www.SecurityIE.com security minilab #1 (v0.9B)

 

Network Schematic:  http://www.securityie.com/securityielab1_files/secminiLAB1.vsd

Hints: http://www.securityie.com/securityielab1_files/Security IE minilab hints.htm

Pre-configuration files: http://www.securityie.com/securityielab1_files/Base configs.zip

Final configuration files: http://www.securityie.com/securityielab1_files/Finished configs.zip

This lab in PDF format (password is securityie): http://www.securityie.com/securityielab1_files/securityielab1.pdf

 

The Handbanger – Larry Roberts CCIE #7886 and Ed Yanez CCIE #6784

 

1. Initial Configuration – 1 pt

 

a.      Using a separate sheet of paper and colored pencils, redraw the network diagram. Include all IP addressing information, Layer 2 information (encapsulation types, interface numbers, DLCIs, etc.), Layer 3 information (routing protocols, AS numbers, etc.), and anything else that you think might be useful. Use a different colored pencil for each routing protocol’s boundary lines. This technique will make the diagram more understandable to both you and the lab proctor.

 

b.      You may use the pre-configuration files for this lab to apply the default configuration to all routers. The default configuration contains items such as IP addressing, encapsulation settings, clock rate settings for DCE interfaces, etc. All of this information will be pre-configured for you in the actual CCIE lab. For practice purposes, we recommend that you configure the routers manually from scratch, at least the first time through the lab.


2. Frame Relay Configuration – 2 pts

 

a.      The Frame Relay switch has been pre-configured in a full mesh topology. Configure R3, R5, and R6 with R3 acting as the hub router. Subinterfaces are not allowed in this lab. Make sure that your routers only know about the PVCs that they are using.

 

b.      R4 and R2 connect to different external networks in this lab. These routers are your ingress/egress points. Therefore, security on these devices is critical. R4 connects to an upstream ISP (BB1). R2 connects to a downstream customer. You are responsible for the configuration of R2.


3. Basic Catalyst Switch Configuration – 3 pts

 

a.      Configure the VLANs as shown on the network diagram. Set the console and enable passwords to cisco. Give the switch a name (such as Cat1200) and set the correct time on the switch. The switch’s prompt should match the system name assigned to the switch. Also make sure that you provide information regarding the contact person and location of the switch in case of emergency. Give the switch an IP address of 172.16.60.1/24 on VLAN 400 and make sure that the switch can be accessed from anywhere in the network.


4. Basic PIX Configuration – 4 pts

 

a.      Configure the PIX as shown in the network diagram. VLAN 300 is the inside network and VLAN 200 is the outside network. Verify that you can ping R5’s Ethernet interface from R2. You may not use the NAT 0 command to accomplish this task.


5. Basic ISDN Configuration – 8 pts

 

a.      The ISDN line should only come up when there is traffic between VLAN 300 and VLAN 400 or when the Frame Relay network is down. You can use two static routes to accomplish this task.

 

b.      When traffic is initiated from VLAN 300, R5 should call R6. R6 should authenticate R5, hang up and call back. Make sure that the initial call from R5 to R6 is always disconnected. R6 does not need to authenticate when calling R5.

 

6. OSPF Configuration – 7 pts

 

a.      Configure OSPF as shown in the network diagram. The Frame Relay and ISDN networks are in Area 0. You may not use the ip ospf network point-to-multipoint or ip ospf network broadcast commands in this lab.

 

b.      The serial link between R6 and R1 belongs to Area 1. VLAN 400 also belongs to Area 1. All of the 192.168.x.x loopbacks on R1 should be in Area 2. The other routers should see only one route for these networks.

 

c.      Make sure that each router under your control has a loopback 0 that is accessible from anywhere in the network. If not specifically told otherwise, those loopbacks can be in any area or routing protocol that you would like. Use the addresses below for your loopbacks.

 

R1- 11.11.11.11/24        R2- 22.22.22.22/24   R3- 33.33.33.33/24   R4- 44.44.44.44/24

R5- 55.55.55.55/24        R6- 66.66.66.66/24

 

7. RIP Configuration – 5 pts

 

a.      Configure RIP as shown in the diagram. VLANs 200 and 300 should run RIP. The 22.22.22.22 loopback on R2 should not be advertised in any routing protocol. The PIX and all routers running OSPF (R1, R3, R5, and R6) should be able to ping the 22.22.22.22 address. You can only create one route on the PIX using the route command.


8. EIGRP Configuration – 8 pts

 

a.      Configure EIGRP as shown in the network diagram. 17 is the autonomous system number on all EIGRP routers in this lab. EIGRP is being used to connect your customer off of R2 directly to the ISP located at BB1. The 192.168.24.x – 192.168.27.x networks off of R2 should be advertised in EIGRP. All other EIGRP routers should only have one route in their routing table to get to all of these networks. Verify that all routers running EIGRP can ping the 77.77.77.77 loopback off of BB1.

 

9. Route Redistribution – 8 pts

         

a.      Perform mutual redistribution between OSPF and EIGRP 17 on R3. For security purposes, make sure that no OSPF networks appear in the routing tables of the routers that connect to external networks (BB1 and R2). This includes default routes learned from OSPF. R4 should have a full routing table and be able to get anywhere within your internal network.

 

b.      Perform one-way redistribution of OSPF into RIP on R5. Make sure that the PIX can get anywhere within the internal network. The PIX should be able to ping all interfaces that reside in OSPF and EIGRP including loopbacks. Verify that all of your internal routers can ping R2’s e0 interface.

 

10. NTP configuration – 2 pts

 

a.      R2, R3, R4, R5, and R1 should receive date and time information from R6.

 

11. Policy routing – 3 pts

 

a.      Make sure that all traffic from the internal network (OSPF) uses R5 to get to the 192.168.24.0 – 192.168.27.0 networks off of R2.

 

12. BGP Configuration – 10 pts

 

a.      Configure BGP as shown in the network diagram. Configure iBGP on routers R3, R4, R5, and R6. R6 should only peer with R3. All iBGP routers and the eBGP connection to BB1 should use their loopback 0 interfaces for fault-tolerance. BB1 is also using its loopback 0 interface. You may have to configure a static route on R5 to accomplish this task.

 

b.      AS 300 should advertise networks 192.168.18.x – 192.168.23.x in BGP. AS 200 is advertising networks 192.168.200.x – 192.168.209.x. AS 100 does not need to advertise any networks in BGP.

 

c.      Make sure that you only receive the even numbered routes from AS 300. All of your iBGP routers should only see three routes from AS 200. Those routes are 192.168.202.0, 192.168.205.0, and 192.168.208.0. Your iBGP routers should use a summary route to reach all of the other networks off of BB1.

 

d.      Without using any type of access-list, make sure that your AS does not become a transit area. This entails making sure that the external networks don’t learn each other’s routes including any summary addresses. Make sure that all of your iBGP routers can ping all of the networks advertised in BGP.

 

13. Company Security Policy – 2 pts for each topic for a total of 30 pts

 

a.      Make sure that all devices in the network are secured with an enable secret password (or equivalent) of cisco.

b.      Prevent any passwords from appearing in clear text in the running-config of all routers in the network.

c.      Make sure that idle sessions on the console and vty ports of all routers are automatically logged out after 30 minutes.

d.      Disable CDP on all routers that connect to external networks.

e.      Disable the finger service on all routers.

f.       Prevent smurf attacks on all routers.

g.      Disable source routing on all routers.

 

h.      Configure SNMP as follows on all devices:

     RO string – TOUGH

     RW string – LAB

Provide read access to any device in the 172.16.0.0 network. Read/write access should be restricted to the 172.16.60.x network.

 

i.        Disable proxy-arp on all interfaces that connect to external networks.

j.        Disable ICMP redirects and ICMP unreachables on all routers and the switch.

k.      Configure the PIX and all routers to log messages of debugging and higher severity to a Syslog server located on VLAN 400 at 172.16.60.10 using the local6 facility.

l.        Make sure all messages logged on the Syslog server show the correct date and time.

m.    All routing protocols must use authentication. The exception to this is the eBGP connection between R5 and R2.

n.      Without putting a password on each line, make sure that console, aux, and vty access on all routers are secured with a password of cisco.

o.      Configure CHAP authentication on the link between R1 and R6. R6 should use a username of ALTNAME.
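An added config-audit example, not part of the lab or its configuration files: it parses an IOS running-config and reports which of the section 13 items that map to fixed commands (a, b, d, e, f, g, h, i, j, k, l, and the 30-minute timeout in c) are missing. The sample config, the ACL numbers 10 and 11, and the interface name Serial0 are constructed; items m and n are not checked because their commands depend on the routing protocol and line-authentication method chosen.

```python
import re
# Constructed sample running-config (not the lab's own config files); ACLs 10 and 11 assumed defined.
HARDENED = """\
service password-encryption
service timestamps log datetime localtime
enable secret 5 $1$abcd$placeholderhash
no ip source-route
no ip finger
no cdp run
logging facility local6
logging trap debugging
logging 172.16.60.10
snmp-server community TOUGH RO 10
snmp-server community LAB RW 11
interface Serial0
 no ip directed-broadcast
 no ip proxy-arp
 no ip redirects
 no ip unreachables
line vty 0 4
 exec-timeout 30 0
"""
# Policy item -> regex a compliant top-level line must match (13a, b, d, e, g, h, k, l).
GLOBAL_RULES = [
    ("enable secret", r"^enable secret "), ("password encryption", r"^service password-encryption$"),
    ("no CDP", r"^no cdp run$"), ("no finger", r"^no (ip|service) finger$"),
    ("no source routing", r"^no ip source-route$"), ("log timestamps", r"^service timestamps log "),
    ("syslog host", r"^logging (host )?172\.16\.60\.10$"), ("facility local6", r"^logging facility local6$"),
    ("trap debugging", r"^logging trap debugging$"), ("SNMP RO bound to ACL", r"^snmp-server community TOUGH RO \d+$"),
    ("SNMP RW bound to ACL", r"^snmp-server community LAB RW \d+$"),
]
# Per-interface items (13f, i, j); no ip proxy-arp is required only on external-facing interfaces.
IFACE_RULES = ["no ip directed-broadcast", "no ip redirects", "no ip unreachables"]
def audit(config, external_ifaces=()):
    """Return the policy violations found in an IOS config text (empty list = compliant)."""
    blocks = []  # (top-level line, [indented child lines]) in config order
    for line in config.splitlines():
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            blocks.append((line.strip(), []))
    top = [header for header, _ in blocks]
    findings = [f"global: missing {n}" for n, p in GLOBAL_RULES if not any(re.match(p, t) for t in top)]
    for header, body in blocks:
        if header.startswith("interface "):
            want = IFACE_RULES + (["no ip proxy-arp"] if header.split()[1] in external_ifaces else [])
            findings += [f"{header}: missing '{c}'" for c in want if c not in body]
        elif header.startswith("line ") and "exec-timeout 30 0" not in body:
            findings.append(f"{header}: idle timeout is not 30 minutes")
    return findings
```

Run it against the output of show running-config saved to a file, passing the names of the interfaces that face BB1 or R2 in external_ifaces.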

 

14. Controlling Telnet Access – 9 pts

 

a.      Your company has a very restrictive policy when it comes to telnet. Telnet access from the outside to the inside is prohibited. Users who wish to telnet to the hosts on the outside must first authenticate on R3 using the username of telnet and a password of cisco. If the user authenticates successfully, R3 should allow only that host to telnet to the outside for a period of 30 minutes. Idle telnet sessions should be timed out after 10 minutes.

 

b.      Since R4 is an ingress point to your network, it has a very strict policy as well. R4 should allow only the appropriate routing protocols into the network. Outside users should not be able to ping inside hosts, but inside hosts should be able to ping outside resources.

 

At this point all internal routers (R1, R3, R4, and R5) should be able to ping every interface except the tunnel interface on R2. You might want to make sure that you generate some interesting traffic to bring the ISDN link up before trying to ping everywhere.

 

15. IPSec Configuration – Extra Credit (Someone can complete this and add it to the lab. I ran out of time)

 

All traffic between VLANs 100, 300, and 400 over the Frame Relay network must be encrypted using IPSec. You can only use one ISAKMP identity statement on each router to accomplish this. All EIGRP routes between R2 and R3 should be encrypted as they cross your internal network.