SG

Sunday, 25 December 2011

BGP path manipulation using MED


In this post we will look at how to manipulate the BGP path.
First make sure the initial config lets every router ping the others, and add an IGP under the iBGP peerings so that BGP can come up.
The task is this: ***configure it so that traffic from AS#12 to AS#6 uses R1 as the exit point. You may only configure this on R4, using MED in the outbound direction.***
Here is the config:


R1
interface Loopback0
 ip address 10.1.1.1 255.255.255.255
!
interface Loopback100
 ip address 100.1.1.1 255.255.255.255
interface FastEthernet0/0.12
 encapsulation dot1Q 12
 ip address 10.1.12.1 255.255.255.0
 ip router isis
 no snmp trap link-status
 isis circuit-type level-1
!
interface FastEthernet0/0.13
 encapsulation dot1Q 13
 ip address 10.1.13.1 255.255.255.0
 no snmp trap link-status
router isis
 net 49.0001.0000.0000.0001.00
 is-type level-1
 passive-interface Loopback0
!
router bgp 12
 bgp router-id 10.1.1.1
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 10.1.1.2 remote-as 12
 neighbor 10.1.1.2 update-source Loopback0
 neighbor 10.1.13.3 remote-as 34
 !
 address-family ipv4
 neighbor 10.1.1.2 activate
 neighbor 10.1.1.2 send-community both
 neighbor 10.1.1.2 route-reflector-client
 neighbor 10.1.1.2 next-hop-self
 neighbor 10.1.13.3 activate
 neighbor 10.1.13.3 send-community both
 no auto-summary
 no synchronization
 network 10.1.1.1 mask 255.255.255.255 route-map SET_COM
 network 100.1.1.1 mask 255.255.255.255
 exit-address-family
ip bgp-community new-format
ip prefix-list SET_NET seq 5 permit 100.1.1.1/32
logging alarm informational
route-map SET_COM permit 10
 set community 1:1
!

R2
interface Loopback0
 ip address 10.1.1.2 255.255.255.255
interface FastEthernet0/0.12
 encapsulation dot1Q 12
 ip address 10.1.12.2 255.255.255.0
 ip router isis
 no snmp trap link-status
 isis circuit-type level-1
!
interface FastEthernet0/0.24
 encapsulation dot1Q 24
 ip address 10.1.24.2 255.255.255.0
 no snmp trap link-status
router isis
 net 49.0001.0000.0000.0002.00
 is-type level-1
 passive-interface Loopback0
!
router bgp 12
 bgp router-id 10.1.1.2
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 10.1.1.1 remote-as 12
 neighbor 10.1.1.1 update-source Loopback0
 neighbor 10.1.24.4 remote-as 34
 !
 address-family ipv4
 neighbor 10.1.1.1 activate
 neighbor 10.1.1.1 send-community both
 neighbor 10.1.1.1 next-hop-self
 neighbor 10.1.24.4 activate
 neighbor 10.1.24.4 send-community both
 no auto-summary
 no synchronization
 network 10.1.1.2 mask 255.255.255.255 route-map ORIGIN
 exit-address-family
ip bgp-community new-format
route-map ORIGIN permit 10
 set origin incomplete
 set community 2:2
!
route-map ORIGIN permit 20
!
route-map SET_COM permit 10
 set community 2:2

R3
interface Loopback0
 ip address 10.1.1.3 255.255.255.255

interface FastEthernet0/0.13
 encapsulation dot1Q 13
 ip address 10.1.13.3 255.255.255.0
 no snmp trap link-status
!
interface FastEthernet0/0.34
 encapsulation dot1Q 34
 ip address 10.1.34.3 255.255.255.0
 ip ospf network point-to-point
 ip ospf mtu-ignore
 no snmp trap link-status
!
interface FastEthernet0/0.35
 encapsulation dot1Q 35
 ip address 10.1.35.3 255.255.255.0
 no snmp trap link-status
router ospf 1
 router-id 10.1.1.3
 log-adjacency-changes
 passive-interface Loopback0
 network 10.1.1.3 0.0.0.0 area 0
 network 10.1.34.0 0.0.0.255 area 0
!
router bgp 34
 bgp router-id 10.1.1.3
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 10.1.1.4 remote-as 34
 neighbor 10.1.1.4 update-source Loopback0
 neighbor 10.1.13.1 remote-as 12
 neighbor 10.1.35.5 remote-as 6
 neighbor 10.1.35.5 local-as 7735
 !
 address-family ipv4
 neighbor 10.1.1.4 activate
 neighbor 10.1.1.4 send-community both
 neighbor 10.1.1.4 route-reflector-client
 neighbor 10.1.1.4 next-hop-self
 neighbor 10.1.13.1 activate
 neighbor 10.1.13.1 send-community both
 neighbor 10.1.13.1 route-map IN_TO_R1 in
 neighbor 10.1.13.1 route-map OUT_TO_R1 out
 neighbor 10.1.35.5 activate
 no auto-summary
 no synchronization
 network 10.1.1.3 mask 255.255.255.255 route-map SET_COM
 exit-address-family

ip bgp-community new-format
ip as-path access-list 1 permit _5$
ip prefix-list R1 seq 5 permit 10.1.1.1/32
logging alarm informational
!
route-map OUT_TO_R1 permit 10
 match as-path 1
 set metric 66666
!
route-map OUT_TO_R1 permit 20
!
route-map SET_COM permit 10
 set community 3:3
!
route-map IN_TO_R1 permit 10
 match ip address prefix-list R1
 set local-preference 75
!
route-map IN_TO_R1 permit 20

R4
interface Loopback0
 ip address 10.1.1.4 255.255.255.255
interface FastEthernet0/0.24
 encapsulation dot1Q 24
 ip address 10.1.24.4 255.255.255.0
 no snmp trap link-status
!
interface FastEthernet0/0.34
 encapsulation dot1Q 34
 ip address 10.1.34.4 255.255.255.0
 ip ospf network point-to-point
 ip ospf mtu-ignore
 no snmp trap link-status
!
interface FastEthernet0/0.46
 encapsulation dot1Q 46
 ip address 10.1.46.4 255.255.255.0
 no snmp trap link-status
router ospf 1
 router-id 10.1.1.4
 log-adjacency-changes
 passive-interface Loopback0
 network 10.1.1.4 0.0.0.0 area 0
 network 10.1.34.0 0.0.0.255 area 0
!
router bgp 34
 bgp router-id 10.1.1.4
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 10.1.1.3 remote-as 34
 neighbor 10.1.1.3 update-source Loopback0
 neighbor 10.1.1.6 remote-as 6
 neighbor 10.1.1.6 ebgp-multihop 5
 neighbor 10.1.1.6 update-source FastEthernet0/0.46
 neighbor 10.1.24.2 remote-as 12
 !
 address-family ipv4
 neighbor 10.1.1.3 activate
 neighbor 10.1.1.3 send-community both
 neighbor 10.1.1.3 next-hop-self
 neighbor 10.1.1.6 activate
 neighbor 10.1.1.6 send-community both
 neighbor 10.1.24.2 activate
 neighbor 10.1.24.2 send-community both
 neighbor 10.1.24.2 route-map COM out
 no auto-summary
 no synchronization
 network 10.1.1.4 mask 255.255.255.255 route-map SET_COM
 exit-address-family
ip route 10.1.1.6 255.255.255.255 10.1.46.6
ip bgp-community new-format
ip community-list 1 permit 6:6
ip prefix-list R2 seq 5 permit 10.1.1.2/32
logging alarm informational
!
route-map COM permit 10
 match community 1
 set as-path prepend 34 34 34
!
route-map SET_COM permit 10
 set origin incomplete
 set community 4:4
!
route-map IN_TO_R2 permit 10
 match ip address prefix-list R2
 set local-preference 55
!
route-map IN_TO_R2 permit 20

R5
!
interface Loopback0
 ip address 10.1.1.5 255.255.255.255
interface FastEthernet0/0.35
 encapsulation dot1Q 35
 ip address 10.1.35.5 255.255.255.0
 no snmp trap link-status
router bgp 5
 bgp router-id 10.1.1.5
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 10.1.35.3 remote-as 7735
 neighbor 10.1.35.3 local-as 6 no-prepend
 !
 address-family ipv4
 neighbor 10.1.35.3 activate
 neighbor 10.1.35.3 send-community
 neighbor 10.1.35.3 allowas-in
 no auto-summary
 no synchronization
 network 10.1.1.5 mask 255.255.255.255 route-map SET_COM
 exit-address-family
ip bgp-community new-format
route-map SET_COM permit 10
 set community 5:5

R6
interface Loopback0
 ip address 10.1.1.6 255.255.255.255
interface FastEthernet0/0.46
 encapsulation dot1Q 46
 ip address 10.1.46.6 255.255.255.0
 no snmp trap link-status

router bgp 6
 bgp router-id 10.1.1.6
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 10.1.46.4 remote-as 34
 neighbor 10.1.46.4 update-source Loopback0
 !
 address-family ipv4
 neighbor 10.1.46.4 activate
 neighbor 10.1.46.4 send-community both
 neighbor 10.1.46.4 allowas-in
 no auto-summary
 no synchronization
 network 10.1.1.6 mask 255.255.255.255 route-map SET_COM
 exit-address-family
ip bgp-community new-format

route-map SET_COM permit 10
 set community 6:6

We can verify it here:

R2#sh ip bgp
BGP table version is 10, local router ID is 10.1.1.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
r>i10.1.1.1/32      10.1.1.1                 0    100      0 i
*> 10.1.1.2/32      0.0.0.0                  0         32768 ?
*>i10.1.1.3/32      10.1.1.1                 0    100      0 34 i
*>i10.1.1.4/32      10.1.1.1                 0    100      0 34 ?
*>i10.1.1.5/32      10.1.1.1             66666    100      0 34 7735 6 5 i
*>i10.1.1.6/32      10.1.1.1                 0    100      0 34 6 i
*                   10.1.24.4                                0 34 34 34 34 6 i
*>i100.1.1.1/32     10.1.1.1                 0    100      0 i
R2#
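To show which step of the best-path algorithm actually picked each entry in R2's table, here is an added Python model of the Cisco decision order (example code, not from the original post). The two 10.1.1.6/32 paths are taken as R2 shows them; the 10.1.1.5/32 pairs, the peer at 10.1.1.9 and AS 99 are constructed to isolate the MED step and the effect of `bgp always-compare-med`.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    """One candidate BGP path as a router's BGP table would hold it."""
    prefix: str
    next_hop: str
    as_path: tuple          # leftmost element is the neighbouring AS; () = locally originated
    origin: str = "i"       # 'i' IGP, 'e' EGP, '?' incomplete
    med: int = 0            # a missing MED is treated as 0 (Cisco default)
    local_pref: int = 100
    weight: int = 0
    ibgp: bool = False      # True when learned from an iBGP peer
    router_id: str = "0.0.0.0"


ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}


def _ip_key(ip: str) -> tuple:
    return tuple(int(o) for o in ip.split("."))


def prefer(a: Path, b: Path, always_compare_med: bool = False):
    """Compare two paths for the same prefix in Cisco's decision order and
    return (winner, name of the step that decided)."""
    if a.weight != b.weight:
        return (a if a.weight > b.weight else b), "weight"
    if a.local_pref != b.local_pref:
        return (a if a.local_pref > b.local_pref else b), "local-pref"
    if bool(a.as_path) != bool(b.as_path):
        return (a if not a.as_path else b), "locally originated"
    if len(a.as_path) != len(b.as_path):          # prepends count, which is why R4's path loses
        return (a if len(a.as_path) < len(b.as_path) else b), "as-path length"
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return (a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b), "origin"
    # MED is only compared between paths from the same neighbouring AS unless
    # 'bgp always-compare-med' is configured; lower MED wins.
    same_neighbor_as = bool(a.as_path and b.as_path and a.as_path[0] == b.as_path[0])
    if (same_neighbor_as or always_compare_med) and a.med != b.med:
        return (a if a.med < b.med else b), "med"
    if a.ibgp != b.ibgp:
        return (a if not a.ibgp else b), "ebgp over ibgp"
    if a.router_id != b.router_id:
        return (a if _ip_key(a.router_id) < _ip_key(b.router_id) else b), "router-id"
    return a, "tie"


def best_path(paths, always_compare_med=False):
    """Run prefer() pairwise; returns (best path, step that decided the last comparison)."""
    best, step = paths[0], "only path"
    for cand in paths[1:]:
        best, step = prefer(best, cand, always_compare_med)
    return best, step


def demo():
    # 10.1.1.6/32 exactly as R2's table shows it: via R1 (iBGP, "34 6") and via R4
    # (eBGP, "34 34 34 34 6" after R4's 'set as-path prepend 34 34 34').
    via_r1 = Path("10.1.1.6/32", "10.1.1.1", (34, 6), ibgp=True, router_id="10.1.1.1")
    via_r4 = Path("10.1.1.6/32", "10.1.24.4", (34, 34, 34, 34, 6), router_id="10.1.1.4")
    # Constructed: 10.1.1.5/32 with equal-length AS paths from the same neighbouring
    # AS, so the MED R3 sets (66666) is the step that decides.
    med_r1 = Path("10.1.1.5/32", "10.1.1.1", (34, 7735, 6, 5), med=66666, ibgp=True,
                  router_id="10.1.1.1")
    med_r4 = Path("10.1.1.5/32", "10.1.24.4", (34, 7735, 6, 5), med=0, router_id="10.1.1.4")
    # Constructed: same MEDs but learned from a different neighbouring AS (hypothetical
    # AS 99 via a hypothetical iBGP peer 10.1.1.9): MED is skipped unless
    # always-compare-med is on, and the tie falls through to router-id.
    other_as = Path("10.1.1.5/32", "10.1.1.9", (99, 7735, 6, 5), med=0, ibgp=True,
                    router_id="10.1.1.9")
    return {
        "r2_10.1.1.6": best_path([via_r1, via_r4]),
        "med_same_as": best_path([med_r1, med_r4]),
        "med_diff_as": best_path([med_r1, other_as]),
        "med_diff_as_always": best_path([med_r1, other_as], always_compare_med=True),
    }


if __name__ == "__main__":
    for name, (winner, step) in demo().items():
        print(f"{name}: best via {winner.next_hop}, decided by {step}")
```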

Saturday, 24 December 2011

Dual Wan with OER

In this post I give an example of using 2 ISPs with the OER commands.

Here is the config used for OER:


fa0/0 : connected to IM2
fa0/1: connected to Telkom
vlan1: local LAN

***first we assign the OER master***
oer master
 policy-rules OER-MAP
 traceroute probe-delay 10000
 keepalive 1
 logging
 !
***match the external interfaces that lead to the WAN***
 border *LAN-IP* key-chain key1
  interface Vlan1 internal
  interface FastEthernet0/1 external
  interface FastEthernet0/0 external
 !
 learn
  throughput
  delay
  periodic-interval 1
  monitor-period 2
  prefixes 10000
  expire after time 1
  aggregation-type prefix-length 32
 max prefix total 10000
 no max range receive
 backoff 180 360
 mode route control
 mode select-exit best
 resolve loss priority 1 variance 1
 resolve delay priority 2 variance 5
 resolve utilization priority 3 variance 5
 resolve range priority 5
 !
!
oer border
 local Vlan1
 master *LAN-IP* key-chain key1
!
!
!***tracking using IP SLA***
track 99 rtr 99 reachability
 delay down 15 up 10
!
!***tracking using IP SLA***
track 173 rtr 173 reachability
 delay down 15 up 10
!
class-map type inspect match-any priv-pub-traffic
 match protocol http
 match protocol https
 match protocol ftp
  match protocol ssh
 match protocol appleqtc
 match protocol bittorrent
 match protocol dns
 match protocol echo
 match protocol h323
 match protocol ymsgr
 match protocol telnet
 match protocol udp
 match protocol icmp
 match protocol tcp
!
!
policy-map type inspect priv-pub-policy
 class type inspect priv-pub-traffic
  inspect
 class class-default
!
zone security public
zone security private
zone-pair security priv-pub source private destination public
 service-policy type inspect priv-pub-policy
!
!
!
!
interface FastEthernet0/0
 ip address *IM2* 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 zone-member security public
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address *TELKOM* 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 zone-member security public
 duplex auto
 speed auto
!
interface Vlan1
 ip address *LAN-IP* 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security private
!
ip local policy route-map LOCAL-TRAFFIC-EGRESS
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 *IM2-GW* 20 tag 99 track 99
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 *TELKOM-GW* 10 tag 173 track 173
!
ip nat translation dns-timeout 10
ip nat inside source route-map NAT-ISP-TELKOM interface FastEthernet0/1 overload oer
ip nat inside source route-map NAT-ISP-IM2 interface FastEthernet0/0 overload oer
!
ip access-list standard IP-SOURCE-TELKOM
 permit *TELKOM-IP*
ip access-list standard IP-SOURCE-IM2
 permit *IM2-IP*
ip access-list standard LAN
 permit *LAN-SUBNET* 0.0.0.255
!
***tracking using IP SLA***
ip sla 99
 icmp-echo *IM2-TEST-IP* source-interface FastEthernet0/0
 timeout 1500
 frequency 20
ip sla schedule 99 life forever start-time now
ip sla 173
 icmp-echo *TELKOM-TEST-IP* source-interface FastEthernet0/1
 timeout 1500
 frequency 20
ip sla schedule 173 life forever start-time now
!
!
!
route-map NAT-ISP-IM2 permit 10
 match ip address LAN
 match interface FastEthernet0/0
!
route-map LOCAL-TRAFFIC-EGRESS permit 10
 match ip address IP-SOURCE-TELKOM
 set ip next-hop *TELKOM-GW*
 set interface FastEthernet0/1
!
route-map LOCAL-TRAFFIC-EGRESS permit 20
 match ip address IP-SOURCE-IM2
 set ip next-hop *IM2-GW*
 set interface FastEthernet0/0
!
route-map LOCAL-TRAFFIC-EGRESS permit 30
 match ip address NAT-ACL LAN
 set interface Vlan1
!
route-map NAT-ISP-TELKOM permit 10
 match ip address LAN
 match interface FastEthernet0/1
!
!
!
!
oer-map OER-MAP 10
 match oer learn delay
 set traceroute reporting
!
oer-map OER-MAP 20
 match oer learn throughput
 set traceroute reporting


With this, the router can use both ISPs for traffic to the outside.

That's all for this post.

EEM Applet Script configuration

In this post I will demonstrate a feature of IOS EEM (Embedded Event Manager): if we shut down interface lo0, this EEM applet will bring interface lo0 back up automatically.
Let's look at the EEM example.

On R1 we first create interface lo0, then type the EEM commands:
R1#conf t
R1(config)#inter lo0

R1(config-if)#ip add 1.1.1.1 255
*Mar  1 00:03:14.971: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0,
 changed state to u
R1(config-if)#ip add 1.1.1.1 255.255.255.255
R1(config-if)#event manager applet Lo0
R1(config-applet)#event syslog occurs 2 pattern "Loopback0, changed state to admin"
R1(config-applet)#action 1.0 syslog msg "testing shutdown loopback0 - automatic no shut sendiri"
R1(config-applet)#action 1.1 syslog msg "Lo0 down, automatic lo0 nyala lagi"
R1(config-applet)#action 1.2 cli command "enable"
R1(config-applet)#action 1.3 cli command "configure ter"
R1(config-applet)#action 1.4 cli command "int lo0"
R1(config-applet)#action 1.5 cli command "no shut"
R1(config-applet)#action 1.6 syslog msg "OK lo0 sudah aktif kembali"
R1(config-applet)#
R1(config-applet)#do sh run | s event


event manager applet Lo0
 event syslog occurs 2 pattern "Loopback0, changed state to admin"
 action 1.0 syslog msg "testing shutdown loopback0 - automatic no shut sendiri"
 action 1.1 syslog msg "Lo0 down, automatic lo0 nyala lagi"
 action 1.2 cli command "enable"
 action 1.3 cli command "configure ter"
 action 1.4 cli command "int lo0"
 action 1.5 cli command "no shut"
 action 1.6 syslog msg "OK lo0 sudah aktif kembali"
R1(config-applet)#end


R1#
R1#conf t
R1(config)#
R1(config-if)#inter lo0
R1(config-if)#no shu
R1(config-if)#no shutdown
R1(config-if)#
*Mar  1 00:05:57.531: %LINK-3-UPDOWN: Interface Loopback0, changed state to up
*Mar  1 00:05:58.531: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0,
 changed state to up
R1(config-if)#end
R1#
*Mar  1 00:06:04.967: %SYS-5-CONFIG_I: Configured from console by console
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#inter lo0
R1(config-if)#shu
R1(config-if)#
*Mar  1 00:07:49.459: %LINK-5-CHANGED: Interface Loopback0, changed state to adm
inistratively down
*Mar  1 00:07:49.487: %HA_EM-6-LOG: Lo0: testing shutdown loopback0 - automatic
no shut sendiri
*Mar  1 00:07:49.487: %HA_EM-6-LOG: Lo0: Lo0 down, automatic lo0 nyala lagi
*Mar  1 00:07:49.963: %HA_EM-6-LOG: Lo0: OK lo0 sudah aktif kembali
*Mar  1 00:07:49.979: %SYS-5-CONFIG_I: Configured from console by vty0
*Mar  1 00:07:51.939: %LINK-3-UPDOWN: Interface Loopback0, changed state to up
R1(config-if)#do sh ip inter bri
% Ambiguous command:  "do sh ip inter bri"
R1(config-if)#do sh ip inter bri
Interface                  IP-Address      OK? Method Status                Prot
ocol
FastEthernet0/0            unassigned      YES unset  administratively down down

FastEthernet0/1            unassigned      YES unset  administratively down down

Loopback0                  1.1.1.1         YES manual up                    up

R1(config-if)#

From the session above you can see that when interface lo0 is shut down, it is automatically brought back up (no shut) because this router now runs the EEM applet.

That's all for this EEM post.

Friday, 23 December 2011

Using Kron to automatically back up your router config


In this post I will show how to do automatic backups with archive and with Kron.

Using archive:
First you need a TFTP server; you can use 3CDaemon or tftpd32. Make sure this TFTP server is always running.

Then let's try backing up the config using archive:
R1#conf t
R1(config)#archive
R1(config-archive)#path tftp://10.10.10.100/backup-cfg   ***places the config file on the TFTP server at that IP, under the backup file name given***
R1(config-archive)#time-period 1440   ***save every 24 hours***
R1(config-archive)#write-memory
R1(config-archive)#end
R1#
R1#write
Building configuration...   ***note the time of each write-memory***
[OK]!!
R1#
R1#write
Building configuration...
[OK]!!

When we type write-memory, a file is saved in the directory of the running TFTP server.

Now using Kron:
R1#conf t
R1(config)#kron policy-list netx
R1(config-kron-policy)#cli sh running-config | redirect tftp://10.10.10.100/netxbackup-cfg
R1(config-kron-policy)#exit
R1(config)#kron occurrence netx-kron at 10:00 recurring
R1(config-kron-occurrence)#policy-list netx
R1(config-kron-occurrence)#end
R1#sh kron schedule
Kron Occurrence Schedule
netx-kron inactive, will run again in 0 days 18:16:48 at 10:00 on

R1#clock set 9:59:30 31 Dec 2011
R1#sh kron schedule
Kron Occurrence Schedule
netx-kron inactive, will run again in 0 days 00:00:29 at 10:00 on

R1#sh kron schedule
Kron Occurrence Schedule
netx-kron inactive, will run again in 0 days 00:00:01 at 10:00 on

R1#sh kron schedule
Kron Occurrence Schedule
netx-kron active, will run again in 0 days 23:59:58 at 10:00 on

Then look at the TFTP server: there will be an extra backup file named netxbackup-cfg in your tftpserver directory.
You can open that file with Notepad or WordPad.

That's all for this post.
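A scheduled backup only pays off when someone compares it with the previous one. The Python below is an added example (not part of the original post): it normalizes two of the TFTP backups produced by archive or Kron, drops the lines that change on every save, reports what was added or removed with its section context, and flags changes a defender would want to review. Both config texts are constructed samples; the review patterns are an assumed starting list.

```python
import re

# Lines that change on every save and must not count as drift.
VOLATILE = (
    re.compile(r"^Building configuration"),
    re.compile(r"^Current configuration"),
    re.compile(r"^ntp clock-period "),
)

# Assumed starting lists: additions / removals worth a human look.
REVIEW_ADDED = (
    re.compile(r"^username "),
    re.compile(r"^snmp-server community "),
    re.compile(r"^ip http server"),
    re.compile(r"^enable (secret|password)"),
    re.compile(r"^ip route "),
)
REVIEW_REMOVED = (
    re.compile(r"^service password-encryption"),
    re.compile(r"^logging "),
    re.compile(r"^aaa "),
)


def normalize(config_text):
    """Turn a backup into context-qualified lines: an indented line is prefixed
    with its parent section ('interface Loopback0 > ip address ...') so the same
    command under two interfaces stays distinguishable. Comments ('!'), blank
    lines and volatile lines are dropped."""
    out, parent = [], None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if any(p.match(raw) for p in VOLATILE):
            continue
        if raw[0] != " ":
            parent = raw.rstrip()
            out.append(parent)
        else:
            out.append(f"{parent} > {raw.strip()}")
    return out


def config_drift(old_text, new_text):
    """Order-insensitive comparison of two backups; returns added, removed and
    the subset of both that matches the review patterns."""
    old, new = set(normalize(old_text)), set(normalize(new_text))
    added, removed = sorted(new - old), sorted(old - new)
    review = [l for l in added if any(p.match(l) for p in REVIEW_ADDED)]
    review += [l for l in removed if any(p.match(l) for p in REVIEW_REMOVED)]
    return {"added": added, "removed": removed, "review": review}


# Constructed sample backups, in the shape 'show running-config' produces.
BACKUP_YESTERDAY = """\
Building configuration...

Current configuration : 812 bytes
!
! Last configuration change at 09:59:30 UTC Fri Dec 30 2011
!
version 12.4
service password-encryption
hostname R1
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
archive
 path tftp://10.10.10.100/backup-cfg
 time-period 1440
 write-memory
!
ntp clock-period 17179869
end
"""

BACKUP_TODAY = """\
Building configuration...

Current configuration : 840 bytes
!
! Last configuration change at 10:00:01 UTC Sat Dec 31 2011
!
version 12.4
hostname R1
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
snmp-server community public RW
!
archive
 path tftp://10.10.10.100/backup-cfg
 time-period 1440
 write-memory
!
ntp clock-period 17179902
end
"""

if __name__ == "__main__":
    for key, lines in config_drift(BACKUP_YESTERDAY, BACKUP_TODAY).items():
        print(key, lines)
```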

Wednesday, 21 December 2011

RSTP, MST Configuration

First use EIGRP AS 2003 and make sure walker1 and walker2 can ping each other. Then we continue on walker1:

hostname walker1
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan192
! ip address 172.16.192.16 255.255.255.0

VTP configuration on walker1:

walker1#vlan database
walker1(vlan)#vtp domain walker
walker1(vlan)#vtp server
walker1(vlan)#vtp password psv2

Next, the VLAN port configuration:

interface FastEthernet0/3
 switchport access vlan 300
! assigned to VLAN 300
 switchport mode access
 spanning-tree portfast
! Portfast used in 802.1w
 no ip address
!
interface FastEthernet0/5
 switchport access vlan 100
! assigned to VLAN 100
 switchport mode access
 spanning-tree portfast
! Portfast used in 802.1w
 no ip address
!
interface FastEthernet0/8
 switchport access vlan 100
! assigned to VLAN 100
 switchport mode access
 spanning-tree portfast
! Portfast used in 802.1w
 no ip address

Continuing with the portfast configuration:

walker1(config)#interface range fastEthernet 0/10 - 15
walker1(config-if-range)#switchport mode access
walker1(config-if-range)#switchport access vlan 20
walker1(config-if-range)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface  when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION
%Portfast will be configured in 6 interfaces due to the range command
 but will only have effect when the interfaces are in a non-trunking mode.
walker1(config-if-range)#exit

To verify the VLAN and VTP status:

walker1#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/4,
                                                Fa0/6, Fa0/9, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
20   psv2_vlan20                      active    Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15
100  psv2_vlan100                     active    Fa0/5, Fa0/8
192  psv2_vlan192                     active
300  psv2_vlan300                     active    Fa0/3
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
20   enet  100020     1500  -      -      -        -    -        0      0
100  enet  100100     1500  -      -      -        -    -        0      0
192  enet  100192     1500  -      -      -        -    -        0      0
300  enet  100300     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    srb      0      0
1004 fdnet 101004     1500  -      -      1        ieee -        0      0
1005 trnet 101005     1500  -      -      1        ibm  -        0      0
walker1#
walker1#show vtp status
VTP Version                     : 2
Configuration Revision          : 3
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 9
VTP Operating Mode              : Server
VTP Domain Name                 : walker
VTP Pruning Mode                : Enabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xEF 0xD8 0x4D 0x0A 0x57 0x8F 0x7E 0x14
Configuration last modified by 172.16.192.16 at 3-1-93 01:10:51
Local updater ID is 172.16.192.16 on interface Vl192 (lowest numbered VLAN interface)
walker1#

Trunking configuration on walker1:

walker1(config)#interface gigabit 0/2
walker1(config-if)#switchport trunk encapsulation dot1q
walker1(config-if)#switchport mode trunk
walker1(config-if)#exit
walker1(config)#interface fast 0/17
walker1(config-if)#switchport trunk encapsulation dot1q
walker1(config-if)#switchport mode trunk
walker1(config-if)#exit

MST configuration on walker1:

walker1(config)#spanning-tree mst config
walker1(config-mst)#name walker
walker1(config-mst)#revision 1
walker1(config-mst)#instance 1 vlan 2-300
walker1(config-mst)#exit
walker1(config)#spanning-tree mst 1 root primary
walker1(config)#spanning-tree mode mst


MST status on walker1:

walker1#show spanning-tree mst 1
###### MST01        vlans mapped:   2-300
Bridge      address 000a.8a0e.ba80  priority  24577 (24576 sysid 1)
Root        this switch for MST01
Interface        role state cost      prio type
---------------- ---- ----- --------- ---- --------------------------------
Fa0/3            desg FWD   200000    128  edge P2P
Fa0/5            desg FWD   2000000   128  edge SHR
Fa0/8            desg FWD   200000    128  edge P2P
Fa0/10           desg FWD   2000000   128  edge SHR
Fa0/17           desg FWD   200000    128  P2P
Gi0/2            desg FWD   20000     128  P2P
walker1#show spanning-tree root
                                        Root    Hello Max Fwd
MST Instance           Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
MST00            32768 0004.275e.f0c0    200000    2   20  15  Gi0/2
MST01            24577 000a.8a0e.ba80         0    2   20  15
walker1#

To test RSTP and MST:

surgery#ping
Protocol [ip]:
Target IP address: 172.16.30.7
Repeat count [5]: 10000
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 10000, 100-byte ICMP Echos to 172.16.30.7, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!..!   <- Gig 0/2 dropped
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (9998/10000), round-trip min/avg/max = 1/2/20 ms

SVI interface configuration:

interface Vlan20
 ip address 172.16.2.16 255.255.255.0
!
interface Vlan100
 ip address 172.16.10.16 255.255.255.0
!
interface Vlan192
 ip address 172.16.192.16 255.255.255.0
!
interface Vlan300
 ip address 172.16.30.16 255.255.255.0


Configuration on walker2:

hostname walker2
!
enable secret 5 $1$oTsK$C95mG2YeDzQ4w3ecs0CkS0
!
spanning-tree mode mst
spanning-tree extend system-id
!
spanning-tree mst configuration
 name walker
 revision 1
 instance 1 vlan 2-300
!
interface FastEthernet0/1
 switchport access vlan 300
 switchport mode access
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/17
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
!
interface Vlan1
 no ip address
 shutdown
!
interface VLAN192
 ip address 172.16.192.13 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
!
ip default-gateway 172.16.192.16

Protected ports configuration:

walker1(config)#interface range fastEthernet 0/10 - 15
walker1(config-if-range)#switchport protected
walker1(config-if-range)#^z
walker1#
walker1#show interfaces fastEthernet 0/10 switchport
Name: Fa0/10
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 20 (psv2_vlan20)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Protected: true
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled

Voice VLAN: none (Inactive)
Appliance trust: none

That's all for this post.

VRRP Configuration

VRRP is an open standard protocol, an alternative to Cisco's HSRP.

VRRP Sample Configuration on C1
**************************************
!
track 1 interface Serial1/0 line-protocol
!
interface FastEthernet0/0
ip address 192.168.10.2 255.255.255.0
duplex auto
speed auto
vrrp 1 ip 192.168.10.1
vrrp 1 priority 110
vrrp 1 authentication agus123
vrrp 1 track 1 decrement 20
!
**************************************
VRRP Sample Configuration on C2
**************************************
!
interface FastEthernet0/0
ip address 192.168.10.3 255.255.255.0
duplex auto
speed auto
vrrp 1 ip 192.168.10.1
vrrp 1 authentication agus123
!
**************************************
How to check 1 (show vrrp all/brief)
**************************************
C1#sh vrrp all
FastEthernet0/0 - Group 1
State is Master
Virtual IP address is 192.168.10.1
Virtual MAC address is 0000.5e00.0101
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 110
Track object 1 state Up decrement 20
Authentication text "agus123"
Master Router is 192.168.10.2 (local), priority is 110
Master Advertisement interval is 1.000 sec
Master Down interval is 3.570 sec

C1#
**************************************
C2#sh vrrp all
FastEthernet0/0 - Group 1
State is Backup
Virtual IP address is 192.168.10.1
Virtual MAC address is 0000.5e00.0101
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 100
Authentication text "agus123"
Master Router is 192.168.10.2, priority is 110
Master Advertisement interval is 1.000 sec
Master Down interval is 3.609 sec (expires in 3.425 sec)

C2#
**************************************
How to check 2 (ping and tracert)
**************************************
C:\>ping 192.168.40.5 -n 5

Pinging 192.168.40.5 with 32 bytes of data:

Reply from 192.168.40.5: bytes=32 time=341ms TTL=126
Reply from 192.168.40.5: bytes=32 time=262ms TTL=126
Reply from 192.168.40.5: bytes=32 time=280ms TTL=126
Reply from 192.168.40.5: bytes=32 time=528ms TTL=126
Reply from 192.168.40.5: bytes=32 time=444ms TTL=126

Ping statistics for 192.168.40.5:
Packets: Sent = 5, Received = 5, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 262ms, Maximum = 528ms, Average = 371ms
**************************************
C:\>tracert 192.168.40.5

Tracing route to 192.168.40.5 over a maximum of 30 hops

1    92 ms    87 ms   144 ms  192.168.10.2
2   277 ms   191 ms   348 ms  192.168.20.2
3   206 ms   291 ms   387 ms  192.168.40.5

Trace complete.

C:\>
**************************************
How to check 3 (shutdown int f0/0 on C1)
**************************************
C1(config)#int f0/0
C1(config-if)#shut
C1(config-if)#
*Dec 11 10:13:34.667: %VRRP-6-STATECHANGE: Fa0/0 Grp 1 state Master -> Init
*Dec 11 10:13:34.687: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Dec 11 10:13:36.667: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
*Dec 11 10:13:36.667: %ENTITY_ALARM-6-INFO: ASSERT INFO Fa0/0 Physical Port Administrative State Down
*Dec 11 10:13:37.667: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
**************************************
C2#
*Dec 11 10:07:28.327: %VRRP-6-STATECHANGE: Fa0/0 Grp 1 state Backup -> Master
**************************************
C1#sh vrrp all
FastEthernet0/0 - Group 1
State is Init
Virtual IP address is 192.168.10.1
Virtual MAC address is 0000.5e00.0101
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 110
Track object 1 state Up decrement 20
Authentication text "agus123"
Master Router is unknown, priority is unknown
Master Advertisement interval is unknown
Master Down interval is unknown

C1#
**************************************
C2#sh vrrp all
FastEthernet0/0 - Group 1
State is Master
Virtual IP address is 192.168.10.1
Virtual MAC address is 0000.5e00.0101
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 100
Authentication text "agus123"
Master Router is 192.168.10.3 (local), priority is 100
Master Advertisement interval is 1.000 sec
Master Down interval is 3.609 sec

C2#
**************************************

C:\>ping 192.168.40.5 -n 5

Pinging 192.168.40.5 with 32 bytes of data:

Reply from 192.168.40.5: bytes=32 time=332ms TTL=126
Reply from 192.168.40.5: bytes=32 time=351ms TTL=126
Reply from 192.168.40.5: bytes=32 time=322ms TTL=126
Reply from 192.168.40.5: bytes=32 time=449ms TTL=126
Reply from 192.168.40.5: bytes=32 time=615ms TTL=126

Ping statistics for 192.168.40.5:
Packets: Sent = 5, Received = 5, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 322ms, Maximum = 615ms, Average = 413ms
**************************************
C:\>tracert 192.168.40.5

Tracing route to 192.168.40.5 over a maximum of 30 hops

1   267 ms   167 ms    53 ms  192.168.10.3
2   388 ms   246 ms   168 ms  192.168.30.2
3   407 ms   368 ms   310 ms  192.168.40.5

Trace complete.

C:\>
**************************************
How to check 4 (no shutdown int f0/0 on C1)
**************************************
C1(config)#int f0/0
C1(config-if)#no shut
C1(config-if)#
*Dec 11 10:16:27.267: %VRRP-6-STATECHANGE: Fa0/0 Grp 1 state Init -> Backup
*Dec 11 10:16:29.251: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Dec 11 10:16:29.251: %ENTITY_ALARM-6-INFO: CLEAR INFO Fa0/0 Physical Port Administrative State Down
*Dec 11 10:16:30.251: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
*Dec 11 10:16:30.839: %VRRP-6-STATECHANGE: Fa0/0 Grp 1 state Backup -> Master
*Dec 11 10:16:33.503: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on FastEthernet0/0 from LOADING to FULL, Loading Done
**************************************
C2#
*Dec 11 10:10:39.731: %VRRP-6-STATECHANGE: Fa0/0 Grp 1 state Master -> Backup
*Dec 11 10:10:41.523: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on FastEthernet0/0 from LOADING to FULL, Loading Done
**************************************
FastEthernet0/0 - Group 1
State is Master
Virtual IP address is 192.168.10.1
Virtual MAC address is 0000.5e00.0101
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 110
Track object 1 state Up decrement 20
Authentication text "agus123"
Master Router is 192.168.10.2 (local), priority is 110
Master Advertisement interval is 1.000 sec
Master Down interval is 3.570 sec

C1#
**************************************
C2#sh vrrp all
FastEthernet0/0 - Group 1
State is Backup
Virtual IP address is 192.168.10.1
Virtual MAC address is 0000.5e00.0101
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 100
Authentication text "agus123"
Master Router is 192.168.10.2, priority is 110
Master Advertisement interval is 1.000 sec
Master Down interval is 3.609 sec (expires in 2.045 sec)

C2#
**************************************

C:\>ping 192.168.40.5 -n 5

Pinging 192.168.40.5 with 32 bytes of data:

Reply from 192.168.40.5: bytes=32 time=379ms TTL=126
Reply from 192.168.40.5: bytes=32 time=335ms TTL=126
Reply from 192.168.40.5: bytes=32 time=371ms TTL=126
Reply from 192.168.40.5: bytes=32 time=346ms TTL=126
Reply from 192.168.40.5: bytes=32 time=428ms TTL=126

Ping statistics for 192.168.40.5:
Packets: Sent = 5, Received = 5, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 335ms, Maximum = 428ms, Average = 371ms

C:\>tracert 192.168.40.5
**************************************
Tracing route to 192.168.40.5 over a maximum of 30 hops

1   607 ms   395 ms   516 ms  192.168.10.2
2   628 ms   201 ms   382 ms  192.168.20.2
3   607 ms   521 ms   339 ms  192.168.40.5

Trace complete.

C:\>
**************************************
How to check 5 (shutdown int s1/0 on C1)
**************************************
C1(config)#int s1/0
C1(config-if)#shutdown
C1(config-if)#
*Dec 11 10:19:19.015: %TRACKING-5-STATE: 1 interface Se1/0 line-protocol Up->Down
*Dec 11 10:19:19.023: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on Serial1/0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Dec 11 10:19:20.995: %LINK-5-CHANGED: Interface Serial1/0, changed state to administratively down
*Dec 11 10:19:20.995: %ENTITY_ALARM-6-INFO: ASSERT INFO Se1/0 Physical Port Administrative State Down
*Dec 11 10:19:21.995: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to down
*Dec 11 10:19:22.023: %VRRP-6-STATECHANGE: Fa0/0 Grp 1 state Master -> Backup
**************************************
C2#
*Dec 11 10:13:28.343: %VRRP-6-STATECHANGE: Fa0/0 Grp 1 state Backup -> Master
**************************************
C1(config-if)#do sh vrrp all
FastEthernet0/0 - Group 1
State is Backup
Virtual IP address is 192.168.10.1
Virtual MAC address is 0000.5e00.0101
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 90  (cfgd 110)
Track object 1 state Down decrement 20
Authentication text "agus123"
Master Router is 192.168.10.3, priority is 100
Master Advertisement interval is 1.000 sec
Master Down interval is 3.570 sec (expires in 3.198 sec)

C1(config-if)#
**************************************
C2#sh vrrp all
FastEthernet0/0 - Group 1
State is Master
Virtual IP address is 192.168.10.1
Virtual MAC address is 0000.5e00.0101
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 100
Authentication text "agus123"
Master Router is 192.168.10.3 (local), priority is 100
Master Advertisement interval is 1.000 sec
Master Down interval is 3.609 sec

C2#
**************************************
C:\>ping 192.168.40.5 -n 5

Pinging 192.168.40.5 with 32 bytes of data:

Reply from 192.168.40.5: bytes=32 time=231ms TTL=126
Reply from 192.168.40.5: bytes=32 time=413ms TTL=126
Reply from 192.168.40.5: bytes=32 time=316ms TTL=126
Reply from 192.168.40.5: bytes=32 time=480ms TTL=126
Reply from 192.168.40.5: bytes=32 time=367ms TTL=126

Ping statistics for 192.168.40.5:
Packets: Sent = 5, Received = 5, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 231ms, Maximum = 480ms, Average = 361ms
**************************************
C:\>tracert 192.168.40.5

Tracing route to 192.168.40.5 over a maximum of 30 hops

1   326 ms   121 ms    48 ms  192.168.10.3
2   392 ms   202 ms   207 ms  192.168.30.2
3   544 ms   603 ms   515 ms  192.168.30.2
4   423 ms   256 ms   276 ms  192.168.40.5

Trace complete.

C:\>
**************************************
How to check 6 (no shutdown int s1/0 on C1)
**************************************
C1(config-if)#int s1/0
C1(config-if)#no shut
C1(config-if)#
*Dec 11 10:22:31.627: %LINK-3-UPDOWN: Interface Serial1/0, changed state to up
*Dec 11 10:22:31.627: %ENTITY_ALARM-6-INFO: CLEAR INFO Se1/0 Physical Port Administrative State Down
*Dec 11 10:22:31.635: %TRACKING-5-STATE: 1 interface Se1/0 line-protocol Down->Up
*Dec 11 10:22:32.635: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up
*Dec 11 10:22:33.487: %VRRP-6-STATECHANGE: Fa0/0 Grp 1 state Backup -> Master
*Dec 11 10:22:43.575: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on Serial1/0 from LOADING to FULL, Loading Done
**************************************
C2#
*Dec 11 10:16:47.391: %VRRP-6-STATECHANGE: Fa0/0 Grp 1 state Master -> Backup
**************************************
C1(config-if)#do sh vrrp all
FastEthernet0/0 - Group 1
State is Master
Virtual IP address is 192.168.10.1
Virtual MAC address is 0000.5e00.0101
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 110
Track object 1 state Up decrement 20
Authentication text "agus123"
Master Router is 192.168.10.2 (local), priority is 110
Master Advertisement interval is 1.000 sec
Master Down interval is 3.570 sec

C1(config-if)#
**************************************
C2#sh vrrp all
FastEthernet0/0 - Group 1
State is Backup
Virtual IP address is 192.168.10.1
Virtual MAC address is 0000.5e00.0101
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 100
Authentication text "agus123"
Master Router is 192.168.10.2, priority is 110
Master Advertisement interval is 1.000 sec
Master Down interval is 3.609 sec (expires in 3.185 sec)

C2#
**************************************
C:\>ping 192.168.40.5 -n 5

Pinging 192.168.40.5 with 32 bytes of data:

Reply from 192.168.40.5: bytes=32 time=441ms TTL=126
Reply from 192.168.40.5: bytes=32 time=427ms TTL=126
Reply from 192.168.40.5: bytes=32 time=594ms TTL=126
Reply from 192.168.40.5: bytes=32 time=863ms TTL=126
Reply from 192.168.40.5: bytes=32 time=324ms TTL=126

Ping statistics for 192.168.40.5:
Packets: Sent = 5, Received = 5, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 324ms, Maximum = 863ms, Average = 529ms
**************************************
C:\>tracert 192.168.40.5

Tracing route to 192.168.40.5 over a maximum of 30 hops

1   184 ms   105 ms    82 ms  192.168.10.2
2   332 ms   261 ms   214 ms  192.168.20.2
3   323 ms   344 ms   467 ms  192.168.40.5

Trace complete.

C:\>

We can see that when the interface on C1 or C2 goes down, traffic still gets through via VRRP, as long as one of the two routers, C1 or C2, is still up as master...

References: packetlife.net and CCIE Bootcamp Indonesia


Video Zone-Based Firewall Configuration



In this video, the inside and outside zones are shown:
INSIDE zone: the link between R2 and R1, where fa0/0 on R2 (VLAN 2, 10.0.0.2/24) connects to fa0/0 on R1 (10.0.0.1/24)
OUTSIDE zone: the link between R3 and R2, where fa0/1 on R2 (23.0.0.2/24) connects to fa0/1 on R3 (23.0.0.3/24)....
First, create class-map CMAP-1...
matching the protocols tcp, icmp and udp...
Then create policy-map PMAP-1 and assign class-map CMAP-1 inside it;
the traffic is inspected and rate-limited to 8000 bits...
Next, add the zone-pair "zone-pair security inside-to-outside source inside destination outside"
and apply "service-policy type inspect PMAP-1" to it...
Test with a ping...
Then, to view this policy-map, use "show policy-map type inspect zone-pair sessions";
class-map CMAP-1 will appear with match protocol ICMP, and there will be traffic packets passing through...
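The configuration the steps above describe, written out on R2 as an added example (this is a reconstruction from the steps and addressing given above, not the configuration shown in the video). Three things are assumed because the text does not state them: `match-any` on the class-map (with the default `match-all` a packet would have to be tcp, udp and icmp at the same time, so nothing would ever match), the `burst 1000` bytes on the `police` statement (the `police rate` value is in bits per second, which is what the "8000 bits" above refers to), and an explicit `drop` on `class-default`, which only makes the zone-based firewall's default behaviour visible in the config. Zone membership is on R2's fa0/0 and fa0/1 as described; R1 and R3 only need their IP addresses.

```cisco
! R2: zone-based firewall, inside-to-outside with inspection and a rate limit
! (added example reconstructed from the steps above, not the video's own config)
!
! 1. Security zones
zone security inside
zone security outside
!
! 2. Class-map: match-any is assumed so that tcp, udp and icmp each match
class-map type inspect match-any CMAP-1
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! 3. Policy-map: inspect (stateful, so return traffic is permitted automatically)
!    and police at 8000 bps; the burst of 1000 bytes is an assumed value
policy-map type inspect PMAP-1
 class type inspect CMAP-1
  inspect
  police rate 8000 burst 1000
 class class-default
  drop
!
! 4. Interfaces joined to their zones
interface FastEthernet0/0
 description link to R1 (inside)
 ip address 10.0.0.2 255.255.255.0
 zone-member security inside
!
interface FastEthernet0/1
 description link to R3 (outside)
 ip address 23.0.0.2 255.255.255.0
 zone-member security outside
!
! 5. Zone-pair and the inspect policy applied in the inside-to-outside direction
zone-pair security inside-to-outside source inside destination outside
 service-policy type inspect PMAP-1
```

After a ping from R1 to R3, "show policy-map type inspect zone-pair sessions" should list CMAP-1 with the ICMP session and its packet counters. Note the direction: only one zone-pair exists, so connections initiated from the outside zone toward the inside zone have no policy and are dropped; a ping from R3 to R1 will fail until a separate outside-to-inside zone-pair with its own policy is added, which is the intended default-deny behaviour of a zone-based firewall.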