Security in Computing Practical - Compressed

security in computing sem 6 bsc it

Uploaded by JYOTI YADAV

PRACTICAL 1

Configure Routers

a) OSPF MD5 authentication.

OSPF (Open Shortest Path First) uses Dijkstra's algorithm: it calculates every path and takes the shortest one.

MD5 (Message Digest 5) is a hashing algorithm; it adds a hash value along with each OSPF packet.

Illustration (toy hash from the original figure): message 213, digit sum 2+1+3 = 6 used as the hash value [223].
TOPOLOGY:

PROCESS:

1. Firstly, make a topology.


2. After that make the various configurations.
3. In PC0
4. In PC1,

5. NTP Server,
6. SYSLOG Server

7. In Router 0,

8. In Router 1
9. Now we have to configure OSPF MD5 Authentication.
In Router 0,CLI:

Type Commands as Follows:

1. Exit
2. enable
3. router ospf 1
4. network 192.168.1.0 0.255.255.255 area 1
5. network 192.168.2.0 0.255.255.255 area 1
6. exit

In Router 1,CLI:

Type Commands as follows:


1. network 192.168.2.0 0.255.255.255 area 1
2. network 192.168.3.0 0.255.255.255 area 1

10. In PC1,Desktop, Command Prompt.

Type Following Commands.

1. ping 192.168.1.2
2. ping 192.168.1.3
If the packets are transferred, OSPF is enabled.

11. In Router 0, CLI,

Type Commands:
1. enable
2. conf
3. interface GigabitEthernet 0/1
4. ip ospf authentication message-digest
5. ip ospf message-digest-key 1 md5 smile
6. exit
7. Exit.

In Router 1,
All Commands are the same as above.

12. In Router 0, cmd


Type Command : show ip ospf interface GigabitEthernet 0/1

This is the output for this practical; it shows that OSPF MD5 authentication has been configured.
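What `ip ospf authentication message-digest` and `ip ospf message-digest-key 1 md5 smile` actually add to each packet is the digest described in RFC 2328 Appendix D: MD5 over the OSPF packet followed by the shared key, plus a cryptographic sequence number against replay. The following is an added example, not output from the Packet Tracer lab: the Hello packet, router ID and area ID are constructed, the `build_ospf_hello`, `sign` and `verify` helpers are my own, and only the key `smile` with key ID 1 comes from the lab command.

```python
"""OSPFv2 cryptographic authentication (AuType 2, MD5), RFC 2328 Appendix D.
Added illustration: the OSPF Hello, router ID and area ID below are constructed;
only key ID 1 / key 'smile' mirror 'ip ospf message-digest-key 1 md5 smile'."""
import hashlib
import hmac
import struct

AUTYPE_CRYPTO = 2     # AuType value for cryptographic authentication
AUTH_DATA_LEN = 16    # length of the MD5 digest appended after the packet


def build_ospf_hello(router_id, area_id, key_id, crypto_seq, body):
    """Return an OSPFv2 Hello (type 1) whose 64-bit authentication field is laid
    out for cryptographic authentication: 2 reserved bytes, Key ID, Auth Data
    Len and the 32-bit cryptographic sequence number. With AuType 2 the
    checksum field is zero and the packet length does NOT include the digest."""
    length = 24 + len(body)
    header = struct.pack("!BBH4s4sHH", 2, 1, length, router_id, area_id,
                         0, AUTYPE_CRYPTO)
    auth_field = struct.pack("!HBBI", 0, key_id, AUTH_DATA_LEN, crypto_seq)
    return header + auth_field + body


def ospf_md5_digest(packet, key):
    """MD5 over the OSPF packet followed by the key, zero-padded to 16 bytes.
    The key itself is never transmitted; only this digest is."""
    padded_key = key.encode()[:AUTH_DATA_LEN].ljust(AUTH_DATA_LEN, b"\x00")
    return hashlib.md5(packet + padded_key).digest()


def sign(packet, key):
    """Sender side: append the 16-byte digest after the OSPF packet."""
    return packet + ospf_md5_digest(packet, key)


def verify(wire_bytes, key, last_seq_seen):
    """Receiver side. Returns (accepted, crypto_seq). Rejects a packet whose
    digest does not match (modified packet or different key) and a packet whose
    cryptographic sequence number is lower than the last one accepted from this
    neighbour (a replayed packet)."""
    if len(wire_bytes) < 24 + AUTH_DATA_LEN:
        return False, None
    packet, digest = wire_bytes[:-AUTH_DATA_LEN], wire_bytes[-AUTH_DATA_LEN:]
    version, _ptype, length = struct.unpack("!BBH", packet[:4])
    autype, = struct.unpack("!H", packet[14:16])
    _res, _key_id, auth_len, crypto_seq = struct.unpack("!HBBI", packet[16:24])
    if version != 2 or length != len(packet) or autype != AUTYPE_CRYPTO:
        return False, None
    if auth_len != AUTH_DATA_LEN or crypto_seq < last_seq_seen:
        return False, crypto_seq
    expected = ospf_md5_digest(packet, key)
    return bool(hmac.compare_digest(expected, digest)), crypto_seq


def demo():
    key = "smile"                                  # key ID 1 in the lab
    # Constructed Hello body (20 bytes): mask /24, hello 10 s, options E,
    # priority 1, dead interval 40 s, DR and BDR 0.0.0.0
    body = (bytes([255, 255, 255, 0]) + struct.pack("!HBB", 10, 0x02, 1)
            + struct.pack("!I", 40) + bytes(8))
    pkt = build_ospf_hello(bytes([192, 168, 2, 1]), bytes([0, 0, 0, 1]),
                           key_id=1, crypto_seq=1000, body=body)
    wire = sign(pkt, key)
    genuine, seq = verify(wire, key, last_seq_seen=0)
    tampered = bytearray(wire)
    tampered[24] ^= 0x01                           # flip one bit of the network mask
    modified, _ = verify(bytes(tampered), key, 0)
    wrong_key, _ = verify(wire, "frown", 0)
    replayed, _ = verify(wire, key, last_seq_seen=seq + 1)  # router already saw 1001
    return {"genuine": genuine, "modified": modified,
            "wrong_key": wrong_key, "replayed": replayed}


if __name__ == "__main__":
    print(demo())
```

Only the genuine packet is accepted; a one-bit change, a neighbour configured with a different key, or a packet older than the last sequence number seen all fail, which is why the two routers in the lab have to carry the same key ID and key string on the shared link.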

b) NTP

● NTP (Network Time Protocol): used for time synchronization.
● Time and calendar settings (clock and calendar settings).
● TCP protocol.

Configure the NTP server and enable the NTP service.
Now go to the CLI of Router0 and type the following commands on both routers:

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ntp server 192.168.1.3
Router(config)#ntp up
Router(config)#ntp update-calendar
Router(config)#exit
Router#
%SYS-5-CONFIG_I: Configured from console by console

To verify the Output we use the following command

Router#show clock
*0:23:41.789 UTC Mon Mar 1 1993
Router#show clock
19:10:42.287 UTC Tue Apr 23 2024
c) SYSLOG

Configure SYSLOG Server and enable the service

● Syslog is a way for network devices to send event messages to a logging server, usually known as a Syslog server.
● The Syslog protocol is supported by a wide range of devices and can be used to log different types of events.

Turn ON the SYSLOG service on the server

Now Go to CLI Mode of any Router and type the following commands in all the
Routers.

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#logging 192.168.1.2
Router(config)#exit
Router#
d) SSH
● An SSH server is a software program which uses the secure
shell protocol to accept connections from remote computers.
● The way SSH works is by making use of a client-server model to
allow for authentication of two remote systems and encryption
of the data that passes between them.

Now Go to CLI Mode of both the routers and type the following commands.

Router#
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip domain-name ismail.com
Router(config)#hostname R1
R1(config)#crypto key generate rsa
The name for the keys will be: R1.ismail.com
Choose the size of the key modulus in the range of 360 to 4096 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 512
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]
R1(config)#line vty 0 4
*Apr 23 19:22:43.332: RSA key size needs to be at least 768 bits for ssh
version 2
*Apr 23 19:22:43.337: %SSH-5-ENABLED: SSH 1.5 has been enabled
R1(config-line)#transport input ssh
R1(config-line)#login local
R1(config-line)#exit
R1(config)#username ismail privilege 15 password cisco
R1(config)#

Output:

1. Go to the command prompt of PC1 and type the command:

2. ssh -l ismail 192.168.3.1 and type the password cisco

Hence SSH is also verified.


PRACTICAL 2
1. Configure a local user account on the router and configure local AAA
authentication on the console and vty lines.
2. Verify local AAA authentication from the router console and the
PC-A client.
● AAA: Authentication, Authorization, Accounting
● Terminal Access Controller Access-Control System (TACACS): proprietary protocol, uses TCP port 49, AAA
● RADIUS: open standard, uses UDP, AAA
Go to Router0, CLI:

Router(config)#conf t
%Invalid hex value
Router(config)#aaa new-model
Router(config)#tacacs-server host 192.168.2.3 key CISCO
Router(config)#radius-server host 192.168.2.2 key CISCO
Router(config)#aaa authentication login tyit group tacacs+ group radius
local
Router(config)#line vty 0 4
Router(config-line)#login authentication tyit
Router(config-line)#exit
Router(config)#

After performing all these steps, go to both PCs' command prompts and do the necessary configurations.

PC0: TACACS (TACACS ON, RADIUS OFF)
PC1: RADIUS (TACACS ON, RADIUS OFF)
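The method list `aaa authentication login tyit group tacacs+ group radius local` is evaluated in order, and the order matters for security: IOS consults the next method only when the current one does not answer, not when it rejects the user. The following is an added example (not part of the practical) that models this rule; `AaaServer`, `NoResponse` and `aaa_login` are my own names, the two server objects stand in for the lab's TACACS+ (192.168.2.3) and RADIUS (192.168.2.2) servers, and every user name and password is constructed.

```python
"""Evaluation of an IOS AAA login method list such as
'aaa authentication login tyit group tacacs+ group radius local'.
Added illustration: servers, users and passwords below are constructed."""


class NoResponse(Exception):
    """The method produced no answer (server down, timeout): an ERROR.
    IOS moves on to the next method only in this case."""


class AaaServer:
    def __init__(self, name, users, reachable=True):
        self.name = name
        self.users = users              # user -> password (constructed)
        self.reachable = reachable

    def authenticate(self, user, password):
        if not self.reachable:
            raise NoResponse(self.name)
        return self.users.get(user) == password      # PASS or FAIL


def local_database(users):
    """The router's own 'username ... password ...' entries."""
    def method(user, password):
        return users.get(user) == password
    return method


def aaa_login(method_list, user, password):
    """Try the methods in order. An explicit reject (FAIL) from any method ends
    the attempt: the next method is consulted ONLY when a method does not
    answer. If no method answers at all, access is denied."""
    for name, method in method_list:
        try:
            passed = method(user, password)
        except NoResponse:
            continue
        return ("PASS" if passed else "FAIL"), name
    return "FAIL", "no method responded"


def run_scenarios():
    tacacs = AaaServer("tacacs+", {"alice": "t@cacs-pw"})
    radius = AaaServer("radius", {"alice": "r@dius-pw"})
    local = local_database({"alice": "local-pw", "admin": "cisco"})
    method_list = [("tacacs+", tacacs.authenticate),
                   ("radius", radius.authenticate),
                   ("local", local)]
    results = {}
    # 1. All servers reachable: TACACS+ decides.
    results["tacacs_up_correct"] = aaa_login(method_list, "alice", "t@cacs-pw")
    # 2. The local password is NOT a way around a reachable TACACS+ server:
    #    TACACS+ answers FAIL and no fallback happens.
    results["tacacs_up_local_pw"] = aaa_login(method_list, "alice", "local-pw")
    # 3. TACACS+ down: RADIUS answers.
    tacacs.reachable = False
    results["tacacs_down"] = aaa_login(method_list, "alice", "r@dius-pw")
    # 4. Both servers down: the local user database is the last resort.
    radius.reachable = False
    results["all_down_local"] = aaa_login(method_list, "admin", "cisco")
    results["all_down_unknown"] = aaa_login(method_list, "unknown", "x")
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:22s} -> {outcome}")
```

Scenario 2 is the one to remember when testing with the lab's PCs: while a server is reachable, a wrong password is a FAIL from that server, and the `local` entry never gets a chance to accept it.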
PRACTICAL 3
A. Configure, Apply and Verify an Extended Numbered ACL

EXPLANATION:

Cisco Access Control Lists (ACLs) are used to filter traffic on a router or
switch interface according to given filtering criteria. Based on the
conditions supplied by the ACL, a packet is either allowed to continue or
blocked. Cisco ACLs are available for several routed protocols, including IP,
IPX, AppleTalk, XNS, DECnet and others; here, however, we discuss only ACLs
for the TCP/IP protocol. ACLs for TCP/IP traffic filtering are primarily
divided into two types: Standard Access Lists and Extended Access Lists.

Topology:

Part 1: Configure, Apply and Verify an Extended Numbered ACL

Configuring PC1
Configuring PC2

Configuring Router1
Configuring Router0

Configuring Server0
Configuring Server1

Set the RIP protocol on both the routers as follows.

Check the connectivity by using the ping command.

Part 1: Configure, Apply and Verify an Extended Numbered ACL

Type the following commands in Router1:

Router#configure terminal
Router(config)#access-list 100 permit tcp host 192.168.3.2 host 192.168.1.2 eq ftp
Router(config)#interface GigabitEthernet0/1
Router(config-if)#ip access-group 100 out
Router(config-if)#exit
Router(config)#
Now verify the ftp command (ftp 192.168.1.2) from both PCs: one would be successful (PC1) and the other (PC0) would fail.

Part 2: Configure, Apply and Verify an Extended Named ACL

We use the same topology for this case. Type the following commands in the CLI mode of Router1:

Router>
Router>en
Router#configure terminal
Router(config)#ip access-list extended SMILE
Router(config-ext-nacl)#permit tcp host 192.168.3.3 host 192.168.1.3 eq www
Router(config-ext-nacl)#exit
Router(config)#
Router(config)#interface GigabitEthernet0/1
Router(config-if)#ip access-group SMILE out
Router(config-if)#exit
Router(config)#
Now verify the www access (192.168.1.3) from both PCs' browsers: one would be
successful (PC0) and the other (PC1) would fail.

Hence Extended Numbered ACLs as well as Extended Named ACLs have been
verified.
PRACTICAL 4

Configure IP ACLs to Mitigate Attacks and IPv6 ACLs
a. Verify connectivity among devices before firewall configuration.
b. Use ACLs to ensure remote access to the routers is available only from management station PC-C.
c. Configure ACLs to mitigate attacks.
d. Configure IPv6 ACLs.

SOLUTION:

TOPOLOGY:

Configuring PC0:
Configuring Server0

Configuring Router0

Configuring Router1
Configuring Router2
Set the RIP on each Router
Part 1: Verify Basic Connectivity
We can now verify the connectivity by pinging Server from PC

We can now verify the connectivity by pinging PC from Server


Part 2: Secure Access to Routers
We configure ACL 10 to block all remote access to the routers and allow remote
access only from the PC. We type the following commands in all the routers
(Router0, Router1, and Router2).

This part is divided into 2 subparts.

Part a) Set up the SSH protocol. Enter the following commands in CLI mode of all routers:

Router>enable
Router#configure terminal
Router(config)#ip domain-name ismail.com
Router(config)#hostname R0
R0(config)#
R0(config)#crypto key generate rsa
R0(config)#line vty 0 4
R0(config-line)#transport input ssh
R0(config-line)#login local
R0(config-line)#exit
R0(config)#username SSHadmin privilege 15 password ismail
R0(config)#exit
R0#

Part b) Create an ACL 10 to permit remote access from the PC only. Enter the following commands in CLI mode of all routers:

Router>enable
Router#configure terminal
Router(config)#access-list 10 permit host 192.168.4.2
Router(config)#line vty 0 4
Router(config-line)#access-class 10 in

Now we verify the remote access from PC using the following and find it to be
successful

Part 3: Create a Numbered IP ACL 120 on R1
We need to perform the following in this part:

1) Create an IP ACL numbered 120 on R1 using the following rules


2) Permit any outside host to access DNS, SMTP, and FTP services on server
3) Deny any outside host access to HTTPS services on server
4) Permit PC to access R1 via SSH. (done in previous part)

Enter the following commands in the CLI mode of Router1


R1>enable
R1#
R1#configure terminal
R1(config)#access-list 120 permit udp any host 192.168.1.2 eq domain
R1(config)#access-list 120 permit tcp any host 192.168.1.2 eq smtp
R1(config)#access-list 120 permit tcp any host 192.168.1.2 eq ftp
R1(config)#access-list 120 deny tcp any host 192.168.1.2 eq 443
R1(config)#exit
R1#
R1#configure terminal
R1(config)#interface Serial0/1/1
R1(config-if)#ip access-group 120 in
R1(config-if)#exit

Verify the above by entering the following commands on the PC.
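Practicals 3 and 4 both rely on the same three rules of IOS ACL evaluation: a wildcard mask marks the bits that do not have to match, the first matching entry wins, and a packet matching no entry hits the implicit `deny any` at the end of every list. The following is an added example (not the practicals' own material) that implements those rules in Python: `parse_acl` and `evaluate` are my own helpers, the ACL lines are exactly the ones typed in Practicals 3 and 4, PC1/PC0 are taken as 192.168.3.2/192.168.3.3 as the permit statements imply, and the outside host 203.0.113.9 and router address 192.168.1.1 are constructed placeholders.

```python
"""First-match evaluation of Cisco IOS numbered ACLs with wildcard masks.
Added illustration: parser and evaluator are my own; the access-list lines are
the ones from Practicals 3 and 4; 203.0.113.9 and 192.168.1.1 are constructed."""
import ipaddress

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
# IOS port keywords used in the practicals; numeric ports are also accepted.
PORT_NAMES = {"ftp": 21, "smtp": 25, "domain": 53, "www": 80}


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tokens[i] and return
    (address, wildcard, next_index). In a wildcard mask a 1 bit means 'do not
    care': 0.0.0.0 is a single host and 255.255.255.255 is any address."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return to_int(tokens[i + 1]), 0, i + 2
    return to_int(tokens[i]), to_int(tokens[i + 1]), i + 2


def wildcard_match(addr, ace_addr, wildcard):
    """All bits where the wildcard is 0 must be equal."""
    return ((addr ^ ace_addr) & ~wildcard & 0xFFFFFFFF) == 0


def parse_acl(lines):
    """Parse 'access-list N permit|deny ...' lines. A standard ACL names only a
    source; an extended ACL names protocol, source, destination and optionally
    'eq <port>'. Each entry becomes (action, proto, src, swild, dst, dwild, dport)."""
    aces = []
    for line in lines:
        t = line.split()
        if t[0] != "access-list":
            raise ValueError(line)
        action, i = t[2], 3
        if t[i] in PROTOCOLS:
            proto, i = t[i], i + 1
            src, swild, i = parse_addr(t, i)
            dst, dwild, i = parse_addr(t, i)
        else:
            proto = "ip"                                  # standard ACL: source only
            src, swild, i = parse_addr(t, i)
            dst, dwild = 0, 0xFFFFFFFF
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        aces.append((action, proto, src, swild, dst, dwild, dport))
    return aces


def evaluate(aces, proto, src, dst, dport=None):
    """Return (action, entry_number). The first matching entry wins; a packet
    that matches nothing is dropped by the implicit 'deny any'."""
    s, d = to_int(src), to_int(dst)
    for n, (action, aproto, asrc, swild, adst, dwild, aport) in enumerate(aces, 1):
        if aproto != "ip" and aproto != proto:
            continue
        if not (wildcard_match(s, asrc, swild) and wildcard_match(d, adst, dwild)):
            continue
        if aport is not None and aport != dport:
            continue
        return action, n
    return "deny", "implicit"


ACL_100 = ["access-list 100 permit tcp host 192.168.3.2 host 192.168.1.2 eq ftp"]
ACL_120 = ["access-list 120 permit udp any host 192.168.1.2 eq domain",
           "access-list 120 permit tcp any host 192.168.1.2 eq smtp",
           "access-list 120 permit tcp any host 192.168.1.2 eq ftp",
           "access-list 120 deny tcp any host 192.168.1.2 eq 443"]
ACL_10 = ["access-list 10 permit host 192.168.4.2"]


def demo():
    a100, a120, a10 = parse_acl(ACL_100), parse_acl(ACL_120), parse_acl(ACL_10)
    return {
        # Practical 3: FTP from PC1 passes; FTP from PC0 and everything else is dropped
        "pc1_ftp": evaluate(a100, "tcp", "192.168.3.2", "192.168.1.2", 21),
        "pc0_ftp": evaluate(a100, "tcp", "192.168.3.3", "192.168.1.2", 21),
        "pc1_www": evaluate(a100, "tcp", "192.168.3.2", "192.168.1.3", 80),
        # Practical 4: a constructed outside host reaching DNS, HTTPS and HTTP on the server
        "dns": evaluate(a120, "udp", "203.0.113.9", "192.168.1.2", 53),
        "https": evaluate(a120, "tcp", "203.0.113.9", "192.168.1.2", 443),
        "http": evaluate(a120, "tcp", "203.0.113.9", "192.168.1.2", 80),
        # Practical 4, 'access-class 10 in' on the vty lines: only the management station
        "mgmt_vty": evaluate(a10, "tcp", "192.168.4.2", "192.168.1.1", 22),
        "other_vty": evaluate(a10, "tcp", "192.168.4.9", "192.168.1.1", 22),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} {verdict}")
```

Two results are worth noticing when testing in Packet Tracer. With ACL 100 applied outbound on GigabitEthernet0/1, PC1's web traffic is dropped as well as PC0's FTP, because the single permit entry leaves everything else to the implicit deny. Likewise ACL 120 blocks HTTP to the server even though only HTTPS was explicitly denied; anything a list does not name must be permitted explicitly.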


PRACTICAL 5

5 Configuring a Zone-Based Policy Firewall

Cisco IOS® Software Release 12.4(6)T introduced Zone-Based Policy


Firewall (ZFW), a new configuration model for the Cisco IOS Firewall
feature set. This new configuration model offers intuitive policies for
multiple-interface routers, increased granularity of firewall policy
application, and a default deny-all policy that prohibits traffic between
firewall security zones until an explicit policy is applied to allow
desirable traffic.

Configuring PC0

Configuring Router1
Configuring Router2

Configuring Server0
Part 1: Static Routing
Static routing is done using the following procedure for each router.
Router 2: Add the following routes in the static mode.
Router 1: Add the following routes in the static mode.

Now we check the connectivity by pinging the Server from the PC


Part 2: Configuring SSH on Router 2
Type the following commands in the CLI mode of Router2
Router>en
Router>enable
Router#configure terminal
Router(config)#ip domain-name ismail.com
Router(config)#hostname R2
R2(config)#
R2(config)#crypto key generate rsa
R2(config)#line vty 0 4
R2(config-line)#transport input ssh
R2(config-line)#login local
R2(config-line)#exit
R2(config)#username ismail privilege 15 password cisco

Now we verify the SSH using PC as follows


Next we access the web services of the Server using the web browser of
PC using the following

Part 3: Create the Firewall Zones on Router1


Type the following commands in the CLI mode of Router1
Router#
Router#configure terminal
Router(config)#zone security in-zone
Router(config-sec-zone)#exit
Router(config)#zone security out-zone
Router(config-sec-zone)#exit
Router(config)#access-list 101 permit ip 192.168.4.0 0.0.0.255 any
Router(config)#class-map type inspect match-all in-map
Router(config-cmap)#match access-group 101
Router(config-cmap)#exit
Router(config)#policy-map type inspect in-out
Router(config-pmap)#class type inspect in-map
Router(config-pmap-c)#inspect
Router(config-pmap-c)#exit
Router(config-pmap)#exit
Router(config)#
Router(config)#zone-pair security in-out-zone source in-zone destination
out-zone
Router(config-sec-zone-pair)#service-policy type inspect in-out
Router(config-sec-zone-pair)#exit
Router(config)#
Router(config)#interface GigabitEthernet0/0
Router(config-if)#zone-member security in-zone
Router(config-if)#exit
Router(config)#
Router(config)#interface Serial0/1/1
Router(config-if)#zone-member security out-zone
Router(config-if)#exit
Router(config)#exit
Router#copy running-config startup-config

Part 4: Testing the Firewall Functionality (from in-zone to out-zone) by the following steps
Step 1: Ping SERVER from the PC (it will succeed)

Step 2: Start an SSH session from PC to Router 2 (ip 192.168.1.2)

Step 3: Type the following command in the CLI mode of Router1


Router#show policy-map type inspect zone-pair sessions
We will get the following output.
Step 4: We close the SSH connection, open the web browser, access the server
address (192.168.1.2) and get the following:

Part 5: Testing the Firewall Functionality (from out-zone to in-zone) by the following steps
Step 1: Ping PC0 from the SERVER (it will result in failure)

Hence the Firewall functionality has been verified
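Parts 4 and 5 show the two properties that make a zone-based firewall different from a plain ACL: traffic from in-zone to out-zone that matches the `inspect` class opens a session whose replies are allowed back without any out-zone to in-zone zone-pair, while a new connection started from out-zone finds no zone-pair and is dropped. The following is an added example (not the practical's own material) that models Router1's configuration in Python: `ZoneBasedFirewall`, `Packet` and `build_router1` are my own names, the zone names, interfaces and 192.168.4.0/24 class-map network are those configured in Part 3, and the route table and host addresses (192.168.4.2, 192.168.4.3) are constructed.

```python
"""Stateful behaviour of a Cisco IOS zone-based policy firewall, modelled in
Python. Added illustration: zone names, interfaces and the 192.168.4.0/24 class
network come from Router1 in Part 3; routes, PC addresses and packets are constructed.
ICMP types are not tracked, so echo requests and replies share one flow key."""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "in_iface proto src sport dst dport")


class ZoneBasedFirewall:
    def __init__(self):
        self.zone_of = {}      # interface -> zone      ('zone-member security')
        self.routes = []       # (network, egress interface)
        self.policies = {}     # (source zone, destination zone) -> [(match, action)]
        self.sessions = set()  # 5-tuples opened by an 'inspect' class

    def zone_member(self, iface, zone):
        self.zone_of[iface] = zone

    def route(self, network, iface):
        self.routes.append((ipaddress.ip_network(network), iface))
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)  # longest prefix first

    def zone_pair(self, src_zone, dst_zone, classes):
        """'zone-pair security ... source X destination Y' plus its service-policy:
        an ordered list of (match function, 'inspect' | 'pass' | 'drop')."""
        self.policies[(src_zone, dst_zone)] = classes

    def egress_iface(self, dst):
        addr = ipaddress.ip_address(dst)
        return next((iface for net, iface in self.routes if addr in net), None)

    def forward(self, pkt):
        """Decide one packet: returns (verdict, reason)."""
        src_zone = self.zone_of.get(pkt.in_iface)
        dst_zone = self.zone_of.get(self.egress_iface(pkt.dst))
        if src_zone == dst_zone:
            return "pass", "traffic within one zone is not policed"
        # Replies of an inspected session are let back without any
        # out-zone -> in-zone zone-pair: this is what 'inspect' buys you.
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.sessions:
            return "pass", "return traffic of an inspected session"
        policy = self.policies.get((src_zone, dst_zone))
        if policy is None:
            return "drop", f"no zone-pair {src_zone} -> {dst_zone} (default deny)"
        for match, action in policy:
            if match(pkt):
                if action == "inspect":
                    self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                    return "inspect", "session created"
                return action, "explicit class action"
        return "drop", "class-default"


def build_router1():
    """Router1 as configured in Part 3 (the two routes are constructed)."""
    fw = ZoneBasedFirewall()
    fw.zone_member("GigabitEthernet0/0", "in-zone")
    fw.zone_member("Serial0/1/1", "out-zone")
    fw.route("192.168.4.0/24", "GigabitEthernet0/0")
    fw.route("192.168.1.0/24", "Serial0/1/1")
    inside = ipaddress.ip_network("192.168.4.0/24")            # access-list 101
    in_map = lambda p: ipaddress.ip_address(p.src) in inside     # class-map in-map
    fw.zone_pair("in-zone", "out-zone", [(in_map, "inspect")])  # policy-map in-out
    return fw


def demo():
    fw = build_router1()
    pc, remote = "192.168.4.2", "192.168.1.2"   # PC address constructed; 192.168.1.2 from Part 4
    gi, se = "GigabitEthernet0/0", "Serial0/1/1"
    out = {}
    # Part 4: in-zone -> out-zone traffic is inspected and its replies come back
    out["ping_in_to_out"] = fw.forward(Packet(gi, "icmp", pc, 0, remote, 0))[0]
    out["ping_reply"] = fw.forward(Packet(se, "icmp", remote, 0, pc, 0))[0]
    out["ssh_in_to_out"] = fw.forward(Packet(gi, "tcp", pc, 50000, remote, 22))[0]
    out["ssh_reply"] = fw.forward(Packet(se, "tcp", remote, 22, pc, 50000))[0]
    out["sessions"] = len(fw.sessions)   # what 'show policy-map type inspect zone-pair sessions' lists
    # Part 5: new connections from out-zone towards in-zone have no zone-pair
    out["ssh_out_to_in"] = fw.forward(Packet(se, "tcp", remote, 40000, pc, 22))[0]
    out["ping_out_to_in"] = fw.forward(Packet(se, "icmp", remote, 0, "192.168.4.3", 0))[0]
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} {verdict}")
```

The session set plays the role of the table printed by `show policy-map type inspect zone-pair sessions` in Step 3; once the SSH session is closed in Step 4 a real router removes its entry, after which even that exact reverse flow would be dropped.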


PRACTICAL 6

6 Configure IOS Intrusion Prevention System (IPS) Using the CLI


a Enable IOS IPS.
b Modify an IPS signature.

Solution:

The Cisco IOS IPS acts as an in-line intrusion prevention sensor,


watching packets and sessions as they flow through the router and
scanning each packet to match any of the Cisco IOS IPS signatures.
When it detects suspicious activity, it responds before network security
can be compromised and logs the event through Cisco IOS syslog
messages or Security Device Event Exchange (SDEE). The network
administrator can configure Cisco IOS IPS to choose the appropriate
response to various threats. The Signature Event Action Processor
(SEAP) can dynamically control actions that are to be taken by a
signature event on the basis of parameters such as fidelity, severity, or
target value rating. These parameters have default values but can
also be configured through CLI. When packets in a session match a
signature, Cisco IOS IPS can take any of the following actions, as
appropriate:
1) Send an alarm to a syslog server or a centralized management
interface
2) Drop the packet
3) Reset the connection
4) Deny traffic from the source IP address of the attacker for a specified
amount of time
5) Deny traffic on the connection for which the signature was seen for a
specified amount of time
Configuring PC0:

Configuring PC1:

Configuring Server0:

Configuring Router0:
Configuring Router1
We need to set the Routing table in all the Routers so that each node
could send and receive packets from others (RIP is set in all the Routers
as follows)
Now we can check the connectivity by sending ping commands from
any node to any other node

So we conclude that the connectivity has been established


PART1: Enable the IOS IPS (on Router1)

Type the following command in the CLI mode of Router1


Router#show version
As seen above, the security package is not enabled. To enable the security
feature, type the following command in Router1:
Router(config)#license boot module c1900 technology-package
securityk9
Router(config)#exit
Router#
Router#reload

Router>enable
Router#
Router#show version
We will get a message informing whether the security package is
enabled or not

As seen above now the security package has been enabled


Now type the following commands in the CLI mode of Router1

Router#
Router#
Router#clock set 11:47:56 MARCH 3 2020
Router#mkdir smile
Router#configure terminal
Router(config)#ip ips config location flash:smile
Router(config)#ip ips name iosips
Router(config)#ip ips notify log
Router(config)#ip ips signature-category
Router(config-ips-category)#category all
Router(config-ips-category-action)#retired true
Router(config-ips-category-action)#exit
Router(config-ips-category)#category ios_ips basic
Router(config-ips-category-action)#retired false
Router(config-ips-category-action)#exit
Router(config-ips-category)#exit
Router(config)#interface Serial0/1/0
Router(config-if)#ip ips iosips out
Router(config-if)#
Router(config)#

Part 2: Modify the Signature


Type the following commands in the CLI mode of Router1
Router(config)#
Router(config)#ip ips signature-definition
Router(config-sigdef)#signature 2004 0
Router(config-sigdef-sig)#status
Router(config-sigdef-sig-status)#retired false
Router(config-sigdef-sig-status)#enabled true
Router(config-sigdef-sig-status)#exit
Router(config-sigdef-sig)#engine
Router(config-sigdef-sig-engine)#event-action produce-alert
Router(config-sigdef-sig-engine)#event-action deny-packet-inline
Router(config-sigdef-sig-engine)#exit
Router(config-sigdef-sig)#exit
Router(config-sigdef)#exit
Router(config)#
Now we need to verify the above IPS configuration; we do it first by pinging
from PC1 to SERVER and then from SERVER to PC1.

PC1 to SERVER
SERVER to PC1

We can also observe the Syslog service on the SERVER to check the logged
activity.
PRACTICAL 7
7. Layer 2 Security
a. Assign the Central switch as the root bridge.
b. Secure spanning-tree parameters to prevent STP manipulation attacks.
c. Enable port security to prevent CAM table overflow attacks.

Topology:

Part 1 : Root Bridge is set up

Multilayer Switch0 : CLI

Switch>en
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#show spanning-tree
^
% Invalid input detected at '^' marker.
Switch(config)#exit
Switch#
%SYS-5-CONFIG_I: Configured from console by console
Switch#show spanning-tree

Switch1: CLI

Switch#erase startup-config
Confirm
Switch#en
Switch#show spanning-tree

Multilayer Switch0:
Switch#
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#spanning-tree vlan1 root primary
^
% Invalid input detected at '^' marker.

Switch(config)#spanning-tree vlan 1 root primary


Switch(config)#do show spann

Part 2: Protect Against STP Attack

Redundant links are always welcome in a switch topology as they increase the
network's availability and robustness. Seen from the Layer 2 perspective,
however, redundant links can cause Layer 2 loops.

Switch A Configuration

CLI:
Switch>en
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface range fastEthernet 0/1-2
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a
single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
%Portfast has been configured on FastEthernet0/1 but will only
have effect when the interface is in a non-trunking mode.
%Warning: portfast should only be enabled on ports connected to a
single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
%Portfast has been configured on FastEthernet0/2 but will only
have effect when the interface is in a non-trunking mode.
Switch(config-if-range)#spanning-tree bpduguard enable
Switch(config-if-range)#

Switch B has also same commands

Switch1:

CLI:

Switch>EN
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface range fastEthernet 0/23-24
Switch(config-if-range)#spanning-tree guard root
Switch(config-if-range)#

Repeat the same commands for Switch 1 and Switch 2 up to spanning-tree guard root.

Part 3: Port Security and Disable Unused Ports

Switch A : CLI

Switch(config)#interface range fastEthernet 0/1-2
Switch(config-if-range)#switchport port-security
Switch(config-if-range)#switchport port-security maximum 2
Switch(config-if-range)#switchport port-security mac-address sticky
Switch(config-if-range)#switchport port-security violation shutdown
Switch(config-if-range)#
Same set of commands on SwitchB

Go back to Switch A, exit configuration mode, and check:

Switch#show port-security
Switch#show port-security interface f0/1

Disabling Unused ports on Switch A and Switch B


Switch#en
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface range fastEthernet 0/3-22
Switch(config-if-range)#shutdown
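The port-security commands in Part 3 (`maximum 2`, `mac-address sticky`, `violation shutdown`) limit how many source addresses one access port may introduce into the CAM table, which is exactly the resource a CAM table overflow exhausts. The following is an added example (not the practical's own material) that models a switch with a deliberately tiny CAM table so the difference between a protected and an unprotected port is visible: `Switch`, `SwitchPort` and `burst_of_sources` are my own names, the MAC addresses are constructed, and the parameters on `Fa0/1` are those configured on Switch A.

```python
"""CAM table learning on an access port with and without port security.
Added illustration: the switch model and MAC addresses are constructed; the
port-security settings on Fa0/1 (maximum 2, sticky, violation shutdown) are
the ones configured on Switch A in Part 3."""


class SwitchPort:
    """One access port. max_secure=None means port security is disabled."""

    def __init__(self, name, max_secure=None, sticky=False, violation="shutdown"):
        self.name = name
        self.max_secure = max_secure
        self.sticky = sticky            # sticky: learned secure MACs go into the running-config
        self.violation = violation      # shutdown | restrict | protect
        self.secure_macs = []           # addresses this port is allowed to source
        self.state = "up"               # up | err-disabled
        self.violations = 0


class Switch:
    CAM_CAPACITY = 8   # artificially small so the table can fill in a demo

    def __init__(self):
        self.cam = {}                   # MAC -> port name
        self.ports = {}

    def add_port(self, port):
        self.ports[port.name] = port

    def receive(self, port_name, src_mac):
        """Process one ingress frame and return what happened to it."""
        port = self.ports[port_name]
        if port.state == "err-disabled":
            return "err-disabled"                  # port is down; frame never enters
        if port.max_secure is not None and src_mac not in port.secure_macs:
            if len(port.secure_macs) >= port.max_secure:
                return self._violate(port)
            port.secure_macs.append(src_mac)       # becomes a secure (sticky) address
        if src_mac in self.cam:
            return "known"
        if len(self.cam) >= self.CAM_CAPACITY:
            # Table full: nothing more can be learned, and frames to addresses
            # that could not be learned get flooded out of every port.
            return "table-full"
        self.cam[src_mac] = port_name
        return "learned"

    def _violate(self, port):
        port.violations += 1
        if port.violation == "shutdown":
            port.state = "err-disabled"
            # entries learned on the disabled port leave the table
            self.cam = {m: p for m, p in self.cam.items() if p != port.name}
        return "violation"   # restrict/protect: frame dropped, port stays up


def burst_of_sources(switch, port_name, count, prefix="0200.0000."):
    """Send frames from `count` distinct constructed source MACs on one port
    and tally the outcomes."""
    tally = {}
    for i in range(count):
        outcome = switch.receive(port_name, f"{prefix}{i:04x}")
        tally[outcome] = tally.get(outcome, 0) + 1
    return tally


def demo():
    sw = Switch()
    sw.add_port(SwitchPort("Fa0/1", max_secure=2, sticky=True))   # Switch A, Part 3
    sw.add_port(SwitchPort("Fa0/3"))                                # no port security
    protected = burst_of_sources(sw, "Fa0/1", 20)
    fa1 = sw.ports["Fa0/1"]
    unprotected = burst_of_sources(sw, "Fa0/3", 20)
    return {"protected": protected,
            "protected_state": fa1.state,
            "sticky_macs": list(fa1.secure_macs),
            "protected_cam_entries": sum(1 for p in sw.cam.values() if p == "Fa0/1"),
            "unprotected": unprotected,
            "cam_size": len(sw.cam)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22s} {value}")
```

On the protected port the third new source address is a violation: the port goes err-disabled, its CAM entries are removed, and the two sticky addresses stay in the configuration, which is what `show port-security interface f0/1` reports. On the unprotected port the same burst fills the table and every later address is left unlearned.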
PRACTICAL 8

10. Configure and Verify a Site-to-Site IPsec VPN Using CLI

IPSec's objective is to provide security services for IP packets, such as
encrypting sensitive data, authentication, protection against replay, and
data confidentiality.
Encapsulating Security Payload (ESP) and Authentication Header (AH) are the
two IPSec security protocols used to provide these security services.
Understanding IPSec Modes: Tunnel Mode and Transport Mode
IPSec can be configured to operate in two different modes, Tunnel and
Transport mode. Use of each mode depends on the requirements and
implementation of IPSec.

IPSec Tunnel Mode


IPSec tunnel mode is the default mode. With tunnel mode, the entire original
IP packet is protected by IPSec. This means IPSec wraps the original packet,
encrypts it, adds a new IP header and sends it to the other side of the VPN
tunnel (IPSec peer).
Tunnel mode is most commonly used between gateways (Cisco routers or
ASA firewalls), or at an end-station to a gateway, the gateway acting as a
proxy for the hosts behind it.
Tunnel mode is used to encrypt traffic between secure IPSec Gateways, for
example two Cisco routers connected over the Internet via IPSec VPN.
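The transform set configured later in this practical, `esp-aes esp-sha-hmac`, means each ESP packet carries an integrity check value (HMAC-SHA1 truncated to 96 bits, RFC 2404) next to a sequence number, and a receiving peer checks both before it decrypts anything. The following is an added example (not the practical's own material) of that receive-side processing, including the anti-replay window of RFC 4303 §3.4.3: `build_esp`, `ReplayWindow` and `InboundSA` are my own names, the authentication key and payload bytes are constructed, the encrypted payload is treated as opaque (AES decryption is out of scope here), and the SPI value 0x4C85163A is reused from the `show crypto ipsec sa` output in Part 4.

```python
"""Receiver-side ESP processing for an esp-sha-hmac SA: integrity check
(HMAC-SHA1-96, RFC 2404) and the anti-replay window of RFC 4303 s3.4.3.
Added illustration: key and payload are constructed; the payload is opaque
because ESP verifies the ICV and sequence number BEFORE decrypting."""
import hashlib
import hmac
import struct

ICV_LEN = 12    # HMAC-SHA1 output (20 bytes) truncated to 96 bits


def esp_icv(auth_key, spi, seq, payload):
    """The ICV covers SPI, sequence number and payload: everything but itself."""
    return hmac.new(auth_key, struct.pack("!II", spi, seq) + payload,
                    hashlib.sha1).digest()[:ICV_LEN]


def build_esp(auth_key, spi, seq, encrypted_payload):
    """Sender side: ESP header (SPI, seq) + encrypted payload + ICV."""
    return (struct.pack("!II", spi, seq) + encrypted_payload
            + esp_icv(auth_key, spi, seq, encrypted_payload))


class ReplayWindow:
    """Sliding window over the last `size` sequence numbers. `top` is the
    highest number accepted; bit i of `bitmap` is set when top-i was seen."""

    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def acceptable(self, seq):
        if seq == 0 or (seq <= self.top and self.top - seq >= self.size):
            return False                              # 0 is never valid; too old
        if seq > self.top:
            return True                               # ahead of the window
        return not (self.bitmap >> (self.top - seq)) & 1   # already seen?

    def mark(self, seq):
        """Called only after the ICV verified, so a forged packet can never
        advance the window or mark a number as seen."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) if shift < self.size else 0
            self.top = seq
            self.bitmap = (self.bitmap | 1) & ((1 << self.size) - 1)
        else:
            self.bitmap |= 1 << (self.top - seq)


class InboundSA:
    def __init__(self, spi, auth_key, window=64):
        self.spi, self.auth_key = spi, auth_key
        self.window = ReplayWindow(window)
        self.counters = {"verify": 0, "auth_fail": 0, "replay": 0}

    def receive(self, packet):
        """Return the fate of one ESP packet, in the order RFC 4303 prescribes:
        SA lookup, replay check, integrity check, then window update."""
        if len(packet) < 8 + ICV_LEN:
            return "malformed"
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            return "no-sa"
        if not self.window.acceptable(seq):
            self.counters["replay"] += 1
            return "replay"
        payload, icv = packet[8:-ICV_LEN], packet[-ICV_LEN:]
        if not hmac.compare_digest(esp_icv(self.auth_key, spi, seq, payload), icv):
            self.counters["auth_fail"] += 1
            return "auth-fail"
        self.window.mark(seq)
        self.counters["verify"] += 1
        return "accepted"


def demo():
    key = b"constructed-auth-key-not-from-lab"     # constructed
    spi = 0x4C85163A                                # SPI seen in the lab output
    sa = InboundSA(spi, key)
    ciphertext = bytes(range(16, 48))               # opaque stand-in for encrypted data
    send = lambda seq: build_esp(key, spi, seq, ciphertext)
    results = [sa.receive(send(seq)) for seq in (1, 2, 3)]
    results.append(sa.receive(send(2)))              # replayed copy of packet 2
    forged = bytearray(send(4))
    forged[12] ^= 0xFF                               # payload modified in transit
    results.append(sa.receive(bytes(forged)))
    results.append(sa.receive(send(4)))              # the genuine packet 4 still accepted
    results.append(sa.receive(send(0)))              # sequence number 0 is never valid
    results.append(sa.receive(send(200)))            # jump ahead: window slides
    results.append(sa.receive(send(100)))            # 200 - 100 >= 64: fell out of the window
    return results, dict(sa.counters)


if __name__ == "__main__":
    outcomes, counters = demo()
    print(outcomes)
    print(counters)
```

The `verify` counter corresponds to the `#pkts verify` column of `show crypto ipsec sa` later in this practical, where the lab output also lists `replay detection support: N`; the `ReplayWindow` class shows what that flag adds when it is enabled.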
Configuring PC0

Configuring PC1

Configuring PC2
Configuring Router0

Configuring Router1
Configuring Router2
Part 1: Configuring RIP on each Router

Router 0: Add the following networks

Router 1: Add the following networks


Router 2: Add the following networks

Now check the connectivity by ping command

PCO to PC1 (it should be successful)

PC2 to PC0 (it should be successful)


Part 2: Configure IPSec Parameters on Router0
In order to configure the IPSec parameters on Router0 we go by the following steps

Step 1: Enable the security package on Router0 through the following commands in CLI mode:

Router>enable
Router#configure terminal
Router(config)#license boot module c1900 technology-package securityk9
Router(config)#do write
Router(config)#exit
Router#reload
Router>
Router>enable
Now we need to check if the security package is enabled, so we type the following
command

Router#show version

The above shows that the security package has been enabled

Step 2: Configuring IKE phase 1 ISAKMP policy on Router0

Type the following commands in the CLI mode of Router0

Router#configure terminal
Router(config)#access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
Router(config)#crypto isakmp policy 10
Router(config-isakmp)#encryption aes 256
Router(config-isakmp)#authentication pre-share
Router(config-isakmp)#group 5
Router(config-isakmp)#exit
Router(config)#crypto isakmp key smile1234 address 192.168.3.2
Router(config)#crypto ipsec transform-set vpn-set esp-aes esp-sha-hmac
Router(config)#crypto map vpn-map 10 ipsec-isakmp
Router(config-crypto-map)#set peer 192.168.3.2
Router(config-crypto-map)#set transform-set vpn-set
Router(config-crypto-map)#match address 110
Router(config-crypto-map)#exit
Router(config)#
Router(config)#interface Serial0/1/0
Router(config-if)#crypto map vpn-map
Router(config-if)#exit
Router(config)#

Part 3: Configure IPSec Parameters on Router1


In order to configure the IPSec parameters on Router1 we go by the
following steps

Step 1: Enable the security package on Router1 through the following commands in CLI mode:

Router>enable
Router#configure terminal
Router(config)#license boot module c1900 technology-package securityk9
Router(config)#do write
Router(config)#exit
Router#reload

Router>

Router>enable

Now we need to check if the security package is enabled, so we type the following
command

Router#show version
The above shows that the security package has been enabled

Step 2: Configuring IKE phase 1 ISAKMP policy on Router1

Type the following commands in the CLI mode of Router1:

Router#
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
Router(config)#crypto isakmp policy 10
Router(config-isakmp)#encryption aes 256
Router(config-isakmp)#authentication pre-share
Router(config-isakmp)#group 5
Router(config-isakmp)#exit
Router(config)#crypto isakmp key smile1234 address 192.168.2.1
Router(config)#crypto ipsec transform-set vpn-set esp-aes esp-sha-hmac
Router(config)#crypto map vpn-set 10 ipsec-isakmp
Router(config-crypto-map)#description vpn
Router(config-crypto-map)#set peer 192.168.2.1
Router(config-crypto-map)#set transform-set vpn-set
Router(config-crypto-map)#match address 110
Router(config-crypto-map)#exit
Router(config)#
Router(config)#interface Serial0/1/1
Router(config-if)#crypto map vpn-set
Router(config-if)#
Part 4: Verify the IPSec VPN

Step 1: Type the following command in the CLI mode of Router0


Router>
Router>EN
Router>enable
Router#show crypto ipsec sa

We get the following output (the packet counters, shown in bold in the original, are all zero: no packets have been encrypted yet):

interface: Serial0/1/0
Crypto map tag: vpn-map, local addr 192.168.2.1

protected vrf: (none)


local ident (addr/mask/prot/port): (92.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
current_peer 192.168.3.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 192.168.2.1, remote crypto endpt.:192.168.3.2


path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0
current outbound spi: 0x0(0)

inbound esp sas:


inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:

Step 2: Ping PC1 from PC0 (Creating interesting traffic)

We ping PC1 from PC0 (which is the interesting traffic)


And now we check the Router0 by typing the following Command

Router#show crypto ipsec sa

We get the following output; as seen, the number of encrypted packets is no longer zero
(marked bold in the original):

interface: Serial0/1/0
Crypto map tag: vpn-map, local addr 192.168.2.1

protected vrf: (none)


local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
current_peer 192.168.3.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 0
#pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 192.168.2.1, remote crypto endpt.:192.168.3.2


path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0
current outbound spi: 0x4C85163A(1283790394)

inbound esp sas:


spi: 0x6F1C411E(1864122654)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: FPGA:1, crypto map: vpn-map
sa timing: remaining key lifetime (k/sec): (4525504/3572)
IV size: 16 bytes
replay detection support: N
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:


spi: 0x4C85163A(1283790394)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2005, flow_id: FPGA:1, crypto map: vpn-map
sa timing: remaining key lifetime (k/sec): (4525504/3572)
IV size: 16 bytes
replay detection support: N
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

Step 3: Ping PC1 from PC0 (creating more interesting traffic)

Now we ping PC1 from PC0 again (which is interesting traffic)


And now we check the Router0 by typing the following Command

Router#show crypto ipsec sa

We get the following output; as seen, the number of encrypted packets is no longer zero
(marked bold in the original):
interface: Serial0/1/0
Crypto map tag: vpn-map, local addr 192.168.2.1

protected vrf: (none)


local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
current_peer 192.168.3.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 0
#pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 192.168.2.1, remote crypto endpt.:192.168.3.2


path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0
current outbound spi: 0x4C85163A(1283790394)

inbound esp sas:


spi: 0x6F1C411E(1864122654)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: FPGA:1, crypto map: vpn-map
sa timing: remaining key lifetime (k/sec): (4525504/2848)
IV size: 16 bytes
replay detection support: N
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:


spi: 0x4C85163A(1283790394)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2005, flow_id: FPGA:1, crypto map: vpn-map
sa timing: remaining key lifetime (k/sec): (4525504/2848)
IV size: 16 bytes
replay detection support: N
Status: ACTIVE
outbound ah sas:

outbound pcp sas:

Step 4: Ping PC2 from PC0 (Creating NON interesting traffic)

Now we ping PC2 from PC0 (Not interesting traffic)

And now we check the Router0 by typing the following Command

Router#show crypto ipsec sa

We get the following output; as seen, the number of encrypted packets does not
change compared with the previous case:

interface: Serial0/1/0
Crypto map tag: vpn-map, local addr 192.168.2.1

protected vrf: (none)


local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
current_peer 192.168.3.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 0
#pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 192.168.2.1, remote crypto endpt.:192.168.3.2


path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0
current outbound spi: 0x4C85163A(1283790394)

inbound esp sas:


spi: 0x6F1C411E(1864122654)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: FPGA:1, crypto map: vpn-map
sa timing: remaining key lifetime (k/sec): (4525504/2693)
IV size: 16 bytes
replay detection support: N
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:


spi: 0x4C85163A(1283790394)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2005, flow_id: FPGA:1, crypto map: vpn-map
sa timing: remaining key lifetime (k/sec): (4525504/2693)
IV size: 16 bytes
replay detection support: N
Status: ACTIVE

outbound ah sas:

outbound pcp sas:
