CCIE Pursuit Blog

August 17, 2008

Internetwork Expert Volume II: Lab 8 – Section 9

Section 9 – IP Services – 8 Points

9.1 Default Gateways

Users in VLAN 26 have their default-gateway set to their own IP address instead of r6’s address.  Configure r2 and r6 to support them.

WTF?  No clue.

The answer: turn off proxy-arp on those segments.

UPDATE:

It turns out that I read the question wrong. The requirement is:

“Configure r2 and r6 not [sic] support these users.”

It makes sense to disable proxy-ARP so as NOT to support these users.  The users are set up to ARP for everything.  Proxy-ARP is enabled by default, so r2 and r6 will respond to ARPs with their own MAC address if they have a route for the address that the users ARP for.  By disabling proxy-ARP, the routers will not respond to those ARP requests.

9.2 Web Caching

Configure WCCP for users in VLAN 4.  The web servers are out the Frame link.

“Configure r4 to support this setup, but do not attempt to cache HTTP traffic between VLANs 4 and 45.”

How to Configure WCCP

r4(config)#int fa0/0
r4(config-if)#ip wccp web-cache redirect in
r4(config-if)#int s0/0
r4(config-if)#ip wccp web-cache redirect out

r4(config)#ip wccp ?
  <0-254>             Dynamically defined service identifier number
  check               Enable a WCCP check
  outbound-acl-check  Enable acl check on original outbound interface
  version             protocol version
  web-cache           Standard web caching service

r4(config)#ip wccp web-cache ?
  group-address  Set the multicast group
  group-list     Set the access-list used to permit group membership
  password       Authentication password (key)
  redirect-list  Set the access-list used to permit redirection
  <cr>

The three options that stand out as possibly being useful for the last requirement are the outbound-acl-check, the group-list, and the redirect-list.

I peeked at the solution guide.

Huh?

IE just enabled WCCP globally and then set s0/0 to redirect out???  Does that last requirement mean ALL HTTP requests on VLANs 4 and 45 or just the traffic between those two VLANs (as I understood it)?

I get it now.  There are only two egress points for traffic from VLAN 4 or 45.  They can either egress the other VLAN or out the Frame link.  So IE’s solution makes sense.

9.3 IP SLA

This is a basic IP SLA task in which you must set up IP SLA on r6 to ping 115.0.0.1 every 30 seconds with 1250 byte packets and a timeout of 25ms.

I kept getting failures:

r6#sh ip sla mo stat
Round trip time (RTT)   Index 1
        Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: *05:04:09.895 UTC Mon Mar 18 2002
Latest operation return code: Timeout
Number of successes: 0
Number of failures: 4
 
Operation time to live: 3503 sec

The reason was simple.  My packets were not fast enough.  🙂

r6#p 115.0.0.1 si 1250

Type escape sequence to abort.
Sending 5, 1250-byte ICMP Echos to 115.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms

9.4 Gateway Redundancy

You need to use the SLA monitor from the last task with HSRP.  R6 should be VLAN 26’s default gateway, but only if the SLA monitor is successful; otherwise they should use r2.

r6(config)#track 1 rtr 1

r6(config-track)#int f0/1.26
r6(config-subif)#stand 1 track 1 decre 20
r6(config-subif)#stand 1 ip 174.1.26.1
r6(config-subif)#stand 1 preempt

r2(config)#int g0/0.26
r2(config-subif)#stand 1 ip 174.1.26.1
r2(config-subif)#stand 1 preempt
r2(config-subif)#stand 1 prio 90

Since my SLA monitor is failing, r2 should be active and r6 should have a priority of 80:

r2#sh stand
GigabitEthernet0/0.26 – Group 1
  State is Active
    1 state change, last state change 00:01:12
  Virtual IP address is 174.1.26.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.556 secs
  Preemption enabled
  Active router is local
  Standby router is 174.1.26.6, priority 80 (expires in 7.556 sec)
  Priority 90 (configured 90)
  IP redundancy name is “hsrp-Gi0/0.26-1” (default)

r6#sh stand
FastEthernet0/1.26 – Group 1
  State is Standby
    4 state changes, last state change 00:01:22
  Virtual IP address is 174.1.26.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.232 secs
  Preemption enabled
  Active router is 174.1.26.2, priority 90 (expires in 7.232 sec)
  Standby router is local
  Priority 80 (default 100)
    Track object 1 state Down decrement 20
  IP redundancy name is “hsrp-Fa0/1.26-1” (default)

Just to see if it will come up I deleted the SLA monitor and re-added it with a timeout and threshold of 50ms:

no ip sla monitor 1
ip sla monitor 1
type echo protocol ipIcmpEcho 115.0.0.1
request-data-size 1250
timeout 50
threshold 50
freq 5

ip sla monitor schedule 1 start-time now

r6#sh ip sla monitor stat
Round trip time (RTT)   Index 1
        Latest RTT: 28 ms
Latest operation start time: *05:14:18.275 UTC Mon Mar 18 2002
Latest operation return code: OK
Number of successes: 12 
Number of failures: 0

Operation time to live: 3543 sec

r6#sh stand
FastEthernet0/1.26 – Group 1
  State is Active
    8 state changes, last state change 00:01:09
  Virtual IP address is 174.1.26.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.296 secs
  Preemption enabled
  Active router is local
  Standby router is 174.1.26.2, priority 90 (expires in 7.296 sec)
  Priority 100 (default 100)
    Track object 1 state Up decrement 20
  IP redundancy name is “hsrp-Fa0/1.26-1” (default)

r2#sh stand
GigabitEthernet0/0.26 – Group 1
  State is Standby
    5 state changes, last state change 00:01:33
  Virtual IP address is 174.1.26.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.280 secs
  Preemption enabled
  Active router is 174.1.26.6, priority 100 (expires in 8.276 sec)
  Standby router is local
  Priority 90 (configured 90)
  IP redundancy name is “hsrp-Gi0/0.26-1” (default)


August 13, 2008

Internetwork Expert Volume II: Lab 12 – Section 11

Section 11  – IP Services – 2 Points

11.1 DNS

Configure all devices to use DNS server 129.x.3.100.

An easy task to end the lab.  🙂

ip name-server

To specify the address of one or more name servers to use for name and address resolution, use the ip name-server command in global configuration mode.

Rack16R1(config)#ip name-server 129.16.3.100

Verify:
Rack16SW4#fuck <- I truly am a child  🙂
Translating “fuck”…domain server (129.16.3.100)

The IE solution guide shows that you should apply the configuration to “r1 – sw2”.  I think this was an old lab converted from 2 switches to 4?  🙂

August 10, 2008

Internetwork Expert Volume II: Lab 5 – Section 10

Section 10 – IP Services – 4 Points

10.1 DNS

Configure your network so that telnet sessions from r6 can reach other routers by their DNS names.  This sounds like a simple matter of just assigning host names to the routers’ loopback addresses. But they also specify a DNS server IP address.  There’s also this:

“This configuration should not affect any other [than vty 0 4] lines on r6”

Configuring DNS

The solution is very simple:

r6(config)#ip name-server 192.10.1.100

And then it gets weird:

r6(config)#ip domain-lookup
r6(config)#line con 0
r6(config-line)#transport preferred none

I say weird because one of the requirements is “if a user mistypes a command while on the console port it should not try to look it up in DNS.”  Generally, “no ip domain-lookup” takes care of this. It turns out that “transport preferred none” will handle this as well, but at the line level.  So as long as you are connected via the console port you’ll be fine.  Turning on “ip domain-lookup” globally will ensure that all other users (not on the console port) will endure the frustration of DNS lookups for fat-fingered commands. 

10.2 Local Authorization

Configure r6 so that NOC users login (via telnet) at privilege level 2 and can only see the running configuration for hostname, interfaces, interface encapsulations, and any IP access-lists applied to interfaces.

r6(config)#username NOC privilege 2 password CISCO
r6(config-line)#do sh run | sec vty
line vty 0 4
 password cisco
 login
r6(config)#line vty 0 4
r6(config-line)#login local

Now to configure what options privilege level 2 users can see:

privilege interface level 2 ip access-group
privilege interface level 2 ip <- IOS added this
privilege interface level 2 encapsulation
privilege configure level 2 interface
privilege configure level 2 hostname
privilege exec level 2 show running-config
privilege exec level 2 show <- IOS added this

Testing it out: 

r5#telnet 150.1.6.6
Trying 150.1.6.6 … Open

User Access Verification

Username: NOC
Password:
r6#sh privi
Current privilege level is 2
r6#sh run
Building configuration…

Current configuration : 204 bytes
!
!
hostname r6
!
boot-start-marker
boot-end-marker
!
!
!
!
!
interface Loopback0
!
interface FastEthernet0/0
!
interface Serial0/0
!
interface Serial0/0.1 multipoint
!
interface FastEthernet0/1
!
!
end

r6#

That looks right except for the encapsulation.  s0/0 is configured for Frame-Relay and that should show up.  If I changed it to “privilege interface level 2 encapsulation frame-relay” then it would work.

I also don’t understand why IE did not set up a NOC username and login local under the vty line.

April 5, 2008

Internetwork Expert Volume II: Lab 6 – Section 10

IP Services – 2 Points

10.1 CDP

Configure CDP with the following parameters:

1) Send updates every 5 seconds
2) Discard CDP entries after 15 seconds
3) r4 should include its lo0 IP address in the CDP packet for identification

This should be easy…except that we’re dealing with the LAN segment that we used L2 tunneling on back in section 1.  But that doesn’t matter because we need to make these changes in global configuration.

cdp timer (default: 60 seconds)

cdp holdtime (default: 180 seconds)

cdp source-interface

r4(config)#cdp timer 5
r4(config)#cdp hold 15
r4(config)#cdp source-interface lo0
r4(config)#do sh cdp
Global CDP information:
        Sending CDP packets every 5 seconds
        Sending a holdtime value of 15 seconds
        Sending CDPv2 advertisements is  enabled
        Source interface is Loopback0

Before setting CDP source interface to lo0:
sw2(config)#do sh cdp nei fa0/18 det
-------------------------
Device ID: r4
Entry address(es):
  IP address: 191.1.48.4
Platform: Cisco 2651XM,  Capabilities: Router Switch IGMP
Interface: FastEthernet0/18,  Port ID (outgoing port): FastEthernet0/1
Holdtime : 11 sec
—output truncated—

After setting CDP source interface to lo0:
sw2(config)#do sh cdp nei fa0/18 det
-------------------------
Device ID: r4
Entry address(es):
  IP address: 150.1.4.4
Platform: Cisco 2651XM,  Capabilities: Router Switch IGMP
Interface: FastEthernet0/18,  Port ID (outgoing port): FastEthernet0/1
Holdtime : 12 sec
—output truncated—

10.2 UDP Echo

I had no idea on this task:

“Configure sw2 to respond to UDP echoes from a network management station with the IP address 191.1.77.100.”
“sw2 should not respond to packets sent to the UDP ‘discard’ and ‘chargen’ ports from this network management station.”

service udp-small-servers

sw2(config)#access-list 100 deny udp any any eq ?
  discard        Discard (9)

‘chargen’ = ?

Chargen

Chargen is short for Character Generator and is a service that generates random characters either in one UDP packet containing a random number (between 0 and 512) of characters, or a TCP session. The UDP Chargen server looks for a UDP packet on port 19 and responds with the random character packet.

I had to travel to the InterTubes to find this, but IE has a slick trick:

sw2#telnet 150.1.8.8 ?
—output truncated—
  chargen            Character generator (19) <- there’s my UDP port
  cmd                Remote commands (rcmd, 514)
  daytime            Daytime (13)
  discard            Discard (9)
—output truncated—
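An added example (mine, not IE’s solution): the config fragment below is constructed to meet the two requirements above (the SVI name Vlan77 and the switch address 191.1.77.8 are assumptions), and the Python evaluates ACL 100 the way IOS does, first match then implicit deny, to report which of echo/discard/chargen the management station can still reach. Since IOS has no UDP ‘chargen’ keyword, that ACE has to use port 19.

```python
import re

# Constructed running-config fragment (not the IE solution) for the task above:
# UDP small servers on, ACL applied inbound on the NMS-facing SVI (name assumed).
RUNNING_CONFIG = """\
service udp-small-servers
!
interface Vlan77
 ip access-group 100 in
!
access-list 100 deny   udp host 191.1.77.100 any eq discard
access-list 100 deny   udp host 191.1.77.100 any eq 19
access-list 100 permit udp host 191.1.77.100 any eq echo
access-list 100 permit ip any any
"""

# Only the ports this task cares about; 'chargen' must be written as 19 in IOS.
PORT_NAMES = {"echo": 7, "discard": 9, "chargen": 19}
ACE = re.compile(r"^access-list (\d+) (permit|deny) (\w+) (host \S+|any) (host \S+|any)(?: eq (\S+))?$")

def parse_acl(config, number):
    """Return the ACEs of numbered ACL `number` as (action, proto, src, dst, port)."""
    aces = []
    for line in config.splitlines():
        m = ACE.match(" ".join(line.split()))  # collapse the padding IOS prints
        if m and int(m.group(1)) == number:
            port = PORT_NAMES.get(m.group(6), m.group(6))
            aces.append((m.group(2), m.group(3), m.group(4), m.group(5), int(port) if port else None))
    return aces

def _addr_matches(spec, ip):
    return spec == "any" or spec == f"host {ip}"

def acl_permits(aces, proto, src, dst, dport):
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    for action, p, s, d, port in aces:
        if p not in (proto, "ip"):
            continue
        if not (_addr_matches(s, src) and _addr_matches(d, dst)):
            continue
        if port is not None and port != dport:
            continue
        return action == "permit"
    return False

def small_servers_exposed(config, acl_number, nms, switch_ip):
    """Names of echo/discard/chargen that `nms` can still reach through the ACL."""
    if "service udp-small-servers" not in config.splitlines():
        return []  # nothing is listening, so the ACL does not matter
    aces = parse_acl(config, acl_number)
    return [name for name, port in PORT_NAMES.items() if acl_permits(aces, "udp", nms, switch_ip, port)]
```

Run it with a source other than the NMS and chargen shows as reachable, which is exactly what the task as written allows; tightening that is a separate decision.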
