Ccie Config Lab by ALOZIE CHARLES


Transcript of Ccie Config Lab by ALOZIE CHARLES

  • 8/18/2019 Ccie Config Lab by ALOZIE CHARLES

    1/208

    Practice Lab 1

    The CCIE exam commences with 2 hours of troubleshooting followed by 5 1/2 hours of configuration and a final 30 minutes of additional questions. This lab consists of 100 points and has been timed to last for 8 hours of configuration and self-troubleshooting, so aim to complete the lab within this period. Then either score yourself at this point or continue until you believe you have met all the objectives. You will now be guided through the equipment requirements and pre-lab tasks in preparation for taking this practice lab.

    If you do not own six routers and four switches, consider using the equipment available and additional lab exercises and training facilities available within the CCIE R&S 360 program. You can find detailed information on the 360 program and CCIE R&S exam on the following URLs, respectively:

    https://learningnetwork.cisco.com/community/learning_center/cisco_360/360-rs

    https://learningnetwork.cisco.com/community/certifications/ccie_routing_switching

    Equipment List

    You need the following hardware and software components to begin this practice lab:

    Six routers loaded with Cisco IOS Software Release 15.3T Advanced Enterprise image and the minimum interface configuration, as documented in Table 1-1

    Four 3560 switches with IOS 15.0S IP Services

    Setting Up the Lab 1

    You can use any combination of routers as long as you fulfill the requirements within the topology diagram, as shown in Figure 1-1. However, you should use the same model of routers because this can make life easier if you load configurations directly from those supplied with your own devices. If your router interface speeds do not match those used in this lab, consider


    Note

    The CCIE Assessor topology version B is used for this lab. Additional interfaces available on the Assessor that are not required for this lab were omitted from Figure 1-1. If you are not using the CCIE Assessor, use Figure 1-1 and Figure 1-4 to determine how many interfaces you need to complete your own topology.

    Note

    Notice in the initial configurations supplied that some interfaces will not have IP address preconfigured. This is because you either will not be using that interface or you need to configure this interface from default within the exercise. The initial configurations supplied should be used to preconfigure your routers and switch before the lab starts.

    If your routers have different interface speeds than those used within this book, adjust the bandwidth statements on the relevant interfaces to keep all interface speeds in line. This can ensure that you do not get unwanted behavior due to differing IGP metrics.

    Lab Topology

    This practice lab uses the topology outlined in Figure 1-1, which you must re-create with your own equipment or by simply using the CCIE Assessor.

    Switch Instructions

    Configure


    Table 1- VLAN Assignment 

    Note

    Switch 2 will be configured during the actual lab questions for

    R5 Lo0 120.100.5.1/24

    R6 Lo0 120.100.6.1/24

    SW1 Lo0 120.100.7.1/24

    SW2 Lo0 120.100.8.1/24

    SW3 Lo0 120.100.9.1/24

    SW4 Lo0 120.100.10.1/24

    Figure 1-3 IP Addressing Diagram

    Pre-Lab Tasks

    Build the lab topology as per Figure 1-1 and Figure 1-2.

    Configure the IP addresses on each router, as shown in Figure 1-3, and add the loopback addresses. Alternatively, you can load the initial configuration files supplied if your router is compatible with those used to create this exercise. R1 requires a secondary IP address on its Gigabit Ethernet 0/1 interface for this lab; you can find details on the accompanying initial configuration for R1.

    General Guidelines

    Read the whole lab before you start.

    Do not configure any static/default routes unless otherwise specified.

    Ensure full IP visibility between routers for ping testing/Telnet access to your devices (except for the switch loopback addresses, which will not be visible to the majority of your network because of the configuration tasks).

    If you find yourself running out of time, choose questions that you are confident you can answer; failing this, choose questions with a higher point rating to maximize your potential score.

    Get into a comfortable and quiet environment where you can focus for the next 8 hours.

    Take a 30-minute break midway through the exercise.

    Have available a Cisco documentation CD-ROM or access online the latest documentation from http://www.cisco.com/cisco/web/psa/configure.html. Note that access to this URL is likely to be restricted within the real exam.

    Note

    Access only this URL, not the whole Cisco.com website (because if you are permitted to use documentation during your CCIE lab exam, it will be restricted). To save time during your lab exam, consider opening several windows with the pages you are likely to look at.

    Practice Lab One

    You will now answer questions in relation to the network topology, as shown in Figure 1-4.

    Figure 1-4 Network Topology for Practice Lab One

    Section 1: LAN Switching (25 Points)

    Configure your switches as a collapsed backbone network with Switches 1 and 2 performing core and distribution functionality and Switches 3 and 4 as access switches in your topology. Switches 3 and 4 should connect only to the core switches. (2 points)

    Switch 1 and 2 should run spanning tree in 802.1w mode; Switches 3 and 4 should operate in their default spanning-tree mode. (2 points)

    Configure Switch 1 to be the root bridge and Switch 2 the secondary root bridge for

    Ensure that user interfaces, should they toggle excessively, are shut down dynamically by all switches; if they remain stable for 35 seconds, they should be reenabled. Configure Fast Ethernet Port 0/10 on each switch so that if multicast traffic is received on this port the port is automatically disabled. (2 points)

    Fast Ethernet Ports 0/11–17 will be used for future connectivity on each switch. Configure these ports as access ports for

    For additional security, ensure that the user ports on Switches 1–4 and 11–17 can communicate only with the network with IP addresses gained from the DHCP feature configured previously. Use a dynamic feature to ensure that the only information forwarded upon connection is DHCP request packets, and then, for additional security, any traffic that matches the DHCP IP information received from the DHCP binding. (3 points)

    R5 and R6 have been preconfigured with IP addresses on their Ethernet interfaces. Configure R4 and its associated switch port accordingly without using secondary addressing to communicate with R5 and R6. Configure R4 with an IP address of 120.100.45.4/24 to communicate with R5, and configure R4 with an IP address of 120.100.46.4/24 to communicate with R6. Configure R4 Gi0/1 and Switch 2 FE0/4 only. (3 points)

    Section 2: IPv4 IGP Protocols (24 Points)

    Section 2.1: OSPF

    Refer to Figure 1-5.

    Use a process ID of 1; all OSPF configuration where possible should not be configured under the process ID. The loopback interfaces of Routers R1, R2, and R3 should be configured to be in Area 0. R4 should be in Area 34 and R5 in Area 5. (2 points)

    No loopback networks should be advertised as host routes. (1 point)

    Ensure that R1 does not advertise the preconfigured secondary address under interface Gigabit 0/1 of 120.100.100.1/24 to the OSPF network. Do not use any filtering techniques to achieve this. (2 points)

    R5 should use the serial link within Area 5 for its primary communication to the OSPF network. If this network should fail either at Layer 1 or Layer 2, R5 should form a neighbor relationship with R4 under Area 5 to maintain connectivity. Your solution should be dynamic, ensuring that while the Area 5 serial link is operational there is no neighbor relationship between R4 and R5; however, the Ethernet interfaces of R4 and R5 must remain up. To confirm the operational status of the serial network, ensure that the serial interface of R5 is reachable by configuration of R5. You are permitted to define neighbor statements between R5 and R4. (4 points)

    Figure 1-5 OSPF Topology

    Section 2.2: EIGRP

    Refer to Figure 1-6.

    Configure EIGRP with an instance name of CCIE where possible using an autonomous system number of 1. The loopback interfaces of all routers and switches should be advertised within EIGRP. (2 points)

    Ensure that R4 does not install any of the EIGRP loopback routes from any of the switches into its routing table; these routes should also not be present in the OSPF network post redistribution. Do not use any route-filtering ACLs, prefix lists, or admin distance manipulation to achieve this, and perform configuration only on R4. (4 points)

    R4 will have dual equal-cost routes to from R5 and R6.

    Ensure that R4 sends traffic to this destination network to R5 instead of load sharing. If the route from R5 becomes unavailable, traffic should be sent to R6. You cannot policy route, alter the bandwidth or delay statements on R4's interfaces, or use an offset list. Perform your configuration on R4 only. Your solution should be applied to all routes received from R5 and R6, as opposed to solely the route to network . EIGRP routes redistributed within the OSPF network should remain with a fixed cost of 5000 throughout the network. (3 points)

    Configure R4 to redistribute only up to five EIGRP routes and generate a system warning when the fourth route is redistributed. Do not use any access lists in your solution. (2 points)

    Section 3: BGP (14 Points)

    Refer to Figure 1-7.

    Configure iBGP peering as follows: R1-R3, R2-R3, R6-R5, SW1-R6, and SW1-R5. Use minimal configuration and use loopback interfaces for your peering. Configure eBGP peering as follows: R3-R4, R4-R6, R4-R5, and R5-R2. Use minimal configuration and use loopback interfaces for your peering with the exception of R4 to R5. (2 points)

    Use the autonomous system numbers supplied in Figure 1-7. (2 points)

    Figure 1-7 BGP Topology

    AS200 is to be used as a backup transit network for traffic between AS10 and AS300; therefore, if the serial network between R5 and R2 fails, ensure that the peering between R2 and R5 is not maintained via the Ethernet network. Do not use any ACL type restrictions or change the existing peering. (2 points)

    Configure a new loopback interface 2 on R2 of 130.100.200.1/24, and advertise this into BGP using the network command. Configure R2 in such a way that if the serial link between R2 and R5 fails, AS300 no longer receives this route. Do not use any route filtering between neighbors to achieve this. (3 points)

    Configure HSRP between R5 and R6 on

    Section 4: IPv6 (15 Points)

    Refer to Figure 1-8.

    Configure IPv6 addresses on your network as follows:

    2007C15C0101/64 – R1 Gi0/1

    2007C15C0111/64 – R1 Gi0/0

    2007C15C0112/64 – R2 FE0/0

    2007C15C0113/64 – R3 Gi0/1

    2007C15C0122/64 – R2 FE0/1

    2007C15C0142/64 – R2 S0/1

    2007C15C0145/64 – R5 S0/0/1

    2007C15C0153/64 – R3 Gi0/0

    2007C15C0154/64 – R4 Gi0/0

    2007C15C0165/64 – R5 Gi0/1

    2007C15C0166/64 – R6 Gi0/1

    Figure 1-8 IPv6 Topology

    Section 4.1: EIGRPv6

    Configure EIGRPv6 under the instance of CCIE with a primary autonomous system of 1. R1 must not form any neighbor relationship with R2 on

    Section 4.2: OSPFv3

    Configure OSPFv3 with a process ID of 1, with all OSPF interfaces assigned to Area 0. (2 points)

    The IPv6 network is deemed to be stable; therefore, reduce the number of LSAs flooded within the OSPF domain. (2 points)

    Section 4.3: Redistribution

    Redistribute EIGRPv6 routes into the OSPFv3 domain (one way). EIGRPv6 routes should have a fixed cost of 5000 associated with them within the OSPF network. (1 point)

    Ensure that the OSPFv3 network is reachable from the EIGRPv6 network by a single route of 2007/16, which should be seen within the EIGRPv6 domain. Configure R5 only to achieve this. The OSPF domain should continue to receive specific EIGRPv6 subnets. (2 points)

    Ensure that if the serial link fails between the OSPF and EIGRPv6 domain, routing is still possible between R5 and R4 over

    Section 5: QoS (8 Points)

    You are required to configure QoS on Switch 1 according to the Cisco QoS baseline model. Create a Modular QoS configuration for all user ports (Fast Ethernet 1–24) that facilitates the following requirements (3 points):

    1 All ports should trust the DSCP values received from their connecting devices.

    2 Packets received from the user ports with DSCP values of 48, 46, 34, 32, 24, 28, 16, and 10 should be re-marked to DSCP 8 (PHB CS1) in the event of traffic flowing above 5 Mbps on a per-port basis. This traffic could be a combination of any of the preceding DSCP values with any source/destination combination. Ensure a minimum burst value is configured above the 5 Mbps.

    Switch 1 will be connected to a new trusted domain in the future using interface Gigabit 0/1. DSCP value received locally on SW1 of AF43 should be mapped to AF42 when destined for the new domain. (2 points)

    Configure Cisco Modular QoS as follows on R2 for the following traffic types based on their associated per-hop behavior into classes. Incorporate these into an overall policy that should be applied to the T1 interface S0/1. Allow each class the effective bandwidth as detailed, entered as a percentage. (2 points)

    Configure R2 so that traffic can be monitored on the serial network with a view to a dynamic policy being generated in the future that trusts the DSCP value of traffic identified on this media. (1 point)

    Section 6: Security (6 Points)

    Configure R3 to identify and discard the following custom virus; the virus is characterized by the ASCII characters HastingsBeer within the payload and uses UDP Ports 11664 to 11666. The ID of the virus begins on the third character of the payload. The virus originated on

    Section 7: Multicast (4 Points)

    Configure routers R1, R2, R3, and R4 for IPv4 Multicast; configure R3 to send multicast advertisements of its own time by use of NTP sourced from interface Gig 0/0. Configure PIM sparse mode on all required interfaces. R3 should also be used to advertise its own gigabit interface IP address as an RP. R3 should also advertise the IP address you are using for the NTP advertisements that will be 224.0.1.1. Do not use the command ntp server in any configurations. Routers R1, R2, and R4 should all show a clock synchronized to that of R3. (4 points)

    IP Services (4 Points)

    Configure the following commands on router R1:

    aaa new-model

    logging buffered

    logging 16166771

    Configure a policy on router R1 so that if a user tries to remove services or disable logging via the CLI that a syslog message of UNAUTHORIZED-COMMAND-ENTERED is generated. The policy should ensure that neither command is executed and should consist of a single-line command for the CLI pattern detection. The policy and CLI should run asynchronously. The policy should also generate an email from the router to a mail server residing on IP address 120.100..2 (to security@lab-exam.net from eem@lab-exam.net subject "User-Issue" with the message body consisting of details of who was logged on the time either of the commands were entered). (4 points)

    "Ask the Proctor"

    Note

    This section should be used only if you require clues to complete the questions. In the actual CCIE lab, the proctor will not enter into any discussions about the questions or answers. He or she will be present to ensure that you do not have problems with the lab environment and to maintain the timing element of the exam.

    Section 1: LAN Switching

    Q: Do you want me to configure the collapsed backbone network by manipulating spanning tree to ensure that Switch 1 and Switch 2 are the cores for each

    A: No, spanning tree must remain in operation.

    Q: Can I configure a MAC address type access list to block all multicast at Layer 2?

    A: No, this wouldn't disable the port if multicast traffic was present on it; look for a dynamic solution that does not require an ACL.

    Q: Can I configure the switchport block multicast command?

    A: No, this would block the traffic but wouldn't disable the port.

    Q: Would you like me to

    A: No, use an OSPF feature to disable the advertisement of this secondary address.

    Q: I've attempted to form a neighbor relationship with R4 from R5 using a backup interface. Is this okay?

    A: No, the question states that your solution should cater for either Layer 1 or Layer 2 failures and that the Ethernet should remain up. Backup interfaces would be fine for a Layer 1 failure but not for a Layer 2 type issue if you had problems with PPP that caused neighbor failures over the serial network. This feature would also ensure that the Ethernet network would be down until the backup interface is activated.

    Q: How about an OSPF demand circuit between R4 and R5?

    A: No, this would involve a neighbor relationship being maintained. You need to allow the neighbor relationship to be formed only if a failure condition occurs.

    Q: Can I use BFD between R4 and R5?

    A: No, this might aid in failure detection, but it does not meet the objectives of the question.

    Q: To confirm the operation status of R5's serial interface, can I just ping it?

    A: You can use ICMP, but you need to ensure that your solution is dynamic.

    Q: If I use IP SLA to automatically ping R5 to check the status, is this okay?

    A: Yes.

    Q: Okay, I have IP SLA running, but I'm stuck. Is this anything to do with tracking the response to the ping?

    A: Yes.

    Q: How about if I use policy routing with the next hop based on the tracking status?

    A: This is fine; just remember that this traffic will be based locally on the router when applying any policies.

    Q: I've worked out how to do this and managed to get a neighbor up when the serial network fails, but my OSPF connectivity is still not perfect through the Ethernet. Is this normal?

    A: Not if you have configured correctly. Take a look at your topology and areas. Something might have changed when R5 connects over the Ethernet.

    Section 2.2: EIGRP

    Q: I can't configure my switches with an EIGRP instance name. Is the legacy method with just an autonomous system acceptable for the switches?

    A: Yes, this is fine and in accordance with the question.

    Q: If I advertise my loopbacks into EIGRP, won't that mean that R4 and R5 will have their loopbacks advertised by both OSPF and EIGRP?

    A: Yes, this is fine and in accordance with the question.

    Q: To stop R4 from receiving the switch loopbacks, can I stop advertising them from the switches?

    A: No, you should use a feature on R4 to block them.

    Q: Can I use a neighbor prefix list to block the loopbacks?

    A: No, you cannot use any type of ACLs or prefix lists.

    Q: I've noticed when I look at the specific loopback routes that they have a hop count associated with them. It's unusual to associate hop counts with EIGRP, but can I block routes based on their hop count?

    A: Yes.

    Q: If I can't change the bandwidth and delay on R4, can I use a route map to manipulate the EIGRP K values associated on a per-neighbor basis?

    A: Yes.

    Section 2.3: Redistribution

    Q: Do you require a distribute list to block the switch loopbacks from entering the OSPF domain?

    A: No, you should have blocked these from entering your IP routing table within R4 previously, so additional blocking would not be required.

    Q: I have only one redistribution point, and there is no benefit in creating filtering to protect against potential routing loops between protocols. Is this acceptable?

    A: Yes, in this scenario, this would be superfluous.

    Q: Can I use a route map to enable five specific EIGRP routes to be redistributed into OSPF?

    A: No, the question doesn't guide you to redistribute specific routes. Use a more general method of allowing a specific number of routes.

    Section 3: BGP

    Q: Is it okay to disable autosynchronization in BGP?

    A: You need to determine whether you need this feature on or off. Remember that you should have synchronization on only when you are fully redistributing between BGP and your IGP.

    Q: Do you want me to configure eBGP multihop but limit it to a value of 2 on R3 for a TTL security check?

    A: There is a specific security configuration feature within BGP to perform the TTL check.

    Q: If I use the TTL security hops with a value of 2, is this all you are looking for?

    A: You must ensure that your peering still works effectively between R3 and R4 when you have configured this feature.

    Q: I find that when the serial network fails, my neighbor relationship is still maintained between R2 and R5. This is because the loopback routes are still available over the alternative path through the network. Can I block my loopbacks or policy route at some point to effectively break the peering?

    A: You do need to effectively break the peering, but there is a much simpler method of achieving this that still maintains unaltered communication between R2 and R5. Think about what you need to configure when you have EBGP peers.

    Q: I might have been a little generous with my original multihop value between R2 and R5. If I reduce this to a TTL of 2, I can break the peering. Is this okay?

    A: Yes.

    Q: I think I can stop the loopback on R2 being advertised by using the community value of no-export, but if I enable this to R2, it wouldn't make it to R5 even when the serial network is working?

    A: Correct, it wouldn't be advertised to R5 AS300 from R2. Just think about whether R2 is the best place to send the community to originally.

    Q: For the HSRP question, is this some form of conditional advertising?

    A: No, the clue is in the question; just find a way of tracking the BGP route and manipulate the HSRP process.

    Q: If I enable IP SLA to track a route in the routing table, can I use this to control HSRP?

    A: Yes.

    Q: You haven't told me what address I should use for HSRP. Is it okay to use the first address in the subnet?

    A: Yes.

    Q: I have configured my two new loopbacks. Can I use two route maps inbound from R1 and R2 both pointing to different ACLs so that each route map calls only one ACL?

    A: No, you still have two ACLs.

    Q: Can I set community values on the routes and match on these using a single ACL?

    A: No, you are instructed to use an ACL; your solution would require additional configuration.

    Q: Can I use a prefix list to achieve this?

    A: No, you are instructed to use an ACL.

    Q: So, I need an ACL with a mask suitable for both ranges?

    A: Not necessarily. You would need to match only one requirement on the permit functionality; the other could be met by deny.

    Section 4: IPv6

    Q: Should I use the eui-64 address format when configuring my addresses?

    A: No, if these were required, the question would have instructed you to use them.

    Q: Can I form an EIGRPv6 neighbor relationship between R1 and R3 and also R3 and R2?

    A: Yes.

    Q: Can I use different autonomous systems and then redistribute at R3?

    A: Yes.

    Q: You are not requesting mutual redistribution between EIGRPv6 and OSPFv3. How will my EIGRPv6 domain communicate with the OSPFv3 domain?

    A: This issue is addressed in the following task.

    Q: If I can't use EIGRPv6 directly on

    A: No, this should be completed as part of your policy.

    Q: You haven't indicated what the minimum burst size should be; is this correct?

    A: Yes, just use the available limits within the command options.

    Q: I believe I can use a DSCP mutation map to convert the DSCP values for the future, but the command won't take the values AF43 and AF42.

    A: No, it won't because these are Assured Forwarding values. You need to convert these to DSCP values. Search your documentation CD or available Cisco.com pages.

    Q: I am trying to assign bandwidth within my class with the speeds supplied, but I can see only a percentage option. Is this correct?

    A: Yes, you must do some math. You are supplied with the information you require and just need to remember how fast a T1 line is.

    Section 6: Security

    Q: Can I use a route map and ACLs to identify the traffic by port number?

    A: No, this would identify the UDP traffic but not the virus payload as per the question. Investigate the options open to you with NBAR.

    Q: Can I policy route traffic destined to the infected host to null0?

    A: No, you must use a BGP-related feature.

    Q: A static route for 12.0.2.0/24 won't have any bearing on traffic destined to the infected host. Why is this relevant?

    A: Think about the way BGP works. It's the only routing protocol where you don't need to be directly connected to form a neighbor relationship; therefore, you transport next-hop information with your updates.

    Q: I have configured CoPP on R6 and seem to have lost all my routes. Is this expected behavior? Do you want me to fix this as part of the CoPP question?

    A: If you have lost your routes, think about why this has happened. Yes, provide a fix; otherwise, you would lose points in other sections.

    Section 7: Multicast

    Q: If I can't configure ntp server on R1, R2, and R4, there won't be a way I can get these routers to peer with R3. Is this correct?

    A: Yes, you don't need to specifically peer with R3 as the server. However, you should aim to receive the NTP stream that R3 should be configured to multicast.

    Q: Do you want me to create and announce the group 224.0.1.1 on R3?

    A: Yes.

    Section 8: IP Services

    Q: Based on the email address, I guess this is an EEM question?

    A: Correct.

    Q: Do you need me to set up a route to 120.100..0/24?

    A: No.

    Q: I can't get both commands onto a single CLI pattern event. Is it okay to configure two?

    A: No, you are directed to configure a single CLI pattern event command that will pick up either command.

    Lab Debrief

    This section analyzes each question, showing you what was required and how to achieve the desired results. You should use this section to produce an overall score for this practice lab.

    Section 1: LAN Switching (25 Points)

    Configure your switches as a collapsed backbone network with Switches 1 and 2 performing core and distribution functionality and Switches 3 and 4 as access switches in your topology. Switches 3 and 4 should connect to only the core switches. (2 points)

    This is a simple start to the exercise. The switches are fully meshed to begin with. To create a collapsed backbone topology, the core switches should be connected together, and each access switch should be dual-homed to the core switches. The only switches that should not connect directly to each other are the access switches (SW3 and SW4). By shutting down the interfaces between SW3 and SW4, you create the required topology. If you have configured this correctly, as shown in Example 1-1, you have scored 2 points. Even though the resulting topology is not looped at this stage, you can verify root bridge assignment by using the show spanning-tree root command.

    Example 1-1 SW3 and SW4 Configuration

    802.1w is Rapid Spanning Tree, which is backward compatible with the switches' default =6. So, if you configure Switches 1 and 2 into Rapid Spanning Tree mode, spanning tree can still operate effectively with Switches 3 and 4. If you have configured this correctly, as shown in Example 1-2, you have earned another 2 points.

    Example 1-2 SW1 and SW2 Configuration

    Make sure that you fully use the available bandwidth between switches by grouping your interswitch links as trunks. Ensure that only dot1q and EtherChannel are supported. (3 points)

    This is another straightforward question for all switches to create EtherChannels between devices. Using the command channel-group n mode on under the physical interfaces ensures that only EtherChannel is supported, as opposed to Port Aggregation Protocol (PAgP) or Link Aggregation Control Protocol (LACP), and dot1q is the trunking protocol. For Layer 2 EtherChannels, you do not have to create a port-channel interface first by using the interface port-channel configuration command before assigning a physical port to a channel group. You can use the channel-group interface configuration command that automatically creates the port-channel interface, although a manual port channel configuration has been shown here for clarity. Remember that now that you have EtherChannels between switches, you will need to configure root guard on these interfaces to ensure that Switches 3 and 4 cannot become root bridges. This is over and above the physical interface configuration completed previously. If you have configured this correctly, as shown in Example 1-4, you have scored 3 points.
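An offline check of the three points in the paragraph above, as an added example that is not part of the original lab text: it reads running-config text and flags channel members that negotiate with PAgP/LACP instead of `mode on`, port-channels that are not dot1q trunks, and port-channels missing root guard. The sample configuration, the function names and the `root_guard_on` parameter are constructed for illustration.

```python
import re

# Constructed sample in the style of a Catalyst running-config (not lab output).
# Po1 is compliant; Po2 has one member negotiating with LACP and no root guard.
SAMPLE_CONFIG = """\
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree guard root
!
interface Port-channel2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/19
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
interface FastEthernet0/20
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
interface FastEthernet0/21
 channel-group 2 mode active
!
interface FastEthernet0/22
 channel-group 2 mode on
!
"""

REQUIRED_TRUNK_LINES = (
    "switchport trunk encapsulation dot1q",
    "switchport mode trunk",
)
ROOT_GUARD_LINE = "spanning-tree guard root"
CHANNEL_RE = re.compile(r"^channel-group\s+(\d+)\s+mode\s+(\S+)$")


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        header = re.match(r"^interface\s+(\S+)\s*$", raw)
        if header:
            current = header.group(1)
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            # Indented line: a sub-command of the current interface stanza.
            interfaces[current].append(" ".join(raw.split()))
        else:
            current = None  # "!" separator or a global command ends the stanza
    return interfaces


def audit_etherchannels(config, root_guard_on=()):
    """Return a list of (interface, problem) tuples; empty means compliant.

    root_guard_on (assumption of this example): names of the port-channels
    that face the access switches and must therefore carry root guard.
    """
    interfaces = parse_interfaces(config)
    findings, groups = [], set()
    for name, lines in interfaces.items():
        for line in lines:
            member = CHANNEL_RE.match(line)
            if member is None:
                continue
            group, mode = member.groups()
            groups.add(int(group))
            if mode != "on":  # active/passive = LACP, desirable/auto = PAgP
                findings.append((name, "negotiated-mode:" + mode))
    for group in sorted(groups):
        po = "Port-channel%d" % group
        if po not in interfaces:
            findings.append((po, "missing:interface"))
            continue
        for required in REQUIRED_TRUNK_LINES:
            if required not in interfaces[po]:
                findings.append((po, "missing:" + required))
        if po in root_guard_on and ROOT_GUARD_LINE not in interfaces[po]:
            findings.append((po, "missing:" + ROOT_GUARD_LINE))
    return findings


if __name__ == "__main__":
    downlinks = ("Port-channel1", "Port-channel2")
    for interface, problem in audit_etherchannels(SAMPLE_CONFIG, downlinks):
        print(interface, problem)
```
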

    Example 1-4 Switch 1, 2, 3, and 4 EtherChannel Configuration

    SW2(config-if)# switchport trunk encapsulation dot1q
    SW2(config-if)# switchport mode trunk
    SW2(config-if)# interface Port-channel3
    SW2(config-if)# switchport trunk encapsulation dot1q
    SW2(config-if)# switchport mode trunk

    SW3(config-if)# interface range fastethernet0/19-20
    SW3(config-if)# channel-group 1 mode on
    SW3(config-if)# interface range fastethernet0/21-22
    SW3(config-if)# channel-group 2 mode on
    SW3(config-if)# interface Port-channel1
    SW3(config-if)# switchport trunk encapsulation dot1q
    SW3(config-if)# switchport mode trunk
    SW3(config-if)# interface Port-channel2
    SW3(config-if)# switchport trunk encapsulation dot1q
    SW3(config-if)# switchport mode trunk

    SW4(config-if)# interface range fastethernet0/19-20
    SW4(config-if)# channel-group 1 mode on
    SW4(config-if)# interface range fastethernet0/21-22
    SW4(config-if)# channel-group 2 mode on
    SW4(config-if)# interface Port-channel1
    SW4(config-if)# switchport trunk encapsulation dot1q
    SW4(config-if)# switchport mode trunk
    SW4(config-if)# interface Port-channel2
    SW4(config-if)# switchport trunk encapsulation dot1q
    SW4(config-if)# switchport mode trunk

    SW1# show interfaces port-channel 1 status

    Port      Name               Status       Vlan       Duplex  Speed Type
    Po1                          connected    trunk      a-full  a-100
    SW1# show interfaces port-channel 2 status

    Port      Name               Status       Vlan       Duplex  Speed Type
    Po2                          connected    trunk      a-full  a-100
    SW1# show interfaces port-channel 3 status

    Port      Name               Status       Vlan       Duplex  Speed Type
    Po3                          connected    trunk      a-full  a-100

    SW1# show etherchannel summary
    Number of channel-groups in use: 3
    Number of aggregators:           3

    Group  Port-channel  Protocol    Ports
    -----------------------------------------------------------------------------
    1      Po1(SU)          -        Fa0/19(P)   Fa0/20(P)
    2      Po2(SU)          -        Fa0/21(P)   Fa0/22(P)


    3      Po3(SU)          -        Fa0/23(P)   Fa0/24(P)

    SW2# show interfaces port-channel 1 status

    Port      Name               Status       Vlan       Duplex  Speed Type
    Po1                          connected    trunk      a-full  a-100
    SW2# show interfaces port-channel 2 status

    Port      Name               Status       Vlan       Duplex  Speed Type
    Po2                          connected    trunk      a-full  a-100
    SW2# show interfaces port-channel 3 status

    Port      Name               Status       Vlan       Duplex  Speed Type
    Po3                          connected    trunk      a-full  a-100

    SW2# show etherchannel summary
    Number of channel-groups in use: 3
    Number of aggregators:           3

    Group  Port-channel  Protocol    Ports
    -----------------------------------------------------------------------------
    1      Po1(SU)          -        Fa0/19(P)   Fa0/20(P)
    2      Po2(SU)          -        Fa0/21(P)   Fa0/22(P)
    3      Po3(SU)          -        Fa0/23(P)   Fa0/24(P)

    SW3# show interface port-channel 1 status

    Port      Name               Status       Vlan       Duplex  Speed Type
    Po1                          connected    trunk      a-full  a-100
    SW3# show interface port-channel 2 status

    Port      Name               Status       Vlan       Duplex  Speed Type
    Po2                          connected    trunk      a-full  a-100

    SW3# show etherchannel summary
    Number of channel-groups in use: 2
    Number of aggregators:           2

    Group  Port-channel  Protocol    Ports
    -----------------------------------------------------------------------------
    1      Po1(SU)          -        Fa0/19(P)   Fa0/20(P)
    2      Po2(SU)          -        Fa0/21(P)   Fa0/22(P)

    SW4# show interface port-channel 1 status

    Port      Name               Status       Vlan       Duplex  Speed Type
    Po1                          connected    trunk      a-full  a-100
    SW4# show interface port-channel 2 status

    Port      Name               Status       Vlan       Duplex  Speed Type


    Po2                          connected    trunk      a-full  a-100

    SW4# show etherchannel summary
    Number of channel-groups in use: 2
    Number of aggregators:           2

    Group  Port-channel  Protocol    Ports
    -----------------------------------------------------------------------------
    1      Po1(SU)          -        Fa0/19(P)   Fa0/20(P)
    2      Po2(SU)          -        Fa0/21(P)   Fa0/22(P)

    Ensure that traffic is distributed on individual Ethernet trunks between switches based on the destination MAC address of individual flows. (2 points)

    A common problem with EtherChannels is traffic not being distributed equally among the physical interfaces. Configuring channel load balancing based on the destination MAC address of an individual flow is just one method available to distribute traffic. If you have configured this correctly, as shown in Example 1-5, you have scored 2 points.

    Example 1-5 Switch 1, 2, 3, and 4 EtherChannel Load-Balancing Configuration

    or faulty cable. Placing the ports into error disable is a way to stabilize the environment. To disable a port when multicast traffic is present, you need to configure storm control with the multicast option set to 0. If you have configured this correctly, as shown in Example 1-6, you have scored 3 points.


    Example 1-6 Switch 1, 2, 3, and 4 Configuration

    This is a Dynamic Host Configuration Protocol (DHCP) snooping question. This is a useful security feature that protects the network from rogue DHCP servers. When the DHCP option-82 feature is enabled on the switch with the command ip dhcp snooping information option, a subscriber is identified by the switch port through which it connects to the network and by its MAC address. DHCP snooping also facilitates a rate-limiting feature for DHCP requests to prevent a DHCP denial of service by excessive false requests from a host, which would have the "gobbler effect" of requesting numerous leases from the same port. The question includes a couple of points that could easily be overlooked if you are suffering from exam pressure, namely that the ports are required to be configured with switchport host (or by configuring portfast) to set the port mode to access and to forward immediately. The rate limiting is configured in packets per second, not per minute as implied, so you need to pay attention to detail. If you have configured this correctly, as shown in Example 1-7, you have scored 6 points.

    Example 1-7 Switch 1, 2, 3, and 4 DHCP Snooping Configuration


    ------------------------    -------    ----------------
    fastethernet0/11            no         10
    fastethernet0/12            no         10
    fastethernet0/13            no         10
    fastethernet0/14            no         10
    fastethernet0/15            no         10
    fastethernet0/16            no         10
    fastethernet0/17            no         10
    fastethernet0/18            yes        unlimited
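    The snooping rules described above, modelled in Python as an added example (not part of the original lab; the class and method names are assumptions): untrusted ports drop server messages, the limit is counted per second, and a binding is recorded only when the trusted port delivers the lease. Port numbers and the limit of 10 follow the table above; the MAC and IP values are constructed.

```python
from collections import defaultdict

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}  # only a DHCP server originates these


class SnoopingSwitch:
    """Toy model of DHCP snooping on one access switch (assumed names, not IOS code)."""

    def __init__(self, untrusted, trusted, limit_pps):
        self.untrusted = set(untrusted)
        self.trusted = set(trusted)
        self.limit_pps = limit_pps          # DHCP packets per second on untrusted ports
        self.err_disabled = set()
        self.counters = defaultdict(int)    # (port, second) -> DHCP packets seen
        self.client_port = {}               # client MAC -> untrusted port it uses
        self.bindings = {}                  # port -> (client MAC, leased IP)

    def dhcp(self, port, second, msg, mac, ip=None):
        """Return the verdict for one DHCP packet received on `port`."""
        if port in self.err_disabled:
            return "drop: port err-disabled"
        if port in self.trusted:
            # A lease acknowledged through the trusted port creates the binding.
            if msg == "ACK" and mac in self.client_port:
                self.bindings[self.client_port[mac]] = (mac, ip)
            return "forward"
        self.counters[(port, second)] += 1
        if self.counters[(port, second)] > self.limit_pps:
            self.err_disabled.add(port)     # the window is one second, not one minute
            return "drop: rate exceeded, port err-disabled"
        if msg in SERVER_MESSAGES:
            return "drop: server message on untrusted port"
        self.client_port[mac] = port
        return "forward"

    def source_guard_permits(self, port, src_ip):
        """Binding check for data traffic: the source IP must match the port's lease."""
        binding = self.bindings.get(port)
        return binding is not None and binding[1] == src_ip


def lab_switch():
    # Fa0/11-17 untrusted at 10 pps, Fa0/18 trusted and unlimited (from the table above).
    return SnoopingSwitch([f"Fa0/{n}" for n in range(11, 18)], ["Fa0/18"], 10)


def run_scenarios():
    """Constructed traffic: a rogue server, a normal lease, and a request burst."""
    sw = lab_switch()
    out = {}
    out["rogue_offer"] = sw.dhcp("Fa0/11", 0, "OFFER", "de:ad", "10.9.9.9")
    out["discover"] = sw.dhcp("Fa0/12", 0, "DISCOVER", "00:aa")
    out["ack"] = sw.dhcp("Fa0/18", 0, "ACK", "00:aa", "192.0.2.10")
    out["bound_ip"] = sw.source_guard_permits("Fa0/12", "192.0.2.10")
    out["other_ip"] = sw.source_guard_permits("Fa0/12", "192.0.2.99")
    out["no_binding"] = sw.source_guard_permits("Fa0/13", "192.0.2.10")
    # Eleven requests inside one second on Fa0/14: the eleventh trips the limit.
    burst = [sw.dhcp("Fa0/14", 5, "DISCOVER", f"02:00:{i:02x}") for i in range(11)]
    out["burst_forwarded"] = burst.count("forward")
    out["burst_last"] = burst[-1]
    out["after_burst"] = sw.dhcp("Fa0/14", 6, "DISCOVER", "02:00:ff")
    return out


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:16} {verdict}")
```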

    For additional security ensure that the user ports on Switches 1-4 and 11-17 can communicate only with the network with IP addresses gained from the DHCP feature configured previously. Use a dynamic feature to ensure that the only information forwarded upon connection is DHCP request packets and then, for additional security, any traffic that matches the DHCP IP information received from the DHCP binding. (3 points)

    A complementary feature to DHCP snooping is IP Source Guard. This feature binds the information received from the DHCP address offered and effectively builds a dynamic

    This is just a simple trunking question on Switch 2 to R4 to enable R4 to connect to


    before configuring the trunk. If you have configured this correctly, as shown in Example 1-9, you have scored 3 points.

    Example 1-9 Switch 2 and R4 Trunking Configuration

    configuration.

    Example 1-10 OSPF Configuration


    R2(config-if)# ip ospf 1 area 5
    R2(config-if)# interface fastethernet 0/1
    R2(config-if)# ip ospf 1 area 200

    R3(config)# interface loopback 0
    R3(config-if)# ip ospf 1 area 0
    R3(config-if)# interface GigabitEthernet 0/1
    R3(config-if)# ip ospf 1 area 0
    R3(config-if)# interface GigabitEthernet 0/0
    R3(config-if)# ip ospf 1 area 34

    R4(config)# interface Loopback 0
    R4(config-if)# ip ospf 1 area 34
    R4(config-if)# interface GigabitEthernet 0/0
    R4(config-if)# ip ospf 1 area 34
    R4(config-if)# interface GigabitEthernet 0/1.45
    R4(config-if)# ip ospf 1 area 5

    R1/32 [110/6100.2100.4.1/32 [110/66] via 120.100.123.3, 00:00:42, Serial0/0
    120.100.1.1/32 [110/12] via 120.100.123.3, 00:01:00, Serial0/0

    120.100.3.1/32 [110/6100.123.3, 00:01:00, Serial0/0

    R2# sh ip route | include /32/ 120.100.2
    GigabitEthernet0/1
    120.100.3.1/32 [110/2] via 120.100.123.3, 00:49:20, GigabitEthernet0/1

    R1# conf t
    R1(config)# int Loopback 0
    R1(config-if)# ip ospf network point-to-point

    R2# conf t
    R2(config)# interface Loopback 0
    R2(config-if)# ip ospf network point-to-point

    R3# conf t
    R3(config)# int Loopback 0
    R3(config-if)# ip ospf network point-to-point

    R4# conf t
    R4(config)# int Loopback 0
    R4(config-if)# ip ospf network point-to-point

    R100.4.0/24 [110/3] via 120.100.123.3, 01:42:09, fastethernet0/0
    120.100.5.0/24 [110/6100.2100.1.0/24 [110/2] via 120.100.123.1, 01:43:00, fastethernet0/0
    120.100.3.0/24 [110/2] via 120.100.123.3, 01:42:26, fastethernet0/0

    120.100.45.0/24 [110/6100.2100.34.0/24 [110/2] via 120.100.123.3, 01:43:00, fastethernet0/0
    O IA 120.100.100.0/24 [110/2] via 120.100.123.1, 00:00:04, fastethernet0/0

    Ensure that R1 does not advertise the preconfigured secondary address under interface Gigabit 0/1 of 120.100.100.1/24 to the OSPF network. Do not use any filtering techniques to achieve this. (2 points)

    The associated behavior with configuring OSPF directly under the interface is that it will by default advertise any secondary addresses assigned to the interface. R1 has a preconfigured secondary address on interface Gigabit 0/1 that is therefore advertised. Because you cannot filter this advertisement, you need to inform OSPF not to include the secondary addresses under the interface command. If you have configured this correctly, as shown in Example 1-12, you have scored 2 points.


    Example 1-12 OSPF Secondary Address Advertisement and Configuration

    1.1/24, Area 100
      Process ID 1, Router ID 120.100.1.1, Network Type BROADCAST, Cost: 1
      Enabled by interface config, including secondary ip addresses
      Transmit Delay is 1 sec, State DR, Priority 1
      Designated Router (ID) 120.100.1.1, Interface address 150.100.1.1
      No backup designated router on this network
      Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
        oob-resync timeout 40
        Hello due in 00:00:00
      Supports Link-local Signaling (LLS)
      Cisco NSF helper support enabled
      IETF NSF helper support enabled
      Index 1/1, flood queue length 0
      Next 0x0(0)/0x0(0)
      Last flood scan length is 0, maximum is 0
      Last flood scan time is 0 msec, maximum is 0 msec
      Neighbor Count is 0, Adjacent neighbor count is 0
      Suppress hello for 0 neighbor(s)

    R1(config)# interface GigabitEthernet 0/1
    R1(config-if)# ip ospf 1 area 100 secondaries none

    R2# sh ip route 120.100.100.0
    % Subnet not in table

    R5 should use the serial link within Area 5 for its primary communication to the OSPF network. If this network should fail either at Layer 1 or Layer 2, R5 should form a neighbor relationship with R4 under Area 5 to maintain connectivity. Your solution should be dynamic, ensuring that while the Area 5 serial link is operational, there is no neighbor relationship between R4 and R5; however, the Ethernet interfaces of R4 and R5 must remain up. To confirm the operational status of the serial network, ensure that the serial interface of R5 is reachable by configuration of R5. You are permitted to define neighbor statements between R5 and R4. (4 points)

    This is a complex scenario that can consume your time, but all the clues are in the question, so some lateral thinking is required. You can rule out a backup interface solution because the Ethernet needs to remain up, and the solution must cater for Layer 1 and Layer 2 rather than purely Layer 1. Similarly, a demand scenario is also out because this would involve a neighbor relationship being formed. You are also requested to confirm operational status of the serial interface on R5 with your overall solution being dynamic. This would take a great deal of effort and trial and error, but you will find that you can use the IP SLA feature to monitor the IP address of the serial interface on R5 by R5 itself. If this responds to the automatic polling with Internet Control Message Protocol (ICMP), you know the serial link is up at Layers 1 and 2. If the polling fails, you know the interface is down. IP SLA can then be used to inform the router, and a forwarding decision can be manipulated; this feature is known as policy-based routing (PBR) support with multiple tracking options. This gives PBR access to all the objects that are available through the tracking process.

    The tracking process provides the ability to track individual objects, such as ICMP ping reachability, and inform the required PBR process when an object state changes. In summary, if the object status changes, R5 can simply manipulate the way it sends traffic by policy routing. The traffic it manipulates needs to be OSPF that should be directed to R4 to form the adjacency over the Ethernet network (. So, when the R5 serial link is up and running, we just need to break the adjacency between R5 and R4. When the serial link fails, we need to allow the adjacency between R5 and R4 to form. The first step in this solution is to configure the IP SLA object tracking on R5. This configuration is detailed in Example 1-13.

    Example 1-13 R5 IP SLA Configuration and Status


    R5 and R4 to form the neighbor relationship, the next hop can be modified, and because the OSPF TTL is set to 1 by default, the traffic will effectively be dropped by the next hop and the OSPF between R5 and R4 will never establish. Similarly, when the object tracking fails, the PBR process will be overridden and traffic can flow as normal. This will then allow R5 and R4 to form an OSPF adjacency. So, if you use the PBR command set ip next-hop verify-availability 120.100.25.2 10 track 1, R5 can forward normal OSPF traffic to 120.100.25.2 (R2 serial to effectively discard the traffic) if the tracked object (1) is up. If the object status changes to down, the PBR process is informed, and the OSPF traffic to 120.100.25.2 would follow the usual next hop. R5 must be configured to locally policy route traffic because normal PBR behavior is for traffic manipulation for traffic that flows through the router rather than traffic generated by the router itself. Example 1-14 shows the required OSPF configuration on R4 and R5, the PBR on R5, a debug of R2 sending TTL expired to R5 after the OSPF traffic is sent to R2 instead of R5, and the resulting neighbor partial adjacency that is formed between R4 and R5.

    Example 1-14 R4 and R5 OSPF and PBR Configuration

    44)
    R2#

    R


    Neighbor ID     Pri   State           Dead Time   Address         Interface
    120.100.2.1       0   FULL/  -        00:00:37    120.100.25.2    Serial0/0/1
    120.100.4.1       1   INIT/DROTHER    00:01:45    120.100.45.4    GigabitEthernet0/0

    Example 1-15 shows the OSPF adjacency formed when the serial link between R2 and R5 is shut down on R5. The PBR is overridden and normal routing occurs because the next hop is not verified by the object tracking. Your routing table needs to be an exact replica as that shown in Example 1-15. You must remember that when an OSPF adjacency forms between R5 and R2, you are joining Area 5 into Area 34, and a virtual link between R3 and R4 is required to extend area 0. If you had not configured a virtual link, it would have been an easy mistake that would take your points away. (This was a difficult question, but a good one to practice with and examine how features operate and interact with each other; you might have been scratching your head or cursing me, but I'd be surprised if you didn't learn something new from this question.) If you configured this correctly, including the virtual link, you have scored 4 points (definitely a question worth leaving to the end of your exam when you might have some time left over to experiment).

    Example 1-15 R3 and R4 OSPF Virtual Link Configuration and R5 Test

    1 on Serial0/0/1 from FULL to DOWN, Neighbor Down: Interface down or detached
    *Jan 2 21:
    R0.0.0 on GigabitEthernet0/0 from ATTEMPT to DOWN, Neighbor Down: Dead timer expired
    R13100.4.1 on GigabitEthernet0/0 from LOADING to FULL, Loading Done
    R0/24 is subnetted, 2 subnets
    O IA 150.100.2.0 [110/4] via 120.100.45.4, 00:00:12, GigabitEthernet0/0
         120.0.0.0/24 is subnetted, 9 subnets
    O IA 120.100.4.0 [110/2] via 120.100.45.4, 00:04:49, GigabitEthernet0/0
    O IA 120.100.1.0 [110/4] via 120.100.45.4, 00:00:12, GigabitEthernet0/0
    O IA 120.100.2.0 [110/4] via 120.100.45.4, 00:00:12, GigabitEthernet0/0
    O IA 120.100.3.0 [110/3] via 120.100.45.4, 00:00:12, GigabitEthernet0/0
    O IA 120.100.34.0 [110/2] via 120.100.45.4, 00:04:49, GigabitEthernet0/0
    O IA 120.100.123.0 [110/3] via 120.100.45.4, 00:00:12, GigabitEthernet0/0
    O IA 120.100.100.0 [110/4] via 120.100.45.4, 00:00:12, GigabitEthernet0/0

    Section : EIGRP

    Configure EIGRP with an instance name of CCIE where possible using an autonomous system number of 1. The loopback interfaces of all routers and switches should be advertised within EIGRP. (2 points)

    This is not a difficult question by any means, just one that has a magnitude of configuration and sets up your Enhanced Interior Gateway Routing Protocol (EIGRP) network using the named instance and address family IPv4 for the following questions. You need to remember to include your preconfigured loopback interfaces and enable routing on the Layer 3 switches. Use the show ip eigrp neighbor command to verify your peering before moving on to the next question. If you have configured this correctly, as shown in Example 1-16, you have scored 2 points.

    Example 1-16 EIGRP Configuration


    R7.1 0.0.0.0
     network 150.100.3.7 0.0.0.0
     no auto-summary

    SW2(config)# ip routing
    SW2(config)# exit
    SW2# sh run | beg eigrp
    router eigrp 1
     network 120.100.8.1 0.0.0.0
     network 150.100.3.8 0.0.0.0
     no auto-summary

    SW3(config)# ip routing
    SW3(config)# exit
    SW3# sh run | beg eigrp
    router eigrp 1
     network 120.100.9.1 0.0.0.0
     network 150.100.3.9 0.0.0.0
     no auto-summary

    SW4(config)# ip routing
    SW4(config)# exit
    SW4# sh run | beg eigrp
    router eigrp 1
     network 120.100.10.1 0.0.0.0
     network 150.100.3.10 0.0.0.0
     no auto-summary

    Ensure that R4 does not install any of the EIGRP loopback routes from any of the switches into its routing table; these routes should also not be present in the OSPF network post redistribution. Do not use any route-filtering ACLs, prefix lists, or admin distance manipulation to achieve this, and perform configuration only on R4. (4 points)

    A distribute or prefix list would have been the obvious choice here, but this is not permitted. Upon close inspection of the loopback routes within Example 1-17, you will notice that the routes have a hop count of 2 associated with them. Hop count isn't something you would naturally associate with EIGRP, but you can configure the process to ignore routes received with a hop count larger than a configured threshold with the command metric maximum-hops. By configuring the maximum hop count of 1 on R4, you can simply stop the loopback routes from entering the process. If you have configured this correctly, as shown in Example 1-17, you have scored 4 points.

    Example 1-17 EIGRP Maximum-Hops Configuration

    0.0/24 is subnetted, 3 subnets
    D 150.100.3.0 [90/30720] via 120.100.46.6, 00:00:10, GigabitEthernet0/1.46
                  [90/30720] via 120.100.445
      120.0.0.0/8 is variably subnetted, 16 subnets, 2 masks
    D 120.100.8.0/24 [90/1100.46.6, 00:00:10, GigabitEthernet0/1.46
                     [90/1100.445
    D 120.100.9.0/24 [90/1100.46.6, 00:00:10, GigabitEthernet0/1.46
                     [90/1100.445
    D 120.100.10.0/24 [90/1100.46.6, 00:01:07, GigabitEthernet0/1.46
                      [90/1100.445
    D 120.100.5.0/24 [90/1100.445
    D 120.100.6.0/24 [90/1100.46.6, 00:00:10, GigabitEthernet0/1.46
    D 120.100.7.0/24 [90/1100.46.6, 00:00:10, GigabitEthernet0/1.46
                     [90/1100.445

    R4# show ip route 120.100.8.0
    Routing entry for 120.100.8.0/24
      Known via "eigrp 1", distance 90, metric 146.6 on GigabitEthernet0/1.46, 00:00:15 ago
      Routing Descriptor Blocks:
      * 120.100.46.6, from 120.100.46.6, 00:00:15 ago, via GigabitEthernet0/1.46
          Route metric is 16 on GigabitEthernet0/1.46, 00:00:25 ago
      Routing Descriptor Blocks:
      * 120.100.46.6, from 120.100.46.6, 00:00:25 ago, via GigabitEthernet0/1.46
          Route metric is 1100.0/24 [90/1100.445
    D 120.100.6.0/24 [90/1100.46.6, 00:00:04, GigabitEthernet0/1.46

    R4 will have dual equal-cost routes to from R5 and R6. Ensure that R4 sends traffic to this destination network to R5 instead of load sharing. Should the route from R5 become unavailable, traffic should be sent to R6. You may not policy route, alter the bandwidth or delay statements on R4's interfaces or use an offset list. Perform your configuration on R4 only. Your solution should be applied to all routes received from R5 and R6 as opposed to solely the route to network

    0/24
      Known via "eigrp 1", distance 90, metric 30720, type internal
      Redistributing via ospf 1, eigrp 1
      Advertised by ospf 1 metric 100.45 on GigabitEthernet0/1.4


    R4(config-router)# address-family ipv4 unicast autonomous-system 1
    R4(config-router-af)# topology base
    R4(config-router-af-topology)# distribute-list route-map %&5&6 in
    R4(config-router-af-topology)# ^Z
    R4# clear ip route *
    R4# sh ip route 150.100.3.0

    Routing entry for 150.100.3.0/24
      Known via "eigrp 1", distance 90, metric 128245 on GigabitEthernet0/1.4

    EIGRP routes redistributed within the OSPF network should remain with a fixed cost of 5000 throughout the network. (3 points)

    A simple redistribution question for the warm-up lab, you have only a single redistribution point (R4), so have no concerns when using protocols such as EIGRP and OSPF, with their inherent protection against routing loops. The fixed cost of 5000 is achieved by advertising redistributed routes into OSPF using a metric type of 2, which is the default, so no specific configuration is required for this. The only points you need to consider when redistributing into OSPF are to use the subnets command to ensure classless redistribution and to use default metrics in each protocol. If you have configured this correctly, as shown in Example 1-19, you have scored 3 points.


    Example 1-19 R4 Redistribution Configuration and Verification


    R4(config)# router ospf 1
    R4(config-router)# redistribute maximum-prefix 5 80

    Section 3: BGP (14 Points)

    Configure iBGP peering as follows: R1-R3, R2-R3, R6-R5, SW1-R6, and SW1-R5. Use minimal configuration and use loopback interfaces for your peering. Configure eBGP peering as follows: R3-R4, R4-R6, R4-R5, and R5-R2. Use minimal configuration and use loopback interfaces for your peering with the exception of R4 to R5. (2 points) Use the autonomous system numbers supplied in Figure 1-7. For your eBGP peering on R3, use the TTL security feature, which will not permit a session from R4 to become established if R4 is more than 2 hops away. This feature must be configured only on R3 and not on R4. (2 points)

    You can get some easy peering points to begin with, but you'll have to do a lot of typing to earn them. You must remember to use peer groups to minimize configuration where possible, namely on R3, R6, and Switch 1, and follow the peering instructions closely because these are relevant for the following questions. You should have noticed that R3 was required to be a route reflector for iBGP peers R1 and R2 in AS10 and that no synchronization is required because the underlying IGP is not redistributed into BGP. Remember to verify your peering with the show ip bgp neighbor command. The peering becomes complicated when the TTL security feature is enabled by use of the command neighbor 120.100.4.1 ttl-security hops 2 on R3. This command is a neat feature that will not permit the peering session if the received neighbor TTL value is less than 253 in this case, which would suggest that the incoming session could be some form of remote attack with spoofed source IP address of the original neighbor. Because you are not permitted to configure the same feature on R4, the peering will break, of course, even if you have configured the eBGP multihop feature on R4 with a value of 2. (Of course, this will simply increment the TTL value from a default value of 0.) Example 1-21 shows a debug on R3 for the eBGP peering. The field highlighted is the Time To Live (TTL) hex value displayed from the hidden command (dump) when performing the debug. You need to get the hex value to FD (253 decimal) by configuring the multihop value to 255 on R4, to show R3 that the R4 can only be a maximum of two hops away. If you have configured this correctly, as shown in Example 1-21, you have scored 2 points.

    Example 1-21 BGP Peering Configuration


    router bgp 10
     no synchronization
     neighbor 120.100.3.1 remote-as 10
     neighbor 120.100.5.1 remote-as 300
     neighbor 120.100.5.1 ebgp-multihop 2
     neighbor 120.100.5.1 update-source Loopback0
     no auto-summary

    R3# sh run | begin bgp
    router bgp 10
     no synchronization
     neighbor P peer-group
     neighbor P remote-as 10
     neighbor P update-source Loopback0
     neighbor P route-reflector-client
     neighbor 120.100.1.1 peer-group P
     neighbor 120.100.2.1 peer-group P
     neighbor 120.100.4.1 remote-as 200
     neighbor 120.100.4.1 ttl-security hops 2
     neighbor 120.100.4.1 update-source Loopback0
     no auto-summary

    R4# sh run | begin bgp
    router bgp 200
     no synchronization
     neighbor 120.100.3.1 remote-as 10
     neighbor 120.100.3.1 ebgp-multihop 2
     neighbor 120.100.3.1 update-source Loopback0
     neighbor 120.100.6.1 remote-as 300
     neighbor 120.100.6.1 ebgp-multihop 2
     neighbor 120.100.6.1 update-source Loopback0
     neighbor 120.100.45.5 remote-as 300
     no auto-summary

    R3(config)# access-list 100 permit ip host 120.100.4.1 host 120.100.3.1
    R3(config)# exit
    R3# debug ip packet 100 detail dump
    IP packet debugging is on (detailed) (dump) for access list 100

    ;3# P src;42)92* dst;1$9* se;2)002$994)* ack;0* win;1)3:4 SKN$+4$$/$$' /2$4 $=4$$$$$ >>L>>$+4$$/1$' /2$211.$ $$1$$:$$ 4>M>>>>.L>AC>>>$+4$$/2$' $1$747=. $1$1$1$1 $3$3$3$3 57/4$$3 >>+>>>>>>>>OD>3$+4$$/3$' 5+D1+:5 $$$$$$$$ 7$$24$$$ +1$$$$ >>>>>>>M>L>BQ>>

    $+4$$/4$' $2$4$21: >>>>

    ! The TTL from R4 is decremented to 01 Hex 01 decimal as R4 has ebgp-multihop 2
    ! configured and the BGP session will not be established as R3 has the TTL security
    ! check enabled, from R3's perspective R4 could be 2
    ! ebgp multihop value of 2100.2.1 remote-as 10
     neighbor 120.100.2.1 ebgp-multihop 2
     neighbor 120.100.2.1 update-source Loopback0
     neighbor 120.100.6.1 remote-as 300
     neighbor 120.100.6.1 update-source Loopback0
     neighbor 120.100.46 remote-as 200
     neighbor 120.100.7.1 remote-as 300
     neighbor 120.100.7.1 update-source Loopback0
     no auto-summary

    R6# sh run | beg bgp
    router bgp 300
     no synchronization
     neighbor P peer-group
     neighbor P remote-as 300
     neighbor P update-source Loopback0
     neighbor 120.100.4.1 remote-as 200
     neighbor 120.100.4.1 ebgp-multihop 2
     neighbor 120.100.4.1 update-source Loopback0
     neighbor 120.100.5.1 peer-group P
     neighbor 120.100.7.1 peer-group P
     no auto-summary

    SW1# sh run | begin bgp
    router bgp 300
     no synchronization
     neighbor P peer-group
     neighbor P remote-as 300
     neighbor P update-source Loopback0
     neighbor 120.100.5.1 peer-group P
     neighbor 120.100.6.1 peer-group P
     no auto-summary

    AS200 is to be used as a backup transit network for traffic between AS10 and AS300; therefore, if the serial network between R5 and R2 fails, ensure that the peering between R2 and R5 is not maintained via the Ethernet network. Do not use any ACL type restrictions or change the existing peering. (2 points)

    As R2 and R5 peer to each other using their loopback interfaces, the peering is maintained if the serial network between R2 and R5 fails. Example 1-22 shows the path taken between R5 and R2 when the serial interface is shut down on R5. To break the peering without using ACLs, you just need to ensure that the ebgp-multihop count used in the original peering is set at 2 and no greater. Example 1-22 also shows the ICMP debug with the TTL expiration messages, which indicate the peering will have failed, even though there is IP connectivity between loopbacks. If your ebgp-multihop count is set at 2 between R2 and R5, you have scored 2 points.

    Example 1-22 eBGP TTL Expiration


    R2#
    Jan 17 21:26:13.306: ICMP: time exceeded rcv from 120.100.34.4
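    The TTL arithmetic behind both BGP tasks above (ttl-security hops 2 on R3, and ebgp-multihop 2 between R2 and R5), as an added Python example that is not part of the original lab. Function names are assumptions, and the backup path R2, R3, R4, R5 is assumed from the time-exceeded source 120.100.34.4 in the debug output above.

```python
MAX_TTL = 255


def gtsm_min_ttl(hops):
    """Lowest received TTL that 'neighbor ... ttl-security hops <hops>' accepts."""
    return MAX_TTL - hops


def gtsm_accepts(arrival_ttl, hops):
    """Receiver-side check; a packet that never arrived is never accepted."""
    return arrival_ttl is not None and arrival_ttl >= gtsm_min_ttl(hops)


def forward(ttl, transit_routers):
    """Carry a packet through the named transit routers.

    Each router decrements the TTL before forwarding. The router that takes
    it to 0 drops the packet and is the source of the ICMP time-exceeded
    message. Returns (ttl_on_arrival, None) or (None, dropping_router).
    """
    for router in transit_routers:
        ttl -= 1
        if ttl <= 0:
            return None, router
    return ttl, None


def r3_view_of_r4(sent_ttl, hops=2):
    """R3 runs ttl-security hops 2 toward R4.

    The number of decrements between R4 and R3's check is an assumption,
    so every count from 0 up to the configured hop limit is evaluated.
    """
    return {d: gtsm_accepts(sent_ttl - d, hops) for d in range(hops + 1)}


def r2_to_r5(multihop, serial_up):
    """R2's BGP packets toward R5's loopback, sent with TTL = ebgp-multihop value."""
    path = [] if serial_up else ["R3", "R4"]   # assumed backup path via AS200
    return forward(multihop, path)


def distant_sender(hops_away, hops=2):
    """A sender that sets TTL 255 but sits hops_away routers from R3."""
    arrival, _ = forward(MAX_TTL, [f"hop{i}" for i in range(hops_away)])
    return gtsm_accepts(arrival, hops)


if __name__ == "__main__":
    print("minimum TTL R3 accepts:", gtsm_min_ttl(2))
    print("R4 with ebgp-multihop 2:  ", r3_view_of_r4(2))
    print("R4 with ebgp-multihop 255:", r3_view_of_r4(255))
    print("R2->R5, serial up:  ", r2_to_r5(2, serial_up=True))
    print("R2->R5, serial down:", r2_to_r5(2, serial_up=False))
    print("R2->R5, multihop 3, serial down:", r2_to_r5(3, serial_up=False))
    print("sender 5 routers away accepted:", distant_sender(5))
```

    With a multihop count of 3 the packet survives the assumed backup path, which is why the lab text insists on 2 and no greater.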

    Configure a new loopback interface 2 on R2 of 130.100.200.1/24, and advertise this into BGP using the network command. Configure R2 in such a way that if the serial connection between R2 and R5 fails, AS300 no longer receives this route. Do not use any route filtering between neighbors to achieve this. (3 points)

    If the peering between R2 and R5 fails, the new network route will flow from AS10 to AS300 via AS200 instead of flowing directly from AS10 to AS300. Therefore, a simple use of communities can be used to ensure that the route is not exported to AS200. You simply need to apply a no-export value to the route as it is advertised on R2 toward R3; this way the route is not advertised to AS200 if a failure occurs. Under normal conditions, AS200 would still see the route from AS300. If you have configured this correctly, as shown in Example 1-23, you have scored 3 points.

    Example 1-23 Route Advertisement and no-export Configuration on R2

    0/24, version 4
    Paths: (1 available, best #1, table Default-IP-Routing-Table, not advertised to EBGP peer)
      Advertised to update-groups:
         2
      Local, (Received from a RR-client)
        120.100.2.1 (metric 6100.2.1 (130.100.200.1)
          Origin IGP, metric 0, localpref 100, valid, internal, best
          Community: no-export


    R End with CNTL/Z.
    R


    R3.1
      Active virtual MAC address is 0000.0c07.ac01
        Local virtual MAC address is 0000.0c07.ac01 (v1 default)
      Hello time 3 sec, hold time 10 sec
        Next hello sent in 0.460 secs
      Preemption enabled
      Active router is local
      Standby router is 150.100.3.6, priority 0 (expires in 8.472 sec)
      Priority 100 (default 100)
        Track object 2 state Up decrement 20
      IP redundancy name is "hsrp-Gi0/1-1" (default)
    R


    map. The route maps should be applied on a per-neighbor basis and both call up the same single ACL. Example 1-26 shows the configuration for the new loopbacks on R1 and R2 and the filtering on R3. Further testing is detailed in Example 1-26 to substantiate the filtering process on R3. If you have configured this correctly, as shown in Example 1-25, you have scored 3 points.

    Example 1-25 Route Map Filtering on R3


    Note

    This additional testing configuration is not present on the supplied, final configuration.

    Example 1-26 Route Map Filtering Verification

    200.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete

       Network            Next Hop         Metric LocPrf Weight Path
    *> 100.1.1.0/24       0.0.0.0               0         32768 i
    *> 130.1.1.0/24       0.0.0.0               0         32768 i
    *> 130.100.200.0/24   0.0.0.0               0         32768 i

    Total number of prefixes 3

    R3# sh ip bgp
    BGP table version is 4, local router ID is 120.100.3.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete

       Network            Next Hop         Metric LocPrf Weight Path
    *>i126.1.1.0/24       120.100.1.1           0    100      0 i
    *>i130.1.1.0/24       120.100.2.1           0    100      0 i
    *>i130.100.200.0/24   120.100.2.1           0    100      0 i

    Section 4: IPv6 (15 Points)

    The prerequisite to the questions is configuration of the IPv6 addresses. You should test your IPv6 connectivity to ensure that you are ready to progress to the routing questions. Example 1-27 shows the required IPv6 configuration to progress to the routing questions. Consider using the show ipv6 interfaces brief command for a quick check of your interface configuration.

    Example 1-27  IPv6 Testing and Initial Configuration


    ;3(config)# ipv) unicast-routing;3(config)# interface giga!it&thernet 0/0;3(config-if)# ipv) address 200$@1"@0@1"@@3/)4;3(config-if)# giga!it&thernet 0/1

    ;3(config-if)# ipv) address 200$@1"@0@11@@3/)4

    ;4(config)# ipv) unicast-routing;4(config)# interface giga!it&thernet 0/0;4(config-if)# ipv) address 200$@1"@0@1"@@4/)4

    G. R1 must dynamically learn a default route over EIGRPv6 via R3 on


    Example 1-28  EIGRPv6 Configuration and Testing


    ;4(config)# router eigrp &;4(config-router)# address-family ipv) unicast autonomous-system 1;4(config-router-af)# af-interface %iga!it&thernet0/0;4(config-router-af-interface)# no shutdown

    ;


      6ia +.:$''21


    Example 1-30  R1 and R6 Flood-Reduction Configuration


    .2 2$$='/1


    !"pe escape seBuence to a%ort>Sening


    .I 2$$='/1


    critical data. This approach enables traffic associated with this value to remain unchanged even when traffic rates exceed 5 Mbps. This approach also assumes that the virus does not itself re-mark traffic to this value to increase its chances of causing damage. However, the exclusion of DSCP 26 is not relevant to the configuration and methodology you use to answer the question.

    The question requires you to configure a standard IP ACL that permits any traffic. For traffic matching this classification, the DSCP value in the incoming packet is trusted. If the matched traffic exceeds an average traffic rate of 5 Mbps and a normal burst size of 8000 bytes, its DSCP is marked down according to the policed DSCP map values and transmitted. If you have configured this correctly, as shown in Example 1-34, you have scored 3 points.

    Example 1-34  Switch 1 QoS Configuration and Verification


    Example 1-35  Switch 1 DSCP-Mutation Map Configuration


    would assign voice traffic into a real-time queue (low-latency queuing [LLQ]), but the question doesn't dictate this, so effectively all traffic types are being assigned with different proportions of class-based weighted fair queuing (CBWFQ). If you have configured this correctly, as shown in Example 1-36, you have scored 2 points.

    Example 1-36  Switch 1 Modular QoS Configuration


      %an8it& percent 17

    class /500-S  %an8it& percent 3 class class-efault  %an8it& percent 2<

    Ren

    ;2# sh run int s0/1 !egin ma.-reserved-!andwidth 100 max-reser6e-%an8it& 1$$ ser6ice-polic" output YSen

    ;2# show policy-map (


      4 - - 1,1$  < - - 1,1$  7 - - 1,1$  = - - 1,1$  rs6p - - 1,1$

      /lass /500-S  an8it& 3 () ax !&res&ol 74 (pacets)  /lass class-efault  an8it& 2< ()  exponential 8eig&t   class min-t&res&ol max-t&res&ol mar-pro%a%ilit"

      -------------------------------------------------------

      $ - - 1,1$  1 - - 1,1$  2 - - 1,1$  3 - - 1,1$

      4 - - 1,1$  < - - 1,1$  7 - - 1,1$  = - - 1,1$  rs6p - - 1,1$

    Configure R2 so that traffic can be monitored on the serial network with a view to a dynamic policy being generated in the future that trusts the DSCP value of traffic identified on this media. (1 point)

    This is a simple question that requires the command auto discovery qos trust be configured under the serial interface of R2. This command uses NBAR to inspect the application traffic that flows through the router with a view of generating a QoS policy based on the traffic flow profile. The keyword trust in the command ensures that the DSCP value of the traffic monitored on the network is trusted. If you have configured this correctly, you have scored 1 point.

    Section 6: Security (6 Points)

    Configure R3 to identify and discard the following custom virus. The virus is characterized by the ASCII characters HastingsBeer within the payload and uses UDP ports 11664 to 11666. The ID of the virus begins on the third character of the payload.

    The virus originated on to inspect a packet payload to identify the virus based on the information supplied within the question. Because the virus is located within the third ASCII character, you need to inform the custom NBAR list to ignore the first two characters, which ensures that it will begin to check the third packet. If you have configured this correctly, as shown in Example 1-37, you have scored 3 points. You can use the show policy-map command to verify your configuration.


    Example 1-37  R3 NBAR Configuration

    eer 2 ascii astingsC>eer udprange 11))4 11)));3(config)# class-map match-all ?6=,;3(config-cmap)# match protocol astingsC>eer;3(config-cmap)# policy-map >++

    This question is representative of black-hole routing. This is an effective method of discarding packets being sent to a known destination. This approach to discarding traffic is efficient because it enables the edge routers to route traffic rather than use ACLs, and it can be deployed dynamically by making use of the next-hop field within BGP updates. You are permitted to create a static route on routers R1, R2, and R3 in AS10 for network 192.0.2.0/24 to null0 and one additional route on R2. This route would need to be directing traffic to the infected host to null0, to update routers R1 and R3. R2 simply advertises the host route for the infected host to AS10 and sets the next hop for this to 192.0.2.1. Routers R1 and R3 then direct traffic to null0 when traffic is destined to the infected host. To ensure that the solution is used only in AS10, you must set the community to no-export for the specific static route and tag the route with a value of 10 to identify it. You must therefore send the community values to neighbor R3 on R2, but this should have completed previously for an earlier BGP question. Use of the no icmp unreachable command on R1's Gigabit Ethernet interface prevents unnecessary replies when traffic is passed to the null0 interface. If you have configured this correctly, as shown in Example 1-38, you have scored 3 points.
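    The black-hole design described above, written out as an added IOS configuration example (it is not the book's Example 1-38 listing). The route-map name BLACKHOLE, the host 150.100.2.100, tag 10 and AS 10 come from the show output on this page; the R2-to-R3 peering address 120.100.3.1 is an assumption based on R3's router ID, and ICMP suppression is written as no ip unreachables, the IOS interface command for it.

```cisco
! ---- R2: trigger router ------------------------------------------------
! Sinkhole next hop; the same static route exists on every AS10 router
ip route 192.0.2.1 255.255.255.255 Null0
! Host route for the infected host; tag 10 selects it for redistribution
ip route 150.100.2.100 255.255.255.255 Null0 tag 10
!
! Only static routes carrying tag 10 are redistributed. Any other static
! route falls through to the implicit deny and is never advertised.
route-map BLACKHOLE permit 10
 match tag 10
 set ip next-hop 192.0.2.1
 set community no-export
!
! 120.100.3.1 is an assumed peering address for R3. Without send-community
! the no-export marking is stripped before it reaches the neighbor.
router bgp 10
 redistribute static route-map BLACKHOLE
 neighbor 120.100.3.1 send-community
!
! ---- R1 and R3: receiving routers -----------------------------------------
! The BGP next hop 192.0.2.1 resolves to Null0, so traffic to the infected
! host is discarded in the forwarding path without any ACL.
ip route 192.0.2.1 255.255.255.255 Null0
!
! ---- R1 only --------------------------------------------------------------
! Suppress ICMP unreachables generated for packets discarded via Null0
interface GigabitEthernet0/1
 no ip unreachables
!
! ---- Checks ---------------------------------------------------------------
! show ip bgp 150.100.2.100      next hop 192.0.2.1, community no-export
! show ip route 150.100.2.100    R2: static via Null0, tag 10
!                                R1/R3: known via bgp 10, next hop 192.0.2.1
! show ip route 192.0.2.1        static, directly connected via Null0
```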

    Example 1-38  BGP Black-Hole Routing Configuration and Verification


    ;2(config-router)# route-map >+A1$$>2$$>1Status coes' s suppresseA ampeA & &istor"A E 6aliA %estA i -internalAr ;-failureA S Stalerigin coes' i - PA e - .PA U - incompleteNet8or Next 9op etric 0ocPrf Weig&t Pat&E 13$>1>1>$,24 $>$>$>$ $ 32=7: iE 13$>1$$>2$$>$,24 $>$>$>$ $ 32=7: iE 11$$>2>1$$,32 12>$>2>1 $ 32=7: i!otal num%er of prefixes 3

    R2# show ip route 150.100.2.100
    Routing entry for 150.100.2.100/32
      Known via "static", distance 1, metric 0 (connected)
      Tag 10
      Redistributing via bgp 10
      Advertised by bgp 10 route-map BLACKHOLE
      Routing Descriptor Blocks:
      * directly connected, via Null0
          Route metric is 0, traffic share count is 1
          Route tag 10

    R3(config)# ip route 192.0.2.1 255.255.255.255 null0
    R3(config)# do show ip bgp
    BGP table version is 14, local router ID is 120.100.3.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network              Next Hop        Metric LocPrf Weight Path
    *>i126.1.1.0/24         120.100.1.1          0    100      0 i
    *>i130.1.1.0/24         120.100.2.1          0    100      0 i
    *>i130.100.200.0/24     120.100.2.1          0    100      0 i
    *>i150.100.2.100/32     192.0.2.1            0    100      0 i

    R1(config)# ip route 192.0.2.1 255.255.255.255 null0
    R1(config)# interface Gigabit0/1
    R1(config-if)# no icmp unreachable
    R1(config-if)# do show ip bgp
    BGP table version is 8, local router ID is 126.1.1.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network              Next Hop        Metric LocPrf Weight Path
    *> 126.1.1.0/24         0.0.0.0              0         32768 i
    *>i130.1.1.0/24         120.100.2.1          0    100      0 i
    *>i130.100.200.0/24     120.100.2.1          0    100      0 i
    *>i150.100.2.100/32     192.0.2.1            0    100      0 i

    R1# show ip route 150.100.2.100
    Routing entry for 150.100.2.100/32
      Known via "bgp 10", distance 200, metric 0, type internal
      Last update from 192.0.2.1 00:00:02 ago
      Routing Descriptor Blocks:
      * 192.0.2.1, from 120.100.3.1, 00:00:02 ago
          Route metric is 0, traffic share count is 1
          AS Hops 0
    R1# show ip route 192.0.2.1
    Routing entry for 192.0.2.1/32
      Known via "static", distance 1, metric 0 (connected)
      Routing Descriptor Blocks:
      * directly connected, via Null0
          Route metric is 0, traffic share count is 1

    To protect the control plane on router R6, configure CoPP so that IP packets with a TTL of 0 or 1 are dropped rather than processed, with a resulting ICMP redirect sent to the source. (1 point)

    Cisco IOS Software sends all packets with a TTL of 0 or 1 to the process level to be processed. The device must then send an ICMP TTL expire message to the source. By filtering packets that have a TTL of 0 and 1, you can reduce the load on the process level. The control plane policing simply blocks packets with a TTL value of 0 and 1 as directed, but this will break your EIGRP and BGP peering. So, you must specifically permit these packets within your ACL; otherwise, you would have just lost valuable points. If you found yourself running short on time and couldn't justify further time to investigate how to maintain your routing peering, remember that this is a 1-point question, worth leaving and coming back to, if possible. If you have configured this correctly, as shown in Example 1-39, you have scored 1 point.

    Example 1-39  CoPP Configuration
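    A control-plane policy matching the description above, as an added IOS configuration example (it is not the book's Example 1-39 listing). The ACL, class-map and policy-map names are assumptions; the exemptions cover the two protocols the text says would otherwise lose their peerings.

```cisco
! ---- R6: drop TTL 0/1 packets at the control plane, keep routing alive ----
ip access-list extended TTL-0-1
 remark Deny = not classified into the drop class, so peerings survive
 deny   eigrp any any
 deny   tcp any any eq bgp
 deny   tcp any eq bgp any
 remark Everything else that arrives with a TTL of 0 or 1
 permit ip any any ttl lt 2
!
class-map match-all CM-TTL-0-1
 match access-group name TTL-0-1
!
policy-map PM-COPP
 class CM-TTL-0-1
  drop
!
! Attach inbound on the aggregate control-plane interface
control-plane
 service-policy input PM-COPP
!
! ---- Checks ----------------------------------------------------------------
! show policy-map control-plane    drop counters rise only for class CM-TTL-0-1
! show ip eigrp neighbors          adjacencies still present after the policy
! show ip bgp summary              sessions still Established
! show access-lists TTL-0-1        per-entry hit counts, including the deny lines
```

    Checking the routing adjacencies immediately after attaching the policy is the quickest way to catch a missing exemption before hold timers expire.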


    Section 7: Multicast (4 Points)

    Configure routers R1, R2, R3, and R4 for IPv4 multicast. Configure R3 to send multicast advertisements of its own time by use of NTP sourced from interface Gig 0/0. Configure PIM sparse mode on all required interfaces. R3 should also be used to advertise its own gigabit interface IP address as an RP. R3 should also advertise the IP address you are using for the NTP advertisements, which will be 224.0.1.1. Do not use the command ntp server in any configurations. Routers R1, R2, and R4 should all show a clock synchronized to that of R3. (4 points)

    Network Time Protocol (NTP) can be multicast on the reserved group IP address of 224.0.1.1 rather than the more familiar broadcast or unicast scenarios. The question requires you to configure R3 to become the NTP master and announce the group address to the NTP clients. You are not permitted to use the command ntp server, and so you must configure the clients with the command ntp multicast client. They will then have the capability to join the NTP group by use of Protocol Independent Multicast (PIM). It is good practice to TTL scope your multicast announcements so that they do not propagate past the domain you require. If you have not taken this into consideration in your solution, you would not be deducted points, but be aware of the facility in case you face a question that specifies this. If you have configured this correctly, as shown in Example 1-40, you have scored 4 points.

    Example 1-40  NTP Multicast Configuration and Verification


    GigabitEthernet0/0
    R1(config-if)# ip pim sparse-mode
    R1(config-if)# ntp multicast client

    R1# show ntp status

    /loc is s"nc&roniJeA stratum A reference is 12$>1$$>34>3nominal freB is 2$$$$ 9JA actual freB is 2$$$$ 9JA precision is2EE1:reference time is /:+1.=>+2321D (21'1='4723 *!/ !ue +e% 2= 2$$=)cloc offset is $>$11$$>34>3nominal freB is 2$$$$ 9JA actual freB is 2$$$$ 9JA precision is

    2EE1:reference time is /:+1.=3>:3=3.7: (21'1='3>$1:2 msecA root ela" is 4>14 msecroot ispersion is 11>1 Serial$,$ $$'41'$: $$'$2'1$$>123>2224>$>1>3 Serial$,$ $$'$:'12 $$'$2'1$$>123>3224>$>1>4$ Serial$,$ $$'41'$ $$'$1'1$$>1

    23>2/&ange +

    R4(config)# ip multicast-routing
    R4(config-if)# interface GigabitEthernet0/0
    R4(config-if)# ip pim sparse-mode
    R4(config-if)# ntp multicast client

    R4# show ntp status


    /loc is s"nc&roniJeA stratum A reference is 12$>1$$>34>3nominal freB is 2$$$$ 9JA actual freB is 2$$$$ 9JA precision is2EE1:reference time is /:+1.+1>2=D1+2 (21'1'417 *!/ !ue +e% 2= 2$$=)cloc offset is -$>73= msecA root ela" is 1>3= msecroot ispersion is =:==>$: msecA peer ispersion is =:=7>34 msec

    ;4# show ip igmp groupP /onnecte roup em%ers&iproup 5ress nterface *ptime .xpires 0ast;eporter224>$>1>1 iga%it.t&ernet$,$ $$'41'2 $$'$2'42 12$>1$$>34>4224>$>1>3 iga%it.t&ernet$,$ $$'$:'3< $$'$2'42 12$>1$$>34>3224>$>1>4$ iga%it.t&ernet$,$ $$'41'$= $$'$2'42 12$>1$$>34>4

    IP Services (4 Points)

    Configure the following commands on router R1:

    aaa new-model

    logging buffered

    logging 120.100.99.1

    Configure a policy on router R1 so that if a user tries to remove AAA services or disable logging via the CLI that a syslog message of UNAUTHORIZED-COMMAND-ENTERED is generated. The policy should ensure that neither command is executed and should consist of a single-line command for the CLI pattern detection. The policy and CLI should run asynchronously. The policy should also generate an email from the router to a mail server residing on IP address 120.100.99.2 (to security@lab-exam.net from eem@lab-exam.net, with the subject "User-Issue," with the message body consisting of details of who was logged on the time either of the commands were entered). (2 points)

    This is an intricate Embedded Events Manager (EEM) question. You are required to configure an EEM applet with a CLI pattern event on a single line to match on either of the commands (no aaa xxx and no logging xxx). This is achieved by a pattern of "^no (aaa|logging).*". The following sync no skip yes parameters simply state that the policy and CLI should run asynchronously and that the command entered should not be executed as directed. When the commands are matched via the CLI pattern, the policy requires the syslog message to be generated, a CLI command action to run show users, and a final action to send an email with the details of the previous show command (which is achieved by the command "$_cli_result"). Example 1-41 details the required configuration and resulting execution of the EEM when the commands no aaa new-model and no logging buffered are entered and not executed on the router. If you have configured this correctly, as shown in Example 1-41, you have scored 4 points.


    Example 1-41  R1 EEM Configuration and Verification Testing

    100.99.2
    %HA_EM-3-FMPD_ERROR: Error executing applet CCIE-QUESTION statement 3.0
    R1(config)# no logging buffered
    %HA_EM-6-LOG: CCIE-QUESTION: UNAUTHORISED-COMMAND-ENTERED
    %HA_EM-3-FMPD_SMTP_CONNECT: Unable to connect to SMTP server: 120.100.99.2
    %HA_EM-3-FMPD_ERROR: Error executing applet CCIE-QUESTION statement 3.0
    R1(config)# do show run | include aaa new-model
    aaa new-model
    R1(config)# do show run | include logging buffered
    logging buffered 4096 debugging
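    An applet that produces the behaviour shown in the output above, as an added IOS configuration example (it is not the book's Example 1-41 listing). The applet name CCIE-QUESTION and the label 3.0 for the mail action follow the log messages on this page; the other action labels and the enable step before show users are assumptions.

```cisco
! ---- R1: block and report attempts to remove AAA or logging ---------------
event manager applet CCIE-QUESTION
 ! One-line pattern covering both commands.
 ! sync no  : applet and CLI run asynchronously
 ! skip yes : the matched command is discarded instead of executed
 event cli pattern "^no (aaa|logging).*" sync no skip yes
 action 1.0 syslog msg "UNAUTHORIZED-COMMAND-ENTERED"
 ! Capture who is logged on at the moment the command was attempted
 action 2.0 cli command "enable"
 action 2.1 cli command "show users"
 ! $_cli_result holds the output of the most recent cli command action
 action 3.0 mail server "120.100.99.2" to "security@lab-exam.net" from "eem@lab-exam.net" subject "User-Issue" body "$_cli_result"
!
! ---- Checks ----------------------------------------------------------------
! show event manager policy registered     applet present, event type cli
! show logging | include HA_EM              HA_EM-6-LOG line on each attempt
! show run | include aaa new-model          command still in the configuration
! show run | include logging buffered       command still in the configuration
```

    An FMPD_SMTP_CONNECT error for statement 3.0, as in the output above, means the mail server was unreachable; the syslog message and the skipped command do not depend on the mail action succeeding.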

    Lab Wrap-Up

    So, how did it go? Did you run out of time? Did you manage to finish but miss what was actually required? If you scored over 80, well done. If you accomplished this within 8 hours or less, you will be prepared for any scenario that you are likely to face during the 5.5 hours of the Configuration section of the actual exam. Remember that the Troubleshooting section on the v5.0 exam is a separate section from the Configuration section and has a different scenario; you will have 2 hours to complete the Troubleshooting section.

    This lab was designed to ensure that you troubleshoot your own work as you progress through the questions. What sets the CCIE exam apart within the industry is the complexity of the questions to test you further than you thought possible. The exam is not trying to trick you, but it will ensure that you have the ability to think laterally, an ability that will ensure that you exceed in your networking career and one that sets CCIEs apart. Spend the time to go back over the questions and practice with the configurations using debug and show commands to fully absorb any new areas you might have come across.


    Did you anticipate and factor into your configuration items such as the maximum reserved bandwidth within QoS? If you did, congratulations, because this would have saved you time and secured you points. It also shows that you fully understand the protocols involved and are adept at testing your configurations. How can you ensure that you have the ability to spot any underlying issues related to a question? Well, it's all mileage; you'll get out of your study what you put into it.

    Practice Lab 2

    Equipment List

    Practice Lab 2 follows an identical format to Lab 1 with timings and also consists of 100 points. You need the following hardware and software components to begin this practice lab.

    Six routers loaded with Cisco IOS Software Release 15.3T Advanced Enterprise image and the minimum interface configuration, as documented in Table 2-1

    Table 2-1  Hardware Required per Router

    Note

    Notice in the initial configurations supplied that some interfaces will not have IP addresses preconfigured. This is because you will either not be using that interface or you must configure it from default within the exercise. The initial configurations supplied should be used to preconfigure your routers and

    switch