A5 byCCIEMAN2016 - Nonvrf

CCIE R&S LAB CFG H2/A5
Section 1 Layer 2 Technologies

1.1 Jamesons Datacenter: Access port
There has been preconfigured in Jamesons Datacenter. SW3 is the server and the other three
switches are clients. Do not modify this configuration. Some other configuration was already
started but it is your responsibility to verify and complete them. Configure all four switches in
Jamesons datacenter network (AS 65002) as per the following requirements:
All unused ports must be configured in VLAN 999 and administratively shutdown. Refer to
Table 1: Jamesons VLAN to Port Mapping to figure out which ports are used and unused.
Accessports must immediately transition to the forwarding state upon link up, as long as
they do not receive a BPDU. Use a unique command per switch to enable this feature.
If an accessport received a BPDU, it must automatically shutdown, generate a syslog and a
SNMP trap (to solve this issue add. Use a unique command per switch to enable to this
feature.
Ports that were shutdown must always rely on a manual intervention to recover.
VLAN 911 (10.2.100.X/24) will be used as the management VLAN in Jamesons datacenter.
Ensure that all datacenter switches are able to ping each other IP address in the management VLAN.
SW5 and SW6 are lowend access switches and they do not have much processing power.
Ensure that their only Layer 3 interfaces are Loopback0 and VLAN 911.
SW3 and SW4 are robust and powerful distribution switches. Ensure that they maintain a
Layer 3 interface for all local VLANs as well as all access VLANs, as specified in Table 1: Jamesons
VLAN to Port Mapping.
################
WARNING
##################
PAY ATTENCION GUYS, CISCO PUT INTERFACE SW4,SW5,SW6 ON ACCESS MODE,
AND ALL INTERFACE IN SHUTDOWN. WHEN WE START EXAM, UP INTERFACE AND
ENABLED BPDUGUARD, INTERFACE GOES DOWN AGAIN. THIS WAS A WRAP FROM
CISCO.
########################################
####################### TIP ####################
INTERFACE ARE DIFERENCES, EQUAL TOPOLOGY BELLOW, PORTCHANNEL WAS PRECONFIGURED, BUT INTERFACES WE NEED PUT INSIDE PORTCHANNEL!
Solution:
SW3:
vtp domain CCIE
vtp mode server
!
spanning-tree portfast bpduguard default
spanning-tree portfast default
snmp-server enable trap syslog
!
vlan 34,100,153,156,164,173,184,911,999
!
interface range e0/1,e0/3,e2/0-3
switchport mode access
switchport access vlan 999
shutdown
!
interface e0/0
interface e0/2
!
SW4:
vtp domain CCIE
vtp mode client
!

!
interface range e0/1,e0/3,e2/0-3
shutdown
!
interface e0/0
interface e0/2
!
SW5:
vtp domain CCIE
vtp mode client
!
!
interface range e2/0-3
shutdown
!
interface e0/0
!
!
SW6:
vtp domain CCIE
vtp mode client
!
!
shutdown
!
interface e0/0

!
Check:
Spanning-tree
Check all switches.

1.2 Jamesons Datacenter: Trunk ports
Refer to Diagram 1: Jamesons Layer 2 Connections and Table 1: Jamesons VLAN to Port
Mapping.
Configure Jamesons datacenter network (AS 65002) as per the following requirements:
All interswitch links must be configured to use dot1q encapsulation.
Ensure that no switch attempt to negotiate the trunk parameters.
Ensure that all four switches send and receive untagged frames on VLAN 1.
All four switches must maintain a separate Spanningtree instance for each VLAN.
Spanningtree must immediately delete dynamically learned MAC address entries on a
perport basis upon receiving a topology change.
SW3 must be the root switch for all VLANs. SW4 must be the backup root switch for all
VLANs. Ensure that they both have the best chances of maintaining their respective role even if any
new normalrange VLAN were to be added in the future.
Solution:
SW3:
!
spanning-tree mode rapid-pvst
spanning-tree vlan 1-1001 priority 0
!
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonego
!
SW4:
spanning-tree vlan 1-1001 priority 4096
!
switchport nonego
!
SW5:
!

switchport nonego
!
SW6:
!
switchport nonego
!
Check:
1.3 Jamesons Datacenter: Link bundling

Refer to Diagram 1: Jamesons Layer 2 Connections and Diagram 2: Initial Topology Configure
Jamesons datacenter network as per the following requirements:
All four switches must bundle trunk ports so that they maintain a single logical link to each
other (excepted between SW5 and SW6), as shown in the Diagram 2: Initial Topology.
Ensure that no switch attempt to negotiate which ports should become active in the bundle.
The distribution switches SW3 and SW4 must balance traffic between all members of the
link bundle based on source and destination IP addresses.
The access switches SW5 and SW6 must balance the income traffic (that is originated from
server) between all members of the link bundle based on the servers MAC address.
PS.: This output no exactly equal on exam.

Solution:
SW3:
channel-group 35 mode active
!
interface Port-channel35
!
!
!
port-channel load-balance src-dst-ip
!
SW4:
interface ran e1/0-1

!

!
interface ran e1/2-3
!
!
port-channel load-balance src-dst-ip
SW5:
!
channel-group 35 mode passive
!
!
!
port-channel load-balance src-mac
SW6:
!
!
!
!
port-channel load-balance src-mac
Check:
1.4 Jamesons Branch Offices

Refer to Diagram 1: Jamesons Layer 2 Connections. Configure interface Ethernet0/0 in Jamesons
branch routers R19, R20 and R21 as per the following requirements:
The Ethernet WAN links must rely on a Layer 2 protocol that supports link negotiation and
authentication.
The service provider expects that the branch routers complete a threeway handshake by
providing the expected response of a challenge that is sent by R49.
R19 must use the username JamesonsR19 and password CCIE (without quotes).
The interface Eth0/0 of all three routers must receive an IP address from R49.
Ensure that all three routers can ping the IP address of each others interface Eth0/0.
You are allowed to configure a single static route in each branch router to achieve the
previous requirement.

Solution:
R19
!
interface Dialer0
ip address negotiated
encapsulation ppp
dialer pool 1
ppp chap hostname Jamesons-R19
ppp chap password 0 CCIE
ppp ipcp route default
!
interface Ethernet0/0
pppoe enable
pppoe-client dial-pool-number 1
!
ip route 192.0.2.0 255.255.255.0 dialer1
R20
!
interface Dialer0
encapsulation ppp
dialer pool 1
!
pppoe enable
!
ip route 192.0.2.0 255.255.255.0 dialer1
R21
!
interface Dialer0
encapsulation ppp
dialer pool 1
!
pppoe enable

!
ip route 192.0.2.0 255.255.255.0 dialer1
Check:
Section 2 Layer 3 Technologies

2.1 Jamesons IGP, part 1
Refer to Diagram 2: Initial Topology. The configuration was already started. It is your responsibility
to complete and verify all requirements.
Configure Jamesons network (AS 65001 and AS 65002) according to the following requirements:
Ensure that all routers use their interface Lo0 as OSPF routerid.
Ensure that OSPF is not running on any interface that is facing another BGP AS.
SW5 and SW6 must not participate in OSPF at all.
Do not use the network statement under the router ospf configuration anywhere in the
core network (AS 65001).
Do not change the default OSPF cost of any interface anywhere.
Ensure that R1, SW1 and SW2 are elected the designated router on all of their interfaces,
and that they have the best chances of maintaining that role as long as their interfaces are up.
Ensure that R2 is elected the Backup Designated router on all of their interfaces, and that it
has the best chances of maintaining that role as long as its interfaces are up.
Solution:
-------------------|Datacenter Network|
-------------------SW3
router ospf 65002
router-id 10.255.1.103
network 10.2.0.6 0.0.0.0 area 0

network
network
network
network
network
10.2.0.13 0.0.0.0 area 0

10.2.0.37 0.0.0.0 area 0
10.2.1.253 0.0.0.0 area 0
10.2.100.103 0.0.0.0 area 0
10.255.1.103 0.0.0.0 area 0
!
SW4
router ospf 65002
router-id 10.255.1.104
network 10.2.0.10 0.0.0.0 area 0
network 10.2.0.14 0.0.0.0 area 0
network 10.2.0.41 0.0.0.0 area 0
network 10.2.1.254 0.0.0.0 area 0
network 10.2.100.104 0.0.0.0 area 0
network 10.255.1.104 0.0.0.0 area 0
!
R15
router ospf 65002
router-id 10.255.1.15
network 10.2.0.1 0.0.0.0 area 0
network 10.2.0.5 0.0.0.0 area 0
network 10.255.1.15 0.0.0.0 area 0
R16
router ospf 65002
router-id 10.255.1.16
network 10.2.0.2 0.0.0.0 area 0
network 10.2.0.9 0.0.0.0 area 0
network 10.255.1.16 0.0.0.0 area 0
R17
router ospf 65002
router-id 10.255.1.17
network 10.2.0.38 0.0.0.0 area 0
network 10.255.1.17 0.0.0.0 area 0
---------------------|Headquarters Network|
---------------------SW1
interface vlan101
ip ospf priority 255

!
router ospf 65002
router-id 10.255.1.101
network 10.1.1.254 0.0.0.0 area 0
network 10.1.254.254 0.0.0.0 area 0
network 10.255.1.101 0.0.0.0 area 0
R11
router ospf 65002
router-id 10.255.1.11
network 10.1.254.1 0.0.0.0 area 0
network 10.255.1.11 0.0.0.0 area 0
R12
router ospf 65002
router-id 10.255.1.12
network 10.1.254.2 0.0.0.0 area 0
network 10.255.1.12 0.0.0.0 area 0
-------------|Main Network|
-------------SW2
interface vlan101
!
router ospf 65002
router-id 10.255.1.102
network 10.3.1.254 0.0.0.0 area 0
network 10.3.254.254 0.0.0.0 area 0
network 10.255.1.102 0.0.0.0 area 0
R13
router ospf 65002
router-id 10.255.1.13
network 10.3.254.1 0.0.0.0 area 0
network 10.255.1.13 0.0.0.0 area 0
R14
router ospf 65002
router-id 10.255.1.14
network 10.3.254.2 0.0.0.0 area 0
network 10.255.1.14 0.0.0.0 area 0

-------------|CORE Network|
-------------R1
router ospf 65001
router-id 10.255.1.1
!
inte ran e0/0-3,e1/0,lo0
ip ospf 65001 area 0
!
R2
router ospf 65001
!
inte ran e0/0-3,e1/0,lo0
!
R3
router ospf 65001
!
inte ran e0/0,e0/2,lo0
!
R4
router ospf 65001
!
inte ran e0/0,e0/2,lo0
!
R5
router ospf 65001
!
inte ran e0/0-1,lo0
!

R6
router ospf 65001
!
inte ran e0/0-1,lo0
!
R7
router ospf 65001
!
inte ran e0/3,lo0
!
R8
router ospf 65001
!
inte ran e0/3,lo0
!
Check:
Tip: look loopback address.
2.2 Jamesons IGP, part 2

Refer to Diagram 2: Initial Topology. Configure Jamesons branch network according to the
following requirements:
R17 must propagate a default route in its OSPF domain, but only if it already has a default
route in its routing table.
Do not redistribute BGP into OSPF and vice versa on R17.
Each branch router must establish an OSPF adjacency with R17 and must receive a default
route via OSPF. They may not receive any other LSA type 3 from the ABR.
Each branch router must advertise their interface Lo0 and Eth0/1 into OSPF.
None of the branch routers may attempt to elect a Designated Router on their Tunnel0
interface.
Solution (you cannt do this section, before do section 3.1(dmvpn), this is prereq):

R17
router ospf 65002
area 51 stub no-summary
network 10.100.0.1 0.0.0.0 area 51
!
R19
router ospf 65002
router-id 10.255.1.19
area 51 stub
network 10.16.1.1 0.0.0.0 area 51
network 10.100.0.19 0.0.0.0 area 51
network 10.255.1.19 0.0.0.0 area 51
!
R20
router ospf 65002
router-id 10.255.1.20
area 51 stub
network 10.16.2.1 0.0.0.0 area 51
network 10.100.0.20 0.0.0.0 area 51
network 10.255.1.20 0.0.0.0 area 51
!
R21
router ospf 65002
router-id 10.255.1.21
area 51 stub
network 10.16.3.1 0.0.0.0 area 51
network 10.100.0.21 0.0.0.0 area 51
network 10.255.1.21 0.0.0.0 area 51
!
Check (usually, I make section 3.1 before this section, but now I created this
section this normal sequence, cuz this this moment we cannot see ospf neighbor UP.
You can jump to section 3.1 and apply solution for test):

2.3 Jacobs IGP
Refer to Diagram 2: Initial Topology. Jacobs network is partly preconfigured. It is your
responsibility to verify and complete them. Configure EIGRP for IPv4 in Jacobs core network (AS
65006) according to the following requirements:
All EIGRP routers must support 64bit metric calculations and Routing Information Base (RIB)
scaling in EIGRP topologies.
The interface Lo0 of each router must be seen as an internal EIGRP prefix by all other routers
in their local domain.
Ensure that EIGRP is not running on any interface that is facing another AS. Use any method
to accomplish this requirement.
Jacobs core network must use the EIGRP autonomous system number 1.
R52 must inject its interface Lo52 into EIGRP as an external prefix.
All EIGRP core routers R50, R51,R52 must add the administrative tag 172.172.172.172 to
all
prefixes that they inject into EIGRP.
Ensure that operators can filter routes by using the route tag wildcard mask.
The following output must be seen on R50:
Solution:
--------------|CORE JACOBs|
--------------R50
route-tag notation dotted-decimal

!

router eigrp CCIE
!
address-family ipv4 unicast autonomous-system 1
!
topology base
exit-af-topology
network 172.30.1.50 0.0.0.0
network 172.30.100.1 0.0.0.0
eigrp default-route-tag 172.172.172.172
exit-address-family
R51

!
router eigrp CCIE
!
!
topology base
exit-af-topology
network 172.30.1.51 0.0.0.0
network 172.30.100.2 0.0.0.0
exit-address-family
R52
interface Loopback52
ip address 52.52.52.52 255.255.255.255
!
!
route-map connected permit 10
match interface Loopback52
set tag 172.172.172.172
!
!
router eigrp CCIE
!
!
topology base
redistribute connected metric 10000 1000 255 1 1500 route-map connected
exit-af-topology
network 172.30.1.52 0.0.0.0
network 172.30.100.3 0.0.0.0
exit-address-family

!
------------------------------| Headquarter network JACOBs|

------------------------------SW10
no router eigrp 10
!
router eigrp CCIE
!
!
topology base
exit-af-topology
network 172.18.1.254 0.0.0.0
network 172.18.2.254 0.0.0.0
network 172.18.254.254 0.0.0.0
network 172.30.1.110 0.0.0.0
!
R56
no router eigrp 10
!
router eigrp CCIE
add ipv4 auto 10
network 172.18.254.2 0.0.0.0
network 172.30.1.56 0.0.0.0
!
R55
no router eigrp 10
!
router eigrp CCIE
add ipv4 auto 10
network 172.18.254.1 0.0.0.0
network 172.30.1.55 0.0.0.0
!
-------------------------| Office network JACOBs|

-------------------------SW11

no router eigrp 10
!
router eigrp CCIE
add ipv4 auto 10
network 172.17.1.254 0.0.0.0
network 172.17.254.254 0.0.0.0
network 172.30.1.111 0.0.0.0
!
R58
no router eigrp 10
!
router eigrp CCIE
add ipv4 auto 10
network 172.17.254.1 0.0.0.0
network 172.30.1.58 0.0.0.0
!
Check:
2.4 Jamesons Premerge

Refer to the Overall Scenario, Diagram 2: Initial Topology and Diagram 4: Premerge Topology.
Jamesons decided to enable MPLS VPN in their network Configure Jamesons network as per the
R11, R12, R13 and R14 must redistribute OSPF into BGP and they must advertise a default
route into their respective OSPF domain. They may not redistribute BGP into OSPF.
R15 and R16 must mutually redistribute OSPF and BGP.
R11, R12, R13 and R14 must advertise only four prefixes via eBGP to Jamesons core network
as follows:
o R11 and R12 must advertise 10.1.0.0/16, 10.255.1.11/32, 10.255.1.12/32 and
10.255.1.101/32;
o R13 and R14 must advertise 10.3.0.0/16, 10.255.1.13/32, 10.255.1.14/32 and
10.255.1.102/32;
R1 must reflect IPv4 BGP prefixes to all core routers except R2. All internal BGP peering must
be established using interface Lo0.
Ensure that each Jamesons site receives BGP prefixes from other sites.
A very smaller output as the one shown below must be seen on R11, R12, R13 and R14 (only
the nexthop, version and updategroup may differ).
R11#sh ip top 10.2.0.0/16
PS.: you dont see this output this point. You need done section 3.2
and 3.4 for see this output.
Solution:
R11
router ospf 65002
default-information originate
!
ip prefix-list ebgp permit 10.1.0.0/16
!
router bgp 65002
aggregate-address 10.1.0.0 255.255.0.0 summary-only
redistribute ospf 65002
neighbor 10.254.0.53 prefix-list ebgp out
neighbor 10.255.1.12 next-hop-self
!
R12
router ospf 65002

!
!
router bgp 65002

!
R13
router ospf 65002
!
!
router bgp 65002
!
R14
router ospf 65002

!
!
router bgp 65002
aggregate-address 10.3.0.0 255.255.0.0 suumary-only
!
R15
router ospf 65002
redistribute bgp 65002 subnets
!
router bgp 65002
redistribute ospf 65002 match internal external
R16
router ospf 65002

redistribute bgp 65002 subnets
!
router bgp 65002
redistribute ospf 65002 match internal external
R1
router bgp 65001
bgp router-id 10.255.1.1
bgp log-neighbor-changes
neighbor ibgp peer-group
neighbor ibgp remote-as 65001
neighbor ibgp update-source Loopback0
neighbor 10.255.1.3 peer-group ibgp
!
address-family ipv4
neighbor ibgp route-reflector-client
neighbor 10.255.1.3 activate
!
R3
router bgp 65001
neighbor 10.255.1.1 remote-as 65001
neighbor 10.255.1.1 up lo0
address-family ipv4
!
R4
router bgp 65001
address-family ipv4

!
R5
router bgp 65001
address-family ipv4
!
R6
router bgp 65001
address-family ipv4
!
R7
router bgp 65001
address-family ipv4
!
R8
router bgp 65001
address-family ipv4
!
2.5 Jacobs Premerge
COMPLETELY DIFERENCE ON EXAM! DONT REMEMBER EXACTLY WHAT

WORDS CISCO SAY, BUT WE DONT DO NOTHING. TASK HERE, ONLY

DIRECTION YOU TO USE SoO ON PE SIDE JAMESON SITE. REDISTRIBUT
EIGRP+FILTER FOR CONTROL LOOP WAS PRE-CONFIGURED ON EXAM
Refer to the Overall Scenario, Diagram 2: Initial Topology and Diagram 4: Premerge Topology.
Jamesons decided to enable MPLS VPN in their network Configure Jamesons network as per the
R55, R56and R58 must redistribute EIGRP and BGP
Solution:
R55
router eigrp CCIE
!
!
topology base
redistribute bgp 65005 metric 1000 100 255 1 1500
!
ip prefix-list EIGRP permit 172.18.0.0/16 le 32
!
route-map EIGRP permit 10
match ip address prefix-list EIGRP
router bgp 65005
redistribute eigrp 10 route-map EIGRP
aggregate 172.18.0.0 255.255.0.0 summary-only
!
R56
router eigrp CCIE
!
!
topology base
!
ip prefix-list EIGRP permit 172.18.0.0/16 le 32
!
route-map EIGRP permit 10
match ip address prefix-list EIGRP
router bgp 65005
redistribute eigrp 10 route-map EIGRP
aggregate 172.18.0.0 255.255.0.0 summary-only
!
R58

router bgp 65007
redistribute eigrp 10
!
Check:
Check if each prefix is sending for router border. This moment you dont received
nothing, cuz MPLS SETUP no configure yet. After section 3.2,3.3,3.4 you should see
routes receive. Check only if you sent network.
2.6 Merge phase 1: BGP

Refer to the Overall Scenario and Diagram 5: Merge Phase: 1 Jamesons and Jacobs started the
first phase of their merge and add a new border router in their respective main site (R18 and R57).
Configure the network as per the following requirements:
Interface Lo0 of both R18 and R57 must be add into their respective IGP domain.
Interface Eth0/1 of both R18 and R57 must peer with its connected IGP neighbor.
Both R18 and R57 must advertise a summary prefix via eBGP to each other as follows:
o R18 advertises 10.0.0.0/8
o R57 advertises 172.0.0.0/8
Both R18 and R57 must propagate the received summary prefix into their respective IGP
domain.
Solution:
R18
ip prefix-list merge seq 5 permit 10.0.0.0/8
!
router ospf 65002
router-id 10.255.1.18
redistribute bgp 65002 subnets metric-type 1
network 10.2.0.42 0.0.0.0 area 0

network 10.255.1.18 0.0.0.0 area 0
!
!
router bgp 65002
neighbor 10.2.0.46 prefix-list merge out
aggregate-address 10.0.0.0 255.0.0.0
!
R57
ip prefix-list merge permit 172.0.0.0/8

!
router eigrp CCIE
!
!
topology base
exit-af-topology
network 172.18.2.1 0.0.0.0
network 172.30.1.57 0.0.0.0
exit-address-family
!
router bgp 65005
redistribute eigrp 10
neighbor 10.2.0.45 prefix-list merge out
aggregate-address 172.0.0.0 255.0.0.0
!
Check:
2.7 Merge phase 2: IGP

Refer to Diagram 2: Initial Topology and Diagram 6: Merge Phase 2. Jamesons and Jacobs are
entering in the second phase of the merge and have deployed two new border routers in their
respective core network.
Configure the core networks as per the following requirements:
R9 and R10 must run OSPF on their interface Eth0/0 and Lo0.
R9 and R10 must run EIGRP on their interface Eth0/1.
R53 and R54 must run EIGRP on all of their interfaces.
Mutually redistribute EIGRP and OSPF on both R9 and R10
Avoid routing loops and ensure that all current and future prefixes are routed via their
optimal path. Do not use any accesslist or prefixlist in order to achieve this requirement.
Do not change any administrative distance of any protocol in any router.
Solution:
R9
!
route-map loop deny 10
match tag 172.172.172.172
route-map loop permit 20
!
router ospf 65001
redistribute eigrp 1 subnets
distribute-list route-map loop in
!

inte ran e0/0,lo0
!
!
router eigrp CCIE
!
!
topology base
redistribute ospf 65001 metric 10000 1000 255 1 1500
exit-af-topology
network 10.254.0.61 0.0.0.0
!
R10
!
route-map loop deny 10
match tag 172.172.172.172
route-map loop permit 20
!
router ospf 65001
router-id 10.255.1.10
redistribute eigrp 1 subnets
distribute-list route-map loop in
!
inte ran e0/0,lo0
!
router eigrp CCIE
!
!
topology base
redistribute ospf 65001 metric 10000 1000 255 1 1500
exit-af-topology
network 10.254.0.65 0.0.0.0
R53
router eigrp CCIE
topology base
exit-af-topology
network 10.254.0.62 0.0.0.0
network 172.30.1.53 0.0.0.0
network 172.30.100.4 0.0.0.0

R54
router eigrp CCIE
!
!
topology base
exit-af-topology
network 10.254.0.66 0.0.0.0
network 172.30.1.54 0.0.0.0
network 172.30.100.5 0.0.0.0
Check:
Both solutions you should get prefix 52.52.52.52/32 on R9/R10 by EIGRP
2.8 Merge phase 2: Routing Policies
Refer to the Overall Scenario, Diagram 2: Initial Topology and Diagram 6: Merge Phase 2.
Network managers have decided that the primary path for all traffic between Jamesons
10.2.1.0/24 and Jacobs 172.18.1.0/24 must be routed preferably via the BGP backdoor link
between R18 and R57. If this link should fail then traffic should fall back over the MPLS core
network.
All other traffic must be routed preferably via the MPLS core network.
Do not configure any routemap nor accesslist in order to achieve this requirement.
Ensure that the following test reveals the same path as shown below:
Solution:
R18
ip prefix-list merge seq 10 permit 10.2.1.0/24
!
clear ip bgp * out
R57
ip prefix-list merge permit 172.18.1.0/24
!
clear ip bgp * out
Check:
This moment, you dont make section 5.1 and 5.3 (dhcp and hsrp) so you cannot
test from PC. For test, use source vlan over swich. Too you dont make section MPLS
vpn, so you dont get traceroute over MPLS cloud. We can test for specfic network.
2.9 IPv6 Routing, part 1

Refer to Diagram 2: Initial Topology. Jamesons started deploying IPv6 in dualstack mode in the
datacenter. Configure Jamesons datacenter network as per the following requirements:
Establish OSPFv3 adjacencies in Area 0 between SW3, SW4, R15 and R16.
Do not use the command ipv6 ospf anywhere in order to accomplish the previous
requirement.
Interface VLAN 100 of SW3 must be configured with default route preference set to high.
Interface VLAN 100 of SW4 must be configured with default route preference set to
medium.
The interval between Router Advertisement transmissions on VLAN 100 must be set 20
seconds on both SW3 and SW4.
Solution:
SW3
ipv6 unicast-routing
!
router ospfv3 65002
router-id 10.255.1.103
!
interface range l0, vlan153, vlan34
ospfv3 65002 ipv6 area 0
!
interface vlan 100
ipv6 nd router-preference High
ipv6 nd ra interval 20
SW4
!
router ospfv3 65002
router-id 10.255.1.104
!
interface range l0, vlan34
!
interface vlan 100
ipv6 nd router-preference medium
ipv6 nd ra interval 20
R15

!
ipv6 router ospf 65002
router-id 10.255.1.15
!
inte ran lo0,e0/0,e0/2
!
R16
!
Ipv6 router ospf 65002
router-id 10.255.1.16
!
interface range e0/0, e0/2
!
Check:
2.10 IPv6 Routing, part 2

Configure Jamesons datacenter network as per the following requirements:
SW3 and SW4 must provide firsthop redundancy for hosts in VLAN 100 by sharing the
virtual linklocal address FE80:100::1.
SW3 must be elected as the active router and SW4 must be elected the standby router

In case SW3 is down, SW4 must take over the active role. If SW3 comes back online, it
must automatically recover the active role from SW4.
Ensure that HSRP Hello packets are exchanged every second and that the standby takes
over the active role if three consecutive Hello packets were missed from the active.
Solution:
SW3
interface vlan 100
standby version 2
standby 6 ipv6 FE80:100::1
standby 6 preempt
standby 6 priority 105
standby 6 timers 1 3
SW4
interface vlan 100
ipv6 address 2001:6500:2:100::34/64
standby version 2
standby 6 ipv6 FE80:100::1
standby 6 preempt
R101
inte e0/0
ipv6 address autoconfig
Check:
2.11 Multicast in Jamesons

Refer to Diagram 2: Initial Topology. An application running on server R101 (which is located in
Jamesons datacenter) uses multicast to deliver specific traffic to users located in Jamesons branch
network. Configure Jamesons network as per following requirements:
Use PIM Sparsemode.
The interface Lo0 of R15 must be elected as the Rendezvous point for the whole multicast
domain.
R15 must announce its candidacy to advertise the grouptoRP mapping set to the router
link local address.
For interoperability reasons, the selection of R17 as the RP must adhere to open standard
and must use the default priority value as per the standard.
The source SW3 uses the group address 239.1.1.1 to send traffic to interested receivers.
No use PIM command on SW3.
Receivers are located in the branch network and they are connected to the datacenter via
DMVPN.
Ensure that the following test is successful:
SW3#ping 239.1.1.1 source vlan 173

Solution:
R17
ip pim bsr-candidate lo0
ip pim rp-candidate loopback 0
!
ip multicast-routing
!
interface range e0/1, tunnel0
ip pim sparse-mode
!
R19
!
!
ip pim sparse-mode
!
interface e0/1
ip igmp join-group 239.1.1.1
R20
!
ip pim sparse-mode
!
interface e0/1
R21
!
ip pim sparse-mode
!
interface e0/1
Check:
Section 3 VPN Technologies
3.1 Jamesons Branch Offices

Refer to Diagram 2: Initial Topology. Configure DMVPN Phase 3 in Jamesons branch network as
per the following requirements:
Use the preconfigured interface Tunnel0 on all four routers in order to accomplish this
task.
R17 must be configured as the hub router.
R19, R20 and R21 must be the spoke routers and must participate in the NHRP information
exchange.
Ensure that spoketospoke traffic does not transit via the hub.
Protect the tunneled traffic by attaching the preconfigured IPsec profile to the tunnel
interface on all tunnel endpoints.
Ensure that all spoke establish an OSPF adjacency through the tunnel with the hub R17,
without attempting to elect any Designated Router.
Ensure that the following test are successful:
Solution:
ON EXAM, CRYPTO POLICY WAS PRE-CONFIGURED, WE NEED PUT ON INTERFACE;
R17
interface Tunnel0
ip mtu 1400
ip nhrp authentication 65002key

ip nhrp map multicast dynamic
ip nhrp network-id 65002
ip nhrp holdtime 300
ip nhrp redirect
ip ospf network broadcast
tunnel protection ipsec profile cisco
!
R19
!
!
interface Tunnel0
ip mtu 1400
ip nhrp map multicast 192.0.2.2
ip nhrp map 10.100.0.1 192.0.2.2
ip nhrp nhs 10.100.0.1
ip nhrp shortcut
ip ospf priority 0
tunnel source Dialer0
tunnel vrf LOCALSP
!
R20
interface Tunnel0
ip mtu 1400
ip nhrp map 10.100.0.1 192.0.2.2
ip nhrp shortcut
ip ospf priority 0
tunnel vrf LOCALSP
!
R21
interface Tunnel0
ip mtu 1400

ip nhrp map 10.100.0.1 192.0.2.2
ip nhrp shortcut
ip ospf priority 0
tunnel vrf LOCALSP
!
Check:
3.2 Jamesons Premerge VPN

Refer to the Overall Scenario and Diagram 4: Premerge Topology. Jamesons decided to enable
MPLS VPN in their network. They started configuring it but it is your responsibility to complete it
and verify that it is fully functional.
Configure Jamesons network as per the following requirements:

Enable LDP in the core network as indicated in Diagram 4: Premerge Topology.
Ensure that all LDP routers use their interface Lo0 as their LDP routerid.
R1 must reflect VPNv4 prefixes to all PEs.
The datacenter and main office network must be connected to the VPN GREEN via eBGP.
The headquarter network must be connected to the VPN RED via eBGP.
All six PEs must use a consistent format ASN.nn for the VPN route distinguisher, where:
o
o
ASN is the Autonomous System Number of the connected CE

nn is any relevant number for the VPN site.
Ensure that R101 in the datacenters VLAN 100 can successfully ping SW2 in the main
office as shown below:

Solution:
R1
mpls ldp router-id lo0 force
!
inte ran e0/0-3,e1/0
mpls ip
!
router bgp 65001
address-family vpnv4
neighbor ibgp send-community extended
neighbor ibgp route-reflector-client
!
R2
!
inte ran e0/0-3,e1/0
mpls ip
R3
!
inte ran e0/0,e0/2
mpls ip
!
ip vrf GREEN
rd 65002:3
!
int e0/1
ip vrf forwarding GREEN
ip address 10.254.0.73 255.255.255.252
!
router bgp 65001
no neighbor 10.254.0.74 remote-as 65002
!
neighbor 10.255.1.1 send-community extended
!
add ipv4 vrf GREEN
neighbor 10.254.0.74 as-override

neighbor 10.254.0.74 soo 3:4
!
R4
!
inte ran e0/0,e0/2
mpls ip
!
ip vrf GREEN
rd 65002:4
!
int e0/1
ip address 10.254.0.77 255.255.255.252
!
!
router bgp 65001
!
!
add ipv4 vrf GREEN
neighbor 10.254.0.78 soo 3:4
!
R5
!
inte ran e0/0-1
mpls ip
!
ip vrf GREEN
rd 65002:5
!
ip address 10.254.0.41 255.255.255.252
!
router bgp 65001
!

!
address-family ipv4 vrf GREEN
neighbor 10.254.0.42 soo 5:6
R6
!
inte ran e0/0-1
mpls ip
!
ip vrf GREEN
rd 65002:6
!
ip address 10.254.0.45 255.255.255.252
!
router bgp 65001
!
add ipv4 vrf GREEN
neighbor 10.254.0.46 soo 5:6
R7
!
inte ran e0/3
mpls ip
!
ip vrf RED
rd 65002:7
!
int e0/0
ip vrf forwarding RED
ip address 10.254.0.53 255.255.255.252
!
router bgp 65001

!
add ipv4 vrf RED
neighbor 10.254.0.54 soo 7:8
!
R8
!
inte ran e0/3
mpls ip
!
ip vrf RED
rd 65002:8
!
ip vrf forwarding RED
ip address 10.254.0.57 255.255.255.252
!
router bgp 65001
!
add ipv4 vrf RED
neighbor 10.254.0.58 soo 7:8
Check:
3.3 Merge phase 2: VPN

Refer to the Overall Scenario and Diagram 6: Merge Phase 2. Jamesons and Jacobs are
entering in the second phase of the merge and have deployed two new border routers in their
respective core network. Configure the network as per the following requirements:
The BGP AS number of Jacobs original core network must be converted to use Jamesons
AS number 65001, as indicated in Diagram 6: Merge Phase 2.

All BGP sessions between Jacobs core and remote sites (including headquarters and office
networks) must be recovered using the new AS number.
Do not modify the BGP configuration of Jacobs CEs (R55, R56, R58) in order to accomplish
this requirement.
Enable LDP in the merged core network as indicated in Diagram 6: Merge Phase2,
including the four new border router (R9, R10, R53, R54) and Jacobs core network.
Ensure that all LDP routers use their interface Lo0 as their LDP routerid.
R1 must reflect VPNv4 prefixes to all PEs, including to Jacobs PE.
Jacobs headquarters network must be added to the VPN GREEN.
Jacobs office network must be added to the VPN BLUE.
All nine PEs must use a consistent format ASN.nn for the VPN route distinguisher,
where:
o ASN is the Autonomous System Number of the connected CE
o nn is any relevant number
Solution:
R9
!
mpls ip
R10
!

mpls ip
R53
!
mpls ip
R54
!
mpls ip
R50
!
interface e0/0
mpls ip
!
###ON EXAME THIS RD WAS CONFIGURED WRONG, LIKE IT BELLOW:
ip vrf GREEN
rd 100:100
###################WE NEED ERASE THIS RD AND RE-CREATE CORRECT FORM ASN:NN, WHERE
ASN IS EQUAL AS CE, NN ANY NUMBER RELEVANT;
ip vrf GREEN
rd 65005:50
!
interface e0/1
ip vrf fo GREEN
ip address 172.18.253.1 255.255.255.252
!
no router bgp 65006
!
#we need wait some sec here#
!
router bgp 65001
add ipv4 vrf GREEN
neighbor 172.18.253.2 local-as 65006
add vpnv4
neighbor 10.255.1.1 act

R51
!
interface e0/0
mpls ip
!
###ON EXAME THIS RD WAS CONFIGURED WRONG, LIKE IT BELLOW:
ip vrf GREEN
rd 100:100
###################WE NEED ERASE THIS RD AND RE-CREATE CORRECT FORM ASN:NN, WHERE
ASN IS EQUAL AS CE, NN ANY NUMBER RELEVANT;
ip vrf GREEN
rd 65005:51
!
interface e0/1
ip vrf fo GREEN
ip address 172.18.253.5 255.255.255.252
!
no router bgp 65006
!
!
router bgp 65001
add ipv4 vrf GREEN
add vpnv4
R52
!
interface e0/0
mpls ip
!
ip vrf BLUE
rd 65007:52
!
interface e0/1
ip vrf fo BLUE
ip address 172.17.253.22 255.255.255.252
!
no router bgp 65006

!
!
router bgp 65001
add ipv4 vrf BLUE
add vpnv4
R1
router bgp 65001
neighbor 172.30.1.50
!
add vpnv4
peer-group ibgp
peer-group ibgp
peer-group ibgp
act
act
act
Check:
3.4 InterVPN Routing

LOST HERE ALOT TIME, WORDS TASK ARE DIFERENCES BUT WHAT CISCO WANT WE
IMPORT ALL RT ON DC PE, AND ON OTHERS SITES IMPORT ONLY RT FROM DC.
CISCO WANT WE USED SoO SIDE JAMESON SITE.
Refer to the Overall Scenario and Diagram 6: Merge Phase 2. Configure the network as per the
Jamesons headquarters (VPN RED), main office (VPN GREEN) and Jacob office (VPN BLUE)
must receive datacenter prefixes (VPN GREEN).
Jamesons main office (VPN GREEN) may not receive headquarters (VPN RED) prefixes nor

Jacobs headquarters (VPN GREEN) prefixes.
In order to simplify future changes, your solution may not be limited to specific prefixes.
Solution:
R3
ip vrf GREEN
route-target
route-target
route-target
route-target
route-target
route-target
export
import
import
import
import
import
65001:1
65001:1
65001:2
65001:3
65001:4
65001:5
export
import
import
import
import
import
65001:1
65001:1
65001:2
65001:3
65001:4
65001:5
R4
ip vrf GREEN
route-target
route-target
route-target
route-target
route-target
route-target
R5
ip vrf GREEN
route-target export 65001:2
route-target import 65001:1
R6
ip vrf GREEN
R7
ip vrf RED
R8
ip vrf RED

R50
ip vrf GREEN
R51
ip vrf GREEN
R52
ip vrf BLUE
Check:
Section 4 Infrastructure Security

4.1 Device Security
Refer to Diagram 1: Initial Topology. Configure the network as per the following requirements:

Protect R17s controlplane from TTL expiry attacks so that illegitimate IP packets with a
TTL of 0 or 1 are dropped before the CPU processes them.
Legit packets include expected control protocols running on the link.
Solution:
R17
ip access-list extended ttl
deny pim any any
deny ospf any any
deny gre any any
deny udp any any eq isakmp
deny esp any any
deny tcp any eq 179 any
deny tcp any any eq 179
permit ip any any ttl lt 2
!
class-map match-all classttl
match access-group name ttl
!
policy-map policyttl
class classttl
drop
!
control-plane
service-policy input policyttl
4.2 Network Security

Refer to Diagram 1: Jamesons Layer 2 Connections and Diagram 2: Initial Topology.
SW5 and SW6 must filter DHCP message received by untrusted hosts by comparing the
source MAC address and the DHCP client hardware address. If the address match, the switches must
forward the packet. If the addresses do not match, the switches must drop the packet.
Ensure that these access switches do not filter DHCP packets on their uplinks.
Ensure that the DHCP relay switches (refer to item 5.1) allow DHCP message received on
their interface VLAN 100 with the added Option 82 and uninitialized GIADDR field to be
accepted.
Solution:
SW5
ip dhcp snooping

ip dhcp snooping vlan 100-101
ip dhcp verify mac
!
interface range po35,po45
ip dhcp snooping trust
SW6
ip dhcp snooping
ip dhcp snooping vlan 100-101
ip dhcp verify mac
!
interface range po36,po46
ip dhcp snooping trust
SW3
interface vlan 100
ip dhcp relay information trusted
SW4
interface vlan 100
ip dhcp relay information trusted
Check:
Section 5 Infrastructure Services

5.1 Centralized DHCP
Refer to Diagram 1: Jamesons Layer 2 Connections and Diagram 2: Initial Topology. Jamesons
R15 must centralize DHCP service for the datacenters hosts VLANs. Configure the network as per
the following requirements:
Ensure that the distribution switches SW3 and SW4 forward DHCP discover broadcast
message received from VLAN 100s hosts to interface Lo0 of R15 as unicast messages.
R15 must assign hosts in VLAN 100 a valid IP address from the prefix 10.2.1.0/24.

Ensure that addresses that were statically configured will never be assigned to any host.
The DHCP offer must include the IP address 10.2.1.1/24 as the default gateway for VLAN
100 users.
Ensure that the server R101 effectively receives an IP address from the expected prefix
10.2.1.0/24 as well as its default gateway information.
Solution:
R15
ip dhcp excluded-address 10.2.1.1
ip dhcp pool VLAN100
network 10.2.1.0 255.255.255.0
default-router 10.2.1.1
!
SW3
interface vlan 100
ip helper-address 10.255.1.15
SW4
interface vlan 100
ip helper-address 10.255.1.15
Check:
5.2 Internet Gateway

Refer to Diagram 1: Initial Topology. Configure the network as per the following requirements:

R17 is Jamesons Internet gateway router.
Ensure that R17 enables all internal hosts (that is: hosts with source IP address in the range
of 10.0.0.0/8 or 172.0.0.0/8) to simultaneously connect to the Internet using the public IP
address of interface Eth0/0. The following tests must be successful:
Solution:
R17
access-list 99 permit 10.0.0.0 0.255.255.255
access-list 99 permit 172.0.0.0 0.255.255.255
!
interface e0/0
ip nat outside
!
ip nat inside

!
ip nat inside source list 99 interface e0/0 overload
!
R15
router bgp 65002
neighbor 10.254.0.73 default-originate
R16
router bgp 65002
neighbor 10.254.0.77 default-originate
5.3 First hop redundancy

Jamesons datacenters SW3 and SW4 must offer first hop redundancy to VLAN 100s host using
HSRP. Configure the network as per the following requirements:
SW3 and SW4 must use the multicast address 224.0.0.102 in order to negotiate the active
and standby roles.
SW3 must be elected as the active router and SW4 must be elected as the standby router.
In case SW3 is down, SW4 must take over the active role. If SW3 comes back online, it
must automatically recover the active role from SW4.
Ensure that HSRP hello packets are exchanged every second and that the standby takes
over the active role if three consecutive Hello packets were missed from the active.
Both routers must share the virtual IP address 10.2.1.1 that will be used as default gateway
for VLAN 100s hosts.
Solution:
SW3
interface Vlan100
standby version 2
standby 100 ip 10.2.1.1
standby 100 priority 105
standby 100 preempt
-------------------------------SW4
interface Vlan100
standby version 2
standby 100 ip 10.2.1.1

standby 100 preempt
Check:
5.4 Tracking reachability

SW3 and SW4 must monitor the reachability of their OSPF IPv4 default route and in case it
is not available, the HSRP priority must be decreased by 10.
Solution:
SW3
track 1 ip route 0.0.0.0/0 reachability
!
interface vlan100
standby 100 track 1 decrement 10
SW4
track 1 ip route 0.0.0.0/0 reachability
!
interface vlan100
standby 100 track 1 decrement 10
Check:

A5 byCCIEMAN2016 - Nonvrf

Uploaded by

Copyright:

Available Formats

A5 byCCIEMAN2016 - Nonvrf

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

A5 byCCIEMAN2016 - Nonvrf

Uploaded by

Copyright:

Available Formats

CCIE R&S LAB CFG H2/A5

Section 1 Layer 2 Technologies

CCIE R&S LAB CFG H2/A5

CCIE R&S LAB CFG H2/A5

CCIE R&S LAB CFG H2/A5

Check all switches.

CCIE R&S LAB CFG H2/A5

CCIE R&S LAB CFG H2/A5

1.3 Jamesons Datacenter: Link bundling

CCIE R&S LAB CFG H2/A5

PS.: This output no exactly equal on exam.

interface ran e1/0-1

CCIE R&S LAB CFG H2/A5

CCIE R&S LAB CFG H2/A5

CCIE R&S LAB CFG H2/A5

1.4 Jamesons Branch Offices

CCIE R&S LAB CFG H2/A5

CCIE R&S LAB CFG H2/A5

Section 2 Layer 3 Technologies

CCIE R&S LAB CFG H2/A5

10.2.0.13 0.0.0.0 area 0

CCIE R&S LAB CFG H2/A5

CCIE R&S LAB CFG H2/A5

CCIE R&S LAB CFG H2/A5

CCIE R&S LAB CFG H2/A5

2.2 Jamesons IGP, part 2

CCIE R&S LAB CFG H2/A5

CCIE R&S LAB CFG H2/A5

route-tag notation dotted-decimal

CCIE R&S LAB CFG H2/A5

route-tag notation dotted-decimal

CCIE R&S LAB CFG H2/A5

------------------------------| Headquarter network JACOBs|

-------------------------| Office network JACOBs|

CCIE R&S LAB CFG H2/A5

CCIE R&S LAB CFG H2/A5

2.4 Jamesons Premerge

CCIE R&S LAB CFG H2/A5

router ospf 65002

CCIE R&S LAB CFG H2/A5

router ospf 65002

CCIE R&S LAB CFG H2/A5

CCIE R&S LAB CFG H2/A5

2.5 Jacobs Premerge

COMPLETELY DIFERENCE ON EXAM! DONT REMEMBER EXACTLY WHAT

CCIE R&S LAB CFG H2/A5

CCIE R&S LAB CFG H2/A5

2.6 Merge phase 1: BGP

CCIE R&S LAB CFG H2/A5

ip prefix-list merge permit 172.0.0.0/8

CCIE R&S LAB CFG H2/A5

2.7 Merge phase 2: IGP

CCIE R&S LAB CFG H2/A5

CCIE R&S LAB CFG H2/A5

CCIE R&S LAB CFG H2/A5

2.8 Merge phase 2: Routing Policies

CCIE R&S LAB CFG H2/A5

2.9 IPv6 Routing, part 1