Lab Assignment: Multi-protocol Topology

The physical topology is as shown in the figure below:

Lab Exercise

This exercise will simulate a real word scenario in which a company might use two gateways to balance

traffic going out into external networks (Internet for example).

Your task is to configure the network in the diagram above to allow connectivity between PC1 and

PC2 to the external network 8.8.8.8/32. PC1 will use Gateway 1 as the default gateway with Gateway

2 as secondary and PC2 will use Gateway 2 as the primary default gateway with Gateway 1 as

secondary. PC1 will be located in VLAN 10, while PC2 will be located in VLAN20. HSRP will be

configured for each VLAN between the two gateways. Gateway 1 will learn the external network

through EIGRP, while Gateway 2 will learn about the external network through OSPF. The gateways

will be configured with NAT.

IP addressing details:

External_router Fa0/0: 192.168.1.1/24

External_router Fa0/1: 192.168.2.1/24

Gateway1 Fa0/0: 192.168.1.2/24

www.howtonetwork.com Copyright Reality Press Ltd.

Gateway1 Fa0/1.10: 10.0.10.1/24

Gateway1 Fa0/1.20: 10.0.20.1/24

Gateway2 Fa0/0: 192.168.2.2/24

Gateway2 Fa0/1.10: 10.0.10.2/24

Gateway2 Fa0/1.20: 10.0.20.2/24

VLAN 10 HSRP address: 10.0.10.3

VLAN 20 HSRP address: 10.0.20.3

PC1: 10.0.10.10/24, gateway: 10.0.10.3

PC2: 10.0.20.10/24, gateway: 10.0.20.3

VLAN 10 NAT Pool on Gateway1: 192.168.1.10

VLAN 20 NAT Pool on Gateway1: 192.168.1.11

VLAN 10 NAT Pool on Gateway2: 192.168.2.10

VLAN 20 NAT Pool on Gateway2: 192.168.2.11

Lab Objectives

1. Configure VLANs on the Switch;

2. Configure full Layer 3 addressing between the devices;

3. Configure EIGRP;

4. Configure OSPF;

5. Configure HSRP;

6. Configure NAT on the gateways;

7. Test connectivity.
Purpose

Practice the following technologies:

OSPF

EIGRP

www.howtonetwork.com Copyright Reality Press Ltd.

VLANs

HSRP

Access-lists

NAT

Lab Walk-Through

1. Configure the necessary VLANs on the switch. We need trunk ports towards the gateways

(carrying VLANs 10 and 20) and access ports towards the PCs.

Switch(config)#int fa1/1

Switch(config)#sw mode trunk

Switch(config)#sw trunk encapsulation dot

Switch(config)#sw trunk all vlan 10,20

Switch(config)#no shut

Switch(config)#int fa1/2

Switch(config)#sw mode trunk

Switch(config)#sw trunk encapsulation dot

Switch(config)#sw trunk all vlan 10,20

Switch(config)#no shut

Switch(config)#int fa1/3

Switch(config)#sw mode access

Switch(config)#sw access vlan 10

Switch(config)#no shut

Switch(config)#int fa1/4

Switch(config)#sw mode access

Switch(config)#sw access vlan 20

Switch(config)#no shut

2. Configure Layer 3 addressing on the devices.

External_Router:

www.howtonetwork.com Copyright Reality Press Ltd.

interface FastEthernet0/0

ip address 192.168.1.1 255.255.255.0

interface FastEthernet0/1

ip address 192.168.2.1 255.255.255.0

External_Router#sho ip int br

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 192.168.1.1 YES manual up up

Serial0/0 unassigned YES manual administratively down down

FastEthernet0/1 192.168.2.1 YES manual up up

Serial0/1 unassigned YES manual administratively down down

Loopback0 8.8.8.8 YES manual up up

Gateway1:

interface FastEthernet0/0

ip address 192.168.1.2 255.255.255.0

interface FastEthernet0/1.10

encapsulation dot1Q 10

ip address 10.0.10.1 255.255.255.0

interface FastEthernet0/1.20

encapsulation dot1Q 20

ip address 10.0.20.1 255.255.255.0

Gateway1#sho ip int br

Any interface listed with OK? value NO does not have a valid

configuration

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 192.168.1.2 YES manual up up

www.howtonetwork.com Copyright Reality Press Ltd.

Serial0/0 unassigned YES manual administratively down down

FastEthernet0/1 unassigned YES manual up up

FastEthernet0/1.10 10.0.10.1 YES manual up up

FastEthernet0/1.20 10.0.20.1 YES manual up up

Serial0/1 unassigned YES manual administratively down down

NVI0 unassigned NO unset up up

Gateway2:

interface FastEthernet0/0

ip address 192.168.2.2 255.255.255.0

interface FastEthernet0/1.10

encapsulation dot1Q 10

ip address 10.0.10.2 255.255.255.0

interface FastEthernet0/1.20
encapsulation dot1Q 20

ip address 10.0.20.2 255.255.255.0

Gateway2#sho ip int br

Any interface listed with OK? value NO does not have a valid

configuration

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 192.168.2.2 YES manual up up

Serial0/0 unassigned YES manual administratively down down

FastEthernet0/1 unassigned YES manual up up

FastEthernet0/1.10 10.0.10.2 YES manual up up

FastEthernet0/1.20 10.0.20.2 YES manual up up

Serial0/1 unassigned YES manual administratively down down

www.howtonetwork.com Copyright Reality Press Ltd.

NVI0 unassigned NO unset up up

Note: you can use both real workstations or routers for PC1 and PC2. We have choosen to use routers

for this exercise for simplicity. In order to configure a router to react as a workstation with 1 NIC, just

disable IP routing, set the default gateway and the IP address on the interface.

We will also configure the default gateway on PC1 and PC2. This is the HSRP address of VLAN10 for

PC1 and the HSRP address of VLAN20 for PC2.

PC1(config)#no ip routing

PC1(config)#ip default-gateway 10.0.10.3

PC1(config)#int fa0/0

PC1(config-if)#ip add 10.0.10.10 255.255.255.0

PC2(config)#no ip routing

PC2(config)#ip default-gateway 10.0.20.3

PC2(config)#int fa0/0

PC2(config-if)#ip add 10.0.20.10 255.255.255.0

3. Configure EIGRP between the External_Router and Gateway1, advertise 8.8.8.8/32 towards

the internal network via EIGRP.

External_Router(config)#router eigrp 100

External_Router(config-router)#network 8.8.8.8 0.0.0.0

External_Router(config-router)#network 192.168.1.0 0.0.0.255

External_Router(config-router)#no auto-summary

Gateway1(config)#router eigrp 100

Gateway1(config-router)#network 192.168.1.0 0.0.0.255

www.howtonetwork.com Copyright Reality Press Ltd.

Gateway1(config-router)#no auto-summary

External_Router#show ip eigrp neighbors

IP-EIGRP neighbors for process 100

H Address Interface Hold Uptime SRTT RTO

Q Seq

(sec) (ms)

Cnt Num

0 192.168.1.2 Fa0/0 13 01:10:05 1267 5000

04
Gateway1#show ip eigrp neighbors

IP-EIGRP neighbors for process 100

H Address Interface Hold Uptime SRTT RTO

Q Seq

(sec) (ms)

Cnt Num

0 192.168.1.1 Fa0/0 12 01:09:57 70 420

03

Gateway1#show ip route eigrp

8.0.0.0/32 is subnetted, 1 subnets

D 8.8.8.8 [90/409600] via 192.168.1.1, 01:10:24,

FastEthernet0/0

We can see the 8.8.8.8/32 network is being learned by Gateway1 via EIGRP.

4. Configure OSPF between the External_Router and Gateway2, advertise 8.8.8.8/32 towards

the internal network via OSPF. Yes, we will advertise the same subnet via both EIGRP and

OSPF to different neighbors. This is possible in Cisco IOS.

www.howtonetwork.com Copyright Reality Press Ltd.

External_Router(config)#int fa0/1

External_Router(config-if)#ip ospf 1 area 0

External_Router(config-if)#lo0

External_Router(config-if)#ip ospf 1 area 0

Gateway2(config)#int fa0/1

Gateway2(config-if)#ip ospf 1 area 0

External_Router#show ip ospf nei

Neighbor ID Pri State Dead Time Address

Interface

192.168.2.2 1 FULL/DR 00:00:38 192.168.2.2

FastEthernet0/1

Gateway2#show ip ospf nei

Neighbor ID Pri State Dead Time Address

Interface

8.8.8.8 1 FULL/BDR 00:00:36 192.168.2.1

FastEthernet0/0

Gateway2#show ip route ospf

8.0.0.0/32 is subnetted, 1 subnets

O 8.8.8.8 [110/11] via 192.168.2.1, 01:21:28, FastEthernet0/0

We can see the 8.8.8.8/32 network is being learned by Gateway2 via OSPF.

www.howtonetwork.com Copyright Reality Press Ltd.

5. Configure HSRP for both VLANs. Gateway1 will be the primary gateway for VLAN10 and

Gateway2 will be the primary gateway for VLAN20. If either of the routers fails, the other

will assume default gateway functionality.

We will configure Gateway1 with priority 110 for VLAN 10 and with priority 100 for VLAN

20 (default) and the other way around for Gateway 2.

Gateway1(config)#int fa0/1.10

Gateway1(config-subif)#standby 10 ip 10.0.10.3
Gateway1(config-subif)#standby 10 priority 110

Gateway1(config-subif)#standby 10 preempt

Gateway1(config)#int fa0/1.20

Gateway1(config-subif)#standby 20 ip 10.0.20.3

Gateway1(config-subif)#standby 20 preempt

Gateway2(config)#int fa0/1.10

Gateway2(config-subif)#standby 10 ip 10.0.10.3

Gateway2(config-subif)#standby 10 preempt

Gateway2(config)#int fa0/1.20

Gateway2(config-subif)#standby 20 ip 10.0.20.3

Gateway2(config-subif)#standby 20 priority 110

Gateway2(config-subif)#standby 20 preempt

Gateway1#show standby brief

P indicates configured to preempt.

Interface Grp Pri P State Active Standby

Virtual IP

www.howtonetwork.com Copyright Reality Press Ltd.

Fa0/1.10 10 110 P Active local 10.0.10.2

10.0.10.3

Fa0/1.20 20 100 P Standby 10.0.20.2 local

10.0.20.3

Gateway2#show standby brief

P indicates configured to preempt.

Interface Grp Pri P State Active Standby

Virtual IP

Fa0/1.10 10 100 P Standby 10.0.10.1 local

10.0.10.3

Fa0/1.20 20 110 P Active local 10.0.20.1

10.0.20.3

6. Configure NAT.

On Gateway1 we want to translate the internal address for any packet sourced from VLAN 10 to

192.168.1.10. In the same time, we want to translate the internal address for any packet souced

from VLAN 20 to 192.168.1.11. Even though traffic originated in VLAN 20 will not reach Gateway1 in

a normal day of operations, this will happen if Gateway2 is down, as Gateway1 will assume the role

of primary HSRP gateway. So we want to configure rules for both VLAN 10 and VLAN 20 on both

routers.

On Gateway2, we will assign an external IP address of 192.168.2.10 for traffic sourced in VLAN 10

and of 192.168.2.11 for traffic sourced in VLAN 20.

We will also configure PAT (also known NAT overload) on both devices, so multiple internal sources

in the same VLAN can share the same external IP address.

Gateway1(config)#int fa0/0

Gateway1(config-if)#ip nat outside

Gateway1(config)#int fa0/1.10

Gateway1(config-if)#ip nat inside

Gateway1(config)#int fa0/1.20

www.howtonetwork.com Copyright Reality Press Ltd.

Gateway1(config-if)#ip nat inside

Gateway1(config)#ip nat inside source list VLAN10 pool VLAN10_OUT

overload

Gateway1(config)#ip nat inside source list VLAN20 pool VLAN20_OUT

overload

Gateway1(config)#ip nat pool VLAN10_OUT 192.168.1.10 192.168.1.10

netmask 255.255.255.0

Gateway1(config)#ip nat pool VLAN20_OUT 192.168.1.11 192.168.1.11

netmask 255.255.255.0

Gateway1(config)#ip access-list standard VLAN10

Gateway1(config-std-nacl)# permit 10.0.10.0 0.0.0.255

Gateway1(config)#ip access-list standard VLAN20

Gateway1(config-std-nacl)# permit 10.0.20.0 0.0.0.255

Gateway2(config)#int fa0/0

Gateway2(config-if)#ip nat outside

Gateway2(config)#int fa0/1.10

Gateway2(config-if)#ip nat inside

Gateway2(config)#int fa0/1.20

Gateway2(config-if)#ip nat inside

Gateway2(config)#ip nat inside source list VLAN10 pool VLAN10_OUT

overload

Gateway2(config)#ip nat inside source list VLAN20 pool VLAN20_OUT

overload

Gateway2(config)#ip nat pool VLAN10_OUT 192.168.2.10 192.168.2.10

netmask 255.255.255.0

Gateway2(config)#ip nat pool VLAN20_OUT 192.168.2.11 192.168.2.11

netmask 255.255.255.0

Gateway2(config)#ip access-list standard VLAN10

Gateway2(config-std-nacl)# permit 10.0.10.0 0.0.0.255

Gateway2(config)#ip access-list standard VLAN20

www.howtonetwork.com Copyright Reality Press Ltd.

Gateway2(config-std-nacl)# permit 10.0.20.0 0.0.0.255

7. Test connectivity from PC1 and PC2 towards the external network. We will issue a ping

both from PC1 and PC2 towards the external destination and we will then check traffic

from each PC will hit a different gateway router. In this way traffic is load balanced

toward the external networks.

PC1#ping 8.8.8.8

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 24/44/72

ms

PC2#ping 8.8.8.8

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 16/62/140

ms

Gateway1#sho ip nat translations

Pro Inside global Inside local Outside local Outside

global

icmp 192.168.1.10:3 10.0.10.10:3 8.8.8.8:3

8.8.8.8:3

Gateway2#sho ip nat translations

www.howtonetwork.com Copyright Reality Press Ltd.

Pro Inside global Inside local Outside local Outside

global

icmp 192.168.2.11:5 10.0.20.10:5 8.8.8.8:5

8.8.8.8:5

As you can see from the output of show ip nat translation, traffic sourced from 10.0.10.10 (VLAN 10)

is translated on Gateway1 and traffic sourced from 10.0.20.10 (VLAN 20) is translated on Gateway2.

Show Runs

External_Router#show run

Building configuration...

Current configuration : 1305 bytes

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

hostname External_Router

boot-start-marker
boot-end-marker

no aaa new-model

memory-size iomem 5

no ip icmp rate-limit unreachable

ip cef

no ip domain lookup

multilink bundle-name authenticated

archive

log config

hidekeys

ip tcp synwait-time 5

ip ssh version 1

www.howtonetwork.com Copyright Reality Press Ltd.

interface Loopback0

ip address 8.8.8.8 255.255.255.255

ip ospf 1 area 0

interface FastEthernet0/0

ip address 192.168.1.1 255.255.255.0

duplex auto

speed auto

!
interface Serial0/0

no ip address

shutdown

clock rate 2000000

interface FastEthernet0/1

ip address 192.168.2.1 255.255.255.0

ip ospf 1 area 0

duplex auto

speed auto

interface Serial0/1

no ip address

shutdown

clock rate 2000000

router eigrp 100

network 8.8.8.8 0.0.0.0

network 192.168.1.0

no auto-summary

router ospf 1

log-adjacency-changes

ip forward-protocol nd

no ip http server

no ip http secure-server
!

no cdp log mismatch duplex

control-plane

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

www.howtonetwork.com Copyright Reality Press Ltd.

line aux 0

exec-timeout 0 0

privilege level 15

logging synchronous

line vty 0 4

login

End

Gateway1#show run

Building configuration...

Current configuration : 1907 bytes

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

hostname Gateway1
!

boot-start-marker

boot-end-marker

no aaa new-model

memory-size iomem 5

no ip icmp rate-limit unreachable

ip cef

no ip domain lookup

multilink bundle-name authenticated

archive

log config

hidekeys

ip tcp synwait-time 5

ip ssh version 1

interface FastEthernet0/0

ip address 192.168.1.2 255.255.255.0

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

!
www.howtonetwork.com Copyright Reality Press Ltd.

interface Serial0/0

no ip address

shutdown

clock rate 2000000

interface FastEthernet0/1

no ip address

duplex auto

speed auto

interface FastEthernet0/1.10

encapsulation dot1Q 10

ip address 10.0.10.1 255.255.255.0

ip nat inside

ip virtual-reassembly

standby 10 ip 10.0.10.3

standby 10 priority 110

standby 10 preempt

interface FastEthernet0/1.20

encapsulation dot1Q 20

ip address 10.0.20.1 255.255.255.0

ip nat inside

ip virtual-reassembly

standby 20 ip 10.0.20.3

standby 20 preempt

interface Serial0/1
no ip address

shutdown

clock rate 2000000

router eigrp 100

network 192.168.1.0

no auto-summary

ip forward-protocol nd

no ip http server

no ip http secure-server

ip nat pool VLAN10_OUT 192.168.1.10 192.168.1.10 netmask

255.255.255.0

ip nat pool VLAN20_OUT 192.168.1.11 192.168.1.11 netmask

255.255.255.0

ip nat inside source list VLAN10 pool VLAN10_OUT overload

ip nat inside source list VLAN20 pool VLAN20_OUT overload

www.howtonetwork.com Copyright Reality Press Ltd.

ip access-list standard VLAN10

permit 10.0.10.0 0.0.0.255

ip access-list standard VLAN20

permit 10.0.20.0 0.0.0.255

no cdp log mismatch duplex

!
control-plane

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

line aux 0

exec-timeout 0 0

privilege level 15

logging synchronous

line vty 0 4

login

End

Gateway2#show run

Building configuration...

Current configuration : 1907 bytes

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

hostname Gateway2

boot-start-marker

boot-end-marker
!

no aaa new-model

memory-size iomem 5

no ip icmp rate-limit unreachable

ip cef

no ip domain lookup

multilink bundle-name authenticated

www.howtonetwork.com Copyright Reality Press Ltd.

archive

log config

hidekeys

ip tcp synwait-time 5

ip ssh version 1

interface FastEthernet0/0

ip address 192.168.2.2 255.255.255.0

ip nat outside

ip virtual-reassembly

ip ospf 1 area 0

duplex auto

speed auto

interface Serial0/0

no ip address
shutdown

clock rate 2000000

interface FastEthernet0/1

no ip address

duplex auto

speed auto

interface FastEthernet0/1.10

encapsulation dot1Q 10

ip address 10.0.10.2 255.255.255.0

ip nat inside

ip virtual-reassembly

standby 10 ip 10.0.10.3

standby 10 preempt

interface FastEthernet0/1.20

encapsulation dot1Q 20

ip address 10.0.20.2 255.255.255.0

ip nat inside

ip virtual-reassembly

standby 20 ip 10.0.20.3

standby 20 priority 110

standby 20 preempt

interface Serial0/1

no ip address

shutdown

clock rate 2000000

!

router ospf 1

www.howtonetwork.com Copyright Reality Press Ltd.

log-adjacency-changes

ip forward-protocol nd

no ip http server

no ip http secure-server

ip nat pool VLAN20_OUT 192.168.2.11 192.168.2.11 netmask

255.255.255.0

ip nat pool VLAN10_OUT 192.168.2.10 192.168.2.10 netmask

255.255.255.0

ip nat inside source list VLAN10 pool VLAN10_OUT overload

ip nat inside source list VLAN20 pool VLAN20_OUT overload

ip access-list standard VLAN10

permit 10.0.10.0 0.0.0.255

ip access-list standard VLAN20

permit 10.0.20.0 0.0.0.255

no cdp log mismatch duplex

control-plane

line con 0

exec-timeout 0 0
privilege level 15

logging synchronous

line aux 0

exec-timeout 0 0

privilege level 15

logging synchronous

line vty 0 4

login

End

PC1#show run

Building configuration...

Current configuration : 1186 bytes

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

www.howtonetwork.com Copyright Reality Press Ltd.

hostname PC1

boot-start-marker

boot-end-marker

no aaa new-model
memory-size iomem 5

no ip routing

no ip icmp rate-limit unreachable

no ip cef

no ip domain lookup

multilink bundle-name authenticated

archive

log config

hidekeys

ip tcp synwait-time 5

ip ssh version 1

interface FastEthernet0/0

ip address 10.0.10.10 255.255.255.0

no ip route-cache

duplex auto

speed auto

interface Serial0/0

no ip address

no ip route-cache

shutdown

clock rate 2000000

interface FastEthernet0/1
no ip address

no ip route-cache

shutdown

duplex auto

speed auto

interface Serial0/1

no ip address

no ip route-cache

shutdown

clock rate 2000000

www.howtonetwork.com Copyright Reality Press Ltd.

ip default-gateway 10.0.10.3

ip forward-protocol nd

no ip http server

no ip http secure-server

no cdp log mismatch duplex

control-plane

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous
line aux 0

exec-timeout 0 0

privilege level 15

logging synchronous

line vty 0 4

login

end

PC2#show run

Building configuration...

Current configuration : 1208 bytes

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

hostname PC2

boot-start-marker

boot-end-marker

no aaa new-model

memory-size iomem 5

no ip routing

no ip icmp rate-limit unreachable

no ip cef

!
no ip domain lookup

www.howtonetwork.com Copyright Reality Press Ltd.

multilink bundle-name authenticated

ip tcp synwait-time 5

ip ssh version 1

interface FastEthernet0/0

ip address 10.0.20.10 255.255.255.0

no ip route-cache

duplex auto

speed auto

interface Serial0/0

no ip address

no ip route-cache

shutdown

clock rate 2000000

interface FastEthernet0/1

ip address 10.0.20.10 255.255.255.0

no ip route-cache

shutdown

duplex auto

speed auto

interface Serial0/1
no ip address

no ip route-cache

shutdown

clock rate 2000000

ip default-gateway 10.0.20.3

ip forward-protocol nd

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

line aux 0

exec-timeout 0 0

privilege level 15

logging synchronous

line vty 0 4

login

end