Sample-Narbik CCIE Foundation Book


CCIE Foundation 5.0 www.MicronicsTraining.com Narbik Kocharians CCIE #12410 R&S, Security, SP

VOL-I

R&S Foundation by Narbik Kocharians CCIE R&S Foundation 5.0 © 2013 Narbik Kocharians. All rights reserved

Page 1 of 124

Table of Contents:

Topology

Section One: Logical or Physical
Lab 1 – Physical to Logical Topology I
Lab 2 – Physical to Logical Topology II
Lab 3 – Physical to Logical Topology III

Section Two: 3560 Switching
Lab 1 – Basic 3560 configuration
Lab 2 – Spanning-tree 802.1d

Section Three: Frame-relay
Lab 1 – Multipoint Hub-n-Spoke Using Frame-relay maps
Lab 2 – Multipoint Hub-n-Spoke Using Frame-relay sub-interfaces
Lab 3 – Frame-relay configuration in a Point-to-point manner
Lab 4 – Mixture of Point-to-point & Multipoint Frame-relay
Lab 5 – Running PPP on Frame-relay

Section Four: RIPv2
Lab 1 – Configuring RIPv2
Lab 2 – RIPv2 Authentication (Clear text and MD5)
Lab 3 – Configuring different RIPv2 Update methods
Lab 4 – Injection of Default routes in RIPv2
Lab 5 – Filtering RIPv2 routes

Section Five: Eigrp
Lab 1 – Configuring Eigrp and Adjusting the Timers
Lab 2 – Eigrp Metric
Lab 3 – Eigrp Summarization
Lab 4 – Eigrp Authentication & Advanced Configuration
Lab 5 – Eigrp Stub

Section Six: OSPF
Lab 1 – Advertising Networks
Lab 2 – OSPF Non-Broadcast Networks
Lab 3 – OSPF Broadcast Networks
Lab 4 – OSPF Point-to-point Networks
Lab 5 – OSPF Point-to-Multipoint Networks
Lab 6 – OSPF Point-to-Multipoint Non-Broadcast Networks
Lab 7 – OSPF Cost
Lab 8 – OSPF Authentication
Lab 9 – OSPF Summarization
Lab 10 – OSPF Filtering
Lab 11 – Virtual-Links and GRE Tunnels
Lab 12 – OSPF Stub, T/Stubby, NSSA, NSS-Stub, NSS-T/Stub

Section Seven: Redistribution
Lab 1 – Redistribution Basics

Section Eight: BGP
Lab 1 – Establishing Neighbor Adjacency
Lab 2 – Route reflectors, Originator-ID and Cluster-ID
Lab 3 – Conditional Advertisement & BGP Backdoor
Lab 4 – The Community Attribute
Lab 5 – The AS-Path Attribute
Lab 6 – The Weight Attribute
Lab 7 – The Multi-Exit Discriminator (MED) Attribute
Lab 8 – Filtering Using Access-lists and Prefix-lists
Lab 9 – Regular Expressions
Lab 10 – BGP Confederation

Section Nine: IPv6
Lab 1 – Configuring Basic IPv6
Lab 2 – Configuring Point-to-point, Multipoint and Multi-access links
Lab 3 – Configuring RIPng
Lab 4 – Configuring EIGRPv6
Lab 5 – Configuring OSPFv3
Lab 6 – OSPFv3 Non-Broadcast Network Type
Lab 7 – OSPFv3 Broadcast Network Type
Lab 8 – OSPFv3 Point-to-point Network Type
Lab 9 – OSPFv3 Point-to-Multipoint Broadcast Network Type
Lab 10 – OSPFv3 Point-to-Multipoint Non-Broadcast Network Type

Section Ten: QoS
Lab 1 – MLS QoS
Lab 2 – DSCP-Mutation
Lab 3 – DSCP-CoS
Lab 4 – CoS-DSCP
Lab 5 – IP-Prec-to-DSCP
Lab 6 – Individual Rate Policer
Lab 7 – Policed-DSCP
Lab 8 – Aggregate Policer
Lab 9 – Frame-relay Traffic Shaping
Lab 10 – Basic Class-Based Policing

Section Eleven: IP Services and Network Optimization & Advanced Features
Lab 1 – HSRP
Lab 2 – VRRP
Lab 3 – GLBP
Lab 4 – NTP
Lab 5 – OER/PFR Configuration
Lab 6 – EEM

[Figure: physical topology. The F0/0 and F0/1 interfaces of R1 to R6 and BB1 to BB3 connect to ports on Switch-1, Switch-2 and Switch-3.]

The Serial Connection Between R1 and R3

R1 S0/1 (DCE) to R3 S0/1 (DTE)

The Serial Connection Between R4 and R5

R4 S0/1 (DCE) to R5 S0/1 (DTE)

Frame-Relay Switch Connections

[Figure: serial connections between R1 to R6 and the Frame-Relay switch.]

Frame-Relay DLCI Connections:

Router  Local DLCI  Connecting to
R1      102         R2
R1      112         R2
R1      103         R3
R1      104         R4
R1      105         R5
R1      106         R6
R1      164         R4
R2      201         R1
R2      211         R1
R2      203         R3
R2      204         R4
R2      205         R5
R2      206         R6
R3      301         R1
R3      302         R2
R3      304         R4
R3      305         R5
R3      306         R6
R4      401         R1
R4      402         R2
R4      403         R3
R4      405         R5
R4      406         R6
R4      461         R1
R5      501         R1
R5      502         R2
R5      503         R3
R5      504         R4
R5      506         R6
R6      601         R1
R6      602         R2
R6      603         R3
R6      604         R4
R6      605         R5

Switch-to-Switch connections:

[Figure: links between SW1, SW2, SW3 and SW4 on ports F0/18 to F0/24.]

Configuring Logical Topology from the Physical Topology

LAB 1 Physical to Logical Topology
Basic configuration

[Figure: Lab 1 logical topology. VLAN 12 (12.1.1.0/24), VLAN 11 (100.1.1.0/24), VLAN 23 (23.1.1.0/24), VLAN 123 (123.1.1.0/24), VLAN 345 (200.1.1.0/24) and VLAN 56 (56.1.1.0/24), connecting R1 to R6 and BB1 to BB3.]

Task 1
Shut down all ports on all switches.

On All Switches
SWx(config)#Int range f0/1-24
SWx(config-if-range)#Shut

Task 2
Configure the above topology. If this configuration is performed successfully, every router should be able to ping its neighboring routers in the same subnet.

Let’s start with R1 and R2’s connection in VLAN 12. These two routers are connected via their F0/0 interfaces, and their connections to the other routers use their F0/1 interfaces, meaning that the F0/0 interface is not used to connect to other routers; we will see how to configure that scenario in the next lab. Checking the physical topology, the F0/0 interfaces of R1 and R2 are connected to SW1 ports F0/1 and F0/2 respectively, so let’s configure these two ports on SW1 in VLAN 12 and verify.

On SW1
SW1(config)#Int range f0/1-2
SW1(config-if-range)#Swi mode acc
SW1(config-if-range)#swi acc v 12
SW1(config-if-range)#No shut

Let’s verify:

On SW1
SW1#Show vlan brief | Exc unsup
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Gi0/1, Gi0/2
12   VLAN0012                         active    Fa0/1, Fa0/2

Let’s configure the F0/0 interfaces of R1 and R2:

On R1
R1(config)#Int F0/0
R1(config-if)#Ip addr 12.1.1.1 255.255.255.0
R1(config-if)#No shut

On R2
R2(config)#Int F0/0
R2(config-if)#Ip addr 12.1.1.2 255.255.255.0
R2(config-if)#No shut

To verify the configuration:

On R1
R1#Ping 12.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

We can configure R2’s connection to R3 or R1’s connection to BB1; the following configures R1’s connection to BB1. Before we assign IP addresses to the interfaces of these routers, let’s place the switch ports that the F0/1 interfaces of R1 and BB1 connect to in VLAN 11, and then configure the F0/1 interfaces of R1 and BB1. These interfaces are connected to SW2’s F0/1 and F0/11 for R1 and BB1 respectively; therefore, these two ports on SW2 should be configured in VLAN 11:

On SW2
SW2(config)#Int Range f0/1,f0/11
SW2(config-if-range)#Swi mode acc
SW2(config-if-range)#Swi acc v 11
SW2(config-if-range)#No shut

On R1
R1(config)#Int F0/1
R1(config-if)#Ip address 100.1.1.1 255.255.255.0
R1(config-if)#No shut

On BB1
BB1(config)#Int F0/1
BB1(config-if)#Ip addr 100.1.1.11 255.255.255.0
BB1(config-if)#No shut

To verify the configuration:

On R1
R1#Ping 100.1.1.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.1.11, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

NOW let’s configure the F0/1 interfaces of R2 and R3 in VLAN 23. These two interfaces are connected to SW2: F0/2 for R2’s F0/1 and F0/3 for R3’s F0/1 interface.

On SW2
SW2(config)#Int Range F0/2-3
SW2(config-if-range)#Swi mode acc
SW2(config-if-range)#swi acc v 23
SW2(config-if-range)#No shut

On R2
R2(config)#Int F0/1
R2(config-if)#Ip addr 23.1.1.2 255.255.255.0
R2(config-if)#No shut

On R3
R3(config)#Int F0/1
R3(config-if)#Ip addr 23.1.1.3 255.255.255.0
R3(config-if)#No shut

To verify the configuration:

On R2
R2#Ping 23.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.1.1.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

Let’s move on to BB1, BB2 and BB3’s configuration in VLAN 123. In this case BB1’s F0/0 interface is connected to SW1’s port F0/11, and BB2’s F0/0 interface is connected to SW1’s F0/12 interface, but BB3’s F0/1 is connected to SW3’s F0/13 interface. How do we get these routers in the same VLAN? SW3 and SW1 are connected via their F0/21 and F0/22 interfaces, and we can use one of these two; in this case let’s choose F0/21. Therefore, the F0/21 interfaces of SW1 and SW3 should be configured as a trunk allowing VLAN 123 to traverse it. Let’s configure the trunk and the VLANs before we configure the routers:

To configure ports F0/11 and F0/12 in VLAN 123:

On SW1
SW1(config)#Int Range f0/11-12
SW1(config-if-range)#Swi mode acc
SW1(config-if-range)#Swi acc v 123
SW1(config-if-range)#No shut

To configure a trunk:

On SW1 and SW3
SWx(config)#Int F0/21
SWx(config-if)#Swi trunk encap dot
SWx(config-if)#swi mode trunk
SWx(config-if)#No shut

Lastly the F0/13 interface of SW3 is configured in VLAN 123:

On SW3
Sw3(config)#Int F0/13
Sw3(config-if)#Swi mode acc
Sw3(config-if)#swi acc v 123
Sw3(config-if)#No shut

Let’s verify the VLAN configuration:

On SW1
SW1#Show vlan br | Exc unsup
VLAN Name                             Status    Ports
---- -------------------------------- --------- ------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/22, Fa0/23, Fa0/24, Gi0/1
                                                Gi0/2
12   VLAN0012                         active    Fa0/1, Fa0/2
123  VLAN0123                         active    Fa0/11, Fa0/12

Let’s verify the trunk link and ensure that VLAN 123 can traverse through this trunk link:

On SW1
SW1#Show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/21      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/21      1-4094

Port        Vlans allowed and active in management domain
Fa0/21      1,12,123

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/21      1,12,123

Let’s verify the VLAN configuration and the trunk interface configured on SW3:

On SW3
Sw3#Show interface trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/21      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/21      1-4094

Port        Vlans allowed and active in management domain
Fa0/21      1,123

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/21      1,123

Sw3#Show vlan br | exc unsup
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/22
                                                Fa0/23, Fa0/24, Gi0/1, Gi0/2
123  VLAN0123                         active    Fa0/13

Let’s configure the routers:

On BB1
BB1(config)#Int F0/0
BB1(config-if)#Ip addr 123.1.1.11 255.255.255.0
BB1(config-if)#No shut

On BB2
BB2(config)#Int F0/0
BB2(config-if)#Ip addr 123.1.1.22 255.255.255.0
BB2(config-if)#No shut

On BB3
BB3(config)#Int F0/1
BB3(config-if)#IP addr 123.1.1.33 255.255.255.0
BB3(config-if)#No shut

To test the configuration:

On BB1
BB1#Ping 123.1.1.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.1.1.22, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

BB1#Ping 123.1.1.33
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.1.1.33, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

The ONLY VLAN left to be configured is VLAN 345. Looking at the interfaces of the routers used in this VLAN, we can see that R5 is using its F0/1 interface and not its F0/0, which means that R5’s F0/1 interface is not connected to the same switch as the one that connects R3 and R4. The physical topology shows that R5’s F0/1 interface is connected to SW2’s F0/5 interface, whereas the F0/0 interfaces of R3 and R4 are connected to SW1. This tells us that we need a trunk connection between SW1 and SW2 allowing VLAN 345 to traverse it. SW1 and SW2 have three connections between them; in this lab the F0/20 interface is used for the trunk.

On SW1 and SW2
SWx(config)#Int F0/20
SWx(config-if)#Swi tru enc dot
SWx(config-if)#Swi mode tru
SWx(config-if)#No shut

To verify the configuration:

On SW2
SW2#Show inter trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/20      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/20      1-4094

Port        Vlans allowed and active in management domain
Fa0/20      1,11,23

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/20      none

We do not see VLAN 123 over this trunk because it is not configured. Let’s configure VLAN 123 on SW1 and SW2, or configure both switches in the same VTP domain, then configure VLAN 123 on one of the switches and have VTP messages propagate the VLAN.dat; in this case the latter is chosen:

On SW1
SW1(config)#VTP domain TST
Changing VTP domain name from NULL to TST

Remember that a name MUST be assigned or else the VLAN.dat will not be propagated.

The following configures the F0/3 and F0/4 interfaces of SW1 in VLAN 345:

SW1(config)#Int Range f0/3-4
SW1(config-if-range)#Swi mode acc
SW1(config-if-range)#Swi acc v 345
SW1(config-if-range)#No shu

Let’s configure the F0/5 interface of SW2 in VLAN 345:

On SW2
SW2(config)#Int F0/5
SW2(config-if)#Swi mode acc
SW2(config-if)#Swi acc v 345
SW2(config-if)#No shut

Let’s verify the configuration:

On SW2
SW2#Show interface trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/20      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/20      1-4094

Port        Vlans allowed and active in management domain
Fa0/20      1,12,123,345

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/20      1,12,123,345

On SW1
SW1#Show interface trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/20      on           802.1q         trunking      1
Fa0/21      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/20      1-4094
Fa0/21      1-4094

Port        Vlans allowed and active in management domain
Fa0/20      1,12,123,345
Fa0/21      1,12,123,345

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/20      1,12,123,345
Fa0/21      1,12,123,345

Let’s configure R3-5:

On R3
R3(config)#Int F0/0
R3(config-if)#Ip addr 200.1.1.3 255.255.255.0
R3(config-if)#No shut

On R4
R4(config)#Int F0/0
R4(config-if)#Ip addr 200.1.1.4 255.255.255.0
R4(config-if)#No shut

On R5
R5(config)#Int F0/1
R5(config-if)#Ip addr 200.1.1.5 255.255.255.0
R5(config-if)#No shut

To verify the configuration:

On R3
R3#Ping 200.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.4, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

R3#Ping 200.1.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

Task 3
Erase the startup configuration and reload the routers and switches before proceeding to the next lab.
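The switch-side decisions worked through in Lab 1, together with the two rules the next lab adds (a router interface in several VLANs needs a trunk port, and a VLAN that is carried only on trunks must be created by hand or propagated by VTP), as an added Python sketch; it is not from the book. The cabling and VLAN tables are transcribed from the lab text, and the names plan, switch_path, CABLING, LINKS, LAB1 and LAB2 are assumptions of this example.

```python
from collections import defaultdict, deque

# Cabling taken from the lab text: (router, interface) -> (switch, port).
CABLING = {
    ("R1", "F0/0"): ("SW1", "F0/1"),   ("R1", "F0/1"): ("SW2", "F0/1"),
    ("R2", "F0/0"): ("SW1", "F0/2"),   ("R2", "F0/1"): ("SW2", "F0/2"),
    ("R3", "F0/0"): ("SW1", "F0/3"),   ("R3", "F0/1"): ("SW2", "F0/3"),
    ("R4", "F0/0"): ("SW1", "F0/4"),   ("R4", "F0/1"): ("SW2", "F0/4"),
    ("R5", "F0/1"): ("SW2", "F0/5"),   ("R6", "F0/0"): ("SW1", "F0/6"),
    ("BB1", "F0/0"): ("SW1", "F0/11"), ("BB1", "F0/1"): ("SW2", "F0/11"),
    ("BB2", "F0/0"): ("SW1", "F0/12"),
    ("BB3", "F0/0"): ("SW1", "F0/13"), ("BB3", "F0/1"): ("SW3", "F0/13"),
}
# Switch pairs the labs join with a trunk (the port used differs per lab).
LINKS = [("SW1", "SW2"), ("SW1", "SW3")]

# Logical topologies: VLAN -> router interfaces that belong to it.
LAB1 = {  # the five VLANs the Lab 1 text configures
    12: [("R1", "F0/0"), ("R2", "F0/0")],
    11: [("R1", "F0/1"), ("BB1", "F0/1")],
    23: [("R2", "F0/1"), ("R3", "F0/1")],
    123: [("BB1", "F0/0"), ("BB2", "F0/0"), ("BB3", "F0/1")],
    345: [("R3", "F0/0"), ("R4", "F0/0"), ("R5", "F0/1")],
}
LAB2 = {
    13: [("R1", "F0/0"), ("R3", "F0/0")],
    12: [("R1", "F0/0"), ("R2", "F0/0")],
    24: [("R2", "F0/0"), ("R4", "F0/0")],
    22: [("R2", "F0/0"), ("BB2", "F0/0")],
    34: [("R3", "F0/1"), ("R4", "F0/1")],
    45: [("R4", "F0/1"), ("R5", "F0/1")],
    123: [("BB1", "F0/0"), ("BB2", "F0/0"), ("BB3", "F0/0")],
    16: [("BB1", "F0/0"), ("R6", "F0/0")],
    56: [("R5", "F0/1"), ("R6", "F0/0")],
}


def switch_path(links, src, dst):
    """Return the inter-switch links (as sorted pairs) on a path src -> dst."""
    adj = defaultdict(list)
    for a, b in links:
        adj[a].append(b)
        adj[b].append(a)
    prev, queue = {src: None}, deque([src])
    while queue:                       # breadth-first search
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        raise ValueError(f"no inter-switch path from {src} to {dst}")
    hops = []
    while prev[dst] is not None:
        hops.append(tuple(sorted((prev[dst], dst))))
        dst = prev[dst]
    return hops


def plan(cabling, vlans, links):
    """Derive the switch-side settings from cabling and VLAN membership."""
    membership = defaultdict(set)      # router interface -> its VLANs
    for vlan, ifaces in vlans.items():
        for iface in ifaces:
            membership[iface].add(vlan)

    ports = {}                   # (switch, port) -> ("access", vlan) or ("trunk", [vlans])
    auto = defaultdict(set)      # VLANs IOS creates when an access port joins them
    needed = defaultdict(set)    # VLANs that must exist on each switch
    spans = defaultdict(set)     # vlan -> switches holding a member port
    for iface, vset in membership.items():
        switch, port = cabling[iface]
        if len(vset) == 1:       # one VLAN: plain access port
            ports[(switch, port)] = ("access", min(vset))
            auto[switch] |= vset
        else:                    # several VLANs: router sub-interfaces + trunk port
            ports[(switch, port)] = ("trunk", sorted(vset))
        needed[switch] |= vset
        for vlan in vset:
            spans[vlan].add(switch)

    trunks = defaultdict(set)    # (switchA, switchB) -> VLANs the trunk must carry
    for vlan, switches in spans.items():
        first, *rest = sorted(switches)
        for other in rest:
            for hop in switch_path(links, first, other):
                trunks[hop].add(vlan)
                needed[hop[0]].add(vlan)
                needed[hop[1]].add(vlan)

    # A VLAN that only rides trunks is never auto-created: the Lab 2 ping failure.
    explicit = {sw: sorted(v - auto[sw]) for sw, v in needed.items() if v - auto[sw]}
    return {"ports": ports,
            "trunks": {pair: sorted(v) for pair, v in trunks.items()},
            "explicit_vlans": explicit}


if __name__ == "__main__":
    for name, lab in (("Lab 1", LAB1), ("Lab 2", LAB2)):
        print(name, plan(CABLING, lab, LINKS))
```

For Lab 2 the plan lists VLANs 12, 16, 22 and 56 on SW1 and VLANs 45 and 56 on SW2 as needing explicit creation, which are the VLANs that lab creates by hand.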

LAB 2 Physical to Logical Topology
Intermediate Configuration

[Figure: Lab 2 logical topology. VLAN 13 (13.1.1.0/24), VLAN 12 (12.1.1.0/24), VLAN 24 (24.1.1.0/24), VLAN 34 (34.1.1.0/24), VLAN 22 (22.1.1.0/24), VLAN 45 (45.1.1.0/24), VLAN 123 (123.1.1.0/24), VLAN 56 (56.1.1.0/24) and VLAN 16 (16.1.1.0/24), connecting R1 to R6 and BB1 to BB3.]

Task 1
Shut down all ports on all switches.

On All Switches
SWx(config)#Int range f0/1-24
SWx(config-if-range)#Shut

Task 2
Configure the above topology. If this configuration is performed successfully, every router should be able to ping its neighboring routers in the same subnet.

Let’s do a top-down configuration starting from VLAN 13.

NOTE: The F0/0 interface of R3 is configured in this VLAN, and the other Ethernet interfaces of this router are configured in other VLANs, whereas the F0/0 interface of R1 is configured in two VLANs. Since this is physically impossible, logical interfaces are configured instead: a trunk is configured with a different DOT1q VLAN tag for each VLAN.

Since the F0/0 interfaces of all routers are connected to SW1, let’s configure SW1 for these routers:

On SW1
SW1(config)#Int F0/3
SW1(config-if)#Swi mode acc
SW1(config-if)#Swi acc vlan 13
SW1(config-if)#No shut

NOTE: Since the F0/1 interface of SW1 is connected to R1’s F0/0 interface, and R1’s F0/0 interface must be configured in different VLANs, the F0/1 interface of this switch MUST be configured as a trunk.

SW1(config)#Int F0/1
SW1(config-if)#Swi trunk encap dot1q
SW1(config-if)#Swi mode trunk
SW1(config-if)#No shut

Let’s configure the routers starting with R3:

On R3
R3(config)#Int F0/0
R3(config-if)#IP addr 13.1.1.3 255.255.255.0
R3(config-if)#No shut

On R1
R1(config)#Int F0/0
R1(config-if)#No shut
R1(config-if)#Int F0/0.13
R1(config-subif)#Encap dot1q 13
R1(config-subif)#Ip addr 13.1.1.1 255.255.255.0

To verify the configuration:

On SW1
SW1#Show interface trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-4094

Port        Vlans allowed and active in management domain
Fa0/1       1,13

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1,13

On R1
R1#Ping 13.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 13.1.1.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

NOW let’s configure VLAN 34 connecting R3 to R4. We need some configuration on the switch to which these routers are connected. Let’s begin with the switch configuration: since the F0/1 interface of R3 is connected to SW2, the F0/3 interface of SW2 must be configured in VLAN 34:

On SW2
SW2(config)#Int F0/3
SW2(config-if)#Swi mode acc
SW2(config-if)#Swi acc vlan 34
SW2(config-if)#No shut

NOTE: R4’s F0/1 interface is also connected to SW2, but this interface is also configured in another VLAN (VLAN 45), so we know that the F0/1 interface of R4 must be configured as a trunk, and the port on the switch (SW2) to which it is connected should also be configured as a trunk.

On SW2
SW2(config)#int F0/4
SW2(config-if)#Swi trun encap dot1q
SW2(config-if)#Swi mode trunk
SW2(config-if)#No shut

Since the switch is configured, let’s move on to the routers, starting with R3. This router’s configuration is very basic: all we need to do is assign an IP address and “NO SHUT” the F0/1 interface.

On R3
R3(config)#Int F0/1
R3(config-if)#Ip addr 34.1.1.3 255.255.255.0
R3(config-if)#No shut

Let’s configure R4; we know that the F0/1 interface of this router must be configured as a trunk.

On R4
R4(config)#Int F0/1
R4(config-if)#No shut
R4(config)#int F0/1.34
R4(config-subif)#Encap dot1q 34
R4(config-subif)#Ip addr 34.1.1.4 255.255.255.0

To verify and test the configuration:

On SW2
SW2#Show interface trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/4       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/4       1-4094

Port        Vlans allowed and active in management domain
Fa0/4       1,34

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/4       1,34

R4#Ping 34.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 34.1.1.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

So we can see that when a physical Ethernet interface is configured in multiple VLANs, the interface of the router MUST be configured as a trunk, and the port on the switch to which it is connected MUST also be configured as a trunk.

Let’s configure VLAN 12. Just like any VLAN configuration, we have some configuration to perform on the switch(es) and some on the router(s). In this VLAN, R1’s F0/0 interface must be configured with another sub-interface; remember that earlier the F0/0 interface of R1 was configured with a sub-interface for VLAN 13. We also know that the F0/1 interface of the switch “SW1” is already configured as a trunk. Let’s verify this information:

On SW1
SW1#Show interface trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-4094

Port        Vlans allowed and active in management domain
Fa0/1       1,13

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1,13

Let’s configure SW1 for R2. Once again, the F0/0 interface of R2 is configured in two different VLANs; this means that the F0/0 interface of R2 and the port to which it is connected MUST be configured as a trunk.

On SW1
SW1(config)#Int F0/2
SW1(config-if)#Swi trunk encap dot1q
SW1(config-if)#Swi mode trunk
SW1(config-if)#No shut

On R1
R1(config)#Int F0/0.12
R1(config-subif)#Encap dot1q 12
R1(config-subif)#Ip address 12.1.1.1 255.255.255.0

On R2
R2(config)#Int F0/0
R2(config-if)#No shut
R2(config)#Int F0/0.12
R2(config-subif)#Encap dot1q 12
R2(config-subif)#Ip addr 12.1.1.2 255.255.255.0

To verify the configuration:

On R1
R1#Ping 12.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

What went wrong? Let’s verify whether the VLAN is allowed to traverse the trunk links:

On SW1
SW1#Show interface trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1
Fa0/2       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-4094
Fa0/2       1-4094

Port        Vlans allowed and active in management domain
Fa0/1       1,13
Fa0/2       1,13

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1,13
Fa0/2       1,13

ONLY VLAN 13 is allowed over the trunk, but WHY? Let’s see all the configured VLANs:

On SW1
SW1#Show vlan brie | Exc unsup
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/4, Fa0/5, Fa0/6, Fa0/7
                                                Fa0/8, Fa0/9, Fa0/10, Fa0/11
                                                Fa0/12, Fa0/13, Fa0/14, Fa0/15
                                                Fa0/16, Fa0/17, Fa0/18, Fa0/19
                                                Fa0/20, Fa0/21, Fa0/22, Fa0/23
                                                Fa0/24, Gi0/1, Gi0/2
13   VLAN0013                         active    Fa0/3

VLAN 13 was created when the F0/3 interface of SW1 was placed in VLAN 13. Since none of the interfaces of SW1 is implicitly configured in VLAN 12, this VLAN was never created. Let’s configure VLAN 12 on SW1:

On SW1
SW1(config)#VLAN 12
SW1(config-vlan)#Exit

R1#Ping 12.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

Let’s configure VLAN 24:

On SW1
NOTE: Placing the F0/4 interface of SW1 in VLAN 24 makes the IOS auto-create this VLAN; therefore, we won’t run into the previous problem.

SW1(config)#int F0/4
SW1(config-if)#Swi mode acc
SW1(config-if)#Swi acc vlan 24
SW1(config-if)#No shut

On R2
Another sub-interface is configured in VLAN 24:

R2(config)#Int F0/0.24
R2(config-subif)#Encap dot1q 24
R2(config-subif)#Ip addr 24.1.1.2 255.255.255.0

On R4
R4(config)#Int F0/0
R4(config-if)#Ip addr 24.1.1.4 255.255.255.0
R4(config-if)#No shut

To verify the configuration:

On R2
R2#Ping 24.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.1.1.4, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

The NEXT VLAN is VLAN 22. We can easily see that another sub-interface must be configured on R2. SW1’s F0/2 interface is already configured as a trunk. BB2’s F0/0 interface is in two different VLANs, so a trunk must be configured on the F0/0 interface of BB2 and on the port to which that interface is connected. Let’s start with SW1’s configuration:

On SW1
The port to which BB2’s F0/0 interface is connected is configured as a trunk to allow VLANs 22 and 123 to traverse it:

SW1(config)#Int F0/12
SW1(config-if)#Swi tru encap dot1q
SW1(config-if)#SWi mode trunk
SW1(config-if)#No shut

VLAN 22 MUST be configured on the switch:

SW1(config)#Vlan 22
SW1(config-vlan)#exit

Let’s configure another sub-interface for VLAN 22:

On R2
R2(config)#Int F0/0.22
R2(config-subif)#Encap dot1q 22
R2(config-subif)#Ip addr 22.1.1.2 255.255.255.0

On BB2
BB2(config)#Int F0/0
BB2(config-if)#No shut
BB2(config)#Int F0/0.22
BB2(config-subif)#Encap dot1q 22
BB2(config-subif)#Ip addr 22.1.1.22 255.255.255.0

To verify the configuration:

On R2
R2#Ping 22.1.1.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 22.1.1.22, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

Before going further into the configuration of this topology, let’s summarize what we have covered in this lab. When configuring routers in a VLAN we MUST pay attention to the following:

If the router’s interface is in ONE VLAN, then configure the VLAN on the switch and place the switch port to which the router is connected in that VLAN.

If the router’s interface is configured in multiple VLANs, then configure the interface of the router as a trunk. ISL encapsulation is only available on the older IOS and routers, therefore the ONLY encapsulation is DOT1q, and this means we configure multiple sub-interfaces on the router. Each sub-interface should be configured in the appropriate VLAN as identified in the topology. The switch port to which the router is connected must also be configured as a trunk. YOU MUST ENSURE THAT THE VLAN IS CONFIGURED AND THAT IT IS ALLOWED TO TRAVERSE THE TRUNK.

Let’s configure VLAN 45. R4 needs another sub-interface configuration; R5’s F0/1 interface must be configured as a trunk because it is in two different VLANs, the F0/5 interface of SW2 should also be configured as a trunk, and VLAN 45 MUST be configured/created on SW2.

On SW2
SW2(config)#Int F0/5
SW2(config-if)#Swi trunk encap dot1q
SW2(config-if)#Swi mode trunk
SW2(config-if)#No shut
SW2(config)#Vlan 45
SW2(config-vlan)#exit

On R4
R4(config)#Int F0/1.45
R4(config-subif)#encap dot1q 45
R4(config-subif)#Ip addr 45.1.1.4 255.255.255.0

On R5
R5(config)#Int F0/1
R5(config-if)#No shut
R5(config)#Int F0/1.45
R5(config-subif)#Encap dot1q 45
R5(config-subif)#Ip addr 45.1.1.5 255.255.255.0

To verify the configuration:

On R4
R4#Ping 45.1.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 45.1.1.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

Let’s configure VLAN 123. We know that the following must be configured:

• The F0/0 interface of BB3 must be configured in VLAN 123.
• The F0/13 interface of SW1 must be configured in VLAN 123; this is the interface to which BB3’s F0/0 interface is connected.
• BB1’s F0/0 must be configured as a trunk, since it is a member of multiple VLANs, VLAN 123 and VLAN 16.
• The interface of the switch to which BB1 is connected must also be configured as a trunk.
• Another sub-interface must be configured on BB2.

On SW1
SW1(config)#Int F0/13
SW1(config-if)#Swi mode acc
SW1(config-if)#Swi acc vlan 123
SW1(config-if)#No shut

On BB3
BB3(config)#Int F0/0
BB3(config-if)#Ip addr 123.1.1.33 255.255.255.0
BB3(config-if)#No shut

On BB1
BB1(config)#Int F0/0
BB1(config-if)#No shut
BB1(config-if)#Int F0/0.123
BB1(config-subif)#Encap dot1q 123
BB1(config-subif)#Ip addr 123.1.1.11 255.255.255.0

On SW1
SW1(config)#Int F0/11
SW1(config-if)#Swi tru encap dot1q
SW1(config-if)#Swi mode trunk
SW1(config-if)#No shu

On BB2
BB2(config)#Int F0/0.123
BB2(config-subif)#Encap dot1q 123
BB2(config-subif)#Ip addr 123.1.1.22 255.255.255.0

To verify the configuration:

On BB2
BB2#Ping 123.1.1.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.1.1.11, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

BB2#Ping 123.1.1.33
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.1.1.33, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms

The second to last VLAN is VLAN 16. To configure this VLAN we must configure the following:

• The F0/0 interface of R6 should be configured as a trunk, because it is connected to two different VLANs, VLAN 16 and VLAN 56.
• The F0/6 interface of SW1 must be configured as a trunk; this is the interface to which R6’s F0/0 interface is connected.
• VLAN 16 must be configured on this switch.
• Another sub-interface must be configured on BB1 for this VLAN.

On R6
R6(config)#Int F0/0
R6(config-if)#No shut
R6(config)#Int F0/0.16
R6(config-subif)#Encap dot1q 16
R6(config-subif)#Ip addr 16.1.1.6 255.255.255.0

On SW1
SW1(config)#Int F0/6
SW1(config-if)#Swi trunk encap dot1q
SW1(config-if)#Swi mode trunk
SW1(config-if)#No shut
SW1(config)#VLAN 16
SW1(config-vlan)#Exit

On BB1
BB1(config)#Int F0/0.16
BB1(config-subif)#Encap dot1q 16
BB1(config-subif)#Ip addr 16.1.1.11 255.255.255.0

To verify the configuration:

On BB1
BB1#Ping 16.1.1.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 16.1.1.6, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

NOW……the last VLAN in this topology, VLAN 56.
- In this case we can see that R5 is using its F0/1 and R6 is using its F0/0 interface, which means that they are connected to two different switches. A trunk must therefore be configured to connect these two switches, and the trunk must allow the VLAN to traverse this trunk link.
- A sub-interface must be configured on R5 for this VLAN.
- A sub-interface must be configured on R6 for this VLAN.
- VLAN 56 must be configured on BOTH SWITCHES, or VTP messages must be configured to propagate the VLAN.

On SW1
SW1(config)#Vlan 56
SW1(config-vlan)#exit

On SW2
SW2(config)#Vlan 56
SW2(config-vlan)#exit

To configure a trunk link between the switches:

On SW1 and SW2
SWx(config)#Int F0/18
SWx(config-if)#Swi tru enc dot
SWx(config-if)#Swi mode trunk
SWx(config-if)#No shu

On R5
R5(config)#Int F0/1.56
R5(config-subif)#Encap dot 56
R5(config-subif)#Ip addr 56.1.1.5 255.255.255.0

On R6
R6(config)#Int F0/0.56
R6(config-subif)#Encap dot 56
R6(config-subif)#Ip addr 56.1.1.6 255.255.255.0

To verify and test the configuration

On SW1
SW1#Show inter F0/18 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/18      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/18      1-4094

Port        Vlans allowed and active in management domain
Fa0/18      1,12-13,16,22,24,56,123

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/18      1,12-13,16,22,24,56,123

On SW2
SW2#Show interface f0/18 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/18      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/18      1-4094

Port        Vlans allowed and active in management domain
Fa0/18      1,34,45,56

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/18      1,34,45,56

On R5
R5#Ping 56.1.1.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 56.1.1.6, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

Task 3
Erase the startup configuration and reload the routers and switches before proceeding to the next lab.

LAB 2- Spanning-tree Protocol 802.1D

[Topology diagram: SW1 and SW2, interfaces F0/19 and F0/20]

Task 1
Shutdown all ports on the four switches.

On All Switches:
Switch(config)#Int range f0/1-24
Switch(config-if-range)#Shut

To verify the configuration:

On All Switches:
Switch#Show interface status | Exc disabled|notconnect

Port      Name               Status       Vlan       Duplex  Speed Type

Task 2
Configure Dot1q trunking on the F0/19 and F0/20 interfaces of SW1 and SW2.

On SW1 and SW2
SW2(config)#Int range f0/19-20
SW2(config-if-range)#Switchport trunk encapsulation dot1q
SW2(config-if-range)#Switchport mode trunk
SW2(config-if-range)#No shut

To verify the configuration:

On SW1
SW1#Show inter trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/19      on           802.1q         trunking      1
Fa0/20      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/19      1-4094
Fa0/20      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      1
Fa0/20      1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/19      none
Fa0/20      none

Task 3
Which switch is the root bridge and why?

Before we start with the show commands, let’s review the STP protocol: When the switches come up, they will both think of themselves as the root bridge, and they will send BPDUs out every port advertising themselves as the root bridge. What does a BPDU look like?

Field            Size
---------------  -------
Protocol-ID      2 Bytes
Version          1 Byte
Msg Type         1 Byte
Flags            1 Byte
Root ID          8 Bytes
Root-Path-Cost   4 Bytes
Bridge-ID        8 Bytes
Port-ID          2 Bytes
Msg Age          2 Bytes
Max Age          2 Bytes
Hello Time       2 Bytes
Forward-delay    2 Bytes

Let’s explain the fields:

Protocol-ID      Indicates the type of the protocol; it’s set to zero
Version          Identifies the version of the protocol; it’s set to zero
Message Type     Indicates the type of message; it’s set to zero
Flags            This field includes one of the following:
                 - TC-bit, which signals a topology change
                 - TCA-bit, which is set to ACK the receipt of a configuration message with the TC-bit set
Root ID          The BID of the root bridge
Root Path Cost   Cumulative cost of the sending bridge to the root bridge
Bridge ID        Indicates the Priority and the BID of the sending bridge
Port ID          Indicates the port number through which the BPDU was sent
Message Age      The elapsed time since the root bridge sent the configuration message
Max-Age          Indicates when the current configuration message should be deleted
Hello Time       The time between the root bridge configuration messages
Forward-delay    Indicates the length of time that the bridge should wait before transitioning to a new state after a topology change

So initially, every switch will set the Root-ID and the Bridge-ID to the local BID’s value. Let’s see the BID of each switch:

On SW1
SW1#Show spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0012.7f40.9380
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0012.7f40.9380
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/19           Desg FWD 19        128.21   P2p
Fa0/20           Desg FWD 19        128.22   P2p

We can see that the BID, which is a concatenation of the Priority value and the MAC address, is identical in the Bridge ID and the Root ID sections of the above show command, which means that this bridge MUST be the root bridge; the output also clearly states “This bridge is the root”.

The receiving bridge compares the received Root-id to its own Root-id, and the lower value wins: if the received Root-id is better (lower) than the local Root-id, the local Root-id is replaced with the Root-id in the received BPDUs. Since the MAC address is different on every switch, the priority is looked at first, and as a tie breaker the switch with the lowest MAC address becomes the Root bridge. Let’s look at SW2:

On SW2
SW2#Show spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0012.7f40.9380
             Cost        19
             Port        21 (FastEthernet0/19)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     001d.e5d6.0000
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/19           Root FWD 19        128.21   P2p
Fa0/20           Altn BLK 19        128.22   P2p

Another way of knowing which switch is the Root bridge is to use the following command:

On SW2
SW2#Show spanning-tree root

                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001         32769 0012.7f40.9380        19     2  20  15  Fa0/19

NOTE: The last field (Root Port) indicates that the root bridge is found through the F0/19 interface. Let’s use CDP to find out the device that is connected to the F0/19 interface:

SW2#Show cdp neighbor F0/19 | B Device ID
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
SW1              Fas 0/19          173            S I     WS-C3560-2Fas 0/19

Let’s check SW1:

SW1#Show spanning-tree root

                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001         32769 0012.7f40.9380         0     2  20  15

NOTE: The “Root Port” column is empty, which indicates that this switch is the Root bridge.

Task 4
Which port is the Root-Port?

Every Non-Root Bridge must select a Root Port. The Root Port is the closest port to the Root Bridge. The Root port calculation is based on the Root-Path-Cost, which is the cumulative cost of all links to the Root Bridge. In this topology, SW2 is the Non-Root Bridge, so let’s find out the Root Port:

On SW2
SW2#Show spanning-tree | B Interface

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/19           Root FWD 19        128.21   P2p
Fa0/20           Altn BLK 19        128.22   P2p

We can clearly see that the F0/19 of SW2 is the root port, but what if there is a tie? Let’s go through the golden rules that STP uses to break ties:
- A lower Root BID
- A lower Path cost to the Root Bridge
- A lower Sending BID
- A lower Sending Port-ID, which is the combination of “Priority.Port-id”

Since the Root Bridge is already known, let’s go with the second rule and check the Path cost to the Root Bridge:

On SW2
SW2#Sh spanning-tree root

                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001         32769 0012.7f40.9380        19     2  20  15  Fa0/19

Let’s shutdown the F0/19 interface and check the cost through the F0/20 interface:

SW2(config)#Int F0/19
SW2(config-if)#Shut

SW2#Show spanning-tree root

                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001         32769 0012.7f40.9380        19     2  20  15  Fa0/20

Let’s enable the F0/19 interface of SW2:

On SW2
SW2(config)#Int F0/19
SW2(config-if)#No shut

In this case both F0/19 and F0/20 have the same cost. Since the cost to the Root Bridge is the same through both paths, let’s check the next rule, which is the “Lower Sending BID”. In this case it will be the same, since both interfaces are connected to the same switch (SW1); therefore, let’s look at the last rule, “The lowest sending Port-ID”. To find out the lowest sending port-id, we can use the “Show spanning-tree” command:

On SW2
SW2#Show spanning-tree | B Interface

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/19           Root FWD 19        128.21   P2p
Fa0/20           Altn BLK 19        128.22   P2p

We can see why the F0/19 interface is the Root port and the F0/20 interface is in “BLK” state: the “Prio.Nbr” column reveals the priority.Port-ID of the neighboring switch. You can see that the F0/19 interface and the F0/20 interface receive the same port-priority value from SW1, but the port-id is lower through the local F0/19 interface versus the F0/20 interface of SW2.
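
The BPDU layout and the four tie-break rules above can be checked together in a short script. This is an added example, not part of the original lab: the function and class names are hypothetical, the bridge addresses, costs and port IDs are the ones in the show outputs above, and the timer encoding (units of 1/256 second) and flag bit positions come from the 802.1D standard rather than from this page.

```python
import struct
from dataclasses import dataclass

# Configuration BPDU body in the field order and sizes listed in the table above:
# 2+1+1+1+8+4+8+2+2+2+2+2 = 35 bytes, big-endian.
BPDU_FMT = ">HBBB8sI8sHHHHH"
FLAG_TC, FLAG_TCA = 0x01, 0x80  # topology change / topology change acknowledgment


def bridge_id(priority, mac):
    """8-byte BID: 2-byte priority (sys-id-ext included) + MAC in IOS dotted form."""
    return struct.pack(">H", priority) + bytes.fromhex(mac.replace(".", ""))


def split_priority(bid):
    """Split the 16-bit priority field into (priority, sys-id-ext), as IOS prints it."""
    value = struct.unpack(">H", bid[:2])[0]
    return value & 0xF000, value & 0x0FFF


def port_id(priority, number):
    """2-byte port ID as shown in the Prio.Nbr column (valid for port numbers < 256)."""
    return (priority << 8) | number


@dataclass(frozen=True)
class ConfigBPDU:
    flags: int
    root_id: bytes
    root_path_cost: int
    bridge_id: bytes
    port_id: int
    message_age: float = 0.0
    max_age: float = 20.0
    hello_time: float = 2.0
    forward_delay: float = 15.0

    def pack(self):
        # Timers travel on the wire in units of 1/256 second.
        timers = [int(t * 256) for t in
                  (self.message_age, self.max_age, self.hello_time, self.forward_delay)]
        return struct.pack(BPDU_FMT, 0, 0, 0, self.flags, self.root_id,
                           self.root_path_cost, self.bridge_id, self.port_id, *timers)


def parse_bpdu(raw):
    """Decode the 35-byte configuration BPDU body; reject anything else."""
    size = struct.calcsize(BPDU_FMT)
    if len(raw) < size:
        raise ValueError("truncated BPDU")
    proto, version, msg_type, flags, root, cost, bid, pid, *timers = \
        struct.unpack(BPDU_FMT, raw[:size])
    if (proto, version, msg_type) != (0, 0, 0):
        raise ValueError("not an 802.1D configuration BPDU")
    return ConfigBPDU(flags, root, cost, bid, pid, *(t / 256 for t in timers))


def better_root(local_bid, received_root):
    """Root election step: the lower BID (priority first, then MAC) wins."""
    return min(local_bid, received_root)


def elect_root_port(received, port_cost):
    """Apply the four tie-break rules in order to the BPDU heard on each local port."""
    def vector(port):
        b = received[port]
        return (b.root_id,                           # 1. lower root BID
                b.root_path_cost + port_cost[port],  # 2. lower path cost to the root
                b.bridge_id,                         # 3. lower sending BID
                b.port_id)                           # 4. lower sending port ID
    return min(received, key=vector)


# Values taken from the show outputs on this page.
SW1 = bridge_id(32769, "0012.7f40.9380")
SW2 = bridge_id(32769, "001d.e5d6.0000")
# BPDUs that SW1 (the root, cost 0) sends out Fa0/19 (128.21) and Fa0/20 (128.22),
# keyed by the SW2 port that receives them.
HEARD_ON_SW2 = {
    "Fa0/19": ConfigBPDU(0, SW1, 0, SW1, port_id(128, 21)),
    "Fa0/20": ConfigBPDU(0, SW1, 0, SW1, port_id(128, 22)),
}

if __name__ == "__main__":
    wire = HEARD_ON_SW2["Fa0/19"].pack()
    print(len(wire), parse_bpdu(wire))
    print("root bridge:", better_root(SW2, SW1).hex())
    print("root port:", elect_root_port(HEARD_ON_SW2, {"Fa0/19": 19, "Fa0/20": 19}))
```

With equal costs the decision falls through to rule 4 and Fa0/19 wins; passing a lower local cost for Fa0/20 decides the election at rule 2 instead.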

Task 5
Which port is the Designated-Port for the two segments?

There should be one designated port per segment, and there are two segments connecting the two switches. Since SW1 is the Root Bridge, and all the ports on the Root bridge will always be in designated state, ports F0/19 and F0/20 of SW1 are elected as the designated ports on the two segments; the designated ports are elected based on the lowest path cost. Let’s verify:

On SW1
SW1#Show spanning-tree root

                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001         32769 0012.7f40.9380         0     2  20  15

NOTE: No matter which port is used on the root bridge (SW1), the cost is zero, and that is why all interfaces on the Root bridge will always be in designated state: they will always be the closest interface to the root bridge.

Task 6
Which port is in the “BLK” state?

Once all the designated ports and the Root ports are determined, the rest of the port/s (left over ports) will be in blocked state. Let’s verify:

On SW1
SW1#Show spanning-tree blockedports

Name                 Blocked Interfaces List
-------------------- ------------------------------------

Number of blocked ports (segments) in the system : 0

Of course, there should NOT be any ports in blocking state on the root bridge. Let’s verify the blocked port on SW2:

On SW2
SW2#Show spanning-tree blockedports

Name                 Blocked Interfaces List
-------------------- ------------------------------------
VLAN0001             Fa0/20

Number of blocked ports (segments) in the system : 1

Let’s verify that information:

On SW2
SW2#Show spanning-tree | B Interface

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/19           Root FWD 19        128.21   P2p
Fa0/20           Altn BLK 19        128.22   P2p

Task 7
Configure SW2 such that its F0/20 interface transitions into “FWD” state and the F0/19 interface transitions into “BLK” state.

The “BLK” port is the port with the highest path cost; therefore, if the cost of the F0/20 interface is changed to be lower than the F0/19 interface, then the F0/20 interface will transition into “FWD” state and the F0/19 interface will transition into “BLK” state. Let’s test this:

On SW2
SW2(config)#Int F0/20
SW2(config-if)#Spanning-tree cost 10

To verify the configuration:

On SW2
SW2#Show spanning-tree | B Interface

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/19           Altn BLK 19        128.21   P2p
Fa0/20           Root LIS 10        128.22   P2p

SW2#Show spannin | B Interface

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/19           Altn BLK 19        128.21   P2p
Fa0/20           Root LRN 19        128.22   P2p

SW2#Show spanning-tree | B Interface

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/19           Altn BLK 19        128.21   P2p
Fa0/20           Root FWD 10        128.22   P2p

We can see that the F0/20 goes through Listening and Learning state and transitions into “FWD” state, and the F0/19 transitions into “BLK” state.

Task 8
Remove the configuration commands from the previous task, and configure SW1 such that the F0/20 interface of SW2 transitions into “FWD” state and the F0/19 interface of SW2 transitions into “BLK” state.

On SW2
SW2(config)#int f0/20
SW2(config-if)#No Spanning-tree cost 10

To verify the configuration:

On SW2
SW2#Show spanning-tree | B Interface

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/19           Root FWD 19        128.21   P2p
Fa0/20           Altn BLK 19        128.22   P2p

To configure SW1
SW1(config)#Int F0/20
SW1(config-if)#Spanning-tree port-priority 0

To verify the configuration:

On SW1
SW1#Show spanning-tree | B Interface

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/19           Desg FWD 19        128.21   P2p
Fa0/20           Desg FWD 19        0.22     P2p

On SW2
SW2#Show spanning-tree | B Interface

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/19           Altn BLK 19        128.21   P2p
Fa0/20           Root FWD 19        128.22   P2p

As you can see, when it comes to port-priority, it affects the neighboring switch.

Task 9
Configure SW2 to be the root bridge. You should use a macro to accomplish this task.

To accomplish this task using a MACRO, we can use “root primary”. Let’s test this MACRO:

On SW2
SW2(config)#Spanning-tree vlan 1 root primary

To verify the configuration:

On SW2
SW2#Show spanning-tree vlan 1

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     001d.e5d6.0000
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
             Address     001d.e5d6.0000
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 15

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/19           Desg FWD 19        128.21   P2p
Fa0/20           Desg FWD 19        128.22   P2p

NOTE: The default priority is 32768, and with every VLAN, the default value is incremented by the VLAN ID. In this case the ONLY VLAN in the database is VLAN 1; therefore, 32768 + 1 = 32769. Using the “Spanning-tree root primary” macro, the total priority is reduced by 8192, so: 32769 - 8192 = 24577, and we know that the switch with the lowest priority will become the root bridge.

Task 10
Remove the command from the previous task, and configure SW2 to be the root bridge. You should NOT use a macro to accomplish this task.

On SW2
SW2(config)#No spanning-tree vlan 1 root pri

To verify the configuration:

On SW1
SW1#Show spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0012.7f40.9380
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0012.7f40.9380
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 15

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/19           Desg FWD 19        128.21   P2p
Fa0/20           Desg FWD 19        0.22     P2p

On SW2
SW2(config)#Spanning-tree vlan 1 priority 0

To verify the configuration:

On SW2
SW2#Show spanning-tree vlan 1

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    1
             Address     001d.e5d6.0000
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    1  (priority 0 sys-id-ext 1)
             Address     001d.e5d6.0000
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 15

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/19           Desg FWD 19        128.21   P2p
Fa0/20           Desg FWD 19        128.22   P2p

Task 11
Remove the command from the previous task, and configure two VLANs 100 and 200. SW1 should be configured such that on SW2 the traffic for VLAN 100 takes the F0/19 interface, whereas the traffic for VLAN 200 takes the F0/20 interface.

On SW2
SW2(config)#No Spanning-tree vlan 1 priority 0

On SW1
SW1(config)#int f0/20
SW1(config-if)#No spanning-tree port-priority 0
SW1(config)#vtp domain tst
Changing VTP domain name from NULL to tst
SW1(config)#VLAN 100,200
SW1(config-vlan)#exit

To verify the configuration:

On SW2
SW2#Show vlan brie | Exc unsup

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gi0/1, Gi0/2
100  VLAN0100                         active
200  VLAN0200                         active

We can see that the configured VLANs (100 and 200) are propagated to SW2 via VTP messages. Let’s configure the load sharing part of this task:

SW1(config)#Int F0/19
SW1(config-if)#Spanning-tree vlan 100 port-priority 16
SW1(config-if)#int f0/20
SW1(config-if)#Spanning-tree vlan 200 port-priority 16

To verify the configuration:

On SW2
The output of the following show commands reveals that on SW2 the traffic for VLAN 100 uses the F0/19 interface, whereas the traffic for VLAN 200 uses the F0/20 interface.

SW2#Show spanning-tree vlan 100 | B Interface

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/19           Root FWD 19        128.21   P2p
Fa0/20           Altn BLK 19        128.22   P2p

SW2#Show spanning-tree vlan 200 | B Interface

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/19           Altn BLK 19        128.21   P2p
Fa0/20           Root FWD 19        128.22   P2p

Let’s verify these values on SW1

On SW1
SW1#Show spanning-tree vlan 100 | B Interface

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/19           Desg FWD 19        16.21    P2p
Fa0/20           Desg FWD 19        128.22   P2p

SW1#Show spanning-tree vlan 200 | B Interface

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/19           Desg FWD 19        128.21   P2p
Fa0/20           Desg FWD 19        16.22    P2p

Task 12
Erase the startup configuration and vlan.dat and reload the switches before proceeding to the next lab.

Lab 1 – Multipoint Hub-n-Spoke using Frame-relay map statements

[Topology diagram: hub R1 (S0/0, 10.1.1.1 /24, DLCIs 102, 103 and 104) connected through the Frame-relay cloud to spokes R2 (S0/0, 10.1.1.2 /24, DLCI 201), R3 (S0/0, 10.1.1.3 /24, DLCI 301) and R4 (S0/0, 10.1.1.4 /24, DLCI 401)]

IP addressing and DLCI information Chart:

Routers      IP address      Local DLCI   Connecting to:
-----------  --------------  -----------  --------------
R1’s S0/0    10.1.1.1 /24    102          R2
                             103          R3
                             104          R4
R2’s S0/0    10.1.1.2 /24    201          R1
R3’s S0/0    10.1.1.3 /24    301          R1
R4’s S0/0    10.1.1.4 /24    401          R1

Task 1
Configure a frame-relay Hub and spoke using frame-relay map statements. Use the IP addressing in the above chart. Disable inverse-arp such that the routers do not generate inverse-arp request packets, and ensure that only the assigned DLCIs in the above diagram are used and mapped. These mappings should be as follows:
- On R1: DLCIs 102, 103 and 104 should be mapped to R2, R3 and R4 respectively.
- On R2, R3 and R4: DLCIs 201, 301 and 401 should be used on R2, R3 and R4 respectively for their mappings to R1 (the hub).

In the future the Eigrp routing protocol will be configured on these routers; ensure that the routers can handle the Multicast traffic generated by the Eigrp routing protocol. DO NOT configure any sub-interface(s) to accomplish this task.

On R1
R1(config)#Int S0/0
R1(config-if)#IP address 10.1.1.1 255.255.255.0
R1(config-if)#Encapsulation frame
R1(config-if)#Frame-relay map ip 10.1.1.2 102 broadcast
R1(config-if)#Frame-relay map ip 10.1.1.3 103 broadcast
R1(config-if)#Frame-relay map ip 10.1.1.4 104 broadcast
R1(config-if)#NO frame-relay inverse-arp
R1(config-if)#NO shut

To verify the configuration:

On R1
R1#Show frame-relay map
Serial0/0 (up): ip 10.1.1.2 dlci 102(0x66,0x1860), static, broadcast, CISCO, status defined, inactive
Serial0/0 (up): ip 10.1.1.3 dlci 103(0x67,0x1870), static, broadcast, CISCO, status defined, inactive
Serial0/0 (up): ip 10.1.1.4 dlci 104(0x68,0x1880), static, broadcast, CISCO, status defined, inactive

You may see DLCIs 105 and 106 mapped to the 0.0.0.0 IP address. These dynamic mappings may not affect Unicast traffic, but they will affect Multicast and/or Broadcast traffic; therefore, they should be removed from the mapping table. The “Clear frame-relay inarp” command will NOT have any effect on these entries, whereas saving the configuration and then reloading the routers will definitely clear the 0.0.0.0 mappings. Another way to clear the “0.0.0.0” mapping is to remove the encapsulation and then configure it back again, but once the encapsulation is removed, the frame-relay commands configured under the interface are also removed.

The output of the above show command shows that the DLCIs are all in “inactive” status. This means that the problem is on the other side of the VC; in this case, the other ends of these VCs are not configured yet, and once they are configured, the status should transition to active state. Let’s configure the spoke routers:

On R2
R2(config)#Int S0/0
R2(config-if)#Ip address 10.1.1.2 255.255.255.0
R2(config-if)#Encapsulation frame
R2(config-if)#Frame-relay map ip 10.1.1.1 201 broadcast
R2(config-if)#NO frame-relay inverse-arp
R2(config-if)#NO shut

To verify the configuration:

On R2
Let’s start with layer one and see if we have a serial cable connected to the Frame-relay switch and, if so, which end of the cable is connected to our router, DTE or DCE. The output of the following show command shows that the DTE end of the cable is connected to our local router, and the “Clocks detected” tells us that we are receiving clocking from a DCE device. This should always be the first step in troubleshooting frame-relay. If the output of the following command showed that we have the DCE end of the cable connected to our router, then the local router has to provide clocking, which means that the “Clock rate” command MUST be configured on the physical interface or else the VC will NOT transition into UP/UP state.

R2#Show controller S0/0 | Inc clocks
DTE V.35 TX and RX clocks detected.

In the next step, we should see if the local router is exchanging LMIs with the frame-relay switch.

NOTE: Keepalive LMIs are exchanged every 10 seconds, which means that if the frame-relay switch is configured correctly and the LMI types are also configured correctly (they match on the router and the switch), then you should see the number of status Enquiries sent and received increment every 10 seconds.

R2#Show frame-relay lmi | Inc Num
  Num Status Enq. Sent 68               Num Status msgs Rcvd 69
  Num Update Status Rcvd 0              Num Status Timeouts 0

R2#Show frame-relay lmi | Inc Num
  Num Status Enq. Sent 69               Num Status msgs Rcvd 70
  Num Update Status Rcvd 0              Num Status Timeouts 0

Next the frame-relay maps are checked:

R2#Show frame-relay map 201
Serial0/0 (up): ip 10.1.1.1 dlci 201(0xC9,0x3090), static, broadcast, CISCO, status defined, active

NOTE: The output of the above show command reveals that the remote IP address of 10.1.1.1 is mapped to the local DLCI of 201. Make sure you see the correct IP address. In the parentheses, DLCI 201 is presented in Hexadecimal and Q922 format. If the Hexadecimal value of “0xC9” is converted to decimal, the result is 201, which is the local DLCI number. The second Hexadecimal value of “0x3090” indicates how the DLCI is split into two sections within the Frame-relay header: a DLCI is a 10-bit number, and the first 6 bits (the most significant 6 bits) are in the first byte and the last 4 bits of the DLCI are found in the beginning of the second byte of the Frame-relay frame, as follows:

[Figure: Frame Relay header structure]

Notice how the 10 bits are divided? 6 bits are in the first Byte and the remaining 4 bits are in the second Byte. If the hex value of “0x3090” is converted to decimal, you will once again see a DLCI value of 201, as follows:

Convert 0x3090 to Binary:

3     0     9     0
0011  0000  1001  0000

Take the most significant 6 bits of the first byte, in this case: 001100
Take the most significant 4 bits of the second byte, in this case: 1001

Note the most significant 6 bits of the first byte and the most significant 4 bits of the second byte are concatenated into a 10 bit value, as follows: 0011001001

If the above binary number is converted to decimal (1 + 8 + 64 + 128), you should get 201.

In the final step, an end to end reachability is tested:

R2#Ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/60 ms

Let’s configure R3:

On R3
R3(config)#Int S0/0
R3(config-if)#Ip address 10.1.1.3 255.255.255.0
R3(config-if)#Encapsulation frame
R3(config-if)#Frame-relay map ip 10.1.1.1 301 broadcast
R3(config-if)#NO frame-relay inverse-arp
R3(config-if)#NO shut

To verify the configuration:

On R3
R3#Ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/60 ms

R3#Show frame map
Serial0/0 (up): ip 10.1.1.1 dlci 301(0x12D,0x48D0), static, broadcast, CISCO, status defined, active

Let’s configure R4:

On R4
R4(config)#Int S0/0
R4(config-if)#Ip address 10.1.1.4 255.255.255.0
R4(config-if)#Encapsulation frame
R4(config-if)#Frame-relay map ip 10.1.1.1 401 broadcast
R4(config-if)#NO frame-relay inverse-arp
R4(config-if)#NO shut

To verify the configuration:

On R4
R4#Ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/50/52 ms

R4#Show frame-relay map
Serial0/0 (up): ip 10.1.1.1 dlci 401(0x191,0x6410), static, broadcast, CISCO, status defined, active
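
The DLCI-to-Q922 conversion worked by hand for DLCI 201 above generalizes to every map entry in this task, and the same pass can flag the 0.0.0.0 and inactive entries discussed earlier. The script below is an added example, not part of the original lab: the function names are hypothetical, the C/R, FECN, BECN, DE and EA bit positions come from the standard 2-byte Q.922 address format rather than from this page, and the DLCI 105 line is constructed to represent the 0.0.0.0 case.

```python
import re

# One "show frame-relay map" entry: peer IP, decimal DLCI, and the two hex forms.
MAP_RE = re.compile(
    r"ip (?P<ip>\d+\.\d+\.\d+\.\d+)\s+dlci (?P<dlci>\d+)"
    r"\(0x(?P<hex>[0-9A-Fa-f]+),0x(?P<q922>[0-9A-Fa-f]+)\)(?P<rest>.*)")


def dlci_to_q922(dlci, cr=0, fecn=0, becn=0, de=0):
    """Build the 2-byte Q.922 address field that carries a 10-bit DLCI."""
    if not 0 <= dlci <= 0x3FF:
        raise ValueError("DLCI must fit in 10 bits")
    first = (dlci >> 4) << 2 | cr << 1                    # upper 6 bits, C/R, EA=0
    second = (dlci & 0xF) << 4 | fecn << 3 | becn << 2 | de << 1 | 1  # lower 4 bits, EA=1
    return bytes([first, second])


def q922_to_fields(addr):
    """Decode a 2-byte Q.922 address field into the DLCI and its flag bits."""
    first, second = addr[0], addr[1]
    if first & 1 or not second & 1:
        raise ValueError("not a 2-byte Q.922 address (EA bits)")
    return {"dlci": (first >> 2) << 4 | second >> 4,
            "cr": first >> 1 & 1, "fecn": second >> 3 & 1,
            "becn": second >> 2 & 1, "de": second >> 1 & 1}


def ios_q922_value(dlci):
    """Second hex number in the IOS output: DLCI bits in place, every other bit zero."""
    return (dlci >> 4) << 10 | (dlci & 0xF) << 4


def audit_map(lines):
    """Return (ip, dlci, problems) per entry; problems is empty when the entry is sane."""
    results = []
    for line in lines:
        m = MAP_RE.search(line)
        if not m:
            continue
        dlci, problems = int(m["dlci"]), []
        if int(m["hex"], 16) != dlci:
            problems.append("hex form does not match DLCI")
        if int(m["q922"], 16) != ios_q922_value(dlci):
            problems.append("Q.922 form does not match DLCI")
        if m["ip"] == "0.0.0.0":
            problems.append("0.0.0.0 mapping: remove from the table")
        if "inactive" in m["rest"]:
            problems.append("PVC inactive: check the far end")
        results.append((m["ip"], dlci, problems))
    return results


MAP_OUTPUT = [
    # Entries taken from the show outputs on this page.
    "Serial0/0 (up): ip 10.1.1.1 dlci 201(0xC9,0x3090), static, broadcast, CISCO, status defined, active",
    "Serial0/0 (up): ip 10.1.1.1 dlci 301(0x12D,0x48D0), static, broadcast, CISCO, status defined, active",
    "Serial0/0 (up): ip 10.1.1.1 dlci 401(0x191,0x6410), static, broadcast, CISCO, status defined, active",
    "Serial0/0 (up): ip 10.1.1.2 dlci 102(0x66,0x1860), static, broadcast, CISCO, status defined, inactive",
    # Constructed entry for the 0.0.0.0 case the page describes (DLCI 105).
    "Serial0/0 (up): ip 0.0.0.0 dlci 105(0x69,0x1890) broadcast, CISCO, status defined, inactive",
]

if __name__ == "__main__":
    print(dlci_to_q922(201).hex(), hex(ios_q922_value(201)))
    for ip, dlci, problems in audit_map(MAP_OUTPUT):
        print(ip, dlci, problems or "ok")
```

On the wire the last address byte carries EA=1, so DLCI 201 is sent as 0x3091; the value IOS prints (0x3090) has only the ten DLCI bits set.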

Task 2
Ensure that every router can ping every IP address connected to the cloud. When configuring this task, ensure that the hub router does NOT receive redundant routing traffic.

NOTE: “Every IP address connected to the cloud” also includes the local router’s IP address. Let’s test the existing situation:

Remember router’s IP address is also connected to the cloud

On R1
R1#Ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

The ping is NOT successful. Let’s enable the “Debug Frame-relay packet” and try the ping again:

R1#Debug Frame-relay packet
Frame Relay packet debugging is on

R1#Ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:

You should see the following debug output:

Serial0/0:Encaps failed--no map entry link 7(IP).
Serial0/0:Encaps failed--no map entry link 7(IP).
Serial0/0:Encaps failed--no map entry link 7(IP).
Serial0/0:Encaps failed--no map entry link 7(IP).
Serial0/0:Encaps failed--no map entry link 7(IP).

Success rate is 0 percent (0/5)

Let’s disable the debug:

On R1
R1#u all

The output of the above debug states that there is NO mapping and that encapsulation failed because of that. Frame-relay can be configured in two different ways: Multipoint and Point-to-point. There is ONLY one way to configure frame-relay in a point-to-point manner, and that’s through a point-to-point sub-interface configuration, whereas a multipoint can be configured in two ways:
- Perform the entire configuration directly under the main interface.
- Configure a sub-interface in a multipoint manner.

Since the entire configuration was performed without the use of sub-interfaces, this is a multipoint interface. In a multipoint frame-relay configuration two conditions must be met before an IP address is reachable:
A. The destination IP address must be in the routing table with a valid next hop.
B. There must be a frame-relay mapping for that destination.

In this case the destination IP address is in the routing table, but the frame-relay mapping is missing. When configuring the frame-relay mapping, you can use any active DLCI on the local router:

On R1

R1(config)#Interface S0/0
R1(config-if)#Frame-relay map ip 10.1.1.1 102

NOTE: Since the local router will NOT be sending Multicast or Broadcast traffic to itself, there is no need to add the “Broadcast” keyword for this mapping configuration.

To verify the configuration:

On R1

R1#Ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/101/108 ms

Let’s test R2’s reachability. We already know that it needs a frame-relay map, or else it will not be able to ping its own IP address, so let’s configure one and test:

On R2

R2(config)#Int S0/0
R2(config-if)#Frame-relay map ip 10.1.1.2 201

To test the configuration:

On R2

R2#Ping 10.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/100/108 ms

Let’s see if R2 can ping the other spokes:

On R2

R2#Ping 10.1.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R2#Ping 10.1.1.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Do we have frame-relay mappings for these destinations? Let’s check:

On R2

R2#Show frame-relay map

Serial0/0 (up): ip 10.1.1.2 dlci 201(0xC9,0x3090), static,
              CISCO, status defined, active
Serial0/0 (up): ip 10.1.1.1 dlci 201(0xC9,0x3090), static,
              broadcast,
              CISCO, status defined, active

NOTE: There are two frame-relay mappings, one for 10.1.1.2 and one for 10.1.1.1. Let’s add two more frame-relay mappings, one for 10.1.1.3 and the second one for 10.1.1.4:

On R2

R2(config)#Int S0/0
R2(config-if)#Frame-relay map ip 10.1.1.3 201
R2(config-if)#Frame-relay map ip 10.1.1.4 201

There are two points that you need to remember:

a. The destination IP address must be in the routing table with a valid next hop.
b. There must be a frame-relay mapping for that destination.

To test the configuration:

On R2

R2#Ping 10.1.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Let’s turn on the “Debug Frame-relay packet” and ping again and see the result:

On R2

R2#Deb frame pack
Frame Relay packet debugging is on

R2#Ping 10.1.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:

Serial0/0(o): dlci 201(0x3091), pkt type 0x800(IP), datagramsize 104.
Serial0/0(o): dlci 201(0x3091), pkt type 0x800(IP), datagramsize 104.
Serial0/0(o): dlci 201(0x3091), pkt type 0x800(IP), datagramsize 104.
Serial0/0(o): dlci 201(0x3091), pkt type 0x800(IP), datagramsize 104.
Serial0/0(o): dlci 201(0x3091), pkt type 0x800(IP), datagramsize 104.

Success rate is 0 percent (0/5)

It seems like the local router (R2) is sending the packets out. Let’s enable the same debugging on R3 and see the result:

On R2

R2#Ping 10.1.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

On R3

Serial0/0(i): dlci 301(0x48D1), pkt type 0x800, datagramsize 104
Serial0/0:Encaps failed--no map entry link 7(IP)

It looks like R3 is missing a frame-relay map back to R2. Let’s configure a frame-relay map on R3 for R2 and test again:

On R3

R3(config)#Int S0/0
R3(config-if)#Frame-relay map ip 10.1.1.2 301

To verify the configuration:

On R2

R2#Ping 10.1.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/100/100 ms

Perfect. Let’s do the same on R4.

On R4

R4(config)#Int S0/0
R4(config-if)#Frame-relay map ip 10.1.1.2 401

To verify the configuration:

On R2

R2#Ping 10.1.1.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/100/108 ms

When configuring the frame-relay mapping from one spoke to another spoke, the “Broadcast” keyword should not be used. If this keyword is used, the hub router will receive redundant routing traffic. This can be verified by running RIPv2 and performing a “Debug ip rip” command on the hub router.

Task 3
Configure the routers such that the LMI status inquiries are sent every 5 seconds and Full Status LMI requests are sent every 3 cycles instead of 6.

By default, frame-relay routers generate LMI Status inquiries every 10 seconds, and a full status inquiry every 6th cycle (every 60 seconds). The interval for status inquiries can be changed using the “Keepalive” command, whereas the “Frame-relay lmi-n391dte” command can be used to change the interval for the complete status inquiries.

NOTE: The output of the following debug command reveals the status inquiries and full status inquiries:

On R1

R1#Debug frame lmi

Serial0/0(out): StEnq, myseq 125, yourseen 124, DTE up
datagramstart = 0x3F401ED4, datagramsize = 14
FR encap = 0x00010308
00 75 95 01 01 01 03 02 7D 7C

Serial0/0(in): Status, myseq 125, pak size 14
RT IE 1, length 1, type 1
KA IE 3, length 2, yourseq 125, myseq 125

Serial0/0(out): StEnq, myseq 126, yourseen 125, DTE up
datagramstart = 0x3F6B0294, datagramsize = 14
FR encap = 0x00010308
00 75 95 01 01 01 03 02 7E 7D

Serial0/0(in): Status, myseq 126, pak size 14
RT IE 1, length 1, type 1
KA IE 3, length 2, yourseq 126, myseq 126

Serial0/0(out): StEnq, myseq 127, yourseen 126, DTE up
datagramstart = 0x3F400C14, datagramsize = 14
FR encap = 0x00010308
00 75 95 01 01 01 03 02 7F 7E

Serial0/0(in): Status, myseq 127, pak size 14
RT IE 1, length 1, type 1
KA IE 3, length 2, yourseq 127, myseq 127

Serial0/0(out): StEnq, myseq 128, yourseen 127, DTE up
datagramstart = 0x3F6AF394, datagramsize = 14
FR encap = 0x00010308
00 75 95 01 01 01 03 02 80 7F

Serial0/0(in): Status, myseq 128, pak size 14
RT IE 1, length 1, type 1
KA IE 3, length 2, yourseq 128, myseq 128

Serial0/0(out): StEnq, myseq 129, yourseen 128, DTE up
datagramstart = 0x3F644ED4, datagramsize = 14
FR encap = 0x00010308
00 75 95 01 01 01 03 02 81 80

Serial0/0(in): Status, myseq 129, pak size 14
RT IE 1, length 1, type 1
KA IE 3, length 2, yourseq 129, myseq 129

Serial0/0(out): StEnq, myseq 130, yourseen 129, DTE up
datagramstart = 0x3F6B03D4, datagramsize = 14
FR encap = 0x00010308
00 75 95 01 01 00 03 02 82 81

Serial0/0(in): Status, myseq 130, pak size 59
RT IE 1, length 1, type 0
KA IE 3, length 2, yourseq 130, myseq 130
PVC IE 0x7 , length 0x3 , dlci 102, status 0x2
PVC IE 0x7 , length 0x3 , dlci 103, status 0x2
PVC IE 0x7 , length 0x3 , dlci 104, status 0x2
PVC IE 0x7 , length 0x3 , dlci 105, status 0x0
PVC IE 0x7 , length 0x3 , dlci 106, status 0x0

Note that the status inquiries are sent every 10 seconds; these messages are “type 1” messages. The complete status inquiries are generated by the local router every 6th cycle; these messages are “type 0” messages, and when the frame-relay switch receives one it responds with all the DLCIs that are configured for that given router.

To change these timers:

On all routers

Rx(config)#Interface S0/0
Rx(config-if)#Keepalive 5
Rx(config-if)#Frame-relay lmi-n391dte 3

To test and verify the configuration:

Rx#Debug frame LMI

*Nov 24 20:13:52.411: Serial0/0(out): StEnq, myseq 221, yourseen 220, DTE up
*Nov 24 20:13:52.411: datagramstart = 0x3F6AEFD4, datagramsize = 14
*Nov 24 20:13:52.411: FR encap = 0x00010308
*Nov 24 20:13:52.411: 00 75 95 01 01 01 03 02 DD DC
*Nov 24 20:13:52.415: Serial0/0(in): Status, myseq 221, pak size 14
*Nov 24 20:13:52.415: RT IE 1, length 1, type 1
*Nov 24 20:13:52.415: KA IE 3, length 2, yourseq 221, myseq 221

*Nov 24 20:13:57.411: Serial0/0(out): StEnq, myseq 222, yourseen 221, DTE up
*Nov 24 20:13:57.411: datagramstart = 0x3F400D54, datagramsize = 14
*Nov 24 20:13:57.411: FR encap = 0x00010308
*Nov 24 20:13:57.411: 00 75 95 01 01 01 03 02 DE DD
*Nov 24 20:13:57.415: Serial0/0(in): Status, myseq 222, pak size 14
*Nov 24 20:13:57.415: RT IE 1, length 1, type 1
*Nov 24 20:13:57.415: KA IE 3, length 2, yourseq 222, myseq 222

*Nov 24 20:14:02.411: Serial0/0(out): StEnq, myseq 223, yourseen 222, DTE up
*Nov 24 20:14:02.411: datagramstart = 0x3F6AF394, datagramsize = 14
*Nov 24 20:14:02.411: FR encap = 0x00010308
*Nov 24 20:14:02.411: 00 75 95 01 01 00 03 02 DF DE
*Nov 24 20:14:02.423: Serial0/0(in): Status, myseq 223, pak size 59
*Nov 24 20:14:02.423: RT IE 1, length 1, type 0
*Nov 24 20:14:02.423: KA IE 3, length 2, yourseq 223, myseq 223
*Nov 24 20:14:02.423: PVC IE 0x7 , length 0x3 , dlci 102, status 0x2
*Nov 24 20:14:02.423: PVC IE 0x7 , length 0x3 , dlci 103, status 0x2
*Nov 24 20:14:02.423: PVC IE 0x7 , length 0x3 , dlci 104, status 0x2
*Nov 24 20:14:02.423: PVC IE 0x7 , length 0x3 , dlci 105, status 0x0
*Nov 24 20:14:02.423: PVC IE 0x7 , length 0x3 , dlci 106, status 0x0

Note that initially the router and the frame-relay switch exchange two “type 1” inquiries, and the third message that the local router generates is a “type 0” message, which tells the switch to respond with all the DLCIs.


Task 4
Erase the startup configuration and reload the routers before proceeding to the next lab.


Lab 8 – OSPF Authentication

[Figure: lab topology. R1, R2, R3, R4 and R5 in Area 0, connected in a chain over Frame-relay point-to-point sub-interfaces: 12.1.1.0 /24 (R1 to R2), 23.1.1.0 /24 (R2 to R3), 34.1.1.0 /24 (R3 to R4), 45.1.1.0 /24 (R4 to R5). Each router has a loopback: Lo0 1.1.1.1 /24 on R1, 2.2.2.2 /24 on R2, 3.3.3.3 /24 on R3, 4.4.4.4 /24 on R4, 5.5.5.5 /24 on R5.]

Task 1
Configure the routers based on the above diagram. DO NOT configure OSPF.

On R1

R1(config)#Default inter s0/0
R1(config)#Int S0/0
R1(config-if)#Encap frame
R1(config-if)#Int S0/0.12 point-to-point
R1(config-subif)#IP address 12.1.1.1 255.255.255.0
R1(config-subif)#Frame interface-dlci 102
R1(config)#Int S0/0
R1(config-if)#No shut
R1(config)#Int Lo0
R1(config-if)#Ip addr 1.1.1.1 255.255.255.0

On R2

R2(config)#Int S0/0
R2(config-if)#Encap frame
R2(config-if)#Int S0/0.21 point-to-point
R2(config-subif)#IP address 12.1.1.2 255.255.255.0
R2(config-subif)#Frame interface-dlci 201
R2(config)#Int S0/0.23 point-to-point
R2(config-subif)#IP address 23.1.1.2 255.255.255.0
R2(config-subif)#Frame interface-dlci 203
R2(config)#Int S0/0
R2(config-if)#No shut
R2(config)#Int Lo0
R2(config-if)#IP address 2.2.2.2 255.255.255.0

On R3

R3(config)#Int S0/0
R3(config-if)#Encap frame
R3(config-if)#Int S0/0.32 point-to-point
R3(config-subif)#IP address 23.1.1.3 255.255.255.0
R3(config-subif)#Frame interface-dlci 302
R3(config)#Int S0/0.34 point-to-point
R3(config-subif)#IP address 34.1.1.3 255.255.255.0
R3(config-subif)#Frame interface-dlci 304
R3(config)#Int S0/0
R3(config-if)#No shut
R3(config-if)#Int Lo0
R3(config-if)#Ip addres 3.3.3.3 255.255.255.0

On R4

R4(config)#Int S0/0
R4(config-if)#Encap frame
R4(config)#Int S0/0.43 point-to-point
R4(config-subif)#Ip address 34.1.1.4 255.255.255.0
R4(config-subif)#Frame interface-dlci 403
R4(config)#Int S0/0.45 point-to-point
R4(config-subif)#IP address 45.1.1.4 255.255.255.0
R4(config-subif)#Frame interface-dlci 405
R4(config)#Int S0/0
R4(config-if)#No shut
R4(config)#Int Lo0
R4(config-if)#IP address 4.4.4.4 255.255.255.0

On R5

R5(config)#Int S0/0/0
R5(config-if)#Encap frame
R5(config)#Int S0/0/0.54 point-to-point
R5(config-subif)#IP address 45.1.1.5 255.255.255.0
R5(config-subif)#Frame interface-dlci 504
R5(config)#Int S0/0/0
R5(config-if)#No shut
R5(config)#Int Lo0
R5(config-if)#IP address 5.5.5.5 255.255.255.0

To verify the configuration:

On R2

R2#Ping 12.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/52/56 ms

R2#Ping 23.1.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/60 ms

On R4

R4#Ping 34.1.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 34.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/52/56 ms

R4#Ping 45.1.1.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 45.1.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/51/52 ms

Task 2
Configure the frame-relay interface/s and the loopback interface/s of all routers in area 0, and ensure that the loopback interfaces are advertised with their correct mask. The router-id of the routers in this area should NOT be based on any IP address.

On All Routers

Rx(config)#int lo0
Rx(config-if)#ip ospf net point-to-point

On R1

R1(config)#Router ospf 1
R1(config-router)#router-id 0.0.0.1
R1(config-router)#netw 1.1.1.1 0.0.0.0 are 0
R1(config-router)#netw 12.1.1.1 0.0.0.0 are 0

On R2

R2(config-if)#router ospf 1
R2(config-router)#router-id 0.0.0.2
R2(config-router)#netw 2.2.2.2 0.0.0.0 area 0
R2(config-router)#netw 12.1.1.2 0.0.0.0 area 0
R2(config-router)#netw 23.1.1.2 0.0.0.0 area 0

On R3

R3(config-if)#router ospf 1
R3(config-router)#router-id 0.0.0.3
R3(config-router)#netw 3.3.3.3 0.0.0.0 area 0
R3(config-router)#netw 23.1.1.3 0.0.0.0 area 0
R3(config-router)#netw 34.1.1.3 0.0.0.0 area 0

On R4

R4(config-if)#router ospf 1
R4(config-router)#router-id 0.0.0.4
R4(config-router)#netw 4.4.4.4 0.0.0.0 area 0
R4(config-router)#netw 34.1.1.4 0.0.0.0 area 0
R4(config-router)#netw 45.1.1.4 0.0.0.0 area 0

On R5

R5(config-if)#router ospf 1
R5(config-router)#router-id 0.0.0.5
R5(config-router)#netw 45.1.1.5 0.0.0.0 area 0
R5(config-router)#netw 5.5.5.5 0.0.0.0 area 0

To verify the configuration:

On R1

R1#Show ip route ospf | Inc O

O    34.1.1.0 [110/192] via 12.1.1.2, 00:02:27, Serial0/0.12
O    2.2.2.0 [110/65] via 12.1.1.2, 00:03:55, Serial0/0.12
O    3.3.3.0 [110/129] via 12.1.1.2, 00:02:27, Serial0/0.12
O    4.4.4.0 [110/193] via 12.1.1.2, 00:00:46, Serial0/0.12
O    5.5.5.0 [110/257] via 12.1.1.2, 00:01:12, Serial0/0.12
O    23.1.1.0 [110/128] via 12.1.1.2, 00:03:55, Serial0/0.12
O    45.1.1.0 [110/256] via 12.1.1.2, 00:01:12, Serial0/0.12

On R3

R3#Show ip route ospf | Inc O

O    1.1.1.0 [110/129] via 23.1.1.2, 00:03:22, Serial0/0.32
O    2.2.2.0 [110/65] via 23.1.1.2, 00:03:22, Serial0/0.32
O    4.4.4.0 [110/65] via 34.1.1.4, 00:01:10, Serial0/0.34
O    5.5.5.0 [110/129] via 34.1.1.4, 00:02:02, Serial0/0.34
O    12.1.1.0 [110/128] via 23.1.1.2, 00:03:22, Serial0/0.32
O    45.1.1.0 [110/128] via 34.1.1.4, 00:02:02, Serial0/0.34

On R5

R5#Show ip route ospf | Inc 45.1.1.4

O    1.1.1.0 [110/257] via 45.1.1.4, 00:02:45, Serial0/0/0.54
O    2.2.2.0 [110/193] via 45.1.1.4, 00:02:45, Serial0/0/0.54
O    3.3.3.0 [110/129] via 45.1.1.4, 00:02:45, Serial0/0/0.54
O    4.4.4.0 [110/65] via 45.1.1.4, 00:01:40, Serial0/0/0.54
O    12.1.1.0 [110/256] via 45.1.1.4, 00:02:45, Serial0/0/0.54
O    23.1.1.0 [110/192] via 45.1.1.4, 00:02:45, Serial0/0/0.54
O    34.1.1.0 [110/128] via 45.1.1.4, 00:02:45, Serial0/0/0.54

Task 3
Configure plain text authentication on all the Frame-relay links in this area. You MUST use a router configuration command as part of the solution to this task. Use “Cisco” as the password for this authentication.

OSPF supports two types of authentication: plain text (64 bit password) and MD5 (which consists of a key ID and 128 bit password). In OSPF, authentication must be enabled and then applied. Enabling authentication can be done in two different ways. One way is to configure it in the router configuration mode, in which case authentication is enabled globally on all OSPF enabled interfaces in the specified area. The second choice is to enable authentication directly on the interface for which authentication is required.

Since this task states that a router configuration mode must be used, OSPF authentication is enabled in the router configuration mode. To understand OSPF’s authentication, let’s enable “Debug IP ospf packet”:

On R1

R1#Debug ip ospf packet
OSPF packet debugging is on

You should see the following debug messages:

OSPF: rcv. v:2 t:1 l:48 rid:0.0.0.2 aid:0.0.0.0 chk:EC97 aut:0 auk: from Serial0/0.12

The output of the above debug message states the following:

- V:2 – OSPF Version 2
- T:1 – The TTL of these messages is set to 1
- l:48 – The length of these messages is 48 Bytes
- rid:0.0.0.2 – This is the router-id of R2, the sending router
- aid:0.0.0.0 – This is the area id
- aut:0 – This means that there is no authentication
- auk: – No authentication key is defined
- from Serial0/0.12 – The packet is received through the local router’s S0/0.12

R1(config)#router ospf 1
R1(config-router)#area 0 authentication
R1(config-router)#int S0/0.12
R1(config-subif)#ip ospf authentication-key Cisco

On R2

R2(config)#router ospf 1
R2(config-router)#area 0 authentication
R2(config-router)#int S0/0.21
R2(config-subif)#ip ospf authentication-key Cisco

On R1

You should see that the OSPF debug output now has its authentication type set to 1, which means clear text authentication. We will see the MD5 authentication type later in this lab.

OSPF: rcv. v:2 t:1 l:48 rid:0.0.0.2 aid:0.0.0.0 chk:EC96 aut:1 auk: from Serial0/0.12

Let’s continue with R2’s configuration:

On R2

R2(config-subif)#int S0/0.23
R2(config-subif)#ip ospf authentication-key Cisco

To verify the configuration:

On R1 and R2

To turn off the debugs:

R2#U all
All possible debugging has been turned off

R2#Show ip ospf interface S0/0.21 | Inc auth

Simple password authentication enabled

Note the output of the above “Show” command verifies that a simple password authentication is enabled and applied to this interface.

R2#Show ip ospf neighbor

Neighbor ID     Pri   State      Dead Time   Address      Interface
1.1.1.1           0   FULL/  -   00:00:38    10.1.12.1    Serial0/0.21

R2#Show ip route ospf | Inc O

O    1.1.1.0 [110/65] via 12.1.1.1, 00:05:00, Serial0/0.21

Let’s configure R3 and R4:

On R3

R3(config)#router ospf 1
R3(config-router)#area 0 authentication
R3(config)#int S0/0.32
R3(config-subif)#ip ospf authentication-key Cisco
R3(config)#int S0/0.34
R3(config-subif)#ip ospf authentication-key Cisco

To verify the configuration:

On R3

R3#Show ip route ospf | Inc O

O    1.1.1.0 [110/129] via 23.1.1.2, 00:00:59, Serial0/0.32
O    2.2.2.0 [110/65] via 23.1.1.2, 00:00:59, Serial0/0.32
O    12.1.1.0 [110/128] via 23.1.1.2, 00:00:59, Serial0/0.32

On R4

R4(config-subif)#router ospf 1
R4(config-router)#area 0 authentication
R4(config)#int S0/0.43
R4(config-subif)#ip ospf authentication-key Cisco
R4(config-subif)#int S0/0.45
R4(config-subif)#ip ospf authentication-key Cisco

To verify the configuration:

On R4

You should NOT see the 5.5.5.0/24 prefix in R4’s routing table. If you still see this prefix in R4’s routing table, you may have to wait for the adjacency to R5 to go down before entering the following show command:

R4#Show ip route ospf | Inc O

O    1.1.1.0 [110/193] via 34.1.1.3, 00:00:26, Serial0/0.43
O    2.2.2.0 [110/129] via 34.1.1.3, 00:00:26, Serial0/0.43
O    3.3.3.0 [110/65] via 34.1.1.3, 00:00:26, Serial0/0.43
O    23.1.1.0 [110/128] via 34.1.1.3, 00:00:26, Serial0/0.43
O    12.1.1.0 [110/192] via 34.1.1.3, 00:00:26, Serial0/0.43

Let’s configure R5:

On R5

R5(config)#Router ospf 1
R5(config-router)#area 0 authentication
R5(config-router)#int S0/0/0.54
R5(config-subif)#ip ospf authentication-key Cisco

To verify the configuration:

On R5

R5#Show ip route ospf | Inc O

O    1.1.1.0 [110/257] via 10.1.45.4, 00:00:44, Serial0/0.54
O    2.2.2.0 [110/193] via 10.1.45.4, 00:00:44, Serial0/0.54
O    3.3.3.0 [110/129] via 10.1.45.4, 00:00:44, Serial0/0.54
O    4.4.4.0 [110/65] via 10.1.45.4, 00:00:44, Serial0/0.54
O    10.1.12.0 [110/256] via 10.1.45.4, 00:00:44, Serial0/0.54
O    10.1.23.0 [110/192] via 10.1.45.4, 00:00:44, Serial0/0.54
O    10.1.34.0 [110/128] via 10.1.45.4, 00:00:44, Serial0/0.54

Task 4
Remove the authentication configuration from the previous task and ensure that every router sees every route advertised in area 0.

On All Routers

Rx(config)#router ospf 1
Rx(config-router)#NO area 0 authentication

On R1

R1(config)#int S0/0.12
R1(config-subif)#NO ip ospf authentication-key Cisco

On R2

R2(config-subif)#int S0/0.21
R2(config-subif)#NO ip ospf authentication-key Cisco
R2(config-subif)#int S0/0.23
R2(config-subif)#NO ip ospf authentication-key Cisco

On R3

R3(config-router)#int S0/0.32
R3(config-subif)#NO ip ospf authentication-key Cisco
R3(config-subif)#int S0/0.34
R3(config-subif)#NO ip ospf authentication-key Cisco

On R4

R4(config)#int S0/0.43
R4(config-subif)#NO ip ospf authentication-key Cisco
R4(config)#int S0/0.45
R4(config-subif)#NO ip ospf authentication-key Cisco

On R5

R5(config)#int S0/0/0.54
R5(config-subif)#NO ip ospf authentication-key Cisco

To verify the configuration:

On R1

R1#Show ip route ospf | Inc O

O    2.2.2.0 [110/65] via 10.1.12.2, 00:00:10, Serial0/0.12
O    3.3.3.0 [110/129] via 10.1.12.2, 00:00:10, Serial0/0.12
O    4.4.4.0 [110/193] via 10.1.12.2, 00:00:10, Serial0/0.12
O    5.5.5.0 [110/257] via 10.1.12.2, 00:00:10, Serial0/0.12
O    10.1.23.0 [110/128] via 10.1.12.2, 00:00:10, Serial0/0.12
O    10.1.45.0 [110/256] via 10.1.12.2, 00:00:10, Serial0/0.12
O    10.1.34.0 [110/192] via 10.1.12.2, 00:00:10, Serial0/0.12

Task 5
Configure MD5 authentication on all the Frame-relay links in this area. You should use a router configuration command as part of the solution to this task. Use “Cisco” as the password for this authentication.

The following command enables MD5 authentication on the routers using the router configuration mode:

On All Routers

Rx(config)#router ospf 1
Rx(config-router)#area 0 authentication message-digest

On R1

R1(config)#int S0/0.12
R1(config-subif)#ip ospf message-digest-key 1 MD5 Cisco

On R2

R2(config)#int S0/0.21
R2(config-subif)#ip ospf message-digest-key 1 MD5 Cisco

Let’s see the Debug output and verify the authentication type and key:

On R1

R1#Debug ip ospf packet
OSPF packet debugging is on

You should see the following debug output on your console:

OSPF: rcv. v:2 t:1 l:48 rid:0.0.0.2 aid:0.0.0.0 chk:0 aut:2 keyid:1 seq:0x3C7F55B1 from Serial0/0.12

You can clearly see the “aut: 2”, this is identifying the authentication type which is set to 2, meaning that it’s MD5 authentication, and the “keyid: 1” which means that the key value used in the configuration is set to 1.

R2(config-subif)#int S0/0.23
R2(config-subif)#ip ospf message-digest-key 1 MD5 Cisco
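The “aut”, “auk” and “keyid” fields walked through in Task 3 and Task 5 can be checked mechanically when a debug capture is long. The following is an added example, not part of the original lab: it parses “Debug ip ospf packet” lines, tracks the authentication type per neighbor and interface, and flags links that are unauthenticated, use a clear text password, or fell back from a stronger type. The first three sample lines are the ones shown in this lab; the rest are constructed, and the report field names are assumptions of this example.

```python
import re

# Matches the "OSPF: rcv." lines shown in this lab (field names as printed by the debug).
LINE_RE = re.compile(
    r"OSPF: rcv\. v:(?P<v>\d+) t:(?P<t>\d+) l:(?P<l>\d+) "
    r"rid:(?P<rid>[\d.]+)\s+aid:(?P<aid>[\d.]+) chk:(?P<chk>[0-9A-Fa-f]+) "
    r"aut:(?P<aut>[012])"
    r"(?: keyid:(?P<keyid>\d+) seq:(?P<seq>0x[0-9A-Fa-f]+)| auk:\S*)?"
    r" from (?P<intf>\S+)"
)

AUT_LABEL = {
    0: "no authentication",
    1: "simple password (clear text)",
    2: "MD5 message digest",
}


def parse_line(line):
    """Return the fields of one debug line, or None if it is not an OSPF rcv line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {
        "rid": m["rid"],
        "area": m["aid"],
        "intf": m["intf"],
        "aut": int(m["aut"]),
        "keyid": int(m["keyid"]) if m["keyid"] is not None else None,
    }


def audit(lines):
    """Summarise authentication per (interface, neighbor router-id)."""
    state = {}
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        s = state.setdefault(
            (pkt["intf"], pkt["rid"]),
            {"strongest": pkt["aut"], "current": pkt["aut"], "key_ids": []},
        )
        s["current"] = pkt["aut"]                      # type on the latest packet
        s["strongest"] = max(s["strongest"], pkt["aut"])
        if pkt["keyid"] is not None and pkt["keyid"] not in s["key_ids"]:
            s["key_ids"].append(pkt["keyid"])
    report = {}
    for link, s in state.items():
        report[link] = {
            "current": AUT_LABEL[s["current"]],
            "key_ids": s["key_ids"],
            # The neighbor used a stronger type earlier in the capture.
            "downgraded": s["current"] < s["strongest"],
            # Anything below MD5 is worth a second look.
            "needs_attention": s["current"] < 2,
        }
    return report


SAMPLE_LOG = [
    "OSPF packet debugging is on",
    # The three lines below appear in this lab.
    "OSPF: rcv. v:2 t:1 l:48 rid:0.0.0.2 aid:0.0.0.0 chk:EC97 aut:0 auk: from Serial0/0.12",
    "OSPF: rcv. v:2 t:1 l:48 rid:0.0.0.2 aid:0.0.0.0 chk:EC96 aut:1 auk: from Serial0/0.12",
    "OSPF: rcv. v:2 t:1 l:48 rid:0.0.0.2 aid:0.0.0.0 chk:0 aut:2 keyid:1 seq:0x3C7F55B1 from Serial0/0.12",
    # Constructed lines: a second key id, and a neighbor that drops back to no authentication.
    "OSPF: rcv. v:2 t:1 l:48 rid:0.0.0.2 aid:0.0.0.0 chk:0 aut:2 keyid:2 seq:0x3C7F55C0 from Serial0/0.12",
    "OSPF: rcv. v:2 t:1 l:48 rid:0.0.0.3 aid:0.0.0.0 chk:0 aut:2 keyid:1 seq:0x3C7F55B9 from Serial0/0.23",
    "OSPF: rcv. v:2 t:1 l:48 rid:0.0.0.3 aid:0.0.0.0 chk:EC95 aut:0 auk: from Serial0/0.23",
]

if __name__ == "__main__":
    for link, finding in audit(SAMPLE_LOG).items():
        print(link, finding)
```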

To verify the configuration:

Before we verify the configuration, let’s disable the debug on R1

On R1

R1#U all
All possible debugging has been turned off

On R2

R2#Show ip ospf interface S0/0.21 | B Message

Message digest authentication enabled
  Youngest key id is 1

NOTE: The output of the above show command reveals that MD5 authentication is enabled and applied and the key id is set to 1.

R2#Show ip route ospf

     1.0.0.0/24 is subnetted, 1 subnets
O       1.1.1.0 [110/65] via 10.1.12.1, 00:01:50, Serial0/0.21

On R3

R3(config)#int S0/0.32
R3(config-subif)#ip ospf message-digest-key 1 MD5 Cisco
R3(config)#int S0/0.34
R3(config-subif)#ip ospf message-digest-key 1 MD5 Cisco

To verify the configuration:

On R3

R3#Show ip route ospf | Inc O

O    1.1.1.0 [110/129] via 10.1.23.2, 00:00:11, Serial0/0.32
O    2.2.2.0 [110/65] via 10.1.23.2, 00:00:11, Serial0/0.32
O    10.1.12.0 [110/128] via 10.1.23.2, 00:00:11, Serial0/0.32

On R4

R4(config)#int S0/0.45
R4(config-subif)#ip ospf message-digest-key 1 MD5 Cisco
R4(config)#int S0/0.43
R4(config-subif)#ip ospf message-digest-key 1 MD5 Cisco

To verify the configuration:

On R4

R4#Show ip route ospf | Inc O

O    1.1.1.0 [110/193] via 34.1.1.3, 00:01:44, Serial0/0.43
O    2.2.2.0 [110/129] via 34.1.1.3, 00:01:44, Serial0/0.43
O    3.3.3.0 [110/65] via 34.1.1.3, 00:01:44, Serial0/0.43
O    23.1.1.0 [110/128] via 34.1.1.3, 00:01:44, Serial0/0.43
O    12.1.1.0 [110/192] via 34.1.1.3, 00:01:44, Serial0/0.43

On R5

R5(config)#int S0/0/0.54
R5(config-subif)#ip ospf message-digest-key 1 MD5 Cisco

To verify the configuration:

On R5

R5#Show ip route ospf | Inc O

O    34.1.1.0 [110/128] via 45.1.1.4, 00:02:42, Serial0/0/0.54
O    1.1.1.0 [110/257] via 45.1.1.4, 00:01:34, Serial0/0/0.54
O    2.2.2.0 [110/193] via 45.1.1.4, 00:01:34, Serial0/0/0.54
O    3.3.3.0 [110/129] via 45.1.1.4, 00:01:34, Serial0/0/0.54
O    4.4.4.0 [110/65] via 45.1.1.4, 00:02:42, Serial0/0/0.54
O    23.1.1.0 [110/192] via 45.1.1.4, 00:01:34, Serial0/0/0.54
O    12.1.1.0 [110/256] via 45.1.1.4, 00:01:34, Serial0/0/0.54

Task 6
Remove the authentication configuration from the previous task and ensure that every router sees every route advertised in area 0.

On All Routers:

Rx(config)#router ospf 1
Rx(config-router)#NO area 0 authentication message-digest

On R1

R1(config)#int S0/0.12
R1(config-if)#NO ip ospf message-digest-key 1 MD5 Cisco

On R2

R2(config)#int S0/0.21
R2(config-subif)#NO ip ospf message-digest-key 1 MD5 Cisco
R2(config-subif)#int S0/0.23
R2(config-subif)#NO ip ospf message-digest-key 1 MD5 Cisco

On R3

R3(config)#int S0/0.32
R3(config-subif)#NO ip ospf message-digest-key 1 MD5 Cisco
R3(config)#int S0/0.34
R3(config-subif)#NO ip ospf message-digest-key 1 MD5 Cisco

On R4

R4(config)#int S0/0.43
R4(config-subif)#NO ip ospf message-digest-key 1 MD5 Cisco
R4(config)#int S0/0.45
R4(config-subif)#NO ip ospf message-digest-key 1 MD5 Cisco

On R5

R5(config)#int S0/0/0.54
R5(config-subif)#NO ip ospf message-digest-key 1 MD5 Cisco

To verify the configuration:

On R5

R5#Show ip route ospf | Inc O

O    34.1.1.0 [110/128] via 45.1.1.4, 00:02:42, Serial0/0/0.54
O    1.1.1.0 [110/257] via 45.1.1.4, 00:01:34, Serial0/0/0.54
O    2.2.2.0 [110/193] via 45.1.1.4, 00:01:34, Serial0/0/0.54
O    3.3.3.0 [110/129] via 45.1.1.4, 00:01:34, Serial0/0/0.54
O    4.4.4.0 [110/65] via 45.1.1.4, 00:02:42, Serial0/0/0.54
O    23.1.1.0 [110/192] via 45.1.1.4, 00:01:34, Serial0/0/0.54
O    12.1.1.0 [110/256] via 45.1.1.4, 00:01:34, Serial0/0/0.54

Task 7
Configure MD5 authentication on the Frame-relay link connecting R1 to R2. You should use a router configuration command as part of the solution to this task. The password should be “ccie”.

On Both Routers:

Rx(config)#router ospf 1
Rx(config-router)#area 0 authentication message-digest

On R1

R1(config)#int S0/0.12
R1(config-subif)#ip ospf message-digest-key 1 MD5 ccie

On R2

R2(config)#int S0/0.21
R2(config-subif)#ip ospf message-digest-key 1 MD5 ccie

To verify the configuration:

On R2

R2#Show ip route ospf | Inc O

O    1.1.1.0 [110/65] via 10.1.12.1, 00:00:43, Serial0/0.21

Note that because authentication is enabled in the router configuration mode, it is applied to every interface in area 0; therefore, every router in area 0 MUST have authentication enabled. Since R3 does NOT have authentication enabled, these routers will drop their adjacency when the dead interval expires, and they will NOT exchange updates.

You should see the following console message on R2:

%OSPF-5-ADJCHG: Process 1, Nbr 0.0.0.3 on Serial0/0.23 from FULL to DOWN, Neighbor Down: Dead timer expired

To verify the configuration:

On R2

R2#Sh ip ospf nei

Neighbor ID     Pri   State      Dead Time   Address     Interface
0.0.0.1           0   FULL/  -   00:00:35    12.1.1.1    Serial0/0.21

There are two solutions to fix this problem:

1. Enable authentication on R3, but if authentication is enabled on R3 under router ospf, then R4 will drop the adjacency, therefore, if router configuration mode MUST be used as part of the solution (based on the task), authentication needs to be enabled on R3, R4 and R5.
2. Disable authentication under the S0/0.23 interface.

Let’s configure the above solutions and verify:

Solution 1:

On R3, R4 and R5

Rx(config)#Router ospf 1
Rx(config-router)#area 0 authentication message-digest

You should see the following console message:

%OSPF-5-ADJCHG: Process 1, Nbr 0.0.0.2 on Serial0/0.32 from LOADING to FULL, Loading Done

To verify the configuration:

On R2

R2#Show ip route ospf | Inc O

O    34.1.1.0 [110/128] via 23.1.1.3, 00:02:33, Serial0/0.23
O    1.1.1.0 [110/65] via 12.1.1.1, 01:43:46, Serial0/0.21
O    3.3.3.0 [110/65] via 23.1.1.3, 00:02:33, Serial0/0.23
O    4.4.4.0 [110/129] via 23.1.1.3, 00:02:33, Serial0/0.23
O    5.5.5.0 [110/193] via 23.1.1.3, 00:02:33, Serial0/0.23
O    45.1.1.0 [110/192] via 23.1.1.3, 00:02:33, Serial0/0.23

Let’s try the second solution:

On R3, R4 and R5

Rx(config)#Router ospf 1
Rx(config-router)#NO area 0 authentication message-digest

To verify the configuration:

On R2

R2#Show ip route ospf | Inc O

O    1.1.1.0 [110/65] via 12.1.1.1, 01:47:26, Serial0/0.21

In this solution, authentication is disabled on R2’s interface facing R3 using the “IP OSPF authentication null” interface configuration command, meaning that there is no need to have authentication downstream of R2’s S0/0.23 interface. Therefore, R3, R4 and R5 DON’T need to have authentication enabled.

On R2

R2(config)#Int S0/0.23
R2(config-subif)#IP Ospf authentication null

You should see the following console message on R2:

%OSPF-5-ADJCHG: Process 1, Nbr 0.0.0.3 on Serial0/0.23 from LOADING to FULL, Loading Done

To verify the configuration:

On R2

R2#Show ip route ospf | Inc O

O    34.1.1.0 [110/128] via 23.1.1.3, 00:10:22, Serial0/0.23
O    1.1.1.0 [110/65] via 12.1.1.1, 02:01:13, Serial0/0.21
O    3.3.3.0 [110/65] via 23.1.1.3, 00:10:22, Serial0/0.23
O    4.4.4.0 [110/129] via 23.1.1.3, 00:10:22, Serial0/0.23
O    5.5.5.0 [110/193] via 23.1.1.3, 00:10:22, Serial0/0.23
O    45.1.1.0 [110/192] via 23.1.1.3, 00:10:22, Serial0/0.23


Task 8
Re-configure the authentication password on R1 and R2 to be “CCIE12” without interrupting the link’s operation.

To see the current configuration:

On R1
Rx#Show ip ospf int S0/0.12 | B Mess
Message digest authentication enabled
Youngest key id is 1
R1#Show run int S0/0.12 | Inc ip ospf
ip ospf message-digest-key 1 md5 ccie

On R2
R2#Sh ip ospf int s0/0.21 | B Mess
Message digest authentication enabled
Youngest key id is 1
R2#Show run int s0/0.21 | Inc ip ospf
ip ospf message-digest-key 1 md5 ccie
R2#Show ip route ospf | Inc O
O    34.1.1.0 [110/128] via 23.1.1.3, 00:14:55, Serial0/0.23
O    1.1.1.0 [110/65] via 12.1.1.1, 02:05:47, Serial0/0.21
O    3.3.3.0 [110/65] via 23.1.1.3, 00:14:55, Serial0/0.23
O    4.4.4.0 [110/129] via 23.1.1.3, 00:14:55, Serial0/0.23
O    5.5.5.0 [110/193] via 23.1.1.3, 00:14:55, Serial0/0.23
O    45.1.1.0 [110/192] via 23.1.1.3, 00:14:55, Serial0/0.23

In order to change the password without any interruption to the link, the second key is entered with the required password.

On R1
R1(config)#int S0/0.12
R1(config-subif)# ip ospf message-digest-key 2 md5 CCIE12

To verify the configuration:

On R1
R1#Show run int S0/0.12 | Inc ip ospf
ip ospf message-digest-key 1 md5 ccie
ip ospf message-digest-key 2 md5 CCIE12
R1#Show ip ospf inter S0/0.12 | B Message
Message digest authentication enabled
Youngest key id is 2
Rollover in progress, 1 neighbor(s) using the old key(s):
key id 1

Even though the second key (key 2) is only configured on R1, R1 and R2 are still authenticating based on the first key (key 1); the above show command reveals this (“using the old key(s): key id 1”). The router knows that the second key is configured (the second line in the above display) and that the rollover is in progress (the third line), but the other end (R2) has not been configured yet.

On R2
R2(config-subif)#int S0/0.21
R2(config-if)# ip ospf message-digest-key 2 md5 CCIE12

To verify the configuration:

On R2
R2#Sh ip ospf inter S0/0.21 | b Message
Message digest authentication enabled
Youngest key id is 2

NOTE: Once R2 is configured, both routers (R1 and R2) will switchover and use the second key for their authentication.

On R1
R1#Show ip ospf interface S0/0.12 | b Message
Message digest authentication enabled
Youngest key id is 2

Once R1 and R2’s key rollover is completed and both routers display the same youngest key without the “rollover in progress” message, we can safely remove the prior key, in this case key id 1. Remember that the newest key is NOT determined based on the numerically higher value.

On R1
R1#Show run int S0/0.12 | Inc ip ospf
ip ospf message-digest-key 1 md5 ccie
ip ospf message-digest-key 2 md5 CCIE12
R1(config)#int S0/0.12
R1(config-subif)#NO ip ospf message-digest-key 1 md5 ccie

On R2
R2#Show run int S0/0.21 | Inc ip ospf
ip ospf message-digest-key 1 md5 ccie
ip ospf message-digest-key 2 md5 CCIE12
R2(config)#int S0/0.21
R2(config-subif)#NO ip ospf message-digest-key 1 md5 ccie
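The key rollover in Task 8, as an added Python example that is not part of the book: it builds OSPFv2 packets carrying the RFC 2328 MD5 trailer and shows why adding key 2 on one side keeps the adjacency up while replacing key 1 outright drops it. The `OspfInterface` class, the hello body and the rule of sending one copy per configured key while a rollover is in progress are modelling assumptions, not IOS code.

```python
import hashlib
import hmac
import struct

# OSPFv2 header: version, type, length, router id, area id, checksum, AuType,
# then for AuType 2: zero, key id, auth data length, cryptographic sequence.
HEADER = "!BBH4s4sHHHBBI"
AUTYPE_CRYPTO = 2


def md5_digest(packet: bytes, secret: str) -> bytes:
    """RFC 2328 D.4.3: MD5 over the packet followed by the key zero-padded to 16 bytes."""
    key = secret.encode()
    if len(key) > 16:
        raise ValueError("OSPF MD5 keys are limited to 16 bytes")
    return hashlib.md5(packet + key.ljust(16, b"\0")).digest()


class OspfInterface:
    """One end of an OSPF link using message-digest authentication (simplified model)."""

    def __init__(self, router_id: bytes):
        self.router_id = router_id
        self.keys = {}            # key id -> secret, kept in configuration order
        self.seq = 0              # our cryptographic sequence number
        self.peer_seq = -1        # highest sequence number accepted from the neighbor
        self.peer_key_id = None   # key id the neighbor last authenticated with

    def add_key(self, key_id: int, secret: str) -> None:
        self.keys.pop(key_id, None)
        self.keys[key_id] = secret   # the most recently configured key is the youngest

    def remove_key(self, key_id: int) -> None:
        del self.keys[key_id]

    def youngest_key_id(self) -> int:
        return list(self.keys)[-1]

    def rollover_in_progress(self) -> bool:
        return len(self.keys) > 1 and self.peer_key_id != self.youngest_key_id()

    def send(self, body: bytes = b"constructed hello body"):
        """Packets put on the wire: one copy per key during rollover (assumption)."""
        self.seq += 1
        key_ids = list(self.keys) if self.rollover_in_progress() else [self.youngest_key_id()]
        wire = []
        for key_id in key_ids:
            header = struct.pack(HEADER, 2, 1, 24 + len(body), self.router_id,
                                 bytes(4), 0, AUTYPE_CRYPTO, 0, key_id, 16, self.seq)
            packet = header + body    # the digest is not counted in the length field
            wire.append(packet + md5_digest(packet, self.keys[key_id]))
        return wire

    def receive(self, wire: bytes) -> bool:
        fields = struct.unpack(HEADER, wire[:24])
        length, autype, key_id, auth_len, seq = (fields[i] for i in (2, 6, 8, 9, 10))
        if autype != AUTYPE_CRYPTO or key_id not in self.keys or seq < self.peer_seq:
            return False              # wrong auth type, unknown key id, or replayed packet
        packet, digest = wire[:length], wire[length:length + auth_len]
        if not hmac.compare_digest(digest, md5_digest(packet, self.keys[key_id])):
            return False
        self.peer_seq, self.peer_key_id = seq, key_id
        return True


def exchange(a: OspfInterface, b: OspfInterface) -> bool:
    """One hello in each direction; the adjacency survives if each side accepts a copy."""
    a_to_b = [b.receive(p) for p in a.send()]
    b_to_a = [a.receive(p) for p in b.send()]
    return any(a_to_b) and any(b_to_a)


def new_pair():
    """R1 and R2 as they stand before Task 8: key 1 with password "ccie" on both."""
    r1, r2 = OspfInterface(bytes([0, 0, 0, 1])), OspfInterface(bytes([0, 0, 0, 2]))
    for router in (r1, r2):
        router.add_key(1, "ccie")
    exchange(r1, r2)
    return r1, r2


def graceful_rollover():
    """Task 8 order of operations; returns (adjacency up, R1 rollover in progress) per step."""
    r1, r2 = new_pair()
    log = []
    r1.add_key(2, "CCIE12")                        # key 2 on R1 only
    log.append((exchange(r1, r2), r1.rollover_in_progress()))
    r2.add_key(2, "CCIE12")                        # key 2 on R2 as well
    log.append((exchange(r1, r2), r1.rollover_in_progress()))
    r1.remove_key(1)                               # old key removed on both ends
    r2.remove_key(1)
    log.append((exchange(r1, r2), r1.rollover_in_progress()))
    return log


def hard_swap() -> bool:
    """Replacing key 1 with key 2 on R1 alone: R2 knows no key id 2, so nothing verifies."""
    r1, r2 = new_pair()
    r1.remove_key(1)
    r1.add_key(2, "CCIE12")
    return exchange(r1, r2)


if __name__ == "__main__":
    print("graceful:", graceful_rollover())
    print("hard swap keeps adjacency:", hard_swap())
```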

Task 9
Configure MD5 authentication on the link that connects R4 to R5 using “Cisco45” as the password. You should NOT use a router configuration mode to accomplish this task.

On R5
R5(config)#Int S0/0/0.54
R5(config-subif)#IP Ospf authentication message-digest
R5(config-subif)#IP Ospf message-digest-key 1 md5 Cisco45

On R4
R4(config)#Int S0/0.45
R4(config-subif)#IP Ospf authentication message-digest
R4(config-subif)#IP Ospf message-digest-key 1 md5 Cisco45

NOTE: The authentication is enabled and applied directly under the interface for which authentication was required. When authentication is enabled directly under a given interface, it enables authentication on that given interface ONLY, therefore, ONLY the neighbor/s through that interface should have authentication enabled. This is called per-interface authentication.

To verify the configuration:

On R5
R5#Show ip route ospf | Inc O
O    34.1.1.0 [110/128] via 45.1.1.4, 00:04:08, Serial0/0/0.54
O    1.1.1.0 [110/257] via 45.1.1.4, 00:04:08, Serial0/0/0.54
O    2.2.2.0 [110/193] via 45.1.1.4, 00:04:08, Serial0/0/0.54
O    3.3.3.0 [110/129] via 45.1.1.4, 00:04:08, Serial0/0/0.54
O    4.4.4.0 [110/65] via 45.1.1.4, 00:04:08, Serial0/0/0.54
O    23.1.1.0 [110/192] via 45.1.1.4, 00:04:08, Serial0/0/0.54
O    12.1.1.0 [110/256] via 45.1.1.4, 00:04:08, Serial0/0/0.54

Task 10
Re-configure OSPF Areas based on the following chart and remove all the authentications configured on the routers. These routers should see all the routes advertised in this routing domain.

Router   Interface    Area
R1       S0/0.12      0
         Loopback 0   0
R2       S0/0.21      0
         S0/0.23      1
         Loopback 0   1
R3       S0/0.32      1
         S0/0.34      2
         Loopback 0   2
R4       S0/0.43      2
         S0/0.45      3
         Loopback 0   3
R5       S0/0.54      3
         Loopback 0   3

On All Routers
Rx(config)#No Router ospf 1

On R1
R1(config)#Router ospf 1
R1(config-router)#router-id 0.0.0.1
R1(config-router)#netw 1.1.1.1 0.0.0.0 area 0
R1(config-router)#netw 12.1.1.1 0.0.0.0 area 0
R1(config)#Int S0/0.12
R1(config-subif)#No ip ospf message-digest-key 2 md5 CCIE12

On R2
R2(config)#Router ospf 1
R2(config-router)#router-id 0.0.0.2
R2(config-router)#Netw 12.1.1.2 0.0.0.0 area 0
R2(config-router)#Netw 23.1.1.2 0.0.0.0 area 1
R2(config-router)#Netw 2.2.2.2 0.0.0.0 area 1
R2(config)#Int S0/0.21
R2(config-subif)#No ip ospf message-digest-key 2 md5 CCIE12
R2(config)#Int S0/0.23
R2(config-subif)#No ip ospf authentication null

On R3
R3(config)#Router ospf 1
R3(config-router)#router-id 0.0.0.3
R3(config-router)#Netw 3.3.3.3 0.0.0.0 area 2
R3(config-router)#Netw 34.1.1.3 0.0.0.0 area 2
R3(config-router)#Netw 23.1.1.3 0.0.0.0 area 1

On R4
R4(config)#Router ospf 1
R4(config-router)#router-id 0.0.0.4
R4(config-router)#Netw 4.4.4.4 0.0.0.0 area 3
R4(config-router)#Netw 45.1.1.4 0.0.0.0 area 3
R4(config-router)#Netw 34.1.1.4 0.0.0.0 area 2
R4(config)#Int S0/0.45
R4(config-subif)#No ip ospf message-digest-key 1 md5 Cisco45
R4(config-subif)#No ip ospf authentication message-digest

On R5
R5(config)#Router ospf 1
R5(config-router)#router-id 0.0.0.5
R5(config-router)#Netw 5.5.5.5 0.0.0.0 area 3
R5(config-router)#Netw 45.1.1.5 0.0.0.0 area 3
R5(config)#Int S0/0/0.54
R5(config-subif)#No ip ospf message-digest-key 1 md5 Cisco45
R5(config-subif)#No ip ospf authentication message-digest

In order for these routers to see all the routes advertised in this routing domain, we MUST configure virtual-links because NOT all areas have connectivity to area 0. Area 1 has a connection to area 0, but areas 2 and 3 do not. Let’s begin with area 2:

On R2
R2(config)#Router ospf 1
R2(config-router)#Area 1 virtual-link 0.0.0.3

On R3
R3(config)#Router ospf 1
R3(config-router)#Area 1 virtual-link 0.0.0.2

You should see the following console message:
%OSPF-5-ADJCHG: Process 1, Nbr 0.0.0.2 on OSPF_VL0 from LOADING to FULL, Loading Done

To connect area 3 to area 0:

On R3
R3(config)#Router ospf 1
R3(config-router)#Area 2 virtual-link 0.0.0.4

On R4
R4(config)#Router ospf 1
R4(config-router)#Area 2 virtual-link 0.0.0.3

You should see the following console message:
%OSPF-5-ADJCHG: Process 1, Nbr 0.0.0.3 on OSPF_VL0 from LOADING to FULL, Loading Done

To verify the configuration:

On R5
R5#Show ip route ospf | Inc O
O IA 34.1.1.0 [110/128] via 45.1.1.4, 00:00:42, Serial0/0/0.54
O IA 1.1.1.0 [110/257] via 45.1.1.4, 00:00:32, Serial0/0/0.54
O IA 2.2.2.0 [110/193] via 45.1.1.4, 00:00:32, Serial0/0/0.54
O IA 3.3.3.0 [110/129] via 45.1.1.4, 00:00:42, Serial0/0/0.54
O    4.4.4.0 [110/65] via 45.1.1.4, 00:10:15, Serial0/0/0.54
O IA 23.1.1.0 [110/192] via 45.1.1.4, 00:00:32, Serial0/0/0.54
O IA 12.1.1.0 [110/256] via 45.1.1.4, 00:00:32, Serial0/0/0.54

Task 11
Configure MD5 authentication on the link between R1 and R2 in area 0. The password for this authentication should be set to “Micronics”. You should use router configuration mode to accomplish this task.

On R1 and R2
Rx(config)#router ospf 1
Rx(config-router)#area 0 authentication message-digest

On R1
R1(config)#Int S0/0.12
R1(config-subif)#ip ospf message-digest-key 1 md5 Micronics

On R2
R2(config)#int S0/0.21
R2(config-subif)#ip ospf message-digest-key 1 md5 Micronics

To verify the configuration:

On R2
R2#Show ip route ospf | Inc O
O    1.1.1.0 [110/65] via 10.1.12.1, 00:02:32, Serial0/0.21

If you see other routes in the routing table, wait until you see the following console message:
%OSPF-5-ADJCHG: Process 1, Nbr 0.0.0.3 on OSPF_VL0 from FULL to DOWN, Neighbor Down: Dead timer expired

NOTE: R2 does not have any other prefix in its routing table. This is because authentication is enabled directly under the router configuration mode of R1 and R2. When authentication is enabled in router configuration mode, it is enabled on all links in area 0, and since virtual-links are always in area 0, authentication must also be enabled on those links.

There are three ways to fix this problem:
1. Enable authentication on R3, R4 and R5 under their router configuration mode
2. Enable authentication directly on the virtual-links
3. Disable authentication on R2’s virtual-link

Let’s implement the first solution:

On R3 and R4
Rx(config)#router ospf 1
Rx(config-router)#area 0 authentication message-digest

To verify the configuration:

On R5
R5#Show ip route ospf | Inc O
O IA 34.1.1.0 [110/128] via 45.1.1.4, 00:20:24, Serial0/0/0.54
O IA 1.1.1.0 [110/257] via 45.1.1.4, 00:00:23, Serial0/0/0.54
O IA 2.2.2.0 [110/193] via 45.1.1.4, 00:20:15, Serial0/0/0.54
O IA 3.3.3.0 [110/129] via 45.1.1.4, 00:20:24, Serial0/0/0.54
O    4.4.4.0 [110/65] via 45.1.1.4, 00:29:57, Serial0/0/0.54
O IA 23.1.1.0 [110/192] via 45.1.1.4, 00:20:15, Serial0/0/0.54
O IA 12.1.1.0 [110/256] via 45.1.1.4, 00:00:23, Serial0/0/0.54

On R2
R2#Show ip route ospf | Inc O
O IA 34.1.1.0 [110/128] via 23.1.1.3, 00:01:13, Serial0/0.23
O    1.1.1.0 [110/65] via 12.1.1.1, 00:09:53, Serial0/0.21
O IA 3.3.3.0 [110/65] via 23.1.1.3, 00:01:13, Serial0/0.23
O IA 4.4.4.0 [110/129] via 23.1.1.3, 00:01:13, Serial0/0.23
O IA 5.5.5.0 [110/193] via 23.1.1.3, 00:01:13, Serial0/0.23
O IA 45.1.1.0 [110/192] via 23.1.1.3, 00:01:13, Serial0/0.23

Remember: when authentication is enabled in router configuration mode, it is enabled on all links/interfaces in area 0. Since virtual-links are always in area 0, authentication will be enabled on all virtual-links.

Let’s implement the second solution:

Before the second option is configured and verified, the configuration from the previous solution is removed:

On R3 and R4
Rx(config)#router ospf 1
Rx(config-router)#No area 0 authentication message-digest
Rx#Clear ip ospf process
Reset ALL OSPF processes? [no]: y

To verify the configuration:

On R2
R2#Sh ip route ospf
     1.0.0.0/24 is subnetted, 1 subnets
O       1.1.1.0 [110/65] via 12.1.1.1, 00:01:50, Serial0/0.21

To enable authentication on the virtual-links:

On R3
R3(config)#Router ospf 1
R3(config-router)#Area 1 virtual-link 0.0.0.2 authentication message-digest
R3(config-router)#Area 2 virtual-link 0.0.0.4 authentication message-digest

On R4
R4(config)#Router ospf 1
R4(config-router)#Area 2 virtual-link 0.0.0.3 authentication message-digest

You should see the following console message on R4:
%OSPF-5-ADJCHG: Process 1, Nbr 0.0.0.3 on OSPF_VL0 from LOADING to FULL, Loading Done

To verify the configuration:

On R5
R5#Show ip route ospf | Inc O
O IA 34.1.1.0 [110/128] via 45.1.1.4, 00:06:23, Serial0/0/0.54
O IA 1.1.1.0 [110/257] via 45.1.1.4, 00:00:36, Serial0/0/0.54
O IA 2.2.2.0 [110/193] via 45.1.1.4, 00:00:36, Serial0/0/0.54
O IA 3.3.3.0 [110/129] via 45.1.1.4, 00:03:06, Serial0/0/0.54
O    4.4.4.0 [110/65] via 45.1.1.4, 00:06:33, Serial0/0/0.54
O IA 23.1.1.0 [110/192] via 45.1.1.4, 00:00:37, Serial0/0/0.54
O IA 12.1.1.0 [110/256] via 45.1.1.4, 00:00:37, Serial0/0/0.54

Let’s implement the third solution:

Before the third option is configured and verified, the configuration from the previous solution is removed:

On R3
R3(config)#Router ospf 1
R3(config-router)#No area 1 virtual-link 0.0.0.2
R3(config-router)#No area 2 virtual-link 0.0.0.4
R3(config-router)#Area 1 virtual-link 0.0.0.2
R3(config-router)#Area 2 virtual-link 0.0.0.4

On R4
R4(config)#Router ospf 1
R4(config-router)#No area 2 virtual-link 0.0.0.3
R4(config-router)#Area 2 virtual-link 0.0.0.3

To verify the configuration:

On R1
R1#Show ip route ospf | Inc O
O IA 2.2.2.0 [110/65] via 12.1.1.2, 00:14:32, Serial0/0.12
O IA 23.1.1.0 [110/128] via 12.1.1.2, 00:14:32, Serial0/0.12

To implement the third solution:

On R2
R2(config)#Router ospf 1
R2(config-router)#Area 1 virtual-link 0.0.0.3 authentication null

On All Routers
R2#Clear ip ospf proc
Reset ALL OSPF processes? [no]: Y

On R2
R2#Show ip route ospf | Inc O
O IA 34.1.1.0 [110/128] via 23.1.1.3, 00:03:23, Serial0/0.23
O    1.1.1.0 [110/65] via 12.1.1.1, 00:03:49, Serial0/0.21
O IA 3.3.3.0 [110/65] via 23.1.1.3, 00:03:23, Serial0/0.23
O IA 4.4.4.0 [110/129] via 23.1.1.3, 00:03:23, Serial0/0.23
O IA 5.5.5.0 [110/193] via 23.1.1.3, 00:03:23, Serial0/0.23
O IA 45.1.1.0 [110/192] via 23.1.1.3, 00:03:23, Serial0/0.23

On R5
R5#Show ip route ospf | Inc O
O IA 34.1.1.0 [110/128] via 45.1.1.4, 00:08:33, Serial0/0/0.54
O IA 1.1.1.0 [110/257] via 45.1.1.4, 00:03:38, Serial0/0/0.54
O IA 2.2.2.0 [110/193] via 45.1.1.4, 00:08:23, Serial0/0/0.54
O IA 3.3.3.0 [110/129] via 45.1.1.4, 00:08:33, Serial0/0/0.54
O    4.4.4.0 [110/65] via 45.1.1.4, 00:08:48, Serial0/0/0.54
O IA 23.1.1.0 [110/192] via 45.1.1.4, 00:08:23, Serial0/0/0.54
O IA 12.1.1.0 [110/256] via 45.1.1.4, 00:03:38, Serial0/0/0.54
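The failure mode of Task 11, as an added Python check that is not part of the book: it parses the `router ospf` stanza of each router, works out the authentication type each end of a virtual-link actually uses (a virtual-link inherits the area 0 setting unless it carries its own `authentication` keyword) and reports the pairs whose ends disagree. The configuration snippets are constructed from the lab's commands, the function names are hypothetical, and only the authentication type is compared, not the keys.

```python
import re

# Constructed from the Task 10/11 commands on the page.
R2_CFG = """router ospf 1
 router-id 0.0.0.2
 area 0 authentication message-digest
 area 1 virtual-link 0.0.0.3
"""
R3_CFG = """router ospf 1
 router-id 0.0.0.3
 area 1 virtual-link 0.0.0.2
 area 2 virtual-link 0.0.0.4
"""
R4_CFG = """router ospf 1
 router-id 0.0.0.4
 area 2 virtual-link 0.0.0.3
"""
AREA0_MD5 = " area 0 authentication message-digest\n"

AUTH_KEYWORD = {"message-digest": "md5", "null": "none", None: "simple"}


def parse_ospf(config: str) -> dict:
    """Extract router-id, per-area authentication and virtual-links from a config."""
    router = {"rid": None, "area_auth": {}, "vlinks": {}}
    for raw in config.lower().splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"router-id (\S+)", line):
            router["rid"] = m.group(1)
        elif m := re.fullmatch(r"area (\d+) authentication( message-digest)?", line):
            router["area_auth"][int(m.group(1))] = "md5" if m.group(2) else "simple"
        elif m := re.fullmatch(
                r"area \d+ virtual-link (\S+)( authentication(?: (message-digest|null))?)?", line):
            # None means "no override": the link inherits the area 0 setting.
            router["vlinks"][m.group(1)] = AUTH_KEYWORD[m.group(3)] if m.group(2) else None
    return router


def vlink_auth(routers: dict, local: str, peer: str) -> str:
    """Authentication type `local` uses on its virtual-link towards `peer`."""
    router = routers.get(local)
    if router is None or peer not in router["vlinks"]:
        return "missing"
    override = router["vlinks"][peer]
    # Virtual-links always belong to area 0, whatever the transit area is.
    return override if override is not None else router["area_auth"].get(0, "none")


def audit_virtual_links(configs) -> list:
    """Return (rid_a, rid_b, auth_a, auth_b) for every virtual-link whose ends disagree."""
    routers = {r["rid"]: r for r in (parse_ospf(c) for c in configs)}
    pairs = sorted({tuple(sorted((rid, peer)))
                    for rid, r in routers.items() for peer in r["vlinks"]})
    findings = []
    for a, b in pairs:
        auth_a, auth_b = vlink_auth(routers, a, b), vlink_auth(routers, b, a)
        if auth_a != auth_b:
            findings.append((a, b, auth_a, auth_b))
    return findings


if __name__ == "__main__":
    print("Task 11 as configured:", audit_virtual_links([R2_CFG, R3_CFG, R4_CFG]))
    print("area 0 MD5 on R3 only:", audit_virtual_links([R2_CFG, R3_CFG + AREA0_MD5, R4_CFG]))
    print("area 0 MD5 on R3 and R4:",
          audit_virtual_links([R2_CFG, R3_CFG + AREA0_MD5, R4_CFG + AREA0_MD5]))
```

Enabling area 0 authentication on R3 alone only moves the mismatch to the R3-R4 virtual-link, which is why the first solution touches every router that terminates a virtual-link.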

Task 12
Erase the startup configuration and reload the routers before proceeding to the next lab.


Lab 1 – HSRP Configuration

[Topology diagram: R1 (Lo0 1.1.1.1/32) connects over frame-relay to R2 (S0/0.12 12.1.1.1/24 to S0/0.21 12.1.1.2/24, DLCIs 102 and 201) and to R3 (S0/0.13 13.1.1.1/24 to S0/0.31 13.1.1.3/24, DLCIs 103 and 301). R2 (Lo0 2.2.2.2/32), R3 (Lo0 3.3.3.3/32) and R4 share the 10.1.1.0/24 segment on their F0/0 interfaces as .2, .3 and .4.]

Task 1
Configure the routers based on the following policy:
• Configure R1 to have two point-to-point frame-relay connections, one connecting R1 to R2, and the other connecting R1 to R3.
• R2 and R3 should each be configured with a frame-relay point-to-point connection to R1.
• Configure R2, R3, and R4’s F0/0 interface in VLAN 234.

On SW1
SW1(config)#Int range F0/2-4
SW1(config-if-range)#Switchport mode access
SW1(config-if-range)#Switchport access vlan 234

On R1, R2 and R3
R1(config)#Default interface S0/0

On R1
R1(config)#Int S0/0
R1(config-if)#Encapsulation Frame-relay
R1(config-if)#Int S0/0.12 Point-to-point
R1(config-subif)#IP addr 12.1.1.1 255.255.255.0
R1(config-subif)#Frame-relay interface-dlci 102
R1(config-subif)#Int S0/0.13 Point-to-point
R1(config-subif)#Ip address 13.1.1.1 255.255.255.0
R1(config-subif)#Frame-relay interface-dlci 103
R1(config-fr-dlci)#Int S0/0
R1(config-if)#No shut
R1(config-if)#Int Lo0
R1(config-if)#Ip addr 1.1.1.1 255.255.255.255

On R2
R2(config)#Int S0/0
R2(config-if)#Encapsulation Frame-relay
R2(config-if)#Int S0/0.21 Point-to-point
R2(config-subif)#Ip address 12.1.1.2 255.255.255.0
R2(config-subif)#Frame-relay interface-dlci 201
R2(config)#Int S0/0
R2(config-if)#No shut
R2(config)#Int F0/0
R2(config-if)#Ip addr 10.1.1.2 255.255.255.0
R2(config-if)#No shut
R2(config)#Int lo0
R2(config-if)#ip addr 2.2.2.2 255.255.255.255

On R3
R3(config)#Int S0/0
R3(config-if)#Encapsulation Frame-relay
R3(config-if)#Int S0/0.31 Point-to-point
R3(config-subif)#Ip addr 13.1.1.3 255.255.255.0
R3(config-subif)#Frame-relay interface-dlci 301
R3(config)#Int S0/0
R3(config-if)#No shut
R3(config)#int F0/0
R3(config-if)#Ip addr 10.1.1.3 255.255.255.0
R3(config-if)#No shut
R3(config)#Int Lo0
R3(config-if)#Ip addr 3.3.3.3 255.255.255.255

On R4
R4(config)#Int F0/0
R4(config-if)#Ip addr 10.1.1.4 255.255.255.0
R4(config-if)#No shut

To verify the configuration:

On R1
R1#Ping 12.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/52/56 ms
R1#Ping 13.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 13.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/53/56 ms

On R2
R2#Ping 10.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
R2#Ping 10.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Task 2
Configure RIPv2 on R1, R2 and R3. Advertise their Loopback 0 interface and their frame-relay link in this routing domain. Disable auto-summarization. R2 and R3 should be configured to redistribute network 10.1.1.0 /24 into the RIP routing domain.

On R1
R1(config)#Router rip
R1(config-router)#No au
R1(config-router)#ver 2
R1(config-router)#Netw 1.0.0.0
R1(config-router)#Netw 12.0.0.0
R1(config-router)#Netw 13.0.0.0

On R2
R2(config)#Router rip
R2(config-router)#No au
R2(config-router)#ver 2
R2(config-router)#Netw 2.0.0.0
R2(config-router)#Netw 12.0.0.0

On R3
R3(config)#Router rip
R3(config-router)#No au
R3(config-router)#ver 2
R3(config-router)#Netw 3.0.0.0
R3(config-router)#Netw 13.0.0.0

On R2 and R3

The following redistributes the F0/0 interfaces of R2 and R3 into the RIP routing domain. The purpose of this configuration is for the return traffic back to R4, or the Ethernet segment. In the later tasks R4 will Ping 1.1.1.1/32 prefix, and if R1 does NOT have a return path back to that 10.1.1.0 /24 segment, the test will fail.

R2(config)#Route-map tst permit 10
R2(config-route-map)#match inter f0/0
R2(config)#Router rip
R2(config-router)#redistribute connected route-map tst

To verify the configuration:

On R3
R3#Show ip route rip | I R
R    1.1.1.1 [120/1] via 13.1.1.1, 00:00:06, Serial0/0.31
R    2.2.2.2 [120/2] via 13.1.1.1, 00:00:06, Serial0/0.31
R    12.1.1.0 [120/1] via 13.1.1.1, 00:00:06, Serial0/0.31

To verify the configuration:

On R3
R3#Ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/53/56 ms
R3#Ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 104/105/108 ms

Task 3
Configure VLAN 100 such that the host/s (In this case R4) in this VLAN use R2 as primary and R3 as the backup default gateway. Use the following policy to accomplish this task:
• You must use 10.1.1.23 IP addresses
• DO NOT use static route/s
• DO NOT change the IP address of any router
• Use HSRP

The Hot Standby Router Protocol (HSRP) is designed to allow for transparent failover of the first-hop IP router (the default gateway). With HSRP, the virtual IP address (VIP) is configured as the default gateway, and the primary router is the router responsible for this VIP. Once HSRP is configured on a network segment, it provides a VIP and a virtual MAC address (VMAC) that are shared among a group of routers running HSRP. Only one of the routers within the group is chosen as the primary or active router. The active/primary router receives and routes packets destined for the MAC address of the group; this is the VMAC. HSRP detects when the active/primary router fails and selects another router from the HSRP group as the active/primary router. The active and standby (backup) election is based on the configured priority. By default, all routers within the group have a priority of 100, and the router with a higher priority value will be elected as the active/primary.

The routers running HSRP use a hello mechanism to detect router failure; this mechanism uses UDP-based multicast. When the active/primary router fails to send a hello message within a configured period of time, the standby router with the highest priority or next highest priority will transition into the active/primary role. This process is completely transparent to the hosts on that given segment.

Let’s configure HSRP on R2 and R3:

On R2 and R3
R3(config)#Int F0/0
R3(config-if)#Standby 1 ip 10.1.1.23

You should see the following console message on R2:
%HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Speak -> Standby

You should see the following console message on R3:
%HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active

Let’s verify HSRP:

On R2
R2#Show standby
FastEthernet0/0 - Group 1
State is Standby
1 state change, last state change 00:02:14
Virtual IP address is 10.1.1.23
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.592 secs
Preemption disabled
Active router is 10.1.1.3, priority 100 (expires in 9.588 sec)
Standby router is local
Priority 100 (default 100)
Group name is "hsrp-Fa0/0-1" (default)

The output of the above show command reveals the following:
• HSRP group is 1
• The state of the local router is Standby
• VIP address is 10.1.1.23
• VMAC address is 0000.0c07.ac01
• Hellos are set to 3 seconds, and the Hold time is set to three times as much as the hello interval
• Preemption is disabled
• The IP address of the active/primary router is 10.1.1.3
• The local router is in standby mode
• The name of the HSRP group is hsrp-Fa0/0-1

In HSRP we can have multiple groups; this will be configured and discussed in later tasks.

The local router is in Standby mode. In this case, the priorities of these two routers were not configured, so why did R3 become the active router? If the priority of the routers within a group is identical, the router with the highest IP address will transition into Active/Primary state.

When HSRP is configured, the group number is specified, and the VMAC address is derived from the configured group number. The VMAC address is “0000.0c07.acxx”, where xx is the group number. If a group number is not specified in the configuration, the IOS will assign “group 0” automatically, in which case the VMAC address will be “0000.0c07.ac00”.

By default, the hello intervals are set to 3 seconds and the Hold time is set to 10 seconds. The preemption is disabled by default; this feature will be discussed and configured in later tasks. The IP address of the active/Primary. The Group-name, the group name of the configured HSRP

On R2
R2#Show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    100   Standby 10.1.1.3        local           10.1.1.23

The above show command reveals the important aspects of the configured HSRP. To complete the configuration, R4’s default gateway MUST be configured to point to the VIP address, in this case 10.1.1.23.

On R4
R4(config)#Ip route 0.0.0.0 0.0.0.0 10.1.1.23

To test the configuration:

On R4
R4(config)#Int F0/0
R4(config-if)#Shut

Wait for the interface to go down, then:
R4(config-if)#No shut
R4#Traceroute 1.1.1.1
Type escape sequence to abort.
Tracing the route to 1.1.1.1
1 10.1.1.3 0 msec 0 msec 0 msec
2 13.1.1.1 28 msec * 24 msec

The output of the above traceroute shows that R3 is the next-hop to reach the 1.1.1.1/32 prefix.

R4#Show arp
Protocol  Address      Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.4     -          000e.84b9.bf10  ARPA   FastEthernet0/0
Internet  10.1.1.23    0          0000.0c07.ac01  ARPA   FastEthernet0/0

You can see that the VMAC address is used instead of the real MAC address of R3.

R4#Ping 10.1.1.23
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.23, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Let’s test by shutting down the F0/0 interface of the active router (R3), and check if the failover occurs:

On R3
R3(config)#Int F0/0
R3(config-if)#Shut

You should see the following console message:
%HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Active -> Init
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down

Let’s Traceroute to 1.1.1.1 IP address on R4 again and verify the output:

On R4
R4#Traceroute 1.1.1.1
Type escape sequence to abort.
Tracing the route to 1.1.1.1
1 10.1.1.2 0 msec 0 msec 0 msec
2 12.1.1.1 24 msec * 24 msec
R4#Show arp
Protocol  Address      Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.4     -          000e.84b9.bf10  ARPA   FastEthernet0/0
Internet  10.1.1.23    1          0000.0c07.ac01  ARPA   FastEthernet0/0

We can see that the failover worked, but the default gateway of R4 was not changed and the ARP table verifies that R4 is still using 10.1.1.23 with a MAC address of 0000.0c07.ac01.

To ensure that R3 is the active and R2 is the Standby router:

On R2 and R3
Rx(config)#Int F0/0
Rx(config-if)#Shut
Rx(config-if)#No shut

Task 4
Configure the appropriate router/s such that as long as R2 is up, it is the active router. If R2 goes down, R3 should take the active role and become the active router, but if R2 comes back up, R2 should become the active router and R3 should transition into the Standby mode.

Let’s test and verify the result before configuring the routers:

On R2
R2#Show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    100   Standby 10.1.1.3        local           10.1.1.23

On R3
R3#Show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    100   Active  local           10.1.1.2        10.1.1.23

Let’s verify the configuration of HSRP:

On R2
R2#Show run int f0/0 | B interface
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 duplex auto
 speed auto
 standby 1 ip 10.1.1.23
end
R2#Show standby
FastEthernet0/0 - Group 1
State is Standby
18 state changes, last state change 00:10:51
Virtual IP address is 10.1.1.23
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.192 secs
Preemption disabled
Active router is 10.1.1.3, priority 100 (expires in 8.232 sec)
Standby router is local
Priority 100 (default 100)
Group name is "hsrp-Fa0/0-1" (default)

On R3
R3#Show run int f0/0 | B interface
interface FastEthernet0/0
 ip address 10.1.1.3 255.255.255.0
 duplex auto
 speed auto
 standby 1 ip 10.1.1.23
end
R3#Show standby
FastEthernet0/0 - Group 1
State is Active
14 state changes, last state change 00:11:19
Virtual IP address is 10.1.1.23
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.236 secs
Preemption disabled
Active router is local
Standby router is 10.1.1.2, priority 100 (expires in 9.192 sec)
Priority 100 (default 100)
Group name is "hsrp-Fa0/0-1" (default)

To configure this task, preemption must be configured. Preemption enables the HSRP router with the highest priority to immediately become the active router. Priority is determined first by the configured priority value, in which case the router with the highest priority value will become the active router, and in an event of a tie, the router with the highest IP address will have the highest priority.

On R2
R2(config)#Int F0/0
R2(config-if)#Standby 1 priority 101

NOTE: R3 is still the active router, to verify this:

On R2
R2(config-if)#Do Show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    101   Standby 10.1.1.3        local           10.1.1.23

Now let’s configure the “Standby preempt” command and verify the result:

On R2
R2(config-if)#Standby 1 preempt

You should see the following console message immediately:
%HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active

To test:

On R2
R2(config)#Int F0/0
R2(config-if)#Shut

On R3
R3#Show standby brie
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    100   Active  local           unknown         10.1.1.23

NOTE: The Standby router is unknown, because the F0/0 interface of R2 is shutdown.

Let’s enable the F0/0 interface of R2:

On R2
R2(config)#Int F0/0
R2(config-if)#No shut

You should see the following console messages:
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
%HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Listen -> Active

To verify the configuration:

On R3
R3#Show standby brie
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    100   Standby 10.1.1.2        local           10.1.1.23

Task 5
Configure the appropriate router/s such that if R2’s frame-relay connection to R1 goes down, the other router (R3) will become the active router.

On R2
R2(config)#Int F0/0
R2(config-if)#Standby 1 track S0/0.21 2

On R3
R3(config)#Int F0/0
R3(config-if)#Standby 1 preempt

The “Standby 1 track” command on R2 configures interface tracking for HSRP group 1. It tells the router to track interface S0/0.21 for group 1 and, if that interface goes down, to reduce the priority of this router by 2, which means:

101 (The configured priority) – 2 (From the Standby track command) = 99

Since the default priority is 100, if R3 is configured with the “Standby 1 preempt” command, R3 will become the active router.

To test the configuration:

On R2
R2(config)#Int S0/0.21
R2(config-subif)#Shut

You should also see the following console messages:
%TRACKING-5-STATE: 1 interface Se0/0.21 line-protocol Up->Down
%HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Active -> Speak
%HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Speak -> Standby

R2#Show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    99  P Standby 10.1.1.3        local           10.1.1.23

To test the configuration further:

On R2
R2(config)#Int S0/0.21
R2(config-subif)#No shut

%TRACKING-5-STATE: 1 interface Se0/0.21 line-protocol Down->Up
%HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active

R2#Show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    101 P Active  local           10.1.1.3        10.1.1.23
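The preempt and tracking behaviour exercised in Tasks 4 and 5 can be replayed offline. The Python sketch below is an added example, not part of the original lab guide; Router, elect() and lab_walkthrough() are hypothetical names, and the model is a simplification that ignores timers and the intermediate Speak/Listen states and applies the priority-then-highest-IP rule described above.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class Router:
    name: str
    ip: str
    priority: int = 100                         # IOS default
    preempt: bool = False                       # "standby <grp> preempt"
    tracks: dict = field(default_factory=dict)  # tracked object -> decrement
    down: set = field(default_factory=set)      # tracked objects currently down
    lan_up: bool = True                         # HSRP-facing interface state

    def rank(self):
        # Effective priority first, highest interface IP as the tie-breaker.
        lost = sum(d for obj, d in self.tracks.items() if obj in self.down)
        return (self.priority - lost, IPv4Address(self.ip))


def elect(routers, active=None):
    """Simplified model: which router is active once the group settles."""
    alive = [r for r in routers if r.lan_up]
    if not alive:
        return None
    if active is None or not active.lan_up:
        return max(alive, key=Router.rank)      # no live active: best rank wins
    # A live active router is displaced only by a better-ranked preempting router.
    rivals = [r for r in alive if r.preempt and r.rank() > active.rank()]
    return max(rivals, key=Router.rank) if rivals else active


def lab_walkthrough(r3_preempt=True):
    """Replay Tasks 4 and 5; returns the active router's name after each step."""
    r2, r3 = Router("R2", "10.1.1.2"), Router("R3", "10.1.1.3")
    active, seen = None, []
    def settle():
        nonlocal active
        active = elect([r2, r3], active)
        seen.append(active.name)
    settle()                       # defaults: 100 vs 100, higher IP (R3) wins
    r2.priority = 101
    settle()                       # priority alone does not displace R3
    r2.preempt = True
    settle()                       # R2 preempts
    r2.lan_up = False
    settle()                       # R2 F0/0 shut: R3 takes over
    r2.lan_up = True
    settle()                       # R2 F0/0 no shut: R2 preempts again
    r2.tracks["Se0/0.21"], r3.preempt = 2, r3_preempt
    r2.down.add("Se0/0.21")
    settle()                       # tracked link down: 101 - 2 = 99
    r2.down.clear()
    settle()                       # tracked link back up: 101
    return seen


if __name__ == "__main__":
    print(lab_walkthrough(), lab_walkthrough(r3_preempt=False))
```

Calling lab_walkthrough(r3_preempt=False) shows why Task 5 needs preempt on R3: without it, R2 stays active at priority 99 even though its tracked link is down.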

Task 6
Configure the hello and hold time intervals for group 1 to 5 and 15 seconds respectively.

A “Show Standby” command reveals that the default hello and hold timers are set to 3 and 10 seconds respectively. To change these timers, perform the following:

On R2 and R3
Rx#Show Standby | Inc Hello
  Hello time 3 sec, hold time 10 sec

To change the timers:
Rx(config)#Int F0/0
Rx(config-if)#Standby 1 timers 5 15

To verify the configuration:

On R3
R3#Show Standby | Inc Hello
  Hello time 5 sec, hold time 15 sec

Task 7
Configure the name of group 1 to R2-3-HSRP-G1.

On R2 and R3
Rx(config-if)#Standby 1 name R2-3-HSRP-G1

To verify the configuration:

On R3
R3#Show standby | Inc name
  Group name is "R2-3-HSRP-G1" (cfgd)

Task 8
Ensure that the routers send SNMP traps to the NMS located at 1.2.3.4.

On Both routers
Rx(config)#snmp-server enable traps hsrp
Rx(config)#snmp-server host 1.2.3.4 public hsrp

The first command enables the router to send SNMP traps, informs, and HSRP notifications. The second command specifies the recipient of an SNMP notification operation, so that HSRP notifications are sent to the host with an IP address of 1.2.3.4.

Task 9
Configure VLAN100 such that half of the users use R2 as the primary default gateway and R3 as the backup. The other half should use R3 as the primary and R2 as their backup default gateway. Use the following IP addresses to accomplish this task: 10.1.1.22 and 10.1.1.33

Multiple HSRP groups enable load sharing within a given network; with this feature configured, the redundancy can also be fully utilized. With this feature R2 can be the active router for group 1 and standby for group 2, whereas R3 can be the active router for group 2 and the standby router for group 1. This feature can be used for multiple VLANs or a single VLAN.

On R2
R2(config)#Int F0/0
R2(config-if)#Standby 1 ip 10.1.1.22
R2(config-if)#Standby 2 ip 10.1.1.33

On R3
R3(config)#Int F0/0
R3(config-if)#Standby 1 ip 10.1.1.22
R3(config-if)#Standby 2 priority 101
R3(config-if)#Standby 2 preempt
R3(config-if)#Standby 2 ip 10.1.1.33

To see the configuration of these routers:

On R2
R2#Show run int F0/0 | B interface
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 standby 1 ip 10.1.1.22
 standby 1 timers 5 15
 standby 1 priority 101
 standby 1 preempt
 standby 1 name R2-3-HSRP-G1
 standby 1 track Serial0/0.21 2
 standby 2 ip 10.1.1.33
end

On R3
R3#Show run int F0/0 | B interface
interface FastEthernet0/0
 ip address 10.1.1.3 255.255.255.0
 standby 1 ip 10.1.1.22
 standby 1 timers 5 15
 standby 1 preempt
 standby 1 name R2-3-HSRP-G1
 standby 2 ip 10.1.1.33
 standby 2 priority 101
 standby 2 preempt
end

To verify the configuration:

On R2
R2#Show Standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    101 P Active  local           10.1.1.3        10.1.1.22
Fa0/0       2    100   Standby 10.1.1.3        local           10.1.1.33

On R3
R3#Show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    100 P Standby 10.1.1.2        local           10.1.1.22
Fa0/0       2    101 P Active  local           10.1.1.2        10.1.1.33

Task 10
Configure HSRP group 1 to be plain text authenticated using “Cisco” as the password.

HSRP ignores unauthenticated HSRP protocol messages. The default authentication type is text authentication, and the string is “cisco”. This means that both ends MUST be configured with the same string, unless ONLY one end is configured using “cisco” as the string. HSRP authentication protects against false HSRP hello packets causing a DoS attack. A host can send HSRP hellos with a higher priority to become the active router. HSRP offers two kinds of authentication:

- Plain text
- MD5

MD5 authentication provides greater security than the alternative plain text authentication scheme. This authentication can be applied to a given group, meaning that different groups can have different authentication strings. In order to test the default string, let’s configure authentication on R2 and use “cisco” as the string:

On R2
R2(config)#Int F0/0
R2(config-if)#Standby 1 authentication cisco

Nothing happened. Let’s check the status of the HSRP groups:

On R2
R2#Show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    101 P Active  local           10.1.1.3        10.1.1.22
Fa0/0       2    100   Standby 10.1.1.3        local           10.1.1.33

On R3
R3#Show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    100 P Standby 10.1.1.2        local           10.1.1.22
Fa0/0       2    101 P Active  local           10.1.1.2        10.1.1.33

Let’s verify the configuration in detail:

On R2
R2#Show Standby | Inc Authentication
R2#

The reason we do not see authentication in the output of any show command is that the “cisco” string is the default. To verify this, let’s configure the string to be “Cisco” as the task stated.

NOTE: The letter “C” in “Cisco” is now upper case.

On R2
R2(config)#Int F0/0
R2(config-if)#Standby 1 authentication Cisco

You should see the following console messages:
%HSRP-4-BADAUTH: Bad authentication from 10.1.1.3, group 1, remote state Standby
%HSRP-4-BADAUTH: Bad authentication from 10.1.1.3, group 1, remote state Active

To verify the configuration:

On R2
R2#Show Standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    101 P Active  local           unknown         10.1.1.22
Fa0/0       2    100   Standby 10.1.1.3        local           10.1.1.33

On R3
R3#Show Standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    100 P Active  local           unknown         10.1.1.22
Fa0/0       2    101 P Active  local           10.1.1.2        10.1.1.33

Let’s verify the configuration in detail:

On R2
R2#Show Standby | Inc Authentication
  Authentication text "Cisco"

Let’s configure R3 to authenticate using “Cisco” as the string:

On R3
R3(config)#Int F0/0
R3(config-if)#Standby 1 authentication Cisco

To verify the configuration:

On R3
R3#Show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    100 P Standby 10.1.1.2        local           10.1.1.22
Fa0/0       2    101 P Active  local           10.1.1.2        10.1.1.33

On R2
R2#Show Standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    101 P Active  local           10.1.1.3        10.1.1.22
Fa0/0       2    100   Standby 10.1.1.3        local           10.1.1.33

Task 11
Configure HSRP group 2 to be MD5 authenticated using “HSRP” as the password.

On R2 and R3
Rx(config)#Key chain tst
Rx(config-keychain)#Key 1
Rx(config-keychain-key)#Key-string HSRP
Rx(config)#Int F0/0
Rx(config-if)#Standby 2 authentication md5 key-chain tst

To verify the configuration:

On R3
R3#Show Standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    100 P Standby 10.1.1.2        local           10.1.1.22
Fa0/0       2    101 P Active  local           10.1.1.2        10.1.1.33

On R2
R2#Show Standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    101 P Active  local           10.1.1.3        10.1.1.22
Fa0/0       2    100   Standby 10.1.1.3        local           10.1.1.33

R2#Show Standby | Inc Authentication|Group
FastEthernet0/0 - Group 1
  Authentication text "Cisco"
  Group name is "R2-3-HSRP-G1" (cfgd)
FastEthernet0/0 - Group 2
  Authentication MD5, key-chain "tst"
  Group name is "hsrp-Fa0/0-2" (default)
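One way to check a saved configuration for the three authentication states seen in Tasks 10 and 11 (no authentication line, so the default “cisco” text string applies; a text string; MD5). This Python script is an added example, not part of the original lab guide; audit_hsrp_auth(), report() and the FastEthernet0/1 interface are hypothetical, and the sample configuration is constructed from the commands on this page.

```python
import re

# Constructed sample: R2's F0/0 from the page with the Task 10 and 11 commands
# applied, plus a hypothetical second interface that has no authentication line.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 standby 1 ip 10.1.1.22
 standby 1 priority 101
 standby 1 preempt
 standby 1 authentication Cisco
 standby 2 ip 10.1.1.33
 standby 2 authentication md5 key-chain tst
interface FastEthernet0/1
 ip address 192.0.2.2 255.255.255.0
 standby 7 ip 192.0.2.1
"""

LINE = re.compile(r"^\s+standby\s+(?:(\d+)\s+)?(ip|authentication)\b\s*(.*)$", re.I)

ADVICE = {
    "default": "no authentication line: default text string 'cisco' is in effect",
    "plaintext": "text authentication: MD5 provides greater security",
    "md5": "ok",
}


def audit_hsrp_auth(config):
    """Map (interface, group) -> 'default' | 'plaintext' | 'md5'."""
    modes, iface = {}, None
    for line in config.splitlines():
        if line.lower().startswith("interface "):
            iface = line.split(None, 1)[1].strip()
            continue
        m = LINE.match(line)
        if not (iface and m):
            continue
        key = (iface, int(m.group(1) or 0))     # group 0 when the number is omitted
        modes.setdefault(key, "default")
        if m.group(2).lower() == "authentication":
            args = m.group(3).split()
            if args and args[0].lower() == "md5":
                modes[key] = "md5"
            elif args:
                # "authentication <string>" is the same as "authentication text <string>"
                secret = args[1] if args[0].lower() == "text" and len(args) > 1 else args[0]
                modes[key] = "default" if secret == "cisco" else "plaintext"
    return modes


def report(config):
    found = sorted(audit_hsrp_auth(config).items())
    return [f"{i} group {g}: {m} ({ADVICE[m]})" for (i, g), m in found]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
```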

Task 12
The F0/0 interfaces of R2 and R3 are connected to SW1’s ports F0/2 and F0/3 respectively. Configure SW1’s F0/2 and F0/3 interfaces with “Port-Security” using the default parameters. Configure HSRP to accommodate this request.

The default parameters of “Port-Security” allow only a single MAC address to be attached. How are we going to configure this task, since HSRP will also use a virtual MAC address? Let’s look at the MAC address table of SW1:

On SW1
SW1#Show mac-address-table dynamic vlan 234
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 234    0000.0c07.ac01    DYNAMIC     Fa0/2
 234    0000.0c07.ac02    DYNAMIC     Fa0/3
 234    000e.84b9.bf10    DYNAMIC     Fa0/4
 234    000e.84de.46e0    DYNAMIC     Fa0/3
 234    0014.a932.f9f0    DYNAMIC     Fa0/2
Total Mac Addresses for this criterion: 5

You can see that each port on the switch has two MAC addresses, the HSRP VMAC and the MAC address of the router. Therefore, if “Port-Security” is configured on F0/2 and F0/3, the ports will transition into the “err-disable” state.

On R2 and R3
Rx(config)#int f0/0
Rx(config-if)#Standby use-bia
Rx(config-if)#Shut
Rx(config-if)#No Shut

To verify the configuration:

On SW1
SW1#Show mac-address-table dynamic vlan 234
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 234    000e.84b9.bf10    DYNAMIC     Fa0/4
 234    000e.84de.46e0    DYNAMIC     Fa0/3
 234    0014.a932.f9f0    DYNAMIC     Fa0/2
Total Mac Addresses for this criterion: 3

NOTE: HSRP uses the MAC addresses of the routers instead of the default HSRP MAC addresses. Let’s enable port-security on the F0/2 and F0/3 interfaces of SW1:

On SW1
SW1(config)#Int Range f0/2-3
SW1(config-if-range)#Switchport port-security

To verify the configuration:

On SW1
SW1#Show port-security interface F0/2
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0014.a932.f9f0:234
Security Violation Count   : 0

On R2
R2#Show interface F0/0 | Inc bia
  Hardware is Gt96k FE, address is 0014.a932.f9f0 (bia 0014.a932.f9f0)

SW1#Show port-security interface F0/3
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 000e.84de.46e0:234
Security Violation Count   : 0

On R3
R3#Show interface F0/0 | Inc bia
  Hardware is Gt96k FE, address is 000e.84de.46e0 (bia 000e.84de.46e0)

To test this feature properly, let’s remove the “Standby use-bia” command and verify the result:

On R2 and R3
Rx(config)#int f0/0
Rx(config-if)#No Standby use-bia
Rx(config-if)#Shut
Rx(config-if)#No Shut

You should see the following console messages:
%LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down

NOTE: The interface came up, went down and stayed down. Let’s see why:

On SW1
SW1#Show port-security interface F0/2
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0c07.ac01:234
Security Violation Count   : 1

SW1#Show interface F0/2 status
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/2                        err-disabled 234          auto   auto 10/100BaseTX

That’s exactly what we expected to see. Let’s re-configure the “Standby use-bia” command.

On R2 and R3
Rx(config)#int f0/0
Rx(config-if)#Standby use-bia
Rx(config-if)#Shut
Rx(config-if)#No Shut

To verify the configuration:

On SW1
SW1#Show port-security inter f0/2
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0014.a932.f9f0:234
Security Violation Count   : 0
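The check done by eye in Task 12 (which ports carry more MAC addresses than port-security's default maximum of one, and whether an HSRP virtual MAC is the cause) can be scripted before port-security is enabled. This Python script is an added example, not part of the original lab guide; hsrp_group() and port_security_risk() are hypothetical names, and the table rows are the ones shown above with headers stripped.

```python
import re
from collections import defaultdict

# MAC table rows shown on the page for VLAN 234, before "standby use-bia".
BEFORE = """\
234 0000.0c07.ac01 DYNAMIC Fa0/2
234 0000.0c07.ac02 DYNAMIC Fa0/3
234 000e.84b9.bf10 DYNAMIC Fa0/4
234 000e.84de.46e0 DYNAMIC Fa0/3
234 0014.a932.f9f0 DYNAMIC Fa0/2
"""
# Rows shown on the page after "standby use-bia".
AFTER = """\
234 000e.84b9.bf10 DYNAMIC Fa0/4
234 000e.84de.46e0 DYNAMIC Fa0/3
234 0014.a932.f9f0 DYNAMIC Fa0/2
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
ROW = re.compile(rf"^\s*(\d+)\s+({MAC})\s+(\S+)\s+(\S+)\s*$", re.I)
# HSRP version 1 virtual MAC: 0000.0c07.acXX, where XX is the group number in hex.
HSRP_V1 = re.compile(r"^0000\.0c07\.ac([0-9a-f]{2})$", re.I)


def hsrp_group(mac):
    """Return the HSRPv1 group encoded in a virtual MAC, or None for other MACs."""
    m = HSRP_V1.match(mac)
    return int(m.group(1), 16) if m else None


def port_security_risk(table, maximum=1):
    """Ports whose learned MAC count exceeds `maximum` (port-security default: 1)."""
    per_port = defaultdict(list)
    for line in table.splitlines():
        m = ROW.match(line)
        if m:                                   # skips headers, rulers and totals
            per_port[m.group(4)].append(m.group(2).lower())
    risky = {}
    for port, macs in per_port.items():
        if len(macs) > maximum:
            groups = sorted(g for g in map(hsrp_group, macs) if g is not None)
            risky[port] = {"macs": sorted(macs), "hsrp_groups": groups}
    return risky


if __name__ == "__main__":
    for label, table in (("before use-bia", BEFORE), ("after use-bia", AFTER)):
        print(label, port_security_risk(table) or "no port exceeds the limit")
```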

Task 13
Remove the “Standby 1 track S0/0.21 2” command that was configured in Task 5, and reconfigure the same task using HSRP “Object Tracking”.

On R2
R2(config)#Int F0/0
R2(config-if)#No Standby 1 track S0/0.21 2

To configure Object Tracking:
An object is tracked; in this case the object is the S0/0.21 sub-interface:

On R2
R2(config)#Track 21 interface S0/0.21 line-protocol

NOTE: The above command tracks the line-protocol of R2’s S0/0.21 sub-interface and it uses an identifier of 21.

R2(config-track)#Int F0/0
R2(config-if)#Standby 1 track 21 decrement 2

The above command tracks the state of object 21 and, if the state of this object is down, it will reduce/decrement the priority by 2.

To test the configuration:

On R2
Let’s shut down the S0/0.21 sub-interface of R2:
R2(config)#Int S0/0.21
R2(config-subif)#Shut

You should see the following console messages on R2:

The state of the tracked object transitions from up to down:
%TRACKING-5-STATE: 21 interface Se0/0.21 line-protocol Up->Down

The HSRP priority for R2 is decremented by 2, and because R3 has the “Standby preempt” command configured, it will take over as the active router, and R2 will transition into Standby:
%HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Active -> Speak
%HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Speak -> Standby

To verify the configuration:

On R2
R2#Show Standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    99  P Standby 10.1.1.3        local           10.1.1.22
Fa0/0       2    100   Standby 10.1.1.3        local           10.1.1.33

On R3
R3#Show Standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    100 P Active  local           10.1.1.2        10.1.1.22
Fa0/0       2    101 P Active  local           10.1.1.2        10.1.1.33

Let’s enable the S0/0.21 sub-interface of R2:
R2(config)#Int S0/0.21
R2(config-subif)#No shut

You should see the following console messages on R2:
%TRACKING-5-STATE: 21 interface Se0/0.21 line-protocol Down->Up
%HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active

On R2
R2#Show Standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    101 P Active  local           10.1.1.3        10.1.1.22
Fa0/0       2    100   Standby 10.1.1.3        local           10.1.1.33

Task 14 Erase the startup config and reload the routers before proceeding to the next lab.
