Diagrams (not reproduced here): BGP Diagram, Physical Connectivity, Switching Topology
Section 1 : Layer 2 Technologies
1.1 Troubleshoot Layer 2 Switch
A few faults have been injected into the preconfigurations just described. These issues may impede a
working solution for certain portions of this lab exam, and they can affect any lab section.
You must verify that all of your configurations work as expected. If something is not working as
expected, you must fix the underlying problem. Points will be awarded for solving each
problem. However, if you fail to solve a particular problem and the injected fault prevents you from
having a working solution for this lab, then you will lose points for both the fault and the scenario that is not
working.
Solution
Faults
1. Root guard on SW1 trunk ports
   interface range f0/19 - 24
   no spanning-tree guard root
2. DHCP snooping / ARP inspection on VLAN 17 on SW2
   no ip dhcp snooping vlan 17
   no ip arp inspection vlan 17
3. PortFast on SW4 trunk interfaces
   interface range f0/19 - 24
   no spanning-tree portfast
4. Root guard on the interfaces connected to the backbone (SW1 and SW3)
   interface f0/10
   no spanning-tree guard root
5. VTP version, domain name and password mismatch
   (The VTP version should be 2; adjust the domain name and password according to the test information.)
Two preconfigured SVIs (VLAN 71 and VLAN 92) were up, but no access ports were configured for them, so they were left untouched.
1.2 VLAN and Access-Ports
Configure all of the appropriate non-trunking switch ports on all switches according to the
following requirements:
Vlan17 - VLAN_17_R1-SW2
Vlan29 - VLAN_29_R2-SW4
Vlan34 - VLAN_34
Vlan38 - VLAN_38_R3-SW3
Vlan45 - VLAN_45
Vlan56 - VLAN_56_R5-SW1
Vlan67 - VLAN_67_SW1-SW2
Vlan89 - VLAN_89_SW3-SW4
Vlan100 - VLAN_BB1
Vlan200 - VLAN_BB2
Vlan300 - VLAN_BB3
Vlan333 - VLAN_CUSTOMER
Vlan500 - VLAN_USERS
Vlan666 - VLAN_CARRIER
Vlan999 - VLAN_NATIVE
Vlan17 Between R1 & SW2
Vlan29 Between R2 & SW4
Vlan34 Between R3 & R4
Vlan38 Between R3 & SW3
Vlan45 Between R4 & R5
Vlan56 Between R5 & SW1
Vlan67 SVI Between SW1 & SW2
Vlan89 SVI Between SW3 & SW4
Vlan100 Between R1 & BB1
Vlan200 Between R2 & BB2
Vlan300 Between SW3 & BB3
Vlan333 Customer VLAN
Vlan500 User VLAN
Vlan666 Carrier VLAN
Vlan999 Unused ports VLAN
NOTE
1. SW1 (and possibly other switches) has been pre-configured with the needed VLANs.
2. It is better to check the switchport trunking question (1.4) at this point, since setting the VTP domain name and password correctly will populate the VLANs on the switches.
3. Make sure the VLANs have spread to all switches before setting them to transparent mode, to save time.
4. Cross-check the VLAN names against the provided table.
Solution
On All Switches
vtp domain CCIE
vtp mode transparent
vtp password cisco
vtp version 2
vlan 17
name VLAN_17_R1-SW2
vlan 29
name VLAN_29_R2-SW4
vlan 34
name VLAN_34
vlan 38
name VLAN_38_R3-SW3
vlan 45
name VLAN_45
vlan 56
name VLAN_56_R5-SW1
vlan 67
name VLAN_67_SW1-SW2
vlan 89
name VLAN_89_SW3-SW4
vlan 100
name VLAN_BB1
vlan 200
name VLAN_BB2
vlan 300
name VLAN_BB3
vlan 333
name VLAN_CUSTOMER
vlan 500
name VLAN_USERS
vlan 666
name VLAN_CARRIER
vlan 999
name VLAN_NATIVE
On SW1
interface FastEthernet0/1
switchport access vlan 17
switchport mode access
!
interface FastEthernet0/2
switchport access vlan 200
switchport mode access
!
interface FastEthernet0/3
switchport access vlan 34
switchport mode access
!
interface FastEthernet0/4
switchport access vlan 45
switchport mode access
!
interface FastEthernet0/5
switchport access vlan 56
switchport mode access
!
interface FastEthernet0/10
switchport access vlan 100
switchport mode access
!
interface Vlan56
ip address YY.YY.56.6 255.255.255.0
!
interface Vlan67
ip address YY.YY.67.6 255.255.255.0
On SW2
interface FastEthernet0/1
switchport access vlan 100
switchport mode access
!
interface FastEthernet0/2
switchport access vlan 29
switchport mode access
!
interface FastEthernet0/3
switchport access vlan 38
switchport mode access
!
interface FastEthernet0/4
switchport access vlan 34
switchport mode access
!
interface FastEthernet0/5
switchport access vlan 45
switchport mode access
!
K7 solutions used to pass For certcollection users only by SanjanaIE
interface FastEthernet0/10
switchport access vlan 200
switchport mode access
!
interface Vlan17
ip address YY.YY.17.7 255.255.255.0
!
interface Vlan67
ip address YY.YY.67.7 255.255.255.0
On SW3
interface FastEthernet0/10
switchport access vlan 300
switchport mode access
!
interface Vlan38
ip address YY.YY.38.8 255.255.255.0
!
interface Vlan89
ip address YY.YY.89.8 255.255.255.0
!
interface Vlan300
ip address 150.3.yy.1 255.255.255.0
On SW4
interface Vlan29
ip address YY.YY.29.9 255.255.255.0
!
interface Vlan89
ip address YY.YY.89.9 255.255.255.0
Configure the switches according to the following requirements:
Each of the following sets of VLANs must share a common spanning-tree topology:
Spanning-tree topology 1: all odd VLANs used throughout your exam
Spanning-tree topology 2: all even VLANs used throughout your exam
Spanning-tree topology 3: all other VLANs must be explicitly put into instance 3
(Or) Spanning-tree topology 3: all other VLANs
Use the domain name cisco
o Ensure SW1 is the root switch for instance 1 and the CIST VLANs, and
o the backup root switch for instance 2
o Ensure SW2 is the root switch for instance 2, and
o the backup root switch for instance 1 and the CIST VLANs
Configure the native VLAN as VLAN 999. Ensure this VLAN is tagged.
o All unused ports should be administratively shut down and defined as access ports on
VLAN 999.
o Don't forget the GigabitEthernet ports (2 ports).
Solution
On all Switches
spanning-tree mode mst
spanning-tree mst configuration
revision 1
name Cisco
instance 3 vlan 1-4094
instance 1 vlan 17,29,45,67,89,333,999
instance 2 vlan 34,38,56,100,200,300,500,666
!
interface range fastethernet 0/19-24
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 999
!
interface range <all-unused-ports>
switchport mode access
switchport access vlan 999
shutdown
!
vlan dot1q tag native
On SW1
spanning-tree mst 0 root primary
spanning-tree mst 1 root primary
spanning-tree mst 2 root secondary
On SW2
spanning-tree mst 0 root secondary
spanning-tree mst 1 root secondary
spanning-tree mst 2 root primary
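The odd/even/other rule above is easy to get wrong by hand, so here is an added example (written for this page, not part of the K7 workbook) that derives the MST instance mapping from the lab's VLAN list, renders the configuration block, and checks the workbook's own instance lines against the requirement. The VLAN list is the one used throughout this lab; the rule and the checks are the example's own. It also shows how IOS resolves overlapping "instance N vlan" statements: the last statement naming a VLAN wins, which is why "instance 3 vlan 1-4094" can be followed by the more specific instance 1 and 2 lines.

```python
# Added example, not from the workbook: derive and verify the MST VLAN-to-instance
# mapping the task asks for (odd -> 1, even -> 2, every other VLAN -> 3).

LAB_VLANS = [17, 29, 34, 38, 45, 56, 67, 89, 100, 200, 300, 333, 500, 666, 999]

def instance_for(vlan, used):
    """Instance a VLAN belongs to under the task's rule."""
    if vlan not in used:
        return 3                      # not used in the exam -> catch-all instance
    return 1 if vlan % 2 else 2

def build_mst_config(used_vlans, region_name="Cisco", revision=1):
    """Render the 'spanning-tree mst configuration' block. Instance 3 takes 1-4094
    first; the later instance lines move the used VLANs out of it, which is how
    IOS applies overlapping 'instance N vlan' statements."""
    used = sorted(set(used_vlans))
    odd = [v for v in used if v % 2]
    even = [v for v in used if not v % 2]
    return [
        "spanning-tree mst configuration",
        f" name {region_name}",
        f" revision {revision}",
        " instance 3 vlan 1-4094",
        " instance 1 vlan " + ",".join(map(str, odd)),
        " instance 2 vlan " + ",".join(map(str, even)),
    ]

def parse_instance_lines(lines):
    """Return {vlan: instance} from 'instance N vlan a,b,c-d' lines; later lines
    override earlier ones, mirroring IOS behaviour."""
    mapping = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "instance" or parts[2] != "vlan":
            continue
        inst = int(parts[1])
        for item in parts[3].split(","):
            lo, _, hi = item.partition("-")
            for v in range(int(lo), int(hi or lo) + 1):
                mapping[v] = inst
    return mapping

def check_mapping(lines, used_vlans):
    """Report every VLAN whose instance violates the odd/even/other rule."""
    used = set(used_vlans)
    mapping = parse_instance_lines(lines)
    problems = []
    for v in range(1, 4095):
        want = instance_for(v, used)
        got = mapping.get(v, 0)       # an unmapped VLAN stays in the CIST (instance 0)
        if got != want:
            problems.append(f"vlan {v}: instance {got}, expected {want}")
    return problems

# The workbook's own instance lines, checked against the requirement.
WORKBOOK_LINES = [
    "instance 3 vlan 1-4094",
    "instance 1 vlan 17,29,45,67,89,333,999",
    "instance 2 vlan 34,38,56,100,200,300,500,666",
]

if __name__ == "__main__":
    print("\n".join(build_mst_config(LAB_VLANS)))
    print(check_mapping(WORKBOOK_LINES, LAB_VLANS) or "mapping matches the task")
```

Run it as-is to confirm the workbook's three instance lines satisfy the rule; feed your own "show spanning-tree mst configuration" instance lines to check_mapping to verify a switch before the region name and revision are compared.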
1.4 Switch Trunking and EtherChannel
Refer to the diagram. Configure the dual trunk ports between all switches according to the
following requirements:
Configure the trunks using dot1q as per the diagram (ports 19 - 24) on SW1 - SW4
Allow the native VLAN 999 and ensure the native VLAN frames are tagged
Use 802.1Q encapsulation
Disable DTP on the six distribution ports of each switch
Configure an 802.3ad 200 Mbps EtherChannel between SW1 and SW2
SW2 should not actively start it
EtherChannel load balancing should be based on source and destination host MAC
addresses
If more channel members are added in the future, Fa0/24 must have the best chance of being
the first active port in the channel
Configure EtherChannel (LACP) between the 2 switches; SW2 shouldn't actively start it
Load balance with a hash of src-dst MAC address
Solution
interface range fastethernet 0/19-24
switchport trunk encapsulation dot1q
switchport nonegotiate
On SW1
interface range fastethernet 0/23-24
channel-group 1 mode active
!
port-channel load-balance src-dst-mac
!
interface range fastethernet 0/24
lacp port-priority 1
On SW2
interface range fastethernet 0/23-24
channel-group 1 mode passive
!
port-channel load-balance src-dst-mac
!
interface range fastethernet 0/24
lacp port-priority 1
1.5 Implement 802.1Q Tunneling
Configure your network as per the following requirements:
Users connected to VLAN 333 on SW3 must be able to communicate with users connected
to VLAN 333 on SW4 via their interfaces Fa0/19 (connected to SW1 and SW2 respectively)
Configure the VLAN 333 interface on SW3 with the IP address YY.YY.33.8/24
Configure the VLAN 333 interface on SW4 with the IP address YY.YY.33.9/24
VLAN 333 must be allowed to flow only through SW3's and SW4's Fa0/19. No other trunks
may carry this VLAN
SW1 and SW2 must carry the VLAN 333 data across the network using VLAN 666
VLAN 666 may exist only on SW1 and SW2
SW1 and SW2 must not allow VLAN 333 on any trunks and must allow VLAN 666 only on
the trunks between them
No other port in any switch may carry VLAN 333
Do not modify any spanning-tree cost or port priority to achieve this task
Referring to the exhibit below:
o SW3 must see SW4 as a CDP neighbor via interface Fa0/19 and
o must be able to ping SW4's VLAN 333
Solution
On ALL Switches
interface range fastethernet 0/19-24
switchport trunk allowed vlan remove 333,666
On SW3 and SW4
interface fastethernet 0/19
switchport trunk allowed vlan 333
On SW1 and SW2
system mtu 1504 // a reload is required for this command to take effect
system mtu routing 1500 // the default; it is better to hardcode it than to leave it to the default
!
interface fastethernet 0/19
switchport access vlan 666
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
no cdp enable
!
interface Port-channel 1
switchport trunk allowed vlan add 666
On SW3
interface vlan 333
ip address YY.YY.33.8 255.255.255.0
On SW4
interface vlan 333
ip address YY.YY.33.9 255.255.255.0
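To make the "system mtu 1504" line concrete, here is an added example (written for this page, not the workbook's or Cisco's code) that builds the frames a dot1q-tunnel port handles: it pushes the carrier tag (VLAN 666) in front of the customer tag (VLAN 333), pops it again on the far side, and computes the system MTU a double-tagged 1500-byte payload needs. MAC addresses and the payload are constructed sample values; the tunnel_ingress/tunnel_egress names are the example's own.

```python
# Added example, not from the workbook: QinQ frame construction and parsing.
import struct

TPID_DOT1Q = 0x8100          # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800

def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))

def dot1q_tag(vlan, pcp=0):
    """One 4-byte tag: TPID followed by TCI (3-bit PCP, DEI=0, 12-bit VID)."""
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN id out of range")
    return struct.pack("!HH", TPID_DOT1Q, (pcp << 13) | vlan)

def build_frame(dst, src, vlans, payload, ethertype=ETHERTYPE_IPV4):
    """Ethernet frame with stacked tags; vlans[0] is the outermost tag."""
    frame = mac_bytes(dst) + mac_bytes(src)
    for v in vlans:
        frame += dot1q_tag(v)
    return frame + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return (dst, src, [vlan ids outer -> inner], ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    off, vlans = 12, []
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID_DOT1Q:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vlans.append(tci & 0x0FFF)
        off += 4
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    return dst, src, vlans, ethertype, frame[off + 2:]

def tunnel_ingress(frame, carrier_vlan):
    """What SW1's Fa0/19 does as a dot1q-tunnel port: push the carrier tag
    (VLAN 666) in front of whatever SW3 sent, customer tag included."""
    dst, src, vlans, ethertype, payload = parse_frame(frame)
    return build_frame(dst.hex(":"), src.hex(":"), [carrier_vlan] + vlans, payload, ethertype)

def tunnel_egress(frame):
    """The far tunnel port (SW2 Fa0/19) pops the carrier tag again."""
    dst, src, vlans, ethertype, payload = parse_frame(frame)
    return build_frame(dst.hex(":"), src.hex(":"), vlans[1:], payload, ethertype)

def system_mtu_for(payload_len, tags):
    """Catalyst 'system mtu' counts the payload; a single 802.1Q tag rides on top
    of the 1500 default, every further tag needs 4 more bytes. Two tags on a
    1500-byte payload therefore need 1504, as configured on SW1 and SW2."""
    return payload_len + 4 * max(tags - 1, 0)

if __name__ == "__main__":
    # constructed sample: a maximum-size IPv4 packet from a VLAN 333 host on SW3
    customer = build_frame("00:00:0c:00:00:09", "00:00:0c:00:00:08", [333],
                           b"\x45" + b"\x00" * 1499)
    carried = tunnel_ingress(customer, 666)
    print("tags on the SW3 side:", parse_frame(customer)[2])       # [333]
    print("tags on the SW1-SW2 trunk:", parse_frame(carried)[2])   # [666, 333]
    print("system mtu needed:", system_mtu_for(1500, len(parse_frame(carried)[2])))  # 1504
    assert tunnel_egress(carried) == customer
```

The customer's VLAN 333 tag survives untouched inside the carrier frame, which is exactly why the trunks between SW1 and SW2 only need to allow VLAN 666 while SW3 and SW4 still see each other in VLAN 333.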
1.6 PPP over Ethernet
Configure PPPoE between R3 and R4 according to the following requirements:
Configure R3 as a PPPoE Server
Configure R4 as a PPPoE Client
Configure the group name as CISCO
R4 always gets the same IP address from R3
Do not use DHCP to receive the IP address
Ensure no interleaving on the PPPoE link. Or (Ensure that there is no unnecessary PPP
fragmentation on the PPPoE link)
The IP address must be given to the virtual template
R3 must require R4 to authenticate using CHAP, but R4 must NOT require R3 to authenticate.
On R3 (Server)
username RackYYR4 password CISCO
vpdn enable
bba-group pppoe CISCO
virtual-template 1
!
interface FastEthernet0/1 // R3 interface facing R4
no ip address
pppoe enable group CISCO
!
interface Virtual-Template1
ip address YY.YY.34.3 255.255.255.0
peer default ip address pool POOL
ppp authentication chap
!
ip local pool POOL YY.YY.34.4
On R4 (Client)
interface FastEthernet0/1 // R4 interface facing R3
no ip address
pppoe enable
pppoe-client dial-pool-number 1
!
interface Dialer1
mtu 1492
ip address negotiated
encapsulation ppp
dialer pool 1
dialer persistent
dialer idle-timeout 0
ppp chap hostname RackYYR4
ppp chap password CISCO
1.7 Implement Frame-Relay
Use the following requirements to configure R1 and R2 for Frame Relay:
Use static frame-relay maps with the broadcast capability
Do not use dynamic ARP mapping (inverse ARP)
Do not change anything in the frame-relay switch (R4)
Use RFC1490/RFC2427 (IETF) encapsulation
Use the DLCI assignments from the table below
Set the administrative bandwidth on the interfaces to 50000 Kb
R1 and R2 must be able to ping their own interface
R1 uses DLCI 100
R2 uses DLCI 200
Solution
On R1
interface Serial0/0/0
bandwidth 50000
ip address YY.YY.12.1 255.255.255.0
encapsulation frame-relay IETF
// check the frame-relay switch and configure the LMI type if needed - optional, LMI autosensing will take care of this
frame-relay map ip YY.YY.12.2 100 broadcast
frame-relay map ip YY.YY.12.1 100
no frame-relay inverse-arp
On R2
interface Serial0/0/0
bandwidth 50000
ip address YY.YY.12.2 255.255.255.0
encapsulation frame-relay IETF
// check the frame-relay switch and configure the LMI type if needed - optional, LMI autosensing will take care of this
frame-relay map ip YY.YY.12.2 200
frame-relay map ip YY.YY.12.1 200 broadcast
no frame-relay inverse-arp
NOTE
If your test question does not include "Set the administrative bandwidth on the interfaces to 50000 Kb",
then there is no need to configure bandwidth 50000.
Configuration
On R1
ip cef
router ospf 1
router-id YY.YY.1.1
area 1 virtual-link YY.YY.3.3
network YY.YY.1.1 0.0.0.0 area 0
network YY.YY.15.1 0.0.0.0 area 0
network YY.YY.17.1 0.0.0.0 area 0
network YY.YY.12.1 0.0.0.0 area 1
network 150.1.YY.1 0.0.0.0 area 0
neighbor YY.YY.12.2
On R2
ip cef
router ospf 1
router-id YY.YY.2.2
network YY.YY.2.2 0.0.0.0 area 1
network YY.YY.12.2 0.0.0.0 area 1
network YY.YY.23.2 0.0.0.0 area 1
network 150.2.YY.1 0.0.0.0 area 1
neighbor YY.YY.12.1
On R3
ip cef
router ospf 1
router-id YY.YY.3.3
area 1 virtual-link YY.YY.1.1
area 1 virtual-link YY.YY.5.5
network YY.YY.3.3 0.0.0.0 area 1
network YY.YY.23.3 0.0.0.0 area 1
network YY.YY.35.3 0.0.0.0 area 1
network YY.YY.34.3 0.0.0.0 area 2
On R4
ip cef
router ospf 1
router-id YY.YY.4.4
network YY.YY.4.4 0.0.0.0 area 2
network YY.YY.34.4 0.0.0.0 area 2
On R5
ip cef
router ospf 1
router-id YY.YY.5.5
area 1 virtual-link YY.YY.3.3
network YY.YY.5.5 0.0.0.0 area 0
network YY.YY.15.5 0.0.0.0 area 0
network YY.YY.56.5 0.0.0.0 area 0
network YY.YY.35.5 0.0.0.0 area 1
On SW1
ip routing
ip cef distributed
router ospf 1
router-id YY.YY.6.6
network YY.YY.6.6 0.0.0.0 area 0
network YY.YY.56.6 0.0.0.0 area 0
network YY.YY.67.6 0.0.0.0 area 0
On SW2
ip routing
ip cef distributed
router ospf 1
router-id YY.YY.7.7
network YY.YY.7.7 0.0.0.0 area 0
network YY.YY.17.7 0.0.0.0 area 0
network YY.YY.67.7 0.0.0.0 area 0
2.2 IPv4 EIGRP
Configure Enhanced Interior Gateway Routing Protocol (EIGRP) 100 and EIGRP YY as per the IGP
topology diagram.
Configuration
On SW3
ip routing
ip cef distributed
router eigrp YY
network YY.YY.8.8 0.0.0.0
network YY.YY.38.8 0.0.0.0
network YY.YY.89.8 0.0.0.0
redistribute eigrp 100
no auto-summary
router eigrp 100
network 150.3.YY.1 0.0.0.0
no auto-summary
On R3
router eigrp YY
network YY.YY.38.3 0.0.0.0
no auto-summary
On R2
router eigrp YY
network YY.YY.29.2 0.0.0.0
no auto-summary
On SW4
ip routing
ip cef distributed
router eigrp YY
network YY.YY.9.9 0.0.0.0
network YY.YY.29.9 0.0.0.0
network YY.YY.89.9 0.0.0.0
no auto-summary
2.3 IPv4 RIPv2
Configure RIP Version 2 (RIPv2) per the IGP topology diagram.
RIP updates must be advertised only out of the interfaces shown in the IGP topology diagram.
Do NOT use auto summarization.
Configuration
On R4
router rip
version 2
passive-interface default
no passive-interface FastEthernet 0/1
network YY.0.0.0
no auto-summary
On R5
router rip
version 2
passive-interface default
no passive-interface FastEthernet 0/1
network YY.0.0.0
no auto-summary
route-map DROP_EIGRP_EX permit 20
router eigrp YY
redistribute ospf 1 metric 100000 100 255 1 1500
router ospf 1
redistribute eigrp YY subnets route-map TAG_EIGRP_EX
distribute-list route-map DROP_EIGRP_EX in
On R4
router rip
distance 100 YY.YY.45.5 0.0.0.0 1
access-list 1 permit YY.YY.6.6
On R5
router ospf 1
redistribute rip subnets route-map NETWORK45
route-map NETWORK45 permit 10
match ip address 45
access-list 45 permit YY.YY.45.0 0.0.0.255
router rip
redistribute ospf 1 metric 10
bgp graceful-restart
neighbor 150.2.YY.254 remote-as 254
On R1
router bgp YY
bgp graceful-restart
neighbor 150.1.YY.254 remote-as 254
neighbor 150.1.YY.254 maximum-prefix 5 100 warning-only
Where possible, failure of a physical interface should not permanently affect BGP peer
connections
(Use only the Loopback 0 IP addresses to propagate BGP route information within your BGP
domain)
Configure R3 as a route reflector to minimize the number of BGP peering sessions among all BGP
speakers in AS YY.
You are NOT allowed to use BGP peer groups.
On R1
router bgp YY
bgp router-id YY.YY.1.1
neighbor YY.YY.3.3 remote-as YY
neighbor YY.YY.3.3 update-source Loopback0
On R2
router bgp YY
bgp router-id YY.YY.2.2
neighbor YY.YY.3.3 remote-as YY
neighbor YY.YY.3.3 update-source Loopback0
On R4
router bgp YY
bgp router-id YY.YY.4.4
neighbor YY.YY.3.3 remote-as YY
neighbor YY.YY.3.3 update-source Loopback0
On R5
router bgp YY
bgp router-id YY.YY.5.5
neighbor YY.YY.3.3 remote-as YY
neighbor YY.YY.3.3 update-source Loopback0
On R3
router bgp YY
bgp router-id YY.YY.3.3
neighbor YY.YY.1.1 remote-as YY
neighbor YY.YY.1.1 update-source Loopback0
neighbor YY.YY.1.1 route-reflector-client
neighbor YY.YY.2.2 remote-as YY
neighbor YY.YY.2.2 update-source Loopback0
neighbor YY.YY.2.2 route-reflector-client
neighbor YY.YY.4.4 remote-as YY
neighbor YY.YY.4.4 update-source Loopback0
neighbor YY.YY.4.4 route-reflector-client
neighbor YY.YY.5.5 remote-as YY
neighbor YY.YY.5.5 update-source Loopback0
neighbor YY.YY.5.5 route-reflector-client
The routes from OSPF should be redistributed into BGP AS 254 on R1 and R2.
R1 should prefer the path through BB1 for AS 254. The tie breaker in the BGP best path
selection algorithm must be the "internal vs external" criterion.
R3 should prefer the path through R1 for BGP AS 254. This configuration should not affect any
other routers in AS YY getting to BGP AS 254.
You are not allowed to change BGP attributes such as Weight, AS-Path or Local
Preference on R4 and R5 to accomplish this task.
You are allowed to change the OSPF cost of only one interface.
R4 should prefer R1 as the exit point for AS 254. This change should not impact any
other BGP peer routers.
R4 should be able to ping prefix 197.68.1.254, which is located in AS 254, via the path to R1.
Configuration
On R1
router bgp YY
redistribute ospf 1 match internal external 1 external 2
On R2
router bgp YY
redistribute ospf 1 match internal external 1 external 2
neighbor 150.2.YY.254 route-map PREPEND_AS in
// then: clear bgp ipv4 unicast * soft (inbound and outbound)
On R5
interface Serial0/0/0 // serial interface facing R1
ip ospf cost 1
Ensure that all routers and switches can ping each other using IPv6.
The process ID is 2001.
OSPFv3 router IDs must be stable and identical to the OSPFv2 router IDs.
Ensure that periodic router advertisements are disabled on the IPv6-enabled
interfaces.
Make sure the IPv6 domain uses the Cisco proprietary forwarding mechanism (CEF).
Authenticate OSPFv3 between R1 and R5 according to the following requirement: use
the MD5 authentication type with the following key string:
1234567890ABCDEF1234567890ABCDEF
You are not allowed to use any commands under the router configuration mode to
accomplish this task.
Do not create additional OSPFv3 areas.
Ensure that all IPv6 networks on all routers and switches can ping each other using IPv6.
Configure the IPv6 addresses as follows
(YY - rack number, HH - interface IPv4 3rd octet, ZZ - interface IPv4 4th octet):
Interface - 2001:YY:HH::ZZ/64, Loopback - 2001:YY:HH::ZZ/128
On R1
ipv6 unicast-routing
ipv6 cef
ipv6 router ospf 2001
router-id YY.YY.1.1
no shutdown
interface Serial0/0/1
ipv6 address 2001:YY:15::1/64
ipv6 ospf 2001 area 0
ipv6 nd ra suppress
ipv6 ospf authentication ipsec spi <SPI> md5 1234567890ABCDEF1234567890ABCDEF
// <SPI> is the security parameter index (256-4294967295); the workbook does not give one, and the same value must be used on both R1 and R5
interface FastEthernet0/0
ipv6 address 2001:YY:17::1/64
ipv6 ospf 2001 area 0
ipv6 nd ra suppress
interface Loopback0
ipv6 address 2001:YY:1::1/128
ipv6 ospf 2001 area 0
ipv6 nd ra suppress
On R5
ipv6 unicast-routing
ipv6 cef
ipv6 router ospf 2001
router-id YY.YY.5.5
no shutdown
interface Loopback0
ipv6 address 2001:YY:5::5/128
ipv6 ospf 2001 area 0
ipv6 nd ra suppress
interface FastEthernet0/0
ipv6 address 2001:YY:56::5/64
ipv6 ospf 2001 area 0
ipv6 nd ra suppress
interface Serial0/0/1
ipv6 address 2001:YY:15::5/64
ipv6 ospf 2001 area 0
ipv6 nd ra suppress
ipv6 ospf authentication ipsec spi <SPI> md5 1234567890ABCDEF1234567890ABCDEF
// use the same <SPI> value as on R1
On SW1
sdm prefer dual-ipv4-and-ipv6 default
ipv6 unicast-routing
ipv6 cef
ipv6 router ospf 2001
router-id YY.YY.6.6
no shutdown
interface Loopback0
ipv6 address 2001:YY:6::6/128
ipv6 ospf 2001 area 0
ipv6 nd ra suppress
interface vlan 56
ipv6 address 2001:YY:56::6/64
ipv6 ospf 2001 area 0
ipv6 nd ra suppress
interface vlan 67
ipv6 address 2001:YY:67::6/64
ipv6 ospf 2001 area 0
ipv6 nd ra suppress
On SW2
sdm prefer dual-ipv4-and-ipv6 default
// a reload is required for the new SDM template to take effect
ipv6 unicast-routing
ipv6 cef
Section 3 : IP Multicast
3.1 Implement IPv4 Multicast 1
Configure multicast routing between R3 S0/0/0 and R5 S0/0/1 according to the following
requirements:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.YY.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/9 ms
RackYYR1#show policy-map type inspect zone-pair
 Zone-pair: A_B
  Service-policy inspect : A_B
   Class-map: A_B (match-all)
    Match: protocol icmp
    Pass
     55 packets, 4400 bytes
   Class-map: class-default (match-any)
    Match: any
    Pass
     8 packets, 64 bytes
You must use exactly the same names for the policy-map and class-map (case sensitive)
On R1
class-map type inspect match-all A_B
match protocol icmp
policy-map type inspect A_B
class type inspect A_B
pass
class class-default
pass
zone security A
zone security B
zone-pair security A_B source A destination B
service-policy type inspect A_B
zone-pair security B_A source B destination A
service-policy type inspect A_B
interface FastEthernet0/0
zone-member security A
interface FastEthernet0/1
zone-member security B
interface Serial0/0/0
zone-member security A
interface Serial0/0/1
zone-member security A
R4 and R5 may communicate only with each other in VLAN 45. No other host is allowed to
communicate with them in VLAN 45.
Hosts connected to port Fa0/6 on SW1 and SW2 should be part of VLAN 45 and
communicate only with each other. They must not be able to communicate with any other host in
VLAN 45.
Hosts connected to port Fa0/7 of both SW1 and SW2 should not be able to communicate with
any host.
SW1 Fa0/9 is a promiscuous port, or (All of the above ports (Fa0/6, Fa0/7 from SW1 and
SW2) must be allowed to communicate with a device connected to port Fa0/9 of SW1).
Use only odd VLAN number(s) (between 334 and 998) if you need to create any new VLAN(s).
ALL switches
vlan 451
private-vlan community
name COMMUNITY1
vlan 453
private-vlan community
name COMMUNITY2
vlan 455
private-vlan isolated
name ISOLATED
vlan 45
name VLAN_45
private-vlan primary
private-vlan association 451,453,455
spanning-tree mst configuration
instance 1 vlan 451,453,455
On SW1
interface FastEthernet0/4
no switchport access vlan 45
switchport private-vlan host-association 45 451
switchport mode private-vlan host
no shutdown
interface FastEthernet0/6
no switchport access vlan 999
switchport private-vlan host-association 45 453
switchport mode private-vlan host
no shutdown
interface FastEthernet0/7
no switchport access vlan 999
switchport private-vlan host-association 45 455
switchport mode private-vlan host
no shutdown
interface FastEthernet0/9
no switchport access vlan 999
switchport mode private-vlan promiscuous
switchport private-vlan mapping 45 add 451,453,455
no shutdown
On SW2
interface FastEthernet0/5
no switchport access vlan 45
switchport private-vlan host-association 45 451
switchport mode private-vlan host
interface FastEthernet0/6
no switchport access vlan 999
switchport private-vlan host-association 45 453
switchport mode private-vlan host
no shutdown
interface FastEthernet0/7
no switchport access vlan 999
switchport private-vlan host-association 45 455
switchport mode private-vlan host
no shutdown
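Before applying the port roles above it helps to check them against the task statements. The following is an added example (written for this page, not the workbook's code) that models the private VLAN as a small reachability rule set: community hosts reach each other and the promiscuous port, isolated hosts reach only the promiscuous port, and hosts in different secondary VLANs never talk directly. Port names and secondary VLAN numbers are taken from the solution; the model assumes the SW1-SW2 trunk carries the primary and secondary VLANs.

```python
# Added example, not from the workbook: PVLAN reachability check.
from itertools import combinations

PRIMARY = 45
COMMUNITY = {451, 453}
ISOLATED = {455}

# (switch, port): (role, secondary VLAN for hosts, or the mapped set for promiscuous)
PORTS = {
    ("SW1", "Fa0/4"): ("host", 451),                    # R4
    ("SW2", "Fa0/5"): ("host", 451),                    # R5
    ("SW1", "Fa0/6"): ("host", 453),
    ("SW2", "Fa0/6"): ("host", 453),
    ("SW1", "Fa0/7"): ("host", 455),
    ("SW2", "Fa0/7"): ("host", 455),
    ("SW1", "Fa0/9"): ("promiscuous", frozenset({451, 453, 455})),
}

def can_talk(a, b):
    """Standard private-VLAN forwarding rules between two ports."""
    role_a, sec_a = PORTS[a]
    role_b, sec_b = PORTS[b]
    if role_a == "promiscuous" and role_b == "promiscuous":
        return True
    if role_a == "promiscuous":
        return sec_b in sec_a          # promiscuous reaches the secondary VLANs it maps
    if role_b == "promiscuous":
        return sec_a in sec_b
    if sec_a != sec_b:
        return False                   # hosts in different secondary VLANs never talk directly
    return sec_a in COMMUNITY          # same community: yes; same isolated VLAN: no

def reachability():
    """Sorted list of port pairs that may exchange frames."""
    return sorted(pair for pair in combinations(sorted(PORTS), 2) if can_talk(*pair))

def check_requirements():
    """Compare the model with the task statements; returns a list of violations."""
    r4, r5 = ("SW1", "Fa0/4"), ("SW2", "Fa0/5")
    comm = [("SW1", "Fa0/6"), ("SW2", "Fa0/6")]
    iso = [("SW1", "Fa0/7"), ("SW2", "Fa0/7")]
    prom = ("SW1", "Fa0/9")
    problems = []
    if not can_talk(r4, r5):
        problems.append("R4 and R5 cannot reach each other")
    if not can_talk(*comm):
        problems.append("the Fa0/6 hosts cannot reach each other")
    for h in comm + iso:
        for router in (r4, r5):
            if can_talk(h, router):
                problems.append(f"{h} can reach {router}")
    for a in iso:
        for b in comm + iso:
            if a != b and can_talk(a, b):
                problems.append(f"isolated port {a} can reach {b}")
    for h in [r4, r5] + comm + iso:
        if not can_talk(h, prom):
            problems.append(f"{h} cannot reach the promiscuous port {prom}")
    return problems

if __name__ == "__main__":
    for pair in reachability():
        print(pair)
    print(check_requirements() or "all task statements satisfied")
```

Changing a port's secondary VLAN in PORTS (for example putting R5 into 453) makes check_requirements report the violation, which is the same failure you would otherwise only discover with pings after the change.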
class SUSPICIOUS
shape average 128000
!
int serial0/0/1 // (interface facing R5)
service-policy output LIMIT_SUSPICIOUS
!
int Gi0/0 // (interface facing SW2)
service-policy output LIMIT_SUSPICIOUS
Consider that users connected to VLAN 56 are sending traffic that is already marked as follows:
policy-map MQC
class Voice
priority percent 20
police cir percent 20
class Control
priority 100
class Video
bandwidth percent 30
class Business
bandwidth percent 30
random-detect
random-detect exponential-weighting-constant 10
class Internet
exit
interface Serial0/0/1 // interface facing R3
bandwidth 2000 // add this command only if the default is not 2000 Kbps
max-reserved-bandwidth 100
service-policy output MQC
On SW2
track 11 ip route 150.1.YY.0 255.255.255.0 reachability
interface Vlan500
ip address YY.YY.100.1 255.255.255.0
standby 1 ip YY.YY.100.254
standby 1 authentication md5 key-string CISCO
standby 1 preempt
standby 1 priority 120
standby 1 track 11 decrement 30
standby 1 timers 3 16
On ALL Switches
spanning-tree mst configuration
instance 2 vlan 500
HTTP (from any user workstation to any remote server) is not allowed during office
hours (from 09:00 to 16:59, Monday to Friday)
FTP (from any user workstation to any remote server) is allowed only every night, for
backup, between 22:00 and 23:59, and is not allowed at any other time
UDP traffic is allowed only outside of the office hours (every day from 17:00 to 08:59)
Any required control traffic must be allowed at any time, and the ACL entry(-ies) must be as
specific as possible (i.e. specify the Layer 4 protocol and the port number on the destination)
Sources in all ACL entries must be explicitly configured as YY.YY.100.0/24
On SW1/SW2
time-range HTTP_BLOCK
periodic weekdays 09:00 to 16:59
!
time-range FTP_ALLOW
periodic daily 22:00 to 23:59
!
time-range UDP_ALLOW
periodic daily 17:00 to 23:59
periodic daily 00:00 to 08:59 // a periodic entry cannot cross midnight, hence two lines
!
ip access-list extended TBACL
deny tcp YY.YY.100.0 0.0.0.255 any eq www time-range HTTP_BLOCK
permit tcp YY.YY.100.0 0.0.0.255 any eq www
permit tcp YY.YY.100.0 0.0.0.255 any eq ftp ftp-data time-range FTP_ALLOW
permit udp YY.YY.100.0 0.0.0.255 eq 1985 host 224.0.0.2 eq 1985 // HSRP control traffic, always allowed
permit udp YY.YY.100.0 0.0.0.255 any time-range UDP_ALLOW
interface vlan 500
ip access-group TBACL in
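Time-based ACLs are easiest to verify by walking sample packets through them at chosen times. The following is an added example (written for this page, not the workbook's code) that models the TBACL above and evaluates constructed packets, covering the midnight split of UDP_ALLOW, the weekday-only HTTP block and the always-on HSRP entry. It uses YY=10, so the user subnet is 10.10.100.0/24; the semantics modelled are first matching entry wins, an entry whose time-range is inactive is skipped, and the implicit deny at the end.

```python
# Added example, not from the workbook: evaluate the TBACL against sample packets.
import ipaddress
from datetime import datetime, time

WEEKDAYS = {0, 1, 2, 3, 4}          # datetime.weekday(): Monday=0 .. Friday=4
DAILY = set(range(7))

def periodic(days, start, end):
    """One 'periodic' line. Both bounds are inclusive to the minute and a line
    never crosses midnight, which is why UDP_ALLOW needs two of them."""
    return (days, time(*start), time(*end))

TIME_RANGES = {
    "HTTP_BLOCK": [periodic(WEEKDAYS, (9, 0), (16, 59))],
    "FTP_ALLOW":  [periodic(DAILY, (22, 0), (23, 59))],
    "UDP_ALLOW":  [periodic(DAILY, (17, 0), (23, 59)),
                   periodic(DAILY, (0, 0), (8, 59))],
}

def range_active(name, when):
    now = when.time().replace(second=0, microsecond=0)
    return any(when.weekday() in days and start <= now <= end
               for days, start, end in TIME_RANGES[name])

USERS = ipaddress.ip_network("10.10.100.0/24")     # YY.YY.100.0/24 with YY=10 (constructed)
ANY = ipaddress.ip_network("0.0.0.0/0")
HSRP_GROUP = ipaddress.ip_network("224.0.0.2/32")

# (action, protocol, source net, source ports, destination net, destination ports, time-range)
# None for a port set means "any port".
TBACL = [
    ("deny",   "tcp", USERS, None,   ANY,        {80},     "HTTP_BLOCK"),
    ("permit", "tcp", USERS, None,   ANY,        {80},     None),
    ("permit", "tcp", USERS, None,   ANY,        {20, 21}, "FTP_ALLOW"),
    ("permit", "udp", USERS, {1985}, HSRP_GROUP, {1985},   None),        # HSRP hellos
    ("permit", "udp", USERS, None,   ANY,        None,     "UDP_ALLOW"),
]

def evaluate(proto, src, sport, dst, dport, when):
    """Return 'permit' or 'deny' for one packet seen inbound on interface vlan 500."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, src_net, sports, dst_net, dports, tr in TBACL:
        if p != proto or src_ip not in src_net or dst_ip not in dst_net:
            continue
        if sports is not None and sport not in sports:
            continue
        if dports is not None and dport not in dports:
            continue
        if tr is not None and not range_active(tr, when):
            continue                   # inactive time-range: the entry is skipped
        return action
    return "deny"                      # implicit deny at the end of every IOS ACL

def sample_run():
    """Constructed packets with their verdicts; server addresses are documentation ranges."""
    wed = datetime(2024, 1, 10)        # a Wednesday
    sat = datetime(2024, 1, 13)        # a Saturday
    srv, dns = "198.51.100.1", "198.51.100.53"
    return {
        "http office hours": evaluate("tcp", "10.10.100.5", 40000, srv, 80, wed.replace(hour=10)),
        "http after hours":  evaluate("tcp", "10.10.100.5", 40000, srv, 80, wed.replace(hour=17, minute=30)),
        "http weekend":      evaluate("tcp", "10.10.100.5", 40000, srv, 80, sat.replace(hour=10)),
        "ftp backup window": evaluate("tcp", "10.10.100.5", 40001, srv, 21, wed.replace(hour=22, minute=30)),
        "ftp daytime":       evaluate("tcp", "10.10.100.5", 40001, srv, 21, wed.replace(hour=10)),
        "dns 08:59":         evaluate("udp", "10.10.100.5", 50000, dns, 53, wed.replace(hour=8, minute=59)),
        "dns 09:00":         evaluate("udp", "10.10.100.5", 50000, dns, 53, wed.replace(hour=9)),
        "hsrp at noon":      evaluate("udp", "10.10.100.1", 1985, "224.0.0.2", 1985, wed.replace(hour=12)),
        "foreign source":    evaluate("tcp", "10.10.200.5", 40000, srv, 80, wed.replace(hour=17, minute=30)),
    }

if __name__ == "__main__":
    for label, verdict in sample_run().items():
        print(f"{label:18s} {verdict}")
```

The "dns 08:59" and "dns 09:00" cases show the boundary the two UDP_ALLOW lines create, and "foreign source" shows that the implicit deny, not any entry, drops traffic from outside YY.YY.100.0/24.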
Ensure that the group admin is set with the strongest security mechanism.
A user ccie should belong to group admin and use the MD5 password cisco (case sensitive)
Ensure that the admin group only allows user access from YY.YY.17.0/24
Use an SNMP v2c instance for the NMS in YY.YY.67.0/24 to accomplish this task.
Note: All view names, groups, usernames and communities are case-sensitive
On R3
access-list 17 permit YY.YY.17.0 0.0.0.255
access-list 67 permit YY.YY.67.0 0.0.0.255
snmp-server location San Jose, US
snmp-server contact ccie@cisco.com
snmp-server source-interface trap Loopback0
snmp-server view adminview iso included
snmp-server view adminwrite system included
snmp-server group admin v3 priv read adminview write adminwrite access 17
5.2 NetFlow
On R1
ip flow-export version 9
ip flow-export source loopback 0
ip flow-export destination YY.YY.56.100 2222 sctp
backup destination YY.YY.56.101 2222
flow-sampler-map NETFLOW
mode random one-out-of 1000
ip flow-export template options sampler
interface Gi0/1
flow-sampler NETFLOW
flow-sampler NETFLOW egress