
Section 1 - Layer 2

1.1 Troubleshoot Layer 2 Switching

A VLAN access map named CCIE that denies OSPF is in the pre-configuration; only the action was changed from drop to forward.
The section says trunk ports are preconfigured, but check all switches, because not every switch has its trunk ports preconfigured, and those ports will go err-disabled later.
Some trunk ports are preconfigured with spanning-tree guard root. Remove it.

1.2 Implement Access Switch Ports of Switched Network

Configure all of the appropriate non-trunking switch ports on SW1 – SW4 according to the following
SW1 is the server for the VLAN Trunking Protocol version 2 domain "CCIE" (VTP password "cisco")
SW2, SW3, SW4 are expecting SW1 to update their VLAN database when needed
Configure the VLAN ID and Name according to the table below (case sensitive)
Configure the access ports for each VLAN as per the diagram
Using a single command ensure that all access ports are transitioned to forwarding state as quickly as possible
Using a single command ensure that the interface is forced into the err-disabled state if a BPDU is received on any port
Ensure that any BPDU received by the access ports facing the backbone devices (and only these devices) has no effect on your spanning tree decision
Don’t forget to configure the Layer 3 interfaces and to include SW1’s port fa 0/4 into VLAN 44

VLAN ID   VLAN Name
11 VLAN_11_BB1
22 VLAN_22_BB2
33 VLAN_33_BB3
42 VLAN_42_R2-SW4
44 VLAN_44_R4
55 VLAN_55_R5-SW2
123 VLAN_123_SWITCHES
999 VLAN_RSPAN

SW1
vtp domain CCIE
vtp password cisco
vtp version 2
vtp mode server

SW2 SW3 SW4
vtp mode server
vtp domain CCIE
vtp password cisco
vtp version 2
vtp mode client

SW1 SW2 SW3 SW4
spanning-tree portfast default
spanning-tree portfast bpduguard default

(NOTE: if the backbone port fa0/10 on SW3 starts in err-disabled state, don’t use bpdufilter enable; use the following instead:
SW1 – SW4
interface fa0/10
spanning-tree bpduguard disable
!
spanning-tree portfast bpduguard default   (global configuration)
!
interface fa0/10
spanning-tree guard root )

Or

SW1 SW2 SW3
interface fa0/10
spanning-tree bpdufilter enable

Note: There is a BB on SW4 fa0/10; this port will go err-disabled in future, but this is not important because there is no device there on the topology diagram.

1.3 Spanning-Tree Domains for Switched Network

Configure the switches according to the following requirements:
Each of the following sets of VLANs must share a common spanning tree topology
Spanning-Tree Topology 1 : 11,22,33 (all VLANs towards backbone links)
Spanning-Tree Topology 2 : all other VLANs used throughout the exam
Default spanning Tree Topology: All other VLANs


Ensure that SW1 is the Root Switch for Instance 1 and the Backup for Instance 2
Ensure that SW2 is the Root Switch for Instance 2 and the Backup for Instance 1
Configure to 30 seconds the time that all switches wait before their spanning-tree processes attempt to re-converge if they didn’t receive any spanning-tree configuration message

SW1, SW2, SW3, SW4
spanning-tree mode mst
spanning-tree mst configuration
name cisco
revision 1
instance 1 vlan 11, 22, 33
instance 2 vlan 10, 42, 44, 55, 123, 999
!
spanning-tree mst max-age 30

SW1
spanning-tree mst 1 root primary
spanning-tree mst 2 root secondary

SW2
spanning-tree mst 2 root primary
spanning-tree mst 1 root secondary

++1.3 Spanning-Tree Domains for Switched Network

Configure the switches according to the following requirements.

- Each of the following sets of VLANs must have one instance per VLAN
- Ensure that SW1 is the root switch, SW2 is backup switch for odd VLANs
- Ensure that SW2 is the root switch, SW2 is backup switch for even VLANs
- Configure to 30 sec the time all switches wait before their spanning-tree process attempts to reconverge if it didn’t receive any spanning-tree configuration message.
- Configure instance per VLAN and rapid transition for forwarding
- The bridge ID priority of the VLAN between R2 and SW4 must be 12330 on SW2.

Solution:
On SW1 / SW2
spanning-tree mode rapid-pvst

SW1
spanning-tree vlan 1,11,33,55,123,999 root primary
spanning-tree vlan 22,42,44 root secondary

SW2
spanning-tree vlan 22,42,44 root primary
spanning-tree vlan 1,11,33,55,123,999 root secondary
spanning-tree vlan 42 priority 12288   (12330 – 42 = 12288; the configured priority is the bridge ID priority minus the VLAN number, which is the extended system ID)

1.4 Switch Trunking and Ether Channel

Use the following requirements to configure the Etherchannel of SW1, SW2, SW3 and SW4:
Use encapsulation 802.1q
Configure the Industry standard Etherchannel between SW1 and SW2.
Configure the Cisco proprietary Etherchannel between SW3 and SW4.
Ensure that SW1 and SW3 initiate the negotiation and SW2 and SW4 do not start the negotiation

Note: Check all trunk ports on all switches with “sh run” and the interfaces with “sh int status”. There may be err-disabled or suspended ports.

SW1, SW2, SW3, SW4
interface range fastethernet 0/19-24
switchport trunk encapsulation dot1q
switchport mode trunk

SW1
interface range fa0/23-24
channel-protocol lacp
channel-group 12 mode active

SW2
interface range fa0/23-24
channel-protocol lacp
channel-group 12 mode passive

SW3
interface range fa0/23-24
channel-protocol pagp
channel-group 34 mode desirable

SW4
interface range fa0/23-24
channel-protocol pagp
channel-group 34 mode auto

1.5 Spanning-Tree Tuning

Ensure that the port fa0/20 is in the forwarding state rather than the blocking state for MST 1 on SW3.
Ensure that the port fa0/20 is in the forwarding state rather than the blocking state for MST 2 on SW4.
You must do this without changing any configurations on SW3
Use the highest numerical value to complete.

SW1
interface fastethernet 0/19
spanning-tree mst 1 port-priority 240

SW2
interface fastethernet 0/19
spanning-tree mst 2 port-priority 240

++1.5 Spanning-Tree Tuning

Configure the spanning-tree topology according to the following requirement without configuring anything on SW4.
- Make sure that port Fa0/20 is forwarding for the spanning-tree topology rather than blocking for even VLANs on SW4.
- Use the highest numeric values to achieve this task.

SW2
interface fa0/19
spanning-tree vlan 22,42,44 port-priority 240

1.6 RSPAN

Any traffic received from VLAN_BB1 and VLAN_BB2 must be replicated to a traffic analyzer connected to SW4 Fa0/15 via VLAN 999
You need to monitor any future interfaces connecting to VLAN_BB1 and VLAN_BB2
Any traffic flowing through the trunk between SW3 and SW4 must be replicated to another traffic analyzer connected to SW4 Fa0/16
There should not be any configuration regarding this on SW3.
Don’t create any new VLAN while configuring this

SW1
vlan 999
remote-span
!
monitor session 1 source vlan 11 rx
monitor session 1 destination remote vlan 999

SW2
monitor session 1 source vlan 22 rx
monitor session 1 destination remote vlan 999

SW4
monitor session 1 source remote vlan 999
monitor session 1 destination interface fastEthernet 0/15
!
monitor session 2 source interface port-channel 34 both
monitor session 2 destination interface fastEthernet 0/16
!
interface range fa 0/15 - 16
no shutdown

1.7 PPP & CHAP

R4 must require R1 and R2 to authenticate using CHAP, but R1 and R2 must not require R4 to authenticate
R1 and R2 cannot use ppp chap hostname; they can use ppp chap password with "CCIE".
Make sure that all CHAP passwords are shown in clear in the configuration
Use the radius server at YY.YY.44.200 as authentication server and fall back to the local AAA database in case the server is unreachable
Use CISCO as the key required by the Radius server
Make sure AAA authentication does not affect any console or line VTY from any PPP devices (ensure that there is no username prompt either)
Use only the default method list for both console and line VTY.

R4
no service password-encryption
aaa new-model
aaa authentication login default line none   /* "none" is required at the end only if no line password is configured */
aaa authentication ppp default group radius local-case
!
radius-server host YY.YY.44.200 key CISCO
!
username <Hostname of R1> password 0 CCIE
username <Hostname of R2> password 0 CCIE
!
interface s0/0/0
encapsulation ppp
ppp authentication chap default
!
interface s0/0/1
encapsulation ppp
ppp authentication chap default

R1 & R2
no service password-encryption
interface s0/0/0
encapsulation ppp
ppp chap password 0 CCIE

Note: If the question says to use AAA list name R1 and R2 for
authenticating R1 and R2 respectively, use the below configuration

R4
aaa new-model
aaa authentication login default line none   /* "none" is required at the end only if no line password is configured */
aaa authentication ppp R1 group radius local-case
aaa authentication ppp R2 group radius local-case
radius-server host YY.YY.44.200 key CISCO
!
username <Hostname of R1> password 0 CCIE
username <Hostname of R2> password 0 CCIE
!
interface s0/0/0
encapsulation ppp
ppp authentication chap R1
!
interface s0/0/1
encapsulation ppp
ppp authentication chap R2

R1 & R2
interface s0/0/0
encapsulation ppp
ppp chap password 0 CCIE
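The reason task 1.7 insists on `password 0` (a recoverable secret) rather than a one-way hashed `secret` is visible in how CHAP itself works: the authenticator has to recompute MD5(id || secret || challenge) for every login, so it needs the secret itself, not a hash of it. The following Python model of the R4 / R1 exchange is an added example, not code from the workbook; the hostnames, the 16-byte challenge length and the use of os.urandom for the challenge are assumptions made for the demo.

```python
"""Added example (not from the lab workbook): a model of the PPP CHAP
exchange that R4 (authenticator) runs against R1/R2 (peers) in task 1.7,
written to show why the authenticator keeps the shared secret in
recoverable form. Hostnames, challenge length and the secret are demo
values; the message format follows RFC 1994."""
import hashlib
import hmac
import os

# Constructed user database, the equivalent of R4's
#   username <Hostname of R1> password 0 CCIE
# entries. The secret must be available in plaintext because CHAP hashes
# it together with a fresh challenge on every authentication attempt.
USER_DB = {"R1": b"CCIE", "R2": b"CCIE"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def authenticator_challenge(length: int = 16) -> bytes:
    """R4's side: an unpredictable challenge per attempt (os.urandom is an
    assumption of this demo; the point is that it must never repeat)."""
    return os.urandom(length)


def peer_answer(name: str, secret: bytes, identifier: int, challenge: bytes):
    """R1/R2's side: (Name, Value) as carried in the CHAP Response packet.
    `name` is the router hostname; the task forbids overriding it with
    'ppp chap hostname', so it is always the real hostname here."""
    return name, chap_response(identifier, secret, challenge)


def authenticator_verify(name: str, response: bytes, identifier: int, challenge: bytes) -> bool:
    """R4 recomputes the expected value from its local copy of the secret.
    hmac.compare_digest avoids a timing side channel on the comparison."""
    secret = USER_DB.get(name)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def run_exchange(peer_name: str, peer_secret: bytes, identifier: int = 1) -> bool:
    """One full Challenge -> Response -> Success/Failure round trip."""
    challenge = authenticator_challenge()
    name, response = peer_answer(peer_name, peer_secret, identifier, challenge)
    return authenticator_verify(name, response, identifier, challenge)


if __name__ == "__main__":
    print("R1 with correct secret:", run_exchange("R1", b"CCIE"))
    print("R1 with wrong secret:  ", run_exchange("R1", b"wrong"))
```

Because the secret never crosses the link, only the challenge and the MD5 value do, a response captured once cannot be replayed against a new challenge, which is what the second assertion in the test below checks. It also shows why `username ... secret` (MD5-hashed, non-recoverable) cannot be used for CHAP on the authenticator, and why the task asks for the password to stay readable in the configuration.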

Section 2 – Layer 3 Technologies

2.1 Configure OSPF Area 0, 142 and 51 as per diagram

OSPF process ID can be any number
Router ID must be stable and must be configured using the IP Address of Lo0
Lo0 interfaces must be advertised in the OSPF area as shown in the IGP topology diagram and must appear as /32 routes
Ensure that all switches attached to the VLAN 123 exchange routing updates primarily with SW1 and then SW2 (in case SW1 goes down). Use highest numerical values
Make sure that all 3 prefixes for the backbone links (150.BB.YY.0/24) appear as OSPF External Type 2 routes in the routing table
Do not create any additional OSPF areas. Do not use any IP address not listed in the diagram

R1
router ospf YY
router-id YY.YY.1.1
network YY.YY.1.1 0.0.0.0 area 142
network YY.YY.14.1 0.0.0.0 area 142
network YY.YY.17.1 0.0.0.0 area 142

R2
router ospf YY
router-id YY.YY.2.2
network YY.YY.24.2 0.0.0.0 area 142
network YY.YY.29.2 0.0.0.0 area 142
redistribute connected subnets route-map BB-TO-OSPF
!
route-map BB-TO-OSPF permit 10
match interface fastethernet 0/1

R3
router ospf YY
router-id YY.YY.3.3
network YY.YY.3.3 0.0.0.0 area 51
network YY.YY.35.3 0.0.0.0 area 51
redistribute connected subnets route-map BB-TO-OSPF
!
route-map BB-TO-OSPF permit 10
match interface fastethernet 0/0

R4
router ospf YY
router-id YY.YY.4.4
network YY.YY.4.4 0.0.0.0 area 142
network YY.YY.14.4 0.0.0.0 area 142
network YY.YY.24.4 0.0.0.0 area 142
network YY.YY.44.4 0.0.0.0 area 142
network YY.YY.144.4 0.0.0.0 area 142

R5
router ospf YY
router-id YY.YY.5.5
network YY.YY.5.5 0.0.0.0 area 51
network YY.YY.35.5 0.0.0.0 area 51
network YY.YY.55.5 0.0.0.0 area 51

SW1
ip routing
router ospf YY
router-id YY.YY.7.7
network YY.YY.7.7 0.0.0.0 area 0
network YY.YY.123.7 0.0.0.0 area 0
network YY.YY.17.7 0.0.0.0 area 142
!
interface vlan 123
ip ospf priority 255

SW2
ip routing
router ospf YY
router-id YY.YY.8.8
network YY.YY.8.8 0.0.0.0 area 0
network YY.YY.123.8 0.0.0.0 area 0
network YY.YY.55.8 0.0.0.0 area 51
redistribute connected subnets route-map BB-TO-OSPF
!
route-map BB-TO-OSPF permit 10
match interface vlan 33
!
interface vlan 123
ip ospf priority 254

SW3
ip routing
router ospf YY
router-id YY.YY.9.9
network YY.YY.9.9 0.0.0.0 area 0
network YY.YY.123.9 0.0.0.0 area 0

SW4
ip routing
router ospf YY
router-id YY.YY.10.10
network YY.YY.10.10 0.0.0.0 area 0
network YY.YY.123.10 0.0.0.0 area 0
network YY.YY.29.10 0.0.0.0 area 142

2.2 – Implement IPv4 EIGRP

Configure Enhanced Interior Gateway Routing Protocol (EIGRP) 100 on SW2 in order to establish an EIGRP neighbor with Backbone 3 in the IGP topology diagram.
BB3 has IP address 150.3.YY.254 and is using AS number 100
Disable auto-summary

SW2
router eigrp 100
no auto-summary
network 150.3.YY.1 0.0.0.0

2.3 – Implement RIP Version 2

I put a line through the sentences which were not in my lab.
Configure RIP Version 2 (RIPv2) between R3 and BB1
RIP updates should be sent only out of the interface per the IGP topology
All RIP updates should be sent as Unicast
R3 must accept from BB1 only the following prefixes
199.172.5.0/24
199.172.7.0/24
199.172.13.0/24
199.172.15.0/24
Use a Standard ACL with a single entry
Disable Auto Summarization

R3
router rip
version 2
no auto-summary
network 150.1.0.0
distribute-list 1 in fastethernet 0/0
!
access-list 1 permit 199.172.5.0 0.0.10.255

++2.3 – Implement RIP Version 2

Configure RIP Version 2 (RIPv2) between R3 and BB1
R3 must accept from BB1 only the following prefixes
199.172.4.0/24
199.172.6.0/24
199.172.12.0/24
199.172.14.0/24
Use a Standard ACL with a single entry
Disable Auto Summarization

R3
router rip
version 2
no auto-summary
network 150.1.0.0
distribute-list 1 in
!
access-list 1 permit 199.172.4.0 0.0.10.255
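A single-entry wildcard ACL like `199.172.5.0 0.0.10.255` works by marking the bits that differ between the wanted prefixes as "don't care", and the danger with this trick is that the entry can silently admit prefixes that were never asked for. The Python below is an added example, not the workbook's: it derives the one-line entry for the prefix lists in 2.3 and ++2.3 (and the two-prefix list used by ACL 2 in 2.4), then enumerates every /24 the entry really permits so an over-permissive filter is caught before it is applied. The prefixes are the tasks' own; the helper names are this example's.

```python
"""Added example (not from the workbook): compute the single standard-ACL
entry that covers a list of /24 prefixes (tasks 2.3 and ++2.3) and list
everything that entry actually permits, using IOS wildcard semantics
(a 1 bit in the wildcard means 'ignore this bit')."""
import ipaddress


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def int_to_ip(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def single_entry(prefixes):
    """Return (address, wildcard) for one 'access-list N permit A W' line
    that matches every prefix in `prefixes`. A bit becomes 'don't care'
    if it differs between any two networks or lies in a prefix's host part."""
    nets = [ipaddress.IPv4Network(p, strict=True) for p in prefixes]
    base = int(nets[0].network_address)
    wildcard = 0
    for n in nets:
        wildcard |= int(n.network_address) ^ base   # bits that vary between nets
        wildcard |= int(n.hostmask)                  # host bits of that prefix
    base &= ~wildcard & 0xFFFFFFFF                   # IOS ignores these bits anyway
    return int_to_ip(base), int_to_ip(wildcard)


def matches(addr: str, base: str, wildcard: str) -> bool:
    """Does `addr` match the ACL entry 'permit base wildcard'?"""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


def permitted_slash24s(base: str, wildcard: str):
    """Enumerate every /24 the entry permits by walking the 'don't care'
    bits in the network part (bits 8..31). Over-permissive entries show up
    here as networks that were not in the original list."""
    b, w = ip_to_int(base), ip_to_int(wildcard)
    b &= ~w & 0xFFFFFFFF
    free_bits = [i for i in range(8, 32) if (w >> i) & 1]
    nets = []
    for combo in range(1 << len(free_bits)):
        n = b
        for j, bit in enumerate(free_bits):
            if (combo >> j) & 1:
                n |= 1 << bit
        nets.append(n)
    return [int_to_ip(n) + "/24" for n in sorted(nets)]


if __name__ == "__main__":
    wanted = ["199.172.5.0/24", "199.172.7.0/24", "199.172.13.0/24", "199.172.15.0/24"]
    addr, wc = single_entry(wanted)
    print(f"access-list 1 permit {addr} {wc}")
    print("permits:", permitted_slash24s(addr, wc))
```

For the 2.3 list the entry comes out as `199.172.5.0 0.0.10.255` and the enumeration returns exactly the four requested networks, so the filter is tight. Contrast that with a list such as 199.172.5.0/24 and 199.172.6.0/24: the derived entry `199.172.4.0 0.0.3.255` also admits 199.172.4.0/24 and 199.172.7.0/24, which is why the enumeration step belongs in any review of a wildcard-based distribute-list.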

2.4 Redistribute RIP into OSPF

Redistribute RIP into OSPF on R3 such that the routing table on R5 contains the following.
O N2 199.172.15.0/24 [110/30]
O N2 199.172.13.0/24 [110/30]
O N1 199.172.7.0/24 [110/XXX]
O N1 199.172.5.0/24 [110/XXX]
O N2 150.1.YY.0 [110/30]
Use a Standard ACL with a single entry

R3
access-list 2 permit 199.172.5.0 0.0.2.255
!
route-map RIP_TO_OSPF permit 10
match ip address 2
set metric-type type-1
route-map RIP_TO_OSPF permit 20

router ospf YY
redistribute rip subnets route-map RIP_TO_OSPF
area 51 nssa

R5
router ospf YY
area 51 nssa

SW2
router ospf YY
area 51 nssa

2.5 Redistribute EIGRP into OSPF

Redistribute EIGRP into OSPF on SW2 such that
Redistributed EIGRP routes must not be advertised into Area 51
Redistributed EIGRP routes must be advertised into Area 0 and 142 as OSPF Type E2
SW2 must advertise an inter-area default route into Area 51 only
Don’t use any route-map and do not add any static route anywhere

SW2
router ospf YY
redistribute eigrp 100 subnets
area 51 nssa no-summary no-redistribution

2.6 Implement IPv4 BGP

Configure iBGP peering for R1, R2, SW2, R3 and R5 as per the
following requirement.
Where possible failure of a physical interface should not permanently
affect BGP peer connections
Minimize number of BGP peering sessions and all BGP speakers in AS
YY except SW2 must have only one iBGP peer
All BGP routes on all devices must be valid routes
Configure BGP as per diagram
BGP routes from BB1 must have community values 254 207 103 in AS
YY
BGP routes from BB2 must have community values 254 208 104 in AS
YY
Make sure that all BGP speakers in AS YY (even R2) are pointing all
BGP prefixes from AS 254 via BB1 only (their BGP next hop must be
the IP address of the backbone devices)

Note: I checked the networks which came from BB1 and BB2; there is already a 254 community, so use "additive" in the route-map.

R1 / R2 / R3 / R5
router bgp YY
bgp router-id YY.YY.R*.R*   (R1, R2, R3, R5)
no auto-summary
no synchronization
neighbor YY.YY.8.8 remote-as YY
neighbor YY.YY.8.8 update-source loopback0
neighbor YY.YY.8.8 send-community

SW2
router bgp YY
no auto-summary
no synchronization
neighbor PEER peer-group
neighbor PEER remote-as YY
neighbor PEER update-source Loopback0
neighbor PEER route-reflector-client
neighbor PEER send-community
neighbor YY.YY.1.1 peer-group PEER
neighbor YY.YY.2.2 peer-group PEER
neighbor YY.YY.3.3 peer-group PEER
neighbor YY.YY.5.5 peer-group PEER

R2
neighbor 150.2.YY.254 remote-as 254
neighbor 150.2.YY.254 route-map SET-COMMUNITY in
!
route-map SET-COMMUNITY permit 10
set community 103 207 additive

R3
neighbor 150.1.YY.254 remote-as 254
neighbor 150.1.YY.254 route-map SET-COMMUNITY in
!
route-map SET-COMMUNITY permit 10
set local-preference 200
set community 104 208 additive

2.9 Implement IPv6

Use any number for the process ID.
OSPFv3 router IDs must be stable and identical to the OSPF v2 router IDs
Configure OSPF Area 0 on the Ethernet segment shared by all switches.
SW1 should control all routing, and SW2 should be the backup for Area 0. (Use largest value)
SW3 and SW4 should not participate in the election.
Configure OSPF Area 142 between R1, R2, R4, SW1 and SW4.
Configure OSPF Area 51 between R3, R5 and SW2.
Add Loopback 8 to SW2 with Global IPv6 Address 2011:CC1E:88:88:88::88/128 and redistribute into OSPFv3 Area 0 which should be seen as OE2 routes.
Configure OSPF filtering to allow SW2 Loopback 8 in Area 0 to go into Area 51, but not Area 142.
There should not be a default route in Area 142

Note: Some router interfaces have preconfigured IPv6 addresses. Check the IPv6 diagram and the devices.

R1
ipv6 unicast-routing
ipv6 cef
!
ipv6 router ospf YY
router-id YY.YY.1.1
!
interface Serial 0/1
ipv6 address FEC1:CC1E:14::1/64
ipv6 ospf YY area 142
!
interface fastethernet 0/0
ipv6 address FEC1:CC1E:17::1/64
ipv6 ospf YY area 142

R2
ipv6 unicast-routing
ipv6 cef
!
ipv6 router ospf YY
router-id YY.YY.2.2
!
interface Serial 0/1
ipv6 address FEC1:CC1E:24::2/64
ipv6 ospf YY area 142
!
interface FastEthernet 0/0
ipv6 address FEC1:CC1E:42::2/64
ipv6 ospf YY area 142

R3
ipv6 unicast-routing
ipv6 cef
!
ipv6 router ospf YY
router-id YY.YY.3.3
!
interface Serial 0/0/0
ipv6 address FEC1:CC1E:35::3/64
ipv6 ospf YY area 51

R4
ipv6 unicast-routing
ipv6 cef
!
ipv6 router ospf YY
router-id YY.YY.4.4
!
interface fastethernet 0/0
ipv6 address FEC1:CC1E:44::4/64
ipv6 ospf YY area 142
!
interface Serial 0/0/0
ipv6 address FEC1:CC1E:14::4/64
ipv6 ospf YY area 142
!
interface serial 0/0/1
ipv6 address FEC1:CC1E:24::4/64
ipv6 ospf YY area 142

R5
ipv6 unicast-routing
ipv6 cef
!
ipv6 router ospf YY
router-id YY.YY.5.5
!
interface Serial 0/0/1
ipv6 address FEC1:CC1E:35::5/64
ipv6 ospf YY area 51
!
interface FastEthernet 0/0
ipv6 address FEC1:CC1E:52::5/64
ipv6 ospf YY area 51

SW1 SW2 SW3 SW4
sdm prefer dual-ipv4-and-ipv6 default
end
write memory
reload

Note: Be careful before reloading the switches and make sure to write the config first.

SW1
ipv6 unicast-routing
ipv6 cef dis
!
ipv6 router ospf YY
router-id YY.YY.7.7
!
interface fastethernet 0/1
ipv6 address FEC1:CC1E:17::7/64
ipv6 ospf YY area 142
!
interface vlan 123
ipv6 address FEC1:CC1E:123::7/64
ipv6 ospf YY area 0
ipv6 ospf priority 255

SW2
ipv6 unicast-routing
ipv6 cef dis
!
interface loopback 8
ipv6 address 2011:cc1e:88:88:88::88/128
!
route-map loopback8 permit 10
match interface loopback8
!
ipv6 router ospf YY
router-id YY.YY.8.8
redistribute connected route-map loopback8
!
interface vlan 55
ipv6 address FEC1:CC1E:52::8/64
ipv6 ospf YY area 51
!
interface vlan 123
ipv6 address FEC1:CC1E:123::8/64
ipv6 ospf YY area 0
ipv6 ospf priority 254

SW3
ipv6 unicast-routing
ipv6 cef dis
!
ipv6 router ospf YY
router-id YY.YY.9.9
!
interface vlan 123
ipv6 address FEC1:CC1E:123::9/64
ipv6 ospf YY area 0
ipv6 ospf priority 0

SW4
ipv6 unicast-routing
ipv6 cef dis
!
ipv6 router ospf YY
router-id YY.YY.10.10
!
interface vlan 42
ipv6 address FEC1:CC1E:42::10/64
ipv6 ospf YY area 142
!
interface vlan 123
ipv6 address FEC1:CC1E:123::10/64
ipv6 ospf YY area 0
ipv6 ospf priority 0

R1 R2 R4 SW1 SW4
ipv6 router ospf YY
area 142 nssa

2.10 Implement Advanced IPv6 feature

In an attempt to reduce link-layer congestion, limit to 4 messages per second the rate at which all IPv6 enabled devices generate all IPv6 ICMP error messages
Enable Netflow for IPv6 on R1 to monitor the traffic leaving Area 142
Export the flows every two hours to the server YY.YY.44.100 (port
9876)
Use R1-Lo0 as source address for the exports
Aggregate the flows per ports and allow up to 20000 entries in the
cache
Inactive entries must be deleted from the cache after 3 minutes of
inactivity

R1 R2 R3 R4 R5 SW1 SW2 SW3 SW4
ipv6 icmp error-interval 250 1

R1
ipv6 cef
!
ipv6 flow-export source Loopback0
!
ipv6 flow-aggregation cache protocol-port
cache entries 20000
cache timeout inactive 180
export template timeout-rate 120
export version 9
export destination YY.YY.44.100 9876
enabled

interface fastethernet0/0
ipv6 flow egress

++2.10 Implement IPv6 Multicast

Configure sparse mode on OSPF area 142 on R1, R2, R4 according to the following requirements.

- Ensure that the multicast stream is a transient one and the scope is 5 (company wide).
- R4 should send the static RP address FEC1:CC1E:44::4 for multicast group FF15:4000:4000
- R1 fa0/0 should join the multicast group FF15:4000:4000
- You should be able to ping the multicast group from R2 fa0/0

R1, R2, R4
ipv6 cef
ipv6 multicast-routing

R4
ipv6 unicast-routing
interface s0/0/0
ipv6 address fec1:cc1e:14::4/64
ipv6 ospf YY area 142
!
interface s0/0/1
ipv6 address fec1:cc1e:24::4/64
ipv6 ospf YY area 142
!
interface fa0/0
ipv6 address fec1:cc1e:44::4/64
ipv6 ospf YY area 142
!
ipv6 router ospf YY
router-id YY.YY.4.4
!
ipv6 pim rp-address fec1:cc1e:44::4 MULTICAST
ipv6 access-list MULTICAST
permit ipv6 any host ff15:4000:4000

R2
ipv6 router ospf YY
router-id YY.YY.2.2
!
ipv6 unicast-routing
interface s0/0/0
ipv6 address fec1:cc1e:24::2/64
ipv6 ospf YY area 142
!
interface fa0/0
ipv6 address fec1:cc1e:42::2/64
ipv6 mld join-group ff15:4000:4000
ipv6 ospf YY area 142
!
ipv6 pim rp-address fec1:cc1e:44::4

R1
ipv6 router ospf YY
router-id YY.YY.1.1
!
ipv6 unicast-routing
interface s0/0/0
ipv6 address fec1:cc1e:14::1/64
ipv6 ospf YY area 142
!
interface fa0/0
ipv6 address fec1:cc1e:17::1/64
ipv6 mld join-group ff15:4000:4000
ipv6 ospf YY area 142
!
ipv6 pim rp-address fec1:cc1e:44::4

Section 3 – IP Multicast Variation

3.1 IPv4 Multicast
Enable multicasting with PIM-SM between Area 142 and Area 0.
There is a multicast source on VLAN 44 and clients are located on the BB3 subnet (150.3.YY.0/24)
Use a non-Cisco-proprietary method to send RP information to the other routers participating in multicast routing.
Configure R1 and R2 loopback0 to be a rendezvous point (RP).
Ensure that R1 is the preferred RP rather than R2.
Simulate clients having sent requests to join the multicast group 239.YY.YY.1.
Make sure R4 f0/0 is able to ping this multicast IP.

++3.1 IPv4 Multicast

Use a dynamic method that supports PIMv1 and PIMv2.
There is a multicast source on VLAN 44 and clients are located on the BB3 subnet (150.3.YY.0/24)
Configure R1 and R2 loopback0 to be a rendezvous point (RP).
Ensure that R2 loopback 0 is the preferred RP but R1 loopback 0 is able to take over in case R1 goes down.
Simulate clients having sent requests to join the multicast group 239.YY.YY.1.
Make sure R4 f0/0 is able to ping this multicast IP.

R1
ip multicast-routing
interface loopback0
ip pim sparse-mode
interface serial 0/0/0
ip pim sparse-mode
interface fastethernet 0/0
ip pim sparse-mode
ip pim rp-candidate loopback0 priority 1

K6++ R1
ip multicast-routing
ip pim autorp listener
!
interface lo0
ip pim sparse-mode
!
interface s0/0/0
ip pim sparse-mode
!
interface fa0/0
ip pim sparse-mode
!
ip pim send-rp-announce lo0 scope 16 group-list LIST
!
ip access-list standard LIST
permit 224.0.0.0 15.255.255.255

R2
ip multicast-routing
interface loopback0
ip pim sparse-mode
interface serial 0/0/0
ip pim sparse-mode
interface fastethernet 0/0
ip pim sparse-mode
ip pim rp-candidate loopback0 priority 2

K6++ R2
ip multicast-routing
ip pim autorp listener
!
interface lo0
ip pim sparse-mode
!
interface s0/0/0
ip pim sparse-mode
!
interface fa0/0
ip pim sparse-mode
!
ip pim send-rp-announce lo0 scope 16 group-list LIST
!
ip access-list standard LIST
permit 224.0.0.0 15.255.255.255

R4
ip multicast-routing
int fa 0/0
ip pim sparse-mode
int se 0/0
ip pim sparse-mode
int se 0/1
ip pim sparse-mode
int lo 0
ip pim sparse-mode
ip pim bsr-candidate lo 0

K6++ R4
ip multicast-routing
ip pim autorp listener
!
interface lo0
ip pim sparse-mode
!
interface s0/0/0
ip pim sparse-mode
!
interface s0/0/1
ip pim sparse-mode
!
interface fa0/0
ip pim sparse-mode
!
interface fa0/1
ip pim sparse-mode
!
ip pim send-rp-discovery lo0 scope 16

SW1
ip multicast-routing
int vlan 123
ip pim sparse-mode
int fa 1/1
ip pim sparse-mode

K6++ SW1
ip multicast-routing distributed
ip pim autorp listener
!
interface lo0
ip pim sparse-mode
!
interface fa0/1
ip pim sparse-mode
!
interface vlan 123
ip pim sparse-mode

SW2
ip multicast-routing
interface vlan 123
ip pim sparse-mode
interface vlan 33
ip pim sparse-mode
ip igmp join-group 239.YY.YY.1

K6++ SW2
ip multicast-routing distributed
ip pim autorp listener
!
interface lo0
ip pim sparse-mode
!
interface vlan 123
ip pim sparse-mode
!
interface vlan 33
ip pim sparse-mode
ip igmp join-group 239.65.65.1

SW3
ip multicast-routing
interface vlan 123
ip pim sparse-mode

K6++ SW3
ip multicast-routing distributed
ip pim autorp listener
!
interface lo0
ip pim sparse-mode
!
interface vlan 123
ip pim sparse-mode

SW4
ip multicast-routing
interface vlan 42
ip pim sparse-mode
interface vlan 123
ip pim sparse-mode

K6++ SW4
ip multicast-routing distributed
ip pim autorp listener
!
interface lo0
ip pim sparse-mode
!
interface vlan 123
ip pim sparse-mode
!
interface vlan 42
ip pim sparse-mode

3.2 PIM Tuning

Ensure PIM register messages reach the RP via SW1.
If SW1 goes down, PIM register messages should reach the RP via one of the switches in Area 0.

SW1
interface vlan 123
ip pim dr-priority <max-value>

SW4
interface vlan 123
ip pim dr-priority <(max-value) - 1>

++3.2 PIM Tuning

Ensure PIM register messages reach the RP via SW1.
If SW1 goes down, PIM register messages should reach the RP via one of the switches in Area 0.
Ensure that VLAN 33 does not receive any RP messages.

SW1
interface vlan 123
ip pim dr-priority <max-value>

SW4
interface vlan 123
ip pim dr-priority <(max-value) - 1>

SW2
access-list 33 deny 224.0.0.39
access-list 33 deny 224.0.0.40
access-list 33 permit any
!
interface vlan 33
ip multicast boundary 33 filter-autorp

Section 4 – Advanced Services

4.1 Network Address Translations (NAT)

You are required to implement NAT. You need to match the output in the screenshots provided.
Do not propagate any prefix from the network 100.0.0.0/8 in any routing protocol.
You are allowed to add one /24 static route in four devices.
Do not add any static route in R4.
Screenshot:

SW1# ping 100.100.42.10 source lo 100
SW4# ping 100.100.17.7 source lo 100

R4# show ip nat translations
Pro  Inside global      Inside local      Outside local      Outside global
icmp 100.100.17.7:N     YY.YY.17.7:0      100.100.42.10:0    100.100.42.10:0
icmp 100.100.17.7:N     YY.YY.17.7:0      YY.YY.42.10:0      YY.YY.42.10:0
---  100.100.17.7:N     YY.YY.17.7        ---                ---
icmp 100.100.42.10:N    YY.YY.42.10:0     YY.YY.17.7:0       YY.YY.17.7:0
icmp 100.100.42.10:N    YY.YY.42.10:0     100.100.17.7:0     100.100.17.7:0
---  100.100.42.10:N    YY.YY.42.10       ---                ---

SW1
interface loopback100
ip address 100.100.17.7 255.255.255.255
ip route 100.100.42.0 255.255.255.0 YY.YY.17.1

R1
ip route 100.100.42.0 255.255.255.0 YY.YY.14.4

SW4
interface loopback100
ip address 100.100.42.10 255.255.255.255
ip route 100.100.17.0 255.255.255.0 YY.YY.42.2

R2
ip route 100.100.17.0 255.255.255.0 YY.YY.24.4

R4
ip nat inside source static YY.YY.17.7 100.100.17.7
ip nat inside source static YY.YY.42.10 100.100.42.10
!
interface serial0/0/0
ip nat outside
!
interface serial0/0/1
ip nat outside

4.2 MLS QoS

Configure your four switches according to the following requirements.
Make sure that ports SW1-f0/1 to SW1-F0/5 are marking all untagged packets to "COS 1"
Make sure that these ports are trusting the COS value if packets are already marked.
Ensure that all switches are queuing packets marked with "COS 1" in the ingress queue #1
Ensure that all switches are queuing packets marked with "COS 5" in the ingress queue #2
Ensure that all switches drop ingress traffic marked with "COS 1" when the respective ingress queue level is between 40 and 100 percent
Ensure that the switches do not drop packets marked with "COS 5" in ingress until the respective ingress queue is completely full
Note: Once you have completed this task, only one entry should be shown when taking the output (show run)

SW1 SW2 SW3 SW4
mls qos
interface range fastethernet 0/19 - 24
mls qos trust cos
!
mls qos srr-queue input cos-map queue 1 1
mls qos srr-queue input cos-map queue 2 5
!
mls qos srr-queue input threshold 1 40 100
mls qos srr-queue input threshold 2 100 100

SW1
mls qos
interface range fastethernet 0/1 - 5
mls qos cos 1
mls qos trust cos

4.3 QoS – Class Based Weighted Fair Queuing (CBWFQ)

The IT administrator requires that you implement QoS.
For traffic coming from BB2 allocate 10000 kbps on R2 f0/0.
For traffic coming from BB1 allocate 1000 kbps on R3 s0/0/0.
This should not affect any traffic other than the traffic entering from these links

R2
class-map BB2
match input-interface fastethernet0/1
!
policy-map BB
class BB2
bandwidth 10000
!
interface fastethernet0/0
service-policy output BB

R3
class-map BB1
match input-interface fastethernet0/0
!
policy-map BB
class BB1
bandwidth 1000
!
interface serial0/0/0
service-policy output BB

4.4 Implement Routing Protocol Authentication

Secure OSPF area 0 according to the following requirement
Use the strongest authentication type
The password must be saved in clear in the config and must be seen as "cisco"
You are not allowed to use any commands in the router configuration

SW1 SW2 SW3 SW4
!
no service password-encryption
!
interface vlan 123
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco

4.5 Implement DHCP

Note: R4 has some config about DHCP. Please check it

R4 has been configured to provide the following parameters for DHCP clients on VLAN 44
IP addresses
DNS servers YY.YY.55.50 and YY.YY.55.51
Domain name cisco.com
Default gateway is YY.YY.44.4
The administrator wants the DHCP deployment to be as secure as possible. Complete the DHCP configuration on R4 and SW1 according to the following requirements
Protect users in VLAN 44 from rogue DHCP servers
Ensure that only R4 services the DHCP requests
Disable the insertion and removal of the option-82 field
Protect the DHCP server from DHCP attacks originating from SW1 port Fa0/14, which may lead to resource exhaustion, and ensure that a maximum of 3 different hosts can still connect to that port (shut down the port when a violation occurs)
Note: make sure that SW1 Fa 0/14 is enabled and provisioned so that the customer only needs to connect the printer to the port

4.6 Implement Layer 2 Security

Continue securing the DHCP deployment according to the following requirements
In the near future the customer will connect a printer to SW1’s Fa0/14 in VLAN 44 and assign it the static IP address YY.YY.44.100. The printer’s MAC address is abcd.abcd.abcd
Ensure that the printer is able to communicate with the users on VLAN 44 and ensure that your solution survives a reload (use the file flash:CCIE.TXT)
Enable a feature on the switch to dynamically protect interface Fa 0/14 against spoofed IP packets and ARP requests

Solution for 4.5 and 4.6 Combined

R4 (preconfigured)
!
ip dhcp pool 44
network YY.YY.44.0 255.255.255.0
default-router YY.YY.44.4
dns-server YY.YY.55.50 YY.YY.55.51
domain-name cisco.com
lease 10 <------------------------------- remove

R4
ip dhcp excluded-address YY.YY.44.4
ip dhcp excluded-address YY.YY.44.100
ip dhcp excluded-address YY.YY.44.200

SW1
ip dhcp snooping
ip dhcp snooping vlan 44
ip dhcp snooping verify mac-address   /* default - won’t show in show run */
ip dhcp snooping database flash:CCIE.TXT
no ip dhcp snooping information option
!
ip arp inspection vlan 44
!
interface fastethernet0/4
ip dhcp snooping trust
ip arp inspection trust
!
interface fastethernet0/14
switchport mode access
switchport access vlan 44
switchport port-security
switchport port-security maximum 3
switchport port-security violation shutdown   /* shut down the port when a violation occurs */
switchport port-security mac-address sticky
ip dhcp snooping limit rate 150   /* prevents resource exhaustion */
ip verify source   /* enable IP Source Guard, for protection against spoofed IP packets */
no shutdown   /* don’t forget this */
end
!
ip dhcp snooping binding abcd.abcd.abcd vlan 44 YY.YY.44.100 interface fastEthernet 0/14 expiry 4294967295   /* exec level command */
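The three features configured on SW1 above share one data structure, the DHCP snooping binding table: snooping populates it from DHCPACKs seen on the trusted port (and the exec-level static entry adds the printer), IP Source Guard checks the source IP of every packet on Fa0/14 against it, and Dynamic ARP Inspection checks the sender MAC/IP pair of every ARP on untrusted ports against it. The model below is an added example, not workbook code; it uses 10.1.44.0/24 in place of the lab's YY.YY.44.0/24, and every MAC, address and packet other than the printer entry from task 4.6 is constructed.

```python
"""Added example (not from the workbook): the binding-table checks that
DHCP snooping, Dynamic ARP Inspection and IP Source Guard ('ip verify
source') perform on SW1 Fa0/14 in tasks 4.5/4.6, modelled in Python.
10.1.44.0/24 stands in for the lab's YY.YY.44.0/24; MACs, addresses and
packets other than the printer entry are constructed."""
from collections import namedtuple

Binding = namedtuple("Binding", "mac ip vlan interface")

DHCP_SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


class SnoopingSwitch:
    """Minimal model of a switch running 'ip dhcp snooping vlan 44',
    'ip arp inspection vlan 44' and per-port 'ip verify source'."""

    def __init__(self, trusted_ports, ipsg_ports):
        self.trusted = set(trusted_ports)   # 'ip dhcp snooping trust' / 'ip arp inspection trust'
        self.ipsg_ports = set(ipsg_ports)   # ports carrying 'ip verify source'
        self.bindings = set()               # the snooping binding database

    def add_static_binding(self, mac, ip, vlan, interface):
        """Equivalent of the exec command
        'ip dhcp snooping binding <mac> vlan 44 <ip> interface Fa0/14 expiry ...'."""
        self.bindings.add(Binding(mac.lower(), ip, vlan, interface))

    def dhcp_server_message(self, port, vlan, msg_type, client_mac, yiaddr, client_port):
        """DHCP snooping: server replies are accepted only from trusted ports;
        a DHCPACK creates a binding for the client. Returns True if forwarded."""
        if msg_type not in DHCP_SERVER_MESSAGES:
            return True                     # client-side messages are not judged here
        if port not in self.trusted:
            return False                    # a DHCP server on an untrusted port: dropped
        if msg_type == "DHCPACK":
            self.bindings.add(Binding(client_mac.lower(), yiaddr, vlan, client_port))
        return True

    def ip_packet_permitted(self, port, vlan, src_ip):
        """IP Source Guard: on an IPSG port the source IP must be bound to
        that port and VLAN, otherwise the packet is dropped as spoofed."""
        if port not in self.ipsg_ports:
            return True
        return any(b.ip == src_ip and b.vlan == vlan and b.interface == port
                   for b in self.bindings)

    def arp_permitted(self, port, vlan, sender_mac, sender_ip):
        """DAI: on untrusted ports the ARP sender MAC/IP pair must exist in
        the binding table for that VLAN and port."""
        if port in self.trusted:
            return True
        return Binding(sender_mac.lower(), sender_ip, vlan, port) in self.bindings


def build_lab_switch():
    """SW1 as configured in the solution: Fa0/4 (toward R4) trusted, IPSG on
    Fa0/14, plus the static binding for the printer from task 4.6."""
    sw = SnoopingSwitch(trusted_ports={"Fa0/4"}, ipsg_ports={"Fa0/14"})
    sw.add_static_binding("abcd.abcd.abcd", "10.1.44.100", 44, "Fa0/14")
    return sw


if __name__ == "__main__":
    sw = build_lab_switch()
    print("printer IP on Fa0/14:", sw.ip_packet_permitted("Fa0/14", 44, "10.1.44.100"))
    print("unbound IP on Fa0/14:", sw.ip_packet_permitted("Fa0/14", 44, "10.1.44.77"))
```

The static binding is what keeps the printer working: it never sends DHCP, so without the exec-level entry IP Source Guard and DAI would have no binding for it and would drop everything it sends on Fa0/14. The `database flash:CCIE.TXT` line in the solution is what lets that table survive a reload.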
4.7 Web Caching Communication Protocol (WCCP)

Configure WCCP on R4 according to the following requirement
There will be a WAAS appliance connected to interface Fa0/1
Any traffic from any client connected to Fa0/0 going out of the 2 serial interfaces must be redirected to the WAAS server on Fa0/1
Traffic redirected from the server to the clients must use WCCP service 61
Traffic redirected from the clients to the server must use WCCP service 62
You are not allowed to modify any configuration of interface Fa0/0

R4
61 = server to client = IN
62 = client to server = OUT
ip cef
ip wccp version 2
ip wccp 61
ip wccp 62
!
interface s0/0/1   (toward R2)
ip wccp 61 redirect in
ip wccp 62 redirect out
!
interface s0/0/0   (toward R1)
ip wccp 61 redirect in
ip wccp 62 redirect out
!
interface fa0/1   (toward the WAAS)
ip wccp redirect exclude in

++WCCP
Configure WCCP on R4 according to the following requirement
There will be a WAAS appliance connected to interface Fa0/1
Any traffic from any client connected to Fa0/0 going out of the 2 serial interfaces must be redirected to the WAAS server on Fa0/1
Traffic redirected from the server to the clients must use WCCP service 61
Traffic redirected from the clients to the server must use WCCP service 62
++Traffic that is being sent from R1 to R2 and from R2 to R1 is not allowed to be redirected.

R4
ip wccp version 2
ip wccp check services all   /* check all configured services for a match and perform redirection for those services */
!
ip wccp 61 redirect-list S_TO_C
ip wccp 62 redirect-list C_TO_S
!
ip access-list extended S_TO_C
permit ip any YY.YY.44.0 0.0.0.255
!
ip access-list extended C_TO_S
permit ip YY.YY.44.0 0.0.0.255 any
!
interface fastethernet 0/0
ip wccp 62 redirect in
!
interface serial 0/0/0
ip wccp 61 redirect in
!
interface serial 0/0/1
ip wccp 61 redirect in
!
interface fastethernet 0/1
ip wccp redirect exclude in
!

Section 5 – Optimize the Network

5.1 Implement SNMP
On R5 implement SNMP to send traps to an NMS system.
Use the community string CiscoWorks.
The NMS system is located at YY.YY.55.240, which is the only SNMP manager that should be able to use this community string
The SNMP manager should be able to modify any MIB on R5.
Configure R5 to send bgp traps.

R5
snmp-server community CiscoWorks RW 10
snmp-server enable traps bgp
snmp-server host YY.YY.55.240 CiscoWorks bgp
!
access-list 10 permit YY.YY.55.240

5.2 Embedded Event Manager

On R3 configure an EEM applet named "CONF_CHANGE" (without the quotes).
The EEM applet should append the output of "show clock" to flash:ConfSave.txt.
The EEM applet needs to activate every time someone makes changes to the configuration.
Also, a syslog informational message has to be generated with the string "Configuration changed" (without the quotes).

R3
logging on
logging console informational
!
event manager applet CONF_CHANGE
event syslog pattern ".*%SYS-5-CONFIG_I:.*Configured from console by console.*"
action 1.0 cli command "enable"
action 2.0 cli command "show clock | append flash:ConfSave.txt"
action 3.0 syslog priority informational msg "Configuration changed"

++ Embedded Event Manager

Solution:
logging on
event manager applet ENABLE_OSPF_DEBUG
event syslog pattern "%OSPF-5-ADJCHG: Process 6, Neighbor 6.6.5.5 on Serial0/0/0 from FULL to DOWN"
action 1.0 cli command "enable"
action 2.0 cli command "debug ip ospf events"
action 3.0 cli command "debug ip ospf adj"
action 4.0 syslog priority informational msg "ENABLE_OSPF_DEBUG"

event manager applet DISABLE_OSPF_DEBUG
event syslog pattern "%OSPF-5-ADJCHG: Process 6, Neighbor 6.6.5.5 on Serial0/0/0 from LOADING to FULL"
action 1.0 cli command "enable"
action 2.0 cli command "undebug all"
action 3.0 syslog priority informational msg "DISABLE_OSPF_DEBUG"
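An EEM `event syslog pattern` is a regular expression that IOS searches for in every syslog message, so the quickest way to check what an applet will and will not fire on is to run the pattern over representative log lines. The Python below is an added example, not workbook code: it applies the patterns from 5.2 and ++5.2 to constructed syslog lines (timestamps, the vty user and the second neighbour are invented) and reports which applet each line would trigger.

```python
"""Added example (not from the workbook): run the 'event syslog pattern'
expressions from 5.2 and ++5.2 over constructed syslog lines with Python's
re module, to see which applet each line would trigger. IOS evaluates the
pattern as a regular-expression search against the message text; the
patterns are the workbook's, the log lines are constructed."""
import re

# The workbook's patterns, verbatim (process number 6 and neighbour
# 6.6.5.5 are the workbook's values).
APPLETS = {
    "CONF_CHANGE": r".*%SYS-5-CONFIG_I:.*Configured from console by console.*",
    "ENABLE_OSPF_DEBUG": r"%OSPF-5-ADJCHG: Process 6, Neighbor 6.6.5.5 on Serial0/0/0 from FULL to DOWN",
    "DISABLE_OSPF_DEBUG": r"%OSPF-5-ADJCHG: Process 6, Neighbor 6.6.5.5 on Serial0/0/0 from LOADING to FULL",
}

# A broader pattern that fires on every configuration change, from any line.
ANY_CONFIG_CHANGE = r"%SYS-5-CONFIG_I:"

# Constructed syslog lines in the shape the workbook's patterns expect.
SAMPLE_LOG = [
    "*Mar  1 00:12:44.120: %SYS-5-CONFIG_I: Configured from console by console",
    "*Mar  1 00:13:02.901: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.55.240)",
    "*Mar  1 00:20:15.331: %OSPF-5-ADJCHG: Process 6, Neighbor 6.6.5.5 on Serial0/0/0 from FULL to DOWN, Neighbor Down: Interface down or detached",
    "*Mar  1 00:21:40.007: %OSPF-5-ADJCHG: Process 6, Neighbor 6.6.5.5 on Serial0/0/0 from LOADING to FULL, Loading Done",
    "*Mar  1 00:22:09.552: %OSPF-5-ADJCHG: Process 6, Neighbor 6.6.3.3 on Serial0/0/1 from FULL to DOWN, Neighbor Down: Dead timer expired",
]


def triggered_applets(line):
    """Names of the applets whose syslog pattern matches this line."""
    return [name for name, pattern in APPLETS.items() if re.search(pattern, line)]


def is_config_change(line):
    """True for any %SYS-5-CONFIG_I message, whatever line it came from."""
    return re.search(ANY_CONFIG_CHANGE, line) is not None


def run(log_lines):
    """Map each log line to the applets it would trigger."""
    return {line: triggered_applets(line) for line in log_lines}


if __name__ == "__main__":
    for line, names in run(SAMPLE_LOG).items():
        print(names or ["-"], line)
```

Two things the run makes visible. First, the 5.2 pattern only matches changes made "from console by console"; a change made over a vty session logs "Configured from console by admin on vty0 (...)" and does not trigger CONF_CHANGE, so for the task's "every time someone makes changes" wording a pattern like `%SYS-5-CONFIG_I:` is the safer choice. Second, the dots in `6.6.5.5` are regex wildcards, which is harmless here but worth escaping when the neighbour address must be matched literally; and the pattern text must match the message the platform actually emits (recent IOS releases log this event with "Nbr" rather than "Neighbor"), so test it against a real log line before relying on it.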
