Prerequisites
• None
NOTE
As a general rule of thumb, we recommend that you read the
ENTIRE lab prior to beginning.
1.0 Switching
Task 1.1
Configure the switches as follows:
VTP domain apples
VTP password oranges
Cat1 should be the VTP server. The other switches should be VTP clients. On Cat1 and Cat2, ‘show vtp
status’ should show the loopback1 interface as the local updater ID, and as the preferred interface.
Cat1(config)#int fa0/11
Cat1(config-if)#swit mo acc
Cat1(config-if)#swit acc vl 100
Cat1(config-if)#int fa0/2
Cat1(config-if)#swit mo acc
Cat1(config-if)#swit acc vl 12
Cat1(config-if)#int fa0/4
Cat1(config-if)#swit mo acc
Cat1(config-if)#swit acc vl 200
Cat2(config)#int fa0/12
Cat2(config-if)#swit mo acc
Cat2(config-if)#swit acc vl 200
Cat2(config-if)#int fa0/1
Cat2(config-if)#swit mo acc
Cat2(config-if)#swit acc vl 12
Cat2(config-if)#int fa0/6
Cat2(config-if)#swit mo acc
Cat2(config-if)#swit acc vl 67
Cat2(config-if)#int fa0/7
Cat2(config-if)#swit mo acc
Cat2(config-if)#swit acc vl 67
Cat4(config)#int fa0/7
Cat4(config-if)#swit mo acc
Cat4(config-if)#swit acc vlan 100
Fast Ethernet ports 19 and 20 and the Gi0/1 and Gi0/2 ports should be shut down on all 4 switches.
Each pair of ports connecting two switches should be seen as a single logical link. Encapsulation for
trunks between switches should be statically configured, not dynamically negotiated, and should use
dot1q tags. Use a native VLAN of 123. Do not use PAgP or LACP. For ports 21/22 use group 21, for
ports 23/24, use group 23.
Task 1.2
Switch 1 should be the spanning tree root for vlans 12, 67, 100. Switch 2 should be root for VLAN 200.
Do not configure the switches for 802.1s.
Ports that are connected to routers and that are used in the logical topology should be configured such
that a TCN will not be generated if the port goes up or down. This should be configured per port, not
globally.
Task 1.3
Configure Switch1’s connection to R1’s Fa0/0 without using a SVI.
Cat1(config)#int fa0/1
Cat1(config-if)#no swit
Cat1(config-if)#ip address 141.41.35.35 255.255.255.0
Task 1.4
Configure Switch2 for a system MTU of 1508, and for the template that will allocate the TCAM resources
to support the highest number of indirect unicast routes.
Task 2.1
Configure the frame relay connections between R2, R6, and R5 as follows:
On R2 and R6, do not use any subinterfaces. On R5, use a multipoint subinterface for the network
connecting to R2 and R6. For the subnet shared by R2, R5, and R6, the address-to-DLCI mappings
should be statically configured.
R2(config)#int ser0/1/0
R2(config-if)#encap frame
R2(config-if)#frame map ip 141.41.26.5 205 broadcast
R2(config-if)#frame map ip 141.41.26.6 206 broadcast
R2(config-if)#frame map ip 141.41.26.2 205
R2(config-if)#ip address 141.41.26.2 255.255.255.0
R5(config)#int ser0/1/0
R5(config-if)#encap frame
R5(config)#int ser0/1/0.1 multipoint
R5(config-subif)#frame map ip 141.41.26.2 502 broad
R5(config-subif)#frame map ip 141.41.26.5 502
R5(config-subif)#frame map ip 141.41.26.6 502
R5(config-subif)#ip address 141.41.26.5 255.255.255.0
R6(config)#int ser0/1/0
R6(config-if)#encap frame
R6(config-if)#frame map ip 141.41.26.2 602 broad
R6(config-if)#frame map ip 141.41.26.6 602
R6(config-if)#frame map ip 141.41.26.5 602
R6(config-if)#ip address 141.41.26.6 255.255.255.0
Task 2.2
For the connection between R4 and R5, use PPP over Frame Relay (RFC 1973 encapsulation). The
connection should use CHAP authentication. For authentication, both devices should use a username of
T3ST123 and a password of PPPoverFr@m3. Both sides should challenge and respond.
Î A router answers a CHAP challenge by looking up the name carried in the challenge in its local
username database, so the shared secret is entered as a username entry for T3ST123 on both
routers. Because both ends present the same name, the default ‘ppp chap ignoreus’ would make
each router discard the other’s challenge; ‘no ppp chap ignoreus’ on both sides is what allows
the mutual exchange the task asks for. CHAP never sends the secret itself, only an MD5 hash of
the identifier, the secret, and the challenge.
R4(config)#username T3ST123 password PPPoverFr@m3
R4(config)#int virtual-template 1
R4(config-if)#ip address 141.141.45.4 255.255.255.0
R4(config-if)#ppp chap hostname T3ST123
R4(config-if)#no ppp chap ignoreus
R4(config-if)#ppp authent chap
R4(config)#int ser0/0/0
R4(config-if)#encap frame
R4(config-if)#frame interface-dlci 405 ppp virtual-Template 1
R4(config-if)#exit
R5(config)#username T3ST123 password PPPoverFr@m3
R5(config)#int virtual-template 1
R5(config-if)#ip address 141.141.45.5 255.255.255.0
R5(config-if)#ppp chap hostname T3ST123
R5(config-if)#ppp authent chap
R5(config-if)#no ppp chap ignoreus
R5(config)#int ser0/1/0
R5(config-if)#frame-relay interface-dlci 504 ppp virtual-template 1
Task 2.3
Configure the serial link connecting R2 and R5 for PPP encapsulation, using plaintext authentication. R2
should receive its IP address from R5. Configure for a maximum of 3 bad authentication retries.
Configure link control and IP control to predict peer responses.
Î With ‘ppp authentication pap’ on both routers, each side demands the other’s credentials, so
each side needs a ‘ppp pap sent-username’ and a matching local username entry for the peer.
PAP carries the username and password in clear text in every Authenticate-Request, so the
plaintext requirement here is a lab exercise, not a production choice. ‘ppp max-bad-auth 3’
limits the number of failed authentication attempts before the interface is reset.
R5(config)#username cisco password cisco
R5(config)#int ser0/2/0
R5(config-if)#encap ppp
R5(config-if)#ip address 141.141.205.5 255.255.255.0
R5(config-if)#no shut
R5(config-if)#ppp ipcp predictive
R5(config-if)#ppp lcp predictive
R5(config-if)#ppp authentication pap
R5(config-if)#ppp pap sent-username cisco password cisco
R5(config-if)#peer default ip address 141.141.205.2
R5(config-if)#ppp max-bad-auth 3
R2(config)#username cisco password cisco
R2(config)#int ser0/2/0
R2(config-if)#encap ppp
R2(config-if)#no shut
R2(config-if)#ppp authentication pap
R2(config-if)#ppp pap sent-username cisco password cisco
R2(config-if)#ppp ipcp predictive
R2(config-if)#ppp lcp predictive
R2(config-if)#ip address negotiated
R2(config-if)#ppp max-bad-auth 3
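The two authentication exchanges above (mutual CHAP in Task 2.2, PAP in Task 2.3) modelled in Python, as an added example that is not part of the lab or of Cisco IOS. It uses the task's hostname and secret, random challenge bytes, and no PPP framing; the point it makes is why both routers need ‘no ppp chap ignoreus’ when they share a name, and that PAP puts the secret on the wire while CHAP does not.

```python
"""CHAP (RFC 1994) and PAP, modelled in Python.

Added example, not part of the lab or of Cisco IOS: it models the
authentication exchanges of Tasks 2.2 and 2.3 without any PPP framing.
The hostname and secrets are the task values; challenge bytes are random.
"""
import hashlib
import hmac
import os

HOSTNAME = "T3ST123"        # same 'ppp chap hostname' on both routers
SECRET = b"PPPoverFr@m3"    # shared CHAP secret (the 'username ... password')


class ChapPeer:
    """One end of a CHAP session: a local name, a peer-name -> secret
    table (IOS's local username database) and the challenge outstanding."""

    def __init__(self, name, secrets):
        self.name = name
        self.secrets = secrets
        self.pending = None      # (identifier, challenge value) we issued

    def challenge(self, ident):
        """Send Challenge: identifier, random value, and our own name."""
        value = os.urandom(16)
        self.pending = (ident, value)
        return ident, value, self.name

    def respond(self, ident, value, peer_name, ignore_own_name=True):
        """Answer a Challenge with MD5(identifier || secret || value).
        IOS's default 'ppp chap ignoreus' drops a challenge that carries
        our own name; Task 2.2 needs 'no ppp chap ignoreus' on both
        routers because both present the name T3ST123."""
        if ignore_own_name and peer_name == self.name:
            return None
        secret = self.secrets.get(peer_name)
        if secret is None:
            return None
        digest = hashlib.md5(bytes([ident]) + secret + value).digest()
        return ident, digest, self.name

    def verify(self, ident, digest, peer_name):
        """Check a Response against the challenge we issued."""
        if self.pending is None or self.pending[0] != ident:
            return False
        value = self.pending[1]
        self.pending = None
        secret = self.secrets.get(peer_name)
        if secret is None:
            return False
        expected = hashlib.md5(bytes([ident]) + secret + value).digest()
        return hmac.compare_digest(expected, digest)


def chap_mutual(a, b, ignore_own_name=True):
    """'ppp authentication chap' on both ends: each side challenges the
    other and the link only comes up if both responses verify."""
    results = []
    for challenger, responder in ((a, b), (b, a)):
        ident, value, name = challenger.challenge(ident=1)
        reply = responder.respond(ident, value, name, ignore_own_name)
        results.append(reply is not None and challenger.verify(*reply))
    return all(results)


def pap_request(username, password):
    """PAP Authenticate-Request payload (RFC 1334): the credentials
    travel as plain bytes, so anyone on the path can read them."""
    u, p = username.encode(), password.encode()
    return bytes([len(u)]) + u + bytes([len(p)]) + p


def secret_on_wire(payload, secret):
    """Does the secret appear verbatim in what was transmitted?"""
    return secret in payload


if __name__ == "__main__":
    r4 = ChapPeer(HOSTNAME, {HOSTNAME: SECRET})
    r5 = ChapPeer(HOSTNAME, {HOSTNAME: SECRET})
    print("CHAP, ignoreus default:", chap_mutual(r4, r5, True))
    print("CHAP, no ppp chap ignoreus:", chap_mutual(r4, r5, False))
    print("PAP leaks secret:", secret_on_wire(pap_request("cisco", "cisco"), b"cisco"))
```

With the default behaviour modelled by `ignore_own_name=True` the mutual exchange fails, exactly as the link would stay down before ‘no ppp chap ignoreus’ is added; with it disabled both responses verify, and a wrong secret on either side fails the link. The PAP helper shows the opposite property: the password is readable in the request.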
3.0 Routing
Task 3.1
Configure the connections from R6 to R7 and R9 for EIGRP AS 679. Add the loopback1 interfaces on
R6, R7, and R9 to EIGRP. Add R2’s loopback1 interface to EIGRP AS 2.
R2(config)#router eigrp 2
R2(config-router)#no auto-summary
R2(config-router)#network 2.2.2.2 0.0.0.0
Task 3.2
Configure the link between R6 and R7 to use authentication for routing updates. Use key 1 and cisco as
the password.
Task 3.3
Configure R7’s connection to BB1 for EIGRP AS 679. R7 should receive routes from the backbone of the
format 201.y.x.x, where y is a number from 1 to 10. Configure R7 to only allow routes with an even
second octet. Do not configure an ACL for the filtering.
Task 3.4
Based on the configuration of R9, R6 should learn that it should not send QUERY packets to R9, and that
R9 will only route packets for networks it has explicitly advertised.
Task 3.5
Configure RIP for the connection between R1 and Switch1, the PPP link between R2 and R5, and the link
from R5 to R4. Add the loopback1 interface on switch1 and R4 to RIP.
Cat1(config)#ip routing
Cat1(config)#router rip
Cat1(config-router)#version 2
Cat1(config-router)#no auto-summary
Cat1(config-router)#network 141.141.0.0
Cat1(config-router)#network 35.0.0.0
R1(config)#router rip
R1(config-router)#version 2
R1(config-router)#no auto-summary
R1(config-router)#network 141.141.0.0
R2(config)#router rip
R2(config-router)#version 2
R2(config-router)#no auto-summary
R2(config-router)#network 141.141.0.0
R5(config)#router rip
R5(config-router)#version 2
R5(config-router)#no auto-summary
R5(config-router)#network 141.141.0.0
R4(config)#router rip
R4(config-router)#version 2
R4(config-router)#no auto-summary
R4(config-router)#network 141.141.0.0
R4(config-router)#network 4.0.0.0
Task 3.6
Configure R4 to receive routes via RIP from BB2. R4 should receive routes from BB2 of the format
172.20.x.y. Only allow routes with a third octet from 33 to 46, using an access list. Your access list
should use the fewest number of lines that will not allow any extra networks.
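The wildcard arithmetic behind this task and the even-octet filter of Task 3.3, as an added Python example that is not part of the lab. It splits a contiguous octet range into the fewest aligned blocks (each one access-list line) and verifies nothing outside the range is matched; it also computes the tightest single wildcard for a non-contiguous set and reports what that line lets through in addition. The ACL number and prefixes are the task's; the functions are general.

```python
"""Wildcard-mask arithmetic for the route filters in Tasks 3.3 and 3.6.

Added example, not from the lab: (1) splits a contiguous octet range into
the fewest aligned blocks, each one 'access-list' line, and checks that
no value outside the range is matched; (2) finds the single wildcard that
a non-contiguous set of octet values would need and reports the extra
values that line would let through. ACL numbers and prefixes are the
task's; the functions are general.
"""


def aligned_blocks(lo, hi):
    """Cover lo..hi (inclusive) with the fewest (start, size) blocks where
    size is a power of two and start is a multiple of size. Greedy: from
    the current start, take the largest aligned block that still fits."""
    blocks, cur = [], lo
    while cur <= hi:
        size = 1
        while cur % (size * 2) == 0 and cur + size * 2 - 1 <= hi:
            size *= 2
        blocks.append((cur, size))
        cur += size
    return blocks


def acl_lines(acl_no, first_two_octets, lo, hi):
    """Render the blocks as standard-ACL lines matching the third octet.
    A block of size s needs wildcard bits s-1 in that octet."""
    return [
        f"access-list {acl_no} permit {first_two_octets}.{start}.0 0.0.{size - 1}.255"
        for start, size in aligned_blocks(lo, hi)
    ]


def values_matched(base, wildcard):
    """Octet values matched by one 'base wildcard' pair: a value matches
    when every bit that is 0 in the wildcard equals the base's bit."""
    fixed = 0xFF & ~wildcard
    return {v for v in range(256) if v & fixed == base & fixed}


def range_exactly_covered(lo, hi):
    """Confirm the generated lines match exactly lo..hi and nothing else."""
    hit = set()
    for start, size in aligned_blocks(lo, hi):
        hit |= values_matched(start, size - 1)
    return hit == set(range(lo, hi + 1))


def single_wildcard(values):
    """Tightest one-line wildcard for an arbitrary set of octet values:
    bits that differ anywhere in the set must become wildcard bits.
    Returns (base, wildcard, extra values the line also matches)."""
    values = list(values)
    wildcard = 0
    for v in values:
        wildcard |= v ^ values[0]
    base = values[0] & 0xFF & ~wildcard
    extras = values_matched(base, wildcard) - set(values)
    return base, wildcard, extras


if __name__ == "__main__":
    # Task 3.6: third octet 33..46 of 172.20.0.0
    for line in acl_lines(10, "172.20", 33, 46):
        print(line)
    print("exact:", range_exactly_covered(33, 46))
    # Task 3.3: even second octet 2..10 (the 0.14.0.0 wildcard used later on R6)
    print(single_wildcard([2, 4, 6, 8, 10]))
```

For 33 to 46 the minimum is six lines (33, 34-35, 36-39, 40-43, 44-45, 46), since a 40-47 block would admit 47. For the even second octets 2 to 10, the single wildcard 0.14.0.0 with base 0 also admits 0, 12 and 14, which is why a one-line wildcard cannot filter that set exactly.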
Î Looking at R2, you may see that R2 is not receiving routes from R5, depending on how
you configured the earlier address assignment. Debugging RIP events on R2 will tell you
what is happening.
Î The update is ignored because R2 learned its own address with a /32 mask, so the source
address of R5’s update is not on the same network as the receiving interface. The normal
check can be bypassed with the “no validate-update-source” command under the RIP process on
R2. Note that this disables the source check on every RIP interface of R2, not only the PPP link.
R2(config)#router rip
R2(config-router)#no validate-update-source
Task 3.7
Configure OSPF for the network between R2, R5, and R6 in area 256. Configure OSPF for the network
between R1, R2, and Switch 2 in area 12. Area 12 should use the option discussed in RFC 1587. Add
the loopback1 interfaces on R1 and Switch2 to area 12. Add the loopback1 interfaces of R5 and R6 to
area 0.
Î Start by configuring the networks for the areas, and add area 12 as NSSA.
R2(config)#router ospf 1
R2(config-router)#network 141.41.26.2 0.0.0.0 area 256
R2(config-router)#network 141.41.12.2 0.0.0.0 area 12
R2(config-router)#area 12 NSSA
R5(config)#router ospf 1
R5(config-router)#network 141.41.26.5 0.0.0.0 area 256
R5(config-router)#network 5.5.5.5 0.0.0.0 area 0
R6(config)#router ospf 1
R6(config-router)#network 141.41.26.6 0.0.0.0 area 256
R6(config-router)#network 6.6.6.6 0.0.0.0 area 0
Cat2(config)#ip routing
Cat2(config)#router ospf 1
Cat2(config-router)#network 141.41.12.36 0.0.0.0 area 12
Cat2(config-router)#area 12 NSSA
Cat2(config-router)#network 36.36.36.36 0.0.0.0 area 12
Cat2(config)#int vlan 12
Cat2(config-if)#ip address 141.41.12.36 255.255.255.0
R1(config)#router ospf 1
R1(config-router)#network 1.1.1.1 0.0.0.0 area 12
R1(config-router)#area 12 nssa
R1(config-router)#network 141.41.12.1 0.0.0.0 area 12
Î We also need virtual links for two reasons. We have both a discontiguous area 0, and R2
is touching two areas, but is not touching area 0.
R2(config)#router ospf 1
R2(config-router)#area 256 virtual-link 6.6.6.6
R2(config-router)#area 256 virtual-link 5.5.5.5
R5(config)#router ospf 1
R5(config-router)#area 256 virtual-link 2.2.2.2
R6(config)#router ospf 1
R6(config-router)#area 256 virtual-link 2.2.2.2
Î Having network statements is not enough to establish the adjacency across frame relay.
The default OSPF network type on a physical or multipoint frame relay interface is
nonbroadcast, which does not multicast hellos, so no neighbor is discovered without static
neighbor statements. We are not given restrictions on the OSPF network type, so you could
choose point-to-multipoint, nonbroadcast, or broadcast. With broadcast or nonbroadcast there
will be a DR election. Setting the spoke priorities to 0 forces the hub to be the DR, which is
required because only the hub has a mapping to every other router.
R2(config)#int ser0/1/0
R2(config-if)#ip ospf netwo broadcast
R6(config)#int ser0/1/0
R6(config-if)#ip ospf prior 0
R6(config-if)#ip ospf netw broadcast
R5(config)#int ser0/1/0.1
R5(config-subif)#ip ospf prior 0
R5(config-subif)#ip ospf netw broad
Î It is possible that the adjacency to Cat2 will not form and the OSPF adjacency debug reports
an MTU mismatch.
Î Because Cat2 has a larger MTU (the system MTU of 1508 from Task 1.4), the adjacency stalls
in EXSTART. You can configure R1 and R2 to ignore the MTU in the DBD packets, adjust the
system MTU, or adjust the MTU of the SVI on the switch.
R1(config)#int fa0/1
R1(config-if)#ip ospf mtu-ignore
R2(config)#int fa1/0
R2(config-if)#ip ospf mtu-ignore
Task 3.8
Configure MD5 authentication for the OSPF interfaces in area 256.
R2(config)#router ospf 1
R2(config-router)#area 256 authentication mess
R2(config)#int ser0/1/0
R2(config-if)#ip ospf message-digest-key 1 md5 cisco
R5(config)#router ospf 1
R5(config-router)#area 256 authent mess
R5(config-router)#int ser0/1/0.1
R5(config-subif)#ip ospf message-digest-key 1 md5 cisco
R6(config)#router ospf 1
R6(config-router)#area 256 authent mess
R6(config-router)#int ser0/1/0
R6(config-if)#ip ospf message-digest-key 1 md5 cisco
Task 3.9
Redistribute as needed on R1, R2, R5, and R6, so that all routers can reach all networks that have not
been explicitly filtered in other steps.
R1(config)#router ospf 1
R1(config-router)#redist rip subnets
R1(config)#router rip
R1(config-router)#redist ospf 1 metric 3
Î On R2, redistribute from EIGRP into OSPF and RIP, to pass on information about R2’s
loopback1 interface.
R2(config)#router ospf 1
R2(config-router)#redist eigrp 2 subnets
R2(config)#router rip
R2(config-router)#redist eigrp 2 metric 3
R6(config)#router ospf 1
R6(config-router)#redist eigrp 679 subnets
Î We still need to redistribute between RIP and OSPF. Redistributing on R2 and R5 will
provide redundancy if there is a link or device failure on R2 or R5.
R5(config)#router rip
R5(config-router)#redist ospf 1 metric 3
R5(config)#router ospf 1
R5(config-router)#redist rip subnets
R2(config)#router rip
R2(config-router)#redist ospf 1 metric 3
R2(config)#router ospf 1
R2(config-router)#redist rip subnets
Î For reachability from Cat2, R1, and Cat1, area 12 will be configured as a totally NSSA
area. R2 is the ABR for area 12, so the no-summary keyword goes on R2, where it makes R2
originate a default route into the area. Without it, reachability to the rest of the network
would be affected by the default behavior of an NSSA, which does not accept type 5 LSAs; the
networks redistributed from EIGRP AS 679 on R6 are type 5 and would never be seen inside
area 12.
R2(config)#router ospf 1
R2(config-router)#area 12 NSSA no-summary
Î Using TCL, you can quickly ping devices to verify general connectivity. At a minimum,
you should ping the loopback networks from a few locations.
tclsh
foreach CCIE {
1.1.1.1
2.2.2.2
4.4.4.4
5.5.5.5
6.6.6.6
7.7.7.7
9.9.9.9
35.35.35.35
36.36.36.36
141.141.200.200
141.41.100.100
} {ping $CCIE}
Î You also may want to check that the routes are coming from the proper location. R5 learns
the BB2 networks and VLAN 200 from R4 via RIP, and also via OSPF through the redistribution.
Since OSPF’s administrative distance (110) beats RIP’s (120), R5 would install the OSPF path
and may not be able to reach those networks. To force RIP to be preferred for the BB2
networks and VLAN 200, we can lower the RIP administrative distance on R5 for just those
networks learned from R4.
R5(config)#router rip
R5(config-router)#distance 105 141.141.45.4 0.0.0.0 72
Task 3.10
R9 should load balance traffic destined to the rest of the network. Traffic to the networks learned from
BB1 should prefer the path via Ser0/2/1 over Ser0/2/0. Traffic to the networks learned from BB2 should
prefer the path via Ser0/2/0. Traffic to other networks should be balanced across the two links per
packet.
Î Start with an access-list to match each set of networks. For EIGRP, offset lists can adjust
metrics over what is dynamically learned.
(BB1)
R6(config)#access-list 20 permit 201.0.1.1 0.14.0.0
(BB2)
R6(config)#access-list 10 permit 172.20.32.2 0.0.15.0
R9(config)#int ser0/2/0
R9(config-if)#ip load-sharing per-packet
R9(config-if)#int ser0/2/1
R9(config-if)#ip load-sharing per-packet
Î Verify the load sharing with a debug. Using an access list with “debug ip packet detail”,
you can see the packets alternate between Ser0/2/0 and Ser0/2/1. Note: if you also want the
return traffic to alternate between the two interfaces, you also need to configure per-packet
load sharing on the interfaces on R6. Per-packet load sharing can reorder packets within a
flow; it is what the task asks for, not a general recommendation.
4.0 BGP
Task 4.1
Configure R2, R5, and R6 in AS 256. Configure R4 in AS 4. Configure R9 in AS 9. Do not configure a
full mesh between the three routers in AS 256.
Î In order to configure without using a full mesh, we can configure either a confederation or
a route reflector. Configuring a route reflector is a little easier. Since we have multiple
paths, peering between loopbacks will provide some resiliency.
R9 should peer to R6, R4 should peer to R5. For R6’s peering to R9, R6 should appear to be in AS 66.
For R9’s peering to R6, R9 should appear to be in AS 99.
Î EBGP peerings are normally formed between directly connected interfaces, and the router
sends its BGP packets with a TTL of 1. When peering between loopbacks, the ebgp-multihop
option raises the TTL so the session can be established across the intermediate hop.
Alternatively, some IOS versions support the ttl-security option (GTSM, RFC 5082), which is
the better choice: instead of raising the outgoing TTL it requires the incoming TTL to be at
least 255 minus the configured hop count, so a host further away cannot spoof the session.
The two options cannot be configured together on the same neighbor.
R9(config)#router bgp 9
R9(config-router)#neighbor 6.6.6.6 remote-as 66
R9(config-router)#neighbor 6.6.6.6 update-sourc lo1
R9(config-router)#neighbor 6.6.6.6 ebgp-multi
R9(config-router)#neigh 6.6.6.6 local-as 99
R4(config)#router bgp 4
R4(config-router)#neighbor 5.5.5.5 remote-as 256
R4(config-router)#neighbor 5.5.5.5 upd lo1
R4(config-router)#neighbor 5.5.5.5 ebgp-multi
Loopback40 – 204.40.4.4/32
Loopback41 – 204.41.4.4/32
Loopback42 – 204.42.4.4/32
Loopback43 – 204.43.4.4/32
R4(config)#int loop 40
R4(config-if)#ip address 204.40.4.4 255.255.255.255
R4(config-if)#int loop 41
R4(config-if)#ip address 204.41.4.4 255.255.255.255
R4(config-if)#int loop 42
R4(config-if)#ip address 204.42.4.4 255.255.255.255
R4(config-if)#int loop 43
R4(config-if)#ip address 204.43.4.4 255.255.255.255
Î When adding the networks to BGP, make sure to include the mask, otherwise they will not
get properly advertised to the neighbor.
R4(config)#router bgp 4
R4(config-router)#network 204.40.4.4 mask 255.255.255.255
R4(config-router)#network 204.41.4.4 mask 255.255.255.255
R4(config-router)#network 204.42.4.4 mask 255.255.255.255
R4(config-router)#network 204.43.4.4 mask 255.255.255.255
Task 4.2
Configure R5 such that the following requirements are met regarding these loopback networks.
R2 and R6 should not see the loopbacks with an odd second octet. R2 and R6 should still be able to ping
all 4 loopbacks.
R9 should not see any of the /32 loopback network routes, but should be able to ping all 4 loopbacks. Do
not configure anything on R6 to achieve this task. Do not add any static routes to achieve this task.
Î Adding a summary will allow reachability without passing the original routes, as there
would still be a route to a less specific network. By default when configuring summaries
with BGP, both the summary and the more specific routes are sent. There are a number of
different methods that can be used to filter the specific networks.
Î In this case, we will use a route-map as a “suppress map” to block just a few of the more
specific routes. In this particular case, we can match two routes with one ACL line, due to
the binary bit boundaries.
Î After filtering the .41 and .43 networks, the .40 and .42 networks are still being sent. We
need to prevent these from getting to R9, without configuring anything on R6.
Communities would be one method. By setting the community of ‘no-export’, the routes
would not be sent on to another AS. When setting communities, you also need to make
sure that you send the community to the neighbor.
Î Prefix lists will allow you to also match mask length. In this case, the access-list used
would match both the .40 more specific network and the summary. Since we want the
summary to still be passed on, we need to further differentiate. In this case, we can do
that by also matching next hop, since the more specific routes have the next hop of the
peering address on R4.
R5(config)#route-map TOR2 permit 10
R5(config-route-map)#match ip address 42
R5(config-route-map)#set community no-export additive
R5(config-route-map)#route-map TOR2 permit 20
5.0 Multicast
Task 5.1
Configure sparse mode for the interfaces connecting R2, R5, and R6, and the loopback1 interfaces on
those devices. R2’s loopback1 should be the RP.
R2, R5, and R6 should receive a response when they ping the multicast groups 225.0.0.2, 225.0.0.5, and
225.0.0.6.
R2(config)#ip multicast-routing
R2(config)#int lo1
R2(config-if)#ip pim sparse
R2(config-if)#int ser0/1/0
R2(config-if)#ip pim sparse
R2(config-if)#
R2(config-if)#int ser0/2/0
R2(config-if)#ip pim sparse
R2(config)#ip pim rp-address 2.2.2.2
R5(config)#ip multicast-routing
R5(config)#int ser0/2/0
R5(config-if)#ip pim sparse
R5(config)#ip pim rp-address 2.2.2.2
R5(config)#int ser0/1/0.1
R5(config-subif)#ip pim sparse
R6(config)#ip multicast-routing
R6(config)#ip pim rp-address 2.2.2.2
R6(config)#int ser0/1/0
R6(config-if)#ip pim sparse
R2(config)#int lo1
R2(config-if)#ip igmp join-group 225.0.0.2
R5(config)#int lo1
R5(config-if)#ip igmp join-group 225.0.0.5
R6(config)#int lo1
R6(config-if)#ip igmp join-group 225.0.0.6
R6#ping 225.0.0.5
Î You may see failures when pinging the groups from the spokes. On the hub’s multipoint frame
relay interface, PIM sees a single interface and will not forward a packet received from one
spoke back out the same interface to the other spoke. NBMA mode makes the hub track each PIM
neighbor separately, as if each connection were an individual point-to-point link.
R2(config)#int ser0/1/0
R2(config-if)#ip pim nbma
R5#ping 225.0.0.6
Task 6.1
Configure NTP on R1, R2, R4, R5, R6, R7, and R9. You may only configure the NTP master command
on one device. In the output of show ntp status, each device’s stratum should be the same as the router
number. (R1 should have a stratum of 1, R4 should have a stratum of 4, R7 should have a stratum of 7,
etc.)
Î Stratum increases by one at each synchronization hop: a device synchronized to a stratum 1
device is stratum 2, a device synchronized to that one is stratum 3, and so on. Start with
router 1 and chain each device to the previous one. We also need devices at stratum 3 and 8,
for which we can use the two switches. Make sure to verify with the output of “show ntp
status”; a device reports its stratum only once it has actually synchronized.
R1(config)#ntp master 1
Task 6.2
Configure R4 to hand out addresses for VLAN 67 with a fourth octet from 20 to 40. Do not add any
subinterfaces on R4. R4 should hand out a default router address of x.x.x.6, and should hand out a DNS
server address of x.x.x.53. Test by configuring R8’s Fa0/0 interface to receive an address via DHCP, and
verifying that the address received is in the range of addresses that R4 is handing out. Verify that DHCP
still works if R5’s serial 0/1/0 subinterface connecting to R2 fails.
R6(config)#int fa0/0
R6(config-if)#ip helper-address 4.4.4.4
Cat2(config)#int fa0/8
Cat2(config-if)#swit acc vl 67
Cat2(config-if)#span portfast
R8(config)#int fa0/0
R8(config-if)#ip address dhcp
Î Since Cat2 is configured for DHCP snooping for the VLAN, make sure to add the port as a
trusted port.
Cat2(config)#int fa0/6
Cat2(config-if)#ip dhcp snooping trust
Î Next, let’s look at some debugs on R6. Start with an access list for the DHCP traffic, which
we can use in conjunction with “debug ip packet detail” to watch the packets. Also, debug
ip dhcp server packet can give us DHCP specific information.
Î The switch is inserting option 82 information, which is preventing R6 from accepting and
forwarding the request: by default a relay drops a client packet that already carries option
82 but has a giaddr of 0.0.0.0. You could either configure the switch to not insert the
information, or configure R6 to trust the information on the port where the helper address
is applied. Limit that trust to the interface facing the snooping switch; a trusted interface
accepts relay-agent information from anything connected to it.
R6(config)#int fa0/0
R6(config-if)#ip dhcp relay info trust
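The relay decision just described, as an added Python example that is not from the lab or Cisco: it parses a DHCP DISCOVER, detects option 82 on a packet whose giaddr is still 0.0.0.0, and applies the drop-unless-trusted policy before setting giaddr for forwarding. The packet bytes, client MAC and the relay's VLAN 67 address (141.41.67.6) are constructed.

```python
"""DHCP relay handling of option 82 (relay agent information).

Added example, not from the lab or Cisco: models the check that made R6
drop R8's DISCOVER in Task 6.2. A relay that receives a client packet
already carrying option 82 but with giaddr 0.0.0.0 treats it as
untrusted and drops it unless the receiving interface is marked trusted
('ip dhcp relay information trust'). Sample packet bytes are constructed.
"""
import struct

MAGIC = b"\x63\x82\x53\x63"            # DHCP magic cookie after the BOOTP header
RELAY_GIADDR = bytes([141, 41, 67, 6])  # constructed: R6's VLAN 67 address


def parse_options(payload):
    """Return {code: value} from the DHCP options area (after the cookie)."""
    opts, i = {}, 0
    while i < len(payload):
        code = payload[i]
        if code == 0:          # pad
            i += 1
            continue
        if code == 255:        # end
            break
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def build_discover(option82=None):
    """Constructed BOOTREQUEST: op, htype, hlen, hops, xid, secs, flags,
    ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128),
    then the cookie and options (53=DISCOVER, optional 82)."""
    mac = bytes.fromhex("0011223344aa")   # constructed client MAC
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, 6, 0, 0x1234, 0, 0x8000,
                        bytes(4), bytes(4), bytes(4), bytes(4),
                        mac.ljust(16, b"\x00"), bytes(64), bytes(128))
    opts = b"\x35\x01\x01"                 # option 53, DHCPDISCOVER
    if option82 is not None:
        opts += b"\x52" + bytes([len(option82)]) + option82
    return fixed + MAGIC + opts + b"\xff"


def relay_decision(packet, interface_trusted, relay_giaddr=RELAY_GIADDR):
    """Apply the relay's option-82 policy. Returns (action, packet)."""
    giaddr = packet[24:28]
    opts = parse_options(packet[240:])
    if 82 in opts and giaddr == bytes(4) and not interface_trusted:
        # Relay information on a packet no relay has touched yet: only a
        # switch on a trusted port is allowed to have inserted it.
        return "drop", None
    if giaddr == bytes(4):
        # First relay hop: record our address so the server replies to us.
        packet = packet[:24] + relay_giaddr + packet[28:]
    return "forward", packet


if __name__ == "__main__":
    # constructed option 82: circuit-id sub-option 1 = port 8 of the switch
    tagged = build_discover(option82=b"\x01\x02\x00\x08")
    print(relay_decision(build_discover(), False)[0])   # forward
    print(relay_decision(tagged, False)[0])             # drop
    print(relay_decision(tagged, True)[0])              # forward
```

The middle case is the failure seen on R6 before ‘ip dhcp relay information trust’; the last case is after it. The same parser shows why trusting the interface matters: nothing in the packet authenticates option 82, so whoever can reach a trusted relay interface can claim any circuit ID.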
Task 6.3
Add a loopback222 on R2 with the address 222.222.222.222 and a 32-bit mask. Do not add this
loopback network to any routing protocol. R2 should have 100% success for a ping sourced from this
new loopback with a destination of the loopback1 interfaces of the routers and switches in the topology.
Î Since nothing advertises 222.222.222.222, the remote loopbacks have no route back to it. By
translating the source address to that of an outside interface the rest of the network can
already reach, the return traffic can find its way back to R2.
R2(config)#int loop222
R2(config-if)#ip address 222.222.222.222 255.255.255.255
R2(config)#int loop222
R2(config-if)#ip nat inside
R2(config)#int ser0/1/0
R2(config-if)#ip nat outside
R2(config-if)#int ser0/2/0
R2(config-if)#ip nat outside
R2(config-if)#int fa1/0
R2(config-if)#ip nat outside
Î Verify with ping and debugging nat. You should see the address translated, and
successful pings.
R2#deb ip nat
IP NAT debugging is on
R2#ping 1.1.1.1 source 222.222.222.222
7.0 IPv6
Task 7.1
Add a loopback on R5, R6, and R2 of the format 2001::x, where x is the router number. Add these
networks to an IPv6 RIP process, and configure the frame relay connection between R5, R6, and R2 for
RIP. Verify that each of these three routers can ping all three IPv6 loopbacks. Do not configure the PPP
link between R2 and R5 for IPv6.
R2(config)#ipv6 unicast-routing
R2(config)#int lo6
R2(config-if)#ipv6 address 2001::2/128
R2(config-if)#int ser0/1/0
R2(config-if)#ipv6 address 2001::256:2/125
R5(config)#ipv6 unicast-routing
R5(config)#int lo6
R5(config-if)#ipv6 address 2001::5/128
R5(config-if)#int ser0/1/0.1
R5(config-subif)#ipv6 address 2001::256:5/125
R6(config)#ipv6 unicast-routing
R6(config)#int lo6
R6(config-if)#ipv6 address 2001::6/128
R6(config-if)#int ser0/1/0
R6(config-if)#ipv6 address 2001::256:6/125
R5(config)#int ser0/1/0.1
R5(config-if)#ipv6 address fe80::5 link-local
R6(config)#int ser0/1/0
R6(config-if)#ipv6 address fe80::6 link-local
R2(config-if)#int ser0/1/0
R2(config-if)#frame map ipv6 2001::256:5 205
R2(config-if)#frame map ipv6 2001::256:6 206
R5(config)#int ser0/1/0.1
R5(config-subif)#frame map ipv6 2001::256:2 502
R5(config-subif)#frame map ipv6 2001::256:6 502
R6(config-if)#int ser0/1/0
R6(config-if)#frame map ipv6 2001::256:2 602
R6(config-if)#frame map ipv6 2001::256:5 602
R5(config)#int lo6
R5(config-if)#ipv6 rip V6 enable
R5(config-if)#int ser0/1/0.1
R5(config-subif)#ipv6 rip V6 enable
R5(config)#int ser0/1/0.1
R5(config-subif)#frame map ipv6 fe80::2 502 broad
R2(config)#int ser0/1/0
R2(config-if)#frame map ipv6 fe80::5 205 broad
R2(config-if)#frame map ipv6 fe80::6 206 broad
R2(config-if)#ipv6 address fe80::2 link-local
R6(config)#int ser0/1/0
R6(config-if)#frame map ipv6 fe80::2 602 broad
Î R2 sees both loopbacks, but R5 and R6 only see the loopback on R2. This is due to RIP split
horizon: R2 will not send a route learned from R5 back out the same frame relay interface to
R6, and vice versa.
Î Once split horizon is disabled on R2’s frame relay interface so those updates pass, R5 and R6
should be able to ping each other’s loopbacks.
R5#ping 2001::6
Task 8.1
Configure an outbound policy on R1’s Fa0/0 interface for traffic classification. Telnet traffic should be
marked with precedence level 5, HTTP traffic should be marked with precedence level 4. Do not assign
any bandwidth allocations, reservations, or restrictions for these two traffic classes. All other traffic
leaving this interface should be handled using WRED with explicit congestion notification.
R1(config)#class-map telnet
R1(config-cmap)#match prot telnet
R1(config-cmap)#class-map http
R1(config-cmap)#match prot http
R1(config)#policy-map qos
R1(config-pmap)#class telnet
R1(config-pmap-c)#set prec 5
R1(config-pmap-c)#class http
R1(config-pmap-c)#set prec 4
R1(config-pmap-c)#class class-default
R1(config-pmap-c)#fair-queue
R1(config-pmap-c)#rand
R1(config-pmap-c)#rand ecn
R1(config)#int fa0/0
R1(config-if)#service-pol output qos
Task 8.2
Configure R2’s FastEthernet and Frame-relay interfaces to gather statistics for traffic, to monitor what
protocols are seen, using common protocol names.
R2(config)#int fa1/0
R2(config-if)#ip nbar protocol-discovery
R2(config)#int ser0/1/0
R2(config-if)#ip nbar protocol-discovery
Task 8.3
Configure R2’s FastEthernet interface to drop ICMP type 0 and type 8 packets with a size from 250 to
300 bytes.
R2(config)#class-map icmp
R2(config-cmap)#match access-group 183
R2(config-cmap)#match packet length min 250 max 300
R2(config)#policy-map icmppol
R2(config-pmap)#class icmp
R2(config-pmap-c)#drop
R2(config)#int fa1/0
R2(config-if)#service-policy input icmppol
R2(config-if)#service-policy output icmppol
Task 8.4
On R6’s FastEthernet interface connecting to VLAN 67, configure a custom Queue with the following
parameters:
Configure telnet for queue 3, double the default byte count, and increase the queue length to 10 times the
default value.
Configure SMTP traffic for queue 5, with the default queue length and byte count.
Configure other packets to use queue 4, with a queue length 20 times the default value, and a byte count
of 10 times the default value.
Î The default byte count for a queue is 1500 bytes, and the default queue length is 20.
R6(config)#int fa0/0
R6(config-if)#custom-queue-list 1
9.0 Security
Task 9.1
R9 should be configured to accept telnet connections on port 3005. Telnet connections to port 23 should
not be allowed. Configure a local user named cisco with a password of cisco, and privilege level 15.
Telnet access should require user login, but console access should not require user login.
Î Access on an alternate port can be done with the rotary command on a VTY line. In order
to restrict access, you can use an access-list applied with the access-class command.
R9(config)#line vty 5
R9(config-line)#rotary 5
R9(config-line)#login local
Î In order to configure separate behavior per line, we can use different method lists. For the
VTY line we use local authentication, and for everything else a default of no authentication,
so that the console port is not affected. Be aware that a default of none applies to every line
that is not bound to a named list, including vty 0 4; make sure those lines cannot be reached,
which is what the refused connection to port 23 below checks.
R9(config)#aaa new-model
R9(config)#aaa authentication login def none
R9(config)#aaa authentication login VTY local
R9(config)#line vty 5
R9(config-line)#login authent VTY
R6#telnet 9.9.9.9
Trying 9.9.9.9 ...
% Connection refused by remote host
Î Port 23 is refused; the login prompt below is from the connection to port 3005.
Username: cisco
Password:
R9>
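A small configuration linter for the weak settings this page touches (PAP in Task 2.3, ‘default none’, clear-text passwords and telnet in Task 9.1), as an added Python example that is not from the lab or Cisco. The rules and the sample configuration are constructed here from the commands on this page; the rule list is illustrative, not a hardening baseline.

```python
"""Lint an IOS configuration for the weak authentication settings that
this lab's Task 2.3 (PAP) and Task 9.1 (AAA, telnet) touch.

Added example, not from the lab or Cisco: the rules and the sample
configuration are constructed here from the commands on this page; the
rule list is illustrative, not a complete hardening baseline.
"""
import re

# Rules applied to top-level configuration lines.
GLOBAL_RULES = [
    ("aaa-default-none", r"^aaa authentication login default none$",
     "every line not bound to a named list (console, aux, vty 0 4) gets no login"),
    ("plaintext-password", r"^username \S+( privilege \d+)? password (0 )?\S+$",
     "type 0 password in the config; use 'username ... secret'"),
    ("type7-password", r"password 7 [0-9A-Fa-f]+$",
     "type 7 is reversible obfuscation, not a hash"),
]

# Rules applied to sub-commands under an interface or line block.
SUB_RULES = [
    ("pap", r"^ppp authentication pap\b",
     "PAP sends the username and password in clear text; use CHAP"),
    ("clear-text-transport", r"^transport input (all|telnet)\b",
     "telnet carries the login in clear text; use 'transport input ssh'"),
]


def sections(config):
    """Split an IOS config into (header, [sub-commands]) blocks. Lines
    indented by a space belong to the preceding unindented line."""
    blocks, current = [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            blocks.append(current)
    return blocks


def lint(config):
    """Return a list of (rule, offending line, explanation)."""
    findings = []
    for header, subs in sections(config):
        for rule, pattern, why in GLOBAL_RULES:
            if re.search(pattern, header):
                findings.append((rule, header, why))
        for sub in subs:
            for rule, pattern, why in SUB_RULES:
                if re.search(pattern, sub):
                    findings.append((rule, f"{header} / {sub}", why))
        if header.startswith("line vty"):
            if not any(s.startswith("access-class") for s in subs):
                findings.append(("vty-no-access-class", header,
                                 "nothing limits which sources may open the line"))
    return findings


# Constructed configuration mirroring the R9 commands in Task 9.1 plus the
# PAP link from Task 2.3; the interface name is the lab's.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default none
aaa authentication login VTY local
username cisco privilege 15 password cisco
interface Serial0/2/0
 encapsulation ppp
 ppp authentication pap
line con 0
line vty 0 4
 transport input telnet
line vty 5
 rotary 5
 login authentication VTY
 transport input telnet
"""

if __name__ == "__main__":
    for rule, where, why in lint(SAMPLE_CONFIG):
        print(f"{rule:22} {where:40} {why}")
```

Run against the sample it flags the ‘default none’ list, the type 0 password, PAP on the serial link, telnet on both vty blocks, and the absence of an access-class on both; Task 9.3's ‘access-class 23 in’ on Switch1 is the pattern that clears the last finding.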
Task 9.2
When the user cisco telnets to R9, the user should be able to show the routing table (show ip route), and
show interface status (show interface). The user should not be able to make configuration changes.
Î Verify that the user can only show the routing table and check interface status. With the
configuration done earlier, only authentication is performed: the privilege 15 on the username
is not applied without “aaa authorization exec”, so the user lands at privilege 1 (the R9>
prompt) and cannot enter configuration mode. Privilege 1 still exposes far more than two
commands; to truly restrict the user, move those commands to a custom privilege level, or use
a menu to limit the options the user has available.
Username: cisco
Password:
R9>show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
R9>show int
FastEthernet0/0 is administratively down, line protocol is down
Hardware is MV96340 Ethernet, address is 001b.d504.4c40 (bia 001b.d504.4c40)
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Auto-duplex, Auto Speed, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 2w2d, output 2w2d, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
Task 9.3
Switch1 should only allow telnet and SSH connections from R5’s loopback1 interface. Do not configure
an extended ACL for this task.
Cat1(config)#
1d04h: %SSH-5-ENABLED: SSH 1.99 has been enabled
Cat1(config)#line vty 0 15
Cat1(config-line)#access-class 23 in
Cat1(config-line)#login local
Î In order to test, enable SSH on R5 and test using the SSH client.
Username: cisco
Password:
Cat1>exit
Password:
Cat1>