- Equipment List
- Setting Up the Lab
- Pre-Lab Tasks
- General Guidelines
- Practice Lab 1
- Section 1: Bridging and Switching (15 Points)
- Section 2: IP IGP Protocols (28 Points)
- Section 3: ISDN (8 Points)
- Section 4: EGP Protocols (17 Points)
- Section 5: Voice (6 Points)
- Section 6: DLSw+ (4 Points)
- Section 7: IOS and IP Features (10 Points)
- Section 8: QoS (8 Points)
- Section 9: Multicast (4 Points)
- Practice Lab 1: "Ask the Proctor"
- Section 1.1: Frame Relay Configuration
- Section 1.2: 3550 LAN Switch Configuration
- Section 1.3: ATM Configuration
- Section 2.1: RIP
- Section 2.2: EIGRP
- Section 2.3: Redistribution
- Section 3: ISDN
- Section 4: EGP Protocols
- Section 5: Voice
- Section 6: DLSw+
- Section 7: IOS and IP Features
- Section 8: QoS
- Section 9: Multicast
- Practice Lab 1 Debrief
- Section 1: Bridging and Switching (15 Points)
- Section 2: IP IGP Protocols (28 Points)
- Section 3: ISDN (8 Points)
- Section 4: EGP Protocols (17 Points)
- Section 5: Voice (6 Points)
- Section 6: DLSw+ (4 Points)
- Section 7: IOS and IP Features (10 Points)
- Section 8: QoS (8 Points)
- Section 9: Multicast (4 Points)
Section 7: IOS and IP Features (10 Points)
R2 is sited in a shared data center; make the serial link back into R1 as secure as possible at Layer 2.
Did you think about IP Security (IPsec)? Well that is Layer 3; as is any form of access-list, you should realize that PPP is Layer 2 and this protocol has the capability to run CHAP over it, which makes the serial link very secure. PPP with CHAP over a serial link is just as happy as PPP over ISDN; the configuration is exactly the same. If you have configured this correctly as in Example 1-56 and Example 1-57, you have scored 2 points. Example 1-58 shows CHAP in action over the serial link.
Example 1-56 R1 Serial Line PPP CHAP Configuration
username disco password 0 cisco ! interface Serial0/0 ip address 10.90.90.2 255.255.255.240 encapsulation ppp clockrate 2000000 ppp authentication chap ppp chap hostname misco
Example 1-57 R2 Serial Line PPP CHAP Configuration
username misco password 0 cisco ! interface Serial0/0 ip address 10.90.90.1 255.255.255.240 encapsulation ppp ppp authentication chap ppp chap hostname disco
Example 1-58 R1 debug ppp authentication Output
R1#debug ppp authentication PPP authentication debugging is on 3d23h: Se0/0 PPP: Treating connection as a dedicated line 3d23h: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up 3d23h: Se0/0 CHAP: Using alternate hostname misco 3d23h: Se0/0 CHAP: O CHALLENGE id 2 len 26 from "misco" 3d23h: Se0/0 CHAP: I CHALLENGE id 5 len 26 from "disco" 3d23h: Se0/0 CHAP: Using alternate hostname misco 3d23h: Se0/0 CHAP: O RESPONSE id 5 len 26 from "misco" 3d23h: Se0/0 CHAP: I RESPONSE id 2 len 26 from "disco" 3d23h: Se0/0 CHAP: O SUCCESS id 2 len 4 3d23h: Se0/0 CHAP: I SUCCESS id 5 len 4 3d23h: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
Ensure traffic from VLAN4, including any attached router interfaces to VLAN4, is hidden behind R5 Lo0 address when directed toward all external router networks.
The question requires NAT configuration from VLAN4 R5 FastEthernet0/0 to all external networks egressing from R5 ATM3/0. The configuration is not complex so this should start the alarm bells ringing again. Where else did you hear them? The DLSw+ was not difficult so it may be worth checking as this does not break any previous connectivity. In fact, you should get into the habit of frequently checking your work to ensure your points are still safe.
With NAT enabled, R5's VLAN4 interface will NAT from the original source address 10.50.50.1 into source address 10.5.5.5; this will affect the DLSw+ peering that has been configured. When DLSW+ initiates, two connections are set up between the routers; after a capabilities exchange, the router with the lowest peer IP address has its connection dropped with the other maintained. Originally R5 (10.50.50.1) had a higher peer IP address than R8 (10.8.8.8), so it dropped the connection to R8. Now R5 has been NAT'd into source address 10.5.5.5; however, R5 still uses the source address 10.50.50.1 for its peering and drops the connection to R8 believing it is lower than its own source address. R8, as it is promiscuous, sees a connection coming in from 10.5.5.5 and then drops the connection, which is lower than its own peer address of 10.8.8.8. You can imagine that the DLSW+ will never peer correctly now with both peers dropping their connections as shown in Example 1-59. The only way to overcome this is by excluding the actual DLSw+ process from the NAT. To do this you will have to know that DLSw+ over TCP uses ports 2065 and 2067 for read and write; these should, therefore, not be NAT'd. You could gain the port information from an appropriate debug but ideally you should know this. If you have configured this correctly as in Example 1-60, you have scored 3 points.
Example 1-59 R5 debug dlsw Output
R5#debug dlsw 4w0d: DLSw: START-TPFSM (peer 10.8.8.8(2065)): event:DLX-KEEPALIVE REQ state:CONNECT 4w0d: DLSw: dtp_action_q() keepalive request from peer 10.8.8.8(2065) 4w0d: DLSw: Keepalive Response sent to peer 10.8.8.8(2065)) 4w0d: DLSw: END-TPFSM (peer 10.8.8.8(2065)): state:CONNECT->CONNECT 4w0d: DLSw: dlsw_tcpd_fini() for peer 10.8.8.8(2065) 4w0d: DLSw: tcp fini closing connection for peer 10.8.8.8(2065) 4w0d: DLSw: START-TPFSM (peer 10.8.8.8(2065)): event:ADMIN-CLOSE CONNECTION state:CONNECT 4w0d: DLSw: dtp_action_b() close connection for peer 10.8.8.8(2065) 4w0d: DLSw: END-TPFSM (peer 10.8.8.8(2065)): state:CONNECT->DISCONN
Example 1-60 R5 Required NAT Modification Configuration
interface FastEthernet0/0 ip address 10.50.50.1 255.255.255.248 ip nat inside interface ATM3/0 ip address 10.99.99.2 255.255.255.248 ip nat outside ! ip nat inside source list 100 interface Loopback0 overload ! access-list 100 deny tcp host 10.50.50.1 eq 2065 host 10.8.8.8 access-list 100 deny tcp host 10.50.50.1 eq 2067 host 10.8.8.8 access-list 100 deny tcp host 10.50.50.1 host 10.8.8.8 eq 2065 access-list 100 deny tcp host 10.50.50.1 host 10.8.8.8 eq 2067 access-list 100 permit ip 10.50.50.0 0.0.0.255 any
A router is to be installed onto VLAN4 in the future. This router will have a default configuration, so allow R6 to assist dynamically to aid the configuration process. The router will require an IP address of 10.50.50.6 and should load a configuration file called R9-config from a fictitious TFTP server on 172.16.0.59.
The question requires that AutoInstall is used. This is a recent feature, which allows you to place a router with a default configuration onto a network, and it can be configured dynamically by receiving a DHCP address and TFTP server location for its own valid configuration. R6 is required to issue the DHCP address, TFTP server details, and default-router of R5 (10.50.50.1) that the router requires to contact the TFTP server on 172.16.0.59. The DHCP pool configuration on R6 excludes the majority of host addresses for network 10.50.50.0/29; this ensures that the only address offered to DHCP request is 10.50.50.6. You should notice that R6 is not connected to VLAN4 and AutoInstall works by DHCP request; for this reason, you must configure a helper-address on R5 to forward the request to R6. If you have configured this correctly as shown in Example 1-61 and Example 1-62, you have scored 5 points.
Example 1-61 R6 Required Configuration for AutoInstall
service dhcp ! ip dhcp excluded-address 10.50.50.1 10.50.50.5 ! ip dhcp pool 1 network 10.50.50.0 255.255.255.248 bootfile R9-config option 150 ip 172.16.0.59 default-router 10.50.50.1 !
Example 1-62 R5 VLAN4 DHCP Relay Configuration
interface FastEthernet0/0 ip address 10.50.50.1 255.255.255.248 ip helper-address 10.6.6.6