Scenario
Due to the volume of information shared, the Air Guitar Company (AGC) requires a Frame
Relay link between its central site, which is R1 in the diagram, and a branch site, which is R2.
For fault tolerance, the FR link will be backed up with ISDN. The AGC also has a small SOHO
site, which is represented by R3, that periodically connects through an asynchronous dial-up
connection to download corporate e-mail and verify the status of orders.
To secure mission critical data traffic, IPSec VPN will be used between FR links, and PPP
CHAP will be used between ISDN and PSTN connections.
1 - 65 CCNP 2: Remote Access v3.1 – Skills-Based Assessment Version 1 Copyright 2005, Cisco Systems, Inc.
QoS will also be configured between the Frame Relay links.
Generic Tasks
• Physically connect the network devices according to the network diagram. Ensure that
the correct cables are connected to the appropriate Adtran ports.
• The WAN provider supplying the FR, ISDN, and PSTN circuits has assigned the AGC
the 10.1.1.0 /24 subnet.
- Use VLSM whenever possible.
• Use the private network address 192.168.x.0/24 for each router LAN, where the “x”
refers to the router number.
- For example, the R1 LAN should be assigned the network address 192.168.1.0
/24.
• AAA authentication must be configured on all routers.
- Create an entry to authenticate all login attempts to the local database.
- Create a second AAA entry to authenticate all PPP CHAP challenges to the
local database.
• On all three routers, configure the following:
- Configure Telnet support.
- Configure the privileged EXEC mode password cisco.
- Configure local username and password entries for the remote router where
needed. The password must be cisco. For example, username R1
password cisco.
- Configure a local username called USER with the password cisco.
The AGC wants a Frame Relay link using sub-interfaces between R1 and R2.
1. DLCI 102 directly connects to DLCI 201. Use the appropriate show commands to
discover the locally attached DLCI.
2. Configure R1 and R2 for Frame Relay adaptive traffic shaping. Upon receiving a
BECN notice, all routers will be configured to throttle down to the contracted service
rate of CIR = 16000, BC = 64000, and Be = 64000.
3. To test the Frame Relay configuration, ping the sub-interfaces of R1 from R2.
ISDN connection between R1 and R2
The AGC wants an ISDN DDR link between R1 and R2 in case the FR link fails. The two sites will
use EIGRP between them.
The AGC requires IPSec to encrypt traffic between the R1 and R2 LANs when traversing the
Frame Relay link.
1. Create an access list on the R1 and R2 routers to identify traffic from their LANs to be
encrypted when traffic is destined for their remote neighbors’ LANs.
2. Configure the ISAKMP policy suite on R1 and R2 to use pre-shared key authentication,
and manually configure the same pre-shared key on both routers.
3. Configure the transform-set to use esp-des to build the IPSec security association.
4. Apply the crypto map to the appropriate FR interfaces on the R1 and R2 routers.
5. Test the IPSec tunnel configuration by using the appropriate debug commands to
monitor IPSec activity and ping Host C from Host B.
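Step 1 only works if the two crypto access lists are mirror images of each other; otherwise the peers propose different traffic selectors and the IPSec SA is not built. The check below is an added example, not part of the original assessment: it parses the access-list 102 lines that appear in the R1 and R2 sample configurations on this page and reports any entry without a mirrored counterpart. The function names are hypothetical.

```python
import ipaddress
import re

# access-list lines copied from the R1 and R2 sample configurations on this page.
R1_CONFIG = """\
access-list 101 permit tcp any any eq telnet
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 deny eigrp any any
access-list 103 permit ip any any
"""
R2_CONFIG = """\
access-list 101 permit tcp any any eq telnet
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 deny eigrp any any
access-list 103 permit ip any any
"""

# Numbered extended ACL entry: access-list <n> <action> <protocol> <src> <dst> ...
ACE_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(.*)$")


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    # ipaddress reads a mask starting with a zero octet as a host (wildcard) mask.
    # Non-contiguous wildcards raise ValueError, which is what we want here.
    return ipaddress.ip_network(f"{head}/{wildcard}", strict=False)


def parse_acl(config, number):
    """Return (action, protocol, src, dst, trailing) tuples for one extended ACL."""
    entries = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or int(m.group(1)) != number:
            continue
        rest = m.group(4).split()
        src = _take_addr(rest)
        dst = _take_addr(rest)
        # Trailing qualifiers (ports, log) are kept verbatim; ip-only crypto
        # ACLs such as the ones on this page have none.
        entries.append((m.group(2), m.group(3), src, dst, tuple(rest)))
    return entries


def _mirror(entry):
    action, proto, src, dst, trailing = entry
    return (action, proto, dst, src, trailing)


def _fmt(entry):
    return f"{entry[0]} {entry[1]} {entry[2]} -> {entry[3]}"


def crypto_acl_mismatches(local_cfg, peer_cfg, number, peer_number=None):
    """List entries on either router that have no mirrored entry on the other."""
    local = parse_acl(local_cfg, number)
    peer = parse_acl(peer_cfg, number if peer_number is None else peer_number)
    problems = []
    if not local or not peer:
        problems.append("crypto ACL missing on one side")
    for entry in local:
        if _mirror(entry) not in peer:
            problems.append(f"local '{_fmt(entry)}' has no mirror on the peer")
    for entry in peer:
        if _mirror(entry) not in local:
            problems.append(f"peer '{_fmt(entry)}' has no mirror locally")
    return problems


if __name__ == "__main__":
    issues = crypto_acl_mismatches(R1_CONFIG, R2_CONFIG, 102)
    print("crypto ACLs mirror each other" if not issues else "\n".join(issues))
```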
PSTN connection between R1 and R3
The SOHO site R3 occasionally connects to the central site R1. For this reason, an asynchronous
dial-up connection has been provisioned between the sites. The central site has negotiated a very
low toll cost. For this reason, R1 should be configured to call R3 when R3 initiates a connection.
No dynamic routing should be configured over the link. Instead, a static and default route should
be configured on the respective routers.
The AGC wants to test QoS over the FR link. To test the link, they require that Telnet traffic
should be guaranteed 16 Kbps of the FR bandwidth.
Check List
7. R1 and R2 should be configured to adapt to BECN notices for Frame Relay traffic shaping.
8. The ISDN dial backup interface should become active within a few seconds after unplugging the serial interface.
9. EIGRP should propagate a default route to R2 but should not be allowed over the ISDN links.
10. LAN traffic from R1 and R2 should be encrypted with an IPSec tunnel using pre-shared keys.
11. Telnet traffic should be guaranteed 16 Kbps of Frame Relay bandwidth using CBWFQ.
Skills-Based Assessment Version 1 – Solutions
All features included in this Skills-Based Assessment should be tested on the test equipment
and IOS versions. Some features, such as PPP Callback and Dialer Watch, are sensitive and
may not work properly.
The following output was generated for the different devices:
R2 (Cisco 2600), c2600-jk8s-mz_122-12b.bin: Serial Interface, Ethernet Interface
R3 (Cisco 1700), c1700-sy-mz.122-4.YB.bin: Serial Interface, Ethernet Interface
Sample Router Configurations
The following output is from each router platform. It includes a sample running configuration:
R1#show running-config
R1#sho run
Building configuration...
!
!
!
!
!
!
controller T1 1/0
framing esf
linecode b8zs
pri-group timeslots 1-24
!
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
no ip address
encapsulation frame-relay
no ip mroute-cache
no fair-queue
cdp enable
frame-relay traffic-shaping
!
interface Serial0/0.102 point-to-point
ip address 10.1.1.5 255.255.255.252
frame-relay class TS
frame-relay interface-dlci 102
crypto map VPN-2-R2
!
interface BRI0/0
no ip address
encapsulation hdlc
shutdown
isdn switch-type basic-ni
!
interface Serial0/1
no ip address
shutdown
!
interface Serial1/0:23
no ip address
encapsulation ppp
dialer pool-member 1
isdn switch-type primary-ni
fair-queue 64 256 0
ppp authentication chap
!
interface Async65
ip address 10.1.1.17 255.255.255.252
encapsulation ppp
dialer in-band
dialer map ip 10.1.1.18 name R3 class DIAL-BACK modem-script HAYES 5556002
dialer-group 2
async mode dedicated
ppp callback accept
ppp authentication chap callin
!
interface Dialer0
description Backup connection to R2
ip address 10.1.1.9 255.255.255.252
encapsulation ppp
dialer pool 1
dialer remote-name R2
dialer watch-disable 5
dialer string 5551000
dialer string 5551001
dialer watch-group 1
dialer-group 1
ppp authentication chap
!
router eigrp 1
network 10.1.1.4 0.0.0.3
network 10.1.1.8 0.0.0.3
network 192.168.1.0
auto-summary
!
ip classless
ip default-network 192.168.1.0
ip route 192.168.3.0 255.255.255.0 10.1.1.18
ip http server
!
!
map-class frame-relay TS
frame-relay cir 32000
frame-relay bc 64000
frame-relay be 64000
frame-relay adaptive-shaping becn
service-policy output BW-4-TELNET
!
map-class dialer DIAL-BACK
dialer callback-server username
access-list 101 permit tcp any any eq telnet
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 deny eigrp any any
access-list 103 permit ip any any
dialer watch-list 1 ip 192.168.2.0 255.255.255.0
dialer-list 1 protocol ip list 103
dialer-list 2 protocol ip permit
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
modem InOut
modem autoconfigure discovery
transport input all
stopbits 1
speed 57600
flowcontrol hardware
line vty 0 4
password cisco
!
end
R1#
R1#sho ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter
area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
R2#show running-config
R2#sho run
Building configuration...
duplex auto
speed auto
!
interface Serial0/0
no ip address
encapsulation frame-relay
no ip mroute-cache
no fair-queue
cdp enable
frame-relay traffic-shaping
frame-relay lmi-type ansi
!
interface Serial0/0.201 point-to-point
ip address 10.1.1.6 255.255.255.252
frame-relay class TS
frame-relay interface-dlci 201
crypto map VPN-2-R1
!
interface BRI0/0
no ip address
encapsulation ppp
dialer pool-member 1
isdn switch-type basic-ni
isdn spid1 51055510000001 5551000
isdn spid2 51055510010001 5551001
ppp authentication chap
!
interface Serial0/1
no ip address
shutdown
!
interface Dialer0
ip address 10.1.1.10 255.255.255.252
encapsulation ppp
dialer pool 1
dialer remote-name R1
dialer watch-disable 5
dialer string 5555000
dialer watch-group 1
dialer-group 1
ppp authentication chap
!
router eigrp 1
network 10.1.1.4 0.0.0.3
network 10.1.1.8 0.0.0.3
network 192.168.2.0
auto-summary
!
ip classless
ip http server
!
!
map-class frame-relay TS
frame-relay cir 32000
frame-relay bc 64000
frame-relay be 64000
frame-relay adaptive-shaping becn
service-policy output BW-4-TELNET
access-list 101 permit tcp any any eq telnet
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 deny eigrp any any
access-list 103 permit ip any any
dialer watch-list 1 ip 192.168.1.0 255.255.255.0
dialer-list 1 protocol ip list 103
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
password cisco
!
end
R2#
R2#sho ip rou
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter
area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
R3#show running-config
R3#sho run
Building configuration...
!
!
dialer-list 1 protocol ip permit
!
!
line con 0
exec-timeout 0 0
logging synchronous
line 1
flush-at-activation
modem InOut
modem autoconfigure discovery
transport input all
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
password cisco
line vty 0 4
password cisco
!
end
R3#sho ip rou
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter
area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Verifying the ISDN Backup Line
To verify the ISDN backup line, perform an extended ping from R1 and repeat the ping 1000
times. As the pings are crossing the FR link, unplug the serial interface to force a primary rate
failure. Observe that the pings are no longer able to cross the link.
The following is a sample output:
R1#deb dialer
Dial on demand events debugging is on
R1#ping
Protocol [ip]:
Target IP address: 192.168.2.1
Repeat count [5]: 1000
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.
00:19:52: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down
00:19:52: %DUAL-5-NBRCHANGE: IP-EIGRP 1: Neighbor 10.1.1.6 (Serial0/0.102)
is down: interface down
00:19:52: DDR: Dialer Watch: watch-group = 1
00:19:52: DDR: network 192.168.2.0/255.255.255.0 DOWN,
00:19:52: DDR: primary DOWN
00:19:52: DDR: Dialer Watch: Dial Reason: Primary of group 1 DOWN
00:19:52: DDR: Dialer Watch: watch-group = 1,
00:19:52: Se1/0:23 DDR: rotor dialout [priority]
00:19:52: DDR: dialing secondary by dialer string 5551000 on Di0
00:19:52: Se1/0:23 DDR: Attempting to dial 5551000
00:19:52: DDR: Dialer Watch: watch-group = 1
00:19:52: DDR: network 192.168.2.0/255.255.255.0 DOWN,
00:19:52: DDR: primary DOWN
00:19:52: DDR: Dialer Watch: Dial Reason: Primary of group 1 DOWN
00:19:52: DDR: Dialer Watch: watch-group = 1,
00:19:52: %LINK-3-UPDOWN: Interface Serial1/0:22, changed state to up
00:19:52: Se1/0:22 DDR: Dialer Watch: resetting call in progress
00:19:52: Se1/0:22: interface must be fifo queue, force fifo
00:19:52: %DIALER-6-BIND: Interface Se1/0:22 bound to profile Di0
00:19:52: Se1/0:22 DDR: dialer protocol up.
00:19:52: %DUAL-5-NBRCHANGE: IP-EIGRP 1: Neighbor 10.1.1.10 (Dialer0) is up:
new adjacency
00:19:53: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed
state to down
00:19:53: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0:22,
changed state to up..
00:19:58: %ISDN-6-CONNECT: Interface Serial1/0:22 is now connected to
5551000 R2...!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 98 percent (987/1000), round-trip min/avg/max = 32/34/60 ms
R1#sho dialer
<Output Omitted>
Verifying QoS
Verifying QoS is more difficult. The simplest check is to confirm that CBWFQ is configured on
the PVC.
The following is a sample output:
Verifying VPN
To verify that IPSec is encrypting the traffic between the R1 and R2 LANs, use the show crypto
ipsec sa command and an extended ping.
The following is a sample output:
R1#show crypto ipsec sa
interface: Serial0/0.102
Crypto map tag: VPN-2-R2, local addr. 10.1.1.5
inbound ah sas:
outbound ah sas:
R1#ping
Protocol [ip]:
Target IP address: 192.168.2.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/50/52 ms
interface: Serial0/0.102
Crypto map tag: VPN-2-R2, local addr. 10.1.1.5
inbound ah sas:
outbound ah sas:
outbound pcp sas:
R1#
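The sample output above keeps only the SA headings, but what shows that the ping was encrypted is the change in the per-peer packet counters between the two show crypto ipsec sa captures. The script below is an added example, not part of the original assessment: it compares two captures and checks that the encrypt and decrypt counters grew by at least the number of successful echoes. The counter lines are constructed, modelled on the IOS 12.2 output layout, and the function names are hypothetical.

```python
import re


def sample_sa(encaps, decaps):
    """Constructed 'show crypto ipsec sa' excerpt for R1 (not captured output)."""
    return f"""\
interface: Serial0/0.102
    Crypto map tag: VPN-2-R2, local addr. 10.1.1.5

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer: 10.1.1.6
     PERMIT, flags={{origin_is_acl,}}
    #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest 0
    #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify 0
    #send errors 0, #recv errors 0
"""


PEER_RE = re.compile(r"current_peer:?\s*(\S+)")
COUNTER_RE = re.compile(r"#(pkts \w+|send errors|recv errors):? (\d+)")


def parse_sa_counters(text):
    """Return {peer: {counter: value}}, summing over all SAs to the same peer."""
    peers = {}
    current = None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            current = peers.setdefault(m.group(1), {})
            continue
        if current is not None:
            for name, value in COUNTER_RE.findall(line):
                current[name] = current.get(name, 0) + int(value)
    return peers


def tunnel_carried(before, after, peer, echoes):
    """Check that at least `echoes` packets were encrypted and decrypted.

    `echoes` is the number of pings that succeeded. A delta of zero means the
    traffic crossed the link outside the tunnel (for example the crypto map is
    not applied to the sub-interface, or the crypto ACL does not match).
    """
    old = parse_sa_counters(before).get(peer, {})
    new = parse_sa_counters(after).get(peer)
    if new is None:
        return False, {}
    keys = ("pkts encrypt", "pkts decrypt", "send errors")
    delta = {k: new.get(k, 0) - old.get(k, 0) for k in keys}
    ok = delta["pkts encrypt"] >= echoes and delta["pkts decrypt"] >= echoes
    return ok, delta


if __name__ == "__main__":
    # Five echoes, as in the extended ping shown on this page.
    print(tunnel_carried(sample_sa(0, 0), sample_sa(5, 5), "10.1.1.6", 5))
```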
Verifying PPP Callback
The central site has negotiated a lower toll charge. Whenever R3 dials in, the R1 router should
disconnect and call back R3.
To test this feature, perform an extended ping from R3. R1 should disconnect and then call R3
to establish the connection.
The following is a sample output of a successful callback:
R3#ping
Protocol [ip]:
Target IP address: 192.168.1.1
Repeat count [5]: 100
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.3.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
...........
01:44:55: %LINK-3-UPDOWN: Interface Serial0, changed state to up..
01:44:58: %LINK-5-CHANGED: Interface Serial0, changed state to reset..
01:45:03: %LINK-3-UPDOWN: Interface Serial0, changed state to
down................
01:45:35: %LINK-3-UPDOWN: Interface Serial0, changed state to up
01:45:36: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed
state to up.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 68 percent (68/100), round-trip min/avg/max = 132/177/204 ms
R3#
The following is a sample output of a successful callback with debug output generated by the
debug ppp callback, debug ppp negotiation, debug dialer, and debug ppp
authentication commands:
R1#
02:07:40: As65 LCP: I CONFREQ [Closed] id 34 len 28
02:07:40: As65 LCP: ACCM 0x000A0000 (0x0206000A0000)
02:07:40: As65 LCP: AuthProto CHAP (0x0305C22305)
02:07:40: As65 LCP: MagicNumber 0x096FB017 (0x0506096FB017)
02:07:40: As65 LCP: PFC (0x0702)
02:07:40: As65 LCP: ACFC (0x0802)
02:07:40: As65 LCP: Callback 0 (0x0D0300)
02:07:40: As65 LCP: Lower layer not up, Fast Starting
02:07:40: As65 PPP: Using dialer call direction
02:07:40: As65 PPP: Treating connection as a callin
02:07:40: As65 PPP: Phase is ESTABLISHING, Passive Open [0 sess, 0 load]
02:07:40: As65 LCP: State is Listen
02:07:40: As65 LCP: O CONFREQ [Listen] id 166 len 25
02:07:40: As65 LCP: ACCM 0x000A0000 (0x0206000A0000)
02:07:40: As65 LCP: AuthProto CHAP (0x0305C22305)
02:07:40: As65 LCP: MagicNumber 0x05A784D1 (0x050605A784D1)
02:07:40: As65 LCP: PFC (0x0702)
02:07:40: As65 LCP: ACFC (0x0802)
02:07:40: As65 LCP: O CONFACK [Listen] id 34 len 28
02:07:40: As65 LCP:
R1# ACCM 0x000A0000 (0x0206000A0000)
02:07:40: As65 LCP: AuthProto CHAP (0x0305C22305)
02:07:40: As65 LCP: MagicNumber 0x096FB017 (0x0506096FB017)
02:07:40: As65 LCP: PFC (0x0702)
02:07:40: As65 LCP: ACFC (0x0802)
02:07:40: As65 LCP: Callback 0 (0x0D0300)
02:07:40: %LINK-3-UPDOWN: Interface Async65, changed state to up
02:07:40: As65 DDR: Dialer statechange to up
02:07:40: As65 DDR: Dialer received incoming call from <unknown>
02:07:40: As65 LCP: I CONFACK [ACKsent] id 166 len 25
02:07:40: As65 LCP: ACCM 0x000A0000 (0x0206000A0000)
02:07:40: As65 LCP: AuthProto CHAP (0x0305C22305)
02:07:40: As65 LCP: MagicNumber 0x05A784D1 (0x050605A784D1)
02:07:40: As65 LCP: PFC (0x0702)
02:07:40: As65 LCP: ACFC (0x0802)
02:07:40: As65 LCP: State is Open
02:07:40: As65 PPP: Phase is AUTHENTICATING, by both [0 sess, 0 load]
02:07:40: As65 CHAP: O CHALLENGE id 121 len 23 from "R1"
02:07:40: As65 CHAP: I CHALLENGE id 31 len 23 from "R3"
02:07:40: As65 CHAP: Waiting for peer to authenticate first
02:07:40: As65 CHAP: I RESPONSE id 121 len 23 from "R3"
02:07:40: As65 CHAP: O SUCCESS id 121 len 4
02:07:40: As65 CHAP: Processing saved Challenge, id 31
02:07:40: As65 CHAP: O RESPONSE id 31 len 23 from "R1"
02:07:40: As65 CHAP: I SUCCESS id 31 len 4
02:07:40: As65 DDR: PPP callback: Callback server starting to R3 5556002
R1#
R1#
02:07:41: As65 DDR: disconnecting call
R1#
02:07:43: %LINK-5-CHANGED: Interface Async65, changed state to reset
R1#
02:07:43: As65 PPP: Phase is TERMINATING [0 sess, 0 load]
02:07:43: As65 LCP: State is Closed
02:07:43: As65 PPP: Phase is DOWN [0 sess, 0 load]
R1#
02:07:48: %LINK-3-UPDOWN: Interface Async65, changed state to down
R1#
02:07:48: As65 LCP: State is Closed
R1#
02:07:58: As65 DDR: re-enable timeout
02:07:58: DDR: callback triggered by dialer_timers
02:07:58: As65 DDR: beginning callback to R3 5556002
02:07:58: As65 DDR: Attempting to dial 5556002
02:07:58: CHAT65: Attempting async line dialer script
02:07:58: CHAT65: Dialing using Modem script: HAYES & System script: none
02:07:58: CHAT65: process started
02:07:58: CHAT65: Asserting DTR
02:07:58: CHAT65: Chat script HAYES started
R1#
02:08:18: CHAT65: Chat script HAYES finished, status = Success
02:08:18: As65 IPCP: Install route to 10.1.1.18
R1#
02:08:20: %LINK-3-UPDOWN: Interface Async65, changed state to up
R1#
02:08:20: As65 DDR: Dialer statechange to up
02:08:20: DDR: Freeing callback to R3 5556002
02:08:20: As65 DDR: Dialer call has been placed
02:08:20: As65 PPP: Using dialer call direction
02:08:20: As65 PPP: Treating connection as a callout
02:08:20: As65 PPP: Phase is ESTABLISHING, Active Open [0 sess, 0 load]
02:08:20: As65 PPP: No remote authentication for callback
02:08:20: As65 LCP: O CONFREQ [Closed] id 167 len 20
02:08:20: As65 LCP: ACCM 0x000A0000 (0x0206000A0000)
02:08:20: As65 LCP: MagicNumber 0x05A8223B (0x050605A8223B)
02:08:20: As65 LCP: PFC (0x0702)
02:08:20: As65 LCP: ACFC (0x0802)
02:08:20: As65 LCP: I CONFREQ [REQsent] id 35 len 25
02:08:20: As65 LCP: ACCM 0x000A0000 (0x0206000A0000)
02:08:20: As65 LCP: AuthProto CHAP (0x0305C22305)
02:08:20: As65 LCP: MagicNumber 0x09704E10 (0x050609704E10)
02:08:20: As65 LCP: PFC (0x0702)
02:08:20: As65 LCP: ACFC (0x0802)
02:08:20: As65 LCP: O CONFACK [REQsent] id 35 len 25
02:08:20: As65 LCP: ACCM 0x000A0000 (0x0206000A0000)
02:08:20: As65 LCP: AuthProto CHAP (0x0305C22305)
02:08:20: As65 LCP: MagicNumber 0x09704E10 (0x050609704E10)
02:08:20: As65 LCP: PFC (0x0702)
02:08:20: As65 LCP: ACFC (0x0802)
02:08:20: As65 LCP: I CONFACK [ACKsent] id 167 len 20
02:08:20: As65 LCP: ACCM 0x000A0000 (0x0206000A0000)
02:08:20: As65 LCP: MagicNumber 0x05A8223B (0x050605A8223B)
02:08:20: As65 LCP: PFC (0x0702)
02:08:20: As65 LCP: ACFC (0x0802)
02:08:20: As65 LCP: State is Open
02:08:20: As65 PPP: Phase is AUTHENTICATING, by the peer [0 sess, 0 load]
02:08:20: As65 CHAP: I CHALLENGE id 32 len 23 from "R3"
02:08:20: As65 CHAP: O RESPONSE id 32 len 23 from "R1"
02:08:20: As65 CHAP: I SUCCESS id 32 len 4
02:08:20: As65 PPP: Phase is UP [0 sess, 0 load]
02:08:20: As65 IPCP: O CONFREQ [Closed] id 111 len 10
02:08:20: As65 IPCP: Address 10.1.1.17 (0x03060A010111)
02:08:20: As65 IPCP: I CONFREQ [REQsent] id 3 len 10
02:08:20: As65 IPCP: Address 10.1.1.18 (0x03060A010112)
02:08:20: As65 IPCP: O CONFACK [REQsent] id 3 len 10
02:08:20: As65 IPCP: Address 10.1.1.18 (0x03060A010112)
02:08:20: As65 IPCP: I CONFACK [ACKsent] id 111 len 10
02:08:20: As65 IPCP: Address 10.1.1.17 (0x03060A010111)
02:08:20: As65 IPCP: State is Open
02:08:20: As65 DDR: dialer protocol up
02:08:21: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async65, changed
state to up
R1#
After R1 calls back
R3#ping
Protocol [ip]:
Target IP address: 192.168.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.3.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 196/199/204 ms
R3#
R1#
02:10:44: As65 DDR: idle timeout
02:10:44: As65 DDR: disconnecting call
R1#
02:10:46: %LINK-5-CHANGED: Interface Async65, changed state to reset
R1#
02:10:46: As65 IPCP: State is Closed
02:10:46: As65 PPP: Phase is TERMINATING [0 sess, 0 load]
02:10:46: As65 LCP: State is Closed
02:10:46: As65 PPP: Phase is DOWN [0 sess, 0 load]
02:10:46: As65 IPCP: Remove route to 10.1.1.18
02:10:47: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async65, changed
state to down
R1#
02:10:51: %LINK-3-UPDOWN: Interface Async65, changed state to down
R1#
02:10:51: As65 LCP: State is Closed
02:11:01: As65 DDR: re-enable timeout
R1#
CCNP 2 Skills-Based Assessment Version 2
Scenario
The Air Guitar Company (AGC) requires a hub and spoke Frame Relay topology between its
central site, which is represented by R1, and the branch sites, which are R2 and R3. Mission
critical data is only exchanged between R1 and R3. Therefore, the AGC requires the FR link
between R1 and R3 to be backed up with ISDN. The R2 router does not require the same fault
tolerance. However, R2 does provide an asynchronous dial-up connection to a telecommuter.
To help secure mission critical data, use an IPSec VPN between FR links and PPP CHAP
between ISDN and PSTN connections.
Generic Tasks
• Physically connect the network devices according to the network diagram. Ensure that
the correct cables are connected to the appropriate Adtran ports.
• Use the private network address 192.168.x.0/24 for each router LAN, where the “x”
refers to the router number.
25 - 65 CCNP 2: Remote Access v3.0 – Skills-Based Assessment Version 2 - Solutions Copyright 2004, Cisco Systems, Inc.
- For example, the R1 LAN should be assigned the network address 192.168.1.0
/24.
• The WAN provider supplying the FR, ISDN, and PSTN circuits has assigned the AGC
the 10.1.1.0 /24 subnet.
- Use VLSM whenever possible.
• On all three routers, configure the following:
- Configure Telnet support.
- Configure the privileged EXEC mode password cisco.
- Configure local username and password entries for the remote router where
needed. The password must be cisco. For example, username R1
password cisco.
- Create a local username called USER with the password cisco.
• AAA authentication must be configured on all routers:
- Create an entry to authenticate all login attempts to the local database.
- Create a second AAA entry to authenticate all PPP CHAP challenges to the
local database.
The AGC wants hub-and-spoke Frame Relay links between R1 and R2, and R1 and R3.
1. Configure Frame Relay on all three routers so that R2 and R3 will become spokes and
R1 will be the Frame Relay hub. Use the appropriate show commands to discover the
locally attached DLCI.
2. Configure sub-interfaces on R1 to directly connect to R2 and R3:
- R1 and R2 belong to the 10.1.1.4/30 subnet
- R1 and R3 belong to the 10.1.1.8 /30 subnet.
3. Prevent automatic mapping for unused PVCs on the spokes with the no frame-relay
inverse-arp ip command. Use the appropriate show commands to discover the locally
attached DLCI.
4. Configure EIGRP on all routers to advertise their directly connected networks. Verify
that all routers have a complete routing table.
The AGC wants an ISDN DDR link between R1 and R3 in case the FR link fails.
1. Configure ISDN BRI on R1 and R3 to use the SPID information from the network
diagram. The ISDN switch type for the ISDN BRI connection is basic-ni.
2. For scalability purposes, configure R1 and R3 to use a dialer profile to establish an
ISDN connection to each other:
- Dialer 0 interface on both routers belongs on the 10.1.1.12 /30 subnet.
3. Configure PPP CHAP to secure the ISDN connections.
4. Configure Dial-on-Demand routing (DDR) on R1 and R3 so that any packet types can
initiate the ISDN link.
5. Configure ISDN dialer backup on R1 and R3:
- The Dialer 0 interface should back up the primary Frame Relay connection.
- The backup line should be activated 5 seconds after the primary link fails and
deactivated 20 seconds after the primary link comes back up.
6. Configure each router to aggregate both ISDN B-channels upon sending and receiving
a threshold of one to place a dial-up call.
7. Prevent EIGRP hello packets from constantly establishing the ISDN call on both
routers by suppressing EIGRP packets from being sent out their dialer interfaces.
8. Configure floating static routes on R1 and R3 with a slightly higher administrative
distance than that of EIGRP.
PSTN connection on R2
A telecommuter occasionally connects to the AGC network through the branch site R2.
1. Configure the asynchronous dial-up connections using the AUX port on R2 to support
a dial-up connection from a host.
2. The AUX port must automatically discover the modem type and configure it.
3. The asynchronous interface should share the Fa0/0 IP address.
4. The router should authenticate using CHAP.
5. Configure PPP dedicated mode. The EXEC prompt should not appear and the router
will not be available for EXEC mode access unless the user Telnets from the host.
6. R2 should always assign a host the address 192.168.2.20.
7. Configure the host to dial 555-6001 to access the AGC network.
The AGC requires secure IPSec Frame Relay VPNs between the R1 and R2, R1 and R3, and R2
and R3 LANs.
1. Configure an ISAKMP policy, pre-shared key, and transform set on all routers:
- The ISAKMP policy suite is to use pre-shared key authentication.
- The pre-shared key should be CISCO123.
- The transform-set should use esp-des to build the IPSec security association.
2. Create two separate crypto maps on R1:
- The first crypto map should be for traffic between R1 and R2.
- The second crypto map should be for traffic between R1 and R3.
- Separate named access-lists should identify traffic from R1 to R2 LANs and from
R1 to R3 LANs.
- Apply the crypto maps to the appropriate FR sub-interfaces.
3. Create a crypto map on R2 and R3:
- The crypto map should contain separate crypto map entries for each destination.
- Separate named access-lists should identify traffic from their LANs to their remote
neighbors’ LANs.
- Apply the crypto map to the appropriate FR interface on each router.
4. Test the IPSec tunnel configuration using the appropriate show commands and ping
between hosts.
NAT
The AGC requires NAT to be configured on the R1 router. For testing purposes, a loopback
interface will be created.
Check List
4. R1, R2, and R3 should connect over the Frame Relay connection.
5. The ISDN dial backup interface should become active five seconds after the primary Frame Relay sub-interfaces are down.
6. Floating static routes should be installed in R1 and R3 routing tables if the primary link fails.
7. EIGRP should propagate a default route to R2 but should not be allowed over the ISDN links.
8. LAN traffic over the FR network should be encrypted with IPSec tunnels using pre-shared keys.
CCNP 2 Skills-Based Assessment Version 2 – Solutions
All features included in this Skills-Based Assessment should be tested on the test equipment
and IOS versions. Some features may not work properly.
Only use a 1700 router if it has an IOS that incorporates feature set IP PLUS IPSEC 56.
R1, c2600-jk8s-mz_122-12b.bin (Cisco 2600): BRI Interface, Serial Asynchronous Interface, Ethernet Interface
R2, c2600-jk8s-mz_122-12b.bin (Cisco 2600): Serial Interface, Ethernet Interface, AUX Port
R3, c2600-jk8s-mz_122-12b.bin (Cisco 2600): Serial Interface, Ethernet Interface
Sample Router Configurations
The following output is from each router platform. It includes a sample running configuration:
R1#show running-config
R1#sho run
Building configuration...
!
interface Loopback0
description Simulates external link
ip address 200.200.200.1 255.255.255.0
ip nat outside
!
interface FastEthernet0/0
description R1 LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface Serial0/0
description Main Frame Relay interface
no ip address
encapsulation frame-relay
no ip split-horizon eigrp 100
no ip mroute-cache
no fair-queue
cdp enable
!
interface Serial0/0.102 point-to-point
description Frame Relay subinterface to R2
ip address 10.1.1.5 255.255.255.252
ip nat inside
frame-relay interface-dlci 102
crypto map VPN-2-R2
!
interface Serial0/0.103 point-to-point
description Frame Relay subinterface to R3
backup delay 5 20
backup interface Dialer0
ip address 10.1.1.9 255.255.255.252
ip nat inside
frame-relay interface-dlci 103
crypto map VPN-2-R3
!
interface BRI0/0
description Main BRI interface
no ip address
encapsulation ppp
dialer pool-member 1
isdn switch-type basic-ni
isdn spid1 51055510000001 5551000
isdn spid2 51055510010001 5551001
ppp authentication chap
!
!
interface Dialer0
description Backup interface for the FR link
ip address 10.1.1.13 255.255.255.252
ip nat inside
encapsulation ppp
dialer pool 1
dialer remote-name R3
dialer string 5552000
dialer string 5552001
dialer load-threshold 1 either
dialer-group 1
ppp authentication chap
ppp multilink
!
router eigrp 100
passive-interface Dialer0
network 10.0.0.0
network 192.168.1.0
network 200.200.200.0
no auto-summary
!
ip nat pool NAT4AGC 100.100.100.1 100.100.100.20 netmask 255.255.255.0
ip nat inside source list 1 pool NAT4AGC
ip classless
ip default-network 200.200.200.0
ip route 0.0.0.0 0.0.0.0 Loopback0
ip http server
!
!
ip access-list extended ENCRYPT-TO-R2
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
R1#
R2#show running-config
R2#sho run
Building configuration...
interface Serial0/0.201 point-to-point
description FR subinterface to Hub - R1
ip address 10.1.1.6 255.255.255.252
frame-relay interface-dlci 201
crypto map VPN
!
!
interface Async65
description Asynchronous Dial-up interface for telecommuter
ip unnumbered FastEthernet0/0
encapsulation ppp
async mode dedicated
peer default ip address pool LOCALPOOL
ppp authentication chap
!
router eigrp 100
network 10.0.0.0
network 192.168.2.0
no auto-summary
!
ip local pool LOCALPOOL 192.168.2.20
ip default-gateway 192.168.2.1
ip classless
ip http server
!
!
ip access-list extended VPN-1
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
R2#
R3#show running-config
R3#sho run
Building configuration...
duplex auto
speed auto
!
interface Serial0/0
description Main FR interface
no ip address
encapsulation frame-relay
no ip mroute-cache
no fair-queue
cdp enable
no frame-relay inverse-arp IP 302
frame-relay lmi-type ansi
!
interface Serial0/0.301 point-to-point
description FR subinterface to Hub - R1
ip address 10.1.1.10 255.255.255.252
frame-relay interface-dlci 301
crypto map VPN
!
interface BRI0/0
description Main BRI interface
no ip address
encapsulation ppp
dialer pool-member 1
isdn switch-type basic-ni
isdn spid1 51055520000001 5552000
isdn spid2 51055520010001 5552001
ppp authentication chap
!
interface Dialer0
description Backup interface for FR link
ip address 10.1.1.14 255.255.255.252
encapsulation ppp
dialer pool 1
dialer remote-name R1
dialer string 5551000
dialer string 5551001
dialer load-threshold 1 either
dialer-group 1
ppp authentication chap
ppp multilink
!
router eigrp 100
passive-interface Dialer0
network 10.0.0.0
network 192.168.3.0
no auto-summary
!
ip classless
ip route 192.168.1.0 255.255.255.0 10.1.1.13 95
ip http server
!
!
ip access-list extended VPN-1
permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
password cisco
!
end
R3#
Verifying the ISDN Backup Line
To verify the ISDN backup line, perform an extended ping from the R1 LAN to the R3 LAN and
repeat the ping 1000 times. While the pings are crossing the FR link, unplug the serial cable to
force a failure of the primary link. Observe that the pings can no longer cross the link until the
backup line, Dialer 0, is activated.
The following is a sample output:
R1#ping
Protocol [ip]:
Target IP address: 192.168.3.1
Repeat count [5]: 1000
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!.
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
00:11:56: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0/0:1, changed
state to up!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
00:11:58: %ISDN-6-CONNECT: Interface BRI0/0:1 is now connected to 5552000
R3!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!
00:12:09: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
00:12:10: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed
state to up!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
<Output Omitted>
R1#
Verifying NAT
To verify NAT, ping a nonexistent IP address such as 200.200.200.2. Use the show ip nat
translations command to verify:
Verifying VPN
To verify that IPSec is encrypting the traffic between R3 and the R1 and R2 LANs, use the
show crypto ipsec sa command and an extended ping.
Here is a sample output:
R3#ping
Protocol [ip]:
Target IP address: 192.168.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.3.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 44/49/52 ms
R3#ping
Protocol [ip]:
Target IP address: 192.168.2.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.3.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 88/89/92 ms
interface: Serial0/0.301
Crypto map tag: VPN, local addr. 10.1.1.10
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress
failed: 0
#send errors 1, #recv errors 0
inbound ah sas:
outbound ah sas:
inbound ah sas:
inbound pcp sas:
outbound ah sas:
R3#
CCNP 2 Skills-Based Assessment Version 3
Scenario
The Air Guitar Company (AGC) requires a full mesh Frame Relay topology between R1, R2,
and R3. Mission critical data is exchanged between all sites. Therefore, the AGC requires the
FR links to be backed up with ISDN.
To help secure mission critical data, an IPSec VPN will be used between FR links and PPP
CHAP will be used between ISDN and PSTN connections.
44 - 65 CCNP 2: Remote Access v3.0 – Skills-Based Assessment Version 3 - Solutions Copyright 2004, Cisco Systems, Inc.
Generic Tasks
• Physically connect the network devices according to the network diagram. Ensure that
the correct cables are connected to the appropriate Adtran ports.
• Use the private network address 192.168.x.0/24 for each router LAN, where the “x”
refers to the router number:
- For example, the R1 LAN should be assigned the network address 192.168.1.0
/24.
• The WAN provider supplying the FR, ISDN, and PSTN circuits has assigned the AGC
the 10.1.1.0 /24 subnet:
- Use VLSM whenever possible.
• On all three routers, configure the following:
- Configure Telnet support.
- Configure the privileged EXEC mode password cisco.
- Configure local username and password entries for the remote router where
needed. The password must be cisco. For example, username R1
password cisco.
- Create a local username called USER with the password cisco.
• AAA authentication must be configured on all routers:
- Create an entry to authenticate all login attempts to the local database.
- Create a second AAA entry to authenticate all PPP CHAP challenges to the
local database.
The AGC wants a full mesh Frame Relay network between R1, R2, and R3.
1. Configure a full mesh, point-to-point Frame Relay network on all three routers. Use the
appropriate show commands to discover the locally attached DLCI.
2. Configure point-to-point sub-interfaces to directly connect to each router:
- R1 and R2 belong to the 10.1.1.20 /30 subnet.
- R1 and R3 belong to the 10.1.1.24 /30 subnet.
- R2 and R3 belong to the 10.1.1.28 /30 subnet.
3. Configure EIGRP on all routers to advertise their directly connected networks. Verify
that all routers have a complete routing table.
ISDN connection between R1 and R3
The AGC wants an ISDN DDR link between R1 and R3 in case the FR link fails:
PSTN connection on R1
1. Configure the asynchronous dial-up connections using the AUX port on R1 to support
a dial-up connection from a host.
2. The AUX port must automatically discover the modem type and configure it.
3. The asynchronous interface should share the Fa0/0 IP address.
4. The router should authenticate using CHAP.
5. Configure PPP dedicated mode. The EXEC prompt should not appear and the router
will not be available for EXEC mode access unless the user Telnets from the host.
6. R1 should always assign a host the address 10.1.1.10.
7. Configure the host to dial 555-6001 to access the AGC network.
VPN connection between FR links
The AGC requires secure IPSec Frame Relay VPNs between the R1 and R2, R1 and R3, and R2
and R3 LANs.
1. Configure an ISAKMP policy, pre-shared key, and transform set on all routers:
- The ISAKMP policy suite is to use pre-shared key authentication.
- The pre-shared key should be CISCO123.
- The transform-set is to use esp-des to build the IPSec security association.
2. Create two separate crypto maps on R1:
- The first crypto map should be for traffic between R1 and R2.
- The second crypto map should be for traffic between R1 and R3.
- Separate named access-lists should identify traffic from the R1 LAN to the R2 LAN and
from the R1 LAN to the R3 LAN.
- Apply the crypto maps to the appropriate FR sub-interfaces.
3. Create a crypto map on R2 and R3.
- The crypto map should contain separate crypto map entries for each destination.
- Separate access-lists should identify traffic from their respective LANs to their
remote neighbors’ LANs.
- Apply the crypto map to the appropriate FR interface on each router.
4. Test the IPSec tunnel configuration using the appropriate show commands and ping
between hosts.
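The VPN tasks above, written out for both ends of the R1-to-R2 tunnel plus R1's second map to R3 in this Version 3 topology, as an added example that is not part of the original solution (the Version 2 task list takes the same commands with that version's addresses). The key, crypto map names, access-list numbers and peer addresses come from the sample configurations on this page; the ISAKMP policy number 10, the crypto map sequence number 10 and the transform-set names AGC-DES and AGC-DES-SHA are assumptions.

```cisco
! Added example (not from the original solution), entered in global configuration mode.
! From the page: key CISCO123, esp-des, map names VPN-2-R2 / VPN-2-R3 / VPN-2-R1,
! access-lists 111 and 112, and the Frame Relay sub-interface addresses.
! Assumed: policy number 10, map sequence number 10, transform-set names.
!
! ---------- R1 ----------
crypto isakmp policy 10
 authentication pre-share
 encryption des
 group 1
!
! One key statement per IKE peer; each address is the far end of a PVC.
crypto isakmp key CISCO123 address 10.1.1.22
crypto isakmp key CISCO123 address 10.1.1.26
!
! Transform set required by the task: ESP with DES and no authentication transform.
crypto ipsec transform-set AGC-DES esp-des
!
! Applied on Serial0/0.102; access-list 111 is 192.168.1.0 -> 192.168.2.0.
crypto map VPN-2-R2 10 ipsec-isakmp
 set peer 10.1.1.22
 set transform-set AGC-DES
 match address 111
!
! Applied on Serial0/0.103; access-list 112 is 192.168.1.0 -> 192.168.3.0.
crypto map VPN-2-R3 10 ipsec-isakmp
 set peer 10.1.1.26
 set transform-set AGC-DES
 match address 112
!
! ---------- R2 (other end of the R1-to-R2 tunnel) ----------
! R2's tunnel to R3 follows the same pattern with peer 10.1.1.30,
! access-list 112 and crypto map VPN-2-R3.
crypto isakmp policy 10
 authentication pre-share
 encryption des
 group 1
!
crypto isakmp key CISCO123 address 10.1.1.21
!
crypto ipsec transform-set AGC-DES esp-des
!
! Applied on Serial0/0.201. R2's access-list 111 (192.168.2.0 -> 192.168.1.0)
! is the mirror image of R1's access-list 111; the two ends must describe the
! same traffic in opposite directions or the IPSec SA will not be negotiated.
crypto map VPN-2-R1 10 ipsec-isakmp
 set peer 10.1.1.21
 set transform-set AGC-DES
 match address 111
!
! ---------- Integrity variant (outside the stated task) ----------
! esp-des alone encrypts but does not authenticate packets, which matches the
! "#pkts digest 0" and "#pkts verify 0" counters in the sample
! show crypto ipsec sa output on this page. Adding an ESP authentication
! transform on both peers gives every packet an integrity check:
!
! crypto ipsec transform-set AGC-DES-SHA esp-des esp-sha-hmac
!
! The image named on this page is a 56-bit (DES) image, so a stronger cipher
! than DES would need a different IOS image.
```

Both peers of a tunnel must carry the same key and a matching transform set; a mismatch on either shows up as an extended ping that never succeeds and packet counters that stay at zero in show crypto ipsec sa.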
NAT
The AGC requires NAT to be configured on the R1 router. For testing purposes, a loopback
interface will be created.
Check List
4. R1, R2, and R3 should connect over the Frame Relay connection.
5. The ISDN dialer watch should become active after the primary Frame Relay sub-interfaces are down.
6. Floating static routes should be installed on the routers’ routing tables if the primary link fails.
7. EIGRP should propagate a default route to R2 and R3 but should not be allowed over the ISDN links.
8. LAN traffic over the FR network should be encrypted with IPSec tunnels using pre-shared keys.
CCNP 2 Skills-Based Assessment Version 3 – Solution
All features included in this Skills-Based Assessment should be tested on the test equipment
and IOS versions. Some features may not work properly.
Do not use a Cisco 1700 series router, since it may not have an IOS that supports IPSec.
R1, c2600-jk8s-mz_122-12b.bin (Cisco 2600): PRI Interface, Serial Asynchronous Interface, AUX Port, Ethernet Interface
R2, c2600-jk8s-mz_122-12b.bin (Cisco 2600): Serial Interface, BRI Interface, Ethernet Interface
R3, c2600-jk8s-mz_122-12b.bin (Cisco 2600): Serial Interface, BRI Interface, Ethernet Interface
Sample Router Configurations
The following output is for each router platform. It includes a sample running configuration:
R1#show running-config
Building configuration...
!
controller T1 1/0
framing esf
linecode b8zs
pri-group timeslots 1-24
!
!
!
interface Loopback0
ip address 200.200.200.1 255.255.255.0
ip nat outside
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
no keepalive
speed 100
full-duplex
!
interface Serial0/0
no ip address
encapsulation frame-relay
no ip mroute-cache
cdp enable
frame-relay lmi-type ansi
!
interface Serial0/0.102 point-to-point
ip address 10.1.1.21 255.255.255.252
ip nat inside
frame-relay interface-dlci 102
crypto map VPN-2-R2
!
interface Serial0/0.103 point-to-point
ip address 10.1.1.25 255.255.255.252
ip nat inside
frame-relay interface-dlci 103
crypto map VPN-2-R3
!
interface BRI0/0
no ip address
encapsulation hdlc
shutdown
isdn switch-type basic-ni
!
interface Serial0/1
no ip address
shutdown
!
interface Serial1/0:23
ip address 10.1.1.1 255.255.255.248
ip nat inside
encapsulation ppp
dialer map ip 10.1.1.2 name R2 5551000
dialer map ip 10.1.1.2 name R2 5551001
dialer map ip 10.1.1.3 name R3 5552000
dialer map ip 10.1.1.3 name R3 5552001
dialer watch-group 2
dialer watch-group 1
dialer-group 1
isdn switch-type primary-ni
ppp authentication chap
ppp multilink
!
interface Async65
ip unnumbered FastEthernet0/0
encapsulation ppp
async mode interactive
peer default ip address pool LOCALPOOL
ppp authentication chap
!
router eigrp 100
network 10.0.0.0
network 192.168.1.0
network 200.200.200.0
no auto-summary
!
ip local pool LOCALPOOL 10.1.1.10
ip nat pool OUTSIDE 100.100.100.65 100.100.100.126 netmask 255.255.255.192
ip nat inside source list 1 pool OUTSIDE overload
ip classless
ip default-network 200.200.200.0
ip route 0.0.0.0 0.0.0.0 Loopback0
ip route 192.168.2.0 255.255.255.0 10.1.1.2 125
ip route 192.168.3.0 255.255.255.0 10.1.1.3 125
no ip http server
!
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 111 remark crypto_list_to R2
access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 112 remark crypto_list_to R3
access-list 112 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
dialer watch-list 2 ip 192.168.3.0 255.255.255.0
dialer watch-list 1 ip 192.168.2.0 255.255.255.0
dialer-list 1 protocol ip permit
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
modem InOut
modem autoconfigure discovery
transport input all
autoselect ppp
stopbits 1
speed 115200
flowcontrol hardware
line vty 0 4
!
end
R1#sho ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter
area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
R2#show running-config
Building configuration...
ip address 192.168.2.1 255.255.255.0
no keepalive
speed 100
full-duplex
!
interface Serial0/0
bandwidth 64000
no ip address
encapsulation frame-relay
no ip mroute-cache
no fair-queue
cdp enable
!
interface Serial0/0.201 point-to-point
ip address 10.1.1.22 255.255.255.252
frame-relay interface-dlci 201
crypto map VPN-2-R1
!
interface Serial0/0.203 point-to-point
ip address 10.1.1.29 255.255.255.252
frame-relay interface-dlci 203
crypto map VPN-2-R3
!
interface BRI0/0
no ip address
encapsulation ppp
dialer pool-member 1
isdn switch-type basic-ni
isdn spid1 51055510000001 5551000
isdn spid2 51055510010001 5551001
ppp authentication chap
!
interface Serial0/1
no ip address
shutdown
!
interface Dialer0
ip address 10.1.1.2 255.255.255.248
encapsulation ppp
dialer pool 1
dialer remote-name R1
dialer string 5555000
dialer-group 1
ppp authentication chap
!
router eigrp 100
passive-interface Dialer0
network 10.0.0.0
network 192.168.2.0
no auto-summary
!
ip classless
ip route 192.168.1.0 255.255.255.0 10.1.1.1 95
ip route 192.168.3.0 255.255.255.0 10.1.1.3 125
no ip http server
!
access-list 111 remark --CRYPTO LIST TO R1--
access-list 111 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 112 remark --CRYPTO LIST TO R3--
access-list 112 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
end
R2#sho ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter
area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
R3#show running-config
Building configuration...
no keepalive
speed 100
full-duplex
!
interface Serial0/0
bandwidth 64000
no ip address
encapsulation frame-relay
no ip mroute-cache
cdp enable
frame-relay lmi-type ansi
!
interface Serial0/0.301 point-to-point
description FR Subinterface to R1
ip address 10.1.1.26 255.255.255.252
frame-relay interface-dlci 301
crypto map VPN-2-R1
!
interface Serial0/0.302 point-to-point
description FR Subinterface to R2
ip address 10.1.1.30 255.255.255.252
frame-relay interface-dlci 302
crypto map VPN-2-R2
!
interface BRI0/0
no ip address
encapsulation ppp
dialer pool-member 1
isdn switch-type basic-ni
isdn spid1 51055520000001 5552000
isdn spid2 51055520010001 5552001
ppp authentication chap
!
interface Serial0/1
no ip address
shutdown
!
interface Dialer0
ip address 10.1.1.3 255.255.255.248
encapsulation ppp
dialer pool 1
dialer remote-name R1
dialer string 5555000
dialer-group 1
ppp authentication chap
!
router eigrp 100
passive-interface Dialer0
network 10.0.0.0
network 192.168.3.0
no auto-summary
!
ip classless
ip route 192.168.1.0 255.255.255.0 10.1.1.1 95
ip route 192.168.2.0 255.255.255.0 10.1.1.2 125
no ip http server
!
access-list 111 remark --CRYPTO LIST TO R1--
access-list 111 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 remark --CRYPTO LIST TO R1--
access-list 112 remark --CRYPTO LIST TO R2--
access-list 112 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 112 remark --CRYPTO LIST TO R2--
dialer-list 1 protocol ip permit
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
end
R3#
R3#sho ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter
area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Verifying the ISDN Backup Line
To verify the ISDN backup feature, perform an extended ping from the R2 LAN to the R3 LAN
and repeat the ping 1000 times.
Here is a sample output:
R2#ping
Protocol [ip]:
Target IP address: 192.168.3.1
Repeat count [5]: 1000
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.2.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
.
04:53:14: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down.
04:53:14: %DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 10.1.1.21
(Serial0/0.201) is down: interface down
04:53:14: %DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 10.1.1.30
(Serial0/0.203) is down: interface down
04:53:15: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed
state to down
04:53:16: ISDN BR0/0: TX -> SETUP pd = 8 callref = 0x04
04:53:16: Bearer Capability i = 0x8890
04:53:16: Channel ID i = 0x83
04:53:16: Keypad Facility i = '5555000'
04:53:16: ISDN BR0/0: RX <- CALL_PROC pd = 8 callref = 0x84
04:53:16: Channel ID i = 0x89
04:53:16: ISDN BR0/0: RX <- CONNECT pd = 8 callref = 0x84
04:53:16: Channel ID i = 0x89
04:53:16: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to up
04:53:16: %DIALER-6-BIND: Interface BR0/0:1 bound to profile Di0.
04:53:16: BR0/0:1 PPP: Using dialer call direction
04:53:16: BR0/0:1 PPP: Treating connection as a callout
04:53:16: ISDN BR0/0: TX -> CONNECT_ACK pd = 8 callref = 0x04
04:53:16: BR0/0:1 CHAP: O CHALLENGE id 22 len 23 from "R2"
04:53:16: BR0/0:1 CHAP: I CHALLENGE id 10 len 23 from "R1"
04:53:16: BR0/0:1 CHAP: O RESPONSE id 10 len 23 from "R2"
04:53:16: BR0/0:1 CHAP: I SUCCESS id 10 len 4
04:53:16: BR0/0:1 CHAP: I RESPONSE id 22 len 23 from "R1"
04:53:16: BR0/0:1 CHAP: O SUCCESS id 22 len 4
04:53:17: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0/0:1, changed
state to up...
04:53:22: %ISDN-6-CONNECT: Interface BRI0/0:1 is now connected to 5555000 R1
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!
The pings are using the ISDN link between R2 and R1 and the FR link
between R1 and R3.
To test R1’s backup feature to R3, unplug the serial cable on R1.
.........
The pings should be successful after the backup feature activates on R1.
The BRI interface on R3 should now be active.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 98 percent (983/1000), round-trip min/avg/max = 56/63/92 ms
R2#
Verifying NAT
To verify NAT, ping a nonexistent IP address such as 200.200.200.2 from R2:
R2#ping
Protocol [ip]:
Target IP address: 200.200.200.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.2.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 200.200.200.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
....
Verifying VPN
To verify that IPSec is encrypting the traffic between R3 and the R1 and R2 LANs, use the
show crypto ipsec sa command and an extended ping.
Here is a sample output:
R1#clear crypto sa
R1#ping
Protocol [ip]:
Target IP address: 192.168.2.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 44/48/52 ms
R1#ping
Protocol [ip]:
Target IP address: 192.168.3.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 44/47/48 ms
interface: Serial0/0.102
Crypto map tag: VPN-2-R2, local addr. 10.1.1.21
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 10.1.1.22
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 0
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed:
0
#send errors 1, #recv errors 0
inbound ah sas:
outbound ah sas:
interface: Serial0/0.103
Crypto map tag: VPN-2-R3, local addr. 10.1.1.25
current outbound spi: EB113F31
inbound ah sas:
outbound ah sas:
R1#