Our lab runs on the following platform, software and images:
- VMware Workstation 17.0.2 Pro (or newer), with the lab's network interface in NAT mode
- PnetLab version 6
- Images used in this lab:
  - ASW1: i86bi_Linux-L2-Adventerprisek9-ms.SSA.high_iron_20190423.bin
  - ASW2: i86bi_Linux-L2-Adventerprisek9-ms.SSA.high_iron_20190423.bin
  - DCORE-SW1: viosl2-adventerprisek9-m.ssa.high_iron_20200929
  - DCORE-SW2: viosl2-adventerprisek9-m.ssa.high_iron_20200929
  - BDR1: vios-adventerprisek9-m-15.4-1.3.0-181
  - BDR2: vios-adventerprisek9-m-15.4-1.3.0-181
- The images and PnetLab version 6 can be downloaded from https://labhub.eu.org/
- Installation instructions: https://www.youtube.com/watch?v=GwdE8FW0hgI
LAB TIME
TOPOLOGY

OBJECTIVE
Summary of the topology shown above:
- The lab topology is a 2-tier (collapsed core) network
- Two ISPs (main and backup)
- Two Cisco routers as border gateways (failover); both border routers get their ISP-facing IP address via DHCP
- Two Cisco switches acting as a collapsed core/distribution layer
- Two access switches connecting directly to the clients (end users)
- Two VLANs (10 and 20)
- OSPF is the routing protocol used in the lab
- Inter-VLAN routing is done on the core switches
- When a border router goes down, traffic is automatically forwarded through the other border router
- The same applies to the core switches: if one fails, traffic is redirected to the other core switch and its gateway
- Clients get their IP addresses via DHCP and reach the outside world through NAT on the border routers
IP ADDRESSING
Device | Interface | IPv4 Address | Subnet Mask | Default Gateway |
BDR1 | Gi0/0 | DHCP (from ISP) | DHCP | DHCP (from ISP) |
BDR1 | Gi0/1 | 172.16.50.1 | 255.255.255.248 | learned via DHCP on Gi0/0 |
BDR2 | Gi0/0 | DHCP (from ISP) | DHCP | DHCP (from ISP) |
BDR2 | Gi0/1 | 172.16.60.1 | 255.255.255.248 | learned via DHCP on Gi0/0 |
DCORE-SW1 | Gi0/0 | 172.16.50.2 | 255.255.255.248 | 172.16.50.1 |
DCORE-SW2 | Gi0/0 | 172.16.60.2 | 255.255.255.248 | 172.16.60.1 |
VLAN10 (HSRP) | SVI Vlan10 | 172.16.10.0/24 (SVIs 172.16.10.1 on DCORE-SW1, 172.16.10.2 on DCORE-SW2) | 255.255.255.0 | 172.16.10.3 (HSRP virtual IP) |
VLAN20 (HSRP) | SVI Vlan20 | 172.16.20.0/24 (SVIs 172.16.20.1 on DCORE-SW1, 172.16.20.2 on DCORE-SW2) | 255.255.255.0 | 172.16.20.3 (HSRP virtual IP) |
CONFIGURATION
Default Template
Let's configure the basic settings on every Cisco device: login, banner, SSH, SNMP, etc. Copy and paste the template below and adapt it to your needs on every device, in particular:
Hostname,
Username,
Passwords (pass123 is only a placeholder),
Banner.
Three notes on the template. The RSA key must be generated after hostname and ip domain name are set (the template keeps that order), otherwise SSH will not come up. service password-encryption only obfuscates legacy password lines with the reversible type 7 scheme; what actually protects the credentials here is that the username and enable secrets are stored with scrypt (type 9). The SNMPv3 user is created with auth only (authNoPriv), so requests are authenticated but the SNMP payload itself is sent unencrypted; adding a priv setting (for example AES) to the group and the user would encrypt it.
hostname BDR1
!
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
!
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
!
username asau algorithm-type scrypt secret pass123
enable algorithm-type scrypt secret pass123
service password-encryption
!
no ip domain lookup
ip domain name asau.lab
!
no logging console
logging buffered 8192 debug
!
ip ssh version 2
crypto key generate rsa modulus 2048
!
snmp-server group ReadGroup v3 auth
snmp-server user admin ReadGroup v3 auth sha MyLab
snmp-server location Caicoli Dili
snmp-server ifindex persist
!
banner login ^
2 Tier Network Design Lab Asau Lab
^
!
line con 0
 transport preferred none
 escape-character 3
 exec-timeout 30 0
!
line aux 0
 transport preferred none
 escape-character 3
 exec-timeout 30 0
!
line vty 0 4
 transport preferred none
 transport input ssh
 escape-character 3
 exec-timeout 30 0
!
end
wr
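As an added example (not part of the original lab), the script below audits a pasted IOS template for the management-plane properties this section relies on: VTY access restricted to SSH, SSH pinned to version 2, an idle exec-timeout on every line, secrets stored with scrypt (type 9) rather than a reversible type 7 or plain password, and SNMPv3 users that also carry a priv (encryption) setting. LAB_TEMPLATE is the lab's template re-typed as constructed input, WEAK_TEMPLATE a deliberately weak counterpart for comparison; both are constructed here, and the checks are simple string and regex matches over running-config style text.

```python
"""Audit an IOS configuration template for basic management-plane hardening.

Added example for this lab page (not from the original post). The checks are
intentionally simple string/regex checks over 'show running-config' style text.
"""
import re

# Constructed input: the lab's default template, re-typed. Secrets appear as
# typed; IOS stores 'algorithm-type scrypt secret X' as 'secret 9 $9$...'.
LAB_TEMPLATE = """\
hostname BDR1
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
username asau algorithm-type scrypt secret pass123
enable algorithm-type scrypt secret pass123
service password-encryption
ip domain name asau.lab
ip ssh version 2
snmp-server group ReadGroup v3 auth
snmp-server user admin ReadGroup v3 auth sha MyLab
line con 0
 exec-timeout 30 0
line aux 0
 exec-timeout 30 0
line vty 0 4
 transport input ssh
 exec-timeout 30 0
"""

# Constructed input: a deliberately weak counterpart (telnet allowed, no idle
# timeout, reversible/weak credential storage, no SSH version pin).
WEAK_TEMPLATE = """\
hostname BAD
username asau password pass123
enable secret 5 $1$abcd$efghijklmnopqrstuvwxyz
snmp-server user admin ReadGroup v3 auth sha MyLab priv aes 128 MyLab2
line vty 0 4
 transport input telnet ssh
 exec-timeout 0 0
"""

SECRET_RE = re.compile(r"(username \S+ |enable )(?:algorithm-type (\S+) )?secret(?: (\d))? ")
PASSWORD_RE = re.compile(r"(username \S+ |enable )password ")


def split_config(config):
    """Return (global_cmds, line_blocks): line_blocks maps each 'line ...'
    header to the indented commands beneath it."""
    global_cmds, line_blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0] in " \t" and current is not None:
            line_blocks[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            line_blocks[current] = []
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, line_blocks


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    global_cmds, line_blocks = split_config(config)
    findings = []
    if "ip ssh version 2" not in global_cmds:
        findings.append("SSH is not pinned to version 2")
    for header, cmds in line_blocks.items():
        if header.startswith("line vty") and "transport input ssh" not in cmds:
            findings.append(f"{header}: transport input is not SSH-only")
        if not any(c.startswith("exec-timeout") and c != "exec-timeout 0 0" for c in cmds):
            findings.append(f"{header}: no idle exec-timeout")
    for cmd in global_cmds:
        if PASSWORD_RE.match(cmd):
            # 'password' lines are plain text or type 7 (reversible);
            # 'service password-encryption' does not change that.
            findings.append(f"reversible password: {' '.join(cmd.split()[:2])}")
        m = SECRET_RE.match(cmd)
        if m and m.group(2) != "scrypt" and m.group(3) != "9":
            findings.append(f"secret not stored with scrypt (type 9): {' '.join(cmd.split()[:2])}")
        if cmd.startswith("snmp-server user ") and " v3 " in cmd and " priv " not in cmd:
            findings.append(f"SNMPv3 user without priv (authNoPriv): {cmd.split()[2]}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("lab template", LAB_TEMPLATE), ("weak template", WEAK_TEMPLATE)):
        print(f"{name}: {audit(cfg) or ['OK']}")
```

Run against the lab template the only finding is the authNoPriv SNMPv3 user; the weak template trips every other check. The same checks can be run against the output of show running-config on a real device, since that is the text form the parser expects.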
Now we configure the border router interfaces.
BDR1-Addressing
conf t
int g0/0
 ip add dhcp
 no shut
exit
int g0/1
 ip add 172.16.50.1 255.255.255.248
 no shut
end
wr
BDR2-Addressing
conf t
int g0/0
 ip add dhcp
 no shut
exit
int g0/1
 ip add 172.16.60.1 255.255.255.248
 no shut
end
wr
Verify the address obtained from the ISP on both routers and make sure both can reach the outside world. First check the interfaces:
show ip int br
The output should look like this (your ISP-assigned address may differ):
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     192.168.7.132   YES DHCP   up                    up
GigabitEthernet0/1     172.16.50.1     YES manual up                    up
GigabitEthernet0/2     unassigned      YES unset  administratively down down
GigabitEthernet0/3     unassigned      YES unset  administratively down down
BDR1 should now have Internet connectivity; verify by pinging an outside address (8.8.8.8):
BDR1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 77/153/207 ms
Do the same to the BDR2.
DCORE-SW1 - Interface
Configure the core switch interfaces: enable IP routing, make the ports towards the other core switch and the access switches trunks, and give the routed port towards the border router its IP address.
conf t
ip routing
int range g0/1 - 3, g1/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
exit
int g0/0
 no switchport
 ip add 172.16.50.2 255.255.255.248
 no shut
end
wr
DCORE-SW2 - Interface
conf t
ip routing
int range g0/1 - 3, g1/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
exit
int g0/0
 no switchport
 ip add 172.16.60.2 255.255.255.248
 no shut
end
wr
The core switches still cannot reach the Internet: they have no default route, because no routing has been configured between them and the border routers yet. Check the routing table:
show ip route
The output shows that no gateway of last resort is set, so there is no path to the outside:
Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.50.0/29 is directly connected, GigabitEthernet0/0
L        172.16.50.2/32 is directly connected, GigabitEthernet0/0
BDR1 - OSPF Routing
Now enable OSPF on both border routers, on the interface facing the core switch:
conf t
router ospf 1
int g0/1
 ip ospf 1 area 0
end
wr
BDR2 - OSPF Routing
conf t
router ospf 1
int g0/1
 ip ospf 1 area 0
end
wr
To make the border routers a failover pair, each one injects a default route into OSPF. BDR1 advertises it with the default external metric (1) and BDR2 with metric 5; both are type E2 routes, so the metric is compared directly and the core switches prefer BDR1 for as long as its default is present. When BDR1 (or its link) fails, the only remaining default is BDR2's. Note that default-information originate without the always keyword only injects a default route while the router itself has one in its routing table; here that is the default learned from the ISP via DHCP, so losing the ISP lease also withdraws the default from OSPF, which is exactly what we want.
BDR1 - OSPF Routing Failover
conf t
router ospf 1
 default-information originate
end
wr
BDR2 - OSPF Routing Failover
conf t
router ospf 1
 default-information originate metric 5
end
wr
DCORE-SW1 - VLAN | SVI | VLAN OSPF Routing
conf t
vlan 10
 name admin
vlan 20
 name support
int vlan 10
 ip add 172.16.10.1 255.255.255.0
 no shut
int vlan 20
 ip add 172.16.20.1 255.255.255.0
 no shut
exit
int g0/0
 ip ospf 1 area 0
int vlan 10
 ip ospf 1 area 0
int vlan 20
 ip ospf 1 area 0
end
wr
DCORE-SW2 - VLAN | SVI | VLAN OSPF Routing
conf t
vlan 10
 name admin
vlan 20
 name support
int vlan 10
 ip add 172.16.10.2 255.255.255.0
 no shut
int vlan 20
 ip add 172.16.20.2 255.255.255.0
 no shut
exit
int g0/0
 ip ospf 1 area 0
int vlan 10
 ip ospf 1 area 0
int vlan 20
 ip ospf 1 area 0
end
wr
Verify the connection
Now verify the OSPF adjacency and routing table on both core switches. They can reach the Internet now because the border routers inject a default route via OSPF:
show ip ospf neighbor
show ip route
ping 8.8.8.8

DCORE-SW1#sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.7.132     1   FULL/DR         00:00:39    172.16.50.1     GigabitEthernet0/0

DCORE-SW1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 172.16.50.1 to network 0.0.0.0

O*E2  0.0.0.0/0 [110/1] via 172.16.50.1, 00:00:13, GigabitEthernet0/0
      172.16.0.0/16 is variably subnetted, 6 subnets, 3 masks
C        172.16.10.0/24 is directly connected, Vlan10
L        172.16.10.1/32 is directly connected, Vlan10
C        172.16.20.0/24 is directly connected, Vlan20
L        172.16.20.1/32 is directly connected, Vlan20
C        172.16.50.0/29 is directly connected, GigabitEthernet0/0
L        172.16.50.2/32 is directly connected, GigabitEthernet0/0

DCORE-SW1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!.!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 187/206/225 ms
DCORE-SW1 - DHCP Pool Configuration
Now we create the DHCP pools on both core switches. Each switch hands out its own SVI address as the default router at this stage; both servers answer on the same VLANs, and a client simply takes the first offer it receives.
conf t
ip dhcp pool admin
 default-router 172.16.10.1
 network 172.16.10.0 255.255.255.0
 dns-server 180.189.160.161
exit
ip dhcp pool support
 default-router 172.16.20.1
 network 172.16.20.0 255.255.255.0
 dns-server 180.189.160.161
end
wr
DCORE-SW2 - DHCP Pool Configuration
conf t
ip dhcp pool admin
 default-router 172.16.10.2
 network 172.16.10.0 255.255.255.0
 dns-server 180.189.160.161
exit
ip dhcp pool support
 default-router 172.16.20.2
 network 172.16.20.0 255.255.255.0
 dns-server 180.189.160.161
end
wr
Verify the DHCP Pools
DCORE-SW1#sh ip dhcp pool

Pool admin :
 Utilization mark (high/low)    : 100 / 0
 Subnet size (first/next)       : 0 / 0
 Total addresses                : 254
 Leased addresses               : 0
 Excluded addresses             : 0
 Pending event                  : none
 1 subnet is currently in the pool :
 Current index        IP address range                    Leased/Excluded/Total
 172.16.10.1          172.16.10.1      - 172.16.10.254     0     / 0     / 254

Pool support :
 Utilization mark (high/low)    : 100 / 0
 Subnet size (first/next)       : 0 / 0
 Total addresses                : 254
 Leased addresses               : 0
 Excluded addresses             : 0
 Pending event                  : none
 1 subnet is currently in the pool :
 Current index        IP address range                    Leased/Excluded/Total
 172.16.20.1          172.16.20.1      - 172.16.20.254     0     / 0     / 254
ASW1 - Configuration
On the access switches the uplinks to the core switches are trunks, and the client-facing ports are hard-coded as access ports in their VLAN. Setting switchport mode access disables DTP negotiation on the port, so someone plugging into a client socket cannot negotiate the port into a trunk and reach other VLANs.
conf t
int range e0/0, e0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
vlan 10
 name admin
vlan 20
 name support
int e0/2
 switchport access vlan 10
 switchport mode access
int e0/3
 switchport access vlan 20
 switchport mode access
end
wr
ASW2 - Configuration
conf t
int range e0/0, e0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
vlan 10
 name admin
vlan 20
 name support
int e0/2
 switchport access vlan 10
 switchport mode access
int e0/3
 switchport access vlan 20
 switchport mode access
end
wr
CLIENT1 (VPCS) - VLAN20
Execute the following command on the VPCS to obtain an address from the DHCP pools on the core switches:
VPCS> ip dhcp
DDORA IP 172.16.20.3/24 GW 172.16.20.2
The client got an address from a DHCP pool (the gateway it received shows the offer came from DCORE-SW2), but it cannot reach the Internet yet. Verify with a trace from the VPCS:
VPCS> trace 8.8.8.8
trace to 8.8.8.8, 8 hops max, press Ctrl+C to stop
 1   172.16.10.1   10.452 ms  12.922 ms  11.550 ms
 2   172.16.50.1   10.765 ms  7.672 ms  6.973 ms
 3   192.168.7.2   8.611 ms  11.021 ms  5.862 ms
 4   * * *
 5   * * *
 6   * * *
 7   * * *
 8   * * *
The client reaches the border gateway 172.16.50.1 (BDR1, the main gateway; the backup is 172.16.60.1 on BDR2) and the ISP's first hop, but nothing beyond, because NAT is not configured yet: the packets leave with a private 172.16.x.x source address that the outside cannot route back to.
CLIENT2 (VPCS) - VLAN10
VPCS> ip dhcp
DDORA IP 172.16.10.3/24 GW 172.16.10.1
BDR1 - NAT and Access List
Standard ACL 1 selects the inside source addresses to translate; the border router translates them to the address of its outside interface g0/0 (PAT, overload). Mind the wildcard mask: 0.0.0.7 is the wildcard for a /29 and would only match hosts .0 to .7 in each VLAN (the lab only worked with it because the clients happened to get .3 and .4); the client VLANs are /24, so the wildcard must be 0.0.0.255.
conf t
access-list 1 permit 172.16.10.0 0.0.0.255
access-list 1 permit 172.16.20.0 0.0.0.255
ip nat inside source list 1 interface g0/0 overload
int g0/1
 ip nat inside
int g0/0
 ip nat outside
end
wr
BDR2 - NAT and Access List
conf t
access-list 1 permit 172.16.10.0 0.0.0.255
access-list 1 permit 172.16.20.0 0.0.0.255
ip nat inside source list 1 interface g0/0 overload
int g0/1
 ip nat inside
int g0/0
 ip nat outside
end
wr
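The ACL scoping point, as an added example that is not part of the original lab: a small evaluator that applies IOS standard-ACL semantics (wildcard bits set to 1 are "don't care", first match wins, implicit deny at the end) to show which client addresses each version of access-list 1 selects for translation. With wildcard 0.0.0.7 the lab's ACL matches only 172.16.x.0 to .7, which happens to include the addresses the clients received (.3 and .4) but not the rest of the /24; 0.0.0.7 is the wildcard for the /29 transit links, not the /24 client VLANs. ACL_AS_WRITTEN is the lab's ACL, ACL_CORRECTED the /24 version, and SAMPLE_CLIENTS is a constructed list of addresses.

```python
"""Evaluate which source addresses a standard IOS ACL selects for NAT.

Added example for this lab page, not from the original post. Implements the
IOS matching rules: wildcard bit 1 = don't care, first matching entry wins,
implicit 'deny' when nothing matches.
"""
import ipaddress

# The lab's ACL as written (wildcard 0.0.0.7 = only hosts .0 to .7).
ACL_AS_WRITTEN = """\
access-list 1 permit 172.16.10.0 0.0.0.7
access-list 1 permit 172.16.20.0 0.0.0.7
"""

# Same ACL with the wildcard that actually covers the /24 client VLANs.
ACL_CORRECTED = """\
access-list 1 permit 172.16.10.0 0.0.0.255
access-list 1 permit 172.16.20.0 0.0.0.255
"""


def wildcard_for_prefix(prefix_len):
    """Cisco wildcard mask for a prefix length: /24 -> 0.0.0.255, /29 -> 0.0.0.7."""
    return str(ipaddress.IPv4Address((1 << (32 - prefix_len)) - 1))


def wildcard_match(addr, base, wildcard):
    """True if addr matches base under the wildcard (0 bits must match)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def parse_standard_acl(text):
    """Parse 'access-list N permit|deny <any|host A|A W>' lines into tuples."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        action, target = parts[2], parts[3]
        if target == "any":
            entries.append((action, "0.0.0.0", "255.255.255.255"))
        elif target == "host":
            entries.append((action, parts[4], "0.0.0.0"))
        else:
            # A bare address with no wildcard means an exact host match.
            entries.append((action, target, parts[4] if len(parts) > 4 else "0.0.0.0"))
    return entries


def acl_decision(entries, addr):
    """First match wins; anything unmatched hits the implicit deny."""
    for action, base, wildcard in entries:
        if wildcard_match(addr, base, wildcard):
            return action
    return "deny"


def nat_coverage(acl_text, addrs):
    """Map each candidate inside address to 'permit' (translated) or 'deny'."""
    entries = parse_standard_acl(acl_text)
    return {addr: acl_decision(entries, addr) for addr in addrs}


# Constructed sample: the two DHCP clients seen in the lab, two addresses
# further up the /24s, and one address from the BDR1 transit link.
SAMPLE_CLIENTS = ["172.16.10.4", "172.16.20.4", "172.16.10.100", "172.16.20.200", "172.16.50.2"]

if __name__ == "__main__":
    for name, acl in (("as written", ACL_AS_WRITTEN), ("corrected", ACL_CORRECTED)):
        print(name, nat_coverage(acl, SAMPLE_CLIENTS))
```

The transit address 172.16.50.2 is denied by both versions, which is the intended scope: only the client VLANs should be translated, and an ACL that is too narrow fails silently for the hosts it misses rather than producing an error.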
Verify the connection II
The clients can now reach the outside world:
VPCS> ping 8.8.8.8
84 bytes from 8.8.8.8 icmp_seq=1 ttl=126 time=191.491 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=126 time=183.475 ms
Failover testing
Now we test failover of the border gateways. We will shut down Gi0/0 on DCORE-SW1, the interface connected to BDR1; the default route should then switch automatically to 172.16.60.1 on BDR2.
Before the shutdown, trace from both clients (VLAN10 and VLAN20); the exit gateway is 172.16.50.1 on BDR1:
VPCSVLAN20> trace 8.8.8.8
trace to 8.8.8.8, 8 hops max, press Ctrl+C to stop
 1   172.16.10.1   12.038 ms  15.334 ms  9.788 ms
 2   172.16.50.1   6.148 ms  4.996 ms  11.151 ms
 3   192.168.7.2   11.959 ms  6.184 ms  15.849 ms
VPCSVLAN10> trace 8.8.8.8
trace to 8.8.8.8, 8 hops max, press Ctrl+C to stop
 1   172.16.10.1   12.038 ms  15.334 ms  9.788 ms
 2   172.16.50.1   6.148 ms  4.996 ms  11.151 ms
 3   192.168.7.2   11.959 ms  6.184 ms  15.849 ms
 4   * * *
On DCORE-SW1, shut down the interface facing BDR1:
conf t
int g0/0
 shutdown
end
Trace again from the clients; the exit gateway should now be 172.16.60.1 on BDR2:
VPCSVLAN20> trace 8.8.8.8
trace to 8.8.8.8, 8 hops max, press Ctrl+C to stop
 1   172.16.20.2   10.779 ms  4.057 ms  8.651 ms
 2   172.16.60.1   10.802 ms  5.744 ms  10.217 ms
 3   192.168.7.2   14.871 ms  7.473 ms  17.370 ms
VPCSVLAN10> trace 8.8.8.8
trace to 8.8.8.8, 8 hops max, press Ctrl+C to stop
 1   172.16.10.1   9.256 ms  11.105 ms  6.388 ms
 2   172.16.20.2   10.770 ms  5.405 ms  5.239 ms
 3   172.16.60.1   6.037 ms  6.535 ms  7.594 ms
 4   192.168.7.2   7.207 ms  7.702 ms  7.532 ms
The failover works. With BDR1 no longer reachable in the OSPF topology its default route is dropped, and the core switches fall back to the default advertised by BDR2 (metric 5); the VLAN10 client, whose gateway is still DCORE-SW1, is forwarded across to DCORE-SW2 and out through BDR2. In the real world this is the case where BDR1 (or its ISP link) fails and BDR2 provides Internet access as the backup.
Do not forget to bring the interface on DCORE-SW1 back up and save the configuration:
conf t
int g0/0
 no shutdown
end
wr
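For repeatable failover tests, as an added example that is not part of the original lab, the following parses VPCS trace output and reports which core switch(es) and which border router carried the traffic, using the lab's addressing plan as the hop-to-device map (HOP_OWNER). TRACE_BEFORE and TRACE_AFTER are the lab's VLAN10 trace outputs from before and after shutting Gi0/0 on DCORE-SW1, re-typed here as constructed input; the function and variable names are this example's own.

```python
"""Classify the egress path of a VPCS traceroute for scripted failover checks.

Added example for this lab page, not from the original post. Hop addresses are
mapped to devices with the lab's addressing plan; ISP/Internet hops are ignored.
"""
import re

# Which lab device owns each hop address (from the lab's IP addressing table).
HOP_OWNER = {
    "172.16.10.1": "DCORE-SW1", "172.16.20.1": "DCORE-SW1",
    "172.16.10.2": "DCORE-SW2", "172.16.20.2": "DCORE-SW2",
    "172.16.50.1": "BDR1", "172.16.60.1": "BDR2",
}

# A responding hop line: hop number, then an IPv4 address. '* * *' lines do not match.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\d+\.\d+\.\d+\.\d+)")

# Constructed input: the lab's VLAN10 traces before and after the Gi0/0 shutdown.
TRACE_BEFORE = """\
trace to 8.8.8.8, 8 hops max, press Ctrl+C to stop
 1   172.16.10.1   12.038 ms  15.334 ms  9.788 ms
 2   172.16.50.1   6.148 ms  4.996 ms  11.151 ms
 3   192.168.7.2   11.959 ms  6.184 ms  15.849 ms
 4   * * *
"""
TRACE_AFTER = """\
trace to 8.8.8.8, 8 hops max, press Ctrl+C to stop
 1   172.16.10.1   9.256 ms  11.105 ms  6.388 ms
 2   172.16.20.2   10.770 ms  5.405 ms  5.239 ms
 3   172.16.60.1   6.037 ms  6.535 ms  7.594 ms
 4   192.168.7.2   7.207 ms  7.702 ms  7.532 ms
"""


def parse_hops(trace_text):
    """Return the responding hop addresses in order, skipping '* * *' lines."""
    return [m.group(2) for line in trace_text.splitlines() if (m := HOP_RE.match(line))]


def egress_path(trace_text):
    """Return (core_switches_in_order, border_router); border_router is None
    if the trace never reached a known border router."""
    cores, border = [], None
    for hop in parse_hops(trace_text):
        owner = HOP_OWNER.get(hop)
        if owner is None:
            continue  # ISP or Internet hop, not a lab device
        if owner.startswith("DCORE") and owner not in cores:
            cores.append(owner)
        elif owner.startswith("BDR"):
            border = owner
            break  # everything after the border router is outside the lab
    return cores, border


def failover_ok(before, after, expect_before="BDR1", expect_after="BDR2"):
    """True when traffic left via expect_before before the failure and via
    expect_after afterwards."""
    return egress_path(before)[1] == expect_before and egress_path(after)[1] == expect_after


if __name__ == "__main__":
    print("before:", egress_path(TRACE_BEFORE))
    print("after: ", egress_path(TRACE_AFTER))
    print("failover ok:", failover_ok(TRACE_BEFORE, TRACE_AFTER))
```

On the lab's own traces the result is BDR1 via DCORE-SW1 before the shutdown, and BDR2 via DCORE-SW1 then DCORE-SW2 afterwards, so the extra hop across the core trunk during failover is visible in the output as well.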
NEXT: We are going to bundle the two links between the core switches into an EtherChannel. First check the spanning-tree state of the core-to-core ports:
show spanning-tree
The output (on the core switch that is not the spanning-tree root):
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Root FWD 4         128.2    P2p
Gi0/2               Altn BLK 4         128.3    P2p
Gi0/2 is BLK (blocked): spanning tree lets only one of the two parallel links forward, so the second link sits idle. Bundling both ports into a PAgP EtherChannel makes spanning tree treat them as one logical link (Po1), so both forward. DCORE-SW1 is set to desirable (it actively negotiates the bundle) and DCORE-SW2 to auto (it only responds); at least one side must be desirable for PAgP to form the channel. At the same time we pin the spanning-tree root for both VLANs to DCORE-SW1, with DCORE-SW2 as the secondary root, so the layer-2 topology is deterministic rather than decided by the lowest MAC address.
DCORE-SW1 - Port Aggregation
conf t
int range g0/1 - 2
 channel-group 1 mode desirable
spanning-tree vlan 10 root primary
spanning-tree vlan 20 root primary
end
wr
DCORE-SW2 - Port Aggregation
conf t
int range g0/1 - 2
 channel-group 1 mode auto
spanning-tree vlan 10 root secondary
spanning-tree vlan 20 root secondary
end
wr
Now verify the bundle status on both core switches:
show etherchannel summary
Output:
Group  Port-channel  Protocol    Ports
------+-------------+-----------+------------------------------------------
1      Po1(SU)         PAgP      Gi0/1(P)    Gi0/2(P)
And check the spanning tree again:
show spanning-tree
The two ports are now represented by Po1, with status FWD (forwarding):
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/3               Desg FWD 4         128.4    P2p
Gi1/0               Desg FWD 4         128.5    P2p
Gi1/1               Desg FWD 4         128.6    P2p
Gi1/2               Desg FWD 4         128.7    P2p
Gi1/3               Desg FWD 4         128.8    P2p
Po1                 Root FWD 3         128.65   P2p
We will now configure gateway failover on the core switches, so that if one core switch fails the clients keep the same gateway address and reach the Internet through the other switch (and, when needed, through BDR2 with gateway 172.16.60.1).
As of now the VLAN gateways are different on each switch:
DCORE-SW1: VLAN10 172.16.10.1, VLAN20 172.16.20.1
DCORE-SW2: VLAN10 172.16.10.2, VLAN20 172.16.20.2
We create an HSRP virtual gateway IP for each VLAN, shared by both switches, and point the DHCP pools at it:
VLAN10: 172.16.10.3
VLAN20: 172.16.20.3
Note that the pools have no excluded addresses, so .3 in both VLANs has already been leased to a client (see the DHCP output above); in practice exclude the SVI and virtual addresses from the pools (ip dhcp excluded-address) before enabling HSRP, so the virtual address can never be handed to a host.
DCORE-SW1 - HSRP
conf t
int vlan 10
 standby 10 ip 172.16.10.3
 standby 10 priority 150
 standby 10 preempt
exit
ip dhcp pool admin
 default-router 172.16.10.3
exit
int vlan 20
 standby 20 ip 172.16.20.3
 standby 20 priority 150
 standby 20 preempt
exit
ip dhcp pool support
 default-router 172.16.20.3
end
wr
DCORE-SW2 - HSRP
conf t
int vlan 10
 standby 10 ip 172.16.10.3
 standby 10 priority 200
 standby 10 preempt
exit
ip dhcp pool admin
 default-router 172.16.10.3
exit
int vlan 20
 standby 20 ip 172.16.20.3
 standby 20 priority 200
 standby 20 preempt
exit
ip dhcp pool support
 default-router 172.16.20.3
end
wr
Check the HSRP state with the following command on both switches:
show standby brief

DCORE-SW1#show standby br
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl10        10   150 P Standby 172.16.10.2     local           172.16.10.3
Vl20        20   150 P Standby 172.16.20.2     local           172.16.20.3

DCORE-SW2#show standby br
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl10        10   200 P Active  local           172.16.10.1     172.16.10.3
Vl20        20   200 P Active  local           172.16.20.1     172.16.20.3
As the output shows, DCORE-SW1 is STANDBY and DCORE-SW2 is ACTIVE, because DCORE-SW2 has the higher priority (200 against 150) and preempt is enabled on both. Note that this puts the active gateway on DCORE-SW2 while DCORE-SW1 is the spanning-tree root and holds the preferred exit (BDR1, metric 1), so client traffic crosses the Po1 trunk before leaving the network; in a production design the same switch would be given the highest HSRP priority, the spanning-tree root and the preferred uplink.
On the clients, request a new DHCP lease; the gateway is now the HSRP virtual IP:
VPCSVLAN20> ip dhcp
DORA IP 172.16.20.4/24 GW 172.16.20.3
VPCSVLAN10> ip dhcp
DORRA IP 172.16.10.4/24 GW 172.16.10.3
VPCSVLAN20> ping 8.8.8.8
84 bytes from 8.8.8.8 icmp_seq=1 ttl=126 time=70.127 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=126 time=132.660 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=126 time=57.944 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=126 time=72.582 ms
84 bytes from 8.8.8.8 icmp_seq=5 ttl=126 time=62.801 ms
VPCSVLAN10> ping 8.8.8.8
84 bytes from 8.8.8.8 icmp_seq=1 ttl=126 time=65.283 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=126 time=120.641 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=126 time=69.903 ms
Core switch failover testing
Now we test failover on the core switches. We will shut down interface e0/0 on ASW1, the uplink to DCORE-SW1.
Keep a ping to the outside running on a client so the interruption during the failover is visible:
84 bytes from 8.8.8.8 icmp_seq=16 ttl=126 time=62.625 ms
84 bytes from 8.8.8.8 icmp_seq=17 ttl=126 time=83.232 ms
84 bytes from 8.8.8.8 icmp_seq=18 ttl=126 time=60.384 ms
8.8.8.8 icmp_seq=19 timeout
8.8.8.8 icmp_seq=20 timeout
8.8.8.8 icmp_seq=21 timeout
8.8.8.8 icmp_seq=22 timeout
8.8.8.8 icmp_seq=23 timeout
8.8.8.8 icmp_seq=24 timeout
8.8.8.8 icmp_seq=25 timeout
8.8.8.8 icmp_seq=26 timeout
8.8.8.8 icmp_seq=27 timeout
8.8.8.8 icmp_seq=28 timeout
8.8.8.8 icmp_seq=29 timeout
8.8.8.8 icmp_seq=30 timeout
8.8.8.8 icmp_seq=31 timeout
8.8.8.8 icmp_seq=32 timeout
8.8.8.8 icmp_seq=33 timeout
84 bytes from 8.8.8.8 icmp_seq=34 ttl=126 time=83.892 ms
84 bytes from 8.8.8.8 icmp_seq=35 ttl=126 time=59.278 ms
84 bytes from 8.8.8.8 icmp_seq=36 ttl=126 time=70.046 ms
84 bytes from 8.8.8.8 icmp_seq=37 ttl=126 time=60.387 ms
The timeouts above are the interruption while the access switch's uplink to DCORE-SW1 goes down and its previously blocked uplink to DCORE-SW2 transitions to forwarding (spanning-tree reconvergence). The HSRP virtual gateway itself does not move in this test, since both core switches still see each other over Po1 and DCORE-SW2 was already active.
The same test can be done by shutting down the uplink to DCORE-SW2 instead.
Summary
Our lab is configured and working. Practise by building the lab again from the beginning, so you become familiar with this basic CCNA networking lab. The commands used for troubleshooting are listed below:
Commands | Objective |
no cdp log mismatch duplex | Stop the CDP duplex-mismatch log messages (in case they get annoying) |
sh history | Show the last executed commands |
sh ip ospf neighbor | Check the OSPF adjacencies |
sh ip route | Show the routing table |
sh ip int br | Show the IP address and status of each interface |
sh ip dhcp pool | Check the DHCP pools |
sh vlan br | Show the configured VLANs |
sh run int e0/2 | Show the running configuration of a single interface |
sh spanning-tree | Show the spanning-tree state |
show standby br | Show the HSRP state (active/standby) |
show mac address-table | Show the MAC address table entries of the connected devices |
sh int e0/2 switchport | Show the switchport (access/trunk) status of a port |
clear ip ospf process | Restart the OSPF process and rebuild its neighbor database (disruptive: do not do this on production devices) |
sh etherchannel summary | Show the port-channel (bundle) status |
Source: Workshops & Training, YouTube, Cisco.com, PnetLAB, eve-ng, Mr. Google.