Firewall & Routing Hub

Empowering IT professionals with expert training in networking, firewalls, and certification prep. CCNA, CCNP, CCIE, Palo Alto, Fortinet, FTD & more.

Your pathway to top-tier IT skills starts here. Welcome to Firewall & Routing Hub – a dedicated space for all things network security, firewalls, and routing. We aim to create a thriving community of network engineers, cybersecurity professionals, students, and tech enthusiasts who want to deepen their understanding of:

✅ Firewall configuration & troubleshooting
✅ Routing protocols (OSPF, BGP, EI

11/05/2026

🚀 **DHCP & DHCP Relay Agent – Simplified Networking Guide** 🔥
=================================================

Today I’m sharing an excellent learning resource on **DHCP (Dynamic Host Configuration Protocol)** and **DHCP Relay Agent**, which are among the most important topics in networking and CCNA/CCNP studies.

This document explains how devices automatically receive IP addresses and how communication works when the DHCP server is located on a different subnet or VLAN.

📘 **What you will learn from this guide:**

✅ What DHCP is and why it is essential in modern networks
✅ Automatic IP assignment process for PCs, laptops, phones, and other devices
✅ DHCP Client-Server architecture
✅ Complete **DORA Process**:
• Discover
• Offer
• Request
• Acknowledgement (ACK)

✅ DHCP Lease mechanism and lease renewal process
✅ UDP Ports used in DHCP
• UDP 67 (Server)
• UDP 68 (Client)

✅ Detailed packet flow explanation with screenshots and Wireshark captures
✅ DHCP Server configuration on Cisco devices
✅ DHCP Client configuration using `ip address dhcp`
✅ Troubleshooting commands such as:
• `show ip dhcp pool`
• `show ip dhcp binding`
• `show running-config | include dhcp`

🔁 **DHCP Relay Agent – Key Concept**
In enterprise networks, DHCP servers are often centralized. Since routers do not forward broadcast traffic, DHCP Discover packets cannot cross subnets directly.

A **DHCP Relay Agent** solves this problem by forwarding DHCP broadcast messages as unicast packets to the remote DHCP server.

💡 The guide also explains:
✔️ Broadcast limitation in routed networks
✔️ `ip helper-address` configuration
✔️ giaddr field usage
✔️ Real-world enterprise VLAN scenarios
✔️ Relay Agent packet flow diagrams and Cisco configuration examples

This is a very useful resource for:
🎯 CCNA Students
🎯 CCNP Aspirants
🎯 Network Engineers
🎯 Lab Practice in EVE-NG / GNS3 / Packet Tracer

===========================================
🙏 **Special thanks to the original uploader, Urvish Patel, for sharing this excellent content and helping the networking community learn and grow.**
===========================================

📢 I am going to share this document on my WhatsApp channel as well, so make sure to join the channel and download the complete guide.

Follow the Firewall & Routing Hub channel on WhatsApp: https://whatsapp.com/channel/0029VbBh8F84NViiDpCGkh1u
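As an added example (not code from the guide or from Urvish Patel), this Python walk-through builds a client DISCOVER, applies the rewrite a relay agent performs (`giaddr` set, the broadcast forwarded as a unicast to the server), and lets a toy server choose its scope from `giaddr`. The relay address 192.168.10.1, the server 10.0.0.5, the pools, the MAC and the transaction id are assumptions.

```python
"""DHCP relay walk-through: client DISCOVER -> relay agent -> server OFFER.

Added example, not from the shared guide. The relay step mirrors what `ip helper-address`
does on a Cisco router; the addresses, MAC, xid and server pools are constructed.
"""
import ipaddress
import struct

BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte BOOTP header
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_END = 53, 255
DISCOVER, OFFER = 1, 2
BOOTREQUEST, BOOTREPLY = 1, 2
DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68
# Constructed scopes: the server selects one from giaddr, not from the relay's source IP.
POOLS = {ipaddress.ip_network("192.168.10.0/24"): ["192.168.10.50", "192.168.10.51"],
         ipaddress.ip_network("192.168.20.0/24"): ["192.168.20.50"]}

def build_dhcp(msg_type, xid, chaddr, op=BOOTREQUEST, hops=0, yiaddr="0.0.0.0", giaddr="0.0.0.0"):
    """Encode a minimal DHCP message: BOOTP header, magic cookie, option 53, end option."""
    fixed = struct.pack(BOOTP_FMT, op, 1, 6, hops, xid, 0, 0x8000,  # htype=Ethernet, hlen=6, broadcast
                        b"\0" * 4,                                 # ciaddr: client has no address yet
                        ipaddress.IPv4Address(yiaddr).packed,      # yiaddr: the server fills this in
                        b"\0" * 4,                                 # siaddr
                        ipaddress.IPv4Address(giaddr).packed,      # giaddr: the relay fills this in
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, msg_type, OPT_END])

def parse_dhcp(pkt):
    """Decode the header fields a relay or server needs, plus the DHCP message type (option 53)."""
    f = struct.unpack(BOOTP_FMT, pkt[:236])
    opts, i = {}, 240                          # options start right after the 4-byte magic cookie
    while pkt[i] != OPT_END:
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "hops": f[3], "xid": f[4], "chaddr": f[11][:f[2]],
            "yiaddr": str(ipaddress.IPv4Address(f[8])), "giaddr": str(ipaddress.IPv4Address(f[10])),
            "msg_type": opts[OPT_MSG_TYPE][0]}

def relay_to_server(broadcast_pkt, relay_ip, server_ip):
    """Relay agent: the broadcast heard from 0.0.0.0:68 -> 255.255.255.255:67 is rewritten in place
    (hops + 1, giaddr set if still zero) and unicast from relay_ip:67 to server_ip:67."""
    pkt = bytearray(broadcast_pkt)
    pkt[3] += 1                                # hops field lives at offset 3
    if pkt[24:28] == b"\0" * 4:                # giaddr lives at offset 24; only the first relay sets it
        pkt[24:28] = ipaddress.IPv4Address(relay_ip).packed
    return {"src": (relay_ip, DHCP_SERVER_PORT), "dst": (server_ip, DHCP_SERVER_PORT), "payload": bytes(pkt)}

def server_offer(relayed_pkt):
    """Server: pick the scope containing giaddr, lease an address, unicast the OFFER back to giaddr:67."""
    msg = parse_dhcp(relayed_pkt)
    scope = next(net for net in POOLS if ipaddress.ip_address(msg["giaddr"]) in net)
    offer = build_dhcp(OFFER, msg["xid"], msg["chaddr"], op=BOOTREPLY, hops=msg["hops"],
                       yiaddr=POOLS[scope].pop(0), giaddr=msg["giaddr"])
    return {"dst": (msg["giaddr"], DHCP_SERVER_PORT), "payload": offer}

def discover_offer_via_relay():
    """First half of DORA across a relay; returns the decoded relayed DISCOVER and the OFFER."""
    discover = build_dhcp(DISCOVER, 0x3903F326, bytes.fromhex("0011223344aa"))
    relayed = relay_to_server(discover, relay_ip="192.168.10.1", server_ip="10.0.0.5")
    offer = server_offer(relayed["payload"])
    return parse_dhcp(relayed["payload"]), parse_dhcp(offer["payload"])
```

The relay never changes the client's MAC or transaction id, which is why the server's OFFER can still be matched to the original DISCOVER once the relay forwards it back onto the client's segment.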

10/05/2026

🚀 **VRF Lite Lab in GNS3 | Advanced Network Segmentation without MPLS** 🔥
==========================================================

Today’s CCNP class was focused on one of the most important enterprise networking concepts — VRF Lite (Virtual Routing and Forwarding). We performed a complete hands-on lab in GNS3 to understand how enterprises achieve traffic isolation and multi-tenant routing without using MPLS.

This lab demonstrates how organizations can achieve **secure Layer 3 segmentation** without deploying a full MPLS infrastructure.

📌 **What is VRF Lite?**
VRF (Virtual Routing and Forwarding) Lite allows a single router to maintain **multiple independent routing tables**.
This means different departments, customers, or services can use the same physical router while remaining logically separated.

💡 In simple words:
➡️ One router behaves like multiple virtual routers.
➡️ Traffic from one VRF cannot communicate with another VRF unless explicitly configured.

🔧 **Lab Highlights:**
✅ VLAN-based Layer 2 segmentation
✅ VRF-based Layer 3 isolation
✅ Multiple routing protocols running simultaneously inside different VRFs
✅ OSPF configured in one VRF
✅ EIGRP configured in another VRF
✅ Static routing implementation for additional VRFs
✅ Centralized core router (R1) handling all VRFs
✅ Route separation verification using `show ip route vrf` commands

🖥️ **Topology Overview:**
🔹 R1 acts as the core router
🔹 Separate VRFs created for isolated networks
🔹 OSPF neighbors formed successfully between R1–R2 and R1–R5
🔹 EIGRP adjacency established between R1–R3 and R1–R6
🔹 Static routes configured for R4 and R7 networks
🔹 End-to-end route isolation successfully verified

🎯 **Why this lab is important:**
This type of setup is widely used in:
✔️ Enterprise networks
✔️ Service provider environments
✔️ Data centers
✔️ Multi-department network design
✔️ Customer traffic isolation

📚 **Key Learning Outcomes:**
🔸 Understanding VRF architecture
🔸 Running multiple routing protocols inside isolated routing tables
🔸 Preparation for route leaking concepts
🔸 Foundation for MPLS VPN technologies
🔸 Better understanding of enterprise segmentation strategies

🔥 **Big Takeaway:**
VRF Lite is an excellent technology for building secure and scalable segmented networks without the complexity of MPLS. It’s a must-learn concept for anyone preparing for CCNA, CCNP Enterprise, or Service Provider tracks.

I’ll also be sharing more labs related to:
➡️ Route Leaking
➡️ MPLS Basics
➡️ MP-BGP
➡️ Advanced Enterprise Routing
➡️ Data Center Networking

📌 Follow my page for more hands-on networking labs, real-world topologies, and cybersecurity content 🚀

09/05/2026

📒✍️ FHRP Quick Revision Notes: HSRP vs VRRP vs GLBP
=========================================

In networking, configuring gateway redundancy is important — but truly understanding how each FHRP works is what sets skilled Network Engineers apart.

To make revision easier, I created these quick handwritten-style notes covering the three major First Hop Redundancy Protocols (FHRPs):

🔁 HSRP (Hot Standby Router Protocol)
• Cisco proprietary protocol
• Works in an Active / Standby model
• Provides gateway redundancy only
• No load balancing support
• Great for simple and stable failover setups

🌐 VRRP (Virtual Router Redundancy Protocol)
• Open standard protocol
• Supports multi-vendor environments
• Uses Master / Backup roles
• Faster default convergence compared to HSRP
• Best choice for heterogeneous networks

⚖️ GLBP (Gateway Load Balancing Protocol)
• Cisco proprietary protocol
• Offers redundancy + load balancing
• Uses AVG (Active Virtual Gateway) & AVF (Active Virtual Forwarder)
• Utilizes multiple routers efficiently
• Ideal when both redundancy and traffic distribution are required

🧠 Quick Comparison:
✔ Need basic failover → HSRP
✔ Need vendor-neutral redundancy → VRRP
✔ Need failover + load sharing → GLBP

💡 Real-World Advice:
Don’t stop at configuration alone. Test failover events, observe convergence behavior, monitor packet flow, and fine-tune timers based on your network requirements. Practical testing is where real learning happens.

📌 These notes are useful for:
• CCNA / CCNP / CCIE preparation
• Interview revision
• Troubleshooting concepts
• Real-world network design understanding

Which FHRP do you prefer in production environments — HSRP, VRRP, or GLBP? 👇

07/05/2026

🚀 Cisco Catalyst 9800 Switch Stacking | Networking Lab 🔧

Today I explored the concept of Cisco Switch Stacking using the Cisco Catalyst 9800 series in my lab environment. Stacking allows multiple switches to operate as a single logical unit, making network management simpler, faster, and more efficient.

📌 Key Benefits of Switch Stacking:
✅ Simplified Management with a single IP address
✅ High Availability & Redundancy
✅ Increased Port Density and Scalability
✅ Faster Inter-switch Communication
✅ Easier Network Expansion for Enterprise Environments

In real-world enterprise networks, stacking plays a major role in improving performance, resiliency, and operational efficiency. This hands-on practice helped me understand how modern campus networks achieve seamless connectivity and fault tolerance.

🎥 Check out the reel to see the lab setup and stacking concept in action!

06/05/2026

🚀 *Understanding Switch Stacking in Enterprise Networks* 🔗⚡
============================================

Today, I explored one of the most important concepts in enterprise switching environments — *Switch Stacking*.

📌 *What is Stacking?*
Stacking allows multiple physical switches to operate as a *single logical switch*. Up to 9 switches can be interconnected and managed using just *one management IP address*, making administration easier and improving network performance.

🔥 *Why is Switch Stacking Important?*

✅ *High Availability*
If one switch fails, the remaining switches continue operating without affecting the network significantly.

✅ *Scalability & Performance*
By combining multiple switches, we increase:
• CPU power
• Memory resources
• Number of ports

This creates a much larger and more efficient switching infrastructure.

✅ *High-Speed Communication*
Dedicated stack links provide ultra-fast communication between switches with minimal latency.

📚 *Types of Cisco Stack Technologies*

🔹 *FlexStack*
• Supports up to 4 switches
• Stack bandwidth up to 10 Gbps

🔹 *FlexStack+*
• Supports up to 8 switches
• Stack bandwidth up to 40 Gbps

🔹 *StackWise*
• Supports up to 9 switches
• Stack bandwidth up to 64 Gbps

👑 *Master Switch Election*
In a stack, one switch becomes the *Master Switch*, responsible for managing the entire stack.

The master switch can be selected:

🛠️ *Manually*
By assigning priorities:
• Switch 1 → Priority 15
• Switch 2 → Priority 14

⚙️ *Automatically*
Based on:
• Lowest MAC Address
• Latest IOS Version

🧪 *Useful Verification Commands*

🔹 `show switch stack-ports`
➡️ Verifies stack connectivity between switches

🔹 `show switch stack-ring speed`
➡️ Displays stack bandwidth/speed

🌐 *Related Technologies*

🔸 *VSS (Virtual Switching System)*
Allows two switches to work as one logical switch using standard connections. Easier deployment, but lower speed compared to hardware stacking.

🔸 *vPC (Virtual Port Channel)*
Used mainly in Cisco Nexus environments to provide redundancy and load balancing while avoiding STP blocking issues.

💡 Understanding stacking technologies is essential for CCNA, CCNP, Data Center, and Enterprise Networking professionals.

📈 Follow my page for more hands-on networking labs, Cisco concepts, firewall technologies, and cybersecurity content.

05/05/2026

Ubuntu's websites went down for about 4 days last week, but it should all be back now.

Starting April 30, Canonical's web services faced what the company described as a "sustained, cross-border" attack. The ubuntu.com website, Snap store, Launchpad, and several other Canonical-owned services went offline or became unreliable.

The attack lasted until around May 4, when services were gradually restored. As of today, Canonical's official status page shows everything fully operational. Let's hope it stays that way.

What was actually affected: The ubuntu.com website, Snap store (snapcraft.io), Launchpad (including PPAs), login.ubuntu.com, keyserver.ubuntu.com, and Canonical's own website.

What was NOT affected: Your Ubuntu installation, package updates (APT repositories are mirrored across the world and kept working), ISO downloads, and the Ubuntu operating system itself. Your system was never at risk.

Canonical has not released a detailed post-incident report yet. A hacktivist group called 313 reportedly claimed responsibility, but this has not been confirmed by Canonical.

If you had trouble running `snap install` commands or pulling from a PPA last week — that's why. Everything should be working normally now.

No data was compromised. No user systems were affected. The attack targeted web availability, not security.

⎯⎯⎯

Keep following.

05/05/2026

Most network engineers know MPLS. But can you explain it in 60 seconds?
==================================================

MPLS (Multiprotocol Label Switching) sits between Layer 2 and Layer 3 — and it's the reason large WAN networks can forward packets fast, efficiently, and at scale. Instead of looking up complex IP routing tables at every hop, MPLS uses short labels. That's it. But the simplicity is deceptive.

Here's what you actually need to know:

The forwarding process (LSP)
Packets enter at the Ingress LSR (PUSH a label), get switched through Core LSRs (SWAP labels), and exit at the Egress LSR after the Penultimate LSR pops the label (PHP). Clean. Deterministic. Fast.

The 4-byte MPLS header
20-bit Label + 3-bit EXP (QoS) + 1-bit Stack indicator + 8-bit TTL. Everything you need to route, prioritize, and stack labels in a single compact header.

LDP — how labels get distributed
LDP (Label Distribution Protocol) runs over UDP 646 (discovery) and TCP 646 (sessions) to assign labels to FECs and build LSPs. On-demand or proactive — your choice based on your traffic pattern.

Basic LDP vs Targeted LDP
Basic LDP works hop-by-hop using IGP info. Targeted LDP (tLDP) establishes LSPs between non-directly connected routers — the key to MPLS Traffic Engineering and avoiding congestion.

Why MPLS still matters in 2026
High-performance switching, smaller forwarding tables (LFIB vs FIB/RIB), traffic engineering, QoS with EXP bits, and the foundation for L3VPN and L2VPN services. MPLS isn't going anywhere.

If you're working in telco, ISP, or enterprise WAN — understanding MPLS deeply (not just conceptually) is still a differentiator. Save this cheat sheet.

What part of MPLS gave you the most trouble when you first learned it? Drop it in the comments.
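The header layout and the PUSH/SWAP/PHP sequence above, as an added Python example (not the cheat sheet's own code): it packs and parses the 4-byte label stack entry and walks a constructed four-router LSP. The router names, label values and LFIB entries are assumptions; 3 is the real implicit-null label.

```python
"""MPLS label stack entry (LSE) encode/decode and a PUSH -> SWAP -> PHP walk along an LSP.

Added example, not the cheat sheet's own material. Router names, label values and LFIB
entries are constructed; 3 is the real implicit-null label that triggers PHP.
"""
import struct

IMPLICIT_NULL = 3   # advertised by the egress LSR so the penultimate hop pops instead of swapping


def encode_lse(label, exp=0, bos=True, ttl=64):
    """Pack one 4-byte LSE: 20-bit label | 3-bit EXP (QoS) | 1-bit S (bottom of stack) | 8-bit TTL."""
    if not 0 <= label < 1 << 20:
        raise ValueError("label must fit in 20 bits")
    word = (label << 12) | ((exp & 0x7) << 9) | (int(bos) << 8) | (ttl & 0xFF)
    return struct.pack("!I", word)


def decode_lse(data):
    """Unpack the first 4 bytes of data as an LSE."""
    word, = struct.unpack("!I", data[:4])
    return {"label": word >> 12, "exp": (word >> 9) & 0x7, "bos": bool((word >> 8) & 1), "ttl": word & 0xFF}


def decode_stack(data):
    """Read LSEs until the S bit is set (e.g. transport label over a VPN label); returns (entries, payload)."""
    entries, i = [], 0
    while True:
        entries.append(decode_lse(data[i:i + 4]))
        i += 4
        if entries[-1]["bos"]:
            return entries, data[i:]


# Constructed LSP PE1 -> P1 -> P2 -> PE2. Each LFIB maps incoming label -> outgoing label; PE2
# advertised implicit-null (3) for this FEC, so P2 performs penultimate hop popping.
LFIB = {"P1": {100: 200}, "P2": {200: IMPLICIT_NULL}}
PATH = ["PE1", "P1", "P2", "PE2"]


def forward_lsp(ip_packet, fec_label, exp=0, ttl=64):
    """Walk the LSP; returns the per-hop trace and the bytes the egress LSR receives."""
    pkt = encode_lse(fec_label, exp, True, ttl) + ip_packet   # ingress LSR: PUSH the label for the FEC
    trace = [("PE1", "push", fec_label)]
    for lsr in PATH[1:-1]:
        top = decode_lse(pkt)                                  # core LSRs look only at the top LSE
        out = LFIB[lsr][top["label"]]
        if out == IMPLICIT_NULL:                               # PHP: strip the top LSE
            pkt = pkt[4:]                                      # (uniform mode would also copy TTL into IP)
            trace.append((lsr, "pop", top["label"]))
        else:                                                  # SWAP the label, decrement the label TTL
            pkt = encode_lse(out, top["exp"], top["bos"], top["ttl"] - 1) + pkt[4:]
            trace.append((lsr, "swap", out))
    trace.append(("PE2", "ip-lookup", None))                   # egress receives plain IP: no label lookup
    return trace, pkt
```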

04/05/2026

🚀 **CCNA Lab Deep Dive: Multilayer Network Design (Core–Distribution–Access)** 🔐
============================================================

Today in my CCNA class, I guided students through a **complete enterprise-grade multilayer network topology**—designed exactly the way real-world networks are built. This hands-on lab is not just configuration… it's about understanding *why* networks are designed this way.

🧠 **What we built together:**
We implemented a **3-tier architecture**:

🔹 **Core Layer**
• High-speed backbone connectivity
• Connected to routers using networks **10.1.1.0/24 & 10.1.2.0/24**
• Ensures fast and reliable data transport

🔹 **Distribution Layer (Layer 3 Switches)**
• Inter-VLAN routing using SVIs
• Redundant links between switches (for high availability)
• Implemented **HSRP** for gateway redundancy
• Ran **OSPF** to dynamically exchange routes with core routers

🔹 **Access Layer (User Connectivity)**
• Multiple switches connecting end devices (PCs & Servers)
• Configured **access ports** and **trunk links**
• End-user segmentation based on VLANs

📡 **VLAN & IP Design:**
✔️ VLAN 10 – Sales → 192.168.10.0/24 (PC1, PC5, PC8)
✔️ VLAN 20 – Market → 192.168.20.0/24 (PC2, PC6)
✔️ VLAN 30 – IT → 192.168.30.0/24 (PC3, PC7)
✔️ VLAN 40 – Admin → 192.168.40.0/24 (Servers S1, S2 + PCs)

🔁 **Redundancy with HSRP:**
• Virtual gateways configured (e.g., **192.168.X.254**)
• Active/Standby roles verified
• Seamless failover ensures zero downtime for users

🌐 **Routing & Switching Concepts Applied:**
• 802.1Q Trunking between switches
• VLAN propagation using VTP
• Inter-VLAN routing via Layer 3 switches
• OSPF adjacency with core routers
• Real-time connectivity testing using ping

🧪 **Verification Results:**
✔️ Successful inter-VLAN communication
✔️ PCs reaching HSRP virtual gateways
✔️ OSPF routes learned dynamically
✔️ Stable network with redundancy working perfectly

💡 **Teaching Insight:**
In class, I emphasize not just configuration, but **design thinking**:

👉 Why do we use a hierarchical model?
👉 How does HSRP improve availability?
👉 Why is OSPF preferred in enterprise networks?

This is how students move from *command memorization* to a *real network engineering mindset*.

📢 If you're learning CCNA or Network Security, follow my page for more **real lab scenarios, breakdowns, and hands-on learning content!**

🔥 Let’s grow together in networking!

04/05/2026

🚀 Policy-Based Routing (PBR) on FortiGate | EVE-NG Lab 🔥

I recently completed a **hands-on lab on Policy-Based Routing (PBR)** using **FortiGate VM in EVE-NG**, simulating a real-world enterprise scenario with **dual ISP redundancy and service-based traffic control** 💡

This lab is extremely useful for anyone preparing for **Network Security / SOC / CCNA / CCNP roles**.

## 🔹 🔧 Lab Topology Overview 🔧🔹
===============================
✔️ Two internal VLAN networks (HR & Sales) connected via a switch to FortiGate
✔️ FortiGate connected to **two ISPs (ACT & TATA)**
✔️ External Linux server hosted behind ISP network (60.0.0.10)
✔️ End-to-end traffic flow validation using HTTP & SSH

## 💡 Key Learnings
🔸 VLAN segmentation (Inter-VLAN routing)
🔸 Static routing fundamentals
🔸 FortiGate firewall policy design
🔸 Policy-Based Routing (PBR)
🔸 Application-aware traffic steering
🔸 CLI-based verification techniques

03/05/2026

===========================================
## 🚀 Policy-Based Routing (PBR) on FortiGate | EVE-NG Lab 🔥
===========================================

I recently completed a **hands-on lab on Policy-Based Routing (PBR)** using **FortiGate VM in EVE-NG**, simulating a real-world enterprise scenario with **dual ISP redundancy and service-based traffic control** 💡

This lab is extremely useful for anyone preparing for **Network Security / SOC / CCNA / CCNP roles**.

## 🔹 🔧 Lab Topology Overview 🔧🔹
===============================

✔️ Two internal VLAN networks (HR & Sales) connected via a switch to FortiGate
✔️ FortiGate connected to **two ISPs (ACT & TATA)**
✔️ External Linux server hosted behind ISP network (60.0.0.10)
✔️ End-to-end traffic flow validation using HTTP & SSH

## 🔹 🖥️ Internal Network (LAN Setup)

Created segmented VLAN architecture for better control and isolation:

👨‍💼 **HR VLAN (VLAN 10)**
➡️ Subnet: 192.168.1.0/24
➡️ Gateway: 192.168.1.1

💼 **Sales VLAN (VLAN 20)**
➡️ Subnet: 192.168.2.0/24
➡️ Gateway: 192.168.2.1

📌 Configured on **port2** using VLAN interfaces
📌 Created firewall address objects:

* HR-LAN
* SALES-LAN
* LINUX-SERVER (60.0.0.10)

## 🔹 🌐 WAN / ISP Configuration

Simulated dual ISP environment:

🌍 **WAN1 – ACT (port3)**
➡️ Network: 20.0.0.0/8
➡️ Gateway: 20.0.0.2

🌍 **WAN2 – TATA (port4)**
➡️ Network: 30.0.0.0/8
➡️ Gateway: 30.0.0.2

✔️ Configured **static default routes** for both ISPs
✔️ Ensured reachability to external network (60.0.0.0/8)

## 🔹 🔐 Firewall Policy Configuration

✔️ Created LAN → WAN policy
✔️ Allowed traffic from HR & Sales to Internet
✔️ Enabled NAT for outbound connectivity
✔️ No security profiles (kept simple for lab validation)

## 🔹 ⚙️ Policy-Based Routing (Core Concept)

This is where the real magic happens 👇

Instead of relying on destination-based routing, I implemented **service-based routing decisions**:

### ✅ Rule 1: HTTP Traffic (Port 80)

➡️ Source: HR + Sales
➡️ Destination: Linux Server
➡️ Route via: **WAN1 (ACT ISP)**

### ✅ Rule 2: SSH Traffic (Port 22)

➡️ Source: HR + Sales
➡️ Destination: Linux Server
➡️ Route via: **WAN2 (TATA ISP)**

🎯 This ensures **different applications use different ISPs** — a key enterprise requirement.

## 🔹 🧪 Testing & Verification

✔️ HTTP access → Successfully routed via WAN1
✔️ SSH login → Successfully routed via WAN2
✔️ Verified using:

* `diagnose firewall proute list`
* Hit count increment ✅
* Active session tracking ✅

✔️ Web page accessed:
👉 *“Hello World! This file is located in /home/httpd”*

✔️ SSH login confirmed via PuTTY

## 🎉 Final Result

✔️ PBR working perfectly
✔️ Traffic steering based on service achieved
✔️ Dual ISP utilization validated
✔️ Real-world enterprise scenario successfully simulated

## 💡 Key Learnings

🔸 VLAN segmentation (Inter-VLAN routing)
🔸 Static routing fundamentals
🔸 FortiGate firewall policy design
🔸 Policy-Based Routing (PBR)
🔸 Application-aware traffic steering
🔸 CLI-based verification techniques

===========================================
## 🙏 Credits
🔸 Special thanks to Darshan P for sharing the lab topology 👏
===========================================

## 📣 Want More Labs Like This?

I regularly share **real-world cybersecurity & networking labs** 🚀

👉 Follow my profile
👉 Join my WhatsApp channel (link in comments)
👉 Stay updated with practical learning
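As an added example (not the lab's FortiGate configuration or Darshan P's topology), this Python model evaluates the two policy routes from the post ahead of an ordinary static routing table, the way a firewall consults policy routes before the routing table. The address objects, gateways and egress ports come from the post; the routing-table entries and their priorities, the test flows and the hit counter are assumptions.

```python
"""Policy-based routing decision, modelled on the FortiGate dual-ISP lab above.

Added example, not the lab's FortiOS configuration. Address objects, the two policy
routes and the gateways come from the post; the routing-table entries, their
priorities and the flows replayed in lab_validation() are constructed.
"""
import ipaddress
from dataclasses import dataclass

TCP = 6
ADDR = {"HR-LAN": ["192.168.1.0/24"], "SALES-LAN": ["192.168.2.0/24"], "LINUX-SERVER": ["60.0.0.10/32"]}

# Policy routes, evaluated top-down; the first match decides the egress interface and gateway.
POLICY_ROUTES = [
    {"seq": 1, "src": ["HR-LAN", "SALES-LAN"], "dst": ["LINUX-SERVER"],
     "proto": TCP, "ports": (80, 80), "dev": "port3", "gw": "20.0.0.2"},   # HTTP -> WAN1 (ACT)
    {"seq": 2, "src": ["HR-LAN", "SALES-LAN"], "dst": ["LINUX-SERVER"],
     "proto": TCP, "ports": (22, 22), "dev": "port4", "gw": "30.0.0.2"},   # SSH  -> WAN2 (TATA)
]
# Ordinary routing table: (prefix, device, gateway, priority). Longest prefix wins; on a tie
# the lower priority value wins, so WAN1 is the preferred default route (constructed).
ROUTING_TABLE = [
    ("0.0.0.0/0", "port3", "20.0.0.2", 10), ("0.0.0.0/0", "port4", "30.0.0.2", 20),
    ("192.168.1.0/24", "port2", None, 0), ("192.168.2.0/24", "port2", None, 0),
]
HITS = {pr["seq"]: 0 for pr in POLICY_ROUTES}   # the counter `diagnose firewall proute list` reports


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    dport: int


def in_objects(ip, names):
    """True if ip falls inside any prefix of the named firewall address objects."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for name in names for p in ADDR[name])


def route(flow):
    """Return (decision, egress device, gateway): policy routes first, routing table as fallback."""
    for pr in POLICY_ROUTES:
        lo, hi = pr["ports"]
        if (in_objects(flow.src, pr["src"]) and in_objects(flow.dst, pr["dst"])
                and flow.proto == pr["proto"] and lo <= flow.dport <= hi):
            HITS[pr["seq"]] += 1
            return f"policy-route {pr['seq']}", pr["dev"], pr["gw"]
    dst = ipaddress.ip_address(flow.dst)
    candidates = [r for r in ROUTING_TABLE if dst in ipaddress.ip_network(r[0])]
    best = max(candidates, key=lambda r: (ipaddress.ip_network(r[0]).prefixlen, -r[3]))
    return "routing-table", best[1], best[2]


def lab_validation():
    """Replay the post's HTTP and SSH tests plus two flows that no policy route matches."""
    flows = [Flow("192.168.1.10", "60.0.0.10", TCP, 80),      # HR -> HTTP: rule 1
             Flow("192.168.2.20", "60.0.0.10", TCP, 22),      # Sales -> SSH: rule 2
             Flow("192.168.1.10", "60.0.0.10", TCP, 443),     # HTTPS: falls to the default route
             Flow("192.168.1.10", "192.168.2.20", TCP, 22)]   # inter-VLAN: connected route on port2
    return [route(f) for f in flows]
```

The HTTPS flow is the check worth adding to the lab: a service the policy routes do not name should land on the ordinary default route, and its hit counters should stay unchanged.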

02/05/2026

### 🚀 **New Lab Guide Released – Firewall and Routing Hub** 🔥
==============================================

I’m excited to share my latest practical lab guide:
📘 **Site-to-Site IPSec VPN in Fortinet (EVE-NG Lab)**

This guide is designed for anyone preparing for **real-world networking, CCNA, CCNP, or Network Security roles**. It covers everything from basic concepts to actual implementation and verification.

🔐 **What you’ll learn:**
✔️ IPSec VPN (Phase 1 & Phase 2)
✔️ Secure LAN-to-LAN communication
✔️ Firewall policy configuration
✔️ Static routing with VPN
✔️ Traffic verification using CLI

💡 This is not just theory — it’s a **hands-on lab based on real enterprise scenarios**.

📥 **Download the full PDF from my WhatsApp channel**

👉 Link shared in the channel — make sure to join!
Follow the Firewall & Routing Hub channel on WhatsApp: https://whatsapp.com/channel/0029VbBh8F84NViiDpCGkh1u

📘 **Follow my page for more networking labs & content**
👉 https://www.facebook.com/people/Firewall-Routing-Hub/61579950964383/

🙏 Your support means a lot—keep learning and growing together!

Website

https://whatsapp.com/channel/0029VbBh8F84NViiDpCGkh1u

Address

Tollygunge, Kolkata