
MODNET Final

The document describes configuring IP SLA tracking and path control on routers. It includes configuring IP SLA probes to monitor connectivity to DNS servers, verifying the probes, and using the results for routing.

Uploaded by

Prince Patil

K M AGRAWAL COLLEGE OF SCIENCE, COMMERCE & ARTS


Department of Information Technology
M.Sc. Part – I (Sem II)
Certificate
This is to certify that
Mr/Ms. ______________________________ , Seat No. ____________ ,
studying in Master of Science in Information Technology Part – I Semester – II,
has satisfactorily completed the practical of “Modern Networking” as
prescribed by the University of Mumbai, during the academic year 2022-2023.

----------------------------        ---------------------------        -------------------------
Co-ordinator                        Modern Networking                  External Examiner
                                    Subject In-charge

-------------------------------
College seal
INDEX

Sr.No.  Practical                                                        Date    Sign
1.      Configure IP SLA Tracking and Path Control
2.      Using the AS_PATH Attribute
3.      Configuring IBGP and EBGP Sessions, Local Preference, and MED
4.      Secure the Management Plane
5.      Configure and Verify Path Control Using PBR
6.      Configure IP SLA Tracking and Path Control
7.      Inter-VLAN Routing

PRACTICAL 1
AIM: Configure IP SLA Tracking and Path Control

TOPOLOGY:

Objectives
• Configure and verify the IP SLA feature.
• Test the IP SLA tracking feature.
• Verify the configuration and operation using show and debug commands.

Step 1: Prepare the routers and configure the router hostname and interface
addresses.

Router R1
hostname R1
interface Loopback0
 description R1 LAN
 ip address 192.168.1.1 255.255.255.0
interface Serial0/0/0
 description R1 --> ISP1
 ip address 209.165.201.2 255.255.255.252
 clock rate 128000
 bandwidth 128
 no shutdown
interface Serial0/0/1
 description R1 --> ISP2
 ip address 209.165.202.130 255.255.255.252
 bandwidth 128
 no shutdown

Router ISP1 (R2)
hostname ISP1
interface Loopback0
 description Simulated Internet Web Server
 ip address 209.165.200.254 255.255.255.255
interface Loopback1
 description ISP1 DNS Server
 ip address 209.165.201.30 255.255.255.255
interface Serial0/0/0
 description ISP1 --> R1
 ip address 209.165.201.1 255.255.255.252
 bandwidth 128
 no shutdown
interface Serial0/0/1
 description ISP1 --> ISP2
 ip address 209.165.200.225 255.255.255.252
 clock rate 128000
 bandwidth 128
 no shutdown

Router ISP2 (R3)
hostname ISP2
interface Loopback0
 description Simulated Internet Web Server
 ip address 209.165.200.254 255.255.255.255
interface Loopback1
 description ISP2 DNS Server
 ip address 209.165.202.158 255.255.255.255
interface Serial0/0/0
 description ISP2 --> R1
 ip address 209.165.202.129 255.255.255.252
 clock rate 128000
 bandwidth 128
 no shutdown
interface Serial0/0/1
 description ISP2 --> ISP1
 ip address 209.165.200.226 255.255.255.252
 bandwidth 128
 no shutdown

Verify the configuration by using the show interfaces description command. The output
from router R1 is shown here as an example.

R1# show interfaces description | include up
Se0/0/0                        up             up       R1 --> ISP1
Se0/0/1                        up             up       R1 --> ISP2
Lo0                            up             up       R1 LAN
R1#

Step 2: Configure static routing.


a. Implement the routing policies on the respective routers. You can copy and paste the following
configurations.

Router R1
R1(config)# ip route 0.0.0.0 0.0.0.0 209.165.201.1
R1(config)#

Router ISP1 (R2)
ISP1(config)# router eigrp 1
ISP1(config-router)# network 209.165.200.224 0.0.0.3
ISP1(config-router)# network 209.165.201.0 0.0.0.31
ISP1(config-router)# no auto-summary
ISP1(config-router)# exit
ISP1(config)#
ISP1(config)# ip route 192.168.1.0 255.255.255.0 209.165.201.2
ISP1(config)#

Router ISP2 (R3)
ISP2(config)# router eigrp 1
ISP2(config-router)# network 209.165.200.224 0.0.0.3
ISP2(config-router)# network 209.165.202.128 0.0.0.31
ISP2(config-router)# no auto-summary
ISP2(config-router)# exit
ISP2(config)#
ISP2(config)# ip route 192.168.1.0 255.255.255.0 209.165.202.130
ISP2(config)#

b. The Cisco IOS IP SLA feature enables an administrator to monitor network performance between
Cisco devices (switches or routers) or from a Cisco device to a remote IP device. IP SLA probes
continuously check the reachability of a specific destination, such as a provider edge router interface,
the DNS server of the ISP, or any other specific destination, and can conditionally announce a default
route only if the connectivity is verified.

foreach address {
209.165.200.254
209.165.201.30
209.165.202.158
} { ping $address source 192.168.1.1 }

c. Trace the path taken to the web server, ISP1 DNS server, and ISP2 DNS server. You can copy the
following Tcl script and paste it into R1.

foreach address {
209.165.200.254
209.165.201.30
209.165.202.158
} { trace $address source 192.168.1.1 }

Step 3: Configure IP SLA probes.

a. Create an ICMP echo probe on R1 to the primary DNS server on ISP1 using the ip sla
command.

R1(config)# ip sla 11
R1(config-ip-sla)# icmp-echo 209.165.201.30
R1(config-ip-sla-echo)# frequency 10
R1(config-ip-sla-echo)# exit
R1(config)#
R1(config)# ip sla schedule 11 life forever start-time now
R1(config)#
b. Verify the IP SLAs configuration of operation 11 using the show ip sla configuration 11
command.

R1# show ip sla configuration 11
IP SLAs Infrastructure Engine-III
Entry number: 11
Owner:
Tag:
Operation timeout (milliseconds): 5000
Type of operation to perform: icmp-echo
Target address/Source address: 209.165.201.30/0.0.0.0
Type Of Service parameter: 0x0
Request size (ARR data portion): 28
Verify data: No
Vrf Name:
Schedule:
   Operation frequency (seconds): 10  (not considered if randomly scheduled)
   Next Scheduled Start Time: Start Time already passed
   Group Scheduled : FALSE
   Randomly Scheduled : FALSE
   Life (seconds): Forever
   Entry Ageout (seconds): never
   Recurring (Starting Everyday): FALSE
   Status of entry (SNMP RowStatus): Active
Threshold (milliseconds): 5000
Distribution Statistics:
   Number of statistic hours kept: 2
   Number of statistic distribution buckets kept: 1
   Statistic distribution interval (milliseconds): 20
Enhanced History:
History Statistics:
   Number of history Lives kept: 0
   Number of history Buckets kept: 15
   History Filter Type: None
R1#

c. Issue the show ip sla statistics command to display the number of successes, failures, and
results of the latest operations.

R1# show ip sla statistics
IPSLAs Latest Operation Statistics

IPSLA operation id: 11
        Latest RTT: 8 milliseconds
Latest operation start time: 10:33:18 UTC Sat Jan 10 2015
Latest operation return code: OK
Number of successes: 51
Number of failures: 0
Operation time to live: Forever
R1#
d. Although not actually required because IP SLA session 11 alone could provide the desired
fault tolerance, create a second probe, 22, to test connectivity to the second DNS server
located on router ISP2.
R1(config)# ip sla 22
R1(config-ip-sla)# icmp-echo 209.165.202.158
R1(config-ip-sla-echo)# frequency 10
R1(config-ip-sla-echo)# exit
R1(config)#
R1(config)# ip sla schedule 22 life forever start-time now
R1(config)# end
R1#

e. Verify the new probe using the show ip sla configuration and show ip sla statistics
commands.

R1# show ip sla configuration 22
IP SLAs Infrastructure Engine-III
Entry number: 22
Owner:
Tag:
Operation timeout (milliseconds): 5000
Type of operation to perform: icmp-echo
Target address/Source address: 209.165.202.158/0.0.0.0
Type Of Service parameter: 0x0
Request size (ARR data portion): 28
Verify data: No
Vrf Name:
Schedule:
   Operation frequency (seconds): 10  (not considered if randomly scheduled)
   Next Scheduled Start Time: Start Time already passed
   Group Scheduled : FALSE
   Randomly Scheduled : FALSE
   Life (seconds): Forever
   Entry Ageout (seconds): never
   Recurring (Starting Everyday): FALSE
   Status of entry (SNMP RowStatus): Active
Threshold (milliseconds): 5000
Distribution Statistics:
   Number of statistic hours kept: 2
   Number of statistic distribution buckets kept: 1
   Statistic distribution interval (milliseconds): 20
Enhanced History:
History Statistics:
   Number of history Lives kept: 0
   Number of history Buckets kept: 15
   History Filter Type: None
R1#

R1# show ip sla configuration 22
IP SLAs, Infrastructure Engine-II.
Entry number: 22
Owner:
Tag:
Type of operation to perform: icmp-echo
Target address/Source address: 209.165.202.158/0.0.0.0
Type Of Service parameter: 0x0
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Verify data: No
Vrf Name:
Schedule:
   Operation frequency (seconds): 10  (not considered if randomly scheduled)
   Next Scheduled Start Time: Start Time already passed
   Group Scheduled : FALSE
   Randomly Scheduled : FALSE
   Life (seconds): Forever
   Entry Ageout (seconds): never
   Recurring (Starting Everyday): FALSE
   Status of entry (SNMP RowStatus): Active
Threshold (milliseconds): 5000 (not considered if react RTT is configured)
Distribution Statistics:
   Number of statistic hours kept: 2
   Number of statistic distribution buckets kept: 1
   Statistic distribution interval (milliseconds): 20
History Statistics:
   Number of history Lives kept: 0
   Number of history Buckets kept: 15
   History Filter Type: None
Enhanced History:
R1#
R1# show ip sla statistics 22
IPSLAs Latest Operation Statistics

IPSLA operation id: 22
        Latest RTT: 16 milliseconds
Latest operation start time: 10:38:29 UTC Sat Jan 10 2015
Latest operation return code: OK
Number of successes: 82
Number of failures: 0
Operation time to live: Forever
R1#


Step 4: Configure tracking options.
a. On R1, remove the current default route and replace it with a floating static route having an
administrative distance of 5.

R1(config)# no ip route 0.0.0.0 0.0.0.0 209.165.201.1


R1(config)# ip route 0.0.0.0 0.0.0.0 209.165.201.1 5
R1(config)# exit

b. Verify the routing table.


R1# show ip route | begin Gateway
Gateway of last resort is 209.165.201.1 to network 0.0.0.0

S*    0.0.0.0/0 [5/0] via 209.165.201.1
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, Loopback0
L        192.168.1.1/32 is directly connected, Loopback0
      209.165.201.0/24 is variably subnetted, 2 subnets, 2 masks
C        209.165.201.0/30 is directly connected, Serial0/0/0
L        209.165.201.2/32 is directly connected, Serial0/0/0
      209.165.202.0/24 is variably subnetted, 2 subnets, 2 masks
C        209.165.202.128/30 is directly connected, Serial0/0/1
L        209.165.202.130/32 is directly connected, Serial0/0/1
R1#

c. From global configuration mode on R1, use the track 1 ip sla 11 reachability command to enter
the config-track subconfiguration mode.

R1(config)# track 1 ip sla 11 reachability


R1(config-track)#
d. Specify the level of sensitivity to changes of tracked objects to 10 seconds of down delay and 1
second of up delay using the delay down 10 up 1 command. The delay helps to alleviate the
effect of flapping objects—objects that are going down and up rapidly. In this situation, if the DNS
server fails momentarily and comes back up within 10 seconds, there is no impact.

R1(config-track)# delay down 10 up 1


R1(config-track)# exit
R1(config)#
e. To view routing table changes as they happen, first enable the debug ip routing command.

R1# debug ip routing
IP routing debugging is on
R1#

f. Configure the floating static route that will be implemented when tracking object 1 is active. Use
the ip route 0.0.0.0 0.0.0.0 209.165.201.1 2 track 1 command to create a floating static default
route via 209.165.201.1 (ISP1). Notice that this command references the tracking object number
1, which in turn references IP SLA operation number 11.

R1(config)# ip route 0.0.0.0 0.0.0.0 209.165.201.1 2 track 1
R1(config)#
Jan 10 10:45:39.119: RT: updating static 0.0.0.0/0 (0x0) :
    via 209.165.201.1 0 1048578

Jan 10 10:45:39.119: RT: closer admin distance for 0.0.0.0, flushing 1 routes
Jan 10 10:45:39.119: RT: add 0.0.0.0/0 via 209.165.201.1, static metric [2/0]
Jan 10 10:45:39.119: RT: updating static 0.0.0.0/0 (0x0) :
    via 209.165.201.1 0 1048578

Jan 10 10:45:39.119: RT: rib update return code: 17
Jan 10 10:45:39.119: RT: updating static 0.0.0.0/0 (0x0) :
    via 209.165.201.1 0 1048578

Jan 10 10:45:39.119: RT: rib update return code: 17
R1(config)#
g. Repeat the steps for operation 22, track number 2, and assign the static route an admin distance
higher than track 1 and lower than 5. On R1, copy the following configuration, which sets an
admin distance of 3.

R1(config)# track 2 ip sla 22 reachability
R1(config-track)# delay down 10 up 1
R1(config-track)# exit
R1(config)#
R1(config)# ip route 0.0.0.0 0.0.0.0 209.165.202.129 3 track 2
R1(config)#

h. Verify the routing table again.


R1# show ip route | begin Gateway
Gateway of last resort is 209.165.201.1 to network 0.0.0.0

S*    0.0.0.0/0 [2/0] via 209.165.201.1
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, Loopback0
L        192.168.1.1/32 is directly connected, Loopback0
      209.165.201.0/24 is variably subnetted, 2 subnets, 2 masks
C        209.165.201.0/30 is directly connected, Serial0/0/0
L        209.165.201.2/32 is directly connected, Serial0/0/0
      209.165.202.0/24 is variably subnetted, 2 subnets, 2 masks
C        209.165.202.128/30 is directly connected, Serial0/0/1
L        209.165.202.130/32 is directly connected, Serial0/0/1
R1#

Step 5: Verify IP SLA operation.

a. On ISP1, disable the loopback interface 1.

ISP1(config)# int lo1
ISP1(config-if)# shutdown
ISP1(config-if)#
Jan 10 10:53:25.091: %LINK-5-CHANGED: Interface Loopback1, changed state to administratively down
Jan 10 10:53:26.091: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to down
ISP1(config-if)#

b. On R1, observe the debug output being generated. Recall that R1 will wait up to 10 seconds
before initiating action; therefore, several seconds will elapse before the output is generated.

R1#
Jan 10 10:53:59.551: %TRACK-6-STATE: 1 ip sla 11 reachability Up -> Down
Jan 10 10:53:59.551: RT: del 0.0.0.0 via 209.165.201.1, static metric [2/0]
Jan 10 10:53:59.551: RT: delete network route to 0.0.0.0/0
Jan 10 10:53:59.551: RT: default path has been cleared
Jan 10 10:53:59.551: RT: updating static 0.0.0.0/0 (0x0) :
    via 209.165.202.129 0 1048578

Jan 10 10:53:59.551: RT: add 0.0.0.0/0 via 209.165.202.129, static metric [3/0]
Jan 10 10:53:59.551: RT: default path is now 0.0.0.0 via 209.165.202.129
Jan 10 10:53:59.551: RT: updating static 0.0.0.0/0 (0x0) :
    via 209.165.201.1 0 1048578

Jan 10 10:53:59.551: RT: rib update return code: 17
Jan 10 10:53:59.551: RT: updating static 0.0.0.0/0 (0x0) :
    via 209.165.202.129 0 1048578

Jan 10 10:53:59.551: RT: updating static 0.0.0.0/0 (0x0) :
    via 209.165.201.1 0 1048578

Jan 10 10:53:59.551: RT: rib update return code: 17
R1#


c. On R1, verify the routing table.
R1# show ip route | begin Gateway
Gateway of last resort is 209.165.202.129 to network 0.0.0.0

S*    0.0.0.0/0 [3/0] via 209.165.202.129
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, Loopback0
L        192.168.1.1/32 is directly connected, Loopback0
      209.165.201.0/24 is variably subnetted, 2 subnets, 2 masks
C        209.165.201.0/30 is directly connected, Serial0/0/0
L        209.165.201.2/32 is directly connected, Serial0/0/0
      209.165.202.0/24 is variably subnetted, 2 subnets, 2 masks
C        209.165.202.128/30 is directly connected, Serial0/0/1
L        209.165.202.130/32 is directly connected, Serial0/0/1
R1#

d. Verify the IP SLA statistics.
R1# show ip sla statistics
IPSLAs Latest Operation Statistics

IPSLA operation id: 11
        Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: 11:01:08 UTC Sat Jan 10 2015
Latest operation return code: Timeout
Number of successes: 173
Number of failures: 45
Operation time to live: Forever

IPSLA operation id: 22
        Latest RTT: 8 milliseconds
Latest operation start time: 11:01:09 UTC Sat Jan 10 2015
Latest operation return code: OK
Number of successes: 218
Number of failures: 0
Operation time to live: Forever
R1#

e. On R1, initiate a trace to the web server from the internal LAN IP address.

R1# trace 209.165.200.254 source 192.168.1.1
Type escape sequence to abort.
Tracing the route to 209.165.200.254
VRF info: (vrf in name/id, vrf out name/id)
  1 209.165.202.129 4 msec *  *
R1#

f. On ISP1, re-enable the DNS address by issuing the no shutdown command on the loopback
1 interface to examine the routing behavior when connectivity to the ISP1 DNS is restored.

ISP1(config-if)# no shutdown
Jan 10 11:05:45.847: %LINK-3-UPDOWN: Interface Loopback1, changed state to up
Jan 10 11:05:46.847: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
ISP1(config-if)#


Notice the output of the debug ip routing command on R1.

R1#
Jan 10 11:06:20.551: %TRACK-6-STATE: 1 ip sla 11 reachability Down -> Up
Jan 10 11:06:20.551: RT: updating static 0.0.0.0/0 (0x0) :
    via 209.165.201.1 0 1048578

Jan 10 11:06:20.551: RT: closer admin distance for 0.0.0.0, flushing 1 routes
Jan 10 11:06:20.551: RT: add 0.0.0.0/0 via 209.165.201.1, static metric [2/0]
Jan 10 11:06:20.551: RT: updating static 0.0.0.0/0 (0x0) :
    via 209.165.202.129 0 1048578

Jan 10 11:06:20.551: RT: rib update return code: 17
Jan 10 11:06:20.551: RT: updating static 0.0.0.0/0 (0x0) :
    via 209.165.202.129 0 1048578

Jan 10 11:06:20.551: RT: rib update return code: 17
Jan 10 11:06:20.551: RT: updating static 0.0.0.0/0 (0x0) :
    via 209.165.201.1 0 1048578

Jan 10 11:06:20.551: RT: rib update return code: 17
R1#



g. Again examine the IP SLA statistics.

R1# show ip sla statistics
IPSLAs Latest Operation Statistics

IPSLA operation id: 11
        Latest RTT: 8 milliseconds
Latest operation start time: 11:07:38 UTC Sat Jan 10 2015
Latest operation return code: OK
Number of successes: 182
Number of failures: 75
Operation time to live: Forever

IPSLA operation id: 22
        Latest RTT: 16 milliseconds
Latest operation start time: 11:07:39 UTC Sat Jan 10 2015
Latest operation return code: OK
Number of successes: 257
Number of failures: 0
Operation time to live: Forever
R1#

h. Verify the routing table.


R1# show ip route | begin Gateway
Gateway of last resort is 209.165.201.1 to network 0.0.0.0

S*    0.0.0.0/0 [2/0] via 209.165.201.1
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, Loopback0
L        192.168.1.1/32 is directly connected, Loopback0
      209.165.201.0/24 is variably subnetted, 2 subnets, 2 masks
C        209.165.201.0/30 is directly connected, Serial0/0/0
L        209.165.201.2/32 is directly connected, Serial0/0/0
      209.165.202.0/24 is variably subnetted, 2 subnets, 2 masks
C        209.165.202.128/30 is directly connected, Serial0/0/1
L        209.165.202.130/32 is directly connected, Serial0/0/1
R1#

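The behaviour exercised in Steps 4 and 5 (a tracking object with down/up delay gating a floating static route, and the routing table falling back to the next-lowest administrative distance) can be modelled outside the router. The following Python script is an added illustration, not part of the lab or of Cisco IOS: the class and function names (TrackedObject, select_default_route, simulate) are this example's own, and the probe results it replays are constructed to match the ISP1 DNS outage staged in Step 5.

```python
"""Model of IP SLA reachability tracking driving floating static default routes.

Added illustration (not part of the lab): it mimics R1 in Practical 1, where
probe 11 watches the ISP1 DNS server and probe 22 the ISP2 DNS server, tracking
objects 1 and 2 apply 'delay down 10 up 1', and three static default routes
compete on administrative distance (2 via ISP1, 3 via ISP2, 5 untracked via ISP1).
All probe results below are constructed; times are seconds, probes run every 10 s.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class TrackedObject:
    """track N ip sla M reachability, with 'delay down D up U' hysteresis.

    The model assumes the probe was already succeeding when the track was
    created (as in the lab), so the track starts Up.
    """
    sla_id: int
    delay_down: int
    delay_up: int
    state: str = "Up"
    pending_since: Optional[int] = None  # when the opposite condition was first seen

    def observe(self, probe_ok: bool, now: int) -> Optional[str]:
        """Feed one probe result; return the new state if the track flips, else None."""
        desired = "Up" if probe_ok else "Down"
        if desired == self.state:
            self.pending_since = None  # condition cleared inside the delay window: no change
            return None
        if self.pending_since is None:
            self.pending_since = now
        delay = self.delay_down if desired == "Down" else self.delay_up
        if now - self.pending_since >= delay:
            self.state, self.pending_since = desired, None
            return desired
        return None


@dataclass(frozen=True)
class StaticRoute:
    next_hop: str
    admin_distance: int
    track: Optional[int] = None  # tracking object number; None means untracked


# ip route 0.0.0.0 0.0.0.0 209.165.201.1 2 track 1
# ip route 0.0.0.0 0.0.0.0 209.165.202.129 3 track 2
# ip route 0.0.0.0 0.0.0.0 209.165.201.1 5
ROUTES = [
    StaticRoute("209.165.201.1", 2, track=1),
    StaticRoute("209.165.202.129", 3, track=2),
    StaticRoute("209.165.201.1", 5),
]


def select_default_route(routes, tracks):
    """Install the lowest-AD default route whose tracking object (if any) is Up."""
    eligible = [r for r in routes if r.track is None or tracks[r.track].state == "Up"]
    return min(eligible, key=lambda r: r.admin_distance)


def simulate(probe_log):
    """Replay (time, probe11_ok, probe22_ok) tuples; return the gateway changes as
    (time, next_hop, admin_distance), starting with the initial route."""
    tracks = {1: TrackedObject(11, delay_down=10, delay_up=1),
              2: TrackedObject(22, delay_down=10, delay_up=1)}
    chosen = select_default_route(ROUTES, tracks)
    history = [(0, chosen.next_hop, chosen.admin_distance)]
    for now, ok11, ok22 in probe_log:
        tracks[1].observe(ok11, now)
        tracks[2].observe(ok22, now)
        chosen = select_default_route(ROUTES, tracks)
        if (chosen.next_hop, chosen.admin_distance) != history[-1][1:]:
            history.append((now, chosen.next_hop, chosen.admin_distance))
    return history


def isp1_dns_outage_log():
    """Constructed: ISP1 DNS unreachable from t=40 until t=110, like Step 5."""
    return [(t, not 40 <= t < 110, True) for t in range(0, 200, 10)]


def single_failed_probe_log():
    """Constructed: one lost probe at t=40, recovered before the 10 s down delay."""
    return [(t, t != 40, True) for t in range(0, 100, 10)]


def both_isps_down_log():
    """Constructed: both DNS servers unreachable from t=30 until t=60."""
    return [(t, not 30 <= t < 60, not 30 <= t < 60) for t in range(0, 100, 10)]


if __name__ == "__main__":
    for when, hop, ad in simulate(isp1_dns_outage_log()):
        print(f"t={when:3d}s  S* 0.0.0.0/0 [{ad}/0] via {hop}")
```

Running the script prints the default route moving from ISP1 (AD 2) to ISP2 (AD 3) one probe interval after the second consecutive failure, and back as soon as one probe succeeds again, which is the sequence the debug ip routing output above shows. The single_failed_probe_log case produces no change at all, matching the note in Step 4d about momentary failures, and the both_isps_down_log case shows the purpose of the untracked AD 5 route.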
PRACTICAL 2
AIM: Using the AS_PATH Attribute

TOPOLOGY:

Objectives
• Use BGP commands to prevent private AS numbers from being advertised to the outside world.
• Use the AS_PATH attribute to filter BGP routes based on their source AS numbers.

Step 0: Suggested starting configurations.

a. Apply the following configuration to each router along with the appropriate hostname. The
exec-timeout 0 0 command should only be used in a lab environment.
Step 1: Configure interface addresses.
b. Using the addressing scheme in the diagram, create the loopback interfaces and apply IPv4
addresses to these and the serial interfaces on SanJose (R1), ISP (R2), and CustRtr (R3). The ISP
loopbacks simulate real networks. Set a clock rate on the DCE serial interfaces.

c. Use ping to test the connectivity between the directly connected routers.
Note: SanJose will not be able to reach either ISP’s loopback (10.2.2.1) or CustRtr’s loopback
(10.3.3.1), nor will it be able to reach either end of the link joining ISP to CustRtr (172.24.1.17 and
172.24.1.18).

Step 2: Configure BGP.


a. Configure BGP for normal operation. Enter the appropriate BGP commands on each router so that
they identify their BGP neighbors and advertise their loopback networks.

b. Verify that these routers have established the appropriate neighbor relationships by issuing the
show ip bgp neighbors command on each router.

Step 3: Remove the private AS.

a. Display the SanJose routing table using the show ip route command. SanJose should have a route
to both 10.2.2.0 and 10.3.3.0. Troubleshoot if necessary.
b. Ping the 10.3.3.1 address from SanJose.
c. Ping again, this time as an extended ping, sourcing from the Loopback0 interface address.

Note:
You can bypass extended ping mode and specify a source address using one of these
commands:

Or
d. Check the BGP table from SanJose by using the show ip bgp command. Note the AS path for the
10.3.3.0 network. The AS 65000 should be listed in the path to 10.3.3.0.

e. Configure ISP to strip the private AS numbers from BGP routes exchanged with SanJose using the
following commands.

f. After issuing these commands, use the clear ip bgp * command on ISP to reestablish the BGP
relationship between the three routers. Wait several seconds and then return to SanJose to check its
routing table.
Note: The clear ip bgp * soft command can also be used to force each router to resend its BGP
table.

SanJose should be able to ping 10.3.3.1 using its loopback 0 interface as the source of the ping.
Step 4: Use the AS_PATH attribute to filter routes.

a. Configure a special kind of access list to match BGP routes with an AS_PATH attribute that both
begins and ends with the number 100. Enter the following commands on ISP.

b. Apply the configured access list using the neighbor command with the filter-list option.

The out keyword specifies that the list is applied to routing information sent to this neighbor.
c. Use the clear ip bgp * command to reset the routing information. Wait several seconds and then
check the routing table for ISP. The route to 10.1.1.0 should be in the routing table.
Note: To force the local router to resend its BGP table, a less disruptive option is to use the clear ip
bgp * out or clear ip bgp * soft command (the second command performs both outgoing and
incoming route resync).
f. Run the following Tcl script on all routers to verify whether there is connectivity. All pings from ISP
should be successful. SanJose should not be able to ping the CustRtr loopback 10.3.3.1 or the WAN
link 172.24.1.16/30. CustRtr should not be able to ping the SanJose loopback 10.1.1.1 or the WAN
link 192.168.1.4/30.
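Steps 3 and 4 rely on two AS_PATH manipulations whose exact commands are not reproduced on this page: stripping private AS numbers before advertising to a peer, and filtering advertisements with an AS-path regular expression. The Python below is an added illustration of both mechanisms, written for this manual and not taken from Cisco IOS or the lab; its function names (remove_private_as, ios_regex, filter_list_permits, advertise), the sample BGP table and the access-list entries (deny ^100$, permit .*) are this example's own constructions based on the topology described above (SanJose in AS 100, ISP in AS 200, CustRtr in private AS 65000).

```python
"""Model of the two AS_PATH controls used in Practical 2.

Added illustration (not part of the lab): remove_private_as() mimics what
'neighbor ... remove-private-as' does to an advertised path, and
filter_list_permits() mimics an 'ip as-path access-list' applied with
'neighbor ... filter-list ... out'. The sample prefixes, paths and the
access-list entries are constructed after the lab topology (SanJose in AS 100,
ISP in AS 200, CustRtr in private AS 65000); the page itself does not show
the exact commands.
"""
import re

PRIVATE_AS_16BIT = range(64512, 65535)  # RFC 6996 private 16-bit ASNs (64512-65534)


def is_private_as(asn: int) -> bool:
    return asn in PRIVATE_AS_16BIT


def remove_private_as(as_path, strip_all=False):
    """Classic IOS behaviour: private ASNs are removed only when the whole path is
    private; a mixed public/private path is sent unchanged. strip_all models the
    later 'remove-private-as all' keyword, which drops every private ASN."""
    path = list(as_path)
    if strip_all:
        return [asn for asn in path if not is_private_as(asn)]
    return [] if all(is_private_as(asn) for asn in path) else path


def ios_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an IOS AS-path regex to Python. In IOS, '_' matches any boundary:
    start or end of the path, a space, a comma, or a brace/parenthesis of an AS_SET."""
    return re.compile(pattern.replace("_", r"(?:^|$|[ ,{}()])"))


def path_str(as_path) -> str:
    return " ".join(str(asn) for asn in as_path)


def filter_list_permits(as_path, access_list) -> bool:
    """access_list is an ordered list of (action, pattern); first match wins,
    and an AS-path access-list ends with an implicit deny."""
    text = path_str(as_path)
    for action, pattern in access_list:
        if ios_regex(pattern).search(text):
            return action == "permit"
    return False


def advertise(as_path, local_as, filter_list=None, strip_private=False, strip_all=False):
    """Return the AS_PATH an EBGP speaker in local_as would send for this route, or
    None when the outbound filter-list denies it. Both the filter-list and
    remove-private-as are evaluated on the path as held in the local table,
    before the local AS is prepended, which is why '^100$' matches a route
    learned from AS 100 even though the peer will receive '200 100'."""
    if filter_list is not None and not filter_list_permits(as_path, filter_list):
        return None
    path = remove_private_as(as_path, strip_all) if strip_private else list(as_path)
    return [local_as] + path


# Constructed access list implementing the policy described in Step 4: do not send
# CustRtr routes whose AS_PATH both begins and ends with 100, pass everything else.
FILTER_TO_CUSTRTR = [("deny", "^100$"), ("permit", ".*")]

# Constructed view of ISP's BGP table: prefix -> AS_PATH as received/originated.
ISP_TABLE = {
    "10.1.1.0/24": [100],    # learned from SanJose
    "10.2.2.0/24": [],       # ISP's own loopback network
    "10.3.3.0/24": [65000],  # learned from CustRtr
}


def isp_updates_to_custrtr():
    """What ISP (AS 200) sends CustRtr with the filter-list applied outbound
    (the route learned from CustRtr itself is not sent back to it)."""
    return {p: advertise(path, 200, filter_list=FILTER_TO_CUSTRTR)
            for p, path in ISP_TABLE.items() if p != "10.3.3.0/24"}


def isp_updates_to_sanjose():
    """What ISP sends SanJose with remove-private-as (Step 3): AS 65000 disappears."""
    return {p: advertise(path, 200, strip_private=True)
            for p, path in ISP_TABLE.items() if p != "10.1.1.0/24"}


if __name__ == "__main__":
    print("to CustRtr:", isp_updates_to_custrtr())
    print("to SanJose:", isp_updates_to_sanjose())
```

With these constructed inputs, CustRtr receives only 10.2.2.0/24 with path 200 and never learns 10.1.1.0/24, which is why the connectivity checks in Step 4f expect SanJose and CustRtr to be unable to reach each other's loopbacks, while SanJose sees 10.3.3.0/24 with path 200 alone, the private AS 65000 having been stripped as in Step 3.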
PRACTICAL 3
AIM: Configuring IBGP and EBGP Sessions, Local Preference, and MED

TOPOLOGY:

Objectives:
• For IBGP peers to correctly exchange routing information, use the next-hop-self
command with the Local-Preference and MED attributes.
• Ensure that the flat-rate, unlimited-use T1 link is used for sending and receiving data to
and from the AS 200 on ISP and that the metered T1 only be used in the event that the
primary T1 link has failed.

Step 0: Suggested starting configurations.


a. Apply the following configuration to each router along with the appropriate hostname. The
exec-timeout 0 0 command should only be used in a lab environment.

Router(config)# no ip domain-lookup
Router(config)# line con 0
Router(config-line)# logging synchronous
Router(config-line)# exec-timeout 0 0

Step 1: Configure interface addresses.

a. Using the addressing scheme in the diagram, create the loopback interfaces and apply IPv4
addresses to these and the serial interfaces on ISP (R1), SanJose1 (R2), and SanJose2 (R3).
Router R1 (hostname ISP)
ISP(config)# interface Loopback0
ISP(config-if)# ip address 192.168.100.1 255.255.255.0
ISP(config-if)# exit
ISP(config)# interface Serial0/0/0
ISP(config-if)# ip address 192.168.1.5 255.255.255.252
ISP(config-if)# clock rate 128000
ISP(config-if)# no shutdown
ISP(config-if)# exit
ISP(config)# interface Serial0/0/1
ISP(config-if)# ip address 192.168.1.1 255.255.255.252
ISP(config-if)# no shutdown
ISP(config-if)# end
ISP#
Router R2 (hostname SanJose1)
SanJose1(config)# interface Loopback0
SanJose1(config-if)# ip address 172.16.64.1 255.255.255.0
SanJose1(config-if)# exit
SanJose1(config)# interface Serial0/0/0
SanJose1(config-if)# ip address 192.168.1.6 255.255.255.252
SanJose1(config-if)# no shutdown
SanJose1(config-if)# exit
SanJose1(config)# interface Serial0/0/1
SanJose1(config-if)# ip address 172.16.1.1 255.255.255.0
SanJose1(config-if)# clock rate 128000
SanJose1(config-if)# no shutdown
SanJose1(config-if)# end
SanJose1#
Router R3 (hostname SanJose2)
SanJose2(config)# interface Loopback0
SanJose2(config-if)# ip address 172.16.32.1 255.255.255.0
SanJose2(config-if)# exit
SanJose2(config)# interface Serial0/0/0
SanJose2(config-if)# ip address 192.168.1.2 255.255.255.252
SanJose2(config-if)# clock rate 128000
SanJose2(config-if)# no shutdown
SanJose2(config-if)# exit
SanJose2(config)# interface Serial0/0/1
SanJose2(config-if)# ip address 172.16.1.2 255.255.255.0
SanJose2(config-if)# no shutdown
SanJose2(config-if)# end
SanJose2#
b. Use ping to test the connectivity between the directly connected routers. Both SanJose routers
should be able to ping each other and their local ISP serial link IP address. The ISP router cannot
reach the segment between SanJose1 and SanJose2.
Step 2: Configure EIGRP.
Configure EIGRP between the SanJose1 and SanJose2 routers. (Note: If using an IOS prior
to 15.0, use the no auto-summary router configuration command to disable automatic
summarization. This command is the default beginning with IOS 15.)
SanJose1(config)# router eigrp 1
SanJose1(config-router)# network 172.16.0.0

SanJose2(config)# router eigrp 1
SanJose2(config-router)# network 172.16.0.0

Step 3: Configure IBGP and verify BGP neighbors.


a. Configure IBGP between the SanJose1 and SanJose2 routers. On the SanJose1 router, enter the
following configuration.

SanJose1(config)# router bgp 64512


SanJose1(config-router)# neighbor 172.16.32.1 remote-as 64512
SanJose1(config-router)# neighbor 172.16.32.1 update-source lo0
If multiple pathways to the BGP neighbor exist, the router can use multiple IP interfaces to
communicate with the neighbor. The source IP address therefore depends on the outgoing
interface. The update-source lo0 command instructs the router to use the IP address of the
interface Loopback0 as the source IP address for all BGP messages sent to that neighbor.
b. Complete the IBGP configuration on SanJose2 using the following commands.

SanJose2(config)# router bgp 64512


SanJose2(config-router)# neighbor 172.16.64.1 remote-as 64512
SanJose2(config-router)# neighbor 172.16.64.1 update-source lo0
c. Verify that SanJose1 and SanJose2 become BGP neighbors by issuing the show ip bgp
neighbors command on SanJose1. View the following partial output. If the BGP state is not
established, troubleshoot the connection.

SanJose2# show ip bgp neighbors
BGP neighbor is 172.16.64.1,  remote AS 64512, internal link
  BGP version 4, remote router ID 172.16.64.1
  BGP state = Established, up for 00:00:22
  Last read 00:00:22, last write 00:00:22, hold time is 180, keepalive interval is 60 seconds
<output omitted>

The link between SanJose1 and SanJose2 should be identified as an internal link indicating
an IBGP peering relationship, as shown in the output.

Step 4: Configure EBGP and verify BGP neighbors.


a. Configure ISP to run EBGP with SanJose1 and SanJose2. Enter the following commands on
ISP.

ISP(config)# router bgp 200


ISP(config-router)# neighbor 192.168.1.6 remote-as 64512
ISP(config-router)# neighbor 192.168.1.2 remote-as 64512
ISP(config-router)# network 192.168.100.0
Because EBGP sessions are almost always established over point-to-point links, there is no
reason to use the update-source keyword in this configuration. Only one path exists between
the peers. If this path goes down, alternative paths are not available.
b. Configure a discard static route for the 172.16.0.0/16 network. Any packets that do not have a
more specific match (longer match) for a 172.16.0.0 subnet will be dropped instead of sent to
the ISP. Later in this lab we will configure a default route to the ISP.

SanJose1(config)# ip route 172.16.0.0 255.255.0.0 null0


c. Configure SanJose1 as an EBGP peer to ISP.

SanJose1(config)# router bgp 64512


SanJose1(config-router)# neighbor 192.168.1.5 remote-as 200
SanJose1(config-router)# network 172.16.0.0
d. Use the show ip bgp neighbors command to verify that SanJose1 and ISP have reached
the established state. Troubleshoot if necessary.

SanJose1# show ip bgp neighbors
BGP neighbor is 172.16.32.1,  remote AS 64512, internal link
  BGP version 4, remote router ID 172.16.32.1
  BGP state = Established, up for 00:12:43
<output omitted>

BGP neighbor is 192.168.1.5,  remote AS 200, external link
  BGP version 4, remote router ID 192.168.100.1
  BGP state = Established, up for 00:06:49
  Last read 00:00:42, last write 00:00:45, hold time is 180, keepalive interval is 60 seconds
<output omitted>

Notice that the “external link” indicates that an EBGP peering session has been established.
You should also see an informational message indicating the establishment of the BGP
neighbor relationship.

*Sep 8 21:09:59.699: %BGP-5-ADJCHANGE: neighbor 192.168.1.5 Up



e. Configure a discard static route for 172.16.0.0/16 on SanJose2 and as an EBGP peer to ISP.

SanJose2(config)# ip route 172.16.0.0 255.255.0.0 null0
SanJose2(config)# router bgp 64512
SanJose2(config-router)# neighbor 192.168.1.1 remote-as 200
SanJose2(config-router)# network 172.16.0.0

Step 5: View BGP summary output.

In Step 4, the show ip bgp neighbors command was used to verify that SanJose1 and ISP had
reached the established state. A useful alternative command is show ip bgp summary. The
output should be similar to the following.
SanJose2# show ip bgp summary
BGP router identifier 172.16.32.1, local AS number 64512
BGP table version is 6, main routing table version 6
2 network entries using 288 bytes of memory
4 path entries using 320 bytes of memory
4/2 BGP path/bestpath attribute entries using 640 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1272 total bytes of memory
BGP activity 2/0 prefixes, 4/0 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
172.16.64.1     4        64512      27      26        6    0    0 00:18:15        2
192.168.1.1     4          200      10       7        6    0    0 00:01:42        1
SanJose2#

Step 6: Verify which path the traffic takes.


f. Clear the IP BGP conversation with the clear ip bgp * command on ISP. Wait for the
conversations to reestablish with each SanJose router.

ISP# clear ip bgp *
ISP#
*Nov 9 22:05:32.427: %BGP-5-ADJCHANGE: neighbor 192.168.1.2 Down User reset
*Nov 9 22:05:32.427: %BGP_SESSION-5-ADJCHANGE: neighbor 192.168.1.2 IPv4 Unicast topology base removed from session  User reset
*Nov 9 22:05:32.427: %BGP-5-ADJCHANGE: neighbor 192.168.1.6 Down User reset
*Nov 9 22:05:32.427: %BGP_SESSION-5-ADJCHANGE: neighbor 192.168.1.6 IPv4 Unicast topology base removed from session  User reset
*Nov 9 22:05:32.851: %BGP-5-ADJCHANGE: neighbor 192.168.1.2 Up
*Nov 9 22:05:32.851: %BGP-5-ADJCHANGE: neighbor 192.168.1.6 Up
ISP#
g. Test whether ISP can ping the loopback 0 address of 172.16.64.1 on SanJose1 and the serial
link between SanJose1 and SanJose2, 172.16.1.1.

ISP# ping 172.16.64.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.64.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
ISP#
ISP# ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
ISP#
h. Now ping from ISP to the loopback 0 address of 172.16.32.1 on SanJose2 and the serial link
between SanJose1 and SanJose2, 172.16.1.2.

ISP# ping 172.16.32.1


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.32.1, timeout is 2 seconds: !!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/14/16 ms
ISP# ping 172.16.1.2
Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:


!!!!! Success rate is 100 percent (5/5), round-trip min/avg/max =
12/13/16 ms
ISP#
i. Issue the show ip bgp command on ISP to verify BGP routes and metrics.

ISP# show ip bgp
BGP table version is 3, local router ID is 192.168.100.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *   172.16.0.0       192.168.1.6              0             0 64512 i
 *>                   192.168.1.2              0             0 64512 i
 *>  192.168.100.0    0.0.0.0                  0         32768 i
ISP#

j. At this point, the ISP router should be able to reach each network connected to SanJose1 and
SanJose2 from its loopback address 192.168.100.1. Use the extended ping command and
specify the source address of ISP Lo0 to test. These pings succeed because ISP advertises
192.168.100.0/24 in BGP, so both SanJose routers have a return route to the source address.

ISP# ping 172.16.1.1 source 192.168.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.100.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/21/24 ms
ISP# ping 172.16.32.1 source 192.168.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.32.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.100.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/16 ms
ISP# ping 172.16.1.2 source 192.168.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.100.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/16 ms
ISP# ping 172.16.64.1 source 192.168.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.64.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.100.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/21/24 ms
ISP#

You can also use the extended ping dialogue to specify the source address, as shown in this
example.

ISP# ping
Protocol [ip]:
Target IP address: 172.16.64.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.100.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.64.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.100.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/24 ms
ISP#

Complete reachability has been demonstrated between the ISP router and both SanJose1
and SanJose2.

Step 7: Configure the BGP next-hop-self feature.

SanJose1 is unaware of the link between ISP and SanJose2, and SanJose2 is unaware of the link
between ISP and SanJose1. Before ISP can successfully ping all the internal serial interfaces of
AS 64512 from its own WAN addresses, these serial links must be known inside AS 64512. One
method is for ISP to advertise the links via BGP; alternatively, each SanJose router could carry
them in EIGRP.
a. Issue the following commands on the ISP router.

ISP(config)# router bgp 200
ISP(config-router)# network 192.168.1.0 mask 255.255.255.252
ISP(config-router)# network 192.168.1.4 mask 255.255.255.252

b. Issue the show ip bgp command to verify that ISP is correctly injecting its own WAN links
into BGP.

ISP# show ip bgp
BGP table version is 5, local router ID is 192.168.100.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *   172.16.0.0       192.168.1.6              0             0 64512 i
 *>                   192.168.1.2              0             0 64512 i
 *>  192.168.1.0/30   0.0.0.0                  0         32768 i
 *>  192.168.1.4/30   0.0.0.0                  0         32768 i
 *>  192.168.100.0    0.0.0.0                  0         32768 i
ISP#
c. Verify on SanJose1 and SanJose2 that the opposite WAN link is included in the routing table.
The output from SanJose2 is as follows.

SanJose2# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 6 subnets, 3 masks
S        172.16.0.0/16 is directly connected, Null0
C        172.16.1.0/24 is directly connected, Serial0/0/1
L        172.16.1.2/32 is directly connected, Serial0/0/1
C        172.16.32.0/24 is directly connected, Loopback0
L        172.16.32.1/32 is directly connected, Loopback0
D        172.16.64.0/24 [90/2297856] via 172.16.1.1, 00:52:03, Serial0/0/1
      192.168.1.0/24 is variably subnetted, 3 subnets, 2 masks
C        192.168.1.0/30 is directly connected, Serial0/0/0
L        192.168.1.2/32 is directly connected, Serial0/0/0
B        192.168.1.4/30 [20/20] via 192.168.1.1, 00:01:03
B     192.168.100.0/24 [20/0] via 192.168.1.1, 00:25:20
SanJose2#

d. To better understand the next-hop-self command, remove the two WAN link network statements
from ISP and shut down the WAN link between ISP and SanJose2. The only possible path from
SanJose2 to ISP's 192.168.100.0/24 is then through SanJose1.

ISP(config)# router bgp 200
ISP(config-router)# no network 192.168.1.0 mask 255.255.255.252
ISP(config-router)# no network 192.168.1.4 mask 255.255.255.252
ISP(config-router)# exit
ISP(config)# interface serial 0/0/1
ISP(config-if)# shutdown
ISP(config-if)#
e. Display SanJose2's BGP table using the show ip bgp command and the IPv4 routing table with
show ip route. The path to 192.168.100.0/24 is not marked best (>): its next hop, 192.168.1.5,
is ISP's address on the SanJose1 link, which SanJose2 cannot reach, so the network is absent
from the routing table.

SanJose2# show ip bgp
BGP table version is 1, local router ID is 172.16.32.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 * i 172.16.0.0       172.16.64.1              0    100      0 i
 * i 192.168.100.0    192.168.1.5              0    100      0 200 i
SanJose2#

SanJose2# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 6 subnets, 3 masks
S        172.16.0.0/16 is directly connected, Null0
C        172.16.1.0/24 is directly connected, Serial0/0/1
L        172.16.1.2/32 is directly connected, Serial0/0/1
C        172.16.32.0/24 is directly connected, Loopback0
L        172.16.32.1/32 is directly connected, Loopback0
D        172.16.64.0/24 [90/2297856] via 172.16.1.1, 02:41:46, Serial0/0/1
SanJose2#

f. Issue the next-hop-self command on SanJose1 and SanJose2 so that each advertises itself as
the next hop to its IBGP peer.

SanJose1(config)# router bgp 64512
SanJose1(config-router)# neighbor 172.16.32.1 next-hop-self

SanJose2(config)# router bgp 64512
SanJose2(config-router)# neighbor 172.16.64.1 next-hop-self
g. Reset BGP operation on either router with the clear ip bgp * command.

SanJose1# clear ip bgp *
SanJose1#

SanJose2# clear ip bgp *
SanJose2#
h. After the routers have returned to the established state, issue the show ip bgp command on
SanJose2 and notice that the next hop is now SanJose1 instead of ISP.

SanJose2# show ip bgp
BGP table version is 5, local router ID is 172.16.32.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  172.16.0.0       0.0.0.0                  0         32768 i
 * i                  172.16.64.1              0    100      0 i
 *>i 192.168.100.0    172.16.64.1              0    100      0 200 i
SanJose2#
i. The show ip route command on SanJose2 now displays the 192.168.100.0/24 network,
because the next hop is SanJose1 (172.16.64.1), which is reachable from SanJose2.

SanJose2# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 6 subnets, 3 masks
S        172.16.0.0/16 is directly connected, Null0
C        172.16.1.0/24 is directly connected, Serial0/0/1
L        172.16.1.2/32 is directly connected, Serial0/0/1
C        172.16.32.0/24 is directly connected, Loopback0
L        172.16.32.1/32 is directly connected, Loopback0
D        172.16.64.0/24 [90/2297856] via 172.16.1.1, 04:27:19, Serial0/0/1
B     192.168.100.0/24 [200/0] via 172.16.64.1, 00:00:46
SanJose2#

j. Before configuring the next BGP attribute, restore the WAN link between ISP and SanJose2.
This changes the BGP table and routing table on both routers. For example, SanJose2's routing
table now shows 192.168.100.0/24 with a better path directly through ISP, because an EBGP path
is preferred over an IBGP path when the other attributes are equal.

ISP(config)# interface serial 0/0/1
ISP(config-if)# no shutdown
ISP(config-if)#

SanJose2# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 6 subnets, 3 masks
S        172.16.0.0/16 is directly connected, Null0
C        172.16.1.0/24 is directly connected, Serial0/0/1
L        172.16.1.2/32 is directly connected, Serial0/0/1
C        172.16.32.0/24 is directly connected, Loopback0
L        172.16.32.1/32 is directly connected, Loopback0
D        172.16.64.0/24 [90/2297856] via 172.16.1.1, 04:37:34, Serial0/0/1
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/30 is directly connected, Serial0/0/0
L        192.168.1.2/32 is directly connected, Serial0/0/0
B     192.168.100.0/24 [20/0] via 192.168.1.1, 00:01:35
SanJose2#

Step 8: Set BGP local preference.

At this point everything looks good, with the exception of default routes, the outbound flow of
data, and the inbound flow of packets.

a. Because the local preference value is shared between IBGP neighbors, configure a simple
route map that sets the local preference value on SanJose1 and SanJose2. This policy adjusts
outbound traffic to prefer the link off SanJose1 instead of the metered T1 off SanJose2.

SanJose1(config)# route-map PRIMARY_T1_IN permit 10
SanJose1(config-route-map)# set local-preference 150
SanJose1(config-route-map)# exit
SanJose1(config)# router bgp 64512
SanJose1(config-router)# neighbor 192.168.1.5 route-map PRIMARY_T1_IN in

SanJose2(config)# route-map SECONDARY_T1_IN permit 10
SanJose2(config-route-map)# set local-preference 125
SanJose2(config-route-map)# exit
SanJose2(config)# router bgp 64512
SanJose2(config-router)# neighbor 192.168.1.1 route-map SECONDARY_T1_IN in
b. Use the clear ip bgp * soft command after configuring this new policy. When the sessions
have been reestablished, issue the show ip bgp command on SanJose1 and SanJose2.

SanJose1# clear ip bgp * soft
SanJose2# clear ip bgp * soft

SanJose1# show ip bgp
BGP table version is 3, local router ID is 172.16.64.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 * i 172.16.0.0       172.16.32.1              0    100      0 i
 *>                   0.0.0.0                  0         32768 i
 *>  192.168.100.0    192.168.1.5              0    150      0 200 i
SanJose1#

SanJose2# show ip bgp
BGP table version is 7, local router ID is 172.16.32.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 * i 172.16.0.0       172.16.64.1              0    100      0 i
 *>                   0.0.0.0                  0         32768 i
 *>i 192.168.100.0    172.16.64.1              0    150      0 200 i
 *                    192.168.1.1              0    125      0 200 i
SanJose2#

Step 9: Set BGP MED.

a. In the previous step, SanJose1 and SanJose2 were configured to route traffic for
192.168.100.0/24 over the link between SanJose1 and ISP. Examine the return path ISP takes
to reach AS 64512. Notice that the return path differs from the outbound path. This is known as
asymmetric routing and is not necessarily an unwanted trait.

ISP# show ip bgp
BGP table version is 22, local router ID is 192.168.100.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *   172.16.0.0       192.168.1.6              0             0 64512 i
 *>                   192.168.1.2              0             0 64512 i
 *>  192.168.100.0    0.0.0.0                  0         32768 i
ISP# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

B     172.16.0.0/16 [20/0] via 192.168.1.2, 00:12:45
      192.168.1.0/24 is variably subnetted, 4 subnets, 2 masks
C        192.168.1.0/30 is directly connected, Serial0/0/1
L        192.168.1.1/32 is directly connected, Serial0/0/1
C        192.168.1.4/30 is directly connected, Serial0/0/0
L        192.168.1.5/32 is directly connected, Serial0/0/0
      192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.100.0/24 is directly connected, Loopback0
L        192.168.100.1/32 is directly connected, Loopback0
ISP#

To verify this, the simplest solution is to issue the show ip bgp command on the ISP router, as
was done above. What if access to the ISP router were not available? Traffic returning from the
Internet should not be passed across the metered T1. Is there a simple way to verify this before
receiving the monthly bill? How can it be checked instantly?

b. Use an extended ping command to verify this situation. Specify the record option and
compare your output to the following. Notice the return path using the ISP exit interface
192.168.1.1 toward SanJose2.

SanJose2# ping
Protocol [ip]:
Target IP address: 192.168.100.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.16.32.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]: record
Number of hops [ 9 ]:
Loose, Strict, Record, Timestamp, Verbose[RV]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.32.1
Packet has IP options:  Total option bytes= 39, padded length=40
 Record route: <*>
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)

Reply to request 0 (20 ms).  Received packet has options
 Total option bytes= 40, padded length=40
 Record route:
   (172.16.1.2)
   (192.168.1.6)
   (192.168.100.1)
   (192.168.1.1)
   (172.16.32.1) <*>
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
 End of list

Reply to request 1 (20 ms).  Received packet has options
 Total option bytes= 40, padded length=40
 Record route:
   (172.16.1.2)
   (192.168.1.6)
   (192.168.100.1)
   (192.168.1.1)
   (172.16.32.1) <*>
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
 End of list

Reply to request 2 (20 ms).  Received packet has options
 Total option bytes= 40, padded length=40
 Record route:
   (172.16.1.2)
   (192.168.1.6)
   (192.168.100.1)
   (192.168.1.1)
   (172.16.32.1) <*>
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
 End of list

Reply to request 3 (24 ms).  Received packet has options
 Total option bytes= 40, padded length=40
 Record route:
   (172.16.1.2)
   (192.168.1.6)
   (192.168.100.1)
   (192.168.1.1)
   (172.16.32.1) <*>
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
 End of list

Reply to request 4 (20 ms).  Received packet has options
 Total option bytes= 40, padded length=40
 Record route:
   (172.16.1.2)
   (192.168.1.6)
   (192.168.100.1)
   (192.168.1.1)
   (172.16.32.1) <*>
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
 End of list

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/24 ms
SanJose2#

c. Create a new policy to force the ISP router to return all traffic via SanJose1. Create a
second route map that sets the MED (metric), which is advertised to EBGP neighbors. A lower
MED is preferred, and ISP compares the two MEDs only because both paths arrive from the same
neighboring AS, 64512.

SanJose1(config)# route-map PRIMARY_T1_MED_OUT permit 10
SanJose1(config-route-map)# set metric 50
SanJose1(config-route-map)# exit
SanJose1(config)# router bgp 64512
SanJose1(config-router)# neighbor 192.168.1.5 route-map PRIMARY_T1_MED_OUT out

SanJose2(config)# route-map SECONDARY_T1_MED_OUT permit 10
SanJose2(config-route-map)# set metric 75
SanJose2(config-route-map)# exit
SanJose2(config)# router bgp 64512
SanJose2(config-router)# neighbor 192.168.1.1 route-map SECONDARY_T1_MED_OUT out
d. Use the clear ip bgp * soft command after applying this new policy. Issuing the show ip bgp
command on SanJose1 or SanJose2 does not indicate anything about the newly defined policy,
because the MED is set on the updates sent to ISP, not on the paths the SanJose routers hold
locally.

SanJose1# clear ip bgp * soft
SanJose2# clear ip bgp * soft

SanJose1# show ip bgp
BGP table version is 4, local router ID is 172.16.64.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 * i 172.16.0.0       172.16.32.1              0    100      0 i
 *>                   0.0.0.0                  0         32768 i
 *>  192.168.100.0    192.168.1.5              0    150      0 200 i
SanJose1#

SanJose2# show ip bgp
BGP table version is 8, local router ID is 172.16.32.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 * i 172.16.0.0       172.16.64.1              0    100      0 i
 *>                   0.0.0.0                  0         32768 i
 *>i 192.168.100.0    172.16.64.1              0    150      0 200 i
 *                    192.168.1.1              0    125      0 200 i
SanJose2#

e. Reissue the extended ping command with the record option. Notice the change in the return
path, which now uses the ISP exit interface 192.168.1.5 toward SanJose1.

SanJose2# ping
Protocol [ip]:
Target IP address: 192.168.100.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.16.32.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]: record
Number of hops [ 9 ]:
Loose, Strict, Record, Timestamp, Verbose[RV]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.32.1
Packet has IP options:  Total option bytes= 39, padded length=40
 Record route: <*>
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)

Reply to request 0 (28 ms).  Received packet has options
 Total option bytes= 40, padded length=40
 Record route:
   (172.16.1.2)
   (192.168.1.6)
   (192.168.100.1)
   (192.168.1.5)
   (172.16.1.1)
   (172.16.32.1) <*>
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
 End of list

Reply to request 1 (28 ms).  Received packet has options
 Total option bytes= 40, padded length=40
 Record route:
   (172.16.1.2)
   (192.168.1.6)
   (192.168.100.1)
   (192.168.1.5)
   (172.16.1.1)
   (172.16.32.1) <*>
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
 End of list

Reply to request 2 (28 ms).  Received packet has options
 Total option bytes= 40, padded length=40
 Record route:
   (172.16.1.2)
   (192.168.1.6)
   (192.168.100.1)
   (192.168.1.5)
   (172.16.1.1)
   (172.16.32.1) <*>
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
 End of list

Reply to request 3 (28 ms).  Received packet has options
 Total option bytes= 40, padded length=40
 Record route:
   (172.16.1.2)
   (192.168.1.6)
   (192.168.100.1)
   (192.168.1.5)
   (172.16.1.1)
   (172.16.32.1) <*>
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
 End of list

Reply to request 4 (28 ms).  Received packet has options
 Total option bytes= 40, padded length=40
 Record route:
   (172.16.1.2)
   (192.168.1.6)
   (192.168.100.1)
   (192.168.1.5)
   (172.16.1.1)
   (172.16.32.1) <*>
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
 End of list

Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
SanJose2#

ISP# show ip bgp
BGP table version is 24, local router ID is 192.168.100.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  172.16.0.0       192.168.1.6             50             0 64512 i
 *                    192.168.1.2             75             0 64512 i
*> 192.168.100.0 0.0.0.0 0 32768 i
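The record-route check above is something worth automating when the ISP router cannot be inspected directly. The following is an added example and not part of the original lab: it parses the record-route replies from the two extended pings in this step (copied below as constructed sample input, one reply from before the MED policy and one from after) and reports whether the return leg crossed the metered T1. The function names and the "metered"/"primary" labels are this example's own; the addresses are the lab's.

```python
"""Check which WAN link the return leg of an IOS extended ping used.

Added example, not the lab's own material. Parses the "Record route:" list
that IOS prints for each reply and splits it at the ping target.
"""
import re

# ISP-side addresses of the two WAN links, taken from the lab topology.
METERED_T1 = "192.168.1.1"   # ISP <-> SanJose2, the metered link
PRIMARY_T1 = "192.168.1.5"   # ISP <-> SanJose1
ISP_LO0 = "192.168.100.1"    # ping target (ISP Loopback0)

# Constructed sample input: one echo reply from each of the two pings above.
REPLY_BEFORE_MED = """\
Reply to request 0 (20 ms).  Received packet has options
 Total option bytes= 40, padded length=40
 Record route:
   (172.16.1.2)
   (192.168.1.6)
   (192.168.100.1)
   (192.168.1.1)
   (172.16.32.1) <*>
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
 End of list
"""

REPLY_AFTER_MED = """\
Reply to request 0 (28 ms).  Received packet has options
 Total option bytes= 40, padded length=40
 Record route:
   (172.16.1.2)
   (192.168.1.6)
   (192.168.100.1)
   (192.168.1.5)
   (172.16.1.1)
   (172.16.32.1) <*>
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
 End of list
"""

_HOP = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def parse_record_route(reply):
    """Return the recorded hop addresses of one reply, in order, skipping the
    unused (0.0.0.0) slots. Each entry is the address a router inserted as it
    forwarded the packet, so the list covers both directions of the ping."""
    hops, in_list = [], False
    for line in reply.splitlines():
        if "Record route:" in line:
            in_list = True
            continue
        if "End of list" in line:
            break
        if in_list:
            m = _HOP.search(line)
            if m and m.group(1) != "0.0.0.0":
                hops.append(m.group(1))
    return hops


def split_paths(hops, target):
    """Split the hop list at the target: everything up to and including the
    target's entry is the forward leg, the rest is the return leg."""
    i = hops.index(target)
    return hops[: i + 1], hops[i + 1 :]


def return_leg_uses(reply, link_addr, target=ISP_LO0):
    """True if the return leg of this reply traversed link_addr."""
    _, back = split_paths(parse_record_route(reply), target)
    return link_addr in back


def audit(reply, target=ISP_LO0):
    """Summarise one reply: forward leg, return leg, and whether the return
    traffic came back over the metered T1."""
    fwd, back = split_paths(parse_record_route(reply), target)
    return {"forward": fwd, "return": back, "metered_on_return": METERED_T1 in back}


if __name__ == "__main__":
    for name, reply in (("before MED", REPLY_BEFORE_MED), ("after MED", REPLY_AFTER_MED)):
        print(name, audit(reply))
```

The forward leg is identical in both replies (SanJose2, SanJose1, ISP); only the return leg changes once the MED policy is in place. Pasting a real reply block into `audit` gives the same yes/no answer the ISP's show ip bgp would, without needing access to the ISP router.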

Step 10: Establish a default route.

The final step is to establish a default route that uses a policy statement that adjusts to changes in
the network.

a. Configure ISP to inject a default route to both SanJose1 and SanJose2 using the BGP
default-originate command. This command does not require a 0.0.0.0/0 route to be present on
the ISP router. Also configure a loopback in the 10.0.0.0/8 network; it is not advertised in BGP
and is used to test the default route from SanJose1 and SanJose2.

ISP(config)# router bgp 200
ISP(config-router)# neighbor 192.168.1.6 default-originate
ISP(config-router)# neighbor 192.168.1.2 default-originate
ISP(config-router)# exit
ISP(config)# interface loopback 10
ISP(config-if)# ip address 10.0.0.1 255.255.255.0
ISP(config-if)#
b. Verify that both routers have received the default route by examining the routing tables on
SanJose1 and SanJose2. Notice that both routers prefer the route between SanJose1 and ISP.

SanJose1# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.1.5 to network 0.0.0.0

B*    0.0.0.0/0 [20/0] via 192.168.1.5, 00:00:36
      172.16.0.0/16 is variably subnetted, 6 subnets, 3 masks
S        172.16.0.0/16 is directly connected, Null0
C        172.16.1.0/24 is directly connected, Serial0/0/1
L        172.16.1.1/32 is directly connected, Serial0/0/1
D        172.16.32.0/24 [90/2297856] via 172.16.1.2, 05:47:24, Serial0/0/1
C        172.16.64.0/24 is directly connected, Loopback0
L        172.16.64.1/32 is directly connected, Loopback0
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.4/30 is directly connected, Serial0/0/0
L        192.168.1.6/32 is directly connected, Serial0/0/0
SanJose1#

SanJose2# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 172.16.64.1 to network 0.0.0.0

B*    0.0.0.0/0 [20/0] via 172.16.64.1, 00:00:45
      172.16.0.0/16 is variably subnetted, 6 subnets, 3 masks
S        172.16.0.0/16 is directly connected, Null0
C        172.16.1.0/24 is directly connected, Serial0/0/1
L        172.16.1.2/32 is directly connected, Serial0/0/1
C        172.16.32.0/24 is directly connected, Loopback0
L        172.16.32.1/32 is directly connected, Loopback0
D        172.16.64.0/24 [90/2297856] via 172.16.1.1, 05:47:33, Serial0/0/1
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/30 is directly connected, Serial0/0/0
L        192.168.1.2/32 is directly connected, Serial0/0/0
SanJose2#
c. The preferred default route is by way of SanJose1 because of the higher local preference
attribute configured on SanJose1 earlier.

SanJose2# show ip bgp
BGP table version is 38, local router ID is 172.16.32.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>i 0.0.0.0          172.16.64.1              0    150      0 200 i
 *                    192.168.1.1                   125      0 200 i
 * i 172.16.0.0       172.16.64.1              0    100      0 i
 *>                   0.0.0.0                  0         32768 i
 *>i 192.168.100.0    172.16.64.1              0    150      0 200 i
 *                    192.168.1.1              0    125      0 200 i
SanJose2#

d. Using the traceroute command, verify that packets to 10.0.0.1 use the default route
through SanJose1.

SanJose2# traceroute 10.0.0.1
Type escape sequence to abort.
Tracing the route to 10.0.0.1
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.1.1 8 msec 4 msec 8 msec
  2 192.168.1.5 [AS 200] 12 msec * 12 msec
SanJose2#
e. Next, test how BGP adapts by using a different default route when the path between
SanJose1 and ISP goes down.

ISP(config)# interface serial 0/0/0
ISP(config-if)# shutdown
ISP(config-if)#

f. Verify that both routers have modified their routing tables and now use the default route via
the path between SanJose2 and ISP.

SanJose1# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 172.16.32.1 to network 0.0.0.0

B*    0.0.0.0/0 [200/0] via 172.16.32.1, 00:00:06
      172.16.0.0/16 is variably subnetted, 6 subnets, 3 masks
S        172.16.0.0/16 is directly connected, Null0
C        172.16.1.0/24 is directly connected, Serial0/0/1
L        172.16.1.1/32 is directly connected, Serial0/0/1
D        172.16.32.0/24 [90/2297856] via 172.16.1.2, 05:49:25, Serial0/0/1
C        172.16.64.0/24 is directly connected, Loopback0
L        172.16.64.1/32 is directly connected, Loopback0
B     192.168.100.0/24 [200/0] via 172.16.32.1, 00:00:06
SanJose1#

SanJose2# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

B*    0.0.0.0/0 [20/0] via 192.168.1.1, 00:00:30
      172.16.0.0/16 is variably subnetted, 6 subnets, 3 masks
S        172.16.0.0/16 is directly connected, Null0
C        172.16.1.0/24 is directly connected, Serial0/0/1
L        172.16.1.2/32 is directly connected, Serial0/0/1
C        172.16.32.0/24 is directly connected, Loopback0
L        172.16.32.1/32 is directly connected, Loopback0
D        172.16.64.0/24 [90/2297856] via 172.16.1.1, 05:49:49, Serial0/0/1
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/30 is directly connected, Serial0/0/0
L        192.168.1.2/32 is directly connected, Serial0/0/0
B     192.168.100.0/24 [20/0] via 192.168.1.1, 00:00:30
SanJose2#

g. Verify the new path using the traceroute command to 10.0.0.1 from SanJose1. Notice the
default route is now through SanJose2.

SanJose1# trace 10.0.0.1
Type escape sequence to abort.
Tracing the route to 10.0.0.1
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.1.2 8 msec 8 msec 8 msec
  2 192.168.1.1 [AS 200] 12 msec * 12 msec
SanJose1#
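Steps 7 to 10 each exercise one stage of BGP best-path selection: an unreachable next hop (Step 7), local preference (Step 8), MED (Step 9), and failover once a path is withdrawn (Step 10). The model below is an added example, not part of the lab: it implements only the selection steps the lab reaches (reachable next hop, weight, local preference, AS-path length, origin, MED, and EBGP over IBGP), feeds it the attributes read from the show ip bgp tables above, and reproduces each step's outcome. Later tie-breakers (IGP metric, path age, router ID) are deliberately left out and reported as a tie. The Path class and function names are this example's own; the addresses and attribute values are the lab's.

```python
"""Model of the BGP best-path steps exercised in Steps 7 to 10.

Added example, not the lab's own material. Covers: reachable next hop,
weight, local preference, AS-path length, origin, MED (compared only between
paths from the same neighbouring AS, as IOS does without
bgp always-compare-med), and EBGP over IBGP.
"""
from dataclasses import dataclass
from functools import cmp_to_key

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # IGP preferred over EGP over incomplete


@dataclass(frozen=True)
class Path:
    next_hop: str
    as_path: tuple = ()
    weight: int = 0
    local_pref: int = 100
    origin: str = "i"
    med: int = 0
    ebgp: bool = True          # learned from an external peer
    reachable: bool = True     # next hop resolvable via IGP or connected routes


def compare(a, b):
    """Negative if a is preferred, positive if b is, 0 if the modelled
    steps cannot separate them."""
    for key in (lambda p: -p.weight,               # highest weight
                lambda p: -p.local_pref,           # highest local preference
                lambda p: len(p.as_path),          # shortest AS path
                lambda p: ORIGIN_RANK[p.origin]):  # lowest origin code
        if key(a) != key(b):
            return key(a) - key(b)
    if a.as_path[:1] == b.as_path[:1] and a.med != b.med:   # lowest MED, same neighbour AS only
        return a.med - b.med
    if a.ebgp != b.ebgp:                           # EBGP over IBGP
        return -1 if a.ebgp else 1
    return 0


def best_path(paths):
    """Winning Path, or None if no next hop is reachable or the modelled
    steps end in a tie (a real router would go on to IGP metric, age, router ID)."""
    candidates = sorted((p for p in paths if p.reachable), key=cmp_to_key(compare))
    if not candidates:
        return None
    if len(candidates) > 1 and compare(candidates[0], candidates[1]) == 0:
        return None
    return candidates[0]


def _nh(path):
    return path.next_hop if path else None


def sanjose2_route_step7(next_hop_self):
    """SanJose2's IBGP path to 192.168.100.0/24 with the ISP-SanJose2 link down.
    Without next-hop-self the next hop is ISP's 192.168.1.5, which SanJose2
    cannot resolve, so nothing is installed."""
    nh = "172.16.64.1" if next_hop_self else "192.168.1.5"
    return _nh(best_path([Path(nh, (200,), ebgp=False, reachable=next_hop_self)]))


def sanjose2_route_step8(local_pref_policy=True, sanjose1_link_up=True):
    """SanJose2's two paths to ISP's networks. SanJose1 tags its EBGP path with
    local preference 150 and passes it over IBGP; SanJose2 tags its own EBGP
    path with 125. Without the policy both sit at 100 and the EBGP path wins.
    With sanjose1_link_up=False the IBGP path is withdrawn (Step 10)."""
    via_sj1 = Path("172.16.64.1", (200,), local_pref=150 if local_pref_policy else 100, ebgp=False)
    via_isp = Path("192.168.1.1", (200,), local_pref=125 if local_pref_policy else 100, ebgp=True)
    return _nh(best_path([via_sj1, via_isp] if sanjose1_link_up else [via_isp]))


def isp_route_step9(med_policy=True):
    """ISP's two EBGP paths to 172.16.0.0/16, both from AS 64512, so MED applies.
    Before the MED policy both MEDs are 0 and the modelled steps tie."""
    via_sj1 = Path("192.168.1.6", (64512,), med=50 if med_policy else 0)
    via_sj2 = Path("192.168.1.2", (64512,), med=75 if med_policy else 0)
    return _nh(best_path([via_sj1, via_sj2]))


if __name__ == "__main__":
    print("Step 7 next hop without/with next-hop-self:",
          sanjose2_route_step7(False), sanjose2_route_step7(True))
    print("Step 8 next hop without/with local-pref policy:",
          sanjose2_route_step8(False), sanjose2_route_step8(True))
    print("Step 9 ISP next hop without/with MED policy:",
          isp_route_step9(False), isp_route_step9(True))
    print("Step 10 after ISP-SanJose1 link fails:",
          sanjose2_route_step8(sanjose1_link_up=False))
```

The pre-MED tie in Step 9 is the point to note: the lab's ISP chose 192.168.1.2 there, but that choice came from tie-breakers beyond the attributes an operator sets, which is exactly why the return path had to be pinned with MED rather than left to chance.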

PRACTICAL 4

AIM: Secure the Management Plane

TOPOLOGY:

Objectives:
• Secure management access.
• Configure enhanced username password security.
• Enable AAA RADIUS authentication.
• Enable secure remote management.

Step 1: Configure loopbacks and assign addresses.

R1
hostname R1
!
interface Loopback0
 description R1 LAN
 ip address 192.168.1.1 255.255.255.0
 exit
!
interface Serial0/0/0
 description R1 --> R2
 ip address 10.1.1.1 255.255.255.252
 clock rate 128000
 no shutdown
 exit
!
end

R2
hostname R2
!
interface Serial0/0/0
 description R2 --> R1
 ip address 10.1.1.2 255.255.255.252
 no shutdown
 exit
!
interface Serial0/0/1
 description R2 --> R3
 ip address 10.2.2.1 255.255.255.252
 clock rate 128000
 no shutdown
 exit
!
end

R3
hostname R3
!
interface Loopback0
 description R3 LAN
 ip address 192.168.3.1 255.255.255.0
 exit
!
interface Serial0/0/1
 description R3 --> R2
 ip address 10.2.2.2 255.255.255.252
 no shutdown
 exit
!
end

Step 2: Configure static routes.


a. On R1, configure a default static route to ISP.

R1(config)# ip route 0.0.0.0 0.0.0.0 10.1.1.2


b. On R3, configure a default static route to ISP.

R3(config)# ip route 0.0.0.0 0.0.0.0 10.2.2.1


c. On R2, configure two static routes.

R2(config)# ip route 192.168.1.0 255.255.255.0 10.1.1.1


R2(config)# ip route 192.168.3.0 255.255.255.0 10.2.2.2
d. From the R1 router, run the following Tcl script to verify connectivity.

foreach address {
  192.168.1.1
  10.1.1.1
  10.1.1.2
  10.2.2.1
  10.2.2.2
  192.168.3.1
} { ping $address }

R1# tclsh
R1(tcl)#foreach address {
+>(tcl)#192.168.1.1
+>(tcl)#10.1.1.1
+>(tcl)#10.1.1.2
+>(tcl)#10.2.2.1
+>(tcl)#10.2.2.2
+>(tcl)#192.168.3.1
+>(tcl)#} { ping $address }
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/14/16 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/16 ms
R1(tcl)#

Step 3: Secure management access.


a. On R1, use the security passwords command to set a minimum password length of 10
characters.

R1(config)# security passwords min-length 10


b. Configure the enable secret encrypted password on both routers.

R1(config)# enable secret class12345


R1(config)# line console 0
R1(config-line)# password ciscoconpass
R1(config-line)# exec-timeout 5 0
R1(config-line)# login
R1(config-line)# logging synchronous
R1(config-line)# exit
R1(config)#

c. Configure the password on the vty lines for router R1.

R1(config)# line vty 0 4


R1(config-line)# password ciscovtypass
R1(config-line)# exec-timeout 5 0
R1(config-line)# login
R1(config-line)# exit
R1(config)#

e. The aux port is a legacy port used to manage a router remotely using a modem and is hardly
ever used. Therefore, disable the aux port.

R1(config)# line aux 0


R1(config-line)# no exec
R1(config-line)# end
R1#

f. Enter privileged EXEC mode and issue the show run command. Can you read the enable
secret password? Why or why not?
g. Use the service password-encryption command to encrypt the line console and vty
passwords.

R1(config)# service password-encryption


R1(config)#
h. Issue the show run command.
i. Configure a warning to unauthorized users with a message-of-the-day (MOTD) banner using
the banner motd command. When a user connects to one of the routers, the MOTD banner
appears before the login prompt. In this example, the dollar sign ($) is used to start and end
the message.

R1(config)# banner motd $Unauthorized access strictly prohibited!$


R1(config)# exit
j. Issue the show run command. What does the $ convert to in the output?
k. Exit privileged EXEC mode using the disable or exit command and press Enter to get
started. Does the MOTD banner look like what you created with the banner motd command?
If the MOTD banner is not as you wanted it, recreate it using the banner motd command.
l. Repeat the configuration portion of steps 3a through 3k on router R3.

Step 4: Configure enhanced username password security.


a. To create a local database entry whose password is stored as a type 4 (SHA-256) hash, use the
username name secret password global configuration command. In global configuration mode,
enter the following commands:

R1(config)# username JR-ADMIN secret class12345


R1(config)# username ADMIN secret class54321

b. Set the console line to use the locally defined login accounts.

R1(config)# line console 0


R1(config-line)# login local
R1(config-line)# exit
R1(config)#

c. Set the vty lines to use the locally defined login accounts.

R1(config)# line vty 0 4


R1(config-line)# login local
R1(config-line)# end
R1(config)#

d. Repeat the steps 4a to 4c on R3.

e. To verify the configuration, telnet to R3 from R1 and login using the ADMIN local
database account.

R1# telnet 10.2.2.2


Trying 10.2.2.2 ... Open
Unauthorized access strictly prohibited!
User Access Verification
Username: ADMIN
Password:
R3>

Step 5: Enabling AAA RADIUS Authentication with Local User for Backup.
a. Always have local database accounts created before enabling AAA. Since two local database
accounts were created in the previous step, AAA can now be enabled on R1.
R1(config)# aaa new-model

b. Configure the specifics for the first RADIUS server located at 192.168.1.101. Use
RADIUS1pa55w0rd as the server password.
R1(config)# radius server RADIUS-1
R1(config-radius-server)# address ipv4 192.168.1.101
R1(config-radius-server)# key RADIUS-1-pa55w0rd
R1(config-radius-server)# exit
R1(config)#

c. Configure the specifics for the second RADIUS server located at 192.168.1.102. Use
RADIUS2pa55w0rd as the server password.
R1(config)# radius server RADIUS-2
R1(config-radius-server)# address ipv4 192.168.1.102
R1(config-radius-server)# key RADIUS-2-pa55w0rd
R1(config-radius-server)# exit
R1(config)#
d. Assign both RADIUS servers to a server group.
R1(config)# aaa group server radius RADIUS-GROUP
R1(config-sg-radius)# server name RADIUS-1
R1(config-sg-radius)# server name RADIUS-2
R1(config-sg-radius)# exit
R1(config)#

e. Enable the default AAA authentication login to attempt to validate against the server group. If the
servers are not available, then authentication should be validated against the local database.
R1(config)# aaa authentication login default group RADIUS-GROUP local
R1(config)#
f. Enable the TELNET-LOGIN AAA authentication login method list to attempt to validate against the
server group. If the servers are not available, then authentication should be validated against the
case-sensitive local database.
R1(config)# aaa authentication login TELNET-LOGIN group RADIUS-GROUP local-case
R1(config)#
g. Alter the vty lines to use the TELNET-LOGIN AAA authentication method list.

R1(config)# line vty 0 4


R1(config-line)# login authentication TELNET-LOGIN
R1(config-line)# exit
R1(config)#

h. Repeat the steps 5a to 5g on R3.

i. To verify the configuration, telnet to R3 from R1 and login using the ADMIN local database account.

R1# telnet 10.2.2.2


Trying 10.2.2.2 ... Open
Unauthorized access strictly prohibited!
User Access Verification
Username: admin
Password:
% Authentication failed

Username: ADMIN
Password:


R3>
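The output above (admin rejected, ADMIN accepted) follows from two rules of IOS method lists: the next method is consulted only when the current one returns an error (no RADIUS server answered), not when a server rejects the credentials, and local-case compares the username case-sensitively while plain local does not. The following Python model of that evaluation is an added example, not part of the lab or of IOS. The server names, accounts and passwords are those configured in Steps 4 and 5; treating both RADIUS servers as unreachable is an assumption about this topology, where no host answers at 192.168.1.101 or 192.168.1.102.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class RadiusServer:
    """One member of 'aaa group server radius RADIUS-GROUP' (names from the lab)."""
    name: str
    reachable: bool = False              # assumption: no RADIUS host exists in this topology
    users: Dict[str, str] = field(default_factory=dict)

    def authenticate(self, user: str, password: str) -> str:
        # ERROR = no reply (timeout); FAIL = Access-Reject; PASS = Access-Accept
        if not self.reachable:
            return "ERROR"
        return "PASS" if self.users.get(user) == password else "FAIL"


# Local database from Step 4 (usernames and passwords as configured in the lab).
LOCAL_USERS = {"JR-ADMIN": "class12345", "ADMIN": "class54321"}


def local_method(user: str, password: str, case_sensitive: bool) -> str:
    """'local-case' matches the username exactly; 'local' ignores username case.
    The password is compared case-sensitively in both."""
    for name, secret in LOCAL_USERS.items():
        if name == user or (not case_sensitive and name.lower() == user.lower()):
            return "PASS" if secret == password else "FAIL"
    return "FAIL"


def aaa_login(method_list: List[str], user: str, password: str,
              servers: List[RadiusServer]) -> Tuple[str, List[str]]:
    """Walk a login method list the way IOS does: the next method is consulted only
    when the current one returns ERROR. A FAIL ends the attempt immediately."""
    trace = []
    for method in method_list:
        if method.startswith("group "):
            result = "ERROR"                       # group with no answering server
            for srv in servers:
                result = srv.authenticate(user, password)
                trace.append(f"{srv.name}: {result}")
                if result != "ERROR":              # any reply, accept or reject, is final
                    break
        elif method in ("local", "local-case"):
            result = local_method(user, password, method == "local-case")
            trace.append(f"{method}: {result}")
        else:
            raise ValueError(f"unsupported method {method!r}")
        if result != "ERROR":
            return result, trace
    return "FAIL", trace                           # every method errored out: access denied


# Method lists from Step 5 of the lab.
DEFAULT_LIST = ["group RADIUS-GROUP", "local"]
TELNET_LOGIN = ["group RADIUS-GROUP", "local-case"]
RADIUS_GROUP = [RadiusServer("RADIUS-1"), RadiusServer("RADIUS-2")]

if __name__ == "__main__":
    for user in ("admin", "ADMIN"):
        print(user, aaa_login(TELNET_LOGIN, user, "class54321", RADIUS_GROUP))
```

The practical consequence: once a RADIUS server is reachable, the local accounts are no longer a way around a rejected login; they only cover the case where every server in the group times out.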

Step 6: Enabling secure remote management using SSH.


a. SSH requires that a device name and a domain name be configured. Since the router already
has a name assigned, configure the domain name.

R1(config)# ip domain-name ccnasecurity.com


b. The router uses the RSA key pair for authentication and encryption of transmitted SSH data.
Although optional, it may be wise to erase any existing key pairs on the router.
R1(config)# crypto key zeroize rsa

c. Generate the RSA encryption key pair for the router. Configure the RSA keys with 1024 for
the number of modulus bits. The default is 512, and the range is from 360 to 2048.

R1(config)# crypto key generate rsa general-keys modulus 1024


The name for the keys will be: R1.ccnasecurity.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R1(config)#
Jan 10 13:44:44.711: %SSH-5-ENABLED: SSH 1.99 has been enabled
R1(config)#

d. Cisco routers support two versions of SSH:


• SSH version 1 (SSHv1): Original version but has known vulnerabilities.
• SSH version 2 (SSHv2): Provides better security using the Diffie-Hellman key
exchange and the strong integrity-checking message authentication code (MAC).

R1(config)# ip ssh version 2


R1(config)#

e. Configure the vty lines to use only SSH connections.


R1(config)# line vty 0 4
R1(config-line)# transport input ssh
R1(config-line)# end

f. Verify the SSH configuration using the show ip ssh command.

R1# show ip ssh

SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAAAgQC3Lehh7ReYlgyDzls6wq+mFzxqzoaZFr9XGx+Q/yio
dFYw00hQo80tZy1W1Ff3Pz6q7Qi0y00urwddHZ0kBZceZK9EzJ6wZ+9a87KKDETCWrGSLi6c8lE/y4K+
Z/oVrMMZk7bpTM1MFdP41YgkTf35utYv+TcqbsYo++KJiYk+xw==
R1#

g. Repeat the steps 6a to 6f on R3.

h. Although a user can SSH from a host using the SSH option of TeraTerm or PuTTY, a router
can also SSH to another SSH-enabled device. SSH to R3 from R1.
R1# ssh -l ADMIN 10.2.2.2
Password:
Unauthorized access strictly prohibited!
R3>
R3> en
Password:
R3#
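Steps 3 to 6 each add one management-plane control to the running-config. The script below, an added example that is not part of the lab, checks a saved configuration for every one of those controls and reports what is missing, so the same audit can be run over R3 or any other router after the steps are repeated. Both configurations it inspects are constructed samples: the hardened one is what R1 looks like after Step 6 (hash and encrypted-password values are placeholders), the other has only Steps 1 and 2 applied.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: R1's running-config after Steps 3 to 6 of this lab (abridged;
# hash and encrypted-password values are placeholders, not real output).
HARDENED = """\
service password-encryption
hostname R1
security passwords min-length 10
enable secret 4 <hash-placeholder>
aaa new-model
aaa authentication login default group RADIUS-GROUP local
aaa authentication login TELNET-LOGIN group RADIUS-GROUP local-case
ip domain-name ccnasecurity.com
username JR-ADMIN secret 4 <hash-placeholder>
username ADMIN secret 4 <hash-placeholder>
ip ssh version 2
banner motd ^CUnauthorized access strictly prohibited!^C
line con 0
 exec-timeout 5 0
 password 7 <encrypted-placeholder>
 logging synchronous
 login local
line aux 0
 no exec
line vty 0 4
 exec-timeout 5 0
 password 7 <encrypted-placeholder>
 login authentication TELNET-LOGIN
 transport input ssh
"""

# Constructed sample: the same router with only Steps 1 and 2 applied.
UNHARDENED = """\
hostname R1
enable password cisco
line con 0
 password cisco
 login
line aux 0
line vty 0 4
 password cisco
 login
 transport input all
"""


def parse_config(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS config into global commands and the commands under each 'line' section."""
    global_cmds, sections, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        elif not raw.startswith(" "):
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, sections


def audit(config: str) -> List[str]:
    """Check the management-plane settings this lab applies; one finding per missing control."""
    global_cmds, sections = parse_config(config)
    findings = []

    def has(pattern: str, cmds: List[str]) -> bool:
        return any(re.match(pattern, c) for c in cmds)

    lengths = [int(m.group(1)) for c in global_cmds
               if (m := re.match(r"security passwords min-length (\d+)$", c))]
    if not lengths or lengths[0] < 10:
        findings.append("minimum password length below 10")
    if not has(r"enable secret ", global_cmds):
        findings.append("no enable secret (enable password is reversible or absent)")
    if "service password-encryption" not in global_cmds:
        findings.append("line passwords stored in clear text")
    if "aaa new-model" not in global_cmds:
        findings.append("AAA not enabled")
    if "ip ssh version 2" not in global_cmds:
        findings.append("SSH not restricted to version 2")
    if not has(r"banner motd ", global_cmds):
        findings.append("no MOTD warning banner")
    for name, cmds in sections.items():
        if name.startswith("line aux"):
            if "no exec" not in cmds:
                findings.append(f"{name}: EXEC not disabled")
            continue
        if not has(r"exec-timeout ", cmds):
            findings.append(f"{name}: no exec-timeout")
        if not has(r"login (local|authentication )", cmds):
            findings.append(f"{name}: line password only, no per-user login")
        if name.startswith("line vty") and "transport input ssh" not in cmds:
            findings.append(f"{name}: Telnet still accepted")
    return findings


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED), ("unhardened", UNHARDENED)):
        print(label, audit(cfg) or "all checks passed")
```

The parser only understands the flat `line` sections it needs; a full running-config also has interface and router sections, which it skips. A `login` without `local` or `authentication` is flagged because it authenticates by shared line password rather than per user.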

PRACTICAL 5
AIM: Configure and Verify Path Control Using PBR

TOPOLOGY:

Objectives:
• Configure and verify policy-based routing.
• Select the required tools and commands to configure policy-based routing operations.
• Verify the configuration and operation by using the proper show and debug commands.

Step 1: Configure loopbacks and assign addresses.


Router R1
hostname R1
!
interface Lo1
 description R1 LAN
 ip address 192.168.1.1 255.255.255.0
!
interface Serial0/0/0
 description R1 --> R2
 ip address 172.16.12.1 255.255.255.248
 clock rate 128000
 bandwidth 128
 no shutdown
!
interface Serial0/0/1
 description R1 --> R3
 ip address 172.16.13.1 255.255.255.248
 bandwidth 64
 no shutdown
!
end

Router R2
hostname R2
!
interface Lo2
 description R2 LAN
 ip address 192.168.2.1 255.255.255.0
!
interface Serial0/0/0
 description R2 --> R1
 ip address 172.16.12.2 255.255.255.248
 bandwidth 128
 no shutdown
!
interface Serial0/0/1
 description R2 --> R3
 ip address 172.16.23.2 255.255.255.248
 clock rate 128000
 bandwidth 128
 no shutdown
!
end

Router R3
hostname R3
!
interface Lo3
 description R3 LAN
 ip address 192.168.3.1 255.255.255.0
!
interface Serial0/0/0
 description R3 --> R1
 ip address 172.16.13.3 255.255.255.248
 clock rate 64000
 bandwidth 64
 no shutdown
!
interface Serial0/0/1
 description R3 --> R2
 ip address 172.16.23.3 255.255.255.248
 bandwidth 128
 no shutdown
!
interface Serial0/1/0
 description R3 --> R4
 ip address 172.16.34.3 255.255.255.248
 clock rate 64000
 bandwidth 64
 no shutdown
!
end

Router R4
hostname R4
!
interface Lo4
 description R4 LAN A
 ip address 192.168.4.1 255.255.255.128
!
interface Lo5
 description R4 LAN B
 ip address 192.168.4.129 255.255.255.128
!
interface Serial0/0/0
 description R4 --> R3
 ip address 172.16.34.4 255.255.255.248
 bandwidth 64
 no shutdown
!
end
a. Verify the configuration with the show ip interface brief, show protocols, and show
interfaces description commands. The output from router R3 is shown here as an example.

R3# show ip interface brief | include up


Serial0/0/0 172.16.13.3 YES manual up up
Serial0/0/1 172.16.23.3 YES manual up up
Serial0/1/0 172.16.34.3 YES manual up up
Loopback3 192.168.3.1 YES manual up up
R3#

R3# show protocols

Global values:
  Internet Protocol routing is enabled
Embedded-Service-Engine0/0 is administratively down, line protocol is down
GigabitEthernet0/0 is administratively down, line protocol is down
GigabitEthernet0/1 is administratively down, line protocol is down
Serial0/0/0 is up, line protocol is up
  Internet address is 172.16.13.3/29
Serial0/0/1 is up, line protocol is up
  Internet address is 172.16.23.3/29
Serial0/1/0 is up, line protocol is up
  Internet address is 172.16.34.3/29
Serial0/1/1 is administratively down, line protocol is down
Loopback3 is up, line protocol is up
  Internet address is 192.168.3.1/24
R3#

R3# show interfaces description | include up
Se0/0/0                        up             up       R3 --> R1
Se0/0/1                        up             up       R3 --> R2
Se0/1/0                        up             up       R3 --> R4
Lo3                            up             up       R3 LAN
R3#

Step 3: Configure basic EIGRP.

Router R1
router eigrp 1
 network 192.168.1.0
 network 172.16.12.0 0.0.0.7
 network 172.16.13.0 0.0.0.7
 no auto-summary

Router R2
router eigrp 1
 network 192.168.2.0
 network 172.16.12.0 0.0.0.7
 network 172.16.23.0 0.0.0.7
 no auto-summary

Router R3
router eigrp 1
 network 192.168.3.0
 network 172.16.13.0 0.0.0.7
 network 172.16.23.0 0.0.0.7
 network 172.16.34.0 0.0.0.7
 no auto-summary

Router R4
router eigrp 1
 network 192.168.4.0
 network 172.16.34.0 0.0.0.7
 no auto-summary

Step 4: Verify EIGRP connectivity.


a. EIGRP adjacencies.

R1# show ip eigrp neighbors

EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   172.16.13.3             Se0/0/1           10 00:01:55   27  2340  0  9
0   172.16.12.2             Se0/0/0           13 00:02:07    8  1170  0  11
R1#

R2# show ip eigrp neighbors

EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   172.16.23.3             Se0/0/1           12 00:02:15   12  1170  0  10
0   172.16.12.1             Se0/0/0           11 00:02:27    9  1170  0  13
R2#

R3# show ip eigrp neighbors

EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
2   172.16.34.4             Se0/1/0           12 00:02:14   44  2340  0  3
1   172.16.23.2             Se0/0/1           11 00:02:23   10  1170  0  10
0   172.16.13.1             Se0/0/0           10 00:02:23 1031  5000  0  12
R3#

R4# show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   172.16.34.3             Se0/0/0           10 00:02:22   37  2340  0  11
R4#

b. Run the following Tcl script on all routers to verify full connectivity.

R1# tclsh

foreach address {
  172.16.12.1
  172.16.12.2
  172.16.13.1
  172.16.13.3
  172.16.23.2
  172.16.23.3
  172.16.34.3
  172.16.34.4
  192.168.1.1
  192.168.2.1
  192.168.3.1
  192.168.4.1
  192.168.4.129
} { ping $address }

Step 5: Verify the current path.


a. On R1, use the show ip route command. Notice the next-hop IP address for all networks
discovered by EIGRP.

R1# show ip route | begin Gateway

Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
C        172.16.12.0/29 is directly connected, Serial0/0/0
L        172.16.12.1/32 is directly connected, Serial0/0/0
C        172.16.13.0/29 is directly connected, Serial0/0/1
L        172.16.13.1/32 is directly connected, Serial0/0/1
D        172.16.23.0/29 [90/21024000] via 172.16.12.2, 00:07:22, Serial0/0/0
D        172.16.34.0/29 [90/41024000] via 172.16.13.3, 00:07:22, Serial0/0/1
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, Loopback1
L        192.168.1.1/32 is directly connected, Loopback1
D     192.168.2.0/24 [90/20640000] via 172.16.12.2, 00:07:22, Serial0/0/0
D     192.168.3.0/24 [90/21152000] via 172.16.12.2, 00:07:22, Serial0/0/0
      192.168.4.0/25 is subnetted, 2 subnets
D        192.168.4.0 [90/41152000] via 172.16.13.3, 00:07:14, Serial0/0/1
D        192.168.4.128 [90/41152000] via 172.16.13.3, 00:07:14, Serial0/0/1
R1#
b. On R4, use the traceroute command to the R1 LAN address and source the ICMP packet
from R4 LAN A and LAN B.

R4# traceroute 192.168.1.1 source 192.168.4.1

Type escape sequence to abort.
Tracing the route to 192.168.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.34.3 12 msec 12 msec 16 msec
  2 172.16.23.2 20 msec 20 msec 20 msec
  3 172.16.12.1 24 msec * 24 msec
R4#

R4# traceroute 192.168.1.1 source 192.168.4.129

Type escape sequence to abort.
Tracing the route to 192.168.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.34.3 12 msec 16 msec 12 msec
  2 172.16.23.2 28 msec 20 msec 16 msec
  3 172.16.12.1 24 msec * 24 msec
R4#

a. On R3, use the show ip route command and note that the preferred route from R3 to R1 LAN
192.168.1.0/24 is via R2 using the R3 exit interface S0/0/1.

R3# show ip route | begin Gateway

Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 7 subnets, 2 masks
D        172.16.12.0/29 [90/21024000] via 172.16.23.2, 00:10:54, Serial0/0/1
C        172.16.13.0/29 is directly connected, Serial0/0/0
L        172.16.13.3/32 is directly connected, Serial0/0/0
C        172.16.23.0/29 is directly connected, Serial0/0/1
L        172.16.23.3/32 is directly connected, Serial0/0/1
C        172.16.34.0/29 is directly connected, Serial0/1/0
L        172.16.34.3/32 is directly connected, Serial0/1/0
D     192.168.1.0/24 [90/21152000] via 172.16.23.2, 00:10:54, Serial0/0/1
D     192.168.2.0/24 [90/20640000] via 172.16.23.2, 00:10:54, Serial0/0/1
      192.168.3.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.3.0/24 is directly connected, Loopback3
L        192.168.3.1/32 is directly connected, Loopback3
      192.168.4.0/25 is subnetted, 2 subnets
D        192.168.4.0 [90/40640000] via 172.16.34.4, 00:10:47, Serial0/1/0
D        192.168.4.128 [90/40640000] via 172.16.34.4, 00:10:47, Serial0/1/0
R3#

a. On R3, use the show interfaces serial 0/0/0 and show interfaces s0/0/1 commands.

R3# show interfaces serial0/0/0


Serial0/0/0 is up, line protocol is up
Hardware is WIC MBRD Serial
Description: R3 --> R1
Internet address is 172.16.13.3/29
MTU 1500 bytes, BW 64Kbit/sec, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation HDLC, loopback not set
Keepalive set (10 sec)
Last input 00:00:01, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
399 packets input, 29561 bytes, 0 no buffer
Received 186 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
393 packets output, 29567 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
DCD=up DSR=up DTR=up RTS=up CTS=up

R3# show interfaces serial0/0/0 | include BW
  MTU 1500 bytes, BW 64 Kbit/sec, DLY 20000 usec,
R3# show interfaces serial0/0/1 | include BW
  MTU 1500 bytes, BW 128 Kbit/sec, DLY 20000 usec,
R3#

bandwidth of the serial link between R3 and R2 (S0/0/1) is set to 128 Kb/s.
a. Confirm that R3 has a valid route to reach R1 from its serial 0/0/0 interface using the show ip
eigrp topology 192.168.1.0 command.

R3# show ip eigrp topology 192.168.1.0

EIGRP-IPv4 Topology Entry for AS(1)/ID(192.168.3.1) for 192.168.1.0/24
  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 21152000
  Descriptor Blocks:
  172.16.23.2 (Serial0/0/1), from 172.16.23.2, Send flag is 0x0
      Composite metric is (21152000/20640000), route is Internal
      Vector metric:
        Minimum bandwidth is 128 Kbit
        Total delay is 45000 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1500
        Hop count is 2
        Originating router is 192.168.1.1
  172.16.13.1 (Serial0/0/0), from 172.16.13.1, Send flag is 0x0
      Composite metric is (4064000/128256), route is Internal
      Vector metric:
        Minimum bandwidth is 64 Kbit
        Total delay is 25000 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1500
        Hop count is 1
        Originating router is 192.168.1.1
R3#
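The topology entry above explains why EIGRP alone will not send traffic over the direct R3 to R1 link: with the default K values the classic metric is 256 * (10^7 / minimum bandwidth in Kbit + total delay in tens of microseconds), so the 64 Kbit link loses to the two-hop 128 Kbit path even though it has fewer hops. The Python below, an added example rather than anything from the lab, reproduces the feasible and reported distances shown by R3 from the bandwidth and delay figures in the lab's own output. The loopback's 8000000 Kbit bandwidth and 5000 usec delay and the 20000 usec serial delay are IOS defaults; the direct path's metric comes out at 40640000, the same figure R3's routing table shows for the other 64 Kbit link toward R4.

```python
"""Classic EIGRP composite metric worked through with the lab's own numbers.
Default K values (K1 = K3 = 1, K2 = K4 = K5 = 0), so
    metric = 256 * (10^7 // min_bandwidth_kbps + total_delay_usec // 10)
"""
from typing import Dict, List, Tuple

Link = Tuple[int, int]                  # (bandwidth in Kbit/s, delay in microseconds)
LOOPBACK: Link = (8_000_000, 5_000)     # IOS default for a loopback interface
SERIAL_128K: Link = (128, 20_000)       # 'bandwidth 128', default serial delay 20000 usec
SERIAL_64K: Link = (64, 20_000)         # 'bandwidth 64'


def eigrp_metric(min_bandwidth_kbps: int, total_delay_usec: int) -> int:
    # IOS uses integer arithmetic at each step, which is why the values match exactly.
    return 256 * (10_000_000 // min_bandwidth_kbps + total_delay_usec // 10)


def path_metric(links: List[Link]) -> int:
    """Metric of a path: the slowest link sets the bandwidth term, delays add up."""
    return eigrp_metric(min(bw for bw, _ in links), sum(d for _, d in links))


# R3's two candidate paths to 192.168.1.0/24, from the topology entry above.
VIA_R2 = [SERIAL_128K, SERIAL_128K, LOOPBACK]   # R3 -> R2 -> R1 -> Lo1
VIA_R1_DIRECT = [SERIAL_64K, LOOPBACK]          # R3 -> R1 -> Lo1


def compare_paths() -> Dict[str, Tuple[int, int]]:
    """Return (feasible distance, reported distance) for each path as R3 sees it."""
    return {
        # R2's own metric to the prefix is the distance it reports to R3
        "via_r2": (path_metric(VIA_R2), path_metric(VIA_R2[1:])),
        # R1 reports its metric to its directly connected loopback
        "direct": (path_metric(VIA_R1_DIRECT), path_metric([LOOPBACK])),
    }


def feasibility_condition(rd_candidate: int, fd_successor: int) -> bool:
    """A path is a feasible successor when its reported distance is below the successor's FD."""
    return rd_candidate < fd_successor


if __name__ == "__main__":
    paths = compare_paths()
    for name, (fd, rd) in paths.items():
        print(f"{name}: FD={fd} RD={rd}")
    print("direct path is a feasible successor:",
          feasibility_condition(paths["direct"][1], paths["via_r2"][0]))
```

Because 128256 is below the successor's feasible distance of 21152000, the direct path is a loop-free feasible successor and EIGRP keeps it in the topology table as a backup; it is still not installed, which is what the policy-based routing in Step 6 changes for LAN B traffic.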

Step 6: Configure PBR to provide path control.


a. On router R3, create a standard access list called PBR-ACL to identify the R4 LAN B network.

R3(config)# ip access-list standard PBR-ACL


R3(config-std-nacl)# remark ACL matches R4 LAN B traffic
R3(config-std-nacl)# permit 192.168.4.128 0.0.0.127
R3(config-std-nacl)# exit
R3(config)#

b. Create a route map called R3-to-R1 that matches PBR-ACL and sets the next hop to the address of the
R1 serial 0/0/1 interface.

R3(config)# route-map R3-to-R1 permit


R3(config-route-map)# description RM to forward LAN B traffic to R1
R3(config-route-map)# match ip address PBR-ACL
R3(config-route-map)# set ip next-hop 172.16.13.1
R3(config-route-map)# exit
R3(config)#

c. Apply the R3-to-R1 route map to the serial interface on R3 that receives the traffic from R4.
Use the ip policy route-map command on interface S0/1/0.

R3(config)# interface s0/1/0


R3(config-if)# ip policy route-map R3-to-R1
R3(config-if)# end
R3#
d. On R3, display the policy and matches using the show route-map command.

R3# show route-map

route-map R3-to-R1, permit, sequence 10
  Match clauses:
    ip address (access-lists): PBR-ACL
  Set clauses:
    ip next-hop 172.16.13.1
  Policy routing matches: 0 packets, 0 bytes
R3#
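The decision R3 makes for each packet arriving on S0/1/0 is a wildcard match against PBR-ACL followed by the route-map clause's action. The following Python is an added example, not the lab's or IOS code; the ACL, the route-map sequence and the next hops are the lab's, the sample source addresses are constructed, and the reason strings mirror the wording of the debug ip policy output seen in Step 7.

```python
import ipaddress
from typing import List, Tuple

AclEntry = Tuple[str, str, str]          # (action, network, wildcard)
PBR_ACL: List[AclEntry] = [("permit", "192.168.4.128", "0.0.0.127")]   # R4 LAN B


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == n & care


def acl_lookup(acl: List[AclEntry], src: str) -> str:
    """First matching entry wins; the implicit deny at the end catches everything else."""
    for action, net, wc in acl:
        if wildcard_match(src, net, wc):
            return action
    return "deny"


# route-map R3-to-R1: one permit clause, sequence 10, set ip next-hop 172.16.13.1
ROUTE_MAP = [(10, "permit", PBR_ACL, "172.16.13.1")]


def policy_route(src: str, normal_next_hop: str) -> Tuple[str, str]:
    """Decide the next hop for a transit packet from 'src' on the policy-routed interface.
    Returns (next_hop, reason); normal_next_hop is what the routing table would have chosen."""
    for seq, action, acl, next_hop in ROUTE_MAP:
        if acl_lookup(acl, src) == "permit":
            if action == "permit":
                return next_hop, f"policy match, item {seq}, permit: policy routed"
            # a deny clause in the route map exempts the traffic from PBR
            return normal_next_hop, f"policy match, item {seq}, deny: normal forwarding"
    return normal_next_hop, "policy rejected (no match): normal forwarding"


# Constructed sample sources: a LAN A host, two LAN B hosts, a host outside R4's LANs.
SAMPLES = ["192.168.4.1", "192.168.4.129", "192.168.4.255", "192.168.5.129"]

if __name__ == "__main__":
    for src in SAMPLES:
        # 172.16.23.2 (R2) is the EIGRP next hop for 192.168.1.0/24 in R3's routing table
        print(src, policy_route(src, normal_next_hop="172.16.23.2"))
```

Only traffic that enters S0/1/0 is subject to this policy; packets R3 originates itself (its own ping or traceroute) are not, unless a separate ip local policy route-map is applied. A packet that matches no clause, or matches a deny clause, falls back to the routing table rather than being dropped.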

Step 7: Test the policy.


a. On R3, create a standard ACL which identifies all of the R4 LANs.

R3# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)# access-list 1 permit 192.168.4.0 0.0.0.255
R3(config)# exit
b. Enable PBR debugging only for traffic that matches the R4 LANs.

R3# debug ip policy ?
  <1-199>  Access list
  dynamic  dynamic PBR
  <cr>

R3# debug ip policy 1

Policy routing debugging is on for access list 1
a. Test the policy from R4 with the traceroute command, using R4 LAN A as the source
network.

R4# traceroute 192.168.1.1 source 192.168.4.1

Type escape sequence to abort.
Tracing the route to 192.168.1.1
  1 172.16.34.3 0 msec 0 msec 4 msec
  2 172.16.23.2 0 msec 0 msec 4 msec
  3 172.16.12.1 4 msec 0 msec *

R3#
Jan 10 10:49:48.411: IP: s=192.168.4.1 (Serial0/1/0), d=192.168.1.1, len 28, policy rejected - normal forwarding
Jan 10 10:49:48.427: IP: s=192.168.4.1 (Serial0/1/0), d=192.168.1.1, len 28, policy rejected - normal forwarding
Jan 10 10:49:48.439: IP: s=192.168.4.1 (Serial0/1/0), d=192.168.1.1, len 28, policy rejected - normal forwarding
Jan 10 10:49:48.451: IP: s=192.168.4.1 (Serial0/1/0), d=192.168.1.1, len 28, FIB policy rejected(no match) - normal forwarding
Jan 10 10:49:48.471: IP: s=192.168.4.1 (Serial0/1/0), d=192.168.1.1, len 28, FIB policy rejected(no match) - normal forwarding
Jan 10 10:49:48.491: IP: s=192.168.4.1 (Serial0/1/0), d=192.168.1.1, len 28, FIB policy rejected(no match) - normal forwarding
Jan 10 10:49:48.511: IP: s=192.168.4.1 (Serial0/1/0), d=192.168.1.1, len 28, FIB policy rejected(no match) - normal forwarding
Jan 10 10:49:48.539: IP: s=192.168.4.1 (Serial0/1/0), d=192.168.1.1, len 28, FIB policy rejected(no match) - normal forwarding
Jan 10 10:49:51.539: IP: s=192.168.4.1 (Serial0/1/0), d=192.168.1.1, len 28, FIB policy rejected(no match) - normal forwarding
R3#

a. Test the policy from R4 with the traceroute command, using R4 LAN B as the source
network.

R4# traceroute 192.168.1.1 source 192.168.4.129

Type escape sequence to abort.
Tracing the route to 192.168.1.1
  1 172.16.34.3 12 msec 12 msec 16 msec
  2 172.16.13.1 28 msec 28 msec *

R3#
Jan 10 10:50:04.283: IP: s=192.168.4.129 (Serial0/1/0), d=192.168.1.1, len 28, policy match
Jan 10 10:50:04.283: IP: route map R3-to-R1, item 10, permit
Jan 10 10:50:04.283: IP: s=192.168.4.129 (Serial0/1/0), d=192.168.1.1 (Serial0/0/0), len 28, policy routed
Jan 10 10:50:04.283: IP: Serial0/1/0 to Serial0/0/0 172.16.13.1
Jan 10 10:50:04.295: IP: s=192.168.4.129 (Serial0/1/0), d=192.168.1.1, len 28, policy match
Jan 10 10:50:04.295: IP: route map R3-to-R1, item 10, permit
Jan 10 10:50:04.295: IP: s=192.168.4.129 (Serial0/1/0), d=192.168.1.1 (Serial0/0/0), len 28, policy routed
Jan 10 10:50:04.295: IP: Serial0/1/0 to Serial0/0/0 172.16.13.1
Jan 10 10:50:04.311: IP: s=192.168.4.129 (Serial0/1/0), d=192.168.1.1, len 28, policy match
Jan 10 10:50:04.311: IP: route map R3-to-R1, item 10, permit
Jan 10 10:50:04.311: IP: s=192.168.4.129 (Serial0/1/0), d=192.168.1.1 (Serial0/0/0), len 28, policy routed
Jan 10 10:50:04.311: IP: Serial0/1/0 to Serial0/0/0 172.16.13.1
Jan 10 10:50:04.323: IP: s=192.168.4.129 (Serial0/1/0), d=192.168.1.1, len 28, FIB policy match
Jan 10 10:50:04.323: IP: s=192.168.4.129 (Serial0/1/0), d=192.168.1.1, len 28, PBR Counted
Jan 10 10:50:04.323: IP: s=192.168.4.129 (Serial0/1/0), d=192.168.1.1, g=172.16.13.1, len 28, FIB policy routed
Jan 10 10:50:04.351: IP: s=192.168.4.129 (Serial0/1/0), d=192.168.1.1, len 28, FIB policy match
Jan 10 10:50:04.351: IP: s=192.168.4.129 (Serial0/1/0), d=192.168.1.1, len 28, PBR Counted
Jan 10 10:50:04.351: IP: s=192.168.4.129 (Serial0/1/0), d=192.168.1.1, g=172.16.13.1, len 28, FIB policy routed
Jan 10 10:50:07.347: IP: s=192.168.4.129 (Serial0/1/0), d=192.168.1.1, len 28, FIB policy match
Jan 10 10:50:07.347: IP: s=192.168.4.129 (Serial0/1/0), d=192.168.1.1, len 28, PBR Counted
Jan 10 10:50:07.347: IP: s=192.168.4.129 (Serial0/1/0), d=192.168.1.1, g=172.16.13.1, len 28, FIB policy routed
R3#
a. On R3, display the policy and matches using the show route-map command.

R3# show route-map

route-map R3-to-R1, permit, sequence 10
  Match clauses:
    ip address (access-lists): PBR-ACL
  Set clauses:
    ip next-hop 172.16.13.1
  Nexthop tracking current: 0.0.0.0
  172.16.13.1, fib_nh:0,oce:0,status:0
  Policy routing matches: 12 packets, 384 bytes
R3#
PRACTICAL 6
AIM: Configure IP SLA Tracking and Path Control

TOPOLOGY:

Objectives
• Configure and verify the IP SLA feature.
• Test the IP SLA tracking feature.
• Verify the configuration and operation using show and debug commands.

Step 1: Configure loopbacks and assign addresses.


Router R1
hostname R1
!
interface Loopback0
 description R1 LAN
 ip address 192.168.1.1 255.255.255.0
!
interface Serial0/0/0
 description R1 --> ISP1
 ip address 209.165.201.2 255.255.255.252
 clock rate 128000
 bandwidth 128
 no shutdown
!
interface Serial0/0/1
 description R1 --> ISP2
 ip address 209.165.202.130 255.255.255.252
 bandwidth 128
 no shutdown

Router ISP1 (R2)
hostname ISP1
!
interface Loopback0
 description Simulated Internet Web Server
 ip address 209.165.200.254 255.255.255.255
!
interface Loopback1
 description ISP1 DNS Server
 ip address 209.165.201.30 255.255.255.255
!
interface Serial0/0/0
 description ISP1 --> R1
 ip address 209.165.201.1 255.255.255.252
 bandwidth 128
 no shutdown
!
interface Serial0/0/1
 description ISP1 --> ISP2
 ip address 209.165.200.225 255.255.255.252
 clock rate 128000
 bandwidth 128
 no shutdown

Router ISP2 (R3)
hostname ISP2
!
interface Loopback0
 description Simulated Internet Web Server
 ip address 209.165.200.254 255.255.255.255
!
interface Loopback1
 description ISP2 DNS Server
 ip address 209.165.202.158 255.255.255.255
!
interface Serial0/0/0
 description ISP2 --> R1
 ip address 209.165.202.129 255.255.255.252
 clock rate 128000
 bandwidth 128
 no shutdown
!
interface Serial0/0/1
 description ISP2 --> ISP1
 ip address 209.165.200.226 255.255.255.252
 bandwidth 128
 no shutdown
b. Verify the configuration by using the show interfaces description command. The output from
router R1 is shown here as an example.
R1# show interfaces description | include up
Se0/0/0                        up             up       R1 --> ISP1
Se0/0/1                        up             up       R1 --> ISP2
Lo0                            up             up       R1 LAN
R1#

Step 2: Configure static routing.


a. configurations.

Router R1
R1(config)# ip route 0.0.0.0 0.0.0.0 209.165.201.1
R1(config)#

Router ISP1 (R2)
ISP1(config)# router eigrp 1
ISP1(config-router)# network 209.165.200.224 0.0.0.3
ISP1(config-router)# network 209.165.201.0 0.0.0.31
ISP1(config-router)# no auto-summary
ISP1(config-router)# exit
ISP1(config)# ip route 192.168.1.0 255.255.255.0 209.165.201.2
ISP1(config)#

Router ISP2 (R3)
ISP2(config)# router eigrp 1
ISP2(config-router)# network 209.165.200.224 0.0.0.3
ISP2(config-router)# network 209.165.202.128 0.0.0.31
ISP2(config-router)# no auto-summary
ISP2(config-router)# exit
ISP2(config)# ip route 192.168.1.0 255.255.255.0 209.165.202.130
ISP2(config)#

foreach address {
  209.165.200.254
  209.165.201.30
  209.165.202.158
} { ping $address source 192.168.1.1 }

foreach address {
  209.165.200.254
  209.165.201.30
  209.165.202.158
} { trace $address source 192.168.1.1 }

Step 3: Configure IP SLA probes.


R1(config)# ip sla 11
R1(config-ip-sla)# icmp-echo 209.165.201.30
R1(config-ip-sla-echo)# frequency 10
R1(config-ip-sla-echo)# exit
R1(config)#
R1(config)# ip sla schedule 11 life forever start-time now
R1(config)#
R1# show ip sla configuration 11
IP SLAs Infrastructure Engine-III
Entry number: 11
Owner:
Tag:
Operation timeout (milliseconds): 5000
Type of operation to perform: icmp-echo
Target address/Source address: 209.165.201.30/0.0.0.0
Type Of Service parameter: 0x0
Request size (ARR data portion): 28
Verify data: No
Vrf Name:
Schedule:
   Operation frequency (seconds): 10  (not considered if randomly scheduled)
   Next Scheduled Start Time: Start Time already passed
   Group Scheduled : FALSE
   Randomly Scheduled : FALSE
   Life (seconds): Forever
   Entry Ageout (seconds): never
   Recurring (Starting Everyday): FALSE
   Status of entry (SNMP RowStatus): Active
Threshold (milliseconds): 5000
Distribution Statistics:
   Number of statistic hours kept: 2
   Number of statistic distribution buckets kept: 1
   Statistic distribution interval (milliseconds): 20
Enhanced History:
History Statistics:
   Number of history Lives kept: 0
   Number of history Buckets kept: 15
   History Filter Type: None
R1#

R1# show ip sla statistics

IPSLAs Latest Operation Statistics

IPSLA operation id: 11
        Latest RTT: 8 milliseconds
Latest operation start time: 10:33:18 UTC Sat Jan 10 2015
Latest operation return code: OK
Number of successes: 51
Number of failures: 0
Operation time to live: Forever
R1#

R1(config)# ip sla 22
R1(config-ip-sla)# icmp-echo 209.165.202.158
R1(config-ip-sla-echo)# frequency 10
R1(config-ip-sla-echo)# exit
R1(config)#
R1(config)# ip sla schedule 22 life forever start-time now
R1(config)# end
R1#

R1# show ip sla configuration 22

IP SLAs Infrastructure Engine-III
Entry number: 22
Owner:
Tag:
Operation timeout (milliseconds): 5000
Type of operation to perform: icmp-echo
Target address/Source address: 209.165.202.158/0.0.0.0
Type Of Service parameter: 0x0
Request size (ARR data portion): 28
Verify data: No
Vrf Name:
Schedule:
   Operation frequency (seconds): 10  (not considered if randomly scheduled)
   Next Scheduled Start Time: Start Time already passed
   Group Scheduled : FALSE
   Randomly Scheduled : FALSE
   Life (seconds): Forever
   Entry Ageout (seconds): never
   Recurring (Starting Everyday): FALSE
   Status of entry (SNMP RowStatus): Active
Threshold (milliseconds): 5000
Distribution Statistics:
   Number of statistic hours kept: 2
   Number of statistic distribution buckets kept: 1
   Statistic distribution interval (milliseconds): 20
Enhanced History:
History Statistics:
   Number of history Lives kept: 0
   Number of history Buckets kept: 15
   History Filter Type: None
R1#

R1# show ip sla configuration 22

IP SLAs, Infrastructure Engine-II.
Entry number: 22
Owner:
Tag:
Type of operation to perform: icmp-echo
Target address/Source address: 209.165.201.158/0.0.0.0
Type Of Service parameter: 0x0
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Verify data: No
Vrf Name:
Schedule:
   Operation frequency (seconds): 10  (not considered if randomly scheduled)
   Next Scheduled Start Time: Start Time already passed
   Group Scheduled : FALSE
   Randomly Scheduled : FALSE
   Life (seconds): Forever
   Entry Ageout (seconds): never
   Recurring (Starting Everyday): FALSE
   Status of entry (SNMP RowStatus): Active
Threshold (milliseconds): 5000 (not considered if react RTT is configured)
Distribution Statistics:
   Number of statistic hours kept: 2
   Number of statistic distribution buckets kept: 1
   Statistic distribution interval (milliseconds): 20
History Statistics:
   Number of history Lives kept: 0
   Number of history Buckets kept: 15
   History Filter Type: None
Enhanced History:
R1#

R1# show ip sla statistics 22
IPSLAs Latest Operation Statistics

IPSLA operation id: 22
        Latest RTT: 16 milliseconds
Latest operation start time: 10:38:29 UTC Sat Jan 10 2015
Latest operation return code: OK
Number of successes:
Number of failures: 0
Operation time to live: Forever
R1#
Step 4: Configure tracking options.
R1(config)# no ip route 0.0.0.0 0.0.0.0 209.165.201.1
R1(config)# ip route 0.0.0.0 0.0.0.0 209.165.201.1 5
R1(config)# exit
R1# show ip route | begin Gateway
Gateway of last resort is 209.165.201.1 to network 0.0.0.0

S*    0.0.0.0/0 [5/0] via 209.165.201.1
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, Loopback0
L        192.168.1.1/32 is directly connected, Loopback0
      209.165.201.0/24 is variably subnetted, 2 subnets, 2 masks
C        209.165.201.0/30 is directly connected, Serial0/0/0
L        209.165.201.2/32 is directly connected, Serial0/0/0
      209.165.202.0/24 is variably subnetted, 2 subnets, 2 masks
C        209.165.202.128/30 is directly connected, Serial0/0/1
L        209.165.202.130/32 is directly connected, Serial0/0/1
R1#

a. From global configuration mode on R1, use the track 1 ip sla 11 reachability command to enter
the config-track subconfiguration mode.

R1(config)# track 1 ip sla 11 reachability


R1(config-track)#
b. Specify the level of sensitivity to changes of tracked objects to 10 seconds of down delay and 1
second of up delay using the delay down 10 up 1 command. The delay helps to alleviate the
effect of flapping objects—objects that are going down and up rapidly. In this situation, if the DNS
server fails momentarily and comes back up within 10 seconds, there is no impact.

R1(config-track)# delay down 10 up 1


R1(config-track)# exit
R1(config)#
c. To view routing table changes as they happen, first enable the debug ip routing command.

R1# debug ip routing
IP routing debugging is on
R1#
d. Configure the floating static route that will be implemented when tracking object 1 is active.
Use the ip route 0.0.0.0 0.0.0.0 209.165.201.1 2 track 1 command to create a floating static default
route via 209.165.201.1 (ISP1). Notice that this command references tracking object number 1,
which in turn references IP SLA operation number 11.

R1(config)# ip route 0.0.0.0 0.0.0.0 209.165.201.1 2 track 1
R1(config)#
Jan 10 10:45:39.119: RT: updating static 0.0.0.0/0 (0x0)  :
    via 209.165.201.1   0 1048578
Jan 10 10:45:39.119: RT: closer admin distance for 0.0.0.0, flushing 1 routes
Jan 10 10:45:39.119: RT: add 0.0.0.0/0 via 209.165.201.1, static metric [2/0]
Jan 10 10:45:39.119: RT: updating static 0.0.0.0/0 (0x0)  :
    via 209.165.201.1   0 1048578
Jan 10 10:45:39.119: RT: rib update return code: 17
Jan 10 10:45:39.119: RT: updating static 0.0.0.0/0 (0x0)  :
    via 209.165.201.1   0 1048578
Jan 10 10:45:39.119: RT: rib update return code: 17
R1(config)#
e. Repeat the steps for operation 22, track number 2, and assign the static route an admin
distance higher than track 1 and lower than 5. On R1, copy the following configuration, which
sets an admin distance of 3.

R1(config)# track 2 ip sla 22 reachability


R1(config-track)# delay down 10 up 1
R1(config-track)# exit
R1(config)#
R1(config)# ip route 0.0.0.0 0.0.0.0 209.165.202.129 3 track 2
R1(config)#

f. Verify the routing table again.

R1# show ip route | begin Gateway
Gateway of last resort is 209.165.201.1 to network 0.0.0.0

S*    0.0.0.0/0 [2/0] via 209.165.201.1
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, Loopback0
L        192.168.1.1/32 is directly connected, Loopback0
      209.165.201.0/24 is variably subnetted, 2 subnets, 2 masks
C        209.165.201.0/30 is directly connected, Serial0/0/0
L        209.165.201.2/32 is directly connected, Serial0/0/0
      209.165.202.0/24 is variably subnetted, 2 subnets, 2 masks
C        209.165.202.128/30 is directly connected, Serial0/0/1
L        209.165.202.130/32 is directly connected, Serial0/0/1
R1#
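The decision logic just configured on R1 (two tracked default routes at AD 2 and AD 3, plus the untracked AD 5 route that survives when both probes fail), replayed in Python as an added example that is not part of the lab or of IOS. The probe timeline is constructed; the 10-second cycle assumes the frequency 10 of the SLA operations, and the delay handling follows the delay down 10 up 1 setting. A real router also re-evaluates the RIB the moment a track changes state rather than only on probe completion, so treat the timestamps as illustrative.

```python
"""Model of IOS IP SLA reachability tracking driving floating static routes.

Added example, not part of the lab. It reproduces R1's decision logic from
Step 4: a tracked default via ISP1 (AD 2, track 1 -> ip sla 11), a tracked
default via ISP2 (AD 3, track 2 -> ip sla 22) and an untracked default via
ISP1 (AD 5) that remains when both probes fail. Probe results are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class TrackedObject:
    """'track N ip sla M reachability' with 'delay down D up U' (seconds)."""
    name: str
    delay_down: int
    delay_up: int
    up: bool = True                       # state currently reported to the RIB
    pending_since: Optional[int] = None   # when the probe first disagreed with 'up'

    def observe(self, probe_ok: bool, now: int) -> bool:
        """Feed one probe result at time 'now'; return True if the state changed."""
        if probe_ok == self.up:
            self.pending_since = None     # probe agrees again, cancel the delay timer
            return False
        if self.pending_since is None:
            self.pending_since = now
        delay = self.delay_up if probe_ok else self.delay_down
        if now - self.pending_since >= delay:
            self.up = probe_ok
            self.pending_since = None
            return True
        return False


@dataclass
class StaticRoute:
    next_hop: str
    admin_distance: int
    track: Optional[TrackedObject] = None   # None: untracked, always eligible

    def eligible(self) -> bool:
        return self.track is None or self.track.up


def best_default(routes: List[StaticRoute]) -> Optional[StaticRoute]:
    """Lowest administrative distance among eligible candidates, as the RIB would pick."""
    usable = [r for r in routes if r.eligible()]
    return min(usable, key=lambda r: r.admin_distance) if usable else None


def run_scenario() -> List[Tuple[int, str, int]]:
    """Replay a constructed timeline; return (time, next hop, AD) at each change."""
    track1 = TrackedObject("track 1 (ip sla 11)", delay_down=10, delay_up=1)
    track2 = TrackedObject("track 2 (ip sla 22)", delay_down=10, delay_up=1)
    routes = [
        StaticRoute("209.165.201.1", 2, track1),    # ip route 0.0.0.0 0.0.0.0 209.165.201.1 2 track 1
        StaticRoute("209.165.202.129", 3, track2),  # ip route 0.0.0.0 0.0.0.0 209.165.202.129 3 track 2
        StaticRoute("209.165.201.1", 5),            # ip route 0.0.0.0 0.0.0.0 209.165.201.1 5 (untracked)
    ]
    # Constructed probe results, one per 10-second SLA cycle (frequency 10):
    # ISP1's DNS fails from t=30 to t=140, ISP2's DNS fails from t=100 to t=190.
    timeline = [(t, not 30 <= t < 150, not 100 <= t < 200) for t in range(0, 230, 10)]
    changes, current = [], None
    for t, sla11_ok, sla22_ok in timeline:
        track1.observe(sla11_ok, t)
        track2.observe(sla22_ok, t)
        best = best_default(routes)   # the untracked AD 5 route guarantees a result
        state = (best.next_hop, best.admin_distance)
        if state != current:
            changes.append((t, *state))
            current = state
    return changes


if __name__ == "__main__":
    for t, nh, ad in run_scenario():
        print(f"t={t:3d}s  S* 0.0.0.0/0 [{ad}/0] via {nh}")
```

Running it shows the four transitions the lab exercises one at a time: the AD 2 route at start, the switch to ISP2 at AD 3 ten seconds after the first failed probe on operation 11, the fall-back to the untracked AD 5 route when operation 22 fails as well, and the return to AD 2 once operation 11 succeeds again. Note that the AD 5 route keeps sending traffic to ISP1 even while its DNS probe is failing; that is the intended last-resort behaviour, not an error.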

Step 5: Verify IP SLA operation.


a. On ISP1, disable the loopback interface 1.

ISP1(config)# int lo1
ISP1(config-if)# shutdown
ISP1(config-if)#
Jan 10 10:53:25.091: %LINK-5-CHANGED: Interface Loopback1, changed state to administratively down
Jan 10 10:53:26.091: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to down
ISP1(config-if)#

b. On R1, observe the debug output being generated. Recall that R1 will wait up to 10
seconds before initiating action; therefore, several seconds will elapse before the output is
generated.

R1#
Jan 10 10:53:59.551: %TRACK-6-STATE: 1 ip sla 11 reachability Up -> Down
Jan 10 10:53:59.551: RT: del 0.0.0.0 via 209.165.201.1, static metric [2/0]
Jan 10 10:53:59.551: RT: delete network route to 0.0.0.0/0
Jan 10 10:53:59.551: RT: default path has been cleared
Jan 10 10:53:59.551: RT: updating static 0.0.0.0/0 (0x0)  :
    via 209.165.202.129   0 1048578
Jan 10 10:53:59.551: RT: add 0.0.0.0/0 via 209.165.202.129, static metric [3/0]
Jan 10 10:53:59.551: RT: default path is now 0.0.0.0 via 209.165.202.129
Jan 10 10:53:59.551: RT: updating static 0.0.0.0/0 (0x0)  :
    via 209.165.201.1   0 1048578
Jan 10 10:53:59.551: RT: rib update return code: 17
Jan 10 10:53:59.551: RT: updating static 0.0.0.0/0 (0x0)  :
    via 209.165.202.129   0 1048578
Jan 10 10:53:59.551: RT: updating static 0.0.0.0/0 (0x0)  :
    via 209.165.201.1   0 1048578
Jan 10 10:53:59.551: RT: rib update return code: 17
R1#

c. On R1, verify the routing table.


R1# show ip route | begin Gateway
Gateway of last resort is 209.165.202.129 to network 0.0.0.0

S*    0.0.0.0/0 [3/0] via 209.165.202.129
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, Loopback0
L        192.168.1.1/32 is directly connected, Loopback0
      209.165.201.0/24 is variably subnetted, 2 subnets, 2 masks
C        209.165.201.0/30 is directly connected, Serial0/0/0
L        209.165.201.2/32 is directly connected, Serial0/0/0
      209.165.202.0/24 is variably subnetted, 2 subnets, 2 masks
C        209.165.202.128/30 is directly connected, Serial0/0/1
L        209.165.202.130/32 is directly connected, Serial0/0/1
R1#

The new static route has an administrative distance of 3, and traffic is now being forwarded to ISP2, as it should be.
d. Verify the IP SLA statistics.

R1# show ip sla statistics
IPSLAs Latest Operation Statistics

IPSLA operation id: 11
Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: 11:01:08 UTC Sat Jan 10 2015
Latest operation return code: Timeout
Number of successes: 173
Number of failures: 45
Operation time to live: Forever

IPSLA operation id: 22
Latest RTT: 8 milliseconds
Latest operation start time: 11:01:09 UTC Sat Jan 10 2015
Latest operation return code: OK
Number of successes: 218
Number of failures: 0
Operation time to live: Forever

R1#
e. On R1, initiate a trace to the web server from the internal LAN IP address.

R1# trace 209.165.200.254 source 192.168.1.1
Type escape sequence to abort.
Tracing the route to 209.165.200.254
VRF info: (vrf in name/id, vrf out name/id)
  1 209.165.202.129 4 msec *  *
R1#
f. On ISP1, re-enable the DNS address by issuing the no shutdown command on the loopback
1 interface to examine the routing behavior when connectivity to the ISP1 DNS is restored.

ISP1(config-if)# no shutdown
Jan 10 11:05:45.847: %LINK-3-UPDOWN: Interface Loopback1, changed state to up
Jan 10 11:05:46.847: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
ISP1(config-if)#

R1#
Jan 10 11:06:20.551: %TRACK-6-STATE: 1 ip sla 11 reachability Down -> Up
Jan 10 11:06:20.551: RT: updating static 0.0.0.0/0 (0x0)  :
    via 209.165.201.1   0 1048578
Jan 10 11:06:20.551: RT: closer admin distance for 0.0.0.0, flushing 1 routes
Jan 10 11:06:20.551: RT: add 0.0.0.0/0 via 209.165.201.1, static metric [2/0]
Jan 10 11:06:20.551: RT: updating static 0.0.0.0/0 (0x0)  :
    via 209.165.202.129   0 1048578
Jan 10 11:06:20.551: RT: rib update return code: 17
Jan 10 11:06:20.551: RT: updating static 0.0.0.0/0 (0x0)  :
    via 209.165.202.129   0 1048578
Jan 10 11:06:20.551: RT: rib update return code: 17
Jan 10 11:06:20.551: RT: updating static 0.0.0.0/0 (0x0)  :
    via 209.165.201.1   0 1048578
Jan 10 11:06:20.551: RT: rib update return code: 17
R1#

g. Again examine the IP SLA statistics.

R1# show ip sla statistics
IPSLAs Latest Operation Statistics

IPSLA operation id: 11
Latest RTT: 8 milliseconds
Latest operation start time: 11:07:38 UTC Sat Jan 10 2015
Latest operation return code: OK
Number of successes: 182
Number of failures: 75
Operation time to live: Forever

IPSLA operation id: 22
Latest RTT: 16 milliseconds
Latest operation start time: 11:07:39 UTC Sat Jan 10 2015
Latest operation return code: OK
Number of successes: 257
Number of failures: 0
Operation time to live: Forever

R1#
h. Verify the routing table.
R1# show ip route | begin Gateway
Gateway of last resort is 209.165.201.1 to network 0.0.0.0

S*    0.0.0.0/0 [2/0] via 209.165.201.1
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, Loopback0
L        192.168.1.1/32 is directly connected, Loopback0
      209.165.201.0/24 is variably subnetted, 2 subnets, 2 masks
C        209.165.201.0/30 is directly connected, Serial0/0/0
L        209.165.201.2/32 is directly connected, Serial0/0/0
      209.165.202.0/24 is variably subnetted, 2 subnets, 2 masks
C        209.165.202.128/30 is directly connected, Serial0/0/1
L        209.165.202.130/32 is directly connected, Serial0/0/1
R1#

PRACTICAL 7
AIM: Inter-VLAN Routing

TOPOLOGY:

Objectives
• Implement a Layer 3 EtherChannel
• Implement Static Routing
• Implement Inter-VLAN Routing

Part 1: Configure Multilayer Switching using Distribution Layer Switches.


Step 1: Load base config
DLS1# tclsh reset.tcl
Erasing the nvram filesystem will remove all configuration files! Continue?
[confirm]
[OK]
Erase of nvram: complete
Reloading the switch in 1 minute, type reload cancel to halt

Proceed with reload? [confirm]

*Mar 7 18:41:40.403: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of


nvram
*Mar 7 18:41:41.141: %SYS-5-RELOAD: Reload requested by console. Reload
Reason: Reload command.
<switch reloads - output omitted>
Would you like to enter the initial configuration dialog? [yes/no]: n
Switch> en
*Mar 1 00:01:30.915: %LINK-5-CHANGED: Interface Vlan1, changed state to
administratively down
Switch# copy BASE.CFG running-config
Destination filename [running-config]?
184 bytes copied in 0.310 secs (594 bytes/sec)
DLS1#

Step 2: Verify switch management database configuration.

ALS1# sho sdm pref


The current template is "default" template.
<output omitted>
ALS1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
ALS1(config)# sdm pref lanbase-routing
Changes to the running SDM preferences have been stored, but cannot take
effect until the next reload.
Use 'show sdm prefer' to see what SDM preference is currently active.
ALS1(config)# end
ALS1# reload

System configuration has been modified. Save? [yes/no]: y


*Mar 1 02:12:00.699: %SYS-5-CONFIG_I: Configured from console by console

Building configuration...
[OK]
Proceed with reload? [confirm]

Step 3: Configure layer 3 interfaces on the DLS switches.


Switch   Interface    Address/Mask
DLS1     VLAN 99      10.1.99.1/24
DLS1     Loopback 1   172.16.1.1/24
DLS2     VLAN 110     10.1.110.1/24
DLS2     VLAN 120     10.1.120.1/24
DLS2     Loopback 1   192.168.1.1/24

DLS2(config)# ip routing
DLS2(config)# vlan 110
DLS2(config-vlan)# name Management
DLS2(config-vlan)# exit
DLS2(config)# vlan 120
DLS2(config-vlan)# name Local
DLS2(config-vlan)# exit
DLS2(config)# int vlan 110
DLS2(config-if)# ip address 10.1.110.1 255.255.255.0
DLS2(config-if)# no shut
DLS2(config-if)# exit
DLS2(config)# int vlan 120
DLS2(config-if)# ip address 10.1.120.1 255.255.255.0
DLS2(config-if)# no shut
DLS2(config-if)# exit
DLS2(config)# int loopback 1
DLS2(config-if)# ip address 192.168.1.1 255.255.255.0
DLS2(config-if)# no shut
DLS2(config-if)# exit
DLS2(config)#

DLS2(config)# int f0/6
DLS2(config-if)# switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled
DLS2(config-if)# switchport access vlan 110
DLS2(config-if)# no shut
DLS2(config-if)# exit
DLS2(config)#

Step 4: Configure a Layer 3 Etherchannel between DLS1 and DLS2.


Switch   Interface        Address/Mask
DLS1     Port-channel 2   172.16.12.1/30
DLS2     Port-channel 2   172.16.12.2/30

DLS1(config)# interface range f0/11-12


DLS1(config-if-range)# no switchport
DLS1(config-if-range)# channel-group 2 mode desirable
Creating a port-channel interface Port-channel 2

DLS1(config-if-range)# no shut
DLS1(config-if-range)# exit
DLS1(config)# interface port-channel 2
DLS1(config-if)# ip address 172.16.12.1 255.255.255.252
DLS1(config-if)# no shut
DLS1(config-if)# exit
DLS1(config)#

DLS2# show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator

        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
2      Po2(RU)         PAgP      Fa0/11(P)   Fa0/12(P)

DLS2# ping 172.16.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.12.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/9 ms
DLS2#

Step 5: Configure default routing between DLS switches

DLS1(config)# ip route 0.0.0.0 0.0.0.0 port-channel 2


%Default route without gateway, if not a point-to-point interface, may impact
performance
DLS1(config)# ip route 0.0.0.0 0.0.0.0 port-channel 2 172.16.12.2
DLS1(config)#
DLS2# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

<output omitted>
Gateway of last resort is 172.16.12.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 172.16.12.1, Port-channel2


10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.1.110.0/24 is directly connected, Vlan110
L 10.1.110.1/32 is directly connected, Vlan110
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.12.0/30 is directly connected, Port-channel2
L 172.16.12.2/32 is directly connected, Port-channel2
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Loopback1
L 192.168.1.1/32 is directly connected, Loopback1

DLS2# ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
DLS2#

Step 6: Configure the remaining EtherChannels for the topology

Endpoint 1     Channel number   Endpoint 2     VLANs Allowed
ALS1 F0/7-8    1                DLS1 F0/7-8    All except 110
ALS1 F0/9-10   4                DLS2 F0/9-10   110 Only
ALS2 F0/7-8    3                DLS2 F0/7-8    All

Example from ALS1:


ALS1(config)# interface range f0/7-8
ALS1(config-if-range)# switchport mode trunk
ALS1(config-if-range)# switchport trunk allowed vlan except 110
ALS1(config-if-range)# channel-group 1 mode desirable
Creating a port-channel interface Port-channel 1

ALS1(config-if-range)# no shut
ALS1(config-if-range)# exit
ALS1(config)# interface range f0/9-10
ALS1(config-if-range)# switchport mode trunk
ALS1(config-if-range)# switchport trunk allowed vlan 110
ALS1(config-if-range)# channel-group 4 mode desirable
Creating a port-channel interface Port-channel 4
ALS1(config-if-range)# no shut
ALS1(config-if-range)# exit

ALS1(config)#end
ALS1# show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator

        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 2
Number of aggregators:           2

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         PAgP      Fa0/7(P)    Fa0/8(P)
4      Po4(SU)         PAgP      Fa0/9(P)    Fa0/10(P)

ALS1# show interface trunk

Port        Mode             Encapsulation  Status        Native vlan
Po1         on               802.1q         trunking      1
Po4         on               802.1q         trunking      1

Port        Vlans allowed on trunk
Po1         1-109,111-4094
Po4         110
<output omitted>
ALS1#
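A check that the allowed-VLAN lists in show interface trunk actually match the design table from Step 6 (Po1 everything except 110, Po4 only 110), written in Python as an added example; it is not part of the lab and does not talk to a switch. The first sample is constructed from the ALS1 output above, the second is a constructed misconfiguration in which the switchport trunk allowed vlan except 110 line was forgotten on Po1, so the VLAN that the design confines to the DLS2 link leaks onto the DLS1 trunk. The parser and the DESIGN mapping are my assumptions about how such an audit would be laid out.

```python
"""Verify trunk VLAN pruning from 'show interface trunk' against the design table.

Added example, not part of the lab. The design from Step 6 says Po1 (to DLS1)
carries every VLAN except 110 and Po4 (to DLS2) carries only VLAN 110. Sample
output is constructed from the lab's ALS1 output; a second sample is a
deliberately wrong variant in which VLAN 110 leaks onto Po1.
"""
import re
from typing import Dict, Iterable, List, Set

ALL_VLANS = set(range(1, 4095))

DESIGN: Dict[str, Set[int]] = {
    "Po1": ALL_VLANS - {110},   # ALS1 F0/7-8 -> DLS1: all except 110
    "Po4": {110},               # ALS1 F0/9-10 -> DLS2: 110 only
}

# Constructed from the lab's ALS1 output (trailing sections omitted as on the page).
SHOW_TRUNK_OK = """\
Port        Mode             Encapsulation  Status        Native vlan
Po1         on               802.1q         trunking      1
Po4         on               802.1q         trunking      1

Port        Vlans allowed on trunk
Po1         1-109,111-4094
Po4         110
<output omitted>
"""

# Constructed misconfiguration: the 'except 110' pruning is missing on Po1.
SHOW_TRUNK_LEAK = SHOW_TRUNK_OK.replace("1-109,111-4094", "1-4094")


def expand_vlan_list(spec: str) -> Set[int]:
    """'1-109,111-4094' -> {1..109, 111..4094}; 'none' -> empty set."""
    vlans: Set[int] = set()
    spec = spec.strip().lower()
    if spec in ("", "none"):
        return vlans
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def summarize(vlans: Iterable[int]) -> str:
    """Compress VLAN ids back into IOS range notation, e.g. '1-3,5,7-8'."""
    out, start, prev = [], None, None
    for v in sorted(vlans):
        if start is None:
            start = prev = v
        elif v == prev + 1:
            prev = v
        else:
            out.append(f"{start}-{prev}" if start != prev else str(start))
            start = prev = v
    if start is not None:
        out.append(f"{start}-{prev}" if start != prev else str(start))
    return ",".join(out)


def parse_allowed_vlans(show_output: str) -> Dict[str, Set[int]]:
    """Return {port: allowed VLAN set} from the 'Vlans allowed on trunk' section."""
    allowed: Dict[str, Set[int]] = {}
    in_section = False
    for line in show_output.splitlines():
        stripped = line.strip()
        if stripped.startswith("Port") and "Vlans allowed on trunk" in stripped:
            in_section = True
            continue
        if not in_section:
            continue
        if not stripped or stripped.startswith("Port") or stripped.startswith("<"):
            break   # blank line, next header or '<output omitted>' ends the section
        m = re.match(r"^(\S+)\s+(\S+)$", stripped)
        if m:
            allowed[m.group(1)] = expand_vlan_list(m.group(2))
    return allowed


def audit(show_output: str, design: Dict[str, Set[int]] = DESIGN) -> List[str]:
    """Compare parsed trunks with the design; an empty list means no findings."""
    findings: List[str] = []
    actual = parse_allowed_vlans(show_output)
    for port, expected in design.items():
        if port not in actual:
            findings.append(f"{port}: not present in trunk output")
            continue
        extra = actual[port] - expected
        missing = expected - actual[port]
        if extra:
            findings.append(f"{port}: unexpected VLANs allowed {summarize(extra)}")
        if missing:
            findings.append(f"{port}: VLANs missing from trunk {summarize(missing)}")
    return findings


if __name__ == "__main__":
    print("lab output:", audit(SHOW_TRUNK_OK) or "matches design")
    print("leak sample:", audit(SHOW_TRUNK_LEAK))
```

The same audit can be run on the DLS-side outputs, since an EtherChannel trunk negotiates the allowed list per end and a mismatch on either side is equally a finding.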

Step 7: Enable and Verify Layer 3 connectivity across the network

ALS2(config)# vlan 120


ALS2(config-vlan)# name Management
ALS2(config-vlan)# exit
ALS2(config)# int vlan 120
ALS2(config-if)# ip address 10.1.120.2 255.255.255.0
ALS2(config-if)# no shut
ALS2(config-if)# exit
ALS2(config)# ip default-gateway 10.1.120.1
ALS2(config)# end
ALS2# ping 10.1.99.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.99.2, timeout is 2 seconds: ..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 1/3/8 ms
ALS2#
ALS2# traceroute 10.1.99.2
Type escape sequence to abort.
Tracing the route to 10.1.99.2
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.120.1 0 msec 0 msec 8 msec
  2 172.16.12.1 0 msec 0 msec 8 msec
  3 10.1.99.2 0 msec 0 msec *
ALS2#

Part 2: Configure Multilayer Switching at ALS1


Step 1: Configure additional VLANs and VLAN interfaces
ALS1(config)# ip routing
ALS1(config)# vlan 100
ALS1(config-vlan)# name Local
ALS1(config-vlan)# exit
ALS1(config)# vlan 110
ALS1(config-vlan)# name InterNode
ALS1(config-vlan)# exit
ALS1(config)# int vlan 100
ALS1(config-if)# ip address 10.1.100.1 255.255.255.0
ALS1(config-if)# no shut
ALS1(config-if)# exit
ALS1(config)# int vlan 110
ALS1(config-if)# ip address 10.1.110.2 255.255.255.0
ALS1(config-if)# no shut
ALS1(config-if)# exit
ALS1(config)#

Step 2: Configure and test Host Access

ALS1(config)# interface f0/6
ALS1(config-if)# switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled
ALS1(config-if)# switchport access vlan 100
ALS1(config-if)# no shut
ALS1(config-if)# exit

Step 3: Configure and verify static routing across the network

ALS1(config)# ip route 192.168.1.0 255.255.255.0 vlan 110
ALS1(config)# ip route 0.0.0.0 0.0.0.0 10.1.99.1
ALS1(config)# end
ALS1# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 10.1.99.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.1.99.1
      10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C        10.1.99.0/24 is directly connected, Vlan99
L        10.1.99.2/32 is directly connected, Vlan99
C        10.1.100.0/24 is directly connected, Vlan100
L        10.1.100.1/32 is directly connected, Vlan100
C        10.1.110.0/24 is directly connected, Vlan110
L        10.1.110.2/32 is directly connected, Vlan110
S     192.168.1.0/24 is directly connected, Vlan110

ALS1# traceroute 10.1.120.2
Type escape sequence to abort.
Tracing the route to 10.1.120.2
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.99.1 0 msec 0 msec 0 msec
  2 172.16.12.2 9 msec 0 msec 0 msec
  3 10.1.120.2 0 msec 8 msec *
ALS1#
From ALS1, a traceroute to 192.168.1.1 should take one hop:
ALS1# traceroute 192.168.1.1
Type escape sequence to abort.

Tracing the route to 192.168.1.1


VRF info: (vrf in name/id, vrf out name/id)
1 10.1.110.1 0 msec 0 msec *
ALS1#

PRACTICAL 8
AIM: Cisco MPLS Configuration

TOPOLOGY:

R1
hostname R1
int lo0
 ip add 1.1.1.1 255.255.255.255
 ip ospf 1 area 0
int f0/0
 ip add 10.0.0.1 255.255.255.0
 no shut
 ip ospf 1 area 0

R2
hostname R2
int lo0
 ip add 2.2.2.2 255.255.255.255
 ip ospf 1 area 0
int f0/0
 ip add 10.0.0.2 255.255.255.0
 no shut
 ip ospf 1 area 0
int f0/1
 ip add 10.0.1.2 255.255.255.0
 no shut
 ip ospf 1 area 0

R3
hostname R3
int lo0
 ip add 3.3.3.3 255.255.255.255
 ip ospf 1 area 0
int f0/0
 ip add 10.0.1.3 255.255.255.0
 no shut
 ip ospf 1 area 0

R1#ping 3.3.3.3 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/52/64 ms
R1#

Step 2 – Configure LDP on all the interfaces in the MPLS core

R1
router ospf 1
 mpls ldp autoconfig

R2
router ospf 1
 mpls ldp autoconfig

R3
router ospf 1
 mpls ldp autoconfig

R2#
*Mar  1 00:31:53.643: %SYS-5-CONFIG_I: Configured from console
*Mar  1 00:31:54.423: %LDP-5-NBRCHG: LDP Neighbor 1.1.1.1:0 (1) is UP
R2#
*Mar  1 00:36:09.951: %LDP-5-NBRCHG: LDP Neighbor 3.3.3.3:0 (2) is UP
R2#sh mpls interface
Interface              IP            Tunnel   Operational
FastEthernet0/0        Yes (ldp)     No       Yes
FastEthernet0/1        Yes (ldp)     No       Yes
R2#sh mpls ldp neigh
    Peer LDP Ident: 1.1.1.1:0; Local LDP Ident 2.2.2.2:0
        TCP connection: 1.1.1.1.646 - 2.2.2.2.37909
        State: Oper; Msgs sent/rcvd: 16/17; Downstream
        Up time: 00:07:46
        LDP discovery sources:
          FastEthernet0/0, Src IP addr: 10.0.0.1
        Addresses bound to peer LDP Ident:
          10.0.0.1        1.1.1.1
    Peer LDP Ident: 3.3.3.3:0; Local LDP Ident 2.2.2.2:0
        TCP connection: 3.3.3.3.22155 - 2.2.2.2.646
        State: Oper; Msgs sent/rcvd: 12/11; Downstream
        Up time: 00:03:30
        LDP discovery sources:
          FastEthernet0/1, Src IP addr: 10.0.1.3
        Addresses bound to peer LDP Ident:
          10.0.1.3        3.3.3.3
R1#trace 3.3.3.3
Type escape sequence to abort.
Tracing the route to 3.3.3.3

  1 10.0.0.2 [MPLS: Label 17 Exp 0] 84 msec 72 msec 44 msec
  2 10.0.1.3 68 msec 60 msec *

Step 3 – MPLS BGP Configuration between R1 and R3

R1
router bgp 1
 neighbor 3.3.3.3 remote-as 1
 neighbor 3.3.3.3 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
  neighbor 3.3.3.3 activate

R3
router bgp 1
 neighbor 1.1.1.1 remote-as 1
 neighbor 1.1.1.1 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
  neighbor 1.1.1.1 activate

*Mar  1 00:45:01.047: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Up

R1#sh bgp vpnv4 unicast all summary
BGP router identifier 1.1.1.1, local AS number 1
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
3.3.3.3         4     1     218     218        1    0    0 03:17:48        0

Step 4 – Add two more routers, create VRFs

R4
int lo0
 ip add 4.4.4.4 255.255.255.255
 ip ospf 2 area 2
int f0/0
 ip add 192.168.1.4 255.255.255.0
 ip ospf 2 area 2
 no shut

R1
int f0/1
 no shut
 ip add 192.168.1.1 255.255.255.0

R1
ip vrf RED
 rd 4:4
 route-target both 4:4

R1
int f0/1
 ip vrf forwarding RED

R1(config-if)#ip vrf forwarding RED
% Interface FastEthernet0/1 IP address 192.168.1.1 removed due to enabling VRF RED

R1
int f0/1
 ip address 192.168.1.1 255.255.255.0

R1#sh run int f0/1
Building configuration...

Current configuration : 119 bytes
!
interface FastEthernet0/1
 ip vrf forwarding RED
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
end
R1#
R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
     2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/11] via 10.0.0.2, 01:03:48, FastEthernet0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/21] via 10.0.0.2, 01:02:29, FastEthernet0/0
     10.0.0.0/24 is subnetted, 2 subnets
C       10.0.0.0 is directly connected, FastEthernet0/0
O       10.0.1.0 [110/20] via 10.0.0.2, 01:02:39, FastEthernet0/0
R1#
R1#sh ip route vrf red
% IP routing table red does not exist
R1#sh ip route vrf RED

Routing Table: RED
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.1.0/24 is directly connected, FastEthernet0/1
R1#

R1
int f0/1
 ip ospf 2 area 2

R1(config-if)#
*Mar  1 01:12:54.323: %OSPF-5-ADJCHG: Process 2, Nbr 4.4.4.4 on FastEthernet0/1 from LOADING to FULL, Loading Done

R1#sh ip route vrf RED

Routing Table: RED
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     4.0.0.0/32 is subnetted, 1 subnets
O       4.4.4.4 [110/11] via 192.168.1.4, 00:00:22, FastEthernet0/1
C    192.168.1.0/24 is directly connected, FastEthernet0/1
R1#

R6
int lo0
 ip add 6.6.6.6 255.255.255.255
 ip ospf 2 area 2
int f0/0
 ip add 192.168.2.6 255.255.255.0
 ip ospf 2 area 2
 no shut

R3
int f0/1
 no shut
 ip add 192.168.2.3 255.255.255.0

R3
ip vrf RED
 rd 4:4
 route-target both 4:4

R3
int f0/1
 ip vrf forwarding RED

R3(config-if)#ip vrf forwarding RED
% Interface FastEthernet0/1 IP address 192.168.2.1 removed due to enabling VRF RED

R3
int f0/1
 ip address 192.168.2.1 255.255.255.0

R3#sh run int f0/1
Building configuration...

Current configuration : 119 bytes
!
interface FastEthernet0/1
 ip vrf forwarding RED
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
end

Finally, enable OSPF on that interface and verify that the routes appear in the RED routing table.

R3
int f0/1
 ip ospf 2 area 2

R3#sh ip route vrf RED
Routing Table: RED
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

Gateway of last resort is not set

     6.0.0.0/32 is subnetted, 1 subnets
O       6.6.6.6 [110/11] via 192.168.2.6, 00:02:44, FastEthernet0/1
C    192.168.2.0/24 is directly connected, FastEthernet0/1
R3#

Check the routes on R4

R4#sh ip route
     4.0.0.0/32 is subnetted, 1 subnets
C       4.4.4.4 is directly connected, Loopback0
C    192.168.1.0/24 is directly connected, FastEthernet0/0

Check the routes on R1

R1#sh ip route
     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
     2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/11] via 10.0.0.2, 00:01:04, FastEthernet0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/21] via 10.0.0.2, 00:00:54, FastEthernet0/0
     10.0.0.0/24 is subnetted, 2 subnets
C       10.0.0.0 is directly connected, FastEthernet0/0
O       10.0.1.0 [110/20] via 10.0.0.2, 00:00:54, FastEthernet0/0

Routing Table: RED
     4.0.0.0/32 is subnetted, 1 subnets
O       4.4.4.4 [110/11] via 192.168.1.4, 00:02:32, FastEthernet0/1
C    192.168.1.0/24 is directly connected, FastEthernet0/1

R1
router bgp 1
 address-family ipv4 vrf RED
  redistribute ospf 2

R3
router bgp 1
 address-family ipv4 vrf RED
  redistribute ospf 2


R1#sh ip bgp vpnv4 vrf RED
BGP table version is 9, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 4:4 (default for vrf RED)
*> 4.4.4.4/32       192.168.1.4             11         32768 ?
*>i6.6.6.6/32       3.3.3.3                 11    100      0 ?
*> 192.168.1.0      0.0.0.0                  0         32768 ?
*>i192.168.2.0      3.3.3.3                  0    100      0 ?

R3#sh ip bgp vpnv4 vrf RED
BGP table version is 9, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 4:4 (default for vrf RED)
*>i4.4.4.4/32       1.1.1.1                 11    100      0 ?
*> 6.6.6.6/32       192.168.2.6             11         32768 ?
*>i192.168.1.0      1.1.1.1                  0    100      0 ?
*> 192.168.2.0      0.0.0.0                  0         32768 ?


R1
router ospf 2
 redistribute bgp 1 subnets

R3
router ospf 2
 redistribute bgp 1 subnets

R4#sh ip route
     4.0.0.0/32 is subnetted, 1 subnets
C       4.4.4.4 is directly connected, Loopback0
     6.0.0.0/32 is subnetted, 1 subnets
O IA    6.6.6.6 [110/21] via 192.168.1.1, 00:01:31, FastEthernet0/0
C    192.168.1.0/24 is directly connected, FastEthernet0/0
O E2 192.168.2.0/24 [110/1] via 192.168.1.1, 00:01:31, FastEthernet0/0

R6#sh ip route
     4.0.0.0/32 is subnetted, 1 subnets
O IA    4.4.4.4 [110/21] via 192.168.2.1, 00:01:22, FastEthernet0/0
     6.0.0.0/32 is subnetted, 1 subnets
C       6.6.6.6 is directly connected, Loopback0
O IA 192.168.1.0/24 [110/11] via 192.168.2.1, 00:01:22, FastEthernet0/0
C    192.168.2.0/24 is directly connected, FastEthernet0/0

R4#ping 6.6.6.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/48/52 ms

R4#trace 6.6.6.6
Type escape sequence to abort.
Tracing the route to 6.6.6.6

  1 192.168.1.1 20 msec 8 msec 8 msec
  2 10.0.0.2 [MPLS: Labels 17/20 Exp 0] 36 msec 40 msec 36 msec
  3 192.168.2.1 [MPLS: Label 20 Exp 0] 16 msec 40 msec 16 msec
  4 192.168.2.6 44 msec 40 msec 56 msec
R4#
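The mechanism behind the VPNv4 tables above (why 6.6.6.6/32 from R3 lands in R1's RED table and not anywhere else), modelled in Python as an added example; it is not part of the lab and not IOS code. It reproduces the RED VRF exactly as configured (rd 4:4, route-target both 4:4) with the CE prefixes the lab shows, and goes one step beyond the page by adding a constructed BLUE VRF on R3 (rd 5:5, route-target both 5:5, a name and values that are my assumption) that reuses RED's 192.168.1.0/24. The RD keeps the two 192.168.1.0/24 advertisements distinct in the VPNv4 table, and the RT mismatch is what keeps BLUE from importing RED's routes. This is the property to verify whenever two customers share a PE: a VRF that imports an RT it should not is a cross-customer leak.

```python
"""Model of RD and route-target handling for the RED VRF across R1 and R3.

Added example, not part of the lab. It reproduces the page's RED VRF (rd 4:4,
route-target both 4:4) on both PEs with the CE prefixes seen in the lab, and
adds a constructed BLUE VRF (rd 5:5, route-target both 5:5) on R3 that reuses
one of RED's prefixes to show why the RD keeps the two apart and why the RT
mismatch keeps BLUE from ever importing RED's routes.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str                         # route distinguisher, prepended to the IPv4 prefix
    prefix: str
    next_hop: str                   # advertising PE loopback, reached over the LDP LSP
    route_targets: FrozenSet[str]   # extended communities attached at export


@dataclass
class Vrf:
    name: str
    rd: str
    export_rt: Set[str]
    import_rt: Set[str]
    local_routes: Dict[str, str] = field(default_factory=dict)   # prefix -> CE next hop
    imported: Dict[str, str] = field(default_factory=dict)       # prefix -> remote PE


@dataclass
class PE:
    name: str
    loopback: str
    vrfs: Dict[str, Vrf] = field(default_factory=dict)

    def export_vpnv4(self) -> List[Vpnv4Route]:
        """'address-family ipv4 vrf X / redistribute ospf 2': RD-prefix the route, tag RTs."""
        return [Vpnv4Route(v.rd, p, self.loopback, frozenset(v.export_rt))
                for v in self.vrfs.values() for p in v.local_routes]

    def import_vpnv4(self, routes: List[Vpnv4Route]) -> None:
        """Install each received VPNv4 route into every local VRF whose import RTs match."""
        for r in routes:
            if r.next_hop == self.loopback:
                continue          # our own advertisement, not a remote route
            for v in self.vrfs.values():
                if r.route_targets & v.import_rt:
                    v.imported[r.prefix] = r.next_hop


def build_lab() -> Tuple[PE, PE, List[Vpnv4Route]]:
    """Set up R1 and R3 as in the lab plus the constructed BLUE VRF; return the result."""
    r1 = PE("R1", "1.1.1.1")
    r3 = PE("R3", "3.3.3.3")
    r1.vrfs["RED"] = Vrf("RED", "4:4", {"4:4"}, {"4:4"},
                         {"4.4.4.4/32": "192.168.1.4", "192.168.1.0/24": "0.0.0.0"})
    r3.vrfs["RED"] = Vrf("RED", "4:4", {"4:4"}, {"4:4"},
                         {"6.6.6.6/32": "192.168.2.6", "192.168.2.0/24": "0.0.0.0"})
    # Constructed second customer: same IPv4 prefix as RED's CE segment, different RD and RT.
    r3.vrfs["BLUE"] = Vrf("BLUE", "5:5", {"5:5"}, {"5:5"}, {"192.168.1.0/24": "0.0.0.0"})
    advertised = r1.export_vpnv4() + r3.export_vpnv4()   # iBGP vpnv4 between 1.1.1.1 and 3.3.3.3
    r1.import_vpnv4(advertised)
    r3.import_vpnv4(advertised)
    return r1, r3, advertised


def vrf_table(pe: PE, vrf: str) -> Dict[str, str]:
    """What 'sh ip route vrf <name>' would list after import: local plus imported prefixes."""
    v = pe.vrfs[vrf]
    return {**v.local_routes, **v.imported}


if __name__ == "__main__":
    r1, r3, adv = build_lab()
    for pe, name in ((r1, "RED"), (r3, "RED"), (r3, "BLUE")):
        print(f"{pe.name} vrf {name}: {vrf_table(pe, name)}")
    print("distinct RD:prefix keys:", len({(r.rd, r.prefix) for r in adv}),
          "distinct IPv4 prefixes:", len({r.prefix for r in adv}))
```

The imported entries for RED match the *>i rows in the sh ip bgp vpnv4 vrf RED tables above (next hop 3.3.3.3 on R1, 1.1.1.1 on R3), and BLUE imports nothing even though it sits on the same PE and carries an overlapping prefix.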
