CS1.net file for Dynamips:
##################################################
#
# CCNP Version 5.0: Implementing Secure Converged Wide-Area Networks
# Case Study 1: CLI IPsec and Frame-Mode MPLS
# By Happy Peter http://blog.xuite.net/juilin77/happy
#
##################################################
autostart=false
[localhost:7200]
workingdir = /opt/dynamips/dynagen-0.10.1/UTS/CCNP2/LabCS1/workingconfig
[[3725]]
# Specify 3725 IOS image on Linux here:
image = /opt/dynamips/images/c3725-ad.bin
ram = 256
idlepc = 0x60bf8d58
mmap = true
ghostios = true
confreg = 0x2102
###########################
#
# Define router instances 1
#
###########################
[[Router R1]]
model = 3725
console = 2001
slot1 = NM-4T
[[Router R2]]
model = 3725
console = 2002
slot1 = NM-4T
s1/0 = R1 s1/0
s1/1 = R3 s1/1
[[Router R3]]
model = 3725
console = 2003
slot1 = NM-4T
[[Router R4]]
model = 3725
console = 2004
slot1 = NM-4T
s1/2 = R3 s1/2
Basic Configuration:
R1-4:
enable
configure terminal
!
no ip domain lookup
!
line console 0
logging synchronous
exec-timeout 0 0
!
hostname R1
! (hostname R2, R3 and R4 on the other routers)
Scenario
The International Travel Agency needs parts of its network set up with IPsec and Multiprotocol Label Switching (MPLS) with the given specifications and the topology shown in the diagram. This case study should be completed using the Cisco IOS command-line interface (CLI), without using the Cisco Security Device Manager (SDM).
‧ Configure all interfaces using the addressing scheme shown in the topology diagram.
R1(config)#interface loopback 0
R1(config-if)#ip address 172.16.1.1 255.255.255.0
R1(config)#interface serial 1/0
R1(config-if)#ip address 172.16.12.1 255.255.255.0
R1(config-if)#clock rate 64000
R1(config-if)#no shutdown
R2(config)#interface loopback 0
R2(config-if)#ip address 172.16.2.1 255.255.255.0
R2(config)#interface serial 1/0
R2(config-if)#ip address 172.16.12.2 255.255.255.0
R2(config-if)#no shutdown
R2(config)#interface serial 1/1
R2(config-if)#ip address 172.16.23.2 255.255.255.0
R2(config-if)#clock rate 64000
R2(config-if)#no shutdown
R3(config)#interface loopback 0
R3(config-if)#ip address 172.16.3.1 255.255.255.0
R3(config)#interface serial 1/1
R3(config-if)#ip address 172.16.23.3 255.255.255.0
R3(config-if)#no shutdown
R3(config)#interface serial 1/2
R3(config-if)#ip address 172.16.34.3 255.255.255.0
R3(config-if)#clock rate 64000
R3(config-if)#no shutdown
R4(config)#interface loopback 0
R4(config-if)#ip address 172.16.4.1 255.255.255.0
R4(config)#interface serial 1/2
R4(config-if)#ip address 172.16.34.4 255.255.255.0
R4(config-if)#no shutdown
‧ Run Enhanced Interior Gateway Routing Protocol (EIGRP) AS 1 in the entire International Travel Agency core network. All subnets should be included.
All routers (R1 through R4):
R1-4(config)#router eigrp 1
R1-4(config-router)#no auto-summary
R1-4(config-router)#network 172.16.0.0
‧ Create an IPsec tunnel between R1 and R3 with an appropriate transform set and Internet Security Association and Key Management Protocol (ISAKMP) policy.
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption aes 256
R1(config-isakmp)#hash sha
R1(config-isakmp)#group 5
R1(config-isakmp)#lifetime 3600
R1(config)#crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac ah-sha-hmac
R1(config)#crypto ipsec security-association lifetime seconds 1800
R3(config)#crypto isakmp policy 10
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#encryption aes 256
R3(config-isakmp)#hash sha
R3(config-isakmp)#group 5
R3(config-isakmp)#lifetime 3600
R3(config)#crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac ah-sha-hmac
R3(config)#crypto ipsec security-association lifetime seconds 1800
‧ This IPsec tunnel should only encrypt traffic between R1’s loopback network and R4’s loopback network.
R1(config)#access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.4.0 0.0.0.255
R3(config)#access-list 101 permit ip 172.16.4.0 0.0.0.255 172.16.1.0 0.0.0.255
‧ Use pre-shared keys for authentication in the ISAKMP policy.
R1(config)#crypto isakmp key 6 cisco address 172.16.23.3
R3(config)#crypto isakmp key 6 cisco address 172.16.12.1
‧ Do not create any new interfaces to achieve this task.
‧ Use any encryption algorithms desired for the tasks listed above that use the crypto suite of protocols.
R1(config)#crypto map MYMAP 20 ipsec-isakmp
R1(config-crypto-map)#match address 101
R1(config-crypto-map)#set transform-set 50
R1(config-crypto-map)#set peer 172.16.23.3
R1(config-crypto-map)#set pfs group5
R1(config-crypto-map)#set security-association lifetime seconds 900
R1(config)#interface serial 1/0
R1(config-if)#crypto map MYMAP
R3(config)#crypto map MYMAP 20 ipsec-isakmp
R3(config-crypto-map)#match address 101
R3(config-crypto-map)#set transform-set 50
R3(config-crypto-map)#set peer 172.16.12.1
R3(config-crypto-map)#set pfs group5
R3(config-crypto-map)#set security-association lifetime seconds 900
R3(config)#interface serial 1/1
R3(config-if)#crypto map MYMAP
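Everything configured on R1 and R3 above has to agree on both ends before the tunnel will negotiate: the ISAKMP policy, the transform set, the PFS group, each side's `set peer` pointing at the interface where the other side applies the crypto map, and crypto ACLs that are mirror images of each other. The Python below is an added example, not part of the lab or of Cisco's material; it parses the crypto-related lines of two IOS running-configs (only the configuration forms used in this lab) and reports any of those parameters that do not match. The R1 and R3 samples embedded in it are constructed from the commands above, written the way IOS prints them in a running-config.

```python
"""Added example (not the lab author's or Cisco's code): parse the crypto lines of two
IOS configs and report the IPsec parameters the peers must agree on but do not."""
import re

def parse_ios(cfg):
    """Extract ISAKMP policies, transform sets, crypto maps, interfaces and ACLs
    (only the configuration forms used in this lab are understood)."""
    isakmp, tsets, cmaps, ifaces, acls = {}, {}, {}, {}, {}
    block = None
    for raw in cfg.splitlines():
        t = raw.split()
        if not t or t[0].startswith("!"):
            continue
        if not raw.startswith(" "):            # top-level line: opens a new block
            block = None
            if t[:3] == ["crypto", "isakmp", "policy"]:
                block = ("isakmp", isakmp.setdefault(t[3], {"hash": "sha"}))  # IOS default hash
            elif t[:2] == ["crypto", "map"] and len(t) >= 5:
                block = ("cmap", cmaps.setdefault((t[2], t[3]), {}))
            elif t[0] == "interface":
                block = ("iface", ifaces.setdefault(t[1], {}))
            elif t[:3] == ["crypto", "ipsec", "transform-set"]:
                # "esp-aes 256": a key length stays with its transform; order is irrelevant
                tsets[t[3]] = frozenset(re.findall(r"\S+(?: \d+)?", " ".join(t[4:])))
            elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
                acls.setdefault(t[1], []).append(tuple(t[4:8]))  # (src, wc, dst, wc)
            continue
        if block is None:
            continue
        kind, d = block                        # indented line: attribute of the open block
        if kind == "isakmp":
            d["encr" if t[0] == "encryption" else t[0]] = " ".join(t[1:])
        elif kind == "cmap" and t[0] in ("set", "match"):
            d[t[1] if t[0] == "set" else "acl"] = " ".join(t[2:])
        elif kind == "iface" and t[:2] in (["ip", "address"], ["crypto", "map"]):
            d[t[0]] = t[2]                     # d["ip"] = address, d["crypto"] = map name
    return {"isakmp": isakmp, "tsets": tsets, "cmaps": cmaps, "ifaces": ifaces, "acls": acls}

def check_peers(cfg_a, cfg_b, name_a="A", name_b="B"):
    """Return the mismatches between two peers' configs; an empty list means consistent."""
    findings, a, b = [], parse_ios(cfg_a), parse_ios(cfg_b)
    keys = ("encr", "hash", "authentication", "group", "lifetime")
    for num, pa in a["isakmp"].items():        # IKE phase 1: some policy on B must match A's
        if not any(all(pa.get(k) == pb.get(k) for k in keys) for pb in b["isakmp"].values()):
            findings.append(f"{name_a} isakmp policy {num} has no matching policy on {name_b}")
    crypto_if = lambda p: next(((d["ip"], d["crypto"]) for d in p["ifaces"].values()
                                if "crypto" in d and "ip" in d), (None, None))
    (ip_a, map_a), (ip_b, map_b) = crypto_if(a), crypto_if(b)
    if not (ip_a and ip_b):
        return findings + ["crypto map is not applied to an addressed interface on both peers"]
    for (mname, seq), ea in a["cmaps"].items():
        if mname != map_a:
            continue
        if ea.get("peer") != ip_b:             # A must peer with the interface B encrypts on
            findings.append(f"{name_a} {mname} {seq}: set peer {ea.get('peer')} is not {name_b}'s {ip_b}")
        eb = next((e for (n, _), e in b["cmaps"].items() if n == map_b and e.get("peer") == ip_a), None)
        if eb is None:
            findings.append(f"{name_b} has no {map_b} entry peering with {ip_a}")
            continue
        if (a["tsets"].get(ea.get("transform-set")), ea.get("pfs")) != \
                (b["tsets"].get(eb.get("transform-set")), eb.get("pfs")):
            findings.append(f"transform set or PFS group differs between {name_a} and {name_b}")
        # crypto ACLs must mirror each other: B's (src, dst) is A's (dst, src)
        mirror = sorted((d, dw, s, sw) for (s, sw, d, dw) in b["acls"].get(eb.get("acl"), []))
        if sorted(a["acls"].get(ea.get("acl"), [])) != mirror:
            findings.append(f"crypto ACL {ea.get('acl')} on {name_a} does not mirror ACL {eb.get('acl')} on {name_b}")
    return findings

# Constructed sample: the crypto lines of R1 and R3 from this lab, in running-config form.
IKE_POLICY = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
"""
R1_CONFIG = IKE_POLICY + """\
crypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
crypto map MYMAP 20 ipsec-isakmp
 set peer 172.16.23.3
 set transform-set 50
 set pfs group5
 match address 101
interface Serial1/0
 ip address 172.16.12.1 255.255.255.0
 crypto map MYMAP
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.4.0 0.0.0.255
"""
R3_CONFIG = IKE_POLICY + """\
crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac ah-sha-hmac
crypto map MYMAP 20 ipsec-isakmp
 set peer 172.16.12.1
 set transform-set 50
 set pfs group5
 match address 101
interface Serial1/1
 ip address 172.16.23.3 255.255.255.0
 crypto map MYMAP
access-list 101 permit ip 172.16.4.0 0.0.0.255 172.16.1.0 0.0.0.255
"""
```

`check_peers(R1_CONFIG, R3_CONFIG, "R1", "R3")` returns an empty list for the two samples; change the DH group, the transform set or one ACL on one side and it names the mismatch. The transform-set comparison is deliberately order-insensitive, because IOS re-orders `esp-aes 256 esp-sha-hmac ah-sha-hmac` in the running-config, as the Final Configurations further down show.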
‧ Configure MPLS on both ends of the link between R3 and R4.
R3(config)#interface serial 1/2
R3(config-if)#mpls ip
R4(config)#interface serial 1/2
R4(config-if)#mpls ip
‧ Configure R1 to send system logging messages at the error severity level to an imaginary host located at 172.16.2.200.
R1(config)#logging host 172.16.2.200
R1(config)#logging trap errors
‧ Set up the correct time on R4 using the clock set command. Use the inline IOS help system if you do not know the syntax of this command.
R4#clock set 00:00:00 1 jan 2008
R4#show clock
00:00:07.079 UTC Tue Jan 1 2008
‧ Configure R4 as a Network Time Protocol (NTP) master with stratum 5.
R4(config)#ntp master 5
‧ Configure R3 as an NTP client of R4.
R3#show clock
*02:45:23.711 UTC Fri Mar 1 2002
R3(config)#ntp server 172.16.34.4
R3#show clock
00:02:04.334 UTC Tue Jan 1 2008
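The syslog task on R1 (`logging trap errors`) and the NTP tasks on R3 and R4 meet in the log lines the syslog host at 172.16.2.200 receives: the trap level decides which messages leave the router at all, and the clock decides whether their timestamps can be lined up with other devices. The Python below is an added example, not the lab's or Cisco's code; it parses log lines in the `%FACILITY-SEVERITY-MNEMONIC` shape IOS emits, applies the trap threshold, and flags lines whose timestamp IOS prefixed with `*` (clock not authoritative, as R3's `show clock` showed before `ntp server` was configured). The sample log lines are constructed in that shape, not captured from the lab routers.

```python
"""Added example (not the lab author's or Cisco's code): which IOS log messages
would `logging trap errors` forward to the syslog host, and which of them carry
a timestamp from a clock that was not authoritative when they were written."""
import re

# Severity keywords accepted by `logging trap` and their numeric levels.
IOS_SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
                "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# IOS log line: optional '*' or '.' clock flag, timestamp, %FACILITY-SEVERITY-MNEMONIC: text
LINE_RE = re.compile(r"^(?P<flag>[*.]?)(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d\.\d{3}): "
                     r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")

def parse_line(line):
    """Split one IOS log line into its fields, or return None if it is not a log message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.groupdict()
    msg["severity"] = int(msg["severity"])
    # IOS prefixes the timestamp with '*' when the clock is not authoritative (never set)
    # and with '.' when it is authoritative but NTP is not currently synchronised.
    msg["time_authoritative"] = msg.pop("flag") == ""
    return msg

def forwarded(log_text, trap_level="errors"):
    """Messages that `logging trap <trap_level>` sends to the syslog host: severity at or
    below the threshold (lower number = more severe). Returns FACILITY-SEV-MNEMONIC ids."""
    threshold = IOS_SEVERITY[trap_level]
    return [f"{m['facility']}-{m['severity']}-{m['mnemonic']}"
            for m in map(parse_line, log_text.splitlines()) if m and m["severity"] <= threshold]

def untrusted_timestamps(log_text):
    """Lines whose timestamp cannot be used to correlate events across devices."""
    return [m["stamp"] + " " + m["mnemonic"] for m in map(parse_line, log_text.splitlines())
            if m and not m["time_authoritative"]]

# Constructed sample in the shape IOS produces (not captured from the lab routers): the
# first three lines carry the '*' flag of an unset clock (IOS defaults to 1 Mar 2002, as
# R3's `show clock` showed before `ntp server`), the remaining two follow NTP synchronisation.
SAMPLE_LOG = """\
*Mar  1 00:00:12.345: %SYS-5-CONFIG_I: Configured from console by console
*Mar  1 00:00:20.001: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/1, changed state to up
*Mar  1 00:01:02.777: %LINK-3-UPDOWN: Interface Serial1/1, changed state to down
Jan  1 00:02:10.500: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed (constructed text)
Jan  1 00:03:00.000: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
"""

if __name__ == "__main__":
    print("forwarded at 'errors':", forwarded(SAMPLE_LOG))
    print("stamped by a non-authoritative clock:", untrusted_timestamps(SAMPLE_LOG))
```

With the sample, only `LINK-3-UPDOWN` and `SYS-2-MALLOCFAIL` cross the `errors` threshold; the three `*`-flagged lines are the ones a collector cannot place on a common timeline, which is the practical answer to the question below about why NTP comes before centralised logging.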
Questions
‧ Will R3 or R4 send the NTP queries as MPLS frames? Explain.
‧ Will R3 or R4 send any packets destined to the other router as MPLS frames? Explain.
‧ Will R3 or R4 send any packets at all as MPLS frames? Explain.
‧ Differentiate among the algorithms by explaining which algorithms in your IPsec policy apply to encryption, which to authentication, and which to message integrity. According to your reading, which of the available algorithms in each category is most secure?
‧ How does NTP help prepare a network for system logging? Explain.
Final Configurations
R1:
hostname R1
!
no ip domain lookup
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 3600
crypto isakmp key 6 cisco address 172.16.23.3
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map MYMAP 20 ipsec-isakmp
set peer 172.16.23.3
set security-association lifetime seconds 900
set transform-set 50
set pfs group5
match address 101
!
interface Loopback0
ip address 172.16.1.1 255.255.255.0
!
interface Serial1/0
ip address 172.16.12.1 255.255.255.0
clock rate 64000
crypto map MYMAP
no shutdown
!
router eigrp 1
network 172.16.0.0
no auto-summary
!
logging trap errors
logging 172.16.2.200
!
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.4.0 0.0.0.255
!
line con 0
exec-timeout 0 0
logging synchronous
!
end
R2:
hostname R2
!
no ip domain lookup
!
interface Loopback0
ip address 172.16.2.1 255.255.255.0
!
interface Serial1/0
ip address 172.16.12.2 255.255.255.0
no shutdown
!
interface Serial1/1
ip address 172.16.23.2 255.255.255.0
clock rate 64000
no shutdown
!
router eigrp 1
network 172.16.0.0
no auto-summary
!
line con 0
exec-timeout 0 0
logging synchronous
!
end
R3:
hostname R3
!
!
no ip domain lookup
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 3600
crypto isakmp key 6 cisco address 172.16.12.1
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map MYMAP 20 ipsec-isakmp
set peer 172.16.12.1
set security-association lifetime seconds 900
set transform-set 50
set pfs group5
match address 101
!
interface Loopback0
ip address 172.16.3.1 255.255.255.0
!
interface Serial1/1
ip address 172.16.23.3 255.255.255.0
crypto map MYMAP
no shutdown
!
interface Serial1/2
ip address 172.16.34.3 255.255.255.0
mpls ip
clock rate 64000
no shutdown
!
router eigrp 1
network 172.16.0.0
no auto-summary
!
access-list 101 permit ip 172.16.4.0 0.0.0.255 172.16.1.0 0.0.0.255
!
line con 0
exec-timeout 0 0
logging synchronous
!
ntp server 172.16.34.4
!
end
R4:
hostname R4
!
no ip domain lookup
!
interface Loopback0
ip address 172.16.4.1 255.255.255.0
!
interface Serial1/2
ip address 172.16.34.4 255.255.255.0
mpls ip
no shutdown
!
router eigrp 1
network 172.16.0.0
no auto-summary
!
line con 0
exec-timeout 0 0
logging synchronous
!
ntp master 5
!
end
Reference:
Cisco Networking Academy
http://www.cisco.com/web/learning/netacad/index.html
CCNP Version 5.0: Implementing Secure Converged Wide-Area Networks
Student Lab Manual
First published / last updated: 2008.10.29 / 2018.06.11