(v5)
Table of Contents
iPexpert's End-User License Agreement
Welcome, and Thank You!
Feedback
Technical Support and Freebies
Lab 5: Troubleshooting Section
Before You Begin
General Rules
Pre-Setup
Incident 1
Incident 2
Incident 3
Incident 4
Incident 5
Incident 6
Incident 7
Incident 8
Incident 9
Incident 10
Lab 5: Diagnostic Section
Before You Begin
General Rules
Ticket 1
Ticket 2
Ticket 3
Lab 5: Configuration Section
Before You Begin
General Rules
Pre-Setup
Section 1.0: Layer 2 Technologies
Section 2.0: IP Routing
Section 3.0: IPv4 VPN Technology
Section 4.0: IP Security
Section 5.0: Infrastructure Services
Technical Verification and Support
Version 5.1B
Feedback
At iPexpert, we value the feedback (both positive and constructive) offered by our clientele. Our
dedication to offering the best tools and content to help students succeed could not be possible
without your comments and suggestions. Your feedback is what continually keeps us enhancing our
product portfolio, and it is greatly appreciated. If there is anything you'd like us to know, please do so
via the feedback@ipexpert.com alias.
In addition, when you pass your CCIE Lab Exam, we want to hear about it! Please email your Full
Name (used in the CCIE Verification Tool), CCIE number and the track to success@ipexpert.com and
let us know how iPexpert played a role in your success. We would like to be sure you're welcomed
into the "CCIE Club" appropriately and to send you a gift for your accomplishment.
A restructure of the way the lab is delivered. You will first have to complete a Troubleshooting
section where you'll have access to the rack that Cisco provides you to do so. The next section
consists of the Diagnostics section, which is done without access to your rack. The third section is
the Configuration section, which is the actual "lab" that most people focus on, and have been
primarily concerned about in the past. With this new lab structure, it's VERY IMPORTANT that
you are well prepared for all three Sections of the lab exam. At any point, you could fail the lab
exam if you don't receive enough points in 1 of the 3 sections.
Cisco has also made a drastic change in the topology that you'll be given. It's common knowledge
at the time of this book's publication that the topology you're given has gone from their previous
6 to 8 router / 4 switch topology (seen in the labs previous to V4), to a topology that could
potentially consist of up to 40 routers and 8 switches. It's imperative that you work through
practice scenarios on a large topology so you're familiar with the intricacies and technological
specifics that can be introduced with a topology that large.
Cisco has also changed their retake policy, which now requires their CCIE candidates to wait
longer durations before their next attempt(s). Below we have listed Cisco's new policy.
And, finally, Cisco has created this impressive blueprint and broken it into sections. Cisco
provides you with the 5 section titles and the number of points so you're able to understand how
their grading works and how much focus and attention is placed on that various section. The
primary section outline is provided below; however, we have not provided all of the topics and
subtopics that Cisco has provided. We recommend that you reference Cisco's website URL which
provides these details for the Routing and Switching V5 Lab - which will require you to have a
CCO and Cisco Learning Network login prior to being given access. That URL was found here at
the date of this book's publication.
Cost
The Lab Exam cost does not include travel and lodging expenses. Costs may vary due to exchange
rates and local taxes (VAT, GST). You are responsible for any fees your financial institution charges to
complete the payment transaction. Price not confirmed and is subject to change until full payment is
made. For more information on the Lab Exam Registration please reference the Take Your Lab
Exam tab.
Lab Environment
The Cisco documentation is available in the lab room, but the exam assumes knowledge of the more
common protocols and technologies. The documentation can be navigated using the index. No
outside reference materials are permitted in the lab room. You must report any suspected
equipment issues to the proctor during the exam; adjustments cannot be made once the exam is
over.
Lab Format
The CCIE Routing and Switching Lab exam consists of a 2-hour Troubleshooting section, a 30-minute
Diagnostic section, and a 5-hour Configuration section. Candidates may choose to borrow up to 30
minutes from the Configuration section and use it in the Troubleshooting section.
Payment Terms
Make your request within 14 days following your exam date by using the "Request for Reread" link
next to your lab record. A Reread costs $1000.00 USD and a Review costs $400.00 USD. Payment is
made online via credit card and your Reread or Review will be initiated upon successful payment. You
may not cancel the appeal request once the process has been initiated. Refunds are given only when
results change from fail to pass.
Troubleshooting
The CCIE Routing and Switching Lab exam features a 2-hour troubleshooting section. Candidates will
be presented with a series of trouble tickets for preconfigured networks and need to diagnose and
resolve the network fault or faults. As with the configuration section, the network must be up and
running for a candidate to receive credit. Candidates who finish the troubleshooting section early
may proceed on to the diagnostic section, but they will not be allowed to go back to troubleshooting.
NOTE
This concludes any referenced content seen or found on Cisco's Learning Network.
General Rules
You may modify, but not delete or remove any prefix-lists, route-maps, or access-lists.
Do not modify any IP addressing on any interfaces.
The BB routers are not accessible.
All routers have an interface loopback 0 with the address 10.x.x.x, where x is the router number.
ISP routers have a loopback address of 10.10x.10x.10x. BB routers have a loopback address of
100.x.x.x. Switches have loopback addresses of 172.xx.xx.xx.
MPLS routers have a loopback address of 10.x.x.x/32.
Static/default routes are NOT allowed unless otherwise stated in the task.
Save your configurations often.
Pre-Setup
Please login to your vRack and load the initial Configuration. This lab is intended to be used with
online rack access. Connect to the terminal server and complete the troubleshooting tasks as
detailed below.
Diagram 5.1
Diagram 5.2
Diagram 5.3
Diagram 5.4
Incident 1
(3 points)
Users from remote branch-1 have lost connectivity to the iPexpert HQ office.
The users mentioned that they can still reach the other remote branches.
Fix the issues so that remote branch-1 can reach the HQ and all the remote branches. The
outputs should match the below:
D EX
D EX
D EX
R24#traceroute 10.23.23.23
Type escape sequence to abort.
Tracing the route to 10.23.23.23
VRF info: (vrf in name/id, vrf out name/id)
1 40.40.40.23 37 msec 37 msec *
Incident 2
(1 point)
Users that are located in VLAN100 of the IPexpert HQ office have lost access to the Server which
is located in VLAN200.
Isolate and fix the issues so R10 is reachable from R14. The outputs should match the below:
0 msec
Incident 3
(2 points)
Incident 4
(2 points)
Incident 5
(1 point)
The Global Provider network engineer is having IPv6 connectivity issues between the Data Center
and their DR site and cannot reach one of their IPv6 Management web sites.
Fix the issue so that the following sequence of commands produces the same relevant result:
ISP3#ping www.global.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:50:50::50, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 25/28/30 ms
ISP3#telnet www.global.com 80
Translating "www.global.com"...domain server (255.255.255.255)
Trying 2001:50:50::50, 80 ... Open
get
HTTP/1.1 400 Bad Request
Incident 6
(2 points)
The NOC team has identified it has lost connectivity to the Global Provider DR Site.
Isolate and fix the configuration such that the traffic can reach its destination as shown in the
output:
Incident 7
(3 points)
*
194.45.67.1 [AS 10100] [MPLS: Labels 17/18 Exp 0] 27 msec *
ISP4#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 27/28/30 ms
NOTE
This incident is dependent on Incident 6.
Incident 8
(2 points)
Administrator users that are connected to the R5 router are not able to use tftp to download the
configuration backup from BB1, which is located at the remote Office.
NOTE
While resolving this issue, you are not allowed to create any new interface.
Incident 9
(1 point)
User traffic from the Starbucks Asia Pacific office must load balance towards the
172.9.9.9 Server.
Fix the issue so that BB3 can ping the server and we have the following output on SW2.
NOTE
You are not allowed to remove any configurations.
Incident 10
(2 points)
User BB3 is unable to reach the DNS server of 8.8.4.4 on the Internet.
Fix the issues so that we have reachability.
The outputs should match the below:
NOTE
This incident is dependent on Incident 6.
This concludes the Troubleshooting Section of iPexpert's R&S Lab 5 Workbook, Volume 2
Copyright iPexpert. All Rights Reserved.
General Rules
You do not have access to any equipment.
You are not required to configure any equipment.
Questions may be best selection, fill in the blank, multiple choice, order of operations, or best
match.
Ticket 1
(3 points)
A new trouble ticket has been escalated to you. The following information has been provided to help
with understanding the issue. Diagnose and help resolve the issue:
Dade Murphy
HelpDesk Representative
Office: 999-999-9999 | helpdesk@ipexpert.com
Router Configuration
SW-BB Config
SW-BB#sh run
Building configuration...
ip subnet-zero
ip routing
no ip domain-lookup
ip domain-name blade.com
ip dhcp excluded-address 172.20.1.1 172.20.1.10
any
any
!
snmp-server community public RO
snmp-server community NMSRO RO 5
snmp-server enable traps license
snmp-server host 123.1.1.89 bladewr
snmp-server host 123.1.1.123 public
snmp-server host 123.1.1.89 public
radius-server host 123.1.1.16 auth-port 1812 acct-port 1813 key 7 123A0C25134855522E28
radius-server source-ports 1645-1646
!
control-plane
!
banner motd ^C
******************************
Blade Company LTD.
Device name: $hostname
Warning:
Any unauthorized access to
this system is unlawful, and
may be subject to civil and/or
criminal penalties!
******************************
^C
alias exec u undebug all
!
line con 0
logging synchronous
line vty 0 4
access-class 10 in
logging synchronous
Device ID
Local Intrfce
Holdtme
ccmpub
Gig 1/0/2
166
SEP001A6D10AD7E
Gig 1/0/5
Capability
Platform
Port ID
VMware
eth0
124
ATA 186
Port 1
170
R S I
WS-C4506
Gig 4/14
170
R S I
WS-C4506
Gig 4/13
Gig 1/0/2
130
VMware
eth0
BLD_MAIN_SW
Gig 1/0/28
175
R S I
BLD_MAIN_SW
Gig 1/0/27
173
R S I
160
Gig 1/0/1
148
R S I
BLD_SW_1
Gig 1/0/24
122
S I
BLD_SW_2
Gig 1/0/22
172
S I
BLD_SW_3
Gig 1/0/21
134
S I
BLD_SW_4
Gig 1/0/26
160
S I
BLD_SW_6
Gig 1/0/25
137
S I
BLD_SW_8
Gig 1/0/23
124
S I
blade_BB.blade.com
Gig 1/0/4
blade_BB.blade.com
Gig 1/0/3
unitypub.blade.com
Presence.blade.com
Gig 1/0/2
VMware
eth0
2811
Fas 0/0
Meir_BLD_Router_VOICE.blade.com
BLD_SW1 Config
BLD_SW_1#sh run
Building configuration...
ip subnet-zero
!
no ip domain-lookup
!
!
!
!
!
any
any
BLD_SW2 Config
BLD_SW_2#sh run
Building configuration...
ip subnet-zero
!
no ip domain-lookup
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree loopguard default
spanning-tree portfast bpduguard default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
any
any
Network Topology
28:c0:da:30:f6:81
00:00:00:00:fd:00
00:00:00:00:fe:01
08:00:27:00:A4:99
80:86:F2:6B:0D:DB
IPv4mcast_05
ff:ff:ff:ff:ff:ff
Vmware:ca:7d:f4
Cisco_45:9a:24
Cisco_45:9a:20
00:27:0d:45:9a:24
Ticket 2
(3 points)
You have been away at a Cisco training for the past week. While you were out, your company added
a new supplier using the BGP protocol. Your co-worker configured the entire thing and everything is
working properly. Now they have decided that an IPv6 BGP peer is necessary on top of this
connection; unfortunately, your co-worker configured the entire thing in the NLRI format (legacy syntax).
You've been asked to modify the BGP configuration to support multiple address families without
removing any configurations and explicitly with NO down time. Review the information provided for a
better understanding of the issue.
Router configuration
RTR-SUP#sh run
Building configuration...
Neighbor AS MsgRcvd MsgSent TblVer State/PfxRcd
3.3.3.20 64782 0 never Idle
10.10.10.20 65489 0 never Idle
123.20.1.18 8005 0 00:02:44
Using the information provided, choose the best option to accomplish this task:
Schedule a maintenance window, quickly remove existing bgp config and replace with new
multi-af config.
Fortunately, IOS provides a feature to automate the transition in the form of a simple
command: bgp upgrade-cli, which is run at the global under configuration. No down time is
required.
Fortunately, IOS provides a feature to automate the transition in the form of a simple
command: bgp upgrade-cli, which is run at the global under configuration. This cannot be
accomplished without any downtime.
Fortunately, IOS provides a feature to automate the transition in the form of a simple
command: bgp upgrade-cli, which is run under the bgp process configuration. No down time
is required.
Fortunately, IOS provides a feature to automate the transition in the form of a simple
command: bgp upgrade-cli, which is run under the bgp process configuration. This cannot be
accomplished without any downtime.
Ticket 3
(3 points)
Users are complaining and have opened a trouble ticket that has been assigned to you. They are
complaining that they cannot reach a specific remote office (R2 / R3), but can reach the Main office
(R1). Obviously there is a connectivity issue of some sort. Help identify the cause and choose a
solution.
R1 Outputs
R1#sh ip ei ne
IP-EIGRP neighbors for process 100
H   Address         Interface   Hold Uptime    SRTT   RTO   Seq
                                (sec)          (ms)         Cnt Num
    10.10.10.3      Fa0/0         14 00:00:09   212  1272
    10.10.10.2      Fa0/0         14 00:01:08  1041  5000
R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
R1#debug ip eigrp
*Mar 1 00:26:25.343: IP-EIGRP(Default-IP-Routing-Table:100): route installed for
100.0.0.0 (Summary)
*Mar
R2 Outputs
R2#sh ip ei ne
IP-EIGRP neighbors for process 100
H   Address         Interface   Hold Uptime    SRTT   RTO   Seq
                                (sec)          (ms)         Cnt Num
    10.10.10.1      Fa0/0         13 00:01:18    48   288
R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
R2#debug ip eigrp
*Mar 1 00:25:17.315: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.10.10.1
(FastEthernet0/0) is down: holding time expired
*Mar 1 00:26:27.259: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.10.10.1
(FastEthernet0/0) is up: new adjacency
*Mar 1 00:26:27.447: IP-EIGRP(Default-IP-Routing-Table:100): Processing incoming
UPDATE packet
*Mar 1 00:26:29.243: IP-EIGRP(Default-IP-Routing-Table:100): 20.20.20.0/24 - don't
advertise out FastEthernet0/0
*Mar 1 00:26:29.243: IP-EIGRP(Default-IP-Routing-Table:100): 10.10.10.0/24 - do
advertise out FastEthernet0/0
*Mar 1 00:26:29.247: IP-EIGRP(Default-IP-Routing-Table:100): 20.0.0.0/8 - do
advertise out FastEthernet0/0
*Mar 1 00:26:29.247: IP-EIGRP(Default-IP-Routing-Table:100): Int 20.0.0.0/8 metric
128256 - 256 128000
*Mar 1 00:26:29.247: IP-EIGRP(Default-IP-Routing-Table:100): 10.0.0.0/8 - poison
advertise out FastEthernet0/0
*Mar 1 00:26:29.403: IP-EIGRP(Default-IP-Routing-Table:100): Processing incoming
UPDATE packet
*Mar 1 00:26:29.407: IP-EIGRP(Default-IP-Routing-Table:100): Int 100.0.0.0/8 M 409600
- 256000 153600 SM 128256 - 256 128000
*Mar 1 00:26:29.407: IP-EIGRP(Default-IP-Routing-Table:100): route installed for
100.0.0.0 ()
*Mar 1 00:26:29.427: IP-EIGRP(Default-IP-Routing-Table:100): Int 100.0.0.0/8 metric
409600 - 256000 153600
*Mar 1 00:26:29.559: IP-EIGRP(Default-IP-Routing-Table:100): Processing incoming
UPDATE packet
*Mar 1 00:26:29.563: IP-EIGRP(Default-IP-Routing-Table:100): Int 20.0.0.0/8 M
4294967295 - 256000 4294967295 SM 4294967295 - 256000 4294967295
*Mar 1 00:26:29.855: IP-EIGRP(Default-IP-Routing-Table:100): Processing incoming
UPDATE packet
*Mar 1 00:26:29.859: IP-EIGRP(Default-IP-Routing-Table:100): Int 30.0.0.0/8 M
4294967295 - 256000 4294967295 SM 4294967295 - 256000 4294967295
R3 Outputs
R3#sh ip ei ne
IP-EIGRP neighbors for process 100
H   Address         Interface   Hold Uptime    SRTT   RTO   Seq
                                (sec)          (ms)         Cnt Num
    10.10.10.2      Fa0/0         11 00:00:26  1283  5000
    10.10.10.1      Fa0/0         11 00:00:26   164   984
R3#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
R3#debug ip eigrp
*Mar 1 00:26:26.071: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.10.10.1
(FastEthernet0/0) is up: new adjacency
*Mar 1 00:26:28.023: IP-EIGRP(Default-IP-Routing-Table:100): Processing incoming
UPDATE packet
*Mar 1 00:26:28.035: IP-EIGRP(Default-IP-Routing-Table:100): 30.30.30.0/24 - don't
advertise out FastEthernet0/0
*Mar 1 00:26:28.035: IP-EIGRP(Default-IP-Routing-Table:100): 10.10.10.0/24 - do
advertise out FastEthernet0/0
*Mar 1 00:26:28.035: IP-EIGRP(Default-IP-Routing-Table:100): 30.0.0.0/8 - do
advertise out FastEthernet0/0
*Mar 1 00:26:28.039: IP-EIGRP(Default-IP-Routing-Table:100): Int 30.0.0.0/8 metric
128256 - 256 128000
*Mar 1 00:26:28.039: IP-EIGRP(Default-IP-Routing-Table:100): 10.0.0.0/8 - poison
advertise out FastEthernet0/0
EIGRP Topology
Area of Issue:
R2
Enable split-horizon on R1
R3
Enable split-horizon on R2
PC1
Disable split-horizon on R3
PC2
Disable split-horizon on R2
PC3
Disable split-horizon on R1
R1
Enable next-hop-self on R1
Disable next-hop-self on R1
Disable auto-summary on R1
Enable auto-summary on R2
Enable auto-summary on R3
This concludes the Diagnostic Section of iPexpert's R&S Lab 5 Workbook, Volume 2
Copyright iPexpert. All Rights Reserved.
General Rules
All IPv4 addresses are pre-configured except SVI, tunnel, and sub-interfaces, unless
otherwise noted.
All Service Provider routers are pre-configured and cannot be accessed during the lab.
Do not modify any IP addressing on any interfaces.
The BB routers are not accessible.
Static/default routes are NOT allowed unless otherwise stated in the task.
Save your configurations often.
Pre-Setup
Please login to your vRack and load the initial Configuration.
This lab is intended to be used with online rack access. Connect to the terminal server and
complete the troubleshooting tasks as detailed below.
Layer 2 Ports
(12 points)
(2 points)
Using the given diagrams, configure the switch-to-switch links as dot1q trunks.
Make sure that the trunk configuration is not negotiated.
Ensure that the following unused ports on all four switches are shutdown and configured as
access ports in vlan 999:
o
All unused ports on all switches are to be shutdown and configured as access ports in vlan 999 as
well.
Configure the networks of San Francisco office (ASN 23456) and Hawaii office (ASN 34567) as per
the following requirements:
Task 1.2:
Using the given diagrams, configure the switch-to-switch links as dot1q trunks on
interfaces e2/0 and e2/1.
All unused ports on all switches are to be shutdown and configured as access in VLAN
999
Switch Administration
(2 points)
Configure the network of San Francisco office (ASN 23456) as per the following requirements:
SW6 must be the vtp server and SW5 must be the vtp client
Configure the network of Hawaii office (ASN 34567) as per the following requirements:
Task 1.3:
Layer 2 VLANs
(3 points)
Task 1.4:
Spanning-Tree
(3 points)
Use the spanning-tree protocol which maintains one STP instance per VLAN and converges
rapidly.
SW1 should be the Root bridge for all odd VLANs and the secondary root bridge for all even
VLANs.
SW2 should be the primary Root bridge for all even VLANs and the secondary root bridge for all
odd VLANs.
SW6 should be the Root bridge for all odd VLANs and the secondary root bridge for all even
VLANs.
SW5 should be the primary Root bridge for all even VLANs and the secondary root bridge for all
odd VLANs.
Statically set the primary and secondary Root bridges to protect against other switches becoming
the root bridge.
All access ports should move to forwarding state immediately after coming up.
Use a single command to accomplish this on each device.
Enable port state recovery for storm-control errors, and also modify the interval to be half of the
default value.
Configure inter switch ports of SW1-SW4 in order to enforce the Root bridge placement in the
network.
Verify all directly connected devices can ping each other in Hawaii, San Francisco, and New York
HQ.
Task 1.5:
WAN Switching
(2 points)
The WAN links must rely on a layer 2 protocol that supports link negotiation and authentication.
The provider connections with R24 and R25 must use ip address negotiation and be
authenticated using a 3-Way Handshake with ISP6.
R24 must use the username "IPX-24" and the password "IPXKEY"
R25 must use the username "IPX-25" and the password "IPXKEY"
R20 must use the username "IPX-20" and the password "IPXKEY"
(35 points)
(2 points)
Configure the OSPF process id 12345 and set the router-id as the interface Loopback0 on all
routers.
Add all interfaces to the OSPF process except the links that leave the Autonomous System.
o
All addresses in the OSPF domain should be reachable by all devices in the AS.
The switches must not participate in routing at all.
Make sure the loopback interfaces are advertised properly with the original mask.
When finished, R1 must see the following OSPF routes in the routing table without modifying the
cost on any link:
R1#sh ip route ospf
101.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
O
Ethernet0/0
172.17.0.0/16 is variably subnetted, 8 subnets, 2 masks
O
Task 2.2:
EIGRP in AS 23456
(3 points)
All subnets included in EIGRP ASN 23456 should be reachable from every device in the AS,
including the Loopback interface of each router.
Using a single command only on one switch, ensure that R11 installs two equal-cost routes for the
following routes:
o
vlan 135
Do not change the interface bandwidth on any physical interface in ASN 23456.
Task 2.3:
EIGRP in AS 34567
(2 points)
For all three routers R18, R19, R20 use EIGRP with 64bit metrics.
SW7 and SW8 are Layer 3 switches and must configure EIGRP.
Advertise the loopback 0 interface of all devices in EIGRP AS 34567 as internal routes.
Task 2.4:
(2 points)
Task 2.5:
BGP in AS 65333
(4 points)
Configure eBGP between IPexperts New York and RPT according to the following requirements:
o
R9 is a CE router and uses eBGP to connect to management services that are provided by
the PE routers R2 and R3.
R9 must establish a separate eBGP peering with both R2 and R3 for every VRF.
10.0.0.0/8 summary-only
172.0.0.0/8 summary-only
R9 must advertise a default route to all of its BGP peers except for INET.
Task 2.6:
BGP in AS 65444
(4 points)
Task 2.7:
(3 points)
R20, R24, and R25 must establish an eBGP peering with AS 6666 in vrf GW.
o
They must receive a default route and all other prefixes from AS 6666.
Task 2.8:
(3 points)
Create the eBGP peerings from ASes: 65521, 65522, and 65523 to AS 4444.
Create the eBGP peering from AS 65522 to AS 7777.
Use the directly connected serial interfaces to make these peerings.
Do not perform any redistribution in these ASs.
R22 should not be sending 172.16.22.0/24 and 172.0.0.0/8 to ISP7.
R22 should use AS 4444 as the preferred exit point for traffic destined to remote ASes.
Task 2.9:
(3 points)
All routers in AS 65333 must filter the BGP prefixes which are advertised to their Service
Providers: they must allow the 172.0.0.0/8 prefix and a default route. All other VRFs must propagate
all prefixes.
All routers in AS 65444 must filter the BGP prefixes that are advertised to their Service Providers
and must allow only prefixes that belong to the 172.0.0.0/8 network.
65 msec
64 msec
64 msec
65 msec
(3 points)
Assign IPv6 addresses according to the IPv6 diagram and table below:
Table 5.12
Device   Interface   IPv6 Address
R2       e0/0        2004::23:1/112
R2       e0/1.26     2004::26:5/112
R3       e0/0        2004::23:2/112
R3       e0/1.37     2004::37:9/112
R6       e0/1.26     2004::26:6/112
R6       e0/1.64     2004::64:13/112
R7       e0/1.37     2004::37:10/112
R7       e0/1.75     2004::75:17/112
R4       e0/1        2004::64:14/112
R5       e0/1        2004::75:18/112
(3 points)
Table 5.13
Device   Interface   IPv6 Address
R4       s2/0        2004::44:1/112
R5       s2/0        2004::54:5/112
R21      s2/0        2004::21:21/112
R23      s2/0        2004::23:23/112
Configure IPv6 eBGP peerings between ASes 65521, 65523 and 65333 with AS 4444.
(3 points)
All devices in ASN 65423 and ASN 65420 must participate in multicast routing.
A ping to 232.8.8.8 must result in a response from the loopback 0 interfaces of R19, R24, and R25, as
displayed in the following output:
SW8#ping 232.8.8.8 source lo0
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 232.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 172.17.118.118
MPLS VPN
(16 points)
(3 points)
Complete the configuration of MPLS L3VPN in the IPexpert network according to the following
requirements:
o Ensure that no MPLS interface that belongs to any router in AS 65333 is visible on a
traceroute that originates outside of the AS.
Task 3.2:
(5 points)
GREEN
BLUE
RED
YELLOW
INET
R4 must establish an eBGP peering with the Service Providers AS 4444 for the following VRFs:
o GREEN
o BLUE
o RED
No BGP speaker in AS 65333 may use the network statement under any address-family of the
BGP router configuration.
Peer between ASN 65333 (R2, R3) and ASN 64520 (R9). Each sub-interface should have its own
BGP peering in its respective VRF.
Task 3.3:
DMVPN
(4 points)
Use the preconfigured interface tunnel0 on R20, R24, and R25 in order to accomplish
this task.
Use interface s2/0 as the source address of the tunnel on each device.
R24 and R25 must be the spokes and must participate in the NHRP information
exchange.
Ensure that spoke-to-spoke traffic does not transit via the hub.
Task 3.4:
DMVPN Encryption
(4 points)
All IPsec tunnels must be authenticated using the same IKE Phase 1 pre-shared key.
Use 1024 bits for the key exchange using the Diffie-Hellman algorithm.
Use the IPsec security protocol ESP and the algorithm AES with 128 bits.
Ensure that the DMVPN cloud is secured using the above parameters.
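One way to map these four requirements to IOS configuration on R20, R24 and R25, as an added example that is not part of the workbook. The policy number, key string, transform-set and profile names, the Phase 1 cipher, the SHA-1 HMAC and transport mode are assumptions; only the pre-shared key method, the 1024-bit Diffie-Hellman group (group 2), ESP with 128-bit AES and interface tunnel0 come from the task.

```cisco
! Added example, not the workbook's solution. Apply on R20, R24 and R25.
! EXAMPLE-PSK, DMVPN-TS and DMVPN-PROF are placeholder names (assumptions).
crypto isakmp policy 10
 ! Phase 1 cipher is not specified by the task; "aes" is 128-bit AES (assumption)
 encryption aes
 authentication pre-share
 ! Diffie-Hellman group 2 is the 1024-bit MODP group
 group 2
!
! One key for all peers. The wildcard address is needed because
! spoke-to-spoke peers are only learned dynamically through NHRP.
crypto isakmp key EXAMPLE-PSK address 0.0.0.0 0.0.0.0
!
! ESP with AES ("esp-aes" is 128-bit); the HMAC choice is an assumption
crypto ipsec transform-set DMVPN-TS esp-aes esp-sha-hmac
 ! Transport mode avoids a second IP header on top of GRE (assumption)
 mode transport
!
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 tunnel protection ipsec profile DMVPN-PROF
```

Check the result with show crypto isakmp sa, show crypto ipsec sa and show dmvpn. The 1024-bit group and a wildcard pre-shared key satisfy the lab wording, but production designs normally use a larger Diffie-Hellman group and per-peer or certificate authentication.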
Device Security
(5 points)
(3 points)
All users who connect from R2 to R9 via a VTY line using telnet with the username
"OPERATOR" and password "CISCO" must be prompted with the displayed menu:
Leave one line for regular telnet access authenticating users with the Local Database.
Every single function in the menu must display the correct output.
Escape to Shell
Disconnect
Task 4.2:
Network Security
(2 points)
Ensure that interfaces E0/1-3, and E1/2-E1/3 of SW2 forward traffic that was sent from
expected and legitimate hosts and servers.
SW2 must dynamically learn only one MAC address per port and must save the MAC
address in its startup configuration.
SW2 must shut down the port if a security violation occurs on any of these ports.
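The three requirements above correspond to port security with sticky learning, shown here as an added example that is not part of the workbook. It assumes the listed SW2 ports are host-facing access ports; the maximum of one address and the shutdown violation action are the platform defaults, written out so the intent is visible in the configuration.

```cisco
! Added example, not the workbook's solution. Assumes these are access ports.
interface range Ethernet0/1 - 3 , Ethernet1/2 - 3
 ! Port security cannot be enabled on a port left in dynamic mode
 switchport mode access
 switchport port-security
 ! Only one MAC address may be learned per port
 switchport port-security maximum 1
 ! Learn the address dynamically and write it into the running configuration
 switchport port-security mac-address sticky
 ! A violation puts the port into the err-disabled state
 switchport port-security violation shutdown
!
end
! Sticky entries exist only in the running configuration until it is saved
copy running-config startup-config
```

Verify with show port-security interface Ethernet0/1 and show port-security address. A port that was shut down by a violation stays err-disabled until it is manually bounced (shutdown, then no shutdown) or errdisable recovery is configured.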
(4 points)
(2 points)
The New York branch needs a CLI configuration auditing solution, one that doesn't require
purchasing any new devices/servers such as TACACS+ or any AAA solution.
Configure routers R1-R3 in ASN 12345 to locally track changes made to their running configuration.
o Ensure that passwords in the configuration will not be sent across this communication
channel.
Limit the number of logged commands kept by the config log to a maximum of 1000 entries.
Verify this on all routers by typing the following commands and receiving the same
output:
conf t
RX (config)#int e0/0
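Local change tracking without an AAA server is provided by the IOS configuration change logger, shown here as an added example that is not part of the workbook. The notify syslog line is an assumption: the bullet that names the "communication channel" is missing from this page, and syslog notification is the channel this feature offers.

```cisco
! Added example, not the workbook's solution. Apply on R1, R2 and R3.
archive
 log config
  ! Record every configuration command together with user and session
  logging enable
  ! Keep at most 1000 entries in the local config log
  logging size 1000
  ! Replace passwords and keys with asterisks in logged entries
  hidekeys
  ! Assumption: forward each logged change as a syslog message
  notify syslog
```

After entering a test change such as the conf t and int e0/0 sequence above, show archive log config all lists the logged commands with the user who entered them.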
Task 5.2:
logged
The output that is shown below must be seen on R20 during 10 seconds after R25
successfully pinged interface Lo21 of R21.
SrcIf    SrcIPaddress     DstIf    DstIPaddress
Et0/1    172.16.21.254    Tu0*     172.16.25.254    01 0000 0800 500
This concludes the Configuration Section of iPexpert's R&S Lab 5 Workbook.
Copyright iPexpert. All Rights Reserved.