Yasser Auda CCIEv5 Workbook PDF
Lab 1
R1
int s1/0
ip add 10.1.14.1 255.255.255.0
no sh
int s1/1
ip add 10.1.15.1 255.255.255.0
no sh
int loop 1
ip add 1.1.1.1 255.255.255.255
int loop 2
ip add 11.11.11.11 255.255.255.255
R2
int s1/0
ip add 10.1.24.2 255.255.255.0
no sh
int e0/0
ip add 2.2.2.10 255.255.255.0
no sh
int loop 0
ip add 192.168.2.1 255.255.255.0
int loop 1
ip add 12.12.12.12 255.255.255.255
int loop 2
ip add 22.22.22.22 255.255.255.255
R3
int loop 0
ip add 192.168.3.1 255.255.255.0
int e0/0
ip add 3.3.3.10 255.255.255.0
no sh
R4
int s1/1
ip add 10.1.24.4 255.255.255.0
no sh
int s1/0
ip add 10.1.14.4 255.255.255.0
no sh
int loop 1
ip add 4.4.4.4 255.255.255.255
int loop 2
ip add 44.44.44.44 255.255.255.255
R5
int loop 0
ip add 192.168.1.1 255.255.255.0
int e0/0
ip add 1.1.1.10 255.255.255.0
no sh
int s1/0
ip add 10.1.15.5 255.255.255.0
no sh
SW1
ip routing
ip cef
vlan 1
vlan 2
vlan 3
int e1/1
sw acc vlan 1
int e0/2
sw acc vlan 2
int e0/3
sw acc vlan 3
int vlan 1
ip add 1.1.1.100 255.255.255.0
no sh
int vlan 2
ip add 2.2.2.100 255.255.255.0
no sh
int vlan 3
ip add 3.3.3.100 255.255.255.0
no sh
We need R5, R2 and R3 to have layer 3 connectivity to each other, so on each of them we create a
default route pointing to SW1.
By doing this, SW1 simulates the Internet connecting the three routers while they sit on
different subnets; this will be needed later in the DMVPN task.
on R5
ip route 0.0.0.0 0.0.0.0 1.1.1.100
on R2
ip route 0.0.0.0 0.0.0.0 2.2.2.100
on R3
ip route 0.0.0.0 0.0.0.0 3.3.3.100
VPN Site To Site using pre shared key Task
Create a VPN site-to-site connection between R2 & R4 using pre shared key “Cbtme” according to the
following requirements:
-VPN connection must be established if loop1 in R4 communicates with loop1 in R2 or vice versa using the IP
protocol or ICMP.
-Confidentiality must be secured with AES and integrity with SHA in both IKE1 & IKE2 phases
-Make sure the key will be changed after 86400 seconds
-IPsec will use tunnel mode
-R2 & R4 loop 1 and loop 2 will be advertised using static routes
-R1 & R4 will run EIGRP AS 101 and both will advertise all connected physical interfaces except R1 s1/1
-R1 will advertise its own loop 0 in the EIGRP domain
-Both routers must be configured with EIGRP MD5 authentication using key #1, key string (cbtme)
-On both routers, any physical interface not connected to the EIGRP domain must never send EIGRP
hello messages. Also make sure auto summarization is disabled.
-R1 will use EIGRP named mode, R4 will use classic mode
-R4 interface s1/0 will have IPv6 address 2001:10:1:14::4/64, loop0 2001:4:4:4::4/128
-R1 interface s1/0 will have IPv6 address 2001:10:1:14::1/64, loop0 2001:1:1:1::1/128
-Run EIGRPv6 with the same requirements we followed above for the IPv4 domain.
-Redistribute OSPF 100 into EIGRP 101 in R1 (in the next task we will create this OSPF process)
OSPF BFD Task
-Run OSPF 100 between R1 s1/1 & R5 s1/0 using router-id 0.0.0.x where x is the router number
-Both routers will be in area 0
-Advertise R1 loop1 into your OSPF domain
-Run the BFD feature on both routers, but make sure it is enabled only on each OSPF-enabled
physical interface
-Redistribute EIGRP 101 into OSPF 100
EPC Task
-In R5 capture all ICMP & IPv4 packets sent or received between R5 & R1 for 15 minutes
-Create a buffer named "MYBUFFER" with size 2048 supporting a maximum packet size of 1518
-Your capture point name must be "MYPOINT"
-Export the captured packets to TFTP server 10.1.34.100 so you can later analyze them using Wireshark
DMVPN Task
-Any communication between these three routers to reach their loop 0 subnets must go through our
mGRE tunnels
R5 loop 0 network 192.168.1.1 255.255.255.0
R2 loop 0 network 192.168.2.1 255.255.255.0
R3 loop 0 network 192.168.3.1 255.255.255.0
Lab 1 Answers
VPN site to site Task
Configure ISAKMP (ISAKMP Phase 1)
Configure IPSec (ISAKMP Phase 2, ACLs, Crypto MAP)
1-Configure ISAKMP (IKE) - (ISAKMP Phase 1) and create static routes to provide layer three connectivity
to loop 0 & loop 1 as the task requires.
IKE exists only to establish SAs (Security Associations) for IPsec. Before it can do this, IKE must negotiate
an SA (an ISAKMP SA) relationship with the peer.
R2
ip route 4.4.4.4 255.255.255.255 10.1.24.4
ip route 44.44.44.44 255.255.255.255 10.1.24.4
Next we are going to define a pre shared key for authentication with our peer (R2 router) by using the
following command:
The peer’s pre shared key is set to cisco and its public IP address is 10.1.24.4. Every time R2 tries to
establish a VPN tunnel with R4 (10.1.24.4), this pre shared key will be used.
Creating Extended ACL
We’ve named our crypto map MYMAP. The ipsec-isakmp tag tells the router that this crypto map is an
IPsec crypto map.
int S1/0
crypto map MYMAP
R4
exit
crypto ipsec transform-set TS1 esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto map MYMAP 100 ipsec-isakmp
match address VPN_Networks
set peer 10.1.24.2
set pfs group2
set transform-set TS1
exit
int S1/1
crypto map MYMAP
Verification:
As we can see the IPsec tunnel was down, but once we triggered it by pinging 12.12.12.12 using
source 4.4.4.4, which matches the ACL we made before, the tunnel came up and the ping traffic was sent & received
encrypted. Your friend command here is show crypto session.
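For reference, here is the R2 side of the same tunnel, mirroring the R4 listing above, as an added example that is not part of the workbook's own listing. It follows the task requirements (AES/SHA in both phases, 86400-second lifetimes, tunnel mode, pre shared key Cbtme from the task statement, traffic between the two loop 1 addresses); the names TS1, MYMAP and VPN_Networks are taken from the R4 listing, and the policy number 10 is an arbitrary choice.

```cisco
! R2 (added example): ISAKMP phase 1 policy matching the task requirements
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
! pre shared key for peer R4; "Cbtme" is the key given in the task statement
crypto isakmp key Cbtme address 10.1.24.4
! interesting traffic: IP and ICMP between R2 loop 1 (12.12.12.12) and R4 loop 1 (4.4.4.4)
! (permit ip already covers ICMP; both lines are kept to match the task wording)
ip access-list extended VPN_Networks
 permit icmp host 12.12.12.12 host 4.4.4.4
 permit ip host 12.12.12.12 host 4.4.4.4
! phase 2: AES for confidentiality, SHA-HMAC for integrity, tunnel mode (the default)
crypto ipsec transform-set TS1 esp-aes esp-sha-hmac
 mode tunnel
! IPsec SA lifetime: keys are renegotiated after 86400 seconds
crypto ipsec security-association lifetime seconds 86400
! crypto map: must agree with R4 on peer, PFS group and transform set
crypto map MYMAP 100 ipsec-isakmp
 match address VPN_Networks
 set peer 10.1.24.4
 set pfs group2
 set transform-set TS1
! apply on the interface facing R4 (10.1.24.0/24 is on R2 s1/0 in the base config)
interface Serial1/0
 crypto map MYMAP
! static routes to the R4 loopbacks, as listed for R2 earlier in the answer
ip route 4.4.4.4 255.255.255.255 10.1.24.4
ip route 44.44.44.44 255.255.255.255 10.1.24.4
```

Verify with show crypto isakmp sa (phase 1) and show crypto ipsec sa (phase 2 packet counters) after a ping from 12.12.12.12 to 4.4.4.4.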
EIGRP named mode
R4 will run classic EIGRP commands (the ones we normally type)
R4
key chain cisco
key 1
key-string cbtme
int s1/0
ip authentication mode eigrp 101 md5
ip authentication key-chain eigrp 101 cisco
ipv6 unicast-routing
ipv6 router eigrp 101
router-id 0.0.0.4
no shutdown
int s1/0
ipv6 add 2001:10:1:14::4/64
ipv6 eigrp 101
int loop0
ipv6 add 2001:4:4:4::4/128
ipv6 eigrp 101
When you finish typing these commands, notice in show run that the EIGRP commands are not in one place:
some commands are under the EIGRP section, others under the interfaces themselves, which makes your future
troubleshooting harder.
R1 will run EIGRP named mode, where one name represents all of our EIGRP configuration,
including IPv4 and IPv6 commands, whether for the global RIB or for VRFs, using the address-family
concept we are used to from BGP. In EIGRP named mode, auto-summary is disabled by default
(no auto-summary is the default).
R1
key chain cisco
key 1
key-string cbtme
topology base
redistribute ospf 100 metric 1000 100 255 1 1500
exit
af-interface default
passive-interface
exit
af-interface serial 1/0
no passive-interface
authentication mode md5
authentication key-chain cisco
exit
exit
exit
ipv6 unicast-routing
int s1/0
ipv6 add 2001:10:1:14::1/64
int loop 0
ipv6 add 2001:1:1:1::1/128
Notice that all our configuration is in one place in the running configuration file.
In EIGRP named mode we have four address families available.
For IPv4:
R2(config-router)#address-family ipv4 unicast autonomous-system 1
For IPv6:
R2(config-router)#address-family ipv6 unicast autonomous-system 1
A) Address-family configuration mode:
In this mode you can configure networks, EIGRP neighbors, the EIGRP router-id, metrics, etc. From this mode
you can access the other two configuration modes used in EIGRP named configuration.
R2(config-router-af)#
R2(config-router-af)#af-interface fa0/0
R2(config-router-af-interface)#?
authentication authentication subcommands
R2(config-router-af-interface)#
In the traditional way, if we want to run EIGRP on all interfaces we use the "network 0.0.0.0 0.0.0.0" command.
Here you can use “af-interface default” for the same purpose.
R2(config-router-af)#af-interface default
R2(config-router-af-interface)#
R2(config-router-af-interface)#exit
R2(config-router-af)#topology base
R2(config-router-af-topology)#?
Address Family Topology configuration commands:
R2(config-router-af-topology)#
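To tie the three named-mode sub-modes together, here is a complete R1 named-mode configuration for the task (IPv4 and IPv6 address families, MD5 authentication, passive by default, OSPF redistribution), as an added example that is not the workbook's own listing. The process name CBTME is an assumption (any name works; only the AS number 101 must match R4), and the network statements cover R1 s1/0 only, since the R1 base configuration defines no IPv4 address on loop 0.

```cisco
! R1 (added example): EIGRP named mode, everything under one "router eigrp" block
key chain cisco
 key 1
  key-string cbtme
!
router eigrp CBTME
 !
 address-family ipv4 unicast autonomous-system 101
  ! every interface passive by default, then open only the link toward R4 (s1/0)
  af-interface default
   passive-interface
  exit-af-interface
  af-interface Serial1/0
   no passive-interface
   authentication mode md5
   authentication key-chain cisco
  exit-af-interface
  ! topology base: explicit no auto-summary (already the named-mode default) and redistribution
  topology base
   no auto-summary
   redistribute ospf 100 metric 1000 100 255 1 1500
  exit-af-topology
  ! connected physical interfaces except s1/1; add a network statement for the loopback the task names
  network 10.1.14.0 0.0.0.255
  eigrp router-id 0.0.0.1
 exit-address-family
 !
 address-family ipv6 unicast autonomous-system 101
  ! IPv6 AF runs on every IPv6-enabled interface; same passive/authentication policy as IPv4
  af-interface default
   passive-interface
  exit-af-interface
  af-interface Serial1/0
   no passive-interface
   authentication mode md5
   authentication key-chain cisco
  exit-af-interface
  eigrp router-id 0.0.0.1
 exit-address-family
!
ipv6 unicast-routing
interface Serial1/0
 ipv6 address 2001:10:1:14::1/64
interface Loopback0
 ipv6 address 2001:1:1:1::1/128
```

Check the result with show eigrp address-family ipv4 neighbors, show eigrp address-family ipv6 neighbors and show run | section router eigrp.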
OSPF BFD Task
R1
router ospf 100
router-id 0.0.0.1
network 10.1.15.1 0.0.0.0 area 0
network 11.11.11.11 0.0.0.0 area 0
bfd all-interfaces
int s1/1
bfd interval 50 min_rx 50 multiplier 5
(bfd interval milliseconds min_rx milliseconds multiplier interval-multiplier)
int s1/0
ip ospf bfd disable
R5
router ospf 100
router-id 0.0.0.5
network 10.1.15.5 0.0.0.0 area 0
int s1/0
ip ospf bfd
bfd interval 50 min_rx 50 multiplier 5
Your friend commands are: show bfd neighbors, show bfd drops, show bfd summary
BFD provides a better way to check neighbor availability than hello messages.
It does not replace hello messages but adds functionality where we can send keepalive
messages to our neighbors at millisecond intervals.
BFD modes
Asynchronous mode
o continuous and periodic BFD packets
Demand mode
o BFD packets only after a demand
BFD echo (where a stream of echo packets is sent and received) is the most common function
for both modes.
Cisco supports the asynchronous mode and the echo function by default.
BFD control packets are always sent as unicast packets to the BFD peer.
The encapsulation of BFD control packets for the multihop application in IPv4 and IPv6 is identical
to the single-hop case, except that the UDP destination port is 4784.
Each system reports in the BFD control packet how rapidly it would like to transmit BFD
packets, as well as how rapidly it is prepared to receive them. This allows either system to
determine the maximum packet rate (minimum interval) in both directions.
EPC Task
R5
config t
ip access-list ext 101
permit icmp any any
permit ip any any
exit
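To complete the R5 capture above, here is a full classic IOS Embedded Packet Capture configuration meeting the task's requirements, as an added example that is not the workbook's own listing. It assumes R5 faces R1 on Serial1/0 (10.1.15.0/24 in the base configuration) and that ACL 101 from above exists.

```cisco
! R5 (added example): classic IOS EPC, exec-mode commands
! 1. capture buffer: 2048 KB, largest captured packet 1518 bytes, circular so it keeps the latest traffic
monitor capture buffer MYBUFFER size 2048 max-size 1518 circular
! 2. keep only packets matching ACL 101 (ICMP and IP, defined in config mode above)
monitor capture buffer MYBUFFER filter access-list 101
! 3. capture point on the CEF path of the R1-facing interface, both directions
monitor capture point ip cef MYPOINT Serial1/0 both
! 4. bind the capture point to the buffer and start capturing
monitor capture point associate MYPOINT MYBUFFER
monitor capture point start MYPOINT
! ... stop it after 15 minutes (manually, or from an EEM timer policy)
monitor capture point stop MYPOINT
! 5. export as pcap to the TFTP server named in the task, then open it in Wireshark
monitor capture buffer MYBUFFER export tftp://10.1.34.100/MYBUFFER.pcap
! verification
show monitor capture buffer MYBUFFER parameters
show monitor capture point MYPOINT
show monitor capture buffer MYBUFFER dump
```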
DMVPN Task
R1 HUB
int loop 0
ip add 192.168.1.1 255.255.255.0
int e0/0
ip add 1.1.1.10 255.255.255.0
no sh
int tunnel 0
ip add 172.16.0.1 255.255.255.0
no ip redirects
tunnel source 1.1.1.10
tunnel mode gre multipoint
ip nhrp authentication cbtme
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp network-id 1
used to identify this DMVPN cloud. All routers participating in this DMVPN cloud must have the same
network-id configured in order for tunnels to form between them.
ip nhrp authentication
used to allow the authenticated updates and queries to the NHRP Database, ensuring unwanted queries
are not provided with any information about the DMVPN network.
R2 SPOKE
int loop 0
ip add 192.168.2.1 255.255.255.0
int e0/0
ip add 2.2.2.10 255.255.255.0
no sh
int tunnel 0
ip add 172.16.0.2 255.255.255.0
no ip redirects
tunnel source e0/0
tunnel mode gre multipoint
ip nhrp authentication cbtme
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp map 172.16.0.1 1.1.1.10
ip nhrp map multicast 1.1.1.10
ip nhrp nhs 172.16.0.1
R3 SPOKE
int loop 0
ip add 192.168.3.1 255.255.255.0
int e0/0
ip add 3.3.3.10 255.255.255.0
no sh
int tunnel 0
ip add 172.16.0.3 255.255.255.0
no ip redirects
tunnel source e0/0
tunnel mode gre multipoint
ip nhrp authentication cbtme
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp map 172.16.0.1 1.1.1.10
ip nhrp map multicast 1.1.1.10
ip nhrp nhs 172.16.0.1
tunnel source FastEthernet0/1
All spokes with a dynamic WAN IP address must be configured to bind the physical WAN
interface as the tunnel source. This way, when the spoke’s WAN IP changes, it will be able to
update the NHS server with its new WAN IP address.
Note: In R2’s configuration, we’ve configured a static IP address on its WAN interface
FastEthernet0/1, but for the sake of this example, let us assume it was dynamically provided by
the ISP.
R2/R3
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 86400
!
crypto isakmp key firewall.cx address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS
!
interface Tunnel 0
tunnel protection ipsec profile protect-gre
Now let's create routing for the internal networks on all of our routers.
On the R5 hub router:
ip route 192.168.2.0 255.255.255.0 172.16.0.2
ip route 192.168.3.0 255.255.255.0 172.16.0.3
On R2 spoke router:
ip route 192.168.1.0 255.255.255.0 172.16.0.1
ip route 192.168.3.0 255.255.255.0 172.16.0.3
On R3 spoke router:
ip route 192.168.1.0 255.255.255.0 172.16.0.1
ip route 192.168.2.0 255.255.255.0 172.16.0.2
Your friend command here is show dmvpn. Notice that once we ping R2 loop0 from R3, a dynamic mGRE
tunnel is created and shown in your show dmvpn output; also your crypto session is up, one for the hub and
one for the spoke you communicate with, which is R2 in our case above.
Soon Lab 2 will be added covering tasks for:
-GRE with IPsec tunnel
-GRE with IPsec tunnel VTI
-IPv6 FHS
EPC
https://supportforums.cisco.com/document/139686/configuration-example-embedded-packet-capture-cisco-ios-and-ios-xe
http://www.cisco.com/c/en/us/products/ios-nx-os-software/ios-embedded-packet-capture/index.html
BFD
https://supportforums.cisco.com/video/12061606/bfd-configuration-troubleshooting-cisco-ios-and-xr-routers
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bfd/configuration/12-4t/irb-12-4t-book/Bidirectional_Forwarding_Detection.html
https://supportforums.cisco.com/blog/11939146/glimpse-eigrp-name-mode-configuration
http://www.cisco.com/c/dam/en/us/products/collateral/ios-nx-os-software/enhanced-interior-gateway-routing-protocol-eigrp/Advances_In_EIGRP.pdf
http://www.youtube.com/watch?v=XsV6Rq8eiJ0
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/868-cisco-router-gre-ipsec.html
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html
DMVPN
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-services-tech/896-cisco-dmvpn-intro.html
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/901-cisco-router-dmvpn-configuration.html
http://blog.ine.com/2008/08/02/dmvpn-explained/
http://www.youtube.com/watch?v=CIWcYSClbio
http://www.youtube.com/watch?v=DA9K0eGG17E
IPV6 FHS
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/whitepaper_c11-602135.html
http://blog.ipspace.net/2013/07/first-hop-ipv6-security-features-in.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/15-2s/ipv6-15-2s-book/ip6-first-hop-security.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/15-s/ip6f-15-s-book.pdf
http://www.youtube.com/watch?v=Zv-stl5kRnI
http://www.youtube.com/watch?v=UtsHZmb1CYc
http://www.youtube.com/watch?v=goHublIvV-8
Good Luck
CCSI: Yasser Auda
https://www.facebook.com/YasserRamzyAuda
https://learningnetwork.cisco.com/people/yasser.r.a?view=documents
https://www.youtube.com/user/yasserramzyauda