CCNP 2 - Case Study 1

alivebooneville, Networks and Communications

28 Oct 2013 (3 years and 7 months ago)

118 views

CCNP 2 - Case Study 1
CLI IPsec and Frame-Mode MPLS

Jeremy Carver, n6144497
Vasily Shapochka, n5498708



Table of Contents

1. Outline
2. Summary of the Company and Network Requirements
3. Logical diagram
4. Physical diagram
3. Discussion on the implementation of Routing
4. Discussion on the physical layer design and equipment
5. Discussion on testing and verification strategies
6. Recommendations for future network upgrades
7. Router Interface Table
8. Equipment Table
9. Questions
10. Router Configurations
    Router R1
    Router R2
    Router R3
    Router R4
11. Testing Results
    Router R1
    Router R2
    Router R3
    Router R4



1. Outline

International Travel Agency is migrating to a network with Multiprotocol Label Switching (MPLS) and VPN. This will provide a customer edge to the Wide Area Network (WAN) that allows more efficient data switching and a secure transfer of data from one office to another.


2. Summary of the Company and Network Requirements

The International Travel Agency requires a network that implements MPLS and VPN technologies. It will use MPLS between the CE and PE and requires a VPN tunnel between the local PE and the remote PE so that data travels securely through the Internet cloud.

The addressing scheme provided in the scenario will be adhered to, allowing the existing infrastructure to migrate without interruption. EIGRP should be used as a fast-converging routing protocol.

Detailed requirements of the company are as follows:

- Configure all interfaces using the addressing scheme shown in the topology diagram.
- Run Enhanced Interior Gateway Routing Protocol (EIGRP) AS 1 in the entire International Travel Agency core network. All subnets should be included.
- Create an IPsec tunnel between R1 and R3 with an appropriate transform set and Internet Security Association and Key Management Protocol (ISAKMP) policy.
- This IPsec tunnel should only encrypt traffic between R1's loopback network and R4's loopback network.
- Use pre-shared keys for authentication in the ISAKMP policy.
- Do not create any new interfaces to achieve this task.
- Use any encryption algorithms desired for the tasks listed above that use the crypto suite of protocols.
- Configure MPLS on both ends of the link between R3 and R4.
- Configure R1 to send system logging messages at the error severity level to an imaginary host located at 172.16.2.200.
- Set up the correct time on R4 using the clock set command. Use the inline IOS help system if you do not know the syntax of this command.
- Configure R4 as a Network Time Protocol (NTP) master with stratum 5.
- Configure R3 as an NTP client of R4.
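The "only encrypt traffic between R1's loopback network and R4's loopback network" requirement is met on the routers with a numbered access list referenced by the crypto map (access-list 101 on R1 and its mirror image on R3, see the configurations in section 10). The Python below is an added worked example written for this page, not code from the original report: it models how IOS evaluates such a crypto ACL (a wildcard-mask match of source and destination, first match wins, implicit deny at the end) and checks that the two peers' ACLs are mirror images of each other, which is what IPsec needs for the security associations to come up in both directions. The two ACL lines are copied from the configurations in this document; the function names and the packet addresses tested are my own, constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Ace:
    """One entry of a numbered IOS extended ACL (protocol 'ip' only)."""
    action: str      # "permit" or "deny"
    src: int         # address as a 32-bit integer
    src_wild: int    # wildcard mask: a 1 bit means "don't care"
    dst: int
    dst_wild: int


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _addr_spec(tokens: List[str]) -> Tuple[int, int]:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' from the front of tokens."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(t), _ip(tokens.pop(0))


def parse_ace(line: str) -> Ace:
    """Parse e.g. 'access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.4.0 0.0.0.255'."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or tokens[2] not in ("permit", "deny") or tokens[3] != "ip":
        raise ValueError(f"unsupported ACL line: {line!r}")
    action = tokens[2]
    rest = tokens[4:]
    src, src_wild = _addr_spec(rest)
    dst, dst_wild = _addr_spec(rest)
    return Ace(action, src, src_wild, dst, dst_wild)


def _matches(addr: int, wild: int, ip: int) -> bool:
    # Only the bits that are 0 in the wildcard mask have to be equal.
    return ((addr ^ ip) & ~wild & 0xFFFFFFFF) == 0


def is_interesting(acl: List[Ace], src_ip: str, dst_ip: str) -> bool:
    """First-match semantics as in IOS; falling off the end is the implicit deny."""
    s, d = _ip(src_ip), _ip(dst_ip)
    for ace in acl:
        if _matches(ace.src, ace.src_wild, s) and _matches(ace.dst, ace.dst_wild, d):
            return ace.action == "permit"
    return False


def mirror(acl: List[Ace]) -> List[Ace]:
    """The ACL the remote peer must hold: same entries with source and destination swapped."""
    return [Ace(a.action, a.dst, a.dst_wild, a.src, a.src_wild) for a in acl]


def is_mirror_pair(local: List[Ace], remote: List[Ace]) -> bool:
    return set(mirror(local)) == set(remote)


# Crypto ACLs exactly as they appear in the R1 and R3 configurations of this report.
R1_ACL = [parse_ace("access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.4.0 0.0.0.255")]
R3_ACL = [parse_ace("access-list 101 permit ip 172.16.4.0 0.0.0.255 172.16.1.0 0.0.0.255")]

if __name__ == "__main__":
    # Constructed sample flows: loopback-to-loopback is protected; a ping sourced from
    # R1's serial address to R4's loopback does not match and therefore goes in clear text.
    print("R1 lo0 -> R4 lo0 encrypted:", is_interesting(R1_ACL, "172.16.1.1", "172.16.4.1"))
    print("R1 s0/2/0 -> R4 lo0 encrypted:", is_interesting(R1_ACL, "172.16.12.1", "172.16.4.1"))
    print("R1/R3 ACLs are mirror images:", is_mirror_pair(R1_ACL, R3_ACL))
```

This is also why the extended ping at the end of the testing results is sourced from 172.16.4.1: a plain ping from R4's serial address would never match the crypto ACL and would not bring the tunnel up.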



3. Logical diagram

[Logical diagram: figure not included in the extracted text.]

4. Physical diagram

[Physical diagram: figure not included in the extracted text.]


3. Discussion on the implementation of Routing

Enhanced Interior Gateway Routing Protocol (EIGRP) is the best choice for the International Travel Agency. It is a classless routing protocol and has elements of both distance-vector and link-state algorithms.

Every directly connected network must be entered into the router's configuration; here a single network 172.16.0.0 statement with no auto-summary covers all subnets. The router then maintains three tables dedicated to EIGRP: the neighbor table, the topology table and the routing table. Rapid convergence, future scalability and efficient use of bandwidth are realized with this protocol. If the network topology changes, EIGRP sends bounded, partial updates only to the routers affected by the change, so the converged routers update quickly rather than re-advertising the whole table.

4. Discussion on the physical layer design and equipment

The test-bed for this upgrade was built on the latest equipment available to us. Cisco 3600 series routers were used and fully configured, which allowed us to implement the solution in a realistic fashion.

Serial port modules were used to simulate Wide Area Network links, and Cisco CAB-SS-V35 cables were used to connect the routers directly, port to port.

The test-bed physical design is very simple, although the real implementation will include other devices such as CSU/DSUs.

5. Discussion on testing and verification strategies

To test the ITA network, each implementation phase was followed by a number of commands issued on the routers to confirm that the stage worked reliably before moving on to the next one. The tests below are ordered according to the project timeline; each test was placed at the stage whose configuration it verifies.

- Connectivity was tested first with the ping utility (see results below). This checks overall router reachability and correct EIGRP configuration; show ip route and show ip eigrp neighbors were used alongside it.
- An extended ping, sourced from a loopback address, was used to bring up the VPN tunnel and to test the crypto ACLs for interesting traffic.
- The show crypto ipsec sa command (see below) was used to confirm that the traffic is going through the tunnel successfully (the encaps/decaps counters increase and all SAs are ACTIVE).
- MPLS was further tested with traceroute, show mpls forwarding-table and show interfaces serial 0/2/1 accounting, to confirm that packets are being labelled by the protocol when needed and that labelled (Tag) packets are being sent and received on the R3-R4 link.
- The debug ntp packets command, together with show ntp status and show ntp associations, was used to test communication between the NTP server and the NTP client.



6. Recommendations for future network upgrades

The network implemented here represents a connection between two ITA remote offices. To reduce connection cost, an IPsec tunnel is created over an Internet link between the two offices to provide secure connectivity and data transfer.

The MPLS that is used between the CE and PE may be extended in the future inside the provider's network in order to speed up delivery between the two locations.

At the customer edge on both sides, the company should consider a firewall solution to filter incoming and outgoing traffic, because its routers are connected directly to the Internet, which represents a potential risk for the internal network.

Before production use the lab credentials should also be replaced. The ISAKMP pre-shared key cisco and the password 7 console, VTY and enable passwords in the configurations below are trivially recoverable by anyone who can read a configuration backup, so a strong, per-peer pre-shared key (or certificate authentication) should be used, the enable password 7 lines should be removed so that only the hashed enable secret applies, and the ip http server that is enabled on every router should be disabled if it is not needed.
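As an added illustration of the credential caveat above (example code written for this page, not part of the original report): the password 7 strings in the configurations in section 10 use the IOS type 7 scheme, which is a fixed-key XOR, not a hash, so the cleartext is recovered directly from the configuration text. The decoder below implements that scheme and audits a constructed snippet made of the credential lines copied from the R1 configuration. The enable secret 5 line is left alone on purpose: it is a salted MD5-crypt hash and cannot be reversed the same way, only guessed. Function names and the snippet are my own.

```python
import re
from typing import List, Tuple

# Fixed translation key used by the IOS type 7 "service password-encryption" scheme.
_XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Reverse a type 7 string: two decimal digits of seed, then hex bytes XORed with the key."""
    if len(encoded) < 4 or len(encoded) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", encoded):
        raise ValueError(f"not a type 7 string: {encoded!r}")
    seed = int(encoded[:2], 10)
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ ord(_XLAT[(seed + i) % len(_XLAT)])) for i, b in enumerate(body))


def type7_encode(password: str, seed: int = 2) -> str:
    """Produce the string IOS would store; seed is the 0..15 starting offset into the key."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    hexed = "".join(
        f"{ord(c) ^ ord(_XLAT[(seed + i) % len(_XLAT)]):02X}" for i, c in enumerate(password)
    )
    return f"{seed:02d}{hexed}"


# Matches "password 7 <hex>" and "enable password 7 <hex>" lines of a running-config.
_TYPE7_LINE = re.compile(r"^(?P<line>\s*(?:enable )?password 7 (?P<hex>[0-9A-Fa-f]+))\s*$", re.M)


def audit_type7(config: str) -> List[Tuple[str, str]]:
    """Return (config line, recovered cleartext) for every type 7 password in the config."""
    return [(m.group("line").strip(), type7_decode(m.group("hex"))) for m in _TYPE7_LINE.finditer(config)]


# Constructed snippet: the credential lines copied from the R1 configuration in this report.
R1_SNIPPET = """\
enable secret 5 $1$68v.$0pF2U4rVQiSFjMd/aTRmo.
enable password 7 060503205F5D49
line con 0
 password 7 045802150C2E
line vty 0 4
 password 7 02050D480809
"""

if __name__ == "__main__":
    for line, clear in audit_type7(R1_SNIPPET):
        print(f"{line:40s} -> {clear!r}")
    # The type 5 enable secret is salted MD5-crypt: not decodable, only brute-forceable.
```

Running the audit over the four configurations in this document recovers the console and VTY passwords of every router, which is the point of the recommendation: type 7 only protects against someone glancing over your shoulder, and the same holds for the pre-shared key, which IOS stores in clear text in this configuration.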

7. Router Interface Table

Router   Interface      IP Address
R1       Serial 0/2/0   172.16.12.1
R1       Loopback 0     172.16.1.1
R2       Serial 0/2/0   172.16.12.2
R2       Serial 0/2/1   172.16.23.2
R2       Loopback 0     172.16.2.1
R3       Serial 0/2/0   172.16.23.3
R3       Serial 0/2/1   172.16.34.3
R3       Loopback 0     172.16.3.1
R4       Serial 0/2/0   172.16.34.4
R4       Loopback 0     172.16.4.1

All addresses use a 255.255.255.0 (/24) mask, as in the configurations below.


8. Equipment Table

Equipment                                                    Quantity
Cisco 3600 Series Router (w. 1x T1 interface card module)    4
Cisco CAB-SS-V35 Cable                                       3



9. Questions

1. R3 and R4 will not send NTP queries as MPLS frames. R3 and R4 are directly connected and the NTP exchange takes place only between the two of them. Because of penultimate hop popping (PHP), each router advertises an implicit-null label for its own directly connected networks, so a label would have to be removed again on the very next hop; to avoid that overhead the packets are sent as normal IP packets.

2. R3 and R4 will not send packets to each other as MPLS frames, because of the PHP function and because they are directly connected routers (see the Pop tag entries in the show mpls forwarding-table outputs below).

3. R4 will send packets destined to R1 and R2 as MPLS frames, but R3 removes the label before forwarding them on to R1 and R2. R3 does not send any packets as MPLS frames: on one side R1 and R2 are not configured with MPLS (the Untagged entries in R3's forwarding table), and on the other side PHP removes the label before any packet is sent towards R4. This is visible in show interfaces s0/2/1 accounting on R3, where the Tag row counts packets in but none out. R4 does not label packets destined to R3 itself, but it does label packets for other networks such as those of R2 and R1, although those labels are removed by R3.

4. In the network configuration, the ESP protocol provides origin authentication, integrity and confidentiality protection of a packet. In the ITA configuration ESP is defined as esp-aes 256 esp-sha-hmac inside the transform set. The AH protocol, on the other hand, is intended to guarantee integrity and data origin authentication of IP packets, including the immutable fields of the outer IP header, which ESP does not cover; AH provides no confidentiality. In the current configuration it is defined as ah-sha-hmac. The two are therefore combined: ESP provides confidentiality (with its own integrity check on the payload) and the Authentication Header adds integrity protection over the outer header as well. Because AH authenticates the outer header it cannot pass through NAT, which is not a problem here since both peers use their own interface addresses. AES with a 256-bit key is the strongest cipher this IOS release offers for ESP, 256 bits being the largest key length defined for AES.

5. The NTP server ensures that the routers in the network are configured with the correct time. This provides accurate time indication when error and other messages are logged to the syslog server. It is crucial that timestamps are correct when errors or attacks are recorded, so that events from different devices can be correlated.
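To make the label-forwarding reasoning in answers 1 to 3 concrete, the following Python is an added example written for this page (not part of the original report). It loads the two show mpls forwarding-table outputs from section 11 as label forwarding tables and walks a packet through them: the ingress router does a longest-prefix lookup and pushes the outgoing label, a transit router swaps it, and an outgoing label of "Pop tag" (the implicit-null label a neighbour advertises for its connected prefix, i.e. PHP) or "Untagged" (the next hop is not an LDP peer) puts the packet back on the wire as plain IP. The neighbour map is taken from the topology in this document; R2 runs no MPLS and is treated as the edge of the label-switched domain. Function names are my own.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Label = Optional[int]  # None = unlabelled IP packet on the wire

# Local label, outgoing label, prefix, outgoing interface, transcribed from the
# "show mpls forwarding-table" outputs of R3 and R4 in the testing results.
LFIB: Dict[str, List[Tuple[int, object, str, str]]] = {
    "R3": [
        (16, "Untagged", "172.16.12.0/24", "Se0/2/0"),
        (17, "Untagged", "172.16.1.0/24", "Se0/2/0"),
        (18, "Untagged", "172.16.2.0/24", "Se0/2/0"),
        (19, "Pop tag", "172.16.4.0/24", "Se0/2/1"),
    ],
    "R4": [
        (16, "Pop tag", "172.16.3.0/24", "Se0/2/0"),
        (17, "Pop tag", "172.16.23.0/24", "Se0/2/0"),
        (18, 18, "172.16.2.0/24", "Se0/2/0"),
        (19, 16, "172.16.12.0/24", "Se0/2/0"),
        (20, 17, "172.16.1.0/24", "Se0/2/0"),
    ],
}

# Far end of each interface, from the topology of the report (R2 runs no MPLS).
NEIGHBOR: Dict[Tuple[str, str], str] = {
    ("R3", "Se0/2/0"): "R2",
    ("R3", "Se0/2/1"): "R4",
    ("R4", "Se0/2/0"): "R3",
}


def _wire_label(outgoing: object) -> Label:
    """'Pop tag' (PHP / implicit null) and 'Untagged' both leave the wire unlabelled."""
    return outgoing if isinstance(outgoing, int) else None


def ingress(router: str, dst_ip: str) -> Tuple[Label, Optional[str]]:
    """Longest-prefix match on the LFIB; no entry means ordinary IP forwarding."""
    dst = ipaddress.IPv4Address(dst_ip)
    best = None
    for _local, outgoing, prefix, iface in LFIB[router]:
        net = ipaddress.IPv4Network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, outgoing, iface)
    if best is None:
        return None, None
    return _wire_label(best[1]), best[2]


def transit(router: str, label: int) -> Tuple[Label, str]:
    """Look up the incoming label and swap it, or pop it and forward as IP."""
    for local, outgoing, _prefix, iface in LFIB[router]:
        if local == label:
            return _wire_label(outgoing), iface
    raise KeyError(f"{router}: no entry for label {label}")


def trace(src: str, dst_ip: str) -> List[Tuple[str, Label]]:
    """Return (router, label put on the wire) for each MPLS router the packet crosses."""
    path: List[Tuple[str, Label]] = []
    label, iface = ingress(src, dst_ip)
    router = src
    path.append((router, label))
    while label is not None:
        router = NEIGHBOR[(router, iface)]
        label, iface = transit(router, label)
        path.append((router, label))
    return path


if __name__ == "__main__":
    print(trace("R4", "172.16.1.1"))   # R4 pushes 17, R3 pops it: R1 and R2 never see a label
    print(trace("R3", "172.16.4.1"))   # PHP: R3 sends traffic for R4's loopback unlabelled
    print(trace("R3", "172.16.34.4"))  # NTP to the directly connected peer: plain IP
```

The three cases printed correspond to answers 3, 2 and 1 respectively, and the trace for R4 to R1 also explains the non-zero "Bytes tag switched" counters on R3: R4 labels those packets, R3 receives them labelled and strips the label.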


10. Router Configurations

Router R1

Current configuration : 2027 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$68v.$0pF2U4rVQiSFjMd/aTRmo.
enable password 7 060503205F5D49
!
no aaa new-model
memory-size iomem 15
!
ip cef
!
no ip domain lookup
ip host R2 172.16.12.2
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco address 172.16.23.3
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map MYMAP 10 ipsec-isakmp
 set peer 172.16.23.3
 set security-association lifetime seconds 900
 set transform-set 50
 set pfs group5
 match address 101
!
interface Loopback0
 description network connected to router 1
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/2/0
 description Link to Router 2
 ip address 172.16.12.1 255.255.255.0
 clock rate 64000
 crypto map MYMAP
!
router eigrp 1
 network 172.16.0.0
 no auto-summary
!
ip http server
no ip http secure-server
!
logging trap errors
logging 172.16.2.200
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.4.0 0.0.0.255
!
banner motd ^CC This is a secure system. Authorized Personnel Only! ^C
!
line con 0
 exec-timeout 0 0
 password 7 045802150C2E
 logging synchronous
line aux 0
line vty 0 4
 password 7 02050D480809
 login
!
end


Router R2

Current configuration : 1474 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$k7cB$tzf98Aglqnj2MJZdUhLFR1
enable password 7 01100A05481846
!
no aaa new-model
memory-size iomem 15
no network-clock-participate wic 3
!
ip cef
!
no ip domain lookup
ip host R1 172.16.12.1
ip host R3 172.16.23.3
!
interface Loopback0
 description network connected to router
 ip address 172.16.2.1 255.255.255.0
!
interface Serial0/2/0
 ip address 172.16.12.2 255.255.255.0
 no fair-queue
!
interface Serial0/2/1
 ip address 172.16.23.2 255.255.255.0
 clock rate 64000
!
router eigrp 1
 network 172.16.0.0
 no auto-summary
!
ip http server
no ip http secure-server
!
banner motd ^CC This is a secure system. Authorized Personnel Only! ^C
!
line con 0
 exec-timeout 0 0
 password 7 00071A150754
 logging synchronous
line aux 0
line vty 0 4
 password 7 14141B180F0B6A
 login
!
end


Router R3

Current configuration : 2321 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$JIRS$AbZjQcNdIODnanFoCjzj70
enable password 7 0205085A18154F
!
no aaa new-model
memory-size iomem 15
no network-clock-participate wic 3
!
ip cef
!
no ip domain lookup
ip host R4 172.16.34.4
ip host R2 172.16.23.2
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco address 172.16.12.1
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map MYMAP 10 ipsec-isakmp
 set peer 172.16.12.1
 set security-association lifetime seconds 900
 set transform-set 50
 set pfs group5
 match address 101
!
interface Loopback0
 description network connected to router
 ip address 172.16.3.1 255.255.255.0
!
interface Serial0/2/0
 description Link to Router 2
 ip address 172.16.23.3 255.255.255.0
 no fair-queue
 crypto map MYMAP
!
interface Serial0/2/1
 description Link to Router 4
 ip address 172.16.34.3 255.255.255.0
 mpls ip
 no fair-queue
 clock rate 2000000
!
router eigrp 1
 network 172.16.0.0
 no auto-summary
!
ip http server
no ip http secure-server
!
access-list 101 permit ip 172.16.4.0 0.0.0.255 172.16.1.0 0.0.0.255
!
banner motd ^CC This is a secure system. Authorized Personnel Only! ^C
!
line con 0
 exec-timeout 0 0
 password 7 02050D4808094F
 logging synchronous
line aux 0
line vty 0 4
 password 7 03075218050061
 login
!
scheduler allocate 20000 1000
ntp clock-period 17179893
ntp server 172.16.34.4
!
end


Router R4

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$pKHY$Pilw1Ad7IjxaPuLSasSea0
enable password 7 121A091601184C
!
no aaa new-model
memory-size iomem 15
no network-clock-participate wic 1
!
ip cef
!
no ip domain lookup
ip host R3 172.16.34.3
!
interface Loopback0
 description network connected to router
 ip address 172.16.4.1 255.255.255.0
!
interface Serial0/2/0
 description Link to Router 3
 ip address 172.16.34.4 255.255.255.0
 mpls ip
 no fair-queue
!
router eigrp 1
 network 172.16.0.0
 no auto-summary
!
ip http server
no ip http secure-server
!
banner motd ^CC This is a secure system. Authorized Personnel Only! ^C
!
line con 0
 exec-timeout 0 0
 password 7 02050D4808094F
 logging synchronous
line aux 0
line vty 0 4
 password 7 13061E01080344
 login
!
scheduler allocate 20000 1000
ntp master 5
!
end



11. Testing Results

Router R1

R1#ping 172.16.12.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms

R1#ping 172.16.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms

R1#ping 172.16.23.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.23.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms

R1#ping 172.16.23.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/60 ms

R1#ping 172.16.3.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/60 ms

R1#ping 172.16.4.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/60 ms

R1#ping 172.16.34.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.34.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/56 ms

R1#ping 172.16.34.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.34.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/60 ms


R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 7 subnets
D       172.16.34.0 [90/3193856] via 172.16.12.2, 03:35:47, Serial0/2/0
D       172.16.23.0 [90/2681856] via 172.16.12.2, 03:42:18, Serial0/2/0
C       172.16.12.0 is directly connected, Serial0/2/0
D       172.16.4.0 [90/3321856] via 172.16.12.2, 03:35:46, Serial0/2/0
C       172.16.1.0 is directly connected, Loopback0
D       172.16.2.0 [90/2297856] via 172.16.12.2, 03:43:24, Serial0/2/0
D       172.16.3.0 [90/2809856] via 172.16.12.2, 03:42:17, Serial0/2/0


R1#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   172.16.12.2             Se0/2/0           12 03:44:08   21   200  0  18


R1#show logging
Syslog logging: enabled (11 messages dropped, 2 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: level debugging, 46 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging: disabled, xml disabled,
                    filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    No active filter modules.

    Trap logging: level errors, 40 message lines logged
        Logging to 172.16.2.200(global) (udp port 514, audit disabled, link up),
               2 message lines logged, xml disabled,
               filtering disabled


R1#sh crypto ipsec sa

interface: Serial0/2/0
    Crypto map tag: MYMAP, local addr 172.16.12.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.4.0/255.255.255.0/0/0)
   current_peer 172.16.23.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
    #pkts decaps: 13, #pkts decrypt: 13, #pkts verify: 13
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.16.12.1, remote crypto endpt.: 172.16.23.3
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/2/0
     current outbound spi: 0xBB8C7C26(3146546214)

     inbound esp sas:
      spi: 0x348BD124(881578276)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3004, flow_id: NETGX:4, crypto map: MYMAP
        sa timing: remaining key lifetime (k/sec): (4505698/146)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:
      spi: 0x7EE5715A(2128965978)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3004, flow_id: NETGX:4, crypto map: MYMAP
        sa timing: remaining key lifetime (k/sec): (4505698/144)
        replay detection support: Y
        Status: ACTIVE

     inbound pcp sas:

     outbound esp sas:
      spi: 0xBB8C7C26(3146546214)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3003, flow_id: NETGX:3, crypto map: MYMAP
        sa timing: remaining key lifetime (k/sec): (4505698/144)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:
      spi: 0xCC6044(13393988)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3003, flow_id: NETGX:3, crypto map: MYMAP
        sa timing: remaining key lifetime (k/sec): (4505698/142)
        replay detection support: Y
        Status: ACTIVE



Router R2

R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 7 subnets
D       172.16.34.0 [90/2681856] via 172.16.23.3, 03:32:14, Serial0/2/1
C       172.16.23.0 is directly connected, Serial0/2/1
C       172.16.12.0 is directly connected, Serial0/2/0
D       172.16.4.0 [90/2809856] via 172.16.23.3, 03:32:13, Serial0/2/1
D       172.16.1.0 [90/2297856] via 172.16.12.1, 03:39:51, Serial0/2/0
C       172.16.2.0 is directly connected, Loopback0
D       172.16.3.0 [90/2297856] via 172.16.23.3, 03:38:44, Serial0/2/1


R2#sh ip eigrp neigh
IP-EIGRP neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   172.16.23.3             Se0/2/1           13 03:38:58   19   200  0  11
0   172.16.12.1             Se0/2/0           11 03:40:05   17   200  0  8


R2#ping 172.16.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms

R2#ping 172.16.4.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/29/32 ms

R2#ping 172.16.3.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms

R2#ping 172.16.23.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms

R2#ping 172.16.34.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.34.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/29/32 ms


Router R3

R3#sh mpls forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Untagged    172.16.12.0/24    1560       Se0/2/0    point2point
17     Untagged    172.16.1.0/24     4088       Se0/2/0    point2point
18     Untagged    172.16.2.0/24     0          Se0/2/0    point2point
19     Pop tag     172.16.4.0/24     0          Se0/2/1    point2point


R3#show interfaces s0/2/1 accounting
Serial0/2/1 Link to Router 2
                Protocol    Pkts In   Chars In   Pkts Out  Chars Out
                   Other          2        648         53       1272
                      IP        292      19601        310      21785
                     CDP         11       3564         11       3564
                     Tag         25       2700          0          0

R3#show interfaces s0/2/1 accounting
Serial0/2/1 Link to Router 2
                Protocol    Pkts In   Chars In   Pkts Out  Chars Out
                   Other          2        648         56       1344
                      IP        309      20721        332      23425
                     CDP         12       3888         12       3888
                     Tag         30       3240          0          0

R3#show interfaces s0/2/1 accounting
Serial0/2/1 Link to Router 2
                Protocol    Pkts In   Chars In   Pkts Out  Chars Out
                   Other          2        648         17        408
                      IP        104       7065        113       8275
                     CDP          5       1620          5       1620
                     Tag         15       1620          0          0


R3#ping 172.16.4.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R3#show interfaces s0/2/1 accounting
Serial0/2/1 Link to Router 2
                Protocol    Pkts In   Chars In   Pkts Out  Chars Out
                   Other          2        648         20        480
                      IP        123       8509        133       9785
                     CDP          6       1944          6       1944
                     Tag         15       1620          0          0


R3#sh crypto ipsec sa

interface: Serial0/2/0
    Crypto map tag: MYMAP, local addr 172.16.23.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.4.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   current_peer 172.16.12.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
    #pkts decaps: 13, #pkts decrypt: 13, #pkts verify: 13
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0

     local crypto endpt.: 172.16.23.3, remote crypto endpt.: 172.16.12.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/2/0
     current outbound spi: 0x348BD124(881578276)

     inbound esp sas:
      spi: 0xBB8C7C26(3146546214)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3004, flow_id: NETGX:4, crypto map: MYMAP
        sa timing: remaining key lifetime (k/sec): (4546509/842)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:
      spi: 0xCC6044(13393988)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3004, flow_id: NETGX:4, crypto map: MYMAP
        sa timing: remaining key lifetime (k/sec): (4546509/840)
        replay detection support: Y
        Status: ACTIVE

     inbound pcp sas:

     outbound esp sas:
      spi: 0x348BD124(881578276)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3003, flow_id: NETGX:3, crypto map: MYMAP
        sa timing: remaining key lifetime (k/sec): (4546509/840)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:
      spi: 0x7EE5715A(2128965978)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3003, flow_id: NETGX:3, crypto map: MYMAP
        sa timing: remaining key lifetime (k/sec): (4546509/840)
        replay detection support: Y
        Status: ACTIVE


R3#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 7 subnets
C       172.16.34.0 is directly connected, Serial0/2/1
C       172.16.23.0 is directly connected, Serial0/2/0
D       172.16.12.0 [90/2681856] via 172.16.23.2, 03:33:46, Serial0/2/0
D       172.16.4.0 [90/2297856] via 172.16.34.4, 03:27:16, Serial0/2/1
D       172.16.1.0 [90/2809856] via 172.16.23.2, 03:33:46, Serial0/2/0
D       172.16.2.0 [90/2297856] via 172.16.23.2, 03:33:46, Serial0/2/0
C       172.16.3.0 is directly connected, Loopback0


R3#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   172.16.34.4             Se0/2/1           10 03:29:37    5   200  0  3
0   172.16.23.2             Se0/2/0           13 03:36:07   21   200  0  19


R3#show ntp status
Clock is synchronized, stratum 6, reference is 172.16.34.4
nominal freq is 250.0000 Hz, actual freq is 249.9996 Hz, precision is 2**18
reference time is CA934B03.CB52988D (05:37:07.794 UTC Thu Sep 13 2007)
clock offset is 0.1988 msec, root delay is 2.26 msec
root dispersion is 1.02 msec, peer dispersion is 0.79 msec


R3#show ntp associations

      address         ref clock     st  when  poll reach  delay  offset    disp
*~172.16.34.4      127.127.7.1       5    49    64  377     2.3    0.20     0.8
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured


R3#ping 172.16.4.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R3#ping 172.16.34.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.34.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R3#ping 172.16.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms

R3#ping 172.16.23.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.23.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms

R3#ping 172.16.12.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms

R3#ping 172.16.12.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/56 ms

R3#ping 172.16.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/60 ms



Router R4

R4#ping 172.16.3.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R4#ping 172.16.23.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.23.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/29/32 ms

R4#ping 172.16.12.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/57/60 ms

R4#ping 172.16.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/60 ms

R4#ping 172.16.4.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms



R4#sh mpls forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Pop tag     172.16.3.0/24     0          Se0/2/0    point2point
17     Pop tag     172.16.23.0/24    0          Se0/2/0    point2point
18     18          172.16.2.0/24     0          Se0/2/0    point2point
19     16          172.16.12.0/24    0          Se0/2/0    point2point
20     17          172.16.1.0/24     0          Se0/2/0    point2point

R4#ping
Protocol [ip]:
Target IP address: 172.16.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.16.4.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]: y
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.4.1
Reply data will be validated
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 104/106/108 ms

R4#sh ntp associations

      address         ref clock     st  when  poll reach  delay  offset    disp
*~127.127.7.1       127.127.7.1      4    53    64   377     0.0    0.00     0.0
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

R4#sh ntp status
Clock is synchronized, stratum 5, reference is 127.127.7.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is CA9349DF.768D5947 (05:32:15.463 UTC Thu Sep 13 2007)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec


R4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 7 subnets
C       172.16.34.0 is directly connected, Serial0/2/0
D       172.16.23.0 [90/21024000] via 172.16.34.3, 03:25:30, Serial0/2/0
D       172.16.12.0 [90/21536000] via 172.16.34.3, 03:25:30, Serial0/2/0
C       172.16.4.0 is directly connected, Loopback0
D       172.16.1.0 [90/21664000] via 172.16.34.3, 03:25:30, Serial0/2/0
D       172.16.2.0 [90/21152000] via 172.16.34.3, 03:25:30, Serial0/2/0
D       172.16.3.0 [90/20640000] via 172.16.34.3, 03:25:30, Serial0/2/0


R4#sh ip eigrp neigh
IP-EIGRP neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   172.16.34.3             Se0/2/0           14 03:25:48    3  1140  0  12

R4#ping 172.16.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/60 ms

R4#show interface s0/2/0 accounting
Serial0/2/0 Link to Router 3
                Protocol    Pkts In   Chars In   Pkts Out  Chars Out
                   Other          0          0        197       4728
                      IP        692      49415        704      48153
                     CDP         26       8424         27       8748
                     Tag          0          0          5        540

R4#ping 172.16.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/57/60 ms

R4#show interface s0/2/0 accounting
Serial0/2/0 Link to Router 3
                Protocol    Pkts In   Chars In   Pkts Out  Chars Out
                   Other          0          0        198       4752
                      IP        703      50323        711      48587
                     CDP         26       8424         27       8748
                     Tag          0          0         10       1080
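The two accounting captures around the ping are the evidence that the echoes were label-switched: the Tag "Pkts Out" counter rises by exactly five. As an added example that is not part of the report, the script below automates that check: it parses `show interface accounting` output, diffs the two snapshots and confirms the five extra tagged frames (the snapshot text is constructed from R4's counters shown above).

```python
"""Added example (not from the case study): diff two 'show interface
accounting' snapshots to confirm that probe traffic left the interface as
tagged (MPLS) frames. Snapshots are constructed from R4's counters above."""
import re

# Captured before the 5-packet ping to 172.16.1.1 ...
BEFORE = """\
                Protocol    Pkts In   Chars In   Pkts Out  Chars Out
                      IP        692      49415        704      48153
                     CDP         26       8424         27       8748
                     Tag          0          0          5        540
"""
# ... and after it.
AFTER = """\
                Protocol    Pkts In   Chars In   Pkts Out  Chars Out
                      IP        703      50323        711      48587
                     CDP         26       8424         27       8748
                     Tag          0          0         10       1080
"""
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_accounting(text):
    """Map protocol -> [pkts_in, chars_in, pkts_out, chars_out]; non-numeric lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            table[m.group(1)] = [int(n) for n in m.groups()[1:]]
    return table

def counter_delta(before, after):
    """Per-protocol increase; a negative value means counters were cleared or wrapped between captures."""
    old, new = parse_accounting(before), parse_accounting(after)
    return {p: [n - o for n, o in zip(v, old.get(p, [0] * 4))]
            for p, v in new.items()}

def label_switched(before, after, echoes):
    """True when exactly `echoes` extra frames left tagged. The IP row also moves
    (EIGRP hellos, NTP, the echo replies), so only the Tag row is evidence that
    the probes followed the LSP rather than being routed as plain IP."""
    return counter_delta(before, after).get("Tag", [0] * 4)[2] == echoes

def tagged_frame_bytes(before, after):
    """Average size of the extra tagged frames: 540 chars / 5 frames = 108 here,
    consistent with a 100-byte echo plus a 4-byte label and 4-byte HDLC header."""
    tag = counter_delta(before, after).get("Tag", [0] * 4)
    return tag[3] // tag[2] if tag[2] > 0 else 0
```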