MODNET Final
TOPOLOGY:
Objectives
• Configure and verify the IP SLA feature.
• Test the IP SLA tracking feature.
• Verify the configuration and operation using show and debug commands.
Step 1: Prepare the routers and configure the router hostname and interface
addresses.
Router R1
hostname R1
interface Loopback 0
description R1 LAN
ip address 192.168.1.1 255.255.255.0
interface Serial0/0/0
description R1 --> ISP1
ip address 209.165.201.2 255.255.255.252
clock rate 128000
bandwidth 128
no shutdown
interface Serial0/0/1
description R1 --> ISP2
ip address 209.165.202.130 255.255.255.252
bandwidth 128
no shutdown
Router ISP1 (R2)
hostname ISP1
interface Loopback0
description Simulated Internet Web Server
ip address 209.165.200.254 255.255.255.255
interface Loopback1
description ISP1 DNS Server
ip address 209.165.201.30 255.255.255.255
interface Serial0/0/0
description ISP1 --> R1
ip address 209.165.201.1 255.255.255.252
bandwidth 128
no shutdown
interface Serial0/0/1
description ISP1 --> ISP2
ip address 209.165.200.225 255.255.255.252
clock rate 128000
bandwidth 128
no shutdown
Router ISP2 (R3)
hostname ISP2
interface Loopback0
description Simulated Internet Web Server
ip address 209.165.200.254 255.255.255.255
interface Loopback1
description ISP2 DNS Server
ip address 209.165.202.158 255.255.255.255
interface Serial0/0/0
description ISP2 --> R1
ip address 209.165.202.129 255.255.255.252
clock rate 128000
bandwidth 128
no shutdown
interface Serial0/0/1
description ISP2 --> ISP1
ip address 209.165.200.226 255.255.255.252
bandwidth 128
no shutdown
Verify the configuration by using the show interfaces description command. The output
from router R1 is shown here as an example.
Router R1
R1(config)# ip route 0.0.0.0 0.0.0.0 209.165.201.1
R1(config)#
Router ISP1 (R2)
ISP1(config)# router eigrp 1
ISP1(config-router)# network 209.165.200.224 0.0.0.3
ISP1(config-router)# network 209.165.201.0 0.0.0.31
ISP1(config-router)# no auto-summary
ISP1(config-router)# exit
ISP1(config)#
ISP1(config)# ip route 192.168.1.0 255.255.255.0 209.165.201.2
ISP1(config)#
Router ISP2 (R3)
ISP2(config)# router eigrp 1
ISP2(config-router)# network 209.165.200.224 0.0.0.3
ISP2(config-router)# network 209.165.202.128 0.0.0.31
ISP2(config-router)# no auto-summary
ISP2(config-router)# exit
ISP2(config)#
ISP2(config)# ip route 192.168.1.0 255.255.255.0 209.165.202.130
ISP2(config)#
b. The Cisco IOS IP SLA feature enables an administrator to monitor network performance between
Cisco devices (switches or routers) or from a Cisco device to a remote IP device. IP SLA probes
continuously check the reachability of a specific destination, such as a provider edge router interface,
the DNS server of the ISP, or any other specific destination, and can conditionally announce a default
route only if the connectivity is verified.
a. Create an ICMP echo probe on R1 to the primary DNS server on ISP1 using the ip sla
command.
R1(config)# ip sla 11
R1(config-ip-sla)# icmp-echo 209.165.201.30
R1(config-ip-sla-echo)# frequency 10
R1(config-ip-sla-echo)# exit
R1(config)#
R1(config)# ip sla schedule 11 life forever start-time now
R1(config)#
b. Verify the IP SLAs configuration of operation 11 using the show ip sla configuration 11
command.
c. Issue the show ip sla statistics command to display the number of successes, failures, and
results of the latest operations.
e. Verify the new probe using the show ip sla configuration and show ip sla statistics
commands.
R1#
R1#
R1# show ip sla statistics 22
IPSLAs Latest Operation Statistics
IPSLA operation id: 22
Latest RTT: 16 milliseconds
Latest operation start time: 10:38:29 UTC Sat Jan 10 2015
Latest operation return code:OK
Number of successes: 82
Number of failures: 0
c. From global configuration mode on R1, use the track 1 ip sla 11 reachability command to enter
the config-track subconfiguration mode.
b. On R1, observe the debug output being generated. Recall that R1 will wait up to 10 seconds
before initiating action; therefore, several seconds will elapse before the output is generated.
R1#
Jan 10 10:53:59.551: %TRACK-6-STATE: 1 ip sla 11 reachability Up -> Down
Jan 10 10:53:59.551: RT: del 0.0.0.0 via 209.165.201.1, static metric [2/0]
Jan 10 10:53:59.551: RT: delete network route to 0.0.0.0/0
Jan 10 10:53:59.551: RT: default path has been cleared
Jan 10 10:53:59.551: RT: updating static 0.0.0.0/0 (0x0) :
via 209.165.202.129 0 1048578
209.165.202.129
Jan 10 10:53:59.551: RT: updating static 0.0.0.0/0 (0x0) :
via 209.165.201.1 0 1048578
Number of failures: 45
Operation time to live: Forever
IPSLA operation id: 22
Latest RTT: 8 milliseconds
Latest operation start time: 11:01:09 UTC Sat Jan 10 2015
Latest operation return code: OK
Number of successes: 218
Number of failures: 0
Operation time to live: Forever
R1#
e. On R1, initiate a trace to the web server from the internal LAN IP address.
ISP1(config-if)# no shutdown
Jan 10 11:05:45.847: %LINK-3-UPDOWN: Interface Loopback1, changed state to up
Jan 10 11:05:46.847: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Objectives
• Use BGP commands to prevent private AS numbers from being advertised to the outside world.
• Use the AS_PATH attribute to filter BGP routes based on their source AS numbers.
a. Apply the following configuration to each router along with the appropriate hostname. The
exec-timeout 0 0 command should only be used in a lab environment.
Step 1: Configure interface addresses.
b. Using the addressing scheme in the diagram, create the loopback interfaces and apply IPv4
addresses to these and the serial interfaces on SanJose (R1), ISP (R2), and CustRtr (R3). The ISP
loopbacks simulate real networks. Set a clock rate on the DCE serial interfaces.
c. Use ping to test the connectivity between the directly connected routers.
Note: SanJose will not be able to reach either ISP’s loopback (10.2.2.1) or CustRtr’s loopback
(10.3.3.1), nor will it be able to reach either end of the link joining ISP to CustRtr (172.24.1.17 and
172.24.1.18).
b. Verify that these routers have established the appropriate neighbor relationships by issuing the
show ip bgp neighbors command on each router.
Step 3: Remove the private AS.
a. Display the SanJose routing table using the show ip route command. SanJose should have a route
to both 10.2.2.0 and 10.3.3.0. Troubleshoot if necessary.
b. Ping the 10.3.3.1 address from SanJose.
c. Ping again, this time as an extended ping, sourcing from the Loopback0 interface address.
Note: You can bypass extended ping mode and specify a source address using one of these
commands:
Or
d. Check the BGP table from SanJose by using the show ip bgp command. Note the AS path for the
10.3.3.0 network. The AS 65000 should be listed in the path to 10.3.3.0.
e. Configure ISP to strip the private AS numbers from BGP routes exchanged with SanJose using the
following commands.
f. After issuing these commands, use the clear ip bgp * command on ISP to reestablish the BGP
relationship between the three routers. Wait several seconds and then return to SanJose to check its
routing table.
Note: The clear ip bgp * soft command can also be used to force each router to resend its BGP
table.
SanJose should be able to ping 10.3.3.1 using its loopback 0 interface as the source of the ping.
Step 4: Use the AS_PATH attribute to filter routes.
a. Configure a special kind of access list to match BGP routes with an AS_PATH attribute that both
begins and ends with the number 100. Enter the following commands on ISP.
b. Apply the configured access list using the neighbor command with the filter-list option.
The out keyword specifies that the list is applied to routing information sent to this neighbor.
c. Use the clear ip bgp * command to reset the routing information. Wait several seconds and then
check the routing table for ISP. The route to 10.1.1.0 should be in the routing table.
Note: To force the local router to resend its BGP table, a less disruptive option is to use the clear ip
bgp * out or clear ip bgp * soft command (the second command performs both outgoing and
incoming route resync).
f. Run the following Tcl script on all routers to verify whether there is connectivity. All pings from ISP
should be successful. SanJose should not be able to ping the CustRtr loopback 10.3.3.1 or the WAN
link 172.24.1.16/30. CustRtr should not be able to ping the SanJose loopback 10.1.1.1 or the WAN
link 192.168.1.4/30.
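Added example, not part of the original lab: a Python model of the two controls in Steps 3 and 4, private AS removal towards SanJose and the outbound AS_PATH filter towards CustRtr. ISP's AS number (300), SanJose's AS number (100), the deny/permit actions in the list and the sample BGP table are assumptions of this example; the prefixes and AS 65000 come from the lab text.

```python
import re

PRIVATE_ASNS = range(64512, 65536)   # 16-bit private-use AS numbers

ISP_LOCAL_AS = 300    # assumption: the page does not state ISP's AS number
SANJOSE_AS = 100      # assumption: the "100" the page's AS_PATH filter matches
CUSTRTR_AS = 65000    # private AS named on the page

# ISP's BGP table before export: prefix -> AS_PATH as received (constructed).
ISP_TABLE = {
    "10.1.1.0/24": [100],      # learned from SanJose
    "10.2.2.0/24": [],         # originated by ISP itself
    "10.3.3.0/24": [65000],    # learned from CustRtr
}

# AS-path access list as ordered (action, regex) entries. The page only says the
# list matches paths that begin and end with 100; denying that match and
# permitting everything else is an assumption consistent with the stated result.
AS_PATH_ACL = [("deny", r"^100$"), ("permit", r".*")]


def acl_permits(acl, as_path):
    """First matching entry wins; no match at all is an implicit deny.
    Only ^, $ and .* are used, which behave the same in Python's re."""
    text = " ".join(str(asn) for asn in as_path)
    for action, pattern in acl:
        if re.search(pattern, text):
            return action == "permit"
    return False


def remove_private_as(as_path):
    """Classic remove-private-as behaviour: strip private ASNs only when the
    path consists solely of private ASNs; a mixed path is left untouched."""
    if as_path and all(asn in PRIVATE_ASNS for asn in as_path):
        return []
    return list(as_path)


def export(table, local_as, neighbor_as, strip_private=False, filter_out=None):
    """Model what an EBGP speaker sends to one neighbor and what that neighbor
    accepts. Returns {prefix: as_path} as installed by the neighbor."""
    accepted = {}
    for prefix, path in table.items():
        # The outbound filter-list sees the path before the local AS is prepended.
        if filter_out is not None and not acl_permits(filter_out, path):
            continue
        if strip_private:
            path = remove_private_as(path)
        sent = [local_as] + list(path)
        if neighbor_as in sent:          # receiver's AS_PATH loop check
            continue
        accepted[prefix] = sent
    return accepted


def sanjose_view(strip_private):
    return export(ISP_TABLE, ISP_LOCAL_AS, SANJOSE_AS, strip_private=strip_private)


def custrtr_view(filtered):
    acl = AS_PATH_ACL if filtered else None
    return export(ISP_TABLE, ISP_LOCAL_AS, CUSTRTR_AS, filter_out=acl)


if __name__ == "__main__":
    print("SanJose, before stripping:", sanjose_view(False))
    print("SanJose, after stripping: ", sanjose_view(True))
    print("CustRtr, no filter:       ", custrtr_view(False))
    print("CustRtr, filter-list out: ", custrtr_view(True))
```

With the filter applied, CustRtr no longer learns 10.1.1.0/24, which is why the Tcl pings between the SanJose and CustRtr loopbacks fail in both directions even though SanJose still holds a route to 10.3.3.0/24.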
PRACTICAL 3
AIM: Configuring IBGP and EBGP Sessions, Local Preference, and MED
TOPOLOGY:
Objectives:
• For IBGP peers to correctly exchange routing information, use the next-hop-self
command with the Local-Preference and MED attributes.
• Ensure that the flat-rate, unlimited-use T1 link is used for sending and receiving data to
and from the AS 200 on ISP and that the metered T1 only be used in the event that the
primary T1 link has failed.
Router(config)# no ip domain-lookup
Router(config)# line con 0
Router(config-line)# logging synchronous
a. Using the addressing scheme in the diagram, create the loopback interfaces and apply IPv4
addresses to these and the serial interfaces on ISP (R1), SanJose1 (R2), and SanJose2 (R3).
Router R1 (hostname ISP)
ISP(config)# interface Loopback0
ISP(config-if)# ip address 192.168.100.1 255.255.255.0
ISP(config-if)# exit
ISP(config)# interface Serial0/0/0
ISP(config-if)# ip address 192.168.1.5 255.255.255.252
ISP(config-if)# clock rate 128000
ISP(config-if)# no shutdown
ISP(config-if)# exit
ISP(config)# interface Serial0/0/1
ISP(config-if)# ip address 192.168.1.1 255.255.255.252
ISP(config-if)# no shutdown
ISP(config-if)# end
ISP#
Router R2 (hostname SanJose1)
SanJose1(config)# interface Loopback0
SanJose1(config-if)# ip address 172.16.64.1 255.255.255.0
SanJose1(config-if)# exit
SanJose1(config)# interface Serial0/0/0
SanJose1(config-if)# ip address 192.168.1.6 255.255.255.252
SanJose1(config-if)# no shutdown
SanJose1(config-if)# exit
SanJose1(config)# interface Serial0/0/1
SanJose1(config-if)# ip address 172.16.1.1 255.255.255.0
SanJose1(config-if)# clock rate 128000
SanJose1(config-if)# no shutdown
SanJose1(config-if)# end
SanJose1#
Router R3 (hostname SanJose2)
SanJose2(config)# interface Loopback0
SanJose2(config-if)# ip address 172.16.32.1 255.255.255.0
SanJose2(config-if)# exit
SanJose2(config)# interface Serial0/0/0
SanJose2(config-if)# ip address 192.168.1.2 255.255.255.252
SanJose2(config-if)# clock rate 128000
SanJose2(config-if)# no shutdown
SanJose2(config-if)# exit
SanJose2(config)# interface Serial0/0/1
SanJose2(config-if)# ip address 172.16.1.2 255.255.255.0
SanJose2(config-if)# no shutdown
SanJose2(config-if)# end
SanJose2#
b. Use ping to test the connectivity between the directly connected routers. Both SanJose routers
should be able to ping each other and their local ISP serial link IP address. The ISP router cannot
reach the segment between SanJose1 and SanJose2.
Step 2: Configure EIGRP.
Configure EIGRP between the SanJose1 and SanJose2 routers. (Note: If using an IOS prior
to 15.0, use the no auto-summary router configuration command to disable automatic
summarization. This command is the default beginning with IOS 15.)
SanJose1(config)# router eigrp 1
SanJose1(config-router)# network 172.16.0.0
The link between SanJose1 and SanJose2 should be identified as an internal link indicating
an IBGP peering relationship, as shown in the output.
summary output.
In Step 4, the show ip bgp neighbors command was used to verify that SanJose1 and ISP had
reached the established state. A useful alternative command is show ip bgp summary. The
output should be similar to the following.
SanJose2# show ip bgp summary
BGP router identifier 172.16.32.1, local AS number 64512
Up/Down State/PfxRcd
172.16.64.1 4 64512 27 26 6 0 0 00:18:15 2
192.168.1.1 4 200 10 7 6 0 0 00:01:42 1
SanJose2#
j. At this point, the ISP router should be able to get to each network connected to SanJose1 and
SanJose2 from the loopback address 192.168.100.1. Use the extended ping command and
specify the source address of ISP Lo0 to test.
a. To better understand the next-hop-self command, we will stop ISP from advertising its two WAN
links and shut down the WAN link between ISP and SanJose2. The only possible path from
SanJose2 to ISP’s 192.168.100.0/24 is through SanJose1.
Serial0/0/1
SanJose2#
SanJose2#
d. The show ip route command on SanJose2 now displays the 192.168.100.0/24 network
because SanJose1 is the next hop, 172.16.64.1, which is reachable from SanJose2.
a. Before configuring the next BGP attribute, restore the WAN link between ISP and SanJose3.
This will change the BGP table and routing table on both routers. For example, SanJose2’s routing
table shows 192.168.100.0/24 will now have a better path through ISP.
SECONDARY_T1_IN in
b. Use the clear ip bgp * soft command after configuring this new policy. When the conversations
have been reestablished, issue the show ip bgp command on SanJose1 and SanJose2.
SanJose1# clear ip bgp * soft
SanJose2# clear ip bgp * soft
To verify this, the simplest solution is to issue the show ip bgp command on the ISP router as
was done above. What if access was not given to the ISP router? Traffic returning from the
Internet should not be passed across the metered T1. Is there a simple way to verify before
receiving the monthly bill? How can it be checked instantly?
a. Use an extended ping command to verify this situation. Specify the record option and
compare your output to the following. Notice the return path using the exit interface 192.168.1.1 to
SanJose2.
(192.168.1.1)
(172.16.32.1) <*>
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
End of list
(192.168.1.1)
(172.16.32.1) <*>
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
End of list
Reply to request 2 (20 ms). Received packet has options
Total option bytes= 40, padded length=40
Record route:
(172.16.1.2)
(192.168.1.6)
(192.168.100.1)
(192.168.1.1)
(172.16.32.1) <*>
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
End of list
(192.168.1.1)
(172.16.32.1) <*>
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
End of list
(192.168.1.1)
(172.16.32.1) <*>
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
End of list
b. Create a new policy to force the ISP router to return all traffic via SanJose1. Create a
second route map utilizing the MED (metric) that is shared between EBGP neighbors.
PRIMARY_T1_MED_OUT out
SECONDARY_T1_MED_OUT out
c. Use the clear ip bgp * soft command after issuing this new policy. Issuing the show
ip bgp command as follows on SanJose1 or SanJose2 does not indicate anything about this
newly defined policy.
d. Reissue an extended ping command with the record command. Notice the change in
return path using the exit interface 192.168.1.5 to SanJose1.
(192.168.1.5)
(172.16.1.1)
(172.16.32.1) <*>
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
End of list
(192.168.1.5)
(172.16.1.1)
(172.16.32.1) <*>
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
End of list
Reply to request 4 (28 ms). Received packet has options
Total option bytes= 40, padded length=40
Record route:
(172.16.1.2)
(192.168.1.6)
(192.168.100.1)
(192.168.1.5)
(172.16.1.1)
(172.16.32.1) <*>
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
End of list
Serial0/0/1
C 172.16.64.0/24 is directly connected, Loopback0
L 172.16.64.1/32 is directly connected, Loopback0
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.4/30 is directly connected, Serial0/0/0
L 192.168.1.6/32 is directly connected, Serial0/0/0
SanJose1#
d. Using the traceroute command, verify that packets to 10.0.0.1 are using the default
route through SanJose1.
f. Verify that both routers have modified their routing tables with the default route using
the path between SanJose2 and ISP.
Serial0/0/1
C 172.16.64.0/24 is directly connected, Loopback0
L 172.16.64.1/32 is directly connected, Loopback0
B 192.168.100.0/24 [200/0] via 172.16.32.1, 00:00:06
SanJose1#
g. Verify the new path using the traceroute command to 10.0.0.1 from SanJose1. Notice the default
route is now through SanJose2.
PRACTICAL 4
Objectives:
• Secure management access.
• Configure enhanced username password security.
• Enable AAA RADIUS authentication.
• Enable secure remote management.
Step 1: Configure loopbacks and assign addresses.
R1
hostname R1
interface Loopback 0
description R1 LAN
ip address 192.168.1.1 255.255.255.0
exit
!
interface Serial0/0/0
description R1 --> R2
ip address 10.1.1.1 255.255.255.252
clock rate 128000
no shutdown
exit
!
end
R2
hostname R2
!
interface Serial0/0/0
description R2 --> R1
ip address 10.1.1.2 255.255.255.252
no shutdown
exit
interface Serial0/0/1
description R2 --> R3
ip address 10.2.2.1 255.255.255.252
clock rate 128000
no shutdown
exit
!
end
R3
hostname R3
!
interface Loopback0
description R3 LAN
ip address 192.168.3.1 255.255.255.0
exit
interface Serial0/0/1
description R3 --> R2
ip address 10.2.2.2 255.255.255.252
no shutdown
exit
!
end
foreach address {
192.168.1.1
10.1.1.1
10.1.1.2
10.2.2.1
10.2.2.2
192.168.3.1
} {
ping $address }
R1# tclsh
R1(tcl)#foreach address {
+>(tcl)#192.168.1.1
+>(tcl)#10.1.1.1
+>(tcl)#10.1.1.2
+>(tcl)#10.2.2.1
+>(tcl)#10.2.2.2
+>(tcl)#192.168.3.1
+>(tcl)#} { ping $address }
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/14/16 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/16 ms
R1(tcl)#
login
R1(config-line)# logging synchronous
R1(config-line)# exit
R1(config)#
e. The aux port is a legacy port used to manage a router remotely using a modem and is hardly
ever used. Therefore, disable the aux port.
f. Enter privileged EXEC mode and issue the show run command. Can you read the enable
secret password? Why or why not?
g. Use the service password-encryption command to encrypt the line console and vty
passwords.
b. Set the console line to use the locally defined login accounts.
c. Set the vty lines to use the locally defined login accounts.
e. To verify the configuration, telnet to R3 from R1 and login using the ADMIN local
database account.
Step 5: Enabling AAA RADIUS Authentication with Local User for Backup.
a. Always have local database accounts created before enabling AAA. Since we created two local
database accounts in the previous step, we can proceed and enable AAA on R1.
R1(config)# aaa new-model
b. Configure the specifics for the first RADIUS server located at 192.168.1.101. Use
RADIUS-1-pa55w0rd as the server password.
R1(config)# radius server RADIUS-1
R1(config-radius-server)# address ipv4 192.168.1.101
R1(config-radius-server)# key RADIUS-1-pa55w0rd
R1(config-radius-server)# exit
R1(config)#
c. Configure the specifics for the second RADIUS server located at 192.168.1.102. Use
RADIUS-2-pa55w0rd as the server password.
R1(config)# radius server RADIUS-2
R1(config-radius-server)# address ipv4 192.168.1.102
R1(config-radius-server)# key RADIUS-2-pa55w0rd
R1(config-radius-server)# exit
R1(config)#
d. Assign both RADIUS servers to a server group.
R1(config)# aaa group server radius RADIUS-GROUP
R1(config-sg-radius)# server name RADIUS-1
R1(config-sg-radius)# server name RADIUS-2
R1(config-sg-radius)# exit
R1(config)#
e. Enable the default AAA authentication login to attempt to validate against the server group. If they
are not available, then authentication should be validated against the local database.
R1(config)# aaa authentication login default group RADIUS-GROUP local
R1(config)#
f. Enable the default AAA authentication Telnet login to attempt to validate against the server group. If
they are not available, then authentication should be validated against a case sensitive local
database.
R1(config)# aaa authentication login TELNET-LOGIN group RADIUS-GROUP local-case
R1(config)#
g. Alter the VTY lines to use the TELNET-LOGIN AAA authentication method.
i. To verify the configuration, telnet to R3 from R1 and login using the ADMIN local database account.
c. Generate the RSA encryption key pair for the router. Configure the RSA keys with 1024 for
the number of modulus bits. The default is 512, and the range is from 360 to 2048.
AAAAB3NzaC1yc2EAAAADAQABAAAAgQC3Lehh7ReYlgyDzls6wq+mFzxqzoaZFr9XGx+Q/yio
dFYw00hQo80tZy1W1Ff3Pz6q7Qi0y00urwddHZ0kBZceZK9EzJ6wZ+9a87KKDETCWrGSLi6c8lE/y4K+
Z/oVrMMZk7bpTM1MFdP41YgkTf35utYv+TcqbsYo++KJiYk+xw==
R1#
h. Although a user can SSH from a host using the SSH option of TeraTerm or PuTTY, a router
can also SSH to another SSH-enabled device. SSH to R3 from R1.
R1# ssh -l ADMIN 10.2.2.2
Password:
Unauthorized access strictly prohibited!
R3>
R3> en
Password:
R3#
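Added example, not part of the original lab: a Python check that reads a saved running-config and reports the management-plane gaps this practical closes (clear-text line passwords, users defined with password instead of secret, an aux port that still accepts EXEC sessions, vty lines that accept Telnet, and AAA login lists with no local fallback). Both sample configurations, the OPERATOR account and the hash placeholders are constructed for the example.

```python
def parse(config):
    """Return (global commands, {section header: [indented sub-commands]})."""
    globals_, sections, header = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0].isspace() and header is not None:
            sections[header].append(line)
        else:
            header = line
            globals_.append(line)
            sections[header] = []
    return globals_, sections


def audit(config):
    """Return a list of findings for the settings covered in this practical."""
    globals_, sections = parse(config)
    findings = []
    if "service password-encryption" not in globals_:
        findings.append("service password-encryption is off: line passwords are in clear text")
    if not any(g.startswith("enable secret ") for g in globals_):
        findings.append("no enable secret configured")
    for g in globals_:
        words = g.split()
        if words[0] == "username" and "password" in words[2:] and "secret" not in words[2:]:
            findings.append(f"user {words[1]}: 'password' keyword used instead of 'secret'")
    aaa_enabled = "aaa new-model" in globals_
    method_lists = {}
    for g in globals_:
        words = g.split()
        if words[:3] == ["aaa", "authentication", "login"] and len(words) > 4:
            method_lists[words[3]] = words[4:]
    for name, methods in method_lists.items():
        if "group" in methods and methods[-1] not in ("local", "local-case"):
            findings.append(f"AAA list {name}: no local fallback if the RADIUS servers are unreachable")
    for header, body in sections.items():
        if header.startswith("line aux") and "no exec" not in body:
            findings.append(f"{header}: EXEC sessions still allowed on the aux port")
        if header.startswith("line vty"):
            transport = [b.split()[2:] for b in body if b.startswith("transport input")]
            if not transport or transport[-1] != ["ssh"]:
                findings.append(f"{header}: not restricted to SSH, Telnet sends credentials in clear text")
            for b in body:
                words = b.split()
                if words[:2] == ["login", "authentication"] and len(words) > 2 \
                        and words[2] not in method_lists:
                    findings.append(f"{header}: references undefined AAA list {words[2]}")
            if not aaa_enabled and "login local" not in body:
                findings.append(f"{header}: not using the local user database")
    return findings


# Constructed sample: the router part-way through the practical.
WEAK = """\
hostname R1
enable secret 5 $1$CONSTRUCTED
username ADMIN privilege 15 secret 5 $1$CONSTRUCTED
username OPERATOR password 0 constructed-value
aaa new-model
aaa authentication login default group RADIUS-GROUP local
aaa authentication login TELNET-LOGIN group RADIUS-GROUP
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login authentication TELNET-LOGIN
 transport input telnet
"""

# Constructed sample: the same router with every step applied.
HARDENED = """\
hostname R1
service password-encryption
enable secret 5 $1$CONSTRUCTED
username ADMIN privilege 15 secret 5 $1$CONSTRUCTED
aaa new-model
aaa authentication login default group RADIUS-GROUP local
aaa authentication login TELNET-LOGIN group RADIUS-GROUP local-case
line con 0
 logging synchronous
line aux 0
 no exec
line vty 0 4
 login authentication TELNET-LOGIN
 transport input ssh
"""

if __name__ == "__main__":
    for finding in audit(WEAK):
        print("FINDING:", finding)
    print("hardened findings:", audit(HARDENED))
```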
PRACTICAL 5
AIM: Configure and Verify Path Control Using PBR
TOPOLOGY:
Objectives:
• Configure and verify policy-based routing.
• Select the required tools and commands to configure policy-based routing operations.
• Verify the configuration and operation by using the proper show and debug commands.
192.168.4.0 network
172.16.34.0 0.0.0.7
no auto-summary
Cnt Num
0 172.16.34.3 Se0/0/0 10
00:02:22 37 2340 0 11
R4#
b. Run the following Tcl script on all routers to verify full connectivity.
R1# tclsh
foreach address {
172.16.12.1
172.16.12.2
172.16.13.1
172.16.13.3
172.16.23.2
172.16.23.3
172.16.34.3
172.16.34.4
192.168.1.1
192.168.2.1
192.168.3.1
192.168.4.1
192.168.4.129
} { ping $address }
Serial0/0/0
D 172.16.34.0/29 [90/41024000] via 172.16.13.3, 00:07:22, Serial0/0/1
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Loopback1
L 192.168.1.1/32 is directly connected, Loopback1
D 192.168.2.0/24 [90/20640000] via 172.16.12.2, 00:07:22, Serial0/0/0
D 192.168.3.0/24 [90/21152000] via 172.16.12.2, 00:07:22, Serial0/0/0
192.168.4.0/25 is subnetted, 2 subnets
D 192.168.4.0 [90/41152000] via 172.16.13.3, 00:07:14, Serial0/0/1
D 192.168.4.128 [90/41152000] via 172.16.13.3, 00:07:14, Serial0/0/1
R1#
b. On R4, use the traceroute command to the R1 LAN address and source the ICMP packet
from R4 LAN A and LAN B.
a. On R3, use the show ip route command and note that the preferred route from R3 to R1 LAN
192.168.1.0/24 is via R2 using the R3 exit interface S0/0/1.
Serial0/0/1
C 172.16.13.0/29 is directly connected, Serial0/0/0
L 172.16.13.3/32 is directly connected, Serial0/0/0
C 172.16.23.0/29 is directly connected, Serial0/0/1
L 172.16.23.3/32 is directly connected, Serial0/0/1
C 172.16.34.0/29 is directly connected, Serial0/1/0
L 172.16.34.3/32 is directly connected, Serial0/1/0
D 192.168.1.0/24 [90/21152000] via 172.16.23.2, 00:10:54, Serial0/0/1
D 192.168.2.0/24 [90/20640000] via 172.16.23.2, 00:10:54, Serial0/0/1
192.168.3.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.3.0/24 is directly connected, Loopback3
L 192.168.3.1/32 is directly connected, Loopback3
192.168.4.0/25 is subnetted, 2 subnets
D 192.168.4.0 [90/40640000] via 172.16.34.4, 00:10:47, Serial0/1/0
D 192.168.4.128 [90/40640000] via 172.16.34.4, 00:10:47, Serial0/1/0
R3#
a. On R3, use the show interfaces serial 0/0/0 and show interfaces s0/0/1 commands.
bandwidth of the serial link between R3 and R2 (S0/0/1) is set to 128 Kb/s.
a. Confirm that R3 has a valid route to reach R1 from its serial 0/0/0 interface using the show ip
eigrp topology 192.168.1.0 command.
192.168.1.0/24
State is Passive, Query origin flag is 1, 1 Successor(s), FD is 21152000
Descriptor Blocks:
172.16.23.2 (Serial0/0/1), from 172.16.23.2, Send flag is 0x0
Composite metric is ( 21152000/20640000), route is Internal
Vector metric:
b. Create a route map called R3-to-R1 that matches PBR-ACL and sets the next-hop interface to the
R1 serial 0/0/1 interface.
c. Apply the R3-to-R1 route map to the serial interface on R3 that receives the traffic from R4.
Use the ip policy route-map command on interface S0/1/0.
R3# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)# access-list 1 permit 192.168.4.0 0.0.0.255
R3(config)# exit
b. Enable PBR debugging only for traffic that matches the R4 LANs.
a. Test the policy from R4 with the traceroute command, using R4 LAN B as the source
network.
R3#
R3#
Jan 10 10:50:04.283: IP: s=192.168.4.129 (Serial0/1/0), d=192.168.1.1, len 28, policy match
Jan 10 10:50:04.283: IP: route map R3-to-R1, item 10, permit
Jan 10 10:50:04.283: IP: s=192.168.4.129 (Serial0/1/0), d=192.168.1.1
TOPOLOGY:
Objectives
• Configure and verify the IP SLA feature.
• Test the IP SLA tracking feature.
• Verify the configuration and operation using show and debug commands.
interface Loopback 0
description R1 LAN
ip address 192.168.1.1 255.255.255.0
interface Loopback1
description ISP2 DNS Server
ip address 209.165.202.158 255.255.255.255
Router R1
R1(config)# ip route 0.0.0.0 0.0.0.0 209.165.201.1
R1(config)#
Router ISP1 (R2)
ISP1(config)# router eigrp 1
ISP1(config-router)# network 209.165.200.224 0.0.0.3
ISP1(config-router)# network 209.165.201.0 0.0.0.31
ISP1(config-router)# no auto-summary
ISP1(config-router)# exit
ISP1(config)#
ISP1(config)# ip route 192.168.1.0 255.255.255.0 209.165.201.2
ISP1(config)#
Router ISP2 (R3)
ISP2(config)# router eigrp 1
ISP2(config-router)# network 209.165.200.224 0.0.0.3
ISP2(config-router)# network 209.165.202.128 0.0.0.31
ISP2(config-router)# no auto-summary
ISP2(config-router)# exit
ISP2(config)#
ISP2(config)# ip route 192.168.1.0 255.255.255.0 209.165.202.130
ISP2(config)#
foreach address {
209.165.200.254
209.165.201.30
209.165.202.158
} {
ping $address source 192.168.1.1
}
foreach address {
209.165.200.254
209.165.201.30
209.165.202.158
} {
trace $address source 192.168.1.1
}
R1(config)# ip sla 22
R1(config-ip-sla)# icmp-echo 209.165.202.158
R1(config-ip-sla-echo)# frequency 10
R1(config-ip-sla-echo)# exit
R1(config)#
R1(config)# ip sla schedule 22 life forever start-time now
R1(config)# end
R1#
R1#
R1#
R1# show ip sla statistics 22
IPSLAs Latest Operation Statistics
IPSLA operation id: 22
R1#
Step 4: Configure tracking options.
R1(config)# no ip route 0.0.0.0 0.0.0.0 209.165.201.1
R1(config)# ip route 0.0.0.0 0.0.0.0 209.165.201.1 5
R1(config)# exit
R1# show ip route | begin Gateway
Gateway of last resort is 209.165.201.1 to network 0.0.0.0
a. From global configuration mode on R1, use the track 1 ip sla 11 reachability command to enter
the config-track subconfiguration mode.
b. On R1, observe the debug output being generated. Recall that R1 will wait up to 10
seconds before initiating action; therefore, several seconds will elapse before the output is
generated.
R1#
Jan 10 10:53:59.551: %TRACK-6-STATE: 1 ip sla 11 reachability Up -> Down
Jan 10 10:53:59.551: RT: del 0.0.0.0 via 209.165.201.1, static metric [2/0]
Jan 10 10:53:59.551: RT: delete network route to 0.0.0.0/0
Jan 10 10:53:59.551: RT: default path has been cleared
Jan 10 10:53:59.551: RT: updating static 0.0.0.0/0 (0x0) :
via 209.165.202.129 0 1048578
209.165.201.129
Jan 10 10:53:59.551: RT: updating static 0.0.0.0/0 (0x0) :
via 209.165.201.1 0 1048578
The new static route has an administrative distance of 3 and is being forwarded to ISP2 as it
should.
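Added example, not part of the original lab: a Python model of how R1 chooses its default route as the IP SLA probes and track objects change state. It assumes the AD 2 route via ISP1 and the AD 3 route via ISP2 are bound to track objects 1 and 2 (IP SLA 11 and 22) and that the up delay is 1 second; the probe timelines are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class StaticRoute:
    next_hop: str
    distance: int                 # administrative distance
    track: Optional[int] = None   # track object id; None = untracked


# R1's default routes. The AD 5 route is configured on the page; AD 2 via ISP1
# and AD 3 via ISP2 appear in its debug output and text. Binding them to track
# objects 1 and 2 is an assumption of this example.
ROUTES = [
    StaticRoute("209.165.201.1", 5),
    StaticRoute("209.165.201.1", 2, track=1),
    StaticRoute("209.165.202.129", 3, track=2),
]
TRACK_TO_SLA = {1: 11, 2: 22}
FREQUENCY = 10    # seconds between probes, as in "frequency 10"
DELAY_DOWN = 10   # the page: R1 waits up to 10 seconds before acting
DELAY_UP = 1      # assumption: recover quickly once the probe answers again


class TrackObject:
    """Reachability state that only changes after the probe result has held
    for the configured delay, so one lost echo does not move the route."""

    def __init__(self):
        self.up = True
        self.changed_at = None   # when the probe first disagreed with self.up

    def tick(self, now, reachable):
        if reachable == self.up:
            self.changed_at = None
        else:
            if self.changed_at is None:
                self.changed_at = now
            delay = DELAY_UP if reachable else DELAY_DOWN
            if now - self.changed_at >= delay:
                self.up, self.changed_at = reachable, None
        return self.up


def installed_default(track_up):
    """Lowest-distance default route whose track object (if any) is up."""
    usable = [r for r in ROUTES if r.track is None or track_up[r.track]]
    return min(usable, key=lambda r: r.distance)


def replay(probe_results, duration):
    """probe_results: {sla_id: [bool per probe]}. Returns the list of
    (second, next_hop, distance) at which the installed default changes."""
    tracks = {tid: TrackObject() for tid in TRACK_TO_SLA}
    changes, current = [], None
    for now in range(duration):
        state = {}
        for tid, sla in TRACK_TO_SLA.items():
            results = probe_results[sla]
            latest = results[min(now // FREQUENCY, len(results) - 1)]
            state[tid] = tracks[tid].tick(now, latest)
        best = installed_default(state)
        if best != current:
            changes.append((now, best.next_hop, best.distance))
            current = best
    return changes


# Constructed timeline: ISP1's DNS loopback stops answering at t=20 and
# returns at t=50; ISP2's DNS server answers throughout.
ISP1_OUTAGE = {11: [True, True, False, False, False, True, True],
               22: [True] * 7}
# Constructed timeline: both DNS servers stop answering at t=20.
BOTH_DOWN = {11: [True, True, False, False], 22: [True, True, False, False]}
# Constructed timeline: a single lost echo to ISP1's DNS server.
ONE_LOST_ECHO = {11: [True, False, True, True], 22: [True] * 4}

if __name__ == "__main__":
    for change in replay(ISP1_OUTAGE, 70):
        print(change)
```

When both probes fail, the untracked AD 5 route is what remains, so traffic is sent back towards ISP1 whether or not that path works; this is the case worth alerting on alongside the %TRACK-6-STATE messages.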
d. Verify the IP SLA statistics.
Number of failures: 45
Operation time to live: Forever
IPSLA operation id: 22
R1#
e. On R1, initiate a trace to the web server from the internal LAN IP address.
ISP1(config-if)# no shutdown
Jan 10 11:05:45.847: %LINK-3-UPDOWN: Interface Loopback1, changed state to up
Jan 10 11:05:46.847: %LINEPROTO-5-UPDOWN: Line protocol on Interface
209.165.201.1 0 1048578
[2/0]
Jan 10 11:06:20.551: RT: updating static 0.0.0.0/0 (0x0) :
via 209.165.202.129 0 1048578
R1#
h. Verify the routing table.
R1# show ip route | begin Gateway
Gateway of last resort is 209.165.201.1 to network 0.0.0.0
TOPOLOGY:
Objectives
• Implement a Layer 3 EtherChannel
• Implement Static Routing
• Implement Inter-VLAN Routing
Building configuration...
[OK]
Proceed with reload? [confirm]
DLS2(config)# ip routing
DLS2(config)# vlan 110
DLS2(config-vlan)# name Management
DLS2(config-vlan)# exit
DLS2(config)# vlan 120
DLS2(config-vlan)# name Local
DLS2(config-vlan)# exit
DLS2(config)# int vlan 110
DLS2(config-if)# ip address 10.1.110.1 255.255.255.0
DLS2(config-if)# no shut
DLS2(config-if)# exit
DLS2(config)# int vlan 120
DLS2(config-if)# ip address 10.1.120.1 255.255.255.0
DLS2(config-if)# no shut
DLS2(config-if)# exit
DLS2(config)# int loopback 1
DLS2(config-if)# ip address 192.168.1.1 255.255.255.0
DLS2(config-if)# no shut
DLS2(config-if)# exit
DLS2(config)#
will be enabled
channel group will be disabled
DLS1(config-if-range)# no shut
DLS1(config-if-range)# exit
DLS1(config)# interface port-channel 2
DLS1(config-if)# ip address 172.16.12.1 255.255.255.252
DLS1(config-if)# no shut
DLS1(config-if)# exit
DLS1(config)#
I - stand-alone s - suspended
<output omitted>
Gateway of last resort is 172.16.12.1 to network 0.0.0.0
abort.
ALS1(config-if-range)# no shut
ALS1(config-if-range)# exit
ALS1(config)# interface range f0/9-10
ALS1(config-if-range)# switchport mode trunk
ALS1(config-if-range)# switchport trunk allowed vlan 110
ALS1(config-if-range)# channel-group 4 mode desirable
Creating a port-channel interface Port-channel 4
ALS1(config-if-range)# no shut
ALS1(config-if-range)# exit
ALS1(config)#end
ALS1# show etherchannel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
Po4 110
<output omitted>
ALS1#
sequence to abort.
Tracing the route to 10.1.99.2
VRF info: (vrf in name/id, vrf out name/id)
1 10.1.120.1 0 msec 0 msec 8 msec
ALS1(config-vlan)# exit
ALS1(config)# int vlan 100
ALS1(config-if)# ip address 10.1.100.1 255.255.255.0
ALS1(config-if)# no shut
ALS1(config-if)# exit
ALS1(config)# int vlan 110
ALS1(config-if)# ip address 10.1.110.2 255.255.255.0
ALS1(config-if)# no shut
ALS1(config-if)# exit
ALS1(config)#
enabled
channel group will be disabled
PRACTICAL 8
AIM: Cisco MPLS Configuration
TOPOLOGY:
autoconfig
autoconfig
R2#
*Mar 1 00:31:53.643: %SYS-5-CONFIG_I: Configured from console
10.0.0.1 1.1.1.1
Peer LDP Ident: 3.3.3.3:0; Local LDP Ident 2.2.2.2:0
TCP connection: 3.3.3.3.22155 - 2.2.2.2.646
State: Oper; Msgs sent/rcvd: 12/11; Downstream
Up time: 00:03:30
LDP discovery sources:
FastEthernet0/1, Src IP addr: 10.0.1.3
Addresses bound to
10.0.1.3 3.3.3.3
R1#trace 3.3.3.3
to 3.3.3.3
autosummary
192.168.1.1 255.255.255.0
if)#ip vrf fo
255.255.255.0
R1
R1#sh run int f0/1
Building configuration... Current
R1(config-if)#
*Mar 1 01:12:54.323: %OSPF-5-ADJCHG: Process 2, Nbr 4.4.4.4 on FastEthernet0/1 from LOADING to FULL, Loading Done
shut ip add
RED
255.255.255.0
R3
configuration...
R3
R3#sh ip route vrf RED
Routing Table: RED
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
Gateway of last resort is not set
6.0.0.0/32 is subnetted, 1 subnets
O 6.6.6.6 [110/11] via 192.168.2.6, 00:02:44, FastEthernet0/1
C 192.168.2.0/24 is directly connected, FastEthernet0/1
R3#
RIB-failure, S Stale
100 0 ?
100 0 ?
FastEthernet0/0
R6#sh ip route
4.0.0.0/32 is subnetted, 1 subnets
O IA 4.4.4.4 [110/21] via 192.168.2.1, 00:01:22, FastEthernet0/0
6.0.0.0/32 is subnetted, 1 subnets
C 6.6.6.6 is directly connected, Loopback0
O IA 192.168.1.0/24 [110/11] via 192.168.2.1, 00:01:22, FastEthernet0/0
C 192.168.2.0/24 is directly connected, FastEthernet0/0
R4#ping 6.6.6.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/48/52 ms
R4#trace 6.6.6.6
Type escape sequence to abort.
Tracing the route to 6.6.6.6
1 192.168.1.1 20 msec 8 msec 8 msec
36 msec
3 192.168.2.1 [MPLS: Label 20 Exp 0] 16 msec 40 msec 16 msec
R4#