baptism by fire approach

The Prize Is Lobster Member Posts: 71
To put it bluntly, my learning style is that of a 6-year-old badly in need of Ritalin. I can read books fine, but I bounce from subject to subject a lot and I retain things better that way. I'm planning on taking the CCNA at the end of Aug/early Sept... so I really need to get down to it.


Now, being that a lot of the labs I have encountered are laid out too cut and dried to really retain the knowledge... I thought of a novel idea which I encourage others to participate in.


Toss out a basic design for a network... can be something more on the complex side but within the realm of what would be encountered on the CCNA. Just give the rundown of "here's what it should include" and I'll set it up. For me, I tend to learn by doing rather than reading and doing... and at work, for example, I excel in slightly higher-pressure situations. I figure this way, if there are others who learn in the same vein, they can also walk through the steps, review what's necessary when doing so with few instructions on how-tos, and go from there to really make things click.

My only limitation is I am using Netsim, and I think some of the commands are flaky.

Comments

  • mikearama Member Posts: 749
    Okay... I'll give this a go for ya.

    Your operation has three locations... head office in Pittsburg, satellites in Miami and Texas. Internet only through Pittsburg. Texas and Miami are not directly connected. A router in each location to connect to Pittsburg.

    Pittsburg uses the 10.10.125.0 /24 network
    Miami uses 10.10.151.0 /24 network
    Texas uses 10.10.188.0 /24 network

    All inter-site connections are serial, using "properly" designed (read, /30) subnets in any subnet of your choice (assume all of 10.10.x.x is available to you).

    Secure the routers. Post message at logon scaring away potential hackers and general ne'er-do-wells. Secure all vty and console lines on all routers. Do not allow passwords to be visible.

    Use ospf as your routing protocol.

    Create an access list allowing Miami to ping resources in Texas, but not vice versa. Also, there is a management server in Pittsburg (say, 10.10.125.244) that the admin, when he's travelling, should be able to access, from a specific IP address in each location (say, 10.10.151.21, and 10.10.188.42). He'll use a web interface. No one else from any IP should be able to access that resource using a web interface, though they may need to access the server using other protocols.

    Setup Pittsburg this way: the router (say, Pitt1) above that connects to the corp network will also connect to an internet router (call it Pitt2). You can put a switch in between them, if you like. Make the internet router's IP the default gateway for the network. Set up NAT to an outside IP of your choice, wherein all internal users from all sites will share a single public IP address.

    Lastly, if you're feeling really adventurous, pick either Miami or Texas and set up a switch next to it. Create a few Vlans, and set up the trunk to the router. Disable vlan 1, making vlan 99 the native vlan.

    That covers router setup, routing, access lists, NAT/PAT, and vlan setup.

    Bro, you do that, and there isn't a sim on the exam that will stump you. Let's see your configs.
    There are only 10 kinds of people... those who understand binary, and those that don't.

    CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110

    Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
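A caveat on the "do not allow passwords to be visible" item in the spec above: the IOS command that satisfies it in a CCNA lab, `service password-encryption`, turns line and enable passwords into `password 7` strings, and type 7 is reversible obfuscation (a fixed-key XOR), not encryption. The script below is an added example, not something posted in this thread; it implements the type 7 scheme in both directions and scans a config for lines it can recover. The sample config it scans is constructed here, and the hostname, plaintexts and seeds in it are made up.

```python
"""Cisco IOS 'type 7' passwords are obfuscated, not encrypted.

Added example, not from this thread. 'service password-encryption' turns
'password intro' into 'password 7 <2-digit seed><hex>'; each plaintext byte
is XORed with a byte of a fixed, publicly known key starting at the seed.
"""
import re

# The constant 53-byte key IOS uses for every type 7 string.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Matches 'password 7 <hex>' on line, username and 'enable password' lines.
TYPE7_LINE = re.compile(r"password\s+7\s+([0-9A-Fa-f]+)\b")


def type7_decode(encoded: str) -> str:
    """Recover the plaintext from the value after 'password 7'."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("expected a 2-digit seed followed by an even number of hex digits")
    seed = int(encoded[:2], 10)
    if seed >= len(TYPE7_KEY):
        raise ValueError("seed out of range")
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plaintext: str, seed: int = 0) -> str:
    """Produce the string IOS would store; seed is the key offset (IOS picks 0-15)."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS seeds are 0-15")
    data = plaintext.encode("ascii")
    out = bytes(c ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, c in enumerate(data))
    return f"{seed:02d}{out.hex().upper()}"


def find_reversible_passwords(config_text: str):
    """Scan a running-config; return [(line_number, plaintext), ...] for each type 7 value.

    'enable secret 5 $1$...' lines are deliberately not matched: type 5 is a
    salted MD5 hash and cannot be reversed the way type 7 can.
    """
    found = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = TYPE7_LINE.search(line)
        if m:
            found.append((lineno, type7_decode(m.group(1))))
    return found


# Constructed sample in the shape of the configs posted in this thread; the
# type 7 values are generated here rather than copied from anyone's post.
SAMPLE_CONFIG = "\n".join([
    "hostname Lab1",
    "enable secret 5 $1$zzzz$thisisnotarealhash000000",
    "line con 0",
    f" password 7 {type7_encode('console-only', seed=3)}",
    " login",
    "line vty 0 4",
    f" password 7 {type7_encode('vty-only', seed=11)}",
    " login",
])

if __name__ == "__main__":
    for lineno, plaintext in find_reversible_passwords(SAMPLE_CONFIG):
        print(f"line {lineno}: type 7 password recovers to {plaintext!r}")
```

Running it over any `show running-config` output with `password 7` lines gives the plaintexts back in milliseconds, so treat a saved config or a TFTP backup as if it held the passwords in clear. The `enable secret` (type 5, `$1$...`) is the only credential in such a config that does not fall to this; for the console and vty lines the practical fix is `login local` with `username ... secret`, or AAA, rather than a "stronger" type 7.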
  • The Prize Is Lobster Member Posts: 71
    That's what I'm talkin' about ;)


    I'll stumble thru this later.
  • wait2dominate Member Posts: 74
    *Copies the writeup into a text file to play with when I get home/to school for a lab for me to do:)

    Any type of password authentication on the OSPF links or no?
    Brake lights are a sign your car doesn't handle well enough.

    CCNP or MCSE is next to come.
  • The Prize Is Lobster Member Posts: 71
    ^ See, that's what I mean... the more ideas thrown out there for testing, the more everyone benefits.
  • mikearama Member Posts: 749
    Naw, no passwords required. That's into BSCI detail anyway. Just default stuff, Area 0, process number of your choice.

    This could get really interesting, Lobster.

    Mike
  • Stotic Member Posts: 248
    Did you just create that lab off the top of your head?
  • mikearama Member Posts: 749
    Yep, just started typing... adding more... going back and adding names/IP's. Try it... it'll come to ya.
  • The Prize Is Lobster Member Posts: 71
    The Miami and Texas routers are connected to Pittsburg through serial or ISDN or what?
  • markzab Member Posts: 619
    The Miami and Texas routers are connected to Pittsburg through serial or ISDN or what?

    "All inter-site connections are serial, using "properly" designed (read, /30) subnets in any subnet of your choice (assume all of 10.10.x.x is available to you). "

    I think he was suggesting serial connections with the use of address conservation via VLSMs (/30) for the WAN links.
    "You, me, or nobody is gonna hit as hard as life. But it ain't how hard you hit; it's about how hard you can get hit, and keep moving forward. How much you can take, and keep moving forward. That's how winning is done!" - Rocky
  • The Prize Is Lobster Member Posts: 71
    Heh. I probably shoulda read a little closer.
  • mikearama Member Posts: 749
    Pittsburg, Philly... sure, same thing.

    Great question... let's not get carried away, so just set up standard serial connections, and we'll pretend they're FR or something.

    If you want, set up PPP... authentication CHAP.

    If you're really gutsy, simulate Frame Relay. Stick with cisco defaults for LMI and FR encaps, using point - point on each line.
  • The Prize Is Lobster Member Posts: 71
    mikearama wrote:
    Setup Pittsburg this way: the router (say, Pitt1)above that connects to the corp network will also connect to an internet router (call it Pitt2). You can put a switch inbetween them, if you like. Make the internet router's IP the default gateway for the network.

    Alright so... the corp network will use the internet router's IP for its default gateway?
  • mikearama Member Posts: 749
    Ah, here's where it gets interesting. The entire network will use the internet router for internet access, so you'll need a default network pointing at this router throughout the network.

    BUT, traffic from Pittsburg will also have to travel to the other two sites, and vice versa, so you need to think about shaping traffic to decide between your satellites, and the internet. Any ideas?
  • The Prize Is Lobster Member Posts: 71
    So essentially a separate subnet or network for the internet traffic on Miami, Pittsburg, and TX, all pointing to Pitt2 as their default gateway, advertised on all networks... default route maybe?
  • mikearama Member Posts: 749
    It's easy to put default gateways on the Miami and Texas routers pointing at the Pittsburgh router, but think about the Pittsburgh traffic. Which router do you want the Pitts clients using?

    If you select Pitts1, then Pitts1 needs to know about Miami and Texas (which OSPF will handle), and a default gateway can point to Pitts2 for unknown stuff... on to the internet.

    Or, you can select Pitts2 as the clients' gateway, in which case either OSPF will know the way (assuming you include this router in your ospf config), or, my preference, use static routes to point the way, i.e.,

    ip route 10.10.151.0 255.255.255.0 10.10.125.1
    ip route 10.10.188.0 255.255.255.0 10.10.125.1

    Now Pitts1 receives all satellite traffic, and can forward appropriately, while Pitts2 gets and keeps and NATs internet traffic.

    Regardless, put default routes to Pitts2 on everything, and you can't go wrong (as long as satellite traffic gets to Pittsburg in the first place).

    Damn, I'm long winded.
  • The Prize Is Lobster Member Posts: 71
    Racking my brain on this so far. It's good though... forces me to look at things less streamlined.
  • NeonNoodle Member Posts: 92
    mikearama,

    Thanks for providing a network to configure. Most of the configuration was simple, but I have never done NAT on a router, so I'm still having trouble with it. Also, I had never changed native VLANs, so that was good practice, but I did have a little trouble with it because I initially forgot to configure the router for the changed native VLAN.
    One question though for anyone: When I was setting up the ACL to prevent Texas from pinging Miami, I had the following config:

    Texas
    interface ethernet0
    ip address 10.10.188.1 255.255.255.0
    ip access-group 101 in


    access-list 101 permit icmp 10.10.188.0 0.0.0.255 10.10.151.0 0.0.0.255 echo-reply
    access-list 101 deny icmp 10.10.188.0 0.0.0.255 10.10.151.0 0.0.0.255 echo
    access-list 101 permit ip any any

    Anyway, if I do an extended ping from Texas's e0 interface (10.10.188.1) to the Miami LAN (say, 10.10.151.1), the ping is successful. However if I ping from my PC (10.10.188.42) on the Texas LAN, the ACL is blocking it because when I put the ACL on I can't ping and when I remove it I can ping. So, is it typical that when testing from the interface the ACL is configured on that the ACL doesn't process it?

    I'm sure I'll finish the configuration tonight when I get home from work. Again, thanks a whole bunch mikearama. This has been a big help!
    I recognize the lion by his paw.
    --Jacob Bernoulli
  • The Prize Is Lobster Member Posts: 71
    ACLs can't filter traffic generated from the router. I noticed the same.
  • NeonNoodle Member Posts: 92
    ACLs can't filter traffic generated from the router. I noticed the same.

    I'm glad you've noticed that, too. I thought I was going nuts. I spent way too much time on that part racking my brains on why my extended pings were working. I should've gone to my PC right away and gotten a second opinion.
    I just can't wait to get home from work and finish it up. It's a lot of fun!
    I forgot to thank you, previously, The Prize Is Lobster, for starting this thread. Thanks mate!
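The behaviour both posters ran into has a simple cause: `ip access-group 101 in` is consulted only for packets that arrive on that interface, and a router's own extended ping is generated internally, so it never goes through the inbound check (IOS likewise exempts router-originated traffic from outbound lists). The model below is an added example, not code posted in the thread. It parses the subset of extended-ACL syntax used here, evaluates it first-match with the implicit deny at the end, and returns "not-evaluated" for locally generated packets. It also carries an ACL for the management-server requirement in the lab spec (web access to 10.10.125.244 only from 10.10.151.21 and 10.10.188.42, other protocols unrestricted); that list, and its number 110, is our rendering of the spec rather than a posted config.

```python
"""First-match evaluation of IOS extended ACLs, including why a router's own
ping is not filtered by an inbound ACL. Added example, not code from the thread."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumption: only the syntax used in this thread is parsed
# (host / any / network+wildcard, icmp echo and echo-reply, tcp eq <port|name>).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "telnet": 23}


@dataclass(frozen=True)
class Packet:
    proto: str                       # "icmp", "tcp" or "udp"
    src: str
    dst: str
    dport: Optional[int] = None      # TCP/UDP destination port
    icmp_type: Optional[str] = None  # "echo" or "echo-reply"
    locally_generated: bool = False  # True for the router's own extended ping


@dataclass(frozen=True)
class Rule:
    action: str        # "permit" or "deny"
    proto: str         # "ip" matches every protocol
    src: tuple         # (network, wildcard)
    dst: tuple
    qualifier: tuple   # (), ("echo",), ("echo-reply",) or ("eq", "www")


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is don't-care."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def _parse_addr(tok, i):
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def parse_acl(config_lines, number: str):
    """Collect 'access-list <number> ...' lines, in order, as Rule objects."""
    rules = []
    for line in config_lines:
        tok = line.split()
        if tok[:2] != ["access-list", number]:
            continue
        src, i = _parse_addr(tok, 4)
        dst, i = _parse_addr(tok, i)
        rules.append(Rule(tok[2], tok[3], src, dst, tuple(tok[i:])))
    return rules


def _qualifier_matches(rule: Rule, pkt: Packet) -> bool:
    q = rule.qualifier
    if not q:
        return True
    if q[0] in ("echo", "echo-reply"):
        return pkt.icmp_type == q[0]
    if q[0] == "eq":
        return pkt.dport == (int(q[1]) if q[1].isdigit() else PORT_NAMES[q[1]])
    raise NotImplementedError(f"qualifier {q} is not modelled")


def evaluate(rules, pkt: Packet) -> str:
    """First matching rule wins; no match at all ends in the implicit deny."""
    for r in rules:
        if r.proto not in ("ip", pkt.proto):
            continue
        if (wildcard_match(pkt.src, *r.src) and wildcard_match(pkt.dst, *r.dst)
                and _qualifier_matches(r, pkt)):
            return r.action
    return "deny"


def inbound_interface_acl(rules, pkt: Packet) -> str:
    """Effect of 'ip access-group <n> in' on the LAN interface for pkt.
    A packet the router sources itself was never *received* on the interface,
    so the inbound list is not consulted; only transit traffic is filtered."""
    if pkt.locally_generated:
        return "not-evaluated"
    return evaluate(rules, pkt)


# ACL 101 exactly as posted for the Texas router.
TEXAS_ACL = parse_acl("""
access-list 101 permit icmp 10.10.188.0 0.0.0.255 10.10.151.0 0.0.0.255 echo-reply
access-list 101 deny icmp 10.10.188.0 0.0.0.255 10.10.151.0 0.0.0.255 echo
access-list 101 permit ip any any
""".splitlines(), "101")

# Our rendering of the management-server requirement from the lab spec
# (to be applied 'out' on the Pittsburgh LAN interface); number 110 is assumed.
MGMT_ACL = parse_acl("""
access-list 110 permit tcp host 10.10.151.21 host 10.10.125.244 eq www
access-list 110 permit tcp host 10.10.188.42 host 10.10.125.244 eq www
access-list 110 deny tcp any host 10.10.125.244 eq www
access-list 110 permit ip any any
""".splitlines(), "110")
```

Calling `inbound_interface_acl(TEXAS_ACL, Packet("icmp", "10.10.188.42", "10.10.151.21", icmp_type="echo"))` returns "deny", while the same packet with `locally_generated=True` and the router's 10.10.188.1 as source returns "not-evaluated", which is exactly the difference between the PC ping and the extended ping. Order is what makes the Texas list work: the deny of echo sits before `permit ip any any`, so reversing the lines silently permits the ping. Note also that `deny tcp any host 10.10.125.244 eq www` covers port 80 only; if the management interface also listens on 443, it needs a matching `eq 443` line.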
  • The Prize Is Lobster Member Posts: 71
    Part of the problem with a lot of the "read the book, do this, do that" approach is it is just so cut and dried that challenges like this don't really come up, so it's nice.


    Initially it kind of frustrated me because it feels like I have a LOT of base work to cover in the next 5 weeks, but some of it is just making the connection on previously learned things. The study on ACLs I just finished recently and haven't had much of a chance to go through it.


    With the Boson Netsim, the service password encryption command is not available, so I cant run that to encrypt all passwords.

    I set up the network a bit different than referenced. Pitt1 I set to 10.10.125.0 ethernet network and Pitt2 I set to 10.10.126.0 with a default route on all routers pointed towards 10.10.126.1


    for whatever reason, the switch between the two routers simply would not allow me to ping one another, so I just did a serial connection between Pitt1 and Pitt2.
  • NeonNoodle Member Posts: 92
    Here are my configs in the following order:

    Pittsburgh1
    Pittsburgh2
    Texas
    Miami
    PTM_Switch
    Miami_Switch


    !
    version 12.2
    service config
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname Pittsburgh1
    !
    enable secret 5 $1$zMRg$QmtP1PhrOiErrKJoKO3Fp1
    !
    ip subnet-zero
    !
    !
    !
    !
    interface Ethernet0
    description Pittsburgh LAN
    ip address 10.10.125.1 255.255.255.0
    ip access-group 101 out
    !
    interface Serial0
    description serial link to Texas
    ip address 10.10.1.1 255.255.255.252
    clock rate 64000
    !
    interface Serial1
    description serial link to Miami
    ip address 10.10.1.5 255.255.255.252
    clock rate 64000
    !
    interface BRI0
    no ip address
    shutdown
    !
    router ospf 1
    log-adjacency-changes
    network 10.10.1.0 0.0.0.3 area 0
    network 10.10.1.4 0.0.0.3 area 0
    network 10.10.125.0 0.0.0.255 area 1
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 10.10.125.2
    ip http server
    ip pim bidir-enable
    !
    access-list 101 permit tcp host 10.10.151.21 host 10.10.125.244 eq www
    access-list 101 permit tcp host 10.10.188.42 host 10.10.125.244 eq www
    access-list 101 deny tcp any host 10.10.125.244 eq www
    access-list 101 permit ip any any
    !
    banner motd
    Unauthorized access will result in a call home and a spanking from your mother! Got that?

    !
    line con 0
    password 7 151B05181625
    logging synchronous
    line aux 0
    line vty 0 4
    password 7 07062F585C06
    login
    !
    end



    !
    version 12.2
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname Pittsburgh2
    !
    enable secret 5 $1$e09w$fJiuVJsLgt2QMH5q2AG4D1
    !
    ip subnet-zero
    no ip domain-lookup
    !
    !
    !
    !
    interface Loopback0
    description Going to the show
    no ip address
    ip nat outside
    shutdown
    !
    interface Loopback1
    no ip address
    shutdown
    !
    interface Ethernet0
    description Pittsburgh LAN
    ip address 10.10.125.2 255.255.255.0
    ip nat inside
    !
    interface Serial0
    ip address 192.168.2.1 255.255.255.0
    ip nat outside
    no fair-queue
    clock rate 64000
    !
    interface Serial1
    no ip address
    shutdown
    !
    interface BRI0
    no ip address
    shutdown
    !
    router ospf 1
    log-adjacency-changes
    network 10.10.125.0 0.0.0.255 area 1
    !
    ip nat pool in2out 10.10.125.129 10.10.125.254 netmask 255.255.255.0
    ip nat inside source list 1 pool in2out overload
    ip classless
    ip http server
    ip pim bidir-enable
    !
    access-list 1 permit 10.10.151.0 0.0.0.255
    access-list 1 permit 10.10.188.0 0.0.0.255
    !
    banner motd
    Unauthorized access will result in a call home and a spanking from your mother! Got that?

    !
    line con 0
    password 7 0828425A1B16
    logging synchronous
    line aux 0
    line vty 0 4
    password 7 130C19061903
    login
    !
    end


    !
    version 12.2
    service config
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname Texas
    !
    enable secret 5 $1$vi08$xfDPTBn1hy2Wy2Fw5GGp2.
    !
    ip subnet-zero
    no ip domain-lookup
    !
    !
    !
    !
    interface Ethernet0
    description Texas LAN
    ip address 10.10.188.1 255.255.255.0
    ip access-group 101 in
    !
    interface Ethernet1
    no ip address
    shutdown
    !
    interface Serial0
    description serial link to Pittsburgh
    ip address 10.10.1.2 255.255.255.252
    !
    interface Serial1
    ip address 192.168.2.2 255.255.255.0
    !
    router ospf 1
    log-adjacency-changes
    network 10.10.1.0 0.0.0.3 area 0
    network 10.10.188.0 0.0.0.255 area 2
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 10.10.1.1
    ip http server
    ip pim bidir-enable
    !
    access-list 101 permit icmp 10.10.188.0 0.0.0.255 10.10.151.0 0.0.0.255 echo-reply
    access-list 101 deny icmp 10.10.188.0 0.0.0.255 10.10.151.0 0.0.0.255 echo
    access-list 101 permit ip any any
    !
    banner motd
    Unauthorized access will result in a call home and a spanking from your mother! Got that?

    !
    line con 0
    password 7 011A08104904
    logging synchronous
    line aux 0
    line vty 0 4
    password 7 000D1D121654
    login
    !
    end


    !
    version 12.4
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname Miami
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$3deb$l7c0kH7sU7pjnhjn6cDun0
    !
    no aaa new-model
    ip cef
    !
    !
    !
    !
    no ip domain lookup
    !
    !
    !
    !
    !
    !
    !
    interface FastEthernet0/0
    description Miami LAN
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet0/0.17
    encapsulation dot1Q 17
    ip address 10.10.17.1 255.255.255.0
    !
    interface FastEthernet0/0.18
    encapsulation dot1Q 18
    ip address 10.10.18.1 255.255.255.0
    !
    interface FastEthernet0/0.19
    encapsulation dot1Q 19
    ip address 10.10.19.1 255.255.255.0
    !
    interface FastEthernet0/0.99
    encapsulation dot1Q 99 native
    ip address 10.10.151.1 255.255.255.0
    !
    interface Serial1/0
    no ip address
    shutdown
    !
    interface Serial1/1
    description serial link to Pittsburgh
    ip address 10.10.1.6 255.255.255.252
    !
    interface Serial1/2
    no ip address
    shutdown
    !
    interface Serial1/3
    no ip address
    shutdown
    !
    router ospf 1
    log-adjacency-changes
    network 10.10.1.4 0.0.0.3 area 0
    network 10.10.16.0 0.0.15.255 area 3
    network 10.10.151.0 0.0.0.255 area 3
    !
    ip route 0.0.0.0 0.0.0.0 Serial1/1
    !
    ip http server
    no ip http secure-server
    !
    !
    control-plane
    !
    banner motd
    Unauthorized access will result in a call home and a spanking from your mother! Got that?

    !
    line con 0
    password 7 12100B030004
    logging synchronous
    line aux 0
    line vty 0 4
    password 7 020F0A4F1909
    login
    !
    !
    end


    !
    version 12.1
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname PTM_switch
    !
    enable secret 5 $1$pAvl$/XJBBL8B.4M0jxojagj8S1
    !
    ip subnet-zero
    !
    ip ssh time-out 120
    ip ssh authentication-retries 3
    !
    !
    spanning-tree mode pvst
    no spanning-tree optimize bpdu transmission
    spanning-tree extend system-id
    spanning-tree vlan 1 priority 40960
    !
    !
    !
    !
    interface FastEthernet0/1
    switchport mode trunk
    !
    interface FastEthernet0/2
    switchport access vlan 3
    switchport mode access
    !
    interface FastEthernet0/3
    switchport access vlan 2
    switchport mode access
    spanning-tree portfast
    !
    interface FastEthernet0/4
    switchport mode access
    !
    interface FastEthernet0/5
    switchport access vlan 10
    switchport mode access
    !
    interface FastEthernet0/6
    switchport mode access
    spanning-tree portfast
    !
    interface FastEthernet0/7
    switchport mode access
    !
    interface FastEthernet0/8
    switchport mode access
    !
    interface FastEthernet0/9
    switchport access vlan 2
    switchport mode access
    spanning-tree portfast
    !
    interface FastEthernet0/10
    switchport access vlan 2
    switchport mode access
    !
    interface FastEthernet0/11
    switchport access vlan 3
    switchport mode access
    !
    interface FastEthernet0/12
    switchport access vlan 3
    switchport mode access
    !
    interface Vlan1
    ip address 10.10.125.6 255.255.255.0
    no ip route-cache
    !
    interface Vlan2
    no ip address
    no ip route-cache
    shutdown
    !
    ip default-gateway 10.10.125.1
    ip http server
    banner motd
    Unauthorized access will result in a call home and a spanking from your mother! Got that?

    !
    line con 0
    password 7 011A08104904
    logging synchronous
    login
    line vty 0 4
    password 7 011A08104904
    login
    line vty 5 15
    password 7 1047070D1718
    login
    !
    !
    end


    !
    version 12.1
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname Miami_Switch
    !
    enable secret 5 $1$G02L$SuKv0y8IFHludCZArDFG51
    !
    ip subnet-zero
    !
    no ip domain-lookup
    ip ssh time-out 120
    ip ssh authentication-retries 3
    !
    spanning-tree mode pvst
    no spanning-tree optimize bpdu transmission
    spanning-tree extend system-id
    !
    !
    !
    !
    interface FastEthernet0/1
    !
    interface FastEthernet0/2
    switchport access vlan 2
    switchport mode access
    !
    interface FastEthernet0/3
    switchport access vlan 3
    switchport mode access
    !
    interface FastEthernet0/4
    !
    interface FastEthernet0/5
    !
    interface FastEthernet0/6
    !
    interface FastEthernet0/7
    !
    interface FastEthernet0/8
    !
    interface FastEthernet0/9
    !
    interface FastEthernet0/10
    !
    interface FastEthernet0/11
    switchport access vlan 99
    spanning-tree portfast
    !
    interface FastEthernet0/12
    switchport access vlan 99
    switchport trunk native vlan 99
    switchport mode trunk
    !
    interface Vlan1
    no ip address
    no ip route-cache
    shutdown
    !
    interface Vlan99
    ip address 10.10.151.6 255.255.255.0
    no ip route-cache
    !
    ip default-gateway 10.10.151.1
    ip http server
    banner motd
    Unauthorized access will result in a call home and a spanking from your mother! Got that?

    !
    line con 0
    password 7 030D551F1400
    logging synchronous
    login
    line vty 0 4
    password 7 030D551F1400
    login
    line vty 5 15
    password 7 0945401D0B0A
    login
    !
    !
    end
  • mikearama Member Posts: 749
    Damn bro, nice work. And fast.

    Just had time to give it a quick once-over, and a few things jumped out, the first two having to do with your NAT'ing:

    1) Your line...
    ip nat pool in2out 10.10.125.129 10.10.125.254 netmask 255.255.255.0

    This creates a pool of internal IP's that are now going to be seen publicly... not what we want. If I read correctly, you're using your Serial0 connection (ip address 192.168.2.1) to simulate your outside (public) interface, so this is the IP that should find its way into your pool command.

    2) Your access list (list 1) for NAT'ting doesn't include the 125.x network, so no one from the 125 range will be able to get out to the internet.

    If I read it correctly, no host from the 125 can even get natted to an ip in the 125 range, based on the above.

    Next, f0/1 on the PTM_switch is set to trunk. What's at the other end of that trunk? Doesn't it require some config?

    Lastly, on the Miami switch... so close. But this isn't possible:

    interface FastEthernet0/12
    switchport access vlan 99
    switchport trunk native vlan 99
    switchport mode trunk

    The "access" command and the "mode trunk" command are exclusive. How could you rework that?

    And you did such a nice job of setting up vlans 17, 18, 19 on the Miami router, sub-ints and all, but then didn't take advantage of them on the Miami switch. You really should.

    Again, nice work.

    Mike
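To make the two NAT points above concrete, here is a small model of what `ip nat inside source list 1 pool in2out overload` does with a packet. This is an added example, not part of the thread; the translator, its port allocation and the two configurations it compares are ours. With the posted pool (10.10.125.129-254) a translated packet still leaves with a private source address, and because list 1 never matches 10.10.125.0/24 a Pittsburgh host is not translated at all. The corrected version permits all three LANs and uses the Serial0 address 192.168.2.1 (the lab's stand-in for a public address) as the single global address, which is what either a one-address pool or `ip nat inside source list 1 interface Serial0 overload` gives you.

```python
"""PAT ('overload') behaviour of 'ip nat inside source list <acl> pool <pool> overload'.

Added example, not from the thread. It reproduces the two problems flagged in
the review above (a pool made of inside addresses, and a source list that
omits 10.10.125.0/24) next to a corrected configuration, and shows how
overload shares one global address by giving each flow its own port.
"""
import ipaddress
from itertools import count


def standard_acl_permits(acl, src_ip: str) -> bool:
    """Ordered standard ACL [(action, network, wildcard), ...] with the implicit deny."""
    a = int(ipaddress.IPv4Address(src_ip))
    for action, net, wildcard in acl:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if (a & care) == (int(ipaddress.IPv4Address(net)) & care):
            return action == "permit"
    return False


class PatTranslator:
    """Minimal model of the translation table a router keeps for an overloaded pool."""

    def __init__(self, source_list, pool_addrs, first_port: int = 1024):
        self.source_list = source_list
        self.pool = list(pool_addrs)
        self.table = {}      # (inside_ip, inside_port) -> (global_ip, global_port)
        self.reverse = {}    # the same mappings, keyed the other way round
        self.next_port = count(first_port)

    def outbound(self, inside_ip: str, inside_port: int):
        """Translate an inside->outside packet; None means it leaves untranslated."""
        if not standard_acl_permits(self.source_list, inside_ip):
            return None
        key = (inside_ip, inside_port)
        if key not in self.table:
            # overload: every flow shares the first pool address and is told
            # apart on the way back by the global port the router assigns
            mapping = (self.pool[0], next(self.next_port))
            self.table[key] = mapping
            self.reverse[mapping] = key
        return self.table[key]

    def inbound(self, global_ip: str, global_port: int):
        """Map a returning packet to (inside_ip, inside_port); None if no state exists."""
        return self.reverse.get((global_ip, global_port))


# As posted: 'access-list 1' lists only the two satellite LANs, and the pool is
# drawn from the Pittsburgh LAN itself (10.10.125.129-254).
POSTED_LIST_1 = [("permit", "10.10.151.0", "0.0.0.255"),
                 ("permit", "10.10.188.0", "0.0.0.255")]
POSTED_POOL = [f"10.10.125.{n}" for n in range(129, 255)]

# Corrected: every inside LAN in the list, and the outside interface address as
# the only global address (what 'ip nat inside source list 1 interface Serial0
# overload' does without a pool). 192.168.2.1 is the lab's stand-in for a public IP.
FIXED_LIST_1 = POSTED_LIST_1 + [("permit", "10.10.125.0", "0.0.0.255")]
FIXED_POOL = ["192.168.2.1"]

if __name__ == "__main__":
    posted = PatTranslator(POSTED_LIST_1, POSTED_POOL)
    print("posted config, Pittsburgh host:", posted.outbound("10.10.125.10", 40000))
    print("posted config, Miami host:     ", posted.outbound("10.10.151.21", 40000))
    fixed = PatTranslator(FIXED_LIST_1, FIXED_POOL)
    for host in ("10.10.125.10", "10.10.151.21", "10.10.188.42"):
        print("fixed config,", host, "->", fixed.outbound(host, 40000))
```

The first `print` comes back `None`: the Pittsburgh host is simply routed out unchanged with a 10.x source, which the ISP will drop. The second comes back as `('10.10.125.129', 1024)`, a translation that happened but to another private address. With the corrected list and pool all three hosts share 192.168.2.1 and differ only in the global port, and `inbound()` shows how the return traffic finds its way back.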
  • The Prize Is Lobster Member Posts: 71
    Here's what's confusing me.


    In the above listed info, Pitt1 and Pitt2 are within the same network, one IP address apart. Maybe this sounds incredibly stupid, but what exact purpose would this serve, having two routers in the same ethernet network? Is it because Pitt2 is being used strictly for internet access and therefore there really isn't anything internally they route like Pitt1 with the corp network?
  • mikearama Member Posts: 749
    Yeah, that's right. Perhaps a better way to picture it is that Pitt2 is a firewall, only providing internet access.

    Try to picture our network...

    we have a core LAN, with four different ways (firewalls) in and out... depending on what you want to accomplish:
    Internet
    E-Biz (DMZ)
    UAT
    Vendor

    So for the hosts up in Pittsburg, they have a choice of exit... one exit to the internet, another exit to the extended LAN. In between those two routers sit the LAN... could be a few switch stacks, a block of servers, a DMZ, who knows. And all of it has to be accessible to the corp network, while still allowing an out to the internet.

    That help?
  • NeonNoodle Member Posts: 92
    mikearama wrote:
    Damn bro, nice work. And fast.

    Just had time to give it a quick once over, and few things jumped out, the first two having to do with your NAT'ing:

    1) Your line...
    ip nat pool in2out 10.10.125.129 10.10.125.254 netmask 255.255.255.0

    This creates a pool of internal IP's that are now going to be seen publicly... not what we want. If I read correctly, you're using your Serial0 connection (ip address 192.168.2.1) to simulate your outside (public) interface, so this is the IP that should find its way into your pool command.
    I'm going to revisit this tomorrow and improve it. Your scenario definitely showed me that NAT is where I'm the weakest.

    2) Your access list (list 1) for NAT'ting doesn't include the 125.x network, so no one from the 125 range will be able to get out to the internet.
    If I read it correctly, no host from the 125 can even get natted to an ip in the 125 range, based on the above.
    The pool that I set up uses addresses from the 125.x subnet so I didn't include them. But I'll be correcting the config to address this issue.

    Next, f0/1 on the PTM_switch is set to trunk. What's at the other end of that trunk? Doesn't it require some config?
    Oops. This is from a previous config. I didn't do a write erase on the switches before I started this scenario.

    Lastly, on the Miami switch... so close. But this isn't possible:

    interface FastEthernet0/12
    switchport access vlan 99
    switchport trunk native vlan 99
    switchport mode trunk

    The "access" command and the "mode trunk" command are exclusive. How could you rework that?
    I'm actually surprised by this. I figured this wouldn't be possible. I'll just remove the 'switchport access vlan 99' statement. Good catch.

    And you did such a nice job of setting up vlans 17, 18, 19 on the Miami router, sub-ints and all, but then didn't take advantage of them on the Miami switch. You really should.
    I had nothing to connect on the 17, 18 and 19 Vlans, so I just went through setting them up on the router. It was the first time doing router-on-a-stick so I wanted to set up a few subinterfaces whereas I've set up Vlans before so I didn't think it was as important.
    Again, nice work.

    Mike
    Thanks for taking a look and making comments. Again, your scenario has been very helpful for identifying things I need more practice with.
  • The Prize Is Lobster Member Posts: 71
    It's definitely shown me I need to study through some of the VLAN stuff more in-depth. I sat down last night and worked through some of it... when I would get to a problem, I would just erase the configurations on each router and switch... not because I didn't know where the problem lay, but mostly just to kind of beat the procedure into my head.


    Feel free to throw another up :D I'll toss up my router/switch configs later.
  • NeonNoodle Member Posts: 92
    Feel free to throw another up :D I'll toss up my router/switch configs later.
    I second that. :D

    If I have time in the coming week, I will put one up, too.
  • The Prize Is Lobster Member Posts: 71
    I have no idea if this a netsim issue or otherwise...but....


    So miami and Pittsburg1 are connected via serial links

    If I set the respective IPs to 10.255.255.1 and 10.255.255.2 they can ping one another fine

    however

    if I set the Pittsburg1 serial link 1 and Texas serial link 0 to the 10.255.255.4 subnet, they cannot ping one another.


    so basically

    miami-pittsburg serials within 10.255.255.0 255.255.255.252
    pittsburg-texas serials within 10.255.255.4 255.255.255.252

    I've tried reversing this as well... yesterday I just set it up as 10.255.255.0 255.255.255.252 and 10.255.255.4 255.255.255.252

    I tried the same thing with just three routers, nothing else attached...that worked fine with separate subnets. Annoying.
  • NeonNoodle Member Posts: 92
    With what you've written, you seem to have things correct. However, make sure of the following:
    1. the Pittsburgh1 and Miami addresses are .5 and .6,
    2. the mask is 255.255.255.252 for the IP addresses--sometimes I will mistakenly put in 255.255.255.0,

    and finally, the one I always kick myself over,

    3. you have done a 'no shutdown' on the interfaces.

    If you confirm that you have done all those then I would say the software is the problem.
  • The Prize Is Lobster Member Posts: 71
    I figured out what the issue was. I was just caught up in typing commands and overlooked a subnet on one of the serial connections. ;)


    So far, yeah, this has prompted me to re-review some of the OSPF stuff. RIP/EIGRP/static and default routes I'm okay with, but when it comes to OSPF and the areas, backbone, DR/BDR, etc. it just makes my head swim.