Ipexpert's CCIE R&S (v5) Mock Lab Workbook (Vol. 2) Lab 5 Workbook PDF

for Cisco's CCIE Routing & Switching Lab Exam, Lab 5
(v5)
CCIE Routing & Switching

Volume 2 Workbook
Lab 5
Version 5.1B
iPexpert's Lab Preparation Workbook

for Cisco's CCIE Routing & Switching Lab Exam, Volume 2, Lab 5
Table of Contents
iPexpert's End-User License Agreement ............................................................................................................. 3
Welcome, and Thank You! ................................................................................................................................... 5
Feedback .............................................................................................................................................................. 5
Technical Support and Freebies .......................................................................................................................... 5
Lab 5: Troubleshooting Section ............................................................................................................................... 10
Before You Begin ................................................................................................................................................ 10
General Rules ..................................................................................................................................................... 10
Pre-Setup............................................................................................................................................................ 11
Incident 1 ....................................................................................................................................................... 16
Incident 2 ....................................................................................................................................................... 18
Incident 3 ....................................................................................................................................................... 20
Incident 4 ....................................................................................................................................................... 21
Incident 5 ....................................................................................................................................................... 23
Incident 6 ....................................................................................................................................................... 25
Incident 7 ....................................................................................................................................................... 27
Incident 8 ....................................................................................................................................................... 29
Incident 9 ....................................................................................................................................................... 30
Incident 10 ..................................................................................................................................................... 32
Lab 5: Diagnostic Section ......................................................................................................................................... 34
Before You Begin ................................................................................................................................................ 34
General Rules ..................................................................................................................................................... 34
Ticket 1 ............................................................................................................................................................... 35
Ticket 2 ........................................................................................................................................................... 69
Ticket 3 ........................................................................................................................................................... 74
Lab 5: Configuration Section ................................................................................................................................... 81
Before You Begin ................................................................................................................................................ 81
General Rules ..................................................................................................................................................... 81
Pre-Setup............................................................................................................................................................ 82
Section 1.0: Layer 2 Technologies ..................................................................................................................... 90
Section 2.0: IP Routing ....................................................................................................................................... 93
Section 3.0: IPv4 VPN Technology ................................................................................................................... 104
Section 4.0: IP Security .................................................................................................................................... 107
Section 5.0:Infrastructure Services .................................................................................................................. 109
Technical Verification and Support ....................................................................................................................... 110
Version 5.1B
2|Page

iPexpert's End-User License Agreement

END USER LICENSE FOR ONE (1) PERSON ONLY
IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS,
DO NOT OPEN OR USE THE TRAINING MATERIALS.
This is a legally binding agreement between you and IPEXPERT, the Licensor, from whom you have licensed the IPEXPERT training materials
(the Training Materials). By using the Training Materials, you agree to be bound by the terms of this License, except to the extent these terms
have been modified by a written agreement (the Governing Agreement) signed by you (or the party that has licensed the Training Materials for
your use) and an executive officer of Licensor. If you do not agree to the License terms, the Licensor is unwilling to license the Training Materials
to you. In this event, you may not use the Training Materials, and you should promptly contact the Licensor for return instructions.
The Training Materials shall be used by only ONE (1) INDIVIDUAL who shall be the sole individual authorized to use the Training Materials
throughout the term of this License.
Copyright and Proprietary Rights
The Training Materials are the property of IPEXPERT, Inc. ("IPEXPERT") and are protected by United States and International copyright laws. All
copyright, trademark, and other proprietary rights in the Training Materials and in the Training Materials, text, graphics, design elements, audio,
and all other materials originated by IPEXPERT at its site, in its workbooks, scenarios and courses (the "IPEXPERT Information") are reserved to
IPEXPERT.
The Training Materials cannot be used by or transferred to any other person. You may not rent, lease, loan, barter, sell or time-share the Training
Materials or accompanying documentation. You may not reverse engineer, decompile, or disassemble the Training Materials. You may not
modify, or create derivative works based upon the Training Materials in whole or in part. You may not reproduce, store, upload, post, transmit,
download or distribute in any form or by any means, electronic, mechanical, recording or otherwise any part of the Training Materials and
IPEXPERT Information other than printing out or downloading portions of the text and images for your own personal, non-commercial use
without the prior written permission of IPEXPERT.
You shall observe copyright and other restrictions imposed by IPEXPERT. You may not use the Training Materials or IPEXPERT Information in any
manner that infringes the rights of any person or entity.
Exclusions of Warranties
THE TRAINING MATERIALS AND DOCUMENTATION ARE PROVIDED AS IS. LICENSOR HEREBY DISCLAIMS ALL OTHER WARRANTIES, EXPRESS,
IMPLIED, OR STATUTORY, INCLUDING WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. SOME STATES DO NOT ALLOW THE LIMITATION OF INCIDENTAL DAMAGES OR LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY
LASTS, SO THE ABOVE LIMITATIONS OR EXCLUSIONS MAY NOT APPLY TO YOU. This agreement gives you specific legal rights, and you may have
other rights that vary from state to state.
Choice of Law and Jurisdiction
This Agreement shall be governed by and construed in accordance with the laws of the State of Michigan, without reference to any conflict of
law principles. You agree that any litigation or other proceeding between you and Licensor in connection with the Training Materials shall be
brought in the Michigan state or courts located in Port Huron, Michigan, and you consent to the jurisdiction of such courts to decide the matter.
The parties agree that the United Nations Convention on Contracts for the International Sale of Goods shall not apply to this License. If any
provision of this Agreement is held invalid, the remainder of this License shall continue in full force and effect.
Limitation of Claims and Liability
ANY ACTION ON ANY CLAIM AGAINST IPEXPERT MUST BE BROUGHT BY THE USER WITHIN ONE (1) YEAR FOLLOWING THE DATE THE CLAIM FIRST
ACCRUED, OR SHALL BE DEEMED WAIVED. IN NO EVENT WILL THE LICENSORS LIABILITY UNDER, ARISING OUT OF, OR RELATING TO THIS
AGREEMENT EXCEED THE AMOUNT PAID TO LICENSOR FOR THE TRAINING MATERIALS. LICENSOR SHALL NOT BE LIABLE FOR ANY SPECIAL,
INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES, HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, REGARDLESS OF WHETHER
3|Page
Version 5.1B

LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. WITHOUT LIMITING THE FOREGOING, LICENSOR WILL NOT BE LIABLE
FOR LOST PROFITS, LOSS OF DATA, OR COSTS OF COVER.
Entire Agreement
This is the entire agreement between the parties and may not be modified except in writing signed by both parties.
U.S. Government - Restricted Rights

The Training Materials and accompanying documentation are commercial computer Training Materials and commercial computer Training
Materials documentation, respectively, pursuant to DFAR Section 227.7202 and FAR Section 12.212, as applicable. Any use, modification,
reproduction release, performance, display, or disclosure of the Training Materials and accompanying documentation by the U.S. Government
shall be governed solely by the terms of this Agreement and shall be prohibited except to the extent expressly permitted by the terms of this
Agreement.
IF YOU DO NOT AGREE WITH THE ABOVE TERMS AND CONDITIONS, DO NOT OPEN OR USE THE TRAINING MATERIALS AND CONTACT LICENSOR FOR
INSTRUCTIONS ON RETURN OF THE TRAINING MATERIALS.
Version 5.1B
4|Page

Welcome, and Thank You!

On behalf of the entire iPexpert team, I'd personally like to thank you for putting your greatest
certification journey in our hands, and trusting us to deliver cutting-edge training to help you
accomplish this goal. Although there is no way to guarantee a 100% pass rate on the CCIE Lab, my
team and I feel extremely confident that your chances of passing will improve dramatically with the
use of our training materials.
-Respectfully, Wayne A. Lawson II, CCIE #5244 (Emeritus) / Founder & CEO - iPexpert, Inc.
Feedback
At iPexpert, we value the feedback (both positive and constructive) offered by our clientele. Our
dedication to offering the best tools and content to help students succeed could not be possible
without your comments and suggestions. Your feedback is what continually keeps us enhancing our
product portfolio, and it is greatly appreciated. If there is anything you'd like us to know, please do so
via the feedback@ipexpert.com alias.
In addition, when you pass your CCIE Lab Exam, we want to hear about it! Please email your Full
Name (used in the CCIE Verification Tool), CCIE number and the track to success@ipexpert.com and
let us know how iPexpert played a role in your success. We would like to be sure you're welcomed
into the "CCIE Club" appropriately, send you a gift for your accomplishment.
Technical Support and Freebies

To conclude, we are also proud to lead the industry with multiple support options at your disposal,
free of charge. Our online support community has attracted a membership of your peers from
around the world, and is monitored on a daily basis by our instructors and our students. We also
consistently publish technical articles / papers on our blog. You can also follow up on Facebook,
Twitter, LinkedIn, Google+ and YouTube for more in-depth discussion on current industry trends and
CCIE preparation tips.
Lastly, referrals are very important to us. It tells us that; 1) you like, value, and approve of our training
and 2) it helps us to continue to grow as a company. If you have any of your peers who you feel will
value by the use of any of our training materials, please send us their name, email address, telephone
number and what certification and track you feel that they're interested in. If your referral makes a
purchase, we will provide you with in-house credit that can be used at any time. If your referrals
exceed a certain threshold, we will also include a gift card of your choice (either an American Express
or Amazon gift card).
5|Page
Version 5.1B

How to Use This Lab Preparation Workbook

In 2014 Cisco announced a new CCIE Routing and Switching blueprint for their V5 version of the Lab
exam. This change was one of the biggest changes we've seen over the 14 years since we've been
delivering cutting-edge CCIE training materials. The changes consisted of a modification of the lab
structure to now include:
A restructure of the way the lab is delivered. You will first have to complete a Troubleshooting
section where you'll have access to the rack that Cisco provides you to do so. The next section
consists of the Diagnostics section, which is done without access to your rack. The third section is
the Configuration section, which is the actual "lab" that most people focus on, and have been
primarily concerned about in the past. With this new lab structure, it's VERY IMPORTANT that
you are well prepared for all three Sections of the lab exam. At any point, you could fail the lab
exam if you don't receive enough points in 1 of the 3 sections.
Cisco has also made a drastic change in the topology that you'll be given. It's common knowledge
at the time of this book's publication that the topology you're given has gone from their previous
6 to 8 router / 4 switch topology (seen in the labs previous to V4), to a topology that could
potentially consist of up to 40 routers and 8 switches. It's imperative that you work through
practice scenarios on a large topology so you're familiar with the intricacies and technological
specifics that can be introduced with a topology that large.
Cisco has also changed their retake policy, which now requires their CCIE candidates to wait
longer durations before their next attempt(s). Below we have listed Cisco's new policy.
And, finally, Cisco has created this impressive blueprint and broken it into sections. Cisco
provides you with the 5 section titles and the number of points so you're able to understand how
their grading works and how much focus and attention is placed on that various section. The
primary section outline is provided below; however, we have not provided all of the topics and
subtopics that Cisco has provided. We recommend that you reference Cisco's website URL which
provides these details for the Routing and Switching V5 Lab - which will require you to have a
CCO and Cisco Learning Network login prior to being given access. That URL was found here at
the date of this book's publication.
Version 5.1B
6|Page

Cisco's New Retake Policy
Cisco R&S V5 Blueprint (Primary Sections w/ Assigned Point Values)
Layer 2 Technologies: 20%

Layer 3 Technologies: 40%
VPN Technologies: 20%
Infrastructure Security: 5%
Infrastructure Services: 15%
How to Use This Lab Preparation Workbook

Throughout this workbook, you'll be asked to reference various diagrams and to pre-load
configurations. These pre-loaded configurations will be automatically loaded when you're utilizing
our online rack rental solution. All diagrams are provided in a .zip file that's accessed when you're
logged into your iPexpert's Member's Area. If you're asked to reference a table, it will be located
within this actual workbook, unless otherwise noted.
Additional Information Pertaining to Cisco's CCIE R&S Lab Exam

NOTE
The following information has been obtained from Cisco's Learning Network. We are not affiliated with, or
endorsed in any way by Cisco.
7|Page
Version 5.1B

About the CCIE Lab Exam
The CCIE Lab Exam is an eight-hour, hands-on exam, which requires you to configure and
troubleshoot a series of complex networks to given specifications. Knowledge of troubleshooting is
an important skill and candidates are expected to diagnose and solve issues as part of the CCIE lab
exam. You will not configure end-user systems, but are responsible for all devices residing in the
network (hubs, etc.). Point values and testing criteria are provided. More detail is found on the
Routing and Switching Lab Exam Blueprint and the list of Lab Equipment and IOS Versions.
Cost
The Lab Exam cost does not include travel and lodging expenses. Costs may vary due to exchange
rates and local taxes (VAT, GST). You are responsible for any fees your financial institution charges to
complete the payment transaction. Price not confirmed and is subject to change until full payment is
made. For more information on the Lab Exam Registration please reference the Take Your Lab
Exam tab.
Lab Environment
The Cisco documentation is available in the lab room, but the exam assumes knowledge of the more
common protocols and technologies. The documentation can be navigated using the index. No
outside reference materials are permitted in the lab room. You must report any suspected
equipment issues to the proctor during the exam; adjustments cannot be made once the exam is
over.
Lab Exam Grading

The labs are graded by proctors, who ensure that all the criteria have been met. They will use
automatic tools to gather data from the routers in order to perform preliminary evaluations.
Candidates must reach a minimum threshold in all three sections and achieve an overall passing
score.
Lab Format
The CCIE Routing and Switching Lab exam consists of a 2-hour Troubleshooting section, a 30-minute
Diagnostic section, and a 5 hour Configuration section. Candidates may choose to borrow up to 30
minutes from the Configuration section and use it in the Troubleshooting section.
Version 5.1B
8|Page

Results
You can review your lab exam results online (login required), usually within 48 hours. Results are
Pass/Fail and failing score reports indicate major topic areas where additional study and preparation
may be useful.
Reevaluation of Lab Results

A Reread involves having a second proctor load your configurations into a rack to re-create the test
and re-score the entire exam. Rereads are available for the Routing and Switching, and Service
Provider technology tracks.
A Review involves having a second proctor verify your answers and any applicable system-generated
debug data saved from your exam. Reviews are available for all other tracks.
Payment Terms
Make your request within 14 days following your exam date by using the "Request for Reread" link
next to your lab record. A Reread costs $1000.00 USD and a Review costs $400.00 USD. Payment is
made online via credit card and your Reread or Review will be initiated upon successful payment. You
may not cancel the appeal request once the process has been initiated. Refunds are given only when
results change from fail to pass.
Troubleshooting
The CCIE Routing and Switching Lab exam features a 2 hour troubleshooting section. Candidates will
be presented with a series of trouble tickets for preconfigured networks and need to diagnose and
resolve the network fault or faults. As with the configuration section, the network must be up and
running for a candidate to receive credit. Candidates who finish the troubleshooting section early
may proceed on to the diagnostic section, but they will not be allowed to go back to troubleshooting.
NOTE
This concludes any referenced content seen or found on Cisco's Learning Network.
9|Page
Version 5.1B

Lab 5: Troubleshooting Section

Before You Begin
Please look at the provided diagrams and read through the whole lab before you start. Read the
directions very carefully to make sure you are doing what is being asked of you. This is very
important when you take Ciscos CCIE lab.
Each section contains a small diagram that is designed to show you the focus of where the issue is.
Multiple topology diagrams are available for this lab, including an IPv4 and a BGP diagram.
General Rules
You may modify, but not delete or remove any prefix-lists, route-maps, or access-lists.
Do not modify any IP addressing on any interfaces.
The BB routers are not accessible.
All routers have an interface loopback 0 with the address 10.x.x.x, where x is the router number.
ISP routers have a loopback address of 10.10x.10x.10x. BB routers have a loopback address of
100.x.x.x .Switches have loopback addresses of 172.xx.xx.xx.
MPLS routers have a loopback address of 10.x.x.x /32.
Static/default routes are NOT allowed unless otherwise stated in the task.
Save your configurations often.
Estimated Time to Complete: 2 hours
Total Possible Points: 19

Version 5.1B
10 | P a g e

Pre-Setup
Please login to your vRack and load the initial Configuration. This lab is intended to be used with
online rack access. Connect to the terminal server and complete the troubleshooting tasks as
detailed below.
11 | P a g e
Version 5.1B

Diagram 5.1
Version 5.1B
12 | P a g e

Diagram 5.2
13 | P a g e
Version 5.1B

Diagram 5.3
Version 5.1B
14 | P a g e

Diagram 5.4
15 | P a g e
Version 5.1B

Incident 1
(3 points)
Users from remote branch-1 have lost connectivity to the iPexpert HQ office.
The users mentioned that they can still reach the other remote branches.
Fix the issues so that remote branch-1 can reach the HQ and all the remote branches, the
outputs should match the below:
Version 5.1B
16 | P a g e

R24#sh ip route eigrp
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
D EX
10.4.4.0/24 [170/542771200] via 192.168.24.6, 03:11:05, Serial2/0
10.13.13.0/24 [90/27008000] via 40.40.40.13, 00:00:16, Tunnel66
10.15.15.0/24 [90/27033600] via 40.40.40.13, 00:00:16, Tunnel66
D EX
10.23.23.0/24 [170/28288000] via 40.40.40.23, 00:00:09, Tunnel66
D EX
10.25.25.0/24 [170/28288000] via 40.40.40.25, 00:00:09, Tunnel66

172.5.0.0/24 is subnetted, 1 subnets
172.5.5.0 [90/27033600] via 40.40.40.13, 00:00:16, Tunnel66

172.16.0.0/24 is subnetted, 4 subnets
172.16.200.0 [90/26905856] via 40.40.40.13, 00:00:16, Tunnel66
172.16.214.0 [90/26905600] via 40.40.40.13, 00:00:16, Tunnel66
172.16.215.0 [90/26905600] via 40.40.40.13, 00:00:16, Tunnel66
172.16.216.0 [90/26931200] via 40.40.40.13, 00:00:16, Tunnel66
D EX
192.168.0.0/16 [170/542771200] via 192.168.24.6, 03:11:05, Serial2/0
192.168.13.0/24 [90/34036062] via 192.168.24.6, 03:11:05, Serial2/0
192.168.15.0/24 [90/27417600] via 40.40.40.13, 00:00:16, Tunnel66
192.168.23.0/24 [90/44276062] via 192.168.24.6, 03:11:05, Serial2/0
192.168.25.0/24 [90/23796062] via 192.168.24.6, 03:11:05, Serial2/0
192.168.74.0/24 [90/34036062] via 192.168.24.6, 03:11:05, Serial2/0
192.168.76.0/24 [90/23796062] via 192.168.24.6, 03:11:05, Serial2/0
R24#traceroute 10.23.23.23
Type escape sequence to abort.
Tracing the route to 10.23.23.23
VRF info: (vrf in name/id, vrf out name/id)
1 40.40.40.23 37 msec 37 msec *
17 | P a g e
Version 5.1B

Incident 2
(1 points)
Users that are located in VLAN100 of the IPexpert HQ office have lost access to the Server which
is located in VLAN200.
Isolate and fix the issues so R10 is reachable from R14 , the outputs should match the below:
Version 5.1B
18 | P a g e

R14#ping 172.16.200.2
Sending 5, 100-byte ICMP Echos to 172.16.200.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R14#traceroute 172.16.200.2 num

1 172.16.100.1 1 msec 0 msec 0 msec
2 172.16.56.5 0 msec 0 msec 1 msec
3 172.16.200.2 0 msec *
19 | P a g e
0 msec
Version 5.1B

Incident 3
(2 points)
ISP3 is trying to reach ISP2 network of 10.102.102.0 /24 but is unsuccessful.

Isolate and fix the issues so that it is reachable from ISP3, the outputs should match the below:
ISP3#ping 10.102.102.102
!!!!!
Version 5.1B
20 | P a g e

Incident 4
(2 points)
Starbucks Coffee branch-1 cannot communicate with Starbucks branch-2.

Troubleshoot and fix the issues so that both sites have reachability.
The outputs should match the below:
21 | P a g e
Version 5.1B

R16#ping 10.20.20.20 source lo0
Packet sent with a source address of 10.16.16.16
!!!!!
R20#ping 10.16.16.16 so lo0

!!!!!
Version 5.1B
22 | P a g e

Incident 5
(1 points)
The Global Provider network engineer is having IPv6 connectivity issues between the Data Center
and their DR site and cannot reach one of their IPv6 Management web sites.
Fix the issue so that the following sequence of commands produces the same relevant result:
ISP3#ping www.global.com
Sending 5, 100-byte ICMP Echos to 2001:50:50::50, timeout is 2 seconds:
!!!!!
ISP3#telnet www.global.com 80
Translating "www.global.com"...domain server (255.255.255.255)
Trying 2001:50:50::50, 80 ... Open
get
HTTP/1.1 400 Bad Request
23 | P a g e
Version 5.1B

Date: Wed, 04 Feb 2015 11:01:43 GMT
Server: cisco-IOS
Accept-Ranges: none
400 Bad Request

[Connection to www.global.com closed by foreign host]
Version 5.1B
24 | P a g e

Incident 6
(2 points)
The NOC team has identified it has lost connectivity to the Global Provider DR Site.
Isolate and fix the configuration such that the traffic can reach its destination as shown in the
output:
25 | P a g e
Version 5.1B

R2#sh ip route vrf ISP 221.50.0.50
Routing Table: ISP
Routing entry for 221.0.0.0/8, supernet
Known via "bgp 7200", distance 20, metric 0
Tag 20001, type external
Last update from 123.10.1.6 00:07:20 ago
Routing Descriptor Blocks:
* 123.10.1.6, from 123.10.1.6, 00:07:20 ago
Route metric is 0, traffic share count is 1
AS Hops 1
Route tag 20001
MPLS label: none
R2#traceroute vrf ISP 221.50.0.50 num
1 123.10.1.6 9 msec
Version 5.1B
26 | P a g e

Incident 7
(3 points)
ISP4 is trying to reach the internet ip address of 8.8.8.8 but is unsuccessful.

Fix the issue so that the following sequence of commands produces the same relevant result:
27 | P a g e
Version 5.1B

R50#traceroute 192.168.44.1 source loopback1
1 123.10.1.5 8 msec 9 msec 9 msec
2 123.10.82.8 [AS 10100] [MPLS: Labels 21/18 Exp 0] 26 msec 26 msec 26 msec
3
*
194.45.67.1 [AS 10100] [MPLS: Labels 17/18 Exp 0] 27 msec *
4 192.168.44.2 [AS 65505] [MPLS: Label 18 Exp 0] 17 msec 17 msec 17 msec

5 192.168.44.1 [AS 65505] 26 msec 26 msec *
ISP4#ping 8.8.8.8
!!!!!
NOTE
This incident is dependent on Incident 6.
Version 5.1B
28 | P a g e

Incident 8
(2 points)
Administrator users that are connected to the R5 router are not able to use tftp to download the
configuration backup from BB1, which is located at the remote Office.
Fix the problem so that the following tftp session is successful:

R5#copy tftp://192.1.1.2/startup-config null:
Accessing tftp://192.1.1.2/startup-config...
Loading startup-config from 192.1.1.2 (via Tunnel1): !
[OK - 2364 bytes]
2364 bytes copied in 0.110 secs (21491 bytes/sec)
NOTE
While resolving this issue, you are not allowed to create any new interface.
29 | P a g e
Version 5.1B

Incident 9
(1 points)
Users traffic from the Starbucks Asia Pacific office must load balance traffic towards the
172.9.9.9 Server.
Fix the issue so that BB3 can ping the server and we have the following output on SW2.
NOTE
You are not allowed to remove any configurations.
Version 5.1B
30 | P a g e

BB3#ping 172.9.9.9
!!!!!
SW2#sh ip route 172.9.9.9
Routing entry for 172.9.9.9/32
Known via "eigrp 400", distance 90, metric 307232, type internal
Redistributing via eigrp 400
Last update from 172.17.12.1 on Vlan12, 00:00:02 ago
Routing Descriptor Blocks:
* 172.17.218.2, from 172.17.218.2, 00:00:02 ago, via Vlan218
Total delay is 2001 microseconds, minimum bandwidth is 10000 Kbit
Reliability 255/255, minimum MTU 1500 bytes
172.17.12.1, from 172.17.12.1, 00:00:02 ago, via Vlan12
Total delay is 2001 microseconds, minimum bandwidth is 10000 Kbit
Reliability 255/255, minimum MTU 1500 bytes
31 | P a g e
Version 5.1B

Incident 10
(2 points)
User BB3 is unable to reach the DNS server of 8.8.4.4 in the internet.
Fix the issues so that we have reachability.
The outputs should match the below:
Version 5.1B
32 | P a g e

BB3#ping 8.8.4.4
!!!!!
BB3#traceroute 8.8.4.4
1 172.17.30.1 0 msec 2 msec 0 msec
2 172.17.217.2 0 msec 0 msec 1 msec
3 194.45.67.6 9 msec 8 msec 9 msec
4 194.45.67.10 [MPLS: Labels 23/32 Exp 0] 30 msec 28 msec 26 msec
5 194.45.67.2 [MPLS: Labels 23/32 Exp 0] 32 msec 24 msec 25 msec
6 123.10.1.5 [MPLS: Label 32 Exp 0] 18 msec 20 msec 14 msec
7 123.10.1.6 31 msec 26 msec *
NOTE
This incident is dependent on Incident 6.
This concludes the Troubleshooting Section of iPexpert's R&S Lab 5 Workbook, Volume 2
Copyright iPexpert. All Rights Reserved.
33 | P a g e
Version 5.1B

Lab 5: Diagnostic Section

Before You Begin
Please look at the provided information and read through this entire lab before you start. Read the
directions very carefully to make sure you are doing what is being asked of you. This is very
important when you take Ciscos CCIE lab.
Each task may contain a large amount of information including diagrams, email chains, trouble
tickets, device configs, and Wireshark captures. It is extremely important that you read through each
piece of information before answering the task.
Each task will require you to provide an answer to the issues provided, based off of the information
that is presented.
General Rules
You do not have access to any equipment.
You are not required to configure any equipment.
Questions may be best selection, fill in the blank, multiple choice, order of operations, or best
match.
Estimated Time to Complete: 30 minutes

Version 5.1B
34 | P a g e

Ticket 1
(3 points)
A new trouble ticket has been escalated to you. The following information has been provided to help
with understanding the issue. Diagnose and help resolve the issue:
Email Chain Between Helpdesk and Customer

From: Bob Mecoy
Sent: Wednesday, January 13, 2015 9:17 AM
To: iPexpert Helpdesk
Subject: Network Failure general packetloss HELP!
Hi,
We came to the office this morning to find that all hell broke loose, users are calling the helpdesk
complaining of slow response times while browsing the internet/ sending emails / accessing the
corporate servers.
We need help to figure out what is causing this issue.
Bob Mecoy
IT Manager, Blade Corp.
Direct: 111-014-014
E-mail: bob.mecoy@blade.com
From: iPexpert Helpdesk

To: Bob Mecoy
Mr. Mecoy,
We would love to assist with this issue. We have opened up an Incident ticket # 187465 for internal
tracking. In order to better help, please provide the following:
1. A network diagram that shows the topology
2. The switches configs for which those users are having issues, make sure to attach the
backbone config.
3. Run several ping commands to key point servers in your network and send us the output.
4. In continue to step #3, please perform a packet capture on the VLAN broadcast domain
where those users reside, no SPAN required.
Once we have the above information, we will review, assign an engineer, and get back to you.
35 | P a g e
Version 5.1B

Dade Murphy
HelpDesk Representative
Office: 999-999-9999 | helpdesk@ipexpert.com
From: Bob Mecoy

To: iPexpert Helpdesk
The information requested has been attached. I am having packetloss throughout the entire
network, around 5-10% packetloss to random users and servers as one. I cannot seem to connect to
all the switches in the management domain. I cannot attach the packet capture file which I took from
my personal computer due to its large size, instead I have provided several statistics outputs from
the sniffing program. Please understand that this is a network down issue and we need assistance
asap. Also, you should be aware that due to the company policies we wont be able to give you
remote access to diagnose our network in real-time.
Bob Mecoy
IT Manager, Blade Corp.
Direct: 111-111-1111
E-mail: jiminy.cricket@acme.com
From: iPexpert Helpdesk

To: Bob Mecoy
Subject: RE: EIGRP Config Tuning HELP!
Mr. Mecoy,
This incident has been assigned to our top tier Network Engineer for review. You should hear
something back very soon. Thank you for your patience.
Dade Murphy
HelpDesk Representative
Office: 999-999-9999 | helpdesk@ipexpert.com
Version 5.1B
36 | P a g e

Router Configuration
SW-BB Config
SW-BB#sh run
Building configuration...
Current configuration : 10873 bytes

!
version 12.2
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname SW-BB
!
logging buffered 16192 debugging
enable secret 5 $1$5Iw1$S5se75dA/IDCdlAyuaGPiQ0
!
username admin privilege 15 secret 5 $1$Wqu.$DqTWHRayMj9RSgqfMN4xc.
aaa new-model
aaa authentication login default group radius local
aaa authentication enable default enable
aaa authorization exec default group radius local
!
aaa session-id common
switch 1 provision ws-c3750g-24ts-1u
switch 2 provision ws-c3750g-24ts-1u
system mtu routing 1500
vtp domain BLADE
vtp mode transparent
udld enable
ip subnet-zero
ip routing
no ip domain-lookup
ip domain-name blade.com
ip dhcp excluded-address 172.20.1.1 172.20.1.10
37 | P a g e
Version 5.1B

ip dhcp excluded-address 172.20.1.245 172.20.1.255
!
ip dhcp pool voice
network 172.20.1.0 255.255.255.0
option 150 ip 172.20.1.1 172.20.3.1
default-router 172.20.1.253 172.20.1.200
domain-name wr
!
!
spanning-tree mode pvst
spanning-tree loopguard default
spanning-tree portfast bpduguard default
spanning-tree extend system-id
spanning-tree vlan 1,100,200,221,502-503 priority 4096
!
vlan internal allocation policy ascending
!
vlan 2-3
!
vlan 22
name AS400_Replication_vlan
!
vlan 161
name TO_INTERNAL_FW
!
vlan 200
!
vlan 221
name NEW-COM
!
vlan 500
name AP_MGMT
!
vlan 501
name WIFI_USERS
!
vlan 502
name WIFI_INTERNET
!
Version 5.1B
38 | P a g e

vlan 503
name WIFI_HDS
!
interface GigabitEthernet1/0/1
description connect to voice_router
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
description connect to ccm-pub
!
description Line_60MB_To_SAP_Replication
switchport nonegotiate
bandwidth 61440
load-interval 30
!
no switchport
bandwidth 40960
ip address 10.1.0.3 255.255.255.240
ip rip authentication mode md5
ip rip authentication key-chain Troy
load-interval 30
!
switchport voice vlan 200
!
description ##_TO_FW_BLD-1_##
39 | P a g e
Version 5.1B

load-interval 30
no cdp enable
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
!
description ##_TO_FW_BLD-2_##
load-interval 30
no cdp enable
!
description ESX-BLD-NIC1
switchport trunk encapsulation dot1q
switchport trunk native vlan 3
switchport trunk allowed vlan 2,3
switchport mode trunk
load-interval 30
!
!
description ESX-BLD-ILO
!
Version 5.1B
40 | P a g e

description SAPDEV DR Replication Port
!
description ESX-BLD-NIC2
switchport trunk native vlan 3
switchport trunk allowed vlan 2,3
!
load-interval 30
!
description PINEAPP
!
description SAPDEV DR Replication Port
!
speed 1000
duplex full
41 | P a g e
Version 5.1B

!
description To FW_BLD_1 2200-1 (Lan5) for External WiFi Users
!
description HMC
speed 1000
duplex full
!
speed 1000
duplex full
!
description To FW_BLD_2 2200-1 (Lan5) for External WiFi Users
!
description connect to SW_2960_3_Backup
storm-control broadcast level 5.00
Version 5.1B
42 | P a g e

storm-control multicast level 5.00
storm-control action shutdown
!
!
description connect to SW_2960_7
!
!
!
43 | P a g e
Version 5.1B

!
description Connect to BLD_MAIN
load-interval 30
channel-group 1 mode on
!
description Connect to BLD_MAIN
load-interval 30
channel-group 1 mode on
!
interface Vlan1
description vlan to BLD_Old
ip address 10.10.30.12 255.255.255.0
ip rip authentication mode md5
ip rip authentication key-chain Troy
!
interface Vlan2
description Admin
ip address 210.0.35.249 255.255.255.0
!
interface Vlan22
ip address 172.22.0.254 255.255.255.0
shutdown
!
interface Vlan161
ip address 10.20.161.9 255.255.255.0
!
interface Vlan200
description VOICE-VLAN
ip address 172.20.1.253 255.255.255.0
!
Version 5.1B
44 | P a g e

interface Vlan221
description NEW-COM
ip address 172.21.21.1 255.255.255.0
!
ip classless
ip route 172.32.32.32 255.255.255.255 10.20.161.10 track 255
ip route 0.0.0.0 0.0.0.0 10.20.161.10
ip route 1.1.10.0 255.255.255.0 10.1.0.1
ip route 10.1.10.0 255.255.255.0 10.1.0.1
ip route 10.205.1.1 255.255.255.255 10.1.0.1
ip route 81.218.75.162 255.255.255.255 10.20.161.10
ip route 111.0.0.0 255.255.255.0 10.1.0.1
ip route 123.2.2.91 255.255.255.255 10.10.30.254
ip route 123.2.2.95 255.255.255.255 10.10.30.254
ip route 172.17.1.0 255.255.255.0 10.20.161.10
ip route 172.19.0.0 255.255.0.0 10.1.0.1
ip route 172.20.18.0 255.255.255.0 10.1.0.1
ip route 172.21.0.0 255.255.255.0 10.20.161.10
ip route 172.28.2.0 255.255.255.0 10.1.0.1
ip route 192.168.2.0 255.255.255.0 10.1.0.1
ip route 192.168.7.0 255.255.255.0 10.1.0.1
ip route 192.168.46.71 255.255.255.255 10.1.0.1
ip route 192.168.131.0 255.255.255.0 10.1.0.1
ip route 194.90.1.5 255.255.255.255 10.20.161.10
ip route 212.179.42.0 255.255.255.0 10.1.0.1
ip route 212.179.67.62 255.255.255.255 10.1.0.1
no ip http server
ip radius source-interface Vlan1
!
logging trap warnings
logging 123.1.1.89
access-list 5 remark SNMP_Access
access-list 5 permit 123.1.1.89
access-list 5 permit 212.179.20.0 0.0.0.63
access-list 5 deny
any

45 | P a g e
Version 5.1B

access-list 10 remark VTY-ACCESS
access-list 10 deny
any
!
snmp-server community public RO
snmp-server community NMSRO RO 5
snmp-server enable traps license
snmp-server host 123.1.1.89 bladewr
snmp-server host 123.1.1.123 public
radius-server host 123.1.1.16 auth-port 1812 acct-port 1813 key 7 123A0C25134855522E28
radius-server source-ports 1645-1646
!
control-plane
!
banner motd ^C
******************************
Blade Company LTD.
Device name: $hostname
Warning:
Any unauthorized access to
this system is unlawful, and
may be subject to civil and/or
criminal penalties!
******************************
^C
alias exec u undebug all
!
line con 0
logging synchronous
line vty 0 4
access-class 10 in
logging synchronous
Version 5.1B
46 | P a g e

line vty 5 15
access-class 10 in
logging synchronous
!
ntp clock-period 36029257
ntp server 10.10.30.254
end
SW-BB#sh cdp ne
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID
Local Intrfce
Holdtme
ccmpub
Gig 1/0/2
166
SEP001A6D10AD7E
Gig 1/0/5
Capability
Platform
Port ID
VMware
eth0
124
ATA 186
Port 1
170
R S I
WS-C4506
Gig 4/14
170
R S I
WS-C4506
Gig 4/13
Gig 1/0/2
130
VMware
eth0
BLD_MAIN_SW
Gig 1/0/28
175
R S I
WS-C3560- Gig 0/2
BLD_MAIN_SW
Gig 1/0/27
173
R S I
WS-C3560- Gig 0/1
160
Gig 1/0/1
148
R S I
BLD_SW_1
Gig 1/0/24
122
S I
WS-C2960- Gig 0/1
BLD_SW_2
Gig 1/0/22
172
S I
WS-C2960- Gig 0/1
BLD_SW_3
Gig 1/0/21
134
S I
WS-C2960- Gig 0/1
BLD_SW_4
Gig 1/0/26
160
S I
WS-C2960- Gig 0/1
BLD_SW_6
Gig 1/0/25
137
S I
WS-C2960- Gig 0/1
BLD_SW_8
Gig 1/0/23
124
S I
WS-C2960- Gig 0/1
blade_BB.blade.com
Gig 1/0/4
blade_BB.blade.com
Gig 1/0/3
unitypub.blade.com
Presence.blade.com
Gig 1/0/2
VMware
eth0
2811
Fas 0/0
Meir_BLD_Router_VOICE.blade.com
BLD_SW1 Config
BLD_SW_1#sh run
47 | P a g e
Version 5.1B

!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
!
hostname BLD_SW_1
!
boot-start-marker
boot-end-marker
!
logging buffered 16192
enable secret 5 $1$ZD8T$H.4Ha78RwnXai9g8PBaHLM0
!
username admin privilege 15 secret 5 $1$/o/.$j2rdtSMA0iHciiiCXpT9z1
aaa new-model
!
!
!
!
!
udld aggressive
ip subnet-zero
!
no ip domain-lookup
!
!
!
!
!
Version 5.1B
48 | P a g e

!
!
!
!
!
!
interface FastEthernet0/1
!
!
!
49 | P a g e
Version 5.1B

!
description Printer ZEBRA
!
!
!
description PRINTER (210.0.37.202)
Version 5.1B
50 | P a g e

!
!
!
!
51 | P a g e
Version 5.1B

!
!
!
!
!
Version 5.1B
52 | P a g e

!
!
!
!
53 | P a g e
Version 5.1B

!
!
!
!
interface GigabitEthernet0/1
description connect to SW_3750_MAIN
spanning-tree port-priority 16
!
Version 5.1B
54 | P a g e

media-type rj45
!
interface Vlan1
description Management Network
ip address 10.10.30.17 255.255.255.0
no ip route-cache
!
no ip http server
logging 123.1.1.89
access-list 5 deny
any

access-list 10 deny
any

radius-server host 123.1.1.16 auth-port 1812 acct-port 1813 key 7
052805F3D200F175F1D06
!
control-plane
!
banner motd ^C
55 | P a g e
Version 5.1B

*********************************
Blade Company LTD.
Warning:
criminal penalties!
*********************************
^C
!
line con 0
exec-timeout 5 0
line vty 0 4
access-class 10 in
exec-timeout 0 0
password 7 070D245564B18100B03
line vty 5 15
access-class 10 in
exec-timeout 0 0
!
ntp server 10.1.0.1
end
BLD_SW2 Config
BLD_SW_2#sh run

!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
Version 5.1B
56 | P a g e

!
hostname BLD_SW_2
!
boot-start-marker
boot-end-marker
!
logging buffered 16192
enable secret 5 $1$ZD8T$H.4Ha78RwnXai9g8PBaHLM0
!
username admin privilege 15 secret 5 $1$/o/.$j2rdtSMA0iHciiiCXpT9z1
aaa new-model
!
!
!
!
!
udld aggressive
ip subnet-zero
!
no ip domain-lookup
!
!
!
!
!
!
!
!
57 | P a g e
Version 5.1B

!
!
!
!
!
!
!
Version 5.1B
58 | P a g e

description Printer ZEBRA
!
!
!
description PRINTER (210.0.37.202)
!
59 | P a g e
Version 5.1B

!
!
!
!
Version 5.1B
60 | P a g e

!
!
!
!
61 | P a g e
Version 5.1B

!
!
!
!
!
Version 5.1B
62 | P a g e

!
!
!
description connect to SW_3750_MAIN
!
media-type rj45
!
interface Vlan1
description Management Network
ip address 10.10.30.17 255.255.255.0
63 | P a g e
Version 5.1B

no ip route-cache
!
no ip http server
logging 123.1.1.89
access-list 5 deny
any

access-list 10 deny
any

radius-server host 123.1.1.16 auth-port 1812 acct-port 1813 key 7 052805F3D200F175F1D06
!
control-plane
!
banner motd ^C
*********************************
Blade Company LTD.
Warning:
criminal penalties!
*********************************
^C
!
Version 5.1B
64 | P a g e

line con 0
exec-timeout 5 0
line vty 0 4
access-class 10 in
exec-timeout 0 0
password 7 070D2455364B18100B03
line vty 5 15
access-class 10 in
exec-timeout 0 0
!
ntp server 10.1.0.1
end
Network Topology
65 | P a g e
Version 5.1B

Packet Capture information
Version 5.1B
66 | P a g e

67 | P a g e
Version 5.1B

Using the information provided, select the most logical cause of the issue from the list below:
(Multiple answers)
BLD_SW1 seems to be causing the issues.

SW_BB is undergoing a broadcast storm.
Everything seems to be ok, further information is required.
The storm-control statements used on the switches are causing network flaps.
There seems to be a broadcast storm affecting the entire network.
BLD_SW2 seems to be causing the issues.
A bad uplink between the remote switch and the SW-BB is the reason.
A massive packet rate of traffic seems to be broadcast to every user on the LAN.
According to the sniffer conversation statistics output provided choose the mac-addresses which
should be further investigated:
28:c0:da:30:f6:81
00:00:00:00:fd:00
00:00:00:00:fe:01
08:00:27:00:A4:99
80:86:F2:6B:0D:DB
IPv4mcast_05
ff:ff:ff:ff:ff:ff
Vmware:ca:7d:f4
Cisco_45:9a:24
Cisco_45:9a:20
00:27:0d:45:9a:24
Version 5.1B
68 | P a g e

Ticket 2
(3 points)
You have been away to a Cisco training for the past week. While you were out, your company added
a new supplier using BGP protocol. Your co-worker configured the entire thing and everything is
working properly. Now they have decided that an IPv6 BGP peer is necessary on top of this
connection, unfortunately he configured the entire thing in the NLRI format (legacy syntax).
You've been asked to modify the BGP configuration to support multi address-families without
removing any configurations and explicitly NO down time. Review the information provided for a
better understanding of the issue.
Router configuration
RTR-SUP#sh run

!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RTR-SUP
!
boot-start-marker
boot-end-marker
!
!
enable password cps
!
no aaa new-model
clock timezone CET 1 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
ip multicast-routing
69 | P a g e
Version 5.1B

ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
redundancy
!
!
interface Loopback0
ip address 123.16.16.16 255.255.255.255
ip pim sparse-mode
!
interface Ethernet0/0
ip address 203.3.16.2 255.255.255.252
!
ip address 123.20.1.2 255.255.255.248
ip pim sparse-mode
!
ip address 123.20.1.17 255.255.255.248
ip pim sparse-mode
!
no ip address
!
no ip address
!
no ip address
!
no ip address
!
no ip address
Version 5.1B
70 | P a g e

!
no ip address
shutdown
!
no ip address
shutdown
!
no ip address
shutdown
!
no ip address
shutdown
!
interface Serial5/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial5/1
no ip address
shutdown
!
interface Serial5/2
no ip address
shutdown
!
router bgp 65248
bgp log-neighbor-changes
neighbor 3.3.3.20 remote-as 64782
neighbor 123.20.1.18 password IPX
neighbor 123.20.1.18 ebgp-multihop 255
71 | P a g e
Version 5.1B

neighbor 123.20.1.18 route-map BGP-OUT out
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
ip prefix-list BGP-OUT seq 5 permit 0.0.0.0/0 le 32
!
route-map BGP-OUT permit 10
match ip address prefix-list BGP-OUT
!
!
!
control-plane
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
line vty 0 4
password cisco
login
transport input none
!
!
end
RTR-SUP#sh ip bgp sum

BGP router identifier 123.16.16.16, local AS number 65248
Version 5.1B
72 | P a g e

BGP table version is 1, main routing table version 1
Neighbor
AS MsgRcvd MsgSent
TblVer
InQ OutQ Up/Down
State/PfxRcd
3.3.3.20
64782
0 never
Idle
10.10.10.20
65489
0 never
Idle
123.20.1.18
8005
0 00:02:44
Using the information provided, choose the best option to accomplish this task:
Schedule a maintenance window, quickly remove existing bgp config and replace with new
multi-af config.
Fortunately, IOS provides a feature to automate the transition in the form of a simple
command: bgp upgrade-cli, which is run at the global under configuration. No down time is
required.
command: bgp upgrade-cli, which is run at the global under configuration. This cannot be
accomplished without any downtime.
command: bgp upgrade-cli, which is run under the bgp process configuration. No down time
is required.
command: bgp upgrade-cli, which is run under the bgp process configuration. This cannot be
accomplished without any downtime.
73 | P a g e
Version 5.1B

Ticket 3
(3 points)
Users are complaining and have opened a trouble ticket that has been assigned to you. They are
complaining that they cannot reach a specific remote office (R2 / R3), but can reach the Main office
(R1). Obviously there is a connectivity issue of some sort. Help identify the cause and choose a
solution.
R1 Outputs
R1#sh ip ei ne
IP-EIGRP neighbors for process 100
H
Address
Interface
Hold Uptime
SRTT
(sec)
(ms)
RTO
Seq
Cnt Num
10.10.10.3
Fa0/0
14 00:00:09
212
1272
10.10.10.2
Fa0/0
14 00:01:08 1041
5000
R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set

C
100.100.100.0/24 is directly connected, Loopback1
100.0.0.0/8 is a summary, 00:02:17, Null0
20.0.0.0/8 [90/409600] via 10.10.10.2, 00:02:02, FastEthernet0/0

10.10.10.0/24 is directly connected, FastEthernet0/0
10.0.0.0/8 is a summary, 00:02:17, Null0
R1#debug ip eigrp
*Mar 1 00:26:25.343: IP-EIGRP(Default-IP-Routing-Table:100): route installed for
100.0.0.0 (Summary)
Version 5.1B
74 | P a g e

10.0.0.0 (Summary)
*Mar 1 00:26:25.683: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.10.10.3
(FastEthernet0/0) is up: new adjacency
*Mar
1 00:26:27.307: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar
1 00:26:28.303: %SYS-5-CONFIG_I: Configured from console by console
*Mar 1 00:26:28.307: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0,

changed state to up
*Mar 1 00:26:28.855: IP-EIGRP(Default-IP-Routing-Table:100): Processing incoming
UPDATE packet
UPDATE packet
UPDATE packet
*Mar 1 00:26:30.727: IP-EIGRP(Default-IP-Routing-Table:100): Int 20.0.0.0/8 M 409600
- 256000 153600 SM 128256 - 256 128000
20.0.0.0 ()
*Mar 1 00:26:30.735: IP-EIGRP(Default-IP-Routing-Table:100): 100.100.100.0/24 - don't
advertise out FastEthernet0/0
*Mar 1 00:26:30.735: IP-EIGRP(Default-IP-Routing-Table:100): 10.10.10.0/24 - do
*Mar 1 00:26:30.739: IP-EIGRP(Default-IP-Routing-Table:100): Int 100.0.0.0/8 metric
128256 - 256 128000
*Mar 1 00:26:30.739: IP-EIGRP(Default-IP-Routing-Table:100): 10.0.0.0/8 - poison
UPDATE packet
- 256000 153600 SM 128256 - 256 128000
30.0.0.0 ()
409600 - 256000 153600
409600 - 256000 153600
UPDATE packet
*Mar 1 00:26:31.023: IP-EIGRP(Default-IP-Routing-Table:100): Int 100.0.0.0/8 M
4294967295 - 256000 4294967295 SM 4294967295 - 256000 4294967295
75 | P a g e
Version 5.1B

128256 - 256 128000
409600 - 256000 153600
409600 - 256000 153600
UPDATE packet
4294967295 - 256000 4294967295 SM 4294967295 - 256000 4294967295
R2 Outputs
R2#sh ip ei ne
H
Address
10.10.10.1
Interface
Fa0/0
Hold Uptime
SRTT
(sec)
(ms)
13 00:01:18
48
RTO
Seq
Cnt Num
288
R2#sh ip route

20.0.0.0/8 is a summary, 00:04:05, Null0

Version 5.1B
76 | P a g e

C
10.0.0.0/8 is a summary, 00:04:05, Null0
R2#debug ip eigrp
(FastEthernet0/0) is down: holding time expired
UPDATE packet
128256 - 256 128000
UPDATE packet
- 256000 153600 SM 128256 - 256 128000
100.0.0.0 ()
409600 - 256000 153600
UPDATE packet
4294967295 - 256000 4294967295 SM 4294967295 - 256000 4294967295
UPDATE packet
4294967295 - 256000 4294967295 SM 4294967295 - 256000 4294967295
R3 Outputs
R3#sh ip ei ne
H
Address
10.10.10.1
77 | P a g e
Interface
Fa0/0
Hold Uptime
SRTT
(sec)
(ms)
11 00:00:26
164
RTO
Seq
Cnt Num
984
Version 5.1B

R3#sh ip ei ne
H
Address
Interface
Hold Uptime
SRTT
(sec)
(ms)
10.10.10.2
Fa0/0
11 00:00:26 1283
10.10.10.1
Fa0/0
11 00:00:26
164
RTO
Seq
Cnt Num
5000
984
R3#sh ip route

10.0.0.0/8 is a summary, 00:04:05, Null0

30.0.0.0/8 is a summary, 00:04:05, Null0
R3#debug ip eigrp
UPDATE packet
128256 - 256 128000
Version 5.1B
78 | P a g e

UPDATE packet
4294967295 - 256000 4294967295 SM 4294967295 - 256000 4294967295
UPDATE packet
- 256000 153600 SM 128256 - 256 128000
100.0.0.0 ()
409600 - 256000 153600
UPDATE packet
4294967295 - 256000 4294967295 SM 4294967295 - 256000 4294967295
EIGRP Topology
79 | P a g e
Version 5.1B

Assuming R2 and R3 are configured correctly and using the information provided, choose the device
that contains the configuration error and then choose the best method to fix the issue:
Device with Issue:
Area of Issue:
R2
Enable split-horizon on R1
R3
Enable split-horizon on R2
PC1
Disable split-horizon on R3
PC2
PC3
R1
Enable next-hop-self on R1
Disable next-hop-self on R1
Disable auto-summary on R1
Enable auto-summary on R2
Enable auto-summary on R3
Disable auto-summary on All
This concludes the Diagnostic Section of iPexpert's R&S Lab 5 Workbook, Volume 2
Copyright iPexpert. All Rights Reserved.
Version 5.1B
80 | P a g e

Lab 5: Configuration Section

Before You Begin
Please look at the provided diagrams and read through the whole lab before you start. Read
the directions very carefully to make sure you are doing what is being asked of you. This is
very important when you take Ciscos CCIE lab.
Multiple topology diagrams are available for this lab. Be sure to understand each diagram
and the information being conveyed.
General Rules
All IPv4 address are pre-configured except SVI, tunnel, and sub-interfaces, unless
otherwise noted.
All Service Provider routers are pre-configured and cannot be accessed during the lab.
Do not modify any IP addressing on any interfaces.
The BB routers are not accessible.
Static/default routes are NOT allowed unless otherwise stated in the task.
Save your configurations often.
Estimated Time to Complete: 5 hours

81 | P a g e
Version 5.1B

Pre-Setup
Please login to your vRack and load the initial Configuration.
This lab is intended to be used with online rack access. Connect to the terminal server and
complete the troubleshooting tasks as detailed below.
Version 5.1B
82 | P a g e

Diagram 5.5: Layer 2
83 | P a g e
Version 5.1B

Diagram 5.6: IPv4
Version 5.1B
84 | P a g e

Diagram 5.7: BGP
85 | P a g e
Version 5.1B

Diagram 5.8: DMVPN
Version 5.1B
86 | P a g e

Diagram 5.9: IPv6
87 | P a g e
Version 5.1B

Diagram 5.10: MCAST
Version 5.1B
88 | P a g e

Diagram 5.11: MP-BGP
89 | P a g e
Version 5.1B

Section 1.0: Layer 2 Technologies

Task 1.1:
Layer 2 Ports
(12 points)
(2 points)
Using the given diagrams, configure the switch-to-switch links as dot1q trunks.
Make sure that the trunk configuration is not negotiated.
Ensure that the following unused ports on all four switches are shutdown and configured as
access ports in vlan 999:
o
e3/2, e4/0 and e4/1 are unused on SW1 and SW2
e4/0 and e4/1 are unused on SW3 and SW4
All unused ports on all switches are to be shutdown and configured as access ports in vlan 999 as
well.
Configure the networks of San Francisco office (ASN 23456) and Hawaii office (ASN 34567) as per
the following requirements:
Task 1.2:
Using the given diagrams, configure the switch-to-switch links as dot1q trunks on
interfaces e2/0 and e2/1.
Make sure that the trunk configuration is not negotiated.
All unused ports on all switches are to be shutdown and configured as access in VLAN
999
Switch Administration
(2 points)
Use VTP domain name "CCIERS".

Secure all VTP updates with an MD5 of the ASCII password "iPexpert?"
SW1 should always be the VTP be the master. All other switches should be set to client.
Do not configure any VLANs on SW2, SW3, or SW4. They should learn the VLANs from the VTP
server.
Configure the network of San Francisco office (ASN 23456) as per the following requirements:
Version 5.1B
90 | P a g e

o
SW6 must be the vtp server and SW5 must be the vtp client
Use VTP domain name "CCIE".
Configure the network of Hawaii office (ASN 34567) as per the following requirements:
Task 1.3:
SW7 and SW8 should be configured as VTP Transparent.
Use VTP domain name "CCIERS".
Layer 2 VLANs
(3 points)
Configure the necessary VLANs.

Using the Layer 2 diagram, configure all interfaces connected to a router as access ports, unless
connected to a router with sub-interfaces, these connections must use 802.1q trunking.
Only allow the VLANs required across the trunk links.

Do not modify any pre-configured subinterfaces, VLANs, or 802.1q trunks.
Task 1.4:
Spanning-Tree
(3 points)
Use the spanning-tree protocol which maintains one STP instance per VLAN and converges
rapidly.
SW1 should be the Root bridge for all odd VLANs and the secondary root bridge for all even
VLANs.
SW2 should be the primary Root bridge for all even VLANs and the secondary root bridge for all
odd VLANs.
SW6 should be the Root bridge for all odd VLANs and the secondary root bridge for all even
VLANs.
SW5 should be the primary Root bridge for all even VLANs and the secondary root bridge for all
odd VLANs.
91 | P a g e
Version 5.1B

Statically set the primary and secondary Root bridges to protect against other switches becoming
the root bridge.
All access ports should move to forwarding state immediately after coming up.
Use a single command to accomplish this on each device.
Enable port state recovery for storm-control errors, and also modify the interval to be half of the
default value.
Configure inter switch ports of SW1-SW4 in order to enforce the Root bridge placement in the
network.
Verify all directly connected devices can ping each other in Hawaii, San Francisco, and New York
HQ.
Task 1.5:
WAN Switching
(2 points)
The WAN links must rely on a layer 2 protocol that supports link negotiation and authentication.
The provider connections with R24 and R25 must use ip address negotiation and be
authenticated using a 3-Way Handshake with ISP6.
The one-way authentication must be initiated by ISP6:
Version 5.1B
R24 must use the username "IPX-24" and the password "IPXKEY"
92 | P a g e

Section 2.0: IP Routing

Task 2.1:
(35 points)
OSPF in New York HQ
(2 points)
Configure the OSPF process id 12345 and set the router-id as the interface Loopback0 on all
routers.
Add all interfaces to the OSPF process except the links that leave the Autonomous System.
o
Do not use the ip ospf command under interface configuration.
Restrict OSPF to these interfaces without using the passive-interface feature.
All addresses in the OSPF domain should be reachable by all devices in the AS.
The switches must not participate in routing at all.
Make sure the loopback interfaces are advertised properly with the original mask.
When finished, R1 must see the following OSPF routes in the routing table without modifying the
cost on any link:
R1#sh ip route ospf
O
101.33.1.0/30 [110/65555] via 101.33.1.30, 00:00:02, Ethernet0/1

[110/65555] via 101.33.1.25, 00:00:02, Ethernet0/0
101.33.1.4/30 [110/65545] via 101.33.1.25, 00:00:02, Ethernet0/0
101.33.1.8/30 [110/65545] via 101.33.1.30, 00:00:02, Ethernet0/1
101.33.1.12/30 [110/65545] via 101.33.1.25, 00:00:02, Ethernet0/0
101.33.1.16/30 [110/65545] via 101.33.1.30, 00:00:02, Ethernet0/1
101.33.1.20/30 [110/65555] via 101.33.1.30, 00:00:02, Ethernet0/1

[110/65555] via 101.33.1.25, 00:00:02,
Ethernet0/0
O
172.17.2.0/24 [110/65546] via 101.33.1.25, 00:00:02, Ethernet0/0
172.17.3.0/24 [110/65546] via 101.33.1.30, 00:00:02, Ethernet0/1
172.17.4.0/24 [110/65546] via 101.33.1.25, 00:00:02, Ethernet0/0
172.17.5.0/24 [110/65546] via 101.33.1.30, 00:00:02, Ethernet0/1
172.17.6.0/24 [110/65536] via 101.33.1.25, 00:00:02, Ethernet0/0
172.17.7.0/24 [110/65536] via 101.33.1.30, 00:00:02, Ethernet0/1
93 | P a g e
Version 5.1B

Task 2.2:
EIGRP in AS 23456
(3 points)
Create EIGRP ASN 23456 in San Francisco.

Configure all interfaces for EIGRP except those connected to other Autonomous Systems.
Ensure that no interfaces advertise hello messages other than the ones specified.
All EIGRP adjacencies should be authenticated using MD5 and the password CCIERock$ (no
quotations).
o
Use only one command to accomplish this.
All subnets included in EIGRP ASN 23456 should be reachable from every device in the AS,
including the Loopback interface of each router.
Using a single command only on one switch, ensure that R11 installs two equal-cost route for the
following routes:
o
vlan 135
R13's interface Loopback0
Do not change the interface bandwidth on any physical interface in ASN 23456.
Task 2.3:
EIGRP in AS 34567
(2 points)
The EIGRP Autonomous System number is 34567.

Add all interfaces in Hawaii to the EIGRP process except those connected to other Autonomous
Systems.
o
Use any method to accomplish this requirement.
For all three routers R18, R19, R20 use EIGRP with 64bit metrics.
SW7 and SW8 are Layer 3 switches and must configure EIGRP.
Advertise the loopback 0 interface of all devices in EIGRP AS 34567 as internal routes.
Version 5.1B
94 | P a g e

Task 2.4:
EIGRP in Australia and Mexico AS 34567
(2 points)
Enable EIGRP 34567 in Australia and Mexico.

Advertise the loopback 24 interface of R24 as an external route.
Advertise the loopback 25 interface of R25 as an external route.
Use the pre-configured DMVPN tunnel interface of R20, R24, and R25 to establish the EIGRP
relationships.
R20 is the DMVPN hub, R24, R25 are spokes.

Ensure that R24, and R25 receive also a default route.
o
Do not use redistribution to accomplish this.
Do not use static routing to accomplish this.
Task 2.5:
BGP in AS 65333
(4 points)
Use loopback 0 as the BGP router-id on all routers.

R1 must be the IPv4 route-reflector for ASN 65333.
IPv4 unicast family address must be disabled by default in all BGP routers.
R6 and R7 must not establish any BGP session at any time.
Configure all iBGP peerings using the loopback 0 interface.
Use peer group name "IBGP" for all internal neighbor relationship on R1.
Configure eBGP VPNv4 and IPv4 peerings between New York and AS 1111, AS 2222, and AS 4444.
o
Use the directly connected interfaces to form these peerings.
Advertise the loopback0 interface to these eBGP peers via redistribution.

o
Do not advertise any other prefixes.
Configure eBGP between IPexperts New York and RPT according the following requirements:
o
95 | P a g e
R9 is a CE router and uses eBGP to connect to management services that are provided by
the PE routers R2 and R3.
Version 5.1B

o
R9 must establish a separate eBGP peering with both R2 and R3 for every VRF.
R9 must advertise the following prefixes to all of its BGP peers:

o
10.0.0.0/8 summary-only
172.0.0.0/8 summary-only
R9 must advertise a default route to all of its BGP peers except for INET.
Task 2.6:
BGP in AS 65444
(4 points)

IPv4 must be disabled by default.
Configure a full mesh iBGP peering between all three routers use any configuration method.
Configure the eBGP peerings to AS 3333, AS 7777.
R11 must be selected as the preferred exit point for traffic destined to remote-ASes.
R13 must be selected as the next preferred exit point in case R11 fails.
No BGP speaker should use the network command.
Ensure that BGP next-hop is never marked as unreachable as long as loopback 0 interface of the
remote peer are known via the IGP.
Redistribute EIGRP into BGP on R11.
Task 2.7:
BGP in AS 65423 and AS 65420
(3 points)

R18 must establish an eBGP peering with AS 3333.
It must receive a default route and all other prefixes from AS 3333.
R18 must advertise a summary route to AS 3333 for 101.33.20.0/24 and suppress all other
routes.
R18 must redistribute BGP into EIGRP and vice versa.

Version 5.1B
96 | P a g e

R20, R24, and R25 must establish an eBGP peering with AS 6666 in vrf GW.
o
They must not advertise any prefixes at all to AS 6666.
They must receive a default route and all other prefixes from AS 6666.
Use directly connected interfaces for the peering addresses.
Task 2.8:
BGP in ASes: 65521, 65522, 65523
(3 points)
Create the eBGP peerings from ASes: 65521, 65522, and 65523 to AS 4444.
Create the eBGP peering from AS 65522 to AS 7777.
Use the directly connected serial interfaces to make these peerings.
Do not perform any redistribution in these ASs.
R22 should not be sending 172.16.22.0/24 and 172.0.0.0/8 to ISP7.
R22 should prefer AS 4444 as the preferred exit point for traffic destined to remote-ASes.
o
Task 2.9:
Accomplish this other than using local-preference.
BGP Routing Policies
(3 points)
All routers in AS 65333 must filter the BGP prefixes which are advertised to their Service
Providers - they must allow 172.0.0.0/8 prefix and a default route. All other VRFs must propagate
all prefixes.
All routers in AS 65444 must filter the BGP prefixes that are advertised to their Service Providers
and must allow only all prefixes that belong to 172.0.0.0/8 network.
Do not use any route-map or access-list to accomplish the above requirements.

ASes 65521 and 65523 must be reachable from Australia and Mexico, you should be able to ping
their interface loopbacks 21 and 23. Traceroute must reveal the exact same path as show in the
following output:
R24#trace 172.16.21.254 so l24 num
97 | P a g e
Version 5.1B

1 192.168.20.20 18 msec 20 msec 21 msec
2 101.33.20.9 26 msec 21 msec 24 msec
3 195.13.183.2 30 msec 29 msec 29 msec
6 10.10.29.2 47 msec 45 msec 48 msec
8 92.82.21.21 64 msec *
65 msec
R24#trace 172.16.23.254 so l24 num

1 192.168.20.20 21 msec 21 msec 21 msec
2 101.33.20.9 22 msec 21 msec 22 msec
3 195.13.183.2 30 msec 26 msec 29 msec
6 10.30.29.2 47 msec 47 msec 47 msec
8 92.82.23.23 65 msec *
64 msec
R25#trace 172.16.21.254 so l25 num

1 192.168.20.20 43 msec 19 msec 21 msec
2 101.33.20.9 21 msec 21 msec 21 msec
3 195.13.183.2 29 msec 21 msec 30 msec
6 10.10.29.2 48 msec 48 msec 47 msec
8 92.82.21.21 64 msec *
64 msec
R25#trace 172.16.23.254 so l25 num

Version 5.1B
98 | P a g e

1 192.168.20.20 21 msec 21 msec 21 msec
2 101.33.20.9 21 msec 21 msec 22 msec
3 195.13.183.2 23 msec 29 msec 30 msec
6 10.30.29.2 47 msec 45 msec 47 msec
8 92.82.23.23 63 msec *
65 msec
R21#ping 172.16.25.254 so lo021

!!!!!
R21#ping 172.16.24.254 so lo021
!!!!!
R23#ping 172.16.24.254 so l23
!!!!!
R23#ping 172.16.25.254 so l23
!!!!!
99 | P a g e
Version 5.1B

Task 2.10: IPv6 OSPF
(3 points)
Assign IPv6 addresses according to the IPv6 diagram and table below:
Table 5.12
Device
Interface
IPv6 Address
R2
e0/0
2004::23:1/112
e0/1.26
2004::26:5/112
e0/0
2004::23:2/112
e0/1.37
2004::37:9/112
e0/1.26
2004::26:6/112
e0/1.64
2004::64:13/112
e0/1.37
2004::37:10/112
e0/1.75
2004::75:17/112
R4
e0/1
2004::64:14/112
R5
e0/1
2004::75:18/112
R3
R6
R7
Also advertise loopbacks0 of the above mentioned routers.

Configure the OSPF process ID 12345.
All routers should support Multi-AF OSPF.
Do not enable OSPF on any interfaces that are not referenced in the IPv6 diagram/table.
R2 must be elected as the DR on VLAN23, R3 must be selected as the backup DR on VLAN23 and
should take over if R2 is down.
Configure OSPF Areas: 0,10,20,30,40.
Task 2.11: IPv6 BGP
(3 points)
Assign the IPv6 addressing according to the following table:
Version 5.1B
100 | P a g e

Table 5.13
Device
Interface
IPv6 Address
R4
s2/0
2004::44:1/112
R5
s2/0
2004::54:5/112
R21
s2/0
2004::21:21/112
R23
s2/0
2004::23:23/112
Configure IPv6 eBGP peerings between ASes 65521, 65523 and 65333 with AS 4444.
o
Only add the interfaces that are in the IPv6 diagram.
Redistribute OSPF into BGP on R4.

Perform mutual redistribution between OSPF and BGP on R5.
No BGP speaker should use the network command.
Do not use any static route or default route anywhere.
Verify that loopback 21 of R21 and loopback23 of R23 have full connectivity to R2's, and R3's
loopback addresses; also the following outputs should match:
R21#ping 2001::2 source Lo21
Sending 5, 100-byte ICMP Echos to 2001::2, timeout is 2 seconds:
Packet sent with a source address of 2021::21
!!!!!
R21#ping 2001::3 source Lo21

!!!!!
R21#traceroute ipv6 2001::2

101 | P a g e
Version 5.1B

Tracing the route to 2001::2
1 2004::21:1 8 msec 9 msec 8 msec

2 2004::44:1 [AS 4444] 16 msec 16 msec 17 msec
3 2004::64:13 [AS 65333] 17 msec 16 msec 17 msec
4 2004::26:5 [AS 65333] 17 msec 17 msec 17 msec
R21#traceroute ipv6 2001::3

Tracing the route to 2001::3
1 2004::21:1 9 msec 8 msec 8 msec

2 2004::54:5 [AS 4444] 18 msec 17 msec 18 msec
3 2004::75:17 [AS 65333] 17 msec 17 msec 17 msec
4 2004::37:9 [AS 65333] 18 msec 16 msec 17 msec
R23#ping ipv6 2001::2 source lo23

!!!!!
R23#ping ipv6 2001::3 source lo23

!!!!!
Task 2.12: IPv4 Multicast
(3 points)
SW8 is a multicast server on interface Loopback 0.

The rendezvous point must be dynamically discovered using standard methods.
R18's loopback 0 interface must be the elected RP.
To test configure R19, R24, and R25 loopback0 to join group 232.8.8.8 as multicast receivers.
Version 5.1B
102 | P a g e

All devices in ASN 65423 and ASN 65420 must participate in multicast routing.
A ping to 232.8.8.8 must result in a response from R19, R24, and R25 loopback 0 interfaces as
displayed in the following output below:
SW8#ping 232.8.8.8 source lo0
Reply to request 0 from 172.17.19.19, 1 ms

103 | P a g e
Version 5.1B

Section 3.0: IPv4 VPN Technology

Task 3.1:
MPLS VPN
(16 points)
(3 points)
Refer to the BGP diagram and VPN topology.

The global and regional Service providers have agreed to transport the IPexpert VPNs via PE to PE
eBGP peering that are already fully configured.
Complete the configuration of mpls L3VPN in the IPexpert network according to the following
requirements:
o
Enable LDP only on required interfaces on all seven routers in AS 65333.
Use the interface Lo0 to establish LDP Peerings.
R2, R3, R4 and R5 must be configured as PE routers.
R6, R7 and R1 must be configured as P routers.
Use only one command to achieve this.
Ensure that no MPLS interface that belongs to any router in AS 65333 is visible on a
traceroute that originates outside of the AS.
Task 3.2:
MPLS VPN Connectivity
(5 points)
R1 must reflect VPNv4 prefixes from any PE to any other PE in AS 65333.

R2 and R3 must establish an eBGP peering with both Service Providers (AS 1111 and AS 2222 )
for the following VRFs:
Version 5.1B
GREEN
BLUE
RED
YELLOW
INET
104 | P a g e

R4 must establish an eBGP peering with the Service Providers AS 4444 for the following VRFs:
o
GREEN
BLUE
RED
No BGP speaker in AS 65333 may use the network statement under any address-family of the
BGP router configuration.
Peer between ASN 65333 (R2, R3) and ASN 64520 (R9). Each sub-interface should have its own
BGP peering in its respective VRF.
Task 3.3:
DMVPN
(4 points)
Configure DMVPN in ASN 34567 as per the following requirements:

o
Use the preconfigured interface tunnel0 on R20, R24, and R25 in order to accomplish
this task.
R20 must be configured as DMVPN hub.
Use interface s2/0 as the source address of the tunnel on each device,
except for R20 which uses interface s2/2.
R24 and R25 must be the spokes and must participate in the NHRP information
exchange.
Place the tunnel source interfaces in VRF GW.
Disable send ICMP redirect messages on all three tunnel interfaces.
Configure the following parameter on all three tunnel interface:
105 | P a g e
Bandwidth: 1000 kbps
Delay: 10000 msec
IP MTU: 1400 Bytes
TCP MSS: 1380 Bytes

Version 5.1B

o
NHRP Authentication: "DMVPNk6y"
NHRP network-id: 34567
NHRP hold time: 10 min
Tunnel Key: 34567
Ensure that spoke-to-spoke traffic does not transit via the hub
Task 3.4:
DMVPN Encryption
(4 points)
Refer to the DMVPN Topology

Secure the DMVPN tunnel with IPsec according to the following requirements:
Configure IKE Phase 1 according to the following requirements:

o
Configure a single policy with priority 50.
Use AES encryption with the pre-shared key "IPXrulez"
The key must appear in plain text in the configuration.
All IPsec tunnels must be authenticated using the same IKE Phase 1 pre-shared key.
Use 1024 bits for the key exchange using the Diffie-Hellman algorithm.
Configure IKE Phase 2 according to the following requirements:

o
Transform-set name: "IPXTransform"
Use the IPsec security protocol ESP and the algorithm AES with 128 bits.
IPsec profile name: DMVPNPROFILE
Use IPsec in transport mode.
Ensure that the DMVPN cloud is secured using the above parameters.
Version 5.1B
106 | P a g e

Section 4.0: IP Security

Task 4.1:
Device Security
(5 points)
(3 points)
Configure R9 in the iPexpert RTP office as per the following requirements:

o
All users who connect from R2 to R9 via VTY line using telnet & using the username
"OPERATOR" and Password "CISCO" must be prompted with the displayed menu:
No other users should receive this menu.
Leave one line for regular telnet access authenticating users with the Local Database.
Every single function in the menu must display the correct output.
R2#telnet 172.16.9.254 /vrf YELLOW

Trying 172.16.9.254 ... Open
User Access Verification

Username: OPERATOR
Password:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - IPXpert Operator Menu - - - - - - - - Welcome To IPXpert's
Operator Menu
Authorized users only,
violaters will be shot on sight!
use this menu for ADMIN Operations
Choose desired function
- - - - - - - - - - - - - - - - - - - - - - - - - - 1
Display Routing table
Display Running Config
Escape to Shell
Disconnect
107 | P a g e
Version 5.1B

Task 4.2:
Network Security
(2 points)
Refer to the Layer 2 topology

The iPexpert New York office holds business critical information, for that reason we need to limit
unknown or rogue users from connecting to our network, configure the office as per the
following requirements:
Version 5.1B
Ensure that interfaces E0/1-3, and E1/2-E1/3 of SW2 forward traffic that was sent from
expected and legitimate hosts and servers.
SW2 must dynamically learn only one MAC address per port and must save the MAC
address in its startup configuration.
SW2 must shut down the port if a security violation occurs on any of these ports.
108 | P a g e

Section 5.0: Infrastructure Services

Task 5.1:
(4 points)
Configuration Change Notification
(2 points)
The New York branch needs a CLI configuration auditing solution, one that doesn't require
purchasing any new devices/servers such as TACACS+ or any AAA solution.
Configure routers R1-R3 in ASN 12345 to locally track changes made to its running configuration.
o
Track changes made to the Cisco software running configuration by maintaining a

configuration log.
Log these changes to syslog.
Ensure that passwords in the configuration will not be sent across this communication
channel.
Limit the maximum number of logged commands that will be kept by the config log to a
maximum of 1000 entries.
Verify this on all routers by typing the following commands and receiving the same
output:
conf t
RX (config)#int e0/0
*May 16 15:49:25.578 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:console

command:interface Ethernet0/0
Task 5.2:
logged
Network Optimization (2 points)
Configure R20 as per the following requirements:

o
109 | P a g e
The output that is shown below must be seen on R20 during 10 seconds after R25
successfully pinged interface Lo21 of R21.
Version 5.1B

R21#ping 172.16.25.254 source lo21
!!!!!
R20#show ip flow top-talkers
SrcIf
SrcIPaddress
DstIf
DstIPaddress
Pr SrcP DstP Bytes
Et0/1
172.16.21.254
Tu0*
172.16.25.254
01 0000 0800
500
1 of 10 top talkers shown. 1 of 1 flows matched.
Technical Verification and Support

For verification of your work, please refer to this Workbook's accompanying Detailed Solution Guide.
If you need assistance with any of this book's content, please visit our Member Community at
http://community.ipexpert.com.
Thisconcludes
concludesthe
theDiagnostic
Configuration
Section
and iPexpert's
R&S Lab
5 Workbook,
This
Section
of iPexpert's
R&S 1-Week
Lab
Experience Volume
DSG, Lab21
Copyright iPexpert.
iPexpert. All
All Rights
Rights Reserved.
Reserved.
Copyright
Version 5.1B
110 | P a g e

Ipexpert's CCIE R&S (v5) Mock Lab Workbook (Vol. 2) Lab 5 Workbook PDF

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Ipexpert's CCIE R&S (v5) Mock Lab Workbook (Vol. 2) Lab 5 Workbook PDF

Încărcat de

Drepturi de autor:

Formate disponibile

for Cisco's CCIE Routing & Switching Lab Exam, Lab 5

CCIE Routing & Switching

iPexpert's Lab Preparation Workbook

iPexpert's Lab Preparation Workbook

iPexpert's End-User License Agreement

iPexpert's Lab Preparation Workbook

U.S. Government - Restricted Rights

iPexpert's Lab Preparation Workbook

Welcome, and Thank You!

Technical Support and Freebies

iPexpert's Lab Preparation Workbook

How to Use This Lab Preparation Workbook

iPexpert's Lab Preparation Workbook

Cisco's New Retake Policy

Cisco R&S V5 Blueprint (Primary Sections w/ Assigned Point Values)

Layer 2 Technologies: 20%

How to Use This Lab Preparation Workbook

Additional Information Pertaining to Cisco's CCIE R&S Lab Exam

iPexpert's Lab Preparation Workbook

Lab Exam Grading

iPexpert's Lab Preparation Workbook

Reevaluation of Lab Results

iPexpert's Lab Preparation Workbook

Lab 5: Troubleshooting Section

Estimated Time to Complete: 2 hours

Total Possible Points: 19

iPexpert's Lab Preparation Workbook

iPexpert's Lab Preparation Workbook

iPexpert's Lab Preparation Workbook

iPexpert's Lab Preparation Workbook

iPexpert's Lab Preparation Workbook

iPexpert's Lab Preparation Workbook

iPexpert's Lab Preparation Workbook

10.4.4.0/24 [170/542771200] via 192.168.24.6, 03:11:05, Serial2/0

10.13.13.0/24 [90/27008000] via 40.40.40.13, 00:00:16, Tunnel66

10.15.15.0/24 [90/27033600] via 40.40.40.13, 00:00:16, Tunnel66

10.23.23.0/24 [170/28288000] via 40.40.40.23, 00:00:09, Tunnel66

10.25.25.0/24 [170/28288000] via 40.40.40.25, 00:00:09, Tunnel66

172.5.5.0 [90/27033600] via 40.40.40.13, 00:00:16, Tunnel66

172.16.200.0 [90/26905856] via 40.40.40.13, 00:00:16, Tunnel66

172.16.214.0 [90/26905600] via 40.40.40.13, 00:00:16, Tunnel66

172.16.215.0 [90/26905600] via 40.40.40.13, 00:00:16, Tunnel66

172.16.216.0 [90/26931200] via 40.40.40.13, 00:00:16, Tunnel66

192.168.0.0/16 [170/542771200] via 192.168.24.6, 03:11:05, Serial2/0

192.168.13.0/24 [90/34036062] via 192.168.24.6, 03:11:05, Serial2/0

192.168.15.0/24 [90/27417600] via 40.40.40.13, 00:00:16, Tunnel66

192.168.23.0/24 [90/44276062] via 192.168.24.6, 03:11:05, Serial2/0

192.168.25.0/24 [90/23796062] via 192.168.24.6, 03:11:05, Serial2/0

192.168.74.0/24 [90/34036062] via 192.168.24.6, 03:11:05, Serial2/0

192.168.76.0/24 [90/23796062] via 192.168.24.6, 03:11:05, Serial2/0

iPexpert's Lab Preparation Workbook

iPexpert's Lab Preparation Workbook

R14#traceroute 172.16.200.2 num

iPexpert's Lab Preparation Workbook

ISP3 is trying to reach ISP2 network of 10.102.102.0 /24 but is unsuccessful.

iPexpert's Lab Preparation Workbook

Starbucks Coffee branch-1 cannot communicate with Starbucks branch-2.

iPexpert's Lab Preparation Workbook

R20#ping 10.16.16.16 so lo0

iPexpert's Lab Preparation Workbook

iPexpert's Lab Preparation Workbook

400 Bad Request

iPexpert's Lab Preparation Workbook