CCNA Routing and Switching
S4-Openlab-version 5.0-News
Note: the Internet zone, the Frame Relay switch and all servers are fully configured, except the DHCP server. No PC has an IP address yet, but the INS1 and Staff1 PCs already have their mail service fully configured.
IP ADDRESSING SCHEME

| Interface/Device | IP address | Interface/Device | IP address |
|---|---|---|---|
| Gate1-S0/0/0 | 200.0.0.1/29 | Gate2-S0/3/0 | 200.0.0.33/30 |
| Gate1-G0/0 | 10.0.17.2/24 | Gate2-S0/0/0 | 10.1.0.2/30 |
| Gate1-G0/1 | 10.2.2.2/24 | Core2-S0/0/0 | 10.1.1.2/30 |
| WAN1-S0/0/0 | 10.1.1.1/30 | Core2-S0/0/1 | 10.1.0.1/30 |
| WAN1-G0/0 | 10.0.16.2/24 | Core2-G0/2.22 | 10.1.22.2/24 |
| Core1-G0/1 | 10.0.17.1/24 | Core2-G0/2.33 | 10.1.33.2/24 |
| Core1-G0/2 | 10.0.16.1/24 | Core2-G0/2.44 | 10.1.44.2/24 |
| Core1-Interface VLAN 11 | 10.0.11.1/24 | Core2-G0/2.99 | 10.1.99.2/24 |
| Core1-Interface VLAN 12 | 10.0.12.1/24 | | |
| Core1-Interface VLAN 13 | 10.0.13.1/24 | | |
| Core1-Interface VLAN 15 | 10.0.15.1/24 | | |
| Core1-Interface VLAN 99 | 10.0.99.1/24 | | |
1. SITE 1
Etherchannel

| Link | Protocol, group, mode |
|---|---|
| Core1-Access1 | LACP, Group 1, active-active |
| Core1-Access2 | PAgP, Group 2, desirable-desirable |
| Access1-Access2 | PAgP, Group 3, desirable-desirable |

Access1:
int range fa 0/21-22
channel-protocol lacp
channel-group 1 mode active
exit
int range fa 0/23-24
channel-protocol pagp
channel-group 3 mode desirable
exit
Access2:
int range fa 0/21-22
channel-protocol pagp
channel-group 2 mode desirable
exit
int range fa 0/23-24
channel-protocol pagp
channel-group 3 mode desirable
exit
Core1:
int range fa 0/1-2
channel-protocol lacp
channel-group 1 mode active
exit
int range fa 0/3-4
channel-protocol pagp
channel-group 2 mode desirable
exit
VLAN
SITE1-VLAN (10.0.X.0/24):
Vlan 11 : INS
Vlan 12 : Student
Vlan 13 : Staff
Vlan 15 : SERVER_FARM
Vlan 99 : Management
DHCP server : Core1
Pool name : INS and Student
Maximum clients : 200
Start IP : +10
DNS server : 10.0.15.8
STP : Core1 is the root bridge for all VLANs
Core1:
int port-channel 1
swi mode trunk
exit
int port-channel 2
swi mode trunk
exit
vlan 11
name INS
exit
vlan 12
name Student
exit
vlan 13
name Staff
exit
vlan 15
name SERVER_FARM
exit
vlan 99
name Management
exit
! Core1 is the root bridge for all VLANs (task requirement)
spanning-tree vlan 11,12,13,15,99 root primary
int fa 0/5
swi mode access
swi access vlan 15
exit
ip routing
int vlan 11
no shut
ip add 10.0.11.1 255.255.255.0
exit
int vlan 12
no shut
ip add 10.0.12.1 255.255.255.0
exit
int vlan 13
no shut
ip add 10.0.13.1 255.255.255.0
exit
int vlan 15
no shut
ip add 10.0.15.1 255.255.255.0
exit
int vlan 99
no shut
ip add 10.0.99.1 255.255.255.0
exit
ip dhcp pool INS
network 10.0.11.0 255.255.255.0
default-router 10.0.11.1
dns-server 10.0.15.8
exit
ip dhcp excluded-address 10.0.11.1 10.0.11.9
ip dhcp excluded-address 10.0.11.210 10.0.11.255
ip dhcp pool Student
network 10.0.12.0 255.255.255.0
default-router 10.0.12.1
dns-server 10.0.15.8
exit
ip dhcp excluded-address 10.0.12.1 10.0.12.9
ip dhcp excluded-address 10.0.12.210 10.0.12.255
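The two pools above are built from one rule: leases start at the network address +10 and the pool holds at most 200 clients, and the excluded-address ranges fence off everything else. The script below (an added example, not part of the lab page) derives the pool and the excluded-address lines from that rule for any subnet, so the same spec can be applied to the Site 2 pools (10.1.X.0/24, DNS 8.8.8.8) without counting addresses by hand. The check that the default router sits inside an excluded range is mine, not a page requirement.

```python
"""Derive Cisco IOS DHCP pool and excluded-address lines from a pool spec.

Added example (not part of the lab page): it reproduces the page's rule
"Start IP : +10, Maximum client : 200" for any subnet.
"""
import ipaddress


def lease_range(network, start_offset=10, max_clients=200):
    """Return (first, last) lease addresses for a pool that starts at
    network + start_offset and hands out at most max_clients addresses.
    Raises ValueError if the pool would run past the last usable host."""
    net = ipaddress.ip_network(network, strict=True)
    first = net.network_address + start_offset
    last = first + (max_clients - 1)
    usable_first = net.network_address + 1
    usable_last = net.broadcast_address - 1
    if first < usable_first or last > usable_last:
        raise ValueError(f"{max_clients} leases from +{start_offset} do not fit in {net}")
    return first, last


def dhcp_pool_commands(name, network, gateway, dns, start_offset=10, max_clients=200):
    """Return the IOS lines for one pool plus the excluded-address ranges
    that fence it to exactly max_clients leases. The gateway must sit in an
    excluded range, otherwise the router could hand out its own address."""
    net = ipaddress.ip_network(network, strict=True)
    first, last = lease_range(network, start_offset, max_clients)
    gw = ipaddress.ip_address(gateway)
    if gw not in net or first <= gw <= last:
        raise ValueError(f"default-router {gateway} is outside {net} or inside the lease range")
    lines = [
        f"ip dhcp pool {name}",
        f"network {net.network_address} {net.netmask}",
        f"default-router {gateway}",
        f"dns-server {dns}",
        "exit",
    ]
    # Exclude everything below the first lease (the gateway lives here) ...
    if first > net.network_address + 1:
        lines.append(f"ip dhcp excluded-address {net.network_address + 1} {first - 1}")
    # ... and everything above the last lease up to the broadcast address.
    if last < net.broadcast_address:
        lines.append(f"ip dhcp excluded-address {last + 1} {net.broadcast_address}")
    return lines


if __name__ == "__main__":
    # Site 1 pools as specified on the page (DNS 10.0.15.8) ...
    for name, subnet, gw in (("INS", "10.0.11.0/24", "10.0.11.1"),
                             ("Student", "10.0.12.0/24", "10.0.12.1")):
        print("\n".join(dhcp_pool_commands(name, subnet, gw, "10.0.15.8")))
    # ... and the Site 2 Staff spec (DNS 8.8.8.8, gateway Core2 G0/2.22).
    print("\n".join(dhcp_pool_commands("Staff", "10.1.22.0/24", "10.1.22.2", "8.8.8.8")))
```

Running it for the INS pool prints exactly the seven lines of the Core1 configuration above; a pool spec that does not fit the subnet (for example 250 clients from +10 in a /24) is rejected instead of silently overlapping the broadcast address.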
2. SITE2
Etherchannel

| Link | Protocol, group, mode |
|---|---|
| SW1-SW2 | LACP, Group 1, active-active |

SW1:
int range fa 0/1-2
channel-protocol lacp
channel-group 1 mode active
exit
SW2:
int range fa 0/1-2
channel-protocol lacp
channel-group 1 mode active
exit
VLAN
SITE2-VLAN (10.1.X.0/24):
Vlan 22 : Staff
Vlan 33 : Marketing
Vlan 44 : DHCP
Vlan 99 : Management
DHCP server : (not on SW1)
Pool name : Staff and Marketing
Maximum clients : 200
Start IP : +10
DNS server : 8.8.8.8
STP : SW1 is the root bridge for all VLANs
SW1:
int port-channel 1
swi mode trunk
exit
int g 1/1
swi mode trunk
exit
vlan 22
name Staff
exit
vlan 33
name Marketing
exit
vlan 44
name DHCP
exit
vlan 99
name Management
exit
int fa 0/3
swi mode access
swi access vlan 22
exit
spanning-tree vlan 22,33,44,99 root primary
3. FRAME-RELAY, PPP and NAT
- On the serial link of WAN1 and WAN2, configure Frame Relay on the physical interface.
WAN1:
int s0/0/0
no shut
encapsulation frame-relay
exit
CORE2:
int s0/0/0
no shut
encapsulation frame-relay
exit
- On the serial links of Gate1 and Gate2, configure PPP with one-way authentication: Gate1 and Gate2 must send a username/password to authenticate themselves to the ISP.
GATE1:
int s0/0/0
no shut
encapsulation ppp
exit
GATE2:
int s0/3/0
no shut
encapsulation ppp
exit
+ Gate1 uses one-way CHAP, with username: ISP, password: bkacad.
username ISP pass bkacad
+ Gate2 uses one-way PAP, with username: Site2, password: bkacad.
int s0/3/0
ppp pap sent-username Site2 pass bkacad
exit
- NAT:
+ On Gate1, configure static NAT to publish the Mail server (public IP 200.0.0.3) and the Web server (public IP 200.0.0.4).
ip nat inside source static 10.2.2.3 200.0.0.3
ip nat inside source static 10.2.2.4 200.0.0.4
+ Configure NAT overload on GATE1 with the standard named ACL “NATOVERLOAD-ACL” (permit the range 10.0.0.0/16). Site-to-site traffic is not translated by this rule: it is routed into Tunnel0, which is not an `ip nat outside` interface, so only traffic leaving via s0/0/0 is overloaded.
ip access-list standard NATOVERLOAD-ACL
permit 10.0.0.0 0.0.255.255
exit
ip nat inside source list NATOVERLOAD-ACL int s0/0/0 overload
int g0/0
ip nat inside
exit
int g0/1
ip nat inside
exit
int s0/0/0
ip nat outside
exit
+ Configure NAT overload on GATE2 with the standard named ACL “NATOVERLOAD-ACL” (permit the range 10.1.0.0/16)
ip access-list standard NATOVERLOAD-ACL
permit 10.1.0.0 0.0.255.255
exit
ip nat inside source list NATOVERLOAD-ACL int s0/3/0 overload
int s0/0/0
ip nat inside
exit
int s0/3/0
ip nat outside
exit
4. GRE over IPsec
- GRE tunnel

| Device | Tunnel-id | IP address |
|---|---|---|
| Gate1 | Tunnel 0 | 10.3.3.1/30 |
| Gate2 | Tunnel 0 | 10.3.3.2/30 |

Gate1:
int tunnel 0
ip add 10.3.3.1 255.255.255.252
tunnel source s0/0/0
tunnel des 200.0.0.33
tunnel mode gre ip
exit
Gate2:
int tunnel 0
ip add 10.3.3.2 255.255.255.252
tunnel source s0/3/0
tunnel des 200.0.0.1
tunnel mode gre ip
exit
- Configuring IPsec

| | Gate1 | Gate2 |
|---|---|---|
| IKE phase 1 | Priority 10, 3DES, hash SHA, DH2, authentication pre-share, key: cisco@123 | Priority 10, 3DES, hash SHA, DH2, authentication pre-share, key: cisco@123 |
| IKE phase 2 | Transform-set: SITE1SITE2-VPN, sequence 10, esp-aes, esp-sha-hmac | Transform-set: SITE1SITE2-VPN, sequence 10, esp-aes, esp-sha-hmac |
| Crypto ACL | ACL 100 | ACL 100 |
| Crypto map | VPNSITETOSITE | VPNSITETOSITE |

Gate1:
crypto isakmp policy 10
encryption 3des
hash sha
group 2
authen pre-share
exit
crypto isakmp key cisco@123 address 200.0.0.33
crypto ipsec transform-set SITE1SITE2-VPN esp-aes esp-sha-hmac
access-list 100 permit gre host 200.0.0.1 host 200.0.0.33
crypto map VPNSITETOSITE 10 ipsec-isakmp
set peer 200.0.0.33
set transform-set SITE1SITE2-VPN
match address 100
exit
int s0/0/0
crypto map VPNSITETOSITE
exit
Gate2:
crypto isakmp policy 10
encryption 3des
hash sha
group 2
authen pre-share
exit
crypto isakmp key cisco@123 address 200.0.0.1
crypto ipsec transform-set SITE1SITE2-VPN esp-aes esp-sha-hmac
access-list 100 permit gre host 200.0.0.33 host 200.0.0.1
crypto map VPNSITETOSITE 10 ipsec-isakmp
set peer 200.0.0.1
set transform-set SITE1SITE2-VPN
match address 100
exit
int s0/3/0
crypto map VPNSITETOSITE
exit
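Every value in the Gate1 and Gate2 crypto configurations above has a mirror on the other side: the peer address, the address the pre-shared key is bound to, the crypto ACL endpoints and the tunnel destination must all point at the other router, and the policy, key and transform set must be identical. The checker below is an added example, not part of the lab page: the GATE1 and GATE2 strings are the page's own lines, while the extraction and the consistency rules are mine. It also flags the phase-1 choices (3DES, DH group 2) that current guidance treats as legacy.

```python
"""Cross-check the two ends of the lab's GRE-over-IPsec configuration.

Added example, not part of the lab page. GATE1 and GATE2 below are the
page's own crypto and tunnel lines; the field extraction and the peer
consistency rules are mine. A mismatch in any of these fields is the
usual reason an IKE negotiation stalls or a crypto map never matches
its interesting traffic.
"""
import re

GATE1 = """
crypto isakmp policy 10
 encryption 3des
 hash sha
 group 2
 authen pre-share
crypto isakmp key cisco@123 address 200.0.0.33
crypto ipsec transform-set SITE1SITE2-VPN esp-aes esp-sha-hmac
access-list 100 permit gre host 200.0.0.1 host 200.0.0.33
crypto map VPNSITETOSITE 10 ipsec-isakmp
 set peer 200.0.0.33
 set transform-set SITE1SITE2-VPN
 match address 100
interface tunnel 0
 tunnel destination 200.0.0.33
"""

GATE2 = """
crypto isakmp policy 10
 encryption 3des
 hash sha
 group 2
 authen pre-share
crypto isakmp key cisco@123 address 200.0.0.1
crypto ipsec transform-set SITE1SITE2-VPN esp-aes esp-sha-hmac
access-list 100 permit gre host 200.0.0.33 host 200.0.0.1
crypto map VPNSITETOSITE 10 ipsec-isakmp
 set peer 200.0.0.1
 set transform-set SITE1SITE2-VPN
 match address 100
interface tunnel 0
 tunnel destination 200.0.0.1
"""

POLICY_ATTR = re.compile(r"^\s*(encryption|hash|group|authen\w*)\s+(\S+)\s*$", re.M)
# Phase-1 choices that current guidance (e.g. Cisco NGE) treats as legacy.
LEGACY = {("encryption", "des"), ("encryption", "3des"), ("hash", "md5"),
          ("group", "1"), ("group", "2")}


def extract(config):
    """Pull the fields that must agree between peers out of one side's config."""
    def one(pattern):
        m = re.search(pattern, config)
        if not m:
            raise ValueError(f"no match for {pattern!r}")
        return m.groups()

    policy = tuple(sorted(("authentication" if k.startswith("authen") else k, v)
                          for k, v in POLICY_ATTR.findall(config)))
    psk, psk_addr = one(r"crypto isakmp key (\S+) address (\S+)")
    ts_name, ts_algos = one(r"crypto ipsec transform-set (\S+) (.+)")
    acl, local, remote = one(r"access-list (\d+) permit gre host (\S+) host (\S+)")
    (peer,) = one(r"set peer (\S+)")
    (map_ts,) = one(r"set transform-set (\S+)")
    (match_acl,) = one(r"match address (\S+)")
    (tun_dst,) = one(r"tunnel des\w* (\S+)")
    return {"policy": policy, "psk": psk, "psk_addr": psk_addr,
            "ts_name": ts_name, "ts": tuple(sorted(ts_algos.split())),
            "acl": acl, "local": local, "remote": remote, "peer": peer,
            "map_ts": map_ts, "match_acl": match_acl, "tun_dst": tun_dst}


def check_pair(a, b, name_a="Gate1", name_b="Gate2"):
    """Return the list of mismatches between two sides (empty = consistent)."""
    problems = []
    for side, me, other in ((name_a, a, b), (name_b, b, a)):
        if me["peer"] != other["local"]:
            problems.append(f"{side}: set peer {me['peer']} is not the other side's address")
        if me["psk_addr"] != other["local"]:
            problems.append(f"{side}: isakmp key is bound to {me['psk_addr']}, not the peer")
        if me["remote"] != other["local"]:
            problems.append(f"{side}: crypto ACL destination {me['remote']} does not mirror the peer")
        if me["tun_dst"] != other["local"]:
            problems.append(f"{side}: tunnel destination {me['tun_dst']} is not the peer")
        if me["map_ts"] != me["ts_name"]:
            problems.append(f"{side}: crypto map uses undefined transform-set {me['map_ts']}")
        if me["match_acl"] != me["acl"]:
            problems.append(f"{side}: crypto map matches ACL {me['match_acl']}, GRE ACL is {me['acl']}")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    if a["policy"] != b["policy"]:
        problems.append("ISAKMP policy attributes differ")
    if a["ts"] != b["ts"]:
        problems.append("IPsec transform sets differ")
    return problems


def legacy_algorithms(fields):
    """List phase-1 attributes that should be upgraded (AES, SHA-2, DH 14+)."""
    return sorted(f"{k} {v}" for k, v in fields["policy"] if (k, v) in LEGACY)


if __name__ == "__main__":
    g1, g2 = extract(GATE1), extract(GATE2)
    print("mismatches:", check_pair(g1, g2) or "none")
    print("legacy phase-1 settings:", legacy_algorithms(g1))
```

On the page's configuration the checker reports no mismatches; changing one character of the key on Gate2, or the destination host in its crypto ACL, produces a single named finding, which is the kind of typo that otherwise only shows up as a tunnel that never comes up.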
5. ROUTING
SITE 1:
+ Configure EIGRP AS 100 on Gate1, Core1 and WAN1
+ Enable the EIGRP routing protocol on the GRE tunnel
+ Configure the default route on Gate1 and redistribute this route into the EIGRP domain
SITE 2:
+ Configure EIGRP AS 100 on Gate2 and Core2
+ Enable the EIGRP routing protocol on the GRE tunnel
+ Configure the default route on Gate2 and redistribute this route into the EIGRP domain
Core1:
router eigrp 100
network 10.0.11.0 0.0.0.255
network 10.0.12.0 0.0.0.255
network 10.0.13.0 0.0.0.255
network 10.0.15.0 0.0.0.255
network 10.0.99.0 0.0.0.255
network 10.0.16.0 0.0.0.255
network 10.0.17.0 0.0.0.255
exit
Core2:
router eigrp 100
network 10.1.22.0 0.0.0.255
network 10.1.33.0 0.0.0.255
network 10.1.44.0 0.0.0.255
network 10.1.99.0 0.0.0.255
network 10.1.0.0 0.0.0.3
network 10.1.1.0 0.0.0.3
exit
Gate1:
router eigrp 100
network 10.2.2.0 0.0.0.255
network 10.0.17.0 0.0.0.255
! run EIGRP on the GRE tunnel so the two sites exchange their 10.x routes (task requirement)
network 10.3.3.0 0.0.0.3
! do not advertise the 200.0.0.x WAN link here: the tunnel destination must stay reachable via the static default, not via the tunnel itself (recursive routing)
redistribute static
exit
ip route 0.0.0.0 0.0.0.0 s0/0/0
Gate2:
router eigrp 100
network 10.1.0.0 0.0.0.3
! run EIGRP on the GRE tunnel (task requirement)
network 10.3.3.0 0.0.0.3
redistribute static
exit
ip route 0.0.0.0 0.0.0.0 s0/3/0
Wan1
router eigrp 100
network 10.0.16.0 0.0.0.255
network 10.1.1.0 0.0.0.3
exit
6. SECURITY and MONITORING
+ On Gate1-G0/1: create an extended named ACL “SERVICE-ALLOW” that permits
+ SMTP and POP3 request traffic from all users to the Mail server
+ HTTP request traffic from all users to the Web server
ip access-list extended SERVICE-ALLOW
permit tcp any host 10.2.2.3 eq smtp
permit tcp any host 10.2.2.3 eq pop3
permit tcp any host 10.2.2.4 eq www
exit
interface GigabitEthernet0/1
ip access-group SERVICE-ALLOW out
exit
+ Management :
+ Create a standard named ACL “TELNET-ACL” that allows the INS VLAN to telnet to all routers and Core1, and apply this ACL on the vty lines.
Core1, Core2, Gate1, Gate2, WAN1:
! access-class only references a locally defined ACL, so TELNET-ACL must exist on every device it is applied on
ip access-list standard TELNET-ACL
permit 10.0.11.0 0.0.0.255
exit
line vty 0 4
! an IPv4 standard ACL is applied with access-class; ipv6 access-class expects an IPv6 ACL
access-class TELNET-ACL in
exit
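Both ACLs above rely on the same two IOS rules: the first matching entry decides, and a packet that matches nothing hits the implicit deny. For SERVICE-ALLOW, applied outbound on G0/1, that means every other protocol toward the 10.2.2.0/24 server segment (ICMP, DNS, HTTPS) is dropped, not just unlisted TCP ports; for TELNET-ACL, a standard ACL matches on source only, so Student-VLAN hosts are refused on the vty lines regardless of destination. The evaluator below is an added example, not part of the lab page: the ACL text is the page's, the packets are constructed test input, and the port-name table and wildcard handling are mine.

```python
"""Evaluate IOS standard and extended ACLs against constructed packets.

Added example, not part of the lab page. The two ACLs are the page's
SERVICE-ALLOW (extended, applied out on Gate1 G0/1) and TELNET-ACL
(standard, applied with access-class on the vty lines); the packets are
constructed test input.
"""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80, "telnet": 23, "domain": 53}

# ACL text copied from the page; the parser skips the header and exit lines.
SERVICE_ALLOW_TEXT = """
ip access-list extended SERVICE-ALLOW
permit tcp any host 10.2.2.3 eq smtp
permit tcp any host 10.2.2.3 eq pop3
permit tcp any host 10.2.2.4 eq www
exit
"""
TELNET_ACL_TEXT = """
ip access-list standard TELNET-ACL
permit 10.0.11.0 0.0.0.255
exit
"""


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: int = 0  # destination port, tcp/udp only


def _wildcard_to_prefix(wildcard):
    """IOS wildcard mask -> prefix length (0.0.0.255 -> 24, 0.0.0.0 -> 32)."""
    bits = int(ipaddress.ip_address(wildcard))
    if bits & (bits + 1):  # non-contiguous wildcard such as 0.0.255.0
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return 32 - bits.bit_length()


def _parse_addr(tokens):
    """Consume one address spec: any | host A | A WILDCARD | A (bare = host)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if len(tokens) == 1 or tokens[1] in ("any", "host", "eq"):
        return ipaddress.ip_network(tokens[0]), tokens[1:]
    prefix = _wildcard_to_prefix(tokens[1])
    return ipaddress.ip_network(f"{tokens[0]}/{prefix}", strict=False), tokens[2:]


def parse_ace(line, standard):
    """Return (action, proto, src_net, dst_net, dport or None) for one ACE."""
    t = line.split()
    action = t[0]
    if standard:                        # standard ACLs match on source only
        src, _ = _parse_addr(t[1:])
        return action, "ip", src, ANY, None
    proto = t[1]
    src, rest = _parse_addr(t[2:])
    dst, rest = _parse_addr(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = PORT_NAMES.get(rest[1]) or int(rest[1])
    return action, proto, src, dst, port


def compile_acl(text, standard=False):
    """Parse the permit/deny lines of an ACL body; other lines are ignored."""
    return [parse_ace(l, standard) for l in text.splitlines()
            if l.split()[:1] in (["permit"], ["deny"])]


def evaluate(acl, pkt):
    """First matching ACE wins; falling off the end is the implicit deny."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, proto, src_net, dst_net, port in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if src not in src_net or dst not in dst_net:
            continue
        if port is not None and port != pkt.dport:
            continue
        return action
    return "deny"


SERVICE_ALLOW = compile_acl(SERVICE_ALLOW_TEXT)
TELNET_ACL = compile_acl(TELNET_ACL_TEXT, standard=True)

if __name__ == "__main__":
    for pkt in (Packet("tcp", "10.0.12.50", "10.2.2.3", 25),    # user -> SMTP: permit
                Packet("tcp", "10.0.12.50", "10.2.2.4", 443),   # HTTPS: not listed
                Packet("icmp", "10.0.12.50", "10.2.2.3"),       # ping: implicit deny
                Packet("udp", "10.0.12.50", "10.2.2.3", 53)):   # DNS: implicit deny
        print(pkt, "->", evaluate(SERVICE_ALLOW, pkt))
    for pkt in (Packet("tcp", "10.0.11.20", "10.0.99.1", 23),   # INS VLAN -> vty: permit
                Packet("tcp", "10.0.12.20", "10.0.99.1", 23)):  # Student VLAN: deny
        print(pkt, "->", evaluate(TELNET_ACL, pkt))
```

The evaluator only models what the lab needs (`any`, `host`, address/wildcard and `eq` ports); it is enough to confirm before deployment which flows an outbound server ACL silently breaks, which is the question to answer before the implicit deny answers it for you.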
+ Configure the syslog server on all routers and Core1, trap level debugging.
logging trap debugging
logging 10.0.15.10