping sensitive or confidential information separate from other network traffic. It can be used for segmenting a network into secure and non-secure zones, for example, to isolate traffic from a secure server or database from the rest of the network. Additionally, it can be used to create secure zones for specific departments or groups within an organization, or to separate different types of traffic on a network, such as guest or IoT traffic. Some things that Private VLANs can be beneficial for include:

1. Segmenting a network into secure and non-secure zones: In this scenario, a private isolated VLAN would be used to separate sensitive or confidential information from other network traffic. This could include separating a secure server or database from the rest of the network, or isolating traffic from a specific department or group that handles sensitive information.
2. Isolating guest traffic: In a scenario where guest wireless access is provided, a private isolated VLAN could be used to separate guest traffic from internal network traffic. This would help to prevent guests from accessing sensitive or confidential information on the internal network.
3. Isolating IoT traffic: In a scenario where there are a large number of IoT devices connected to a network, a private isolated VLAN could be used to separate IoT traffic from other network traffic. This would help to prevent IoT devices from accessing sensitive or confidential information on the network and also prevent any potential security risks from these devices.
4. Isolating different types of traffic: In a scenario where there are multiple types of traffic on a network, such as voice and data traffic, a private isolated VLAN could be used to separate the different types of traffic. This would help to ensure that voice traffic, for example, is prioritized over data traffic, and that there is no interference between the different types of traffic on the network.

#### Configuration

This configuration is being done in GNS3. To build this topology in GNS3 you need the Cisco IOSvL2 switch image. The scenario is that the company has three network segments (VLANs 100, 200, and 400) in which the PCs can communicate within their designated VLAN and out through the Gateway. However, as a matter of policy, those three VLANs are not allowed to communicate with each other. Lastly, there is a fourth VLAN (VLAN 300) on a LAN segment that has been designated as needing a high degree of security. Therefore, VLAN 300 will be set up as a private isolated VLAN: the PCs in this VLAN will only be able to communicate with the Gateway and, as part of the isolated private VLAN, will be prevented even from communicating with each other.

##### PCs

PC100\_1&gt;ip 192.168.1.1/24 192.168.1.254  
PC100\_2&gt;ip 192.168.1.2/24 192.168.1.254  
PC200\_1&gt;ip 192.168.1.3/24 192.168.1.254  
PC200\_2&gt;ip 192.168.1.4/24 192.168.1.254  
PC300\_1&gt;ip 192.168.1.5/24 192.168.1.254  
PC300\_2&gt;ip 192.168.1.6/24 192.168.1.254  
PC400\_1&gt;ip 192.168.1.7/24 192.168.1.254  
PC400\_2&gt;ip 192.168.1.8/24 192.168.1.254

##### Gateway

Gateway&gt;enable  
Gateway#configure terminal  
Gateway(config)#interface gigabitEthernet 0/0  
Gateway(config-if)#ip address 192.168.1.254 255.255.255.0  
Gateway(config-if)#no shutdown

##### SW1

SW1&gt;enable  
SW1#configure terminal  
SW1(config)#vtp mode transparent  
SW1(config)#vlan 100  
SW1(config-vlan)#private-vlan community  
SW1(config-vlan)#exit  
SW1(config)#vlan 200  
SW1(config-vlan)#private-vlan community  
SW1(config-vlan)#exit  
SW1(config)#vlan 300  
SW1(config-vlan)#private-vlan isolated  
SW1(config-vlan)#exit  
SW1(config)#vlan 400  
SW1(config-vlan)#private-vlan community  
SW1(config-vlan)#exit  
SW1(config)#vlan 500  
SW1(config-vlan)#private-vlan primary  
SW1(config-vlan)#private-vlan association 100,200,300,400  
SW1(config-vlan)#exit  
SW1(config)#interface gigabitEthernet 0/1  
SW1(config-if)#switchport mode private-vlan host  
SW1(config-if)#switchport private-vlan host-association 500 100  
SW1(config-if)#interface gigabitEthernet 0/2  
SW1(config-if)#switchport mode private-vlan host  
SW1(config-if)#switchport private-vlan host-association 500 100  
SW1(config-if)#interface gigabitEthernet 0/3  
SW1(config-if)#switchport mode private-vlan host  
SW1(config-if)#switchport private-vlan host-association 500 200  
SW1(config-if)#interface gigabitEthernet 1/0  
SW1(config-if)#switchport mode private-vlan host  
SW1(config-if)#switchport private-vlan host-association 500 200  
SW1(config-if)#interface gigabitEthernet 2/0  
SW1(config-if)#switchport mode private-vlan host  
SW1(config-if)#switchport private-vlan host-association 500 300  
SW1(config-if)#interface gigabitEthernet 1/3  
SW1(config-if)#switchport mode private-vlan host  
SW1(config-if)#switchport private-vlan host-association 500 300  
SW1(config-if)#interface gigabitEthernet 1/2  
SW1(config-if)#switchport mode private-vlan host  
SW1(config-if)#switchport private-vlan host-association 500 400  
SW1(config-if)#interface gigabitEthernet 1/1  
SW1(config-if)#switchport mode private-vlan host  
SW1(config-if)#switchport private-vlan host-association 500 400  
SW1(config-if)#interface gigabitEthernet 0/0  
SW1(config-if)#switchport mode private-vlan promiscuous  
SW1(config-if)#switchport private-vlan mapping 500 100,200,300,400  
SW1(config-if)#end

#### Illustrated Scenarios

Intra-community VLAN Communication will be **<span style="color: rgb(45, 194, 107);">Successful</span>**.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/fg2image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/fg2image.png)

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/PHhimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/PHhimage.png)

Extra-community VLAN Communication will **<span style="color: rgb(224, 62, 45);">Fail</span>**.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/OTSimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/OTSimage.png)

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/Kbfimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/Kbfimage.png)

Community-isolated Communications will <span style="color: rgb(224, 62, 45);">**Fail**</span>.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/zaXimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/zaXimage.png)

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/1OSimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/1OSimage.png)

Intra-isolated Communications will **<span style="color: rgb(224, 62, 45);">Fail</span>**.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/9wTimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/9wTimage.png)

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/a2pimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/a2pimage.png)

Community-gateway Communications will be **<span style="color: rgb(45, 194, 107);">Successful</span>**.  
Isolated-gateway Communications will also be <span style="color: rgb(45, 194, 107);">**Successful**</span>.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/S0Vimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/S0Vimage.png)

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/af2image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/af2image.png)

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/MATimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/MATimage.png)
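The reachability rules described above and the six scenario outcomes, as an added Python model that is not part of the original lab: it parses the SW1 statements (using the page's short port names, with g0/0 taken as the Gateway port and the `switchport mode` lines left out, since the association or mapping statement fixes each port's role in this model) and decides for a pair of ports whether layer-2 traffic between them is allowed.

```python
"""Private-VLAN reachability model built from the SW1 configuration above.
Added example, not the page's own code."""
import re

# Constructed input: the SW1 statements that define the PVLAN layout, with the
# page's short port names. The 'switchport mode private-vlan ...' lines are
# omitted: here the host-association/mapping statement fixes each port's role.
SW1_CONFIG = """
vlan 100
 private-vlan community
vlan 200
 private-vlan community
vlan 300
 private-vlan isolated
vlan 400
 private-vlan community
vlan 500
 private-vlan primary
 private-vlan association 100,200,300,400
interface g0/1
 switchport private-vlan host-association 500 100
interface g0/2
 switchport private-vlan host-association 500 100
interface g0/3
 switchport private-vlan host-association 500 200
interface g2/0
 switchport private-vlan host-association 500 300
interface g1/3
 switchport private-vlan host-association 500 300
interface g0/0
 switchport private-vlan mapping 500 100,200,300,400
"""

def parse_pvlan(cfg):
    """Map secondary VLAN -> type and port -> its private-VLAN role."""
    vlan_types, ports, vlan, port = {}, {}, None, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if (m := re.match(r"vlan (\d+)$", line)):
            vlan, port = int(m[1]), None
        elif (m := re.match(r"interface (\S+)", line)):
            port, vlan = m[1], None
        elif (m := re.match(r"private-vlan (community|isolated|primary)$", line)) and vlan:
            vlan_types[vlan] = m[1]
        elif (m := re.match(r"switchport private-vlan host-association (\d+) (\d+)", line)):
            ports[port] = {"mode": "host", "primary": int(m[1]), "secondary": int(m[2])}
        elif (m := re.match(r"switchport private-vlan mapping (\d+) (\S+)", line)):
            ports[port] = {"mode": "promiscuous", "primary": int(m[1]),
                           "mapped": {int(v) for v in m[2].split(",")}}
    return vlan_types, ports

def can_talk(cfg, a, b):
    """True if frames from port a may reach port b at layer 2."""
    vlan_types, ports = parse_pvlan(cfg)
    pa, pb = ports[a], ports[b]
    if pa["primary"] != pb["primary"]:
        return False
    # A promiscuous port reaches every secondary VLAN mapped to it.
    if pa["mode"] == "promiscuous":
        return pb["mode"] == "promiscuous" or pb["secondary"] in pa["mapped"]
    if pb["mode"] == "promiscuous":
        return pa["secondary"] in pb["mapped"]
    # Two host ports only talk inside one community; isolated ports never do.
    return pa["secondary"] == pb["secondary"] and vlan_types[pa["secondary"]] == "community"

def scenarios(cfg=SW1_CONFIG):
    """The six cases illustrated on the page; g0/0 is taken as the Gateway port."""
    return {
        "intra-community": can_talk(cfg, "g0/1", "g0/2"),
        "extra-community": can_talk(cfg, "g0/1", "g0/3"),
        "community-isolated": can_talk(cfg, "g0/1", "g2/0"),
        "intra-isolated": can_talk(cfg, "g2/0", "g1/3"),
        "community-gateway": can_talk(cfg, "g0/1", "g0/0"),
        "isolated-gateway": can_talk(cfg, "g2/0", "g0/0"),
    }
```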

#### GNS3 File

[private vlan 2.gns3](https://bookstack.taylorhome.run/attachments/19)