CCNA Bootcamp Session 2

Captions
Hello, hello, hello, we are back. I decided to change up the way that I was doing the live deploy, or going live, a little bit differently. I'm not using OBS this time; there was a lot of lag, so I'm choosing to go a different direction with it. Let's make sure that everybody can hear me and all that good stuff. Let me know that the video and audio are working before we get started here. It should be, but... good stuff. See, that's what I'm looking for; that's way faster than going through OBS. Awesome, good stuff.

All right, since this is going to be way more... this is the actual interaction I'm looking for. I mean, before it was like 20 or 30 seconds of delay between me saying something and you guys hearing me. So with that being said, before we get started with our next session, does anybody have any questions, any topics that you guys want to discuss before we get started, that it makes sense for me to help you guys figure out or understand? If not, that's fine; I just want to make sure that I'm cognizant of everybody on the call.

[Attendee: I think I just need to run the labs a few times to fully get it all.] Fair enough. [Attendee: I was trying to set up DHCP and I'm not getting any addresses set up on the PCs.] Are you using Packet Tracer? Okay. So on the Packet Tracer PC, are you setting it, obviously, to DHCP? Right, okay. I don't even know if you can do this; let me share screen, I'm going to share screen three and do this. Oh good, it does. Okay, cool. After the exclusions I did service dhcp, okay. So I'm not even sure you can do this on this box: debug ip... hey, you can't do it. Yeah, I was about to say, I honestly don't know how to... So there are a couple of different ways that you can do it. What I would recommend you do is make sure that the VLANs across both are set up correctly, that the trunking is there, and that you can set a static IP address on your PC and then try to ping your default gateway. That's what I recommend you do, and that would be the ideal next step. DHCP might be buggy, but layer 2's got to be in place first, and if layer 2 is in place then DHCP should kick in, so just be aware of that stuff. [Attendee: I was thinking about that as well; I should set up EVE as well.] Yeah, that's going to be the cat's meow. The quicker you can get that going, the better off you're going to be long term, so that'll make the most sense.

Can I move this? Oh, it won't let me move it. Bonzer, because I want to move this over to the right. That's okay, I can put this over here so you guys will still be able to see what I'm doing.

All right, so as I mentioned at the end of the last session, we're going to focus some more on static routing at this point and go from there. Just to recap where we're at: we do have DHCP working. If I do a show ip... okay, DHCP is working here, everything's looking pretty good. If your DHCP is not working, maybe we'll spend a few minutes on that towards the end, or a little further along, but I will post the configurations that I've put in play in the Google Drive, so you guys will all have that and you'll be able to deal with that later on.

So that is basically what we're going to go ahead and do from here on. We're going to take a look at static routing and setting up NAT. We're going to allow our PCs here to hit Router 3, where I'll allow it to be pingable and stuff like that. And then I have the internet here. There's a way to set up EVE in such a way that you can actually punch a hole through EVE and get outside to the internet, the legitimate internet, so if you have a Windows VM installed inside of EVE, or a Linux box, and you're trying to test out stuff like Python, for example, you can go ahead and deploy your Linux box and then connect it to the internet, and voila, there you go. So there's that piece. It does work; it's not very difficult at all to do. Maybe I will set that up, I don't know yet.

So what I'm going to do is we're going to talk a little bit about static routing. Is anybody here not comfortable with static routing? Do you understand the concept, or do you struggle to get static routes to work and things like that? I'm trying to gauge the level of comfort here with what we've got going on before I move any further. You'll find that static routing is one of those things that, once you understand the basics of static routing, it's not very difficult. But what I do recommend people do is, once you understand static routing, move away from it to dynamic routing, because the reality of it is, if you do static routing everywhere, that's a lot.

[Attendee: I get it, but I can't remember what types of static routes there are.] Okay, yeah, we can dive into those specifics here and I can lay out what they are, because the nice thing about it is I have full IOS, so I can actually configure the floating static routes, I can configure the fully specified, the recursive static routes. I can take a look at all of those versions and show you what they look like, because they're all pretty much the same configuration; there are just certain aspects of each one that change what they're defined to be doing and that type of stuff. So yeah, we'll get that squared away, depending on how much time it takes us to get through static routing and the NAT. Yeah, for sure, I have no doubt that there are little details like that that messed me up too, and don't feel bad, it happens to the best of us. So we'll definitely be taking a look at how that comes into play at some point in the future.

Let me see if there's... okay. So anyway, with that being said, one of the things that I have done a lot in the deployments that I've done is what I've got set up here. What I basically have set up here is I have my core switches, right, my core switches, my core distribution, so this would be my core distribution. I don't typically do a VLAN in between here, so I don't really configure a VLAN or put this port into a VLAN. Normally what I do is I convert this port, gig 0/3, to a routed port. You might say, what's a routed port? A routed port is a port where you go underneath the interface config mode and you type in no switchport. When you type in no switchport, you convert that port to be a routed port. The only caveat with that is it must be done on a layer 3 capable switch. So if you've got a 2960 or 2950 or some other type of platform that does not support IP routing, then layer 3 ports won't work here; you will be stuck with doing it one of two different ways.

Let me go ahead and do the whiteboarding down here at the bottom. Essentially you have two different ways of doing this. You have your switch and you have your router, and you're going to set up a connection. So a routed connection: this port right here is given the no switchport command, and then you give it an IP address of, say, 10.1.6.6/24. This side is given an IP address of, say, .1; this will be .6, and now you are a routed port, so you can ping back and forth on the subnet, and then you can configure static routing, you can do OSPF, you can do EIGRP, you can do BGP. It's up to you what you want to do; lots of flexibility.

The other variation to this, and this one is a little bit more difficult to understand because it's taking something that most people don't do, which is a little bit tricky to understand, so let me go ahead and draw this out. If you don't want to do, or if you can't do, a routed port, so you're working on one of these platforms up here, 2960, 2950, something that doesn't support layer 3 connectivity, what you do is you create a VLAN, let's say VLAN 10, and you place this port inside of VLAN 10 as an access port. What you do then is you create an SVI for VLAN 10, and you give it an IP address, let's say we give it 10.1.6.6/24. The SVI is VLAN 10, and because VLAN 10 is applied to this port right here, you've essentially given the VLAN a routed interface. This side over here is configured with .1, and then what'll end up happening is traffic from 10.1.6.6 to 10.1.6.1 will be able to communicate. So instead of communicating from here to here, it'll actually communicate from here to inside of the switch, and that'll go back out, and you'll be able to communicate back and forth. But it'll be the SVI that will be responding to the ping, not the interface itself. The interface itself will be a port that's providing access to the VLAN, and you'll be able to receive traffic in and on that port. So that's basically how that comes into play.

This one here is more difficult; this one here is easier, because you can basically look at it like a routed port. This is a routed port on a router; they're always routed, right? You can shut the main interface and then you can create sub-interfaces on it. Where you're creating an SVI and associating a VLAN ID to it, this one's a little bit more difficult to understand. Does that differentiation help when it comes to determining routed ports and a VLAN, or an SVI, that responds to VLAN communication? Does that help? I'm hoping it does, because that's basically the idea behind it. We're going to be going with this methodology right here, because this is the one that makes more sense. Now, can I run OSPF, EIGRP, BGP, everything that I can run here, down here? I can; it would just be the SVI that would be forming the connection.

Is everybody here familiar with what a loopback address is, or what the loopback address's purpose is? Okay, so essentially we're doing the same thing. The loopback address would be the same concept as an SVI. Because of the SVI we're able to configure routing on it, and it would just be responding for the traffic. The only difference is the SVI isn't sitting on the edge; it's not physically attached to the port, it's internal, and that's the part that messes with people. So that's why I like to explain it the way that I do.

So beyond that, what we're going to do on Switch 6 and Switch 7 is I'm going to convert both of these ports to be routed ports. I'm going to configure their subnets appropriately, and then I'm going to set up R1 and R3 and Switch 6 to be able to communicate with each other. So a static route pointing this way to reach the 10.1.10 and 10.1.20 subnets, and then a default route pointing this way to reach R1, because R1 essentially is going to be our edge, and so will R2. When we get into dynamic routing a little bit later, and into NAT, we'll talk about more of a high availability type of scenario, where if I'm working through a situation this type of stuff comes up, and if I need to alternate my path from R1 to R2, how would I go about doing that? With real IOS I can demonstrate this; with Packet Tracer I can't, because Packet Tracer doesn't have the capability of pulling that off.

All right, so with that being said, I like the fact that the latency, the delay, is gone; you guys are able to keep up with me on time, which is really nice. I'm going to go ahead and switch gears and we're going to go through the configuration piece and get these guys squared away. So on Switch 6 I'm going to go in here to global config, I'm going to type interface gig 0/3, and I'm going to type in no switchport. Then if you do show ip interface brief you can see that gig 0/3 is still up, right? But if I type in switchport access vlan 10, it's going to say gig 0/3 is not a switching port; it's a routed port now, which means I have to give it an IP address of 10.1.6.6/24.

Now that guy's squared away. Actually, you know what, maybe I go ahead and do one side with the routed port and the other one I'll do as an SVI, so you guys can see how both are configured. I'll do that instead; that'll make more sense, so you guys will see both examples.

On R1, I'm going to come over here and show ip interface brief. I've got nothing configured, so I'm going to go to global config, interface gig 0/0, IP address here will be 10.1.6.1/24, no shut. Just that simple. All right, so now I'm going to wait for that port to come online. There we go.

So now I have to go and do what? I have to set up my static routes, right? So if I do show ip route, will I be able to reach the 10.1.10 and 10.1.20 subnets from R1? I won't be able to, right? Why not? Can anybody explain to me why? Let's play the technical interview for just a minute. If you could, in like one sentence, why can't we reach 10.1.10 and 10.1.20? Any ideas? [Attendee: I think since they are not in the same VLANs.] Okay. [Attendee: No default route.] [Attendee: There's no route to 10.] Exactly, okay. So Ed's is the most specific response, and Marco is good, there's no default route, but you wouldn't want to put a default route on R1 pointing internally, right? Because then that would potentially cause a loop, where you're saying R1, point back to Switch 6; Switch 6 isn't going to have the internet on it, so you're not going to want to point a default route from R1 back towards Switch 6. You're going to point a default route on R1 out towards R3, which is going to be our internet router. And they're not on the same VLAN, so you're all technically right, but Ed is the most correct. So let's explain why.

If I look at Switch 6 and I do show ip route, I can see that I have 10.1.6, 10.1.10, 10.1.20. Now if I'm on this guy, if I'm on PC 11, will I be able to ping 10.1.6.1? I'm going to get nowhere fast, right? Because I don't have any routing set up. So let's go ahead, and on Switch 6 I'm going to create a default route. Everybody should be familiar with the default route; if you're not, you're about to get educated. I'm going to do an ip route, and the command is going to be 0.0.0.0 0.0.0.0, and I'm going to set my next hop. So we have a couple of different ways that you can do this. For what Pete was mentioning a little bit ago regarding the fully specified versus the static route, things like that: if I wanted to create a recursive static route, I'm going to type in 10.1.6.1. That is a recursive static route. What's the difference between a recursive static route and a fully specified static route? It's this: if I come in here and I define my outgoing interface, if I type in gigabit 0/3, question mark, and then a next hop, 10.1.6.5, that is a fully specified route. I'll do show run | include ip route so you guys can see both of them side by side. You're going to see that this is my recursive static route. I'm basically saying, if you don't know where to send the traffic, send it out to 10.1.6.1. But at the same point in time, if I look in my routing table, if I receive traffic in on Switch 6 and I don't have a route in my routing table but I do have this default route in my routing table, I then need to figure out what interface do I leave out of to reach 10.1.6.1, so I have to go look it up: recursive lookup. It's like somebody comes to my front door and knocks at the door, I answer the door and they're like, hey, is so-and-so here? I don't know, so I have to go look, right? That's what they refer to as a recursive static route. A fully specified route is saying, if I have a default route, if traffic comes in and there's no more specific route than the default, I'm going to use the default, I'm going to go ahead and automatically move traffic to the gig 0/3 interface and then point out to the next hop of 10.1.6.1. This is fully specified, meaning we don't have to go look anything up; we've already defined the egress interface and the next hop IP address, and that's where that comes into play. Now, any questions on that before I go any further? Does that make sense? Sure thing, good stuff.

All right, now the question I have for you guys: will I be able to ping 10.1.6 now that I've got that default route configured on Switch 6? Will I be able to reach it? You should be able to reach it. Okay, any ideas as to why I'm not? Any takers? Now, I'm actually going to not make anybody answer this question a second time, but remember when Ed said there's no route to 10? What do I not have on this guy? I don't have a route to reach the 10.1.10 network, or the 10.1.20, for that matter. So I can't reach something if I don't know how to get there. Switch 6 will actually send the traffic. If I was to go back to PC 11 and do a trace to 10.1.6.1, it's 10.1.10.6 and it's like, well, not really sure what else to do, captain. So what I'm going to do is on R1 I'm going to create an ip route back to 10.1.10.0. [Attendee: You need a route to connect to the 10 network; wouldn't you also need a route from 10 to connect to 6?]

No, because... are you talking from PC 11 out, or the R1 to PC 11 direction? Which way are you referencing? [Attendee: R1 to PC 11.] Okay, no, you wouldn't, because when you're on R1 you just need a pointer, because Switch 6 is the layer 3 boundary for those VLANs. Because it's the layer 3 boundary, R1 just needs to say, in order to reach 10.1.10.0/24 and 10.1.20.0/24, point yourself to Switch 6, or 10.1.6.6, and you'll be able to reach that. Switch 6 is the termination point, or the default gateway, for those VLANs, and it has direct access to them. So you wouldn't need a route to get to here, you just need a route to get to here, and you're going to be pointing to Switch 6 in order to get that. You don't need one because you're directly connected to 6 already; you don't need one because you're directly connected to it right here. Since you're directly connected, you don't need another route to it. Anything that you're not directly attached to, you need a pointer to reach. [Attendee: So Switch 6 is all trunk ports?] No, Switch 6 on gig 0/3 currently is a routed port; all the other ports, 0/1 and 0/2, are trunk ports still. So 10.1.6.6, okay, so now I've got that route. I'm going to go ahead and add in a 10.1... do show ip route, and now I have my routes in the routing table. I have recursive static routes in my routing table. Now if I go back to PC 11 and I try to ping that, do you think it'll work now? I like your confidence. Yes, of course it will, because we have pointed them to each other. Now if I do a trace, it's going to get to where it's got to go all day long. It's able to reach its destination, which means now I can reach R1, right? Now I have reachability to R1, and that's really the big ticket item here: we can reach R1, and because we can reach R1, that means that other things will be able to work. So if we go to configure NAT, we should be able to reach R3 after we configure that. We're not going to configure it right this second, but the concept applies.

So let me do this real quick. Let me come over here, let me right-click on Switch 6 and go to capture on gig 0/3, and open up Wireshark. Oh, the connection was abandoned. So in case anybody is interested in knowing about this stuff, when you do this it's basically going to try to SSH into my EVE instance, and what I need to do is close that out real quick and close this out. I need to open up SSH, or PuTTY, and I need to connect to 10.255.1.30 on 422 with SSH, and all I need is this: I just need to accept the thumbprint, I'm going to say yes, I'm going to close out the PuTTY session, I'm going to right-click on here, capture gig 0/3, open Wireshark again, and now my connection is going to establish. So we see this communication going back and forth. I'm going to go ahead and pull up this guy again, pull up SecureCRT, and let's do a ping. We can see the ICMP ping going back and forth, right? I come in here and we can see that I'm going from 10.1.6.1 to 10.1.10.1, back and forth all day. If I do the trace, same thing, except we're going to have UDP going back and forth, because it's a combination of UDP and ICMP: UDP to go out, ICMP unreachables to identify the trace. So that's working like that. I'm going to keep that open as we're going along; I'm going to minimize that. Hopefully the Wireshark captures will help with reinforcing what's going on.

All right, so with that being said, let's go ahead and take a look at our next hop, or actually, before I do that, are there any questions regarding anything that we've covered? I will talk about floating static routes here in a little bit once we get a little bit further along. That wasn't part of my agenda, but I can talk about a floating static route. Any questions up to this point that anybody has? If you don't, that's fine; fair to ask. All right, doesn't look like there's any questions, which is super fine to me. I will continue moving forward. Okay, so...

[Attendee: So you configure as a next hop the gateway port, right?] So you configure it as a next hop gateway port, yes. So I think you're referencing this. Yeah, so on Switch 6 we configured a static route. We converted gig 0/3 to a routed port and then we went ahead and configured a couple of different default routes, right? I have a fully specified and a recursive static. So what you're referencing here: we configured this, this is the next hop, that's the next hop, and that is what we're going to point to. In order to find that, we have to look in the routing table. But this one here, we don't have to look in the routing table, because we were nice enough to our switch and told it what interface to send traffic out towards, and the next hop IP address. But regardless of whether you do a fully specified or a recursive static, the next hop IP address needs to be defined. Now, there are some arguments that would say that I don't need to do that; I could just do this, and it says "default route without any gateway, if not a point-to-point interface, may impact performance." Fair enough. But if I do show run | include ip route, I'm going to have all three show up, but the one that I'm going to rely on is going to be this guy. They should all show up in the routing table as well. So the one that you're going to see the most in production is going to be this one right here, the recursive static route. This guy right here will be the most common one you see, because it's just pointing to a next hop. You look in the routing table, you go, oh, okay, that's reachable out this next hop, this outgoing interface, let me go ahead and just move my traffic to that particular port and send it on its merry way. That's basically what's happening here. Does that answer your question? I hope so; we shall soon see. [Attendee: Okay, well, I don't want to just be okay. I mean, how does it know which port to go out of?] So, well, I've technically already covered that, but the way that this works is: you have your traffic coming in on the switch, and it looks in the routing table, and there's not a more specific route, so the default route triggers and says, okay, hey, I'm a catch-all for everything and I need to point out to a next hop. So when I look at this guy right here, if that's my only static route in my routing table, I'm going to go ahead and do show ip route 10.1.6.1, and 10.1.6.1 shows up, and it says, oh, it's known via connected; this is a connected interface to me. Meaning that I'm going to come in on, say, gig 0/0, do a routing table lookup on Switch 6, realize that I need to go out towards Router 1 via 10.1.6.1, and the outgoing interface is going to be gig 0/3. So if it doesn't know what interface this IP address is associated to, it's essentially doing this right here, finding out through this, and then moving it from the inbound interface to the outbound interface and then sending it on its way.

Another way to look at it is show ip cef internal, where if I am going to be a default route, I'm going to point it out the next hop right there. This is the forwarding engine; this is the actual data plane forwarding capability of the router. It's going to look and say next hop 10.1.6.1 is reachable out gig 0/3, check, go, and it'll be able to reach it that way. Yeah, that's how that works. Packet Tracer's not going to give you this type of detail; that's why I like dealing with regular IOS. So that's how that would work.

All right, with that being said, clear as mud? Everybody good to go before I move on to NAT? I feel like we're making nice progress. The nice thing about it is these are being recorded and you guys will be able to watch them in playback. [Attendee: It's clearing some cobwebs. Okay, show ip cef?] So CEF stands for Cisco Express Forwarding. It's how the router actually moves packets through itself, or the switch in this case; it's actually the switching engine of the device. So you have the routing table that learns all the routes, or populates all the routes. That's where you configure your static routes, or any routes that are going to be used to forward traffic throughout the device are going to exist in the routing table. All that information is downloaded into the CEF table. The CEF table is your forwarding engine, or what they commonly refer to, and I'm looking for the word right now, right here: FIB. The FIB is the Forwarding Information Base. This is going to be the data plane portion of the router; this is how traffic moves through the box. So this is going to tell you exactly how something is being moved through a box. That's how that works. This is a little bit more of an advanced command, but if you're having problems trying to figure out why traffic isn't moving through the router, this would be a great way to identify that.

Actually, let me clean up some of my static routing so that it's not so confusing for any of them. I'm going to remove the fully specified and the connected, because they can throw people off. I'm just going to use what most people are going to use, which is the recursive. Yeah, something like that; not exactly, but it's pretty close. Let me go ahead and do a show ip route. Now we can see that we have a simple static route in the routing table, and if I show ip cef again, or if I do show ip cef internal, you're going to see that the IP address for this guy is saying that in order to reach the default route, the outgoing interface is this, and that's how it's reachable: connected to gig 0/3. And that's basically how that's going to work. It's really not that complicated; it's just a matter of, once you know what next hop IP address is going to be used, it's actually easier to correlate it this way. It's easier to do a show ip route, figure out, okay, my default route is this, it's going out this next hop IP address, and do show ip route for 10.1.6.1, and it says connected via gig 0/3.
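The static-routing lab walked through above, written out as an added IOS configuration; this is not the instructor's posted config. The addresses and interface numbers are the ones used in the session, the SVI alternative uses an assumed VLAN 6 (the whiteboard used VLAN 10, which here is already the user VLAN), and ip routing plus the VLAN 10/20 SVIs and trunks on Switch 6 are assumed to exist from the previous session.

```cisco
! ===== Switch 6: routed-port variant (the one used in the session) =====
hostname SW6
!
interface GigabitEthernet0/3
 description Link to R1 gig0/0
 no switchport                       ! switching port -> routed port (layer 3 switch only)
 ip address 10.1.6.6 255.255.255.0
 no shutdown
!
! Default route toward R1. The session tried three forms of the same route:
!
!  (a) recursive static: next hop only. The FIB must look up 10.1.6.1 in the routing
!      table to learn the egress interface (gig 0/3). This is the one kept in the lab.
ip route 0.0.0.0 0.0.0.0 10.1.6.1
!
!  (b) fully specified: egress interface AND next hop, no recursive lookup needed.
!      Shown for comparison only; removed in the session to avoid confusion.
! ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/3 10.1.6.1
!
!  (c) interface only. IOS accepts it with the warning "default route without any gateway,
!      if not a point-to-point interface, may impact performance". Also removed.
! ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/3
!
! ===== Switch-side alternative when "no switchport" is not supported (SVI variant) =====
! The uplink stays an access port; the IP address lives on the SVI, which answers the pings.
! vlan 6                               ! assumed VLAN number for the transit link
! interface GigabitEthernet0/3
!  switchport mode access
!  switchport access vlan 6
! interface Vlan6
!  ip address 10.1.6.6 255.255.255.0
!  no shutdown
! ip route 0.0.0.0 0.0.0.0 10.1.6.1    ! same default route as above

! ===== R1: pointers back to the user VLANs =====
hostname R1
!
interface GigabitEthernet0/0
 description Link to SW6 gig0/3
 ip address 10.1.6.1 255.255.255.0
 no shutdown
!
! SW6 is the layer 3 boundary (default gateway) for VLANs 10 and 20, so R1 only needs
! "go via 10.1.6.6" for those subnets. No route is needed for 10.1.6.0/24: it is
! directly connected. No default route points back at SW6; that would loop.
ip route 10.1.10.0 255.255.255.0 10.1.6.6
ip route 10.1.20.0 255.255.255.0 10.1.6.6
!
! ===== Verification, using the commands from the session (output abbreviated) =====
! SW6# show ip route            -> S*  0.0.0.0/0 [1/0] via 10.1.6.1
! SW6# show ip route 10.1.6.1   -> Routing entry for 10.1.6.0/24, Known via "connected"
!                                  (this is the recursive lookup, resolved once, then cached)
! SW6# show ip cef 0.0.0.0/0    -> nexthop 10.1.6.1 GigabitEthernet0/3   (the FIB view)
! R1#  show ip route            -> S   10.1.10.0/24 [1/0] via 10.1.6.6
!                                  S   10.1.20.0/24 [1/0] via 10.1.6.6
! PC11> trace 10.1.6.1          -> 10.1.10.6 (SW6 SVI), then 10.1.6.1 (R1)
```

If the PC can reach 10.1.10.6 but the trace dies there, check R1's two static routes first; if it dies before 10.1.10.6, the problem is layer 2 (VLAN, trunk or SVI), not routing.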
all right sorry about that anyway so um does that help clear everything up hopefully maybe i don't want to make it sound like it's super super simple but it really is that's when that's as complicated as static routing gets there are a couple of more extreme scenarios but i'm not going to get into them today the one thing that i want everybody to remember is that the majority of things that you're going to see in production most of the time you're not going to see static routes you might see a handful here and there but for the most part it's going to be dynamic routing for any size environment any sizable environment i should say all right all right so i'm going to move on to nat unless anybody else has a question or needs some clarity if you type in iprot 192.168. 1.1 would it throw an error no it would not it should not ip route 192.168.1.1 it doesn't care what the next topic address is and do show iprout it's not going to show up in the writing table the reason why it's not going to show up in the routing table is because there's no interfaces on the router or i should say on the switch that have 192.168 associated to it so if you type in any arbitrary ip address into your router or into your switch for a default route the only way that that rod is going to take effect is if there's an interface with that uh that subnet applied to an interface that's the thing you got to remember it has the interface has to be up up and it has to have an ip address associated to it that's you know so we do show ip interface brief you're going to see that these are my subnets 10 1 6 10 110 and 10 120. i don't have any 192.168. 
so the router is going to be like yeah sure whatever i'll take whatever you want to throw at me i just won't use it until i add a interface that's got 192.168 um associated to it going to get rid of that all right if you have additional questions on stuff like that let me know i have no problem circling back and answering your question but uh with that being said uh any objections to moving on to nat we're going to do some basic gnat and get into how it can uh connects us to router 3 and we'll do some setting that up if not we can always we can continue down this discussion i'm fine with that too by trying to push you guys in a particular direction you're ready for some that okay sounds good all right network address translation so we're going to talk about this in terms of how you would get access to the internet right so there's a couple different types of mat and i'm not going to go through all the super specific details because i don't want to like lose anybody so essentially when it comes to network address translation what's the goal of nat nat's goal is part of the word is translation so it's basically designed to take any rfc 1918 address space so the ten slash eight the one seven two dot sixteen slash twelve and the one ninety two dot one sixty eight dot or slash sixteen and or anything private i p address right any private ip address i like to reference rfc 1918 that's what it falls under and it's going to translate those ip addresses into ip addresses that are associated to your outside interface say like 13.0.0.0.24. 
it's translating it so if i have a router and i have my internet interface and i have my internal interface actually let's not say internal i'll say inside so that it looks different with the writing and let's say i've got 10.1.10.0.24 oops that's a supposed to be a four not a nine this is dot one okay and i have my internet and it comes out here and i have 13.0.0.1 here and i've got dot three over here and let's pretend like this guy right here is the internet cloud i'm no artist so don't make fun of me so how does the translation actually work how does nat actually do its job can anybody can anybody give me a high level definition in your own words like we talked a little bit about earlier um if you had to describe that let's do a technical interview for just a moment you have to describe nat what is nat's job to do and how would it do it if you don't feel comfortable throwing an answer out there that's fine you can you can stay quiet that's fine i don't want to make anybody feel uncomfortable i'm just curious to see if anybody has a general understanding of how that works we'll go through it here but it takes the nsaid address private and i'll put it into a public address it's a good way of describing it actually pretty good i'll put a public address correct translates public ips to private ips and vice versa mapping inside addresses to outside addresses okay you guys are all right on point when it comes to how that works right it's really not it's nothing more than that the one thing i want to caution everybody on and this is this actually helped me when i was studying that a long long time ago there was i forget who said it to me but the the advice i was giving because i was trying to like okay how does it do it and because i was like you know one of those nerdy type of people that wanted to know how the process actually worked and i had somebody that was far senior to me say rob it doesn't really matter how it just matters that it does i was like okay you 
know, and he was trying to bring me back down to earth in terms of my head in the clouds trying to learn all this stuff and trying to make NAT bigger and better than it actually was. Yeah, exactly, exactly. I like that, "there is no how, only do," exactly like Yoda: do or do not, there is no try. So with that being said, it's really nothing more than that. So there's a couple pieces of information that we need to provide to the router in order to make NAT work, right? And the first one is going to be that we have to label the interfaces, so I'll say the int config. So on this side right here we're going to type in ip nat inside, and over here on the internet side we're going to type in ip nat outside. Very obvious definitions, right? Can I have more than one interface configured for NAT inside and outside? I can, but when you start getting into more advanced NAT configs you are going to need to call in what they call a route map, and we're not going to be dealing with that today. We might look at that in an upcoming session, but it won't be tomorrow. Route maps are a little bit more complicated and more of a CCNP-level topic; we could talk about that at a later point in time. But if you have just an internal interface, or maybe you have multiple internal interfaces, maybe you're routing for a bunch of different traffic, if you're a router with a bunch of sub-interfaces on it like over here, then it would make sense to have ip nat inside on all of your sub-interfaces, right? And we'll take a look at that; we can set up NAT on R4 and R5 to demonstrate what that would look like. But for however many interfaces you have on the inside, if traffic is coming this way, ip nat inside. So when the traffic is coming this direction it's going to get translated from 10.1.10.10 over to 13.0.0.1, and that process is going to take care of that for us; we don't have to do anything fancy. This right here is a public IP address, right? It's reachable on the public internet,
which means that the rest of the internet is going to know how to find that IP address, and because it's going to know how to find that IP address, that's going to be how traffic goes out to the internet and does something online, and then that traffic is going to find its way back to us. That's how that works, pretty straightforward stuff. As you can see, the last piece to it is just, actually, I'm sorry, there's two other pieces to this. So this would be the first, the interface configuration. The second is going to be an access list. The access list can be either a standard or an extended ACL, it's up to you and how you want to do it. I actually prefer extended ACLs because if I need to be specific on something, or I've got a particular use case in play, maybe I've got a site-to-site VPN set up and I need to exclude certain traffic from being NAT-able and allow it to go over the VPN, there's a couple of use cases that would come into play with that. But I typically like to use an extended ACL because it gives me more granularity. I'm an engineer, right? I don't want to just take the easy way out. Or you can use a standard ACL, it's up to you and how you want to do it, either way will work. We're going to be using extended ACLs, but if you use a standard ACL, just make sure you're calling the correct subnets: 10.1.10.0 and 10.1.20.0, each with a /24 mask. Voila, there you go. The third and the most important one is the global config. Global config, as you might imagine, is the ip nat inside source command, and I'm not going to type it all out because it's a rather lengthy config, but that's basically what's going to end up happening: you're going to do ip nat inside source, source list, the access list name, interface, and then overload. Overload specifically is a key command that we want to talk about. Anybody know what overloading does, what overload's job is, why we use the term overload? Not overlord, but overload. Any ideas why we use that? That's a good way to reference it, actually:
"overload that one public address." I like that, actually. "For more inside IPs," right. So oversubscription, that would work too. So what you're doing is you're saying, I don't care how many internal addresses I might have. I might have a hundred, I might have hundreds, oops, not an exclamation point, I meant to say a comma, hundreds of internal users trying to go out to the internet, right? And I need to be able to translate all these addresses over to this guy. And the way that it does that is via port address translation. So every new flow that goes out of the box is going to get a new port number associated to it; the original port might get changed to something else. You might send traffic with colon, or sorry, the destination port will change, if I'm trying to reach, say, 21.16.8.3:80 and I'm using 2727, this port might get changed. This port, typically the destination port you're trying to reach, typically is going to stay the same; the destination port isn't really going to change at all. The source port will change, and, yeah, the source port will change, and the destination, or sorry, the source IP address will change as well. They're going to get moved over to 13, and it'll be a colon like 2727, or this might be 3751, so on and so forth. But the bottom line to that is port address translation means that we're going to use the same single IP address over and over and over again, but just with a different port number associated to it so we can provide uniqueness. The port number provides uniqueness on a per-flow basis, and that's basically how that works. So I'm going to go ahead, any questions on any of the stuff that I've covered so far? I'm going to go ahead and configure it, but I want to make sure that I answer any questions you guys might have before I dive into it. Anything that doesn't make sense, clarification? "I understand it this way but I want to make sure that I'm looking at it correct." Okay, cool. "Are you going to go over the default
originate command?" I will, when we get into EIGRP. Sure, sounds good. All right, I'm gonna go ahead and set up the configuration now. Go ahead and pull SecureCRT up. Now on R1 I need to do a show ip route. I have a couple of internal routes pointing towards 10.1.10 and 10.1.20. What I need to go do is configure a default route on R1 that points to R3, and I need to also configure R3 to have an IP address. So I'm going to come up here, I'm going to type in ip route, a default route to 10-dot, or sorry, in this case here it will be 13.0.0.3. If I do show ip interface brief you'll notice that I don't have any interface configured with that IP address, so if I do show ip route again my default route won't show up in the routing table. So on gig 0/1 I'm going to type in ip address, here it's going to be 13.0.0.1 /24. I'm going to no shut the interface. I'm going to do the exact same thing to R3 just to get him squared away: type in interface 0/1, ip address here will be 13.0.0.3 /24, and no shut it. And that's all I need; give that a couple seconds to come online and then we'll be able to move forward. All right, so now if I go back to R1 and I hit the up arrow and do show ip route, that's what shows up in the routing table now, my default route, because now I have an IP address associated to an interface that's been configured and is in the up/up state. Now I can go ahead and move forward with my configuration of NAT, because now I have an outside interface that I can tie to that. Make sense so far? That answers the question that was asked a minute ago about the other IP address. So I'm going to go ahead and move to this next step, which is going to be configuring NAT. I like to do things in a little bit of a different flow. The order that you configure NAT, or PAT, which means that you're gonna configure the interfaces, create the access list, and then apply the ACL globally with the ip nat command, the order in which you do it is 100% arbitrary. You can use whatever order you want. You can
configure the interfaces first, then the global config, then you can set the ACL; or you can do the ACL first, then the interface, then global config. The order doesn't matter. So I'm going to say ip access-list, I'm going to say extended, I'm going to say NAT, something very, very obvious. I'm going to type in permit ip from 10.1.0.0 0.0.255.255, basically anything internally, or 10.1, which is going to include 10.1.10 and 10.1.20, and I'm going to say the destination, I don't care about it, it could be anything on the internet. And that's it, that's all I have to use. I'm going to go ahead and exit out. Next thing I'm going to do is interface gig 0/0, because that's my inside interface: ip nat inside. Now this is going to hang up for a second because the router has got to do some internal config, so that'll take just a minute for it to do its thing, and you'll see that the NAT virtual interface zero came online, and you're gonna see that it's a CPU hog for doing that. All right, so now that that's done I'll be able to go to interface gig 0/1 and type in ip nat outside. Okay, now my next thing: if I do show ip interface brief you'll see now that I have an NVI0. What I'm going to do now is I'm going to type in ip nat inside source: where's the traffic coming from that I want to NAT? What's the access list that I'm going to be calling? The access list name is going to be NAT. What interface do I want to tie it to? I'm going to be specific, I'm going to say interface gig 0/1, and I want to overload it; overloading allows me to do PAT. And that's it, there's really nothing more to it than that. I'm gonna do a show ip nat translations; I don't have anything set up yet. So the next question is, what do I have to do in terms of connectivity? Do I need to configure any routing on R3? Do I need to configure any routing on switch 6? Do you think there's any additional steps that I need to go through in order to make this work, or do you think I'm good to go? And just to recap real quick, on switch 6 I have a
show ip route, I have a default route pointing towards R1. On R1, show ip route, I have a default route pointing towards R3 for public access, and then I have two static routes internally pointing back towards switch 6 to reach my internal subnets. So any guesses as to whether or not this will work if I was to ping? Let me go on R3 real quick and I'm gonna say ip address, or, it's interface loopback 0, ip address here will be quad 8 /32 so we can simulate Google. All right, so here is our test: will this work? "Sounds like it would work to me." "By that logic it would be." "Testing it anyway." Yeah, 100% agree with you on that one. So I'm going to go ahead and ping quad 8, see what happens. It goes out, I'm able to ping it. Now let's go to R1, hit the up arrow a couple times, there I have my translations. I have traffic coming from 10.1.10.1 on port 30585 being translated to 13.0.0.1:30585, and my outside local and my outside global are both quad 8, basically internet reachability. So internally I'm NATing 10.1.10.1 over to 13.0.0.1 and it's working 100%. So if I was to come over here to R3, I don't know if I'll be able to do this, but I'll debug ip icmp, and I think on interface 0/1, no ip route-cache, and interface loopback 0. Let me go ahead and try that again. Okay, yep, so if I look over here we can see that I am debugging the ping, so we can see the echo reply sent with the source of quad 8, or, the destination of 13.0.0.1. So we have end-to-end reachability, which is what we wanted to have, right? So the no ip route-cache that I turned off on the interfaces is disabling CEF at the interface level from being able to handle the processing. If I was to turn IP route caching on, I don't think the ICMP would respond, and what I'm doing is a control plane check, because the CPU of R3 is responding to the pings from PC11 and therefore it's gonna allow the debug to
trigger. So that's working. Now let's try from PC13. If I was to ping quad 8, it's also working and we get an ICMP response, and let me just make sure that it's going the right direction here. PC13, I was able to ping it, let me do a, oh, from, so it's hitting switch 7. So here's a scenario that we want to be cautious on when we're doing our configuration. If I go to PC11 and I do a trace to quad 8, right, I get the 10.1.10.6, which is going to be switch 6, so my default gateway, I go to R1, R1 sends it on to R3, and I get the ICMP type 3 code 3, destination port unreachable, and if I look at R3 I can see that communication. Now we go to PC13 and I do the same trace to quad 8: I hit 7, and 7 points to 10.1.20.7 and says I don't know how to get there. So what's the problem? Why is VLAN 10 able to reach the internet but VLAN 20 is not? Any ideas? And if you don't, that's fine, we'll definitely show you what the problem is. "No clue." Okay, fair enough. So the idea is that traffic from PC13 is going this direction right here: traffic is coming up here and then going to switch 7.
Have we done any configuration between switch 7 and R2 in order to get the static routing set up on here, or set up NAT to point to this guy, or anything like that? Have we done anything on switch 7 or R2 yet? Nope, right? So that's one possible solution: we can go on, let me go ahead and move my mouse out of the way, we can configure the static routing between these guys, set up a default route here pointing this direction. "Can we do a route via switch 6?" Okay, and Marco actually called out the other option: or we can configure HSRP on this guy here to be, for 20, this to be the active forwarder, because right now it's not. So if I was to go look back at HSRP and look at switch 6 and do a show standby brief, who is my active forwarder? 10.1.20.7, right? So switch 7 is who I'm sending my traffic towards. Is that the way that it should be? I mean, it really depends, but could I make an adjustment on switch 6 and switch 7 to make switch 6 the primary egress point and allow traffic to flow through switch 6 to R1 to reach R3? Sure. So there's a couple different ways that you can solve it: you can either adjust the HSRP configuration on switch 6 and switch 7 to make switch 6 the default gateway for both VLANs, or you can go on switch 7 and R2 and configure them identically to switch 6 and R1, and that's actually what you'd want to do. Whatever you're configuring on these guys up here, you'd also want to have down here. We just haven't gotten that far yet, because I wanted to make sure that I was walking you guys through this effectively so everybody's able to keep up and follow along. Or GLBP, that would work too. So you would obviously want to move whatever's here down to this guy, and that would allow for the communication to happen, and then switch 7 would be able to send traffic out, but it would have a different source IP address: we'd be doing NAT to 23.0.0.2 versus 13.0.0.1.
So I'm going to test out both. Let's go ahead, and I'm gonna make the modification on switch 6: do show run interface vlan 20, everybody's been in 20, I'm going to say standby 20 priority is going to be 255, and then on switch 7, interface vlan 20, standby 20 priority is going to be 60. So after a couple seconds we should see them flip over, where switch 6 will become the active forwarder. Show standby brief. "Screen is a little bit slower this time." Okay, I will keep that in mind as we're moving forward, to go a little bit slower. Can you see it, is it caught up now? Is that just you or is it everybody else? Okay, all right, so I will keep that in mind as I move forward, to do things a little bit slower, but the recording will catch it for sure. All right, so now that I've got that in play and switch 6 is the active forwarder, if I go back to PC13 and I hit my up arrow, I get out to the internet, right? I hit 10.1.20.6, I hit 10.1.6.1, and then I hit 13.0.0.3. If I look at router 3 I can see communications happening, and if I do that ping again I can ping all day long, which is what we want to see. All right, does that make sense to everybody, the failover process, and how the routing can, if the routing isn't set up correctly, cause adverse reactions? All right, got it. As long as you're getting it, that's the key thing. All right, so what I'm going to do now is go on switch 7 and R2, I'm going to do that SVI VLAN thing that I was talking about a little bit ago, I'm going to get that configured. We're going to configure our static routes like we did on switch 6 and R1; we're going to do that to switch 7 and R2, we're going to get them configured. I'm going to set up NAT on R2. I'm gonna try not to go fast so the screen keeps up with it, and if you guys have any questions you can ask. And then I will revert the HSRP config back to the way it was, where switch 7 will be the default gateway for VLAN 20, and then we'll be able to send our internet traffic out towards
R2 versus R1. If you guys have any questions at any point in time, go ahead and throw them in the chat, I'll be keeping an eye on it as we're moving forward. But on switch 7, let me go ahead and get this party started. So do show, and I'm going to create VLAN 27, because I'm going to be sitting between 7 and R2, I'm going to use the subnet of 27 to do it. Excuse me. So I'm going to say vlan 27, okay, that's right, I forgot about that. So let's come over here and type in global config, vlan 27, name is gonna be vlan 27. Over here to switch 7, do show vlan brief, and then I'm gonna type in interface gig 0/3, switchport access vlan 27, switchport mode access, and spanning-tree portfast. And then I'm going to create interface vlan 27 on switch 7. I'm going to give it an IP address of 10.2.7.7 /24 and I'm going to no shut the port. Then on R2, I'm going to configure R2 on interface 0/0, I'm going to say ip address, here will be 10.2.7.2 /24. I'm going to go ahead and no shut it and get that guy online. All right, I'm going to do ping 10.2.7.7, see if I can ping it, and I can. So my ping is going from R2 over to switch 7 on gig 0/3; it's coming in at gig 0/3 and then it's going in the VLAN of VLAN 27 and then hitting the SVI of switch 7.
So if I came in here and do show arp, I will see that I have the MAC address of router 2 showing up in my ARP table. So it's not that much of a difference from having a routed port on gig 0/3 on switch 6; same concept applies, I'm just putting the IP address on a different interface, that's all that's happening here. All right, I'm going to go ahead and configure a default route on switch 7 to point to 10.2.7.2, just like that, and on R2 I'm going to create a static route that's going to point back towards 10.1.20.0 /24 to 10.2.7.7. That's the config that I have in play now. What I'm also going to do is go back to switch 6 and flip the HSRP back so that switch 7 is the active forwarder. To do that I'm going to type in interface vlan 20, I'll type in standby 20 priority, will be 60, and on switch 7, interface vlan 20, standby 20 priority will be 255, the original configuration that we went in and put in. We're going to wait for that to flip over, and now that I have, I should be able to go from R2, I should be able to do ping 10.1.20.1, and I can't. If I go to PC13 and I try to do a trace to 10.2.7.2, I get there all day long. So identical configuration to what we did on switch 6 and R1, just on switch 7 and R2, to make it work the way that we needed to. All right, the next thing I need to go do is on switch 7, I'm sorry, on R2, I need to go configure NAT. So just like I did before I'm going to say ip access-list, or I'm sorry, I need to go to interface gig 0/1 and configure the IP address: ip address here will be 23.0.0.2 /24. I'll shut that guy, and then R3, do the exact same thing, gig 0/2, ip address here will be 23.0.0.3 /24,
and no shut. All right, now back on R2 I will configure a default route: ip route 0.0.0.0 0.0.0.0 23.0.0.3. Do a show ip route, make sure that it's there, and it is. I am going to go configure my NAT now, which is going to be ip access-list extended, and call it NAT, and then a permit 10.1.20.0, I'll go ahead and just throw in the 0.0.0.255, to any destination, that's, I'm sorry, a permit ip first and foremost. Now that I have the ACL configured, I'm going to go ahead and go to interface gig 0/0, ip nat inside, we're going to give that a moment to do its thing and we'll be able to get the config knocked out. "It's interesting that you are using /24 on point-to-point links between routers." It is; the subnetting is super, super simple though, I don't have to sit there and try to think of /30 point-to-point subnets. But yeah, you're right, that's the beauty of working in a lab, right? You can use whatever you want, but if you want to use point-to-point links you could; that's the ideal situation, obviously. All right, so now that's done, I'm going to go to interface gig 0/1 and do the same thing, I'm gonna ip nat outside, and then I'm gonna go ip nat inside source list NAT interface gig 0/1 overload. All right, so now I go back to PC13 and I try to ping Google, reach it, and if I go to router 2, show ip nat translations, I'm seeing a bunch of translations show up. So I've got traffic from VLAN 10 going this way and traffic from VLAN 20 going this way. What do they call this, ladies and gentlemen? I should say gentlemen, because there are no ladies on this call. Any idea what they call this? "One-sided rowdy," I like that, that's funny. So this is a highly available deployment, which means I'm basically active-active at the same time. In the event that there's a problem in the network, normally you wouldn't do this, although you could. So what I'm demonstrating here is the fact that I have a relatively highly available network because I have two
different ways that I can send traffic out. I can have switch 6 or switch 7 as my default gateway, and here I'm sending traffic out for one VLAN out switch 6 and one out towards switch 7, and R1 and R2 are NAT-enabled. But if I had a situation where I wanted everything to be, I wanted to be active-standby, active-standby would mean that, let me switch over to, let me bring this up one, active-standby would mean that if I wanted this guy here to be my active and this guy right here to be my standby, all my traffic would flow through here between my endpoints, everything would go through switch 6, R2, and then land down where it's got to go. And then in the event that this guy or this guy failed, let's switch colors, let's say this guy failed, my traffic would then switch gears, and I'll use orange as a backup path, my traffic would then flow this direction as a standby path. These might be my standby flows. I can do it either way: I can either have an active-standby type of scenario or I could have active-active. It's up to you, and this is one of those things that you'd be able to bring to your manager if you're designing something like this and say, hey, this is what I'm thinking about doing, but this is some of the cool stuff that goes along with it in terms of how everything comes together and stuff like that. So with that being said, "multiple WAN would be HA, correct?" Highly available, yep. And then you could scale this, right? You could have it scaled out, and you could have a number of VLANs terminating on switch 6 and a number of VLANs terminating on switch 7. You know, I've had several conversations with customers where they have a very similar setup to this and they're like, Rob, we really need to have something in play to where if something happens, we need to be highly available, and I don't want to sit there and, you know, have users complaining that things are down and whatever. And I'm like, we don't have to be down, we can go
ahead and be highly available, and that's what I'm all about. That's the majority of the customer conversations that I've had; it goes in this direction. But if I want to have an active-standby design I can do that as well, it's really up to you, right? It's just that how you configure it will change its operational mode. All right, so I've got NAT down, right? Everybody good so far? Any questions, comments, concerns, feedback? That's the whole thing, man. When you're looking at something like this, do you really, really want to get woken up at four in the morning for a network outage? All right, do you really want to be on call? On call won't be something that, you'll always be on call, right, unless you don't do engineering work; there's always going to be a level of on-call, right? So would you rather get woken up at four in the morning because people are not able to access whatever they need to, or would you rather get an alert at four in the morning, sleep till whatever time it is that you sleep till, and then wake up, look at your phone, be like, oh crap, the network went down at four this morning, and then you look at your monitoring software and you realize, oh well, it doesn't matter because it failed over right away? So back in the day this was a much more difficult thing to get across to managers, but not so much anymore. So if we don't have any other questions, we are at the point now where we can start switching into EIGRP, or, I'm gonna leave it up to you guys. We've been going at this now for three and a half hours. I've got 30 minutes left roughly, so would you guys rather we wrap up today now, or pick up EIGRP and OSPF and some ACLs tomorrow and go that route where we have more time? You're right, it's not a defined topic on the exam, you're right. However, it is a routing protocol nonetheless; even though they don't call it out, it is something you're going to
want to be aware of, so that's why I'm still gonna cover it, because it's something you're gonna need to know about anyway. But we've made good progress. Let me go back over to my desktop. So we've covered a lot today so far, actually a little further ahead than I wanted to be. Correct, yeah, I would say that even though it's not a defined bullet item, I have read the official certification guide and EIGRP is sprinkled in there quite a bit, so we'll definitely talk about that. And the reason why I'm giving you guys, I'm probably going to just call it here in the next few minutes, just simply for the fact that I think we would need a dedicated piece of time to go through both EIGRP and OSPF and understand how they work at a high level and then get them working. But we've covered NAT; we configured source NAT, we didn't configure, okay, yeah, we can definitely take a look at that tomorrow for sure. So put together a list of things that you would like to dive into with those and we can cover them. I'll do my best with spanning tree, but I'll be honest with you, I am so far out of touch with spanning tree that, other than talking about the port states and the roles and some of the basics, other than turning it on and letting it set the root bridge, it kind of figures itself out. So yeah, we can definitely cover OSPF tomorrow for sure. So yeah, we covered a lot; we're gonna dive into some more of the other options as well. I'm figuring tomorrow in the first session we can cover dynamic routing with OSPF and EIGRP, dive into it. "There's not a lot to go into, huh? Destroyed me." Yeah, you gotta definitely pony up those areas. We covered DHCP. We didn't really cover NTP, though. We did source NAT, we've done DHCP, DNS. I don't know if we're gonna get to dynamic ARP inspection and other stuff like that, but we could always have another one of these sessions some other weekend down the road. But so with that being said, let me go
ahead and, sure, we can have more sessions like this for sure. I'm actually thinking about changing it up and not doing it on Crowdcast and putting it just on YouTube, just go live on YouTube for a few hours and doing it that way, and just charging for the membership, which is only 10 bucks. I think I'd get a lot more. Yeah, that's the whole thing. The audience that we have, the five people that we have here today, is nice because when people have specific questions I can actually take the time to break it down. But yeah, I'm thinking about going just the YouTube route, and on a regular basis for a few hours each week go through and cover a bunch of different topics and stuff like that. Now I personally am on a VMware path, but that doesn't mean that you guys have to be. But anyway, I think I'm gonna go ahead and call this with that half an hour left. Tomorrow we're gonna pick up on dynamic routing in the first two-hour session, and then in the second two-hour session we'll focus on anything that you guys need to go a little bit deeper on. But is this working for you guys, the way that we're doing stuff? Let's see. "Do you lab using..." Yes, I do labs using vSphere a lot. I'm actually doing a deep dive on NSX right now and I'm loving it; that's the direction I'm going. "Will you be also doing sessions like this on VMware?" Yeah, I mean, I can. The only problem with doing it on VMware is that it takes a lot longer for things to happen, so I'd have to time it to where if I'm gonna do a particular thing, like install this or turn that on, I'd have to be cautious about my timing and stuff like that, because I wouldn't want to sit there as I'm watching something spin and install, that would take forever. But yeah, it's good stuff. Anyway, you guys are awesome, thanks so much for stopping by and hanging out with me. We will definitely be doing this again in the future; we'll do a tomorrow session as well, 1 to 5:30,
same time frames and all that good stuff. What I will be doing is I'll take the configurations that I've already put in and I'll put them into Notepad docs in the Google Drive that I shared with you guys, and you'll be able to download them and basically dump them into your devices. So I highly suggest you guys get EVE, because Packet Tracer sucks, especially for some of the issues that I've been seeing lately with it. The only thing that I use to lab up with when it's Cisco stuff is that, and I'm doing the VMware. So but anyway, you guys definitely take it easy. "Have your... just need to wait a few weeks to go." Okay, I see what you're saying. Yeah, I don't know when I'll be able to get to the next one, the next time we'll be able to do this. I'm thinking definitely it'll be a YouTube version of it and then go that route, and that'll make it easier to do this, and I'll just push out that everything that people will need will be in the membership aspect and try to grow that out. But that's the direction I'm gonna go. Crowdcast has been nice, but there's a few things that I wish were different. But anyway, with that being said, you guys have a nice rest of your Saturday. I'm gonna go and get some food because I'm hungry, and go that direction with it. So you guys have a nice rest of your Saturday and I will see all of you on Sunday at 1. Yes sir, thank you sir, you guys have a nice day.
Info
Channel: Rob Riker's Tech Channel
Views: 736
Id: tDtHQhDYG8Q
Length: 91min 10sec (5470 seconds)
Published: Wed Jun 02 2021