CCIEv5 New Lab Exam Topics Free workbook

Lab 1

IP addressing & Multilayer Switch configurations

R1
int s1/0
ip add 10.1.14.1 255.255.255.0
no sh
int s1/1
ip add 10.1.15.1 255.255.255.0
no sh
int loop 1
ip add 1.1.1.1 255.255.255.255
int loop 2
ip add 11.11.11.11 255.255.255.255

R2
int s1/0
ip add 10.1.24.2 255.255.255.0
no sh
int e0/0
ip add 2.2.2.10 255.255.255.0
no sh
int loop 0
ip add 192.168.2.1 255.255.255.0
int loop 1
ip add 12.12.12.12 255.255.255.255
int loop 2
ip add 22.22.22.22 255.255.255.255
R3
int loop 0
ip add 192.168.3.1 255.255.255.0
int e0/0
ip add 3.3.3.10 255.255.255.0
no sh
R4
int s1/1
ip add 10.1.24.4 255.255.255.0
no sh
int s1/0
ip add 10.1.14.4 255.255.255.0
no sh
int loop 1
ip add 4.4.4.4 255.255.255.255
int loop 2
ip add 44.44.44.44 255.255.255.255
R5
int loop 0
ip add 192.168.1.1 255.255.255.0
int e0/0
ip add 1.1.1.10 255.255.255.0
no sh
2

int s1/0
ip add 10.1.15.5 255.255.255.0
no sh
SW1
ip routing
ip cef
vlan 1
vlan 2
vlan 3
int e1/1
sw acc vlan 1
int e0/2
sw acc vlan 2
int e0/3
sw acc vlan 3
int vlan 1
ip add 1.1.1.100 255.255.255.0
no sh
int vlan 2
ip add 2.2.2.100 255.255.255.0
no sh
int vlan 3
ip add 3.3.3.100 255.255.255.0
no sh
we will need to make R5 , R2 , R3 had layer3 connectivity to each other so we go on each one of them
and create default route point to SW1
by doing this ,SW1 will simulated as internet and connecting the three routers while they use
different subnets ,this will help us later in DMVPN Task
on R5
ip route 0.0.0.0 0.0.0.0 1.1.1.100
on R2
ip route 0.0.0.0 0.0.0.0 2.2.2.100
on R3
ip route 0.0.0.0 0.0.0.0 3.3.3.100

now we are ready to answer this lab Tasks:

3

VPN Site To Site using pre shared key Task

Create VPN site to site connection between R2 & R4 using pre shared key Cbtme and according to
following requirements:
-VPN connection must be established if loop1 in R4 communicate with loop1 in R2 or vice versa using IP
protocol or ICMP.
-Confidentiality must be secured with AES and integrity with sha in both IKE1 & IK2 phases
- make sure key will be changed after 86400 seconds
-IPsec will use Tunnel protocol
-R2 & R4 loop 1, loop 2 will be advertised using static route
EIGRP Named Mode Task

-R1 & R4 will run EIGRP AS 101 and both will advertise all connected physical interfaces but not R1 s1/1
-R1 will advertise its own loop 0 in EIGRP domain
-Both routers must configured with EIGRP md5 authentication using key #1 , Key string (cbtme)
-Both routers any physical interface will not be connected to EIGRP domain must never send any EIGRP
hello messages. And make sure auto summarization is disabled .
-R1 will use EIGRP named mode , R4 will use Classic mode
-R4 interface s1/0 will have ipv6 add 2001:10:1:14::4/64 , loop0 2001:4:4:4::4/128
-R1 interface s1/0 will have ipv6 add 2001:10:1:14::1/64 , loop0 2001:1:1:1::1/128
-Run EIGRPv6 with same requirements we follow above for ipv4 domain.
-Redistribute OSPF 100 into EIGRP 101 in R1 (in next task we will create this OSPF process)

OSPF BFD Task

-Run OSPF 100 between R1 s1/1 & R5 s1/0 using router-id 0.0.0.x where x is the router number
-Both routers will be in area 0
-Advertise R1 loop1 into your OSPF domain
-Run BFD feature in both routers interfaces but make sure its enabled only in each OSPF enabled
physical interface
-Redistribute EIGRP101 into OSPF 100
EPC Task

-In R5 capture all icmp & ipv4 packets send or receive between R5 & R1 for 15 minutes
-Create buffer with name "MYBUFFER" with size 2048 and support maximum packet size to 1518
-your capture point name must be "MYPOINT"
-export captured packet to TFTP server 10.1.34.100 so later you can analyze using wireshark

DMVPN Task

-R5. R3 , R2 will connected to each others using SW1

-each router Ethernet interface had ip address act as public ip address :
R5 E0/0 1.1.1.10
R2 E0/0 2.2.2.10
R3 E0/0 3.3.3.10
-we need to implement DMVPN solution using secured mGRE Tunnels with subnet 172.16.0.0./24
where R5 will act as HUB and R2 ,R3 will act as SPOKES
-any communication between these three routers to reach their loop 0 subnets must go through our
mGRE tunnels
R5 loop 0 network 192.168.1.1 255.255.255.0
R2 loop 0 network 192.168.2.1 255.255.255.0
R3 loop 0 network 192.168.3.1 255.255.255.0

Lab 1 Answers
VPN site to site Task
Configure ISAKMP (ISAKMP Phase 1)
Configure IPSec (ISAKMP Phase 2, ACLs, Crypto MAP)
1-Configure ISAKMP (IKE) - (ISAKMP Phase 1) and create static routes to provide layer three connectivity
to loop 0 & loop 1 as Task required .
IKE exists only to establish SAs (Security Association) for IPsec. Before it can do this, IKE must negotiate
an SA (an ISAKMP SA) relationship with the peer.
R2
ip route 4.4.4.4 255.255.255.255 10.1.24.4
ip route 44.44.44.44 255.255.255.255 10.1.24.4
crypto isakmp enable
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
exit
The above commands define the following (in listed order):
3DES - The encryption method to be used for Phase 1.
MD5 - The hashing algorithm
Pre-share - Use Pre-shared key as the authentication method
Group 2 - Diffie-Hellman group to be used
86400 Session key lifetime. Expressed in either kilobytes (after x-amount of traffic, change the key) or
seconds. Value set is the default value.

Next we are going to define a pre shared key for authentication with our peer (R2 router) by using the
following command:
crypto isakmp key 0 cisco address 10.1.24.4 255.255.255.0
The peers pre shared key is set to cisco and its public IP Address is 10.1.24.4 Every time R2 tries to
establish a VPN tunnel with R4 (10.1.24.4), this pre shared key will be used.
2- Configure IPSec (ISAKMP Phase 2, ACLs, Crypto MAP)
To configure IPSec we need to setup the following in order:
- Create extended ACL
- Create IPSec Transform
- Create Crypto Map
- Apply crypto map to the public interface

Creating Extended ACL

ip access-list ext VPN_Networks
permit ip host 12.12.12.12 host 4.4.4.4
permit icmp host 12.12.12.12 host 4.4.4.4
exit

Create IPSec Transform (ISAKMP Phase 2 policy)

crypto ipsec transform-set TS1 esp-aes esp-sha-hmac
crypto ipsec security-ass lifetime seconds 86400
Create Crypto Map
The Crypto map is the last step of our setup and connects the previously defined ISAKMP and IPSec
configuration together:
crypto map MYMAP 100 ipsec-isakmp
match address VPN_Networks
set peer 10.1.24.4
set pfs group2
set transform-set TS1
exit
Weve named our crypto map MYMAP. The ipsec-isakmp tag tells the router that this crypto map is an
IPsec crypto map.
Apply Crypto Map to the Public Interface
int S1/0
crypto map MYMAP
R4
ip route 12.12.12.12 255.255.255.255 10.1.24.2
ip route 22.22.22.22 255.255.255.255 10.1.24.2
crypto isakmp enable
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
exit
crypto isakmp key 0 cisco address 10.1.24.2 255.255.255.0
ip access-list ext VPN_Networks
permit ip host 4.4.4.4 host 12.12.12.12
permit icmp host 4.4.4.4 host 12.12.12.12
8

exit
crypto ipsec transform-set TS1 esp-aes esp-sha-hmac
crypto ipsec security-ass lifetime seconds 86400
crypto map MYMAP 100 ipsec-isakmp
match address VPN_Networks
set peer 10.1.24.2
set pfs group2
set transform-set TS1
exit
int S1/1
crypto map MYMAP
Verification :

As we can see IPsec Tunnel was down but once we triggered it by ping ip address 12.12.12.12 using
source 4.4.4.4 which match ACL we made before , tunnel become up and ping traffic send & received
encrypted . your friend command here is Show Crypto Session

EIGRP named mode

R4 will run Classic EIGRP commands ( the ones we used to type normally)
R4
key chain cisco
key 1
key-string cbtme
router eigrp 101
no auto
eigrp router-id 0.0.0.4
network 10.1.14.4 0.0.0.0
network 10.1.24.4 0.0.0.0
passive-interface s1/1
int s1/0
ip authentication mode eigrp 101 md5
ip authentication key-chain eigrp 101 cisco
ipv6 unicast-routing
ipv6 router eigrp 101
router-id 0.0.0.4
no shutdown
int s1/0
ipv6 add 2001:10:1:14::4/64
ipv6 eigrp 101
int loop0
ipv6 add 2001:4:4:4::4/128
ipv6 eigrp 101
when you finish typing these commands notice on show run that EIGRP commands not in one place ,
some commands under EIGRP section , others under interfaces it self which make your troubleshooting
in the future not easy .

10

R1 will run EIGRP Named Mode , where we can have one name represent all our EIGRP configuration
this including ipv4 or ipv6 commands and whatever its made for RIB or for VRFs using address family
concept we used to use with BGP . in EIGRP named mode NO AUTO SUMMARY IS ENABLED BY
DEFAULT .
R1
key chain cisco
key 1
key-string cbtme
router eigrp Yasser
no shutdown
add ipv4 unicast as 101
network 10.1.14.1 0.0.0.0
network 2.2.2.2 0.0.0.0
topology base
redistribute ospf 100 metric 1000 100 255 1 1500
exit
af-interface default
passive-interface
exit
af-interface serial 1/0
no passive-interface
authentication mode md5
authentication key-chain cisco
exit
exit
exit
ipv6 unicast-routing
int s1/0
ipv6 add 2001:10:1:14::1/64
int loop 0
ipv6 add 2001:1:1:1::1/128
router eigrp yasser
add ipv6 unicast as 101
( no need to write networks he will advertise all)
af-interface s1/1
passive-interface
shutdown
exit

11

12

Notice All our configuration in one place in running configuration file

In EIGRP Named Mode we have four address families available
For IPv4:
R2(config-router)#address-family ipv4 unicast autonomous-system 1
For IPv4 VRF:
R2(config-router)#address-family ipv4 unicast vrf Customer_A autonomous-system 1
For IPv6:
R2(config-router)#address-family ipv6 unicast autonomous-system 1
For IPv6 VRF
R2(config-router)#address-family ipv6 unicast vrf site_A autonomous-system 1
13

A) Address-family configuration mode:

In this mode, you can configure networks, EIGRP neighbor, EIGRP Router-id, metric etc. From this mode
you can access the other two configuration modes used in EIGRP named configuration.
R2(config-router)#address-family ipv4 unicast autonomous-system 1
R2(config-router-af)#?
Address Family configuration commands:
af-interface
default
eigrp

Enter Address Family interface configuration

Set a command to its defaults
EIGRP Address Family specific commands

exit-address-family Exit Address Family configuration mode

help

Description of the interactive help system

maximum-prefix
metric

Maximum number of prefixes acceptable in aggregate

Modify metrics and parameters for address advertisement

neighbor

Specify an IPv4 neighbor router

network

Enable routing on an IP network

no
shutdown
timers
topology

Negate a command or set its defaults

Shutdown address family
Adjust peering based timers
Topology configuration mode

R2(config-router-af)#
B) Address-family interface configuration mode:
This mode takes all the interface specific commands that were previously configured on an actual
interface (logical or physical) and moves them into the EIGRP configuration. EIGRP authentication,
Bandwidth-percentage, split-horizon, and summary-address configuration are some of the options that
are now configured here instead of in interface configuration mode.
R2(config-router-af)#af-interface fa0/0
R2(config-router-af-interface)#?
Address Family Interfaces configuration commands:

14

authentication

authentication subcommands

bandwidth-percent Set percentage of bandwidth percentage limit

bfd

Enable Bidirectional Forwarding Detection

dampening-change Percent interface metric must change to cause update

dampening-interval Time in seconds to check interface metrics
default

Set a command to its defaults

exit-af-interface Exit from Address Family Interface configuration mode

hello-interval
hold-time

Configures hold time

next-hop-self
no

Configures hello interval

Configures EIGRP next-hop-self

Negate a command or set its defaults

passive-interface Suppress address updates on an interface

shutdown

Disable Address-Family on interface

split-horizon

Perform split horizon

summary-address

Perform address summarization

R2(config-router-af-interface)#
In traditional way if we want run EIGRP on all interface we use "network 0.0.0.0 0.0.0.0" command.
Here you can use af-interface default to function same.
R2(config-router-af)#af-interface default
R2(config-router-af-interface)#

C) Address-family topology configuration mode:

This mode provide several options which operates on EIGRP topology table .here you can define content
like redistribution, distance, offset list, variance etc. To enter this mode, we need to go back to addressfamily configuration mode:
R2(config-router-af-interface)#exit
R2(config-router-af)#topology base
R2(config-router-af-topology)#?
15

Address Family Topology configuration commands:

auto-summary
default

Enable automatic network number summarization

Set a command to its defaults

default-information Control distribution of default information

default-metric
distance

Set metric of redistributed routes

Define an administrative distance

distribute-list
eigrp

Filter entries in eigrp updates

EIGRP specific commands

exit-af-topology
fast-reroute

Configure Fast-Reroute

maximum-paths
metric
no
offset-list

Negate a command or set its defaults

Add or subtract offset from EIGRP metrics
Redistribute IPv4 routes from another routing protocol
Modify snmp parameters

summary-metric
timers
traffic-share
variance

Forward packets over multiple paths

Modify metrics and parameters for advertisement

redistribute
snmp

Exit from Address Family Topology configuration mode

Specify summary to apply metric/filtering

Adjust topology specific timers

How to compute traffic share over alternate paths
Control load balancing variance

R2(config-router-af-topology)#

16

OSPF BFD Task

R1
router ospf 100
router-id 0.0.0.1
network 10.1.15.1 0.0.0.0 area 0
net 11.11.11.11 0.0.0.0 area 0
bfd all-interfaces
int s1/1
bfd interval 50 min_rx 50 multiplier 5
(bfd interval milliseconds min_rx milliseconds multiplier interval-multiplier)
int s1/0
ip ospf bfd disable
R5
router ospf 100
router-id 0.0.0.5
network 10.1.15.5 0.0.0.0 area 0
int s1/0
ip ospf bfd
bfd interval 50 min_rx 50 multiplier 5

Your friend commands are : SHOW BFD ENIGHBORS , SHOW BFD DROPS , SHOW BFD SUMAMRY
BFD (Bidirectional Forwarding Detection) is defined in RFC 5880.
BFD for one-hop IPv4/IPv6 is defined in RFC 5881.
BFD for multi-hop is defined in RFC 5883.
BFD for MPLS LSPs is defined in RFC 5884
17

BFD provide better way to check neighbors availability other than hello messages
It will not replace hello messages but will add additional functionality where we can send Keepalive
messages to our neighbors in milliseconds

BFD modes

Asynchronous mode
o continuous and periodic BFD packets
Demand mode
o BFD packets only after a demand

BFD echo (where a stream of echo packets is sent and received) is the most common function
for both modes.
Cisco supports the asynchronous mode and the echo function by default.
BFD payload control packets are encapsulated in UDP packets

destination port 3784

source port 49152

Echo packets are also encapsulated in UDP packets

destination port 3785

source port 3785

BFD control packets are always sent as unicast packets to the BFD peer.
The encapsulation of BFD Control packets for multihop application in IPv4 and IPv6 is identical
to that above, except that the UDP destination port is 4784.
Each system reports in the BFD Control packet how rapidly it would like to transmit BFD
packets, as well as how rapidly it is prepared to receive them. This allows either system to
determine the max packet rate (minimum interval) in both directions.

18

EPC Task
R5
config t
ip access-list ext 101
permit icmp any any
permit ip any any
exit
monitor capture buffer MYBUFFER
monitor capture buffer MYBUFFER size 2048 max-size 1518 circular
monitor capture buffer MYBUFFER filter access-list 101
monitor capture point ip cef MYPOINT serial 1/0 both
monitor capture point associate MYPOINT MYBUFFER
monitor capture mycap limit duration 900

monitor capture buffer MYBUFFER export tftp://10.1.34.100/capture.pcap

19

DMVPN Task

R1 HUB
int loop 0
ip add 192.168.1.1 255.255.255.0
int e0/0
ip add 1.1.1.10 255.255.255.0
no sh
int tunnel 0
ip add 172.16.0.1 255.255.255.0
no ip redirects
tunnel source 1.1.1.10
tunnel mode gre multipoint
ip nhrp authentication cbtme
ip nhrp map multicast dynamic
ip nhrp network-id 1

tunnel mode gre multipoint

the absence of the tunnel destination command. It has been replaced with the tunnel mode gre
multipointcommand, which designates this tunnel as a multipoint GRE tunnel.

ip nhrp map multicast dynamic

enables the forwarding of multicast traffic across the tunnel to dynamic spokes. This is usually required
by routing protocols such as OSPF and EIGRP. In most cases, DMVPN is accompanied by a routing
protocol to send and receive dynamic updates about the private networks.
ip nhrp network-id 1
used to identify this DMVPN cloud. All routers participating in this DMVPN cloud must have the same
network-id configured in order for tunnels to form between them.
ip nhrp authentication
used to allow the authenticated updates and queries to the NHRP Database, ensuring unwanted queries
are not provided with any information about the DMVPN network.

20

R2 SPOKE
int loop 0
192.168.2.1 255.255.255.0
int f0/0
ip add 2.2.2.10 255.255.255.0
no sh
int tunnel 0
ip add 172.16.0.2 255.255.255.0
no ip redirects
tunnel source e0/0
tunnel mode gre multipoint
ip nhrp authentication cbtme
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp map 172.16.0.1 1.1.1.10
ip nhrp map multicast 1.1.1.10
ip nhrp nhs 172.16.0.1
R3 SPOKE
int loop 0
192.168.3.1 255.255.255.0
int f0/0
ip add 3.3.3.10 255.255.255.0
no sh
int tunnel 0
ip add 172.16.0.3 255.255.255.0
no ip redirects
tunnel source e0/0
tunnel mode gre multipoint
ip nhrp authentication cbtme
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp map 172.16.0.1 1.1.1.10
ip nhrp map multicast 1.1.1.10
ip nhrp nhs 172.16.0.1
ip nhrp nhs 172.16.0.1
tells our spoke router who the Next Hop Server (NHS) is, while the ip nhrp map 172.16.0.1 1.1.1.10
command maps the NHS address (172.16.0.1) to the Hubs (R1) public IP address (1.1.1.10).
ip nhrp map multicast 1.1.1.10
ensures multicast traffic is sent only from spokes to the hub and not from spoke to spoke. All multicast
traffic should be received by the hub, processed and then updates are sent out to the spokes

21

tunnel source FastEthernet0/1

All spokes with dynamic WAN IP address must be configured to bind the physical WAN
interface as the tunnel source. This way, when the spokes WAN IP changes, it will be able to
update the NHS server with its new WAN IP address.
Note: In R2s configuration, weve configured a static IP address on its WAN interface
FastEthernet0/1, but for the sake of this example, let us assume it was dynamically provided by
the ISP.
Now lets secure our DMVPN with IPsec
R1
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 86400
!
crypto isakmp key firewall.cx address 0.0.0.0
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS
!
interface Tunnel 0
tunnel protection ipsec profile protect-gre
R2/R3
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 86400
!
crypto isakmp key firewall.cx address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS
!
interface Tunnel 0
tunnel protection ipsec profile protect-gre
22

now lets create routing for internal networks in all of our routers
On the R5 hub router:
ip route 192.168.2.0 255.255.255.0 172.16.0.2
ip route 192.168.3.0 255.255.255.0 172.16.0.3
On R2 spoke router:
ip route 192.168.1.0 255.255.255.0 172.16.0.1
ip route 192.168.3.0 255.255.255.0 172.16.0.3
On R3 spoke router:
ip route 192.168.1.0 255.255.255.0 172.16.0.1
ip route 192.168.2.0 255.255.255.0 172.16.0.2

23

Your Friend command here is SHOW DMVPN , notice once we ping R2 loop0 from R3 , Dynamic mGRE
tunnel created and shown in your show dmvpn output , also your crypto session is up one for HUB and
one for Spoke you communicate with which is R2 in our case above.

24

Soon Lab2 will be added covering Tasks for :

-GRE with IPsec Tunnel
- GRE with IPsec Tunnel VTI
-IPv6 FHS
CCIEv5 New Topics Resources:

EPC
https://supportforums.cisco.com/document/139686/configuration-example-embedded-packetcapture-cisco-ios-and-ios-xe
http://www.cisco.com/c/en/us/products/ios-nx-os-software/ios-embedded-packetcapture/index.html
BFD
https://supportforums.cisco.com/video/12061606/bfd-configuration-troubleshooting-cisco-iosand-xr-routers
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bfd/configuration/12-4t/irb-12-4tbook/Bidirectional_Forwarding_Detection.html
EIGRP Named Mode
https://supportforums.cisco.com/blog/11939146/glimpse-eigrp-name-mode-configuration
http://www.cisco.com/c/dam/en/us/products/collateral/ios-nx-os-software/enhanced-interiorgateway-routing-protocol-eigrp/Advances_In_EIGRP.pdf
Video from IPexpert:
http://www.youtube.com/watch?v=XsV6Rq8eiJ0
GRE with ipsec
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/868-cisco-router-greipsec.html
VPN site to site
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-tosite-ipsec-vpn.html

25

DMVPN
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-services-tech/896-cisco-dmvpnintro.html
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/901-cisco-router-dmvpnconfiguration.html
http://blog.ine.com/2008/08/02/dmvpn-explained/
Videos from INE:
http://www.youtube.com/watch?v=CIWcYSClbio
http://www.youtube.com/watch?v=DA9K0eGG17E
IPV6 FHS
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6solution/whitepaper_c11-602135.html
http://blog.ipspace.net/2013/07/first-hop-ipv6-security-features-in.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/15-2s/ipv6-15-2s-book/ip6first-hop-security.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/15-s/ip6f-15-sbook.pdf
Videos from INE:
http://www.youtube.com/watch?v=Zv-stl5kRnI
http://www.youtube.com/watch?v=UtsHZmb1CYc
http://www.youtube.com/watch?v=goHublIvV-8

Good Luck
CCSI: Yasser Auda
https://www.facebook.com/YasserRamzyAuda
https://learningnetwork.cisco.com/people/yasser.r.a?view=documents
https://www.youtube.com/user/yasserramzyauda

26