
1.0 Introduction
Scenario: The regional electrical utility company, South West Electrical, needs a network to be designed and implemented. The company supplies electricity over a wide area. Its headquarters is in Exeter, with a call centre in Plymouth connected via a leased line. The Engineering division operates out of Poole, whilst the Sales team have a Sales Office in Bournemouth. The Bournemouth and Poole branches are connected to the company's headquarters in Exeter using Frame Relay because of cost considerations. The company's networks communicate using the open standard routing protocol OSPF. The company wants to use private addresses throughout for security reasons and DHCP for the LANs. Access to the Internet is provided from Exeter using network address translation. The company also wishes to limit Internet access to Web traffic while allowing multiple protocols within its own WAN. A server for the Engineering division is provided at the company's headquarters in Exeter.

Building from this scenario, a solution can be provided and simulated within Cisco's Packet Tracer program. The use of this program allows a fully functional, true-to-life simulation that will show the company the use of the relevant networking equipment. It also provides the networking staff with a test platform on which to fix problems, and to foresee any design or security problems that may occur. This report describes the methods used to create this simulation, along with testing of the network and its functionality. It also details the networking structure that has been designed to address the system, keeping in mind the company's wish for efficient network addressing.

2.0 Network Design

The network will be designed using the 172.20.0.0 /16 addressing scheme that has been requested; this will also be linked to an external Internet source, which will be accounted for in the networking system. This is the design that will be used to simulate within the Packet Tracer logical topology. It has been provided for the purposes of this scenario, and it is presumed that the company already owns this equipment, so it will not need to be costed within this plan; however the Frame Relay element is unknown, and will be simulated with a cloud within the software package. Internet access is available to all users on the network; however, due to restrictions, the network has been provided with only one public IP address that is usable on the Internet. This will use NAT, and will operate on the 199.199.199.1 address.

Joe Powell

2.1 Network Addressing Scheme

The scheme is based on the following address block:

    Address               172.20.0.0 255.255.0.0
    Available Addresses   65534

Network Name              | Required Hosts | Block Reserved | Network Address | 1st Usable   | Last Usable  | Broadcast    | Subnet
Call Centre Plymouth      | 102 Hosts      | 126 Hosts      | 172.20.0.0      | 172.20.0.1   | 172.20.0.126 | 172.20.0.127 | 255.255.255.128
Sales Bournemouth         | 102 Hosts      | 126 Hosts      | 172.20.0.128    | 172.20.0.129 | 172.20.0.254 | 172.20.0.255 | 255.255.255.128
Engineering Poole         | 62 Hosts       | 62 Hosts       | 172.20.1.0      | 172.20.1.1   | 172.20.1.62  | 172.20.1.63  | 255.255.255.192
IT Support (inc. Servers) | 5 Hosts        | 6 Hosts        | 172.20.1.64     | 172.20.1.65  | 172.20.1.70  | 172.20.1.71  | 255.255.255.248
Link 1                    | 2 Hosts        | 2 Hosts        | 172.20.1.80     | 172.20.1.81  | 172.20.1.82  | 172.20.1.83  | 255.255.255.252
Link 2                    | 2 Hosts        | 2 Hosts        | 172.20.1.84     | 172.20.1.85  | 172.20.1.86  | 172.20.1.87  | 255.255.255.252
Link 3                    | 2 Hosts        | 2 Hosts        | 172.20.1.88     | 172.20.1.89  | 172.20.1.90  | 172.20.1.91  | 255.255.255.252
Link 4                    | 2 Hosts        | 2 Hosts        | 172.20.1.92     | 172.20.1.93  | 172.20.1.94  | 172.20.1.95  | 255.255.255.252
Engineering Server        | 2 Hosts        | 2 Hosts        | 172.20.1.96     | 172.20.1.97  | 172.20.1.98  | 172.20.1.99  | 255.255.255.252
General Server            | 2 Hosts        | 2 Hosts        | 172.20.1.100    | 172.20.1.101 | 172.20.1.102 | 172.20.1.103 | 255.255.255.252

Pre-configured networks:

Network Name                | Required Hosts | Block Reserved | Network Address | 1st Usable  | Last Usable   | Broadcast     | Subnet
DNS Server Link             | 2 Hosts        | 255 Hosts      | 198.198.1.0     | 198.198.1.1 | 198.198.1.254 | 198.198.1.255 | 255.255.255.0
Internet WAN Link           | 2 Hosts        | 255 Hosts      | 200.1.1.0       | 200.1.1.1   | 200.1.1.254   | 200.1.1.255   | 255.255.255.0
Web Server Internal Network | 2 Hosts        | 255 Hosts      | 210.1.1.0       | 210.1.1.1   | 210.1.1.254   | 210.1.1.255   | 255.255.255.0

This scheme has been designed with space saving and an economical structure in mind. However, you may notice a break within the addressing scheme: because of incorrectly configured devices, changes were made during setup of the topology, and this in turn created holes in the addressing plan. As the company specified that a space-saving design would be preferred, VLSM has been used. The main core of the network is at its maximum capacity 271 IP addresses. The first 271 addresses have now been separated from the working network addresses due to this break. This has provided a clean separation, and as such a simple configuration. With the use of VLSM, security can also be increased by only allowing the required number of addresses to function within a network; for example, a /30 subnet (255.255.255.252) only allows 2 hosts to be active, leaving no spare address for an intruding device, whether from an external or an internal attacker.
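To check the plan above, here is an added example (not part of the report) that recomputes a gap-free first-fit VLSM allocation from the host counts in the table, compares it with the network addresses the table actually assigns, and lists the unused range that forms the break described above. The host counts and table values are transcribed from section 2.1; the allocator itself is a generic routine written for this page.

```python
"""Recompute the section 2.1 VLSM plan and compare it with the table.

Added example, not part of the original report. Host counts and the
allocated network addresses are transcribed from the table above; the
first-fit allocator is a generic routine written for this page.
"""
import ipaddress

# Base block the company requested (section 2.0).
BASE = ipaddress.ip_network("172.20.0.0/16")

# (network name, hosts required), in the order the table lists them.
REQUIREMENTS = [
    ("Call Centre Plymouth", 102),
    ("Sales Bournemouth", 102),
    ("Engineering Poole", 62),
    ("IT Support (inc. Servers)", 5),
    ("Link 1", 2), ("Link 2", 2), ("Link 3", 2), ("Link 4", 2),
    ("Engineering Server", 2),
    ("General Server", 2),
]

# Network addresses the report's table actually assigns.
TABLE = {
    "Call Centre Plymouth": "172.20.0.0/25",
    "Sales Bournemouth": "172.20.0.128/25",
    "Engineering Poole": "172.20.1.0/26",
    "IT Support (inc. Servers)": "172.20.1.64/29",
    "Link 1": "172.20.1.80/30", "Link 2": "172.20.1.84/30",
    "Link 3": "172.20.1.88/30", "Link 4": "172.20.1.92/30",
    "Engineering Server": "172.20.1.96/30",
    "General Server": "172.20.1.100/30",
}


def prefix_for_hosts(hosts):
    """Longest prefix whose usable host count (2**n - 2) still covers `hosts`."""
    bits = 2
    while (1 << bits) - 2 < hosts:
        bits += 1
    return 32 - bits


def allocate(base, requirements):
    """First-fit VLSM in the listed order. Each block starts on a boundary
    that is a multiple of its own size, so carving largest-first leaves no
    hole while a large block after a small one would."""
    cursor = int(base.network_address)
    plan = {}
    for name, hosts in requirements:
        plen = prefix_for_hosts(hosts)
        size = 1 << (32 - plen)
        if cursor % size:                      # align to the block size
            cursor += size - cursor % size
        net = ipaddress.ip_network((cursor, plen))
        if not net.subnet_of(base):
            raise ValueError(f"{name}: no space left in {base}")
        plan[name] = str(net)
        cursor += size
    return plan


def describe(cidr):
    """(first usable, last usable, broadcast, mask) as in the table columns."""
    net = ipaddress.ip_network(cidr)
    hosts = list(net.hosts())
    return (str(hosts[0]), str(hosts[-1]),
            str(net.broadcast_address), str(net.netmask))


def compare_with_table(plan, table):
    """Networks where the table differs from the gap-free plan: {name: (plan, table)}."""
    return {name: (plan[name], table[name])
            for name in plan if plan[name] != table[name]}


def unused_ranges(table):
    """Address ranges between consecutive table entries that nothing uses:
    the 'break' the report describes."""
    nets = sorted(ipaddress.ip_network(c) for c in table.values())
    gaps = []
    for lower, upper in zip(nets, nets[1:]):
        if lower.broadcast_address + 1 < upper.network_address:
            gaps.append((str(lower.broadcast_address + 1),
                         str(upper.network_address - 1)))
    return gaps


if __name__ == "__main__":
    plan = allocate(BASE, REQUIREMENTS)
    for name, (planned, actual) in compare_with_table(plan, TABLE).items():
        print(f"{name:26s} plan {planned:18s} table {actual}")
    print("unused:", unused_ranges(TABLE))   # [('172.20.1.72', '172.20.1.79')]
```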


The design also required that unused interfaces on the networking devices were secured. This was considered from the outset, with a secure environment in mind: only the devices that were required were addressed. However some equipment, for example switches, has many extra interfaces that could potentially be interfered with.

2.2 Securing the Network Switches

The switch provided in the simulation, like switches in real-life designs, comes by default with all ports exposed. As a matter of good practice a switch should always have security in place, so the following security measures were put in place. The switchport command is used in multiple scenarios; here it is used to activate port-security with the following options:

    mac-address  Secure mac address
    maximum      Max secure addresses
    violation    Security violation mode

Using the port-security commands, MAC addresses could be dynamically learnt by the system and then locked to ports within the switches. This meant that any unwarranted user who found themselves physically connected to the wrong network port would be denied network access. The technique provides the system with sticky MACs, which allow only the first physical address seen on a port to access the network.

Upon the switch discovering a change in MAC address, a violation shutdown will occur, and the network administrator will be required to look at the switch, assess the problem, and manually re-enable the port. This is to prevent an internal attacker from simply unplugging a legitimate device and plugging a malicious device into the system. All ports on the switches that were not currently in use were also shut down to ensure that, in the event of a new physical connection, the port would not activate, thus preventing access. Again, this can be countered by an administrative change to enable the port for further expansion.

2.3 Logical Topology Layout and Configuration

The logical topology design was provided prior to the instruction of the specification. This network was partially addressed, but was not configured. It was converted to the simulation software, where devices could then be addressed using the previously designed addressing scheme. This is the literal translation from the image design that was provided in the specification to the simulation software, Cisco's Packet Tracer. It will then be fragmented into sections, which will be dynamically addressed.
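The two rules from this section (sticky port security on used ports, shutdown on unused ones) can be checked against a switch's running-config rather than by eye. The following is an added example, not code from the report: it parses `show run` text and flags ports that are up without the enabling `switchport port-security` command (the `mac-address sticky` option on its own does not activate the feature), a violation mode other than shutdown, and ports left enabled with no configuration. The sample config is constructed for this example, modelled on the DSW0 extract in the appendix.

```python
"""Audit a switch running-config against the section 2.2 rules.

Added example, not part of the original report. It parses `show run` text
and flags: ports that are up without the enabling command
`switchport port-security` (the `mac-address sticky` option alone does not
activate the feature), a violation mode other than shutdown, and ports left
enabled with no configuration at all. SAMPLE_CONFIG is constructed for this
example, modelled on the DSW0 extract in the appendix.
"""
import re

SAMPLE_CONFIG = """\
hostname Switch
!
interface FastEthernet0/1
 switchport mode trunk
 switchport port-security mac-address sticky
!
interface FastEthernet0/2
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
!
interface FastEthernet0/3
 switchport access vlan 30
 switchport mode access
 switchport port-security
 switchport port-security violation protect
 switchport port-security mac-address sticky
!
interface FastEthernet0/4
 switchport access vlan 10
 switchport mode access
 switchport port-security mac-address sticky
!
interface FastEthernet0/10
 shutdown
!
interface FastEthernet0/11
!
interface Vlan1
 no ip address
 shutdown
!
line con 0
 password cisco
"""

PHYSICAL = re.compile(r"^(FastEthernet|GigabitEthernet)\d+/\d+$")


def parse_interfaces(config):
    """Map interface name -> list of its (stripped) sub-commands."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None            # '!' or a global command ends the block
    return interfaces


def audit_port(lines):
    """Findings for one physical port; an empty list means it passes."""
    if "shutdown" in lines:
        return []                     # disabled ports satisfy the unused-port rule
    enabled = "switchport port-security" in lines
    sticky = "switchport port-security mac-address sticky" in lines
    # IOS defaults the violation mode to shutdown when none is configured.
    violation = next((l.split()[-1] for l in lines
                      if l.startswith("switchport port-security violation ")),
                     "shutdown")
    findings = []
    if not any(l.startswith("switchport") for l in lines):
        findings.append("unused port left enabled; should be shutdown")
    elif sticky and not enabled:
        findings.append("sticky MAC configured but port-security not enabled")
    elif not enabled and "switchport mode access" in lines:
        findings.append("access port without port-security")
    if enabled and violation != "shutdown":
        findings.append(f"violation mode is '{violation}', not shutdown")
    return findings


def audit(config):
    """{interface: [finding, ...]} for every physical port that breaks a rule."""
    results = {}
    for name, lines in parse_interfaces(config).items():
        if PHYSICAL.match(name):
            problems = audit_port(lines)
            if problems:
                results[name] = problems
    return results


if __name__ == "__main__":
    for port, problems in audit(SAMPLE_CONFIG).items():
        print(port, "->", "; ".join(problems))
```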

The addressing of new devices such as servers and user terminals that were not already addressed will be provided with an IP address, subnet mask, DNS server location and default gateway. These elements are pushed out to each device via DHCP. This protocol saves a network administrator a dramatic amount of time when addressing a network, and it also allows systems to be added (for example wireless clients) or removed without users manually checking and assigning an address. This service could have been handled by the general server and then pushed to the whole network, but to reduce load on the lines, the router closest to the end device provides this service. As displayed in the example, the router Engineering Poole will provide addressing to the network that it is closest to. This network has specific requirements that are programmed into the router's DHCP pool.

Config:

    !
    ip dhcp pool IPEP
     network 172.20.1.0 255.255.255.192
     default-router 172.20.1.62
     dns-server 198.198.1.2
    !

The local interface is pre-programmed with a static address, while any client that connects to it may take any address (numerically ordered) from the router. Each DHCP pool is required to have its own name, mainly for identification, as you can have multiple instances of this protocol running at any time on a single device. The client is also passed the default gateway, or default router, that it must route its packets towards, and an optional DNS server that allows DNS lookups, ACL permitting. This configuration was completed on all 4 of the routers within the internal network, and as such provided addressing for each system automatically. Servers on the network were, however, statically addressed, as it is felt that their location should always be static, regardless of the network addressing around them.

A bandwidth cap was also specified on the WAN links between the routers, on a dedicated serial line. This cap was set at 64 Kbps, which by modern standards would have a huge negative effect on network performance, but for the purposes of this specification it has been applied. Within the interface configuration, the following command was issued:

    Router(config-if)# bandwidth 64

This capped the available bandwidth on the line to 64 Kbps. It is worth noting that if another routing protocol, such as EIGRP, were active and this were a WAN link, the protocol might avoid using this path, as higher bandwidth paths such as a T1 (1.544 Mbps) may be available. However, no mention of application data was included, so it is assumed that this is sufficient bandwidth for the company.

To ensure that configuration was completed on the correct routers, the hostname command was used on each router, with a sensible name for the router. For example, for the Plymouth Call Centre router:

    Router(config)# hostname CCR

Similarly this command was applied to the switches within the network, which allows a user to quickly identify which device they are currently configuring. This is particularly useful when using Telnet to configure a device, as many of the routers and switches may have unfamiliar IP addresses, or may not be local to your network.

With the main backbone of the network in place and the addressing scheme implemented, the network specification required that certain authentication methods be included on certain links within the design, specifically the network link between the main HQ router, located in Exeter, and the Call Centre router in Plymouth. The routers at both ends of the link required some configuration; as this link requires CHAP authentication, a three-way handshake procedure is put in place:

1. Challenge
2. Response
3. Success or Failure
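The three steps just listed, as an added example that is not part of the report: a small simulation of the PPP CHAP exchange (RFC 1994) between the HQE and CCR routers. Each side holds the peer's secret in the same way as the `username <peer> password <secret>` configuration, and the transcript shows that only a challenge, a name and an MD5 digest cross the link.

```python
"""Simulate the three-step PPP CHAP exchange (RFC 1994) between the HQE and
CCR routers.

Added example, not part of the original report. Each side holds the peer's
secret as configured with `username <peer> password <secret>`; the wire
carries only the identifier, the random challenge, the sender's name and an
MD5 digest, never the secret itself.
"""
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 section 4.1: Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class Router:
    def __init__(self, hostname, peer_secrets):
        self.hostname = hostname
        self.peer_secrets = peer_secrets   # {peer hostname: shared secret}
        self._pending = {}                 # outstanding challenges by identifier

    def challenge(self, identifier, rng=os.urandom):
        """Step 1: the authenticator sends a fresh random challenge and its name."""
        value = rng(16)
        self._pending[identifier] = value
        return {"code": "Challenge", "id": identifier,
                "value": value, "name": self.hostname}

    def respond(self, pkt):
        """Step 2: the peer looks up the secret for the challenger's name and
        returns the digest; the secret itself stays local."""
        secret = self.peer_secrets.get(pkt["name"], "")
        digest = chap_response(pkt["id"], secret, pkt["value"])
        return {"code": "Response", "id": pkt["id"],
                "value": digest, "name": self.hostname}

    def verify(self, pkt):
        """Step 3: the authenticator recomputes the digest with the secret it
        holds for the responder's name and answers Success or Failure."""
        challenge = self._pending.pop(pkt["id"], None)
        secret = self.peer_secrets.get(pkt["name"])
        if challenge is None or secret is None:
            return {"code": "Failure", "id": pkt["id"]}
        expected = chap_response(pkt["id"], secret, challenge)
        ok = hmac.compare_digest(expected, pkt["value"])
        return {"code": "Success" if ok else "Failure", "id": pkt["id"]}


def run_handshake(authenticator, peer, identifier=1):
    """Return the three packets exchanged, in order."""
    c = authenticator.challenge(identifier)
    r = peer.respond(c)
    return [c, r, authenticator.verify(r)]


def secret_on_wire(transcript, secret):
    """True if the secret's bytes appear in any packet (they never should)."""
    return any(secret.encode() in v
               for pkt in transcript for v in pkt.values() if isinstance(v, bytes))


if __name__ == "__main__":
    # Mirrors `username CCR password cisco` on HQE and `username HQE password cisco` on CCR.
    hqe = Router("HQE", {"CCR": "cisco"})
    ccr = Router("CCR", {"HQE": "cisco"})
    print([p["code"] for p in run_handshake(hqe, ccr)])     # Challenge, Response, Success
    wrong_case = Router("CCR", {"HQE": "Cisco"})            # passwords are case sensitive
    print(run_handshake(hqe, wrong_case, 2)[-1]["code"])    # Failure
```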


The method behind this link authentication is that both routers on the link hold a shared secret, so both need to be reading from the same page. However, neither actually sends any data over the network about the secret itself. This allows particularly complex passwords to be used, with hashing protecting what is sent over the transmission, making it increasingly difficult for a rogue device to authenticate on the network. The routers are set up with a default configuration using Cisco's proprietary encapsulation, HDLC; this is acceptable if both routers are Cisco branded, but it will not work with other vendors' devices, which you may be unaware of when connecting to a remote source. The following configuration was applied to each device to produce a working simulation of this authentication.

    HQE(config)# hostname HQE
    HQE(config)# username CCR password cisco
    HQE(config)# int se0/1
    HQE(config-if)# encapsulation ppp
    HQE(config-if)# ppp authentication chap

    CCR(config)# hostname CCR
    CCR(config)# username HQE password cisco
    CCR(config)# int se0/0
    CCR(config-if)# encapsulation ppp
    CCR(config-if)# ppp authentication chap

It is important during the configuration that both routers have the same password set, which is case sensitive, as they will fail authentication if this is not so. It is also optional that the no shutdown command is added during this configuration; however, as the devices were already configured with this during the addressing phase, it was omitted from the configuration stage.

With the main WAN link to the Plymouth office configured and secured, the network now needs to be configured with a Frame Relay interface. This is primarily a data link between multiple networks. This method of communication allows multiple interfaces to communicate without needing multiple physical lines. Within the simulation software, a cloud can be deployed to the network, within which a Frame Relay switch is situated.

The basis of the network relies on sub-interfaces, one for each routing device that you need to communicate with. Traffic from Router A destined for Router B is required to be assigned not only an IP address for routing, but a mapping to a DLCI, which is an identifier for the sub-network. Configuration on the devices is as follows:

    HQE(config)# int se0/0
    HQE(config-if)# encapsulation frame-relay

This configures the overall interface for Frame Relay encapsulation. This must also be configured on the other routers within the network that wish to communicate on the Frame Relay portion of the network. It is configured on the relevant interfaces; once configured, this leads into the sub-interface configuration.

    HQE(config-if)# int se0/0.102 point-to-point

The sub-interface number (.102) identifies the interface being configured; this connection was destined for the 2nd router in the cluster. The other interface would be incremented accordingly. This is generally for identification within the configuration, as it is easier to see which interface is which when the interface has a relevant number. The point-to-point keyword ensures that the connection is point-to-point; without it, Packet Tracer, and the network, will throw an error and not allow the configuration to continue.


    HQE(config-if)# int se0/0.102
    %Cannot create sub-interface

Once configured as point-to-point, the interface must also be assigned a DLCI number. This is an identifier, but it has been designed to correspond to the sub-interface numbers for ease of programming and configuration.

    HQE(config-if)# frame-relay interface-dlci 102

In the DLCI 102, the first digit (1) relates to the router that is currently being configured, and the last digit (2) relates to the router that is going to be virtually linked to this address.

    HQE(config-if)# description

It is sensible to configure a description on the device; this has no effect on the actual configuration, but on a large network design it may help at a later stage when reconfiguration of the network is needed. It is also helpful if you are joining the network and are taking over someone else's configuration. An IP address must also be configured; please see the addressing table above.

    HQE(config-if)# ip address 172.20.1.85 255.255.255.252

This can then also be completed for the other devices on the network. The Frame Relay portion of the configuration is now required. This is accessed via the control panel of the simulation software.

The individual interfaces must be configured via the control panel. This particular cloud supports 4 serial interfaces; however only 3 are being used, starting with the Serial0 interface. This process allows you to bind the DLCI number that was previously configured to the other end of the device/cloud. It is also worth noting that the cloud deals with the clock rate for the DCE end of the serial connection; this is set automatically. Assignment of a brief name is also recommended; for example, the 102 connection links router 1 and router 2, so the name R1-R2 has been created. This process is completed for all of the current links between the HQ, Poole and Bournemouth routers. The Plymouth Call Centre router is excluded, as it is not assigned to the cloud, due to the dedicated line that was installed for the connection. To ensure that the Frame Relay has a static map, it must be created. This can also be configured from the command line; however, due to limitations within the simulation software and the particular device chosen, the configuration was completed using the Frame Relay option within the cloud. This configuration creates the map, or link, between the DLCIs, and it is here that the importance of relevant names for these connections becomes evident.


As you will see, the serial connections are self-explanatory; however, if the sub-links were just called by their DLCI numbers, on a larger network this would become confusing. The use of names has therefore produced a clean and easy interface that allows any user to clearly see what configuration has taken place.

With the backbone links configured, the stub networks now need to be configured. As the configuration of the wired networks has already taken place and addressing has been completed, the wireless network needs to be configured. Due to the limitations of the simulation software, encryption and other securing technologies only partially work; however, access points are used to simulate what the area will be called and the devices connected to it. The access point is configured to show an SSID of SalesBMouth, and has been configured on channel 6. As this is the only wireless broadcaster in the area/office, channel requirements are lower, as there will be little interference from other potential devices. Wireless devices are also configured so that they will only connect to this access point. They are also dynamically provided an address, as before, from the closest router, in this case Sales Bournemouth.

    ip dhcp pool IPSB
     network 172.20.0.128 255.255.255.128
     default-router 172.20.0.254
     dns-server 198.198.1.2

The routers communicate with each network using the open standard OSPF, and have all been configured in OSPF Area 0. The following configuration was completed on each router respectively.

    HQE(config)# router ospf 1
    HQE(config-router)# network 172.20.1.80 0.0.0.3 area 0
    HQE(config-router)# network 172.20.1.64 0.0.0.15 area 0
    HQE(config-router)# network 172.20.1.84 0.0.0.3 area 0
    HQE(config-router)# network 172.20.1.92 0.0.0.3 area 0
    HQE(config-router)# default-information originate

This configures the HQE router for OSPF process 1, with an area of 0. This is also configured respectively on the adjacent routers. Upon correct configuration of the routers, a routing table is propagated; this extract is from the HQE router.


    HQE#show ip route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default, U - per-user static route, o - ODR
           P - periodic downloaded static route

    Gateway of last resort is 0.0.0.0 to network 0.0.0.0

         172.20.0.0/16 is variably subnetted, 10 subnets, 4 masks
    O       172.20.0.0/25 [110/65] via 172.20.1.82, 00:05:24, Serial0/1
    O       172.20.0.128/25 [110/65] via 172.20.1.94, 00:05:24, Serial0/0.103
    O       172.20.1.0/26 [110/65] via 172.20.1.86, 00:05:24, Serial0/0.102
    C       172.20.1.64/29 is directly connected, FastEthernet0/0.10
    C       172.20.1.80/30 is directly connected, Serial0/1
    C       172.20.1.84/30 is directly connected, Serial0/0.102
    O       172.20.1.88/30 [110/128] via 172.20.1.86, 00:05:24, Serial0/0.102
                           [110/128] via 172.20.1.94, 00:05:24, Serial0/0.103
    C       172.20.1.92/30 is directly connected, Serial0/0.103
    C       172.20.1.96/30 is directly connected, FastEthernet0/0.20
    C       172.20.1.100/30 is directly connected, FastEthernet0/0.30
    C    198.198.1.0/24 is directly connected, FastEthernet0/1
    C    200.1.1.0/24 is directly connected, Serial0/3
    S*   0.0.0.0/0 is directly connected, Serial0/3

Note that any route marked O has been learnt via OSPF, C is a route created via a physical connection, and S* is a route that has been statically programmed. In this situation the default gateway, or gateway of last resort, has been programmed for Se0/3, as this is the WAN link and is required for the network to function.

    HQE(config)# ip route 0.0.0.0 0.0.0.0 se0/3

This means that any traffic the router is unsure about will be forwarded out of Se0/3, which is the WAN port. Any packet that is not for a connected or mapped network will have originated from that port, so it will return on that line, as the next connecting router may be aware of its destination.

It was also required that a website be viewable over the Internet link; all systems on the network should be able to view this page, regardless of their location. This was started by turning the HTTP server on at the remote end of the network. This server is pre-addressed at 210.1.1.2 255.255.255.0. This address will need to be added to the DNS server, and as such packets from the hosts will travel to the HQ router, into the DNS network, locate the HTTP server and begin the transfer of a simple webpage over the HTTP protocol. At this point no access lists have been created, so HTTP traffic is allowed over the whole network. Both will currently hit the server and provide the webpage. This is because DNS is enabled, as the screenshot shows.


As this screenshot shows, the DNS server has an entry for the website, www.example.com. This website was provided pre-configured. You will also note that the other servers are running websites; this is for later expansion when pings are disabled but HTTP requests are active, and has been planned ahead.

The configuration of NAT, or network address translation, was also required within the project. This disguises an internal network as one IP address, so that external requests only see the public IP address. This is common practice for users that require more than the one address usually provided by the ISP. In this case, the public IP is 199.199.199.1. The current WAN connection is connected to the HQ router on 200.1.1.2 255.255.255.0. This will need to be translated to allow users to connect to the public IP address. The configuration of NAT is relatively simple, and similar to many other protocols: you define a rule, and then assign it to a port.

    HQE(config)# ip nat pool publicnat 199.199.199.1 199.199.199.1 netmask 255.255.255.0

This creates a NAT pool to which devices can be assigned. Inside the NAT pool means inside the local network, whereas outside refers to network connections that will require NAT to be applied. For example:

    !
    interface FastEthernet0/1
     ip address 198.198.1.254 255.255.255.0
     ip nat inside
     duplex auto
     speed auto
    !

As you can see from this extract of the configuration file, the interface for the DNS server is regarded as inside the NAT pool, and has been configured accordingly.

    interface Serial0/3
     ip address 200.1.1.2 255.255.255.0
     ip nat outside

This interface is located outside the NAT pool and has been configured accordingly. Testing of this configuration will be shown at a later stage of this report, but in basic principle any interface that is configured with an inside address will be translated to the outside address.

Telnet and ping were also required to be disabled on the interfaces, with the exception of the IT support team. This was configured with ACLs. An ACL is put in place to deny or permit access; however, only one ACL can be active per interface, so it must be precise and define every protocol that you require to pass through the system.


To disable Telnet, firstly the Telnet interface must be selected, on all of the routers. Telnet is accessible via the VTY 0 4 lines. To disable a service such as Telnet, an extended list must be created.

    HQE(config)# access-list 102 deny tcp any any eq telnet
    HQE(config)# line vty 0 4
    HQE(config-line)# access-class 102 in

A similar principle was configured for use with ping etc. The following ACL was implemented:

    access-list 101 permit tcp any any eq www
    access-list 101 permit tcp any any eq 443
    access-list 101 permit udp any any eq domain
    access-list 101 permit udp any any eq bootps
    access-list 101 permit icmp any any echo-reply

This was applied to the interface, which allowed HTTP traffic, DNS and DHCP. It will also respond to any ping request that comes into the machine; however, as it is applied to the inbound interface, any ping that originates from the Internet network will fail. Using this principle it is possible to allow traffic from certain networks to other networks. This is used when trying to communicate with the Engineering server, so that only machines from that server's network will be allowed.

    access-list 2 permit 172.20.1.0 0.0.0.63
    access-list 2 permit 172.20.1.64 0.0.0.7
    access-list 2 permit 172.20.1.96 0.0.0.3
    access-list 2 deny any

This allows the relevant networks to communicate.
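The access lists above can be exercised against sample packets before they are applied. The following is an added example, not code from the report: it parses the ACL lines shown in this section, applies Cisco wildcard-mask matching (a 0 bit must match, a 1 bit is ignored) with first-match processing and the implicit deny, and evaluates constructed packets for the Engineering server list (ACL 2), the inbound WAN list (ACL 101) and the VTY list (ACL 102). The source 210.1.1.2 is the page's web server; the other packet fields are constructed for the test.

```python
"""Evaluate the section's access lists against sample packets using Cisco
wildcard-mask semantics (a 0 bit must match, a 1 bit is ignored) and
first-match processing with the implicit deny at the end.

Added example, not part of the original report. The ACL lines are the ones
shown above; the packets are constructed for this example.
"""
import ipaddress

PORT_NAMES = {"www": 80, "telnet": 23, "domain": 53, "bootps": 67, "bootpc": 68}

ACL_LINES = """\
access-list 2 permit 172.20.1.0 0.0.0.63
access-list 2 permit 172.20.1.64 0.0.0.7
access-list 2 permit 172.20.1.96 0.0.0.3
access-list 2 deny any
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit udp any any eq domain
access-list 101 permit udp any any eq bootps
access-list 101 permit icmp any any echo-reply
access-list 102 deny tcp any any eq telnet
""".splitlines()


def wildcard_match(addr, base, wildcard):
    """True when every bit that is 0 in the wildcard agrees between addr and base."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def _address(tokens, i):
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_acls(lines):
    """{number: [entry, ...]} in configured order. Numbers 1-99 are standard
    (source only); 100-199 are extended (protocol, source, destination, port/type)."""
    acls = {}
    for line in lines:
        tok = line.split()
        number, entry = int(tok[1]), {"action": tok[2]}
        if number <= 99:
            entry["src"], _ = _address(tok, 3)
        else:
            entry["proto"] = tok[3]
            entry["src"], i = _address(tok, 4)
            entry["dst"], i = _address(tok, i)
            rest = tok[i:]
            if rest[:1] == ["eq"]:
                entry["dport"] = PORT_NAMES.get(rest[1]) or int(rest[1])
            elif rest and entry["proto"] == "icmp":
                entry["icmp_type"] = rest[0]
        acls.setdefault(number, []).append(entry)
    return acls


def matches(entry, pkt):
    """Every field the entry specifies must agree with the packet."""
    if not wildcard_match(pkt["src"], *entry["src"]):
        return False
    if "dst" in entry and not wildcard_match(pkt["dst"], *entry["dst"]):
        return False
    if "proto" in entry and entry["proto"] != pkt["proto"]:
        return False
    if "dport" in entry and pkt.get("dport") != entry["dport"]:
        return False
    if "icmp_type" in entry and pkt.get("icmp_type") != entry["icmp_type"]:
        return False
    return True


def evaluate(acl, pkt):
    """First matching entry decides; anything unmatched hits the implicit deny."""
    for entry in acl:
        if matches(entry, pkt):
            return entry["action"]
    return "deny"


ACLS = parse_acls(ACL_LINES)

if __name__ == "__main__":
    # Constructed packets: ACL 2 is judged on source; ACL 101 on inbound WAN traffic.
    for src in ("172.20.1.5", "172.20.1.70", "172.20.1.97", "172.20.0.10", "172.20.1.85"):
        print("ACL 2  ", src, evaluate(ACLS[2], {"src": src, "dst": "172.20.1.98", "proto": "ip"}))
    wan = {"src": "210.1.1.2", "dst": "172.20.1.70"}
    for extra in ({"proto": "tcp", "dport": 80}, {"proto": "tcp", "dport": 23},
                  {"proto": "icmp", "icmp_type": "echo"}, {"proto": "icmp", "icmp_type": "echo-reply"}):
        print("ACL 101", extra, evaluate(ACLS[101], {**wan, **extra}))
```

Because access-list 102 contains only a deny entry, the implicit deny at its end means every connection to the VTY lines is refused, not just Telnet; that matches the requirement here, but it is the behaviour to keep in mind if remote administration is ever wanted.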

3.0 Testing of the Network

Testing will be completed as per the specification.


3.1 Phase 1 Testing

After completion of Phase 1, the network is fully addressed; however no routing protocols have been configured yet. As you can see, both devices are addressed via DHCP, which was implemented early so as to avoid re-addressing the whole scheme.

A simple ping command shows us:

    Packet Tracer PC Command Line 1.0
    PC>ping 172.20.0.1

    Pinging 172.20.0.1 with 32 bytes of data:

    Reply from 172.20.1.78: Destination host unreachable.
    Reply from 172.20.1.78: Destination host unreachable.
    Reply from 172.20.1.78: Destination host unreachable.
    Reply from 172.20.1.78: Destination host unreachable.

    Ping statistics for 172.20.0.1:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

The ping managed to get to the routing device, but did not make it past the router, as no routing protocol has been put in place. At this stage static routes could be implemented, but they have not been specified, so have been left out. This stage also shows that Telnet and pings have not yet been disabled, as the client can technically ping a device, and a Telnet query responds with:

    PC>telnet 172.20.1.78
    Trying 172.20.1.78 ...Open

Although this will fail, as no authentication information has been included in the router's configuration. Due to this, no further testing can be completed, as the network is not fully functional. Each domain of the network functions, but no communication can be provided over a WAN link.

3.2 Testing of Phase 2

Phase 2.1 focuses on allowing the WAN links to be encrypted and authorised using PPP and CHAP. These protocols are installed using the configuration explained previously.


    username CCR password 0 cisco
    interface Serial0/1
     ip address 172.20.1.81 255.255.255.252
     encapsulation ppp
     ppp authentication chap
     bandwidth 64
     clock rate 64000

    username HQE password 0 cisco
    interface Serial0/0
     ip address 172.20.1.82 255.255.255.240
     encapsulation ppp
     ppp authentication chap

These extracts from each router respectively show that the encapsulation mode has been set on the serial interface. They also show that the bandwidth has been set at the DCE end of the connection. Connectivity can be tested using a ping from within the router.

    CCR#ping 172.20.1.81

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.20.1.81, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 3/4/5 ms

As you can see from the results, the ping was successful, showing that connectivity is active on the newly secured connection. Frame Relay was also required to be configured; this required that the system Cloud0 have the appropriate configuration applied, as previously described. With that configuration applied, the system could ping from any of the 3 routers in the cluster. For the purpose of the test, OSPF was also configured, and all of the routers were tested. Pings have been completed over the internal backbones of the network and the serial WAN links, both forwards and backwards; all of those pings were successful.

Appendix

ISP Router

    Router#show run


    Building configuration...

    Current configuration : 1003 bytes
    !
    version 12.2
    no service timestamps log datetime msec
    no service timestamps debug datetime msec
    no service password-encryption
    !
    hostname Router
    !
    interface FastEthernet0/0
     ip address 210.1.1.1 255.255.255.0
     ip nat inside
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     no ip address
     duplex auto
     speed auto
     shutdown
    !
    interface Serial0/0
     ip address 200.1.1.1 255.255.255.0
     ip nat outside
     clock rate 4000000
    !
    interface Serial0/1
     no ip address
     shutdown
    !
    interface Serial0/2
     no ip address
     shutdown
    !
    interface Serial0/3
     no ip address
     shutdown
    !
    interface FastEthernet1/0
     no ip address
     duplex auto
     speed auto
     shutdown
    !


    interface FastEthernet1/1
     no ip address
     duplex auto
     speed auto
     shutdown
    !
    router rip
     network 200.1.1.0
     network 210.1.1.0
    !
    ip nat inside source static 210.1.1.2 200.1.1.1
    ip classless
    ip route 172.20.0.0 255.255.0.0 200.1.1.2
    ip route 0.0.0.0 0.0.0.0 Serial0/0
    !
    line con 0
    line vty 0 4
     login
    !
    end

HQ Exeter Router

    HQE(config)#do show run
    Building configuration...

    Current configuration : 2620 bytes
    !
    version 12.2
    no service timestamps log datetime msec
    no service timestamps debug datetime msec
    no service password-encryption
    !
    hostname HQE
    !
    enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
    !
    username CCR password 0 cisco
    !


    interface FastEthernet0/0
     no ip address
     ip nat inside
     duplex auto
     speed auto
    !
    interface FastEthernet0/0.10
     encapsulation dot1Q 10
     ip address 172.20.1.70 255.255.255.248
    !
    interface FastEthernet0/0.20
     encapsulation dot1Q 20
     ip address 172.20.1.98 255.255.255.252
     ip access-group 2 in
     ip access-group 2 out
    !
    interface FastEthernet0/0.30
     encapsulation dot1Q 30
     ip address 172.20.1.102 255.255.255.252
    !
    interface FastEthernet0/1
     ip address 198.198.1.254 255.255.255.0
     ip nat inside
     duplex auto
     speed auto
    !
    interface Serial0/0
     no ip address
     encapsulation frame-relay
     ip access-group 100 in
     ip access-group 100 out
     ip nat inside
    !
    interface Serial0/0.102 point-to-point
     ip address 172.20.1.85 255.255.255.252
     frame-relay interface-dlci 102
     ip access-group 110 in
     ip access-group 100 out
     ip nat inside
    !
    interface Serial0/0.103 point-to-point
     ip address 172.20.1.93 255.255.255.252
     frame-relay interface-dlci 103
     ip access-group 110 in
     ip access-group 100 out
     ip nat inside
    !
    interface Serial0/1
     ip address 172.20.1.81 255.255.255.252
     encapsulation ppp
     ppp authentication chap
     ip access-group 110 in
     ip access-group 100 out
     ip nat inside
     clock rate 64000
    !
    interface Serial0/2
     no ip address
     shutdown


    !
    interface Serial0/3
     ip address 200.1.1.2 255.255.255.0
     ip nat outside
    !
    interface FastEthernet1/0
     no ip address
     duplex auto
     speed auto
     shutdown
    !
    interface FastEthernet1/1
     no ip address
     duplex auto
     speed auto
     shutdown
    !
    router ospf 1
     log-adjacency-changes
     network 172.20.1.80 0.0.0.3 area 0
     network 172.20.1.64 0.0.0.15 area 0
     network 172.20.1.84 0.0.0.3 area 0
     network 172.20.1.92 0.0.0.3 area 0
    !
    router rip
    !
    ip nat pool publicnat 199.199.199.1 199.199.199.1 netmask 255.255.255.0
    ip nat inside source list 1 pool publicnat overload
    ip classless
    ip route 198.198.1.0 255.255.255.0 198.198.1.2
    ip route 0.0.0.0 0.0.0.0 Serial0/3
    !
    access-list 1 permit 172.20.0.0 0.0.255.255
    access-list 2 permit 172.20.1.0 0.0.0.63
    access-list 2 permit 172.20.1.64 0.0.0.7
    access-list 2 permit 172.20.1.96 0.0.0.3
    access-list 2 deny any
    access-list 102 deny tcp any any eq telnet
    !
    ip dhcp excluded-address 172.20.1.70
    !
    ip dhcp pool IPSUP
     network 172.20.1.64 255.255.255.248
     default-router 172.20.1.70
     dns-server 198.198.1.2
    !
    line con 0
     password cisco
     login
    line vty 0 4
     password cisco
     login
    !
    end


DSW0 Switch

Switch#show run
Building configuration...

Current configuration : 2164 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch
!
enable secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1
!
interface FastEthernet0/1
 switchport mode trunk
 switchport port-security mac-address sticky
!
interface FastEthernet0/2
 switchport access vlan 20
 switchport mode access
 switchport port-security mac-address sticky
!
interface FastEthernet0/3
 switchport access vlan 30
 switchport mode access
 switchport port-security mac-address sticky
!
interface FastEthernet0/4
 switchport access vlan 10
 switchport mode access
 switchport port-security mac-address sticky
!
interface FastEthernet0/5
 switchport access vlan 10
 switchport mode access
 switchport port-security mac-address sticky
!
interface FastEthernet0/6
 switchport access vlan 10
 switchport mode access
 switchport port-security mac-address sticky
!
interface FastEthernet0/7
 switchport access vlan 10
 switchport mode access
 switchport port-security mac-address sticky
!
interface FastEthernet0/8
 switchport access vlan 10
 switchport mode access
 switchport port-security mac-address sticky
!
interface FastEthernet0/9
 switchport access vlan 10
 switchport mode access
 switchport port-security mac-address sticky
!
interface FastEthernet0/10
 shutdown
!
interface FastEthernet0/11
 shutdown
!
interface FastEthernet0/12
 shutdown
!
interface FastEthernet0/13
 shutdown
!
interface FastEthernet0/14
 shutdown
!
interface FastEthernet0/15
 shutdown
!
interface FastEthernet0/16
 shutdown
!
interface FastEthernet0/17
 shutdown
!
interface FastEthernet0/18
 shutdown
!
interface FastEthernet0/19
 shutdown
!
interface FastEthernet0/20
 shutdown
!
interface FastEthernet0/21
 shutdown
!
interface FastEthernet0/22
 shutdown
!
interface FastEthernet0/23
 shutdown
!
interface FastEthernet0/24
 shutdown
!
interface GigabitEthernet1/1
 shutdown
!
interface GigabitEthernet1/2
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
banner motd ^C It is illegal to interfere with swit^C
!
line con 0
 password cisco
 login
!
line vty 0 4
 password cisco
 login
line vty 5 15
 login
!
end

CCR Router

CCR#show run
Building configuration...

Current configuration : 1565 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname CCR
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
username HQE password 0 cisco
!
interface FastEthernet0/0
 ip address 172.20.0.126 255.255.255.128
 ip access-group 100 out
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0
 ip address 172.20.1.82 255.255.255.252
 encapsulation ppp
 ppp authentication chap
!
interface Serial0/1
 no ip address
 shutdown
!
interface Serial0/2
 no ip address
 shutdown
!
interface Serial0/3
 no ip address
 shutdown
!
interface FastEthernet1/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet1/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 172.20.1.80 0.0.0.3 area 0
 network 172.20.0.0 0.0.0.127 area 0
 default-information originate
!
router rip
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit udp any any eq domain
access-list 101 permit udp any any eq bootps
access-list 101 permit icmp any any echo-reply
access-list 102 deny tcp any any eq telnet
!
ip dhcp pool IPCC
 network 172.20.0.0 255.255.255.128
 default-router 172.20.0.126
 dns-server 198.198.1.2
!
no cdp run
!
line con 0
 password cisco
 login
line vty 0 4
 access-class 102 in
 password cisco
 login
!
end


CC Switch

Switch#show run
Building configuration...

Current configuration : 1009 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23


!
interface FastEthernet0/24
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface Vlan1
 no ip address
 shutdown
!
line con 0
!
line vty 0 4
 login
line vty 5 15
 login
!
end

Engineering Poole Router

EP#show run
Building configuration...

Current configuration : 1738 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname EP
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
interface FastEthernet0/0
 ip address 172.20.1.62 255.255.255.192
 ip access-group 100 out
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
!
interface Serial0/0.201 point-to-point
 ip address 172.20.1.86 255.255.255.252
 frame-relay interface-dlci 201
!
interface Serial0/0.203 point-to-point
 ip address 172.20.1.89 255.255.255.252
 frame-relay interface-dlci 203
!
interface Serial0/1
 no ip address
 shutdown
!
interface Serial0/2
 no ip address
 shutdown
!
interface Serial0/3
 no ip address
 shutdown
!
interface FastEthernet1/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet1/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 172.20.1.0 0.0.0.63 area 0
 network 172.20.1.84 0.0.0.3 area 0
 network 172.20.1.88 0.0.0.3 area 0
 default-information originate
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.20.1.85
!
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit udp any any eq domain
access-list 101 permit udp any any eq bootps
access-list 101 permit icmp any any echo-reply
access-list 102 deny tcp any any eq telnet
!
ip dhcp pool IPEP
 network 172.20.1.0 255.255.255.192
 default-router 172.20.1.62
 dns-server 198.198.1.2
!
no cdp run
!
line con 0
 password cisco
 login
line vty 0 4
 access-class 102 in
 password cisco
 login
!
end

Engineering Poole Switch

Switch#show run
Building configuration...

Current configuration : 1039 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch


!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface Vlan1
 no ip address
 shutdown
!
ip access-list extended ping1


line con 0
!
line vty 0 4
 login
line vty 5 15
 login
!
end

Sales Bournemouth Router

SB#show run
Building configuration...

Current configuration : 1720 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname SB
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
interface FastEthernet0/0
 ip address 172.20.0.254 255.255.255.128
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
!
interface Serial0/0.301 point-to-point
 ip address 172.20.1.94 255.255.255.252
 frame-relay interface-dlci 301
!
interface Serial0/0.302 point-to-point
 ip address 172.20.1.90 255.255.255.252
 frame-relay interface-dlci 302
!
interface Serial0/1
 no ip address
 shutdown
!
interface Serial0/2
 no ip address
 shutdown
!
interface Serial0/3
 no ip address
 shutdown
!
interface FastEthernet1/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet1/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 172.20.0.128 0.0.0.127 area 0
 network 172.20.1.88 0.0.0.3 area 0
 network 172.20.1.92 0.0.0.3 area 0
 default-information originate
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.20.1.93
!
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit udp any any eq domain
access-list 101 permit udp any any eq bootps
access-list 101 permit icmp any any echo-reply
access-list 102 deny tcp any any eq telnet
!
ip dhcp pool IPSB
 network 172.20.0.128 255.255.255.128
 default-router 172.20.0.254
 dns-server 198.198.1.2
!
no cdp run
!
line con 0
 password cisco
 login
line vty 0 4
 access-class 102 in
 password cisco
 login
!
end
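The running configurations above apply ACLs that are never defined (HQE applies access-groups 100 and 110 on its WAN interfaces but only defines access-lists 1, 2 and 102; CCR and EP apply access-group 100 outbound on FastEthernet0/0 while defining 101 and 102), and in IOS an access-group that names a non-existent list filters nothing. The following audit script is an added example, not part of the report; it parses an IOS running-config and reports both dangling references and ACLs that are defined but never applied, using a trimmed excerpt of the HQE configuration as its sample input.

```python
"""Audit a Cisco IOS running-config for dangling ACL references: an
``ip access-group``/``access-class`` that names an undefined ACL filters
nothing (IOS treats the missing list as permit-any); a defined but
never-applied ACL is inert.  Added example, not from the report."""
import re
from collections import defaultdict

# Constructed sample: trimmed excerpt of the HQE running-config above.
SAMPLE_CONFIG = """\
interface FastEthernet0/0.20
 ip access-group 2 in
 ip access-group 2 out
!
interface Serial0/0.102 point-to-point
 ip access-group 110 in
 ip access-group 100 out
!
ip nat inside source list 1 pool publicnat overload
!
access-list 1 permit 172.20.0.0 0.0.255.255
access-list 2 permit 172.20.1.0 0.0.0.63
access-list 2 deny any
access-list 102 deny tcp any any eq telnet
!
line vty 0 4
 password cisco
 login
"""

# Numbered "access-list N ..." or named "ip access-list standard|extended NAME".
DEFINE_RE = re.compile(r"^(?:access-list (\S+)|ip access-list (?:standard|extended) (\S+))")
# Interface/vty applications are indented under their stanza; NAT is top-level.
APPLY_RE = re.compile(r"^\s+(?:ip access-group|access-class) (\S+) (in|out)\b")
NAT_RE = re.compile(r"^ip nat inside source list (\S+)")


def audit_acls(config):
    """Return ([(stanza, acl, direction)] of undefined refs, sorted unused ACLs)."""
    defined, applied, stanza = set(), defaultdict(list), None
    for line in config.splitlines():
        if line and not line[0].isspace():
            stanza = line.strip()          # top-level command starts a stanza
        if m := DEFINE_RE.match(line):
            defined.add(m.group(1) or m.group(2))
        elif m := APPLY_RE.match(line):
            applied[m.group(1)].append((stanza, m.group(2)))
        elif m := NAT_RE.match(line):
            applied[m.group(1)].append((stanza, "nat"))
    undefined = [(ctx, acl, d) for acl, uses in applied.items()
                 if acl not in defined for ctx, d in uses]
    unused = sorted(defined - set(applied), key=lambda a: (len(a), a))
    return undefined, unused


if __name__ == "__main__":
    for ctx, acl, d in audit_acls(SAMPLE_CONFIG)[0]:
        print(f"ACL {acl} applied {d} on '{ctx}' is undefined: traffic unfiltered")
    print("defined but never applied:", audit_acls(SAMPLE_CONFIG)[1])
```

Run against the full HQE, CCR and EP configurations the same check flags access-groups 100 and 110 as undefined on every interface that applies them.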

Routing Tables

HQE

HQE#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     172.20.0.0/16 is variably subnetted, 10 subnets, 4 masks
O       172.20.0.0/25 [110/65] via 172.20.1.82, 00:05:24, Serial0/1
O       172.20.0.128/25 [110/65] via 172.20.1.94, 00:05:24, Serial0/0.103
O       172.20.1.0/26 [110/65] via 172.20.1.86, 00:05:24, Serial0/0.102
C       172.20.1.64/29 is directly connected, FastEthernet0/0.10
C       172.20.1.80/30 is directly connected, Serial0/1
C       172.20.1.84/30 is directly connected, Serial0/0.102
O       172.20.1.88/30 [110/128] via 172.20.1.86, 00:05:24, Serial0/0.102
                       [110/128] via 172.20.1.94, 00:05:24, Serial0/0.103
C       172.20.1.92/30 is directly connected, Serial0/0.103
C       172.20.1.96/30 is directly connected, FastEthernet0/0.20
C       172.20.1.100/30 is directly connected, FastEthernet0/0.30
C    198.198.1.0/24 is directly connected, FastEthernet0/1
C    200.1.1.0/24 is directly connected, Serial0/3
S*   0.0.0.0/0 is directly connected, Serial0/3

CCR Routing Table

CCR#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     172.20.0.0/16 is variably subnetted, 8 subnets, 4 masks
C       172.20.0.0/25 is directly connected, FastEthernet0/0
O       172.20.0.128/25 [110/129] via 172.20.1.81, 00:11:37, Serial0/0
O       172.20.1.0/26 [110/129] via 172.20.1.81, 00:11:37, Serial0/0
O       172.20.1.64/29 [110/65] via 172.20.1.81, 00:11:37, Serial0/0
C       172.20.1.80/30 is directly connected, Serial0/0
O       172.20.1.84/30 [110/128] via 172.20.1.81, 00:11:37, Serial0/0
O       172.20.1.88/30 [110/192] via 172.20.1.81, 00:11:37, Serial0/0
O       172.20.1.92/30 [110/128] via 172.20.1.81, 00:11:37, Serial0/0
S*   0.0.0.0/0 is directly connected, Serial0/0

EP

EP#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 172.20.1.85 to network 0.0.0.0

     172.20.0.0/16 is variably subnetted, 8 subnets, 4 masks
O       172.20.0.0/25 [110/129] via 172.20.1.85, 00:12:03, Serial0/0.201
O       172.20.0.128/25 [110/65] via 172.20.1.90, 00:12:03, Serial0/0.203
C       172.20.1.0/26 is directly connected, FastEthernet0/0
O       172.20.1.64/29 [110/65] via 172.20.1.85, 00:12:13, Serial0/0.201
O       172.20.1.80/30 [110/128] via 172.20.1.85, 00:12:13, Serial0/0.201
C       172.20.1.84/30 is directly connected, Serial0/0.201
C       172.20.1.88/30 is directly connected, Serial0/0.203
O       172.20.1.92/30 [110/128] via 172.20.1.85, 00:12:13, Serial0/0.201
                       [110/128] via 172.20.1.90, 00:12:03, Serial0/0.203
S*   0.0.0.0/0 [1/0] via 172.20.1.85

SB

SB#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 172.20.1.93 to network 0.0.0.0

     172.20.0.0/16 is variably subnetted, 8 subnets, 4 masks
O       172.20.0.0/25 [110/129] via 172.20.1.93, 00:12:25, Serial0/0.301
C       172.20.0.128/25 is directly connected, FastEthernet0/0
O       172.20.1.0/26 [110/65] via 172.20.1.89, 00:12:35, Serial0/0.302
O       172.20.1.64/29 [110/65] via 172.20.1.93, 00:12:35, Serial0/0.301
O       172.20.1.80/30 [110/128] via 172.20.1.93, 00:12:35, Serial0/0.301
O       172.20.1.84/30 [110/128] via 172.20.1.93, 00:12:35, Serial0/0.301
                       [110/128] via 172.20.1.89, 00:12:35, Serial0/0.302
C       172.20.1.88/30 is directly connected, Serial0/0.302
C       172.20.1.92/30 is directly connected, Serial0/0.301
S*   0.0.0.0/0 [1/0] via 172.20.1.93
