
CCNP 2 - Case Study 1
CLI IPsec and Frame-Mode MPLS

Jeremy Carver – n6144497
Vasily Shapochka – n5498708

Table of Contents

CCNP 2 - Case Study 1................................................................................................................... 1

CLI IPsec and Frame-Mode MPLS....................................................................................................1

Jeremy Carver – n6144497.........................................................................................................1

Vasily Shapochka – n5498708....................................................................................................1

1. Outline....................................................................................................................................... 4

2. Summary of the Company and Network Requirements.............................................................4

3. Logical diagram......................................................................................................................... 5

4. Physical diagram........................................................................................................................ 6

3. Discussion on the implementation of Routing............................................................................7

4. Discussion on the physical layer design and equipment............................................................7

5. Discussion on testing and verification strategies.......................................................................7

6. Recommendations for future network upgrades........................................................................8

7. Router Interface Table............................................................................................................... 8

8. Equipment Table........................................................................................................................ 8

9. Questions...................................................................................................................................9

10. Router Configurations............................................................................................................10

Router R1.................................................................................................................................. 10

Router R2.................................................................................................................................. 12

Router R3.................................................................................................................................. 13

Router R4.................................................................................................................................. 15

11. Testing Results...................................................................................................................... 16

Router R1.................................................................................................................................. 16

Router R2.................................................................................................................................. 19

Router R3.................................................................................................................................. 21
Router R4.................................................................................................................................. 25

1. Outline

International Travel Agency is migrating to a network that uses Multiprotocol Label Switching
(MPLS) and an IPsec VPN. This gives the customer edge a Wide Area Network (WAN) connection
that switches data more efficiently and carries data securely from one office to another.

2. Summary of the Company and Network Requirements

The International Travel Agency requires a network that implements MPLS and VPN
technologies. MPLS runs on the link between the customer edge (CE) and provider edge (PE)
routers, R3 and R4, and an IPsec tunnel is built between R1 and R3 so that traffic between
the R1 and R4 loopback networks is protected while it crosses the Internet cloud.
The addressing scheme provided in the scenario is kept, so the existing infrastructure can
migrate without interruption. EIGRP is used as the fast-converging routing protocol.

Detailed requirements of the company are as follows:

• Configure all interfaces using the addressing scheme shown in the topology diagram.
• Run Enhanced Interior Gateway Routing Protocol (EIGRP) AS 1 in the entire International
Travel Agency core network. All subnets should be included.
• Create an IPSec tunnel between R1 and R3 with an appropriate transform set and Internet
Security Association and Key Management Protocol (ISAKMP) policy.
• This IPSec tunnel should only encrypt traffic between R1’s loopback network and R4’s
loopback network.
• Use pre-shared keys for authentication in the ISAKMP policy.
• Do not create any new interfaces to achieve this task.
• Use any encryption algorithms desired for the tasks listed above that use the crypto suite
of protocols.
• Configure MPLS on both ends of the link between R3 and R4.
• Configure R1 to send system logging messages at the error severity level to an imaginary
host located at 172.16.2.200.
• Set up the correct time on R4 using the clock set command. Use the inline IOS help
system if you do not know the syntax of this command.
• Configure R4 as a Network Time Protocol (NTP) master with stratum 5.
• Configure R3 as an NTP client of R4.

3. Logical diagram

[Logical topology diagram: not reproduced in this text version]

4. Physical diagram

[Physical topology diagram: not reproduced in this text version]
3. Discussion on the implementation of Routing

Enhanced Interior Gateway Routing Protocol (EIGRP) is the routing protocol chosen for the
International Travel Agency core. It is a classless protocol that combines distance-vector
operation with features usually associated with link-state protocols, such as neighbour
discovery and a topology table.

Each router is configured with router eigrp 1 and a network statement covering its directly
connected 172.16.0.0 subnets, with no auto-summary so that the individual /24 prefixes are
advertised instead of a classful 172.16.0.0/16 summary. EIGRP then maintains three data
structures: the neighbor table (adjacencies, shown by show ip eigrp neighbors), the topology
table (every learned route together with its feasible successors) and the routing table, into
which the best (successor) routes are installed. Convergence is fast because the Diffusing
Update Algorithm (DUAL) can switch to a pre-computed feasible successor without a full
recomputation, and bandwidth use is efficient because, after the initial exchange, only
incremental updates are sent when the topology changes.

4. Discussion on the physical layer design and equipment

The test-bed for this upgrade was built on Cisco 3600 series routers, fully configured, so
that the solution could be implemented and tested as it would be in production.
Serial interface modules were used to simulate the Wide Area Network links, and Cisco
CAB-SS-V35 cables were used to connect the routers back to back; the router at one end of
each link supplies the clocking (clock rate) that a CSU/DSU would normally provide.

The physical design of the test-bed is deliberately simple; the real implementation will
include additional devices such as CSU/DSUs on the WAN circuits.

5. Discussion on testing and verification strategies

Each implementation phase of the ITA network was followed by verification commands on the
routers, so that one stage was known to be working before the next was started. The tests
below are listed in the order of the project time line.

• Connectivity was tested first with ping from every router to every interface and loopback
address (see the results in section 11). Together with show ip route and show ip eigrp
neighbors this confirms overall reachability, that all seven /24 subnets are learned and that
each EIGRP adjacency is up.

• An extended ping sourced from R4's loopback (172.16.4.1) to R1's loopback (172.16.1.1) was
used to generate interesting traffic, bring up the IPsec tunnel and confirm that access-list
101 matches the intended flows. A plain ping sourced from the serial interface address does
not match the crypto ACL and is therefore sent unencrypted.

• The show crypto ipsec sa command (see below) confirms that the encaps/decaps counters
increase and that the ESP and AH security associations are ACTIVE in both directions.

• MPLS was tested with show mpls forwarding-table, traceroute and show interfaces serial 0/2/1
accounting on R3 (serial 0/2/0 on R4). The Tag row of the accounting output counts labelled
packets sent and received, so snapshots taken before and after a ping show whether that
traffic was labelled.

• The debug ntp packets command, together with show ntp status and show ntp associations,
was used to confirm that R3 synchronises to R4 at stratum 6.

• The show logging command on R1 confirms that trap logging at level errors is directed to
172.16.2.200.

6. Recommendations for future network upgrades

The network implemented above connects two ITA remote offices. To reduce connection cost, an
IPsec tunnel is built over an Internet link between the two offices to provide secure
connectivity and data transfer.
The MPLS that is used between the CE and PE may in future be extended into the provider's
network in order to speed up delivery between the two locations.
At the customer edge on both sides the company should consider a firewall to filter incoming
and outgoing traffic, since its routers are directly connected to the Internet, which is a
risk for the internal network.

Several settings in the test-bed configuration should also be changed before production. The
ISAKMP pre-shared key is the word "cisco" on both R1 and R3 and must be replaced with a long,
random, per-peer key. Crypto ACL 101 selects only traffic between 172.16.1.0/24 and
172.16.4.0/24, so everything else that crosses the WAN, including EIGRP, the NTP exchange
between R3 and R4 and the syslog messages R1 sends to 172.16.2.200, travels in cleartext, and
the NTP association is unauthenticated. The console, VTY and enable passwords are stored with
the reversible type 7 encoding (service password-encryption); only the enable secret is
hashed. The VTY lines accept Telnet with a shared line password rather than SSH with per-user
accounts, and ip http server exposes an unencrypted management interface on every router.

7. Router Interface Table

Router   Interface      IP Address
R1       Serial 0/2/0   172.16.12.1
R1       Loopback 0     172.16.1.1
R2       Serial 0/2/0   172.16.12.2
R2       Serial 0/2/1   172.16.23.2
R2       Loopback 0     172.16.2.1
R3       Serial 0/2/0   172.16.23.3
R3       Serial 0/2/1   172.16.34.3
R3       Loopback 0     172.16.3.1
R4       Serial 0/2/0   172.16.34.4
R4       Loopback 0     172.16.4.1

All interfaces use a /24 mask (255.255.255.0).

8. Equipment Table

Equipment                                                     Quantity
Cisco 3600 Series Router (with 1x T1 interface card module)   3
Cisco CAB-SS-V35 Cable                                        3

9. Questions

1. R3 and R4 will not send NTP queries as MPLS frames. NTP runs between the two directly
connected interfaces (172.16.34.3 and 172.16.34.4), and 172.16.34.0/24 is a connected
route on both routers. An LSR advertises the implicit-null label for its own connected
prefixes, so the upstream neighbour performs penultimate hop popping (PHP) and forwards
plain IP instead of imposing a label that the next hop would immediately remove. The LFIB
confirms this: R3's entry for 172.16.4.0/24 and R4's entries for 172.16.3.0/24 and
172.16.23.0/24 all show "Pop tag" (this IOS release prints "tag" for label).

2. For the same reason R3 and R4 do not label packets addressed to each other. Each is the
egress LSR for its own interface and loopback prefixes, so PHP applies and the packets
leave unlabelled.

3. R4 sends packets destined for the R1 and R2 networks as MPLS frames; its LFIB shows
outgoing labels 16, 17 and 18 for 172.16.12.0/24, 172.16.1.0/24 and 172.16.2.0/24. R3
removes the label before forwarding towards R2, because R2 is not an LDP neighbour and
R3's LFIB lists those prefixes as "Untagged". R3 itself never sends labelled frames: towards
R2 there is no MPLS, and every prefix towards R4 is "Pop tag". R4 likewise sends packets
destined for R3 unlabelled, but labels packets for the R1 and R2 networks, and R3 strips
those labels. The interface accounting confirms this: R4's Tag "Pkts Out" counter grows by
five after each five-packet ping to 172.16.1.1, while R3's Tag "Pkts Out" stays at zero.

4. In the network configuration ESP (esp-aes 256 esp-sha-hmac in transform set 50)
provides confidentiality, integrity, data-origin authentication and anti-replay protection
for the encapsulated packet. AH (ah-sha-hmac) provides integrity and data-origin
authentication only, but its hash also covers the immutable fields of the outer IP header,
which ESP's authentication does not; AH therefore cannot pass through NAT. Because the
transform set combines both, every packet carries an ESP and an AH header, which is why
show crypto ipsec sa lists separate ESP and AH security associations in each direction.
Since esp-sha-hmac already authenticates the ESP payload, AH adds little here apart from
outer-header protection. AES-256 uses the largest key size defined for AES, but the
practical strength of the tunnel is bounded by its other parameters: Diffie-Hellman group 5
(1536-bit MODP) for the ISAKMP exchange and for PFS, and above all the pre-shared key,
which in the test-bed is "cisco" and must be replaced with a long random value before
production.

5. The NTP server ensures that the routers in the network keep the correct time. This gives
accurate timestamps when error and other messages are logged to the syslog server, which is
crucial when errors or attacks have to be reconstructed across several devices. The
test-bed association (ntp server 172.16.34.4 on R3) is unauthenticated; in production, NTP
authentication with a shared key should be enabled so that a rogue server cannot shift the
clocks and falsify log timestamps.
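As an added example (not part of the original report, and not a Cisco tool), the following Python script automates the MPLS verification described in section 5 and the reasoning in questions 1 to 3. It parses the show mpls forwarding-table and show interfaces ... accounting captures reproduced from section 11, predicts from the LFIB whether a router will put a label on traffic to a given prefix, and compares that prediction with the change in the Tag packet counters across a five-packet ping. The sample outputs are transcribed from this report and embedded as constructed input (the R3 snapshots are the third and fourth captures, the ones taken around R3's ping to 172.16.4.1; the Other and CDP rows are omitted).

```python
"""Predict and measure MPLS labelling on the R3-R4 link from IOS show output.
Added example for this report. The captures below are transcribed from
section 11 and embedded as constructed input so the script runs offline."""
import re

R4_LFIB = """\
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Pop tag     172.16.3.0/24     0          Se0/2/0    point2point
17     Pop tag     172.16.23.0/24    0          Se0/2/0    point2point
18     18          172.16.2.0/24     0          Se0/2/0    point2point
19     16          172.16.12.0/24    0          Se0/2/0    point2point
20     17          172.16.1.0/24     0          Se0/2/0    point2point
"""
R3_LFIB = """\
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Untagged    172.16.12.0/24    1560       Se0/2/0    point2point
17     Untagged    172.16.1.0/24     4088       Se0/2/0    point2point
18     Untagged    172.16.2.0/24     0          Se0/2/0    point2point
19     Pop tag     172.16.4.0/24     0          Se0/2/1    point2point
"""
# R4 'show interfaces s0/2/0 accounting' before and after 'ping 172.16.1.1'
R4_ACCT_BEFORE = """\
Protocol   Pkts In   Chars In   Pkts Out   Chars Out
IP             692      49415        704       48153
Tag              0          0          5         540
"""
R4_ACCT_AFTER = """\
Protocol   Pkts In   Chars In   Pkts Out   Chars Out
IP             703      50323        711       48587
Tag              0          0         10        1080
"""
# R3 'show interfaces s0/2/1 accounting' before and after 'ping 172.16.4.1'
R3_ACCT_BEFORE = """\
Protocol   Pkts In   Chars In   Pkts Out   Chars Out
IP             104       7065        113        8275
Tag             15       1620          0           0
"""
R3_ACCT_AFTER = """\
Protocol   Pkts In   Chars In   Pkts Out   Chars Out
IP             123       8509        133        9785
Tag             15       1620          0           0
"""

LFIB_LINE = re.compile(r"^(\d+)\s+(Pop tag|Untagged|\d+)\s+"
                       r"(\d+\.\d+\.\d+\.\d+/\d+)\s+(\d+)\s+(\S+)")
ACCT_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_lfib(text):
    """{prefix: {'local': int, 'outgoing': str, 'bytes': int, 'intf': str}}"""
    table = {}
    for line in text.splitlines():
        m = LFIB_LINE.match(line.strip())
        if m:                                   # header lines do not match
            local, outgoing, prefix, nbytes, intf = m.groups()
            table[prefix] = {"local": int(local), "outgoing": outgoing,
                             "bytes": int(nbytes), "intf": intf}
    return table

def egress_action(lfib, prefix):
    """What this router puts on the wire for traffic towards `prefix`."""
    entry = lfib.get(prefix)
    if entry is None:
        return "plain IP: no LFIB entry"
    out = entry["outgoing"]
    if out == "Untagged":                       # next hop runs no LDP (R3 -> R2)
        return "plain IP: next hop is not an LDP peer"
    if out == "Pop tag":                        # peer advertised implicit-null
        return "plain IP: penultimate-hop pop (peer advertised implicit-null)"
    return f"labelled: outgoing label {out} via {entry['intf']}"

def sends_labelled(lfib, prefix):
    entry = lfib.get(prefix)
    return entry is not None and entry["outgoing"].isdigit()

def parse_accounting(text):
    """{protocol: (pkts_in, chars_in, pkts_out, chars_out)}"""
    rows = {}
    for line in text.splitlines():
        m = ACCT_LINE.match(line.strip())
        if m:
            rows[m.group(1)] = tuple(int(x) for x in m.groups()[1:])
    return rows

def tag_packet_delta(before, after):
    """(labelled packets received, labelled packets sent) between two snapshots."""
    b = parse_accounting(before).get("Tag", (0, 0, 0, 0))
    a = parse_accounting(after).get("Tag", (0, 0, 0, 0))
    return a[0] - b[0], a[2] - b[2]

def verify_labelled_ping(lfib_text, before, after, dest_prefix, count=5):
    """True if the Tag 'Pkts Out' change matches what the LFIB predicts."""
    expected = count if sends_labelled(parse_lfib(lfib_text), dest_prefix) else 0
    return tag_packet_delta(before, after)[1] == expected

if __name__ == "__main__":
    r4 = parse_lfib(R4_LFIB)
    for prefix in ("172.16.1.0/24", "172.16.3.0/24"):
        print(f"R4 -> {prefix}: {egress_action(r4, prefix)}")
    print("R4 ping 172.16.1.1 labelled as predicted:",
          verify_labelled_ping(R4_LFIB, R4_ACCT_BEFORE, R4_ACCT_AFTER, "172.16.1.0/24"))
    print("R3 ping 172.16.4.1 unlabelled as predicted:",
          verify_labelled_ping(R3_LFIB, R3_ACCT_BEFORE, R3_ACCT_AFTER, "172.16.4.0/24"))
```

The two verify calls reproduce the evidence behind question 3: R4's Tag "Pkts Out" rises from 5 to 10 across a five-packet ping to 172.16.1.1 because the LFIB carries an outgoing label for 172.16.1.0/24, while R3's Tag counters do not move across its ping to 172.16.4.1 because that prefix is "Pop tag".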

10. Router Configurations

Router R1
Current configuration : 2027 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$68v.$0pF2U4rVQiSFjMd/aTRmo.
enable password 7 060503205F5D49
!
no aaa new-model
memory-size iomem 15
!
!
ip cef
!
!
no ip domain lookup
ip host R2 172.16.12.2
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 3600
crypto isakmp key cisco address 172.16.23.3
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map MYMAP 10 ipsec-isakmp
set peer 172.16.23.3
set security-association lifetime seconds 900
set transform-set 50
set pfs group5
match address 101
!
interface Loopback0
description network connected to router 1
ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/2/0
description Link to Router 2
ip address 172.16.12.1 255.255.255.0
clock rate 64000
crypto map MYMAP
!
router eigrp 1
network 172.16.0.0
no auto-summary
!
!
!
ip http server
no ip http secure-server
!
logging trap errors
logging 172.16.2.200
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.4.0 0.0.0.255
!
!
banner motd ^CC This is a secure system. Authorized Personnel Only! ^C
!
line con 0
exec-timeout 0 0
password 7 045802150C2E
logging synchronous
line aux 0
line vty 0 4
password 7 02050D480809
login
!
end

Router R2
Current configuration : 1474 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$k7cB$tzf98Aglqnj2MJZdUhLFR1
enable password 7 01100A05481846
!
no aaa new-model
memory-size iomem 15
no network-clock-participate wic 3
!
!
ip cef
!
!
no ip domain lookup
ip host R1 172.16.12.1
ip host R3 172.16.23.3
!
!
!
interface Loopback0
description network connected to router
ip address 172.16.2.1 255.255.255.0
!
interface Serial0/2/0
ip address 172.16.12.2 255.255.255.0
no fair-queue
!
interface Serial0/2/1
ip address 172.16.23.2 255.255.255.0
clock rate 64000
!
router eigrp 1
network 172.16.0.0
no auto-summary
!
!
!
ip http server
no ip http secure-server
!
!
!
banner motd ^CC This is a secure system. Authorized Personnel Only! ^C
!
line con 0
exec-timeout 0 0
password 7 00071A150754
logging synchronous
line aux 0
line vty 0 4
password 7 14141B180F0B6A
login
!
end

Router R3
Current configuration : 2321 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$JIRS$AbZjQcNdIODnanFoCjzj70
enable password 7 0205085A18154F
!
no aaa new-model
memory-size iomem 15
no network-clock-participate wic 3
!
!
ip cef
!
!
no ip domain lookup
ip host R4 172.16.34.4
ip host R2 172.16.23.2
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 3600
crypto isakmp key cisco address 172.16.12.1
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map MYMAP 10 ipsec-isakmp
set peer 172.16.12.1
set security-association lifetime seconds 900
set transform-set 50
set pfs group5
match address 101
!
!
!
!
interface Loopback0
description network connected to router
ip address 172.16.3.1 255.255.255.0
!
interface Serial0/2/0
description Link to Router 4
ip address 172.16.23.3 255.255.255.0
no fair-queue
crypto map MYMAP
!
interface Serial0/2/1
description Link to Router 2
ip address 172.16.34.3 255.255.255.0
mpls ip
no fair-queue
clock rate 2000000
!
!
router eigrp 1
network 172.16.0.0
no auto-summary
!
!
!
ip http server
no ip http secure-server
!
access-list 101 permit ip 172.16.4.0 0.0.0.255 172.16.1.0 0.0.0.255
!
!
!
!
banner motd ^CC This is a secure system. Authorized Personnel Only! ^C
!
line con 0
exec-timeout 0 0
password 7 02050D4808094F
logging synchronous
line aux 0
line vty 0 4
password 7 03075218050061
login
!
scheduler allocate 20000 1000
ntp clock-period 17179893
ntp server 172.16.34.4
!
end

Router R4
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$pKHY$Pilw1Ad7IjxaPuLSasSea0
enable password 7 121A091601184C
!
no aaa new-model
memory-size iomem 15
no network-clock-participate wic 1
!
!
ip cef
!
!
no ip domain lookup
ip host R3 172.16.34.3
!
!
!
interface Loopback0
description network connected to router
ip address 172.16.4.1 255.255.255.0
!
interface Serial0/2/0
description Link to Router 3
ip address 172.16.34.4 255.255.255.0
mpls ip
no fair-queue
!
router eigrp 1
network 172.16.0.0
no auto-summary
!
!
!
ip http server
no ip http secure-server
!
banner motd ^CC This is a secure system. Authorized Personnel Only! ^C
!
line con 0
exec-timeout 0 0
password 7 02050D4808094F
logging synchronous
line aux 0
line vty 0 4
password 7 13061E01080344
login
!
scheduler allocate 20000 1000
ntp master 5
!
end
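The R1 and R3 crypto sections above have to agree with each other for the tunnel to come up, and the most common failures (a crypto ACL that is not the mirror image of the peer's, a transform set or ISAKMP policy that differs, a missing key for the configured peer) are easy to miss by eye. The following Python script is an added example, not part of the original case study and not a Cisco tool: it reads the crypto parts of the two configurations (transcribed from section 10 as constructed input), checks the peers for consistency, flags a pre-shared key that is on a small deny-list or shorter than 16 characters (both thresholds are assumptions of the example), and answers from the ACL alone which flows the tunnel actually protects.

```python
"""Static consistency check of the R1/R3 IPsec peers (added example, not part
of the case study). R1_CFG and R3_CFG are transcribed from section 10;
WEAK_PSKS and MIN_PSK_LEN are assumptions of this example, not IOS settings."""
import re

R1_CFG = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key cisco address 172.16.23.3
crypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
crypto map MYMAP 10 ipsec-isakmp
 set peer 172.16.23.3
 set transform-set 50
 set pfs group5
 match address 101
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.4.0 0.0.0.255
"""
R3_CFG = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key cisco address 172.16.12.1
crypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
crypto map MYMAP 10 ipsec-isakmp
 set peer 172.16.12.1
 set transform-set 50
 set pfs group5
 match address 101
access-list 101 permit ip 172.16.4.0 0.0.0.255 172.16.1.0 0.0.0.255
"""
WEAK_PSKS = {"cisco", "cisco123", "password", "secret"}  # assumed deny-list
MIN_PSK_LEN = 16                                          # assumed policy
KEY_RE = re.compile(r"crypto isakmp key (\S+) address (\S+)")
ACL_RE = re.compile(r"access-list (\d+) (permit|deny) ip (\S+) (\S+) (\S+) (\S+)")

def parse_crypto(cfg):
    """Extract IKE policy, PSKs, transform set, crypto-map settings and ACLs."""
    p = {"policy": {}, "psks": {}, "transform": None, "peer": None,
         "pfs": None, "map_acl": None, "acl": []}
    section = None
    for line in cfg.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):              # top-level command
            section = None
            key, acl = KEY_RE.match(line), ACL_RE.match(line)
            if line.startswith("crypto isakmp policy"):
                section = "policy"
            elif line.startswith("crypto map "):
                section = "map"
            elif key:
                p["psks"][key.group(2)] = key.group(1)
            elif line.startswith("crypto ipsec transform-set "):
                p["transform"] = tuple(line.split()[4:])   # algorithms only
            elif acl:
                n, action, s, sw, d, dw = acl.groups()
                p["acl"].append((int(n), action, s, sw, d, dw))
            continue
        w = line.split()                           # indented sub-command
        if section == "policy":
            p["policy"][w[0]] = " ".join(w[1:])
        elif section == "map" and w[:2] == ["set", "peer"]:
            p["peer"] = w[2]
        elif section == "map" and w[:2] == ["set", "pfs"]:
            p["pfs"] = w[2]
        elif section == "map" and w[:2] == ["match", "address"]:
            p["map_acl"] = int(w[2])
    return p

def crypto_acl(p):
    """Permit entries of the ACL named by 'match address': (src, wc, dst, wc)."""
    return [(s, sw, d, dw) for n, a, s, sw, d, dw in p["acl"]
            if n == p["map_acl"] and a == "permit"]

def acls_mirror(a, b):
    """Phase 2 only completes if B's proxy IDs are A's with src and dst swapped."""
    return set(crypto_acl(a)) == {(d, dw, s, sw) for s, sw, d, dw in crypto_acl(b)}

def is_protected(p, src, dst):
    """True if an outbound src->dst packet is selected by the crypto ACL (encrypted)."""
    ip = lambda a: int.from_bytes(bytes(int(o) for o in a.split(".")), "big")
    hit = lambda addr, net, wc: (ip(addr) | ip(wc)) == (ip(net) | ip(wc))
    return any(hit(src, s, sw) and hit(dst, d, dw) for s, sw, d, dw in crypto_acl(p))

def check_pair(cfg_a, cfg_b):
    """Findings for one peer pair; an empty list means the configs are consistent."""
    a, b = parse_crypto(cfg_a), parse_crypto(cfg_b)
    out = [f"ISAKMP policy mismatch on {k}" for k in ("encr", "authentication", "group")
           if a["policy"].get(k) != b["policy"].get(k)]
    if a["transform"] != b["transform"] or a["pfs"] != b["pfs"]:
        out.append("transform set or PFS group differs between peers")
    if not acls_mirror(a, b):
        out.append("crypto ACLs are not mirror images; phase 2 proxy IDs will not match")
    for side in (a, b):                            # a PSK must exist and be strong
        key = side["psks"].get(side["peer"], "")
        if key.lower() in WEAK_PSKS or len(key) < MIN_PSK_LEN:
            out.append(f"weak or missing pre-shared key {key!r} for peer {side['peer']}")
    return out

if __name__ == "__main__":
    print(*(check_pair(R1_CFG, R3_CFG) or ["no findings"]), sep="\n")
    print("syslog to 172.16.2.200 encrypted:",
          is_protected(parse_crypto(R1_CFG), "172.16.12.1", "172.16.2.200"))
```

Run against the configurations as shown, the only findings are the two weak pre-shared keys; the ACL mirror check passes, which is consistent with the ACTIVE security associations in section 11. The is_protected call shows that R1's syslog traffic to 172.16.2.200 falls outside access-list 101 and therefore crosses the WAN unencrypted.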

11. Testing Results

Router R1

R1#ping 172.16.12.2

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 172.16.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R1#ping 172.16.2.1

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R1#ping 172.16.23.2

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 172.16.23.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R1#ping 172.16.23.3

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 172.16.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/60 ms
R1#ping 172.16.3.1

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/60 ms
R1#ping 172.16.4.1

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 172.16.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/60 ms
R1#ping 172.16.34.3

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 172.16.34.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/56 ms
R1#ping 172.16.34.4

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 172.16.34.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/60 ms

R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 7 subnets
D       172.16.34.0 [90/3193856] via 172.16.12.2, 03:35:47, Serial0/2/0
D       172.16.23.0 [90/2681856] via 172.16.12.2, 03:42:18, Serial0/2/0
C       172.16.12.0 is directly connected, Serial0/2/0
D       172.16.4.0 [90/3321856] via 172.16.12.2, 03:35:46, Serial0/2/0
C       172.16.1.0 is directly connected, Loopback0
D       172.16.2.0 [90/2297856] via 172.16.12.2, 03:43:24, Serial0/2/0
D       172.16.3.0 [90/2809856] via 172.16.12.2, 03:42:17, Serial0/2/0

R1#show ip eigrp neighbors


IP-EIGRP neighbors for process 1
H   Address          Interface   Hold Uptime    SRTT   RTO  Q    Seq
                                 (sec)          (ms)        Cnt  Num
0   172.16.12.2      Se0/2/0       12 03:44:08    21   200  0    18

R1#show logging
Syslog logging: enabled (11 messages dropped, 2 messages rate-limited,
0 flushes, 0 overruns, xml disabled, filtering disabled)
Console logging: level debugging, 46 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: disabled, xml disabled,
filtering disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled

No active filter modules.

Trap logging: level errors, 40 message lines logged
    Logging to 172.16.2.200(global) (udp port 514, audit disabled, link up),
    2 message lines logged, xml disabled, filtering disabled

R1#sh crypto ipsec sa

interface: Serial0/2/0
Crypto map tag: MYMAP, local addr 172.16.12.1

protected vrf: (none)


local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.4.0/255.255.255.0/0/0)
current_peer 172.16.23.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
#pkts decaps: 13, #pkts decrypt: 13, #pkts verify: 13
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.12.1, remote crypto endpt.: 172.16.23.3
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/2/0
current outbound spi: 0xBB8C7C26(3146546214)

inbound esp sas:


spi: 0x348BD124(881578276)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3004, flow_id: NETGX:4, crypto map: MYMAP
sa timing: remaining key lifetime (k/sec): (4505698/146)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:
spi: 0x7EE5715A(2128965978)
transform: ah-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3004, flow_id: NETGX:4, crypto map: MYMAP
sa timing: remaining key lifetime (k/sec): (4505698/144)
replay detection support: Y
Status: ACTIVE

inbound pcp sas:

outbound esp sas:


spi: 0xBB8C7C26(3146546214)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3003, flow_id: NETGX:3, crypto map: MYMAP
sa timing: remaining key lifetime (k/sec): (4505698/144)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:
spi: 0xCC6044(13393988)
transform: ah-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3003, flow_id: NETGX:3, crypto map: MYMAP
sa timing: remaining key lifetime (k/sec): (4505698/142)
replay detection support: Y
Status: ACTIVE

Router R2

R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 7 subnets
D       172.16.34.0 [90/2681856] via 172.16.23.3, 03:32:14, Serial0/2/1
C       172.16.23.0 is directly connected, Serial0/2/1
C       172.16.12.0 is directly connected, Serial0/2/0
D       172.16.4.0 [90/2809856] via 172.16.23.3, 03:32:13, Serial0/2/1
D       172.16.1.0 [90/2297856] via 172.16.12.1, 03:39:51, Serial0/2/0
C       172.16.2.0 is directly connected, Loopback0
D       172.16.3.0 [90/2297856] via 172.16.23.3, 03:38:44, Serial0/2/1

R2#sh ip eigrp neigh


IP-EIGRP neighbors for process 1
H   Address          Interface   Hold Uptime    SRTT   RTO  Q    Seq
                                 (sec)          (ms)        Cnt  Num
1   172.16.23.3      Se0/2/1       13 03:38:58    19   200  0    11
0   172.16.12.1      Se0/2/0       11 03:40:05    17   200  0    8

R2#ping 172.16.1.1

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R2#ping 172.16.4.1

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 172.16.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/29/32 ms
R2#ping 172.16.3.1

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R2#ping 172.16.23.3

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 172.16.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R2#ping 172.16.34.4

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 172.16.34.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/29/32 ms

Router R3

R3#sh mpls forwarding-table


Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Untagged    172.16.12.0/24    1560       Se0/2/0    point2point
17     Untagged    172.16.1.0/24     4088       Se0/2/0    point2point
18     Untagged    172.16.2.0/24     0          Se0/2/0    point2point
19     Pop tag     172.16.4.0/24     0          Se0/2/1    point2point

R3#show interfaces s0/2/1 accounting
Serial0/2/1 Link to Router 2
Protocol   Pkts In   Chars In   Pkts Out   Chars Out
Other            2        648         53        1272
IP             292      19601        310       21785
CDP             11       3564         11        3564
Tag             25       2700          0           0

R3#show interfaces s0/2/1 accounting
Serial0/2/1 Link to Router 2
Protocol   Pkts In   Chars In   Pkts Out   Chars Out
Other            2        648         56        1344
IP             309      20721        332       23425
CDP             12       3888         12        3888
Tag             30       3240          0           0

R3#show interfaces s0/2/1 accounting
Serial0/2/1 Link to Router 2
Protocol   Pkts In   Chars In   Pkts Out   Chars Out
Other            2        648         17         408
IP             104       7065        113        8275
CDP              5       1620          5        1620
Tag             15       1620          0           0

R3#ping 172.16.4.1

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 172.16.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R3#show interfaces s0/2/1 accounting
Serial0/2/1 Link to Router 2
Protocol   Pkts In   Chars In   Pkts Out   Chars Out
Other            2        648         20         480
IP             123       8509        133        9785
CDP              6       1944          6        1944
Tag             15       1620          0           0

R3#sh crypto ipsec sa

interface: Serial0/2/0
Crypto map tag: MYMAP, local addr 172.16.23.3

protected vrf: (none)


local ident (addr/mask/prot/port): (172.16.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
current_peer 172.16.12.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
#pkts decaps: 13, #pkts decrypt: 13, #pkts verify: 13
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0

local crypto endpt.: 172.16.23.3, remote crypto endpt.: 172.16.12.1


path mtu 1500, ip mtu 1500, ip mtu idb Serial0/2/0
current outbound spi: 0x348BD124(881578276)

inbound esp sas:


spi: 0xBB8C7C26(3146546214)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3004, flow_id: NETGX:4, crypto map: MYMAP
sa timing: remaining key lifetime (k/sec): (4546509/842)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:
spi: 0xCC6044(13393988)
transform: ah-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3004, flow_id: NETGX:4, crypto map: MYMAP
sa timing: remaining key lifetime (k/sec): (4546509/840)
replay detection support: Y
Status: ACTIVE

inbound pcp sas:

outbound esp sas:


spi: 0x348BD124(881578276)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3003, flow_id: NETGX:3, crypto map: MYMAP
sa timing: remaining key lifetime (k/sec): (4546509/840)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:
spi: 0x7EE5715A(2128965978)
transform: ah-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3003, flow_id: NETGX:3, crypto map: MYMAP
sa timing: remaining key lifetime (k/sec): (4546509/840)
replay detection support: Y
Status: ACTIVE

R3#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 7 subnets
C       172.16.34.0 is directly connected, Serial0/2/1
C       172.16.23.0 is directly connected, Serial0/2/0
D       172.16.12.0 [90/2681856] via 172.16.23.2, 03:33:46, Serial0/2/0
D       172.16.4.0 [90/2297856] via 172.16.34.4, 03:27:16, Serial0/2/1
D       172.16.1.0 [90/2809856] via 172.16.23.2, 03:33:46, Serial0/2/0
D       172.16.2.0 [90/2297856] via 172.16.23.2, 03:33:46, Serial0/2/0
C       172.16.3.0 is directly connected, Loopback0

R3#show ip eigrp neighbors


IP-EIGRP neighbors for process 1
H   Address          Interface   Hold Uptime    SRTT   RTO  Q    Seq
                                 (sec)          (ms)        Cnt  Num
1   172.16.34.4      Se0/2/1       10 03:29:37     5   200  0    3
0   172.16.23.2      Se0/2/0       13 03:36:07    21   200  0    19

R3#show ntp status


Clock is synchronized, stratum 6, reference is 172.16.34.4
nominal freq is 250.0000 Hz, actual freq is 249.9996 Hz, precision is 2**18
reference time is CA934B03.CB52988D (05:37:07.794 UTC Thu Sep 13 2007)
clock offset is 0.1988 msec, root delay is 2.26 msec
root dispersion is 1.02 msec, peer dispersion is 0.79 msec

R3#show ntp associations

  address          ref clock      st   when   poll  reach  delay  offset   disp
*~172.16.34.4      127.127.7.1     5     49     64    377    2.3    0.20    0.8
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

R3#ping 172.16.4.1

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 172.16.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R3#ping 172.16.34.4

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 172.16.34.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R3#ping 172.16.2.1

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R3#ping 172.16.23.2

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 172.16.23.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R3#ping 172.16.12.2

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 172.16.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R3#ping 172.16.12.1

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 172.16.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/56 ms
R3#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/60 ms

Router R4

R4#ping 172.16.3.1

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R4#ping 172.16.23.2

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 172.16.23.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/29/32 ms
R4#ping 172.16.12.1

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 172.16.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/57/60 ms
R4#ping 172.16.1.1

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/60 ms
R4#ping 172.16.4.1

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 172.16.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

R4#sh mpls forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Pop tag     172.16.3.0/24     0          Se0/2/0    point2point
17     Pop tag     172.16.23.0/24    0          Se0/2/0    point2point
18     18          172.16.2.0/24     0          Se0/2/0    point2point
19     16          172.16.12.0/24    0          Se0/2/0    point2point
20     17          172.16.1.0/24     0          Se0/2/0    point2point

R4#ping
Protocol [ip]:
Target IP address: 172.16.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.16.4.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]: y
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.4.1
Reply data will be validated
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 104/106/108 ms

R4#sh ntp associations

  address          ref clock      st   when   poll  reach  delay  offset   disp
*~127.127.7.1      127.127.7.1     4     53     64    377    0.0    0.00    0.0
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

R4#sh ntp status


Clock is synchronized, stratum 5, reference is 127.127.7.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is CA9349DF.768D5947 (05:32:15.463 UTC Thu Sep 13 2007)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec

R4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 7 subnets
C       172.16.34.0 is directly connected, Serial0/2/0
D       172.16.23.0 [90/21024000] via 172.16.34.3, 03:25:30, Serial0/2/0
D       172.16.12.0 [90/21536000] via 172.16.34.3, 03:25:30, Serial0/2/0
C       172.16.4.0 is directly connected, Loopback0
D       172.16.1.0 [90/21664000] via 172.16.34.3, 03:25:30, Serial0/2/0
D       172.16.2.0 [90/21152000] via 172.16.34.3, 03:25:30, Serial0/2/0
D       172.16.3.0 [90/20640000] via 172.16.34.3, 03:25:30, Serial0/2/0

R4#sh ip eigrp neigh


IP-EIGRP neighbors for process 1
H   Address          Interface   Hold Uptime    SRTT   RTO   Q    Seq
                                 (sec)          (ms)         Cnt  Num
0   172.16.34.3      Se0/2/0       14 03:25:48     3   1140  0    12

R4#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/60 ms

R4#show interface s0/2/0 accounting
Serial0/2/0 Link to Router 3
Protocol   Pkts In   Chars In   Pkts Out   Chars Out
Other            0          0        197        4728
IP             692      49415        704       48153
CDP             26       8424         27        8748
Tag              0          0          5         540

R4#ping 172.16.1.1

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/57/60 ms

R4#show interface s0/2/0 accounting
Serial0/2/0 Link to Router 3
Protocol   Pkts In   Chars In   Pkts Out   Chars Out
Other            0          0        198        4752
IP             703      50323        711       48587
CDP             26       8424         27        8748
Tag              0          0         10        1080
