En CCNP2 SBA IV v31

CCNP 2 Skills-Based Assessment Version 1
Scenario
Due to the volume of information shared, the Air Guitar Company (AGC) requires a Frame
Relay link between its central site, which is R1 in the diagram, and a branch site, which is R2.
For fault tolerance, the FR link will be backed up with ISDN. The AGC also has a small SOHO
site, which is represented by R3, that periodically connects through an asynchronous dial-up
connection to download corporate e-mail and verify the status of orders.
To secure mission critical data traffic, IPSec VPN will be used between FR links, and PPP
CHAP will be used between ISDN and PSTN connections.
1 - 65 CCNP 2: Remote Access v3.1 – Skills-Based Assessment Version 1 Copyright  2005, Cisco Systems, Inc.
QoS will also be configured between the Frame Relay links.
Generic Tasks
• Physically connect the network devices according to the network diagram. Ensure that
the correct cables are connected to the appropriate Adtran ports.
• The WAN provider supplying the FR, ISDN, and PSTN circuits has assigned the AGC
the 10.1.1.0 /24 subnet.
- Use VLSM whenever possible.
• Use the private network address 192.168.x.0/24 for each router LAN, where the “x”
refers to the router number.
- For example, the R1 LAN should be assigned the network address 192.168.1.0
/24.
• AAA authentication must be configured on all routers.
- Create an entry to authenticate all login attempts to the local database.
- Create a second AAA entry to authenticate all PPP CHAP challenges to the
local database.
• On all three routers, configure the following:
- Configure Telnet support.
- Configure the privileged EXEC mode password cisco.
- Configure local username and password entries for the remote router where
needed. The password must be cisco. For example, username R1
password cisco.
- Configure a local username called USER with the password cisco.
Frame Relay connection between R1 and R2
The AGC wants a Frame Relay link using sub-interfaces between R1 and R2.
1. DLCI 102 directly connects to DLCI 201. Use the appropriate show commands to
discover the locally attached DLCI.
2. Configure R1 and R2 for Frame Relay adaptive traffic shaping. Upon receiving a
BECN notice, all routers will be configured to throttle down to the contracted service
rate of CIR = 16000, BC = 64000, and Be = 64000.
3. To test the Frame Relay configuration, ping the sub-interfaces of R1 from R2.
ISDN connection between R1 and R2
The AGC wants an ISDN DDR link between R1 and R2 in case the FR link fails. The two sites will
use EIGRP between them.
1. Configure PPP CHAP to secure the ISDN connections.

2. Use dialer interfaces on each router.
3. Configure the SPID information from the network diagram. The ISDN switch type for
the ISDN BRI connection is “basic-ni.”
4. On R1, configure the following:
- Configure the PRI interface.
- The ISDN switch type is “primary-ni.”
- Configure the T1 controller to use “esf” framing and “b8zs” line coding, and set the
T1 controller to use all timeslots.
- The dialer 0 interface on R1 should be configured to connect to R2.
- Configure the BRI interface with the indicated SPIDs.
- The ISDN switch type is “basic-ni.”
- The dialer 0 interface should be configured to connect to R1 using the local
number 555-5000.
6. Configure a dialer watch on each router to activate in case the primary FR link fails.
7. EIGRP should not be allowed over the ISDN links.
VPN Connection between FR links
The AGC requires IPSec to encrypt traffic between the R1 and R2 LANs when traversing the
Frame Relay link.
1. Create an access list on the R1 and R2 routers to identify traffic from their LANs to be
encrypted when traffic is destined for their remote neighbors’ LANs.
2. Configure the ISAKMP policy suite on R1 and R2 and manually configure the same
pre-shared key on both routers to use pre-shared keys authentication.
3. Configure the transform-set to use esp-des to build the IPSec security association.
4. Apply the crypto map to the appropriate FR interfaces on the R1 and R2 routers.
5. Test the IPSec tunnel configuration by using the appropriate debug commands to
monitor IPSec activity and ping Host C from Host B.
PSTN connection between R1 and R3
The SOHO site R3 occasionally connects to the central site R1. For this reason, an asynchronous
dial-up connection has been provisioned between the sites. The central site has negotiated a very
low toll cost. For this reason, R1 should be configured to call R3 when R3 initiates a connection.
No dynamic routing should be configured over the link. Instead, a static and default route should
be configured on the respective routers.
1. Configure the asynchronous dial-up connections:

- Use the AUX port on R1.
- Use the Serial 0//0 port on R3.
2. The asynchronous ports must automatically discover the modem type and configure it.
3. Chat Scripts are required.
4. R1 must dial 555-6002 to establish a PSTN connection with R3.
5. R3 must dial 555-6001 to establish a PSTN connection with R1.
6. Configure PPP dedicated mode on R1 and R3.
7. The routers should authenticate using CHAP.
8. Use a static route and a default where appropriate to provide connectivity.
9. To maintain lower toll charges, the R1 router should call back the R3 router:
- Use an extended ping from the R3 router LAN interface to the R1 LAN interface to
verify.
QoS between FR links
The AGC wants to test QoS over the FR link. To test the link, they require that Telnet traffic
should be guaranteed 16 Kbps of the FR bandwidth.
1. Configure class-based weighted fair queuing (CBWFQ) on R1 and R2 to guarantee

the use of 16 Kbps of Frame Relay bandwidth for Telnet traffic coming from any
source to any destination.
2. Use the appropriate show commands to verify the QoS configurations.
Check List
1 AAA should be configured on all routers.
2 Telnet access should be configured on every router
Host C should initiate a dial-up, callback connection when it attempts to ping

3
another valid WAN IP address.
4 R1 and R2 should connect successfully over the Frame Relay connection.
R1 and R2 should be configured to adapt to BECN notices for Frame Relay traffic
7
shaping.
The ISDN dial backup interface should become active within a few seconds after
8
unplugging the serial interface.
EIGRP should propagate a default route to R2 but should not be allowed over the
9
ISDN links.
LAN traffic from R1 and R2 should be encrypted with an IPSec tunnel using pre-
10
shared keys.
Telnet traffic should be guaranteed 16 Kbps of Frame Relay bandwidth using
11
CBWFQ.
12 Callback must be configured correctly.
Skills-Based Assessment Version 1 – Solutions
All features included in this Skills-Based Assessment should be tested on the test equipment
and IOS versions. Some features, such as PPP Callback and Dialer Watch, are sensitive and
may not work properly.
The following output was generated for the different devices:
Device IOS version Specifics / Interfaces
PRI Interface (T1 controller)

R1 Serial Asynchronous Interface
c2600-jk8s-mz_122-12b.bin
(Cisco 2600) Aux Port
Ethernet Interface
R2 Serial Interface
(Cisco 2600) Ethernet Interface
R3 Serial Interface
c1700-sy-mz.122-4.YB.bin
Modems Hayes Accura 56 K
6 - 65 CCNP 2: Remote Access v3.1 – Skills-Based Assessment Version 1 - Solutions Copyright  2005, Cisco Systems, Inc.
Sample Router Configurations
The following output is from each router platform. It includes a sample running configuration:
R1#show running-config
R1#sho run
Building configuration...
Current configuration : 3208 bytes

!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R1
!
aaa new-model
aaa authentication login default local
aaa authentication ppp default local
enable password cisco
!
username R1 password 0 cisco
username USER password 0 cisco
memory-size iomem 10
ip subnet-zero
!
!
!
!
class-map match-all 4-TELNET
match access-group 101
!
!
policy-map BW-4-TELNET
class 4-TELNET
bandwidth 16
!
!
crypto isakmp policy 100
authentication pre-share
crypto isakmp key GOLDKEY123 address 10.1.1.6
!
!
crypto ipsec transform-set MYSET esp-des
!
crypto map VPN-2-R2 10 ipsec-isakmp
set peer 10.1.1.6
set transform-set MYSET
match address 102
!
isdn switch-type primary-ni
chat-script HAYES ABORT ERROR ABORT BUSY "" "ATZ" OK "ATDT \T" TIMEOUT 30
CONNECT \c
call rsvp-sync
!
!
!
!
!
!
controller T1 1/0
framing esf
linecode b8zs
pri-group timeslots 1-24
!
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
no ip address
encapsulation frame-relay
no ip mroute-cache
no fair-queue
cdp enable
frame-relay traffic-shaping
!
interface Serial0/0.102 point-to-point
ip address 10.1.1.5 255.255.255.252
frame-relay class TS
frame-relay interface-dlci 102
crypto map VPN-2-R2
!
interface BRI0/0
no ip address
encapsulation hdlc
shutdown
isdn switch-type basic-ni
!
interface Serial0/1
no ip address
shutdown
!
interface Serial1/0:23
no ip address
encapsulation ppp
dialer pool-member 1
fair-queue 64 256 0
ppp authentication chap
!
interface Async65
ip address 10.1.1.17 255.255.255.252
encapsulation ppp
dialer in-band
dialer map ip 10.1.1.18 name R3 class DIAL-BACK modem-script HAYES 5556002
dialer-group 2
async mode dedicated
ppp callback accept
ppp authentication chap callin
!
interface Dialer0
description Backup connection to R2
ip address 10.1.1.9 255.255.255.252
encapsulation ppp
dialer pool 1
dialer remote-name R2
dialer watch-disable 5
dialer string 5551000
dialer watch-group 1
dialer-group 1
!
router eigrp 1
network 10.1.1.4 0.0.0.3
network 10.1.1.8 0.0.0.3
network 192.168.1.0
auto-summary
!
ip classless
ip default-network 192.168.1.0
ip route 192.168.3.0 255.255.255.0 10.1.1.18
ip http server
!
!
map-class frame-relay TS
frame-relay cir 32000
frame-relay bc 64000
frame-relay be 64000
frame-relay adaptive-shaping becn
service-policy output BW-4-TELNET
!
map-class dialer DIAL-BACK
dialer callback-server username
access-list 101 permit tcp any any eq telnet
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 deny eigrp any any
access-list 103 permit ip any any
dialer watch-list 1 ip 192.168.2.0 255.255.255.0
dialer-list 1 protocol ip list 103
dialer-list 2 protocol ip permit
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
modem InOut
modem autoconfigure discovery
transport input all
stopbits 1
speed 57600
flowcontrol hardware
line vty 0 4
password cisco
!
end
R1#
R1#sho ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter
area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks

C 10.1.1.8/30 is directly connected, Dialer0
D 10.0.0.0/8 is a summary, 00:32:59, Null0
C 10.1.1.4/30 is directly connected, Serial0/0.102
C 10.1.1.16/30 is directly connected, Async65
C* 192.168.1.0/24 is directly connected, FastEthernet0/0
D 192.168.2.0/24 [90/20514560] via 10.1.1.6, 00:32:46, Serial0/0.102
S 192.168.3.0/24 [1/0] via 10.1.1.18
R1#
R2#sho run

!
version 12.2
!
hostname R2
!
aaa new-model
!
ip subnet-zero
!
!
!
!
class-map match-all 4-TELNET
match access-group 101
!
!
policy-map BW-4-TELNET
class 4-TELNET
bandwidth 16
!
!
crypto isakmp key GOLDKEY123 address 10.1.1.5
!
!
crypto ipsec transform-set MYSET esp-des
!
set peer 10.1.1.5
set transform-set MYSET
match address 102
!
call rsvp-sync
!
!
!
!
!
!
!
!
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
no ip address
no ip mroute-cache
no fair-queue
cdp enable
frame-relay traffic-shaping
frame-relay lmi-type ansi
!
ip address 10.1.1.6 255.255.255.252
frame-relay class TS
crypto map VPN-2-R1
!
interface BRI0/0
no ip address
encapsulation ppp
isdn spid1 51055510000001 5551000
isdn spid2 51055510010001 5551001
!
interface Serial0/1
no ip address
shutdown
!
interface Dialer0
ip address 10.1.1.10 255.255.255.252
encapsulation ppp
dialer pool 1
dialer watch-disable 5
dialer-group 1
!
router eigrp 1
network 10.1.1.4 0.0.0.3
network 10.1.1.8 0.0.0.3
network 192.168.2.0
auto-summary
!
ip classless
ip http server
!
!
map-class frame-relay TS
frame-relay cir 32000
frame-relay bc 64000
frame-relay be 64000
frame-relay adaptive-shaping becn
service-policy output BW-4-TELNET
access-list 101 permit tcp any any eq telnet
access-list 103 deny eigrp any any
access-list 103 permit ip any any
dialer-list 1 protocol ip list 103
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
password cisco
!
end
R2#
R2#sho ip rou
area
Gateway of last resort is 10.1.1.5 to network 192.168.1.0

D 10.0.0.0/8 is a summary, 00:33:45, Null0
D* 192.168.1.0/24 [90/20514560] via 10.1.1.5, 00:33:44, Serial0/0.201
C 192.168.2.0/24 is directly connected, FastEthernet0/0
R2#
R3#sho run

!
version 12.2
!
hostname R3
!
aaa new-model
!
!
aaa session-id common
!
ip subnet-zero
!
!
no ip domain lookup
!
!
chat-script HAYES ABORT ERROR ABORT BUSY "" "ATZ" OK "ATDT \T" TIMEOUT 30
CONNECT \c
!
!
!
interface FastEthernet0
ip address 192.168.3.1 255.255.255.0
speed auto
!
interface Serial0
physical-layer async
ip address 10.1.1.18 255.255.255.252
encapsulation ppp
dialer in-band
dialer map ip 10.1.1.17 name R1 modem-script HAYES 5556001
dialer-group 1
ppp callback request
!
interface Serial1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.17
ip http server
ip pim bidir-enable
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line 1
flush-at-activation
modem InOut
transport input all
stopbits 1
speed 115200
line aux 0
password cisco
line vty 0 4
password cisco
!
end
R3#sho ip rou
area
10.0.0.0/30 is subnetted, 1 subnets

C 10.1.1.16 is directly connected, Serial0
C 192.168.3.0/24 is directly connected, FastEthernet0
S* 0.0.0.0/0 [1/0] via 10.1.1.17
R3#
Verifying the ISDN Backup Line
To verify the ISDN backup line, perform an extended ping from R1 and repeat the ping 1000
times. As the pings are crossing the FR link, unplug the serial interface to force a primary rate
failure. Observe that the pings are no longer able to cross the link.
The following is a sample output:
R1#deb dialer
Dial on demand events debugging is on
R1#ping
Protocol [ip]:
Target IP address: 192.168.2.1
Repeat count [5]: 1000
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.
00:19:52: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down
00:19:52: %DUAL-5-NBRCHANGE: IP-EIGRP 1: Neighbor 10.1.1.6 (Serial0/0.102)
is down: interface down
00:19:52: DDR: Dialer Watch: watch-group = 1
00:19:52: DDR: network 192.168.2.0/255.255.255.0 DOWN,
00:19:52: DDR: primary DOWN
00:19:52: DDR: Dialer Watch: Dial Reason: Primary of group 1 DOWN
00:19:52: DDR: Dialer Watch: watch-group = 1,
00:19:52: Se1/0:23 DDR: rotor dialout [priority]
00:19:52: DDR: dialing secondary by dialer string 5551000 on Di0
00:19:52: Se1/0:23 DDR: Attempting to dial 5551000
00:19:52: DDR: Dialer Watch: watch-group = 1
00:19:52: DDR: network 192.168.2.0/255.255.255.0 DOWN,
00:19:52: DDR: primary DOWN
00:19:52: DDR: Dialer Watch: Dial Reason: Primary of group 1 DOWN
00:19:52: DDR: Dialer Watch: watch-group = 1,
00:19:52: %LINK-3-UPDOWN: Interface Serial1/0:22, changed state to up
00:19:52: Se1/0:22 DDR: Dialer Watch: resetting call in progress
00:19:52: Se1/0:22: interface must be fifo queue, force fifo
00:19:52: %DIALER-6-BIND: Interface Se1/0:22 bound to profile Di0
00:19:52: Se1/0:22 DDR: dialer protocol up.
00:19:52: %DUAL-5-NBRCHANGE: IP-EIGRP 1: Neighbor 10.1.1.10 (Dialer0) is up:
new adjacency
00:19:53: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed
state to down
00:19:53: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0:22,
changed state to up..
00:19:58: %ISDN-6-CONNECT: Interface Serial1/0:22 is now connected to
5551000 R2...!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 98 percent (987/1000), round-trip min/avg/max = 32/34/60 ms
R1#sho dialer
<Output Omitted>
Serial1/0:21 - dialer type = ISDN

Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is idle

Dialer state is data link layer up
Dial reason: Dialing on watched route loss
Interface bound to profile Di0
Time until disconnect 108 secs
Current call connected 00:01:08
Connected to 5551000 (R2)
Dial String Successes Failures Last DNIS Last status

0 incoming call(s) have been screened.
0 incoming call(s) rejected for callback.
Di0 - dialer type = DIALER PROFILE

Dialer state is data link layer up
Number of active calls = 1
Dial String Successes Failures Last DNIS Last status

5551000 3 153 00:01:09 successful Default
5551001 0 154 00:02:59 failed Default
Verifying QoS
Verifying QoS is more difficult. The simplest to verify is to see if CBWFQ is configured on the
PVC.
R1#sho frame-relay pvc 102
PVC Statistics for interface Serial0/0 (Frame Relay DTE)
DLCI = 102, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE =

Serial0/0.102
input pkts 838 output pkts 844 in bytes 87467

out bytes 88346 dropped pkts 0 in pkts dropped 0
out pkts dropped 0 out bytes dropped 0
in FECN pkts 0 in BECN pkts 0 out FECN pkts 0
out BECN pkts 0 in DE pkts 0 out DE pkts 0
out bcast pkts 530 out bcast bytes 44495
Shaping adapts to BECN
pvc create time 00:40:49, last time pvc status changed 00:19:53
cir 32000 bc 64000 be 64000 byte limit 8500 interval 125
mincir 16000 byte increment 500 Adaptive Shaping BECN
pkts 841 bytes 87479 pkts delayed 0 bytes delayed 0
shaping inactive
traffic shaping drops 0
service policy BW-4-TELNET
Serial0/0.102: DLCI 102 -
Service-policy output: BW-4-TELNET
Class-map: 4-TELNET (match-all)

0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 101
Queueing
Output Queue: Conversation 25
Bandwidth 16 (kbps) Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0
Class-map: class-default (match-any)

844 packets, 88346 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Output queue size 0/max total 600/drops 0
R1#
Verifying VPN
To verify that IPSec is encrypting the traffic between R! and R2 LANs, use the show crypto
ipsec sa command and an extended ping.
R1#show crypto ipsec sa
interface: Serial0/0.102
Crypto map tag: VPN-2-R2, local addr. 10.1.1.5
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 10.1.1.6
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress
failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.1.1.5, remote crypto endpt.: 10.1.1.6

path mtu 1500, media mtu 1500
current outbound spi: 216949B4
inbound esp sas:

spi: 0x59605C29(1499487273)
transform: esp-des ,
in use settings ={Tunnel, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: VPN-2-R2
sa timing: remaining key lifetime (k/sec): (4607960/2340)
IV size: 8 bytes
replay detection support: N
inbound ah sas:
inbound pcp sas:
outbound esp sas:

spi: 0x216949B4(560548276)
IV size: 8 bytes
outbound ah sas:
outbound pcp sas:
R1#ping
Protocol [ip]:
Repeat count [5]:
!!!!!

failed: 0

current outbound spi: 216949B4
inbound esp sas:

spi: 0x59605C29(1499487273)
IV size: 8 bytes
inbound ah sas:
inbound pcp sas:
outbound esp sas:

spi: 0x216949B4(560548276)
IV size: 8 bytes
outbound ah sas:
outbound pcp sas:
R1#
Verifying PPP Callback
The central site has negotiated a lower toll charge. Whenever R3 dials in, the R1 router should
disconnect and call back R3.
To test this feature, perform an extended ping from R3. R1 should disconnect and then call R3
to establish the connection.
The following is a sample output of a successful callback:
R3#ping
Protocol [ip]:
...........
01:44:55: %LINK-3-UPDOWN: Interface Serial0, changed state to up..
01:44:58: %LINK-5-CHANGED: Interface Serial0, changed state to reset..
01:45:03: %LINK-3-UPDOWN: Interface Serial0, changed state to
down................
01:45:35: %LINK-3-UPDOWN: Interface Serial0, changed state to up
01:45:36: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed
state to up.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
R3#
The following is a sample output of a successful callback with debug output generated by the
debug ppp callback, debug ppp negotiation, debug dialer, and debug ppp
authentication commands:
R1#
02:07:40: As65 LCP: I CONFREQ [Closed] id 34 len 28
02:07:40: As65 LCP: ACCM 0x000A0000 (0x0206000A0000)
02:07:40: As65 LCP: AuthProto CHAP (0x0305C22305)
02:07:40: As65 LCP: MagicNumber 0x096FB017 (0x0506096FB017)
02:07:40: As65 LCP: PFC (0x0702)
02:07:40: As65 LCP: ACFC (0x0802)
02:07:40: As65 LCP: Callback 0 (0x0D0300)
02:07:40: As65 LCP: Lower layer not up, Fast Starting
02:07:40: As65 PPP: Using dialer call direction
02:07:40: As65 PPP: Treating connection as a callin
02:07:40: As65 PPP: Phase is ESTABLISHING, Passive Open [0 sess, 0 load]
02:07:40: As65 LCP: State is Listen
02:07:40: As65 LCP: O CONFREQ [Listen] id 166 len 25
02:07:40: As65 LCP: ACCM 0x000A0000 (0x0206000A0000)
02:07:40: As65 LCP: MagicNumber 0x05A784D1 (0x050605A784D1)
02:07:40: As65 LCP: PFC (0x0702)
02:07:40: As65 LCP: ACFC (0x0802)
02:07:40: As65 LCP: O CONFACK [Listen] id 34 len 28
02:07:40: As65 LCP:
R1# ACCM 0x000A0000 (0x0206000A0000)
02:07:40: As65 LCP: MagicNumber 0x096FB017 (0x0506096FB017)
02:07:40: As65 LCP: PFC (0x0702)
02:07:40: As65 LCP: ACFC (0x0802)
02:07:40: As65 LCP: Callback 0 (0x0D0300)
02:07:40: %LINK-3-UPDOWN: Interface Async65, changed state to up
02:07:40: As65 DDR: Dialer statechange to up
02:07:40: As65 DDR: Dialer received incoming call from <unknown>
02:07:40: As65 LCP: I CONFACK [ACKsent] id 166 len 25
02:07:40: As65 LCP: ACCM 0x000A0000 (0x0206000A0000)
02:07:40: As65 LCP: MagicNumber 0x05A784D1 (0x050605A784D1)
02:07:40: As65 LCP: PFC (0x0702)
02:07:40: As65 LCP: ACFC (0x0802)
02:07:40: As65 LCP: State is Open
02:07:40: As65 PPP: Phase is AUTHENTICATING, by both [0 sess, 0 load]
02:07:40: As65 CHAP: O CHALLENGE id 121 len 23 from "R1"
02:07:40: As65 CHAP: I CHALLENGE id 31 len 23 from "R3"
02:07:40: As65 CHAP: Waiting for peer to authenticate first
02:07:40: As65 CHAP: I RESPONSE id 121 len 23 from "R3"
02:07:40: As65 CHAP: O SUCCESS id 121 len 4
02:07:40: As65 CHAP: Processing saved Challenge, id 31
02:07:40: As65 CHAP: O RESPONSE id 31 len 23 from "R1"
02:07:40: As65 CHAP: I SUCCESS id 31 len 4
02:07:40: As65 DDR: PPP callback: Callback server starting to R3 5556002
R1#
R1#
02:07:41: As65 DDR: disconnecting call
R1#
02:07:43: %LINK-5-CHANGED: Interface Async65, changed state to reset
R1#
02:07:43: As65 PPP: Phase is TERMINATING [0 sess, 0 load]
02:07:43: As65 LCP: State is Closed
02:07:43: As65 PPP: Phase is DOWN [0 sess, 0 load]
R1#
02:07:48: %LINK-3-UPDOWN: Interface Async65, changed state to down
R1#
R1#
02:07:58: As65 DDR: re-enable timeout
02:07:58: DDR: callback triggered by dialer_timers
02:07:58: As65 DDR: beginning callback to R3 5556002
02:07:58: As65 DDR: Attempting to dial 5556002
02:07:58: CHAT65: Attempting async line dialer script
02:07:58: CHAT65: Dialing using Modem script: HAYES & System script: none
02:07:58: CHAT65: process started
02:07:58: CHAT65: Asserting DTR
02:07:58: CHAT65: Chat script HAYES started
R1#
02:08:18: CHAT65: Chat script HAYES finished, status = Success
02:08:18: As65 IPCP: Install route to 10.1.1.18
R1#
02:08:20: %LINK-3-UPDOWN: Interface Async65, changed state to up
R1#
02:08:20: As65 DDR: Dialer statechange to up
02:08:20: DDR: Freeing callback to R3 5556002
02:08:20: As65 DDR: Dialer call has been placed
02:08:20: As65 PPP: Using dialer call direction
02:08:20: As65 PPP: Treating connection as a callout
02:08:20: As65 PPP: Phase is ESTABLISHING, Active Open [0 sess, 0 load]
02:08:20: As65 PPP: No remote authentication for callback
02:08:20: As65 LCP: O CONFREQ [Closed] id 167 len 20
02:08:20: As65 LCP: ACCM 0x000A0000 (0x0206000A0000)
02:08:20: As65 LCP: MagicNumber 0x05A8223B (0x050605A8223B)
02:08:20: As65 LCP: PFC (0x0702)
02:08:20: As65 LCP: ACFC (0x0802)
02:08:20: As65 LCP: I CONFREQ [REQsent] id 35 len 25
02:08:20: As65 LCP: ACCM 0x000A0000 (0x0206000A0000)
02:08:20: As65 LCP: MagicNumber 0x09704E10 (0x050609704E10)
02:08:20: As65 LCP: PFC (0x0702)
02:08:20: As65 LCP: ACFC (0x0802)
02:08:20: As65 LCP: O CONFACK [REQsent] id 35 len 25
02:08:20: As65 LCP: ACCM 0x000A0000 (0x0206000A0000)
02:08:20: As65 LCP: MagicNumber 0x09704E10 (0x050609704E10)
02:08:20: As65 LCP: PFC (0x0702)
02:08:20: As65 LCP: ACFC (0x0802)
02:08:20: As65 LCP: I CONFACK [ACKsent] id 167 len 20
02:08:20: As65 LCP: ACCM 0x000A0000 (0x0206000A0000)
02:08:20: As65 LCP: MagicNumber 0x05A8223B (0x050605A8223B)
02:08:20: As65 LCP: PFC (0x0702)
02:08:20: As65 LCP: ACFC (0x0802)
02:08:20: As65 LCP: State is Open
02:08:20: As65 PPP: Phase is AUTHENTICATING, by the peer [0 sess, 0 load]
02:08:20: As65 CHAP: I CHALLENGE id 32 len 23 from "R3"
02:08:20: As65 CHAP: O RESPONSE id 32 len 23 from "R1"
02:08:20: As65 CHAP: I SUCCESS id 32 len 4
02:08:20: As65 PPP: Phase is UP [0 sess, 0 load]
02:08:20: As65 IPCP: O CONFREQ [Closed] id 111 len 10
02:08:20: As65 IPCP: Address 10.1.1.17 (0x03060A010111)
02:08:20: As65 IPCP: I CONFREQ [REQsent] id 3 len 10
02:08:20: As65 IPCP: O CONFACK [REQsent] id 3 len 10
02:08:20: As65 IPCP: I CONFACK [ACKsent] id 111 len 10
02:08:20: As65 IPCP: State is Open
02:08:20: As65 DDR: dialer protocol up
02:08:21: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async65, changed
state to up
R1#
After R1 calls back
R3#ping
Protocol [ip]:
Repeat count [5]:
!!!!!
R3#
After 2 minutes of inactivity, the call disconnects:
R1#
02:10:44: As65 DDR: idle timeout
02:10:44: As65 DDR: disconnecting call
R1#
02:10:46: %LINK-5-CHANGED: Interface Async65, changed state to reset
R1#
02:10:46: As65 IPCP: State is Closed
02:10:46: As65 PPP: Phase is TERMINATING [0 sess, 0 load]
02:10:46: As65 PPP: Phase is DOWN [0 sess, 0 load]
02:10:46: As65 IPCP: Remove route to 10.1.1.18
02:10:47: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async65, changed
state to down
R1#
02:10:51: %LINK-3-UPDOWN: Interface Async65, changed state to down
R1#
02:11:01: As65 DDR: re-enable timeout
R1#
Scenario
The Air Guitar Company (AGC) requires a hub and spoke Frame Relay topology between its
central site, which is represented by R1, and the branch sites, which are R2 and R3. Mission
critical data is only exchanged between R1 and R3. Therefore, the AGC requires the FR link
between R1 and R3 to be backed up with ISDN. The R2 router does not require the same fault
tolerance. However, R2 does provide an asynchronous dial-up connection to a telecommuter.
To help secure mission critical data use an IPSec VPN between FR links and PPP CHAP
between ISDN and PSTN connections.
Generic Tasks
refers to the router number.
/24.
the 10.1.1.0 /24 subnet.
password cisco.
- Create a local username called USER with the password cisco.
• AAA authentication must be configured on all routers:
local database.
Frame Relay connection between the hub R1 and spokes R2 and R3
The AGC wants hub-and-spoke Frame Relay links between R1 and R2, and R1 and R3.
1. Configure Frame Relay on all three routers so that R2 and R3 will become spokes and
R1 will be the Frame Relay hub. Use the appropriate show commands to discover the
locally attached DLCI.
2. Configure sub-interfaces on R1 to directly connect to R2 and R3:
- R1 and R2 belong to the 10.1.1.4/30 subnet
- R1 and R3 belong to the 10.1.1.8 /30 subnet.
3. Prevent automatic mapping for unused PVCs on the spokes with the no frame-relay
inverse-arp ip command. Use the appropriate show commands to discover the locally
attached DLCI.
4. Configure EIGRP on all routers to advertise their directly connected networks. Verify
that all routers have a complete routing table.
The AGC wants an ISDN DDR link between R1 and R3 in case the FR link fails.
1. Configure ISDN BRI on R1 and R3 to use the SPID information from the network
diagram. The ISDN switch type for the ISDN BRI connection is basic-ni.
2. For scalability purposes, configure R1 and R3 to use a dialer profile to establish an
ISDN connection to each other:
- Dialer 0 interface on both routers belongs on the 10.1.1.12 /30 subnet.
4. Configure Dial-on-Demand routing (DDR) on R1 and R3 so that any packet types can
initiate the ISDN link.
5. Configure ISDN dialer backup on R1 and R3:
- The Dialer 0 interface should back up the primary Frame Relay connection.
- The backup line should be activated 5 seconds after the primary link fails and
deactivated 20 seconds after the primary link comes back up.
6. Configure each router to aggregate both ISDN B-channels upon sending and receiving
a threshold of one to place a dial-up call.
7. Prevent EIGRP hello packets from constantly establishing the ISDN call on both
routers by suppressing EIGRP packets from being sent out their dialer interfaces.
8. Configure floating static routes on R1 and R3 with a slightly higher administrative
distance than that of EIGRP.
PSTN connection on R2
A telecommuter occasionally connects to the AGC network through the branch site R2.
1. Configure the asynchronous dial-up connections using the AUX port on R2 to support
a dial-up connection from a host.
2. The AUX port must automatically discover the modem type and configure it.
3. The asynchronous interface should share the Fa0/0 IP address.
4. The router should authenticate using CHAP.
5. Configure PPP dedicated mode. The EXEC prompt should not appear and the router
will not be available for EXEC mode access unless the user Telnets from the host.
6. R2 should always assign a host the address 192.168.2.20.
7. Configure the host to dial 555-6001 to access the AGC network.
VPN Connection between FR links
The AGC requires secure IPSec Frame Relay VPNs between the R1 and R2, R1 and R3, and R2
and R3 LANs.
1. Configure an ISAKMP policy, pre-shared key, and transform set on all routers:
- The ISAKMP policy suite is to use pre-shared key authentication.
- The pre-shared key should be CISCO123.
- The transform-set should use esp-des to build the IPSec security association.
2. Create two separate crypto maps on R1:
- The first crypto map should be for traffic between R1 and R2.
- The second crypto map should be for traffic between R1 and R3.
- Separate named access-lists should identify traffic from R1 to R2 LANs and from
R1 and R3 LANs.
- Apply the crypto maps to the appropriate FR sub-interfaces.
3. Create a crypto map on R2 and R3:
- The crypto map should contain separate crypto map entries for each destination.
- Separate named access-lists should identify traffic from their LANs to their remote
neighbors’ LANs.
- Apply the crypto map to the appropriate FR interface on each router.
4. Test the IPSec tunnel configuration using the appropriate show commands and ping
between hosts.
NAT
The AGC requires NAT to be configured on the R1 router. For testing purposes, a loopback
interface will be created.
1. Configure a loopback interface on R1 with a host IP address of 200.200.200.1/24.

- Configure a default route exiting from the Lo0 interface.
- Propagate the route as a default network to R1 and R3 using EIGRP.
2. Configure Dynamic NAT:
- NAT will translate the AGC network’s inside local address 192.168.x.0 /16 with an
inside global address range of 100.100.100.1 /24 to 100.100.100.20.
3. Verify the Dynamic NAT configuration by pinging a non-existing IP address such as
200.200.200.2 from either Host B or Host C:
- Use the appropriate show command to display the NAT translations.
Check List
2 Telnet access should be configured on every router.
Host B should successfully connect to R2, be assigned a valid IP address, and

3
be able to ping all LAN interfaces.
4 R1, R2, and R3 should connect over the Frame Relay connection.
The ISDN dial backup interface should become active five seconds after the
5
primary Frame Relay sub-interfaces are down.
Floating static routes should be installed in R1 and R3 routing tables if the
6
primary link fails.
EIGRP should propagate a default route to R2 but should not be allowed over the
7
ISDN links.
LAN traffic over the FR network should be encrypted with IPSec tunnels using
8
pre-shared keys.
9 NAT should be configured correctly.
CCNP 2 Skills-Based Assessment Version 2 – Solutions
and IOS versions. Some features may not work properly.
Only use a 1700 router if it has an IOS that incorporates feature set IP PLUS IPSEC 56.
The following output was generated from the different devices:
BRI Interface
R1
c2600-jk8s-mz_122-12b.bin Serial Asynchronous Interface
(Cisco 2600)
Ethernet Interface
Serial Interface
R2
c2600-jk8s-mz_122-12b.bin Ethernet Interface
(Cisco 2600)
AUX Port
R3 Serial Interface
The following output is from each router platform. It includes a sample running configuration:
R1#sho run

!
version 12.2
!
hostname R1
!
aaa new-model
!
ip subnet-zero
!
!
no ip domain-lookup
!
!
crypto isakmp key CISCO123 address 10.1.1.6

!
!
crypto ipsec transform-set OURSET esp-des
!
set peer 10.1.1.6
set transform-set OURSET
match address ENCRYPT-TO-R2
!
set peer 10.1.1.10
match address ENCRYPT-TO-R3
!
call rsvp-sync
!
!
!
!
!
!
interface Loopback0
description Simulates external link
ip address 200.200.200.1 255.255.255.0
ip nat outside
!
description R1 LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface Serial0/0
description Main Frame Relay interface
no ip address
no ip split-horizon eigrp 100
no ip mroute-cache
no fair-queue
cdp enable
!
description Frame Relay subinterface to R2
ip address 10.1.1.5 255.255.255.252
ip nat inside
crypto map VPN-2-R2
!
description Frame Relay subinterface to R3
backup delay 5 20
backup interface Dialer0
ip address 10.1.1.9 255.255.255.252
ip nat inside
crypto map VPN-2-R3
!
interface BRI0/0
description Main BRI interface
no ip address
encapsulation ppp
isdn spid1 51055510000001 5551000
isdn spid2 51055510010001 5551001
!
!
interface Dialer0
description Backup interface for the FR link
ip address 10.1.1.13 255.255.255.252
ip nat inside
encapsulation ppp
dialer pool 1
dialer load-threshold 1 either
dialer-group 1
ppp multilink
!
router eigrp 100
passive-interface Dialer0
network 10.0.0.0
network 192.168.1.0
network 200.200.200.0
no auto-summary
!
ip nat pool NAT4AGC 100.100.100.1 100.100.100.20 netmask 255.255.255.0
ip nat inside source list 1 pool NAT4AGC
ip classless
ip route 0.0.0.0 0.0.0.0 Loopback0
ip route 192.168.3.0 255.255.255.0 10.1.1.14 95
ip http server
!
!
ip access-list extended ENCRYPT-TO-R2
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended ENCRYPT-TO-R3

permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 1 permit 192.168.0.0 0.0.255.255

!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
password cisco
!
end
R1#
R2#sho run

!
version 12.2
!
hostname R2
!
aaa new-model
!
ip subnet-zero
!

!
!
!
crypto map VPN 10 ipsec-isakmp
set peer 10.1.1.5
match address VPN-1

set peer 10.1.1.10
match address VPN-2
!
call rsvp-sync
!
description R2 LAN
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
description Main FR interface
no ip address
no ip mroute-cache
no fair-queue
cdp enable
!
description FR subinterface to Hub - R1
ip address 10.1.1.6 255.255.255.252
crypto map VPN
!
!
interface Async65
description Asynchronous Dial-up interface for telecommuter
ip unnumbered FastEthernet0/0
encapsulation ppp
peer default ip address pool LOCALPOOL
!
router eigrp 100
network 10.0.0.0
network 192.168.2.0
no auto-summary
!
ip local pool LOCALPOOL 192.168.2.20
ip default-gateway 192.168.2.1
ip classless
ip http server
!
!
ip access-list extended VPN-1
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
modem InOut
transport input all
autoselect ppp
stopbits 1
speed 115200
line vty 0 4
password cisco
!
end
R2#
R3#sho run

!
version 12.2
!
hostname R3
!
aaa new-model
!
ip subnet-zero
!
!
!
!

!
!
!
set peer 10.1.1.9
match address VPN-1

set peer 10.1.1.6
match address VPN-2
!
call rsvp-sync
!
!
!
!
!
!
!
!
description R3 LAN
ip address 192.168.3.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
description Main FR interface
no ip address
no ip mroute-cache
no fair-queue
cdp enable
no frame-relay inverse-arp IP 302
!
description FR subinterface to Hub - R1
ip address 10.1.1.10 255.255.255.252
crypto map VPN
!
interface BRI0/0
description Main BRI interface
no ip address
encapsulation ppp
isdn spid1 51055520000001 5552000
isdn spid2 51055520010001 5552001
!
interface Dialer0
description Backup interface for FR link
ip address 10.1.1.14 255.255.255.252
encapsulation ppp
dialer pool 1
dialer load-threshold 1 either
dialer-group 1
ppp multilink
!
router eigrp 100
network 10.0.0.0
network 192.168.3.0
no auto-summary
!
ip classless
ip route 192.168.1.0 255.255.255.0 10.1.1.13 95
ip http server
!
!
permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
password cisco
!
end
R3#
To verify the ISDN backup line, perform an extended ping from the R1 LAN to the R3 LAN and
repeat the ping 1000 times. As the pings are crossing the FR link, unplug the serial interface to
force a primary rate failure. Observe that the pings are no longer able to cross the link until the
backup line, Dialer 0, is activated.
R1#ping
Protocol [ip]:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!.
Link is Serial link is unplugged
00:11:40: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down

00:11:40: %DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 10.1.1.6 (Serial0/0.102)
is down: interface down
00:11:40: %DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 10.1.1.10
(Serial0/0.103) is down: interface down
state to down....
00:11:47: %LINK-3-UPDOWN: Interface Dialer0, changed state to up..
00:11:52: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to up.
00:11:52: %DIALER-6-BIND: Interface BR0/0:1 bound to profile Di0
Backup interface is activated
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
00:11:56: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0/0:1, changed
state to up!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
00:11:58: %ISDN-6-CONNECT: Interface BRI0/0:1 is now connected to 5552000
R3!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!
00:12:09: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
state to up!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
<Output Omitted>
R1#
Verifying NAT
To verify NAT, ping a non-existing IP address such as 200.200.200.2. Use the show ip nat
translations command to verify:
R1#sho ip nat translations
Ping from Host B or Host C

Pro Inside global Inside local Outside local Outside global
--- 100.100.100.1 192.168.2.20 --- ---
R1#
Verifying VPN
To verify that IPSec is encrypting the traffic between R3 and the R1 and R2 LANs, use the
show crypto ipsec sa command and an extended ping.
Here is a sample output:
R3#ping
Protocol [ip]:
Repeat count [5]:
.!!!!
R3#ping
Protocol [ip]:
Repeat count [5]:
.!!!!
Crypto map tag: VPN, local addr. 10.1.1.10

failed: 0

current outbound spi: 68EF3222
inbound esp sas:

spi: 0x7797107D(2006388861)
slot: 0, conn id: 2000, flow_id: 1, crypto map: VPN
IV size: 8 bytes
inbound ah sas:
inbound pcp sas:
outbound esp sas:

spi: 0x68EF3222(1760506402)
IV size: 8 bytes
outbound ah sas:
outbound pcp sas:

failed: 0

current outbound spi: 93988633
inbound esp sas:

spi: 0x3447ED24(877128996)
IV size: 8 bytes
inbound ah sas:
inbound pcp sas:
outbound esp sas:

spi: 0x93988633(2476246579)
IV size: 8 bytes
outbound ah sas:
outbound pcp sas:
R3#
Scenario
The Air Guitar Company (AGC) requires a full mesh Frame Relay topology between R1, R2,
and R3. Mission critical data is exchanged between all sites. Therefore, the AGC requires the
FR links to be backed up with ISDN.
To help secure mission critical data, an IPSec VPN will be used between FR links and PPP
CHAP will be used between ISDN and PSTN connections.
Generic Tasks
refers to the router number:
/24.
the 10.1.1.0 /24 subnet:
password cisco.
- Create a local username called USER with the password cisco.
• AAA authentication must be configured on all routers:
local database.
Frame Relay connection between the hub R1 and spokes R2 and R3
The AGC wants a full mesh Frame Relay network between R1, R2, and R3.
1. Configure a full mesh, point-to-point Frame Relay network on all three routers. Use the
appropriate show commands to discover the locally attached DLCI.
2. Configure point-to-point sub-interfaces to directly connect to each router:
- R1 and R2 belong to the 10.1.1.20/30 subnet
3. Configure EIGRP on all routers to advertise their directly connected networks. Verify
that all routers have a complete routing table.
The AGC wants an ISDN DDR link between R1 and R3 in case the FR link fails:
1. The ISDN network has been assigned the 10.1.1.0/29 subnet.

2. Configure DDR so that any IP packet types can initiate the ISDN link.
4. Configure each router to support PPP Multilink.
- Configure the PRI interface.
- The ISDN switch type is “primary-ni.”
- Configure the T1 controller to use “esf” framing and “b8zs” line coding, and set the
T1 controller to use all timeslots.
- Do not use a dialer profile.
6. On R2 and R3, configure the following:
- Configure the BRI interface with the indicated SPIDs.
- The ISDN switch type is “basic-ni.”
- Configure a Dialer 0 interface to connect to R1 using the local number 555-5000.
7. Prevent EIGRP hello packets from constantly establishing the ISDN call on both
routers by suppressing EIGRP packets from being sent out their dialer interfaces.
8. Configure floating static routes on R1 and R3 with a slightly higher administrative
distance than that of EIGRP.
9. On R1, configure dialer watch to monitor the R2 and R3 LANs and activate the ISDN
links in case the primary FR link fails:
- Dialer watch only needs to be configured on R1.
PSTN connection on R1
R1 is to provide an asynchronous dial-up connection for telecommuters:
1. Configure the asynchronous dial-up connections using the AUX port on R1 to support
a dial-up connection from a host.
2. The AUX port must automatically discover the modem type and configure it.
3. The asynchronous interface should share the Fa0/0 IP address.
4. The router should authenticate using CHAP.
5. Configure PPP dedicated mode. The EXEC prompt should not appear and the router
will not be available for EXEC mode access unless the user Telnets from the host.
6. R1 should always assign a host the address 10.1.1.10.
7. Configure the host to dial 555-6001 to access the AGC network.
VPN connection between FR links
The AGC requires secure IPSec Frame Relay VPNs between the R1 and R2, R1 and R3, and R2
and R3 LANs.
1. Configure an ISAKMP policy, pre-shared key, and transform set on all routers:
- The ISAKMP policy suite is to use pre-shared key authentication.
- The pre-shared key should be CISCO123.
- The transform-set is to use esp-des to build the IPSec security association.
2. Create two separate crypto maps on R1:
- The first crypto map should be for traffic between R1 and R2.
- The second crypto map should be for traffic between R1 and R3.
- Separate named access-lists should identify traffic from R1 to R2 LANs and from
R1 and R3 LANs.
- Apply the crypto maps to the appropriate FR sub-interfaces.
3. Create a crypto map on R2 and R3.
- The crypto map should contain separate crypto map entries for each destination.
- Separate access-lists should identify traffic from their respective LANs to their
remote neighbors’ LANs.
- Apply the crypto map to the appropriate FR interface on each router.
4. Test the IPSec tunnel configuration using the appropriate show commands and ping
between hosts.
NAT
The AGC requires NAT to be configured on the R1 router. For testing purposes, a loopback
interface will be created.
1. Configure a loopback interface on R1 with a host IP address of 200.200.200.1/24:

- Propagate the route as a default network to R1 and R3 using EIGRP.
- Configure a default route exiting from the Lo0 interface.
2. Configure Dynamic NAT:
- NAT will translate the AGC network’s inside local address 192.168.x.0 /16 with an
inside global address range of 100.100.100.64/26.
3. Verify the Dynamic NAT configuration by pinging a non-existing IP address such as
200.200.200.2 from either Host B or Host C:
- Use the appropriate show command to display the NAT translations.
Check List
2 Telnet access should be configured on every router.
Host A should successfully dial up R1, be assigned a valid IP address, and be

3
able to ping all LAN interfaces.
4 R1, R2, and R3 should connect over the Frame Relay connection.
The ISDN dialer watch should become active after the primary Frame Relay sub-
5
interfaces are down.
Floating static routes should be installed on the routers’ routing tables if the
6
primary link fails.
EIGRP should propagate a default route to R2 and R3 but should not be allowed
7
over the ISDN links.
LAN traffic over the FR network should be encrypted with IPSec tunnels using
8
pre-shared keys.
9 NAT should be configured correctly.
CCNP 2 Skills-Based Assessment Version 3 – Solution
and IOS versions. Some features may not work properly.
Do not use a Cisco 1700 series router, since it may not have an IOS that supports IPSec.
The following output was generated using different devices:
PRI Interface
R1 Serial Asynchronous Interface
(Cisco 2600) AUX Port
Ethernet Interface
Serial Interface
R2
c2600-jk8s-mz_122-12b.bin BRI Interface
(Cisco 2600)
Ethernet Interface
Serial Interface
R3
c2600-jk8s-mz_122-12b.bin BRI Interface
(Cisco 2600)
Ethernet Interface
The following output is for each router platform. It includes a sample running configuration:

!
version 12.2
!
hostname R1
!
aaa new-model
!
ip subnet-zero
!
!
no ip domain-lookup
!
!
!
!
!
set peer 10.1.1.22
match address 111
!
set peer 10.1.1.26
match address 112
!
call rsvp-sync
!
!
!
!
!
!
controller T1 1/0
framing esf
linecode b8zs
pri-group timeslots 1-24
!
!
!
interface Loopback0
ip address 200.200.200.1 255.255.255.0
ip nat outside
!
ip address 192.168.1.1 255.255.255.0
ip nat inside
no keepalive
speed 100
full-duplex
!
interface Serial0/0
no ip address
no ip mroute-cache
cdp enable
!
ip address 10.1.1.21 255.255.255.252
ip nat inside
crypto map VPN-2-R2
!
ip address 10.1.1.25 255.255.255.252
ip nat inside
crypto map VPN-2-R3
!
interface BRI0/0
no ip address
encapsulation hdlc
shutdown
!
interface Serial0/1
no ip address
shutdown
!
interface Serial1/0:23
ip address 10.1.1.1 255.255.255.248
ip nat inside
encapsulation ppp
dialer map ip 10.1.1.2 name R2 5551000
dialer-group 1
ppp multilink
!
interface Async65
ip unnumbered FastEthernet0/0
encapsulation ppp
async mode interactive
peer default ip address pool LOCALPOOL
!
router eigrp 100
network 10.0.0.0
network 192.168.1.0
network 200.200.200.0
no auto-summary
!
ip local pool LOCALPOOL 10.1.1.10
ip nat pool OUTSIDE 100.100.100.65 100.100.100.126 netmask 255.255.255.192
ip nat inside source list 1 pool OUTSIDE overload
ip classless
ip route 0.0.0.0 0.0.0.0 Loopback0
ip route 192.168.2.0 255.255.255.0 10.1.1.2 125
ip route 192.168.3.0 255.255.255.0 10.1.1.3 125
no ip http server
!
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 111 remark crypto_list_to R2
access-list 112 remark crypto_list_to R3
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
modem InOut
transport input all
autoselect ppp
stopbits 1
speed 115200
line vty 0 4
!
end
R1#sho ip route
area
C* 200.200.200.0/24 is directly connected, Loopback0

C 10.1.1.0/29 is directly connected, Serial1/0:23
D 10.1.1.28/30 [90/21024000] via 10.1.1.22, 00:07:23, Serial0/0.102
[90/21024000] via 10.1.1.26, 00:07:23, Serial0/0.103
D 192.168.2.0/24 [90/20514560] via 10.1.1.22, 00:07:24, Serial0/0.102
D 192.168.3.0/24 [90/20514560] via 10.1.1.26, 00:07:24, Serial0/0.103
S* 0.0.0.0/0 is directly connected, Loopback0
R1#

!
version 12.2
!
hostname R2
!
aaa new-model
!
ip subnet-zero
!
!
no ip domain-lookup
!
!
!
!
!
set peer 10.1.1.30
match address 112
!
set peer 10.1.1.21
match address 111
!
call rsvp-sync
!
!
!
!
!
!
!
!
ip address 192.168.2.1 255.255.255.0
no keepalive
speed 100
full-duplex
!
interface Serial0/0
bandwidth 64000
no ip address
no ip mroute-cache
no fair-queue
cdp enable
!
ip address 10.1.1.22 255.255.255.252
crypto map VPN-2-R1
!
ip address 10.1.1.29 255.255.255.252
crypto map VPN-2-R3
!
interface BRI0/0
no ip address
encapsulation ppp
isdn spid1 51055510000001 5551000
isdn spid2 51055510010001 5551001
!
interface Serial0/1
no ip address
shutdown
!
interface Dialer0
ip address 10.1.1.2 255.255.255.248
encapsulation ppp
dialer pool 1
dialer-group 1
!
router eigrp 100
network 10.0.0.0
network 192.168.2.0
no auto-summary
!
ip classless
ip route 192.168.1.0 255.255.255.0 10.1.1.1 95
ip route 192.168.3.0 255.255.255.0 10.1.1.3 125
no ip http server
!
access-list 111 remark --CRYPTO LIST TO R1--
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
end
R2#sho ip route
area
D* 200.200.200.0/24 [90/679936] via 10.1.1.21, 00:05:58, Serial0/0.201

D 10.1.1.24/30 [90/1063936] via 10.1.1.30, 00:06:03, Serial0/0.203
D 192.168.1.0/24 [90/554496] via 10.1.1.21, 00:05:58, Serial0/0.201
D 192.168.3.0/24 [90/554496] via 10.1.1.30, 00:06:00, Serial0/0.203
R2#

!
version 12.2
!
hostname R3
!
aaa new-model
!
ip subnet-zero
!
!
no ip domain-lookup
!
!
!
!
!
set peer 10.1.1.25
match address 111
!
set peer 10.1.1.29
match address 112
!
call rsvp-sync
!
!
!
!
!
!
!
!
ip address 192.168.3.1 255.255.255.0
no keepalive
speed 100
full-duplex
!
interface Serial0/0
bandwidth 64000
no ip address
no ip mroute-cache
cdp enable
!
description FR Subinterface to R1
ip address 10.1.1.26 255.255.255.252
crypto map VPN-2-R1
!
description FR Subinterface to R2
ip address 10.1.1.30 255.255.255.252
crypto map VPN-2-R2
!
interface BRI0/0
no ip address
encapsulation ppp
isdn spid1 51055520000001 5552000
isdn spid2 51055520010001 5552001
!
interface Serial0/1
no ip address
shutdown
!
interface Dialer0
ip address 10.1.1.3 255.255.255.248
encapsulation ppp
dialer pool 1
dialer-group 1
!
router eigrp 100
network 10.0.0.0
network 192.168.3.0
no auto-summary
!
ip classless
ip route 192.168.1.0 255.255.255.0 10.1.1.1 95
ip route 192.168.2.0 255.255.255.0 10.1.1.2 125
no ip http server
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
end
R3#
R3#sho ip route
area
D* 200.200.200.0/24 [90/679936] via 10.1.1.25, 00:07:03, Serial0/0.301

D 10.1.1.20/30 [90/1063936] via 10.1.1.29, 00:07:03, Serial0/0.302
D 192.168.1.0/24 [90/554496] via 10.1.1.25, 00:07:03, Serial0/0.301
D 192.168.2.0/24 [90/554496] via 10.1.1.29, 00:07:04, Serial0/0.302
R3#
To verify the ISDN backup feature, perform an extended ping from the R2 LAN to the R3 LAN
and repeat the ping 1000 times.
R2#ping
Protocol [ip]:
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Serial link is unplugged on R2
.
04:53:14: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down.
state to down
04:53:16: ISDN BR0/0: TX -> SETUP pd = 8 callref = 0x04
04:53:16: Bearer Capability i = 0x8890
04:53:16: Channel ID i = 0x83
04:53:16: Keypad Facility i = '5555000'
04:53:16: ISDN BR0/0: RX <- CALL_PROC pd = 8 callref = 0x84
04:53:16: Channel ID i = 0x89
04:53:16: ISDN BR0/0: RX <- CONNECT pd = 8 callref = 0x84
04:53:16: Channel ID i = 0x89
04:53:16: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to up
04:53:16: %DIALER-6-BIND: Interface BR0/0:1 bound to profile Di0.
04:53:16: BR0/0:1 PPP: Using dialer call direction
04:53:16: BR0/0:1 PPP: Treating connection as a callout
04:53:16: ISDN BR0/0: TX -> CONNECT_ACK pd = 8 callref = 0x04
04:53:16: BR0/0:1 CHAP: O CHALLENGE id 22 len 23 from "R2"
04:53:16: BR0/0:1 CHAP: I CHALLENGE id 10 len 23 from "R1"
04:53:16: BR0/0:1 CHAP: O RESPONSE id 10 len 23 from "R2"
04:53:16: BR0/0:1 CHAP: I SUCCESS id 10 len 4
04:53:16: BR0/0:1 CHAP: I RESPONSE id 22 len 23 from "R1"
04:53:16: BR0/0:1 CHAP: O SUCCESS id 22 len 4
04:53:17: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0/0:1, changed
state to up...
04:53:22: %ISDN-6-CONNECT: Interface BRI0/0:1 is now connected to 5555000 R1
R1 is able to activate the backup line because of Dialer Watch.

The ISDN interface on R2 should be active.
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!
The pings are using the ISDN link between R2 and R1 and the FR link
between R1 and R3.
To test R1’s backup feature to R3, unplug the serial cable on R1.
.........
The pings should be successful after the backup feature activates on R1.
The BRI interface on R3 should now be active.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
R2#
Verifying NAT
To verify NAT, ping a non-existing IP address such as 200.200.200.2 from R2:
R2#ping
Protocol [ip]:
Repeat count [5]:
....
From R1, use the show ip nat translations command to verify:

Pro Inside global Inside local Outside local Outside global
icmp 100.100.100.65:6568 192.168.2.1:6568 200.200.200.2:6568 200.200.200.2:6568
icmp 100.100.100.65:6569 192.168.2.1:6569 200.200.200.2:6569 200.200.200.2:6569
icmp 100.100.100.65:6570 192.168.2.1:6570 200.200.200.2:6570 200.200.200.2:6570
icmp 100.100.100.65:6571 192.168.2.1:6571 200.200.200.2:6571 200.200.200.2:6571
icmp 100.100.100.65:6572 192.168.2.1:6572 200.200.200.2:6572 200.200.200.2:6572
R1#
Verifying VPN
To verify that IPSec is encrypting the traffic between R3 and the R1 and R2 LANs, use the
show crypto ipsec sa command and an extended ping.
R1#clear crypto sa
R1#ping
Protocol [ip]:
Repeat count [5]:
.!!!!
R1#ping
Protocol [ip]:
Repeat count [5]:
.!!!!
R1#sho crypto ipsec sa
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed:
0

current outbound spi: 5D248D07
inbound esp sas:

spi: 0x7E2B6575(2116773237)
IV size: 8 bytes
inbound ah sas:
inbound pcp sas:
outbound esp sas:

spi: 0x5D248D07(1562676487)
IV size: 8 bytes
outbound ah sas:
outbound pcp sas:

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed:
0

current outbound spi: EB113F31
inbound esp sas:

spi: 0x8B2C3900(2334931200)
IV size: 8 bytes
inbound ah sas:
inbound pcp sas:
outbound esp sas:

spi: 0xEB113F31(3943776049)
IV size: 8 bytes
outbound ah sas:
outbound pcp sas:
R1#

En CCNP2 SBA IV v31

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

En CCNP2 SBA IV v31

Hochgeladen von

Copyright:

Verfügbare Formate

CCNP 2 Skills-Based Assessment Version 1

Frame Relay connection between R1 and R2

1. Configure PPP CHAP to secure the ISDN connections.

VPN Connection between FR links

1. Configure the asynchronous dial-up connections:

QoS between FR links

1. Configure class-based weighted fair queuing (CBWFQ) on R1 and R2 to guarantee

1 AAA should be configured on all routers.

2 Telnet access should be configured on every router

Host C should initiate a dial-up, callback connection when it attempts to ping

4 R1 and R2 should connect successfully over the Frame Relay connection.

12 Callback must be configured correctly.

Device IOS version Specifics / Interfaces

PRI Interface (T1 controller)

Modems Hayes Accura 56 K

Current configuration : 3208 bytes

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks

Current configuration : 2364 bytes

Gateway of last resort is 10.1.1.5 to network 192.168.1.0

10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks

Current configuration : 1321 bytes

Gateway of last resort is 10.1.1.17 to network 0.0.0.0

10.0.0.0/30 is subnetted, 1 subnets

Serial1/0:21 - dialer type = ISDN

Serial1/0:22 - dialer type = ISDN

Serial1/0:23 - dialer type = ISDN

Dial String Successes Failures Last DNIS Last status

Di0 - dialer type = DIALER PROFILE

Dial String Successes Failures Last DNIS Last status

R1#sho frame-relay pvc 102

PVC Statistics for interface Serial0/0 (Frame Relay DTE)

DLCI = 102, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE =

input pkts 838 output pkts 844 in bytes 87467

Service-policy output: BW-4-TELNET

Class-map: 4-TELNET (match-all)

Class-map: class-default (match-any)

local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

local crypto endpt.: 10.1.1.5, remote crypto endpt.: 10.1.1.6

inbound esp sas:

inbound pcp sas:

outbound esp sas:

outbound pcp sas:

R1#show crypto ipsec sa

local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

local crypto endpt.: 10.1.1.5, remote crypto endpt.: 10.1.1.6

inbound esp sas:

inbound pcp sas:

outbound esp sas:

After 2 minutes of inactivity, the call disconnects:

Frame Relay connection between the hub R1 and spokes R2 and R3

ISDN connection between R1 and R3

VPN Connection between FR links

1. Configure a loopback interface on R1 with a host IP address of 200.200.200.1/24.

1 AAA should be configured on all routers.

2 Telnet access should be configured on every router.

Host B should successfully connect to R2, be assigned a valid IP address, and

9 NAT should be configured correctly.

The following output was generated from the different devices:

Device IOS version Specifics / Interfaces

Modems Hayes Accura 56 K

Current configuration : 3395 bytes