Volume 3: Lab 1: Proctor Guide

A companion to the IPexpert CCIE R&S Lab Preparation Workbook (Vol. 3)

This product is part of the IPexpert Blended Learning Program™


IPexpert CCIE R&S Proctor Guide Volume 3 - Lab 1

Volume 3 - Lab 1 Solution

• Complete Mock Lab Exam

Prerequisites
• None

Estimated Time to Complete: 8 hours

Copyright © 2008 by IPexpert, Inc. All Rights Reserved.


NOTE
As a general rule of thumb, we recommend that you read the
ENTIRE lab prior to beginning.

1.0 Switching
Task 1.1
Configure the switches as follows:
VTP domain apples
VTP password oranges

Cat1 should be the VTP server. The other switches should be VTP clients. On Cat1 and Cat2, ‘show vtp
status’ should show the loopback1 interface as the local updater ID, and as the preferred interface.

Cat1(config)#vtp domain apples
Changing VTP domain name from NULL to apples
Cat1(config)#vtp password oranges
Setting device VLAN database password to oranges
Cat1(config)#vlan 100
Cat1(config-vlan)#vlan 200
Cat1(config-vlan)#vlan 12
Cat1(config-vlan)#vlan 67
Cat1(config-vlan)#vlan 123
Cat1(config)#vtp interface lo1

Cat2(config)#vtp domain apples
Changing VTP domain name from NULL to apples
Cat2(config)#vtp password oranges
Setting device VLAN database password to oranges
Cat2(config)#vtp interface lo1
Cat2(config)#vtp mode client
Setting device to VTP CLIENT mode.

Cat3(config)#vtp domain apples
Changing VTP domain name from NULL to apples
Cat3(config)#vtp password oranges
Setting device VLAN database password to oranges
Cat3(config)#vtp mode client
Setting device to VTP CLIENT mode.

Cat4(config)#vtp domain apples
Changing VTP domain name from NULL to apples
Cat4(config)#vtp password oranges
Setting device VLAN database password to oranges
Cat4(config)#vtp mode client
Setting device to VTP CLIENT mode.

Configure VLAN assignment as shown in the chart in the workbook.

Cat1(config)#int fa0/11
Cat1(config-if)#swit mo acc
Cat1(config-if)#swit acc vl 100
Cat1(config-if)#int fa0/2
Cat1(config-if)#swit mo acc
Cat1(config-if)#swit acc vl 12
Cat1(config-if)#int fa0/4
Cat1(config-if)#swit mo acc
Cat1(config-if)#swit acc vl 200

Cat2(config)#int fa0/12
Cat2(config-if)#swit mo acc
Cat2(config-if)#swit acc vl 200
Cat2(config-if)#int fa0/1
Cat2(config-if)#swit mo acc
Cat2(config-if)#swit acc vl 12
Cat2(config-if)#int fa0/6
Cat2(config-if)#swit mo acc
Cat2(config-if)#swit acc vl 67
Cat2(config-if)#int fa0/7
Cat2(config-if)#swit mo acc
Cat2(config-if)#swit acc vl 67

Cat4(config)#int fa0/7
Cat4(config-if)#swit mo acc
Cat4(config-if)#swit acc vlan 100

Fast Ethernet ports 19 and 20 and the Gi0/1 and Gi0/2 ports should be shut down on all 4 switches.

Cat1(config)#int range fa0/19 , fa0/20 , gi0/1, gi0/2
Cat1(config-if-range)#shut

Cat2(config)#int range fa0/19 , fa0/20 , gi0/1, gi0/2
Cat2(config-if-range)#shut

Cat3(config)#int range fa0/19 , fa0/20 , gi0/1, gi0/2
Cat3(config-if-range)#shut

Cat4(config-if)#int range fa0/19, fa0/20, gi0/1, gi0/2
Cat4(config-if-range)#shut

Each pair of ports connecting two switches should be seen as a single logical link. Encapsulation for
trunks between switches should be statically configured, not dynamically negotiated, and should use
dot1q tags. Use a native VLAN of 123. Do not use PAgP or LACP. For ports 21/22 use group 21, for
ports 23/24, use group 23.

Cat1(config)#int range fa0/21,fa0/22
Cat1(config-if-range)#channel-group 21 mode on
Creating a port-channel interface Port-channel 21

Cat1(config)#int range fa0/23,fa0/24
Cat1(config-if-range)#channel-group 23 mode on
Creating a port-channel interface Port-channel 23

Cat2(config)#int range fa0/21,fa0/22
Cat2(config-if-range)#channel-group 21 mode on
Creating a port-channel interface Port-channel 21

Cat2(config)#int range fa0/23,fa0/24
Cat2(config-if-range)#channel-group 23 mode on
Creating a port-channel interface Port-channel 23

Cat3(config)#int range fa0/21,fa0/22
Cat3(config-if-range)#channel-group 21 mode on
Creating a port-channel interface Port-channel 21

Cat3(config)#int range fa0/23,fa0/24
Cat3(config-if-range)#channel-group 23 mode on
Creating a port-channel interface Port-channel 23

Cat4(config)#int range fa0/21,fa0/22
Cat4(config-if-range)#channel-group 21 mode on
Creating a port-channel interface Port-channel 21

Cat4(config)#int range fa0/23,fa0/24
Cat4(config-if-range)#channel-group 23 mode on
Creating a port-channel interface Port-channel 23

Cat1(config)#int range po21, po23
Cat1(config-if-range)#swit trunk encap dot1q
Cat1(config-if-range)#swit trun native vlan 123
Cat1(config-if-range)#swit mode trunk

Cat2(config)#int range po21, po23
Cat2(config-if-range)#swit trunk encap dot1q
Cat2(config-if-range)#swit trun native vlan 123
Cat2(config-if-range)#swit mode trunk

Cat3(config)#int range po21, po23
Cat3(config-if-range)#swit trunk encap dot1q
Cat3(config-if-range)#swit trun native vlan 123
Cat3(config-if-range)#swit mode trunk

Cat4(config)#int range po21, po23
Cat4(config-if-range)#swit trunk encap dot1q
Cat4(config-if-range)#swit trun native vlan 123
Cat4(config-if-range)#swit mode trunk

Task 1.2
Switch 1 should be the spanning tree root for vlans 12, 67, 100. Switch 2 should be root for VLAN 200.
Do not configure the switches for 802.1s.

Cat1(config)#span vlan 12 root primary
Cat1(config)#span vlan 67 root primary
Cat1(config)#span vlan 100 root primary

Cat2(config)#span vlan 200 root primary

Ports that are connected to routers and that are used in the logical topology should be configured such
that a TCN will not be generated if the port goes up or down. This should be configured per port, not
globally.

Cat1(config)#int range fa0/11, fa0/2, fa0/4
Cat1(config-if-range)#span portfast

Cat2(config)#int range fa0/12, fa0/1, fa0/6, fa0/7
Cat2(config-if-range)#span portfast

Cat4(config)#int range fa0/7
Cat4(config-if-range)#span portfast

Task 1.3
Configure Switch1’s connection to R1’s Fa0/0 without using an SVI.

Cat1(config)#int fa0/1
Cat1(config-if)#no swit
Cat1(config-if)#ip address 141.41.35.35 255.255.255.0

Task 1.4
Configure Switch2 for a system MTU of 1508, and for the template that will allocate the TCAM resources
to support the highest number of indirect unicast routes.

→ Both of these will require a reload.

Cat2(config)#system mtu 1508
Cat2(config)#sdm prefer routing

→ Verify the number of routes supported with “show sdm prefer”.

Cat2#show sdm prefer routing
"desktop routing" template:
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.

number of unicast mac addresses: 3K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 11K
number of directly-connected IPv4 hosts: 3K
number of indirect IPv4 routes: 8K
number of IPv4 policy based routing aces: 512
number of IPv4/MAC qos aces: 512
number of IPv4/MAC security aces: 1K

Configure Switch2 for DHCP snooping for VLAN 67.

Cat2(config)#ip dhcp snooping
Cat2(config)#ip dhcp snooping vlan 67

2.0 Frame Relay / PPP

Task 2.1
Configure the frame relay connections between R2, R6, and R5 as follows:

On R2 and R6, do not use any subinterfaces. On R5, use a multipoint subinterface for the
network connecting to R2 and R6. For the subnet between R2, R5, and R6, address mappings to DLCIs
should be statically configured.

R2(config)#int ser0/1/0
R2(config-if)#encap frame
R2(config-if)#frame map ip 141.41.26.5 205 broadcast
R2(config-if)#frame map ip 141.41.26.6 206 broadcast
R2(config-if)#frame map ip 141.41.26.2 205
R2(config-if)#ip address 141.41.26.2 255.255.255.0

R5(config)#int ser0/1/0
R5(config-if)#encap frame
R5(config)#int ser0/1/0.1 multipoint
R5(config-subif)#frame map ip 141.41.26.2 502 broad
R5(config-subif)#frame map ip 141.41.26.5 502
R5(config-subif)#frame map ip 141.41.26.6 502
R5(config-subif)#ip address 141.41.26.5 255.255.255.0

R6(config)#int ser0/1/0
R6(config-if)#encap frame
R6(config-if)#frame map ip 141.41.26.2 602 broad
R6(config-if)#frame map ip 141.41.26.6 602
R6(config-if)#frame map ip 141.41.26.5 602
R6(config-if)#ip address 141.41.26.6 255.255.255.0

Task 2.2
For the connection between R4 and R5, use a PPP over frame configuration with RFC 1973
Encapsulation. The connection should use CHAP authentication. For authentication, both devices should
use a username of T3ST123 and a password of PPPoverFr@m3. Both sides should challenge and
respond.

R4(config)#username T3ST123 password PPPoverFr@m3

R4(config)#int virtual-template 1
R4(config-if)#ip address 141.141.45.4 255.255.255.0
R4(config-if)#ppp chap hostname T3ST123
R4(config-if)#no ppp chap ignoreus
R4(config-if)#ppp authent chap

R4(config)#int ser0/0/0
R4(config-if)#encap frame
R4(config-if)#frame interface-dlci 405 ppp virtual-Template 1
R4(config-if)#exit

R5(config)#username T3ST123 password PPPoverFr@m3

R5(config)#int virtual-template 1
R5(config-if)#ip address 141.141.45.5 255.255.255.0
R5(config-if)#ppp chap hostname T3ST123
R5(config-if)#ppp authent chap
R5(config-if)#no ppp chap ignoreus

R5(config)#int ser0/1/0
R5(config-if)#frame-relay interface-dlci 504 ppp virtual-template 1

→ Look at the output of “debug PPP authentication”. O is outbound, I is inbound. You
should see two challenges (one O, one I), two responses, and two SUCCESS.

Vi2 CHAP: O CHALLENGE id 79 len 28 from "T3ST123"
Vi2 CHAP: I CHALLENGE id 79 len 28 from "T3ST123"
Vi2 CHAP: O RESPONSE id 79 len 28 from "T3ST123"
Vi2 CHAP: I RESPONSE id 79 len 28 from "T3ST123"
Vi2 CHAP: O SUCCESS id 79 len 4
Vi2 CHAP: I SUCCESS id 79 len 4
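
The six debug lines map onto RFC 1994 CHAP packets. The Python below is an added example, not part of the original guide: it builds the challenge, response and status packets for one direction, then runs the handshake both ways with the name and password from this task. The function names and the 16-byte challenge size are assumptions of the example; with a 7-character name they give the "len 28" and "len 4" seen in the debug, and only an MD5 digest of the password crosses the link.

```python
import hashlib
import hmac
import os
import struct

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4  # RFC 1994 Code values

# From the task: both routers use the same CHAP name and the same secret.
NAME = b"T3ST123"
SECRET = b"PPPoverFr@m3"


def value_packet(code, ident, value, name):
    """Challenge/Response: Code, Identifier, Length, Value-Size, Value, Name."""
    length = 4 + 1 + len(value) + len(name)
    return struct.pack("!BBHB", code, ident, length, len(value)) + value + name


def status_packet(code, ident, message=b""):
    """Success/Failure: Code, Identifier, Length, optional Message."""
    return struct.pack("!BBH", code, ident, 4 + len(message)) + message


def parse_value_packet(packet):
    """Return (code, ident, value, name); reject inconsistent length fields."""
    if len(packet) < 5:
        raise ValueError("truncated CHAP packet")
    code, ident, length, vsize = struct.unpack("!BBHB", packet[:5])
    if length != len(packet) or 5 + vsize > length:
        raise ValueError("CHAP length fields do not match the packet")
    return code, ident, packet[5:5 + vsize], packet[5 + vsize:]


def response_value(ident, secret, challenge):
    """RFC 1994: MD5 over Identifier || secret || Challenge Value."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def one_way_chap(ident, auth_users, peer_users, auth_name, peer_name, challenge=None):
    """One direction of the handshake; returns (challenge, response, status) packets.

    auth_users and peer_users stand in for each router's
    'username ... password ...' entries (name -> secret).
    """
    challenge = os.urandom(16) if challenge is None else challenge
    chal_pkt = value_packet(CHALLENGE, ident, challenge, auth_name)

    # Peer: look up the secret for the challenger's name, hash it with the challenge.
    _, rx_id, rx_chal, rx_name = parse_value_packet(chal_pkt)
    digest = response_value(rx_id, peer_users.get(rx_name, b""), rx_chal)
    resp_pkt = value_packet(RESPONSE, rx_id, digest, peer_name)

    # Authenticator: recompute with its own copy of the secret, compare in
    # constant time, and fail closed when the peer name is unknown.
    _, _, rx_digest, rx_peer = parse_value_packet(resp_pkt)
    secret = auth_users.get(rx_peer)
    ok = secret is not None and hmac.compare_digest(
        rx_digest, response_value(ident, secret, challenge))
    return chal_pkt, resp_pkt, status_packet(SUCCESS if ok else FAILURE, ident)


def lab_exchange(ident=79):
    """Both directions, as the task requires: each side challenges and responds."""
    users = {NAME: SECRET}
    r4_authenticates_r5 = one_way_chap(ident, users, users, NAME, NAME)
    r5_authenticates_r4 = one_way_chap(ident, users, users, NAME, NAME)
    return r4_authenticates_r5, r5_authenticates_r4


if __name__ == "__main__":
    for direction in lab_exchange():
        for pkt in direction:
            length = struct.unpack("!H", pkt[2:4])[0]
            print(f"code={pkt[0]} id={pkt[1]} len={length}")
```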

Task 2.3
Configure the serial link connecting R2 and R5 for PPP encapsulation, using plaintext authentication. R2
should receive its IP address from R5. Configure for a maximum of 3 bad authentication retries.
Configure link control and IP control to predict peer responses.

R5(config)#username cisco password cisco

R5(config)#int ser0/2/0
R5(config-if)#encap ppp
R5(config-if)#ip address 141.141.205.5 255.255.255.0
R5(config-if)#no shut
R5(config-if)#ppp ipcp predictive
R5(config-if)#ppp lcp predictive
R5(config-if)#ppp authentication pap
R5(config-if)#ppp pap sent-username cisco password cisco
R5(config-if)#peer default ip address 141.141.205.2
R5(config-if)#ppp max-bad-auth 3

R2(config)#username cisco password cisco

R2(config)#int ser0/2/0
R2(config-if)#encap ppp
R2(config-if)#no shut
R2(config-if)#ppp authentication pap
R2(config-if)#ppp pap sent-username cisco password cisco
R2(config-if)#ppp ipcp predictive
R2(config-if)#ppp lcp predictive
R2(config-if)#ip address negotiated
R2(config-if)#ppp max-bad-auth 3

3.0 Routing

Task 3.1
Configure the connections from R6 to R7 and R9 for EIGRP AS 679. Add the loopback1 interfaces on
R6, R7, and R9 to EIGRP. Add R2’s loopback1 interface to EIGRP AS 2.

R6(config)#router eigrp 679
R6(config-router)#no auto-summary
R6(config-router)#network 141.41.67.6 0.0.0.0
R6(config-router)#network 141.41.69.6 0.0.0.0
R6(config-router)#network 141.41.70.6 0.0.0.0
R6(config-router)#network 6.6.6.6 0.0.0.0

R7(config)#router eigrp 679
R7(config-router)#no auto-summary
R7(config-router)#network 141.41.67.7 0.0.0.0
R7(config-router)#network 141.41.100.7 0.0.0.0
R7(config-router)#network 7.7.7.7 0.0.0.0

R9(config)#router eigrp 679
R9(config-router)#no auto-summary
R9(config-router)#network 141.41.69.9 0.0.0.0
R9(config-router)#network 141.41.70.9 0.0.0.0
R9(config-router)#network 9.9.9.9 0.0.0.0

R2(config)#router eigrp 2
R2(config-router)#no auto-summary
R2(config-router)#network 2.2.2.2 0.0.0.0

Task 3.2
Configure the link between R6 and R7 to use authentication for routing updates. Use key 1 and cisco as
the password.

R7(config)#key chain cisco
R7(config-keychain)#key 1
R7(config-keychain-key)#key-string cisco
R7(config-keychain-key)#int fa0/0
R7(config-if)#ip authentication mode eigrp 679 md5
R7(config-if)#ip authentication key-chain eigrp 679 cisco

R6(config)#key chain cisco
R6(config-keychain)#key 1
R6(config-keychain-key)#key-string cisco
R6(config-keychain-key)#int fa0/0
R6(config-if)#ip authentication mode eigrp 679 md5
R6(config-if)#ip authentication key-chain eigrp 679 cisco

Task 3.3
Configure R7’s connection to BB1 for EIGRP AS 679. R7 should receive routes from the backbone of the
format 201.y.x.x, where y is a number from 1 to 10. Configure R7 to only allow routes with an even
second octet. Do not configure an ACL for the filtering.

R7(config)#ip prefix-list EIGRP permit 201.2.0.0/16 le 32
R7(config)#ip prefix-list EIGRP permit 201.4.0.0/16 le 32
R7(config)#ip prefix-list EIGRP permit 201.6.0.0/16 le 32
R7(config)#ip prefix-list EIGRP permit 201.8.0.0/16 le 32
R7(config)#ip prefix-list EIGRP permit 201.10.0.0/16 le 32

R7(config)#router eigrp 679
R7(config-router)#distribute-list prefix EIGRP in fa0/1

Task 3.4
Based on the configuration of R9, R6 should learn that it should not send QUERY packets to R9, and that
R9 will only route packets for networks it has explicitly advertised.

R9(config)#router eigrp 679
R9(config-router)#eigrp stub connected

→ Verify with “show ip eigrp neighbor detail” on R6.

R6#show ip eigrp neigh det
IP-EIGRP neighbors for process 679
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   141.41.69.9             Se0/2/0           13 00:02:37    9   200  0  34
   Version 12.4/1.2, Retrans: 0, Retries: 0, Prefixes: 2
   Stub Peer Advertising ( CONNECTED ) Routes
   Suppressing queries
0   141.41.70.9             Se0/2/1           11 00:02:37    8   200  0  35
   Version 12.4/1.2, Retrans: 0, Retries: 0, Prefixes: 2
   Stub Peer Advertising ( CONNECTED ) Routes
   Suppressing queries
2   141.41.67.7             Fa0/0             11 00:13:18    1   200  0  19
   Version 12.4/1.2, Retrans: 0, Retries: 0, Prefixes: 7
R6#

Task 3.5
Configure RIP for the connection between R1 and Switch1, the PPP link between R2 and R5, and the link
from R5 to R4. Add the loopback1 interface on switch1 and R4 to RIP.

Cat1(config)#ip routing
Cat1(config)#router rip
Cat1(config-router)#version 2
Cat1(config-router)#no auto-summary
Cat1(config-router)#network 141.141.0.0
Cat1(config-router)#network 35.0.0.0

R1(config)#router rip
R1(config-router)#version 2
R1(config-router)#no auto-summary
R1(config-router)#network 141.141.0.0

R2(config)#router rip
R2(config-router)#version 2
R2(config-router)#no auto-summary
R2(config-router)#network 141.141.0.0

R5(config)#router rip
R5(config-router)#version 2
R5(config-router)#no auto-summary
R5(config-router)#network 141.141.0.0

R4(config)#router rip
R4(config-router)#version 2
R4(config-router)#no auto-summary
R4(config-router)#network 141.141.0.0
R4(config-router)#network 4.0.0.0

Task 3.6
Configure R4 to receive routes via RIP from BB2. R4 should receive routes from BB2 of the format
172.20.x.y. Only allow routes with a third octet from 33 to 46, using an access list. Your access list
should use the fewest number of lines that will not allow any extra networks.

R4(config)#access-list 20 deny 172.20.32.0 0.0.0.255
R4(config)#access-list 20 deny 172.20.47.0 0.0.0.255
R4(config)#access-list 20 permit 172.20.32.0 0.0.15.255
R4(config)#router rip
R4(config-router)#distribute-list 20 in fa0/0

→ Looking at R2, you may see that R2 is not receiving routes from R5, depending on how
you configured the earlier address assignment. Debugging RIP events on R2 will tell you
what is happening.

R2#deb ip rip events
RIP event debugging is on
R2#
* 00:41:09.854: RIP: ignored v2 update from bad source 141.141.205.5 on Serial0/2/0

→ The update is ignored because R2’s address is learned with a /32 mask, so the update
is received from an address that is not on the same network. The normal check can be
bypassed with the “no validate-update-source” command under the RIP process on R2. The
command applies to the whole RIP process, not just to updates from R5.

R2(config)#router rip
R2(config-router)#no validate-update-source

Task 3.7
Configure OSPF for the network between R2, R5, and R6 in area 256. Configure OSPF for the network
between R1, R2, and Switch 2 in area 12. Area 12 should use the option discussed in RFC 1587. Add
the loopback1 interfaces on R1 and Switch2 to area 12. Add the loopback1 interfaces of R5 and R6 to
area 0.

→ Start by configuring the networks for the areas, and add area 12 as NSSA.

R2(config)#router ospf 1
R2(config-router)#network 141.41.26.2 0.0.0.0 area 256
R2(config-router)#network 141.41.12.2 0.0.0.0 area 12
R2(config-router)#area 12 NSSA

R5(config)#router ospf 1
R5(config-router)#network 141.41.26.5 0.0.0.0 area 256
R5(config-router)#network 5.5.5.5 0.0.0.0 area 0

R6(config)#router ospf 1
R6(config-router)#network 141.41.26.6 0.0.0.0 area 256
R6(config-router)#network 6.6.6.6 0.0.0.0 area 0

Cat2(config)#ip routing
Cat2(config)#router ospf 1
Cat2(config-router)#network 141.41.12.36 0.0.0.0 area 12
Cat2(config-router)#area 12 NSSA
Cat2(config-router)#network 36.36.36.36 0.0.0.0 area 12

Cat2(config)#int vlan 12
Cat2(config-if)#ip address 141.41.12.36 255.255.255.0

R1(config)#router ospf 1
R1(config-router)#network 1.1.1.1 0.0.0.0 area 12
R1(config-router)#area 12 nssa
R1(config-router)#network 141.41.12.1 0.0.0.0 area 12

→ We also need virtual links for two reasons: area 0 is discontiguous, and R2 touches
two areas but does not touch area 0.

R2(config)#router ospf 1
R2(config-router)#area 256 virtual-link 6.6.6.6
R2(config-router)#area 256 virtual-link 5.5.5.5

R5(config)#router ospf 1
R5(config-router)#area 256 virtual-link 2.2.2.2

R6(config)#router ospf 1
R6(config-router)#area 256 virtual-link 2.2.2.2

→ Having network statements is not enough to establish the adjacency across Frame Relay.
The default OSPF network type is nonbroadcast, which will not send hellos until neighbors
are configured manually. We are not given restrictions on the OSPF network type, so you
could choose point-to-multipoint, nonbroadcast, or broadcast. When configuring broadcast or
nonbroadcast, there will be a DR election. Setting the spoke priorities to 0 will force the
hub to be the DR.

R2(config)#int ser0/1/0
R2(config-if)#ip ospf netwo broadcast

R6(config)#int ser0/1/0
R6(config-if)#ip ospf prior 0
R6(config-if)#ip ospf netw broadcast

R5(config)#int ser0/1/0.1
R5(config-subif)#ip ospf prior 0
R5(config-subif)#ip ospf netw broad

→ It is possible that the adjacency to Cat2 will not form and you may see an error message
like this one:

%OSPF-5-ADJCHG: Process 1, Nbr 36.36.36.36 on FastEthernet1/0 from EXSTART to DOWN, Neighbor Down: Too many retransmissions

→ “Debug ip ospf adj” will show you:

OSPF: Nbr 36.36.36.36 has larger interface MTU

→ Because Cat2 has a larger MTU, the adjacency will not form. You can configure R1 and R2
to ignore the MTU in the DBD packets, you can adjust the system MTU, or you can adjust
the MTU of the SVI on the switch.

R1(config)#int fa0/1
R1(config-if)#ip ospf mtu-ignore

R2(config)#int fa1/0
R2(config-if)#ip ospf mtu-ignore

Task 3.8
Configure MD5 authentication for the OSPF interfaces in area 256.

R2(config)#router ospf 1
R2(config-router)#area 256 authentication mess

R2(config)#int ser0/1/0
R2(config-if)#ip ospf message-digest-key 1 md5 cisco

R5(config)#router ospf 1
R5(config-router)#area 256 authent mess
R5(config-router)#int ser0/1/0.1
R5(config-subif)#ip ospf message-digest-key 1 md5 cisco

R6(config)#router ospf 1
R6(config-router)#area 256 authent mess
R6(config-router)#int ser0/1/0
R6(config-if)#ip ospf message-digest-key 1 md5 cisco

Task 3.9
Redistribute as needed on R1, R2, R5, and R6, so that all routers can reach all networks that have not
been explicitly filtered in other steps.

→ Start on R1, redistribute from RIP to/from OSPF.

R1(config)#router ospf 1
R1(config-router)#redist rip subnets

R1(config)#router rip
R1(config-router)#redist ospf 1 metric 3

→ On R2, redistribute from EIGRP into OSPF and RIP, to pass on information about R2’s
loopback1 interface.

R2(config)#router ospf 1
R2(config-router)#redist eigrp 2 subnets

R2(config)#router rip
R2(config-router)#redist eigrp 2 metric 3

→ On R6, redistribute between EIGRP and OSPF.

R6(config)#router eigrp 679
R6(config-router)#redist ospf 1 metric 1000 1 1 1 1500

R6(config)#router ospf 1
R6(config-router)#redist eigrp 679 subnets

→ We still need to redistribute between RIP and OSPF. Redistributing on R2 and R5 will
provide redundancy if there is a link or device failure on R2 or R5.

R5(config)#router rip
R5(config-router)#redist ospf 1 metric 3

R5(config)#router ospf 1
R5(config-router)#redist rip subnets

R2(config)#router rip
R2(config-router)#redist ospf 1 metric 3

R2(config)#router ospf 1
R2(config-router)#redist rip subnets

→ To provide reachability for Cat2, R1, and Cat1, the area will be configured as totally NSSA.
Since R2 is the ASBR, it will be configured with the no-summary keyword. Without this,
reachability to the rest of the network would be affected by the default behavior of an NSSA
area, which is to not allow type 5 LSAs, which would include the networks from EIGRP AS
679.

R2(config)#router ospf 1
R2(config-router)#area 12 NSSA no-summary

→ Using TCL, you can quickly ping devices to verify general connectivity. At a minimum,
you should ping the loopback networks from a few locations.

tclsh
foreach CCIE {
1.1.1.1
2.2.2.2
4.4.4.4
5.5.5.5
6.6.6.6
7.7.7.7
9.9.9.9
35.35.35.35
36.36.36.36
141.141.200.200
141.41.100.100
} {ping $CCIE}

→ You also may want to check that the routes are coming from the proper location. R5 is
learning routes via OSPF. If RIP routes are preferred via OSPF, then R5 may not be able to
get to those networks. In order to force RIP to be preferred for the BB2 networks and
VLAN 200, we can adjust the administrative distance on R5 for those networks, which are
learned from R4.

R5(config)#access-list 72 permit 172.20.32.2 0.0.15.0
R5(config)#access-list 72 permit 141.141.200.0
R5(config)#access-list 72 permit 4.4.4.4

R5(config)#router rip
R5(config-router)#distance 105 141.141.45.4 0.0.0.0 72

Task 3.10
R9 should load balance traffic destined to the rest of the network. Traffic to the networks learned from
BB1 should prefer the path via Ser0/2/1 over Ser0/2/0. Traffic to the networks learned from BB2 should
prefer the path via Ser0/2/0. Traffic to other networks should be balanced across the two links per
packet.

→ Start with an access-list to match each set of networks. For EIGRP, offset lists can adjust
metrics over what is dynamically learned.

(BB1)
R6(config)#access-list 20 permit 201.0.1.1 0.14.0.0

(BB2)
R6(config)#access-list 10 permit 172.20.32.2 0.0.15.0

R6(config-if)#router eigrp 679
R6(config-router)#offset-list 20 out 1 Serial0/2/0
R6(config-router)#offset-list 10 out 1 Serial0/2/1

R9(config)#int ser0/2/0
R9(config-if)#ip load-sharing per-packet
R9(config-if)#int ser0/2/1
R9(config-if)#ip load-sharing per-packet

→ Verify the load sharing with a debug. Using an access list and “debug ip packet detail”,
we can see that the packets alternate between Ser0/2/0 and Ser0/2/1. Note: If you
also want the return traffic to alternate between the two interfaces, you would also need to
configure load sharing on the interfaces on R6.

R9(config)#access-list 101 permit icmp any any
R9(config)#exit

R9#debug ip packet 101 det
IP packet debugging is on (detailed) for access list 101
R9#ping 6.6.6.6 source 9.9.9.9 repeat 10

Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
Packet sent with a source address of 9.9.9.9
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 1/3/4 ms
R9#

* 02:46:06.703: IP: tableid=0, s=9.9.9.9 (local), d=6.6.6.6 (Serial0/2/1),
routed via FIB
* 02:46:06.703: IP: s=9.9.9.9 (local), d=6.6.6.6 (Serial0/2/1), len 100,
sending
* 02:46:06.703: ICMP type=8, code=0
* 02:46:06.707: IP: tableid=0, s=6.6.6.6 (Serial0/2/1), d=9.9.9.9 (Loopback1),
routed via RIB
* 02:46:06.707: IP: s=6.6.6.6 (Serial0/2/1), d=9.9.9.9, len 100, rcvd 4
* 02:46:06.707: ICMP type=0, code=0
* 02:46:06.707: IP: tableid=0, s=9.9.9.9 (local), d=6.6.6.6 (Serial0/2/0),
routed via FIB
* 02:46:06.707: IP: s=9.9.9.9 (local), d=6.6.6.6 (Serial0/2/0), len 100,
sending
* 02:46:06.707: ICMP type=8, code=0
* 02:46:06.711: IP: tableid=0, s=6.6.6.6 (Serial0/2/1), d=9.9.9.9 (Loopback1),
routed via RIB
* 02:46:06.711: IP: s=6.6.6.6 (Serial0/2/1), d=9.9.9.9, len 100, rcvd 4
* 02:46:06.711: ICMP type=0, code=0
* 02:46:06.711: IP: tableid=0, s=9.9.9.9 (local), d=6.6.6.6 (Serial0/2/1),
routed via FIB
* 02:46:06.711: IP: s=9.9.9.9 (local), d=6.6.6.6 (Serial0/2/1), len 100,
sending
* 02:46:06.711: ICMP type=8, code=0
* 02:46:06.715: IP: tableid=0, s=6.6.6.6 (Serial0/2/1), d=9.9.9.9 (Loopback1),
routed via RIB
* 02:46:06.715: IP: s=6.6.6.6 (Serial0/2/1), d=9.9.9.9, len 100, rcvd 4
* 02:46:06.715: ICMP type=0, code=0
* 02:46:06.715: IP: tableid=0, s=9.9.9.9 (local), d=6.6.6.6 (Serial0/2/0),
routed via FIB
* 02:46:06.715: IP: s=9.9.9.9 (local), d=6.6.6.6 (Serial0/2/0), len 100,
sending
* 02:46:06.715: ICMP type=8, code=0
* 02:46:06.719: IP: tableid=0, s=6.6.6.6 (Serial0/2/1), d=9.9.9.9 (Loopback1),
routed via RIB
* 02:46:06.719: IP: s=6.6.6.6 (Serial0/2/1), d=9.9.9.9, len 100, rcvd 4
* 02:46:06.719: ICMP type=0, code=0
* 02:46:06.719: IP: tableid=0, s=9.9.9.9 (local), d=6.6.6.6 (Serial0/2/1),
routed via FIB
* 02:46:06.719: IP: s=9.9.9.9 (local), d=6.6.6.6 (Serial0/2/1), len 100,
sending
* 02:46:06.719: ICMP type=8, code=0
* 02:46:06.723: IP: tableid=0, s=6.6.6.6 (Serial0/2/1), d=9.9.9.9 (Loopback1),
routed via RIB
* 02:46:06.723: IP: s=6.6.6.6 (Serial0/2/1), d=9.9.9.9, len 100, rcvd 4
* 02:46:06.723: ICMP type=0, code=0
* 02:46:06.723: IP: tableid=0, s=9.9.9.9 (local), d=6.6.6.6 (Serial0/2/0),
routed via FIB
* 02:46:06.723: IP: s=9.9.9.9 (local), d=6.6.6.6 (Serial0/2/0), len 100,
sending
* 02:46:06.723: ICMP type=8, code=0
* 02:46:06.723: IP: tableid=0, s=6.6.6.6 (Serial0/2/1), d=9.9.9.9 (Loopback1),
routed via RIB
* 02:46:06.727: IP: s=6.6.6.6 (Serial0/2/1), d=9.9.9.9, len 100, rcvd 4
* 02:46:06.727: ICMP type=0, code=0
* 02:46:06.727: IP: tableid=0, s=9.9.9.9 (local), d=6.6.6.6 (Serial0/2/1),
routed via FIB
* 02:46:06.727: IP: s=9.9.9.9 (local), d=6.6.6.6 (Serial0/2/1), len 100,
sending
* 02:46:06.727: ICMP type=8, code=0
* 02:46:06.727: IP: tableid=0, s=6.6.6.6 (Serial0/2/1), d=9.9.9.9 (Loopback1),
routed via RIB
* 02:46:06.731: IP: s=6.6.6.6 (Serial0/2/1), d=9.9.9.9, len 100, rcvd 4
* 02:46:06.731: ICMP type=0, code=0
* 02:46:06.731: IP: tableid=0, s=9.9.9.9 (local), d=6.6.6.6 (Serial0/2/0),
routed via FIB
* 02:46:06.731: IP: s=9.9.9.9 (local), d=6.6.6.6 (Serial0/2/0), len 100,
sending
* 02:46:06.731: ICMP type=8, code=0
* 02:46:06.731: IP: tableid=0, s=6.6.6.6 (Serial0/2/1), d=9.9.9.9 (Loopback1),
routed via RIB
* 02:46:06.731: IP: s=6.6.6.6 (Serial0/2/1), d=9.9.9.9, len 100, rcvd 4
* 02:46:06.731: ICMP type=0, code=0
* 02:46:06.735: IP: tableid=0, s=9.9.9.9 (local), d=6.6.6.6 (Serial0/2/1),
routed via FIB
* 02:46:06.735: IP: s=9.9.9.9 (local), d=6.6.6.6 (Serial0/2/1), len 100,
sending
* 02:46:06.735: ICMP type=8, code=0
* 02:46:06.735: IP: tableid=0, s=6.6.6.6 (Serial0/2/1), d=9.9.9.9 (Loopback1),
routed via RIB
* 02:46:06.735: IP: s=6.6.6.6 (Serial0/2/1), d=9.9.9.9, len 100, rcvd 4
* 02:46:06.735: ICMP type=0, code=0
* 02:46:06.739: IP: tableid=0, s=9.9.9.9 (local), d=6.6.6.6 (Serial0/2/0),
routed via FIB
* 02:46:06.739: IP: s=9.9.9.9 (local), d=6.6.6.6 (Serial0/2/0), len 100,
sending
* 02:46:06.739: ICMP type=8, code=0
* 02:46:06.739: IP: tableid=0, s=6.6.6.6 (Serial0/2/1), d=9.9.9.9 (Loopback1),
routed via RIB
* 02:46:06.739: IP: s=6.6.6.6 (Serial0/2/1), d=9.9.9.9, len 100, rcvd 4
* 02:46:06.739: ICMP type=0, code=0

4.0 BGP

Task 4.1
Configure R2, R5, and R6 in AS 256. Configure R4 in AS 4. Configure R9 in AS 9. Do not configure a
full mesh between the three routers in AS 256.

→ In order to configure without using a full mesh, we can configure either a confederation or
a route reflector. Configuring a route reflector is a little easier. Since we have multiple
paths, peering between loopbacks will provide some resiliency.

R2(config)#router bgp 256
R2(config-router)#neighbor 5.5.5.5 remote-as 256
R2(config-router)#neighbor 5.5.5.5 route-reflector-client
R2(config-router)#neighbor 6.6.6.6 remote-as 256
R2(config-router)#neighbor 6.6.6.6 route-reflector-client
R2(config-router)#neighbor 5.5.5.5 update-source lo1
R2(config-router)#neighbor 6.6.6.6 update-source lo1

R5(config)#router bgp 256
R5(config-router)#neighbor 2.2.2.2 remote-as 256
R5(config-router)#neighbor 2.2.2.2 update-source lo1

R6(config)#router bgp 256
R6(config-router)#neighbor 2.2.2.2 remote-as 256
R6(config-router)#neighbor 2.2.2.2 update-source lo1

R9 should peer to R6, R4 should peer to R5. For R6’s peering to R9, R6 should appear to be in AS 66.
For R9’s peering to R6, R9 should appear to be in AS 99.

→ EBGP peerings are normally established between directly connected interfaces.
When peering between loopbacks, the ebgp-multihop option allows the multihop peering
connection to establish. Alternatively, some IOS versions support the ttl-security
option.

R9(config)#router bgp 9
R9(config-router)#neighbor 6.6.6.6 remote-as 66
R9(config-router)#neighbor 6.6.6.6 update-sourc lo1
R9(config-router)#neighbor 6.6.6.6 ebgp-multi
R9(config-router)#neigh 6.6.6.6 local-as 99

R6(config)#router bgp 256
R6(config-router)#neighbor 9.9.9.9 remote-as 99
R6(config-router)#neigh 9.9.9.9 update-source lo1
R6(config-router)#neigh 9.9.9.9 ebgp-multi
R6(config-router)#neigh 9.9.9.9 local-as 66

R4(config)#router bgp 4
R4(config-router)#neighbor 5.5.5.5 remote-as 256
R4(config-router)#neighbor 5.5.5.5 upd lo1
R4(config-router)#neighbor 5.5.5.5 ebgp-multi

R5(config)#router bgp 256
R5(config-router)#neigh 4.4.4.4 remote-as 4
R5(config-router)#neigh 4.4.4.4 upd lo1
R5(config-router)#neigh 4.4.4.4 ebgp-multi

Add the following 4 loopbacks on R4.

Loopback40 – 204.40.4.4/32
Loopback41 – 204.41.4.4/32
Loopback42 – 204.42.4.4/32
Loopback43 – 204.43.4.4/32

On R4, add these 4 loopbacks to BGP, and advertise them to R5.

R4(config)#int loop 40
R4(config-if)#ip address 204.40.4.4 255.255.255.255
R4(config-if)#int loop 41
R4(config-if)#ip address 204.41.4.4 255.255.255.255
R4(config-if)#int loop 42
R4(config-if)#ip address 204.42.4.4 255.255.255.255
R4(config-if)#int loop 43
R4(config-if)#ip address 204.43.4.4 255.255.255.255

→ When adding the networks to BGP, make sure to include the mask; otherwise they will not
be advertised properly to the neighbor.

R4(config)#router bgp 4
R4(config-router)#network 204.40.4.4 mask 255.255.255.255
R4(config-router)#network 204.41.4.4 mask 255.255.255.255
R4(config-router)#network 204.42.4.4 mask 255.255.255.255
R4(config-router)#network 204.43.4.4 mask 255.255.255.255

Task 4.2
Configure R5 such that the following requirements are met regarding these loopback networks.

R2 and R6 should not see the loopbacks with an odd second octet. R2 and R6 should still be able to ping
all 4 loopbacks.

R9 should not see any of the /32 loopback network routes, but should be able to ping all 4 loopbacks. Do
not configure anything on R6 to achieve this task. Do not add any static routes to achieve this task.

→ Adding a summary allows reachability without passing the original routes, because there
is still a route to a less specific network. By default, when configuring summaries
with BGP, both the summary and the more specific routes are sent. A number of
different methods can be used to filter the specific networks.

→ In this case, we will use a route-map as a “suppress map” to block just a few of the more
specific routes. Here we can match two routes with one ACL line, due to
the binary bit boundaries.

R5(config)#access-list 42 permit 204.40.4.4 0.2.0.0

R5(config)#route-map SUPPRESS deny
R5(config-route-map)#match address 42
R5(config-route-map)#route-map SUPPRESS permit 20

R5(config)#router bgp 256
R5(config-router)#aggregate-address 204.40.0.0 255.252.0.0 suppress-map SUPPRESS
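
The wildcard match and suppress-map logic above, worked through in Python as an added example (not part of the original guide). It models IOS behaviour rather than reproducing it; the function names are hypothetical, and one_line_wildcard() generalizes the "binary bit boundaries" remark to any set of addresses.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco ACL match: bits set in the wildcard mask are "don't care"."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def one_line_wildcard(addrs):
    """Return (base, wildcard, exact) for a single ACL line covering addrs.

    exact is True only when that line matches these addresses and nothing else.
    """
    ints = [int(ipaddress.IPv4Address(a)) for a in addrs]
    wc = 0
    for i in ints:
        wc |= ints[0] ^ i                  # every differing bit becomes "don't care"
    base = ints[0] & ~wc & 0xFFFFFFFF
    exact = len(set(ints)) == 2 ** bin(wc).count("1")
    return str(ipaddress.IPv4Address(base)), str(ipaddress.IPv4Address(wc)), exact

# From the page: access-list 42 permit 204.40.4.4 0.2.0.0 (implicit deny at the end)
ACL_42 = [("permit", "204.40.4.4", "0.2.0.0")]

def acl_permits(acl, addr):
    for action, base, wildcard in acl:
        if wildcard_match(addr, base, wildcard):
            return action == "permit"
    return False                           # implicit deny

# From the page: route-map SUPPRESS deny (match address 42), then permit 20 with no match
SUPPRESS = [("deny", ACL_42), ("permit", None)]

def route_map_action(route_map, addr):
    for action, acl in route_map:
        if acl is None or acl_permits(acl, addr):
            return action
    return "deny"                          # implicit deny at the end of a route-map

def aggregate(routes, summary, suppress_map):
    """Model of aggregate-address ... suppress-map: components the map permits are suppressed."""
    agg = ipaddress.ip_network(summary)
    advertised, suppressed = [str(agg)], []
    for route in routes:
        net = ipaddress.ip_network(route)
        component = net != agg and net.subnet_of(agg)
        if component and route_map_action(suppress_map, str(net.network_address)) == "permit":
            suppressed.append(route)
        else:
            advertised.append(route)
    return advertised, suppressed

R4_LOOPBACKS = ["204.40.4.4/32", "204.41.4.4/32", "204.42.4.4/32", "204.43.4.4/32"]

if __name__ == "__main__":
    print(one_line_wildcard(["204.40.4.4", "204.42.4.4"]))
    adv, sup = aggregate(R4_LOOPBACKS, "204.40.0.0/255.252.0.0", SUPPRESS)
    print("advertised:", adv)
    print("suppressed:", sup)
```

The deny entry exempts the routes ACL 42 matches (.40 and .42) from suppression, so only the odd-numbered loopbacks fall through to the permit entry and are suppressed.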

→ After filtering the .41 and .43 networks, the .40 and .42 networks are still being sent. We
need to prevent these from reaching R9 without configuring anything on R6.
Communities are one method. By setting the ‘no-export’ community, the routes
will not be sent on to another AS. When setting communities, you also need to make
sure that you send the community to the neighbor.

→ Prefix lists also allow you to match mask length. In this case, the access-list used
would match both the .40 more specific network and the summary. Since we want the
summary to still be passed on, we need to differentiate further. We can do
that by also matching next hop, since the more specific routes have the next hop of the
peering address on R4.

R5(config)#route-map TOR2
R5(config-route-map)#match address 42
R5(config-route-map)#set community no-export additive
R5(config-route-map)#route-map TOR2
R5(config-route-map)#route-map TOR2 permit 20

R5(config)#router bgp 256
R5(config-router)#neighbor 2.2.2.2 route-map TOR2 out
R5(config-router)#neighbor 2.2.2.2 send-comm

R2(config)#router bgp 256
R2(config-router)#neighbor 6.6.6.6 send-comm

5.0 Multicast

Task 5.1
Configure sparse mode for the interfaces connecting R2, R5, and R6, and the loopback1 interfaces on
those devices. R2’s loopback1 should be the RP.

Configure R2’s loopback1 interface to join the group 225.0.0.2.

Configure R5’s loopback1 interface to join the group 225.0.0.5.

Configure R6’s loopback1 interface to join the group 225.0.0.6.

R2, R5, and R6 should receive a response when they ping the multicast groups 225.0.0.2, 225.0.0.5, and
225.0.0.6.

R2(config)#ip multicast-routing
R2(config)#int lo1
R2(config-if)#ip pim sparse
R2(config-if)#int ser0/1/0
R2(config-if)#ip pim sparse
R2(config-if)#int ser0/2/0
R2(config-if)#ip pim sparse
R2(config)#ip pim rp-address 2.2.2.2

R5(config)#ip multicast-routing
R5(config)#int ser0/2/0
R5(config-if)#ip pim sparse
R5(config)#ip pim rp-address 2.2.2.2
R5(config)#int ser0/1/0.1
R5(config-subif)#ip pim sparse

R6(config)#ip multicast-routing
R6(config)#ip pim rp-address 2.2.2.2
R6(config)#int ser0/1/0
R6(config-if)#ip pim sparse

R2(config)#int lo1
R2(config-if)#ip igmp join-group 225.0.0.2

R5(config)#int lo1
R5(config-if)#ip igmp join-group 225.0.0.5

R6(config)#int lo1
R6(config-if)#ip igmp join-group 225.0.0.6

R6#ping 225.0.0.5

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 225.0.0.5, timeout is 2 seconds:
.

→ You may see failures when pinging the groups on the spokes. With NBMA mode configured
on the hub, the router will treat each connection as an individual point-to-point link.

R2(config)#int ser0/1/0
R2(config-if)#ip pim nbma

→ Look at the output of ‘debug ip mpacket’ on the hub.

Before adding NBMA mode:

IP(0): s=141.41.26.6 (Serial0/1/0) d=225.0.0.5 id=19, ttl=254, prot=1, len=104(100), mroute olist null

After adding NBMA mode:

IP(0): s=141.41.26.6 (Serial0/1/0) d=225.0.0.5 (Serial0/1/0) id=20, ttl=254, prot=1, len=100(100), mforward

R5#ping 225.0.0.6

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 225.0.0.6, timeout is 2 seconds:

Reply to request 0 from 141.41.26.6, 20 ms

R5#ping 225.0.0.2

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 225.0.0.2, timeout is 2 seconds:

Reply to request 0 from 141.141.205.2, 4 ms
Reply to request 0 from 141.41.26.2, 48 ms
R5#

6.0 IOS features / services

Task 6.1
Configure NTP on R1, R2, R4, R5, R6, R7, and R9. You may only configure the NTP master command
on one device. In the output of show ntp status, each device’s stratum should be the same as the router
number. (R1 should have a stratum of 1, R4 should have a stratum of 4, R7 should have a stratum of 7,
etc.)

→ Stratum increases by one each time a peering is established. So, a device peering to
a stratum 1 device will have a stratum of 2, and a device peering to a stratum 2 device will
have a stratum of 3. Start with router 1, and each peering will increment. We need
devices at stratum 3 and 8, for which we can use our two switches. Make sure to verify with
the output of “show ntp status”.

R1(config)#ntp master 1

R2(config)#ntp server 1.1.1.1

Cat1(config)#ntp server 2.2.2.2

R4(config)#ntp server 35.35.35.35

R5(config)#ntp server 4.4.4.4

R6(config)#ntp server 5.5.5.5

R7(config)#ntp server 6.6.6.6

Cat2(config)#ntp server 7.7.7.7

R9(config)#ntp server 36.36.36.36

R1#show ntp status | i strat
Clock is synchronized, stratum 1, reference is .LOCL.

R2#show ntp status | i strat
Clock is synchronized, stratum 2, reference is 1.1.1.1

R4#show ntp status | i strat
Clock is synchronized, stratum 4, reference is 35.35.35.35

R5#show ntp status | i strat
Clock is synchronized, stratum 5, reference is 4.4.4.4

R6#show ntp stat | i strat
Clock is synchronized, stratum 6, reference is 5.5.5.5

R7#show ntp stat | i strat
Clock is synchronized, stratum 7, reference is 6.6.6.6

R9#show ntp status | i strat
Clock is synchronized, stratum 9, reference is 36.36.36.36
R9#

Task 6.2
Configure R4 to hand out addresses for VLAN 67 with a fourth octet from 20 to 40. Do not add any
subinterfaces on R4. R4 should hand out a default router address of x.x.x.6, and should hand out a DNS
server address of x.x.x.53. Test by configuring R8’s Fa0/0 interface to receive an address via DHCP, and
verifying that the address received is in the range of addresses that R4 is handing out. Verify that DHCP
still works if R5’s serial 0/1/0 subinterface connecting to R2 fails.

R4(config)#ip dhcp excl 141.41.67.1 141.41.67.19
R4(config)#ip dhcp excl 141.41.67.41 141.41.67.254
R4(config)#no ip dhcp conflict logging

R4(config)#ip dhcp pool MYPOOL
R4(dhcp-config)#network 141.41.67.0 /24
R4(dhcp-config)#default-router 141.41.67.6
R4(dhcp-config)#dns-server 141.41.67.53

R6(config)#int fa0/0
R6(config-if)#ip helper-address 4.4.4.4

Cat2(config)#int fa0/8
Cat2(config-if)#swit acc vl 67
Cat2(config-if)#span portfast

R8(config)#int fa0/0
R8(config-if)#ip address dhcp

→ Since Cat2 is configured for DHCP snooping for the VLAN, make sure to add the port as a
trusted port.

Cat2(config)#int fa0/6
Cat2(config-if)#ip dhcp snooping trust

→ Next, let’s look at some debugs on R6. Start with an access list for the DHCP traffic, which
we can use in conjunction with “debug ip packet detail” to watch the packets. Also, “debug
ip dhcp server packet” can give us DHCP-specific information.

R6(config)#access-list 167 permit udp any any eq 67
R6(config)#access-list 167 permit udp any any eq 68

R6#debug ip pack 167 det
IP packet debugging is on (detailed) for access list 167

R6#debug ip dhcp server pack

19:46:33.078: IP: s=0.0.0.0 (FastEthernet0/0), d=255.255.255.255, len 339, rcvd 2
19:46:33.078: UDP src=68, dst=67
19:46:33.078: DHCPD: inconsistent relay information.
19:46:33.078: DHCPD: relay information option exists, but giaddr is zero.

→ The switch is inserting option 82 information, which is preventing R6 from accepting and
forwarding the request. You could either configure the switch to not insert the
information, or configure R6 to trust the information on the port where the helper address
is applied.

R6(config)#int fa0/0
R6(config-if)#ip dhcp relay info trust
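
The condition behind the two DHCPD debug lines, as an added Python example (not from the original guide): it parses a DHCP request and applies the option 82 / giaddr consistency check as this page describes it. The packet bytes, MAC addresses and option 82 contents are constructed sample data, and relay_decision() is a hypothetical model, not IOS code.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"       # fixed 236-byte BOOTP header

# Constructed option 82 payload: sub-option 1 (circuit ID) and 2 (remote ID)
SAMPLE_OPTION82 = (bytes([1, 6, 0, 4, 0, 67, 0, 8]) +
                   bytes([2, 8, 0, 6]) + bytes.fromhex("0200000000c2"))

def build_discover(giaddr="0.0.0.0", option82=None):
    """Build a constructed DHCPDISCOVER (sample data, not captured traffic)."""
    header = struct.pack(
        BOOTP_FMT, 1, 1, 6, 0, 0x12345678, 0, 0x8000,
        bytes(4), bytes(4), bytes(4), ipaddress.IPv4Address(giaddr).packed,
        bytes.fromhex("020000000008"), b"", b"")
    options = bytes([53, 1, 1])                 # option 53 = DHCPDISCOVER
    if option82 is not None:
        options += bytes([82, len(option82)]) + option82
    return header + MAGIC_COOKIE + options + b"\xff"

def parse_tlvs(data, pad=None, end=None):
    """Parse code/length/value triples and reject truncated entries."""
    out, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == end:
            break
        if code == pad:
            i += 1
            continue
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option %d" % code)
        out[code] = data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]
    return out

def parse_dhcp(packet):
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    fields = struct.unpack(BOOTP_FMT, packet[:236])
    options = parse_tlvs(packet[240:], pad=0, end=255)
    return {
        "hops": fields[3],
        "giaddr": str(ipaddress.IPv4Address(fields[10])),
        "options": options,
        "relay_info": parse_tlvs(options[82]) if 82 in options else None,
    }

def relay_decision(packet, relay_info_trusted=False):
    """Model of the check behind the debug lines on this page (not IOS code)."""
    info = parse_dhcp(packet)
    if info["relay_info"] is not None and info["giaddr"] == "0.0.0.0":
        if not relay_info_trusted:
            return "drop", "relay information option exists, but giaddr is zero"
    return "relay", None

if __name__ == "__main__":
    pkt = build_discover(option82=SAMPLE_OPTION82)   # what R6 sees behind Cat2
    print(relay_decision(pkt))
    print(relay_decision(pkt, relay_info_trusted=True))
```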

Task 6.3
Add a loopback222 on R2 with the address 222.222.222.222 and a 32 bit mask. Do not add this
loopback network to any routing protocol. R2 should have 100% success for a ping sourced from this
new loopback with a destination of the loopback1 interfaces of the routers and switches in the topology.

→ By translating the address to that of another interface that has reachability, the loopbacks
will be able to send return traffic.

R2(config)#int loop222
R2(config-if)#ip address 222.222.222.222 255.255.255.255

R2(config)#int loop222
R2(config-if)#ip nat inside

R2(config)#int ser0/1/0
R2(config-if)#ip nat outside
R2(config-if)#int ser0/2/0
R2(config-if)#ip nat outside
R2(config-if)#int fa1/0
R2(config-if)#ip nat outside

R2(config)#access-list 163 permit ip host 222.222.222.222 any
R2(config)#ip nat inside source list 163 int lo1 overload

→ Verify with ping and debugging NAT. You should see the address translated, and
successful pings.

R2#deb ip nat
IP NAT debugging is on
R2#ping 1.1.1.1 source 222.222.222.222

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 222.222.222.222
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R2#
20:15:03.515: NAT: s=222.222.222.222->2.2.2.2, d=1.1.1.1 [46]
20:15:03.515: NAT*: s=1.1.1.1, d=2.2.2.2->222.222.222.222 [46]
20:15:03.515: NAT: s=222.222.222.222->2.2.2.2, d=1.1.1.1 [47]
20:15:03.515: NAT*: s=1.1.1.1, d=2.2.2.2->222.222.222.222 [47]
20:15:03.515: NAT: s=222.222.222.222->2.2.2.2, d=1.1.1.1 [48]
20:15:03.519: NAT*: s=1.1.1.1, d=2.2.2.2->222.222.222.222 [48]

7.0 IPv6

Task 7.1
Add a loopback on R5, R6, and R2 of the format 2001::x, where x is the router number. Add these
networks to an IPv6 RIP process, and configure the frame relay connection between R5, R6, and R2 for
RIP. Verify that each of these three routers can ping all three IPv6 loopbacks. Do not configure the PPP
link between R2 and R5 for IPv6.

R2(config)#ipv6 unicast-routing
R2(config)#int lo6
R2(config-if)#ipv6 address 2001::2/128

R2(config-if)#int ser0/1/0
R2(config-if)#ipv6 address 2001::256:2/125

R5(config)#ipv6 unicast-routing
R5(config)#int lo6
R5(config-if)#ipv6 address 2001::5/128
R5(config-if)#int ser0/1/0.1
R5(config-subif)#ipv6 address 2001::256:5/125

R6(config)#ipv6 unicast-routing
R6(config)#int lo6
R6(config-if)#ipv6 address 2001::6/128
R6(config-if)#int ser0/2/0
R6(config-if)#int ser0/1/0
R6(config-if)#ipv6 address 2001::256:6/125

R5(config)#int ser0/1/0.1
R5(config-if)#ipv6 address fe80::5 link-local

R6(config)#int ser0/1/0
R6(config-if)#ipv6 address fe80::6 link-local

R2(config-if)#int ser0/1/0
R2(config-if)#frame map ipv6 2001::256:5 205
R2(config-if)#frame map ipv6 2001::256:6 206

R5(config)#int ser0/1/0.1
R5(config-subif)#frame map ipv6 2001::256:2 502
R5(config-subif)#frame map ipv6 2001::256:6 502

R6(config-if)#int ser0/1/0
R6(config-if)#frame map ipv6 2001::256:2 602
R6(config-if)#frame map ipv6 2001::256:5 602

R2(config)#ipv6 router rip V6
R2(config)#int lo6
R2(config-if)#ipv6 rip V6 enable
R2(config-if)#int ser0/1/0
R2(config-if)#ipv6 rip V6 enable

R5(config)#int lo6
R5(config-if)#ipv6 rip V6 enable
R5(config-if)#int ser0/1/0.1
R5(config-subif)#ipv6 rip V6 enable

R6(config)#ipv6 router rip V6
R6(config)#int lo6
R6(config-if)#ipv6 rip V6 enable
R6(config-if)#int ser0/1/0
R6(config-if)#ipv6 rip V6 enable

R5(config)#int ser0/1/0.1
R5(config-subif)#frame map ipv6 fe80::2 502 broad

R2(config)#int ser0/1/0
R2(config-if)#frame map ipv6 fe80::5 205 broad
R2(config-if)#frame map ipv6 fe80::6 206 broad
R2(config-if)#ipv6 address fe80::2 link-local

R6(config)#int ser0/1/0
R6(config-if)#frame map ipv6 fe80::2 602 broad

→ Take a look at the routing tables on R5, R6, and R2.

R5#show ipv6 route | i /128
R 2001::2/128 [120/2]
LC 2001::5/128 [0/0]
L 2001::256:5/128 [0/0]
R5#

R6#show ipv6 route | i /128
R 2001::2/128 [120/2]
LC 2001::6/128 [0/0]
L 2001::256:6/128 [0/0]
R6#

R2#show ipv6 route | i /128
LC 2001::2/128 [0/0]
R 2001::5/128 [120/2]
R 2001::6/128 [120/2]
L 2001::256:2/128 [0/0]
R2#

→ R2 sees both spoke loopbacks, but R5 and R6 see only the loopback on R2. This is due to
the operation of RIP and split horizon.

R2(config)#ipv6 router rip V6
R2(config-rtr)#no split-horizon
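
Why split horizon hides the spoke loopbacks on this hub-and-spoke Frame Relay, as an added Python example (not from the original guide). It is a simplified distance-vector model, not RIPng itself: the metric handling (connected routes held at 1, plus 1 per hop) is an assumption chosen to reproduce the [120/2] entries shown above, and the function names are hypothetical.

```python
# Topology from the page: R2 is the hub and reaches both spokes through the
# same multipoint interface; each spoke has a single PVC to R2.
LINKS = {
    "R2": [("Serial0/1/0", "R5"), ("Serial0/1/0", "R6")],
    "R5": [("Serial0/1/0.1", "R2")],
    "R6": [("Serial0/1/0", "R2")],
}
LOOPBACKS = {"R2": "2001::2/128", "R5": "2001::5/128", "R6": "2001::6/128"}

def ripng_routes(hub_split_horizon, rounds=4):
    """Run a few update rounds and return {router: {prefix: metric}}."""
    split = {"R2": hub_split_horizon, "R5": True, "R6": True}
    # table entry: prefix -> (metric, interface it was learned on; None = connected)
    tables = {r: {LOOPBACKS[r]: (1, None)} for r in LINKS}
    for _ in range(rounds):
        updates = []
        for sender, neighbors in LINKS.items():
            for out_if, receiver in neighbors:
                for prefix, (metric, learned_if) in tables[sender].items():
                    # Split horizon: never advertise a route back out of the
                    # interface on which it was learned.
                    if split[sender] and learned_if == out_if:
                        continue
                    updates.append((sender, receiver, prefix, metric + 1))
        for sender, receiver, prefix, metric in updates:
            in_if = next(i for i, n in LINKS[receiver] if n == sender)
            current = tables[receiver].get(prefix)
            if metric < 16 and (current is None or metric < current[0]):
                tables[receiver][prefix] = (metric, in_if)
    return {r: {p: m for p, (m, _) in t.items()} for r, t in tables.items()}

def missing_loopbacks(routes):
    """Loopbacks each router has no route to."""
    return {r: sorted(set(LOOPBACKS.values()) - set(t)) for r, t in routes.items()}

if __name__ == "__main__":
    print("split horizon on hub :", missing_loopbacks(ripng_routes(True)))
    print("no split-horizon     :", missing_loopbacks(ripng_routes(False)))
```

With split horizon on the hub, both spoke routes are learned on Serial0/1/0 and so are never sent back out of it, which is exactly the state of the three routing tables above.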

→ After enabling the updates to pass, R5 and R6 should be able to ping each other’s
loopbacks.

R5#ping 2001::6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/33/36 ms
R5#

8.0 QoS / Traffic information

Task 8.1
Configure an outbound policy on R1’s Fa0/0 interface for traffic classification. Telnet traffic should be
marked with precedence level 5, HTTP traffic should be marked with precedence level 4. Do not assign
any bandwidth allocations, reservations, or restrictions for these two traffic classes. All other traffic
entering this interface should be handled using WRED with explicit congestion notification.

R1(config)#class-map telnet
R1(config-cmap)#match prot telnet
R1(config-cmap)#class-map http
R1(config-cmap)#match prot http

R1(config)#policy-map qos
R1(config-pmap)#class telnet
R1(config-pmap-c)#set prec 5
R1(config-pmap-c)#class http
R1(config-pmap-c)#set prec 4
R1(config-pmap-c)#class class-default
R1(config-pmap-c)#fair-queue
R1(config-pmap-c)#rand
R1(config-pmap-c)#rand ecn

R1(config)#int fa0/0
R1(config-if)#service-pol output qos

Task 8.2
Configure R2’s FastEthernet and Frame-relay interfaces to gather statistics for traffic, to monitor what
protocols are seen, using common protocol names.

R2(config)#int fa1/0
R2(config-if)#ip nbar protocol-discovery

R2(config)#int ser0/1/0
R2(config-if)#ip nbar protocol-discovery

Task 8.3
Configure R2’s FastEthernet interface to drop ICMP type 0 and type 8 packets with a size from 250 to
300 bytes.

→ Since a direction is not specified, we can drop in both directions.

R2(config)#access-list 183 permit icmp any any echo
R2(config)#access-list 183 permit icmp any any echo-reply

R2(config)#class-map icmp
R2(config-cmap)#match access-group 183
R2(config-cmap)#match packet length min 250 max 300

R2(config)#policy-map icmppol
R2(config-pmap)#class icmp
R2(config-pmap-c)#drop
R2(config)#int fa1/0
R2(config-if)#service-policy input icmppol
R2(config-if)#service-policy output icmppol

Task 8.4
On R6’s FastEthernet interface connecting to VLAN 67, configure a custom Queue with the following
parameters:

Configure telnet for queue 3, double the default byte count, and increase the queue length to 10 times the
default value.

Configure SMTP traffic for queue 5, with the default queue length and byte count.

Configure other packets to use queue 4, with a queue length 20 times the default value, and a byte count
of 10 times the default value.

→ The default byte count for a queue is 1500 bytes, and the default queue length is 20.

R6(config)#queue-list 1 prot ip 3 tcp telnet
R6(config)#queue-list 1 prot ip 5 tcp 25
R6(config)#queue-list 1 default 4

R6(config)#queue-list 1 queue 3 byte-count 3000
R6(config)#queue-list 1 queue 3 limit 200
R6(config)#queue-list 1 queue 4 byte-count 15000
R6(config)#queue-list 1 queue 4 limit 400

R6(config)#int fa0/0
R6(config-if)#custom-queue-list 1

9.0 Security
R9 should be configured to accept telnet connections on port 3005. Telnet connections to port 23 should
not be allowed. Configure a local user named cisco with a password of cisco, and privilege level 15.
Telnet access should require user login, but console access should not require user login.

→ Access on an alternate port can be done with the rotary command on a VTY line. In order
to restrict access, you can use an access-list applied with the access-class command.

R9(config)#username cisco priv 15 password cisco

R9(config)#line vty 5
R9(config-line)#rotary 5
R9(config-line)#login local

R9(config)#access-list 101 deny tcp any any eq telnet
R9(config)#access-list 101 permit ip any any

R9(config)#line vty 0 1180
R9(config-line)#access-class 101 in

→ In order to configure separate actions, we can use different authentication methods. For the
VTY line, we can use local authentication, and for other connections, we can use a default of
no authentication, so that the console port is not affected.

R9(config)#aaa new-model
R9(config)#aaa authentication login def none
R9(config)#aaa authentication login VTY local

R9(config)#line vty 5
R9(config-line)#login authent VTY

→ Test by telnetting from R6 to ports 23 and 3005.

R6#telnet 9.9.9.9
Trying 9.9.9.9 ...
% Connection refused by remote host

R6#telnet 9.9.9.9 3005
Trying 9.9.9.9, 3005 ... Open

User Access Verification

Username: cisco
Password:
R9>

Task 9.2
When the user cisco telnets to R9, the user should be able to show the routing table (show ip route), and
show interface status (show interface). The user should not be able to make configuration changes.

→ Verify that the user is only able to show the routing table and check interface status. With
the configuration done earlier, if only authentication is performed, the user will not be able to
configure the router. Alternatively, a menu could be used to restrict what options the user
has available.

R6#telnet 9.9.9.9 3005
Trying 9.9.9.9, 3005 ... Open

User Access Verification

Username: cisco
Password:

R9>show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

1.0.0.0/32 is subnetted, 1 subnets
D EX 1.1.1.1 [170/3072256] via 141.41.70.6, 20:04:41, Serial0/2/1
[170/3072256] via 141.41.69.6, 20:04:41, Serial0/2/0
35.0.0.0/32 is subnetted, 1 subnets
D EX 35.35.35.35 [170/3072256] via 141.41.70.6, 20:04:41, Serial0/2/1
[170/3072256] via 141.41.69.6, 20:04:41, Serial0/2/0
2.0.0.0/32 is subnetted, 1 subnets
D EX 2.2.2.2 [170/3072256] via 141.41.70.6, 20:04:41, Serial0/2/1
[170/3072256] via 141.41.69.6, 20:04:41, Serial0/2/0
4.0.0.0/32 is subnetted, 1 subnets
D EX 4.4.4.4 [170/3072256] via 141.41.70.6, 04:13:02, Serial0/2/1
[170/3072256] via 141.41.69.6, 04:13:02, Serial0/2/0
201.2.1.0/32 is subnetted, 1 subnets

R9>show int
FastEthernet0/0 is administratively down, line protocol is down
Hardware is MV96340 Ethernet, address is 001b.d504.4c40 (bia 001b.d504.4c40)
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Auto-duplex, Auto Speed, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 2w2d, output 2w2d, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec

128 packets input, 29442 bytes
Received 128 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog
0 input packets with dribble condition detected
16 packets output, 5982 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collision, 0 deferred
--More--

Task 9.3
Switch1 should only allow telnet and SSH connections from R5’s loopback1 interface. Do not configure
an extended ACL for this task.

→ Enabling SSH requires defining a domain-name and generating RSA keys.

Cat1(config)#ip domain-name cisco.com
Cat1(config)#crypto key generate rsa
The name for the keys will be: Cat1.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]:
% Generating 512 bit RSA keys ...[OK]

Cat1(config)#
1d04h: %SSH-5-ENABLED: SSH 1.99 has been enabled

→ Configuring a standard access-list is sufficient to only accept connections from R5’s
loopback. SSH requires username/password for authentication, so define a user and
configure Cat1’s vty lines for authentication.

Cat1(config)#access-list 23 permit 5.5.5.5

Cat1(config)#line vty 0 15
Cat1(config-line)#access-class 23 in
Cat1(config-line)#login local

Cat1(config)#username cisco password cisco

→ In order to test, enable SSH on R5 and test using the SSH client.

R5(config)#ip domain-name cisco.com
R5(config)#crypto key generate rsa
The name for the keys will be: R5.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]
R5(config)#ip ssh source-int lo1

R5#telnet 35.35.35.35 /source-int lo1
Trying 35.35.35.35 ... Open

User Access Verification

Username: cisco
Password:
Cat1>exit

[Connection to 35.35.35.35 closed by foreign host]
R5#ssh -l cisco 35.35.35.35

Password:

Cat1>

Technical Verification and Support


To verify your router configurations please ensure that you have
downloaded the latest configurations from your www.IPexpert.com
account.

Support is also available in the following ways:

• Mailing List: http://www.OnlineStudyList.com
• Online Forum: http://www.CertificationTalk.com
• Email: support@ipexpert.com
