

Section 1 - Layer 2 Technologies


1.1 Troubleshoot Layer 2 Switching
Two faults have been injected into the preconfiguration. These issues may impede a working solution in certain sections. Points will be awarded for solving each problem correctly. However, if you fail to solve a particular problem and the injected fault prevents you from having a working solution in any section of this lab, then you will lose points both for the fault and for the scenario that is not working.

NOTE: There are no physical faults. All hardware is in working order, and you do not need to physically touch any device or cable in order to solve a problem. Depending on the scenario, resolving a fault may require either one or multiple command lines on one or multiple devices.

Solve one fault: Score 2 points
Solve two faults: Score 4 points


1.2 Implement Access Switch Ports of Switched Network

Configure all of the appropriate non-trunking switch ports on SW1-SW4 according to the following requirements:

- VTP domain should be “CCIE” and password “cisco”
- VTP v2 should be configured with SW1 as server; the SW2, SW3 and SW4 VLAN databases should be updated by SW1
- Configure the VLAN ID and Name according to the table below (case sensitive).
- Configure the access ports for each VLAN as per the diagram.
- All 4 switches must run in transparent mode after synchronization
- All unused ports, including Giga ports, have to be on access VLAN 999 and shut down.

VLAN_ID  NAME
16       R1toSW1
18       R1toSW2
38       R3toSW2
26       R2toSW1
45       R4toR5
68       SW1toSW2
69       SW1toSW4
89       SW2toSW4
100      BB1
200      BB2
300      BB3
500      Client
999      Unused

Assign access ports to VLANs according to the diagram.
Score: 2 points

1.3 Spanning-Tree Domains for Switched Network

Configure STP on all four switches as per the following requirements:

- All switches must run a separate STP instance for each VLAN
- All STP instances must use the default hello, forward, and max-age timers.
- Enable rapid convergence on all four switches
- SW1 must be elected the root switch for ALL VLANs (effectively, for the entire range of all possible VLAN IDs).
- SW2 must be elected the backup switch for ALL VLANs (effectively, for the entire range of all possible VLAN IDs).
- Ensure that both SW1 and SW2 have the best chance of keeping their respective root or backup role even if a new switch is added to the topology later on.
- Ensure that SW1, SW2 and SW3 do not send BPDUs and do not process received BPDUs on their port Fa0/10 only.

Score: 2 points

1.4 Switch Trunking and Etherchannel


Refer to “Diagram 5: Trunk ports”, and configure your network as per the following requirements:

- All inter-switch links must use encapsulation 802.1Q
- Disable DTP on all trunks
- Ensure that the native VLAN (VLAN 1) is always tagged
- On each switch, configure three 200Mb/s fault-tolerant links relying on the IEEE 802.3ad standard.
- Traffic forwarded through these fault-tolerant links must be load-balanced based on the source and destination MAC addresses.

Score: 2 points

1.5 VLAN Feature


Configure your network as per the following requirements:

- Ensure that only the legitimate router interface is allowed to connect to Fa0/1 and Fa0/2 of SW1 (refer to “Diagram 6: Access ports”).
- SW1 must dynamically learn these legitimate MAC addresses and automatically save them in the configuration file.
- Ensure that SW1 does not need to relearn the legitimate MAC addresses after SW1 restarts.
- SW1 must shut down the port if a security violation occurs on either of these two ports.

Score: 2 points
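An added example (not part of the original lab material) of how IOS port security meets the sticky-MAC and shutdown-on-violation requirements above; the interface range and the verification commands are assumptions chosen to illustrate the task:

```cisco
! Added example, not from the original lab: SW1 access ports facing the routers.
! Assumed: Fa0/1 and Fa0/2 are the two ports named in the task.
interface range FastEthernet0/1 - 2
 switchport mode access
 ! Enable port security and allow exactly one secure MAC per port
 switchport port-security
 switchport port-security maximum 1
 ! "sticky": the first MAC learned on the port is written into running-config
 ! as a static secure address, so it is never relearned dynamically
 switchport port-security mac-address sticky
 ! Any other source MAC err-disables the port (the default action, made explicit)
 switchport port-security violation shutdown
!
! Sticky addresses survive a reload only once the running configuration is saved
end
copy running-config startup-config
!
! Verification (assumed commands):
!   show port-security interface FastEthernet0/1
!   show port-security address
!   show interfaces status err-disabled
! A violation is also reported to syslog as %PORT_SECURITY-2-PSECURE_VIOLATION,
! which is the event a monitoring system should alert on.
```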

1.6 Advanced VLAN Feature


Five users will connect to the network via VLAN 500 on Fa0/1 to Fa0/5 on SW4. Configure your network as per the following requirements:

- Ensure that these five ports start forwarding traffic as soon as the workstation is connected to them.
- Ensure that these five ports are allowed to communicate with their Layer 3 gateway (the VLAN 500 SVI on SW2) and are prohibited from directly sending frames to each other.
- Ensure that none of these five ports forwards flooded traffic due to an unknown unicast or unknown multicast.

NOTE: Do not use private VLANs.
Score: 2 points
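An added example (not from the original lab) of the per-port isolation the requirements above describe without private VLANs; the VLAN membership and the bpduguard line are assumptions beyond the task text:

```cisco
! Added example, not from the original lab: SW4 user ports in VLAN 500.
! Assumed: Fa0/1-5 are the five user ports named in the task.
interface range FastEthernet0/1 - 5
 switchport mode access
 switchport access vlan 500
 ! Edge port: skip STP listening/learning so the host forwards on link-up
 spanning-tree portfast
 ! Not required by the task, but standard with portfast on user ports:
 ! a BPDU from a host err-disables the port instead of joining the tree
 spanning-tree bpduguard enable
 ! Protected ports never forward frames directly to other protected ports on
 ! THIS switch; frames still leave via the uplink, so the VLAN 500 SVI on the
 ! upstream switch remains reachable. Isolation is local only: a host behind
 ! another switch is not covered (that is what private VLANs would add).
 switchport protected
 ! Do not flood unknown-unicast or unknown-multicast frames out these ports
 switchport block unicast
 switchport block multicast
!
! Verification (assumed): show interfaces FastEthernet0/1 switchport
!   -> "Protected: true", "Unknown unicast blocked: enabled",
!      "Unknown multicast blocked: enabled"
```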

1.7 WAN Technology


Configure your network as per the following requirements:

- Configure PPP on the serial link between R2 and R5.
- Configure Frame-Relay on the serial links between R5, R1, R4 and R3.
- All Frame-Relay interfaces must be able to ping the neighboring IPv4 address as well as their own IPv4 address.
- Use the interface and DLCI numbers indicated in “Diagram 8: Frame-Relay” in order to accomplish this task.
- Disable Frame-Relay Inverse ARP on all Frame-Relay interfaces.
- Do not disable the interface keepalives.

DLCI = 200 between R1 & R4
DLCI = 3YY between R3 & R4
DLCI = YY between R1 & R5 subinterface .YY
DLCI = 1YY between R1 & R5 subinterface .100

Score: 2 points

Section 2 - Layer 3 Technologies

2.1 IPv4 OSPF


Configure OSPFv2 as per “Diagram 1: IGP Routing” and according to the following requirements:

- The OSPF process ID must be 100 for all OSPF devices.
- The OSPF router IDs must be stable and must be configured using the IP address of interface Loopback0.
- Loopback0 interfaces must be advertised in the OSPF area shown in “Diagram 1: IGP Routing” and must appear as host routes.
- The VLAN 500 interface of SW2 must be configured into OSPF area 500, but no OSPF hello may be sent out of this interface
- Ensure that SW1 is elected as the Designated Router on all three VLAN interfaces (VLAN 16, 26 and 68) and ensure that it maintains the best chance of being re-elected as such.
- The F0/1 interface of R1 and the F0/0 interface of R2 must always remain in the DROTHER state.
- OSPF area 1 must be configured as a stub area which allows the injection of external routes.
- Enable label switching on the serial interfaces between R1, R2 and R5 by using LDP.
- Ensure that the LDP sessions are always sourced from the Loopback0 interface on all devices.
- Do not create additional OSPF areas.
- Do not use any IP address not listed in “Diagram 1: IGP Routing” unless explicitly required.
- Do not enable OSPF on any interfaces other than the ones shown in “Diagram 1: IGP Routing” unless explicitly required.

Score: 2 points

2.2 IPv4 EIGRP

Configure your network as per the following requirements:

- Configure EIGRP AS YY and EIGRP AS 100 as per “Diagram 1: IGP Routing”
- Disable automatic summarization in both autonomous systems.
- SW4 must receive six EIGRP external prefixes from BB2.
- Configure the delay for interface f0/1 of both R4 and R5 to 100 milliseconds (10,000 tens of microseconds)
- Enable LDP on the serial interfaces between R1, R3, R4 and R5 as well as on the FastEthernet link between R4 and R5.
- Ensure that the LDP sessions are always sourced from the Loopback0 interface on all devices.

Score: 2 points

2.3 IPv4 RIP

Configure RIP version 2 as per “Diagram 1: IGP Routing” and according to the following requirements.

- Disable automatic summarization.
- RIP must be enabled only for the required interfaces; no other interfaces may send any RIP updates.

Score: 2 points

2.4 Redistribution: EIGRP <---> OSPF

Configure your network as per the following requirements:

- Redistribute OSPF into EIGRP and vice versa on R5 only.
- Do not redistribute anywhere else between these two protocols.
- Ensure that all EIGRP routers are still able to reach any OSPF prefix when the link between R4 and R5 fails.
- The interface VLAN 500 of SW2 must appear as a prefix in area 0 only. It must never appear in any other area; your solution must remain valid even if a new area is added to the OSPF domain.
- Do not modify the administrative distance of OSPF.

Score: 4 points

2.5 Redistribution: EIGRP <----> RIP

Configure your network as per the following requirements:

- Redistribute EIGRP 100 into RIPv2 and vice versa on SW4
- Redistribute OSPF into RIPv2 on SW1 only.
- Do not redistribute RIPv2 into OSPF.
- Ensure that SW1 originates a default route everywhere into the OSPF domain.
- Ensure that all devices (but SW3) in your topology can reach 150.2.YY.254.
- Do not use any static route to resolve any routing issue.

Score: 2 points

2.6 IPv4 IBGP

Configure your network as per “Diagram 2: BGP Routing” and according to the following requirements:

- With the exception of R1, all routers in BGP AS YY must have only one IBGP neighbor.
- Secure all IBGP sessions with an MD5 hash; use the string “cisco” to that effect (without quotes)
- All BGP connections should survive a physical link failure
- R1 should always initiate the TCP session for the BGP connection to each BGP neighbor
- Configure “no bgp default ipv4-unicast” on all BGP speakers

Score: 2 points

2.7 IPv4 EBGP

Configure your network as per “Diagram 2: BGP Routing” and according to the following requirements:

- Establish EBGP between AS YY and AS 254 on both R4 and R5 by using their physical interfaces.
- The prefixes of VLAN_100 and VLAN_200 may appear as a BGP next-hop address in R4 and R5 only.
- Configure AS 144 on SW4 to peer with AS YY
- Ensure that SW4 installs in its routing table two equal-cost paths for any BGP prefixes originated in AS 254.
- Ensure that SW2 load-balances any traffic that is destined to AS 254 through both R1 and R3.

NOTE: Use the following command to verify this requirement:

Rack10SW2#sh ip cef 197.168.1.1
197.168.1.0/24
  nexthop 10.10.18.1 Vlan18
  nexthop 10.10.38.3 Vlan38

Score: 2 points

2.8 MPLS AND L3VPN

SW3 is simulating two distant customer sites in BGP AS 777 that are interconnected with L3VPN, which is provided by your core network. The interface loopback 71 of SW3 simulates SITE1, which is connected to R2, and the interface loopback 72 simulates SITE2, which is connected to R3. Refer to “Diagram 3” for more details.

Configure your network as per the following requirements:

- R2 and R5 must exchange VPN prefixes via BGP by using the route distinguisher 2:2
- R3 and R5 must exchange VPN prefixes via BGP by using the route distinguisher 3:3
- R2 and R3 may not peer directly with one another.
- Configure “mpls ldp explicit-null” on both PEs
- SW3 must maintain two separate routing tables for each site as described in “Diagram 3”
- The only prefix that SW3 may see in its global routing table is its preconfigured Loopback0 interface
- Your configuration must fully reconverge after a reload of any PE router at the end of the exam.

Note: Verify your solution by using the following commands on SW3.

Rack10SW3#ping vrf SITE2 71.71.71.71 source lo72
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 71.71.71.71, timeout is 2 seconds:
Packet sent with a source address of 72.72.72.72
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/9 ms
Rack10SW3#traceroute vrf SITE2
Protocol [ip]:
Target IP address: 71.71.71.71
Source address: 72.72.72.72
Numeric display [n]:
Resolve AS number in (G)lobal table, (V)RF or(N)one [G]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 71.71.71.71
  1 172.16.37.3 0 msec 0 msec 9 msec
  2 10.YY.34.4 8 msec 9 msec 8 msec
  3 10.YY.14.1 50 msec 92 msec 100 msec
  4 10.YY.15.5 17 msec 17 msec 17 msec
  5 172.16.27.2 8 msec 8 msec 9 msec
  6 172.16.27.7 8 msec * 0 msec
Rack10SW3#ping vrf SITE1 72.72.72.72 source lo71
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 72.72.72.72, timeout is 2 seconds:
Packet sent with a source address of 71.71.71.71
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/10/17 ms
Rack10SW3#traceroute vrf SITE1
Protocol [ip]:
Target IP address: 72.72.72.72
Source address: 71.71.71.71
Numeric display [n]:
Resolve AS number in (G)lobal table, (V)RF or(N)one [G]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 72.72.72.72
  1 172.16.27.2 0 msec 8 msec 0 msec
  2 10.1YY.25.5 42 msec 84 msec 92 msec
  3 10.YY.15.1 17 msec 17 msec 8 msec
  4 10.YY.14.4 17 msec 17 msec 8 msec
  5 172.16.37.3 9 msec 17 msec 8 msec
  6 172.16.37.7 8 msec * 9 msec

Score: 4 points

2.9 IPv6 Addressing

…preconfiguration. All IPv6 addresses were preconfigured as follows. All global unicast addresses match 2001:RR:YY:SS::HH/MM, where:

- RR is the identifier of the routing domain (YY for EIGRP YY, 1YY for OSPF)
- YY stands for your two-digit rack number, written in decimal format
- SS is the third octet of the IPv4 address of the same interface, written in decimal format
- HH is the fourth octet of the IPv4 address of the same interface, written in decimal format
- MM is the subnet mask and must be /128 for loopback interfaces and /64 for other interfaces.

Configure your network as per “Diagram 4: IPv6 Routing” and according to the following requirements:

- Configure EIGRPv6 YY on all routers in the EIGRP v4 AS YY
- Use the Loopback 0 IPv4 address as the EIGRP v4 router ID.
- Configure the area 0 of OSPFv3 (between SW1 and SW2 as shown in the “Diagram of IPv6 Routing”).
- The OSPFv3 process ID must be 100.
- Redistribute OSPFv3 into EIGRPv6 and vice versa on SW2.
- Ensure that there is full reachability among all IPv6 speakers.

Score: 2 points

2.10 IPv6 Routing

Configure your network as per “Diagram 4: IPv6 Routing” and according to the following requirements.

- Configure a tunnel between R1 and R2 to transport IPv6 traffic from R2 to the EIGRPv6 domain.
- The tunnel transport mode must be GRE, and it must be resilient to a single physical link failure.
- The tunnel must use the IPv6 prefix 2001:12:12:12::/64
- Extend the EIGRPv6 domain YY to R2 over the tunnel.
- R2 must be able to reach the Loopback0 interface of SW1 via the tunnel.

Score: 2 points

Section 3 - Multicast

3.1 Multicast

Configure multicast in your network as per the following requirements:

- Enable multicast for all interfaces belonging to ospf 100 and eigrp YY (including loopback0 interfaces)
- The network should never have to flood and prune multicast traffic unnecessarily
- Add a loopback1 interface on both R2 and R3 with the same ip address 200.100.100.100
- R3 must advertise loopback1 into EIGRP YY; R2 must advertise loopback1 into OSPF 100.
- Each loopback1 must be elected as the rendezvous point (RP) in its respective domain and must also be used as the source of the mapping information broadcasts
- Use a non-proprietary method to discover and announce the RP information
- Multicast sources are located in VLAN 68, and receivers are located on the link between R4 and R5
- Simulate the receivers with a static join on the F0/1 interface of R4.
- Receivers must be able to receive traffic sent to the group 232.1.1.1 from SW1
- Ensure that R3 is the actual RP in use in the EIGRP domain, R2 is the actual RP in use in the OSPF domain, and that R2 sends the source-active cache to R3

Score: 2 points

3.2 Advanced Multicast Feature

Continue configuring multicast in your network as per the following requirements:

- Ensure that both RPs process join requests for group 232.1.1.1 only.
- Ensure that only the authorized sources (located in VLAN_68) are allowed to register with the RPs
- Do not use any route-map or named access-list to achieve this task.

Score: 2 points

Section 4 - Advanced IP Services

4.1 First Hop Redundancy

Configure your network as per the following requirements:

- Both R4 and R5 must provide automatic default gateway backup for hosts located on VLAN 45 by using the virtual IP address 10.YY.45.1/24.
- Ensure that both R4 and R5 participate at the same time in forwarding traffic destined to the virtual IP address, with R4 weighted at 150 and processing three clients for every one processed by R5.
- Use the password “CCIE123” (without quotes) to secure the relationship between R4 and R5; use the strongest security available. (Do not use a keychain to accomplish this requirement.)

Score: 2 points

4.2 L3 Security

Consider that three servers (SMTP, WEB, DNS) connected to VLAN 500 on SW2 must be reachable from any host anywhere in the network. Many users are connected to VLAN 500 on SW2 as well, and are allowed to connect to these local servers. These users must also be allowed to connect to other SMTP, WEB and DNS servers located outside of VLAN 500. A number of these users are abusing the link with unnecessary traffic. Configure your network as per the following requirements:

- Create a filter on SW2 to allow only legitimate traffic (SMTP-TCP port 25, WEB-TCP port 80, DNS-UDP port 53, ICMP-all types) on VLAN 500 going from and to any hosts (Do not specify any IP address in the filter).
- All non-legitimate traffic must be dropped.
- Use a single named access-list to accomplish this task. Do not include any deny statement in the access-list.

Score: 2 points

4.3 Device Security

Configure R5 as per the following requirements:

- The administrator user “admin” must be able to use the SSH protocol in order to manage the router by using the password “ccie”. This user must receive the enable prompt directly when logging in to R5.
- The user “guest” must be able to use the SSH protocol in order to connect to the router by using the password “cisco”. This user must receive the user-mode (non-enable-mode) prompt when logging in to R5.
- Disable all non-SSH access methods on the VTY lines of R5. Do not use the command “access-class” to accomplish this. Enable a maximum of 16 users to connect concurrently at any point in time.
- Configure the domain name “ccie.com” on R5.
- Ensure that the console does not require a username prompt and that it presents the user with the user-mode (non-enable-mode) prompt
- Do not modify the enable password.

NOTE: Verify your solution by using R2 as the SSH client and verify that the following commands succeed as expected.

Rack10R2#ssh -l admin 1YY.5.5.5
Rack10R2#ssh -l guest 1YY.5.5.5

Score: 2 points
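An added example (not from the original lab) of an SSH-only management configuration that meets the requirements above; the RSA key size and the use of "secret" instead of "password" are choices made here, not stated by the task:

```cisco
! Added example, not from the original lab: SSH-only management on R5.
! Assumed: R5 already owns the Loopback0 address used in the task's ssh tests.
ip domain-name ccie.com
! An RSA key pair must exist before SSH can start; 2048 bits is an assumed size
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Local user database. "secret" stores a one-way hash; "password" would leave a
! reversible type-7 string in the configuration. Both users keep the passwords
! the task specifies. privilege 15 + "login local" drops admin straight into the
! enable (#) prompt, privilege 1 lands guest in user mode (>).
username admin privilege 15 secret ccie
username guest privilege 1 secret cisco
!
! vty 0 15 = 16 concurrent sessions. "transport input ssh" is what removes
! telnet (and every other protocol) from the lines, so no access-class is needed.
line vty 0 15
 login local
 transport input ssh
 exec-timeout 10 0
!
! Console: no username prompt, user-mode prompt; the enable secret is untouched
line con 0
 no login
!
! Verification from R2 (assumed):
!   ssh -l admin 1YY.5.5.5   -> password "ccie",  prompt "R5#"
!   ssh -l guest 1YY.5.5.5   -> password "cisco", prompt "R5>"
!   show ip ssh / show users  on R5 to confirm protocol version and sessions
```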

4.4 Quality of Service

Configure your network as per the following requirements:

- Create interface Loopback148 in SW2 with the IP address 148.0.0.8/32 and add it into EIGRP YY by any means available.
- Create interface Loopback148 in R4 with the IP address 148.0.0.4/32 and add it into EIGRP YY by any means available.
- Traffic sourced from Loopback148 of SW2 and destined to Loopback148 of R4 (and only this traffic) must always leave SW2 via interface VLAN18; no other interface may ever transmit these packets.
- SW2 must load-balance (between R1 and R3) any other traffic destined to Lo148 of R4.
- In case interface VLAN 18 of SW2 is not operational, packets between Lo148 of SW2 and Lo148 of R4 must be dropped on SW2.
- Use a single numbered and extended access-list with a single entry in order to accomplish this requirement.
- Do not modify any EIGRP parameter anywhere to accomplish this requirement.

NOTE: Use the following tests to validate your solution

Rack10SW2#trace
Protocol [ip]:
Target IP address: 148.0.0.4
Source address: 148.0.0.8
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 148.0.0.4
  1 10.YY.18.1 4 msec 4 msec 4 msec
  2 10.YY.14.4 0 msec * 4 msec
Rack10SW2#trace 148.0.0.4
Type escape sequence to abort.
Tracing the route to 148.0.0.4
  1 10.YY.18.1 4 msec 10.YY.38.3 4 msec 10.YY.18.1 4 msec
  2 10.YY.34.4 4 msec 10.YY.14.4 4 msec *

Score: 2 points

4.5 L3VPN Quality of Service

The MPLS enabled routers in your network have been preconfigured to service three classes of traffic based on the MPLS experimental bits. The PE routers are also provisioning three classes of traffic towards the CE routers. R1 contains a policy that will remark traffic for testing purposes. Do not modify this policy. Configure both PE routers in your network as per the following requirements:

- The traffic leaving the MPLS core and going to the CE must be remarked using the latest value found in the MPLS experimental bits.
- Both PE routers must shape the traffic towards the CEs to 2Mb/s CIR.
- Your solution must include the existing QoS preconfigurations.
- Do not create any new non-default class-map to accomplish the above requirements (i.e. if you need to create any new class-map, it must be the class-map default).
- You may check your solution by using an extended ping, with the TOS value set to 160. Counters must increment accordingly on the class CRITICAL on the egress policy of the remote PE.

Score: 2 points

4.6 Device Security

Configure and apply on R5 a single ingress policy-map named “CONTROL” that contains exactly three user-defined class-maps according to the following requirements:

Configure a class-map called “SSH_POLICE” according to the following requirements.

- Any SSH session initiated from VLAN 18 and destined to the interface Se0/0/1 of R5 must not be policed.
- Police to 16 kb/s all other SSH traffic according to the following requirements.
- The conform-action must be “transmit”.
- The exceed-action must be “drop”.
- The burst value must not be configured
- Configure a named access-list called “SSH” in order to classify the above SSH traffic.

Configure another class-map called “BLOCK” according to the following requirements:

- HTTP (destined to port 80) and HTTPS (destined to port 443) traffic sourced from any host located on VLAN500 and destined to anywhere must be dropped.
- Configure a named access-list called “HTTP” containing exactly two entries in order to classify the above HTTP and HTTPS traffic.
- Configure another named access-list called “ALL_ICMP” containing the single statement “permit icmp any any”.
- The class-map “BLOCK” must drop the traffic matched by these two access-lists (“HTTP” and “ALL_ICMP”).

Configure another class-map called “ICMP_LIMIT” according to the following requirements.

- ICMP echo and echo-reply to or from anywhere must be policed to 100p/s, allowing 10 packets in burst.
- Configure a named access-list called “ICMP_ECHO” in order to classify the above ICMP echo and echo-reply traffic.
- Do not use any “match not” statement in any class-map.
- Ensure that any device (but SW3) can still ping the interfaces of R5.
- All class-map and access-list names are case sensitive and must not include any quotes.

Note: kb/s = kilobits per second and p/s = packets per second.
Score: 2 points
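An added example (not from the original lab) of one way to build the “CONTROL” policy described above without any “match not” statement; the VLAN 18 subnet, the VLAN500_NET and SE0_0_1_ADDR placeholders and the interface the policy is applied to are assumptions, since the task does not state them:

```cisco
! Added example, not from the original lab: ingress policy "CONTROL" on R5.
! Assumed placeholders: 10.YY.18.0/24 = VLAN 18, VLAN500_NET = VLAN 500 subnet,
! SE0_0_1_ADDR = IPv4 address of Se0/0/1 on R5.
!
! 1) SSH: the deny entry keeps the exempt flows OUT of the class (they fall
!    through to class-default, unpoliced); everything else on port 22 matches.
ip access-list extended SSH
 deny   tcp 10.YY.18.0 0.0.0.255 host SE0_0_1_ADDR eq 22
 permit tcp any any eq 22
!
! 2) HTTP and HTTPS from VLAN 500: exactly two entries
ip access-list extended HTTP
 permit tcp VLAN500_NET 0.0.0.255 any eq 80
 permit tcp VLAN500_NET 0.0.0.255 any eq 443
!
ip access-list extended ALL_ICMP
 permit icmp any any
!
! 3) Only echo and echo-reply are rate-limited rather than dropped
ip access-list extended ICMP_ECHO
 permit icmp any any echo
 permit icmp any any echo-reply
!
class-map match-all SSH_POLICE
 match access-group name SSH
class-map match-any BLOCK
 match access-group name HTTP
 match access-group name ALL_ICMP
class-map match-all ICMP_LIMIT
 match access-group name ICMP_ECHO
!
! Class ORDER is the whole trick: a packet is handled by the first class it
! matches. ICMP_LIMIT must precede BLOCK, otherwise ALL_ICMP inside BLOCK
! would swallow echo/echo-reply and nobody could ping R5.
policy-map CONTROL
 class SSH_POLICE
  ! 16 kb/s; no burst given, so IOS derives its default burst size
  police 16000
   conform-action transmit
   exceed-action drop
 class ICMP_LIMIT
  police rate 100 pps burst 10 packets
   conform-action transmit
   exceed-action drop
 class BLOCK
  drop
!
! Apply inbound on the interface the task targets (interface name assumed)
interface GigabitEthernet0/0
 service-policy input CONTROL
!
! Verification (assumed): show policy-map interface GigabitEthernet0/0 input
```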

4.7 Network Services

Configure your network as per the following requirements:

- R1 is the NTP master (stratum 1).
- R2 and R5 must synchronize their clock to the clock of R1.
- Ensure that all three devices retain the clock between reboots.
- ALL NTP peers must use their Loopback0 interface as the NTP source.

Score: 2 points

Section 5 - Network Optimisation

5.1 Network Management-I

Configure R1 as per the following requirements:

- Track all changes to the running configuration.
- Notify the syslog server 10.1YY.69.100 when any configuration change happens.
- Retain the last 10 entries in the configuration log.
- Suppress the display of password information in the configuration log files.
- Ensure that configuration changes are not saved to the local file system.

Score: 2 points
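An added example (not from the original lab) of the IOS configuration-change logger that covers the five requirements above; the syslog host is the one named in the task and the show command is an assumed verification step:

```cisco
! Added example, not from the original lab: configuration change logging on R1.
! Assumed: 10.1YY.69.100 is the syslog server named in the task.
logging host 10.1YY.69.100
!
archive
 log config
  ! Record every command entered in configuration mode, with user and line
  logging enable
  ! Keep only the 10 most recent entries in the in-memory change log
  logging size 10
  ! Mask passwords and keys in the logged commands
  hidekeys
  ! Forward each logged change to the configured syslog hosts
  ! (arrives as %PARSER-5-CFGLOG_LOGGEDCMD, the event a SIEM should key on)
  notify syslog
!
! "logging persistent" is deliberately NOT configured: with it, the change
! log would also be written to local flash, which the task forbids.
!
! Verification (assumed): show archive log config all
```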

5.2 Network Management-II

In order to avoid hitting a (fictive) software defect on R3, the vendor support engineer recommends bouncing (shut / no shut) both GigabitEthernet interfaces of R3 as soon as it restarts. Configure R3 as per the following requirements:

- Write a Cisco IOS EEM applet named “BOUNCEGIG” that automates the above task.
- Use the “%SYS-5-RESTART” syslog pattern in order to trigger the script when R3 has restarted.
- Ensure that the script bounces interface Gig0/0 first, then bounces interface Gig0/1
- Test your solution and ensure that there is an entry in the EEM events history similar to the following output.

Rack10R3#sh event manager history events
No.  Time of Event             Event Type   Name
1    Fri Mar 1 00:00:02 2002   syslog       applet: BOUNCEGIG

Score: 2 points

