CCNA,  Cisco,  Command Line,  Network Infrastructure,  Network Lab,  Networking,  PersonalBlog

A CISCO Lab

Merry Christmas to those celebrating it, Hanukkah to those celebrating that, Kwanzaa for others, and a number of other year-end/year-beginning festivals as well. I wish all of you peace and good health for yourselves and your families.

In another week or two I will be taking the CCNA as one of the final parts of my Bachelor’s degree, so I’m doing a lot of labs, both in Packet Tracer (from Cisco) and on the Cisco equipment I bought in pursuit of a career in network engineering/operations and security. As part of that process I’ve consumed a lot of content from many sources: from WGU (my college), from LinkedIn Learning, Pluralsight, Udemy, YouTube, and a number of sundry sources. And I have to say it’s a mixed bag all around for quality of training, quality/accuracy of the information provided, style, relevancy, and more.

This blog post is about a lab I found on YouTube that I really liked. I duplicated it and added to it, and that more advanced lab is what this post is about. I have included an image of the finished lab and the scripts to type (or copy/paste) into the Cisco terminal for each of the devices used.

The following is a picture of that lab. There are three switches in it, one router, and six hosts. The switches are divided up into two VLANs, numbered 10 and 20, with three different trunks between the switches and a router on a stick allowing communication between the VLANs. The router also does DHCP and acts as an NTP server for the network. Going forward I will likely use this as a starting point for more network formations and technologies.

The names of the switches reflect where they are on the diagram: North, East, and South. The router is placed in what would be the west location, but the router’s name is just StickRouter. I have four different scripts, one to enter into each of the devices to set them all up. Just copy-paste if you want to get going; feel free to make changes, of course, to see how things all work. I tried to make the scripts as fully-featured as I can. I have grouped the code portions by the main goals they work towards: providing identity and authentication, setting up the framework in which the network will run and securing the switchports, and actually setting up the ports for access and trunking that make the network go.

First comes providing identity, and authentication:

This part is almost identical for the switches and the router. The domain name must be set before SSH keys can be created, because the key generation needs some kind of seed. As I understand it the hostname and banner also feed into this seed, but it’s good practice to set all this up right at the start regardless of whether it’s strictly needed for the SSH seed.

So we set up a username and ‘enable secret’ password, encrypt passwords, banner, domain name, hostname, and SSH key. Then we select SSH v2, shut off IP domain lookups, and lock down the console and vty lines 0 through 4 so that they require a login.

Note that the above applies to all four devices, switches and router alike. In this lab all get the same username and password, ‘cisco’; in practice, of course, you would use a much better set of credentials.

From this point the devices take very different actions, since they do completely different things in service to the network. The switches set up VLANs, secure ports, then actually create the infrastructure for the communication protocols before opening the ports back up for business.

Setting up the Router on a stick.

The router sets up the two DHCP pools it will need to serve the two networks and the two subinterfaces it needs to act as a router ‘on a stick’ for the network. I like to think of saying this the way comedian Jeff Dunham says “on a steeeek”. I had no idea that a router could provide more than one DHCP service in one device, but for an enterprise-level device it made sense, so when I looked it up I was not surprised to find that they do it and how straightforward it all is. That’s really all there is. The router has the fewest lines of script to get it going by far. I suppose in an actual network, if there is enough inter-VLAN traffic to warrant it, the router could be moved to the gigabit ports and use one for VLAN 10 and the other for VLAN 20, thereby providing a ton more bandwidth, but that’s kind of easy and negates the training aspect of the lab!

It’s important to go over the whole encapsulation thing. When I was first going through the training material I went from start to finish without really trying to understand any portion of it in depth. And that was a good thing, because encapsulation touches on everything, and it is only when you see what it actually does for you that things start to make sense. You see, in order for data to be segregated into VLANs at all there must be some additional technology at work beyond a standard Ethernet frame. This is the encapsulation being mentioned.

You see, 802.1Q (‘dot1q’) is an open standard and is the default method of encapsulation, but there are others. You are only asked to specify it when the device you are working with is capable of other types of encapsulation. All the devices must be working with the same rules or things will fall apart rapidly, so if you are not asked for, or cannot specify, a type of encapsulation you can safely assume the device will be using dot1q.
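To make the encapsulation concrete, here is an added example (my own Python, not code from this post or from Cisco) that builds and parses an Ethernet frame with and without the 4-byte 802.1Q tag, then models how a trunk port assigns an arriving frame to a VLAN: a tagged frame goes to the VLAN in its tag, an untagged or priority-tagged (VID 0) frame goes to the native VLAN, and the frame is carried only if that VLAN is in the trunk’s allowed list. The allowed-list rule is my reading of Cisco’s trunk behaviour and is marked as an assumption in the code; the MAC addresses and payloads are constructed sample values.

```python
import struct

TPID_8021Q = 0x8100                  # EtherType value that announces an 802.1Q tag
ETH_HDR = struct.Struct("!6s6sH")    # destination MAC, source MAC, EtherType (or TPID)

def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build an Ethernet II frame; when vid is given, insert a 4-byte 802.1Q tag after the MACs."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    if vid is None:                          # untagged frame: MACs, EtherType, payload
        return hdr + struct.pack("!H", ethertype) + payload
    if not 0 <= vid <= 4094:
        raise ValueError("VID must be 0..4094 (4095 is reserved)")
    tci = (pcp << 13) | vid                  # TCI = PCP (3 bits) | DEI (1 bit, left 0) | VID (12 bits)
    return hdr + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload

def parse_frame(frame):
    """Return the frame's MACs, real EtherType, payload and, if tagged, its VID and priority."""
    dst, src, etype = ETH_HDR.unpack_from(frame, 0)
    offset = ETH_HDR.size
    vid = pcp = None
    if etype == TPID_8021Q:                  # tag present: TCI then the real EtherType follow
        tci, etype = struct.unpack_from("!HH", frame, offset)
        offset += 4
        pcp, vid = tci >> 13, tci & 0x0FFF
    return {"dst": mac_str(dst), "src": mac_str(src), "ethertype": etype,
            "vid": vid, "pcp": pcp, "payload": frame[offset:]}

def classify_on_trunk(frame, native_vlan, allowed):
    """VLAN a frame arriving on a trunk lands in, or None if the trunk does not carry it."""
    vid = parse_frame(frame)["vid"]
    if vid in (None, 0):                     # untagged / priority-tagged frames belong to the native VLAN
        vid = native_vlan
    # Assumption (modelled on Cisco trunks): a VLAN, native included, is carried only if allowed.
    return vid if vid in allowed else None

# Constructed sample frames: one tagged for VLAN 10, one untagged ARP frame.
TAGGED = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0800, b"hi", vid=10)
UNTAGGED = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806, b"arp")
```

Run against the lab’s trunk settings (native VLAN 92, allowed VLANs 10 and 20), `classify_on_trunk(UNTAGGED, 92, {10, 20})` returns `None`: an untagged data frame lands in VLAN 92, which the trunk does not carry, so no host VLAN ever receives untagged traffic. That is the practical reason for a dedicated, host-free native VLAN. The same tag parsing is what `encapsulation dot1q 10` on the router’s g0/0.1 subinterface does to steer a frame to the right subinterface. Switch-to-switch control protocols (CDP, DTP, LACP, PAgP) are processed by the switch itself and are outside this model.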

Setting up the VLANs and locking them all down.

The two working VLANs are 10 (Home) and 20 (Office), set up on ports 1-5 and 6-10 respectively. The VLANs are then given their own interfaces, and IP addresses are requested via DHCP. VLAN 92 is then created to provide a path for native traffic down the trunks, and VLAN 787 is created to provide an alternative default network for all ports and is then administratively shut down.

All ports are then moved to VLAN 787 as the new default VLAN and are then also all shut down administratively. At this point the switch is told to look to the router’s VLAN 10 address for NTP, and the router is set up to serve NTP from that address.

Setting up the ports for Access and Trunks.

All three switches first set up the two service VLANs, using ports 1-5 for VLAN 10 and 6-10 for VLAN 20. Switch North uses port 11 for the trunk to the StickRouter. The other three trunks, which connect the switches to each other, block off ports 13-24, allowing up to 4 ports for each. North→East uses LACP, East to South uses PAgP, and South to North uses plain EtherChannel. All can use the 4 lines, some can use many more, and load balancing as a furthering of the lab is not even touched on here.

In my configuration I’ve included all the items I can remember without going to the Cisco source material and going over the list of technologies required for mastery in order to pass the CCNA, many of which were not included in the YouTube video I originally found this lab in.

This includes establishing a native VLAN that will be used network-wide for moving around the non-encapsulated, low-level, admin-level packets that have nothing to do with our actual network traffic; creating a new ‘default’ VLAN, moving ALL ports to that VLAN, and then shutting it down, which prevents traffic from moving from port to port regardless of the state of the port itself. All unused ports are also shut down.
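As an added example (my own Python, not part of this post or of Cisco’s tooling), here is a small model of the lockdown just described. It replays a switch script written in the same copy/paste form as the ones further down, tracking each port’s mode, VLAN and shutdown state, and then audits the result for what the lockdown is meant to guarantee: no enabled port outside VLANs 10 and 20, no port left at the Catalyst defaults (DTP negotiation, VLAN 1), every shut port parked in VLAN 787, and every trunk with a restricted allowed list and a native VLAN that is neither 1 nor a host VLAN. The two script excerpts are constructed for the example, a port-channel member is assumed to inherit its port-channel’s trunk settings, and the defaults modelled (dynamic mode, VLAN 1, port up) are the usual Catalyst access-port defaults.

```python
import re

SERVICE_VLANS = {10, 20}   # VLANs that carry hosts in the lab
PARKING_VLAN = 787         # administratively-down VLAN every unused port is moved to
ALL_PORTS = [f"f0/{n}" for n in range(1, 25)]   # FastEthernet ports of one lab switch
INTERFACE_RE = re.compile(r"^interface(?:\s+range)?\s+(.+)$")
LOCKDOWN = """interface range f0/1-24
switchport mode access
switchport access vlan 787
shut
exit"""
SERVICE = """interface range f0/1-5
switchport access vlan 10
no shut
interface range f0/13-16
channel-group 1 mode on
exit
interface port-channel 1
switchport mode trunk
switchport trunk allowed vlan 10,20
switchport trunk native vlan 92
no shut
exit"""
LAB_SCRIPT = LOCKDOWN + "\n" + SERVICE   # constructed excerpts in the lab's order: park every port, then open what is needed
WEAK_SCRIPT = SERVICE                    # the same service configuration without the lockdown pass

def expand(spec):
    """'f0/13-16' -> f0/13..f0/16; 'port-channel 1' -> 'po1'; SVIs such as 'vlan 10' are skipped."""
    spec = spec.strip().lower()
    if spec.startswith("vlan"):
        return []
    m = re.fullmatch(r"port-channel\s*(\d+)", spec)
    if m:
        return ["po" + m.group(1)]
    prefix, _, last = spec.rpartition("/")
    if "-" in last:
        lo, hi = last.split("-")
        return [f"{prefix}/{n}" for n in range(int(lo), int(hi) + 1)]
    return [spec]

def factory_port():
    # Assumed Catalyst defaults: DTP 'dynamic', access VLAN 1, port up, every VLAN allowed on a trunk
    return {"mode": "dynamic", "vlan": 1, "shut": False, "native": 1, "allowed": None, "channel": None}

def replay(script):
    """Apply the script line by line to a model of the switch and return the final port states."""
    ports = {p: factory_port() for p in ALL_PORTS}
    current = []
    for raw in script.splitlines():
        line = raw.strip().lower()
        if m := INTERFACE_RE.match(line):
            current = expand(m.group(1))
            ports.update({p: ports.get(p) or factory_port() for p in current})
            continue
        if line == "exit":
            current = []
            continue
        t = line.split()
        for st in (ports[p] for p in current):
            if line.endswith(("shut", "shutdown")):
                st["shut"] = not line.startswith("no ")
            elif t[:2] == ["switchport", "mode"]:
                st["mode"] = t[2]
            elif t[:3] == ["switchport", "access", "vlan"]:
                st["vlan"] = int(t[3])
            elif t[:4] == ["switchport", "trunk", "native", "vlan"]:
                st["native"] = int(t[4])
            elif t[:4] == ["switchport", "trunk", "allowed", "vlan"]:
                st["allowed"] = {int(v) for v in t[4].split(",")}
            elif t[:1] == ["channel-group"]:
                st["channel"] = "po" + t[1]
    return ports

def effective(ports, name):
    """A channel member inherits the trunk settings configured on its port-channel (assumption)."""
    st = dict(ports[name])
    if st["channel"] in ports:
        for key in ("mode", "native", "allowed"):
            st[key] = ports[st["channel"]][key]
    return st

def audit(script):
    """Return hardening findings for the switch the script produces; [] means fully locked down."""
    ports = replay(script)
    findings = []
    for name in sorted(ports):
        st = effective(ports, name)
        if st["mode"] == "trunk":
            if st["native"] == 1:
                findings.append(f"{name}: trunk still uses VLAN 1 as native")
            if st["allowed"] is None:
                findings.append(f"{name}: trunk allows every VLAN")
            if st["native"] in SERVICE_VLANS:
                findings.append(f"{name}: native VLAN {st['native']} also carries hosts")
        elif not st["shut"]:
            if st["mode"] == "dynamic":
                findings.append(f"{name}: enabled with DTP negotiation (switchport mode not set)")
            if st["vlan"] not in SERVICE_VLANS:
                findings.append(f"{name}: enabled in VLAN {st['vlan']}")
        elif st["vlan"] != PARKING_VLAN:
            findings.append(f"{name}: shut but not parked in VLAN {PARKING_VLAN}")
    return findings
```

`audit(LAB_SCRIPT)` comes back empty, while `audit(WEAK_SCRIPT)`, the same service configuration pasted without the lockdown pass, reports every port from f0/6 upward as enabled in VLAN 1 with DTP negotiation on, and even the host ports f0/1-5 as still negotiating because `switchport mode access` was never issued. The order in the lab scripts, park everything first and then open only what is needed, is what makes the first result possible; pasting the service stanzas alone leaves the defaults in place. The model only knows the handful of commands the lab uses, so treat unmodelled lines as ignored rather than as safe.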

In a future video I will explore this network: first by adding additional switches, given ‘real world’ examples showing how important DHCP is, probably adding stanzas that give static IPs to specific MAC addresses on servers, and having actual servers that would handle things like SQL or NAS functions, to say nothing of SSO. But I feel that a video is a better venue to explore things like the various SHOW commands to inspect aspects of the network as it is, and as we will make it!

My YouTube channel is at:
https://www.youtube.com/channel/UCh8-BmD1BX8Izr_CLy80F7w

Have a great holiday season! Stay safe out there.

In the image you cannot see that the link between North and Stick is on G0/0 on the router and F0/11 on North. North and South are connected on F0/13-14 on both, North and East on F0/17-18 on both, and East and South on F0/21-22 on both.

Following are the scripts for the four devices:

StickRouter

clock set 14:00:00 Dec 25 2020
enable
configure terminal
clock timezone est -8
username cisco secret cisco
hostname StickRouter
banner motd &## [StickRouter] Lab:Etherchannel-L1 [olympicSoftworks.org] ##&
ip domain-name olysoft.org
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
no ip domain-lookup
line console 0
login local
logging synchronous
line vty 0 4
login local
transport input ssh
logging synchronous
exit

ip dhcp pool Home
domain-name olysoft.org
dns-server 1.1.1.1
network 192.168.10.0 255.255.255.0
default-router 192.168.10.254
ip dhcp excluded-address 192.168.10.1 192.168.10.99
ip dhcp excluded-address 192.168.10.254
do show ip dhcp pool Home

ip dhcp pool Office
network 192.168.20.0 255.255.255.0
domain-name olysoft.org
dns-server 1.1.1.1
default-router 192.168.20.254
ip dhcp excluded-address 192.168.20.1 192.168.20.99
ip dhcp excluded-address 192.168.20.254
do show ip dhcp pool Office

interface g0/0.1
description HomeVLan
encapsulation dot1q 10
ip address 192.168.10.254 255.255.255.0
interface g0/0.2
description OfficeVLan
encapsulation dot1q 20
ip address 192.168.20.254 255.255.255.0
interface g0/0
no shut

ntp master 1
exit

NorthSwitch

enable
configure terminal
username cisco secret cisco
hostname NorthSwitch
banner motd &## [NorthSwitch] Lab:Etherchannel-L1 [OlympicSoftworks.org] ##&
ip domain-name olysoft.org
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
no ip domain-lookup
line console 0
login local
logging synchronous
line vty 0 4
login local
transport input ssh
logging synchronous
exit

vlan 10
name Home
interface vlan 10
ip address dhcp
no shut
vlan 20
name Office
interface vlan 20
ip address dhcp
no shut
vlan 92
name Nat
vlan 787
name def
interface vlan 787
shut
interface range f0/1-24
switchport mode access
switchport access vlan 787
shut
exit
interface range g0/1-2
switchport mode access
switchport access vlan 787
shut
exit
ntp server 192.168.10.254

interface range f0/1-5
switchport access vlan 10
no shut
interface range f0/6-10
switchport access vlan 20
no shut
interface f0/11
switchport mode trunk
switchport trunk allowed vlan 10,20
switchport trunk native vlan 92
no shut

interface range f0/13-16
channel-group 1 mode on
exit
interface port-channel 1
switchport mode trunk
switchport trunk allowed vlan 10,20
switchport trunk native vlan 92
no shut
exit
interface range f0/13-16
no shut
exit

interface range f0/17-20
channel-group 2 mode desirable
exit
interface port-channel 2
switchport mode trunk
switchport trunk allowed vlan 10,20
switchport trunk native vlan 92
no shut
exit
interface range f0/17-20
no shut
exit

EastSwitch

enable
configure terminal
username cisco secret cisco
hostname EastSwitch
banner motd &## [EastSwitch] Lab:Etherchannel-L1 [OlympicSoftworks.org] ##&
ip domain-name olysoft.org
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
no ip domain-lookup
line console 0
login local
logging synchronous
line vty 0 4
login local
transport input ssh
logging synchronous
exit

vlan 10
name Home
interface vlan 10
ip address dhcp
no shut
vlan 20
name Office
interface vlan 20
ip address dhcp
no shut
vlan 92
name Nat
vlan 787
name def
interface vlan 787
shut
interface range f0/1-24
switchport mode access
switchport access vlan 787
shut
exit
interface range g0/1-2
switchport mode access
switchport access vlan 787
shut
exit
ntp server 192.168.10.254

interface range f0/1-5
switchport access vlan 10
no shut
interface range f0/6-10
switchport access vlan 20
no shut

interface range f0/17-20
channel-group 2 mode auto
exit
interface port-channel 2
switchport mode trunk
switchport trunk allowed vlan 10,20
switchport trunk native vlan 92
no shut
exit
interface range f0/17-20
no shut
exit

interface range f0/21-24
channel-group 3 mode active
exit
interface port-channel 3
switchport mode trunk
switchport trunk allowed vlan 10,20
switchport trunk native vlan 92
no shut
exit
interface range f0/21-24
no shut
exit

exit
show etherchannel summary
show vlan brief

SouthSwitch

enable
configure terminal
username cisco secret cisco
hostname SouthSwitch
banner motd &## [SouthSwitch] Lab:Etherchannel-L1 [OlympicSoftworks.org] ##&
ip domain-name olysoft.org
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
no ip domain-lookup
line console 0
login local
logging synchronous
line vty 0 4
login local
transport input ssh
logging synchronous
exit

vlan 10
name Home
interface vlan 10
ip address dhcp
no shut
vlan 20
name Office
interface vlan 20
ip address dhcp
no shut
vlan 92
name Nat
vlan 787
name def
interface vlan 787
shut
interface range f0/1-24
switchport mode access
switchport access vlan 787
shut
exit
interface range g0/1-2
switchport mode access
switchport access vlan 787
shut
exit
ntp server 192.168.10.254

interface range f0/1-5
switchport access vlan 10
no shut
interface range f0/6-10
switchport access vlan 20
no shut

interface range f0/21-24
channel-group 3 mode passive
exit
interface port-channel 3
switchport mode trunk
switchport trunk allowed vlan 10,20
switchport trunk native vlan 92
no shut
exit
interface range f0/21-24
no shut
exit

interface range f0/13-16
channel-group 1 mode on
exit
interface port-channel 1
switchport mode trunk
switchport trunk allowed vlan 10,20
switchport trunk native vlan 92
no shut
exit
interface range f0/13-16
no shut
exit

exit
show etherchannel summary
show vlan brief
