CCIE Pursuit Blog

January 27, 2008

Internetwork Expert Volume III: Lab 4 – Section 5

Exterior Gateway Routing – 6 Points

5.1 BGP Peerings

This was a pretty easy BGP peering task.  You need to set up a confederation, so you’ll need to be familiar with:

bgp confederation identifier

bgp confederation peers

I did mess up a little bit. I configured “neighbor 150.1.5.5 ebgp-multihop” on r4.

r4 (AS 100) <— r6 (no BGP) —> bb1 (AS 54)

It turns out that I don’t need this command because r6 is bridging, not routing.

neighbor ebgp-multihop

I also missed “neighbor 152.1.37.3 next-hop-self” on sw1, but I did eventually catch that error when I found that I was not installing the bb2 routes on r3:

Without “neighbor 152.1.37.3 next-hop-self” on sw1:

r3#sh ip route bgp
B    119.0.0.0/8 [200/0] via 152.1.125.5, 00:28:44
B    118.0.0.0/8 [200/0] via 152.1.125.5, 00:28:44
B    117.0.0.0/8 [200/0] via 152.1.125.5, 00:28:44
B    116.0.0.0/8 [200/0] via 152.1.125.5, 00:28:44
B    115.0.0.0/8 [200/0] via 152.1.125.5, 00:28:44
B    114.0.0.0/8 [200/0] via 152.1.125.5, 00:28:44
B    113.0.0.0/8 [200/0] via 152.1.125.5, 00:28:44
B    112.0.0.0/8 [200/0] via 152.1.125.5, 00:28:44

r3#sh ip bgp | i Network|192.10.1.254
   Network          Next Hop            Metric LocPrf Weight Path
*  205.90.31.0      192.10.1.254             0    100      0 (7000) 254 ?
220.20.3.0       192.10.1.254             0    100      0 (7000) 254 ?
*  222.22.2.0       192.10.1.254             0    100      0 (7000) 254 ?

r3#sh ip route 192.10.1.254
% Network not in table

With “neighbor 152.1.37.3 next-hop-self” on sw1:

r3#sh ip route bgp
B    119.0.0.0/8 [200/0] via 152.1.125.5, 00:30:15
B    118.0.0.0/8 [200/0] via 152.1.125.5, 00:30:15
B    222.22.2.0/24 [200/0] via 152.1.37.7, 00:00:15
B    117.0.0.0/8 [200/0] via 152.1.125.5, 00:30:15
B    220.20.3.0/24 [200/0] via 152.1.37.7, 00:00:15
B    116.0.0.0/8 [200/0] via 152.1.125.5, 00:30:15
B    115.0.0.0/8 [200/0] via 152.1.125.5, 00:30:15
B    114.0.0.0/8 [200/0] via 152.1.125.5, 00:30:15
B    113.0.0.0/8 [200/0] via 152.1.125.5, 00:30:15
B    112.0.0.0/8 [200/0] via 152.1.125.5, 00:30:15
B    205.90.31.0/24 [200/0] via 152.1.37.7, 00:00:15

r3#sh ip bgp | i Network|152.1.37.7
   Network          Next Hop            Metric LocPrf Weight Path
*> 205.90.31.0      152.1.37.7               0    100      0 (7000) 254 ?
*> 220.20.3.0       152.1.37.7               0    100      0 (7000) 254 ?
*> 222.22.2.0       152.1.37.7               0    100      0 (7000) 254 ?

r3#sh ip route 152.1.37.7
Routing entry for 152.1.37.0/24
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via FastEthernet0/0
      Route metric is 0, traffic share count is 1
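
Why the missing next-hop-self breaks things: a confederation-eBGP session behaves like iBGP for the NEXT_HOP attribute, so sw1 hands r3 the bb2 prefixes with bb2's own address (192.10.1.254) as next hop. r3 has no route to that segment, cannot resolve the next hop, and never installs the prefixes. The configuration below is an added example, not the IE solution guide's configuration: the confederation ID 100, sw1's sub-AS 7000 and the addresses are taken from the outputs above, while r3's sub-AS number (3000) is an assumption.

```cisco
! sw1: member of sub-AS 7000 inside confederation 100 (r3's sub-AS 3000 is assumed)
router bgp 7000
 bgp confederation identifier 100
 bgp confederation peers 3000
 ! eBGP to bb2 (AS 254)
 neighbor 192.10.1.254 remote-as 254
 ! confederation-eBGP to r3 across VLAN 37
 neighbor 152.1.37.3 remote-as 3000
 ! Without this line r3 receives bb2's address as NEXT_HOP and cannot resolve it
 neighbor 152.1.37.3 next-hop-self
!
! r3: the peer sub-AS, same confederation ID
router bgp 3000
 bgp confederation identifier 100
 bgp confederation peers 7000
 neighbor 152.1.37.7 remote-as 7000
```

Before the fix, "show ip bgp 205.90.31.0" on r3 lists the next hop as 192.10.1.254 (inaccessible); after it the next hop is 152.1.37.7, which r3 resolves over its connected VLAN 37 route. The routes still show [200/0] in the RIB because confederation-external routes keep the iBGP administrative distance.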

5.2 BGP Bestpath Selection

“Configure the network so that AS 100 routes through r1 to reach prefixes originated in AS 254.”
“Use MED to accomplish this.”

set metric (BGP, OSPF, RIP)

I had the right idea for this task, but I boned it up.  IE used an aggregate-address on sw1 to ensure reachability to all networks advertised by the backbone routers.  They have a short writeup to explain their method.

aggregate-address

I REALLY need to study BGP some more.

Internetwork Expert Volume III: Lab 4 – Section 4

Interior Gateway Routing – 27 Points

4.1 Bridging

“Disable ip routing on r6”

r6(config)#no ip routing

“Bridge IP between the Frame Relay and Ethernet segments on r6”

That explains why fa0/0 does not have an IP address configured. 🙂

After this task, I can finally ping bb1:

r6#p 54.1.10.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 54.1.10.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/286/1032 ms

4.2 Bridging

This task confused the crap out of me.  My bridging skills are pretty poor.

“Configure the IP address of 54.1.10.6/24 on r6.”

Ummmm….that’s already configured as the IP address of the Frame connection to bb1.  I guess that we’re going to use the same IP address for fa0/0 as well.

“r6 should have reachability to any address of the 54.1.10.0/24 subnet.”
“Don’t use IRB for this task.”

No IRB.  CRB?  Actually, the IE solution doesn’t use IRB or CRB.  The last two subtasks are basically red herrings.  I will need to review bridging.

r6#sh bridge 1 group

Bridge Group 1 is running the IEEE compatible Spanning Tree protocol

   Port 4 (FastEthernet0/0) of bridge group 1 is forwarding
   Port 11 (Serial0/0.1 Frame Relay) of bridge group 1 is forwarding

r6#sh ip int br | i 54.1.10.6
FastEthernet0/0            54.1.10.6       YES manual up                    up
Serial0/0.1                54.1.10.6       YES manual up                    up

r6#p 54.1.10.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 54.1.10.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/89/100 ms

r6#p 54.1.10.100

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 54.1.10.100, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

I can’t ping r4 but I can ping bb1.  This poster has the opposite problem:

Task 4.2 can not ping 54.1.10.254

r6#sh cdp neigh
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
BB1              Ser 0/0.1          147       R T S I     2821      Ser 0/0/0:0.401
sw2              Fas 0/0            174         S I       WS-C3560- Fas 0/6
r6#

sw2#sh run int fa0/6
interface FastEthernet0/6 <-that’s a minimal configuration 🙂
end

How did I miss this?????  Because the port on r6 was initially shut down so I didn’t see it with “show cdp neighbor” on sw2.  Arrgh!!!  I need vlan 46 assigned to this port.

sw2(config)#int fa0/6
sw2(config-if)#swit acc vl 46

r6#p 54.1.10.100

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 54.1.10.100, timeout is 2 seconds:
!!!!!

I guess that I can take solace in the fact that I was able to find my mistake.  I just barely missed going down a deep rabbit hole chasing bridging options.
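
Putting tasks 4.1 and 4.2 together, here is the r6 side as an added example (not the IE solution's configuration). The bridge group, interface names and the 54.1.10.6/24 address come from the outputs above, the sw2 port fix is the one applied above, and the DLCI on the Frame Relay subinterface is an assumption.

```cisco
! r6: transparent bridging of IP between the Frame Relay PVC to bb1 and the
! Ethernet segment to r4. With ip routing disabled the address is the bridge's
! own management address rather than a routed hop, so it may sit on both
! bridged interfaces; r4 and bb1 talk to each other at layer 2 through r6.
no ip routing
bridge 1 protocol ieee
!
interface FastEthernet0/0
 ip address 54.1.10.6 255.255.255.0
 bridge-group 1
 no shutdown
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
!
interface Serial0/0.1 point-to-point
 ip address 54.1.10.6 255.255.255.0
 frame-relay interface-dlci 601
 bridge-group 1
!
! sw2: the access port toward r6 must be in the VLAN that r4 uses for 54.1.10.0/24
interface FastEthernet0/6
 switchport mode access
 switchport access vlan 46
```

Check with "show bridge 1 group" (both ports forwarding) and "show bridge" (MAC addresses of r4 and bb1 learned on opposite ports). If bb1 answers but r4 does not, look at the switch port's VLAN before touching IRB or CRB, which is exactly the trap above. Because r4 and bb1 now share one broadcast domain, bb1's RIP updates reach r4 without any RIP configuration on r6, which is what task 4.3 relies on.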

4.3 RIPv2

I initially thought that there was an error in the IE lab because although r6 was shown as running RIP on the protocol diagram, there was no mention of r6 in the task.  That’s because r6 is bridging the 54.1.10.0/24 network.  I turned off ip routing in task 4.1 so I wouldn’t be able to configure RIP on r6:

r6(config)#router rip
IP routing not enabled

Because r6 bridges the segment, r4 is in the same broadcast domain as bb1 and receives its RIP updates directly, so we should see the routes from bb1 (54.1.10.254) on r4:

r4#sh ip route rip | i 54.1.10.254
R    212.18.1.0/24 [120/1] via 54.1.10.254, 00:00:12, FastEthernet0/0
R    212.18.0.0/24 [120/1] via 54.1.10.254, 00:00:12, FastEthernet0/0
R    212.18.3.0/24 [120/1] via 54.1.10.254, 00:00:12, FastEthernet0/0
R    212.18.2.0/24 [120/1] via 54.1.10.254, 00:00:12, FastEthernet0/0

4.4 Network Redundancy

backup interface

Hmmmm….this is the reason for the point-to-point subinterface on r4 back in task 3.2.

r4#sh ip int br | i Serial
Serial0/0                  unassigned      YES NVRAM  up                    up
Serial0/0.1                unassigned      YES unset  up                    up
Serial0/1                  152.1.54.4      YES NVRAM  standby mode          down

r4#sh backup
Primary Interface   Secondary Interface   Status
-----------------   -------------------   ------
Serial0/0.1         Serial0/1             normal operation

4.5 EIGRP

Basic.

4.6  OSPF

“Use the OSPF network type that was specifically designed to handle issues with routers on the same logical IP subnet not having direct communication with each other.”

Remember that we have a multipoint subinterface on the hub (r3) and point-to-point subinterfaces on the spokes (r1 and r2).  The task calls for the point-to-multipoint OSPF network type, and it has to be set on the spokes as well as the hub so that the hello/dead timers match.

r3#sh ip os nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
150.1.2.2         0   FULL/  -        00:01:49    152.1.123.2     Serial0/0:0.1
150.1.1.1         0   FULL/  -        00:01:54    152.1.123.1     Serial0/0:0.1

r3#sh ip route os
     152.1.0.0/16 is variably subnetted, 5 subnets, 2 masks
O       152.1.123.2/32 [110/65] via 152.1.123.2, 00:00:07, Serial0/0:0.1
O       152.1.123.1/32 [110/65] via 152.1.123.1, 00:00:07, Serial0/0:0.1
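
The matching configuration for the hub and one spoke, as an added example rather than the solution guide's text. Interface names, addresses and DLCIs are those from task 3.1 below; the OSPF process number and the area number (123) are assumptions. The detail that bites people is the timer mismatch: a point-to-point interface defaults to a 10-second hello, a point-to-multipoint one to 30 seconds, so leaving the spokes at their default network type stops the adjacency from forming.

```cisco
! r3 (hub): multipoint subinterface from task 3.1
interface Serial0/0:0.1 multipoint
 ip address 152.1.123.3 255.255.255.0
 ip ospf network point-to-multipoint
 frame-relay map ip 152.1.123.1 301 broadcast
 frame-relay map ip 152.1.123.2 302 broadcast
!
! r1 (spoke): point-to-point subinterface from task 3.1; same on r2 with
! address 152.1.123.2 and DLCI 203
interface Serial0/0.1 point-to-point
 ip address 152.1.123.1 255.255.255.0
 ip ospf network point-to-multipoint
 frame-relay interface-dlci 103
!
! OSPF process and area number are assumptions; apply on r1, r2 and r3
router ospf 1
 network 152.1.123.0 0.0.0.255 area 123
```

Point-to-multipoint advertises every neighbor's address as a /32 host route, which is exactly what "show ip route ospf" on r3 shows above. Those host routes are what let r1 and r2 reach each other through the hub even though there is no PVC between them.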

4.7 OSPF

Basic

4.8 OSPF

In this task you need to advertise the loopbacks on r1 and r2 into area 0.  But r1 and r2 are not in area 0.  Time for a couple of virtual links.

4.9 OSPF Loopback Advertisement

“Advertise the Loopback0 networks of r3 and sw1 into OSPF.”
“These networks should appear in each other's routing tables as intra-area routes.”

Since I’m not told which area to advertise the loopbacks into, can’t I just make this simple by advertising both loopbacks into area 37?  Answer: YES!

sw1#sh ip route | i 150.1.3.
O       150.1.3.3/32 [110/2] via 152.1.37.3, 00:00:37, Vlan37

r3#sh ip route | i 150.1.7.
O       150.1.7.7/32 [110/2] via 152.1.37.7, 00:00:00, FastEthernet0/0

4.10 IGP Redistribution

Four points of mutual redistribution.  Ugh.  The first two points are no worry (discontiguous RIP).  The other two are dangerous though.  I’ll work on those in task 4.11.

4.11 Redistribution Loop Prevention

“Ensure that EIGRP external routes that are redistributed into OSPF on r1 and r2 do not get redistributed back into EIGRP.”
“Use AD to accomplish this.”

Here is a (simplified) view of the two redistribution points on r1 and r2:
                         ————(D)r1(O)———–
r4(R<->D)—r5(D)                                     (O)r3—(O<->R)sw1
                         ————(D)r2(O)———–
If we do mutual redistribution between EIGRP and OSPF on both r1 and r2, the EIGRP external routes (D EX, AD 170) that r1 redistributes into OSPF arrive at r2 as OSPF externals with AD 110, beat r2's own EIGRP copies in the routing table, and get redistributed into EIGRP a second time (and the same happens in the other direction).  We’re given the method for preventing this: adjust the administrative distances so that the EIGRP copy always wins.

I missed an issue on sw1 though:

Task 4.11 Redist Loop Prevention

You need to change the RIP distance or SW1 sees the routes learnt from BB3 as OSPF external routes, which it uses over the correct RIP routes.  If you check the routing table on SW1, the next hop for all the BB3 subnets is R3.  This is resolved by changing the AD [router rip – distance 109].
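
One way to do what the task asks with administrative distance, as an added example (this is not the IE solution guide's configuration). On r1 and r2 the OSPF copies of the EIGRP-external prefixes are given a distance of 171, one above EIGRP external's 170, so each router keeps its EIGRP-learned copy and never installs the OSPF copy that the other redistribution point injected. The 212.18.0.0/22 range covers the bb1 RIP prefixes seen on r4 in task 4.3; the OSPF process number, EIGRP AS number and redistribution metrics are assumptions. The sw1 line is the fix from the forum post quoted above.

```cisco
! r1 and r2: make the OSPF copy of the EIGRP-external prefixes lose to the
! EIGRP copy (D EX, AD 170), so it never reaches the RIB and is never
! redistributed back into EIGRP.
access-list 10 remark bb1 prefixes learned via RIP on r4 (212.18.0.0/24 - 212.18.3.0/24)
access-list 10 permit 212.18.0.0 0.0.3.255
!
router ospf 1
 redistribute eigrp 100 subnets
 ! distance <ad> <source-router> <wildcard> <acl>: from any OSPF router, prefixes in ACL 10
 distance 171 0.0.0.0 255.255.255.255 10
!
router eigrp 100
 redistribute ospf 1 metric 10000 100 255 1 1500
!
! sw1: RIP routes from bb3 must beat the OSPF-external copies (AD 110) that r3 sends back
router rip
 distance 109
```

The alternative "distance eigrp 90 109" under router eigrp gets the same result in one line but lowers the distance of every EIGRP external route, not just the ones that loop; the ACL form keeps the change scoped to the prefixes that actually cross both redistribution points. Verify on r2 with "show ip route 212.18.0.0": the source should stay "D EX" even while r1's OSPF copy is present in "show ip ospf database external".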

Internetwork Expert Volume III: Lab 4 – Section 3

WAN Technologies – 11 Points

3.1 Hub and Spoke

For some reason I could not get my Frame Relay hub-and-spoke network to come up.  A quick look at the configuration showed the problem.  This is the fourth initial configuration error:

r3 – Hub:
interface Serial0/0:0
 no ip address
 encapsulation frame-relay
 frame-relay lmi-type ansi <- from initial configuration
interface Serial0/0:0.1 multipoint
 ip address 152.1.123.3 255.255.255.0
 frame-relay map ip 152.1.123.1 301 broadcast
 frame-relay map ip 152.1.123.2 302 broadcast

r3#sh frame lmi | i TYPE
LMI Statistics for interface Serial0/0:0 (Frame Relay DTE) LMI TYPE = ANSI

r2 – Spoke:
r2#sh run | sec Serial0/0/0
interface Serial0/0/0
 no ip address
 encapsulation frame-relay
interface Serial0/0/0.1 point-to-point
 ip address 152.1.123.2 255.255.255.0
 frame-relay interface-dlci 203

r2#sh frame lmi | i TYPE
LMI Statistics for interface Serial0/0/0 (Frame Relay DTE) LMI TYPE = CISCO

r1 – Spoke
r1#sh run | sec Serial0/0
interface Serial0/0
 no ip address
 encapsulation frame-relay IETF
 frame-relay lmi-type cisco <- from initial configuration
interface Serial0/0.1 point-to-point
 ip address 152.1.123.1 255.255.255.0
 frame-relay interface-dlci 103

r1#sh frame lmi | i TYPE
LMI Statistics for interface Serial0/0 (Frame Relay DTE) LMI TYPE = CISCO

I set the LMI type on r3 to cisco (default) as that’s what my Frame Relay switch is running.

frame-relay lmi-type

r3(config-if)#frame lmi-type ?
  cisco
  ansi
  q933a

Nicely played IE.  🙂

task 3.1 : lmi type missing in SG?

3.2 PPPoFR

Crap.  This is another of those subjects that I am weak in.  Luckily, the IE blog had a recent post that gives a very good overview of how to configure PPPoFR:

Understanding PPP over Frame Relay (PPPoFR)

frame-relay interface-dlci

interface virtual-template

This was actually a very easy configuration as the task did not require PPP authentication.

r4(config)#int virtual-template1
r4(config-if)#ip address 152.1.45.4 255.255.255.0
r4(config-if)#int s0/0
r4(config-if)#frame interface-dlci 405 ?
  ppp       Use RFC1973 Encapsulation to support PPP over FR
  switched  Define a switched DLCI
  <cr>

r4(config-if)#frame interface-dlci 405 ppp ?
  Virtual-Template  Virtual Template interface

r4(config-if)#frame interface-dlci 405 ppp virtual-Template ?
  <1-200>  Virtual-Template interface number

r4(config-if)#frame interface-dlci 405 ppp virtual-Template 1 ?
  <cr>

r4(config-if)#frame interface-dlci 405 ppp virtual-Template 1

r4#show interface virtual-template1
Virtual-Template1 is down, line protocol is down <-expected behavior

  Hardware is Virtual Template interface
  Internet address is 152.1.45.4/24
  MTU 1500 bytes, BW 100000 Kbit, DLY 100000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Closed, loopback not set
  Keepalive set (10 sec)
  DTR is pulsed for 5 seconds on reset
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 00:14:45
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions

r4#sh int virtual-access1
Virtual-Access1 is up, line protocol is up
  Hardware is Virtual Access interface
  Internet address is 152.1.45.4/24
  MTU 1500 bytes, BW 100000 Kbit, DLY 100000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Open: IPCP
  PPPoFR vaccess, cloned from Virtual-Template1
  Vaccess status 0x44
  Bound to Serial0/0 DLCI 405, Cloned from Virtual-Template1, loopback not set
  Keepalive set (10 sec)
  DTR is pulsed for 5 seconds on reset
  Last input 00:00:02, output never, output hang never
  Last clearing of "show interface" counters 00:03:54
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 2000 bits/sec, 2 packets/sec
  5 minute output rate 2000 bits/sec, 2 packets/sec
     153 packets input, 151680 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     157 packets output, 151616 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions

r4#p 152.1.45.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 152.1.45.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms

r4#sh ip route 152.1.45.5
Routing entry for 152.1.45.5/32
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via Virtual-Access2
      Route metric is 0, traffic share count is 1

Do the same on r5 (different IP address and DLCI obviously) et voila!

The IE solution shows that they used a point-to-point subinterface on r4 (no idea why) but not on r5 for this task.  Again, no idea why.

3.3 Point-To-Point

Basic….except that I expected to be able to ping bb1 (54.1.10.254) after this step.  I’ll need to wait until I do some bridging in section 4.

Task 3.3

3.4 PPP

Basic.

3.5 PPP Authentication

Easy task because you are asked to have the routers authenticate each other using a hash, which means CHAP: the password never crosses the link, only an MD5 response to a challenge, unlike PAP, which sends it in the clear.

January 26, 2008

Internetwork Expert Volume III: Lab 4 – Section 2

Bridging and Switching – 9 Points

2.1 Trunking

Speed tip - Use ‘interface range’ to configure multiple, non-contiguous interfaces at one time:

sw3(config)#int range fa0/13, fa0/16, fa0/17, fa0/19, fa0/21

sw4(config-if-range)#do sh int trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      desirable    n-isl          trunking      1
Fa0/14      desirable    n-isl          trunking      1
Fa0/15      desirable    n-isl          trunking      1
Fa0/16      desirable    n-isl          trunking      1
Fa0/17      desirable    n-isl          trunking      1
Fa0/18      desirable    n-isl          trunking      1
Fa0/19      on           802.1q         trunking       1
Fa0/20      desirable    n-isl          trunking      1
Fa0/21      on           802.1q         trunking       1 

The eternal question: to shut or not to shut the dynamically negotiated trunks?  Since the  IE solution does not show these trunks in the “show int trunk” output I went ahead and shut them down (on one side at least).

2.2 Etherchannel

WTF?

sw3(config-if-range)#channel-group 23 mode active
% Interface range command failed for FastEthernet0/17

00:55:00: %EC-5-ERRPROT: Channel protocol mismatch for interface Fa0/17 in group 23: the interface can not be added to the channel group

sw3(config-if-range)#do sh run int fa0/17
interface FastEthernet0/17
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 125
 switchport mode trunk
 switchport nonegotiate
 channel-protocol pagp  <-where did that come from?

sw3(config-if-range)#do sh start | b 0/17
interface FastEthernet0/17
 switchport mode dynamic desirable
 channel-protocol pagp

Yet another initial config error.

task 2.2 : command is missing in SG

Fix:

sw3(config-if-range)#int fa0/17
sw3(config-if)#no channel-protocol pagp
sw3(config-if)#channel-g 23 mode active

sw3(config-if)#do sh eth sum | b Group
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
23     Po23(SU)        LACP      Fa0/16(P)   Fa0/17(P)

2.3 VTP

“Configure the VTP domain CCIE on all four switches.”

Should I put only one of the switches in VTP Server mode?  sw3 would be the obvious candidate to be the VTP server.  I did that.  IE did not.  They left all switches as VTP servers.

“Configure VLAN assignments per the diagram”

Crap! I usually miss some VLANs when I do this.  This time was no exception.

“Filter traffic on the 802.1q trunk links so that only necessary VLAN traffic is sent over them.”

Easy enough…vtp pruning.  BUT if you are told not to shut down the dynamically negotiated trunks then those trunks will negotiate to ISL by default.  That would make this task a lot more difficult and time-consuming, because VTP pruning is enabled for the whole VTP domain: it cannot be turned on for the dot1q trunks and not the ISL ones, or vice versa.

The IE solution did not use VTP pruning.  They explicitly configured the allowed VLANs on each trunk.  This is probably a result of the “802.1q trunk links” verbiage: VTP pruning would work, but on all trunks regardless of the encapsulation type used.  Pretty tricky putting this task under the VTP section.  🙂

Task 2.3, VTP

vtp (global configuration)

Follow these guidelines when setting VTP pruning:

•VTP pruning removes information about each pruning-eligible VLAN from VTP updates if there are no stations belonging to that VLAN.

If you enable pruning on the VTP server, it is enabled for the entire management domain for VLAN IDs 1 to 1005.

•Only VLANs in the pruning-eligible list can be pruned.

•Pruning is supported with VTP Version 1 and Version 2.
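
The two ways of satisfying “only necessary VLAN traffic” on an 802.1q trunk, side by side, as an added example (not the solution guide's text). The 802.1q trunk fa0/19 is the one in sw4's "show int trunk" output in task 2.1; the VLAN list on the allowed-vlan line is an assumption that would be read off the lab diagram.

```cisco
! Approach 1: VTP pruning. Enabled once on a VTP server, it is then in effect
! for every trunk in the CCIE domain, ISL and 802.1q alike, so it cannot be
! limited to "the 802.1q trunk links". VLAN 1 and 1002-1005 are never pruned.
vtp domain CCIE
vtp pruning
!
! Approach 2 (what the IE solution did): an explicit allowed list per trunk.
! This is also the stricter choice from a security standpoint: a VLAN that is
! not on the list is not carried across the link at all, rather than merely
! not flooded, and the list does not depend on VTP state on the far switch.
interface FastEthernet0/19
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 37,46,72,73,125
```

Verify with "show interfaces trunk": with approach 2 the “Vlans allowed on trunk” line shrinks from 1-4094 to the list, whereas with pruning only the last block (“in spanning tree forwarding state and not pruned”) changes, as the outputs below show.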

VTP Pruning with ISL trunk:

sw1(config-if)#do sh vtp status | i run
VTP Pruning Mode                : Enabled
sw1(config-if)#do sh int trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/16      on           isl            trunking      1

Port        Vlans allowed on trunk
Fa0/16      1-4094

Port        Vlans allowed and active in management domain
Fa0/16      1,3-5,37,46,72-73,125

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/16      1,3-5,46,72-73,125

VTP Pruning with dot1q trunk:

sw1(config-if)#do sh vtp stat | i run
VTP Pruning Mode                : Enabled
sw1(config-if)#do sh int trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/16      on           802.1q         trunking      125

Port        Vlans allowed on trunk
Fa0/16      1-4094

Port        Vlans allowed and active in management domain
Fa0/16      1,3-5,37,46,72-73,125

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/16      1,3-5,46,72-73,125
sw1, 2, 4

Hmmmm…..can’t ping bb2 from sw1 (VLAN 72):

sw1(config-if)#do p 192.10.1.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.10.1.254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Route: sw1 fa0/16 (trunk) -> (trunk) fa0/13 sw3 po23 (trunk) -> (trunk) po23 sw2 int fa0/24 (vlan 72) -> (vlan 72) gi1/0/1 bb2

Start at last hop before bb2:

sw2#sh int fa0/24 status

Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/24                       notconnect   72           auto   auto 10/100BaseTX 

Problem = dead port on my bb2 router (actually a 3750 switch).  ARGGH!!!!

Shut/no shut fixed it…..weird!!!

sw1#ping 192.10.1.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.10.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/202/1006 ms

Internetwork Expert Volume III: Lab 4 – Section 1

Troubleshooting – 2 Points

There are supposedly two faults in the initial configurations.  There are at least four faults and as many as six – depending on how you count them.  I’ll just list the two (I counted this as four because there were four misaddressed IP addresses) that IE shows in the solution guide.  I will point out the other two in the sections that I discovered them.

1) VLAN 3 is configured with the wrong subnet (sw3 and r3)

r3#sh ip int br | i net0/1
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/1            152.1.39.3      YES manual up                    up

r3(config)#int fa0/1
r3(config-if)#ip add 152.1.3.3 255.255.255.0

sw3#sh ip int br | e ass
Interface              IP-Address      OK? Method Status                Protocol
Vlan39                 152.1.39.9      YES manual down                  down

sw3(config)#no int vlan39
sw3(config)#no vlan 39
sw3(config)#vlan 3
sw3(config)#int vlan 3
sw3(config-if)#ip add 152.1.3.9 255.255.255.0

2) VLAN 5 is configured with the wrong subnet (sw4 and r5)

r5#sh ip int br | i net0/1
FastEthernet0/1            152.1.105.5     YES manual up                    up

r5(config)#int fa0/1
r5(config-if)#ip add 152.1.5.5 255.255.255.0

sw4#sh ip int br | e ass
Interface              IP-Address      OK? Method Status                Protocol
Vlan105                152.1.105.10    YES manual down                  down

sw4(config)#no int vlan105
sw4(config)#no vlan 105
sw4(config)#vlan 5
sw4(config)#int vlan 5
sw4(config-if)#ip add 152.1.5.10 255.255.255.0

January 19, 2008

Internetwork Expert Volume II: Lab 4 – Section 11

Exterior Gateway Routing – 8 Points

11.1 BGP Peering

“The BGP peering session between r4 and r5 should remain up if r4 loses both the frame Relay and Ethernet segments to r5.”

Peer loopbacks between r4 and r5.  These routers have 3 connections between them, so if the Frame and Ethernet drop, the PTP connection will kick in.  Remember that peering between loopbacks needs ‘update-source Loopback0’ on both sides, plus ‘ebgp-multihop’ if the session is eBGP (the loopbacks are not directly connected and eBGP defaults to a TTL of 1).

11.2 BGP Filtering

You need to configure r6 so that it is only advertising the routes shown in a command output to r2.

“Do not use communities, IP access-lists, or prefix-list filtering to accomplish this.”

From my output I need to filter the following routes:

*> 205.90.31.0      141.1.123.2                            0 200 254 ?
*> 220.20.3.0       141.1.123.2                            0 200 254 ?
*> 222.22.2.0       141.1.123.2                            0 200 254 ?

I should be able to filter on as path for these networks based on as_path.  Or does that count as an “ip access-list”?  IE solution guide says “go ahead”.  🙂

ip as-path access-list

r6(config)#ip as-path access-list 71 permit _54$
r6(config)#router bgp 100
r6(config-router)#neigh 141.1.123.2 filter-list 71 out
r6(config-router)#do sh ip bgp neigh 141.1.123.2 adv | b Network
Network          Next Hop            Metric LocPrf Weight Path
*> 112.0.0.0        54.1.1.254               0             0 54 50 60 i
*> 113.0.0.0        54.1.1.254               0             0 54 50 60 i
*> 114.0.0.0        54.1.1.254               0             0 54 i
*> 115.0.0.0        54.1.1.254               0             0 54 i
*> 116.0.0.0        54.1.1.254               0             0 54 i
*> 117.0.0.0        54.1.1.254               0             0 54 i
*> 118.0.0.0        54.1.1.254               0             0 54 i
*> 119.0.0.0        54.1.1.254               0             0 54 i

I think that there is a typo in the output because there are routes from bb3 present, but we are not peering with bb3 in this lab:

bb3#sh ip bgp | b Network
 Network          Next Hop            Metric LocPrf Weight Path
*> 28.119.16.0/24   0.0.0.0                  0         32768 i
*> 28.119.17.0/24   0.0.0.0                  0         32768 i

11.2 BGP filtering – typo?

Or is it a typo?  According to this post bb3 should peer with bb1 and then pass the routes to r6?

Task 11.2

I’m just going to ignore those routes.  I don’t have a peering between bb1 and bb3 in my lab.

11.3 BGP Connectivity

I hit the wall on this task.  I’ll have to come back and revisit it as I was so wiped from labbing that I just couldn’t handle mucking about with BGP redistribution.  😦

Internetwork Expert Volume II: Lab 4 – Section 10

IP Services – 5 Points

10.1 DNS

A DNS entry has been incorrectly configured to point to 141.1.0.22.  You need to:

“Without applying this IP address to any interface, permit users to telnet to r2 using this DNS entry or IP address.”
“Do not use NAT to accomplish this task.”

So r2 has to accept telnet connections addressed to 141.1.0.22 even though that address is not configured on any interface (it falls inside the subnet of r2's 141.1.0.2 interface, so the rest of the network already delivers it toward r2).

I knew how to do this task because I have used the “show ip alias” command many times to harvest IP  addresses for my ping scripts.

ip alias

r2(config)#ip alias 141.1.0.22 ?
  <0-65535>  IP port number

r2(config)#ip alias 141.1.0.22 23

r2#sh ip alias
Address Type             IP Address      Port
Interface                141.1.0.2
Alias                    141.1.0.22     23
Interface                141.1.25.2
Interface                141.1.123.2
Interface                150.1.2.2

r4#telnet 141.1.0.22
Trying 141.1.0.22 … Open

User Access Verification

Username: NOC  <-from earlier task
Password:

    NOC Options

    1          Ping r5’s loopback 0

    2          Ping r6’s loopback 0

    3          Trace to r5’s loopback 0

    4          Trace to r6’s loopback 0

    5          Quit (Access CLI)

10.2 Gateway Redundancy

Long winded way of saying configure HSRP.  🙂

The first subtask was well written in that it is pretty easy to get thrown off task by it.  I was initially wondering how I would get half of the clients to use one gateway and the other half to use the other.  A quick reread showed that I needn’t worry.

standby ip

Just make sure that you configure preempt: without it, a router that reboots comes back as standby for the group it is supposed to own, both virtual addresses stay on the other router, and the point of splitting the clients across two groups is lost.

r3#sh standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP
Fa0/1       36  110  P Active   local           141.1.36.6      141.1.36.1
Fa0/1       63  100    Standby  141.1.36.6      local           141.1.36.2

r6#sh stand brief
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP
Fa0/0       36  100    Standby  141.1.36.3      local           141.1.36.1
Fa0/0       63  110  P Active   local           unknown         141.1.36.2
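
The two-group configuration behind the outputs above, as an added example rather than the solution guide's configuration. Interface names, addresses, group numbers, priorities and virtual IPs are all taken from the "show standby brief" output.

```cisco
! r3: active for group 36 (clients pointed at .1), standby for group 63
interface FastEthernet0/1
 ip address 141.1.36.3 255.255.255.0
 standby 36 ip 141.1.36.1
 standby 36 priority 110
 standby 36 preempt
 standby 63 ip 141.1.36.2
!
! r6: active for group 63 (clients pointed at .2), standby for group 36
interface FastEthernet0/0
 ip address 141.1.36.6 255.255.255.0
 standby 36 ip 141.1.36.1
 standby 63 ip 141.1.36.2
 standby 63 priority 110
 standby 63 preempt
```

Preempt only needs to be on the router that is meant to own each group; the default priority of 100 on the other side is enough to make it lose. Outside the lab, add "standby <group> authentication md5 key-string <key>" on both routers as well, otherwise any host on the VLAN can send a higher-priority hello and take the active role for the virtual address.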

This forum posting brings up an interesting point about this task violating the “do not create additional IP addresses unless specified” rule:

10.2 Gateway Redundancy

10.3  Failure Message

“Configure r3 to display a “Host Failed” message of “Connection Unsuccessful” when a telnet session to r4’s loopback 0 interface fails.”

No idea.  I tried to find something in the Command Guide, but I did not have luck on my side.

I have never heard of this command before:

busy-message

To create a “host failed” message that displays when a connection fails, use the busy-message command in global configuration mode. To disable the “host failed” message from displaying on the specified host, use the no form of this command.

busy-message host-name d message d

r3(config)#busy-message r4 #
Enter TEXT message.  End with the character ‘#’.
Connection Unsuccessful#
Unable to set busy message for r4

You’ll need to configure ‘ip host’ for r4 in order for this to work:

r3(config)#ip host r4 150.1.4.4
r3(config)#busy-message r4 #
Enter TEXT message.  End with the character ‘#’.
Connection Unsuccessful#

Internetwork Expert Volume II: Lab 4 – Section 9

System Management- 4 Points

9.1 SNMP

Configuring SNMP Support

snmp-server host

snmp-server community

“The first network management server will be using SNMPv1 and the second SNMP server will be using SNMPv2c.”

r3(config)#snmp-server host 141.1.7.100 version ?
  1   Use SNMPv1 <-default
  2c  Use SNMPv2c
  3   Use SNMPv3

r3(config)#snmp-server host 141.1.7.100 version 1 CISCO
r3(config)#snmp-server host 141.1.77.100 version 2c CISCO hsrp

r6#sh snmp host
Notification host: 141.1.7.100  udp-port: 162   type: trap
user: CISCO     security model: v1

Notification host: 141.1.77.100  udp-port: 162   type: trap
user: CISCO     security model: v2c

When configuring snmp-server community strings, it is a good idea to ask the proctor whether you need to tie these down with an ACL so only the network management servers can access them.  I didn’t see anything in this task that specified this, but the IE solution used an ACL to limit access to the community strings to the network management servers only (a very important real-world step).

9.1 WHY acl on snmp-server

The IE solution also specified tty traps for the first server?

Task 9.1 Solution – Why “tty”?

Task 9.1 SNMP

In the Lab 4 Breakdown COD, IE states that the tty at the end of the line was a default value entered by the IOS.  They also say that the access-list for the community strings is optional for this task.
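
The community-string ACL the IE solution used, together with the two trap destinations, as an added example (not the solution guide's own lines). The station addresses, community string and trap versions come from the outputs above; read-only access and ACL number 10 are assumptions.

```cisco
! Only the two management stations may use the community string. SNMPv1 and
! v2c carry the string in clear text over UDP, so this ACL limits exposure
! (anyone else gets no answer) rather than removing it.
access-list 10 permit host 141.1.7.100
access-list 10 permit host 141.1.77.100
!
snmp-server community CISCO ro 10
!
! Trap destinations, each with the SNMP version that station speaks. The "hsrp"
! keyword restricts which notifications go to the second station; the
! notification type still has to be enabled globally to be generated at all.
snmp-server enable traps hsrp
snmp-server host 141.1.7.100 version 1 CISCO
snmp-server host 141.1.77.100 version 2c CISCO hsrp
```

"show snmp host" should then list both stations with their security models, as in the output above. A poll from a source outside ACL 10 is silently dropped and counted under "Illegal operation" in "show snmp".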

9.2 IOS Menu

This is an easy, but somewhat time-consuming task.  I did this task in notepad and then pasted it into the router.

Managing Connections, Menus, and System Banners
Creating Menus

menu (EXEC)

“The menu should be activated whenever the user NOC logs in using the password CISCO.”

I can see that I need to create a user/pass of NOC/CISCO (and ‘login local’ under the vty lines), but how do I automatically launch the menu for this user when they log in?

I found this under the related commands for ‘menu command”:

autocommand 

To automatically execute a command when a user connects to a particular line, use the autocommand command in line configuration mode. To disable the automatic execution, use the no form of this command.

I was on the right path, but configuring this under the vty lines was going to affect ALL vty users, not just the NOC.  There is an option to use this command with the ‘username’ command:

autocommand
 (Optional) Causes the specified command to be issued automatically after the user logs in. When the command is complete, the session is terminated. Because the command can be any length and contain embedded spaces, commands using the autocommand keyword must be the last option on the line.

r3#telnet 150.1.2.2
Trying 150.1.2.2 … Open
User Access Verification

Username: NOC
Password: [CISCO]

NOC Options

    1          Ping r5’s loopback 0

    2          Ping r6’s loopback 0

    3          Trace to r5’s loopback 0

    4          Trace to r6’s loopback 0

    5          Quit (Access CLI)

“Ensure that NOC users can exit the menu, but do NOT allow them to have access to the CLI when they do so.”

The default behaviour of the menu-exit menu command is to exit the menu into exec CLI mode.

menu command

The menu command command has a special keyword for the command argument, menu-exit, that is available only within menus. It is used to exit a submenu and return to the previous menu level, or to exit the menu altogether and return to the EXEC command prompt.

So should I just log the user out instead?  That’s what I did.  Instead of ‘menu-exit’ for option 5, I used ‘exit’:

menu NOCMENU text 5 Quit (Access CLI)
menu NOCMENU command 5 exit

The IE solution also uses “menu options x pause” for each menu option, but I don’t see anything in the task that requires this.

menu options

pause: Pauses after the command is entered before redrawing the menu.
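Putting the pieces of this task together (local user, autocommand, menu, logout on quit) as one pasteable config. This is an added example, not the IE solution; the loopback addresses of r5 and r6 (150.1.5.5 and 150.1.6.6) and the menu name NOCMENU are assumptions.

```cisco
! Added example for the router the NOC user telnets to (r2 in the
! session above). 150.1.5.5 / 150.1.6.6 are assumed loopback addresses.
menu NOCMENU title #
NOC Options
#
menu NOCMENU clear-screen
menu NOCMENU text 1 Ping r5's loopback 0
menu NOCMENU command 1 ping 150.1.5.5
menu NOCMENU text 2 Ping r6's loopback 0
menu NOCMENU command 2 ping 150.1.6.6
menu NOCMENU text 3 Trace to r5's loopback 0
menu NOCMENU command 3 traceroute 150.1.5.5
menu NOCMENU text 4 Trace to r6's loopback 0
menu NOCMENU command 4 traceroute 150.1.6.6
! "pause" holds the ping/trace output on screen until Enter is pressed;
! with clear-screen set, the redraw would otherwise wipe it immediately.
menu NOCMENU options 1 pause
menu NOCMENU options 2 pause
menu NOCMENU options 3 pause
menu NOCMENU options 4 pause
menu NOCMENU text 5 Quit (Access CLI)
! "exit" ends the EXEC session; "menu-exit" would leave NOC at the CLI.
menu NOCMENU command 5 exit
!
! Local user. The autocommand runs the menu at login and the line is
! disconnected when it finishes, so NOC never reaches a router prompt.
! "secret" stores the password hashed rather than in the clear.
username NOC secret CISCO
username NOC autocommand menu NOCMENU
!
line vty 0 4
 login local
```

Verify with a test login as NOC (option 5 should drop the telnet session) and with a second, non-NOC local user to confirm the menu is tied to the username rather than to the vty line.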
 

Internetwork Expert Volume II: Lab 4 – Section 8

Section 8 – Security – 4 Points

8.1 Traffic Filtering

You need to filter five different types of traffic inbound from bb1 on r6.

ip access-list

“Permit ICMP echo requests and replies”

Does this mean allow ANY hosts to ping inbound on interface s0/0?  Or just bb1?  I chose any.

r6(config-ext-nacl)#permit icmp any any ?
  —output truncated—
  echo                         Echo (ping)
  echo-reply                   Echo reply

Then I hit this:

“Permit DNS lookups and zone transfers.”

No clue.

The IE solution guide has a good write up about this.  Basically:

DNS Zone Transfers: TCP port 53
DNS Lookups: UDP port 53

I’ll need to find out where to find information like this in the DOC as I don’t think that I’m going to memorize a bunch of ports before the exam.

“Permit any TCP and UDP sessions initiated from behind r6 to return.”

Crap.  This sounds like reflexive ACL.  Something that I’ve managed not to study.  😦

In the real lab, I would just skip this task.  This is an especially dangerous task because if you screw it up, you could mess up other tasks (i.e. IGP and EGP) that you’ve already successfully completed.  In this case, you’ll need to open up BGP as well as RIP. 

permit (reflexive)

Task 8.1 (IE Forum)
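One way the whole 8.1 filter can be built, with a reflexive ACL for the return traffic. This is an added example, not the IE solution: the ACL names, the 300-second reflexive timeout and the assumption that the two remaining traffic types are the BGP and RIP the text says must be opened are mine.

```cisco
! Added example for r6, interface Serial0/0 facing bb1.
! Outbound ACL: every TCP/UDP session leaving toward bb1 creates a
! mirror entry in the reflexive list RETURN. The trailing
! "permit ip any any" matters: applying an ACL adds an implicit deny,
! and without it all other outbound traffic (RIP, BGP, ICMP) would stop.
ip access-list extended OUT_TO_BB1
 permit tcp any any reflect RETURN timeout 300
 permit udp any any reflect RETURN timeout 300
 permit ip any any
!
! Inbound ACL: ICMP echo/echo-reply, DNS lookups (UDP 53), zone
! transfers (TCP 53), BGP (TCP 179, either side may open it), RIP
! (UDP 520), then the reflected sessions, then a logged explicit deny
! so anything dropped shows up in syslog.
ip access-list extended IN_FROM_BB1
 permit icmp any any echo
 permit icmp any any echo-reply
 permit udp any any eq domain
 permit tcp any any eq domain
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit udp any any eq rip
 evaluate RETURN
 deny ip any any log
!
interface Serial0/0
 ip access-group OUT_TO_BB1 out
 ip access-group IN_FROM_BB1 in
```

Two caveats worth checking before moving on: reflexive entries are created only for traffic that transits r6, not for sessions r6 itself originates (which is why the BGP lines are explicit), and "show ip access-list RETURN" should show the dynamic entries appearing and timing out after 300 seconds.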

8.2 Spoof Detection

“…configure r4 to drop packets without a verifiable source address on the connection to bb3.”

I had no clue on this task, but I decided to see if I could find something in the command list containing any or all of the words “verifiable source address”.  I found this:

ip verify unicast source reachable-via

Use the ip verify unicast source reachable-via interface command to mitigate problems caused by malformed or forged (spoofed) IP source addresses that pass through a router. Malformed or forged source addresses can indicate DoS attacks on the basis of source IP address spoofing.

Note: It is very important for CEF to be configured globally in the router. Unicast RPF will not work without CEF.

Note: Unicast RPF is an input function and is applied on the interface of a router only in the ingress direction.

r4(config)#ip cef
r4(config)#int fa0/1
r4(config-if)#ip verify unicast source reachable-via ?
  any  Source is reachable via any interface
  rx   Source is reachable via interface on which packet was received

rx: Examines incoming packets to determine whether the source address is in the Forwarding Information Base (FIB) and permits the packet only if the source is reachable through the interface on which the packet was received (sometimes referred to as strict mode).

any: Examines incoming packets to determine whether the source address is in the FIB and permits the packet if the source is reachable through any interface (sometimes referred to as loose mode).
 

rx sounds like the better choice.

r4(config-if)#ip verify unicast source reachable-via rx

I got this right.  The IE solution guide shows that there is also a legacy command available:

r4(config-if)#ip verify unicast reverse-path

Verification of verification  🙂

r4#sh ip int fa0/1 | i verif
  IP verify source reachable-via RX
  0 verification drops
  0 suppressed verification drops

January 14, 2008

Nerd Humor

From Internetwork Expert’s Volume II lab 4:

Task 4.2

“You are concerned with suspicious activities that have been occurring in area 51.”

🙂
