The purpose of this lab is to set up the necessary infrastructure ready to investigate routing protocol security, device control plane security, and securing the routing system.
The initial lab topology sets up 8 autonomous systems (AS), each with four routers. In each AS, one router is the border router (for connecting to transit providers), one router is the core router (representing the rest of the network operator’s core network), one router is a peering router (for connecting to private peers and IXPs), and one router is the access router (for connecting to customer end-sites). There is also one customer router provided too. Each group has an Ubuntu appliance, which will be used later on in the workshop when exploring BGP Security.
The lab will start simply by configuring each autonomous system, and making sure that transit works via their transit provider. The address plan for the entire network is described in the Address Plan document. The initial set up is shown below.
Each participant will be assigned to a group. Depending on the number of participants, either a single person or a group will be responsible for the configuration of a router. You may be asked to rotate and work on a different router so that you have the opportunity to understand the network from another point of view.
As you go through the exercises, you will see examples of configurations for one or more routers. Make sure to take those examples and adapt them to your own router, network topology and addressing scheme. Use the diagrams to guide you.
Refer to the Lab Access Instructions document for information about logging into the routers that have been assigned to you.
Refer to the IP Address Plan document for information about the IP address plan for the network infrastructure for these labs.
The router configuration has already been completed, as the infrastructure has been built ready to focus on routing security. The many configuration examples throughout the entire workshop show the suggested/recommended configuration to be implemented on the routers in each group. Replace the RX in the examples with the router type (either B for Border or C for Core or P for Peering or A for Access or Cust for Customer router) and Group number as appropriate.
The name of each router in the lab has already been set, like below:
Router> enable
Router# config terminal
Router(config)# hostname RX
We will use the username isplab for this workshop. It is a role account, note, something that is strongly discouraged on public infrastructure. However, we use it here only for ease of operating the lab, and that we will need to connect to other groups’ routers through the duration of this workshop.
username isplab secret lab-PW
enable secret lab-EN
service password-encryption
The remaining configuration has been completed for you. Please check the changes from the Cisco defaults, to be suitable for the router to operate in a public network environment.
Check that IS-IS and IBGP are operational - the detailed configurations used for the IS-IS and IBGP components are included in the Additional Information section of the workshop agenda.
Verify and save the configuration.
show running-config
write memory
Do some PING tests to all routers in your group - here is an example for between Core and Border in Group One:
C1# ping 100.68.1.1 <- B1
C1# ping 2001:DB8:1::1 <- B1
C1# ping 100.68.1.3 <- P1
C1# ping 2001:DB8:1::3 <- P1and then verify the output of the following commands:
show arp : Show ARP cache
show interface : Show interface state and config
show ip interface : Show interface IP state and config
show ipv6 neighbors : Show IPv6 neighbours
show ipv6 interface : Show interface state and config
show cdp neighbors : Show neighbours seen via CDP
show isis neighbors : Show ISIS neighbours
show ip bgp summary : Show IBGP neighbour summary
show ip bgp : Show BGP routes (RIB)
show ip route : Show routing table (Global RIB)