
SECTION 1.1
Configure the ACME Headquarters network (AS 12345) as per the following requirements

The VTP domain must be set to CCIE
Use VTP ver 2
SW1 must be the VTP server and SW2 must be the VTP client
Secure all VTP updates with an MD5 digest of the ASCII string CCIErocks$
To avoid unknown unicast flooding in all VLANs as much as possible, the administrator requires that any dynamic entries learned by either SW1 or SW2 be retained for 2 hours before being refreshed.

Configure the network of the New York office (AS 34567) as per the following requirements

The VTP domain must be set to CCIE
Use VTP ver 2
SW3 and SW4 must not advertise their vlan config but must forward VTP advertisements that they receive out their trunk ports
Secure all VTP updates with an MD5 digest of the ASCII string CCIErocks$

Answers:
SW-1(config)#vtp version 2
SW-1(config)#vtp domain CCIE
SW-1(config)#vtp mode server
SW-1(config)#vtp password CCIErocks$
SW-1(config)#end
SW-1#
SW-2(config)#vtp version 2
SW-2(config)#vtp domain CCIE
SW-2(config)#vtp mode client
SW-2(config)#vtp password CCIErocks$
SW-2(config)#end
SW-2#
SW-1#sh mac address-table aging-time
Global Aging Time: 300
Vlan    Aging Time
----    ----------
SW-1#
The default MAC address aging time is 300 seconds (5 minutes). Set it to 7200 seconds (2 hours) on both switches:
SW-1(config)# mac-address-table aging-time 7200
SW-2(config)# mac-address-table aging-time 7200


SW-3(config)#vtp version 2
SW-3(config)#vtp domain CCIE
SW-3(config)#vtp mode transparent
SW-3(config)#vtp password CCIErocks$
SW-3(config)#end
SW-3#
SW-4(config)#vtp version 2
SW-4(config)#vtp domain CCIE
SW-4(config)#vtp mode transparent
SW-4(config)#vtp password CCIErocks$
SW-4(config)#end
SW-4#

SECTION 1.2 - Layer 2 ports


Configure your network as per the following requirements

Complete the config of all vlans so that all routers that are located in ACME's headquarters (AS12345) and New York office (AS 34567) can ping their directly connected neighbors
All four switches (SW1-SW4) must have dot1q trunks that do not rely on negotiation. Do not configure any EtherChannel
Ensure that the following unused ports on all four switches are shut down and configured as access ports in vlan 999:
E3/0 - E3/3 are unused on SW1 and SW2
E1/0 - E1/3 are unused on SW3 and SW4
E3/0 - E3/3 are unused on SW3 and SW4

Answers:
SW-1(config)#do sh vlan brief | ex 100
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Et3/0, Et3/1, Et3/2, Et3/3
14   VLAN0014                         active    E0/0,E1/0
15   VLAN0015                         active    E1/1
23   VLAN0023                         active    E0/1,E0/2
24   VLAN0024                         active    E0/3
67   VLAN0067                         active    E1/2,E1/3

SW-1(config)#do sh cdp neighbor
sw2  eth 2/1  eth 2/1
sw2  eth 2/2  eth 2/2
sw2  eth 2/3  eth 2/3
sw2  eth 2/0  eth 2/0
R4   eth 0/3  eth 0/1
R4   eth 1/0  eth 0/0
R5   eth 1/1  eth 0/1
R6   eth 1/2  eth 0/1
R1   eth 2/1  eth 2/1
R2   eth 0/1  eth 0/1
R3   eth 0/2  eth 0/1
SW1#
SW-2(config)#do sh vlan brief | ex 100
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Et3/0, Et3/1, Et3/2, Et3/3
14   VLAN0014                         active
15   VLAN0015                         active
23   VLAN0023                         active
24   VLAN0024                         active
67   VLAN0067                         active

E0/0
E0/1

SW-2(config)#do sh cdp neighbor
sw1  eth 2/1  eth 2/1
sw1  eth 2/2  eth 2/2
sw1  eth 2/3  eth 2/3
sw1  eth 2/0  eth 2/0
R4   eth 0/3  eth 0/2
R4   eth 1/0  eth 0/0
R5   eth 1/1  eth 0/2
R5   eth 1/0  eth 0/0
R6   eth 1/2  eth 0/2
R1   eth 0/0  eth 0/2
R2   eth 0/1  eth 0/2
R3   eth 0/2  eth 0/2
SW2#
SW-3(config)#do sh vlan brief | ex 100
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Eth 1/0,Eth 1/1,Eth1/2,Eth1/3
                                                Et3/0, Et3/1, Et3/2, Et3/3
38   VLAN0038                         active    E0/0
89   VLAN0089                         active    E0/1
111  VLAN0111                         active    E0/3
310  VLAN0310                         active    E0/2

SW-3(config)#do sh cdp neighbor
sw4  eth 2/1  eth 2/1
sw4  eth 2/2  eth 2/2
sw4  eth 2/3  eth 2/3
sw4  eth 2/0  eth 2/0
R8   eth 0/0  eth 0/1
R9   eth 0/1  eth 0/1
R11  eth 0/3  eth 0/1
R10  eth 0/2  eth 0/1
SW3#
SW-4(config)#do sh vlan brief | ex 100
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Eth 1/0,Eth 1/1,Eth1/2,Eth1/3
                                                Et3/0, Et3/1, Et3/2, Et3/3
49   VLAN0049                         active    E0/1
89   VLAN0089                         active    E0/0
111  VLAN0111                         active    E0/2
411  VLAN0310                         active    E0/3

SW-4(config)#do sh cdp neighbor
sw3  eth 2/1  eth 2/1
sw3  eth 2/2  eth 2/2
sw3  eth 2/3  eth 2/3
sw3  eth 2/0  eth 2/0
R8   eth 0/0  eth 0/2
R9   eth 0/1  eth 0/2
R11  eth 0/3  eth 0/2
R10  eth 0/2  eth 0/2
SW4#
Now let's create the VLANs on SW1 so that they propagate to SW2:
SW-1(config)#vlan 14,15,23,24,35,46,57,67,99
SW-1(config-vlan)#exit
SW-1(config)#
SW-3(config)#vlan 34,38,49,89,111,310,411,999
SW-3(config-vlan)#exit
SW-3(config)#
Let's apply the commands for the unused ports:
SW-1(config)#int range ethernet 3/0 - 3
SW-1(config-if-range)#switchport mode access
SW-1(config-if-range)#switchport access vlan 999
% Access VLAN does not exist. Creating vlan 999

SW-1(config-if-range)#shut
SW-2(config)#int range ethernet 3/0 - 3
SW-2(config-if-range)#switchport mode access
SW-2(config-if-range)#switchport access vlan 999
% Access VLAN does not exist. Creating vlan 999
SW-2(config-if-range)#shut
SW-3(config)#int range ethernet 3/0 - 3
SW-3(config-if-range)#switchport mode access
SW-3(config-if-range)#switchport access vlan 999
% Access VLAN does not exist. Creating vlan 999
SW-3(config-if-range)#shut
SW-4(config)#int range ethernet 3/0 - 3
SW-4(config-if-range)#switchport mode access
SW-4(config-if-range)#switchport access vlan 999
% Access VLAN does not exist. Creating vlan 999
SW-4(config-if-range)#shut
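Let's check and configure trunking without auto-negotiation on all switches (SW1-SW4):
! the inter-switch links are eth 2/0 - 2/3 in the CDP output above
int range eth 2/0 - 3
switchport trunk encapsulation dot1q
switchport mode trunk
! turn DTP off so the trunk does not rely on negotiation
switchport nonegotiate
Now you can verify that all VLANs are present on each switch.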

Section 1.3 Spanning tree


Configure the ACME network as per the following requirements

SW1 must be the root switch for all odd vlans and must be the backup
for all even vlans
SW2 must be the root switch for all even vlans and must be the backup
for all odd vlans
SW3 must be the root switch for all odd vlans and must be the backup
for all even vlans
SW4 must be the root switch for all even vlans and must be the backup
for all odd vlans
Explicitly configure the root and backup roles, assuming that other
switches with default configuration may eventually be added in the
network in the future
All switches must maintain one STP instance per vlan
Use the STP mode that has only three possible states

All access ports must immediately transition to the forwarding state upon link up and they must still participate in STP. Use a single command per switch to enable this
Access ports must automatically shut down if they receive any BPDU and an administrator must still manually re-enable the port. Use a single command per switch to enable this feature.

Answers
1.3 implement spanning tree/solutions
CPS_A1_ABHI_NAG_SW1(config)#spanning-tree mode rapid-pvst
CPS_A1_ABHI_NAG_SW1(config)#spanning-tree portfast default
CPS_A1_ABHI_NAG_SW1(config)#spanning-tree portfast bpduguard default
CPS_A1_ABHI_NAG_SW2(config)#spanning-tree mode rapid-pvst
CPS_A1_ABHI_NAG_SW2(config)#spanning-tree portfast default
CPS_A1_ABHI_NAG_SW2(config)#spanning-tree portfast bpduguard default
CPS_A1_ABHI_NAG_SW3(config)#spanning-tree mode rapid-pvst
CPS_A1_ABHI_NAG_SW3(config)#spanning-tree portfast default
CPS_A1_ABHI_NAG_SW3(config)#spanning-tree portfast bpduguard default
CPS_A1_ABHI_NAG_SW4(config)#spanning-tree mode rapid-pvst
CPS_A1_ABHI_NAG_SW4(config)#spanning-tree portfast default
CPS_A1_ABHI_NAG_SW4(config)#spanning-tree portfast bpduguard default
Note: need to enable rapid; the IOU I'm using does not support it
CPS_A1_ABHI_NAG_SW1(config)#spanning-tree vlan 15,23,35,57,67,999 root primary
CPS_A1_ABHI_NAG_SW1(config)#spanning-tree vlan 14,24,46 root secondary
CPS_A1_ABHI_NAG_SW2(config)#spanning-tree vlan 14,24,46 root primary
CPS_A1_ABHI_NAG_SW2(config)#spanning-tree vlan 15,23,35,57,67,999 root secondary
CPS_A1_ABHI_NAG_SW3(config)#spanning-tree vlan 49,89,111,411,999 root primary
CPS_A1_ABHI_NAG_SW3(config)#spanning-tree vlan 34,38,310 root secondary
CPS_A1_ABHI_NAG_SW4(config)#spanning-tree vlan 34,38,310 root primary
CPS_A1_ABHI_NAG_SW4(config)#spanning-tree vlan 49,89,111,411,999 root secondary

Solution verification
CPS_A1_ABHI_NAG_SW1#show spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for: VLAN0015, VLAN0023, VLAN0035, VLAN0057, VLAN0067, VLAN0999
EtherChannel misconfig guard is enabled
Extended system ID           is enabled
Portfast default             is enabled
Portfast BPDU Guard Default  is enabled
Portfast BPDU Filter Default is disabled
Loopguard default            is disabled
Uplinkfast                   is disabled
Backbonefast                 is disabled
Configured Pathcost method is short

CPS_A1_ABHI_NAG_SW2#show spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for: VLAN0014, VLAN0024, VLAN0046
EtherChannel misconfig guard is enabled
Extended system ID           is enabled
Portfast default             is enabled
Portfast BPDU Guard Default  is enabled
Portfast BPDU Filter Default is disabled
Loopguard default            is disabled
Uplinkfast                   is disabled
Backbonefast                 is disabled

CPS_A1_ABHI_NAG_SW3#show spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for: VLAN0001, VLAN0049, VLAN0089, VLAN0111, VLAN0411, VLAN0999
EtherChannel misconfig guard is enabled
Extended system ID           is enabled
Portfast default             is enabled
Portfast BPDU Guard Default  is enabled
Portfast BPDU Filter Default is disabled
Loopguard default            is disabled
Uplinkfast                   is disabled
Backbonefast                 is disabled
Configured Pathcost method used is short

CPS_A1_ABHI_NAG_SW4#show spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for: VLAN0034, VLAN0038, VLAN0310
EtherChannel misconfig guard is enabled
Extended system ID           is enabled
Portfast default             is enabled
Portfast BPDU Guard Default  is enabled
Portfast BPDU Filter Default is disabled
Loopguard default            is disabled
Uplinkfast                   is disabled
Backbonefast                 is disabled
Configured Pathcost method used is short
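
The Layer 2 requirements of Sections 1.2 and 1.3 (unused ports shut down in vlan 999, non-negotiating dot1q trunks, portfast and BPDU guard defaults) can be checked against a saved configuration. The script below is an added example, not part of the original lab answers; the sample configuration is constructed, and treating `switchport nonegotiate` as the check for "do not rely on negotiation" is this example's assumption.

```python
import re

# Global lines that the Section 1.3 answers enable on every switch.
REQUIRED_GLOBAL = (
    "spanning-tree mode rapid-pvst",
    "spanning-tree portfast default",
    "spanning-tree portfast bpduguard default",
)
# Section 1.2: unused ports are shut-down access ports in vlan 999.
UNUSED_LINES = {"switchport mode access", "switchport access vlan 999", "shutdown"}
# Section 1.2: dot1q trunks that do not rely on negotiation (assumed: DTP off).
TRUNK_LINES = {
    "switchport trunk encapsulation dot1q",
    "switchport mode trunk",
    "switchport nonegotiate",
}

# Constructed running-config excerpt (not from the page). It covers only a few
# ports and contains deliberate gaps so that the audit has something to report.
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree portfast default
!
interface Ethernet1/0
!
interface Ethernet1/1
 switchport access vlan 999
 switchport mode access
!
interface Ethernet2/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
interface Ethernet2/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Ethernet3/0
 switchport access vlan 999
 switchport mode access
 shutdown
!
"""


def parse_config(text):
    """Return (global_lines, {interface: set_of_lines}) for an IOS-style config."""
    global_lines, interfaces, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            current = None          # a blank line or "!" closes the stanza
            continue
        match = re.match(r"interface (\S+)$", line)
        if match:
            current = interfaces.setdefault(match.group(1), set())
        elif line.startswith(" ") and current is not None:
            current.add(line.strip())
        else:
            current = None
            global_lines.add(line.strip())
    return global_lines, interfaces


def audit(text, unused, trunks):
    """Return sorted (scope, missing_line) findings; an empty list means compliant."""
    global_lines, interfaces = parse_config(text)
    findings = [("global", req) for req in REQUIRED_GLOBAL if req not in global_lines]
    for names, required in ((unused, UNUSED_LINES), (trunks, TRUNK_LINES)):
        for name in names:
            have = interfaces.get(name, set())   # a missing stanza has nothing set
            findings += [(name, req) for req in required - have]
    return sorted(findings)


if __name__ == "__main__":
    for scope, missing in audit(
        SAMPLE_CONFIG,
        unused=["Ethernet1/0", "Ethernet1/1", "Ethernet3/0"],
        trunks=["Ethernet2/0", "Ethernet2/1"],
    ):
        print(f"{scope}: missing '{missing}'")
```

A port left at its defaults (Ethernet1/0 in the sample) is reported with all three missing lines, which is how a forgotten interface range shows up.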

Section 1.4 Implement Wan Technology

The WAN links must rely on a layer 2 protocol that supports link negotiation and authentication.
The Service provider expects both R18 and R19 to complete the three-way handshake by providing the expected response to a challenge that is sent by R63
R18 must use the username ACME-R18 and password CCIE
R19 must use the username ACME-R19 and password CCIE

Solution
CPS_A1_ABHI_NAG_R18(config)#interface serial1/0
CPS_A1_ABHI_NAG_R18(config-if)# ip address 203.3.18.2 255.255.255.252
CPS_A1_ABHI_NAG_R18(config-if)# encapsulation ppp
CPS_A1_ABHI_NAG_R18(config-if)# ppp chap hostname ACME-R18
CPS_A1_ABHI_NAG_R18(config-if)# ppp chap password CCIE
CPS_A1_ABHI_NAG_R18(config-if)# no shutdown

CPS_A1_ABHI_NAG_R18#ping 203.3.18.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.3.18.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/8/9 ms
CPS_A1_ABHI_NAG_R18#
CPS_A1_ABHI_NAG_R18#show ip route | i 203
203.3.28.0/24 is variably subnetted, 3 subnets, 2 masks
C 203.3.18.0/30 is directly connected, Serial1/0
C 203.3.18.1/32 is directly connected, Serial1/0
L 203.3.18.2/32 is directly connected, Serial1/0
CPS_A1_ABHI_NAG_R18#

Did you notice the host route for the PE interface? It is generally not recommended when both PPP peers have addresses in the same subnet. We can disable it with the command no peer neighbor-route:
CPS_A1_ABHI_NAG_R18(config)#interface serial1/0
CPS_A1_ABHI_NAG_R18(config-if)#shutdown
CPS_A1_ABHI_NAG_R18(config-if)# no peer neighbor-route
CPS_A1_ABHI_NAG_R18(config-if)#no shutdown
CPS_A1_ABHI_NAG_R18(config-if)#do ping 203.3.18.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.3.18.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 9/9/10 ms

CPS_A1_ABHI_NAG_R18#
CPS_A1_ABHI_NAG_R18#show ip route | i 203
203.3.18.0/24 is variably subnetted, 2 subnets, 2 masks
C 203.3.18.0/30 is directly connected, Serial1/0
L 203.3.18.0/32 is directly connected, Serial1/0
CPS_A1_ABHI_NAG_R18#
CPS_A1_ABHI_NAG_R19(config)#interface serial1/0
CPS_A1_ABHI_NAG_R19(config-if)#ip address 203.3.19.2 255.255.255.252
CPS_A1_ABHI_NAG_R19(config-if)# encapsulation ppp
CPS_A1_ABHI_NAG_R19(config-if)# ppp chap hostname ACME-R19
CPS_A1_ABHI_NAG_R19(config-if)# ppp chap password CCIE
CPS_A1_ABHI_NAG_R19(config-if)# no peer neighbor-route
CPS_A1_ABHI_NAG_R19(config-if)# no shutdown
CPS_A1_ABHI_NAG_R19#ping 203.3.19.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.3.19.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 15/17/19 ms
CPS_A1_ABHI_NAG_R19#
CPS_A1_ABHI_NAG_R19#show ip route | i 203
203.3.19.0/24 is variably subnetted, 2 subnets, 2 masks
C 203.3.19.0/30 is directly connected, Serial1/0
L 203.3.19.0/32 is directly connected, Serial1/0
CPS_A1_ABHI_NAG_R19#

Solution verification
CPS_A1_ABHI_NAG_R18#show ppp all
Interface/ID OPEN+ Nego* Fail-     Stage    Peer Address    Peer Name
------------ --------------------- -------- --------------- ---------
Se1/0        LCP+ IPCP+ CDPCP+     LocalT   203.3.18.1      AS20003
CPS_A1_ABHI_NAG_R18#
CPS_A1_ABHI_NAG_R18#show interface serial 1/0
Serial1/0 is up, line protocol is up
  Hardware is M4T
  Internet address is 103.3.18.2/30
  MTU 1500 bytes, BW 1544 Kbit/sec, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Open: IPCP, CDPCP, crc 16, loopback not set
  Keepalive set (10 sec)
  Restart-Delay is 0 secs
  Last input 00:00:08, output 00:00:08, output hang never
  Last clearing of "show interface" counters 00:09:47
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     208 packets input, 10326 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     207 packets output, 10469 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
     1 carrier transitions     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up
CPS_A1_ABHI_NAG_R18#
CPS_A1_ABHI_NAG_R19#show ppp all
Interface/ID OPEN+ Nego* Fail-     Stage    Peer Address    Peer Name
------------ --------------------- -------- --------------- ---------
Se1/0        LCP+ IPCP+ CDPCP+     LocalT   203.3.19.1      AS20003
CPS_A1_ABHI_NAG_R19#

CPS_A1_ABHI_NAG_R19#show interface serial 1/0
Serial1/0 is up, line protocol is up
  Hardware is M4T
  Internet address is 103.3.19.2/30
  MTU 1500 bytes, BW 1544 Kbit/sec, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Open: IPCP, CDPCP, crc 16, loopback not set
  Keepalive set (10 sec)
  Restart-Delay is 0 secs
  Last input 00:00:04, output 00:00:04, output hang never
  Last clearing of "show interface" counters 00:02:16
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     61 packets input, 3589 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     60 packets output, 3632 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up
CPS_A1_ABHI_NAG_R19#
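
The three-way handshake that Section 1.4 asks for (challenge from R63, response from R18 or R19, success or failure back) is CHAP with MD5 as defined in RFC 1994. The code below is an added example, not part of the original lab answers; it models both sides in memory, uses R63 as the authenticator name, and returns the reply code instead of building the full Success/Failure packet.

```python
import hashlib
import hmac
import os
import struct

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4   # RFC 1994 CHAP codes


def build(code, ident, value, name):
    """Challenge/Response layout: Code, Identifier, Length, Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse(packet):
    """Inverse of build(); rejects truncated or inconsistent lengths."""
    if len(packet) < 5:
        raise ValueError("short CHAP packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    size = packet[4]
    if length != len(packet) or 5 + size > length:
        raise ValueError("bad CHAP length")
    return code, ident, packet[5:5 + size], packet[5 + size:]


def chap_md5(ident, secret, challenge):
    """CHAP with MD5: hash of Identifier || secret || challenge value."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Authenticator:
    """Challenging side (R63 in the task); holds one secret per peer name."""

    def __init__(self, name, secrets):
        self.name, self.secrets = name, secrets
        self.ident, self.pending = 0, None

    def challenge(self):
        self.ident = (self.ident + 1) % 256
        self.pending = os.urandom(16)            # fresh value for every attempt
        return build(CHALLENGE, self.ident, self.pending, self.name)

    def verify(self, packet):
        """Return SUCCESS or FAILURE (the reply code) for a Response packet."""
        pending, self.pending = self.pending, None   # a challenge is single-use
        try:
            code, ident, value, name = parse(packet)
        except ValueError:
            return FAILURE
        secret = self.secrets.get(name)
        if pending is None or code != RESPONSE or ident != self.ident or secret is None:
            return FAILURE
        expected = chap_md5(ident, secret, pending)
        return SUCCESS if hmac.compare_digest(value, expected) else FAILURE


def respond(challenge_packet, hostname, password):
    """Peer side: the values set with `ppp chap hostname` and `ppp chap password`."""
    code, ident, value, _peer = parse(challenge_packet)
    if code != CHALLENGE:
        raise ValueError("not a Challenge")
    return build(RESPONSE, ident, chap_md5(ident, password, value), hostname)


def demo():
    """Run four exchanges against one authenticator and collect the reply codes."""
    r63 = Authenticator(b"R63", {b"ACME-R18": b"CCIE", b"ACME-R19": b"CCIE"})
    good = respond(r63.challenge(), b"ACME-R18", b"CCIE")
    results = {"valid": r63.verify(good)}
    r63.challenge()
    results["replayed"] = r63.verify(good)       # old response, new challenge
    # A mistyped hostname is an unknown peer name, so no secret is found.
    results["unknown_name"] = r63.verify(respond(r63.challenge(), b"ACME-19", b"CCIE"))
    results["wrong_password"] = r63.verify(respond(r63.challenge(), b"ACME-R19", b"ccie"))
    return results


if __name__ == "__main__":
    print(demo())
```

The password never crosses the link; only the hash does, and it is bound to one challenge, which is why the replayed response fails.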

Section 2.1 OSPF in AS12345


Configure OSPFv2 area 0 in ACME HQ (AS12345) according to the following requirements

Configure the OSPF process id to 12345 and set the router id to interface lo0 on all seven routers
The interface lo0 at each router must be seen as an internal OSPF prefix by all other routers
Ensure that OSPF is not running on any interface that is facing another AS. Use any method to accomplish this requirement
SW1 and SW2 must not participate in routing at all
Do not change the default OSPF cost of any interface in AS12345
R1 must see the following OSPF routes in the routing table

R1# sh ip route OSPF
123.0.0.0/8 is variably subnetted, 17 subnets, 2 masks
O 123.2.2.2/32 [110/21] via 123.10.1.1 4d20h ethernet e0/2
O 123.3.3.3/32 [110/21] via 123.10.1.6 4d20h ethernet e0/1
O 123.4.4.4/32 [110/21] via 123.10.1.1 4d20h ethernet e0/2
O 123.5.5.5/32 [110/21] via 123.10.1.6 4d20h ethernet e0/1
O 123.6.6.6/32 [110/21] via 123.10.1.1 4d20h ethernet e0/2
O 123.7.7.7/32 [110/21] via 123.10.1.6 4d20h ethernet e0/1
O 123.10.1.8/30 [110/30] via 123.10.1.6 4d20h ethernet e0/1
                [110/30] via 123.10.1.1 4d20h ethernet e0/2
O 123.10.1.12/30 [110/20] via 123.10.1.6 4d20h ethernet e0/1
O 123.10.1.16/30 [110/20] via 123.10.1.1 4d20h ethernet e0/2
O 123.10.1.20/30 [110/20] via 123.10.1.1 4d20h ethernet e0/2
O 123.10.1.24/30 [110/30] via 123.10.1.6 4d20h ethernet e0/1
                 [110/30] via 123.10.1.1 4d20h ethernet e0/2
O 123.10.1.28/30 [110/20] via 123.10.1.6 4d20h ethernet e0/1

R1
R1#ping 123.10.1.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.6, timeout is 2 seconds:
!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms


R1#
R1(config-router)#router ospf 12345
R1(config-router)#router-id 123.1.1.1
R1(config-router)#net 0.0.0.0 255.255.255.255 area 0
R1(config-router)#end
R1#sh ip ospf int brief
Interface    PID    Area  IP Address/Mask    Cost  State       Nbrs F/C
Lo0          12345  0     123.1.1.1/32       1     WAIT LOOP0  0/0
Et0/2        12345  0     123.10.1.5/30      10    WAIT        0/0
Et0/1        12345  0     123.10.1.1/30      10    WAIT        0/0
R1#

R2#ping 123.10.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R2#
R2#ping 123.10.1.18
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.18, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R2#
R2(config-router)#router ospf 12345
R2(config-router)#router-id 123.2.2.2
R2(config-router)#net 123.2.2.2 0.0.0.0 area 0
R2(config-router)#net 123.10.1.9 0.0.0.0 area 0
R2(config-router)#net 123.10.1.17 0.0.0.0 area 0
R2(config-router)#end
R2#sh ip ospf int brief
Interface    PID    Area  IP Address/Mask    Cost  State       Nbrs F/C
Lo0          12345  0     123.2.2.2/32       1     WAIT LOOP0  0/0
Et0/2        12345  0     123.10.1.17/30     10    WAIT        0/0
Et0/1        12345  0     123.10.1.9/30      10    WAIT        0/0
R2#

R3#ping 123.10.1.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms

R3#

R3#ping 123.10.1.14
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.18, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R3#
R3(config-router)#router ospf 12345
R3(config-router)#router-id 123.3.3.3
R3(config-router)#net 123.3.3.3 0.0.0.0 area 0
R3(config-router)#net 123.10.1.10 0.0.0.0 area 0
R3(config-router)#net 123.10.1.13 0.0.0.0 area 0
R3(config-router)#end
R3#sh ip ospf int brief
Interface    PID    Area  IP Address/Mask    Cost  State       Nbrs F/C
Lo0          12345  0     123.3.3.3/32       1     WAIT LOOP0  0/0
Et0/2        12345  0     123.10.1.13/30     10    WAIT        0/0
Et0/1        12345  0     123.10.1.10/30     10    BDR         0/0

R3#sh ip ospf neighbor
Neighbor ID   Pri  State     Dead Time  Address       Interface
123.2.2.2     1    FULL/DR   00:00:36   123.10.1.9    Ethernet0/1

R4#ping 123.10.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R4#

R4#ping 123.10.1.17
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.17, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R4#
R4#ping 123.10.1.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R4#
R4(config-router)#router ospf 12345
R4(config-router)#router-id 123.4.4.4

R4(config-router)#net 0.0.0.0 255.255.255.255 area 0


R4(config-router)#end
R4#sh ip ospf int brief
Interface    PID    Area  IP Address/Mask    Cost  State       Nbrs F/C
Lo0          12345  0     123.4.4.4/32       1     WAIT LOOP0  0/0
Et0/2        12345  0     123.10.1.21/30     10    WAIT        1/1
Et0/1        12345  0     123.10.1.18/30     10    BDR         1/1
Et0/0        12345  0     123.10.1.2/30      10    BDR         1/1

R4#sh ip ospf neighbor
Neighbor ID   Pri  State     Dead Time  Address       Interface
123.2.2.2     1    FULL/DR   00:00:36   123.10.1.17   Ethernet0/1
123.1.1.1     1    FULL/DR   00:00:36   123.10.1.1    Ethernet0/0
R4#

R5#ping 123.10.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R5#
R5#ping 123.10.1.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R5#
R5#ping 123.10.1.30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.30, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R5#
R5(config-router)#router ospf 12345
R5(config-router)#router-id 123.5.5.5
R5(config-router)#net 0.0.0.0 255.255.255.255 area 0
R5(config-router)#end
R5#sh ip ospf int brief
Interface    PID    Area  IP Address/Mask    Cost  State       Nbrs F/C
Lo0          12345  0     123.5.5.5/32       1     WAIT LOOP0  0/0
Et0/2        12345  0     123.10.1.14/30     10    WAIT        1/1
Et0/1        12345  0     123.10.1.6/30      10    BDR         1/1
Et0/0        12345  0     123.10.1.29/30     10    BDR         1/1

R5#sh ip ospf neighbor
Neighbor ID   Pri  State     Dead Time  Address       Interface
123.3.3.3     1    FULL/DR   00:00:36   123.10.1.17   Ethernet0/2
123.1.1.1     1    FULL/DR   00:00:36   123.10.1.1    Ethernet0/1
R5#
R6#ping 123.10.1.26
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.26, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R6#
R6#ping 123.10.1.21
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.21, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R6#
R6(config-router)#router ospf 12345
R6(config-router)#router-id 123.6.6.6
R6(config-router)#net 0.0.0.0 255.255.255.255 area 0
R6(config-router)#end
R6#sh ip ospf int brief
Interface    PID    Area  IP Address/Mask    Cost  State       Nbrs F/C
Lo0          12345  0     123.6.6.6/32       1     WAIT LOOP0  0/0
Et0/2        12345  0     123.10.1.22/30     10    WAIT        1/1
Et0/1        12345  0     123.10.1.25/30     10    BDR         1/1

R6#sh ip ospf neighbor
Neighbor ID   Pri  State     Dead Time  Address       Interface
123.4.4.4     1    FULL/DR   00:00:36   123.10.1.21   Ethernet0/2
R6#

R7#ping 123.10.1.25
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.25, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R7#
R7#ping 123.10.1.29
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.1.29, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R7#
R7(config-router)#router ospf 12345

R7(config-router)#router-id 123.7.7.7
R7(config-router)#net 0.0.0.0 255.255.255.255 area 0
R7(config-router)#end
R7#sh ip ospf int brief
Interface    PID    Area  IP Address/Mask    Cost  State       Nbrs F/C
Lo0          12345  0     123.7.7.7/32       1     WAIT LOOP0  0/0
Et0/2        12345  0     123.10.1.30/30     10    WAIT        1/1
Et0/1        12345  0     123.10.1.26/30     10    BDR         1/1

R7#sh ip ospf neighbor
Neighbor ID   Pri  State     Dead Time  Address       Interface
123.5.5.5     1    FULL/DR   00:00:36   123.10.1.29   Ethernet0/2
123.6.6.6     1    FULL/DR   00:00:36   123.10.1.25   Ethernet0/1
R7#

>>>from here show the routing table of each device and ping all devices loopbacks sourcing
from the loopbacks<<<<<

SECTION 2.2 - EIGRP IN AS34567


Configure EIGRP for ipv4 in the New York office (AS34567) according to the following
requirements

The EIGRP AS is 34567
The interface lo0 must be seen as an internal EIGRP prefix by all other routers
Ensure that EIGRP is not running on any interface that is facing another AS. Use any method to accomplish this
Using a single command on one switch only, ensure that R8 installs two equal-cost routes for the following three paths:

vlan 411
int lo0 at SW4
int lo0 at R11

Using a single command on one switch only, ensure that R9 installs two equal-cost routes for the following three paths:

vlan 310
int lo0 at SW3
int lo0 at R10

2.2 SOLUTION: IMPLEMENTING EIGRP IN BGP AS 34567

R8#ping 123.10.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R8#
R8#ping 123.10.2.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R8#
R8(config-router)#router eigrp CCIE
R8(config-router)#address-family ipv4 unicast autonomous-system 34567
R8(config-router)#net 123.8.8.8 0.0.0.0
R8(config-router)#net 123.10.2.1 0.0.0.0
R8(config-router)#net 123.10.2.5 0.0.0.0
R8(config-router)#end
R8#sh ip eigrp interfaces
EIGRP-IPv4 VR(CCIE) Address-Family Interfaces for AS(34567)
                    Xmit Queue   PeerQ        Mean   Pacing Time   Multicast    Pending
Interface    Peers  Un/Reliable  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Lo0          0      0/0          0/0          0      0/0           0            0
Et0/2        0      0/0          0/0          0      0/0           0            0
Et0/1        0      0/0          0/0          0      0/0           0            0
R8#
R8#sh ip eigrp neighbors
EIGRP-IPv4 VR(CCIE) Address-Family Neighbors for AS(34567)
R8#
R9#ping 123.10.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R9#
R9#ping 123.10.2.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R9#

R9(config-router)#router eigrp CCIE

R9(config-router)#address-family ipv4 unicast autonomous-system 34567


R9(config-router)#net 123.9.9.9 0.0.0.0
R9(config-router)#net 123.10.2.2 0.0.0.0
R9(config-router)#net 123.10.2.9 0.0.0.0
R9(config-router)#end
R9#sh ip eigrp interfaces
EIGRP-IPv4 VR(CCIE) Address-Family Interfaces for AS(34567)
                    Xmit Queue   PeerQ        Mean   Pacing Time   Multicast    Pending
Interface    Peers  Un/Reliable  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Lo0          0      0/0          0/0          0      0/0           0            0
Et0/2        0      0/0          0/0          0      0/0           0            0
Et0/1        0      0/0          0/0          0      0/0           0            0
R9#
R9#sh ip eigrp neighbors
EIGRP-IPv4 VR(CCIE) Address-Family Neighbors for AS(34567)
H   Address        Interface   Hold  Uptime    SRTT  RTO  Q  Seq
0   123.10.2.1     E0/1        13    00:00:39  11    100
R9#

R10#ping 123.10.2.17
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.17, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R10#
R10#ping 123.10.2.26
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.26, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R10#
R10(config-router)#router eigrp CCIE
R10(config-router)#address-family ipv4 unicast autonomous-system 34567
R10(config-router)#net 123.10.10.10 0.0.0.0
R10(config-router)#net 123.10.2.18 0.0.0.0
R10(config-router)#net 123.10.2.25 0.0.0.0
R10(config-router)#end
R10#sh ip eigrp interfaces
EIGRP-IPv4 VR(CCIE) Address-Family Interfaces for AS(34567)
                    Xmit Queue   PeerQ        Mean   Pacing Time   Multicast    Pending
Interface    Peers  Un/Reliable  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Lo0          0      0/0          0/0          0      0/0           0            0
Et0/2        0      0/0          0/0          0      0/0           0            0
Et0/1        0      0/0          0/0          0      0/0           0            0
R10#
R10#sh ip eigrp neighbors
EIGRP-IPv4 VR(CCIE) Address-Family Neighbors for AS(34567)
R10#
R11#ping 123.10.2.25
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.25, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R11#
R11#ping 123.10.2.21
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.21, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R11#
R11(config-router)#router eigrp CCIE
R11(config-router)#address-family ipv4 unicast autonomous-system 34567
R11(config-router)#net 123.11.11.11 0.0.0.0
R11(config-router)#net 123.10.2.22 0.0.0.0
R11(config-router)#net 123.10.2.26 0.0.0.0
R11(config-router)#end
R11#sh ip eigrp interfaces
EIGRP-IPv4 VR(CCIE) Address-Family Interfaces for AS(34567)
                    Xmit Queue   PeerQ        Mean   Pacing Time   Multicast    Pending
Interface    Peers  Un/Reliable  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Lo0          0      0/0          0/0          0      0/0           0            0
Et0/2        0      0/0          0/0          0      0/0           0            0
Et0/1        0      0/0          0/0          0      0/0           0            0
R11#
R11#sh ip eigrp neighbors
EIGRP-IPv4 VR(CCIE) Address-Family Neighbors for AS(34567)
H   Address        Interface   Hold  Uptime    SRTT  RTO  Q  Seq
0   123.10.2.25    E0/1        11    00:00:39  14    100
R11#

SW3#ping 123.10.2.14
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.14, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
SW3#
SW3#ping 123.10.2.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms

SW3#

SW3#ping 123.10.2.18
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.18, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
SW3#
SW3(config-router)#router eigrp CCIE
SW3(config-router)#address-family ipv4 unicast autonomous-system 34567
SW3(config-router)#net 123.33.33.33 0.0.0.0
SW3(config-router)#net 123.10.2.6 0.0.0.0
SW3(config-router)#net 123.10.2.13 0.0.0.0
SW3(config-router)#net 123.10.2.17 0.0.0.0
SW3(config-router)#end
SW3#sh ip eigrp interfaces
EIGRP-IPv4 VR(CCIE) Address-Family Interfaces for AS(34567)
                    Xmit Queue   PeerQ        Mean   Pacing Time   Multicast    Pending
Interface    Peers  Un/Reliable  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Lo0          0      0/0          0/0          0      0/0           0            0
Vl38         1      0/0          0/0          0      0/0           0            0
Vl34         0      0/0          0/0          0      0/0           0            0
Vl310        1      0/0          0/0          0      0/0           0            0
SW3#
SW3#sh ip eigrp neighbors
EIGRP-IPv4 VR(CCIE) Address-Family Neighbors for AS(34567)
H   Address        Interface   Hold  Uptime    SRTT  RTO  Q  Seq
0   123.10.2.18    Vl310       11    00:00:39  14    100  0  3
1   123.10.2.5     Vl38        11    00:00:39  14    100  0  3
SW3#

SW4#ping 123.10.2.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
SW4#
SW4#ping 123.10.2.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
SW4#

SW4#ping 123.10.2.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
SW4#

SW4(config-router)#router eigrp CCIE
SW4(config-router)#address-family ipv4 unicast autonomous-system 34567
SW4(config-router)#net 123.44.44.44 0.0.0.0
SW4(config-router)#net 123.10.2.10 0.0.0.0
SW4(config-router)#net 123.10.2.14 0.0.0.0
SW4(config-router)#net 123.10.2.21 0.0.0.0
SW4(config-router)#end
SW4#sh ip eigrp interfaces
EIGRP-IPv4 VR(CCIE) Address-Family Interfaces for AS(34567)
                    Xmit Queue   PeerQ        Mean   Pacing Time   Multicast    Pending
Interface    Peers  Un/Reliable  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Lo0          0      0/0          0/0          0      0/0           0            0
Vl38         1      0/0          0/0          0      0/0           0            0
Vl34         0      0/0          0/0          0      0/0           0            0
Vl310        1      0/0          0/0          0      0/0           0            0
SW4#
SW4#sh ip eigrp neighbors
SW4#
<<<<please show all eigrp neighbors and routing tables and ping all loopbacks source from lo0 of all
devices to compare>>>>>>
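
Sections 2.1 and 2.2 both require that the routing protocol does not run on an interface facing another AS, and the answers use two styles of network statement: the catch-all `net 0.0.0.0 255.255.255.255` (R1, R4-R7) and one host statement per interface (R2, R3 and the EIGRP routers). The code below is an added example, not part of the original lab answers; it evaluates the wildcard match for each style against R1's interfaces plus one hypothetical external interface (Et0/0, 198.51.100.1) that is not on the page.

```python
import ipaddress


def matches(interface_ip, address, wildcard):
    """IOS wildcard match: bits set in the wildcard are 'don't care' bits."""
    ip = int(ipaddress.IPv4Address(interface_ip))
    base = int(ipaddress.IPv4Address(address))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (ip & care) == (base & care)


def enabled_interfaces(interfaces, statements):
    """Names of interfaces whose address matches at least one network statement."""
    return [
        name for name, ip in interfaces.items()
        if any(matches(ip, addr, wc) for addr, wc in statements)
    ]


def exposed(interfaces, statements, external):
    """External-facing interfaces that the statements would enable."""
    return [n for n in enabled_interfaces(interfaces, statements) if n in external]


# R1's three interfaces as listed in the `sh ip ospf int brief` output above,
# plus one constructed interface standing in for a link that faces another AS.
R1_INTERFACES = {
    "Lo0": "123.1.1.1",
    "Et0/2": "123.10.1.5",
    "Et0/1": "123.10.1.1",
    "Et0/0": "198.51.100.1",      # hypothetical external link (documentation range)
}
EXTERNAL = {"Et0/0"}

CATCH_ALL = [("0.0.0.0", "255.255.255.255")]                 # style used on R1, R4-R7
PER_INTERFACE = [(ip, "0.0.0.0")                             # style used on R2 and R3
                 for ip in ("123.1.1.1", "123.10.1.5", "123.10.1.1")]
INTERNAL_RANGE = [("123.0.0.0", "0.255.255.255")]            # one statement, internal block only


if __name__ == "__main__":
    for label, stmts in (("catch-all", CATCH_ALL),
                         ("per-interface", PER_INTERFACE),
                         ("internal range", INTERNAL_RANGE)):
        print(label, enabled_interfaces(R1_INTERFACES, stmts),
              "exposed:", exposed(R1_INTERFACES, stmts, EXTERNAL))
```

With the catch-all statement, any external interface would need a separate control such as a passive interface to meet the requirement; the other two styles never match it.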

SECTION 2.3 - EIGRP IN AS45678


Configure EIGRP in AS45678 according to the following requirements

The EIGRP AS is 45678
The interface lo0 must be seen as an internal EIGRP prefix by all other routers
Ensure that EIGRP is not running on any interface that is facing another AS. Use any method to accomplish this requirement
SW5 and SW6 are layer 3 switches and must be configured for EIGRP
On all three routers (R15, R16, R17) use the 64-bit version of EIGRP
Do not change the interface bandwidth on any physical interface in AS 45678

2.3 SOLUTION: Implementing EIGRP in BGP AS 45678

R15#ping 123.20.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.20.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R15#
R15#ping 123.20.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R15#
R15#ping 123.20.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R15#
R15#ping 123.10.2.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R15#
R15(config-router)#router eigrp CCIE
R15(config-router)#address-family ipv4 unicast autonomous-system 45678
R15(config-router)#net 123.15.15.15 0.0.0.0
R15(config-router)#net 123.20.1.1 0.0.0.0
R15(config-router)#net 123.20.1.9 0.0.0.0
R15(config-router)#end
R15#sh ip eigrp interfaces
EIGRP-IPv4 VR(CCIE) Address-Family Interfaces for AS(34567)
                   Xmit Queue   PeerQ        Mean   Pacing Time   Multicast    Pending
Interface   Peers  Un/Reliable  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Lo0           0        0/0         0/0         0        0/0           0           0
Et0/1         2        0/0         0/0         0        0/0           0           0
Et0/2         0        0/0         0/0         0        0/0           0           0
R15#
R15#sh ip eigrp neighbors
EIGRP-IPv4 VR(CCIE) Address-Family Neighbors for AS(45678)
H   Address        Interfaces   Hold  Uptime    SRTT   RTO   Q   Seq
0   123.20.1.3     Et0/1        13    00:00:39  14     100   0   7
1   123.20.1.2     Et0/1        14    00:00:39  14     100   0   7
R15#

R16#ping 123.20.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R16#
R16#ping 123.10.2.18
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.18, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R16#
R16(config-router)#router eigrp CCIE
R16(config-router)#address-family ipv4 unicast autonomous-system 45678
R16(config-router)#net 123.16.16.16 0.0.0.0
R16(config-router)#net 123.20.1.2 0.0.0.0
R16(config-router)#net 123.20.1.17 0.0.0.0
R16(config-router)#end
R16#sh ip eigrp interfaces
EIGRP-IPv4 VR(CCIE) Address-Family Interfaces for AS(34567)
                   Xmit Queue   PeerQ        Mean   Pacing Time   Multicast    Pending
Interface   Peers  Un/Reliable  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Lo0           0        0/0         0/0         0        0/0           0           0
Et0/1         2        0/0         0/0         0        0/0           0           0
Et0/2         0        0/0         0/0         0        0/0           0           0
R16#
R16#sh ip eigrp neighbors
EIGRP-IPv4 VR(CCIE) Address-Family Neighbors for AS(45678)
H   Address        Interfaces   Hold  Uptime    SRTT   RTO   Q   Seq
0   123.20.1.1     Et0/1        13    00:00:39  14     100   0   7
1   123.20.1.3     Et0/1        14    00:00:39  14     100   0   7
R16#

R17#ping 123.20.1.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R17#
R17#ping 123.10.2.17
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.10.2.17, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R17#
R17(config-router)#router eigrp CCIE
R17(config-router)#address-family ipv4 unicast autonomous-system 45678
R17(config-router)#net 123.17.17.17 0.0.0.0
R17(config-router)#net 123.20.1.10 0.0.0.0
R17(config-router)#net 123.20.1.18 0.0.0.0
R17(config-router)#end
R17#sh ip eigrp interfaces
EIGRP-IPv4 VR(CCIE) Address-Family Interfaces for AS(34567)
                   Xmit Queue   PeerQ        Mean   Pacing Time   Multicast    Pending
Interface   Peers  Un/Reliable  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Lo0           0        0/0         0/0         0        0/0           0           0
Et0/1         1        0/0         0/0         0        0/0           0           0
Et0/2         1        0/0         0/0         0        0/0           0           0
R17#
R17#sh ip eigrp neighbors
EIGRP-IPv4 VR(CCIE) Address-Family Neighbors for AS(45678)
H   Address        Interfaces   Hold  Uptime    SRTT   RTO   Q   Seq
0   123.20.1.17    Et0/1        13    00:00:39  14     100   0   7
1   123.20.1.9     Et0/2        14    00:00:39  14     100   0   7
R17#

SW5(config-router)#router eigrp CCIE


SW5(config-router)#net 123.55.55.55 0.0.0.0
SW5(config-router)#net 123.20.1.1 0.0.0.0
SW5(config-router)#end
SW5#
SW5#sh ip eigrp neighbors
EIGRP-IPv4 VR(CCIE) Address-Family Neighbors for AS(34567)
H   Address        Interfaces   Hold  Uptime    SRTT   RTO   Q   Seq
0   123.20.1.1     Vl55         11    00:00:39  14     100   0   3
1   123.20.1.2     Vl55         11    00:00:39  14     100   0   3
SW5#

SW6(config-router)#router eigrp CCIE


SW6(config-router)#net 123.66.66.66 0.0.0.0
SW6(config-router)#net 123.20.1.11 0.0.0.0
SW6(config-router)#end
SW6#
<<<<<please verify by checking neighborship and pings and routing table>>>>>>>

Section 2.4 EIGRP in AS 65222

The EIGRP AS is 45678


The interface lo0 at each router must be seen as an internal EIGRP
prefix by all other routers
Ensure that EIGRP is not running on any interface that is facing
another AS use any method to accomplish this requirement
R17 is the DMVPN hub and R18 and R19 are the spokes; use the pre-configured tunnel 0

2.4 SOLUTION::: Implementing EIGRP in BGP AS 65222

R17# sh run int tun 0


int tunnel 0
bandwidth 1000
ip address 123.20.1.25 255.255.255.248
no ip redirects
tunnel source Ethernet0/0
tunnel mode gre multipoint
end
R17#
R17(config-router)#router eigrp CCIE
R17(config-router)#address-family ipv4 unicast autonomous-system 45678
R17(config-router)#net 123.20.1.25 0.0.0.0
R17(config-router)#end

R18# sh run int tun 0


int tunnel 0
bandwidth 1000
ip address 123.20.1.26 255.255.255.248
no ip redirects
tunnel source SERIAL1/0
tunnel mode gre multipoint
end
R18#

R18(config-router)#router eigrp CCIE


R18(config-router)#address-family ipv4 unicast autonomous-system 45678
R18(config-router)#net 123.18.18.18 0.0.0.0
R18(config-router)#net 123.20.1.26 0.0.0.0
R18(config-router)#net 10.1.18.1 0.0.0.0
R18(config-router)#end
R19# sh run int tun 0
int tunnel 0
bandwidth 1000
ip address 123.20.1.27 255.255.255.248
no ip redirects
tunnel source SERIAL1/0
tunnel mode gre multipoint
end

R19#

R19(config-router)#router eigrp CCIE


R19(config-router)#address-family ipv4 unicast autonomous-system 45678
R19(config-router)#net 123.19.19.19 0.0.0.0
R19(config-router)#net 123.20.1.27 0.0.0.0
R19(config-router)#net 10.1.19.1 0.0.0.0
R19(config-router)#end

Section 2.5 BGP in AS 12345


BGP is partially configured in ACME headquarters, complete the config as required
Configure the BGP in ACMEs HQ (AS 12345) according to the following
requirements

R4 and R5 must not establish any BGP session at any time


All BGP routers must use their int lo0 as their router-id
Disable the default ipv4 unicast address family for peering session
establishment in all BGP routers
R1 must be the ipv4 route-reflector for BGP AS12345

Configure eBGP between ACME's San Francisco and San Jose sites according to
the following requirements

R20 is the CE router and uses eBGP to connect to the managed services
that are provided by the PE routers R2 and R3
R20 must establish separate eBGP peerings with both R2 and R3 for every
V
R20 must advertise the following prefix to all the BGP peers

123.0.0.0/8 summary-only
10.0.0.0/8 summary-only

R20 must advertise a default route to all of its BGP peers except to
10.120.99.1 and 10.120.99.5

2.5 SOLUTION::::Implementing BGP in BGP AS 12345

GREEN VPN.  RD-65111:12 RT 12:12
BLUE VPN.   RD-65111:13 RT 13:13
RED VPN.    RD-65111:14 RT 14:14
YELLOW VPN. RD-45678:15 RT 15:15
INET VPN.   RD-30000:99 RT 99:99

R1(config)#router bgp 12345


R1(config-router)#bgp router-id 123.1.1.1
R1(config-router)#no bgp default ipv4-unicast
R1(config-router)#neighbor IBGP peer-group
R1(config-router)#neighbor IBGP remote-as 12345
R1(config-router)#neighbor IBGP update-source loopback 0
R1(config-router)#neighbor 123.2.2.2 peer-group IBGP
R1(config-router)#neighbor 123.3.3.3 peer-group IBGP
R1(config-router)#neighbor 123.6.6.6 peer-group IBGP
R1(config-router)#neighbor 123.7.7.7 peer-group IBGP
R1(config-router)#address-family ipv4
R1(config-router-af)#neighbor 123.2.2.2 activate
R1(config-router-af)#neighbor 123.3.3.3 activate
R1(config-router-af)#neighbor 123.6.6.6 activate
R1(config-router-af)#neighbor 123.7.7.7 activate
R1(config-router-af)#neighbor IBGP route-reflector-client
R1(config-router-af)#exit-address-family
R1(config-router)#end
R2
R2(config)#router bgp 12345
R2(config-router)#bgp router-id 123.2.2.2
R2(config-router)#no bgp default ipv4-unicast
R2(config-router)#neighbor 123.1.1.1 remote-as 12345
R2(config-router)#neighbor 123.1.1.1 update-source loopback 0
R2(config-router)#address-family ipv4
R2(config-router-af)#neighbor 123.1.1.1 activate
R2(config-router-af)#exit-address-family
R2(config-router-af)#end
R2#

R3
R3(config)#router bgp 12345
R3(config-router)#bgp router-id 123.3.3.3
R3(config-router)#no bgp default ipv4-unicast
R3(config-router)#neighbor 123.1.1.1 remote-as 12345
R3(config-router)#neighbor 123.1.1.1 update-source loopback 0
R3(config-router)#address-family ipv4
R3(config-router-af)#neighbor 123.1.1.1 activate
R3(config-router-af)#exit-address-family
R3(config-router-af)#end
R3#
R6
R6(config)#router bgp 12345
R6(config-router)#bgp router-id 123.6.6.6
R6(config-router)#no bgp default ipv4-unicast
R6(config-router)#neighbor 123.1.1.1 remote-as 12345
R6(config-router)#neighbor 123.1.1.1 update-source loopback 0
R6(config-router)#address-family ipv4
R6(config-router-af)#neighbor 123.1.1.1 activate
R6(config-router-af)#exit-address-family
R6(config-router-af)#end
R6#

R7(config)#router bgp 12345


R7(config-router)#bgp router-id 123.7.7.7
R7(config-router)#no bgp default ipv4-unicast
R7(config-router)#neighbor 123.1.1.1 remote-as 12345
R7(config-router)#neighbor 123.1.1.1 update-source loopback 0
R7(config-router)#address-family ipv4
R7(config-router-af)#neighbor 123.1.1.1 activate
R7(config-router-af)#exit-address-family
R7(config-router-af)#end
R7#
<<<<<sh bgp all summary in all devices>>>>>>>
::VRF CONFIGS::
R2
R2(config)#router bgp 12345
R2(config-router)#address-family ipv4 vrf GREEN
R2(config-router-af)#neighbor 10.120.12.2 remote-as 65112
R2(config-router-af)#neighbor 10.120.12.2 activate
R2(config-router-af)#exit-address-family
R2(config-router)#address-family ipv4 vrf BLUE
R2(config-router-af)#neighbor 10.120.13.2 remote-as 65112
R2(config-router-af)#neighbor 10.120.13.2 activate
R2(config-router-af)#exit-address-family
R2(config-router)#address-family ipv4 vrf RED
R2(config-router-af)#neighbor 10.120.14.2 remote-as 65112
R2(config-router-af)#neighbor 10.120.14.2 activate
R2(config-router-af)#exit-address-family
R2(config-router)#address-family ipv4 vrf YELLOW
R2(config-router-af)#neighbor 10.120.15.2 remote-as 65112
R2(config-router-af)#neighbor 10.120.15.2 activate
R2(config-router-af)#exit-address-family
R2(config-router)#address-family ipv4 vrf INET
R2(config-router-af)#neighbor 10.120.99.2 remote-as 65112
R2(config-router-af)#neighbor 10.120.99.2 activate
R2(config-router-af)#exit-address-family
R3
R3(config)#router bgp 12345
R3(config-router)#address-family ipv4 vrf GREEN
R3(config-router-af)#neighbor 10.120.12.6 remote-as 65112
R3(config-router-af)#neighbor 10.120.12.6 activate
R3(config-router-af)#exit-address-family
R3(config-router)#address-family ipv4 vrf BLUE
R3(config-router-af)#neighbor 10.120.13.6 remote-as 65112
R3(config-router-af)#neighbor 10.120.13.6 activate
R3(config-router-af)#exit-address-family
R3(config-router)#address-family ipv4 vrf RED
R3(config-router-af)#neighbor 10.120.14.6 remote-as 65112
R3(config-router-af)#neighbor 10.120.14.6 activate
R3(config-router-af)#exit-address-family
R3(config-router)#address-family ipv4 vrf YELLOW
R3(config-router-af)#neighbor 10.120.15.6 remote-as 65112
R3(config-router-af)#neighbor 10.120.15.6 activate
R3(config-router-af)#exit-address-family
R3(config-router)#address-family ipv4 vrf INET
R3(config-router-af)#neighbor 10.120.99.6 remote-as 65112
R3(config-router-af)#neighbor 10.120.99.6 activate
R3(config-router-af)#exit-address-family
R20

R20(config)#router bgp 65112
R20(config-router)#net 10.0.0.0
R20(config-router)#net 123.0.0.0
R20(config-router)#auto-summary
R20(config-router)#neighbor 10.120.12.1 remote-as 12345
R20(config-router)#neighbor 10.120.13.1 remote-as 12345
R20(config-router)#neighbor 10.120.14.1 remote-as 12345
R20(config-router)#neighbor 10.120.15.1 remote-as 12345
R20(config-router)#neighbor 10.120.99.1 remote-as 12345
R20(config-router)#neighbor 10.120.12.5 remote-as 12345
R20(config-router)#neighbor 10.120.13.5 remote-as 12345
R20(config-router)#neighbor 10.120.14.5 remote-as 12345
R20(config-router)#neighbor 10.120.15.5 remote-as 12345
R20(config-router)#neighbor 10.120.99.5 remote-as 12345
R20(config-router)#
R20(config-router)#neighbor 10.120.12.1 default-originate
R20(config-router)#neighbor 10.120.13.1 default-originate
R20(config-router)#neighbor 10.120.14.1 default-originate
R20(config-router)#neighbor 10.120.15.1 default-originate
R20(config-router)#neighbor 10.120.12.5 default-originate
R20(config-router)#neighbor 10.120.13.5 default-originate
R20(config-router)#neighbor 10.120.14.5 default-originate
R20(config-router)#neighbor 10.120.15.5 default-originate
R20(config-router)#end

<<<<<<<<<<<<<sho ip bgp on R20 and R3,sh bgp all summary,sh ip bgp vpnv4
all>>>>>>>>>>>>>>>>>

Section 2.6 BGP in AS 34567


BGP is partially pre-configured in ACME New York office, complete the config as
required
Configure IBGP in AS 34567 according to the following requirements

SW3 and SW4 must not establish any BGP session at any time
All BGP routers must use their int lo0 as their router-id
Configure full mesh IBGP peering between all four routers use any
configuration method
R9 must be selected as the preferred exit point for traffic destined to
remote ASes
R11 must be selected as the next preferred exit in case R9 fails
No BGP speaker may use a network statement under the BGP router config.
Ensure that the BGP next hop is never marked as unreachable as long
as int lo0 of the remote peer is known via IGP

Configure EIGRP in AS 34567 according to the following requirements

All four BGP routers must establish eBGP peerings with their
neighboring AS as shown in diagram 3 (BGP topology)
All four BGP routers must redistribute EIGRP into BGP
Ensure that R9 is the only router that sees the default as a BGP route
and that all other routers (R8, R10, R11) see it as an EIGRP external

2.6 SOLUTION::: Implement BGP in BGP AS 34567:

R8(config)#router bgp 34567


R8(config-router)#bgp router-id 123.8.8.8
R8(config-router)#no bgp default ipv4-unicast
R8(config-router)#neighbor 123.9.9.9 remote-as 34567
R8(config-router)#neighbor 123.9.9.9 update-source loopback 0
R8(config-router)#neighbor 123.10.10.10 remote-as 34567
R8(config-router)#neighbor 123.10.10.10 update-source loopback 0
R8(config-router)#neighbor 123.11.11.11 remote-as 34567
R8(config-router)#neighbor 123.11.11.11 update-source loopback 0
R8(config-router)#address-family ipv4
R8(config-router-af)#neighbor 123.9.9.9 activate
R8(config-router-af)#neighbor 123.10.10.10 activate
R8(config-router-af)#neighbor 123.11.11.11 activate
R8(config-router-af)#exit-address-family
R8(config-router-af)#end
R8#

R9(config)#router bgp 34567


R9(config-router)#bgp router-id 123.9.9.9
R9(config-router)#no bgp default ipv4-unicast
R9(config-router)#neighbor 123.8.8.8 remote-as 34567
R9(config-router)#neighbor 123.8.8.8 update-source loopback 0
R9(config-router)#neighbor 123.10.10.10 remote-as 34567
R9(config-router)#neighbor 123.10.10.10 update-source loopback 0
R9(config-router)#neighbor 123.11.11.11 remote-as 34567
R9(config-router)#neighbor 123.11.11.11 update-source loopback 0

R9(config-router)#address-family ipv4
R9(config-router-af)#neighbor 123.8.8.8 activate
R9(config-router-af)#neighbor 123.10.10.10 activate
R9(config-router-af)#neighbor 123.11.11.11 activate
R9(config-router-af)#exit-address-family
R9(config-router-af)#end
R9#

R10(config)#router bgp 34567


R10(config-router)#bgp router-id 123.10.10.10
R10(config-router)#no bgp default ipv4-unicast
R10(config-router)#neighbor 123.8.8.8 remote-as 34567
R10(config-router)#neighbor 123.8.8.8 update-source loopback 0
R10(config-router)#neighbor 123.9.9.9 remote-as 34567
R10(config-router)#neighbor 123.9.9.9 update-source loopback 0
R10(config-router)#neighbor 123.11.11.11 remote-as 34567
R10(config-router)#neighbor 123.11.11.11 update-source loopback 0

R10(config-router)#address-family ipv4
R10(config-router-af)#neighbor 123.8.8.8 activate
R10(config-router-af)#neighbor 123.9.9.9 activate
R10(config-router-af)#neighbor 123.11.11.11 activate
R10(config-router-af)#exit-address-family
R10(config-router-af)#end
R10#

R11(config)#router bgp 34567


R11(config-router)#bgp router-id 123.11.11.11
R11(config-router)#no bgp default ipv4-unicast
R11(config-router)#neighbor 123.8.8.8 remote-as 34567
R11(config-router)#neighbor 123.8.8.8 update-source loopback 0
R11(config-router)#neighbor 123.9.9.9 remote-as 34567
R11(config-router)#neighbor 123.9.9.9 update-source loopback 0
R11(config-router)#neighbor 123.10.10.10 remote-as 34567
R11(config-router)#neighbor 123.10.10.10 update-source loopback 0

R11(config-router)#address-family ipv4
R11(config-router-af)#neighbor 123.8.8.8 activate
R11(config-router-af)#neighbor 123.9.9.9 activate
R11(config-router-af)#neighbor 123.10.10.10 activate
R11(config-router-af)#exit-address-family
R11(config-router-af)#end
R11#

R8(config)#router bgp 34567


R8(config-router)#neighbor 101.1.34.1 remote-as 10001
R8(config-router)#address-family ipv4
R8(config-router-af)#neighbor 101.1.34.1 activate
R8(config-router-af)#neighbor 123.9.9.9 next-hop-self
R8(config-router-af)#neighbor 123.10.10.10 next-hop-self
R8(config-router-af)#neighbor 123.11.11.11 next-hop-self
R8(config-router-af)#exit-address-family
R8(config-router-af)#end
R8#clear ip bgp * soft

R9(config)#router bgp 34567


R9(config-router)#neighbor 33.34.4.1 remote-as 30000
R9(config-router)#neighbor 102.1.34.1 remote-as 10002
R9(config-router)#address-family ipv4
R9(config-router-af)#neighbor 33.34.4.1 activate
R9(config-router-af)#neighbor 102.1.34.1 activate
R9(config-router-af)#neighbor 123.8.8.8 next-hop-self
R9(config-router-af)#neighbor 123.10.10.10 next-hop-self
R9(config-router-af)#neighbor 123.11.11.11 next-hop-self
R9(config-router-af)#exit-address-family
R9(config-router-af)#end
R9#clear ip bgp * soft
R10(config)#router bgp 34567
R10(config-router)#neighbor 201.1.34.1 remote-as 20001
R10(config-router)#address-family ipv4
R10(config-router-af)#neighbor 201.1.34.1 activate
R10(config-router-af)#neighbor 123.9.9.9 next-hop-self
R10(config-router-af)#neighbor 123.8.8.8 next-hop-self
R10(config-router-af)#neighbor 123.11.11.11 next-hop-self
R10(config-router-af)#exit-address-family
R10(config-router-af)#end
R10#clear ip bgp * soft

R11(config)#router bgp 34567


R11(config-router)#neighbor 33.34.3.1 remote-as 30000
R11(config-router)#neighbor 202.2.34.1 remote-as 20002
R11(config-router)#address-family ipv4
R11(config-router-af)#neighbor 33.34.3.1 activate
R11(config-router-af)#neighbor 202.2.34.1 activate
R11(config-router-af)#neighbor 123.8.8.8 next-hop-self
R11(config-router-af)#neighbor 123.10.10.10 next-hop-self
R11(config-router-af)#neighbor 123.9.9.9 next-hop-self
R11(config-router-af)#exit-address-family
R11(config-router-af)#end
R11#clear ip bgp * soft
<<<<<show ip bgp in all routers>>>>>>
R8(config)#router bgp 34567
R8(config-router)#address-family ipv4
R8(config-router-af)#redistribute eigrp 34567
R8(config-router-af)#end
R9(config)#router bgp 34567
R9(config-router)#address-family ipv4
R9(config-router-af)#redistribute eigrp 34567
R9(config-router-af)#end
R10(config)#router bgp 34567
R10(config-router)#address-family ipv4
R10(config-router-af)#redistribute eigrp 34567
R10(config-router-af)#end
R11(config)#router bgp 34567
R11(config-router)#address-family ipv4
R11(config-router-af)#redistribute eigrp 34567
R11(config-router-af)#end
R9(config)#ip prefix-list 1 permit 0.0.0.0/0
R9(config)#route-map 1 permit 1
R9(config-route-map)#match ip address prefix-list 1
R9(config-route-map)#exit
R9(config)#router eigrp CCIE
R9(config-router)#address-family ipv4 unicast autonomous-system 34567
R9(config-router-af)#topology base
R9(config-router-af-topology)#redistribute bgp 34567 metric 100000 10 255 1 1500 route-map 1
R9(config-router)#end

R11(config)#ip prefix-list 1 permit 0.0.0.0/0
R11(config)#route-map 1 permit 1
R11(config-route-map)#match ip address prefix-list 1
R11(config-route-map)#exit
R11(config)#router eigrp CCIE
R11(config-router)#address-family ipv4 unicast autonomous-system 34567
R11(config-router-af)#topology base
R11(config-router-af-topology)#redistribute bgp 34567 metric 100000 10 255 1 1500 route-map 1
R11(config-router)#end
<<<<on R8 and R9 and R10 and R11 do show ip route 0.0.0.0>>>>>>>>
:::R11 has issues, it is learning via BGP:::
R9(config)#route-map MYMAP permit 1
R9(config-route-map)#match ip address prefix-list 1
R9(config-route-map)#set local-preference 101
R9(config)#router bgp 34567
R9(config-router)#address-family ipv4
R9(config-router)#neighbor 33.34.4.1 route-map MYMAP in
R9(config-router)#end
R9# clear ip bgp * soft

Section 2.7 BGP in AS 45678 and 65222


Refer to diagram 3 (BGP routing)
Configure EBGP in ACME's APAC region (AS45678 and AS 65222) according to the
following requirements

SW5 and SW6 must not establish any BGP session at any time
All BGP routers must use their int lo0 as their router-id
No iBGP peering sessions are allowed in AS 45678
R15 must establish an EBGP peering with AS 10003 and must receive
default route as well as other prefix.
R15 must redistribute BGP into EIGRP and vice versa
R15 must also advertise an aggregate prefix 123.20.1.0/24 to AS 1003
and must suppress all component prefixes
R16, 17, 18, 19 must establish an eBGP peering with AS 20003 and must
receive a default route as well as other prefix
R15, 17 , 18 , 19 must not advertise any prefix to AS 20003
As long as R15 is operational, R16, R17, R18, R19 must prefer the EIGRP
default route over the EBGP default route
Do not create any VRF anywhere in order to accomplish the above
requirements

2.7 SOLUTION::::Implement BGP in BGP AS 45678 and 65222

R15

R15(config)#router bgp 45678


R15(config-router)#bgp router-id 123.15.15.15
R15(config-router)#neighbor 103.2.45.1 remote-as 10003
R15(config-router)#aggregate-address 123.20.1.0 255.255.255.0 summary-only
R15(config-router)#redistribute eigrp 45678
R15(config)#router eigrp CCIE
R15(config-router)#address-family ipv4 unicast autonomous-system 45678
R15(config-router-af)#topology base
R15(config-router-af-topology)#redistribute bgp 45678 metric 100000 10 255 1 1500 route-map 1
R15(config-router-af-topology)#end
R16
R16(config)#router bgp 45678
R16(config-router)#bgp router-id 123.16.16.16
R16(config-router)#neighbor 203.3.16.1 remote-as 20003
R16(config-router)#end

R17
R17(config)#router bgp 45678
R17(config-router)#bgp router-id 123.17.17.17
R17(config-router)#neighbor 203.3.17.1 remote-as 20003
R17(config-router)#end
R18
R18(config)#router bgp 45678
R18(config-router)#bgp router-id 123.18.18.18
R18(config-router)#neighbor 203.3.18.1 remote-as 20003
R18(config-router)#end
R19
R19(config)#router bgp 45678
R19(config-router)#bgp router-id 123.19.19.19
R19(config-router)#neighbor 203.3.19.1 remote-as 20003
R19(config-router)#end
<<<NB:if R15 is not receiving default from SP it should receive after section 3.3 when
R2/R3 form eBGP for yellow vrf needs further work.>>>>>

Section 2.8 BGP routing policies

Configure the ACME network as per the following requirements

All ACME border routers in AS 12345 must filter the BGP prefixes that
are advertised to their SP in VRF INET and must allow all prefixes that
belong to class A 123.0.0.0/8; all other VRFs must propagate all
prefixes
All ACME border routers in AS 12345 must filter the BGP prefixes that
are advertised to their SP and must allow only all prefixes that belong
to the class A 123.0.0.0/8
Do not use any route-map or access-list to accomplish the above
requirements
R13 must route traffic preferably via AS 20002, use any method to
accomplish this requirement
All three remote sites in AS 65111 must be able to ping 1.2.3.4 and
traceroute must reveal the exact same path as shown in the following
output
R12# ping 1.2.3.4 so lo0
!!!!!
R12# traceroute 1.2.3.4 so lo0
1. 201.1.12.1 [AS 65112]
2. 201.1.123.2 [AS 65112]
3. 10.120.12.1 [AS 65112] [MPLS: label 135 EXP 0]
4. 10.120.12.2 [AS 65112]
5. 10.120.99.5 [AS 65112]
6. 102.2.123.1 [AS 65112]
7. 33.10.2.1 [AS 65112]

2.8 SOLUTION:::: Implement BGP routing Policies

<<<to do with vpn section 3.1,3.2 and 3.3>>>
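
The `ip prefix-list 1 permit 0.0.0.0/0` entry used in the 2.6 solution and the 123.0.0.0/8 outbound filter that section 2.8 asks for both depend on how IOS compares prefix lengths. The Python model below is an added example, not part of the original workbook; the list names `CLASS-A-123` and `ANY`, their `le 32` entries and the sample routes are assumptions constructed for illustration.

```python
import ipaddress
import re

# One "ip prefix-list" line: name, action, prefix, optional ge / le bounds.
# Sequence numbers are not modelled; entries are evaluated in the order given.
ENTRY_RE = re.compile(
    r"^ip prefix-list (?P<name>\S+) (?P<action>permit|deny) "
    r"(?P<net>\d+\.\d+\.\d+\.\d+/\d+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)


def parse_prefix_list(lines):
    """Parse prefix-list lines into (action, network, min_len, max_len) tuples."""
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if m is None:
            raise ValueError(f"not a prefix-list entry: {line!r}")
        net = ipaddress.ip_network(m["net"], strict=False)
        ge = int(m["ge"]) if m["ge"] else None
        le = int(m["le"]) if m["le"] else None
        if ge is not None and ge <= net.prefixlen:
            raise ValueError(f"ge must exceed the prefix length: {line!r}")
        if ge is None and le is None:
            lo = hi = net.prefixlen            # no ge/le: exact length only
        else:
            lo = ge if ge is not None else net.prefixlen
            hi = le if le is not None else 32  # ge alone runs up to /32
        if not lo <= hi <= 32:
            raise ValueError(f"empty or invalid length window: {line!r}")
        entries.append((m["action"], net, lo, hi))
    return entries


def evaluate(entries, route):
    """Return 'permit' or 'deny' for a route such as '123.20.1.0/24'."""
    r = ipaddress.ip_network(route)
    for action, net, lo, hi in entries:
        # First matching entry wins: length inside the window, bits inside the prefix.
        if lo <= r.prefixlen <= hi and r.network_address in net:
            return action
    return "deny"                              # implicit deny at the end of the list


def classify(entries, routes):
    """Map every route to the action the list takes on it."""
    return {route: evaluate(entries, route) for route in routes}


# The entry from the 2.6 solution: matches the default route and nothing else.
DEFAULT_ONLY = parse_prefix_list(["ip prefix-list 1 permit 0.0.0.0/0"])
# Assumed form of a "only prefixes inside 123.0.0.0/8" filter (section 2.8).
CLASS_A_123 = parse_prefix_list(["ip prefix-list CLASS-A-123 permit 123.0.0.0/8 le 32"])
# Assumed "match everything" list, shown for contrast with DEFAULT_ONLY.
MATCH_ALL = parse_prefix_list(["ip prefix-list ANY permit 0.0.0.0/0 le 32"])

# Constructed sample routes that reuse the workbook's addressing.
SAMPLE_ROUTES = ["0.0.0.0/0", "123.0.0.0/8", "123.20.1.0/24",
                 "123.15.15.15/32", "10.120.99.0/30"]

if __name__ == "__main__":
    for label, entries in (("1", DEFAULT_ONLY), ("CLASS-A-123", CLASS_A_123),
                           ("ANY", MATCH_ALL)):
        print(label, classify(entries, SAMPLE_ROUTES))
```
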

Section 2.9 IPV6 OSPF


Configure OSPFv3 in the ACME New York office as per the following requirements

Configure the OSPF process id 1 and set the router-id as interface lo0
Sw4 must be selected as the DR on vlan 34 and must have the best chance
Sw3 must be selected as the backup DR on vlan 34 and must take over DR
if SW4 is down

2.9 SOLUTION::::Implement IPV6 OSPF

SW3
SW3(config)#ipv6 unicast-routing
SW3(config)#ipv6 router ospf 1
SW3(config-rtr)#router-id 123.33.33.33
SW3(config)#interface vlan 34
SW3(config-if)#ipv6 ospf 1 area 0
SW3(config-if)#ipv6 ospf priority 1
SW3(config)#interface vlan 310
SW3(config-if)#ipv6 ospf 1 area 10
SW3(config-if)#end

SW4
SW4(config)#ipv6 unicast-routing
SW4(config)#ipv6 router ospf 1
SW4(config-rtr)#router-id 123.44.44.44
SW4(config)#interface vlan 34
SW4(config-if)#ipv6 ospf 1 area 0
SW4(config-if)#ipv6 ospf priority 255
SW4(config)#interface vlan 411
SW4(config-if)#ipv6 ospf 1 area 11
SW4(config-if)#end

R10
R10(config)#ipv6 unicast-routing
R10(config)#ipv6 router ospf 1
R10(config-rtr)#router-id 123.10.10.10
R10(config)#interface ethernet 0/1
R10(config-if)#ipv6 ospf 1 area 10
R10(config-if)#end

R11
R11(config)#ipv6 unicast-routing
R11(config)#ipv6 router ospf 1
R11(config-rtr)#router-id 123.11.11.11
R11(config)#interface ethernet 0/2
R11(config-if)#ipv6 ospf 1 area 11
R11(config-if)#end

Section 2.10 BGP for IPV6


Configure ACME network as per the following requirements

Establish the four eBGP peering as indicated on "diagram IPV6 routing"


Do not use the network command under the BGP address-family ipv6 on
either R10 or R11
Both regional SP will advertise the necessary prefixes
Advertise the ipv6 prefix on interface E0/0 into BGP on both R12 and
R14
Configure your network such that any ipv6 that any user can communicate
with any ipv6 user that is located and vice versa
Do not use any static route or default route anywhere
Use the following ping to verify your config

R12# ping 2001:CC1E:BEF:14:10:1:14::1 so E0/0


!!!!!
2.10 SOLUTION:::Implement IPV6 BGP

R10
R10(config)#ipv6 unicast-routing
R10(config)#router bgp 34567
R10(config-router)#neighbor 2001:CC1E:BEF:10:201:1:34:1 remote-as 20001
R10(config-router)#address-family ipv6
R10(config-router-af)#neighbor 2001:CC1E:BEF:10:201:1:34:1 activate
R10(config-router-af)#redistribute ospf 1 match internal external
R10(config)#ipv6 router ospf 1
R10(config-rtr)#redistribute bgp 34567
R11
R11(config)#ipv6 unicast-routing
R11(config)#router bgp 34567
R11(config-router)#neighbor 2001:CC1E:BEF:11:202:1:34:1 remote-as 20002
R11(config-router)#address-family ipv6
R11(config-router-af)#neighbor 2001:CC1E:BEF:11:202:1:34:1 activate
R11(config-router-af)#redistribute ospf 1 match internal external

R11(config)#ipv6 router ospf 1


R11(config-rtr)#redistribute bgp 34567
R12
R12(config)#ipv6 unicast-routing
R12(config)#router bgp 65111
R12(config-router)#neighbor 2001:CC1E:BEF:12:201:1:12:1 remote-as 20001
R12(config-router)#address-family ipv6
R12(config-router-af)#neighbor 2001:CC1E:BEF:12:201:1:12:1 activate
R12(config-router-af)#network 2001:CC1E:BEF:12::/64
R12(config-rtr)#end
R14
R14(config)#ipv6 unicast-routing
R14(config)#router bgp 65111
R14(config-router)#neighbor 2001:CC1E:BEF:14:202:2:14:1 remote-as 20002
R14(config-router)#address-family ipv6
R14(config-router-af)#neighbor 2001:CC1E:BEF:14:202:2:14:1 activate
R14(config-router-af)#network 2001:CC1E:BEF:14::/64
R14(config-rtr)#end

Section 2.11 Layer 3 multicast


Streaming server is connected in vlan 5 on sw5. Receivers are located at the
DMVPN spokes R18 and R19
Configure the ACME network as per the following requirements

Only network segments with active receivers that explicitly require the
data must receive the multicast traffic
Interface lo0 of R15 must be configured as RP
Use a standard method of dynamically distributing the RP
Both R16 and R17 must participate in the multicast routing
To test configure int E0/0 of both R18 and R19 to join group 232.1.1.1

Sw5# ping 232.1.1.1 so vlan 5


reply to request 0 from 10.2.19.1 3ms
reply to request 0 from 10.2.18.1 4ms

2.11 SOLUTION::::Implement Layer3 Multicast
R15

R15(config)#ip multicast-routing
R15(config)#interface ethernet 0/1
R15(config-if)#ip pim sparse-mode
R15(config-if)#!
R15(config-if)#interface ethernet 0/2
R15(config-if)#ip pim sparse-mode
R15(config-if)#!
R15(config-if)#interface lo0
R15(config-if)#ip pim sparse-mode
R15(config)#ip pim rp-candidate loopback 0
R15(config)#ip pim bsr-candidate loopback 0
R15(config)#exit
<<<sh ip pim interfaces,sh ip pim rp mapping>>>

SW1
SW1(config)#ip multicast-routing
SW1(config)#interface vlan 55
SW1(config-if)#no shut
SW1(config-if)#ip pim sparse-mode
SW1(config-if)#!
SW1(config-if)#interface vlan 5
SW1(config-if)#ip address 123.55.55.55 255.255.255.0
SW1(config-if)#no shut
SW1(config-if)#ip pim sparse-mode
SW1(config-if)#!
SW1(config-if)#interface lo0
SW1(config-if)#ip pim sparse-mode
SW1(config)#exit
<<<sh ip pim interfaces,sh ip pim rp mapping>>>
SW2
SW2(config)#ip multicast-routing
SW2(config)#interface vlan 66
SW2(config-if)#no shut
SW2(config-if)#ip pim sparse-mode
SW2(config-if)#!
SW2(config-if)#interface vlan 6
SW2(config-if)#ip address 123.66.66.66 255.255.255.0
SW2(config-if)#no shut
SW2(config-if)#ip pim sparse-mode
SW2(config-if)#!
SW2(config-if)#interface lo0
SW2(config-if)#ip pim sparse-mode
SW2(config)#exit
<<<sh ip pim interfaces,sh ip pim rp mapping>>>

R16
R16#sh cdp neighbor
R16(config)#ip multicast-routing
R16(config)#interface ethernet 0/1
R16(config-if)#ip pim sparse-mode
R16(config-if)#!
R16(config-if)#interface ethernet 0/2
R16(config-if)#ip pim sparse-mode
R16(config-if)#!
R16(config-if)#interface lo0
R16(config-if)#ip pim sparse-mode
R16(config)#exit
<<<sh ip pim interfaces,sh ip pim rp mapping>>>

R17
R17#sh cdp neighbor
R17(config)#ip multicast-routing
R17(config)#interface ethernet 0/1
R17(config-if)#ip pim sparse-mode
R17(config-if)#!
R17(config-if)#interface ethernet 0/2
R17(config-if)#ip pim sparse-mode
R17(config-if)#interface tunnel 0
R17(config-if)#ip pim sparse-mode
R17(config-if)#!
R17(config-if)#interface lo0
R17(config-if)#ip pim sparse-mode
R17(config)#exit
<<<sh ip pim interfaces,sh ip pim rp mapping>>>

R18
R18#sh cdp neighbor
R18(config)#ip multicast-routing
R18(config)#interface ethernet 0/0
R18(config-if)#ip igmp join-group 232.1.1.1
R18(config-if)#ip pim sparse-mode
R18(config-if)#!
R18(config-if)#interface tunnel 0
R18(config-if)#ip pim sparse-mode
R18(config-if)#!
R18(config-if)#interface lo0
R18(config-if)#ip pim sparse-mode
R18(config)#exit
<<<sh ip pim interfaces,sh ip pim rp mapping>>>

R19
R19#sh cdp neighbor
R19(config)#ip multicast-routing
R19(config)#interface ethernet 0/0
R19(config-if)#ip igmp join-group 232.1.1.1
R19(config-if)#ip pim sparse-mode
R19(config-if)#!
R19(config-if)#interface tunnel 0
R19(config-if)#ip pim sparse-mode
R19(config-if)#!
R19(config)#exit
<<<sh ip pim interfaces,sh ip pim rp mapping>>>

Section 3 VPN Technology


Refer to "diagram 3 BGP topology" and "diagram 4 VPN technology"

The ACME HQ network (AS12345) uses MPLS L3VPN in order to clearly
separate remote site networks
The ACME corporate security policies are centralized and enforced at
the San Jose site (AS 65112) for all remote sites. The policies require
that all traffic that is originated from any remote sites (with the
exception of New York office)
Configure MPLS L3 VPN in the ACME network according to the following
requirements
Enable ldp only on required interfaces on all seven routers in AS 12345
Use the interface lo0 to establish ldp peerings
Ensure that no mpls interface that belongs to any router in AS12345 is
visible on a traceroute that originates outside of the AS
R2, R3, R6 and R7 must be configured as PE routers
R1, R4 and R5 must be configured as P routers

3.1 SOLUTION:::: Implement MPLS VPN-I

R1
R1(config)#ip cef
R1(config)#mpls ip
R1(config)#mpls label protocol ldp
R1(config)#int lo0
R1(config-if)#mpls ip
R1(config-if)#int eth 0/1
R1(config-if)#mpls ip
R1(config-if)#int eth 0/2
R1(config-if)#mpls ip
R1(config-if)#end
R1#
R2
R2(config)#ip cef
R2(config)#mpls ip
R2(config)#mpls label protocol ldp
R2(config)#int lo0
R2(config-if)#mpls ip
R2(config-if)#int eth 0/1
R2(config-if)#mpls ip
R2(config-if)#int eth 0/2
R2(config-if)#mpls ip
R2(config-if)#end
R2#
R3
R3(config)#ip cef
R3(config)#mpls ip
R3(config)#mpls label protocol ldp
R3(config)#int lo0
R3(config-if)#mpls ip
R3(config-if)#int eth 0/1
R3(config-if)#mpls ip
R3(config-if)#int eth 0/2
R3(config-if)#mpls ip
R3(config-if)#end
R3#

R4
R4(config)#ip cef
R4(config)#mpls ip
R4(config)#mpls label protocol ldp
R4(config)#int lo0
R4(config-if)#mpls ip
R4(config-if)#int eth 0/1
R4(config-if)#mpls ip
R4(config-if)#int eth 0/2
R4(config-if)#mpls ip
R4(config-if)#end
R4#

R5
R5(config)#ip cef
R5(config)#mpls ip
R5(config)#mpls label protocol ldp
R5(config)#int lo0
R5(config-if)#mpls ip
R5(config-if)#int eth 0/1
R5(config-if)#mpls ip
R5(config-if)#int eth 0/2
R5(config-if)#mpls ip
R5(config-if)#end
R5#
R6
R6(config)#ip cef
R6(config)#mpls ip
R6(config)#mpls label protocol ldp
R6(config)#int lo0
R6(config-if)#mpls ip
R6(config-if)#int eth 0/1
R6(config-if)#mpls ip
R6(config-if)#int eth 0/2
R6(config-if)#mpls ip
R6(config-if)#end
R6#

R7
R7(config)#ip cef
R7(config)#mpls ip
R7(config)#mpls label protocol ldp
R7(config)#int lo0
R7(config-if)#mpls ip
R7(config-if)#int eth 0/1
R7(config-if)#mpls ip
R7(config-if)#int eth 0/2
R7(config-if)#mpls ip
R7(config-if)#end
R7#

3.2 MPLS VPN part 2


Refer to "diagram 3 BGP topology" and "diagram 4 VPN technology"
The global and regional service providers have agreed to transport the ACME VPN via PE to
PE eBGP peering that are already preconfigured. Complete all the config of mpls L3 VPN in
the ACME network according to the following requirements

R1 must reflect VPNv4 prefixes from any PE to any other PE in AS 12345
R2 and R3 must establish eBGP peering with both global SP (AS 10001 and
AS 10002) for the following VRFs

BLUE
GREEN
RED
YELLOW
INET

R3 must establish an eBGP peering with the regional SP (AS 20001) for
the following VRFs

GREEN
BLUE
INET

R7 must establish an eBGP peering with the regional SP (AS 20002) for
the following VRFs

BLUE
RED
INET

All ip add used for eBGP peering must pass the BGP's directly connected
check
No BGP speaker in AS 12345 may use the network or redistribute
statement under any address-family of the BGP router config
At the end of the exam scenario the interface E0/0 of the gateway
router in any remote site must be able to connect to the int E0/0 of
any other remote gateway that belongs to AS 65111 or AS 65222
Use the following tests as examples of connectivity checks

R12# ping 10.2.19.1 so E0/0
!!!!!
R12# trace 10.2.19.1 so E0/0
(10 hops)

3.2 SOLUTION:::: Implement MPLS VPN-II


<<NB:CONFIGURE DMVPN (SEC 3.3) BEFORE THIS>>

R1
R1(config)#router bgp 12345
R1(config-router)#address-family vpnv4
R1(config-router-af)#neighbor IBGP route-reflector-client
R1(config-router-af)#neighbor IBGP send-community extended
R1(config-router-af)#neighbor 123.2.2.2 activate
R1(config-router-af)#neighbor 123.3.3.3 activate
R1(config-router-af)#neighbor 123.6.6.6 activate
R1(config-router-af)#neighbor 123.7.7.7 activate
R1(config-router-af)#end
R1#
R2
R2(config)#router bgp 12345
R2(config-router)#address-family vpnv4
R2(config-router-af)#neighbor 123.1.1.1 activate
R2(config-router-af)#neighbor 123.1.1.1 send-community extended
R2(config-router-af)#end
R2#
R3
R3(config)#router bgp 12345
R3(config-router)#address-family vpnv4
R3(config-router-af)#neighbor 123.1.1.1 activate
R3(config-router-af)#neighbor 123.1.1.1 send-community extended
R3(config-router-af)#end
R3#

R6
R6(config)#router bgp 12345
R6(config-router)#address-family vpnv4
R6(config-router-af)#neighbor 123.1.1.1 activate
R6(config-router-af)#neighbor 123.1.1.1 send-community extended
R6(config-router-af)#end
R6#
R7
R7(config)#router bgp 12345
R7(config-router)#address-family vpnv4
R7(config-router-af)#neighbor 123.1.1.1 activate
R7(config-router-af)#neighbor 123.1.1.1 send-community extended
R7(config-router-af)#end
R7#

<<<<on R1,R2,R3,R6 and R7 do sh ip bgp vpnv4 all summary>>>>

R6
R6(config)#router bgp 12345
R6(config-router)#address-family ipv4 vrf BLUE
R6(config-router-af)#neighbor 201.1.123.1 remote-as 20001
R6(config-router-af)#neighbor 201.1.123.1 activate
R6(config-router-af)#exit address-family
R6(config-router)#!
R6(config-router)#address-family ipv4 vrf GREEN
R6(config-router-af)#neighbor 201.1.123.1 remote-as 20001
R6(config-router-af)#neighbor 201.1.123.1 activate
R6(config-router-af)#exit address-family
R6(config-router)#!
R6(config-router)#address-family ipv4 vrf INET
R6(config-router-af)#neighbor 201.1.123.1 remote-as 20001
R6(config-router-af)#neighbor 201.1.123.1 activate
R6(config-router-af)#exit address-family
R6(config-router)#end
<<<<do sh ip bgp vpnv4 all summary>>>>
R12
R12(config)#router bgp 65111
R12(config-router)#neighbor 201.1.13.1 remote-as 20001
R12(config-router)#redistribute connected
R12(config-router)#end
<<<do sh ip bgp summary and show ip bgp>>>
R7
R7(config)#router bgp 12345
R7(config-router)#address-family ipv4 vrf BLUE
R7(config-router-af)#neighbor 202.2.123.1 remote-as 20002
R7(config-router-af)#neighbor 202.2.123.1 activate
R7(config-router-af)#exit address-family
R7(config-router)#!
R7(config-router)#address-family ipv4 vrf INET
R7(config-router-af)#neighbor 202.2.123.1 remote-as 20002
R7(config-router-af)#neighbor 202.2.123.1 activate
R7(config-router-af)#exit address-family
R7(config-router)#!
R7(config-router)#address-family ipv4 vrf RED
R7(config-router-af)#neighbor 202.2.123.1 remote-as 20002
R7(config-router-af)#neighbor 202.2.123.1 activate
R7(config-router-af)#exit address-family
R7(config-router)#end
<<<<do sh ip bgp vpnv4 all summary>>>>

R13
R13(config)#router bgp 65111
R13(config-router)#neighbor 201.1.13.1 remote-as 20001
R13(config-router)#neighbor 202.2.13.1 remote-as 20002
R13(config-router)#redistribute connected
R13(config-router)#end
<<<do sh ip bgp summary and show ip bgp>>>
R14
R14(config)#router bgp 65111
R14(config-router)#neighbor 202.2.14.1 remote-as 20002
R14(config-router)#redistribute connected
R14(config-router)#end
<<<do sh ip bgp summary and show ip bgp>>>
R2
R2(config)#router bgp 12345
R2(config-router)#address-family ipv4 vrf BLUE
R2(config-router-af)#neighbor 101.1.123.1 remote-as 10001
R2(config-router-af)#neighbor 101.1.123.1 activate
R2(config-router-af)#exit address-family
R2(config-router)#!
R2(config-router)#address-family ipv4 vrf GREEN
R2(config-router-af)#neighbor 101.1.123.1 remote-as 10001
R2(config-router-af)#neighbor 101.1.123.1 activate
R2(config-router-af)#exit address-family
R2(config-router)#!
R2(config-router)#address-family ipv4 vrf INET
R2(config-router-af)#neighbor 101.1.123.1 remote-as 10001
R2(config-router-af)#neighbor 101.1.123.1 activate
R2(config-router-af)#exit address-family
R2(config-router)#!
R2(config-router)#address-family ipv4 vrf RED
R2(config-router-af)#neighbor 101.1.123.1 remote-as 10001
R2(config-router-af)#neighbor 101.1.123.1 activate
R2(config-router-af)#exit address-family
R2(config-router)#!
R2(config-router)#address-family ipv4 vrf YELLOW
R2(config-router-af)#neighbor 101.1.123.1 remote-as 10001
R2(config-router-af)#neighbor 101.1.123.1 activate
R2(config-router-af)#exit address-family
R2(config-router)#end

R3
R3(config)#router bgp 12345
R3(config-router)#address-family ipv4 vrf BLUE
R3(config-router-af)#neighbor 102.2.123.1 remote-as 10002
R3(config-router-af)#neighbor 102.2.123.1 activate
R3(config-router-af)#exit address-family
R3(config-router)#!
R3(config-router)#address-family ipv4 vrf GREEN
R3(config-router-af)#neighbor 102.2.123.1 remote-as 10002
R3(config-router-af)#neighbor 102.2.123.1 activate
R3(config-router-af)#exit address-family
R3(config-router)#!
R3(config-router)#address-family ipv4 vrf INET
R3(config-router-af)#neighbor 102.2.123.1 remote-as 10002
R3(config-router-af)#neighbor 102.2.123.1 activate
R3(config-router-af)#exit address-family
R3(config-router)#!
R3(config-router)#address-family ipv4 vrf RED
R3(config-router-af)#neighbor 102.2.123.1 remote-as 10002
R3(config-router-af)#neighbor 102.2.123.1 activate
R3(config-router-af)#exit address-family
R3(config-router)#!
R3(config-router)#address-family ipv4 vrf YELLOW
R3(config-router-af)#neighbor 102.2.123.1 remote-as 10002
R3(config-router-af)#neighbor 102.2.123.1 activate
R3(config-router-af)#exit address-family
R3(config-router)#end

<<<<do sh ip bgp vpnv4 all summary and run a tclsh ping from the remote sites all over to
the central site>>>>

3.3 DMVPN
Configure DMVPN phase 3 in the ACME APAC region (AS 45678 and 65222) as per the
following requirements

Use the preconfigured interface tunnel 0 on all the three routers in
order to accomplish this task
R17 must be the hub router
R18 and R19 must be the spokes and must participate in NHRP information
exchange
Disable sending of ICMP redirect messages on all three tunnel interfaces
Configure the following parameters on all the three tunnel interfaces

bandwidth 1000 kbps
delay 10000 msec
mtu 1400 bytes
tcp mss 1380

Authenticate NHRP using the string 45678key
Use NHRP network-id 45678
Config NHRP hold time to 5 min
Ensure that spoke to spoke traffic does not transit via the hub

3.3 SOLUTION::::Implement DMVPN

R17
R17(config)#interface tunnel 0
R17(config-if)#bandwidth 1000
R17(config-if)#ip address 123.20.1.25 255.255.255.248
R17(config-if)#no ip redirects
R17(config-if)#ip mtu 1400
R17(config-if)#ip nhrp authentication 45678key
R17(config-if)#ip nhrp map multicast dynamic
R17(config-if)#ip nhrp network-id 45678
R17(config-if)#ip nhrp holdtime 300
R17(config-if)#ip nhrp redirect
R17(config-if)#delay 1000
R17(config-if)#tunnel source eth0/0
R17(config-if)#tunnel mode gre multipoint
R17(config-if)#ip tcp adjust-mss 1380
R17(config)#router eigrp CCIE
R17(config-router)#address-family ipv4 autonomous 45678
R17(config-router-af)#af-interface tunnel 0
R17(config-router-af-interface)#no split-horizon
R17(config-router-af-interface)#no next-hop-self
R17(config-router-af-interface)#end
R17#

R18
R18(config)#interface tunnel 0
R18(config-if)#bandwidth 1000
R18(config-if)#ip address 123.20.1.26 255.255.255.248
R18(config-if)#no ip redirects
R18(config-if)#ip mtu 1400
R18(config-if)#ip nhrp authentication 45678key
R18(config-if)#ip nhrp map multicast dynamic
R18(config-if)#ip nhrp network-id 45678
R18(config-if)#ip nhrp holdtime 300
R18(config-if)#ip nhrp shortcut
R18(config-if)#ip nhrp redirect
R18(config-if)#ip nhrp nhs 123.20.1.25
R18(config-if)#ip nhrp map 123.20.1.25 203.3.17.2
R18(config-if)#ip nhrp map multicast 203.3.17.2
R18(config-if)#delay 1000
R18(config-if)#tunnel source s1/0
R18(config-if)#tunnel mode gre multipoint
R18(config-if)#ip tcp adjust-mss 1380
R18(config)#router eigrp CCIE
R18(config-router)#address-family ipv4 autonomous 45678
R18(config-router-af)#af-interface tunnel 0
R18(config-router-af-interface)#no split-horizon
R18(config-router-af-interface)#end
R18#

R19
R19(config)#interface tunnel 0
R19(config-if)#bandwidth 1000
R19(config-if)#ip address 123.20.1.27 255.255.255.248
R19(config-if)#no ip redirects
R19(config-if)#ip mtu 1400
R19(config-if)#ip nhrp authentication 45678key
R19(config-if)#ip nhrp map multicast dynamic
R19(config-if)#ip nhrp network-id 45678
R19(config-if)#ip nhrp holdtime 300
R19(config-if)#ip nhrp shortcut
R19(config-if)#ip nhrp redirect
R19(config-if)#ip nhrp nhs 123.20.1.25
R19(config-if)#ip nhrp map 123.20.1.25 203.3.17.2
R19(config-if)#ip nhrp map multicast 203.3.17.2
R19(config-if)#delay 1000
R19(config-if)#tunnel source s1/0
R19(config-if)#tunnel mode gre multipoint
R19(config-if)#ip tcp adjust-mss 1380
R19(config)#router eigrp CCIE
R19(config-router)#address-family ipv4 autonomous 45678
R19(config-router-af)#af-interface tunnel 0
R19(config-router-af-interface)#no split-horizon
R19(config-router-af-interface)#end
R19#

3.4 DMVPN Encryption


Refer to "Diagram 4 VPN technology"
Secure the DMVPN tunnel using IPSEC according to the following requirements

Configure IKE phase 1 as per the following

Use AES encryption with the pre-shared key CCIE
The key must appear in plain text in the config
All IPSEC tunnels must be authenticated using the same IKE phase 1 preshared key
Use 1024 bits for the key exchange using the Diffie-Hellman algorithm
Configure a single policy using priority 10

Config IKE phase 2 as per the following requirements

Use CCIEXFORM as transform set name
Use DMVPNPROFILE as IPSEC profile name
Use IPSEC in transport mode
Use the IPSEC protocol ESP and algorithm AES with 128 bits

Ensure that the DMVPN cloud is secured using above parameters. Use
tunnel protection in your config

3.4 SOLUTION::::Implement Encryption


R17
R17(config)#crypto isakmp enable
R17(config)#crypto isakmp policy 10
R17(config-isakmp)#authentication pre-share
R17(config-isakmp)#encryption aes
R17(config-isakmp)#group 2
R17(config-isakmp)#exit
R17(config)#crypto isakmp key CCIE address 203.3.18.2
R17(config)#crypto isakmp key CCIE address 203.3.19.2
R17(config)#crypto ipsec transform-set CCIEXFORM esp-aes esp-md5-hmac
R17(cfg-crypto-trans)#mode transport
R17(cfg-crypto-trans)#exit
R17(config)#crypto ipsec profile DMVPNPROFILE
R17(cfg-ipsec-profile)#set transform-set CCIEXFORM
R17(cfg-ipsec-profile)#exit
R17(config)#int tunnel 0
R17(config-if)#tunnel protection ipsec profile DMVPNPROFILE
R17(config-if)#exit

R18
R18(config)#crypto isakmp enable
R18(config)#crypto isakmp policy 10
R18(config-isakmp)#authentication pre-share
R18(config-isakmp)#encryption aes
R18(config-isakmp)#group 2
R18(config-isakmp)#exit
R18(config)#crypto isakmp key CCIE address 203.3.17.2
R18(config)#crypto ipsec transform-set CCIEXFORM esp-aes esp-md5-hmac
R18(cfg-crypto-trans)#mode transport
R18(cfg-crypto-trans)#exit
R18(config)#crypto ipsec profile DMVPNPROFILE
R18(cfg-ipsec-profile)#set transform-set CCIEXFORM
R18(cfg-ipsec-profile)#exit
R18(config)#int tunnel 0
R18(config-if)#tunnel protection ipsec profile DMVPNPROFILE
R18(config-if)#exit

R19
R19(config)#crypto isakmp enable
R19(config)#crypto isakmp policy 10
R19(config-isakmp)#authentication pre-share
R19(config-isakmp)#encryption aes
R19(config-isakmp)#group 2
R19(config-isakmp)#exit
R19(config)#crypto isakmp key CCIE address 203.3.17.2
R19(config)#crypto ipsec transform-set CCIEXFORM esp-aes esp-md5-hmac
R19(cfg-crypto-trans)#mode transport
R19(cfg-crypto-trans)#exit
R19(config)#crypto ipsec profile DMVPNPROFILE
R19(cfg-ipsec-profile)#set transform-set CCIEXFORM
R19(cfg-ipsec-profile)#exit
R19(config)#int tunnel 0
R19(config-if)#tunnel protection ipsec profile DMVPNPROFILE
R19(config-if)#exit
<<<<sh ip nhrp brief, show crypto ipsec sa on all devices running DMVPN>>>>
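An added check, not part of the original answers: each spoke above keys only the hub's address, so IKE between R18 and R19 has no pre-shared key to use when a direct spoke-to-spoke tunnel is built. The Python below finds such gaps and lists legacy algorithms; the configs are constructed from the 3.4 answers with prompts stripped, and all function names are hypothetical.

```python
import re

# NBMA (tunnel source) addresses as used in the page's key and NHRP statements.
NBMA = {"R17": "203.3.17.2", "R18": "203.3.18.2", "R19": "203.3.19.2"}

def crypto_config(key_peers):
    """Rebuild one router's crypto lines from the 3.4 answers (constructed input)."""
    keys = "\n".join(f"crypto isakmp key CCIE address {p}" for p in key_peers)
    return (
        "crypto isakmp policy 10\n authentication pre-share\n"
        " encryption aes\n group 2\n"
        f"{keys}\n"
        "crypto ipsec transform-set CCIEXFORM esp-aes esp-md5-hmac\n"
        " mode transport\n"
    )

# As answered on the page: the hub keys both spokes, each spoke keys the hub only.
CONFIGS = {
    "R17": crypto_config(["203.3.18.2", "203.3.19.2"]),
    "R18": crypto_config(["203.3.17.2"]),
    "R19": crypto_config(["203.3.17.2"]),
}

KEY_RE = re.compile(r"^crypto isakmp key (\S+) address (\S+)(?: \S+)?$", re.M)
LEGACY = {"group 2": "1024-bit MODP Diffie-Hellman group",
          "esp-md5-hmac": "HMAC-MD5 integrity"}

def psk_peers(config):
    """Map each keyed peer address to its key; '*' stands for the 0.0.0.0 wildcard."""
    return {("*" if addr == "0.0.0.0" else addr): key
            for key, addr in KEY_RE.findall(config)}

def missing_psk_pairs(configs, nbma):
    """(a, b) pairs where router a has no pre-shared key usable for peer b."""
    gaps = []
    for a, cfg in configs.items():
        peers = psk_peers(cfg)
        for b, addr in nbma.items():
            if a != b and addr not in peers and "*" not in peers:
                gaps.append((a, b))
    return sorted(gaps)

def distinct_keys(configs):
    """All key strings in use; the task requires exactly one."""
    return sorted({k for cfg in configs.values() for k in psk_peers(cfg).values()})

def legacy_settings(config):
    """Legacy algorithms in the config (the lab task itself mandates the 1024-bit group)."""
    return sorted(label for token, label in LEGACY.items()
                  if re.search(rf"(?<!\S){re.escape(token)}(?!\S)", config))

if __name__ == "__main__":
    print("missing PSK:", missing_psk_pairs(CONFIGS, NBMA))
    print("keys in use:", distinct_keys(CONFIGS))
    print("legacy on R17:", legacy_settings(CONFIGS["R17"]))
```

Closing the gap means each spoke also keying the other spoke's address, or using the `address 0.0.0.0 0.0.0.0` wildcard form, which accepts the shared key from any source address.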

Section 4 Infrastructure security


4.1 Device security

Configure R20 in the ACME San Jose office as per the following
All users who connect to R20 via the console or via any of VTY lines using SSH
must be prompted with the below message before any other prompt is displayed

WARNING!ACCESS RESTRICTED

Do not use any other spaces or any other characters

4.1 SOLUTION:::Device Security


R20(config)#service linenumber
R20(config)#banner motd cWARNING!ACCESS RESTRICTEDc
R20(config)#line vty 0 4
R20(config-line)#login local
R20(config-line)#access-class 1 in
R20(config-line)#transport input ssh
R20(config-line)#end

4.2 Network Security


Configure ACME New York office as per the following

Ensure that int E0/0-3 of Sw3 forward the traffic sent from expected
and legitimate users only
Sw3 must dynamically learn only one mac address per port and must save
the mac address in its startup config
Sw3 must shut down the port if security violation occurs on any of the
four ports

4.2 SOLUTION:::Implement Network Security

SW3(config)#interface range ethernet 0/0-3
SW3(config-if)#switchport port-security
SW3(config-if)#switchport port-security mac-address sticky
SW3(config-if)#switchport port-security maximum 1
SW3(config-if)#switchport port-security violation shutdown
SW3(config-if)#end
<<<show port-security>>>

SECTION V
SECTION 5 Infrastructure Services
5.1 System management

Configure R20 in the ACME San Jose office as per the following
Establish SSH access in R20 using the domain name acme.org
R20 must accept up to five remote authorized users to connect at the
same time using SSH
Create the user "test" with password "test" in local database of R20
Ensure that R20 accepts SSH connections with clients with source ip in
123.10.2.0/24. All other source ip should be denied. Use standard ACL
to accomplish this
R20 must generate a syslog message for all SSH connection attempts
whether permitted or denied
When authenticated, the username test must be granted privilege level 1
Do not enable aaa new model on R20
Ensure that SSH is the only remote access method permitted on VTY lines
of R20
Ensure that the console is not affected by your solution and no
username prompt is presented on the console port
Test your solution from any device that is located in AS 34567 and
ensure that the following sequence of command produce the following
output
R10 # ssh -l 123.20.20.20
WARNING!ACCESS RESTRICTED
R20>
R20>sh privilege
Current privilege level is 1
R20>
R20>q
R10#

5.1 SOLUTION:::: Implement System Management


R20
R20(config)#service linenumber
R20(config)#username test password test
R20(config)#ip domain name acme.org
R20(config)#
R20(config)#crypto key generate rsa
R20(config)#
R20(config)#ip ssh maxstartups 5
R20(config)#ip ssh logging events
R20(config)#ip ssh version 2
R20(config)#access-list 1 permit 123.10.2.0 0.0.0.255
R20(config)#line vty 0 4
R20(config-line)#login local
R20(config-line)#access-class 1 in
R20(config-line)#transport input ssh
R20(config-line)#end

5.2 Network Services


Configure the ACME network as per the following

R20 must enable all private corporate traffic that is originated from
any host with source ip address 10.1.0.0/16 or 10.2.0.0/16 to connect
to any public destination that is located in AS 34567
All remote sites in AS 65111 and 65222 must be able to connect to the
public destinations
R20 must swap the source ip address in these packets with the ip
address of its lo0
R20 must allow multiple concurrent connections
Use a standard ACL to accomplish this.
The following tests must succeed after the above requirements (in
addition to previous requirements) are achieved

R12# ping 1.2.3.4 so E0/0
!!!!!
R18# ping 1.2.3.4 so E0/0
!!!!!

5.2 SOLUTION::::Implement Network Services


R20
R20(config)#access-list 2 permit 10.1.0.0 0.0.255.255
R20(config)#access-list 2 permit 10.2.0.0 0.0.255.255
R20(config)#ip nat inside source list 2 interface loopback 0 overload
R20(config)#interface 0/0.12
R20(config-if)#ip nat inside
R20(config)#interface 0/1.99
R20(config-if)#ip nat outside
<<<<run ping/traceroute tests to 1.2.3.4 from all vpn sites sourcing from their wan
interfaces>>>>
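An added check, not part of the original answers: the task names 10.1.0.0/16 and 10.2.0.0/16, and a standard ACL written with a 0.0.0.255 wildcard only matches the first /24 of each, so sources such as 10.2.19.1 (the remote-site address in the 3.2 ping test) would never be translated. The two ACL texts are constructed for the comparison, function names are hypothetical, and sampling one host per /24 is a simplification.

```python
import ipaddress
import re

# Constructed inputs: the same standard ACL written with a /24 and a /16 wildcard.
ACL_SLASH24 = """access-list 2 permit 10.1.0.0 0.0.0.255
access-list 2 permit 10.2.0.0 0.0.0.255"""
ACL_SLASH16 = """access-list 2 permit 10.1.0.0 0.0.255.255
access-list 2 permit 10.2.0.0 0.0.255.255"""
REQUIRED = ["10.1.0.0/16", "10.2.0.0/16"]  # source ranges named in task 5.2

ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (\S+) (\S+)$", re.M)

def acl_entries(config, number):
    """Parse 'access-list N permit|deny ADDR WILDCARD' lines of one standard ACL."""
    entries = []
    for num, action, addr, wild in ACL_RE.findall(config):
        if int(num) == number:
            entries.append((action,
                            int(ipaddress.IPv4Address(addr)),
                            int(ipaddress.IPv4Address(wild))))
    return entries

def acl_permits(entries, source):
    """First-match evaluation, ending in the implicit deny of every IOS ACL."""
    src = int(ipaddress.IPv4Address(source))
    for action, addr, wild in entries:
        # Wildcard bits set to 1 are ignored; every other bit must equal the entry.
        if (src | wild) == (addr | wild):
            return action == "permit"
    return False

def uncovered(entries, prefix):
    """The /24s of a required prefix whose first host the ACL does not permit."""
    net = ipaddress.ip_network(prefix)
    return [str(s) for s in net.subnets(new_prefix=24)
            if not acl_permits(entries, str(s.network_address + 1))]

def coverage_report(config, number, required):
    """Count of unmatched /24s per required prefix."""
    entries = acl_entries(config, number)
    return {p: len(uncovered(entries, p)) for p in required}

if __name__ == "__main__":
    print("/24 wildcard:", coverage_report(ACL_SLASH24, 2, REQUIRED))
    print("/16 wildcard:", coverage_report(ACL_SLASH16, 2, REQUIRED))
```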

5.3 Network Optimization


Configure R17 as per the following requirements

The output shown below must be seen on R19 during 10 sec after R15
successfully pings interface lo0 of R19

R15# ping 123.19.19.19
!!!!!
R17# sh ip flow top
srcif  srcipadd    destif  destipadd    pr  srcp  dstp  byte
e0/1   123.20.1.9  tun0    123.19.19.9  01  000   000   500

5.3 SOLUTION::::Implement Network Optimization

R17
R17(config)#ip flow-export version 9
R17(config)#ip flow-top-talkers
R17(config-flow-top-talkers)#top 10
R17(config-flow-top-talkers)#sort-by packets
R17(config-flow-top-talkers)#cache-timeout 10
R17(config-flow-top-talkers)#match input-interface ethernet 0/1
R17(config-flow-top-talkers)#match source address 123.20.1.9 255.255.255.255
R17(config-flow-top-talkers)#exit
R17(config)#interface ethernet 0/1
R17(config-if)#ip flow ingress

5.4 Network Services


Configure ACME as per the following requirements

Sw3 must provide an authoritative time source to the ACME network
R10 and R12 must sync their clock to Sw3 using ntpv4 for ipv6
R10 and R12 must operate in client mode
Sw3 must not capture or use any time info that is sent by R12 and R14
All NTP traffic must be sourced and destined to interface lo0 of the
corresponding devices

5.4 SOLUTION::::Implement Network Services

SW3
SW3(config)#ntp master
SW3(config)#ntp source loopback 0
SW3(config)#!
SW3(config)#interface loopback 0
SW3(config-if)#ntp disable ip
SW3(config-if)#end

R10
R10(config)#interface loopback 0
R10(config-if)#ipv6 address 2001:CC1E:BEF:0:123:10:10:10/64
R10(config-if)#IPV6 ospf 1 area 10
R10(config)#ntp source loopback 0
R10(config)#ntp server 2001:CC1E:BEF:0:123:33:33:33
R10(config)#
R11
R11(config)#interface loopback 0
R11(config-if)#ipv6 address 2001:CC1E:BEF:0:123:11:11:11/64
R11(config-if)#IPV6 ospf 1 area 11
R11(config)#ntp source loopback 0
R11(config)#ntp server 2001:CC1E:BEF:0:123:33:33:33
R11(config)#
R12
R12(config)#interface loopback 0
R12(config-if)#ipv6 address 2001:CC1E:BEF:0:123:12:12:12/64
R12(config-if)#ntp disable ip
R12(config-if)#end
R14
R14(config)#interface loopback 0
R14(config-if)#ipv6 address 2001:CC1E:BEF:0:123:14:14:14/64
R14(config-if)#ntp disable ip
R14(config-if)#end
<<NB:PLEASE VERIFY LOOPBACK 0 OR CONFIGURE IN QUESTION 2.9,2.10>>
*********END**********END*********END********END***********
