HCIE-R&S Mock Exam 2 INTERNAL

HCIE-R&S Lab Mock Exam 2

2016-7-21 Huawei Confidential Page 1, Total 12

 HCIE-R&S Mock Exam 2 INTERNAL

2016-7-21 Huawei Confidential Page 2, Total 12

 HCIE-R&S Mock Exam 2 INTERNAL

2016-7-21 Huawei Confidential Page 3, Total 12

 HCIE-R&S Mock Exam 2 INTERNAL

Test Questions: (Y Represents the Rack Number, and X

Represents the Equipment Number)
1. Section 1: Layer 2 Technologies

1.1 VLAN
Create VLANs 4, 5, 27, 42, 58 and 255 on switches SW1, SW2, SW3 and SW4.

SW1-SW4:
vlan batch 4 to 5 27 42 58 255

Add the following access interfaces to VLANs

VLAN Switch Interfaces

4 SW2 Eth0/0/4

5 SW1 Eth0/0/5
SW4 Gi0/0/1, Gi0/0/2

27 SW1 Eth0/0/2
SW3 Gi0/0/1

42 SW1 Eth0/0/4
SW2 Eth0/0/20

58 SW2 Eth0/0/5

255 SW1 Eth0/0/1, Eth0/0/3, Eth0/0/6, Gi0/0/1, Gi0/0/2

SW2 Eth0/0/22
SW3 Eth0/0/20

1.2 Link Aggregation

The E0/0/11 and E0/0/12 interfaces linking SW1 and SW2 should be combined to
form a single logical link, using a dynamic mode and implementing load balancing.

Set the interface rate on these links to 10 Mbit/s.

Ensure the maximum bandwidth on the link between SW1 and SW2 is 20Mbps.

1.3 Mirroring
Incoming and outgoing traffic on G0/0/2 of SW4 should be copied to G0/0/1 for
analysis.

2016-7-21 Huawei Confidential Page 4, Total 12

 HCIE-R&S Mock Exam 2 INTERNAL

1.4 ffic Filtering

Configure G0/0/1 on SW3 to allow only packets with the SOURCE-MAC address
of 54-89-98-CF-2B-0B.

1.5 Trunk
All links between switches SW1, SW2, SW3 and SW4 should be configured as
trunk interfaces. Only VLANs 2 to 4094 should be allowed to pass across these
links.

1.6 MSTP
Switches SW1, SW2, SW3 and SW4 run MSTP as follows.
VLANs 4, 5 and 27 are in instance 10, VLANs 42, 58 and 255 are in instance 20.
Set the MST region name to huawei and revision-level to 10.
Spanning tree path cost calculations, should use Huawei proprietary values.
Configure SW1 to be root for instance 10 and SW2 to be root for instance 20.
Unauthorized switches that connect to G0/0/1 of SW3 must be prevented from
taking over as root bridges.

1.7 Hub-and-Spoke
R1, R5 and R3 use Frame Relay (FR) encapsulation and are connected in hub and
spoke mode with R3 as the hub. Connect R3 to R1 and R5 using P2P
sub-interfaces.
Traffic between R1 and R5 must pass through R3.
Only the DLCIs and IP addresses shown in the topology may be used. Your
configuration should take into account that IS-IS will need to run over these links.
Automatic FR mapping between layer 2 and layer 3 must be disabled.
Spoke devices may not send any multicast traffic to the hub.

1.8 Point-to-Point
The link between R3 and R4 should be configured as FR point to point.
Static layer 3 to layer 2 mapping may not be used on R3 or R4.
Automatic FR mapping between layer 2 and layer 3 must be disabled. On R3 and
R4.
Only the interfaces, DLCIs and IP addresses shown in the topology can be used.

1.9 FR
Perform the necessary configuration on R6 to ensure the following output can be
displayed:
[R6]display fr map-info
Map Statistics for interface Serial1/0/1 (DTE)
DLCI = 116, IP 157.68.1.254, Serial1/0/1
create time = 2013/09/03 16:54:33, status = ACTIVE
2016-7-21 Huawei Confidential Page 5, Total 12
 HCIE-R&S Mock Exam 2 INTERNAL

encapsulation = ietf, vlink = 1, broadcast

1.10 PPP
R4 and R5 are connected through a pair of serial links, which should be combined
using a suitable mechanism to make best use of the bandwidth.
Only the specified IP network may be used for this link.

2. Section 2: IGP

2.1 Basic Configurations

When implementing IP addressing, replace Y with your rack number and replace X
with the device number. For example the device numbers of R1, R2, SW1 and
SW2 are 1, 2, 11 and 22. The IP addresses on all physical interfaces use 24-bit
masks. All routers have Loopback0 interfaces with an IP address of 10.Y.X.X and
a 32-bit mask.
Configure IP addresses on device interfaces as per the information in the IPv4
logical topology diagram.
SW1 VLAN interfaces 27 and 5 should be assigned IP addresses 10.1.22.11/24 and
10.1.21.11/24 respectively. SW2 VLAN interfaces 5, 58 and 255 should be
assigned IP addresses 10.1.21.22/24, 10.1.52.22/24 and 157.68.3.22/24
respectively. SW4 VLAN interface 4 should be assigned IP address 10.1.44.44/24.
The router ID of all routers should be set to the IP address of Loopback0.

2.2 RIP
R4 should run RIPv2 on G0/0/0, summarization should be disabled.
Enable MD5 authentication for RIP update packets, use a password of HW, the
IETF defined format for authentication packets should be used.

2.3 OSPF Basic Configurations

R5 G0/0/1, R2 G0/0/0, SW1 VLAN interfaces 5 and 27 and SW2 VLAN interfaces
5 and 58 are in OSPF area 1. Set the OSPF process ID to Y.
Loopback0 interfaces of R2 and R5 are in OSPF area 1. Ensure they are advertised
with the full 24-bit mask.

2.4 OSPF Optimization

Set the cost of all OSPF interfaces to 10.
Configure MD5 authentication in OSPF area 1, use a password of HW, and do not
use the ospf authentication-mode command.

2.5 OSPF BFD

Implement BFD in OSPF to detect peer failures in less than 1 second. You may not
use the ospf bfd enable command.

2016-7-21 Huawei Confidential Page 6, Total 12

 HCIE-R&S Mock Exam 2 INTERNAL

2.6 IS-IS Basic Configurations

Configure IS-IS with a process ID of Y on routers R1, R3, R4, R5 and R6. All
devices belong to area 49.0001 and have a system ID of 0000.0000.000X..
IS-IS should be enabled on the FR link between R3 and R4.
IS-IS should be enabled on the FR links from R3 to R1 and R5.
IS-IS should be enabled on G/0/0 of R1, R3 and R6.
IS-IS should be enabled on the PPP links from R1 to R3 and R4 to R5.
The Loopback0 networks of R1, R3, R4 and R6 should also be added to IS-IS.

2.7 IS-IS Optimization

The FR link between R1 and R3 should be used as the primary path. Configure R1
to switch to the PPP link 3s after it detects that the FR link is down.

2.8 IS-IS Authentication

Configure MD5 authentication for SNPs and LSPs in the IS-IS area and set the
password to HW.

2.9 IGP Import

Configure full mutual route import between RIP and IS-IS, R4 should summarize
the 10.1.X.X addresses and set the tag to 100. The tag of RIP routes imported into
the IS-IS area should be set to 200.
R5 should generate default routes in both OSPF and IS-IS.
To ensure that the entire network interworking

3. Section 3: EGP

3.1 BGP Neighbor

BGP AS numbers are shown in the IPv4 BGP topology diagram. Use physical
interface addresses to establish BGP peer relationships between SW1 and SW2,
between SW2 and R5, between R6 and BB1 (157.68.1.254), between R6 and BB3
(157.68.3.254), between R1 and BB3 (157.68.3.254) and between R3 and BB3
(157.68.3.254).

3.2 BGP Peer Relationship Optimization

Establish an IBGP peer relationship, using the IP addresses of the directly
connected interfaces between R3 and R5.
R3 acts as a RR for the remaining routers in AS 100. To reduce resource usage in
R3 uses a peer group. The community attribute should be propagated between
group members.
The peer group configuration should include two new routers, which will be added,
with router IDs of 10.1.9.9 and 10.1.10.10. Your configuration should take into
account that these routers have not been deployed yet.
2016-7-21 Huawei Confidential Page 7, Total 12
 HCIE-R&S Mock Exam 2 INTERNAL

R6 should set the next hop address of learned routes to its own IP address.

3.3 BGP Security

Establish an EBGP peer relationship between R4 and BB2 (157.68.2.254). BB2
must think that R4 is in AS number 200, configuring authentication, and set the
password to HUAWEI.

3.4 BGP Filtering

Assume BB2 is configured to deny prefixes from ASs except AS 200 and AS 100.
To ensure connectivity from BB2 to other ASs, change the AS Path in R4.

3.5 BGP Optimization

R5 G0/0/0 and R4 G0/0/1 should be advertised by BGP.
Traffic towards R5 G0/0/0 and R4 G0/0/1 from AS 11 should be forwarded
through BB1 and R6 as the primary path. The MED attribute may not be used to
achieve this.

3.6 BGP AS Control

AS 65530 managed by AS 100 is a private AS number. When BGP updates are
sent from AS 100, the AS Path cannot carry the private AS number. AS path
filtering may not be used to achieve this.

3.7 BGP Aggregation

On R4, aggregate 24 bit prefixes starting with 222.22 and having a community of
22:22 to 222.22.0.0/16.
The aggregated route may only appear in AS 100 and the original community value
must be retained.

4. Section 4: IP Multicast

4.1 PIM
Enable multicast routing on R1, R3, R4, and R5.
Enable PIM-SM on the Ethernet link between R1 and R3, the Frame Relay network
between R3 and R4, and interconnected interfaces between R4 and R5.
Enable PIM-SM on the loopback interfaces of R1, R3, R4, and R5.

4.2 RP Redundancy
Use the IP address of loopback 0 on R1 as a C-RP address to serve group addresses
232.0.0.0-235.255.255.255.
Use the IP address of loopback 0 on R3 as a C-BSR address.
Ensure that R5 can learn the RP address.

2016-7-21 Huawei Confidential Page 8, Total 12

 HCIE-R&S Mock Exam 2 INTERNAL

4.3 IGMP
Enable IGMP on G0/0/0 of R5 and statically bind the interface to group
235.10.10.10.
Change the RPT-to-SPT switchover threshold to ensure that an RPT-to-SPT
switchover will occur when the traffic rate exceeds 64 kbps.
Ensure that R5 can receive multicast traffic from the RP.
Ensure that R1 will be elected as the PIM DR in VLAN 255.

5. Section 5:MPLS VPN

5.1 MPLS
Enable MPLS on R1, R3, and R4, and use the IP address of Loopback0 as the LSR
ID.
Enable label switching on the links between R1 and R3 and between R3 and R4.
Disable label switching on all other links.

5.2 VPN-Instance
On R1: create a VPN instance TEST_R1, and set both RD and RT to 100:11.
Create Loopback1 and set its address to 192.168.100.11/32. Loopback1 belongs to
TEST_R1.
On R3: create a VPN instance TEST_HUB, and set both RD and export RT to
100:33. Create Loopback1 and set its address to 192.168.100.33/32. Loopback1
belongs to TEST_HUB.
On R4: create a VPN instance TEST_R4, and set both RD and export RT to
100:44. Create Loopback1 and set its address to 192.168.100.44/32. Loopback1
belongs to TEST_R4.

5.3 MP-BGP
Use the VPNv4 address family for BGP connections among R1, R3, and R4.
Set the import RT for each VPN instance on R1, R3, and R4 to ensure that
TEST_HUB on R3 can communicate with TEST_R1 on R1 and TEST_R4
on R4 while TEST_R1 on R1 and TEST_R4 on R4 remain isolated from
each other.
The VPN connection between R1 and R3 is not interrupted so long as there
is a reachable route between them.

2016-7-21 Huawei Confidential Page 9, Total 12

 HCIE-R&S Mock Exam 2 INTERNAL

6. Section 6: QoS

6.1 Traffic Classification

Configure G0/0/0 of R4 to re-mark the priority values of 46 and above on received
data packets to 45. Other values must remain unchanged; a traffic policy may not
be used.
Configure SW3 E0/0/13 to mark received frames in VLAN 42 with an 802.1p
priority of 4.
Configure SW3 E0/0/11 to mark received frames in VLAN 58 with an 802.1p
priority of 2.

6.2 Traffic Policing

Configure SW4 E0/0/11 to police inbound traffic in VLAN 255to a rate of 200kbps,
packets exceeding this rate should be discarded. Forwarded packets should be
marked with an 802.1p priority of 3.

Enable traffic statistics collection.

6.3 Traffic Shaping

Three types of traffic is being received from R4, data traffic with a 802.1p value of
2, video traffic with a 802.1p value of 5 and voice traffic with a 802.1p value of 6.
The outbound link to R4 should be shaped to 8Mbps. Outbound traffic should be
placed in interface queues according to the 802.1p values received.
Set the scheduling mode for the link to R4 to WFQ for queues 0 to 5 and PQ for
queue 6 and queue 7. The queue serving data traffic should be shaped to 2Mbps,
the video queue shaped to 4Mbps and the voice queue shaped to 256 kbps.

7. Section 7: Security

7.1 Traffic Suppression

VLAN 255 on SW3 is receiving excessive broadcast traffic. Configure SW3 to
discard broadcast packets when their rate exceeds 500 kbit/s.
On SW4 E0/0/11, limit the rate of ICMP packets to 20 pps,
The network connected to E0/0/11 of SW4 is suffering serious transmission delays.
The administrator finds that E0/0/11 has received a large number of unknown
unicast and multicast packets. Take measures to reduce these delays. The interface
must be blocked when the packet rate exceeds 5000 ps and unblocked when packet
rate is lower than 3000 ps. Enable the log function and set the detection interval to
90 seconds.

2016-7-21 Huawei Confidential Page 10, Total 12

 HCIE-R&S Mock Exam 2 INTERNAL

7.2 DHCP
Configure SW1 to allocate IP addresses to clients connected to VLANIF 27. The
address of the network segment is 10.1.22.0/24; addresses 10.1.22.2 and 10.1.22.11
are reserved. The DNS server is 10.1.22.254 and the lease is 2 days.
The DHCP server should probe an IP address before allocating it to a client, the
maximum number of probe packets sent by the DHCP server should be 10 and the
waiting time to 100ms.
Enable DHCP snooping in VLAN 27 on SW3 to prevent unauthorized DHCP
servers disrupting the network.

7.3 ARP Security

Configure defense against man-in-the-middle attacks in VLAN 27 on SW3.
E0/0/0 of R6 has received a large number of IP packets with unresolvable
destination IP addresses. These packets are sent from 157.68.3.100. Each second,
R6 can only accept a maximum of 40 ARP Miss messages from this IP address and
20 ARP Miss messages from each of the other source IP addresses. In addition,
make sure to avoid the fake ARP packets that will incorrectly update R6's ARP
table.

7.4 IPSG
Configure defense against source address spoofing attacks from VLAN 27 of SW3.
SW3 should discard IP packets with the same source and destination IP addresses.

7.5 Attack Protection

Interface G0/0/0 on R6 has received flooding packets. Take measures on R6 to
address this problem by limiting both the rate of received TCP SYN packets and
rate of ICMP flooding packets to 15000 bit/s each.

8. Section 8: IP Feature

8.1 Packet Analysis

The customer wants to obtain incoming and outgoing traffic on G0/0/0 of R2
within 100s and view traffic information on a terminal. Use the HyperTerminal to
record the output within 100 ms and display the information.

8.2 VRRP
Add R1 and R3 to a VRRP group with IP address 157.68.3.102. Set R1 to master
and preemption delay to 10 seconds. To lessen fault impact on services, configure
ICMP on R1 to monitor packets on R5's S1/0/1 and set the detection interval to 20
seconds. When the packet rate reaches 80%, an active/standby switchover occurs in
the VRRP group.

2016-7-21 Huawei Confidential Page 11, Total 12

 HCIE-R&S Mock Exam 2 INTERNAL

8.3 Network Management

Configure the information center on R3. Output the error messages of the ping
module to the log buffer. Use the default channel.
The network management system uses SNMP to monitor BGP on R1. Configure
R1 to output the error messages of the BGP module to the server with name
SNMPHOST and IP address 157.68.3.101. Use the default channel. Set the user
group name to testgroup and user name to testuser. Use SHA authentication, set the
password to password, and set the name of trap source to SNMPV3. To avoid
impacting service traffic, allow the NMS server to monitor R1 only between
7:00-21:00 on weekends.

8.4 SSH
Set up secure login for users to VTY 0-4 of R6 through R3. The listening port of
R6 is port 1025. Ensure that SFTP and SCP are supported. Use password
authentication and set user name to R3, password to Hellow, and update interval to
24 hours. Give the R3 administrator all configuration rights on R6.

8.5 NTP
R6 has synchronized with the standard clock. Configure the R3 clock to
synchronize with R6. Set the clock stratum to 5, encrypt NTP broadcast traffic on
the LAN with hmac-sha256, set key ID to 16, and set the password to Hello.

2016-7-21 Huawei Confidential Page 12, Total 12