6CoLabs. The Shrike
©Fabrice Bobes 2002 (Single User License)
The Shrike – 6CoLabs
Part 0: Pre Lab Setup
0.1 Load the initial configs.
0.2 The major Network is 150.4.0.0
0.3 Create a loopback interface (Lo0) on each router.
This loopback interface’s address must be 150.4.x.x where x is the router number. The subnet mask is /24.
0.4 Default routes, static routes and routes to null0 are not permitted unless otherwise specified
0.5 At the end of your work, verify the IP connectivity. Unless it is otherwise specified, every interface must be “pingable”
from any router.
Part 1: Bridging and Switching (16 points)
1.1 Catalysts 3550 configuration (7 points)
1.1.1 On Cat35-1, the vtp domain name must be 6Colabs and the vtp mode server.
Cat35-2 must synchronize its VLAN configuration with Cat35-1. You can’t change Cat35-2’s VLAN configuration.
1.1.2 Vlans Configuration:
1.4 ATM configuration (4 points)
1.4.1 Configure Classical IP between R13 and R14. You must specify the Esi-address on both sides. R14 is the ARP
server. Don't use any subinterface.
Part 2: IP IGP Protocols (26 points)
2.1 OSPF Configuration (10 points)
2.1.1 Configure the OSPF areas as shown in the diagram.
Enable OSPF by specifying the entire mask in your network statement.
On R5, R6, R8 and R14, assign the loopback interface Lo0 to the OSPF area of your choice.
2.1.2 Configure area 0 to use the highest level of authentication possible. Use the password cisco.
2.1.3 Do not advertise the loopback interfaces as host routes (/32 mask)
2.2 RIP Configuration (4 points)
2.2.1 Configure RIP between R5 and R1. Add the loopbacks and the ethernet networks on R1 to the RIP process.
2.2.2 Make sure that R1 can only send and receive RIP v1 updates on its Ethernet interface.
2.2.3 Don't summarize the routes on R1 and R5
2.2.4 Configure RIP authentication between R1 and R5. Use the highest level of authentication possible.
Part 4: BGP (23 points)
4.1 IBGP Configuration (3 points)
4.1.1 Configure R6, R8 and R14 in AS65005. R6 and R14 should have only one neighbor within AS 65005.
4.1.2 Don't turn off synchronization in AS65005
4.1.3 Every BGP router must use its loopback address when peering
4.2 EBGP Configuration (8 points)
4.2.1 Configure router R1 in AS65001 to peer with router R5 in AS2
4.2.2 Configure router R6 in AS3 to peer with router R5 in AS2.
4.2.3 Configure router R14 in AS3 to peer with router R13 in AS4 and with Cat35-2 in AS5.
4.2.4 Every BGP router must use its loopback address when peering except between AS5 and AS3.
4.3 Redistribution/Filtering (12 points)
4.3.1 Create a loopback interface Lo10 on R1 with IP subnet 172.16.1.0/24 and inject it into BGP.
Make sure that every router within AS3 knows about this subnet.
4.3.2 Don't advertise the network 172.16.1.0/24 to AS4 or AS5. You can only make the change on R6.
4.3.3 Configure R1 to advertise all the networks 192.168.x.0/24 and summarize them as a single network. Use the
Part 6: Voice (8 points)
6.1.1 Configure Phone A on R13 with the number 1301
6.1.2 Configure Phone B on R13 with the number 1302
6.1.3 Configure Phone C on R14 with the number 1401
6.1.4 You must be able to dial any number from Phone C and ring Phone B. You must still connect to the right
extension. Num-exp is not allowed.
6.1.5 Configure Phone A to be able to call Phone C
6.1.6 Picking up Phone B must ring automatically Phone A
6.1.7 The voice quality is of the highest importance and you have plenty of network bandwidth:
- choose a codec with the highest quality
- enable the transmission of silence packets
6.1.8 Reserve the equivalent of 10% of an OC3 link for the voice traffic with a maximum of 80 kbps per single flow.
Only R13 will request the reservation of bandwidth.
Part 7: Other IOS Features (9 points)
7.1.1 You want to prevent DOS (Denial of Service) attacks coming from the network attached to e0/0 on R1.
a) - Enable the feature that will discard IP packets that lack a verifiable IP source address.
The Shrike – 6CoLabs
ANSWERS
(the answers are written in italics)
Part 0: Pre Lab Setup
0.1 Load the initial configs.
0.2 The major Network is 150.4.0.0
0.3 Create a loopback interface (Lo0) on each router.
This loopback interface’s address must be 150.4.x.x where x is the router number. The subnet mask is /24.
0.4 Default routes, static routes and routes to null0 are not permitted unless otherwise specified
0.5 At the end of your work, verify the IP connectivity. Unless otherwise specified, every interface must be
“pingable” from any router.
Its IP address is 150.4.114.51/24.
A: On Cat35-1, you need to enter the following configuration:
vlan 10
name VLAN-A
vlan 20
name VLAN-B
vlan 30
name VLAN-C
vlan 40
name VLAN-D
vlan 50
name VLAN-E
interface Vlan30
ip address 150.4.114.50 255.255.255.0
Cat35-2:
interface Vlan30
ip address 150.4.114.51 255.255.255.0
1.1.3 Configure a Trunk on an EtherChannel bundle between Cat35-1 and Cat35-2. Use dot1Q for the trunk
encapsulation. Disable Trunk negotiation. You must manually configure EtherChannel and the trunk.
A: Create the Etherchannel first with the following commands on Cat35-1 and Cat35-2
interface fa0/19
channel-group 1 mode on
interface fa0/20
channel-group 1 mode on
Check your entries with:
1.1.5 Reduce the startup delay of the Cat35-2’s FastEthernet ports 0/1 to 0/12 without turning Spanning-Tree off.
A: Enable PortFast.
interface range fastEthernet 0/1 - 12
spanning-tree portfast
1.2 Frame-Relay Configuration (3 points)
1.2.1 Configure R6 and R5 over Frame-Relay. Use only subinterfaces.
1.2.2 Configure R6 and R14 over Frame-Relay. Don't use a subinterface on R14.
1.2.3 Configure R1 and R5 over Frame-Relay.
The frame-relay switch R7 has been configured with fully meshed PVCs. Use only the PVCs shown in the diagram.
A: Disable inverse-arp
interface serial 0/0
no frame-relay inverse-arp
1.3 PPP configuration (2 points)
1.3.1 The encapsulation for the serial connection between R6 and R8 must be PPP.
Use a clock rate of 256000 on R6 S0/1
1.3.2 Configure R6 to shutdown the link if the quality drops below 80%.
A: Link Quality Monitoring (LQM) will monitor the link and shut down the router interface if the quality drops below the configured threshold.
On R6:
interface s0/1
encapsulation ppp
ppp quality 80
!
pvc 0/16 ilmi
R13:
interface ATM2/0
ip address 150.4.100.13 255.255.255.0
atm esi-address 131313131313.00
no atm ilmi-keepalive
atm arp-server nsap 47.009181000000123456789012.141414141414.00
pvc 0/5 qsaal
!
pvc 0/16 ilmi
Verify your entries on R14:
show atm arp-server
IP Address TTL ATM Address
ATM2/0:
* 150.4.100.13 17:37 4700918100000012345678901213131313131300
* 150.4.100.14 17:21 4700918100000012345678901214141414141400
Part 2: IP IGP Protocols (26 points)
2.1 OSPF Configuration (10 points)
A: Add:
interface Ethernet0/0
ip rip send version 1
ip rip receive version 1
2.2.3 Don't summarize the routes on R1 and R5
A: You must use RIPv2 between R1 and R5
2.2.4 Configure RIP authentication between R1 and R5. Use the highest level of authentication possible.
A: To enable MD5 authentication for RIPv2, you must add the following configuration to R1 and to R5:
key chain rip
key 1
key-string cisco
int s0/0 (int s0/1 on R5)
ip rip authentication mode md5
ip rip authentication key-chain rip
2.3 EIGRP configuration (4 points)
2.3.1 Configure EIGRP as shown in the diagram. Include R13 loopback interface into the EIGRP process.
2.4 Redistribution configuration. (8 points)
On R8:
router ospf 1
distance 175
Part 3: Dial (10 points)
3.1 The ISDN link must come up only when the Frame-Relay link is down.
Use the Frame-Relay feature that checks if the remote end of the VC is up or down via keepalive requests.
A: You are asked to use the frame-relay end-to-end keepalive feature. This feature is a great addition to the backup
interface command.
The relevant configuration for R6 is:
interface Serial0/0.1 point-to-point
frame-relay class freek
map-class frame-relay freek
frame-relay end-to-end keepalive mode reply
On R5:
interface Serial0/0.1 point-to-point
frame-relay class freek
map-class frame-relay freek
frame-relay end-to-end keepalive mode request
3.2 Only R5 must initiate the call. When the frame-relay goes down, the ISDN link must be brought up in less than 5
4.1.2 Don't turn off synchronization in AS65005
4.1.3 Every BGP router must use its loopback address when peering
4.2 EBGP Configuration (8 points)
4.2.1 Configure router R1 in AS65001 to peer with router R5 in AS2
4.2.2 Configure router R6 in AS3 to peer with router R5 in AS2.
A: R6 being in AS3 implies that you must configure a BGP confederation.
4.2.3 Configure router R14 in AS3 to peer with router R13 in AS4 and with Cat35-2 in AS5.
4.2.4 Every BGP router must use its loopback address when peering except between AS5 and AS3.
4.3 Redistribution/Filtering (12 points)
4.3.1 Create a loopback interface Lo10 on R1 with IP subnet 172.16.1.0/24 and inject it into BGP.
Make sure that every router within AS3 knows about this subnet.
A: Turn off auto-summarization on R1:
router bgp 65001
network 172.16.1.0 mask 255.255.255.0
no auto-summary
You need to redistribute the network into an IGP on R6. Don’t redistribute it into OSPF or the network won’t show up
on R14. This is due to the route reflection.
router eigrp 100
redistribute bgp 65005
4.3.2 Don't advertise the network 172.16.1.0/24 to AS4 or AS5. You can only make the change on R6.
Origin IGP, localpref 100, valid, internal, synchronized, best
Community: local-AS
Originator: 150.4.6.6, Cluster list: 150.4.8.8
4.3.3 Configure R1 to advertise all the networks 192.168.x.0/24 and summarize them as a single network. Use the
shortest prefix possible. You must redistribute the networks into BGP without using the network command.
A: The relevant configuration for R1 is:
router bgp 65001
aggregate-address 192.168.0.0 255.255.248.0 summary-only
redistribute connected route-map c2b
access-list 1 permit 192.168.0.0 0.0.7.255
route-map c2b permit 10
match ip address 1
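An added example (not from the workbook): a short Python routine that derives the shortest covering prefix for the 192.168.1.0/24 to 192.168.7.0/24 networks, the matching access-list wildcard, and the specifics that summary-only suppresses, so the 192.168.0.0 255.255.248.0 and 0.0.7.255 values above can be checked rather than guessed.

```python
import ipaddress

# Constructed input: the seven 192.168.x.0/24 networks on R1 that task 4.3.3
# asks to summarize with the shortest prefix possible.
R1_NETWORKS = [f"192.168.{x}.0/24" for x in range(1, 8)]


def shortest_summary(prefixes):
    """Return the single shortest prefix that covers every given network,
    i.e. the value for 'aggregate-address <net> <mask> summary-only'."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    summary = nets[0]
    # Widen one bit at a time until all networks fall inside the candidate.
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


def wildcard_mask(net):
    """IOS access-list wildcard for a network: the inverse of its netmask
    (the '0.0.7.255' in access-list 1 that feeds route-map c2b)."""
    return str(net.hostmask)


def acl_matches(address, acl_address, wildcard):
    """Standard access-list test: bits set to 1 in the wildcard are ignored."""
    a = int(ipaddress.ip_address(address))
    b = int(ipaddress.ip_address(acl_address))
    w = int(ipaddress.ip_address(wildcard))
    return (a & ~w) == (b & ~w)


def suppressed_specifics(prefixes):
    """Specific routes that 'summary-only' suppresses (flagged 's' in
    'show ip bgp'); the summary itself is never in this list."""
    summary = shortest_summary(prefixes)
    return [p for p in prefixes if ipaddress.ip_network(p) != summary]


if __name__ == "__main__":
    agg = shortest_summary(R1_NETWORKS)
    print(f"aggregate-address {agg.network_address} {agg.netmask} summary-only")
    print(f"access-list 1 permit {agg.network_address} {wildcard_mask(agg)}")
    for p in suppressed_specifics(R1_NETWORKS):
        print(f"suppressed: {p}")
```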
4.3.4 AS3 must see the networks learned from R1 without AS path containing AS65001.
The change must be done on R5. Don’t use a route-map.
A: AS65001 is a private AS and you can easily remove it from the AS path via the following command on R5:
neighbor 150.4.6.6 remove-private-as
4.3.5 Create a loopback interface on R6 with IP subnet 210.210.210.0/24 and inject it into BGP.
Make sure that this subnet shows up in every router within AS3, AS4 and AS5 only.
Don’t advertise this subnet via BGP nor IGP to R1 and R5.
A: You need to make some change on R5 to reflect the change of R6’s router-ID.
R5:
router ospf 1
area 10 virtual-link 210.210.210.1
area 56 virtual-link 210.210.210.1
5.1.2 Configure R5 to peer with R6 in case the DLSW connection between R5 and R8 fails. Use DLSW Lite
encapsulation between R5 and R6.
Make sure that the link between R5 and R6 doesn't stay up when the link between R5 and R8 is restored.
A: You need to configure a backup peer. Add the option linger 0 to make sure that the backup link doesn’t stay up
when the primary link comes back. Actually this option is essential or you may end up having frames from the same
MAC address coming from two different paths.
On R5:
dlsw remote-peer 0 frame-relay interface Serial0/0.1 506 backup-peer 150.4.8.8 linger 0
5.1.3 Only R5 must establish the DLSW connections. Don’t use the option promiscuous on R6 and R8.
A: The option passive will prevent the router from actively establishing the DLSW connections to the remote peers.
On R6:
dlsw local-peer peer-id 150.4.6.6 passive
On R8:
dlsw local-peer peer-id 150.4.8.8 passive
5.1.4 Eliminate unnecessary traffic by disabling spanning-tree negotiation protocol
A: bridge-group x spanning-disabled
5.1.5 Configure a filter on R5 that will allow only Netbios traffic to R6 and R8.
A: On R5:
access-list 200 permit 0xF0F0 0x0101
dlsw remote-peer 0 tcp 150.4.8.8 lsap-output-list 200
dlsw remote-peer 0 frame-relay interface Serial0/0.1 506 lsap-output-list 200 backup-peer 150.4.8.8 linger 0
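An added example (not from the workbook) that emulates the type-code access list above in Python over constructed LLC frames, showing why the 0x0101 wild-mask still admits NetBIOS responses while SNA and SNAP traffic is dropped. The byte order of the 16-bit key (DSAP high, SSAP low) is an assumption of this example.

```python
# Constructed copy of the R5 answer's type-code access list (range 200-299):
# 'access-list 200 permit 0xF0F0 0x0101'. Anything not matched is dropped.
R5_LSAP_ACL = ["access-list 200 permit 0xF0F0 0x0101"]

# Constructed sample LLC frames as (description, DSAP, SSAP).
SAMPLE_FRAMES = [
    ("NetBIOS command", 0xF0, 0xF0),
    ("NetBIOS response (C/R bit set in SSAP)", 0xF0, 0xF1),
    ("SNA", 0x04, 0x04),
    ("SNAP-encapsulated IP", 0xAA, 0xAA),
]


def parse_type_code_acl(config_lines):
    """Parse 'access-list <200-299> permit|deny <type-code> <wild-mask>' lines
    into (action, value, wild_mask) tuples, in configuration order."""
    entries = []
    for line in config_lines:
        parts = line.split()
        if (len(parts) == 5 and parts[0] == "access-list"
                and 200 <= int(parts[1]) <= 299):
            entries.append((parts[2], int(parts[3], 16), int(parts[4], 16)))
    return entries


def lsap_allowed(entries, dsap, ssap):
    """Emulate an lsap-output-list lookup. Assumed here: the 16-bit key is
    DSAP in the high byte and SSAP in the low byte; wild-mask bits set to 1
    are ignored; first match wins; an unmatched frame is denied."""
    key = (dsap << 8) | ssap
    for action, value, wild in entries:
        care = ~wild & 0xFFFF
        if (key & care) == (value & care):
            return action == "permit"
    return False


def filter_report(config_lines, frames):
    """Return {description: allowed} for each sample frame."""
    entries = parse_type_code_acl(config_lines)
    return {desc: lsap_allowed(entries, d, s) for desc, d, s in frames}


if __name__ == "__main__":
    for desc, allowed in filter_report(R5_LSAP_ACL, SAMPLE_FRAMES).items():
        print(f"{desc:40s} {'permit' if allowed else 'deny'}")
```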
6.1.4 You must be able to dial any number from Phone C and ring Phone B. You must still connect to the right
extension. Num-exp is not allowed.
A: On R14:
dial-peer voice 2 voip
destination-pattern 1301
session target ipv4:150.4.13.13
!
dial-peer voice 3 voip
destination-pattern T
session target ipv4:150.4.13.13
On R13, you need to modify the pots dial-peer configuration if you want Phone B to ring when dialing any number
from Phone C:
dial-peer voice 2 pots
destination-pattern T
port 3/0/1
6.1.5 Configure Phone A to be able to call Phone C
A: On R13:
dial-peer voice 3 voip
destination-pattern 1401
session target ipv4:150.4.14.14
On R13:
interface ATM2/0
ip rsvp bandwidth 15500 80
dial-peer voice 3 voip
req-qos controlled-load
On R14:
interface ATM2/0
ip rsvp bandwidth 15500 80
On R13, you can check your work with the following command:
R13#sh ip rsvp reservation
To From Pro DPort Sport Next Hop I/F Fi Serv BPS Bytes
150.4.100.13 150.4.100.14 UDP 18628 18902 FF LOAD 80K 400
Part 7: Other IOS Features (9 points)
7.1.1 You want to prevent DOS (Denial of Service) attacks coming from the network attached to e0/0 on R1.
a) - Enable the feature that will discard IP packets that lack a verifiable IP source address.
b) - Protect the TCP servers on the network 150.4.0.0/16 from TCP SYN-flooding attacks
A: a) Enable Unicast Reverse Path Forwarding on R1:
7.1.3 Telnet access to the Catalyst Cat35-2 must be only permitted from R5. R5 must use the address of its loopback
address as the source address for Telnet.
A: On Cat35-2, use access-class:
access-list 1 permit 150.4.5.5
line vty 0 4
access-class 1 in
On R5, use the global command ip telnet source-interface
ip telnet source-interface lo0
To successfully Telnet, you need a password as well:
line vty 0 4
access-class 1 in
login
password cisco
7.1.4 Configure R5 to serve as a DHCP Server for the clients attached to R5’s E0/0. You must exclude the following
addresses from the pool: 150.4.50.101 – 150.4.50.254
Configure the following options:
- DNS servers: 150.4.114.253 150.4.114.254
- WINS server: 150.4.114.253
- Netbios-node-type: Hybrid
- Lease: 3 Days
- Default Router: 150.4.50.5
Check your work. You should be able to reach every network from every router.
Answer: Did you add a default route on Cat35-1?
You don’t need a default route or a default gateway on the Cat35-1
to make its management interface reachable from any router.
Why? On R14, proxy-arp is enabled by default.
R1.txt
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R1
!
logging rate-limit console 10 except errors
!
memory-size iomem 15
ip subnet-zero
!
!
no ip finger
ip tcp intercept list 101
no ip domain-lookup
!
ip cef
ip audit notify log
ip address 192.168.4.1 255.255.255.0
!
interface Loopback5
ip address 192.168.5.1 255.255.255.0
!
interface Loopback6
ip address 192.168.6.1 255.255.255.0
!
interface Loopback7
ip address 192.168.7.1 255.255.255.0
!
interface Ethernet0/0
ip address 192.168.1.1 255.255.255.0
ip access-group 102 in
ip verify unicast reverse-path
ip rip send version 1
ip rip receive version 1
half-duplex
!
interface Serial0/0
ip address 150.4.15.1 255.255.255.0
ip rip authentication mode md5
ip rip authentication key-chain rip
encapsulation frame-relay
no fair-queue
frame-relay map ip 150.4.15.5 105 broadcast
no frame-relay inverse-arp
!
no ip http server
!
access-list 1 permit 192.168.0.0 0.0.7.255
access-list 101 permit tcp any 150.4.0.0 0.0.255.255
access-list 102 permit tcp any host 150.4.50.3 eq smtp
access-list 102 permit tcp any host 150.4.50.3 eq www
access-list 102 permit tcp any host 150.4.50.2 eq ftp
access-list 102 permit tcp any host 150.4.50.2 eq ftp-data
access-list 102 permit tcp any eq www 150.4.114.0 0.0.0.255 established
access-list 102 permit udp any host 255.255.255.255
access-list 102 deny ip any any log
route-map c2b permit 10
match ip address 1
!
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
transport input none
line aux 0
line vty 0 4
login
!
end
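An added example, not from the workbook: a Python evaluator for the access-list 102 applied inbound on R1's Ethernet0/0 in the configuration above, run over constructed flows from the 192.168.1.0 segment to show which server traffic is permitted and which falls through to the logging deny at the end. The packet fields and the reading of `established` as the TCP ACK/RST flag are assumptions of this example.

```python
import ipaddress
# Constructed copy of access-list 102 (applied 'ip access-group 102 in' on
# R1's Ethernet0/0 above), with the wrapped 'established' line rejoined.
ACL_102 = """access-list 102 permit tcp any host 150.4.50.3 eq smtp
access-list 102 permit tcp any host 150.4.50.3 eq www
access-list 102 permit tcp any host 150.4.50.2 eq ftp
access-list 102 permit tcp any host 150.4.50.2 eq ftp-data
access-list 102 permit tcp any eq www 150.4.114.0 0.0.0.255 established
access-list 102 permit udp any host 255.255.255.255
access-list 102 deny ip any any log""".splitlines()
PORTS = {"smtp": 25, "www": 80, "ftp": 21, "ftp-data": 20}  # IOS port names used

def _addr(tokens):
    # Consume 'any' | 'host A' | 'A WILDCARD'; return (address, wildcard) as ints.
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.ip_address(tokens.pop(0))), 0
    return int(ipaddress.ip_address(tok)), int(ipaddress.ip_address(tokens.pop(0)))

def _port(tokens):
    # Consume an optional 'eq <port>' qualifier; None means any port.
    if tokens and tokens[0] == "eq":
        _, name = tokens.pop(0), tokens.pop(0)
        return PORTS[name] if name in PORTS else int(name)
    return None

def parse_extended_acl(lines):
    """Parse extended ACL lines into dicts, keeping configuration order."""
    entries = []
    for line in lines:
        t = line.split()[2:]                  # drop 'access-list 102'
        action, proto = t.pop(0), t.pop(0)
        src, sport = _addr(t), _port(t)
        dst, dport = _addr(t), _port(t)
        entries.append(dict(action=action, proto=proto, src=src, sport=sport, dst=dst,
                            dport=dport, established="established" in t, log="log" in t))
    return entries

def _match(addr, spec):
    care = ~spec[1] & 0xFFFFFFFF              # wildcard bits set to 1 = don't care
    return (int(ipaddress.ip_address(addr)) & care) == (spec[0] & care)

def evaluate(entries, proto, src, dst, sport=None, dport=None, ack=False):
    """First matching entry wins, as on IOS. 'established' is taken to mean the
    TCP ACK or RST flag is set (ack=True). Returns (action, logged)."""
    for e in entries:
        if e["proto"] not in ("ip", proto) or not (_match(src, e["src"]) and _match(dst, e["dst"])):
            continue
        if (e["sport"] not in (None, sport) or e["dport"] not in (None, dport)
                or (e["established"] and not ack)):
            continue
        return e["action"], e["log"]
    return "deny", False                      # implicit deny if nothing matched
```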
R 150.4.6.0/24 [120/2] via 150.4.15.5, 00:00:15, Serial0/0
R 150.4.5.0/24 [120/1] via 150.4.15.5, 00:00:16, Serial0/0
R 150.4.10.0/29 [120/2] via 150.4.15.5, 00:00:16, Serial0/0
R 150.4.8.0/24 [120/2] via 150.4.15.5, 00:00:16, Serial0/0
R 150.4.14.0/24 [120/2] via 150.4.15.5, 00:00:16, Serial0/0
C 150.4.15.0/24 is directly connected, Serial0/0
R 150.4.13.0/24 [120/2] via 150.4.15.5, 00:00:16, Serial0/0
R 150.4.50.0/24 [120/1] via 150.4.15.5, 00:00:16, Serial0/0
R 150.4.56.4/30 [120/2] via 150.4.15.5, 00:00:16, Serial0/0
R 150.4.86.0/24 [120/2] via 150.4.15.5, 00:00:16, Serial0/0
R 150.4.68.0/30 [120/2] via 150.4.15.5, 00:00:16, Serial0/0
R 150.4.114.0/24 [120/2] via 150.4.15.5, 00:00:16, Serial0/0
R 150.4.100.0/24 [120/2] via 150.4.15.5, 00:00:16, Serial0/0
C 192.168.3.0/24 is directly connected, Loopback3
B 192.168.0.0/21 [200/0] via 0.0.0.0, 03:22:14, Null0
R1#sh ip bgp
BGP table version is 18, local router ID is 192.168.7.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 172.16.1.0/24 0.0.0.0 0 32768 i
*> 192.168.0.0/21 0.0.0.0 32768 i
s> 192.168.1.0 0.0.0.0 0 32768 ?
s> 192.168.2.0 0.0.0.0 0 32768 ?
s> 192.168.3.0 0.0.0.0 0 32768 ?
s> 192.168.4.0 0.0.0.0 0 32768 ?
s> 192.168.5.0 0.0.0.0 0 32768 ?
s> 192.168.6.0 0.0.0.0 0 32768 ?