Solution to PT Activity 5.6.1: Packet Tracer Skills Integration Challenge

Task 1: Configure PPP with CHAP Authentication
Step 1. Configure the link between HQ and B1 to use PPP encapsulation with CHAP authentication.

The password for CHAP authentication is cisco123.

B1
User Access Verification
Password: cisco
B1>en
Password: class
B1#conf t
B1(config)#int s0/0/0
B1(config-if)#encapsulation ppp
B1(config-if)#ppp authentication chap
B1(config-if)#exit
B1(config)#username HQ password cisco123

HQ
User Access Verification
Password: cisco
HQ>en
Password: class
HQ#conf t
HQ(config)#int s0/0/0
HQ(config-if)#encapsulation ppp
HQ(config-if)#ppp authentication chap
HQ(config-if)#exit
HQ(config)#username B1 password cisco123

Step 2. Configure the link between HQ and B2 to use PPP encapsulation with CHAP authentication.
The password for CHAP authentication is cisco123.

HQ
HQ(config)#
HQ(config)#int s0/0/1
HQ(config-if)#encapsulation ppp
HQ(config-if)#ppp authentication chap
HQ(config-if)#exit
HQ(config)#username B2 password cisco123

B2
User Access Verification
Password: cisco
B2>en
Password: class
B2#conf t
B2(config)#int s0/0/0
B2(config-if)#encapsulation ppp
B2(config-if)#ppp authentication chap
B2(config-if)#exit
B2(config)#username HQ password cisco123
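
The CHAP exchange that the commands above enable, as an added example that is not part of the original lab solution. It uses the RFC 1994 response calculation; the `USER_DB` layout and the function names are assumptions for illustration, and the model reflects the IOS default of sending the router hostname as the CHAP name.

```python
import hashlib
import hmac
import os

# Each router's local "username <peer> password <secret>" entries from the lab.
# The dictionary layout is an assumption made for this example.
USER_DB = {
    "HQ": {"B1": b"cisco123", "B2": b"cisco123"},
    "B1": {"HQ": b"cisco123"},
    "B2": {"HQ": b"cisco123"},
}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def authenticate(authenticator: str, peer: str, db=USER_DB) -> bool:
    """One direction of the handshake: `authenticator` challenges `peer`."""
    identifier = os.urandom(1)[0]
    challenge = os.urandom(16)  # sent in the clear together with the sender's name
    # The peer finds the secret under the challenger's hostname and answers.
    peer_secret = db.get(peer, {}).get(authenticator)
    if peer_secret is None:
        return False  # peer has no "username <authenticator>" entry
    response = chap_response(identifier, peer_secret, challenge)
    # The authenticator recomputes the hash with its own entry for the peer.
    local_secret = db.get(authenticator, {}).get(peer)
    if local_secret is None:
        return False
    expected = chap_response(identifier, local_secret, challenge)
    return hmac.compare_digest(response, expected)


def link_authenticated(a: str, b: str, db=USER_DB) -> bool:
    """Both ends run "ppp authentication chap", so both directions must pass."""
    return authenticate(a, b, db) and authenticate(b, a, db)


if __name__ == "__main__":
    print("HQ <-> B1:", link_authenticated("HQ", "B1"))
    print("HQ <-> B2:", link_authenticated("HQ", "B2"))
```

The password never crosses the link, only the hash does, which is why the `username` name must equal the peer's hostname and the secret must be identical, including case, on both routers.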

Step 3. Verify that connectivity is restored between the routers.
HQ should be able to ping both B1 and B2. The interfaces may take a few minutes to come back up. You can switch back and forth between Realtime and Simulation mode to speed up the process. Another possible workaround to this Packet Tracer behavior is to use the shutdown and no shutdown commands on the interfaces.

HQ
HQ#ping 10.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/6 ms

HQ#ping 10.1.1.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/5 ms

Task 2: Configure Default Routing
Step 1. Configure default routing from HQ to ISP.

Configure a default route on HQ using the exit interface argument to send all default traffic to ISP.

HQ
HQ(config)#ip route 0.0.0.0 0.0.0.0 s0/1/0

Step 2. Test connectivity to Web Server.
HQ should be able to successfully ping Web Server at 209.165.202.130 as long as the ping is sourced from the Serial0/1/0 interface.

HQ#ping 209.165.202.130

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.202.130, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/7/9 ms

Task 3: Configure OSPF Routing
Step 1. Configure OSPF on HQ.

- Configure OSPF using the process ID 1.
- Advertise all subnets except the 209.165.201.0 network.
- Propagate the default route to OSPF neighbors.
- Disable OSPF updates to ISP and to the HQ LANs.

HQ
HQ(config)#router ospf 1
HQ(config-router)#network 10.1.1.4 0.0.0.3 area 0
HQ(config-router)#network 10.1.1.0 0.0.0.3 area 0
HQ(config-router)#network 10.1.50.0 0.0.0.255 area 0
HQ(config-router)#network 10.1.40.0 0.0.0.255 area 0
HQ(config-router)#default-information originate
HQ(config-router)#passive-interface S0/1/0
HQ(config-router)#passive-interface f0/0
HQ(config-router)#passive-interface f0/1
HQ(config-router)#exit

Step 2. Configure OSPF on B1 and B2.

- Configure OSPF using the process ID 1.
- On each router, configure the appropriate subnets.
- Disable OSPF updates to the LANs.

B1
B1(config)#router ospf 1
B1(config-router)#network 10.1.1.0 0.0.0.3 area 0
B1(config-router)#network 10.1.10.0 0.0.0.255 area 0
B1(config-router)#network 10.1.20.0 0.0.0.255 area 0
B1(config-router)#passive-interface f0/0
B1(config-router)#passive-interface f0/1
B1(config-router)#exit

B2
B2(config)#router ospf 1
B2(config-router)#network 10.1.1.4 0.0.0.3 area 0
B2(config-router)#network 10.1.70.0 0.0.0.255 area 0
B2(config-router)#network 10.1.80.0 0.0.0.255 area 0
B2(config-router)#passive-interface f0/0
B2(config-router)#passive-interface f0/1
B2(config-router)#exit

Task 4: Implement Multiple ACL Security Policies
Step 1. Implement security policy number 1.

Block the 10.1.10.0 network from accessing the 10.1.40.0 network. All other access to 10.1.40.0 is allowed. Configure the ACL on HQ using ACL number 10.
Use a standard or extended ACL? standard
Apply the ACL to which interface? f0/1
Apply the ACL in which direction? OUT

HQ
HQ(config)#access-list 10 deny 10.1.10.0 0.0.0.255
HQ(config)#access-list 10 permit any
HQ(config)#int fa0/1
HQ(config-if)#ip access-group 10 out

Step 4. Implement security policy number 2.
Host 10.1.10.5 is not allowed to access host 10.1.50.7. All other hosts are allowed to access 10.1.50.7. Configure the ACL on B1 using ACL number 115.
Use a standard or extended ACL? extended
Apply the ACL to which interface? f0/0
Apply the ACL in which direction? IN

B1
B1(config)#access-list 115 deny ip host 10.1.10.5 host 10.1.50.7
B1(config)#access-list 115 permit ip any any
B1(config)#int fa0/0
B1(config-if)#ip access-group 115 in

Step 7. Implement security policy number 3.
Hosts 10.1.50.1 through 10.1.50.63 are not allowed web access to Intranet server at 10.1.80.16. All other access is allowed. Configure the ACL on the appropriate router and use ACL number 101.
Use a standard or extended ACL? extended
Configure the ACL on which router? HQ
Apply the ACL to which interface? f0/0
Apply the ACL in which direction? IN

HQ
HQ(config)#access-list 101 deny tcp 10.1.50.0 0.0.0.63 host 10.1.80.16 eq www
HQ(config)#access-list 101 permit ip any any
HQ(config)#interface fa0/0
HQ(config-if)#ip access-group 101 in

Step 10. Implement security policy number 4.
Use the name NO_FTP to configure a named ACL that blocks the 10.1.70.0/24 network from accessing FTP services (port 21) on the file server at 10.1.10.2. All other access should be allowed.
Note: Names are case-sensitive.
Use a standard or extended ACL? extended
Configure the ACL on which router? B2
Apply the ACL to which interface? f0/1
Apply the ACL in which direction? IN

B2
B2(config)#ip access-list extended NO_FTP
B2(config-ext-nacl)#deny tcp 10.1.70.0 0.0.0.255 host 10.1.10.2 eq ftp
B2(config-ext-nacl)#permit ip any any
B2(config-ext-nacl)#interface fa0/1
B2(config-if)#ip access-group NO_FTP in

Step 12. Implement security policy number 5.
Since ISP represents connectivity to the Internet, configure a named ACL called FIREWALL in the following order:
Allow only inbound ping replies from ISP and any source beyond ISP.
Allow only established TCP sessions from ISP and any source beyond ISP.
Explicitly block all other inbound access from ISP and any source beyond ISP.
Use a standard or extended ACL? extended
Configure the ACL on which router? HQ
Apply the ACL to which interface? s0/1/0
Apply the ACL in which direction? IN

HQ
HQ(config)#ip access-list extended FIREWALL
HQ(config-ext-nacl)#permit icmp any any echo-reply
HQ(config-ext-nacl)#permit tcp any any established
HQ(config-ext-nacl)#deny ip any any
HQ(config-ext-nacl)#interface s0/1/0
HQ(config-if)#ip access-group FIREWALL in
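
How ACL 101 and FIREWALL above are evaluated, as an added example that is not part of the original lab solution: a small first-match evaluator with Cisco wildcard-mask matching and the implicit deny. The packet dictionaries, tuple layout and function names are assumptions for illustration, and `established` is modelled as "ACK or RST flag set".

```python
import ipaddress

def wc_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard match: every bit that is 0 in the wildcard must be equal."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

ANY = ("0.0.0.0", "255.255.255.255")

def host(ip: str):
    return (ip, "0.0.0.0")

# Entry layout (assumed for this example): action, protocol, src, dst, extra test
ACL_101 = [
    ("deny", "tcp", ("10.1.50.0", "0.0.0.63"), host("10.1.80.16"),
     lambda p: p.get("dport") == 80),                      # eq www
    ("permit", "ip", ANY, ANY, None),
]
FIREWALL = [
    ("permit", "icmp", ANY, ANY, lambda p: p.get("icmp_type") == 0),  # echo-reply
    # "established" inspects TCP flags only; the router keeps no session state.
    ("permit", "tcp", ANY, ANY,
     lambda p: bool(p.get("flags", set()) & {"ACK", "RST"})),
    ("deny", "ip", ANY, ANY, None),
]

def evaluate(acl, pkt) -> str:
    """Return the action of the first matching entry, top to bottom."""
    for action, proto, src, dst, extra in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (wc_match(pkt["src"], *src) and wc_match(pkt["dst"], *dst)):
            continue
        if extra is not None and not extra(pkt):
            continue
        return action
    return "deny"  # implicit deny that ends every ACL

if __name__ == "__main__":
    # Constructed sample packets
    web = {"proto": "tcp", "src": "10.1.50.63", "dst": "10.1.80.16", "dport": 80}
    print("ACL 101, 10.1.50.63 -> web:", evaluate(ACL_101, web))
    syn = {"proto": "tcp", "src": "209.165.202.130", "dst": "10.1.50.7",
           "flags": {"SYN"}}
    print("FIREWALL, inbound SYN:", evaluate(FIREWALL, syn))
```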

Solution to PT Activity 4.7.1: Packet Tracer Skills Integration Challenge

Task 1: Configure Routing
Step 1. Configure a default route to ISP.

R2
Password: cisco
R2>en
Password: class
R2#conf t
R2(config)#ip route 0.0.0.0 0.0.0.0 s0/1/0

Step 2. Configure OSPF routing between R1, R2, and R3.

R2(config)#router ospf 1
R2(config-router)#network 192.168.20.0 0.0.0.255 area 0
R2(config-router)#network 10.1.1.0 0.0.0.3 area 0
R2(config-router)#network 10.2.2.0 0.0.0.3 area 0
R2(config-router)#default-information originate
R2(config-router)#passive-interface f0/1
R2(config-router)#passive-interface s0/1/0

R1
Password: cisco
R1>en
Password: class
R1#conf t
R1(config)#router ospf 1
R1(config-router)#network 192.168.10.0 0.0.0.255 area 0
R1(config-router)#network 10.1.1.0 0.0.0.3 area 0
R1(config-router)#passive-interface f0/1

R3
Password: cisco
R3>en
Password: class
R3#conf t
R3(config)#router ospf 1
R3(config-router)#network 192.168.30.0 0.0.0.255 area 0
R3(config-router)#network 10.2.2.0 0.0.0.3 area 0
R3(config-router)#passive-interface f0/1

Task 2: Configure OSPF Authentication
Step 1. Configure MD5 authentication between R1, R2, and R3.
Configure OSPF MD5 authentication between R1, R2, and R3 using 1 as the key value and cisco123 as the password.

R1
R1(config-router)#area 0 authentication message-digest
R1(config-router)#exit
R1(config)#int s0/0/0
R1(config-if)#ip ospf message-digest-key 1 md5 cisco123
R1(config-if)#exit
R1(config)#

R2
R2(config-router)#area 0 authentication message-digest
R2(config-router)#exit
R2(config)#int s0/0/0
R2(config-if)#ip ospf message-digest-key 1 md5 cisco123
R2(config-if)#exit
R2(config)#
R2(config)#int s0/0/1
R2(config-if)#ip ospf message-digest-key 1 md5 cisco123
R2(config-if)#exit
R2(config)#

R3
R3(config-router)#area 0 authentication message-digest
R3(config-router)#exit
R3(config)#int s0/0/1
R3(config-if)#ip ospf message-digest-key 1 md5 cisco123
R3(config-if)#exit
R3(config)#
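
What `message-digest-key 1 md5 cisco123` puts on the wire, as an added example that is not part of the original lab solution: an OSPFv2 header with AuType 2 built and checked as described in RFC 2328 Appendix D. The function names, the router ID and the packet body are constructed for illustration; the body is a placeholder, not a real Hello.

```python
import hashlib
import hmac
import struct

def pad_key(key: bytes) -> bytes:
    """The secret is zero-padded to 16 bytes before hashing."""
    return key.ljust(16, b"\0")

def build_packet(router_id: bytes, body: bytes, key_id: int, seq: int,
                 key: bytes) -> bytes:
    """OSPFv2 packet using cryptographic authentication (AuType 2)."""
    length = 24 + len(body)                    # the trailing digest is not counted
    header = struct.pack("!BBH4s4sHHHBBI",
                         2, 1, length,         # version 2, type 1 (Hello)
                         router_id, bytes(4),  # router ID, area 0.0.0.0
                         0, 2,                 # checksum unused, AuType 2
                         0, key_id, 16, seq)   # zero, key ID, digest length, sequence
    packet = header + body
    return packet + hashlib.md5(packet + pad_key(key)).digest()

def verify(wire: bytes, keys: dict, last_seq: int) -> bool:
    """Receiver-side check: key ID known, sequence not decreasing, digest equal."""
    if len(wire) < 24 + 16:
        return False
    (length,) = struct.unpack_from("!H", wire, 2)
    autype, _, key_id, dlen, seq = struct.unpack_from("!HHBBI", wire, 14)
    if autype != 2 or dlen != 16 or key_id not in keys:
        return False                           # key ID must match on both routers
    if seq < last_seq or len(wire) < length + 16:
        return False                           # older sequence numbers are dropped
    packet, digest = wire[:length], wire[length:length + 16]
    expected = hashlib.md5(packet + pad_key(keys[key_id])).digest()
    return hmac.compare_digest(digest, expected)

if __name__ == "__main__":
    # Constructed sample: router ID 2.2.2.2, placeholder body, key 1 = cisco123
    wire = build_packet(bytes([2, 2, 2, 2]), b"constructed-body", 1, 100, b"cisco123")
    print("same key:     ", verify(wire, {1: b"cisco123"}, 99))
    print("different key:", verify(wire, {1: b"cisco321"}, 99))
    print("other key ID: ", verify(wire, {2: b"cisco123"}, 99))
```

The packet contents stay readable; the digest only proves that the sender holds the same key, so both the key ID and the password must match on each side of a link.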

Task 3: Upgrade the Cisco IOS Image

Step 1. Copy a newer image from the TFTP server to flash on R2.

Look under the Config tab for the TFTP server to determine the name of the newer Cisco IOS image. Then copy the newer image to flash on R2.

Step 2. Configure R2 to boot with the new image.

R2#sh version
Cisco IOS Software, 1841 Software (C1841-IPBASE-M), Version 12.3(14)T7, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Mon 15-May-06 14:54 by pt_team

ROM: System Bootstrap, Version 12.3(8r)T8, RELEASE SOFTWARE (fc1)

System returned to ROM by power-on
System image file is "flash:c1841-ipbase-mz.123-14.T7.bin"

R2#copy tftp flash
Address or name of remote host []? 192.168.20.254
Source filename []? c1841-ipbasek9-mz.124-12.bin
Destination filename [c1841-ipbasek9-mz.124-12.bin]?

Accessing tftp://192.168.20.254/c1841-ipbasek9-mz.124-12.bin…
Loading c1841-ipbasek9-mz.124-12.bin from 192.168.20.254: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 16599160 bytes]

16599160 bytes copied in 1.288 secs (2883740 bytes/sec)

R2#conf t
R2(config)#boot system flash c1841-ipbasek9-mz.124-12.bin
R2(config)#exit
R2#show flash

System flash directory:
File  Length   Name/status
  1   13832032 c1841-ipbase-mz.123-14.T7.bin
  3   16599160 c1841-ipbasek9-mz.124-12.bin
[30431192 bytes used, 2082856 available, 32514048 total]
32768K bytes of processor board System flash (Read/Write)

R2#copy running-config startup-config
Destination filename [startup-config]?
Building configuration…
[OK]