+++++++++++++++++++++++++++++++++ IPv6 +++++++++++++++++++++++++++++++++

**************************************************************************************
Lab 1 - Configuring IPv6 - HQ Site
**************************************************************************************

===================================================================
1. Configure IPv6 Addresses
===================================================================

------ R1 ------

ipv6 unicast-routing
!
Interface E0/0
 ipv6 address 2000:1234:1111::1/64
 ipv6 address FE80::1 link-local
 no shut
!
Interface E0/1
 ipv6 address 2000:1234:ABCD:1ff::1/64
 ipv6 address FE80::1 link-local
 no shut
!
Interface loopback0
 ipv6 address 2000:1:1:1::1/64

------ R4 ------

ipv6 unicast-routing
!
Interface E0/0
 ipv6 address 2000:1234:ABCD:1ff::4/64
 ipv6 address FE80::4 link-local
 no shut
!
Interface E0/1
 ipv6 address 2000:1234:ABCD:100::4/64
 ipv6 address FE80::4 link-local
 no shut
!
Interface loopback0
 ipv6 address 2000:4:4:4::4/64

------ R5 ------

ipv6 unicast-routing
!
Interface E0/0
 ipv6 address 2000:1234:ABCD:100::5/64
 ipv6 address FE80::5 link-local
 no shut
!
Interface loopback0
 ipv6 address 2000:5:5:5::5/64
!
Interface loopback1
 ipv6 address 2000:1234:ABCD:101::5/64
!
Interface loopback2
 ipv6 address 2000:1234:ABCD:102::5/64
!
Interface loopback3
 ipv6 address 2000:1234:ABCD:103::5/64
!
Interface loopback4
 ipv6 address 2000:1234:ABCD:104::5/64
!
Interface loopback5
 ipv6 address 2000:1234:ABCD:105::5/64
!
Interface loopback6
 ipv6 address 2000:1234:ABCD:106::5/64
!
Interface loopback7
 ipv6 address 2000:1234:ABCD:107::5/64

===================================================================
2. Configure OSPFv3 in the HQ Site between R1, R4 & R5
===================================================================

------ R1 ------

ipv6 router ospf 1
 router-id 0.0.0.1
!
Interface E0/1
 ipv6 ospf 1 area 0
!
Interface Loopback0
 ipv6 ospf 1 area 0
 ipv6 ospf network point-to-point

------ R4 ------

router ospfv3 1
 router-id 0.0.0.4
 address-family ipv6
!
Interface E0/0
 ipv6 ospf 1 area 0
!
Interface E0/1
 ipv6 ospf 1 area 0
!
Interface Loopback0
 ipv6 ospf 1 area 0
 ipv6 ospf network point-to-point

------ R5 ------

router ospfv3 1
 router-id 0.0.0.5
 address-family ipv6
!
Interface E0/0
 ipv6 ospf 1 area 0
 ipv6 address fe80::5 link-local
!
Interface Loopback0
 ipv6 ospf 1 area 0
 ipv6 ospf network point-to-point
!
Interface Loopback1
 ipv6 ospf 1 area 0
 ipv6 ospf network point-to-point
!
Interface Loopback2
 ipv6 ospf 1 area 0
 ipv6 ospf network point-to-point
!
Interface Loopback3
 ipv6 ospf 1 area 0
 ipv6 ospf network point-to-point
!
Interface Loopback4
 ipv6 ospf 1 area 0
 ipv6 ospf network point-to-point
!
Interface Loopback5
 ipv6 ospf 1 area 0
 ipv6 ospf network point-to-point
!
Interface Loopback6
 ipv6 ospf 1 area 0
 ipv6 ospf network point-to-point
!
Interface Loopback7
 ipv6 ospf 1 area 0
 ipv6 ospf network point-to-point

===================================================================
3. Configure OSPFv3 between R1 & R4 to bypass the DR/BDR election
===================================================================

------ R1 ------

Interface E0/1
 ipv6 ospf network point-to-point

------ R4 ------

Interface E0/0
 ipv6 ospf network point-to-point

**************************************************************************************
Lab 2 - Configuring IPv6 - Remote Site # 1
**************************************************************************************

===================================================================
1. Configure IPv6 Addresses
===================================================================

------ R2 ------

ipv6 unicast-routing
!
Interface E0/0
 ipv6 address 2000:1234:2222::2/64
 ipv6 address FE80::2 link-local
 no shut
!
Interface E0/1
 ipv6 address 2000:1234:ABCD:2FF::2/64
 ipv6 address FE80::2 link-local
 no shut
!
Interface loopback0
 ipv6 address 2000:2:2:2::2/64

------ R7 ------

ipv6 unicast-routing
!
Interface E0/0
 ipv6 address 2000:1234:ABCD:2FF::7/64
 ipv6 address FE80::7 link-local
 no shut
!
Interface loopback0
 ipv6 address 2000:7:7:7::7/64
!
Interface loopback1
 ipv6 address 2000:1234:ABCD:200::7/64
!
Interface loopback2
 ipv6 address 2000:1234:ABCD:201::7/64
!
Interface loopback3
 ipv6 address 2000:1234:ABCD:202::7/64
!
Interface loopback4
 ipv6 address 2000:1234:ABCD:203::7/64

===================================================================
2. Configure EIGRP for IPv6 between R2 & R7 in Remote Site # 1
===================================================================

------ R2 ------

ipv6 router eigrp 200
 router-id 0.0.0.2
!
Interface E0/1
 ipv6 eigrp 200
!
Interface Loopback0
 ipv6 eigrp 200

------ R7 ------

ipv6 router eigrp 200
 router-id 0.0.0.7
!
Interface E0/0
 ipv6 eigrp 200
!
Interface Loopback0
 ipv6 eigrp 200
!
Interface Loopback1
 ipv6 eigrp 200
!
Interface Loopback2
 ipv6 eigrp 200
!
Interface Loopback3
 ipv6 eigrp 200
!
Interface Loopback4
 ipv6 eigrp 200

**************************************************************************************
Lab 3 - Configuring Authentication for OSPF & EIGRP
**************************************************************************************

=================================================================================
1. Configure IPSec-based authentication between R1 & R4 to encrypt OSPF Packets
=================================================================================

------ R1 ------

Interface E0/1
 ipv6 ospf encryption ipsec spi 1000 esp 3des 1234ABCD12341234ABCD12341234ABCD12341234ABCD1234 md5 ABCD1234ABCD1234ABCD1234ABCD1234

------ R4 ------

Interface E0/0
 ipv6 ospf encryption ipsec spi 1000 esp 3des 1234ABCD12341234ABCD12341234ABCD12341234ABCD1234 md5 ABCD1234ABCD1234ABCD1234ABCD1234

=================================================================================
2. Configure MD5 Authentication between R2 & R7 for EIGRP
=================================================================================

------ R2 ------

key chain ABC
 key 1
  key-string Cisco@123
!
Interface E0/1
 ipv6 authentication mode eigrp 200 md5
 ipv6 authentication key-chain eigrp 200 ABC

------ R7 ------

key chain ABC
 key 1
  key-string Cisco@123
!
Interface E0/0
 ipv6 authentication mode eigrp 200 md5
 ipv6 authentication key-chain eigrp 200 ABC

**************************************************************************************
Lab 4 - Configuring IPv6 - Remote Site # 2
**************************************************************************************

===================================================================
1. Configure IPv6 Addresses
===================================================================

------ R3 ------

ipv6 unicast-routing
!
Interface E0/1
 ipv6 address 2000:1234:ABCD:3FF::3/64
 ipv6 address FE80::3 link-local
 no shut
!
Interface loopback0
 ipv6 address 2000:3:3:3::3/64

------ R8 ------

ipv6 unicast-routing
!
Interface E0/0
 ipv6 address 2000:1234:ABCD:3FF::8/64
 ipv6 address FE80::8 link-local
 no shut
!
Interface loopback0
 ipv6 address 2000:8:8:8::8/64
!
Interface loopback1
 ipv6 address 2000:1234:ABCD:300::8/64
!
Interface loopback2
 ipv6 address 2000:1234:ABCD:301::8/64
!
Interface loopback3
 ipv6 address 2000:1234:ABCD:302::8/64
!
Interface loopback4
 ipv6 address 2000:1234:ABCD:303::8/64

===================================================================
2. Configure IS-IS for IPv6 between R3 & R8 in Remote Site # 2
===================================================================

------ R3 ------

router isis
 net 49.0000.0000.0000.0003.00
 is-type level-2
 address-family ipv6
!
Interface E0/1
 ipv6 router isis
!
Interface Loopback0
 ipv6 router isis

------ R8 ------

router isis
 net 49.0000.0000.0000.0008.00
 is-type level-2
 address-family ipv6
!
Interface E0/0
 ipv6 router isis
!
Interface Loopback0
 ipv6 router isis
!
Interface Loopback1
 ipv6 router isis
!
Interface Loopback2
 ipv6 router isis
!
Interface Loopback3
 ipv6 router isis
!
Interface Loopback4
 ipv6 router isis

===================================================================
3. Configure Authentication for IS-IS
===================================================================

------ R3 ------

key chain ABC
 key 1
  key-string Cisco123
!
Interface E0/1
 isis authentication mode md5
 isis authentication key-chain ABC

------ R8 ------

key chain ABC
 key 1
  key-string Cisco123
!
Interface E0/0
 isis authentication mode md5
 isis authentication key-chain ABC

**************************************************************************************
Lab 5 - Configuring IPv6 - BGP - ISP-HQ & ISP-Remote Site # 1
**************************************************************************************

===================================================================
1. Configure BGP between HQ & ISP
===================================================================

------ R9 ------

ipv6 unicast-routing
!
Interface E0/0
 ipv6 address 2000:1234:1111::9/64
 no shut
!
Interface E0/1
 ipv6 address 2000:1234:2222::9/64
 no shut
!
router bgp 1000
 neighbor 2000:1234:1111::1 remote-as 100
 address-family ipv6
  neighbor 2000:1234:1111::1 activate
  neighbor 2000:1234:1111::1 password Cisco123

------ R1 ------

router bgp 100
 neighbor 2000:1234:1111::9 remote-as 1000
 address-family ipv6
  neighbor 2000:1234:1111::9 activate
  neighbor 2000:1234:1111::9 password Cisco123
  redistribute ospf 1

===================================================================
2. Configure BGP between Remote Site # 1 & ISP
===================================================================

------ R9 ------

router bgp 1000
 neighbor 2000:1234:2222::2 remote-as 200
 address-family ipv6
  neighbor 2000:1234:2222::2 activate
  neighbor 2000:1234:2222::2 password Cisco123

------ R2 ------

router bgp 200
 neighbor 2000:1234:2222::9 remote-as 1000
 address-family ipv6
  neighbor 2000:1234:2222::9 activate
  neighbor 2000:1234:2222::9 password Cisco123
  redistribute eigrp 200

===================================================================
3. Redistribute BGP Routes into the Site IGPs
===================================================================

------ R1 ------

ipv6 router ospf 1
 redistribute bgp 100

------ R2 ------

ipv6 router eigrp 200
 redistribute bgp 200 metric 10 10 10 10 10

**************************************************************************************
Lab 6 - Configuring IPv6IP Tunnel to connect HQ to Remote Site # 2
**************************************************************************************

===================================================================
1. Configure a Tunnel between R1 & R3
===================================================================

------ R1 ------

interface Tunnel1
 tunnel source 200.1.1.1
 tunnel destination 199.1.1.3
 tunnel mode ipv6ip
 ipv6 address 2000:1234:ABCD:1313::1/64
 ipv6 ospf 1 area 0
!
router bgp 100
 address-family ipv6
  redistribute ospf 1 match internal external

------ R3 ------

interface Tunnel1
 tunnel source 199.1.1.3
 tunnel destination 200.1.1.1
 tunnel mode ipv6ip
 ipv6 address 2000:1234:ABCD:1313::3/64
 ipv6 ospf 1 area 0
!
ipv6 router ospf 1
 redistribute isis
!
router isis
 address-family ipv6
  redistribute ospf 1

**************************************************************************************
Lab 7 - Configuring NAT64
**************************************************************************************

===================================================================
1. Enable all the Interfaces on R4 for NAT64
===================================================================

------ R4 ------

Interface E0/0
 nat64 enable
!
Interface E0/1
 nat64 enable
!
Interface E0/2
 nat64 enable

===================================================================
2. Allocate an IPv6 Network for NAT64
===================================================================

------ R4 ------

nat64 prefix stateful 2000:1234:ABCD:400::/64

===================================================================
3. Inject the NAT64 prefix into the IPv6 Domain on R4
===================================================================

------ R4 ------

ipv6 route 2000:1234:ABCD:400::/64 null0
!
router ospfv3 1
 address-family ipv6
  redistribute static

===================================================================
4. Configure Static Translations on R4 for the IPv4 Addresses
===================================================================

------ R4 ------

nat64 v4v6 static 6.1.1.1 2000:1234:ABCD:400::1
nat64 v4v6 static 6.1.1.2 2000:1234:ABCD:400::2
nat64 v4v6 static 6.1.1.3 2000:1234:ABCD:400::3

==================================================================================
5. Configure Dynamic PAT for your IPv6 Clients accessing the legacy IPv4 Servers
==================================================================================

------ R4 ------

nat64 v4 pool POOL-A 10.10.10.1 10.10.10.2
!
ipv6 access-list ABC
 permit ip 2000:1234:ABCD::/48 any
!
nat64 v6v4 list ABC pool POOL-A overload

+++++++++++++++++++++++++++++++++ VPN +++++++++++++++++++++++++++++++++

**************************************************************************************
Lab 1 - Configuring a GRE-Based VPN
**************************************************************************************

===================================================================
1. Create a Tunnel to connect R1 to R3
===================================================================

------ R1 ------

Interface Tunnel1
 tunnel source 199.1.1.1
 tunnel destination 200.1.1.3
 ip address 192.168.1.1 255.255.255.0

------ R3 ------

Interface Tunnel1
 tunnel source 200.1.1.3
 tunnel destination 199.1.1.1
 ip address 192.168.1.3 255.255.255.0

===================================================================
2. Configure EIGRP to route the Internal Networks over the Tunnel
===================================================================

------ R1 ------

router eigrp 123
 network 10.0.0.0
 network 172.16.0.0
 network 192.168.1.0

------ R3 ------

router eigrp 123
 network 10.0.0.0
 network 172.16.0.0
 network 192.168.1.0

EIGRP HELLO Packet: 98 Bytes

-----------------------------------------------------------------------------
| GRE | 199.1.1.1 | 200.1.1.3 | EIGRP | 192.168.1.1 | 224.0.0.10 | EIGRP |
-----------------------------------------------------------------------------

**************************************************************************************
Lab 2 - Encrypting a GRE Tunnel using IPSec - GRE Over IPSec
**************************************************************************************

------ R1 ------

! 1. Configure Phase I Parameters
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash md5
 group 2
!
crypto isakmp key Cisco123 address 200.1.1.3
! 2. Configure Phase II Parameters
crypto ipsec transform-set ABC esp-3des esp-sha-hmac
! 3. Configure an IPSec Profile to link the transform Set. The Profile will be applied to the Tunnel Interface
Crypto ipsec profile IPROF
 set transform-set ABC
! 4. Apply the IPSec Profile to the Tunnel Interface.
Interface Tunnel1
 tunnel protection ipsec profile IPROF

------ R3 ------

! 1. Configure Phase I Parameters
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash md5
 group 2
!
crypto isakmp key Cisco123 address 199.1.1.1
! 2. Configure Phase II Parameters
crypto ipsec transform-set ABC esp-3des esp-sha-hmac
! 3. Configure an IPSec Profile to link the transform Set. The Profile will be applied to the Tunnel Interface
Crypto ipsec profile IPROF
 set transform-set ABC
! 4. Apply the IPSec Profile to the Tunnel Interface.
Interface Tunnel1
 tunnel protection ipsec profile IPROF

EIGRP HELLO Packet: 150 Bytes

--------------------------------------------------------------------------------------------------------
| ESP | 199.1.1.1 | 200.1.1.3 | GRE | 199.1.1.1 | 200.1.1.3 | EIGRP | 192.168.1.1 | 224.0.0.10 | EIGRP |
--------------------------------------------------------------------------------------------------------

**************************************************************************************
Lab 3 - GRE-Over-IPSec - Using Transport Mode
**************************************************************************************

------ R1 ------

crypto ipsec transform-set ABC esp-3des esp-sha-hmac
 mode transport

------ R3 ------

crypto ipsec transform-set ABC esp-3des esp-sha-hmac
 mode transport

EIGRP HELLO Packet: 134 Bytes

--------------------------------------------------------------------------------------------------------
| ESP | 199.1.1.1 | 200.1.1.3 | GRE | EIGRP | 192.168.1.1 | 224.0.0.10 | EIGRP |
--------------------------------------------------------------------------------------------------------

**************************************************************************************
Lab 4 - Native IPSec Tunnel Interface Based VPN (Static Virtual Tunnel Interface)
**************************************************************************************

------ R1 ------

Interface Tunnel1
 tunnel mode ipsec ipv4

------ R3 ------

Interface Tunnel1
 tunnel mode ipsec ipv4

EIGRP HELLO Packet: 126 Bytes

--------------------------------------------------------------------------------------------------------
| ESP | 199.1.1.1 | 200.1.1.3 | EIGRP | 192.168.1.1 | 224.0.0.10 | EIGRP |
--------------------------------------------------------------------------------------------------------

**************************************************************************************
Lab 5 - Configuring a Native IPSec Tunnel interface from scratch
**************************************************************************************

------ R1 ------

! 1. Configure Phase I Parameters
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash md5
 group 2
!
crypto isakmp key Cisco123 address 200.1.1.3
! 2. Configure Phase II Parameters
crypto ipsec transform-set ABC esp-3des esp-sha-hmac
! 3. Configure an IPSec Profile to link the transform Set. The Profile will be applied to the Tunnel Interface
Crypto ipsec profile IPROF
 set transform-set ABC
! 4. Apply the IPSec Profile to the Tunnel Interface.
Interface Tunnel1
 tunnel source 199.1.1.1
 tunnel destination 200.1.1.3
 tunnel mode ipsec ipv4
 ip address 192.168.1.1 255.255.255.0
 tunnel protection ipsec profile IPROF
! 5. Configure Dynamic Routing
router eigrp 123
 network 192.168.1.0
 network 172.16.0.0
 network 10.0.0.0

------ R3 ------

! 1. Configure Phase I Parameters
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash md5
 group 2
!
crypto isakmp key Cisco123 address 199.1.1.1
! 2. Configure Phase II Parameters
crypto ipsec transform-set ABC esp-3des esp-sha-hmac
! 3. Configure an IPSec Profile to link the transform Set. The Profile will be applied to the Tunnel Interface
Crypto ipsec profile IPROF
 set transform-set ABC
! 4. Apply the IPSec Profile to the Tunnel Interface.
Interface Tunnel1
 tunnel source 200.1.1.3
 tunnel destination 199.1.1.1
 tunnel mode ipsec ipv4
 ip address 192.168.1.3 255.255.255.0
 tunnel protection ipsec profile IPROF
! 5. Configure Dynamic Routing
router eigrp 123
 network 192.168.1.0
 network 172.16.0.0
 network 10.0.0.0
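
An added example, not part of the original lab notes: a Python check that flags the legacy algorithm choices these labs configure (3DES, MD5, Diffie-Hellman groups 1, 2 and 5) and any shared secret that is reused across protocols. The sample config is constructed from lines in the labs above; the function names and the expanded interface name `Ethernet0/1` are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: crypto, key-chain and BGP lines taken from the labs above.
SAMPLE = """\
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash md5
 group 2
crypto isakmp key Cisco123 address 200.1.1.3
crypto ipsec transform-set ABC esp-3des esp-sha-hmac
key chain ABC
 key 1
  key-string Cisco123
interface Ethernet0/1
 isis authentication mode md5
 isis authentication key-chain ABC
router bgp 100
 address-family ipv6
  neighbor 2000:1234:1111::9 password Cisco123
"""

# Legacy algorithm keywords that appear in the labs.
RULES = [
    ("3DES", re.compile(r"\b3des\b")),               # 64-bit block cipher
    ("MD5", re.compile(r"\bmd5\b")),                 # MD5 hash / MD5-keyed auth
    ("DH-GROUP", re.compile(r"^group (?:1|2|5)$")),  # modulus of 1536 bits or less
]
# Commands that carry a shared secret, with an optional encryption-type digit.
SECRET = re.compile(
    r"^(?:key-string|crypto isakmp key|neighbor \S+ password) (?:[067] )?(\S+)")

def audit(config):
    """Return (line_no, rule, top-level block) for each legacy-crypto line."""
    findings, block = [], ""
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():
            block = line  # an unindented line opens a new top-level block
        for rule, pattern in RULES:
            # "group N" only means a DH group inside an ISAKMP policy.
            if rule == "DH-GROUP" and not block.startswith("crypto isakmp policy"):
                continue
            if pattern.search(line):
                findings.append((no, rule, block))
    return findings

def reused_secrets(config):
    """Return groups of line numbers that configure the same shared secret."""
    seen = defaultdict(list)
    for no, raw in enumerate(config.splitlines(), 1):
        match = SECRET.match(raw.strip())
        if match:
            seen[match.group(1)].append(no)
    return [lines for lines in seen.values() if len(lines) > 1]

if __name__ == "__main__":
    for no, rule, block in audit(SAMPLE):
        print(f"line {no}: {rule} in '{block}'")
    for lines in reused_secrets(SAMPLE):
        print(f"same secret configured on lines {lines}")
```

The check relies on indentation to track the enclosing block, so it expects a config in the form `show running-config` prints, not one flattened onto a single line.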