
SECTION 1.

Configure the ACME headquarters network (AS 12345) as per the following requirements

• The VTP domain must be set to CCIE
• Use VTP version 2
• SW1 must be the VTP server and SW2 must be the VTP client
• Secure all VTP updates with an MD5 digest of the ASCII string "CCIErocks?"
• To keep unknown-unicast flooding in all VLANs as low as possible, the administrator requires that dynamic MAC entries learned by SW1 and SW2 be retained for 2 hours before being refreshed.

Solution:

SW1:
conf t
vtp version 2
vtp mode server
vtp domain CCIE
! press Ctrl+V before typing the ? so the CLI stores it as part of the password instead of showing help
vtp password CCIErocks?
mac address-table aging-time 7200

SW2:
conf t
vtp version 2
vtp mode client
vtp domain CCIE
! press Ctrl+V before typing the ? (as on SW1)
vtp password CCIErocks?
mac address-table aging-time 7200

SW3:
conf t
vtp version 2
vtp mode transparent
vtp domain CCIE
! press Ctrl+V before typing the ? (as on SW1)
vtp password CCIErocks?

SW4:
conf t
vtp version 2
vtp mode transparent
vtp domain CCIE
! press Ctrl+V before typing the ? (as on SW1)
vtp password CCIErocks?

SECTION 1.2 - Layer 2 ports

Configure your network as per the following requirements

• Complete the configuration of all VLANs so that all routers located in ACME's headquarters (AS 12345) and New York office (AS 34567) can ping their directly connected neighbors
• All four switches (SW1-SW4) must have dot1q trunks that do not rely on negotiation; do not configure any EtherChannel
• Ensure that the following unused ports on all four switches are shut down and configured as access ports in VLAN 999
  • E3/0 - E3/3 are unused on SW1 and SW2
  • E1/0 - E1/3 are unused on SW3 and SW4
  • E3/0 - E3/3 are unused on SW3 and SW4

Solution:

SW3:
conf t
vlan 34,38,89,111,310,999
exit
interface Vlan34
 ip address 123.10.12.13 255.255.255.252
 no shutdown
interface Vlan310
 ip address 123.10.2.17 255.255.255.252
 no shutdown
interface Vlan38
 ip address 123.10.2.6 255.255.255.252
 no shutdown
interface Ethernet0/0
 switchport mode access
 switchport access vlan 38
 no shutdown
interface Ethernet0/1
 switchport mode access
 switchport access vlan 89
 no shutdown
interface Ethernet0/2
 switchport mode access
 switchport access vlan 310
 no shutdown
interface Ethernet0/3
 switchport mode access
 switchport access vlan 111
 no shutdown
interface range Ethernet1/0 - 3
 switchport mode access
 switchport access vlan 999
 shutdown
interface range Ethernet2/0 - 3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate

SW4:
conf t
vlan 49,34,411,999,89,111
exit
interface Vlan411
 ip address 123.10.2.21 255.255.255.252
 no shutdown
interface Vlan34
 ip address 123.10.12.14 255.255.255.252
 no shutdown
interface Vlan49
 ip address 123.10.2.10 255.255.255.252
 no shutdown
interface Ethernet0/0
 switchport mode access
 switchport access vlan 89
 no shutdown
interface Ethernet0/1
 switchport mode access
 switchport access vlan 49
 no shutdown
interface Ethernet0/2
 switchport mode access
 switchport access vlan 111
 no shutdown
interface Ethernet0/3
 switchport mode access
 switchport access vlan 411
 no shutdown
interface range Ethernet1/0 - 3
 switchport mode access
 switchport access vlan 999
 shutdown
interface range Ethernet2/0 - 3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate

SW1:
conf t
vlan 999,23,35,15,57,67,46,14,24
exit
interface Ethernet0/1
 switchport mode access
 switchport access vlan 23
 no shutdown
interface Ethernet0/2
 switchport mode access
 switchport access vlan 23
 no shutdown
interface Ethernet0/0
 switchport mode access
 switchport access vlan 14
 no shutdown
interface Ethernet1/2
 switchport mode access
 switchport access vlan 67
 no shutdown
interface Ethernet1/3
 switchport mode access
 switchport access vlan 67
 no shutdown
interface Ethernet1/0
 switchport mode access
 switchport access vlan 14
 no shutdown
interface Ethernet0/3
 switchport mode access
 switchport access vlan 24
 no shutdown
interface Ethernet1/1
 switchport mode access
 switchport access vlan 15
 no shutdown
interface range Ethernet2/0 - 3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate

SW2:
conf t
interface Ethernet0/1
 switchport mode access
 switchport access vlan 24
 no shutdown
interface Ethernet0/2
 switchport mode access
 switchport access vlan 35
 no shutdown
interface Ethernet0/0
 switchport mode access
 switchport access vlan 15
 no shutdown
interface Ethernet1/2
 switchport mode access
 switchport access vlan 46
 no shutdown
interface Ethernet1/3
 switchport mode access
 switchport access vlan 57
 no shutdown
interface Ethernet0/3
 switchport mode access
 switchport access vlan 46
 no shutdown
interface Ethernet1/1
 switchport mode access
 switchport access vlan 57
 no shutdown
interface Ethernet1/0
 switchport mode access
 switchport access vlan 35
 no shutdown
interface range Ethernet2/0 - 3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
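The trunk and unused-port requirements above are the kind of setting that drifts after a lab is rebuilt, so a quick config audit is worth having. The following Python is an added example written for this page (it is not part of the original workbook and not a Cisco tool): it parses a running-config excerpt in IOS layout, flags trunks that still negotiate with DTP or are not pinned to dot1q, and flags unused ports that are not shut down as access ports in VLAN 999. The config text, the interface names and the set of unused ports are constructed sample values.

```python
"""Audit IOS Layer 2 port hardening: pinned, non-negotiating trunks and parked unused ports."""
from collections import OrderedDict

# Constructed running-config excerpt (not from the workbook): Ethernet1/1 is an
# unused port that was never shut, Ethernet2/1 is a trunk that still runs DTP.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 switchport access vlan 38
 switchport mode access
!
interface Ethernet1/0
 switchport access vlan 999
 switchport mode access
 shutdown
!
interface Ethernet1/1
 switchport access vlan 999
 switchport mode access
!
interface Ethernet2/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
interface Ethernet2/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""

# Assumed inventory of ports the task declares unused on this switch.
UNUSED_PORTS = {"Ethernet1/0", "Ethernet1/1"}
QUARANTINE_VLAN = 999

# Finding texts, kept as constants so callers can match on them.
F_DTP = "trunk still negotiates with DTP: add 'switchport nonegotiate'"
F_ENCAP = "trunk encapsulation not pinned: add 'switchport trunk encapsulation dot1q'"
F_NOT_SHUT = "unused port is not shut down"
F_NOT_ACCESS = "unused port is not forced to access mode"
F_WRONG_VLAN = "unused port is not parked in the quarantine VLAN"


def parse_interfaces(config):
    """Map each 'interface X' block to the list of its sub-mode commands.

    IOS indents sub-mode lines with one space and ends a block with '!' or
    the next top-level command, which is all this parser relies on.
    """
    interfaces = OrderedDict()
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces


def audit_ports(config, unused_ports=UNUSED_PORTS, quarantine_vlan=QUARANTINE_VLAN):
    """Return (interface, finding) pairs for every port that misses a requirement."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        have = set(cmds)
        if "switchport mode trunk" in have:
            # A trunk that still speaks DTP lets whatever is plugged in negotiate
            # trunking; the task rules that out with 'switchport nonegotiate'.
            if "switchport nonegotiate" not in have:
                findings.append((name, F_DTP))
            if "switchport trunk encapsulation dot1q" not in have:
                findings.append((name, F_ENCAP))
        if name in unused_ports:
            if "shutdown" not in have:
                findings.append((name, F_NOT_SHUT))
            if "switchport mode access" not in have:
                findings.append((name, F_NOT_ACCESS))
            if f"switchport access vlan {quarantine_vlan}" not in have:
                findings.append((name, F_WRONG_VLAN))
    return findings


if __name__ == "__main__":
    for iface, problem in audit_ports(SAMPLE_CONFIG):
        print(f"{iface}: {problem}")
```

Run it against the output of `show running-config` saved to a file, with the unused-port set taken from the task text for that switch; an empty result means every trunk is pinned and non-negotiating and every declared-unused port is parked.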

Section 1.3 Spanning tree

Configure the ACME network as per the following requirements

• SW1 must be the root switch for all odd VLANs and must be the backup for all even VLANs
• SW2 must be the root switch for all even VLANs and must be the backup for all odd VLANs
• SW3 must be the root switch for all odd VLANs and must be the backup for all even VLANs
• SW4 must be the root switch for all even VLANs and must be the backup for all odd VLANs
• Explicitly configure the root and backup roles, assuming that other switches with default configuration may be added to the network in the future
• Use the STP mode mst
• All access ports must transition immediately to the forwarding state upon link up and must still participate in STP; use a single command per switch to enable this
• Access ports must automatically shut down if they receive any BPDU, and an administrator must manually re-enable the port; use a single command per switch to enable this feature.

Solution:

SW3
conf t
spanning-tree mode mst
spanning-tree mst configuration
 revision 1
 name cisco
 instance 1 vlan 1,49,89,111,411,999
 instance 2 vlan 34,38,310
 exit
spanning-tree mst 2 priority 4096
spanning-tree mst 1 priority 0
spanning-tree portfast default
spanning-tree portfast bpduguard default

SW4
conf t
spanning-tree mode mst
spanning-tree mst configuration
 revision 1
 name cisco
 instance 1 vlan 1,49,89,111,411,999
 instance 2 vlan 34,38,310
 exit
spanning-tree mst 1 priority 4096
spanning-tree mst 2 priority 0
spanning-tree portfast default
spanning-tree portfast bpduguard default

SW1
conf t
spanning-tree mode mst
spanning-tree mst configuration
 revision 1
 name cisco
 instance 1 vlan 1,15,23,35,57,67,999
 instance 2 vlan 14,24,46
 exit
spanning-tree mst 2 priority 4096
spanning-tree mst 1 priority 0
spanning-tree portfast default
spanning-tree portfast bpduguard default

SW2
conf t
spanning-tree mode mst
spanning-tree mst configuration
 revision 1
 name cisco
 instance 1 vlan 1,15,23,35,57,67,999
 instance 2 vlan 14,24,46
 exit
spanning-tree mst 1 priority 4096
spanning-tree mst 2 priority 0
spanning-tree portfast default
spanning-tree portfast bpduguard default
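Why the priorities above have to be explicit: the root of an MST instance is simply the switch with the lowest bridge ID, and a switch left at the default priority of 32768 with a low MAC address would otherwise win. The Python below is an added example (not from the workbook) that runs the election the way the standard does, using the section's plan of odd VLANs in instance 1 and even VLANs in instance 2; the switch inventory, MAC addresses and the hypothetical future switch SWnew are constructed values.

```python
"""Simulate MST root election per instance from configured bridge priorities."""

DEFAULT_PRIORITY = 32768  # what a freshly added switch runs with

# Constructed inventory (not from the workbook): priorities follow the section's
# plan, odd VLANs in instance 1 and even VLANs in instance 2. SWnew stands for
# a future switch left at defaults; its MAC is deliberately the lowest.
SWITCHES = {
    "SW1": {"mac": "0000.0c00.0001", "priority": {1: 0, 2: 4096}},
    "SW2": {"mac": "0000.0c00.0002", "priority": {1: 4096, 2: 0}},
    "SWnew": {"mac": "0000.0c00.0000", "priority": {}},
}


def bridge_id(switch, instance):
    """Bridge ID used in the election: (priority + instance number, MAC).

    The instance number occupies the 12-bit system-ID extension, which is why
    IOS only accepts priorities in steps of 4096.
    """
    prio = switch["priority"].get(instance, DEFAULT_PRIORITY)
    if prio % 4096 or not 0 <= prio <= 61440:
        raise ValueError(f"invalid MST priority {prio}")
    return (prio + instance, int(switch["mac"].replace(".", ""), 16))


def elect(switches, instance):
    """Return (root, backup) for one instance: lowest bridge ID wins, next-lowest is the backup."""
    ranked = sorted(switches, key=lambda name: bridge_id(switches[name], instance))
    return ranked[0], ranked[1]


def election_table(switches, instances=(1, 2)):
    return {inst: elect(switches, inst) for inst in instances}


def with_default_priorities(switches):
    """Same inventory with every explicit priority removed, to show what happens without them."""
    return {name: {"mac": sw["mac"], "priority": {}} for name, sw in switches.items()}


if __name__ == "__main__":
    print("explicit priorities:", election_table(SWITCHES))
    print("all defaults:       ", election_table(with_default_priorities(SWITCHES)))
```

With the explicit priorities SW1 holds instance 1 and SW2 instance 2, each backing the other, and SWnew at 32768 cannot displace either; strip the priorities and SWnew takes both instances purely on its MAC address.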

Section 1.4 WAN Switching

• The WAN links must rely on a Layer 2 protocol that supports link negotiation and authentication.
• The service provider expects both R18 and R19 to complete a three-way handshake by providing the expected response to a challenge sent by R63
• R18 must use the username ACME-R18 and password CCIE
• R19 must use the username ACME-R19 and password CCIE

Solution:

R18
conf t
interface Serial1/0
 encapsulation ppp
 ppp chap hostname ACME-R18
 ppp chap password CCIE

R19
conf t
interface Serial1/0
 encapsulation ppp
 ppp chap hostname ACME-R19
 ppp chap password CCIE
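The three-way handshake the provider expects is CHAP (RFC 1994): the authenticator sends a random challenge, the peer answers with MD5 over the identifier, its secret and the challenge, and the authenticator recomputes the digest from its own copy of the secret. The password itself never crosses the link, which is the reason the task asks for CHAP. The Python below is an added example written for this page, not workbook or Cisco code; it plays both sides of the exchange with the task's usernames and password in a constructed user database, and the challenge is generated locally with `os.urandom`.

```python
"""PPP CHAP three-way handshake (RFC 1994) between an authenticator and a peer."""
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """Response value = MD5(Identifier || secret || Challenge); the secret never leaves the box."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class Authenticator:
    """The challenging side (the provider's R63 in this section)."""

    def __init__(self, user_db):
        self.user_db = user_db      # name -> shared secret
        self.pending = {}           # identifier -> outstanding challenge

    def challenge(self, identifier):
        """Step 1: send a fresh random challenge (constructed here with os.urandom)."""
        chal = os.urandom(16)
        self.pending[identifier] = chal
        return identifier, chal

    def verify(self, identifier, name, response):
        """Step 3: recompute the digest and compare in constant time; each challenge is single-use."""
        chal = self.pending.pop(identifier, None)
        if chal is None or name not in self.user_db:
            return False
        expected = chap_response(identifier, self.user_db[name], chal)
        return hmac.compare_digest(expected, response)


class Peer:
    """The responding side, configured like 'ppp chap hostname' / 'ppp chap password'."""

    def __init__(self, hostname, password):
        self.hostname = hostname
        self.password = password

    def respond(self, identifier, challenge):
        """Step 2: answer with the digest and the configured hostname, never the password."""
        return identifier, self.hostname, chap_response(identifier, self.password, challenge)


def run_handshake(authenticator, peer, identifier=1):
    """Drive the three messages end to end and return whether the peer was accepted."""
    ident, chal = authenticator.challenge(identifier)
    ident, name, resp = peer.respond(ident, chal)
    return authenticator.verify(ident, name, resp)


# Constructed user database matching the task's usernames and password.
PROVIDER_DB = {"ACME-R18": "CCIE", "ACME-R19": "CCIE"}

if __name__ == "__main__":
    print(run_handshake(Authenticator(PROVIDER_DB), Peer("ACME-R18", "CCIE")))
```

Two details carry the security value: the digest is compared with `hmac.compare_digest` rather than `==`, and a challenge is deleted once it has been answered, so a captured response cannot be replayed against the same authenticator.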

Section 2.1 OSPF in AS12345

Configure OSPFv2 area 0 in ACME HQ (AS12345) according to the following requirements

• Configure the OSPF process id 12345 and set the router id to interface lo0 on all seven routers
• The interface lo0 of each router must be seen as an internal OSPF prefix by all other routers
• Ensure that OSPF is not running on any interface that faces another AS; use any method to accomplish this requirement
• SW1 and SW2 must not participate in routing at all
• Do not change the default OSPF cost of any interface in AS12345
• R1 must see the following OSPF routes in its routing table
• R1 should act as a stub router in OSPF. This does not mean putting R1 in a stub area; just make sure R1 is never a transit router for traffic of which it is neither the source nor the destination.

R1# sh ip route OSPF
123.0.0.0/8 is variably subnetted, 17 subnets, 2 masks
O 123.2.2.2/32 [110/21] via 123.10.1.1 4d20h ethernet e0/2
O 123.3.3.3/32 [110/21] via 123.10.1.6 4d20h ethernet e0/1
O 123.4.4.4/32 [110/21] via 123.10.1.1 4d20h ethernet e0/2
O 123.5.5.5/32 [110/21] via 123.10.1.6 4d20h ethernet e0/1
O 123.6.6.6/32 [110/21] via 123.10.1.1 4d20h ethernet e0/2
O 123.7.7.7/32 [110/21] via 123.10.1.6 4d20h ethernet e0/1
O 123.10.1.8/30 [110/30] via 123.10.1.6 4d20h ethernet e0/1
               [110/30] via 123.10.1.1 4d20h ethernet e0/2
O 123.10.1.12/30 [110/20] via 123.10.1.6 4d20h ethernet e0/1
O 123.10.1.16/30 [110/20] via 123.10.1.1 4d20h ethernet e0/2
O 123.10.1.20/30 [110/20] via 123.10.1.1 4d20h ethernet e0/2
O 123.10.1.24/30 [110/30] via 123.10.1.6 4d20h ethernet e0/1
                [110/30] via 123.10.1.1 4d20h ethernet e0/2
O 123.10.1.28/30 [110/20] via 123.10.1.6 4d20h ethernet e0/1

If you implement the last point you should get something like

O 123.2.2.2/32 [110/65546] via 123.10.1.1 4d20h ethernet 0/1

Solution:

R1
conf t
router ospf 12345
 router-id 123.1.1.1
 network 123.1.1.1 0.0.0.0 area 0
 network 123.10.1.2 0.0.0.0 area 0
 network 123.10.1.5 0.0.0.0 area 0
 max-metric router-lsa

R4
conf t
router ospf 12345
 router-id 123.4.4.4
 network 123.4.4.4 0.0.0.0 area 0
 network 123.10.1.21 0.0.0.0 area 0
 network 123.10.1.1 0.0.0.0 area 0
 network 123.10.1.18 0.0.0.0 area 0

R2
conf t
router ospf 12345
 router-id 123.2.2.2
 network 123.2.2.2 0.0.0.0 area 0
 network 123.10.1.9 0.0.0.0 area 0
 network 123.10.1.17 0.0.0.0 area 0

R3
conf t
router ospf 12345
 router-id 123.3.3.3
 network 123.3.3.3 0.0.0.0 area 0
 network 123.10.1.10 0.0.0.0 area 0
 network 123.10.1.15 0.0.0.0 area 0

R5
conf t
router ospf 12345
 router-id 123.5.5.5
 network 123.5.5.5 0.0.0.0 area 0
 network 123.10.1.14 0.0.0.0 area 0
 network 123.10.1.6 0.0.0.0 area 0
 network 123.10.1.29 0.0.0.0 area 0

R7
conf t
router ospf 12345
 router-id 123.7.7.7
 network 123.7.7.7 0.0.0.0 area 0
 network 123.10.1.30 0.0.0.0 area 0
 network 123.10.1.26 0.0.0.0 area 0

R6
conf t
router ospf 12345
 router-id 123.6.6.6
 network 123.6.6.6 0.0.0.0 area 0
 network 123.10.1.25 0.0.0.0 area 0
 network 123.10.1.22 0.0.0.0 area 0

SECTION 2.2 - EIGRP IN AS34567

Configure EIGRP for IPv4 in the New York office (AS34567) according to the following requirements

• The EIGRP AS is 34567
• The interface lo0 must be seen as an internal EIGRP prefix by all other routers
• Ensure that EIGRP is not running on any interface that faces another AS; use any method to accomplish this
• Using a single command on one switch only, ensure that R8 installs two equal-cost routes for the following three paths
  vlan 411
  int lo0 at SW4
  int lo0 at R11
• Using a single command on one switch only, ensure that R9 installs two equal-cost routes for the following three paths
  vlan 310
  int lo0 at SW3
  int lo0 at R10

Solution:

R8
conf t
router eigrp 34567
 no auto-summary
 network 123.10.2.1 0.0.0.0
 network 123.10.2.5 0.0.0.0
 network 123.8.8.8 0.0.0.0

R9
conf t
router eigrp 34567
 no auto-summary
 network 123.10.2.2 0.0.0.0
 network 123.10.2.9 0.0.0.0
 network 123.9.9.9 0.0.0.0

R10
conf t
router eigrp 34567
 no auto-summary
 network 123.10.2.18 0.0.0.0
 network 123.10.2.25 0.0.0.0
 network 123.10.10.10 0.0.0.0

R11
conf t
router eigrp 34567
 no auto-summary
 network 123.10.2.26 0.0.0.0
 network 123.10.2.22 0.0.0.0
 network 123.11.11.11 0.0.0.0

SW3
conf t
router eigrp 34567
 no auto-summary
 network 123.10.2.17 0.0.0.0
 network 123.10.2.6 0.0.0.0
 network 123.10.12.13 0.0.0.0
 network 123.33.33.33 0.0.0.0

SW4
conf t
router eigrp 34567
 no auto-summary
 network 123.10.2.21 0.0.0.0
 network 123.10.2.10 0.0.0.0
 network 123.10.12.14 0.0.0.0
 network 123.44.44.44 0.0.0.0

SW3
conf t
interface Vlan34
 delay 100
 exit
exit
clear ip eigrp neighbors

SW4
conf t
interface Vlan34
 delay 100
 exit
exit
clear ip eigrp neighbors

SECTION 2.3 - EIGRP IN AS45678

Configure EIGRP in AS45678 according to the following requirements

• The EIGRP AS is 45678
• The interface lo0 must be seen as an internal EIGRP prefix by all other routers
• Ensure that EIGRP is not running on any interface that faces another AS; use any method to accomplish this requirement
• SW5 and SW6 are Layer 3 switches and must be configured for EIGRP
• On all three routers (R15, R16, R17) use the 64-bit version of EIGRP
• Do not change the interface bandwidth on any physical interface in AS 45678

Solution:

R15
conf t
router eigrp CCIE
 address-family ipv4 autonomous-system 45678
  network 123.15.15.15 0.0.0.0
  network 123.20.1.9 0.0.0.0
  network 123.20.1.1 0.0.0.0

R16
conf t
router eigrp CCIE
 address-family ipv4 autonomous-system 45678
  network 123.16.16.16 0.0.0.0
  network 123.20.1.2 0.0.0.0
  network 123.20.1.17 0.0.0.0

R17
conf t
router eigrp CCIE
 address-family ipv4 autonomous-system 45678
  network 123.17.17.17 0.0.0.0
  network 123.20.1.18 0.0.0.0
  network 123.20.1.10 0.0.0.0

SW6
conf t
router eigrp 45678
 no auto-summary
 network 123.20.1.11 0.0.0.0
 exit
interface range Ethernet1/0 - 1
 switchport mode access
 switchport access vlan 66
 no shutdown

SW5
conf t
router eigrp 45678
 no auto-summary
 network 123.20.1.3 0.0.0.0
 exit
interface range Ethernet1/0 - 1
 switchport mode access
 switchport access vlan 55
 no shutdown

Section 2.4 EIGRP in AS 65222

• The EIGRP AS is 45678
• The interface lo0 of each router must be seen as an internal EIGRP prefix by all other routers
• Ensure that EIGRP is not running on any interface that faces another AS; use any method to accomplish this requirement
• R17 is the DMVPN hub and R18, R19 are the spokes; use the pre-configured tunnel 0

Solution:

R19
conf t
interface Tunnel0
 ip nhrp authentication cisco
 ip nhrp map multicast 203.3.17.2
 ip nhrp map 123.20.1.25 203.3.17.2
 ip nhrp network-id 45678
 ip nhrp nhs 123.20.1.25
 tunnel mode gre multipoint

R18
conf t
interface Tunnel0
 ip nhrp authentication cisco
 ip nhrp map multicast 203.3.17.2
 ip nhrp map 123.20.1.25 203.3.17.2
 ip nhrp network-id 45678
 ip nhrp nhs 123.20.1.25
 tunnel mode gre multipoint

R17
conf t
interface Tunnel0
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 45678
 tunnel mode gre multipoint

R17
conf t
router eigrp CCIE
 address-family ipv4 unicast autonomous-system 45678
  network 123.20.1.25 0.0.0.0
  af-interface Tunnel0
   no split-horizon

R18
conf t
router eigrp 45678
 no auto-summary
 network 123.20.1.26 0.0.0.0
 network 123.18.18.18 0.0.0.0

R19
conf t
router eigrp 45678
 no auto-summary
 network 123.20.1.27 0.0.0.0
 network 123.19.19.19 0.0.0.0

Section 2.5 BGP in AS 12345

BGP is partially configured in ACME headquarters; complete the configuration as required

Configure BGP in ACME's HQ (AS 12345) according to the following requirements

• R4 and R5 must not establish any BGP session at any time
• All BGP routers must use their int lo0 as their router-id
• Disable the default IPv4 unicast address family for peering session establishment on all BGP routers
• R1 must be the IPv4 route reflector for BGP AS12345

Configure eBGP between ACME's San Francisco and San Jose sites according to the following requirements

• R20 is the CE router and uses eBGP to connect to the managed services provided by the PE routers R2 and R3
• R20 must establish separate eBGP peerings with both R2 and R3 for every VRF
• R20 must advertise the following prefixes to all its BGP peers
  123.0.0.0/8 summary-only
  10.0.0.0/8 summary-only
• R20 must advertise a default route to all of its BGP peers except 10.120.99.1 and 10.120.99.5

Solution:

R2
conf t
router bgp 12345
 bgp router-id 123.2.2.2
 no bgp default ipv4-unicast
 neighbor 123.1.1.1 remote-as 12345
 neighbor 123.1.1.1 update-source Loopback0
 address-family ipv4
  neighbor 123.1.1.1 activate

R3
conf t
router bgp 12345
 bgp router-id 123.3.3.3
 no bgp default ipv4-unicast
 neighbor 123.1.1.1 remote-as 12345
 neighbor 123.1.1.1 update-source Loopback0
 address-family ipv4
  neighbor 123.1.1.1 activate

R6
conf t
router bgp 12345
 bgp router-id 123.6.6.6
 no bgp default ipv4-unicast
 neighbor 123.1.1.1 remote-as 12345
 neighbor 123.1.1.1 update-source Loopback0
 address-family ipv4
  neighbor 123.1.1.1 activate

R7
conf t
router bgp 12345
 bgp router-id 123.7.7.7
 no bgp default ipv4-unicast
 neighbor 123.1.1.1 remote-as 12345
 neighbor 123.1.1.1 update-source Loopback0
 address-family ipv4
  neighbor 123.1.1.1 activate

R1
conf t
router bgp 12345
 bgp router-id 123.1.1.1
 no bgp default ipv4-unicast
 neighbor 123.2.2.2 remote-as 12345
 neighbor 123.2.2.2 update-source Loopback0
 neighbor 123.3.3.3 remote-as 12345
 neighbor 123.3.3.3 update-source Loopback0
 neighbor 123.6.6.6 remote-as 12345
 neighbor 123.6.6.6 update-source Loopback0
 neighbor 123.7.7.7 remote-as 12345
 neighbor 123.7.7.7 update-source Loopback0
 address-family ipv4
  neighbor 123.7.7.7 activate
  neighbor 123.7.7.7 route-reflector-client
  neighbor 123.6.6.6 activate
  neighbor 123.6.6.6 route-reflector-client
  neighbor 123.3.3.3 activate
  neighbor 123.3.3.3 route-reflector-client
  neighbor 123.2.2.2 activate
  neighbor 123.2.2.2 route-reflector-client

R2
conf t
router bgp 12345
 address-family ipv4 vrf BLUE
  neighbor 10.120.13.2 remote-as 65112
  neighbor 10.120.13.2 activate
 address-family ipv4 vrf GREEN
  neighbor 10.120.12.2 remote-as 65112
  neighbor 10.120.12.2 activate
 address-family ipv4 vrf INET
  neighbor 10.120.99.2 remote-as 65112
  neighbor 10.120.99.2 activate
 address-family ipv4 vrf RED
  neighbor 10.120.14.2 remote-as 65112
  neighbor 10.120.14.2 activate
 address-family ipv4 vrf YELLOW
  neighbor 10.120.15.2 remote-as 65112
  neighbor 10.120.15.2 activate

R3
conf t
router bgp 12345
 address-family ipv4 vrf BLUE
  neighbor 10.120.13.6 remote-as 65112
  neighbor 10.120.13.6 activate
 address-family ipv4 vrf GREEN
  neighbor 10.120.12.6 remote-as 65112
  neighbor 10.120.12.6 activate
 address-family ipv4 vrf INET
  neighbor 10.120.99.6 remote-as 65112
  neighbor 10.120.99.6 activate
 address-family ipv4 vrf RED
  neighbor 10.120.14.6 remote-as 65112
  neighbor 10.120.14.6 activate
 address-family ipv4 vrf YELLOW
  neighbor 10.120.15.6 remote-as 65112
  neighbor 10.120.15.6 activate

R20
conf t
router bgp 65112
 neighbor 10.120.13.5 remote-as 12345
 neighbor 10.120.12.5 remote-as 12345
 neighbor 10.120.99.5 remote-as 12345
 neighbor 10.120.14.5 remote-as 12345
 neighbor 10.120.15.5 remote-as 12345
 neighbor 10.120.13.1 remote-as 12345
 neighbor 10.120.12.1 remote-as 12345
 neighbor 10.120.99.1 remote-as 12345
 neighbor 10.120.14.1 remote-as 12345
 neighbor 10.120.15.1 remote-as 12345
 address-family ipv4
  neighbor 10.120.13.5 activate
  neighbor 10.120.12.5 activate
  neighbor 10.120.99.5 activate
  neighbor 10.120.14.5 activate
  neighbor 10.120.15.5 activate
  neighbor 10.120.13.5 default-originate
  neighbor 10.120.12.5 default-originate
  neighbor 10.120.14.5 default-originate
  neighbor 10.120.15.5 default-originate
  aggregate-address 123.0.0.0 255.0.0.0 summary-only
  aggregate-address 10.0.0.0 255.0.0.0 summary-only
  neighbor 10.120.13.1 activate
  neighbor 10.120.13.1 default-originate
  neighbor 10.120.12.1 activate
  neighbor 10.120.12.1 default-originate
  neighbor 10.120.99.1 activate
  neighbor 10.120.14.1 activate
  neighbor 10.120.14.1 default-originate
  neighbor 10.120.15.1 activate
  neighbor 10.120.15.1 default-originate

Section 2.6 BGP in AS 34567

BGP is partially pre-configured in the ACME New York office; complete the configuration as required

Configure iBGP in AS 34567 according to the following requirements

• SW3 and SW4 must not establish any BGP session at any time
• All BGP routers must use their int lo0 as their router-id
• Configure full-mesh iBGP peering between all four routers; use any configuration method
• R9 must be selected as the preferred exit point for traffic destined to remote ASs
• R11 must be selected as the next preferred exit in case R9 fails
• No BGP speaker may use a network statement under the BGP router configuration.
• Ensure that a BGP next hop is never marked unreachable as long as the remote peer's int lo0 is known via the IGP

Configure EIGRP in AS 34567 according to the following requirements

• All four BGP routers must establish eBGP peerings with their neighboring AS as shown in diagram 3 (BGP topology)
• All four BGP routers must redistribute EIGRP into BGP
• Ensure that R9 is the only router that sees the default as a BGP route and that all other routers (R8, R10, R11) see it as an EIGRP external

Solution:

R8
conf t
router bgp 34567
 bgp router-id 123.8.8.8
 neighbor 123.9.9.9 remote-as 34567
 neighbor 123.9.9.9 update-source Loopback0
 neighbor 123.10.10.10 remote-as 34567
 neighbor 123.10.10.10 update-source Loopback0
 neighbor 123.11.11.11 remote-as 34567
 neighbor 123.11.11.11 update-source Loopback0
 neighbor 101.1.34.1 remote-as 10001
 address-family ipv4
  neighbor 123.9.9.9 activate
  neighbor 123.9.9.9 next-hop-self
  neighbor 123.10.10.10 activate
  neighbor 123.10.10.10 next-hop-self
  neighbor 123.11.11.11 activate
  neighbor 101.1.34.1 activate
  neighbor 123.11.11.11 next-hop-self

R9
conf t
router bgp 34567
 bgp router-id 123.9.9.9
 neighbor 123.8.8.8 remote-as 34567
 neighbor 123.8.8.8 update-source Loopback0
 neighbor 123.10.10.10 remote-as 34567
 neighbor 123.10.10.10 update-source Loopback0
 neighbor 123.11.11.11 remote-as 34567
 neighbor 123.11.11.11 update-source Loopback0
 neighbor 102.1.34.1 remote-as 10002
 neighbor 33.34.4.1 remote-as 30000
 address-family ipv4
  neighbor 123.8.8.8 activate
  neighbor 123.8.8.8 next-hop-self
  neighbor 123.10.10.10 activate
  neighbor 123.10.10.10 next-hop-self
  neighbor 123.11.11.11 activate
  neighbor 123.11.11.11 next-hop-self
  neighbor 102.1.34.1 activate
  neighbor 102.1.34.1 route-map LP110 in
  neighbor 33.34.4.1 activate
  neighbor 33.34.4.1 route-map LP110 in
  exit
 exit
route-map LP110 permit 10
 set local-preference 110

R10
conf t
router bgp 34567
 bgp router-id 123.10.10.10
 neighbor 123.8.8.8 remote-as 34567
 neighbor 123.8.8.8 update-source Loopback0
 neighbor 123.9.9.9 remote-as 34567
 neighbor 123.9.9.9 update-source Loopback0
 neighbor 123.11.11.11 remote-as 34567
 neighbor 123.11.11.11 update-source Loopback0
 neighbor 201.1.34.1 remote-as 20001
 address-family ipv4
  neighbor 123.8.8.8 activate
  neighbor 123.8.8.8 next-hop-self
  neighbor 123.9.9.9 activate
  neighbor 123.9.9.9 next-hop-self
  neighbor 123.11.11.11 activate
  neighbor 123.11.11.11 next-hop-self
  neighbor 201.1.34.1 activate

R11
conf t
router bgp 34567
 bgp router-id 123.11.11.11
 neighbor 123.8.8.8 remote-as 34567
 neighbor 123.8.8.8 update-source Loopback0
 neighbor 123.9.9.9 remote-as 34567
 neighbor 123.9.9.9 update-source Loopback0
 neighbor 123.10.10.10 remote-as 34567
 neighbor 123.10.10.10 update-source Loopback0
 neighbor 33.34.3.1 remote-as 30000
 neighbor 202.2.34.1 remote-as 20002
 address-family ipv4
  neighbor 123.8.8.8 activate
  neighbor 123.8.8.8 next-hop-self
  neighbor 123.9.9.9 activate
  neighbor 123.9.9.9 next-hop-self
  neighbor 123.10.10.10 activate
  neighbor 123.10.10.10 next-hop-self
  neighbor 33.34.3.1 activate
  neighbor 33.34.3.1 route-map LP100 in
  neighbor 202.2.34.1 activate
  exit
 exit
route-map LP100 permit 10
 set local-preference 100

R9
conf t
router bgp 34567
 address-family ipv4
  redistribute eigrp 34567
  exit
 exit
router eigrp 34567
 redistribute bgp 34567 metric 10000 10 255 1 1500 route-map DEFAULT
 exit
route-map DEFAULT permit 10
 match ip address prefix-list DEFAULT
 exit
ip prefix-list DEFAULT permit 0.0.0.0/0

R8
conf t
router bgp 34567
 address-family ipv4
  redistribute eigrp 34567

R10
conf t
router bgp 34567
 address-family ipv4
  redistribute eigrp 34567

R11
conf t
router bgp 34567
 address-family ipv4
  redistribute eigrp 34567

Section 2.7 Implement BGP in BGP AS 45678 and 65222

Refer to diagram 3 (BGP routing)

Configure eBGP in ACME's APAC region (AS45678 and AS 65222) according to the following requirements

Configure BGP in ACME Sydney and the APAC region as per the requirements below:

R15 must establish an eBGP peering with AS 10003.
It must receive the default route and all other prefixes from AS 10003.
R15 must advertise an aggregate network prefix 123.20.1.0/24 to AS 10003.
R15 must suppress all component prefixes of this summary prefix.
R15 must redistribute BGP into EIGRP and vice versa.
R16, R17, R18, R19 are configured with vrf LOCALSP (requirement for the vrf LOCALSP version only)!
R16, R17, R18, R19 must establish an eBGP peering with AS 20003 in vrf LOCALSP.
These must receive only the default route and no other prefixes from AS 20003 (requirement for the vrf LOCALSP version only)!
R16, R17, R18, R19 must not advertise any prefix to AS 20003.
As long as R15 is operational, R16, R17, R18, R19 must prefer the EIGRP default route.
iBGP must not be enabled in AS 45678.
SW5 and SW6 must not establish any BGP neighbor.
Do not create additional VRFs to complete this task……# but I think you may have to create the LOCALSP as this is not included in the current initial config… - in the vrf version the vrf is precreated.

!!! THERE ARE 2 VARIATIONS – WITH AND WITHOUT VRF LOCALSP: BELOW CONFIGURATION WITHOUT VRF:

Solution:

R15
conf t
router bgp 45678
 neighbor 103.2.45.1 remote-as 10003
 address-family ipv4
  neighbor 103.2.45.1 activate
  aggregate-address 123.20.1.0 255.255.255.0 summary-only
  redistribute eigrp 45678
  exit
 exit
router eigrp CCIE
 address-family ipv4 unicast autonomous-system 45678
  topology base
   redistribute bgp 45678 metric 10000 10 255 1 1500

R16
conf t
access-list 1 permit 0.0.0.0
router bgp 45678
 neighbor 203.3.16.1 prefix-list DENY out
 distance 171 203.3.16.1 0.0.0.0 1
 exit
ip prefix-list DENY deny 0.0.0.0/0 le 32

R17
conf t
access-list 1 permit 0.0.0.0
router bgp 45678
 bgp router-id 123.17.17.17
 neighbor 203.3.17.1 remote-as 20003
 neighbor 203.3.17.1 prefix-list DENY out
 distance 171 203.3.17.1 0.0.0.0 1
 exit
ip prefix-list DENY deny 0.0.0.0/0 le 32

R18
conf t
router bgp 65222
 bgp log-neighbor-changes
 neighbor 203.3.18.1 remote-as 20003
 neighbor 203.3.18.1 prefix-list DENY out
 distance 171 203.3.18.1 0.0.0.0 1
 exit
ip prefix-list DENY deny 0.0.0.0/0 le 32
access-list 1 permit any

R19
conf t
router bgp 65222
 bgp log-neighbor-changes
 neighbor 203.3.19.1 remote-as 20003
 neighbor 203.3.19.1 prefix-list DENY out
 distance 171 203.3.19.1 0.0.0.0 1
 exit
ip prefix-list DENY deny 0.0.0.0/0 le 32
access-list 1 permit any

!!! THERE ARE 2 VARIATIONS – WITH AND WITHOUT VRF LOCALSP: BELOW CONFIGURATION WITH VRF:

Solution:

R15
conf t
router bgp 45678
 neighbor 103.2.45.1 remote-as 10003
 address-family ipv4
  neighbor 103.2.45.1 activate
  aggregate-address 123.20.1.0 255.255.255.0 summary-only
  redistribute eigrp 45678
  exit
 exit
router eigrp CCIE
 address-family ipv4 unicast autonomous-system 45678
  topology base
   redistribute bgp 45678 metric 10000 10 255 1 1500

R16
conf t
ip vrf LOCALSP
 rd 45678:1
 exit
access-list 1 permit 0.0.0.0
router bgp 45678
 ! router-id is R16's own lo0 (123.16.16.16, see section 2.3); the original listing repeated R17's 123.17.17.17 here
 bgp router-id 123.16.16.16
 address-family ipv4 vrf LOCALSP
  neighbor 203.3.16.1 remote-as 20003
  neighbor 203.3.16.1 activate
  neighbor 203.3.16.1 prefix-list DENY out
  neighbor 203.3.16.1 route-map BGP-DEFAULT in
  exit
 exit
ip prefix-list DENY deny 0.0.0.0/0 le 32
ip prefix-list BGP permit 0.0.0.0/0
route-map BGP-DEFAULT permit 10
 match ip address prefix-list BGP
 exit
interface Ethernet0/3
 ip vrf forwarding LOCALSP
 ip address 203.3.16.2 255.255.255.252

R17
conf t
ip vrf LOCALSP
 rd 45678:1
 exit
access-list 1 permit 0.0.0.0
router bgp 45678
 bgp router-id 123.17.17.17
 address-family ipv4 vrf LOCALSP
  neighbor 203.3.17.1 remote-as 20003
  neighbor 203.3.17.1 activate
  neighbor 203.3.17.1 prefix-list DENY out
  neighbor 203.3.17.1 route-map BGP-DEFAULT in
  exit
 exit
ip prefix-list DENY deny 0.0.0.0/0 le 32
ip prefix-list BGP permit 0.0.0.0/0
route-map BGP-DEFAULT permit 10
 match ip address prefix-list BGP
 exit
interface Ethernet0/3
 ip vrf forwarding LOCALSP
 ip address 203.3.17.2 255.255.255.252

R18
conf t
ip vrf LOCALSP
 rd 45678:1
 exit
router bgp 65222
 bgp log-neighbor-changes
 address-family ipv4 vrf LOCALSP
  neighbor 203.3.18.1 remote-as 20003
  neighbor 203.3.18.1 activate
  neighbor 203.3.18.1 route-map BGP-DEFAULT in
  neighbor 203.3.18.1 prefix-list DENY out
  exit
 exit
ip prefix-list DENY deny 0.0.0.0/0 le 32
ip prefix-list BGP permit 0.0.0.0/0
route-map BGP-DEFAULT permit 10
 match ip address prefix-list BGP
 exit
interface Serial1/0
 ip vrf forwarding LOCALSP
 ip address 203.3.18.2 255.255.255.252

R19
conf t
ip vrf LOCALSP
 rd 45678:1
 exit
router bgp 65222
 address-family ipv4 vrf LOCALSP
  neighbor 203.3.19.1 remote-as 20003
  neighbor 203.3.19.1 activate
  neighbor 203.3.19.1 route-map BGP-DEFAULT in
  neighbor 203.3.19.1 prefix-list DENY out
  exit
 exit
ip prefix-list DENY deny 0.0.0.0/0 le 32
ip prefix-list BGP permit 0.0.0.0/0
route-map BGP-DEFAULT permit 10
 match ip address prefix-list BGP
 exit
interface Serial1/0
 ip vrf forwarding LOCALSP
 ip address 203.3.19.2 255.255.255.252
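The "prefer the EIGRP default while R15 is up" requirement in this section is met purely with administrative distance: eBGP installs at AD 20 and would beat the EIGRP external default (AD 170), so `distance 171 203.3.16.1 0.0.0.0 1` raises the AD of exactly the routes that arrive from that neighbor and match access-list 1 (only 0.0.0.0). The Python below is an added example written for this page, not workbook or Cisco code; it models the `distance` statement and the RIB's lowest-AD selection for R16 and walks the three cases that matter (R15 up, R15 down, no distance command). The neighbor address and ACL contents are the ones from the R16 configuration above; everything else is constructed.

```python
"""How 'distance 171 <neighbor> 0.0.0.0 1' lets the EIGRP default win over eBGP while R15 is up."""
import ipaddress

EBGP_AD = 20             # IOS default for external BGP
EIGRP_EXTERNAL_AD = 170  # the redistributed default that R15 injects
UNINSTALLABLE = 255      # AD 255 never reaches the RIB

# 'access-list 1 permit 0.0.0.0' and the distance statement from R16 in this section,
# modelled as (ad, source neighbor, wildcard, set of permitted network addresses).
ACL_1 = {"0.0.0.0"}
DISTANCE_CMDS = [(171, "203.3.16.1", "0.0.0.0", ACL_1)]


def wildcard_match(addr, base, wildcard):
    """IOS wildcard compare: bits set in the wildcard are ignored."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def effective_bgp_distance(prefix, learned_from, distance_cmds=DISTANCE_CMDS):
    """Apply the router's 'distance' statements in order to one BGP route."""
    network = str(ipaddress.ip_network(prefix, strict=False).network_address)
    for ad, source, wildcard, acl in distance_cmds:
        if wildcard_match(learned_from, source, wildcard) and (acl is None or network in acl):
            return ad
    return EBGP_AD


def best_source(candidates):
    """RIB selection for a single prefix: the source with the lowest AD is installed."""
    usable = [(ad, src) for src, ad in candidates.items() if ad < UNINSTALLABLE]
    return min(usable)[1] if usable else None


def default_route_owner(r15_up, distance_cmds=DISTANCE_CMDS):
    """Who supplies 0/0 on R16: EIGRP external from R15 (when up) or the eBGP default from AS 20003."""
    candidates = {"ebgp AS 20003": effective_bgp_distance("0.0.0.0/0", "203.3.16.1", distance_cmds)}
    if r15_up:
        candidates["eigrp external via R15"] = EIGRP_EXTERNAL_AD
    return best_source(candidates)


if __name__ == "__main__":
    for r15_up in (True, False):
        print(f"R15 up={r15_up}: default route from {default_route_owner(r15_up)}")
    print("without the distance command:", default_route_owner(True, distance_cmds=[]))
```

The value 171 rather than 255 is what makes the failover work: the eBGP default stays installable and takes over the moment the EIGRP default disappears, while any other prefix from AS 20003 (not matched by access-list 1) keeps its normal AD of 20.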

Section 2.8 BGP routing policies

Configure the ACME network as per the following requirements

• All ACME border routers in AS 12345 must filter the BGP prefixes advertised to their SP in VRF INET and allow only prefixes that belong to class A 123.0.0.0/8; all other VRFs must propagate all prefixes
• All ACME border routers in AS 34567 must filter the BGP prefixes advertised to their SP and allow only prefixes that belong to class A 123.0.0.0/8
• Do not use any route-map or access-list to accomplish the above requirements
• R13 must route traffic preferably via AS 20002; use any method to accomplish this requirement
• All three remote sites in AS 65111 must be able to ping 1.2.3.4, and a traceroute must reveal exactly the same path as shown in the following output

R12# ping 1.2.3.4 so lo0
!!!!!

R12# traceroute 1.2.3.4 so lo0
1. 201.1.12.1 [AS 65112]
2. 201.1.123.2 [AS 65112]
3. 10.120.12.1 [AS 65112] [MPLS: label 135 EXP 0]
4. 10.120.12.2 [AS 65112]
5. 10.120.99.5 [AS 65112]
6. 102.2.123.1 [AS 65112]
7. 33.10.2.1 [AS 65112]

Solution:

R6
conf t
router bgp 12345
 address-family ipv4 vrf INET
  neighbor 201.1.123.1 remote-as 20001
  neighbor 201.1.123.1 activate
  neighbor 201.1.123.1 prefix-list INET out
  exit
 exit
ip prefix-list INET permit 123.0.0.0/8 le 32

R7
conf t
router bgp 12345
 address-family ipv4 vrf INET
  neighbor 202.2.123.1 remote-as 20002
  neighbor 202.2.123.1 activate
  neighbor 202.2.123.1 prefix-list INET out
  exit
 exit
ip prefix-list INET permit 123.0.0.0/8 le 32

R3
conf t
router bgp 12345
 address-family ipv4 vrf INET
  neighbor 102.2.123.1 remote-as 10002
  neighbor 102.2.123.1 activate
  neighbor 102.2.123.1 prefix-list INET out
  exit
 exit
ip prefix-list INET permit 123.0.0.0/8 le 32

R2
conf t
router bgp 12345
 address-family ipv4 vrf INET
  neighbor 101.1.123.1 remote-as 10001
  neighbor 101.1.123.1 activate
  neighbor 101.1.123.1 prefix-list INET out
  exit
 exit
ip prefix-list INET permit 123.0.0.0/8 le 32

R8
conf t
router bgp 34567
 address-family ipv4
  neighbor 101.1.34.1 prefix-list INET out
  exit
 exit
ip prefix-list INET permit 123.0.0.0/8 le 32

R9
conf t
router bgp 34567
 address-family ipv4
  neighbor 102.1.34.1 prefix-list INET out
  exit
 exit
ip prefix-list INET permit 123.0.0.0/8 le 32

R11
conf t
router bgp 34567
 address-family ipv4
  neighbor 202.2.34.1 prefix-list INET out
  exit
 exit
ip prefix-list INET permit 123.0.0.0/8 le 32

R10
conf t
router bgp 34567
 address-family ipv4
  neighbor 201.1.34.1 prefix-list INET out
  exit
 exit
ip prefix-list INET permit 123.0.0.0/8 le 32

R13
conf t
router bgp 65111
 neighbor 201.1.13.1 remote-as 20001
 neighbor 202.2.13.1 remote-as 20002
 address-family ipv4
  neighbor 201.1.13.1 activate
  neighbor 202.2.13.1 activate

R17
conf t
router bgp 45678
 bgp router-id 123.17.17.17
 neighbor 203.3.17.1 remote-as 20003

R12
conf t
router bgp 65111
 neighbor 201.1.12.1 remote-as 20001

R14
conf t
router bgp 65111
 neighbor 202.2.14.1 remote-as 20002

R13
conf t
router bgp 65111
 address-family ipv4
  neighbor 202.2.13.1 weight 120

R20
conf t
router bgp 65112
 address-family ipv4
  neighbor 10.120.99.5 weight 100
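Both this section and section 2.7 hang on prefix-list semantics: `permit 123.0.0.0/8 le 32` admits every route inside 123/8 at any length, `deny 0.0.0.0/0 le 32` denies everything, and `permit 0.0.0.0/0` without `le` matches the default route only. The Python below is an added example written for this page, not workbook or Cisco code; it parses entries in `ip prefix-list` syntax and evaluates them with the IOS matching rules, including the general `ge`/`le` range handling of which the page's entries are special cases. The list text and the candidate routes are constructed; the entries named INET, DENY and BGP are the ones from the page, and EXACT is added to show the common mistake of leaving off `le 32`.

```python
"""Evaluate IOS ip prefix-list entries, including the ge/le length ranges."""
import ipaddress

# Constructed text combining the prefix-lists used in sections 2.7 and 2.8, plus
# EXACT, which shows what happens when 'le 32' is forgotten.
PREFIX_LISTS = """
ip prefix-list INET permit 123.0.0.0/8 le 32
ip prefix-list EXACT permit 123.0.0.0/8
ip prefix-list DENY deny 0.0.0.0/0 le 32
ip prefix-list BGP permit 0.0.0.0/0
"""


def parse_prefix_lists(text):
    """Parse 'ip prefix-list NAME [seq N] permit|deny NET/LEN [ge G] [le L]' into entries."""
    lists = {}
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:2] != ["ip", "prefix-list"]:
            continue
        name, rest = tokens[2], tokens[3:]
        if rest[0] == "seq":
            rest = rest[2:]
        action, net, opts = rest[0], ipaddress.ip_network(rest[1], strict=False), rest[2:]
        ge = le = None
        for key, val in zip(opts[::2], opts[1::2]):
            if key == "ge":
                ge = int(val)
            elif key == "le":
                le = int(val)
        lists.setdefault(name, []).append((action, net, ge, le))
    return lists


def entry_matches(entry, prefix):
    """IOS semantics: the route must fall inside the entry's network, and its length
    must equal the entry length unless ge/le widen the accepted range."""
    _, net, ge, le = entry
    if prefix.version != net.version or not prefix.subnet_of(net):
        return False
    low = ge if ge is not None else net.prefixlen
    high = le if le is not None else (net.max_prefixlen if ge is not None else net.prefixlen)
    return low <= prefix.prefixlen <= high


def evaluate(entries, prefix):
    """First matching entry decides; an unmatched route hits the implicit deny."""
    prefix = ipaddress.ip_network(prefix, strict=False)
    for entry in entries:
        if entry_matches(entry, prefix):
            return entry[0] == "permit"
    return False


def filter_advertised(entries, prefixes):
    """What survives an outbound 'neighbor ... prefix-list NAME out'."""
    return [p for p in prefixes if evaluate(entries, p)]


LISTS = parse_prefix_lists(PREFIX_LISTS)
CANDIDATES = ["123.0.0.0/8", "123.10.1.8/30", "123.2.2.2/32", "10.0.0.0/8", "0.0.0.0/0"]

if __name__ == "__main__":
    for name, entries in LISTS.items():
        print(f"{name:6} -> {filter_advertised(entries, CANDIDATES)}")
```

Running it shows INET passing the three 123/8 routes and nothing else, EXACT passing only the /8 itself (so the loopback /32s would silently vanish from the SP advertisement), DENY passing nothing, and BGP admitting only the default.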

for Section 2.9 IPV6 OSPF

Configure OSPFv3 in the ACME New York Office as per the following requirements:

Configure OSPF Process Id 1.

Configure Loopback 0 as OSPF router id.

SW4 must be elected as DR for Vlan 34.

SW3 must be BDR and ready to take over SW4.

You are not allowed to use ipv6 ospf 1 area

You are not allowed to use ipv6 ospf 1 priority

You are not allowed to use router ospf

Solution:
R10

conf t

ipv6 unicast-routing

router ospfv3 1

router-id 123.10.10.10

exit

int e0/2

ospfv3 1 ipv6 area 0

R11

conf t

ipv6 unicast-routing

router ospfv3 1

router-id 123.11.11.11

exit

int e0/1

ospfv3 1 ipv6 area 0

SW3

conf t

ipv6 unicast-routing

router ospfv3 1
router-id 123.33.33.33

exit

int vlan 310

ospfv3 1 ipv6 area 0

int vlan 34

ospfv3 1 ipv6 area 0

ospfv3 priority 254

SW4

conf t

ipv6 unicast-routing

router ospfv3 1

router-id 123.44.44.44

exit

int vlan 411

ospfv3 1 ipv6 area 0

int vlan 34

ospfv3 1 ipv6 area 0

ospfv3 priority 255

Section 2.10 BGP for IPV6

Configure ACME network as per the following requirements


• Establish the four eBGP peering as indicated on "diagram IPV6 routing"

• Do not use the network command under the BGP address-family ipv6 on either R10 or R11

• Both regional SP will advertise the necessary prefixes

• Advertise the ipv6 prefix on interface E0/0 into BGP on both R12 and R14

• Configure your network such that any ipv6 user can communicate with any other ipv6 user, and

vice versa

• Do not use any static route or default route anywhere

• Use the following ping to verify your config

R12# ping 2001:CC1E:BEF:14:202:2:14:1 sou E0/0

!!!!!

Solution:

R10

conf t

route-map OSPF-BGP permit 10

match route-type internal

match route-type external

exit

router bgp 34567

neighbor 2001:CC1E:BEF:10:201:1:34:1 remote-as 20001


address-family ipv6

neighbor 2001:CC1E:BEF:10:201:1:34:1 activate

redistribute ospf 1 include-connected route-map OSPF-BGP

exit

exit

router ospfv3 1

address-family ipv6 unicast

redistribute bgp 34567

R11

conf t

route-map OSPF-BGP permit 10

match route-type internal

match route-type external

exit

ipv6 unicast-routing

router bgp 34567

neighbor 2001:CC1E:BEF:11:202:2:34:1 remote-as 20002

address-family ipv6

neighbor 2001:CC1E:BEF:11:202:2:34:1 activate

redistribute ospf 1 include-connected route-map OSPF-BGP

exit

exit
router ospfv3 1

address-family ipv6 unicast

redistribute bgp 34567

R14

conf t

ipv6 unicast-routing ----- needed for IPv6 forwarding on R14, as on R11 and R12

router bgp 65111

neighbor 2001:CC1E:BEF:14:202:2:14:1 remote-as 20002

address-family ipv6

network 2001:CC1E:BEF:14::/64

neighbor 2001:CC1E:BEF:14:202:2:14:1 activate

R12

conf t

ipv6 unicast-routing

router bgp 65111

neighbor 2001:CC1E:BEF:12:201:1:12:1 remote-as 20001

address-family ipv6

network 2001:CC1E:BEF:12::/64

neighbor 2001:CC1E:BEF:12:201:1:12:1 activate


Section 2.11 Layer 3 multicast

Streaming server is connected in vlan 5 on sw5. Receivers are located at the DMVPN spokes R18

and R19

Configure the ACME network as per the following requirements

• Only network segments with active receivers that explicitly require the data must receive the

multicast traffic

• Interface lo0 of R15 must be configured as RP

• Use a standard method of dynamically distributing the RP

• Both R16 and R17 must participate in the multicast routing

• To test configure int E0/0 of both R18 and R19 to join group 232.1.1.1

Sw5# ping 232.1.1.1 so vlan 5

reply to request 0 from 10.2.19.1 3ms

reply to request 0 from 10.2.18.1 4ms

Solution:

SW5
conf t

vlan 5

exit

ip multicast-routing

int vlan 5

ip pim sparse-m

int vlan 55

ip pim sparse-m

R16

conf t

ip multicast-routing

int e0/1

ip pim sparse-m

int e0/2

ip pim sparse-m

R17

conf t

ip multicast-routing

int e0/1

ip pim sparse-m

int e0/2
ip pim sparse-m

int tun 0

ip pim sparse-m

R15

conf t

ip multicast-routing

int e0/1

ip pim sparse-m

int e0/2

ip pim sparse-m

int loo 0

ip pim sparse-m

exit

ip pim bsr-candidate Loopback0

ip pim rp-candidate Loopback0

R18

conf t

ip multicast-routing

int tun 0

ip pim sparse-m
R19

conf t

ip multicast-routing

int tun 0

ip pim sparse-m

R18

conf t

int loo 18 ----- on IOU there is no E0/0 configured on R18, so loopback 18 stands in for it

ip add 10.2.18.1 255.255.255.255

ip pim sparse-mode

ip igmp join-group 232.1.1.1

exit

router eigrp 45678

network 10.2.18.1 0.0.0.0

R19

conf t

int loo 19 ----- on IOU there is no E0/0 configured on R19, so loopback 19 stands in for it

ip add 10.2.19.1 255.255.255.255

ip pim sparse-mode

ip igmp join-group 232.1.1.1


exit

router eigrp 45678

network 10.2.19.1 0.0.0.0

Section 3 VPN Technology

Refer to "diagram 3 BGP topology" and "diagram 4 VPN technology"

• The ACME HQ network (AS12345) uses MPLS L3VPN in order to clearly separate remote site

networks

• The ACME corporate security policies are centralized and enforced at the San Jose site (AS

65112) for all remote sites. The policies require that all traffic that is originated from any

remote sites (with the exception of New York office)

• Configure mpls L3 VPN in the ACME network according to the following requirements

• Enable ldp only on required interfaces on all seven routers in AS 12345

• Use the interface lo0 to establish ldp peerings

• Ensure that no mpls interface that belongs to any router in AS12345 is visible on a trace

route that originates outside of the AS

• R2, R3, R6 and R7 must be configured as PE routers

• R1, R4 and R5 must be configured as P routers

Solution:
R1

conf t

interface Ethernet0/1

mpls ip

interface Ethernet0/2

mpls ip

interface Ethernet0/3

exit

mpls ldp router-id Loopback0 force

no mpls ip propagate-ttl

R3

conf t

interface Ethernet0/1

mpls ip

interface Ethernet0/2

mpls ip

exit

mpls ldp router-id Loopback0 force

no mpls ip propagate-ttl

R2
conf t

interface Ethernet0/1

mpls ip

interface Ethernet0/2

mpls ip

exit

mpls ldp router-id Loopback0 force

no mpls ip propagate-ttl

R6

conf t

interface Ethernet0/1

mpls ip

interface Ethernet0/2

mpls ip

exit

mpls ldp router-id Loopback0 force

no mpls ip propagate-ttl

R7

conf t

interface Ethernet0/1

mpls ip
interface Ethernet0/2

mpls ip

exit

mpls ldp router-id Loopback0 force

no mpls ip propagate-ttl

R4

conf t

no mpls ip propagate-ttl

interface Ethernet0/0

mpls ip

interface Ethernet0/1

mpls ip

interface Ethernet0/2

mpls ip

exit

mpls ldp router-id Loopback0 force

R5

conf t

no mpls ip propagate-ttl

interface Ethernet0/0

mpls ip
interface Ethernet0/1

mpls ip

interface Ethernet0/2

mpls ip

exit

mpls ldp router-id Loopback0 force

3.2 MPLS VPN part 2

Refer to "diagram 3 BGP topology" and "diagram 4 VPN technology"

The global and regional service providers have agreed to transport the ACME VPN via PE to PE

eBGP peering that are already preconfigured. Complete all the config of mpls L3 VPN in the ACME

network according to the following requirements

• R1 must reflect VPNv4 prefixes from any PE to any other PE in AS 12345

• R2 and R3 must establish eBGP peering with both global SP (As 10001 and AS 10002) for the

following VRF's

BLUE

GREEN

RED

YELLOW

INET
• R6 must establish an eBGP peering with the regional SP (AS 20001) for the following VRFs

GREEN

BLUE

INET

• R7 must establish an eBGP peering with the regional SP (AS 20002) for the following VRFs

BLUE

RED

INET

• All ip add used for eBGP peering must pass the BGP's directly connected check

• No BGP speaker in AS 12345 may use the network or redistribute statement under any

address-family of the BGP router config

• At the end of the exam scenario the interface E0/0 of the gateway router in any remote site

must be able to connect to the int E0/0 of any other remote gateway that belongs to AS

65111 or AS 65222

• Use the following tests as examples of connectivity checks

R12# ping 10.2.19.1 so E0/0

!!!!!

R12# trace 10.2.19.1 so E0/0

(10 hops)
Solution:

!!! Warning: on the IOU topology the R13-ISP5 link is configured as 201.2.13.0/30 --- it should be changed to 202.2.13.0/30

R1


conf t

router bgp 12345

address-family vpnv4

neighbor 123.2.2.2 activate

neighbor 123.2.2.2 send-community extended

neighbor 123.2.2.2 route-reflector-client

neighbor 123.3.3.3 activate

neighbor 123.3.3.3 send-community extended

neighbor 123.3.3.3 route-reflector-client

neighbor 123.6.6.6 activate

neighbor 123.6.6.6 send-community extended

neighbor 123.6.6.6 route-reflector-client

neighbor 123.7.7.7 activate

neighbor 123.7.7.7 send-community extended

neighbor 123.7.7.7 route-reflector-client

R3
conf t

router bgp 12345

address-family vpnv4

neighbor 123.1.1.1 activate

neighbor 123.1.1.1 send-community extended

exit

address-family ipv4 vrf YELLOW

neighbor 102.2.123.1 remote-as 10002

neighbor 102.2.123.1 activate

exit

address-family ipv4 vrf BLUE

neighbor 102.2.123.1 remote-as 10002

neighbor 102.2.123.1 activate

exit

address-family ipv4 vrf GREEN

neighbor 102.2.123.1 remote-as 10002

neighbor 102.2.123.1 activate

exit

address-family ipv4 vrf INET

neighbor 102.2.123.1 remote-as 10002

neighbor 102.2.123.1 activate

exit

address-family ipv4 vrf RED

neighbor 102.2.123.1 remote-as 10002

neighbor 102.2.123.1 activate

R2

conf t

router bgp 12345

address-family vpnv4

neighbor 123.1.1.1 activate

neighbor 123.1.1.1 send-community extended

exit

address-family ipv4 vrf YELLOW

neighbor 101.1.123.1 remote-as 10001

neighbor 101.1.123.1 activate

exit

address-family ipv4 vrf BLUE

neighbor 101.1.123.1 remote-as 10001

neighbor 101.1.123.1 activate

exit

address-family ipv4 vrf GREEN

neighbor 101.1.123.1 remote-as 10001

neighbor 101.1.123.1 activate

exit

address-family ipv4 vrf INET

neighbor 101.1.123.1 remote-as 10001

neighbor 101.1.123.1 activate

exit

address-family ipv4 vrf RED

neighbor 101.1.123.1 remote-as 10001

neighbor 101.1.123.1 activate

R6

conf t

router bgp 12345

address-family vpnv4

neighbor 123.1.1.1 activate

neighbor 123.1.1.1 send-community extended

exit

address-family ipv4 vrf INET

neighbor 201.1.123.1 remote-as 20001

neighbor 201.1.123.1 activate

exit

address-family ipv4 vrf BLUE

neighbor 201.1.123.1 remote-as 20001

neighbor 201.1.123.1 activate

exit

address-family ipv4 vrf GREEN

neighbor 201.1.123.1 remote-as 20001

neighbor 201.1.123.1 activate


R7

conf t

router bgp 12345

address-family vpnv4

neighbor 123.1.1.1 activate

neighbor 123.1.1.1 send-community extended

exit

address-family ipv4 vrf BLUE

neighbor 202.2.123.1 remote-as 20002

neighbor 202.2.123.1 activate

exit

address-family ipv4 vrf INET

neighbor 202.2.123.1 remote-as 20002

neighbor 202.2.123.1 activate

exit

address-family ipv4 vrf RED

neighbor 202.2.123.1 remote-as 20002

neighbor 202.2.123.1 activate

exit

R12

conf t
router bgp 65111

address-family ipv4

redistribute connected

R13

conf t

router bgp 65111

address-family ipv4

redistribute connected

R14

conf t

router bgp 65111

address-family ipv4

redistribute connected

R20

conf t

router bgp 65112

address-family ipv4

neighbor 10.120.15.5 weight 100
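The section 3.2 rules (every VRF peer activated, extended communities on the VPNv4 peers, no network or redistribute statement inside AS 12345) can be checked mechanically. The Python audit below is an added example, not part of the workbook; the SAMPLE_CONFIG it runs on is constructed in running-config style after R3's solution, with deliberate defects so the audit has something to report.

```python
# Added example (not workbook code): audit a PE's BGP config against the
# section 3.2 rules. SAMPLE_CONFIG is constructed in running-config style
# and deliberately omits 'activate' in vrf RED and adds a redistribute line.
import re

SAMPLE_CONFIG = """\
router bgp 12345
 address-family vpnv4
  neighbor 123.1.1.1 activate
  neighbor 123.1.1.1 send-community extended
 exit-address-family
 address-family ipv4 vrf YELLOW
  neighbor 102.2.123.1 remote-as 10002
  neighbor 102.2.123.1 activate
 exit-address-family
 address-family ipv4 vrf RED
  neighbor 102.2.123.1 remote-as 10002
 exit-address-family
 address-family ipv4 vrf INET
  neighbor 102.2.123.1 remote-as 10002
  neighbor 102.2.123.1 activate
  redistribute connected
 exit-address-family
"""

def parse_bgp(config):
    """Return (local_as, {address-family: [lines]}); pre-AF lines go to 'global'."""
    local_as, current, sections = None, None, {}
    for raw in config.splitlines():
        line = raw.strip()
        head = re.match(r"router bgp (\d+)$", line)
        if head:
            local_as, current = int(head.group(1)), "global"
            sections[current] = []
        elif current is None or line in ("", "!"):
            continue
        elif line.startswith("address-family "):
            current = line[len("address-family "):]
            sections[current] = []
        elif line == "exit-address-family":
            current = "global"
        else:
            sections[current].append(line)
    return local_as, sections

def _peers(lines, *suffixes):
    """Neighbor addresses whose line ends with any of the given suffixes."""
    return {l.split()[1] for l in lines
            if l.startswith("neighbor ") and l.endswith(suffixes)}

def audit(config, expected_vrfs):
    """Return a list of findings; an empty list means the config passes."""
    local_as, sections = parse_bgp(config)
    findings = []
    # 1. every required VRF has its eBGP peer both defined and activated
    for vrf in expected_vrfs:
        af = sections.get(f"ipv4 vrf {vrf}")
        if af is None:
            findings.append(f"vrf {vrf}: address-family missing")
            continue
        defined = {l.split()[1] for l in af if " remote-as " in l}
        for peer in sorted(defined - _peers(af, " activate")):
            findings.append(f"vrf {vrf}: neighbor {peer} never activated")
    # 2. VPNv4 peers must send extended communities (route targets)
    vpnv4 = sections.get("vpnv4", [])
    missing = _peers(vpnv4, " activate") - _peers(vpnv4, " extended", " both")
    for peer in sorted(missing):
        findings.append(f"vpnv4: neighbor {peer} lacks send-community extended")
    # 3. no BGP speaker in AS 12345 may use network or redistribute
    if local_as == 12345:
        for name, lines in sections.items():
            for l in lines:
                if l.startswith(("network ", "redistribute ")):
                    findings.append(f"{name}: '{l}' is not allowed in AS 12345")
    return findings
```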

3.3 DMVPN

Configure DMVPN phase 3 in the ACME APAC region (AS 45678 and 65222) as per the following requirements

• Use the preconfigured interface tunnel 0 on all the three routers in order to accomplish this

task

• R17 must be the hub router

• R18 and R19 must be the spoke and must participate in NHRP information exchange

• Disable send icmp redirect message on all three tunnel interfaces

• Configure the following parameters on all the three tunnel interfaces

bandwidth 1000 kbps

delay 10000 msec

mtu 1400 bytes

tcp mss 1380

• Authenticate NHRP using the string 45678key

• Use NHRP network-id 45678

• Config NHRP hold time to 5 min

• Ensure that spoke to spoke traffic does not transit via the hub

• "Ensure that DMVPN should be established via VRF on each routers."

now what can we make of it?

!!! THERE ARE 2 VARIATIONS – WITH AND WITHOUT VRF LOCALSP: BELOW CONFIGURATION WITHOUT VRF:
Solution:

R17

conf t

int tun 0

ip nhrp redirect

no ip redirects

bandwidth 1000

delay 1000 ----- IOS interface delay is in tens of microseconds, so 1000 = 10000 microseconds

ip mtu 1400

ip tcp adjust-mss 1380

ip nhrp authentication 45678key ----- NHRP authentication string required by the task; tunnel key sets the GRE key and is not NHRP authentication

tunnel key 45678

ip nhrp network-id 45678

ip nhrp holdtime 300

R18

conf t

int tun 0

ip nhrp shortcut

no ip redirects

bandwidth 1000

delay 1000
ip mtu 1400

ip tcp adjust-mss 1380

ip nhrp authentication 45678key ----- NHRP authentication string required by the task

tunnel key 45678

ip nhrp network-id 45678

ip nhrp holdtime 300

R19

conf t

int tun 0

ip nhrp shortcut

no ip redirects

bandwidth 1000

delay 1000

ip mtu 1400

ip tcp adjust-mss 1380

ip nhrp authentication 45678key ----- NHRP authentication string required by the task

tunnel key 45678

ip nhrp network-id 45678

ip nhrp holdtime 300

!!! THERE ARE 2 VARIATIONS – WITH AND WITHOUT VRF LOCALSP: BELOW CONFIGURATION WITH VRF:

Solution:
R17

conf t

int tun 0

tunnel vrf LOCALSP

ip nhrp redirect

no ip redirects

bandwidth 1000

delay 1000

ip mtu 1400

ip tcp adjust-mss 1380

ip nhrp authentication 45678key ----- NHRP authentication string required by the task

tunnel key 45678

ip nhrp network-id 45678

ip nhrp holdtime 300

R18

conf t

int tun 0

tunnel vrf LOCALSP

ip nhrp shortcut

no ip redirects

bandwidth 1000

delay 1000


ip mtu 1400

ip tcp adjust-mss 1380

ip nhrp authentication 45678key ----- NHRP authentication string required by the task

tunnel key 45678

ip nhrp network-id 45678

ip nhrp holdtime 300

R19

conf t

int tun 0

tunnel vrf LOCALSP

ip nhrp shortcut

no ip redirects

bandwidth 1000

delay 1000

ip mtu 1400

ip tcp adjust-mss 1380

ip nhrp authentication 45678key ----- NHRP authentication string required by the task

tunnel key 45678

ip nhrp network-id 45678

ip nhrp holdtime 300

3.4 DMVPN Encryption

Refer to "Diagram 4 VPN technology"


Secure the DMVPN tunnel using IPSEC according to the following requirements

• configure IKE phase 1 as per the following

Use AES encryption with the pre-shared key CCIE

The key must appear in plain text in the config

All IPSEC tunnels must be authenticated using the same IKE phase 1 pre-shared key

Use 1024 bits for the key exchange using the Diffie-Hellman algorithm

• configure a single policy using priority 10

• config IKE phase 2 as per the following requirements

use CCIEXFORM as transform set name

use DMVPNPROFILE as IPSEC profile name

use IPSEC in transport mode

use the IPSEC protocol ESP and algorithm AES with 128 bits

• Ensure that the DMVPN cloud is secured using above parameters. use tunnel protection in

your config

!!! THERE ARE 2 VARIATIONS – WITH AND WITHOUT VRF LOCALSP: BELOW CONFIGURATION WITHOUT VRF:
Solution:

R18

conf t

crypto isakmp policy 10

encr aes

group 2

authentication pre-share

exit

crypto isakmp key CCIE address 0.0.0.0

crypto ipsec transform-set CCIEXFORM esp-aes ----- esp-aes alone is AES-128 encryption with no integrity transform (no esp-sha-hmac), exactly what the task asks for

mode transport

exit

crypto ipsec profile DMVPNPROFILE

set transform-set CCIEXFORM

exit

int tun 0

tunnel protection ipsec profile DMVPNPROFILE

R19

conf t

crypto isakmp policy 10

encr aes
group 2

authentication pre-share

exit

crypto isakmp key CCIE address 0.0.0.0

crypto ipsec transform-set CCIEXFORM esp-aes

mode transport

exit

crypto ipsec profile DMVPNPROFILE

set transform-set CCIEXFORM

exit

int tun 0

tunnel protection ipsec profile DMVPNPROFILE

R17

conf t

crypto isakmp policy 10

encr aes

group 2

authentication pre-share

exit

crypto isakmp key CCIE address 0.0.0.0

crypto ipsec transform-set CCIEXFORM esp-aes

mode transport

exit
crypto ipsec profile DMVPNPROFILE

set transform-set CCIEXFORM

exit

int tun 0

tunnel protection ipsec profile DMVPNPROFILE

!!! THERE ARE 2 VARIATIONS – WITH AND WITHOUT VRF LOCALSP: BELOW CONFIGURATION WITH

VRF:

Solution:

R18

conf t

crypto isakmp policy 10

encr aes

group 2

authentication pre-share

exit

crypto keyring DMVPN vrf LOCALSP

pre-shared-key address 0.0.0.0 0.0.0.0 key CCIE

exit

crypto ipsec transform-set CCIEXFORM esp-aes

mode transport
exit

crypto ipsec profile DMVPNPROFILE

set transform-set CCIEXFORM

exit

int tun 0

tunnel protection ipsec profile DMVPNPROFILE

R19

conf t

crypto isakmp policy 10

encr aes

group 2

authentication pre-share

exit

crypto keyring DMVPN vrf LOCALSP

pre-shared-key address 0.0.0.0 0.0.0.0 key CCIE

exit

crypto ipsec transform-set CCIEXFORM esp-aes

mode transport

exit

crypto ipsec profile DMVPNPROFILE

set transform-set CCIEXFORM

exit

int tun 0
tunnel protection ipsec profile DMVPNPROFILE

R17

conf t

crypto isakmp policy 10

encr aes

group 2

authentication pre-share

exit

crypto keyring DMVPN vrf LOCALSP

pre-shared-key address 0.0.0.0 0.0.0.0 key CCIE

exit

crypto ipsec transform-set CCIEXFORM esp-aes

mode transport

exit

crypto ipsec profile DMVPNPROFILE

set transform-set CCIEXFORM

exit

int tun 0

tunnel protection ipsec profile DMVPNPROFILE

Section 4 Infrastructure security

4.1 Device security


• Configure R20 in the ACME San Jose office as per the following

• All users who connect to R20 via the console or via any of the VTY lines using SSH must be

prompted with the below message before any other prompt is displayed

WARNING!ACCESS RESTRICTED

• Do not use any other spaces or any other characters

Solution:

R20

conf t

banner motd L

WARNING!ACCESS RESTRICTEDL

banner login L

WARNING!ACCESS RESTRICTEDL

exit

4.2 Network Security

Configure ACME New York office as per the following


• Ensure that int E0/0-3 of Sw3 forward traffic sent from expected and legitimate users

only

• Sw3 must dynamically learn only one mac address per port and must save the mac address in

its startup config

• Sw3 must shut down the port if a security violation occurs on any of the four ports

Solution:

SW3

conf t

int range e 0/0-3

switchport port-security ----- the default maximum of 1 address and the default violation mode shutdown cover the last two requirements

switchport port-security mac-address sticky

end

copy running-config startup-config ----- sticky addresses are written to the running config as they are learned; save after they have been learned so they are in the startup config

SECTION 5 Infrastructure Services

5.1 System management

• Configure R20 in the ACME San Jose office as per the following

• Establish SSH access in R20 using the domain name acme.org

• R20 must accept up to five remote authorized users to connect at the same time using SSH
• Create the user "test" with password "test" in local database of R20

• Ensure that R20 accepts SSH connections from clients with source ip in 123.10.2.0/24. All

other source ips should be denied. Use a standard ACL to accomplish this

• R20 must generate a syslog message for all SSH connection attempts whether permitted or

denied

• When authenticated, the username test must be granted privilege level 1

• Do not enable aaa new-model on R20

• Ensure that SSH is the only remote access method permitted on the VTY lines of R20

• Ensure that the console is not affected by your solution and no username prompt is

presented on the console port

• Test your solution from any device that is located in AS 34567 and ensure that the following

sequence of command produce the following output

R10 # ssh -l test 123.20.20.20

WARNING!ACCESS RESTRICTED

R20>

R20>sh privilege

current privilege level is 1

R20>

R20>q

R10#

Solution:
R20

conf t

username test password test

ip domain-name acme.org

crypto key generate rsa modulus 1024

ip ssh maxstartups 5

login on-success log

login on-failure log

ip ssh logging events

line vty 0 4

access-class 9 in

privilege level 1

transport input ssh

login local

exit

access-list 9 permit 123.10.2.0 0.0.0.255

5.2 Network Services

Configure the ACME network as per the following

• R20 must enable all private corporate traffic that is originated from any host with source ip

address 10.1.0.0/16 or 10.2.0.0/16 to connect to any public destination that is located in AS

34567

• All remote sites in AS 65111 and 65222 must be able to connect to the public destinations

• R20 must swap the source ip address in these packets with the ip address of its lo0

• R20 must allow multiple concurrent connections

• Use a standard ACL to accomplish this.

• The following tests must succeed after the above requirements (in addition to previous

requirements) are achieved

R12# ping 1.2.3.4 so E0/0

!!!!!

R18# ping 1.2.3.4 so E0/0

!!!!!

Solution:

R20

conf t

interface Ethernet0/0.12

ip nat inside

interface Ethernet0/0.13

ip nat inside

interface Ethernet0/0.14

ip nat inside
interface Ethernet0/0.15

ip nat inside

interface Ethernet0/0.99

ip nat outside

interface Ethernet0/1.12

ip nat inside

interface Ethernet0/1.13

ip nat inside

interface Ethernet0/1.14

ip nat inside

interface Ethernet0/1.15

ip nat inside

interface Ethernet0/1.99

ip nat outside

int loo 0

ip nat outside

exit

ip nat inside source list 10 interface Loopback0 overload

access-list 10 permit 10.1.0.0 0.0.255.255

access-list 10 permit 10.2.0.0 0.0.255.255
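The standard ACLs in 5.1 (access-class 9 on the VTY lines) and 5.2 (NAT source list 10) both rely on wildcard-mask matching with first-match semantics and an implicit deny at the end. The Python below is an added example, not workbook code, that evaluates such ACLs offline and reports which entry matched; ACL_9 and ACL_10 are constructed from the two solutions.

```python
# Added example (not workbook code): evaluate IOS standard ACLs the way the
# router does (first match wins, implicit deny at the end) so the ACLs behind
# 'access-class 9 in' (5.1) and 'ip nat inside source list 10' (5.2) can be
# checked against candidate source addresses without a lab.
import ipaddress

# Constructed ACL text, copied from the two solutions above.
ACL_9 = ["access-list 9 permit 123.10.2.0 0.0.0.255"]
ACL_10 = ["access-list 10 permit 10.1.0.0 0.0.255.255",
          "access-list 10 permit 10.2.0.0 0.0.255.255"]

def _addr(text):
    return int(ipaddress.IPv4Address(text))

def parse_standard_acl(lines):
    """Parse 'access-list N permit|deny <any | host A | A wildcard | A>' lines
    into (action, address, wildcard, original text) tuples, in order."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            continue  # remarks and unrelated lines
        if tok[3] == "any":
            addr, wild = 0, 0xFFFFFFFF
        elif tok[3] == "host":
            addr, wild = _addr(tok[4]), 0
        else:  # 'A wildcard'; a bare address is shorthand for host A
            addr = _addr(tok[3])
            wild = _addr(tok[4]) if len(tok) > 4 and tok[4] != "log" else 0
        entries.append((tok[2], addr, wild, line.strip()))
    return entries

def evaluate(entries, source):
    """Return (action, matched entry text) for one source address. A wildcard
    bit of 1 means 'don't care', so only the bits the mask leaves 0 are compared."""
    s = _addr(source)
    for action, addr, wild, text in entries:
        care = ~wild & 0xFFFFFFFF
        if s & care == addr & care:
            return action, text
    return "deny", "implicit deny"

def permitted(lines, source):
    """Convenience wrapper: does the ACL text permit this source?"""
    return evaluate(parse_standard_acl(lines), source)[0] == "permit"
```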

5.3 Network Optimization

Configure R17 as per the following requirements

• The output shown below must be seen on R19 during 10 sec after R15 successfully pings interface lo0 of R19

R15# ping 123.19.19.19

!!!!!

R17 sh ip flow top

srcif srcipadd destif destipadd pr srcp dstp byte

e0/1 123.20.1.9 tun0 123.19.19.9 01 000 000 500

Solution:

R17

conf t

interface Ethernet 0/1

ip flow ingress

exit

ip flow-top-talkers

top 1

sort-by bytes

cache-timeout 10000

match protocol 1

match source address 123.20.1.9 255.255.255.255

match destination address 123.19.19.19 255.255.255.255

5.4 Network Services

Configure ACME as per the following requirements

• Sw3 must provide an authoritative time source to the ACME network

• R10 and R12 must sync their clock to Sw3 using ntp v4 for ipv6

• R10 and R12 must operate in client mode

• Sw3 must not capture or use any time info that is sent by R12 and R14

• All NTP traffic must be sourced and destined to interface lo0 of the corresponding devices

Solution:

SW3

conf t

ntp source Loopback0

ntp master 5

interface Loopback0

ip address 123.33.33.33 255.255.255.255

ipv6 address 2001:CC1E:BEF:0:123:33:33:33/128

ntp disable ip

ospfv3 1 ipv6 area 0


R10

conf t

ntp source Loopback0

ntp server 2001:CC1E:BEF:0:123:33:33:33

interface Loopback0

ip address 123.10.10.10 255.255.255.255

ipv6 address 2001:CC1E:BEF:0:123:10:10:10/64

ospfv3 1 ipv6 area 0

R12

conf t

ntp source Loopback0

ntp server 2001:CC1E:BEF:0:123:33:33:33

interface Loopback0

ipv6 address 2001:CC1E:BEF:1:123:12:12:12/64

exit

router bgp 65111

address-family ipv6

network 2001:CC1E:BEF:1::/64

the end…