CCIE ROUTING & SWITCHING v5.0 LAB EXAM CONFIGURATION SECTION -H3 Lead2pass.

Transcription

1 CCIE ROUTING & SWITCHING v5.0 LAB EXAM CONFIGURATION SECTION -H3

2 H3 Topology Diagrams Collection SECTION 1 Layer 2 Technologies Section 1.1: LAN Access Section 1.2: LAN Distribution Section 1.3: LAN Resiliency: Spanning-Tree Section 1.4: WAN Switching Technologies Section 2 Layer 3 Technologies Section 2.1: OSPF in Headquarters Section 2.2: OSPF in DC#1 Section 2.3: B2B Connection with Partner#1 Section 2.4: BGP in DC#1: Part 1 Section 2.5: BGP in DC#1: Part 2 Section 2.6: BGP in Remote Sites: Part 1 Section 2.7: BGP in Remote Sites: Part 2 Section 2.8: Routing Policies Section 2.9: IPv6 Routing Section 2.10: Multicast in DC#1 Section 2.11: Multicast in HQ Section 3 VPN Technology Section 3.1: MPLS VPN Section 3.2: DMVPN Section 3.3: Internet Access Section 3.4 LAN to LAN IPsec Section 4 Infrastructure Security Section 4.1: Device Security Section 4.2: Network Security Section 5 Infrastructure Services Section 5.1: System Management Section 5.2: Quality of Service Section 5.3: Network Services Section 5.4: Network Services TABLE OF CONTENTS

3 Topology Diagrams Collection (As of known Yet!)

4

5

6 Section-1.1: LAN Access SECTION 1: Layer 2 Technologies The following requirements were pre-configured: VTP is turned off in all switches. All required VLAN, including access-ports configuration in all relevant switches are provisioned. All required SVI interfaces in all relevant switches (including IP address and subnet mask) are provisioned. Configure the network in all sites as per the following requirements: Access-ports must immediately transition to the forwarding state upon link up, as long as they do not receive a BPDU. Use the minimal number of commands per switch to enable this feature. If an access-port receives a BPDU, it must automatically shutdown. Use the minimal number of commands per switch to enable this feature. Ports that were shutdown must attempt to automatically recover after 10 minutes. None of the switches may generate a TC. Solution:

7 Section-1.2: LAN Distribution Configure the Headquarters network, as well as the large and medium office networks as per the following requirements: All trunks must always use dot1q encapsulation. Negotiation of trunking protocol must be disabled in all switches. Distribution switches (SW300, SW301, SW400, SW401, SW500, SW501) must initiate etherchannel negotiation using LACP. Access switches (SW310, SW410, SW510) must never initiate etherchannel negotiation. Configure layer 2 etherchannels number as shown in the Diagram 1: Main topology and Diagram 5: Layer 2 Connections (that is, use only Po1 and/or Po2). Ensure that all ports included in etherchannels are effectively in use and bundled in the expected channel. Access Switches must see similar output as shown below: SW310#show etherchannel summary Flags: D - down P - bundled in port-channel I - stand-alone s - suspended H - Hot-standby (LACP only) R - Layer3 S - Layer2 U - in use N - not in use, no aggregation f - failed to allocate aggregator M - not in use, minimum links not met m - not in use, port not aggregated due to minimum links not met u - unsuitable for bundling w - waiting to be aggregated d - default port A - formed by Auto LAG Number of channel-groups in use: 2 Number of aggregators: 2 Group Port-channel Protocol Ports Po1(SU) LACP Et2/0(P) Et2/1(p) 2 Po2(SU) LACP Et2/2(P) Et2/3(P)

8 Solution:

9 Section 1.3: LAN Resiliency: Spanning-Tree Configure the headquarters network as per the following requirements: SW300 must be the spanning-tree root bridge and must maintain a single Spanning- Tree instance for the following VLANS: 2000, 2002, 2004, 2006, 2008 (use instance number 2). SW301 must be the spanning-tree root bridge and must maintain a single Spanning- Tree instance for the following VLANS: 2001, 2003, 2005, 2007, 2009 (use instance number 1). All other VLANS, except 3001, must share the default Spanning-Tree instance. Ensure that interface E0/2 of SW300 and SW301 is a dot1q trunk and that it switches frames for VLAN 3001 only. SW300, SW301 and SW310 must not have any blocked ports for any access VLAN (i.e ). SW310 must have the least chance of being elected the root bridge for any VLAN. None of the three switches may run more than four instances of Spanning-Tree at any point in time. Configure all access switches in both Datacenter networks (SW110. SW111, SW210, SW211) as per the following requirements: Use 32-bit based values for default port path costs. All four switches must use the default value for their interface cost. Solution:

10

11 Section 1.4: WAN Switching Technologies Configure the home router R70 as per the following requirements: The Ethernet WAN link must rely on a Layer 2 protocol that supports authentication and Layer 3 protocol negotiation. The service provider expects that R70 completes a three-way handshake by providing the expected response of a challenge requested. R70 must use the hostname R70 and password CCIE (without quotes). R70 must receive an IP address from R8 and must install a default route pointing to Ensure that R70 can successfully ping , which is located in the ISP#2 cloud. You are not allowed to configure any static route in R70 in order to achieve the previous requirements. Use the pre-configured Dialer1 interface as appropriate. Solution:

12 Section 2: Layer 3 Technologies Section-2.1: OSPF in Headquarters Configure the headquarters network (BGP AS#65003) as per the following requirements: Both gateway routers of the headquarters network must always advertise a default route into the OSPF domain. All four devices produce the exact same output as shown below. Everything must match, except the Dead Time counters and line order. Make sure that when you do 'show ip ospf interfaces' and 'show ip ospf neighbor' you see the hostnames. Solution:

13 Complete the rest of configuration for this section yourself! Section 2.2: OSPF in DC1 In order to speed up OSPF convergence in the DC#1 network, limit the number of IP prefixes that carried in OSPF LSAs that OSPF is pre-configured in all required devices in DC#1. Configure DC#1 network as the following requirements: All OSPF devices must exclude the IP prefixes of connected networks when advertising their type 1 router LSA, except for prefixes associated with the loopbacks or passive interfaces. All host loopbacks are the only OSPF Intra-area prefixes that may appear in any DC device s routing table. Your solution must still apply, if any new interface was added to the OSPF domain. Do not use any prefix-list or other explicit filter anywhere. Do not configure any interface as unnumbered. Do not remove any pre-configuration. Solution:

14

15 Section 2.3: B2B Connection with Partner#1 R100 is located in the Partner#1 network and is connected to R42. It supports OSPF only. Configure the Large Office network as the following requirements: R42 must run a separate OSPF process with R100. As mentioned in Section 2.6, the site gateways R40 and R41 are not allowed to redistribute OSPF iun BGP and vice versa. R42 is allowed to redistribute OSPF into BGP and vice versa. At the end of Exam: The Server2 (located in DC#2) must be able to ping the IP address /24 (located in Partner#1 network). R100, the Partner router, must receive the external prefixes as shown below and no other prefixes: R100#sh ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP

16 a - application route + - replicated route, % - next hop override Gateway of last resort is not set /16 is subnetted, 7 subnets O E [110/1] via :46:04, Ethernet0/0 Solution:

17 Section-2.4: BGP in DC#1: Part 1 Assuming that the network topology will remain unchanged for the foreseeable future the network architect decided to reduce the amount and complexity of CLI configuration and save CPU and memory usage. Configure the DC#1 network as the following requirements: All six routers and four switches must run BGP using As number (including R10, R11, R12, R13, R14, R15, SW100, SW101, SW110, SW111). All internal BGP sessions must be established using interface loopback0 and must be secured with an MD5 hash of the string "cisco" (without quotes). R13 must maintain an active peering with all BGP speakers in the autonomous system. All BGP speakers except R13 must maintain only one active internal BGP session. R13 must be configured in a way that allows BGP to peer with a group of neighbors that are defined by a range of IP addresses. R13 must not require any additional configuration if a new internal BGP peer is added to the network. The next-hop of any prefix received from any external BGP peer must always be the interface Loopbacks of the corresponding local BGP router.

18 Solution: Section-2.5: BGP in DC#1: Part 2 The network architect decided to maximize link utilization in the DC#1. Configure the DC#1 network as the following requirements: All BGP routers in AS#65001 must be configured with the minimum send and/or receive capabilities, in order to ensure multiple paths through the same peering session for the same prefix. New paths must not implicitly replace any previous equivalent paths. Only two of the best paths must be advertised. The following traceroute initiated from SW100 must reveal the same paths as shown below: SW100#traceroute Protocol [ip]: Target IP address:

19 Source address: Numeric display [n]: y Timeout in seconds [3]: Probe count [3]: 2 Minimum Time to Live [1]: Maximum Time to Live [30]: 4 Port Number [33434]: Loose, Strict, Record, Timestamp, Verbose[none]: Type escape sequence to abort. Tracing the route to VRF info: (vrf in name/id, vrf out name/id) msec msec msec msec [AS 65003] 1 msec [AS 65003] 1 msec Solution:

20 Section-2.6: BGP in Remote Site: Part 1 Some configuration was already started. It is your responsibility to verify it and ensure that the network is optional. Configure all corporate site's gateway (*) in HollyMaya's network as the following requirements: They must run ebgp with their external neighbor. They must advertise class B aggregate prefix for their local address space and must not advertise any specific prefix that are covered by the aggregate. They must ensure that their aggregate prefix is always advertised as soon as their ebgp session comes up and that more specific prefixes are not advertised and later withdrawn. That is the BGP aggregation process must run as soon as possible. They must not redistribute BGP into OSPF and vice versa. The redistribute command must not appear anywhere in the router cited below. Ensure that the Home Office prefix /16 still appears in the domain. (refer to section 3: VPN Technologies). The Corporate Site's gateways include the following routers per site: DC#1: R10, R11, R12. DC#2: R20, R21, R22. Headquarter: R30, R31. Large Office: R40, R41. Medium Office: R5, R51. Small Office: R60. R10#sh ip route bgp in 10.*/16 B /16 [200/0] via , 5d12h, Null0 B /16 [200/0] via , 5d12h B /16 [20/0] via , 5d12h B /16 [200/0] via , 13:37:52 B /16 [20/0] via , 5d12h B /16 [200/0] via , 5d12h B /16 [200/0] via , 5d12h R20#sh ip route bgp in 10.*/16 B /16 [200/0] via , 5d12h B /16 [200/0] via , 5d12h, Null0 B /16 [200/0] via , 5d12h B /16 [20/0] via , 13:39:09 B /16 [20/0] via , 5d12h B /16 [200/0] via , 5d12h B /16 [200/0] via , 5d12h

21 Solution:

22

23 Section-2.7: BGP in Remote Sites: Part 2 Configure all relevant remote sites as the following requirement: None of the Corporate sites (except both Datacenters) may ever be used as transit sites for remote traffic. Your solution must remain valid even if any new prefix was added to any remote site. Configure the Datacenter's gateways R10, R11, R20, and R21 as per the following requirements: They must specifically advertise the seven corporate class B aggregate prefixes as well as the default route to all remote sites. No other prefix may be advertised to external peers. At the end of the exam, ensure that the AS number of either ISP (AS#19999 or 29999) is seen in the AS path of the default route from all corporate sites (except the Home Office), similar to what is shown below as an example from R60. R60#show bgp ipv4 uni BGP table is 36, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, x best-external, a additional-path, c RIB-compressed, Origin codes: i - IGP, e - EGP,? - incomplete RPKI validation codes: V valid, I invalid, N Not found Network Next Hop Metric LocPrf Weight Path r r> i *> / i *> / i *> / i Solution:

24

25

26 Section-2.8: Routing Policies HollyMaya Inc requires full reachability between all sites, as well as Internet access fol sites. Internet traffic from the Medium and Large Offices must be routed centrally via any Datacenter. Configure the Large office ntwork as per the following requirements: Both ingress and egress traffic must be routed primarily via R41 and must be routed via R40 on if the primary uplink or its Control-plane is down. You are not allowed to configure anything on any Datacenters router in order to accomplish these two requirements. By the end of the exam, the following output must be seen as shown below: Configure the Medium office network as per the following requirements: The MPLS path (via R50) must be the preffered path for both ingress and egress traffic except for traffic between spoke DMVPN sites for which the DMVPN path (via R51) must be preferred over MPLS path. Ensure that the traffic between /16 and /16 is routed primarily via DMVPN cloud. Ensure that DMVPN dynamic spoke-to-spoke tunnels are still functional. All other traffic (including Internet traffic) must be routed primarily via the MPLS path (via R50) and must only be routed via DMVPN path (via R51), if the primary uplink or control-plane is down. Do not configure any policy-based routing anywhere in order to accomplish the previous requirements. You are allowed to configure R50, R51, and R14 as necessary in order to accomplish the previous requirements. User4#ping Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:!!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms User4#traceroute numeric Type escape sequence to abort. Tracing the route to VRF info: (vrf in name/id, vrf out name/id) msec 0 msec 1 msec msec 3 msec 1 msec msec 2 msec 2 msec msec 3 msec 1 msec msec 3 msec 4 msec msec 5 msec 4 msec msec * 4 msec User4#traceroute numeric Type escape sequence to abort. Tracing the route to VRF info: (vrf in name/id, vrf out name/id) msec 1 msec 1 msec msec 1 msec 1 msec msec 1 msec 1 msec

27 msec 1 msec 2 msec msec 2 msec 1 msec x.2 2 msec 3 msec 2 msec x.1 2 msec 3 msec 3 msec x.1 4 msec * 10 msec Server1#ping Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:!!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 2/204/1009 ms Server1#traceroute numeric Type escape sequence to abort. Tracing the route to VRF info: (vrf in name/id, vrf out name/id) msec 0 msec 1 msec msec 1 msec 0 msec msec 1 msec 1 msec msec 1 msec 1 msec msec 1 msec 2 msec x.2 2 msec * 3 msec Solution:

28

29

30

31 Section-2.9: IPv6 Routing The ISP#1 offers IPv6 connectivity via BGP. The network architect decided to start offering IPv6 connectivity to selected VLANs only. Configure the DC#1 network as the following requirements: Both R14 and R15 must: Receive a default IPv6 route from R9 via BGP. Filter any other IPv6 prefix received from R9. Advertise an aggregate prefix for 2001:CC:1E:8BAD::/64 to R9. Must not include any other more specific prefixes. SW111 must: Advertise the IPv6 prefix of VLAN 2001 to both R14 and R15 using IBP. Install two default IPv6 routes received via BGP in its routing table. At the end of the exam, Server1 must be able to ping IPv6 address 2001:CC:1E:1::1 but it may not run any dynamic routing protocol with SW111. No other devices than R14, R15, SW111 and Server1 may run IPv6. Do not remove any pre-configuration in order to accomplish the previous requirements. Solution:

32

33 Section-2.10: Multicast in DC#1 The network architect decided to provide load-sharing and redundancy of multicast rendezvous point routers (RP) in the DC# network. PIM sparse mode is pre-configured everywhere. Configure the DC#1 network as the following requirements: Interface VLAN 2001 of SW111 is preconfigured as a receiver for the multicast goup Auto RP must be used throughout the DC#1 network. Both SW100 and SW101 must attempt to become the RP and must announce the winner of the RP election, using their interface L01 ( /32). Ensure that both SW100 and SW101 advertise their interface LO1 ( /32) as the RP for groups in /16 as shown below: R13#show ip pim rp mapping PIM Group-to-RP Mappings Group(s) /16 RP (DC1-RP), v2v1 Info source: (?), elected via Auto-RO Uptime: 00:21:44, expires: 00:02:02 Both SW100 and SW101 must exchange information about active sources when they receive registration messages from any source. Ensure that R13 consistently receives replies from SW111 when sending traffic to the group as shown below: R13#ping repeat 3 source l0 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds: Packet sent with a source address of Reply to request 0 from , 1 ms Reply to request 0 from , 2 ms Reply to request 1 from , 3 ms Reply to request 1 from , 5 ms Reply to request 2 from , 2 ms Reply to request 2 from , 3 ms Solution:

34

35 Section-2.11: Multicast in HQ The Headquarters requires a specific multicast application that uses the group address The Corporate multicast application on group must be available to Headquarters as well as the Datacenter#1 networks. PIM is preconfigured everywhere. Configure the Headquarters network as the following requirements: Interface VLAN 2001 of SW111 and VLAN 2000 of SW300 are pre-configured as receivers for the multicast groups and Auto RP must be used throughout the Headquarters network. Interface Lo1 of R30 in the Headquarter must be the RP and RP mapping agent for all groups in /16. The DC#1 network must never see any RP announcement from Headqarter's RP. The Headquarter's network must reply on the default route received from the DC#1 for multicast traffic between both domains (No specific prefix for the DC#1 RP maybe propagated outside of the DC#1 network). The source R13 (that is located in the DC#1) must receive replies from both SW111 and SW300 when sending corporate multicast traffic to the group R31 must receive replies from SW300 only when sending multicast traffic to the group as shown below. The following commands must produce the exact same output (except the timers). R13#ping repeat 3 source l0 Type escape sequence to abort. Sending 3, 100-byte ICMP Echos to , timeout is 2 seconds: Packet sent with a source address of Reply to request 0 from , 11 ms Reply to request 0 from , 22 ms Reply to request 0 from , 22 ms Reply to request 0 from , 22 ms Reply to request 0 from , 17 ms Reply to request 0 from , 17 ms Reply to request 0 from , 17 ms Reply to request 1 from , 17 ms Reply to request 1 from , 6 ms Reply to request 1 from , 6 ms Reply to request 1 from , 6 ms Reply to request 1 from , 6 ms Reply to request 1 from , 3 ms Reply to request 1 from , 2 ms R31#ping repeat 3 source l0 Type escape sequence to abort. Sending 3, 100-byte ICMP Echos to , timeout is 2 seconds: Packet sent with a source address of Reply to request 0 from , 1 ms Reply to request 0 from , 2 ms Reply to request 0 from , 1 ms Reply to request 1 from , 2 ms Reply to request 1 from , 2 ms Reply to request 1 from , 2 ms Reply to request 2 from , 2 ms

36 Reply to request 2 from , 3 ms Reply to request 2 from , 2 ms R30#show ip pim rp mapping PIM Group-to-RP Mappings Group(s) /16 RP (HQ-RP), v2v1 Info source: (HQ-RP), elected via Auto-RP Uptime: 00:42:09, expires: 00:02:20 Group(s) /16 RP (DC1-RP), v2v1 Info source: (HQ-RP), elected via Auto-RP Uptime: 00:13:30, expires: 00:02:23 R13#show ip pim rp mapping PIM Group-to-RP Mappings Group(s) /16 RP (DC1-RP), v2v1 Info source: (?), elected via Auto-RP Uptime: 00:21:44, expires: 00:02:02 Solution:

37 Section 3.1: MPLS VPN Section-3: VPN Technology Some configuration was air already started. It is your responsibility to verify it and ensure that the network is fully operational. Configure the Global Service Provider#1 network AS#10000 as the following requirements: R1 and R2 are P routers they must switch packets based on the labels and must not run BGP protocol. R3, R4, RS, R6 are PE routers they must exchange VPNv4 prefixes with each other and peer with their connected VE router using BGP. All PE routers must serve the "HollyMaya" VPN as described in the MPLS VPN Topology. Do not configure a route-reflector or confederation in AS# LDP must he enabled on all right interfaces and must derive its Router ID using interface loopback0. At the end of the exam, the following output must be seen on all four PE routers (the only difference maybe the BGP Table (7) version number and order of paths): R3#show bgp vpnv4 uni vrf HollyMaya BGP table version is 43, local router ID is

38 Status codes: s suppressed, d damped, h history, * valxd, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, x best-external, a additional-path, c RIB-compressed, Orzgin codes: i - IGP, e - EGP,? - incomplete RPKI validation codes: V valxd, I invalid, N Not found Network Next Hop Metric LocPrf Weight Path Route Distinguisher: 65001:3 (default for vrf HollyMaya) * i i *> i *> / i *>i / i * i *> / i *>i / i * i *>i / i *>i 10.6.o.0/ i * / ? *>i ? *> / ? *>i / ? *>i / ? *>i / ? *>i / ? *>i / ? *>i / ? R4#show bgp vpnv4 uni vrf HollyMaya BGP table version is 42, local router ID is Status codes: s suppressed, d damped, h history, * valxd, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, x best-external, a additional-path, c RIB-compressed, Orzgin codes: i - IGP, e - EGP,? - incomplete RPKI validation codes: V valxd, I invalid, N Not found Network Next Hop Metric LocPrf Weight Path Route Distinguisher: 65002:4 (default for vrf HollyMaya) * i i *> i *>i / i * i *> / i *>i / i * i *>i / i *>i / i *>i / i * i *> / ? *>i / ? *> / ? *>i / ? *>i / ? *>i / ?

39 *>i / ? *>i / ? R5#show bgp vpnv4 uni vrf HollyMaya BGP table version is 39, local router ID is Status codes: s suppressed, d damped, h history, * valxd, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, x best-external, a additional-path, c RIB-compressed, Orzgin codes: i - IGP, e - EGP,? - incomplete RPKI validation codes: V valxd, I invalid, N Not found Network Next Hop Metric LocPrf Weight Path Route Distinguisher: 65005:5 (default for vrf HollyMaya) * i i *>i i *>i / i *>i / i *>i / i *>i / i *> / i *>i / i *>i / ? *>i / ? *> / ? *>i / ? *> / ? *>i / ? *>i / ? *>i / ? R6#show bgp vpnv4 uni vrf HollyMaya BGP table version is 39, local router ID is Status codes: s suppressed, d damped, h history, * valxd, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, x best-external, a additional-path, c RIB-compressed, Orzgin codes: i - IGP, e - EGP,? - incomplete RPKI validation codes: V valxd, I invalid, N Not found Network Next Hop Metric LocPrf Weight Path Route Distinguisher: 65004:6 (default for vrf HollyMaya) *>i i i * i i *>i / i *>i / i *>i / i *> / i *> / i *>i / i *>i / ? *>i / ? *>i / ? *> / ? *>i / ? *> /32

40 ? *> / ? *> / ? Solution:

41

42

43

44 Section 3.2: DMVPN Complete the DMVPN phase 3 configuration in the network as the following requirements: R14 must be configured as the DMVPN hub router. R51 and R60 must be the DMVPN spoke routers. NHRP must be allowed to properly populate routing tables on spoke routers, on an on demand basis. Both spoke routers most receive a default route from the ISP#1 via BGP and must install it into their VRF INTERNET. Protect the tunneled traffic by attaching the preconfigured IPsec profile to the tunnel interface on all tunnel end-points. Use the preconfigured interface Tunnel 0 on all three routers in order to accomplish this task. BGP must be used to exchange routing information between hub and spokes: The hub must be configured in a way that does not require any additional configuration if new spokes of the same subnet were added to the network. All BGP peerings between the hub and any spokes must be established between AS and AS Both spokes must receive the aggregate prefixes (10.x.0.0/16) for all Corporate sites from R14. Both spokes must not receive any other prefixes in /8 from R14. Do not remove any existing configuration on R14, R51 and R60. At the end of the exam, ensure the following sequence of commands produces the same output: SW600#traceroute Type escape sequence to abort. Tracing the route to VRF info: (vrf in name/id, vrf out name/id) msec 1 msec 1 msec msec 2 msec 2 msec [AS 65005] 2 msec 2 msec 2 msec [AS 65005] 3 msec 3 msec *

45 Solution:

46

47 Section 3.3: Internet Access Configure the network as per the following requirements: Egress Internet traffic from the Medium office must be routed primarily via the MPLS path (via R50) and must only be routed via R51 if the primary uplink or its control-plane is down. R60 must always route Internet traffic locally via the ISP#1 (i.e R60 must perform Direct Internet Access). SW600 must always receive a default route from R60 via BGP. R60 must enable all its LAN hosts to communicate with the Internet. You are allowed to configure one static route and one interface with PBR on R60. None of the corporate prefixes in /8 may ever appear in the VRF INTERNET of the R60. Do not remove any pre-configuration. Solution:

48 Section-3.4: LAN to LAN IPsec R24 is preconfigured as an IPsec hub and listens to remote peers to initiate crypto sessions. Configure the network as the following requirements: R71 must encrypt and encapsulate traffic towards R24 when any LAN host ( /16) attempts to communicate with any corporate resource (located in /8). User7 must be able to ping Server2 as shown below. When the crypto session is up, R24 must see the must same output as shown below. Do not change any pre-configuration in R24 in order to accomplish this task. You are allowed to configure one static route in one device only in order to achieve the previous requirements. User7#ping Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:!!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/4 ms User7#traceroute numeric Type escape sequence to abort. Tracing the route to VRF info: (vrf in name/id, vrf out name/id) msec 0 msec 0 msec 2 * * * msec 4 msec 4 msec msec * 3 msec R24#show crypto session crypto session current status Interface: Ethernet0/0 Session Status: UP-ACTIVE Peer: port 4500 Session ID: 0 IKEv1 SA: local /4500 remote /4500 Active IPSEC FLOW: permit ip / / Active SAs: 4, origin: dynamic crypto map

49 Solution:

50

51 Section-4: Infrastructure Security Section-4.1: Device Security The network architect has decided to secure the DC#1 VLAN 2001 against unwanted or rogue Router Advertisement (RA) messages in order to ensure that SW111 is always selected as the default router by any host that is located In VLAN Configure the DC#1 network as the following requirements: SW111 must analyze all RSs received on any ports of VLAN 2001 (Including Eth0/0, Eth0/1, Eth0/2, Eth0/3) and it must filter out RAs that are sent by unauthorized devices. SW111 must send own RA with the Default Router Preference (DRP) bits set to "high". Solution:

52 Section-4.2: Network Security The network architect requires the link with Partner#1 (connected to R42 in Large office) to be secured against spoofing attacks. Configure the Large office network as the following requirements: R42 must drop traffic received from the partner if the source IP address is not reachable via its interface E0/2. No additional configuration must be required if any new prefix is received from the partner#1. Do not configure any access-list in order to achieve the previous requirements. Solution:

53 SECTION 5: INFRASTRUCTURE SERVICES Section-5.1: System Management SW200 is experiencing high CPU when a Network Management System (NMS, which is located in the DC#1) polls its dot1dbridge MIB. Configure SW200 as the following requirements: Exclude the dot1dbridge MIB from the available MIBs. All other MIB supported by SW200 must still be available to the NMS. Only hosts residing in the /16 network are allowed to poll SW200 using the read-only community string "ccie" (without quotes). SW200 must ignore SNMPv1 requests for that community and must respond to SNMP v2c requests. Solution:

54 Section-5.2: Quality of Service Configure the medium office network as per the following requirements: The interface E0/0 of R50 must shape its overall egress traffic to 10 Mbps. When forwarding traffic out of its interface E0/0,R50 must differentiate four different traffic classes as described below: Traffic policy: Overall shaper to 10Mbps LLQ with four queues Traffic classes: Class Name Match Queue Type Queue Size voice dscp ef Priority Max 2% (even without congestion) signaling dscp af31 Normal Guaranteed remaining 5% in case of congestion video dscp af41 Normal Guaranteed remaining 20% in case of congestion Class-default All the rest Normal Guaranteed remaining 50% in case of congestion Note: use the exact same names for the traffic classes as shown above. Solution:

55 Section-5.3: Network Services 1 The DC#1 network must assign dynamic IPv6 addresses to hosts in VLAN For simplicity, the Admin has decided to use SW111 as the DHCPv6 server. Configure the network as the following requirements: SW111 must dynamically assign IPv6 addresses to any DHCPv6 client that is connected to its interface VLAN2001. Interface E0/0 of Server1 must receive an IPv6 route from SW111, as well as the domain name "hollymaya.org" and the DNS server 2001:CC:1E:1::1 Do not remove any preconfiguration in Server1 in order to accomplish the previous requirements. Solution:

56 Section-5.4: Network Services 2 The network architect requires first hop redundancy at the Headquarters network. Configure the Headquarter's network as the following requirements: SW300 and SW301 must share a vital IP address as follows: must be virtual default gateway for VLAN 2001; Both switches must use the same number for FHRP groups as the VLAN number they serve. Under stable conditions with all devices and links operational, the active role must be taken on by the STP root switch in the respective VLAN. If the active switch is down, the standby must take over the active role within roughly 3 seconds (accounting for built-in jitter) If the default active switch comes back up, it must first wait 2 minutes before attempting to take the active role. Solution:

57 THE END