Lab 1
R2
int s1/0
ip add 10.1.24.2 255.255.255.0
no sh
int e0/0
ip add 2.2.2.10 255.255.255.0
no sh
int loop 0
ip add 192.168.2.1 255.255.255.0
int loop 1
ip add 12.12.12.12 255.255.255.255
int loop 2
ip add 22.22.22.22 255.255.255.255
R3
int loop 0
ip add 192.168.3.1 255.255.255.0
int e0/0
ip add 3.3.3.10 255.255.255.0
no sh
R4
int s1/1
ip add 10.1.24.4 255.255.255.0
no sh
int s1/0
ip add 10.1.14.4 255.255.255.0
no sh
int loop 1
ip add 4.4.4.4 255.255.255.255
int loop 2
ip add 44.44.44.44 255.255.255.255
R5
int loop 0
ip add 192.168.1.1 255.255.255.0
int e0/0
ip add 1.1.1.10 255.255.255.0
no sh
int s1/0
ip add 10.1.15.5 255.255.255.0
no sh
SW1
ip routing
ip cef
vlan 1
vlan 2
vlan 3
int e1/1
sw acc vlan 1
int e0/2
sw acc vlan 2
int e0/3
sw acc vlan 3
int vlan 1
ip add 1.1.1.100 255.255.255.0
no sh
int vlan 2
ip add 2.2.2.100 255.255.255.0
no sh
int vlan 3
ip add 3.3.3.100 255.255.255.0
no sh
We need R5, R2 and R3 to have Layer 3 connectivity to each other, so on each of them we create a default route
pointing to SW1.
By doing this, SW1 simulates the Internet and connects the three routers even though they sit in
different subnets; this will help us later in the DMVPN task.
on R5
ip route 0.0.0.0 0.0.0.0 1.1.1.100
on R2
ip route 0.0.0.0 0.0.0.0 2.2.2.100
on R3
ip route 0.0.0.0 0.0.0.0 3.3.3.100
Create a site-to-site VPN connection between R2 & R4 using the pre-shared key Cbtme and according to the
following requirements:
- The VPN connection must be established when loop1 on R4 communicates with loop1 on R2 (or vice versa) using the IP
protocol or ICMP.
- Confidentiality must be secured with AES and integrity with SHA in both IKE phase 1 & phase 2.
- Make sure the key is changed after 86400 seconds.
- IPsec will use tunnel mode.
- R2 & R4 loop 1 and loop 2 will be advertised using static routes.
EIGRP Named Mode Task
- R1 & R4 will run EIGRP AS 101 and both will advertise all connected physical interfaces, except R1 s1/1.
- R1 will advertise its own loop 0 into the EIGRP domain.
- Both routers must be configured with EIGRP MD5 authentication using key #1, key string (cbtme).
- On both routers, any physical interface that is not part of the EIGRP domain must never send EIGRP
hello messages. Also make sure auto-summarization is disabled.
- R1 will use EIGRP named mode, R4 will use classic mode.
- R4 interface s1/0 will have IPv6 address 2001:10:1:14::4/64, loop0 2001:4:4:4::4/128.
- R1 interface s1/0 will have IPv6 address 2001:10:1:14::1/64, loop0 2001:1:1:1::1/128.
- Run EIGRPv6 with the same requirements we followed above for the IPv4 domain.
- Redistribute OSPF 100 into EIGRP 101 on R1 (we will create this OSPF process in the next task).
- Run OSPF 100 between R1 s1/1 & R5 s1/0 using router-id 0.0.0.x, where x is the router number.
- Both routers will be in area 0.
- Advertise R1 loop1 into your OSPF domain.
- Run the BFD feature on both routers, but make sure it is enabled only on each OSPF-enabled
physical interface.
- Redistribute EIGRP 101 into OSPF 100.
EPC Task
- On R5, capture all ICMP & IPv4 packets sent or received between R5 & R1 for 15 minutes.
- Create a buffer named "MYBUFFER" with size 2048 and a maximum supported packet size of 1518.
- Your capture point name must be "MYPOINT".
- Export the captured packets to TFTP server 10.1.34.100 so you can analyze them later using Wireshark.
DMVPN Task
Lab 1 Answers
VPN site to site Task
Configure ISAKMP (ISAKMP Phase 1)
Configure IPsec (ISAKMP Phase 2, ACLs, Crypto Map)
1- Configure ISAKMP (IKE) - (ISAKMP Phase 1) and create static routes to provide Layer 3 connectivity
to loop 1 & loop 2 as the task requires.
IKE exists only to establish SAs (Security Associations) for IPsec. Before it can do this, IKE must negotiate
an SA (the ISAKMP SA) with the peer.
R2
ip route 4.4.4.4 255.255.255.255 10.1.24.4
ip route 44.44.44.44 255.255.255.255 10.1.24.4
crypto isakmp enable
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
exit
The above commands define the following (in listed order):
Pre-share - use a pre-shared key as the authentication method.
AES - the encryption method to be used for Phase 1 (aes with no key size means AES-128).
SHA - the hashing algorithm.
No Diffie-Hellman group is specified, so the IOS default group is used for this policy.
No lifetime is specified, so the ISAKMP session key lifetime keeps its default of 86400 seconds. (The IPsec SA
lifetime, set in Phase 2, can be expressed in either kilobytes, i.e. change the key after x-amount of traffic, or seconds.)
Next we define a pre-shared key for authentication with our peer (the R4 router) using the
following command:
crypto isakmp key 0 cisco address 10.1.24.4 255.255.255.0
The peer's pre-shared key is set to cisco and its public IP address is 10.1.24.4. Every time R2 tries to
establish a VPN tunnel with R4 (10.1.24.4), this pre-shared key will be used. Note that with the mask 255.255.255.0
the key applies to any peer in 10.1.24.0/24; a host mask (255.255.255.255) would bind it to R4 alone.
2- Configure IPSec (ISAKMP Phase 2, ACLs, Crypto MAP)
To configure IPsec we need to set up the following, in order:
- Create extended ACL
- Create IPSec Transform
- Create Crypto Map
- Apply crypto map to the public interface
R4
crypto ipsec transform-set TS1 esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto map MYMAP 100 ipsec-isakmp
match address VPN_Networks
set peer 10.1.24.2
set pfs group2
set transform-set TS1
exit
int s1/1
crypto map MYMAP
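The page shows R2's Phase 1 and R4's Phase 2, but neither the VPN_Networks ACL the crypto map references nor R4's ISAKMP side. The following is an added example, an editor's consolidated configuration of both ends rather than the lab's own answer, built to the task's requirements; it uses the task's key (Cbtme) instead of cisco and binds it to the peer with a host mask.

```cisco
! Added example (editor's consolidated configuration, not the lab's own answer):
! both ends of the R2-R4 site-to-site tunnel built to the task's requirements.
! "encryption aes" with no key size means AES-128.
!
! ---------- R2 ----------
ip route 4.4.4.4 255.255.255.255 10.1.24.4
ip route 44.44.44.44 255.255.255.255 10.1.24.4
!
crypto isakmp policy 1
 encryption aes
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
! Host mask: the key is valid for R4 only, not for the whole 10.1.24.0/24
crypto isakmp key 0 Cbtme address 10.1.24.4 255.255.255.255
!
! Interesting traffic: loop1 <-> loop1 only. "permit ip" already covers ICMP;
! the separate ICMP line just mirrors the task wording.
ip access-list extended VPN_Networks
 permit icmp host 12.12.12.12 host 4.4.4.4
 permit ip host 12.12.12.12 host 4.4.4.4
!
crypto ipsec transform-set TS1 esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 86400
crypto map MYMAP 100 ipsec-isakmp
 match address VPN_Networks
 set peer 10.1.24.4
 set pfs group2
 set transform-set TS1
!
interface Serial1/0
 crypto map MYMAP
!
! ---------- R4 (mirror image of R2) ----------
ip route 12.12.12.12 255.255.255.255 10.1.24.2
ip route 22.22.22.22 255.255.255.255 10.1.24.2
!
crypto isakmp policy 1
 encryption aes
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key 0 Cbtme address 10.1.24.2 255.255.255.255
!
ip access-list extended VPN_Networks
 permit icmp host 4.4.4.4 host 12.12.12.12
 permit ip host 4.4.4.4 host 12.12.12.12
!
crypto ipsec transform-set TS1 esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 86400
crypto map MYMAP 100 ipsec-isakmp
 match address VPN_Networks
 set peer 10.1.24.2
 set pfs group2
 set transform-set TS1
!
interface Serial1/1
 crypto map MYMAP
!
! Verification from R4: bring the tunnel up with matching traffic, then inspect it
! ping 12.12.12.12 source 4.4.4.4
! show crypto isakmp sa        (state QM_IDLE means Phase 1 is up)
! show crypto ipsec sa         (pkts encaps/decaps counters should increase)
! show crypto session
```

The two crypto ACLs must be exact mirrors of each other, otherwise Phase 2 fails with a proxy-identity mismatch. Group 2 with AES-128 matches the lab's set pfs group2; for anything outside a lab you would pick DH group 14 or higher.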
Verification:
As we can see, the IPsec tunnel was down, but once we triggered it by pinging 12.12.12.12 sourced from
4.4.4.4 (traffic that matches the ACL we made before), the tunnel came up and the ping traffic was sent & received
encrypted. Your friend command here is show crypto session.
R1 will run EIGRP named mode, where one name represents all of our EIGRP configuration,
including the IPv4 and IPv6 commands and whatever is configured for the global RIB or for VRFs, using the address-family
concept we are used to from BGP. In EIGRP named mode, AUTO-SUMMARY IS DISABLED BY
DEFAULT.
R1
key chain cisco
key 1
key-string cbtme
router eigrp Yasser
no shutdown
add ipv4 unicast as 101
network 10.1.14.1 0.0.0.0
network 2.2.2.2 0.0.0.0
topology base
redistribute ospf 100 metric 1000 100 255 1 1500
exit
af-interface default
passive-interface
exit
af-interface serial 1/0
no passive-interface
authentication mode md5
authentication key-chain cisco
exit
exit
exit
ipv6 unicast-routing
int s1/0
ipv6 add 2001:10:1:14::1/64
int loop 0
ipv6 add 2001:1:1:1::1/128
router eigrp Yasser
add ipv6 unicast as 101
( no network statements needed: in named mode EIGRPv6 is enabled on all IPv6 interfaces by default )
af-interface s1/1
passive-interface
shutdown
exit
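The page shows only R1's IPv4 address family in full; R4's classic-mode side and the authentication for the IPv6 family are not shown. The following is an added example, an editor's completion of the EIGRP task rather than the lab's own answer. It assumes R1 s1/0 is 10.1.14.1/24 (implied by the network statement above); R1 loop0's IPv4 address is not given on the page, so its network statement is left as a placeholder comment.

```cisco
! Added example (editor's completion, not the lab's own answer): R1 in named mode
! and R4 in classic mode, IPv4 and IPv6, EIGRP AS 101 with MD5 key chain "cisco".
!
! ---------- R1 (named mode) ----------
key chain cisco
 key 1
  key-string cbtme
!
ipv6 unicast-routing
interface Serial1/0
 ipv6 address 2001:10:1:14::1/64
interface Loopback0
 ipv6 address 2001:1:1:1::1/128
!
router eigrp Yasser
 address-family ipv4 unicast autonomous-system 101
  network 10.1.14.1 0.0.0.0
  ! network <R1 loop0 IPv4 address> 0.0.0.0   (address not given on the page)
  af-interface default
   passive-interface          ! no hellos on anything not listed below
  exit-af-interface
  af-interface Serial1/0
   no passive-interface
   authentication mode md5
   authentication key-chain cisco
  exit-af-interface
  af-interface Serial1/1
   shutdown                   ! s1/1 is the OSPF link, kept out of EIGRP
  exit-af-interface
  topology base
   redistribute ospf 100 metric 1000 100 255 1 1500
  exit-af-topology
 exit-address-family
 address-family ipv6 unicast autonomous-system 101
  af-interface default
   passive-interface
  exit-af-interface
  af-interface Serial1/0
   no passive-interface
   authentication mode md5
   authentication key-chain cisco
  exit-af-interface
  af-interface Serial1/1
   shutdown
  exit-af-interface
 exit-address-family
!
! ---------- R4 (classic mode) ----------
key chain cisco
 key 1
  key-string cbtme
!
router eigrp 101
 network 10.1.14.0 0.0.0.255
 network 10.1.24.0 0.0.0.255
 no auto-summary
 passive-interface default     ! s1/1 (to R2) advertised but silent
 no passive-interface Serial1/0
!
ipv6 unicast-routing
ipv6 router eigrp 101
 no shutdown
 passive-interface Serial1/1
!
interface Serial1/0
 ip authentication mode eigrp 101 md5
 ip authentication key-chain eigrp 101 cisco
 ipv6 address 2001:10:1:14::4/64
 ipv6 eigrp 101
 ipv6 authentication mode eigrp 101 md5
 ipv6 authentication key-chain eigrp 101 cisco
interface Loopback0
 ipv6 address 2001:4:4:4::4/128
 ipv6 eigrp 101
!
! Verification on either router:
! show ip eigrp neighbors / show ipv6 eigrp neighbors
! show ip eigrp interfaces detail   (shows "Authentication mode is md5")
```

The key difference to notice is where authentication lives: in named mode it sits under af-interface inside the routing process, in classic mode it is an interface command that names the AS. The key-string itself is the same on both sides, so a mismatch shows up as neighbors that never form rather than as a configuration error.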
Remaining address-family configuration commands (tail of the ? output):
  maximum-prefix
  metric
  neighbor
  network
  no
  shutdown
  timers
  topology
R2(config-router-af)#
B) Address-family interface configuration mode:
This mode takes all the interface specific commands that were previously configured on an actual
interface (logical or physical) and moves them into the EIGRP configuration. EIGRP authentication,
Bandwidth-percentage, split-horizon, and summary-address configuration are some of the options that
are now configured here instead of in interface configuration mode.
R2(config-router-af)#af-interface fa0/0
R2(config-router-af-interface)#?
Address Family Interfaces configuration commands:
  authentication    authentication subcommands
  next-hop-self
  no
  split-horizon
  summary-address
R2(config-router-af-interface)#
In the traditional way, if we want to run EIGRP on all interfaces we use the "network 0.0.0.0 0.0.0.0" command.
Here af-interface default serves a similar purpose: the settings under it apply to all interfaces at once.
R2(config-router-af)#af-interface default
R2(config-router-af-interface)#
Address Family Topology configuration commands (R2(config-router-af-topology)#?):
  distribute-list
  eigrp
  exit-af-topology
  fast-reroute      Configure Fast-Reroute
  maximum-paths
  metric
  no
  offset-list
  summary-metric
  timers
  traffic-share
  variance
  redistribute
  snmp
R2(config-router-af-topology)#
Your friend commands are: show bfd neighbors, show bfd drops, show bfd summary
BFD (Bidirectional Forwarding Detection) is defined in RFC 5880.
BFD for one-hop IPv4/IPv6 is defined in RFC 5881.
BFD for multi-hop is defined in RFC 5883.
BFD for MPLS LSPs is defined in RFC 5884.
BFD provides a better way to check neighbor availability than routing-protocol hello messages.
It does not replace hello messages but adds functionality on top of them: keepalive messages to our
neighbors can be sent at millisecond intervals.
BFD modes
Asynchronous mode
o continuous and periodic BFD packets
Demand mode
o BFD packets only after a demand
BFD echo (where a stream of echo packets is sent and received) is the most common function
for both modes.
Cisco supports the asynchronous mode and the echo function by default.
BFD control packets are encapsulated in UDP; for single-hop sessions the UDP destination port is 3784 (RFC 5881).
BFD control packets are always sent as unicast packets to the BFD peer.
The encapsulation of BFD control packets for the multihop application in IPv4 and IPv6 is identical
to the single-hop case, except that the UDP destination port is 4784.
Each system reports in the BFD control packet how rapidly it would like to transmit BFD
packets, as well as how rapidly it is prepared to receive them. This allows either system to
determine the maximum packet rate (minimum interval) in both directions.
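The OSPF and BFD configuration that the verification commands above refer to is not on the page. The following is an added example, an editor's answer to the OSPF/BFD task rather than the lab's own configuration. It assumes R1 s1/1 is 10.1.15.1/24 (R5 s1/0 is 10.1.15.5 on the page; R1's address is not given) and leaves R1 loop1, whose address is also not given, as a placeholder comment.

```cisco
! Added example (editor's answer, not the lab's own): OSPF 100 between R1 s1/1 and
! R5 s1/0, router-id 0.0.0.x, with BFD enabled per interface rather than with
! "bfd all-interfaces", so only the OSPF-enabled physical link runs BFD.
!
! ---------- R1 ----------
interface Serial1/1
 ip address 10.1.15.1 255.255.255.0      ! assumed, not given on the page
 ! 50 ms tx / 50 ms rx, declare the neighbor down after 3 missed packets (150 ms)
 bfd interval 50 min_rx 50 multiplier 3
 ip ospf bfd
!
router ospf 100
 router-id 0.0.0.1
 network 10.1.15.1 0.0.0.0 area 0
 ! network <R1 loop1 address> 0.0.0.0 area 0   (address not given on the page)
 redistribute eigrp 101 subnets
!
! ---------- R5 ----------
interface Serial1/0
 bfd interval 50 min_rx 50 multiplier 3
 ip ospf bfd
!
router ospf 100
 router-id 0.0.0.5
 network 10.1.15.5 0.0.0.0 area 0
!
! Verification:
! show bfd neighbors          (state should be Up, registered protocol OSPF)
! show ip ospf neighbor       (FULL, and it drops within ~150 ms if the link dies)
! show bfd summary
```

The bfd interval line only sets the timers; nothing runs until a client such as OSPF registers with ip ospf bfd. The multiplier is the detection time in units of the negotiated interval, so 50 ms x 3 gives a 150 ms failure detection instead of the 40 second OSPF dead timer.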
EPC Task
R5
config t
ip access-list ext 101
permit icmp any any
permit ip any any
exit
end
monitor capture buffer MYBUFFER
monitor capture buffer MYBUFFER size 2048 max-size 1518 circular
monitor capture buffer MYBUFFER filter access-list 101
monitor capture point ip cef MYPOINT serial 1/0 both
monitor capture point associate MYPOINT MYBUFFER
monitor capture buffer MYBUFFER limit duration 900
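The lines above stop before the capture is started and before the export the task asks for. The following is an added example of the complete legacy EPC workflow, an editor's version rather than the lab's own answer; it assumes R1's s1/1 address is 10.1.15.1 (not given on the page) so that the ACL can be tightened to R5-R1 traffic instead of permit any any.

```cisco
! Added example (editor's, not the lab's own answer): legacy EPC end to end.
! Assumption: R1 s1/1 = 10.1.15.1 (not given on the page).
configure terminal
ip access-list extended 101
 permit icmp host 10.1.15.5 host 10.1.15.1
 permit icmp host 10.1.15.1 host 10.1.15.5
 permit ip host 10.1.15.5 host 10.1.15.1
 permit ip host 10.1.15.1 host 10.1.15.5
end
!
! Buffer: 2048 KB, largest stored frame 1518 bytes, circular so it overwrites
! the oldest frames instead of stopping when full
monitor capture buffer MYBUFFER size 2048 max-size 1518 circular
monitor capture buffer MYBUFFER filter access-list 101
! Stop automatically after 15 minutes (900 s)
monitor capture buffer MYBUFFER limit duration 900
! Capture point on the R5-R1 link, both directions, CEF-switched IPv4
monitor capture point ip cef MYPOINT serial 1/0 both
monitor capture point associate MYPOINT MYBUFFER
monitor capture point start MYPOINT
!
! The duration limit stops the capture by itself; to end it earlier:
monitor capture point stop MYPOINT
!
! Inspect on the box, then export a pcap for Wireshark
show monitor capture buffer MYBUFFER parameters
show monitor capture buffer MYBUFFER dump
monitor capture buffer MYBUFFER export tftp://10.1.34.100/MYBUFFER.pcap
```

The monitor capture commands are privileged EXEC commands, not configuration commands, which is why the block drops out of configuration mode with end before using them. Exporting to TFTP sends the capture in cleartext, so treat the exported file the way you would treat the traffic it contains.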
DMVPN Task
R1 HUB
int loop 0
ip add 192.168.1.1 255.255.255.0
int e0/0
ip add 1.1.1.10 255.255.255.0
no sh
int tunnel 0
ip add 172.16.0.1 255.255.255.0
no ip redirects
tunnel source 1.1.1.10
tunnel mode gre multipoint
ip nhrp authentication cbtme
ip nhrp map multicast dynamic
ip nhrp network-id 1
R2 SPOKE
int loop 0
ip add 192.168.2.1 255.255.255.0
int e0/0
ip add 2.2.2.10 255.255.255.0
no sh
int tunnel 0
ip add 172.16.0.2 255.255.255.0
no ip redirects
tunnel source e0/0
tunnel mode gre multipoint
ip nhrp authentication cbtme
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp map 172.16.0.1 1.1.1.10
ip nhrp map multicast 1.1.1.10
ip nhrp nhs 172.16.0.1
R3 SPOKE
int loop 0
ip add 192.168.3.1 255.255.255.0
int e0/0
ip add 3.3.3.10 255.255.255.0
no sh
int tunnel 0
ip add 172.16.0.3 255.255.255.0
no ip redirects
tunnel source e0/0
tunnel mode gre multipoint
ip nhrp authentication cbtme
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp map 172.16.0.1 1.1.1.10
ip nhrp map multicast 1.1.1.10
ip nhrp nhs 172.16.0.1
ip nhrp nhs 172.16.0.1 tells our spoke router who the Next Hop Server (NHS) is, while the ip nhrp map 172.16.0.1 1.1.1.10
command maps the NHS tunnel address (172.16.0.1) to the hub's (R1) public IP address (1.1.1.10).
ip nhrp map multicast 1.1.1.10 ensures multicast traffic is sent only from the spokes to the hub and not from spoke to spoke.
All multicast traffic should be received by the hub, processed, and then updates are sent out to the spokes.
Now let's create routes for the internal networks on all of our routers.
On the R5 hub router:
ip route 192.168.2.0 255.255.255.0 172.16.0.2
ip route 192.168.3.0 255.255.255.0 172.16.0.3
On R2 spoke router:
ip route 192.168.1.0 255.255.255.0 172.16.0.1
ip route 192.168.3.0 255.255.255.0 172.16.0.3
On R3 spoke router:
ip route 192.168.1.0 255.255.255.0 172.16.0.1
ip route 192.168.2.0 255.255.255.0 172.16.0.2
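The DMVPN configuration above builds the mGRE/NHRP overlay only, so the tunnels carry cleartext GRE; the crypto session mentioned in the verification below only exists once IPsec tunnel protection is applied. The following is an added example of that step, an editor's configuration rather than the lab's own. The ISAKMP policy, the pre-shared key (Cbtme, reused from the site-to-site task) and the wildcard peer address are assumptions; the same block goes on the hub and on both spokes.

```cisco
! Added example (editor's, not the lab's own answer): IPsec protection for the
! DMVPN mGRE tunnel. Identical on the hub and on every spoke.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
! Spokes are usually behind dynamic or NATed addresses, so the key is bound to
! any peer (0.0.0.0 0.0.0.0) rather than to a fixed address
crypto isakmp key 0 Cbtme address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN_TS esp-aes esp-sha-hmac
 ! transport mode: GRE already adds the outer IP header, so there is no need
 ! for a second one and NHRP still sees the real tunnel endpoints
 mode transport
!
crypto ipsec profile DMVPN_PROF
 set transform-set DMVPN_TS
!
interface Tunnel0
 tunnel protection ipsec profile DMVPN_PROF
!
! Verification (on a spoke, after pinging the other spoke's loopback):
! show dmvpn                    (hub entry static, other spoke dynamic "D")
! show crypto session           (one session to the hub, one per active spoke)
! show crypto ipsec sa | include pkts
```

With tunnel protection in place the NHRP registration itself travels inside IPsec, so a spoke whose pre-shared key is wrong never reaches the NHS: show dmvpn shows the hub in NHRP state instead of UP, and show crypto isakmp sa is where to look first.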
Your friend command here is show dmvpn. Notice that once we ping R2 loop0 from R3, a dynamic mGRE
tunnel is created and shown in your show dmvpn output; also your crypto session is up, one for the hub and
one for the spoke you communicate with, which is R2 in our case above.
EPC
https://supportforums.cisco.com/document/139686/configuration-example-embedded-packet-capture-cisco-ios-and-ios-xe
http://www.cisco.com/c/en/us/products/ios-nx-os-software/ios-embedded-packet-capture/index.html
BFD
https://supportforums.cisco.com/video/12061606/bfd-configuration-troubleshooting-cisco-ios-and-xr-routers
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bfd/configuration/12-4t/irb-12-4t-book/Bidirectional_Forwarding_Detection.html
EIGRP Named Mode
https://supportforums.cisco.com/blog/11939146/glimpse-eigrp-name-mode-configuration
http://www.cisco.com/c/dam/en/us/products/collateral/ios-nx-os-software/enhanced-interior-gateway-routing-protocol-eigrp/Advances_In_EIGRP.pdf
Video from IPexpert:
http://www.youtube.com/watch?v=XsV6Rq8eiJ0
GRE with IPsec
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/868-cisco-router-gre-ipsec.html
VPN site to site
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html
DMVPN
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-services-tech/896-cisco-dmvpn-intro.html
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/901-cisco-router-dmvpn-configuration.html
http://blog.ine.com/2008/08/02/dmvpn-explained/
Videos from INE:
http://www.youtube.com/watch?v=CIWcYSClbio
http://www.youtube.com/watch?v=DA9K0eGG17E
IPv6 FHS
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/whitepaper_c11-602135.html
http://blog.ipspace.net/2013/07/first-hop-ipv6-security-features-in.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/15-2s/ipv6-15-2s-book/ip6-first-hop-security.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/15-s/ip6f-15-s-book.pdf
Videos from INE:
http://www.youtube.com/watch?v=Zv-stl5kRnI
http://www.youtube.com/watch?v=UtsHZmb1CYc
http://www.youtube.com/watch?v=goHublIvV-8
Good Luck
CCSI: Yasser Auda
https://www.facebook.com/YasserRamzyAuda
https://learningnetwork.cisco.com/people/yasser.r.a?view=documents
https://www.youtube.com/user/yasserramzyauda