Case Study 2: SDM
Instructions
Implement the International Travel Agency network shown in the topology diagram using the information and instructions in the scenario. Verify that all configurations are operational and functioning according to the guidelines.
Topology Diagram

Scenario
The International Travel Agency has decided to extend its offices to a new branch location using its existing network tunnel. The CIO has chosen to use a secure generic routing encapsulation (GRE) tunnel to connect the branch office to its headquarters office. The tunnel will terminate at the headquarters end on a Cisco router with the firewall feature set.
Demonstrate that this configuration will allow routing between sites as well as secure intranet traffic as it traverses the service provider’s domain. Implement the security policies defined below on both the FW router and the BRANCH router.
Use the Cisco Security Device Manager (SDM) to configure the security tasks except where noted below.
Using the Cisco IOS CLI:
• Configure all interfaces using the addressing scheme shown in the topology diagram.
• Configure HQ, FW, and BRANCH to run Enhanced Interior Gateway Routing Protocol (EIGRP) in AS 1. (Until the tunnel is created, BRANCH will not have any EIGRP adjacencies.)
• Add the major 172.16.0.0 network to EIGRP and disable automatic summarization.
• Configure a static default route on FW towards ISP, and redistribute this into EIGRP.
• Configure a static default route on BRANCH toward ISP.
• Create a static route on ISP for 172.16.0.0/16 toward FW.
• After configuring the static routes, make sure you can ping between FW and BRANCH.
• Configure the host with the IP address shown in the topology diagram and make FW its default gateway.
• Configure FW and BRANCH for SDM access from the host.
Using Cisco SDM:
• Create a secure GRE tunnel between FW and BRANCH using IPsec.
• Use the addressing shown on the diagram for the tunnel addressing.
• Run EIGRP across the tunnel.
• You should use the tunnel wizard to configure one end of the tunnel, and generate a mirror configuration using Cisco SDM for the other end. You may use the command-line interface (CLI) to implement the mirror tunnel configuration on BRANCH.
• Apply any encryption algorithms desired for the secure GRE tunnel.
• Configure FW as a firewall using the basic firewall wizard. Assign the interface facing the ISP router to be the outside interface. Trust traffic from all other interfaces.
• If SDM does not automatically allow IPsec traffic through the firewall, explicitly allow it.
• Use the SDM IPS wizard to configure BRANCH to enable the intrusion prevention system (IPS) on the ingress interface facing the ISP router.
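For the BRANCH end of the tunnel, which the scenario allows to be configured from the CLI, the following added example (not part of the original case study and not SDM-generated output) shows GRE protected by an IPsec crypto map, with EIGRP AS 1 running over the tunnel. The interface name, every IP address, the pre-shared key and the object names (GRE-TS, GRE-MAP, ACL 100) are assumed placeholders; take the real addressing from the topology diagram.

```cisco
! BRANCH router: GRE over IPsec toward FW (all values below are placeholders)
! Assumed: BRANCH outside 198.51.100.2, FW outside 192.0.2.1,
!          ISP next hop 198.51.100.1, tunnel subnet 172.16.13.0/24
!
! IKE phase 1 policy; must match the policy configured on FW
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE_WITH_SHARED_SECRET address 192.0.2.1
!
! IPsec phase 2 transform set; must match FW
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
!
! Protect only the GRE packets between the two tunnel endpoints
access-list 100 permit gre host 198.51.100.2 host 192.0.2.1
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set GRE-TS
 match address 100
!
interface Tunnel0
 ip address 172.16.13.2 255.255.255.0
 tunnel source Serial0/0/0
 tunnel destination 192.0.2.1
!
! Apply the crypto map on the ISP-facing interface (name assumed)
interface Serial0/0/0
 crypto map GRE-MAP
!
! EIGRP AS 1 forms its adjacency with FW across Tunnel0
router eigrp 1
 network 172.16.0.0
 no auto-summary
!
! Default route toward ISP keeps the tunnel endpoint reachable
ip route 0.0.0.0 0.0.0.0 198.51.100.1
```

Once both ends are configured, `show crypto ipsec sa` should show the encaps and decaps counters incrementing, and `show ip eigrp neighbors` should list FW as a neighbor over Tunnel0.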
CCNP: Implementing Secure Converged Wide-area Networks v5.0 - Case Study 2. Copyright © 2007, Cisco Systems, Inc.