Lab: OSPF Route Summarization

Route summarization combines the routes of multiple networks/subnets into a single route in the routing tables of neighboring routers. Summarization provides several advantages, for example:

  • Saves memory – smaller routing tables reduce the memory requirements.
  • Saves bandwidth – with fewer routes that need to be advertised, less data is sent.
  • Saves CPU cycles – smaller routing tables mean fewer packets need to be processed.

This is a multi-area OSPF lab that provides an example of route summarization.

Task 1: Configure the hostname on all three routers.

Router>enable
Router#configure terminal
Router(config)#hostname R1
R1(config)#no ip domain-lookup

Router>enable
Router#configure terminal
Router(config)#hostname R2
R2(config)#no ip domain-lookup

Router>enable
Router#configure terminal
Router(config)#hostname R3
R3(config)#no ip domain-lookup

Task 2: Assign IP addresses to the physical interfaces on all three routers.

R1(config)#interface ethernet 0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface serial 1/0
R1(config-if)#ip address 100.0.25.2 255.255.255.252
R1(config-if)#no shutdown
R1(config-if)#exit


R2(config)#interface ethernet 0/0
R2(config-if)#ip address 192.168.2.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface serial 1/1
R2(config-if)#ip address 100.0.25.6 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#exit


R3(config)#interface serial 1/0
R3(config-if)#clock rate 8064000
R3(config-if)#ip address 100.0.25.1 255.255.255.252
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#interface serial 1/1
R3(config-if)#clock rate 8064000
R3(config-if)#ip address 100.0.25.5 255.255.255.252
R3(config-if)#no shutdown
R3(config-if)#exit

Task 3: Configure loopback addresses on Router 2.

R2(config)#interface loopback 0
R2(config-if)#ip address 172.16.0.1 255.255.255.0
R2(config-if)#ip ospf network point-to-point
R2(config-if)#exit
R2(config)#interface loopback 1
R2(config-if)#ip address 172.16.1.1 255.255.255.0
R2(config-if)#ip ospf network point-to-point
R2(config-if)#exit
R2(config)#interface loopback 2
R2(config-if)#ip address 172.16.2.1 255.255.255.0
R2(config-if)#ip ospf network point-to-point
R2(config-if)#exit
R2(config)#interface loopback 3
R2(config-if)#ip address 172.16.3.1 255.255.255.0
R2(config-if)#ip ospf network point-to-point
R2(config-if)#exit

Task 4: Configure OSPF on all three routers. Advertise the physical and loopback interfaces of each router. Set each router’s ID as follows:
R1 = 1.1.1.1
R2 = 2.2.2.2
R3 = 3.3.3.3

R1(config)#router ospf 1
R1(config-router)#router-id 1.1.1.1
R1(config-router)#network 192.168.1.0 0.0.0.255 area 0
R1(config-router)#network 100.0.25.0 0.0.0.3 area 0
R1(config-router)#


R2(config)#router ospf 1
R2(config-router)#router-id 2.2.2.2
R2(config-router)#network 192.168.2.0 0.0.0.255 area 1
R2(config-router)#network 100.0.25.4 0.0.0.3 area 1
R2(config-router)#network 172.16.0.0 0.0.3.255 area 1
R2(config-router)#exit


R3(config)#router ospf 1
R3(config-router)#router-id 3.3.3.3
R3(config-router)#network 100.0.25.0 0.0.0.3 area 0
R3(config-router)#network 100.0.25.4 0.0.0.3 area 1

View R1’s routing table after all routers have completed the OSPF process.

Task 5: Now let’s summarize what R3 advertises to R1. Clear the OSPF process to force R3’s neighbors to receive the updated routes learned from OSPF.

R3(config)#router ospf 1
R3(config-router)#area 1 range 172.16.0.0 255.255.252.0 
R3(config-router)#end
R3#clear ip ospf process

Finally, return to router R1 and review the routing table; you will now see the routes summarized. The loopback interface routes should be seen as a single summarized route outside of area 1.
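How the summary used in Task 5 is derived from R2's loopbacks, as an added Python example that is not part of the original lab. It goes beyond the lab by also reporting any address blocks a summary would advertise without a matching subnet behind it; the fifth loopback in the demo is hypothetical.

```python
import ipaddress


def uncovered(summary, nets):
    """Return the parts of `summary` that none of `nets` cover."""
    remaining = [summary]
    for net in nets:
        kept = []
        for block in remaining:
            if block.subnet_of(net):
                continue                      # fully covered by a real prefix
            if net.subnet_of(block):
                kept.extend(block.address_exclude(net))
            else:
                kept.append(block)
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))


def area_range(prefixes):
    """Smallest single summary covering every prefix, in `area range` form."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    low = min(int(n.network_address) for n in nets)
    high = max(int(n.broadcast_address) for n in nets)
    # The summary keeps only the leading bits shared by the lowest and
    # highest address; every bit from the first difference onward is host.
    plen = 32 - (low ^ high).bit_length()
    base = (low >> (32 - plen)) << (32 - plen)
    summary = ipaddress.IPv4Network((base, plen))
    return {
        "summary": str(summary),
        "mask": str(summary.netmask),         # mask form used by `area 1 range`
        "wildcard": str(summary.hostmask),    # form used by the `network` statement
        "gaps": [str(g) for g in uncovered(summary, nets)],
    }


# R2's loopback subnets from Task 3.
LAB_LOOPBACKS = ["172.16.0.0/24", "172.16.1.0/24", "172.16.2.0/24", "172.16.3.0/24"]

if __name__ == "__main__":
    lab = area_range(LAB_LOOPBACKS)
    print(f"area 1 range {lab['summary'].split('/')[0]} {lab['mask']}", lab["gaps"])
    # Hypothetical fifth loopback (not in the lab): the summary widens and now
    # advertises address space that no interface in area 1 owns.
    print(area_range(LAB_LOOPBACKS + ["172.16.4.0/24"]))
```

An empty `gaps` list means the summary advertises exactly the configured subnets, which is the case for the lab's four loopbacks.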

Lab: IPSEC Site-to-Site VPN

Simple IPSEC VPN lab. In this lab you will connect two sites through the internet with an IPSEC VPN tunnel. Each site has its own static public IP address assigned by the ISP.

The operation of IPSEC has five steps. Before getting to the first step, let’s implement the basic configuration needed to set up the lab.

Configure the hostname and IP addresses of the ISP router.

Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname ISP
ISP(config)#no ip domain-lookup
ISP(config)#interface ethernet 0/0
ISP(config-if)#ip address 100.0.25.2 255.255.255.252
ISP(config-if)#no shutdown
ISP(config-if)#exit
ISP(config)#interface ethernet 0/1
ISP(config-if)#ip address 200.0.25.2 255.255.255.252
ISP(config-if)#no shutdown
ISP(config)#interface loopback 0
ISP(config-if)#ip address 1.1.1.1 255.255.255.255
ISP(config-if)#no shutdown

Configure the hostname and IP addresses of router R1.

Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname R1
R1(config)#no ip domain-lookup
R1(config)#interface ethernet 0/0
R1(config-if)#ip address 100.0.25.1 255.255.255.252
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface ethernet 0/1
R1(config-if)#ip address 192.168.1.254 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

Configure the hostname and IP address of router R2.

Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname R2
R2(config)#no ip domain-lookup
R2(config)#interface ethernet 0/0
R2(config-if)#ip address 200.0.25.1 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface ethernet 0/1
R2(config-if)#ip address 192.168.2.254 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#

Configure the VPCs’ hostnames and IP addresses.

VPCS> set pcname PC-A
PC-A> ip 192.168.1.1 /24 192.168.1.254
Checking for duplicate address...
PC1 : 192.168.1.1 255.255.255.0 gateway 192.168.1.254

VPCS> set pcname PC-B
PC-B> ip 192.168.1.2 /24 192.168.1.254
Checking for duplicate address...
PC1 : 192.168.1.2 255.255.255.0 gateway 192.168.1.254

VPCS> set pcname PC-C
PC-C> ip 192.168.2.1 /24 192.168.2.254
Checking for duplicate address...
PC1 : 192.168.2.1 255.255.255.0 gateway 192.168.2.254

VPCS> set pcname PC-D
PC-D> ip 192.168.2.2 /24 192.168.2.254
Checking for duplicate address...
PC1 : 192.168.2.2 255.255.255.0 gateway 192.168.2.254

Now, the last thing before the five steps of configuring the IPSEC site-to-site VPN: on routers R1 and R2, configure a default route to the ISP’s IP address on each router’s external (static public IP) link.

R1(config)#ip route 0.0.0.0 0.0.0.0 100.0.25.2

R2(config)#ip route 0.0.0.0 0.0.0.0 200.0.25.2

Step 1:
Configure the traffic that we wish to encrypt, also known as interesting traffic. This needs to be configured on both routers, R1 and R2. The crypto ACL needs to identify only outbound traffic on each router. The permit statement in the ACL specifies the traffic flow that will be encrypted when exiting. Only traffic from R1’s internal LAN to R2’s internal LAN will be encrypted; traffic intended for any other network will not be encrypted.

R1(config)# ip access-list extended VPN-ACL
R1(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

R2(config)# ip access-list extended VPN-ACL
R2(config-ext-nacl)# permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

Step 2:
Because the routers use NAT for Internet access, we need to add a NAT exemption for the VPN traffic. IPSEC does not work with NAT, which is why we need to exclude the traffic matched by the crypto ACL so that it is not translated. First exclude the traffic and then add the NAT functionality to each router.

R1(config)# ip access-list extended NAT-ACL
R1(config-ext-nacl)# deny  ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
R1(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 any
R1(config-ext-nacl)#exit

R1(config)#ip nat inside source list NAT-ACL interface ethernet 0/0 overload

R1(config)#interface ethernet 0/0
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#interface ethernet 0/1
R1(config-if)#ip nat inside
R1(config-if)#exit


R2(config)# ip access-list extended NAT-ACL
R2(config-ext-nacl)# deny  ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
R2(config-ext-nacl)# permit ip 192.168.2.0 0.0.0.255 any
R2(config-ext-nacl)#exit

R2(config)#ip nat inside source list NAT-ACL interface ethernet 0/0 overload

R2(config)#interface ethernet 0/0
R2(config-if)#ip nat outside
R2(config-if)#exit
R2(config)#interface ethernet 0/1
R2(config-if)#ip nat inside
R2(config-if)#exit

Step 3:
Configure Phase 1 (ISAKMP). Phase 1 of the IPSEC operation establishes a secure communication channel for further data transmission. VPN peers exchange a shared secret key to authenticate each other and negotiate IKE security policies. The ISAKMP policy tells the peer which security parameters must be used in the VPN.

R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#hash md5
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#exit

R1(config)#crypto isakmp key secretkey address 200.0.25.1


R2(config)#crypto isakmp policy 1
R2(config-isakmp)#encryption 3des
R2(config-isakmp)#hash md5
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#group 2
R2(config-isakmp)#exit

R2(config)#crypto isakmp key secretkey address 100.0.25.1

Step 4:
Configure Phase 2 of IPSEC. After a secure tunnel is established in Phase 1, the next part of setting up the VPN is to negotiate the IPSEC security parameters that will be used to protect the data and messages within the tunnel. In this phase the following functions are performed:

  • Negotiation of IPSEC security parameters and IPSEC transform sets.
  • Establishment of IPSEC SAs.
  • Renegotiation of IPSEC SAs periodically to ensure security.

After configuring a transform set on both router peers, we need to configure the crypto map, which combines all Phase 2 IPSEC parameters. This crypto map is then attached to the VPN termination interface.

R1(config)#crypto ipsec transform-set TRSET esp-3des esp-md5-hmac
R1(cfg-crypto-trans)#exit

R1(config)#crypto map VPNMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R1(config-crypto-map)#set peer 200.0.25.1
R1(config-crypto-map)#set transform-set TRSET
R1(config-crypto-map)#match address VPN-ACL
R1(config-crypto-map)#exit
R1(config)#interface ethernet 0/0
R1(config-if)#crypto map VPNMAP
R1(config-if)#exit


R2(config)#crypto ipsec transform-set TRSET esp-3des esp-md5-hmac
R2(cfg-crypto-trans)#exit

R2(config)#crypto map VPNMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R2(config-crypto-map)#set peer 100.0.25.1
R2(config-crypto-map)#set transform-set TRSET
R2(config-crypto-map)#match address VPN-ACL
R2(config-crypto-map)#exit
R2(config)#interface ethernet 0/0
R2(config-if)#crypto map VPNMAP
R2(config-if)#exit
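A consistency check for Steps 1 to 4, as an added Python example that is not part of the original lab: it confirms that the two crypto ACLs mirror each other, that the NAT ACL denies the VPN flow before its permit can match, and lists the legacy algorithms the lab configures (3DES, MD5, DH group 2). The config text is constructed from the lab's commands, and the function names are this example's own.

```python
import ipaddress
import re


def lab_config(local, remote):
    """Constructed running-config text assembled from the lab's commands."""
    return f"""\
crypto isakmp policy 1
 encryption 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set TRSET esp-3des esp-md5-hmac
ip access-list extended VPN-ACL
 permit ip {local} 0.0.0.255 {remote} 0.0.0.255
ip access-list extended NAT-ACL
 deny ip {local} 0.0.0.255 {remote} 0.0.0.255
 permit ip {local} 0.0.0.255 any
"""


# Legacy settings the lab uses, as they appear in the config text.
LEGACY = {
    r"^ encryption 3des$": "IKE policy: 3DES encryption",
    r"^ hash md5$": "IKE policy: MD5 hash",
    r"^ group 2$": "IKE policy: DH group 2 (1024-bit)",
    r"\sesp-3des\b": "transform set: 3DES encryption",
    r"\sesp-md5-hmac\b": "transform set: HMAC-MD5 integrity",
}


def parse_acls(cfg):
    """Return {name: [(action, src_net, dst_net), ...]} for named extended ACLs."""
    acls, current = {}, None
    for line in cfg.splitlines():
        header = re.match(r"ip access-list extended (\S+)", line)
        if header:
            current = acls.setdefault(header.group(1), [])
        elif not line.startswith(" "):
            current = None                     # left ACL sub-mode
        elif current is not None:
            tok, nets = line.split(), []
            i = 2                              # skip "<action> ip"
            while len(nets) < 2:
                if tok[i] == "any":
                    nets.append(ipaddress.ip_network("0.0.0.0/0"))
                    i += 1
                else:                          # address + wildcard (host mask)
                    nets.append(ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"))
                    i += 2
            current.append((tok[0], nets[0], nets[1]))
    return acls


def first_match(acl, src, dst):
    """ACLs are first-match: return the action of the first covering entry."""
    for action, src_net, dst_net in acl:
        if src.subnet_of(src_net) and dst.subnet_of(dst_net):
            return action
    return "deny"                              # implicit deny at the end


def audit(local_cfg, peer_cfg):
    """Return a list of findings for one router, given its peer's config."""
    local, peer = parse_acls(local_cfg), parse_acls(peer_cfg)
    flows = [(s, d) for action, s, d in local["VPN-ACL"] if action == "permit"]
    mirror = [(d, s) for action, s, d in peer["VPN-ACL"] if action == "permit"]
    findings = []
    if sorted(flows) != sorted(mirror):
        findings.append("crypto ACLs on the two peers are not mirror images")
    for src, dst in flows:
        if first_match(local["NAT-ACL"], src, dst) != "deny":
            findings.append(f"NAT-ACL translates VPN flow {src} -> {dst}")
    findings += [msg for pat, msg in LEGACY.items() if re.search(pat, local_cfg, re.M)]
    return findings


if __name__ == "__main__":
    r1 = lab_config("192.168.1.0", "192.168.2.0")
    r2 = lab_config("192.168.2.0", "192.168.1.0")
    print("\n".join(audit(r1, r2)))
```

For the lab as written, the ACL checks pass and only the five legacy-algorithm findings are reported; where the IOS image supports them, AES with a SHA-2 hash and a larger DH group are the usual replacements.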

Step 5:
Verification of encrypted data transfer. The command “show crypto isakmp sa” can be used to verify whether a tunnel has been established.

**If by any chance the tunnel doesn’t seem to have formed, you can ping one of the host devices that belong to the peer, sourcing the ping from your internal network IP, in this case router R1 – 192.168.1.254. Sometimes it forces the tunnel to form when you specify using

To verify the data is being encrypted and decrypted successfully use the “show crypto ipsec sa” command.

Make sure you can successfully ping from one host in the internal network to another host on the peer’s internal network.

Doing a packet capture in Wireshark while pinging from a host to the peer’s host, and then pinging the ISP loopback 0 to simulate traffic out to the World Wide Web, shows how communication through the IPSEC tunnel differs from communication to an outside IP address on the web.

A packet captured from the ping from an inside host to one of the peer’s hosts will show an encrypted packet using the ESP (Encapsulating Security Payload) protocol.

In comparison, a normal ping to the loopback address is not protected by the IPSEC tunnel and is therefore in clear text.

RHCSA Lab

Red Hat Certified System Administrator is a systems administrator that has proven to have the sufficient knowledge to maintain and manage a Red Hat Linux enterprise environment. Since college, I have used Linux on and off. At work a few years back I was given the opportunity to take RHSA 1 and 2 courses. Each course is a week-long course of labs and direct instruction from a certified Red Hat instructor. I took the RHCSA 200 exam at the culmination of the Red Hat classes. I didn’t pass, but that’s OK. I always wanted to go back and study. So here is my chance for self-study. This will be an ongoing effort where I can test common tasks that are needed to pass the practical exam.

So as I complete each lab I will link back to this page. For the first lab, let’s get the three on the same network and talking with each other.

Task 1:
Configure the hostname on workstation1 using hostnamectl.

$ sudo hostnamectl set-hostname workstation1
$ hostnamectl

Task 2:
Configure the IP address, Gateway, DNS using nmcli. To list the currently active interfaces use the “nmcli connection” command.

2-a: Assign IPv4 address.

$ nmcli con mod ens3 ipv4.addresses 192.168.5.5/27

2-b: Set the gateway address.

$ nmcli con mod ens3 ipv4.gateway 192.168.5.1

2-c: Configure the DNS.

$ nmcli con mod ens3 ipv4.dns "8.8.8.8"

2-d: Set the interface as static.

$ nmcli con mod ens3 ipv4.method manual

2-e: Activate the network interface.

$ nmcli con up ens3 

Task 3:
Use ping to confirm the connection.

Now you can repeat the process with workstation2 and server VMs.

Lab: Configure SSH

Connecting via SSH is essential in today’s networks. Cisco devices are not able to use SSH automatically; it has to be enabled and configured. SSH (Secure Shell) is a secure method for remotely accessing network devices, as it includes both authentication and encryption. To configure SSH you will need an IOS image that supports crypto features.

This lab is a basic SSH configuration. I will be using an Ubuntu 18.04 image as a workstation to connect to the router.

When configuring SSH on a Cisco router, you will need to make sure the router has a host name. It will also need a domain name. An RSA key will need to be generated and a user will need to be created on the Cisco router. Finally, after SSH is enabled, you will need to configure the VTY lines to allow the connection.

Task 1:
Configure the host name on the router.

Router>
Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname BlueRtr
BlueRtr(config)#

Task 2:
Configure a domain name.

BlueRtr(config)#ip domain-name joelrivera.com.local

Task 3:
Generate an RSA key. I recommend 2048 or greater when configuring the modulus bits. Make sure you use SSH version 2.

BlueRtr(config)#crypto key generate rsa
The name for the keys will be: BlueRtr.joelrivera.com.local
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 5 seconds)

BlueRtr(config)#
*Apr  5 02:57:18.367: %SSH-5-ENABLED: SSH 1.99 has been enabled
BlueRtr(config)#ip ssh version 2

Task 4:
Create a user with a password and an enable password. Make sure you use your own password and that you follow your company’s security policies when creating a user account.

BlueRtr(config)#username admin secret $TrongP@$$word1234
BlueRtr(config)#enable secret cisco

Task 5:
Now that SSH is enabled we need to configure the VTY lines to allow the SSH connection through.

BlueRtr(config)#line vty 0 4
BlueRtr(config-line)#transport input ssh
BlueRtr(config-line)#login local
BlueRtr(config-line)#exit

Task 6:
Configure the IP address of the LAN connection of the router.

BlueRtr(config)#interface ethernet 0/0
BlueRtr(config-if)#ip address 192.168.14.62 255.255.255.192
BlueRtr(config-if)#no shutdown
BlueRtr(config-if)#end

Once the configuration is complete, we need to test. I am using an Ubuntu 18.04 image. In this lab the most important part is to configure the device to be on the same network. In reality, SSH will work when connecting from an outside network as long as the device has a route to the network device and is not blocked by an ACL or firewall.

To configure a static IP address in Ubuntu 18.04, we need to identify the name of the physical interface on the device. To find the name, type “ip addr”. Once it is identified (in my case it’s ens3), enter the following command to statically configure the IP address: “sudo ip addr add 192.168.14.25/26 dev ens3”. To configure the gateway, enter the following command: “sudo ip route add default via 192.168.14.62”.

Ping the gateway to confirm the device can ping the router.

Finally, let’s test the SSH connection by typing “ssh admin@192.168.14.62”. Type in the user’s password when requested, and the enable password as well. Congratulations, you have configured and connected to a router via SSH.

Lab: GRE Tunnel

Generic Routing Encapsulation (GRE) is a tunneling protocol. This protocol allows network layer protocols to be encapsulated inside other packets (packets inside packets). A tunnel allows a network that is separated across two different locations to be extended by creating a point-to-point connection between the two sites.

In this lab, we will build a simple GRE tunnel between two different sites. We are not going to encrypt the traffic, so this is a non-secure remote-location network.

Task 1:
Let’s start with the ISP router. Configure the host name of the router and both interfaces.

Router>enable
Router#configure terminal
Router(config)#hostname ISP
ISP(config)#interface ethernet 0/0
ISP(config-if)#ip address 199.100.25.38 255.255.255.252
ISP(config-if)#no shutdown
ISP(config-if)#exit
ISP(config)#
ISP(config)#interface ethernet 0/1
ISP(config-if)#ip address 199.100.25.25 255.255.255.252
ISP(config-if)#no shutdown
ISP(config-if)#exit
ISP(config)#
ISP(config)#end
ISP#

Task 2:
Configure the HQ router. Configure the host name and both its public IP interface and the loopback 0 interface.

Router>enable
Router#configure terminal
Router(config)#hostname HQ
HQ(config)#interface ethernet 0/0
HQ(config-if)#ip address 199.100.25.37 255.255.255.252
HQ(config-if)#no shutdown
HQ(config-if)#exit
HQ(config)#
HQ(config)#interface loopback 0
HQ(config-if)#ip address 172.16.1.1 255.255.255.255
HQ(config-if)#no shutdown
HQ(config-if)#end
HQ#

Task 3:
Configure the Branch router. Configure the host name and both its public IP interface and the loopback 0 interface.

Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname Branch
Branch(config)#interface ethernet 0/1
Branch(config-if)#ip address 199.100.25.26 255.255.255.252
Branch(config-if)#no shutdown
Branch(config-if)#exit
Branch(config)#interface loopback 0
Branch(config-if)#ip address 172.16.3.3 255.255.255.255
Branch(config-if)#no shutdown
Branch(config-if)#exit
Branch(config)#end
Branch#

Task 4:
In order for a tunnel to form, both the HQ router and the Branch router need to know how to reach each other’s public IP address. Add a static route on each router to the other’s public IP. After both static routes have been implemented, ping the Branch’s IP address from the HQ router.

Branch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Branch(config)#ip route 199.100.25.37 255.255.255.255 199.100.25.25
Branch(config)#end
Branch#


HQ#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
HQ(config)#ip route 199.100.25.26 255.255.255.255 199.100.25.38
HQ(config)#end
HQ#ping 199.100.25.26
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 199.100.25.26, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Task 5:
Now we can create the tunnel interface on the HQ router. The tunnel source shall be the physical interface towards the ISP. The destination will be the Branch router’s public IP address.

HQ#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
HQ(config)#interface tunnel 105
HQ(config-if)#tunnel source ethernet 0/0
HQ(config-if)#tunnel destination 199.100.25.26
HQ(config-if)#ip address 10.220.105.1 255.255.255.252
HQ(config-if)#end
HQ#

Task 6:
Create the tunnel interface on the Branch router. The tunnel source shall be the physical port that connects to the ISP. The destination will be the HQ router’s public IP address. Verify the connection after completion.

Branch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Branch(config)#interface tunnel 105
Branch(config-if)#tunnel source ethernet 0/1
Branch(config-if)#tunnel destination 199.100.25.37
Branch(config-if)#ip address 10.220.105.2 255.255.255.252
Branch(config-if)#exit
Branch(config)#exit
Branch#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES unset  administratively down down
Ethernet0/1                199.100.25.26   YES manual up                    up
Ethernet0/2                unassigned      YES unset  administratively down down
Ethernet0/3                unassigned      YES unset  administratively down down
Loopback0                  172.16.3.3      YES manual up                    up
Tunnel105                  10.220.105.2    YES manual up                    up
Branch#ping 10.220.105.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.220.105.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Branch#show interface tunnel 105
Tunnel105 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 10.220.105.2/30
  MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel linestate evaluation up
  Tunnel source 199.100.25.26 (Ethernet0/1), destination 199.100.25.37
   Tunnel Subblocks:
      src-track:
         Tunnel105 source tracking subblock associated with Ethernet0/1
          Set of tunnels with source Ethernet0/1, 1 member (includes iterators), on interface 
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255, Fast tunneling enabled
  Tunnel transport MTU 1476 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input 00:22:20, output 00:01:02, output hang never
  Last clearing of "show interface" counters 00:25:21
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     5 packets input, 620 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     14 packets output, 1304 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
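What the tunnel puts on the wire, as an added Python example that is not part of the original lab: it builds a ping from the Branch tunnel address to HQ's loopback, wraps it in basic GRE between the two public addresses, and then decodes it the way any device on the path can. The ICMP payload is constructed, and the 1500-byte link MTU used in the last line is an assumption.

```python
import socket
import struct

GRE = 47                      # IP protocol number carried in the outer header
ETHERTYPE_IPV4 = 0x0800       # GRE "protocol type" for an IPv4 passenger


def checksum(data):
    """Internet checksum (RFC 1071) used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options) in front of `payload`."""
    head = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       255, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return head[:10] + struct.pack("!H", checksum(head)) + head[12:] + payload


def icmp_echo(data):
    """ICMP echo request (type 8) with id 1, sequence 1."""
    body = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + data
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def gre_encapsulate(passenger, tunnel_src, tunnel_dst):
    """Basic GRE: 4-byte header with no checksum, key or sequence number,
    matching the 'Key disabled, sequencing disabled' tunnel shown above."""
    gre_header = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    return ipv4(tunnel_src, tunnel_dst, GRE, gre_header + passenger)


def observe(packet):
    """Decode the packet the way any device between HQ and Branch can."""
    outer_len = (packet[0] & 0x0F) * 4
    if packet[9] != GRE:
        raise ValueError("not a GRE packet")
    flags, ptype = struct.unpack("!HH", packet[outer_len:outer_len + 4])
    # Optional 4-byte fields: checksum (C), key (K), sequence number (S).
    gre_len = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    inner = packet[outer_len + gre_len:]
    inner_len = (inner[0] & 0x0F) * 4
    return {
        "outer": (socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])),
        "inner": (socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])),
        "passenger_is_ipv4": ptype == ETHERTYPE_IPV4,
        "overhead": outer_len + gre_len,
        "payload": inner[inner_len + 8:],      # bytes after the 8-byte ICMP header
    }


def lab_ping():
    """Branch pinging HQ's loopback across Tunnel105 (payload is constructed)."""
    ping = ipv4("10.220.105.2", "172.16.1.1", 1, icmp_echo(b"constructed-ping-data"))
    return gre_encapsulate(ping, "199.100.25.26", "199.100.25.37")


if __name__ == "__main__":
    seen = observe(lab_ping())
    print(seen, "tunnel MTU on a 1500-byte link:", 1500 - seen["overhead"])
```

The inner addresses and payload come back unchanged because GRE only adds headers, and the 24 bytes of overhead account for the 1476-byte tunnel transport MTU in the output above.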

Task 7:
Now let’s use a dynamic routing protocol; in this lab I am going to use EIGRP. With the routing protocol configured, the HQ router and the Branch router can learn about each other’s loopback address or, in another instance, the site’s LAN IP addresses. After the configuration, verify connectivity to the HQ’s loopback from the Branch router.

HQ#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
HQ(config)#router eigrp 1
HQ(config-router)#no auto-summary
HQ(config-router)#network 172.16.1.1 0.0.0.0
HQ(config-router)#network 10.220.105.0 0.0.0.3
HQ(config-router)#end
HQ#

Branch(config)#router eigrp 1
Branch(config-router)#no auto-summary
Branch(config-router)#network 172.16.3.3 0.0.0.0
Branch(config-router)#network 10.220.105.0 0.0.0.3
Branch(config-router)#end
Branch#

Branch#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Lab: Using NAT Overload (PAT) – Using EVE-NG connect to Internet

Unlike static NAT, PAT (Port Address Translation) allows internal IPs to be translated into one IP by using port numbers. This allows a network to support many hosts while conserving public IP addresses. The router keeps a NAT table entry for every unique combination of private IP address and port, with a translation to the global address and a unique port number.
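A simplified model of the translation table described above, as an added Python example that is not part of the original lab and does not reproduce IOS's exact port-selection logic. The inside network is the one the lab's access-list 10 permits; the global address is a placeholder, because the lab's outside address comes from DHCP.

```python
import ipaddress

INSIDE = ipaddress.ip_network("192.168.113.0/24")   # matched by access-list 10
GLOBAL_IP = "203.0.113.10"    # placeholder: the lab's outside address is DHCP-assigned


class PatTable:
    """Simplified NAT overload table keyed on protocol, address and port."""

    def __init__(self, global_ip):
        self.global_ip = global_ip
        self.outbound = {}    # (proto, inside ip, inside port) -> global port
        self.inbound = {}     # (proto, global port) -> (inside ip, inside port)

    def translate_out(self, proto, src_ip, src_port):
        """Return the (global ip, global port) a packet leaves with, or None
        when the source is not permitted by the NAT access list."""
        if ipaddress.ip_address(src_ip) not in INSIDE:
            return None
        key = (proto, src_ip, src_port)
        if key not in self.outbound:
            port = src_port                       # keep the port when it is free
            while (proto, port) in self.inbound:  # otherwise take the next free one
                port = port + 1 if port < 65535 else 1024
            self.outbound[key] = port
            self.inbound[(proto, port)] = (src_ip, src_port)
        return self.global_ip, self.outbound[key]

    def translate_in(self, proto, dst_port):
        """Map return traffic back to the inside host; None means no entry."""
        return self.inbound.get((proto, dst_port))


if __name__ == "__main__":
    nat = PatTable(GLOBAL_IP)
    # Two inside hosts that happen to pick the same source port.
    print(nat.translate_out("udp", "192.168.113.1", 5000))
    print(nat.translate_out("udp", "192.168.113.2", 5000))
    print(nat.translate_in("udp", 5001))   # reply for the second host
    print(nat.translate_in("udp", 6000))   # unsolicited: no table entry
```

Inbound packets are only mapped when an outbound flow has already created the entry, which is why unsolicited traffic to the global address finds nothing to translate to.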

This lab is divided into two parts. The first is connecting a Cisco router to the NAT network, which allows a connection to the outside (Internet). The second is using NAT overload, also known as PAT, to connect multiple devices from your LAN to an outside IP.

Part 1:
This part is related to EVE-NG. To test the connection of the router with multiple hosts, we first want to create a connection to the internet. This allows a more realistic lab, as this is how a Cisco router will usually connect to an internet connection.

1-A: Once you are in the lab screen, right-click to add a new object and select network.

1-B: In the drop-down menu, select the NAT option and then click on the save button.

1-C: Add a new object (Node), a Cisco router. Link the router to the network connection that was previously created.

1-D: Once the router powers up, enter global configuration mode. Change the host name of the router. Then enter interface configuration mode for the port that is connected to the network object you created. Once in interface configuration mode, set the IP address to be assigned by DHCP.

Router>enable
Router# configure terminal
Router(config)#hostname R1
R1(config)#interface ethernet 0/0
R1(config-if)#ip address dhcp

1-E: After an IP address has been assigned by the DHCP server, exit configuration mode and ping 8.8.8.8, which is Google’s DNS server address. If the ping is successful, enter global configuration mode again and add a DNS server IP. You can use your network’s own DNS or add 8.8.8.8 by typing ‘ip name-server 8.8.8.8’. Exit global configuration mode and ping using a URL (Uniform Resource Locator). If successful, you are ready to proceed to the lab.

R1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 11/13/18 ms
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip name-server 8.8.8.8
R1(config)#exit
R1#ping www.joelrivera.com
Translating "www.joelrivera.com"...domain server (8.8.8.8) [OK]

Translating "www.joelrivera.com"...domain server (8.8.8.8) [OK]

Translating "www.joelrivera.com"...domain server (8.8.8.8) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 155.138.209.62, timeout is 2 seconds:
!!!!!

Now to the lab

Subnet IP        Mask             Gateway
192.168.113.0    255.255.255.0    192.168.113.254

Task 1: Configure the LAN connection.

R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#interface ethernet 0/1
R1(config-if)#ip address 192.168.113.254 255.255.255.0
R1(config-if)# no shutdown

Task 2: Define the inside and outside interfaces on R1.

R1(config)#interface ethernet 0/1
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#interface ethernet 0/0
R1(config-if)#ip nat outside
R1(config-if)#exit

Task 3: Define the access list that includes the IP addresses from the inside interface.

R1(config)#access-list 10 permit 192.168.113.0 0.0.0.255

Task 4: Enable NAT and refer to the ACL created in the previous step and the outside interface.

R1(config)#ip nat inside source list 10 interface Ethernet0/0 overload

Task 5: Assign an IP address to the virtual PC. Ping Google’s DNS IP address.

VPCS> ip 192.168.113.1 /24 192.168.113.254

VPCS> ping 8.8.8.8

84 bytes from 8.8.8.8 icmp_seq=1 ttl=51 time=20.990 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=51 time=16.394 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=51 time=16.834 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=51 time=13.980 ms
84 bytes from 8.8.8.8 icmp_seq=5 ttl=51 time=13.271 ms

Task 6: Assign a DNS server to the PC, and ping a web URL.

VPCS> ip dns 8.8.8.8

VPCS> ping www.yahoo.com
www.yahoo.com resolved to atsv2-fp-shed.wg1.b.yahoo.com(98.138.219.231)

84 bytes from 98.138.219.231 icmp_seq=1 ttl=50 time=41.102 ms
84 bytes from 98.138.219.231 icmp_seq=2 ttl=50 time=45.928 ms
84 bytes from 98.138.219.231 icmp_seq=3 ttl=50 time=39.901 ms
84 bytes from 98.138.219.231 icmp_seq=4 ttl=50 time=41.942 ms
84 bytes from 98.138.219.231 icmp_seq=5 ttl=50 time=46.653 ms