OK, so I have been a bit preoccupied recently: I am putting the finishing touches to CCNA and Beyond, which is currently in the hands of the previewers, and took a side step to get the Check Point Certified Security Administrator (CCSA) exam - which I passed today. And as I am in a good mood, it's time to crank up the volume and play music. So here is Ash performing "Burn Baby Burn":
Love that song. And now, here is Red Kite performing "Montreal":
Anyway, it's time to crack on with the CCIE Security. It's March now and I want to sit the exam in December. So I best be getting on with it.
Despite losing the existing topology, I rebuilt most of it using REST calls, but need to finish quite a bit by hand. It's nearly done! I have had to change the LA-FW to ASA (8.4.2) if you are following along at home and need to use the same REST calls.
It's actually proving much harder to re-do all of this than I thought, which is my fault as I did not rename devices, or come up with a proper IP address scheme early on. But, like my lack of backing up, I only have myself to blame.
I will post the topology (as it is at the moment) at the end of this post, and it will have IP addressing and so on and so forth. Lots of people have asked for it, so it's about time I shared it - also it means that this post will be a new starting point, and be all IP'd up (or nearly all).
I will start with the multi-context firewalls first, then do the transparent firewalls, then the MPLS core. If I am lucky then I'll even be able to get the tabbed thing working as it should do...
Multi-context firewalls
The configuration for the firewalls, and the hosts behind them, is below. First the two end hosts, LA2 and LA3, which simply default-route to the inside address of their own context:

hostname LA2
!
interface GigabitEthernet0/0
 ip address 20.5.5.254 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
ip route 0.0.0.0 0.0.0.0 20.5.5.1
hostname LA3
!
interface GigabitEthernet0/0
 ip address 20.6.6.254 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
ip route 0.0.0.0 0.0.0.0 20.6.6.1
LA-FW, system execution space. The box has to be in multiple mode already (mode multiple, which reloads it). Interfaces and subinterfaces are created here and handed to the contexts under mapped names; the contexts only ever see the mapped name, unless visible is added, in which case the physical ID shows up in the context as well:

hostname LA-FW
!
interface Ethernet0
!
interface Ethernet0.10
 vlan 10
!
interface Ethernet0.20
 vlan 20
!
interface Ethernet0.30
 vlan 30
!
admin-context admin
context admin
 config-url disk0:/admin.cfg
!
context C1
 allocate-interface Ethernet0.20 outsideC1
 allocate-interface Ethernet2 insideC1
 config-url disk0:/C1.cfg
!
context C2
 allocate-interface Ethernet0.30 outsideC2
 allocate-interface Ethernet3 insideC2 visible
 config-url disk0:/C2.cfg
!
prompt hostname context
C1 context (disk0:/C1.cfg). The original dump stopped at the interfaces; the default route towards LA1's VLAN 20 subinterface is added here because the contexts have no other way to reach the core, and the connectivity test at the end depends on it:

hostname C1
!
interface outsideC1
 nameif Outside
 security-level 0
 ip address 198.250.20.2 255.255.255.0
!
interface insideC1
 nameif Inside
 security-level 100
 ip address 20.5.5.1 255.255.255.0
!
route Outside 0.0.0.0 0.0.0.0 198.250.20.1
C2 context (disk0:/C2.cfg), with the same default route added towards LA1's VLAN 30 subinterface:

hostname C2
!
interface outsideC2
 nameif Outside
 security-level 0
 ip address 198.250.30.2 255.255.255.0
!
interface insideC2
 nameif Inside
 security-level 100
 ip address 20.6.6.1 255.255.255.0
!
route Outside 0.0.0.0 0.0.0.0 198.250.30.1
LA-SW sits between LA1's Gi0/1 and LA-FW's Ethernet0 and just trunks the three VLANs:

hostname LA-SW
!
interface GigabitEthernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 media-type rj45
 negotiation auto

Remember to recreate the VLANs (10, 20 and 30) on LA-SW, otherwise the trunks carry nothing.
LA1. The VLAN 20 subinterface was a /30 in the original dump, which did not match the /24 on C1's Outside interface; it is a /24 here, which is also what the VRF configuration later in the post uses:

hostname LA1
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 198.240.5.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 198.250.20.1 255.255.255.0
!
interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 198.250.30.1 255.255.255.0
!
Make sure that the interfaces are not shut down (on LA-FW the physical interfaces have to be brought up in the system execution space, not in the contexts), and save the work!
Transparent ASA
hostname NY2
!
interface Loopback0
 ip address 3.3.3.0 255.255.255.255
!
interface Loopback1
 ip address 3.3.3.1 255.255.255.255
!
interface Loopback2
 ip address 3.3.3.2 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 128.2.2.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
NY-FW. firewall transparent has to go in first, as changing the firewall mode clears the running configuration. Both interfaces join bridge-group 1 and the BVI gets the management address, which must sit in the bridged subnet (128.2.2.0/24):

firewall transparent
hostname NY-FW
!
interface GigabitEthernet0/0
 nameif Inside
 bridge-group 1
 security-level 100
!
interface GigabitEthernet0/1
 nameif Outside
 bridge-group 1
 security-level 0
!
interface BVI1
 ip address 128.2.2.254 255.255.255.0
!
ftp mode passive
!
access-list outside->in extended permit eigrp any any
access-list outside->in extended permit icmp any any
access-list outside->in extended permit ip any any
!
access-group outside->in in interface Inside
access-group outside->in in interface Outside
!
http server enable
http 0.0.0.0 0.0.0.0 Inside

Two caveats. The access list ends in permit ip any any, which makes the eigrp and icmp entries redundant and turns NY-FW into a pass-through bridge; that is fine for getting the lab back up, but note that in transparent mode the ASA only passes multicast such as EIGRP hellos (224.0.0.10) if an extended ACL permits it, so if the any-any line is tightened later the eigrp entry has to stay. And http 0.0.0.0 0.0.0.0 Inside opens ASDM to any address on the Inside side - fine in this lab, not anywhere else.
hostname NY1
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 128.2.2.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 ip address 198.240.3.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
MPLS Core
NY1 (PE). OSPF carries the loopbacks, LDP is auto-enabled on the OSPF interfaces, and a VPNv4 iBGP session goes to each of the other two PEs. Note that ip vrf forwarding removes the interface's IP address, so it is re-entered after it:

mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
router ospf 1
 router-id 2.2.2.2
 network 198.240.3.1 0.0.0.0 area 0
 network 2.2.2.2 0.0.0.0 area 0
 mpls ldp autoconfig
!
router bgp 1
 bgp router-id 2.2.2.2
 no bgp default ipv4-unicast
 neighbor 4.4.4.4 remote-as 1
 neighbor 4.4.4.4 update-source Loopback0
 neighbor 3.3.3.3 remote-as 1
 neighbor 3.3.3.3 update-source Loopback0
 !
 address-family vpnv4
  neighbor 4.4.4.4 activate
  neighbor 4.4.4.4 send-community extended
  neighbor 3.3.3.3 activate
  neighbor 3.3.3.3 send-community extended
 exit-address-family
!
ip vrf 802101
 rd 1:1
 route-target both 1:1
!
interface GigabitEthernet0/0
 ip vrf forwarding 802101
 ip address 128.2.2.1 255.255.255.0
!
router bgp 1
 address-family ipv4 vrf 802101
 exit-address-family
ISP (P router). It only label-switches, so it needs OSPF and LDP but no BGP; the 0.0.0.0 network statement enables OSPF on every interface:

hostname ISP
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 198.240.3.254 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 ip address 198.240.5.254 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/2
 ip address 198.240.1.254 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
router ospf 1
 router-id 1.1.1.1
 network 0.0.0.0 0.0.0.0 area 0
 mpls ldp autoconfig
LA1 (PE). Same pattern, with both firewall-facing subinterfaces placed in the VRF:

mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
router ospf 1
 router-id 4.4.4.4
 network 198.240.5.1 0.0.0.0 area 0
 network 4.4.4.4 0.0.0.0 area 0
 mpls ldp autoconfig
!
router bgp 1
 bgp router-id 4.4.4.4
 no bgp default ipv4-unicast
 neighbor 2.2.2.2 remote-as 1
 neighbor 2.2.2.2 update-source Loopback0
 neighbor 3.3.3.3 remote-as 1
 neighbor 3.3.3.3 update-source Loopback0
 !
 address-family vpnv4
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community extended
  neighbor 3.3.3.3 activate
  neighbor 3.3.3.3 send-community extended
 exit-address-family
!
ip vrf 802101
 rd 1:1
 route-target both 1:1
!
interface GigabitEthernet0/1.20
 ip vrf forwarding 802101
 ip address 198.250.20.1 255.255.255.0
!
interface GigabitEthernet0/1.30
 ip vrf forwarding 802101
 ip address 198.250.30.1 255.255.255.0
!
router bgp 1
 address-family ipv4 vrf 802101
 exit-address-family
LON1 (PE). Its Gi0/1 is the customer-facing interface and lives in the VRF:

hostname LON1
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 198.240.1.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
router ospf 1
 router-id 3.3.3.3
 network 198.240.1.1 0.0.0.0 area 0
 network 3.3.3.3 0.0.0.0 area 0
 mpls ldp autoconfig
!
router bgp 1
 bgp router-id 3.3.3.3
 no bgp default ipv4-unicast
 neighbor 2.2.2.2 remote-as 1
 neighbor 2.2.2.2 update-source Loopback0
 neighbor 4.4.4.4 remote-as 1
 neighbor 4.4.4.4 update-source Loopback0
 !
 address-family vpnv4
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community extended
  neighbor 4.4.4.4 activate
  neighbor 4.4.4.4 send-community extended
 exit-address-family
!
ip vrf 802101
 rd 1:1
 route-target both 1:1
!
interface GigabitEthernet0/1
 ip vrf forwarding 802101
 ip address 163.4.4.1 255.255.255.0
!
router bgp 1
 address-family ipv4 vrf 802101
 exit-address-family
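There is no route reflector in this core, so the three PEs have to form a full iBGP mesh, every session has to be activated under the vpnv4 address family with extended communities, and the VRF on each PE has to import the route-target the others export; miss any one of those and the VPN routes just never show up in show ip route vrf 802101, with no error anywhere. The following is an added example, not part of the original post or the lab files: a small Python check that parses PE configs in the shape shown above (keywords written out in full; it does not expand IOS abbreviations such as neigh or bo) and reports what is missing. The pe_config helper rebuilds the NY1/LA1/LON1 BGP and VRF stanzas from their router IDs and peers; the broken LON1 variant is constructed here to show a detection.

```python
"""Added example (not from the original post): consistency check for the
PE configs of an MPLS L3VPN with a full iBGP mesh.  Every PE must peer with
every other PE, activate it under `address-family vpnv4` with extended
communities, and its VRF must import the route-targets the others export."""
import re
from collections import defaultdict


def pe_config(router_id: str, peers, rt: str = "1:1") -> str:
    """Build a PE's BGP/VRF stanza in the same shape as NY1, LA1 and LON1 above."""
    nbr = "".join(f" neighbor {p} remote-as 1\n neighbor {p} update-source Loopback0\n"
                  for p in peers)
    af = "".join(f"  neighbor {p} activate\n  neighbor {p} send-community extended\n"
                 for p in peers)
    return (f"router bgp 1\n bgp router-id {router_id}\n no bgp default ipv4-unicast\n{nbr}"
            f" !\n address-family vpnv4\n{af} exit-address-family\n!\n"
            f"ip vrf 802101\n rd 1:1\n route-target both {rt}\n!\n")


def parse_pe(config: str) -> dict:
    """Extract router-id, neighbours, vpnv4 activation state and VRF route-targets."""
    pe = {"router_id": None, "neighbors": set(), "vpnv4": defaultdict(set), "vrfs": {}}
    in_vpnv4, vrf = False, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # any top-level line ends an `ip vrf` block
            vrf = None
        if m := re.fullmatch(r"bgp router-id (\S+)", line):
            pe["router_id"] = m.group(1)
        elif m := re.fullmatch(r"neighbor (\S+) remote-as \d+", line):
            pe["neighbors"].add(m.group(1))
        elif line.startswith("address-family vpnv4"):
            in_vpnv4 = True
        elif line == "exit-address-family":
            in_vpnv4 = False
        elif in_vpnv4 and (m := re.fullmatch(r"neighbor (\S+) (activate|send-community extended)", line)):
            pe["vpnv4"][m.group(1)].add(m.group(2))
        elif m := re.fullmatch(r"ip vrf (\S+)", line):   # fullmatch: skips `ip vrf forwarding X`
            vrf = pe["vrfs"].setdefault(m.group(1), {"import": set(), "export": set()})
        elif vrf is not None and (m := re.fullmatch(r"route-target (both|import|export) (\S+)", line)):
            kind, target = m.groups()
            for k in (("import", "export") if kind == "both" else (kind,)):
                vrf[k].add(target)
    return pe


def check_mesh(pes: list) -> list:
    """Return human-readable problems; an empty list means the mesh is consistent."""
    problems = []
    ids = {pe["router_id"] for pe in pes}
    for pe in pes:
        me = pe["router_id"]
        for other in sorted(ids - {me}):
            if other not in pe["neighbors"]:
                problems.append(f"{me}: no iBGP neighbor {other}")
            elif pe["vpnv4"][other] != {"activate", "send-community extended"}:
                problems.append(f"{me}: neighbor {other} not fully activated for vpnv4")
    # For this any-to-any VRF, every export RT must be imported by the same VRF on every other PE.
    for pe in pes:
        for name, rts in pe["vrfs"].items():
            for other in pes:
                if other is pe:
                    continue
                imported = other["vrfs"].get(name, {}).get("import", set())
                missing = rts["export"] - imported
                if missing:
                    problems.append(f"{other['router_id']}: vrf {name} does not import "
                                    f"{sorted(missing)} exported by {pe['router_id']}")
    return problems


# The three PEs of the lab, same peers and route-target as the configs above.
LAB_PES = [parse_pe(pe_config("2.2.2.2", ["4.4.4.4", "3.3.3.3"])),
           parse_pe(pe_config("4.4.4.4", ["2.2.2.2", "3.3.3.3"])),
           parse_pe(pe_config("3.3.3.3", ["2.2.2.2", "4.4.4.4"]))]

# Constructed fault: LON1 forgets `send-community extended` towards NY1, so LON1's
# VPN routes reach NY1 without a route-target and are never imported into the VRF.
BROKEN_LON1 = pe_config("3.3.3.3", ["2.2.2.2", "4.4.4.4"]).replace(
    "  neighbor 2.2.2.2 send-community extended\n", "")
BROKEN_PES = LAB_PES[:2] + [parse_pe(BROKEN_LON1)]

if __name__ == "__main__":
    print("lab:", check_mesh(LAB_PES) or "ok")
    print("broken LON1:", check_mesh(BROKEN_PES))
```

Run it as is and the lab configuration comes back clean while the broken variant names the PE and neighbour at fault; feeding it a PE whose VRF exports a different route-target (pe_config(..., rt="1:2")) reports the import mismatch from both sides, which is exactly the symptom of a one-way-only VPN.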
The last step is to do some redistribution, so that our end points (what we have so far) can all talk to each other.
IGPs and redistribution into MPLS
NY2 (CE), classic-mode EIGRP:

router eigrp 100
 network 3.3.3.0 0.0.0.0
 network 3.3.3.1 0.0.0.0
 network 3.3.3.2 0.0.0.0
 network 128.2.2.2 0.0.0.0
 eigrp router-id 3.3.3.0
NY1 (PE), named-mode EIGRP inside the VRF. The process name is local; what has to match NY2 is autonomous-system 100. BGP is redistributed into EIGRP under the base topology, and EIGRP back into the VRF address family of BGP:

router eigrp NY
 !
 address-family ipv4 unicast vrf 802101 autonomous-system 100
  !
  topology base
   redistribute bgp 1 metric 1000 10 100 1 1500
  exit-af-topology
  network 128.2.2.1 0.0.0.0
 exit-address-family
!
router bgp 1
 address-family ipv4 vrf 802101
  redistribute eigrp 100 metric 1
 exit-address-family
LA1 (PE). The two static routes point the 20.x inside subnets at the firewall contexts and are redistributed along with EIGRP:

ip route vrf 802101 20.5.5.0 255.255.255.0 198.250.20.2
ip route vrf 802101 20.6.6.0 255.255.255.0 198.250.30.2
!
router eigrp LA
 !
 address-family ipv4 unicast vrf 802101 autonomous-system 300
  !
  topology base
   redistribute bgp 1 metric 1000 10 100 1 1500
  exit-af-topology
  network 198.250.20.0
  network 198.250.30.0
 exit-address-family
!
router bgp 1
 address-family ipv4 vrf 802101
  redistribute eigrp 300 metric 1
  redistribute static metric 1
 exit-address-family
LON1 (PE):

router eigrp LON
 !
 address-family ipv4 unicast vrf 802101 autonomous-system 200
  !
  topology base
   redistribute bgp 1 metric 1000 10 100 1 1500
  exit-af-topology
  network 163.4.4.0 0.0.0.255
 exit-address-family
!
router bgp 1
 address-family ipv4 vrf 802101
  redistribute eigrp 200 metric 1
 exit-address-family
We don't really need EIGRP on LA1: LA-FW is running ASA 8.4 in multiple-context mode, which does not support dynamic routing protocols, so there is nothing on the other end to peer with and redistributing the static routes is enough. One thing to bear in mind if you do drop it: the EIGRP network statements are currently what gets the connected 198.250.20.0/24 and 198.250.30.0/24 subnets into BGP, and those are the subnets the NAT addresses live on, so they would then have to be redistributed into BGP some other way. The static routes for 20.5.5.0/24 and 20.6.6.0/24 we really don't need either, as those networks will be hidden behind NAT on the contexts. So take them or leave them!
Still missing a few bits, such as ACLs on the LA-FW. So, while we are on a good run, let's just save the work so far, and add those in. This is for the C1 context:
object-group network INSIDE-NAT-SUBNETS
 network-object 20.5.5.0 255.255.255.0
 network-object 20.5.10.0 255.255.255.0
 network-object 20.5.20.0 255.255.255.0
!
access-list outside->in extended permit ip any any
access-list outside->in extended permit icmp any any
access-list outside->in extended permit icmp any any echo-reply
access-group outside->in in interface Outside
!
nat (Inside,Outside) after-auto source dynamic INSIDE-NAT-SUBNETS interface

And this is for the C2 context:
object-group network INSIDE-NAT-SUBNETS
 network-object 20.6.5.0 255.255.255.0
 network-object 20.6.10.0 255.255.255.0
 network-object 20.6.20.0 255.255.255.0
!
access-list outside->in extended permit ip any any
access-list outside->in extended permit icmp any any
access-list outside->in extended permit icmp any any echo-reply
access-group outside->in in interface Outside
!
nat (Inside,Outside) after-auto source dynamic INSIDE-NAT-SUBNETS interface

Two things to note here. ASA access lists are first-match, and the first entry is permit ip any any, so the two icmp lines below it are never evaluated; in the lab that is harmless, but the inbound ACL on Outside is the whole point of the firewall, so in anything real start with the specific permits and let the implicit deny do the rest. The nat line is 8.3+ syntax: after-auto puts the rule in section 3, after any object NAT, and interface means dynamic PAT to the Outside address, 198.250.20.2 for C1 and 198.250.30.2 for C2. That is why the MPLS core only ever needs to know about the 198.250.x subnets and never about 20.x.

We can test connectivity now:
LA2#ping 3.3.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/17/32 ms
LA2#

LA3#ping 3.3.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/16/20 ms
LA3#

NY2#ping 163.4.4.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 163.4.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/9/13 ms
NY2#

Excellent, all seems to be working again.
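One more check before moving on, because the access lists on C1, C2 and NY-FW all have the same shape: a permit ip any any sitting next to more specific entries. The following is an added example, not part of the original post or the lab files: a small Python checker that parses the flat ASA syntax used above (access-list NAME extended permit|deny PROTO SRC DST [icmp-type], with any, host A.B.C.D and A.B.C.D MASK address forms; ports and object-groups are not handled), then reports entries that are shadowed by an earlier broader one, entries made redundant by a later broader one with the same action, and http/ssh management opened to 0.0.0.0 0.0.0.0. The C1_ACL and NY_FW_ACL inputs are copied from the configs above; everything else is assumed for the example.

```python
"""Added example (not from the original post): shadow/redundancy checker for
the flat ASA access-list syntax used in this lab, plus a check for management
opened to any source.  ASA ACLs are first-match, so an ACE that sits below a
broader ACE never fires."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The C1 context ACL and the NY-FW ACL exactly as they appear above.
C1_ACL = """\
access-list outside->in extended permit ip any any
access-list outside->in extended permit icmp any any
access-list outside->in extended permit icmp any any echo-reply
access-group outside->in in interface Outside
"""
NY_FW_ACL = """\
access-list outside->in extended permit eigrp any any
access-list outside->in extended permit icmp any any
access-list outside->in extended permit ip any any
http server enable
http 0.0.0.0 0.0.0.0 Inside
"""


@dataclass(frozen=True)
class Ace:
    line: int
    name: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    icmp_type: Optional[str]   # None means any ICMP type (or a non-ICMP protocol)


def _addr(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one address spec (any | host A | A MASK); return it and the remaining tokens."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(config: str) -> List[Ace]:
    """Pull the extended ACEs out of a config; other lines (access-group, http...) are skipped."""
    aces = []
    for n, raw in enumerate(config.splitlines(), 1):
        t = raw.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue
        src, rest = _addr(t[5:])
        dst, rest = _addr(rest)
        icmp_type = rest[0] if t[4] == "icmp" and rest else None
        aces.append(Ace(n, t[1], t[3], t[4], src, dst, icmp_type))
    return aces


def covers(a: Ace, b: Ace) -> bool:
    """Every packet that matches b also matches a."""
    return ((a.proto == "ip" or a.proto == b.proto)
            and (a.icmp_type is None or a.icmp_type == b.icmp_type)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst))


def overlaps(a: Ace, b: Ace) -> bool:
    """Some packet could match both a and b."""
    return (("ip" in (a.proto, b.proto) or a.proto == b.proto)
            and (None in (a.icmp_type, b.icmp_type) or a.icmp_type == b.icmp_type)
            and a.src.overlaps(b.src) and a.dst.overlaps(b.dst))


def analyse(aces: List[Ace]) -> Tuple[List[int], List[int]]:
    """Return (shadowed, redundant) config line numbers, evaluated per ACL name."""
    shadowed, redundant = [], []
    for b in aces:
        same = [a for a in aces if a.name == b.name]
        if any(a.line < b.line and covers(a, b) for a in same):
            shadowed.append(b.line)            # an earlier ACE always wins: b never fires
            continue
        for a in (x for x in same if x.line > b.line):
            if a.action == b.action and covers(a, b):
                between = [x for x in same if b.line < x.line < a.line]
                # b can be removed only if nothing between b and a would flip the decision
                if all(x.action == b.action or not overlaps(x, b) for x in between):
                    redundant.append(b.line)
                break
    return shadowed, redundant


def wide_open_management(config: str) -> List[int]:
    """Line numbers that allow http (ASDM) or ssh management from any source address."""
    return [n for n, raw in enumerate(config.splitlines(), 1)
            if raw.split()[:3] in (["http", "0.0.0.0", "0.0.0.0"], ["ssh", "0.0.0.0", "0.0.0.0"])]


if __name__ == "__main__":
    for label, cfg in (("C1", C1_ACL), ("NY-FW", NY_FW_ACL)):
        sh, red = analyse(parse_acl(cfg))
        print(f"{label}: shadowed {sh}, redundant {red}, any-source mgmt {wide_open_management(cfg)}")
```

On the C1 list it reports lines 2 and 3 as shadowed (the any-any at the top eats everything), on NY-FW it reports lines 1 and 2 as redundant (the any-any at the bottom would have matched anyway) and line 5 as wide-open management; the same logic tells you when a specific permit above a deny is not removable, because the intervening deny overlaps it.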
This is what the lab looks like at the moment:
You can find the topology file under the Security link on the "Labs" drop down menu at the top.