Just another Cisco blog
CCIP Practice Lab Topology
I’m bored with the CCDA stuff so I’m going back to the CCIP. In preparation for this I’ve made up a new topology. Figured it couldn’t hurt to share.
I plan on making up some requirements for a few different labs using this topology, lots of BGP and MPLS VPNs. Hopefully I can get one posted by the end of the week or early next week. I’m considering making a new page dedicated to lab challenges.
Here’s the .net file I’ve created for this one:
CCIP Lab .net file
Tell me what you guys think. Also, if anyone has some good lab requirements to throw out, I’d love to hear them.
This entry was posted by Colby on January 27, 2010 at 4:09 pm, and is filed under Labs.
OSPF Authentication
about 1 year ago - 3 comments
This post is about the different OSPF authentication methods. It will be part of a series outlining OSPF commands/technologies.
We can configure OSPF to use authentication for an entire area, or just for a single interface. Today we’ll go over both. Here’s the topology:

First we’ll setup authentication for all of area 0:
R1(config)#interface FastEthernet0/0
R1(config-if)#ip ospf message-digest-key 1 md5 cisco
R1(config-if)#ip ospf 100 area 0
R1(config-if)#
R1(config-if)#router ospf 100
R1(config-router)#area 0 authentication message-digest
R2(config)#interface FastEthernet0/0
R2(config-if)#ip ospf message-digest-key 1 md5 cisco
R2(config-if)#ip ospf 100 area 0
R2(config-if)#
R2(config-if)#router ospf 100
R2(config-router)#area 0 authentication message-digest
R3(config)#interface FastEthernet0/0
R3(config-if)#ip ospf message-digest-key 1 md5 cisco
R3(config-if)#ip ospf 100 area 0
R3(config-if)#
R3(config-if)#router ospf 100
R3(config-router)#area 0 authentication message-digest
Nothing crazy here: we configure OSPF and an MD5 key under our area 0 interfaces, then we specify that all of area 0 should use MD5 authentication. Note that the commands differ slightly if we want to use clear text: it would be “ip ospf authentication-key [key]” on the interface and “area 0 authentication” under the OSPF 100 process.
Let’s verify:
R1#sh ip ospf neigh
Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 1 FULL/DR 00:00:32 10.1.123.2 FastEthernet0/0
3.3.3.3 1 FULL/DROTHER 00:00:35 10.1.123.3 FastEthernet0/0
R1#sh ip ospf int fa0/0
...
Message digest authentication enabled
Youngest key id is 1
Everything is working, our neighbors are up and we see that authentication is enabled with the key we specified. Note, if we leave off a key, the neighbors will still form and MD5 will still be enabled, but it will say key 0:
R1(config)#int fa0/0
R1(config-if)#no ip ospf message-digest-key 1 md5 cisco
R2(config)#int fa0/0
R2(config-if)#no ip ospf message-digest-key 1 md5 cisco
R2#sh ip ospf int fa0/0
...
Message digest authentication enabled
No key configured, using default key id 0
We see that no key is being used, but MD5 is still working. Not critical knowledge, but may be useful sometime.
Next we’ll configure MD5 between routers R3 and R4:
R3(config)#interface Serial0/0
R3(config-if)#ip ospf authentication message-digest
R3(config-if)#ip ospf message-digest-key 2 md5 cisco
R3(config-if)#ip ospf 100 area 34
R4(config)#interface Serial0/0
R4(config-if)#ip ospf authentication message-digest
R4(config-if)#ip ospf message-digest-key 2 md5 cisco
R4(config-if)#ip ospf 100 area 34
Notice that here we have not made any changes under the OSPF process, this is all at the interface level. We use the “ip ospf authentication message-digest” command to run MD5 on this interface, then we specify a key the same way as earlier.
We’ll verify this config:
R3#sh ip ospf neigh
Neighbor ID Pri State Dead Time Address Interface
4.4.4.4 0 FULL/ - 00:00:36 10.1.34.4 Serial0/0
R3#sh ip ospf int s0/0
...
Message digest authentication enabled
Youngest key id is 2
As expected, everything is working.
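An added example (not from the original post): a small Python check that reads IOS-style configuration text and reports interfaces whose OSPF authentication is absent, clear-text, MD5 without a key (the “key id 0” state shown earlier), or keyed with a well-known string. The sample configs, the `WEAK_KEYS` list and all function names are constructed for illustration, and it assumes interfaces are placed in areas with `ip ospf <pid> area`, as in this post.

```python
import re

# Assumption: a short illustrative list of well-known key strings.
WEAK_KEYS = {"cisco", "password", "ospf"}

# Constructed configs (not from the post). R1 mirrors the "key removed" case.
SAMPLE_R1 = """\
interface FastEthernet0/0
 ip ospf 100 area 0
!
router ospf 100
 area 0 authentication message-digest
"""

SAMPLE_R3 = """\
interface Loopback0
 ip ospf 100 area 0
!
interface FastEthernet0/0
 ip ospf message-digest-key 1 md5 cisco
 ip ospf 100 area 0
!
interface Serial0/0
 ip ospf authentication message-digest
 ip ospf message-digest-key 2 md5 Constructed-Key-34
 ip ospf 100 area 34
!
interface Serial0/1
 ip ospf authentication-key plainkey
 ip ospf 100 area 0.0.0.5
!
interface Serial0/2
 ip ospf 100 area 7
!
router ospf 100
 area 0 authentication message-digest
 area 5 authentication
"""


def _area_id(text):
    """Normalise '0.0.0.34' and '34' to the same integer."""
    if "." in text:
        a, b, c, d = (int(p) for p in text.split("."))
        return (a << 24) | (b << 16) | (c << 8) | d
    return int(text)


def _sections(config):
    """Yield (header, [child lines]) for each top-level block of the config."""
    header, body = None, []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line[0].isspace():          # new top-level command
            if header is not None:
                yield header, body
            header, body = line.strip(), []
        elif header is not None:
            body.append(line.strip())
    if header is not None:
        yield header, body


def audit_ospf_auth(config):
    """Return {interface: [findings]} for OSPF-enabled, non-loopback interfaces."""
    area_mode, ifaces = {}, {}
    for header, body in _sections(config):
        if header.startswith("router ospf"):
            for line in body:
                m = re.fullmatch(r"area (\S+) authentication( message-digest)?", line)
                if m:
                    area_mode[_area_id(m.group(1))] = "md5" if m.group(2) else "simple"
        elif header.startswith("interface "):
            info = {"area": None, "mode": None, "md5_keys": []}
            for line in body:
                if m := re.fullmatch(r"ip ospf \d+ area (\S+)", line):
                    info["area"] = _area_id(m.group(1))
                elif m := re.fullmatch(r"ip ospf authentication( message-digest| null)?", line):
                    info["mode"] = {None: "simple", " message-digest": "md5",
                                    " null": "none"}[m.group(1)]
                elif m := re.fullmatch(r"ip ospf message-digest-key (\d+) md5 (?:\d+ )?(\S+)", line):
                    info["md5_keys"].append((int(m.group(1)), m.group(2)))
            ifaces[header.split(None, 1)[1]] = info

    report = {}
    for name, info in ifaces.items():
        if info["area"] is None or name.lower().startswith("loopback"):
            continue                        # not in OSPF, or no neighbors possible
        # An interface-level setting overrides the area-wide one.
        mode = info["mode"] or area_mode.get(info["area"], "none")
        findings = []
        if mode == "none":
            findings.append("no OSPF authentication")
        elif mode == "simple":
            findings.append("clear-text authentication")
        elif not info["md5_keys"]:
            findings.append("MD5 enabled but no key configured (default key id 0)")
        else:
            for key_id, key in info["md5_keys"]:
                if key.lower() in WEAK_KEYS:
                    findings.append(f"well-known key string on key id {key_id}")
        report[name] = findings
    return report


if __name__ == "__main__":
    for label, cfg in (("R1", SAMPLE_R1), ("R3", SAMPLE_R3)):
        for iface, findings in audit_ospf_auth(cfg).items():
            print(label, iface, findings or ["ok"])
```
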
That’s OSPF authentication. Both ways could be asked on the CCIE Lab, so this is good stuff to know.
BGP Multipath-Relax
about 1 year ago - 7 comments
So I learned a new command today. As usual I want to share with everyone. Today’s command is “bgp bestpath as-path multipath-relax”, which is actually hidden in IOS.
To give some background, BGP will not load balance across multiple paths by default. We can configure it to do so with the “maximum-paths n” command, which is pretty well known. The requirement for this command is that all attributes must match (Weight, LP, AS Path, etc.). This is acceptable if we are multihomed to a single AS, but what if we are multihomed to different ASes? In that case we are not able to load balance across theoretically equal paths. Enter the “bgp bestpath as-path multipath-relax” command…
Here’s our first topology:

Now the config:
R1(config)#router bgp 100
R1(config-router)#no synchronization
R1(config-router)#neighbor 10.1.12.2 remote-as 200
R1(config-router)#neighbor 10.1.13.3 remote-as 200
R1(config-router)#no auto-summary
Here we see the basic BGP config on R1. We will only be configuring R1 in this post.
Let’s look at the BGP table and RIB.
R1#sh ip bgp
...
Network Next Hop Metric LocPrf Weight Path
* 192.168.1.0 10.1.12.2 0 200 400 i
*> 10.1.13.3 0 200 400 i
R1#sh ip route
...
10.0.0.0/24 is subnetted, 2 subnets
C 10.1.13.0 is directly connected, Serial0/1
C 10.1.12.0 is directly connected, Serial0/0
B 192.168.1.0/24 [20/0] via 10.1.13.3, 00:01:16
We see that BGP has selected the path through R3 and put the route in its RIB.
Now we will configure BGP to use two paths, then we’ll verify:
R1(config)#router bgp 100
R1(config-router)#maximum-paths 2
R1#sh ip route
...
10.0.0.0/24 is subnetted, 2 subnets
C 10.1.13.0 is directly connected, Serial0/1
C 10.1.12.0 is directly connected, Serial0/0
B 192.168.1.0/24 [20/0] via 10.1.13.3, 00:03:18
[20/0] via 10.1.12.2, 00:00:15
Simple command under the BGP process, we see that R1 is now equally load balancing across both paths.
Now we will change it up a bit.
Here’s our second topology:

This time R2 and R3 are in separate ASes. Let’s try “maximum-paths” again and see what happens:
R1(config)#router bgp 100
R1(config-router)# maximum-paths 2
R1#sh ip bgp
...
Network Next Hop Metric LocPrf Weight Path
* 192.168.1.0 10.1.13.3 0 300 400 i
*> 10.1.12.2 0 200 400 i
R1#sh ip route
...
10.0.0.0/24 is subnetted, 2 subnets
C 10.1.13.0 is directly connected, Serial0/1
C 10.1.12.0 is directly connected, Serial0/0
B 192.168.1.0/24 [20/0] via 10.1.12.2, 00:00:04
As expected we see that R1 is not load balancing because it does not see the paths as “equal” (different AS Paths).
This is where “bgp bestpath as-path multipath-relax” comes in:
R1(config)#router bgp 100
R1(config-router)#bgp bestpath as-path ?
% Unrecognized command
R1(config-router)#bgp bestpath as-path multipath-relax
R1(config-router)#
R1#sh run | sec bgp
router bgp 100
bgp bestpath as-path multipath-relax
neighbor 10.1.12.2 remote-as 200
neighbor 10.1.13.3 remote-as 300
maximum-paths 2
R1#sh ip route
...
10.0.0.0/24 is subnetted, 2 subnets
C 10.1.13.0 is directly connected, Serial0/1
C 10.1.12.0 is directly connected, Serial0/0
B 192.168.1.0/24 [20/0] via 10.1.13.3, 00:00:16
[20/0] via 10.1.12.2, 00:00:16
And it works! Notice that the command doesn’t show up when we use the “?”. It is a hidden command. I’m not sure why at this point, just that it is. We do see it when we look at R1’s BGP config though.
That’s it for this one, just a short post on something new I learned today.
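An added example (not from the original post, and not IOS's actual implementation): a simplified Python model of the multipath eligibility rule described in this post, run against the two BGP tables shown above. The `Path` class, the function names and the attribute defaults are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    next_hop: str
    as_path: tuple            # e.g. (200, 400)
    weight: int = 0
    local_pref: int = 100
    origin: str = "i"
    med: int = 0
    ebgp: bool = True


def _ties_with_best(best, other, relax):
    """True if `other` may be installed alongside `best`."""
    same_attrs = (
        other.weight == best.weight
        and other.local_pref == best.local_pref
        and other.origin == best.origin
        and other.med == best.med
        and other.ebgp == best.ebgp
        and len(other.as_path) == len(best.as_path)
    )
    if not same_attrs:
        return False
    # Default: the AS path itself must match. With multipath-relax,
    # an equal AS path length is enough.
    return relax or other.as_path == best.as_path


def installed_next_hops(best, others, maximum_paths=1, relax=False):
    """Return the next hops placed in the RIB for one prefix."""
    chosen = [best]
    for path in others:
        if len(chosen) >= maximum_paths:
            break
        if _ties_with_best(best, path, relax):
            chosen.append(path)
    return [p.next_hop for p in chosen]


# Topology 1 (both neighbors in AS 200), values taken from the first table.
T1_BEST = Path("10.1.13.3", (200, 400))
T1_OTHER = Path("10.1.12.2", (200, 400))

# Topology 2 (neighbors in AS 200 and AS 300), values from the second table.
T2_BEST = Path("10.1.12.2", (200, 400))
T2_OTHER = Path("10.1.13.3", (300, 400))

# Constructed path with a longer AS path; never eligible, even when relaxed.
LONGER = Path("10.1.14.4", (300, 500, 400))

if __name__ == "__main__":
    print(installed_next_hops(T1_BEST, [T1_OTHER], maximum_paths=2))
    print(installed_next_hops(T2_BEST, [T2_OTHER], maximum_paths=2))
    print(installed_next_hops(T2_BEST, [T2_OTHER], maximum_paths=2, relax=True))
```
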
OSPF Lab #2 Tasks
about 1 year ago - 5 comments
This is the second OSPF post I’ll be doing for CCIE lab preparation. Today I’m posting the tasks, then tomorrow or the day after (or possibly after the weekend, depending how busy I am) I’ll post the walkthrough. If any of you work on this before the walkthrough, leave a comment.
Here’s the topology:

Click here for the initial configs
Here are the tasks:
1. Configure R1, R2 and R3’s S0/0 interfaces in Area 0. Ensure that DR and BDR are elected. Advertise all loopback0s on all routers into OSPF.
2. Configure R1 as the default gateway for all OSPF routers. Do not use the “default-information” command.
3. Configure R6 to use the path through R4 to get to area 0. Do not use any interface level commands to accomplish this.
4. Configure R4 to filter any type 3, 4, 5 and 7 LSAs from entering area 45.
5. Resolve discontiguous area issues.
6. R5 is using a low-speed, high cost serial link to connect to R4. Ensure that the link is only used when needed.
7. Filter all loopback0s from entering R2’s RIB. Use a distribute list.
8. Configure loopback IPs 192.168.1.1/24, 192.168.2.1/24, 192.168.3.1/24 and 192.168.4.1/24 on R1. Inject a summary for these networks into OSPF, ensure that R2 and R3 see this summary and no specific routes. Do not use any summarization commands under the OSPF process to accomplish this.
9. Configure area 67 to elect a DR and BDR.
(Some of this might change during the walkthrough)
Here’s the .net file:
The Dynagen/GNS3 .net file
(you will need to change the paths to make it work)
OSPF Lab #1 Walkthrough
about 1 year ago - 1 comment
This is the walkthrough for OSPF Lab #1.
Here’s the topology:

Click here for the initial configs
Here is task one:
1. Configure R1’s s0/0.102 interface and R2’s s0/0.201 interface in area 12, this area should not receive any Type 5 LSAs. Configure R1’s s0/0.103 interface and R3’s s0/0.301 interface in area 13, R1 should only receive a default route from R3, no other OSPF routes should be in R1’s RIB (from R3). Do not use network statements to accomplish this task.
Config:
R1(config)#interface Serial0/0.102 point-to-point
R1(config-subif)#ip ospf 100 area 12
R1(config-subif)#
R1(config-subif)#interface Serial0/0.103 point-to-point
R1(config-subif)#ip ospf 100 area 13
R1(config-subif)#
R1(config-subif)#router ospf 100
R1(config-router)#area 12 stub
R1(config-router)#area 13 stub
R2(config)#interface Serial0/0.201 point-to-point
R2(config-subif)#ip ospf 100 area 12
R2(config-subif)#
R2(config-subif)#router ospf 100
R2(config-router)#area 12 stub
R3(config)#interface Serial0/0.301 point-to-point
R3(config-subif)#ip ospf 100 area 13
R3(config-subif)#
R3(config-subif)#router ospf 100
R3(config-router)#area 13 stub no-summary
Here we configure OSPF 100 under the routers’ interfaces (avoiding network statements). Then we configure R1 and R2’s link/area as a stub. Last we configure R1 and R3’s link/area as a totally stubby area, preventing R3 from sending anything but a default route to R1.
Task two:
2. Configure R2, R3 and R4’s ethernet interfaces in area 0. R4 and R5’s serial interfaces should be in area 45. Area 45 should not receive any type 5 LSAs. R5 is an ASBR connected to the internet, it should be the default gateway for the entire OSPF domain.
Config:
R2(config)#interface Loopback0
R2(config-if)#ip ospf 100 area 0
R2(config-if)#
R2(config-if)#interface FastEthernet0/0
R2(config-if)#ip ospf 100 area 0
R3(config)#interface Loopback0
R3(config-if)#ip ospf 100 area 0
R3(config-if)#
R3(config-if)#interface FastEthernet0/0
R3(config-if)#ip ospf 100 area 0
R4(config)#interface Loopback0
R4(config-if)#ip ospf 100 area 0
R4(config-if)#
R4(config-if)#interface FastEthernet0/0
R4(config-if)#ip ospf 100 area 0
R4(config-if)#
R4(config-if)#interface Serial0/0
R4(config-if)#ip ospf 100 area 45
R4(config-if)#
R4(config-if)#router ospf 100
R4(config-router)#area 45 nssa
R5(config)#interface Loopback0
R5(config-if)#ip ospf 100 area 45
R5(config-if)#
R5(config-if)#interface Serial0/0
R5(config-if)#ip ospf 100 area 45
R5(config-if)#
R5(config-if)#router ospf 100
R5(config-router)#area 45 nssa default-information-originate
This one is long, but pretty basic. We configure the ethernet interfaces and we configure R4 and R5’s link in Area 45. Finally we make area 45 a not so stubby area and tell R5 to originate a default route, which is then propagated throughout the OSPF domain.
Task three:
3. Ensure that all loopbacks are accessible from all routers in the OSPF domain. Ensure that the loopbacks are advertised with their configured masks. Change the OSPF timers on the ethernet segment to be twice as fast as the default.
Config:
R1(config)#interface Loopback0
R1(config-if)#ip ospf network point-to-point
R1(config-if)#ip ospf 100 area 12
R2(config)#interface Loopback0
R2(config-if)#ip ospf 100 area 0
R2(config-if)#ip ospf network point-to-point
R2(config-if)#
R2(config)#interface FastEthernet0/0
R2(config-if)#ip ospf hello-interval 5
R2(config-if)#ip ospf dead-interval 20
R3(config)#interface Loopback0
R3(config-if)#ip ospf 100 area 0
R3(config-if)#ip ospf network point-to-point
R3(config-if)#
R3(config)#interface FastEthernet0/0
R3(config-if)#ip ospf hello-interval 5
R3(config-if)#ip ospf dead-interval 20
R4(config)#interface Loopback0
R4(config-if)#ip ospf 100 area 0
R4(config-if)#ip ospf network point-to-point
R4(config-if)#
R4(config)#interface FastEthernet0/0
R4(config-if)#ip ospf hello-interval 5
R4(config-if)#ip ospf dead-interval 20
R5(config)#interface Loopback0
R5(config-if)#ip ospf 100 area 45
R5(config-if)#ip ospf network point-to-point
For this one we configure all the loopbacks and make sure the OSPF network type is point to point, this causes the correct mask to be advertised. Then on R2, R3, and R4 we change the hello and dead timers to be twice as fast as the default. Note: I did not have to manually set the dead timer as it’s four times the hello timer by default.
Task four:
4. Configure loopback IPs 192.168.1.1/24, 192.168.2.1/24, 192.168.3.1/24 and 192.168.4.1/24 on R3. Inject them into OSPF. These routes should be in Type 5 LSAs. .1.0/24 and .2.0/24 should show a cost of 50, the other two routes’ cost should increment as they travel through the network.
Config:
R3(config)#interface Loopback1
R3(config-if)#ip address 192.168.1.1 255.255.255.0
R3(config-if)#
R3(config-if)#interface Loopback2
R3(config-if)#ip address 192.168.2.1 255.255.255.0
R3(config-if)#
R3(config-if)#interface Loopback3
R3(config-if)#ip address 192.168.3.1 255.255.255.0
R3(config-if)#
R3(config-if)#interface Loopback4
R3(config-if)#ip address 192.168.4.1 255.255.255.0
R3(config-if)#
R3(config-if)#ip access-list standard E1_Routes
R3(config-std-nacl)#permit 192.168.3.0 0.0.0.255
R3(config-std-nacl)#permit 192.168.4.0 0.0.0.255
R3(config-std-nacl)#
R3(config-std-nacl)#ip access-list standard E2_Routes
R3(config-std-nacl)#permit 192.168.1.0 0.0.0.255
R3(config-std-nacl)#permit 192.168.2.0 0.0.0.255
R3(config-std-nacl)#
R3(config-std-nacl)#route-map Redist_Conn permit 10
R3(config-route-map)#match ip address E1_Routes
R3(config-route-map)#set metric-type type-1
R3(config-route-map)#
R3(config-route-map)#route-map Redist_Conn permit 20
R3(config-route-map)#match ip address E2_Routes
R3(config-route-map)#set metric 50
R3(config-route-map)#
R3(config-route-map)#router ospf 100
R3(config-router)#redistribute connected subnets route-map Redist_Conn
This is a fun one and it’s a bit tricky. The task tells us that two of the routes need to be E2 (the default, cost doesn’t increment) and the other two need to be E1 (cost does increment). First we configure the loopbacks, then we match .3.0/24 and .4.0/24 in the E1 ACL and the other two in the E2 ACL. Next we configure the first line of our route map to match the E1 ACL and set those routes to E1; in the second line we match the other routes and set the cost to 50. Notice that we don’t need to set the type here because E2 is the default.
This one we’ll verify:
R4#sh ip route ospf
O E2 192.168.1.0/24 [110/50] via 10.2.2.3, 00:57:45, FastEthernet0/0
O E2 192.168.2.0/24 [110/50] via 10.2.2.3, 00:57:45, FastEthernet0/0
O E1 192.168.3.0/24 [110/30] via 10.2.2.3, 00:57:45, FastEthernet0/0
O E1 192.168.4.0/24 [110/30] via 10.2.2.3, 00:57:45, FastEthernet0/0
We can see that .1 and .2 are E2 with a cost of 50 while the others are E1 with the cost incrementing.
Task five:
5. Configure the OSPF domain to compensate for gigabit link speeds and calculate cost accordingly. Configure strong authentication between R1 and R3 using the password “cisco”.
Config:
R1(config)#router ospf 100
R1(config-router)#auto-cost reference-bandwidth 1000
R1(config-router)#
R1(config-router)#interface Serial0/0.103 point-to-point
R1(config-subif)#ip ospf authentication message-digest
R1(config-subif)#ip ospf message-digest-key 1 md5 cisco
R2(config)#router ospf 100
R2(config-router)#auto-cost reference-bandwidth 1000
R3(config)#router ospf 100
R3(config-router)#auto-cost reference-bandwidth 1000
R3(config-router)#
R3(config-router)#interface Serial0/0.301 point-to-point
R3(config-subif)#ip ospf authentication message-digest
R3(config-subif)#ip ospf message-digest-key 1 md5 cisco
R4(config)#router ospf 100
R4(config-router)#auto-cost reference-bandwidth 1000
R5(config)#router ospf 100
R5(config-router)#auto-cost reference-bandwidth 1000
Again, pretty basic. We change the reference bandwidth for OSPF and configure authentication between R1 and R3.
That’s it for this one. Please post any thoughts or mistakes you’ve noticed.
Here’s the .net file:
The Dynagen/GNS3 .net file
(you will need to change the paths to make it work)
Quick BGP Challenge #1
about 1 year ago - 19 comments
This is the first little challenge I’m posting on here. If you frequent the forums, you likely saw the one I had for OSPF. I thought of another challenge while talking to a buddy. Here’s the topology:

Make R1 prefer the path through R3 for the 192.168.1.0/24 network. The configuration must be on R1. Do not use Weight or Local Preference to accomplish this. Assume that all previous configuration is correct.
This one is a little different than the OSPF challenge in that there are many ways to accomplish it. I’ve thought of a few, I want to see what everyone else comes up with.
Go!
OSPF Lab #1 Tasks
about 1 year ago - 9 comments
This is the first OSPF post I’ll be doing for CCIE lab preparation. Sorry guys, I’ve been slacking with updates. Today I’m posting the tasks, then tomorrow or the day after I’ll post the walkthrough. If any of you work on this before the walkthrough, leave a comment.
Here’s the topology:

Click here for the initial configs
Here are the tasks:
1. Configure R1’s s0/0.102 interface and R2’s s0/0.201 interface in area 12, this area should not receive any Type 5 LSAs. Configure R1’s s0/0.103 interface and R3’s s0/0.301 interface in area 13, R1 should only receive a default route from R3, no other OSPF routes should be in R1’s RIB (from R3). Do not use network statements to accomplish this task.
2. Configure R2, R3 and R4’s ethernet interfaces in area 0. R4 and R5’s serial interfaces should be in area 45. Area 45 should not receive any type 5 LSAs. R5 is an ASBR connected to the internet, it should be the default gateway for the entire OSPF domain.
3. Ensure that all loopbacks are accessible from all routers in the OSPF domain. Ensure that the loopbacks are advertised with their configured masks. Change the OSPF timers on the ethernet segment to be twice as fast as the default.
4. Configure loopback IPs 192.168.1.1/24, 192.168.2.1/24, 192.168.3.1/24 and 192.168.4.1/24 on R3. Inject them into OSPF. These routes should be in Type 5 LSAs. .1.0/24 and .2.0/24 should show a cost of 50, the other two routes’ cost should increment as they travel through the network.
5. Configure the OSPF domain to compensate for gigabit link speeds and calculate cost accordingly. Configure strong authentication between R1 and R3 using the password “cisco”.
Here’s the .net file:
The Dynagen/GNS3 .net file
(you will need to change the paths to make it work)
EIGRP Lab #1
about 1 year ago - 2 comments
This is the first EIGRP post I’ll be doing for CCIE lab preparation.
I’ve tried to include a lot in this one without making it too long. Here’s the topology:

Click here for the initial configs
Here is task one:
1. Advertise all connected loopbacks into EIGRP AS 100. Ensure that only interfaces connected to other routers will form adjacencies. Do not allow EIGRP to summarize automatically.
Simple stuff:
R1(config)#router eigrp 100
R1(config-router)#passive-interface default
R1(config-router)#no passive-interface Virtual-Template12
R1(config-router)#no passive-interface Virtual-Template13
R1(config-router)#network 1.0.0.0
R1(config-router)#network 10.0.0.0
R1(config-router)#no auto-summary
R1(config)#interface Virtual-Template12
R1(config-if)#ip address 10.1.12.1 255.255.255.0
R1(config-if)#
R1(config-if)#interface Virtual-Template13
R1(config-if)#ip address 10.1.13.1 255.255.255.0
R1(config-if)#
R1(config-if)#interface Serial0/0.102 point-to-point
R1(config-subif)#frame-relay interface-dlci 102 ppp Virtual-Template12
R1(config-subif)#
R1(config-fr-dlci)#interface Serial0/0.103 point-to-point
R1(config-subif)# frame-relay interface-dlci 103 ppp Virtual-Template13
This EIGRP config is basic, we’ve started the EIGRP 100 process, added our passive interface and network statements. We also disable auto-summarization. I’m only showing R1 here as the config is nearly identical across the board. We’ve also configured PPP on the FR links with Virtual Templates, this will be needed later in the config (leak maps).
Task two:
2. Configure strong authentication between R1 and R3 using the password “cisco”. Change the Hold and Hello timers between R1 and R2 to twice the default. Change the SIA timers on R4 to three times the default.
Config:
R1(config)#key chain EIGRP
R1(config-keychain)# key 1
R1(config-keychain-key)#key-string cisco
R1(config)#
R1(config)#interface Virtual-Template13
R1(config-if)#ip authentication mode eigrp 100 md5
R1(config-if)#ip authentication key-chain eigrp 100 EIGRP
R1(config-if)#
R1(config-if)#interface Virtual-Template12
R1(config-if)#ip hello-interval eigrp 100 10
R1(config-if)#ip hold-time eigrp 100 30
R4(config)#router eigrp 100
R4(config-router)#timers active-time 9
First we configure the key chain on R1 with the string “cisco”, then we assign it to our virtual-template interface connected to R3 (note, this will bounce the neighbors). Next we configure our hello and hold timers on R1. We change the hello and hold timers to twice the default (default hello is 5 seconds, default hold is 15). Last we configure the SIA timer on R4 to nine minutes, three times the default.
Task three:
3. Configure 50.0.0.0 to be the candidate default originated by R1 for the EIGRP AS. Prevent any routes over eight hops from being added to R3’s RIB.
Config:
R1(config)#ip route 50.0.0.0 255.0.0.0 Null0
R1(config)#ip default-network 50.0.0.0
R1(config)#
R1(config)#router eigrp 100
R1(config-router)#redistribute static
R3#sh ip route | i Gate
Gateway of last resort is 10.1.13.1 to network 50.0.0.0
R3#sh ip route | i \*
ia - IS-IS inter area, * - candidate default, U - per-user static route
D*EX 50.0.0.0/8 [170/2585600] via 10.1.13.1, 00:02:30, Virtual-Access1
R3(config)#router eigrp 100
R3(config-router)#metric maximum-hops 8
Here we configure a static route for 50.0.0.0, then we add the default-network statement and redistribute static on R1. We verify on R3 that 50.0.0.0 is our candidate default. Next we configure the maximum-hops statement on R3.
Task four:
4. Configure loopback IPs 172.30.1.1/24, 172.30.2.1/24, and 172.30.3.1/24 on R5, advertise these networks into EIGRP. Configure R4 as a stub, but ensure that all R5’s connected networks are present in R1, R2 and R3’s routing tables with the exception of 172.30.2.0/24.
Config:
R5(config)#interface Loopback1
R5(config-if)#ip address 172.16.1.1 255.255.255.0
R5(config-if)#interface Loopback2
R5(config-if)#ip address 172.16.2.1 255.255.255.0
R5(config-if)#interface Loopback3
R5(config-if)#ip address 172.16.3.1 255.255.255.0
R5(config-if)#
R5(config-if)#ip access-list standard Match-172
R5(config-std-nacl)#permit 172.16.1.0 0.0.0.255
R5(config-std-nacl)#permit 172.16.2.0 0.0.0.255
R5(config-std-nacl)#permit 172.16.3.0 0.0.0.255
R5(config-std-nacl)#
R5(config-std-nacl)#route-map Redist-Conn permit 10
R5(config-route-map)#match ip address Match-172
R5(config-route-map)#
R5(config-route-map)#router eigrp 100
R5(config-router)#redistribute connected route-map Redist-Conn
R4(config)#ip access-list standard Match-Leak
R4(config-std-nacl)#deny 172.16.2.0 0.0.0.255
R4(config-std-nacl)#permit any
R4(config-std-nacl)#
R4(config-std-nacl)#route-map Leak-172 permit 10
R4(config-route-map)#match ip address Match-Leak
R4(config-route-map)#
R4(config-route-map)#router eigrp 100
R4(config-router)#eigrp stub leak-map Leak-172
R3#sh ip route eigrp
D 5.0.0.0/8 [90/2300416] via 10.2.2.4, 00:08:48, FastEthernet0/0
172.16.0.0/24 is subnetted, 3 subnets
D EX 172.16.1.0 [170/2300416] via 10.2.2.4, 00:08:48, FastEthernet0/0
D EX 172.16.3.0 [170/2300416] via 10.2.2.4, 00:08:48, FastEthernet0/0
We start on R5 by configuring the loopbacks, we then match them in an ACL and redistribute. Then on R4 we configure an ACL to block only the 172.16.2.0/24 network, we match it in a route-map and configure R4 as an EIGRP stub while using the leak-map to allow all routes other than 172.16.2.0/24 to be advertised. We verify that it’s working on R3.
Task five:
5. Configure loopback IPs 192.168.1.1/24, 192.168.2.1/24, 192.168.3.1/24 and 192.168.4.1/24 on R1. Inject the most specific summary possible into the EIGRP AS. Inject the full 192.168.3.0/24 route into EIGRP, do this all on R1. Originate a default route on R1. Do not use the “ip default-network” command to accomplish this.
Config:
R1(config)#interface Loopback0
R1(config-if)#ip address 1.1.1.1 255.0.0.0
R1(config-if)#interface Loopback1
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#interface Loopback2
R1(config-if)#ip address 192.168.2.1 255.255.255.0
R1(config-if)#interface Loopback3
R1(config-if)#ip address 192.168.3.1 255.255.255.0
R1(config-if)#interface Loopback4
R1(config-if)#ip address 192.168.4.1 255.255.255.0
R1(config-if)#
R1(config-if)#ip access-list standard Match-192
R1(config-std-nacl)#permit 192.168.1.0 0.0.0.255
R1(config-std-nacl)#permit 192.168.2.0 0.0.0.255
R1(config-std-nacl)#permit 192.168.3.0 0.0.0.255
R1(config-std-nacl)#permit 192.168.4.0 0.0.0.255
R1(config-std-nacl)#
R1(config-std-nacl)#route-map Redist-Conn permit 10
R1(config-route-map)#match ip address Match-192
R1(config-route-map)#
R1(config-route-map)#router eigrp 100
R1(config-router)#redistribute connected route-map Redist-Conn
R1(config-router)#
R1(config-router)#ip prefix-list EIGRP_Leak seq 10 permit 192.168.3.0/24
R1(config)#
R1(config)#route-map Leak-192.168.3.0 permit 10
R1(config-route-map)#match ip address prefix-list EIGRP_Leak
R1(config-route-map)#
R1(config-route-map)#interface Virtual-Template12
R1(config-if)#ip summary-address eigrp 100 192.168.0.0 255.255.248.0 5 leak-map Leak-192.168.3.0
R1(config-if)#ip summary-address eigrp 100 0.0.0.0 0.0.0.0 5
R1(config-if)#
R1(config-if)#interface Virtual-Template13
R1(config-if)#ip summary-address eigrp 100 192.168.0.0 255.255.248.0 5 leak-map Leak-192.168.3.0
R1(config-if)#ip summary-address eigrp 100 0.0.0.0 0.0.0.0 5
R3#sh ip route eigrp
D EX 192.168.3.0/24 [170/2713600] via 10.1.13.1, 00:33:21, Virtual-Access1
D* 0.0.0.0/0 [90/2585600] via 10.1.13.1, 00:33:21, Virtual-Access1
D 192.168.0.0/21 [90/2713600] via 10.1.13.1, 00:33:21, Virtual-Access1
First we add our loopbacks, next we match them in an ACL and redistribute them into EIGRP. Then we configure a prefix list to match the route we want to leak, next we match the prefix list in our route-map. Finally we add our summaries to the interfaces and use the “leak-map” command to reference our route-map. We verify that we’re seeing the default, 192 summary and leaked route on R3.
Task six:
6. Set the “bandwidth” command to 1000 on R1’s link to R2 and 500 on R1’s link to R3. Configure EIGRP to load balance across these two links.
Config:
R1(config)#interface Virtual-Template12
R1(config-if)#bandwidth 1000
R1(config-if)#
R1(config-if)#interface Virtual-Template13
R1(config-if)#bandwidth 500
R1(config-if)#
R1(config-if)#router eigrp 100
R1(config-router)#variance 2
R1#sh ip route eigrp
D EX 172.16.30.0 [170/7705600] via 10.1.13.3, 00:37:14, Virtual-Access2
[170/5148160] via 10.1.12.2, 00:37:14, Virtual-Access1
This one is pretty basic, we set the bandwidth commands and then configure variance under EIGRP. This tells EIGRP to unequally load balance across links using a multiple of 2. We have verified that R1 has added both routes to the RIB.
Task seven:
7. Prevent R4 from learning the 10.1.13.0/24 prefix from R3. Configure a static route for 172.16.30.0/24 on R3, redistribute this into EIGRP with the metric set to 50mbps, 100ms delay, maximum reliability, minimum load, and 1500 byte MTU. Do not use the “default-metric” command to accomplish this.
Config:
R3(config)#ip access-list standard Filter-10.1.1.13.2
R3(config-std-nacl)#deny 10.1.13.0 0.0.0.255
R3(config-std-nacl)#permit any
R3(config-std-nacl)#
R3(config-std-nacl)#ip route 172.16.30.0 255.255.255.0 Null0
R3(config-std-nacl)#
R3(config)#ip access-list standard Match-172
R3(config-std-nacl)#permit 172.16.30.0 0.0.0.255
R3(config-std-nacl)#
R3(config-std-nacl)#route-map Redist-Static permit 10
R3(config-route-map)#match ip address Match-172
R3(config)#router eigrp 100
R3(config-router)#redistribute static metric 50000 100 255 1 1500 route-map Redist-Static
R3(config-router)#distribute-list Filter-10.1.1.13.2 out
First we configure a filter that denies the 10.1.13.0/24 network and permits everything else, next we add a route for 172.16.30.0/24 pointing to Null0, then we match this route in an ACL and match the ACL in a route-map. Next we redistribute static routes using the route-map we configured, and we set the metric for these routes to match the task. Finally we use a distribute-list to filter the 10.1.13.0/24 route.
This one is a bit longer than the others, but I think it has some good information. Please let me know if you have any thoughts or spot any mistakes, I did this one pretty fast and recklessly.
Here’s the .net file:
The Dynagen/GNS3 .net file
(you will need to change the paths to make it work)
RIP Lab #2
about 1 year ago - 3 comments
This is the second and last RIP post I’ll be doing to prepare for the CCIE.
I’ve tried to include a lot in this one without making it too long. Here’s the topology:

Click here for the initial configs
Here is task one:
1. Configure RIPv2 on all routers and advertise their directly connected interfaces. Ensure that these routers have full NLRI to all the loopback interfaces advertised into RIP. Ensure that all routers can ping all loopbacks. Configure RIP not to advertise on any interface by default.
Let’s go through the config:
R1(config)#router rip
R1(config-router)# version 2
R1(config-router)# no auto-summary
R1(config-router)# network 1.0.0.0
R1(config-router)# network 10.0.0.0
R1(config-router)# passive-interface default
R1(config-router)# no passive-interface Serial0/0.102
R1(config-router)# no passive-interface Serial0/0.103
I’m only showing R1 here as the other routers will be nearly identical. First we enable RIP, configure the version, turn off auto-summary and configure our network statements. Then we use the “passive-interface default” command, which tells RIP that all interfaces are passive unless explicitly configured otherwise. Last we configure s0/0.102 and s0/0.103 NOT to be passive.
Task two:
2. Configure the strongest authentication for RIPv2 between R2, R3 and R4 using the key “cisco”.
Config:
R2(config)#key chain RIP
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string cisco
R2(config-keychain-key)#exit
R2(config)#int fa0/0
R2(config-if)#ip rip authentication mode md5
R2(config-if)#ip rip authentication key-chain RIP
R2#sh ip proto
Routing Protocol is "rip"
Default version control: send version 2, receive version 2
Interface             Send  Recv  Triggered RIP  Key-chain
FastEthernet0/0       2     2                    RIP
Again, only doing this on one router. First we configure the key-chain, we name it RIP and define the first key in the sequence with the string “cisco”. Then we configure the authentication mode on fa0/0 to use MD5. Last we apply the key-chain to the interface. We verify the config with “sh ip protocols”.
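What MD5 mode with key 1 puts on the wire, as an added example that is not from the original post: a Python implementation of the RFC 2082 keyed-MD5 packet layout that builds one authenticated RIPv2 update and checks it the way a receiver would, including the non-decreasing sequence number. The sample packet is constructed, and zero-padding the key-string to 16 octets and an Auth Data Len of 16 are assumptions taken from the RFC, not values captured from these routers.

```python
import hashlib
import hmac
import ipaddress
import struct

AUTH_AFI = 0xFFFF      # address-family value that marks an authentication entry
KEYED_MD5 = 3          # authentication type for keyed MD5 (RFC 2082)
DIGEST_LEN = 16

def pad_key(key: bytes) -> bytes:
    # Assumption: the key-string is zero-padded to 16 octets before hashing.
    if len(key) > DIGEST_LEN:
        raise ValueError("key longer than 16 octets")
    return key.ljust(DIGEST_LEN, b"\x00")

def _ip(text: str) -> bytes:
    return ipaddress.IPv4Address(text).packed

def route_entry(prefix: str, mask: str, metric: int) -> bytes:
    # AFI 2 (IP), route tag 0, next hop 0.0.0.0 (meaning: use the sender's address)
    return struct.pack("!HH4s4s4sI", 2, 0, _ip(prefix), _ip(mask), _ip("0.0.0.0"), metric)

def build_response(entries, key_id: int, key: bytes, seq: int) -> bytes:
    body = b"".join(entries)
    length = 4 + 20 + len(body)            # header + auth entry + routes, trailer excluded
    header = struct.pack("!BBH", 2, 2, 0)  # command 2 (response), version 2
    auth = struct.pack("!HHHBBIII", AUTH_AFI, KEYED_MD5, length, key_id, DIGEST_LEN, seq, 0, 0)
    signed = header + auth + body + struct.pack("!HH", AUTH_AFI, 1)
    # The padded key occupies the digest field while hashing, then the digest replaces it.
    return signed + hashlib.md5(signed + pad_key(key)).digest()

def verify(packet: bytes, keys: dict, last_seq: int = 0) -> bool:
    if len(packet) < 24 + 4 + DIGEST_LEN:
        return False
    afi, autype, length, key_id, _, seq = struct.unpack("!HHHBBI", packet[4:16])
    if afi != AUTH_AFI or autype != KEYED_MD5:
        return False                       # unauthenticated or plain-text password packet
    if key_id not in keys or len(packet) != length + 4 + DIGEST_LEN:
        return False
    if seq < last_seq:
        return False                       # replayed or stale update
    expected = hashlib.md5(packet[:length + 4] + pad_key(keys[key_id])).digest()
    return hmac.compare_digest(expected, packet[length + 4:])

# Constructed sample: one update for 1.0.0.0/8 signed with key 1, key-string "cisco".
SAMPLE = build_response([route_entry("1.0.0.0", "255.0.0.0", 1)], 1, b"cisco", 100)

if __name__ == "__main__":
    print(verify(SAMPLE, {1: b"cisco"}), verify(SAMPLE, {1: b"Cisco"}))
```

The digest covers the route entries, the key ID and the sequence number, so a changed metric, a different key ID or a case difference in the key-string all fail the same check.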
Task three:
3. Originate a default route on R1, ensure that it propagates throughout the RIP domain.
Config:
R1(config-router)#default-information originate
R4#sh ip route rip
...
R* 0.0.0.0/0 [120/2] via 10.2.2.2, 00:00:23, FastEthernet0/0
That was an easy one, we simply tell R1 to originate a default route. We see that it has propagated to R4.
Task four:
4. Configure RIPv2 to only send triggered updates across the Frame-Relay cloud.
Config:
R1(config-subif)# ip rip triggered
R1(config)#int s0/0.103
R1(config-subif)# ip rip triggered
R2(config)#int s0/0.201
R2(config-subif)#ip rip triggered
R3(config)#int s0/0.301
R3(config-subif)#ip rip triggered
R2#sh ip proto
Routing Protocol is "rip"
Default version control: send version 2, receive version 2
Interface             Send  Recv  Triggered RIP  Key-chain
FastEthernet0/0       2     2                    RIP
Serial0/0.201         2     2     Yes
Another easy one. We’ve configured all the FR links to send triggered updates instead of periodic updates. We verify this with “sh ip protocols”.
Task five:
5. Configure R1 and R2 to communicate via Broadcast updates, configure R1 and R3 to communicate via Unicast updates.
Config:
R1(config)#int s0/0.102
R1(config-subif)#ip rip v2-broadcast
R2(config)#int s0/0.201
R2(config-subif)#ip rip v2-broadcast
R1(config)#router rip
R1(config-router)#passive-interface Serial0/0.103
R1(config-router)#neighbor 10.1.13.3
R3(config)#router rip
R3(config-router)#passive-interface s0/0.301
R3(config-router)#neighbor 10.1.13.1
To configure broadcast updates we go under the respective interfaces and use the “ip rip v2-broadcast” command. To configure unicast updates we set the interface as passive under RIP, then configure static neighbor statements.
Task six:
6. Make R4 prefer the path through R2 to get to R1's loopback. Ensure that R4 will failover to R3's path if R2 is down.
Config:
R3(config)#ip access-list st R1-Loopback
R3(config-std-nacl)#permit 1.0.0.0
R3(config-std-nacl)#exit
R3(config)#router rip
R3(config-router)# offset-list R1-Loopback out 5 FastEthernet0/0
(R2's fa0/0 up)
R4#sh ip route rip
R 1.0.0.0/8 [120/2] via 10.2.2.2, 00:00:37, FastEthernet0/0
(R2's fa0/0 is down)
R4#sh ip route rip
R 1.0.0.0/8 [120/7] via 10.2.2.3, 00:00:07, FastEthernet0/0
We configured an ACL to match R1's loopback network and add 5 to the metric (hop count) when advertising it out fa0/0. We see that the path through R2 is chosen; when we shut R2's fa0/0 port, we see it fail over to the path through R3.
Here’s the .net file:
The Dynagen/GNS3 .net file
(you will need to change the paths to make it work)
Guest Post On NF Blog
about 1 year ago - No comments
I wrote a BGP Lab post on the Networking-Forum Blog. Here’s a preview:
Topology:

Tasks:
1. Configure the Outside Border Router in AS 6500. Peer with ISP-1 and ISP-2. Ensure that the DMZ subnet is advertised to the internet.
2. Prevent AS 6500 from being used as a transit between ASes 1111 and 2222.
3. The link through ISP-1 is much faster than the link through ISP-2. Configure outgoing traffic to use ISP-1 as the primary, only use the link through ISP-2 if the primary link is down.
4. Configure incoming traffic to use the link through ISP-1 as the primary.
5. Ensure that NAT is setup to use both ISPs.
Check it out if you’re interested!
RIP Lab #1
about 1 year ago - 5 comments
This is the first in a series of lab posts I’ll be doing to prepare for the CCIE.
Today’s lab is from Narbik’s Volume One workbook. It’s a RIPv2 lab with some tricks thrown in. Here’s the topology:

Click here for the initial configs
Here is task one:
1. Configure RIPv2 on all routers and advertise their directly connected interfaces. Ensure that these routers have full NLRI to all the loopback interfaces advertised into RIP. Ensure that all routers can ping all loopbacks.
Let’s go through the config:
R1:
R1(config)#router rip
R1(config-router)#ver 2
R1(config-router)#no auto
R1(config-router)#network 10.0.0.0
R1(config-router)#network 1.0.0.0
R2:
R2(config)#router rip
R2(config-router)#ver 2
R2(config-router)#no auto
R2(config-router)#network 10.0.0.0
R2(config-router)#network 2.0.0.0
R3:
R3(config)#router rip
R3(config-router)#ver 2
R3(config-router)#no auto
R3(config-router)#network 10.0.0.0
R3(config-router)#network 3.0.0.0
Looks pretty simple, but I’m sure you guys see that this won’t work correctly. Let’s look at R2 and R3's routing tables:
R2#sh ip route
...
R 1.0.0.0/8 [120/1] via 10.1.1.1, 00:00:15, Serial0/0
C 2.0.0.0/8 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, Serial0/0
R3#sh ip route
...
R 1.0.0.0/8 [120/1] via 10.1.1.1, 00:00:06, Serial0/0
C 3.0.0.0/8 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, Serial0/0
We see that R2 and R3 are missing routes to each other’s loopbacks. This is due to split horizon. To refresh everyone’s memory, split horizon is a rule that a router will not advertise a route out the same interface from which it has learned the route. This prevents loops. Split horizon applies here because we aren’t using sub-interfaces for each spoke.
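The behaviour described above, modelled as an added Python example (not part of the original lab): a small distance-vector simulation of this hub-and-spoke, where R1 reaches both spokes through the single multipoint interface s0/0.123. The update loop is a simplified, constructed model of RIP, not router output.

```python
def converge(split_horizon: bool, rounds: int = 4) -> dict:
    """Exchange RIP-style updates and return each router's table."""
    # Constructed model: (router, interface) -> neighbours reached through it.
    # The spokes only have a PVC to the hub, so they never hear each other directly.
    links = {
        ("R1", "s0/0.123"): ["R2", "R3"],
        ("R2", "s0/0"): ["R1"],
        ("R3", "s0/0"): ["R1"],
    }
    # tables[router][prefix] = (metric, interface the route was learned on)
    tables = {
        "R1": {"1.0.0.0/8": (0, "Lo0")},
        "R2": {"2.0.0.0/8": (0, "Lo0")},
        "R3": {"3.0.0.0/8": (0, "Lo0")},
    }
    for _ in range(rounds):
        updates = []
        for (router, ifname), neighbours in links.items():
            for prefix, (metric, learned_on) in tables[router].items():
                if split_horizon and learned_on == ifname:
                    continue  # never advertise a route out the interface it came in on
                for neighbour in neighbours:
                    updates.append((neighbour, prefix, metric + 1))
        for neighbour, prefix, metric in updates:
            in_if = "s0/0.123" if neighbour == "R1" else "s0/0"
            known = tables[neighbour].get(prefix)
            if metric < 16 and (known is None or metric < known[0]):
                tables[neighbour][prefix] = (metric, in_if)
    return tables

if __name__ == "__main__":
    for enabled in (True, False):
        r2 = converge(enabled)["R2"]
        print("split horizon", enabled, {p: m for p, (m, _) in sorted(r2.items())})
```

With split horizon on, R1 holds both spoke loopbacks but never re-advertises them out s0/0.123, so each spoke only learns 1.0.0.0/8.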
Let’s disable split horizon:
R1(config)#int s0/0.123
R1(config-subif)#no ip split-horizon
We’ll verify on R2:
R2#sh ip route
...
R 1.0.0.0/8 [120/1] via 10.1.1.1, 00:00:26, Serial0/0
C 2.0.0.0/8 is directly connected, Loopback0
R 3.0.0.0/8 [120/2] via 10.1.1.3, 00:00:26, Serial0/0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, Serial0/0
R2#ping 3.3.3.3
.....
Success rate is 0 percent (0/5)
So we now have the route in the table, but no reachability. This is another curveball. Look at the next hop for R3's loopback: it is 10.1.1.3, which is R3's serial interface. The issue here is that we don’t know how to get to that IP. We need a Frame-Relay map statement:
R2(config)#int s0/0
R2(config-if)#frame-relay map ip 10.1.1.3 201
R3(config)#int s0/0
R3(config-if)#frame-relay map ip 10.1.1.2 301
R3#ping 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/7/12 ms
It works! We now have reachability to all loopbacks. Notice we did not use the broadcast option at the end of our map statement as it is not needed here.
Now onto the next task:
2. Remove the no ip split-horizon command and the Frame map statements from R2 and R3 configured in the first step from R2 and R3. Then configure R2 and R3 such that they can ping each others’ loopbacks. DO NOT configure static routes or extra Frame maps to accomplish this. Ensure that the next hop IP is NOT changed and is still the address of the originating router.
First we’ll remove our previous commands:
R1(config-subif)#ip split-horizon
R2(config-if)#no frame-relay map ip 10.1.1.3 201
R3(config-if)#no frame-relay map ip 10.1.1.2 301
This one is a little trickier. How can we accomplish this without map statements or static routes? Good ole PPP. Let’s configure it:
R1(config-subif)#no ip add
R1(config-subif)#frame-relay interface-dlci 102 ppp virtual-Template 123
R1(config-fr-dlci)#exit
R1(config-subif)#frame-relay interface-dlci 103 ppp virtual-Template 123
R1(config-fr-dlci)#exit
R1(config)#interface virtual-template 123
R1(config-if)#ip add 10.1.1.1 255.255.255.0
R2(config)#int s0/0
R2(config-if)#no ip add
R2(config-if)#frame-relay interface-dlci 201 ppp virtual-Template 123
R2(config-fr-dlci)#exit
R2(config)#interface virtual-template 123
R2(config-if)#ip add 10.1.1.2 255.255.255.0
R3(config)#int s0/0
R3(config-if)#no ip add
R3(config-if)#frame-relay interface-dlci 301 ppp virtual-Template 123
R3(config-fr-dlci)#exit
R3(config)#interface virtual-template 123
R3(config-if)#ip add 10.1.1.3 255.255.255.0
We removed the IP addresses from the interfaces, then configured PPP over FR using a virtual-template. We then configured our IP on the template. Now we’ll verify our routing table and connectivity:
R3#sh ip route
...
R 1.0.0.0/8 [120/1] via 10.1.1.1, 00:00:25, Virtual-Access1
R 2.0.0.0/8 [120/2] via 10.1.1.2, 00:00:25, Virtual-Access1
C 3.0.0.0/8 is directly connected, Loopback0
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
R 10.1.1.2/32 [120/1] via 10.1.1.1, 00:00:25, Virtual-Access1
C 10.1.1.0/24 is directly connected, Virtual-Access1
C 10.1.1.1/32 is directly connected, Virtual-Access1
R3#ping 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/12 ms
Our routing table is populated correctly and we do have reachability. The important thing to note here is that we now have host routes in the table added by PPP. We have accomplished reachability without using map statements or turning off split horizon.
That’s it for this one. It’s a short lab, but it has a lot of valuable information.
The Dynagen/GNS3 .net file
(you will need to change the paths to make it work)

about 2 years ago
Are 1, 2, 3, and 4 reflectors? I’ll be honest, I haven’t d/l’d the config, apologies if the answer is in there.
about 2 years ago
There isn’t any router config, just the .net file. So looking at it wouldn’t have answered your question anyway.:p
Do you mean P1-4? Those are the MPLS P/Core routers. I actually don’t have any reflectors in my current config, iBGP is fully meshed.
about 2 years ago
Yes it is! I’m retarded! Good deal!
about 2 years ago
I’ve been thinking of doing a new topology for the MPLS labs myself.
You going to run any ATM? A lot of MPLS over ATM in the MPLS exam
about 2 years ago
Nah, no ATM for me. I’ll take as much as I can from the MPLS books, but I don’t want to learn to configure that crap.:(
about 7 months ago
hello guys,
im ccna/np certified, going to start studying for ccip. how many switches & routers do you think i’d need to make my own labs for BGP/QoS/MPLS. any suggestions will be appreciated. Thanks,