ccnp2 (iscw) - case study 2
TRANSCRIPT
All credit goes to my teachers, who are always source of inspiration for me!!
Using the Cisco IOS CLI: • Configure all interfaces using the addressing scheme shown in the topology diagram. For HQ Router: HQ(config)#int lo 0 HQ(config-if)#ip add 172.16.4.1 255.255.255.0 HQ(config-if)#exit HQ(config)#int fa0/0 HQ(config-if)#ip add 172.16.34.4 255.255.255.0 HQ(config-if)#no sh HQ(config-if)#exit
For FW Router: FW(config)#int lo 0 FW(config-if)#ip add 172.16.3.1 255.255.255.0 FW(config-if)#exit FW(config)#int fa0/0 FW(config-if)#ip add 172.16.34.3 255.255.255.0 FW(config-if)#no sh FW(config-if)#exit FW(config)#int s0/1/1 FW(config-if)#ip add 192.168.23.3 255.255.255.0 FW(config-if)#no sh FW(config-if)#exit
For BRANCH Router: BRANCH(config)#int lo 0 BRANCH(config-if)#ip add 172.16.1.1 255.255.255.0 BRANCH(config-if)#exit BRANCH(config)#int s0/1/0 BRANCH(config-if)#ip add 192.168.12.1 255.255.255.0
Arbab Nazar Network Engineer
B.Sc. CE, M.Sc. Computer Networks
BRANCH(config-if)#clock rate 64000 BRANCH(config-if)#no sh BRANCH(config-if)#exit
For BRANCH Router: ISP(config)#int s0/1/0 ISP(config-if)#ip add 192.168.12.2 255.255.255.0 ISP(config-if)#no sh ISP(config-if)#exit ISP(config)#int s0/1/1 ISP(config-if)#ip add 192.168.23.2 255.255.255.0 ISP(config-if)#clock rate 64000 ISP(config-if)#no sh ISP(config-if)#exit
• Configure HQ, FW, and BRANCH to run EIGRP in AS 1. (Until the tunnel is created, BRANCH will not have any EIGRP adjacencies.) • Add the major 172.16.0.0 network to EIGRP and disable automatic summarization. HQ(config)#router eigrp 1 HQ(config-router)#network 172.16.0.0 HQ(config-router)#no auto-summary FW(config)#router eigrp 1 FW(config-router)#network 172.16.0.0 FW(config-router)#no auto-summary BRANCH(config)#router eigrp 1 BRANCH(config-router)#network 172.16.0.0 BRANCH(config-router)#no auto-summary
• Configure a static default route on FW towards ISP, and redistribute this into EIGRP. FW(config)#ip route 0.0.0.0 0.0.0.0 192.168.23.2 FW(config)#router eigrp 1 FW(config-router)#redistribute static
• Configure a static default route on BRANCH toward ISP. BRANCH(config)#ip route 0.0.0.0 0.0.0.0 192.168.12.2
• Create a static route on ISP for 172.16.0.0/16 toward FW.
ISP(config)#ip route 172.16.0.0 255.255.0.0 192.168.23.3
• After configuring the static routes, make sure you can ping between FW and BRANCH. FW#ping 192.168.12.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/56 ms
Arbab Nazar Network Engineer
B.Sc. CE, M.Sc. Computer Networks
BRANCH#ping 192.168.23.3 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.23.3, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/56 ms
• Configure the host with the IP address shown in the topology diagram and make FW its default gateway.
Arbab Nazar Network Engineer
B.Sc. CE, M.Sc. Computer Networks
• Configure FW and BRANCH for SDM access from the host. FW(config)#username Arbab privilege level 15 password casestudy2 FW(config)#ip domain-name www.hh.se FW(config)#crypto key generate rsa FW(config)#ip http server FW(config)#ip http authentication local FW(config)#line vty 0 4 FW(config-line)#login local FW(config-line)#transport input ssh FW(config-line)#exit BRANCH(config)#username Arbab privilege level 15 password casestudy2 BRANCH(config)#ip domain-name www.hh.se BRANCH(config)#crypto key generate rsa BRANCH(config)#ip http server BRANCH(config)#ip http authentication local BRANCH(config)#line vty 0 4 BRANCH(config-line)#login local BRANCH(config-line)#transport input ssh BRANCH(config-line)#exit
Using Cisco SDM: • Create a secure GRE tunnel between FW and BRANCH using IPsec. • Use the addressing shown on the diagram for the tunnel addressing. • Run EIGRP across the tunnel. • You should use the tunnel wizard to configure one end of the tunnel, and generate a mirror configuration using Cisco SDM for the other end. You may use the command-line interface (CLI) to implement the mirror tunnel configuration on BRANCH. • Apply any encryption algorithms desired for the secure GRE tunnel.
FW Router:
Arbab Nazar Network Engineer
B.Sc. CE, M.Sc. Computer Networks
Arbab Nazar Network Engineer
B.Sc. CE, M.Sc. Computer Networks
Arbab Nazar Network Engineer
B.Sc. CE, M.Sc. Computer Networks
Arbab Nazar Network Engineer
B.Sc. CE, M.Sc. Computer Networks
Arbab Nazar Network Engineer
B.Sc. CE, M.Sc. Computer Networks
Arbab Nazar Network Engineer
B.Sc. CE, M.Sc. Computer Networks
BRANCH Router:
Arbab Nazar Network Engineer
B.Sc. CE, M.Sc. Computer Networks
Arbab Nazar Network Engineer
B.Sc. CE, M.Sc. Computer Networks
Arbab Nazar Network Engineer
B.Sc. CE, M.Sc. Computer Networks
Arbab Nazar Network Engineer
B.Sc. CE, M.Sc. Computer Networks
Arbab Nazar Network Engineer
B.Sc. CE, M.Sc. Computer Networks
Arbab Nazar Network Engineer
B.Sc. CE, M.Sc. Computer Networks
• Configure FW as a firewall using the basic firewall wizard. Assign the interface facing the ISP router to be the outside interface. Trust traffic from all other interfaces.
Arbab Nazar Network Engineer
B.Sc. CE, M.Sc. Computer Networks
Arbab Nazar Network Engineer
B.Sc. CE, M.Sc. Computer Networks
Arbab Nazar Network Engineer
B.Sc. CE, M.Sc. Computer Networks
Arbab Nazar Network Engineer
B.Sc. CE, M.Sc. Computer Networks
• If SDM does not automatically allow IPsec traffic through the firewall, explicitly allow it. • Use the SDM IPS wizard to configure BRANCH to enable the intrusion prevention system (IPS) on the ingress interface facing the ISP router.
Arbab Nazar Network Engineer
B.Sc. CE, M.Sc. Computer Networks
Arbab Nazar Network Engineer
B.Sc. CE, M.Sc. Computer Networks
Arbab Nazar Network Engineer
B.Sc. CE, M.Sc. Computer Networks