All show command
# sh run | s ^vlan
Big Topology-
Task 1: Basic Router Configuration on West BR1
Basic Router Configuration
- Set router clock to the current date and time
Router#clock set 03:35:00 23 apr 2014
Router#show clock
*3:35:3.965 UTC Wed Apr 23 2014
- Configuring the router hostname to WB1
Router(config)#hostname WB1
- Set Banner Message of the Day to Unauthorized Access Prohibited!
WB1(config)#banner motd #Unauthorized Access Prohibited!#
- Newly-entered passwords must have a minimum length of 6 characters.
WB1(config)#security passwords min-length 6
- Protect device configurations from unauthorized access with the encrypted password. Set the password to Manirul.
WB1(config)#enable secret Manirul
- Secure all the ways to access the router. Set the passwords to Rexona.
WB1(config)#line console 0
WB1(config-line)#password Rexona
WB1(config-line)#login
WB1(config-line)#exit
WB1(config)#line vty 0 4
WB1(config-line)#password Rexona
WB1(config-line)#login
WB1(config-line)#exit
- Prevent all passwords from being viewed in clear text in device configuration files.
WB1(config)#service password-encryption
- Prevent device status messages from interrupting command line entries at the device console.
WB1(config)#line console 0
WB1(config-line)#logging synchronous
WB1(config-line)#exit
- Prevent the router from attempting to resolve command line entries to IP addresses.
WB1(config)#no ip domain-lookup
Configuring SSH
- Use SSH version 2 with a 1024-bit RSA key. Set the timeout to 60 seconds and limit authentication retries to 5.
WB1(config)#ip domain-name smaviation.com
WB1(config)#crypto key generate rsa
The name for the keys will be: WB1.smaviation.com
2 Prepared by: Md. Manirul Islam (manirul@aiub.edu)
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
WB1(config)#ip ssh version 2
WB1(config)#ip ssh time-out 60
WB1(config)#ip ssh authentication-retries 5
- Create a user with username admin and password admin123. Configure user authentication for in-band management connections.
WB1(config)#username admin secret admin123
WB1(config)#line vty 0 4
WB1(config-line)#transport input ssh
WB1(config-line)#login local
WB1(config-line)#exit
- To test the SSH configuration, open the command prompt of the ITAdmin PC and log in remotely to the WB1 router. The SSH session should succeed.
PC>ssh -l admin 172.16.2.1
Open
Password:
Configuring NTP, SNMP and Syslog Settings
a. Configuring NTP
- Network Time Protocol (NTP) is a UDP based protocol used to synchronize time clocks amongst network devices. NTP is especially useful to ensure that timestamps on log messages are consistent throughout the entire network.
- NTP uses a stratum, or hop count, to determine how close a device is to a master time source. A lower stratum is better, and devices with a stratum of 1 are assumed to be the authoritative time source. Devices that receive their time directly from a stratum 1 device have a stratum of 2, and so on.
- Configure West BR1 to use Management Server as its NTP Server. Use a key value of 15. The key itself must be defined and NTP authentication enabled before the server can be referenced with that key; the key string (shown below as a placeholder) must match the one configured on Management Server.
WB1(config)#ntp authentication-key 15 md5 <ntp-key-string>
WB1(config)#ntp authenticate
WB1(config)#ntp trusted-key 15
WB1(config)#ntp server 172.16.2.2 key 15
WB1#show ntp status
Clock is synchronized, stratum 2, reference is 172.16.2.2
nominal freq is 250.0000 Hz, actual freq is 249.9990 Hz, precision is 2**19
reference time is D6DCD6BD.000000EE (04:31:57.238 UTC Wed Apr 23 2014)
clock offset is 0.00 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec.
b. Configuring SNMP
- SNMP was developed to allow administrators to manage nodes, such as servers, workstations, routers, switches, and security appliances, on an IP network.
- SNMP is an application layer protocol that provides a message format for communication between managers and agents. The SNMP system consists of three elements:
o SNMP manager
o SNMP agents (managed node)
o Management Information Base (MIB)
- The SNMP agent and MIB reside on networking device clients. Network devices that must be managed, such as switches, routers, servers, firewalls, and workstations, are equipped with an SNMP agent software module. MIBs store data about the device operation and are meant to be available to authenticated remote users. The SNMP agent is responsible for providing access to the local MIB of objects that reflects resources and activity.
- SNMP uses UDP, port number 162, to retrieve and send management information.
- For SNMP to operate, the NMS must have access to the MIB. To ensure that access requests are valid, some form of authentication must be in place. SNMPv1 and SNMPv2c use community strings that control access to the MIB. Community strings are plaintext passwords. SNMP community strings authenticate access to MIB objects.
There are two types of community strings:
o Read-only (ro) - Provides access to the MIB variables, but does not allow these variables to be changed, only read. Because security is minimal in version 2c, many organizations use SNMPv2c in read-only mode.
o Read-write (rw) - Provides read and write access to all objects in the MIB.
- Use an SNMP community string of CiscoPTSA. Allow the SNMP management station only read-only rights. The standard ACL restricts which host may use the community string, but it has no effect unless it is referenced on the snmp-server community line.
WB1(config)#ip access-list standard SNMP_ACL
WB1(config-std-nacl)#permit host 172.16.2.3
WB1(config-std-nacl)#exit
WB1(config)#snmp-server community CiscoPTSA ro SNMP_ACL
Now open MIB Browser from the Desktop of ITAdmin PC. Click Advanced and provide SNMP parameters.
Now Select object from SNMP MIB Tree and Click GO.
c. Configuring Syslog
- When certain events occur on a network, networking devices have trusted mechanisms to notify the administrator with detailed system messages. These messages can be either non-critical or significant. Network administrators have a variety of options for storing, interpreting, and displaying these messages, and for being alerted to those messages that could have the greatest impact on the network infrastructure. The most common method of accessing system messages that networking devices provide is to use a protocol called syslog.
- Every syslog message contains a severity level and a facility.
- Configuration
o Configure West BR1 to use time stamps when logging. The timestamps should include milliseconds.
o Configure Syslog to send log entries to the Management Server.
o Set the message trapping for Syslog to the debugging level.
WB1(config)#service timestamps log datetime msec
WB1(config)#logging host 172.16.2.2
WB1(config)#logging trap debugging
You can use the show logging command to view any messages that are logged.
Configuring Access-Control List (ACL) - Restrict access to the vty lines on Central:
Create a named standard ACL using the name RSTVTY. Be sure that you use this name exactly as it appears in these instructions (case and spelling).
Allow only the Admin Host (ITAdmin) to access the vty lines of Central.
WB1(config)#ip access-list standard RSTVTY
WB1(config-std-nacl)#permit host 172.16.2.3
WB1(config-std-nacl)#exit
WB1(config)#line vty 0 4
WB1(config-line)#access-class RSTVTY in
WB1(config-line)#exit
Now try to SSH from Management Server (172.16.2.2). It will fail, because RSTVTY permits only 172.16.2.3.
SERVER>ssh -l admin 172.16.2.1
% Connection refused by remote host
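To check that a router actually carries the hardening from Task 1, the following added Python script (not part of the lab) parses a running-config in IOS layout and reports which controls are present. The sample config is constructed to mirror WB1 and deliberately lacks the vty access-class, so the audit has something to flag; hashes and line names in it are placeholders.

```python
import re

# Constructed sample running-config in the shape of WB1 after Task 1 (not captured
# from a device). The vty block has no access-class so the audit reports it.
SAMPLE_CONFIG = """\
hostname WB1
security passwords min-length 6
enable secret 5 $1$PLACEHOLDER$HASH
no ip domain-lookup
ip domain-name smaviation.com
service password-encryption
username admin secret 5 $1$PLACEHOLDER$HASH
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 5
ip access-list standard RSTVTY
 permit host 172.16.2.3
banner motd ^CUnauthorized Access Prohibited!^C
line con 0
 password 7 0822455D0A16
 logging synchronous
 login
line vty 0 4
 password 7 0822455D0A16
 login local
 transport input ssh
end
"""


def split_sections(config):
    """Split IOS running-config text into global lines and indented sub-blocks.

    IOS indents the lines belonging to a block (e.g. 'line vty 0 4') by one
    space, so a non-indented line starts a new block and the indented lines
    that follow belong to it.
    """
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                sections.setdefault(current, []).append(raw.strip())
        else:
            current = raw.strip()
            global_lines.append(current)
    return global_lines, sections


# (check name, block header or None for global config, regex the block must match)
CHECKS = [
    ("enable secret set", None, r"^enable secret "),
    ("password min-length >= 6", None, r"^security passwords min-length ([6-9]|[1-9]\d+)$"),
    ("service password-encryption", None, r"^service password-encryption$"),
    ("no ip domain-lookup", None, r"^no ip domain[- ]lookup$"),
    ("ssh version 2 only", None, r"^ip ssh version 2$"),
    ("console login with password", "line con 0", r"^login$"),
    ("console logging synchronous", "line con 0", r"^logging synchronous$"),
    ("vty local authentication", "line vty 0 4", r"^login local$"),
    ("vty ssh only", "line vty 0 4", r"^transport input ssh$"),
    ("vty access-class applied", "line vty 0 4", r"^access-class \S+ in$"),
]


def audit_config(config):
    """Map each check name to True (control present) or False (missing)."""
    global_lines, sections = split_sections(config)
    results = {}
    for name, block, pattern in CHECKS:
        lines = global_lines if block is None else sections.get(block, [])
        results[name] = any(re.match(pattern, line) for line in lines)
    return results


def missing_controls(config):
    """Names of the checks that fail, in CHECKS order."""
    return [name for name, ok in audit_config(config).items() if not ok]


if __name__ == "__main__":
    for name, ok in audit_config(SAMPLE_CONFIG).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```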
Task 2: Configure VLAN, Voice VLAN, VTP and Inter-VLAN Routing in East BR1
Step 1: Configure Trunking on EB1DLSW, EB1ALSW1 and EB1ALSW2
Trunking ports for EB1DLSW, EB1ALSW1 and EB1ALSW2 are all ports attached to another switch or router. Set all trunking ports to trunk mode, and assign VLAN 6 as the native VLAN.
On EB1DLSW, configure ports Fa0/1-4 and Gig1/1 as trunk ports. The range command greatly reduces the number of repetitive commands you must enter when applying the same configuration to multiple ports.
EB1DLSW(config)#int range g1/1, f0/1-4
EB1DLSW(config-if-range)#switchport mode trunk
EB1DLSW(config-if-range)#switchport trunk native vlan 6
EB1DLSW(config-if-range)#exit
On EB1ALSW1, configure port Fa0/1-4 as trunk port.
EB1ALSW1(config)#int range f0/1-4
EB1ALSW1(config-if-range)#switchport mode trunk
EB1ALSW1(config-if-range)#switchport trunk native vlan 6
EB1ALSW1(config-if-range)#exit
On EB1ALSW2, configure port Fa0/1-4 as trunk port.
EB1ALSW2(config)#int range f0/1-4
EB1ALSW2(config-if-range)#switchport mode trunk
EB1ALSW2(config-if-range)#switchport trunk native vlan 6
EB1ALSW2(config-if-range)#exit
To view trunk ports, use the following command:
EB1ALSW2#show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      6
Fa0/2       on           802.1q         trunking      6
Fa0/3       on           802.1q         trunking      6
Fa0/4       on           802.1q         trunking      6
Step 2: Configure VTP Settings.
EB1DLSW is the VTP server; EB1ALSW1 and EB1ALSW2 are VTP clients.
The domain name is dreamnet.
The password is ccna.
Configure EB1DLSW as server and set the domain name and password.
EB1DLSW(config)#vtp mode server
EB1DLSW(config)#vtp domain dreamnet
EB1DLSW(config)#vtp password ccna
Configure EB1ALSW1 as client and set the domain name and password.
EB1ALSW1(config)#vtp mode client
EB1ALSW1(config)#vtp domain dreamnet
EB1ALSW1(config)#vtp password ccna
Also configure EB1ALSW2 as client and set the domain name and password.
EB1ALSW2(config)#vtp mode client
EB1ALSW2(config)#vtp domain dreamnet
EB1ALSW2(config)#vtp password ccna
To view VTP status, use the following command:
EB1ALSW2#show vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 255
Number of existing VLANs : 5
VTP Operating Mode : client
VTP Domain Name : dreamnet
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0xA3 0x68 0x28 0xA3 0x72 0xB4 0x95 0x5C
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)
To view VTP password, use the following command:
EB1ALSW2#show vtp password
VTP Password: ccna
Step 3: Create and Name the VLANs
Create and name the following VLANs on VTP Server EB1DLSW only:
VLAN 2, name = Wireless
VLAN 3, name = Sales
VLAN 4, name = Marketing
VLAN 5, name = IT
VLAN 6, name = MgmtNnative
VLAN 99, name = Spare
EB1DLSW(config)#vlan 2
EB1DLSW(config-vlan)#name Wireless
EB1DLSW(config-vlan)#vlan 3
EB1DLSW(config-vlan)#name Sales
EB1DLSW(config-vlan)#vlan 4
EB1DLSW(config-vlan)#name Marketing
EB1DLSW(config-vlan)#vlan 5
EB1DLSW(config-vlan)#name IT
EB1DLSW(config-vlan)#vlan 6
EB1DLSW(config-vlan)#name MgmtNnative
EB1DLSW(config-vlan)#vlan 99
EB1DLSW(config-vlan)#name Spare
EB1DLSW(config-vlan)#exit
Step 4: Verify VLAN Configuration
After creating the VLANs, return to privileged EXEC and issue the show vlan brief command to verify the creation of the new VLANs.
EB1DLSW#show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig1/1, Gig1/2
2    Wireless                         active
3    Sales                            active
4    Marketing                        active
5    IT                               active
6    MgmtNnative                      active
99   Spare                            active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
Step 5: Verify VLANs were sent to EB1ALSW1 and EB1ALSW2
The VLANs created on EB1DLSW should now have been propagated to EB1ALSW1 and EB1ALSW2. Issue the show vlan brief command in privileged EXEC mode to verify the VLAN information on both EB1ALSW1 and EB1ALSW2.
EB1ALSW1#show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig1/1, Gig1/2
2    Wireless                         active
3    Sales                            active
4    Marketing                        active
5    IT                               active
6    MgmtNnative                      active
99   Spare                            active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
Step 6: Assign Ports to VLANs and verify port assignments
Assign the ports of EB1DLSW to their corresponding VLANs. For security purposes, put all unused switchports (Fa0/5-24, Gig1/2) into the Spare VLAN (VLAN ID: 99) and shut the ports down.
EB1DLSW(config)#int range f0/5-24, g1/2
EB1DLSW(config-if-range)#switchport mode access
EB1DLSW(config-if-range)#switchport access vlan 99
EB1DLSW(config-if-range)#shutdown
EB1DLSW(config-if-range)#exit
Assign the ports of EB1ALSW1 to their corresponding VLANs. Assign Fa0/5 to the Sales VLAN (VLAN ID: 3), Fa0/6 to the Marketing VLAN (VLAN ID: 4), Fa0/7 to the Wireless VLAN (VLAN ID: 2), Fa0/8 to the voice VLAN (default VLAN), and Fa0/9 to the default VLAN. For security purposes, put all unused switchports (Fa0/10-24, Gig1/1-2) into the Spare VLAN (VLAN ID: 99) and shut the ports down.
EB1ALSW1(config)#int f0/5
EB1ALSW1(config-if)#switchport mode access
EB1ALSW1(config-if)#switchport access vlan 3
EB1ALSW1(config-if)#exit
EB1ALSW1(config)#int f0/6
EB1ALSW1(config-if)#switchport mode access
EB1ALSW1(config-if)#switchport access vlan 4
EB1ALSW1(config-if)#exit
EB1ALSW1(config)#int f0/7
EB1ALSW1(config-if)#switchport mode access
EB1ALSW1(config-if)#switchport access vlan 2
EB1ALSW1(config-if)#exit
EB1ALSW1(config)#int f0/8
EB1ALSW1(config-if)#switchport mode access
EB1ALSW1(config-if)#switchport voice vlan 1
EB1ALSW1(config-if)#exit
EB1ALSW1(config)#int f0/9
EB1ALSW1(config-if)#switchport mode access
EB1ALSW1(config-if)#switchport access vlan 1
EB1ALSW1(config-if)#exit
EB1ALSW1(config)#int range f0/10-24, g1/1-2
EB1ALSW1(config-if-range)#switchport mode access
EB1ALSW1(config-if-range)#switchport access vlan 99
EB1ALSW1(config-if-range)#shutdown
EB1ALSW1(config-if-range)#exit
Assign the ports of EB1ALSW2 to their corresponding VLANs. Assign Fa0/5 to the Sales VLAN (VLAN ID: 3), Fa0/6 to the Marketing VLAN (VLAN ID: 4) and Fa0/7 to the voice VLAN (default VLAN). For security purposes, put all unused switchports (Fa0/8-24, Gig1/1-2) into the Spare VLAN (VLAN ID: 99) and shut the ports down.
EB1ALSW2(config)#int f0/5
EB1ALSW2(config-if)#switchport mode access
EB1ALSW2(config-if)#switchport access vlan 3
EB1ALSW2(config-if)#exit
EB1ALSW2(config)#int f0/6
EB1ALSW2(config-if)#switchport mode access
EB1ALSW2(config-if)#switchport access vlan 4
EB1ALSW2(config-if)#exit
EB1ALSW2(config)#int f0/7
EB1ALSW2(config-if)#switchport mode access
EB1ALSW2(config-if)#switchport voice vlan 1
EB1ALSW2(config-if)#exit
EB1ALSW2(config)#int range f0/8-24, g1/1-2
EB1ALSW2(config-if-range)#switchport mode access
EB1ALSW2(config-if-range)#switchport access vlan 99
EB1ALSW2(config-if-range)#shutdown
After port assignments, return to privileged EXEC and issue the show vlan brief command to check the new port assignments.
Step 7: Assign IP address to Hosts and test Intra-VLAN communication
Assign IP addresses to Sales PC1, MKT PC1, Printer, Sales PC2, and MKT PC2 from their corresponding subnets. At this point you should be able to reach hosts in the same VLAN, but not hosts in other VLANs. To reach hosts in different VLANs you now need to configure inter-VLAN routing.
Ping from Sales PC1 (172.16.1.66) to Sales PC2 (172.16.1.67); it should succeed.
PC>ping 172.16.1.67
Pinging 172.16.1.67 with 32 bytes of data:
Reply from 172.16.1.67: bytes=32 time=0ms TTL=128
Reply from 172.16.1.67: bytes=32 time=3ms TTL=128
Reply from 172.16.1.67: bytes=32 time=0ms TTL=128
Reply from 172.16.1.67: bytes=32 time=1ms TTL=128
Ping statistics for 172.16.1.67:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 3ms, Average = 1ms
Now try to ping Sales PC1 (172.16.1.66) to MKT PC1 (172.16.1.98). It will not be successful.
Step 8: Configure Router-on-a-Stick Inter-VLAN Routing on East BR1
Activate Gig 0/0 on East BR1 and configure inter-VLAN routing. The subinterface number corresponds to the VLAN number; use the first address in each VLAN network for its subinterface.
EB1(config)#int g0/0
EB1(config-if)#no shutdown
EB1(config-if)#exit
EB1(config)#int g0/0.1
EB1(config-subif)#encapsulation dot1q 1
EB1(config-subif)#ip address 172.16.1.1 255.255.255.224
EB1(config-subif)#exit
EB1(config)#int g0/0.2
EB1(config-subif)#encapsulation dot1Q 2
EB1(config-subif)#ip address 172.16.1.33 255.255.255.224
EB1(config-subif)#exit
EB1(config)#int g0/0.3
EB1(config-subif)#encapsulation dot1Q 3
EB1(config-subif)#ip add 172.16.1.65 255.255.255.224
EB1(config-subif)#exit
EB1(config)#int g0/0.4
EB1(config-subif)#encapsulation dot1Q 4
EB1(config-subif)#ip address 172.16.1.97 255.255.255.224
EB1(config-subif)#exit
EB1(config)#int g0/0.5
EB1(config-subif)#encapsulation dot1Q 5
EB1(config-subif)#ip address 172.16.1.129 255.255.255.240
EB1(config-subif)#exit
EB1(config)#int g0/0.6
EB1(config-subif)#encapsulation dot1q 6 native
EB1(config-subif)#ip address 172.16.1.161 255.255.255.240
EB1(config-subif)#exit
At this point you should be able to reach the hosts of different VLANs. Try to ping from Sales PC1 (172.16.1.66) to MKT PC1 (172.16.1.98). It will now be successful.
Task 3: Configure DHCP on router East BR1
Configure DHCP for voice VLAN.
EB1(config)#ip dhcp excluded-address 172.16.1.1 172.16.1.5
EB1(config)#ip dhcp pool VoicePool
EB1(dhcp-config)#network 172.16.1.0 255.255.255.224
EB1(dhcp-config)#default-router 172.16.1.1
EB1(dhcp-config)#dns-server 172.16.1.2
EB1(dhcp-config)#exit
The IP phones should now obtain an IP address from this DHCP pool.
Task 4: Configure Switchport Security Feature in EB1ALSW1 and EB1ALSW2
Protect — This mode permits traffic from known MAC addresses to continue to be forwarded while dropping traffic from unknown MAC addresses when over the allowed MAC address limit. When configured with this mode, no notification action is taken when traffic is dropped.
Restrict — This mode permits traffic from known MAC addresses to continue to be forwarded while dropping traffic from unknown MAC addresses when over the allowed MAC address limit. When configured with this mode, a syslog message is logged, a Simple Network Management Protocol (SNMP) trap is sent, and a violation counter is incremented when traffic is dropped.
Shutdown — This mode is the default violation mode; when in this mode, the switch will automatically force the switchport into an error disabled (err-disable) state when a violation occurs. While in this state, the switchport forwards no traffic. The switchport can be brought out of this error disabled state by issuing the errdisable recovery cause CLI command or by disabling and reenabling the switchport.
Configure Switchport Security Feature in EB1ALSW1 and EB1ALSW2.
- Each active access port should accept only two MAC addresses before a security action occurs.
- The learned MAC addresses should be recorded in the running configuration.
- If a security violation occurs, the switch ports should provide notification that a violation has occurred but not place the interface in an err-disabled state.
EB1ALSW1(config)#int range f0/5-9
EB1ALSW1(config-if-range)#switchport port-security
EB1ALSW1(config-if-range)#switchport port-security maximum 2
EB1ALSW1(config-if-range)#switchport port-security mac-address sticky
EB1ALSW1(config-if-range)#switchport port-security violation restrict
EB1ALSW1(config-if-range)#exit
EB1ALSW2(config)#int range f0/5-7
EB1ALSW2(config-if-range)#switchport port-security
EB1ALSW2(config-if-range)#switchport port-security maximum 2
EB1ALSW2(config-if-range)#switchport port-security mac-address sticky
EB1ALSW2(config-if-range)#switchport port-security violation restrict
EB1ALSW2(config-if-range)#exit
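With restrict mode, every violation produces a syslog message, and with the syslog settings from Task 1 those messages reach Management Server with millisecond timestamps. The following added Python example (not part of the lab) parses such messages into facility, severity and mnemonic, applies the severity filter that logging trap implements, and aggregates the PSECURE_VIOLATION messages per port and MAC address so a collector can alert on them. The log lines and MAC addresses are constructed samples, not captured output.

```python
import re
from dataclasses import dataclass

# IOS severity levels: 0 = emergencies ... 7 = debugging. 'logging trap debugging'
# forwards messages at level 7 and every lower (more severe) level.
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# Constructed sample log in the format produced by 'service timestamps log datetime msec'.
SAMPLE_LOG = """\
*Apr 23 04:38:01.002: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (172.16.2.3)
*Apr 23 04:39:55.120: %LINK-3-UPDOWN: Interface FastEthernet0/6, changed state to up
*Apr 23 04:40:12.511: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0001.9631.a8c1 on port FastEthernet0/5.
*Apr 23 04:40:13.733: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0001.9631.a8c1 on port FastEthernet0/5.
"""

# '*' prefix means the clock was not authoritative; then timestamp, %FACILITY-SEV-MNEMONIC: text
MSG_RE = re.compile(
    r"^\*?(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d(?:\.\d+)?): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mn>[A-Z0-9_]+): (?P<text>.*)$"
)
VIOLATION_RE = re.compile(r"caused by MAC address ([0-9a-f.]+) on port (\S+?)\.?$")


@dataclass
class SyslogMessage:
    timestamp: str
    facility: str
    severity: int
    mnemonic: str
    text: str


def parse_syslog(line):
    """Parse one IOS syslog line; return None for lines that are not messages."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    return SyslogMessage(m["ts"], m["fac"], int(m["sev"]), m["mn"], m["text"])


def parse_log(text):
    """Parse every message line of a log, skipping anything unparseable."""
    return [msg for msg in (parse_syslog(line) for line in text.splitlines()) if msg]


def would_be_trapped(msg, trap_level=7):
    """True if 'logging trap <trap_level>' would forward this message to the syslog host."""
    return msg.severity <= trap_level


def port_security_violations(messages):
    """Count restrict-mode violations per (port, offending MAC)."""
    counts = {}
    for msg in messages:
        if msg.facility == "PORT_SECURITY" and msg.mnemonic == "PSECURE_VIOLATION":
            m = VIOLATION_RE.search(msg.text)
            if m:
                key = (m.group(2), m.group(1))
                counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    msgs = parse_log(SAMPLE_LOG)
    for msg in msgs:
        print(f"{msg.timestamp} {SEVERITY_NAMES[msg.severity]:>14} {msg.facility}-{msg.mnemonic}")
    for (port, mac), n in port_security_violations(msgs).items():
        print(f"ALERT: {n} port-security violation(s) on {port} from {mac}")
```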
Task 5: Configure Etherchannel
Configure Etherchannel on EB1DLSW
EB1DLSW(config)#int range f0/1-2
EB1DLSW(config-if-range)#channel-group 1 mode active
Creating a port-channel interface Port-channel 1
EB1DLSW(config-if-range)#exit
EB1DLSW(config)#int port-channel 1
EB1DLSW(config-if)#switchport mode trunk
EB1DLSW(config-if)#switchport trunk native vlan 6
EB1DLSW(config-if)#exit
EB1DLSW(config)#int range f0/3-4
EB1DLSW(config-if-range)#channel-group 2 mode active
Creating a port-channel interface Port-channel 2
EB1DLSW(config)#int port-channel 2
EB1DLSW(config-if)#switchport mode trunk
EB1DLSW(config-if)#switchport trunk native vlan 6
EB1DLSW(config-if)#exit
Configure Etherchannel on EB1ALSW1
EB1ALSW1(config)#int range f0/1-2
EB1ALSW1(config-if-range)#channel-group 1 mode active
Creating a port-channel interface Port-channel 1
EB1ALSW1(config-if-range)#exit
EB1ALSW1(config)#int port-channel 1
EB1ALSW1(config-if)#switchport mode trunk
EB1ALSW1(config-if)#switchport trunk native vlan 6
EB1ALSW1(config-if)#exit
EB1ALSW1(config)#int range f0/3-4
EB1ALSW1(config-if-range)#channel-group 3 mode desirable
Creating a port-channel interface Port-channel 3
EB1ALSW1(config)#int port-channel 3
EB1ALSW1(config-if)#switchport mode trunk
EB1ALSW1(config-if)#switchport trunk native vlan 6
EB1ALSW1(config-if)#exit
Configure Etherchannel on EB1ALSW2
EB1ALSW2(config)#int range f0/1-2
EB1ALSW2(config-if-range)#channel-group 2 mode active
Creating a port-channel interface Port-channel 2
EB1ALSW2(config-if-range)#exit
EB1ALSW2(config)#int port-channel 2
EB1ALSW2(config-if)#switchport mode trunk
EB1ALSW2(config-if)#switchport trunk native vlan 6
EB1ALSW2(config-if)#exit
EB1ALSW2(config)#int range f0/3-4
EB1ALSW2(config-if-range)#channel-group 3 mode desirable
Creating a port-channel interface Port-channel 3
EB1ALSW2(config)#int port-channel 3
EB1ALSW2(config-if)#switchport mode trunk
EB1ALSW2(config-if)#switchport trunk native vlan 6
EB1ALSW2(config-if)#exit
To view the EtherChannel summary:
EB1ALSW1#show etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port
Number of channel-groups in use: 2
Number of aggregators: 2
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------
1      Po1(SU)       LACP        Fa0/1(P) Fa0/2(P)
3      Po3(SU)       PAgP        Fa0/3(P) Fa0/4(P)
Task 6: Configure Spanning-Tree Protocol
a. Configure Rapid PVST+ on EB1DLSW, EB1ALSW1, EB1ALSW2
EB1DLSW
EB1DLSW(config)#spanning-tree mode rapid-pvst
EB1ALSW1
EB1ALSW1(config)#spanning-tree mode rapid-pvst
EB1ALSW1(config)#spanning-tree vlan 2,4 root primary
EB1ALSW1(config)#spanning-tree vlan 3,5 root secondary
EB1ALSW2
EB1ALSW2(config)#spanning-tree mode rapid-pvst
EB1ALSW2(config)#spanning-tree vlan 3,5 root primary
EB1ALSW2(config)#spanning-tree vlan 2,4 root secondary
b. Configure PortFast and BPDU Guard on the active EB1ALSW1 and EB1ALSW2 switch access ports
EB1ALSW1
EB1ALSW1(config)#int range f0/5-6, f0/9
EB1ALSW1(config-if-range)#spanning-tree portfast
EB1ALSW1(config-if-range)#spanning-tree bpduguard enable
EB1ALSW2
EB1ALSW2(config)#int range f0/5-6
EB1ALSW2(config-if-range)#spanning-tree portfast
EB1ALSW2(config-if-range)#spanning-tree bpduguard enable
Task 7: Configure full mesh Frame Relay between WB1, WB2 and WB3
Frame Relay DLCI Mapping (Point-to-Point)
Branch pair   DLCI (local / remote)   IP Address Space   Addresses
WB1 - WB2     102 / 201               172.16.3.0/30      WB1 .1, WB2 .2
WB1 - WB3     103 / 301               172.16.3.4/30      WB1 .5, WB3 .6
WB2 - WB3     104 / 401               172.16.3.8/30      WB2 .9, WB3 .10
Step 1: Configure and activate the Serial 0/0/0 interface on WB1
Configure the interface with the following information:
IP Address
Frame Relay encapsulation
Mappings to WB2 and WB3
WB1(config)#int Se0/0/0
WB1(config-if)#encapsulation frame-relay
WB1(config-if)#no shutdown
WB1(config-if)#exit
WB1(config)#int Se0/0/0.1 point-to-point
WB1(config-subif)# description WB1 -> WB2
WB1(config-subif)# ip address 172.16.3.1 255.255.255.252
WB1(config-subif)# frame-relay interface-dlci 102
WB1(config-subif)#exit
WB1(config)#int Se0/0/0.2 point-to-point
WB1(config-subif)# description WB1 -> WB3
WB1(config-subif)# ip address 172.16.3.5 255.255.255.252
WB1(config-subif)# frame-relay interface-dlci 103
WB1(config-subif)#exit
Return to privileged EXEC and issue the show frame-relay map command to verify the mapping.
Step 2: Configure and activate the Serial 0/0/0 interface on WB2
Configure the interface with the following information:
IP Address
Frame Relay encapsulation
Mappings to WB1 and WB3
WB2(config)#int Se0/0/0
WB2(config-if)#encapsulation frame-relay
WB2(config-if)#no shutdown
WB2(config-if)#exit
WB2(config)#int Se0/0/0.1 point-to-point
WB2(config-subif)# description WB2 -> WB1
WB2(config-subif)# ip address 172.16.3.2 255.255.255.252
WB2(config-subif)# frame-relay interface-dlci 201
WB2(config-subif)#exit
WB2(config)#int Se0/0/0.2 point-to-point
WB2(config-subif)# description WB2 -> WB3
WB2(config-subif)# ip address 172.16.3.9 255.255.255.252
WB2(config-subif)# frame-relay interface-dlci 104
WB2(config-subif)#exit
Return to privileged EXEC and issue the show frame-relay map command to verify the mapping.
Step 3: Configure and activate the Serial 0/0/0 interface on WB3
Configure the interface with the following information:
IP Address
Frame Relay encapsulation
Mappings to WB1 and WB2
WB3(config)#int Se0/0/0
WB3(config-if)#encapsulation frame-relay
WB3(config-if)#no shutdown
WB3(config-if)#exit
WB3(config)#int Se0/0/0.1 point-to-point
WB3(config-subif)# description WB3 -> WB1
WB3(config-subif)# ip address 172.16.3.6 255.255.255.252
WB3(config-subif)# frame-relay interface-dlci 301
WB3(config-subif)#exit
WB3(config)#int Se0/0/0.2 point-to-point
WB3(config-subif)# description WB3 -> WB2
WB3(config-subif)# ip address 172.16.3.10 255.255.255.252
WB3(config-subif)# frame-relay interface-dlci 401
WB3(config-subif)#exit
Return to privileged EXEC and issue the show frame-relay map command to verify the mapping.
Task 8: Configure PPP
- Configure the link between Central and West BR1 with PPP. Configure interface addressing according to information provided in the topology.
- Authenticate the PPP connection with CHAP on both ends of the link.
- Use PTSAchap as the password.
Step 1: Configure router Central
Router(config)#hostname Central
Central(config)#int s0/0/1
Central(config-if)#ip address 172.16.16.1 255.255.255.252
Central(config-if)#clock rate 128000
Central(config-if)#no shutdown
Central(config-if)#exit
Central(config)#username WB1 password PTSAchap
Central(config)#int s0/0/1
Central(config-if)#encapsulation ppp
Central(config-if)#ppp authentication chap
Central(config-if)#ppp pap sent-username Central password PTSAchap
Step 2: Configure router West BR1
WB1(config)#int s0/0/1
WB1(config-if)#ip address 172.16.16.2 255.255.255.252
WB1(config-if)#no shutdown
WB1(config-if)#exit
WB1(config)#username Central password PTSAchap
WB1(config)#int s0/0/1
WB1(config-if)#encapsulation ppp
WB1(config-if)#ppp authentication chap
WB1(config-if)#ppp pap sent-username WB1 password PTSAchap
Task 9: Configure HDLC
- Configure the link between Central and East BR1 with HDLC. Configure interface addressing according to the information provided in the topology.
Step 1: Configure router Central
Central(config)#int s0/0/0
Central(config-if)#ip address 172.16.16.5 255.255.255.252
Central(config-if)#clock rate 128000
Central(config-if)#encapsulation hdlc
Central(config-if)#no shutdown
Central(config-if)#exit
Step 2: Configure router EB1
EB1(config)#int s0/0/0
EB1(config-if)#ip address 172.16.16.6 255.255.255.252
EB1(config-if)#encapsulation hdlc
EB1(config-if)#no shutdown
Task 10: Configure OSPF
- Configure multi-area OSPFv2 to route between all internal networks. Use a process ID of 1.
- Use the area numbers shown in the topology.
- Use the correct wild card masks for all network statements.
- Prevent routing updates from being sent to the LANs.
- Configure OSPF MD5 authentication on the Central-EB1 link and on the Central-WB1 link:
o Use a key value of 1.
o Use xyz_OSPF as the password.
o Apply MD5 authentication to the required interfaces.
Configure OSPF on router Central
Central(config)#router ospf 1
Central(config-router)#network 172.16.6.0 0.0.0.3 area 0
Central(config-router)#network 172.16.6.4 0.0.0.3 area 0
Central(config-router)#network 172.16.16.0 0.0.0.3 area 0
Central(config-router)#network 172.16.16.4 0.0.0.3 area 0
Central(config-router)#exit
Configure OSPF on router EB1
EB1(config)#router ospf 1
EB1(config-router)#network 172.16.1.0 0.0.0.31 area 1
EB1(config-router)#network 172.16.1.32 0.0.0.31 area 1
EB1(config-router)#network 172.16.1.64 0.0.0.31 area 1
EB1(config-router)#network 172.16.1.96 0.0.0.31 area 1
EB1(config-router)#network 172.16.1.128 0.0.0.15 area 1
EB1(config-router)#network 172.16.1.160 0.0.0.15 area 1
EB1(config-router)#network 172.16.16.4 0.0.0.3 area 0
EB1(config-router)#passive-interface g0/0.1
EB1(config-router)#passive-interface g0/0.2
EB1(config-router)#passive-interface g0/0.3
EB1(config-router)#passive-interface g0/0.4
EB1(config-router)#passive-interface g0/0.5
EB1(config-router)#passive-interface g0/0.6
Configure OSPF on router RnD-R1
RnD-R1(config)#router ospf 1
RnD-R1(config-router)#network 172.16.5.0 0.0.0.255 area 0
RnD-R1(config-router)#network 172.16.6.0 0.0.0.3 area 0
RnD-R1(config-router)#passive-interface f0/0
Configure OSPF on router RnD-R2
RnD-R2(config)#router ospf 1
RnD-R2(config-router)#network 172.16.5.0 0.0.0.255 area 0
RnD-R2(config-router)#network 172.16.6.4 0.0.0.3 area 0
RnD-R2(config-router)#passive-interface f0/0
Configure OSPF on router WB1
WB1(config)#router ospf 1
WB1(config-router)#network 172.16.2.0 0.0.0.63 area 2
WB1(config-router)#network 172.16.3.0 0.0.0.3 area 2
WB1(config-router)#network 172.16.3.4 0.0.0.3 area 2
WB1(config-router)#network 172.16.16.0 0.0.0.3 area 0
WB1(config-router)#passive-interface g0/0
Configure OSPF on router WB2
WB2(config)#router ospf 1
WB2(config-router)#network 172.16.3.0 0.0.0.3 area 2
WB2(config-router)#network 172.16.3.8 0.0.0.3 area 2
WB2(config-router)#network 172.16.4.0 0.0.0.31 area 2
WB2(config-router)#passive-interface g0/0
Configure OSPF on router WB3
WB3(config)#router ospf 1
WB3(config-router)#network 172.16.3.4 0.0.0.3 area 2
WB3(config-router)#network 172.16.3.8 0.0.0.3 area 2
WB3(config-router)#network 172.16.8.0 0.0.0.255 area 2
WB3(config-router)#network 172.16.9.0 0.0.0.255 area 2
WB3(config-router)#passive-interface g0/0
WB3(config-router)#passive-interface g0/1
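Getting the wildcard masks right is the error-prone part of Task 10. The following added Python example (not part of the lab) derives the wildcard mask for each subnet with the ipaddress module, generates the matching network statement, and audits a set of statements against the expected subnets and areas. It rejects the two classic mistakes: using the subnet mask instead of the wildcard, and giving a host address instead of the subnet address. The expected subnets are those EB1 advertises on this page; the faulty statements are constructed for illustration.

```python
import ipaddress
import re

NETWORK_RE = re.compile(r"^\s*network\s+(\S+)\s+(\S+)\s+area\s+(\d+)\s*$")

# EB1's subnets and areas as configured on this page (masks from the g0/0 subinterfaces).
EB1_EXPECTED = {
    "172.16.1.0/27": 1, "172.16.1.32/27": 1, "172.16.1.64/27": 1, "172.16.1.96/27": 1,
    "172.16.1.128/28": 1, "172.16.1.160/28": 1, "172.16.16.4/30": 0,
}

# The statements entered on EB1 in Task 10.
EB1_STATEMENTS = [
    "network 172.16.1.0 0.0.0.31 area 1", "network 172.16.1.32 0.0.0.31 area 1",
    "network 172.16.1.64 0.0.0.31 area 1", "network 172.16.1.96 0.0.0.31 area 1",
    "network 172.16.1.128 0.0.0.15 area 1", "network 172.16.1.160 0.0.0.15 area 1",
    "network 172.16.16.4 0.0.0.3 area 0",
]

# Constructed faulty statements: subnet mask instead of wildcard, host address, wrong area.
FAULTY_STATEMENTS = [
    "network 172.16.1.64 255.255.255.224 area 1",
    "network 172.16.1.130 0.0.0.15 area 1",
    "network 172.16.16.4 0.0.0.3 area 1",
]


def wildcard_for(cidr):
    """Inverse mask IOS expects in a 'network' statement for this prefix."""
    return str(ipaddress.ip_network(cidr, strict=True).hostmask)


def network_statement(cidr, area):
    """Build the 'network <address> <wildcard> area <n>' line for a subnet."""
    net = ipaddress.ip_network(cidr, strict=True)
    return f"network {net.network_address} {net.hostmask} area {area}"


def parse_network_statement(line):
    """Return (IPv4Network, area) for a statement, or raise ValueError saying why it is wrong."""
    m = NETWORK_RE.match(line)
    if not m:
        raise ValueError(f"not a network statement: {line!r}")
    addr = ipaddress.IPv4Address(m.group(1))
    wild = int(ipaddress.IPv4Address(m.group(2)))
    # A wildcard is a run of zero bits followed by a run of one bits (0.0.0.31 = 0b11111);
    # a subnet mask such as 255.255.255.224 fails this test.
    if wild & (wild + 1):
        raise ValueError(f"{m.group(2)} is not a wildcard mask (subnet mask used instead?)")
    prefix = 32 - wild.bit_length()
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    if net.network_address != addr:
        raise ValueError(f"{addr} is not the subnet address of {net}")
    return net, int(m.group(3))


def audit_network_statements(lines, expected):
    """Compare statements with expected {cidr: area}; returns lists per finding type."""
    expected_nets = {ipaddress.ip_network(c): a for c, a in expected.items()}
    report = {"ok": [], "wrong_area": [], "unexpected": [], "missing": [], "errors": []}
    seen = set()
    for line in lines:
        if not line.strip().startswith("network"):
            continue
        try:
            net, area = parse_network_statement(line)
        except ValueError as exc:
            report["errors"].append(str(exc))
            continue
        if net not in expected_nets:
            report["unexpected"].append(str(net))
        elif expected_nets[net] != area:
            report["wrong_area"].append((str(net), area, expected_nets[net]))
        else:
            report["ok"].append(str(net))
        seen.add(net)
    report["missing"] = [str(n) for n in expected_nets if n not in seen]
    return report


if __name__ == "__main__":
    for cidr, area in EB1_EXPECTED.items():
        print(network_statement(cidr, area))
    print(audit_network_statements(FAULTY_STATEMENTS, EB1_EXPECTED))
```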
Configure OSPF MD5 Authentication between Central and EB1 link
Central(config)#int s0/0/0
Central(config-if)#ip ospf message-digest-key 1 md5 xyz_OSPF
Central(config-if)#ip ospf authentication message-digest
Central(config-if)#exit
EB1(config)#int s0/0/0
EB1(config-if)#ip ospf message-digest-key 1 md5 xyz_OSPF
EB1(config-if)#ip ospf authentication message-digest
EB1(config-if)#exit
Use the show ip ospf interface command to view the authentication type configured for an interface, as this output shows. Here, the Serial 0/0/0 interface has been configured for MD5 authentication with key ID "1".
EB1#show ip ospf interface s0/0/0
Serial0/0/0 is up, line protocol is up
Internet address is 172.16.16.6/30, Area 0
Process ID 1, Router ID 172.16.16.6, Network Type POINT-TO-POINT, Cost: 64
Transmit Delay is 1 sec, State POINT-TO-POINT, Priority 0
No designated router on this network
No backup designated router on this network
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:07
Index 7/7, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 209.165.200.242
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1
Configure OSPF MD5 Authentication between Central and WB1 link
Central(config)#int s0/0/1
Central(config-if)#ip ospf message-digest-key 1 md5 xyz_OSPF
Central(config-if)#ip ospf authentication message-digest
Central(config-if)#exit
WB1(config)#int s0/0/1
WB1(config-if)#ip ospf message-digest-key 1 md5 xyz_OSPF
WB1(config-if)#ip ospf authentication message-digest
WB1(config-if)#exit
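What the two ip ospf commands above turn on is OSPFv2 cryptographic authentication (RFC 2328, Appendix D.3): the sender appends MD5(packet || zero-padded key) to every OSPF packet and carries the key ID and a sequence number in the header. The following is an added example, not part of the lab; it builds a minimal Hello, signs it with the lab's key ID 1 and key xyz_OSPF, and shows which receive-side checks reject a wrong key, a wrong key ID, a modified packet and a replayed sequence number.

```python
"""OSPFv2 cryptographic authentication (RFC 2328 D.3), the mechanism behind
'ip ospf authentication message-digest'. Added example, not lab code."""
import hashlib
import hmac
import socket
import struct

AUTH_CRYPTO = 2     # AuType 2: cryptographic authentication
DIGEST_LEN = 16     # MD5 digest appended after the packet, not counted in its length
HDR_LEN = 24

def pad_key(key):
    # The key is zero-padded to 16 bytes before being appended for hashing
    raw = key.encode()
    if len(raw) > 16:
        raise ValueError("OSPF MD5 keys are at most 16 bytes")
    return raw.ljust(16, b"\x00")

def ospf_header(length, router_id, area_id, key_id, seq):
    # Version 2, type 1 (Hello), checksum 0 (unused with AuType 2), then the
    # 8-byte authentication field: zero, key ID, auth data length, sequence number
    return (struct.pack("!BBH4s4sHH", 2, 1, length, router_id, area_id, 0, AUTH_CRYPTO)
            + struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq))

def hello_body(mask, hello, dead, priority=0):
    # Network mask, hello interval, options, priority, dead interval, DR, BDR
    return struct.pack("!4sHBBI4s4s", mask, hello, 0, priority, dead, b"\0" * 4, b"\0" * 4)

def sign_packet(body, router_id, area_id, key_id, key, seq):
    pkt = ospf_header(HDR_LEN + len(body), router_id, area_id, key_id, seq) + body
    return pkt + hashlib.md5(pkt + pad_key(key)).digest()

def verify_packet(wire, keys, last_seq):
    """keys: {key_id: key} configured on the receiving interface; last_seq: last
    accepted sequence number from this neighbor (None if unknown). Returns (ok, reason)."""
    if len(wire) < HDR_LEN + DIGEST_LEN:
        return False, "too short"
    length = struct.unpack("!H", wire[2:4])[0]
    autype = struct.unpack("!H", wire[14:16])[0]
    _, key_id, auth_len, seq = struct.unpack("!HBBI", wire[16:24])
    if autype != AUTH_CRYPTO or auth_len != DIGEST_LEN or length + DIGEST_LEN != len(wire):
        return False, "auth type or length mismatch"
    if key_id not in keys:
        return False, "unknown key id"          # both ends must agree on the key ID
    pkt, digest = wire[:length], wire[length:]
    expected = hashlib.md5(pkt + pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(digest, expected):
        return False, "bad digest"              # wrong key or modified packet
    if last_seq is not None and seq < last_seq:
        return False, "replayed sequence number"
    return True, "ok"

def demo():
    # Values from the lab: EB1 Serial0/0/0, router ID 172.16.16.6, area 0, key ID 1
    rid, area = socket.inet_aton("172.16.16.6"), b"\x00" * 4
    body = hello_body(socket.inet_aton("255.255.255.252"), 10, 40)
    wire = sign_packet(body, rid, area, 1, "xyz_OSPF", 1000)
    tampered = bytearray(wire)
    tampered[30] ^= 0x02            # flip a bit in the Hello options byte
    return {
        "good": verify_packet(wire, {1: "xyz_OSPF"}, None),
        "wrong_key": verify_packet(wire, {1: "not_the_key"}, None),
        "wrong_key_id": verify_packet(wire, {2: "xyz_OSPF"}, None),
        "tampered": verify_packet(bytes(tampered), {1: "xyz_OSPF"}, None),
        "replayed": verify_packet(wire, {1: "xyz_OSPF"}, 1001),
    }
```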
Verify OSPF Configuration and examine routing table
Return to privileged EXEC and issue the following commands to verify OSPF configuration.
show run
show ip ospf neighbor
show ip route
Configure EIGRP
Activate Serial Interface and Configure EIGRP on router WB3
WB3(config)#int Se0/0/1
WB3(config-if)#ip address 192.168.1.1 255.255.255.252
WB3(config-if)#clock rate 128000
WB3(config-if)#no shutdown
WB3(config-if)#exit
WB3(config)#router eigrp 65001
WB3(config-router)# network 192.168.1.0
WB3(config-router)# no auto-summary
WB3(config-router)#exit
Activate Serial Interface and Configure EIGRP on router TweetLinks
TweetLinks(config)#int Se0/0/0
TweetLinks(config-if)#ip address 192.168.1.2 255.255.255.252
TweetLinks(config-if)#no shutdown
TweetLinks(config-if)#exit
TweetLinks(config)#router eigrp 65001
TweetLinks(config-router)# network 192.168.1.0
TweetLinks(config-router)# network 192.168.2.0
TweetLinks(config-router)# no auto-summary
TweetLinks(config-router)#exit
Verify EIGRP Configuration on router WB3 and TweetLinks and examine routing table
Return to privileged EXEC and issue the following commands to verify EIGRP configuration.
show run
show ip eigrp neighbors
show ip eigrp topology
show ip route
At this point you should not be able to see any OSPF routes on the TweetLinks router. You need to configure mutual redistribution on WB3.
Configure Mutual Redistribution
Examine EIGRP Metric values on EIGRP interface
WB3#show interfaces s0/0/1
Serial0/0/1 is up, line protocol is up (connected)
Hardware is HD64570
Internet address is 192.168.1.1/30
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation HDLC, loopback not set, keepalive set (10 sec)
-----------------------Output Omitted-----------------------
Configure mutual redistribution in router WB3
WB3(config)#router eigrp 65001
WB3(config-router)#redistribute ospf 1 metric 1544 2000 255 1 1500
WB3(config-router)#exit
WB3(config)#router ospf 1
WB3(config-router)# redistribute eigrp 65001 subnets
TweetLinks(config-router)#exit
Examine routing table changes
Return to privileged EXEC and issue show ip route command and examine changes in the routing table. You should now be able to see all the OSPF routes in router TweetLinks and EIGRP routes in Central and WB3 as well.
TweetLinks#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 18 subnets, 5 masks
D EX 172.16.1.0/27 [170/2681856] via 192.168.1.1, 00:00:25, Serial0/0/0
D EX 172.16.1.32/27 [170/2681856] via 192.168.1.1, 00:00:25, Serial0/0/0
D EX 172.16.16.0/30 [170/2681856] via 192.168.1.1, 00:00:23, Serial0/0/0
----------------------------Output Omitted-------------------------
D EX 172.16.16.4/30 [170/2681856] via 192.168.1.1, 00:00:23, Serial0/0/0
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Serial0/0/0
C 192.168.2.0/24 is directly connected, FastEthernet0/0
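The 2681856 shown for every D EX route above is not arbitrary: it is the EIGRP classic composite metric built from the seed values on WB3's redistribute command (bandwidth 1544 Kbit, delay 2000 tens of microseconds) plus the delay of TweetLinks' own Serial0/0/0. The following is an added worked example, not part of the lab, that reproduces that number with the default K values.

```python
"""EIGRP classic composite metric with default K values, applied to the lab's
numbers. Added example, not lab code."""

def eigrp_metric(min_bw_kbit, total_delay_tens_usec, k1=1, k2=0, k3=1, k4=0, k5=0,
                 load=1, reliability=255):
    # Classic 32-bit metric; with defaults it reduces to 256 * (10^7 / BW + delay).
    # IOS truncates the bandwidth term to an integer before adding the delay.
    bw = 10_000_000 // min_bw_kbit
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * total_delay_tens_usec
    if k5 != 0:
        metric = metric * k5 // (reliability + k4)
    return metric * 256

def from_show_interfaces(bw_kbit, dly_usec):
    # 'show interfaces' prints BW in Kbit and DLY in microseconds; EIGRP counts delay
    # in tens of microseconds, which is why DLY 20000 usec becomes 2000 in the seed
    return bw_kbit, dly_usec // 10

def path_metric(seed, inbound_hops):
    """seed: (bw_kbit, delay_tens_usec) announced by the redistributing router.
    inbound_hops: (bw, delay) of each interface the route is received on, in order.
    Bandwidth is the minimum along the path; delay is accumulated hop by hop."""
    min_bw, delay = seed
    for bw, dly in inbound_hops:
        min_bw = min(min_bw, bw)
        delay += dly
    return eigrp_metric(min_bw, delay)

def route_entry(external, metric):
    # Redistributed routes are EIGRP external (D EX) with AD 170; internal routes use AD 90
    return (170 if external else 90, metric)

# Lab path: WB3 seeds (1544, 2000) on 'redistribute ospf 1 metric 1544 2000 255 1 1500';
# TweetLinks receives the routes on Serial0/0/0 (BW 1544 Kbit, DLY 20000 usec)
SEED = (1544, 2000)
TWEETLINKS_S000 = from_show_interfaces(1544, 20000)

if __name__ == "__main__":
    print(route_entry(True, path_metric(SEED, [TWEETLINKS_S000])))   # (170, 2681856)
```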
Central#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 23 subnets, 6 masks
O IA 172.16.1.0/27 [110/65] via 172.16.16.6, 00:11:12, Serial0/0/0
----------------------------Output Omitted---------------------
O E2 192.168.1.0/30 [110/20] via 172.16.16.2, 00:00:10, Serial0/0/1
O E2 192.168.2.0/24 [110/20] via 172.16.16.2, 00:00:10, Serial0/0/1
209.165.200.0/24 is variably subnetted, 2 subnets, 2 masks
C 209.165.200.240/29 is directly connected, Serial0/1/0
Configure Static and Default Route
Configure Default Route to ISP on router Central
Central(config)# ip route 0.0.0.0 0.0.0.0 209.165.200.241
Redistribute Default Route
Central(config)# router ospf 1
Central(config-router)# default-information originate
Central(config-router)# exit
Configure Default Route to ISP on router Data-Center
Data-Center(config)# ip route 0.0.0.0 0.0.0.0 209.165.200.225
Configure Static Route to Data-Center on router ISP
ISP(config)#ip route 209.165.200.232 255.255.255.248 209.165.200.226
Configure ACL on Router ISP
ISP(config)#ip access-list standard RST-PRIVATE
ISP(config-std-nacl)#remark Restrict Class A Private
ISP(config-std-nacl)#deny 10.0.0.0 0.255.255.255
ISP(config-std-nacl)#remark Restrict Class B Private
ISP(config-std-nacl)#deny 172.16.0.0 0.15.255.255
ISP(config-std-nacl)#remark Restrict Class C Private
ISP(config-std-nacl)#deny 192.168.0.0 0.0.255.255
ISP(config-std-nacl)#remark Allow All Other IP
ISP(config-std-nacl)#permit any
ISP(config-std-nacl)#exit
ISP(config)#int s0/0/0
ISP(config-if)#ip access-group RST-PRIVATE in
ISP(config-if)#exit
ISP(config)#int s0/0/1
ISP(config-if)#ip access-group RST-PRIVATE in
ISP(config-if)#exit
Configure PAT on router Central
Define an access list named NAT-SOURCE that will match the inside private IP addresses
The NAT ACL must not translate the Central LAN addresses if they are destined to the Data-Center LAN. This will be required when the IPsec VPN is configured.
Central(config)#ip access-list extended NAT-SOURCE
Central(config-ext-nacl)#remark Do not translate Central LAN to Data Center LAN
Central(config-ext-nacl)#deny ip 172.16.0.0 0.0.255.255 10.10.0.0 0.0.255.255
Central(config-ext-nacl)#deny ip 192.168.0.0 0.0.255.255 10.10.0.0 0.0.255.255
Central(config-ext-nacl)#remark Translate Central LAN to all other internet destinations
Central(config-ext-nacl)#permit ip 172.16.0.0 0.0.255.255 any
Central(config-ext-nacl)#permit ip 192.168.0.0 0.0.255.255 any
Central(config-ext-nacl)#exit
Configure NAT Overload
Central(config)#ip nat inside source list NAT-SOURCE interface s0/1/0 overload
Specify the interfaces
The active interfaces on the router need to be identified as either inside or outside interfaces with respect to NAT. To do this, use the ip nat inside or ip nat outside command.
Central(config)#int s0/0/0
Central(config-if)#ip nat inside
Central(config-if)#exit
Central(config)#int s0/0/1
Central(config-if)#ip nat inside
Central(config-if)#exit
Central(config)#int s0/1/1
Central(config-if)#ip nat inside
Central(config-if)#exit
Central(config)#int s0/2/0
Central(config-if)#ip nat inside
Central(config-if)#exit
Central(config)#int s0/1/0
Central(config-if)#ip nat outside
Central(config-if)#exit
Configure Dynamic NAT on router Data-Center
Define the pool of usable public IP addresses
Data-Center(config)#ip nat pool NAT-POOL 209.165.200.235 209.165.200.238 netmask 255.255.255.248
Define an access list named NAT-SOURCE that will match the inside private IP addresses
The NAT ACL must not translate the Data-Center LAN addresses if they are destined to the Central LAN. This will be required when the IPsec VPN is configured.
Data-Center(config)#ip access-list extended NAT-SOURCE
Data-Center(config-ext-nacl)#remark Do not translate Data Center LAN to Central LAN
Data-Center(config-ext-nacl)#deny ip 10.10.0.0 0.0.255.255 172.16.0.0 0.0.255.255
Data-Center(config-ext-nacl)#deny ip 10.10.0.0 0.0.255.255 192.168.0.0 0.0.255.255
Data-Center(config-ext-nacl)#remark Translate Data-Center to all internet destinations
Data-Center(config-ext-nacl)#permit ip 10.10.0.0 0.0.255.255 any
Data-Center(config-ext-nacl)#exit
Configure NAT
Data-Center(config)#ip nat inside source list NAT-SOURCE pool NAT-POOL overload
Specify the interfaces
The active interfaces on the router need to be identified as either inside or outside interfaces with respect to NAT. To do this, use the ip nat inside or ip nat outside command.
Data-Center(config)#int range g0/0-1
Data-Center(config-if-range)#ip nat inside
Data-Center(config-if-range)#exit
Data-Center(config)#int s0/0/0
Data-Center(config-if)#ip nat outside
Data-Center(config-if)#exit
Configure Static Mapping on router Data-Center for Corporate Web Server
Data-Center(config)#ip nat inside source static 10.10.20.238 209.165.200.233
Configure HSRP
Configure HSRP group 1 on RnD-R1 and RnD-R2 using 172.16.5.1 as the standby virtual IP address. By default, Packet Tracer supports HSRP version 2. RnD-R1 will be configured as the Active HSRP default-gateway and RnD-R2 will be configured as Standby. Preemption is configured on both routers.
RnD-R1
RnD-R1(config)#int f0/0
RnD-R1(config-if)#standby 1 ip 172.16.5.1
RnD-R1(config-if)#standby 1 preempt
RnD-R1(config-if)#exit
RnD-R2
RnD-R2(config)#int f0/0
RnD-R2(config-if)#standby 1 ip 172.16.5.1
RnD-R2(config-if)#standby 1 preempt
RnD-R2(config-if)#standby 1 priority 95
RnD-R2(config-if)#exit
After a few moments, use the show standby and show standby brief commands on RnD-R1 and RnD-R2 to verify that HSRP is operating correctly. RnD-R1 should be the Active router and RnD-R2 should be Standby.
RnD-R1#show standby
FastEthernet0/0 - Group 1 (version 2)
State is Active
5 state changes, last state change 01:22:13
Virtual IP address is 172.16.5.1
Active virtual MAC address is 0000.0C9F.F001
Local virtual MAC address is 0000.0C9F.F001 (v2 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.867 secs
Preemption enabled
Active router is local
Standby router is 172.16.5.3
Priority 100 (default 100)
Group name is hsrp-Fa0/0-1 (default)
RnD-R2#show standby brief
P indicates configured to preempt.
Interface   Grp  Pri  P  State    Active       Standby  Virtual IP
Fa0/0       1    95   P  Standby  172.16.5.2   local    172.16.5.1
Configure Site-to-Site VPN between Central and Data-Center
ISAKMP Phase 1 Policy Parameters
Parameters               Options                  Central            Data-Center
Key distribution method  Manual or ISAKMP         ISAKMP (default)   ISAKMP (default)
Encryption algorithm     DES, 3DES, or AES        AES                AES
Hash algorithm           MD5 or SHA-1             SHA-1 (default)    SHA-1 (default)
Authentication method    Pre-shared keys or RSA   pre-share          pre-share
Key exchange             DH Group 1, 2, or 5      DH 2               DH 2
IKE SA Lifetime          86400 seconds or less    86400 (default)    86400 (default)
ISAKMP Key                                        cisco              cisco
Bolded parameters are defaults (marked "(default)" above). Other parameters need to be explicitly configured.
IPsec Phase 2 Policy Parameters
Parameters        Central           Data-Center
Transform Set     VPN-SET           VPN-SET
Peer Hostname     Data-Center       Central
Peer IP Address   209.165.200.226   209.165.200.242
Crypto Map Name   VPN-MAP           VPN-MAP
SA Establishment  ipsec-isakmp      ipsec-isakmp
Part 1: Enable Security Features
Step 1: Activate securityk9 module
a) Issue the show version command in the user EXEC or privileged EXEC mode to verify that the Security Technology Package license is activated.
Technology Package License Information for Module:'c2900'
-----------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
-----------------------------------------------------------
ipbase        ipbasek9      Permanent      ipbasek9
security      None          None           None
uc            None          None           None
data          None          None           None
Configuration register is 0x2102
b) If not, activate the securityk9 module for the next boot of the router, accept the license, save the configuration, and reboot.
Central(config)#license boot module c2900 technology-package securityk9
Central(config)#exit
Central#write
Central#reload
c) After the reloading is completed, issue the show version again to verify the Security Technology Package license activation.
Technology Package License Information for Module:'c2900'
-----------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
-----------------------------------------------------------
ipbase        ipbasek9      Permanent      ipbasek9
security      securityk9    Evaluation     securityk9
uc            None          None           None
data          None          None           None
d) Repeat Steps 1a to 1c with Data-Center Router.
Part 2: Configure IPSec Parameters on router Central
Step 1: Identify Interesting Traffic on router Central
Configure an ACL that identifies traffic from the LAN on Central to the LAN on Data-Center as interesting. This interesting traffic triggers the IPsec VPN whenever there is traffic between the Central and Data-Center LANs. All other traffic sourced from the LANs is not encrypted.
Central(config)#ip access-list extended Central-VPN-ACL
Central(config-ext-nacl)#permit ip 172.16.0.0 0.0.255.255 10.10.0.0 0.0.255.255
Central(config-ext-nacl)#permit ip 192.168.0.0 0.0.255.255 10.10.0.0 0.0.255.255
Central(config-ext-nacl)#exit
Step 2: Configure the ISAKMP Phase 1 properties on router Central
The ISAKMP policy specifies the initial VPN security details. Configure the crypto ISAKMP policy 1 properties on router Central along with the shared crypto key cisco. Refer to the ISAKMP Phase 1 table for the specific parameters to configure. Default values do not have to be configured; therefore only the encryption algorithm, the authentication method (pre-shared key) and the DH group must be configured.
Central(config)#crypto isakmp policy 1
Central(config-isakmp)#encryption aes
Central(config-isakmp)#authentication pre-share
Central(config-isakmp)#group 2
Central(config-isakmp)#exit
Central(config)#crypto isakmp key cisco address 209.165.200.226
Step 3: Configure the ISAKMP Phase 2 properties on router Central
Transform-set specifies how the IPSec packet will be encapsulated. Create the transform-set VPN-SET to use esp-3des and esp-sha-hmac. Then create the crypto map VPN-MAP that binds all of the Phase 2 parameters together. Use sequence number 10 and identify it as an ipsec-isakmp map.
Central(config)#crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
Central(config)#crypto map VPN-MAP 10 ipsec-isakmp
Central(config-crypto-map)#description VPN Connection to Data Center
Central(config-crypto-map)#set peer 209.165.200.226
Central(config-crypto-map)#set transform-set VPN-SET
Central(config-crypto-map)#match address Central-VPN-ACL
Central(config-crypto-map)#exit
Step 4: Configure the crypto map on the outgoing interface
Finally, bind the VPN-MAP crypto map to the outgoing Serial 0/1/0 interface.
Central(config)#int s0/1/0
Central(config-if)#crypto map VPN-MAP
Central(config-if)#exit
Part 3: Configure IPSec Parameters on router Data-Center
Step 1: Identify Interesting Traffic on router Data-Center
Data-Center(config)#ip access-list extended DC-VPN-ACL
Data-Center(config-ext-nacl)#permit ip 10.10.0.0 0.0.255.255 172.16.0.0 0.0.255.255
Data-Center(config-ext-nacl)#permit ip 10.10.0.0 0.0.255.255 192.168.0.0 0.0.255.255
Data-Center(config-ext-nacl)#exit
Step 2: Configure the ISAKMP Phase 1 properties on router Data-Center
Data-Center(config)#crypto isakmp policy 1
Data-Center(config-isakmp)#encryption aes
Data-Center(config-isakmp)#authentication pre-share
Data-Center(config-isakmp)#group 2
Data-Center(config-isakmp)#exit
Data-Center(config)#crypto isakmp key cisco address 209.165.200.242
Step 3: Configure the ISAKMP Phase 2 properties on router Data-Center
Data-Center(config)#crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
Data-Center(config)#crypto map VPN-MAP 10 ipsec-isakmp
Data-Center(config-crypto-map)#description VPN Connection to Central
Data-Center(config-crypto-map)#set peer 209.165.200.242
Data-Center(config-crypto-map)#set transform-set VPN-SET
Data-Center(config-crypto-map)#match address DC-VPN-ACL
Data-Center(config-crypto-map)#exit
Step 4: Configure the crypto map on the outgoing interface
Data-Center(config)#int s0/0/0
Data-Center(config-if)#crypto map VPN-MAP
Data-Center(config-if)#exit
Part 4: Implement GRE over IPSec
Step 1: Configure GRE Tunnel Interface on router Central and Data-Center
A GRE tunnel over IPsec can be implemented between the Data-Center and Central sites. The tunnel will protect all corporate LAN traffic. As a bonus, GRE can forward multicast and broadcast traffic, so dynamic routing can also be enabled.
Central Router
Central(config)#interface Tunnel0
Central(config-if)#ip address 172.16.100.1 255.255.255.252
Central(config-if)#tunnel source s0/1/0
Central(config-if)#tunnel destination 209.165.200.226
Central(config-if)#exit
Data-Center Router
Data-Center(config)#interface Tunnel0
Data-Center(config-if)#ip address 172.16.100.2 255.255.255.252
Data-Center(config-if)#tunnel source s0/0/0
Data-Center(config-if)#tunnel destination 209.165.200.242
Data-Center(config-if)#exit
Verify connectivity across the tunnel by pinging the tunnel destination on the Central router. The pings should be successful.
The pings successfully reach the other side of the tunnel. But is the traffic being encrypted? Display the IPsec VPN specifics.
Central#show crypto session detail
The IPsec VPN is down because the tunnel traffic has not been identified in the crypto ACL. To solve this problem, replace the crypto ACL to make GRE traffic interesting on the Central and Data-Center routers.
Central Router
Central(config)#no ip access-list extended Central-VPN-ACL
Central(config)#ip access-list extended Central-VPN-ACL
Central(config-ext-nacl)#remark Central to DC GRE traffic to trigger VPN
Central(config-ext-nacl)#permit gre host 209.165.200.242 host 209.165.200.226
Central(config-ext-nacl)#exit
Data-Center Router
Data-Center(config)#ip access-list extended DC-VPN-ACL
Data-Center(config-ext-nacl)#remark DC to Central GRE traffic to trigger VPN
Data-Center(config-ext-nacl)#permit gre host 209.165.200.226 host 209.165.200.242
Data-Center(config-ext-nacl)#exit
Ping the link again and display the IPSec Session details.
Central# show crypto session detail
The IPsec tunnel is now up and active. The "permit 47" entry (the permit gre line) identifies GRE traffic as interesting; 47 is the IP protocol number of GRE.
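The three ACLs in this lab that decide what gets filtered, translated or encrypted (RST-PRIVATE on ISP, NAT-SOURCE on Central, and Central-VPN-ACL before and after the GRE change) all follow the same rules: wildcard-mask matching, first match wins, implicit deny at the end. The following added example, not part of the lab, evaluates those ACEs offline and checks the point made in the NAT section: every flow the crypto ACL marks interesting must be denied (left untranslated) by the NAT ACL. The ACEs are copied from the page; the sample flows are constructed.

```python
"""Offline evaluation of the lab's Cisco ACLs. Added example, not lab code."""
import ipaddress

ANY = (ipaddress.IPv4Address(0), ipaddress.IPv4Address("255.255.255.255"))

def _match(addr, base, wildcard):
    # Cisco wildcard mask: a 0 bit means "must match", a 1 bit means "don't care"
    keep = ~int(wildcard) & 0xFFFFFFFF
    return (int(addr) & keep) == (int(base) & keep)

def _addr(t, i):
    # Parse 'any', 'host X' or 'X WILDCARD' starting at token i; return ((base, wc), next)
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (ipaddress.IPv4Address(t[i + 1]), ipaddress.IPv4Address(0)), i + 2
    return (ipaddress.IPv4Address(t[i]), ipaddress.IPv4Address(t[i + 1])), i + 2

def parse_acl(text):
    """ACE lines as typed in the lab; remarks are skipped. Standard ACEs test the
    source only; extended ACEs test protocol, source and destination."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] == "remark":
            continue
        permit = t[0] == "permit"
        if t[1] in ("ip", "gre", "tcp", "udp", "icmp"):
            src, i = _addr(t, 2)
            dst, _ = _addr(t, i)
            entries.append((permit, t[1], src, dst))
        else:
            src, _ = _addr(t, 1)
            entries.append((permit, "ip", src, ANY))
    return entries

def acl_permits(entries, proto, src, dst):
    """First matching ACE decides; no match means the implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for permit, p, (sb, sw), (db, dw) in entries:
        if p in ("ip", proto) and _match(s, sb, sw) and _match(d, db, dw):
            return permit
    return False

def nat_exempts_vpn_traffic(nat_text, crypto_text, flows):
    """Return flows the crypto ACL marks interesting but the NAT ACL still translates.
    PAT would rewrite their source before IPsec sees them, so they would never enter
    the tunnel; this is why NAT-SOURCE starts with the two deny lines."""
    nat, crypto = parse_acl(nat_text), parse_acl(crypto_text)
    return [f for f in flows if acl_permits(crypto, *f) and acl_permits(nat, *f)]

# ACEs from the lab: ISP bogon filter, Central NAT ACL, Central crypto ACL (LAN and GRE forms)
RST_PRIVATE = """deny 10.0.0.0 0.255.255.255
deny 172.16.0.0 0.15.255.255
deny 192.168.0.0 0.0.255.255
permit any"""
NAT_SOURCE = """deny ip 172.16.0.0 0.0.255.255 10.10.0.0 0.0.255.255
deny ip 192.168.0.0 0.0.255.255 10.10.0.0 0.0.255.255
permit ip 172.16.0.0 0.0.255.255 any
permit ip 192.168.0.0 0.0.255.255 any"""
CENTRAL_VPN_ACL = """permit ip 172.16.0.0 0.0.255.255 10.10.0.0 0.0.255.255
permit ip 192.168.0.0 0.0.255.255 10.10.0.0 0.0.255.255"""
CENTRAL_VPN_ACL_GRE = "permit gre host 209.165.200.242 host 209.165.200.226"

# Constructed sample flows: (protocol, source, destination)
FLOWS = [("ip", "172.16.5.10", "10.10.20.238"),   # Central LAN to DC web server
         ("ip", "192.168.2.5", "10.10.10.1"),      # TweetLinks LAN to DC LAN
         ("ip", "172.16.5.10", "203.0.113.5")]     # Central LAN to the Internet
```

With the GRE form of the crypto ACL, a plain LAN-to-LAN packet no longer matches; only the GRE encapsulation between the two peers does, which is why routing across Tunnel0 has to be in place before LAN traffic is protected.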
Now ping from LAN to LAN. The pings are unsuccessful because there is no specific route to the other LAN; the traffic is instead forwarded by the default route, which bypasses the GRE tunnel. The Central router and the Data-Center router must be configured to share each other's LAN information.
Step 2: Configure Dynamic Routing Protocol
Configure EIGRP, and advertise the LANs and the tunnel segment on the Central and Data-Center routers.
Central Router
Central(config)#router eigrp 1
Central(config-router)#network 172.16.100.0 0.0.0.3
Central(config-router)#redistribute ospf 1 metric 1544 2000 255 1 1500
Central(config-router)#no auto-summary
Central(config-router)#exit
Central(config)#router ospf 1
Central(config-router)#redistribute eigrp 1 subnets
Central(config-router)#exit
Data-Center Router
Data-Center(config)#router eigrp 1
Data-Center(config-router)#network 10.10.10.0 0.0.0.255
Data-Center(config-router)#network 10.10.20.0 0.0.0.255
Data-Center(config-router)#network 172.16.100.0 0.0.0.3
Data-Center(config-router)#no auto-summary
Data-Center(config-router)#exit
Now test the LAN-to-LAN connectivity and trace the path that the packets take from the Central LAN to the corporate web server using its inside private address.