
Just wanted to let you all know that there is a brand new lab coming your way, I'm
calling it K69, because frankly it tossed me right over. No word of lie here, it
will start to come into circulation soon as I think I might have been the first
guinea pig.

I'm going to leave most of the detail out for now, as I need to take a break from
studying for a day or two. From what I can tell you now, it's not an easy one,
particularly with the wording of the questions.

I'll give you a run down on a few things you should consider brushing up on before
attempting your next lab:

MST with CIST
L2 Tunneling/Dot1q Tunneling
PPP over Ethernet
Mutual Redistribution between EIGRP & OSPF on two separate routers (catering for
route feedback, etc.)
Redistribution from BGP into IGP (in this case OSPF)
Private VLANs with 2 community VLANs, an Isolated VLAN and a Promiscuous port
QOS - one simple policy-map limiting bandwidth (not allowed policing, so I used
shaping - applied to all other interfaces but where it was received)
QOS - 5 classes, matching precedences, but can't remember the full question here
SNMPv3 & SNMPv2c - assigning user to a group with separate community views
Multicast - No RP, but limiting certain multicast groups from different users
RIP Authentication - showing an existing hidden key-chain and completing the rest
of the config

Initial Faults
Guard root on SW1 trunk ports
DHCP snooping/ARP inspection on VLAN17 on SW2

Hope this helps guys, as said I won't be back on here for a day or two, but just
thought I would give you the heads up.

Hey Guys

As promised, I have compiled a Layer 2 & Layer 3 diagram of what I remember from
the Lab. Please bear in mind that this might not be 100% correct, particularly, I
can't remember whether the link between R3 and R5 was a Serial or an Ethernet
(Vlan35), but after drawing up the Layer 2 diagram, it seemed more likely that it
was a Serial.

With regards to the redistribution, I can't remember all the redistribution points
from the lab, but I can be sure that there was mutual redistribution on R2 and R3
between OSPF & EIGRP YY. Then EIGRP 100 to EIGRP YY (it might have been mutual
as well). Also on either R1 or R2 BGP needed to be redistributed into OSPF YY Area 1
(not sure if it was on both). Hopefully going forward this can be clarified by
people that get this lab coming up.

I'm seeing a lot of doubt on whether this is true, also bearing in mind that I have
very few posts on this forum, I would also be a bit sceptical myself (I know that
before I wrote last week, I didn't even want to read the forum, worried that
someone might throw out a rumor of a new Config/TS lab which might break my focus,
but I can assure you I have followed this forum for some time and I appreciate
everyone's input which has helped me along the way). I haven't found much reason to
post previously, but when I got this lab on my second attempt and not seeing it
anywhere on the forum, I thought I'd give back to the community as others have done
for me.
I hope these diagrams can help as a stepping stone to understanding what to expect
from this Lab. Oh and IMHO, I think they might start to phase out K4, rather than
K2, as K4 looks to be the easier of all the labs, just my 0.2c

Layer 2 tunnel (switchport mode dot1q-tunnel)
Zone based firewall
a lot of QOS classes
SNMPv3 and v2 (very complicated question and I know this topic very well but still)
IPv6 is small (2 routers and 2 switches)
OSPFv3 with IPsec authentication
PPPoE

Guys, I am a CCIE Security candidate. I can help you with the PVLAN, Zone-Based
firewall and SNMPv3 (maybe) questions. We have a PVLAN question which seems very
similar. Also, this is new Cisco practice to ask ambiguous questions which would not
make much sense and give very unclear requirements. The same is happening in
CCIE Sec.

! Private VLANs require VTP transparent (or VTPv3) on the switch
vtp mode transparent
!
! Primary VLAN 33 carries the gateway; the secondaries hang off it
vlan 33
 name vlan_33
 private-vlan primary
!
! Community VLANs: members talk to each other and to promiscuous ports only
vlan 301
 name email-servers
 private-vlan community
!
vlan 302
 name employee
 private-vlan community
!
! Isolated VLAN: members talk to promiscuous ports only, never to each other
vlan 303
 name guest
 private-vlan isolated
!
! Bind the secondaries to the primary (keyword is "association", not hyphenated)
vlan 33
 private-vlan association 301-303
!
! The SVI acts as the promiscuous port for routed traffic; local-proxy-arp lets
! hosts in different secondaries reach each other via the gateway if required
interface vlan 33
 ip address xx.xx.yy.zz 255.255.255.0
 private-vlan mapping 301-303
 ip local-proxy-arp
!
! Host and promiscuous ports (port numbers below are placeholders, not from the lab)
interface fa0/5
 switchport mode private-vlan host
 switchport private-vlan host-association 33 301
!
interface fa0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 33 301-303

private vlans, zone based firewall, MST, 4 backbone routers, dot1q tunnel

I have reformatted this to give a better structure:

Vlans
Vlan17 - Between R1 & SW2
Vlan29 - Between R2 & SW4
Vlan34 - Between R3 & R4
Vlan38 - Between R3 & SW3
Vlan45 - Between R4 & R5
Vlan56 - Between R5 & SW1
Vlan67 - SVI Between SW1 & SW2
Vlan89 - SVI Between SW3 & SW4
Vlan100 - Between R1 & BB1
Vlan200 - Between R2 & BB2
Vlan300 - Between SW3 & BB3
Vlan333 - Customer Vlan
Vlan666 - Carrier Vlan
Vlan999 - Unused ports Vlan

Initial Faults
Guard root on SW1 trunk ports
DHCP snooping/ARP inspection on VLAN17 on SW2

Topics Covered
MST with CIST
L2 Tunneling/Dot1q Tunneling
PPP over Ethernet
Mutual Redistribution between EIGRP & OSPF on two separate routers (catering for
route feedback, etc.)
Redistribution from BGP into IGP (in this case OSPF)
Private VLANs with 2 community VLANs, an Isolated VLAN and a Promiscuous port
QOS - one simple policy-map limiting bandwidth (not allowed policing, so I used
shaping - applied to all other interfaces but where it was received)
QOS - 5 classes, matching precedences, but can't remember the full question here
SNMPv3 & SNMPv2c - assigning user to a group with separate community views
Multicast - No RP, but limiting certain multicast groups from different users
RIP Authentication - showing an existing hidden key-chain and completing the rest
of the config

Scenarios
Section 1 - Layer 2
All Odd VLANs should be in MST instance 1 and Even in MST instance 2 with CIST
VLANs
On Switch trunks use native VLAN999 and ensure that native VLANs are tagged
All unused access-ports should be shutdown and put into VLAN999 (unused ports vlan)
A dot1q tunnel needs to be configured from SW1 to SW2 via one of their trunk ports
- F0/19. SW1 should see SW2 directly via CDP on this interface. VLAN 333 should be
configured on both SW1 and SW2 with a particular IP address provided. VLAN 666
should be used for the Carrier VLAN for this dot1q tunnel. VLAN 333 should only be
seen on SW1/SW2. VLAN 666 should only be present on SW3/SW4 and the trunks between
them.

Section 2 - Layer 3
R2 & R3 should only see VLAN300 and routes learnt from BB3 as EIGRP External routes
Mutual Redistribution between EIGRP YY and OSPF Area 1 on both R2 & R3 (No prefix-
lists or access-lists are allowed to be used for route filtering)
Router 3 must be the route-reflector and R1/R2/R5 should be the route-reflector-
clients.
Router 2 should prefer external routes via AS254, but should fall back to BGP best
path selection of 'internal vs external'.
Router 3 should prefer AS254 routes through R2, this configuration should not
affect how other routers get to AS254.
Redistribution between BGP and OSPF on R1 & R2

Section 3 - IPv6 & Multicast
IPv6 - Setting up Global unicast IPs on every interface on R1 & R5, SW1 & SW2
(basically within OSPF Area 0), so Serial between R1 & R5, Ethernets between these
routers and switches as well as the loopback of each. Ensuring ping connectivity
from any of these devices to each other.
Address numbering to follow:
(YY - Rack number, HH - interface IPv4 3rd octet, ZZ - interface IPv4 4th octet)
Interfaces - 2001:YY:HH::ZZ/64
Loopbacks - 2001:YY:HH::ZZ/128

Section 4 - Advanced Services
An output for the 'show policy-map type inspect' command reveals a policy named
'A_B' with class-map 'A_B' matching particular traffic as well as a class-default
class with WFQ. They ask to configure ZBF from scratch using the exact naming
convention in the output to ensure that when this command is run, it produces the
same output.
SNMP - implementing v3 with a user "ccie" assigned to group "admin", with 2
separate community views for read and write access. Specific MIBs should be matched
within SNMP, the one was 'ISO', the other I can't remember. A separate v2c
instance for "nms" should also be created.
RIPv2 - On R4, you would need to do a "show key-chain rip" (key-chain name was
"rip" and the actual key once displayed was "HideRIPKey" or something similar).
Then completing the configuration on R4 for RIP authentication as well as
completing the configuration on R5 with the same key-chain to be configured.

Section 5 - Optimize the Network
QOS - 2 separate questions, one asking to match traffic from BB2 and limiting this
traffic into the rest of the network down to 128k. Not allowed to use policing, so
I used shape peak or maybe I could have used shape average... You can't apply
shaping inbound, so the shaper has to be applied to every interface that the
traffic could be sent to (i.e. 2 Serials and one ethernet to SW4)

The other QOS question asks to create classes for each type of traffic, they give
you a list with which precedence values should be under each class (i.e.
Control, Voice, Video, Critical, Business, Internet - everything else). This was
the last question I was working on before my time was up, so I didn't quite
remember what they wanted to do with this traffic classification.

As stated before, the material above is not 100% accurate, I tried my best to
capture what I remember. I will continue to post more detail as we get more
feedback from other candidates.
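The IPv6 numbering rule from Section 3 above, as an added example that is not part of the post: a small Python helper that derives each interface's lab IPv6 address from its IPv4 address and rack number, and checks that both ends of a link land in the same /64 before anyone starts troubleshooting pings. The rack number, IPv4 addresses and link names below are constructed, and the digits-as-hextets reading of 2001:YY:HH::ZZ is an assumption.

```python
import ipaddress


def lab_ipv6(rack: int, ipv4: str, loopback: bool = False) -> ipaddress.IPv6Interface:
    """Derive the lab IPv6 address from the interface's IPv4 address.

    Scheme from the post: 2001:YY:HH::ZZ, with YY = rack number, HH = IPv4 third
    octet, ZZ = IPv4 fourth octet; /64 on links, /128 on loopbacks. The octets
    are copied as the same digits into the hextets (assumption: the post does
    not say whether they are meant as decimal or hex digits).
    """
    octets = ipaddress.IPv4Address(ipv4).packed
    hh, zz = octets[2], octets[3]
    prefix = 128 if loopback else 64
    return ipaddress.IPv6Interface(f"2001:{rack}:{hh}::{zz}/{prefix}")


def address_plan(rack: int, interfaces: dict) -> dict:
    """interfaces: {name: (ipv4, is_loopback)} -> {name: IPv6Interface}."""
    return {name: lab_ipv6(rack, v4, lo) for name, (v4, lo) in interfaces.items()}


def link_mismatches(plan: dict, links: list) -> list:
    """Return the links whose two ends do not share the same /64.

    A mismatch means the two devices are not on-link to each other, so the
    'ping any device from any device' requirement fails before OSPFv3 even forms.
    """
    return [(a, b) for a, b in links if plan[a].network != plan[b].network]


# Constructed sample: rack 12, a few Area 0 interfaces. The R5 Fa0/1 entry has a
# transposed third octet (65 instead of 56) to show the check catching it.
SAMPLE_IFACES = {
    "R1 S0/0": ("150.12.15.1", False),
    "R5 S0/0": ("150.12.15.5", False),
    "R1 Fa0/0": ("150.12.17.1", False),
    "SW2 Vlan17": ("150.12.17.8", False),
    "R5 Fa0/1": ("150.12.65.5", False),
    "SW1 Vlan56": ("150.12.56.7", False),
    "R1 Lo0": ("150.12.1.1", True),
    "R5 Lo0": ("150.12.5.5", True),
}
SAMPLE_LINKS = [
    ("R1 S0/0", "R5 S0/0"),
    ("R1 Fa0/0", "SW2 Vlan17"),
    ("R5 Fa0/1", "SW1 Vlan56"),
]

if __name__ == "__main__":
    plan = address_plan(12, SAMPLE_IFACES)
    for name, addr in plan.items():
        print(f"{name:12} {addr}")
    print("links with mismatched /64:", link_mismatches(plan, SAMPLE_LINKS))
```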

===================================================================================

1. PPPoE: R4 should be the server and R5 should be the client
2. Zone-based firewall on R1, there is an output for it and they are asking
for it to be the same.
3. MST configuration: odd ones to MST 1, even ones to MST 2 and all of the
others to MST 3
4. EtherChannel between SW1 and SW2, 802.3ad, SW2 shouldn't actively start it.
5. Faults: guard root on trunk links on SW4 and VTP passwords
6. Maximum 5 prefixes are allowed, otherwise it should send a message. Don't use
BGP peer group.
7. R4 and R5 should only talk to each other, not even to other clients of VLAN
45; there are two other (unused) ports in VLAN 45, they should also talk only to
each other. (R4 and R5 should only talk to each other via VLAN 45, they can't talk
to any other client in VLAN 45. And the two other unused ports that were
assigned to VLAN 45 should do the same.) [==> This is a private VLAN question]
8. IPv6 OSPFv3 2001
9. QoS based on precedence, just use match for precedence.
10. Some traffic from a specific IP address behind BB1 to OSPF Area 0
addresses, it's malicious traffic so limit it to 128k.
11. VLAN 666 can be just on SW1 and SW2, and 333 should be carried under that
VLAN. (CDP and STP information should also pass)
12. Native VLAN 999 should be tagged.
13. Unused VLAN 999: all unused ports should be defined as access ports in
VLAN 999.
14. OSPF router-id Lo0
15. SNMPv3 read/write admin group and one of them should view the ISO MIB and one
of them the system MIB. It should use authentication.
16. HSRP configuration. But not a hard one, with preemption and tracking.

There are some classes that you should define and you can only use precedence as a
match criterion and limit their traffic to specific rates.

===================================================================================
BGP
Layer 3 BGP
- Configure R3 as the RR, do not use peer group
- Updates should be sent from Lo0
- R1 should choose routes to AS254 based on 'internal/external' criteria
- R3 should select R1 for routes to AS254, changes cannot impact any other
BGP peers // weight ???
- Redistribute OSPF into BGP in R1/R2 // resulted in RIB failure in the BGP
domain
- R2 should 'initial RIB marker' something something with R3 or BB2 ???
- You can only change OSPF cost in one interface (No idea why they mentioned
this ???)
// r2 receiving routes from bb2 with AS 254
// r1 receiving routes from bb1 with AS 254 253
// AS254 routes
197.68.1.0/24
197.68.4.0/24
197.68.5.0/24
197.68.21.0/24
197.68.22.0/24
R2#
! Match the AS254 prefixes listed above (a 0.0.8.0 wildcard would only match
! 197.68.0.0 and 197.68.8.0, none of them)
access-list 1 permit 197.68.0.0 0.0.255.255
!
! Prepend one AS to the routes learnt from BB2 so their AS-path length equals the
! "254 253" path R1 hears from BB1; with the earlier tie-breakers equal, R1 then
! prefers its own eBGP (external) path over the iBGP path via R2
route-map AS_PREPEND permit 10
 match ip address 1
 set as-path prepend 253
!
router bgp 5
 neighbor 150.2.5.254 remote-as 254
 neighbor 150.2.5.254 route-map AS_PREPEND in
// r1 chooses external since all other criteria match

===================================================================================
PPPoE
Layer 2 - PPPoE
-configure PPPoE between R3-R4
-configure R3 (or R4) as the PPPoE server
-configure R4 (or R3) as the PPPoE client
-ensure R4 always gets the same IP address, cannot use DHCP
-ensure no interleaving in PPPoE
-there were one or two more PPPoE options required, but forgot

Layer 3 - OSPF
-in case R1/R5 goes down, ensure R4 can still reach all OSPF networks via R3 //
virtual-links from R3 to R5 and R1 ???

Layer 3 - RIP
-redistribute OSPF routes into RIP in R5
-ensure R4 accesses SW1 Lo0 via R5 but all other routes should go through R3
===================================================================================
QoS
Optimize Network
We need to shape all traffic from BB2 to the network to 128K; on the router I don't
see any way we could do it.
However we can use the port on the switch connecting R2 to BB2.
Using SRR shape:
bandwidth = interface-speed / weight
128 kbps = 10 Mbps / weight
speed = 10 Mbps
weight = 10000 / 128 ≈ 78

configure on SW2:

! access switchport connecting R2 to vlan 200
int fa0/1
 speed 10
 srr-queue bandwidth shape 78 0 0 0

===================================================================================
MULTICAST
The Multicast requirements were between R3-R5

1st part
-cannot use any RP (so I configured PIM dense mode on the PPP link between R3 and
R5)
-multicast is sourced from Lo0 on R3 and the receiver was R5 fa0/0 (225.1.1.1)
-ensure unnecessary flooding/pruning does not occur
-ensure that only R3 Lo0 (yy.yy.3.3) is allowed to send multicast 225.1.1.1

2nd part
-in the future, other users on R5 fa0/0 are planning to join 225.1.1.2 and
225.1.1.3
-these users are IGMPv2
-ensure these users can only access these two multicast streams

I used IGMP ACLs to lock these down but don't think I got the answers correct.

===================================================================================