Sunday, February 17, 2013

Lab 215 - Extended ACL Established

Prerequisites: CCNP level skills.

NOTE!
Initial configuration for this lab can be downloaded here.

Topology

Pic 1. Topology Diagram.

Task 1
On BB1 enable static routing towards the 172.16.0.0 subnets using R3 as the gateway. Create a Loopback0 address on BB2 with the address 10.101.101.254/24. Ensure R3 is the gateway of last resort for EIGRP AS 1. You can use a static route to accomplish the task.

Task 2
Configure an extended ACL on R3 allowing all TCP traffic from EIGRP AS 1 to reach 10.100.100.0/24 only if it was originated from EIGRP AS 1.

Solution


Task 1
On BB1 enable static routing towards the 172.16.0.0 subnets using R3 as the gateway. Create a Loopback0 address on BB2 with the address 10.101.101.254/24. Ensure R3 is the gateway of last resort for EIGRP AS 1. You can use a static route to accomplish the task.

BB1 Config:
!
interface Loopback0
 ip address 10.101.101.254 255.255.255.0
!

ip route 172.16.0.0 255.255.0.0 203.0.113.3
!

R3 Config:
!
ip route 0.0.0.0 0.0.0.0 203.0.113.254
!
router eigrp 1
 redistribute static metric 1 1 1 1 1
 network 10.0.3.3 0.0.0.0
 network 172.16.123.3 0.0.0.0
 no auto-summary
!



Verification:
Pic. 2 - Ping/Traceroute Test.
 
Task 2
Configure an extended ACL on R3 allowing all TCP traffic from EIGRP AS 1 to reach 10.100.100.0/24 only if it was originated from EIGRP AS 1.

R3 Config:
!
access-list 100 permit tcp any 172.16.0.0 0.0.255.255 established
!
interface FastEthernet0/0
 ip address 203.0.113.3 255.255.255.0
 ip access-group 100 in
 speed 100
 full-duplex
!
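The Python below, added here and not part of the original lab, models how this ACE decides on a TCP segment entering R3's Fa0/0: the established keyword permits the segment only when its ACK or RST bit is set, which lets replies to sessions opened inside EIGRP AS 1 back in while a fresh SYN from outside falls through to the implicit deny. Because the test is on header bits rather than on a session table, the last cases show the limit of this control; where that matters, a stateful feature such as reflexive ACLs or the zone-based firewall is the stronger choice. The outside host 10.100.100.1 and the destination hosts are constructed sample values.

```python
# Added example (not from the lab): how IOS evaluates the 'established' ACE above
# when applied inbound on R3 Fa0/0. Packet values below are constructed.
import ipaddress

ACK, RST, SYN = 0x10, 0x04, 0x02  # TCP flag bits

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: 0 bits must match, 1 bits are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0

def acl_100_permits(proto, src, dst, tcp_flags=0):
    """access-list 100 permit tcp any 172.16.0.0 0.0.255.255 established
    followed by the implicit deny. Source is 'any', so only the protocol,
    the destination and the flags decide."""
    if proto != "tcp":
        return False
    if not wildcard_match(dst, "172.16.0.0", "0.0.255.255"):
        return False
    # 'established' is a header-bit test, not a session lookup: the segment
    # passes whenever ACK or RST is set, regardless of what came before it.
    return bool(tcp_flags & (ACK | RST))

def demo():
    src, dst = "10.100.100.1", "172.16.27.7"  # constructed: outside host -> SW1 in Vlan 27
    return {
        "syn_ack_reply": acl_100_permits("tcp", src, dst, SYN | ACK),  # reply to a session from AS 1
        "new_syn": acl_100_permits("tcp", src, dst, SYN),              # session opened from outside
        "rst": acl_100_permits("tcp", src, dst, RST),                  # RST also counts as established
        "icmp": acl_100_permits("icmp", src, dst),                     # not TCP, never matches the ACE
        "unsolicited_ack": acl_100_permits("tcp", src, dst, ACK),      # no session, still passes
        "other_dst": acl_100_permits("tcp", src, "10.0.3.3", ACK),     # outside 172.16.0.0/16
    }
```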


Verification:
Pic. 3 - TCP Traffic Originated From EIGRP AS 1.

Pic. 4 - Traffic Originated Outside EIGRP AS 1.

REMOVE the ACL configured in Task 2.

Lab 214 - Extended ACL

Prerequisites: CCNP level skills.

NOTE!
Initial configuration for this lab can be downloaded here.

Topology

Pic 1. Topology Diagram.

Task 1
Enable HTTP service on R5 for testing purposes.

Task 2
On R5 configure an ACL that blocks HTTP traffic from Vlan 27 towards R5's loopback address (10.0.5.5). HTTP traffic from any source towards the 172.16.215.5 destination should be allowed. All other traffic should be allowed as well.

Solution

Task 1
Enable HTTP service on R5 for testing purposes.

R5 Config:
!
ip http server
!


Task 2
On R5 configure an ACL that blocks HTTP traffic from Vlan 27 towards R5's loopback address (10.0.5.5). HTTP traffic from any source towards the 172.16.215.5 destination should be allowed. All other traffic should be allowed as well.

 
R5 Config:
!
access-list 100 deny   tcp 172.16.27.0 0.0.0.255 host 10.0.5.5 eq www
access-list 100 permit ip any any
!

interface FastEthernet0/1
 ip address 172.16.215.5 255.255.255.0
 ip access-group 100 in
 speed 100
 full-duplex
!


Verification:
Pic. 2 - Telnet Test.
 

Lab 213 - Standard ACL

Prerequisites: CCNP level skills.

NOTE!
Initial configuration for this lab can be downloaded here.

Topology

Pic 1. Topology Diagram.

Task 1
Enable EIGRP AS 1 in Vlan 27, Vlan 215, and on frame-relay connections between R1, R2 and R3 (as per topology diagram). Advertise loopbacks of R1, R2, R3, R5, SW1 and SW2 into EIGRP AS 1. Ensure connectivity between all those loopback addresses.

Task 2
Using a standard ACL, filter out the traffic from Vlan 27 destined for R1's Loopback0 interface (10.0.1.1/24) and all the destinations behind R1.

Task 3
Upon successful completion of the Task 2, remove ACL from the router.

Solution

Task 1
Enable EIGRP AS 1 in Vlan 27, Vlan 215, and on frame-relay connections between R1, R2 and R3 (as per topology diagram). Advertise loopbacks of R1, R2, R3, R5, SW1 and SW2 into EIGRP AS 1. Ensure connectivity between all those loopback addresses.

R1 Config:
!
router eigrp 1
 network 10.0.1.1 0.0.0.0
 network 172.16.123.1 0.0.0.0
 network 172.16.215.1 0.0.0.0
 no auto-summary
!


R2 Config:
!
interface Serial0/0
 ip address 172.16.123.2 255.255.255.0
 encapsulation frame-relay
 no ip split-horizon eigrp 1
 clock rate 2000000
 frame-relay map ip 172.16.123.1 201 broadcast
 frame-relay map ip 172.16.123.2 201
 frame-relay map ip 172.16.123.3 203 broadcast
 no frame-relay inverse-arp
!

router eigrp 1
 network 10.0.2.2 0.0.0.0
 network 172.16.27.2 0.0.0.0
 network 172.16.123.2 0.0.0.0
 no auto-summary
!


R3 Config:
!
router eigrp 1
 network 10.0.3.3 0.0.0.0
 network 172.16.123.3 0.0.0.0
 no auto-summary
!


R5 Config:
!
router eigrp 1
 network 10.0.5.5 0.0.0.0
 network 172.16.215.5 0.0.0.0
 no auto-summary
!


SW1 Config:
! the command below is required on a real L3 switch (not needed in Dynamips)
ip routing
!
router eigrp 1
 network 10.0.7.7 0.0.0.0
 network 172.16.27.7 0.0.0.0
 no auto-summary
!


SW2 Config:
! the command below is required on a real L3 switch (not needed in Dynamips)
ip routing
!
router eigrp 1
 network 10.0.8.8 0.0.0.0
 network 172.16.215.8 0.0.0.0
 no auto-summary
!

Verification:
Using a Tcl script on R2 (tclsh enters the shell, tclquit leaves it):

foreach address {
10.0.1.1
10.0.2.2
10.0.3.3
10.0.5.5
10.0.7.7
10.0.8.8
} { ping $address }



Pic. 2 - Ping Test.

Task 2
Using a standard ACL, filter out the traffic from Vlan 27 destined for R1's Loopback0 interface (10.0.1.1/24) and all the destinations behind R1.

R1 Config:
!
access-list 1 deny   172.16.27.0 0.0.0.255
access-list 1 permit any
!
interface Serial0/0
 ip address 172.16.123.1 255.255.255.0
 ip access-group 1 in
 encapsulation frame-relay
 clock rate 2000000
 frame-relay map ip 172.16.123.2 102 broadcast
 no frame-relay inverse-arp
!


Verification:
Pic. 3 - Ping Test.
Note!
A ping sourced from Vlan 27 fails, but one sourced from SW1's loopback (outside 172.16.27.0/24) succeeds.
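As an added example covering both this task and Task 2 of Lab 214 (not code from the original labs), the Python below parses the numbered ACL lines exactly as written in those two solutions and evaluates constructed packets against them with IOS semantics: entries are tried in order, the first match decides, and anything unmatched hits the implicit deny. The standard list is applied inbound on R1's Serial0/0, so it filters on source only and therefore also covers every destination behind R1; the extended list on R5 matches protocol, destination host and port, which is why the ping and the HTTP request to the Fa0/1 address still pass.

```python
# Added example (not from the labs): IOS-style evaluator for the Lab 214 and Lab 213 ACLs.
import ipaddress

def _addr(tok, i):  # 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def _wc_match(addr, base, wildcard):  # 1 bits in the wildcard mask are ignored
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0

def parse_ace(line):
    tok = line.split()
    ace = {"permit": tok[2] == "permit", "proto": "ip", "dport": None, "dst": ("0.0.0.0", "255.255.255.255")}
    if int(tok[1]) < 100:  # standard ACL: matches on source only
        ace["src"], _ = _addr(tok, 3)
        return ace
    ace["proto"] = tok[3]  # extended: proto src dst [eq port]
    ace["src"], i = _addr(tok, 4)
    ace["dst"], i = _addr(tok, i)
    if i < len(tok) and tok[i] == "eq":
        ace["dport"] = {"www": 80, "telnet": 23}[tok[i + 1]]
    return ace

def _matches(ace, pkt):
    return (ace["proto"] in ("ip", pkt["proto"])
            and _wc_match(pkt["src"], *ace["src"]) and _wc_match(pkt["dst"], *ace["dst"])
            and (ace["dport"] is None or ace["dport"] == pkt.get("dport")))

def acl_permits(lines, pkt):
    for ace in map(parse_ace, lines):
        if _matches(ace, pkt):
            return ace["permit"]
    return False  # implicit deny any
ACL_1 = ["access-list 1 deny 172.16.27.0 0.0.0.255", "access-list 1 permit any"]  # Lab 213, R1 S0/0 in
ACL_100 = ["access-list 100 deny tcp 172.16.27.0 0.0.0.255 host 10.0.5.5 eq www",
           "access-list 100 permit ip any any"]  # Lab 214, R5 Fa0/1 in
def demo():  # constructed packets arriving on the filtered interface
    ping = lambda s, d: {"proto": "icmp", "src": s, "dst": d}
    http = lambda s, d: {"proto": "tcp", "src": s, "dst": d, "dport": 80}
    return {"vlan27_ping_r1": acl_permits(ACL_1, ping("172.16.27.7", "10.0.1.1")),
            "sw1_lo_ping_r1": acl_permits(ACL_1, ping("10.0.7.7", "10.0.1.1")),
            "vlan27_http_lo5": acl_permits(ACL_100, http("172.16.27.7", "10.0.5.5")),
            "vlan27_http_fa": acl_permits(ACL_100, http("172.16.27.7", "172.16.215.5")),
            "vlan27_ping_lo5": acl_permits(ACL_100, ping("172.16.27.7", "10.0.5.5"))}
```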


Task 3
Upon successful completion of the Task 2, remove ACL from the router.

R1 Config:
!
no access-list 1
!
int s0/0
 no ip access-group 1 in
!

Sunday, February 10, 2013

Lab 212 - IPv6 MP-BGP


Prerequisites: CCNP level skills.

Topology

Pic 1. Topology Diagram.

Task 1
Using the previous lab's IPv6 configuration, create a new loopback interface on R1 and SW2. Use the following IPv6 addresses:
  • R1 - Loopback1 = 2002:a00:101:1111::1/128
  • SW2 - Loopback1 = 2002:a00:101:8888::8/128

Task 2
Enable IPv6 MP-BGP peering between R1 (AS100) and SW2 (AS800). Advertise IPv6 addresses configured on Loopback1 interface of both devices into IPv6 MP-BGP. Check the connectivity.

Solution

Task 1
Using the previous lab's IPv6 configuration, create a new loopback interface on R1 and SW2. Use the following IPv6 addresses:
  • R1 - Loopback1 = 2002:a00:101:1111::1/128
  • SW2 - Loopback1 = 2002:a00:101:8888::8/128

R1 Config:
!
interface Loopback1
 no ip address
 ipv6 address 2002:A00:101:1111::1/128
!


SW2 Config:
!
interface Loopback1
 no ip address
 ipv6 address 2002:A00:101:8888::8/128
!

  
Task 2
Enable IPv6 MP-BGP peering between R1 (AS100) and SW2 (AS800). Advertise the IPv6 addresses configured on the Loopback1 interface of both devices into IPv6 MP-BGP. Check the connectivity.

R1 Config:
!
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 neighbor 2002:A00:101:D7::8 remote-as 800
 no neighbor 2002:A00:101:D7::8 activate
 no auto-summary
 !
 address-family ipv6
  neighbor 2002:A00:101:D7::8 activate
  network 2002:A00:101:1111::1/128
 exit-address-family
!


NOTICE!
The IPv6 address-family configuration may look different on your router depending on the IOS version: the neighbor and network statements belong under the ipv6 address-family, but the running configuration may display them as in my example.

SW2 Config:
!
router bgp 800
 no synchronization
 bgp log-neighbor-changes
 neighbor 2002:A00:101:D7::1 remote-as 100
 no neighbor 2002:A00:101:D7::1 activate
 no auto-summary
 !
 address-family ipv6
  neighbor 2002:A00:101:D7::1 activate
  network 2002:A00:101:8888::8/128
 exit-address-family
!


Verification:
Pic. 2 - IPv6 MP-BGP Neighbor.

Pic. 3 - IPv6 MP-BGP Table.

Pic. 4 - Connectivity Test.

Sunday, February 3, 2013

Lab 211 - Automatic 6to4 Tunnel


Prerequisites: CCNP level skills.

Topology

Pic 1. Topology Diagram.

Task 1
Enable connectivity between the two IPv6 sites (shown in green in the topology diagram). Vlans 7, 9, 27, 79, 99, 107 should have connectivity to Vlan 215. The following stipulations should be observed in the solution:
  • The tunnel IPv6 address should use the 2002:: prefix reserved for this method.
  • You are allowed to use one static route on R1 and SW4 to solve the problem.
  • Use RIPng on both sites, but there should be no RIPng prefix exchange between Vlan 215 and the other Vlans on the remote site.

Solution

Task 1
Enable connectivity between the two IPv6 sites (shown in green in the topology diagram). Vlans 7, 9, 27, 79, 99, 107 should have connectivity to Vlan 215. The following stipulations should be observed in the solution:
  • The tunnel IPv6 address should use the 2002:: prefix reserved for this method.
  • You are allowed to use one static route on R1 and SW4 to solve the problem.
  • Use RIPng on both sites, but there should be no RIPng prefix exchange between Vlan 215 and the other Vlans on the remote site.

The task calls for automatic 6to4 tunnelling. Configure an appropriate addressing scheme for all the Vlans in question; the method builds each site prefix from its border router's IPv4 address:
2002:border-router-ipv4-address-in-hex::/48

Step 1
Create an addressing scheme for all Vlans in question and for the tunnel interface.

The border-router prefixes of R1 and SW4 are derived from their Loopback0 addresses (leading 0s in IPv6 address groups can be omitted).

Step 2
Configure the addresses on all interfaces in question and enable RIPng on those.

Vlans:
Dec: 7   ==> Hex: 7
Dec: 9   ==> Hex: 9
Dec: 27  ==> Hex: 1B
Dec: 79  ==> Hex: 4F
Dec: 99  ==> Hex: 63
Dec: 107 ==> Hex: 6B
Dec: 215 ==> Hex: D7


Site 1 (behind R1) Addressing Scheme (based off of R1's Loopback0):
2002:A00:101::/48

Site 2 (behind SW4) Addressing Scheme (based off of SW4's Loopback0):
2002:A00:A0A::/48
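As an added example (not part of the lab), the Python below computes the 6to4 site prefixes and per-Vlan subnets above from the border router's IPv4 address and, in the other direction, extracts the IPv4 tunnel endpoint that a 6to4 router reads out of the IPv6 destination, which is why no tunnel destination is configured in Step 3. SW4's Loopback0 is taken to be 10.0.10.10, as implied by the 2002:A00:A0A::/48 prefix.

```python
# Added example (not from the lab): 6to4 prefix derivation in both directions.
import ipaddress

def site_prefix(border_ipv4):
    """2002:<IPv4 as two 16-bit hex groups>::/48, leading zeros dropped as IOS shows them."""
    v4 = int(ipaddress.IPv4Address(border_ipv4))
    return f"2002:{v4 >> 16:X}:{v4 & 0xFFFF:X}::/48"

def vlan_subnet(border_ipv4, vlan_id):
    """The lab uses the Vlan number (in hex) as the 16-bit subnet id of the site /48."""
    prefix = site_prefix(border_ipv4).split("::")[0]
    return f"{prefix}:{vlan_id:X}::/64"

def tunnel_endpoint(ipv6_dst):
    """Bits 16-47 of a 2002::/16 address carry the remote border router's IPv4
    address; the tunnel interface encapsulates towards it automatically.
    Returns None for a destination outside 2002::/16."""
    addr = int(ipaddress.IPv6Address(ipv6_dst))
    if addr >> 112 != 0x2002:
        return None
    return str(ipaddress.IPv4Address((addr >> 80) & 0xFFFFFFFF))

if __name__ == "__main__":
    # R1 Loopback0 is 10.0.1.1 (from the lab); 10.0.10.10 for SW4 is assumed.
    for router, lo0 in (("R1", "10.0.1.1"), ("SW4", "10.0.10.10")):
        print(router, site_prefix(lo0), vlan_subnet(lo0, 215 if router == "R1" else 99))
    print(tunnel_endpoint("2002:A00:A0A:63::9"))
```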

Pic. 2 - IPv6 addresses.

SITE 1 ADDRESSES

R1 IPv6 Address and RIPng Config:
!
interface FastEthernet0/1
 no ip address
 speed 100
 full-duplex
 ipv6 address 2002:A00:101:D7::1/64
 ipv6 rip CCIE enable
!


R5 IPv6 Address and RIPng Config:
!
interface FastEthernet0/1
 no ip address
 speed 100
 full-duplex
 ipv6 address 2002:A00:101:D7::5/64
 ipv6 rip CCIE enable
!


SW2 IPv6 Address and RIPng Config:
!
interface Vlan215
 no ip address
 ipv6 address 2002:A00:101:D7::8/64
 ipv6 rip CCIE enable
!


SITE 2 ADDRESSES

SW1 IPv6 Address and RIPng Config:
!
interface Vlan7
 no ip address
 ipv6 address 2002:A00:A0A:7::7/64
 ipv6 rip CCIE enable
!

interface Vlan79
 no ip address
 ipv6 address 2002:A00:A0A:4F::7/64
 ipv6 rip CCIE enable
!

interface Vlan107
 no ip address
 ipv6 address 2002:A00:A0A:6B::7/64
 ipv6 rip CCIE enable
!

interface FastEthernet1/2
 no switchport
 no ip address
 duplex full
 speed 100
 ipv6 address 2002:A00:A0A:1B::7/64
 ipv6 rip CCIE enable
!


SW3 IPv6 Address and RIPng Config:
!
interface Vlan9
 no ip address
 ipv6 address 2002:A00:A0A:9::9/64
 ipv6 rip CCIE enable
!

interface Vlan79
 no ip address
 ipv6 address 2002:A00:A0A:4F::9/64
 ipv6 rip CCIE enable
!



SW4 IPv6 Address and RIPng Config:
!
interface Vlan99
 no ip address
 ipv6 address 2002:A00:A0A:63::9/64
 ipv6 rip CCIE enable
!

interface Vlan107
 no ip address
 ipv6 address 2002:A00:A0A:6B::A/64
 ipv6 rip CCIE enable
!


After checking neighbor-to-neighbor connectivity, proceed to Step 3.

Step 3
Configure tunnel and static routing between the sites.

R1 Config:
!
interface Tunnel0
 no ip address
 no ip redirects
 ipv6 address 2002:A00:101::1/64
 tunnel source Loopback0
 tunnel mode ipv6ip 6to4
!

!
! Since there are only two sites, a single static route for the whole 6to4 range is enough:
!
ipv6 route 2002::/16 tunnel 0
!
ipv6 router rip CCIE
 redistribute static metric 1
!


SW4 Config:
!
interface Tunnel0
 no ip address
 no ip redirects
 ipv6 address 2002:A00:A0A::A/64
 tunnel source Loopback0
 tunnel mode ipv6ip 6to4
!

ipv6 route 2002::/16 tunnel 0
!
ipv6 router rip CCIE
 redistribute static metric 1
!

Verification:
Pic. 3 - Simple Ping Test.
Pic. 4 - Traceroute Test.