Thursday, August 28, 2014

Session 4 OpenLab - Final



CCNA Routing and Switching
S4-Openlab-version 5.0-News
Note: The Internet zone, the Frame Relay switch and all servers are fully configured, except the DHCP server. No PC has an IP address yet, but the INS1 PC and the Staff1 PC already have their mail service configured.
IP ADDRESSING SCHEME

Interface/Device           IP address
Gate1-S0/0/0               200.0.0.1/29
Gate1-G0/0                 10.0.17.2/24
Gate1-G0/1                 10.2.2.2/24
WAN1-S0/0/0                10.1.1.1/30
WAN1-G0/0                  10.0.16.2/24
Core1-G0/1                 10.0.17.1/24
Core1-G0/2                 10.0.16.1/24
Core1-Interface VLAN 11    10.0.11.1/24
Core1-Interface VLAN 12    10.0.12.1/24
Core1-Interface VLAN 13    10.0.13.1/24
Core1-Interface VLAN 15    10.0.15.1/24
Core1-Interface VLAN 99    10.0.99.1/24
Gate2-S0/3/0               200.0.0.33/30
Gate2-S0/0/0               10.1.0.2/30
Core2-S0/0/0               10.1.1.2/30
Core2-S0/0/1               10.1.0.1/30
Core2-G0/2.22              10.1.22.2/24
Core2-G0/2.33              10.1.33.2/24
Core2-G0/2.44              10.1.44.2/24
Core2-G0/2.99              10.1.99.2/24


1. SITE 1
Etherchannel
Link               Protocol, group, mode
Core1-Access1      LACP, Group 1, active-active
Core1-Access2      PAgP, Group 2, desirable-desirable
Access1-Access2    PAgP, Group 3, desirable-desirable

Access1:
int range fa 0/21-22
channel-protocol lacp
channel-group 1 mode active
exit
int range fa 0/23-24
channel-protocol pagp
channel-group 3 mode desirable
exit
Access2:
int range fa 0/21-22
channel-protocol pagp
channel-group 2 mode desirable
exit
int range fa 0/23-24
channel-protocol pagp
channel-group 3 mode desirable
exit
Core1:
int range fa 0/1-2
channel-protocol lacp
channel-group 1 mode active
exit
int range fa 0/3-4
channel-protocol pagp
channel-group 2 mode desirable
exit

VLAN
SITE1-VLAN
DHCP server : Core1
Vlan 11 : INS
Vlan 12 : Student
Vlan 13 : Staff
Vlan 15 : SERVER_FARM
Vlan 99 : Management
Subnet : 10.0.X.0/24 (X = VLAN number, as in the addressing table)
Pool names : INS and Student
Maximum clients : 200
Start IP : +10 (the first leased address is .10, so .1-.9 and .210-.255 are excluded)
DNS server : 10.0.15.8
STP : Core1 is the root bridge for all VLANs
Core1: 
int port-channel 1
swi mode trunk
exit
int port-channel 2
swi mode trunk
exit
vlan 11
name INS
exit
vlan 12
name Student
exit
vlan 13
name Staff
exit
vlan 15
name SERVER_FARM
exit
vlan 99
name Management
exit
spanning-tree vlan 11,12,13,15,99 root primary
int fa 0/5
swi mode access
swi access vlan 15
exit
ip routing
int vlan 11
no shut
ip add 10.0.11.1 255.255.255.0
exit
int vlan 12
no shut
ip add 10.0.12.1 255.255.255.0
exit
int vlan 13
no shut
ip add 10.0.13.1 255.255.255.0
exit
int vlan 15
no shut
ip add 10.0.15.1 255.255.255.0
exit
int vlan 99
no shut
ip add 10.0.99.1 255.255.255.0
exit
ip dhcp pool INS
network 10.0.11.0 255.255.255.0
default-router 10.0.11.1
dns-server 10.0.15.8
exit
ip dhcp excluded-address 10.0.11.1 10.0.11.9
ip dhcp excluded-address 10.0.11.210 10.0.11.255
ip dhcp pool Student
network 10.0.12.0 255.255.255.0
default-router 10.0.12.1
dns-server 10.0.15.8
exit
ip dhcp excluded-address 10.0.12.1 10.0.12.9
ip dhcp excluded-address 10.0.12.210 10.0.12.255
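The Site 1 pool spec above (Start IP +10, 200 clients) is what produces the two excluded-address ranges in the Core1 configuration. The following is an added example, not code from the lab page: it derives the pool and exclusions from that spec with Python's ipaddress module, reproduces the page's INS and Student pools, and rejects a spec whose lease block would not fit in the /24 or would hand out the gateway.

```python
import ipaddress

# Added example (not from the original lab page): derive the IOS DHCP pool and
# excluded-address ranges from the page's pool spec ("Start IP : +10",
# "Maximum client : 200") so the leased block stays clear of the gateway and
# inside the /24, and flag a spec that cannot fit.

def lease_range(network, start_offset=10, max_clients=200):
    """Return (first, last) leasable address, or raise if the block does not fit."""
    net = ipaddress.IPv4Network(network)
    first = net.network_address + start_offset
    last = first + (max_clients - 1)
    lo, hi = net.network_address + 1, net.broadcast_address - 1   # usable hosts
    if not (lo <= first <= last <= hi):
        raise ValueError(f"{max_clients} leases from {first} do not fit in {net}")
    return first, last

def dhcp_pool_config(name, network, gateway, dns, start_offset=10, max_clients=200):
    """Build the IOS lines for one pool in the same form as the page's Core1 config."""
    net = ipaddress.IPv4Network(network)
    gw = ipaddress.IPv4Address(gateway)
    first, last = lease_range(network, start_offset, max_clients)
    if gw not in net or first <= gw <= last:
        raise ValueError(f"gateway {gw} must be inside {net} but outside the lease block")
    lines = []
    if first > net.network_address + 1:       # reserve .1 .. first-1 (gateway, servers)
        lines.append(f"ip dhcp excluded-address {net.network_address + 1} {first - 1}")
    if last < net.broadcast_address:          # reserve last+1 .. broadcast
        lines.append(f"ip dhcp excluded-address {last + 1} {net.broadcast_address}")
    lines += [f"ip dhcp pool {name}",
              f" network {net.network_address} {net.netmask}",
              f" default-router {gw}",
              f" dns-server {dns}"]
    return lines

if __name__ == "__main__":
    # Site 1 pools from the page: INS (VLAN 11) and Student (VLAN 12) on Core1
    for name, vlan in (("INS", 11), ("Student", 12)):
        print("\n".join(dhcp_pool_config(name, f"10.0.{vlan}.0/24", f"10.0.{vlan}.1", "10.0.15.8")))
```

The same function with the Site 2 values (10.1.22.0/24, gateway 10.1.22.2, DNS 8.8.8.8) gives the ranges a DHCP server in VLAN 44 would need to reserve, since the Site 2 pools are not on a switch.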


2. SITE2
Etherchannel
Link       Protocol, group, mode
SW1-SW2    LACP, Group 1, active-active

SW1
int range fa 0/1-2
channel-protocol lacp
channel-group 1 mode active
exit

SW2
int range fa 0/1-2
channel-protocol lacp
channel-group 1 mode active
exit

VLAN
SITE2-VLAN
DHCP server :
Vlan 22 : Staff
Vlan 33 : Marketing
Vlan 44 : DHCP
Vlan 99 : Management
Subnet : 10.1.X.0/24 (X = VLAN number, as in the addressing table)
Pool names : Staff and Marketing
Maximum clients : 200
Start IP : +10 (the first leased address is .10)
DNS server : 8.8.8.8
STP : SW1 is the root bridge for all VLANs
SW1:
int port-channel 1
swi mode trunk
exit
int g 1/1
swi mode trunk
exit
vlan 22
name Staff
exit
vlan 33
name Marketing
exit
vlan 44
name DHCP
exit
vlan 99
name Management
exit
int fa 0/3
swi mode access
swi access vlan 22
exit
spanning-tree vlan 22,33,44,99 root primary


3. FRAME-RELAY, PPP and NAT
- On the serial link between WAN1 and Core2, configure Frame Relay on the physical interface (no subinterfaces; the DLCI is learned from the preconfigured Frame Relay switch through LMI and Inverse ARP). Encapsulation is an interface command, so it is entered under s0/0/0 on both routers.
WAN1:
int s0/0/0
encapsulation frame-relay
no shut
exit
CORE2:
int s0/0/0
encapsulation frame-relay
no shut
exit
- On the serial links of Gate1 and Gate2, configure PPP with one-way authentication: Gate1 and Gate2 must send a username/password to authenticate to the ISP (the ISP side is already configured, so neither gate enables authentication of the ISP).
GATE1:
int s0/0/0
no shut
encapsulation ppp
exit
GATE2:
int s0/3/0
no shut
encapsulation ppp
exit

+ Gate1 uses one-way CHAP with username ISP and password bkacad. This is a global command: when the ISP sends its CHAP challenge, Gate1 looks up the challenger's name (ISP) and answers with a hash of the password stored for it.
username ISP pass bkacad

+ Gate2 uses one-way PAP with username Site2 and password bkacad. PAP sends these credentials from the interface, in the clear:
int s0/3/0
ppp pap sent-username Site2 pass bkacad
exit

- NAT:  
+ On Gate1 config static NAT to public Mail server (using IP 200.0.0.3) and Web server (using IP 200.0.0.4).
ip nat inside source static 10.2.2.3 200.0.0.3
ip nat inside source static 10.2.2.4 200.0.0.4

+ Configure NAT overload on Gate1 with the standard named ACL "NATOVERLOAD-ACL" (permit the range 10.0.0.0/16). Only the sources this ACL permits are translated; the server LAN 10.2.2.0/24 is reached from outside through the static entries above.
ip access-list standard NATOVERLOAD-ACL
permit 10.0.0.0 0.0.255.255
exit
ip nat inside source list NATOVERLOAD-ACL int s0/0/0 overload
int g0/0
ip nat inside
exit
int g0/1
ip nat inside
exit
int s0/0/0
ip nat outside
exit
+ Configure NAT overload on Gate2 with the standard named ACL "NATOVERLOAD-ACL" (permit the range 10.1.0.0/16). Gate2's inside interface is the link towards Core2 (s0/0/0) and its outside interface is the ISP link (s0/3/0).
ip access-list standard NATOVERLOAD-ACL
permit 10.1.0.0 0.0.255.255
exit
ip nat inside source list NATOVERLOAD-ACL int s0/3/0 overload
int s0/0/0
ip nat inside
exit
int s0/3/0
ip nat outside
exit

4. GRE over IPsec
- GRE tunnel
Device    Tunnel-id    IP address
Gate1     Tunnel 0     10.3.3.1/30
Gate2     Tunnel 0     10.3.3.2/30
Gate1:
int tunnel 0
ip add 10.3.3.1 255.255.255.252
tunnel source s0/0/0
tunnel des 200.0.0.33
tunnel mode gre ip
exit

Gate2:
int tunnel 0
ip add 10.3.3.2 255.255.255.252
tunnel source s0/3/0
tunnel des 200.0.0.1
tunnel mode gre ip
exit

- Configuring IPsec (identical parameters on Gate1 and Gate2)
IKE phase 1 : ISAKMP policy priority 10, encryption 3DES, hash SHA, DH group 2, authentication pre-share, key cisco@123
IKE phase 2 : transform-set SITE1SITE2-VPN (esp-aes, esp-sha-hmac), crypto map sequence 10
Crypto ACL  : ACL 100 (GRE between the two public tunnel endpoints)
Crypto map  : VPNSITETOSITE

Gate1:
crypto isakmp policy 10
encryption 3des
hash sha
group 2
authen pre-share
exit
crypto isakmp key cisco@123 address 200.0.0.33
crypto ipsec transform-set SITE1SITE2-VPN esp-aes esp-sha-hmac
access-list 100 permit gre host 200.0.0.1 host 200.0.0.33
crypto map VPNSITETOSITE 10 ipsec-isakmp
set peer 200.0.0.33
set transform-set SITE1SITE2-VPN
match address 100
exit
int s0/0/0
crypto map VPNSITETOSITE
exit

Gate2:
crypto isakmp policy 10
encryption 3des
hash sha
group 2
authen pre-share
exit
crypto isakmp key cisco@123 address 200.0.0.1
crypto ipsec transform-set SITE1SITE2-VPN esp-aes esp-sha-hmac
access-list 100 permit gre host 200.0.0.33 host 200.0.0.1
crypto map VPNSITETOSITE 10 ipsec-isakmp
set peer 200.0.0.1
set transform-set SITE1SITE2-VPN
match address 100
exit
int s0/3/0
crypto map VPNSITETOSITE
exit

5. ROUTING
SITE 1:
+ Configure EIGRP AS 100 on Gate1, Core1 and WAN1
+ Enable EIGRP on the GRE tunnel
+ Configure a default route on Gate1 and redistribute it into the EIGRP domain
SITE 2:
+ Configure EIGRP AS 100 on Gate2 and Core2
+ Enable EIGRP on the GRE tunnel
+ Configure a default route on Gate2 and redistribute it into the EIGRP domain

Core1:
router eigrp 100
network 10.0.11.0 0.0.0.255
network 10.0.12.0 0.0.0.255
network 10.0.13.0 0.0.0.255
network 10.0.15.0 0.0.0.255
network 10.0.99.0 0.0.0.255
network 10.0.16.0 0.0.0.255
network 10.0.17.0 0.0.0.255
exit


Core2:
router eigrp 100
network 10.1.22.0 0.0.0.255
network 10.1.33.0 0.0.0.255
network 10.1.44.0 0.0.0.255
network 10.1.99.0 0.0.0.255
network 10.1.0.0 0.0.0.3
network 10.1.1.0 0.0.0.3
exit


Gate1:
router eigrp 100
network 10.2.2.0 0.0.0.255
network 10.0.17.0 0.0.0.255
network 10.3.3.0 0.0.0.3
redistribute static
exit
ip route 0.0.0.0 0.0.0.0 s0/0/0

Gate2
router eigrp 100
network 10.1.0.0 0.0.0.3
network 10.3.3.0 0.0.0.3
redistribute static
exit
ip route 0.0.0.0 0.0.0.0 s0/3/0

Wan1
router eigrp 100
network 10.0.16.0 0.0.0.255
network 10.1.1.0 0.0.0.3
exit

6. SECURITY and MONITORING
+ On Gate1 G0/1, create the extended named ACL "SERVICE-ALLOW", applied outbound towards the server LAN, that permits only:
+ SMTP and POP3 traffic from any user to the Mail server (10.2.2.3)
+ HTTP traffic from any user to the Web server (10.2.2.4)
Everything else leaving G0/1 towards 10.2.2.0/24 (including ICMP and any other service on the servers) hits the implicit deny at the end of the ACL.
ip access-list extended SERVICE-ALLOW
 permit tcp any host 10.2.2.3 eq smtp
 permit tcp any host 10.2.2.3 eq pop3
 permit tcp any host 10.2.2.4 eq www
exit
interface GigabitEthernet0/1
 ip access-group SERVICE-ALLOW out
exit

+ Management:
+ Create the standard named ACL "TELNET-ACL" that allows only the INS VLAN (10.0.11.0/24) to telnet to all routers and Core1, and apply it inbound on the vty lines. An ACL is local to the device it is defined on, so it must be created on every device where the vty lines reference it; access-class (not ipv6 access-class) applies an IPv4 ACL to the lines.
Core1, Core2, Gate1, Gate2, WAN1:
ip access-list standard TELNET-ACL
 permit 10.0.11.0 0.0.0.255
exit
line vty 0 4
 access-class TELNET-ACL in
exit

+ Configure the syslog server (10.0.15.10, in the SERVER_FARM VLAN) on all routers and Core1, with trap level debugging:
logging trap debugging
logging 10.0.15.10
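The ACLs in sections 3, 4 and 6 (the NAT overload ACL, crypto ACL 100, SERVICE-ALLOW and TELNET-ACL) all rely on the same three IOS rules: wildcard-mask matching, first match wins, and an implicit deny of everything that matches no entry. The following is an added example, not code from the lab page: a small model of those rules that parses the page's ACL lines as written and checks which flows each one admits, so the implicit-deny effects (no ping to the servers, only GRE between the tunnel endpoints gets encrypted, only VLAN 11 reaches the vty lines) can be verified before the configuration is applied.

```python
import ipaddress

# Added example (not from the original lab page): a small model of IOS ACL
# semantics (wildcard masks, first match wins, implicit deny at the end) used
# to check which flows the page's ACLs actually admit.

PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80, "telnet": 23}
ANY = ("0.0.0.0", "255.255.255.255")

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse_addr(t, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at t[i]; return (base, wildcard, next i)."""
    if t[i] == "any":
        return ANY[0], ANY[1], i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2

def parse_ace(line):
    """Split one entry into (action, proto, src, dst, dport); standard ACEs carry a source only."""
    t = line.split()
    if t[1] in ("ip", "tcp", "udp", "icmp", "gre"):       # extended ACE
        sb, sw, i = parse_addr(t, 2)
        db, dw, i = parse_addr(t, i)
        port = None
        if i < len(t) and t[i] == "eq":
            port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        return t[0], t[1], (sb, sw), (db, dw), port
    sb, sw, _ = parse_addr(t, 1)                            # standard ACE
    return t[0], "ip", (sb, sw), ANY, None

def permitted(acl, proto, src, dst, dport=None):
    """True if the first matching entry permits; no match is the implicit deny."""
    for line in acl:
        action, p, (sb, sw), (db, dw), port = parse_ace(line)
        if p != "ip" and p != proto:
            continue
        if not (wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw)):
            continue
        if port is not None and port != dport:
            continue
        return action == "permit"
    return False

# ACLs copied from the page: Gate1 G0/1 outbound, crypto ACL 100 and TELNET-ACL
SERVICE_ALLOW = ["permit tcp any host 10.2.2.3 eq smtp",
                 "permit tcp any host 10.2.2.3 eq pop3",
                 "permit tcp any host 10.2.2.4 eq www"]
CRYPTO_ACL_100 = ["permit gre host 200.0.0.1 host 200.0.0.33"]
TELNET_ACL = ["permit 10.0.11.0 0.0.0.255"]
```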


