Posts

Showing posts from January, 2011

Policy-Based Routing part 1 - GNS3

Policy-Based Routing - route based on source address - GNS3

*this is not a complete routing design, just to prove the Policy-Based Routing concept

All traffic sourced from 10.1.1.1 and 10.2.2.2 will be routed to R3 and R4 respectively using policy-based routing. R1 will have a default route to R2; policy-based routing will be applied on R2, on the interface where that traffic enters. Note that a policy route-map is checked before the routing table: whenever a packet matches it, the policy takes over from any static or dynamic route, and only non-matching packets are forwarded by the normal routing table.

R1
interface Loopback1
 ip address 10.1.1.1 255.255.255.0
!
interface Loopback2
 ip address 10.2.2.2 255.255.255.0
!
interface Serial0/0
 ip address 172.16.1.1 255.255.255.252
 clock rate 56000
!
ip route 0.0.0.0 0.0.0.0 172.16.1.2

R2
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 172.16.1.2 255.255.255.252
 ip route-cache policy
 ip policy route-map map1
 clock rate 2000000
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255....

Administrative Distance Vs Longest Prefix Match

Please set up your lab similar to the previous lab and add this to R2:

router eigrp 1
 passive-interface Serial0/0
 network 10.1.1.0 0.0.0.255
 network 172.16.2.0 0.0.0.3
 no auto-summary
ip route 192.168.0.0 255.255.0.0 172.16.2.1

Now R2 has two routes that cover 192.168.1.1: one learned via EIGRP with AD = 90, and one via the static route with AD = 1.

R2#sh ip route
...
D     192.168.1.0/24 [90/2323456] via 10.1.1.1, 00:05:57, FastEthernet0/0
S     192.168.0.0/16 [1/0] via 172.16.2.1

Guess.. which path will the router use to reach 192.168.1.1? Some of you may have thought it would be the static route because it has AD = 1. Let's test..

R2#traceroute 192.168.1.1
..
  1 10.1.1.1 4 msec 4 msec 4 msec
  2 172.16.1.1 12 msec 12 msec *

It chooses the route learned via EIGRP, through R3. This is because the forwarding lookup prefers the longest prefix match; administrative distance is only used to choose between routes to the same prefix, never between a /24 and a /16.

destination : 192.168.1.1
EIGRP route = 192.168.1.0/24
Static route = 192.168.0.0/16
EIG...

Floating static route - GNS3

Using a static route when the dynamic route is not available. The primary link between networks 192.168.1.0/24 and 10.1.1.0/24 runs through R3, and the two sides learn each other via EIGRP. R2 is a backup link in case the primary link is not available. The trailing 190 on R1's static route raises its administrative distance above EIGRP's 90, so the static route is installed only when the EIGRP route to the same prefix disappears.

*this is not a complete routing solution; this lab only looks at it from R1's point of view, reaching 10.1.1.0/24

R1
interface Loopback1
 ip address 192.168.1.1 255.255.255.0
!
interface Serial0/0
 ip address 172.16.2.1 255.255.255.252
 clock rate 56000
!
interface Serial0/1
 ip address 172.16.1.1 255.255.255.252
 clock rate 56000
!
router eigrp 1
 network 10.0.0.0
 network 172.16.1.0 0.0.0.3
 network 192.168.1.0
 no auto-summary
!
ip route 10.1.1.0 255.255.255.0 172.16.2.2 190
!

R2
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 172.16.2.2 255.255.255.252
 clock rate 56000
!
ip route 192.168.0.0 255.255.0.0 172.16.2.1

R3
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
int...
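The three labs above (policy-based routing, AD vs longest prefix match, floating static) all come down to the order in which an IOS router makes its forwarding decision: a policy route-map on the ingress interface is checked first; otherwise the RIB, into which only the lowest-AD route per prefix was installed, is searched by longest prefix match. The following Python model is an added example, not code from the original posts; the route entries are reconstructed from the configs and "sh ip route" output above, while the PBR next hops 192.168.1.2 (R3) and 192.168.2.2 (R4), R2's default route and the destination 203.0.113.10 are assumptions, because the posts do not show the body of route-map map1.

```python
import ipaddress
from dataclasses import dataclass

# IOS default administrative distances used in these labs.
AD = {"connected": 0, "static": 1, "eigrp": 90}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    source: str      # "connected", "static" or "eigrp"
    ad: int          # administrative distance; the floating static uses 190
    metric: int = 0


def build_rib(candidates):
    """Install at most one route per prefix: lowest AD wins, then lowest metric.
    This is the only place AD is consulted. A floating static (AD 190) stays out
    of the RIB as long as an EIGRP route (AD 90) to the very same prefix exists."""
    rib = {}
    for r in candidates:
        best = rib.get(r.prefix)
        if best is None or (r.ad, r.metric) < (best.ad, best.metric):
            rib[r.prefix] = r
    return rib


def lookup(rib, dst):
    """Forwarding lookup over installed routes: longest prefix match only.
    AD plays no part here, so a /24 learned via EIGRP beats a /16 static."""
    dst = ipaddress.IPv4Address(dst)
    matches = [r for r in rib.values() if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def forward(rib, src, dst, policy=()):
    """Emulate 'ip policy route-map' on the ingress interface: the policy (pairs
    of source prefix, next hop) is checked before the RIB. A match bypasses the
    routing table entirely; anything else is routed normally."""
    src = ipaddress.IPv4Address(src)
    for match_prefix, next_hop in policy:
        if src in ipaddress.IPv4Network(match_prefix):
            return next_hop, "pbr"
    r = lookup(rib, dst)
    return (r.next_hop, r.source) if r else (None, None)


# --- Scenarios reconstructed from the posts above ---------------------------

def r2_next_hop(dst="192.168.1.1"):
    """AD vs longest prefix match: R2 holds the /16 static (AD 1) and the /24
    EIGRP route (AD 90) shown in that post's 'sh ip route' output."""
    routes = [
        Route(ipaddress.IPv4Network("192.168.0.0/16"), "172.16.2.1", "static", AD["static"]),
        Route(ipaddress.IPv4Network("192.168.1.0/24"), "10.1.1.1", "eigrp", AD["eigrp"], 2323456),
    ]
    return forward(build_rib(routes), "10.1.1.2", dst)


def r1_next_hop(primary_up=True):
    """Floating static: R1 has 'ip route 10.1.1.0 255.255.255.0 172.16.2.2 190'
    and, while the link through R3 is up, an EIGRP route to the same /24."""
    candidates = [Route(ipaddress.IPv4Network("10.1.1.0/24"), "172.16.2.2", "static", 190)]
    if primary_up:
        candidates.append(
            Route(ipaddress.IPv4Network("10.1.1.0/24"), "172.16.1.2", "eigrp", AD["eigrp"], 2195456))
    return forward(build_rib(candidates), "192.168.1.1", "10.1.1.1")


# PBR on R2's Serial0/0. The next hops 192.168.1.2 (R3) and 192.168.2.2 (R4) and
# R2's default route are assumptions; the post does not show the route-map body.
PBR_POLICY = (("10.1.1.1/32", "192.168.1.2"), ("10.2.2.2/32", "192.168.2.2"))


def pbr_next_hop(src, dst="203.0.113.10"):
    rib = build_rib([Route(ipaddress.IPv4Network("0.0.0.0/0"), "192.168.1.2", "static", AD["static"])])
    return forward(rib, src, dst, PBR_POLICY)


if __name__ == "__main__":
    print(r2_next_hop())             # ('10.1.1.1', 'eigrp')
    print(r1_next_hop(False))        # ('172.16.2.2', 'static')
    print(pbr_next_hop("10.2.2.2"))  # ('192.168.2.2', 'pbr')
```

The model deliberately keeps AD selection (build_rib) and prefix selection (lookup) as two separate steps, which is exactly why the traceroute in the AD post goes via EIGRP: the static /16 and the EIGRP /24 are different prefixes, so both are installed and the longer one wins; only when the EIGRP route to the same /24 is withdrawn does the floating static get installed at all.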

A few useful show ip commands..

sh ip route

R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/30 is subnetted, 2 subnets
C       172.16.1.0 is directly connected, Serial0/1
C       172.16.2.0 is directly connected, Serial0/0
     10.0.0.0/24 is subnetted, 1 subnets
D       10.1.1.0 [90/2195456] via 172.16.1.2, 00:02:01, Ser...

AAA Authentication TACACS+ with ACS - adding a device into ACS

Adding a device

Click on Network Configuration.
Go to the bottom of the page and click Add Entry.
Create a group and give it a name, e.g. Branch_1.
* Shared Secret: if all of the devices in this group share the same key, you can fill it in now. I leave it blank because I want to fill in the key on each individual router later.
Leave the rest of the options as default.
Click again on Network Configuration; you should be able to see your group now. Click on it.
Go to the bottom of the page and click Add Entry.
Fill in the form and leave the rest as default.
* Authenticate Using: since this tutorial is for Cisco IOS, I choose Cisco IOS.
At the bottom of the page, click Submit + Apply.

AAA Authentication with ACS - TACACS+

Click here for the settings on ACS

aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
tacacs-server host 1.1.1.1
tacacs-server host 2.2.2.2
tacacs-server key secret
tacacs-server attempts 3
end

Once you configure aaa authentication, the router stops using the local line passwords for all lines (vty, console etc..).
The 2nd and 3rd lines tell the router to use the TACACS+ servers for login and for enable. With group tacacs+ as the only method in the list there is no fallback, so keep a console session open while you test: if no server answers, nobody can log in.
Define your TACACS+ servers; you can put more than one server for failover purposes. The router will try them sequentially.
Define the key or password this router uses to communicate with the TACACS+ server; both sides must be the same.
3 attempts before the session is dropped.

Another way to define TACACS+ servers is by grouping them:

aaa group server tacacs+ groupA
 server 1.1.1.1
 server 2.2.2.2

Then replace the tacacs+ word with the group name:

aaa authentication login default group groupA

On IOS releases that use the tacacs-server host syntax, keep the global tacacs-server host entries for 1.1.1.1 and 2.2.2.2: the server group only selects which of the globally defined servers are used, and a server that is listed in the group but not defined globally is treated as unreachable.

What if there's no connection to the tacacs+ server at all, for wh...
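How the method list above behaves when a server is down versus when a server rejects the password is the part that bites people in practice, so here is an added Python model of it; this is not code from the original post or from Cisco. It uses the two servers from the config (1.1.1.1 and 2.2.2.2), and the "local" method and the usernames and passwords it checks are assumptions made for the example. The rule it encodes is IOS's documented one: a later method in an aaa authentication list is consulted only when the previous method returns an error (no server answered), never when it returns a failure (a server answered and rejected the credentials).

```python
from dataclasses import dataclass, field


@dataclass
class TacacsServer:
    host: str
    reachable: bool = True
    users: dict = field(default_factory=dict)   # username -> accepted password


def tacacs_group(servers):
    """The 'group tacacs+' method: servers are tried in configured order, an
    unreachable one is skipped, and the first server that answers is final."""
    def method(user, password):
        for s in servers:
            if s.reachable:
                return "PASS" if s.users.get(user) == password else "FAIL"
        return "ERROR"          # every server timed out
    return method


def local_method(local_users):
    """The 'local' method: the router's own username database (assumed here)."""
    return lambda user, password: "PASS" if local_users.get(user) == password else "FAIL"


def authenticate(method_list, user, password):
    """Evaluate an 'aaa authentication login default <m1> <m2> ...' list and
    return (verdict, name of the method that decided). The next method is used
    only when the previous one returns ERROR (no reply); a FAIL (credentials
    rejected by a live server) ends the evaluation with no fallback."""
    for name, method in method_list:
        verdict = method(user, password)
        if verdict != "ERROR":
            return verdict, name
    return "ERROR", None


# Constructed scenario: the two servers from the post plus an assumed local user.
def scenario(server1_up, server2_up, password, with_local_fallback):
    servers = [TacacsServer("1.1.1.1", server1_up, {"admin": "tacacs-pw"}),
               TacacsServer("2.2.2.2", server2_up, {"admin": "tacacs-pw"})]
    methods = [("group tacacs+", tacacs_group(servers))]
    if with_local_fallback:
        methods.append(("local", local_method({"admin": "local-pw"})))
    return authenticate(methods, "admin", password)


if __name__ == "__main__":
    print(scenario(False, True, "tacacs-pw", False))    # failover to 2.2.2.2
    print(scenario(True, True, "local-pw", True))       # rejected, no fallback
    print(scenario(False, False, "local-pw", True))     # both down, local used
    print(scenario(False, False, "tacacs-pw", False))   # both down, locked out
```

The fourth case is the one the config as shown is exposed to: with both servers unreachable and no further method in the list, every login attempt ends in an error and the router is unreachable for management until a server comes back. The third case shows why a fallback method is usually appended, and the second shows that such a fallback does not weaken TACACS+ decisions, since a rejection from a live server is never retried against the local database.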