Section 1 : Layer 2 Technologies

1.1 Troubleshoot Layer 2 Switch

A few faults have been injected into the preconfigurations just described. These issues may impede a working solution for certain portions of this lab exam, and they can affect any lab section. You must verify that all of your configurations work as expected. If something is not working as expected, then you must fix the underlying problem. Points will be awarded for solving each problem. However, if you fail to solve a particular problem, and the injected fault prevents you from having a working solution for this lab, then you will lose points both for the fault and for the scenario that is not working.

1.2 VLAN and Access-Ports

Configure all of the appropriate non-trunking switch ports on all switches according to the following requirements:

- The VTP domain is set to "CCIE" and the VTP password is set to "cisco".
- VTP mode on all switches should be configured to transparent mode.
- Configure the VLAN ID and Name according to the table below (case sensitive).
- Configure the access ports for each VLAN as per the diagram.

VLAN ID   Name
Vlan17    VLAN_17_R1-SW2
Vlan29    VLAN_29_R2-SW4
Vlan34    VLAN_34
Vlan38    VLAN_38_R3-SW3
Vlan45    VLAN_45
Vlan56    VLAN_56_R5-SW1
Vlan67    VLAN_67_SW1-SW2
Vlan89    VLAN_89_SW3-SW4
Vlan100   VLAN_BB1
Vlan200   VLAN_BB2
Vlan300   VLAN_BB3
Vlan333   VLAN_CUSTOMER
Vlan500   VLAN_USERS
Vlan666   VLAN_CARRIER
Vlan999   VLAN_NATIVE

1.3 Multiple Spanning Tree (MST)

Configure the switches according to the following requirements. Each of the following sets of VLANs must share a common spanning-tree topology:

- Spanning-tree topology 1: all odd VLANs used throughout your exam
- Spanning-tree topology 2: all even VLANs used throughout your exam
- Spanning-tree topology 3: all other VLANs must be explicitly put into instance 3 (or: Spanning-tree topology 3: all other VLANs)
- Use the domain name cisco.
- Ensure SW1 is the root switch for instance 1 and the CIST VLANs, and the backup root switch for instance 2.
- Ensure SW2 is the root switch for instance 2, and the backup root switch for instance 1 and the CIST VLANs.
- Configure the native VLAN to VLAN 999. Ensure this VLAN is tagged.
- All unused ports should be administratively shut down and defined as access ports on VLAN 999.
- Don't forget the GigabitEthernet ports (2 ports).

1.4 Switch Trunking and EtherChannel

Refer to the diagram. Configure the dual trunk ports between all switches according to the following requirements:

- Configure the trunks using dot1q as per the diagram (ports 19-24) for SW1-SW4.
- Allow the native VLAN 999 and make sure the native VLAN tags its frames. Use encapsulation 802.1q.
- Disable DTP on the six distribution ports of each switch.
- Configure an 802.3ad 200 Mbps EtherChannel between SW1 and SW2; SW2 should not actively start it.
- EtherChannel load balancing should be accomplished by source-destination host MAC addresses.
- If more channel members are added in the future, Fa0/24 must have the best chance to be the first active port in the channel.
- Configure the EtherChannel (LACP) between the 2 switches; SW2 shouldn't actively start it. Load-balance on a hash of src-dst MAC addresses.
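The switch-hardening items of 1.3 and 1.4 (tagged native VLAN, DTP disabled, unused ports shut and parked in VLAN 999, LACP with SW2 passive) are shown together below for SW1. This is an added example, not the lab's reference configuration: the member ports of the channel (Fa0/23-24), the unused port range, and the channel-group number are assumptions; only VLAN 999, the port range 19-24, Fa0/24 and the src-dst MAC hash come from the task.

```cisco
! SW1 - added example, not the lab's reference solution.
vlan dot1q tag native                        ! also tag frames on the native VLAN 999
!
interface range FastEthernet0/19 - 24
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate                      ! no DTP on the six trunk ports
!
port-channel load-balance src-dst-mac        ! hash on source+destination MAC
!
interface range FastEthernet0/23 - 24        ! assumed: the two 100 Mbps members
 channel-protocol lacp
 channel-group 1 mode active                 ! SW2 uses "mode passive" so it never initiates
!
interface FastEthernet0/24
 lacp port-priority 1                        ! lowest value is bundled first
!
! Assumed unused range; adjust to the diagram. GigabitEthernet ports included.
interface range FastEthernet0/10 - 18 , GigabitEthernet0/1 - 2
 switchport mode access
 switchport access vlan 999
 shutdown
```

Two checks worth running afterwards: "show interfaces trunk" should list native VLAN 999 on every trunk with no DTP negotiation, and "show etherchannel summary" should show the Po1 members as (P) on both switches even though only SW1 runs LACP in active mode. The LACP port priority only decides the order in which members are bundled on the switch that controls the bundle (the one with the lower LACP system priority), so set "lacp system-priority" lower on SW1 as well if you rely on it.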

1.5 Implement 802.1Q Tunneling

Configure your network as per the following requirements:

- Users connected to VLAN 333 on SW3 must be able to communicate with users connected to VLAN 333 on SW4 via their interfaces Fa0/19 (respectively connected to SW1 and SW2).
- Configure the VLAN 333 interface on SW3 with the IP address YY.YY.33.8/24.
- Configure the VLAN 333 interface on SW4 with the IP address YY.YY.33.9/24.
- VLAN 333 must be allowed to flow only through SW3's and SW4's Fa0/19. No other trunks may carry this VLAN.
- SW1 and SW2 must carry the VLAN 333 data across the network using VLAN 666.
- VLAN 666 may exist only on SW1 and SW2.
- SW1 and SW2 must not allow VLAN 333 on any trunks and must allow VLAN 666 only on the trunks between them.
- No other port in any switch may carry VLAN 333.
- Do not modify any spanning-tree cost or port priority to achieve this task.
- Referring to the exhibit below, SW3 must see SW4 as a CDP neighbor via interface Fa0/19 and must be able to ping SW4's VLAN 333 address.

1.6 PPP over Ethernet

Configure PPPoE between R3 and R4 according to the following requirements:

- Configure R3 as a PPPoE server.
- Configure R4 as a PPPoE client.
- Configure the group name as CISCO.
- R4 always gets the same IP address from R3. Do not use DHCP to receive the IP address.
- Ensure there is no interleaving on the PPPoE link (or: ensure that there is no unnecessary PPP fragmentation on the PPPoE link).
- The IP address must be given to the virtual template.
- R3 must require R4 to authenticate using CHAP, but R4 must NOT require R3 to authenticate.
  - Use CISCO as the CHAP password for R4.
  - Make sure that all CHAP passwords are shown in clear text in the configuration.

1.7 Implement Frame-Relay

Use the following requirements to configure R1 and R2 for Frame-Relay:

- Use static frame-relay maps with the broadcast capability. Do not use dynamic ARP mapping.
- Do not change anything in the frame-relay switch (R4).
- Use RFC 1490/RFC 2427 encapsulation.
- Use the DLCI assignments from the table below.
- Set the administrative bandwidth to 50000 Kb on the interfaces.
- R1 and R2 must be able to ping their own interfaces.

R1 uses DLCI 100
R2 uses DLCI 200

Section 2 : Layer 3 Technologies

2.1 IPv4 OSPF

Configure OSPF Areas 0, 1 and 2 as per the IGP topology diagram.

- The OSPF process ID can be any number.
- The OSPF router IDs must be stable and must be configured using the IP address of interface Loopback0.
- Loopback0 interfaces should be advertised in the OSPF area as shown in the IGP topology diagram and must appear as /32 host routes.
- Updates should be advertised only out of the interfaces that are indicated in the IGP topology diagram.
- Ensure that an OSPF neighborship is established between R1 and R2 without changing the frame-relay interface type.
- Ensure that R4 can still reach all OSPF networks via R3 in case R1 or R5 goes down.
- Do not create additional OSPF areas.
- Do not use any IP address not listed in the diagram.

2.2 IPv4 EIGRP

Configure Enhanced Interior Gateway Routing Protocol (EIGRP) 100 and EIGRP YY as per the IGP topology diagram.

1. Backbone 3 has the IP address 150.3.YY.254 and is using AS number 100.
2. EIGRP updates should be advertised only out of the interfaces per the IGP topology diagram.
3. On SW3, redistribute from EIGRP 100 into EIGRP YY.
4. Do NOT use automatic summarization for any EIGRP process.

2.3 IPv4 RIPv2

Configure RIP Version 2 (RIPv2) per the IGP topology diagram.

- RIP updates must be advertised only out of the interfaces per the IGP topology diagram.
- Do NOT use auto summarization.

Redistribution OSPF, EIGRP, RIP

2.4 Between OSPF and EIGRP

Redistribute mutually between OSPF and EIGRP YY on R2 and R3 as per the following requirements:

- On R2 and R3, ensure that all prefixes learned from OSPF are seen as OSPF routes and that the prefixes learned from EIGRP 100 are seen as EIGRP external routes (D EX).
- The only EIGRP external routes on both R2 and R3 should be the EIGRP 100 routes.
- No default route should be seen in this network.
- Ensure that optimal routing is performed on both R2 and R3.
- No route tagging is permitted on SW3.
- You must use a route filtering mechanism, but you are not allowed to use access-lists or prefix-lists.
- Do NOT change the administrative distance to accomplish this requirement.

2.5 Between OSPF and RIPv2

Redistribute OSPF into RIP on R5 as per the following requirements:

- Redistribute OSPF into RIP on R5.
- Ensure that R4 reaches SW1 Loopback0 via R5 and all other routes via R3.
- Advertise the VLAN 45 network into OSPF without using the network command.

2.6 IPv4 EBGP

Configure EBGP on R1 and R2 according to the following requirements:

- R1 should be an eBGP peer of the router Backbone 1 in AS 254.
- R2 should be an eBGP peer of the router Backbone 2 in AS 254.
- Ensure that R1 and R2 have the capability to signal the End-of-RIB marker.
- You are NOT allowed to use BGP next-hop anywhere.
- Router R1 should generate a warning message if it receives more than 5 prefixes from Backbone 1 (BB1).

2.7 IPv4 IBGP

Configure iBGP on R1, R2, R3, R4 and R5 as per the following requirements:

- Where possible, failure of a physical interface should not permanently affect BGP peer connections (use only the Loopback0 IP addresses to propagate BGP route information within your BGP domain).
- Configure R3 as a route reflector to minimize the number of BGP peering sessions among all BGP speakers in AS YY.
- You are NOT allowed to use BGP peer groups.

2.5 Advanced BGP

Configure BGP path selection as per the following requirements:

- The routes from OSPF should be redistributed into BGP AS 254 on R1 and R2.
- R1 should prefer the path through BB1 for AS 254. The tie breaker in the BGP best-path selection algorithm must be the "internal vs external" criterion.
- R3 should prefer the path through R1 for BGP AS 254. This configuration should not affect any other routers in AS YY getting to BGP AS 254. You are not allowed to change BGP attributes such as Weight, AS-Path or Local Preference on R4 and R5 to accomplish this task. You are allowed to change the OSPF cost of only one interface.
- R4 should prefer R1 as the exit point for AS 254. This change should not impact any other BGP peer routers. R4 should be able to ping a prefix located in AS 254 with the path via R1.

2.9 IPv6 Address and OSPF Routing

The administrator has started to configure Global Unicast IPv6 addresses and OSPFv3 routing in your network according to the IPv6 Routing diagram.

- Configure Global Unicast IPv6 addresses on all relevant interfaces of R1, R5, SW1 and SW2, including Loopback0.
- Use /64 for physical interfaces and /128 for loopback interfaces.
- Ensure that all routers and switches can ping each other using IPv6.
- The process ID is 2001.
- OSPFv3 router IDs must be stable and identical to the OSPFv2 router IDs.
- Ensure that periodic router advertisements are disabled on the IPv6-enabled interfaces.
- Make sure the IPv6 domain uses the Cisco proprietary forwarding mechanism.
- Authenticate OSPFv3 between R1 and R5 according to the following requirement: use the MD5 authentication type with the following key string: 1234567890ABCDEF1234567890ABCDEF. You are not allowed to use any commands under the router configuration mode to accomplish this.
- Do not create additional OSPFv3 areas.
- Ensure that all IPv6 networks on all routers and switches can ping each other using IPv6.

Configure the IPv6 addresses as follows (YY = rack number, HH = interface IPv4 3rd octet, ZZ = interface IPv4 4th octet):

Interface: 2001:YY:HH::ZZ/64
Loopback:  2001:YY:HH::ZZ/128
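The interface-level OSPFv3 authentication asked for above uses IPsec AH with MD5 on the link itself, which is why no router-mode command is needed. The following is an added example for R1 and is not the lab's reference configuration: the interface name, the OSPF area, the IPsec SPI value (256) and the router-ID placeholder are assumptions; the process ID 2001, the key string and the addressing pattern come from the task. R5 needs the same SPI and key on its side of the link or the adjacency will not form.

```cisco
! R1 - added example, not the lab's reference solution.
ipv6 unicast-routing
ipv6 cef                                     ! Cisco's proprietary forwarding path
!
ipv6 router ospf 2001
 router-id <Loopback0 IPv4 address>          ! placeholder: must equal the OSPFv2 RID
!
interface Loopback0
 ipv6 address 2001:YY:HH::ZZ/128
 ipv6 ospf 2001 area 0                       ! area assumed; follow the diagram
!
interface FastEthernet0/0                    ! assumed: the interface facing R5
 ipv6 address 2001:YY:HH::ZZ/64
 ipv6 nd ra suppress                         ! stop periodic RAs on this segment
 ipv6 ospf 2001 area 0
 ! AH/MD5 on the interface, no router-mode commands; 32 hex chars = 128-bit key
 ipv6 ospf authentication ipsec spi 256 md5 1234567890ABCDEF1234567890ABCDEF
```

Verify with "show ipv6 ospf interface FastEthernet0/0", which reports the SPI and authentication type, and "show crypto ipsec sa", which shows the AH security association OSPFv3 created. A mismatched key produces an adjacency stuck without hellos being accepted rather than an explicit error, so check both ends before suspecting the IGP.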

3.1 Implement IPv4 Multicast 1

Configure multicast routing between R3 S0/0/0 and R5 S0/0/1 according to the following requirements:

- Do NOT use any RP.
- Interface Loopback0 of R3 simulates a video server; the client is simulated on R5.
- Multicast is sourced from Loopback0 of R3 and the receiver is R5 Fa0/0.
- Ensure that unnecessary flooding/pruning does not occur.

3.2 Implement IPv4 Multicast 2

Ensure that only R3 Lo0 (YY.YY.3.3) is allowed to send multicast to R5 Fa0/0.

In the near future, other users on R5 are planning to join. The users will use IGMPv2. Ensure that these users can only access the two multicast streams. Routers should not use DNS queries for mapping the source.

Section 4 : Advanced Services

4.1 IGP Authentication 1

Secure the RIP domain according to the following requirements:

- Complete RIP authentication between R4 and R5.
- The key chain for RIP authentication is pre-configured on R4. Do not reconfigure R4.

Note: The pre-configured key chain can be found using "show key chain RIP" on R4.
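Since R4 must not be touched, the R5 side has to mirror three things R4 already has: the key number, the key string, and the authentication mode. The example below is added here and is not the lab's reference configuration; the key number 1, the key string CISCO, MD5 mode and the R4-facing interface are assumptions to be replaced with what "show key chain RIP" and the R4 interface configuration actually show.

```cisco
! R5 - added example, not the lab's reference solution.
! Read R4 first: "show key chain RIP" (key id + string) and
! "show run interface <R4 side>" (text vs md5 mode). All three must match.
key chain RIP                                ! name is local; only the values must match
 key 1                                       ! assumed key id
  key-string CISCO                           ! assumed key string
!
interface FastEthernet0/1                    ! assumed: R5 interface toward R4 (VLAN 45)
 ip rip authentication key-chain RIP
 ip rip authentication mode md5              ! assumed; omit if R4 uses text mode
```

"debug ip rip" on R5 reports "invalid authentication" when the key id or string differs, and RIP silently ignores updates when the mode differs, so confirm with "show ip rip database" that R4's prefixes reappear after the change.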

4.2 Zone-Based Firewall

Configure Zone Based Firewall (ZBF) on R1 so that the following sequence of commands provides the same output:

  RackYYR1#clear zone-pair counter

  RackYYR5#ping 150.1.YY.254
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 150.1.YY.254, timeout is 2 seconds:
  !!!!!
  Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/9 ms

  RackYYSW2#ping 150.1.YY.254
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 150.1.YY.254, timeout is 2 seconds:
  !!!!!
  Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/9 ms

  RackYYR1#show policy-map type inspect zone-pair
   Zone-pair: A_B
   Service-policy inspect : A_B
    Class-map: A_B (match-all)
     Match: protocol icmp
     Pass
      55 packets, 4400 bytes
    Class-map: class-default (match-any)
     Match: any
     Pass
      8 packets, 64 bytes

You must use the exact same names for the policy and class-map (case sensitive).

4.3 Layer 2 security

Configure SW1 and SW2 as per the following requirements:

- R4 and R5 may communicate only with each other in VLAN 45. No other host is allowed to communicate with them in VLAN 45.
- Hosts connected to port Fa0/6 on SW1 and SW2 should be part of VLAN 45 and communicate only with each other. They must not be able to communicate with any other host in VLAN 45.
- Hosts connected to port Fa0/7 of both SW1 and SW2 should not be able to communicate with any host.
- Configure SW1 Fa0/9 as a promiscuous port (or: all of the above ports (Fa0/6, Fa0/7 on SW1 and SW2) must be allowed to communicate with a device connected to port Fa0/9 of SW1).
- Use only odd VLAN number(s) (between 334 and 998) if you need to create any new VLAN(s).
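These requirements map onto private VLANs: VLAN 45 as the primary, one community VLAN for R4/R5, a second community VLAN for the two Fa0/6 hosts, an isolated VLAN for the Fa0/7 hosts, and Fa0/9 as the promiscuous port everyone may reach. The configuration below is an added example for SW1 and is not the lab's reference configuration; the secondary VLAN IDs 335, 337 and 339 (odd, in the allowed range) and the port R4 connects to (Fa0/4) are assumptions. SW2 gets the same VLAN definitions and host-port configuration (with R5 on its assumed Fa0/5); both switches are already in VTP transparent mode per 1.2, which private VLANs require.

```cisco
! SW1 - added example, not the lab's reference solution.
vlan 335
 name PVLAN_COMMUNITY_ROUTERS               ! R4 <-> R5 only
 private-vlan community
vlan 337
 name PVLAN_COMMUNITY_FA6                   ! the two Fa0/6 hosts only
 private-vlan community
vlan 339
 name PVLAN_ISOLATED                        ! Fa0/7 hosts: promiscuous port only
 private-vlan isolated
vlan 45
 private-vlan primary
 private-vlan association 335,337,339
!
interface FastEthernet0/4                   ! assumed: R4 (R5 on SW2 is identical)
 switchport mode private-vlan host
 switchport private-vlan host-association 45 335
!
interface FastEthernet0/6
 switchport mode private-vlan host
 switchport private-vlan host-association 45 337
!
interface FastEthernet0/7
 switchport mode private-vlan host
 switchport private-vlan host-association 45 339
!
interface FastEthernet0/9                   ! promiscuous: reachable from every secondary VLAN
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 45 335,337,339
```

Check with "show vlan private-vlan" on both switches; the secondary VLANs cross the SW1-SW2 trunks as ordinary tagged VLANs, so they must exist with the same type and association on both ends or the community hosts will see each other on one switch but not across the trunk. If VLAN 45 also needs a routed SVI, the SVI has to be mapped too ("private-vlan mapping 335,337,339" under interface Vlan45), otherwise the isolated and community hosts cannot reach the gateway.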

4.4 Quality of Services-1

Traffic from BB1 is attacking hosts in OSPF Area 0. It should be limited to 128k on each interface on R1 when it goes to OSPF Area 0. Use MQC and do not use policing.
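With policing excluded, the MQC tool that caps a class at a rate is shaping, applied outbound on each Area 0 facing interface of R1. Added example, not the lab's reference configuration: the BB1 prefix used to match "traffic from BB1" (150.1.YY.0/24, taken from the 150.1.YY.254 address that appears elsewhere in this lab), the ACL and policy names, and the outbound interface are assumptions.

```cisco
! R1 - added example, not the lab's reference solution.
ip access-list extended FROM_BB1
 permit ip 150.1.YY.0 0.0.0.255 any         ! assumed BB1 source prefix
!
class-map match-all BB1_TRAFFIC
 match access-group name FROM_BB1
!
policy-map LIMIT_BB1
 class BB1_TRAFFIC
  shape average 128000                      ! 128 kbps; excess is queued, not dropped
!
interface FastEthernet0/0                   ! assumed Area 0 facing interface
 service-policy output LIMIT_BB1            ! repeat on every interface toward Area 0
```

"show policy-map interface FastEthernet0/0" shows the shaper's queue depth and drops; a sustained attack will fill the shape queue and eventually tail-drop, which is expected and still satisfies the task's limit on what reaches Area 0.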

4.5 Quality of Services-2

Configure R5's interface S0/0/1 to share its available bandwidth as per the following requirements. Consider that users connected to VLAN 56 are sending traffic that is already marked as follows:

- Control: IP Precedence value 6 or 7
- Voice: IP Precedence value 5
- Video: IP Precedence value 4
- Business: IP Precedence value 3
- Internet: IP Precedence value 0

Requirements:

- Use the Modular QoS CLI and class names as per the above description (case sensitive). Use the first word (case sensitive) of each traffic description above to name your classes (i.e. class Control, class Voice, etc.).
- Use the match-all option for all class maps.
- Use only the option "match ip precedence" for all class maps.
- In case of congestion, the Voice traffic should be sent with priority over all other traffic. The low latency queue may never use more than 20% of the available bandwidth.
- In case of congestion, reserve 100 Kbps of the available 2000 Kbps for the Control traffic.
- Only in case of congestion, the Video traffic may not exceed 30% of the available bandwidth.
- Only in case of congestion, the Business traffic may not exceed 30% of the available bandwidth.
- Enable the congestion avoidance mechanism for the Business traffic using a weight factor of 10 for the average queue size calculation.
- The Internet traffic should use the remaining bandwidth with no other guarantee.

Kbps: kilobits per second.
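An added example for R5 that satisfies the list above; it is not the lab's reference configuration, and the policy-map name is an assumption. The 100 Kbps Control reservation is written as 5 percent of the 2000 Kbps interface bandwidth because IOS rejects a policy-map that mixes absolute "bandwidth" with "bandwidth percent" or "priority percent" in the same policy.

```cisco
! R5 - added example, not the lab's reference solution.
class-map match-all Control
 match ip precedence 6 7
class-map match-all Voice
 match ip precedence 5
class-map match-all Video
 match ip precedence 4
class-map match-all Business
 match ip precedence 3
class-map match-all Internet
 match ip precedence 0
!
policy-map VLAN56_OUT                      ! name assumed
 class Voice
  priority percent 20                      ! LLQ, capped at 20% under congestion
 class Control
  bandwidth percent 5                      ! 5% of 2000 Kbps = 100 Kbps
 class Video
  bandwidth percent 30
 class Business
  bandwidth percent 30
  random-detect                            ! WRED for congestion avoidance
  random-detect exponential-weighting-constant 10
 class Internet
  ! no guarantee: shares whatever is left with class-default
!
interface Serial0/0/1
 bandwidth 2000                            ! the 2000 Kbps the percentages refer to
 max-reserved-bandwidth 100                ! pre-HQF IOS caps reservations at 75% by default
 service-policy output VLAN56_OUT
```

The reservations add up to 85 percent, which is why "max-reserved-bandwidth 100" is there on classic IOS; on HQF images the command is unnecessary and may be rejected, in which case drop it. "show policy-map interface Serial0/0/1" confirms the class-to-action mapping and shows the WRED thresholds derived from the weighting constant.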

4.6 Implementing HSRP

Consider that users are connected to VLAN 500 on both SW1 and SW2. Configure HSRP to provide redundancy for the user gateway YY.YY.100.254/24 as per the following requirements:

- Configure HSRP between SW1 and SW2 under VLAN 500.
- Define the user gateway for VLAN 500 as YY.YY.100.254.
- The IP YY.YY.100.1 should be assigned to the primary HSRP gateway and YY.YY.100.2 to the secondary HSRP gateway.
- Active gateway assignment should comply with the active root of spanning tree for VLAN 500.
- Active gateway priority 120; the standby is left at the default.
- Define a track object for the group, which is the reachability of the network 150.1.YY.0/24.
- The standby will take up the active role within a second if 5 hello packets are not received.
- Authentication between both switches: MD5 password CISCO.
- The primary gateway should have the ability to resume the primary role once the tracked object is reachable again.
- Make sure the IGP is not running in this subnet.
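VLAN 500 is an even VLAN, so per section 1.3 it sits in MST instance 2, whose root is SW2; aligning the HSRP active gateway with the spanning-tree root therefore puts the priority 120 and YY.YY.100.1 on SW2. The configuration below is an added example, not the lab's reference configuration: the HSRP group number (1), the track object number, the decrement of 30 and the 200 ms / 1 s timer pair are assumptions chosen to meet the stated behaviour.

```cisco
! SW2 - expected active (MST instance 2 root). Added example, not the lab solution.
track 1 ip route 150.1.YY.0 255.255.255.0 reachability
!
interface Vlan500
 ip address YY.YY.100.1 255.255.255.0
 standby 1 ip YY.YY.100.254
 standby 1 priority 120
 standby 1 preempt                          ! resume active once the route is back
 standby 1 timers msec 200 1                ! hello 200 ms, hold 1 s = 5 missed hellos
 standby 1 authentication md5 key-string CISCO
 standby 1 track 1 decrement 30             ! 120 - 30 = 90 < 100, SW1 takes over
!
! SW1 - standby, default priority 100
interface Vlan500
 ip address YY.YY.100.2 255.255.255.0
 standby 1 ip YY.YY.100.254
 standby 1 preempt
 standby 1 timers msec 200 1                ! timers must match on both peers
 standby 1 authentication md5 key-string CISCO
!
! Keep the IGP off the user subnet, e.g. under the OSPF process:
!  passive-interface Vlan500
```

The decrement has to drop the active below the standby's priority or tracking has no effect, and preempt is required on the primary for it to take the role back. HSRP version 1 group numbers stop at 255; if you prefer group 500 to match the VLAN, add "standby version 2" on both switches first. "show standby brief" should show SW2 Active / SW1 Standby, and an MD5 mismatch shows up as "Bad authentication" in "debug standby errors".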

4.7 Time Based ACL

Configure SW1 and SW2 in order to restrict access for VLAN 500 users as per the following requirements:

- HTTP (from any user workstation to any remote server) is not allowed during office hours (from 09:00 to 16:59, Monday to Friday).
- FTP (from any user workstation to any remote server) is allowed only every night for backup, between 22:00 and 23:59, and is not allowed at any other time.
- UDP traffic is allowed only outside of the office hours (every day from 17:00 to 08:59).
- Any required control traffic must be allowed at all times, and the ACL entry(-ies) must be as specific as possible (i.e. specify the Layer 4 protocol with the correct port number on the destination).
- Sources in all ACL entries must be explicitly configured as YY.YY.100.0/24.
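The one piece of "required control traffic" on this segment that the UDP rule would otherwise break is HSRP itself (section 4.6): the hellos are UDP/1985 sent to 224.0.0.2 from the peer SVI, and an inbound ACL on the SVI sees them. The ACL below is an added example for both switches and is not the lab's reference configuration; the ACL and time-range names, the decision to apply it inbound on interface Vlan500, and the assumption that HSRP version 1 is the control traffic are mine. Note that an IOS "periodic" statement cannot cross midnight, so the 17:00-08:59 window is two statements.

```cisco
! SW1 and SW2 - added example, not the lab's reference solution.
! Time-based ACLs depend on the switch clock: check "show clock" / NTP first.
time-range OFFICE_HOURS
 periodic weekdays 9:00 to 16:59
time-range BACKUP_WINDOW
 periodic daily 22:00 to 23:59
time-range OFF_HOURS
 periodic daily 17:00 to 23:59             ! a periodic range cannot span midnight,
 periodic daily 0:00 to 8:59               ! so the off-hours window is two entries
!
ip access-list extended VLAN500_IN
 remark HSRP hellos (UDP/1985 to 224.0.0.2) must pass at all times
 permit udp YY.YY.100.0 0.0.0.255 host 224.0.0.2 eq 1985
 remark no HTTP during office hours
 deny   tcp YY.YY.100.0 0.0.0.255 any eq www time-range OFFICE_HOURS
 remark FTP control and active-mode data only in the backup window
 permit tcp YY.YY.100.0 0.0.0.255 any eq ftp time-range BACKUP_WINDOW
 permit tcp YY.YY.100.0 0.0.0.255 any eq ftp-data time-range BACKUP_WINDOW
 deny   tcp YY.YY.100.0 0.0.0.255 any eq ftp
 deny   tcp YY.YY.100.0 0.0.0.255 any eq ftp-data
 remark UDP only outside office hours
 permit udp YY.YY.100.0 0.0.0.255 any time-range OFF_HOURS
 deny   udp YY.YY.100.0 0.0.0.255 any
 remark everything else from the user subnet
 permit ip YY.YY.100.0 0.0.0.255 any
!
interface Vlan500
 ip access-group VLAN500_IN in
```

Ordering matters: the always-on HSRP permit sits above the time-ranged UDP deny, and each time-ranged permit is followed by an unconditional deny so the traffic is blocked outside its window instead of falling through to the final permit. "show time-range" reports whether each range is currently active, and "show ip access-lists VLAN500_IN" shows which entries are marked (active) at that moment, which is the quickest way to verify the ACL without waiting for office hours to start.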

Section 5 : Optimize the Network

5.1 Simple Network Management Protocol (SNMP)

Configure SNMPv3 for group "admin" on R3 as per the following requirements:

- Use location "San Jose, USA".
- Use contact
- Use the R3 Loopback0 interface as the source for SNMP traps.
- SNMPv3 group admin has a user with a view privilege adminview and must view only the ISO MIB.
- SNMPv3 group admin has a user with a view privilege adminwrite and must write only the system MIB.
- Ensure that group admin is set with the strongest security mechanism.
- A user ccie should be in group admin and use the MD5 password cisco (case sensitive).
- Ensure that the admin group only allows access from YY.YY.17.0/24.
- Use an SNMP v2c instance for the NMS in YY.YY.67.0/24 to accomplish this task.

Note: All view names, group names, usernames and communities are case-sensitive.
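"Strongest security mechanism" for an SNMPv3 group means the priv level (authentication plus encryption), which in turn means the user needs a privacy key the task never states. The configuration below is an added example for R3, not the lab's reference configuration: the ACL numbers, the AES-128 privacy algorithm and its placeholder key, the v2c community string, and the contact placeholder (the contact value is missing from this page) are assumptions; the view, group and user names, the MD5 password and the two subnets come from the task.

```cisco
! R3 - added example, not the lab's reference solution.
access-list 10 permit YY.YY.17.0 0.0.0.255   ! who may use group admin
access-list 11 permit YY.YY.67.0 0.0.0.255   ! the v2c NMS subnet
!
snmp-server location San Jose, USA
snmp-server contact <contact-not-given-on-page>
snmp-server trap-source Loopback0
!
snmp-server view adminview  iso    included  ! read: whole ISO tree
snmp-server view adminwrite system included  ! write: system group only
!
! v3 priv = auth + encryption, the strongest level; ACL 10 restricts the sources
snmp-server group admin v3 priv read adminview write adminwrite access 10
!
! MD5 auth password "cisco" per the task; priv key is not specified, placeholder
snmp-server user ccie admin v3 auth md5 cisco priv aes 128 PRIV-KEY-PLACEHOLDER
!
! v2c read-only instance for the NMS in YY.YY.67.0/24 (community string assumed)
snmp-server community NMS-RO-COMMUNITY ro 11
```

Two things trip people up here: "show running-config" never displays SNMPv3 users (use "show snmp user" and "show snmp group"), and the group's "access 10" is what enforces the source restriction, the view only limits which OIDs a caller may touch. A user created with auth but no priv keys would be rejected by a group configured at the priv level, so the priv parameters are not optional once the group says priv.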

5.2 NetFlow

Configure NetFlow on R1 according to the following requirements:

- Enable NetFlow on R1 to monitor the traffic entering and leaving Area 0 from BB1.
- Generate NetFlow samples for one out of every 1000 packets.
- Export the flows to the server YY.YY.56.100, port 2222.
- In case the export to that server fails, use the backup server YY.YY.56.101 with the same port number.
- Use the R1 Loopback as the source address for the exports.
- Use NetFlow version 9 with reliable transfer.
- Do not use a policy-map.
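"Reliable transfer" with a backup collector points to NetFlow export over SCTP, which carries its own fail-over configuration, and "no policy-map" means the legacy flow-sampler map rather than Flexible NetFlow. The configuration below is an added example for R1 and is not the lab's reference configuration; the sampler-map name and the BB1-facing interface are assumptions, while the collectors, port, sampling rate and version come from the task.

```cisco
! R1 - added example, not the lab's reference solution.
ip flow-export source Loopback0
ip flow-export version 9
ip flow-export destination YY.YY.56.100 2222 sctp
 reliability full                           ! acknowledged delivery (SCTP default)
 backup destination YY.YY.56.101 2222
 backup mode fail-over                      ! backup used only when the primary fails
!
flow-sampler-map SAMPLE_1_IN_1000
 mode random one-out-of 1000
!
interface FastEthernet0/1                   ! assumed: the interface toward BB1
 flow-sampler SAMPLE_1_IN_1000              ! sampled flows entering Area 0 from BB1
 flow-sampler SAMPLE_1_IN_1000 egress       ! and leaving Area 0 toward BB1
```

"show ip flow export sctp" shows the association state of both collectors and how many records were buffered or retransmitted, and "show flow-sampler" confirms the 1:1000 rate is actually being applied to packets. Because the data is sampled, byte and packet counts at the collector must be multiplied by 1000 before they are compared against the 128k limit from section 4.4.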