Just another Cisco blog
Added Dynamips/GNS3 Page
It will be nicer to have a page dedicated solely to .net files. You can now see them all from the link in the header. Or click here.
There aren’t many files yet, but I promise more will come.
Related Posts:
| Print article | This entry was posted by Colby on December 2, 2009 at 4:26 am, and is filed under Announcement. Follow any responses to this post through RSS 2.0. You can leave a response or trackback from your own site. |
No comments yet.
No trackbacks yet.
OSPF Lab #2 Tasks
about 1 year ago - 5 comments
This is the second OSPF post I’ll be doing for CCIE lab preparation. Today I’m posting the tasks, then tomorrow or the day after (or possibly after the weekend, depending how busy I am) I’ll post the walkthrough. If any of you work on this before the walkthrough, leave a comment.
Here’s the topology:
(Click image for fullsize)
Click here for the initial configs
Here are the tasks:
1. Configure R1, R2 and R3′s S0/0 interfaces in Area 0. Ensure that DR and BDR are elected. Advertise all loopback0s on all routers into OSPF.
2. Configure R1 as the default gateway for all OSPF routers. Do not use the “default-information” command.
3. Configure R6 to use the path through R4 to get to area 0 Do not use any interface level commands to accomplish this.
4. Configure R4 to filter any type 3, 4, 5 and 7 LSAs from entering area 45.
5. Resolve discontigous area issues.
6. R5 is using a low-speed, high cost serial link to connect to R4. Ensure that the link is only used when needed.
7. Filter all loopback0s from entering R2′s RIB. Use a distribute list.
8. Configure loopback IPs 192.168.1.1/24, 192.168.2.1/24, 192.168.3.1/24 and 192.168.4.1/24 on R1. Inject a summary for these networks into OSPF, ensure that R2 and R3 see this summary and no specific routes. Do not use any summarization commands under the OSPF process to accomplish this.
9. Configure area 67 to elect a DR and BDR.
(Some of this might change during the walkthrough)
Here’s the .net file:
The Dynagen/GNS3 .net file
(you will need to change the paths to make it work)
Related Posts:
OSPF Lab #1 Walkthrough
about 1 year ago - 1 comment
This is the walkthrough for OSPF Lab #1.
Here’s the topology:
Click here for the initial configs
Here is task one:
1. Configure R1′s s0/0.102 interface and R2′s s0/0.201 interface in area 12, this area should not receive any Type 5 LSAs. Configure R1′s s0/0.103 interface and R3′s s0/0.301 interface in area 13, R1 should only receive a default route from R3, no other OSPF routes should be in R1′s RIB (from R3). Do not use network statements to accomplish this task.
Config:
R1(config)#interface Serial0/0.102 point-to-point R1(config-subif)#ip ospf 100 area 12 R1(config-subif)# R1(config-subif)#interface Serial0/0.103 point-to-point R1(config-subif)#ip ospf 100 area 13 R1(config-subif)# R1(config-subif)#router ospf 100 R1(config-router)#area 12 stub R1(config-router)#area 13 stub R2(config)#interface Serial0/0.201 point-to-point R2(config-subif)#ip ospf 100 area 12 R2(config-subif)# R2(config-subif)#router ospf 100 R2(config-router)#area 12 stub R3(config)#interface Serial0/0.301 point-to-point R3(config-subif)#ip ospf 100 area 13 R3(config-subif)# R3(config-subif)#router ospf 100 R3(config-router)#area 13 stub no-summary |
Here we configure OSPF 100 under the routers’ interfaces (avoiding network statements). Then we configure R1 and R2′s link/area as a stub. Last we configure R1 and R3′s link/area as a totally stubby area, preventing R3 from sending anything buy a default route to R1.
Task two:
2. Configure R2, R3 and R4′s ethernet interfaces in area 0. R4 and R5′s serial interfaces should be in area 45. Area 45 should not receive any type 5 LSAs. R5 is an ASBR connected to the internet, it should be the default gateway for the entire OSPF domain.
Config:
R2(config)#interface Loopback0 R2(config-if)#ip ospf 100 area 0 R2(config-if)# R2(config-if)#interface FastEthernet0/0 R2(config-if)#ip ospf 100 area 0 R3(config)#interface Loopback0 R3(config-if)#ip ospf 100 area 0 R3(config-if)# R3(config-if)#interface FastEthernet0/0 R3(config-if)#ip ospf 100 area 0 R4(config)#interface Loopback0 R4(config-if)#ip ospf 100 area 0 R4(config-if)# R4(config-if)#interface FastEthernet0/0 R4(config-if)#ip ospf 100 area 0 R4(config-if)# R4(config-if)#interface Serial0/0 R4(config-if)#ip ospf 100 area 45 R4(config-if)# R4(config-if)#router ospf 100 R4(config-router)#area 45 nssa R5(config)#interface Loopback0 R5(config-if)#ip ospf 100 area 45 R5(config-if)# R5(config-if)#interface Serial0/0 R5(config-if)#ip ospf 100 area 45 R5(config-if)# R5(config-if)#router ospf 100 R5(config-router)#area 45 nssa default-information-originate |
This one is long, but pretty basic. We configure the ethernet interfaces and we configure R4 and R5′s link in Area 45. Finally we make area 45 a not so stubby area and tell R5 to originate a default route, which is then propagated throughout the OSPF domain.
Task three:
3. Ensure that all loopbacks are accessible from all routers in the OSPF domain. Ensure that the loopbacks are advertised with their configured masks. Change the OSPF timers on the ethernet segment to be twice as fast as the default.
Config:
R1(config)#interface Loopback0 R1(config-if)#ip ospf network point-to-point R1(config-if)#ip ospf 100 area 12 R2(config)#interface Loopback0 R2(config-if)#ip ospf 100 area 0 R2(config-if)#ip ospf network point-to-point R2(config-if)# R2(config)#interface FastEthernet0/0 R2(config-if)#ip ospf hello-interval 5 R2(config-if)#ip ospf dead-interval 20 R3(config)#interface Loopback0 R3(config-if)#ip ospf 100 area 0 R3(config-if)#ip ospf network point-to-point R3(config-if)# R3(config)#interface FastEthernet0/0 R3(config-if)#ip ospf hello-interval 5 R3(config-if)#ip ospf dead-interval 20 R4(config)#interface Loopback0 R4(config-if)#ip ospf 100 area 0 R4(config-if)#ip ospf network point-to-point R4(config-if)# R4(config)#interface FastEthernet0/0 R4(config-if)#ip ospf hello-interval 5 R4(config-if)#ip ospf dead-interval 20 R5(config)#interface Loopback0 R5(config-if)#ip ospf 100 area 45 R5(config-if)#ip ospf network point-to-point |
For this one we configure all the loopbacks and make sure the OSPF network type is point to point, this causes the correct mask to be advertised. Then on R2, R3, and R4 we change the hello and dead timers to be twice as fast as the default. Note: I did not have to manually set the dead timer as it’s four times the hello timer by default.
Task four:
4. Configure loopback IPs 192.168.1.1/24, 192.168.2.1/24, 192.168.3.1/24 and 192.168.4.1/24 on R3. Inject them into OSPF. These routes should be in Type 5 LSAs. .1.0/24 and .2.0/24 should show a cost of 50, the other two routes’ cost should increment as they travel through the network.
Config:
R3(config)#interface Loopback1 R3(config-if)#ip address 192.168.1.1 255.255.255.0 R3(config-if)# R3(config-if)#interface Loopback2 R3(config-if)#ip address 192.168.2.1 255.255.255.0 R3(config-if)# R3(config-if)#interface Loopback3 R3(config-if)#ip address 192.168.3.1 255.255.255.0 R3(config-if)# R3(config-if)#interface Loopback4 R3(config-if)#ip address 192.168.4.1 255.255.255.0 R3(config-if)# R3(config-if)#ip access-list standard E1_Routes R3(config-std-nacl)#permit 192.168.3.0 0.0.0.255 R3(config-std-nacl)#permit 192.168.4.0 0.0.0.255 R3(config-std-nacl)# R3(config-std-nacl)#ip access-list standard E2_Routes R3(config-std-nacl)#permit 192.168.1.0 0.0.0.255 R3(config-std-nacl)#permit 192.168.2.0 0.0.0.255 R3(config-std-nacl)# R3(config-std-nacl)#route-map Redist_Conn permit 10 R3(config-route-map)#match ip address E1_Routes R3(config-route-map)#set metric-type type-1 R3(config-route-map)# R3(config-route-map)#route-map Redist_Conn permit 20 R3(config-route-map)#match ip address E2_Routes R3(config-route-map)#set metric 50 R3(config-route-map)# R3(config-route-map)#router ospf 100 R3(config-router)#redistribute connected subnets route-map Redist_Conn |
This is a fun one and it’s a bit tricky. The task tells us that two of the routes need to be E1 (default, cost doesn’t increment) and the other two need to be E2 (cost does increment). First we configure the loopbacks, we match .3.0/24 and .4.0/24 in the E1 ACL, then we match the other two in the E2 ACL. Next we configure the first line of our route map to match the E1 ACL and set them to E1 routes, then in the second line we match the other routes and set the cost to 50, notice that we don’t need to set the type here because E2 is the default.
This one we’ll verify:
R4#sh ip route ospf O E2 192.168.1.0/24 [110/50] via 10.2.2.3, 00:57:45, FastEthernet0/0 O E2 192.168.2.0/24 [110/50] via 10.2.2.3, 00:57:45, FastEthernet0/0 O E1 192.168.3.0/24 [110/30] via 10.2.2.3, 00:57:45, FastEthernet0/0 O E1 192.168.4.0/24 [110/30] via 10.2.2.3, 00:57:45, FastEthernet0/0 |
We can see that .1 and .2 are E2 with a cost of 50 while the others are E2 with the cost incrementing.
Task five:
5. Configure the OSPF domain to compensate for gigabit link speeds and calculate cost accordingly. Configure strong authentication between R1 and R3 using the password “cisco”.
Config:
R1(config)#router ospf 100 R1(config-router)#auto-cost reference-bandwidth 1000 R1(config-router)# R1(config-router)#interface Serial0/0.103 point-to-point R1(config-subif)#ip ospf authentication message-digest R1(config-subif)#ip ospf message-digest-key 1 md5 cisco R2(config)#router ospf 100 R2(config-router)#auto-cost reference-bandwidth 1000 R3(config)#router ospf 100 R3(config-router)#auto-cost reference-bandwidth 1000 R3(config-router)# R3(config-router)#interface Serial0/0.301 point-to-point R3(config-subif)#ip ospf authentication message-digest R3(config-subif)#ip ospf message-digest-key 1 md5 cisco R4(config)#router ospf 100 R4(config-router)#auto-cost reference-bandwidth 1000 R5(config)#router ospf 100 R5(config-router)#auto-cost reference-bandwidth 1000 |
Again, pretty basic. We change the reference bandwidth for OSPF and configure authentication between R1 and R3.
That’s it for this one. Please post any thought or mistakes you’ve noticed.
Here’s the .net file:
The Dynagen/GNS3 .net file
(you will need to change the paths to make it work)
Related Posts:
OSPF Lab #1 Tasks
about 1 year ago - 9 comments
This is the first OSPF post I’ll be doing for CCIE lab preparation. Sorry guys, I’ve been slacking with updates. Today I’m posting the tasks, then tomorrow or the day after I’ll post the walkthrough. If any of you work on this before the walkthrough, leave a comment.
Here’s the topology:
Click here for the initial configs
Here are the tasks:
1. Configure R1′s s0/0.102 interface and R2′s s0/0.201 interface in area 12, this area should not receive any Type 5 LSAs. Configure R1′s s0/0.103 interface and R3′s s0/0.301 interface in area 13, R1 should only receive a default route from R3, no other OSPF routes should be in R1′s RIB (from R3). Do not use network statements to accomplish this task.
2. Configure R2, R3 and R4′s ethernet interfaces in area 0. R4 and R5′s serial interfaces should be in area 45. Area 45 should not receive any type 5 LSAs. R5 is an ASBR connected to the internet, it should be the default gateway for the entire OSPF domain.
3. Ensure that all loopbacks are accessible from all routers in the OSPF domain. Ensure that the loopbacks are advertised with their configured masks. Change the OSPF timers on the ethernet segment to be twice as fast as the default.
4. Configure loopback IPs 192.168.1.1/24, 192.168.2.1/24, 192.168.3.1/24 and 192.168.4.1/24 on R3. Inject them into OSPF. These routes should be in Type 5 LSAs. .1.0/24 and .2.0/24 should show a cost of 50, the other two routes’ cost should increment as they travel through the network.
5. Configure the OSPF domain to compensate for gigabit link speeds and calculate cost accordingly. Configure strong authentication between R1 and R3 using the password “cisco”.
Here’s the .net file:
The Dynagen/GNS3 .net file
(you will need to change the paths to make it work)
Related Posts:
EIGRP Lab #1
about 1 year ago - 2 comments
This is the first EIGRP post I’ll be doing for CCIE lab preparation.
I’ve tried to include a lot in this one without making it too long. Here’s the topology:
Click here for the initial configs
Here is task one:
1. Advertise all connected loopbacks into EIGRP AS 100. Ensure that only interfaces connected to other routers will form adjacencies. Do not allow EIGRP to summarize automatically.
Simple stuff:
R1(config)#router eigrp 100 R1(config-router)#passive-interface default R1(config-router)#no passive-interface Virtual-Template12 R1(config-router)#no passive-interface Virtual-Template13 R1(config-router)#network 1.0.0.0 R1(config-router)#network 10.0.0.0 R1(config-router)#no auto-summary R1(config)#interface Virtual-Template12 R1(config-if)#ip address 10.1.12.1 255.255.255.0 R1(config-if)# R1(config-if)#interface Virtual-Template13 R1(config-if)#ip address 10.1.13.1 255.255.255.0 R1(config-if)# R1(config-if)#interface Serial0/0.102 point-to-point R1(config-subif)#frame-relay interface-dlci 102 ppp Virtual-Template12 R1(config-subif)# R1(config-fr-dlci)#interface Serial0/0.103 point-to-point R1(config-subif)# frame-relay interface-dlci 103 ppp Virtual-Template13 |
This EIGRP config is basic, we’ve started the EIGRP 100 process, added our passive interface and network statements. We also disable auto-summarization. I’m only showing R1 here as the config is nearly identical across the board. We’ve also configured PPP on the FR links with Virtual Templates, this will be needed later in the config (leak maps).
Task two:
2. Configure strong authentication between R1 and R3 using the password “cisco”. Change the Hold and Hello timers between R1 and R2 to twice the default. Change the SIA timers on R4 to three times the default.
Config:
R1(config)#key chain EIGRP R1(config-keychain)# key 1 R1(config-keychain-key)#key-string cisco R1(config)# R1(config)#interface Virtual-Template13 R1(config-if)#ip authentication mode eigrp 100 md5 R1(config-if)# R1(config-if)#interface Virtual-Template12 R1(config-if)#ip hello-interval eigrp 100 10 R1(config-if)#ip hold-time eigrp 100 30 R4(config)#router eigrp 100 R4(config-router)#timers active-time 9 |
First we configure the key chain on R1 with the string “cisco”, then we assign it to our virtual-template interface connected to R3 (note, this will bounce the neighbors). Next we configure our hello and hold timers on R1. We change the hello and hold timers to twice the default (default hello is 5 seconds, default hold is 15). Last we configure the SIA timer on R4 to nine minutes, three times the default.
Task three:
3. Configure 50.0.0.0 to be the candidate default originated by R1 for the EIGRP AS. Prevent any routes over eight hops from being added to R3′s RIB.
Config:
R1(config)#ip route 50.0.0.0 255.0.0.0 Null0
R1(config)#ip default-network 50.0.0.0
R1(config)#
R1(config)#router eigrp 100
R1(config-router)#redistribute static
R3#sh ip route | i Gate
Gateway of last resort is 10.1.13.1 to network 50.0.0.0
R3#sh ip route | i \*
ia - IS-IS inter area, * - candidate default, U - per-user static route
D*EX 50.0.0.0/8 [170/2585600] via 10.1.13.1, 00:02:30, Virtual-Access1
R3(config)#router eigrp 100
R3(config-router)#metric maximum-hops 8 |
Here we configure a static route for 50.0.0.0, then we add the default-network statement and redistribute static on R1. We verify on R3 that 50.0.0.0 is our candidate default. Next we configure the maximum-hops statement on R3.
Task four:
4. Configure loopback IPs 172.30.1.1/24, 172.30.2.1/24, and 172.30.3.1/24 on R5, advertise these networks into EIGRP. Configure R4 as a stub, but ensure that all R5′s connected networks are present in R1, R2 and R3′s routing tables with the exception of 172.30.2.0/24.
Config:
R5(config)#interface Loopback1
R5(config-if)#ip address 172.16.1.1 255.255.255.0
R5(config-if)#interface Loopback2
R5(config-if)#ip address 172.16.2.1 255.255.255.0
R5(config-if)#interface Loopback3
R5(config-if)#ip address 172.16.3.1 255.255.255.0
R5(config-if)#
R5(config-if)#ip access-list standard Match-172
R5(config-std-nacl)#permit 172.16.1.0 0.0.0.255
R5(config-std-nacl)#permit 172.16.2.0 0.0.0.255
R5(config-std-nacl)#permit 172.16.3.0 0.0.0.255
R5(config-std-nacl)#
R5(config-std-nacl)#route-map Redist-Conn permit 10
R5(config-route-map)#match ip address Match-172
R5(config-route-map)#
R5(config-route-map)#router eigrp 100
R5(config-router)#redistribute connected route-map Redist-Conn
R4(config)#ip access-list standard Match-Leak
R4(config-std-nacl)#deny 172.16.2.0 0.0.0.255
R4(config-std-nacl)#permit any
R4(config-std-nacl)#
R4(config-std-nacl)#route-map Leak-172 permit 10
R4(config-route-map)#match ip address Match-Leak
R4(config-route-map)#
R4(config-route-map)#router eigrp 100
R4(config-router)#eigrp stub leak-map Leak-172
R3#sh ip route eigrp
D 5.0.0.0/8 [90/2300416] via 10.2.2.4, 00:08:48, FastEthernet0/0
172.16.0.0/24 is subnetted, 3 subnets
D EX 172.16.1.0 [170/2300416] via 10.2.2.4, 00:08:48, FastEthernet0/0
D EX 172.16.3.0 [170/2300416] via 10.2.2.4, 00:08:48, FastEthernet0/0 |
We start on R5 by configuring the loopbacks, we then match them in an ACL and redistribute. Then on R4 we configure an ACL to block only the 172.16.2.0/24 network, we match it in a route-map and configure R4 as an EIGRP stub while using the leak-map to allow all routes other than 172.16.2.0/24 to be advertised. We verify that it’s working on R3.
Task five:
5. Configure loopback IPs 192.168.1.1/24, 192.168.2.1/24, 192.168.3.1/24 and 192.168.4.1/24 on R1. Inject the most specific summary possible into the EIGRP AS. Inject the full 192.168.3.0/24 route into EIGRP, do this all on R1. Originate a default route on R1. Do not use the “ip default-network” command to accomplish this.
Config:
R1(config)#interface Loopback0 R1(config-if)#ip address 1.1.1.1 255.0.0.0 R1(config-if)#interface Loopback1 R1(config-if)#ip address 192.168.1.1 255.255.255.0 R1(config-if)#interface Loopback2 R1(config-if)#ip address 192.168.2.1 255.255.255.0 R1(config-if)#interface Loopback3 R1(config-if)#ip address 192.168.3.1 255.255.255.0 R1(config-if)#interface Loopback4 R1(config-if)#ip address 192.168.4.1 255.255.255.0 R1(config-if)# R1(config-if)#ip access-list standard Match-192 R1(config-std-nacl)#permit 192.168.1.0 0.0.0.255 R1(config-std-nacl)#permit 192.168.2.0 0.0.0.255 R1(config-std-nacl)#permit 192.168.3.0 0.0.0.255 R1(config-std-nacl)#permit 192.168.4.0 0.0.0.255 R1(config-std-nacl)# R1(config-std-nacl)#route-map Redist-Conn permit 10 R1(config-route-map)#match ip address Match-192 R1(config-route-map)# R1(config-route-map)#router eigrp 100 R1(config-router)#redistribute connected route-map Redist-Conn R1(config-router)# R1(config-router)#ip prefix-list EIGRP_Leak seq 10 permit 192.168.3.0/24 R1(config)# R1(config)#route-map Leak-192.168.3.0 permit 10 R1(config-route-map)#match ip address prefix-list EIGRP_Leak R1(config-route-map)# R1(config-route-map)#interface Virtual-Template12 R1(config-if)#ip summary-address eigrp 100 192.168.0.0 255.255.248.0 5 leak-map Leak-192.168.3.0 R1(config-if)#ip summary-address eigrp 100 0.0.0.0 0.0.0.0 5 R1(config-if)# R1(config-if)#interface Virtual-Template13 R1(config-if)#ip summary-address eigrp 100 192.168.0.0 255.255.248.0 5 leak-map Leak-192.168.3.0 R1(config-if)#ip summary-address eigrp 100 0.0.0.0 0.0.0.0 5 R3#sh ip route eigrp D EX 192.168.3.0/24 [170/2713600] via 10.1.13.1, 00:33:21, Virtual-Access1 D* 0.0.0.0/0 [90/2585600] via 10.1.13.1, 00:33:21, Virtual-Access1 D 192.168.0.0/21 [90/2713600] via 10.1.13.1, 00:33:21, Virtual-Access1 |
First we add our loopbacks, next we match them in an ACL and redistribute them into EIGRP. Then we configure a prefix list to match the route we want to leak, next we match the prefix list in our route-map. Finally we add our summaries to the interfaces and use the “leak-map” command to reference our route-map. We verify that we’re seeing the default, 192 summary and leaked route on R3.
Task six:
6. Set the “bandwidth” command to 1000 on the R1′s link to R2 and 500 on R1′s link to R3. Configure EIGRP to load balance across these two links.
Config:
R1(config)#interface Virtual-Template12
R1(config-if)#bandwidth 1000
R1(config-if)#
R1(config-if)#interface Virtual-Template13
R1(config-if)#bandwidth 500
R1(config-if)#
R1(config-if)#router eigrp 100
R1(config-router)#variance 2
R1#sh ip route eigrp
D EX 172.16.30.0 [170/7705600] via 10.1.13.3, 00:37:14, Virtual-Access2
[170/5148160] via 10.1.12.2, 00:37:14, Virtual-Access1 |
This one is pretty basic, we set the bandwidth commands and then configure variance under EIGRP. This tells EIGRP to unequally load balance across links using a multiple of 2. We have verified that R1 has added both routes to the RIB.
Task seven:
7. Prevent R4 from learning the 10.1.13.0/24 prefix from R3. Configure a static route for 172.16.30.0/24 on R3, redistribute this into EIGRP with the metric set to 50mbps, 100ms delay, maximum reliability, minimum load, and 1500 byte MTU. Do not use the “default-metric” command to accomplish this.
Config:
R3(config)#ip access-list standard Filter-10.1.1.13.2 R3(config-std-nacl)#deny 10.1.13.0 0.0.0.255 R3(config-std-nacl)# R3(config-std-nacl)#ip route 172.16.30.0 255.255.255.0 Null0 R3(config-std-nacl)# R3(config)#ip access-list standard Match-172 R3(config-std-nacl)#permit 172.16.30.0 0.0.0.255 R3(config-std-nacl)# R3(config-std-nacl)#route-map Redist-Static permit 10 R3(config-route-map)#match ip address Match-172 R3(config)#router eigrp 100 R3(config-router)#$redistribute static metric 50000 100 255 1 1500 route-map Redist-Static R3(config-router)#distribute-list Filter-10.1.1.13.2 out |
First we configures a filter for the 10.1.13.0/24 network, next we added a route for 172.16.30.0/24 pointing to null0, then we match this route in an ACL and match the ACL in a route-map. Next we redistribute static routes using the route-map we configured, we also set the metric for these routes to match the task. Finally we use a distribute-list to filter the 10.1.13.0/24 route.
This one is a bit longer than the others, but I think it has some good information. Please let me know if you have any thoughts or spot any mistakes, I did this one pretty fast and recklessly.
Here’s the .net file:
The Dynagen/GNS3 .net file
(you will need to change the paths to make it work)
Related Posts:
RIP Lab #2
about 1 year ago - 3 comments
This is the second and last RIP post I’ll be doing to prepare for the CCIE.
I’ve tried to include a lot in this one without making it too long. Here’s the topology:
(Click image for fullsize)
Click here for the initial configs
Here is task one:
1. Configure RIPv2 on all routers and advertise their directly connected interfaces. Ensure that these routers have full NLRI to all the loopback interfaces advertised into RIP. Ensure that all routers can ping all loopbacks. Configure RIP not to advertise on any interface by default.
Let’s go through the config:
R1(config)#router rip R1(config-router)# version 2 R1(config-router)# no auto-summary R1(config-router)# network 1.0.0.0 R1(config-router)# network 10.0.0.0 R1(config-router)# passive-interface default R1(config-router)# no passive-interface Serial0/0.102 R1(config-router)# no passive-interface Serial0/0.103 |
I’m only showing R1 here as the other routers will be nearly identical. First we enable RIP, configure the version, turn of auto-summary and configure our network statements. Then we use the “passive-interface default” command, which tells RIP that all interfaces are passive unless explicity configured otherwise. Last we configure the configure s0/0.102 and s0/0.103 NOT to be passive.
Task two:
2. Configure the strongest authentication for RIPv2 between R2, R3 and R4 using the key “cisco”.
Config:
R2(config)#key chain RIP
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string cisco
R2(config-keychain-key)#exit
R2(config)#int fa0/0
R2(config-if)#ip rip authentication mode md5
R2(config-if)#ip rip authentication key-chain RIP
R2#sh ip proto
Routing Protocol is "rip"
Default version control: send version 2, receive version 2
Interface Send Recv Triggered RIP Key-chain
FastEthernet0/0 2 2 RIP |
Again, only doing this on one router. First we configure the key-chain, we name it RIP and define the first key in the sequence with the string “cisco”. Then we configure the authentication mode on fa0/0 to use MD5. Last we apply the key-chain to the interface. We verify the config with “sh ip protocols”.
Task three:
3. Originate a default route on R1, ensure that it propagates throughout the RIP domain.
Config:
R1(config-router)#default-information originate R4#sh ip route rip ... R* 0.0.0.0/0 [120/2] via 10.2.2.2, 00:00:23, FastEthernet0/0 |
That was an easy one, we simply tell R1 to originate a default route. We see that is has propagated to R4.
Task four:
4. Configure RIPv2 to only send triggered updates across the Frame-Relay cloud.
Config:
R1(config-subif)# ip rip triggered
R1(config)#int s0/0.103
R1(config-subif)# ip rip triggered
R2(config)#int s0/0.201
R2(config-subif)#ip rip triggered
R3(config)#int s0/0.301
R3(config-subif)#ip rip triggered
R2#sh ip proto
Routing Protocol is "rip"
Default version control: send version 2, receive version 2
Interface Send Recv Triggered RIP Key-chain
FastEthernet0/0 2 2 RIP
Serial0/0.201 2 2 Yes |
Another easy one. We’ve configured all the FR links to send triggered updates instead of periodic updates. We verify this with “sh ip protocols”.
Task five:
5. Configure R1 and R2 to communicate via Broadcast updates, configure R1 and R3 to configure via Unicast updates.
Config:
R1(config)#int s0/0.102 R1(config-subif)#ip rip v2-broadcast R2(config)#int s0/0.201 R2(config-subif)#ip rip v2-broadcast R1(config)#router rip R1(config-router)#passive-interface Serial0/0.103 R1(config-router)#neighbor 10.1.13.3 R3(config)#router rip R3(config-router)#passive-interface s0/0.301 R3(config-router)#neighbor 10.1.13.1 |
To configure broadcast updates we go under the respective interfaces and use the “ip rip v2-broadcast”. To configure unicast updates we set the interface as passive under RIP, then configure static neighbor statements.
Task six:
6. Make R4 prefer the path through R2 to get to R1′s loopback. Ensure that R4 will failover to R3′s path if R2 is down.
Config:
R3(config)#ip access-list st R1-Loopback R3(config-std-nacl)#permit 1.0.0.0 R3(config-std-nacl)#exit R3(config)#router rip R3(config-router)# offset-list R1-Loopback out 5 FastEthernet0/0 (R2's fa0/0 up) R4#sh ip route rip R 1.0.0.0/8 [120/2] via 10.2.2.2, 00:00:37, FastEthernet0/0 (R2's fa0/0 is down) R4#sh ip route rip R 1.0.0.0/8 [120/7] via 10.2.2.3, 00:00:07, FastEthernet0/0 |
We configured an ACL to match R1′s loopback network, we are adding 5 to the metric (hop count) when adveritsing out fa0/0. We see that the path through R2 is chosen, when we shut R2′s fa0/0 port we see it failover to the path through R3.
Here’s the .net file:
The Dynagen/GNS3 .net file
(you will need to change the paths to make it work)
Related Posts:
Guest Post On NF Blog
about 1 year ago - No comments
I wrote a BGP Lab post on the Networking-Forum Blog. Here’s a preview:
Topology:
Tasks:
1. Configure the Oustside Border Router in AS 6500. Peer with ISP-1 and ISP-2. Ensure that the DMZ subnet is advertised to the internet.
2. Prevent AS 6500 from being used as a transit between ASes 1111 and 2222.
3. The link through ISP-1 is much faster than the link through ISP-2. Configure outgoing traffic to use ISP-1 as the primary, only use the link through ISP-2 if the primary link is down.
4. Configure incoming traffic to use the link through ISP-1 as the primary.
5. Ensure that NAT is setup to use both ISPs.
Check it out if you’re interested!
Related Posts:
RIP Lab #1
about 1 year ago - 5 comments
This is the first in a series of lab posts I’ll be doing to prepare for the CCIE.
Today’s lab is from Narbik’s Volume One workbook. It’s a RIPv2 lab with some tricks thrown in. Here’s the topology:
(Click image for fullsize)
Click here for the initial configs
Here is task one:
1. Configure RIPv2 on all routers and advertise their directly connected interfaces. Ensure that these routers have full NLRI to all the loopback interfaces advertised into RIP. Ensure that all routers can ping all loopbacks.
Let’s go through the config:
R1: R1(config)#router rip R1(config-router)#ver 2 R1(config-router)#no auto R1(config-router)#network 10.0.0.0 R1(config-router)#network 1.0.0.0 R2: R2(config)#router rip R2(config-router)#ver 2 R2(config-router)#no auto R2(config-router)#network 10.0.0.0 R2(config-router)#network 2.0.0.0 R3: R3(config)#router rip R3(config-router)#ver 2 R3(config-router)#no auto R3(config-router)#network 10.0.0.0 R3(config-router)#network 3.0.0.0 |
Looks pretty simple, but I’m sure you guys see that this won’t work correctly. Let’s look at R2 and R3′s routing tables:
R2#sh ip route
...
R 1.0.0.0/8 [120/1] via 10.1.1.1, 00:00:15, Serial0/0
C 2.0.0.0/8 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, Serial0/0
R3#sh ip route
...
R 1.0.0.0/8 [120/1] via 10.1.1.1, 00:00:06, Serial0/0
C 3.0.0.0/8 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, Serial0/0 |
We see that R2 and R3 are missing routes to each other’s loopbacks. This is due to split horizon. To refresh everyone’s memory, split horizon is a rule that a router will not advertise a route out the same interface from which it has learned the route. This prevents loops. Split horizon applies here because we aren’t using sub-interfaces for each spoke.
Let’s disable split horizon:
R1(config-subif)#no ip split-horizon R1(config)#int s0/0.123 |
We’ll verify on R2:
R2#sh ip route
...
R 1.0.0.0/8 [120/1] via 10.1.1.1, 00:00:26, Serial0/0
C 2.0.0.0/8 is directly connected, Loopback0
R 3.0.0.0/8 [120/2] via 10.1.1.3, 00:00:26, Serial0/0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, Serial0/0
R2#ping 3.3.3.3
.....
Success rate is 0 percent (0/5) |
So we now have the route in the table, but no reachability. This is another curveball. Look at the next hope for R3′s loopback, it is 10.1.1.3, which is R3′s serial interface. The issue here is that we don’t know how to get to that IP. We need a Frame-Relay map statement:
R2(config)#int s0/0 R2(config-if)#frame-relay map ip 10.1.1.3 201 R3(config)#int s0/0 R3(config-if)#frame-relay map ip 10.1.1.2 301 R3#ping 2.2.2.2 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/7/12 ms |
It works! We now have reachability to all loopbacks. Notice we did not use the broadcast option at the end of our map statement as it is not needed here.
Now onto the next task:
2. Remove the no ip split-horizon command and the Frame map statements from R2 and R3 configured in the first step from R2 and R3. Then configure R2 and R3 such that they can ping each others’ loopbacks. DO NOT configure static routes or extra Frame maps to accomplish this. Ensure that the next hop IP is NOT changed and is still the address of the originating router.
First we’ll remove our previous commands:
R1(config-subif)#ip split-horizon R2(config-if)#no frame-relay map ip 10.1.1.3 201 R3(config-if)#no frame-relay map ip 10.1.1.2 301 |
This one is a little trickier. How can we accomplish this without map statements or static routes? Good ole PPP. Let’s configure it:
R1(config-subif)#no ip add R1(config-subif)#frame-relay interface-dlci 102 ppp virtual-Template 123 R1(config-fr-dlci)#exit R1(config-subif)#frame-relay interface-dlci 103 ppp virtual-Template 123 R1(config-fr-dlci)#exit R1(config)#interface virtual-template 123 R1(config-if)#ip add 10.1.1.1 255.255.255.0 R2(config)#int s0/0 R2(config-if)#no ip add R2(config-if)#frame-relay interface-dlci 201 ppp virtual-Template 123 R2(config-fr-dlci)#exit R2(config)#interface virtual-template 123 R2(config-if)#ip add 10.1.1.2 255.255.255.0 R3(config)#int s0/0 R3(config-if)#no ip add R3(config-if)#frame-relay interface-dlci 301 ppp virtual-Template 123 R3(config-fr-dlci)#exit R3(config)#interface virtual-template 123 R3(config-if)#ip add 10.1.1.3 255.255.255.0 |
We removed all IP address from the interface, then we configured PPP over FR using a virtual-template. We then configure our IP on the template. Now we’ll verify our routing table and connectivity:
R3#sh ip route
...
R 1.0.0.0/8 [120/1] via 10.1.1.1, 00:00:25, Virtual-Access1
R 2.0.0.0/8 [120/2] via 10.1.1.2, 00:00:25, Virtual-Access1
C 3.0.0.0/8 is directly connected, Loopback0
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
R 10.1.1.2/32 [120/1] via 10.1.1.1, 00:00:25, Virtual-Access1
C 10.1.1.0/24 is directly connected, Virtual-Access1
C 10.1.1.1/32 is directly connected, Virtual-Access1
R3#ping 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/12 ms |
Our routing table is populated correctly and we do have reachability. The important things to note here are that we now have host routes in the table added by PPP. We have accomplished reachability without using map statements or turning off split horizon.
That’s it for this one. It’s a short lab, but it has a lot of valuable information.
The Dynagen/GNS3 .net file
(you will need to change the paths to make it work)
Related Posts:
Simple IPv6 Tutorial
about 1 year ago - 9 comments
Today we’ll configure a basic IPv6 network. I’m not a big fan of IPv6. I’ve never used it in the real world, so it’s hard for me to keep it in my head, but I’ve been studying the hell out of it for the Written, so here goes.
We have a simple topology, only three routers. We will be running OSFPv3 on our serial links and loopbacks. Here’s our topology:
(Click image for fullsize)
First we’ll configure our IPv6 addresses:
R1: R1(config)#ipv6 unicast-routing R1(config)#int s0/0 R1(config-if)#ip add 10.1.12.1 255.255.255.0 R1(config-if)#ipv6 add 10:1:1:12::1/64 R1(config-if)#no shut R2: R2(config)#ipv6 unicast-routing R2(config)# int s0/0 R2(config-if)#ip add 10.1.12.2 255.255.255.0 R2(config-if)#ipv6 add 10:1:1:12::2/64 R2(config-if)#no shut R2(config-if)#exit R2(config)#int s0/1 R2(config-if)#ip add 10.1.23.2 255.255.255.0 R2(config-if)#ipv6 add 10:1:1:23::2/64 R2(config-if)#no shut R3: R3(config)#ipv6 unicast-routing R3(config-if)#int s0/1 R3(config-if)#ip add 10.1.23.3 255.255.255.0 R3(config-if)#ipv6 add 10:1:1:23::3/64 |
The first thing we do on each router is enable IPv6 routing. Then we give the interface an IPv4 address and finally an IPv6 address.
Let’s verify connectivity from R2:
Serial0/0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::C001:71FF:FE12:0
Global unicast address(es):
10:1:1:12::2, subnet is 10:1:1:12::/64
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF00:2
FF02::1:FF12:0
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
Hosts use stateless autoconfig for addresses.
Serial0/1 is administratively down, line protocol is down
IPv6 is enabled, link-local address is FE80::C001:71FF:FE12:0 [TEN]
Global unicast address(es):
10:1:1:23::2, subnet is 10:1:1:23::/64 [TEN]
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF00:2
FF02::1:FF12:0
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
Hosts use stateless autoconfig for addresses.
R2#sh ipv int b
Serial0/0 [up/up]
FE80::C001:71FF:FE12:0
10:1:1:12::2
Serial0/1 [up/up]
FE80::C001:71FF:FE12:0
10:1:1:23::2
R2#ping 10:1:1:12::1
Sending 5, 100-byte ICMP Echos to 10:1:1:12::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/2/4 ms
R2#ping 10:1:1:23::3
Sending 5, 100-byte ICMP Echos to 10:1:1:23::3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/3/12 ms |
We have connectivity between interfaces on the same subnet.
Now we’ll configure our loopbacks and OSPFv3:
R1: R1(config-if)#int lo0 R1(config-if)#ipv6 add 1:1:1::1/64 R1(config-if)#ipv6 ospf 20 area 0 R1(config-if)#int s0/0 R1(config-if)#ipv6 ospf 20 area 0 R2: R2(config)#int lo0 R2(config-if)#ipv6 add 2:2:2::2/64 R2(config-if)#ipv6 ospf 20 area 0 R2(config-if)#int s0/0 R2(config-if)#ipv6 ospf 20 area 0 R2(config-if)#int s0/1 R2(config-if)#ipv6 ospf 20 area 0 R3: R3(config)#int lo0 R3(config-if)#ipv6 add 3:3:3::3/64 R3(config-if)#ipv6 ospf 20 area 0 R3(config-if)#int s0/1 R3(config-if)#ipv6 ospf 20 area 0 |
With v6 we enable OSPF directly under the interface on which it runs.
Now let’s verify that everything is working:
R1#sh ipv6 route ospf
...
O 2:2:2::2/128 [110/64]
via FE80::C001:71FF:FE12:0, Serial0/0
O 3:3:3::3/128 [110/128]
via FE80::C001:71FF:FE12:0, Serial0/0
O 10:1:1:23::/64 [110/128]
via FE80::C001:71FF:FE12:0, Serial0/0
R2#sh ipv6 route ospf
...
O 1:1:1::1/128 [110/64]
via FE80::C000:71FF:FE12:0, Serial0/0
O 3:3:3::3/128 [110/64]
via FE80::C002:71FF:FE12:0, Serial0/1
R3#sh ipv6 route ospf
...
O 1:1:1::1/128 [110/128]
via FE80::C001:71FF:FE12:0, Serial0/1
O 2:2:2::2/128 [110/64]
via FE80::C001:71FF:FE12:0, Serial0/1
O 10:1:1:12::/64 [110/128]
via FE80::C001:71FF:FE12:0, Serial0/1 |
We see that our IPv6 routing tables are populated as expected.
Now we will try pinging R3′s loopback from R1:
R1#ping 3:3:3::3 Sending 5, 100-byte ICMP Echos to 3:3:3::3, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 0/2/4 ms |
It works!
So that’s IPv6 and OSPFv3. Simple stuff.
The Dynagen/GNS3 .net file
(you will need to change the paths to make it work)
Note: I’m using 3725s here because 3640s were giving me all kinds of issues. I don’t know if it was my IOS or what.
Related Posts:
New Troubleshooting Lab Topology
about 1 year ago - 6 comments
The old topology I’ve been using for the weekly labs is pretty limited. I created a new one today which should keep us going for awhile. It’s relatively complex, it consists of two customer MPLS VPNs and lots of routing. The two customer VPNs also have internet access through one of their sites. We are simulating the internet with Peer1 and Peer2. Here’s the diagram:
(click image for fullsize)
I should have the first lab up early next week after I work out some issues I’m having. So tell me what you guys think.
Here’s the .net file:
New Troubleshooting .net file
Related Posts:
Troubleshooting Lab #5
about 1 year ago - 7 comments
This one might be easy, but I’m having trouble gauging it after last week. Same topology, users are having trouble communicating from one VLAN to the other. Soon I’ll make a new (bigger) topology with more diverse technologies, I haven’t had the time lately.
You can run the .net on your own Dynamips server or you can use mine. Run the topology and login with username “tshoot” and password “tshoot”. This user only has privilege level 1, so show commands will be available, but show run will not be. You can also login with username: “shrun” and password: “shrun”, this will print the running config and boot you out. I would like to grant full privilege 15 access, but I’m worried about people messing with the configs, this is after all a public post. Obviously you could get around this pretty easily, but that would defeat the purpose. 
Here’s our topology:
(Click for fullsize)
I’m attaching the .net file with the configs saved inside.
The Troubleshooting Lab #5 .net file
(Don’t forget to change your paths)