
K7 SOLUTION BOOK

CCIE SOLDIER

Section 1 : Layer 2 Technologies

1.1 Troubleshoot Layer 2 Switch Faults

1. Root guard on SW1 trunk ports
   interface range f0/19 - 24
   no spanning-tree guard root
2. DHCP snooping / ARP inspection on VLAN 17 on SW2
   no ip dhcp snooping vlan 17
   no ip arp inspection vlan 17
3. PortFast on SW4 trunk interfaces
   interface range f0/19 - 24
   no spanning-tree portfast
4. Root guard on the interfaces connected to the backbone
   On SW1 and SW3
   interface f0/10
   no spanning-tree guard
5. VTP version, domain name and password mismatch
   (The VTP version should be 2; adjust the domain name and password according to the test information.)

1.2 VLAN and Access-Ports

On all switches
vtp domain CCIE
vtp mode transparent
vtp password cisco
vtp version 2

On SW1
interface Vlan56
 ip address YY.YY.56.6 255.255.255.0

interface Vlan67
 ip address YY.YY.67.6 255.255.255.0

On SW2
interface Vlan17
 ip address YY.YY.17.7 255.255.255.0
interface Vlan67
 ip address YY.YY.67.7 255.255.255.0

On SW3
interface Vlan38
 ip address YY.YY.38.8 255.255.255.0
interface Vlan89
 ip address YY.YY.89.8 255.255.255.0
interface Vlan300
 ip address 150.3.YY.1 255.255.255.0

On SW4
interface Vlan29
 ip address YY.YY.29.9 255.255.255.0
interface Vlan89
 ip address YY.YY.89.9 255.255.255.0

1.3 Multiple Spanning Tree (MST)

On all switches
vlan dot1q tag native
spanning-tree mode mst
spanning-tree mst configuration
 revision 1
 name cisco
 instance 3 vlan 1-4094
 instance 1 vlan 17,29,45,67,89,333,999
 instance 2 vlan 34,38,56,100,200,300,500,666
interface range fastethernet 0/19-24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
interface port-channel 1
 switchport trunk native vlan 999
 // Just added: you will get a native VLAN mismatch error message if the port-channel is not handled as well //
interface range <all-unused-ports>
 switchport mode access
 switchport access vlan 999
 shutdown

On SW1
spanning-tree mst 0 root primary
spanning-tree mst 1 root primary
spanning-tree mst 2 root secondary

On SW2
spanning-tree mst 0 root secondary
spanning-tree mst 1 root secondary
spanning-tree mst 2 root primary

1.4 Switch Trunking and EtherChannel

interface range fastethernet 0/19-24
 switchport trunk encapsulation dot1q
 switchport nonegotiate

On SW1
port-channel load-balance src-dst-mac
interface range fastethernet 0/23-24
 channel-group 1 mode active
interface fastethernet 0/24
 lacp port-priority 1

On SW2
port-channel load-balance src-dst-mac
interface range fastethernet 0/23-24
 channel-group 1 mode passive
interface fastethernet 0/24
 lacp port-priority 1

1.5 Implement 802.1Q Tunneling

On all switches
interface range fastethernet 0/19-24
 switchport trunk allowed vlan remove 333,666

On SW3 and SW4
no vlan 666
interface fastethernet 0/19
 switchport trunk allowed vlan 333

On SW1 and SW2
system mtu 1504
// reload for this command to take effect //
system mtu routing 1500
// default //
interface fastethernet 0/19
 switchport access vlan 666
 switchport mode dot1q-tunnel
 l2protocol-tunnel cdp
 no cdp enable
interface Port-channel 1
 switchport trunk allowed vlan add 666

On SW3

interface Vlan333
 ip address YY.YY.33.8 255.255.255.0

On SW4
interface Vlan333
 ip address YY.YY.33.9 255.255.255.0

1.6 PPP over Ethernet

Check carefully for the "service password-encryption" command. If it is enabled, disable it with "no service password-encryption".

On R3 (Server)
username RackYYR4 password CISCO
bba-group pppoe CISCO
 virtual-template 1
interface FastEthernet0/0
 // R3 interface facing R4 //
 no ip address
 pppoe enable group CISCO
interface Virtual-Template1
 ip address YY.YY.34.3 255.255.255.0
 peer default ip address pool POOL
 ppp authentication chap
ip local pool POOL YY.YY.34.4

On R4 (Client)
interface FastEthernet0/1
 // R4 interface facing R3 //
 no ip address
 pppoe enable
 pppoe-client dial-pool-number 1
interface Dialer1
 mtu 1492
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer persistent
 dialer idle-timeout 0
 ppp chap hostname RackYYR4
 ppp chap password CISCO

1.7 Implement Frame-Relay

On R1
interface Serial0/0/0
 bandwidth 50000
 ip address YY.YY.12.1 255.255.255.0
 encapsulation frame-relay IETF
 frame-relay map ip YY.YY.12.2 100 broadcast
 frame-relay map ip YY.YY.12.1 100
 no frame-relay inverse-arp

On R2
interface Serial0/0/0
 bandwidth 50000

 ip address YY.YY.12.2 255.255.255.0
 encapsulation frame-relay IETF
 frame-relay map ip YY.YY.12.1 200 broadcast
 frame-relay map ip YY.YY.12.2 200
 no frame-relay inverse-arp

Section 2 : Layer 3 Technologies

2.1 IPv4 OSPF

On R1
ip cef
router ospf yy
 router-id YY.YY.1.1
 area 1 virtual-link YY.YY.3.3
 network YY.YY.1.1 0.0.0.0 area 0
 network YY.YY.15.1 0.0.0.0 area 0
 network YY.YY.17.1 0.0.0.0 area 0
 network YY.YY.12.1 0.0.0.0 area 1
 network 150.1.YY.1 0.0.0.0 area 0
 // don't forget to advertise this network in OSPF //
 neighbor YY.YY.12.2

On R2
ip cef
router ospf yy
 router-id YY.YY.2.2
 network YY.YY.2.2 0.0.0.0 area 1
 network YY.YY.12.2 0.0.0.0 area 1
 network YY.YY.23.2 0.0.0.0 area 1
 network 150.2.YY.1 0.0.0.0 area 1
 // don't forget to advertise this network in OSPF //
 neighbor YY.YY.12.1

On R3
ip cef
router ospf yy
 router-id YY.YY.3.3
 area 1 virtual-link YY.YY.1.1
 area 1 virtual-link YY.YY.5.5
 network YY.YY.3.3 0.0.0.0 area 1
 network YY.YY.23.3 0.0.0.0 area 1
 network YY.YY.35.3 0.0.0.0 area 1
 network YY.YY.34.3 0.0.0.0 area 2

On R4
ip cef
router ospf yy
 router-id YY.YY.4.4
 network YY.YY.4.4 0.0.0.0 area 2
 network YY.YY.34.4 0.0.0.0 area 2

On R5
ip cef
router ospf yy
 router-id YY.YY.5.5
 area 1 virtual-link YY.YY.3.3

 network YY.YY.5.5 0.0.0.0 area 0
 network YY.YY.15.5 0.0.0.0 area 0
 network YY.YY.56.5 0.0.0.0 area 0
 network YY.YY.35.5 0.0.0.0 area 1

On SW1
ip routing
ip cef distributed
router ospf yy
 router-id YY.YY.6.6
 network YY.YY.6.6 0.0.0.0 area 0
 network YY.YY.56.6 0.0.0.0 area 0
 network YY.YY.67.6 0.0.0.0 area 0

On SW2
ip routing
ip cef distributed
router ospf yy
 router-id YY.YY.7.7
 network YY.YY.7.7 0.0.0.0 area 0
 network YY.YY.17.7 0.0.0.0 area 0
 network YY.YY.67.7 0.0.0.0 area 0

2.2 IPv4 EIGRP

On SW3
ip routing
ip cef distributed
router eigrp YY
 network YY.YY.8.8 0.0.0.0
 network YY.YY.38.8 0.0.0.0
 network YY.YY.89.8 0.0.0.0
 redistribute eigrp 100
 no auto-summary
router eigrp 100
 network 150.3.YY.1 0.0.0.0
 no auto-summary

On R3
router eigrp YY
 network YY.YY.38.3 0.0.0.0
 no auto-summary

On R2
router eigrp YY
 network YY.YY.29.2 0.0.0.0
 no auto-summary

On SW4
ip routing
ip cef distributed
router eigrp YY
 network YY.YY.9.9 0.0.0.0
 network YY.YY.29.9 0.0.0.0

 network YY.YY.89.9 0.0.0.0
 no auto-summary

2.3 IPv4 RIPv2

On R4
router rip
 version 2
 passive-interface default
 no passive-interface FastEthernet0/0
 network YY.0.0.0
 no auto-summary

On R5
router rip
 version 2
 passive-interface default
 no passive-interface FastEthernet0/1
 network YY.0.0.0
 no auto-summary

Redistribution between OSPF, EIGRP and RIP

2.4 Between OSPF and EIGRP

On R2 / R3
route-map SET_TAG permit 10
 match source-protocol eigrp YY
 match route-type external
 set tag 100
route-map SET_TAG permit 20
route-map DENY_TAG deny 10
 match tag 100
route-map DENY_TAG permit 20
router eigrp YY
 redistribute ospf yy metric 100000 100 255 1 1500
router ospf yy
 redistribute eigrp YY subnets route-map SET_TAG
 distribute-list route-map DENY_TAG in

2.5 Between OSPF and RIPv2


On R4
router rip
 distance 109 YY.YY.45.5 0.0.0.0 6
access-list 6 permit YY.YY.6.6

On R5
router ospf yy
 redistribute rip subnets route-map RIP
route-map RIP permit 10
 match ip address 45

access-list 45 permit YY.YY.45.0 0.0.0.255
router rip
 redistribute ospf yy metric 10

2.6 IPv4 EBGP


On R2
router bgp YY
 bgp graceful-restart
 neighbor 150.2.YY.254 remote-as 254

On R1
router bgp YY
 bgp graceful-restart
 neighbor 150.1.YY.254 remote-as 254
 neighbor 150.1.YY.254 maximum-prefix 5 100 warning-only
// Read the question carefully. If the question does not name a specific router for the warning message, configure it on both routers. //

2.7 IPv4 IBGP


On R1
router bgp YY
 bgp router-id YY.YY.1.1
 neighbor YY.YY.3.3 remote-as YY
 neighbor YY.YY.3.3 update-source Loopback0

On R2
router bgp YY
 bgp router-id YY.YY.2.2
 neighbor YY.YY.3.3 remote-as YY
 neighbor YY.YY.3.3 update-source Loopback0

On R4
router bgp YY
 bgp router-id YY.YY.4.4
 neighbor YY.YY.3.3 remote-as YY
 neighbor YY.YY.3.3 update-source Loopback0

On R5
router bgp YY
 bgp router-id YY.YY.5.5
 neighbor YY.YY.3.3 remote-as YY
 neighbor YY.YY.3.3 update-source Loopback0

On R3
router bgp YY
 bgp router-id YY.YY.3.3
 neighbor YY.YY.1.1 remote-as YY
 neighbor YY.YY.1.1 update-source Loopback0
 neighbor YY.YY.1.1 route-reflector-client
 neighbor YY.YY.2.2 remote-as YY
 neighbor YY.YY.2.2 update-source Loopback0
 neighbor YY.YY.2.2 route-reflector-client
 neighbor YY.YY.4.4 remote-as YY

 neighbor YY.YY.4.4 update-source Loopback0
 neighbor YY.YY.4.4 route-reflector-client
 neighbor YY.YY.5.5 remote-as YY
 neighbor YY.YY.5.5 update-source Loopback0
 neighbor YY.YY.5.5 route-reflector-client

2.8 Advanced BGP


On R1
router bgp YY
 redistribute ospf yy match internal external 1 external 2

On R2
router bgp YY
 redistribute ospf yy match internal external 1 external 2
 neighbor 150.2.YY.254 route-map PREPEND in
route-map PREPEND permit 10
 set as-path prepend 253

On R3
router bgp YY
 neighbor YY.YY.1.1 weight 100

On R5
interface Serial0/0/0
 // serial interface facing R1 //
 ip ospf cost 1

2.9 IPv6 Address and OSPF Routing


On R1
ipv6 unicast-routing
ipv6 cef
ipv6 router ospf 2001
 router-id YY.YY.1.1
interface Serial0/0/1
 ipv6 address 2001:YY:15::1/64
 ipv6 ospf 2001 area 0
 ipv6 nd ra suppress
 ipv6 ospf authentication ipsec spi 500 md5 1234567890ABCDEF1234567890ABCDEF
interface FastEthernet0/0
 ipv6 address 2001:YY:17::1/64
 ipv6 ospf 2001 area 0
 ipv6 nd ra suppress
interface Loopback0
 ipv6 address 2001:YY:1::1/128
 ipv6 ospf 2001 area 0

On R5
ipv6 unicast-routing
ipv6 cef

ipv6 router ospf 2001
 router-id YY.YY.5.5
interface Loopback0
 ipv6 address 2001:YY:5::5/128
 ipv6 ospf 2001 area 0
interface FastEthernet0/0
 ipv6 address 2001:YY:56::5/64
 ipv6 ospf 2001 area 0
 ipv6 nd ra suppress
interface Serial0/0/1
 ipv6 address 2001:YY:15::5/64
 ipv6 ospf 2001 area 0
 ipv6 nd ra suppress
 ipv6 ospf authentication ipsec spi 500 md5 1234567890ABCDEF1234567890ABCDEF

On SW1
sdm prefer dual-ipv4-and-ipv6 default
// reload //
ipv6 unicast-routing
ipv6 cef
ipv6 router ospf 2001
 router-id YY.YY.6.6
interface Loopback0
 ipv6 address 2001:YY:6::6/128
 ipv6 ospf 2001 area 0
interface Vlan56
 ipv6 address 2001:YY:56::6/64
 ipv6 ospf 2001 area 0
 ipv6 nd ra suppress
interface Vlan67
 ipv6 address 2001:YY:67::6/64
 ipv6 ospf 2001 area 0
 ipv6 nd ra suppress

On SW2
sdm prefer dual-ipv4-and-ipv6 default
// reload //
ipv6 unicast-routing
ipv6 cef
ipv6 router ospf 2001
 router-id YY.YY.7.7
interface Loopback0
 ipv6 address 2001:YY:7::7/128
 ipv6 ospf 2001 area 0
interface Vlan17
 ipv6 address 2001:YY:17::7/64
 ipv6 ospf 2001 area 0
 ipv6 nd ra suppress
interface Vlan67
 ipv6 address 2001:YY:67::7/64
 ipv6 ospf 2001 area 0

 ipv6 nd ra suppress

Section 3 : IP Multicast

3.1 Implement IPv4 Multicast 1 & 3.2 Implement IPv4 Multicast 2
On R3
ip multicast-routing
access-list 10 permit 225.1.1.1
access-list 10 permit 225.1.1.2
access-list 10 permit 225.1.1.3
ip pim ssm range 10
interface Loopback0
 ip pim sparse-mode
!
interface Serial0/0/0
 ip pim sparse-mode
!
no ip igmp ssm-map query dns

On R5
ip multicast-routing
access-list 10 permit 225.1.1.1
access-list 10 permit 225.1.1.2
access-list 10 permit 225.1.1.3
access-list 20 permit 225.1.1.2
access-list 20 permit 225.1.1.3
ip pim ssm range 10
interface Serial0/0/1
 ip pim sparse-mode
!
ip igmp ssm-map enable
no ip igmp ssm-map query dns
ip igmp ssm-map static 20 YY.YY.3.3
!
interface FastEthernet0/0
 ip pim sparse-mode
 ip igmp version 3
 ip igmp join-group 225.1.1.1 source YY.YY.3.3
 // pay attention to which interface is used for the IGMPv3 join //
 ip igmp static-group 225.1.1.2 source ssm-map
 // pay attention to which interface is used for the IGMPv2 join //
 ip igmp static-group 225.1.1.3 source ssm-map
 // pay attention to which interface is used for the IGMPv2 join //

Section 4 : Advanced Services

4.1 IGP Authentication 1


On R5
no service password-encryption
// the key can then be read with "show key chain" //
key chain rip
 key 1
  key-string HiddenRipKey
  // check carefully which key is preconfigured //
interface FastEthernet0/1
 ip rip authentication mode md5
 ip rip authentication key-chain rip

On R4
interface FastEthernet0/0
 ip rip authentication mode md5
 ip rip authentication key-chain rip

4.2 Zone-Based Firewall


On R1
class-map type inspect match-all A_B
 match protocol icmp
policy-map type inspect A_B
 class type inspect A_B
  pass
 class class-default
  pass
zone security A
zone security B
zone-pair security A_B source A destination B
 service-policy type inspect A_B
zone-pair security B_A source B destination A
 service-policy type inspect A_B
interface FastEthernet0/0
 zone-member security A
interface FastEthernet0/1
 zone-member security B
interface Serial0/0/0
 zone-member security A
interface Serial0/0/1
 zone-member security A

4.3 Layer 2 Security


On all switches
vlan 555
 private-vlan community
vlan 557
 private-vlan community
vlan 559
 private-vlan isolated
vlan 45
 private-vlan primary
 private-vlan association 555,557,559
spanning-tree mst configuration
 instance 1 vlan 555,557,559

On SW1
interface FastEthernet0/4
 no switchport access vlan
 switchport mode private-vlan host
 switchport private-vlan host-association 45 555
 no shutdown
interface FastEthernet0/6
 no switchport access vlan
 switchport mode private-vlan host
 switchport private-vlan host-association 45 557
 no shutdown
interface FastEthernet0/7
 no switchport access vlan
 switchport private-vlan host-association 45 559
 switchport mode private-vlan host
 no shutdown
interface FastEthernet0/9
 no switchport access vlan
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 45 555,557,559
 no shutdown

On SW2
interface FastEthernet0/5
 no switchport access vlan
 switchport mode private-vlan host
 switchport private-vlan host-association 45 555
 no shutdown
interface FastEthernet0/6
 no switchport access vlan
 switchport mode private-vlan host
 switchport private-vlan host-association 45 557
 no shutdown

interface FastEthernet0/7
 no switchport access vlan
 switchport mode private-vlan host
 switchport private-vlan host-association 45 559
 no shutdown

4.4 Quality of Service-1


On R1
access-list 40 permit 197.68.1.0 0.0.0.255
class-map BB
 match access-group 40
 match input-interface FastEthernet0/1
 // interface facing BB1 //
policy-map LIMIT_BB
 class BB
  shape average 128000
interface Serial0/0/1
 // interface facing R5 //
 service-policy output LIMIT_BB
interface FastEthernet0/0
 // interface facing SW2 //
 service-policy output LIMIT_BB

4.5 Quality of Service-2


On R5
class-map Control
 match ip precedence 6 7
class-map Voice
 match ip precedence 5
class-map Video
 match ip precedence 4
class-map Business
 match ip precedence 3
class-map Internet
 match ip precedence 0
policy-map MQC
 class Voice
  priority percent 20
  police cir percent 20
 class Control
  priority 100
  // or: bandwidth percent 5 //
 class Video
  bandwidth percent 30

 class Business
  bandwidth percent 30
  random-detect
  random-detect exponential-weighting-constant 10
 class Internet
interface Serial0/0/1
 // interface facing R3 //
 max-reserved-bandwidth 100
 bandwidth 2000
 // only if the default is not already 2000 Kbps //
 service-policy output MQC

4.6 Implementing HSRP


On SW1
interface Vlan500
 ip address YY.YY.100.2 255.255.255.0
 standby 1 ip YY.YY.100.254
 standby 1 authentication md5 key-string CISCO
 standby 1 preempt
 standby 1 timers 3 16
 no shutdown

On SW2
track 1 ip route 150.1.YY.0 255.255.255.0 reachability
interface Vlan500
 ip address YY.YY.100.1 255.255.255.0
 standby 1 ip YY.YY.100.254
 standby 1 authentication md5 key-string CISCO
 standby 1 preempt
 standby 1 priority 120
 standby 1 track 1 decrement 30
 standby 1 timers 3 16
 no shutdown

4.7 Time Based ACL


On SW1 / SW2
time-range HTTP
 periodic weekdays 09:00 to 16:59
!
time-range FTP
 periodic daily 22:00 to 23:59
!
time-range UDP
 periodic daily 17:00 to 23:59
 periodic daily 00:00 to 08:59
// Check the order of the entries carefully //
ip access-list extended TBACL
 deny tcp YY.YY.100.0 0.0.0.255 any eq www time-range HTTP
 permit tcp YY.YY.100.0 0.0.0.255 any eq www
 permit tcp YY.YY.100.0 0.0.0.255 any eq ftp ftp-data time-range FTP
 permit udp YY.YY.100.0 0.0.0.255 eq 1985 host 224.0.0.2 eq 1985
 permit udp YY.YY.100.0 0.0.0.255 any time-range UDP

interface Vlan500
 ip access-group TBACL in
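The note above about entry order is the whole point of this ACL: the HTTP deny is only effective because it sits above the unconditional HTTP permit, and an entry whose time-range is inactive is simply skipped. The following evaluator is an added example, not part of the solution book; it models the TBACL entries and time-ranges from section 4.7 with IOS first-match semantics, assuming YY is 10 (constructed value) and that timestamps are given as ISO strings.

```python
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed value: YY assumed to be 10, so the user LAN is 10.10.100.0/24.
LAN = ip_network("10.10.100.0/24")

# Time ranges as configured in section 4.7 (periodic entries, minute granularity).
TIME_RANGES = {
    "HTTP": [("weekdays", time(9, 0), time(16, 59))],
    "FTP":  [("daily", time(22, 0), time(23, 59))],
    "UDP":  [("daily", time(17, 0), time(23, 59)), ("daily", time(0, 0), time(8, 59))],
}

# TBACL entries in configured order:
# (action, protocol, src_ports, dst_host, dst_ports, time_range); None means "any".
TBACL = [
    ("deny",   "tcp", None,   None,                    {80},     "HTTP"),
    ("permit", "tcp", None,   None,                    {80},     None),
    ("permit", "tcp", None,   None,                    {20, 21}, "FTP"),   # ftp, ftp-data
    ("permit", "udp", {1985}, ip_address("224.0.0.2"), {1985},   None),    # HSRP hellos
    ("permit", "udp", None,   None,                    None,     "UDP"),
]

def time_range_active(name, when):
    """IOS periodic semantics: 'weekdays' is Mon-Fri, 'daily' is every day."""
    if name is None:
        return True
    minute = when.time().replace(second=0, microsecond=0)
    for days, start, end in TIME_RANGES[name]:
        if days == "weekdays" and when.weekday() > 4:
            continue
        if start <= minute <= end:
            return True
    return False

def evaluate(proto, src, sport, dst, dport, when):
    """First matching entry wins; inactive time-range entries are skipped; implicit deny at the end."""
    when = datetime.fromisoformat(when)
    src, dst = ip_address(src), ip_address(dst)
    if src not in LAN:
        return "deny"  # every entry has the LAN as its source, so nothing else can match
    for action, p, sports, dhost, dports, tr in TBACL:
        if p != proto:
            continue
        if sports is not None and sport not in sports:
            continue
        if dhost is not None and dst != dhost:
            continue
        if dports is not None and dport not in dports:
            continue
        if not time_range_active(tr, when):
            continue
        return action
    return "deny"
```

Swapping the first two entries would make the HTTP deny unreachable, which is exactly the mistake the "check the order" note warns about.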

Section 5 : Optimize the Network

5.1 Simple Network Management Protocol (SNMP)
On R3
access-list 17 permit YY.YY.17.0 0.0.0.255
access-list 67 permit YY.YY.67.0 0.0.0.255
snmp-server location San Jose, US
snmp-server contact ccie@cisco.com
snmp-server source-interface traps Loopback0
snmp-server view adminview iso included
snmp-server view adminwrite system included
snmp-server group admin v3 priv read adminview write adminwrite access 17
snmp-server user ccie admin v3 auth md5 cisco
snmp-server community NMS ro 67
no snmp-server group NMS v1

To verify:
show snmp user
show snmp group

5.2 NetFlow
On R1
ip flow-export version 9
ip flow-export source Loopback0
// read the question carefully; sometimes "source loopback 0" is not stated in the question //
ip flow-export destination YY.YY.56.100 2222 sctp
 backup destination YY.YY.56.101 2222
 backup mode fail-over
flow-sampler-map NETFLOW
 mode random one-out-of 1000
interface GigabitEthernet0/1
 flow-sampler NETFLOW
 flow-sampler NETFLOW egress
