Document: The Shrike – 6CoLabs pdf


6CoLabs. The Shrike ©Fabrice Bobes 2002 (Single User License)

The Shrike – 6CoLabs

Part 0: Pre Lab Setup

0.1 Load the initial configs.
0.2 The major Network is 150.4.0.0
0.3 Create a loopback interface (Lo0) on each router. This loopback interface’s address must be 150.4.x.x where x is the router number. The subnet mask is /24.
0.4 Default routes, static routes and routes to null0 are not permitted unless otherwise specified
0.5 At the end of your work, verify the IP connectivity. Unless it is otherwise specified, every interface must be “pingable” from any router.

Part 1: Bridging and Switching (16 points)

1.1 Catalysts 3550 configuration (7 points)

1.1.1 On Cat35-1, the vtp domain name must be 6Colabs and the vtp mode server. Cat35-2 must synchronize its VLAN configuration with Cat35-1. You can’t change Cat35-2’s VLAN configuration.
1.1.2 Vlans Configuration: Assign the Catalyst Cat35-1’s ports as shown below:

VLAN  Name    Ports
10    VLAN-A  FA0/6, FA0/8
20    VLAN-B  FA0/18, FA0/24
30    VLAN-C  FA0/14
40    VLAN-D  FA0/1
50    VLAN-E  FA0/5

The Catalyst Cat35-1’s management interface must be part of VLAN-C. Its IP address is 150.4.114.50/24.
The Catalyst Cat35-2’s management interface must be part of VLAN-C. Its IP address is 150.4.114.51/24.
1.1.3 Configure a Trunk on an EtherChannel bundle between Cat35-1 and Cat35-2. Use dot1Q for the trunk encapsulation. Disable Trunk negotiation. You must manually configure EtherChannel and the trunk.
1.1.4 Only VLAN 1, 10, 20, 30, 40 and 50 are allowed on the trunk
1.1.5 Reduce the startup delay of the Cat35-2’s FastEthernet ports 0/1 to 0/12 without turning Spanning-Tree off.

1.2 Frame-Relay Configuration (3 points)

1.2.1 Configure R6 and R5 over Frame-Relay. Use only subinterfaces.
1.2.2 Configure R6 and R14 over Frame-Relay. Don't use a subinterface on R14.
1.2.3 Configure R1 and R5 over Frame-Relay.
The frame-relay switch R7 has been configured with fully meshed PVCs. Use only the PVCs shown in the diagram.

1.3 PPP configuration (2 points)

1.3.1 The encapsulation for the serial connection between R6 and R8 must be PPP. Use a clock rate of 256000 on R6 S0/1
1.3.2 Configure R6 to shutdown the link if the quality drops below 80%.

1.4 ATM configuration (4 points)

1.4.1 Configure Classical IP between R13 and R14. You must specify the Esi-address on both sides. R14 is the ARP server. Don't use any subinterface.

Part 2: IP IGP Protocols (26 points)

2.1 OSPF Configuration (10 points)

2.1.1 Configure the OSPF areas as shown in the diagram. Enable OSPF by specifying the entire mask in your network statement. On R5, R6, R8 and R14, assign the loopback interface Lo0 to the OSPF area of your choice.
2.1.2 Configure area 0 to use the highest level of authentication possible. Use the password cisco.
2.1.3 Do not advertise the loopback interfaces as host routes (/32 mask)

2.2 RIP Configuration (4 points)

2.2.1 Configure RIP between R5 and R1. Add the loopbacks and the ethernet networks on R1 to the RIP process.
2.2.2 Make sure that R1 can only send and receive RIP v1 updates on its Ethernet interface.
2.2.3 Don't summarize the routes on R1 and R5
2.2.4 Configure RIP authentication between R1 and R5. Use the highest level of authentication possible.

2.3 EIGRP configuration (4 points)

2.3.1 Configure EIGRP as shown in the diagram. Include R13 loopback interface into the EIGRP process.

2.4 Redistribution configuration (8 points)

2.4.1 Mutually redistribute RIP and OSPF on R5. Redistribute only the odd numbered loopback networks learned from R1. To do so, you are allowed only one statement in your access-list.
2.4.2 Mutually redistribute EIGRP 100 and OSPF on R6 and R14
2.4.3 R8 must prefer the routes learned via Eigrp over Ospf

Part 3: Dial (10 points)

3.1 The ISDN link must come up only when the Frame-Relay link is down.
Use the Frame-Relay feature that checks if the remote end of the VC is up or down via keepalive requests.
3.2 Only R5 must initiate the call. When the frame-relay goes down, the ISDN link must be brought up in less than 5 seconds.
3.3 You can't use dialer-watch, dial-on-demand or ospf demand-circuit
3.4 Shutdown S0/0.1 on R6 and make sure that R1 can still reach every network when using the ISDN link

Part 4: BGP (23 points)

4.1 IBGP Configuration (3 points)

4.1.1 Configure R6, R8 and R14 in AS65005. R6 and R14 should have only one neighbor within AS 65005.
4.1.2 Don't turn off synchronization in AS65005
4.1.3 Every BGP router must use its loopback address when peering

4.2 EBGP Configuration (8 points)

4.2.1 Configure router R1 in AS65001 to peer with router R5 in AS2
4.2.2 Configure router R6 in AS3 to peer with router R5 in AS2.
4.2.3 Configure router R14 in AS3 to peer with router R13 in AS4 and with Cat35-2 in AS5.
4.2.4 Every BGP router must use its loopback address when peering except between AS5 and AS3.

4.3 Redistribution/Filtering (12 points)

4.3.1 Create a loopback interface Lo10 on R1 with IP subnet 172.16.1.0/24 and inject it into BGP. Make sure that every router within AS3 knows about this subnet.
4.3.2 Don't advertise the network 172.16.1.0/24 to AS4 or AS5. You can only make the change on R6.
4.3.3 Configure R1 to advertise all the networks 192.168.x.0/24 and summarize them as a single network. Use the shortest prefix possible. You must redistribute the networks into BGP without using the network command.
4.3.4 AS3 must see the networks learned from R1 without AS path containing AS65001. The change must be done on R5. Don’t use a route-map.
4.3.5 Create a loopback interface on R6 with IP subnet 210.210.210.0/24 and inject it into BGP. Make sure that this subnet shows up in every router within AS3, AS4 and AS5 only. Don’t advertise this subnet via BGP nor IGP to R1 and R5.
4.3.6 Advertise a default route via BGP to Cat35-2

Part 5: Non IP Protocols (8 points)

5.1 DLSW Configuration

5.1.1 Configure DLSW between R5 and R8 to allow hosts in VLAN-E to communicate with hosts in VLAN-A. Use TCP encapsulation.
5.1.2 Configure R5 to peer with R6 in case the DLSW connection between R5 and R8 fails. Use DLSW Lite encapsulation between R5 and R6. Make sure that the link between R5 and R6 doesn't stay up when the link between R5 and R8 is restored.
5.1.3 Only R5 must establish the DLSW connections. Don’t use the option promiscuous on R6 and R8.
5.1.4 Eliminate unnecessary traffic by disabling spanning-tree negotiation protocol
5.1.5 Configure a filter on R5 that will allow only Netbios traffic to R6 and R8.

Part 6: Voice (8 points)

6.1.1 Configure Phone A on R13 with the number 1301
6.1.2 Configure Phone B on R13 with the number 1302
6.1.3 Configure Phone C on R14 with the number 1401
6.1.4 You must be able to dial any number from Phone C and ring Phone B. You must still connect to the right extension. Num-exp is not allowed.
6.1.5 Configure Phone A to be able to call Phone C
6.1.6 Picking up Phone B must automatically ring Phone A
6.1.7 The voice quality is of the highest importance and you have plenty of network bandwidth:
- choose a codec with the highest quality
- enable the transmission of silence packets
6.1.8 Reserve the equivalent of 10% of an OC3 link for the voice traffic with a maximum of 80kbps per single-flow. Only R13 will request the reservation of bandwidth.

Part 7: Other IOS Features (9 points)

7.1.1 You want to prevent DOS (Denial of Service) attacks coming from the network attached to e0/0 on R1.
a) - Enable the feature that will discard IP packets that lack a verifiable IP source address.
b) - Protect the TCP servers on the network 150.4.0.0/16 from TCP SYN-flooding attacks
7.1.2 Configure an access-list on R1 with the following requirements:
- permit smtp traffic to the mail server 150.4.50.3
- permit http traffic to the web server 150.4.50.3
- permit ftp traffic to the ftp server 150.4.50.2
- permit http traffic if the connection was established from any host belonging to the network 150.4.114.0
- permit RIPv1
- log the denied packets
The access-list must be applied to R1’s e0/0
7.1.3 Telnet access to the Catalyst Cat35-2 must be only permitted from R5. R5 must use the address of its loopback address as the source address for Telnet.
7.1.4 Configure R5 to serve as a DHCP Server for the clients attached to R5’s E0/0.
You must exclude the following addresses from the pool: 150.4.50.101 150.4.50.254
Configure the following configuration:
- DNS Server: 150.4.114.253 150.4.114.254
- Wins Server: 150.4.114.253
- Netbios-node-type: Hybrid
- Lease: 3 Days
- Default Router: 150.4.50.5
You need to configure manual bindings for two hosts:
- The host serving as a Mail and web server has the following mac-address 00-50-BA-DD-BA-00. You must allocate the IP address 150.4.50.3
- The host serving as a FTP server has the following mac-address 00-50-BA-DD-BA-01. You must allocate the IP address 150.4.50.2
The two hosts run Microsoft Windows.
TIP: you must concatenate the hardware type (01 for Ethernet) with the Mac-address of the client.

[...]

... hosts:
- The host serving as a Mail and web server has the following mac-address 00-50-BA-DD-BA-00. You must allocate the IP address 150.4.50.3
- The host serving as a FTP server has the following mac-address 00-50-BA-DD-BA-01. You must allocate the IP address 150.4.50.2
The two hosts run Microsoft Windows.
TIP: you must concatenate the hardware type (01 for Ethernet) with the Mac-address of the client.
A: The ...

Part 3: Dial (10 points)

3.1 The ISDN link must come up only when the Frame-Relay link is down. Use the Frame-Relay feature that checks if the remote end of the VC is up or down via keepalive requests.
A: You are asked to use the frame-relay end-to-end keepalive feature. This feature is a great addition to the backup interface command. The relevant configuration ...

Part 2: IP IGP Protocols (26 points)

2.1 OSPF Configuration (10 points)

2.1.1 Configure the OSPF areas as shown in the diagram. Enable OSPF by specifying the entire mask in your network statement. On R5, R6, R8 and R14, assign the loopback interface Lo0 to the OSPF area of your choice.
A: Don’t forget the virtual-links. Area 50 is not adjacent ...

... Configure area 0 to use the highest level of authentication possible. Use the password cisco.
A: To enable md5 authentication, you must enter the following configs on R6 and R8:

Interface s0/1
 ip ospf message-digest-key 1 md5 cisco
router ospf 1
 area 0 authentication message-digest

Since area 0 is using authentication, you must add the following command on R5:

Router ospf 1
 area 0 authentication message-digest ...

... receive RIP v1 updates on its Ethernet interface.
A: Add:

interface Ethernet0/0
 ip rip send version 1
 ip rip receive version 1

2.2.3 Don't summarize the routes on R1 and R5
A: You must use RIPv2 between R1 and R5.
2.2.4 Configure RIP authentication between R1 and R5. Use the highest level of authentication possible.
A: To enable MD5 authentication for RIP v2, you must add the following config to R1 and ...

6.1.6 Picking up Phone B must ring automatically Phone A
A: R13

voice-port 3/0/1
 connection plar 1301

6.1.7 The voice quality is of the highest importance and you have plenty of network bandwidth:
- choose a codec with the highest quality
- enable the transmission of silence packets
A: You should use g711ulaw or codec g711alaw. Use the command No vad to transmit ...

...

Line vty 0 4
 Access-class 1 in
 Login
 Password cisco

7.1.4 Configure R5 to serve as a DHCP Server for the clients attached to R5’s E0/0.
You must exclude the following addresses from the pool: 150.4.50.101 150.4.50.254
Configure the following configuration:
- DNS Server: 150.4.114.253 150.4.114.254
- Wins Server: 150.4.114.253
- Netbios-node-type: ...

... s0/1 on R5)

 ip rip authentication mode md5
 ip rip authentication key-chain rip

2.3 EIGRP configuration (4 points)

2.3.1 Configure EIGRP as shown in the diagram. Include R13 loopback interface into the EIGRP process.

2.4 Redistribution configuration (8 points)

2.4.1 Mutually redistribute RIP and OSPF on R5. Redistribute only the odd numbered ...

... sure you filter the networks learned from RIP or you will create routing loops.
2.4.3 R8 must prefer the routes learned via Eigrp over Ospf
A: Beware: again, you may easily create routing loops. The solution is to increase the AD (Administrative distance) of OSPF on R8 to a value higher than the AD for EIGRP external-routes (170). We encourage you to check the routing tables before changing the AD. A show ...

... with the following command:

R13#sh ip rsvp reservation
To            From          Pro DPort Sport Next Hop  I/F  Fi Serv BPS Bytes
150.4.100.13  150.4.100.14  UDP 18628 18902                FF LOAD 80K 400

Part 7: Other IOS Features (9 points)

7.1.1 You want to prevent DOS (Denial of Service) attacks coming from the network attached to e0/0 on R1
a) - Enable the feature ...
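
Task 2.4.1 allows only one access-list statement for the odd-numbered networks, which is possible because a Cisco wildcard mask marks individual bits as "don't care". The sketch below is an added example, not the workbook's answer; the 192.168.x.0 route list and the `192.168.1.0 0.0.254.0` entry are constructed assumptions used to show the bit logic and how broadly such an entry matches.

```python
import ipaddress

def _u32(dotted):
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(address, base, wildcard):
    """Cisco ACL match: a 1 bit in the wildcard is "don't care",
    a 0 bit must be identical in address and base."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(address) & care) == (_u32(base) & care)

def permitted(routes, base, wildcard):
    """Routes that a single 'permit <base> <wildcard>' entry lets through."""
    return [r for r in routes if wildcard_match(r, base, wildcard)]

# Constructed sample: loopback networks R1 might advertise via RIP.
R1_LOOPBACKS = ["192.168.%d.0" % n for n in range(1, 9)]

# Hypothetical single entry: pin bit 0 of the third octet to 1 (odd) and
# ignore its other seven bits (254 = 1111 1110).
ODD_ENTRY = ("192.168.1.0", "0.0.254.0")
# The same wildcard with an even base selects the even networks instead.
EVEN_ENTRY = ("192.168.0.0", "0.0.254.0")

def match_count(base, wildcard, prefix="192.168"):
    """How many <prefix>.N.0 networks (N = 0..255) the entry covers."""
    every = ["%s.%d.0" % (prefix, n) for n in range(256)]
    return len(permitted(every, base, wildcard))

if __name__ == "__main__":
    print("odd :", permitted(R1_LOOPBACKS, *ODD_ENTRY))
    print("even:", permitted(R1_LOOPBACKS, *EVEN_ENTRY))
    # The entry is broad: it covers all 128 odd values, not only the
    # loopbacks present today, so a new odd network is redistributed too.
    print("networks covered:", match_count(*ODD_ENTRY))
```
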

Date posted: 24/01/2014, 10:20
