
Monday, January 24, 2011

CCNA 640-802 Study Note–VLSM Revisit

As mentioned in one of my earlier posts, Variable-Length Subnet Mask (VLSM) helps make more efficient use of IP addresses. We will use a simple example to look at why this is the case.

Imagine you were given the subnet 192.168.10.64/26. With this subnet, you can have up to 62 hosts (2^6 - 2). Now you need 4 VLANs for the Sales, IT, HR and Finance departments. Each department will have at most 10 hosts plus 1 IP for the router interface. One option is to ask for more subnets (e.g. 192.168.10.0/26, 192.168.10.128/26 and 192.168.10.192/26). However, with this option, you will be wasting 51 host IPs in each subnet. Okay, you asked for more subnets and were rejected.

“Sorry, we are running out of IP addresses. Please make do with what is given. Thank you.”

You stared hard at the subnet 192.168.10.64/26. Suddenly you thought of VLSM and came up with the following.

Network: 192.168.10.64/28
Host Range: 192.168.10.65 - 192.168.10.78

Network: 192.168.10.80/28
Host Range: 192.168.10.81 - 192.168.10.94

Network: 192.168.10.96/28
Host Range: 192.168.10.97 - 192.168.10.110

Network: 192.168.10.112/28
Host Range: 192.168.10.113 - 192.168.10.126

Hooray, you just achieved what you needed by further subnetting a subnet. You have 4 subnets, each giving you 14 hosts. You have saved 204 IP addresses!
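To make the arithmetic above reproducible, here is an added example (my own Python, not part of the original post) that picks the smallest subnet for 11 hosts (10 PCs plus the router interface), carves 192.168.10.64/26 into subnets of that size with the standard-library ipaddress module, and computes the 204 addresses that a /26-per-department plan would leave idle. The department list and the 11-host requirement come from the text; the function names are my own.

```python
import ipaddress


def usable_hosts(prefix_len: int) -> int:
    """Usable host addresses in an IPv4 subnet: 2**host_bits minus the
    network and broadcast addresses (valid for prefixes up to /30)."""
    return 2 ** (32 - prefix_len) - 2


def smallest_subnet_for(hosts_needed: int) -> int:
    """Longest prefix length (smallest subnet) that still leaves
    hosts_needed usable addresses. 11 hosts -> /28 (14 usable)."""
    for prefix_len in range(30, 0, -1):
        if usable_hosts(prefix_len) >= hosts_needed:
            return prefix_len
    raise ValueError("no IPv4 subnet holds that many hosts")


def split_subnet(parent: str, new_prefix: int):
    """Carve the parent subnet into equal /new_prefix subnets and return
    (network, first usable host, last usable host, usable count) for each."""
    net = ipaddress.ip_network(parent, strict=True)
    plan = []
    for sub in net.subnets(new_prefix=new_prefix):
        hosts = list(sub.hosts())
        plan.append((str(sub), str(hosts[0]), str(hosts[-1]), len(hosts)))
    return plan


def vlsm_plan(parent: str, hosts_per_dept: int, departments):
    """Give each department the smallest subnet that fits, carved from parent.
    Returns dict department -> (network, first host, last host, usable count)."""
    prefix_len = smallest_subnet_for(hosts_per_dept)
    subnets = split_subnet(parent, prefix_len)
    if len(subnets) < len(departments):
        raise ValueError(f"{parent} only yields {len(subnets)} /{prefix_len} subnets")
    return dict(zip(departments, subnets))


def addresses_wasted(parent_prefix: int, hosts_needed: int, count: int) -> int:
    """Usable addresses left idle if each of `count` departments got its own
    /parent_prefix instead of a right-sized subnet."""
    return count * (usable_hosts(parent_prefix) - hosts_needed)


if __name__ == "__main__":
    departments = ["Sales", "IT", "HR", "Finance"]  # from the post
    for dept, (net, first, last, n) in vlsm_plan("192.168.10.64/26", 11, departments).items():
        print(f"{dept:8} Network: {net}  Host Range: {first} - {last}  ({n} hosts)")
    print("wasted with one /26 per department:", addresses_wasted(26, 11, 4))
```

The plan printed by the script is the same four /28 networks and host ranges listed above; change the host count or the parent block to see how the smallest fitting prefix and the number of carved subnets move.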

Below is a simplified snapshot of what you have just achieved.


SwitchA#sh vlan brief

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Gig1/1
Gig1/2
2 Sales active Fa0/1
3 IT active Fa0/2
4 HR active Fa0/3
5 Finance active Fa0/4
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active

This is really a very simple example. When this small network gets connected to other networks that require the exchange of routing information, we will need a routing protocol that supports VLSM. The 3 routing protocols covered in CCNA that support VLSM are RIPv2, OSPF and EIGRP.

If you feel like playing around with this setup, you can download the Packet Tracer Network File from http://www.mediafire.com/?26p52w69hbwr92x.

Saturday, January 22, 2011

CCNA 640-802 Study Note ACL Answer

Here is my answer for the question of my previous post.

For the first case, we want to achieve the following by implementing ACL on the CoreRouter.

  • Only Laptop0 in the IT Department Network is allowed to FTP to the FTPServer in the Server Network.
  • All other traffic from all hosts should be allowed into the Server Network.

This is how I will implement the ACL.

CoreRouter(config)#access-list 101 permit tcp host 10.2.2.7 host 10.1.1.7 eq ftp
CoreRouter(config)#access-list 101 deny tcp any host 10.1.1.7 eq ftp
CoreRouter(config)#access-list 101 permit ip any any
CoreRouter(config)#int fa0/0
CoreRouter(config-if)#ip access-group 101 out

The first line allows Laptop0 to FTP to the FTPServer.  The second line blocks all other hosts from FTPing to the FTPServer.  The third line allows all other traffic from all hosts to pass through.  Remember that there is an implicit deny at the end if no line matches, so the third line is important.  We also need to bind the ACL to an interface and state the direction.  In this case, we bind it to the fa0/0 interface in the outbound direction.

For the second case, we have 2 choices.  The first choice is to create a different ACL as shown below and bind it to the inbound traffic of the s0/0/1 interface.

CoreRouter(config)#access-list 102 deny ip host 10.3.3.6 10.1.1.0 0.0.0.255
CoreRouter(config)#access-list 102 permit ip any any
CoreRouter(config)#int s0/0/1
CoreRouter(config-if)#ip access-group 102 in

The other choice is to modify the first ACL to include blocking PC4 in the Sales Department Network from accessing all resources in the Server Network.  The modified ACL will look like this.  Since Packet Tracer does not support sequence-numbered ACL entries, you will need to remove the permit ip any any statement first, add the additional deny statement, and then add the permit ip any any statement back.

CoreRouter(config)#access-list 101 permit tcp host 10.2.2.7 host 10.1.1.7 eq ftp
CoreRouter(config)#access-list 101 deny tcp any host 10.1.1.7 eq ftp
CoreRouter(config)#access-list 101 deny ip host 10.3.3.6 10.1.1.0 0.0.0.255
CoreRouter(config)#access-list 101 permit ip any any
CoreRouter(config)#int fa0/0
CoreRouter(config-if)#ip access-group 101 out

The above is my answer to the question; you might have solved it differently.  In any case, do perform some simple testing to ensure your solution works.  Do make sure you practise implementing ACLs and become very familiar with them.
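As an added example (not from the post), the following Python parses the ACL variants discussed above and evaluates packets against them top-down, first match wins, with the implicit deny at the end; this is the kind of testing the last paragraph asks for, done offline. It covers only the extended-ACL syntax used here (any, host, address plus wildcard, eq port). The host addresses are the ones in the post; the "wrong order" list is my own addition showing what you get if the deny is appended after permit ip any any instead of removing the permit first.

```python
import ipaddress

# Port keywords accepted after "eq"; only the subset needed here.
PORT_NAMES = {"ftp": 21, "telnet": 23, "www": 80}


def _parse_addr(tokens, i):
    """Consume one address spec starting at tokens[i]:
    'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W' (address + wildcard mask).
    Returns ((address_int, wildcard_int), index of the next token)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2


def parse_acl(lines):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' lines
    (the extended-ACL subset used in the post) into an ordered entry list."""
    entries = []
    for line in lines:
        t = line.split()
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        entries.append({"action": action, "proto": proto,
                        "src": src, "dst": dst, "dport": dport})
    return entries


def _wildcard_match(spec, ip):
    """Wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(ip)) & care == addr & care


def evaluate(entries, proto, src, dst, dport=None):
    """Top-down, first match wins. Returns (action, 1-based line number);
    a packet matching no line hits the implicit deny -> ('deny', None)."""
    for n, e in enumerate(entries, 1):
        if e["proto"] not in ("ip", proto):
            continue
        if not (_wildcard_match(e["src"], src) and _wildcard_match(e["dst"], dst)):
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], n
    return "deny", None


# ACL 101 exactly as entered on CoreRouter in the post.
ACL_101 = parse_acl([
    "access-list 101 permit tcp host 10.2.2.7 host 10.1.1.7 eq ftp",
    "access-list 101 deny tcp any host 10.1.1.7 eq ftp",
    "access-list 101 permit ip any any",
])

# The modified ACL 101 from the post (deny for PC4 before the final permit).
ACL_101_MODIFIED = parse_acl([
    "access-list 101 permit tcp host 10.2.2.7 host 10.1.1.7 eq ftp",
    "access-list 101 deny tcp any host 10.1.1.7 eq ftp",
    "access-list 101 deny ip host 10.3.3.6 10.1.1.0 0.0.0.255",
    "access-list 101 permit ip any any",
])

# Constructed mistake: the deny appended after 'permit ip any any'.
ACL_101_WRONG_ORDER = parse_acl([
    "access-list 101 permit tcp host 10.2.2.7 host 10.1.1.7 eq ftp",
    "access-list 101 deny tcp any host 10.1.1.7 eq ftp",
    "access-list 101 permit ip any any",
    "access-list 101 deny ip host 10.3.3.6 10.1.1.0 0.0.0.255",
])

if __name__ == "__main__":
    for name, acl in [("101", ACL_101), ("101 modified", ACL_101_MODIFIED),
                      ("101 wrong order", ACL_101_WRONG_ORDER)]:
        print(name, "PC4 -> FTPServer port 80:", evaluate(acl, "tcp", "10.3.3.6", "10.1.1.7", 80))
```

The wrong-order list never reaches its deny line, because line 3 already matched everything; that is exactly why the permit has to be removed and re-added when you cannot insert by sequence number.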

Friday, January 21, 2011

CCNA 640-802 Study Note–Access Control List

I have created this lab to practise on Access Control List (ACL).

This is how the network looks like.


In the first case, you were asked to restrict the following traffic.

  • Only Laptop0 in the IT Department Network is allowed to FTP to the FTPServer in the Server Network.
  • All other traffic from all hosts should be allowed into the Server Network.

Extending from the first case, you were told to block PC4 in the Sales Department Network from accessing all resources in the Server Network.  Other hosts in the Sales Department Network should continue to be able to access the resources in the Server Network.  You have to configure the ACL on CoreRouter.

If you have Cisco Packet Tracer 5.3, you can download the Packet Tracer Network File for this setup from http://www.mediafire.com/?nclxqpc4md89syv.

The password for console, vty and privileged EXEC is ccna.  Use the ConsoleLT laptop to console to CoreRouter to perform the task.

I will post my answer to this question tomorrow.  Happy ACLing…

Thursday, January 20, 2011

Passed CCNA Exam

I took my CCNA Exam today and passed with a score of 936.  The exam was not extremely tough provided you have a good understanding of all the topics covered and practise all the IOS commands, either using simulation software or real Cisco devices.

Here are some of my opinions on preparing for the exam.

  • Make sure you have good knowledge of basic networking stuff, and I really mean basic.
  • Know the OSI model well and how it translates to the TCP/IP model.
  • Must understand how things work at Layer 2 (e.g. frames, VLAN, VTP, STP) and at Layer 3 (e.g. IP and routing protocols).
  • Ability to do subnetting, VLSM and wildcard mask fast.  You don’t really have time to do it slowly.
  • Practise a lot on ACL and routing protocols.  Use simulation software or real devices.  Learn how to troubleshoot problems using all the show commands.
  • Have a good basic understanding of IPv6, WLAN, WAN and the router booting process.

When you are taking the exam, it is very important not to panic.  Read the questions and answers carefully.  Do not dwell too long on any one question, because it won’t help and it will eat into the time you need for the other questions.

If you already have a Cisco account, you should try out some of the questions at https://learningnetwork.cisco.com/community/certifications/ccna/ccna_exam?view=overview.

I am still in the “recovery” state after the exam but I will try to post some more of my study notes in the coming days.

Need to have a good night’s sleep to recover.

Tuesday, January 11, 2011

CCNA 640-802 Study Note EIGRP Auto-Summary

By default, EIGRP automatically summarizes routes at the classful boundary.  However, we might want to turn it off in some cases, such as when we have discontiguous networks.  If we don’t disable automatic summarization in this case, the routers might not get the correct routing information.  Here we will simulate such a case.


Continuing from our previous EIGRP setup, we have added a Loopback 1 interface on RouterA and assigned the IP address 172.16.2.1 to it.  We have also configured EIGRP on RouterA to advertise the Loopback 1 network 172.16.0.0.

RouterA#sh ip protocols

Routing Protocol is "eigrp  100 "
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Default networks flagged in outgoing updates 
  Default networks accepted from incoming updates
  EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  EIGRP maximum hopcount 100
  EIGRP maximum metric variance 1
Redistributing: eigrp 100
  Automatic network summarization is in effect 
  Automatic address summarization:
    192.168.1.0/24 for FastEthernet0/0, Serial0/0/1, Serial0/0/0, Loopback1
      Summarizing with metric 128256
    10.0.0.0/8 for Loopback0, Loopback1
      Summarizing with metric 28160
    172.16.0.0/16 for Loopback0, FastEthernet0/0, Serial0/0/1, Serial0/0/0
      Summarizing with metric 128256
  Maximum path: 4
  Routing for Networks: 
     10.0.0.0
     192.168.1.0
     172.16.0.0
  Routing Information Sources: 
    Gateway         Distance      Last Update
    10.140.1.1      90            5377      
    10.23.23.2      90            7263      
  Distance: internal 90 external 170

Now, if we try to ping 172.16.31.100, which is the Loopback 0 interface on the CoreRouter, using the IP address of the Loopback 1 interface on RouterA as the source, it will fail.

RouterA#ping
Protocol [ip]:
Target IP address: 172.16.31.100
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.16.2.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.31.100, timeout is 2 seconds:
Packet sent with a source address of 172.16.2.1
UUUUU
Success rate is 0 percent (0/5)

Let’s check the routing table on RouterA and the CoreRouter to see what’s going on.

On RouterA

RouterA#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
D       10.0.0.0/8 is a summary, 00:47:06, Null0
D       10.1.1.0/24 [90/2172416] via 10.140.1.1, 00:47:01, Serial0/0/0
C       10.2.2.0/24 is directly connected, FastEthernet0/0
D       10.3.3.0/24 [90/2172416] via 10.23.23.2, 00:46:59, Serial0/0/1
C       10.23.23.0/24 is directly connected, Serial0/0/1
C       10.140.1.0/24 is directly connected, Serial0/0/0
D       10.140.2.0/24 [90/2681856] via 10.140.1.1, 00:47:01, Serial0/0/0
                      [90/2681856] via 10.23.23.2, 00:46:58, Serial0/0/1
     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
D       172.16.0.0/16 is a summary, 00:38:09, Null0
C       172.16.2.0/24 is directly connected, Loopback1
     192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
D       192.168.1.0/24 is a summary, 00:47:06, Null0
C       192.168.1.64/28 is directly connected, Loopback0

On CoreRouter

CoreRouter#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
D       10.0.0.0/8 is a summary, 00:47:53, Null0
C       10.1.1.0/24 is directly connected, FastEthernet0/0
D       10.2.2.0/24 [90/2172416] via 10.140.1.2, 00:47:47, Serial0/0/0
D       10.3.3.0/24 [90/2172416] via 10.140.2.2, 00:47:45, Serial0/0/1
D       10.23.23.0/24 [90/2681856] via 10.140.1.2, 00:47:47, Serial0/0/0
                      [90/2681856] via 10.140.2.2, 00:47:45, Serial0/0/1
C       10.140.1.0/24 is directly connected, Serial0/0/0
C       10.140.2.0/24 is directly connected, Serial0/0/1
     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
D       172.16.0.0/16 is a summary, 00:47:53, Null0
C       172.16.31.0/24 is directly connected, Loopback0
D    192.168.1.0/24 [90/2297856] via 10.140.1.2, 00:47:47, Serial0/0/0
                    [90/2297856] via 10.140.2.2, 00:47:45, Serial0/0/1

As shown in the routing tables, EIGRP has summarized the 172.16.2.0/24 and 172.16.31.0/24 networks into 172.16.0.0/16 on both routers, so neither router has a route to the other’s specific subnet; traffic for it matches the 172.16.0.0/16 summary pointing to Null0.

Let’s disable auto-summary on both the routers and check out the routing tables again.

RouterA(config)#router eigrp 100
RouterA(config-router)#no auto-summary

CoreRouter(config)#router eigrp 100
CoreRouter(config-router)#no auto-summary

On RouterA

RouterA#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 6 subnets
D       10.1.1.0 [90/2172416] via 10.140.1.1, 00:00:23, Serial0/0/0
C       10.2.2.0 is directly connected, FastEthernet0/0
D       10.3.3.0 [90/2172416] via 10.23.23.2, 00:04:29, Serial0/0/1
C       10.23.23.0 is directly connected, Serial0/0/1
C       10.140.1.0 is directly connected, Serial0/0/0
D       10.140.2.0 [90/2681856] via 10.23.23.2, 00:04:29, Serial0/0/1
                   [90/2681856] via 10.140.1.1, 00:00:23, Serial0/0/0
     172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
D       172.16.0.0/16 [90/2809856] via 10.23.23.2, 00:00:23, Serial0/0/1
C       172.16.2.0/24 is directly connected, Loopback1
D       172.16.31.0/24 [90/2297856] via 10.140.1.1, 00:00:23, Serial0/0/0
 
     192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
D       192.168.1.0/24 [90/2297856] via 10.23.23.2, 00:04:29, Serial0/0/1
C       192.168.1.64/28 is directly connected, Loopback0

On CoreRouter

CoreRouter#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 6 subnets
C       10.1.1.0 is directly connected, FastEthernet0/0
D       10.2.2.0 [90/2172416] via 10.140.1.2, 00:00:07, Serial0/0/0
D       10.3.3.0 [90/2172416] via 10.140.2.2, 00:00:07, Serial0/0/1
D       10.23.23.0 [90/2681856] via 10.140.1.2, 00:00:07, Serial0/0/0
                   [90/2681856] via 10.140.2.2, 00:00:07, Serial0/0/1
C       10.140.1.0 is directly connected, Serial0/0/0
C       10.140.2.0 is directly connected, Serial0/0/1
     172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
D       172.16.0.0/16 [90/2809856] via 10.140.2.2, 00:00:07, Serial0/0/1
D       172.16.2.0/24 [90/2297856] via 10.140.1.2, 00:00:07, Serial0/0/0
C       172.16.31.0/24 is directly connected, Loopback0
     192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
D       192.168.1.0/24 [90/2297856] via 10.140.2.2, 00:00:07, Serial0/0/1
D       192.168.1.64/28 [90/2297856] via 10.140.1.2, 00:00:07, Serial0/0/0

With auto-summary disabled, both routers are exchanging subnet information.  If we try the ping test again, it should work now.

RouterA#ping
Protocol [ip]:
Target IP address: 172.16.31.100
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.16.2.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.31.100, timeout is 2 seconds:
Packet sent with a source address of 172.16.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/5 ms

Automatic is not always the best!
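The failing and then succeeding ping can be reproduced with a longest-prefix-match lookup over RouterA’s two routing tables from this post. The Python below is an added example, not from the original post: classful_summary shows the boundary EIGRP summarizes at, and lookup shows why 172.16.31.100 hits the Null0 summary with auto-summary on and the 172.16.31.0/24 route via 10.140.1.1 once it is off (RouterB was not changed in the post, so its /16 summary is still in the table but loses to the longer prefix). The next-hop strings are my own compact rendering of the table entries.

```python
import ipaddress


def classful_summary(prefix: str) -> str:
    """The classful (major) network a subnet is summarized into:
    Class A -> /8, Class B -> /16, Class C -> /24."""
    net = ipaddress.ip_network(prefix, strict=False)
    first_octet = int(net.network_address) >> 24
    if first_octet < 128:
        plen = 8
    elif first_octet < 192:
        plen = 16
    elif first_octet < 224:
        plen = 24
    else:
        raise ValueError("not a classful unicast network")
    return str(ipaddress.ip_network(f"{net.network_address}/{plen}", strict=False))


def auto_summaries(subnets):
    """Group subnets by their classful network, as EIGRP auto-summary does
    when advertising across a major-network boundary."""
    groups = {}
    for s in subnets:
        groups.setdefault(classful_summary(s), []).append(s)
    return groups


def lookup(table, destination: str):
    """Longest-prefix match over a list of (prefix, next hop) entries.
    Returns the winning (prefix, next hop), or None if nothing matches."""
    dst = ipaddress.ip_address(destination)
    best, best_len = None, -1
    for prefix, nexthop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and net.prefixlen > best_len:
            best, best_len = (prefix, nexthop), net.prefixlen
    return best


# RouterA's table with auto-summary on (summary routes point to Null0).
ROUTERA_AUTO_SUMMARY = [
    ("10.0.0.0/8", "Null0"),
    ("10.1.1.0/24", "10.140.1.1 Serial0/0/0"),
    ("10.2.2.0/24", "FastEthernet0/0"),
    ("10.3.3.0/24", "10.23.23.2 Serial0/0/1"),
    ("10.23.23.0/24", "Serial0/0/1"),
    ("10.140.1.0/24", "Serial0/0/0"),
    ("10.140.2.0/24", "10.140.1.1 Serial0/0/0"),
    ("172.16.0.0/16", "Null0"),
    ("172.16.2.0/24", "Loopback1"),
    ("192.168.1.0/24", "Null0"),
    ("192.168.1.64/28", "Loopback0"),
]

# RouterA's table after "no auto-summary" on RouterA and CoreRouter.
ROUTERA_NO_AUTO_SUMMARY = [
    ("10.1.1.0/24", "10.140.1.1 Serial0/0/0"),
    ("10.2.2.0/24", "FastEthernet0/0"),
    ("10.3.3.0/24", "10.23.23.2 Serial0/0/1"),
    ("10.23.23.0/24", "Serial0/0/1"),
    ("10.140.1.0/24", "Serial0/0/0"),
    ("10.140.2.0/24", "10.23.23.2 Serial0/0/1"),
    ("172.16.0.0/16", "10.23.23.2 Serial0/0/1"),
    ("172.16.2.0/24", "Loopback1"),
    ("172.16.31.0/24", "10.140.1.1 Serial0/0/0"),
    ("192.168.1.0/24", "10.23.23.2 Serial0/0/1"),
    ("192.168.1.64/28", "Loopback0"),
]

if __name__ == "__main__":
    print(auto_summaries(["172.16.2.0/24", "172.16.31.0/24"]))
    print("auto-summary on :", lookup(ROUTERA_AUTO_SUMMARY, "172.16.31.100"))
    print("auto-summary off:", lookup(ROUTERA_NO_AUTO_SUMMARY, "172.16.31.100"))
```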

Sunday, January 09, 2011

CCNA 640-802 Study Note Enhanced Interior Gateway Routing Protocol (EIGRP)

Besides OSPF, EIGRP is another routing protocol that supports classless routing.  EIGRP is an advanced distance-vector routing protocol developed by Cisco, whereas OSPF is a link-state routing protocol.

We have a similar network setup as the OSPF lab but this time we are going to implement EIGRP instead of OSPF.


We will run the following commands on RouterA, RouterB and the CoreRouter.

On CoreRouter
CoreRouter(config)#router eigrp 100
CoreRouter(config-router)#network 10.0.0.0
CoreRouter(config-router)#network 172.16.31.0

On RouterB
RouterB(config)#router eigrp 100
RouterB(config-router)#network 10.0.0.0
RouterB(config-router)#network 192.168.1.0

On RouterA
RouterA(config)#router eigrp 100
RouterA(config-router)#network 10.0.0.0
RouterA(config-router)#network 192.168.1.0

The router eigrp 100 command creates an EIGRP routing process with an Autonomous System (AS) number of 100.  The AS number must be the same on all routers exchanging routing information with each other.

The network command defines the major network number to which the router is directly connected.

I wanted to test out EIGRP authentication, but unfortunately the Cisco Packet Tracer simulator does not have the commands for configuring it.  I only managed to run the commands on a physical router (2600 series).  Below are the commands I used on the physical router.

RouterA(config)#key chain RouterAChain
RouterA(config-keychain)#key 1
RouterA(config-keychain-key)#key-string apple
RouterA(config-keychain-key)#int s0/0/0
RouterA(config-if)#ip authentication mode eigrp 100 md5
RouterA(config-if)#ip authentication key-chain eigrp 100 RouterAChain
RouterA(config-if)#int s0/0/1
RouterA(config-if)#ip authentication mode eigrp 100 md5
RouterA(config-if)#ip authentication key-chain eigrp 100 RouterAChain

Basically, we need to do the following to enable MD5 authentication for the EIGRP routing exchange.

  1. Create a key chain on each of the routers taking part in the EIGRP routing exchange.  For example, key chain RouterAChain.
  2. Create key(s) for the key chain.  For example, key 1.
  3. Assign a password to the key.  For example, key-string apple, where apple is the password.
  4. Configure the interfaces to use authentication.  ip authentication mode eigrp 100 md5 enables MD5 authentication, and ip authentication key-chain eigrp 100 RouterAChain specifies that the RouterAChain key chain is to be used.

We can use the following command to check on the key chain configuration.

RouterA#sh key chain
Key-chain RouterAChain:
    key 1 -- text "apple"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
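To show what the key chain is doing, here is an added Python model (my own, not Cisco’s implementation) of keys with accept and send lifetimes, send-key selection and keyed-MD5 verification of a constructed EIGRP packet. Assumptions: the lowest-numbered key valid for sending is used, lifetimes are plain (start, end) epoch seconds, and the digest is MD5 over packet plus key-string, which mirrors the idea but not Cisco’s on-wire layout.

```python
import hashlib
import hmac

# "(always valid) - (always valid)" as printed by sh key chain.
ALWAYS = (float("-inf"), float("inf"))


class Key:
    """One key in a key chain, with accept and send lifetimes as
    (start, end) epoch seconds (model simplification)."""

    def __init__(self, key_id, key_string, accept=ALWAYS, send=ALWAYS):
        self.key_id, self.key_string = key_id, key_string
        self.accept, self.send = accept, send

    def accept_valid(self, now):
        return self.accept[0] <= now <= self.accept[1]

    def send_valid(self, now):
        return self.send[0] <= now <= self.send[1]


class KeyChain:
    def __init__(self, name):
        self.name, self.keys = name, {}

    def add(self, key):
        self.keys[key.key_id] = key
        return self

    def send_key(self, now):
        """Lowest-numbered key whose send lifetime covers now (assumption)."""
        for key_id in sorted(self.keys):
            if self.keys[key_id].send_valid(now):
                return self.keys[key_id]
        return None


def digest(packet: bytes, key_string: str) -> str:
    """Keyed MD5 over packet + secret. Simplified: Cisco's on-wire layout
    (where the key id and digest sit in the packet) is not reproduced."""
    return hashlib.md5(packet + key_string.encode()).hexdigest()


def sign(chain, packet, now):
    """Return (key id, digest) for an outgoing packet, or raise if no
    key in the chain is currently valid for sending."""
    key = chain.send_key(now)
    if key is None:
        raise RuntimeError(f"key chain {chain.name}: no key valid for sending")
    return key.key_id, digest(packet, key.key_string)


def verify(chain, packet, key_id, received_digest, now):
    """Accept only if the key id exists locally, its accept lifetime covers
    now, and the digest matches (constant-time comparison)."""
    key = chain.keys.get(key_id)
    if key is None or not key.accept_valid(now):
        return False
    return hmac.compare_digest(digest(packet, key.key_string), received_digest)


# Constructed sample data: the chain from the post on both routers, a peer
# with the wrong key-string, and a rotating chain whose key 1 has expired.
SAMPLE_PACKET = b"EIGRP HELLO AS100 (constructed sample, not a real packet)"
CHAIN_A = KeyChain("RouterAChain").add(Key(1, "apple"))
CHAIN_CORE = KeyChain("CoreChain").add(Key(1, "apple"))
CHAIN_WRONG = KeyChain("WrongChain").add(Key(1, "banana"))
CHAIN_ROTATING = KeyChain("Rotating").add(Key(1, "apple", send=(0, 500))).add(Key(2, "pear"))

if __name__ == "__main__":
    key_id, d = sign(CHAIN_A, SAMPLE_PACKET, now=1000)
    print("CoreRouter accepts:", verify(CHAIN_CORE, SAMPLE_PACKET, key_id, d, now=1000))
    print("wrong key accepts :", verify(CHAIN_WRONG, SAMPLE_PACKET, key_id, d, now=1000))
    print("rotating sends key", sign(CHAIN_ROTATING, SAMPLE_PACKET, now=1000)[0])
```

The rotating chain is the reason key chains exist rather than a single interface password: key 2 can be added and accepted on both sides before key 1’s send lifetime ends, so the secret changes without dropping adjacencies.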

We use the following show commands to verify our EIGRP routing.

  • sh ip route – show the routing table and verify routes learned by EIGRP.
  • sh ip protocols – verify that EIGRP is enabled and that the router recognizes the autonomous system (our AS number is 100).
  • sh ip eigrp neighbors – check the neighbors’ status.

Here are the outputs of the 3 show commands on RouterA.

The entries with code D (shown in red in the original post) are routes learned by EIGRP.

RouterA#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
D       10.0.0.0/8 is a summary, 00:09:35, Null0
D       10.1.1.0/24 [90/2172416] via 10.140.1.1, 00:09:25, Serial0/0/0
C       10.2.2.0/24 is directly connected, FastEthernet0/0
D       10.3.3.0/24 [90/2172416] via 10.23.23.2, 00:09:29, Serial0/0/1
C       10.23.23.0/24 is directly connected, Serial0/0/1
C       10.140.1.0/24 is directly connected, Serial0/0/0
D       10.140.2.0/24 [90/2681856] via 10.23.23.2, 00:09:27, Serial0/0/1
                      [90/2681856] via 10.140.1.1, 00:09:25, Serial0/0/0
D    172.16.0.0/16 [90/2297856] via 10.140.1.1, 00:09:25, Serial0/0/0
     192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
D       192.168.1.0/24 is a summary, 00:09:35, Null0
C       192.168.1.64/28 is directly connected, Loopback0

Our AS number is 100.

RouterA#sh ip protocols

Routing Protocol is "eigrp  100 "
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Default networks flagged in outgoing updates 
  Default networks accepted from incoming updates
  EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  EIGRP maximum hopcount 100
  EIGRP maximum metric variance 1
Redistributing: eigrp 100
  Automatic network summarization is in effect 
  Automatic address summarization:
    192.168.1.0/24 for FastEthernet0/0, Serial0/0/1, Serial0/0/0
      Summarizing with metric 128256
    10.0.0.0/8 for Loopback0
      Summarizing with metric 28160
  Maximum path: 4
  Routing for Networks: 
     10.0.0.0
     192.168.1.0
  Routing Information Sources: 
    Gateway         Distance      Last Update
    10.23.23.2      90            5960      
    10.140.1.1      90            9360      
  Distance: internal 90 external 170

We can see the status of the neighbors connected to s0/0/0 and s0/0/1.

RouterA#sh ip eigrp neighbors
IP-EIGRP neighbors for process 100
H   Address         Interface      Hold Uptime    SRTT   RTO   Q   Seq
                                   (sec)          (ms)        Cnt  Num
0   10.23.23.2      Se0/0/1        11   00:25:01  40     1000  0   11
1   10.140.1.1      Se0/0/0        10   00:24:57  40     1000  0   12

Do a ping test to the TFTP server and it should work.

RouterA#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 47/59/63 ms

Okay, we now have EIGRP running on our network.

CCNA 640-802 Study Note Troubleshooting OSPF

Continuing from our previous setup, we now have a routing issue on RouterA.


From RouterA, we tried to ping the TFTP server 10.1.1.1 but the ping test failed.

RouterA#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

So, first we make sure that the serial interfaces are in the up/up state.

RouterA#sh ip int s0/0/0
Serial0/0/0 is up, line protocol is up (connected)
  Internet address is 10.140.1.2/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500
  <Output cut>

RouterA#sh ip int s0/0/1
Serial0/0/1 is up, line protocol is up (connected)
  Internet address is 10.23.23.1/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500
<Output cut>

Okay, both serial interfaces are in the up/up state.  Now, let’s check the routing table.

RouterA#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 3 subnets
C       10.2.2.0 is directly connected, FastEthernet0/0
C       10.23.23.0 is directly connected, Serial0/0/1
C       10.140.1.0 is directly connected, Serial0/0/0
     192.168.1.0/28 is subnetted, 1 subnets
C       192.168.1.64 is directly connected, Loopback0

Hmm…, all the OSPF route entries are missing.  Let’s check on the routing protocols on the router.

RouterA#sh ip protocols

Routing Protocol is "ospf 100"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Router ID 192.168.1.65
  Number of areas in this router is 1. 1 normal 0 stub 0 nssa
  Maximum path: 4
  Routing for Networks:
    192.168.1.65 0.0.0.0 area 0
  Routing Information Sources: 
    Gateway         Distance      Last Update
  Distance: (default is 110)

Okay, the OSPF process 100 is still running but there is only 1 network configured for routing and that is on the loopback interface.

Let’s check on the OSPF statistics on the 2 serial interfaces and the Fast Ethernet interface. 

RouterA#sh ip ospf int s0/0/0
%OSPF: OSPF not enabled on Serial0/0/0

RouterA#sh ip ospf int s0/0/1
%OSPF: OSPF not enabled on Serial0/0/1

RouterA#sh ip ospf int f0/0
%OSPF: OSPF not enabled on FastEthernet0/0

Try checking the status of the OSPF neighbour using the sh ip ospf neighbor command and it returns nothing.

Okay, someone has removed the other 3 networks from the OSPF process.  Let’s quickly put them back.

RouterA(config)#router ospf 100
RouterA(config-router)#network 10.2.2.3 0.0.0.0 area 0
RouterA(config-router)#network 10.140.1.2 0.0.0.0 area 0
RouterA(config-router)#network 10.23.23.1 0.0.0.0 area 0

Let’s check the OSPF routing protocol again.

RouterA#sh ip protocols

Routing Protocol is "ospf 100"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Router ID 192.168.1.65
  Number of areas in this router is 1. 1 normal 0 stub 0 nssa
  Maximum path: 4
  Routing for Networks:
    192.168.1.65 0.0.0.0 area 0
    10.2.2.3 0.0.0.0 area 0
    10.140.1.2 0.0.0.0 area 0
    10.23.23.1 0.0.0.0 area 0
  Routing Information Sources: 
    Gateway         Distance      Last Update
  Distance: (default is 110)

Good, the other 3 networks have been added back.  We can also use the sh ip ospf int command to verify this.

Let’s retry the ping test.

RouterA#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

What?  It still failed, and if you check the routing table, there are still no routing entries from OSPF.

RouterA#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 3 subnets
C       10.2.2.0 is directly connected, FastEthernet0/0
C       10.23.23.0 is directly connected, Serial0/0/1
C       10.140.1.0 is directly connected, Serial0/0/0
     192.168.1.0/28 is subnetted, 1 subnets
C       192.168.1.64 is directly connected, Loopback0

What’s going on now?  Should I wait longer?  It shouldn’t take that long for such a tiny network.  Okay, let’s turn on debugging for the OSPF process.

RouterA#debug ip ospf events
OSPF events debugging is on
RouterA#
00:50:14: OSPF: Rcv pkt from  10.140.1.1, Serial0/0/0 : Mismatch Authentication type. Input packet specified type 1, we use type 0

00:50:23: OSPF: Rcv pkt from  10.23.23.2, Serial0/0/1 : Mismatch Authentication type. Input packet specified type 1, we use type 0

Alright, there is a mismatch in authentication type.  RouterA is using type 0 (null or no authentication) but RouterB and CoreRouter are using type 1 (plaintext authentication).  If it shows type 2 then it is MD5.  Stop the debugging using the no debug all command.

no debug all
All possible debugging has been turned off

Remember that in the previous setup, we enabled plaintext authentication and used pass-word as our password.  Let us re-enable plaintext authentication with pass-word as the password on both serial interfaces.

RouterA(config)#int s0/0/0
RouterA(config-if)#ip ospf authentication-key pass-word
RouterA(config-if)#ip ospf authentication
RouterA(config-if)#int s0/0/1
RouterA(config-if)#ip ospf authentication-key pass-word
RouterA(config-if)#ip ospf authentication
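Both faults found in this post, interfaces not covered by a network statement and an authentication-type mismatch, can be checked in a small model. The Python below is an added example, not IOS code: ospf_enabled_interfaces applies the wildcard-mask rule a network statement uses to decide which interfaces run OSPF (with RouterA’s interface addresses from this post), and check_hello reproduces the type-mismatch decision in the same wording as the debug ip ospf events line above. The key-mismatch message is my own wording, not IOS output, and keys are compared directly rather than through an MD5 digest.

```python
import ipaddress


def wildcard_match(network_ip: str, wildcard: str, iface_ip: str) -> bool:
    """Wildcard bit 0 = must match, bit 1 = don't care (same rule as ACLs).
    A 0.0.0.0 wildcard therefore matches exactly one interface address."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(iface_ip)) & care) == (int(ipaddress.IPv4Address(network_ip)) & care)


def ospf_enabled_interfaces(network_statements, interfaces):
    """network_statements: list of (ip, wildcard, area) in configuration order.
    interfaces: dict interface name -> primary IPv4 address.
    Returns {interface: area} for every interface some statement covers
    (first match wins). Interfaces missing from the result are the ones for
    which 'sh ip ospf int' reports 'OSPF not enabled'."""
    enabled = {}
    for name, ip in interfaces.items():
        for net_ip, wild, area in network_statements:
            if wildcard_match(net_ip, wild, ip):
                enabled[name] = area
                break
    return enabled


AUTH_NAMES = {0: "null", 1: "plaintext", 2: "md5"}


def check_hello(local, packet, sender, iface):
    """local / packet: {'auth_type': 0|1|2, 'key': str or None}.
    Returns None when the hello is accepted, otherwise the rejection reason.
    The type-mismatch text copies the debug ip ospf events line format; the
    key-mismatch text is this model's own wording."""
    if local["auth_type"] != packet["auth_type"]:
        return (f"OSPF: Rcv pkt from  {sender}, {iface} : Mismatch Authentication type. "
                f"Input packet specified type {packet['auth_type']}, we use type {local['auth_type']}")
    if local["auth_type"] in (1, 2) and local["key"] != packet["key"]:
        return f"{AUTH_NAMES[local['auth_type']]} authentication key mismatch from {sender} on {iface} (model message)"
    return None


# RouterA's interface addresses, from the network statements in this post.
ROUTERA_INTERFACES = {
    "Serial0/0/0": "10.140.1.2",
    "Serial0/0/1": "10.23.23.1",
    "FastEthernet0/0": "10.2.2.3",
    "Loopback0": "192.168.1.65",
}

# What sh ip protocols showed before and after the networks were put back.
STATEMENTS_BEFORE = [("192.168.1.65", "0.0.0.0", 0)]
STATEMENTS_AFTER = STATEMENTS_BEFORE + [
    ("10.2.2.3", "0.0.0.0", 0),
    ("10.140.1.2", "0.0.0.0", 0),
    ("10.23.23.1", "0.0.0.0", 0),
]

if __name__ == "__main__":
    print("before:", ospf_enabled_interfaces(STATEMENTS_BEFORE, ROUTERA_INTERFACES))
    print("after :", ospf_enabled_interfaces(STATEMENTS_AFTER, ROUTERA_INTERFACES))
    print(check_hello({"auth_type": 0, "key": None},
                      {"auth_type": 1, "key": "pass-word"}, "10.140.1.1", "Serial0/0/0"))
```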

We shall check on the routing table again.

RouterA#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 6 subnets
O       10.1.1.0 [110/1563] via 10.140.1.1, 00:01:13, Serial0/0/0
C       10.2.2.0 is directly connected, FastEthernet0/0
O       10.3.3.0 [110/1563] via 10.23.23.2, 00:00:53, Serial0/0/1
C       10.23.23.0 is directly connected, Serial0/0/1
C       10.140.1.0 is directly connected, Serial0/0/0
O       10.140.2.0 [110/3124] via 10.140.1.1, 00:01:13, Serial0/0/0
                   [110/3124] via 10.23.23.2, 00:00:53, Serial0/0/1
     172.16.0.0/32 is subnetted, 1 subnets
O       172.16.31.99 [110/1563] via 10.140.1.1, 00:01:13, Serial0/0/0
     192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.1.64/28 is directly connected, Loopback0
O       192.168.1.81/32 [110/1563] via 10.23.23.2, 00:00:53, Serial0/0/1

Oh great, our missing routing entries have come back.  Do the ping test again.

RouterA#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 33/56/63 ms

YEAH! RouterA is routing again!  Now that the mystery has been solved, let’s call it a day.  Before that, remember to save your running configuration to the startup configuration!  See you again.

Saturday, January 08, 2011

CCNA 640-802 Study Note Open Shortest Path First (OSPF)

In the previous CCNA study note, we had a look at VLSM and some benefits of using it.  But how do we use these classless networks and move packets between different networks?  Yes, we need IP routing, and that is the job of a router.  We also need to use a routing protocol that supports VLSM.  RIPv2, EIGRP and OSPF are such routing protocols.  We will be looking at implementing OSPF on routers.

By the way, there is a difference between a routing protocol and a routed protocol.  Routing protocols such as RIPv2, EIGRP and OSPF are used by routers to exchange routing information between networks, allowing routers to build their routing tables dynamically.  A routed protocol is any network protocol that provides enough information in its network layer address to allow a packet to be forwarded from one host to another based on the addressing scheme, without knowing the entire path from source to destination.  IP is an example of a routed protocol.

Okay, let’s try implementing OSPF in our simple setup here.

image

We have the 3 routers connected to each other via serial connections, so we need to assign a clock rate at the DCE end.  You can use the sh controllers serial command to check which side is DCE or DTE and also the clock rate.  The example below shows that the interface is DCE but has no clock rate set.

CoreRouter#sh controllers serial 0/0/1
Interface Serial0/0/1
Hardware is PowerQUICC MPC860
DCE V.35, no clock
idb at 0x81081AC4, driver data structure at 0x81084AC0
SCC Registers:
General [GSMR]=0x2:0x00000000, Protocol-specific [PSMR]=0x8
Events [SCCE]=0x0000, Mask [SCCM]=0x0000, Status [SCCS]=0x00
Transmit on Demand [TODR]=0x0, Data Sync [DSR]=0x7E7E

You can set the clock rate using the clock rate command.

CoreRouter(config)#int s0/0/1
CoreRouter(config-if)#clock rate 64000

Before we configure OSPF on the 3 routers (RouterA, RouterB and CoreRouter), we will do a simple ping test.

On each router, ping the IP address of the directly connected interface of each neighbour device.  For example, on RouterA, ping 10.2.2.11 (SwitchA VLAN 1), 10.23.23.2 (RouterB s0/0/1) and 10.140.1.1 (CoreRouter s0/0/0).  The pings should be successful because these networks are all directly connected, as shown in the routing table.

RouterA#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 3 subnets
C       10.2.2.0 is directly connected, FastEthernet0/0
C       10.23.23.0 is directly connected, Serial0/0/1
C       10.140.1.0 is directly connected, Serial0/0/0

However, if you try to ping 10.1.1.3 from RouterA, it will fail because RouterA has no idea how to route that packet to 10.1.1.3.  That’s why we need a routing protocol to find and fill in these entries in the routing table.  We will configure the OSPF routing protocol on the 3 routers to make our simple network routable.

We start by configuring a loopback interface on each router and assigning it an IP address higher than the IP addresses of the other interfaces on that router.  For example, we configure loopback interface 0 on RouterA with IP address 192.168.1.65/28.  We are doing this so that the IP address of the loopback interface will become the router ID when the OSPF process starts.  The highest IP address on an active interface at the moment the OSPF process starts up will become the router ID.

Next we will enable OSPF and configure the OSPF network using the following commands.

router ospf process-id
    This command enables OSPF.  process-id is a unique ID that identifies the OSPF process on a router.  It does not need to match the OSPF process-id on other OSPF routers.

network address wildcard-mask area-id
    This command identifies which IP networks on the router are part of the OSPF network.
    address is the IP network to be included.
    wildcard-mask identifies the part of the IP address to be matched.  A 0 bit must match and a 1 bit is don’t care.
    area-id is the area to be associated with the OSPF address range.

Below is how we enable and configure OSPF on RouterA.  100 is the process-id and for simplicity, all wildcard-masks are 0.0.0.0 (match all 32 bits of the IP address).  192.168.1.65, 10.2.2.3, 10.140.1.2 and 10.23.23.1 are the IP addresses configured on the 4 interfaces of RouterA (including the loopback interface).

RouterA(config)#router ospf 100
RouterA(config-router)#network 192.168.1.65 0.0.0.0 area 0
RouterA(config-router)#network 10.2.2.3 0.0.0.0 area 0
RouterA(config-router)#network 10.140.1.2 0.0.0.0 area 0
RouterA(config-router)#network 10.23.23.1 0.0.0.0 area 0

A similar configuration is applied on RouterB and CoreRouter.  Remember that the process-id need not be the same, but for ease of remembering we will keep it the same.  The addresses will be different for each router, but the area-id must be the same (0 in this case).

Next, on each router, we set the bandwidth of all the serial interfaces to 64Kb.  Bandwidth is one of the elements used by routing protocols (in this case OSPF) to determine the best route.  Setting the bandwidth does not increase or decrease the speed of the physical link.  You might want to check out Clarifying the Cisco IOS bandwidth command if you are still confused.  Below is an example of setting the bandwidth to 64Kb on s0/0/0 of RouterA.

RouterA(config)#int s0/0/0
RouterA(config-if)#bandwidth 64

The sh int command can be used to verify the bandwidth set.

RouterA#sh int s0/0/0
Serial0/0/0 is up, line protocol is up (connected)
  Hardware is HD64570
  Internet address is 10.140.1.2/24
  MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, loopback not set, keepalive set (10 sec)

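As an added example (not code from the original study note), the two mechanisms just described can be worked through in Python: how a network statement picks interfaces with its wildcard mask, and how OSPF turns the configured bandwidth into an interface cost and a route metric.  The interface addresses are RouterA’s from the note; the function names are this example’s own, and the example goes slightly beyond the note by also showing a single statement with a non-zero wildcard covering several interfaces.

```python
# Added example (not part of the original study note): OSPF network-statement
# matching with a wildcard mask, and cost/metric derivation from bandwidth.
import ipaddress

REFERENCE_BANDWIDTH_BPS = 100_000_000   # Cisco default reference bandwidth (10^8 bit/s)

# RouterA's four interfaces, as configured in the note.
ROUTERA_INTERFACES = {
    "Loopback0": "192.168.1.65",
    "FastEthernet0/0": "10.2.2.3",
    "Serial0/0/0": "10.140.1.2",
    "Serial0/0/1": "10.23.23.1",
}


def wildcard_match(ip, address, wildcard):
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is don't-care."""
    ip_i = int(ipaddress.IPv4Address(ip))
    addr_i = int(ipaddress.IPv4Address(address))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (ip_i & care) == (addr_i & care)


def ospf_interfaces(interfaces, network_statements):
    """Map each interface covered by a network statement to its area.

    network_statements is a list of (address, wildcard, area).  An interface that
    matches no statement stays out of OSPF.  Simplification (this example's
    assumption): the first matching statement wins, i.e. no interface is
    claimed by two areas."""
    enabled = {}
    for name, ip in interfaces.items():
        for address, wildcard, area in network_statements:
            if wildcard_match(ip, address, wildcard):
                enabled[name] = area
                break
    return enabled


def ospf_cost(bandwidth_kbit):
    """Interface cost = reference bandwidth / interface bandwidth, truncated, never below 1."""
    return max(1, REFERENCE_BANDWIDTH_BPS // (bandwidth_kbit * 1000))


def route_metric(interface_bandwidths_kbit):
    """Metric of a route = sum of the outgoing interface costs along the path."""
    return sum(ospf_cost(bw) for bw in interface_bandwidths_kbit)


if __name__ == "__main__":
    # The note's per-interface style: one statement per address, wildcard 0.0.0.0.
    exact = [(ip, "0.0.0.0", 0) for ip in ROUTERA_INTERFACES.values()]
    print(ospf_interfaces(ROUTERA_INTERFACES, exact))
    # One classful-style statement that covers the three 10.x interfaces only.
    print(ospf_interfaces(ROUTERA_INTERFACES, [("10.0.0.0", "0.255.255.255", 0)]))
    # 64 kbit serial -> cost 1562; serial + FastEthernet hop -> metric 1563.
    print(ospf_cost(64), route_metric([64, 100000]), route_metric([64, 64]))
```

The cost values reproduce what the note’s own outputs show: a 64Kb serial interface costs 1562, a serial hop followed by a FastEthernet hop gives the 1563 seen in the routing tables, and two serial hops give 3124.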
By default, OSPF uses null authentication, so routing exchanges over the network are not authenticated.  OSPF supports 2 types of authentication: plaintext password and MD5.  Here we are going to set up plaintext password authentication for the routing exchanges.  Keep in mind that a plaintext key is carried in the clear in every OSPF packet, so it only prevents accidental or misconfigured adjacencies; MD5 is the option to use where someone could be listening on the link.

On each of the serial interfaces, we assign a password and enable OSPF authentication.  Below is an example of setting pass-word as the password on s0/0/0 of CoreRouter.  The last command, ip ospf authentication, enables the authentication.  All the serial interfaces must have the same password and authentication setup for it to work.

CoreRouter(config)#int s0/0/0
CoreRouter(config-if)#ip ospf authentication-key pass-word
CoreRouter(config-if)#ip ospf authentication

The sh ip ospf int command can be used to verify that plaintext password authentication has been enabled.

CoreRouter#sh ip ospf int s0/0/0
Serial0/0/0 is up, line protocol is up
  Internet address is 10.140.1.1/24, Area 0
  Process ID 100, Router ID 172.16.31.99, Network Type POINT-TO-POINT, Cost: 1562
  Transmit Delay is 1 sec, State POINT-TO-POINT, Priority 0
  No designated router on this network
  No backup designated router on this network
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:08
  Index 4/4, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1 , Adjacent neighbor count is 1
    Adjacent with neighbor 192.168.1.65
  Suppress hello for 0 neighbor(s)
 
Simple password authentication enabled

Now we shall verify our OSPF configuration and test it out.

We will take a look at the routing table on each router first.  Below is an example from CoreRouter.  The entries with code O are those learned by OSPF.  We can see that it now has routing information for networks other than those that are directly connected.  For example, to reach the 10.3.3.0 network, the packet will be routed to 10.140.2.2 (IP address of the s0/0/0 interface on RouterB) out of its own s0/0/1 interface.  RouterB has a direct connection to the 10.3.3.0 network.

CoreRouter#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 6 subnets
C       10.1.1.0 is directly connected, FastEthernet0/0
O       10.2.2.0 [110/1563] via 10.140.1.2, 02:35:07, Serial0/0/0
O       10.3.3.0 [110/1563] via 10.140.2.2, 02:34:57, Serial0/0/1
O       10.23.23.0 [110/3124] via 10.140.2.2, 02:34:57, Serial0/0/1
                   [110/3124] via 10.140.1.2, 02:34:57, Serial0/0/0
C       10.140.1.0 is directly connected, Serial0/0/0
C       10.140.2.0 is directly connected, Serial0/0/1
     172.16.0.0/28 is subnetted, 1 subnets
C       172.16.31.96 is directly connected, Loopback0
     192.168.1.0/32 is subnetted, 2 subnets
O       192.168.1.65 [110/1563] via 10.140.1.2, 02:35:07, Serial0/0/0
O       192.168.1.81 [110/1563] via 10.140.2.2, 02:34:57, Serial0/0/1

Next, we use the sh ip protocols command to verify that the configuration of our OSPF is correct.  Below is an example from CoreRouter.  Here we can check that the process-id is correct, that the router ID is the IP address of the loopback interface and that we have added all the necessary networks.

CoreRouter#sh ip protocols

Routing Protocol is "ospf 100"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Router ID 172.16.31.99
  Number of areas in this router is 1. 1 normal 0 stub 0 nssa
  Maximum path: 4
  Routing for Networks:
    172.16.31.99 0.0.0.0 area 0
    10.1.1.3 0.0.0.0 area 0
    10.140.1.1 0.0.0.0 area 0
    10.140.2.1 0.0.0.0 area 0
  Routing Information Sources: 
    Gateway         Distance      Last Update
    10.140.1.2           110      00:14:25
    10.140.2.2           110      00:14:25
  Distance: (default is 110)

Finally, we can use the sh ip ospf neighbor command to check the status of the neighbours.  The state should be FULL when the router and its neighbour have successfully formed an OSPF adjacency.

CoreRouter#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.1.65      0   FULL/  -        00:00:38    10.140.1.2      Serial0/0/0
192.168.1.81      0   FULL/  -        00:00:32    10.140.2.2      Serial0/0/1

Alright, we have just implemented OSPF on our simple little network. Hurray!

Wednesday, January 05, 2011

CCNA 640-802 Study Note Subnetting, VLSM and Route Summarization

You are given a class A network 10.0.0.0/8 (the /8 is known as the classful prefix length of a class A network).  However, you have 4 VLANs, so you need 4 different networks, one for each VLAN.  Getting more networks is not an option, so you figure out that you need to do subnetting.  Just what will it look like after subnetting?

Two simple rules to remember:

The number of subnets available depends on the number of bits borrowed from the host ID.  In this case, we need 4 subnets, so we need to borrow 2 bits from the host ID (2^2 = 4).

The number of hosts per subnet depends on the number of bits not borrowed from the host ID.  In this case, 22 bits remain in the host ID.  Therefore, each subnet can have 2^22 – 2 = 4,194,302 hosts.  We need to subtract 2 because one address is reserved as the network address (e.g. 10.0.0.0, 10.64.0.0, 10.128.0.0, 10.192.0.0) and one address is reserved as the broadcast address (e.g. 10.63.255.255, 10.127.255.255, 10.191.255.255, 10.255.255.255).

Another example, using the class B network 172.18.0.0/16.  We need 100 subnets and want to maximize the number of host addresses in each subnet.

So we need to find out how many bits are needed to get 100 subnets.  If we choose 6 bits, we only get 64 subnets, so we try 7.  7 bits will give us 128 subnets, so we borrow 7 bits from the host ID.

What will be the new subnet mask?  Since we have borrowed 7 bits, the new prefix length will be /23 (8+8+7) and the subnet mask will be 255.255.254.0.  If you look at the table below, treat each column as 1 bit and add up the first 7 columns from left to right, you will get 254 (128+64+32+16+8+4+2).  In this case, it is faster to just take 255-1.

  128    64    32    16     8     4     2     1
  2^7   2^6   2^5   2^4   2^3   2^2   2^1   2^0

What will be the first 5 subnets?  The first 5 subnets will be 172.18.0.0, 172.18.2.0, 172.18.4.0, 172.18.6.0 and 172.18.8.0.  You can use the table below to verify.  The first 7 bits of the third octet are the ones borrowed for subnetting.  One trick to do this faster is to take the number of bits left over in the octet where the host bits have been borrowed and raise 2 to that power.  In this case, one bit remains in the 3rd octet and 2^1 = 2.  Therefore, each subnet increases by 2.

Subnets Binary form
172.18.0.0 1010 1100.0001 0010.0000 0000.0000 0000
172.18.2.0 1010 1100.0001 0010.0000 0010.0000 0000
172.18.4.0 1010 1100.0001 0010.0000 0100.0000 0000
172.18.6.0 1010 1100.0001 0010.0000 0110.0000 0000
172.18.8.0 1010 1100.0001 0010.0000 1000.0000 0000

Does the trick still work if you borrow 10 bits to have 1024 subnets?  Yes, it still works, and below are the first 9 subnets.  Six bits remain in the 4th octet, so you increase each subnet by 64 (2^6 = 64).  If you notice, after x.x.x.192 the increment moves up to the 3rd octet and the 4th octet starts from 0 again because 192+64=256.

172.18.0.0
172.18.0.64
172.18.0.128
172.18.0.192
172.18.1.0
172.18.1.64
172.18.1.128
172.18.1.192
172.18.2.0

What are the ranges of host addresses for the first 5 subnets?

Network Address   First Host    Last Host       Broadcast Address
172.18.0.0        172.18.0.1    172.18.1.254    172.18.1.255
172.18.2.0        172.18.2.1    172.18.3.254    172.18.3.255
172.18.4.0        172.18.4.1    172.18.5.254    172.18.5.255
172.18.6.0        172.18.6.1    172.18.7.254    172.18.7.255
172.18.8.0        172.18.8.1    172.18.9.254    172.18.9.255

How many hosts are there per subnet?  There are 2^9 – 2 = 512 – 2 = 510 hosts.
 
Okay, now we are done with subnetting.  But now you may want to have some subnets with just 2 hosts to be used on WAN links (e.g. router to router).  For the example above, if you use 172.18.8.0/23 for this purpose, 510 – 2 = 508 host IDs will be “wasted”.
image
 

To make more efficient use of the IP addresses you have, we will use Variable-Length Subnet Mask (VLSM).  Basically, we are going to subnet an already subnetted network.  Okay, let’s try it on the 172.18.8.0/23 subnet and further subnet it into VLSM subnets with only 2 hosts in each.  The first 7 bits of the third octet are the bits used in the original subnetting which gave us 172.18.8.0/23.  The last bit of the third octet and the first 6 bits of the fourth octet are the bits we use for the VLSM subnetting to get 2 hosts per subnet (a /30, leaving 2 host bits).  We can also apply the trick here: 2 bits remain in the 4th octet, so each subnet increases by 4 (2^2 = 4).

VLSM Subnets Binary form
172.18.8.0 1010 1100.0001 0010.0000 1000.0000 0000
172.18.8.4 1010 1100.0001 0010.0000 1000.0000 0100
172.18.8.8 1010 1100.0001 0010.0000 1000.0000 1000
172.18.8.12 1010 1100.0001 0010.0000 1000.0000 1100
172.18.8.16 1010 1100.0001 0010.0000 1000.0001 0000

So, we can pick one VLSM subnet say 172.18.8.4 to use for the WAN link.

image

The routing table in a router is used to determine how to route a packet to its destination.  As the number of subnets increases, the routing table grows as well.  To reduce memory use on routers and routing protocol traffic on the network, route summarization is used.  Route summarization is also called route aggregation or supernetting.  Okay, let’s try to summarize the route for our 5 subnets.

Subnets Binary form
172.18.0.0 1010 1100.0001 0010.0000 0000.0000 0000
172.18.2.0 1010 1100.0001 0010.0000 0010.0000 0000
172.18.4.0 1010 1100.0001 0010.0000 0100.0000 0000
172.18.6.0 1010 1100.0001 0010.0000 0110.0000 0000
172.18.8.0 1010 1100.0001 0010.0000 1000.0000 0000

To determine the summary route, we find the number of highest-order bits that match in all the addresses.  In the table above, the first 20 bits (the first two octets plus the leading 0000 of the third octet) are identical, which gives us a summary route of 172.18.0.0/20, mask 255.255.240.0.  However, this summary route also includes the 172.18.10.0, 172.18.12.0 and 172.18.14.0 subnets.  If we don’t own these subnets and they appear somewhere else in your inter-connected network, routing issues might occur.  To play safe, we can choose to summarize only the first four subnets into 172.18.0.0/21, mask 255.255.248.0.  The 5th subnet, 172.18.8.0/23, stays as a single entry in the routing table.
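The subnetting, VLSM and route-summary arithmetic above, as an added example (not code from the original study note) using Python’s ipaddress module.  The networks are the note’s own (10.0.0.0/8 and 172.18.0.0/16); the function names are this example’s choice.  It also generalizes a little beyond the note: any subnet count and prefix length can be fed in, and the summary helper reports which extra subnets a summary would pull in, which is the “do we own these?” check the text warns about.

```python
# Added example (not part of the original study note): subnetting, VLSM and
# route summarization with ipaddress.  Input networks are the note's own.
import ipaddress

# The five /23 subnets summarized in the note.
FIVE_SUBNETS = ["172.18.0.0/23", "172.18.2.0/23", "172.18.4.0/23",
                "172.18.6.0/23", "172.18.8.0/23"]


def subnet_plan(network, subnets_needed):
    """Borrow the fewest host bits that give at least subnets_needed subnets.
    Returns (bits_borrowed, new_prefix_length, usable_hosts_per_subnet)."""
    net = ipaddress.IPv4Network(network)
    bits = (subnets_needed - 1).bit_length()     # ceil(log2(n)) without floats
    new_prefix = net.prefixlen + bits
    host_bits = 32 - new_prefix
    return bits, new_prefix, 2 ** host_bits - 2  # minus network and broadcast


def first_subnets(network, new_prefix, count):
    """First `count` subnets as (network, first host, last host, broadcast) strings.
    Computed arithmetically so large subnets are not enumerated host by host."""
    rows = []
    for sub in ipaddress.IPv4Network(network).subnets(new_prefix=new_prefix):
        rows.append((str(sub.network_address), str(sub.network_address + 1),
                     str(sub.broadcast_address - 1), str(sub.broadcast_address)))
        if len(rows) == count:
            break
    return rows


def summary_route(networks):
    """Shortest prefix whose high-order bits are shared by every network:
    the route-summarization (supernetting) calculation done by hand above."""
    nets = [ipaddress.IPv4Network(n) for n in networks]
    addrs = [int(n.network_address) for n in nets]
    prefix = min(n.prefixlen for n in nets)
    # Shorten the prefix until all addresses agree on the remaining leading bits.
    while prefix > 0 and len({a >> (32 - prefix) for a in addrs}) > 1:
        prefix -= 1
    base = (addrs[0] >> (32 - prefix)) << (32 - prefix) if prefix else 0
    return ipaddress.IPv4Network((base, prefix))


def extra_subnets(networks):
    """Subnets of the same size that the summary covers but the list does not own.
    Assumes the inputs all have the same prefix length, as in the note."""
    nets = [ipaddress.IPv4Network(n) for n in networks]
    size = max(n.prefixlen for n in nets)
    owned = {str(n) for n in nets}
    return [str(s) for s in summary_route(networks).subnets(new_prefix=size)
            if str(s) not in owned]


if __name__ == "__main__":
    print(subnet_plan("10.0.0.0/8", 4))          # (2, 10, 4194302)
    print(subnet_plan("172.18.0.0/16", 100))     # (7, 23, 510)
    for row in first_subnets("172.18.0.0/16", 23, 5):
        print(row)
    print([r[0] for r in first_subnets("172.18.8.0/23", 30, 5)])   # VLSM /30s
    print(summary_route(FIVE_SUBNETS), extra_subnets(FIVE_SUBNETS))
    print(summary_route(FIVE_SUBNETS[:4]))
```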

Okay, enough of decimal to binary and binary to decimal conversion for the day.  It is killing my brain cell…

Tuesday, January 04, 2011

CCNA 640-802 Study Note Spanning Tree Protocol

Building redundancy into the network can help to eliminate single points of failure.  However, it also introduces some other problems, such as:

  • Broadcast storms: This occurs when each switch on a redundant network floods broadcast frames endlessly.
  • Multiple frame transmission: This happens when multiple copies of the same unicast frame get delivered to the destination device.
  • MAC database instability: When copies of the same frame are received on different ports of a switch, the switch keeps updating its MAC address table.  A switch that cannot cope with this instability can have problems forwarding frames.

To resolve the above problems, some kind of loop-avoidance mechanism is needed, and Spanning Tree Protocol (STP) is the answer.

Basically, STP puts certain ports in the redundant network into a standby mode so that those ports do not listen to, forward or flood data frames.  This ensures that only 1 path to each network segment is active at any time.  When there is a problem with the active path, STP activates the standby path to re-establish connectivity.

The basic concept of STP consists of the following:

  • Bridge ID: Made up of the Bridge Priority and the MAC address.  For Per-VLAN STP, it is made up of the Bridge Priority, the Extended System ID (VLAN) and the MAC address.
  • Root bridge: One per broadcast domain.  The switch with the lowest Bridge ID becomes the root bridge.  All of its ports are designated ports in the forwarding state.
  • Root port on a nonroot bridge: The root port is the port with the lowest-cost path from the nonroot bridge to the root bridge.  Root ports are normally in the forwarding state.
  • Designated port: On each segment, the designated port is the port on the bridge that has the lowest-cost path to the root bridge; it is in the forwarding state.
  • Non-designated port: A non-designated port is put in the blocking state, which logically breaks the loop.  In the blocking state, the port still receives frames (so it keeps hearing BPDUs) but does not forward them.

Each port transitions through several states when STP is enabled.  The 5 STP port states are Blocking, Listening, Learning, Forwarding and Disabled.  It typically takes 30s to 50s for a port to go from the blocking state to the forwarding state.  However, Rapid STP needs just a few seconds to go from blocking to forwarding.

STP uses the following Spanning Tree Path Cost to compute the lowest cost path for the selection of root port and designated port.

Link Speed    Cost
10 Gb/s       2
1 Gb/s        4
100 Mb/s      19
10 Mb/s       100

Because it takes time for spanning tree to converge, switch ports that are meant for access (e.g. connecting to end-user workstations) should have PortFast enabled.  With PortFast enabled, the switch port goes straight from the blocking state to the forwarding state without waiting through the listening and learning states.

The following enables PortFast on interface fa0/2 of SwitchA.

SwitchA(config)#int f0/2
SwitchA(config-if)#spanning-tree portfast

The following command enables PortFast on all non-trunking ports.

SwitchA(config)#spanning-tree portfast default

To verify PortFast has been enabled on an interface, use the following command.

SwitchA#sh run int f0/2

Okay, let’s try out spanning tree on this little setup.

image

Here is how the setup was done.

Interface fa0/2 on both SwitchA and SwitchB has PortFast enabled to minimize the time for those ports to converge.

VLAN 2 was added on SwitchA, CoreSwitchA and CoreSwitchB.

VLAN 3 was added on SwitchB, CoreSwitchA and CoreSwitchB.

Make CoreSwitchA the root bridge for VLANs 2 and 3 by lowering its priority value to 28672.  The default priority value is 32768.

CoreSwitchA(config)#spanning-tree vlan 2 priority 28672
CoreSwitchA(config)#spanning-tree vlan 3 priority 28672

As you can see, we have created multiple links for VLAN 2 and 3 to forward frames.  For example, for VLAN 2, if SwitchA needs to forward a frame to CoreSwitchA, it can go through the following paths.  This creates redundancy so that frames can continue to be forwarded even if one of the paths is down, but it also creates the problem of looping.

fa0/11 (SwitchA) –> fa0/1 (CoreSwitchA)
fa0/12 (SwitchA) –> fa0/1 (CoreSwitchB) –>fa0/13 (CoreSwitchB) –> fa0/13 (CoreSwitchA)
fa0/12 (SwitchA) –> fa0/1 (CoreSwitchB) –>fa0/14 (CoreSwitchB) –> fa0/14 (CoreSwitchA)

Now, we will configure rapid spanning tree for VLAN 2 and 3.

SwitchA(config)#spanning-tree mode rapid-pvst
SwitchB(config)#spanning-tree mode rapid-pvst

Okay, done.  The spanning tree will start to converge.

We will just look at how the spanning tree for VLAN 2 works out, since it is going to be the same for VLAN 3.

We will run the sh spanning-tree command on SwitchA, CoreSwitchA and CoreSwitchB to find out which is the root bridge and which ports are the designated ports, root ports and non-designated ports.

SwitchA#sh spanning-tree vlan 2
VLAN0002
  Spanning tree enabled protocol rstp
  Root ID    Priority    24578
             Address     0003.E4D0.4862
             Cost        19
             Port        11(FastEthernet0/11)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32770  (priority 32768 sys-id-ext 2)
             Address     00D0.BCEC.E8C3
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2            Desg FWD 19        128.2    P2p
Fa0/11           Root FWD 19        128.11   P2p
Fa0/12           Altn BLK 19        128.12   P2p

SwitchA is a non-root bridge.  Fa0/2 is a designated port, fa0/11 is the root port and both are in the forwarding state.  Fa0/12 is a non-designated port in the blocking state.

CoreSwitchA#sh spanning-tree vlan 2
VLAN0002
  Spanning tree enabled protocol ieee
  Root ID    Priority    24578
             Address     0003.E4D0.4862
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24578  (priority 24576 sys-id-ext 2)
             Address     0003.E4D0.4862
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 19        128.1    P2p
Fa0/2            Desg FWD 19        128.2    P2p
Fa0/13           Desg FWD 19        128.13   P2p
Fa0/14           Desg FWD 19        128.14   P2p
Fa0/23           Desg FWD 19        128.23   P2p

CoreSwitchA is the root bridge.  Therefore, all its ports are designated ports and all are in forwarding state.

CoreSwitchB#sh spanning-tree vlan 2
VLAN0002
  Spanning tree enabled protocol ieee
  Root ID    Priority    24578
             Address     0003.E4D0.4862
             Cost        19
             Port        13(FastEthernet0/13)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32770  (priority 32768 sys-id-ext 2)
             Address     0001.426D.309B
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 19        128.1    P2p
Fa0/2            Desg FWD 19        128.2    P2p
Fa0/13           Root FWD 19        128.13   P2p
Fa0/14           Altn BLK 19        128.14   P2p

CoreSwitchB is a non-root bridge.  Fa0/1 and fa0/2 are designated ports, fa0/13 is the root port and all three are in the forwarding state.  Fa0/14 is a non-designated port in the blocking state.

From the information gathered, we can figure out that the active path is the one highlighted on the diagram below: fa0/11 (SwitchA) –> fa0/1 (CoreSwitchA), and fa0/13 (CoreSwitchB) –> fa0/13 (CoreSwitchA).  The red crosses show that fa0/12 of SwitchA and fa0/14 of CoreSwitchB are in the blocking state, so no frames will be forwarded through those 2 links.

image

However, if there is a connectivity issue, for example fa0/11 on SwitchA goes down, the spanning tree will re-converge and bring up fa0/12 to take the alternate path.
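The election just read off the three sh spanning-tree outputs, as an added example (not code from the original study note).  The bridge priorities, MAC addresses, port numbers and the four inter-switch links for VLAN 2 are taken from that output; the function names, the tuple-based topology format and the restriction to the classic STP tie-breakers (root path cost, then sender bridge ID, then port ID) are this example’s own.  It reproduces the root bridge, the root ports and the two blocked ports, and can be rerun with a link removed to see the re-convergence described above.

```python
# Added example (not part of the original study note): a model of the STP
# election for VLAN 2 of the note's lab.  Values come from the note's output.

# IEEE path cost per link speed in Mb/s, from the note's table.
PATH_COST = {10_000: 2, 1_000: 4, 100: 19, 10: 100}


def bridge_id(priority, vlan, mac):
    """PVST bridge ID: (priority + extended system ID, MAC as an integer).  Lower wins."""
    return (priority + vlan, int(mac.replace(".", ""), 16))


def port_id(port, priority=128):
    """Port ID as shown in the Prio.Nbr column, e.g. Fa0/11 -> (128, 11)."""
    return (priority, int(port.rsplit("/", 1)[1]))


def stp_election(bridges, links):
    """bridges: {switch: bridge_id}; links: [(swA, portA, swB, portB, speed_mbps)].
    Returns (root_switch, {(switch, port): 'Root' | 'Desg' | 'Altn'})."""
    root = min(bridges, key=bridges.get)
    # Root path cost: cheapest sum of link costs to the root (simple relaxation).
    cost = {sw: float("inf") for sw in bridges}
    cost[root] = 0
    changed = True
    while changed:
        changed = False
        for a, _, b, _, speed in links:
            for x, y in ((a, b), (b, a)):
                if cost[x] + PATH_COST[speed] < cost[y]:
                    cost[y] = cost[x] + PATH_COST[speed]
                    changed = True
    # Root port on each non-root bridge: the port receiving the best BPDU, i.e. the
    # lowest (root path cost, sender bridge ID, sender port ID, own port ID).
    root_port = {}
    for a, pa, b, pb, speed in links:
        for me, mine, nb, theirs in ((a, pa, b, pb), (b, pb, a, pa)):
            if me == root:
                continue
            key = (cost[nb] + PATH_COST[speed], bridges[nb], port_id(theirs), port_id(mine))
            if me not in root_port or key < root_port[me][0]:
                root_port[me] = (key, mine)
    # Designated port on each segment: the end advertising the lowest
    # (root path cost, bridge ID, port ID).  The other end is either that bridge's
    # root port or a non-designated (alternate, blocking) port.
    roles = {}
    for a, pa, b, pb, _ in links:
        ka = (cost[a], bridges[a], port_id(pa))
        kb = (cost[b], bridges[b], port_id(pb))
        desg, dport, other, oport = (a, pa, b, pb) if ka < kb else (b, pb, a, pa)
        roles[(desg, dport)] = "Desg"
        roles[(other, oport)] = "Root" if root_port[other][1] == oport else "Altn"
    return root, roles


# VLAN 2 of the note's lab (priorities as shown in the sh spanning-tree output).
VLAN2_BRIDGES = {
    "CoreSwitchA": bridge_id(24576, 2, "0003.E4D0.4862"),
    "CoreSwitchB": bridge_id(32768, 2, "0001.426D.309B"),
    "SwitchA": bridge_id(32768, 2, "00D0.BCEC.E8C3"),
}
VLAN2_LINKS = [
    ("SwitchA", "Fa0/11", "CoreSwitchA", "Fa0/1", 100),
    ("SwitchA", "Fa0/12", "CoreSwitchB", "Fa0/1", 100),
    ("CoreSwitchB", "Fa0/13", "CoreSwitchA", "Fa0/13", 100),
    ("CoreSwitchB", "Fa0/14", "CoreSwitchA", "Fa0/14", 100),
]

if __name__ == "__main__":
    root, roles = stp_election(VLAN2_BRIDGES, VLAN2_LINKS)
    print("root bridge:", root)
    for (sw, port), role in sorted(roles.items()):
        print(f"{sw:12} {port:7} {role}")
```

Note the CoreSwitchB tie: both fa0/13 and fa0/14 reach the root at cost 19 from the same bridge, so the lower sender port ID (128.13) decides, exactly as the output shows.  SwitchA’s fa0/12 loses the designated-port contest on its segment to CoreSwitchB’s fa0/1 because, at equal cost, CoreSwitchB has the lower MAC address.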

You can also use the following commands to configure a switch as the root bridge and another switch as the backup root bridge.  In the following example, CoreSwitchA is made the root bridge of VLAN 2 and CoreSwitchB the standby root bridge.

CoreSwitchA(config)#spanning-tree vlan 2 root primary
CoreSwitchB(config)#spanning-tree vlan 2 root secondary

Okay, onto VLSM next and I can start to see those ones and zeros floating in front of my eyes!!!

CCNA 640-802 Study Note Port-Security

You can use the port-security feature to restrict the maximum number of devices allowed to connect to a switchport, or to specify which devices are allowed to connect to it.  This is done by checking the MAC address of the connecting device.

Let’s try this in the following simple setup.  There is a SwitchA and a RouterA.  The MAC address of interface fa0/0 on RouterA is 0001.6469.2301.  We are going to connect interface fa0/0 on RouterA to interface fa0/11 on SwitchA.  We are also going to restrict fa0/11 on SwitchA to allow a maximum of 1 device on the switchport, and the MAC address of that device must be 0001.6469.2301.

image

So before connecting, we will enable port-security on interface fa0/11 of SwitchA.

SwitchA(config)#int f0/11
SwitchA(config-if)#switchport mode access
SwitchA(config-if)#switchport port-security
SwitchA(config-if)#switchport port-security maximum 1
SwitchA(config-if)#switchport port-security mac-address 0001.6469.2301

The switchport, fa0/11 in this case, must be in access mode to have port-security enabled, and the command switchport mode access does that.  The command switchport port-security enables port-security on fa0/11.  The next 2 commands set the maximum number of connecting devices allowed and the static MAC address of the allowed connecting device.

You can verify the port-security of fa0/11 using the sh port-security command.

SwitchA#sh port-security int f0/11
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

As shown, if there is a violation, the switchport will be shutdown.  You can alter the violation action by using the switchport port-security violation command.

SwitchA(config-if)#switchport port-security violation ?
  protect   Security violation protect mode
  restrict  Security violation restrict mode
  shutdown  Security violation shutdown mode

The protect and restrict modes do not shut down the port; instead, frames from MAC addresses that are not allowed are dropped while the allowed device keeps working.  The difference between them is that restrict also logs the violation and increments the violation counter, whereas protect drops the frames silently.

Now, let’s connect RouterA and SwitchA.

image

If you check the MAC address table for interface fa0/11, you will see the static MAC address 0001.6469.2301.

SwitchA#sh mac-address-table int f0/11
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

   1    0001.6469.2301    STATIC      Fa0/11

The sh port-security command shows that the port status is secure-up.

SwitchA#sh port-security int f0/11
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0001.6469.2301:1
Security Violation Count   : 0

Now we introduced another router called SpareRouter.  The MAC address of interface fa0/0 on SpareRouter is  0001.4219.7301.

image

We are going to disconnect SwitchA and RouterA.  We will then connect fa0/11 of SwitchA to fa0/0 of SpareRouter.  Make sure fa0/0 on SpareRouter is up by using the no shut command.

Once you connect up SwitchA and SpareRouter, you will see that the link is down.

image

%LINK-5-CHANGED: Interface FastEthernet0/11, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/11, changed state to up
%LINK-5-CHANGED: Interface FastEthernet0/11, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/11, changed state to down

Even if you try to bring interface fa0/11 up, it will still go down.

SwitchA(config)#int f0/11
SwitchA(config-if)#no shut

%LINK-5-CHANGED: Interface FastEthernet0/11, changed state to down

If you do sh int f0/11, you will see that the port is err-disabled.

SwitchA#sh int f0/11
FastEthernet0/11 is down, line protocol is down (err-disabled)
  Hardware is Lance, address is 0001.43e8.ca0b (bia 0001.43e8.ca0b)
BW 100000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s
  input flow-control is off, output flow-control is off
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:08, output 00:00:05, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue :0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     956 packets input, 193351 bytes, 0 no buffer
     Received 956 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     2357 packets output, 263570 bytes, 0 underruns
     0 output errors, 0 collisions, 10 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

Check on the port-security of f0/11 and you will see that it is now in secure-shutdown state.

SwitchA#sh port-security int f0/11
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0001.4219.7301:1
Security Violation Count   : 1

Okay, to bring the port up again, we first need to remove the connection to SpareRouter.  Then we run shut to shut down the fa0/11 interface on SwitchA and no shut to bring the fa0/11 interface up again.

image

SwitchA(config-if)#shut

%LINK-5-CHANGED: Interface FastEthernet0/11, changed state to administratively down
SwitchA(config-if)#no shut

%LINK-5-CHANGED: Interface FastEthernet0/11, changed state to down

Remember that port-security on fa0/11 is still on.  If you connect that port to any other device that does not have the specified MAC address, it will still be err-disabled.  If we connect it back to fa0/0 of RouterA, it will work again.  If you really want to connect fa0/11 on SwitchA to another device, clear the port-security configuration and disable port-security using the no form of the commands, for example no switchport port-security.

image

There are other options you can set on the port-security.  One of them is the sticky MAC address option.  By using this option, you save the trouble of entering the MAC address manually.

SwitchA(config-if)#switchport port-security mac-address sticky

If we use this instead of switchport port-security mac-address 0001.6469.2301, the MAC address of the first connecting device will be learned.  The MAC address of that device will be converted to a secure MAC address and added to the running configuration.  Copying the running configuration to the startup configuration (e.g. copy run start) will save the learned MAC address to the startup configuration file.  If we reload the switch, the switch port does not need to relearn the MAC address.
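The whole port-security walkthrough above (maximum count, static MAC, the three violation modes, the shut / no shut recovery and sticky learning) as an added example that is not code from the original study note.  The MAC addresses are the note’s (RouterA 0001.6469.2301, SpareRouter 0001.4219.7301); the class, its method names and the constructed log line are this example’s own, and the behaviour of each violation mode is modelled as the note and the IOS help text describe it.

```python
# Added example (not part of the original study note): a model of a switchport
# with port-security, following the note's fa0/11 scenario.


class SecurePort:
    def __init__(self, maximum=1, violation="shutdown", sticky=False, static=()):
        self.maximum = maximum
        self.violation = violation                      # shutdown | restrict | protect
        self.sticky = sticky
        self.static_macs = {m.lower() for m in static}  # "Configured MAC Addresses"
        self.learned_macs = set()                       # dynamic, or sticky if enabled
        self.status = "Secure-down"                     # Secure-up / Secure-shutdown
        self.violation_count = 0
        self.last_source = "0000.0000.0000"
        self.log = []                                   # constructed log lines (example only)

    def link_up(self):
        """A device is attached; an err-disabled port stays down."""
        if self.status != "Secure-shutdown":
            self.status = "Secure-up"

    def shut_no_shut(self):
        """Operator recovery: shut then no shut clears err-disabled, and the port
        is Secure-down until a device is attached again."""
        self.status = "Secure-down"

    def frame_from(self, mac):
        """Return True if a frame from mac is forwarded, False if it is dropped."""
        mac = mac.lower()
        if self.status != "Secure-up":
            return False
        self.last_source = mac
        allowed = self.static_macs | self.learned_macs
        if mac in allowed:
            return True
        if len(allowed) < self.maximum:                 # room left: learn the address
            self.learned_macs.add(mac)
            return True
        # Violation: address not allowed and the port is already full.
        if self.violation == "shutdown":
            self.violation_count += 1
            self.status = "Secure-shutdown"             # err-disabled, all traffic stops
        elif self.violation == "restrict":
            self.violation_count += 1                   # counted and logged, port stays up
            self.log.append(f"constructed-log: port-security violation from {mac}")
        # protect: dropped silently, no counter, no log
        return False

    def running_config(self):
        """Interface lines as they would be saved; sticky addresses are the only
        learned ones that survive copy run start."""
        lines = ["switchport port-security",
                 f"switchport port-security maximum {self.maximum}",
                 f"switchport port-security violation {self.violation}"]
        lines += [f"switchport port-security mac-address {m}" for m in sorted(self.static_macs)]
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
            lines += [f"switchport port-security mac-address sticky {m}"
                      for m in sorted(self.learned_macs)]
        return lines


def walkthrough():
    """The note's sequence: RouterA is allowed, then SpareRouter trips a shutdown."""
    port = SecurePort(maximum=1, violation="shutdown", static=["0001.6469.2301"])
    port.link_up()
    router_a = port.frame_from("0001.6469.2301")
    spare = port.frame_from("0001.4219.7301")
    return router_a, spare, port.status, port.violation_count, port.last_source


if __name__ == "__main__":
    print(walkthrough())   # (True, False, 'Secure-shutdown', 1, '0001.4219.7301')
```

The tuple returned by walkthrough matches the sh port-security output after SpareRouter was connected: port status Secure-shutdown, violation count 1 and the last source address 0001.4219.7301.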

Broadcast storm is coming, I need to find my spanning tree…