- Stub Router Configuration: All spoke routers are configured as stub routers, limiting the query scope in the network.
- Route Filtering: Implemented to allow communication within regions and with HQ while restricting inter-regional router communication.
- EIGRP Bandwidth Allocation: EIGRP is allocated 25% of the bandwidth on links participating in the EIGRP process.
- EIGRP Authentication: Authentication is enabled for EIGRP neighborship to enhance security.
- EIGRP Metric Calculation: Configured to use only the delay metric value for path metric calculation with a uniform delay setting of 10 microseconds.
- Passive Interfaces: LAN-facing interfaces are configured as passive to reduce unnecessary EIGRP traffic.
- EIGRP add-path feature is used to advertise redundant links to spoke routers.
router eigrp EIGRP
!
address-family ipv4 unicast autonomous-system 100
!
af-interface Tunnel10
authentication mode md5
authentication key-chain EIGRP-KEY
bandwidth-percent 25
no next-hop-self
add-path 2
no split-horizon
exit-af-interface
!
topology base
redistribute ospf 1 metric 100000 1 255 1 1500 route-map OSPF-to-EIGRP-MAP
exit-af-topology
network 172.16.0.0 0.0.0.255
metric weights 0 0 0 1 0 0 0
exit-address-family
- Area 23: Configured as a totally stub area, propagating only a default type 3 LSA.
Gateway of last resort is 10.0.23.1 to network 0.0.0.0
O*IA 0.0.0.0/0 [110/10001] via 10.0.23.1, 00:25:14, Ethernet0/1
- Area 10: Configured as an NSSA, receiving type 3 IA LSAs and Type 7 LSAs for the default route.
- Area 51 and Backbone: Configured as normal areas.
- ASBR (R7): Redistributes EIGRP prefixes into OSPF and redistributes OSPF routes into EIGRP-20.
router eigrp 20
network 10.1.1.0 0.0.0.3
redistribute ospf 1 metric 100000 1 255 1 1500 route-map OSPF-to-EIGRP
!
router ospf 1
router-id 10.0.0.7
auto-cost reference-bandwidth 100000
area 10 nssa
redistribute eigrp 20 subnets route-map EIGRP-to-OSPF
!
- Area 0: Serves as the backbone with R1 as the DR and R2 as the BDR, featuring point-to-point links.
- HUBs 1 and 2: Serve as the internet and VPN gateways for OSPF and EIGRP domains in the spoke networks; they also Redistribute prefixes between OSPF and EIGRP domains.
- Reference bandwidth for all routers used in OSPF cost calculation is 100Gbps
- EIGRP: Configured with MD5 authentication.
- Firewalls act as zone-based firewalls for stateful inspection, with specific rules for traffic.
- * FW-Area-10
- * Ingress Traffic:
- Remote desktop connection to windows server 192.168.10.254
- SNMP-traps,SYSLOG,DHCP and Netflow traffic
- * Egress traffic:
- All UDP, TCP and ICMP traffic
- * FW-AREA-51
- * Ingress traffic
- All traffic originating from spokes and Hubs
- * Egress traffic
- All UDP, TCP and ICMP traffic
- CoPP: Configured on Backbone routers.
- Edge routers: Disable CDP and LLDP on internet-facing interfaces.
- IPsec: Configured in conjunction with DMVPN for enhanced security.
- Remote access via SSH can only be accessed via 192.168.2.0/24 network.
hub config snippet:
--------------------
interface Tunnel10
ip address 172.16.0.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication gns3vpn
ip nhrp map multicast dynamic
ip nhrp network-id 10
ip tcp adjust-mss 1360
delay 1
tunnel source Ethernet0/2
tunnel mode gre multipoint
tunnel key 10
tunnel protection ipsec profile Crypt_profile
- DHCP Server: windows-server serves as the DHCP/DNS server.
- QoS: Configured on routers facing end devices to block torrent sites and police social media sites to 1Mbps.
- NAT: Configured on spoke routers and Area 51 firewalls to provide independent internet connectivity for regional offices.
- NTP: Configured on all devices for time synchronization.
- windows server is configured to enable Remote desktop connection, the firewall only permits this from 192.168.2.0/24 network.
- In Area 23 HSRPv2 is configured for redundancy and load sharing of traffic for both VLAN 2 and 3
- SNMP: Configured on all routers for proactive monitoring using PRTG installed on windows server.
- SPAN and RSPAN: Configured on Edge switches to inspect all traffic entering from and leaving towards the internet.
- NetFlow: Configured on all Spokes and Area 23 routers to monitor traffic trends.
- Syslog has been configured on all devices with windows server as the syslog server
- VTY access has been configured with syslog level 6
- Python Netmiko: Installed on Ubuntu server to automate repetitive tasks related to SNMP, NetFlow and DHCP.
pip install netmiko
pip install rich