!************************************************
!* *
!* Lab 2 Final Solutions for all Devices *
!* *
!************************************************
!********************************
!* *
!* R1 Final Solution Config *
!* *
!********************************
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): every password on this device is stored and displayed in cleartext.
! 'service password-encryption' would only type-7 obfuscate them; 'enable secret' is the real fix.
no service password-encryption
!
hostname R1
no logging console
! NOTE(review): reversible 'enable password'. With 'no aaa new-model' below this is also the only
! credential protecting the HTTP server enabled further down.
enable password cisco
no aaa new-model
! NOTE(review): IP source routing left enabled; 'no ip source-route' is the usual hardening default.
ip source-route
ip cef
no ip domain lookup
ip domain name cisco.com
ip multicast-routing
! NOTE(review): exec command, not config. Generates the RSA pair used for the GDOI group below;
! 'exportable' allows the private key to leave the device - drop it unless the key must be copied.
crypto key generate rsa exportable label dmvpn_gdoi
! IOS IPS: signature package on flash, SDEE notification, one retry on load.
ip ips config location flash:ips5/ retries 1
ip ips notify SDEE
ip ips name myIOSipsV5
!
! Retire everything, then un-retire only the 'ios_ips basic' category.
ip ips signature-category
category all
retired true
category ios_ips basic
retired false
!
!
! NOTE(review): 3DES / DH group 2 are legacy. The wildcard PSK 'cisco' (0.0.0.0/0) is accepted
! from ANY peer address, so anyone who knows it can complete IKE phase 1 with this router.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
! Group member of GDOI group 2; the key server is R6 (10.6.6.6).
crypto gdoi group dmvpn_gdoi
identity number 2
server address ipv4 10.6.6.6
!
!
crypto map dmvpn_using_gdoi local-address Loopback0
crypto map dmvpn_using_gdoi 10 gdoi
set group dmvpn_gdoi
!
!
! Cisco's published public key used to verify signed IOS IPS signature packages (not a secret).
crypto key pubkey-chain rsa
named-key realm-cisco.pub signature
key-string
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
quit
!
! Protocol header definition files required by the FPM class-maps below.
load protocol ip.phdf
load protocol udp.phdf
!
ip tcp synwait-time 5
! NOTE(review): SSH restricted to version 1, which is deprecated; the VTY lines below only accept
! telnet anyway, so SSH is not actually reachable on this router.
ip ssh version 1
!
! FPM match: UDP dst port 0x45 (69, TFTP), 4 bytes at L3 offset 50 == 0x20A29010, IP length > 0x192 (402).
class-map type access-control match-all W32-Blaster
description "Match W32.Blaster worm packets"
match field UDP dest-port eq 0x45
match start l3-start offset 50 size 4 eq 0x20A29010
match field IP length gt 0x192
! Stack class: IP protocol 0x11 (UDP) so FPM can parse the UDP header of the packet.
class-map type stack match-all udp_protocol
description "Match UDP over IP packets"
match field IP protocol eq 0x11 next UDP
!
!
policy-map type access-control drop-W32-Blaster
description "Policy for UDP based W32.Blaster worm attack"
class W32-Blaster
drop
! Outer policy applied to Gi0/1 input; nests the drop policy under the UDP stack class.
policy-map type access-control fpm-policy
description "drop W32.Blaster worm packets"
class udp_protocol
service-policy drop-W32-Blaster
!
!
interface Loopback0
ip address 10.1.1.1 255.255.255.0
!
interface Loopback11
ip address 10.11.11.11 255.255.255.255
!
! DMVPN hub (mGRE, NHRP server-only, EIGRP split-horizon off, PIM NBMA mode).
! NOTE(review): 'ip nhrp authentication cisco' is a cleartext string carried in NHRP, not a secret.
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 2
ip pim dr-priority 10
ip pim nbma-mode
ip pim sparse-dense-mode
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp network-id 2
ip nhrp server-only
no ip split-horizon eigrp 2
no ip mroute-cache
delay 1500
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 2
!
! NOTE(review): unlike Gi0/1 there is no 'no shutdown' here - presumably already up from the initial config.
interface GigabitEthernet0/0
ip address 192.168.3.11 255.255.255.0
ip pim sparse-dense-mode
ip ips myIOSipsV5 in
ip ips myIOSipsV5 out
! CAR: ISAKMP destined to Loopback0 (ACL 101) limited to 32 kbps, excess dropped.
rate-limit input access-group 101 32000 6000 12000 conform-action transmit exceed-action drop
! GDOI crypto map on the physical interface; the traffic policy (GRE) comes from the key server.
crypto map dmvpn_using_gdoi
!
interface GigabitEthernet0/1
ip address 192.168.2.11 255.255.255.0
service-policy type access-control input fpm-policy
no shutdown
!
router eigrp 2
network 10.11.11.11 0.0.0.0
network 172.16.1.0 0.0.0.255
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.2.1
ip route 10.2.2.0 255.255.255.0 192.168.3.2
ip route 10.3.3.0 255.255.255.0 192.168.3.3
ip route 10.4.4.0 255.255.255.0 192.168.3.2
ip route 10.5.5.0 255.255.255.0 192.168.3.2
ip route 10.6.6.0 255.255.255.0 192.168.3.2
ip route 10.7.7.0 255.255.255.0 192.168.3.2
ip route 10.8.8.0 255.255.255.0 192.168.3.3
ip route 192.168.0.0 255.255.0.0 192.168.3.2
! NOTE(review): cleartext HTTP management is on and HTTPS is off; it authenticates with the
! enable password only (no AAA). Disable it or switch to 'ip http secure-server'.
ip http server
no ip http secure-server
!
access-list 101 permit udp any host 10.1.1.1 eq isakmp
!
!
! NOTE(review): 'exec-timeout 0 0' disables idle logout on every line; AUX and VTY accept
! telnet (cleartext) protected only by a shared line password. Lab convenience, not production.
line con 0
exec-timeout 0 0
password cisco
logging synchronous
login
line aux 0
exec-timeout 0 0
password cisco
logging synchronous
login
transport input telnet
line vty 0 4
exec-timeout 0 0
password cisco
logging synchronous
login
transport input telnet
!
end
!********************************
!* *
!* R2 Final Solution Config *
!* *
!********************************
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): passwords stored and displayed in cleartext; prefer 'enable secret' / 'username ... secret'.
no service password-encryption
!
hostname R2
no logging console
! NOTE(review): reversible 'enable password'; 'enable secret' would hash it.
enable password cisco
! AAA: named lists only, used by the EzVPN server profile below (XAUTH and group authorization
! against the local database). No 'default' login list is defined, so console/VTY presumably
! fall back to the local username; the line 'password cisco' entries below are then unused.
aaa new-model
aaa authentication login ezvpn local
aaa authorization network ezvpn local
!
ip source-route
ip cef
no ip domain lookup
ip domain name cisco.com
no ipv6 cef
!
! NOTE(review): type-0 (cleartext) privilege-15 credential used for XAUTH and for login.
username cisco privilege 15 password 0 cisco
! IOS resilient configuration: hides a copy of the image and running-config on flash.
! Per Cisco docs it can only be disabled from a console session.
secure boot-image
secure boot-config
!
! NOTE(review): 3DES / DH group 2 are legacy; wildcard PSK 'cisco' is accepted from any peer.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
! EzVPN server: group 'cisco' with group key 'cisco' (cleartext), addresses from 'mypool'.
crypto isakmp client configuration group cisco
key cisco
domain cisco.com
pool mypool
! XAUTH via list 'ezvpn' (local), mode-config pushed on client request, DVTI spawned from Virtual-Template1.
crypto isakmp profile ezvpn_dvti
match identity group cisco
client authentication list ezvpn
isakmp authorization list ezvpn
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ezvpn_trans esp-3des esp-sha-hmac
!
crypto ipsec profile ezvpn_dvti
set transform-set ezvpn_trans
set isakmp-profile ezvpn_dvti
!
!
ip tcp synwait-time 5
!
! Undo commands from an earlier attempt so the script re-applies cleanly; harmless if absent.
no policy-map drop23
no class-map match-any drop23
!
! Drops telnet that arrives already marked DSCP 1 (see the 'mark23' policy on R6).
class-map match-all drop23
match protocol telnet
match ip dscp 1
!
!
policy-map drop23
class drop23
drop
!
!
interface Loopback0
ip address 10.2.2.2 255.255.255.0
!
interface GigabitEthernet0/0
ip address 192.168.3.2 255.255.255.0
no shutdown
!
interface GigabitEthernet0/1
ip address 192.168.4.2 255.255.255.0
service-policy input drop23
! Undo of an earlier output attachment; only the input direction is active.
no service-policy output drop23
no shutdown
!
! Dynamic VTI template for EzVPN clients; tunnel source is Loopback0 (10.2.2.2), the peer R4 uses.
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel source Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile ezvpn_dvti
!
ip local pool mypool 10.20.20.1 10.20.20.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.4.10
ip route 10.1.1.0 255.255.255.0 192.168.3.11
ip route 192.168.2.0 255.255.255.0 192.168.3.11
no ip http server
no ip http secure-server
!
!
! NOTE(review): ACL 101 is defined but not referenced anywhere in this config.
access-list 101 permit tcp any any eq telnet
!
! NOTE(review): no idle timeout; AUX and VTY accept cleartext telnet.
line con 0
exec-timeout 0 0
password cisco
logging synchronous
line aux 0
exec-timeout 0 0
password cisco
logging synchronous
transport input telnet
line vty 0 4
exec-timeout 0 0
password cisco
logging synchronous
transport input telnet
!
end
!********************************
!* *
!* R3 Final Solution Config *
!* *
!********************************
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): passwords stored and displayed in cleartext; prefer 'enable secret'.
no service password-encryption
!
hostname R3
!
! NOTE(review): reversible 'enable password'; also the only credential in front of 'ip http server' below.
enable password cisco
!
no aaa new-model
ip source-route
ip cef
no ip domain lookup
ip domain name cisco.com
ip multicast-routing
no ipv6 cef
!
! NOTE(review): exec command, not config. 'exportable' lets the private key leave the device.
crypto key generate rsa exportable label dmvpn_gdoi
!
! NOTE(review): 3DES / DH group 2 are legacy; wildcard PSK 'cisco' is accepted from any peer address.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
! GDOI group member; key server R6 (10.6.6.6).
crypto gdoi group dmvpn_gdoi
identity number 2
server address ipv4 10.6.6.6
!
!
crypto map dmvpn_using_gdoi local-address Loopback0
crypto map dmvpn_using_gdoi 10 gdoi
set group dmvpn_gdoi
!
ip tcp synwait-time 5
! NOTE(review): SSHv1 only (deprecated); VTY lines below accept telnet only, so SSH is unreachable anyway.
ip ssh version 1
!
! Control-plane port filter: drop packets destined to TCP/UDP ports the router is not listening on.
class-map type port-filter match-all myclassmap
match closed-ports
!
!
policy-map type port-filter mypolicymap
class myclassmap
drop
!
!
interface Loopback0
ip address 10.3.3.3 255.255.255.0
!
interface Loopback11
ip address 10.33.33.33 255.255.255.255
!
! DMVPN spoke: static NHRP mapping to hub R1 (172.16.1.1 -> 10.1.1.1).
! NOTE(review): 'ip nhrp authentication cisco' is a cleartext NHRP string, not a secret.
interface Tunnel0
ip address 172.16.1.3 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 2
ip pim sparse-dense-mode
ip nhrp authentication cisco
ip nhrp map 172.16.1.1 10.1.1.1
ip nhrp map multicast 10.1.1.1
ip nhrp network-id 2
ip nhrp nhs 172.16.1.1
ip nhrp registration no-unique
no ip split-horizon eigrp 2
no ip mroute-cache
load-interval 30
delay 2000
qos pre-classify
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 2
!
interface GigabitEthernet0/0
ip address 192.168.3.3 255.255.255.0
! PBR: TCP/4444 packets of exactly 100 bytes are sent to Null0 (see route-map drop4444-pbr).
ip policy route-map drop4444-pbr
crypto map dmvpn_using_gdoi
no shutdown
!
interface GigabitEthernet0/1
ip address 192.168.5.3 255.255.255.0
crypto map dmvpn_using_gdoi
no shutdown
!
router eigrp 2
network 10.33.33.33 0.0.0.0
network 172.16.1.0 0.0.0.255
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 192.168.5.10
ip route 10.1.1.0 255.255.255.0 192.168.3.11
ip route 10.11.11.0 255.255.255.0 Tunnel0
ip route 10.33.33.0 255.255.255.0 Tunnel0
! NOTE(review): cleartext HTTP management on, HTTPS off, authenticated by the enable password only.
ip http server
no ip http secure-server
!
!
ip mroute 10.1.1.1 255.255.255.255 172.16.1.1
access-list 101 permit tcp any any eq 4444
!
!
! NOTE(review): 'match length 100 100' makes this an exact-length match only; other sizes of
! TCP/4444 traffic fall through to sequence 20 and are routed normally.
route-map drop4444-pbr permit 10
match ip address 101
match length 100 100
set interface Null0
!
route-map drop4444-pbr permit 20
!
!
control-plane host
service-policy type port-filter input mypolicymap
!
!
control-plane
!
!
! NOTE(review): no idle timeout on any line; AUX and VTY accept cleartext telnet with a shared password.
line con 0
exec-timeout 0 0
password cisco
logging synchronous
login
line aux 0
exec-timeout 0 0
password cisco
logging synchronous
login
transport input telnet
line vty 0 4
exec-timeout 0 0
password cisco
logging synchronous
login
transport input telnet
!
end
!********************************
!* *
!* R4 Final Solution Config *
!* *
!********************************
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): passwords stored and displayed in cleartext; prefer 'enable secret'.
no service password-encryption
!
hostname R4
no logging console
! NOTE(review): reversible 'enable password'.
enable password cisco
!
no aaa new-model
ip source-route
ip cef
!
no ip domain lookup
ip domain name cisco.com
! CBAC: treat TCP/8080 as HTTP, half-open thresholds, inspect tcp/udp/icmp/http.
! Java applets are only permitted from hosts in ACL 1 (see below).
ip port-map http port tcp 8080
ip inspect max-incomplete low 200
ip inspect max-incomplete high 300
ip inspect tcp max-incomplete host 100 block-time 0
ip inspect name mycbac tcp
ip inspect name mycbac udp
ip inspect name mycbac icmp
ip inspect name mycbac http java-list 1
no ipv6 cef
!
frame-relay switching
!
!
! NOTE(review): 3DES / DH group 2 are legacy; wildcard PSK 'cisco' is accepted from any peer address.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set L2L_trans esp-3des esp-sha-hmac
!
crypto ipsec profile L2L_VTI
set transform-set L2L_trans
!
!
!
! EzVPN client to R2 (10.2.2.2). NOTE(review): group key and XAUTH password are stored in
! cleartext here; 'no peer 192.168.4.2' is an undo of an earlier peer setting.
crypto ipsec client ezvpn ezvpn_dvti
connect auto
group cisco key cisco
local-address Loopback0
mode client
no peer 192.168.4.2
peer 10.2.2.2
username cisco password cisco
xauth userid mode interactive
!
ip tcp synwait-time 5
!
!
!
!
interface Loopback0
ip address 10.4.4.4 255.255.255.0
!
interface Loopback45
ip address 45.45.4.1 255.255.255.0
!
! Static VTI to R5 (192.168.45.5) protected by L2L_VTI; RIP runs over it.
interface Tunnel45
ip address 100.1.1.1 255.255.255.0
tunnel source GigabitEthernet0/1
tunnel destination 192.168.45.5
tunnel mode ipsec ipv4
tunnel protection ipsec profile L2L_VTI
!
! Inside of the CBAC firewall: ACL 101 admits only ICMP and OSPF unsolicited; CBAC 'out'
! opens dynamic holes for return traffic of sessions initiated through this interface.
interface GigabitEthernet0/0
ip address 192.168.41.1 255.255.255.0
ip access-group 101 in
no ip unreachables
ip inspect mycbac out
crypto ipsec client ezvpn ezvpn_dvti inside
no shutdown
!
interface GigabitEthernet0/1
ip address 192.168.45.4 255.255.255.0
! Undo from an earlier task: ACL 102 (blocking ISAKMP from R5) is no longer applied.
no ip access-group 102 in
no shutdown
!
! Back-to-back Frame Relay to R6; this side is DCE and supplies clocking.
interface Serial0/0/0
ip address 192.168.64.4 255.255.255.0
encapsulation frame-relay
ip ospf network point-to-point
no fair-queue
clock rate 2000000
frame-relay map ip 192.168.64.6 64 broadcast
frame-relay intf-type dce
crypto ipsec client ezvpn ezvpn_dvti outside
no shutdown
!
router ospf 1
log-adjacency-changes
network 10.4.4.0 0.0.0.255 area 0
network 192.168.41.0 0.0.0.255 area 0
network 192.168.45.0 0.0.0.255 area 0
network 192.168.64.0 0.0.0.255 area 0
!
router rip
version 2
network 45.45.4.0
network 100.0.0.0
no auto-summary
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
! NOTE(review): ACL 1 is the Java 'friendly site' list. 198.168.10.25 looks like a typo for a
! 192.168.x address but may be intentional - verify against the lab task.
access-list 1 permit 198.168.10.25
access-list 101 permit icmp any any
access-list 101 permit ospf any any
access-list 102 deny udp host 192.168.45.5 host 192.168.45.4 eq isakmp
access-list 102 permit ip any any
!
!
!
! NOTE(review): no idle timeout on any line; AUX and VTY accept cleartext telnet with a shared password.
line con 0
exec-timeout 0 0
password cisco
logging synchronous
login
line aux 0
exec-timeout 0 0
password cisco
logging synchronous
login
transport input telnet
line vty 0 4
exec-timeout 0 0
password cisco
logging synchronous
login
transport input telnet
!
end
!********************************
!* *
!* R5 Final Solution Config *
!* *
!********************************
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): passwords stored and displayed in cleartext; prefer 'enable secret'.
no service password-encryption
!
hostname R5
!
no logging buffered
! NOTE(review): reversible 'enable password'.
enable password cisco
!
! AAA: VTY login and exec/command (level 5) authorization go to TACACS+ only - there is no local
! fallback, so the VTYs lock out if the ACS (192.168.2.14) is unreachable. 'noauthen none' is
! bound to the console below and bypasses authentication entirely (lab safety net).
aaa new-model
aaa authentication login myauthen group tacacs+
aaa authentication login noauthen none
aaa authorization exec myexecauthor group tacacs+
aaa authorization commands 5 mycommandauthor group tacacs+
!
!
ip source-route
ip cef
!
!
no ip domain lookup
ip domain name cisco.com
ip multicast-routing
no ipv6 cef
!
frame-relay switching
!
!
! NOTE(review): exec command, not config. 'exportable' lets the private key leave the device.
crypto key generate rsa exportable label dmvpn_gdoi
!
! NOTE(review): 3DES / DH group 2 are legacy; wildcard PSK 'cisco' is accepted from any peer address.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set L2L_trans esp-3des esp-sha-hmac
!
crypto ipsec profile L2L_VTI
set transform-set L2L_trans
!
! GDOI group member; key server R6 (10.6.6.6).
crypto gdoi group dmvpn_gdoi
identity number 2
server address ipv4 10.6.6.6
!
!
crypto map dmvpn_using_gdoi local-address Loopback0
crypto map dmvpn_using_gdoi 10 gdoi
set group dmvpn_gdoi
!
!
!
ip tcp synwait-time 5
! NOTE(review): SSHv1 only (deprecated); VTY lines accept telnet only, so SSH is unreachable anyway.
ip ssh version 1
!
!
!
!
interface Loopback0
ip address 10.5.5.5 255.255.255.0
no ip redirects
!
interface Loopback11
ip address 10.55.55.55 255.255.255.255
!
interface Loopback45
ip address 45.45.5.1 255.255.255.0
!
! DMVPN spoke: static NHRP mapping to hub R1 (172.16.1.1 -> 10.1.1.1).
! NOTE(review): 'ip nhrp authentication cisco' is a cleartext NHRP string, not a secret.
interface Tunnel0
ip address 172.16.1.5 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 2
ip pim sparse-dense-mode
ip nhrp authentication cisco
ip nhrp map 172.16.1.1 10.1.1.1
ip nhrp map multicast 10.1.1.1
ip nhrp network-id 2
ip nhrp nhs 172.16.1.1
ip nhrp registration no-unique
no ip split-horizon eigrp 2
no ip mroute-cache
load-interval 30
delay 2000
qos pre-classify
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 2
!
! Static VTI to R4 (192.168.45.4) protected by L2L_VTI; RIP runs over it.
interface Tunnel45
ip address 100.1.1.2 255.255.255.0
tunnel source GigabitEthernet0/0
tunnel destination 192.168.45.4
tunnel mode ipsec ipv4
tunnel protection ipsec profile L2L_VTI
!
interface GigabitEthernet0/0
ip address 192.168.45.5 255.255.255.0
no shutdown
!
interface GigabitEthernet0/1
ip address 192.168.52.1 255.255.255.0
no shutdown
!
! Back-to-back Frame Relay to R6 (this side DCE); GDOI crypto map encrypts GRE toward the hub.
interface Serial0/0/1
ip address 192.168.65.5 255.255.255.0
encapsulation frame-relay
ip ospf network point-to-point
clock rate 2000000
frame-relay map ip 192.168.65.6 65 broadcast
frame-relay intf-type dce
crypto map dmvpn_using_gdoi
no shutdown
!
router eigrp 2
network 10.55.55.55 0.0.0.0
network 172.16.1.0 0.0.0.255
no auto-summary
!
router ospf 1
log-adjacency-changes
network 10.5.5.0 0.0.0.255 area 0
network 192.168.45.0 0.0.0.255 area 0
network 192.168.52.0 0.0.0.255 area 0
network 192.168.65.0 0.0.0.255 area 0
!
router rip
version 2
network 45.45.5.0
network 100.0.0.0
no auto-summary
!
! NOTE(review): cleartext HTTP management on, HTTPS off.
ip http server
no ip http secure-server
!
!
ip mroute 10.1.1.1 255.255.255.255 172.16.1.1
!
!
!
! NOTE(review): TACACS+ shared key 'cisco' in cleartext; the ACS is reached across the ASA (see c1 ACL 100).
tacacs-server host 192.168.2.14 key cisco
!
!
! Privilege level 5 may enter configure mode and the 'router' / 'interface' sub-modes;
! 'crypto' stays at level 15.
privilege configure all level 5 router
privilege configure all level 5 interface
privilege configure level 15 crypto
privilege exec level 5 configure terminal
privilege exec level 5 configure
!
! Console: no authentication at all ('noauthen'). AUX: line password only, telnet allowed.
! VTY: TACACS+ login plus exec and level-5 command authorization, telnet only (cleartext).
line con 0
exec-timeout 0 0
password cisco
logging synchronous
login authentication noauthen
line aux 0
exec-timeout 0 0
password cisco
logging synchronous
transport input telnet
line vty 0 4
exec-timeout 0 0
password cisco
authorization commands 5 mycommandauthor
authorization exec myexecauthor
logging synchronous
login authentication myauthen
transport input telnet
!
end
!********************************
!* *
!* R6 Final Solution Config *
!* *
!********************************
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): passwords stored and displayed in cleartext; prefer 'enable secret'.
no service password-encryption
!
hostname R6
!
! NOTE(review): reversible 'enable password'.
enable password cisco
no aaa new-model
ip source-route
ip cef
!
!
!
!
no ip domain lookup
ip domain name cisco.com
ip multicast-routing
no ipv6 cef
!
! NOTE(review): exec command, not config. This RSA pair signs GDOI rekey messages (see
! 'rekey authentication' below); 'exportable' lets the private key leave the device.
crypto key generate rsa exportable label dmvpn_gdoi
!
!
!
!
! NOTE(review): 3DES / DH group 2 are legacy; wildcard PSK 'cisco' is accepted from any peer address.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
! Transport mode is required because the protected traffic is GRE (tunnel headers already present).
crypto ipsec transform-set dmvpn_trans esp-3des esp-sha-hmac
mode transport require
!
crypto ipsec profile dmvpn_using_gdoi
set security-association lifetime seconds 36000
set transform-set dmvpn_trans
!
! GDOI key server for group 2: unicast rekey (2 retransmits, 10 s apart), rekeys signed with
! the dmvpn_gdoi RSA key, traffic policy = ACL 101 (all GRE), 64-packet replay window.
crypto gdoi group dmvpn
identity number 2
server local
rekey retransmit 10 number 2
rekey authentication mypubkey rsa dmvpn_gdoi
rekey transport unicast
sa ipsec 1
profile dmvpn_using_gdoi
match address ipv4 101
replay counter window-size 64
address ipv4 10.6.6.6
!
!
!
ip tcp synwait-time 5
! NOTE(review): SSHv1 only (deprecated); VTY lines accept telnet only, so SSH is unreachable anyway.
ip ssh version 1
!
! Marks telnet entering Serial0/0/1 (R5 side) with DSCP 1; R2's 'drop23' policy drops such traffic.
class-map match-all mark23
match protocol telnet
!
!
policy-map mark23
class mark23
set dscp 1
!
!
!
!
!
interface Loopback0
ip address 10.6.6.6 255.255.255.0
ip pim sparse-dense-mode
!
interface GigabitEthernet0/0
ip address 192.168.6.6 255.255.255.0
ip pim sparse-dense-mode
no shutdown
!
! Frame Relay DTE toward R4. 'no service-policy input mark23' undoes an earlier attachment.
interface Serial0/0/0
ip address 192.168.64.6 255.255.255.0
encapsulation frame-relay
ip ospf network point-to-point
no fair-queue
frame-relay map ip 192.168.64.4 64 broadcast
no service-policy input mark23
no shutdown
!
! Frame Relay DTE toward R5; telnet marking policy applied here.
interface Serial0/0/1
ip address 192.168.65.6 255.255.255.0
ip pim sparse-dense-mode
encapsulation frame-relay
ip ospf network point-to-point
frame-relay map ip 192.168.65.5 65 broadcast
service-policy input mark23
no shutdown
!
router ospf 1
log-adjacency-changes
redistribute connected metric 1 subnets
redistribute static metric 1 subnets
network 10.6.6.0 0.0.0.255 area 0
network 192.168.64.0 0.0.0.255 area 0
network 192.168.65.0 0.0.0.255 area 0
!
! Statics point at the two ASA contexts (c1 = 192.168.6.10, c2 = 192.168.6.11).
ip route 10.1.1.0 255.255.255.0 192.168.6.10
ip route 10.2.2.0 255.255.255.0 192.168.6.10
ip route 10.3.3.0 255.255.255.0 192.168.6.11
ip route 192.168.2.0 255.255.255.0 192.168.6.10
ip route 192.168.3.0 255.255.255.0 192.168.6.10
ip route 192.168.4.0 255.255.255.0 192.168.6.10
ip route 192.168.5.0 255.255.255.0 192.168.6.11
no ip http server
no ip http secure-server
!
!
!
! GDOI traffic policy pushed to group members: encrypt all GRE.
access-list 101 permit gre any any
!
!
!
! NOTE(review): no idle timeout on any line; AUX and VTY accept cleartext telnet with a shared password.
line con 0
exec-timeout 0 0
password cisco
logging synchronous
login
line aux 0
exec-timeout 0 0
password cisco
logging synchronous
login
transport input telnet
line vty 0 4
exec-timeout 0 0
password cisco
logging synchronous
login
transport input telnet
!
end
!********************************
!* *
!* Sw1 Final Solution Config *
!* *
!********************************
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): passwords stored and displayed in cleartext; prefer 'enable secret'.
no service password-encryption
!
hostname Sw1
! NOTE(review): reversible 'enable password'; also guards the HTTP/HTTPS server enabled below.
enable password cisco
!
! NOTE(review): both switches are VTP servers in domain 'ccie' (see Sw2), so either can rewrite the
! VLAN database; the VTP password only authenticates (MD5) updates, it does not encrypt them.
vtp mode server
vtp domain ccie
vtp password cisco
!
!
vlan 2
vlan 3
vlan 4
vlan 5
vlan 6
vlan 7
vlan 8
vlan 10
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
ip routing
no ip domain-lookup
ip domain-name cisco.com
!
!
! DHCP snooping on VLAN 10 without option-82 insertion; Fa0/19 is the trusted (server) port
! and Fa0/18 enforces IP source guard against the static binding defined below.
ip dhcp snooping vlan 10
no ip dhcp snooping information option
ip dhcp snooping
!
!
ip tcp synwait-time 5
!
!
!
interface Loopback0
ip address 10.7.7.7 255.255.255.0
!
interface FastEthernet0/1
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/2
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/3
switchport access vlan 3
switchport mode access
!
! Routed port toward R4 (192.168.41.1).
interface FastEthernet0/4
no switchport
ip address 192.168.41.2 255.255.255.0
!
interface FastEthernet0/5
switchport access vlan 8
switchport mode access
!
interface FastEthernet0/6
switchport access vlan 6
switchport mode access
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
switchport access vlan 6
switchport mode access
!
interface FastEthernet0/11
switchport access vlan 4
switchport mode access
!
interface FastEthernet0/12
switchport access vlan 5
switchport mode access
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/16
switchport access vlan 7
switchport mode access
!
interface FastEthernet0/17
switchport access vlan 8
switchport mode access
!
! IP source guard: 'ip verify source' alone checks the source IP against the binding table only;
! the MAC is not enforced unless 'ip verify source port-security' is used.
interface FastEthernet0/18
switchport access vlan 10
switchport mode access
ip verify source
!
interface FastEthernet0/19
switchport access vlan 10
switchport mode access
ip dhcp snooping trust
!
interface FastEthernet0/20
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/21
!
interface FastEthernet0/22
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/23
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/24
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
network 10.7.7.0 0.0.0.255 area 0
network 192.168.41.0 0.0.0.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.41.1
! NOTE(review): HTTPS is enabled but cleartext HTTP (moved to 8080) is still on as well.
ip http server
ip http port 8080
ip http secure-server
!
!
! Static binding backing 'ip verify source' on Fa0/18: MAC 0000.0000.0001 / 10.10.1.1 / VLAN 10.
ip source binding 0000.0000.0001 vlan 10 10.10.1.1 interface Fa0/18
!
control-plane
!
!
! NOTE(review): VTY 0-4 accept cleartext telnet with a shared password and no idle timeout.
! VTY 5-15 have 'login' but no password, so IOS refuses those sessions ("password required,
! but none set") - effectively closed, which may or may not be the intent.
line con 0
exec-timeout 0 0
password cisco
logging synchronous
login
line vty 0 4
exec-timeout 0 0
password cisco
logging synchronous
login
transport input telnet
line vty 5 15
login
!
end
Sw1#show vtp status
VTP Version : running VTP1 (VTP2 capable)
Configuration Revision : 10
Maximum VLANs supported locally : 1005
Number of existing VLANs : 15
VTP Operating Mode : Server
VTP Domain Name : ccie
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x9A 0x7A 0xC6 0xAA 0x92 0x16 0xE8 0x51
Configuration last modified by 192.168.52.2 at 8-17-09 14:03:53
Local updater ID is 192.168.41.2 on interface Fa0/4 (first layer3 interface found)
Sw1#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/7, Fa0/8, Fa0/9, Fa0/13
Fa0/14, Fa0/21, Gi0/1, Gi0/2
2 VLAN0002 active Fa0/15, Fa0/20, Fa0/22, Fa0/23
3 VLAN0003 active Fa0/1, Fa0/2, Fa0/3
4 VLAN0004 active Fa0/11
5 VLAN0005 active Fa0/12
6 VLAN0006 active Fa0/6, Fa0/10
7 VLAN0007 active Fa0/16
8 VLAN0008 active Fa0/5, Fa0/17
10 VLAN0010 active Fa0/18, Fa0/19
101 VLAN0101 active
102 VLAN0102 active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
!********************************
!* *
!* Sw2 Final Solution Config *
!* *
!********************************
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): passwords stored and displayed in cleartext; prefer 'enable secret' / 'username ... secret'.
no service password-encryption
!
hostname Sw2
!
! NOTE(review): second VTP server in domain 'ccie' (Sw1 is also a server); either switch can
! rewrite the shared VLAN database. The VTP password only MD5-authenticates updates.
vtp mode server
vtp domain ccie
vtp password cisco
!
no logging console
! NOTE(review): reversible 'enable password'.
enable password cisco
!
! NOTE(review): type-0 (cleartext) privilege-15 account used by 'login local' on the VTYs.
username cisco privilege 15 password 0 cisco
no aaa new-model
system mtu routing 1500
ip subnet-zero
ip routing
no ip domain-lookup
ip domain-name cisco.com
!
!
!
!
!
!
! NOTE(review): exec command, not config; no modulus given so it prompts interactively. Needed for
! the SSH-only VTYs below. 'exportable' is unnecessary for an SSH host key.
crypto key generate rsa exportable
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip tcp synwait-time 5
! SSH: 5 s negotiation timeout, 2 authentication retries.
! NOTE(review): pinned to SSHv1, which is deprecated and weaker than v2; use 'ip ssh version 2'
! unless the lab task explicitly requires v1.
ip ssh time-out 5
ip ssh authentication-retries 2
ip ssh version 1
!
!
!
interface Loopback0
ip address 10.8.8.8 255.255.255.0
!
interface FastEthernet0/1
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/2
switchport access vlan 4
switchport mode access
! Undo from an earlier task: ACL 101 (blocking ISAKMP) is defined below but no longer applied.
no ip access-group 101 in
!
interface FastEthernet0/3
switchport access vlan 5
switchport mode access
!
interface FastEthernet0/4
switchport access vlan 7
switchport mode access
!
! Routed port toward R5 (192.168.52.1).
interface FastEthernet0/5
no switchport
ip address 192.168.52.2 255.255.255.0
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
switchport access vlan 6
switchport mode access
!
interface FastEthernet0/11
switchport access vlan 4
switchport mode access
!
interface FastEthernet0/12
switchport access vlan 5
switchport mode access
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
! Port security: at most 10 MACs (8 on data VLAN 101, 2 on voice VLAN 102), sticky learning,
! 'restrict' drops violating frames and counts them instead of err-disabling the port.
interface FastEthernet0/20
switchport access vlan 101
switchport mode access
switchport voice vlan 102
switchport port-security maximum 10
switchport port-security maximum 8 vlan access
switchport port-security maximum 2 vlan voice
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
spanning-tree portfast
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
!
router ospf 1
log-adjacency-changes
network 10.8.8.0 0.0.0.255 area 0
network 192.168.52.0 0.0.0.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.52.1
! NOTE(review): cleartext HTTP is enabled alongside HTTPS.
ip http server
ip http secure-server
!
!
access-list 101 deny udp any any eq isakmp
access-list 101 permit ip any any
!
control-plane
!
!
! VTYs: SSH only, local username authentication; console uses the line password. No idle timeouts.
line con 0
exec-timeout 0 0
password cisco
logging synchronous
login
line vty 0 4
exec-timeout 0 0
password cisco
logging synchronous
login local
transport input ssh
line vty 5 15
exec-timeout 0 0
password cisco
logging synchronous
login local
transport input ssh
!
end
Sw2#show vtp status
VTP Version : running VTP1 (VTP2 capable)
Configuration Revision : 10
Maximum VLANs supported locally : 1005
Number of existing VLANs : 15
VTP Operating Mode : Server
VTP Domain Name : ccie
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x9A 0x7A 0xC6 0xAA 0x92 0x16 0xE8 0x51
Configuration last modified by 192.168.52.2 at 8-17-09 14:03:53
Local updater ID is 192.168.52.2 on interface Fa0/5 (first layer3 interface found)
Sw2#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/6, Fa0/7, Fa0/8, Fa0/9
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/21
Fa0/22, Fa0/23, Gi0/1, Gi0/2
2 VLAN0002 active Fa0/1
3 VLAN0003 active
4 VLAN0004 active Fa0/2, Fa0/11
5 VLAN0005 active Fa0/3, Fa0/12
6 VLAN0006 active Fa0/10
7 VLAN0007 active Fa0/4
8 VLAN0008 active
10 VLAN0010 active
101 VLAN0101 active Fa0/20
102 VLAN0102 active Fa0/20
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
!********************************
!* *
!* ASA1 System Context *
!* Final Solution Configuration *
!* *
!********************************
mode multiple
!*****************************************************
! Convert to Multi-mode, ASA will reboot at this point
!*****************************************************
!
!
hostname ASA1
! NOTE(review): weak, cleartext-entered enable password on the system context.
enable password cisco
mac-address auto
!
interface Ethernet0/0
no shutdown
!
interface Ethernet0/1
no shutdown
!
interface Ethernet0/2
no shutdown
!
interface Ethernet0/3
no shutdown
!
! NOTE(review): Management0/0 stays shut down here but is the only interface allocated to the
! admin context below, so the admin context has no network reachability (console only).
interface Management0/0
shutdown
!
!
! Active/Active failover: LAN failover and stateful link share Ethernet0/3.
! NOTE(review): 'failover key cisco' is a weak shared key; the failover/state link carries
! configuration and connection state, so it should be a strong key on an isolated segment.
! 'secondary' under group 2 makes that group active on the secondary unit (ASA2).
failover
failover lan unit primary
failover lan interface failint Ethernet0/3
failover key cisco
failover link failint Ethernet0/3
failover interface ip failint 192.168.50.10 255.255.255.0 standby 192.168.50.11
failover group 1
failover group 2
secondary
admin-context admin
context admin
allocate-interface Management0/0
config-url disk0:/admin
!
! c1 (group 1): Ethernet0/0 outside, Ethernet0/1 inside.
context c1
allocate-interface Ethernet0/0
allocate-interface Ethernet0/1
config-url disk0:/c1
join-failover-group 1
!
! c2 (group 2): Ethernet0/0 outside (shared with c1), Ethernet0/2 inside.
context c2
allocate-interface Ethernet0/0
allocate-interface Ethernet0/2
config-url disk0:/c2
join-failover-group 2
!
prompt hostname context
: end
[OK]
!********************************
!* *
!* ASA1 c1 Context *
!* Final Solution Configuration *
!* *
!********************************
change context c1
!
hostname c1
! NOTE(review): enable and telnet ('passwd') passwords are the default-grade 'cisco'.
enable password cisco
passwd cisco
names
!
! Shared outside interface (Ethernet0/0 is also allocated to c2); asr-group 1 allows
! asymmetric-routing return traffic to be handed to the other group.
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.6.10 255.255.255.0 standby 192.168.6.15
asr-group 1
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.4.10 255.255.255.0 standby 192.168.4.15
!
regex emailaddress "joe@myemail.com"
!
! One-hour absolute window on 1 Aug 2009 used by the outbound ACL below.
time-range abc
absolute start 21:00 01 August 2009 end 22:00 01 August 2009
!
! Inbound (outside): ICMP, GDOI (848), ISAKMP, ESP, TACACS+ from R5 to the ACS, and telnet.
! NOTE(review): the final line permits telnet from ANY source to ANY inside host; only the
! 10.5.5.5 -> 10.1.1.1 flow (ACL 'telnet') is subject to cut-through authentication below.
access-list 100 extended permit icmp any any
access-list 100 extended permit udp any any eq 848
access-list 100 extended permit udp any any eq isakmp
access-list 100 extended permit esp any any
access-list 100 extended permit tcp host 10.5.5.5 host 10.1.1.1 eq telnet
access-list 100 extended permit tcp host 192.168.65.5 host 192.168.2.14 eq tacacs
access-list 100 extended permit tcp any any eq telnet
access-list policyNAT extended permit ip host 10.1.1.1 host 10.4.4.4
! Outbound (outside): 10.2.2.2 -> 10.6.6.6 allowed only inside time-range 'abc', denied otherwise.
access-list 101 extended permit ip host 10.2.2.2 host 10.6.6.6 time-range abc
access-list 101 extended deny ip host 10.2.2.2 host 10.6.6.6
access-list 101 extended permit ip any any
access-list telnet extended permit tcp host 10.5.5.5 host 10.1.1.1 eq telnet
! Policy NAT: 10.1.1.1 appears as 192.168.6.61 only when talking to 10.4.4.4.
static (inside,outside) 192.168.6.61 access-list policyNAT
access-group 100 in interface outside
access-group 101 out interface outside
route outside 0.0.0.0 0.0.0.0 192.168.6.6 1
route inside 10.1.1.0 255.255.255.0 192.168.4.2 1
route inside 10.2.2.0 255.255.255.0 192.168.4.2 1
route inside 192.168.2.0 255.255.255.0 192.168.4.2 1
route inside 192.168.3.0 255.255.255.0 192.168.4.2 1
! NOTE(review): TACACS+ key 'cisco' in cleartext; server is deactivated after 2 failed attempts.
aaa-server myACSserver protocol tacacs+
max-failed-attempts 2
aaa-server myACSserver (inside) host 192.168.2.14
key cisco
! Cut-through proxy for the telnet flow matched by ACL 'telnet' only.
aaa authentication match telnet outside myACSserver
aaa authorization match telnet outside myACSserver
!
class-map webport
match port tcp eq www
!
! ESMTP inspection: drop on special characters, sender joe@myemail.com, or more than 5 To: fields.
policy-map type inspect esmtp blockBADemail
parameters
special-character action drop-connection
match sender-address regex emailaddress
drop-connection
match header to-fields count gt 5
drop-connection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect esmtp blockBADemail
! SYN-flood protection on HTTP arriving on outside: 100 embryonic connections total and per client.
policy-map embryonic_attack_protection
class webport
set connection embryonic-conn-max 100 per-client-embryonic-max 100
!
service-policy global_policy global
service-policy embryonic_attack_protection interface outside
: end
[OK]
!********************************
!* *
!* ASA1 c2 Context *
!* Final Solution Configuration *
!* *
!********************************
change context c2
!
hostname c2
domain-name cisco.com
! NOTE(review): enable and telnet ('passwd') passwords are the default-grade 'cisco'.
enable password cisco
passwd cisco
!
! Shared outside interface with c1; asr-group 1 pairs the two contexts for asymmetric routing.
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.6.11 255.255.255.0 standby 192.168.6.15
asr-group 1
!
interface Ethernet0/2
nameif inside
security-level 100
ip address 192.168.5.10 255.255.255.0 standby 192.168.5.15
!
! NOTE(review): 'permit ip any any' inbound on outside disables all filtering into this context;
! the ICMP line before it is redundant. Acceptable for the lab, not for anything real.
access-list 100 extended permit icmp any any
access-list 100 extended permit ip any any
! nat-control: inside hosts need a NAT rule to pass. Dynamic PAT via a small pool then the
! interface address; 10.3.3.3 (R3) is exempted with an identity static so it is reachable as itself.
nat-control
global (outside) 1 192.168.6.150-192.168.6.155
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 10.3.3.3 10.3.3.3 netmask 255.255.255.255
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.6.6 1
route inside 10.1.1.0 255.255.255.0 192.168.5.3 1
route inside 10.3.3.0 255.255.255.0 192.168.5.3 1
!
: end
[OK]
!********************************
!* *
!* ASA2 Final Solution Config *
!* *
!********************************
mode multiple
!*****************************************************
! Convert to Multi-mode, ASA will reboot at this point
!*****************************************************
!
!
interface Ethernet0/3
no shutdown
!
! Secondary unit: only the failover bootstrap is configured here; everything else (contexts,
! interface settings) is replicated from the primary once the failover link comes up.
! The failover IPs are deliberately identical to ASA1 - each unit takes its role from 'lan unit'.
! NOTE(review): same weak 'failover key cisco' as on ASA1; it must match on both units.
failover
failover lan unit secondary
failover lan interface failint Ethernet0/3
failover key cisco
failover link failint Ethernet0/3
failover interface ip failint 192.168.50.10 255.255.255.0 standby 192.168.50.11
failover group 1
failover group 2
secondary
!********************************
!* *
!* IPS Final Solution Config *
!* *
!********************************
! Inline pair: Gi0/0 <-> Gi0/1 bridged through the sensor as 'mypair'.
service interface
physical-interfaces GigabitEthernet0/0
admin-state enabled
exit
physical-interfaces GigabitEthernet0/1
admin-state enabled
exit
inline-interfaces mypair
interface1 GigabitEthernet0/0
interface2 GigabitEthernet0/1
exit
exit
! ------------------------------
! Management: 192.168.2.12/24 via gateway 192.168.2.11 (R1).
! NOTE(review): 'telnet-option enabled' exposes sensor management over cleartext telnet;
! the network access-list limits it to 192.168.2.0/24, but SSH/HTTPS is the better choice.
service host
network-settings
host-ip 192.168.2.12/24,192.168.2.11
host-name IPS
telnet-option enabled
access-list 192.168.2.0/24
exit
exit
! ------------------------------
! Signatures 2000/2004 (built-in ICMP echo request/reply) enabled at medium severity, alert only.
service signature-definition sig0
signatures 2000 0
alert-severity medium
engine atomic-ip
event-action produce-alert
exit
status
enabled true
exit
exit
signatures 2004 0
alert-severity medium
engine atomic-ip
event-action produce-alert
exit
status
enabled true
exit
exit
! Custom 65000: ICMP with IP payload length 5000-6000 bytes carrying an RFC 1918 address option; alert only.
signatures 65000 0
sig-description
sig-name Large ICMP attack
exit
engine atomic-ip
event-action produce-alert
specify-l4-protocol yes
l4-protocol icmp
exit
exit
specify-ip-payload-length yes
ip-payload-length 5000-6000
exit
specify-ip-addr-options yes
ip-addr-options rfc-1918-address
exit
exit
exit
exit
! ------------------------------
! Bind the inline pair to vs0 with strict TCP evasion protection (out-of-order/overlap segments dropped).
service analysis-engine
virtual-sensor vs0
logical-interface mypair
inline-TCP-evasion-protection-mode strict
exit
exit