CCIE Pursuit Blog

August 10, 2008

Internetwork Expert Volume II: Lab 5 – Section 10

Section 10 – IP Services – 4 Points

10.1 DNS

Configure your network so that telnet sessions from r6 can reach other routers by their DNS names.  This sounds like a simple matter of just assigning host names to the routers’ loopback addresses. But they also specify a DNS server IP address.  There’s also this:

“This configuration should not affect any other [than vty 0 4] lines on r6”

Configuring DNS

The solution is very simple:

r6(config)#ip name-server 192.10.1.100

And then it gets weird:

r6(config)#ip domain-lookup
r6(config)#line con 0
r6(config-line)#transport preferred none

I say weird because one of the requirements is “if a user mistypes a command while on the console port it should not try to look it up in DNS.”  Generally, “no ip domain-lookup” takes care of this. It turns out that “transport preferred none” will handle this as well, but at the line level.  So as long as you are connected via the console port you’ll be fine.  Turning on “ip domain-lookup” globally will ensure that all other users (not on the console port) will endure the frustration of DNS lookups for fat-fingered commands. 

10.2 Local Authorization

Configure r6 so that NOC users login (via telnet) at privilege level 2 and can only see the running configuration for hostname, interfaces, interface encapsulations, and any IP access-lists applied to interfaces.

r6(config)#username NOC privilege 2 password CISCO
r6(config-line)#do sh run | sec vty
line vty 0 4
 password cisco
 login
r6(config)#line vty 0 4
r6(config-line)#login local

Now to configure what options privilege level 2 users can see:

privilege interface level 2 ip access-group
privilege interface level 2 ip <- IOS added this
privilege interface level 2 encapsulation
privilege configure level 2 interface
privilege configure level 2 hostname
privilege exec level 2 show running-config
privilege exec level 2 show <- IOS added this

Testing it out: 

r5#telnet 150.1.6.6
Trying 150.1.6.6 … Open

User Access Verification

Username: NOC
Password:
r6#sh privi
Current privilege level is 2
r6#sh run
Building configuration…

Current configuration : 204 bytes
!
!
hostname r6
!
boot-start-marker
boot-end-marker
!
!
!
!
!
interface Loopback0
!
interface FastEthernet0/0
!
interface Serial0/0
!
interface Serial0/0.1 multipoint
!
interface FastEthernet0/1
!
!
end

r6#

That looks right except for the encapsulation.  s0/0 is configured for Frame-Relay and that should show up.  If I changed it to “privilege interface level 2 encapsulation frame-relay” then it would work.

I also don’t understand why IE did not set up a NOC username and login local under the vty line.


Internetwork Expert Volume II: Lab 5 – Section 9

Section 9 – System Management – 6 Points

9.1 SNMP

This is a basic SNMP task.  You’ll see variations of this same task in nearly all of the IE Volume II labs.  The only possible “gotcha” requirements are:

“This (192.10.1.10) is the only station that should be allowed to manage r6.”
“Attempts by other devices to manage r6 via snmp should be logged.”

Our ACL should look like this:

r6(config)#access-list 91 perm 192.10.1.101
r6(config)#access-list 91 deny any log

You need to add the explicit deny any statement in order to log traffic from sources other than the management station in the permit statement.

r6(config)#snmp-server community CISCORO ro 91
r6(config)#snmp-server community CISCORW rw 91

9.2 Syslog

This was an easy task as well.  The only slightly odd bit:

“r4 and r5 should include their hostname in the syslog messages.”

You can find this (as well as the commands for the other requirements) by just issuing “logg ?” in configuration mode:

r4(config)#logg ?
  origin-id            Add origin ID to syslog messages

logging origin-id

r4(config)#logg origin-id ?
  hostname  Use origin hostname as ID
  ip        Use origin IP address as ID
  string    Define a unique text string as ID

r4(config)#logg origin-id hostname

Internetwork Expert Volume II: Lab 5 – Section 8

Section 8 – Security – 6 Points

8.1 Traffic Filtering

Allow ICMP, UDP, and TCP traffic originated from inside the network to go out to and back from r4 to BB3.  We also need to allow r4 to ping and telnet to BB3.  That’s going to need a reflexive ACL. Filter everything else except the routing protocols (RIP and BGP) between r4 and BB3.

This is 3 points that I would definitely skip in the lab.  Breaking connectivity to a backbone device could end up costing you $1500.  🙂

r4(config)#ip access-l ex IN_FROM_BB3
r4(config-ext-nacl)#perm icmp any any echo-reply
r4(config-ext-nacl)#perm tcp any eq telnet any ?
  ack          Match on the ACK bit
  dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established  Match established connections  
r4(config-ext-nacl)#perm tcp any eq telnet any established
r4(config-ext-nacl)#permit tcp any any eq bgp
r4(config-ext-nacl)#permit tcp any eq bgp any  <- I usually forget this 😦
r4(config-ext-nacl)#permit udp any any eq rip
r4(config-ext-nacl)#evaluate REFLEXIVE

r4(config-ext-nacl)#ip access-list ex OUT_TO_BB3
r4(config-ext-nacl)#perm tcp any any reflect REFLEXIVE
r4(config-ext-nacl)#perm udp any any reflect REFLEXIVE
r4(config-ext-nacl)#perm icmp any any reflect REFLEXIVE

r4(config-ext-nacl)#int fa0/0
r4(config-if)#ip access-group IN_FROM_BB3 in
r4(config-if)#ip access-group OUT_TO_BB3 out

This is the first time that I’ve actually seen an “A” on a traceroute:

bb3#trace 150.1.3.3

Type escape sequence to abort.
Tracing the route to 150.1.3.3

  1 204.12.1.4 !A  *  !A

A = Administratively unreachable.  Usually, this output means that an access list is blocking traffic.

8.2 DoS Prevention

“…configure r1 and r6 to not receive any ICMP echo request sourced from the 205.90.31.0/24 network inbound on their interfaces attached to VLAN 162.”
“Do not apply any configuration on either r1 or r6 to accomplish this.”

r1 and r6 connect to BB2 on an Ethernet connection.  If we can’t configure r1 or r6 then we must configure the switch port connected to BB2 (sw2 fa0/24).

Configuring TCP Intercept (Preventing Denial-of-Service Attacks)

Sweet.  So I set up my ACL:

sw2(config)#do sh run | i 182
access-list 182 permit tcp 205.90.31.0 0.0.0.255 192.10.1.0 0.0.0.255

and then I tried to enable TCP Intercept:

sw2(config)#ip tcp intercept list 182
                   ^
% Invalid input detected at ‘^’ marker.

sw2(config)#ip tcp ?
  async-mobility      Configure async-mobility
  chunk-size          TCP chunk size
  mss                 TCP initial maximum segment size
  path-mtu-discovery  Enable path-MTU discovery on new TCP connections
  queuemax            Maximum queue of outgoing TCP packets
  selective-ack       Enable TCP selective-ACK
  synwait-time        Set time to wait on new TCP connections
  timestamp           Enable TCP timestamp option
  window-size         TCP window size

Great.  This is not available on the 3560.

Ummm…it turns out that I needed to read the task more closely.  I keyed in on DoS prevention and forgot that I was just supposed to filter ICMP echo requests.  🙂

Starting over – this looks like a simple VACL task.  Just drop ICMP echo requests from a specific network for VLAN 162.

Configuring VLAN Maps

First match the traffic that we want to drop (VACLs use logic similar to route-maps):

sw2(config)#access-list 182 permit icmp 205.90.31.0 0.0.0.255 any echo

Now build the VACL:

sw2(config)#vlan access-map TASK_8_2
sw2(config-access-map)#match ip add 182
sw2(config-access-map)#action drop

Remember to include a statement to forward all other traffic:

sw2(config)#vlan access-map TASK_8_2 1000
sw2(config-access-map)#action forward

Now just add the VACL to the VLAN with the ‘vlan filter’ command. Don’t do this:

sw2(config)#flanfilter TASK_8_2 vlan-list 162
% Unrecognized command

It’s sad that the IOS does not know about the tasty dessert that is flan, but the IOS does not get out much.  🙂

sw2(config)#vlan filter TASK_8_2 vlan-list 162

sw2#sh vlan access-map
Vlan access-map “TASK_8_2”  10
  Match clauses:
    ip  address: 182
  Action:
    drop
Vlan access-map “TASK_8_2”  1000
  Match clauses:
  Action:
    forward

sw2#sh vlan filter
VLAN Map TASK_8_2 is filtering VLANs:
  162

August 9, 2008

Internetwork Expert Volume II: Lab 5 – Section 6

Section 5 – IP Multicast – 9 Points

5.1 PIM

You are asked to configure IP Multicast on a number of specific interfaces.  You are not told which PIM mode to use, but the last requirement is:

“Multicast groups without an active RP should run in dense mode.”

This statement (and the following tasks) shows that there will be an RP.  We run sparse mode with RPs.  But we need to make sure that if a group finds itself without an active RP it should run in dense mode.  This means we need to run sparse-dense mode.

r1(config)#ip multicast-routing
r1(config)#int fa0/0
r1(config-if)#ip pim sparse-dense-mode

5.2 RP Assignment

Configure a couple of loopbacks as RP candidates via Auto-RP.  You are also asked to have r1 act as the mapping agent and to map 239.0.0.0-239.255.255.255 to r3 and 226.0.0.0-238.255.255.255 to r5.  The final requirement is:

“Use the minimum number of access-lists and access list entries on r1 to accomplish this.”

Let’s set up our RP candidates first:

ip pim send-rp-announce

To use Auto-RP to configure groups for which the router will act as a rendezvous point (RP), use the ip pim send-rp-announce command in global configuration mode. To unconfigure this router as an RP, use the no form of this command.

r3:

r3(config)#int lo0
r3(config-if)#ip pim sparse-dense-mode

r3(config)#access-list 31 perm 239.0.0.0 0.255.255.255

r3(config)#ip pim send-rp-announce lo0 scope 16 group-list 31

The last requirement is for the minimal ACL lines on r1, not r5, so I can be as verbose as I like 🙂

r5(config)#int lo0
r5(config-if)#ip pim sparse-dense-mode

r5(config)#access-list 51 perm 226.0.0.0 0.255.255.255
r5(config)#access-list 51 perm 227.0.0.0 0.255.255.255
r5(config)#access-list 51 perm 228.0.0.0 0.255.255.255
r5(config)#access-list 51 perm 229.0.0.0 0.255.255.255
r5(config)#access-list 51 perm 230.0.0.0 0.255.255.255
r5(config)#access-list 51 perm 231.0.0.0 0.255.255.255
r5(config)#access-list 51 perm 232.0.0.0 0.255.255.255
r5(config)#access-list 51 perm 233.0.0.0 0.255.255.255
r5(config)#access-list 51 perm 234.0.0.0 0.255.255.255
r5(config)#access-list 51 perm 235.0.0.0 0.255.255.255
r5(config)#access-list 51 perm 236.0.0.0 0.255.255.255
r5(config)#access-list 51 perm 237.0.0.0 0.255.255.255
r5(config)#access-list 51 perm 238.0.0.0 0.255.255.255

Now the mapping agent:

r1(config)#int lo0
r1(config-if)#ip pim sparse-dense-mode

ip pim send-rp-discovery

r1(config)#ip pim send-rp-discovery lo0 scope 16

Okay.  Now to assign the correct RP to the correct groups:

ip pim rp-announce-filter

To filter incoming Auto-RP announcement messages coming from the rendezvous point (RP), use the ip pim rp-announce-filter command in global configuration mode. To remove the filter, use the no form of this command.

ip pim [vrf vrf-name] rp-announce-filter rp-list access-list group-list access-list
no ip pim [vrf vrf-name] rp-announce-filter rp-list access-list group-list access-list

Syntax Description

vrf
 (Optional) Supports the multicast Virtual Private Network (VPN) routing and forwarding (VRF) instance.

vrf-name
 (Optional) Name assigned to the VRF.

rp-list access-list
 Specifies the number or name of a standard access list of RP addresses that are allowable for the group ranges supplied in the group-list access-list combination.

group-list access-list
 Specifies the number or name of a standard access list that describes the multicast groups the RPs serve.

It looks like we’ll need two ACLs for each RP filter – one that matches the RP and another that matches the groups we want assigned that RP.

r1(config)#access-list 3 perm 150.1.3.3 <-r3’s loopback
r1(config)#access-list 5 perm 150.1.5.5 <-r5’s loopback

r1(config)#access-list 31 perm 239.0.0.0 0.255.255.255 <-groups associated with r3’s loopback

Now the hard part, or “How I Lost The Three Points”

I fell for the trap on the “minimal ACL”:

226 – 1110|0010
238 – 1110|1110

224.0.0.0 15.255.255.255

r1(config)#access-list 51 perm 224.0.0.0 15.255.255.255

Unfortunately that range overlaps.  IE had the following:

access-list 51 deny 224.0.0.0 1.255.255.255
access-list 51 deny 239.0.0.0 0.255.255.255
access-list 51 permit 224.0.0.0 15.255.255.255

The first 2 lines deny the overlapping space.  There’s a nice breakdown on this in the solution guide.
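The overlap can be checked mechanically. The following is an added example (not from the original post or the IE solution guide) that evaluates both versions of access-list 51 with first-match, wildcard-mask semantics over every /8 in 224.0.0.0/4; the function names are hypothetical.

```python
import ipaddress

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def entry_matches(addr, base, wildcard):
    # A wildcard bit of 1 means "don't care"; only the 0 bits must equal the base.
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)

def acl_permits(acl, addr):
    # Standard ACL: first matching entry wins, no match means implicit deny.
    for action, base, wildcard in acl:
        if entry_matches(addr, base, wildcard):
            return action == "permit"
    return False

def permitted_slash8s(acl):
    """First octets in 224-239 that the ACL permits.

    Every entry used here has a wildcard ending in .255.255.255, so the
    verdict depends only on the first octet and one address per /8 is enough.
    """
    for _, _, wildcard in acl:
        assert to_int(wildcard) & 0xFFFFFF == 0xFFFFFF
    return [o for o in range(224, 240) if acl_permits(acl, f"{o}.0.0.0")]

# The single-line ACL from the post.
NAIVE = [("permit", "224.0.0.0", "15.255.255.255")]

# The three-line ACL from the IE solution.
IE_SOLUTION = [
    ("deny", "224.0.0.0", "1.255.255.255"),
    ("deny", "239.0.0.0", "0.255.255.255"),
    ("permit", "224.0.0.0", "15.255.255.255"),
]

# The task maps 226.0.0.0-238.255.255.255 to r5.
WANTED = list(range(226, 239))

def overlap(acl):
    """The /8s the ACL permits beyond the range the task assigns to r5."""
    return sorted(set(permitted_slash8s(acl)) - set(WANTED))

if __name__ == "__main__":
    print("naive ACL permits extra /8s:", overlap(NAIVE))
    print("IE ACL permits extra /8s:  ", overlap(IE_SOLUTION))
    print("IE ACL permits:", permitted_slash8s(IE_SOLUTION))
```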

I did get the rest correct, but I had already lost the 3 points:

r1(config)#ip pim rp-announce-filter rp-list 3 group-list 31
r1(config)#ip pim rp-announce-filter rp-list 5 group-list 51

r1#sh ip pim rp mapping 239.0.0.0
PIM Group-to-RP Mappings
This system is an RP-mapping agent (Loopback0)

Group(s) 239.0.0.0/8
  RP 150.1.3.3 (?), v2v1
    Info source: 150.1.3.3 (?), elected via Auto-RP
         Uptime: 00:18:32, expires: 00:02:23

r1#sh ip pim rp mapping 238.0.0.0
PIM Group-to-RP Mappings
This system is an RP-mapping agent (Loopback0)

Group(s) 238.0.0.0/8
  RP 150.1.5.5 (?), v2v1
    Info source: 150.1.5.5 (?), elected via Auto-RP
         Uptime: 00:01:38, expires: 00:02:21

5.3 Multicast Security

“For security reasons do not allow BB2 to become a PIM neighbor with r1.”

Cool.  Two easy points.

ip pim neighbor-filter

r1(config)#access-list 53 deny 192.10.1.254
r1(config)#access-list 53 permit any
r1(config)#int fa0/0
r1(config-if)#ip pim neighbor-filter 53

5.4 Multicast Filtering

Configure sw2 so that it will not receive any administratively scoped multicast groups.

I pulled this one out of my butt by searching for “administratively scoped” in the IP Multicast command reference.

ip multicast boundary

The configuration example was exactly what I needed:

Examples
The following example shows how to set up an IP multicast boundary for all administratively scoped IPv4 multicast addresses by denying the entire administratively scoped IPv4 multicast address space (239.0.0.0/8).

All other Class D addresses are permitted (224.0.0.0/4).

access-list 1 deny 239.0.0.0 0.255.255.255
access-list 1 permit 224.0.0.0 15.255.255.255
interface ethernet 0
 ip multicast boundary 1

r3(config)#access-list 54 deny 239.0.0.0 0.255.255.255
r3(config)#access-list 54 permit 224.0.0.0 15.255.255.255
r3(config)#int fa0/0
r3(config-if)#ip multicast boundary 54

5.5 Multicast Distribution

Configure the network so that the multicast groups that use r3 as their RP must always use a shared tree.

Okay.  I had NO clue on this one.

ip pim spt-threshold

To configure when a Protocol Independent Multicast (PIM) leaf router should join the shortest path source tree for the specified group, use the ip pim spt-threshold command in global configuration mode.

If the infinity keyword is specified, all sources for the specified group will use the shared tree. Specifying a group list access list indicates the groups to which the threshold applies.

r1(config)#access-list 55 permit 239.0.0.0 0.255.255.255
r1(config)#ip pim spt-threshold infinity group-list 55

April 29, 2008

Internetwork Expert Volume II: Lab 5 – Section 7

QoS – 8 Points

7.1 Frame Relay Traffic Shaping

We need to configure FRTS on r1.

AIR = 512Kbps
CIR = 384Kbps
MINCIR = 256Kbps
Be = Up to port speed
Tc = 100ms

We also know that we need to use adaptive shaping.

Bc = CIR * (Tc/1000)
Be = (AR – CIR) * (Tc/1000)

Adaptive Frame Relay Traffic Shaping for Interface Congestion

Frame-Relay Traffic Shaping

We can knock out the easy ones first:

map-class frame-relay FRTS
 frame-relay cir 384000
 frame-relay mincir 256000
 frame-relay adaptive-shaping becn

Now we just need to configure Bc and Be.

Bc = CIR * (Tc/1000)
Bc = 384000 * (100/1000)
Bc = 384000 * .1
Bc = 38400

Be = (AR – CIR) * (Tc/1000)
Be = (512000 – 384000) * (100/1000)
Be = (128000) * (.1)
Be = 12800

So our final map-class is:

map-class frame-relay FRTS
 frame-relay cir 384000
 frame-relay bc 38400
 frame-relay be 12800
 frame-relay mincir 256000
 frame-relay adaptive-shaping becn

r1(config)#int s0/0
r1(config-if)#frame traffic
r1(config-if)#frame interface-dlci 113
r1(config-fr-dlci)#class FRTS

r1(config-if)#do sh traffic

Interface   Se0/0
       Access Target    Byte   Sustain   Excess    Interval  Increment Adapt
VC     List   Rate      Limit  bits/int  bits/int  (ms)      (bytes)   Active
103           56000     875    7000      0         125       875       –
104           56000     875    7000      0         125       875       –
105           56000     875    7000      0         125       875       –
113           384000    6400   38400     12800     100       4800      BECN 
102           56000     875    7000      0         125       875       –

IE simply applies the map-class to the interface.  I don’t agree with their solution as all PVCs are affected and not just the PVC to r1.  Of course, only DLCI 113 is actually being used so…..ask your friendly proctor for clarification.  🙂

7.2 RTP Header Compression

Configure the Frame connection between r3 and r4 to support RTP header compression. 

ip rtp header-compression

r3’s s0/0 is a multipoint, physical Frame-Relay interface and we need to configure this only on the DLCI to r4.  I had to peek at the answer on this one.

frame-relay map ip rtp header-compression

r3(config-if)# frame-relay map ip 162.1.0.4 304 rtp header-compression ?
  active            Always compress RTP headers
  connections       Maximum number of compressed RTP connections
  passive           Compress for destinations sending compressed RTP headers
  periodic-refresh  Send periodic refresh packets
  <cr>

Ummmm….did this blow away my broadcast capability?

Before:
r3(config-if)#do sh run int s0/0:0 | i 162.1.0.4
 frame-relay map ip 162.1.0.4 304 broadcast

After:
r3(config-if)#do sh run int s0/0:0 | i 162.1.0.4
 frame-relay map ip 162.1.0.4 304 rtp header-compression passive connections 15

r3(config)#do sh frame map | sec 162.1.0.4
Serial0/0:0 (up): ip 162.1.0.4 dlci 304(0x130,0x4C00), static,
              CISCO, status defined, active
              RTP Header Compression (enabled), passive (enabled), connections: 15

Make sure that you leave your broadcast keyword in your map:

frame-relay map ip 162.1.0.4 304 broadcast rtp header-compression passive connections 15

Your connections need to match on both sides:

r4(config-if)#do sh run int s0/0 | i header
 frame-relay map ip 162.1.0.3 403 broadcast rtp header-compression connections 15

r3#sh ip rtp header-compression
RTP/UDP/IP header compression statistics:
 DLCI 304        Link/Destination info: ip 162.1.0.4
  Interface Serial0/0:0 DLCI 304 (compression off, Cisco, RTP, passive)
    Rcvd:    0 total, 0 compressed, 0 errors, 0 status msgs
             0 dropped, 0 buffer copies, 0 buffer failures
    Sent:    0 total, 0 compressed, 0 status msgs, 0 not predicted
             0 bytes saved, 0 bytes sent
    Connect: 15 rx slots, 15 tx slots,
             0 misses, 0 collisions, 0 negative cache hits, 15 free contexts

7.3 Bandwidth Limiting

“…Microsoft SQL traffic is limited to an average rate of 256Kbps on r2’s connection to the Frame Relay cloud.”
“Up to 2048 SQL packets in excess of 256Kbps should be queued up by r2 before packet loss occurs.”

Sounds like queueing to me.

“Do not use an access-list to accomplish this.”

That means we’ll be using a class-map with NBAR to match the traffic.

r2(config-cmap)#match protocol ?
—output truncated—
  sqlnet            SQL*NET for Oracle
  sqlserver         MS SQL Server

—output truncated—

We need to match on MICROSOFT SQL:

class-map match-all TASK_73
 match protocol sqlserver

r2(config-if)#policy-map TASK_73
r2(config-pmap)#class TASK_73
r2(config-pmap-c)#shape average 256000
r2(config-pmap-c)#shape ?
  adaptive        Enable Traffic Shaping adaptation to BECN
  average         configure token bucket: CIR (bps) [Bc (bits) [Be (bits)]],
                  send out Bc only per interval
  fecn-adapt      Enable Traffic Shaping reflection of FECN as BECN
  fr-voice-adapt  Enable rate adjustment depending on voice presence
  max-buffers     Set Maximum Buffer Limit
  peak            configure token bucket: CIR (bps) [Bc (bits) [Be (bits)]],
                  send out Bc+Be per interval

shape max-buffers

r2(config-pmap-c)#shape max-buffers 2048

r2(config-pmap-c)#int s0/0/0.1
r2(config-subif)#service-policy output TASK_73

r2(config-subif)#do sh policy-map int s0/0/0.1

 Serial0/0/0.1

  Service-policy output: TASK_73

    Class-map: TASK_73 (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol sqlserver
      Traffic Shaping
           Target/Average   Byte   Sustain   Excess    Interval  Increment
             Rate           Limit  bits/int  bits/int  (ms)      (bytes)
           256000/256000    1984   7936      7936      31        992

        Adapt  Queue     Packets   Bytes     Packets   Bytes     Shaping
        Active Depth                         Delayed   Delayed   Active
        –      0         0         0         0         0         no

    Class-map: class-default (match-any)
      23 packets, 2598 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

 

Internetwork Expert Volume II: Lab 5 – Section 6

IPv6 – 12 Points

6.1 IPv6 Addressing

Very basic IPv6 addressing task.

6.2 IPv6 over Frame Relay

Easy IPv6 over Frame Relay task. 

The IE solution configured a link-local address on r1 and r3.  I did not.  This is a point-to-point connection so I saw no need for a link-local address.

Task 6.2

I did configure the link-local addresses on r2, r3, and r4 (along with frame maps) but it looks like those addresses and maps were not needed (actually, they used them later in the BGP IPv6 sections).

6.3 IPv6 BGP Advertisements

6.4 IPv6 BGP Summarization

6.5 IPV6 BGP

Since IPv6 BGP is not on the exam I simply read the solution guide for tasks 6.3 – 6.5 and configured my routers to match.

April 28, 2008

Internetwork Expert Volume II: Lab 5 – Section 5

Exterior Gateway Routing – 10 Points

4.1 BGP Peering

Basic peering task.  Keep in mind that sw3 and sw4 don’t have an IGP running.

I’m still having problems with knowing when to apply ‘next-hop-self’.  I need to do some more work on BGP. 😦

Task 4.1 – BGP Next-Hop-Self

4.2 AS-Path Manipulation

We need to make sure that the private AS’s do not get outside of AS 300:

Before:
r4#sh ip bgp quote _650.._
BGP table version is 10, local router ID is 150.1.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i – internal,
              r RIB-failure, S Stale
Origin codes: i – IGP, e – EGP, ? – incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 150.1.9.0/24     162.1.0.3                              0 300 65002 65034 i
*> 150.1.10.0/24    162.1.0.3                              0 300 65002 65034 i
*> 162.1.7.0/24     162.1.0.2                              0 300 65001 i
*> 162.1.18.0/24    162.1.0.3                              0 300 65002 i

r3#sh ip bgp neigh 162.1.0.4 adv
BGP table version is 10, local router ID is 150.1.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i – internal,
              r RIB-failure, S Stale
Origin codes: i – IGP, e – EGP, ? – incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 28.119.16.0/24   162.1.0.4                              0 100 54 i
*> 28.119.17.0/24   162.1.0.4                              0 100 54 i
*> 150.1.9.0/24     162.1.38.8                             0 65002 65034 i
*> 150.1.10.0/24    162.1.38.8                             0 65002 65034 i
*>i162.1.7.0/24     162.1.27.7               0    100      0 65001 i
*> 162.1.18.0/24    162.1.38.8               0             0 65002 i
*> 205.90.31.0      162.1.13.1                             0 200 254 ?
*> 220.20.3.0       162.1.13.1                             0 200 254 ?
*> 222.22.2.0       162.1.13.1                             0 200 254 ?

Total number of prefixes 9

r3(config)#ip as-path access-list 42 perm _650.._
r3(config)#route-map TASK_42 deny 10
r3(config-route-map)# match as-path 42
r3(config-route-map)#route-map TASK_42 perm 1000
r3(config-route-map)#router bg 300
r3(config-router)#neigh 162.1.0.4 route-map TASK_42 out
r3(config-router)#neigh 162.1.13.1 route-map TASK_42 out

After:
r3#sh ip bgp neigh 162.1.0.4 adv
BGP table version is 10, local router ID is 150.1.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i – internal,
              r RIB-failure, S Stale
Origin codes: i – IGP, e – EGP, ? – incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 205.90.31.0      162.1.13.1                             0 200 254 ?
*> 220.20.3.0       162.1.13.1                             0 200 254 ?
*> 222.22.2.0       162.1.13.1                             0 200 254 ?

Total number of prefixes 3

r4#sh ip bgp
BGP table version is 14, local router ID is 150.1.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i – internal,
              r RIB-failure, S Stale
Origin codes: i – IGP, e – EGP, ? – incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 28.119.16.0/24   204.12.1.254             0             0 54 i
*> 28.119.17.0/24   204.12.1.254             0             0 54 i
*> 205.90.31.0      162.1.0.3                              0 300 200 254 ?
*> 220.20.3.0       162.1.0.3                              0 300 200 254 ?
*> 222.22.2.0       162.1.0.3                              0 300 200 254 ?

My solution works (umm…technically 🙂  ), but I’m actually filtering off the routes (which I did not think broke the task).  There’s a much easier way:

neighbor remove-private-as

Usage Guidelines
This command is available for external BGP (eBGP) neighbors only.

When an update is passed to the external neighbor, if the autonomous system path includes private autonomous system numbers, the software will drop the private autonomous system numbers.

If the autonomous system path includes both private and public autonomous system numbers, the software considers this to be a configuration error and does not remove the private autonomous system numbers.

If the autonomous system path contains the autonomous system number of the eBGP neighbor, the private autonomous system numbers will not be removed.

If this command is used with confederation, it will work as long as the private autonomous system numbers follow the confederation portion of the autonomous path.

The private autonomous system values are from 64512 to 65535.

This is a much better solution: the prefixes are still advertised to the eBGP neighbor, but the private AS numbers do not show up in the AS path on the neighbor:

r3#sh ip bgp neigh 162.1.0.4 adv
BGP table version is 10, local router ID is 150.1.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i – internal,
              r RIB-failure, S Stale
Origin codes: i – IGP, e – EGP, ? – incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 28.119.16.0/24   162.1.0.4                              0 100 54 i
*> 28.119.17.0/24   162.1.0.4                              0 100 54 i
*> 150.1.9.0/24     162.1.38.8                             0 65002 65034 i
*> 150.1.10.0/24    162.1.38.8                             0 65002 65034 i

*>i162.1.7.0/24     162.1.27.7               0    100      0 65001 i
*> 162.1.18.0/24    162.1.38.8               0             0 65002 i
*> 205.90.31.0      162.1.13.1                             0 200 254 ?
*> 220.20.3.0       162.1.13.1                             0 200 254 ?
*> 222.22.2.0       162.1.13.1                             0 200 254 ?

Total number of prefixes 9

r4#sh ip bgp neigh 162.1.0.3 routes
BGP table version is 20, local router ID is 150.1.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i – internal,
              r RIB-failure, S Stale
Origin codes: i – IGP, e – EGP, ? – incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 150.1.9.0/24     162.1.0.3                              0 300 i
*> 150.1.10.0/24    162.1.0.3                              0 300 i
*> 162.1.7.0/24     162.1.0.2                              0 300 i
*> 162.1.18.0/24    162.1.0.3                              0 300 i
*> 205.90.31.0      162.1.0.3                              0 300 200 254 ?
*> 220.20.3.0       162.1.0.3                              0 300 200 254 ?
*> 222.22.2.0       162.1.0.3                              0 300 200 254 ?

Total number of prefixes 7
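The difference between the two approaches, as an added example (not the post's or IOS's own code): a simplified model of the TASK_42 as-path filter and of the remove-private-as rules quoted above, run over AS paths taken from r3's table plus two paths constructed for illustration. Function names are hypothetical, the IOS "_" metacharacter is approximated with a Python character class, and the confederation case is not modeled.

```python
import re

# Private AS range as quoted in the usage guidelines above.
PRIVATE_AS = range(64512, 65536)

# The regex from "ip as-path access-list 42 perm _650.._".
# IOS "_" is approximated here as start, end, or a delimiter character.
PAGE_FILTER = re.compile(r"(?:^|[ ,{}()])650..(?:$|[ ,{}()])")

def is_private(asn):
    return asn in PRIVATE_AS

def advertise_with_filter(path, local_as):
    """Route-map TASK_42: deny the route if the regex matches, else send it.

    Returns None when the route is filtered, otherwise the AS path the
    eBGP neighbor receives (local AS prepended).
    """
    text = " ".join(str(a) for a in path)
    if PAGE_FILTER.search(text):
        return None
    return [local_as] + list(path)

def advertise_with_remove_private_as(path, local_as, neighbor_as):
    """Model of the quoted remove-private-as guidelines.

    Private AS numbers are stripped only when the path is entirely private
    and does not contain the neighbor's AS; a mixed private/public path is
    left untouched. The route itself is always advertised.
    """
    private = [a for a in path if is_private(a)]
    all_private = bool(private) and len(private) == len(path)
    if all_private and neighbor_as not in path:
        path = []
    return [local_as] + list(path)

# Paths from r3's table on the page, then two constructed ones.
SAMPLE_PATHS = {
    "150.1.9.0/24": [65002, 65034],
    "162.1.7.0/24": [65001],
    "205.90.31.0": [200, 254],
    "constructed: private AS outside 650xx": [64600],
    "constructed: mixed private/public": [65002, 200],
}

if __name__ == "__main__":
    for name, path in SAMPLE_PATHS.items():
        filtered = advertise_with_filter(path, 300)
        stripped = advertise_with_remove_private_as(path, 300, 100)
        print(f"{name:40} filter={filtered} remove-private-as={stripped}")
```

The constructed paths show the two edge cases: the regex only covers 650xx, so another private AS would pass the filter unchanged, and remove-private-as leaves a mixed path untouched.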

4.3 BGP Filtering

Configure a new loopback interface on r5 and advertise it into BGP.  r4 should not pass this prefix on.  Configure this on r5.

Use the ‘no-advertise’ BGP community.

set community

(Optional) Well-known communities can be specified by using the following keywords:

•internet
•local-as
•no-advertise
•no-export

ip prefix-list TASK_43 seq 5 permit 162.1.15.0/24
!
route-map TASK_43 permit 10
 match ip address prefix-list TASK_43
 set community no-advertise
!
route-map TASK_43 permit 1000
!
router bgp 500
 neighbor 150.1.4.4 send-community  <- don’t forget this line
 neighbor 150.1.4.4 route-map TASK_43 out

r4#sh ip bgp 162.1.15.0
BGP routing table entry for 162.1.15.0/24, version 22
Paths: (1 available, best #1, table Default-IP-Routing-Table, not advertised to any peer)
Flag: 0x880
  Not advertised to any peer 
  500
    150.1.5.5 (metric 66) from 150.1.5.5 (150.1.5.5)
      Origin IGP, metric 0, localpref 100, valid, external, best
      Community: no-advertise

IE used an as-path access-list matching ^$ instead of a prefix-list matching the network.  Both methods work, but the IE method would match any additional networks that you decide to advertise on r5 in the future.

4.4 BGP Table Stability

Pretty simple task using BGP dampening on routes learned from BB3 with the variables specified in the task.

bgp dampening

half-life: 15 minutes
reuse: 750
suppress: 2000
max-suppress-time: 4 times half-life

We are asked to set the max-suppress-time to 30 minutes.  This can usually be done two ways: set the max-suppress-time to the number of minutes specified, or set the half-life to 1/4 of that amount.  In this task we cannot use 1/4 of the max-suppress-time (30 minutes) for the half-life because it is not a whole number (7.5).

(Optional) Maximum time (in minutes) a route can be suppressed. The range is from 1 to 20000; the default is 4 times the half-life. If the half-life value is allowed to default, the maximum suppress time defaults to 60 minutes. When the max-suppress-time is configured, the maximum penalty will never be exceeded, regardless of the number of times that the prefix dampens. The maximum penalty is computed with the following formula:

Max penalty = reuse-limit *2^(maximum suppress time/half time)

I applied the dampening only to routes from AS 54:

r4(config)#ip as-path access-list 44 permit ^54$
r4(config)#route-map TASK_44 permit 10
r4(config-route-map)#match as-path 44
r4(config-route-map)#set dampening 15 1000 3000 30
r4(config-route-map)#router bgp 100
r4(config-router)#bgp dampening route-map TASK_44

The IE solution applied BGP dampening to all prefixes on r4???

Task 4.4

r4#sh ip bgp dampening parameters
 dampening 15 1000 3000 30 (route-map TASK_44 10)
  Half-life time      : 15 mins       Decay Time       : 370 secs
  Max suppress penalty:  4000         Max suppress time: 30 mins
  Suppress penalty    :  3000         Reuse penalty    : 1000

 

Internetwork Expert Volume II: Lab 5 – Section 3

Interior Gateway Routing – 20 Points

3.1 OSPF

You need to configure OSPF over the partial-mesh Frame Relay cloud, but you cannot change the OSPF network type on r3:

r2(config-router)#do sh ip os int s0/0/0.1 | i Type
  Process ID 100, Router ID 150.1.2.2, Network Type POINT_TO_POINT, Cost: 64

r3(config-router)#do sh ip os int s0/0:0 | i Type
  Process ID 100, Router ID 150.1.3.3, Network Type NON_BROADCAST, Cost: 65

r4(config-router)#do sh ip os int s0/0 | i Type
  Process ID 100, Router ID 150.1.4.4, Network Type NON_BROADCAST, Cost: 65

r5(config-router)#do sh ip os int s0/0 | i Type
  Process ID 100, Router ID 150.1.5.5, Network Type NON_BROADCAST, Cost: 65

So all that really means is that you’ll need to use the OSPF non-broadcast network type.  You’ll also need to configure neighbor statements.  Since r3 is the only device with direct connections to all of the other routers, you’ll want to make it the DR.

r3(config-router)#do sh ip os nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
150.1.2.2         0   FULL/DROTHER    00:01:46    162.1.0.2       Serial0/0:0
150.1.5.5         0   FULL/DROTHER    00:01:51    162.1.0.5       Serial0/0:0
150.1.4.4         0   FULL/DROTHER    00:01:51    162.1.0.4       Serial0/0:0

The only point that I wasn’t clear on was whether or not to establish a neighbor relationship between r4 and r5.  I did not configure them as peers, but I would have clarified this with the proctor.  If you were to peer these routers then you would need to make one of them the DR so you would need to remove the ‘ip ospf priority 0’ on one of the routers.  You would also need to configure a neighbor statement on the DR.

The IE solution did not peer these routers.

3.2 OSPF

Configure OSPF area 27 on sw1 and then ensure that the only OSPF route it will see is a default route generated by r2.  This sounds like a totally stubby area:

Before:
sw1#sh ip route os
     162.1.0.0/24 is subnetted, 5 subnets
O IA    162.1.55.0 [110/66] via 162.1.27.2, 00:00:15, Vlan27
O IA    162.1.0.0 [110/65] via 162.1.27.2, 00:00:15, Vlan27
O IA    162.1.5.0 [110/66] via 162.1.27.2, 00:00:15, Vlan27
     150.1.0.0/16 is variably subnetted, 5 subnets, 2 masks
O IA    150.1.5.5/32 [110/66] via 162.1.27.2, 00:00:15, Vlan27
O IA    150.1.4.4/32 [110/66] via 162.1.27.2, 00:00:15, Vlan27
O IA    150.1.3.3/32 [110/66] via 162.1.27.2, 00:00:15, Vlan27
O IA    150.1.2.2/32 [110/2] via 162.1.27.2, 00:00:15, Vlan27

After:
r2(config)#router os 100
r2(config-router)#area 27 stub no-summary

sw1(config)#router os 100
sw1(config-router)#area 27 stub

sw1#sh ip route os
O*IA 0.0.0.0/0 [110/2] via 162.1.27.2, 00:00:41, Vlan27

3.3 EIGRP

“Enable EIGRP on all interfaces of sw2, but do not use redistribution or more than one network statement to accomplish this.”

sw2(config)#ip routi
sw2(config)#router ei 200
sw2(config-router)#net 0.0.0.0

sw2(config-router)#do sh ip ei int
IP-EIGRP interfaces for process 200

                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Vl8                0        0/0         0       0/10           0           0
Vl88               0        0/0         0       0/10           0           0
Fa0/15             1        0/0         1       0/10          50           0
Po32               0        0/0         0       0/10           0           0
Lo0                0        0/0         0       0/10           0           0

3.4 EIGRP

Configure EIGRP to use bandwidth, delay, and load to compute the EIGRP metric.  Bandwidth should be three times more significant than either delay or load.

metric weights (EIGRP)

Command Defaults
tos: 0
k1: 1
k2: 0
k3: 1
k4: 0
k5: 0

You need to be careful with these k-values.  You can use the EIGRP metric equation to decipher which k-value refers to which metric variable:

If k5 equals 0, the composite EIGRP metric is computed according to the following formula:

metric = [k1 * bandwidth + (k2 * bandwidth)/(256 – load) + k3 * delay]

If k5 does not equal zero, an additional operation is performed:

metric = metric * [k5/(reliability + k4)]

k1 = bandwidth
k2 = load
k3 = delay

sw2(config-router)#metric weights 0 3 1 1 0 0

r3(config-router)#do sh ip proto | i EIGRP metric
  EIGRP metric weight K1=3, K2=1, K3=1, K4=0, K5=0
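
The k-value formula above, applied to the 150.1.0.0/16 route that r3 shows in section 3.6 (minimum bandwidth 100000 Kbit, total delay 5100 microseconds, load 1/255) with the lab weights K1=3, K2=1, K3=1. This is an added example, not part of the original post; the 256 scaling and the order of integer truncation are assumptions, chosen because they reproduce the metric 207460 in that output, and the two comparison paths are constructed.

```python
def eigrp_metric(min_bw_kbit, total_delay_usec, load=1, reliability=255,
                 k1=1, k2=0, k3=1, k4=0, k5=0):
    """Classic EIGRP composite metric using integer arithmetic."""
    # Assumption: bandwidth and delay are scaled by 256 before the weights apply.
    bw = (256 * 10**7) // min_bw_kbit           # inverse of the slowest link
    delay = 256 * (total_delay_usec // 10)      # delay in tens of microseconds
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5 != 0:                                 # reliability term only when k5 is set
        metric = metric * k5 // (reliability + k4)
    return metric


# Values taken from the "sh ip route 150.1.5.5" output on r3.
R3_ROUTE = {"min_bw_kbit": 100000, "total_delay_usec": 5100, "load": 1}
# metric weights 0 3 1 1 0 0
LAB_WEIGHTS = {"k1": 3, "k2": 1, "k3": 1, "k4": 0, "k5": 0}

# Constructed paths (not from the lab) to show how the weights change path choice.
PATHS = {
    "A_fast_but_long": {"min_bw_kbit": 100000, "total_delay_usec": 20000},
    "B_slow_but_short": {"min_bw_kbit": 10000, "total_delay_usec": 2000},
}


def best_path(paths, **weights):
    """Return the name of the path with the lowest composite metric."""
    return min(paths, key=lambda name: eigrp_metric(**paths[name], **weights))


if __name__ == "__main__":
    print("r3 route, lab weights :", eigrp_metric(**R3_ROUTE, **LAB_WEIGHTS))
    print("r3 route, defaults    :", eigrp_metric(**R3_ROUTE))
    print("best path, defaults   :", best_path(PATHS))
    print("best path, lab weights:", best_path(PATHS, **LAB_WEIGHTS))
```

With default weights the low-delay path B wins; tripling K1 makes the bandwidth term dominate and the choice moves to path A.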

3.5 Default Routing

Configure r3 to advertise a default route to the rest of the OSPF network.

“In order to help prevent traffic black holes ensure that r3 drops traffic for all destinations it does not have a longer match for.”

default-information originate (OSPF)

The software still must have a default route for itself before it generates one, except when you have specified the always keyword.

(Optional) Always advertises the default route regardless of whether the software has a default route.

The IE solution guide has a nice write-up about the benefits and pitfalls of the ‘always’ keyword.

3.6 Routing Redundancy

Configure r5 to use the PTP serial interface (not advertised into any IGP) if the Frame Relay connection is lost.  You are allowed to use static routes to accomplish this.

Sounds like a floating static route to me (I wish I would have recognized this on a recent Mock Lab…oh well).

r5(config)#ip route 0.0.0.0 0.0.0.0 162.1.45.4 111

r4(config)#do sh ip route | i via 162.1.0.5
O       162.1.55.0/24 [110/66] via 162.1.0.5, 00:11:12, Serial0/0
O       162.1.5.0/24 [110/66] via 162.1.0.5, 00:11:12, Serial0/0
O       150.1.5.5/32 [110/66] via 162.1.0.5, 00:11:12, Serial0/0

r4(config)#ip route 162.1.55.0 255.255.255.0 162.1.45.5 111
r4(config)#ip route 162.1.5.0 255.255.255.0 162.1.45.5 111
r4(config)#ip route 162.1.5.5 255.255.255.255 162.1.45.5 111

r4(config)#router os 100
r4(config-router)#redist static subnets

Let’s test this by shutting down r5’s connection to the Frame cloud:
r5(config)#int s0/0
r5(config-if)#shut

r5#sh ip route | b Gate
Gateway of last resort is 162.1.45.4 to network 0.0.0.0
 

     162.1.0.0/16 is variably subnetted, 4 subnets, 2 masks
C       162.1.45.4/32 is directly connected, Serial0/1
C       162.1.45.0/24 is directly connected, Serial0/1
C       162.1.55.0/24 is directly connected, FastEthernet0/1
C       162.1.5.0/24 is directly connected, FastEthernet0/0
     150.1.0.0/24 is subnetted, 1 subnets
C       150.1.5.0 is directly connected, Loopback0
S*   0.0.0.0/0 [111/0] via 162.1.45.4 

I did run into a problem with connectivity between r3 and r5:

r3#p 162.1.55.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 162.1.55.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/12 ms

r3#p 162.1.5.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 162.1.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/12 ms

r3#p 162.1.45.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 162.1.45.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

r3#p 150.1.5.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.5.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

r3#sh ip route 162.1.45.5
% Subnet not in table

Makes sense since it’s not being advertised via an IGP (we’ll take care of this during the redistribution task).

r3#sh ip route 150.1.5.5
Routing entry for 150.1.0.0/16
  Known via "eigrp 200", distance 90, metric 207460, type internal
  Redistributing via eigrp 200
  Last update from 162.1.38.8 on FastEthernet0/0, 00:53:52 ago
  Routing Descriptor Blocks:
  * 162.1.38.8, from 162.1.38.8, 00:53:52 ago, via FastEthernet0/0
      Route metric is 207460, traffic share count is 1
      Total delay is 5100 microseconds, minimum bandwidth is 100000 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 1

Ummmm…..I think I missed a “no auto-summary” somewhere.  🙂

sw2(config-router)#do sh run | b router ei
router eigrp 200
 network 0.0.0.0
 metric weights 0 3 1 1 0 0
 auto-summary

sw2(config-router)#router ei 200
sw2(config-router)#no au

I’ve been doing that a lot lately.  😦

r3#sh ip route 150.1.5.5
% Subnet not in table

That’s odd, I thought that I had a floating static route to the loopback on r4:

r4#sh run | i ip route
ip route 162.1.5.0 255.255.255.0 162.1.45.5 111
ip route 162.1.5.5 255.255.255.255 162.1.45.5 111
ip route 162.1.55.0 255.255.255.0 162.1.45.5 111

Damn these fat fingers!!!!

r4(config)#no ip route 162.1.5.5 255.255.255.255 162.1.45.5 111
r4(config)#ip route 150.1.5.5 255.255.255.255 162.1.45.5 111

r3#sh ip route | i 150.1.5.
O E2    150.1.5.5/32 [110/20] via 162.1.0.4, 00:00:33, Serial0/0:0

r3#p 150.1.5.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/12 ms

Much better.

3.7 RIPv2

Easy RIP task.  One slight twist:

“As an additional security precaution configure r1 and r6 so that no unauthorized devices can receive RIP updates sent out on VLAN 162.”

neighbor (RIP)

The IE solution guide has r6 advertising VLAN 6 into RIP although it is not mentioned in the task (although it does look like it should be advertised into RIP based on the IGP drawing).

3.8 IGP Redistribution

“Redistribute in the minimum places necessary to gain full reachability throughout the network.”
“Routers in the OSPF domain should have the minimum amount of routes needed to reach the RIP routes learned from bb3.”
“Do not overlap any address space to accomplish this.”

If you hadn’t figured out that they were asking for a summary route that last requirement kind of makes it obvious.

r4#sh ip route rip
     31.0.0.0/16 is subnetted, 4 subnets
R       31.3.0.0 [120/1] via 204.12.1.254, 00:00:15, FastEthernet0/0
R       31.2.0.0 [120/1] via 204.12.1.254, 00:00:15, FastEthernet0/0
R       31.1.0.0 [120/1] via 204.12.1.254, 00:00:15, FastEthernet0/0
R       31.0.0.0 [120/1] via 204.12.1.254, 00:00:15, FastEthernet0/0
     30.0.0.0/16 is subnetted, 4 subnets
R       30.2.0.0 [120/1] via 204.12.1.254, 00:00:15, FastEthernet0/0
R       30.3.0.0 [120/1] via 204.12.1.254, 00:00:15, FastEthernet0/0
R       30.0.0.0 [120/1] via 204.12.1.254, 00:00:15, FastEthernet0/0
R       30.1.0.0 [120/1] via 204.12.1.254, 00:00:15, FastEthernet0/0

We can try to do this with a single summary but we’ll be overlapping address space, so we need two /14 summaries:

r4(config)#router os 100
r4(config-router)#summary-address 30.0.0.0 255.252.0.0
r4(config-router)#summary-address 31.0.0.0 255.252.0.0

r4#sh ip os sum

OSPF Process 100, Summary-address

30.0.0.0/255.252.0.0 Metric 16777215, Type 0, Tag 0
31.0.0.0/255.252.0.0 Metric 16777215, Type 0, Tag 0

The redistribution task was fairly easy.  There are no multiple points of mutual redistribution between two protocols.  The only ‘gotcha’ is to remember to advertise the s0/1 interface into OSPF on r4.  This will ensure that we have reachability to 162.1.45.5 if the s0/0 interface goes down on r5 (task 3.6).

With r5’s s0/0 shut down:
r3#p 162.1.45.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 162.1.45.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/12 ms

The IE solution guide has some strangeness on r3:

Task 3.8 on solution guide Why only VLAN162 in

Internetwork Expert Volume II: Lab 5 – Section 2

Bridging and Switching – 16 Points

2.1 VLAN Assignments

Easy enough task with all four switches running in VTP Transparent mode.  I actually finished all of the Layer 2 tasks (including Frame Relay) and then came back to this task to see which VLANs would need to be added.  The only connection that was not working was r4 (fa0/0 in VLAN4 on sw2) to BB3 (VLAN 4 on sw3).  There was no direct trunk between sw2 and sw3 so I needed to add VLAN 4 to sw1:

sw1(config)#vlan 4
sw1(config-vlan)#exit

r4#p 204.12.1.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 204.12.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

The IE solution is missing VLAN 2005 on sw1.

2.2 Etherchannel

Easy EtherChannel task.

2.3 Load Distribution

Configure an EtherChannel so that it is optimized for multiple clients behind sw1 reaching a single server behind sw2.

We can use the example cited here:

Load Balancing and Forwarding Methods

port-channel load-balance

We want sw1 (workstations) to use source-based forwarding and sw2 (single server) to use destination-based forwarding.  This will most widely balance our traffic.

dst-ip
 Load distribution is based on the destination host IP address.
 
dst-mac
 Load distribution is based on the destination host MAC address. Packets to the same destination are sent on the same port, but packets to different destinations are sent on different ports in the channel.
 
src-dst-ip
 Load distribution is based on the source and destination host IP address.
 
src-dst-mac
 Load distribution is based on the source and destination host MAC address.
 
src-ip
 Load distribution is based on the source host IP address.
 
src-mac
 Load distribution is based on the source MAC address. Packets from different hosts use different ports in the channel, but packets from the same host use the same port.

Do we want to source on MAC or IP address????

sw2(config)#port-channel load-balance ?
  dst-ip       Dst IP Addr
  dst-mac      Dst Mac Addr
  src-dst-ip   Src XOR Dst IP Addr
  src-dst-mac  Src XOR Dst Mac Addr
  src-ip       Src IP Addr
  src-mac      Src Mac Addr

Task 2.3

For this task traffic from the file server located behind BB2 will be sent across the trunk with the source MAC address of BB2’s Ethernet interface and source IP address of this server. By default all of this traffic would use only one of the Etherchannel trunk links since the default is to load balance based on the source MAC address. With IP address destination based load balancing enabled on SW2 this traffic will now be distributed across both links. Traffic destined to BB2 will have the same source MAC address of R1, the same destination MAC address of BB2 and the same destination IP address, so we need IP address source based load balancing on SW1.

sw1#show etherchannel load-balance
EtherChannel Load-Balancing Operational State (src-ip):
Non-IP: Source MAC address
  IPv4: Source IP address
  IPv6: Source IP address

sw2#show etherchannel load-balance
EtherChannel Load-Balancing Operational State (dst-ip):
Non-IP: Destination MAC address
  IPv4: Destination IP address
  IPv6: Destination IP address
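
The reasoning above (many clients behind sw1, one server behind sw2, and the same router MAC pair on every frame) replayed against each load-balance keyword. This is an added example, not part of the original post or the IE solution guide; the hash is a simplified model that XORs the low-order 3 bits of the selected fields rather than the switch's actual algorithm, and the two-link channel and all addresses are constructed.

```python
import ipaddress
from collections import Counter

LINKS = 2  # assumption: two physical links in the channel

FIELDS = {
    "src-ip": ("src_ip",), "dst-ip": ("dst_ip",), "src-dst-ip": ("src_ip", "dst_ip"),
    "src-mac": ("src_mac",), "dst-mac": ("dst_mac",), "src-dst-mac": ("src_mac", "dst_mac"),
}


def _to_int(field, value):
    if field.endswith("_ip"):
        return int(ipaddress.ip_address(value))
    return int(value.replace(".", ""), 16)       # Cisco dotted MAC notation


def pick_link(frame, method, links=LINKS):
    """Simplified hash: XOR the low-order 3 bits of the selected fields."""
    h = 0
    for field in FIELDS[method]:
        h ^= _to_int(field, frame[field]) & 0x7
    return h % links


def spread(frames, method):
    """Count how many flows land on each link for a load-balance method."""
    return Counter(pick_link(f, method) for f in frames)


# Constructed addresses: eight clients, one server, and the two routed hops
# (R1 and BB2) whose MACs appear on every frame crossing the channel.
R1_MAC, BB2_MAC, SERVER = "0000.0c00.0001", "0000.0c00.0002", "198.51.100.10"
CLIENTS = [f"192.0.2.{n}" for n in range(1, 9)]

TO_SERVER = [{"src_ip": c, "dst_ip": SERVER, "src_mac": R1_MAC, "dst_mac": BB2_MAC}
             for c in CLIENTS]                    # leaves sw1 toward sw2
TO_CLIENTS = [{"src_ip": SERVER, "dst_ip": c, "src_mac": BB2_MAC, "dst_mac": R1_MAC}
              for c in CLIENTS]                   # leaves sw2 toward sw1

if __name__ == "__main__":
    for name, frames in (("sw1 -> sw2", TO_SERVER), ("sw2 -> sw1", TO_CLIENTS)):
        for method in FIELDS:
            print(f"{name} {method:12} {dict(spread(frames, method))}")
```

In this model every MAC-based method pins all flows to one link in both directions, src-ip spreads the sw1 egress traffic, and dst-ip spreads the sw2 egress traffic.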

2.4 CAM Table Maintenance

“…configure sw2 so that it discards inactive entries from VLAN 8 and VLAN 88 after 10 seconds.”

mac address-table aging-time

Defaults
The default is 300 seconds.

sw2(config)#mac-address-table aging-time 10 vlan 8
sw2(config)#mac-address-table aging-time 10 vlan 88

sw2#sh mac address-table aging-time
Vlan    Aging Time
----    ----------
   1     300
  27     300
   4     300
 162     300
   8      10
  88      10

2.5 EtherChannel

Basic layer 3 EtherChannel.  You get to set up an EtherChannel with only one connection.  🙂

 

Internetwork Expert Volume II: Lab 5 – Section 1

WAN Technologies – 9 Points

1.1 Partial Mesh Frame Relay

IE switched up the order in this lab and started with Frame Relay.  I skipped ahead and did section 2 (Bridging and Switching) first and then returned to this section.

Easy task.  First time that I’ve seen IE use a dedicated DLCI between two spokes (well…’would be spokes’).

“Traffic from r5 destined for r2 should transit r4.”

Traffic will follow this path:

R5 (504) -> (405) r4 (403) -> (304) r3 (302) -> (203) r2.

r5#trace 162.1.0.2

Type escape sequence to abort.
Tracing the route to 162.1.0.2

  1 162.1.0.4 8 msec 4 msec 4 msec
  2 162.1.0.3 4 msec 4 msec 4 msec
  3 162.1.0.2 8 msec *  4 msec

1.2 Point-to-Point Frame Relay

Easy task.

1.3 Point-to-Point Frame Relay

Interesting task.  You need to match this Frame mapping on r6:

r6#sh frame map
Serial0/0.1(up): ip 54.1.1.254 dlci 101(0x65,0x1850), dynamic,
              broadcast,, status defined, active

So you need to use a subinterface as well as Frame Inverse-ARP.  That means that you’ll need to use a multipoint subinterface as inarp will not run on a point-to-point subinterface.

r6#sh run | sec l0/0
interface Serial0/0
 no ip address
 encapsulation frame-relay
interface Serial0/0.1 multipoint
 ip address 54.1.1.6 255.255.255.0
 frame-relay interface-dlci 101

1.4 PPP

“…configure r4 and r5 to support reliable transport over the circuit.”

???

A quick search of the (12.3) Master Command Index for the term ‘reliable’ pulled this up:

ppp reliable-link

You can use the show interface command to determine whether LAPB has been established on the link. You can troubleshoot PPP reliable link by using the debug lapb command and the debug ppp negotiations, debug ppp errors, and debug ppp packets commands.

r4#sh int s0/1 | sec LAPB
  LAPB DTE, state CONNECT, modulo 8, k 7, N1 12048, N2 3
      T1 3000, T2 0, interface outage (partial T3) 0, T4 0, PPP over LAPB
      VS 3, VR 3, tx NR 3, Remote VR 3, Retransmissions 0
      Queues: U/S frames 0, I frames 0, unack. 0, reTx 0
      IFRAMEs 19/19 RNRs 0/0 REJs 0/0 SABM/Es 1/1 FRMRs 0/0 DISCs 0/0, loopback not set

r5#sh int s0/1 | sec LAPB
  LAPB DCE, state CONNECT, modulo 8, k 7, N1 12048, N2 3
      T1 3000, T2 0, interface outage (partial T3) 0, T4 0, PPP over LAPB
      VS 0, VR 0, tx NR 0, Remote VR 0, Retransmissions 0
      Queues: U/S frames 0, I frames 0, unack. 0, reTx 0
      IFRAMEs 32/32 RNRs 0/0 REJs 0/0 SABM/Es 1/1 FRMRs 0/0 DISCs 0/0, loopback not set
