
Monday, 14 January 2013

RIP configuration in GNS3


RIP - lab with multiple tasks:


Frame Relay configuration on the routers:

R1(config): interface Serial0/0
R1(config-if): no shutdown
R1(config-if): no ip address
R1(config-if): encapsulation frame-relay
R1(config-if): no frame-relay inverse-arp

R1(config): interface Serial0/0.12 point-to-point
R1(config-if): ip address 172.12.123.1 255.255.255.0
R1(config-if): frame-relay interface-dlci 102

R1(config): interface Serial0/0.13 point-to-point
R1(config-if): ip address 172.12.13.1 255.255.255.0
R1(config-if): frame-relay interface-dlci 103

R2(config): interface Serial0/0
R2(config-if): no shutdown
R2(config-if): no ip address
R2(config-if): encapsulation frame-relay
R2(config-if): no frame-relay inverse-arp

R2(config): interface Serial0/0.21 point-to-point
R2(config-if): ip address 172.12.123.2 255.255.255.0
R2(config-if): frame-relay interface-dlci 201

R3(config): interface Serial0/0
R3(config-if): no shutdown
R3(config-if): no ip address
R3(config-if): encapsulation frame-relay
R3(config-if): no frame-relay inverse-arp

R3(config): interface Serial0/0.31 point-to-point
R3(config-if): ip address 172.12.13.2 255.255.255.0
R3(config-if): frame-relay interface-dlci 301

Frame Relay switch configuration:



- Basic RIP configuration:

R1(config): router rip
R1(config-router): version 2
R1(config-router): no auto-summary
R1(config-router): network 172.12.0.0
R1(config-router): network 1.0.0.0

R2(config): router rip
R2(config-router): version 2
R2(config-router): no auto-summary
R2(config-router): network 172.12.0.0
R2(config-router): network 2.0.0.0

R3(config): router rip
R3(config-router): version 2
R3(config-router): no auto-summary
R3(config-router): network 172.12.0.0
R3(config-router): network 3.0.0.0

- Timer configuration:

R1(config): router rip
R1(config-router): timers basic 30 180 180 240

R2(config): router rip
R2(config-router): timers basic 30 180 180 240

R3(config): router rip
R3(config-router): timers basic 30 180 180 240

- "Triggered updates" configuration:

R1(config): interface serial 0/0.12
R1(config-if): ip rip triggered
R1(config): interface serial 0/0.13
R1(config-if): ip rip triggered

R2(config): interface serial 0/0.21
R2(config-if): ip rip triggered

R3(config): interface serial 0/0.31
R3(config-if): ip rip triggered

- Neighbour configuration (unicast):

Note: the "passive-interface" command stops the interface from sending RIP broadcasts/multicasts; updates then go only to the configured unicast neighbours.

R1(config): router rip
R1(config-router): neighbor 172.12.123.2
R1(config-router): neighbor 172.12.13.2
R1(config-router): passive-interface serial 0/0.12
R1(config-router): passive-interface serial 0/0.13
R1(config-router): passive-interface loopback 1

R2(config): router rip
R2(config-router): neighbor 172.12.123.1
R2(config-router): passive-interface serial 0/0.21
R2(config-router): passive-interface loopback 2

R3(config): router rip
R3(config-router): neighbor 172.12.13.1
R3(config-router): passive-interface serial 0/0.31
R3(config-router): passive-interface loopback 3

- Create a default route on R1 that is advertised by RIP:

R1(config): ip route 0.0.0.0 0.0.0.0 195.23.10.2
R1(config): router rip
R1(config-router): default-information originate

- Configure summarisation on R3:

R3(config): interface serial 0/0.31
R3(config-if): ip summary-address rip 10.30.0.0 255.255.252.0

- Create a backup link between R0 and R2 in a way that avoids load balancing across the two links:

R0(config): ip access-list standard RIP_BACKUP_OFFSET
R0(config-std-nacl): permit any

R0(config): router rip
R0(config-router): offset-list RIP_BACKUP_OFFSET in 2 Serial0/1
R0(config-router): offset-list RIP_BACKUP_OFFSET out 2 Serial0/1
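The neighbour/passive-interface step above is the part of this lab that limits who receives routing updates, and it is easy to get half right: a `neighbor` statement adds a unicast copy of the updates, but the interface keeps multicasting them until it is also made passive. The following is an added example, not part of the original post, that audits an IOS-style `router rip` stanza for exactly that: it maps each `neighbor` address to the connected subinterface and reports any such interface that is not passive, plus any RIP-enabled interface with no neighbour at all that is not passive. The sample config is constructed to resemble the lab's R1 with `passive-interface Serial0/0.13` deliberately left out.

```python
import ipaddress

# Constructed sample modelled on the lab's R1 (not a capture from the lab):
# Serial0/0.13 has a unicast neighbour but was NOT made passive, so RIP
# still multicasts its full table out of that subinterface.
R1_CONFIG = """
interface Serial0/0.12 point-to-point
 ip address 172.12.123.1 255.255.255.0
interface Serial0/0.13 point-to-point
 ip address 172.12.13.1 255.255.255.0
interface Loopback1
 ip address 1.1.1.1 255.255.255.0
router rip
 version 2
 no auto-summary
 network 172.12.0.0
 network 1.0.0.0
 neighbor 172.12.123.2
 neighbor 172.12.13.2
 passive-interface Serial0/0.12
 passive-interface Loopback1
"""


def classful_network(address):
    """Return the classful network a RIP `network` statement covers."""
    first = int(address.split(".")[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{address}/{prefix}", strict=False)


def parse_config(text):
    """Pull interface addresses and the `router rip` stanza out of an IOS-style config."""
    interfaces = {}
    rip = {"version": None, "auto_summary": True, "networks": [],
           "neighbors": [], "passive": set()}
    section, name = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            section, name = "interface", line.split()[1]
        elif line == "router rip":
            section = "rip"
        elif section == "interface" and line.startswith("ip address "):
            _, _, ip, mask = line.split()
            interfaces[name] = ipaddress.ip_interface(f"{ip}/{mask}")
        elif section == "rip":
            words = line.split()
            if words[0] == "version":
                rip["version"] = int(words[1])
            elif line == "no auto-summary":
                rip["auto_summary"] = False
            elif words[0] == "network":
                rip["networks"].append(classful_network(words[1]))
            elif words[0] == "neighbor":
                rip["neighbors"].append(ipaddress.ip_address(words[1]))
            elif words[0] == "passive-interface":
                rip["passive"].add(words[1])
    return interfaces, rip


def audit_rip(text):
    """Return a list of findings; an empty list means the stanza matches the lab's intent."""
    interfaces, rip = parse_config(text)
    findings = []
    if rip["version"] != 2:
        findings.append("RIP version 2 is not enabled")
    if rip["auto_summary"]:
        findings.append("auto-summary is still enabled")
    for nbr in rip["neighbors"]:
        # The neighbour must sit on a connected subnet, and that interface must be passive.
        ifname = next((n for n, a in interfaces.items() if nbr in a.network), None)
        if ifname is None:
            findings.append(f"neighbor {nbr} is not on any connected subnet")
        elif ifname not in rip["passive"]:
            findings.append(f"{ifname}: neighbor {nbr} configured but interface "
                            "is not passive, multicast updates still sent")
    for name, addr in interfaces.items():
        enabled = any(addr.ip in net for net in rip["networks"])
        has_nbr = any(n in addr.network for n in rip["neighbors"])
        if enabled and not has_nbr and name not in rip["passive"]:
            findings.append(f"{name}: RIP enabled with no neighbor and not passive")
    return findings


if __name__ == "__main__":
    for finding in audit_rip(R1_CONFIG) or ["no findings"]:
        print(finding)
```

Running it on the constructed config reports only Serial0/0.13; adding `passive-interface Serial0/0.13` to the stanza clears the finding, which is the state the lab's R1 ends up in.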


DOWNLOAD THE CONFIGS HERE

Sunday, 13 January 2013

CCNP test for employers


CCNP test for employers:




Assumptions:

- No additional interfaces may be created;
- No static routes or policy-based routes may be created, except where asked;

Task 1: Configure an 802.1Q trunk between interface fa1/15 on SW1 and interface fa1/15 on SW2:

SW1(config): interface fastethernet 1/15
SW1(config-if): no shutdown
SW1(config-if): switchport trunk encapsulation dot1q
SW1(config-if): switchport mode trunk

SW2(config): interface fastethernet 1/15
SW2(config-if): no shutdown
SW2(config-if): switchport trunk encapsulation dot1q
SW2(config-if): switchport mode trunk

Task 2: Configure an 802.1Q "EtherChannel" trunk between SW1 and SW2. Both interfaces fa1/10 and fa1/11 must be part of the same LAG:

SW1(config): interface range fastethernet 1/10 - 11
SW1(config-if-range): no shutdown
SW1(config-if-range): channel-group 1 mode on
SW1(config-if-range): switchport trunk encapsulation dot1q
SW1(config-if-range): switchport mode trunk

SW1(config): interface port-channel 1
SW1(config-if): switchport trunk encapsulation dot1q
SW1(config-if): switchport mode trunk

SW2(config): interface range fastethernet 1/10 - 11
SW2(config-if-range): no shutdown
SW2(config-if-range): channel-group 1 mode on
SW2(config-if-range): switchport trunk encapsulation dot1q
SW2(config-if-range): switchport mode trunk

SW2(config): interface port-channel 1
SW2(config-if): switchport trunk encapsulation dot1q
SW2(config-if): switchport mode trunk

Task 3: Ensure VLAN traffic crosses the fa1/15 trunk and not the "EtherChannel" trunk, unless the fa1/15 trunk is down:

SW2(config): interface fastethernet 1/15
SW2(config-if): spanning-tree cost 1

Task 4: Routers R1 and R2 must be part of VLAN 10 and both must be pingable via interface fa0/0. Since we are in GNS3, we have to use the "vlan database" command to create the VLAN:

R1(config): interface fastethernet 0/0
R1(config-if): ip address 192.168.12.1 255.255.255.0
R1(config-if): speed 10
R1(config-if): duplex half

R2(config): interface fastethernet 0/0
R2(config-if): ip address 192.168.12.2 255.255.255.0
R2(config-if): speed 10
R2(config-if): duplex half

SW1#: vlan database
SW1(vlan): vtp server
SW1(vlan): vtp domain teste
SW1(vlan): vtp password cisco
SW1(vlan): vlan 10
SW1(vlan): apply

SW1(config): interface fastethernet 1/0
SW1(config-if): speed 10
SW1(config-if): duplex half
SW1(config-if): switchport mode access
SW1(config-if): switchport access vlan 10

SW2#: vlan database
SW2(vlan): vtp domain teste
SW2(vlan): vtp password cisco
SW2(vlan): vtp client
SW2(vlan): apply

SW2(config): interface fastethernet 1/0
SW2(config-if): speed 10
SW2(config-if): duplex half
SW2(config-if): switchport mode access
SW2(config-if): switchport access vlan 10

Task 5: Ensure VLAN 10 traffic cannot cross the fa1/15 trunk:

SW1(config): interface fastethernet 1/15
SW1(config-if): switchport trunk allowed vlan except 10

SW2(config): interface fastethernet 1/15
SW2(config-if): switchport trunk allowed vlan except 10

Task 6: Ensure SW1 is always the root switch for VLAN 10, even if another switch is added to the same network:

SW1(config): spanning-tree vlan 10 root primary

Task 7: Configure OSPF (area 0) between R1 and R2. OSPF hellos must only be sent from the interface that is part of area 0. Ensure R1's loopback 0 can ping R2's loopback 0:

R1(config): router ospf 1
R1(config-router): router-id 1.1.1.1
R1(config-router): passive-interface default
R1(config-router): network 192.168.12.0 0.0.0.255 area 0
R1(config-router): network 1.1.1.1 0.0.0.0 area 0
R1(config-router): no passive-interface fastethernet 0/0

R2(config): router ospf 1
R2(config-router): router-id 2.2.2.2
R2(config-router): passive-interface default
R2(config-router): network 192.168.12.0 0.0.0.255 area 0
R2(config-router): network 2.2.2.2 0.0.0.0 area 0
R2(config-router): no passive-interface fastethernet 0/0

Task 8: Configure EIGRP (AS 100) between R1 & R3 and R2 & R3 only. Ensure R3 redistributes interface loopback 0 only:

R1(config): router eigrp 100
R1(config-router): no auto-summary
R1(config-router): passive-interface default
R1(config-router): network 192.168.13.0 0.0.0.255
R1(config-router): no passive-interface fastethernet 0/1

R2(config): router eigrp 100
R2(config-router): no auto-summary
R2(config-router): passive-interface default
R2(config-router): network 192.168.13.0 0.0.0.255
R2(config-router): network 192.168.23.0 0.0.0.255
R2(config-router): no passive-interface fastethernet 0/0
R2(config-router): no passive-interface fastethernet 0/1

R3(config): router eigrp 100
R3(config-router): no auto-summary
R3(config-router): passive-interface default
R3(config-router): network 192.168.23.0 0.0.0.255
R3(config-router): no passive-interface fastethernet 0/1

R3(config): route-map CONNECTED_TO_EIGRP permit 10
R3(config-route-map): match interface Loopback0
R3(config): router eigrp 100
R3(config-router): redistribute connected metric 1 1 1 1 1500 route-map CONNECTED_TO_EIGRP

Task 9: Configure mutual redistribution between OSPF and EIGRP on R1 and R2. All routers (R1, R2 and R3) must only be able to ping each other's loopback 0 interfaces:

R1(config): router ospf 1
R1(config-router): redistribute eigrp 100 subnets

R1(config): router eigrp 100
R1(config-router): redistribute ospf 1 metric 1 1 1 1 1500

R2(config): router ospf 1
R2(config-router): redistribute eigrp 100 subnets

R2(config): router eigrp 100
R2(config-router): redistribute ospf 1 metric 1 1 1 1 1500

Task 10: Without using static routes or policy-based routes, ensure R2 can traceroute to R3's loopback 0 interface over the directly connected link:

R2(config): access-list 1 permit host 192.168.23.1
R2(config): route-map NEXT_HOP permit 10
R2(config-route-map): match ip address 1
R2(config-route-map): set ip next-hop 192.168.23.2

R2(config): interface fastethernet 0/1
R2(config-if): ip policy route-map NEXT_HOP

Task 11: Deny telnet access to R2 from R1 when the session is initiated from R1's fa0/0 interface:

R2(config): access-list 10 deny host 192.168.12.1
R2(config): access-list 10 permit any

R2(config): line vty 0 4
R2(config-line): access-class 10 in
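The `access-class` in Task 11 only does what the task asks if the ACL is both syntactically valid (a `host` entry takes no wildcard mask) and evaluated the way IOS evaluates it: first match wins and an unmatched source hits the implicit deny at the end. The following is an added example, not from the original post, that parses numbered standard ACL lines like ACL 10 (and ACL 1 from Task 10) into address/wildcard pairs and evaluates a source address against them, so you can confirm that 192.168.12.1 (R1's fa0/0) is refused while any other source, such as R1's other interface, is still allowed. The sample ACL lines are constructed to match the lab.

```python
import ipaddress

# Constructed sample: the lab's vty ACL on R2, written with valid syntax.
VTY_ACL = [
    "access-list 10 deny host 192.168.12.1",
    "access-list 10 permit any",
]


def parse_standard_acl(lines):
    """Parse numbered standard ACL lines into (action, address, wildcard) tuples."""
    entries = []
    for line in lines:
        words = line.split()
        if len(words) < 4 or words[0] != "access-list" or words[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard ACL entry: {line!r}")
        target = words[3:]
        if target == ["any"]:
            addr, wild = 0, 0xFFFFFFFF
        elif target[0] == "host":
            if len(target) != 2:
                raise ValueError(f"'host' takes a single address, no wildcard: {line!r}")
            addr, wild = int(ipaddress.IPv4Address(target[1])), 0
        elif len(target) == 1:  # a bare address is treated as a host match
            addr, wild = int(ipaddress.IPv4Address(target[0])), 0
        elif len(target) == 2:
            addr = int(ipaddress.IPv4Address(target[0]))
            wild = int(ipaddress.IPv4Address(target[1]))
        else:
            raise ValueError(f"cannot parse address/wildcard: {line!r}")
        entries.append((words[2], addr, wild))
    return entries


def is_valid_acl(lines):
    """True when every line parses; lets callers reject a malformed ACL before applying it."""
    try:
        parse_standard_acl(lines)
        return True
    except ValueError:
        return False


def evaluate(entries, source):
    """First-match evaluation. Returns (permitted, index of deciding entry or None)."""
    src = int(ipaddress.IPv4Address(source))
    for i, (action, addr, wild) in enumerate(entries):
        # A wildcard bit of 1 means "don't care"; every other bit must match exactly.
        if ((src ^ addr) & ~wild) == 0:
            return action == "permit", i
    return False, None  # implicit deny at the end of every IOS ACL


def acl_permits(entries, source):
    return evaluate(entries, source)[0]


if __name__ == "__main__":
    acl = parse_standard_acl(VTY_ACL)
    for src in ("192.168.12.1", "192.168.13.1", "10.9.9.9"):
        permitted, idx = evaluate(acl, src)
        print(f"{src}: {'permit' if permitted else 'deny'} (entry {idx})")
```

The parser refuses the `host 192.168.12.1 0.0.0.255` form, which is the check you want before pasting an ACL into a vty `access-class`: a line IOS rejects leaves the line with no access-class at all, i.e. telnet open to everyone.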

Task 12: On R2, redistribute RIP into OSPF and RIP into EIGRP. Avoid potential loops. All routers must be reachable from each other's loopback 0 interface:

R2(config): router ospf 1
R2(config-router): redistribute rip metric 5 subnets

R2(config): router eigrp 100
R2(config-router): redistribute rip metric 1 1 1 1 1500

R2(config): router rip
R2(config-router): redistribute ospf 1 metric 3
R2(config-router): redistribute eigrp 100 metric 1 1 1 1 1500

Note: on R4, "show ip route" shows routing loops, since the routing table contains several entries attributed to RIP that could never have been advertised by RIP originally!!!

DOWNLOAD THE CONFIGS HERE

Saturday, 12 January 2013

ASA Active/Standby failover configuration

ASA Active/Standby failover configuration:


-- Initial configuration:

ASA1(config)# interface Ethernet0/1
ASA1(config-if)# nameif outside
ASA1(config-if)# security-level 0
ASA1(config-if)# ip address 1.1.1.1 255.255.255.0 standby 1.1.1.2
ASA1(config-if)# no shut

ASA1(config)# interface Ethernet0/0
ASA1(config-if)# nameif inside
ASA1(config-if)# security-level 100
ASA1(config-if)# ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
ASA1(config-if)# no shut


ASA2(config)# interface Ethernet0/1
ASA2(config-if)# nameif outside
ASA2(config-if)# security-level 0
ASA2(config-if)# ip address 1.1.1.2 255.255.255.0
ASA2(config-if)# no shut

ASA2(config)# interface Ethernet0/0
ASA2(config-if)# nameif inside
ASA2(config-if)# security-level 100
ASA2(config-if)# ip address 10.0.0.2 255.255.255.0
ASA2(config-if)# no shut

-- "Failover" configuration:

ASA1(config)# failover
ASA1(config)# failover lan unit primary
ASA1(config)# failover lan interface FOCONTROL e0/2
ASA1(config)# failover interface ip FOCONTROL 192.168.21.1 255.255.255.252 standby 192.168.21.2
ASA1(config)# failover link FOSTATE e0/3
ASA1(config)# failover interface ip FOSTATE 192.168.21.5 255.255.255.252 standby 192.168.21.6
ASA1(config)# failover key cisco
ASA1(config)# failover polltime msec 200 holdtime msec 800
ASA1(config)# copy running-config disk0:/.private/startup-config

ASA2(config)# failover
ASA2(config)# failover lan unit secondary
ASA2(config)# failover lan interface FOCONTROL e0/2
ASA2(config)# failover interface ip FOCONTROL 192.168.21.1 255.255.255.252 standby 192.168.21.2
ASA2(config)# failover key cisco
ASA2(config)# failover polltime msec 200 holdtime msec 800
ASA2(config)# copy running-config disk0:/.private/startup-config

-- Test by shutting down the primary:

ASA2 shows "Switching To Active"

-- Run the following commands and check the status of the ASAs:

show failover
show failover interface

DOWNLOAD THE CONFIGS HERE

Initial ASA configuration in GNS3

Basic ASA configuration in GNS3:



Once the ASA is running, do:

1) Configure the "inside" NIC:

asa(config): interface ethernet 0/0
asa(config-if): no shut
asa(config-if): ip address 192.168.1.199 255.255.255.0
asa(config-if): nameif inside
asa(config-if): security-level 100

Note: the loopback is on 192.168.1.200/24

2) Enable the web server function:

asa(config): http server enable

3) Allow access from the physical "host" (loopback):

asa(config): http 192.168.1.200 255.255.255.255 inside

4) Create a user with permissions to access the ASA GUI:

asa(config): username cisco password cisco privilege 15

5) Import the ASDM bin file into the ASA:

asa: copy tftp://192.168.1.200/asdm-645.bin flash:

6) While it imports, check where the ASA is going to store the bin!!!

If it is in flash:, do:

asa(config): asdm image flash:/asdm-645.bin

If it is in disk0:, do:

asa(config): asdm image disk0:/asdm-645.bin

7) Save the startup-config:

asa(config): boot config disk0:/.private/startup-config
asa(config): copy running-config disk0:/.private/running-config
asa(config): copy disk0:/.private/running-config disk0:/.private/startup-config

8) Download 32-bit Java!!! If necessary, uninstall Java from IE and install only the 32-bit version (check in Control Panel):

9) Open IE with the following URL:

https://192.168.1.199/admin/public/asdm.jnlp

10) Run the "asdm.jnlp" file and follow the browser's instructions


11) Ensure the self-signed certificate issued by the ASA is not renewed on every session, which forces the browser to report a certificate error:

In ASDM, go to:

a) Certificate Management -> Identity Certificates -> click Add (see image below):


b) Select "Add a new identity certificate" -> select "New" and choose <Default-RSA-Key> and <CN=ASA name>

c) Click "Generate self-signed certificate"


DOWNLOAD THE CONFIGS HERE

Site-to-Site VPN configuration (pre-shared keys)

Site-to-Site VPN configuration (pre-shared keys):


-- Configuration of the routers that establish the VPN:

On Router A:

Router_A(config): crypto isakmp enable

Router_A(config): crypto isakmp policy 1
Router_A(config-isakmp): authentication pre-share
Router_A(config-isakmp): hash sha
Router_A(config-isakmp): encryption aes 128
Router_A(config-isakmp): group 2
Router_A(config-isakmp): lifetime 86400
Router_A(config-isakmp): exit
Router_A(config): crypto isakmp key cisco address 172.16.1.2

Router_A(config): crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
Router_A(cfg-crypto-trans): exit

Router_A(config): access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255

Router_A(config): crypto map ROUTER_A_TO_ROUTER_B 10 ipsec-isakmp
Router_A(config-crypto-map): set peer 172.16.1.2
Router_A(config-crypto-map): match address 101
Router_A(config-crypto-map): set transform-set MYSET
Router_A(config-crypto-map): exit

Router_A(config): interface s0/0
Router_A(config-if): crypto map ROUTER_A_TO_ROUTER_B

Router_A#: wr

On Router B:

Router_B(config): crypto isakmp enable

Router_B(config): crypto isakmp policy 1
Router_B(config-isakmp): authentication pre-share
Router_B(config-isakmp): hash sha
Router_B(config-isakmp): encryption aes 128
Router_B(config-isakmp): group 2
Router_B(config-isakmp): lifetime 86400
Router_B(config-isakmp): exit
Router_B(config): crypto isakmp key cisco address 172.16.1.1

Router_B(config): crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
Router_B(cfg-crypto-trans): exit

Router_B(config): access-list 101 permit ip 10.0.1.0 0.0.0.255 192.168.1.0 0.0.0.255

Router_B(config): crypto map ROUTER_B_TO_ROUTER_A 10 ipsec-isakmp
Router_B(config-crypto-map): set peer 172.16.1.1
Router_B(config-crypto-map): match address 101
Router_B(config-crypto-map): set transform-set MYSET
Router_B(config-crypto-map): exit

Router_B(config): interface s0/0
Router_B(config-if): crypto map ROUTER_B_TO_ROUTER_A

Router_B#: wr

-- Ping from Router A to the server on local network B;

-- To check the VPN status:

show crypto session
show crypto isakmp sa
show crypto ipsec sa
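Most site-to-site tunnels that fail to come up fail on one of three things: the ISAKMP policies on the two peers do not agree, the pre-shared key is bound to a different address than the crypto map peers with, or the crypto ACLs are not mirror images of each other. The following is an added example, not from the original post, that parses constructed copies of the two router configs above and checks all three before you reach for `show crypto isakmp sa`; it also flags the phase 1 parameters that current guidance treats as legacy (SHA-1 hashing and 1024-bit DH group 2 here), which is something to keep in mind when this config is reused outside the lab. The config strings and the legacy-parameter table are my own constructions.

```python
import ipaddress
import re

# Constructed copies of the two lab configs (not captures from the routers).
ROUTER_A = """
crypto isakmp policy 1
 authentication pre-share
 hash sha
 encryption aes 128
 group 2
 lifetime 86400
crypto isakmp key cisco address 172.16.1.2
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
crypto map ROUTER_A_TO_ROUTER_B 10 ipsec-isakmp
 set peer 172.16.1.2
 match address 101
 set transform-set MYSET
"""
ROUTER_B = """
crypto isakmp policy 1
 authentication pre-share
 hash sha
 encryption aes 128
 group 2
 lifetime 86400
crypto isakmp key cisco address 172.16.1.1
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
access-list 101 permit ip 10.0.1.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map ROUTER_B_TO_ROUTER_A 10 ipsec-isakmp
 set peer 172.16.1.1
 match address 101
 set transform-set MYSET
"""

# Phase 1 parameters flagged as legacy (table constructed for this example).
LEGACY = {("hash", "md5"): "MD5", ("hash", "sha"): "SHA-1",
          ("group", "1"): "768-bit DH group 1", ("group", "2"): "1024-bit DH group 2",
          ("encryption", "des"): "DES", ("encryption", "3des"): "3DES"}

ACL_RE = re.compile(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)")


def parse_vpn(text):
    """Extract the ISAKMP policy, PSK peer, transform-set, crypto ACL and map peer."""
    cfg = {"policy": {}, "psk_peer": None, "transform": None,
           "acl": [], "peer": None, "match": None}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("crypto isakmp policy"):
            section = "policy"
        elif line.startswith("crypto map"):
            section = "map"
        elif line.startswith("crypto isakmp key"):
            cfg["psk_peer"], section = line.split()[-1], None
        elif line.startswith("crypto ipsec transform-set"):
            cfg["transform"], section = tuple(line.split()[4:]), None
        elif ACL_RE.match(line):
            num, src, swild, dst, dwild = ACL_RE.match(line).groups()
            # ipaddress accepts wildcard (host) masks directly: 0.0.0.255 -> /24
            cfg["acl"].append((num, ipaddress.ip_network(f"{src}/{swild}"),
                               ipaddress.ip_network(f"{dst}/{dwild}")))
            section = None
        elif section == "policy":
            key, *value = line.split()
            cfg["policy"][key] = " ".join(value)
        elif section == "map":
            words = line.split()
            if words[:2] == ["set", "peer"]:
                cfg["peer"] = words[2]
            elif words[:2] == ["match", "address"]:
                cfg["match"] = words[2]
    return cfg


def audit_pair(a, b):
    """Return findings for a pair of peers; an empty list means the tunnel should negotiate."""
    findings = []
    if a["policy"] != b["policy"]:
        keys = set(a["policy"]) | set(b["policy"])
        diff = sorted(k for k in keys if a["policy"].get(k) != b["policy"].get(k))
        findings.append(f"ISAKMP policy mismatch on {', '.join(diff)}: phase 1 will not negotiate")
    if a["transform"] != b["transform"]:
        findings.append("transform-set mismatch: phase 2 will not negotiate")
    for side, cfg in (("A", a), ("B", b)):
        if cfg["peer"] != cfg["psk_peer"]:
            findings.append(f"{side}: pre-shared key is bound to {cfg['psk_peer']} "
                            f"but the crypto map peers with {cfg['peer']}")
        for key, value in cfg["policy"].items():
            label = LEGACY.get((key, value.split()[0]))
            if label:
                findings.append(f"{side}: {key} {value} uses legacy {label}")
    a_flows = {(s, d) for n, s, d in a["acl"] if n == a["match"]}
    b_flows = {(d, s) for n, s, d in b["acl"] if n == b["match"]}  # reversed on purpose
    if a_flows != b_flows:
        findings.append("crypto ACLs are not mirror images")
    return findings


if __name__ == "__main__":
    for finding in audit_pair(parse_vpn(ROUTER_A), parse_vpn(ROUTER_B)) or ["no findings"]:
        print(finding)
```

On the lab configs the only findings are the legacy-parameter notes; change `hash sha` to `hash md5` on one side, or the destination subnet in one ACL, and the mismatch findings appear, which is the same symptom you would otherwise only see as a missing entry in `show crypto isakmp sa`.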

DOWNLOAD THE CONFIGS HERE