474 Chapter 13: Final Preparation
Scenario 2
Part A of the final review scenario begins with some planning guidelines that include planning IP addresses and the location of IP standard access lists. After you complete Part A, Part B of Scenario 2 asks you to configure the three routers to implement the planned design and a few other features. Finally, in Part C of Scenario 2, some errors have been introduced into the network, and you are asked to examine router command output to find them. Part C also lists some questions relating to the user interface and protocol specifications.
Scenario 2, Part A: Planning
Your job is to deploy a new network with three sites, as shown in Figure 13-2. The decision to use Frame Relay has already been made, and the products have been chosen. To complete Part A, perform the following tasks:
1.Plan the IP addressing and subnets used in this network. Class B network 170.1.0.0 has been assigned by the Network Information Center (NIC). The maximum number of hosts per subnet is 300. Assign IP addresses to the PCs as well. Use Tables 13-3 and 13-4 to record your answers.
2.Plan the location and logic of IP access lists to filter for the following criteria:
—Access to servers in PC11 and PC12 is allowed for web and FTP clients from anywhere else.
—All other traffic to or from PC11 and PC12 is not allowed.
—No IP traffic between the Ethernets off R2 and R3 is allowed.
—All other IP traffic between any sites is allowed.
3.After choosing your subnet numbers, calculate the broadcast addresses and the range of valid IP addresses in each subnet. Use Table 13-5 if convenient.
Scenario 2 475
Figure 13-2 Scenario 13-2 Network Diagram
Server 1 |
Server 2 |
||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
PC11 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
R1 |
|
|
|
|
|
PC12 |
|||||||||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||||||||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
DLCI 301 |
|
|
s0 |
|
|
|
|
|
|
|
|
|
|
|
|
||||||||||||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||||||||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||||||||||||||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Frame Relay |
|||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Partial Mesh |
|||||||||
|
DLCI 302 |
|
|
|
s0 |
|
|
|
|
|
|
|
|
|
|
s0 |
|
DLCI 304 |
|||||||||||||||||||||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
s0 |
|
|
DLCI 303 |
|
|
R4 |
||||||||||||||||||||||||
|
|
|
|
|
|
|
|
|
|
|
R2 |
|
|
|
R3 |
|
|
||||||||||||||||||||||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||||||||||||||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||||||||||||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
PC21 Server 3 PC31 PC32 PC41 PC42
Table 13-3 Scenario 2, Part A: IP Subnet Planning Chart
Geographic Location of Subnet/Network |
Subnet Mask |
Subnet Number |
|
|
|
Ethernet off R1 |
|
|
|
|
|
Ethernet off R2 |
|
|
|
|
|
Ethernet off R3 |
|
|
|
|
|
Ethernet off R4 |
|
|
|
|
|
Virtual circuit between R1 and R2 |
|
|
|
|
|
Virtual circuit between R1 and R3 |
|
|
|
|
|
Virtual circuit between R1 and R4 |
|
|
|
|
|
Server 1 internal |
|
|
|
|
|
Server 2 internal |
|
|
|
|
|
Server 3 internal |
|
|
|
|
|
476 Chapter 13: Final Preparation
Table 13-4 Scenario 2, Part A: IP Address Planning Chart
Host |
Address |
|
|
PC11 |
|
|
|
PC12 |
|
|
|
PC21 |
|
|
|
PC31 |
|
|
|
PC32 |
|
|
|
PC41 |
|
|
|
PC42 |
|
|
|
R1-E0 |
|
|
|
R1-S0-sub ____ |
|
|
|
R1-S0-sub ____ |
|
|
|
R1-S0-sub ____ |
|
|
|
R2-E0 |
|
|
|
R2-S0-sub ____ |
|
|
|
R3-E0 |
|
|
|
R3-S0-sub ____ |
|
|
|
R4-E0 |
|
|
|
R4-S0-sub ____ |
|
|
|
Server 1 |
|
|
|
Server 2 |
|
|
|
Server 3 |
|
|
|
Table 13-5 Scenario 2, Part A: Subnets, Broadcast Addresses, and Range of Valid Addresses
Subnet Number |
Subnet Broadcast Address |
Range of Valid Addresses |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
478 Chapter 13: Final Preparation
Table 13-7 Scenario 2, Part A: Completed IP Address Planning Chart (Continued)
Host |
Address |
|
|
R1-S0-sub 4 |
170.1.14.1 |
|
|
R2-E0 |
170.1.5.2 |
|
|
R2-S0-sub 2 |
170.1.10.2 |
|
|
R3-E0 |
170.1.7.3 |
|
|
R3-S0-sub 3 |
170.1.12.3 |
|
|
R4-E0 |
170.1.9.4 |
|
|
R4-S0-sub 4 |
170.1.14.4 |
|
|
Server 1 |
170.1.2.101 |
|
|
Server 2 |
170.1.2.102 |
|
|
Server 3 |
170.1.4.103 |
|
|
The IP access lists can effectively be placed in several places. Stopping packets in one of the two directions succeeds in stopping users from connecting to the servers. For the first set of criteria, an access list stopping packets from entering the serial interface of R1, thus stopping packets destined for PC11 and PC12, suffices. For the second criteria to disallow traffic between Site 2 and Site 3, the access lists are also placed in R1. The access lists stop the packets earlier in their life if they are placed in R2 and R3, but the traffic is minimal, because no true application traffic will ever be successfully generated between IP hosts at Sites 2 and 3.
The design shown here calls for all filtered packets to be filtered via access lists enabled on subinterfaces on R1’s S0 interface. Other options are valid as well. Remember, the strategy outlined in the Cisco ICND course suggests that denying packets as close to the source as possible when using extended access lists is the best option.
Table 13-8 shows the answers, which include the subnet numbers, their corresponding broadcast addresses, and the range of valid assignable IP addresses.
Table 13-8 Scenario 2, Part A: Completed IP Subnet Planning Chart
Subnet Number |
Subnet Broadcast Address |
Range of Valid Addresses (Last 2 Bytes) |
|
|
|
170.1.2.0 |
170.1.3.255 |
2.1 through 3.254 |
|
|
|
170.1.4.0 |
170.1.5.255 |
4.1 through 5.254 |
|
|
|
170.1.6.0 |
170.1.7.255 |
6.1 through 7.254 |
|
|
|
170.1.8.0 |
170.1.9.255 |
8.1 through 9.254 |
|
|
|
170.1.10.0 |
170.1.11.255 |
10.1 through 11.254 |
|
|
|
170.1.12.0 |
170.1.13.255 |
12.1 through 13.254 |
|
|
|
170.1.14.0 |
170.1.15.255 |
14.1 through 15.254 |
|
|
|
480 Chapter 13: Final Preparation
Example 13-9 R1 Configuration (Continued)
access-list 102 deny ip 170.1.4.0 0.0.1.255 170.1.6.0 0.0.1.255 access-list 102 permit ip any any
access-list 103 permit tcp any host 170.1.2.11 eq ftp access-list 103 permit tcp any host 170.1.2.11 eq www access-list 103 permit tcp any host 170.1.2.12 eq ftp access-list 103 permit tcp any host 170.1.2.12 eq www access-list 103 deny ip any host 170.1.2.11 access-list 103 deny ip any host 170.1.2.12
access-list 103 deny ip 170.1.6.0 0.0.1.255 170.1.4.0 0.0.1.255 access-list 103 permit ip any any
access-list 104 permit tcp any host 170.1.2.11 eq ftp access-list 104 permit tcp any host 170.1.2.11 eq www access-list 104 permit tcp any host 170.1.2.12 eq ftp access-list 104 permit tcp any host 170.1.2.12 eq www access-list 104 deny ip any host 170.1.2.11 access-list 104 deny ip any host 170.1.2.12 access-list 104 permit ip any any
Example 13-10 R2 Configuration
interface serial0 encapsulation frame-relay
interface serial 0.1 point-to-point ip address 170.1.10.2 255.255.254.0 frame-relay interface-dlci 301
!
interface ethernet 0
ip address 170.1.5.2 255.255.254.0
!
router igrp 1 network 170.1.0.0
!
Example 13-11 R3 Configuration
interface serial0 encapsulation frame-relay
interface serial 0.1 point-to-point ip address 170.1.12.3 255.255.254.0 frame-relay interface-dlci 301
!
interface ethernet 0
ip address 170.1.7.3 255.255.254.0
!
router igrp 1 network 170.1.0.0
484 Chapter 13: Final Preparation
Example 13-14 Scenario 2, Part C: R2 show and debug Output (Continued)
LMI enq sent 144, LMI stat recvd 138, LMI upd recvd 0, DTE LMI up LMI enq recvd 0, LMI stat sent 0, LMI upd sent 0
LMI DLCI 0 LMI type is ANSI Annex D frame relay DTE
Broadcast queue 0/64, broadcasts sent/dropped 73/0, interface broadcasts 48 Last input 00:00:04, output 00:00:04, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/0/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 42 kilobits/sec
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
232 packets input, 17750 bytes, 0 no buffer
Received 1 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 225 packets output, 12563 bytes, 0 underruns
0 output errors, 0 collisions, 4 interface resets
0 output buffer failures, 0 output buffers swapped out
12 carrier transitions
DCD=up DSR=up DTR=up RTS=up CTS=up --More--
Serial0.1 is up, line protocol is up
Hardware is HD64570
Internet address is 170.1.10.2/23
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, reliability 255/255, txload 1/255, rxload 1/255
Encapsulation FRAME-RELAY --More--
Serial1 is administratively down, line protocol is down
Hardware is HD64570
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
LCP Closed
Closed: CDPCP, LLC2
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/1/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 1158 kilobits/sec
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
Scenario 2 487
Example 13-15 Scenario 2, Part C: R3 show and debug Output (Continued)
2 170.1.10.2 72 msec * 72 msec
R3#ping 170.1.5.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 170.1.5.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 136/136/140 ms
R3#ping
Protocol [ip]:
Target IP address: 170.1.5.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 170.1.7.3
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 170.1.5.2, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
R3#show frame-relay lmi
LMI Statistics for interface Serial0 (Frame Relay DTE) LMI TYPE = CISCO
Invalid Unnumbered info 0 |
Invalid Prot Disc 0 |
Invalid dummy Call Ref 0 |
Invalid Msg Type 0 |
Invalid Status Message 0 |
Invalid Lock Shift 0 |
Invalid Information ID 0 |
Invalid Report IE Len 0 |
Invalid Report Request 0 |
Invalid Keep IE Len 0 |
Num Status Enq. Sent 172 |
Num Status msgs Rcvd 172 |
Num Update Status Rcvd 0 |
Num Status Timeouts 0 |
R3#show frame-relay map
Serial0.1 (up): point-to-point dlci, dlci 301(0x12D,0x48D0), broadcast status defined, active
488 Chapter 13: Final Preparation
Example 13-16 Scenario 2, Part C: R4 show and debug Output
R4#show ip interface brief |
|
|
|
|
Interface |
IP-Address |
OK? Method |
Status |
Protocol |
Serial0 |
unassigned |
YES unset |
up |
up |
Serial0.1 |
170.1.14.4 |
YES NVRAM |
up |
up |
Serial1 |
unassigned |
YES unset |
administratively down down |
|
Ethernet0 |
170.1.9.4 |
YES NVRAM |
up |
up |
R4#show cdp neighbor detail |
|
|
|
|
------------------------- |
|
|
|
|
Device ID: R1 |
|
|
|
|
Entry address(es): |
|
|
|
|
IP address: 170.1.14.1 |
|
|
|
|
Platform: Cisco 2500, |
Capabilities: Router |
|
|
|
Interface: Serial0.1, |
Port ID (outgoing port): Serial0.4 |
|
||
Holdtime : 178 sec |
|
|
|
|
Version :
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-DS-L), Version 12.2(1), RELEASE SOFTWARE (fc2) Copyright 1986-2001 by cisco Systems, Inc.
Compiled Fri 27-Apr-01 14:43 by cmong
advertisement version: 2
R4#show frame-relay pvc
PVC Statistics for interface Serial0 (Frame Relay DTE)
DLCI = 301, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0.1
input pkts |
85 |
output pkts 63 |
in bytes 14086 |
out bytes 8464 |
dropped pkts 0 |
in FECN pkts 0 |
|
in BECN pkts 0 |
out FECN pkts 0 |
out BECN pkts 0 |
|
in DE pkts |
0 |
out DE pkts 0 |
|
out bcast pkts 53 |
out bcast bytes 7614 |
|
|
pvc create |
time 00:18:40, last time pvc status changed 00:18:40 |
||
Using Examples 13-13 through 13-16 as references, answer the following questions:
1.The ping of 170.1.5.2 (R2’s E0 interface) from R3 was successful (refer to Example 1315). Why was it successful if the access lists in R1 are enabled as shown in its configuration?
2.What show commands can be executed on R4 to display R1’s IP addresses?
3.What command lists the IP subnet numbers to which R2 is connected?
Scenario 2 489
4.What commands list the routing metrics used for IP subnets?
5.If you do not know the enable password, how can you see what access lists are used?
6.What does ICMP stand for?
7.Describe how R2 learns that R1’s IP address is 170.1.10.1.
8.What does DLCI stand for? How big can a DLCI be?
9.What additional configuration is needed on R3 to get routing updates to flow over the VC to R1?
10.What show command lists Frame Relay PVCs and the IP addresses on the other end of the PVC in this network?
11.What show command lists the status of the VC between R1 and R2?
12.What do ISDN, BRI, and PRI stand for?
13.Give examples of two ISDN reference points.
Solutions to Scenario 2, Part C: Verification and Questions
The answers to the questions for Scenario 2, Part C are as follows:
1.The ping command uses the outgoing interface’s IP address as the source address in the packet, which in this case is 170.1.12.3. Access lists 102 and 103 check the source and destination IP addresses, looking for the subnets on the Ethernet segments. Therefore, the packet is not matched. If you look further in Example 13-15 to see the extended ping with source IP address 170.1.7.3 (R3’s E0 IP address), you see that it fails. This is because the extended ping calls for the use of 170.1.7.3 as the source IP address.
2.The show ip route command (refer to Example 13-15) lists the IP addresses of the neighboring routers. Because only point-to-point subinterfaces are in use, the show frame-relay map command (refer to Example 13-15) does not show details of the neighboring routers’ Layer 3 addresses. The show cdp neighbor detail command (refer to Example 13-16) also shows information about IP addresses.
3.The show ip route command lists these numbers (refer to Example 13-15). Routes with a C in the left column signify connected subnets.
4.The show ip route command lists the metric values (refer to Example 13-15). The metric value for each IP subnet is the second of the two numbers in brackets.
5.Use the show access-lists command.
6.ICMP stands for Internet Control Message Protocol.
490Chapter 13: Final Preparation
7.The Inverse ARP process is not used when the subinterface is a point-to-point subinterface. Therefore, R2 can learn of R1’s IP and IPX addresses only with CDP, or by looking at the source addresses of the IPX RIP and IP IGRP routing updates.
8.DLCI stands for data-link connection identifier. Lengths between 10 and 14 bits are defined. A 10-bit number is the most typically implemented size.
9.No other configuration is necessary; this is a trick question. This is the kind of misdirection you might see on the exam. Read the questions slowly, and read them twice.
10.The show frame-relay pvc command lists the PVCs. When multipoint subinterfaces are used, or when no subinterfaces are used for Frame Relay configuration, the show framerelay map command lists the IP addresses. The show ip route command, or the show cdp neighbor detail command, can be used to see the addresses in either case.
11.The show frame-relay pvc command displays the status.
12.ISDN stands for Integrated Services Digital Network. BRI stands for Basic Rate Interface. PRI stands for Primary Rate Interface.
13.A reference point is an interface between function groups. R, S, T, and U are the reference points. S and T are combined in many cases and together are called the S/T
reference point.
