Published June 11, 2018

CCNP-ISCW-v5.0 Lab Case Study 3: CLI IPSec and Frame-Mode MPLS


CS3.net file for Dynamips:

##################################################
#
# CCNP Version 5.0: Implementing Secure Converged Wide-Area Networks
# Case Study 3: CLI IPSec and Frame-Mode MPLS
# By Happy Peter  http://blog.xuite.net/juilin77/happy
#
##################################################

autostart=false
[localhost:7200]
 workingdir = /opt/dynamips/dynagen-0.10.1/UTS/CCNP2/LabCS3/workingconfig

[[3725]]
# Specify 3725 IOS image on Linux here:
 image = /opt/dynamips/images/c3725-ad.bin
 ram = 256
 idlepc =0x60bf8d58
 mmap = true
 ghostios = true
 confreg = 0x2102

###########################
#
# Define router instances 1
#
###########################
 
[[Router R1]]
 model = 3725
 console = 2001
 slot1 = NM-4T
 s1/0 = R2 s1/0

[[Router R2]]
 model = 3725
 console = 2002
 slot1 = NM-4T

[[Router R3]]
 model = 3725
 console = 2003
 slot1 = NM-4T
 s1/2 = R4 s1/2

[[Router R4]]
 model = 3725
 console = 2004
 slot1 = NM-4T

[[Router SW1]]
 model = 3725
 console = 2005
 slot1 = NM-16ESW
 f1/2 = R2 f0/0
 f1/3 = R3 f0/0



Basic Configuration:
R1-4:
enable
configure terminal
!
no ip domain lookup
!
line console 0
 logging synchronous
 exec-timeout 0 0
!
host R*

SW1:
enable
configure terminal
!
no ip domain lookup
!
no ip routing
!
line console 0
 logging synchronous
 exec-timeout 0 0
!
host SW1


Scenario
The International Travel Agency needs parts of its network set up with IPsec and
Multiprotocol Label Switching (MPLS) according to the specifications below and the
topology shown in the diagram. This case study should be completed using the Cisco IOS
command-line interface (CLI), without using the Cisco Security Device Manager
(SDM).

· Configure all interfaces using the addressing scheme shown in the topology diagram.
R1:
interface Loopback0
 ip address 172.16.1.10 255.255.255.0
 no shutdown
!
interface Serial1/0
 ip address 172.16.12.1 255.255.255.0
 clock rate 64000
 no shutdown

R2:
interface FastEthernet0/0
 ip address 172.16.24.1 255.255.255.0
 speed 100
 full-duplex
 no shutdown
!
interface Serial1/0
 ip address 172.16.12.2 255.255.255.0
 no shutdown

R3:
interface Loopback0
 ip address 172.16.3.10 255.255.255.0
!
interface FastEthernet0/0
 ip address 172.16.24.2 255.255.255.0
 speed 100
 full-duplex
 no shutdown
!             
interface Serial1/2
 ip address 172.16.34.1 255.255.255.0
 clock rate 64000
 no shutdown

R4:
interface Loopback0
 ip address 172.16.4.10 255.255.255.0
!
interface Serial1/2
 ip address 172.16.34.2 255.255.255.0
 no shutdown


· Run Enhanced Interior Gateway Routing Protocol (EIGRP) AS 1 in the entire International
 Travel Agency core network. All subnets should be included.
R1-4:
router eigrp 1
 network 172.16.0.0
 no auto-summary


· Create an IPsec tunnel between R1 and R4 with an appropriate transform set and
 Internet Security Association and Key Management Protocol (ISAKMP) policy.
R1:
crypto ipsec transform-set happypeter ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600

R4:
crypto ipsec transform-set happypeter ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600


· This IPsec tunnel should only encrypt traffic between hosts in the local R1 and R4 LANs.
R1:
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.4.0 0.0.0.255

R4:
access-list 101 permit ip 172.16.4.0 0.0.0.255 172.16.1.0 0.0.0.255
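A consistency check for the two crypto ACLs above, as an added example (Python, not part of the original lab): every `permit` entry on one peer has to appear on the other peer with source and destination swapped, otherwise the proxy identities the two routers propose during IPsec negotiation will not match. The ACL text is constructed from the R1 and R4 lines above, plus one deliberately mismatched R4 entry to show what the check reports; only contiguous wildcard masks are handled.

```python
import ipaddress
import re

# Constructed input: the crypto ACLs configured on R1 and R4 in this lab.
R1_ACL = "access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.4.0 0.0.0.255\n"
R4_ACL = "access-list 101 permit ip 172.16.4.0 0.0.0.255 172.16.1.0 0.0.0.255\n"

# Constructed negative case: R4 narrowed its destination to a single host,
# so it no longer mirrors R1's /24 entry.
R4_ACL_MISMATCH = "access-list 101 permit ip 172.16.4.0 0.0.0.255 172.16.1.10 0.0.0.0\n"

# Matches 'access-list <num> permit ip <src> <src-wildcard> <dst> <dst-wildcard>'.
ACE_RE = re.compile(
    r"^access-list\s+(\d+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$"
)


def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into an IPv4Network.

    IOS wildcards are inverse masks (0 = must match, 1 = don't care), so the
    subnet mask is the bitwise complement. Only contiguous wildcards are
    accepted; a sparse wildcard such as 0.0.255.0 is not a single network.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    mask = (~wc) & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} is not supported")
    base = int(ipaddress.IPv4Address(addr)) & mask
    return ipaddress.IPv4Network((base, prefixlen))


def parse_crypto_acl(text):
    """Return the set of (source_network, destination_network) pairs
    from every 'permit ip' entry in the ACL text."""
    pairs = set()
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m is None:
            continue
        _acl, src, src_wc, dst, dst_wc = m.groups()
        pairs.add((wildcard_to_network(src, src_wc),
                   wildcard_to_network(dst, dst_wc)))
    return pairs


def unmirrored_entries(local_acl, remote_acl):
    """List the local (src, dst) entries that the remote peer does not
    mirror as (dst, src). An empty list means the two crypto ACLs agree."""
    remote_pairs = parse_crypto_acl(remote_acl)
    missing = []
    for src, dst in sorted(parse_crypto_acl(local_acl), key=str):
        if (dst, src) not in remote_pairs:
            missing.append((str(src), str(dst)))
    return missing


if __name__ == "__main__":
    print("R1 vs R4:", unmirrored_entries(R1_ACL, R4_ACL) or "mirrored OK")
    print("R1 vs mismatched R4:", unmirrored_entries(R1_ACL, R4_ACL_MISMATCH))
```

Run the check in both directions (R1 against R4 and R4 against R1); an entry reported from either side means one peer will propose a proxy identity the other will reject.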


· Use pre-shared keys for authentication in the ISAKMP policy.
R1:
crypto isakmp key 6 cisco address 172.16.34.2

R4:
crypto isakmp key 6 cisco address 172.16.12.1


· Do not create any new interfaces to achieve this task.
· Use any encryption algorithms desired for the tasks listed above that use the crypto
 suite of protocols.
R1:
crypto map petermap 20 ipsec-isakmp
 set peer 172.16.34.2
 set security-association lifetime seconds 900
 set transform-set happypeter
 set pfs group5
 match address 101
!
interface Serial1/0
 crypto map petermap

R4:
crypto map petermap 20 ipsec-isakmp
 set peer 172.16.12.1
 set security-association lifetime seconds 900
 set transform-set happypeter
 set pfs group5
 match address 101
!
interface Serial1/2
 crypto map petermap


R1#ping 172.16.4.10 source 172.16.1.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.4.10, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.10
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/13/16 ms
R1#
R1#show crypto ipsec sa

interface: Serial1/0
    Crypto map tag: petermap, local addr 172.16.12.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.4.0/255.255.255.0/0/0)
   current_peer 172.16.34.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 172.16.12.1, remote crypto endpt.: 172.16.34.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0
     current outbound spi: 0x9B4C2246(2605457990)

     inbound esp sas:
      spi: 0x58AFC642(1487914562)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, crypto map: petermap
        sa timing: remaining key lifetime (k/sec): (4452654/835)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:
      spi: 0xE3746F67(3816058727)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, crypto map: petermap
        sa timing: remaining key lifetime (k/sec): (4452654/834)
        replay detection support: Y
        Status: ACTIVE

     inbound pcp sas:

     outbound esp sas:
      spi: 0x9B4C2246(2605457990)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, crypto map: petermap
        sa timing: remaining key lifetime (k/sec): (4452654/834)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:
      spi: 0x76AEB718(1991161624)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, crypto map: petermap
        sa timing: remaining key lifetime (k/sec): (4452654/833)
        replay detection support: Y
        Status: ACTIVE

     outbound pcp sas:
R1#
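A parser for the `show crypto ipsec sa` output above, as an added example (Python, not from the lab). It extracts each SA with its direction, protocol, SPI, transform and status, collects the packet counters, and reports what a verifier wants to know: a missing or non-ACTIVE SA for either protocol in either direction, zero encrypt or decrypt counters, or send errors. The sample text is R1's output from the lab, trimmed to the lines the parser consumes.

```python
import re

# Constructed sample: R1's 'show crypto ipsec sa' output from this lab, trimmed
# to the lines the parser consumes (counters and the per-SA sections).
SHOW_SA = """\
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #send errors 1, #recv errors 0

     inbound esp sas:
      spi: 0x58AFC642(1487914562)
        transform: esp-256-aes esp-sha-hmac ,
        Status: ACTIVE

     inbound ah sas:
      spi: 0xE3746F67(3816058727)
        transform: ah-sha-hmac ,
        Status: ACTIVE

     inbound pcp sas:

     outbound esp sas:
      spi: 0x9B4C2246(2605457990)
        transform: esp-256-aes esp-sha-hmac ,
        Status: ACTIVE

     outbound ah sas:
      spi: 0x76AEB718(1991161624)
        transform: ah-sha-hmac ,
        Status: ACTIVE

     outbound pcp sas:
"""

SECTION_RE = re.compile(r"^\s*(inbound|outbound) (esp|ah|pcp) sas:")
SPI_RE = re.compile(r"^\s*spi: (0x[0-9A-Fa-f]+)")
TRANSFORM_RE = re.compile(r"^\s*transform: (.*?)\s*,?\s*$")
STATUS_RE = re.compile(r"^\s*Status: (\w+)")
COUNTER_RE = re.compile(r"#pkts ([a-z. ]+?): (\d+)")
ERRORS_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")


def parse_ipsec_sa(text):
    """Return {'sas': [...], 'counters': {...}} from show crypto ipsec sa output.

    A section header such as 'inbound esp sas:' decides which SA a following
    'spi:' line belongs to; 'transform:' and 'Status:' attach to the latest SA.
    """
    sas, counters, section = [], {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = (m.group(1), m.group(2))
            continue
        m = SPI_RE.match(line)
        if m and section:
            sas.append({"direction": section[0], "proto": section[1],
                        "spi": m.group(1), "transform": None, "status": None})
            continue
        m = TRANSFORM_RE.match(line)
        if m and sas:
            sas[-1]["transform"] = m.group(1).strip(" ,")
            continue
        m = STATUS_RE.match(line)
        if m and sas:
            sas[-1]["status"] = m.group(1)
            continue
        for name, value in COUNTER_RE.findall(line):
            counters[name.strip()] = int(value)
        m = ERRORS_RE.search(line)
        if m:
            counters["send errors"] = int(m.group(1))
            counters["recv errors"] = int(m.group(2))
    return {"sas": sas, "counters": counters}


def tunnel_findings(parsed, expected_protos=("esp", "ah")):
    """Return a list of problems; empty means the tunnel is up and carrying
    traffic. This lab's transform set uses both AH and ESP, so an ACTIVE SA
    is expected for each protocol in each direction."""
    findings = []
    for direction in ("inbound", "outbound"):
        for proto in expected_protos:
            if not any(sa["direction"] == direction and sa["proto"] == proto
                       and sa["status"] == "ACTIVE" for sa in parsed["sas"]):
                findings.append(f"no ACTIVE {direction} {proto} SA")
    c = parsed["counters"]
    if c.get("encrypt", 0) == 0:
        findings.append("no packets encrypted yet")
    if c.get("decrypt", 0) == 0:
        findings.append("no packets decrypted yet")
    if c.get("send errors", 0):
        findings.append(f"{c['send errors']} send error(s)")
    return findings


if __name__ == "__main__":
    result = parse_ipsec_sa(SHOW_SA)
    for sa in result["sas"]:
        print(sa["direction"], sa["proto"], sa["spi"], sa["transform"], sa["status"])
    print("findings:", tunnel_findings(result) or "none")
```

On the lab's own output the only finding is the single send error in the counters; the four SAs are ACTIVE and the encrypt/decrypt counters match the encaps/decaps counts, which is what a healthy AH+ESP tunnel looks like.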


· Configure MPLS on routers R1, R2 and R3 in accordance with the diagram.
R1:
interface Serial1/0
 mpls ip

R2:
interface FastEthernet0/0
 mpls ip
 mpls mtu 1508
!
interface Serial1/0
 mpls ip

R3:
interface FastEthernet0/0
 mpls ip
 mpls mtu 1508

R1#show mpls interfaces
Interface              IP            Tunnel   Operational
Serial1/0              Yes (ldp)     No       Yes       
R1#

R2#show mpls interfaces
Interface              IP            Tunnel   Operational
FastEthernet0/0        Yes (ldp)     No       Yes       
Serial1/0              Yes (ldp)     No       Yes       
R2#

R3#show mpls interfaces
Interface              IP            Tunnel   Operational
FastEthernet0/0        Yes (ldp)     No       Yes       
R3#


· Set the switch SW1 to accept ‘jumbo’ packets on all used ports.
Dynamips does not support this feature.
Jumbo/Giant Frame Support on Catalyst Switches Configuration Example
http://www.cisco.com/en/US/products/hw/switches/ps700/products_configuration_example09186a008010edab.shtml

Catalyst 2900XL/3500XL Series
3500XL(config)#int fastEthernet 0/3
3500XL(config-if)#mtu 1508

Catalyst 3550 Series /3560 Series
3550(config)#system mtu 1508


· Configure R1 to send system logging messages at the debug severity level to
host 172.16.3.10 located at R3.
R1:
logging host 172.16.3.10
logging trap debugging
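The `logging trap debugging` line decides which severities R1 forwards to 172.16.3.10. As an added example (Python, not from the lab), here is a small parser for IOS-format syslog as a collector on that host would receive it: it decodes the PRI field into facility and severity, picks out the `%FACILITY-SEVERITY-MNEMONIC` header where one is present, and filters by trap level the same way the router does. The sample lines are constructed, and the facility value assumes the IOS default of local7.

```python
import re

# IOS sends syslog with facility local7 (23) unless 'logging facility' changes it.
IOS_DEFAULT_FACILITY = 23

# Severity numbers with the names IOS uses in 'logging trap <level>'.
SEVERITIES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
              4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}
TRAP_LEVELS = {name: num for num, name in SEVERITIES.items()}

# Constructed sample lines in IOS framing as a collector would receive them:
# '<PRI>seq: timestamp: %FACILITY-SEVERITY-MNEMONIC: text' for system messages,
# and the same framing without a mnemonic for debug output.
SAMPLE_LINES = [
    "<189>42: *Mar  1 00:03:11.207: %SYS-5-CONFIG_I: Configured from console by console",
    "<190>43: *Mar  1 00:04:02.019: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON",
    "<191>44: *Mar  1 00:04:03.555: ISAKMP:(0): beginning Main Mode exchange",
]

# The timestamp holds two colons of its own (hh:mm:ss), hence the three fields.
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<seq>\d+): (?P<ts>[^:]*:[^:]*:[^:]*): (?P<msg>.*)$"
)
MNEMONIC_RE = re.compile(
    r"^%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mn>[A-Z0-9_]+): (?P<text>.*)$"
)


def parse_ios_syslog(line):
    """Decode one IOS syslog line into facility, severity, sequence number,
    timestamp, mnemonic (None for debug output) and message text."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised syslog line: {line!r}")
    pri = int(m.group("pri"))
    rec = {"facility": pri >> 3, "severity": pri & 7,
           "seq": int(m.group("seq")), "timestamp": m.group("ts"),
           "mnemonic": None, "text": m.group("msg"), "consistent": True}
    mm = MNEMONIC_RE.match(rec["text"])
    if mm:
        rec["mnemonic"] = f"%{mm.group('fac')}-{mm.group('sev')}-{mm.group('mn')}"
        rec["text"] = mm.group("text")
        # The severity digit in the mnemonic should agree with the PRI field;
        # a mismatch points at a forged or mangled message.
        rec["consistent"] = int(mm.group("sev")) == rec["severity"]
    return rec


def passes_trap(record, trap_level):
    """Mirror 'logging trap <level>': a message is forwarded when its severity
    is numerically less than or equal to the configured level."""
    if isinstance(trap_level, str):
        trap_level = TRAP_LEVELS[trap_level]
    return record["severity"] <= trap_level


def delivered_mnemonics(lines, trap_level):
    """Return the mnemonic (or 'debug') of every line a host would receive
    from a router configured with the given trap level."""
    out = []
    for line in lines:
        rec = parse_ios_syslog(line)
        if passes_trap(rec, trap_level):
            out.append(rec["mnemonic"] or "debug")
    return out


if __name__ == "__main__":
    for level in ("debugging", "informational", "notifications"):
        print(f"logging trap {level}:", delivered_mnemonics(SAMPLE_LINES, level))
```

With `logging trap debugging` all three sample lines reach the collector; at `informational` the debug line is dropped, and at `notifications` only the configuration message remains. Debug-level trapping is what the tasks below rely on to see ISAKMP negotiation on 172.16.3.10, and it is also the setting that generates the most traffic toward the syslog host.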


Tasks
· Generate some traffic from Host in R1 towards Host in R4.
· Capture the packets at the Host marked as ‘Wireshark’.
· Will these packets be encapsulated as MPLS frames? Explain.
· On R1, turn on debug for ‘crypto ipsec sa’ and ‘crypto isakmp sa’.
· Clear the tunnel between R1 and R4.
· Generate the traffic between the hosts again and watch your syslog on host 172.16.3.10.
· Watch the traffic between R1 and the host 172.16.3.10. Is it framed as MPLS?
· Generate some traffic from R1 (router not the host) towards the host R4.
· What are the results of the capture? Encrypted packets? MPLS packets? Both?
· What would happen if R3 were made a FW with the outside interface facing R4
 and the inside interface facing R2? Would the IPsec tunnel still form? If not, what
 should you do to allow the tunnel through the FW?


Final Configurations
R1:
hostname R1
!
!
no ip domain lookup
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key 6 cisco address 172.16.34.2
!
crypto ipsec transform-set happypeter ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map petermap 20 ipsec-isakmp
 set peer 172.16.34.2
 set security-association lifetime seconds 900
 set transform-set happypeter
 set pfs group5
 match address 101
!
interface Loopback0
 ip address 172.16.1.10 255.255.255.0
!
interface Serial1/0
 ip address 172.16.12.1 255.255.255.0
 mpls ip
 clock rate 64000
 crypto map petermap
 no shutdown
!
router eigrp 1
 network 172.16.0.0
 no auto-summary
!
logging trap debugging
logging 172.16.3.10
!
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.4.0 0.0.0.255
!
line con 0
 exec-timeout 0 0
 logging synchronous
!
end

R2:
hostname R2
!
no ip domain lookup
!
interface FastEthernet0/0
 ip address 172.16.24.1 255.255.255.0
 speed 100
 full-duplex
 mpls ip
 mpls mtu 1508
 no shutdown
!
interface Serial1/0
 ip address 172.16.12.2 255.255.255.0
 mpls ip
 no shutdown
!
router eigrp 1
 network 172.16.0.0
 no auto-summary
!       
line con 0
 exec-timeout 0 0
 logging synchronous
!
end

R3:
hostname R3
!
no ip domain lookup
!
interface Loopback0
 ip address 172.16.3.10 255.255.255.0
!
interface FastEthernet0/0
 ip address 172.16.24.2 255.255.255.0
 speed 100
 full-duplex
 mpls ip
 mpls mtu 1508
 no shutdown
!
interface Serial1/2
 ip address 172.16.34.1 255.255.255.0
 clock rate 64000
 no shutdown
!
router eigrp 1
 network 172.16.0.0
 no auto-summary
!
line con 0
 exec-timeout 0 0
 logging synchronous
!
end

R4:
hostname R4
!
no ip domain lookup
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
!
crypto isakmp key 6 cisco address 172.16.12.1
!
crypto ipsec transform-set happypeter ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map petermap 20 ipsec-isakmp
 set peer 172.16.12.1
 set security-association lifetime seconds 900
 set transform-set happypeter
 set pfs group5
 match address 101
!
interface Loopback0
 ip address 172.16.4.10 255.255.255.0
!
interface Serial1/2
 ip address 172.16.34.2 255.255.255.0
 crypto map petermap
 no shutdown
!
router eigrp 1
 network 172.16.0.0
 no auto-summary
!
access-list 101 permit ip 172.16.4.0 0.0.0.255 172.16.1.0 0.0.0.255
!
line con 0
 exec-timeout 0 0
 logging synchronous
!
end

SW1:
hostname SW1
!
no ip routing
!
no ip domain lookup
!
line con 0
 exec-timeout 0 0
 logging synchronous
!
end


Reference:
Cisco Networking Academy
http://www.cisco.com/web/learning/netacad/index.html

CCNP Version 5.0: Implementing Secure Converged Wide-Area Networks
Student Lab Manual


First published / last updated: 2008.10.29 / 2018.06.11
