baptism by fire approach

Okay... I'll give this a go for ya.

Your operation has three locations... head office in Pittsburg, satellites in Miami and Texas. Internet only through Pittsburg. Texas and Miami are not directly connected. A router in each location to connect to Pittsburg.

Pittsburg uses the 10.10.125.0 /24 network
Miami uses 10.10.151.0 /24 network
Texas uses 10.10.188.0 /24 network

All inter-site connections are serial, using "properly" designed (read, /30) subnets in any subnet of your choice (assume all of 10.10.x.x is available to you).

Secure the routers. Post message at logon scaring away potential hackers and general neer-do-wells. Secure all vty and console lines on all routers. Do not allow passwords to be visible.

Use ospf as your routing protocol.

Create an access list allowing Miami to ping resources in Texas, but not vice versa. Also, there is a management server in Pittsburg (say, 10.10.125 244) that the admin, when he's travelling, should be able to access, from a specific IP address in each location (say, 10.10.151.21, and 10.10.188.42). He'll use a web interface. No one else from any IP should be able to access that resource using a web interface, though they may need to access the server using other protocols.

Setup Pittsburg this way: the router (say, Pitt1)above that connects to the corp network will also connect to an internet router (call it Pitt2). You can put a switch inbetween them, if you like. Make the internet router's IP the default gateway for the network. Set up NAT to an outside IP of your choice, wherein all internal users from all sites will share a single public IP address.

Lastly, if you're feeling really adventurous, pick either Miami or Texas and set up a switch next to it. Create a few Vlans, and set up the trunk to the router. Disable vlan 1, making vlan 99 the native vlan.

That covers router setup, routing, access lists, NAT/PAT, and vlan setup.

Bro, you do that, and there isn't a sim on the exam that will stump you. Let's see your configs.

thats what Im talkin about

I'll stumble thru this later.

wait2dominate

*Copies the writeup into a text file to play with when I get home/to school for a lab for me to do:)

Any type of password authenticaion on the OSPF links or no?

^ see thats what I mean...the more ideas thrown out there for testing, the more everyone benefits.

Naw, no passwords required. That's into BSCI detail anyway. Just default stuff, Area 0, process number of your choice.

This could get really interesting, Lobster.

Mike

Stotic

Did you just create that lab off the top of your head?

Yep, just started typing... adding more... going back and adding names/IP's. Try it... it'll come to ya.

the Miami and Texas routers are connected to pittsburg thru serial or isdn or what?

markzab

The Prize Is Lobster wrote:

the Miami and Texas routers are connected to pittsburg thru serial or isdn or what?

"All inter-site connections are serial, using "properly" designed (read, /30) subnets in any subnet of your choice (assume all of 10.10.x.x is available to you). "

I think he was suggesting serial connections with the use of address conservation via VLSMs (/30) for the WAN links.

heh. I probably shoulda read a little closer.

Pittsburg, Philly... sure, same thing.

Great question... let's not get carried away, so just set up standard serial connections, and we'll pretend they're FR or something.

If you want, set up PPP... authentication CHAP.

If you're really gutsy, simulate Frame Relay. Stick with cisco defaults for LMI and FR encaps, using point - point on each line.

mikearama wrote:

Setup Pittsburg this way: the router (say, Pitt1)above that connects to the corp network will also connect to an internet router (call it Pitt2). You can put a switch inbetween them, if you like. Make the internet router's IP the default gateway for the network.

alright so...the corp network will use the internet routers IP for its default gateway?

Ah, here's where it gets interesting. The entire network will use the internet router for internet access, so you'll need a default network pointing at this router throughout the network.

BUT, traffic from Pittsburg will also have to travel to the other two sites, and vice versa, so you need to think about shaping traffic to decide between your satellites, and the internet. Any ideas?

so essentially a separate subnet or network for the internet traffic on Miami, Pittsburg, and TX all pointing to Pitt2 as their default gateway advertised on all networks...default route maybe?

It's easy to put default gateways on the Miami and Texas routers pointing at the Pittsburg router, but think about the Pittsburg traffic. Which router do you want the Pitts clients using.

If you select Pitts1, then Pitts1 needs to know about Miami and Texas (which OSPF will handle), and a default gateway can point to Pitts2 for unknown stuff... on to the internet.

Or, you can select Pitts2 as the clients gateway, in which case either OSPF will know of the way (assuming you include this router in your ospf config), or, my preference, use static routes to point the way. IE,

ip route 10.10.151.0 255.255.255.0 10.10.125.1
ip route 10.10.188.0 255.255.255.0 10.10.125.1

Now Pitts1 receives all satellite traffic, and can forward appropriately, while Pitts2 get and keeps and NATs internet traffic.

Regardless, put default routes to Pitts2 on everything, and you can't go wrong (as long as satellite traffic gets to Pittsburg in the first place).

Damn, I'm long winded.

rackin my brain on this so far. Its good though....forces me to look at things less streamlined.

mikearama,

Thanks for providing a network to configure. Most of the configuration was simple, but I have never done NAT on a router, so I'm still having trouble with it. Also, I had never changed native VLANs, so that was good practice, but I did have a little trouble with it because I initially forgot to configure the router for the changed native VLAN.
One question though for anyone: When I was setting up the ACL to prevent Texas from pinging Miami, I had the following config:

Texas
interface ethernet0
ip address 10.10.188.1 255.255.255.0
ip access-group 101 in

access-list 101 permit icmp 10.10.188.0 0.0.0.255 10.10.151.0 0.0.0.255 echo-reply
access-list 101 deny icmp 10.10.188.0 0.0.0.255 10.10.151.0 0.0.0.255 echo
access-list 101 permit ip any any

Anyway, if I do an extended ping from Texas's e0 interface (10.10.188.1) to the Miami LAN (say, 10.10.151.1), the ping is successful. However if I ping from my PC (10.10.188.42) on the Texas LAN, the ACL is blocking it because when I put the ACL on I can't ping and when I remove it I can ping. So, is it typical that when testing from the interface the ACL is configured on that the ACL doesn't process it?

I'm sure I'll finish the configuration tonight when I get home from work. Again, thanks a whole bunch mikearama. This has been a big help!

ACLs cant filter traffic generated from the router. I noticed the same.

The Prize Is Lobster wrote:

ACLs cant filter traffic generated from the router. I noticed the same.

I'm glad you've noticed that, too. I thought I was going nuts. I spent way too much time on that part racking my brains on why my exteneded pings were working. I should've gone to my PC right away and gotten a second opinion.
I just can't wait to get home from work and finish it up. It's a lot of fun!
I forgot to thank you, previously, The Prize Is Lobster, for starting this thread. Thanks mate!

part of the problem with a lot of "read the book, do this, do that" approach is it is just so cut and dry that challenges like this dont really come up, so its nice.

Initially it kind of frustrated me because it feels like I have a LOT of base work to cover in the next 5 weeks but some of it is just making the connection on previously learned things. The study on ACLs I just finished recently and havent had much of a chance to go thru it.

With the Boson Netsim, the service password encryption command is not available, so I cant run that to encrypt all passwords.

I set up the network a bit different than referenced. Pitt1 I set to 10.10.125.0 ethernet network and Pitt2 I set to 10.10.126.0 with a default route on all routers pointed towards 10.10.126.1

for whatever reason, the switch between the two routers simply would not allow me to ping one another, so I just did a serial connection between Pitt1 and Pitt2.

Here are my configs in the following order:

Pittsburgh1
Pittsburgh2
Texas
Miami
PTM_Switch
Miami_Switch

!
version 12.2
service config
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Pittsburgh1
!
enable secret 5 $1$zMRg$QmtP1PhrOiErrKJoKO3Fp1
!
ip subnet-zero
!
!
!
!
interface Ethernet0
description Pittsburgh LAN
ip address 10.10.125.1 255.255.255.0
ip access-group 101 out
!
interface Serial0
description serial link to Texas
ip address 10.10.1.1 255.255.255.252
clock rate 64000
!
interface Serial1
description serial link to Miami
ip address 10.10.1.5 255.255.255.252
clock rate 64000
!
interface BRI0
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
network 10.10.1.0 0.0.0.3 area 0
network 10.10.1.4 0.0.0.3 area 0
network 10.10.125.0 0.0.0.255 area 1
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.125.2
ip http server
ip pim bidir-enable
!
access-list 101 permit tcp host 10.10.151.21 host 10.10.125.244 eq www
access-list 101 permit tcp host 10.10.188.42 host 10.10.125.244 eq www
access-list 101 deny tcp any host 10.10.125.244 eq www
access-list 101 permit ip any any
!
banner motd
Unauthorized access will result in a call home and a spanking from your mother! Got that?

!
line con 0
password 7 151B05181625
logging synchronous
line aux 0
line vty 0 4
password 7 07062F585C06
login
!
end

!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Pittsburgh2
!
enable secret 5 $1$e09w$fJiuVJsLgt2QMH5q2AG4D1
!
ip subnet-zero
no ip domain-lookup
!
!
!
!
interface Loopback0
description Going to the show
no ip address
ip nat outside
shutdown
!
interface Loopback1
no ip address
shutdown
!
interface Ethernet0
description Pittsburgh LAN
ip address 10.10.125.2 255.255.255.0
ip nat inside
!
interface Serial0
ip address 192.168.2.1 255.255.255.0
ip nat outside
no fair-queue
clock rate 64000
!
interface Serial1
no ip address
shutdown
!
interface BRI0
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
network 10.10.125.0 0.0.0.255 area 1
!
ip nat pool in2out 10.10.125.129 10.10.125.254 netmask 255.255.255.0
ip nat inside source list 1 pool in2out overload
ip classless
ip http server
ip pim bidir-enable
!
access-list 1 permit 10.10.151.0 0.0.0.255
access-list 1 permit 10.10.188.0 0.0.0.255
!
banner motd
Unauthorized access will result in a call home and a spanking from your mother! Got that?

!
line con 0
password 7 0828425A1B16
logging synchronous
line aux 0
line vty 0 4
password 7 130C19061903
login
!
end

!
version 12.2
service config
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Texas
!
enable secret 5 $1$vi08$xfDPTBn1hy2Wy2Fw5GGp2.
!
ip subnet-zero
no ip domain-lookup
!
!
!
!
interface Ethernet0
description Texas LAN
ip address 10.10.188.1 255.255.255.0
ip access-group 101 in
!
interface Ethernet1
no ip address
shutdown
!
interface Serial0
description serial link to Pittsburgh
ip address 10.10.1.2 255.255.255.252
!
interface Serial1
ip address 192.168.2.2 255.255.255.0
!
router ospf 1
log-adjacency-changes
network 10.10.1.0 0.0.0.3 area 0
network 10.10.188.0 0.0.0.255 area 2
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.1.1
ip http server
ip pim bidir-enable
!
access-list 101 permit icmp 10.10.188.0 0.0.0.255 10.10.151.0 0.0.0.255 echo-reply
access-list 101 deny icmp 10.10.188.0 0.0.0.255 10.10.151.0 0.0.0.255 echo
access-list 101 permit ip any any
!
banner motd
Unauthorized access will result in a call home and a spanking from your mother! Got that?

!
line con 0
password 7 011A08104904
logging synchronous
line aux 0
line vty 0 4
password 7 000D1D121654
login
!
end

!
version 12.4
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Miami
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$3deb$l7c0kH7sU7pjnhjn6cDun0
!
no aaa new-model
ip cef
!
!
!
!
no ip domain lookup
!
!
!
!
!
!
!
interface FastEthernet0/0
description Miami LAN
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.17
encapsulation dot1Q 17
ip address 10.10.17.1 255.255.255.0
!
interface FastEthernet0/0.18
encapsulation dot1Q 18
ip address 10.10.18.1 255.255.255.0
!
interface FastEthernet0/0.19
encapsulation dot1Q 19
ip address 10.10.19.1 255.255.255.0
!
interface FastEthernet0/0.99
encapsulation dot1Q 99 native
ip address 10.10.151.1 255.255.255.0
!
interface Serial1/0
no ip address
shutdown
!
interface Serial1/1
description serial link to Pittsburgh
ip address 10.10.1.6 255.255.255.252
!
interface Serial1/2
no ip address
shutdown
!
interface Serial1/3
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
network 10.10.1.4 0.0.0.3 area 0
network 10.10.16.0 0.0.15.255 area 3
network 10.10.151.0 0.0.0.255 area 3
!
ip route 0.0.0.0 0.0.0.0 Serial1/1
!
ip http server
no ip http secure-server
!
!
control-plane
!
banner motd
Unauthorized access will result in a call home and a spanking from your mother! Got that?

!
line con 0
password 7 12100B030004
logging synchronous
line aux 0
line vty 0 4
password 7 020F0A4F1909
login
!
!
end

!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname PTM_switch
!
enable secret 5 $1$pAvl$/XJBBL8B.4M0jxojagj8S1
!
ip subnet-zero
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
spanning-tree vlan 1 priority 40960
!
!
!
!
interface FastEthernet0/1
switchport mode trunk
!
interface FastEthernet0/2
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/3
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/4
switchport mode access
!
interface FastEthernet0/5
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/6
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/7
switchport mode access
!
interface FastEthernet0/8
switchport mode access
!
interface FastEthernet0/9
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/10
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/11
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/12
switchport access vlan 3
switchport mode access
!
interface Vlan1
ip address 10.10.125.6 255.255.255.0
no ip route-cache
!
interface Vlan2
no ip address
no ip route-cache
shutdown
!
ip default-gateway 10.10.125.1
ip http server
banner motd
Unauthorized access will result in a call home and a spanking from your mother! Got that?

!
line con 0
password 7 011A08104904
logging synchronous
login
line vty 0 4
password 7 011A08104904
login
line vty 5 15
password 7 1047070D1718
login
!
!
end

!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Miami_Switch
!
enable secret 5 $1$G02L$SuKv0y8IFHludCZArDFG51
!
ip subnet-zero
!
no ip domain-lookup
ip ssh time-out 120
ip ssh authentication-retries 3
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/3
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
switchport access vlan 99
spanning-tree portfast
!
interface FastEthernet0/12
switchport access vlan 99
switchport trunk native vlan 99
switchport mode trunk
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan99
ip address 10.10.151.6 255.255.255.0
no ip route-cache
!
ip default-gateway 10.10.151.1
ip http server
banner motd
Unauthorized access will result in a call home and a spanking from your mother! Got that?

!
line con 0
password 7 030D551F1400
logging synchronous
login
line vty 0 4
password 7 030D551F1400
login
line vty 5 15
password 7 0945401D0B0A
login
!
!
end

Damn bro, nice work. And fast.

Just had time to give it a quick once over, and few things jumped out, the first two having to do with your NAT'ing:

1) Your line...
ip nat pool in2out 10.10.125.129 10.10.125.254 netmask 255.255.255.0

This creates a pool of internal IP's that are now going to be seen publicly... not what we want. If I read correctly, you're using your Serial0 connection (ip address 192.168.2.1) to simulate your outside (public) interface, so this is the IP that should find its way into your pool command.

2) Your access list (list 1) for NAT'ting doesn't include the 125.x network, so no one from the 125 range will be able to get out to the internet.

If I read it correctly, no host from the 125 can even get natted to an ip in the 125 range, based on the above.

Next, f0/1 on the PTM_switch is set to trunk. What's at the other end of that trunk? Doesn't it require some config?

Lastly, on the Miami switch... so close. But this isn't possible:

interface FastEthernet0/12
switchport access vlan 99
switchport trunk native vlan 99
switchport mode trunk

The "access" command and the "mode trunk" command are exclusive. How could you rework that?

And you did such a nice job of setting up vlans 17, 18, 19 on the Miami router, sub-ints and all, but then didn't take advantage of them on the Miami switch. You really should.

Again, nice work.

Mike

heres whats confusing me.

In the above listed info. Pitt1 and Pitt2 are within the same network one IP address apart. Maybe this sounds incredibly stupid, but what exact purpose would this serve having two routers in the same ethernet network? Is it because Pitt2 is being used strictly for internet access and therefore there really isnt anything internally they route like Pitt1 with the corp network?

Yeah, that's right. Perhaps a better way to picture it is that Pitt2 is a firewall, only providing internet access.

Try to picture our network...

we have a core LAN, with four different ways (firewalls) in and out... depending on what you want to accomplish:
Internet
E-Biz (DMZ)
UAT
Vendor

So for the hosts up in Pittsburg, they have a choice of exit... one exit to the internet, another exit to the extended LAN. In between those two routers sit the LAN... could be a few switch stacks, a block of servers, a DMZ, who knows. And all of it has to be accessible to the corp network, while still allowing an out to the internet.

That help?

mikearama wrote:

Damn bro, nice work. And fast.

Just had time to give it a quick once over, and few things jumped out, the first two having to do with your NAT'ing:

1) Your line...
ip nat pool in2out 10.10.125.129 10.10.125.254 netmask 255.255.255.0

This creates a pool of internal IP's that are now going to be seen publicly... not what we want. If I read correctly, you're using your Serial0 connection (ip address 192.168.2.1) to simulate your outside (public) interface, so this is the IP that should find its way into your pool command.

I'm going to revisit this tomorrow and improve it. Your scenario definitely showed me that NAT is where I'm the weakest.

2) Your access list (list 1) for NAT'ting doesn't include the 125.x network, so no one from the 125 range will be able to get out to the internet.
If I read it correctly, no host from the 125 can even get natted to an ip in the 125 range, based on the above.

The pool that I set up uses addresses from the 125.x subnet so I didn't include them. But I'll be correcting the config to address this issue.

Next, f0/1 on the PTM_switch is set to trunk. What's at the other end of that trunk? Doesn't it require some config?

Oops. This is from a previous config. I didn't do a write erase on the switches before I started this scenario.

Lastly, on the Miami switch... so close. But this isn't possible:

interface FastEthernet0/12
switchport access vlan 99
switchport trunk native vlan 99
switchport mode trunk

The "access" command and the "mode trunk" command are exclusive. How could you rework that?

I'm actually surprised by this. I figured this wouldn't be possible. I'll just remove the 'switchport access vlan 99' statement. Good catch.

And you did such a nice job of setting up vlans 17, 18, 19 on the Miami router, sub-ints and all, but then didn't take advantage of them on the Miami switch. You really should.

I had nothing to connect on the 17, 18 and 19 Vlans, so I just went through setting them up on the router. It was the first time doing router-on-a-stick so I wanted to set up a few subinterfaces whereas I've set up Vlans before so I didn't think it was as important.

Again, nice work.

Mike

Thanks for taking a look and making comments. Again, your scenario has been very helpful for identifying things I need more practice with.

its definetly showed me I need to study thru some of the VLAN stuff more in-depth. I sat down last night and worked thru some of it...when I would get to a problem, I would just erase the configurations on each router and switch....not because I didnt know where the problem laid, but mostly just to kind of beat the procedure into my head.

Feel free to throw another up

I'll toss up my router/switch configs later.

The Prize Is Lobster wrote:

Feel free to throw another up I'll toss up my router/switch configs later.

I second that.

If I have time in the coming week, I will put one up, too.

I have no idea if this a netsim issue or otherwise...but....

So miami and Pittsburg1 are connected via serial links

If I set the respective IPs to 10.255.255.1 and 10.255.255.2 they can ping one another fine

however

if I set the Pittsburg1 serial link 1 and Texas serial link 0 to the 10.255.255.4 subnet, they cannot ping one another.

so basically

miami-pittsburg serials within 10.255.255.0 255.255.255.252
pittsburg-texas serials within 10.255.255.4 255.255.255.252

Ive tried reversing this as well....yesterday I just set it up as 10.255.255.0 255.255.255.252 and 10.255.255.4 255.255.255.252

I tried the same thing with just three routers, nothing else attached...that worked fine with separate subnets. Annoying.

With what you've written, you seem to have things correct. However, make sure of the following:
1. the Pittsburgh1 and Miami addresses are .5 and .6,
2. the mask is 255.255.255.252 for the IP addresses--sometimes I will mistakenly put in 255.255.255.0,

and finally, the one I always kick myself over,

3. you have done a 'no shutdown' on the interfaces.

If you confirm that you have done all those then I'd would say the software is the problem.