BSpendlove

Member
  • Content Count

    246

2 Followers

About BSpendlove

  • Title
    Member
  • Birthday 1996-07-13

Contact Methods

  • Origin
    BSpendlove
  • Steam
    BSpendlove
  • Twitch.tv
    bspendlove
  • Twitter
    @BSpendlove

Profile Information

  • Gender
    Male
  • Location
    Essex, UK
  • Interests
    Piano, Composition, Orchestration, Technology and Networking
  • Biography
    I love piano, networking and cats.
  • Occupation
    Network Engineer

System

  • CPU
    Intel i7-6700K @ 4.5GHz
  • Motherboard
    MSI Z170 Gaming M5
  • RAM
    2x8GB Kingston HyperX Savage DDR4 @ 3000Mhz
  • GPU
    2 x MSI GTX 1080ti Gaming X
  • Case
    ThermalTake X71
  • Storage
    2TB HDD and 250GB Samsung 850 SSD
  • PSU
    Corsair RM1000i
  • Display(s)
    LG 34UM88 - 3440x1440 IPS Superwide
  • Cooling
    Corsair H115i AIO
  • Operating System
    Windows 10 Pro

2,583 profile views
  1. BSpendlove

    CCNP Help

    That's alright. Yeah, R&S for sure, it's always been a goal; I wasn't too keen on pursuing it this soon because of my previous jobs, but now my employer is paying for it and is really pushing me to go get it. I'm trying to look through my old resources but never put everything in a single document/location. Some other resources I found useful were:

      • Rob Riker - YouTube (has training online but has posted snippets of his courses on YouTube)
      • Kevin Wallace - YouTube (also does a ton of books including one of the OCGs)
      • Packetlife - nice blogs for a wide range of CCNA/CCNP topics
      • NetworkLessons - very good style blogs I find
      • TheLanTamer - streams literally every day of his CCIE journey, but you can pick up a ton of stuff for the CCNP
      • Cisco Community Forums

    If you are also one of those guys who likes reading, I highly recommend getting a Safari Books Online subscription since you will be cushioned with knowledge and technical books.
  2. BSpendlove

    CCNP Help

    Don't worry too much, the jump between CCNA and CCNP is very friendly and isn't a massive gap (for R&S anyway). There are a few things you get introduced to, but it's just recapping knowledge and ensuring you do know all your basics about things like OSPF, EIGRP, how packets are actually routed from a technical perspective with the RIB/FIB/CEF etc., Spanning Tree, a bit of security like securing your routing protocols, securing the management plane of a Cisco device, route filtering, route summarization, and ensuring you fully understand VLANs (literally the very little details with STP/RSTP/PVLANs etc.). You already learn how to set up neighborships and exchange routes between different routing protocols, but the CCNP tries to introduce you to the more detailed theory with OSPF and how the protocol works under the hood with LSAs, the OSPF database (LSDB), how the metric formula works in EIGRP, and how to filter routes when doing redistribution between 2 routing protocols. Again, it's just expanding your current knowledge while introducing you to some other basic rules/operations.

    For Route, I found the OCG, Udemy, INE and a ton of blogs online to be the best resource. For Switch I only used the OCG and 3750X documentation from Cisco. For Tshoot, I just recapped over everything from the previous two, and they have the topology released online that you can study and build in GNS3/a real lab and do a ton of config/break/fix, repeat... CBT Nuggets was alright but a very simple overview of each topic, it doesn't go into much depth with Route/Switch. Udemy (Chris Bryant) was also the same, like a high level overview. I also read a few other books along with the CCNP and am still re-reading them for the CCIE, such as TCP/IP Volume 1/2, OSPF: Anatomy, Cisco design guides, Internet Routing Architectures 2nd edition, and more.

    I personally wouldn't rely on just the OCGs for all the exams (unless you're literally doing it to just pass the exam; I always express my opinion that you should try to learn for the knowledge and not just to get a piece of paper that says 'Pass'). I tried putting my CCNP Switch notes into Google Drive and haven't had the time to do Route: https://drive.google.com/open?id=0B2kaqHUWZdXxM3dfRWF5d3NWNGM

    Hit me up if you want to join a Discord. I've been talking to a guy over the past year that is studying for his CCNP right now and we try to get on voice quite a bit and always lab together/share ideas.
  3. A few personal projects I've been working on, mainly just putting together a load of useful functions in Python along with the netmiko library to pull specific data from Cisco IOS devices (mainly ISRs and Catalyst; not been designed for Nexus, ASAs, other vendors yet etc.). I've mainly been testing some open source IPAM solutions such as netbox and PHPIPAM to see if I can do some neat little tricks, and I've created a few things for both solutions on the side of my job because I want to expand my programming knowledge (have been doing a lot of Python + C# lately).

    Here is a basic example to connect to a Cisco switch and pull the data into a kind of JSON format to be used when creating a new VLAN using Netbox's API + Python API module. (Beware, I'm also using a module that I have on GitHub over at https://github.com/BSpendlove/BCPTools - follow the readme to install the library and use some of the basic functions I use in this netbox example.)

        from netbox import NetBox
        from BCPTools.BCPTFunctions import bcp_create_session
        from BCPTools.BCPTFunctions import bcp_show_vlans

        # Cisco switch connection details for Netmiko/BCPTools.
        # Lab values hard-coded for the example; outside a lab, read credentials from
        # the environment or a secrets store rather than committing them in the script.
        conn = {
            'device_type': 'cisco_ios',
            'ip': '192.168.1.109',
            'username': 'hume',
            'password': 'cisco',
            'secret': 'cisco'
        }

        ##---------------------- NETBOX API Login details ------------------------------##
        myToken = 'mytoken123mytoken123mytoken123mytoken123'
        api_login = NetBox(host='192.168.1.9', port=80, use_ssl=False, auth_token=myToken)
        ##------------------------------------------------------------------------------##


        class bcp_vlan_functions(object):
            def create_vlan_group(self, netbox, name, slug, checkExists=True):
                # With checkExists, look the group up first so we don't create duplicates.
                if checkExists:
                    vlan_group = netbox.ipam.get_vlan_groups(name=name)
                    if not vlan_group:
                        results = netbox.ipam.create_vlan_group(name=name, slug=slug)
                        return results
                    if name in vlan_group[0]['name']:
                        print(name.lower() + " has already been configured as a VLAN Group... checkExist must be False if you would like to create a duplicate VLAN Group...")
                        print("Local Database ID for vlan group: {0} is {1}\n".format(name, str(vlan_group[0]['id'])))
                    else:
                        results = netbox.ipam.create_vlan_group(name=name, slug=slug)
                        return results
                else:
                    print("Create vlan function without simple duplication...\n")
                    results = netbox.ipam.create_vlan_group(name=name, slug=slug)
                    return results

            def create_vlan(self, netbox, name, vlanid, groupid):
                # Only create the VLAN when Netbox does not already know a VLAN by that name.
                vlan_check = netbox.ipam.get_vlans(name=name)
                if not vlan_check:
                    results = netbox.ipam.create_vlan(vlan_name=name, vid=vlanid, group=groupid)
                    print("VLAN{0} ({1}) has been created...\n".format(vlanid, name))
                    return results
                if name in vlan_check[0]['name']:
                    if not vlan_check[0]['group']:
                        print("VLAN{0} exists in the Netbox Database although is not registered with VLAN Group: {1}... Have not performed any action...\n".format(vlanid, groupid))
                        #netbox.ipam.create_vlan(vlan_name=name,vid=vlanid,group=groupid)
                    elif groupid == vlan_check[0]['group']['id']:
                        print("VLAN{0} ({1}) is already configured in VLAN Group: {2}\n".format(vlanid, name, vlan_check[0]['group']['name']))
                    else:
                        # Same name but registered under a different group: report it instead of silently skipping.
                        print("VLAN{0} ({1}) exists in VLAN Group: {2}, not {3}... Have not performed any action...\n".format(vlanid, name, vlan_check[0]['group']['name'], groupid))

            def get_vlan_group(self, netbox, vlanname):
                # Try to use either id or name to filter through VLAN groups. Obviously ID is better if you
                # have duplicate VLAN group names, but with some common practice you shouldn't configure
                # 2 sites with the same 'VLAN group name'!!!
                return netbox.ipam.get_vlan_groups(name=vlanname)

            def save_vlans_to_netbox(self, netbox, groupname):
                # Pull 'show vlan' from the switch and push each VLAN into the named Netbox VLAN group.
                session = bcp_create_session(conn)
                vlans = bcp_show_vlans(session)
                vlangroup = self.get_vlan_group(netbox, groupname)
                if not vlangroup:
                    print("VLAN Group {0} can not be found...".format(groupname))
                else:
                    vlangroupid = vlangroup[0]['id']
                    for vlan in vlans:
                        self.create_vlan(netbox, vlan['name'], vlan['vlan_id'], vlangroupid)


        bcp_vlan_functions().create_vlan_group(api_login, "PYTHON-TEST-NETBOX", "python-test-netbox")
        bcp_vlan_functions().save_vlans_to_netbox(api_login, "PYTHON-TEST-NETBOX")

    For example, I have a switch at 192.168.1.109 with the following as the 'show vlan' output:

        W17BS-SW01#show vlan

        VLAN Name                             Status    Ports
        ---- -------------------------------- --------- -------------------------------
        1    default                          active    Fa1/0/1, Fa1/0/2, Fa1/0/3
                                                        Fa1/0/4, Fa1/0/6, Fa1/0/7
                                                        Fa1/0/8, Fa1/0/9, Fa1/0/10
                                                        Fa1/0/11, Fa1/0/12, Fa1/0/13
                                                        Fa1/0/14, Fa1/0/15, Fa1/0/16
                                                        Fa1/0/17, Fa1/0/18, Fa1/0/19
                                                        Fa1/0/20, Fa1/0/21, Fa1/0/22
                                                        Fa1/0/23, Fa1/0/24, Gi1/0/1
                                                        Gi1/0/2
        10   IT                               active    Fa1/0/5
        20   ACCOUNTS                         active
        30   SALES                            active
        40   HR                               active
        50   INTERNAL                         active
        100  CAMERAS                          active
        101  GUEST-WIFI                       active

    I've amended some interfaces to go in the other VLANs, so now my function from my BCPTools library on GitHub will return this data as:

    and now from the Netbox point of view:

    after running the netbox function I've created to pull the VLANs from a Cisco switch, and then use the API to create these VLANs in the VLAN group called 'Python-test-netbox':

        (virtualenvironment) brandon@ubuntu:~/brandon_scripts/NETBOX_API_EXAMPLES$ python3 netbox_cisco_switch_vlans.py
        python-test-netbox has already been configured as a VLAN Group... checkExist must be False if you would like to create a duplicate VLAN Group...
        Local Database ID for vlan group: PYTHON-TEST-NETBOX is 7

        VLAN1 (default) has been created...

        VLAN10 (IT) has been created...

        VLAN20 (ACCOUNTS) has been created...

        VLAN30 (SALES) has been created...

        VLAN40 (HR) has been created...

        VLAN50 (INTERNAL) has been created...

        VLAN100 (CAMERAS) has been created...

        VLAN101 (GUEST-WIFI) has been created...

        VLAN1002 (fddi-default) has been created...

        VLAN1003 (token-ring-default) has been created...

        VLAN1004 (fddinet-default) has been created...

        VLAN1005 (trnet-default) has been created...

    (Obviously filtering out VLAN1 and 1002-1005 would be best, but this is just a quick dirty function to show some basics with Python automation for networking/inventory purposes.)
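As an added example (not code from the post or from the BCPTools library), the following Python parses the raw 'show vlan' text shown above into the same 'vlan_id'/'name' shape that bcp_show_vlans returns, including the wrapped port lines, and then drops VLAN 1 and 1002-1005 as the post suggests. The sample output is constructed from the switch output in the post, with the four reserved VLANs appended as a Catalyst prints them (act/unsup).

```python
import re
from typing import Dict, List

# Constructed sample: the 'show vlan' output from the post, plus the four reserved
# VLANs (1002-1005) that IOS lists further down the same table, and the start of
# the second (Type/SAID) table that follows it.
SHOW_VLAN = """\
W17BS-SW01#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa1/0/1, Fa1/0/2, Fa1/0/3
                                                Fa1/0/4, Fa1/0/6, Fa1/0/7
                                                Fa1/0/8, Fa1/0/9, Fa1/0/10
                                                Fa1/0/11, Fa1/0/12, Fa1/0/13
                                                Fa1/0/14, Fa1/0/15, Fa1/0/16
                                                Fa1/0/17, Fa1/0/18, Fa1/0/19
                                                Fa1/0/20, Fa1/0/21, Fa1/0/22
                                                Fa1/0/23, Fa1/0/24, Gi1/0/1
                                                Gi1/0/2
10   IT                               active    Fa1/0/5
20   ACCOUNTS                         active
30   SALES                            active
40   HR                               active
50   INTERNAL                         active
100  CAMERAS                          active
101  GUEST-WIFI                       active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
"""

# VLANs IOS creates by itself, which should not be pushed into an IPAM:
# 1 (default) and 1002-1005 (legacy FDDI / Token Ring defaults).
RESERVED_VLANS = {1, 1002, 1003, 1004, 1005}

# A VLAN row: id, name (no spaces in IOS VLAN names), status, optional ports.
ROW_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")
# A continuation row: leading whitespace, then more ports for the previous VLAN.
CONT_RE = re.compile(r"^\s+(\S.*)$")


def _split_ports(field: str) -> List[str]:
    return [p.strip() for p in field.split(",") if p.strip()]


def parse_show_vlan(output: str) -> List[Dict]:
    """Parse the first table of 'show vlan' into dicts with 'vlan_id' and 'name'
    (the shape the post's bcp_show_vlans returns) plus 'status' and 'ports'."""
    vlans: List[Dict] = []
    in_table = False
    for line in output.splitlines():
        if not in_table:
            # The first dash ruler marks the start of the VLAN/Name/Status table.
            in_table = line.startswith("---- ")
            continue
        if not line.strip():
            break  # a blank line ends the first table; the Type/SAID table follows
        row = ROW_RE.match(line)
        if row:
            vid, name, status, ports = row.groups()
            vlans.append({"vlan_id": int(vid), "name": name,
                          "status": status, "ports": _split_ports(ports)})
            continue
        cont = CONT_RE.match(line)
        if cont and vlans:
            vlans[-1]["ports"].extend(_split_ports(cont.group(1)))
    return vlans


def user_vlans(vlans: List[Dict]) -> List[Dict]:
    """Drop VLAN 1 and 1002-1005, and anything not 'active', so only the
    operator-created VLANs are handed to the IPAM."""
    return [v for v in vlans
            if v["vlan_id"] not in RESERVED_VLANS and v["status"] == "active"]


if __name__ == "__main__":
    for v in user_vlans(parse_show_vlan(SHOW_VLAN)):
        print("VLAN{vlan_id} ({name}) -> {ports}".format(**v))
```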
  4. BSpendlove

    Networking/Server YouTube Channels?

    I like LANTamer, he's currently on the last few days before doing his CCIE Lab and has so many videos for the journey of his studies... I watch quite a few others: Jorge Almazan, Computerphile (has a few cool videos on some subjects around networking), Rob Riker... trying to look through my history but I watch too much on YouTube and never subscribe to people, idk why haha. There are quite a few Twitch streamers from another community that have made a Discord, quite active in terms of networking/servers when talking, a ton of them stream... from very basic configuration up to showing off the latest technology in terms of network design etc.
  5. BSpendlove

    Which router Linus uses at home?

    If it is in the $1000 range then it must be good!
  6. BSpendlove

    Ideas for routing?

    It isn't routing that is going to be a problem. You know everyone is going to recommend the bottom method (where your computers are hard wired in) because it's always going to be the more reliable method. You mentioned that your computer is wireless; you're not really going to be running into any speed issues without first changing from wireless to wired. I wouldn't be worried about your method of connecting devices unless there was a specific device that bottlenecked, such as the wireless card in your actual PC, or the signal/strength between your PC and the AC5300, or even running bad cable between your router and switch (or having a 100Mbps switch with an internet speed higher than 100Mbps).
  7. BSpendlove

    one and two level subnetting

    More like overlapping VLSM? :')
  8. BSpendlove

    TCP/UDP Help needed

    Probably looking into the more specific details of TCP and UDP (compare and contrast), with features such as how TCP and windowing work, the 3-way handshake, latency, maximum segment size, TCP slow start, demonstrating a good knowledge of what TCP should look like with the acknowledging and sequencing, and how UDP can affect TCP traffic within a stream, since standard UDP would drain out TCP as it has no in-built features in the protocol itself to reduce a 'bottleneck'. What I mean is UDP can't dynamically adjust packets being sent between hosts that both agree how much data they can receive, like TCP does with windowing (maybe compared to something like people that implement TCP-like features within upper layers on top of UDP). You can't just define TCP as: "oh it uses a three way handshake, has sequencing and acknowledgements, and is also more reliable than UDP"... The TCP/IP Illustrated book is a well known book that dives deep into the gritty basics of TCP/UDP and also routing protocols etc.
  9. DMVPN is mentioned in the official CCNA guide and also in the CCNP (specifically Routing and Switching I'm talking about here), but it isn't really listed to configure in the exam topics for CCNP Route. The exam blueprints state you need to 'Describe', but if you've ever attempted a Cisco exam before then you might know that doesn't mean you might get a question related to the configuration side.

    We are going to be looking at a simple lab with some theory behind DMVPN without the encryption, but first a basic explanation of what DMVPN is:

    DMVPN (Dynamic Multipoint VPN) isn't a protocol in itself, but is crafted from the various protocols used together to achieve what DMVPN does. It allows us to create a hub-spoke like topology with spokes being able to dynamically form a VPN between other remote spokes and the Hub.

    The protocols that create DMVPN:
      • Multipoint GRE
      • NHRP
      • A dynamic routing protocol (common: EIGRP or OSPF)

    IPSec is also a common protocol used, but it isn't actually a requirement (although it is preferred since running plain GRE isn't the best idea...). Technically you don't actually need to run a dynamic routing protocol and can have static routes, but again it is very common to see a dynamic routing protocol.

    Before moving on to a basic introduction to configuration and the design: DMVPN can scale very large (thousands of remote sites) and not only allows our spokes with dynamic IP addresses to participate in the design, but the configuration is also very effective compared to creating static tunnels for loads of remote sites.

    The single hub topology design

    This topology will use the internet as the underlay to transport our packets, although we will create an 'overlay' using multipoint GRE to carry our site traffic (10.x.x.x) using EIGRP. In DMVPN, we use the terms 'underlay' and 'overlay' a bit similar to GRE over IPSec, where IPSec is used as the protocol to transport GRE, otherwise we will have no protection.

    GRE is normally used to transport different traffic since IPSec itself can only carry unicast traffic; if you want to take advantage of multicast and other types of traffic then you can encapsulate with GRE and then send it over the IPSec tunnel as a unicast packet. In our case, we could even just use IPSec without GRE and just define the neighbors in our routing protocol so our updates and hellos etc. are sent via unicast instead of multicast, but that bypasses the learning and fun we'll see in this post!

    Multipoint GRE

    Why not use typical GRE point-to-point tunnels? Firstly, this defeats the whole purpose of what DMVPN achieves: it allows us to manage our design with ease and dynamically form tunnels with remote spokes and with the HUB. If we have a static tunnel configuration, think about it, we need X amount of tunnels configured on the HUB depending on how many spokes are in our design, and then a tunnel from the spoke to the HUB, and then finally a tunnel from SpokeX to every single other spoke that exists if you need Spoke-Spoke communication without traffic traversing through the HUB. Multipoint GRE allows a single tunnel configuration to then dynamically form tunnels without the need for loads of 'interface tunnel x' in the configuration. It can take the configuration of the single interface and then use NHRP to dynamically form tunnels to other routers.

    NHRP

    Next Hop Resolution Protocol is the protocol in DMVPN which makes it possible for spokes to register their public IP address against their tunnel interface IP address, whether the public facing interface is static or dynamic. Everyone explains NHRP like ARP but on the internet instead of within a local LAN. The protocol works as a server-client model where clients point to a server to register their address (more specifically their NBMA, aka Non Broadcast Multi Access, address). We will look at NHRP in more detail not only with configuration but also verification commands and more theory when we actually see outputs.

    Dynamic Routing Protocol

    As I've mentioned, a routing protocol isn't actually a requirement for DMVPN, although as you may know, a dynamic routing protocol makes routing more scalable when working with a large amount of subnets/networks. We will be using EIGRP in this example.

    IPSec

    There are many design guides and generic guides on the web which show different methods, such as using an IPSec profile directly in IOS, or even having a firewall which offloads the resources for IPSec tunnels and then a router performing the GRE/NHRP etc. In our example, I won't be using IPSec since the IPSec configuration is straightforward to lab but also very easy to set up using preshared keys; it gets more interesting when you begin to introduce a PKI server for certificates and IPSec enrollment instead of using keys/shared secrets...

    Basic configuration

    Starting with the basic configuration of all the routers so you can follow along:

    Starting with a basic check, we can ping each spoke from the HUB:

        HUB#ping 1.0.0.1
        Type escape sequence to abort.
        Sending 5, 100-byte ICMP Echos to 1.0.0.1, timeout is 2 seconds:
        !!!!!
        Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms

        HUB#ping 2.0.0.1
        Type escape sequence to abort.
        Sending 5, 100-byte ICMP Echos to 2.0.0.1, timeout is 2 seconds:
        !!!!!
        Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/6 ms

        HUB#ping 3.0.0.1
        Type escape sequence to abort.
        Sending 5, 100-byte ICMP Echos to 3.0.0.1, timeout is 2 seconds:
        !!!!!
        Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms

    Firstly, let's start with some basic tunnel configuration. What we need to configure is an overlay which will use the 192.168.254.0/24 network for the tunnels to communicate. Let's go ahead and actually configure some other important commands on our HUB, which will also act as the 'Next Hop Server aka NHS' for NHRP.

    HUB Configuration (Phase 1)

        interface Tunnel0
         ip address 192.168.254.1 255.255.255.0
         no ip redirects
         ip nhrp map multicast dynamic
         ip nhrp network-id 10
         tunnel source GigabitEthernet0/0
         tunnel mode gre multipoint
         tunnel key 1

    ip nhrp map multicast dynamic
    On the hub, this command serves to map multicast packets to the mappings that are created within the NHRP database.

    ip nhrp network-id 10
    This is similar to the tunnel key command, where we can identify specific NHRP networks, but this must match on all routers; it is required in an NHRP configuration.

    tunnel key 1
    The tunnel key command in tunnel configuration mode allows us to define which tunnel specific packets belong to. This is important when we have multiple tunnels on the interface, and as a best practice I like to specify this even with a single tunnel configuration.

    Spoke Configuration (Phase 1)

        interface tunnel 0
         ! Spoke-1 .10, Spoke-2 .20 and Spoke-3 as .30
         ip address 192.168.254.(x) 255.255.255.0
         no ip redirects
         ip nhrp map 192.168.254.1 20.0.0.1
         ip nhrp network-id 10
         ip nhrp nhs 192.168.254.1
         tunnel source GigabitEthernet0/0
         tunnel mode gre multipoint
         tunnel key 1

    Let's capture some packets! If I shut down the tunnel interface on Spoke-1 and turn it back on, this looks like the thing that happens relating to NHRP, which also reflects the configuration we have done.

    Let's look into the NHRP packet itself and then see what conversation is going on. We'll look into the interesting stuff without getting into too much depth. Firstly, Spoke-1 sends an NHRP Registration Request (to 20.0.0.1, which is the HUB); you can see this request holds some information which will build the NHRP database we will see shortly.

    Spoke-1 actually announces its own NBMA address and the protocol address (in our case it's our tunnel: 192.168.254.10, with destination 192.168.254.1, the tunnel interface on the HUB). These NHRP requests will be sent every 1/3rd of the Hold timer, which by default is 7200s (found under the 'Client Information Entry'). The client expects a reply and will keep sending out NHRP requests, doubling the time (from 1, 2, 4 etc. to 32... that is the theory for those CCNP exam takers!)

    Next, we receive a reply from 20.0.0.1 (HUB), which looks like:

    If we take a quick look at RFC2332, it states that Code 0 is indeed a successful registration with the NHS. The next 2 packets were actually a repeated request/successful request which we won't dive into because they look the same as the above 2 request and reply NHRP packets.

    With all the spokes configured, this process happens fairly quickly in our lab environment and we can now see a populated NHRP database, which can be found using:

        HUB#show dmvpn
        Interface: Tunnel0, IPv4 NHRP Details
        Type:Hub, NHRP Peers:3,

         # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
         ----- --------------- --------------- ----- -------- -----
             1 1.0.0.1         192.168.254.10    UP 00:16:59     D
             1 2.0.0.1         192.168.254.20    UP 00:15:08     D
             1 3.0.0.1         192.168.254.30    UP 00:14:54     D

        HUB#ping 192.168.254.10
        Type escape sequence to abort.
        Sending 5, 100-byte ICMP Echos to 192.168.254.10, timeout is 2 seconds:
        !!!!!
        Success rate is 100 percent (5/5), round-trip min/avg/max = 6/6/8 ms

        HUB#ping 192.168.254.20
        Type escape sequence to abort.
        Sending 5, 100-byte ICMP Echos to 192.168.254.20, timeout is 2 seconds:
        !!!!!
        Success rate is 100 percent (5/5), round-trip min/avg/max = 6/6/8 ms

        HUB#ping 192.168.254.30
        Type escape sequence to abort.
        Sending 5, 100-byte ICMP Echos to 192.168.254.30, timeout is 2 seconds:
        !!!!!
        Success rate is 100 percent (5/5), round-trip min/avg/max = 6/6/7 ms

    Do you think we would be able to ping Spoke-1 (192.168.254.10) from Spoke-2?

        Spoke-2#ping 192.168.254.10
        Type escape sequence to abort.
        Sending 5, 100-byte ICMP Echos to 192.168.254.10, timeout is 2 seconds:
        !!!!!
        Success rate is 100 percent (5/5), round-trip min/avg/max = 6/12/25 ms

    The answer is yes! Although something happens behind the scenes. How could Spoke-2 possibly know how to get to 192.168.254.10? What happened was Spoke-2 actually sent an NHRP request to its NHS (192.168.254.1). Because we have mapped the public IP address 20.0.0.1 to reach the HUB/NHS, we can instantly send a request for 192.168.254.10. You can see above, we sent our NBMA and the Tunnel address, but the destination is 192.168.254.10. We are practically going to be asking: what is the NBMA address for 192.168.254.10?

    Now this is the part where NHRP gets interesting, try to see if something looks different below:

    If we just explain a quick overview: we send an NHRP request for 192.168.254.10 to 20.0.0.1 (which is our NHS). When the request hits the NHS, it will actually send it to the NBMA which is registered in the NHRP database (being 1.0.0.1). Spoke-1 (1.0.0.1) actually replies with its information (NBMA and Tunnel address 192.168.254.10). If we do a traceroute from Spoke-2 when the NHRP table is cleared on Spoke-2, have a look at the results that prove this:

        Spoke-2#traceroute 192.168.254.10
          1 192.168.254.1 9 msec
            192.168.254.10 7 msec 6 msec

        Spoke-2#show dmvpn
        Interface: Tunnel0, IPv4 NHRP Details
        Type:Spoke, NHRP Peers:2,

         # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
         ----- --------------- --------------- ----- -------- -----
             1 20.0.0.1        192.168.254.1     UP 00:27:00     S
             1 1.0.0.1         192.168.254.10    UP 00:00:23     D

        Spoke-2#traceroute 192.168.254.10
          1 192.168.254.10 8 msec 7 msec *

    If the entry is not in our NHRP database, then the first few packets/traffic will traverse through the HUB until we receive the reply with the NBMA address of Spoke-1. This is the dynamic part of DMVPN already in action, because we learn the address to send traffic to if we want to directly communicate with that Spoke. When we start advertising our networks from the spokes, this will change and then we can start talking about the different phases that can change the flow of traffic and how routes are propagated throughout this DMVPN design.

    We are going to configure EIGRP to set up a relationship with each neighbor but also advertise the loopbacks into EIGRP.

        router eigrp 1
         network 10.0.0.0 0.255.255.255
         network 192.168.254.0 0.0.0.255

    We can put a more granular network statement to choose what participates in EIGRP, but let us keep it simple and sweet. We'll look at the phases in DMVPN which can change our traffic flow and how we learn routes. Before moving on, we can come across an issue with EIGRP neighbor flapping with the tunnels; we must include a command in our tunnel configuration on each spoke which allows us to map multicast traffic to the NBMA address of the Hub.

        interface tunnel 0
         ip nhrp map multicast 20.0.0.1

    Confirming EIGRP neighbors on the HUB:

        HUB#sh ip eigrp ne
        EIGRP-IPv4 Neighbors for AS(1)
        H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                           (sec)         (ms)       Cnt Num
        2   192.168.254.30          Tu0                      14 00:02:02   12  1506  0  5
        1   192.168.254.20          Tu0                      13 00:02:07  624  3744  0  5
        0   192.168.254.10          Tu0                      11 00:02:16    9  1506  0  6

    EIGRP issues

    If we have a look at the routes that the HUB has dynamically learned via EIGRP:

        HUB#sh ip route eigrp
              10.0.0.0/8 is variably subnetted, 11 subnets, 2 masks
        D        10.10.1.0/24 [90/27008000] via 192.168.254.10, 00:05:46, Tunnel0
        D        10.10.2.0/24 [90/27008000] via 192.168.254.20, 00:05:38, Tunnel0
        D        10.10.3.0/24 [90/27008000] via 192.168.254.30, 00:05:30, Tunnel0

    There is an issue that can occur because of the default behaviour of EIGRP; take a look at the routing table for Spoke-3:

        Spoke-3#show ip route eigrp
              10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
        D        10.0.0.0/24 [90/27008000] via 192.168.254.1, 00:06:29, Tunnel0
        D        10.0.1.0/24 [90/27008000] via 192.168.254.1, 00:06:29, Tunnel0
        D        10.0.2.0/24 [90/27008000] via 192.168.254.1, 00:06:29, Tunnel0
        D        10.0.3.0/24 [90/27008000] via 192.168.254.1, 00:06:29, Tunnel0

    We can see routes behind the HUB (e.g. loopbacks) that can successfully be reached via the Tunnel interface; the issue is with routes from other spokes. The default behaviour of EIGRP is to not advertise a route out of the interface on which it was received (e.g. Tunnel 0). This is a very good example of Split Horizon, which is also a part of RIP and how that protocol works. We can simply solve this with an interface command on the HUB:

        interface tunnel 0
         no ip split-horizon eigrp 1

    Looking back at the routing table for Spoke-3:

        Spoke-3#show ip route eigrp
              10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
        D        10.0.0.0/24 [90/27008000] via 192.168.254.1, 00:09:07, Tunnel0
        D        10.0.1.0/24 [90/27008000] via 192.168.254.1, 00:09:07, Tunnel0
        D        10.0.2.0/24 [90/27008000] via 192.168.254.1, 00:09:07, Tunnel0
        D        10.0.3.0/24 [90/27008000] via 192.168.254.1, 00:09:07, Tunnel0
        D        10.10.1.0/24 [90/28288000] via 192.168.254.1, 00:00:12, Tunnel0
        D        10.10.2.0/24 [90/28288000] via 192.168.254.1, 00:00:12, Tunnel0

    DMVPN Phases

    The phases are kind of steps during the DMVPN process when you have:
      • Phase 1) Only Hub-Spoke traffic
      • Phase 2) Spokes can then dynamically form tunnels with other spokes, no need to go through the HUB (initial traffic will firstly go through the HUB because of the NHRP request)
      • Phase 3) Spokes can dynamically reply to an NHRP request and spokes can work together without the HUB to initiate traffic between them

    Phase 1

    During phase 1, our traffic will ALWAYS go through the HUB because, although we have turned off 'split horizon', the HUB will advertise the routes from other spokes via itself. The next hop IP address in the routing table will show the HUB's IP address as shown below (notice all routes are reachable via 192.168.254.1):

        Spoke-1#show ip route eigrp
              10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
        D        10.0.0.0/24 [90/27008000] via 192.168.254.1, 00:49:16, Tunnel0
        D        10.0.1.0/24 [90/27008000] via 192.168.254.1, 00:49:16, Tunnel0
        D        10.0.2.0/24 [90/27008000] via 192.168.254.1, 00:49:16, Tunnel0
        D        10.0.3.0/24 [90/27008000] via 192.168.254.1, 00:49:16, Tunnel0
        D        10.10.2.0/24 [90/28288000] via 192.168.254.1, 00:40:05, Tunnel0
        D        10.10.3.0/24 [90/28288000] via 192.168.254.1, 00:40:05, Tunnel0

    If we simply use a command on the HUB, we can allow the routes to be pushed out without the HUB adding itself as the next hop to reach the network. This also moves the DMVPN into phase 2, where direct communication between spokes doesn't need to traverse the HUB all the time.

        interface Tunnel0
         no ip next-hop-self eigrp 1

    Before looking into what this does, we will take another look at the routing table:

        Spoke-1#show ip route eigrp
              10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
        D        10.0.0.0/24 [90/27008000] via 192.168.254.1, 00:00:21, Tunnel0
        D        10.0.1.0/24 [90/27008000] via 192.168.254.1, 00:00:21, Tunnel0
        D        10.0.2.0/24 [90/27008000] via 192.168.254.1, 00:00:21, Tunnel0
        D        10.0.3.0/24 [90/27008000] via 192.168.254.1, 00:00:21, Tunnel0
        D        10.10.2.0/24 [90/28288000] via 192.168.254.20, 00:00:21, Tunnel0
        D        10.10.3.0/24 [90/28288000] via 192.168.254.30, 00:00:21, Tunnel0

    We can now see 10.10.2.0/24 via 192.168.254.20 and 10.10.3.0/24 via 192.168.254.30. This command will not make the HUB advertise the routes via itself.

    Back to Phase 3: the spoke itself can reply directly to a request, because currently the request is being sent to the HUB and then the HUB is forwarding that request towards the destination. Here is an example of a basic packet capture when Spoke-1 tries to ping 10.10.3.1 (Spoke-3):

    You can see, the original source (1.0.0.1 - Spoke-1) is sent towards 20.0.0.1 (HUB) and then 20.0.0.1 (HUB) sends it to 3.0.0.1 (Spoke-3). To make this into Phase 3, we can simply add 2 commands on the hub and then a command on each spoke:

        !HUB
        interface tunnel 0
         ip nhrp redirect
         ip nhrp shortcut

        !SPOKES
        interface tunnel 0
         ip nhrp shortcut

    It's 3:34AM and I need sleep (said this an hour ago...) so I will update this when I get some time tomorrow...
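As an added example (not code from the post), the following Python parses the 'show dmvpn' and 'show ip route eigrp' outputs quoted in the post and turns the two observations it makes into checks: the static (S) NHRP entry identifies the configured NHS, the dynamic (D) entries are spokes resolved through it, and whether the learned spoke prefixes point at the hub's tunnel address or at the other spokes' tells phase 1 (next-hop-self) apart from phase 2. The sample strings are copied from the post's outputs; the audit function and its names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples, copied from the outputs quoted in the post.
SHOW_DMVPN_SPOKE2 = """\
Spoke-2#show dmvpn
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 20.0.0.1        192.168.254.1     UP 00:27:00     S
     1 1.0.0.1         192.168.254.10    UP 00:00:23     D
"""

# Spoke-1's table before (hub rewrites itself as next hop) and after
# 'no ip next-hop-self eigrp 1' on the hub.
ROUTES_PHASE1 = """\
Spoke-1#show ip route eigrp
      10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
D        10.0.0.0/24 [90/27008000] via 192.168.254.1, 00:49:16, Tunnel0
D        10.0.1.0/24 [90/27008000] via 192.168.254.1, 00:49:16, Tunnel0
D        10.0.2.0/24 [90/27008000] via 192.168.254.1, 00:49:16, Tunnel0
D        10.0.3.0/24 [90/27008000] via 192.168.254.1, 00:49:16, Tunnel0
D        10.10.2.0/24 [90/28288000] via 192.168.254.1, 00:40:05, Tunnel0
D        10.10.3.0/24 [90/28288000] via 192.168.254.1, 00:40:05, Tunnel0
"""
ROUTES_PHASE2 = """\
Spoke-1#show ip route eigrp
      10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
D        10.0.0.0/24 [90/27008000] via 192.168.254.1, 00:00:21, Tunnel0
D        10.0.1.0/24 [90/27008000] via 192.168.254.1, 00:00:21, Tunnel0
D        10.0.2.0/24 [90/27008000] via 192.168.254.1, 00:00:21, Tunnel0
D        10.0.3.0/24 [90/27008000] via 192.168.254.1, 00:00:21, Tunnel0
D        10.10.2.0/24 [90/28288000] via 192.168.254.20, 00:00:21, Tunnel0
D        10.10.3.0/24 [90/28288000] via 192.168.254.30, 00:00:21, Tunnel0
"""

# Peer row: "<ent> <NBMA addr> <tunnel addr> <state> <up/down time> <attrb>"
PEER_RE = re.compile(r"^\s*\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+([SD]\S*)\s*$")
# Route row: "D <prefix> [AD/metric] via <next hop>, <age>, <interface>"
ROUTE_RE = re.compile(r"^D\s+(\S+/\d+)\s+\[\d+/\d+\]\s+via\s+(\S+),\s+\S+,\s+(\S+)\s*$")


def parse_show_dmvpn(output: str) -> List[Dict]:
    """One dict per NHRP peer: NBMA (transport) address, tunnel (overlay) address,
    state, and whether the entry is static (the configured NHS mapping) or
    dynamic (learned through an NHRP registration or resolution)."""
    peers = []
    for line in output.splitlines():
        m = PEER_RE.match(line)
        if m:
            nbma, tunnel, state, uptime, attrb = m.groups()
            peers.append({"nbma": nbma, "tunnel": tunnel, "state": state,
                          "uptime": uptime, "static": attrb.startswith("S")})
    return peers


def parse_eigrp_routes(output: str) -> List[Tuple[str, str, str]]:
    """(prefix, next_hop, interface) for every EIGRP route line."""
    return [m.groups() for m in map(ROUTE_RE.match, output.splitlines()) if m]


def nhs_tunnel_address(peers: List[Dict]) -> str:
    """A spoke's only static entry comes from 'ip nhrp map' / 'ip nhrp nhs'."""
    static = [p["tunnel"] for p in peers if p["static"]]
    if len(static) != 1:
        raise ValueError("expected exactly one static NHS mapping, got %r" % static)
    return static[0]


def dmvpn_phase(routes: List[Tuple[str, str, str]], hub_tunnel: str) -> str:
    """Phase 1: every learned prefix has the hub as next hop, so spoke-to-spoke
    traffic always hairpins through it. Phase 2: spoke prefixes keep the
    originating spoke's tunnel address, so NHRP can resolve a direct path."""
    spoke_hops = {nh for _, nh, _ in routes if nh != hub_tunnel}
    return "phase2" if spoke_hops else "phase1"


def audit_spoke(dmvpn_out: str, routes_out: str) -> Dict:
    """Combine both outputs from one spoke into a small summary."""
    peers = parse_show_dmvpn(dmvpn_out)
    hub = nhs_tunnel_address(peers)
    routes = parse_eigrp_routes(routes_out)
    return {"nhs": hub,
            "resolved_spokes": [p["tunnel"] for p in peers if not p["static"]],
            "down_peers": [p["tunnel"] for p in peers if p["state"] != "UP"],
            "phase": dmvpn_phase(routes, hub),
            "via_hub": [pfx for pfx, nh, _ in routes if nh == hub]}


if __name__ == "__main__":
    print(audit_spoke(SHOW_DMVPN_SPOKE2, ROUTES_PHASE1))
    print(audit_spoke(SHOW_DMVPN_SPOKE2, ROUTES_PHASE2))
```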
  10. BSpendlove

    Cisco 9-part training for just $59 USD. Is it any good?

    Are you an idiot?
  11. Cool stuff ey? It doesn't always mean you're connected onto a L3/multilayer switch, since you can also get Ethernet modules for a router that are switch ports. Although if you have a look at the number of physical interfaces in either:

        #show version
        #show ip int brief

    (I like the output of show ip int brief even if they are just switch ports!) Most likely that would be the case, or even getting used to the series of switches/line-ups when you #show inventory or #show version.
  12. As above, CDP and LLDP would be a good start. If you are running purely all Cisco then don't bother with LLDP. You'll be able to find which device connects to what, the local and remote interface that connects them together, the management IP address, and the Cisco IOS version for each device in your local CDP table. If you have the management IP then go ahead and try to connect via telnet or SSH, see if the username/password/enable is the same as the device you can access; that is definitely something I would try in the real world. The clue for that detailed command is literally..... 'detail'

    You can also obtain some other information via CDP such as the capabilities of the connected device and the platform. On a local device I would recommend some commands such as:

      • show inventory - you'll find the model name and serial numbers
      • show version - you won't only find the IOS version but also things like memory, capacity in the flash, the boot image it's using, and other technical information like the base MAC address used in various protocols (depending on the platform that is)

    Remember that with IOS and other Cisco platforms you can filter specific commands to only grab lines which include/exclude words. Instead of going through a ton of info, you can always use something like:

        #show version | include IOS
  13. BSpendlove

    So I Bought A Cisco Router....

    As mentioned, you only have a single Ethernet port on that model; lucky you didn't get the standard Ethernet 10Mbps model, which I think is the 2610! That ISDN module you can unscrew and also whack in another module, but be careful because you should look at the compatible modules. You'll most probably be able to buy something like a 4ESW module, which is 4 switch ports, so you can connect to the LAN part of your network. The serial module will be useful if you ever study the CCENT/CCNA/CCNP material since they still cover technologies that use serial like PPP and HDLC. You can do some really wacky stuff with only a single interface: if you have a switch capable of VLAN tagging then you can logically create 2 interfaces on fa0/0 and have 1 as a WAN interface if you manage to get the ISP modem/router on the same VLAN on a switch, and the other interface as your LAN gateway. I wouldn't recommend running this solution but it's cool to learn about! Although the switch modules are fairly cheap in the UK, not sure about where you are located.
  14. BSpendlove

    DoS ICMP attacks

    That'll fix nothing. As said above, filtering is fine and you don't need to buy a dedicated firewall to 'fix' this problem; the line will still saturate and hog the bandwidth. No, you can't just filter ICMP either, for the others suggesting it, and a firewall will do nothing other than drop the packets when they hit the public facing interface, if told to do so.
  15. BSpendlove

    Question about network switches

    Lol, if you're running 100Mbps nowadays then you need to cry