CCNP Case Study – ISCW. By: José Luis Landa Anzules

Scenario: The international travel agency needs to implement parts of its network with IPsec and MPLS according to the given specifications and the topology shown in the diagram. This case study should be implemented from the CLI, without using SDM:

- Configure the interfaces using the addressing scheme shown in the topology.
- Implement EIGRP AS 1 across the whole core of the network; all subnets should be included.
- Create an IPsec tunnel between R1 and R3 with an appropriate transform set and ISAKMP policies.
- The IPsec tunnel should only encrypt traffic between the R1 loopback network and the R4 loopback network.
- Do not create new interfaces to accomplish the assigned task.
- Use any encryption algorithm you wish for the assigned task, as long as it belongs to the crypto protocol suite.
- Configure MPLS on both ends of the link between R3 and R4.
- Configure R1 to send system log messages at severity level errors to an imaginary host located at 172.16.2.200.
- Set the correct date on R4 using the clock set command. Use the system help if the syntax of this command is not at hand.
- Configure R4 as a Network Time Protocol (NTP) master with stratum 5.
- Configure R3 as an NTP client of R4.

Network Topology. (The topology diagram is not reproduced in this transcript; the addressing table below carries the same information.)


- Router interfaces.

Router   Interface      IP Address
R1       Serial 0/2/0   172.16.12.1
R1       Loopback 0     172.16.1.1
R2       Serial 0/2/0   172.16.12.2
R2       Serial 0/2/1   172.16.23.2
R2       Loopback 0     172.16.2.1
R3       Serial 0/2/0   172.16.23.3
R3       Serial 0/2/1   172.16.34.3
R3       Loopback 0     172.16.3.1
R4       Serial 0/2/0   172.16.34.4
R4       Loopback 0     172.16.4.1

All addresses are /24 (255.255.255.0), as the configurations below show.

- Equipment used.

Emulator: GNS3 0.7.2, under the GPL v2 license
IOS: c2691-adventerprisek9_ivs-mz.124-9.T7.bin

Considerations:
- All serial interfaces are set as DCE; this is the emulator's own behaviour, hence the clock rate command on every serial interface.
- The c2691 image names its serial interfaces Serial0/0 and Serial0/1, so the configurations below use those names in place of the Serial 0/2/0 and Serial 0/2/1 of the addressing table (Serial0/0 on R1 carries 172.16.12.1, and so on).

Configuration files:
- R1:

R1#show run
Building configuration...

Current configuration : 1566 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$N3zx$SGvWB7dX8Kphsu9pTiY7j.
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco address 172.16.23.3
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map MYMAP 10 ipsec-isakmp
 set peer 172.16.23.3
 set security-association lifetime seconds 900
 set transform-set 50
 set pfs group5
 match address 101
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 description Link to R2
 ip address 172.16.12.1 255.255.255.0
 clock rate 2000000
 crypto map MYMAP
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
router eigrp 1
 network 172.16.0.0
 no auto-summary
!
ip http server
no ip http secure-server
!
logging trap errors
logging 172.16.2.200
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.4.0 0.0.0.255
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 password 7 104D000A0618
 login
line aux 0
line vty 0 4
 password 7 02050D480809
 login
!
end

- R2:

R2#show run
Building configuration...

Current configuration : 1051 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$H2vd$Mz0P8QjtaPO.5RvDz0N9x0
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
interface Loopback0
 ip address 172.16.2.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 description Link to R1
 ip address 172.16.12.2 255.255.255.0
 clock rate 2000000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 description Link to R3
 ip address 172.16.23.2 255.255.255.0
 clock rate 2000000
!
router eigrp 1
 network 172.16.0.0
 no auto-summary
!
ip http server
no ip http secure-server
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 password 7 121A0C041104
 login
line aux 0
line vty 0 4
 password 7 0822455D0A16
 login
!
end

- R3:

R3#show run
Building configuration...

Current configuration : 1711 bytes
!
! Last configuration change at 00:02:34 UTC Fri Mar 1 2002
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$yQ.9$PVpWLYxTqcwYke57iO7QM/
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco address 172.16.12.1
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map MYMAP 10 ipsec-isakmp
 set peer 172.16.12.1
 set security-association lifetime seconds 900
 set transform-set 50
 set pfs group5
 match address 101
!
interface Loopback0
 ip address 172.16.3.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 description Link to R2
 ip address 172.16.23.3 255.255.255.0
 clock rate 2000000
 crypto map MYMAP
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 description Link to R4
 ip address 172.16.34.3 255.255.255.0
 mpls ip
 clock rate 2000000
!
router eigrp 1
 network 172.16.0.0
 no auto-summary
!
ip http server
no ip http secure-server
!
access-list 101 permit ip 172.16.4.0 0.0.0.255 172.16.1.0 0.0.0.255
!
control-plane
!
gatekeeper
 shutdown
!
!
line con 0
 password 7 094F471A1A0A
 login
line aux 0
line vty 0 4
 password 7 14141B180F0B
 login
!
scheduler allocate 20000 1000
ntp clock-period 17179904
ntp server 172.16.34.4
!
end

- R4:

R4#show run
Building configuration...

Current configuration : 1127 bytes
!
! Last configuration change at 00:11:22 UTC Fri Mar 1 2002
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$BA5M$2NPq8Domn/yjeG8o2tbhP.
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
interface Loopback0
 ip address 172.16.4.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 description Link to R3
 ip address 172.16.34.4 255.255.255.0
 mpls ip
 clock rate 2000000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
router eigrp 1
 network 172.16.0.0
 no auto-summary
!
ip http server
no ip http secure-server
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 password 7 0822455D0A16
 login
line aux 0
line vty 0 4
 password 7 070C285F4D06
 login
!
scheduler allocate 20000 1000
ntp master 5
!
end
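A check worth running on the four configurations above before treating them as hardened: the console and vty passwords are protected only by service password-encryption, i.e. they are stored as type 7 strings, which IOS produces with a fixed-key XOR that anyone can reverse. The script below is an added example, not part of the original case study; it implements that well-known type 7 decoding and runs it over the eight password 7 strings copied from the configs (the line-password fragments in CONFIGS are the only thing taken from the page, everything else is the example's own). The enable secret 5 lines in the same configs are salted MD5 hashes and cannot be reversed this way.

```python
"""Decode Cisco IOS type 7 ("service password-encryption") strings.

Added example; not part of the original case study. Type 7 is a fixed-key
XOR that IOS applies to line passwords: it hides them from a casual glance
at a printed config and nothing more.
"""
import re

# Fixed key shared by every IOS image for type 7 encoding.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded):
    """Return the plaintext of a type 7 string.

    Format: two decimal digits giving the starting offset into TYPE7_KEY,
    then hex pairs, each the XOR of one plaintext byte with the key byte
    at (offset + i) mod len(TYPE7_KEY).
    """
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"not a type 7 string: {encoded!r}")
    offset = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii")


PASSWORD7_RE = re.compile(r"^\s*password 7 (?P<enc>[0-9A-Fa-f]+)\s*$", re.M)


def audit_config(hostname, config):
    """Decode every 'password 7' line of one running-config.

    Returns (hostname, encoded, plaintext) tuples so an auditor can see at a
    glance which devices share a line password.
    """
    return [(hostname, m.group("enc"), decode_type7(m.group("enc")))
            for m in PASSWORD7_RE.finditer(config)]


# Line-password fragments exactly as they appear in the four configs above.
CONFIGS = {
    "R1": "line con 0\n password 7 104D000A0618\n login\nline vty 0 4\n password 7 02050D480809\n login\n",
    "R2": "line con 0\n password 7 121A0C041104\n login\nline vty 0 4\n password 7 0822455D0A16\n login\n",
    "R3": "line con 0\n password 7 094F471A1A0A\n login\nline vty 0 4\n password 7 14141B180F0B\n login\n",
    "R4": "line con 0\n password 7 0822455D0A16\n login\nline vty 0 4\n password 7 070C285F4D06\n login\n",
}


def audit_all():
    """Decode the line passwords of all four routers."""
    findings = []
    for host, cfg in CONFIGS.items():
        findings.extend(audit_config(host, cfg))
    return findings


if __name__ == "__main__":
    for host, enc, plain in audit_all():
        print(f"{host}: password 7 {enc} -> {plain}")
```

All eight strings decode to cisco, the same value as the ISAKMP pre-shared key. That is the real finding: a printed running-config with service password-encryption leaks every line password and the IKE key to whoever reads it, so the exercise's protection of the lab rests entirely on the enable secret hashes. In production, reversible line passwords should give way to username ... secret with AAA on the vty lines, and the pre-shared key should not be a dictionary word.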

Connectivity tests:
- Ping to the other networks from R1:

R1#ping 172.16.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/58/108 ms

R1#ping 172.16.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/76/120 ms

R1#ping 172.16.23.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.23.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/76/140 ms

R1#ping 172.16.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/84/164 ms

R1#ping 172.16.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/90/200 ms

R1#ping 172.16.4.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/187/308 ms

R1#ping 172.16.34.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.34.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/156/292 ms

R1#ping 172.16.34.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.34.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/244/472 ms

- Neighbors:

R1#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address          Interface   Hold  Uptime    SRTT   RTO   Q    Seq
                                 (sec)           (ms)         Cnt  Num
0   172.16.12.2      Se0/0       12    00:28:26  159    954   0    11

- Routes on R1:

R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 7 subnets
D       172.16.34.0 [90/3193856] via 172.16.12.2, 00:27:31, Serial0/0
D       172.16.23.0 [90/2681856] via 172.16.12.2, 00:27:42, Serial0/0
C       172.16.12.0 is directly connected, Serial0/0
D       172.16.4.0 [90/3321856] via 172.16.12.2, 00:27:24, Serial0/0
C       172.16.1.0 is directly connected, Loopback0
D       172.16.2.0 [90/2297856] via 172.16.12.2, 00:27:42, Serial0/0
D       172.16.3.0 [90/2809856] via 172.16.12.2, 00:27:30, Serial0/0

- Logging:

R1#show logging
Syslog logging: enabled (11 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: level debugging, 24 messages logged, xml disabled, filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled, filtering disabled
    Buffer logging: disabled, xml disabled, filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled

No active filter modules.

ESM: 0 messages dropped

    Trap logging: level errors, 23 message lines logged
        Logging to 172.16.2.200(global) (udp port 514, audit disabled, link up), 1 message lines logged, xml disabled, filtering disabled
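The trap output above says that only messages at level errors (3) or more severe are sent to 172.16.2.200, as UDP datagrams to port 514. The block below, an added example rather than anything from the case study, implements that filter and the PRI field those datagrams carry (PRI = facility * 8 + severity, with the IOS default facility local7 = 23), and runs it over a few log lines constructed in IOS %FACILITY-SEVERITY-MNEMONIC format; SAMPLE_LOG is made up for the example and was not captured from the lab. Real IOS also prefixes a sequence number or timestamp to the datagram body; the example keeps only the PRI plus the message.

```python
"""Which messages 'logging trap errors' forwards, and what goes on the wire.

Added example, not part of the original case study. IOS severities run from
0 (emergencies) to 7 (debugging); 'logging trap <level>' forwards a message
only if its severity is numerically <= the configured level.
"""
import re

SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}
LOCAL7 = 23  # IOS default syslog facility

# Body of an IOS message: %FACILITY-SEVERITY-MNEMONIC: text
IOS_MSG = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+):\s*(?P<text>.*)")


def parse_ios(line):
    """Split an IOS log line into facility, severity, mnemonic and text."""
    m = IOS_MSG.search(line)
    if not m:
        raise ValueError(f"not an IOS log message: {line!r}")
    return {"facility": m["fac"], "severity": int(m["sev"]),
            "mnemonic": m["mnem"], "text": m["text"]}


def forwarded(line, trap="errors"):
    """Would R1 send this message to the syslog host under 'logging trap <trap>'?"""
    return parse_ios(line)["severity"] <= SEVERITY[trap]


def forwarded_lines(lines, trap="errors"):
    """The subset of lines that reach the collector."""
    return [line for line in lines if forwarded(line, trap)]


def to_datagram(line, facility=LOCAL7):
    """UDP/514 payload as the collector sees it: '<PRI>' followed by the message."""
    pri = facility * 8 + parse_ios(line)["severity"]
    return f"<{pri}>{line}".encode("ascii")


def from_datagram(payload):
    """Collector side: recover (facility, severity, message) from the PRI."""
    m = re.match(rb"<(\d{1,3})>(.*)", payload, re.S)
    if not m:
        raise ValueError("missing PRI")
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2).decode("ascii")


# Constructed sample lines in IOS format (not captured from the lab).
SAMPLE_LOG = [
    "*Mar  1 00:05:12.123: %SYS-5-CONFIG_I: Configured from console by console",
    "*Mar  1 00:05:40.001: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down",
    "*Mar  1 00:05:41.005: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down",
    "*Mar  1 00:06:02.777: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up",
]

if __name__ == "__main__":
    for line in forwarded_lines(SAMPLE_LOG):
        print(to_datagram(line))
```

With trap level errors, the two %LINK-3-UPDOWN lines go out as <187>... datagrams (23 * 8 + 3) and the two level-5 lines stay local, which is exactly why the show logging output counts far more lines at the console than at the trap destination. Raising the trap level to notifications would forward all four.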

- Test of the traffic through the tunnel:

R1#ping
Protocol [ip]:
Target IP address: 172.16.4.1
Repeat count [5]: 10
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.16.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 172.16.4.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
!!!!!!!!!
Success rate is 90 percent (9/10), round-trip min/avg/max = 272/454/736 ms

An extended ping sourced from the loopback is required here: crypto ACL 101 only matches 172.16.1.0/24 to 172.16.4.0/24, so the plain ping 172.16.4.1 above, sourced from Serial0/0 (172.16.12.1), travelled in clear and says nothing about the tunnel. The one lost echo is the usual price of the first packet to hit the crypto map, which is dropped while the ISAKMP and IPsec SAs are negotiated; the #send errors 1 counter in the SA output below corresponds to it.

R1#sh crypto ipsec sa

interface: Serial0/0
    Crypto map tag: MYMAP, local addr 172.16.12.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.4.0/255.255.255.0/0/0)
   current_peer 172.16.23.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
    #pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 172.16.12.1, remote crypto endpt.: 172.16.23.3
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
     current outbound spi: 0x529A47DF(1385842655)

     inbound esp sas:
      spi: 0x84D56CF5(2228579573)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: SW:3, crypto map: MYMAP
        sa timing: remaining key lifetime (k/sec): (4474683/85)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:
      spi: 0x329848AB(848840875)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: SW:3, crypto map: MYMAP
        sa timing: remaining key lifetime (k/sec): (4474683/83)
        replay detection support: Y
        Status: ACTIVE

     inbound pcp sas:

     outbound esp sas:
      spi: 0x529A47DF(1385842655)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: SW:4, crypto map: MYMAP
        sa timing: remaining key lifetime (k/sec): (4474683/81)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:
      spi: 0x7939FC8B(2033843339)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: SW:4, crypto map: MYMAP
        sa timing: remaining key lifetime (k/sec): (4474683/79)
        replay detection support: Y
        Status: ACTIVE

     outbound pcp sas:

Captures on interface Serial 0/0 of R1. (The packet-capture screenshots are not reproduced in this transcript.)

- Ping to the other networks from R2:

R2#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/52/96 ms

R2#ping 172.16.4.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/65/108 ms

R2#ping 172.16.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/41/124 ms

R2#ping 172.16.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/40/100 ms

R2#ping 172.16.34.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.34.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/88/164 ms


- Neighbors:

R2#sh ip eigrp neigh
IP-EIGRP neighbors for process 1
H   Address          Interface   Hold  Uptime    SRTT   RTO   Q    Seq
                                 (sec)           (ms)         Cnt  Num
1   172.16.23.3      Se0/1       14    00:47:49  870    5000  0    8
0   172.16.12.1      Se0/0       14    00:47:58  206    1236  0    2

- Routes on R2:

R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 7 subnets
D       172.16.34.0 [90/2681856] via 172.16.23.3, 00:47:54, Serial0/1
C       172.16.23.0 is directly connected, Serial0/1
C       172.16.12.0 is directly connected, Serial0/0
D       172.16.4.0 [90/2809856] via 172.16.23.3, 00:47:47, Serial0/1
D       172.16.1.0 [90/2297856] via 172.16.12.1, 00:48:05, Serial0/0
C       172.16.2.0 is directly connected, Loopback0
D       172.16.3.0 [90/2297856] via 172.16.23.3, 00:47:54, Serial0/1

- Ping to the other networks from R3:

R3#ping 172.16.4.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/152/304 ms

R3#ping 172.16.34.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.34.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/141/224 ms

R3#ping 172.16.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/85/248 ms

R3#ping 172.16.23.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.23.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/98/172 ms

R3#ping 172.16.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/68/96 ms

R3#ping 172.16.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/188/372 ms

R3#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/221/360 ms

- Neighbors:

R3#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address          Interface   Hold  Uptime    SRTT   RTO   Q    Seq
                                 (sec)           (ms)         Cnt  Num
1   172.16.34.4      Se0/1       12    01:03:42  205    1230  0    2
0   172.16.23.2      Se0/0       11    01:03:51  102    612   0    10

- Routes on R3:

R3#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 7 subnets
C       172.16.34.0 is directly connected, Serial0/1
C       172.16.23.0 is directly connected, Serial0/0
D       172.16.12.0 [90/2681856] via 172.16.23.2, 01:04:34, Serial0/0
D       172.16.4.0 [90/2297856] via 172.16.34.4, 01:04:28, Serial0/1
D       172.16.1.0 [90/2809856] via 172.16.23.2, 01:04:34, Serial0/0
D       172.16.2.0 [90/2297856] via 172.16.23.2, 01:04:34, Serial0/0
C       172.16.3.0 is directly connected, Loopback0

- Test of the traffic through the tunnel:

R3#sh crypto ipsec sa

interface: Serial0/0
    Crypto map tag: MYMAP, local addr 172.16.23.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.4.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   current_peer 172.16.12.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 68, #pkts encrypt: 68, #pkts digest: 68
    #pkts decaps: 68, #pkts decrypt: 68, #pkts verify: 68
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.16.23.3, remote crypto endpt.: 172.16.12.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

The counters prove that 68 packets were protected in each direction, but no SA is listed and the outbound SPI is 0x0: by the time this output was taken the SAs had expired (the crypto map sets a 900-second lifetime) and no new traffic matching ACL 101 had triggered a fresh negotiation. Sending another loopback-sourced ping would rebuild them.

- MPLS:

R3#sh mpls forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Untagged    172.16.2.0/24     0          Se0/0      point2point
17     Untagged    172.16.12.0/24    1040       Se0/0      point2point
18     Untagged    172.16.1.0/24     1040       Se0/0      point2point
19     Pop tag     172.16.4.0/24     0          Se0/1      point2point

R3#show interfaces s0/1 accounting
Serial0/1 Link to R4
                Protocol    Pkts In   Chars In   Pkts Out   Chars Out
                   Other          0          0        413        9912
                      IP       2098     136649       2183      145799
                     CDP         71      23084         71       23084
                     Tag         88       9504          0           0

- NTP:

R3#show ntp status
Clock is synchronized, stratum 6, reference is 172.16.34.4
nominal freq is 250.0000 Hz, actual freq is 250.0002 Hz, precision is 2**18
reference time is CFDC5E1D.5F16B390 (13:35:25.371 UTC Mon Jul 5 2010)
clock offset is -57.9459 msec, root delay is 39.95 msec
root dispersion is 134.48 msec, peer dispersion is 76.49 msec

R3#show ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
*~172.16.34.4      127.127.7.1       5    58    64  377    39.9  -57.95    76.5
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

- Ping to the other networks from R4:

R4#ping 172.16.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/117/200 ms

R4#ping 172.16.23.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.23.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/90/188 ms

R4#ping 172.16.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/178/280 ms

R4#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 104/164/224 ms

R4#ping 172.16.4.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

- Neighbors:

R4#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address          Interface   Hold  Uptime    SRTT   RTO   Q    Seq
                                 (sec)           (ms)         Cnt  Num
0   172.16.34.3      Se0/0       13    01:29:29  162    972   0    7

- Routes on R4:

R4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 7 subnets
C       172.16.34.0 is directly connected, Serial0/0
D       172.16.23.0 [90/2681856] via 172.16.34.3, 01:29:29, Serial0/0
D       172.16.12.0 [90/3193856] via 172.16.34.3, 01:29:29, Serial0/0
C       172.16.4.0 is directly connected, Loopback0
D       172.16.1.0 [90/3321856] via 172.16.34.3, 01:29:29, Serial0/0
D       172.16.2.0 [90/2809856] via 172.16.34.3, 01:29:29, Serial0/0
D       172.16.3.0 [90/2297856] via 172.16.34.3, 01:29:29, Serial0/0

- MPLS:

R4#sh mpls forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Pop tag     172.16.3.0/24     0          Se0/0      point2point
17     Pop tag     172.16.23.0/24    0          Se0/0      point2point
18     16          172.16.2.0/24     0          Se0/0      point2point
19     17          172.16.12.0/24    0          Se0/0      point2point
20     18          172.16.1.0/24     0          Se0/0      point2point

R4#show interface s0/0 accounting
Serial0/0 Link to R3
                Protocol    Pkts In   Chars In   Pkts Out   Chars Out
                   Other          0          0        539       12936
                      IP       2878     193351       2754      180087
                     CDP         89      28925         92       29909
                     Tag          0          0        128       13824

- NTP:

R4#sh ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
*~127.127.7.1      127.127.7.1       4    35    64  377     0.0    0.00     0.0
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

R4#sh ntp status
Clock is synchronized, stratum 5, reference is 127.127.7.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**24
reference time is CFDC62E3.4CBB9299 (13:55:47.299 UTC Mon Jul 5 2010)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec

Questions:
- Will R3 or R4 send the NTP queries as MPLS frames? Explain.

No. R3 sends its NTP queries to 172.16.34.4 and R4 replies to 172.16.34.3, both addresses on the directly connected R3-R4 link. A label is imposed only when the LFIB holds an outgoing label for the destination, and neither forwarding table above has an entry for 172.16.34.0/24: each router advertises its own connected prefixes with the implicit-null label, so penultimate hop popping (PHP) would force the neighbour to strip the label at the very next hop anyway. To avoid that pointless overhead the NTP packets are sent as normal IP packets.

- Will R3 or R4 send any packet destined for the other router as MPLS frames?

No, for the same reason: every prefix owned by the other router is directly connected to it, so on this one-hop path PHP always applies. R3's table shows "Pop tag" for 172.16.4.0/24 and R4's shows "Pop tag" for 172.16.3.0/24 and 172.16.23.0/24, meaning the label is removed before the packet leaves and the other router receives plain IP. The decrypted R1-to-R4 traffic that R3 forwards after the IPsec tunnel takes the same unlabeled path.

- Will R3 or R4 send absolutely any packet as MPLS frames?

R4 does: packets destined for R1 and R2 (172.16.1.0/24, 172.16.12.0/24 and 172.16.2.0/24) leave R4 carrying labels 18, 17 and 16, the local labels R3 assigned to those prefixes, as the R4 forwarding table shows. R3 receives them, finds "Untagged" as the outgoing entry (R1 and R2 do not run MPLS), removes the label and forwards plain IP toward R2. R3 itself never sends a labeled packet: its only MPLS neighbour is R4, and the only prefix it reaches through R4, 172.16.4.0/24, is popped by PHP before transmission. The interface accounting agrees: R4 counts 128 Tag packets out and none in on Serial0/0, while R3 counts Tag packets in and none out on Serial0/1.
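To make the three answers above checkable, the following added example (not part of the original case study) loads the two show mpls forwarding-table outputs shown earlier into a small longest-prefix lookup and traces what each router puts on the R3-R4 link for a given destination. The label rows are transcribed from the page; MPLS_PEER, the router names and the result format are the example's own bookkeeping.

```python
"""Trace R3/R4 label forwarding from the LFIBs shown on this page.

Added example, not part of the original case study. For each destination it
reports whether the first router sends the packet labeled (an outgoing label
is imposed), pops the label (PHP, 'Pop tag'), or sends plain IP ('Untagged',
or no LFIB entry at all, as for the connected 172.16.34.0/24 link).
"""
import ipaddress

# Rows transcribed from 'show mpls forwarding-table': (local, outgoing, prefix, interface).
LFIB = {
    "R3": [
        (16, "Untagged", "172.16.2.0/24", "Se0/0"),
        (17, "Untagged", "172.16.12.0/24", "Se0/0"),
        (18, "Untagged", "172.16.1.0/24", "Se0/0"),
        (19, "Pop tag", "172.16.4.0/24", "Se0/1"),
    ],
    "R4": [
        (16, "Pop tag", "172.16.3.0/24", "Se0/0"),
        (17, "Pop tag", "172.16.23.0/24", "Se0/0"),
        (18, "16", "172.16.2.0/24", "Se0/0"),
        (19, "17", "172.16.12.0/24", "Se0/0"),
        (20, "18", "172.16.1.0/24", "Se0/0"),
    ],
}

# The only MPLS-enabled link in the lab: who sits at the far end of each interface.
MPLS_PEER = {("R3", "Se0/1"): "R4", ("R4", "Se0/0"): "R3"}


def lookup(router, dst):
    """Longest-prefix match in the router's LFIB; None when the destination is
    not labeled at all (e.g. an address on the connected R3-R4 link)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for local, outgoing, prefix, iface in LFIB[router]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[2].prefixlen):
            best = (local, outgoing, net, iface)
    return best


def on_wire(outgoing):
    """Translate an 'Outgoing tag' cell into what actually leaves the router."""
    if outgoing in ("Untagged", "Pop tag"):
        return ("ip", None)          # non-MPLS next hop, or PHP: plain IP
    return ("mpls", int(outgoing))   # label imposed / swapped for the peer


def first_hop(router, dst):
    """Encapsulation the source router uses for a packet to dst."""
    entry = lookup(router, dst)
    return ("ip", None) if entry is None else on_wire(entry[1])


def receive_labeled(router, label):
    """What the receiving LSR does with an incoming label."""
    for local, outgoing, _prefix, _iface in LFIB[router]:
        if local == label:
            return on_wire(outgoing)
    raise KeyError(f"{router} has no local label {label}")


def trace(src_router, dst):
    """[(router, 'ip'|'mpls', label), ...] across the R3-R4 link."""
    hops = []
    enc, label = first_hop(src_router, dst)
    hops.append((src_router, enc, label))
    if enc == "mpls":
        peer = MPLS_PEER[(src_router, lookup(src_router, dst)[3])]
        enc2, label2 = receive_labeled(peer, label)
        hops.append((peer, enc2, label2))
    return hops


if __name__ == "__main__":
    for router, dst in (("R3", "172.16.34.4"), ("R3", "172.16.4.1"),
                        ("R4", "172.16.3.1"), ("R4", "172.16.1.1")):
        print(f"{router} -> {dst}: {trace(router, dst)}")
```

The four traces in the main block reproduce the answers: the NTP destination 172.16.34.4 has no LFIB entry on R3, R3 to R4's loopback and R4 to R3's loopback are both PHP pops, and only R4 toward the R1/R2 prefixes produces a labeled packet, which R3 then strips.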

- Differentiate between the algorithms, explaining which algorithms in the IPsec policies apply to encryption, which to authentication and which to message integrity. According to your reading, which of the available algorithms in each category is the most secure?

In the ISAKMP (IKE phase 1) policy, encr aes 256 is the encryption algorithm that protects the IKE negotiation itself; authentication pre-share is the peer authentication method (the key cisco, bound to the peer address, is the credential); group 5 is the Diffie-Hellman group (1536-bit) used to derive the session keys; and the hash, left at its IOS default of SHA-1 and therefore not shown in the running-config, provides the integrity of the IKE messages. In transform set 50 (IPsec, phase 2), esp-aes 256 is the encryption of the protected traffic, esp-sha-hmac is the HMAC-SHA-1 check carried in the ESP trailer that gives integrity and origin authentication of the payload, and ah-sha-hmac is a second HMAC-SHA-1 check carried in an AH header that additionally covers the outer IP header. ESP therefore provides confidentiality plus integrity and origin authentication; AH provides only integrity and origin authentication. Because esp-sha-hmac already authenticates the payload, adding AH buys little here beyond protecting the outer header, and it would break the tunnel if it ever had to cross NAT. set pfs group5 forces a fresh Diffie-Hellman exchange for the phase 2 keys so they are not derived from the phase 1 secret. Of the choices this IOS image offers, AES with a 256-bit key is the strongest encryption (over DES, 3DES and AES-128/192), SHA-1 is the stronger of the two HMAC options (over MD5), and group 5 is stronger than groups 1 and 2; note that 256 bits is the largest AES key size, not an absolute upper bound on key lengths.
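A practical way to pin down which keyword provides which property, and to catch the classic phase 1/phase 2 mismatches between two peers, is to parse both crypto configurations and compare them. The block below is an added example and not part of the case study: its parser understands only the handful of IOS statements used on this page (isakmp policy, isakmp key, transform-set, crypto map, numbered extended ACL), the R1 and R3 fragments are the crypto lines from the configs above trimmed to what the checker reads, and the ROLE table is the example's own labelling. The ISAKMP hash is filled in from the IOS default (SHA-1) because the running-config omits it.

```python
# Added example: consistency check of the R1/R3 crypto configs (not from the case study).
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
ROLE = {  # security property each keyword provides
    "encr": "encryption of the IKE (phase 1) exchange",
    "hash": "integrity of the IKE (phase 1) exchange",
    "authentication": "peer authentication", "group": "Diffie-Hellman key exchange",
    "pfs": "fresh Diffie-Hellman exchange for the phase 2 keys",
    "esp-aes": "encryption of the protected traffic",
    "esp-sha-hmac": "integrity + origin authentication of the ESP payload",
    "ah-sha-hmac": "integrity + origin authentication including the outer IP header",
}


def _algs(tokens):
    """'esp-aes 256' is one algorithm: fold a bare key size onto the previous token."""
    algs = []
    for t in tokens:
        if t.isdigit() and algs:
            algs[-1] += " " + t
        else:
            algs.append(t)
    return algs


def parse_crypto(config):
    """Extract isakmp policy, PSKs, transform set, crypto map and ACLs from IOS text."""
    c = {"isakmp": dict(ISAKMP_DEFAULTS), "psk": {}, "transform": [], "map": {}, "acl": {}}
    section = None
    for line in config.splitlines():
        tok = line.split()
        if not tok or tok[0] == "!":
            continue
        if not line.startswith(" "):  # a top-level command ends any sub-mode
            section = None
            if tok[:3] == ["crypto", "isakmp", "policy"]:
                section = "isakmp"
            elif tok[:3] == ["crypto", "isakmp", "key"]:  # crypto isakmp key KEY address PEER
                c["psk"][tok[5]] = tok[3]
            elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
                c["transform"] = _algs(tok[4:])
            elif tok[:2] == ["crypto", "map"]:
                section = "map"
            elif tok[0] == "access-list":  # access-list N permit ip SRC WC DST WC
                c["acl"].setdefault(tok[1],[]).append(tuple(tok[2:8]))
        elif section == "isakmp":
            c["isakmp"][tok[0]] = " ".join(tok[1:])
        elif section == "map" and tok[0] in ("set", "match"):
            c["map"][tok[1]] = tok[2]
    return c


def describe(parsed):
    """(keyword, configured value, property it provides) for every crypto parameter."""
    out = [(k, parsed["isakmp"][k], ROLE[k]) for k in ("encr", "hash", "authentication", "group")]
    out += [(a.split()[0], a, ROLE.get(a.split()[0], "unknown")) for a in parsed["transform"]]
    if "pfs" in parsed["map"]:
        out.append(("pfs", parsed["map"]["pfs"], ROLE["pfs"]))
    return out


def check_peers(cfg_a, addr_a, cfg_b, addr_b):
    """Mismatches that would stop the tunnel between A and B (empty list = consistent)."""
    a, b = parse_crypto(cfg_a), parse_crypto(cfg_b)
    problems = []
    for k in ("encr", "hash", "authentication", "group"):
        if a["isakmp"][k] != b["isakmp"][k]:
            problems.append(f"isakmp {k}: {a['isakmp'][k]} vs {b['isakmp'][k]}")
    if a["psk"].get(addr_b) != b["psk"].get(addr_a):
        problems.append("pre-shared keys differ or are bound to the wrong peer address")
    if sorted(a["transform"]) != sorted(b["transform"]):
        problems.append(f"transform sets differ: {a['transform']} vs {b['transform']}")
    if a["map"].get("peer") != addr_b or b["map"].get("peer") != addr_a:
        problems.append("crypto map peers do not point at each other")
    if a["map"].get("pfs") != b["map"].get("pfs"):
        problems.append("PFS group mismatch")
    acl_a = a["acl"].get(a["map"].get("address"), [])
    acl_b = b["acl"].get(b["map"].get("address"), [])
    mirrored = {(act, pr, dst, dwc, src, swc) for act, pr, src, swc, dst, dwc in acl_b}
    if set(acl_a) != mirrored:
        problems.append("crypto ACLs are not mirror images of each other")
    return problems


# Crypto lines of the R1 and R3 running-configs above, trimmed to what the checker reads.
R1 = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key cisco address 172.16.23.3
crypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
crypto map MYMAP 10 ipsec-isakmp
 set peer 172.16.23.3
 set transform-set 50
 set pfs group5
 match address 101
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.4.0 0.0.0.255
"""
R3 = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key cisco address 172.16.12.1
crypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
crypto map MYMAP 10 ipsec-isakmp
 set peer 172.16.12.1
 set transform-set 50
 set pfs group5
 match address 101
access-list 101 permit ip 172.16.4.0 0.0.0.255 172.16.1.0 0.0.0.255
"""
```

Calling check_peers(R1, "172.16.12.1", R3, "172.16.23.3") returns an empty list for the configs on this page; changing one side's esp-sha-hmac to esp-md5-hmac, or breaking the ACL mirror, produces the corresponding finding, which is the kind of mismatch that otherwise only shows up as a silent phase 2 failure. describe(parse_crypto(R1)) lists each keyword with the property it provides, which is the classification the question asks for.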

- How does NTP help prepare a network for system logging?

NTP keeps the routers in the network on the same, correct time: R4 is the stratum 5 master and R3 synchronizes to it as stratum 6, as the show ntp status output confirms. Because service timestamps log datetime msec stamps every syslog message with the local clock, a consistent clock across devices is what lets the messages collected on the syslog host be placed in the right order and correlated with each other when errors or attacks are investigated; timestamps from unsynchronized routers cannot be compared. One gap in this scenario: only R3 is an NTP client, while R1, the router that actually sends syslog to 172.16.2.200, keeps its own unsynchronized clock, so its timestamps would still need NTP before an analyst could trust them.