
★眞的愛妳★ CCIE R&S v5.0 Lab Section 2014.9.

SECTION 1.1
Configure the ACME Headquarters network (AS 12345) as per the following requirements

· The VTP domain must be set to CCIE

· Use VTP ver 2

· SW1 must be the VTP server and SW2 must be the VTP client

· Secure all VTP updates with an MD5 digest of the ASCII string “CCIErocks$”

· In order to avoid unknown unicast flooding in all vlans as much as possible, the administrator requires that any dynamic entries learned by SW1 and SW2 must be retained for 2 hours before being refreshed.

Configure the network of the New York office (AS 34567) as per the following requirements

· The VTP domain must be set to CCIE

· Use VTP ver 2

· SW3 and SW4 must not advertise their vlan config but must forward VTP advertisements that they receive out their trunk ports

· Secure all VTP updates with an MD5 digest of the ASCII string “CCIErocks$”

Answers:
SW-1(config)#vtp version 2
SW-1(config)#vtp domain CCIE
SW-1(config)#vtp mode server
SW-1(config)#vtp password CCIErocks$
SW-1(config)#end
SW-1#

SW-2(config)#vtp version 2
SW-2(config)#vtp domain CCIE
SW-2(config)#vtp mode client
SW-2(config)#vtp password CCIErocks$
SW-2(config)#end
SW-2#

SW-1#sh mac address-table aging-time
Global Aging Time: 300
Vlan Aging Time
---- ----------
SW-1#
The default MAC address aging time is 300 seconds (5 minutes) on both switches. Set it to 7200 seconds (2 hours):

SW-1(config)# mac-address-table aging-time 7200

SW-2(config)# mac-address-table aging-time 7200

SW-3(config)#vtp version 2
SW-3(config)#vtp domain CCIE
SW-3(config)#vtp mode transparent
SW-3(config)#vtp password CCIErocks$
SW-3(config)#end
SW-3#

SW-4(config)#vtp version 2
SW-4(config)#vtp domain CCIE
SW-4(config)#vtp mode transparent
SW-4(config)#vtp password CCIErocks$
SW-4(config)#end
SW-4#

SECTION 1.2 - Layer 2 ports


Configure your network as per the following requirements

· Complete the config of all vlans so that all routers that are located in ACME's headquarters (AS12345) and New York office (AS 34567) can ping their directly connected neighbors

· All four switches (SW1-SW4) must have dot1q trunks that do not rely on negotiation. Do not configure any etherchannel

· Ensure that the following unused ports on all four switches are shutdown and configured as access ports in vlan 999

· E3/0 - E3/3 are unused on SW1 and SW2

· E1/0 - E1/3 are unused on SW3 and SW4


· E3/0 - E3/3 are unused on SW3 and SW4

Answers:
SW-1(config)#do sh vlan brief | ex 100
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Et3/0, Et3/1, Et3/2, Et3/3
14 VLAN0014 active E0/0,E1/0
15 VLAN0015 active E1/1
23 VLAN0023 active E0/1,E0/2
24 VLAN0024 active E0/3
67 VLAN0067 active E1/2,E1/3

SW-1(config)#do sh cdp neighbor


sw2 eth 2/1 eth 2/1
sw2 eth 2/2 eth 2/2
sw2 eth 2/3 eth 2/3
sw2 eth 2/0 eth 2/0
R4 eth 0/3 eth 0/1
R4 eth 1/0 eth 0/0
R5 eth 1/1 eth 0/1
R6 eth 1/2 eth 0/1
R1 eth 2/1 eth 2/1
R2 eth 0/1 eth 0/1
R3 eth 0/2 eth 0/1
SW1#

SW-2(config)#do sh vlan brief | ex 100


VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Et3/0, Et3/1, Et3/2, Et3/3
14 VLAN0014 active
15 VLAN0015 active E0/0
23 VLAN0023 active
24 VLAN0024 active E0/1
67 VLAN0067 active

SW-2(config)# do sh cdp neighbor


sw1 eth 2/1 eth 2/1
sw1 eth 2/2 eth 2/2
sw1 eth 2/3 eth 2/3
sw1 eth 2/0 eth 2/0
R4 eth 0/3 eth 0/2
R4 eth 1/0 eth 0/0
R5 eth 1/1 eth 0/2
R5 eth 1/0 eth 0/0
R6 eth 1/2 eth 0/2
R1 eth 0/0 eth 0/2
R2 eth 0/1 eth 0/2
R3 eth 0/2 eth 0/2
SW2#

SW-3(config)#do sh vlan brief | ex 100


VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Eth 1/0,Eth 1/1,Eth1/2,Eth1/3
Et3/0, Et3/1, Et3/2, Et3/3
38 VLAN0038 active E0/0
89 VLAN0089 active E0/1
111 VLAN0111 active E0/3
310 VLAN0310 active E0/2
SW-3(config)# do sh cdp neighbor
sw4 eth 2/1 eth 2/1
sw4 eth 2/2 eth 2/2
sw4 eth 2/3 eth 2/3
sw4 eth 2/0 eth 2/0
R8 eth 0/0 eth 0/1
R9 eth 0/1 eth 0/1
R11 eth 0/3 eth 0/1
R10 eth 0/2 eth 0/1
SW3#

SW-4(config)#do sh vlan brief | ex 100


VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Eth 1/0,Eth 1/1,Eth1/2,Eth1/3
Et3/0, Et3/1, Et3/2, Et3/3
49 VLAN0049 active E0/1
89 VLAN0089 active E0/0
111 VLAN0111 active E0/2
411 VLAN0310 active E0/3

SW-4(config)#do sh cdp neighbor


sw3 eth 2/1 eth 2/1
sw3 eth 2/2 eth 2/2
sw3 eth 2/3 eth 2/3
sw3 eth 2/0 eth 2/0
R8 eth 0/0 eth 0/2
R9 eth 0/1 eth 0/2
R11 eth 0/3 eth 0/2
R10 eth 0/2 eth 0/2
SW4#

Now let's create the VLANs on SW1 so that they propagate to SW2:

SW-1(config)#vlan 14,15,23,24,35,46,57,67,99
SW-1(config-vlan)#exit
SW-1(config)#
SW-3(config)#vlan 34,38,49,89,111,310,411,999
SW-3(config-vlan)#exit
SW-3(config)#

Let's apply the commands for the unused ports:

SW-1(config)#int range ethernet 3/0 - 3


SW-1(config-if-range)#switchport mode access
SW-1(config-if-range)#switchport access vlan 999
% Access VLAN does not exist. Creating vlan 999
SW-1(config-if-range)#shut

SW-2(config)#int range ethernet 3/0 - 3


SW-2(config-if-range)#switchport mode access
SW-2(config-if-range)#switchport access vlan 999
% Access VLAN does not exist. Creating vlan 999
SW-2(config-if-range)#shut

SW-3(config)#int range ethernet 3/0 - 3


SW-3(config-if-range)#switchport mode access
SW-3(config-if-range)#switchport access vlan 999
% Access VLAN does not exist. Creating vlan 999
SW-3(config-if-range)#shut

SW-4(config)#int range ethernet 3/0 - 3


SW-4(config-if-range)#switchport mode access
SW-4(config-if-range)#switchport access vlan 999
% Access VLAN does not exist. Creating vlan 999
SW-4(config-if-range)#shut

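Let's check and configure trunking without auto-negotiation on all switches:

sw1-sw4:
! the inter-switch links in the CDP output above are Eth2/0 - Eth2/3 (Eth3/0 - 3 are the unused ports)
int range eth 2/0 - 3
switchport trunk encapsulation dot1q
switchport mode trunk
! stop sending DTP frames so that the trunk does not rely on negotiation
switchport nonegotiate
Now you can verify that all VLANs are present on each switch.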

Section 1.3 Spanning tree


Configure the ACME network as per the following requirements

· SW1 must be the root switch for all odd vlans and must be the backup for all even vlans

· SW2 must be the root switch for all even vlans and must be the backup for all odd vlans

· SW3 must be the root switch for all odd vlans and must be the backup for all even vlans

· SW4 must be the root switch for all even vlans and must be the backup for all odd vlans

· Explicitly configure the root and backup roles, assuming that other switches with default configuration may eventually be added to the network in the future

· All switches must maintain one STP instance per vlan

· Use the STP mode that has only three possible states

· All access ports must immediately transition to the forwarding state upon link up and they must still participate in STP. Use a single command per switch to enable this

· Access ports must automatically shut down if they receive any BPDU, and an administrator must still manually re-enable the port. Use a single command per switch to enable this feature.

Answers
1.3 Implement spanning tree / solutions
CPS_A1_ABHI_NAG_SW1(config)#spanning-tree mode rapid-pvst
CPS_A1_ABHI_NAG_SW1(config)#spanning-tree portfast default
CPS_A1_ABHI_NAG_SW1(config)#spanning-tree portfast bpduguard default

CPS_A1_ABHI_NAG_SW2(config)#spanning-tree mode rapid-pvst
CPS_A1_ABHI_NAG_SW2(config)#spanning-tree portfast default
CPS_A1_ABHI_NAG_SW2(config)#spanning-tree portfast bpduguard default

CPS_A1_ABHI_NAG_SW3(config)#spanning-tree mode rapid-pvst
CPS_A1_ABHI_NAG_SW3(config)#spanning-tree portfast default
CPS_A1_ABHI_NAG_SW3(config)#spanning-tree portfast bpduguard default

CPS_A1_ABHI_NAG_SW4(config)#spanning-tree mode rapid-pvst
CPS_A1_ABHI_NAG_SW4(config)#spanning-tree portfast default
CPS_A1_ABHI_NAG_SW4(config)#spanning-tree portfast bpduguard default

Note: rapid-pvst needs to be enabled; the IOU I'm using does not support it

CPS_A1_ABHI_NAG_SW1(config)#spanning-tree vlan 15,23,35,57,67,999 root primary
CPS_A1_ABHI_NAG_SW1(config)#spanning-tree vlan 14,24,46 root secondary

CPS_A1_ABHI_NAG_SW2(config)#spanning-tree vlan 14,24,46 root primary
CPS_A1_ABHI_NAG_SW2(config)#spanning-tree vlan 15,23,35,57,67,999 root secondary

CPS_A1_ABHI_NAG_SW3(config)#spanning-tree vlan 49,89,111,411,999 root primary
CPS_A1_ABHI_NAG_SW3(config)#spanning-tree vlan 34,38,310 root secondary

CPS_A1_ABHI_NAG_SW4(config)#spanning-tree vlan 34,38,310 root primary
CPS_A1_ABHI_NAG_SW4(config)#spanning-tree vlan 49,89,111,411,999 root secondary

Solution verification

CPS_A1_ABHI_NAG_SW1#show spanning-tree summary

switch is in rapid-pvst mode


Root bridge for:VLAN0015,VLAN0023,VLAN0035,VLAN0057,VLAN0067
VLAN0999
EtherChannel misconfig guard is enabled
Extended system ID is enabled
Portfast default is enabled
Portfast BPDU Guard Default is enabled
Portfast BPDU Filter Default is disabled
Loopguard default is disabled
Uplinkfast is disabled
Backbonefast is disabled
configured Pathcost method is short

CPS_A1_ABHI_NAG_SW2#show spanning-tree summary

switch is in rapid-pvst mode


Root bridge for:VLAN0014,VLAN0024,VLAN0046
EtherChannel misconfig guard is enabled
Extended system ID is enabled
Portfast default is enabled
Portfast BPDU Guard Default is enabled
Portfast BPDU Filter Default is disabled
Loopguard default is disabled
Uplinkfast is disabled
Backbonefast is disabled

CPS_A1_ABHI_NAG_SW3#show spanning-tree summary

switch is in rapid-pvst mode


Root bridge for:VLAN0001,VLAN0049,VLAN0089,VLAN0111,VLAN0411,VLAN0999
EtherChannel misconfig guard is enabled
Extended system ID is enabled
Portfast default is enabled
Portfast BPDU Guard Default is enabled
Portfast BPDU Filter Default is disabled
Loopguard default is disabled
Uplinkfast is disabled
Backbonefast is disabled
Configured Pathcost method used is short

CPS_A1_ABHI_NAG_SW4#show spanning-tree summary

switch is in rapid-pvst mode


Root bridge for:VLAN0034,VLAN0038,VLAN0310
EtherChannel misconfig guard is enabled
Extended system ID is enabled
Portfast default is enabled
Portfast BPDU Guard Default is enabled
Portfast BPDU Filter Default is disabled
Loopguard default is disabled
Uplinkfast is disabled
Backbonefast is disabled
Configured Pathcost method used is short
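
The Layer 2 requirements of Sections 1.2 and 1.3 (unused ports parked in vlan 999 and shut down, static dot1q trunks, PortFast and BPDU Guard defaults) can be checked against a saved running-config. The script below is an added example, not part of the original lab answers; the sample config and port lists are constructed and deliberately incomplete, and it assumes the command spellings used in this section plus `switchport nonegotiate` as the way a trunk avoids negotiation.

```python
import re

# Command spellings follow the answers in Sections 1.2 and 1.3. Assumption: the
# saved config uses these exact forms (some IOS releases display them differently).
REQUIRED_GLOBAL = [
    "spanning-tree mode rapid-pvst",
    "spanning-tree portfast default",
    "spanning-tree portfast bpduguard default",
]
REQUIRED_UNUSED = ["switchport mode access", "switchport access vlan 999", "shutdown"]
REQUIRED_TRUNK = [
    "switchport trunk encapsulation dot1q",
    "switchport mode trunk",
    "switchport nonegotiate",
]


def parse_config(text):
    """Split running-config text into global lines and per-interface line lists."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.strip() in ("", "!"):
            current = None  # "!" or a blank line closes an interface block
            continue
        match = re.match(r"interface (\S+)$", line)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit(text, unused_ports, trunk_ports):
    """Return a sorted list of (scope, missing_line) findings; empty means compliant."""
    global_lines, interfaces = parse_config(text)
    findings = [("global", req) for req in REQUIRED_GLOBAL if req not in global_lines]
    for ports, required in ((unused_ports, REQUIRED_UNUSED), (trunk_ports, REQUIRED_TRUNK)):
        for port in ports:
            have = interfaces.get(port, [])  # a port absent from the config fails every check
            findings += [(port, req) for req in required if req not in have]
    return sorted(findings)


# Constructed sample for an SW3-like switch. It is shortened to a few ports and
# contains three gaps on purpose: no BPDU Guard default, Ethernet1/0 left at its
# defaults, and Ethernet2/0 trunking without "switchport nonegotiate".
SAMPLE_SW3 = """\
spanning-tree mode rapid-pvst
spanning-tree portfast default
!
interface Ethernet1/0
!
interface Ethernet1/1
 switchport access vlan 999
 switchport mode access
 shutdown
!
interface Ethernet2/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Ethernet2/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
interface Ethernet3/0
 switchport access vlan 999
 switchport mode access
 shutdown
"""
SAMPLE_UNUSED = ["Ethernet1/0", "Ethernet1/1", "Ethernet3/0"]  # subset of E1/0-3, E3/0-3
SAMPLE_TRUNKS = ["Ethernet2/0", "Ethernet2/1"]                 # subset of E2/0-3

if __name__ == "__main__":
    for scope, missing in audit(SAMPLE_SW3, SAMPLE_UNUSED, SAMPLE_TRUNKS):
        print(f"{scope}: missing '{missing}'")
```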

Section 1.4 Implement Wan Technology


· The WAN links must rely on a layer 2 protocol that supports link negotiation and authentication.

· The service provider expects both R18 and R19 to complete the three-way handshake by providing the expected response to a challenge that is sent by R63

· R18 must use the username ACME-R18 and password CCIE

· R19 must use the username ACME-R19 and password CCIE

Answers
CPS_A1_ABHI_NAG_R18(config)#interface serial1/0
CPS_A1_ABHI_NAG_R18(config)# ip address 203.3.18.2 255.255.255.252
CPS_A1_ABHI_NAG_R18(config)# encapsulation ppp
CPS_A1_ABHI_NAG_R18(config)# ppp chap hostname ACME-R18
CPS_A1_ABHI_NAG_R18(config)# ppp chap password CCIE
CPS_A1_ABHI_NAG_R18(config)# no shutdown

CPS_A1_ABHI_NAG_R18#ping 203.3.18.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.3.18.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/8/9 ms
CPS_A1_ABHI_NAG_R18#

CPS_A1_ABHI_NAG_R18#show ip route | i 203


203.3.28.0/24 is variably subnetted, 3 subnets, 2 masks
C 203.3.18.0/30 is directly connected,serial1/0
C 203.3.18.1/32 is directly connected,serial1/0
L 203.3.18.2/32 is directly connected,serial1/0
CPS_A1_ABHI_NAG_R18#

Did you notice the host route for the PE interface? Generally it is not recommended when the two PPP peers have IP addresses in the same subnet. We can disable it with the command no peer neighbor-route:

CPS_A1_ABHI_NAG_R18(config)#interface serial1/0
CPS_A1_ABHI_NAG_R18(config-if)#shutdown
CPS_A1_ABHI_NAG_R18(config-if)# no peer neighbor-route
CPS_A1_ABHI_NAG_R18(config-if)#no shutdown

CPS_A1_ABHI_NAG_R18#ping 203.3.18.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.3.18.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 9/9/10 ms
CPS_A1_ABHI_NAG_18#

CPS_A1_ABHI_NAG_18#show ip route | i 203

203.3.18.0/24 is variably subnetted, 2 subnets, 2 masks
C 203.3.18.0/30 is directly connected,serial1/0
L 203.3.18.0/32 is directly connected,serial1/0
CPS_A1_ABHI_NAG_18#

CPS_A1_ABHI_NAG_19(config)#interface serial1/0
CPS_A1_ABHI_NAG_19(config-if)#ip address 203.3.19.2 255.255.255.252
CPS_A1_ABHI_NAG_19(config-if)# encapsulation ppp
CPS_A1_ABHI_NAG_19(config-if)# ppp chap hostname ACME-R19
CPS_A1_ABHI_NAG_19(config-if)# ppp chap password CCIE
CPS_A1_ABHI_NAG_19(config-if)# no peer neighbor-route
CPS_A1_ABHI_NAG_19(config-if)# no shutdown

CPS_A1_ABHI_NAG_19#ping 203.3.19.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP echos to 203.3.19.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 15/17/19 ms
CPS_A1_ABHI_NAG_19#

CPS_A1_ABHI_NAG_19#show ip route | i 203


203.3.19.0/24 is variably subnetted, 2 subnets, 2 masks
C 203.3.19.0/30 is directly connected,serial1/0
L 203.3.19.0/32 is directly connected,serial1/0
CPS_A1_ABHI_NAG_19#

Solution verification

CPS_A1_ABHI_NAG_18#show ppp all


Interface/ID OPEN+ Nego* fail- stage Peer Address Peer Name
---------------------------------------------------
Se1/0 LCP+IPCP+CDPCP+ LocalT 203.3.18.1 AS20003
CPS_A1_ABHI_NAG_18#

CPS_A1_ABHI_NAG_18#show interface serial 1/0


Serial1/0 is up, line protocol is up
Hardware is M4T
Internet address is 103.3.18.2/30
MTU 1500 bytes, BW 1544 Kbit/sec, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, LCP Open
Open: IPCP, CDPCP, crc 16, loopback not set
Keepalive set (10 sec)
Restart-Delay is 0 secs
Last input 00:00:08, output 00:00:08, output hang never
Last clearing of "show interface" counters 00:09:47
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
208 packets input, 10326 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
207 packets output, 10469 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
1 carrier transitions DCD=up DSR=up DTR=up RTS=up CTS=up
CPS_A1_ABHI_NAG_R18#

CPS_A1_ABHI_NAG_19#show ppp all


Interface/ID OPEN+ Nego* fail- stage Peer Address Peer Name
---------------------------------------------------
Se1/0 LCP+IPCP+CDPCP+ LocalT 203.3.19.1 AS20003
CPS_A1_ABHI_NAG_19#

CPS_A1_ABHI_NAG_19#show interface serial 1/0


Serial1/0 is up, line protocol is up
Hardware is M4T
Internet address is 103.3.19.2/30
MTU 1500 bytes, BW 1544 Kbit/sec, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, LCP Open
Open: IPCP, CDPCP, crc 16, loopback not set
Keepalive set (10 sec)
Restart-Delay is 0 secs
Last input 00:00:04, output 00:00:04, output hang never
Last clearing of "show interface" counters 00:02:16
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
61 packets input, 3589 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
60 packets output, 3632 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions DCD=up DSR=up DTR=up RTS=up CTS=up
CPS_A1_ABHI_NAG_R19#
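
The three-way handshake that Section 1.4 requires (challenge from R63, response from R18/R19, success or failure) is CHAP as defined in RFC 1994; the sketch below is an added example, not part of the original lab answers, showing both sides' messages and why the hostname and password must match exactly what the provider expects. The authenticator name `R63` used as the CHAP name and the helper names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4  # CHAP codes from RFC 1994


def build_packet(code, ident, value, name):
    """Encode a Challenge/Response: Code, Identifier, Length, Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_packet(packet):
    """Decode a Challenge/Response into (code, ident, value, name), validating lengths."""
    if len(packet) < 5:
        raise ValueError("truncated CHAP packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 5 or length > len(packet):
        raise ValueError("bad Length field")
    size = packet[4]
    if 5 + size > length:
        raise ValueError("Value-Size exceeds packet")
    return code, ident, packet[5:5 + size], packet[5 + size:length]


def chap_digest(ident, secret, challenge):
    """RFC 1994 response value: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Authenticator:
    """Service-provider side (R63 in the lab): issues challenges, checks responses."""

    def __init__(self, name, secrets):
        self.name, self.secrets, self.pending = name, secrets, {}

    def challenge(self, ident):
        value = os.urandom(16)          # fresh, unpredictable challenge each time
        self.pending[ident] = value
        return build_packet(CHALLENGE, ident, value, self.name)

    def verify(self, packet):
        code, ident, value, name = parse_packet(packet)
        challenge = self.pending.pop(ident, None)   # one answer per challenge
        secret = self.secrets.get(name)             # looked up by the peer's CHAP name
        ok = (code == RESPONSE and challenge is not None and secret is not None
              and hmac.compare_digest(value, chap_digest(ident, secret, challenge)))
        return SUCCESS if ok else FAILURE


def respond(packet, hostname, secret):
    """Customer side (R18/R19): what `ppp chap hostname` / `ppp chap password` produce."""
    code, ident, challenge, _peer = parse_packet(packet)
    if code != CHALLENGE:
        raise ValueError("not a challenge")
    return build_packet(RESPONSE, ident, chap_digest(ident, secret, challenge), hostname)


def demo():
    """Run four exchanges against an authenticator holding the lab's two accounts."""
    r63 = Authenticator(b"R63", {b"ACME-R18": b"CCIE", b"ACME-R19": b"CCIE"})
    results = {
        "r18": r63.verify(respond(r63.challenge(1), b"ACME-R18", b"CCIE")),
        # The password is case-sensitive: the secret never crosses the link, only its hash.
        "wrong_password": r63.verify(respond(r63.challenge(2), b"ACME-R19", b"ccie")),
        # A hostname the provider does not know fails even with the right password.
        "unknown_name": r63.verify(respond(r63.challenge(3), b"ACME-19", b"CCIE")),
    }
    # A captured response is useless against a later challenge with the same identifier.
    old = respond(r63.challenge(4), b"ACME-R18", b"CCIE")
    r63.verify(old)
    r63.challenge(4)
    results["replay"] = r63.verify(old)
    return results


if __name__ == "__main__":
    names = {SUCCESS: "Success", FAILURE: "Failure"}
    for case, code in demo().items():
        print(f"{case}: {names[code]}")
```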

Section 2.1 OSPF in AS12345

Configure OSPFv2 area 0 in ACME HQ (AS12345) according to the following requirements

· Configure the OSPF process ID to 12345 and set the router ID to interface lo0 on all seven routers

· The interface lo0 at each router must be seen as an internal OSPF prefix by all other routers

· Ensure that OSPF is not running on any interface that is facing another AS. Use any method to accomplish this requirement

· SW1 and SW2 must not participate in routing at all

· Do not change the default OSPF cost of any interface in AS12345

· R1 must see the following OSPF routes in the routing table


R1# sh ip route OSPF

123.0.0.0/8 is variably subnetted, 17 subnets, 2 masks

O 123.2.2.2/32 [110/21] via 123.10.1.1 4d20h ethernet e0/2


O 123.3.3.3/32 [110/21] via 123.10.1.6 4d20h ethernet e0/1
O 123.4.4.4/32 [110/21] via 123.10.1.1 4d20h ethernet e0/2
O 123.5.5.5/32 [110/21] via 123.10.1.6 4d20h ethernet e0/1
O 123.6.6.6/32 [110/21] via 123.10.1.1 4d20h ethernet e0/2
O 123.7.7.7/32 [110/21] via 123.10.1.6 4d20h ethernet e0/1
O 123.10.1.8/30 [110/30] via 123.10.1.6 4d20h ethernet e0/1
[110/30] via 123.10.1.1 4d20h ethernet e0/2
O 123.10.1.12/30 [110/20] via 123.10.1.6 4d20h ethernet e0/1
O 123.10.1.16/30 [110/20] via 123.10.1.1 4d20h ethernet e0/2
O 123.10.1.20/30 [110/20] via 123.10.1.1 4d20h ethernet e0/2
O 123.10.1.24/30 [110/30] via 123.10.1.6 4d20h ethernet e0/1
[110/30] via 123.10.1.1 4d20h ethernet e0/2
O 123.10.1.28/30 [110/20] via 123.10.1.6 4d20h ethernet e0/1

R1#
R1#ping 123.10.1.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R1#
R1(config-router)#router ospf 12345
R1(config-router)#router-id 123.1.1.1
R1(config-router)#net 0.0.0.0 255.255.255.255 area 0
R1(config-router)#end

R1#sh ip ospf int brief


Interface PID Area IP Address/Mask Cost State Nbrs F/C
Lo0 12345 0 123.1.1.1/32 1 WAIT LOOP0 0/0
Et0/2 12345 0 123.10.1.5/30 10 WAIT 0/0
Et0/1 12345 0 123.10.1.1/30 10 WAIT 0/0
R1#

R2#ping 123.10.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R2#

R2#ping 123.10.1.18
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.18, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R2#

R2(config-router)#router ospf 12345


R2(config-router)#router-id 123.2.2.2
R2(config-router)#net 123.2.2.2 0.0.0.0 area 0
R2(config-router)#net 123.10.1.9 0.0.0.0 area 0
R2(config-router)#net 123.10.1.17 0.0.0.0 area 0
R2(config-router)#end

R2#sh ip ospf int brief


Interface PID Area IP Address/Mask Cost State Nbrs F/C
Lo0 12345 0 123.2.2.2/32 1 WAIT LOOP0 0/0
Et0/2 12345 0 123.10.1.17/30 10 WAIT 0/0
Et0/1 12345 0 123.10.1.9/30 10 WAIT 0/0
R2#

R3#ping 123.10.1.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R3#

R3#ping 123.10.1.14
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.18, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R3#

R3(config-router)#router ospf 12345


R3(config-router)#router-id 123.3.3.3
R3(config-router)#net 123.3.3.3 0.0.0.0 area 0
R3(config-router)#net 123.10.1.10 0.0.0.0 area 0
R3(config-router)#net 123.10.1.13 0.0.0.0 area 0
R3(config-router)#end

R3#sh ip ospf int brief


Interface PID Area IP Address/Mask Cost State Nbrs F/C
Lo0 12345 0 123.3.3.3/32 1 WAIT LOOP0 0/0
Et0/2 12345 0 123.10.1.13/30 10 WAIT 0/0
Et0/1 12345 0 123.10.1.10/30 10 BDR 0/0

R3#sh ip ospf neighbor


Neighbor ID Pri State Dead Time Address Interface
123.2.2.2 1 FULL/DR 00.00.36 123.10.1.9 Ethernet0/1

R4#ping 123.10.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R4#

R4#ping 123.10.1.17
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.17, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R4#

R4#ping 123.10.1.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R4#

R4(config-router)#router ospf 12345


R4(config-router)#router-id 123.4.4.4
R4(config-router)#net 0.0.0.0 255.255.255.255 area 0
R4(config-router)#end

R4#sh ip ospf int brief


Interface PID Area IP Address/Mask Cost State Nbrs F/C
Lo0 12345 0 123.4.4.4/32 1 WAIT LOOP0 0/0
Et0/2 12345 0 123.10.1.21/30 10 WAIT 1/1
Et0/1 12345 0 123.10.1.18/30 10 BDR 1/1
Et0/0 12345 0 123.10.1.2/30 10 BDR 1/1

R4#sh ip ospf neighbor


Neighbor ID Pri State Dead Time Address Interface
123.2.2.2 1 FULL/DR 00.00.36 123.10.1.17 Ethernet0/1
123.1.1.1 1 FULL/DR 00.00.36 123.10.1.1 Ethernet0/0
R4#

R5#ping 123.10.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R5#

R5#ping 123.10.1.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R5#

R5#ping 123.10.1.30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.30, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R5#

R5(config-router)#router ospf 12345


R5(config-router)#router-id 123.5.5.5
R5(config-router)#net 0.0.0.0 255.255.255.255 area 0
R5(config-router)#end

R5#sh ip ospf int brief


Interface PID Area IP Address/Mask Cost State Nbrs F/C
Lo0 12345 0 123.5.5.5/32 1 WAIT LOOP0 0/0
Et0/2 12345 0 123.10.1.14/30 10 WAIT 1/1
Et0/1 12345 0 123.10.1.6/30 10 BDR 1/1
Et0/0 12345 0 123.10.1.29/30 10 BDR 1/1

R5#sh ip ospf neighbor


Neighbor ID Pri State Dead Time Address Interface
123.3.3.3 1 FULL/DR 00.00.36 123.10.1.17 Ethernet0/2
123.1.1.1 1 FULL/DR 00.00.36 123.10.1.1 Ethernet0/1
R5#

R6#ping 123.10.1.26
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.26, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R6#

R6#ping 123.10.1.21
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.21, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R6#

R6(config-router)#router ospf 12345


R6(config-router)#router-id 123.6.6.6
R6(config-router)#net 0.0.0.0 255.255.255.255 area 0
R6(config-router)#end

R6#sh ip ospf int brief


Interface PID Area IP Address/Mask Cost State Nbrs F/C
Lo0 12345 0 123.6.6.6/32 1 WAIT LOOP0 0/0
Et0/2 12345 0 123.10.1.22/30 10 WAIT 1/1
Et0/1 12345 0 123.10.1.25/30 10 BDR 1/1

R6#sh ip ospf neighbor


Neighbor ID Pri State Dead Time Address Interface
123.4.4.4 1 FULL/DR 00.00.36 123.10.1.21 Ethernet0/2
R6#

R7#ping 123.10.1.25
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.25, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R7#

R7#ping 123.10.1.29
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.29, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R7#

R7(config-router)#router ospf 12345


R7(config-router)#router-id 123.7.7.7
R7(config-router)#net 0.0.0.0 255.255.255.255 area 0
R7(config-router)#end

R7#sh ip ospf int brief


Interface PID Area IP Address/Mask Cost State Nbrs F/C
Lo0 12345 0 123.7.7.7/32 1 WAIT LOOP0 0/0
Et0/2 12345 0 123.10.1.30/30 10 WAIT 1/1
Et0/1 12345 0 123.10.1.26/30 10 BDR 1/1

R7#sh ip ospf neighbor


Neighbor ID Pri State Dead Time Address Interface
123.5.5.5 1 FULL/DR 00.00.36 123.10.1.29 Ethernet0/2
123.6.6.6 1 FULL/DR 00.00.36 123.10.1.25 Ethernet0/1
R7#

From here, show the routing table of each device and ping the loopbacks of all devices, sourcing from the loopbacks.

SECTION 2.2 - EIGRP IN AS34567


Configure EIGRP for IPv4 in the New York office (AS34567) according to the following requirements

· The EIGRP AS is 34567

· The interface lo0 must be seen as an internal EIGRP prefix by all other routers

· Ensure that EIGRP is not running on any interface that is facing another AS. Use any method to accomplish this

· Using a single command on one switch only, ensure that R8 installs two equal-cost routes for the following three paths

· vlan 411

· int lo0 at SW4

· int lo0 at R11

· Using a single command on one switch only, ensure that R9 installs two equal-cost routes for the following three paths

· vlan 310

· int lo0 at SW3

· int lo0 at R10

2.2 SOLUTION: IMPLEMENTING EIGRP IN BGP AS 34567


R8#ping 123.10.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R8#

R8#ping 123.10.2.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R8#

R8(config-router)#router eigrp CCIE


R8(config-router)#address-family ipv4 unicast autonomous-system 34567
R8(config-router)#net 123.8.8.8 0.0.0.0
R8(config-router)#net 123.10.2.1 0.0.0.0
R8(config-router)#net 123.10.2.5 0.0.0.0
R8(config-router)#end

R8#sh ip eigrp interfaces


EIGRP-IPv4 VR(CCIE) Address-Family Interfaces for AS(34567)
Xmit Queue PeerQ Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable Un/Reliable SRTT Un/Reliable Flow Timer Routes
Lo0 0 0/0 0/0 0 0/0 0 0
Et0/2 0 0/0 0/0 0 0/0 0 0
Et0/1 0 0/0 0/0 0 0/0 0 0
R8#

R8#sh ip eigrp neighbors
EIGRP-IPv4 VR(CCIE) Address-Family Neighbors for AS(34567)
R8#

R9#ping 123.10.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R9#

R9#ping 123.10.2.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R9#

R9(config-router)#router eigrp CCIE


R9(config-router)#address-family ipv4 unicast autonomous-system 34567
R9(config-router)#net 123.9.9.9 0.0.0.0
R9(config-router)#net 123.10.2.2 0.0.0.0
R9(config-router)#net 123.10.2.9 0.0.0.0
R9(config-router)#end

R9#sh ip eigrp interfaces


EIGRP-IPv4 VR(CCIE) Address-Family Interfaces for AS(34567)
Xmit Queue PeerQ Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable Un/Reliable SRTT Un/Reliable Flow Timer Routes
Lo0 0 0/0 0/0 0 0/0 0 0
Et0/2 0 0/0 0/0 0 0/0 0 0
Et0/1 0 0/0 0/0 0 0/0 0 0
R9#

R9#sh ip eigrp neighbors


EIGRP-IPv4 VR(CCIE) Address-Family Neighbors for AS(34567)
H Address Interfaces Hold Uptime SRTT RTO Q Seq
0 123.10.2.1 E0/1 13 00:00:39 11 100 0 4
R9#

R10#ping 123.10.2.17
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.17, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R10#

R10#ping 123.10.2.26
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.26, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R10#

R10(config-router)#router eigrp CCIE


R10(config-router)#address-family ipv4 unicast autonomous-system 34567
R10(config-router)#net 123.10.10.10 0.0.0.0
R10(config-router)#net 123.10.2.18 0.0.0.0
R10(config-router)#net 123.10.2.25 0.0.0.0
R10(config-router)#end

R10#sh ip eigrp interfaces


EIGRP-IPv4 VR(CCIE) Address-Family Interfaces for AS(34567)
Xmit Queue PeerQ Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable Un/Reliable SRTT Un/Reliable Flow Timer Routes
Lo0 0 0/0 0/0 0 0/0 0 0
Et0/2 0 0/0 0/0 0 0/0 0 0
Et0/1 0 0/0 0/0 0 0/0 0 0
R10#

R10#sh ip eigrp neighbors


EIGRP-IPv4 VR(CCIE) Address-Family Neighbors for AS(34567)
R10#

R11#ping 123.10.2.25
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.25, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R11#

R11#ping 123.10.2.21
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.21, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R11#

R11(config-router)#router eigrp CCIE


R11(config-router)#address-family ipv4 unicast autonomous-system 34567
R11(config-router)#net 123.11.11.11 0.0.0.0
R11(config-router)#net 123.10.2.22 0.0.0.0
R11(config-router)#net 123.10.2.26 0.0.0.0
R11(config-router)#end

R11#sh ip eigrp interfaces


EIGRP-IPv4 VR(CCIE) Address-Family Interfaces for AS(34567)
Xmit Queue PeerQ Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable Un/Reliable SRTT Un/Reliable Flow Timer Routes
Lo0 0 0/0 0/0 0 0/0 0 0
Et0/2 0 0/0 0/0 0 0/0 0 0
Et0/1 0 0/0 0/0 0 0/0 0 0
R11#

R11#sh ip eigrp neighbors


EIGRP-IPv4 VR(CCIE) Address-Family Neighbors for AS(34567)
H Address Interfaces Hold Uptime SRTT RTO Q Seq
0 123.10.2.25 E0/1 11 00:00:39 14 100 0 3
R11#

SW3#ping 123.10.2.14
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.14, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
SW3#

SW3#ping 123.10.2.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
SW3#

SW3#ping 123.10.2.18
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.18, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
SW3#

SW3(config-router)#router eigrp CCIE
SW3(config-router)#address-family ipv4 unicast autonomous-system 34567
SW3(config-router)#net 123.33.33.33 0.0.0.0
SW3(config-router)#net 123.10.2.6 0.0.0.0
SW3(config-router)#net 123.10.2.13 0.0.0.0
SW3(config-router)#net 123.10.2.17 0.0.0.0
SW3(config-router)#end

SW3#sh ip eigrp interfaces
EIGRP-IPv4 VR(CCIE) Address-Family Interfaces for AS(34567)
Xmit Queue PeerQ Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable Un/Reliable SRTT Un/Reliable Flow Timer Routes
Lo0 0 0/0 0/0 0 0/0 0 0
Vl38 1 0/0 0/0 0 0/0 0 0
Vl34 0 0/0 0/0 0 0/0 0 0
Vl310 1 0/0 0/0 0 0/0 0 0
SW3#

SW3#sh ip eigrp neighbors


EIGRP-IPv4 VR(CCIE) Address-Family Neighbors for AS(34567)
H Address Interfaces Hold Uptime SRTT RTO Q Seq
0 123.10.2.18 Vl310 11 00:00:39 14 100 0 3
1 123.10.2.5 Vl38 11 00:00:39 14 100 0 3
SW3#

SW4#ping 123.10.2.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
SW4#

SW4#ping 123.10.2.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
SW4#

SW4#ping 123.10.2.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
SW4#
SW4(config-router)#router eigrp CCIE
SW4(config-router)#net 123.44.44.44 0.0.0.0
SW4(config-router)#net 123.10.2.10 0.0.0.0
SW4(config-router)#net 123.10.2.14 0.0.0.0
SW4(config-router)#net 123.10.2.21 0.0.0.0
SW4(config-router)#end

SW4#sh ip eigrp interfaces


EIGRP-IPv4 VR(CCIE) Address-Family Interfaces for AS(34567)
Xmit Queue PeerQ Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable Un/Reliable SRTT Un/Reliable Flow Timer Routes
Lo0 0 0/0 0/0 0 0/0 0 0
Vl38 1 0/0 0/0 0 0/0 0 0
Vl34 0 0/0 0/0 0 0/0 0 0
Vl310 1 0/0 0/0 0 0/0 0 0
SW4#

SW4#sh ip eigrp neighbors


SW4#

<<<<please show all eigrp neighbors and routing tables and ping all loopbacks source from lo0 of all devices to compare>>>>>>

SECTION 2.3 - EIGRP IN AS45678


Configure EIGRP in AS45678 according to the following requirements

· The EIGRP AS is 45678

· The interface lo0 must be seen as an internal EIGRP prefix by all other routers

· Ensure that EIGRP is not running on any interface that is facing another AS; use any method to accomplish this requirement

· SW5 and SW6 are layer 3 switches and must be configured for EIGRP

· On all three routers (R15, R16, R17), use the 64-bit version of EIGRP

· Do not change the interface bandwidth on any physical interface in AS45678

2.3 SOLUTION:::: Implementing EIGRP in BGP AS 45678


R15#ping 123.20.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.20.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R15#

R15#ping 123.20.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R15#

R15#ping 123.20.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R15#

R15#ping 123.10.2.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R15#

R15(config-router)#router eigrp CCIE


R15(config-router)#address-family ipv4 unicast autonomous-system 45678
R15(config-router)#net 123.15.15.15 0.0.0.0
R15(config-router)#net 123.20.1.1 0.0.0.0
R15(config-router)#net 123.20.1.9 0.0.0.0
R15(config-router)#end

R15#sh ip eigrp interfaces


EIGRP-IPv4 VR(CCIE) Address-Family Interfaces for AS(34567)
Xmit Queue PeerQ Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable Un/Reliable SRTT Un/Reliable Flow Timer Routes
Lo0 0 0/0 0/0 0 0/0 0 0
Et0/1 2 0/0 0/0 0 0/0 0 0
Et0/2 0 0/0 0/0 0 0/0 0 0
R15#

R15#sh ip eigrp neighbors


EIGRP-IPv4 VR(CCIE) Address-Family Neighbors for AS(45678)
H Address Interfaces Hold Uptime SRTT RTO Q Seq
0 123.20.1.3 Et0/1 13 00:00:39 14 100 0 7
1 123.20.1.2 Et0/1 14 00:00:39 14 100 0 7
R15#

R16#ping 123.20.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R16#

R16#ping 123.10.2.18
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.18, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R16#

R16(config-router)#router eigrp CCIE


R16(config-router)#address-family ipv4 unicast autonomous-system 45678
R16(config-router)#net 123.16.16.16 0.0.0.0
R16(config-router)#net 123.20.1.2 0.0.0.0
R16(config-router)#net 123.20.1.17 0.0.0.0
R16(config-router)#end

R16#sh ip eigrp interfaces


EIGRP-IPv4 VR(CCIE) Address-Family Interfaces for AS(34567)
Xmit Queue PeerQ Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable Un/Reliable SRTT Un/Reliable Flow Timer Routes
Lo0 0 0/0 0/0 0 0/0 0 0
Et0/1 2 0/0 0/0 0 0/0 0 0
Et0/2 0 0/0 0/0 0 0/0 0 0
R16#

R16#sh ip eigrp neighbors


EIGRP-IPv4 VR(CCIE) Address-Family Neighbors for AS(45678)
H Address Interfaces Hold Uptime SRTT RTO Q Seq
0 123.20.1.1 Et0/1 13 00:00:39 14 100 0 7
1 123.20.1.3 Et0/1 14 00:00:39 14 100 0 7
R16#

R17#ping 123.20.1.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R17#

R17#ping 123.10.2.17
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.17, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R17#

R17(config-router)#router eigrp CCIE


R17(config-router)#address-family ipv4 unicast autonomous-system 45678
R17(config-router)#net 123.17.17.17 0.0.0.0
R17(config-router)#net 123.20.1.10 0.0.0.0
R17(config-router)#net 123.20.1.18 0.0.0.0
R17(config-router)#end

R17#sh ip eigrp interfaces


EIGRP-IPv4 VR(CCIE) Address-Family Interfaces for AS(34567)
Xmit Queue PeerQ Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable Un/Reliable SRTT Un/Reliable Flow Timer Routes
Lo0 0 0/0 0/0 0 0/0 0 0
Et0/1 1 0/0 0/0 0 0/0 0 0
Et0/2 1 0/0 0/0 0 0/0 0 0
R17#

R17#sh ip eigrp neighbors


EIGRP-IPv4 VR(CCIE) Address-Family Neighbors for AS(45678)
H Address Interfaces Hold Uptime SRTT RTO Q Seq
0 123.20.1.17 Et0/1 13 00:00:39 14 100 0 7
1 123.20.1.9 Et0/2 14 00:00:39 14 100 0 7
R17#

SW5(config-router)#router eigrp CCIE


SW5(config-router)#net 123.55.55.55 0.0.0.0
SW5(config-router)#net 123.20.1.1 0.0.0.0
SW5(config-router)#end
SW5#

SW5#sh ip eigrp neighbors


EIGRP-IPv4 VR(CCIE) Address-Family Neighbors for AS(34567)
H Address Interfaces Hold Uptime SRTT RTO Q Seq
0 123.20.1.1 Vl55 11 00:00:39 14 100 0 3
1 123.20.1.2 Vl55 11 00:00:39 14 100 0 3
SW5#

SW6(config-router)#router eigrp CCIE


SW6(config-router)#net 123.66.66.66 0.0.0.0
SW6(config-router)#net 123.20.1.11 0.0.0.0
SW6(config-router)#end
SW6#

<<<<<please verify by checking neighborship and pings and routing table>>>>>>>

Section 2.4 EIGRP in AS 65222


· The EIGRP AS is 45678

· The interface lo0 at each router must be seen as an internal EIGRP prefix by all other routers

· Ensure that EIGRP is not running on any interface that is facing another AS; use any method to accomplish this requirement

· R17 is the DMVPN hub and R18 and R19 are the spokes; use the pre-configured tunnel 0

2.4 SOLUTION::: Implementing EIGRP in BGP AS 65222


R17# sh run int tun 0
int tunnel 0
bandwidth 1000
ip address 123.20.1.25 255.255.255.248
no ip redirects
tunnel source Ethernet0/0
tunnel mode gre multipoint
end
R17#

R17(config-router)#router eigrp CCIE


R17(config-router)#address-family ipv4 unicast autonomous-system 45678
R17(config-router)#net 123.20.1.25 0.0.0.0
R17(config-router)#end

R18# sh run int tun 0


int tunnel 0
bandwidth 1000
ip address 123.20.1.26 255.255.255.248
no ip redirects
tunnel source SERIAL1/0
tunnel mode gre multipoint
end
R18#

R18(config-router)#router eigrp CCIE


R18(config-router)#address-family ipv4 unicast autonomous-system 45678
R18(config-router)#net 123.18.18.18 0.0.0.0
R18(config-router)#net 123.20.1.26 0.0.0.0
R18(config-router)#net 10.1.18.1 0.0.0.0
R18(config-router)#end

R19# sh run int tun 0


int tunnel 0
bandwidth 1000
ip address 123.20.1.27 255.255.255.248
no ip redirects
tunnel source SERIAL1/0
tunnel mode gre multipoint
end
R19#

R19(config-router)#router eigrp CCIE


R19(config-router)#address-family ipv4 unicast autonomous-system 45678
R19(config-router)#net 123.19.19.19 0.0.0.0
R19(config-router)#net 123.20.1.27 0.0.0.0
R19(config-router)#net 10.1.19.1 0.0.0.0
R19(config-router)#end

Section 2.5 BGP in AS 12345

BGP is partially configured in ACME headquarters, complete the config as required

Configure the BGP in ACME’s HQ (AS 12345) according to the following requirements

· R4 and R5 must not establish any BGP session at any time

· All BGP routers must use their int lo0 as their router-id

· Disable the default ipv4 unicast address family for peering session establishment in all BGP routers

· R1 must be the ipv4 route-reflector for BGP AS12345

Configure eBGP between ACME's San Francisco and San Jose sites according to the following requirements

· R20 is the CE router and uses eBGP to connect to the managed services that are provided by the PE routers R2 and R3



· R20 must establish separate eBGP peerings with both R2 and R3 for every V

· R20 must advertise the following prefix to all the BGP peers
123.0.0.0/8 summary-only
10.0.0.0/8 summary-only

· R20 must advertise a default route to all of its BGP peers except to 10.120.99.1 and 10.120.99.5

2.5 SOLUTION::::Implementing BGP in BGP AS 12345

GREEN VPN. RD-65111:12 RT 12:12


BLUE VPN. RD-65111:13 RT 13:13
RED VPN. RD-65111:14 RT 14:14
YELLOW VPN. RD-45678:15 RT 15:15
INET VPN. RD-30000:99 RT 99:99

R1(config)#router bgp 12345


R1(config-router)#bgp router-id 123.1.1.1
R1(config-router)#no bgp default ipv4-unicast
R1(config-router)#neighbor IBGP peer-group
R1(config-router)#neighbor IBGP remote-as 12345
R1(config-router)#neighbor IBGP update-source loopback 0
R1(config-router)#neighbor 123.2.2.2 peer-group IBGP
R1(config-router)#neighbor 123.3.3.3 peer-group IBGP
R1(config-router)#neighbor 123.6.6.6 peer-group IBGP
R1(config-router)#neighbor 123.7.7.7 peer-group IBGP
R1(config-router)#address-family ipv4
R1(config-router-af)#neighbor 123.2.2.2 activate
R1(config-router-af)#neighbor 123.3.3.3 activate
R1(config-router-af)#neighbor 123.6.6.6 activate
R1(config-router-af)#neighbor 123.7.7.7 activate
R1(config-router-af)#neighbor IBGP route-reflector-client
R1(config-router-af)#exit-address-family
R1(config-router)#end


R2:
R2(config)#router bgp 12345
R2(config-router)#bgp router-id 123.2.2.2
R2(config-router)#no bgp default ipv4-unicast
R2(config-router)#neighbor 123.1.1.1 remote-as 12345
R2(config-router)#neighbor 123.1.1.1 update-source loopback 0
R2(config-router)#address-family ipv4
R2(config-router-af)#neighbor 123.1.1.1 activate
R2(config-router-af)#exit-address-family
R2(config-router-af)#end
R2#

R3:
R3(config)#router bgp 12345
R3(config-router)#bgp router-id 123.3.3.3
R3(config-router)#no bgp default ipv4-unicast
R3(config-router)#neighbor 123.1.1.1 remote-as 12345
R3(config-router)#neighbor 123.1.1.1 update-source loopback 0
R3(config-router)#address-family ipv4
R3(config-router-af)#neighbor 123.1.1.1 activate
R3(config-router-af)#exit-address-family
R3(config-router-af)#end
R3#

R6:
R6(config)#router bgp 12345
R6(config-router)#bgp router-id 123.6.6.6
R6(config-router)#no bgp default ipv4-unicast
R6(config-router)#neighbor 123.1.1.1 remote-as 12345
R6(config-router)#neighbor 123.1.1.1 update-source loopback 0
R6(config-router)#address-family ipv4
R6(config-router-af)#neighbor 123.1.1.1 activate
R6(config-router-af)#exit-address-family
R6(config-router-af)#end
R6#

R7:
R7(config)#router bgp 12345
R7(config-router)#bgp router-id 123.7.7.7
R7(config-router)#no bgp default ipv4-unicast
R7(config-router)#neighbor 123.1.1.1 remote-as 12345
R7(config-router)#neighbor 123.1.1.1 update-source loopback 0
R7(config-router)#address-family ipv4
R7(config-router-af)#neighbor 123.1.1.1 activate
R7(config-router-af)#exit-address-family
R7(config-router-af)#end
R7#

<<<<<sh bgp all summary in all devices>>>>>>>

::VRF CONFIGS::

R2:
R2(config)#router bgp 12345
R2(config-router)#address-family ipv4 vrf GREEN
R2(config-router-af)#neighbor 10.120.12.2 remote-as 65112
R2(config-router-af)#neighbor 10.120.12.2 activate
R2(config-router-af)#exit-address-family

R2(config-router)#address-family ipv4 vrf BLUE


R2(config-router-af)#neighbor 10.120.13.2 remote-as 65112
R2(config-router-af)#neighbor 10.120.13.2 activate
R2(config-router-af)#exit-address-family

R2(config-router)#address-family ipv4 vrf RED


R2(config-router-af)#neighbor 10.120.14.2 remote-as 65112
R2(config-router-af)#neighbor 10.120.14.2 activate
R2(config-router-af)#exit-address-family

R2(config-router)#address-family ipv4 vrf YELLOW


R2(config-router-af)#neighbor 10.120.15.2 remote-as 65112
R2(config-router-af)#neighbor 10.120.15.2 activate
R2(config-router-af)#exit-address-family

R2(config-router)#address-family ipv4 vrf INET


R2(config-router-af)#neighbor 10.120.99.2 remote-as 65112
R2(config-router-af)#neighbor 10.120.99.2 activate
R2(config-router-af)#exit-address-family

R3:
R3(config)#router bgp 12345
R3(config-router)#address-family ipv4 vrf GREEN
R3(config-router-af)#neighbor 10.120.12.6 remote-as 65112
R3(config-router-af)#neighbor 10.120.12.6 activate
R3(config-router-af)#exit-address-family

R3(config-router)#address-family ipv4 vrf BLUE


R3(config-router-af)#neighbor 10.120.13.6 remote-as 65112
R3(config-router-af)#neighbor 10.120.13.6 activate
R3(config-router-af)#exit-address-family

R3(config-router)#address-family ipv4 vrf RED


R3(config-router-af)#neighbor 10.120.14.6 remote-as 65112
R3(config-router-af)#neighbor 10.120.14.6 activate
R3(config-router-af)#exit-address-family

R3(config-router)#address-family ipv4 vrf YELLOW


R3(config-router-af)#neighbor 10.120.15.6 remote-as 65112
R3(config-router-af)#neighbor 10.120.15.6 activate
R3(config-router-af)#exit-address-family

R3(config-router)#address-family ipv4 vrf INET


R3(config-router-af)#neighbor 10.120.99.6 remote-as 65112
R3(config-router-af)#neighbor 10.120.99.6 activate
R3(config-router-af)#exit-address-family

R20:
R20(config)#router bgp 65112
R20(config-router)#net 10.0.0.0
R20(config-router)#net 123.0.0.0
R20(config-router)#auto-summary

R20(config-router)#neighbor 10.120.12.1 remote-as 12345


R20(config-router)#neighbor 10.120.13.1 remote-as 12345
R20(config-router)#neighbor 10.120.14.1 remote-as 12345
R20(config-router)#neighbor 10.120.15.1 remote-as 12345
R20(config-router)#neighbor 10.120.99.1 remote-as 12345
R20(config-router)#neighbor 10.120.12.5 remote-as 12345
R20(config-router)#neighbor 10.120.13.5 remote-as 12345
R20(config-router)#neighbor 10.120.14.5 remote-as 12345
R20(config-router)#neighbor 10.120.15.5 remote-as 12345
R20(config-router)#neighbor 10.120.99.5 remote-as 12345

R20(config-router)#neighbor 10.120.12.1 default-originate


R20(config-router)#neighbor 10.120.13.1 default-originate
R20(config-router)#neighbor 10.120.14.1 default-originate
R20(config-router)#neighbor 10.120.15.1 default-originate
R20(config-router)#neighbor 10.120.12.5 default-originate
R20(config-router)#neighbor 10.120.13.5 default-originate
R20(config-router)#neighbor 10.120.14.5 default-originate
R20(config-router)#neighbor 10.120.15.5 default-originate
R20(config-router)#end

<<<<<<<<<<<<<sho ip bgp on R20 and R3,sh bgp all summary,sh ip bgp vpnv4 all>>>>>>>>>>>>>>>>>

Section 2.6 BGP in AS 34567

BGP is partially pre-configured in ACME New York office, complete the config as required

Configure IBGP in AS 34567 according to the following requirements

· SW3 and SW4 must not establish any BGP session at any time

· All BGP routers must use their int lo0 as their router-id

· Configure full mesh IBGP peering between all four routers use any configuration method

· R9 must be selected as the preferred exit point for traffic destined to remote AS's

· R11 must be selected as the next preferred exit in case R9 fails

· No BGP speaker must use network statement under the BGP router config.

· Ensure that all the BGP nexthop is never marked as unreachable as long as int lo0 of the remote peer is known via IGP

Configure EIGRP in AS 34567 according to the following requirements

· All four BGP routers must establish eBGP peerings with their neighboring AS as shown in diagram 3 (BGP topology)

· All four BGP routers must redistribute EIGRP into BGP

· Ensure that R9 is the only router that sees the default as a BGP route and that all other routers (R8, R10, R11) see it as an EIGRP external

2.6 SOLUTION::: Implement BGP in BGP AS 34567:

R8:
R8(config)#router bgp 34567
R8(config-router)#bgp router-id 123.8.8.8
R8(config-router)#no bgp default ipv4-unicast

R8(config-router)#neighbor 123.9.9.9 remote-as 34567


R8(config-router)#neighbor 123.9.9.9 update-source loopback 0

R8(config-router)#neighbor 123.10.10.10 remote-as 34567


R8(config-router)#neighbor 123.10.10.10 update-source loopback 0

R8(config-router)#neighbor 123.11.11.11 remote-as 34567


R8(config-router)#neighbor 123.11.11.11 update-source loopback 0

R8(config-router)#address-family ipv4
R8(config-router-af)#neighbor 123.9.9.9 activate
R8(config-router-af)#neighbor 123.10.10.10 activate
R8(config-router-af)#neighbor 123.11.11.11 activate
R8(config-router-af)#exit-address-family
R8(config-router-af)#end
R8#

R9:
R9(config)#router bgp 34567
R9(config-router)#bgp router-id 123.9.9.9
R9(config-router)#no bgp default ipv4-unicast

R9(config-router)#neighbor 123.8.8.8 remote-as 34567


R9(config-router)#neighbor 123.8.8.8 update-source loopback 0

R9(config-router)#neighbor 123.10.10.10 remote-as 34567


R9(config-router)#neighbor 123.10.10.10 update-source loopback 0

R9(config-router)#neighbor 123.11.11.11 remote-as 34567


R9(config-router)#neighbor 123.11.11.11 update-source loopback 0

R9(config-router)#address-family ipv4
R9(config-router-af)#neighbor 123.8.8.8 activate
R9(config-router-af)#neighbor 123.10.10.10 activate
R9(config-router-af)#neighbor 123.11.11.11 activate
R9(config-router-af)#exit-address-family
R9(config-router-af)#end
R9#

R10:
R10(config)#router bgp 34567
R10(config-router)#bgp router-id 123.10.10.10
R10(config-router)#no bgp default ipv4-unicast

R10(config-router)#neighbor 123.8.8.8 remote-as 34567


R10(config-router)#neighbor 123.8.8.8 update-source loopback 0

R10(config-router)#neighbor 123.9.9.9 remote-as 34567


R10(config-router)#neighbor 123.9.9.9 update-source loopback 0

R10(config-router)#neighbor 123.11.11.11 remote-as 34567


R10(config-router)#neighbor 123.11.11.11 update-source loopback 0

R10(config-router)#address-family ipv4
R10(config-router-af)#neighbor 123.8.8.8 activate
R10(config-router-af)#neighbor 123.9.9.9 activate
R10(config-router-af)#neighbor 123.11.11.11 activate
R10(config-router-af)#exit-address-family
R10(config-router-af)#end
R10#

R11:
R11(config)#router bgp 34567
R11(config-router)#bgp router-id 123.11.11.11
R11(config-router)#no bgp default ipv4-unicast

R11(config-router)#neighbor 123.8.8.8 remote-as 34567


R11(config-router)#neighbor 123.8.8.8 update-source loopback 0

R11(config-router)#neighbor 123.9.9.9 remote-as 34567


R11(config-router)#neighbor 123.9.9.9 update-source loopback 0

R11(config-router)#neighbor 123.10.10.10 remote-as 34567


R11(config-router)#neighbor 123.10.10.10 update-source loopback 0

R11(config-router)#address-family ipv4
R11(config-router-af)#neighbor 123.8.8.8 activate
R11(config-router-af)#neighbor 123.9.9.9 activate
R11(config-router-af)#neighbor 123.10.10.10 activate
R11(config-router-af)#exit-address-family
R11(config-router-af)#end
R11#

R8:
R8(config)#router bgp 34567
R8(config-router)#neighbor 101.1.34.1 remote-as 10001

R8(config-router)#address-family ipv4
R8(config-router-af)#neighbor 101.1.34.1 activate
R8(config-router-af)#neighbor 123.9.9.9 next-hop-self
R8(config-router-af)#neighbor 123.10.10.10 next-hop-self
R8(config-router-af)#neighbor 123.11.11.11 next-hop-self
R8(config-router-af)#exit-address-family
R8(config-router-af)#end
R8#clear ip bgp * soft

R9:
R9(config)#router bgp 34567
R9(config-router)#neighbor 33.34.4.1 remote-as 30000
R9(config-router)#neighbor 102.1.34.1 remote-as 10002

R9(config-router)#address-family ipv4
R9(config-router-af)#neighbor 33.34.4.1 activate
R9(config-router-af)#neighbor 102.1.34.1 activate
R9(config-router-af)#neighbor 123.8.8.8 next-hop-self
R9(config-router-af)#neighbor 123.10.10.10 next-hop-self
R9(config-router-af)#neighbor 123.11.11.11 next-hop-self
R9(config-router-af)#exit-address-family
R9(config-router-af)#end
R9#clear ip bgp * soft

R10:
R10(config)#router bgp 34567
R10(config-router)#neighbor 201.1.34.1 remote-as 20001

R10(config-router)#address-family ipv4
R10(config-router-af)#neighbor 201.1.34.1 activate
R10(config-router-af)#neighbor 123.9.9.9 next-hop-self
R10(config-router-af)#neighbor 123.8.8.8 next-hop-self
R10(config-router-af)#neighbor 123.11.11.11 next-hop-self
R10(config-router-af)#exit-address-family
R10(config-router-af)#end
R10#clear ip bgp * soft

R11:
R11(config)#router bgp 34567
R11(config-router)#neighbor 33.34.3.1 remote-as 30000
R11(config-router)#neighbor 202.2.34.1 remote-as 20002

R11(config-router)#address-family ipv4
R11(config-router-af)#neighbor 33.34.3.1 activate
R11(config-router-af)#neighbor 202.2.34.1 activate
R11(config-router-af)#neighbor 123.8.8.8 next-hop-self
R11(config-router-af)#neighbor 123.10.10.10 next-hop-self
R11(config-router-af)#neighbor 123.9.9.9 next-hop-self
R11(config-router-af)#exit-address-family
R11(config-router-af)#end
R11#clear ip bgp * soft

<<<<<show ip bgp in all routers>>>>>>

R8:
R8(config)#router bgp 34567
R8(config-router)#address-family ipv4
R8(config-router-af)#redistribute eigrp 34567
R8(config-router-af)#end

R9:
R9(config)#router bgp 34567
R9(config-router)#address-family ipv4
R9(config-router-af)#redistribute eigrp 34567
R9(config-router-af)#end

R10:
R10(config)#router bgp 34567
R10(config-router)#address-family ipv4
R10(config-router-af)#redistribute eigrp 34567
R10(config-router-af)#end

R11:
R11(config)#router bgp 34567
R11(config-router)#address-family ipv4
R11(config-router-af)#redistribute eigrp 34567
R11(config-router-af)#end

R9:
R9(config)# ip prefix-list 1 permit 0.0.0.0/0
R9(config)#route-map 1 permit 1
R9(config-route-map)#match ip address prefix-list 1
R9(config-route-map)#exit

R9(config)#router eigrp CCIE


R9(config-router)#address-family ipv4 unicast autonomous-system 34567
R9(config-router-af)#topology base
R9(config-router-af-topology)#redistribute bgp 34567 metric 100000 10 255 1 1500 route-map 1
R9(config-router)#end

R11:
R11(config)# ip prefix-list 1 permit 0.0.0.0/0
R11(config)#route-map 1 permit 1
R11(config-route-map)#match ip address prefix-list 1
R11(config-route-map)#exit

R11(config)#router eigrp CCIE


R11(config-router)#address-family ipv4 unicast autonomous-system 34567
R11(config-router-af)#topology base
R11(config-router-af-topology)#redistribute bgp 34567 metric 100000 10 255 1 1500 route-map 1
R11(config-router)#end

<<<<on R8 and R9 and R10 and R11 do show ip route 0.0.0.0>>>>>>>>

:::R11 has issues, it is learning via BGP:::

R9(config)#route-map MYMAP permit 1


R9(config-route-map)#match ip address prefix-list 1
R9(config-route-map)#set local-preference 101
R9(config)#router bgp 34567
R9(config-router)#address-family ipv4
R9(config-router)#neighbor 33.34.4.1 route-map MYMAP in
R9(config-router)#end
R9# clear ip bgp * soft
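
Why R11 learns the default via BGP until R9 sets local-preference 101, worked as a small Python model (an added example, not part of the original lab solution). It assumes R11 also receives a default route from its own eBGP peer 33.34.3.1 and uses Cisco's default administrative distances (eBGP 20, EIGRP external 170, iBGP 200); the class and function names are illustrative.

```python
from dataclasses import dataclass

# Cisco IOS default administrative distances (lower wins in the routing table).
AD = {"ebgp": 20, "eigrp_external": 170, "ibgp": 200}

DEFAULT_LOCAL_PREF = 100  # IOS default when no policy sets it


@dataclass(frozen=True)
class BgpPath:
    neighbor: str   # peer the path was learned from
    session: str    # "ebgp" or "ibgp"
    local_pref: int = DEFAULT_LOCAL_PREF


def bgp_best_path(paths):
    """Simplified best-path selection: highest local preference first,
    then eBGP over iBGP. Weight, AS-path length, origin and MED are
    assumed equal (an assumption of this model)."""
    return max(paths, key=lambda p: (p.local_pref, p.session == "ebgp"))


def rib_winner(bgp_paths, eigrp_external):
    """Return the protocol that installs 0.0.0.0/0: the BGP best path
    competes with the EIGRP external route on administrative distance."""
    candidates = []
    if bgp_paths:
        candidates.append((AD[bgp_best_path(bgp_paths).session], "bgp"))
    if eigrp_external:
        candidates.append((AD["eigrp_external"], "eigrp_external"))
    return min(candidates)[1]


def default_route_sources(r9_inbound_local_pref):
    """Default-route source on each AS 34567 router for a given local
    preference applied by R9 to the default it receives from 33.34.4.1."""
    # R9's own eBGP path, and the same path as R9's iBGP peers receive it
    # (local preference is carried unchanged inside the AS).
    r9_ebgp = BgpPath("33.34.4.1", "ebgp", r9_inbound_local_pref)
    via_r9 = BgpPath("123.9.9.9", "ibgp", r9_inbound_local_pref)
    # Assumption: R11 also hears a default from its eBGP peer 33.34.3.1.
    r11_ebgp = BgpPath("33.34.3.1", "ebgp")
    bgp_tables = {
        "R8": [via_r9],
        "R9": [r9_ebgp],
        "R10": [via_r9],
        "R11": [via_r9, r11_ebgp],
    }
    # R9 redistributes the BGP default into EIGRP, so every other router
    # also holds an EIGRP external candidate for 0.0.0.0/0.
    return {
        router: rib_winner(paths, eigrp_external=(router != "R9"))
        for router, paths in bgp_tables.items()
    }


if __name__ == "__main__":
    for lp in (DEFAULT_LOCAL_PREF, 101):
        print(f"local-preference {lp} on R9:", default_route_sources(lp))
```

With the default local preference, R11 prefers its own eBGP path (distance 20) over the EIGRP external route; at 101 the iBGP path through R9 becomes R11's best BGP path, and its distance of 200 loses to EIGRP external at 170.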

Section 2.7 BGP in AS 45678 and 65222


Refer to diagram 3 (BGP routing)

Configure eBGP in ACME's APAC region (AS45678 and AS 65222) according to the following requirements

· SW5 and SW6 must not establish any BGP session at any time


· All BGP routers must use their int lo0 as their router-id

· No iBGP peering sessions are allowed in AS AS45678

· R15 must establish an EBGP peering with AS 10003 and must receive default route as well as other prefix.

· R15 must redistribute BGP into EIGRP and vice versa

· R15 must also advertise an aggregate prefix 123.20.1.0/24 to AS 1003 and must suppress all component prefixes

· R16, 17, 18, 19 must establish an eBGP peering with AS 20003 and must receive a default route as well as other prefix

· R15, 17 , 18 , 19 must not advertise any prefix to AS 20003

· As long as R15 is operational, R16, R17, R18, R19 must prefer the EIGRP default route over the EBGP default route

· Do not create any VRF anywhere in order to accomplish the above requirements

2.7 SOLUTION::::Implement BGP in BGP AS 45678 and 65222

R15:
R15(config)#router bgp 45678
R15(config-router)#bgp router-id 123.15.15.15
R15(config-router)#neighbor 103.2.45.1 remote-as 10003
R15(config-router)#aggregate-address 123.20.1.0 255.255.255.0 summary-only
R15(config-router)#redistribute eigrp 45678

R15(config)#router eigrp CCIE


R15(config-router)#address-family ipv4 unicast autonomous-system 45678
R15(config-router-af)#topology base
R15(config-router-af-topology)#redistribute bgp 45678 metric 100000 10 255 1 1500 route-map 1
R15(config-router-af-topology)#end

R16:
R16(config)#router bgp 45678
R16(config-router)#bgp router-id 123.16.16.16
R16(config-router)#neighbor 203.3.16.1 remote-as 20003
R16(config-router)#end

R17:
R17(config)#router bgp 45678
R17(config-router)#bgp router-id 123.17.17.17
R17(config-router)#neighbor 203.3.17.1 remote-as 20003
R17(config-router)#end

R18:
R18(config)#router bgp 45678
R18(config-router)#bgp router-id 123.18.18.18
R18(config-router)#neighbor 203.3.18.1 remote-as 20003
R18(config-router)#end

R19:
R19(config)#router bgp 45678
R19(config-router)#bgp router-id 123.19.19.19
R19(config-router)#neighbor 203.3.19.1 remote-as 20003
R19(config-router)#end

<<<NB: if R15 is not receiving default from SP it should receive after section 3.3 when R2/R3 form eBGP for yellow vrf needs further work.>>>>>

Section 2.8 BGP routing policies


Configure the ACME network as per the following requirements

· All ACME border routers in AS 12345 must filter the BGP prefixes that are advertised to their SP in VRF INET and must allow all prefixes that belong to class A 123.0.0.0/8, and all other VRF's must propagate all prefix

· All ACME border routers in AS 12345 must filter the BGP prefixes that are advertised to their SP and must allow only all prefixes that belong to the class A 123.0.0.0/8

· Do not use any route-map or access-list to accomplish the above requirements


· R13 must route traffic preferably via AS 20002, use any method to accomplish this requirement

· All three remote sites in AS 65111 must be able to ping 1.2.3.4 and traceroute must reveal the exact same path as shown in the following output

R12# ping 1.2.3.4 so lo0


!!!!!

R12# traceroute 1.2.3.4 so lo0


1. 201.1.12.1 [AS 65112]
2. 201.1.123.2 [AS 65112]
3. 10.120.12.1 [AS 65112] [MPLS: label 135 EXP 0]
4. 10.120.12.2 [AS 65112]
5. 10.120.99.5 [AS 65112]
6. 102.2.123.1 [AS 65112]
7. 33.10.2.1 [AS 65112]

2.8 SOLUTION:::: Implement BGP routing Policies


<<<to do with vpn section 3.1,3.2 and 3.3>>>

Section 2.9 IPV6 OSPF


Configure OSPFv3 in the ACME New York office as per the following requirements

· Configure the OSPF process id 1 and set the router-id as interface lo0

· Sw4 must be selected as the DR on vlan 34 and must have the best chance

· Sw3 must be selected as the backup DR on vlan 34 and must take over DR if SW4 is down

2.9 SOLUTION::::Implement IPV6 OSPF

SW3:
SW3(config)#ipv6 unicast-routing
SW3(config)#ipv6 router ospf 1
SW3(config-rtr)#router-id 123.33.33.33

SW3(config)#interface vlan 34
SW3(config-if)#ipv6 ospf 1 area 0
SW3(config-if)#ipv6 ospf priority 1

SW3(config)#interface vlan 310


SW3(config-if)#ipv6 ospf 1 area 10
SW3(config-if)#end

SW4:
SW4(config)#ipv6 unicast-routing
SW4(config)#ipv6 router ospf 1
SW4(config-rtr)#router-id 123.44.44.44

SW4(config)#interface vlan 34
SW4(config-if)#ipv6 ospf 1 area 0
SW4(config-if)#ipv6 ospf priority 255

SW4(config)#interface vlan 411


SW4(config-if)#ipv6 ospf 1 area 11
SW4(config-if)#end

R10:
R10(config)#ipv6 unicast-routing
R10(config)#ipv6 router ospf 1
R10(config-rtr)#router-id 123.10.10.10

R10(config)#interface ethernet 0/1


R10(config-if)#ipv6 ospf 1 area 10
R10(config-if)#end

R11:
R11(config)#ipv6 unicast-routing
R11(config)#ipv6 router ospf 1
R11(config-rtr)#router-id 123.11.11.11

R11(config)#interface ethernet 0/2


R11(config-if)#ipv6 ospf 1 area 11
R11(config-if)#end

Section 2.10 BGP for IPV6


Configure ACME network as per the following requirements

· Establish the four eBGP peering as indicated on "diagram IPV6 routing"

· Do not use the network command under the BGP address-family ipv6 on either R10 or R11

· Both regional SP will advertise the necessary prefixes

· Advertise the ipv6 prefix on interface E0/0 into BGP on both R12 and R14

· Configure your network such that any ipv6 that any user can communicate with any ipv6 user that is located and vice versa

· Do not use any static route or default route anywhere

· Use the following ping to verify your config

R12# ping 2001:CC1E:BEF:14:10:1:14::1 so E0/0

!!!!!

2.10 SOLUTION:::Implement IPV6 BGP

R10:
R10(config)#ipv6 unicast-routing
R10(config)#router bgp 34567
R10(config-router)#neighbor 2001:CC1E:BEF:10:201:1:34:1 remote-as 20001

R10(config-router)#address-family ipv6
R10(config-router-af)#neighbor 2001:CC1E:BEF:10:201:1:34:1 activate
R10(config-router-af)#redistribute ospf 1 match internal external
R10(config)#ipv6 router ospf 1
R10(config-rtr)#redistribute bgp 34567

R11:
R11(config)#ipv6 unicast-routing
R11(config)#router bgp 34567
R11(config-router)#neighbor 2001:CC1E:BEF:11:202:1:34:1 remote-as 20002

R11(config-router)#address-family ipv6
R11(config-router-af)#neighbor 2001:CC1E:BEF:11:202:1:34:1 activate
R11(config-router-af)#redistribute ospf 1 match internal external
R11(config)#ipv6 router ospf 1
R11(config-rtr)#redistribute bgp 34567

R12:
R12(config)#ipv6 unicast-routing
R12(config)#router bgp 65111
R12(config-router)#neighbor 2001:CC1E:BEF:12:201:1:12:1 remote-as 20001

R12(config-router)#address-family ipv6
R12(config-router-af)#neighbor 2001:CC1E:BEF:12:201:1:12:1 activate
R12(config-router-af)#network 2001:CC1E:BEF:12::/64
R12(config-rtr)#end

R14:
R14(config)#ipv6 unicast-routing
R14(config)#router bgp 65111
R14(config-router)#neighbor 2001:CC1E:BEF:14:202:2:14:1 remote-as 20002

R14(config-router)#address-family ipv6
R14(config-router-af)#neighbor 2001:CC1E:BEF:14:202:2:14:1 activate
R14(config-router-af)#network 2001:CC1E:BEF:14::/64
R14(config-rtr)#end

Section 2.11 Layer 3 multicast


Streaming server is connected in vlan 5 on sw5. Receivers are located at the DMVPN spokes R18 and R19

Configure the ACME network as per the following requirements

· Only network segments with active receivers that explicitly require the data must receive the multicast traffic

· Interface lo0 of R15 must be configured as RP

· Use a standard method of dynamically distributing the RP

· Both R16 and R17 must participate in the multicast routing



· To test configure int E0/0 of both R18 and R19 to join group 232.1.1.1
Sw5# ping 232.1.1.1 so vlan 5
reply to request 0 from 10.2.19.1 3ms
reply to request 0 from 10.2.18.1 4ms

2.11 SOLUTION::::Implement Layer3 Multicast

R15:
R15(config)#ip multicast-routing
R15(config)#interface ethernet 0/1
R15(config-if)#ip pim sparse-mode
R15(config-if)#interface ethernet 0/2
R15(config-if)#ip pim sparse-mode
R15(config-if)#interface lo0
R15(config-if)#ip pim sparse-mode
R15(config)#ip pim rp-candidate loopback 0
R15(config)#ip pim bsr-candidate loopback 0
R15(config)#exit

<<<sh ip pim interfaces,sh ip pim rp mapping>>>

SW1:
SW1(config)#ip multicast-routing
SW1(config)#interface vlan 55
SW1(config-if)#no shut
SW1(config-if)#ip pim sparse-mode
SW1(config-if)#interface vlan 5
SW1(config-if)#ip address 123.55.55.55 255.255.255.0
SW1(config-if)#no shut
SW1(config-if)#ip pim sparse-mode
SW1(config-if)#interface lo0
SW1(config-if)#ip pim sparse-mode
SW1(config)#exit

<<<sh ip pim interfaces,sh ip pim rp mapping>>>

SW2:
SW2(config)#ip multicast-routing
SW2(config)#interface vlan 66
SW2(config-if)#no shut
SW2(config-if)#ip pim sparse-mode
SW2(config-if)#interface vlan 6
SW2(config-if)#ip address 123.66.66.66 255.255.255.0
SW2(config-if)#no shut
SW2(config-if)#ip pim sparse-mode
SW2(config-if)#interface lo0
SW2(config-if)#ip pim sparse-mode
SW2(config)#exit

<<<sh ip pim interfaces,sh ip pim rp mapping>>>

R16:
R16(config)#ip multicast-routing
R16(config)#interface ethernet 0/1
R16(config-if)#ip pim sparse-mode
R16(config-if)#interface ethernet 0/2
R16(config-if)#ip pim sparse-mode
R16(config-if)#interface lo0
R16(config-if)#ip pim sparse-mode
R16(config)#exit

<<<sh ip pim interfaces,sh ip pim rp mapping>>>

R17:
R17(config)#ip multicast-routing
R17(config)#interface ethernet 0/1
R17(config-if)#ip pim sparse-mode
R17(config-if)#interface ethernet 0/2
R17(config-if)#ip pim sparse-mode
R17(config-if)#interface tunnel 0
R17(config-if)#ip pim sparse-mode
R17(config-if)#interface lo0
R17(config-if)#ip pim sparse-mode
R17(config)#exit

<<<sh ip pim interfaces,sh ip pim rp mapping>>>

R18:
R18(config)#ip multicast-routing
R18(config)#interface ethernet 0/0
R18(config-if)#ip igmp join-group 232.1.1.1
R18(config-if)#ip pim sparse-mode
R18(config-if)#!
R18(config-if)#interface tunnel 0
R18(config-if)#ip pim sparse-mode
R18(config-if)#!
R18(config-if)#interface lo0
R18(config-if)#ip pim sparse-mode
R18(config)#exit

<<<sh ip pim interfaces,sh ip pim rp mapping>>>

R19:
R19(config)#ip multicast-routing
R19(config)#interface ethernet 0/0
R19(config-if)#ip igmp join-group 232.1.1.1
R19(config-if)#ip pim sparse-mode
R19(config-if)#interface tunnel 0
R19(config-if)#ip pim sparse-mode
R19(config)#exit

<<<sh ip pim interfaces,sh ip pim rp mapping>>>

Section 3 VPN Technology


Refer to "diagram 3 BGP topology" and "diagram 4 VPN technology"

· The ACME HQ network (AS 12345) uses MPLS L3VPN in order to clearly separate remote site networks

· The ACME corporate security policies are centralized and enforced at the San Jose site (AS 65112) for all remote sites. The policies require that all traffic that is originated from any remote sites (with the exception of New York office)

· Configure MPLS L3 VPN in the ACME network according to the following requirements

· Enable LDP only on required interfaces on all seven routers in AS 12345

· Use the interface lo0 to establish LDP peerings

· Ensure that no MPLS interface that belongs to any router in AS 12345 is visible on a traceroute that originates outside of the AS

· R2, R3, R6 and R7 must be configured as PE routers

· R1, R4 and R5 must be configured as P routers



3.1 SOLUTION:::: Implement MPLS VPN-I

R1:
R1(config)#ip cef
R1(config)#mpls ip
R1(config)#mpls label protocol ldp
R1(config)#int lo0
R1(config-if)#mpls ip
R1(config-if)#int eth 0/1
R1(config-if)#mpls ip
R1(config-if)#int eth 0/2
R1(config-if)#mpls ip
R1(config-if)#end
R1#

R2:
R2(config)#ip cef
R2(config)#mpls ip
R2(config)#mpls label protocol ldp
R2(config)#int lo0
R2(config-if)#mpls ip
R2(config-if)#int eth 0/1
R2(config-if)#mpls ip
R2(config-if)#int eth 0/2
R2(config-if)#mpls ip
R2(config-if)#end
R2#

R3:
R3(config)#ip cef
R3(config)#mpls ip
R3(config)#mpls label protocol ldp
R3(config)#int lo0
R3(config-if)#mpls ip
R3(config-if)#int eth 0/1
R3(config-if)#mpls ip
R3(config-if)#int eth 0/2
R3(config-if)#mpls ip
R3(config-if)#end
R3#

R4:
R4(config)#ip cef
R4(config)#mpls ip
R4(config)#mpls label protocol ldp
R4(config)#int lo0
R4(config-if)#mpls ip
R4(config-if)#int eth 0/1
R4(config-if)#mpls ip
R4(config-if)#int eth 0/2
R4(config-if)#mpls ip
R4(config-if)#end
R4#

R5:
R5(config)#ip cef
R5(config)#mpls ip
R5(config)#mpls label protocol ldp
R5(config)#int lo0
R5(config-if)#mpls ip
R5(config-if)#int eth 0/1
R5(config-if)#mpls ip
R5(config-if)#int eth 0/2
R5(config-if)#mpls ip
R5(config-if)#end
R5#

R6:
R6(config)#ip cef
R6(config)#mpls ip
R6(config)#mpls label protocol ldp
R6(config)#int lo0
R6(config-if)#mpls ip
R6(config-if)#int eth 0/1
R6(config-if)#mpls ip
R6(config-if)#int eth 0/2
R6(config-if)#mpls ip
R6(config-if)#end
R6#

R7:
R7(config)#ip cef
R7(config)#mpls ip
R7(config)#mpls label protocol ldp
R7(config)#int lo0
R7(config-if)#mpls ip
R7(config-if)#int eth 0/1
R7(config-if)#mpls ip
R7(config-if)#int eth 0/2
R7(config-if)#mpls ip
R7(config-if)#end
R7#

3.2 MPLS VPN part 2


Refer to "diagram 3 BGP topology" and "diagram 4 VPN technology"
The global and regional service providers have agreed to transport the ACME VPN via PE to PE eBGP
peering that are already preconfigured. Complete all the config of mpls L3 VPN in the ACME network
according to the following requirements

· R1 must reflect VPNv4 prefixes from any PE to any other PE in AS 12345

· R2 and R3 must establish eBGP peering with both global SP (AS 10001 and AS 10002) for the following VRFs

· BLUE

· GREEN

· RED

· YELLOW

· INET

· R3 must establish an eBGP peering with the regional SP (AS 20001) for the following VRFs

· GREEN

· BLUE

· INET

· R7 must establish an eBGP peering with the regional SP (AS 20002) for the following VRFs

· BLUE

· RED

· INET

· All IP addresses used for eBGP peering must pass BGP's directly connected check

· No BGP speaker in AS 12345 may use the network or redistribute statement under any address-family of the BGP router config

· At the end of the exam scenario the interface E0/0 of the gateway router in any remote site must be able to connect to the int E0/0 of any other remote gateway that belongs to AS 65111 or AS 65222

· Use the following tests as examples of connectivity checks


R12# ping 10.2.19.1 so E0/0
!!!!!
R12# trace 10.2.19.1 so E0/0
(10 hops)

3.2 SOLUTION:::: Implement MPLS VPN-II


<<NB:CONFIGURE DMVPN (SEC 3.3) BEFORE THIS>>

R1:
R1(config)#router bgp 12345
R1(config-router)#address-family vpnv4
R1(config-router-af)#neighbor IBGP route-reflector-client
R1(config-router-af)#neighbor IBGP send-community extended
R1(config-router-af)#neighbor 123.2.2.2 activate
R1(config-router-af)#neighbor 123.3.3.3 activate
R1(config-router-af)#neighbor 123.6.6.6 activate
R1(config-router-af)#neighbor 123.7.7.7 activate
R1(config-router-af)#end
R1#

R2:
R2(config)#router bgp 12345
R2(config-router)#address-family vpnv4
R2(config-router-af)#neighbor 123.1.1.1 activate
R2(config-router-af)#neighbor 123.1.1.1 send-community extended
R2(config-router-af)#end
R2#

R3:
R3(config)#router bgp 12345
R3(config-router)#address-family vpnv4
R3(config-router-af)#neighbor 123.1.1.1 activate
R3(config-router-af)#neighbor 123.1.1.1 send-community extended
R3(config-router-af)#end
R3#

R6:
R6(config)#router bgp 12345
R6(config-router)#address-family vpnv4
R6(config-router-af)#neighbor 123.1.1.1 activate
R6(config-router-af)#neighbor 123.1.1.1 send-community extended
R6(config-router-af)#end
R6#

R7:
R7(config)#router bgp 12345
R7(config-router)#address-family vpnv4
R7(config-router-af)#neighbor 123.1.1.1 activate
R7(config-router-af)#neighbor 123.1.1.1 send-community extended
R7(config-router-af)#end
R7#

<<<<On R1, R2, R3, R6 and R7, run sh ip bgp vpnv4 all summary>>>>

R6:
R6(config)#router bgp 12345
R6(config-router)#address-family ipv4 vrf BLUE
R6(config-router-af)#neighbor 201.1.123.1 remote-as 20001
R6(config-router-af)#neighbor 201.1.123.1 activate
R6(config-router-af)#exit address-family

R6(config-router)#address-family ipv4 vrf GREEN


R6(config-router-af)#neighbor 201.1.123.1 remote-as 20001
R6(config-router-af)#neighbor 201.1.123.1 activate
R6(config-router-af)#exit address-family

R6(config-router)#address-family ipv4 vrf INET


R6(config-router-af)#neighbor 201.1.123.1 remote-as 20001
R6(config-router-af)#neighbor 201.1.123.1 activate
R6(config-router-af)#exit address-family
R6(config-router)#end

<<<<do sh ip bgp vpnv4 all summary>>>>

R12:
R12(config)#router bgp 65111
R12(config-router)#neighbor 201.1.13.1 remote-as 20001
R12(config-router)#redistribute connected
R12(config-router)#end

<<<do sh ip bgp summary and show ip bgp>>>

R7:
R7(config)#router bgp 12345
R7(config-router)#address-family ipv4 vrf BLUE
R7(config-router-af)#neighbor 202.2.123.1 remote-as 20002
R7(config-router-af)#neighbor 202.2.123.1 activate
R7(config-router-af)#exit address-family

R7(config-router)#address-family ipv4 vrf INET


R7(config-router-af)#neighbor 202.2.123.1 remote-as 20002
R7(config-router-af)#neighbor 202.2.123.1 activate
R7(config-router-af)#exit address-family

R7(config-router)#address-family ipv4 vrf RED


R7(config-router-af)#neighbor 202.2.123.1 remote-as 20002
R7(config-router-af)#neighbor 202.2.123.1 activate
R7(config-router-af)#exit address-family
R7(config-router)#end

<<<<do sh ip bgp vpnv4 all summary>>>>

R13:
R13(config)#router bgp 65111
R13(config-router)#neighbor 201.1.13.1 remote-as 20001
R13(config-router)#neighbor 202.2.13.1 remote-as 20002
R13(config-router)#redistribute connected
R13(config-router)#end

<<<do sh ip bgp summary and show ip bgp>>>

R14:
R14(config)#router bgp 65111
R14(config-router)#neighbor 202.2.14.1 remote-as 20002
R14(config-router)#redistribute connected
R14(config-router)#end

<<<do sh ip bgp summary and show ip bgp>>>

R2:
R2(config)#router bgp 12345
R2(config-router)#address-family ipv4 vrf BLUE
R2(config-router-af)#neighbor 101.1.123.1 remote-as 10001
R2(config-router-af)#neighbor 101.1.123.1 activate
R2(config-router-af)#exit address-family

R2(config-router)#address-family ipv4 vrf GREEN


R2(config-router-af)#neighbor 101.1.123.1 remote-as 10001
R2(config-router-af)#neighbor 101.1.123.1 activate
R2(config-router-af)#exit address-family

R2(config-router)#address-family ipv4 vrf INET


R2(config-router-af)#neighbor 101.1.123.1 remote-as 10001
R2(config-router-af)#neighbor 101.1.123.1 activate
R2(config-router-af)#exit address-family

R2(config-router)#address-family ipv4 vrf RED


R2(config-router-af)#neighbor 101.1.123.1 remote-as 10001
R2(config-router-af)#neighbor 101.1.123.1 activate
R2(config-router-af)#exit address-family

R2(config-router)#address-family ipv4 vrf YELLOW


R2(config-router-af)#neighbor 101.1.123.1 remote-as 10001
R2(config-router-af)#neighbor 101.1.123.1 activate
R2(config-router-af)#exit address-family
R2(config-router)#end

R3:
R3(config)#router bgp 12345
R3(config-router)#address-family ipv4 vrf BLUE
R3(config-router-af)#neighbor 102.2.123.1 remote-as 10002
R3(config-router-af)#neighbor 102.2.123.1 activate
R3(config-router-af)#exit address-family

R3(config-router)#address-family ipv4 vrf GREEN


R3(config-router-af)#neighbor 102.2.123.1 remote-as 10002
R3(config-router-af)#neighbor 102.2.123.1 activate
R3(config-router-af)#exit address-family

R3(config-router)#address-family ipv4 vrf INET
R3(config-router-af)#neighbor 102.2.123.1 remote-as 10002
R3(config-router-af)#neighbor 102.2.123.1 activate
R3(config-router-af)#exit address-family

R3(config-router)#address-family ipv4 vrf RED


R3(config-router-af)#neighbor 102.2.123.1 remote-as 10002
R3(config-router-af)#neighbor 102.2.123.1 activate
R3(config-router-af)#exit address-family

R3(config-router)#address-family ipv4 vrf YELLOW


R3(config-router-af)#neighbor 102.2.123.1 remote-as 10002
R3(config-router-af)#neighbor 102.2.123.1 activate
R3(config-router-af)#exit address-family
R3(config-router)#end

<<<<do sh ip bgp vpnv4 all summary and run a tclsh ping from the remote sites all over to the central
site>>>>

3.3 DMVPN
Configure DMVPN phase 3 in the ACME APAC region (AS 45678 and 65222) as per the following requirements

· Use the preconfigured interface tunnel 0 on all the three routers in order to accomplish this task

· R17 must be the hub router

· R18 and R19 must be the spokes and must participate in NHRP information exchange

· Disable sending of ICMP redirect messages on all three tunnel interfaces

· Configure the following parameters on all the three tunnel interfaces


bandwidth 1000 kbps
delay 10000 msec
mtu 1400 bytes
tcp mss 1380

· Authenticate NHRP using the string 45678key

· Use NHRP network-id 45678

· Config NHRP hold time to 5 min

· Ensure that spoke to spoke traffic does not transit via the hub

3.3 SOLUTION::::Implement DMVPN

R17:
R17(config)#interface tunnel 0
R17(config-if)#bandwidth 1000
R17(config-if)#ip address 123.20.1.25 255.255.255.248
R17(config-if)#no ip redirects
R17(config-if)#ip mtu 1400
R17(config-if)#ip nhrp authentication 45678key
R17(config-if)#ip nhrp map multicast dynamic
R17(config-if)#ip nhrp network-id 45678
R17(config-if)#ip nhrp holdtime 300
R17(config-if)#ip nhrp redirect
R17(config-if)#delay 1000
R17(config-if)#tunnel source eth0/0
R17(config-if)#tunnel mode gre multipoint
R17(config-if)#ip tcp adjust-mss 1380

R17(config)#router eigrp CCIE


R17(config-router)#address-family ipv4 autonomous 45678
R17(config-router-af)#af-interface tunnel 0
R17(config-router-af-interface)#no split-horizon
R17(config-router-af-interface)#no next-hop-self
R17(config-router-af-interface)#end
R17#

R18:
R18(config)#interface tunnel 0
R18(config-if)#bandwidth 1000
R18(config-if)#ip address 123.20.1.26 255.255.255.248
R18(config-if)#no ip redirects
R18(config-if)#ip mtu 1400
R18(config-if)#ip nhrp authentication 45678key
R18(config-if)#ip nhrp map multicast dynamic
R18(config-if)#ip nhrp network-id 45678
R18(config-if)#ip nhrp holdtime 300
R18(config-if)#ip nhrp shortcut
R18(config-if)#ip nhrp redirect
R18(config-if)#ip nhrp nhs 123.20.1.25
R18(config-if)#ip nhrp map 123.20.1.25 203.3.17.2
R18(config-if)#ip nhrp map multicast 203.3.17.2
R18(config-if)#delay 1000
R18(config-if)#tunnel source s1/0
R18(config-if)#tunnel mode gre multipoint
R18(config-if)#ip tcp adjust-mss 1380

R18(config)#router eigrp CCIE


R18(config-router)#address-family ipv4 autonomous 45678
R18(config-router-af)#af-interface tunnel 0
R18(config-router-af-interface)#no split-horizon
R18(config-router-af-interface)#end
R18#

R19:
R19(config)#interface tunnel 0
R19(config-if)#bandwidth 1000
R19(config-if)#ip address 123.20.1.27 255.255.255.248
R19(config-if)#no ip redirects
R19(config-if)#ip mtu 1400
R19(config-if)#ip nhrp authentication 45678key
R19(config-if)#ip nhrp map multicast dynamic
R19(config-if)#ip nhrp network-id 45678
R19(config-if)#ip nhrp holdtime 300
R19(config-if)#ip nhrp shortcut
R19(config-if)#ip nhrp redirect
R19(config-if)#ip nhrp nhs 123.20.1.25
R19(config-if)#ip nhrp map 123.20.1.25 203.3.17.2
R19(config-if)#ip nhrp map multicast 203.3.17.2
R19(config-if)#delay 1000
R19(config-if)#tunnel source s1/0
R19(config-if)#tunnel mode gre multipoint
R19(config-if)#ip tcp adjust-mss 1380

R19(config)#router eigrp CCIE


R19(config-router)#address-family ipv4 autonomous 45678
R19(config-router-af)#af-interface tunnel 0
R19(config-router-af-interface)#no split-horizon
R19(config-router-af-interface)#end
R19#

3.4 DMVPN Encryption


Refer to "Diagram 4 VPN technology"
Secure the DMVPN tunnel using IPSEC according to the following requirements

· configure IKE phase 1 as per the following


· Use AES encryption with the pre-shared key CCIE

· The key must appear in plain text in the config

· All IPSEC tunnels must be authenticated using the same IKE phase 1 preshared key

· Use 1024 bits for the key exchange using the Diffie-Hellman algorithm
· configure a single policy using priority 10

· config IKE phase 2 as per the following requirements

· use CCIEXFORM as transform set name

· use DMVPNPROFILE as IPSEC profile name

· use IPSEC in transport mode

· use the IPSEC protocol ESP and algorithm AES with 128 bits

· Ensure that the DMVPN cloud is secured using above parameters. Use tunnel protection in your config

3.4 SOLUTION::::Implement Encryption

R17:
R17(config)#crypto isakmp enable
R17(config)#crypto isakmp policy 10
R17(config-isakmp)#authentication pre-share
R17(config-isakmp)#encryption aes
R17(config-isakmp)#group 2
R17(config-isakmp)#exit

R17(config)#crypto isakmp key CCIE address 203.3.18.2


R17(config)#crypto isakmp key CCIE address 203.3.19.2

R17(config)#crypto ipsec transform-set CCIEXFORM esp-aes esp-md5-hmac


R17(cfg-crypto-trans)#mode transport
R17(cfg-crypto-trans)#exit

R17(config)#crypto ipsec profile DMVPNPROFILE


R17(cfg-ipsec-profile)#set transform-set CCIEXFORM
R17(cfg-ipsec-profile)#exit

R17(config)#int tunnel 0
R17(config-if)#tunnel protection ipsec profile DMVPNPROFILE
R17(config-if)#exit

R18:
R18(config)#crypto isakmp enable
R18(config)#crypto isakmp policy 10
R18(config-isakmp)#authentication pre-share
R18(config-isakmp)#encryption aes
R18(config-isakmp)#group 2
R18(config-isakmp)#exit

R18(config)#crypto isakmp key CCIE address 203.3.17.2

R18(config)#crypto ipsec transform-set CCIEXFORM esp-aes esp-md5-hmac


R18(cfg-crypto-trans)#mode transport
R18(cfg-crypto-trans)#exit

R18(config)#crypto ipsec profile DMVPNPROFILE


R18(cfg-ipsec-profile)#set transform-set CCIEXFORM
R18(cfg-ipsec-profile)#exit

R18(config)#int tunnel 0
R18(config-if)#tunnel protection ipsec profile DMVPNPROFILE
R18(config-if)#exit

R19:
R19(config)#crypto isakmp enable
R19(config)#crypto isakmp policy 10
R19(config-isakmp)#authentication pre-share
R19(config-isakmp)#encryption aes
R19(config-isakmp)#group 2
R19(config-isakmp)#exit

R19(config)#crypto isakmp key CCIE address 203.3.17.2

R19(config)#crypto ipsec transform-set CCIEXFORM esp-aes esp-md5-hmac


R19(cfg-crypto-trans)#mode transport
R19(cfg-crypto-trans)#exit

R19(config)#crypto ipsec profile DMVPNPROFILE


R19(cfg-ipsec-profile)#set transform-set CCIEXFORM
R19(cfg-ipsec-profile)#exit

R19(config)#int tunnel 0
R19(config-if)#tunnel protection ipsec profile DMVPNPROFILE
R19(config-if)#exit

<<<<sh ip nhrp brief, show crypto ipsec sa on all devices running DMVPN>>>>
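
An added example (not part of the original solution) that audits the IKE and IPsec lines of the 3.4 solution the way a config review would: it reports the 1024-bit Diffie-Hellman group, the unpinned IKE hash, the MD5 HMAC in the transform set, the clear-text pre-shared key that the task asks for, and any DMVPN member for which a router holds no key. The NBMA addresses are assumed from the key statements above; the 2048-bit threshold and the finding names are this example's own.

```python
import re

# MODP Diffie-Hellman group sizes in bits (RFC 2409, RFC 3526).
DH_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}
MIN_DH_BITS = 2048  # assumed review threshold, not a value from the page

# Constructed input: the 3.4 solution lines with the CLI prompts stripped.
COMMON = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 group 2
crypto ipsec transform-set CCIEXFORM esp-aes esp-md5-hmac
 mode transport
"""


def key_lines(*peers):
    return "".join(f"crypto isakmp key CCIE address {p}\n" for p in peers)


CONFIGS = {
    "R17": COMMON + key_lines("203.3.18.2", "203.3.19.2"),
    "R18": COMMON + key_lines("203.3.17.2"),
    "R19": COMMON + key_lines("203.3.17.2"),
}
# Tunnel-source (NBMA) addresses, assumed from the key statements above.
NBMA = {"R17": "203.3.17.2", "R18": "203.3.18.2", "R19": "203.3.19.2"}


def audit(router, config, nbma=NBMA):
    """Return sorted finding codes for one router's IKE/IPsec configuration."""
    findings = set()
    # An ISAKMP policy is a header line followed by indented sub-commands.
    policies = re.findall(
        r"^crypto isakmp policy (\d+)\n((?:[ \t]+.*\n)*)", config, re.M)
    for prio, body in policies:
        group = re.search(r"^[ \t]+group (\d+)", body, re.M)
        bits = DH_BITS.get(int(group.group(1))) if group else None
        if group is None:
            findings.add(f"policy{prio}:DH_GROUP_UNPINNED")
        elif bits is None:
            findings.add(f"policy{prio}:DH_GROUP_NOT_MODP")
        elif bits < MIN_DH_BITS:
            findings.add(f"policy{prio}:DH_WEAK_{bits}")
        if not re.search(r"^[ \t]+hash \S+", body, re.M):
            # No hash line: the platform default applies, the config does not pin it.
            findings.add(f"policy{prio}:HASH_UNPINNED")
    for name, transforms in re.findall(
            r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M):
        if "esp-md5-hmac" in transforms.split():
            findings.add(f"{name}:ESP_MD5_HMAC")
    keyed_peers = set()
    key_re = r"^crypto isakmp key (?:([06]) )?\S+ address (\S+)"
    for key_type, peer in re.findall(key_re, config, re.M):
        keyed_peers.add(peer)
        if key_type != "6":  # type 6 is the encrypted form; anything else is readable
            findings.add("PSK_CLEARTEXT_IN_CONFIG")
    # Without a key for a member's NBMA address (or a 0.0.0.0 wildcard key),
    # pre-shared-key IKE with that member cannot complete.
    for other, addr in nbma.items():
        if other != router and not keyed_peers & {addr, "0.0.0.0"}:
            findings.add(f"NO_PSK_FOR_{other}")
    return sorted(findings)


if __name__ == "__main__":
    for router, config in CONFIGS.items():
        print(router, audit(router, config))
```
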

Section 4 Infrastructure security


4.1 Device security
· Configure R20 in the ACME San Jose office as per the following
· All users who connect to R20 via the console or via any of the VTY lines using SSH must be prompted with the below message before any other prompt is displayed

WARNING!ACCESS RESTRICTED
· Do not use any other spaces or any other characters

4.1 SOLUTION:::Device Security


R20(config)#service linenumber
R20(config)#banner motd cWARNING!ACCESS RESTRICTED!c
R20(config)#line vty 0 4
R20(config-line)#login local
R20(config-line)#access-class 1 in
R20(config-line)#transport input ssh
R20(config-line)#end

4.2 Network Security


Configure ACME New York office as per the following
· Ensure that int E0/0-3 of Sw3 forward the traffic sent from expected and legitimate users only

· Sw3 must dynamically learn only one mac address per port and must save the mac address in its startup config

· Sw3 must shut down the port if security violation occurs on any of the four ports

4.2 SOLUTION:::Implement Network Security


SW3(config)#interface range ethernet 0/0-3
SW3(config-if)#switchport port-security
SW3(config-if)#switchport port-security mac-address sticky
SW3(config-if)#switchport port-security maximum 1
SW3(config-if)#switchport port-security violation shutdown
SW3(config-if)#end

<<<show port-security>>>
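
An added example (not from the original solution) of the monitoring side of this setting: it reads the sticky MAC entries from a saved config, parses port-security violation messages, and reports which port was hit, by which MAC, and whether the port went err-disabled. The config excerpt, MAC addresses and log lines are constructed, with the log lines modelled on the IOS PORT_SECURITY and PM messages; note that the two messages name the port in long and short form, so the names are normalised before matching.

```python
import re

# Constructed sample: sticky entries as a saved config would hold them.
SAVED_CONFIG = """\
interface Ethernet0/0
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky aabb.cc00.0100
 switchport port-security
interface Ethernet0/1
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky aabb.cc00.0200
 switchport port-security
"""
# Constructed sample log lines (format assumed from IOS syslog messages).
SYSLOG = """\
%PM-4-ERR_DISABLE: psecure-violation error detected on Et0/1, putting Et0/1 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aabb.cc00.0999 on port Ethernet0/1.
%LINK-3-UPDOWN: Interface Ethernet0/1, changed state to down
"""

VIOLATION = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*MAC address (\S+) on port (\S+)")
ERR_DISABLE = re.compile(
    r"%PM-4-ERR_DISABLE: psecure-violation error detected on (\S+),")


def port_key(name):
    """Normalise 'Ethernet0/1', 'Ethernet0/1.' and 'Et0/1' to 'et0/1'."""
    m = re.match(r"([A-Za-z]+)\s*([\d/]+)", name.strip())
    if not m:
        raise ValueError(f"unrecognised interface name: {name!r}")
    return (m.group(1)[:2] + m.group(2)).lower()


def sticky_macs(config):
    """Map each port to the set of sticky MAC addresses saved for it."""
    table, port = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            port = port_key(line.split(None, 1)[1])
        m = re.match(r"\s+switchport port-security mac-address sticky (\S+)", line)
        if m and port:
            table.setdefault(port, set()).add(m.group(1).lower())
    return table


def violations(syslog, sticky):
    """Return one record per violation, joined with err-disable and sticky data."""
    lines = syslog.splitlines()
    disabled = set()
    for line in lines:
        m = ERR_DISABLE.search(line)
        if m:
            disabled.add(port_key(m.group(1)))
    events = []
    for line in lines:
        m = VIOLATION.search(line)
        if m:
            port = port_key(m.group(2))
            events.append({
                "port": port,
                "offender": m.group(1).lower(),
                "learned": sorted(sticky.get(port, ())),
                "err_disabled": port in disabled,
            })
    return events


if __name__ == "__main__":
    for event in violations(SYSLOG, sticky_macs(SAVED_CONFIG)):
        print(event)
```
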

Section 5 Infrastructure Services
5.1 System management

· Configure R20 in the ACME San Jose office as per the following

· Establish SSH access in R20 using the domain name acme.org

· R20 must accept up to five remote authorized users to connect at the same time using SSH

· Create the user "test" with password "test" in local database of R20

· Ensure that R20 accepts SSH connections from clients with source ip in 123.10.2.0/24. All other source ip should be denied. Use standard ACL to accomplish this

· R20 must generate a syslog message for all SSH connection attempts whether permitted or denied

· When authenticated, the username test must be granted privilege level 1

· Do not enable aaa new-model on R20

· Ensure that SSH is the only remote access method permitted on VTY lines of R20

· Ensure that the console is not affected by your solution and no username prompt is presented on the console port

· Test your solution from any device that is located in AS 34567 and ensure that the following sequence of commands produces the following output
R10# ssh -l test 123.20.20.20

WARNING!ACCESS RESTRICTED

R20>
R20>sh privilege
Current privilege level is 1
R20>
R20>q
R10#

5.1 SOLUTION:::: Implement System Management

R20:
R20(config)#service linenumber
R20(config)#username test password test
R20(config)#ip domain name acme.org

R20(config)#crypto key generate rsa

R20(config)#ip ssh maxstartups 5


R20(config)#ip ssh logging events
R20(config)#ip ssh version 2

R20(config)#access-list 1 permit 123.10.2.0 0.0.0.255

R20(config)#line vty 0 4
R20(config-line)#login local
R20(config-line)#access-class 1 in
R20(config-line)#transport input ssh
R20(config-line)#end

5.2 Network Services


Configure the ACME network as per the following

· R20 must enable all private corporate traffic that is originated from any host with source ip address 10.1.0.0/16 or 10.2.0.0/16 to connect to any public destination that is located in AS 34567

· All remote sites in AS 65111 and 65222 must be able to connect to the public destinations

· R20 must swap the source ip address in these packets with the ip address of its lo0

· R20 must allow multiple concurrent connections

· Use a standard ACL to accomplish this.

· The following tests must succeed after the above requirements (in addition to previous requirements) are achieved


R12# ping 1.2.3.4 so E0/0
!!!!!
R18# ping 1.2.3.4 so E0/0
!!!!!

5.2 SOLUTION::::Implement Network Services

R20:
R20(config)#access-list 2 permit 10.1.0.0 0.0.255.255
R20(config)#access-list 2 permit 10.2.0.0 0.0.255.255
R20(config)#ip nat inside source list 2 interface loopback 0 overload
R20(config)#interface 0/0.12
R20(config-if)#ip nat inside
R20(config)#interface 0/1.99
R20(config-if)#ip nat outside

<<<<run ping/traceroute tests to 1.2.3.4 from all vpn sites sourcing from their wan interfaces>>>>
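
An added example (not part of the original solutions) covering the standard ACLs of sections 5.1 and 5.2: it evaluates an ACL with first-match and implicit-deny semantics and lists the parts of a required prefix the ACL fails to permit. This matters because a wildcard of 0.0.0.255 against a /16 requirement silently leaves most sources unmatched by the NAT rule. The sample ACL lines are constructed, and the function names are this example's own.

```python
import ipaddress


def parse_standard_acl(lines):
    """Parse numbered standard ACL lines into (permit, address, wildcard) tuples."""
    acl = []
    for line in lines:
        tok = [t for t in line.split() if t != "log"]
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            continue
        src = tok[3:]
        if src[0] == "any":
            addr, wild = 0, 0xFFFFFFFF
        elif src[0] == "host":
            addr, wild = int(ipaddress.IPv4Address(src[1])), 0
        else:  # address with optional wildcard; no wildcard means a single host
            addr = int(ipaddress.IPv4Address(src[0]))
            wild = int(ipaddress.IPv4Address(src[1])) if len(src) > 1 else 0
        acl.append((tok[2] == "permit", addr, wild))
    return acl


def permits(acl, source):
    """First matching entry wins; a standard ACL ends with an implicit deny."""
    src = int(ipaddress.IPv4Address(source))
    for permit, addr, wild in acl:
        if ((src ^ addr) & ~wild & 0xFFFFFFFF) == 0:  # wildcard bits are "don't care"
            return permit
    return False


def unmatched(acl, prefix):
    """Summarise the parts of `prefix` that the ACL does not permit."""
    net = ipaddress.IPv4Network(prefix)
    first, last = int(net.network_address), int(net.broadcast_address)
    gaps, start = [], None
    for ip in range(first, last + 1):
        ok = permits(acl, ip)
        if not ok and start is None:
            start = ip
        elif ok and start is not None:
            gaps.append((start, ip - 1))
            start = None
    if start is not None:
        gaps.append((start, last))
    out = []
    for lo, hi in gaps:
        span = ipaddress.summarize_address_range(
            ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
        out.extend(str(n) for n in span)
    return out


# Constructed inputs: the NAT sources written with a /24 and with a /16 wildcard,
# and the VTY ACL for 123.10.2.0/24.
NAT_SHORT = parse_standard_acl([
    "access-list 2 permit 10.1.0.0 0.0.0.255",
    "access-list 2 permit 10.2.0.0 0.0.0.255",
])
NAT_FULL = parse_standard_acl([
    "access-list 2 permit 10.1.0.0 0.0.255.255",
    "access-list 2 permit 10.2.0.0 0.0.255.255",
])
VTY = parse_standard_acl(["access-list 1 permit 123.10.2.0 0.0.0.255"])

if __name__ == "__main__":
    for label, acl in (("short wildcard", NAT_SHORT), ("full wildcard", NAT_FULL)):
        for prefix in ("10.1.0.0/16", "10.2.0.0/16"):
            print(label, prefix, "not permitted:", unmatched(acl, prefix))
    print("VTY 123.10.3.7 permitted:", permits(VTY, "123.10.3.7"))
```
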

5.3 Network Optimization


Configure R17 as per the following requirements

· The output shown below must be seen on R19 during 10 sec after R15 successfully pings interface lo0 of R19


R15# ping 123.19.19.19
!!!!!

R17# sh ip flow top-talkers


srcif srcipadd destif destipadd pr srcp dstp byte
e0/1 123.20.1.9 tun0 123.19.19.9 01 000 000 500


5.3 SOLUTION:::: Implement Network Optimization

R17:
R17(config)#ip flow-export version 9
R17(config)#ip flow-top-talkers
R17(config-flow-top-talkers)#top 10
R17(config-flow-top-talkers)#sort-by packets
R17(config-flow-top-talkers)#cache-timeout 10
R17(config-flow-top-talkers)#match input-interface ethernet 0/1
R17(config-flow-top-talkers)#match source address 123.20.1.9 255.255.255.255
R17(config-flow-top-talkers)#exit

R17(config)#interface ethernet 0/1


R17(config-if)#ip flow ingress

5.4 Network Services


Configure ACME as per the following requirements

· Sw3 must provide an authoritative time source to the ACME network

· R10 and R12 must sync their clock to Sw3 using ntpv4 for ipv6

· R10 and R12 must operate in client mode

· Sw3 must not capture or use any time info that is sent by R12 and R14

· All NTP traffic must be sourced and destined to interface lo0 of the corresponding devices

5.4 SOLUTION::::Implement Network Services

SW3:
SW3(config)#ntp master
SW3(config)#ntp source loopback 0

SW3(config)#interface loopback 0
SW3(config-if)#ntp disable ip
SW3(config-if)#end

R10:
R10(config)#interface loopback 0
R10(config-if)#ipv6 address 2001:CC1E:BEF:0:123:10:10:10/64
R10(config-if)#ipv6 ospf 1 area 10
R10(config)#ntp source loopback 0
R10(config)#ntp server 2001:CC1E:BEF:0:123:33:33:33
R10(config)#

R11:
R11(config)#interface loopback 0
R11(config-if)#ipv6 address 2001:CC1E:BEF:0:123:11:11:11/64
R11(config-if)#ipv6 ospf 1 area 11
R11(config)#ntp source loopback 0
R11(config)#ntp server 2001:CC1E:BEF:0:123:33:33:33
R11(config)#

R12:
R12(config)#interface loopback 0
R12(config-if)#ipv6 address 2001:CC1E:BEF:0:123:12:12:12/64
R12(config-if)#ntp disable ip
R12(config-if)#end

R14:
R14(config)#interface loopback 0
R14(config-if)#ipv6 address 2001:CC1E:BEF:0:123:14:14:14/64
R14(config-if)#ntp disable ip
R14(config-if)#end

<<NB:PLEASE VERIFY LOOPBACK 0 OR CONFIGURE IN QUESTION 2.9,2.10>>
