
SECTION 1 Layer 2 Technologies

SECTION 1.1 Switch Administration

Configure the ACME Headquarters network (AS12345) as per the following requirements:

The VTP domain must be set to CCIE
Use VTP version 2
SW1 and SW2 must not advertise their VLAN configuration but must forward VTP advertisements that they receive out their trunk ports
Secure all VTP updates with an MD5 digest of the ASCII string "CCIErocks?"

Configure the network of the New York office (AS34567) as per the following requirements:

The VTP domain must be set to CCIE
Use VTP version 2
SW3 must be the VTP Server and SW4 must be the VTP Client
Secure all VTP updates with an MD5 digest of the ASCII string "CCIErocks?"
In order to avoid unknown unicast flooding in all VLANs as much as possible, the administrator requires that any dynamic entries learned by SW3 and SW4 must be retained for 3 hours before being refreshed

Note: Check which switches are asked to be in Server/Client/Transparent mode and check the MAC address aging time
VTP transparent mode: VLANs, domain name and mode should be present in the running config and can then be saved in the startup config
Use Ctrl+V or Esc+Q in order to put "?" as a part of the password (otherwise the CLI interprets "?" as a help request)
Solution:
SW1,SW2:
vtp domain CCIE
vtp version 2
vtp mode transparent
vtp password CCIErocks?

SW3:
vtp domain CCIE
vtp version 2
vtp mode server
vtp password CCIErocks?
!
mac address-table aging-time 10800

SW4:
vtp domain CCIE
vtp version 2
vtp mode client
vtp password CCIErocks?
!
mac address-table aging-time 10800

Verification:
show vtp status
show vtp password
show mac address-table aging-time

SECTION 1.2 Layer 2 Ports

Configure your network as per the following requirements:

Complete the config of all VLANs so that all routers that are located in ACME's headquarters (AS12345) and New York office (AS34567) can ping their directly connected neighbors
All four switches (SW1-SW4) must have dot1q trunks that do not rely on negotiation; do not configure any EtherChannel
Ensure that the following unused ports on all four switches are shut down and configured as access ports in VLAN 999

E3/0-E3/3 are unused on SW1 and SW2
E1/0-E1/3 are unused on SW3 and SW4
E3/0-E3/3 are unused on SW3 and SW4

Note: VLAN configuration is required on Server/Transparent mode switches only, not on Client mode
Solution:

SW1,SW2:
vlan 14,15,23,24,35,46,57,67,999
SW3:
vlan 34,38,49,89,111,310,411,999

SW1:
int e0/0
switchport mode access
switchport access vlan 14
no shut
!
int e0/1
switchport mode access
switchport access vlan 23
no shut
!
int e0/2
switchport mode access
switchport access vlan 23
no shut
!
int e0/3
switchport mode access
switchport access vlan 24
no shut
!
int e1/0
switchport mode access
switchport access vlan 14
no shut
!
int e1/1
switchport mode access
switchport access vlan 15
no shut
!
int e1/2
switchport mode access

SW1,SW2,SW3,SW4:
int range e2/0 - 3
switchport trunk encap dot1q
switchport mode trunk
switchport nonegotiate
no shut

SW2:
int e0/0
switchport mode access
switchport access vlan 15
no shut
!
int e0/1
switchport mode access
switchport access vlan 24
no shut
!
int e0/2
switchport mode access
switchport access vlan 35
no shut
!
int e0/3
switchport mode access
switchport access vlan 46
no shut
!
int e1/0
switchport mode access
switchport access vlan 35
no shut
!
int e1/1
switchport mode access
switchport access vlan 57
no shut
!
int e1/2
switchport mode access

SW1,SW2,SW3,SW4:
int range e3/0 - 3
switchport mode access
switchport access vlan 999
shut

SW3:
int e0/0
switchport mode access
switchport access vlan 38
no shut
!
int e0/1
switchport mode access
switchport access vlan 89
no shut
!
int e0/2
switchport mode access
switchport access vlan 310
no shut
!
int e0/3
switchport mode access
switchport access vlan 111
no shut
!
int vlan 34
ip add 123.10.2.13 255.255.255.252
no shut
!
int vlan 38
ip add 123.10.2.6 255.255.255.252
no shut
!
int vlan 310
ip add 123.10.2.17 255.255.255.252
no shut

SW3,SW4:
int range e1/0 - 3
switchport mode access
switchport access vlan 999
shut

SW4:
int e0/0
switchport mode access
switch access vlan 89
no shut
!
int e0/1
switchport mode access
switch access vlan 49
no shut
!
int e0/2
switchport mode access
switch access vlan 111
no shut
!
int e0/3
switchport mode access
switch access vlan 411
no shut
!
int vlan 34
ip add 123.10.2.14 255.255.255.252
no shut
!
int vlan 49
ip add 123.10.2.10 255.255.255.252
no shut
!
int vlan 411
ip add 123.10.2.21 255.255.255.252
no shut

SW1 (int e1/2 continued):
switchport access vlan 67
no shut
!
int e1/3
switchport mode access
switchport access vlan 67
no shut

SW2 (int e1/2 continued):
switchport access vlan 46
no shut
!
int e1/3
switchport mode access
switchport access vlan 57
no shut

Verification:
show interfaces status
show interface trunk
show vlan brief

SECTION 1.3 Spanning Tree

Configure the ACME network as per the following requirements:

MST variant:

Each of the following sets of VLANs must share a common spanning topology:

Spanning tree topology 1: all odd VLANs used throughout your exam
Spanning tree topology 2: all even VLANs used throughout your exam
Default spanning tree topology: all other VLANs
Ensure that SW1 and SW3 are the root switch for instance 1 and the backup root switch for instance 2 (means MST)
Ensure that SW2 and SW4 are the root switch for instance 2 and the backup root switch for instance 1 (means MST)
All switches must maintain three STP instances in total
Explicitly configure the root and backup roles assuming that other switches with default configuration may eventually be added to the network in the future
All access ports must immediately transition to the forwarding state upon link up and they must still participate in STP; use a single command per switch to enable this feature
Access ports must automatically shut down if they receive any BPDU and an administrator must still manually re-enable the port; use a single command per switch to enable the feature

RSTP variant:

SW1 must be the root switch for all odd VLANs and must be the backup for all even VLANs
SW2 must be the root switch for all even VLANs and must be the backup for all odd VLANs
SW3 must be the root switch for all odd VLANs and must be the backup for all even VLANs
SW4 must be the root switch for all even VLANs and must be the backup for all odd VLANs
Use the STP mode that has only three possible states (means RSTP)
All switches must maintain one STP instance per VLAN (means RSTP)
Explicitly configure the root and backup roles, assuming that other switches with default configuration may eventually be added to the network in the future
All access ports must immediately transition to the forwarding state upon link up and they must still participate in STP; use a single command per switch to enable this
Access ports must automatically shut down if they receive any BPDU and an administrator must still manually re-enable the port; use a single command per switch to enable this feature

Solution:

MST:

SW1,SW2,SW3,SW4:
spanning-tree mode mst
spanning-tree portfast default
spanning-tree portfast bpduguard default

SW1,SW2:
spanning-tree mst configuration
name cisco
revision 1
instance 1 vlan 1,15,23,35,57,67,999
instance 2 vlan 14,24,46
SW3,SW4:
spanning-tree mst configuration
name cisco
revision 1
instance 1 vlan 1,49,89,111,411,999
instance 2 vlan 34,38,310
SW1,SW3:
spanning-tree mst 1 priority 0
spanning-tree mst 2 priority 4096
SW2,SW4:
spanning-tree mst 1 priority 4096
spanning-tree mst 2 priority 0

RSTP:

SW1,SW2,SW3,SW4:
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default

SW1:
spanning vlan 1,15,23,35,57,67,999 priority 0
spanning vlan 14,24,46 priority 4096
SW2:
spanning vlan 1,15,23,35,57,67,999 priority 4096
spanning vlan 14,24,46 priority 0
SW3:
spanning vlan 1,49,89,111,411,999 priority 0
spanning vlan 34,38,310 priority 4096
SW4:
spanning vlan 1,49,89,111,411,999 priority 4096
spanning vlan 34,38,310 priority 0

Verification:
show spanning-tree
show spanning-tree root
show spanning-tree summary
show spanning-tree mst configuration
show spanning-tree mst
show spanning-tree mst 0
show spanning-tree mst 1
show spanning-tree mst 2
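Why priority 0 and 4096 satisfy the "switches with default configuration may be added later" requirement comes down to how bridge IDs compare. The following Python model is an added example, not part of the workbook: it implements the bridge-ID comparison (4-bit priority plus 12-bit system ID extension, then MAC) and runs the election for the HQ priorities above. The MAC addresses and the extra switch SW9 are constructed assumptions; SW9 deliberately has the lowest MAC so that, at defaults, it would win.

```python
DEFAULT_PRIORITY = 32768


def is_valid_priority(priority):
    """IOS accepts only multiples of 4096 between 0 and 61440: the priority
    occupies the upper 4 bits of a 16-bit field."""
    return priority % 4096 == 0 and 0 <= priority <= 61440


def bridge_id(priority, sysid_ext, mac):
    """Bridge identifier as compared during root election: the 16-bit field is
    priority + system ID extension (the VLAN number in rapid-PVST, the
    instance number in MST), followed by the bridge MAC. Lowest value wins."""
    if not is_valid_priority(priority):
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 0 <= sysid_ext <= 4095:
        raise ValueError("system ID extension is a 12-bit field")
    return (priority + sysid_ext, int(mac.replace(".", ""), 16))


def election_order(switches, instance):
    """Switch names ordered by bridge ID for one instance (or VLAN): index 0
    is the root, index 1 takes over if the root fails (the 'backup root')."""
    def key(name):
        prio = switches[name]["priority"].get(instance, DEFAULT_PRIORITY)
        return bridge_id(prio, instance, switches[name]["mac"])
    return sorted(switches, key=key)


# Constructed HQ switches: SW1/SW2 carry the MST priorities from the solution
# above; SW9 is a hypothetical future switch left at defaults with the lowest
# MAC of the three (constructed addresses, not from the lab).
HQ = {
    "SW1": {"mac": "aabb.cc00.1000", "priority": {1: 0, 2: 4096}},
    "SW2": {"mac": "aabb.cc00.2000", "priority": {1: 4096, 2: 0}},
    "SW9": {"mac": "aabb.cc00.0001", "priority": {}},
}
# Same switches with nobody configured: the election falls back to MAC.
HQ_ALL_DEFAULT = {name: {"mac": sw["mac"], "priority": {}} for name, sw in HQ.items()}

if __name__ == "__main__":
    for inst in (0, 1, 2):
        print(f"MST instance {inst}: {election_order(HQ, inst)}")
    print(f"all defaults, instance 1: {election_order(HQ_ALL_DEFAULT, 1)}")
```

Instance 0 (the CIST, carrying "all other VLANs") is the caveat: the solution sets priorities only for instances 1 and 2, so a new switch with a lower MAC would become root for instance 0 unless `spanning-tree mst 0 priority` is also set.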

SECTION 1.4 WAN Switching

The WAN links must rely on a layer 2 protocol that supports link negotiation and authentication
The service provider expects both R18 and R19 to complete a three-way handshake by providing the expected response to a challenge that is sent by the AS20003 router
R18 must use the username ACME-R18 and password CCIE
R19 must use the username ACME-R19 and password CCIE
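The "three-way handshake" the provider expects is PPP CHAP (RFC 1994): the authenticator sends a random Challenge, the peer answers with MD5(Identifier || secret || Challenge), and the authenticator compares. The Python model below is an added example, not from the workbook, showing both sides and the two properties a defender cares about: a wrong password fails, and a captured Response cannot be replayed against a new Challenge. The challenge length and the hostname/password pairs for R18/R19 are taken from the task; everything else is constructed.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """The provider side (the AS20003 router in the task). It issues a fresh
    random Challenge per attempt and keeps it only until it is answered."""

    def __init__(self, secrets):
        self.secrets = secrets          # {username: secret bytes}
        self.pending = {}               # identifier -> challenge value
        self.next_id = 1

    def challenge(self):
        identifier = self.next_id
        self.next_id = (self.next_id + 1) % 256
        value = os.urandom(16)          # unpredictable and never reused
        self.pending[identifier] = value
        return identifier, value

    def verify(self, identifier, username, response):
        challenge = self.pending.pop(identifier, None)   # single use, even on failure
        secret = self.secrets.get(username)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)   # constant-time compare


class ChapPeer:
    """The customer side (R18/R19): 'ppp chap hostname' and 'ppp chap password'."""

    def __init__(self, hostname, password):
        self.hostname = hostname
        self.password = password

    def respond(self, identifier, challenge):
        return self.hostname, chap_response(identifier, self.password, challenge)


def run_handshake(authenticator, peer):
    """Challenge -> Response -> Success/Failure, reduced to one boolean."""
    identifier, challenge = authenticator.challenge()
    name, response = peer.respond(identifier, challenge)
    return authenticator.verify(identifier, name, response)


def replay_is_rejected(authenticator, peer):
    """Record one valid exchange, then resend the same Response both to a new
    Challenge and to the already-answered one; both must fail."""
    identifier, challenge = authenticator.challenge()
    name, response = peer.respond(identifier, challenge)
    first = authenticator.verify(identifier, name, response)
    new_id, _ = authenticator.challenge()
    return (first
            and not authenticator.verify(new_id, name, response)
            and not authenticator.verify(identifier, name, response))


if __name__ == "__main__":
    provider = ChapAuthenticator({"ACME-R18": b"CCIE", "ACME-R19": b"CCIE"})
    print("R18 authenticates:", run_handshake(provider, ChapPeer("ACME-R18", b"CCIE")))
    print("wrong password rejected:", not run_handshake(provider, ChapPeer("ACME-R18", b"x")))
    print("replay rejected:", replay_is_rejected(provider, ChapPeer("ACME-R19", b"CCIE")))
```

`debug ppp authentication` on R18/R19 shows exactly these three messages (CHALLENGE, RESPONSE, SUCCESS or FAILURE); the secret itself never crosses the link.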

Solution:
R18:
int Serial 1/0
ip add 203.3.18.2 255.255.255.252
encapsulation ppp
no peer neighbor-route
ppp chap hostname ACME-R18
ppp chap password CCIE
no shut

R19:
int Serial 1/0
ip add 203.3.19.2 255.255.255.252
encapsulation ppp
no peer neighbor-route
ppp chap hostname ACME-R19
ppp chap password CCIE
no shut

Verification:
show ppp all
debug ppp authentication

SECTION 2 Layer 3 Technologies

A. After finishing each of the following questions make sure that all configured interfaces and subnets are consistently visible on all pertinent routers and switches
B. Do not redistribute routes between any interior gateway protocol (IGP) and BGP if not explicitly required.
C. If not explicitly stated otherwise you need to ping a BGP route only if it is stated in a question; otherwise the route should be only in the BGP table.
D. At the end of this section all subnets in your topology including the loopback interfaces must be reachable via ping from anywhere in your topology; the backbone interfaces must be reachable only if they are part of the solution to a question.
E. The loopback interfaces must be seen as a host route /32 in the routing tables unless stated otherwise in a question.

SECTION 2.1 OSPF in AS12345

Configure OSPFv2 area 0 in ACME HQ (AS12345) according to the following requirements:

Configure the OSPF process id to 12345 and set the router id to interface lo0 on all seven routers
The interface lo0 at each router must be seen as an internal OSPF prefix by all other routers
Ensure that OSPF is not running on any interface that is facing another AS; use any method to accomplish this requirement
SW1 and SW2 must not participate in routing at all
Do not change the default OSPF cost of any interface in AS12345
R1 should act like a stub router in OSPF; you are not asked to configure R1 in a stub area, just make sure R1 won't be a transit router for traffic of which R1 is neither the source nor the destination
R1 must see the following OSPF routes in the routing table
R1# show ip route ospf
!
Gateway of last resort is not set
123.0.0.0/8 is variably subnetted, 17 subnets, 2 masks
O 123.2.2.2/32 [110/21] via 123.10.1.1, 00:00:20, Ethernet0/1
O 123.3.3.3/32 [110/21] via 123.10.1.6, 00:00:30, Ethernet0/2
O 123.4.4.4/32 [110/11] via 123.10.1.1, 00:00:20, Ethernet0/1
O 123.5.5.5/32 [110/11] via 123.10.1.6, 00:00:30, Ethernet0/2
O 123.6.6.6/32 [110/21] via 123.10.1.1, 00:00:20, Ethernet0/1
O 123.7.7.7/32 [110/21] via 123.10.1.6, 00:00:30, Ethernet0/2
O 123.10.1.8/30 [110/30] via 123.10.1.6, 00:00:30, Ethernet0/2
                [110/30] via 123.10.1.1, 00:00:20, Ethernet0/1
O 123.10.1.12/30 [110/20] via 123.10.1.6, 00:00:30, Ethernet0/2
O 123.10.1.16/30 [110/20] via 123.10.1.1, 00:00:20, Ethernet0/1
O 123.10.1.20/30 [110/20] via 123.10.1.1, 00:00:20, Ethernet0/1
O 123.10.1.24/30 [110/30] via 123.10.1.6, 00:00:30, Ethernet0/2
                 [110/30] via 123.10.1.1, 00:00:20, Ethernet0/1
O 123.10.1.28/30 [110/20] via 123.10.1.6, 00:00:30, Ethernet0/2

After implementing the last point you should get something like:
O 123.2.2.2/32 [110/65546] via 123.10.1.1, 00:00:30 Ethernet 0/1

Solution:
R1:
router ospf 12345
router-id 123.1.1.1
net 123.1.1.1 0.0.0.0 area 0
net 123.10.1.2 0.0.0.0 area 0
net 123.10.1.5 0.0.0.0 area 0
net 123.10.1.0 0.0.0.255 area 0
max-metric router-lsa

R2:
router ospf 12345
router-id 123.2.2.2
net 123.2.2.2 0.0.0.0 area 0
net 123.10.1.9 0.0.0.0 area 0
net 123.10.1.17 0.0.0.0 area 0
net 123.10.1.0 0.0.0.255 area 0

R3:
router ospf 12345
router-id 123.3.3.3
net 123.3.3.3 0.0.0.0 area 0
net 123.10.1.10 0.0.0.0 area 0
net 123.10.1.13 0.0.0.0 area 0
net 123.10.1.0 0.0.0.255 area 0

R4:
router ospf 12345
router-id 123.4.4.4
net 123.4.4.4 0.0.0.0 area 0
net 123.10.1.21 0.0.0.0 area 0
net 123.10.1.1 0.0.0.0 area 0
net 123.10.1.18 0.0.0.0 area 0
net 123.10.1.0 0.0.0.255 area 0

R5:
router ospf 12345
router-id 123.5.5.5
net 123.5.5.5 0.0.0.0 area 0
net 123.10.1.14 0.0.0.0 area 0
net 123.10.1.6 0.0.0.0 area 0
net 123.10.1.29 0.0.0.0 area 0
net 123.10.1.0 0.0.0.255 area 0

R6:
router ospf 12345
router-id 123.6.6.6
net 123.6.6.6 0.0.0.0 area 0
net 123.10.1.25 0.0.0.0 area 0
net 123.10.1.22 0.0.0.0 area 0
net 123.10.1.0 0.0.0.255 area 0

R7:
router ospf 12345
router-id 123.7.7.7
net 123.7.7.7 0.0.0.0 area 0
net 123.10.1.30 0.0.0.0 area 0
net 123.10.1.26 0.0.0.0 area 0
net 123.10.1.0 0.0.0.255 area 0

Verification:
show ip ospf neighbor
show ip ospf int brief
show ip route ospf
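The [110/21] and [110/65546] values above, and the reason `max-metric router-lsa` keeps R1 out of everyone else's transit paths, both fall out of a shortest-path run over the HQ topology. The Python below is an added example, not from the workbook: it builds the eight /30 links of AS12345 from the network statements in this section, runs Dijkstra from any router, and reproduces the R1 table with and without the stub-router setting. The link list and default costs are read from the page; the graph model itself is the assumption (each directed edge carries the advertising router's own interface cost, which is how a router LSA is consumed).

```python
import heapq
from collections import defaultdict

# Constructed from this section: the eight /30 links of ACME HQ (AS12345),
# read off the OSPF network statements and the R1 routing-table sample.
# Every link is Ethernet, so each interface keeps the default OSPF cost 10.
LINKS = [
    ("R1", "R4", "123.10.1.0/30"),
    ("R1", "R5", "123.10.1.4/30"),
    ("R2", "R3", "123.10.1.8/30"),
    ("R3", "R5", "123.10.1.12/30"),
    ("R2", "R4", "123.10.1.16/30"),
    ("R4", "R6", "123.10.1.20/30"),
    ("R6", "R7", "123.10.1.24/30"),
    ("R5", "R7", "123.10.1.28/30"),
]
LOOPBACKS = {f"R{n}": f"123.{n}.{n}.{n}/32" for n in range(1, 8)}
LINK_COST = 10       # default Ethernet cost at the 100 Mbit reference bandwidth
LOOPBACK_COST = 1    # a loopback is advertised as a stub link with cost 1
MAX_METRIC = 65535   # what "max-metric router-lsa" puts on every transit link


def build_graph(stub_routers=()):
    """Directed edge X->Y carries X's interface cost on the shared link, i.e.
    what X advertises in its own router LSA. A router under max-metric
    router-lsa advertises 65535 on all its transit links, so only its
    outgoing edges change; its neighbours still reach it at cost 10."""
    graph = defaultdict(dict)
    for a, b, _ in LINKS:
        graph[a][b] = MAX_METRIC if a in stub_routers else LINK_COST
        graph[b][a] = MAX_METRIC if b in stub_routers else LINK_COST
    return graph


def spf(graph, source):
    """Dijkstra from `source`: returns (cost per router, set of first-hop
    routers per router). Every neighbour on an equal-cost shortest path is
    kept so that ECMP entries can be reproduced."""
    dist = {source: 0}
    heap = [(0, source)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > dist[node]:
            continue
        for nbr, link_cost in graph[node].items():
            if cost + link_cost < dist.get(nbr, float("inf")):
                dist[nbr] = cost + link_cost
                heapq.heappush(heap, (cost + link_cost, nbr))
    first_hops = {source: frozenset()}
    for node in sorted(dist, key=dist.get):       # predecessors are always cheaper
        if node == source:
            continue
        hops = set()
        for pred, edges in graph.items():
            if node in edges and dist[pred] + edges[node] == dist[node]:
                hops |= {node} if pred == source else first_hops[pred]
        first_hops[node] = frozenset(hops)
    return dist, first_hops


def routing_table(source, stub_routers=()):
    """OSPF routes as seen at `source`: {prefix: (cost, sorted first hops)}.
    A loopback costs dist+1; a transit /30 costs the distance to either end
    plus that end's interface cost, and a tie yields two next hops."""
    graph = build_graph(stub_routers)
    dist, first_hops = spf(graph, source)
    table = {}
    for router, prefix in LOOPBACKS.items():
        if router != source:
            table[prefix] = (dist[router] + LOOPBACK_COST, sorted(first_hops[router]))
    for a, b, prefix in LINKS:
        if source in (a, b):
            continue                                   # connected, not an O route
        via = {r: dist[r] + graph[r][peer] for r, peer in ((a, b), (b, a))}
        best = min(via.values())
        hops = set()
        for r, cost in via.items():
            if cost == best:
                hops |= first_hops[r]
        table[prefix] = (best, sorted(hops))
    return table


if __name__ == "__main__":
    for label, stubs in (("normal", ()), ("R1 max-metric router-lsa", {"R1"})):
        print(f"--- R1 routes, {label}")
        for prefix, (cost, hops) in sorted(routing_table("R1", stubs).items()):
            print(f"O {prefix:16} [110/{cost}] via {', '.join(hops)}")
```

Running it from R4 is the more telling check: without the stub setting R4 reaches R5's loopback through R1 at cost 21; with it, R1 is bypassed and the cost becomes 31 over R2 or R6, while R1's own loopback is still reachable at 11, which is exactly the "not a transit router" behaviour the task asks for.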

SECTION 2.2 EIGRP in AS34567

Configure EIGRP for IPv4 in the New York office (AS34567) according to the following requirements:

The EIGRP AS is 34567; do not use any virtual instance number (means no named mode).
The interface lo0 must be seen as an internal EIGRP prefix by all other routers
Ensure that EIGRP is not running on any interface that is facing another AS; use any method to accomplish this
Using a single command on one switch only, ensure that R8 installs two equal cost routes for each of the following three destinations
VLAN 411
int lo0 at SW4
int lo0 at R11
Using a single command on one switch only, ensure that R9 installs two equal cost routes for each of the following three destinations
VLAN 310
int lo0 at SW3
int lo0 at R10

Note: Check the BW and DELAY values for physical and SVI interfaces

Solution:
R8:
router eigrp 34567
no auto-summary
network 123.8.8.8 0.0.0.0
network 123.10.2.1 0.0.0.0
network 123.10.2.5 0.0.0.0
network 123.10.2.0 0.0.0.255

R9:
router eigrp 34567
no auto-summary
network 123.9.9.9 0.0.0.0
network 123.10.2.2 0.0.0.0
network 123.10.2.9 0.0.0.0
network 123.10.2.0 0.0.0.255

R10:
router eigrp 34567
no auto-summary
network 123.10.10.10 0.0.0.0
network 123.10.2.18 0.0.0.0
network 123.10.2.25 0.0.0.0
network 123.10.2.0 0.0.0.255

R11:
router eigrp 34567
no auto-summary
network 123.11.11.11 0.0.0.0
network 123.10.2.26 0.0.0.0
network 123.10.2.22 0.0.0.0
network 123.10.2.0 0.0.0.255

SW3:
ip routing
router eigrp 34567
no auto-summary
network 123.33.33.33 0.0.0.0
network 123.10.2.17 0.0.0.0
network 123.10.2.6 0.0.0.0
network 123.10.2.13 0.0.0.0
network 123.10.2.0 0.0.0.255

SW4:
ip routing
router eigrp 34567
no auto-summary
network 123.44.44.44 0.0.0.0
network 123.10.2.21 0.0.0.0
network 123.10.2.10 0.0.0.0
network 123.10.2.14 0.0.0.0
network 123.10.2.0 0.0.0.255

SW3,SW4:
int vlan 34
delay 100
end
clear ip eigrp neighbors

Verification:
show ip eigrp interfaces
show ip eigrp neighbors
show ip eigrp topology
show ip route eigrp
show int vlan 34 | i DLY

Check the EIGRP routing table on R8 & R9 before changing the delay and after changing it; afterwards we'll see two paths for each destination

R8#show ip route eigrp
!
Gateway of last resort is not set

123.0.0.0/8 is variably subnetted, 15 subnets, 2 masks
D 123.10.2.20/30 [90/307456] via 123.10.2.6, 00:01:26, Ethernet0/1
                 [90/307456] via 123.10.2.2, 00:01:26, Ethernet0/2
D 123.11.11.11/32 [90/435456] via 123.10.2.6, 00:01:26, Ethernet0/1
                  [90/435456] via 123.10.2.2, 00:01:26, Ethernet0/2
D 123.44.44.44/32 [90/435200] via 123.10.2.6, 00:01:26, Ethernet0/1
                  [90/435200] via 123.10.2.2, 00:01:26, Ethernet0/2

R9#show ip route eigrp
!
Gateway of last resort is 33.34.4.1 to network 0.0.0.0

123.0.0.0/8 is variably subnetted, 15 subnets, 2 masks
D 123.10.2.16/30 [90/307456] via 123.10.2.10, 00:02:42, Ethernet0/2
                 [90/307456] via 123.10.2.1, 00:02:42, Ethernet0/1
D 123.10.10.10/32 [90/435456] via 123.10.2.10, 00:02:42, Ethernet0/2
                  [90/435456] via 123.10.2.1, 00:02:42, Ethernet0/1
D 123.33.33.33/32 [90/435200] via 123.10.2.10, 00:02:42, Ethernet0/2
                  [90/435200] via 123.10.2.1, 00:02:42, Ethernet0/1
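The numbers in the R8 output above can be checked by hand with the EIGRP classic metric formula, which also explains why `delay 100` on SW3's SVI vlan 34 is the single command that equalises the two paths. The Python below is an added example, not from the workbook: it computes the composite metric for the two R8 paths (via SW3's SVI, via R9's Ethernet) before and after the delay change and reproduces 307456, 435456 and 435200. The interface defaults (Ethernet BW 10000 / DLY 1000, SVI BW 1000000 / DLY 10, loopback BW 8000000 / DLY 5000) are the IOS values the note tells you to check; which interfaces sit on each path is an assumption read off the topology addresses in this section.

```python
# Constructed model of the EIGRP classic metric for the R8 paths shown in this
# section. Interface values are the IOS defaults as shown by "show interface":
# bandwidth in kbit/s and delay in microseconds.
ETHERNET = (10000, 1000)       # 10 Mbit Ethernet: BW 10000 Kbit, DLY 1000 usec
LOOPBACK = (8000000, 5000)     # Loopback: BW 8000000 Kbit, DLY 5000 usec
SVI_BANDWIDTH = 1000000        # interface VlanN: BW 1000000 Kbit, DLY 10 usec
SVI_DEFAULT_DELAY = 10


def svi(delay_usec=SVI_DEFAULT_DELAY):
    return (SVI_BANDWIDTH, delay_usec)


def delay_command(tens_of_usec):
    """The IOS 'delay N' interface command is in tens of microseconds,
    so 'delay 100' on int vlan 34 means 1000 usec."""
    return tens_of_usec * 10


def classic_metric(hops, k1=1, k3=1):
    """EIGRP classic composite metric with default K values (K2=K4=K5=0):
    256 * (K1 * 10^7 / min_bandwidth + K3 * total_delay / 10), each term
    truncated to an integer as IOS does. `hops` lists the (bandwidth, delay)
    of every outgoing interface along the path, the last entry being the
    destination interface itself."""
    min_bw = min(bw for bw, _ in hops)
    total_delay = sum(dly for _, dly in hops)
    return 256 * (k1 * (10**7 // min_bw) + k3 * (total_delay // 10))


def r8_paths(vlan34_delay_usec):
    """The two R8 -> New York paths from the sample output (assumed from the
    addresses in this section): via SW3 (R8 e0/1, then SW3's SVI vlan 34
    towards SW4) and via R9 (R8 e0/2, then R9's Ethernet towards SW4).
    Destinations: SW4's lo0, R11's lo0 behind SW4's SVI vlan 411, and that
    SVI's own /30 (VLAN 411)."""
    via_sw3 = [ETHERNET, svi(vlan34_delay_usec)]
    via_r9 = [ETHERNET, ETHERNET]
    return {
        "123.44.44.44/32": {"SW3": via_sw3 + [LOOPBACK], "R9": via_r9 + [LOOPBACK]},
        "123.11.11.11/32": {"SW3": via_sw3 + [svi(), LOOPBACK], "R9": via_r9 + [svi(), LOOPBACK]},
        "123.10.2.20/30": {"SW3": via_sw3 + [svi()], "R9": via_r9 + [svi()]},
    }


def best_paths(paths):
    """Per destination: (best metric, next hops tying on it). Two next hops
    means EIGRP installs two equal-cost routes, as in the sample output."""
    result = {}
    for dest, options in paths.items():
        metrics = {hop: classic_metric(h) for hop, h in options.items()}
        best = min(metrics.values())
        result[dest] = (best, sorted(hop for hop, m in metrics.items() if m == best))
    return result


if __name__ == "__main__":
    for label, dly in (("SVI default delay", SVI_DEFAULT_DELAY),
                       ("after 'delay 100'", delay_command(100))):
        print(label)
        for dest, (metric, hops) in sorted(best_paths(r8_paths(dly)).items()):
            print(f"  D {dest:16} [90/{metric}] via {', '.join(hops)}")
```

With the SVI at its default 10 usec the SW3 path is cheaper (409856 vs 435200 for SW4's loopback), so only one route is installed; raising the SVI delay to 1000 usec makes it equal to the Ethernet hop on the R9 side, and all three destinations tie.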

SECTION 2.3 EIGRP in AS45678

The EIGRP Autonomous System is 45678
The interface lo0 must be seen as an internal EIGRP prefix by all other routers
Ensure that EIGRP is not running on any interface that is facing another AS; use any method to accomplish this requirement (Named/Classic)
SW5 and SW6 are layer 3 switches and must be configured for EIGRP
Do not change the interface bandwidth on any physical interface in AS45678
On all three routers R15, R16, R17, use EIGRP with the 64-bit metric version
EIGRP running in AS45678 should use the strongest authentication method with key CCIE; it should protect against packet replay attacks that rely on a spoofed source address.

Note: Check and configure VLANs & SVIs on the switches (vlan 5, 55 & vlan 6, 66)
SW5/SW6 don't have loopbacks configured; instead the IP addresses are on VLAN 5/6

If asked for "no virtual name" & "no authentication": CLASSIC mode on R15/R16/R17/SW5/SW6
If asked for "no virtual name" & "strongest authentication": CLASSIC mode on R15/R16/R17/SW5/SW6 with md5
If asked for "virtual name" & "strongest authentication": NAMED mode on R15/R16/R17/SW5/SW6 with hmac

Solution:

Named Mode
R15:
router eigrp CCIE
address-fa ipv4 auto 45678
net 123.15.15.15 0.0.0.0
net 123.20.1.9 0.0.0.0
net 123.20.1.1 0.0.0.0
topology base
no auto-summary

R16:
router eigrp CCIE
address-fa ipv4 auto 45678
net 123.16.16.16 0.0.0.0
net 123.20.1.2 0.0.0.0
net 123.20.1.17 0.0.0.0
topology base
no auto-summary

R17:
router eigrp CCIE
address-fa ipv4 auto 45678
net 123.17.17.17 0.0.0.0
net 123.20.1.18 0.0.0.0
net 123.20.1.10 0.0.0.0
topology base
no auto-summary

SW5:
router eigrp CCIE
address-fa ipv4 auto 45678
net 123.55.55.55 0.0.0.0
net 123.20.1.3 0.0.0.0
topology base
no auto-summary

SW6:
router eigrp CCIE
address-fa ipv4 auto 45678
net 123.66.66.66 0.0.0.0
net 123.20.1.11 0.0.0.0
topology base
no auto-summary

Strongest Authentication (NAMED Mode)
R15,R16,R17:
router eigrp CCIE
address-family ipv4 uni auto 45678
af-interface default
authentication mode hmac-sha-256 CCIE
SW5:
router eigrp CCIE
address-family ipv4 uni auto 45678
af-interface vlan55
authentication mode hmac-sha-256 CCIE
SW6:
router eigrp CCIE
address-family ipv4 uni auto 45678
af-interface vlan66
authentication mode hmac-sha-256 CCIE

Classic Mode
R15:
router eigrp 45678
no auto-summary
net 123.15.15.15 0.0.0.0
net 123.20.1.9 0.0.0.0
net 123.20.1.1 0.0.0.0

R16:
router eigrp 45678
no auto-summary
net 123.16.16.16 0.0.0.0
net 123.20.1.2 0.0.0.0
net 123.20.1.17 0.0.0.0

R17:
router eigrp 45678
no auto-summary
net 123.17.17.17 0.0.0.0
net 123.20.1.18 0.0.0.0
net 123.20.1.10 0.0.0.0

SW5:
router eigrp 45678
no auto-summary
net 123.55.55.55 0.0.0.0
net 123.20.1.3 0.0.0.0

SW6:
router eigrp 45678
no auto-summary
net 123.66.66.66 0.0.0.0
net 123.20.1.11 0.0.0.0

Classic Mode Authentication
R15,R16,R17,SW5,SW6:
key chain CCIE
key 1
key-string CCIE

R15,R16,R17:
int range e0/1 - 2
ip authentication mode eigrp 45678 md5
ip authentication key-chain eigrp 45678 CCIE
SW5:
int vlan 55
ip authentication mode eigrp 45678 md5
ip authentication key-chain eigrp 45678 CCIE
SW6:
int vlan 66
ip authentication mode eigrp 45678 md5
ip authentication key-chain eigrp 45678 CCIE

Verification:
show ip eigrp neighbors
show ip eigrp interfaces
show ip route eigrp
debug eigrp packets
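The requirement that the authentication "protect against packet replay attacks that rely on a spoofed source address" is what separates named-mode `hmac-sha-256` from classic `md5`. The Python below is an added example, not from the workbook, and it is a model of the principle only: it does not reproduce EIGRP's authentication TLV encoding or Cisco's exact key construction. It shows what each digest covers: a keyed digest over the payload alone validates a captured packet no matter which address it is resent from, whereas folding the sending interface's address into the HMAC key makes the same copy fail when it arrives from another source. The HELLO bytes, key and addresses are constructed placeholders.

```python
import hashlib
import hmac
import ipaddress

# Constructed model of what the two EIGRP authentication options cover. It is
# NOT the on-wire EIGRP TLV format; it models only which bytes the receiver's
# check depends on, which is what decides whether a spoofed-source replay passes.

KEY = b"CCIE"                       # the key named in the task (constructed use)
HELLO = b"\x02\x05" + b"constructed EIGRP hello payload for AS45678"


def classic_md5_tag(key, payload, source_ip=None):
    """Classic mode (md5): a keyed MD5 over the routing payload only. The IP
    source address takes no part in the digest, so it is ignored here."""
    return hashlib.md5(payload + key).digest()


def named_hmac_sha256_tag(key, payload, source_ip):
    """Named mode (hmac-sha-256) in this model: the sending interface's address
    is bound into the key, so an identical payload from another address
    produces a different tag."""
    bound_key = key + ipaddress.ip_address(source_ip).packed
    return hmac.new(bound_key, payload, hashlib.sha256).digest()


def accept(tag_fn, key, payload, tag, observed_source):
    """Receiver check: recompute with the key and the source address seen on
    the wire, compare in constant time."""
    return hmac.compare_digest(tag_fn(key, payload, observed_source), tag)


SCHEMES = {
    "classic-md5": classic_md5_tag,
    "named-hmac-sha-256": named_hmac_sha256_tag,
}


def genuine_accepted(scheme, key, payload, src):
    tag = SCHEMES[scheme](key, payload, src)
    return accept(SCHEMES[scheme], key, payload, tag, src)


def spoofed_replay_accepted(scheme, key, payload, real_src, fake_src):
    """Capture a legitimate packet sent from real_src and resend it unchanged
    from fake_src; True means the receiver would take it as authentic."""
    captured_tag = SCHEMES[scheme](key, payload, real_src)
    return accept(SCHEMES[scheme], key, payload, captured_tag, fake_src)


if __name__ == "__main__":
    for scheme in SCHEMES:
        ok = genuine_accepted(scheme, KEY, HELLO, "123.20.1.1")
        replay = spoofed_replay_accepted(scheme, KEY, HELLO, "123.20.1.1", "123.20.1.200")
        print(f"{scheme:20} genuine accepted={ok}  spoofed replay accepted={replay}")
```

The other half of the protection is key hygiene: with a wrong key both schemes reject, which is why the key-string must match the task's key on every router and switch, not only on the af-interface lines.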

SECTION 2.4 EIGRP in AS65222

The EIGRP AS is 45678
The interface lo0 at each router must be seen as an internal EIGRP prefix by all other routers in BGP AS65222 & AS45678
The interface E0/0 on R18 and R19 must be advertised into EIGRP as an internal prefix
Ensure that EIGRP is not running on any interface that is facing another AS; use any method to accomplish this requirement
All four routers (R16, R17, R18, R19) must maintain a separate routing table instance that supports eBGP peering with AS20003
R17 is the DMVPN hub, R18 and R19 are the spokes; use the preconfigured tunnel0
Ensure R17 establishes EIGRP over the tunnel with R18 and R19 via the same interface tunnel0
R17 must not send any queries to R18 & R19 for active EIGRP routes
R17 must not receive EIGRP summary routes from R18 and R19
Do not summarize or filter any prefix anywhere in EIGRP AS45678

Note: Check whether "eigrp stub connected" and summary routes are asked for or not
Check whether the tunnels are preconfigured on all routers
Test with/without "no split-horizon" on the R17 Tun0 interface
Advertise the connected interfaces on R18, R19
EIGRP neighborship will come up between R17/R18/R19 after completion of Sec 2.7 & 3.3

Solution:
Tunnel Pre-Configuration:
R17:
int tun0
ip add 123.20.1.25 255.255.255.248
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp network-id 45678
tunnel source e0/0
tunnel mode gre multipoint

R18:
int tun0
ip add 123.20.1.26 255.255.255.248
ip nhrp authentication cisco
ip nhrp map multicast 203.3.17.2
ip nhrp map 123.20.1.25 203.3.17.2
ip nhrp network-id 45678
ip nhrp nhs 123.20.1.25
tunnel source Serial1/0
tunnel mode gre multipoint

R19:
int tun0
ip add 123.20.1.27 255.255.255.248
ip nhrp authentication cisco
ip nhrp map multicast 203.3.17.2
ip nhrp map 123.20.1.25 203.3.17.2
ip nhrp network-id 45678
ip nhrp nhs 123.20.1.25
tunnel source Serial1/0
tunnel mode gre multipoint

Named Mode
R17:
router eigrp CCIE
address-family ipv4 auto 45678
network 123.17.17.17 0.0.0.0
network 123.20.1.25 0.0.0.0
!
af-interface tunnel0
no split-horizon
no authentication mode
!
topology base
no auto-summary

R18:
router eigrp CCIE
address-family ipv4 auto 45678
network 123.18.18.18 0.0.0.0
network 123.20.1.26 0.0.0.0
network 10.1.18.1 0.0.0.0
eigrp stub connected
!
topology base
no auto-summary

R19:
router eigrp CCIE
address-family ipv4 auto 45678
network 123.19.19.19 0.0.0.0
network 123.20.1.27 0.0.0.0
network 10.1.19.1 0.0.0.0
eigrp stub connected
!
topology base
no auto-summary

Classic Mode
R17:
router eigrp 45678
no auto-summary
network 123.17.17.17 0.0.0.0
network 123.20.1.25 0.0.0.0

R18:
router eigrp 45678
no auto-summary
network 123.18.18.18 0.0.0.0
network 123.20.1.26 0.0.0.0
network 10.1.18.1 0.0.0.0
eigrp stub connected

R19:
router eigrp 45678
no auto-summary
network 123.19.19.19 0.0.0.0
network 123.20.1.27 0.0.0.0
network 10.1.19.1 0.0.0.0
eigrp stub connected

Verification:
show ip nhrp
show ip eigrp neigh

SECTION 2.5 BGP in AS12345

BGP is partially configured in ACME headquarters; complete the configuration as required

Configure BGP in ACME's HQ (AS12345) according to the following requirements:

R4 and R5 must not establish any BGP session at any time
All BGP routers must use their interface loopback0 as their router id
Disable the default ipv4 unicast address family for peering session establishment in all BGP routers
R1 must be the ipv4 route reflector for BGP AS12345
R1 must use the peer group name iBGP for internal peerings

Configure eBGP between ACME's San Francisco and San Jose sites according to the following requirements:

R20 is the CE router and uses eBGP to connect to the managed services that are provided by the PE routers R2 and R3
R20 must establish separate eBGP peerings with both R2 and R3 for every VRF
R20 must advertise a default route to all of its BGP peers except to 10.120.99.1 and 10.120.99.5
R20 must advertise the following prefixes to all the BGP peers
10.0.0.0/8 summary only
123.0.0.0/8 summary only

Note: Check the VRF configuration on R2/R3
Check whether an address family is required on R20 or not; check for the 10.1.20.0/25 and 10.1.20.128/25 subnets
Aggregate routes will appear after completion of all AS45678/65222 sections

Solution:

BGP with Peer Group

R1:
router bgp 12345
bgp router-id 123.1.1.1
no bgp default ipv4-unicast
neighbor iBGP peer-group
neighbor iBGP remote-as 12345
neighbor iBGP update-source Lo0
neighbor 123.2.2.2 peer-group iBGP
neighbor 123.3.3.3 peer-group iBGP
neighbor 123.6.6.6 peer-group iBGP
neighbor 123.7.7.7 peer-group iBGP
!
address-family ipv4
neighbor iBGP route-reflector-client
neighbor 123.2.2.2 activate
neighbor 123.3.3.3 activate
neighbor 123.6.6.6 activate
neighbor 123.7.7.7 activate

BGP without Peer Group

R1:
router bgp 12345
bgp router-id 123.1.1.1
no bgp default ipv4-unicast
neighbor 123.2.2.2 remote-as 12345
neighbor 123.3.3.3 remote-as 12345
neighbor 123.6.6.6 remote-as 12345
neighbor 123.7.7.7 remote-as 12345
neighbor 123.2.2.2 update-source Lo0
neighbor 123.3.3.3 update-source Lo0
neighbor 123.6.6.6 update-source Lo0
neighbor 123.7.7.7 update-source Lo0
!
address-family ipv4
neighbor 123.2.2.2 activate
neighbor 123.3.3.3 activate
neighbor 123.6.6.6 activate
neighbor 123.7.7.7 activate
neighbor 123.2.2.2 route-reflector-client
neighbor 123.3.3.3 route-reflector-client
neighbor 123.6.6.6 route-reflector-client
neighbor 123.7.7.7 route-reflector-client

R2:
router bgp 12345
bgp router-id 123.2.2.2
R3:
router bgp 12345
bgp router-id 123.3.3.3
R6:
router bgp 12345
bgp router-id 123.6.6.6
R7:
router bgp 12345
bgp router-id 123.7.7.7

R2,R3,R6,R7:
router bgp 12345
no bgp default ipv4-unicast
neighbor 123.1.1.1 remote-as 12345
neighbor 123.1.1.1 update-source Lo0
!
address-family ipv4
neighbor 123.1.1.1 activate

R2:
router bgp 12345
!
address-family ipv4 vrf GREEN
neighbor 10.120.12.2 remote-as 65112
neighbor 10.120.12.2 activate
!
address-family ipv4 vrf BLUE
neighbor 10.120.13.2 remote-as 65112
neighbor 10.120.13.2 activate
!
address-family ipv4 vrf RED
neighbor 10.120.14.2 remote-as 65112
neighbor 10.120.14.2 activate
!
address-family ipv4 vrf YELLOW
neighbor 10.120.15.2 remote-as 65112
neighbor 10.120.15.2 activate
!
address-family ipv4 vrf INET
neighbor 10.120.99.2 remote-as 65112
neighbor 10.120.99.2 activate

R3:
router bgp 12345
!
address-family ipv4 vrf GREEN
neighbor 10.120.12.6 remote-as 65112
neighbor 10.120.12.6 activate
!
address-family ipv4 vrf BLUE
neighbor 10.120.13.6 remote-as 65112
neighbor 10.120.13.6 activate
!
address-family ipv4 vrf RED
neighbor 10.120.14.6 remote-as 65112
neighbor 10.120.14.6 activate
!
address-family ipv4 vrf YELLOW
neighbor 10.120.15.6 remote-as 65112
neighbor 10.120.15.6 activate
!
address-family ipv4 vrf INET
neighbor 10.120.99.6 remote-as 65112
neighbor 10.120.99.6 activate

R20:
router bgp 65112
no bgp default ipv4-unicast
neighbor 10.120.12.1 remote-as 12345
neighbor 10.120.13.1 remote-as 12345
neighbor 10.120.14.1 remote-as 12345
neighbor 10.120.15.1 remote-as 12345
neighbor 10.120.99.1 remote-as 12345
neighbor 10.120.12.5 remote-as 12345
neighbor 10.120.13.5 remote-as 12345
neighbor 10.120.14.5 remote-as 12345
neighbor 10.120.15.5 remote-as 12345
neighbor 10.120.99.5 remote-as 12345
!
address-family ipv4
neighbor 10.120.12.1 activate
neighbor 10.120.13.1 activate
neighbor 10.120.14.1 activate
neighbor 10.120.15.1 activate
neighbor 10.120.99.1 activate
neighbor 10.120.12.5 activate
neighbor 10.120.13.5 activate
neighbor 10.120.14.5 activate
neighbor 10.120.15.5 activate
neighbor 10.120.99.5 activate
neighbor 10.120.12.1 default-originate
neighbor 10.120.13.1 default-originate
neighbor 10.120.14.1 default-originate
neighbor 10.120.15.1 default-originate
neighbor 10.120.12.5 default-originate
neighbor 10.120.13.5 default-originate
neighbor 10.120.14.5 default-originate
neighbor 10.120.15.5 default-originate
!
network 10.1.20.0 mask 255.255.255.128
network 10.1.20.128 mask 255.255.255.128
aggregate-add 123.0.0.0 255.0.0.0 summary-only
aggregate-add 10.0.0.0 255.0.0.0 summary-only

Verification:
show ip bgp summary
show ip bgp vpnv4 all summary
show bgp all summary
show bgp vpnv4 unicast all summary
show ip bgp
show ip bgp vpnv4 all
show bgp all
show bgp vpnv4 unicast all
show ip route
show ip route vrf *

SECTION 2.6 BGP in AS34567

BGP is partially preconfigured in ACME's New York office; complete the config as required

Configure iBGP in AS34567 according to the following requirements:

SW3 and SW4 must not establish any BGP session at any time
All BGP routers must use their interface lo0 as their router id
Disable the default ipv4 unicast address family for peering session establishment in all BGP routers
Configure full mesh iBGP peering between all four routers; use any configuration method
R9 must be selected as the preferred exit point for traffic destined to remote AS's
R11 must be selected as the next preferred exit in case R9 fails
No BGP speaker must use a network statement under the BGP router config
Ensure that a BGP next hop is never marked as unreachable as long as interface lo0 of the remote peer is known via IGP

Configure eBGP in AS34567 according to the following requirements:

All four BGP routers must establish eBGP peerings with their neighboring AS as shown in Diagram 3 (BGP topology)
All four BGP routers must redistribute EIGRP into BGP
R9 & R11 must redistribute only the BGP default route into EIGRP
Ensure that R9 is the only router that sees the default as a BGP route and that all other routers (R8, R10, R11) see it as an EIGRP external

Notes: R8/R10 are receiving a few routes from the ISPs directly; filter them.
R8/R10:
ip prefix-list DEFAULT permit 0.0.0.0/0
neighbor a.b.c.d prefix-list DEFAULT in
R10:
ip prefix-list ROUTE_61 deny 61.61.61.61/32
neighbor a.b.c.d prefix-list ROUTE_61 in

Solution:

BGP with Peer Group

R8:
router bgp 34567
bgp router-id 123.8.8.8
no bgp default ipv4-unicast
neigh iBGP peer-group
neigh iBGP remote-as 34567
neigh iBGP update-source lo0
neigh 123.9.9.9 peer-gro iBGP
neigh 123.10.10.10 peer-gro iBGP
neigh 123.11.11.11 peer-gro iBGP
neigh 101.1.34.1 remote-as 10001
!
address-family ipv4
neigh iBGP next-hop-self
neigh 123.9.9.9 activate
neigh 123.10.10.10 activate
neigh 123.11.11.11 activate
neigh 101.1.34.1 activate

R9:
router bgp 34567
bgp router-id 123.9.9.9
no bgp default ipv4-unicast
bgp default local-pref 110
neigh iBGP peer-group
neigh iBGP remote-as 34567
neigh iBGP update-source lo0
neigh 123.8.8.8 peer-gro iBGP
neigh 123.10.10.10 peer-gro iBGP
neigh 123.11.11.11 peer-gro iBGP
neigh 102.2.34.1 remote-as 10002
neigh 33.34.4.1 remote-as 30000
!
address-family ipv4
neigh iBGP next-hop-self
neigh 123.8.8.8 activate
neigh 123.10.10.10 activate
neigh 123.11.11.11 activate
neigh 102.2.34.1 activate
neigh 33.34.4.1 activate
neigh 102.2.34.1 route-map LP in
neigh 33.34.4.1 route-map LP in
!
route-map LP
set local-preference 110

R10:
router bgp 34567
bgp router-id 123.10.10.10
no bgp default ipv4-unicast
neigh iBGP peer-group
neigh iBGP remote-as 34567
neigh iBGP update-source lo0
neigh 123.8.8.8 peer-gro iBGP
neigh 123.9.9.9 peer-gro iBGP
neigh 123.11.11.11 peer-gro iBGP
neigh 201.1.34.1 remote-as 20001
!
address-family ipv4
neigh iBGP next-hop-self
neigh 123.8.8.8 activate
neigh 123.9.9.9 activate
neigh 123.11.11.11 activate
neigh 201.1.34.1 activate

R11:
router bgp 34567
bgp router-id 123.11.11.11
no bgp default ipv4-unicast
bgp default local-pref 105
neigh iBGP peer-group
neigh iBGP remote-as 34567
neigh iBGP update-source lo0
neigh 123.8.8.8 peer-gro iBGP
neigh 123.10.10.10 peer-gro iBGP
neigh 123.9.9.9 peer-gro iBGP
neigh 202.2.34.1 remote-as 20002
neigh 33.34.3.1 remote-as 30000
!
address-family ipv4
neigh iBGP next-hop-self
neigh 123.8.8.8 activate
neigh 123.10.10.10 activate
neigh 123.9.9.9 activate
neigh 202.2.34.1 activate
neigh 33.34.3.1 activate
neigh 202.2.34.1 route-map LP in
neigh 33.34.3.1 route-map LP in
!
route-map LP
set local-preference 105

BGP without Peer Group

R8:
router bgp 34567
bgp router-id 123.8.8.8
no bgp default ipv4-unicast
neig 123.9.9.9 remote-as 34567
neig 123.10.10.10 remote-as 34567
neig 123.11.11.11 remote-as 34567
neig 123.9.9.9 update-so lo0
neig 123.10.10.10 update-so lo0
neig 123.11.11.11 update-so lo0
neig 101.1.34.1 remote-as 10001
!
address-family ipv4
neig 123.9.9.9 activate
neig 123.10.10.10 activate
neig 123.11.11.11 activate
neig 123.9.9.9 next-hop-self
neig 123.10.10.10 next-hop-self
neig 123.11.11.11 next-hop-self
neig 101.1.34.1 activate

R9:
router bgp 34567
bgp router-id 123.9.9.9
no bgp default ipv4-unicast
bgp default local-pref 110
neig 123.8.8.8 remote-as 34567
neig 123.10.10.10 remote-as 34567
neig 123.11.11.11 remote-as 34567
neig 123.8.8.8 update-so lo0
neig 123.10.10.10 update-so lo0
neig 123.11.11.11 update-so lo0
neig 102.2.34.1 remote-as 10002
neig 33.34.4.1 remote-as 30000
!
address-family ipv4
neig 123.8.8.8 activate
neig 123.10.10.10 activate
neig 123.11.11.11 activate
neig 123.8.8.8 next-hop-self
neig 123.10.10.10 next-hop-self
neig 123.11.11.11 next-hop-self
neig 102.2.34.1 activate
neig 33.34.4.1 activate

R10:
router bgp 34567
bgp router-id 123.10.10.10
no bgp default ipv4-unicast
nei 123.8.8.8 remote-as 34567
nei 123.9.9.9 remote-as 34567
nei 123.11.11.11 remote-as 34567
nei 123.8.8.8 update-so lo0
nei 123.9.9.9 update-so lo0
nei 123.11.11.11 update-so lo0
nei 201.1.34.1 remote-as 20001
!
address-family ipv4
nei 123.8.8.8 activate
nei 123.9.9.9 activate
nei 123.11.11.11 activate
nei 123.8.8.8 next-hop-self
nei 123.9.9.9 next-hop-self
nei 123.11.11.11 next-hop-self
nei 201.1.34.1 activate

R11:
router bgp 34567
bgp router-id 123.11.11.11
no bgp default ipv4-unicast
bgp default local-pref 105
nei 123.8.8.8 remote-as 34567
nei 123.9.9.9 remote-as 34567
nei 123.10.10.10 remote-as 34567
nei 123.8.8.8 update-so lo0
nei 123.9.9.9 update-so lo0
nei 123.10.10.10 update-so lo0
nei 202.2.34.1 remote-as 20002
nei 33.34.3.1 remote-as 30000
!
address-family ipv4
nei 123.8.8.8 activate
nei 123.9.9.9 activate
nei 123.10.10.10 activate
nei 123.8.8.8 next-hop-self
nei 123.9.9.9 next-hop-self
nei 123.10.10.10 next-hop-self
nei 202.2.34.1 activate
nei 33.34.3.1 activate

R8,R9,R10,R11:
router bgp 34567
address-family ipv4
redistribute eigrp 34567

R9,R11:
ip prefix-list DEFAULT permit 0.0.0.0/0
!
route-map DEFAULT
match ip address prefix-list DEFAULT
!
router eigrp 34567
redistribute bgp 34567 metric 10000 10 255 1 1500 route-map DEFAULT

Verification:
show ip bgp
show ip bgp summary
show ip route bgp
show ip route eigrp
show ip route 0.0.0.0

SECTION 2.7 BGP in AS45678 and 65222

There are 2 variations: With VRF (LOCALSP) and Without VRF

Configure eBGP in ACME's APAC region (AS45678 and AS65222) according to the following requirements:
Configure BGP in ACME Sydney and the APAC region as per the below requirements:

SW5 and SW6 must not establish any BGP session at any time
All BGP routers must use their int lo0 as their router id
No iBGP peering sessions are allowed in AS45678
R15 must establish an eBGP peering with AS10003 and must receive a default route as well as other prefixes.
R15 must redistribute BGP into EIGRP and vice versa
R15 must also advertise an aggregate prefix 123.20.1.0/24 to AS10003 and must suppress all component prefixes
R16, R17, R18, R19 are configured with vrf LOCALSP
R16, R17, R18, R19 must establish an eBGP peering with AS20003 in VRF LOCALSP and must receive only a default route and no other prefixes from AS20003
R16, R17, R18, R19 must establish an eBGP peering with AS20003 and must receive a default route as well as other prefixes
R16, R17, R18, R19 must not advertise any prefix to AS20003
As long as R15 is operational, R16, R17, R18, R19 must prefer the EIGRP default route over the eBGP default route
Do not create any VRF anywhere in order to accomplish the above requirements

Note: For the VRF version, we aren't asked to make the EIGRP default preferred over the eBGP default
Check the VRF configuration properly (ip vrf forwarding missing)
Check the EIGRP mode in Sec 2.3 & 2.4 (Named or Classic)
The default route on R18/R19 will come after completion of Sec 3.3

Non-VRF: If R16, R17, R18, R19 receive the 1.2.3.4/32 & 123.0.0.0/8 routes, then filter them using a prefix list and apply it in the IN direction for the neighbors
R16,R17,R18,R19:
ip prefix-list BLOCK seq 1 deny 1.2.3.4/32
ip prefix-list BLOCK seq 2 deny 123.0.0.0/8 le 32
ip prefix-list BLOCK seq 3 permit 0.0.0.0/0 le 32
!
neighbor a.b.c.d prefix-list BLOCK in

Solution:

WITH VRF

VRF Configuration:
R16:
ip vrf LOCALSP
rd 45678:1
!
int e0/0
ip vrf forwarding LOCALSP
ip add 203.3.16.2 255.255.255.252
no shut

R17:
ip vrf LOCALSP
rd 45678:1
!
int e0/0
ip vrf forwarding LOCALSP
ip add 203.3.17.2 255.255.255.252
no shut

R18:
ip vrf LOCALSP
rd 45678:1
!
int Ser1/0
ip vrf forwarding LOCALSP
ip add 203.3.18.2 255.255.255.252
no shut

R19:
ip vrf LOCALSP
rd 45678:1
!
int Ser1/0
ip vrf forwarding LOCALSP
ip add 203.3.19.2 255.255.255.252
no shut

R16,R17,R18,R19:
ip prefix-list AS20003 deny 0.0.0.0/0 le 32
ip prefix-list DEFAULT permit 0.0.0.0/0
!
route-map DEFAULT
match ip address prefix-list DEFAULT

R16:
router bgp 45678
bgp router-id 123.16.16.16
address-family ipv4 vrf LOCALSP
neighbor 203.3.16.1 remote-as 20003
neighbor 203.3.16.1 activate
neighbor 203.3.16.1 prefix-list AS20003 out
neighbor 203.3.16.1 prefix-list DEFAULT in
neighbor 203.3.16.1 route-map DEFAULT in
distance 171 203.3.16.1 0.0.0.0

R17:
router bgp 45678
bgp router-id 123.17.17.17
address-family ipv4 vrf LOCALSP
neighbor 203.3.17.1 remote-as 20003
neighbor 203.3.17.1 activate
neighbor 203.3.17.1 prefix-list AS20003 out
neighbor 203.3.17.1 prefix-list DEFAULT in
neighbor 203.3.17.1 route-map DEFAULT in
distance 171 203.3.17.1 0.0.0.0

R18:
router bgp 65222
bgp router-id 123.18.18.18
address-family ipv4 vrf LOCALSP
neighbor 203.3.18.1 remote-as 20003
neighbor 203.3.18.1 activate
neighbor 203.3.18.1 prefix-list AS20003 out
neighbor 203.3.18.1 prefix-list DEFAULT in
neighbor 203.3.18.1 route-map DEFAULT in
distance 171 203.3.18.1 0.0.0.0

R19:
router bgp 65222
bgp router-id 123.19.19.19
address-family ipv4 vrf LOCALSP
neighbor 203.3.19.1 remote-as 20003
neighbor 203.3.19.1 activate
neighbor 203.3.19.1 prefix-list AS20003 out
neighbor 203.3.19.1 prefix-list DEFAULT in
neighbor 203.3.19.1 route-map DEFAULT in
distance 171 203.3.19.1 0.0.0.0

WITHOUT VRF

R16,R17,R18,R19:
access-list 1 permit 0.0.0.0
ip prefix-list AS20003 deny 0.0.0.0/0 le 32

R16:
router bgp 45678
bgp router-id 123.16.16.16
neighbor 203.3.16.1 remote-as 20003
address-family ipv4
neighbor 203.3.16.1 activate
neighbor 203.3.16.1 prefix-list AS20003 out
distance 171 203.3.16.1 0.0.0.0 1

R17:
router bgp 45678
bgp router-id 123.17.17.17
neighbor 203.3.17.1 remote-as 20003
address-family ipv4
neighbor 203.3.17.1 activate
neighbor 203.3.17.1 prefix-list AS20003 out
distance 171 203.3.17.1 0.0.0.0 1

R18:
router bgp 65222
bgp router-id 123.18.18.18
neighbor 203.3.18.1 remote-as 20003
address-family ipv4
neighbor 203.3.18.1 activate
neighbor 203.3.18.1 prefix-list AS20003 out
distance 171 203.3.18.1 0.0.0.0 1

R19:
router bgp 65222
bgp router-id 123.19.19.19
neighbor 203.3.19.1 remote-as 20003
address-family ipv4
neighbor 203.3.19.1 activate
neighbor 203.3.19.1 prefix-list AS20003 out
distance 171 203.3.19.1 0.0.0.0 1

WITH/WITHOUT VRF

R15:
router bgp 45678
bgp router-id 123.15.15.15
neighbor 103.2.45.1 remote-as 10003
!
address-family ipv4
neighbor 103.2.45.1 activate
aggregate-add 123.20.1.0 255.255.255.0 summary-only
redistribute eigrp 45678
!
router eigrp CCIE
address-family ipv4 unicast auto 45678
topology base
redistribute bgp 45678 metric 10000 10 255 1 1500
--------- OR ---------
router eigrp 45678
redistribute bgp 45678 metric 10000 10 255 1 1500

Verification:
show bgp all summary
show bgp all
show ip bgp summary
show ip bgp
show bgp vpnv4 unicast all
show bgp vpnv4 unicast
show ip bgp neighbors A.B.C.D advertised-routes
show bgp all neighbors A.B.C.D advertised-routes
show ip route bgp

SECTION 2.8 BGP Routing Policies

Configure the ACME network as per the following requirements:

All ACME border routers in AS 12345 must filter the BGP prefixes that are advertised to their SP in VRF INET and must allow all prefixes that belong to Class A 123.0.0.0/8; all other VRFs must propagate all prefixes
All ACME border routers in AS 34567 must filter the BGP prefixes that are advertised to their SP and must allow all prefixes that belong to the Class A 123.0.0.0/8
Do not use any route map or access list to accomplish the above requirements
R13 must route traffic preferably via AS 20002; use any method to accomplish this requirement
All three remote sites in AS 65111 must be able to ping 1.2.3.4, and traceroute must reveal the exact same path as shown in the following output
R12#ping 1.2.3.4 source lo0
!!!!!
R12#traceroute 1.2.3.4 so lo0
VRF info: (vrf in name/id, vrf out name/id)
1 201.1.12.1 2 msec 0 msec 1 msec
2 201.1.123.2 [AS 65112] 0 msec 1 msec 0 msec
3 10.120.12.1 [AS 65112] [MPLS: Label 31 Exp 0] 1 msec 1 msec 0 msec
4 10.120.12.2 [AS 65112] 6 msec 1 msec 1 msec
5 10.120.99.5 [AS 65112] 1 msec 1 msec 1 msec
6 102.2.123.1 [AS 65112] 1 msec 1 msec 1 msec
7 33.10.2.1 [AS 65112] 1 msec * 2 msec

Note: ping & trace will work after completion of Sec 3.1 and 3.2
R12/R13/R14: redistribute connected subnets or advertise the subnets into bgp

Solution:
R2,R3,R6,R7,R8,R9,R10,R11:
ip prefix-list CLASS-A permit 123.0.0.0/8 le 32

R2:
router bgp 12345
address-family ipv4 vrf INET
neighbor 101.1.123.1 prefix-list CLASS-A out

R3:
router bgp 12345
address-family ipv4 vrf INET
neighbor 102.2.123.1 prefix-list CLASS-A out

R6:
router bgp 12345
address-family ipv4 vrf INET
neighbor 201.1.123.1 prefix-list CLASS-A out

R7:
router bgp 12345
address-family ipv4 vrf INET
neighbor 202.2.123.1 prefix-list CLASS-A out

R8:
router bgp 34567
address-family ipv4
neighbor 101.1.34.1 prefix-list CLASS-A out

R9:
router bgp 34567
address-family ipv4
neighbor 102.2.34.1 prefix-list CLASS-A out

R10:
router bgp 34567
address-family ipv4
neighbor 201.1.34.1 prefix-list CLASS-A out

R11:
router bgp 34567
address-family ipv4
neighbor 202.2.34.1 prefix-list CLASS-A out

R12:
router bgp 65111
neighbor 201.1.12.1 remote-as 20001
!
address-family ipv4
neighbor 201.1.12.1 activate
redistribute connected

R13:
router bgp 65111
neighbor 201.1.13.1 remote-as 20001
neighbor 202.2.13.1 remote-as 20002
!
address-family ipv4
neighbor 201.1.13.1 activate
neighbor 202.2.13.1 activate
neighbor 202.2.13.1 weight 100
redistribute connected

R14:
router bgp 65111
neighbor 202.2.14.1 remote-as 20002
!
address-family ipv4
neighbor 202.2.14.1 activate
redistribute connected

R20:
router bgp 65112
address-family ipv4
neighbor 10.120.15.5 weight 100
neighbor 10.120.99.5 weight 100

Verification:
show bgp all summary
show ip bgp vpnv4 all summary
show ip bgp vpnv4 vrf INET neighbors A.B.C.D advertised-routes
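Added example (not from the workbook or from Cisco): a small Python evaluator for the IOS prefix-list semantics that the BLOCK, AS20003 and DEFAULT lists of Section 2.7 and the CLASS-A list of this section rely on, so the effect of `le 32` versus an exact match can be checked offline. The list definitions are copied from the page; the sample routes are constructed.

```python
"""
Evaluate Cisco IOS 'ip prefix-list' entries the way the router does.

Rules implemented:
  - entries are evaluated in sequence-number order, first match wins
  - 'A/L' with no ge/le matches only a route whose length is exactly L
  - 'A/L le N' matches routes inside A/L with length L..N
  - 'A/L ge M' matches routes inside A/L with length M..32
  - 'A/L ge M le N' matches routes inside A/L with length M..N
  - no matching entry means the list denies (implicit deny)
"""
from ipaddress import IPv4Network

# The prefix-lists from Sections 2.7 and 2.8, copied into one constructed config.
PAGE_CONFIG = """
ip prefix-list BLOCK seq 1 deny 1.2.3.4/32
ip prefix-list BLOCK seq 2 deny 123.0.0.0/8 le 32
ip prefix-list BLOCK seq 3 permit 0.0.0.0/0 le 32
ip prefix-list AS20003 deny 0.0.0.0/0 le 32
ip prefix-list DEFAULT permit 0.0.0.0/0
ip prefix-list CLASS-A permit 123.0.0.0/8 le 32
"""


def parse_prefix_lists(config):
    """Return {list-name: [(seq, action, network, ge, le), ...]} sorted by seq."""
    lists = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[:2] != ["ip", "prefix-list"]:
            continue
        name, i, seq = tok[2], 3, None
        if tok[i] == "seq":
            seq, i = int(tok[i + 1]), i + 2
        action, net = tok[i], IPv4Network(tok[i + 1])
        i += 2
        ge = le = None
        while i + 1 < len(tok):
            if tok[i] == "ge":
                ge = int(tok[i + 1])
            elif tok[i] == "le":
                le = int(tok[i + 1])
            i += 2
        entries = lists.setdefault(name, [])
        if seq is None:  # IOS auto-assigns the next multiple of 5
            seq = entries[-1][0] + 5 if entries else 5
        entries.append((seq, action, net, ge, le))
        entries.sort(key=lambda e: e[0])
    return lists


def entry_matches(entry, route):
    """True when 'route' lies inside the entry's prefix and its length window."""
    _seq, _action, net, ge, le = entry
    if not route.subnet_of(net):
        return False
    low = ge if ge is not None else net.prefixlen
    high = le if le is not None else (32 if ge is not None else net.prefixlen)
    return low <= route.prefixlen <= high


def decide(lists, name, prefix):
    """Apply prefix-list 'name' to one route; 'deny' when nothing matches."""
    route = IPv4Network(prefix)
    for entry in lists[name]:
        if entry_matches(entry, route):
            return entry[1]
    return "deny"


def permitted(lists, name, prefixes):
    """Routes that survive 'neighbor X prefix-list <name> in|out'."""
    return [p for p in prefixes if decide(lists, name, p) == "permit"]


LISTS = parse_prefix_lists(PAGE_CONFIG)

if __name__ == "__main__":
    # Constructed sample: the default, the two routes 2.7 says to block, the
    # 2.7 aggregate and a private prefix that belongs in no SP advertisement.
    sample = ["0.0.0.0/0", "1.2.3.4/32", "123.0.0.0/8", "123.20.1.0/24", "10.1.0.0/16"]
    for name in LISTS:
        print(f"{name:8s} permits {permitted(LISTS, name, sample)}")
```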

SECTION 2.9 IPv6 OSPF

Configure OSPFv3 in the ACME New York Office as per the following requirements:

Do not enable OSPFv3 on any interfaces other than the interfaces indicated in the IPv6 topology.
Place the interfaces in the OSPFv3 area shown; do not create any new area. No other interface may be included in OSPFv3
Configure OSPF Process ID 1 and set the router id as interface lo0
SW4 must be selected as the DR on vlan 34 and must have the best chance
SW3 must be selected as the backup DR on vlan 34 and must take over as DR if SW4 is down
You are not allowed to use "ipv6 router ospf"
You are not allowed to use "ipv6 ospf 1 area"
You are not allowed to use "ipv6 ospf 1 priority"

Note: If SW3 & SW4 have a loopback configured with an IPv6 address, then only advertise it in OSPFv3

SW3 and R10 loopbacks are configured for OSPFv3 for the NTP task
Check whether the "ipv6 ospf" style of configuration is allowed or not

Solution:
SW3:
ipv6 unicast-routing
ipv6 cef
!
router ospfv3 1
router-id 123.33.33.33
!
int vlan 34
ospfv3 1 ipv6 area 0
ospfv3 priority 254
!
int vlan 310
ospfv3 1 ipv6 area 10
!
int lo0
ospfv3 1 ipv6 area 0

SW4:
ipv6 unicast-routing
ipv6 cef
!
router ospfv3 1
router-id 123.44.44.44
!
int vlan 34
ospfv3 1 ipv6 area 0
ospfv3 priority 255
!
int vlan 411
ospfv3 1 ipv6 area 11
!
int lo0
ospfv3 1 ipv6 area 0

R10:
ipv6 unicast-routing
ipv6 cef
!
router ospfv3 1
router-id 123.10.10.10
!
interface Ethernet0/1
ospfv3 1 ipv6 area 10
!
int lo0
ospfv3 1 ipv6 area 10

R11:
ipv6 unicast-routing
ipv6 cef
!
router ospfv3 1
router-id 123.11.11.11
!
interface Ethernet0/2
ospfv3 1 ipv6 area 11
!
int lo0
ospfv3 1 ipv6 area 11

-------- Or (legacy ipv6 ospf syntax, where the task allows it) --------

SW3:
ipv6 unicast-routing
ipv6 cef
!
ipv6 router ospf 1
router-id 123.33.33.33
!
int vlan 34
ipv6 ospf 1 area 0
ipv6 ospf priority 254
!
int vlan 310
ipv6 ospf 1 area 10
!
int lo0
ipv6 ospf 1 area 0

SW4:
ipv6 unicast-routing
ipv6 cef
!
ipv6 router ospf 1
router-id 123.44.44.44
!
int vlan 34
ipv6 ospf 1 area 0
ipv6 ospf priority 255
!
int vlan 411
ipv6 ospf 1 area 11
!
int lo0
ipv6 ospf 1 area 0

R10:
ipv6 unicast-routing
ipv6 cef
!
ipv6 router ospf 1
router-id 123.10.10.10
!
interface Ethernet0/1
ipv6 ospf 1 area 10
!
interface lo0
ipv6 ospf 1 area 10

R11:
ipv6 unicast-routing
ipv6 cef
!
ipv6 router ospf 1
router-id 123.11.11.11
!
interface Ethernet0/2
ipv6 ospf 1 area 11
!
interface lo0
ipv6 ospf 1 area 11
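
Added example (not from the workbook): a simplified Python model of the OSPF DR/BDR election on VLAN 34, showing why SW4 gets priority 255 and SW3 priority 254, and why the task can only promise SW4 "the best chance": the election is not preemptive. It assumes only SW3 and SW4 are attached to VLAN 34, as in this section, and uses the router-ids configured above.

```python
"""
Simplified OSPF DR/BDR election (RFC 2328 section 9.4) for one segment.

Rules modelled: priority 0 routers are never DR/BDR; among eligible routers the
highest priority wins, ties go to the highest router-id; a router that already
holds DR keeps it until it leaves the segment, even if a better candidate appears.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Router:
    name: str
    router_id: str   # dotted-quad, as set with 'router-id' on this page
    priority: int    # 'ospfv3 priority' on the VLAN 34 interface


def rid_key(router):
    """Numeric form of a dotted router-id so '123.44.44.44' > '123.9.9.9'."""
    return tuple(int(octet) for octet in router.router_id.split("."))


def best(candidates):
    """Highest priority, then highest router-id; None if there are no candidates."""
    return max(candidates, key=lambda r: (r.priority, rid_key(r)), default=None)


def elect(present, current_dr=None, current_bdr=None):
    """One election round; 'present' are the routers now seen on the segment."""
    eligible = [r for r in present if r.priority > 0]
    dr = current_dr if current_dr in eligible else None
    bdr = current_bdr if current_bdr in eligible and current_bdr is not dr else None
    if dr is None:
        # No DR: the BDR is promoted; with no BDR either, elect one and promote it.
        if bdr is None:
            bdr = best(eligible)
        dr, bdr = bdr, None
    if bdr is None:
        bdr = best([r for r in eligible if r is not dr])
    return dr, bdr


# Router-ids and priorities exactly as configured in this section.
SW3 = Router("SW3", "123.33.33.33", 254)
SW4 = Router("SW4", "123.44.44.44", 255)


def names(pair):
    return tuple(r.name if r else None for r in pair)


def vlan34_scenario():
    """Fresh start, SW4 failure, SW4 return; returns (DR, BDR) names per step."""
    steps = []
    dr, bdr = elect([SW3, SW4])             # both switches boot together
    steps.append(names((dr, bdr)))
    dr, bdr = elect([SW3], dr, bdr)         # SW4 goes down: the BDR takes over
    steps.append(names((dr, bdr)))
    dr, bdr = elect([SW3, SW4], dr, bdr)    # SW4 returns: no preemption, SW4 is BDR
    steps.append(names((dr, bdr)))
    return steps


if __name__ == "__main__":
    for step, (dr, bdr) in zip(("start", "SW4 down", "SW4 back"), vlan34_scenario()):
        print(f"{step:9s} DR={dr} BDR={bdr}")
```

Clearing the OSPFv3 process on SW3 after SW4 is back is what hands the DR role to SW4 again, which is why a priority alone cannot guarantee the role.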

Verification:
show ipv6 interface brief
show ipv6 ospf int brief
show ipv6 ospf neighbor
show ospfv3 neighbor

SECTION 2.10 BGP for IPv6

Configure the ACME network as per the following requirements:

Establish the four eBGP peerings as indicated on "Diagram IPv6 routing"
Do not use the network command under the BGP address family ipv6 on either R10 or R11
Both regional SPs will advertise the necessary prefixes
Advertise the IPv6 prefix of interface E0/1 (E0/0) into BGP on both R12 and R14
Configure your network such that any IPv6 user can communicate with any IPv6 user that is located and vice versa
Do not use any static route or default route anywhere
Use the following ping to verify your config

R12#ping 2001:CC1E:BEF:14:202:2:14:1 source Ethernet0/1 (E0/0)


!!!!!

Note: Redistribution is required for the NTP task
Check the output with and without allowas-in
Redistribution between BGP & OSPF may not be required if we shut the eBGP between AS 20001 and AS 20002
Solution:
R10:
router bgp 34567
neighbor 2001:CC1E:BEF:10:201:1:34:1 remote-as 20001
!
address-family ipv6
neighbor 2001:CC1E:BEF:10:201:1:34:1 activate
redistribute ospf 1 include-connected match int ext 1 ext 2
------- Or -------
redistribute ospf 1 include-connected route-map OSPF-BGP
!
route-map OSPF-BGP
match route-type internal
match route-type external
!
router ospfv3 1
address-family ipv6 unicast
redistribute bgp 34567
------- Or -------
ipv6 router ospf 1
redistribute bgp 34567

R11:
router bgp 34567
neighbor 2001:CC1E:BEF:11:202:2:34:1 remote-as 20002
!
address-family ipv6
neighbor 2001:CC1E:BEF:11:202:2:34:1 activate
redistribute ospf 1 include-connected match int ext 1 ext 2
------- Or -------
redistribute ospf 1 include-connected route-map OSPF-BGP
!
route-map OSPF-BGP
match route-type internal
match route-type external
!
router ospfv3 1
address-family ipv6 unicast
redistribute bgp 34567
------- Or -------
ipv6 router ospf 1
redistribute bgp 34567

R12:
ipv6 unicast-routing
ipv6 cef
!
router bgp 65111
neighbor 2001:CC1E:BEF:12:201:1:12:1 remote-as 20001
!
address-family ipv6
neighbor 2001:CC1E:BEF:12:201:1:12:1 activate
neighbor 2001:CC1E:BEF:12:201:1:12:1 allowas-in
network 2001:CC1E:BEF:12::/64

R14:
ipv6 unicast-routing
ipv6 cef
!
router bgp 65111
neighbor 2001:CC1E:BEF:14:202:2:14:1 remote-as 20002
!
address-family ipv6
neighbor 2001:CC1E:BEF:14:202:2:14:1 activate
neighbor 2001:CC1E:BEF:14:202:2:14:1 allowas-in
network 2001:CC1E:BEF:14::/64

Verification:
show bgp all sum
show bgp all neigh
show bgp all
show ip bgp ipv6 unicast
show ip bgp ipv6 unicast summary
show ip bgp ipv6 unicast neighbors A.B.C.D.E.F advertised-routes

SECTION 2.11 Layer 3 Multicast
The streaming server is connected in VLAN 5 on SW5. Receivers are located at the DMVPN spokes R18 and R19
Configure the ACME network as per the following requirements:

Only network segments with active receivers that explicitly require the data must receive the multicast traffic
Interface Loopback0 of R15 must be configured as the RP (rp cand)
Use a standard method of dynamically distributing the RP (bsr cand)
Both R16 and R17 must participate in the multicast routing
To test, configure interface E0/0 of both R18 and R19 to join group 232.1.1.1
Add any unused port on SW5 into VLAN 5 and confirm that multicast is working as required by using the following test.
SW5 must receive a reply from both R18 and R19.
Multicast traffic should prefer the path through R16; don't use delay or bandwidth to enforce it

SW5#ping 232.1.1.1 source vlan 5

Type escape sequence to abort.
Sending 50, 100-byte ICMP Echos to 232.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 123.55.55.55
reply to request 0 from 10.1.19.1 3ms
reply to request 0 from 10.1.18.1 4ms

Note: ip pim sparse-mode may be required on SW6 also
We need to force R17 to take the path via R16 to reach the RP (R15) for multicast to work
Ensure that the interface carrying the IGMP join-group config is also advertised and reachable via its unicast IP address

Solution:

SW5:
ip multicast-routing
!
int vlan 5
ip pim sparse-mode
!
int vlan 55
ip pim sparse-mode

R15:
ip multicast-routing
!
int lo0
ip pim sparse-mode
!
int e0/1
ip pim sparse-mode
!
int e0/2
ip pim sparse-mode
!
ip pim bsr-cand lo0
ip pim rp-cand lo0

R16:
ip multicast-routing
!
int e0/1
ip pim sparse-mode
!
int e0/2
ip pim sparse-mode

R17:
ip multicast-routing
!
int tun0
ip pim sparse-mode
!
int e0/1
ip pim sparse-mode
!
int e0/2
ip pim sparse-mode

R17:
access-list 17 per 123.15.15.15 0.0.0.0
!
router eigrp CCIE
address-family ipv4 auto 45678
topology base
offset-list 17 in 2147483647 e0/2
----- Or -----
router eigrp 45678
offset-list 17 in 2147483647 e0/2

R18,R19:
ip multicast-routing
!
int tun0
ip pim sparse-mode
!
int e0/0
ip pim sparse-mode
ip igmp join-group 232.1.1.1

Verification:
show ip pim interface
show ip pim neighbor
show ip igmp interface
show ip igmp groups
show ip mroute
show ip mroute summary
clear ip mroute *

SECTION 3 VPN Technology

SECTION 3.1 MPLS VPN Part 1

Refer to "Diagram 3 BGP Topology" and "Diagram 4 VPN Technology"

The ACME HQ network (AS 12345) uses MPLS L3VPN in order to clearly separate the remote site networks.
The ACME corporate security policies are centralized and enforced at the San Jose site (AS 65112) for all remote sites. The policies require that all traffic that is originated from any remote sites (with the exception of the New York office)

Configure MPLS L3VPN in the ACME network according to the following requirements:

Enable LDP only on the required interfaces on all seven routers in AS 12345, using the smartest way (mpls ldp autoconfig)
Use the interface lo0 to establish LDP peerings
Ensure that no MPLS interface that belongs to any router in AS 12345 is visible on a traceroute that originates outside of the AS
R2, R3, R6, R7 must be configured as PE routers
R1, R4, R5 must be configured as P routers

Note: the mpls ldp autoconfig feature globally enables LDP on every interface associated with an IGP instance

Solution:
R1,R2,R3,R4,R5,R6,R7:
mpls label protocol ldp
mpls ldp router-id lo0 force
no mpls ip propagate-ttl
!
router ospf 12345
mpls ldp autoconfig

-------- Or (per interface) --------

R1,R2,R3,R4,R5,R6,R7:
mpls label protocol ldp
mpls ldp router-id lo0 force
no mpls ip propagate-ttl
!
int range e0/1 - 2
mpls ip
R4,R5:
int e0/0
mpls ip

Verification:
show mpls interfaces
show mpls ldp neighbor
show mpls ldp discovery
show mpls ldp bindings
show mpls ip binding
show mpls forwarding-table

SECTION 3.2 MPLS VPN Part 2

Refer to "Diagram 3 BGP Topology" and "Diagram 4 VPN Technology"

The global and regional service providers have agreed to transport the ACME VPN via PE to PE eBGP peerings that are already preconfigured.
Complete all the config of MPLS L3VPN in the ACME network according to the following requirements:

R1 must reflect VPNv4 prefixes from any PE to any other PE in AS 12345
R2 and R3 must establish eBGP peerings with both global SPs (AS 10001 and AS 10002) for the following VRFs
GREEN
BLUE
RED
YELLOW
INET
R6 must establish an eBGP peering with the regional SP (AS 20001) for the following VRFs
GREEN
BLUE
INET
R7 must establish an eBGP peering with the regional SP (AS 20002) for the following VRFs
BLUE
RED
INET
All IP addresses used for eBGP peering must pass BGP's directly connected check
No BGP speaker in AS 12345 may use the network or redistribute statement under any address family of the BGP router config
At the end of the exam scenario the interface E0/0 of the gateway router in any remote site must be able to connect to the interface E0/0 of any other remote gateway that belongs to AS 65111 or AS 65222 (Sec 2.8 AS 65111 task)
Use the following tests as examples of connectivity checks
R12#ping 10.1.19.1 source Ethernet0/0
!!!!!
R12#trace 10.1.19.1 source Ethernet0/0
(10 hops)

Note: ping & trace will work after completion of Sec 2.8 (AS 65222) and all AS 45678/65222 Sections
10.1.19.1 (10.2.19.1) is the R19 IP Address
Solution:

BGP with Peer Group

R1:
router bgp 12345
!
address-family vpnv4
neigh iBGP route-reflector-client
neigh iBGP send-community extended
neigh 123.2.2.2 activate
neigh 123.3.3.3 activate
neigh 123.6.6.6 activate
neigh 123.7.7.7 activate

-------- Or --------

BGP without Peer Group

R1:
router bgp 12345
!
address-family vpnv4
neigh 123.2.2.2 activate
neigh 123.3.3.3 activate
neigh 123.6.6.6 activate
neigh 123.7.7.7 activate
neigh 123.2.2.2 route-reflector-client
neigh 123.3.3.3 route-reflector-client
neigh 123.6.6.6 route-reflector-client
neigh 123.7.7.7 route-reflector-client
neigh 123.2.2.2 send-community extended
neigh 123.3.3.3 send-community extended
neigh 123.6.6.6 send-community extended
neigh 123.7.7.7 send-community extended
R2:
router bgp 12345
!
address-family ipv4 vrf GREEN
neigh 101.1.123.1 remote-as 10001
neigh 101.1.123.1 activate
!
address-family ipv4 vrf BLUE
neigh 101.1.123.1 remote-as 10001
neigh 101.1.123.1 activate
!
address-family ipv4 vrf RED
neigh 101.1.123.1 remote-as 10001
neigh 101.1.123.1 activate
!
address-family ipv4 vrf YELLOW
neigh 101.1.123.1 remote-as 10001
neigh 101.1.123.1 activate
!
address-family ipv4 vrf INET
neigh 101.1.123.1 remote-as 10001
neigh 101.1.123.1 activate

R3:
router bgp 12345
!
address-family ipv4 vrf GREEN
neigh 102.2.123.1 remote-as 10002
neigh 102.2.123.1 activate
!
address-family ipv4 vrf BLUE
neigh 102.2.123.1 remote-as 10002
neigh 102.2.123.1 activate
!
address-family ipv4 vrf RED
neigh 102.2.123.1 remote-as 10002
neigh 102.2.123.1 activate
!
address-family ipv4 vrf YELLOW
neigh 102.2.123.1 remote-as 10002
neigh 102.2.123.1 activate
!
address-family ipv4 vrf INET
neigh 102.2.123.1 remote-as 10002
neigh 102.2.123.1 activate

R2,R3,R6,R7:
router bgp 12345
!
address-family vpnv4
neigh 123.1.1.1 activate
neigh 123.1.1.1 send-community extended

R6:
router bgp 12345
!
address-family ipv4 vrf GREEN
neigh 201.1.123.1 remote-as 20001
neigh 201.1.123.1 activate
!
address-family ipv4 vrf BLUE
neigh 201.1.123.1 remote-as 20001
neigh 201.1.123.1 activate
!
address-family ipv4 vrf INET
neigh 201.1.123.1 remote-as 20001
neigh 201.1.123.1 activate

R7:
router bgp 12345
!
address-family ipv4 vrf BLUE
neigh 202.2.123.1 remote-as 20002
neigh 202.2.123.1 activate
!
address-family ipv4 vrf RED
neigh 202.2.123.1 remote-as 20002
neigh 202.2.123.1 activate
!
address-family ipv4 vrf INET
neigh 202.2.123.1 remote-as 20002
neigh 202.2.123.1 activate

Requirement for trace of 10 hops

R12,R13,R14:
bgp config: complete the task in Sec 2.8

R20:
router bgp 65112
address-family ipv4
neighbor 10.120.15.5 weight 100

Verification:
show ip vrf
show bgp all
show bgp all summary
show ip bgp
show ip bgp summary
show ip bgp vpnv4 all
show ip bgp vpnv4 all summary

SECTION 3.3 DMVPN

There are 2 variations: With VRF (LOCALSP) and Without VRF

Configure DMVPN phase 3 in the ACME APAC region (AS 45678 and 65222) as per the following requirements:

Use the preconfigured interface tunnel0 on all three routers in order to accomplish this task
R17 must be the hub router
R18 and R19 must be the spokes and must participate in the NHRP information exchange
Disable sending ICMP redirect messages on all three tunnel interfaces
Configure the following parameters on all three tunnel interfaces
bandwidth 1000 kbps
delay 10000 msec
mtu 1400 bytes
tcp mss 1380
Authenticate NHRP using the string 45678 key
Use NHRP network id 45678
Config NHRP holdtime to 5 min
Ensure that spoke to spoke traffic does not transit via the hub (Phase 3)
Ensure that DMVPN is established via the VRF on each router (with VRF task)

Note: tunnel vrf "vrf name" missing on tunnel interfaces
Take a backup of the Tunnels configuration

Solution:

WITH VRF

R17,R18,R19:
int tun0
tunnel vrf LOCALSP
no ip redirects
bandwidth 1000
delay 1000
ip mtu 1400
ip tcp adjust-mss 1380
tunnel key 45678
ip nhrp network-id 45678
ip nhrp holdtime 300

WITHOUT VRF

R17,R18,R19:
int tun0
no ip redirects
bandwidth 1000
delay 1000
ip mtu 1400
ip tcp adjust-mss 1380
tunnel key 45678
ip nhrp network-id 45678
ip nhrp holdtime 300

WITH/WITHOUT VRF

R17:
int tun0
ip nhrp redirect

R18,R19:
int tun 0
ip nhrp shortcut

Verification:
show ip nhrp detail
show ip nhrp brief
show dmvpn detail

SECTION 3.4 DMVPN Encryption

There are 2 variations: With VRF (LOCALSP) and Without VRF

Refer to "Diagram 4 VPN technology"
Secure the DMVPN tunnel using IPSec according to the following requirements:

Configure IKE phase 1 as per the following
Configure a single policy using priority 10
Use AES encryption with the preshared key CCIE
The key must appear in plain text in the config
All IPSec tunnels must be authenticated using the same IKE phase 1 preshared key
Use 1024 bits for the key exchange using the Diffie Hellman algorithm
Configure IKE phase 2 as per the following requirements
Use CCIEXFORM as the transform set name
Use DMVPNPROFILE as the IPSec profile name
Use IPSec in transport mode
Use the IPSec protocol ESP and the algorithm AES with 128 bits
Ensure that the DMVPN cloud is secured using the above parameters. Use tunnel protection in your config

Solution:

WITH VRF

R17,R18,R19:
crypto isakmp policy 10
encryption aes
authentication pre-share
group 2
!
crypto keyring DMVPN vrf LOCALSP
pre-shared-key address 0.0.0.0 0.0.0.0 key CCIE
!
crypto ipsec transform-set CCIEXFORM esp-aes
mode transport
!
crypto ipsec profile DMVPNPROFILE
set transform-set CCIEXFORM
!
int tun 0
tunnel protection ipsec profile DMVPNPROFILE

WITHOUT VRF

R17,R18,R19:
crypto isakmp policy 10
encryption aes
authentication pre-share
group 2
crypto isakmp key CCIE address 0.0.0.0
!
crypto ipsec transform-set CCIEXFORM esp-aes
mode transport
!
crypto ipsec profile DMVPNPROFILE
set transform-set CCIEXFORM
!
int tun 0
tunnel protection ipsec profile DMVPNPROFILE

Verification:
show crypto isakmp sa
show crypto ipsec sa
show crypto session
clear dmvpn session
clear crypto session
clear ip eigrp neighbor

SECTION 4 Infrastructure Security

SECTION 4.1 Device Security

Configure R20 in the ACME San Jose office as per the following:

All users who connect to R20 via the console or via any of the VTY lines using SSH must be prompted with the below message before any other prompt is displayed
WARNING!ACCESS RESTRICTED
Do not use any other spaces or any other characters

Solution:
R20:
banner motd *WARNING!ACCESS RESTRICTED*
banner login *WARNING!ACCESS RESTRICTED*
!
line vty 0 4
no motd-banner

Note: SSH will work after completion of Sec 5.1

SECTION 4.2 Network Security

Configure the ACME New York office as per the following:

Ensure that interfaces E0/0-3 of SW3 forward the traffic sent from expected and legitimate users only
SW3 must dynamically learn only one mac address per port and must save the mac address in its startup configuration
SW3 must shut down the port if a security violation occurs on any of the four ports

Solution:
SW3:
int range e0/0-3
switchport port-security
switchport port-security mac-address sticky
switchport port-security maximum 1
switchport port-security violation shutdown

Verification:
show port-security

SECTION 5 Infrastructure Services

SECTION 5.1 System Management

Configure R20 in the ACME San Jose office as per the following:

Establish SSH access on R20 using the domain name acme.org
R20 must accept up to five remote authorized users connecting at the same time using SSH
Create the user "test" with password "test" in the local database of R20
Ensure that R20 accepts SSH connections from clients with a source ip in 123.10.2.0/24. All other source ips should be denied. Use a standard ACL to accomplish this
R20 must generate a syslog message for all SSH connection attempts, whether permitted or denied
When authenticated, the username test must be granted privilege level 1
Do not enable aaa new-model on R20
Ensure that SSH is the only remote access method permitted on the VTY lines of R20
Ensure that the console is not affected by your solution and no username prompt is presented on the console port
Test your solution from any device that is located in AS 34567 and ensure that the following sequence of commands produces the following output
R10#ssh -l test 123.20.20.20
WARNING!ACCESS RESTRICTED
R20>
R20>show privilege
current privilege level is 1
R20>
R20>q
R10#

Note: rsa keys must be generated manually
Solution:
R20:
ip domain-name acme.org
username test privilege 1 password test
!
crypto key generate rsa modulus 1024
ip ssh maxstartups 5
login on-success log
login on-failure log
ip ssh logging events
!
line vty 0 4
access-class 20 in
privilege level 1
login local
transport input ssh
!
access-list 20 permit 123.10.2.0 0.0.0.255 log
! the implicit deny at the end of an ACL is silent; an explicit deny with log
! is what makes the rejected source addresses show up in syslog as required
access-list 20 deny any log

SECTION 5.2 Network Services

Configure the ACME network as per the following:

R20 must enable all private corporate traffic that is originated from any host with source ip address 10.1.0.0/16 or 10.2.0.0/16 to connect to any public destination that is located in AS 34567
All remote sites in AS 65111 and 65222 must be able to connect to the public destinations
R20 must swap the source IP Address in these packets with the IP Address of its Loopback0
R20 must allow multiple concurrent connections
Use a standard ACL to accomplish this.
The following tests must succeed after the above requirements (in addition to previous requirements) are achieved
R12#ping 1.2.3.4 so Ethernet 0/0
!!!!!
R18#ping 1.2.3.4 so Ethernet 0/0
!!!!!

Solution:

R20:
access-list 10 permit 10.1.0.0 0.0.255.255
access-list 10 permit 10.2.0.0 0.0.255.255
!
ip nat inside source list 10 int lo0 overload
!
int lo0
ip nat outside/inside
!
int e0/0.99
ip nat outside
!
int e0/1.99
ip nat outside
!
int range e0/0.12 - e0/0.15
ip nat inside
!
int range e0/1.12 - e0/1.15
ip nat inside

Verification:
show ip nat translations
show ip nat statistics
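
Added example (not from the workbook): a Python model of what `ip nat inside source list 10 int lo0 overload` does to R20's traffic, including the standard-ACL wildcard test that selects the inside sources and the port handling that lets many inside hosts share one global address. It assumes R20's Loopback0 is 123.20.20.20 (the address the Section 5.1 SSH test connects to); the packets are constructed samples.

```python
"""
Model of Cisco IOS 'ip nat inside source list <acl> interface <if> overload' (PAT).

ACL semantics: entries are checked in order, a set wildcard bit means "do not
care", and an address matching no entry is denied (so it is not translated).
Port handling: the inside host keeps its source port when it is still free on
the global address; otherwise a new port is allocated from a pool.
"""
from ipaddress import IPv4Address


def wildcard_match(addr, network, wildcard):
    """Standard-ACL test: a set bit in the wildcard means 'do not care'."""
    a = int(IPv4Address(addr))
    n = int(IPv4Address(network))
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


class StandardAcl:
    """Ordered entries of (action, network, wildcard); first match wins."""

    def __init__(self, entries):
        self.entries = entries

    def permits(self, addr):
        for action, network, wildcard in self.entries:
            if wildcard_match(addr, network, wildcard):
                return action == "permit"
        return False  # implicit deny at the end of every IOS ACL


class PatTable:
    """Overload NAT: every permitted inside host is rewritten to one global IP."""

    def __init__(self, acl, inside_global, first_port=1024):
        self.acl = acl
        self.inside_global = inside_global
        self.first_port = first_port
        self.table = {}  # (inside_local_ip, inside_port, proto) -> global port

    def _ports_in_use(self, proto):
        return {port for (_ip, _p, pr), port in self.table.items() if pr == proto}

    def translate(self, src_ip, src_port, proto="tcp"):
        """Outbound: return (global ip, global port), or None if list 10 denies."""
        if not self.acl.permits(src_ip):
            return None  # not an inside source for this NAT rule
        key = (src_ip, src_port, proto)
        if key not in self.table:
            used = self._ports_in_use(proto)
            port = src_port if src_port not in used else self.first_port
            while port in used:  # original port taken by another host: pick a free one
                port += 1
            self.table[key] = port
        return self.inside_global, self.table[key]

    def untranslate(self, global_port, proto="tcp"):
        """Inbound reply: map a global port back to (inside ip, inside port)."""
        for (ip, port, pr), gport in self.table.items():
            if pr == proto and gport == global_port:
                return ip, port
        return None


# access-list 10 exactly as configured on R20 in this section.
ACL_10 = StandardAcl([
    ("permit", "10.1.0.0", "0.0.255.255"),
    ("permit", "10.2.0.0", "0.0.255.255"),
])


def r20_demo():
    """Constructed packets from the remote sites toward 1.2.3.4 in AS 34567."""
    nat = PatTable(ACL_10, "123.20.20.20")  # assumed R20 Loopback0 address
    results = {
        "r19_e00": nat.translate("10.1.19.1", 40000),    # R19 address from Section 3.2
        "r19_alt": nat.translate("10.2.19.1", 40000),    # same port already in use
        "r19_again": nat.translate("10.1.19.1", 40000),  # existing entry is reused
        "r19_lo0": nat.translate("123.19.19.19", 40000), # not in list 10: no NAT
        "reply": nat.untranslate(1024),                  # return traffic to the 2nd host
    }
    return results, len(nat.table)


if __name__ == "__main__":
    print(r20_demo())
```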

SECTION 5.3 Network Optimization

Configure an IOS feature on R17 to achieve the following output:
R17#show int | grep 'is up'
Ethernet 0/1 is up, line protocol is up
Ethernet 0/2 is up, line protocol is up
Ethernet 0/3 is up, line protocol is up
Loopback0 is up, line protocol is up
Tunnel0 is up, line protocol is up
Tunnel1 is up, line protocol is up
R17#show int | grep 'is up' | wc -l

Solution:

R17:
R17#terminal shell
R17(config)#shell processing full

SECTION 5.3 Network Optimization Another Variation

Configure R17 as per the following requirements:

The output shown below must be seen on R17 during 10 sec after R15 successfully pings interface lo0 of R19
R15#ping 123.19.19.19
!!!!!
R17#show ip flow top-talkers
SrcIf  SrcIPaddress  DstIf  DstIPaddress  Pr  SrcP  DstP  Bytes
E0/2   123.20.1.9    Tu0*   123.19.19.19  01  0000  0800  500

Note: E0/2 is the interface facing R15
Match the output as per the question (shut the other interfaces)

Solution:

R17:

ip flow-export version 9
ip flow-top-talkers
top 1
sort-by bytes
cache-timeout 10000
match protocol 1
match source address 123.20.1.9 255.255.255.255
match destination address 123.19.19.19 255.255.255.255
!
int tun0
ip flow egress
----- Or -----
int e0/2
ip flow ingress

SECTION 5.4 Network Services

Configure ACME as per the following requirements:

SW3 must provide an authoritative time source to the ACME network
R10 and R12 must sync their clock to SW3 using NTPv4 for IPv6
R10 and R12 must operate in client mode
SW3 must not capture or use any time info that is sent by R12 and R14
All NTP traffic must rely on IPv6 connectivity only
All NTP traffic must be sourced from and destined to interface lo0 of the corresponding devices
The NTP devices must use the strongest authentication method to synchronize, using the password CCIERocks$

Note: Check reachability to the SW3 Loopback IPv6 address
Check the IPv6 address on the Loopback interfaces

Solution:

SW3:
int lo0
ipv6 add 2001:CC1E:BEF:0:123:33:33:33/128
ospfv3 1 ipv6 area 0
-------- Or --------
ipv6 ospf 1 area 0

R10:
int lo0
ipv6 add 2001:CC1E:BEF:0:123:10:10:10/128
ospfv3 1 ipv6 area 10
-------- Or --------
ipv6 ospf 1 area 10

R12:
int lo0
ipv6 add 2001:CC1E:BEF:0:123:12:12:12/128
!
router bgp 65111
address-family ipv6
network 2001:CC1E:BEF:0:123:12:12:12/128

SW3:
ntp master 1
ntp peer 2001:CC1E:BEF:0:123:10:10:10 ver 4
ntp peer 2001:CC1E:BEF:0:123:12:12:12 ver 4

SW3,R10,R12,R14:
ntp source lo0
!
int lo0
ntp disable ip

R10,R12,R14:
ntp server 2001:CC1E:BEF:0:123:33:33:33 ver 4

Strongest Authentication Solution:

SW3,R10,R12:
ntp authentication-key 1 md5 CCIERocks$
ntp authenticate
ntp trusted-key 1

R10,R12:
ntp server 2001:CC1E:BEF:34:123:10:2:13 key 1 source lo0

Verification:
show ntp associations
show ntp information
show ntp packets
show ntp status
