Wednesday, January 6, 2016

ISIS task #2. Multi area topology

Topology:



Use configuration from ISIS task #1 as initial configuration for this task.
Routers R1, R2, R4, R6, R7 and R8 are IOS routers.
Routers R3 and R5 are IOS-XR.

Requirements: 

1. Configure router R8 in ISIS area 49.0002
2. Configure routers R4, R5, R6 and R7 in ISIS area 49.0003
3. Routers R6 and R7 should only have ISIS Level-1 database.  
4. Routers R4 and R5 should only form a Level-1 adjacency on link R4-R5.
5. Traffic flowing between Area 2 and Area 3 (both directions) should NOT use link R1-R2, if alternative path is available.
6. Create interface Loopback100 on R3. Configure ipv4 address 100.100.100.100/32 on this interface. All devices in the topology should have connectivity to this interface. Do not enable ISIS on this interface and do not use redistribution.
7. On link R1-R8, authenticate ISIS Hellos using password HPASS. This password (but no other passwords in the task) should be visible in the configuration file.
8. Authenticate LSPs and SNPs in area 3 using password AREA3. Don't use "authentication" command on routers R6 and R7.
9. Authenticate Level-2 LSPs and SNPs using password DPASS. Use strongest authentication method. Configuration shall allow for easy key management in the future.

Solution:

Highlight the text below to reveal the solution. 

This task requires an understanding of multi-level ISIS, metrics, injection of a default route into Level-2 and the different authentication types.

Requirement #3 - configure R6 and R7 as ISIS Level-1-only at the process level, so no Level-2 database is created.
Requirement #5 - increase the ISIS metric on link R1-R2.
Requirement #6 - configure R3 to inject a default route into the ISIS Level-2 domain.
Requirement #7 - use clear-text (old-style) interface authentication.
Requirement #8 - since the authentication command is not allowed on R6 and R7, use the area-password configuration (old style). Routers R4 and R5 require the new-style configuration with the "text" keyword, for compatibility with the old-style configuration of R6 and R7.
Requirement #9 - use new-style authentication for Level-2, MD5 with key chains for easy key management.
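As an added defender's check (not part of the original post), the following Python script audits an IOS/IOS-XR excerpt for the authentication choices discussed above: which levels use text versus md5, which key chain each level references, and how key-strings are stored (type 0 cleartext, type 7 reversible obfuscation, type 6 AES). The sample config is constructed here from the R4 solution, and the IOS-XR "key-string password" form is treated as type 7.

```python
import re

# Constructed sample input: an IOS excerpt modelled on the R4 solution in this
# post (same commands; the type-7 strings are copied as-is, never decoded).
SAMPLE_CONFIG = """\
key chain CHAIN
 key 1
  key-string 7 013736256838
key chain CHAIN2
 key 1
  key-string 7 096D7C2C3856
interface Ethernet1/0
 isis password HPASS
router isis CCIE
 authentication mode text level-1
 authentication mode md5 level-2
 authentication key-chain CHAIN2 level-1
 authentication key-chain CHAIN level-2
"""

def audit_isis_auth(config):
    """Map ISIS auth mode and key chain per level, and flag weak key storage."""
    modes, chains, key_storage, findings = {}, {}, {}, []
    chain = None
    for raw in config.splitlines():
        s = raw.strip()
        if m := re.match(r"key chain (\S+)$", s):
            chain = m.group(1)
        elif m := re.match(r"key-string(?: (\d|password))? (\S+)$", s):
            # no type number means cleartext; IOS-XR 'password' is the type-7 form
            enc = "7" if m.group(1) == "password" else (m.group(1) or "0")
            key_storage[chain] = enc
            if enc in ("0", "7"):
                kind = "cleartext" if enc == "0" else "type-7 (reversible obfuscation)"
                findings.append(f"key chain {chain}: {kind} key-string")
        elif re.match(r"isis password \S+$", s):
            findings.append("interface: old-style cleartext Hello password")
        elif m := re.match(r"(area|domain)-password \S+", s):
            findings.append(f"process: old-style cleartext {m.group(1)}-password")
        elif m := re.match(r"authentication mode (md5|text)(?: level-(\d))?$", s):
            level = m.group(2) or "1+2"   # no level keyword applies to both levels
            modes[level] = m.group(1)
            if m.group(1) == "text":
                findings.append(f"level-{level}: cleartext LSP/SNP authentication")
        elif m := re.match(r"authentication key-chain (\S+)(?: level-(\d))?$", s):
            chains[m.group(2) or "1+2"] = m.group(1)
    return {"modes": modes, "chains": chains, "key_storage": key_storage, "findings": findings}
```

Running it against the real configurations from each router shows at a glance which password appears in clear text (requirement 7) and that only Level-2 uses MD5 with a key chain (requirement 9).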

R1: 


!
key chain CHAIN
 key 1
  key-string 7 013736256838
!
interface Ethernet1/0
 ip address 11.0.18.1 255.255.255.0
 ip router isis CCIE
 isis password HPASS
!
router isis CCIE
 net 49.0001.0000.0000.0001.00
 authentication mode md5
 authentication key-chain CHAIN level-2
!

R2: 


!
key chain CHAIN
 key 1
  key-string 7 08057C6F3A2A
!
!
router isis CCIE
 net 49.0001.0000.0000.0002.00
 authentication mode md5
 authentication key-chain CHAIN level-2
!

R3: 


!
key chain CHAIN
 key 1
  accept-lifetime 00:00:00 january 01 1993 infinite
  key-string password 13212733383F
  send-lifetime 00:00:00 january 01 1993 infinite
  cryptographic-algorithm HMAC-MD5
 !
!
router isis CCIE
 net 49.0001.0000.0000.0003.00
 lsp-password keychain CHAIN level 2
 address-family ipv4 unicast
  default-information originate
 !
..
!
interface Loopback100
 ipv4 address 100.100.100.100 255.255.255.255
!

R4:


!
!
key chain CHAIN
 key 1
  key-string 7 013736256838
key chain CHAIN2
 key 1
  key-string 7 096D7C2C3856
!
router isis CCIE
 net 49.0003.0000.0000.0004.00
 authentication mode text level-1
 authentication mode md5 level-2
 authentication key-chain CHAIN2 level-1
 authentication key-chain CHAIN level-2
!


R5:


!
key chain CHAIN
 key 1
  accept-lifetime 00:00:00 january 01 1993 infinite
  key-string password 112D29242421
  send-lifetime 00:00:00 january 01 1993 infinite
  cryptographic-algorithm HMAC-MD5
 !
!
router isis CCIE
 net 49.0003.0000.0000.0005.00
 lsp-password text encrypted 047A39232E72 level 1
 lsp-password keychain CHAIN level 2
..
..
!

R6:


!
router isis CCIE
 net 49.0003.0000.0000.0006.00
 is-type level-1
 area-password AREA3 authenticate snp validate
!

R7:


!
router isis CCIE
 net 49.0003.0000.0000.0007.00
 is-type level-1
 area-password AREA3 authenticate snp validate
!

R8:


!
key chain CHAIN
 key 1
  key-string 7 072B116D7D3A
!
!
interface Ethernet0/0
 ip address 11.0.18.8 255.255.255.0
 ip router isis CCIE
 isis password HPASS
!
!
router isis CCIE
 net 49.0002.0000.0000.0008.00
 authentication mode md5
 authentication key-chain CHAIN level-2
!

2 comments:

  1. Hi Dimitry and thx for your effort put in creating this WB!

    I found this task an excellent exercise in IS-IS authentication.

    I'd like to suggest some notes. First, the solution is not hidden (while probably it should be). Second, your formulation of point 6 is a bit indefinite, e.g. one could simply announce lo100 as a passive interface and thus accomplish the goal. Perhaps this task point needs to be more specific. Same for point 7 where the visibility requirement can be achieved with a key chain as well. Point 9, in my opinion, would benefit from specifying where precisely level-2 packets should be authenticated. As it stands now, the reader has to guess whether any specific area is meant here or all areas at once, especially when the previous point 8 requests authentication in Area 3 in which some routers run both level-1 and level-2.

    Best regards,

    Anton



    1. Hi Anton,

      Thank you for your comments!

      "hidden" part is fixed.

      Regarding the rest, you are correct. As in real life, some tasks may have multiple solutions. I'll make an effort to provide better instructions in the future.

      Best regards,
      Dimitry
