Configure the ACME Headquarters network (AS 12345) as per the following requirements
Configure the network of the New York office (AS 34567) as per the following requirements
Answers:
SW-1(config)#vtp version 2
SW-1(config)#vtp domain CCIE
SW-1(config)#vtp mode server
SW-1(config)#vtp password CCIErocks$
SW-1(config)#end
SW-1#
SW-2(config)#vtp version 2
SW-2(config)#vtp domain CCIE
SW-2(config)#vtp mode client
SW-2(config)#vtp password CCIErocks$
SW-2(config)#end
SW-2#
SW-1#sh mac address-table aging-time
Global Aging Time: 300
Vlan    Aging Time
----    ----------
SW-1#
The default MAC address aging time is 300 seconds (5 minutes).
On both switches:
SW-1(config)# mac-address-table aging-time 7200
Complete the config of all vlans so that all routers that are located
in ACME's headquarters (AS12345) and New York office (AS 34567) can
ping their directly connected neighbors
All four switches (SW1-SW4) must have dot1q trunks that do not rely on
negotiation. Do not configure any EtherChannel.
Ensure that the following unused ports on all four switches are
shutdown and configured as access ports in vlan 999
E3/0 - E3/3 are unused on SW1 and SW2
E1/0 - E1/3 are unused on SW3 and SW4
E3/0 - E3/3 are unused on SW3 and SW4
Answers:
SW-1(config)#do sh vlan brief | ex 100
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Et3/0, Et3/1, Et3/2, Et3/3
14   VLAN0014                         active    E0/0,E1/0
15   VLAN0015                         active    E1/1
23   VLAN0023                         active    E0/1,E0/2
24   VLAN0024                         active    E0/3
67   VLAN0067                         active    E1/2,E1/3
sw2 eth   2/0   eth 2/0
R4 eth    0/3   eth 0/1
R4 eth    1/0   eth 0/0
R5 eth    1/1   eth 0/1
R6 eth    1/2   eth 0/1
R1 eth    2/1   eth 2/1
R2 eth    0/1   eth 0/1
R3 eth    0/2   eth 0/1
SW1#
SW-2(config)#do sh vlan brief | ex 100
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Et3/0, Et3/1, Et3/2, Et3/3
14   VLAN0014                         active
15   VLAN0015                         active
23   VLAN0023                         active
24   VLAN0024                         active
67   VLAN0067                         active
E0/0
E0/1
active
active
active
active
E0/0
E0/1
E0/3
E0/2
SW3#
SW-4(config)#do sh vlan brief | ex 100
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Eth 1/0,Eth 1/1,Eth1/2,Eth1/3
                                                Et3/0, Et3/1, Et3/2, Et3/3
49   VLAN0049                         active    E0/1
89   VLAN0089                         active    E0/0
111  VLAN0111                         active    E0/2
411  VLAN0310                         active    E0/3
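SW-1(config)#int range ethernet 3/0 - 3
SW-1(config-if-range)#switchport mode access
SW-1(config-if-range)#switchport access vlan 999
SW-1(config-if-range)#shut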
SW-2(config)#int range ethernet 3/0 - 3
SW-2(config-if-range)#switchport mode access
SW-2(config-if-range)#switchport access vlan 999
% Access VLAN does not exist. Creating vlan 999
SW-2(config-if-range)#shut
SW-3(config)#int range ethernet 3/0 - 3
SW-3(config-if-range)#switchport mode access
SW-3(config-if-range)#switchport access vlan 999
% Access VLAN does not exist. Creating vlan 999
SW-3(config-if-range)#shut
SW-4(config)#int range ethernet 3/0 - 3
SW-4(config-if-range)#switchport mode access
SW-4(config-if-range)#switchport access vlan 999
% Access VLAN does not exist. Creating vlan 999
SW-4(config-if-range)#shut
Let's check and configure trunking with no auto-negotiation.
On all switches (SW1-SW4):
int range eth 3/0 - 3
switchport trunk encapsulation dot1q
switchport mode trunk
Now you can verify that all the VLANs are present on each switch.
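One way to check the unused-port requirement against a saved running-config, as an added example that is not part of the original lab solution. The port lists come from the task text; the sample configuration is constructed and the function names are hypothetical. It also reports a port from the unused list that has been put into trunk mode.

```python
import re


def slot_ports(slot):
    """Ethernet<slot>/0 .. Ethernet<slot>/3, the ranges named in the task."""
    return [f"Ethernet{slot}/{n}" for n in range(4)]


# Unused ports per switch, taken from the requirement text.
UNUSED = {
    "SW1": slot_ports(3),
    "SW2": slot_ports(3),
    "SW3": slot_ports(1) + slot_ports(3),
    "SW4": slot_ports(1) + slot_ports(3),
}

# Constructed sample: part of a running-config as it might look on SW3.
SAMPLE_SW3 = """\
interface Ethernet1/0
 switchport access vlan 999
 switchport mode access
 shutdown
!
interface Ethernet1/1
!
interface Ethernet1/2
 switchport access vlan 999
 switchport mode access
 shutdown
!
interface Ethernet1/3
 switchport access vlan 999
 switchport mode access
 shutdown
!
interface Ethernet3/0
 switchport access vlan 999
 switchport mode access
 shutdown
!
interface Ethernet3/1
 switchport access vlan 999
 switchport trunk encapsulation dot1q
 switchport mode trunk
 shutdown
!
interface Ethernet3/2
 switchport access vlan 999
 switchport mode access
!
interface Ethernet3/3
 switchport mode access
 shutdown
!
"""


def parse_interfaces(config):
    """Map interface name -> list of its sub-commands (indented lines)."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        match = re.match(r"^interface (\S+)$", line)
        if match:
            current = stanzas.setdefault(match.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or any global command ends the stanza
    return stanzas


def audit(switch, config, parking_vlan=999):
    """Return {port: [problems]} for every unused port that is not hardened."""
    stanzas = parse_interfaces(config)
    findings = {}
    for port in UNUSED[switch]:
        cmds = stanzas.get(port)
        problems = []
        if cmds is None:
            problems.append("no interface stanza found")
        else:
            if "switchport mode access" not in cmds:
                mode = next((c for c in cmds if c.startswith("switchport mode ")),
                            "no explicit mode")
                problems.append(f"not a static access port ({mode})")
            if f"switchport access vlan {parking_vlan}" not in cmds:
                problems.append(f"not in VLAN {parking_vlan}")
            if "shutdown" not in cmds:
                problems.append("not shut down")
        if problems:
            findings[port] = problems
    return findings


if __name__ == "__main__":
    for port, problems in audit("SW3", SAMPLE_SW3).items():
        print(port, "->", "; ".join(problems))
```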
SW1 must be the root switch for all odd vlans and must be the backup
for all even vlans
SW2 must be the root switch for all even vlans and must be the backup
for all odd vlans
SW3 must be the root switch for all odd vlans and must be the backup
for all even vlans
SW4 must be the root switch for all even vlans and must be the backup
for all odd vlans
Explicitly configure the root and backup roles, assuming that other
switches with default configuration may eventually be added in the
network in the future
All switches must maintain one STP instance per vlan
Use the STP mode that has only three possible states
Answers
1.3 implement spanning tree/solutions
CPS_A1_ABHI_NAG_SW1(config)#spanning-tree mode rapid-pvst
CPS_A1_ABHI_NAG_SW1(config)#spanning-tree portfast default
CPS_A1_ABHI_NAG_SW1(config)#spanning-tree portfast bpduguard default
CPS_A1_ABHI_NAG_SW2(config)#spanning-tree mode rapid-pvst
CPS_A1_ABHI_NAG_SW2(config)#spanning-tree portfast default
CPS_A1_ABHI_NAG_SW2(config)#spanning-tree portfast bpduguard default
CPS_A1_ABHI_NAG_SW3(config)#spanning-tree mode rapid-pvst
CPS_A1_ABHI_NAG_SW3(config)#spanning-tree portfast default
CPS_A1_ABHI_NAG_SW3(config)#spanning-tree portfast bpduguard default
CPS_A1_ABHI_NAG_SW4(config)#spanning-tree mode rapid-pvst
CPS_A1_ABHI_NAG_SW4(config)#spanning-tree portfast default
CPS_A1_ABHI_NAG_SW4(config)#spanning-tree portfast bpduguard default
Note: need to enable rapid; the IOU I'm using does not support it.
CPS_A1_ABHI_NAG_SW1(config)#spanning-tree vlan 15,23,35,57,67,999 root primary
CPS_A1_ABHI_NAG_SW1(config)#spanning-tree vlan 14,24,46 root secondary
CPS_A1_ABHI_NAG_SW2(config)#spanning-tree vlan 14,24,46 root primary
CPS_A1_ABHI_NAG_SW2(config)#spanning-tree vlan 15,23,35,57,67,999 root secondary
CPS_A1_ABHI_NAG_SW3(config)#spanning-tree vlan 49,89,111,411,999 root primary
CPS_A1_ABHI_NAG_SW3(config)#spanning-tree vlan 34,38,310 root secondary
CPS_A1_ABHI_NAG_SW4(config)#spanning-tree vlan 34,38,310 root primary
CPS_A1_ABHI_NAG_SW4(config)#spanning-tree vlan 49,89,111,411,999 root secondary
Solution verification
CPS_A1_ABHI_NAG_SW1#show spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for: VLAN0015, VLAN0023, VLAN0035, VLAN0057, VLAN0067, VLAN0999
EtherChannel misconfig guard is enabled
Extended system ID           is enabled
Portfast default             is enabled
Portfast BPDU Guard Default  is enabled
Portfast BPDU Filter Default is disabled
Loopguard default            is disabled
Uplinkfast                   is disabled
Backbonefast                 is disabled
Configured Pathcost method is short
CPS_A1_ABHI_NAG_SW2#show spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for: VLAN0014, VLAN0024, VLAN0046
EtherChannel misconfig guard is enabled
Extended system ID           is enabled
Portfast default             is enabled
Portfast BPDU Guard Default  is enabled
Portfast BPDU Filter Default is disabled
Loopguard default            is disabled
Uplinkfast                   is disabled
Backbonefast                 is disabled
CPS_A1_ABHI_NAG_SW3#show spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for: VLAN0001, VLAN0049, VLAN0089, VLAN0111, VLAN0411, VLAN0999
EtherChannel misconfig guard is enabled
Extended system ID           is enabled
Portfast default             is enabled
Portfast BPDU Guard Default  is enabled
Portfast BPDU Filter Default is disabled
Loopguard default            is disabled
Uplinkfast                   is disabled
Backbonefast                 is disabled
Configured Pathcost method used is short
The WAN links must rely on a layer 2 protocol that supports link
negotiation and authentication.
The service provider expects both R18 and R19 to complete a three-way
handshake by providing the expected response to a challenge that is
sent by R63
R18 must use the username ACME-R18 and password CCIE
R19 must use the username ACME-R19 and password CCIE
Solution
CPS_A1_ABHI_NAG_R18(config)#interface serial1/0
CPS_A1_ABHI_NAG_R18(config-if)# ip address 203.3.18.2 255.255.255.252
CPS_A1_ABHI_NAG_R18(config-if)# encapsulation ppp
CPS_A1_ABHI_NAG_R18(config-if)# ppp chap hostname ACME-R18
CPS_A1_ABHI_NAG_R18(config-if)# ppp chap password CCIE
CPS_A1_ABHI_NAG_R18(config-if)# no shutdown
CPS_A1_ABHI_NAG_R18#ping 203.3.18.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.3.18.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/8/9 ms
CPS_A1_ABHI_NAG_R18#
CPS_A1_ABHI_NAG_R18#show ip route | i 203
203.3.18.0/24 is variably subnetted, 3 subnets, 2 masks
C 203.3.18.0/30 is directly connected, Serial1/0
C 203.3.18.1/32 is directly connected, Serial1/0
L 203.3.18.2/32 is directly connected, Serial1/0
CPS_A1_ABHI_NAG_R18#
Did you notice the host route for the PE interface? It is generally not recommended when the two PPP peers
have IP addresses in the same subnet. We can disable it with the command no peer neighbor-route:
CPS_A1_ABHI_NAG_R18(config)#interface serial1/0
CPS_A1_ABHI_NAG_R18(config-if)#shutdown
CPS_A1_ABHI_NAG_R18(config-if)# no peer neighbor-route
CPS_A1_ABHI_NAG_R18(config-if)#no shutdown
CPS_A1_ABHI_NAG_R18#ping 203.3.18.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.3.18.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 9/9/10 ms
CPS_A1_ABHI_NAG_18#
CPS_A1_ABHI_NAG_18#show ip route | i 203
203.3.18.0/24 is variably subnetted, 2 subnets, 2 masks
C 203.3.18.0/30 is directly connected, Serial1/0
L 203.3.18.2/32 is directly connected, Serial1/0
CPS_A1_ABHI_NAG_18#
CPS_A1_ABHI_NAG_19(config)#interface serial1/0
CPS_A1_ABHI_NAG_19(config-if)#ip address 203.3.19.2 255.255.255.252
CPS_A1_ABHI_NAG_19(config-if)# encapsulation ppp
CPS_A1_ABHI_NAG_19(config-if)# ppp chap hostname ACME-R19
CPS_A1_ABHI_NAG_19(config-if)# ppp chap password CCIE
CPS_A1_ABHI_NAG_19(config-if)# no peer neighbor-route
CPS_A1_ABHI_NAG_19(config-if)# no shutdown
CPS_A1_ABHI_NAG_19#ping 203.3.19.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.3.19.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 15/17/19 ms
CPS_A1_ABHI_NAG_19#
CPS_A1_ABHI_NAG_19#show ip route | i 203
203.3.19.0/24 is variably subnetted, 2 subnets, 2 masks
C 203.3.19.0/30 is directly connected, Serial1/0
L 203.3.19.2/32 is directly connected, Serial1/0
CPS_A1_ABHI_NAG_19#
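The three-way handshake these routers perform is CHAP (RFC 1994). The following Python model is an added example, not part of the original lab solution; it builds and checks the Challenge, Response and Success/Failure messages offline. The authenticator name R63 and the usernames come from the task text; the class and function names are hypothetical.

```python
"""CHAP (RFC 1994) three-way handshake, modelled offline."""
import hashlib
import hmac
import os
import struct

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4


def build_packet(code, ident, value, name):
    """Challenge/Response layout: Code, Identifier, Length, Value-Size, Value, Name."""
    length = 4 + 1 + len(value) + len(name)
    return struct.pack("!BBHB", code, ident, length, len(value)) + value + name


def parse_packet(pkt):
    """Return (code, ident, value, name); reject truncated or inconsistent packets."""
    if len(pkt) < 5:
        raise ValueError("short CHAP packet")
    code, ident, length, vsize = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt) or 5 + vsize > length:
        raise ValueError("bad CHAP length fields")
    return code, ident, pkt[5:5 + vsize], pkt[5 + vsize:]


def chap_hash(ident, secret, challenge):
    """Response value = MD5(Identifier || secret || Challenge value)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Authenticator:
    """Provider side (R63 in the task): issues challenges, checks responses."""

    def __init__(self, name, secrets):
        self.name, self.secrets = name, secrets
        self.ident = 0
        self.pending = {}  # ident -> challenge value still awaiting an answer

    def challenge(self):
        self.ident = (self.ident + 1) % 256
        value = os.urandom(16)  # fresh and unpredictable for every attempt
        self.pending[self.ident] = value
        return build_packet(CHALLENGE, self.ident, value, self.name)

    def verify(self, pkt):
        code, ident, value, name = parse_packet(pkt)
        challenge = self.pending.pop(ident, None)  # one answer per challenge
        secret = self.secrets.get(name)
        if code != RESPONSE or challenge is None or secret is None:
            return FAILURE
        expected = chap_hash(ident, secret, challenge)
        return SUCCESS if hmac.compare_digest(expected, value) else FAILURE


def respond(challenge_pkt, hostname, password):
    """Customer side (R18/R19): answer a Challenge with the hashed secret."""
    code, ident, value, _peer = parse_packet(challenge_pkt)
    if code != CHALLENGE:
        raise ValueError("not a Challenge")
    return build_packet(RESPONSE, ident, chap_hash(ident, password, value), hostname)


def demo():
    """Run the handshake for the good case and three failure cases."""
    r63 = Authenticator(b"R63", {b"ACME-R18": b"CCIE", b"ACME-R19": b"CCIE"})
    results = {}

    # Steps 1-3: Challenge, Response, Success.
    first = r63.challenge()
    good = respond(first, b"ACME-R18", b"CCIE")
    results["good"] = r63.verify(good)

    # An old response re-sent against a new challenge: the hash no longer matches.
    second = r63.challenge()
    replay = build_packet(RESPONSE, parse_packet(second)[1],
                          parse_packet(good)[2], b"ACME-R18")
    results["replay"] = r63.verify(replay)

    # Hostname that does not match the username the provider expects.
    results["wrong_name"] = r63.verify(respond(r63.challenge(), b"ACME-19", b"CCIE"))

    # Password differing only in case.
    results["wrong_password"] = r63.verify(respond(r63.challenge(), b"ACME-R18", b"ccie"))
    return results


if __name__ == "__main__":
    labels = {SUCCESS: "Success", FAILURE: "Failure"}
    for case, code in demo().items():
        print(f"{case:15s} {labels[code]}")
```

The password itself never crosses the link; only the challenge and the MD5 digest do, which is why both ends must hold the same secret and the hostname must match what the authenticator has on file.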
Solution verification
CPS_A1_ABHI_NAG_18#show ppp all
Interface/ID OPEN+ Nego* fail-      stage    Peer Address    Peer Name
--------------------------------------------------
Se1/0        LCP+IPCP+CDPCP+        LocalT   203.3.18.1      AS20003
CPS_A1_ABHI_NAG_18#
CPS_A1_ABHI_NAG_18#show interface serial 1/0
Serial1/0 is up,line protocol is up
Hardware is M4T
R1
R1#ping 123.10.1.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.6, timeout is 2 seconds:
!!!!!
R2#ping 123.10.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R2#
R2#ping 123.10.1.18
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.18, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R2#
R2(config)#router ospf 12345
R2(config-router)#router-id 123.2.2.2
R2(config-router)#net 123.2.2.2 0.0.0.0 area 0
R2(config-router)#net 123.10.1.9 0.0.0.0 area 0
R2(config-router)#net 123.10.1.17 0.0.0.0 area 0
R2(config-router)#end
R2#sh ip ospf int brief
Interface    PID     Area
Lo0          12345   0
Et0/2        12345   0
Et0/1        12345   0
R2#
R3#ping 123.10.1.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R3#
R3#ping 123.10.1.14
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.14, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R3#
R3(config)#router ospf 12345
R3(config-router)#router-id 123.3.3.3
R3(config-router)#net 123.3.3.3 0.0.0.0 area 0
R3(config-router)#net 123.10.1.10 0.0.0.0 area 0
R3(config-router)#net 123.10.1.13 0.0.0.0 area 0
R3(config-router)#end
R3#sh ip ospf int brief
Interface    PID     Area
Lo0          12345   0
Et0/2        12345   0
Et0/1        12345   0
Address         Interface
123.10.1.9      Ethernet0/1
R4#ping 123.10.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R4#
R4#ping 123.10.1.17
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.17, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R4#
R4#ping 123.10.1.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R4#
R4(config)#router ospf 12345
R4(config-router)#router-id 123.4.4.4
Address         Interface
123.10.1.17     Ethernet0/1
123.10.1.1      Ethernet0/0
R5#ping 123.10.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R5#
R5#ping 123.10.1.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R5#
R5#ping 123.10.1.30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.30, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R5#
R5(config)#router ospf 12345
R5(config-router)#router-id 123.5.5.5
R5(config-router)#net 0.0.0.0 255.255.255.255 area 0
R5(config-router)#end
R5#sh ip ospf int brief
Interface    PID     Area
Lo0          12345   0
Et0/2        12345   0
Et0/1        12345   0
Et0/0        12345   0
Neighbor ID     Pri   State      Dead Time   Address         Interface
123.3.3.3       1     FULL/DR    00.00.36    123.10.1.17     Ethernet0/2
123.1.1.1       1     FULL/DR    00.00.36    123.10.1.1      Ethernet0/1
R5#
R6#ping 123.10.1.26
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.26, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R6#
R6#ping 123.10.1.21
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.21, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R6#
R6(config)#router ospf 12345
R6(config-router)#router-id 123.6.6.6
R6(config-router)#net 0.0.0.0 255.255.255.255 area 0
R6(config-router)#end
R6#sh ip ospf int brief
Interface    PID     Area
Lo0          12345   0
Et0/2        12345   0
Et0/1        12345   0
Address         Interface
123.10.1.21     Ethernet0/2
R7#ping 123.10.1.25
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.25, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R7#
R7#ping 123.10.1.29
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.29, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R7#
R7(config)#router ospf 12345
R7(config-router)#router-id 123.7.7.7
R7(config-router)#net 0.0.0.0 255.255.255.255 area 0
R7(config-router)#end
R7#sh ip ospf int brief
Interface    PID     Area
Lo0          12345   0
Et0/2        12345   0
Et0/1        12345   0
Address         Interface
123.10.1.29     Ethernet0/2
123.10.1.25     Ethernet0/1
>>>from here show the routing table of each device and ping all devices loopbacks sourcing
from the loopbacks<<<<<
vlan 411
int lo0 at SW4
int lo0 at R11
Using a single command on one switch only, ensure that R9 installs two
equal-cost routes for the following three paths
vlan 310
int lo0 at SW3
int lo0 at R10
E0/1
13 00:00:39
11
100
R10#ping 123.10.2.17
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.17, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R10#
R10#ping 123.10.2.26
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.26, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R10#
R10(config)#router eigrp CCIE
R10(config-router)#address-family ipv4 unicast autonomous-system 34567
R10(config-router-af)#net 123.10.10.10 0.0.0.0
R10(config-router-af)#net 123.10.2.18 0.0.0.0
R10(config-router-af)#net 123.10.2.25 0.0.0.0
R10(config-router-af)#end
R10#sh ip eigrp interfaces
EIGRP-IPv4 VR(CCIE) Address-Family Interfaces for AS(34567)
                  Xmit Queue   PeerQ        Mean   Pacing Time   Multicast    Pending
Interface  Peers  Un/Reliable  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Lo0        0      0/0          0/0          0      0/0           0            0
Et0/2      0      0/0          0/0          0      0/0           0            0
Et0/1      0      0/0          0/0          0      0/0           0            0
R10#
R10#sh ip eigrp neighbors
EIGRP-IPv4 VR(CCIE) Address-Family Neighbors for AS(34567)
R10#
R11#ping 123.10.2.25
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.25, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R11#
R11#ping 123.10.2.21
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.21, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R11#
R11(config)#router eigrp CCIE
R11(config-router)#address-family ipv4 unicast autonomous-system 34567
R11(config-router-af)#net 123.11.11.11 0.0.0.0
R11(config-router-af)#net 123.10.2.22 0.0.0.0
R11(config-router-af)#net 123.10.2.26 0.0.0.0
R11(config-router-af)#end
R11#sh ip eigrp interfaces
EIGRP-IPv4 VR(CCIE) Address-Family Interfaces for AS(34567)
                  Xmit Queue   PeerQ        Mean   Pacing Time   Multicast    Pending
Interface  Peers  Un/Reliable  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Lo0        0      0/0          0/0          0      0/0           0            0
Et0/2      0      0/0          0/0          0      0/0           0            0
Et0/1      0      0/0          0/0          0      0/0           0            0
R11#
R11#sh ip eigrp neighbors
EIGRP-IPv4 VR(CCIE) Address-Family Neighbors for AS(34567)
H   Address        Interfaces  Hold  Uptime    SRTT  RTO   Q  Seq
0   123.10.2.25    E0/1        11    00:00:39  14    100
R11#
SW3#ping 123.10.2.14
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.14, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
SW3#
SW3#ping 123.10.2.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
SW3#
SW3#ping 123.10.2.18
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.18, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
SW3#
SW3(config)#router eigrp CCIE
SW3(config-router)#address-family ipv4 unicast autonomous-system 34567
SW3(config-router-af)#net 123.33.33.33 0.0.0.0
SW3(config-router-af)#net 123.10.2.6 0.0.0.0
SW3(config-router-af)#net 123.10.2.13 0.0.0.0
SW3(config-router-af)#net 123.10.2.17 0.0.0.0
SW3(config-router-af)#end
SW3#sh ip eigrp interfaces
EIGRP-IPv4 VR(CCIE) Address-Family Interfaces for AS(34567)
                  Xmit Queue   PeerQ        Mean   Pacing Time   Multicast    Pending
Interface  Peers  Un/Reliable  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Lo0        0      0/0          0/0          0      0/0           0            0
Vl38       1      0/0          0/0          0      0/0           0            0
Vl34       0      0/0          0/0          0      0/0           0            0
Vl310      1      0/0          0/0          0      0/0           0            0
SW3#
SW3#sh ip eigrp neighbors
EIGRP-IPv4 VR(CCIE) Address-Family Neighbors for AS(34567)
H   Address        Interfaces  Hold  Uptime    SRTT  RTO   Q  Seq
0   123.10.2.18    Vl310       11    00:00:39  14    100   0  3
1   123.10.2.5     Vl38        11    00:00:39  14    100   0  3
SW3#
SW4#ping 123.10.2.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
SW4#
SW4#ping 123.10.2.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
SW4#
SW4#ping 123.10.2.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
SW4#
R15#ping 123.20.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.20.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R15#
R15#ping 123.20.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.20.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R15#
R15#ping 123.20.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.20.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R15#
R15#ping 123.10.2.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R15#
R15(config)#router eigrp CCIE
R15(config-router)#address-family ipv4 unicast autonomous-system 45678
R15(config-router-af)#net 123.15.15.15 0.0.0.0
R15(config-router-af)#net 123.20.1.1 0.0.0.0
R15(config-router-af)#net 123.20.1.9 0.0.0.0
R15(config-router-af)#end
R15#sh ip eigrp interfaces
EIGRP-IPv4 VR(CCIE) Address-Family Interfaces for AS(45678)
                  Xmit Queue   PeerQ        Mean   Pacing Time   Multicast    Pending
Interface  Peers  Un/Reliable  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Lo0        0      0/0          0/0          0      0/0           0            0
Et0/1      2      0/0          0/0          0      0/0           0            0
Et0/2      0      0/0          0/0          0      0/0           0            0
R15#
R15#sh ip eigrp neighbors
EIGRP-IPv4 VR(CCIE) Address-Family Neighbors for AS(45678)
H   Address        Interfaces  Hold  Uptime    SRTT  RTO   Q  Seq
0   123.20.1.3     Et0/1       13    00:00:39  14    100   0  7
1   123.20.1.2     Et0/1       14    00:00:39  14    100   0  7
R15#
R16#ping 123.20.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.20.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R16#
R16#ping 123.10.2.18
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.18, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R16#
R16(config)#router eigrp CCIE
R16(config-router)#address-family ipv4 unicast autonomous-system 45678
R16(config-router-af)#net 123.16.16.16 0.0.0.0
R16(config-router-af)#net 123.20.1.2 0.0.0.0
R16(config-router-af)#net 123.20.1.17 0.0.0.0
R16(config-router-af)#end
R16#sh ip eigrp interfaces
EIGRP-IPv4 VR(CCIE) Address-Family Interfaces for AS(45678)
                  Xmit Queue   PeerQ        Mean   Pacing Time   Multicast    Pending
Interface  Peers  Un/Reliable  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Lo0        0      0/0          0/0          0      0/0           0            0
Et0/1      2      0/0          0/0          0      0/0           0            0
Et0/2      0      0/0          0/0          0      0/0           0            0
R16#
R16#sh ip eigrp neighbors
EIGRP-IPv4 VR(CCIE) Address-Family Neighbors for AS(45678)
H   Address        Interfaces  Hold  Uptime    SRTT  RTO   Q  Seq
0   123.20.1.1     Et0/1       13    00:00:39  14    100   0  7
1   123.20.1.3     Et0/1       14    00:00:39  14    100   0  7
R16#
R17#ping 123.20.1.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.20.1.9, timeout is 2 seconds:
!!!!!
13 00:00:39 14
14 00:00:39 14
100
100
0 7
0 7
Vl55
Vl55
11 00:00:39
11 00:00:39
14
14
100
100
0
0
3
3
SW6(config-router)#end
SW6#
<<<<<please verify by checking neighborship and pings and routing table>>>>>>>
R19#
Configure eBGP between ACME's San Francisco and San Jose sites according to
the following requirements
R20 is the CE router and uses eBGP to connect to the managed services
that are provided by the PE routers R2 and R3
R20 must establish separate eBGP peerings with both R2 and R3 for every
V
R20 must advertise the following prefix to all the BGP peers
123.0.0.0/8 summary-only
10.0.0.0/8 summary-only
R20 must advertise a default route to all of its BGP peers except to
10.120.99.1 and 10.120.99.5
R3
R3(config)#router bgp 12345
R3(config-router)#bgp router-id 123.3.3.3
R3(config-router)#no bgp default ipv4-unicast
R3(config-router)#neighbor 123.1.1.1 remote-as 12345
R3(config-router)#neighbor 123.1.1.1 update-source loopback 0
R3(config-router)#address-family ipv4
R3(config-router-af)#neighbor 123.1.1.1 activate
R3(config-router-af)#exit-address-family
R3(config-router)#end
R3#
R6
R6(config)#router bgp 12345
R6(config-router)#bgp router-id 123.6.6.6
R6(config-router)#no bgp default ipv4-unicast
R6(config-router)#neighbor 123.1.1.1 remote-as 12345
R6(config-router)#neighbor 123.1.1.1 update-source loopback 0
R6(config-router)#address-family ipv4
R6(config-router-af)#neighbor 123.1.1.1 activate
R6(config-router-af)#exit-address-family
R6(config-router)#end
R6#
R20(config-router)#neighbor 10.120.12.1 remote-as 12345
R20(config-router)#neighbor 10.120.13.1 remote-as 12345
R20(config-router)#neighbor 10.120.14.1 remote-as 12345
R20(config-router)#neighbor 10.120.15.1 remote-as 12345
R20(config-router)#neighbor 10.120.99.1 remote-as 12345
R20(config-router)#neighbor 10.120.12.5 remote-as 12345
R20(config-router)#neighbor 10.120.13.5 remote-as 12345
R20(config-router)#neighbor 10.120.14.5 remote-as 12345
R20(config-router)#neighbor 10.120.15.5 remote-as 12345
R20(config-router)#neighbor 10.120.99.5 remote-as 12345
R20(config-router)#neighbor 10.120.12.1 default-originate
R20(config-router)#neighbor 10.120.13.1 default-originate
R20(config-router)#neighbor 10.120.14.1 default-originate
R20(config-router)#neighbor 10.120.15.1 default-originate
R20(config-router)#neighbor 10.120.12.5 default-originate
R20(config-router)#neighbor 10.120.13.5 default-originate
R20(config-router)#neighbor 10.120.14.5 default-originate
R20(config-router)#neighbor 10.120.15.5 default-originate
R20(config-router)#end
<<<<<<<<<<<<<sho ip bgp on R20 and R3,sh bgp all summary,sh ip bgp vpnv4
all>>>>>>>>>>>>>>>>>
SW3 and SW4 must not establish any BGP session at any time
All BGP routers must use their int lo0 as their router-id
Configure full mesh IBGP peering between all four routers use any
configuration method
R9 must be selected as the preferred exit point for traffic destined to
remote ASes
R11 must be selected as the next preferred exit in case R9 fails
No BGP speaker must use network statement under the BGP router config.
Ensure that all the BGP nexthop is never marked as unreachable as long
as int lo0 of the remote peer is known via IGP
All four BGP routers must establish eBGP peerings with their
neighboring AS as shown in diagram 3 (BGP topology)
All four BGP routers must redistribute EIGRP into BGP
Ensure that R9 is the only router that sees the default as a BGP route
and that all other routers (R8, R10, R11) see it as an EIGRP external
R9(config-router)#address-family ipv4
R10(config-router)#address-family ipv4
R10(config-router-af)#neighbor 123.8.8.8 activate
R10(config-router-af)#neighbor 123.9.9.9 activate
R10(config-router-af)#neighbor 123.11.11.11 activate
R10(config-router-af)#exit-address-family
R10(config-router)#end
R10#
R11(config-router)#address-family ipv4
R11(config-router-af)#neighbor 123.8.8.8 activate
R11(config-router-af)#neighbor 123.9.9.9 activate
R11(config-router-af)#neighbor 123.10.10.10 activate
R11(config-router-af)#exit-address-family
R11(config-router)#end
R11#
R11(config-router-af)#topology base
R11(config-router-af-topology)#redistribute bgp 34567 metric 100000 10 255 1 1500 route-map 1
R11(config-router-af-topology)#end
<<<<on R8 and R9 and R10 and R11 do show ip route 0.0.0.0>>>>>>>>
:::R11 has issues, it is learning via BGP:::
R9(config)#route-map MYMAP permit 1
R9(config-route-map)#match ip address prefix-list 1
R9(config-route-map)#set local-preference 101
R9(config)#router bgp 34567
R9(config-router)#address-family ipv4
R9(config-router-af)#neighbor 33.34.4.1 route-map MYMAP in
R9(config-router-af)#end
R9# clear ip bgp * soft
SW5 and SW6 must not establish any BGP session at any time
All BGP routers must use their int lo0 as their router-id
No iBGP peering sessions are allowed in AS 45678
R15 must establish an EBGP peering with AS 10003 and must receive
default route as well as other prefix.
R15 must redistribute BGP into EIGRP and vice versa
R15 must also advertise an aggregate prefix 123.20.1.0/24 to AS 1003
and must suppress all component prefixes
R16, 17, 18, 19 must establish an eBGP peering with AS 20003 and must
receive a default route as well as other prefix
R15, 17 , 18 , 19 must not advertise any prefix to AS 20003
As long as R15 is operational, R16, R17, R18, R19 must prefer the EIGRP
default route over the EBGP default route
Do not create any VRF anywhere in order to accomplish the above
requirements
R15
R17
R17(config)#router bgp 45678
R17(config-router)#bgp router-id 123.17.17.17
R17(config-router)#neighbor 203.3.17.1 remote-as 20003
R17(config-router)#end
R18
R18(config)#router bgp 45678
R18(config-router)#bgp router-id 123.18.18.18
R18(config-router)#neighbor 203.3.18.1 remote-as 20003
R18(config-router)#end
R19
R19(config)#router bgp 45678
R19(config-router)#bgp router-id 123.19.19.19
R19(config-router)#neighbor 203.3.19.1 remote-as 20003
R19(config-router)#end
<<<NB:if R15 is not receiving default from SP it should receive after section 3.3 when
R2/R3 form eBGP for yellow vrf needs further work.>>>>>
All ACME border routers in AS 12345 must filter the BGP prefixes that
are advertised to their SP in VRF INET and must allow all prefixes that
belong to class A 123.0.0.0/8, and all other VRFs must propagate all
prefixes
All ACME border routers in AS 12345 must filter the BGP prefixes that
are advertised to their SP and must allow only all prefixes that belong
to the class A 123.0.0.0/8
Do not use any route-map or access-list to accomplish the above
requirements
R13 must route traffic preferably via AS 20002, use any method to
accomplish this requirement
All three remote sites in AS 65111 must be able to ping 1.2.3.4 and
traceroute must reveal the exact same path as shown in the following
output
R12# ping 1.2.3.4 so lo0
!!!!!
R12# traceroute 1.2.3.4 so lo0
1.
2.
3.
4.
5.
6.
7.
Configure the OSPF process id 1 and set the router-id as interface lo0
Sw4 must be selected as the DR on vlan 34 and must have the best chance
Sw3 must be selected as the backup DR on vlan 34 and must take over DR
if SW4 is down
SW3
SW3(config)#ipv6 unicast-routing
SW3(config)#ipv6 router ospf 1
SW3(config-rtr)#router-id 123.33.33.33
SW3(config)#interface vlan 34
SW3(config-if)#ipv6 ospf 1 area 0
SW3(config-if)#ipv6 ospf priority 1
SW3(config)#interface vlan 310
SW3(config-if)#ipv6 ospf 1 area 10
SW3(config-if)#end
SW4
SW4(config)#ipv6 unicast-routing
SW4(config)#ipv6 router ospf 1
SW4(config-rtr)#router-id 123.44.44.44
SW4(config)#interface vlan 34
SW4(config-if)#ipv6 ospf 1 area 0
SW4(config-if)#ipv6 ospf priority 255
SW4(config)#interface vlan 411
SW4(config-if)#ipv6 ospf 1 area 11
SW4(config-if)#end
R10
R10(config)#ipv6 unicast-routing
R10(config)#ipv6 router ospf 1
R10(config-rtr)#router-id 123.10.10.10
R10(config)#interface ethernet 0/1
R10(config-if)#ipv6 ospf 1 area 10
R10(config-if)#end
R11
R11(config)#ipv6 unicast-routing
R10
R10(config)#ipv6 unicast-routing
R10(config)#router bgp 34567
R10(config-router)#neighbor 2001:CC1E:BEF:10:201:1:34:1 remote-as 20001
R10(config-router)#address-family ipv6
R10(config-router-af)#neighbor 2001:CC1E:BEF:10:201:1:34:1 activate
R10(config-router-af)#redistribute ospf 1 match internal external
R10(config)#ipv6 router ospf 1
R10(config-rtr)#redistribute bgp 34567
R11
R11(config)#ipv6 unicast-routing
R11(config)#router bgp 34567
R11(config-router)#neighbor 2001:CC1E:BEF:11:202:1:34:1 remote-as 20002
R11(config-router)#address-family ipv6
R11(config-router-af)#neighbor 2001:CC1E:BEF:11:202:1:34:1 activate
R11(config-router-af)#redistribute ospf 1 match internal external
Only network segments with active receivers that explicitly require the
data must receive the multicast traffic
Interface lo0 of R15 must be configured as RP
Use a standard method of dynamically distributing the RP
Both R16 and R17 must participate in the multicast routing
To test configure int E0/0 of both R18 and R19 to join group 232.1.1.1
R15(config)#ip multicast-routing
R15(config)#interface ethernet 0/1
R15(config-if)#ip pim sparse-mode
R15(config-if)#!
R15(config-if)#interface ethernet 0/2
R15(config-if)#ip pim sparse-mode
R15(config-if)#!
R15(config-if)#interface lo0
R15(config-if)#ip pim sparse-mode
R15(config)#ip pim rp-candidate loopback 0
R15(config)#ip pim bsr-candidate loopback 0
R15(config)#exit
<<<sh ip pim interfaces,sh ip pim rp mapping>>>
SW1
SW1(config)#ip multicast-routing
SW1(config)#interface vlan 55
SW1(config-if)#no shut
SW1(config-if)#ip pim sparse-mode
SW1(config-if)#!
SW1(config-if)#interface vlan 5
SW1(config-if)#ip address 123.55.55.55 255.255.255.0
SW1(config-if)#no shut
SW1(config-if)#ip pim sparse-mode
SW1(config-if)#!
SW1(config-if)#interface lo0
SW1(config-if)#ip pim sparse-mode
SW1(config)#exit
<<<sh ip pim interfaces,sh ip pim rp mapping>>>
SW2
SW2(config)#ip multicast-routing
SW2(config)#interface vlan 66
SW2(config-if)#no shut
SW2(config-if)#ip pim sparse-mode
SW2(config-if)#!
SW2(config-if)#interface vlan 6
SW2(config-if)#ip address 123.66.66.66 255.255.255.0
SW2(config-if)#no shut
SW2(config-if)#ip pim sparse-mode
SW2(config-if)#!
SW2(config-if)#interface lo0
SW2(config-if)#ip pim sparse-mode
SW2(config)#exit
<<<sh ip pim interfaces,sh ip pim rp mapping>>>
R16
R16#sh cdp neighbor
R16(config)#ip multicast-routing
R16(config)#interface ethernet 0/1
R16(config-if)#ip pim sparse-mode
R16(config-if)#!
R16(config-if)#interface ethernet 0/2
R16(config-if)#ip pim sparse-mode
R16(config-if)#!
R16(config-if)#interface lo0
R16(config-if)#ip pim sparse-mode
R16(config)#exit
<<<sh ip pim interface, sh ip pim rp mapping>>>
R17
R17#sh cdp neighbor
R17(config)#ip multicast-routing
R17(config)#interface ethernet 0/1
R17(config-if)#ip pim sparse-mode
R17(config-if)#!
R17(config-if)#interface ethernet 0/2
R17(config-if)#ip pim sparse-mode
R17(config-if)#interface tunnel 0
R17(config-if)#ip pim sparse-mode
R17(config-if)#!
R17(config-if)#interface lo0
R17(config-if)#ip pim sparse-mode
R17(config)#exit
<<<sh ip pim interface, sh ip pim rp mapping>>>
R18
R18#sh cdp neighbor
R18(config)#ip multicast-routing
R18(config)#interface ethernet 0/0
R18(config-if)#ip igmp join-group 232.1.1.1
R18(config-if)#ip pim sparse-mode
R18(config-if)#!
R18(config-if)#interface tunnel 0
R18(config-if)#ip pim sparse-mode
R18(config-if)#!
R18(config-if)#interface lo0
R18(config-if)#ip pim sparse-mode
R18(config)#exit
<<<sh ip pim interface, sh ip pim rp mapping>>>
R19
R19#sh cdp neighbor
R19(config)#ip multicast-routing
R19(config)#interface ethernet 0/0
R19(config-if)#ip igmp join-group 232.1.1.1
R19(config-if)#ip pim sparse-mode
R19(config-if)#!
R19(config-if)#interface tunnel 0
R19(config-if)#ip pim sparse-mode
R19(config-if)#!
R19(config)#exit
<<<sh ip pim interface, sh ip pim rp mapping>>>
R1
R1(config)#ip cef
R1(config)#mpls ip
R1(config)#mpls label protocol ldp
R1(config)#int lo0
R1(config-if)#mpls ip
R1(config-if)#int eth 0/1
R1(config-if)#mpls ip
R4
R4(config)#ip cef
R4(config)#mpls ip
R4(config)#mpls label protocol ldp
R4(config)#int lo0
R4(config-if)#mpls ip
R4(config-if)#int eth 0/1
R4(config-if)#mpls ip
R4(config-if)#int eth 0/2
R4(config-if)#mpls ip
R4(config-if)#end
R4#
R5
R5(config)#ip cef
R5(config)#mpls ip
R5(config)#mpls label protocol ldp
R5(config)#int lo0
R5(config-if)#mpls ip
R5(config-if)#int eth 0/1
R5(config-if)#mpls ip
R5(config-if)#int eth 0/2
R5(config-if)#mpls ip
R5(config-if)#end
R5#
R6
R6(config)#ip cef
R6(config)#mpls ip
R6(config)#mpls label protocol ldp
R6(config)#int lo0
R6(config-if)#mpls ip
R6(config-if)#int eth 0/1
R6(config-if)#mpls ip
R6(config-if)#int eth 0/2
R6(config-if)#mpls ip
R6(config-if)#end
R6#
R7
R7(config)#ip cef
R7(config)#mpls ip
R7(config)#mpls label protocol ldp
R7(config)#int lo0
R7(config-if)#mpls ip
R7(config-if)#int eth 0/1
R7(config-if)#mpls ip
R7(config-if)#int eth 0/2
R7(config-if)#mpls ip
R7(config-if)#end
R7#
BLUE
GREEN
RED
YELLOW
INET
R3 must establish an eBGP peering with the regional SP (AS 20001) for
the following VRFs
GREEN
BLUE
INET
R7 must establish an eBGP peering with the regional SP (AS 20002) for
the following VRFs
BLUE
RED
INET
All IP addresses used for eBGP peering must pass BGP's directly connected
check
No BGP speaker in AS 12345 may use the network or redistribute
statement under any address-family of the BGP router config
At the end of the exam scenario the interface E0/0 of the gateway
router in any remote site must be able to connect to the interface E0/0 of
any other remote gateway that belongs to AS 65111 or AS 65222
Use the following tests as examples of connectivity checks
R1
R1(config)#router bgp 12345
R1(config-router)#address-family vpnv4
R1(config-router-af)#neighbor IBGP route-reflector-client
R1(config-router-af)#neighbor IBGP send-community extended
R1(config-router-af)#neighbor 123.2.2.2 activate
R1(config-router-af)#neighbor 123.3.3.3 activate
R1(config-router-af)#neighbor 123.6.6.6 activate
R1(config-router-af)#neighbor 123.7.7.7 activate
R1(config-router-af)#end
R1#
R2
R2(config)#router bgp 12345
R2(config-router)#address-family vpnv4
R2(config-router-af)#neighbor 123.1.1.1 activate
R2(config-router-af)#neighbor 123.1.1.1 send-community extended
R2(config-router-af)#end
R2#
R3
R3(config)#router bgp 12345
R3(config-router)#address-family vpnv4
R3(config-router-af)#neighbor 123.1.1.1 activate
R3(config-router-af)#neighbor 123.1.1.1 send-community extended
R3(config-router-af)#end
R3#
R6
R6(config)#router bgp 12345
R6(config-router)#address-family vpnv4
R6(config-router-af)#neighbor 123.1.1.1 activate
R6(config-router-af)#neighbor 123.1.1.1 send-community extended
R6(config-router-af)#end
R6#
R7
R7(config)#router bgp 12345
R7(config-router)#address-family vpnv4
R7(config-router-af)#neighbor 123.1.1.1 activate
R7(config-router-af)#neighbor 123.1.1.1 send-community extended
R7(config-router-af)#end
R7#
R6
R6(config)#router bgp 12345
R6(config-router)#address-family ipv4 vrf BLUE
R6(config-router-af)#neighbor 201.1.123.1 remote-as 20001
R6(config-router-af)#neighbor 201.1.123.1 activate
R6(config-router-af)#exit-address-family
R6(config-router)#!
R6(config-router)#address-family ipv4 vrf GREEN
R6(config-router-af)#neighbor 201.1.123.1 remote-as 20001
R6(config-router-af)#neighbor 201.1.123.1 activate
R6(config-router-af)#exit-address-family
R6(config-router)#!
R6(config-router)#address-family ipv4 vrf INET
R6(config-router-af)#neighbor 201.1.123.1 remote-as 20001
R6(config-router-af)#neighbor 201.1.123.1 activate
R6(config-router-af)#exit-address-family
R6(config-router)#end
<<<<do sh ip bgp vpnv4 all summary>>>>
R12
R12(config)#router bgp 65111
R12(config-router)#neighbor 201.1.13.1 remote-as 20001
R12(config-router)#redistribute connected
R12(config-router)#end
<<<do sh ip bgp summary and show ip bgp>>>
R7
R7(config)#router bgp 12345
R7(config-router)#address-family ipv4 vrf BLUE
R7(config-router-af)#neighbor 202.2.123.1 remote-as 20002
R7(config-router-af)#neighbor 202.2.123.1 activate
R7(config-router-af)#exit-address-family
R7(config-router)#!
R7(config-router)#address-family ipv4 vrf INET
R7(config-router-af)#neighbor 202.2.123.1 remote-as 20002
R7(config-router-af)#neighbor 202.2.123.1 activate
R7(config-router-af)#exit-address-family
R7(config-router)#!
R7(config-router)#address-family ipv4 vrf RED
R7(config-router-af)#neighbor 202.2.123.1 remote-as 20002
R7(config-router-af)#neighbor 202.2.123.1 activate
R7(config-router-af)#exit-address-family
R7(config-router)#end
<<<<do sh ip bgp vpnv4 all summary>>>>
R13
R13(config)#router bgp 65111
R13(config-router)#neighbor 201.1.13.1 remote-as 20001
R13(config-router)#neighbor 202.2.13.1 remote-as 20002
R13(config-router)#redistribute connected
R13(config-router)#end
<<<do sh ip bgp summary and show ip bgp>>>
R14
R14(config)#router bgp 65111
R14(config-router)#neighbor 202.2.14.1 remote-as 20002
R14(config-router)#redistribute connected
R14(config-router)#end
<<<do sh ip bgp summary and show ip bgp>>>
R2
R2(config)#router bgp 12345
R2(config-router)#address-family ipv4 vrf BLUE
R2(config-router-af)#neighbor 101.1.123.1 remote-as 10001
R2(config-router-af)#neighbor 101.1.123.1 activate
R2(config-router-af)#exit-address-family
R2(config-router)#!
R2(config-router)#address-family ipv4 vrf GREEN
R2(config-router-af)#neighbor 101.1.123.1 remote-as 10001
R2(config-router-af)#neighbor 101.1.123.1 activate
R2(config-router-af)#exit-address-family
R2(config-router)#!
R2(config-router)#address-family ipv4 vrf INET
R2(config-router-af)#neighbor 101.1.123.1 remote-as 10001
R2(config-router-af)#neighbor 101.1.123.1 activate
R2(config-router-af)#exit-address-family
R2(config-router)#!
R2(config-router)#address-family ipv4 vrf RED
R2(config-router-af)#neighbor 101.1.123.1 remote-as 10001
R2(config-router-af)#neighbor 101.1.123.1 activate
R2(config-router-af)#exit-address-family
R2(config-router)#!
R2(config-router)#address-family ipv4 vrf YELLOW
R2(config-router-af)#neighbor 101.1.123.1 remote-as 10001
R2(config-router-af)#neighbor 101.1.123.1 activate
R2(config-router-af)#exit-address-family
R2(config-router)#end
R3
R3(config)#router bgp 12345
R3(config-router)#address-family ipv4 vrf BLUE
R3(config-router-af)#neighbor 102.2.123.1 remote-as 10002
R3(config-router-af)#neighbor 102.2.123.1 activate
R3(config-router-af)#exit-address-family
R3(config-router)#!
R3(config-router)#address-family ipv4 vrf GREEN
R3(config-router-af)#neighbor 102.2.123.1 remote-as 10002
R3(config-router-af)#neighbor 102.2.123.1 activate
R3(config-router-af)#exit-address-family
R3(config-router)#!
R3(config-router)#address-family ipv4 vrf INET
R3(config-router-af)#neighbor 102.2.123.1 remote-as 10002
R3(config-router-af)#neighbor 102.2.123.1 activate
R3(config-router-af)#exit-address-family
R3(config-router)#!
R3(config-router)#address-family ipv4 vrf RED
R3(config-router-af)#neighbor 102.2.123.1 remote-as 10002
R3(config-router-af)#neighbor 102.2.123.1 activate
R3(config-router-af)#exit-address-family
R3(config-router)#!
R3(config-router)#address-family ipv4 vrf YELLOW
R3(config-router-af)#neighbor 102.2.123.1 remote-as 10002
R3(config-router-af)#neighbor 102.2.123.1 activate
R3(config-router-af)#exit-address-family
R3(config-router)#end
<<<<do sh ip bgp vpnv4 all summary and run a tclsh ping from the remote sites all over to
the central site>>>>
3.3 DMVPN
Configure DMVPN phase 3 in the ACME APAC region (AS 45678 and 65222) as per the
following requirements
R17
R17(config)#interface tunnel 0
R17(config-if)#bandwidth 1000
R17(config-if)#ip address 123.20.1.25 255.255.255.248
R17(config-if)#no ip redirects
R17(config-if)#ip mtu 1400
R17(config-if)#ip nhrp authentication 45678key
R17(config-if)#ip nhrp map multicast dynamic
R17(config-if)#ip nhrp network-id 45678
R17(config-if)#ip nhrp holdtime 300
R17(config-if)#ip nhrp redirect
R17(config-if)#delay 1000
R17(config-if)#tunnel source eth0/0
R17(config-if)#tunnel mode gre multipoint
R17(config-if)#ip tcp adjust-mss 1380
R17(config)#router eigrp CCIE
R17(config-router)#address-family ipv4 autonomous 45678
R17(config-router-af)#af-interface tunnel 0
R17(config-router-af-interface)#no split-horizon
R17(config-router-af-interface)#no next-hop-self
R17(config-router-af-interface)#end
R17#
R18
R18(config)#interface tunnel 0
R18(config-if)#bandwidth 1000
R18(config-if)#ip address 123.20.1.26 255.255.255.248
R18(config-if)#no ip redirects
R18(config-if)#ip mtu 1400
R18(config-if)#ip nhrp authentication 45678key
R18(config-if)#ip nhrp map multicast dynamic
R18(config-if)#ip nhrp network-id 45678
R18(config-if)#ip nhrp holdtime 300
R18(config-if)#ip nhrp shortcut
R18(config-if)#ip nhrp redirect
R18(config-if)#ip nhrp nhs 123.20.1.25
R18(config-if)#ip nhrp map 123.20.1.25 203.3.17.2
R18(config-if)#ip nhrp map multicast 203.3.17.2
R18(config-if)#delay 1000
R18(config-if)#tunnel source s1/0
R18(config-if)#tunnel mode gre multipoint
R18(config-if)#ip tcp adjust-mss 1380
R19
R19(config)#interface tunnel 0
R19(config-if)#bandwidth 1000
R19(config-if)#ip address 123.20.1.27 255.255.255.248
R19(config-if)#no ip redirects
R19(config-if)#ip mtu 1400
R19(config-if)#ip nhrp authentication 45678key
R19(config-if)#ip nhrp map multicast dynamic
R19(config-if)#ip nhrp network-id 45678
R19(config-if)#ip nhrp holdtime 300
R19(config-if)#ip nhrp shortcut
R19(config-if)#ip nhrp redirect
R19(config-if)#ip nhrp nhs 123.20.1.25
R19(config-if)#ip nhrp map 123.20.1.25 203.3.17.2
R19(config-if)#ip nhrp map multicast 203.3.17.2
R19(config-if)#delay 1000
R19(config-if)#tunnel source s1/0
R19(config-if)#tunnel mode gre multipoint
R19(config-if)#ip tcp adjust-mss 1380
use
use
use
use
Ensure that the DMVPN cloud is secured using the above parameters. Use
tunnel protection in your config
R18
R18(config)#crypto isakmp enable
R18(config)#crypto isakmp policy 10
R18(config-isakmp)#authentication pre-share
R18(config-isakmp)#encryption aes
R18(config-isakmp)#group 2
R18(config-isakmp)#exit
R18(config)#crypto isakmp key CCIE address 203.3.17.2
R18(config)#crypto ipsec transform-set CCIEXFORM esp-aes esp-md5-hmac
R18(cfg-crypto-trans)#mode transport
R18(cfg-crypto-trans)#exit
R18(config)#crypto ipsec profile DMVPNPROFILE
R18(cfg-ipsec-profile)#set transform-set CCIEXFORM
R18(cfg-ipsec-profile)#exit
R18(config)#int tunnel 0
R18(config-if)#tunnel protection ipsec profile DMVPNPROFILE
R18(config-if)#exit
R19
R19(config)#crypto isakmp enable
R19(config)#crypto isakmp policy 10
R19(config-isakmp)#authentication pre-share
R19(config-isakmp)#encryption aes
R19(config-isakmp)#group 2
R19(config-isakmp)#exit
R19(config)#crypto isakmp key CCIE address 203.3.17.2
R19(config)#crypto ipsec transform-set CCIEXFORM esp-aes esp-md5-hmac
R19(cfg-crypto-trans)#mode transport
R19(cfg-crypto-trans)#exit
R19(config)#crypto ipsec profile DMVPNPROFILE
R19(cfg-ipsec-profile)#set transform-set CCIEXFORM
R19(cfg-ipsec-profile)#exit
R19(config)#int tunnel 0
R19(config-if)#tunnel protection ipsec profile DMVPNPROFILE
R19(config-if)#exit
<<<<sh ip nhrp brief, show crypto ipsec sa on all devices running DMVPN>>>>
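An added example, not part of the original answer key: a Python audit over IOS-style config text that flags the weak IKE/IPsec parameters seen in the spoke listings above (DH group 2, esp-md5-hmac) and any mGRE tunnel that carries no tunnel protection line. The sample configs are constructed from the R18 and R17 listings on this page; the function names and the weak-algorithm sets are assumptions of this example.

```python
import re

# Constructed samples: R18's crypto lines as listed on this page, and R17's
# hub tunnel as listed (the page shows no "tunnel protection" line for R17).
SPOKE_R18 = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 group 2
crypto isakmp key CCIE address 203.3.17.2
crypto ipsec transform-set CCIEXFORM esp-aes esp-md5-hmac
interface Tunnel0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPNPROFILE
"""
HUB_R17 = """\
interface Tunnel0
 tunnel mode gre multipoint
"""

# Assumed policy for this example: MODP groups of 1536 bits or less, and
# MD5/DES/3DES/null transforms, are treated as weak.
WEAK_DH = {"1", "2", "5"}
WEAK_XFORM = {"esp-md5-hmac", "ah-md5-hmac", "esp-des", "esp-3des", "esp-null"}

def sections(config):
    out = []  # list of (top-level line, [indented child lines])
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line.startswith(" "):
            out.append((line.strip(), []))
        elif out:
            out[-1][1].append(line.strip())
    return out

def audit(config):
    """Return a list of findings for weak IKE/IPsec settings."""
    findings = []
    for header, body in sections(config):
        words = header.split()
        if header.startswith("crypto isakmp policy"):
            for child in body:
                m = re.fullmatch(r"group (\d+)", child)
                if m and m.group(1) in WEAK_DH:
                    findings.append(f"{header}: weak DH group {m.group(1)}")
        elif header.startswith("crypto ipsec transform-set") and len(words) > 3:
            for algo in sorted(WEAK_XFORM.intersection(words[4:])):
                findings.append(f"transform-set {words[3]}: weak algorithm {algo}")
        elif header.lower().startswith("interface tunnel"):
            protected = any(c.startswith("tunnel protection ipsec") for c in body)
            if "tunnel mode gre multipoint" in body and not protected:
                findings.append(f"{header}: mGRE tunnel without tunnel protection")
    return findings
```

Run `audit()` over a saved `show running-config` from each DMVPN router; an empty list means none of these three conditions was found.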
Configure R20 in the ACME San Jose office as per the following
All users who connect to R20 via the console or via any of the VTY lines using SSH
must be prompted with the below message before any other prompt is displayed
WARNING!ACCESS RESTRICTED
Ensure that interfaces E0/0-3 of Sw3 forward the traffic sent from expected
and legitimate users only
Sw3 must dynamically learn only one MAC address per port and must save
the MAC address in its startup config
Sw3 must shut down the port if a security violation occurs on any of the
four ports
SECTION V
SECTION 5 Infrastructure Services
5.1 System management
Configure R20 in the ACME San Jose office as per the following
Establish SSH access in R20 using the domain name acme.org
R20 must accept up to five remote authorized users to connect at the
same time using SSH
Create the user "test" with password "test" in local database of R20
Ensure that R20 accepts SSH connections with clients with source ip in
123.10.2.0/24. All other source ip should be denied. Use standard ACL
to accomplish this
R20 must generate a syslog message for all SSH connection attempts
whether permitted or denied
When authenticated, the username test must be granted privilege level 1
Do not enable aaa new-model on R20
Ensure that SSH is the only remote access method permitted on VTY lines
of R20
Ensure that the console is not affected by your solution and no
username prompt is presented on the console port
Test your solution from any device that is located in AS 34567 and
ensure that the following sequence of commands produces the following
output
R10 # ssh -l 123.20.20.20
WARNING!ACCESS RESTRICTED
R20>
R20>sh privilege
Current privilege level is 1
R20>
R20>q
R10#
R20(config-line)#end
R20 must enable all private corporate traffic that is originated from
any host with source ip address 10.1.0.0/16 or 10.2.0.0/16 to connect
to any public destination that is located in AS 34567
All remote sites in AS 65111 and 65222 must be able to connect to the
public destinations
R20 must swap the source ip address in these packets with the ip
address of its lo0
R20 must allow multiple concurrent connections
Use a standard ACL to accomplish this.
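The SSH source restriction and the NAT source match above both rest on how a standard ACL is evaluated: first match wins, wildcard bits mark don't-care positions, and the implicit deny at the end never logs, so logging every attempt "whether permitted or denied" needs an explicit `deny any log`. The Python model below is an added example, not part of the original answer key; the ACL bodies are constructed from the prefixes stated in the requirements and all function names are hypothetical.

```python
import ipaddress

ANY = 0xFFFFFFFF

def parse_acl(text):
    """Parse standard ACL entries: 'permit|deny <addr> [wildcard]' or 'any', optional 'log'."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        log = tok[-1] == "log"
        if log:
            tok = tok[:-1]
        if tok[1] == "any":
            addr, wild = 0, ANY
        else:
            addr = int(ipaddress.IPv4Address(tok[1]))
            wild = int(ipaddress.IPv4Address(tok[2])) if len(tok) > 2 else 0
        entries.append((tok[0], addr, wild, log))
    return entries

def evaluate(entries, src):
    """First match wins. Returns (action, logged); the implicit deny never logs."""
    ip = int(ipaddress.IPv4Address(src))
    for action, addr, wild, log in entries:
        # Wildcard bits set to 1 are "don't care"; every other bit must match.
        if ((ip ^ addr) & ~wild & ANY) == 0:
            return action, log
    return "deny", False

def logs_every_attempt(entries):
    """True only if every entry logs and an explicit catch-all entry exists."""
    has_catch_all = any(wild == ANY for _, _, wild, _ in entries)
    return has_catch_all and all(log for *_, log in entries)

# Constructed ACL bodies derived from the requirements above (assumptions).
VTY_PERMIT_ONLY = "permit 123.10.2.0 0.0.0.255 log"
VTY_EXPLICIT_DENY = "permit 123.10.2.0 0.0.0.255 log\ndeny any log"
NAT_SOURCES = "permit 10.1.0.0 0.0.255.255\npermit 10.2.0.0 0.0.255.255"

if __name__ == "__main__":
    for name, acl in [("permit-only", VTY_PERMIT_ONLY), ("explicit deny", VTY_EXPLICIT_DENY)]:
        e = parse_acl(acl)
        print(name, evaluate(e, "123.10.2.7"), evaluate(e, "123.10.3.7"), logs_every_attempt(e))
    print([evaluate(parse_acl(NAT_SOURCES), s)[0] for s in ("10.1.4.4", "10.2.200.9", "10.3.0.1")])
```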
The following tests must succeed after the above requirements (in
addition to previous requirements) are achieved
The output shown below must be seen on R19 during 10 sec after R15
successfully pings interface lo0 of R19
!!!!!
R17#sh ip flow top
srcif  srcipadd    destif  destipadd    pr  srcp  dstp  byte
e0/1   123.20.1.9  tun0    123.19.19.9  01  000   000   500
R17
R17(config)#ip flow-export version 9
R17(config)#ip flow-top-talkers
R17(config-flow-top-talkers)#top 10
R17(config-flow-top-talkers)#sort-by packets
R17(config-flow-top-talkers)#cache-timeout 10
R17(config-flow-top-talkers)#match input-interface ethernet 0/1
R17(config-flow-top-talkers)#match source address 123.20.1.9 255.255.255.255
R17(config-flow-top-talkers)#exit
R17(config)#interface ethernet 0/1
R17(config-if)#ip flow ingress
SW3
SW3(config)#ntp master
SW3(config)#ntp source loopback 0
SW3(config)#!
SW3(config)#interface loopback 0
SW3(config-if)#ntp disable ip
SW3(config-if)#end
R10
R10(config)#interface loopback 0
R10(config-if)#ipv6 address 2001:CC1E:BEF:0:123:10:10:10/64
R10(config-if)#IPV6 ospf 1 area 10
R10(config)#ntp source loopback 0
R10(config)#ntp server 2001:CC1E:BEF:0:123:33:33:33
R10(config)#
R11
R11(config)#interface loopback 0
R11(config-if)#ipv6 address 2001:CC1E:BEF:0:123:11:11:11/64
R11(config-if)#IPV6 ospf 1 area 11
R11(config)#ntp source loopback 0
R11(config)#ntp server 2001:CC1E:BEF:0:123:33:33:33
R11(config)#
R12
R12(config)#interface loopback 0
R12(config-if)#ipv6 address 2001:CC1E:BEF:0:123:12:12:12/64
R12(config-if)#ntp disable ip
R12(config-if)#end
R14
R14(config)#interface loopback 0
R14(config-if)#ipv6 address 2001:CC1E:BEF:0:123:14:14:14/64
R14(config-if)#ntp disable ip
R14(config-if)#end
<<NB:PLEASE VERIFY LOOPBACK 0 OR CONFIGURE IN QUESTION 2.9,2.10>>
*********END**********END*********END********END***********