CCNP: Implementing Secure Converged Wide-area Networks v5.0 - Case Study 2
Copyright
© 2007, Cisco Systems, Inc
Case Study 2: SDM
Instructions
Implement the International Travel Agency network shown in the topology
diagram using the information and instructions in the scenario. Verify that all
configurations are operational and functioning according to the guidelines.
Topology Diagram
Scenario
The International Travel Agency has decided to extend its offices to a new
branch location using its existing network tunnel. The CIO has chosen to use a
secure generic routing encapsulation (GRE) tunnel to connect the branch office
to its headquarters office. The tunnel will terminate at the headquarters end on
a Cisco router with the firewall feature set.
Demonstrate that this configuration allows routing between sites and secures
intranet traffic as it traverses the service provider’s domain. Implement the
security policies defined below on both the FW router and the BRANCH router.
Use the Cisco Security Device Manager (SDM) to configure the security tasks
except where noted below.
Using the Cisco IOS CLI:
• Configure all interfaces using the addressing scheme shown in the topology
diagram.
• Configure HQ, FW, and BRANCH to run Enhanced Interior Gateway Routing
Protocol (EIGRP) in AS 1. (Until the tunnel is created, BRANCH will not have
any EIGRP adjacencies.)
• Add the major 172.16.0.0 network to EIGRP and disable automatic
summarization.
• Configure a static default route on FW towards ISP, and redistribute this into
EIGRP.
• Configure a static default route on BRANCH toward ISP.
• Create a static route on ISP for 172.16.0.0/16 toward FW.
• After configuring the static routes, make sure you can ping between FW and
BRANCH.
• Configure the host with the IP address shown in the topology diagram and
make FW its default gateway.
• Configure FW and BRANCH for SDM access from the host.
Using Cisco SDM:
• Create a secure GRE tunnel between FW and BRANCH using IPsec.
• Use the addressing shown on the diagram for the tunnel addressing.
• Run EIGRP across the tunnel.
• You should use the tunnel wizard to configure one end of the tunnel, and
generate a mirror configuration using Cisco SDM for the other end. You may
use the command-line interface (CLI) to implement the mirror tunnel
configuration on BRANCH.
• Apply any encryption algorithms desired for the secure GRE tunnel.
• Configure FW as a firewall using the basic firewall wizard. Assign the
interface facing the ISP router to be the outside interface. Trust traffic from all
other interfaces.
• If SDM does not automatically allow IPsec traffic through the firewall, explicitly
allow it.
• Use the SDM IPS wizard to configure BRANCH to enable the intrusion
prevention system (IPS) on the ingress interface facing the ISP router.
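The BRANCH end of the secure GRE tunnel, written as the CLI mirror configuration the scenario permits instead of SDM's generated output (an added example, not part of the case study). Because the topology diagram is not reproduced here, the interface names, the 203.0.113.x public addresses, the 172.16.100.0/30 tunnel subnet, the ISP next hop and the pre-shared key placeholder are all assumptions.

```cisco
! Assumed addressing (hypothetical; substitute the values from the diagram):
!   BRANCH Serial0/0/0 toward ISP : 203.0.113.2/30, ISP next hop 203.0.113.1
!   FW public address             : 203.0.113.6
!   Tunnel0 BRANCH / FW           : 172.16.100.2 / 172.16.100.1 (/30)
!
! IKE phase 1: pre-shared key, as the SDM tunnel wizard also offers
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-STRONG-KEY address 203.0.113.6
!
! IKE phase 2: transform set protecting the whole GRE packet
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Only GRE between the two public endpoints is "interesting" traffic,
! so LAN-to-LAN packets are encrypted once, inside the GRE tunnel
ip access-list extended GRE-TO-FW
 permit gre host 203.0.113.2 host 203.0.113.6
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 203.0.113.6
 set transform-set GRE-TS
 match address GRE-TO-FW
!
interface Tunnel0
 ip address 172.16.100.2 255.255.255.252
 tunnel source Serial0/0/0
 tunnel destination 203.0.113.6
 ip mtu 1400
 ip tcp adjust-mss 1360
!
interface Serial0/0/0
 ip address 203.0.113.2 255.255.255.252
 crypto map GRE-MAP
!
! EIGRP AS 1 covers the tunnel subnet (172.16.x) but not the 203.0.113.0
! link, so the tunnel destination is never learned through the tunnel itself
router eigrp 1
 network 172.16.0.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

After applying the mirror configuration, `show crypto isakmp sa`, `show crypto ipsec sa` and `show ip eigrp neighbors` confirm in turn that phase 1 is up, that packets are being encrypted and decrypted, and that BRANCH has formed its EIGRP adjacency with FW across the tunnel.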