SECTION 1.1
Configure the ACME Headquarters network (AS 12345) as per the following requirements
· SW1 must be the VTP server and SW2 must be the VTP client
· Secure all VTP updates with an MD5 digest of the ASCII string “CCIErocks$”
· In order to avoid as much as possible unknown unicast flooding in all vlans the
administrator requires that any dynamic entries learned by other SW1 and SW2 must be
Configure the network of the New York office (AS 34567) as per the following requirements
· SW3 and SW4 must not advertise their vlan config but must forward VTP advertisement
· Secure all VTP updates with an MD5 digest of the ASCII string “CCIErocks$”
Answers:
SW-1(config)#vtp version 2
SW-1(config)#vtp domain CCIE
SW-1(config)#vtp mode server
SW-1(config)#vtp password CCIErocks$
SW-1(config)#end
SW-1#
SW-2(config)#vtp version 2
SW-2(config)#vtp domain CCIE
SW-2(config)#vtp mode client
SW-2(config)#vtp password CCIErocks$
SW-2(config)#end
SW-2#
Page 1 of 65
★眞的愛妳★ CCIE R&S v5.0 Lab Section 2014.9.9
SW-1#sh mac address-table aging-time
Global Aging Time: 300
Vlan Aging Time
---- ----------
SW-1#
The default MAC address aging time is 300 seconds (5 minutes) on both switches:
SW-4(config)#vtp version 2
SW-4(config)#vtp domain CCIE
SW-4(config)#vtp mode transparent
SW-4(config)#vtp password CCIErocks$
SW-4(config)#end
SW-4#
· Complete the config of all vlans so that all routers that are located in ACME's
headquarters (AS12345) and New York office (AS 34567) can ping their directly
connected neighbors
· All four switches (SW1-SW4) must have dot1q trunks that do not rely on negotiation do
· Ensure that the following unused ports on all four switches are shut down and configured
Answers:
SW-1(config)#do sh vlan brief | ex 100
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Et3/0, Et3/1, Et3/2, Et3/3
14   VLAN0014                         active    E0/0,E1/0
15   VLAN0015                         active    E1/1
23   VLAN0023                         active    E0/1,E0/2
24   VLAN0024                         active    E0/3
67   VLAN0067                         active    E1/2,E1/3
SW-1(config)#vlan 14,15,23,24,35,46,57,67,99
SW-1(config-vlan)#exit
SW-1(config)#
SW-3(config)#vlan 34,38,49,89,111,310,411,999
SW-3(config-vlan)#exit
SW-3(config)#
on all switches:
sw1-sw4:
int range eth 3/0 - 3
switchport trunk encapsulation dot1q
switchport mode trunk
Now you can verify that all VLANs are present on each switch.
· SW1 must be the root switch for all odd vlans and must be the backup for all even vlans
· SW2 must be the root switch for all even vlans and must be the backup for all odd vlans
· SW3 must be the root switch for all odd vlans and must be the backup for all even vlans
· SW4 must be the root switch for all even vlans and must be the backup for all odd vlans
· Explicitly configure the root and backup roles, assuming that other switches with default
· Use the STP mode that has only three possible states
· All access ports must immediately transition to the forwarding state upon link up and
they must still participate in STP. Use a single command per switch to enable this
· Access ports must automatically shut down if they receive any BPDU and an
administrator must still manually re-enable the port. Use a single command per switch
Answers
1.3 implement spanning tree/solutions
CPS_A1_ABHI_NAG_SW1(config)#spanning-tree mode rapid-pvst
CPS_A1_ABHI_NAG_SW1(config)#spanning-tree portfast default
CPS_A1_ABHI_NAG_SW1(config)#spanning-tree portfast bpduguard default
CPS_A1_ABHI_NAG_SW4(config)#spanning-tree mode rapid-pvst
CPS_A1_ABHI_NAG_SW4(config)#spanning-tree portfast default
CPS_A1_ABHI_NAG_SW4(config)#spanning-tree portfast bpduguard default
solutions Verification
authentication.
· The Service provider expects both R18 and R19 to complete three-way handshake by
Answers
CPS_A1_ABHI_NAG_R18(config)#interface serial1/0
CPS_A1_ABHI_NAG_R18(config-if)#ip address 203.3.18.2 255.255.255.252
CPS_A1_ABHI_NAG_R18(config-if)#encapsulation ppp
CPS_A1_ABHI_NAG_R18(config-if)#ppp chap hostname ACME-R18
CPS_A1_ABHI_NAG_R18(config-if)#ppp chap password CCIE
CPS_A1_ABHI_NAG_R18(config-if)#no shutdown
CPS_A1_ABHI_NAG_R18(config-if)#end
CPS_A1_ABHI_NAG_R18#ping 203.3.18.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.3.18.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/8/9 ms
CPS_A1_ABHI_NAG_R18#
Did you notice the host route for the PE interface? It is generally not recommended when the two PPP
peers have IP addresses in the same subnet. We can disable it with the command no peer neighbor-route:
CPS_A1_ABHI_NAG_R18(config)#interface serial1/0
CPS_A1_ABHI_NAG_R18(config-if)#shutdown
CPS_A1_ABHI_NAG_R18(config-if)#no peer neighbor-route
CPS_A1_ABHI_NAG_R18(config-if)#no shutdown
CPS_A1_ABHI_NAG_R18(config-if)#end
CPS_A1_ABHI_NAG_R18#ping 203.3.18.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.3.18.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 9/9/10 ms
CPS_A1_ABHI_NAG_R18#
CPS_A1_ABHI_NAG_19(config)#interface serial1/0
CPS_A1_ABHI_NAG_19(config-if)#ip address 203.3.19.2 255.255.255.252
CPS_A1_ABHI_NAG_19(config-if)# encapsulation ppp
CPS_A1_ABHI_NAG_19(config-if)# ppp chap hostname ACME-19
CPS_A1_ABHI_NAG_19(config-if)# ppp chap password CCIE
CPS_A1_ABHI_NAG_19(config-if)# no peer neighbor-route
CPS_A1_ABHI_NAG_19(config-if)# no shutdown
CPS_A1_ABHI_NAG_19#ping 203.3.19.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.3.19.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 15/17/19 ms
CPS_A1_ABHI_NAG_19#
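The three-way handshake that the ppp chap hostname and ppp chap password commands above take part in, as an added example (not part of the original workbook): a Python model of the RFC 1994 CHAP Challenge, Response and Success/Failure exchange, using the ACME-R18 / CCIE values from the R18 answer. The authenticator name SP-PE and all class and function names are assumptions made for the illustration.

```python
"""CHAP (RFC 1994) three-way handshake model. Added example, not workbook code."""
import hashlib
import hmac
import os
import struct

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4


def build_packet(code, ident, value=b"", name=b""):
    """Encode a CHAP packet: Code, Identifier, Length, then the data field."""
    if code in (CHALLENGE, RESPONSE):
        data = bytes([len(value)]) + value + name   # Value-Size, Value, Name
    else:
        data = name                                 # Success/Failure: message only
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data


def parse_packet(pkt):
    """Decode a CHAP packet into (code, identifier, value, name_or_message)."""
    if len(pkt) < 4:
        raise ValueError("short CHAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad CHAP length field")
    data = pkt[4:length]
    if code in (CHALLENGE, RESPONSE):
        if not data or 1 + data[0] > len(data):
            raise ValueError("bad Value-Size")
        size = data[0]
        return code, ident, data[1:1 + size], data[1 + size:]
    return code, ident, b"", data


def chap_digest(ident, secret, challenge):
    """Response value = MD5(Identifier || secret || Challenge value)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Authenticator:
    """The challenging side (the service provider router in the lab)."""

    def __init__(self, name, secrets):
        self.name = name
        self.secrets = secrets      # peer name -> shared secret
        self.ident = 0
        self.pending = None         # challenge value awaiting a response

    def challenge(self):
        self.ident = (self.ident + 1) % 256
        self.pending = os.urandom(16)       # fresh and unpredictable each time
        return build_packet(CHALLENGE, self.ident, self.pending, self.name)

    def verify(self, response_pkt):
        code, ident, value, peer = parse_packet(response_pkt)
        secret = self.secrets.get(peer)
        ok = False
        if (code == RESPONSE and ident == self.ident
                and secret is not None and self.pending is not None):
            expected = chap_digest(ident, secret, self.pending)
            ok = hmac.compare_digest(value, expected)
        self.pending = None                 # a challenge is valid for one response
        return build_packet(SUCCESS if ok else FAILURE, ident,
                            name=b"welcome" if ok else b"denied")


def respond(challenge_pkt, hostname, password):
    """The authenticating side (R18): answer a Challenge with a Response."""
    code, ident, value, _auth_name = parse_packet(challenge_pkt)
    if code != CHALLENGE:
        raise ValueError("expected a CHAP Challenge")
    return build_packet(RESPONSE, ident, chap_digest(ident, password, value), hostname)


def handshake(auth, hostname, password):
    """Run Challenge -> Response -> Success/Failure; return the final code."""
    reply = auth.verify(respond(auth.challenge(), hostname, password))
    return parse_packet(reply)[0]


def new_authenticator():
    # "SP-PE" is a hypothetical name; ACME-R18 / CCIE come from the lab answer.
    return Authenticator(b"SP-PE", {b"ACME-R18": b"CCIE"})


if __name__ == "__main__":
    auth = new_authenticator()
    print("correct secret:", handshake(auth, b"ACME-R18", b"CCIE") == SUCCESS)
    print("wrong secret:  ", handshake(auth, b"ACME-R18", b"cisco") == SUCCESS)
    old = respond(auth.challenge(), b"ACME-R18", b"CCIE")
    auth.challenge()    # a new challenge makes the earlier response stale
    print("stale response:", parse_packet(auth.verify(old))[0] == SUCCESS)
```

The password never crosses the link, only the MD5 digest over it and the challenge, so the strength of the exchange rests on the shared secret being long and random and on the challenge never repeating.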
Solution verification
Configure OSPFv2 area 0 in ACME HQ (AS12345) according to the following requirements
· Configure the OSPF process id to 12345 and set the router id to interface lo0 on all seven
routers
· The interface lo0 at each router must be seen as an internal OSPF prefix by all other
routers
· Ensure that OSPF is not running on any interface that is facing another AS. use any
R1#
R1#ping 123.10.1.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R1#
R1(config-router)#router ospf 12345
R1(config-router)#router-id 123.1.1.1
R1(config-router)#net 0.0.0.0 255.255.255.255 area 0
R1(config-router)#end
R2#ping 123.10.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R2#
R2#ping 123.10.1.18
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.18, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R2#
R3#ping 123.10.1.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R3#
R3#ping 123.10.1.14
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.14, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R3#
R4#ping 123.10.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R4#
R4#ping 123.10.1.17
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.17, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R4#
R4#ping 123.10.1.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R4#
R5#ping 123.10.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R5#
R5#ping 123.10.1.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R5#
R5#ping 123.10.1.30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.30, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R5#
R6#ping 123.10.1.26
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.26, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R6#
R6#ping 123.10.1.21
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.21, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R6#
R7#ping 123.10.1.25
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.25, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R7#
R7#ping 123.10.1.29
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.29, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R7#
>>>from here show the routing table of each device and ping all devices loopbacks
· The interface lo0 must be seen as an internal EIGRP prefix by all other routers
· Ensure the EIGRP is not running on any interface that is facing another AS use any
· Using a single command on one switch only ensure that R8 installs two equal-cost route
· vlan 411
· Using a single command on one switch only ensure that R9 installs two equal cost route
· vlan 310
R8#ping 123.10.2.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R8#
R8#sh ip eigrp neighbors
EIGRP-IPv4 VR(CCIE) Address-Family Neighbors for AS(34567)
R8#
R9#ping 123.10.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R9#
R9#ping 123.10.2.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R9#
R10#ping 123.10.2.17
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.17, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R10#
R10#ping 123.10.2.26
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.26, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R10#
R11#ping 123.10.2.25
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.25, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R11#
R11#ping 123.10.2.21
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.21, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R11#
SW3#ping 123.10.2.14
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.14, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
SW3#
SW3#ping 123.10.2.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
SW3#
SW3#ping 123.10.2.18
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.18, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
SW3#
SW3#sh ip eigrp interfaces
EIGRP-IPv4 VR(CCIE) Address-Family Interfaces for AS(34567)
                    Xmit Queue   PeerQ        Mean   Pacing Time   Multicast    Pending
Interface    Peers  Un/Reliable  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Lo0            0        0/0       0/0           0       0/0            0           0
Vl38           1        0/0       0/0           0       0/0            0           0
Vl34           0        0/0       0/0           0       0/0            0           0
Vl310          1        0/0       0/0           0       0/0            0           0
SW3#
SW4#ping 123.10.2.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
SW4#
SW4#ping 123.10.2.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
SW4#
SW4#ping 123.10.2.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
SW4#
SW4(config-router)#router eigrp CCIE
SW4(config-router)#net 123.44.44.44 0.0.0.0
SW4(config-router)#net 123.10.2.10 0.0.0.0
SW4(config-router)#net 123.10.2.14 0.0.0.0
SW4(config-router)#net 123.10.2.21 0.0.0.0
SW4(config-router)#end
<<<<please show all eigrp neighbors and routing tables and ping all loopbacks source from lo0 of all
devices to compare>>>>>>
· The interface lo0 must be seen as an internal EIGRP prefix by all other routers
· Ensure the EIGRP is not running on any interface that is facing another AS use any
· Sw5 and sw6 are layer 3 switches and must configure EIGRP
· On all three routers R15, 16, 17 use EIGRP with 64bit version
R15#ping 123.20.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.20.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R15#
R15#ping 123.20.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.20.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R15#
R15#ping 123.10.2.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R15#
R16#ping 123.20.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.20.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R16#
R16#ping 123.10.2.18
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.18, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R16#
R17#ping 123.20.1.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.20.1.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R17#
R17#ping 123.10.2.17
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.17, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R17#
· The interface lo0 at each router must be seen as an internal EIGRP prefix by all other
routers
· Ensure that EIGRP is not running on any interface that is facing another AS use any
· R17 is the DMVPN hub and R18 and R19 are the spokes; use the pre-configured tunnel 0
Configure the BGP in ACME’s HQ (AS 12345) according to the following requirements
· All BGP routers must use their int lo0 as their router-id
· Disable the default ipv4 unicast address family for peering session establishment in all
BGP routers
Configure eBGP between ACME's San Francisco and San Jose sites according to the
following requirements
· R20 is the CE router and used eBGP to connect to the manages services that are
· R20 must establish separate eBGP peerings with both R2 and R3 for every V
· R20 must advertise the following prefix to all the BGP peers
123.0.0.0/8 summary-only
10.0.0.0/8 summary-only
· R20 must advertise a default route to all of its BGP peers except to 10.120.99.1 and
10.120.99.5
R2:
R2(config)#router bgp 12345
R2(config-router)#bgp router-id 123.2.2.2
R2(config-router)#no bgp default ipv4-unicast
R2(config-router)#neighbor 123.1.1.1 remote-as 12345
R2(config-router)#neighbor 123.1.1.1 update-source loopback 0
R2(config-router)#address-family ipv4
R2(config-router-af)#neighbor 123.1.1.1 activate
R2(config-router-af)#exit-address-family
R2(config-router-af)#end
R2#
R3:
R3(config)#router bgp 12345
R3(config-router)#bgp router-id 123.3.3.3
R3(config-router)#no bgp default ipv4-unicast
R3(config-router)#neighbor 123.1.1.1 remote-as 12345
R3(config-router)#neighbor 123.1.1.1 update-source loopback 0
R3(config-router)#address-family ipv4
R3(config-router-af)#neighbor 123.1.1.1 activate
R3(config-router-af)#exit-address-family
R3(config-router-af)#end
R3#
R6:
R6(config)#router bgp 12345
R6(config-router)#bgp router-id 123.6.6.6
R6(config-router)#no bgp default ipv4-unicast
R6(config-router)#neighbor 123.1.1.1 remote-as 12345
R6(config-router)#neighbor 123.1.1.1 update-source loopback 0
R6(config-router)#address-family ipv4
R6(config-router-af)#neighbor 123.1.1.1 activate
R6(config-router-af)#exit-address-family
R6(config-router-af)#end
R6#
R7:
R7(config)#router bgp 12345
R7(config-router)#bgp router-id 123.7.7.7
R7(config-router)#no bgp default ipv4-unicast
R7(config-router)#neighbor 123.1.1.1 remote-as 12345
R7(config-router)#neighbor 123.1.1.1 update-source loopback 0
R7(config-router)#address-family ipv4
R7(config-router-af)#neighbor 123.1.1.1 activate
R7(config-router-af)#exit-address-family
R7(config-router-af)#end
R7#
::VRF CONFIGS::
R2:
R2(config)#router bgp 12345
R2(config-router)#address-family ipv4 vrf GREEN
R2(config-router-af)#neighbor 10.120.12.2 remote-as 65112
R2(config-router-af)#neighbor 10.120.12.2 activate
R2(config-router-af)#exit-address-family
R3:
R3(config)#router bgp 12345
R3(config-router)#address-family ipv4 vrf GREEN
R3(config-router-af)#neighbor 10.120.12.6 remote-as 65112
R3(config-router-af)#neighbor 10.120.12.6 activate
R3(config-router-af)#exit-address-family
R20:
R20(config)#router bgp 65112
R20(config-router)#net 10.0.0.0
R20(config-router)#net 123.0.0.0
R20(config-router)#auto-summary
<<<<<<<<<<<<<sho ip bgp on R20 and R3,sh bgp all summary,sh ip bgp vpnv4 all>>>>>>>>>>>>>>>>>
BGP is partially pre-configured in ACME New York office, complete the config as required
· SW3 and SW4 must not establish any BGP session at any time
· All BGP routers must use their int lo0 as their router-id
· Configure full mesh IBGP peering between all four routers use any configuration method
· R9 must be selected as the preferred exit point for traffic destined to remote AS's
· No BGP speaker must use network statement under the BGP router config.
· Ensure that all the BGP nexthop is never marked as unreachable as long as int lo0 of the
· All four BGP routers must establish eBGP peerings with their neighboring AS as shown in
· Ensure that R9 is the only router that sees the default as a BGP route and that all other
R8:
R8(config)#router bgp 34567
R8(config-router)#bgp router-id 123.8.8.8
R8(config-router)#no bgp default ipv4-unicast
R8(config-router)#address-family ipv4
R8(config-router-af)#neighbor 123.9.9.9 activate
R8(config-router-af)#neighbor 123.10.10.10 activate
R8(config-router-af)#neighbor 123.11.11.11 activate
R8(config-router-af)#exit-address-family
R8(config-router-af)#end
R8#
R9:
R9(config)#router bgp 34567
R9(config-router)#bgp router-id 123.9.9.9
R9(config-router)#no bgp default ipv4-unicast
R9(config-router)#address-family ipv4
R9(config-router-af)#neighbor 123.8.8.8 activate
R9(config-router-af)#neighbor 123.10.10.10 activate
R9(config-router-af)#neighbor 123.11.11.11 activate
R9(config-router-af)#exit-address-family
R9(config-router-af)#end
R9#
R10:
R10(config)#router bgp 34567
R10(config-router)#bgp router-id 123.10.10.10
R10(config-router)#no bgp default ipv4-unicast
R10(config-router)#address-family ipv4
R10(config-router-af)#neighbor 123.8.8.8 activate
R10(config-router-af)#neighbor 123.9.9.9 activate
R10(config-router-af)#neighbor 123.11.11.11 activate
R10(config-router-af)#exit-address-family
R10(config-router-af)#end
R10#
R11:
R11(config)#router bgp 34567
R11(config-router)#bgp router-id 123.11.11.11
R11(config-router)#no bgp default ipv4-unicast
R11(config-router)#address-family ipv4
R11(config-router-af)#neighbor 123.8.8.8 activate
R11(config-router-af)#neighbor 123.9.9.9 activate
R11(config-router-af)#neighbor 123.10.10.10 activate
R11(config-router-af)#exit-address-family
R11(config-router-af)#end
R11#
R8:
R8(config)#router bgp 34567
R8(config-router)#neighbor 101.1.34.1 remote-as 10001
R8(config-router)#address-family ipv4
R8(config-router-af)#neighbor 101.1.34.1 activate
R8(config-router-af)#neighbor 123.9.9.9 next-hop-self
R8(config-router-af)#neighbor 123.10.10.10 next-hop-self
R8(config-router-af)#neighbor 123.11.11.11 next-hop-self
R8(config-router-af)#exit-address-family
R8(config-router-af)#end
R8#clear ip bgp * soft
R9:
R9(config)#router bgp 34567
R9(config-router)#neighbor 33.34.4.1 remote-as 30000
R9(config-router)#neighbor 102.1.34.1 remote-as 10002
R9(config-router)#address-family ipv4
R9(config-router-af)#neighbor 33.34.4.1 activate
R9(config-router-af)#neighbor 102.1.34.1 activate
R9(config-router-af)#neighbor 123.8.8.8 next-hop-self
R9(config-router-af)#neighbor 123.10.10.10 next-hop-self
R9(config-router-af)#neighbor 123.11.11.11 next-hop-self
R9(config-router-af)#exit-address-family
R9(config-router-af)#end
R9#clear ip bgp * soft
R10:
R10(config)#router bgp 34567
R10(config-router)#neighbor 201.1.34.1 remote-as 20001
R10(config-router)#address-family ipv4
R10(config-router-af)#neighbor 201.1.34.1 activate
R10(config-router-af)#neighbor 123.9.9.9 next-hop-self
R10(config-router-af)#neighbor 123.8.8.8 next-hop-self
R10(config-router-af)#neighbor 123.11.11.11 next-hop-self
R10(config-router-af)#exit-address-family
R10(config-router-af)#end
R10#clear ip bgp * soft
R11:
R11(config)#router bgp 34567
R11(config-router)#neighbor 33.34.3.1 remote-as 30000
R11(config-router)#neighbor 202.2.34.1 remote-as 20002
R11(config-router)#address-family ipv4
R11(config-router-af)#neighbor 33.34.3.1 activate
R11(config-router-af)#neighbor 202.2.34.1 activate
R11(config-router-af)#neighbor 123.8.8.8 next-hop-self
R11(config-router-af)#neighbor 123.10.10.10 next-hop-self
R11(config-router-af)#neighbor 123.9.9.9 next-hop-self
R11(config-router-af)#exit-address-family
R11(config-router-af)#end
R11#clear ip bgp * soft
R8:
R8(config)#router bgp 34567
R8(config-router)#address-family ipv4
R8(config-router-af)#redistribute eigrp 34567
R8(config-router-af)#end
R9:
R9(config)#router bgp 34567
R9(config-router)#address-family ipv4
R9(config-router-af)#redistribute eigrp 34567
R9(config-router-af)#end
R10:
R10(config)#router bgp 34567
R10(config-router)#address-family ipv4
R10(config-router-af)#redistribute eigrp 34567
R10(config-router-af)#end
R11:
R11(config)#router bgp 34567
R11(config-router)#address-family ipv4
R11(config-router-af)#redistribute eigrp 34567
R11(config-router-af)#end
R9:
R9(config)# ip prefix-list 1 permit 0.0.0.0/0
R9(config)#route-map 1 permit 1
R9(config-route-map)#match ip address prefix-list 1
R9(config-route-map)#exit
R11:
R11(config)# ip prefix-list 1 permit 0.0.0.0/0
R11(config)#route-map 1 permit 1
R11(config-route-map)#match ip address prefix-list 1
R11(config-route-map)#exit
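How the ip prefix-list 1 permit 0.0.0.0/0 entry above matches, as an added example (not part of the original workbook): a Python model of IOS prefix-list evaluation showing that the entry matches only the default route itself, while the same prefix with le 32 matches every route. It goes beyond the entry on the page by handling ge/le length windows; the ANY and ACME-OUT lists, the sample routes and the function names are constructed for the illustration.

```python
"""Model of IOS ip prefix-list matching. Added example, not workbook code."""
import ipaddress
import re

ENTRY_RE = re.compile(
    r"^(?:\S+# ?)?ip prefix-list (?P<name>\S+)(?: seq (?P<seq>\d+))? "
    r"(?P<action>permit|deny) (?P<prefix>[\d.]+/\d+)"
    r"(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)

# The first line is the entry from the R9/R11 answer; the other two are
# constructed for comparison (the names ANY and ACME-OUT are hypothetical).
SAMPLE_CONFIG = """
R9(config)# ip prefix-list 1 permit 0.0.0.0/0
ip prefix-list ANY permit 0.0.0.0/0 le 32
ip prefix-list ACME-OUT permit 123.0.0.0/8 le 32
"""

# Constructed sample routes, built from address ranges used in the lab.
SAMPLE_ROUTES = ["0.0.0.0/0", "123.0.0.0/8", "123.20.1.0/24",
                 "123.8.8.8/32", "10.120.12.0/30"]


def parse_prefix_lists(config):
    """Return {list name: [(seq, action, network, min_len, max_len), ...]}."""
    lists = {}
    for raw in config.splitlines():
        m = ENTRY_RE.match(" ".join(raw.split()))
        if not m:
            continue
        net = ipaddress.ip_network(m["prefix"], strict=False)
        ge = int(m["ge"]) if m["ge"] else None
        le = int(m["le"]) if m["le"] else None
        if ge is None and le is None:
            low = high = net.prefixlen          # no ge/le: exact length only
        else:
            low = ge if ge is not None else net.prefixlen
            high = le if le is not None else 32
        if not net.prefixlen <= low <= high <= 32:
            raise ValueError("invalid ge/le range: " + raw.strip())
        entries = lists.setdefault(m["name"], [])
        # Entries without an explicit seq are numbered in steps of 5.
        seq = int(m["seq"]) if m["seq"] else max((e[0] for e in entries), default=0) + 5
        entries.append((seq, m["action"], net, low, high))
        entries.sort(key=lambda e: e[0])
    return lists


def decide(entries, route):
    """First matching entry wins; no match means the implicit deny."""
    candidate = ipaddress.ip_network(route, strict=False)
    for _seq, action, net, low, high in entries:
        # The route must sit inside the entry's prefix AND its mask length
        # must fall inside the entry's length window.
        if low <= candidate.prefixlen <= high and candidate.subnet_of(net):
            return action
    return "deny"


def permitted(entries, routes):
    """Return the routes a prefix-list lets through, in input order."""
    return [r for r in routes if decide(entries, r) == "permit"]


if __name__ == "__main__":
    for name, entries in parse_prefix_lists(SAMPLE_CONFIG).items():
        print(name, "->", permitted(entries, SAMPLE_ROUTES))
```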
configure EBGP in ACME's APAC region (AS45678 and AS 65222) according to the
following requirements
· SW5 and SW6 must not establish any BGP session at any time
· All BGP routers must use their int lo0 as their router-id
· R15 must establish an EBGP peering with AS 10003 and must receive default route as
· R15 must also advertise an aggregate prefix 123.20.1.0/24 to AS 10003 and must suppress
· R16, 17, 18, 19 must establish an eBGP peering with AS 20003 and must receive a default
· As long as R15 is operational, R16, R17, R18, R19 must prefer the EIGRP default route
· Do not create any VRF anywhere in order to accomplish the above requirements
R15:
R15(config)#router bgp 45678
R15(config-router)#bgp router-id 123.15.15.15
R15(config-router)#neighbor 103.2.45.1 remote-as 10003
R15(config-router)#aggregate-address 123.20.1.0 255.255.255.0 summary-only
R15(config-router)#redistribute eigrp 45678
R16:
R16(config)#router bgp 45678
R16(config-router)#bgp router-id 123.16.16.16
R16(config-router)#neighbor 203.3.16.1 remote-as 20003
R16(config-router)#end
R17:
R17(config)#router bgp 45678
R17(config-router)#bgp router-id 123.17.17.17
R17(config-router)#neighbor 203.3.17.1 remote-as 20003
R17(config-router)#end
R18:
R18(config)#router bgp 45678
R18(config-router)#bgp router-id 123.18.18.18
R18(config-router)#neighbor 203.3.18.1 remote-as 20003
R18(config-router)#end
R19:
R19(config)#router bgp 45678
R19(config-router)#bgp router-id 123.19.19.19
R19(config-router)#neighbor 203.3.19.1 remote-as 20003
R19(config-router)#end
<<<NB:if R15 is not receiving default from SP it should receive after section 3.3 when R2/R3 form eBGP
for yellow vrf needs further work.>>>>>
· All ACME border routers in AS 12345 must filter the BGP prefixes that are advertised to
their SP in VRF INET and must allow all prefixes that belong to class A 123.0.0.0/8 and all
· All ACME border routers in AS 12345 must filter the BGP prefixes that are advertised to
their SP and must allow only all prefixes that belong to the class A 123.0.0.0/8
· R13 must route traffic preferably via AS 20002, use any method to accomplish this
requirement
· All three remote sites in AS 65111 must be able to ping 1.2.3.4 and traceroute must
· Configure the OSPF process id 1 and set the router-id as interface lo0
· Sw4 must be selected as the DR on vlan 34 and must have the best chance
· Sw3 must be selected as the backup DR on vlan 34 and must take over DR if SW4 is
down
SW3:
SW3(config)#ipv6 unicast-routing
SW3(config)#ipv6 router ospf 1
SW3(config-rtr)#router-id 123.33.33.33
SW3(config)#interface vlan 34
SW3(config-if)#ipv6 ospf 1 area 0
SW3(config-if)#ipv6 ospf priority 1
SW4:
SW4(config)#ipv6 unicast-routing
SW4(config)#ipv6 router ospf 1
SW4(config-rtr)#router-id 123.44.44.44
SW4(config)#interface vlan 34
SW4(config-if)#ipv6 ospf 1 area 0
SW4(config-if)#ipv6 ospf priority 255
R10:
R10(config)#ipv6 unicast-routing
R10(config)#ipv6 router ospf 1
R10(config-rtr)#router-id 123.10.10.10
R11:
R11(config)#ipv6 unicast-routing
R11(config)#ipv6 router ospf 1
R11(config-rtr)#router-id 123.11.11.11
· Do not use the network command under the BGP address-family ipv6 on either R10 or
R11
· Advertise the ipv6 prefix on interface E0/0 into BGP on both R12 and R14
· Configure your network such that any ipv6 that any user can communicate with any ipv6
!!!!!
R10:
R10(config)#ipv6 unicast-routing
R10(config)#router bgp 34567
R10(config-router)#neighbor 2001:CC1E:BEF:10:201:1:34:1 remote-as 20001
R10(config-router)#address-family ipv6
R10(config-router-af)#neighbor 2001:CC1E:BEF:10:201:1:34:1 activate
R10(config-router-af)#redistribute ospf 1 match internal external
R10(config)#ipv6 router ospf 1
R10(config-rtr)#redistribute bgp 34567
R11:
R11(config)#ipv6 unicast-routing
R11(config)#router bgp 34567
R11(config-router)#neighbor 2001:CC1E:BEF:11:202:1:34:1 remote-as 20002
R11(config-router)#address-family ipv6
R11(config-router-af)#neighbor 2001:CC1E:BEF:11:202:1:34:1 activate
R11(config-router-af)#redistribute ospf 1 match internal external
R11(config)#ipv6 router ospf 1
R11(config-rtr)#redistribute bgp 34567
R12:
R12(config)#ipv6 unicast-routing
R12(config)#router bgp 65111
R12(config-router)#neighbor 2001:CC1E:BEF:12:201:1:12:1 remote-as 20001
R12(config-router)#address-family ipv6
R12(config-router-af)#neighbor 2001:CC1E:BEF:12:201:1:12:1 activate
R12(config-router-af)#network 2001:CC1E:BEF:12::/64
R12(config-rtr)#end
R14:
R14(config)#ipv6 unicast-routing
R14(config)#router bgp 65111
R14(config-router)#neighbor 2001:CC1E:BEF:14:202:2:14:1 remote-as 20002
R14(config-router)#address-family ipv6
R14(config-router-af)#neighbor 2001:CC1E:BEF:14:202:2:14:1 activate
R14(config-router-af)#network 2001:CC1E:BEF:14::/64
R14(config-rtr)#end
· Only network segments with active receivers that explicitly require the data must
· To test configure int E0/0 of both R18 and R19 to join group 232.1.1.1
SW5#ping 232.1.1.1 source vlan 5
Reply to request 0 from 10.2.19.1, 3 ms
Reply to request 0 from 10.2.18.1, 4 ms
R15:
R15(config)#ip multicast-routing
R15(config)#interface ethernet 0/1
R15(config-if)#ip pim sparse-mode
R15(config-if)#interface ethernet 0/2
R15(config-if)#ip pim sparse-mode
R15(config-if)#interface lo0
R15(config-if)#ip pim sparse-mode
R15(config)#ip pim rp-candidate loopback 0
R15(config)#ip pim bsr-candidate loopback 0
R15(config)#exit
SW1:
SW1(config)#ip multicast-routing
SW1(config)#interface vlan 55
SW1(config-if)#no shut
SW1(config-if)#ip pim sparse-mode
SW1(config-if)#interface vlan 5
SW1(config-if)#ip address 123.55.55.55 255.255.255.0
SW1(config-if)#no shut
SW1(config-if)#ip pim sparse-mode
SW1(config-if)#interface lo0
SW1(config-if)#ip pim sparse-mode
SW1(config)#exit
SW2:
SW2(config)#ip multicast-routing
SW2(config)#interface vlan 66
SW2(config-if)#no shut
SW2(config-if)#ip pim sparse-mode
SW2(config-if)#interface vlan 6
SW2(config-if)#ip address 123.66.66.66 255.255.255.0
SW2(config-if)#no shut
SW2(config-if)#ip pim sparse-mode
SW2(config-if)#interface lo0
SW2(config-if)#ip pim sparse-mode
SW2(config)#exit
R16:
R16(config)#ip multicast-routing
R16(config)#interface ethernet 0/1
R16(config-if)#ip pim sparse-mode
R16(config-if)#interface ethernet 0/2
R16(config-if)#ip pim sparse-mode
R16(config-if)#interface lo0
R16(config-if)#ip pim sparse-mode
R16(config)#exit
R17:
R17(config)#ip multicast-routing
R17(config)#interface ethernet 0/1
R17(config-if)#ip pim sparse-mode
R17(config-if)#interface ethernet 0/2
R17(config-if)#ip pim sparse-mode
R17(config-if)#interface tunnel 0
R17(config-if)#ip pim sparse-mode
R17(config-if)#interface lo0
R17(config-if)#ip pim sparse-mode
R17(config)#exit
R18:
R18(config)#ip multicast-routing
R18(config)#interface ethernet 0/0
R18(config-if)#ip igmp join-group 232.1.1.1
R18(config-if)#ip pim sparse-mode
R18(config-if)#!
R18(config-if)#interface tunnel 0
R18(config-if)#ip pim sparse-mode
R18(config-if)#!
R18(config-if)#interface lo0
R18(config-if)#ip pim sparse-mode
R18(config)#exit
R19:
R19(config)#ip multicast-routing
R19(config)#interface ethernet 0/0
R19(config-if)#ip igmp join-group 232.1.1.1
R19(config-if)#ip pim sparse-mode
R19(config-if)#interface tunnel 0
R19(config-if)#ip pim sparse-mode
R19(config)#exit
· The ACME HQ network (AS12345) uses MPLS L3VPN in order to clearly separate remote
site networks
· The ACME corporate security policies are centralized and enforced at the San Jose site
(AS 65112) for all remote sites. The policies require that all traffic that is originated from
· Configure MPLS L3 VPN in the ACME network according to the following requirements
· Ensure that no MPLS interface that belongs to any router in AS 12345 is visible on a trace
R1:
R1(config)#ip cef
R1(config)#mpls ip
R1(config)#mpls label protocol ldp
R1(config)#int lo0
R1(config-if)#mpls ip
R1(config-if)#int eth 0/1
R1(config-if)#mpls ip
R1(config-if)#int eth 0/2
R1(config-if)#mpls ip
R1(config-if)#end
R1#
R2:
R2(config)#ip cef
R2(config)#mpls ip
R2(config)#mpls label protocol ldp
R2(config)#int lo0
R2(config-if)#mpls ip
R2(config-if)#int eth 0/1
R2(config-if)#mpls ip
R2(config-if)#int eth 0/2
R2(config-if)#mpls ip
R2(config-if)#end
R2#
R3:
R3(config)#ip cef
R3(config)#mpls ip
R3(config)#mpls label protocol ldp
R3(config)#int lo0
R3(config-if)#mpls ip
R3(config-if)#int eth 0/1
R3(config-if)#mpls ip
R3(config-if)#int eth 0/2
R3(config-if)#mpls ip
R3(config-if)#end
R3#
R4:
R4(config)#ip cef
R4(config)#mpls ip
R4(config)#mpls label protocol ldp
R4(config)#int lo0
R4(config-if)#mpls ip
R4(config-if)#int eth 0/1
R4(config-if)#mpls ip
R4(config-if)#int eth 0/2
R4(config-if)#mpls ip
R4(config-if)#end
R4#
R5:
R5(config)#ip cef
R5(config)#mpls ip
R5(config)#mpls label protocol ldp
R5(config)#int lo0
R5(config-if)#mpls ip
R5(config-if)#int eth 0/1
R5(config-if)#mpls ip
R5(config-if)#int eth 0/2
R5(config-if)#mpls ip
R5(config-if)#end
R5#
R6:
R6(config)#ip cef
R6(config)#mpls ip
R6(config)#mpls label protocol ldp
R6(config)#int lo0
R6(config-if)#mpls ip
R6(config-if)#int eth 0/1
R6(config-if)#mpls ip
R6(config-if)#int eth 0/2
R6(config-if)#mpls ip
R6(config-if)#end
R6#
R7:
R7(config)#ip cef
R7(config)#mpls ip
R7(config)#mpls label protocol ldp
R7(config)#int lo0
R7(config-if)#mpls ip
R7(config-if)#int eth 0/1
R7(config-if)#mpls ip
R7(config-if)#int eth 0/2
R7(config-if)#mpls ip
R7(config-if)#end
R7#
· R2 and R3 must establish eBGP peering with both global SP (AS 10001 and AS 10002) for
· BLUE
· GREEN
· RED
· YELLOW
· INET
· R3 must establish an eBGP peering with the regional SP (AS 20001) for the following
VRFs
· GREEN
· BLUE
· INET
· R7 must establish an eBGP peering with the regional SP (AS 20002) for the following
VRFs
· BLUE
· RED
· INET
· All IP addresses used for eBGP peering must pass BGP's directly connected check
· No BGP speaker in AS 12345 may use the network or redistribute statement under any
· At the end of the exam scenario the interface E0/0 of the gateway router in any remote
site must be able to connect to interface E0/0 of any other remote gateway that belongs to
AS 65111 or AS 65222
R1:
R1(config)#router bgp 12345
R1(config-router)#address-family vpnv4
R1(config-router-af)#neighbor IBGP route-reflector-client
R1(config-router-af)#neighbor IBGP send-community extended
R1(config-router-af)#neighbor 123.2.2.2 activate
R1(config-router-af)#neighbor 123.3.3.3 activate
R1(config-router-af)#neighbor 123.6.6.6 activate
R1(config-router-af)#neighbor 123.7.7.7 activate
R1(config-router-af)#end
R1#
R2:
R2(config)#router bgp 12345
R2(config-router)#address-family vpnv4
R2(config-router-af)#neighbor 123.1.1.1 activate
R2(config-router-af)#neighbor 123.1.1.1 send-community extended
R2(config-router-af)#end
R2#
R3:
R3(config)#router bgp 12345
R3(config-router)#address-family vpnv4
R3(config-router-af)#neighbor 123.1.1.1 activate
R3(config-router-af)#neighbor 123.1.1.1 send-community extended
R3(config-router-af)#end
R3#
R6:
R6(config)#router bgp 12345
R6(config-router)#address-family vpnv4
R6(config-router-af)#neighbor 123.1.1.1 activate
R6(config-router-af)#neighbor 123.1.1.1 send-community extended
R6(config-router-af)#end
R6#
R7:
R7(config)#router bgp 12345
R7(config-router)#address-family vpnv4
R7(config-router-af)#neighbor 123.1.1.1 activate
R7(config-router-af)#neighbor 123.1.1.1 send-community extended
R7(config-router-af)#end
R7#
R6:
R6(config)#router bgp 12345
R6(config-router)#address-family ipv4 vrf BLUE
R6(config-router-af)#neighbor 201.1.123.1 remote-as 20001
R6(config-router-af)#neighbor 201.1.123.1 activate
R6(config-router-af)#exit-address-family
R12:
R12(config)#router bgp 65111
R12(config-router)#neighbor 201.1.13.1 remote-as 20001
R12(config-router)#redistribute connected
R12(config-router)#end
R7:
R7(config)#router bgp 12345
R7(config-router)#address-family ipv4 vrf BLUE
R7(config-router-af)#neighbor 202.2.123.1 remote-as 20002
R7(config-router-af)#neighbor 202.2.123.1 activate
R7(config-router-af)#exit-address-family
R13:
R13(config)#router bgp 65111
R13(config-router)#neighbor 201.1.13.1 remote-as 20001
R13(config-router)#neighbor 202.2.13.1 remote-as 20002
R13(config-router)#redistribute connected
R13(config-router)#end
R14:
R14(config)#router bgp 65111
R14(config-router)#neighbor 202.2.14.1 remote-as 20002
R14(config-router)#redistribute connected
R14(config-router)#end
R2:
R2(config)#router bgp 12345
R2(config-router)#address-family ipv4 vrf BLUE
R2(config-router-af)#neighbor 101.1.123.1 remote-as 10001
R2(config-router-af)#neighbor 101.1.123.1 activate
R2(config-router-af)#exit-address-family
R3:
R3(config)#router bgp 12345
R3(config-router)#address-family ipv4 vrf BLUE
R3(config-router-af)#neighbor 102.2.123.1 remote-as 10002
R3(config-router-af)#neighbor 102.2.123.1 activate
R3(config-router-af)#exit-address-family
R3(config-router)#address-family ipv4 vrf INET
R3(config-router-af)#neighbor 102.2.123.1 remote-as 10002
R3(config-router-af)#neighbor 102.2.123.1 activate
R3(config-router-af)#exit-address-family
<<<<do sh ip bgp vpnv4 all summary and run a tclsh ping from the remote sites all over to the central
site>>>>
3.3 DMVPN
Configure DMVPN phase 3 in the ACME APAC region (AS 45678 and 65222) as per the following
requirements
· Use the preconfigured interface tunnel 0 on all the three routers in order to accomplish
this task
· R18 and R19 must be the spokes and must participate in NHRP information exchange
· Ensure that spoke to spoke traffic does not transit via the hub
R17:
R17(config)#interface tunnel 0
R17(config-if)#bandwidth 1000
R17(config-if)#ip address 123.20.1.25 255.255.255.248
R17(config-if)#no ip redirects
R17(config-if)#ip mtu 1400
R17(config-if)#ip nhrp authentication 45678key
R17(config-if)#ip nhrp map multicast dynamic
R17(config-if)#ip nhrp network-id 45678
R17(config-if)#ip nhrp holdtime 300
R17(config-if)#ip nhrp redirect
R17(config-if)#delay 1000
R17(config-if)#tunnel source eth0/0
R17(config-if)#tunnel mode gre multipoint
R17(config-if)#ip tcp adjust-mss 1380
R18:
R18(config)#interface tunnel 0
R18(config-if)#bandwidth 1000
R18(config-if)#ip address 123.20.1.26 255.255.255.248
R18(config-if)#no ip redirects
R18(config-if)#ip mtu 1400
R18(config-if)#ip nhrp authentication 45678key
R18(config-if)#ip nhrp map multicast dynamic
R18(config-if)#ip nhrp network-id 45678
R18(config-if)#ip nhrp holdtime 300
R18(config-if)#ip nhrp shortcut
R18(config-if)#ip nhrp redirect
R18(config-if)#ip nhrp nhs 123.20.1.25
R18(config-if)#ip nhrp nhs map 123.20.1.25 203.3.17.2
R18(config-if)#ip nhrp map multicast 203.3.17.2
R18(config-if)#delay 1000
R18(config-if)#tunnel source s1/0
R18(config-if)#tunnel mode gre multipoint
R18(config-if)#ip tcp adjust-mss 1380
R19:
R19(config)#interface tunnel 0
R19(config-if)#bandwidth 1000
R19(config-if)#ip address 123.20.1.27 255.255.255.248
R19(config-if)#no ip redirects
R19(config-if)#ip mtu 1400
R19(config-if)#ip nhrp authentication 45678key
R19(config-if)#ip nhrp map multicast dynamic
R19(config-if)#ip nhrp network-id 45678
R19(config-if)#ip nhrp holdtime 300
R19(config-if)#ip nhrp shortcut
R19(config-if)#ip nhrp redirect
R19(config-if)#ip nhrp nhs 123.20.1.25
R19(config-if)#ip nhrp nhs map 123.20.1.25 203.3.17.2
R19(config-if)#ip nhrp map multicast 203.3.17.2
R19(config-if)#delay 1000
R19(config-if)#tunnel source s1/0
R19(config-if)#tunnel mode gre multipoint
R19(config-if)#ip tcp adjust-mss 1380
· All IPSEC tunnels must be authenticated using the same IKE phase 1 preshared key
· Use 1024 bits for the key exchange using the Diffie-Hellman algorithm
· Configure a single policy using priority 10
· Use the IPsec protocol ESP and algorithm AES with 128 bits
· Ensure that the DMVPN cloud is secured using above parameters. Use tunnel protection
in your config
R17:
R17(config)#crypto isakmp enable
R17(config)#crypto isakmp policy 10
R17(config-isakmp)#authentication pre-share
R17(config-isakmp)#encryption aes
R17(config-isakmp)#group 2
R17(config-isakmp)#exit
R17(config)#int tunnel 0
R17(config-if)#tunnel protection ipsec profile DMVPNPROFILE
R17(config-if)#exit
R18:
R18(config)#crypto isakmp enable
R18(config)#crypto isakmp policy 10
R18(config-isakmp)#authentication pre-share
R18(config-isakmp)#encryption aes
R18(config-isakmp)#group 2
R18(config-isakmp)#exit
R18(config)#int tunnel 0
R18(config-if)#tunnel protection ipsec profile DMVPNPROFILE
R18(config-if)#exit
R19:
R19(config)#crypto isakmp enable
R19(config)#crypto isakmp policy 10
R19(config-isakmp)#authentication pre-share
R19(config-isakmp)#encryption aes
R19(config-isakmp)#group 2
R19(config-isakmp)#exit
R19(config)#int tunnel 0
R19(config-if)#tunnel protection ipsec profile DMVPNPROFILE
R19(config-if)#exit
<<<<sh ip nhrp brief, show crypto ipsec sa on all devices running DMVPN>>>>
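The answers above reference the IPsec profile DMVPNPROFILE but never define it, the transform set or the pre-shared key. A complete crypto configuration meeting the listed requirements follows as an added example, not part of the original answer key; the transform-set name DMVPNTS, the <PRESHARED-KEY> placeholder, the esp-sha-hmac integrity transform and transport mode are assumptions that do not appear on the page.

```ios
! Added example: apply the same crypto configuration on R17, R18 and R19.
!
! IKE phase 1: single policy, priority 10, pre-shared key authentication,
! AES (128-bit key by default), Diffie-Hellman group 2 (1024-bit MODP).
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
!
! One wildcard key entry so every DMVPN peer authenticates with the same secret.
! <PRESHARED-KEY> is a placeholder; the page does not give the key value.
crypto isakmp key <PRESHARED-KEY> address 0.0.0.0 0.0.0.0
!
! IKE phase 2: ESP with AES (esp-aes without a size selects a 128-bit key).
! Assumptions: esp-sha-hmac for integrity and transport mode, neither of
! which is stated in the task. DMVPNTS is a hypothetical name.
crypto ipsec transform-set DMVPNTS esp-aes esp-sha-hmac
 mode transport
!
! The profile that "tunnel protection" on the mGRE interface refers to.
crypto ipsec profile DMVPNPROFILE
 set transform-set DMVPNTS
!
interface Tunnel0
 tunnel protection ipsec profile DMVPNPROFILE
!
end
!
! Verification from exec mode on each router:
!  show crypto isakmp sa   one phase 1 SA per peer, state QM_IDLE when established
!  show crypto ipsec sa    encaps/decaps counters rise as tunnel traffic flows
!  show dmvpn              NHRP peers and tunnel state
```

Group 2 is used only because the task asks for a 1024-bit exchange; outside the lab, group 14 or higher is the usual minimum.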
WARNING!ACCESS RESTRICTED
· Do not use any other spaces or any other characters
users only
· SW3 must dynamically learn only one MAC address per port and must save the mac
· SW3 must shut down the port if a security violation occurs on any of the four ports
<<<show port-security>>>
SECTION V
SECTION 5 Infrastructure Services
5.1 System management
· Configure R20 in the ACME San Jose office as per the following
· R20 must accept up to five remote authorized users to connect at the same time using
SSH
· Create the user "test" with password "test" in local database of R20
· Ensure that R20 accepts SSH connections with clients with source ip in 123.10.2.0/24. All
· R20 must generate a syslog message for all SSH connection attempts whether permitted
or denied
· Ensure that SSH is the only remote access method permitted on VTY lines of R20
· Ensure that the console is not affected by your solution and no username prompt is
· Test your solution from any device that is located in AS 34567 and ensure that the
following sequence of commands produces the following output
R10 # ssh -l 123.20.20.20
WARNING!ACCESS RESTRICTED
R20>
R20>sh privilege
Current privilege level is 1
R20>
R20>q
R10#
R20:
R20(config)#service linenumber
R20(config)#username test password test
R20(config)#ip domain name acme.org
R20(config)#line vty 0 4
R20(config-line)#login local
R20(config-line)#access-class 1 in
R20(config-line)#transport input ssh
R20(config-line)#end
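The R20 answer above applies access-class 1 without defining access list 1, and does not generate the RSA key the SSH server needs. A fuller configuration for the stated requirements follows as an added example, not part of the original answer key; the 2048-bit modulus and SSH version 2 are assumptions, and the banner and the truncated parts of the task are not covered.

```ios
! Added example: R20 remote-access configuration for task 5.1.
!
ip domain name acme.org
!
! An RSA key pair must exist before the SSH server will start.
! The 2048-bit modulus and "ip ssh version 2" are assumptions.
crypto key generate rsa modulus 2048
ip ssh version 2
!
username test password test
!
! ACL 1 is the list applied by "access-class 1 in" on the VTY lines.
! The log keyword on BOTH entries gives a syslog message for permitted and
! denied connection attempts alike (standard ACL hits are logged as
! %SEC-6-IPACCESSLOGS). The explicit deny is needed because the implicit
! deny at the end of an ACL does not log.
access-list 1 permit 123.10.2.0 0.0.0.255 log
access-list 1 deny any log
!
! Five VTY lines (0 to 4) allow at most five concurrent sessions.
! "transport input ssh" removes Telnet and every other inbound protocol.
line vty 0 4
 login local
 access-class 1 in
 transport input ssh
!
! If "show line" lists VTY lines above 4 on this platform, set
! "transport input none" on them so the five-session limit holds.
!
! line con 0 is left untouched: without "login local" on the console there
! is no username prompt there.
end
!
! Verification from exec mode:
!  show ip ssh            SSH enabled, version in use
!  show access-lists 1    match counters for permitted and denied sources
!  show logging           one entry per connection attempt
```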
· R20 must enable all private corporate traffic that is originated from any host with source
in AS 34567
· All remote sites in AS 65111 and 65222 must be able to connect to the public
destinations
· R20 must swap the source ip address in these packets with the ip address of its lo0
· The following tests must succeed after the above requirements (in addition to previous
R20:
R20(config)#access-list 2 permit 10.1.0.0 0.0.0.255
R20(config)#access-list 2 permit 10.2.0.0 0.0.0.255
R20(config)#ip nat inside source list 2 interface loopback 0 overload
R20(config)#interface 0/0.12
R20(config-if)#ip nat inside
R20(config)#interface 0/1.99
R20(config-if)#ip nat outside
<<<<run ping/traceroute tests to 1.2.3.4 from all vpn sites sourcing from their wan interfaces>>>>
· The output shown below must be seen on R19 during 10 sec after R15 successfully pings
R17:
R17(config)#ip flow-export version 9
R17(config)#ip flow-top-talkers
R17(config-flow-top-talkers)#top 10
R17(config-flow-top-talkers)#sort-by packets
R17(config-flow-top-talkers)#cache-timeout 10
R17(config-flow-top-talkers)#match input-interface ethernet 0/1
R17(config-flow-top-talkers)#match source address 123.20.1.9 255.255.255.255
R17(config-flow-top-talkers)#exit
· R10 and R12 must sync their clock to Sw3 using ntpv4 for ipv6
· Sw3 must not capture or use any time info that is sent by R12 and R14
· All NTP traffic must be sourced and destined to interface lo0 of the corresponding
devices
SW3:
SW3(config)#ntp master
SW3(config)#ntp source loopback 0
SW3(config)#interface loopback 0
SW3(config-if)#ntp disable ip
SW3(config-if)#end
R10:
R10(config)#interface loopback 0
R10(config-if)#ipv6 address 2001:CC1E:BEF:0:123:10:10:10/64
R10(config-if)#ipv6 ospf 1 area 10
R10(config)#ntp source loopback 0
R10(config)#ntp server 2001:CC1E:BEF:0:123:33:33:33
R10(config)#
R11:
R11(config)#interface loopback 0
R11(config-if)#ipv6 address 2001:CC1E:BEF:0:123:11:11:11/64
R11(config-if)#ipv6 ospf 1 area 11
R11(config)#ntp source loopback 0
R11(config)#ntp server 2001:CC1E:BEF:0:123:33:33:33
R11(config)#
R12:
R12(config)#interface loopback 0
R12(config-if)#ipv6 address 2001:CC1E:BEF:0:123:12:12:12/64
R12(config-if)#ntp disable ip
R12(config-if)#end
R14:
R14(config)#interface loopback 0
R14(config-if)#ipv6 address 2001:CC1E:BEF:0:123:14:14:14/64
R14(config-if)#ntp disable ip
R14(config-if)#end