CCNP comprehensive experiment-
The lab topology is as follows:
[Topology diagram: http://img1.51cto.com/attachment/201104/185551130.jpg]
Lab requirements:
1: R3 and R4 perform NAT. R3 E0/1 is the egress (outside) interface on R3, and R4 E0/0 is the egress (outside) interface on R4.
2: R3, R4, R5, R7 and R8 run OSPF; R3, R4, R5 and R7 run frame-relay; R7 acts as the FR switch.
3: When 8.8.8.8 reaches 1.1.1.1, it is translated on R3 to the public IP address 3.3.3.3. When 8.8.8.9 reaches 1.1.1.1, it is translated on R4 to the public IP address 4.4.4.4. 192.168.8.1 can reach 1.1.1.1 through either R3 or R4.
4: Traffic between R8 and 1.1.1.1 that is larger than the size threshold leaves through R4, and traffic that is smaller leaves through R3.
5: Configure area authentication in OSPF.
Complete configuration for this experiment:

R1:
R1# show run
hostname R1
no ip domain lookup
!
ip cef
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0/0
 ip address 192.168.12.1 255.255.255.0
 half-duplex
!
interface Ethernet0/1
 ip address 192.168.16.1 255.255.255.0
 half-duplex
!
router bgp 100
 no synchronization
 ! Disable BGP synchronization, that is, synchronization between BGP and the IGP (a rule that exists to avoid routing black holes)
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 network 1.1.1.0 mask 255.255.255.0
 neighbor 192.168.12.2 remote-as 200
 neighbor 192.168.16.6 remote-as 400
 maximum-paths 2
 ! Load balancing across two routes; the range is 1-6
 no auto-summary

R2:
R2# show run
hostname R2
no ip domain lookup
ip cef
!
interface Ethernet0/0
 ip address 192.168.12.2 255.255.255.0
 half-duplex
!
interface Ethernet0/1
 ip address 192.168.23.2 255.255.255.0
 half-duplex
!
router bgp 200
 no synchronization
 bgp router-id 2.2.2.2
 bgp log-neighbor-changes
 network 192.168.12.0
 network 192.168.23.0
 neighbor 192.168.12.1 remote-as 100
 neighbor 192.168.23.3 remote-as 300
 no auto-summary

R3:
R3# show run
hostname R3
!
no ip domain lookup
ip cef
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
 ip virtual-reassembly
!
interface Ethernet0/1
 ip address 192.168.23.3 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 half-duplex
!
interface Serial1/0
 ip address 192.168.1.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 encapsulation frame-relay
 ip ospf message-digest-key 1 md5 cisco
 ! Area authentication: the interface enables authentication with an MD5 key
 ip ospf network broadcast
 ! On the NBMA network, the OSPF network type is set to broadcast under the interface
 serial restart-delay 0
 frame-relay map ip 192.168.1.4 304 broadcast
 ! Define the FR PVC mapping, with broadcast support
 frame-relay map ip 192.168.1.5 305 broadcast
 no frame-relay inverse-arp
 ! Disable FR inverse ARP
!
router ospf 1
 log-adjacency-changes
 area 0 authentication message-digest
 ! Enable area authentication, using a message digest (hash)
 network 3.3.3.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
 default-information originate
 ! The ASBR advertises a default route. Without the always parameter, a static default route must be written manually before a default route entry pointing to the ASBR is advertised into the OSPF domain. The default route entry is
!
router bgp 300
 no synchronization
 bgp router-id 3.3.3.3
 bgp log-neighbor-changes
 network 3.3.3.0 mask 255.255.255.0
 ! Advertise BGP routes; in BGP the routes must be advertised manually and the neighbors specified
 network 192.168.1.0
 network 192.168.23.0
 redistribute ospf 1
 neighbor 192.168.1.4 remote-as 300
 neighbor 192.168.1.4 next-hop-self
 ! For the IBGP neighbor, set the next hop to this router, because both are in the same AS and BGP counts each AS as one hop. Unlike RIP, BGP is also called a path-vector routing protocol
 neighbor 192.168.23.2 remote-as 200
 neighbor 192.168.23.2 route-map 3 out
 ! Attach a route-map to modify and filter the attributes of the BGP routes sent to the neighbor
 no auto-summary
!
ip nat inside source route-map interface Ethernet0/1 overload
! PAT, selected with a route-map
ip nat inside source static 8.8.8.8 3.3.3.3
! Static NAT
access-list 1 permit 8.8.8.9
access-list 1 permit 192.168.8.1
access-list 3 permit 4.4.4.0 0.0.0.255
route-map 3 permit 10
 match ip address 3
 set as-path prepend 1000 10001
 ! Use the route-map to modify the AS-PATH attribute of the BGP route entry
route-map 3 permit 20
route-map permit 10
 match ip address 1

R4:
hostname R4
no ip domain lookup
ip cef
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.0
 ip virtual-reassembly
!
interface Ethernet0/0
 ip address 192.168.46.4 255.255.255.0
 ip nat outside
 ip virtual-reassembly
!
interface Serial1/0
 ip address 192.168.1.4 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 encapsulation frame-relay
 ip ospf message-digest-key 1 md5 cisco
 ip ospf network broadcast
 serial restart-delay 0
 frame-relay map ip 192.168.1.3 403 broadcast
 frame-relay map ip 192.168.1.5 405 broadcast
 no frame-relay inverse-arp
!
router ospf 1
 log-adjacency-changes
 area 0 authentication message-digest
 redistribute bgp 300 subnets
 network 4.4.4.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
 default-information originate always
 ! Automatically advertises a default route into the OSPF domain; no static default route has to be created manually.
 ! For example: O*E2 0.0.0.0/0 [110/1] via 192.168.1.4, 06:16:55, Serial1/0
!
router bgp 300
 no synchronization
 bgp router-id
 bgp log-neighbor-changes
 network 4.4.4.0 mask 255.255.255.0
 network 192.168.1.0
 network 192.168.46.0
 redistribute ospf 1
 neighbor 192.168.1.3 remote-as 300
 neighbor 192.168.1.3 next-hop-self
 neighbor 192.168.46.6 remote-as 400
 neighbor 192.168.46.6 route-map 3 out
 no auto-summary
!
ip nat inside source route-map interface Ethernet0/0 overload
ip nat inside source static 8.8.8.9 4.4.4.4
access-list 1 permit 8.8.8.8
access-list 1 permit 192.168.8.1
access-list 3 permit 3.3.3.0
route-map 3 permit 10
 match ip address 3
 set as-path prepend 1000 1001
route-map 3 permit 20
route-map map permit 10
 match ip address 1

R5:
R5# show run
hostname R5
no ip domain lookup
ip cef
!
interface Ethernet0/0
 ip address 192.168.5.1 255.255.255.0
 ip ospf message-digest-key 1 md5 cisco
 ip policy route-map car
 ! Policy-based routing (PBR) is applied under the interface; it can only be applied on the inbound interface, or globally for locally originated traffic
 half-duplex
!
interface Serial1/0
 ip address 192.168.1.5 255.255.255.0
 encapsulation frame-relay
 ip ospf message-digest-key 1 md5 cisco
 ip ospf network broadcast
 serial restart-delay 0
 frame-relay map ip 192.168.1.3 503 broadcast
 frame-relay map ip 192.168.1.4 504 broadcast
 no frame-relay inverse-arp
!
router ospf 1
 log-adjacency-changes
 area 0 authentication message-digest
 network 192.168.1.0 0.0.0.255 area 0
 network 192.168.5.0 0.0.0.255 area 0
!
ip ospf name-lookup
access-list 101 permit ip host 8.8.8.8 host 1.1.1.1
access-list 101 permit ip host 8.8.8.9 host 1.1.1.1
access-list 101 permit ip 192.168.8.0 0.0.0.255 host 1.1.1.1
route-map car permit 10
 match ip address 101
 match length 0 1000
 ! PBR for traffic control
 set ip next-hop 192.168.1.3
route-map car permit 20
 match ip address 101
 match length 1000 1500
 set ip next-hop 192.168.1.4
route-map car permit 30

R6:
R6# show run
hostname R6
no ip domain lookup
ip cef
!
interface Ethernet0/0
 ip address 192.168.46.6 255.255.255.0
 half-duplex
!
interface Ethernet0/1
 ip address 192.168.16.6 255.255.255.0
 half-duplex
!
router bgp 400
 no synchronization
 bgp router-id
 bgp log-neighbor-changes
 network 192.168.16.0
 network 192.168.46.0
 neighbor 192.168.16.1 remote-as 100
 neighbor 192.168.46.4 remote-as 300
 no auto-summary

R7 (FR):
FR# show run
hostname FR
no ip domain lookup
!
ip cef
ip ips po max-events 100
frame-relay switching
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 serial restart-delay 0
 clockrate 64000
 no frame-relay inverse-arp
 frame-relay intf-type dce
 frame-relay route 304 interface Serial0/1 403
 ! PVC, FR route
 frame-relay route 305 interface Serial0/2 503
!
interface Serial0/1
 no ip address
 encapsulation frame-relay
 serial restart-delay 0
 clockrate 64000
 frame-relay intf-type dce
 frame-relay route 403 interface Serial0/0 304
 frame-relay route 405 interface Serial0/2 504
!
interface Serial0/2
 no ip address
 encapsulation frame-relay
 serial restart-delay 0
 clockrate 64000
 frame-relay intf-type dce
 frame-relay lm-type cisco
 ! LMI (local management interface) type. The LMI type must be consistent between the FR switch and the customer router interface. The default is cisco, and there are three LMI types: 1. ansi, 2. cisco, 3. q933a.
 frame-relay route 503 interface Serial0/0 305
 frame-relay route 504 interface Serial0/1 405

R8:
R8# show run
hostname R8
no ip domain lookup
ip cef
!
interface Loopback0
 ip address 8.8.8.9 255.255.255.0 secondary
 ip address 192.168.8.1 255.255.255.0 secondary
 ip address 8.8.8.8 255.255.255.0
!
interface Ethernet0/0
 ip address 192.168.5.8 255.255.255.0
 ip ospf message-digest-key 1 md5 cisco
!
router ospf 1
 log-adjacency-changes
 area 0 authentication message-digest
 network 8.8.8.0 0.0.0.255 area 0
 network 192.168.8.0 0.0.0.255 area 0
 network 0.0.0.0 255.255.255.255 area 0

Once the configuration is correct, we can test whether it meets the requirements. There are three main areas to test: 1. connectivity across the network; 2. NAT; 3. traffic redirection. A fourth point is using a route-map to modify BGP attributes.

The problem when this is not optimized: R1 may learn the loopback 0 networks of R3 and R4 (3.3.3.3 and 4.4.4.4) from either 192.168.12.2 or 192.168.16.6. That is bad news for the static addresses used for NAT translation. When we try to meet the requirements above, there is always one side that cannot ping 1.1.1.1 even though it satisfies the traffic redirection policy, because the path its packets take out differs from the path the replies take back, and NAT does not work with asymmetric paths in this environment. The only option is to optimize BGP routing so that, after NAT translation, the outbound and return paths of a packet are fixed.
For 3.3.3.3, R1 should always use R2 as the next hop of its best path. If the reply instead travels through R6 and arrives at R4, it is dropped: the inside address was translated to 3.3.3.3 on R3, and R4 has no NAT entry that maps 3.3.3.3 back to the inside address. BGP routing therefore has to be controlled. Here I do this by modifying the AS-PATH attribute of the corresponding routes on R3 and R4, which steers R1's route selection.

Connectivity across the network:

R8# ping 1.1.1.1 source 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 8.8.8.8
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 224/327/516 ms

It is clearly reachable.

NAT test:

R8# ping 192.168.12.1 source lo 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
Packet sent with a source address of 8.8.8.8
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 404/520/680 ms

R3#
*Mar 1 06:42:59.650: NAT: s=8.8.8.8->3.3.3.3, d=192.168.12.1 [669]
*Mar 1 06:42:59.826: NAT: s=192.168.12.1, d=3.3.3.3->8.8.8.8 [669]
*Mar 1 06:42:59.882: NAT: s=8.8.8.8->3.3.3.3, d=192.168.12.1 [670]
*Mar 1 06:43:00.174: NAT: s=192.168.12.1, d=3.3.3.3->8.8.8.8 [670]
*Mar 1 06:43:00.290: NAT: s=8.8.8.8->3.3.3.3, d=192.168.12.1 [671]
*Mar 1 06:43:00.526: NAT: s=192.168.12.1, d=3.3.3.3->8.8.8.8 [671]
R3#
*Mar 1 06:44:00.690: NAT: expiring 3.3.3.3 (8.8.8.8) icmp 138 (138)

R8# ping 192.168.46.6 source lo 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.46.6, timeout is 2 seconds:
Packet sent with a source address of 8.8.8.8
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/215/380 ms
R8#

R4#
*Mar 1 06:50:59.902: NAT*: s=8.8.8.8->192.168.46.4, d=192.168.46.6 [687]
*Mar 1 06:51:00.026: NAT*: s=192.168.46.6, d=192.168.46.4->8.8.8.8 [687]
*Mar 1 06:51:00.238: NAT*: s=8.8.8.8->192.168.46.4, d=192.168.46.6 [688]
*Mar 1 06:51:00.246: NAT*: s=192.168.46.6, d=192.168.46.4->8.8.8.8 [688]
*Mar 1 06:51:00.366: NAT*: s=8.8.8.8->192.168.46.4, d=192.168.46.6 [689]
*Mar 1 06:51:00.514: NAT*: s=192.168.46.6, d=192.168.46.4->8.8.8.8 [689]
*Mar 1 06:51:00.518: NAT*: s=8.8.8.8->192.168.46.4, d=192.168.46.6 [690]
*Mar 1 06:51:00.582: NAT*: s=192.168.46.6, d=192.168.46.4->8.8.8.8 [690]
*Mar 1 06:51:00.902: NAT*: s=8.8.8.8->192.168.46.4, d=192.168.46.6 [691]
R4#
*Mar 1 06:51:00.938: NAT*: s=192.168.46.6, d=192.168.46.4->8.8.8.8 [691]
R4#

The translation succeeds.

Traffic redirection test: when R8 sends to the public address 1.1.1.1 and the packet is larger than 1000 bytes, the next hop is R4.

R8# ping 1.1.1.1 size 1001 source 8.8.8.8
Type escape sequence to abort.
Sending 5, 1001-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 8.8.8.8
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 248/297/336 ms

R4#
*Mar 1 06:48:11.386: NAT*: s=8.8.8.8->192.168.46.4, d=1.1.1.1 [677]
*Mar 1 06:48:11.550: NAT*: s=1.1.1.1, d=192.168.46.4->8.8.8.8 [677]
*Mar 1 06:48:11.686: NAT*: s=8.8.8.8->192.168.46.4, d=1.1.1.1 [678]
*Mar 1 06:48:11.854: NAT*: s=1.1.1.1, d=192.168.46.4->8.8.8.8 [678]
*Mar 1 06:48:11.886: NAT*: s=8.8.8.8->192.168.46.4, d=1.1.1.1 [679]
*Mar 1 06:48:12.018: NAT*: s=1.1.1.1, d=192.168.46.4->8.8.8.8 [679]
*Mar 1 06:48:12.198: NAT*: s=8.8.8.8->192.168.46.4, d=1.1.1.1 [680]
*Mar 1 06:48:12.206: NAT*: s=1.1.1.1, d=192.168.46.4->8.8.8.8 [680]
R4#
*Mar 1 06:48:12.574: NAT*: s=8.8.8.8->192.168.46.4, d=1.1.1.1 [681]
*Mar 1 06:48:12.678: NAT*: s=1.1.1.1, d=192.168.46.4->8.8.8.8 [681]

R8# ping 1.1.1.1 size 1001 source 8.8.8.9
Type escape sequence to abort.
Sending 5, 1001-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 8.8.8.9
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 172/222/312 ms

R4#
*Mar 1 06:49:43.506: NAT*: s=8.8.8.9->4.4.4.4, d=1.1.1.1 [682]
*Mar 1 06:49:43.750: NAT*: s=1.1.1.1, d=4.4.4.4->8.8.8.9 [682]
*Mar 1 06:49:43.874: NAT*: s=8.8.8.9->4.4.4.4, d=1.1.1.1 [683]
*Mar 1 06:49:43.930: NAT*: s=1.1.1.1, d=4.4.4.4->8.8.8.9 [683]
*Mar 1 06:49:44.002: NAT*: s=8.8.8.9->4.4.4.4, d=1.1.1.1 [684]
*Mar 1 4.106: NAT*: s=1.1.1.1, d=4.4.4.4->8.8.8.9 [684]
*Mar 1 06:49:44.202: NAT*: s=8.8.8.9->4.4.4.4, d=1.1.1.1 [685]
*Mar 1 06:49:44.330: NAT*: s=1.1.1.1, d=4.4.4.4->8.8.8.9 [685]
*Mar 1 06:49:44.414: NAT*: s=8.8.8.9->4.4.4.4, d=1.1.1.1 [686]
*Mar 1 06:49:44.454: NAT*: s=1.1.1.1, d=4.4.4.4->8.8.8.9 [686]
R4#

When the packets are smaller, traffic from R8 must instead use R3 as the next hop:

R8# ping 1.1.1.1 size 800 source 8.8.8.8
Type escape sequence to abort.
Sending 5, 800-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 8.8.8.8
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 212/332/468 ms
R8#
R8# ping 1.1.1.1 size 800 source 8.8.8.9
Type escape sequence to abort.
Sending 5, 800-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 8.8.8.9
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 192/273/492 ms
R8#

R3#
*Mar 1 06:54:00.522: NAT*: s=8.8.8.8->3.3.3.3, d=1.1.1.1 [692]
*Mar 1 06:54:00.734: NAT*: s=1.1.1.1, d=3.3.3.3->8.8.8.8 [692]
*Mar 1 06:54:00.958: NAT*: s=8.8.8.8->3.3.3.3, d=1.1.1.1 [693]
*Mar 1 06:54:01.118: NAT*: s=1.1.1.1, d=3.3.3.3->8.8.8.8 [693]
*Mar 1 06:54:01.158: NAT*: s=8.8.8.8->3.3.3.3, d=1.1.1.1 [694]
*Mar 1 4:01.226: NAT*: s=1.1.1.1, d=3.3.3.3->8.8.8.8 [694]
*Mar 1 06:54:01.350: NAT*: s=8.8.8.8->3.3.3.3, d=1.1.1.1 [695]
R3#
*Mar 1 06:54:01.598: NAT*: s=1.1.1.1, d=3.3.3.3->8.8.8.8 [695]
*Mar 1 06:54:01.746: NAT*: s=8.8.8.8->3.3.3.3, d=1.1.1.1 [696]
*Mar 1 06:54:01.886: NAT*: s=1.1.1.1, d=3.3.3.3->8.8.8.8 [696]
R3#
*Mar 1 06:54:09.982: NAT*: s=8.8.8.9->192.168.23.3, d=1.1.1.1 [697]
*Mar 1 06:54:10.238: NAT*: s=1.1.1.1, d=192.168.23.3->8.8.8.9 [697]
*Mar 1 06:54:10.514: NAT*: s=8.8.8.9->192.168.23.3, d=1.1.1.1 [698]
*Mar 1 06:54:10.638: NAT*: s=1.1.1.1, d=192.168.23.3->8.8.8.9 [698]
*Mar 1 06:54:10.734: NAT*: s=8.8.8.9->192.168.23.3, d=1.1.1.1 [699]
*Mar 1 06:54:10.834: NAT*: s=1.1.1.1, d=192.168.23.3->8.8.8.9 [699]
*Mar 1 06:54:10.874: NAT*: s=8.8.8.9->192.168.23.3, d=1.1.1.1 [700]
R3#
*Mar 1 06:54:11.050: NAT*: s=1.1.1.1, d=192.168.23.3->8.8.8.9 [700]
*Mar 1 06:54:11.078: NAT*: s=8.8.8.9->192.168.23.3, d=1.1.1.1 [701]
*Mar 1 06:54:11.198: NAT*: s=1.1.1.1, d=192.168.23.3->8.8.8.9 [701]

Of course, everything only goes this smoothly after the BGP attribute has been modified. So how do we modify the BGP AS-PATH to make R1 take the best path?

First, a look at what AS-PATH does. It can be modified, and it is a well-known mandatory attribute: every route must carry it when it is advertised to a neighbor. It is used both for route selection and for loop prevention. When a router receives a route whose AS-PATH contains its own AS number, it drops the entry, because it could cause a routing loop; this preserves the stability and robustness of BGP.
In practice: R1 should learn the route to 3.3.3.3 from R2, and in this lab the route to 4.4.4.4 must be learned from R6. However, the 4.4.4.4 route learned from R2 has become the best route and is installed in the routing table, and forwarding uses only the entries in the routing table. We therefore want the 4.4.4.4 route advertised through R3 to look less attractive than the one advertised through R4 toward R1, so that R1, after comparing the attributes, chooses to reach 4.4.4.4 through R6. That is the result we expect.

Why does R1 go along with this? It decides by comparing AS-PATH. As the 4.4.4.4 route is advertised away from its origin it crosses several ASes, and each AS adds its own number in front of the existing path when it advertises the route to an EBGP neighbor. The more ASes a route has crossed, the less preferred it becomes. So on R3 we use a route-map to control the AS-PATH with which 4.4.4.4 is advertised, making it inferior to the 4.4.4.4 route that reaches R1 from R6. The same approach is used for the 3.3.3.3 route that R4 advertises toward R1.

router bgp 300
 no synchronization
 bgp router-id 3.3.3.3
 bgp log-neighbor-changes
 network 3.3.3.0 mask 255.255.255.0
 network 192.168.1.0
 network 192.168.23.0
 redistribute ospf 1
 neighbor 192.168.1.4 remote-as 300
 neighbor 192.168.1.4 next-hop-self
 neighbor 192.168.23.2 remote-as 200
 neighbor 192.168.23.2 route-map 3 out
access-list 3 permit 4.4.4.0
route-map 3 permit 10
 match ip address 3
 set as-path prepend 1000 1001
exit
route-map 3 permit 20
exit

Once this is in place, check on R1 whether two more AS numbers have been appended:

*> 3.3.3.0/24 192.168.12.2 0 200 300 i
*             192.168.16.6 0 400 300 1000 1001 i
*> 3.3.3.3/32 192.168.12.2 0 200 300 ?
*             192.168.16.6 0 400 300 1000 1001 ?

That is all for this experiment today. Your suggestions are welcome.
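The sketch below is an added example, not part of the original article: it models the AS-PATH comparison described above for the lab's two NAT prefixes and checks whether R1's reply can only return through the border router that holds the NAT entry. It covers only AS-PATH length and loop prevention (the earlier best-path steps are assumed equal); the function names are hypothetical, and the 4.4.4.0/24 paths are derived from the R3 and R4 route-maps on this page rather than from shown output.

```python
# Added example: models only the AS_PATH steps of BGP route selection for this lab.
OWNER = {"3.3.3.0/24": "R3", "4.4.4.0/24": "R4"}   # border router holding the static NAT
UPSTREAM = {"R3": ("R2", 200), "R4": ("R6", 400)}  # eBGP neighbour (name, AS) per border router
PREPEND = [1000, 1001]                             # "set as-path prepend 1000 1001"
R1_AS, LAB_AS = 100, 300


def as_path_at_r1(prefix, border, prepend_enabled):
    """AS_PATH R1 sees for `prefix` when it leaves AS 300 through `border`."""
    path = [LAB_AS]
    # route-map 3 on each border router matches only the *other* router's prefix
    if prepend_enabled and OWNER[prefix] != border:
        path = [LAB_AS] + PREPEND   # the local AS ends up in front of the prepended ASNs
    return [UPSTREAM[border][1]] + path


def loop_free(path, local_as):
    """A router discards any route whose AS_PATH already contains its own AS."""
    return local_as not in path


def return_entry_points(prefix, prepend_enabled):
    """Border routers through which R1's reply to `prefix` may re-enter AS 300."""
    paths = {b: as_path_at_r1(prefix, b, prepend_enabled) for b in UPSTREAM}
    paths = {b: p for b, p in paths.items() if loop_free(p, R1_AS)}
    shortest = min(len(p) for p in paths.values())
    return sorted(b for b, p in paths.items() if len(p) == shortest)


def nat_return_is_pinned(prefix, prepend_enabled):
    """True when the only best path leads back to the router that owns the NAT entry."""
    return return_entry_points(prefix, prepend_enabled) == [OWNER[prefix]]


if __name__ == "__main__":
    for prepend in (False, True):
        for prefix in OWNER:
            print(f"prepend={prepend} {prefix}: reply may enter via "
                  f"{return_entry_points(prefix, prepend)}, "
                  f"pinned={nat_return_is_pinned(prefix, prepend)}")
```

AS numbers 1000 and 1001 exist only to lengthen the path in this lab. On a production network, prepend your own AS number instead, because any AS whose number appears in the path discards the route under the loop-prevention rule.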
This article is from the "Chenxi" blog, please be sure to keep this source http://zenfei.blog.51cto.com/763386/546451