From: Robert Thompson (rthompson@xxxxxxxxxxxxx)
Date: Fri Aug 20 1999 - 03:13:33 GMT-3
The lack of CCIE ISP exercises is vexing. To get a
grip on it all, I have a suggestion. Simply that we
try and set problems. The CCIE itself grew out of the
Cisco TACs setting each other problems. So to suit
action to rhetoric...
The below isn't necessarily a CCIE ISP problem, but does
set a simple VPN problem that if you just try and do it
without looking at the solution might make you think a
bit. I found having to stop & think really valuable as
part of the learning.
Exercise - (30 minutes for this I suggest - lots of time ^_^ )
Create a VPN between two routers, over an Internet such that
1) both sites use private addressing on their ethernet
2) the sites have full connectivity to each other's ethernet
3) the sites' ethernets have full Internet connectivity
(it is not required that Internet sites can open any connections
to the sites' ethernet)
4) the sites' link to the Internet is via ISDN, each site has
one Internet IP address for its ISDN link, and each has a
single 30-bit subnetted Internet class C they can use only if
required to make the scenario work.
The above isn't hard, but I got it wrong first go on my
lab. Make sure in your routing the private addresses won't
be transported between the sites by the "Internet" routing
and then you won't accidentally make it work when it shouldn't.
ISDN isn't really required - it's just what I used. Replace
ISDN with HDLC or anything else if you don't have it.
The main value should be in being set a task rather than
looking at the solution provided to see how it is done.
Also I was trying to think of a good exercise for dialer
rotary & pools.
Something along the lines of
configure (channelised E1) PRI for dynamic dial-in, static
IP dial-in, dial-out using IP unnumbered, dial-out using IP
address on the link, and setting exactly how many B channels
each of the above is allowed to use. The dynamic dial-in
must use a rotary. All the above must work simultaneously
on the PRI.
Doesn't really seem CCIE level though, I need something
tricky. I need someone more knowledgeable with this stuff
to set problems. Any takers?
If anyone does think it is tricky enough, give it a go. I
have done this and while it isn't hard, doing it may help
you understand pools & rotaries if you don't already.
A SOLUTION FOR VPN EXERCISE
**************************************************
don't look down here until you have had a try
[router for site 1]
!
! GRE tunnel carrying the private site-to-site traffic. It borrows the
! ISDN address and is not a NAT interface, so inter-site packets are
! not translated; the GRE packet itself leaves via BRI0.
interface Tunnel0
 ip unnumbered BRI0
 no ip directed-broadcast
 tunnel source BRI0
 tunnel destination 139.130.43.198
!
! ISDN link to the "Internet": the one public address per site, NAT outside
interface BRI0
 ip address 139.130.149.230 255.255.255.224
 no ip directed-broadcast
 ip nat outside
 encapsulation ppp
 dialer idle-timeout 2000000
 dialer map ip 139.130.149.225 0392666900
 dialer-group 1
 isdn switch-type basic-net3
 hold-queue 75 in
!
! private ethernet, NAT inside
interface FastEthernet0
 ip address 10.0.0.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
!
! overload (PAT) the whole LAN onto the single ISDN address
ip nat pool NATpool1 139.130.149.230 139.130.149.230 prefix-length 27
ip nat inside source list 10 pool NATpool1 overload
ip classless
! default to the Internet; the other site's private LAN only via the tunnel
ip route 0.0.0.0 0.0.0.0 BRI0
ip route 192.168.0.0 255.255.255.0 Tunnel0
! standard list: matches on source only (see the note on extended lists below)
access-list 10 permit 10.0.0.0 0.0.0.255
[router for site 2]
!
! mirror image of site 1: tunnel to site 1's ISDN address, PAT onto
! this site's own ISDN address, site 1's LAN reachable only via the tunnel
interface Tunnel0
 ip unnumbered BRI0
 no ip directed-broadcast
 tunnel source BRI0
 tunnel destination 139.130.149.230
!
interface BRI0
 ip address 139.130.43.198 255.255.255.128
 no ip directed-broadcast
 ip nat outside
 encapsulation ppp
 dialer idle-timeout 2000000
 dialer map ip 139.130.43.129 0286666700
 dialer-group 1
 isdn switch-type basic-net3
 hold-queue 75 in
!
interface FastEthernet0
 ip address 192.168.0.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
!
ip nat pool NATpool1 139.130.43.198 139.130.43.198 prefix-length 25
ip nat inside source list 10 pool NATpool1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 BRI0
ip route 10.0.0.0 255.255.255.0 Tunnel0
access-list 10 permit 192.168.0.0 0.0.0.255
Note that I haven't put anything in here for the routers
that form the "Internet". I used four routers total, but the
only thing you need to ensure is that private addressing
won't route between the two sites.
If you used the additional 30 bit subnets, you of course
fail the scenario as these are "only if required".
I think I should have used extended access lists. It seems
to work ok though, so next time I'll do better.
---------------------------------
Robert Thompson, CCIE #4500, MCSE
Business Integration Solutions
44 Ellingworth Pde, Box Hill 3128
Australia
Office +61 3 9899 5111
FAX +61 3 9899 7671
Mobile 0407 368 154
Mailto:rthompson@busint.com.au
http://www.busint.com.au
---------------------------------
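To make the routing/NAT interaction in the solution concrete, here is a small added model of the site 1 router (my own Python, not part of the post): longest-prefix route lookup, the standard-list NAT decision, the GRE path, and the check the post asks for, that inter-site traffic never ends up on the "Internet" path. The extended list ACL_EXT and the host addresses are assumptions; the routes, pool and tunnel endpoints are taken from the configuration above.

```python
import ipaddress

# Site 1 router from the post, reduced to data. Routes, NAT pool, tunnel endpoints and
# access-list 10 are copied from the configuration above; hosts in the tests are constructed.
ROUTES = [("0.0.0.0/0", "BRI0"), ("192.168.0.0/24", "Tunnel0")]
NAT_OUTSIDE = "BRI0"
POOL_ADDR = "139.130.149.230"
TUNNEL = ("139.130.149.230", "139.130.43.198")  # tunnel source / destination
SITE_LANS = ("10.0.0.0/24", "192.168.0.0/24")   # the two private ethernets
# standard list 10 matches on source only, so destination is effectively "any"
ACL10 = [("permit", "10.0.0.0/24", "0.0.0.0/0")]
# an assumed extended list (the post only says one should have been used)
ACL_EXT = [("deny", "10.0.0.0/24", "192.168.0.0/24"),
           ("permit", "10.0.0.0/24", "0.0.0.0/0")]

def lookup(dst, routes):
    """Longest-prefix match over the static routes; returns the egress interface."""
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None

def acl_permits(src, dst, acl):
    """First matching entry wins, implicit deny at the end (IOS semantics)."""
    for action, s, d in acl:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(s)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(d)):
            return action == "permit"
    return False

def forward(src, dst, routes=ROUTES, acl=ACL10):
    """Model a packet entering on FastEthernet0 (ip nat inside).
    Returns (physical egress, source address on the wire, GRE outer header or None)."""
    egress = lookup(dst, routes)
    if egress == "Tunnel0":
        # Tunnel0 is neither nat inside nor nat outside, so the inner packet keeps its
        # private addresses; the GRE packet is router-originated and leaves via BRI0.
        return ("BRI0", src, TUNNEL)
    if egress == NAT_OUTSIDE and acl_permits(src, dst, acl):
        return (egress, POOL_ADDR, None)  # PAT behind the single ISDN address
    return (egress, src, None)

def bypasses_tunnel(dst, result):
    """The check the post asks for: a site LAN destination sent to the Internet path unencapsulated."""
    egress, _wire_src, outer = result
    to_site = any(ipaddress.ip_address(dst) in ipaddress.ip_network(n) for n in SITE_LANS)
    return to_site and egress == "BRI0" and outer is None
```

With the Tunnel0 route removed, the standard list silently translates inter-site traffic and hands it to the default route, which is exactly the "accidentally works" case the post warns about; the model flags it.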
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:21:47 GMT-3