Showing posts with label challenge.

Wednesday, May 23, 2018

Challenge: BGP

I was hanging out in theLANtamer's Discord server and a friend showed me this challenge.

I later found out, after I had completed the challenge, that it was a BGP challenge from the Great Vinit Jain (https://twitter.com/vinugenie), from his Cisco Live presentation, at around 12 minutes in: https://www.ciscolive.com/global/on-demand-library/?search=BRKRST%203320#/video/1519328378542002IVEW


The Challenge:


The Solution:


The Configs:


R1:



hostname R1

interface Loopback100
 ip address 100.1.1.1 255.255.255.255

interface FastEthernet0/0
 description "To R2"
 ip address 10.1.12.1 255.255.255.0


router bgp 100
 bgp log-neighbor-changes
 network 100.1.1.1 mask 255.255.255.255
 neighbor 10.1.12.2 remote-as 200


R2:



hostname R2

ip vrf 200
 rd 200:200


interface FastEthernet0/0
 description "To R1"
 ip vrf forwarding 200
 ip address 10.1.12.2 255.255.255.0

interface FastEthernet1/0
 description "To R3"
 ip vrf forwarding 200
 ip address 10.1.23.2 255.255.255.0


router bgp 200
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf 200
  neighbor 10.1.12.1 remote-as 100
  neighbor 10.1.12.1 activate
  neighbor 10.1.23.3 remote-as 100
  neighbor 10.1.23.3 activate
  neighbor 10.1.23.3 as-override
 exit-address-family


R3:


hostname R3

interface FastEthernet0/0
 description "To R4"
 ip address 10.1.34.3 255.255.255.0

interface FastEthernet1/0
 description "To R2"
 ip address 10.1.23.3 255.255.255.0

router bgp 250
 bgp log-neighbor-changes
 neighbor 10.1.23.2 remote-as 200
 neighbor 10.1.23.2 local-as 100 no-prepend replace-as
 neighbor 10.1.34.4 remote-as 200
 neighbor 10.1.34.4 local-as 200 no-prepend replace-as


R4:


hostname R4

interface FastEthernet0/0
 description "To R3"
 ip address 10.1.34.4 255.255.255.0

interface FastEthernet1/0
 description "To R5"
 ip address 10.1.45.4 255.255.255.0

router bgp 200
 bgp log-neighbor-changes
 neighbor 10.1.34.3 remote-as 200
 neighbor 10.1.45.5 remote-as 300


R5:


hostname R5

interface FastEthernet1/0
 description "To R4"
 ip address 10.1.45.5 255.255.255.0

router bgp 300
 bgp log-neighbor-changes
 neighbor 10.1.45.4 remote-as 200


R5 - Verify:


R5#sho ip bgp
BGP table version is 13, local router ID is 10.1.45.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  100.1.1.1/32     10.1.45.4                              0 200 200 200 i
R5#
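An added example (my code, not from the original post or from the presentation it credits): the point of the challenge is that R2's as-override and R3's local-as / replace-as settings rewrite the AS_PATH, so R5 sees 200 200 200 and AS 100, where 100.1.1.1/32 actually originates, never appears in the path. AS_PATH is therefore not a provenance signal, which is exactly why the output header carries RPKI validation codes. The script below parses the show ip bgp table above (retyped as a constructed sample), takes the rightmost AS as the origin per RFC 6811 and validates it against a ROA table. The ROA saying that AS 100 originates 100.1.1.1/32 is an assumption made for the example, not something the lab configured.

```python
import ipaddress
import re

# Constructed sample: the "show ip bgp" output R5 printed on this page, retyped here.
# Column alignment matters: IOS right-aligns Weight and starts Path under the header.
SHOW_IP_BGP_R5 = """\
BGP table version is 13, local router ID is 10.1.45.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  100.1.1.1/32     10.1.45.4                              0 200 200 200 i
"""

# Assumed ROA (not on the page): R1 in AS 100 is the legitimate origin of 100.1.1.1/32.
# Each entry is (prefix, maxLength, origin AS).
ROAS = [("100.1.1.1/32", 32, 100)]

_ROUTE_RE = re.compile(
    r"^(?P<status>[\s*>sdhrSmbfxaci]*?)"            # status codes, e.g. " *> "
    r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})"  # network in CIDR form
    r"\s+(?P<nexthop>\S+)"
)


def parse_show_ip_bgp(text):
    """Parse 'show ip bgp' table lines into dicts with prefix, next hop, AS path, origin."""
    lines = text.splitlines()
    header = next(i for i, l in enumerate(lines) if "Network" in l and "Path" in l)
    path_col = lines[header].index("Path")
    routes = []
    for line in lines[header + 1:]:
        m = _ROUTE_RE.match(line)
        if not m or len(line) <= path_col:
            continue  # blank, wrapped or malformed line
        # Everything under the Path header: AS numbers followed by the origin code.
        start = path_col
        while start > 0 and line[start - 1] != " ":
            start -= 1  # never cut an AS number in half if the columns drift by one
        tokens = line[start:].split()
        routes.append({
            "prefix": m.group("prefix"),
            "next_hop": m.group("nexthop"),
            "best": ">" in m.group("status"),
            # AS_SETs ({...}) are ignored here; this lab only has plain AS_SEQUENCEs.
            "as_path": [int(t) for t in tokens[:-1] if t.isdigit()],
            "origin_code": tokens[-1],
        })
    return routes


def origin_as(route, local_as):
    """RFC 6811: the origin AS is the rightmost AS in AS_PATH; an empty path means
    the route was originated locally or learned over iBGP, so it is our own AS."""
    return route["as_path"][-1] if route["as_path"] else local_as


def rpki_state(prefix, origin, roas):
    """Return the origin-validation state the IOS output abbreviates as V / I / N."""
    net = ipaddress.ip_network(prefix)
    covering = [r for r in roas if ipaddress.ip_network(r[0]).supernet_of(net)]
    if not covering:
        return "N"
    for _, maxlen, asn in covering:
        if asn == origin and net.prefixlen <= maxlen:
            return "V"
    return "I"


def audit(text, roas, local_as):
    """Validate every route in the table against the ROAs."""
    results = []
    for r in parse_show_ip_bgp(text):
        o = origin_as(r, local_as)
        results.append((r["prefix"], r["as_path"], o, rpki_state(r["prefix"], o, roas)))
    return results


if __name__ == "__main__":
    for prefix, path, o, state in audit(SHOW_IP_BGP_R5, ROAS, local_as=300):
        print(f"{prefix}: path={path} origin_as={o} rpki={state}")
```

Run against the table above, the only route comes back with origin AS 200 and state I: the path rewriting that makes the challenge interesting is indistinguishable, from R5's seat, from a hijack of AS 100's prefix, and only an out-of-band origin record tells the two apart.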

Friday, April 20, 2018

Challenge: RIP - GET-VPN - ANSWERS

This is a back-to-basics lesson rolled up with a VPN topic. It tests your understanding of Cisco IOS's default behavior when configuring RIPv1 and RIPv2. This is the solution to my previous blog post: https://showipintbri.blogspot.com/2018/04/challenge-rip-get-vpn.html

An excellent Cisco resource that I found very useful in preparing for this lab was:

https://www.cisco.com/c/en/us/products/collateral/security/group-encrypted-transport-vpn/deployment_guide_c07_554713.html

The Topology:


The Requirements:

1. All router interfaces must be configured using the IP schema from the topology diagram.

2. You must run RIP between all routers, and no other routing protocol.
  • Advertise all your connected networks.
  • R2 must run RIP version 2.
  • All other routers must run RIP version 1, and should see R2's loopback with its real mask.

3. You must have routes representing all the subnets (classful or better) from the topology in all your routing tables.

4. Configure GET VPN between all routers' WAN interfaces.
  • R1 must be the key server.

5. Pings sourced from the loopbacks of the group members to other group members must be encrypted.
  • All other traffic should not be encrypted.

6. You should have full reachability to all loopbacks in the topology.



My Solution:




The Configs:

R1:

int fa0/0
ip add 10.0.0.1 255.255.255.0
no shut

int lo 1
ip add 1.1.1.1 255.255.255.255
no shut

router rip
network 10.0.0.1
network 1.1.1.1
no auto-summary
exit


R2:

int fa0/0
ip add 10.0.0.2 255.255.255.0
ip rip receive version 1 2
no shut

int lo 2
ip add 2.2.2.2 255.255.255.255
no shut

router rip
network 10.0.0.2
network 2.2.2.2
version 2
no auto-summary

R3:

int fa0/0
ip add 10.0.0.3 255.255.255.0
no shut

int lo 3
ip add 3.3.3.3 255.255.255.255
no shut

router rip
network 10.0.0.3
network 3.3.3.3
no auto-summary

R4:

int fa0/0
ip add 10.0.0.4 255.255.255.0
no shut

int lo 2
ip add 4.4.4.4 255.255.255.255
no shut

router rip
network 10.0.0.4
network 4.4.4.4
no auto-summary
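An added example (my code, not part of the original post): a small model of the IOS defaults this lab leans on. A router with no version command sends RIPv1 but accepts v1 and v2; version 2 sends and accepts only v2 unless the interface carries ip rip receive version 1 2 (which is why R2 needs it); RIPv1 summarises a route to its classful boundary when it leaves through an interface in a different major network, whether or not no auto-summary is configured; RIPv2 carries the real mask only when auto-summary is off. Addresses come from the configs above; the single shared 10.0.0.0/24 segment is an assumption, since the diagram is not reproduced here.

```python
from ipaddress import ip_network

# Constructed model of the lab: every router sits on 10.0.0.0/24 and owns one /32 loopback.
# "version" is the 'version' command under 'router rip' (None = not configured),
# "rx" is an interface-level 'ip rip receive version ...' override (None = not configured).
ROUTERS = {
    "R1": {"wan": "10.0.0.0/24", "loop": "1.1.1.1/32", "version": None, "rx": None, "auto_summary": False},
    "R2": {"wan": "10.0.0.0/24", "loop": "2.2.2.2/32", "version": 2, "rx": (1, 2), "auto_summary": False},
    "R3": {"wan": "10.0.0.0/24", "loop": "3.3.3.3/32", "version": None, "rx": None, "auto_summary": False},
    "R4": {"wan": "10.0.0.0/24", "loop": "4.4.4.4/32", "version": None, "rx": None, "auto_summary": False},
}


def send_version(r):
    # IOS default: send RIPv1 only; 'version 2' switches sending to v2.
    return r["version"] or 1


def receive_versions(r):
    # IOS default: receive both v1 and v2; 'version 2' restricts receiving to v2
    # unless the interface carries 'ip rip receive version 1 2'.
    if r["rx"]:
        return set(r["rx"])
    return {r["version"]} if r["version"] else {1, 2}


def classful(net):
    """Classful (A/B/C) network containing 'net', as RIPv1 and auto-summary see it."""
    first = int(str(net.network_address).split(".")[0])
    length = 8 if first < 128 else 16 if first < 192 else 24
    return ip_network(f"{net.network_address}/{length}", strict=False)


def advertised(sender, version):
    """What 'sender' puts in an update for its loopback on the WAN interface."""
    loop, wan = ip_network(sender["loop"]), ip_network(sender["wan"])
    if version == 1:
        # RIPv1 carries no mask: a route from a different major network than the
        # outgoing interface is summarised to its classful boundary, auto-summary or not.
        return classful(loop) if classful(loop) != classful(wan) else loop
    # RIPv2 carries the mask, but 'auto-summary' (the default) still summarises.
    return classful(loop) if sender["auto_summary"] else loop


def learned_routes(routers):
    """Routes each router learns from every neighbour on the shared segment."""
    table = {}
    for name, rx in routers.items():
        table[name] = set()
        for peer, tx in routers.items():
            if peer == name:
                continue
            v = send_version(tx)
            if v in receive_versions(rx):  # a version the receiver ignores is silently dropped
                table[name].add(str(advertised(tx, v)))
    return table


def meets_requirements(routers, table):
    """Requirement 3 plus the mask clause of requirement 2: every other loopback is covered
    (classful or better) and every router except R2 holds 2.2.2.2/32 with its real mask."""
    for name in routers:
        for peer, p in routers.items():
            if peer == name:
                continue
            loop = ip_network(p["loop"])
            if not any(ip_network(x).supernet_of(loop) for x in table[name]):
                return False
        if name != "R2" and "2.2.2.2/32" not in table[name]:
            return False
    return True


if __name__ == "__main__":
    for name, routes in learned_routes(ROUTERS).items():
        print(name, sorted(routes))
```

Dropping R2's receive override, or leaving auto-summary on at R2, makes meets_requirements() fail: in the first case R2 learns nothing because its three neighbours only send v1, in the second the others learn 2.0.0.0/8 instead of the /32.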





GET-VPN Configs:

Key Server:


crypto key generate rsa modulus 1024 label GETVPN_KEY



ip access-list extended 100
 permit icmp any any

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2

crypto isakmp key CISCO address 0.0.0.0

crypto ipsec transform-set GETVPN_TRANS esp-3des esp-md5-hmac

crypto ipsec profile GETVPN_PROFILE
 set transform-set GETVPN_TRANS

crypto gdoi group GETVPN_GROUP
 identity number 123
 server local
  rekey authentication mypubkey rsa GETVPN_KEY
  rekey transport unicast
  sa ipsec 1
   profile GETVPN_PROFILE
   match address ipv4 100
   replay counter window-size 64
  address ipv4 10.0.0.1

Group Members:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2

crypto isakmp key CISCO address 10.0.0.1

crypto ipsec transform-set GETVPN_TRANS esp-3des esp-md5-hmac

crypto ipsec profile GETVPN_PROFILE
 set transform-set GETVPN_TRANS

crypto gdoi group GETVPN_GROUP
 identity number 123
 server address ipv4 10.0.0.1

crypto map GETVPN_MAP 10 gdoi
 set group GETVPN_GROUP


int fa0/0
crypto map GETVPN_MAP
exit
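An added example (my code, not the author's solution): the configuration above is a lab build. 3DES, MD5, DH group 2, a 1024-bit RSA rekey-signing key and a pre-shared key bound to address 0.0.0.0 (any peer that knows the key can register with the key server) are all choices a production review would reject, and permit icmp any any encrypts more than requirement 5 asks for, since ICMP between the 10.0.0.x WAN addresses also matches. The lint below runs over the key-server config, retyped here as a constructed sample, prints the stronger setting beside each finding, and builds a policy ACL that matches only loopback-to-loopback ICMP. The replacement keywords assume an IOS release that offers AES, SHA-2 and DH group 14, and the four loopbacks are assumed to be the group's complete traffic set.

```python
import re

# Constructed sample: the key-server crypto configuration from this page, retyped here.
KEY_SERVER_CONFIG = """\
crypto key generate rsa modulus 1024 label GETVPN_KEY
ip access-list extended 100
 permit icmp any any
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key CISCO address 0.0.0.0
crypto ipsec transform-set GETVPN_TRANS esp-3des esp-md5-hmac
crypto ipsec profile GETVPN_PROFILE
 set transform-set GETVPN_TRANS
crypto gdoi group GETVPN_GROUP
 identity number 123
 server local
  rekey authentication mypubkey rsa GETVPN_KEY
  rekey transport unicast
  sa ipsec 1
   profile GETVPN_PROFILE
   match address ipv4 100
   replay counter window-size 64
  address ipv4 10.0.0.1
"""

# (pattern, extra check on the match or None, finding, replacement). The replacements
# assume an IOS release with AES, SHA-2 and group 14; confirm with 'crypto isakmp policy ?'.
RULES = [
    (r"^crypto key generate rsa modulus (\d+)", lambda m: int(m.group(1)) < 2048,
     "RSA rekey-signing key shorter than 2048 bits", "modulus 2048"),
    (r"^\s*encr 3des\b", None, "ISAKMP policy uses 3DES", "encr aes 256"),
    (r"^\s*hash md5\b", None, "ISAKMP policy uses MD5", "hash sha256"),
    (r"^\s*group [125]\b", None, "ISAKMP policy uses a DH group below 2048 bits", "group 14"),
    (r"^crypto isakmp key \S+ address 0\.0\.0\.0\b", None,
     "wildcard pre-shared key: any host that knows it can register as a group member",
     "one 'crypto isakmp key' entry per group-member address"),
    (r"esp-3des|esp-md5-hmac", None, "GET VPN transform set uses 3DES/MD5",
     "esp-aes 256 esp-sha256-hmac"),
    (r"^\s*permit \S+ any any\b", None,
     "policy ACL is any-to-any: WAN-to-WAN ICMP is encrypted too (requirement 5 wants loopbacks only)",
     "host-to-host entries, see loopback_icmp_policy()"),
]


def lint_crypto_config(text):
    """Return (line number, finding, replacement) for every weak or over-broad line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern, extra, finding, fix in RULES:
            m = re.search(pattern, line)
            if m and (extra is None or extra(m)):
                findings.append((lineno, finding, fix))
    return findings


def loopback_icmp_policy(name, loopbacks):
    """Build the GET VPN policy ACL that matches only loopback-to-loopback ICMP.
    GDOI (UDP 848) and ISAKMP (UDP 500) between members and the key server stay
    unmatched, so registration and rekeys never fall inside the encrypted policy."""
    lines = [f"ip access-list extended {name}"]
    for src in loopbacks:
        for dst in loopbacks:
            if src != dst:
                lines.append(f" permit icmp host {src} host {dst}")
    return lines


if __name__ == "__main__":
    for lineno, finding, fix in lint_crypto_config(KEY_SERVER_CONFIG):
        print(f"line {lineno}: {finding} -> {fix}")
    print("\n".join(loopback_icmp_policy("100", ["1.1.1.1", "2.2.2.2", "3.3.3.3", "4.4.4.4"])))
```

Because the key server pushes the policy ACL to every group member, tightening it in one place is enough; the generated ACL still leaves RIP (UDP 520) and the GDOI control traffic in the clear, which is what requirement 5 asks for.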



Verification:

foreach address {
1.1.1.1
2.2.2.2
3.3.3.3
4.4.4.4
} { ping $address repeat 1 source 1.1.1.1 }

! Change the 'source x.x.x.x' to the appropriate source IP

Saturday, April 14, 2018

Challenge: RIP - GET-VPN

UPDATE (4/20/2018): I posted the answers a day early: https://showipintbri.blogspot.com/2018/04/challenge-rip-get-vpn-answers.html

As I was working through some studies I had a challenge idea.

This is not a "stump the chump"; instead, it is a back-to-basics exercise.

Answers will be posted April 21, 2018.

Topology:

Requirements:

1. All router interfaces must be configured using the IP schema from the topology diagram.

2. You must run RIP between all routers, and no other routing protocol.
  • Advertise all your connected networks.
  • R2 must run RIP version 2.
  • All other routers must run RIP version 1, and should see R2's loopback with its real mask.

3. You must have routes representing all the subnets (classful or better) from the topology in all your routing tables.

4. Configure GET VPN between all routers' WAN interfaces.
  • R1 must be the key server.

5. Pings sourced from the loopbacks of the group members to other group members must be encrypted.
  • All other traffic should not be encrypted.

6. You should have full reachability to all loopbacks in the topology.