Private VLAN

Sometimes it is necessary to apply policy and segment a VLAN as in the diagram below. In this diagram, the WWW and FTP servers need to communicate with each other, so we put them in a community VLAN. The SQL server, on the other hand, should not be reachable by the FTP or WWW server, so we put it in an isolated VLAN. There are three types of secondary VLAN (sub-VLAN) in a Private VLAN:

  • Promiscuous: can be reached by every secondary VLAN (typically the gateway or shared-server port)

  • Isolated: cannot be seen by other secondary VLANs or by other isolated ports; only the promiscuous port reaches it

  • Community: can only see other members of the same community (and the promiscuous port)


Imagine we want to make a primary VLAN for these secondary VLANs. We create VLAN 100 as the primary:

SW# conf t
SW(config)#vtp mode transparent
SW(config)#vlan 100
SW(config-vlan)# private-vlan primary

Then create the secondary VLANs: 101 (community) for WWW and FTP, and 102 (isolated) for SQL:

SW(config)#vlan 101
SW(config-vlan)# private-vlan community
SW(config)#vlan 102
SW(config-vlan)# private-vlan isolated

After that, we associate the secondary VLANs with the primary VLAN:

SW(config)#vlan 100
SW(config-vlan)#private-vlan association 101,102

Next, we assign the interfaces to each VLAN:

SW(config)#int fa0/1
SW(config-if)# switchport mode private-vlan host
SW(config-if)# switchport private-vlan host-association 100 101
SW(config)#int fa0/2
SW(config-if)# switchport mode private-vlan host
SW(config-if)# switchport private-vlan host-association 100 101
SW(config)#int fa0/3
SW(config-if)# switchport mode private-vlan host
SW(config-if)# switchport private-vlan host-association 100 102
SW(config)#int fa0/10
SW(config-if)# switchport mode private-vlan promiscuous
SW(config-if)# switchport private-vlan mapping 100 101,102

To verify, use the show command:

SW# show vlan private-vlan
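The private-VLAN rules above can be checked offline before touching a switch. The following is an added example (not from the original notes, and not Cisco code): it parses a constructed running-config excerpt containing the same interface commands as above, then answers "can port X talk to port Y" using the promiscuous/isolated/community rules. The helper names and the config text are mine.

```python
# Added example (not from the original notes): a small model of the private-VLAN
# rules applied to the port assignments configured above.  The switch config text
# is constructed to mirror the page's commands; the helper names are mine.

# Which secondary VLAN is which type, as defined with "private-vlan community/isolated".
SECONDARY_TYPES = {101: "community", 102: "isolated"}

# Constructed running-config excerpt matching the interface commands on the page.
PVLAN_CONFIG = """
interface fa0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface fa0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface fa0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
interface fa0/10
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
"""


def parse_pvlan_ports(config: str) -> dict:
    """Read the interface/private-vlan lines into {port: {mode, primary, secondaries}}."""
    ports, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = line.split()[1]
            ports[cur] = {"mode": None, "primary": None, "secondaries": set()}
        elif line.startswith("switchport mode private-vlan "):
            ports[cur]["mode"] = line.split()[-1]          # host | promiscuous
        elif line.startswith("switchport private-vlan host-association "):
            primary, secondary = line.split()[-2:]
            ports[cur]["primary"] = int(primary)
            ports[cur]["secondaries"] = {int(secondary)}
        elif line.startswith("switchport private-vlan mapping "):
            primary, secondaries = line.split()[-2:]
            ports[cur]["primary"] = int(primary)
            ports[cur]["secondaries"] = {int(v) for v in secondaries.split(",")}
    return ports


def can_talk(ports: dict, a: str, b: str, types: dict = SECONDARY_TYPES) -> bool:
    """Layer-2 reachability between two ports under private-VLAN rules:
    promiscuous <-> any secondary VLAN it is mapped to; community <-> same
    community; isolated <-> promiscuous only."""
    pa, pb = ports[a], ports[b]
    if pa["primary"] != pb["primary"]:
        return False                                   # different primary VLANs
    if "promiscuous" in (pa["mode"], pb["mode"]):
        # A promiscuous port reaches every secondary VLAN in its mapping list
        # (and another promiscuous port in the same primary VLAN).
        return pa["mode"] == pb["mode"] or bool(pa["secondaries"] & pb["secondaries"])
    (sa,), (sb,) = pa["secondaries"], pb["secondaries"]
    # Two host ports only talk inside the same *community* secondary VLAN.
    return sa == sb and types[sa] == "community"


def reachability(ports: dict) -> dict:
    """Full matrix {(src, dst): bool} for every ordered pair of distinct ports."""
    return {(a, b): can_talk(ports, a, b) for a in ports for b in ports if a != b}
```

Running `reachability(parse_pvlan_ports(PVLAN_CONFIG))` gives the expected policy: fa0/1 and fa0/2 (community 101) reach each other, fa0/3 (isolated 102) reaches only the promiscuous port fa0/10, and fa0/10 reaches everything.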

STP-PVST-RSTP-MSTP

1- STP (Spanning-Tree Protocol) (802.1D)

To prevent loops between switches, Cisco uses the Spanning-Tree Protocol. STP is the simplest and oldest variant and is enabled by default on Cisco devices. STP is an industry standard that other vendors also use to prevent loops between devices.

STP uses BPDUs (bridge protocol data units) to detect loops between devices. If there is a loop, STP blocks the redundant links. As you can see in Figure 1, we have three switches with the same priority. In the root bridge election, the switch with the lowest priority becomes the root bridge. Since the priorities are equal here, the second criterion in the root bridge election is the lowest MAC address. Therefore switch A becomes the root bridge, and switches B and C use their shortest path to reach the root bridge; that port is called the root port. Then there is an election between switch B and switch C on the link between them: as mentioned, switch B has the lower MAC address, so its port becomes the designated port and the port on switch C is blocked.

Figure 1: STP States

The default switch priority is 32768 and must be a multiple of 4096 (between 0 and 61440), while the default port priority is 128 and must be a multiple of 16.

In STP, we have 5 port states, namely:

disabled, blocking (20 s), listening (15 s), learning (15 s), forwarding

This means we have to wait at least 50 seconds for full convergence.

We can configure the switch's STP priority, or simply make it the primary root:

sw1(config)# spanning-tree vlan 1 priority 4096
or
sw1(config)# spanning-tree vlan 1 root primary

You can use show commands to see the root bridge or the state of each port:

sw1# show spanning-tree
or
sw1# show spanning-tree vlan 1
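The election described above (lowest priority, then lowest MAC address, then root path cost on each link) can be worked through on a constructed copy of the Figure 1 topology. The following is an added example and not part of the original notes or any Cisco software; the MAC addresses, the per-VLAN system-ID extension used to build the bridge ID, and the FastEthernet path cost of 19 are assumptions I chose for illustration.

```python
import heapq

# Added example (not from the original notes): 802.1D root-bridge election and the
# designated-bridge decision on each segment, using a constructed copy of the
# Figure 1 topology (three switches, equal priority, FastEthernet links).

SWITCHES = {
    "A": {"priority": 32768, "mac": "0000.0c00.0001"},
    "B": {"priority": 32768, "mac": "0000.0c00.0002"},
    "C": {"priority": 32768, "mac": "0000.0c00.0003"},
}
LINKS = [("A", "B", 19), ("A", "C", 19), ("B", "C", 19)]   # (end1, end2, path cost)


def bridge_id(priority: int, mac: str, vlan: int = 1) -> int:
    """Bridge ID as a comparable integer: 4-bit priority (a multiple of 4096)
    plus 12-bit VLAN system-ID extension, followed by the 48-bit MAC.  Lower wins."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    return ((priority + vlan) << 48) | int(mac.replace(".", ""), 16)


def elect_root(switches: dict, vlan: int = 1) -> str:
    """The switch with the lowest bridge ID (lowest priority, then lowest MAC)."""
    return min(switches, key=lambda s: bridge_id(switches[s]["priority"], switches[s]["mac"], vlan))


def root_path_costs(root: str, links: list) -> dict:
    """Cheapest total path cost from every switch to the root (Dijkstra)."""
    adj = {}
    for a, b, cost in links:
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    dist, heap = {root: 0}, [(0, root)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue
        for nbr, cost in adj.get(node, []):
            if d + cost < dist.get(nbr, float("inf")):
                dist[nbr] = d + cost
                heapq.heappush(heap, (d + cost, nbr))
    return dist


def designated_bridges(switches: dict, links: list, vlan: int = 1):
    """Per segment, the bridge whose port forwards (designated): lowest root path
    cost, tie broken by lowest bridge ID.  The other end of that segment is the
    side that ends up blocked unless it is that bridge's root port."""
    root = elect_root(switches, vlan)
    cost = root_path_costs(root, links)
    designated = {}
    for a, b, _ in links:
        designated[(a, b)] = min(
            (a, b),
            key=lambda s: (cost[s], bridge_id(switches[s]["priority"], switches[s]["mac"], vlan)),
        )
    return root, cost, designated
```

With equal priorities, A wins on MAC address; on the B-C segment both sides have the same root path cost (19), so the tie goes to B's lower bridge ID and C's end is blocked, exactly the outcome described for Figure 1. Lowering C's priority to 4096 (as with `spanning-tree vlan 1 priority 4096`) makes C the root instead.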

2- PVST+ (Per-VLAN Spanning-Tree)

This is the same idea as STP. The only difference is that it runs per VLAN instead of as one instance for the whole switch. Delays in receiving BPDUs can cause problems such as slow convergence. Per-VLAN Spanning Tree (PVST) is a solution for these problems: it operates a separate instance of STP for each individual VLAN, which also allows more efficient load balancing.

3- RSTP (Rapid Spanning-Tree Protocol) (802.1w)

Cisco enhanced the original 802.1D specification with features such as UplinkFast, BackboneFast and PortFast to speed up the convergence time of a bridged network. The five 802.1D port states map onto the RSTP port states as follows:

STP (802.1D) Port State | RSTP (802.1w) Port State
------------------------|-------------------------
Disabled                | Discarding
Blocking                | Discarding
Listening               | Discarding
Learning                | Learning
Forwarding              | Forwarding

This means that, by removing the listening state, convergence now takes about 30 seconds. To configure it, simply add:

sw1(config)# spanning-tree mode rapid-pvst

Figure 2: RSTP port states

As you see in Figure 2, RSTP has an alternate port instead of a blocked port. RSTP can also detect edge ports and distinguishes the root port from edge ports.

3-1 PortFast

PortFast causes a switch or trunk port to enter the spanning tree forwarding state immediately, bypassing the listening and learning states.

You can use PortFast on switch or trunk ports that are connected to a single workstation, switch, or server to allow those devices to connect to the network immediately, instead of waiting for the port to transition through the listening and learning states to the forwarding state.

The most secure implementation of PortFast is to enable it only on ports that connect end stations to switches. To configure it:

sw1(config)# int fa0/1
sw1(config-if)# spanning-tree portfast

3-2 BPDU Guard and BPDU Filter

PortFast BPDU guard prevents loops by moving a non-trunking port into the errdisable state when a BPDU is received on that port. When you enable BPDU guard on the switch, spanning tree shuts down PortFast-configured interfaces that receive BPDUs. Cisco recommends that every port connected to an endpoint device have BPDU guard. BPDU guard:

  • Moves the interface to the errdisable state when a BPDU arrives

  • Prevents the port from accepting BPDUs

To enable BPDU guard:

sw1(config)# int fa0/1
sw1(config-if)# spanning-tree bpduguard enable

BPDU filtering, on the other hand, lets you avoid transmitting BPDUs on PortFast-enabled ports that are connected to an end system. When you enable PortFast on the switch, spanning tree places ports in the forwarding state immediately, instead of going through the listening, learning, and forwarding states. BPDU filtering:

  • Prevents the port from sending and receiving BPDUs

  • Effectively stops spanning tree on the interface

3-3 Loop Guard and Root Guard

BPDU guard and root guard are similar, but their impact is different. BPDU guard disables the port upon BPDU reception if PortFast is enabled on the port. The disablement effectively denies devices behind such ports participation in STP. You must manually re-enable a port that is put into the errdisable state, or configure errdisable-timeout.

Root guard allows the device to participate in STP as long as the device does not try to become the root. If root guard blocks the port, subsequent recovery is automatic. Recovery occurs as soon as the offending device ceases to send superior BPDUs.

sw1(config)# int fa0/1
sw1(config-if)# spanning-tree guard root

When one of the ports in a physically redundant topology no longer receives BPDUs, STP concludes that the topology is loop-free. Eventually the blocking port (the alternate or backup port) becomes designated and moves to the forwarding state. This situation creates a loop.

The loop guard feature makes additional checks. If BPDUs are not received on a non-designated port, and loop guard is enabled, that port is moved into the STP loop-inconsistent blocking state, instead of the listening / learning / forwarding state. Without the loop guard feature, the port assumes the designated port role. The port moves to the STP forwarding state and creates a loop.

sw1(config)# int fa0/1
sw1(config-if)# spanning-tree guard loop

4- MSTP (Multiple Spanning-Tree Protocol) (802.1s)

MST extends the IEEE 802.1w rapid spanning tree (RST) algorithm to multiple spanning trees. This extension provides both rapid convergence and load balancing in a VLAN environment. MST converges faster than Per VLAN Spanning Tree Plus (PVST+) and is backward compatible with 802.1D STP, 802.1w (Rapid Spanning Tree Protocol [RSTP]), and the Cisco PVST+ architecture.

MST allows you to build multiple spanning trees over trunks. You can group and associate VLANs to spanning tree instances. Each instance can have a topology independent of other spanning tree instances. This architecture provides multiple forwarding paths for data traffic and enables load balancing. Network fault tolerance is improved because a failure in one instance (forwarding path) does not affect other instances.

In large networks, you can administer the network more easily and use redundant paths by placing different VLAN and spanning-tree instance assignments in different parts of the network.

MST is organised into regions, and each region contains instances which in turn contain VLANs. As shown in the code below, we define different instances, each with its own VLANs. A VLAN that is not assigned to any instance goes to instance 0.

sw(config)# spanning-tree mst conf
sw(config-mst)# name HRT
sw(config-mst)# revision 1
sw(config-mst)# instance 1 vlan 2-3
sw(config-mst)# instance 2 vlan 4-8
sw(config-mst)# instance 3 vlan 9-11
sw(config-mst)# exit
sw(config)#spanning-tree mode mst

To show the MST configuration:

sw# show spanning-tree mst conf

NetFlow

NetFlow is a network analysis protocol that collects detailed information about network traffic as it flows through a router interface. NetFlow helps network administrators answer the questions of who (users), what (application), when (time of day), where (source and destination IP addresses) and how network traffic is flowing.

NetFlow components

  • NetFlow monitor: a component applied to an interface that collects information about flows. A flow monitor consists of a record and a cache; you add the record to the flow monitor after the monitor is created. In the topology above, we can apply NetFlow monitors to the s0/0, Fa0/0 and Fa0/1 interfaces of the router to collect traffic information for these interfaces.

  • NetFlow exporter: aggregates packets into flows, stores IP flow information in its NetFlow cache and exports it in the form of flow records to the NetFlow collector.

  • NetFlow collector: collects the flow records sent by the NetFlow exporters, parsing and storing the flows. Usually the collector is separate software running on a network server. NetFlow records are exported to the collector using the User Datagram Protocol (UDP).

  • NetFlow sampler: used to reduce the number of packets that are selected for analysis. It is applied to a NetFlow monitor to reduce the overhead, because the number of packets the flow monitor must analyse is reduced. Note that the accuracy of the information stored in the flow monitor's cache is reduced correspondingly.

How NetFlow Exporter works

When packets arrive at the NetFlow Exporter, each of them is inspected for one or many IP packet attributes. These attributes are used to determine if the packet is unique or similar to other packets. If it is similar then it is classified as in the same flow.

[Figure: NetFlow_Exporter.jpg]

There are seven key IP packet attributes that NetFlow can use to classify packets into separate flows:

  • IP source address

  • IP destination address

  • Source port

  • Destination port

  • Layer 3 protocol type

  • Class of Service (or Type of Service, ToS) byte

  • Input (router or switch) interface

Other attributes can also be used; these are called non-key attributes, such as timestamps, packet and byte counters, and TCP flag information.

After inspecting these attributes, the NetFlow exporter condenses them into flow records and saves them in a database called the NetFlow cache. These flow records can also be exported to a NetFlow collector.
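The classification step above is easy to reproduce: packets that share the seven key fields land in one cache entry, and the non-key fields (byte counts, timestamps, TCP flags) accumulate on that entry. The following is an added example, not code from the original notes or from Cisco; the packets are constructed samples and the `Packet`/`FlowEntry` names are mine.

```python
from dataclasses import dataclass

# Added example (not from the original notes): how an exporter turns packets into
# flow-cache entries using the seven key fields, with the non-key fields kept as
# counters.  The packets below are constructed samples.

KEY_FIELDS = ("src", "dst", "sport", "dport", "proto", "tos", "ifindex")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int      # layer-3 protocol number: 6 = TCP, 17 = UDP
    tos: int
    ifindex: int    # input interface
    length: int     # non-key attribute: bytes on the wire
    tcp_flags: int = 0
    ts: int = 0     # arrival time (constructed, seconds)


@dataclass
class FlowEntry:
    packets: int = 0
    octets: int = 0
    first: int = 0
    last: int = 0
    tcp_flags: int = 0   # cumulative OR of the flags seen, as NetFlow reports it


def flow_key(p: Packet) -> tuple:
    return tuple(getattr(p, f) for f in KEY_FIELDS)


def build_cache(packets) -> dict:
    """Group packets into flows: same 7-tuple -> same entry; counters accumulate."""
    cache = {}
    for p in packets:
        key = flow_key(p)
        entry = cache.get(key)
        if entry is None:
            entry = cache[key] = FlowEntry(first=p.ts, last=p.ts)
        entry.packets += 1
        entry.octets += p.length
        entry.last = max(entry.last, p.ts)
        entry.tcp_flags |= p.tcp_flags
    return cache


def bytes_by_dport(cache: dict) -> dict:
    """The 'what' question: traffic volume per destination port."""
    out = {}
    for key, entry in cache.items():
        dport = key[KEY_FIELDS.index("dport")]
        out[dport] = out.get(dport, 0) + entry.octets
    return out


SAMPLE_PACKETS = [
    Packet("10.0.0.5", "10.0.0.80", 51000, 80, 6, 0, 1, 60, 0x02, 100),    # SYN
    Packet("10.0.0.5", "10.0.0.80", 51000, 80, 6, 0, 1, 1500, 0x10, 101),  # ACK
    Packet("10.0.0.5", "10.0.0.80", 51000, 80, 6, 0, 1, 40, 0x11, 102),    # FIN/ACK
    Packet("10.0.0.80", "10.0.0.5", 80, 51000, 6, 0, 2, 1200, 0x18, 101),  # reply direction: separate flow
    Packet("10.0.0.5", "10.0.0.80", 51001, 443, 6, 0, 1, 60, 0x02, 103),   # new destination port: separate flow
    Packet("10.0.0.7", "10.0.0.53", 40000, 53, 17, 0, 1, 80, 0, 104),
    Packet("10.0.0.7", "10.0.0.53", 40000, 53, 17, 0, 1, 200, 0, 105),
]
```

Note that the reply direction is its own flow (the source and destination fields swap), which is why NetFlow reports a TCP connection as two records.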

How to view NetFlow data

There are two main methods to view NetFlow data:

  • Command Line Interface (CLI): because the NetFlow cache is part of the NetFlow exporter, we can view the cache directly via the CLI, which is very useful for troubleshooting, with the "show ip cache flow" command. An example output of this command is shown below:

[Figure: show_ip_cache_flow.jpg (example output of show ip cache flow)]

  • A NetFlow reporting tool: there are many tools that collect the NetFlow packets sent to the NetFlow collector and display a comprehensive view. Below is an example of what SolarWinds NetFlow Traffic Analyzer can show:

[Figure: NetFlow_Reporting_tool.jpg]

NetFlow versions

  • Version 1: the original format supported in the initial NetFlow releases. Versions 2, 3 and 4 were not released.

  • Version 5: an enhancement that adds Border Gateway Protocol (BGP) autonomous system information, flow sequence numbers and a few additional fields. This is the standard and most common NetFlow version. It supports IPv4 only.

  • Version 6: similar to version 7.

  • Version 7: Cisco-specific version for Catalyst 5000 series switches, not compatible with Cisco routers.

  • Version 8: a choice of aggregation schemes in order to reduce resource usage.

  • Version 9: supports a flexible flow-record format and is known as Flexible NetFlow technology. NetFlow version 9 includes a template that describes what is being exported. It supports an extensible export format to make future support easier, and additional fields and technologies such as MPLS, IPv6, IPsec, NBAR protocols, multicast, VLAN ID and more.

In general, the two most important NetFlow versions are version 5 and version 9, which we will learn how to configure.

Note: NetFlow version 5 only supports monitoring inbound statistics, using the "ip flow ingress" command, while NetFlow v9 also allows monitoring traffic leaving each interface via the "ip flow egress" command.
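Since version 5 is the one most collectors still receive, it is worth seeing what actually crosses the wire to UDP port 2055: a fixed 24-byte header followed by up to 30 fixed 48-byte records. The following encoder/decoder is an added example (not from the original notes, and not Cisco or SolarWinds code); the flow values are constructed and the function names are mine. The decoder rejects datagrams whose version or record count does not match, which is the first check a collector should make on untrusted UDP input.

```python
import struct
from ipaddress import IPv4Address

# Added example (not from the original notes): build and parse a NetFlow version 5
# export datagram (24-byte header, 48-byte records) as a collector receives it over
# UDP.  Flow values below are constructed.

V5_HEADER = struct.Struct("!HHIIIIBBH")                     # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")       # 48 bytes
HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling_interval")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts", "dOctets",
                 "first", "last", "srcport", "dstport", "pad1", "tcp_flags", "prot", "tos",
                 "src_as", "dst_as", "src_mask", "dst_mask", "pad2")


def build_v5_packet(flows, flow_sequence=0, sys_uptime=1000, unix_secs=1700000000) -> bytes:
    """Encode 1..30 flow dicts into one v5 export datagram (exporter side)."""
    if not 0 < len(flows) <= 30:
        raise ValueError("a v5 packet carries 1..30 records")
    header = V5_HEADER.pack(5, len(flows), sys_uptime, unix_secs, 0, flow_sequence, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(
            IPv4Address(f["srcaddr"]).packed, IPv4Address(f["dstaddr"]).packed,
            IPv4Address(f.get("nexthop", "0.0.0.0")).packed,
            f.get("input", 0), f.get("output", 0), f["dPkts"], f["dOctets"],
            f.get("first", 0), f.get("last", 0), f["srcport"], f["dstport"],
            0, f.get("tcp_flags", 0), f["prot"], f.get("tos", 0),
            f.get("src_as", 0), f.get("dst_as", 0), f.get("src_mask", 0), f.get("dst_mask", 0), 0)
        for f in flows)
    return header + body


def parse_v5_packet(data: bytes):
    """Decode a v5 datagram (collector side); rejects wrong versions and
    datagrams whose length disagrees with the record count."""
    if len(data) < V5_HEADER.size:
        raise ValueError("short header")
    header = dict(zip(HEADER_FIELDS, V5_HEADER.unpack_from(data)))
    if header["version"] != 5:
        raise ValueError(f"not NetFlow v5 (version {header['version']})")
    expected = V5_HEADER.size + header["count"] * V5_RECORD.size
    if header["count"] > 30 or len(data) != expected:
        raise ValueError("record count does not match datagram length")
    records = []
    for i in range(header["count"]):
        raw = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        rec = dict(zip(RECORD_FIELDS, raw))
        for k in ("srcaddr", "dstaddr", "nexthop"):
            rec[k] = str(IPv4Address(rec[k]))
        records.append(rec)
    return header, records


# Constructed flows, matching the cache example earlier in these notes.
SAMPLE_FLOWS = [
    {"srcaddr": "10.0.0.5", "dstaddr": "10.0.0.80", "srcport": 51000, "dstport": 80,
     "prot": 6, "dPkts": 3, "dOctets": 1600, "tcp_flags": 0x13, "input": 1, "output": 2},
    {"srcaddr": "10.0.0.7", "dstaddr": "10.0.0.53", "srcport": 40000, "dstport": 53,
     "prot": 17, "dPkts": 2, "dOctets": 280, "input": 1, "output": 2},
]
```

The `flow_sequence` field is what lets a collector notice lost datagrams: consecutive packets from one exporter carry consecutive sequence numbers (advancing by the record count), so a jump means flows went missing.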

Configure NetFlow version 9

To configure NetFlow version 9 (Flexible NetFlow), we need to configure three components:

1. Flow Record

2. Flow Exporter

3. Flow Monitor

The following configuration enables NetFlow version 9 on Fa0/1 interface and export to a NetFlow collector at 10.1.1.1 on UDP port 2055.

1. Configure the Flow Record:

Router(config)# flow record TUT_Record
Router(config-flow-record)# match ipv4 destination address
Router(config-flow-record)# match ipv4 source address

2. Configure the Flow Exporter:

Router(config)# flow exporter TUT_Exporter
Router(config-flow-exporter)# destination 10.1.1.1
Router(config-flow-exporter)# transport udp 2055

3. Configure the Flow Monitor:

Router(config)# flow monitor TUT_Monitor
Router(config-flow-monitor)# record TUT_Record        ! must match the Flow Record name above
Router(config-flow-monitor)# exporter TUT_Exporter    ! must match the Flow Exporter name above

4. Apply it to an interface:

Router(config)# interface fa0/1
Router(config-if)# ip flow monitor TUT_Monitor input  ! monitor traffic received on the interface

SPAN-RSPAN

1- SPAN (Switched Port Analyzer)

To sniff or analyse the traffic on a specific port or VLAN you can use SPAN. As shown in Figure 1, we want to see the traffic of FastEthernet0/1 on port FastEthernet0/10. So we simply define a monitor session with interface FastEthernet0/1 as the source and FastEthernet0/10 as the destination.

Figure 1: SPAN

SW# conf t
SW(config)#monitor session 1 source int fa0/1
SW(config)#monitor session 1 destination int fa0/10

You can capture received, transmitted or both directions of traffic in the monitor session:

SW(config)#monitor session 1 source int fa0/1 rx | tx | both

2- RSPAN (Remote Switched Port Analyzer)

This is exactly the same scenario as SPAN, but here we monitor a port on a remote switch. First, you have to define a dedicated RSPAN VLAN on both switches. Then you specify the source on one switch and the destination on the other.

SW1# conf t
SW1(config)#vlan 20
SW1(config-vlan)#remote-span
SW1(config-vlan)#exit
SW1(config)#monitor session 1 source int fa0/1
SW1(config)#monitor session 1 destination remote vlan 20
SW2# conf t
SW2(config)#vlan 20
SW2(config-vlan)#remote-span
SW2(config-vlan)#exit
SW2(config)#monitor session 1 source remote vlan 20
SW2(config)#monitor session 1 destination int fa0/10

3- show command

SW# show monitor session 1 detail

SNMP (v1, v2c, v3)

1- What is SNMP?

SNMP is an application-layer protocol that provides a message format for communication between managers and agents. The SNMP system consists of:

  • an SNMP manager,

  • an SNMP agent,

  • and a MIB.

The SNMP agent contains MIB variables whose values the SNMP manager can request or change. A manager can get a value from an agent or store a value into the agent. The agent gathers data from the MIB, the repository for information about device parameters and network data. The agent can also respond to a manager’s requests to get or set data.

An agent can send unsolicited traps to the manager. Traps are messages alerting the SNMP manager to a condition on the network. Traps can mean improper user authentication, restarts, link status (up or down), MAC address tracking, closing of a TCP connection, loss of connection to a neighbor, or other significant events.

SNMP Versions

Model   | Level                                              | Authentication                                        | Encryption                                                             | Result
--------|----------------------------------------------------|-------------------------------------------------------|------------------------------------------------------------------------|-------
SNMPv1  | noAuthNoPriv                                       | Community string                                      | No                                                                     | Uses a community string match for authentication.
SNMPv2c | noAuthNoPriv                                       | Community string                                      | No                                                                     | Uses a community string match for authentication.
SNMPv3  | noAuthNoPriv                                       | Username                                              | No                                                                     | Uses a username match for authentication.
SNMPv3  | authNoPriv                                         | Message Digest 5 (MD5) or Secure Hash Algorithm (SHA) | No                                                                     | Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms.
SNMPv3  | authPriv (requires the cryptographic software image) | MD5 or SHA                                          | Data Encryption Standard (DES) or Advanced Encryption Standard (AES)   | Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms, and allows specifying the User-based Security Model (USM) with these encryption algorithms: DES 56-bit encryption (CBC-DES, DES-56), 3DES 168-bit encryption, or AES 128-bit, 192-bit or 256-bit encryption.

Configuring SNMPv2c is simple; just write:

SW# conf t
SW(config)# snmp-server community HRT ro

ro means read-only and rw means read/write.

Configuring SNMPv3 needs three steps:

1- Define a view

SW(config)# snmp-server view View_Name iso|family|interface included

iso means everything in the MIB.

2- Define a group

SW(config)# snmp-server group Group_Name v3 priv read View_Name

3- Define a user

SW(config)# snmp-server user UserName Group_Name v3 auth sha|md5 Password priv des|aes 128 Your_Preshared_Key
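The "auth" password and the "priv" pre-shared key in the user command above are never used directly on the wire: the agent turns each of them into a key that is localized to its own engine ID (RFC 3414 A.2), and every SNMPv3 message then carries a 12-byte HMAC truncation computed with that key. The following is an added example, not code from the original notes or from Cisco IOS; the engine IDs and the message bytes are constructed, and the function names are mine. The first engine ID is the one from the RFC 3414 appendix, so the derived keys can be checked against the published vectors.

```python
import hashlib
import hmac

# Added example (not from the original notes): how an SNMPv3 agent derives the
# per-device keys behind the "auth" and "priv" passwords (RFC 3414 A.2), and how
# the 12-byte authentication parameter is computed and verified.  Engine IDs and
# the message below are constructed; the RFC 3414 appendix vectors check the math.


def password_to_key(password: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """RFC 3414 key localization: hash 1 MiB of the repeated password (Ku), then
    hash Ku || engineID || Ku (Kul).  The same password yields a different key on
    every engine, so a key recovered from one device does not open the others."""
    if not password:
        raise ValueError("empty password")
    expanded = (password * (1048576 // len(password) + 1))[:1048576]
    ku = hashlib.new(algo, expanded).digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_parameter(key: bytes, whole_msg: bytes, algo: str = "sha1") -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96: the first 12 bytes of the HMAC over the message."""
    return hmac.new(key, whole_msg, algo).digest()[:12]


def verify_auth(key: bytes, whole_msg: bytes, received: bytes, algo: str = "sha1") -> bool:
    """Constant-time comparison, so a forged tag cannot be guessed byte by byte."""
    return hmac.compare_digest(auth_parameter(key, whole_msg, algo), received)


# Constructed engine IDs and message.
ENGINE_A = bytes.fromhex("000000000000000000000002")      # engine ID used in RFC 3414 appendix A
ENGINE_B = bytes.fromhex("80001f888059dc486145a26322")    # constructed, another device
MESSAGE = b"\x30\x0b\x02\x01\x03" + b"constructed-snmp-pdu"
```

Compare this with SNMPv1/v2c in the table: there the community string itself is the credential and travels in clear text in every packet, which is why `ro` communities on management-only ACLs are the minimum, and SNMPv3 authPriv is the goal.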

2- Connect your device to PRTG

PRTG is a really good tool for collecting information from devices that support SNMP. You can download the software, and up to around 100 sensors are free; in other words, you can use it for a small business.

1- First, add a new device with its IPv4 address.

2- Second, select the SNMP version and the authentication type (SHA or MD5), and enter your username and password.

3- Third, enter the encryption type and the pre-shared key.

4- Add the sensors you want; there are a lot of sensors for different devices. For example, I add Ping to this device.

TACACS+ and RADIUS

TACACS+ and RADIUS are security protocols that provide centralized validation of users attempting to gain access to a router or network access server. Table 1 lists the main differences between TACACS+ and RADIUS:

Feature    | TACACS+                  | RADIUS
-----------|--------------------------|------------------------
Encryption | Packet fully encrypted   | Only the password encrypted
Protocol   | TCP                      | UDP
Standard   | Cisco                    | Industry
AAA        | Separate AAA             | Combined AAA

To configure RADIUS or TACACS+, first we enable the AAA new-model and then we use 802.1X (dot1x) authentication. Note that 802.1X port authentication itself works with RADIUS; TACACS+ is used for device-administration (login and exec) AAA.

Server side
SW# conf t
SW(config)# aaa new-model
SW(config)# aaa authentication dot1x default group radius
SW(config)# dot1x system-auth-control
SW(config)# int fa0/1
SW(config-if)# dot1x port-control auto    ! auto | force-authorized | force-unauthorized
Client side
SW# conf t
SW(config)# aaa new-model
SW(config)# radius-server host a.b.c.d key password    ! or: tacacs-server host a.b.c.d key password
SW(config)# aaa authentication dot1x default group radius
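The "Encryption" row of Table 1 is worth seeing in code, because neither protocol uses real encryption: RADIUS hides only the User-Password attribute with an MD5-based XOR stream (RFC 2865 section 5.2), leaving the username and every other attribute in clear text, while TACACS+ XORs the whole packet body with an MD5 pseudo-pad (RFC 8907 section 4.5). The following is an added example, not code from the original notes or from Cisco; the shared secret, authenticator, password and TACACS+ body are constructed sample values and the function names are mine.

```python
import hashlib
import os

# Added example (not from the original notes): the two "encryption" entries in the
# table above, implemented as the protocols define them.  Both are MD5-keyed XOR
# streams derived from the shared secret, not authenticated encryption; this is
# why both should run only inside a management network or over IPsec/TLS.


def new_authenticator() -> bytes:
    """RADIUS Request Authenticator: 16 fresh random bytes per Access-Request."""
    return os.urandom(16)


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password hiding: pad to a 16-byte multiple, then
    c_i = p_i XOR MD5(secret || c_{i-1}) with c_0 = Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same transform; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def tacacs_obfuscate(body: bytes, key: bytes, session_id: int,
                     version: int = 0xC0, seq_no: int = 1) -> bytes:
    """TACACS+ body XOR pseudo-pad, where pad_1 = MD5(session_id || key || version || seq_no)
    and pad_n = MD5(session_id || key || version || seq_no || pad_{n-1}).
    The operation is its own inverse, so the same call de-obfuscates."""
    prefix = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))


# Constructed sample values.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))          # fixed here so results are repeatable; real clients use new_authenticator()
PASSWORD = b"Sup3rSecret!"
TACACS_BODY = b"\x01\x00\x02\x01\x05\x08\x08\x00" + b"alice" + b"console0" + b"10.0.0.9"
```

The practical consequence for detection and hardening: a RADIUS Access-Request captured on the wire exposes the username and NAS details directly, and the hidden password is only as strong as the shared secret; TACACS+ hides the body but, again, only with the shared secret, so secret quality and network placement matter for both.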

High Availability (HSRP, VRRP, GLBP)

1- Understanding HSRP

HSRP is the Cisco standard method of providing high network availability by providing first-hop redundancy for IP hosts on an IEEE 802 LAN configured with a default gateway IP address. HSRP allows two or more HSRP-configured routers to use the MAC address and IP network address of a virtual router. The virtual router does not exist; it represents the common target for routers that are configured to provide backup to each other. One of the routers is selected to be the active router and another to be the standby router, which assumes control of the group MAC address and IP address should the designated active router fail.

HSRP has two versions:

  • HSRPv1—Version 1 of the HSRP, the default version of HSRP. It has these features:

    The HSRP group number can be from 0 to 255.

    HSRPv1 uses the multicast address 224.0.0.2 to send hello packets, which can conflict with Cisco Group Management Protocol (CGMP) leave processing. You cannot enable HSRPv1 and CGMP at the same time; they are mutually exclusive.

  • HSRPv2—Version 2 of the HSRP has these features:

    To match the HSRP group number to the VLAN ID of a subinterface, HSRPv2 can use a group number from 0 to 4095 and a MAC address from 0000.0C9F.F000 to 0000.0C9F.FFFF.

    HSRPv2 uses the multicast address 224.0.0.102 to send hello packets. HSRPv2 and CGMP leave processing are no longer mutually exclusive, and both can be enabled at the same time.

    HSRPv2 has a different packet format than HRSPv1.

    A switch running HSRPv1 cannot identify the physical router that sent a hello packet because the source MAC address of the router is the virtual MAC address.

HSRPv2 has a different packet format than HSRPv1. A HSRPv2 packet uses the type-length-value (TLV) format and has a 6-byte identifier field with the MAC address of the physical router that sent the

I again use the Cisco website to compare these two versions:

Feature                          | Default Setting
---------------------------------|------------------------------------------------------------------
HSRP version                     | Version 1
HSRP groups                      | None configured
Standby group number             | 0
Standby MAC address              | System assigned as 0000.0c07.acXX, where XX is the HSRP group number
Standby priority                 | 100
Standby delay                    | 0 (no delay)
Standby track interface priority | 10
Standby hello time               | 3 seconds
Standby holdtime                 | 10 seconds

HSRPv1 -> 0000.0c07.ac** (where ** is the HSRP group number in hex)

HSRPv2 -> 0000.0c9f.f*** (where *** is the HSRP group number in hex; for groups below 256 this reads 0000.0c9f.f0**)

HSRP consists of 6 states:

  • Initial: the beginning state. It indicates HSRP is not running; it happens when the configuration changes or the interface is first turned on.

  • Learn: the router has not determined the virtual IP address and has not yet seen an authenticated hello message from the active router. In this state, the router still waits to hear from the active router.

  • Listen: the router knows both the IP and the MAC address of the virtual router but it is not the active or standby router. For example, if there are 3 routers in the HSRP group, the router which is neither active nor standby will remain in the listen state.

  • Speak: the router sends periodic HSRP hellos and participates in the election of the active or standby router.

  • Standby: the router monitors hellos from the active router and will take the active state when the current active router fails (no packets heard from the active router).

  • Active: the router forwards packets that are sent to the HSRP group. The router also sends periodic hello messages.

router1# conf t
router1(config)# int fa0/1
router1(config-if)# standby 1 ip 172.16.0.1
router1(config-if)# standby 1 priority 150
router1(config-if)# standby 1 preempt
router2# conf t
router2(config)# int fa0/2
router2(config-if)# standby 1 ip 172.16.0.1    ! the virtual IP must be the same on every router in group 1
router2(config-if)# standby 1 priority 120
router2(config-if)# standby 1 preempt
router2(config-if)# standby 1 track fa0/1 60
router2(config-if)# standby 1 timers 1 3

track fa0/1 60 means that if fa0/1 goes down, the priority is decreased by 60.

standby 1 timers 1 3 sets the hello timer to 1 second and the hold (dead) timer to 3 seconds.

To see the HSRP configuration:

router1# show standby

2- Understanding VRRP

The Virtual Router Redundancy Protocol (VRRP) was created by the IETF in 1999. It is the same concept as HSRP except that it has faster timers: the hello timer is 1 second and the hold timer is 3 seconds by default. VRRP uses master/backup instead of active/standby and a VRRP group instead of a standby group.

router1# conf t
router1(config)# int fa0/1
router1(config-if)# vrrp 10 ip 172.16.0.1
router1(config-if)# vrrp 10 priority 150
router1(config-if)# vrrp 10 preempt
router1(config-if)# vrrp 10 timers advertise msec 100

To see the VRRP configuration:

router1# show vrrp

3- Understanding GLBP

The main disadvantage of HSRP and VRRP is that only one gateway is elected to be the active gateway and used to forward traffic whilst the rest are unused until the active one fails. Gateway Load Balancing Protocol (GLBP) is a Cisco proprietary protocol and performs the similar function to HSRP and VRRP but it supports load balancing among members in a GLBP group.

When the routers are configured to a GLBP group, they first elect one gateway to be the Active Virtual Gateway (AVG) for that group. The election is based on the priority of each gateway (highest priority wins). If all of them have the same priority then the gateway with the highest real IP address becomes the AVG. The AVG, in turn, assigns a virtual MAC address to each member of the GLBP group. Each gateway which is assigned a virtual MAC address is called Active Virtual Forwarder (AVF). A GLBP group only has a maximum of four AVFs. If there are more than 4 gateways in a GLBP group then the rest will become Standby Virtual Forwarder (SVF) which will take the place of a AVF in case of failure. The virtual MAC address in GLBP is 0007.b400.xxyy where xx is the GLBP group number and yy is the different number of each gateway (01, 02, 03…).

Each AVF listens to the others; if one AVF can no longer forward traffic, all listening AVFs compete to take over the failed AVF's vMAC along with their own (the AVF with the higher weighting wins).

To detect a gateway failure, GLBP members communicate between each other through hello messages sent every 3 seconds to the multicast address 224.0.0.102, User Datagram Protocol (UDP) port 3222.

GLBP supports up to 1024 virtual routers (GLBP groups) per physical interface of a router.

GLBP has three authentication types:

  • No authentication

  • MD5 authentication

  • Plain text authentication

router1# conf t
router1(config)# int fa0/1
router1(config-if)# glbp 1 ip 172.16.0.1
router1(config-if)# glbp 1 priority 150
router1(config-if)# glbp 1 preempt
router1(config-if)# glbp 1 timers 15 15
router1(config-if)# glbp 1 load-balancing weighted| round-robin | host-dependent

To see the GLBP configuration:

router1# show glbp brief
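The virtual MAC schemes for HSRPv1, HSRPv2 and GLBP above, and the HSRP election with interface tracking from the HSRP section, fit in one worked model. The following is an added example (not from the original notes, and not Cisco code) serving both passages: the physical interface addresses 172.16.0.2/.3 and the fa0/0 tracking on router1 are constructed, since the notes only show the virtual address and router2's tracking; the function names are mine.

```python
from ipaddress import IPv4Address

# Added example (not from the original notes): the virtual MAC address schemes for
# HSRPv1, HSRPv2 and GLBP, and the HSRP active-router election including interface
# tracking, applied to the two-router configuration in the HSRP section.
# Physical interface IPs and the fa0/0 tracking on router1 are constructed.


def hsrp_vmac(group: int, version: int = 1) -> str:
    """HSRPv1: 0000.0c07.acXX (group 0-255); HSRPv2: 0000.0c9f.fXXX (group 0-4095)."""
    if version == 1:
        if not 0 <= group <= 255:
            raise ValueError("HSRPv1 group must be 0-255")
        return f"0000.0c07.ac{group:02x}"
    if version == 2:
        if not 0 <= group <= 4095:
            raise ValueError("HSRPv2 group must be 0-4095")
        return f"0000.0c9f.f{group:03x}"
    raise ValueError("unknown HSRP version")


def glbp_vmac(group: int, forwarder: int) -> str:
    """GLBP: 0007.b400.xxyy, xx = group number, yy = forwarder number (at most four AVFs)."""
    if not 0 <= group <= 255 or not 1 <= forwarder <= 4:
        raise ValueError("group 0-255 and forwarder 1-4 expected for this scheme")
    return f"0007.b400.{group:02x}{forwarder:02x}"


def effective_priority(router: dict, down_interfaces) -> int:
    """Configured priority minus the decrement of every tracked interface that is down."""
    prio = router["priority"]
    for iface, decrement in router.get("track", {}).items():
        if iface in down_interfaces:
            prio -= decrement
    return max(prio, 0)


def elect_active(routers: list, down_interfaces=frozenset()) -> str:
    """Highest effective priority wins; ties go to the highest interface IP.  With
    'preempt' configured (as on both routers above) the winner takes over even
    when another router is currently active."""
    best = max(routers, key=lambda r: (effective_priority(r, down_interfaces), IPv4Address(r["ip"])))
    return best["name"]


# Constructed group: priorities and router2's tracking as on the page, the rest assumed.
ROUTERS = [
    {"name": "router1", "ip": "172.16.0.2", "priority": 150, "track": {"fa0/0": 60}},
    {"name": "router2", "ip": "172.16.0.3", "priority": 120, "track": {"fa0/1": 60}},
]
```

With everything up, router1 (priority 150) is active; if router1's tracked uplink fails its priority drops to 90, and router2 (120, with preempt) takes over, which is the whole point of the `track` command.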

GRE

Tunneling provides a mechanism to transport packets of one protocol within another protocol. The protocol that is carried is called the passenger protocol, and the protocol used for carrying the passenger protocol is called the transport protocol. Generic Routing Encapsulation (GRE) is one of the available tunneling mechanisms; it uses IP as the transport protocol and can carry many different passenger protocols. The tunnels behave as virtual point-to-point links with two endpoints identified by the tunnel source and tunnel destination addresses configured at each end.

R1(config)# int tunnel 1
R1(config-if)# ip address 172.16.1.1 255.255.255.0
R1(config-if)# tunnel source 1.1.1.1
R1(config-if)# tunnel destination 2.2.2.2
R2(config)# int tunnel 1
R2(config-if)# ip address 172.16.1.2 255.255.255.0
R2(config-if)# tunnel source 2.2.2.2
R2(config-if)# tunnel destination 1.1.1.1
R1(config)# ip route 192.168.2.0 255.255.255.0 172.16.1.2
R2(config)# ip route 192.168.1.0 255.255.255.0 172.16.1.1
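What R1 actually puts on the wire for the configuration above is an outer IPv4 header (protocol 47) from 1.1.1.1 to 2.2.2.2, a 4-byte GRE header whose protocol type says "IPv4 inside", and then the original packet. The following encapsulate/decapsulate pair is an added example, not code from the original notes or from Cisco IOS; the inner packet is constructed, and the receiver checks that the outer addresses match the configured tunnel endpoints before accepting anything, which plain GRE otherwise does not verify.

```python
import struct
from ipaddress import IPv4Address

# Added example (not from the original notes): GRE encapsulation as R1 and R2 do it
# above, transport IP 1.1.1.1 <-> 2.2.2.2 carrying an IPv4 passenger between
# 192.168.1.0/24 and 192.168.2.0/24.  The inner payload is constructed; GRE here
# carries no key/sequence/checksum, like the plain "int tunnel" configuration.

GRE_PROTOCOL = 47          # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800    # GRE protocol-type value for an IPv4 passenger


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def gre_encapsulate(passenger: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Outer IP (proto 47) + 4-byte GRE header (flags/version 0, protocol type) + passenger."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTOCOL, len(gre) + len(passenger)) + gre + passenger


def gre_decapsulate(packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Receiver side: validate the outer header, insist the packet comes from the
    configured far end, then strip the outer IP and GRE headers."""
    if len(packet) < 24 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IP checksum")
    if packet[9] != GRE_PROTOCOL:
        raise ValueError("outer protocol is not GRE")
    outer_src, outer_dst = str(IPv4Address(packet[12:16])), str(IPv4Address(packet[16:20]))
    # Only the configured tunnel destination may deliver into this tunnel interface.
    if (outer_src, outer_dst) != (tunnel_dst, tunnel_src):
        raise ValueError(f"GRE packet from unexpected endpoint {outer_src} -> {outer_dst}")
    flags, proto_type = struct.unpack_from("!HH", packet, ihl)
    if proto_type != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported passenger protocol 0x{proto_type:04x}")
    offset = ihl + 4
    if flags & 0x8000:    # C bit: checksum + reserved field present
        offset += 4
    if flags & 0x2000:    # K bit: key present
        offset += 4
    if flags & 0x1000:    # S bit: sequence number present
        offset += 4
    return packet[offset:]


# Constructed passenger: an IPv4 packet from 192.168.1.10 to 192.168.2.10 carrying 8 bytes of UDP.
PASSENGER = ipv4_header("192.168.1.10", "192.168.2.10", 17, 8) + b"\x00" * 8
```

Because GRE has no authentication or confidentiality of its own, the endpoint check is the only thing standing between the tunnel interface and spoofed outer packets; in practice GRE over IPsec, or at least an ACL permitting protocol 47 only between the two tunnel addresses, is the expected companion.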

EtherChannel (Layer 2 and Layer 3)

EtherChannel is a port link aggregation technology, or port-channel architecture, used primarily on Cisco switches. It allows grouping several physical Ethernet links to create one logical Ethernet link, providing fault tolerance and high-speed links between switches, routers and servers (from Wikipedia).


There are two negotiation protocols for EtherChannel:

  • PAgP (Cisco proprietary)

    • on

    • auto

    • desirable

  • LACP (industry standard, 802.3ad)

    • on

    • active

    • passive

To implement layer 2 PAGP:

SW1# conf t
SW1(config)#int range fa0/1-2
SW1(config-if)#channel-group 1 mode auto
SW1(config-if)#no shut
SW2# conf t
SW2(config)#int range fa0/1-2
SW2(config-if)#channel-group 1 mode desirable
SW2(config-if)#no shut

To implement layer 2 LACP:

SW1# conf t
SW1(config)#int range fa0/1-2
SW1(config-if)#channel-group 1 mode active
SW1(config-if)#no shut
SW2# conf t
SW2(config)#int range fa0/1-2
SW2(config-if)#channel-group 1 mode passive
SW2(config-if)#no shut

Layer 3 EtherChannel


At layer 3, we configure an IP address on the port-channel interface (after disabling switching on it) and then bundle the physical ports with PAgP:

SW1# conf t
SW1(config)#interface port-channel 1
SW1(config-if)#no switchport
SW1(config-if)#ip address 10.1.1.1 255.255.255.0
SW1(config-if)#interface range fa0/1-2
SW1(config-if-range)#no switchport
SW1(config-if-range)#channel-group 1 mode desirable
SW2# conf t
SW2(config)#interface port-channel 1
SW2(config-if)#no switchport
SW2(config-if)#ip address 10.1.1.2 255.255.255.0
SW2(config-if)#interface range fa0/1-2
SW2(config-if-range)#no switchport
SW2(config-if-range)#channel-group 1 mode auto

Static Routing

Routing is a huge concept in Cisco and I don't want to dive into routing protocol concepts, but I want to focus on simple routing, which is called static routing. To understand this concept, look at this diagram. In static routing, to reach network 2 from network 1, you need to define the networks on router 1 and router 2.


R1 only knows its own interfaces. To reach network 192.168.3.0/24 we use the next-hop interface 192.168.2.2, therefore we write:

R1(config)# ip route 192.168.3.0 255.255.255.0 192.168.2.2

R2 only knows its own interfaces. To reach network 192.168.1.0/24 we use the next-hop interface 192.168.2.1, therefore we write:

R2(config)# ip route 192.168.1.0 255.255.255.0 192.168.2.1

NAT

Network address translation (NAT) is a method of remapping one IP address space into another by modifying the network address information in the IP header of packets while they are in transit across a traffic routing device (from Wikipedia).

In simple words, translating one IP address to another is called NAT. Imagine that we have one static public IP address and we want to use it for different services in the local network. For example:

FTP : 192.168.20.100

HTTP : 192.168.20.101

HTTPS: 192.168.20.102

Static IP: 205.174.165.23

How can we use this one static IP address for different services?

With NAT. By using NAT, you can map the static IP address to different services, like below:

205.174.165.23:21 -> 192.168.20.100

205.174.165.23:80 -> 192.168.20.101

205.174.165.23:443 -> 192.168.20.102


We can simply write the following on the router to map 192.168.20.100 port 21 to 205.174.165.23 port 21:

router# conf t
router(config)# ip nat inside source static tcp 192.168.20.100 21 205.174.165.23 21

If we have a bunch of public IP addresses, we can define a pool and an access-list and hand them to NAT (the inside and outside interfaces must also be marked):

router# conf t
router(config)# ip nat pool mypool 205.174.165.23 205.174.165.89 netmask 255.255.255.0
router(config)# access-list 1 permit 192.168.20.0 0.0.0.255
router(config)# ip nat inside source list 1 pool mypool overload
router(config)# int fa0/0            ! assumed LAN-facing interface
router(config-if)# ip nat inside
router(config-if)# int fa0/1         ! assumed Internet-facing interface
router(config-if)# ip nat outside

"overload" means many inside local addresses can share one public address at the same time: the router distinguishes them by translating the source port as well (PAT).