
LEONARDO(Re-Born) (K6++)

Section 1 - Layer 2 Technologies


1.1 Troubleshoot Layer 2 Switching
Two faults have been injected into the preconfigured. These issues may impede a working solution for certain Points will be awarded for solving each problem correctly. However, if you fail to solve a particular problem but the injected fault prevents you from having a working solution in any section of this lab, then you will lose points for the fault and for the scenario that is not working. NOTE: There are no physical faults. All hardware is in working order, and you do not need to physically touch any device or cable in order to solve a problem. Depending on the scenario, resolving a fault may require either one or multiple command lines on one or multiple devices.

Questionnaire

1.2 Implement Access Switch Ports of Switched Network


Configure all of the appropriate non-trunking switch ports on SW1-SW4 according to the following:
- SW1 is the server for the VLAN Trunking Protocol version 2 domain "CCIE" (VTP password "cisco")
- SW2, SW3, SW4 are expecting SW1 to update their VLAN database when needed
- Configure the VLAN ID and Name according to the table below (case sensitive)
- Configure the access ports for each VLAN as per the diagram
- Using a single command, ensure that all access ports are transitioned to forwarding state as quickly as possible
- Using a single command, ensure that the interface is forced into the err-disabled state if a BPDU is received by any ports
- Ensure that any BPDU received by the access ports facing the backbone devices (and only these devices) has no effect on your spanning-tree decision
- Don't forget to configure the Layer 3 interfaces and to include SW1's port fa 0/4 in VLAN 44

VLAN_ID   NAME
11        VLAN_11_BB1
22        VLAB_22_BB2
33        VLAN_33_BB3
42        VLAN_?_R2-SW4
44        VLAN_44_R4
55        VLAN_55_R5-SW2
123       VLAN_123_SWITCHES
999       VLAN_RSPAN

1.3 Spanning-Tree Domains for Switched Network


Configure the switches according to the following requirements:
- Each of the following sets of VLANs must have one instance per VLAN
- Ensure that SW1 is the root switch, SW2 is backup switch for odd VLANs
- Ensure that SW2 is the root switch, SW2 is backup switch for even VLANs
- Configure to 30 sec the time that all switches wait before their spanning-tree process attempts to reconverge if it didn't receive any spanning-tree configuration message
- Configure instance per VLAN and rapid transition for forwarding
- The bridge ID priority of the VLAN between R2 and SW4 must be 12330 on SW2

1.4 Switch Trunking and Ether Channel

Use the following requirements to configure the Etherchannel of SW1, SW2, SW3 and SW4:
- Use encapsulation 802.1q
- Configure the Industry standard Etherchannel between SW1 and SW2
- Configure the Cisco proprietary Etherchannel between SW3 and SW4
- Ensure that SW1 and SW3 must initiate the negotiation and SW2 and SW4 must not start the negotiation

1.5 Spanning-Tree Tuning

Configure the spanning-tree topology according to the following requirement without configuring anything on SW4.
- Make sure that port Fa0/20 is forwarding for the spanning-tree topology rather than blocking for even VLANs on SW4
- Use the highest numeric values to achieve this task

1.6 RSPAN

- Any traffic received from VLAN_BB1 and VLAN_BB2 must be replicated to a traffic analyzer connected to SW4 Fa0/15 via VLAN 999
- You need to monitor any future interfaces connecting to VLAN_BB1 and VLAN_BB2
- Any traffic flowing through the trunk between SW3 and SW4 must be replicated to another traffic analyzer connected to SW4 Fa0/16
- There should not be any configuration regarding this on SW3
- Don't create any new VLAN while configuring this

1.7 PPP & CHAP

- R4 must require R1 and R2 to authenticate using CHAP but R1 and R2 must not require R4 to authenticate
- R1 and R2 cannot use ppp chap hostname, they can use ppp chap password with "CCIE"
- Make sure that all CHAP passwords are shown in clear in the configuration
- Use radius server at YY.YY.44.200 as authentication server and fallback to the local AAA database in case the server is unreachable
- Use CISCO as key required by the Radius server
- Make sure AAA authentication does not affect any console or line VTY from any PPP devices (ensure that there is no username prompt either)
- Use only default method list for both console and line VTY

Section 2 - Layer 3 Technologies

2.1 Configure OSPF Area 0, 142 and 51 as per diagram

- OSPF process ID can be any number
- Router ID must be stable and must be configured using the IP address of Lo0
- Lo0 interfaces must be advertised in the OSPF area as shown in the IGP topology diagram and must appear as /32 routes
- Ensure that all switches attached to VLAN 123 exchange routing updates primarily with SW1 and then SW2 (in case SW1 goes down)
- Use highest numerical values
- Make sure that all 3 prefixes for the backbone links (150.BB.YY.0/24) appear as OSPF External Type 2 routes in the routing table
- Do not create any additional OSPF areas
- Do not use any IP address not listed in the diagram

2.2 Implement IPv4 EIGRP

- Configure Enhanced Interior Gateway Routing Protocol (EIGRP) 100 on SW2 in order to establish an EIGRP neighbor with Backbone 3 in the IGP topology diagram
- BB3 has IP address 150.3.YY.254 and is using AS number 100
- Disable auto-summary

2.3 Implement RIP Version 2


Configure RIP Version 2 (RIPv2) between R3 and BB1.
- R3 must accept from BB1 only the following prefixes:
  - 199.172.4.0/24
  - 199.172.6.0/24
  - 199.172.12.0/24
  - 199.172.14.0/24
- Use Standard ACL with a single entry
- Disable Auto Summarization
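The "single entry" constraint in task 2.3 comes down to wildcard-mask arithmetic, and a filter that over-matches silently admits routes the task forbids. The following is an added example, not part of the original workbook: it derives the address/wildcard pair from the listed network addresses and enumerates everything that pair permits. The function names and ACL number 1 are assumptions.

```python
import ipaddress
from itertools import product

def single_entry(networks):
    """Derive one 'address wildcard' pair covering every network address given.

    Returns (address, wildcard, matched); matched is the full set of
    addresses the pair permits, so over-matching is visible.
    """
    addrs = [int(ipaddress.IPv4Address(n)) for n in networks]
    base = addrs[0]
    for a in addrs[1:]:
        base &= a                      # bits that are 1 in every address
    wild = 0
    for a in addrs:
        wild |= a ^ base               # bits that vary become "don't care"
    free = [1 << i for i in range(32) if (wild >> i) & 1]
    if len(free) > 16:
        raise ValueError("wildcard too broad to enumerate")
    matched = set()
    for combo in product((0, 1), repeat=len(free)):
        value = base
        for on, bit in zip(combo, free):
            if on:
                value |= bit
        matched.add(str(ipaddress.IPv4Address(value)))
    return (str(ipaddress.IPv4Address(base)),
            str(ipaddress.IPv4Address(wild)), matched)

def is_exact(networks):
    """True when the single entry permits the listed networks and nothing else."""
    return single_entry(networks)[2] == set(networks)

# Network addresses of the four prefixes R3 must accept from BB1 (task 2.3).
TASK_2_3 = ["199.172.4.0", "199.172.6.0", "199.172.12.0", "199.172.14.0"]

if __name__ == "__main__":
    address, wildcard, matched = single_entry(TASK_2_3)
    # ACL number 1 is an assumption; the workbook does not name one.
    print(f"access-list 1 permit {address} {wildcard}")
    print("exact match:", matched == set(TASK_2_3))
    # Constructed counter-example: this pair cannot be matched exactly.
    print("4.0 + 7.0 exact:", is_exact(["199.172.4.0", "199.172.7.0"]))
```

The third octets 4, 6, 12 and 14 differ only in bits 2 and 8, so the wildcard covers exactly those four values; the constructed pair 4 and 7 would also permit 5 and 6.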

2.4 Redistribute RIP ---> OSPF

Redistribute RIP into OSPF on R3 such that the routing table on R5 contains the following:

    O N2 199.172.15.0/24 [110/30]
    O N2 199.172.13.0/24 [110/30]
    O N1 199.172.7.0/24 [110/XXX]
    O N1 199.172.5.0/24 [110/XXX]
    O N2 150.1.YY.0 [110/30]

- Use Standard ACL with a single entry

2.5 Redistribute EIGRP ---> OSPF

Redistribute EIGRP into OSPF on SW2 such that:
- Redistributed EIGRP routes must not be advertised into Area 51
- Redistributed EIGRP routes must be advertised into Area 0 and 142 as OSPF Type E2
- SW2 must advertise an inter-area default route into Area 51 only
- Don't use any route-map and do not add any static route anywhere

2.6 Implement IPv4 BGP

Configure iBGP peering for R1, R2, SW2, R3 and R5 as per the following requirements.
- Where possible, failure of a physical interface should not permanently affect BGP peer connections
- Minimize the number of BGP peering sessions; all BGP speakers in AS YY except SW2 must have only one iBGP peer
- All BGP routes on all devices must be valid routes
- Configure BGP as per diagram
- BGP routes from BB1 must have community values 254 207 103 in AS YY
- BGP routes from BB2 must have community values 254 208 104 in AS YY
- Make sure that all BGP speakers in AS YY (even R2) are pointing all BGP prefixes from AS 254 via BB1 only (their BGP next hop must be the IP address of the backbone devices)

2.7 Implement Performance Routing


Implement PfR to achieve the following policies:
- R4 must be the master controller
- R1 and R2 must be the Border Routers
- Ensure that PfR sessions are established using the Lo0 interface only
- Configure a tunnel to have direct connectivity between Border routers
- A specific traffic (marked with DSCP "CS2") from VLAN_44 to VLAN_55 must be routed via R1
- Another traffic (marked with DSCP "CS4") from VLAN_44 to VLAN_55 must be routed via R2
- Use Extended ACL with a single entry
- Use active probes only
- If required by your solution you may use any prefix that is not used in your topology
- Do not use max-range-utilization, resolve utilization and resolve range in OER policy
- You should use an access-list specifying only source address and DSCP value
- You must use "set mode select-exit good"

2.8 Implement Performance Routing


Continue as per the following:
- PfR must ensure that the voice traffic is routed via an exit which provides a maximum delay of 40ms and a maximum jitter of 5ms
- Set the frequency of probes to 2 seconds
- Make sure that all exits are constantly probed
- The voice traffic is sourced from VLAN_$$ destined to the voice gateway R5 (YY.YY.55.5) and marked with DSCP "EF"
- You should use an access-list specifying only source address and DSCP value
- You must use "set mode select-exit good"

2.9 Implement IPv6


- Use any number for the process ID
- OSPFv3 router IDs must be stable and identical to the OSPF v2 router IDs
- Configure OSPF Area 0 on the Ethernet segment shared by all switches. SW1 should control all routing, and SW2 should be the backup for Area 0. (Use largest value) SW3 and SW4 should not participate in the election
- Configure OSPF Area 142 between R1, R2, R4, SW1 and SW4
- Configure OSPF Area 51 between R3, R5 and SW2
- Add Loopback 8 to SW2 with Global IPv6 Address 2011:CC1E:88:88:88::88/128 and redistribute into OSPFv3 Area 0 which should be seen as OE2 routes
- Configure OSPF filtering to allow SW2 Loopback 8 in Area 0 to go into Area 51, but not Area 142
- There should not be a default route in Area 142

2.10 Implement Advanced IPv6 feature

Configure sparse mode on OSPF area 142 on R1, R2, R4 according to the following requirements.
- Ensure that the multicast stream should be a transient one and scope is 5 for company wide
- R4 should send static RP address FEC1:CC1E:44:4 for multicast group FFTS:4000:4000
- R1 fa0/0 should join the multicast group FFTS:4000:4000
- You should be able to ping the multicast group from R2 fa0/0

Section 3 - IP Multicast
3.1 IPv4 Multicast
- Use a dynamic method to support PIMv1 and PIMv2
- There is a multicast source on VLAN 44 and clients are located on the BB3 subnet (150.3.YY.0/24)
- Configure R1 and R2 loopback0 to be a rendezvous point (RP)
- Ensure that R2 loopback 0 should be the preferred RP but R1 loopback 0 is able to take over in case R1 goes down
- Simulate clients have sent requests to join the multicast group 239.YY.YY.1
- Make sure R4 f0/0 is able to ping this multicast IP

3.2 PIM Tuning

- Ensure PIM register messages should reach the RP via SW1. If SW1 goes down, PIM register messages should reach the RP via one of the switches in Area 0
- Ensure that VLAN 33 should not receive any RP messages

Section 4 - Advanced Services


4.1 Network Address Translations (NAT)

You are required to implement NAT. You need to match the output in the screenshots provided.
- Do not propagate any prefix from the network 100.0.0.0/8 in any routing protocol
- You are allowed to add one /24 static in too four devices
- Do not add any static route in R4

Screenshot:

    SW1# ping 100.100.42.10 source lo 100
    SW4# ping 100.100.17.7 source lo 100

On R4: show ip nat translations

    Pro   Inside global     Inside local    Outside local    Outside global
    icmp  100.100.17.7:N    YY.YY.17.7:0    100.100.42.10:0  100.100.42.10:0
    icmp  100.100.17.7:N    YY.YY.17.7:0    YY.YY.42.10:0    YY.YY.42.10:0
          100.100.17.7:N    YY.YY.17.7
    icmp  100.100.42.10:N   YY.YY.42.10:0   YY.YY.17.7:0     YY.YY.17.7:0
    icmp  100.100.42.10:N   YY.YY.42.10:0   100.100.17.7:0   100.100.17.7:0
          100.100.42.10:N   YY.YY.42.10

4.2 MLS QoS

Configure your four switches according to the following requirements.
- Make sure that ports SW1-f0/1 to SW1-F0/5 are marking all untagged packets to "COS 1"
- Make sure that these ports are trusting the COS value if packets are already marked
- Ensure that all switches are queuing packets marked with "COS 1" in the ingress queue #1
- Ensure that all switches are queuing packets marked with "COS 5" in the ingress queue #2
- Ensure that all switches drop ingress traffic marked with "COS 1" when the respective ingress queue level is between 40 and 100 percent
- Ensure that the switches do not drop packets marked with "COS 5" in ingress until the respective ingress queue is completely full

4.3 QoS Class Based Weighted Fair Queuing

The IT administrator requires that you implement QoS.
- For traffic coming from BB2 allocate 10000 kbps on R2 f0/0
- For traffic coming from BB1 allocate 1000 kbps on R3 s0/0/0
- This should not affect any other traffic other than to all possible traffic entering from these links

4.4 Implement Routing Protocol Authentication

Secure OSPF area 0 according to the following requirements:
- Use the strongest authentication type
- The password must be saved in clear in the config and must be seen to "cisco"
- You are not allowed to use any commands in the router configuration

4.5 Implement DHCP

R4 has been configured to provide the following parameters for DHCP clients on VLAN 44:
- IP addresses
- DNS servers YY.YY.55.50 and YY.YY.55.51
- Domain name cisco.com
- Default gateway is YY.YY.44.4

4.6 Implement Layer 2 Security

The administrator wants the DHCP deployment to be as secure as possible. Complete the DHCP configuration on R4 and SW1 according to the following requirements:
- Protect users in VLAN 44 from rogue DHCP servers
- Ensure that only R4 services the DHCP requests
- Disable the insertion and removal of the option-82 field
- Protect the DHCP server from DHCP attacks originating from SW1 port Fa0/14, which may lead to resource exhaustion, and ensure that a maximum of 3 different hosts can still connect to that port (shut down the port when a violation occurs)

Note: Make sure that SW1 Fa 0/14 is enabled and provisioned so that the customer only needs to connect the printer to the port

Continue securing the DHCP deployment according to the following requirements:
- In the near future the customer will connect a printer to SW1's Fa0/14 in VLAN 44 and assign it the static IP address YY.YY.44.100. The printer's MAC address is abcd.abcd.abcd
- Ensure that the printer is able to communicate with the users on VLAN 44 and ensure that your solution survives a reload (use the file flash:CCIE.TXT)
- Enable a feature on the switch to dynamically protect interface Fa 0/14 against spoofed IP packets and ARP requests

4.7 Web Caching Communication Protocol (WCCP)


Configure WCCP on R4 according to the following requirements:
- There will be a WAAS appliance connected to interface Fa0/1
- Any traffic from any client connected to Fa0/0 going out of the 2 serial interfaces must be redirected to the WAAS server on Fa0/1
- Traffic redirected from the server to the clients must use WCCP service 61
- Traffic redirected from the clients to the server must use WCCP service 62
- Traffic that is being sent from R1 to R2 and from R2 to R1 is not allowed to be redirected

Section 5 - Optimize the Network


5.1 Implement SNMP
- On R5 implement SNMP to send traps to an NMS system
- Use the community string of CiscoWorks
- The NMS system is located at YY.YY.55.240, which is the only SNMP manager that should be able to use this community string
- SNMP manager should be able to modify any MIB on R5
- Configure R5 to send bgp traps

5.2 Embedded Event Manager

Configure 2 EEM scripts, one for enabling OSPF debug if the OSPF neighborship of R3 goes down.
- Configure R3 with event manager applet ENABLE_OSPF_DEBUG when the OSPF adjacency goes down to R5. It should enable debug ip ospf event and debug ip ospf adj
- Configure another EEM applet DISABLE_OSPF_DEBUG when the OSPF neighborship comes up with R5. It should disable all the debug messages
- Make sure that each event generates a syslog message with a priority of 6 that shows the name of the event being activated
- These logs should be seen both in the console and in the log buffer
- You MUST be able to have these events run on R3 when R5 bounces its interface

The Past is to be respected and acknowledged, but not to be worshipped. It is our future in which we will find our Greatness.

-WaytoCcar
