TOPOLOGÍA
- Tacacs - Usuario root / Password reverse. Tiene la configuración de este escenario
- Cisco 3640 - Sin usuario ni password. Sin configurar (Plantilla)
- Junos Olive - Usuario root / El password lo establecemos nosotros. Sin configurar (Plantilla)
Podéis encontrar una guía para importar las máquinas virtuales y los proyectos en GNS3 aquí.
El usuario configurado para poder entrar en los equipos de cliente con tacacs es:
Usuario: tacacs
Password: junos1
CONFIGURACIONES DE LOS EQUIPOS
Los equipos del ISP, es decir, los PE y los P, son todos Juniper.
Todos los CE son Cisco.
Recomiendo bajar la plantilla de Junos e ir haciendo en VBox tantos clones como queramos.
Os dejo un ejemplo de cada tipo de equipo para tener una referencia. Los demás equipos podéis configurarlos fijándoos en estas:
PE4JUNOS
root@PE4JUNOS> show configuration
version 12.1R1.9;
## PE4JUNOS: ISP PE router (AS 1000, router-id 4.4.4.4) that terminates the VRF1 and
## VRF2 customer sites. Unlike P2JUNOS and PE5 further down, this device has no
## authentication-order / tacplus-server stanza, so logins here are local (root) only.
system {
host-name PE4JUNOS;
domain-name ccnplab.com;
root-authentication {
## Lab credential whose hash is published with this page - rotate it before reusing
## the template anywhere else.
encrypted-password
"$1$ObW.A9af$f5vYhu4U5uGyVpaGIVZgT/"; ## SECRET-DATA
}
services {
## ssh is the only one of these that protects credentials in transit; telnet and
## plain http are enabled for lab convenience and should be disabled outside it.
ssh;
telnet;
web-management {
http;
}
}
syslog {
user * {
any emergency;
}
file messages {
any any;
authorization info;
}
## Records every operational and configuration command entered on the box - the
## local audit trail for this device.
file interactive-commands {
interactive-commands any;
}
}
}
interfaces {
## em0: management port, left without an address here (compare P2JUNOS, which
## isolates its em0 in a separate virtual-router).
em0 {
unit 0;
}
## em1/em2: core-facing /31 links, MPLS-enabled and listed under mpls/ospf/ldp in
## the protocols stanza. em2 (10.2.4.1/31) faces P2JUNOS em3 (10.2.4.0/31); em1
## presumably faces P1, which is not shown on this page.
em1 {
unit 0 {
family inet {
address 10.1.4.1/31;
}
family mpls;
}
}
em2 {
unit 0 {
family inet {
address 10.2.4.1/31;
}
family mpls;
}
}
## em3 and em6: customer-facing links placed in VRF1 (see routing-instances).
em3 {
unit 0 {
family inet {
address 94.10.10.9/30;
}
}
}
## em4: vlan-tagging enabled but no units defined - unused as shown.
em4 {
vlan-tagging;
}
## em5: customer-facing link placed in VRF2.
em5 {
unit 0 {
family inet {
address 94.20.20.5/30;
}
}
}
## em6: second VRF1 site; 94.10.10.5 is the eBGP peer address used by CE10 below.
em6 {
unit 0 {
family inet {
address 94.10.10.5/30;
}
}
}
## lo0: router-id and iBGP local-address (4.4.4.4).
lo0 {
unit 0 {
family inet {
address 4.4.4.4/32;
}
}
}
}
routing-options {
## Global router-id (matches lo0) and the ISP AS; the iBGP group "pe" and the
## eBGP groups inside the VRFs below all speak from AS 1000.
router-id 4.4.4.4;
autonomous-system 1000;
}
protocols {
mpls {
## "flag all" tracing is a lab debugging aid; it is noisy and costs disk/CPU
## on a real box.
traceoptions {
flag all;
}
interface em1.0;
interface em2.0;
}
bgp {
## iBGP full mesh with the other PEs (3, 5, 8, 9) carrying inet-vpn (L3VPN) routes.
## No authentication-key is configured on this group, nor on ospf/ldp below: the
## core control plane is unauthenticated, which is acceptable only because this is
## an isolated lab.
group pe {
type internal;
local-address 4.4.4.4;
family inet-vpn {
any;
}
neighbor 3.3.3.3;
neighbor 5.5.5.5;
neighbor 8.8.8.8;
neighbor 9.9.9.9;
}
}
ospf {
area 0.0.0.0 {
## lo0 is advertised but never forms adjacencies.
interface lo0.0 {
passive;
}
interface em1.0;
interface em2.0;
}
}
ldp {
traceoptions {
flag all;
}
interface em1.0;
interface em2.0;
}
}
policy-options {
## Export/import policies for the three VRFs. The management VPN community
## (target:1000:500) is the only thing shared between customer VRFs: each VRF
## imports its own target plus the management /25, and everything else is
## rejected by the final "novalidas" term.
policy-statement exportar_gestion_vpn {
term red_cliente {
from protocol bgp;
then {
community add
normales_gestion_vpn;
accept;
}
}
}
policy-statement exportar_vrf1 {
## CE loopbacks (172.21.10.0/24, e.g. CE10 Loopback100 172.21.10.10) are tagged
## with BOTH the VRF1 and the management target, so the management VPN can reach
## the loopback that CE10 uses as its TACACS+ source interface.
term loopEDC_BGP {
from {
protocol bgp;
route-filter 172.21.10.0/24
orlonger;
}
then {
community add normales_vrf1;
community add
normales_gestion_vpn;
accept;
}
}
term red_cliente {
from protocol bgp;
then {
community add normales_vrf1;
accept;
}
}
}
policy-statement exportar_vrf2 {
## Same idea as exportar_vrf1, but this term has no terminating action: Junos
## applies the community adds and continues to term red_cliente, which accepts the
## route (and re-adds normales_vrf2). The outcome matches VRF1, but adding
## "accept;" here would make the two policies read the same.
term loopEDC_BGP {
from {
protocol bgp;
route-filter 172.21.20.0/24 orlonger;
}
then {
community add normales_vrf2;
community add
normales_gestion_vpn;
}
}
term red_cliente {
from protocol bgp;
then {
community add normales_vrf2;
accept;
}
}
}
policy-statement importar_gestion_vpn {
term red_cliente {
from {
protocol bgp;
community
normales_gestion_vpn;
}
then accept;
}
## Explicit default-deny.
term novalidas {
then reject;
}
}
policy-statement importar_vrf1 {
term red_cliente {
from {
protocol bgp;
community normales_vrf1;
}
then accept;
}
## Leaks exactly one management prefix into the customer VRF: 94.240.0.0/25,
## the network behind PE5 em0 where the TACACS+/SNMP server 94.240.0.35 sits.
## Both conditions (community AND route-filter) must match.
term rango_gestion {
from {
community
normales_gestion_vpn;
route-filter 94.240.0.0/25
exact;
}
then accept;
}
term novalidas {
then reject;
}
}
policy-statement importar_vrf2 {
term red_cliente {
from {
protocol bgp;
community normales_vrf2;
}
then accept;
}
term rango_gestion {
from {
community
normales_gestion_vpn;
route-filter 94.240.0.0/25
exact;
}
then accept;
}
term novalidas {
then reject;
}
}
## Applied first in every vrf-export list so VPN routes carry this PE's loopback
## as next hop.
policy-statement set-VPN-nexthop {
then {
next-hop self;
}
}
community normales_gestion_vpn members
target:1000:500;
community normales_vrf1 members
target:1000:1;
community normales_vrf2 members
target:1000:2;
## Defined for consistency with PE5; no VRF3 exists on this PE.
community normales_vrf3 members
target:1000:3;
}
routing-instances {
## GESTIONVPN has no interfaces on this PE; it exists only so management routes
## are present locally and can be leaked into VRF1/VRF2 via auto-export and the
## rango_gestion import terms.
GESTIONVPN {
instance-type vrf;
route-distinguisher 4.4.4.4:500;
vrf-import importar_gestion_vpn;
vrf-export [ set-VPN-nexthop
exportar_gestion_vpn ];
vrf-table-label;
routing-options {
## Caps the VRF table at 500 prefixes with a warning at 90% - a guard against a
## CE flooding routes (exact enforcement behaviour: confirm for this release).
maximum-prefixes 500 threshold
90;
## auto-export lets the local VRFs exchange routes through their own
## vrf-import/vrf-export policies without going via a remote PE.
auto-export;
}
}
VRF1 {
instance-type vrf;
interface em3.0;
interface em6.0;
route-distinguisher 4.4.4.4:1;
vrf-import importar_vrf1;
vrf-export [ set-VPN-nexthop
exportar_vrf1 ];
vrf-table-label;
routing-options {
maximum-prefixes 500 threshold
90;
auto-export;
}
protocols {
bgp {
## Two customer sites, both in AS 65200. "keep all" retains routes rejected
## by policy in the Adj-RIB-In (confirm). No authentication-key and no
## per-neighbor prefix-limit: the instance-level maximum-prefixes above is
## the only cap on what a CE can inject.
group ce {
type external;
keep all;
peer-as 65200;
neighbor 94.10.10.10;
}
## CE10 (94.10.10.6 on em6).
group ce2 {
type external;
keep all;
peer-as 65200;
neighbor 94.10.10.6;
}
}
}
}
VRF2 {
instance-type vrf;
interface em5.0;
route-distinguisher 4.4.4.4:2;
vrf-import importar_vrf2;
vrf-export [ set-VPN-nexthop
exportar_vrf2 ];
vrf-table-label;
routing-options {
maximum-prefixes 500 threshold
90;
auto-export;
}
protocols {
bgp {
## as-override rewrites the customer AS (64900) in the AS path, presumably
## because several VRF2 sites share that AS.
group ce {
type external;
peer-as 64900;
as-override;
neighbor 94.20.20.6;
}
}
}
}
}
|
P2JUNOS
root@P2JUNOS> show configuration
version 12.1R1.9;
## P2JUNOS: core P router (router-id 2.2.2.2). Runs only ospf/ldp/mpls - no BGP.
system {
host-name P2JUNOS;
domain-name ccnplab.com;
## Only tacplus is listed: Junos then falls back to the local root password only
## when the TACACS+ server does not respond, not when it rejects the login
## (confirm against the docs for this release).
authentication-order tacplus;
root-authentication {
## Lab credential whose hash is published with this page.
encrypted-password
"$1$Ff2FLoJa$cbP5MDW7i3FmSHA4tkqRu/"; ## SECRET-DATA
}
## Shared secret for the TACACS+ server behind PE5 em0. "$9$" values are Junos
## obfuscation, not a hash, so this listing effectively discloses the secret -
## rotate it outside the lab. Note em0 has no address configured below, so the
## path to 94.240.0.35 is not visible in this listing - confirm.
tacplus-server {
94.240.0.35 secret
"$9$AdT0tOIEhyeKWB17-ws4o36/"; ## SECRET-DATA
}
services {
## telnet and plain http are cleartext management; lab convenience only.
ssh;
telnet;
web-management {
http;
}
}
syslog {
user * {
any emergency;
}
file messages {
any any;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
}
interfaces {
## em0: management, placed in the "manage" virtual-router below but given no
## address here.
em0 {
unit 0;
}
## em1-em6: core /31 links (10.2.x.0/31), all MPLS-enabled. em3 faces PE4JUNOS em2
## (10.2.4.1/31) and em4 faces PE5 em1 (10.2.5.1/31); the other peers are not
## shown on this page.
em1 {
unit 0 {
family inet {
address 10.1.2.1/31;
}
family mpls;
}
}
em2 {
unit 0 {
family inet {
address 10.2.3.0/31;
}
family mpls;
}
}
em3 {
unit 0 {
family inet {
address 10.2.4.0/31;
}
family mpls;
}
}
em4 {
unit 0 {
family inet {
address 10.2.5.0/31;
}
family mpls;
}
}
em5 {
unit 0 {
family inet {
address 10.2.9.0/31;
}
family mpls;
}
}
em6 {
unit 0 {
family inet {
address 10.2.6.0/31;
}
family mpls;
}
}
## lo0: router-id 2.2.2.2.
lo0 {
unit 0 {
family inet {
address 2.2.2.2/32;
}
}
}
}
routing-options {
## Routing-process tracing to /var/log/ldp, 5 x 10 MB rotation, all flags -
## a lab debugging aid, noisy on a production box.
traceoptions {
file ldp size 10m files 5;
flag all;
}
## No autonomous-system here: this P router carries no BGP, the core is BGP-free.
router-id 2.2.2.2;
}
protocols {
## em7.0 is enabled under mpls, ospf and ldp but no em7 exists in the interfaces
## stanza above - either a leftover or the interface definition is missing;
## confirm at commit. No authentication is configured on ospf or ldp.
mpls {
traceoptions {
flag all;
}
interface em1.0;
interface em2.0;
interface em3.0;
interface em4.0;
interface em5.0;
interface em6.0;
interface em7.0;
}
ospf {
area 0.0.0.0 {
interface lo0.0 {
passive;
}
interface em3.0;
interface em1.0;
interface em2.0;
interface em4.0;
interface em5.0;
interface em6.0;
interface em7.0;
}
}
ldp {
traceoptions {
flag all;
}
interface em1.0;
interface em2.0;
interface em3.0;
interface em4.0;
interface em5.0;
interface em6.0;
interface em7.0;
}
}
routing-instances {
## Keeps the management port out of the global (core) routing table - the one
## place on this page where management and forwarding planes are separated.
manage {
instance-type virtual-router;
interface em0.0;
}
}
|
PE5
root@PE5> show configuration
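version 12.1R1.9;
## PE5: ISP PE (router-id 5.5.5.5) that hosts the management VPN - em0 is
## 94.240.0.0/25, the network of the TACACS+/SNMP server 94.240.0.35 used by every
## other device on this page.
system {
host-name PE5;
domain-name ccnplab.com;
## Only tacplus is listed: local root fallback applies only when the server does
## not respond, not when it rejects the login (confirm for this release).
authentication-order tacplus;
root-authentication {
## Lab credential whose hash is published with this page.
encrypted-password
"$1$RollaTdA$IMCAhu40SQ6L7iCapH4o8/"; ## SECRET-DATA
}
## "$9$" is Junos obfuscation, not a hash: the shared secret is effectively
## disclosed by this listing. Whether the server is reached through inet.0 or
## through GESTIONVPN (where em0 lives) is not stated here - confirm.
tacplus-server {
94.240.0.35 secret
"$9$L3qX-bsY4JZDn/lvW8N-q.PQn9tuBIESdb"; ## SECRET-DATA
}
services {
## telnet and plain http are cleartext management; lab convenience only.
ssh;
telnet;
web-management {
http;
}
}
syslog {
user * {
any emergency;
}
file messages {
any any;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
}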
interfaces {
## em0: management LAN, placed in the GESTIONVPN VRF below; this is the /25 that
## the other PEs import into their customer VRFs.
em0 {
unit 0 {
family inet {
address 94.240.0.1/25;
}
}
}
## em1: the only core link, faces P2JUNOS em4 (10.2.5.0/31).
em1 {
unit 0 {
family inet {
address 10.2.5.1/31;
}
family mpls;
}
}
## em2: family inet without an address - unused as shown.
em2 {
unit 0 {
family inet;
}
}
## lo0: router-id and iBGP local-address (5.5.5.5).
lo0 {
unit 0 {
family inet {
address 5.5.5.5/32;
}
}
}
}
routing-options {
## Router-id matches lo0; AS 1000 is shared with PE4JUNOS.
router-id 5.5.5.5;
autonomous-system 1000;
}
protocols {
mpls {
interface em1.0;
}
bgp {
## Protocol-level "inet-vpn unicast" is overridden by the group-level "any"
## below; one of the two is redundant.
family inet-vpn {
unicast;
}
## iBGP mesh to the other PEs (3, 4, 8, 9). No authentication-key on bgp, and
## none on ospf/ldp below - unauthenticated core, lab only.
group pe {
type internal;
local-address 5.5.5.5;
family inet-vpn {
any;
}
neighbor 3.3.3.3;
neighbor 4.4.4.4;
neighbor 8.8.8.8;
neighbor 9.9.9.9;
}
}
ospf {
area 0.0.0.0 {
interface lo0.0 {
passive;
}
interface em1.0;
}
}
ldp {
interface em1.0;
}
}
policy-options {
## The management prefix originates here: term red_gestion exports the directly
## connected em0 network (94.240.0.0/25) tagged with the management target, which
## the rango_gestion terms on the other PEs then import into their customer VRFs.
policy-statement exportar_gestion_vpn {
term red_gestion {
from protocol direct;
then {
community add
normales_gestion_vpn;
accept;
}
}
}
## VRF1-3 on this PE have no interfaces or BGP peers (see routing-instances), so
## these "from protocol bgp" exports currently match nothing - template policies
## for future sites.
policy-statement exportar_vrf1 {
term red_cliente {
from protocol bgp;
then {
community add normales_vrf1;
accept;
}
}
}
policy-statement exportar_vrf2 {
term red_cliente {
from protocol bgp;
then {
community add normales_vrf2;
accept;
}
}
}
policy-statement exportar_vrf3 {
term red_cliente {
from protocol bgp;
then {
community add normales_vrf3;
accept;
}
}
}
policy-statement importar_gestion_vpn {
term red_cliente {
from {
protocol bgp;
community
normales_gestion_vpn;
}
then accept;
}
## Explicit default-deny, repeated in every import policy below.
term novalidas {
then reject;
}
}
## Unlike PE4JUNOS, the customer imports here have no rango_gestion term, so the
## management /25 is not leaked into VRF1-3 on this PE (nothing here needs it).
policy-statement importar_vrf1 {
term red_cliente {
from {
protocol bgp;
community normales_vrf1;
}
then accept;
}
term novalidas {
then reject;
}
}
policy-statement importar_vrf2 {
term red_cliente {
from {
protocol bgp;
community normales_vrf2;
}
then accept;
}
term novalidas {
then reject;
}
}
policy-statement importar_vrf3 {
term red_cliente {
from {
protocol bgp;
community normales_vrf3;
}
then accept;
}
term novalidas {
then reject;
}
}
policy-statement set-VPN-nexthop {
then {
next-hop self;
}
}
community normales_gestion_vpn members
target:1000:500;
community normales_vrf1 members
target:1000:1;
community normales_vrf2 members
target:1000:2;
community normales_vrf3 members
target:1000:3;
}
routing-instances {
## The management VPN proper: em0 (94.240.0.1/25) is its only interface.
GESTIONVPN {
instance-type vrf;
interface em0.0;
route-distinguisher 5.5.5.5:500;
vrf-import importar_gestion_vpn;
vrf-export [ set-VPN-nexthop
exportar_gestion_vpn ];
vrf-table-label;
routing-options {
## 500-prefix cap with a warning at 90% (enforcement details: confirm).
maximum-prefixes 500 threshold
90;
auto-export;
}
}
## VRF1-3: no interfaces and no protocols - placeholders that only hold routes
## learned from the other PEs.
VRF1 {
instance-type vrf;
route-distinguisher 5.5.5.5:1;
vrf-import importar_vrf1;
vrf-export [ set-VPN-nexthop
exportar_vrf1 ];
vrf-table-label;
routing-options {
maximum-prefixes 500 threshold
90;
auto-export;
}
}
VRF2 {
instance-type vrf;
route-distinguisher 5.5.5.5:2;
vrf-import importar_vrf2;
vrf-export [ set-VPN-nexthop
exportar_vrf2 ];
vrf-table-label;
routing-options {
maximum-prefixes 500 threshold
90;
auto-export;
}
}
VRF3 {
instance-type vrf;
## RD 5.5.5.5:4 breaks the <router-id>:<vrf-number> pattern used by VRF1/VRF2
## (and by the target:1000:3 community). An RD only has to be unique, so this is
## not a fault, but 5.5.5.5:3 would be the consistent choice.
route-distinguisher 5.5.5.5:4;
vrf-import importar_vrf3;
vrf-export [ set-VPN-nexthop
exportar_vrf3 ];
vrf-table-label;
routing-options {
maximum-prefixes 500 threshold
90;
auto-export;
}
}
}
|
CE10-VRF1-MAIN
CE10-VRF1-MAIN#sh run
Building configuration...
Current configuration : 2618 bytes
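!
! CE10-VRF1-MAIN: Cisco CE in AS 65200, primary HSRP router of the VRF1 site.
! WAN Ethernet0/0 peers with PE4JUNOS em6 (94.10.10.5, VRF1 group ce2); the LAN
! side shares 192.168.10.0/24 with an iBGP peer at 192.168.10.3. The original
! listing had commands wrapped across lines; they are rejoined here.
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
! With password-encryption off, every "password 0" below (local user, TACACS+ key)
! is stored and displayed in cleartext.
no service password-encryption
!
hostname CE10-VRF1-MAIN
!
boot-start-marker
boot-end-marker
!
! Type 5 (MD5) enable secret - better than a type 7 password, still a published hash.
enable secret 5 $1$IEYw$LbrW9uOvNv8kf3Gdxj4ye.
!
aaa new-model
!
! Login and exec authorization via TACACS+ with local fallback. No "aaa accounting"
! lines, so the TACACS+ server receives no record of commands or sessions.
aaa authentication login default group tacacs+ local
aaa authentication enable default enable
aaa authorization exec default group tacacs+ local
!
aaa session-id common
!
resource policy
!
memory-size iomem 5
no ip icmp rate-limit unreachable
ip tcp synwait-time 5
!
ip cef
no ip domain lookup
!
ip sla monitor responder
!
! Local fallback account (root/junos1 per the page header), cleartext - lab only.
username root password 0 junos1
!
! WAN line-protocol tracker used to lower HSRP priority when the uplink fails.
track 1 interface Ethernet0/0 line-protocol
!
! Loopback100 is the TACACS+ source address; PE4JUNOS exports 172.21.10.0/24 into
! the management VPN so the server can answer it.
interface Loopback100
 ip address 172.21.10.10 255.255.255.255
!
interface Ethernet0/0
 description WAN
 ip address 94.10.10.6 255.255.255.252
 full-duplex
!
! HSRP active (priority 110, preempt); drops to 90 on WAN failure so the peer
! (presumably 192.168.10.3) takes over.
interface Ethernet0/1
 description LAN
 ip address 192.168.10.4 255.255.255.0
 full-duplex
 standby 1 ip 192.168.10.1
 standby 1 priority 110
 standby 1 preempt delay minimum 5
 standby 1 track 1 decrement 20
!
! eBGP to the PE with MED 2000 (route-map marcado) and iBGP to the LAN peer, to
! which the own loopback is not advertised (filtroloopback). No neighbor password
! on either session.
router bgp 65200
 no synchronization
 bgp log-neighbor-changes
 network 172.21.10.10 mask 255.255.255.255
 network 192.168.10.0
 neighbor 94.10.10.5 remote-as 1000
 neighbor 94.10.10.5 route-map marcado out
 neighbor 192.168.10.3 remote-as 65200
 neighbor 192.168.10.3 description IBGP
 neighbor 192.168.10.3 route-map filtroloopback out
 no auto-summary
!
! HTTP/HTTPS management disabled - good.
no ip http server
no ip http secure-server
!
ip tacacs source-interface Loopback100
!
ip prefix-list loopback seq 1 permit 172.21.10.10/32
! access-list 2: management LAN (94.240.0.0/25) and the CE loopback range; applied
! to vty 0 4 below.
access-list 2 permit 94.240.0.0 0.0.0.127
access-list 2 permit 172.21.10.0 0.0.0.255
! SNMPv2c read-only community with no access-list bound to it: any source that can
! reach the box may read it. Consider "snmp-server community VRF1 RO 2".
snmp-server community VRF1 RO
! Allows a reload via SNMP set; inert while only an RO community exists, but it
! is unnecessary exposure and can be removed.
snmp-server system-shutdown
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps config
snmp-server enable traps envmon
snmp-server enable traps bgp state-changes all
snmp-server enable traps syslog
snmp-server host 94.240.0.35 VRF1
no cdp log mismatch duplex
!
route-map filtroloopback deny 10
 match ip address prefix-list loopback
!
route-map filtroloopback permit 20
!
route-map marcado permit 10
 set metric 2000
!
!
! Shared secret in cleartext (see "no service password-encryption"); rotate it
! before reusing this template outside the lab.
tacacs-server host 94.240.0.35 key LAB1234
tacacs-server directed-request
!
control-plane
!
! Console/aux never time out and land at privilege 15; AAA login still applies
! through the default list - lab convenience.
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 access-class 2 in
! vty 5-15 carry no access-class, so the restriction above is bypassed on them;
! add "access-class 2 in" here as well. No "transport input" is set on any vty,
! so telnet is accepted alongside ssh.
line vty 5 15
!
!
end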
|
IMPORTAR PROYECTO GNS3 COMPLETO (EQUIPOS CONFIGURADOS)
Un ejemplo con el laboratorio del JNCIA de cómo importar un proyecto entero de GNS3 aquí.
Es solo un ejemplo de cómo hacerlo. Para este laboratorio, las imágenes y el proyecto de GNS3 los descargáis de los siguientes enlaces:
- Tacacs - Usuario root / Password reverse. Tiene la configuración de este escenario
- Máquinas Virtuales - Tenéis que importarlas a VBox y luego añadirlas en GNS3 (Preferences)
Un ejemplo con el laboratorio del JNCIA de cómo importar un proyecto entero de GNS3 aquí.
Es solo un ejemplo de cómo hacerlo. Para este laboratorio, las imágenes y el proyecto de GNS3 los descargáis de los siguientes enlaces:
- Tacacs - Usuario root / Password reverse. Tiene la configuración de este escenario
- Cisco 3640 - Sin usuario ni password. Sin configurar (Plantilla)
- Máquinas Virtuales - Tenéis que importarlas a VBox y luego añadirlas en GNS3 (Preferences)
Una vez importado el proyecto, a los equipos CE se accederá con el usuario tacacs o con el usuario local, que es root/junos1.
A los equipos PE y P se accede también con el usuario local, que es el mismo: root/junos1.
A los equipos PE y P se accede también con el usuario local, que es el mismo: root/junos1.
Si después de importar el proyecto se quedan enlaces sin conectar, tendréis que ir a preferences y en las VirtualBox MS añadir más interfaces a las máquinas afectadas.
GRACIAS, me hiciste salvar el curso.
¡¡No te puedes imaginar cuánto me alegro!!