CS3.net file for Dynamips:
##################################################
#
# CCNP Version 5.0: Implementing Secure Converged Wide-Area Networks
# Case Study 3: CLI IPSec and Frame-Mode MPLS
# By Happy Peter http://blog.xuite.net/juilin77/happy
#
##################################################
autostart=false
[localhost:7200]
workingdir = /opt/dynamips/dynagen-0.10.1/UTS/CCNP2/LabCS3/workingconfig
[[3725]]
# Specify 3725 IOS image on Linux here:
image = /opt/dynamips/images/c3725-ad.bin
ram = 256
idlepc = 0x60bf8d58
mmap = true
ghostios = true
confreg = 0x2102
###########################
#
# Define router instances 1
#
###########################
[[Router R1]]
model = 3725
console = 2001
slot1 = NM-4T
s1/0 = R2 s1/0
[[Router R2]]
model = 3725
console = 2002
slot1 = NM-4T
[[Router R3]]
model = 3725
console = 2003
slot1 = NM-4T
s1/2 = R4 s1/2
[[Router R4]]
model = 3725
console = 2004
slot1 = NM-4T
[[Router SW1]]
model = 3725
console = 2005
slot1 = NM-16ESW
f1/2 = R2 f0/0
f1/3 = R3 f0/0
Basic Configuration:
R1-4:
enable
configure terminal
!
no ip domain lookup
!
line console 0
logging synchronous
exec-timeout 0 0
!
host R*
SW1:
enable
configure terminal
!
no ip domain lookup
!
no ip routing
!
line console 0
logging synchronous
exec-timeout 0 0
!
host SW1
Scenario
The International Travel Agency needs parts of its network set up with IPSec and
Multiprotocol Label Switching (MPLS) according to the given specifications and the topology
shown in the diagram. This case study should be completed using the Cisco IOS
command-line interface (CLI), without using the Cisco Security Device Manager
(SDM).
· Configure all interfaces using the addressing scheme shown in the topology diagram.
R1:
interface Loopback0
ip address 172.16.1.10 255.255.255.0
no shutdown
!
interface Serial1/0
ip address 172.16.12.1 255.255.255.0
clock rate 64000
no shutdown
R2:
interface FastEthernet0/0
ip address 172.16.24.1 255.255.255.0
speed 100
full-duplex
no shutdown
!
interface Serial1/0
ip address 172.16.12.2 255.255.255.0
no shutdown
R3:
interface Loopback0
ip address 172.16.3.10 255.255.255.0
!
interface FastEthernet0/0
ip address 172.16.24.2 255.255.255.0
speed 100
full-duplex
no shutdown
!
interface Serial1/2
ip address 172.16.34.1 255.255.255.0
clock rate 64000
no shutdown
R4:
interface Loopback0
ip address 172.16.4.10 255.255.255.0
!
interface Serial1/2
ip address 172.16.34.2 255.255.255.0
no shutdown
· Run Enhanced Interior Gateway Routing Protocol (EIGRP) AS 1 in the entire International
Travel Agency core network. All subnets should be included.
R1-4:
router eigrp 1
network 172.16.0.0
no auto-summary
· Create an IPsec tunnel between R1 and R4 with an appropriate transform set and
Internet Security Association and Key Management Protocol (ISAKMP) policy.
R1:
crypto ipsec transform-set happypeter ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 3600
R4:
crypto ipsec transform-set happypeter ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 3600
· This IPsec tunnel should only encrypt traffic between hosts in the local R1 and R4 LANs.
R1:
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.4.0 0.0.0.255
R4:
access-list 101 permit ip 172.16.4.0 0.0.0.255 172.16.1.0 0.0.0.255
· Use pre-shared keys for authentication in the ISAKMP policy.
R1:
crypto isakmp key 6 cisco address 172.16.34.2
R4:
crypto isakmp key 6 cisco address 172.16.12.1
· Do not create any new interfaces to achieve this task.
· Use any encryption algorithms desired for the tasks listed above that use the crypto
suite of protocols.
R1:
crypto map petermap 20 ipsec-isakmp
set peer 172.16.34.2
set security-association lifetime seconds 900
set transform-set happypeter
set pfs group5
match address 101
!
interface Serial1/0
crypto map petermap
R4:
crypto map petermap 20 ipsec-isakmp
set peer 172.16.12.1
set security-association lifetime seconds 900
set transform-set happypeter
set pfs group5
match address 101
!
interface Serial1/2
crypto map petermap
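As an added check (example code written for this page, not part of the lab or of Cisco's tooling), the following Python script parses the crypto-related lines of the R1 and R4 configurations above and reports the mismatches that most often keep a site-to-site tunnel from forming: set peer not pointing at the other side's crypto-map interface address, no pre-shared key for that peer, no ISAKMP policy in common, differing transform sets or PFS groups, and crypto ACLs that are not mirror images of each other. The two configuration strings are constructed from the configs shown above (lifetimes left out); the fallback values des, sha, rsa-sig and group 1 are the IOS defaults for attributes an ISAKMP policy does not set.

```python
"""Added example (not from the lab): cross-check both ends of the R1/R4 IPsec tunnel.
Inputs are constructed from the R1 and R4 configurations shown above, lifetimes omitted."""
import re

R1_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key 6 cisco address 172.16.34.2
crypto ipsec transform-set happypeter ah-sha-hmac esp-aes 256 esp-sha-hmac
crypto map petermap 20 ipsec-isakmp
 set peer 172.16.34.2
 set transform-set happypeter
 set pfs group5
 match address 101
interface Serial1/0
 ip address 172.16.12.1 255.255.255.0
 crypto map petermap
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.4.0 0.0.0.255
"""
R4_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key 6 cisco address 172.16.12.1
crypto ipsec transform-set happypeter ah-sha-hmac esp-aes 256 esp-sha-hmac
crypto map petermap 20 ipsec-isakmp
 set peer 172.16.12.1
 set transform-set happypeter
 set pfs group5
 match address 101
interface Serial1/2
 ip address 172.16.34.2 255.255.255.0
 crypto map petermap
access-list 101 permit ip 172.16.4.0 0.0.0.255 172.16.1.0 0.0.0.255
"""

def parse_crypto(config):
    """Collect the IOS crypto pieces that have to agree between two peers."""
    d = {"policies": {}, "keys": {}, "tsets": {}, "maps": {}, "intfs": {}, "acls": {}}
    section = None  # (kind, name) of the indented block being read
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if raw.startswith(" "):  # body line of the current block
            if section and section[0] == "policy":
                d["policies"][section[1]][t[0]] = " ".join(t[1:])
            elif section and section[0] == "map" and t[0] in ("set", "match"):
                d["maps"][section[1]][t[1]] = t[2]  # keys: peer, transform-set, pfs, address
            elif section and section[0] == "intf" and t[:2] in (["ip", "address"], ["crypto", "map"]):
                d["intfs"][section[1]][t[1]] = t[2]  # keys: address, map
            continue
        section = None
        if raw.startswith("crypto isakmp policy "):
            section = ("policy", t[3])
            d["policies"][t[3]] = {}
        elif raw.startswith("crypto isakmp key "):
            m = re.match(r"crypto isakmp key (?:(\d) )?(\S+) address (\S+)", raw)
            d["keys"][m.group(3)] = (m.group(1) or "0", m.group(2))  # (key type, key)
        elif raw.startswith("crypto ipsec transform-set "):
            d["tsets"][t[3]] = t[4:]
        elif raw.startswith("crypto map ") and t[-1] == "ipsec-isakmp":
            section = ("map", t[2])
            d["maps"][t[2]] = {}
        elif t[0] == "interface":
            section = ("intf", t[1])
            d["intfs"][t[1]] = {}
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            d["acls"].setdefault(t[1], []).append(tuple(t[4:8]))  # (src, wc, dst, wc)
    return d

def endpoint(d, map_name):
    """IKE endpoint: address of the interface that carries the crypto map."""
    return next((i.get("address") for i in d["intfs"].values() if i.get("map") == map_name), None)

def check_peers(a, b, map_name):
    """Return the mismatches that would keep the tunnel from forming; empty means consistent."""
    ma, mb = a["maps"].get(map_name, {}), b["maps"].get(map_name, {})
    findings = []
    if ma.get("peer") != endpoint(b, map_name) or mb.get("peer") != endpoint(a, map_name):
        findings.append("set peer does not match the other side's crypto-map interface address")
    for side, m in ((a, ma), (b, mb)):
        if m.get("peer") not in side["keys"]:
            findings.append(f"no ISAKMP pre-shared key for peer {m.get('peer')}")
    ka, kb = a["keys"].get(ma.get("peer")), b["keys"].get(mb.get("peer"))
    if ka and kb and "6" not in (ka[0], kb[0]) and ka[1] != kb[1]:
        findings.append("pre-shared keys differ")  # type-6 keys are stored encrypted, so only clear-text keys compare
    def sig(p):  # IOS defaults apply to attributes a policy leaves out
        return (p.get("encr", "des"), p.get("hash", "sha"), p.get("authentication", "rsa-sig"), p.get("group", "1"))
    if not {sig(p) for p in a["policies"].values()} & {sig(p) for p in b["policies"].values()}:
        findings.append("no ISAKMP policy with matching encryption/hash/authentication/DH group")
    if a["tsets"].get(ma.get("transform-set")) != b["tsets"].get(mb.get("transform-set")):
        findings.append("transform sets differ")
    if ma.get("pfs") != mb.get("pfs"):
        findings.append("PFS group differs")
    mirror = {(dst, dw, src, sw) for (src, sw, dst, dw) in b["acls"].get(mb.get("address"), [])}
    if set(a["acls"].get(ma.get("address"), [])) != mirror:
        findings.append("crypto ACLs are not mirror images of each other")
    return findings
```

Call check_peers(parse_crypto(R1_CONFIG), parse_crypto(R4_CONFIG), "petermap"); an empty list means both ends agree, which is the case for the configurations above. Type-6 keys are stored encrypted per device, so the script compares key strings only when both sides store them in clear text; swapping the R4 ACL destination or its PFS group produces the corresponding finding.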
R1#ping 172.16.4.10 source 172.16.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.4.10, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.10
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/13/16 ms
R1#
R1#show crypto ipsec sa
interface: Serial1/0
Crypto map tag: petermap, local addr 172.16.12.1
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.4.0/255.255.255.0/0/0)
current_peer 172.16.34.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 172.16.12.1, remote crypto endpt.: 172.16.34.2
path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0
current outbound spi: 0x9B4C2246(2605457990)
inbound esp sas:
spi: 0x58AFC642(1487914562)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, crypto map: petermap
sa timing: remaining key lifetime (k/sec): (4452654/835)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
spi: 0xE3746F67(3816058727)
transform: ah-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, crypto map: petermap
sa timing: remaining key lifetime (k/sec): (4452654/834)
replay detection support: Y
Status: ACTIVE
inbound pcp sas:
outbound esp sas:
spi: 0x9B4C2246(2605457990)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, crypto map: petermap
sa timing: remaining key lifetime (k/sec): (4452654/834)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
spi: 0x76AEB718(1991161624)
transform: ah-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, crypto map: petermap
sa timing: remaining key lifetime (k/sec): (4452654/833)
replay detection support: Y
Status: ACTIVE
outbound pcp sas:
R1#
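The listing above is the healthy case. The following Python script, added here as an example (not from the lab), turns "show crypto ipsec sa" output into the checks a NOC or SOC would automate: one ACTIVE SA per direction for each protocol the transform set calls for (AH and ESP here), negotiated transforms within the configured set, remaining lifetime not above the configured 900 seconds, and the one-way-traffic symptom (encaps climbing while decaps stays at zero) that usually points at a crypto ACL or return-routing problem on the far side. SHOW_SA is constructed from R1's output above with IOS indentation restored and a few lines dropped; IOS displaying "esp-aes 256" as "esp-256-aes" is the only normalization applied.

```python
"""Added example (not from the lab): health check over 'show crypto ipsec sa' output.
SHOW_SA is constructed from the R1 listing above (IOS indentation restored, some lines omitted)."""
import re

SHOW_SA = """\
interface: Serial1/0
   current_peer 172.16.34.2 port 500
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #send errors 1, #recv errors 0
     current outbound spi: 0x9B4C2246(2605457990)
     inbound esp sas:
      spi: 0x58AFC642(1487914562)
        transform: esp-256-aes esp-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4452654/835)
        Status: ACTIVE
     inbound ah sas:
      spi: 0xE3746F67(3816058727)
        transform: ah-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4452654/834)
        Status: ACTIVE
     outbound esp sas:
      spi: 0x9B4C2246(2605457990)
        transform: esp-256-aes esp-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4452654/834)
        Status: ACTIVE
     outbound ah sas:
      spi: 0x76AEB718(1991161624)
        transform: ah-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4452654/833)
        Status: ACTIVE
"""
SCALARS = {  # one-off fields; regex group 1 is the value
    "peer": r"current_peer (\S+)",
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
    "send_errors": r"#send errors (\d+)",
    "outbound_spi": r"current outbound spi: (0x[0-9A-Fa-f]+)",
}
SA_FIELDS = (  # per-SA fields inside an 'inbound/outbound <proto> sas:' section
    ("transform", r"transform: (.*?),?\s*$"),
    ("remaining_sec", r"sa timing: remaining key lifetime \(k/sec\): \(\d+/(\d+)\)"),
    ("status", r"Status: (\w+)"),
)

def parse_ipsec_sa(text):
    """Reduce the listing to peer, packet counters and one dict per SA."""
    info = {"sas": []}
    direction = proto = sa = None
    for raw in text.splitlines():
        line = raw.strip()
        for key, pattern in SCALARS.items():
            m = re.match(pattern, line)
            if m:
                info[key] = int(m.group(1)) if m.group(1).isdigit() else m.group(1)
        m = re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line)
        if m:
            direction, proto, sa = m.group(1), m.group(2), None
            continue
        m = re.match(r"spi: (0x[0-9A-Fa-f]+)", line)
        if m:  # every 'spi:' line opens a new SA inside the current section
            sa = {"direction": direction, "proto": proto, "spi": m.group(1)}
            info["sas"].append(sa)
        elif sa is not None:
            for key, pattern in SA_FIELDS:
                m = re.match(pattern, line)
                if m:
                    v = m.group(1)
                    sa[key] = v.split() if key == "transform" else int(v) if v.isdigit() else v
    return info

def normalize_transform_set(configured):
    """IOS shows 'esp-aes 256' as 'esp-256-aes'; fold key sizes into the token."""
    tokens, out = configured.split(), []
    while tokens:
        tok = tokens.pop(0)
        if tokens and tokens[0].isdigit():
            tok = tok.replace("-", f"-{tokens.pop(0)}-", 1)
        out.append(tok)
    return out

def assess(info, transform_set, lifetime_sec=3600):
    """Findings prefixed 'warn:' need action; 'info:' is explanatory. 3600 s is the IOS default SA lifetime."""
    expected = normalize_transform_set(transform_set)
    findings = []
    for direction in ("inbound", "outbound"):
        for proto in sorted({t.split("-")[0] for t in expected}):  # ah, esp
            active = [s for s in info["sas"] if (s["direction"], s["proto"], s.get("status")) == (direction, proto, "ACTIVE")]
            if len(active) != 1:
                findings.append(f"warn: expected one ACTIVE {direction} {proto} SA, found {len(active)}")
            for s in active:
                if any(t not in expected for t in s.get("transform", [])):
                    findings.append(f"warn: {direction} {proto} SA negotiated {s['transform']}, outside the configured set")
                if s.get("remaining_sec", 0) > lifetime_sec:
                    findings.append(f"warn: {direction} {proto} SA lifetime exceeds the configured {lifetime_sec}s")
    if info.get("encaps") and not info.get("decaps"):
        findings.append("warn: one-way traffic: packets are encrypted but none are decrypted (check the peer's crypto ACL and return routing)")
    if info.get("send_errors"):
        findings.append(f"info: {info['send_errors']} send error(s), typically the first packet dropped while IKE was still negotiating")
    return findings
```

assess(parse_ipsec_sa(SHOW_SA), "ah-sha-hmac esp-aes 256 esp-sha-hmac", lifetime_sec=900) returns only the informational note about the single send error; zeroing the decaps counter or changing one AH transform in the sample produces the corresponding warning.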
· Configure MPLS on routers R1, R2 and R3 in accordance with the diagram.
R1:
interface Serial1/0
mpls ip
R2:
interface FastEthernet0/0
mpls ip
mpls mtu 1508
!
interface Serial1/0
mpls ip
R3:
interface FastEthernet0/0
mpls ip
mpls mtu 1508
R1#show mpls interfaces
Interface              IP            Tunnel   Operational
Serial1/0              Yes (ldp)     No       Yes
R1#
R2#show mpls interfaces
Interface              IP            Tunnel   Operational
FastEthernet0/0        Yes (ldp)     No       Yes
Serial1/0              Yes (ldp)     No       Yes
R2#
R3#show mpls interfaces
Interface              IP            Tunnel   Operational
FastEthernet0/0        Yes (ldp)     No       Yes
R3#
· Set the switch SW1 to accept ‘jumbo’ packets on all used ports.
Dynamips does not support this feature.
Jumbo/Giant Frame Support on Catalyst Switches Configuration Example
http://www.cisco.com/en/US/products/hw/switches/ps700/products_configuration_example09186a008010edab.shtml
Catalyst 2900XL/3500XL Series
3500XL(config)#int fastEthernet 0/3
3500XL(config-if)#mtu 1508
Catalyst 3550 Series /3560 Series
3550(config)#system mtu 1508
· Configure R1 to send system logging messages at the debug severity level to
host 172.16.3.10 located at R3.
R1:
logging host 172.16.3.10
logging trap debugging
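To see what "logging trap debugging" actually exports, here is an added Python example (not from the lab) that decodes IOS syslog lines the way the collector on 172.16.3.10 would: PRI = facility * 8 + severity (RFC 3164), facility local7 (23) being the IOS default, and only messages with severity at or below the trap level are sent. The three sample lines are constructed; their format follows IOS output with sequence numbers and millisecond timestamps, and the ISAKMP state line stands in for the raw debug text that a "crypto isakmp" debug produces.

```python
"""Added example (not from the lab): what 'logging trap <level>' lets through, decoded
as the collector sees it. SAMPLE lines are constructed in IOS syslog format."""
import re

LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3, "warnings": 4,
          "notifications": 5, "informational": 6, "debugging": 7}  # IOS 'logging trap' keywords

# Constructed sample; PRI 189/191/187 = local7 (23) * 8 + severity 5/7/3.
SAMPLE = [
    "<189>15: *Mar  1 00:12:31.427: %SYS-5-CONFIG_I: Configured from console by console",
    "<191>16: *Mar  1 00:13:02.115: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1",
    "<187>17: *Mar  1 00:13:05.880: %LINK-3-UPDOWN: Interface Serial1/0, changed state to up",
]

LINE_RE = re.compile(r"<(\d+)>(?:(\d+): )?(?:(\*?\w{3}\s+\d+ [\d:.]+): )?(.*)$")
MNEMONIC_RE = re.compile(r"%(\w+)-(\d)-(\w+):")

def parse_ios_syslog(line):
    """Split PRI, optional sequence number, optional timestamp and text; None if not syslog."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    msg = {"facility": pri // 8, "severity": pri % 8,
           "seq": m.group(2), "timestamp": m.group(3), "text": m.group(4)}
    mm = MNEMONIC_RE.match(m.group(4))
    if mm:  # %FACILITY-SEVERITY-MNEMONIC carries its own severity; check it agrees with PRI
        msg["mnemonic"] = f"{mm.group(1)}-{mm.group(2)}-{mm.group(3)}"
        msg["consistent"] = int(mm.group(2)) == msg["severity"]
    return msg

def forwarded_at(trap_level, lines):
    """Messages a router with 'logging trap <trap_level>' would send: severity <= level."""
    limit = LEVELS[trap_level]
    return [m for m in map(parse_ios_syslog, lines) if m and m["severity"] <= limit]
```

With the sample, forwarded_at("debugging", SAMPLE) keeps all three lines, while forwarded_at("informational", SAMPLE) drops the severity-7 ISAKMP debug line, which is why the lab sets the trap level to debugging before the tasks that watch IKE on the syslog host.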
Tasks
· Generate some traffic from Host in R1 towards Host in R4.
· Capture the packets at the Host marked as ‘Wireshark’.
· Will these packets be encapsulated as MPLS frames? Explain.
· On R1, turn on debug for ‘crypto ipsec sa’ and ‘crypto isakmp sa’.
· Clear the tunnel between R1 and R4.
· Generate the traffic between the hosts again and watch your Syslog on host 172.16.3.10.
· Watch the traffic between R1 and the host 172.16.3.10. Is it framed as MPLS?
· Generate some traffic from R1 (the router, not the host) towards the host at R4.
· What are the results of the capture? Encrypted packets? MPLS packets? Both?
· What would happen if R3 were made a firewall (FW) with the outside interface facing R4
and the inside interface facing R2? Would the IPsec tunnel still form? If not, what
should you do to allow the tunnel through the FW?
Final Configurations
R1:
hostname R1
!
!
no ip domain lookup
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 3600
crypto isakmp key 6 cisco address 172.16.34.2
!
crypto ipsec transform-set happypeter ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map petermap 20 ipsec-isakmp
set peer 172.16.34.2
set security-association lifetime seconds 900
set transform-set happypeter
set pfs group5
match address 101
!
interface Loopback0
ip address 172.16.1.10 255.255.255.0
!
interface Serial1/0
ip address 172.16.12.1 255.255.255.0
mpls ip
clock rate 64000
crypto map petermap
no shutdown
!
router eigrp 1
network 172.16.0.0
no auto-summary
!
logging trap debugging
logging 172.16.3.10
!
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.4.0 0.0.0.255
!
line con 0
exec-timeout 0 0
logging synchronous
!
end
R2:
hostname R2
!
no ip domain lookup
!
interface FastEthernet0/0
ip address 172.16.24.1 255.255.255.0
speed 100
full-duplex
mpls ip
mpls mtu 1508
no shutdown
!
interface Serial1/0
ip address 172.16.12.2 255.255.255.0
mpls ip
no shutdown
!
router eigrp 1
network 172.16.0.0
no auto-summary
!
line con 0
exec-timeout 0 0
logging synchronous
!
end
R3:
hostname R3
!
no ip domain lookup
!
interface Loopback0
ip address 172.16.3.10 255.255.255.0
!
interface FastEthernet0/0
ip address 172.16.24.2 255.255.255.0
speed 100
full-duplex
mpls ip
mpls mtu 1508
no shutdown
!
interface Serial1/2
ip address 172.16.34.1 255.255.255.0
clock rate 64000
no shutdown
!
router eigrp 1
network 172.16.0.0
no auto-summary
!
line con 0
exec-timeout 0 0
logging synchronous
!
end
R4:
hostname R4
!
no ip domain lookup
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 3600
!
crypto isakmp key 6 cisco address 172.16.12.1
!
crypto ipsec transform-set happypeter ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map petermap 20 ipsec-isakmp
set peer 172.16.12.1
set security-association lifetime seconds 900
set transform-set happypeter
set pfs group5
match address 101
!
interface Loopback0
ip address 172.16.4.10 255.255.255.0
!
interface Serial1/2
ip address 172.16.34.2 255.255.255.0
crypto map petermap
no shutdown
!
router eigrp 1
network 172.16.0.0
no auto-summary
!
access-list 101 permit ip 172.16.4.0 0.0.0.255 172.16.1.0 0.0.0.255
!
line con 0
exec-timeout 0 0
logging synchronous
!
end
SW1:
hostname SW1
!
no ip routing
!
no ip domain lookup
!
line con 0
exec-timeout 0 0
logging synchronous
!
end
Reference:
Cisco Networking Academy
http://www.cisco.com/web/learning/netacad/index.html
CCNP Version 5.0: Implementing Secure Converged Wide-Area Networks
Student Lab Manual
First published / Last updated: 2008.10.29 / 2018.06.11