Multiarea OSPF for the CCNA

Multiarea OSPF Overview

Multiarea OSPF is used in large or enterprise networks where there are so many routers that having every router flood every link in its link state database to every other router in the network, even for a small change, becomes taxing on the network. In that situation you do not need every router, let's say 30 or more routers, re-running the shortest path first algorithm because one interface was momentarily shut down.

The solution is to use multiarea OSPF instead of single-area OSPF, where every network is in Area 0. In multiarea OSPF you still have to have a backbone area named Area 0, but you can add additional networks in other areas. The result is that routers only share their entire link state databases with routers in their own area, and other areas are configured to receive only summary information from that area. This way, when there is a change in the network, the SPF algorithm only needs to run on routers in the affected area.

I created a Packet Tracer lab activity that goes with a video tutorial series. Watch all of the videos in order below, while you follow along with the downloadable Packet Tracer activity here: multi-area-ospf-begin

Multiarea OSPF Video Tutorial


HSRP – Hot Standby Routing Protocol Packet Tracer Activity

HSRP Overview

If your gateway goes down, it is a good idea to have a backup that takes over immediately. Using Cisco's Hot Standby Routing Protocol (HSRP) you can configure a router to be an automatic backup gateway without having to change all of your network clients' default gateways by reconfiguring your DHCP server and releasing all of the gateway addresses on your network. In this graded Packet Tracer activity you configure HSRP to create active and standby router gateways.

In the activity, R1 is the current gateway router at 192.168.1.2. Your task is to configure a virtual IP address on the G0/0 interfaces of both R1 and R2. You will configure R1 as the active router and R2 as the standby. Once that is done you will change the default gateway address on PC-A to the new virtual IP address and test. Download the Packet Tracer file and follow along with my video tutorial.

Instructions

1. Configure router R1 G0/0 interface with the following hot standby attributes (the IOS command takes the address directly after the ip keyword):
standby 1 ip 192.168.1.1
standby 1 priority 105
standby 1 preempt
standby 1 track g0/1
2. Configure router R2 G0/0 interface with the following hot standby attribute:
standby 1 ip 192.168.1.1
3. Change the default gateway on PC-A to 192.168.1.1
4. Disable either of the Ethernet links on R1 and test whether you can still ping the ISP.

Download

HSRP_activity.zip

Note: You will need to have Packet Tracer version 6.1 installed on your computer in order to open the file.

Video Tutorial

EtherChannel

EtherChannel Overview

EtherChannel is a Cisco technology that enables the aggregation or bundling of switchports into one logical link. Bundling multiple switchport Ethernet links into one logical channel increases bandwidth as well as creating redundancy and fault tolerance. For example, a bundle of four switchports into one EtherChannel would provide four times the bandwidth coming to and from the switch. EtherChannel bundles or port groups can be run switch-to-switch or switch-to-server if the server's network interface cards (NICs) support EtherChannel. You can bundle up to eight switchports in one EtherChannel port group, with no more than six EtherChannel port groups per switch.

Instructions

In this Packet Tracer 6.2 activity you configure different forms of EtherChannel on switches S1, S2 and S3. The PCs have already been configured with IP addresses, subnet masks and default gateways.

1. Create VLANs 10 and 20 on all three switches
2. On both S1 and S2 configure switchport 0/1 as an access port and add it to VLAN10. Configure switchport 0/10 as an access port and add it to VLAN20.
3. Configure the open standard for EtherChannel, Link Aggregation Control Protocol (LACP 802.3ad) as channel-group 1 on both S1 and S2 Gigabit Ethernet switchports 0/1 and 0/2.
4. Configure Cisco’s Port Aggregation Protocol (PAgP) for EtherChannel as channel-group 2 between S2 and S3 Fast Ethernet switchports 0/21-24.
5. Configure Cisco’s EtherChannel manually with no PAgP as channel-group 3 between S3 and S1 Fast Ethernet switchports 0/17-20.
6. Configure all three resulting virtual (logical) port-channel interfaces as trunks that allow only VLANs 10 and 20.
7. Verify the EtherChannels with show etherchannel commands and by pinging from PC0 to PC2 and PC1 to PC3.


Download

etherchannel-begin.zip

Note: This Packet Tracer activity requires Packet Tracer version 6.2 minimum.

Video Walkthrough Tutorial


CLI Command Examples

S1(config)# vlan 10
S1(config-vlan)# vlan 20

S1(config-vlan)# exit
S1(config)# int f0/1
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 10
S1(config-if)# int f0/10
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 20
<repeat commands above on S2>

S1(config)# int range g0/1-2
S1(config-if)# channel-group 1 mode active
S1(config-if)# exit
S1(config)# int port-channel 1
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk allowed vlan 10,20

S2(config)# int range g0/1-2
S2(config-if)# channel-group 1 mode passive
S2(config-if)# exit
S2(config)# int port-channel 1
S2(config-if)# switchport mode trunk
S2(config-if)# switchport trunk allowed vlan 10,20

S3(config)# vlan 10
S3(config-vlan)# vlan 20
S3(config-vlan)# exit

S3(config)# int range f0/21-24
S3(config-if)# channel-group 2 mode desirable
S3(config-if)# exit
S3(config)# int port-channel 2
S3(config-if)# switchport mode trunk
S3(config-if)# switchport trunk allowed vlan 10,20

S2(config)# int range f0/21-24
S2(config-if)# channel-group 2 mode auto
S2(config-if)# exit
S2(config)# int port-channel 2
S2(config-if)# switchport mode trunk
S2(config-if)# switchport trunk allowed vlan 10,20

S3(config)# int range f0/17-20
S3(config-if)# channel-group 3 mode on
S3(config-if)# exit
S3(config)# int port-channel 3
S3(config-if)# switchport mode trunk
S3(config-if)# switchport trunk allowed vlan 10,20

S1(config)# int range f0/17-20
S1(config-if)# channel-group 3 mode on
S1(config-if)# exit
S1(config)# int port-channel 3
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk allowed vlan 10,20

EIGRP Packet Tracer Lab Part 3


EIGRP Practice Network Graded Packet Tracer Lab

Instructions

In order to finish the EIGRP Packet Tracer lab with a 100% completion rate, follow the directions below. The directions are divided up by network device. You can download the Packet Tracer Lab at the bottom of this page:

PC0 – PC3:

1. All PC hosts need the tenth (.10) IP address in their networks.
2. All PC hosts need the correct subnet mask and default gateway.

R0

1. hostname set to: R0
2. enable secret password set to: class
3. banner motd set to: No unauthorized access!
4. line console 0 configured with password set to: cisco
5. line vty 0-4 configured with password set to: cisco
6. interfaces fa0/0, fa0/1, eth0/1/0 and s0/0/0 should all have the first usable host address in the network
7. s0/0/0 should have bandwidth set to 384 kbps,
8. should run EIGRP with process ID# 100,
9. should add all EIGRP networks with wildcard masks,
10. should use a manual EIGRP summary address on S0/0/0, for its 192.168.x.x networks,
11. should use EIGRP passive interfaces where appropriate,
12. should use EIGRP no auto-summary to avoid the presence of “null 0” routes in the routing table

R1

1. hostname set to: R1
2. enable secret password set to: class
3. banner motd set to: Get Out!
4. line console 0 configured with password set to: cisco
5. line vty 0-4 configured with password set to: cisco
6. interface s0/0/0 should have the second usable host address in the network, and as the DCE, the clock rate should be set to 64000
7. interfaces s0/0/1 and fa0/0 should both have the first usable host address in the network
8. s0/0/0 should have bandwidth set to 384 kbps,
9. should run EIGRP with process ID# 100,
10. should add all EIGRP networks with wildcard masks,
11. should not advertise the 209.12.12.32/30 network with EIGRP,
12. should have a default route to the ISP router,
13. should use EIGRP to distribute the default route to R0,
14. should use EIGRP passive interfaces where appropriate,
15. should use EIGRP no auto-summary to avoid the presence of “null 0” routes in the routing table

ISP

1. hostname set to: ISP
2. interface s0/0/1 should have the second usable host address in the network, and as the DCE, the clock rate should be set to 64000
3. does not participate in EIGRP
4. uses static routes:
a summary route to reach the 192.168.x.x networks,
a static route to the 172.16.5.0/30 network

Router CLI Commands:

router>enable
router#
router#configure terminal
router(config)#

router(config)#hostname <router name>
router(config)#enable secret <secret-password>
router(config)#banner motd <$banner message$>

router(config)#line console 0
router(config-line)#password <password>
router(config-line)#login
router(config-line)#exit
router(config)#line vty 0 4
router(config-line)#password <password>
router(config-line)#login
router(config-line)#exit

router(config)#interface <interface type> <interface number>
router(config-if)#ip address <ip address> <subnet mask>
router(config-if)#no shutdown
! some of the interfaces will also need:
router(config-if)#clock rate <rate>
router(config-if)#bandwidth <speed>
router(config-if)#ip summary-address eigrp <process ID#> <ip address> <subnet mask>

router(config)#router eigrp <process ID#>
router(config-router)#network <network address> <wildcard mask>
router(config-router)#network <network address> <wildcard mask>
router(config-router)#network <network address> <wildcard mask>
router(config-router)#no auto-summary
router(config-router)#passive-interface <interface>
router(config-router)#redistribute static
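Added example, not part of the lab or of IOS: a Python helper that derives the wildcard masks for the EIGRP network statements and the manual summary address for R0's 192.168.x.x networks (the ISP's static summary route covers the same prefix). The four /24 LANs used in demo() are constructed, since the lab file's exact subnets are not on this page; process ID 100 is the lab's.

```python
import ipaddress

def wildcard_mask(network):
    """Wildcard mask for an EIGRP 'network' statement: the inverted subnet mask."""
    return str(ipaddress.ip_network(network, strict=True).hostmask)

def summary_route(networks):
    """Smallest single prefix covering every listed network: the longest prefix shared
    by the lowest network address and the highest broadcast address."""
    nets = [ipaddress.ip_network(n, strict=True) for n in networks]
    lo = int(min(n.network_address for n in nets))
    hi = int(max(n.broadcast_address for n in nets))
    plen = 32
    while plen and (lo >> (32 - plen)) != (hi >> (32 - plen)):
        plen -= 1
    base = lo & ((0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{ipaddress.IPv4Address(base)}/{plen}")

def eigrp_network_statements(networks):
    """'network <address> <wildcard>' lines, one per subnet, for 'router eigrp <asn>'."""
    return [f"network {ipaddress.ip_network(n).network_address} {wildcard_mask(n)}"
            for n in networks]

def summary_address_command(asn, networks):
    """Interface-level 'ip summary-address eigrp' line covering the listed networks."""
    s = summary_route(networks)
    return f"ip summary-address eigrp {asn} {s.network_address} {s.netmask}"

def overreach(networks):
    """Number of addresses the summary advertises that belong to none of the listed
    (non-overlapping) networks. Non-zero means the summary also claims space R0 does
    not own, which the router will silently sink via its Null0 summary route."""
    s = summary_route(networks)
    covered = sum(ipaddress.ip_network(n).num_addresses for n in networks)
    return s.num_addresses - covered

def demo():
    """Constructed sample: four contiguous /24 LANs behind R0 (the page only says 192.168.x.x)."""
    lans = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]
    return eigrp_network_statements(lans), summary_address_command(100, lans), overreach(lans)
```

With non-contiguous LANs (say only 192.168.1.0/24 and 192.168.2.0/24) the same summary is still 192.168.0.0/22, and overreach() reports the 512 addresses it advertises without owning.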

Packet Tracer 5.3.3 Graded Exercise

EIGRP practice network.zip

Established ACLs

Configure a TCP Established ACL in Packet Tracer

In the video tutorial below I use Packet Tracer to demonstrate how a layer 3 access-list based firewall functions in a network scenario featuring a private LAN and a public DMZ. The goal is to improve security by using a layer 4 firewall that is TCP aware. You can add layer 4 firewall capability with a TCP Established ACL (Access List).

In the second tutorial, I demonstrate how a hacker could bypass a layer 2 access-list firewall by masquerading the port number. I also demonstrate how to solve this problem by using a tcp-established access list.

Two further advancements in Cisco stateful firewalls are the CBAC firewall and the Zone-Based Firewall. Both of these modular firewalls were great improvements over the early TCP established firewall.

Today, there are even more advanced firewalls that can inspect application data at layer 7 and connect to cloud-based security centers to share and respond to potential zero-day threats with global analysis and response.

Extended Access Lists – ACL

Overview

Extended access lists offer greater flexibility than standard access lists because you can filter not only on source IP address but also on destination IP address, as well as on protocol, port and service, for instance TCP port 23 (telnet). Since you declare both the source and the destination addresses, you can apply the extended ACL on the router closest to the source network. This filters packets immediately, without letting them traverse the entire network before being filtered and dropped; applied this way, extended ACLs conserve bandwidth and router resources.

Standard ACL (1-99)                    Extended ACL (100-199)
Applied closest to the destination     Applied closest to the source
Denies or permits:                     Denies or permits:
  source IP address                      source IP address,
                                         destination IP address,
                                         port or service (optional)

Two Steps:

1. create the access list (standard or extended)
2. apply the access list to an interface (inbound or outbound)

1. Create:

Standard ACL (1-99, and 2000-2699):
denies or permits: 1) source IP address
Extended ACL (100-199):
denies or permits: 1) source IP address, 2) destination IP address, 3) port (service) (optional)

2. Apply:

Where to apply an ACL?
A standard ACL is applied inbound or outbound on the router interface that is closest to the destination of the traffic.
An extended ACL is applied inbound or outbound on the router interface that is closest to the source of the traffic.

IOS Commands

Extended access list command formats:
access-list <100-199> <deny | permit> <protocol> <source ip address> <wildcard bits> <destination ip address> <wildcard bits> <operator> <port or service>
access-list <100-199> <deny | permit> <protocol> host <source ip address> host <destination ip address> <operator> <port or service>
access-list <100-199> <deny | permit> <protocol> <source ip address> <wildcard bits> <destination ip address> <wildcard bits>

Extended access list examples:

Deny and permit a source class C network to a destination class C network:
router(config)#access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
router(config)#access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255

Deny or permit a source host to a destination /24 network:
router(config)#access-list 100 deny ip 192.168.1.100 0.0.0.0 192.168.4.0 0.0.0.255
router(config)#access-list 100 deny ip host 192.168.1.100 192.168.4.0 0.0.0.255
router(config)#access-list 100 permit ip 192.168.1.101 0.0.0.0 192.168.4.0 0.0.0.255
router(config)#access-list 100 permit ip host 192.168.1.101 192.168.4.0 0.0.0.255

Deny or permit any host to any destination on port 80 (http):
router(config)#access-list 100 deny tcp any any eq 80
router(config)#access-list 100 permit tcp any any eq 80

Deny or permit all hosts (an extended ACL entry always needs the protocol keyword, here ip):
router(config)#access-list 100 deny ip any any
router(config)#access-list 100 permit ip any any

Apply the access list to a router interface outbound and inbound

router(config)#interface fastethernet 0/0
router(config-if)#ip access-group 100 out

router(config)#interface fastethernet 0/1
router(config-if)#ip access-group 100 in
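To make the first-match logic, the wildcard masks and the established keyword (from the TCP established ACL section above) concrete, here is an added Python model of an extended ACL. It is not code from the page or from IOS; the two ACLs, the hosts and the source-port-80 scenario in compare_acls() are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
def match_wildcard(addr, base, wildcard):
    """IOS wildcard test: a 1 bit in the wildcard means 'don't care' for that bit."""
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"; an ACE protocol of "ip" matches all
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False   # TCP ACK or RST flag set: the bit test behind 'established'

def parse_ace(line):
    """Parse one extended ACE: any/host/wildcard addresses, 'eq <port>', 'established'."""
    tok = line.split()
    ace = {"action": tok[2], "proto": tok[3], "sport": None, "dport": None, "established": False}
    def read_addr(i):
        if tok[i] == "any":
            return ("0.0.0.0", "255.255.255.255"), i + 1
        if tok[i] == "host":
            return (tok[i + 1], "0.0.0.0"), i + 2
        return (tok[i], tok[i + 1]), i + 2
    ace["src"], i = read_addr(4)
    if tok[i] == "eq":                         # optional source-port operator
        ace["sport"], i = int(tok[i + 1]), i + 2
    ace["dst"], i = read_addr(i)
    while i < len(tok):
        if tok[i] == "eq":
            ace["dport"], i = int(tok[i + 1]), i + 2
        elif tok[i] == "established":
            ace["established"], i = True, i + 1
        else:
            raise ValueError("unsupported keyword: " + tok[i])
    return ace

def ace_matches(ace, p):
    return (ace["proto"] in ("ip", p.proto)
            and match_wildcard(p.src, *ace["src"]) and match_wildcard(p.dst, *ace["dst"])
            and (ace["sport"] is None or p.sport == ace["sport"])
            and (ace["dport"] is None or p.dport == ace["dport"])
            and (not ace["established"] or p.ack_or_rst))

def evaluate(acl, p):
    """Top-down, first match wins; the implicit 'deny ip any any' ends every ACL."""
    for ace in map(parse_ace, acl):
        if ace_matches(ace, p):
            return ace["action"]
    return "deny"
# Constructed scenario: ACL inbound on the public interface, meant to admit only web
# replies to the 192.168.1.0/24 LAN. The first version trusts the source port alone.
PORT_ONLY = ["access-list 100 permit tcp any eq 80 192.168.1.0 0.0.0.255"]
ESTABLISHED = ["access-list 101 permit tcp any eq 80 192.168.1.0 0.0.0.255 established"]

def compare_acls():
    """(port-only verdict, established verdict) for a forged SYN and a genuine web reply."""
    forged_syn = Packet("tcp", "203.0.113.9", "192.168.1.10", sport=80, dport=23)
    web_reply = Packet("tcp", "203.0.113.9", "192.168.1.10", sport=80, dport=51000, ack_or_rst=True)
    return {name: (evaluate(PORT_ONLY, p), evaluate(ESTABLISHED, p))
            for name, p in (("forged_syn", forged_syn), ("web_reply", web_reply))}
```

compare_acls() returns permit/permit for the real reply under both lists, but permit/deny for the forged SYN: only the established list rejects a new connection that merely claims source port 80.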

Video Tutorial

If you would like to follow along in Packet Tracer, click here to download the PT starter file:

In part 1, I demonstrate how to write and apply a basic extended access list

In part 2, I demonstrate how to permit only a port (service) using an extended access list 

RSTP & Rapid-PVST+

RSTP Overview

Rapid Spanning Tree Protocol (RSTP) is an enhancement of the original STP 802.1D protocol. RSTP, 802.1w, is an open IEEE standard. Cisco has its own proprietary implementation of RSTP, which includes the benefits of its per-VLAN spanning tree protocols, called Rapid-PVST+. Rapid-PVST+ and RSTP are important enhancements to the original STP protocol because they can switch ports from blocking to forwarding without relying on timers, execute spanning tree calculations and converge the network faster than STP. In STP, network convergence can take up to 50 seconds; with RSTP and Rapid-PVST+, network convergence can happen in just over 6 seconds. In RSTP and Rapid-PVST+, switchports transition from discarding (blocking) to forwarding based solely on a switch-to-switch proposal and agreement process, using BID priority, instead of also having to wait for timers.

RSTP includes many of Cisco's earlier proprietary 802.1D enhancements. It is also backwards compatible with STP and can work with legacy switches running STP. RSTP and its variants are widely implemented, so it is beneficial to understand a little about how RSTP works.

RSTP Characteristics

BPDU
– RSTP messages or advertisements are called version 2 BPDUs and carry all the same fields, making them backwards compatible with 802.1D STP BPDUs.
– As with STP, RSTP version 2 BPDUs are sent every 2 seconds.
– In RSTP BPDUs, the version field is set to 2 and the flag field carries RSTP control information, including the proposal and agreement bits.
– The proposal and agreement bits in the flag field are responsible for faster convergence and faster transitions to the forwarding state.

Edge Ports and Non-Edge Ports
– In RSTP, ports are defined as either edge ports or non-edge ports. Edge ports are ports that are not intended to be connected to other switches. Edge ports can go immediately into forwarding mode since they do not need to negotiate BPDU messages with other switches.
– Non-edge ports can have either a point-to-point or a shared link type. Non-edge ports are temporarily blocked during the proposal and agreement process.

Link Types – Point-to-Point and Shared

– With RSTP, non-edge ports can be configured as either a point-to-point link type or a shared link type. The shared link type is for a port that is connected to other switches by way of a shared device like a hub.
– Point-to-point link types can switch to the forwarding state quickly, depending on their port role.

Port Roles and Port States

Root Port – the port that is closest to the root bridge. It goes directly to the forwarding state.
Designated Port – only one designated port is allowed per network segment (switch-to-switch link); the pair of ports on a segment is either an alternate port and a designated port, or a root port and a designated port. When there are two designated ports in the same segment, the proposal and agreement process results in one of them becoming an alternate (discarding) port. In this way designated ports make the most use of the proposal and agreement process. A designated port will eventually be a forwarding port, though it can temporarily transition to the listening (discarding) state during the proposal and agreement process.
Alternate Port – available to transition to designated and forwarding if needed, otherwise discarding (blocking).
Backup Port – used with a redundant switch-to-switch port link. It is in the discarding state.

Port States
STP            RSTP
Blocking       Discarding
Listening      Discarding
Learning       Learning
Forwarding     Forwarding

IOS CLI Commands

Activate the Rapid-PVST+ protocol:
switch(config)#spanning-tree mode rapid-pvst

Configure the switch non-edge ports to either the point-to-point or shared link types:

switch(config)#int gi0/1
switch(config-if)#spanning-tree link-type point-to-point
switch(config-if)#spanning-tree link-type shared

Clear previously detected STP protocols (a privileged EXEC command, not a configuration-mode command):
switch#clear spanning-tree detected-protocols

Change the root bridge election and force the switch to be the root bridge or backup root bridge by manually setting the bridge priority to a number lower than the default of 32768:
switch(config)#spanning-tree vlan <num> priority <num>

Rig the root bridge election and force the switch to be the root bridge or backup root bridge automatically with the root primary or root secondary designation. This command simply changes the bridge priority to predefined numbers lower than the default:
switch(config)#spanning-tree vlan <num> root primary
switch(config)#spanning-tree vlan <num> root secondary

Video Tutorials

If you would like to follow along with the video download the PT start file here: rapid-pvst-start.zip

In this tutorial, I configure the switches for Rapid-PVST+

In this video, I finish with the Rapid-PVST+ configurations, and then test the network for connectivity.

PVST+

PVST+ Overview

Per-VLAN spanning tree protocol plus (PVST+) is a Cisco proprietary protocol that expands on the Spanning Tree Protocol (STP) by allowing a separate spanning tree for each VLAN. Cisco first developed this protocol as PVST, which worked with the Cisco ISL trunking protocol, and then later developed PVST+ which utilizes the 802.1Q trunking protocol.

By creating a separate spanning tree for each VLAN, data traffic from the different VLANs can take different paths across the network, as opposed to all switched traffic taking the same path. This effectively creates a load balancing situation and improves network efficiency.

By default, the Cisco switches in Packet Tracer appear to use PVST+ as the default implementation of spanning tree protocol.

IOS CLI Commands

Activate the PVST+ protocol:
switch(config)#spanning-tree mode pvst

Rig the root bridge election and force the switch to be the root bridge or backup root bridge by manually setting the bridge priority to a number lower than the default of 32768:
switch(config)#spanning-tree vlan <num> priority <num>

Rig the root bridge election and force the switch to be the root bridge or backup root bridge automatically with the root primary or root secondary designation. This command simply changes the bridge priority to predefined numbers lower than the default:
switch(config)#spanning-tree vlan <num> root primary
switch(config)#spanning-tree vlan <num> root secondary
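As an added example (not from the page or from IOS), this Python model computes the per-VLAN bridge ID and root election that the priority and root primary/secondary commands in the RSTP and PVST+ sections manipulate. The switch names, MAC addresses and VLANs are constructed; 24576 and 28672 are the priorities IOS normally programs for root primary and root secondary, and the multiple-of-4096 rule is the one IOS enforces.

```python
from dataclasses import dataclass, field

DEFAULT_PRIORITY = 32768   # IOS default bridge priority
ROOT_PRIMARY = 24576       # what 'spanning-tree vlan <n> root primary' normally programs
                           # (IOS goes 4096 below the current root if 24576 would not win)
ROOT_SECONDARY = 28672     # what 'spanning-tree vlan <n> root secondary' programs

@dataclass
class Switch:
    name: str
    mac: str                                      # base MAC, e.g. "0011.2233.4455"
    priority: dict = field(default_factory=dict)  # vlan -> configured priority

def set_priority(sw, vlan, prio):
    """Mirror the IOS check: priority must be a multiple of 4096 between 0 and 61440."""
    if prio % 4096 or not 0 <= prio <= 61440:
        raise ValueError(f"{prio} is not a multiple of 4096 in 0..61440")
    sw.priority[vlan] = prio

def root_primary(sw, vlan):
    set_priority(sw, vlan, ROOT_PRIMARY)

def root_secondary(sw, vlan):
    set_priority(sw, vlan, ROOT_SECONDARY)

def bridge_id(sw, vlan):
    """PVST+/Rapid-PVST+ bridge ID for one VLAN: (priority + VLAN id as the extended
    system ID, base MAC). The numerically lowest BID wins the election."""
    prio = sw.priority.get(vlan, DEFAULT_PRIORITY)
    return (prio + vlan, int(sw.mac.replace(".", ""), 16))

def elect_root(switches, vlan):
    """Name of the root bridge for the VLAN; equal priorities fall through to the lowest MAC."""
    return min(switches, key=lambda s: bridge_id(s, vlan)).name

def demo():
    """Constructed three-switch network: S3 has the lowest MAC, so with default priorities
    it wins every VLAN; root primary on S1 (VLAN 10) and S2 (VLAN 20) splits the roots,
    which is the per-VLAN load balancing PVST+ is meant to provide."""
    s1 = Switch("S1", "0001.0000.0003")
    s2 = Switch("S2", "0001.0000.0002")
    s3 = Switch("S3", "0001.0000.0001")
    fleet = [s1, s2, s3]
    before = {v: elect_root(fleet, v) for v in (10, 20)}
    root_primary(s1, 10)
    root_secondary(s2, 10)
    root_primary(s2, 20)
    root_secondary(s1, 20)
    after = {v: elect_root(fleet, v) for v in (10, 20)}
    return before, after
```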

Video Tutorials

In part 1, I configure switches to utilize PVST+ features within a multi VLAN network

If you want to follow along with the tutorial, download the PT starter file here: PVST-begin.zip

In part 2, I finish PVST+ configurations including Portfast and BPDUguard on the switch access ports

In part 3, I test the PVST+ network implementation by running ICMP Ping tests and show commands