Who knew that the dating life of OSPF devices were controlled by the IT ELF?

First off if you are not subscribed to Keith’s Youtube channel and you are working on your CCNA, what are you thinking?  Follow this link and subscribe!  https://www.youtube.com/user/Keith6783

So IT Elf is an acronym for the OSPF states

• I – Init
• T – Two-way
• E – Estart & Exchange
• L – Loading
• F – Full

Now as far as the dating portion, I will leave the video to explain that in detail but know that the DR (Designated Router) and BDR (Backup Designated Router) are a bit of a player as they are the only devices that build a full relationship will all the other devices.  The devices that become DROTHER routers build two way relationship with the other DROTHER devices but will build a full relationship with DR and BDR.

Check out Keith’s OSPF Neighbor States | Cisco CCNA 200-301 video

 

 

 

Numbered Standard ACL

• Standard ACL Numbers
  • 1-99, 1300-1999
• Configure a number standard route to allow one subnet to pass-though while denying another subnet to a third subnet.
  • As soon as a rule is applied there is also a deny all rule applied to the access list also.
  • Standard Access lists only check the source address as opposed to extended ACL that checks both source and destination.
    • This requires that the list be completed on the outbound port toward the subnet that needs to be blocked.
  • Commands
    • Create the outbound ACL on interface sending traffic to the subnet to be denied
      • (config-if)#ip access-group [Standard ACL#] out
    • Add rules to the newly created ACL
      • (config-if)#exit
      • (config)#access-group 1 deny [restricted subnet] [restricted wildcard mask]
      • (config)#access-group 1 permit [allowed subnet] [allowed wildcard mask]
        • This is needed as the default Deny All rule that is applied to all ACLs
  • In the lab, they create the ACL rules first and then create the ACL that will house these rules.  This makes sense as when you apply the ACL all traffic will be blocked until a permit rule is put in place.

Numbered Extended ACL

• Extended ACL Numbers
  • 100-199, 2000-2699
• Configure a numbered extended ACL to permit telnet access to a single IP address while denying all other IP addresses.
  • I did this incorrectly as I applied two rules while three are needed (all rules were provided on the inbound interface on the router for the subnet making the request.
    • I provided the permit rule for the single IP address and a deny rule for all other IP addresses.  The default deny all traffic on the ACL blocked all other traffic.
    • Since numbered ACLs cannot be reordered, the ACL was deleted and re-applied the rules in the ordered needed.
  • Commands
    • (config)#access-list 100 permit tcp host 10.0.1.10 host 10.0.0.2 eq telnet
    • (config)#access-list 100 deny tcp 10.0.1.0 0.0.0.255 host 10.0.0.2 eq telnet
    • (config)#access-list 100 permit ip any any
    • (config)#int [inbound interface]
    • (config-if)#ip access-list 100 in

Named Extended ACL

• Remove the number extended ACL
  • Command
    • (config-if)#no ip access-group [group#] in
• Configure and apply a named extended ACL
  • (config)#ip access-list extended [Name]
  • (config-ext-nacl)#permit tcp host 10.0.1.10 host 10.0.0.2 eq telnet
  • (config-ext-nacl)#deny tcp 10.0.1.0 0.0.0.255 host 10.0.0.2 eq telnet
  • (config-ext-nacl)#permit icmp host 10.0.1.11 host 10.0.0.2 echo
  • (config-ext-nacl)#deny icmp host 10.0.1.0 host 10.0.0.2 echo
  • (config-ext-nacl)#permit ip any any
• Apply ACL to interface
  • (config-if)#ip access-group [access-list name] in|out

Disable Unused ports

• (config)#int range f0/1-24
• (config-if-range)shut

Port Security Configuration

• (config-if)#switchport mode access
  • must be an access port to apply port-security
• (config-if)#switchport port-security
• (config-if)#switchport port-security maximum [number of MACs allowed]
• (config-if)#switchport port-security mac-address [mac address]
  • To statically assign a MAC address to a port.

 

Configure EtherChannel

• Each side of the etherchannel needs to be configured the same.
• Types 
  • LACP
    • Active – Active = Connection
    • Active – Passive = Connection
    • Passive – Passive = No connection
  • PAgP
    • auto – auto = No connection
    • auto – desirable = Connection
    • desirable – desirable = Connection
  • Static
    • on – on = Connection
• Commands
  • (config)#int range [interfaces]
  • (config-if-range)#channel-group [group#] mode [active, passive, auto, desirable, on]
  • (config-if-range)#int po[group#]
  • (config-if)#switchport mode trunk
  • (config-if)#switchport trunk native vlan [vlan#]

Verify EtherChannel status

• #show etherchannel summary

StackWise, VSS and vPC

• Depending on the switch it will use one of the three versions.  This allows two different switches to support upload links using IP addresses instead of layer two information.
• Commands are very similar to layer 2 except for an additional command in the config-if-range and instead of setting trunk mode in the config-if you set an IP address
  • (config)#int range [interfaces]
  • (config-if-range)#channel-group [group#] mode [active, passive, auto, desirable, on]
  • (config-if-range)#no switchport
  • (config-if-range)#int po[group#]
  • (config-if)#ip address [IPAddress] [Subnet]
  • (config-if)#no shut

Spanning Tree Troubleshooting

• Identify the routing path of traffic 
  • Is there any HSRP
    • #show standby
  • Check VLANs
    • #show vlan brief
  • Which switch is the root switch and which ports are block ports
    • Check the spanning-tree details and find the root bridge
      • #show spanning-tree vlan [vlan#]
        • Summary and details of Root and Bridge ID and interface details
        • Verify all switches have matching spanning tree Root Bridge
        • Check Priority
• Set switch as Span-tree Primary and Secondary
  • Primary
    • (config)#spanning-tree vlan [vlan#] root primary
    • (config)#spanning-tree vlan [vlan#] root secondary
• Portfast and bpduguard is set on an interfaces or can be set at default for all access ports
  •  Interface
    • (config)#int [interface]
    • (config-if)#spanning-tree portfast
    • (config-if)#spanning-tree bpduguard enable
  • Default on all access ports
    • (config)# spanning-tree portfast bpduguard default

HSRP Configuration

• Basic HSRP
  • Configure basic HSRP of the 10.10.10.0/24 network
    • R1(config-if)#standby ip 10.10.10.1
    • R2(config-if)#standby ip 10.10.10.1
      • I missed a priority  when entering the standby, so it automatically set the group to zero and the priority to 100
      • #no standby 0 ip 10.10.10.1 and replace it by “standby group# ip VIP-IP”
      • When I changed one router to use group 1 I got a constant stream of Duplicate address 
  • Check HSRP active router
    • #show standby brief
    • #show standby
  • What is physical MAC address
    • show int g0/1
  • What is HSRP virtual interface MAC address
    • #show standby
• Priority and Pre-emption
  • Set router 1 has the preferred router
    • (config-if)standby 1 priority 110

Moving and studying do no go hand in hand, but I am in my new place and the network is about all setup.  It will be rough trying to get all the studying that I need in and the test taken before the end of the month, but I am going to keep focusing and time will tell.

 

So I have decided that I am going to move toward getting my next piece of paper (certification) and take a back seat to applying for positions.  Maybe something will come out of the ones that I have already applied for but as this is all items that I know and I just need to focus on how Cisco wants the answered so that I can ensure my future employers can confirm I know CCNA subject matter,  time to focus on CCNA.

Lab 19 – IGP Interior Gateway Protocol Fundamentals Configuration

• Configure RIP on all routers
  • (config)#route rip
  • (config-router)#no auto
  • (config-router)#network 10.0.0.0
• Verify routes
  • (config-router)#do show ip route
• Add Internet route to RIP on router R4 and make interface f1/1 passive to make sure rip info is not passed.
  • (config-router)#passive-interface f1/1
  • (config-router)#network 203.0.113.0
• Add default route on R4 using 203.0.113.2
  • (config)#ip route 0.0.0.0 0.0.0.0 203.0.113.2
• Distribute default route over rip
  • (config)#route rip
  • (config-router)#default-information originate
    • So the first time I did it will out looking at the answer I put in “network 0.0.0.0” before the originate command.  When I verified the routes on the other routers the 0.0.0.0 did not appear until I added “network 0.0.0.0”, but decided it was best to reset the entire RIP routing with a “no route rip” to clear everything out.
•