Questionnaire
Configure all of the appropriate non-trunking switch ports on SW1-SW4 according to the following requirements:
- VTP domain should be "CCIE" and password "cisco"
- VTP v2 should be configured with SW1 as server; the SW2, SW3 and SW4 vlan database should be updated by SW1
- Configure the VLAN ID and Name according to the table below (case sensitive).
- Configure the access ports for each VLAN as per the diagram.
- All 4 switches must run in transparent mode after synchronization
- All unused ports including Giga ports have to be on access vlan 999 and shutdown.

VLAN_ID  NAME
16       R1toSW1
18       R1toSW2
28       R2toSW2
36       R3toSW1
45       R4toR5
68       SW1toSW2
69       SW1toSW4
89       SW2toSW4
100      BB1
200      BB2
300      BB3
500      Client
999      Unused

Assign access ports to VLANs according to the diagram.
Score: 2 points
- All switches must run a separate STP instance for each VLAN
- All STP instances must use the default hello, forward, and max-age timers.
- Enable rapid convergence on all four switches
- SW1 must be elected the root switch for ALL VLANS (effectively, for the entire range of all possible VLAN IDs).
- SW2 must be elected the backup switch for ALL VLANS (effectively, for the entire range of all possible VLAN IDs).
- Ensure that both SW1 and SW2 have the best chance of keeping their respective root or backup role even if a new switch is added to the topology later on.
- Ensure that SW1, SW2 and SW3 do not send BPDUs and do not process received BPDUs on their port Fa0/10 only.
Score: 2 points
- Traffic forwarded through these fault-tolerant links must be load-balanced based on the source and destination MAC addresses.
Score: 2 points
Configure your network as per the following requirements on the serial link between R2 and R5:
- Configure Frame-Relay on the serial links between R5, R1, R4 and R2.
- All Frame-Relay interfaces must be able to ping the neighboring IPv4 address as well as their own IPv4 address.
- Use the interface and DLCI numbers indicated in "Diagram 8 : Frame-Relay" in order to accomplish this task.
- Disable Frame-Relay Inverse ARP on all Frame-Relay interfaces.
- Do not disable the interface keepalives.

DLCI 200 between R1 & R4
DLCI 2YY between R2 & R4
DLCI YY between R1 & R5 subinterface .YY
DLCI 1YY between R1 & R5 subinterface .100
Score: 2 points
2.2 IPv4 EIGRP
- Configure EIGRP AS YY and EIGRP AS 100 as per "Diagram 1 : IGP Routing"
- Disable automatic summarization in both autonomous systems.
- SW4 must receive six EIGRP external prefixes from BB2.
- Configure the delay for interface f0/1 of both R4 and R5 to 100 milliseconds (10,000 tens of microseconds)
- Enable LDP on the serial interfaces between R1, R2, R4 and R5 as well as on the FastEthernet link between R4 and R5.
- Ensure that the LDP sessions are always sourced from the loopback0 interface on all devices.
Score: 2 points
2.3 IPv4 RIP
Configure RIP version 2 as per "Diagram 1 : IGP Routing" and according to the following requirements.
- Disable automatic summarization.
- RIP must be enabled only for the required interfaces; no other interfaces may send any RIP updates.
Score: 2 points
- Redistribute OSPF into EIGRP and vice versa on R5 only.
- Do not redistribute anywhere else between these two protocols.
- Ensure that all EIGRP routers are still able to reach any OSPF prefix when the link between R4 and R5 fails.
- The interface VLAN 500 of SW2 must appear as a prefix in area 0 only. It must never appear in any other area; your solution must remain valid even if a new area is added to the OSPF domain.
- Do not modify the administrative distance of OSPF.
Score: 4 points
- Redistribute EIGRP 100 into RIPv2 and vice versa on SW4
- Redistribute OSPF into RIPv2 on SW1 only.
- Do not redistribute RIPv2 into OSPF.
- Ensure that SW1 originates a default route everywhere into the OSPF domain.
- Ensure that all devices (but SW2) in your topology can reach 150.2.YY.254.
- Do not use any static route to resolve any routing issue.
Score: 2 points
2.6 IPv4 IBGP
- With the exception of R1, all routers in BGP AS YY must have only one IBGP neighbor.
- Secure all IBGP sessions with an MD5 hash; use the string "cisco" to that effect (without quotes)
- All BGP connections should survive a physical link failure
- R1 should always initiate the TCP session for the BGP connection to its BGP neighbor
- Configure "no bgp default ipv4-unicast" on all BGP speakers
Score: 2 points
2.7 IPv4 EBGP
Configure your network as per "Diagram 2 : BGP Routing" and according to the following requirements:
- Establish EBGP between AS YY and AS 254 on both R4 and R5 by using their physical interfaces.
- The prefixes of VLAN_100 and VLAN_200 may appear as a BGP next-hop address in R4 and R5 only.
- Configure AS 144 on SW4 to peer with AS YY
- Ensure that SW4 installs in its routing table two equal-cost paths for any BGP prefixes originated in AS 254.
- Ensure that SW2 load-balances any traffic that is destined to AS 254 through both R1 and R2.
NOTE: Use the following command to verify this requirement:
Rack10SW2#sh ip cef 197.168.1.1
197.168.1.0/24
  nexthop 10.10.18.1 Vlan18
  nexthop 10.10.28.2 Vlan28
Score: 2 points
SW2 is simulating two distant customer sites in BGP AS 777 that are interconnected with L3VPN, which is provided by your core network. The interface loopback 71 of SW2 simulates SITE1, which is connected to R2, and the interface loopback 72 simulates SITE2, which is connected to R3. Refer to "Diagram 3 :" for more details. Configure your network as per the following requirements:
- R2 and R5 must exchange VPN prefixes via BGP by using the route distinguisher 2:2
- R3 and R5 must exchange VPN prefixes via BGP by using the route distinguisher 3:3
- R2 and R3 may not peer directly with one another.
- Configure "mpls ldp explicit-null" on both PEs
- SW2 must maintain two separate routing tables, one for each site, as described in "Diagram 3 :"
- The only prefix that SW2 may see in its global routing table is its preconfigured Loopback0 interface
- Your configuration must fully reconverge after a reload of any PE router at the end of the exam.
Note: Verify your solution by using the following commands on SW2.
Rack10SW2#ping vrf SITE2 71.71.71.71 source lo72
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 71.71.71.71, timeout is 2 seconds:
Packet sent with a source address of 72.72.72.72
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/9 ms
Rack10SW2#traceroute vrf SITE2
Protocol [ip]:
Target IP address: 71.71.71.71
Source address: 72.72.72.72
Numeric display [n]:
Resolve AS number in (G)lobal table, (V)RF or (N)one [G]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 71.71.71.71
  1 172.16.37.3 0 msec 0 msec 9 msec
  2 10.YY.34.4 8 msec 9 msec 8 msec
  3 10.YY.14.1 50 msec 92 msec 100 msec
  4 10.YY.15.5 17 msec 17 msec 17 msec
  5 172.16.27.2 8 msec 8 msec 9 msec
  6 172.16.27.7 8 msec * 0 msec
Rack10SW2#ping vrf SITE1 72.72.72.72 source lo71
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 72.72.72.72, timeout is 2 seconds:
Packet sent with a source address of 71.71.71.71
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/10/17 ms
Rack10SW2#traceroute vrf SITE1
Protocol [ip]:
Target IP address: 72.72.72.72
Source address: 71.71.71.71
Numeric display [n]:
Resolve AS number in (G)lobal table, (V)RF or (N)one [G]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 72.72.72.72
  1 172.16.27.2 0 msec 8 msec 0 msec
  2 10.1YY.25.5 42 msec 84 msec 92 msec
  3 10.YY.15.1 17 msec 17 msec 8 msec
  4 10.YY.14.4 17 msec 17 msec 8 msec
  5 172.16.37.3 9 msec 17 msec 8 msec
  6 172.16.37.7 8 msec * 9 msec
Score: 4 points
2.9 IPv6 Addressing
reconfiguration. All IPv6 addresses were preconfigured as follows. All global unicast addresses match 2001:RR:YY:SS::HH/MM, where:
- RR is the identifier of the routing domain (YY for EIGRP YY, 1YY for OSPF)
- YY stands for your two-digit rack number, written in decimal format
- SS is the third octet of the IPv4 address of the same interface, written in decimal format
- HH is the fourth octet of the IPv4 address of the same interface, written in decimal format
- MM is the subnet mask and must be /128 for loopback interfaces and /64 for other interfaces.
Configure your network as per "Diagram 4 : IPv6 Routing" and according to the following requirements:
- Configure EIGRPv6 YY on all routers in the EIGRPv4 AS YY
- Use the Loopback 0 IPv4 address as the EIGRPv4 router ID.
- Configure the area 0 of OSPFv3 (between SW1 and SW2 as shown in the "Diagram of IPv6 Routing").
- The OSPFv3 process ID must be 100.
- Redistribute OSPFv3 into EIGRPv6 and vice versa on SW2.
- Ensure that there is full reachability among all IPv6 speakers.
Score: 2 points
2.10 IPv6 Routing
Configure your network as per "Diagram 4 : IPv6 Routing" and according to the following requirements.
- Configure a tunnel between R1 and R2 to transport IPv6 traffic from R2 to the EIGRPv6 domain.
- The tunnel transport mode must be GRE, and it must be resilient to a single physical link failure.
- The tunnel must use the IPv6 prefix 2001:12:12:12::/64
- Extend the EIGRPv6 domain YY to R2 over the tunnel.
- R2 must be able to reach the Loopback0 interface of SW1 via the tunnel.
Score: 2 points
- Enable multicast for all interfaces belonging to ospf 100 and eigrp YY (including loopback0 interfaces)
- The network should never have to flood and prune multicast traffic unnecessarily
- Add a loopback1 interface on both R2 and R3 with the same ip address 200.100.100.100
- R2 must advertise loopback1 into EIGRP YY; R3 must advertise loopback1 into OSPF 100.
- Each loopback 1 must be elected as the rendezvous point (RP) in its respective domain and must also be used as the source of the mapping information broadcasts
- Use a non-proprietary method to discover and announce the RP information
- Multicast services are located in vlan 68, and receivers are located on the link between R4 and R5
- Simulate the receivers with a static join on the F0/1 interface of R4.
- Receivers must be able to receive traffic sent to the group 232.1.1.1 from SW1
- Ensure that R2 is the actual RP in use in the EIGRP domain, R3 is the actual RP in use in the OSPF domain, and that R2 sends the source-active cache to R3
Score: 2 points
- Ensure that both RPs process join requests for group 232.1.1.1 only.
- Ensure that only the authorized sources (located in VLAN_68) are allowed to register with the RPs
- Do not use any route-map or named access-list to achieve this task.
Score: 2 points
- Both R4 and R5 must provide automatic default gateway backup for hosts located on VLAN 45 by using the virtual IP address 10.YY.45.1/24.
- Ensure that both R4 and R5 participate at the same time in forwarding traffic destined to the virtual IP address, with R4 weighted at 150 and processing three clients for every one processed by R5.
- Use the password "CCIE122" (without quotes) to secure the relationship between R4 and R5; use the strongest security available. (Do not use a keychain to accomplish this requirement).
Score: 2 points
4.2 L2 Security
Consider that three servers (SMTP, WEB, DNS) connected to VLAN 500 on SW2 must be reachable from any host anywhere in the network. Many users are connected to VLAN 500 on SW2 as well, and are allowed to connect to these local servers. These users must also be allowed to connect to other SMTP, WEB and DNS servers located outside of VLAN 500. A number of these users are abusing the link with unnecessary traffic. Configure your network as per the following requirements:
- Create a filter on SW2 to allow only legitimate traffic (SMTP - TCP port 25, WEB - TCP port 80, DNS - UDP port 53, ICMP - all types) on VLAN 500 going from and to any hosts (Do not specify any IP address in the filter).
- All non-legitimate traffic must be dropped.
- Use a single named access-list to accomplish this requirement of this task. Do not include any deny statement in the access-list.
Score: 2 points
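One way to meet the VLAN 500 filter requirements above with a VLAN access-map (VACL) on SW2, as an added example that is not part of the original questionnaire or its answer key; the names LEGIT and FILTER500 are assumptions, and the second access-map sequence has no match clause so it catches everything the permit-only ACL did not:

```cisco
! Single named extended ACL: only the legitimate protocols, in both directions
! (client -> server port and server port -> client), no deny entries at all.
ip access-list extended LEGIT
 permit tcp any any eq 25
 permit tcp any eq 25 any
 permit tcp any any eq 80
 permit tcp any eq 80 any
 permit udp any any eq 53
 permit udp any eq 53 any
 permit icmp any any
!
! VACL: forward what LEGIT permits, drop everything else on the VLAN.
vlan access-map FILTER500 10
 match ip address LEGIT
 action forward
vlan access-map FILTER500 20
 action drop
!
vlan filter FILTER500 vlan-list 500
```

Check the result with `show vlan access-map` and `show vlan filter`; a VACL is applied to traffic bridged within the VLAN as well as routed in or out of it, so both local and remote server access are covered by the same filter.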
- The administrator user "admin" must be able to use the SSH protocol in order to manage the router by using the password "ccie". This user must receive the enable prompt directly when logging in to R5.
- The user "guest" must be able to use the SSH protocol in order to connect to the router by using the password "cisco". This user must receive the user-mode (non-enable-mode) prompt when logging in to R5.
- Disable all non-SSH access methods on the VTY lines of R5. Do not use the command "access-class" to accomplish this. Enable a maximum of 16 users to connect concurrently at any point in time.
- Configure the domain name "ccie.com" on R5.
- Ensure that the console does not require a username prompt and that it presents the user with the user-mode (non-enable-mode) prompt
- Do not modify the enable password.
NOTE: Verify your solution by using R2 as the SSH client and verify if the following commands succeed as expected.
Rack10R2#ssh -l admin 1YY.5.5.5
Rack10R2#ssh -l guest 1YY.5.5.5
Score: 2 points
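An R5 configuration that satisfies the SSH access requirements above, added here as an example and not taken from the questionnaire's answer key; the 2048-bit key size and SSH version 2 are assumptions (the task only requires SSH), and the privilege levels on the two local accounts are what decide which prompt each user lands on:

```cisco
hostname R5
ip domain-name ccie.com
! RSA key pair is required before the SSH server starts (size is an assumption)
crypto key generate rsa modulus 2048
ip ssh version 2
!
! admin lands directly in privileged EXEC; guest stays in user EXEC
username admin privilege 15 secret ccie
username guest privilege 1 secret cisco
!
! vty 0-15 = 16 concurrent sessions; SSH is the only allowed transport,
! so telnet is refused without any access-class
line vty 0 15
 login local
 transport input ssh
!
! console: no username prompt, user-mode prompt; enable password untouched
line con 0
 no login
 privilege level 1
```

`show ip ssh` confirms the server is enabled, and `show users` after the two test logins from R2 shows both sessions on vty lines.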
- Create interface Loopback148 in SW2 with the IP address 148.0.0.8/32 and add it into EIGRP YY by any means available.
- Create interface Loopback148 in R4 with the IP address 148.0.0.4/32 and add it into EIGRP YY by any means available.
- Traffic sourced from Loopback148 of SW2 and destined to Loopback148 of R4 (and only this traffic) must always leave SW2 via interface VLAN18; no other interface may ever transmit these packets.
- SW2 must load-balance (between R1 and R2) any other traffic destined to Lo148 of R4.
- In case interface VLAN 18 of SW2 is not operational, packets between Lo148 of SW2 and Lo148 of R4 must be dropped on SW2.
- Use a single numbered and extended access-list with a single entry in order to accomplish this requirement.
- Do not modify any EIGRP parameter anywhere to accomplish this requirement.
NOTE: Use the following tests to validate your solution
Rack10SW2#trace
Protocol [ip]:
Target IP address: 148.0.0.4
Source address: 148.0.0.8
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 148.0.0.4
  1 10.YY.18.1 4 msec 4 msec 4 msec
  2 10.YY.14.4 0 msec * 4 msec
Rack10SW2#trace 148.0.0.4
Type escape sequence to abort.
Tracing the route to 148.0.0.4
  1 10.YY.18.1 4 msec
    10.YY.28.2 4 msec
    10.YY.18.1 4 msec
  2 10.YY.24.4 4 msec
    10.YY.14.4 4 msec *
Score: 2 points
The MPLS enabled routers in your network have been preconfigured to service three classes of traffic based on the MPLS experimental bits. The PE routers are also provisioning three classes of traffic towards the CE routers. R1 contains a policy that will remark traffic for testing purposes. Do not modify this policy. Configure both PE routers in your network as per the following requirements:
- The traffic leaving the MPLS core and going to the CE must be remarked using the latest value found in the MPLS experimental bits.
- Both PE routers must shape the traffic towards the CEs to 2Mb/s CIR.
- Your solution must include the existing QoS preconfigurations.
- Do not create any new non-default class-map to accomplish the above requirements (i.e. if you need to create any new class-map, it must be the class-map default).
- You may check your solution by using an extended ping, with the ToS value set to 160. Counters must increment accordingly on the class CRITICAL on the egress policy of the remote PE.
Score: 2 points
Configure and apply on R5 a single ingress policy-map named "CONTROL" that contains exactly three user-defined class-maps according to the following requirements:
Configure a class-map called "SSH_POLICE" according to the following requirements.
- Any SSH session initiated from VLAN 18 and destined to the interface Se0/0/1 of R5 must not be policed.
- Police to 16 kb/s all other SSH traffic according to the following requirements.
- The conform-action must be "transmit".
- The exceed-action must be "drop".
- The burst value must not be configured
- Configure a named access-list called "SSH" in order to classify the above SSH traffic.
Configure another class-map called "BLOCK" according to the following requirements:
- HTTP (destined to port 80) and HTTPS (destined to port 443) traffic sourced from any host located on VLAN500 and destined to anywhere must be dropped.
- Configure a named access-list called "HTTP" containing exactly two entries in order to classify the above HTTP and HTTPS traffic.
- Configure another named access-list called "ALL_ICMP" containing the single statement "permit icmp any any".
- The class-map "BLOCK" must drop the traffic matched by these two access-lists ("HTTP" and "ALL_ICMP").
Configure another class-map called "ICMP_LIMIT" according to the following requirements.
- ICMP echo and echo-reply to or from anywhere must be policed to 100 p/s, allowing 10 packets in burst.
- Configure a named access-list called "ICMP_ECHO" in order to classify the above ICMP echo and echo-reply traffic.
- Do not use any "match not" statement in any class-map.
- Ensure that any device (but SW2) can still ping the interfaces of R5.
- All class-map and access-list names are case sensitive and must not include any quotes.
Note: kb/s = kilobits per second and p/s = packets per second.
Score: 2 points
Configure your network as per the following requirements
- R1 is the NTP master (stratum 1).
- R2 and R5 must synchronize their clock to the clock of R1.
- Ensure that all three devices retain the clock between reboots.
- ALL NTP peers must use their Loopback0 interface as the NTP source.
Score: 2 points
- Track all changes to the running configuration.
- Notify the syslog server 10.1YY.69.100 when any configuration change happens.
- Retain the last 10 entries in the configuration log.
- Suppress the display of password information in the configuration log files.
- Ensure that configuration changes are not saved to the local file system.
Score: 2 points
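The configuration-change tracking above can be met with the IOS archive configuration logger, shown here as an added example rather than the questionnaire's answer key; it assumes rack number YY = 10 (as in the Rack10 prompts on this page), so the syslog server becomes 10.110.69.100, and it deliberately configures no archive `path`, which is what keeps change records off the local file system:

```cisco
! syslog destination that receives one message per configuration change
logging host 10.110.69.100
!
archive
 ! no "path" statement: nothing is written to flash or nvram
 log config
  ! record every command entered in configuration mode
  logging enable
  ! keep only the 10 most recent entries in the in-memory log
  logging size 10
  ! mask passwords and keys in the logged commands
  hidekeys
  ! send each logged change to the configured syslog hosts
  notify syslog
```

`show archive log config all` lists the retained entries, with password arguments replaced by `*****` when `hidekeys` is active.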
In order to avoid hitting a (fictive) software defect on R2, the vendor support engineer recommends bouncing (shut / no shut) both GigabitEthernet interfaces of R2 as soon as it restarts. Configure R2 as per the following requirements:
- Write a Cisco IOS EEM applet named "BOUNCEGIG" that automates the above task.
- Use the "%SYS-5-RESTART" syslog pattern in order to trigger the script when R2 has restarted.
- Ensure that the script bounces interface Gig0/0 first, then bounces interface Gig0/1
- Test your solution and ensure that there is an entry in the EEM events history similar to the following output.
Rack10R2#sh event manager history events
No.  Time of Event              Event Type
1    Fri Mar 1 00:00:02 2002    syslog
Score: 2 points
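An EEM applet for R2 that implements the restart-triggered bounce described above, added as an example and not taken from the questionnaire's answer key; the action numbering and the final syslog message are assumptions, and the ascending labels are what guarantee Gig0/0 is bounced before Gig0/1:

```cisco
event manager applet BOUNCEGIG
 ! fire when the restart message appears in the syslog stream
 event syslog pattern "%SYS-5-RESTART"
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 ! first interface: shut, then no shut
 action 1.2 cli command "interface GigabitEthernet0/0"
 action 1.3 cli command "shutdown"
 action 1.4 cli command "no shutdown"
 ! second interface, only after the first has been bounced
 action 1.5 cli command "interface GigabitEthernet0/1"
 action 1.6 cli command "shutdown"
 action 1.7 cli command "no shutdown"
 action 1.8 cli command "end"
 ! leave an audit trail of what the applet did
 action 2.0 syslog msg "BOUNCEGIG: bounced Gig0/0 then Gig0/1 after restart"
```

After a reload, `show event manager history events` should list one `syslog` event for the applet, and `show logging` shows the BOUNCEGIG message following the two interface state changes.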