VRRP Configuration Example | Complete Lab Included

The Virtual Router Redundancy Protocol (VRRP) provides automatic assignment of available routers to participating hosts. This increases the availability and reliability of routing paths via automatic default gateway selections on a subnet.

VRRP creates a virtual router, which is an abstract representation of multiple routers, i.e. master and backup routers, acting as a group. In the lab shown below, Host 1 is a PC with a gateway 11.11.10.254. R2 and R3 use the industry standard redundancy protocol VRRP to maintain a virtual gateway 11.11.10.254. R2 has a higher priority.


Network Diagram: VRRP Configuration Example

Configuration:
Configure VRRP on R2 & R3

R2:
interface FastEthernet0/0
 ip address 11.11.10.2 255.255.255.0
 ! join group 1; the virtual address is the hosts' default gateway
 vrrp 1 ip 11.11.10.254
 ! above R3's default of 100, so R2 wins the master election
 vrrp 1 priority 120

R3:
interface FastEthernet0/0
 ip address 11.11.10.3 255.255.255.0
 ! default priority 100, so R3 becomes the backup
 vrrp 1 ip 11.11.10.254

R2: show run int f0/0
R3: show run int f0/0

Final State:
R2 has been elected master router of VRRP group 1 and R3 is the backup router.

R2: show vrrp
R3: show vrrp

R1: trace 11.11.10.254

Tip: The Virtual Router Redundancy Protocol (VRRP) is an election protocol that dynamically assigns responsibility for one or more virtual routers to the VRRP routers on a LAN, allowing several routers on a multiaccess link to utilize the same virtual IP address.
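A hardened version of the R2/R3 configuration above, added here as an example and not taken from the lab's Qmap. VRRP advertisements are multicast to 224.0.0.18 and carry no authentication by default, so any device on the 11.11.10.0/24 segment that sends group 1 advertisements with a priority above 120 becomes master and receives the hosts' traffic. IOS's VRRP implementation can MD5-sign the advertisements; the key string, the tracked uplink (Serial0/0) and the decrement value are assumptions.

```cisco
! R2 (preferred master)
track 10 interface Serial0/0 line-protocol
!
interface FastEthernet0/0
 ip address 11.11.10.2 255.255.255.0
 vrrp 1 description GW-11.11.10.0/24
 vrrp 1 ip 11.11.10.254
 ! 120 > R3's default 100; a router that does not own the VIP stays below 255
 vrrp 1 priority 120
 ! preempt is on by default in VRRP; the delay avoids a flap right after a reload
 vrrp 1 preempt delay minimum 30
 ! 1-second advertisements; the backup derives its master-down timer from this
 vrrp 1 timers advertise 1
 ! drop to 90 if the uplink dies, so R3 (100) takes over (assumed object 10)
 vrrp 1 track 10 decrement 30
 ! advertisements are MD5-authenticated; R3 must carry the same key (assumed key)
 vrrp 1 authentication md5 key-string S3cretVRRPkey
!
! R3 (backup, default priority 100)
interface FastEthernet0/0
 ip address 11.11.10.3 255.255.255.0
 vrrp 1 description GW-11.11.10.0/24
 vrrp 1 ip 11.11.10.254
 ! take the timers from the master's advertisements
 vrrp 1 timers learn
 vrrp 1 authentication md5 key-string S3cretVRRPkey
!
! verification (either router)
! show vrrp brief
! show vrrp 1 interface FastEthernet0/0
```

Advertisements whose digest does not match are discarded, so a wrong key shows up as both routers claiming Master at the same time; check the key before anything else in that case. Tracking only lowers the priority, it never raises it, which is why the decrement is chosen so that the result (90) lands below the backup's 100.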

Our unique lab format (Qmap) gives you access to a step-by-step guide for configuring VRRP and show-commands which highlight the impact of the configuration. You will need NetBrain Qmap Reader to view these details with an in-depth topology diagram.


Three Methods of Configuring Voice VLANs | Complete Lab Included

The Voice VLAN feature enables access ports to carry IP voice traffic from an IP phone. When the switch is connected to a Cisco 7960 IP Phone, the phone sends voice traffic with Layer 3 IP precedence and Layer 2 class of service (CoS) values, which are both set to 5 by default.

There are three methods to configure Voice VLANs:

1) Separate the Data VLAN for the PC and the Voice VLAN for the IP phone
2) Separate Data and Voice VLANs on a manually configured 802.1Q trunk to the phone (data VLAN native, voice VLAN tagged).
3) Use a single VLAN for Data and Voice but add the 802.1p CoS tag.


Network Diagram: Configuring Voice VLANs

OPTION 1
Separate the Data VLAN for the PC and the Voice VLAN for the IP Phone. The internal IP Phone switch will tag VoIP traffic with the respective VLAN number and apply a CoS value of 5. The data frames are set untagged and received by the upstream switch on the configured access VLAN. The connection between the IP Phone and the upstream switch is an 802.1q trunk with the native VLAN equal to the Data VLAN.

SW1:
interface FastEthernet0/2
 ! the PC's untagged frames go to the data VLAN
 switchport access vlan 10
 ! CDP tells the phone to tag its voice frames into VLAN 800
 switchport voice vlan 800
 spanning-tree portfast

Switch: show run int f0/2

OPTION 2
The same separation of data and voice as in Option 1, but with the link to the phone configured as an explicit 802.1Q trunk instead of letting the voice VLAN command create it. The native VLAN is the data VLAN, so the PC's untagged frames land in VLAN 10, the allowed list is pruned to the data and voice VLANs, and the switchport voice vlan command is still needed so that CDP tells the phone to tag voice into VLAN 800. Because the port is now a trunk, portfast needs the trunk keyword. BPDU filtering stops the port from sending or processing BPDUs; note that this also hides a rogue switch plugged in behind the phone, so bpduguard is the safer choice on host-facing ports.

SW1:
interface FastEthernet0/4
 ! explicit 802.1Q trunk toward the phone
 switchport trunk encapsulation dot1q
 ! untagged PC frames land in the data VLAN
 switchport trunk native vlan 10
 ! carry only the data and voice VLANs
 switchport trunk allowed vlan 10,800
 switchport mode trunk
 ! CDP still tells the phone to tag voice into VLAN 800
 switchport voice vlan 800
 ! portfast on a trunk port needs the trunk keyword
 spanning-tree portfast trunk
 spanning-tree bpdufilter enable

Switch: show run int f0/4

OPTION 3
Use a single VLAN for Data and Voice, but add an 802.1p CoS tag. Data frames received from the PC on the phone, along with VoIP frames sent by the phone, get an 802.1Q header that carries a VLAN ID of zero (a priority-tagged frame) with the CoS field set to 5 for VoIP and to the value the switch instructs the phone to use for data frames. The Catalyst switch accepts frames with VLAN ID zero as if they belonged to the access VLAN, but also honors the CoS bits when computing its internal QoS label.

SW1:
interface FastEthernet0/6
 switchport access vlan 10
 ! phone sends voice 802.1Q-tagged with VID 0 (priority-tagged) and CoS 5
 switchport voice vlan dot1p
 spanning-tree portfast

Switch: show run int f0/6

Tip: As soon as the switchport voice vlan command is applied to the port, the spanning-tree portfast feature is automatically enabled. The phone learns the voice VLAN from the switch through CDP, so CDP must stay enabled on phone-facing ports even if you disable it elsewhere.


Lab Credit: Frank Tan


Configure Context Based Access Control (CBAC) | Complete Lab Included

Context-based Access Control (CBAC) inspects generic TCP/UDP connections to check their integrity and open a hole for qualifying returning traffic.

Configuration Example

R1 sits between R2/R3 and R4 and is configured as a stateful firewall: an access list on R1's interface toward R4 denies every packet arriving from R4's side, and CBAC inspection lets ICMP sourced from R2 and R3 cross the firewall to R4 and opens temporary entries for the replies on their way back.


Network Diagram: Context Based Access Control

Tip: CBAC does not provide intelligent filtering for all protocols; it only works for the protocols that you specify. If you don’t specify a certain protocol for CBAC, the existing access lists will determine how that protocol is filtered. No temporary openings will be created for protocols not specified for CBAC inspection.
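An R1 configuration that implements the lab as described, added here as an example and not taken from the Qmap. The interface toward R4 (Serial0/1) and the R2/R3 addresses (10.0.0.2 and 10.0.0.3) are placeholders; the rest is standard CBAC.

```cisco
! R1 (assumed: Serial0/1 faces R4; R2 = 10.0.0.2 and R3 = 10.0.0.3)
ip inspect audit-trail
! inspect ICMP only: echo state is tracked, nothing else is
ip inspect name ICMP_ONLY icmp
!
! nothing initiated from R4's side gets in; CBAC inserts the temporary
! permit entries for inspected replies ahead of this list
ip access-list extended FROM_R4
 deny   ip any any log
!
! only ICMP sourced from R2 and R3 may leave toward R4; anything else is
! dropped by the outbound list before inspection and never opens a hole
ip access-list extended TO_R4
 permit icmp host 10.0.0.2 any
 permit icmp host 10.0.0.3 any
 deny   ip any any log
!
interface Serial0/1
 description toward R4
 ip access-group FROM_R4 in
 ip access-group TO_R4 out
 ip inspect ICMP_ONLY out
!
! verification, while R2 pings R4
! show ip inspect sessions
! show ip access-lists FROM_R4
```

The Tip above is easy to see with this setup: if you add permit tcp to TO_R4 but do not add tcp to the inspect list, a Telnet SYN from R2 leaves toward R4, the SYN-ACK comes back, hits FROM_R4 and is dropped, because only inspected protocols get a return opening. The audit-trail line logs each session CBAC opens and closes, which is the evidence you want when tuning the inspect list.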


Cisco MSDP Configuration | Complete Lab Included

Multicast Source Discovery Protocol (MSDP) allows multicast sources for a group to be known to all rendezvous point (RPs) in different domains. Each PIM-SM domain uses its own RPs and does not depend on RPs in other domains. An RP runs MSDP over the Transmission Control Protocol (TCP) to discover multicast sources in other domains.

In the configuration example below, we use MSDP to connect Domain 1 to Domain 2. R1 and R2 are in multicast Domain 1, with R1 Fa0/0 receiving multicast traffic for group 224.1.1.1 and R2's Loopback0 acting as the RP. R4, R5 and R6 are in Domain 2, with R4 as the RP and R5 a member of multicast group 224.2.2.2. Multicast routing is disabled on R3, which belongs to neither domain.


Network Diagram: Cisco MSDP Configuration
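A configuration for R2 as the Domain 1 RP that matches the description above, added here as an example and not taken from the lab's Qmap. The loopback addresses (2.2.2.2 for R2, 4.4.4.4 for R4), the peer password and the ACL number are assumptions.

```cisco
! R2 (RP for Domain 1; Loopback0 = 2.2.2.2, R4's Loopback0 = 4.4.4.4 assumed)
ip multicast-routing
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
 ip pim sparse-mode
!
interface FastEthernet0/0
 ip pim sparse-mode
!
! static RP for this domain
ip pim rp-address 2.2.2.2
!
! MSDP peering is a TCP session (port 639) between the RPs; sourcing it
! from the loopback keeps it up across a link flap
ip msdp peer 4.4.4.4 connect-source Loopback0
ip msdp description 4.4.4.4 RP-Domain2
ip msdp originator-id Loopback0
! TCP MD5 on the session, so a third party cannot inject or reset SA exchanges
ip msdp password peer 4.4.4.4 S3cretMSDPkey
! announce only the group this domain intends to share (source any, group 224.1.1.1)
ip msdp sa-filter out 4.4.4.4 list 101
access-list 101 permit ip any host 224.1.1.1
!
! R4 (RP for Domain 2) mirrors this with 4.4.4.4 <-> 2.2.2.2, the same
! password, and its own rp-address and sa-filter
!
! verification
! show ip msdp peer 4.4.4.4
! show ip msdp sa-cache
! show ip rpf <source-address>
```

MSDP carries only Source-Active messages; once R4 learns a source it still has to join toward that source over a PIM-enabled path. The TCP peering happily crosses R3, which has multicast disabled, but the data path cannot, so check show ip rpf on R4 for the Domain 1 source before blaming MSDP.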


Lab Credit: Frank Tan


Disable Dynamic Trunking Protocol (DTP) | Complete Lab Included

Dynamic Trunking Protocol (DTP) is enabled by default on all modern Cisco switches: Catalyst ports default to dynamic auto (dynamic desirable on some older platforms), so every port is willing to negotiate a trunk with whatever is plugged into it. A careful network engineer will think twice before keeping this default. There are two key reasons why you should not allow switches to form their own trunks:

  • Trunks should be present only where they are intended.
  • Leaving switch ports in dynamic mode is a security hole: a host that negotiates a trunk on what should be an access port can then send tagged frames into whichever VLANs the trunk allows (all of them, by default).

Hence, you might want to consider disabling DTP. Refer to the lab in the picture below for an example:


Network Diagram: Disable Dynamic Trunking Protocol (DTP)

In this lab, the links between switches are configured to trunk. SW1 actively negotiates trunking. We disable Dynamic Trunking Protocol on the trunk links of SW1 & SW2 and verify that trunking is still occurring between them without the use of DTP.
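The lab disables DTP on the inter-switch trunks only. The configuration below, added here as an example and not taken from the Qmap, does the same on SW1 and also covers the host-facing and unused ports, which is where the injection risk in the bullet above actually lives. Interface and VLAN numbers are assumptions; mirror the trunk side on SW2.

```cisco
! SW1 (mirror on SW2; interface and VLAN numbers are assumed)
!
! inter-switch link: trunk unconditionally, never send or answer DTP
interface FastEthernet0/13
 description trunk to SW2
 ! omit the encapsulation line on platforms that only speak 802.1Q
 switchport trunk encapsulation dot1q
 ! native VLAN is an otherwise unused VLAN, so untagged frames go nowhere useful
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,800
 switchport mode trunk
 switchport nonegotiate
!
! host-facing ports: fixed access mode with DTP off, so a host cannot
! negotiate itself into a trunk and reach other VLANs
interface range FastEthernet0/1 - 12
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! unused ports: park in a dead-end VLAN and shut down
interface range FastEthernet0/14 - 24
 switchport mode access
 switchport access vlan 998
 shutdown
!
! verification
! show interfaces FastEthernet0/13 switchport | include Negotiation|Trunking
! show dtp interface FastEthernet0/13
```

switchport nonegotiate is only accepted once the port is in static trunk or static access mode; IOS rejects it on a dynamic port, which is a useful reminder that the mode has to be fixed first. After the change, show interfaces switchport reports "Negotiation of Trunking: Off" while the trunk itself stays up, which is exactly what the lab verifies.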


Lab Credit: Frank Tan


Cisco Private VLAN Configuration | Complete Lab Included

Private VLANs partition the Layer 2 broadcast domain of a VLAN into subdomains so that ports on the switch can be isolated from each other. A subdomain comprises a primary VLAN and one or more secondary VLANs.

All subdomains in a private VLAN domain share the same primary VLAN; the secondary VLAN ID distinguishes the subdomains. A secondary VLAN is either an isolated VLAN or a community VLAN. A host in an isolated VLAN can communicate only with the promiscuous port(s) of its primary VLAN, not even with other hosts in the same isolated VLAN. Hosts in a community VLAN can communicate with each other and with the promiscuous port, but not with ports in other community or isolated VLANs.

Refer to the example in the lab below to learn private VLAN configuration.


Network Diagram: Cisco Private VLAN Configuration

The objective of this lab is to configure SW1 and SW2 in a way that:

  • PC1 and PC2 cannot communicate with PC3 and PC4
  • PC1, PC2, PC3, and PC4 should each be allowed to communicate with the TFP-Server connected to port Fa0/8 of SW1

Also remember: Private VLANs require VTP to run in transparent mode!
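A configuration that meets the two objectives above, added here as an example and not taken from the Qmap. PC1/PC2 and PC3/PC4 are placed in two community VLANs, which keeps the pairs apart while each pair can still talk to the TFP-Server on the promiscuous port; VLAN numbers, port numbers and the inter-switch link are assumptions.

```cisco
! Both switches: VTP v1/v2 do not carry private VLANs, so each switch is
! configured by hand in transparent mode (VLAN numbers assumed)
vtp mode transparent
!
vlan 101
 name PVLAN-COMMUNITY-PC1-PC2
 private-vlan community
vlan 102
 name PVLAN-COMMUNITY-PC3-PC4
 private-vlan community
vlan 100
 name PVLAN-PRIMARY
 private-vlan primary
 private-vlan association 101,102
!
! SW1 Fa0/8: the TFP-Server; a promiscuous port talks to every mapped secondary VLAN
interface FastEthernet0/8
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! SW1 Fa0/1-2: PC1 and PC2 (community 101)
interface range FastEthernet0/1 - 2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! SW2 Fa0/3-4: PC3 and PC4 (community 102)
interface range FastEthernet0/3 - 4
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! inter-switch link (both switches): an ordinary 802.1Q trunk carries the
! primary and both secondary VLANs; the far end maps them by VLAN ID
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100-102
 switchport mode trunk
 switchport nonegotiate
!
! verification
! show vlan private-vlan
! show interfaces FastEthernet0/8 switchport
```

The objectives say nothing about PC1 talking to PC2; if that should be blocked as well, make 101 and 102 isolated VLANs instead of community VLANs (private-vlan isolated) and the host-association lines stay the same. Because the secondary VLAN IDs ride the trunk unchanged, both switches must carry identical private VLAN definitions or frames from SW2's hosts will arrive in a VLAN SW1 does not map to the promiscuous port.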


Cisco Port Security Configuration | Complete Lab Included

You can use port security to restrict a port’s ingress traffic by limiting the MAC addresses that are allowed to send traffic into the port. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the device attached to that port has the full bandwidth of the port.

In the lab example below, we will configure SW1 Fa0/1 with a maximum of 1 MAC address allowed on the port .


Network Diagram: Cisco Port Security Configuration

First, set the maximum number of secure addresses to 1 with the sticky option. Then set ports that were error-disabled for the psecure-violation cause to be re-enabled automatically after 3 hours. SW1 Fa0/1 transitions to error-disabled (shut down) as soon as it sees a second MAC address and is re-enabled automatically after 3 hours.

By downloading this lab, you’ll learn:

  • You can configure an interface to convert dynamically learned MAC addresses into sticky secure MAC addresses and add them to the running configuration by enabling sticky learning.
  • A port security violation causes the interface to become error-disabled and shut down immediately. You can bring a secure port out of the error-disabled state automatically with the errdisable recovery cause psecure-violation global configuration command. Alternatively, you can re-enable it manually by entering the shutdown and no shutdown interface configuration commands.
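The complete SW1 configuration for the procedure described above (maximum 1, sticky, 3-hour recovery), added here as an example and not taken from the Qmap. The access VLAN is an assumption.

```cisco
! SW1 (global): bring ports err-disabled for psecure-violation back after
! 3 hours (10800 s; the interval range is 30 to 86400 s)
errdisable recovery cause psecure-violation
errdisable recovery interval 10800
!
interface FastEthernet0/1
 description Host1 - single-device port
 ! port security is refused on dynamic (DTP) ports, so fix the mode first
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 ! one MAC address only; a second address is a violation
 switchport port-security maximum 1
 ! learn the first MAC seen and write it into the running config
 switchport port-security mac-address sticky
 ! shutdown is the default violation mode: err-disable the port and log it
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! verification
! show port-security interface FastEthernet0/1
! show port-security address
! show errdisable recovery
```

Sticky addresses live in the running configuration only; save it (copy running-config startup-config) or the port relearns whatever shows up first after a reload, which defeats the point. For a port carrying a phone and a PC, raise the maximum to 2 and, on platforms that support per-VLAN limits, pin one address to the voice VLAN with switchport port-security maximum 1 vlan voice.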


Cisco HSRP Configuration Example with Complete Lab

HSRP (Hot Standby Router Protocol) is Cisco's proprietary method of providing high network availability through first-hop redundancy for IP hosts on an IEEE 802 LAN configured with a default gateway IP address. It establishes a framework between routers to achieve default gateway failover when the primary gateway becomes inaccessible. When HSRP is configured on a network segment it provides a virtual MAC address and IP address that are shared among the group of router interfaces running HSRP.

In this lab, we use HSRP to configure a fault-tolerant virtual gateway for Host 1. Host 1 is a PC with a gateway of 11.11.10.254. We configure R2 and R3 to use Cisco's proprietary redundancy protocol HSRP to maintain the virtual gateway 11.11.10.254, with R2 set to the higher priority.


Network Diagram: Cisco HSRP Configuration Example
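An HSRP configuration for R2 and R3 that matches the lab description, added here as an example and not taken from the Qmap. R2's and R3's interface addresses (11.11.10.2 and 11.11.10.3) are carried over from the VRRP lab above and the key string is an assumption. Two defaults matter here: HSRP does not preempt unless told to, and its default authentication is the plain-text string "cisco", which any host on the segment can read from the hello packets.

```cisco
! R2 (active)
interface FastEthernet0/0
 ip address 11.11.10.2 255.255.255.0
 ! v2: 4096 groups, millisecond timers, hellos to 224.0.0.102
 standby version 2
 standby 1 ip 11.11.10.254
 ! 120 > R3's default 100
 standby 1 priority 120
 ! no preemption by default; the delay lets routing converge after a reload
 standby 1 preempt delay minimum 60
 ! hello 1 s, hold 3 s (defaults are 3 s / 10 s)
 standby 1 timers 1 3
 ! replaces the default clear-text key "cisco" (assumed key)
 standby 1 authentication md5 key-string S3cretHSRPkey
!
! R3 (standby)
interface FastEthernet0/0
 ip address 11.11.10.3 255.255.255.0
 standby version 2
 standby 1 ip 11.11.10.254
 standby 1 preempt delay minimum 60
 standby 1 timers 1 3
 standby 1 authentication md5 key-string S3cretHSRPkey
!
! verification
! show standby brief
! show standby FastEthernet0/0 1
```

Without the MD5 line, a host on 11.11.10.0/24 that sends group 1 hellos with priority 255 and the preempt bit set takes the active role and becomes the gateway for every host on the segment; with it, hellos carrying a wrong digest are ignored and logged by debug standby errors. Both routers must run the same HSRP version, because v1 and v2 use different multicast addresses and do not see each other.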


Real Cisco Lab or Simulators: What’s Your Plan?


You need solid CLI hands-on experience to do well in your Cisco certifications. You can gain that experience on real routers and switches or on simulators. Many students are not sure what makes an ideal lab; it really depends on your budget and your future Cisco certification goals. Network World conducted a poll to see what most CCNA candidates think:

(Network World poll results: image)

Please comment on this post to let readers know about your vote!

If you're preparing for CCNA and not sure about your future in networking, you might want to use GNS3 or Packet Tracer. Most reviews say that GNS3 is the best simulator out there, even reviews by people who don't recommend simulators at all. Some experts also believe that GNS3 poses a steep learning curve for those who are very new to networking, and that they should start with Packet Tracer. As long as the simulator you use is good (supports the commands, gives realistic output, and so on) you can certainly learn plenty to pass. If you're planning to further your career by preparing for CCNP or CCIE, building a lab makes sense. The importance of a real lab increases with these advanced certifications.

I agree that building a lab is expensive; it might cost a few hundred dollars. But there are a few things that you just cannot do with a simulator. You cannot disconnect a cable, connect it in the wrong place or configure the interface incorrectly. It is important to know what happens when you make these mistakes. Depending on what you do, interfaces or protocols will go down and return clues for troubleshooting. You will soon find out that a mistake made on one router affects another. With real gear, you get to see the interfaces, see the actual console messages when the routers boot, experience software upgrades more realistically, and a few other things that you just can't do with a simulator.

At some point, you might also want to think about the benefits of your study beyond CCNA or CCENT. Your real networking job will require you to work on real gear and use your CLI skills. Wouldn't it be nice if there were a way for students to use real gear without spending all that money? Do you have ideas for building labs at a reasonable price? Comment below to discuss with other readers.

If you already have a lab/GNS3, are you documenting your practice? NetBrain PE is a free tool that helps you preserve your practice so that you can review it down the road without the hassle of having to rebuild it. When you’re done, share your Qmap with your study group so everyone can benefit.


Flex Link Configuration | Complete Lab Included

Flex Links are a pair of Layer 2 interfaces (switch ports or port channels) where one interface is configured to act as a backup to the other. The feature provides an alternative to the Spanning Tree Protocol (STP): users can disable STP and still retain basic link redundancy. Flex Links are typically configured in service provider or enterprise networks where customers do not want to run STP on the switch. If the switch is running STP, Flex Links are not necessary on that link because STP already provides link-level redundancy.

You configure Flex Links on one Layer 2 interface (the active link) by assigning another Layer 2 interface as the Flex Link or backup link. When one of the links is up and forwarding traffic, the other link is in standby mode, ready to begin forwarding traffic if the other link shuts down. At any given time, only one of the interfaces is in the linkup state and forwarding traffic. If the primary link shuts down, the standby link starts forwarding traffic. When the active link comes back up, it goes into standby mode and does not forward traffic. STP is disabled on Flex Link interfaces.


Network Diagram: Flex Link Configuration

This network diagram describes our lab for configuring a Flex Link instead of spanning tree. Initially, the Layer 2 network uses spanning tree to avoid loops. We configure a Flex Link to add failover capability to the path between SW1 and SW3. The primary path should be through the EtherChannel between SW1 and SW2; the backup path should be Fa0/13 between SW1 and SW3. Then we send 500 pings to test whether the Flex Link works, shutting down port-channel 12 while the pings are running.
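An SW1 configuration for the failover described above, added here as an example and not taken from the Qmap. It assumes Po12 and Fa0/13 are already trunks carrying the same VLANs and that the pinged host sits behind SW3; the preemption settings go one step beyond the lab, which by default leaves the recovered primary in standby.

```cisco
! SW1: port-channel 12 (to SW2) is the active link, Fa0/13 (to SW3) the backup
interface Port-channel12
 description primary path (SW2)
 switchport mode trunk
 ! the backup is configured on the port-channel itself, never on a member port;
 ! STP is disabled on both interfaces of the pair
 switchport backup interface FastEthernet0/13
 ! default is preemption off: a recovered Po12 would stay in standby. Forced
 ! preemption moves traffic back after a 30 s settling delay
 switchport backup interface FastEthernet0/13 preemption mode forced
 switchport backup interface FastEthernet0/13 preemption delay 30
!
interface FastEthernet0/13
 description backup path (SW3)
 switchport mode trunk
!
! test: from SW1, "ping <host-behind-SW3> repeat 500", then in another
! session "interface Port-channel12" / "shutdown"; only a few pings drop
!
! verification
! show interfaces switchport backup
! show interfaces switchport backup detail
```

Because STP is off on the Flex Link pair, the pair is the only loop protection those two links have; keep STP running on the rest of the topology unless every redundant path is covered by a Flex Link, otherwise a stray cross-connect becomes a loop nobody is blocking.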
