CIERSASSESS-5-AK

Cisco 360 CCIE R&S Advanced Workshop 2 Assessment Lab 1
The Cisco 360 CCIE® Routing and Switching (R&S) Advanced Workshop 2 is a five-day course for CCIE candidates who are ready to attempt the Cisco CCIE lab. Advanced Workshop 2 is not an entry-level course. You should take this course only if you are close to passing the actual CCIE lab. Advanced Workshop 2 further develops such high-level candidates by presenting learners with five multitopic labs that simulate the actual Cisco CCIE lab experience. Four of the labs are eight hours long; one is four hours long. One lab is administered on each day of the course. On the first four days, you will perform an eight-hour lab. On the fifth day of the course, you will perform the four-hour lab. During each lab, you will be tested on your knowledge of complex internetworking subjects, your problem-solving skills, and your test-taking strategies. After each of the labs, you will receive a detailed assessment score report combined with an answer key and Mentor Guide support. To supplement this feedback, Cisco CCIE instructors will provide review sessions after each lab and directed instruction during each lab, if necessary. These resources provide feedback that maximizes the learning experience of each lab.

Cisco 360 CCIE R&S Advanced Workshop 2 Assessment Lab 1 Answer Key

COPYRIGHT 2009, CISCO SYSTEMS, INC. ALL RIGHTS RESERVED. ALL CONTENT AND MATERIALS, INCLUDING WITHOUT LIMITATION, RECORDINGS, COURSE MATERIALS, HANDOUTS AND PRESENTATIONS AVAILABLE ON THIS PAGE, ARE PROTECTED BY COPYRIGHT LAWS. THESE MATERIALS ARE LICENSED EXCLUSIVELY TO REGISTERED STUDENTS FOR THEIR INDIVIDUAL PARTICIPATION IN THE SUBJECT COURSE. DOWNLOADING THESE MATERIALS SIGNIFIES YOUR AGREEMENT TO THE FOLLOWING: (1) YOU ARE PERMITTED TO PRINT THESE MATERIALS ONLY ONCE, AND OTHERWISE MAY NOT REPRODUCE THESE MATERIALS IN ANY FORM, OR BY ANY MEANS, WITHOUT PRIOR WRITTEN PERMISSION FROM CISCO; AND (2) YOU ARE NOT PERMITTED TO SAVE ON ANY SYSTEM, MODIFY, DISTRIBUTE, REBROADCAST, PUBLISH, TRANSMIT, SHARE OR CREATE DERIVATIVE WORKS ANY OF THESE MATERIALS. IF YOU ARE NOT A REGISTERED STUDENT THAT HAS ACCEPTED THESE AND OTHER TERMS OUTLINED IN THE STUDENT AGREEMENT OR OTHERWISE AUTHORIZED BY CISCO, YOU ARE NOT AUTHORIZED TO ACCESS THESE MATERIALS.


Cisco 360 CCIE R&S Workshop 2 Assessment Lab 1 Answer Key

© 2009 Cisco Systems, Inc.

Table of Contents
Cisco 360 CCIE R&S Advanced Workshop 2 Assessment Lab 1
Cisco 360 CCIE R&S Advanced Workshop 2 Assessment Lab 1 Answer Key
  Table of Contents
  Answer Key Structure
    Section One
    Section Two
Cisco 360 CCIE R&S Advanced Workshop 2 Assessment Lab 1 Answer Key
  Grading and Duration
  Restrictions and Goals
  Explanation of Each of the Restrictions and Goals
  1. Frame Relay and Serial Communications Section
  2. Cisco Catalyst Switch Configuration Section
  3. IPv4 OSPF Section
  4. IPv4 EIGRP Section
  5. IPv4 RIP Section
  6. Cisco OER and NAT Section
  7. Border Gateway Protocol Section
  8. IPv6 Routing Section
  9. Security Section
  10. QoS Section
  11. Address Administration Section
  12. HSRP Gateway Redundancy Section
  13. NTP Configuration Section
  14. Multicast Configuration Section
  15. SNMP Section


Answer Key Structure
Section One
The answer key PDF document is downloadable from the web portal.

Section Two
To obtain a comprehensive view of the configuration, access the Mentor Guide engine in the web portal.


Cisco 360 CCIE R&S Advanced Workshop 2 Assessment Lab 1 Answer Key
Regardless of any configuration that you perform in this lab, you must conform to the general guidelines that are provided. If you do not conform to the guidelines, you can expect a significant deduction of points in your final exam score.

Grading and Duration

Lab duration: 8 hours
Maximum score: 100 points
Minimum passing score: 80 points

Restrictions and Goals
Note: Read this section carefully.

To receive any credit for a subsection, you must complete the subsection. You will not get partial credit for partially completed subsections.
IP subnets on the Lab IPv4 IGP diagram belong to network 172.16.0.0/16.
Use a minimum number of statements in all filters unless otherwise directed.
Use only the IP version 4 (IPv4) and IP version 6 (IPv6) addresses that are displayed on the IPv4 and IPv6 interior gateway protocol (IGP) diagrams. Do not introduce new addresses.
The Frame Relay switching router is configured for a full mesh of permanent virtual circuits (PVCs). Do not change the PVC configuration on the Frame Relay switching router.
Do not rely on Frame Relay Inverse Address Resolution Protocol (Inverse ARP).
Do not create any static routes on any routers and switches except for R6 and SW2.
Do not use policy-based routing (PBR).
Advertise all loopback interfaces with their original masks, unless noted otherwise.
All IPv4 IP addresses involved in this scenario must be reachable, except for the prefixes from the 1.0.0.0/8 network that are involved in Cisco Optimized Edge Routing (OER), prefixes that are advertised from the backbone, and interfaces that are connected to the shared equipment.


Do not modify the hostname, console, or vty configuration unless you are specifically asked to do so.
Do not modify the initial interface or IP address numbering.
Failure to assign the correct IP address could result in losing points in multiple sections.
N represents the group number. X represents the pod number. Check your online instructions for your number NX.

Explanation of Each of the Restrictions and Goals

IP subnets in the scenario diagrams belong to network 172.16.0.0/16.
The third and fourth octets of the IP addresses that are displayed on the diagrams belong to 172.16.0.0/16.

Do not change the configuration on the lines CON and AUX.
These lines are used for grading.

Use only the IPv4 and IPv6 addresses that are displayed on the IPv4 and IPv6 IGP diagrams. Do not introduce new ones.
Do not create any new IP addresses. Use the existing addresses to accomplish all tasks.

The Frame Relay switch router is configured for a full mesh of PVCs. Do not change the PVC configuration.
Find alternate methods of controlling the full mesh of PVCs.

Do not rely on dynamic Frame Relay Inverse ARP.
This requirement forces you to fulfill your Frame Relay Inverse ARP requirements with Frame Relay map statements. Think of a Frame Relay map statement as the equivalent of a static Inverse ARP entry.

Do not create any static routes manually.
Static routes can solve a range of reachability problems. However, you cannot use them. You must rely on skillful configuration of all your unicast routing protocols. The scenario is not concerned about static routes created by any Cisco IOS Software protocol or feature.

You can create only one tunnel link in this scenario.
Only one tunnel interface is allowed between R1 and R6 to encapsulate and exchange the Cisco Discovery Protocol packets.

Advertise all IPv4 and IPv6 loopback interfaces with their original mask, unless noted otherwise.
This requirement is primarily for the Open Shortest Path First (OSPF) advertised loopbacks. Use the ip ospf network point-to-point command under the loopback interface. Otherwise, the loopback will be advertised as a /32 host entry by default.

All IP interfaces in the diagram must be reachable within this internetwork.
This is a key goal and requires that all IGPs and routing policy tasks be configured properly. The key elements of your routing policy include route redistribution and the controlling of routing updates using distribute lists, route maps, and the distance command. Although the term "redistribution" might never be explicitly used in this exam, you must perform redistribution to ensure that all IP addresses are reachable without the use of static routes.

You are not required to make backbone prefixes reachable from all routers in your pod.
IP addresses from the networks that are connected to the backbone are excluded from the previous requirement.

Use a minimum number of statements whenever possible.
If a task requires an access list, prefix list, or autonomous system (AS) path filter list, use as few statements as possible.

Do not modify the hostname, console configuration, vty configuration, initial interface, or IP address numbering.
Follow the numbering conventions carefully.

Check your online instructions for your number NX.
N represents the group number. X represents the pod number. Check your online instructions for your group and pod numbers.

1. Frame Relay and Serial Communications Section

Issue: Configure the Frame Relay interface. You are instructed to use "a minimum amount of data-link connection identifiers (DLCIs) to provide Layer 3 connectivity."

Solution: The Frame Relay switch is preconfigured for a full mesh of PVCs. When examining the Lab IPv4 IGP diagram, you see that the Layer 3 connections over the nonbroadcast multiaccess (NBMA) network reflect a hub-and-spoke topology. To fulfill this requirement, perform the following tasks:
Disable Inverse ARP.
Provide static Frame Relay mappings on each of the Frame Relay attached routers, and control the full mesh with static maps.
Verify Layer 3 connectivity. Make sure that one spoke of the Frame Relay topology can ping the other spoke. For example, make sure that routers R2 and R3 not only possess a Frame Relay map statement to R1 but also possess map statements to one another.

Issue: All Frame Relay interfaces must be capable of receiving pings, including local interfaces.

Solution: A local Frame Relay interface will not respond to a ping from a router unless you provide Layer 3-to-Layer 2 mapping for the destination address. To make the local address capable of receiving pings, there must be a mapping for the local address as well. Use the PVC associated with the interface where the local IP address is configured for the Frame Relay map. To fulfill this requirement, use the frame-relay map ip 172.16.123.2 201 command on R2. Even if the router pings its own local interface, the ICMP packet will be encapsulated into a Frame Relay frame with the respective DLCI and will be transmitted to the other end of the PVC associated with the DLCI. The remote end will send it back, assuming that the other router possesses necessary Layer 3-to-Layer 2 mapping information.

Issue: R1 must be sending Internet Control Message Protocol (ICMP) packets to R2 when you ping 172.16.123.1 from R1.

Solution: This requirement suggests using DLCI 102 in the map statement for the local Frame Relay mapping to the R1 IP address 172.16.123.1.

Configuration and verification: R1 and R2 are used as an example of configuration of hub and spoke. R3 is configured similarly to R2.

R1#show run interface Serial0/0/0.123 | inc map ip +
 frame-relay map ip 172.16.123.1 102
 frame-relay map ip 172.16.123.2 102 broadcast
 frame-relay map ip 172.16.123.3 103 broadcast
R1#

R2#show run int Serial0/0/0 | inc map ip +
 frame-relay map ip 172.16.123.1 201
 frame-relay map ip 172.16.123.2 201 broadcast
 frame-relay map ip 172.16.123.3 201
R2#
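The three requirements above (Inverse ARP disabled, a static map for every address on the subnet including the router's own, and one broadcast map per DLCI) can be checked mechanically against saved configurations. The following is an added example, not part of the answer key: the configuration snippets are constructed samples modelled on the R1 and R2 maps shown above, and the R3 snippet, its DLCI 301, and its defects are hypothetical.

```python
import re
from collections import Counter

# One IOS static mapping line, e.g. " frame-relay map ip 172.16.123.2 102 broadcast"
MAP_RE = re.compile(
    r"^\s*frame-relay map ip (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<dlci>\d+)"
    r"(?P<bc>\s+broadcast)?\s*$"
)
INARP_OFF_RE = re.compile(r"^\s*no frame-relay inverse-arp\b", re.MULTILINE)

# All addresses on the hub-and-spoke subnet, and each router's own address.
SUBNET_IPS = ["172.16.123.1", "172.16.123.2", "172.16.123.3"]
OWN_IP = {"R1": "172.16.123.1", "R2": "172.16.123.2", "R3": "172.16.123.3"}

# Constructed sample configurations (R3 is deliberately incomplete).
CONFIGS = {
    "R1": """
interface Serial0/0/0.123 multipoint
 no frame-relay inverse-arp
 frame-relay map ip 172.16.123.1 102
 frame-relay map ip 172.16.123.2 102 broadcast
 frame-relay map ip 172.16.123.3 103 broadcast
""",
    "R2": """
interface Serial0/0/0
 no frame-relay inverse-arp
 frame-relay map ip 172.16.123.1 201
 frame-relay map ip 172.16.123.2 201 broadcast
 frame-relay map ip 172.16.123.3 201
""",
    "R3": """
interface Serial0/0/0
 frame-relay map ip 172.16.123.1 301 broadcast
 frame-relay map ip 172.16.123.2 301 broadcast
""",
}


def parse_maps(config):
    """Return [(ip, dlci, broadcast)] for every 'frame-relay map ip' line."""
    maps = []
    for line in config.splitlines():
        m = MAP_RE.match(line)
        if m:
            maps.append((m["ip"], int(m["dlci"]), m["bc"] is not None))
    return maps


def audit_router(name, config, own_ip, subnet_ips):
    """Return a list of findings; an empty list means the router passes."""
    findings = []
    if not INARP_OFF_RE.search(config):
        findings.append(f"{name}: Inverse ARP is not disabled")
    maps = parse_maps(config)
    mapped = {ip for ip, _, _ in maps}
    for ip in subnet_ips:
        if ip not in mapped:
            what = "its own address" if ip == own_ip else "neighbor"
            findings.append(f"{name}: no static map for {what} {ip}")
    # Count broadcast-enabled maps per DLCI; the key expects exactly one.
    broadcasts = Counter()
    for _, dlci, bc in maps:
        broadcasts[dlci] += int(bc)
    for dlci in sorted(broadcasts):
        if broadcasts[dlci] != 1:
            findings.append(
                f"{name}: DLCI {dlci} carries {broadcasts[dlci]} broadcast maps, expected 1"
            )
    return findings


def audit_all():
    """Audit every sample router and return {router: findings}."""
    return {
        name: audit_router(name, cfg, OWN_IP[name], SUBNET_IPS)
        for name, cfg in CONFIGS.items()
    }


if __name__ == "__main__":
    for router, problems in audit_all().items():
        print(router, "OK" if not problems else problems)
```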

16.16.123.255.16.16.16. round-trip min/avg/max = 100/104/120 ms Verify that when R1 pings its own IP address 172.123.255 rep 1 Type escape sequence to abort.16.1.1.0 frame-relay interface-dlci 602 Verify connectivity on the Frame Relay subnet: R2#ping 172.3. 20 ms R1# interface Serial0/0/0. which are not destined to R2 but are rerouted to R1: R2(config)#int Serial0/0/0 R2(config-if)#no ip route-cache Run the debug ip packets detail 199 and debug ip icmp commands on R2: R2#deb ip pack det 199 IP packet debugging is on (detailed) for access list 199 R2#debug ip icmp ICMP packet debugging is on R2# Go to R1 and ping 172.123.3 Type escape sequence to abort. 100-byte ICMP Echos to 172. the ICMP packets travel to R2.62. timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5).62. 199: R2(config)#access-list 199 permit icmp any any Disable fast switching on the serial interface so that the debugging process can pick up the ICMP packets. R1#ping 172. create an access list for the debugging purpose—for example.16.16.1 Type escape sequence to abort.123.2 255.62 point-to-point ip address 172.0 frame-relay interface-dlci 206 R6: interface Serial0/0/0.123.16.16.2 Type escape sequence to abort. 100-byte ICMP Echos to 172. timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5). 100-byte ICMP Echos to 172.2. timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5).16. timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5).16.123.255. round-trip min/avg/max = 24/24/28 ms R2# R6#ping 172.123. Sending 1.255.123. timeout is 2 seconds: Reply to request 0 from 172.16. .6 255.16.Note Only one map statement for a protocol and a DLCI is configured with the broadcast statement. round-trip min/avg/max = 4/6/8 ms R2#ping 172.2. round-trip min/avg/max = 8/27/88 ms R2#ping 172. Sending 5.16.62.123. On R2. 8 ms Reply to request 0 from 172.62.255. Sending 5.123.255. Inc.2 Type escape sequence to abort. 
It will satisfy the requirement to encapsulate the broadcast and multicast packets on this DLCI if necessary (IGP routing and multicast routing).123.16. Sending 5.2. 100-byte ICMP Echos to 172. 100-byte ICMP Echos to 172.3.1: 10 Cisco 360 CCIE R&S Workshop 2 Assessment Lab 1 Answer Key © 2009 Cisco Systems.62 point-to-point ip address 172.123. Sending 5.

R1#ping 172.16.123.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.123.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/36/100 ms
R1#

On R2, you should see similar debugging traces:

R2#
*May 29 18:33:36.169: IP: tableid=0, s=172.16.123.1 (Serial0/0/0), d=172.16.123.1 (Serial0/0/0), routed via FIB
*May 29 18:33:36.169: IP: s=172.16.123.1 (Serial0/0/0), d=172.16.123.1 (Serial0/0/0), len 100, redirected
*May 29 18:33:36.169:     ICMP type=8, code=0
*May 29 18:33:36.169: ICMP: redirect sent to 172.16.123.1 for dest 172.16.123.1, use gw 172.16.123.1

R2 receives the Frame Relay packets on DLCI 102 and redirects the IPv4 packets back to R1 according to the destination IPv4 address 172.16.123.1 and Frame Relay map statement for 172.16.123.1 and DLCI 201.

Do not forget to remove the access list, apply fast switching, and use the undebug all command.

2. Cisco Catalyst Switch Configuration Section

Configure the VLANs and the VLAN names according to the scenario specifications, and assign the ports of the switches to these VLANs. Spell the VLAN names correctly, and match the letter case.

To ensure a thorough understanding of the Layer 2 topology, create a VLAN propagation diagram like the one that follows. Construct it by studying the VLAN table, Switch-to-Router Connections table, Switch-to-Switch Connections table, the IGP diagrams, and the other section requirements, and then carefully document each connection on a copy of the physical layer diagram. You will find that, with practice, you can create such a diagram quickly and find it to be a valuable tool.

Note: To obtain a comprehensive view of the configuration tasks in this section, access the Mentor Guide engine. With the Mentor Guide engine, you can enter more than 1000 Cisco IOS Software commands as well as a collection of proprietary commands such as show all.

[Diagram: VLAN Propagation]

150 12.17.150 12 12.34. Solution: The preceding VLAN Propagation diagram will help you determine which VLANs stay within one switch and which VLANs span across the links between SW1.1q isl isl Status trunking trunking trunking Native vlan 1 1 1 Vlans allowed on trunk 16-17. The diagram also shows which VLANs must be allowed on the trunks.150 SW2#show interfaces trunk Port Fa0/1 Fa0/19 Po1 Port Fa0/1 Fa0/19 Po1 Port Fa0/1 Fa0/19 Po1 Port Fa0/1 Fa0/19 Po1 Mode on on on Encapsulation 802.88.88.100. Cisco 360 CCIE R&S Workshop 2 Assessment Lab 1 Answer Key 13 . 16.88. VTP transparent mode does not advertise any VLANs that are locally created.34.16.16. Inc.16.150 12.17.88.88.Issue: Do not use any dynamic VLAN advertisement techniques.88.150 Vlans allowed and active in management domain 16-17.100 12.17. Verification: SW1#show int trunk Port Fa0/5 Fa0/19 Po1 Port Fa0/5 Fa0/19 Po1 Port Fa0/5 Fa0/19 Po1 Port Fa0/5 Fa0/19 Po1 SW1# Mode on desirable desirable Encapsulation 802. client mode.16. SW2.150 © 2009 Cisco Systems.100. 88.16. SW3.150 Vlans in spanning tree forwarding state and not pruned 25. and SW4. and 150 will be allowed between SW1 and SW2 on the port channel. Issue: Allow only necessary VLANs on the trunk between switches SW1 and SW2.16 12.150 12.100 12.34.100. configure VTP transparent mode.150 12.88.16.88. Solution: The Cisco Catalyst switch can be configured in one of three modes: server mode. The client and server communicate VLANs dynamically to each other using the VLAN Trunking Protocol (VTP). This scenario requires no dynamic VLAN advertisements.88. or transparent mode.150 Vlans in spanning tree forwarding state and not pruned 16-17. therefore. Only VLANs 12.16 12.100 12.150 12.1q isl n-isl Status trunking trunking trunking Native vlan 1 1 1 Vlans allowed on trunk 25.150 Vlans allowed and active in management domain 25.

Issue: Configure the following switch-to-router connections. Use the IEEE tagging method on these trunk links where necessary.

Solution: Inter-Switch Link (ISL) is a proprietary Cisco protocol. 802.1Q, the alternative trunking protocol, is an IEEE standard.

Issue: Automatically aggregate ports 0/23 and 0/24 between SW1 and SW2 using the protocol that is nonproprietary to Cisco.

Solution: The ports 0/23 and 0/24 can be automatically aggregated using Link Aggregation Control Protocol (LACP). This protocol is defined in IEEE 802.3ad.

Issue: Initiate this process from the SW1 switch only.

Solution: The interface starts actively sending LACP negotiation protocol packets if it is configured with the keyword active. If the interface is configured as passive, it listens to the LACP packets and responds to them, but it does not initiate the packets itself. The solution is to configure the SW1 ports as active (SA below) and the SW2 ports as passive (SP below). Note that the channel-protocol lacp command is optional here; it simply precludes the configuration of modes other than LACP.

Verification:

SW1#show lacp internal
Flags:  S - Device is requesting Slow LACPDUs
        F - Device is requesting Fast LACPDUs
        A - Device is in Active mode       P - Device is in Passive mode

Channel group 1
                            LACP port     Admin     Oper    Port        Port
Port      Flags   State     Priority      Key       Key     Number      State
Fa0/23    SA      bndl      32768         0x1       0x1     0x13        0x3D
Fa0/24    SA      bndl      32768         0x1       0x1     0x14        0x3D
SW1#

SW1#show lacp neighbor
Flags:  S - Device is requesting Slow LACPDUs
        F - Device is requesting Fast LACPDUs
        A - Device is in Active mode       P - Device is in Passive mode

Channel group 1 neighbors

Partner's information:

                  LACP port                        Oper    Port     Port
Port      Flags   Priority  Dev ID          Age    Key     Number   State
Fa0/23    SP      32768     000a.8afb.2680   4s    0x1     0x13     0x3C
Fa0/24    SP      32768     000a.8afb.2680   4s    0x1     0x14     0x3C
SW1#

Issue: Use a Cisco proprietary trunk protocol on the link between SW1 and SW2. Specify the trunk encapsulation on SW2 only. The SW2 end of the trunk should be set to permanent trunking.

Solution: The Cisco proprietary protocol is ISL. The SW2 end will be set with the encapsulation ISL and mode trunk. SW1 will retain the default mode, dynamic desirable. A summary of the configuration is shown here.

SW1:
interface Port-channel1
 switchport mode dynamic desirable
!
interface FastEthernet0/23
 switchport mode dynamic desirable
 channel-group 1 mode active
 channel-protocol lacp
!
interface FastEthernet0/24
 switchport mode dynamic desirable
 channel-group 1 mode active
 channel-protocol lacp

SW2:
interface Port-channel1
 switchport trunk encapsulation isl
 switchport mode trunk
!
interface FastEthernet0/23
 switchport trunk encapsulation isl
 switchport mode trunk
 channel-group 1 mode passive
 channel-protocol lacp
!
interface FastEthernet0/24
 switchport trunk encapsulation isl
 switchport mode trunk
 channel-group 1 mode passive
 channel-protocol lacp

Verification:

SW1#sh interfaces trunk | inc isl
Fa0/19      desirable    isl            trunking      1
Po1         desirable    n-isl          trunking      1
SW1#

SW2#sh interfaces trunk | inc isl
Fa0/19      on           isl            trunking      1
Po1         on           isl            trunking      1
SW2#

Issue: Make SW4 the root bridge for VLAN 12 with priority 24576. If the link between SW1 and SW2 goes down, make sure that forwarding on the link between SW1 and SW3 resumes within 5 seconds maximum. Leave all path cost values on the links of VLAN 12 to the default values set by the Cisco IOS Software.

Solution: Look at the following diagram. By default, you should find the interface 0/19 on SW1 blocking for VLAN 12:

If the link between SW1 and SW2 goes down, the Spanning Tree Protocol (STP) will recalculate a new forwarding path from SW1 to the root, and interface 0/23 will go through different states, namely listening and learning. This can take up to 50 seconds. The scenario specifies a maximum of only 5 seconds.

The optional spanning-tree feature UplinkFast can help you to solve this task: UplinkFast provides fast convergence after a direct link failure and achieves load balancing between redundant Layer 2 links using uplink groups. An uplink group is a set of Layer 2 interfaces (per VLAN), only one of which is forwarding at any given time. Specifically, an uplink group consists of the root port, which is forwarding, and a set of blocked ports, except for self-looping ports. The uplink group provides an alternate path in case the currently forwarding link fails.

7900 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 15 Uplinkfast enabled Interface ---------------Fa0/6 Fa0/19 Po1 SW1 Role ---Desg Altn Root Sts --FWD BLK FWD Cost Prio.As the preceding diagram shows.b7f7. For example: © 2009 Cisco Systems.-------------------------------3019 128.19 P2p 12 128.4080 Cost 3031 Port 65 (Port-channel1) Hello Time 2 sec Max Age 20 sec Bridge ID Forward Delay 15 sec Priority 49164 (priority 49152 sys-id-ext 12) Address 000a. This change takes approximately 1 to 5 seconds. a blocking port transitions from blocking to a forwarding state through listening and learning states.65 P2p As you can see.-------. Cisco 360 CCIE R&S Workshop 2 Assessment Lab 1 Answer Key 17 .Nbr Type --------.0e3f.8 P2p 19 128. verify the blocking interface: SW1#sh spanning-tree vlan 12 VLAN0012 Spanning tree enabled protocol ieee Root ID Priority 24588 Address 0017. Normally. if SW1 detects a direct link failure on its root port—the port channel link—UplinkFast unblocks the blocked interface on SW1 and transitions it to the forwarding state without going through the listening and learning states. The following diagram illustrates this process: Configuration and verification: Configure the root bridge on SW4: spanning-tree vlan 12 priority 24576 On SW1. Inc. the blocking interface is on the link just as on the diagram.

changed state to down 20:51:40: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24. cost 38 20:51:37: STP: VLAN0012 Fa0/19 -> listening 20:51:37: STP: VLAN0016 we are the spanning tree root 20:51:37: STP: VLAN0088 we are the spanning tree root 20:51:38: STP: VLAN0016 heard root 24592-000a. End with CNTL/Z.2680 on Fa0/19 20:51:38: supersedes 32784-000a.2680 on port Fa0/19.7900 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 300 Uplinkfast enabled Interface ---------------Fa0/6 Fa0/19 Po1 SW1# Role ---Desg Altn Root Sts --FWD BLK FWD Cost --------3019 3019 3012 Prio.b7f7. SW1(config)#spanning-tree uplinkfast SW1#show spanning-tree vlan 12 VLAN0012 Spanning tree enabled protocol ieee Root ID Priority 24588 Address 0017.65 Type -------------------------------P2p P2p P2p Note Path cost and bridge priority are changed. SW1(config)#int po1 SW1(config-if)#shut SW1(config-if)# 20:51:37: STP: VLAN0012 new root port Fa0/19. 000a. or UplinkFast is already enabled.b7f7. If you change the path cost to a value less than 3000 and enable UplinkFast.SW1#debug spanning-tree events Spanning Tree event debugging is on SW1#conf t Enter configuration commands.8afb. and configure UplinkFast. the switch priority of all VLANs is set to 49152. the path cost is not altered. it affects all VLANs on the switch.8 128. . 18 Cisco 360 CCIE R&S Workshop 2 Assessment Lab 1 Answer Key © 2009 Cisco Systems.4080 Cost 3031 Port 65 (Port-channel1) Hello Time 2 sec Max Age 20 sec Bridge ID Forward Delay 15 sec Priority 49164 (priority 49152 sys-id-ext 12) Address 000a.Nbr -------128. When UplinkFast is enabled.0e3f. one per line. changed state to administratively down 20:51:39: STP: VLAN0012 sent Topology Change Notice on Fa0/19 SW1(config-if)# 20:51:39: %LINK-5-CHANGED: Interface Port-channel1.) The changes to the switch priority reduce the chance that a switch will become the root switch. changed state to down 20:51:39: %LINK-5-CHANGED: Interface FastEthernet0/23. 
You cannot configure UplinkFast on an individual VLAN. Bring the interface port channel back up. the path cost of all interfaces and VLAN trunks is increased by 3000. changed state to down SW1(config-if)# 20:51:52: STP: VLAN0012 Fa0/19 -> learning SW1(config-if)# 20:52:07: STP: VLAN0012 sent Topology Change Notice on Fa0/19 20:52:07: STP: VLAN0012 Fa0/19 -> forwarding SW1(config-if)# It took about 30 seconds in this example to get from blocking to forwarding. Inc.23 128. cost 38 20:51:38: STP: VLAN0016 sent Topology C SW1(config-if)#hange Notice on Fa0/19 20:51:38: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1. changed state to administratively down 20:51:40: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/23. changed state to administratively down 20:51:39: %LINK-5-CHANGED: Interface FastEthernet0/24.7900 20:51:38: STP: VLAN0016 new root is 24592. When you enable UplinkFast. (If you change the path cost to 3000 or above.8afb.

changed state to administratively down 21:02:11: STP: VLAN0012 sent Topology Change Notice on Fa0/19 21:02:11: STP: VLAN0016 sent Topology Change Notice on Fa0/19 SW1(config-if)# 21:02:11: %LINK-5-CHANGED: Interface Port-channel1. Solution: Look at the following diagram. cost 3038 21:02:09: STP: VLAN0088 we are the spanning tree root 21:02:10: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1. you should find that the blocking interface is 0/19 on SW1 for VLAN 16: © 2009 Cisco Systems. Leave all path cost values on the links of VLAN 16 to the default set by Cisco IOS Software. changed state to down SW1(config-if)# Note Port 0/19 immediately moved to the forwarding state. Make SW2 the root bridge for VLAN 16 with priority 24576. Cisco 360 CCIE R&S Workshop 2 Assessment Lab 1 Answer Key 19 . If the link between SW2 and SW3 goes down. changed state to administratively down 21:02:11: %LINK-5-CHANGED: Interface FastEthernet0/24. make sure that forwarding on the link between SW1 and SW3 resumes without waiting for maximum aging time expiration. changed state to down 21:02:12: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24. changed state to down SW1(config-if)# 21:02:11: %LINK-5-CHANGED: Interface FastEthernet0/23. changed state to administratively down 21:02:12: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/23. Issue: Place the access interfaces 0/21 of SW2 and SW3 on the STP. and observe the spanning-tree events: SW1(config)#int po 1 SW1(config-if)#shut SW1(config-if)# 21:02:09: STP: VLAN0012 new root port Fa0/19. cost 3038 21:02:09: %SPANTREE_FAST-7-PORT_FWD_UPLINK: VLAN0012 FastEthernet0/19 moved to Forwarding (UplinkFast). 21:02:09: STP: VLAN0016 new root port Fa0/19.Shut down the port channel interface. Inc. By default.

If the link between SW2 and SW3 fails, as shown in the following diagram, SW1 cannot detect this failure, because it is not connected directly to the failed link. However, because SW3 is directly connected to the root switch over this link, it detects the failure, elects itself the root, and begins sending bridge protocol data units (BPDUs) to SW1, identifying itself as the root. When SW1 receives the inferior BPDUs from SW3, SW1 assumes that an indirect failure has occurred. At that point, BackboneFast allows the blocked interface on SW1 to move immediately to the listening state without waiting for the maximum aging time for the interface to expire. BackboneFast then transitions the Layer 2 interface on SW1 to the forwarding state, providing a path from SW3 to SW2. The root-switch election takes approximately 30 seconds, twice the forward delay time if the default forward delay time of 15 seconds is set. The following diagram shows how BackboneFast reconfigures the topology to account for the failure between SW2 and SW3.

If you use BackboneFast, you must enable it on all switches in the network.

Configuration and verification:

Configure the root bridge on SW2:

spanning-tree vlan 16 priority 24576

On SW2 and SW1, verify the blocking interface:

SW2#show spanning-tree vlan 16

VLAN0016
  Spanning tree enabled protocol ieee
  Root ID    Priority    24592
             Address     000a.8afb.2680
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24592  (priority 24576 sys-id-ext 16)
             Address     000a.8afb.2680
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/6            Desg FWD 19        128.8    P2p
Fa0/21           Desg FWD 19        128.21   P2p
Po1              Desg FWD 12        128.65   P2p
SW2#

SW1#show spanning-tree vlan 16

VLAN0016
  Spanning tree enabled protocol ieee
  Root ID    Priority    24592
             Address     000a.8afb.2680
             Cost        3012
             Port        65 (Port-channel1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    49168  (priority 49152 sys-id-ext 16)
             Address     000a.b7f7.7900
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 15
  Uplinkfast enabled

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 3019      128.8    P2p
Fa0/19           Altn BLK 3019      128.23   P2p
Po1              Root FWD 3012      128.65   P2p

SW1#

The blocking interface is on the link, just as on the diagram. Path cost and bridge priority are changed by the previous UplinkFast configuration.

Shut down the interface 0/21 of SW2, and observe the spanning-tree events on SW1:

SW1#debug spanning-tree events
Spanning Tree event debugging is on
SW1#
21:25:19: STP: VLAN0016 heard root 32784-0019.55af.7800 on Fa0/19
21:25:21: STP: VLAN0016 heard root 32784-0019.55af.7800 on Fa0/19
21:25:23: STP: VLAN0016 heard root 32784-0019.55af.7800 on Fa0/19
21:25:25: STP: VLAN0016 heard root 32784-0019.55af.7800 on Fa0/19
21:25:27: STP: VLAN0016 heard root 32784-0019.55af.7800 on Fa0/19
21:25:29: STP: VLAN0016 heard root 32784-0019.55af.7800 on Fa0/19
21:25:31: STP: VLAN0016 heard root 32784-0019.55af.7800 on Fa0/19
21:25:33: STP: VLAN0016 heard root 32784-0019.55af.7800 on Fa0/19
21:25:35: STP: VLAN0016 heard root 32784-0019.55af.7800 on Fa0/19
21:25:37: STP: VLAN0016 heard root 32784-0019.55af.7800 on Fa0/19
21:25:37: STP: VLAN0016 Fa0/19 -> listening
21:25:38: STP: VLAN0016 Topology Change rcvd on Fa0/19
21:25:38: STP: VLAN0016 sent Topology Change Notice on Po1
21:25:52: STP: VLAN0016 Fa0/19 -> learning
21:26:07: STP: VLAN0016 sent Topology Change Notice on Po1
21:26:07: STP: VLAN0016 Fa0/19 -> forwarding

In this example, it took about 18 seconds to get to a listening state.

Bring the interface 0/21 of SW2 back up, and configure BackboneFast on all switches configured for VLAN 16:

SW1#show run | inc backbone
spanning-tree backbonefast
SW1#

SW2#show run | inc backbone
spanning-tree backbonefast
SW2#

SW3#show run | inc backbone
spanning-tree backbonefast
SW3#
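The capture above (BackboneFast not yet configured) and the capture taken after BackboneFast is enabled, which follows, can be compared mechanically. The Python sketch below is an added example, not part of the answer key: its sample lines are rebuilt from the timestamps and events in those two captures, and the function names are hypothetical.

```python
import re

# Debug line shape: "<uptime hh:mm:ss>: STP: VLAN0016 <event>"
LINE_RE = re.compile(r"^(\d+):(\d{2}):(\d{2}): STP: (VLAN\d{4}) (.+)$")
HEARD_RE = re.compile(r"^heard root (\S+) on (\S+)$")
STATE_RE = re.compile(r"^(\S+) -> (listening|learning|forwarding)$")
STATES = ("listening", "learning", "forwarding")

HEARD = "STP: VLAN0016 heard root 32784-0019.55af.7800 on Fa0/19"

# Sample input rebuilt from the first capture (BackboneFast not configured).
CAPTURE_WITHOUT_BACKBONEFAST = "\n".join(
    ["21:25:%02d: %s" % (sec, HEARD) for sec in range(19, 38, 2)]
    + [
        "21:25:37: STP: VLAN0016 Fa0/19 -> listening",
        "21:25:38: STP: VLAN0016 Topology Change rcvd on Fa0/19",
        "21:25:38: STP: VLAN0016 sent Topology Change Notice on Po1",
        "21:25:52: STP: VLAN0016 Fa0/19 -> learning",
        "21:26:07: STP: VLAN0016 sent Topology Change Notice on Po1",
        "21:26:07: STP: VLAN0016 Fa0/19 -> forwarding",
    ]
)

# Sample input rebuilt from the second capture (BackboneFast on all switches).
CAPTURE_WITH_BACKBONEFAST = "\n".join([
    "21:40:47: %s" % HEARD,
    "21:40:47: STP: VLAN0016 Fa0/19 -> listening",
    "21:40:48: STP: VLAN0016 Topology Change rcvd on Fa0/19",
    "21:40:48: STP: VLAN0016 sent Topology Change Notice on Po1",
    "21:41:02: STP: VLAN0016 Fa0/19 -> learning",
    "21:41:17: STP: VLAN0016 sent Topology Change Notice on Po1",
    "21:41:17: STP: VLAN0016 Fa0/19 -> forwarding",
])


def summarize(log_text, vlan="VLAN0016", port="Fa0/19"):
    """Return the convergence phases (in seconds) for one port in one VLAN."""
    first_heard = None
    inferior_bpdus = 0
    entered = {}
    for raw in log_text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match or match.group(4) != vlan:
            continue  # console prompts, syslog lines, other VLANs
        stamp = (int(match.group(1)) * 3600 + int(match.group(2)) * 60
                 + int(match.group(3)))
        event = match.group(5)
        heard = HEARD_RE.match(event)
        state = STATE_RE.match(event)
        if heard and heard.group(2) == port:
            inferior_bpdus += 1
            if first_heard is None:
                first_heard = stamp
        elif state and state.group(1) == port:
            entered.setdefault(state.group(2), stamp)
    missing = [name for name in STATES if name not in entered]
    if first_heard is None or missing:
        raise ValueError("capture is incomplete for %s %s" % (vlan, port))
    return {
        "inferior_bpdus": inferior_bpdus,
        # Time spent blocking after the first inferior BPDU arrived.
        "blocking_wait": entered["listening"] - first_heard,
        "listening": entered["learning"] - entered["listening"],
        "learning": entered["forwarding"] - entered["learning"],
        "total": entered["forwarding"] - first_heard,
    }


def left_blocking_promptly(summary, hello_time=2):
    """True when the port left blocking within one hello interval."""
    return summary["blocking_wait"] <= hello_time


if __name__ == "__main__":
    for label, capture in (("without", CAPTURE_WITHOUT_BACKBONEFAST),
                           ("with", CAPTURE_WITH_BACKBONEFAST)):
        result = summarize(capture)
        print(label, "BackboneFast:", result,
              "prompt:", left_blocking_promptly(result))
```

In both captures the listening and learning phases each last one forward delay (15 seconds); only the wait in the blocking state differs.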

Shut down interface 0/21 of SW2, and observe the spanning-tree events:

21:40:47: STP: VLAN0016 heard root 32784-0019.55af.7800 on Fa0/19
21:40:47: STP: VLAN0016 Fa0/19 -> listening
21:40:48: STP: VLAN0016 Topology Change rcvd on Fa0/19
21:40:48: STP: VLAN0016 sent Topology Change Notice on Po1
21:41:02: STP: VLAN0016 Fa0/19 -> learning
21:41:17: STP: VLAN0016 sent Topology Change Notice on Po1
21:41:17: STP: VLAN0016 Fa0/19 -> forwarding

Port Fa0/19 moved to listening state right after it received the inferior BPDU from SW3.

Note: To obtain a comprehensive view of the configuration tasks in this section, access the Mentor Guide engine. With the Mentor Guide engine, you can enter more than 1000 Cisco IOS Software commands as well as a collection of proprietary commands such as show all.

3. IPv4 OSPF Section

Note: Configure all OSPF routers with only one OSPF process ID (PID). Use your IGP diagram to help guide configuration.

Issue: Allow backbone OSPF speakers to automatically discover each other, and elect a designated router (DR).

Solution: The OSPF network type “broadcast” is the correct answer here, fulfilling both tasks. OSPF speakers will “automatically” discover each other through the multicast address 224.0.0.5 during the initial hello exchange. The OSPF speakers will also elect at least a DR and possibly a backup designated router (BDR). In a Frame Relay hub-and-spoke topology, the DR must be on the hub router. No BDR should be elected in this topology, because all DROTHERs—routers that are neither DRs nor BDRs—must form an adjacency with both the DR and the BDR. Any other spoke router cannot form an OSPF adjacency with another spoke router. Therefore, a BDR cannot be designated in a hub-and-spoke topology. To ensure that the hub router is elected as the DR and that a spoke router is not elected as a BDR, use the ip ospf priority command on the spoke routers to set the priority to 0, which makes the spokes ineligible for DR or BDR election.

Issue: Configure OSPF Area 126 on the Frame Relay interface on R2.

Solution: Configure OSPF Area 126 on the R2 Frame Relay interface configured with the IPv4 address 172.16.62.2. You can use the OSPF router network command or the ip ospf PID area 126 interface command to accomplish this task. The network command was used in this answer key.

Issue: Add loopback 2 on R2 into the OSPF as an external route.

Solution: Add loopback 2 into OSPF using the redistribute connected command. Make sure that you filter the redistribution process so that only loopback 2 and no other connected network is injected into OSPF. Fulfill this filtering requirement by applying either a route map or a distribution list to the redistribution of the connected networks.

16.0 0.0.2/24 VL0 100 0 172.16.30.3.20.255 area 30 network 172.123.16. Cisco 360 CCIE R&S Workshop 2 Assessment Lab 1 Answer Key 23 .2.16.0 0.5/30 Fa0/0 100 25 172.0 0.0.16.123.2.255 area 126 ! access-list 1 permit 172.255 area 0 R3# R3#show ip ospf int brie Interface PID Area Se0/0/0 100 0 Lo30 100 30 Lo3 100 30 R3# IP Address/Mask 172.16.2/24 R2# R2#show ip ospf database external 172.0.20. Inc.0 (External Network Number ) Advertising Router: 172.16.0.16.0.0.5) (Process ID 100) Type-5 AS External Link States LS age: 267 Options: (No TOS-capability.0 0.0.123.5 LS Seq Number: 8000027C Checksum: 0x127C Length: 36 Network Mask: /24 Metric Type: 2 (Larger than any link state path) TOS: 0 Metric: 20 Forward Address: 0.0.3/24 172.20.3.16.3.62. DC) LS Type: AS External Link Link State ID: 172.62 100 126 172.3/22 3.255 ! route-map CONNECTED permit 10 match ip address 1 R2#show ip ospf int brie Interface PID Area IP Address/Mask Se0/0/0 100 0 172.16.62.0.25.16.255 area 30 network 172.16.0 Cost 64 1 1 1 64 State DROTH P2P P2P BDR P2P Nbrs F/C 1/1 1/1 0/0 1/1 0/0 OSPF Router with ID (172.0.16.2/24 Se0/0/0.0.router ospf 100 redistribute connected subnets route-map CONNECTED network 172.16.16.2/24 Lo20 100 20 172.0.0 External Route Tag: 0 R2# Issue: Place loopback 30 and loopback 3 in OSPF Area 30 on R3.25.3.3/24 Cost 64 1 1 State DROTH P2P P2P Nbrs F/C 1/1 0/0 0/0 © 2009 Cisco Systems.2.30. Solution: Configure OSPF Area 30 on R3 as requested in the scenario: R3#show run | section router ospf router ospf 100 log-adjacency-changes redistribute eigrp 1 subnets redistribute eigrp 2 subnets network 3.0 0.

0.5) (Process ID 100) Type-5 AS External Link States LS age: 480 Options: (No TOS-capability.0. Solution: R5 possesses a connection to R2 through Area 25.0 External Route Tag: 100 R2# Issue: Configure Area 25 between R2 and R5.16. The 0.0.0/0 prefix is just an extreme summary: R2#show ip ospf database external 0.0.” The scenario allows only the 3. R4 will not be able to reach all addresses in the test pod unless a gateway of last resort is set to R3.0 OSPF Router with ID (172.0. access the Mentor Guide engine.0. Note To obtain a comprehensive view of the configuration tasks in this section.5 LS Seq Number: 8000027C Checksum: 0xFDFD Length: 36 Network Mask: /0 Metric Type: 2 (Larger than any link state path) TOS: 0 Metric: 1 Forward Address: 0.0. you can enter more than 1000 Cisco IOS Software commands as well as a collection of proprietary commands such as show all.20.2.0 (External Network Number ) Advertising Router: 172. consider advertising a summary that includes the network.0 and its subnets do not appear in the routing tables of any router except R2. it requires a virtual link for Area 50. The scenario does not specify how the 3.16. With the Mentor Guide engine. DC) LS Type: AS External Link Link State ID: 0.0/8 prefix should be advertised from 24 Cisco 360 CCIE R&S Workshop 2 Assessment Lab 1 Answer Key © 2009 Cisco Systems.20. R5 also has a loopback interface assigned to Area 50. Add loopback 50 on R5 into OSPF as Area 50.0. IPv4 EIGRP Section Issue: Solving reachability issues on R4 Solution: The only IGP configured on R4 is Enhanced Interior Gateway Routing Protocol (EIGRP).0/8 prefix to be advertised from R3 to R4. .0. Because R5 maintains a connection to an area that has no direct connection to Area 0.0. An EIGRP speaker sets the gateway of last resort based on a 0.2.0. R5 has no direct connection to Area 0. Solution: The challenge in this task is to make the 2.0/24 network reachable throughout the pod without announcing it to any other router.0. Inc.0. 
Whenever you must make an unadvertised network reachable.0/0 network or a prefix marked as a “candidate default.0. However. The solution is provided by configuring defaultinformation originate always on R2. 4.0.0.Issue: Make sure that the network 2.

0/0 route learned from R2 through OSPF.0/0.0/0 prefix from R2. Add network 3. because it already has a necessary 0. it must use the ip default-network command referencing a non-0. 3.OSPF external type 2 i .EIGRP external.0.IS-IS level-1.0/0 prefix.connected.2.0. E2 .16.123.3. because any non-0. If R3 is configured to advertise a default route to the stub EIGRP R4.0. Configure the ip default-network command on R4: R4#sh run | inc ip default-network ip default-network 3.0.0.0.OSPF inter area N1 .periodic downloaded static route Gateway of last resort is 172.0. 2.0 on R4.16. 4.0.EIGRP.static.0 B 192.IS-IS inter area. .3.0/0 prefix. R3 learns the 0.0.3.RIP.OSPF.0.0/0 route. IA . N2 . The ip default-network command will take precedence over 0. This will provide a default route configuration for R4 referencing the next-hop router as R3. M . * .per-user static route o . L2 .0/0 prefix on R3.2.OSPF NSSA external type 1.0.0/24 [200/0] via 172.0.candidate default. If R3 references the 3.0 unreachable.255 network 172. EX .OSPF external type 1. EIGRP is not allowed to advertise the 0.BGP D .0. due to the constraints of this exam. U .R3 to R4.0.104. the EIGRP network statement is chosen in this answer key. R .3.0.IS-IS level-2 ia .0.0.2. this command will deactivate the use of the 0.0.1. consider the following progression of events: 1.0. So the solution to this issue is to configure ip default-network 3.0/8 prefix using the ip default-network command.0.0.3 to network 3.OSPF NSSA external type 2 E1 . The 0.0 R4# R4#sho ip route Codes: C .0/24 prefix on R2.34.168. You cannot use the ip default-network command on R3. To best understand this statement.mobile.16.0 in EIGRP AS1 on R3: router eigrp 1 network 3.ODR. Inc.0/0 on R3 allows R3 to reach the 2. S .2. 1d01h Cisco 360 CCIE R&S Workshop 2 Assessment Lab 1 Answer Key 25 © 2009 Cisco Systems.0. B .0.0. O .0.34.0.0 0. P .0 0.IS-IS.0. L1 . su .0.0. 
making network 2.0/0 prefix that is specified by ip default-network takes precedence over the 0.IS-IS summary.0.127 no auto-summary no eigrp log-neighbor-changes ! R4#show ip route summary IP routing table name is Default-IP-Routing-Table(0) IP routing table maximum-paths is 16 Route Source Networks Subnets Overhead Memory (bytes) connected 0 2 144 272 static 0 0 0 0 eigrp 1 1 0 72 136 bgp 64600 3 0 216 408 External: 0 Internal: 3 Local: 0 internal 1 1156 Total 5 2 432 1972 Removing Queue Size 0 R4# Note that R4 receives only an EIGRP prefix.

0 is directly connected.16. Null0 172.40.0/24 [90/156160] via 172. FastEthernet0/1 192.16.16.16.168. 1 Successor(s).0.0/25 [170/2588160] via 172.16.127 ! route-map CONNECTED permit 10 match ip address 1 ! R4#show ip eigrp 1 topology 172.0/25 IP-EIGRP (AS 1): Topology entry for 172.16.34. external metric is 0 Administrator tag is 0 (0x00000000) R4# R3#show ip route eigrp 3.1.16. FastEthernet0/1 D EX 172.0.100.0. Solution: Prefix 0. and the gateway of last resort is set to R3.40.40.16.0. Send flag is 0x0 Composite metric is (2585600/0). FD is 2585600 Routing Descriptor Blocks: 0.105.127 ! access-list 1 permit 172. from Rconnected.0.0/25 State is Passive.0/0 to be advertised from R3 to SW4.0.34.0/8 is a summary. FastEthernet0/1 R3# Issue: Allow only one prefix—the one that represents the entire IPv4 address space—to be advertised from R3 to SW4.40. 2w0d. 2 subnets 172.140.0/0 represents the entire IPv4 address space. .34.0 0. On R3.0/22 [200/0] via 172.0/8 [90/156160] via 172. 1d01h 172.0/25 is subnetted. filter all other prefixes. Solution: Redistribute the loopback 40 network as a connected network into EIGRP AS1 on R4: router eigrp 1 redistribute connected metric 1000 100 255 3 1500 route-map CONNECTED network 172.0.0.0.16. It is a default route.0.16. and allow only 0. 16 subnets.0.16.0.40.16. Issue: Add loopback 40 on R4 into EIGRP as an “EX” prefix.0.0/8 is variably subnetted.0/8 is a candidate default prefix.0.16. 2w0d.0/0 through OSPF.0. Inc. 2 masks D 3.168. Loopback40 172.0.40.0. Route is External Vector metric: Minimum bandwidth is 1000 Kbit Total delay is 1000 microseconds Reliability is 255/255 Load is 3/255 Minimum MTU is 1500 Hop count is 0 External data: Originating router is 172. 1d01h Note that the prefix 3.4.0/24 [200/0] via 172.16.0.0.0.0 is directly connected.34.123. R3 learns 0.1. 2 subnets. 3 masks D 172.0/16 is variably subnetted.123. Query origin flag is 1. 2w0d. FastEthernet0/1 192.0 0.3. redistribute OSPF into EIGRP AS2. 
2w0d.D* B C C B R4# 3.1 (this system) AS number of route is 0 External protocol is Connected.0.16. as shown: router eigrp 2 redistribute ospf 100 26 Cisco 360 CCIE R&S Workshop 2 Assessment Lab 1 Answer Key © 2009 Cisco Systems.34.40.0.0.16.

0.16.0.34. * .0 is directly connected.EGP i .140.16.0.0/16 is variably subnetted. 18 subnets.BGP D .0.0. access the Mentor Guide engine. 5 masks D 172.34.IS-IS summary.16.140.network 172. B .34. su . L2 . 18:08:12.0. S .16.RIP.80.0.34. Make sure that EIGRP AS2 is redistributed into OSPF to propagate loopback 140 to other routers.static.IS-IS level-1.0/8 is a summary.128 under interface VLAN 88. 1d19h.OSPF NSSA external type 1. Vlan34 SW4# On SW4.EIGRP.0 is directly connected.0/24 is subnetted.80.0 0.OSPF external type 1.0 172.OSPF NSSA external type 2 E1 . E . E2 .16.34. you can enter more than 1000 Cisco IOS Software commands as well as a collection of proprietary commands such as show all. FastEthernet0/0 D EX 172. Null0 172. R3#show ip route eigrp 3.periodic downloaded static route Gateway of last resort is 172.0 0.per-user static route o .16. R .34.OSPF external type 2.0 255.0/24 [90/156160] via 172. Issue: Restrict the advertisement of Routing Information Protocol (RIP) updates to the VLAN 17 and VLAN 88 interfaces only.16.0.IS-IS inter area. M . 5.255 auto-summary Verify the results on R3.0/25 on VLAN 88.16.mobile.0. Cisco 360 CCIE R&S Workshop 2 Assessment Lab 1 Answer Key 27 .255.40.34.16.3 to network 0.candidate default.127 default-metric 1000 100 3 255 1500 distribute-list 10 out FastEthernet0/0 auto-summary ! access-list 10 permit 0.0.0.0.16.connected.16. Solution: Configure this summary on SW1 with the command ip summary-address rip 172.16.IS-IS.0/8 is variably subnetted. O .4. IA . advertise loopback 140 with the EIGRP network statement: router eigrp 2 network 172. Vlan34 D*EX 0. P .IS-IS level-2 ia .EIGRP external.16. EX .0.0. N2 .0.0/0 [170/2585856] via 172. U . Loopback140 C 172.16.255.OSPF. 2 masks D 3.0/25 [170/2588160] via 172.140. L1 . 
FastEthernet0/0 R3# R3#sh run | beg router ospf router ospf 100 log-adjacency-changes redistribute eigrp 1 subnets redistribute eigrp 2 subnets R3# Note To obtain a comprehensive view of the configuration tasks in this section.255 network 172. 2 subnets.OSPF inter area N1 .0.40.0.3. With the Mentor Guide engine. IPv4 RIP Section Issue: Configure SW1 to send only a summary 172. 2 subnets C 172. Inc.0. 18:05:17.ODR.0 0.16. 1d19h. © 2009 Cisco Systems.0 Verify the results of the configuration on SW4: SW4#sh ip route Codes: C .

2 Verify static routing entries in the show ip route table on R6: R6#show ip route 0. traffic share count is 1 R6# Configure a default networks on SW2: ip route 0. You do not have to redistribute RIP into OSPF to provide reachability to RIP-originated networks.0. based on the lower delay.16. One could filter the more specific prefixes using a distribution list or route map.0. you can enter more than 1000 Cisco IOS Software commands as well as a collection of proprietary commands such as show all.1. access the Mentor Guide engine.16.1 ip route 0.16.1.0. The 0.0.Solution: Configure R1. select R1 as a gateway for the network 3.0 172.3.1.0 Routing entry for 0.1.0 0. Then.2. traffic share count is 1 * 172.0. Statically configure a default route to 1.0. metric 0. Solution: The lab general restrictions prohibit the use of static routes except for R6.62.1 Route metric is 0.6 on SW2.0.3.3/32.0.2 Route metric is 0.0 0.0/0.0. There are no fixed-length subnet mask (FLSM) or variable-length subnet mask (VLSM) issues. 6.6 Issue: R6 should be configured as a master controller and a border Cisco OER router.3. Inc.0. candidate default path Routing Descriptor Blocks: 172.3.2.0.16.0 172.16. Cisco OER and NAT Section Issue: Statically configure two default routes to 172. because RIP version 2 (RIPv2) is classless.16. including 2. This will provide full reachability from the RIP domain to the rest of the pod addresses. but this is not required.1 and 172.3/32 and.0.0/0 default generated on R2.16. R6 should measure a network delay to network 3.0.0.0 1. The RIP domain will receive the 0.0. distance 1. With the Mentor Guide engine.62.16. and SW1 with passive interface default. Issue: Solving reachability issues in the RIP domain Solution: You can redistribute OSPF into RIP on R1. Note To obtain a comprehensive view of the configuration tasks in this section.0/24 on R2.0.0/0 route will provide the reachability to these networks.62.0. .2 on R6.0 0. 
28 Cisco 360 CCIE R&S Workshop 2 Assessment Lab 1 Answer Key © 2009 Cisco Systems. Configure two default networks on R6: ip route 0. supernet Known via "static". disable passive interface on the VLAN 17 and VLAN and 88 interfaces with the no passive command.0.0.16. SW3.0.

Solution: Cisco OER provides automatic route optimization and load distribution for multiple connections between networks. Cisco OER is an integrated Cisco IOS Software solution that allows you to monitor IP traffic flows and then define policies and rules based on network delay, traffic class performance, link-load distribution, link bandwidth monetary cost, and traffic type.

Cisco OER deployment has two primary components: a master controller and one or more border routers. The master controller is a decision maker. Communication between the master controller and border router is protected by Message Digest 5 (MD5) authentication.

The following diagram illustrates R6 configured as a single router that is configured to run a master controller and border router process:

Note that a Cisco router that is configured to run both a master controller and border router process will use more memory than a router that is configured to run only a border router process. This memory impact should be considered when selecting a router for dual operation.

A Cisco OER-managed network must have at least two egress interfaces that can carry outbound traffic and can be configured as external interfaces. The router must also have one interface, reachable by the internal network, that can be configured as an internal interface.

There are three interface configurations required to deploy Cisco OER:

- External interfaces are configured as Cisco OER-managed exit links to forward traffic. Each border router must have at least one external interface, and a minimum of two external interfaces are required in a Cisco OER-managed network.
- Internal interfaces are used only for passive performance monitoring with NetFlow. At least one internal interface must be configured on each border router. The internal interface is configured as a Cisco OER internal interface on the master controller.
- Local interfaces are used only for master controller and border router MD5-protected communication.

Configure the Cisco OER master controller and the border router on R6. MD5 authentication is required. You can use any string in this lab, because the lab does not explicitly specify it. The string “OER” is used in this answer key:

key chain OER
 key 1
  key-string OER
!
oer master

 policy-rules prfx
 logging
 !
 border 1.1.1.6 key-chain OER
  interface FastEthernet0/0 internal
  interface FastEthernet0/1 external
  interface Serial0/0/0.62 external
 !
 learn
  delay
  periodic-interval 3
  monitor-period 1
 mode route control
 mode monitor active
 !
 active-probe echo 3.3.3.3
!
oer border
 logging
 local Loopback80
 master 1.1.1.6 key-chain OER
!

Internal communication between the master controller and the border router is illustrated in the following diagram:

Verification:

R6#show oer master
OER state: ENABLED and ACTIVE
  Conn Status: SUCCESS, PORT: 3949
  Number of Border routers: 1
  Number of Exits: 2
  Number of monitored prefixes: 1 (max 5000)
  Max prefixes: total 5000 learn 2500
  Prefix count: total 1, learn 0, cfg 1

Border           Status   UP/DOWN             AuthFail
1.1.1.6          ACTIVE   UP       2d22h          0
<skipped>

R6#show oer border
OER BR 1.1.1.6 ACTIVE, MC 1.1.1.6 UP/DOWN: UP 2d22h,
  Auth Failures: 0
  Conn Status: SUCCESS, PORT: 3949
  Exits
  Fa0/0           INTERNAL
  Fa0/1           EXTERNAL
  Se0/0/0.62      EXTERNAL
R6#

Issue: R6 should actively monitor a network delay to the network 3.3.3.3/32 by sending ICMP probes and, based on the lower delay, select R1 as a gateway for 3.3.3.3/32. If the ICMP probe fails between the R6 interface on VLAN 16 and the network 3.3.3.3/32, R6 should forward packets to R2.

Solution: Cisco OER uses three methods of traffic class performance measurement:

- Passive monitoring measures the performance metrics of traffic class entries while the traffic is flowing through the device, using NetFlow functionality.
- Active monitoring creates a stream of traffic that replicates a traffic class as closely as possible and measures the performance metrics of the traffic. Active monitoring uses integrated Cisco IOS IP Service Level Agreements (IP SLAs) functionality.
- Both active and passive monitoring are used to generate a more complete picture of traffic flows within the network.

There is a requirement for active monitoring of ICMP traffic between R6 and 3.3.3.3/32 in this lab:

oer master
 policy-rules prfx
 logging
 !
 border 1.1.1.6 key-chain OER
  interface FastEthernet0/0 internal
  interface FastEthernet0/1 external
  interface Serial0/0/0.62 external
 !
 learn
  delay
  periodic-interval 3
  monitor-period 1
 mode route control
 mode monitor active
 !
 active-probe echo 3.3.3.3
!
oer border
 logging
 local Loopback80
 master 1.1.1.6 key-chain OER
!
ip prefix-list prfx seq 5 permit 3.3.3.3/32
!
oer-map prfx 10
 match ip address prefix-list prfx
!
R6#

Note that R6 is configured with the command active-probe echo 3.3.3.3. Periodically, R6 will be sending the ICMP probes. If you run the debug ip icmp command on R6, you can see the ICMP echo replies from R3 to the ICMP probes:

16.uncontrolled. N .active probe all Prefix State Time Curr BR CurrI/F Protocol PasSDly PasLDly PasSUn PasLUn PasSLos PasLLos ActSDly ActLDly ActSUn ActLUn EBw IBw -------------------------------------------------------------------------------3. I .3/32: R6#show oer master prefix OER Prefix Statistics: Pas .Long term.6 Verify the watched prefix 3. Dly .Ingress. E .Packet Loss (packets-per-million). Los .” and “INPOLICY”—as R6 learns about the prefix.Not applicable U . Un . dst 172. + .3.control more specific. + .*May 22 17:16:35.3.443: ICMP: echo reply rcvd. Los .16.Active. N . E . Inc.3.Short term. * . Un .Egress.1.3.3.Delay (ms).3.unknown.Ingress.16.uncontrolled. @ .3.3.Unreachable (flows-per-million).3. dst 172.6 *May 22 17:16:35. src 3.Egress. Act .” “HOLDDOWN. L .3.3/32 HOLDDOWN 321 1.Passive. src 3. Dly .unknown. S .Bandwidth (kbps). .3. * .Bandwidth (kbps).control more specific.active probe all Prefix State Time Curr BR CurrI/F Protocol PasSDly PasLDly PasSUn PasLUn PasSLos PasLLos ActSDly ActLDly ActSUn ActLUn EBw IBw -------------------------------------------------------------------------------3.Unreachable (flows-per-million).62.3/32 DEFAULT* 36 U U R6# Verify the master controller policy: R6#show oer master policy Default Policy Settings: backoff 300 3000 300 delay relative 50 holddown 300 periodic 0 mode route control mode monitor active mode select-exit good loss relative 10 unreachable relative 50 resolve delay priority 11 variance 20 resolve utilization priority 12 variance 20 oer-map prfx 10 match ip prefix-lists: prfx backoff 300 3000 300 delay relative 50 holddown 300 periodic 0 mode route control mode monitor active mode select-exit good loss relative 10 unreachable relative 50 resolve delay priority 11 variance 20 resolve utilization priority 12 variance 20 * Overrides Default Policy Setting R6# The prefix will go through the different states—“DEFAULT.Packet Loss (packets-per-million).Passive.3. S .Long term.Short term.Not applicable U . I . 
@ .Active.6 Fa0/1 STATIC N N N N N N U U 0 0 N N R6# 32 Cisco 360 CCIE R&S Workshop 2 Assessment Lab 1 Answer Key © 2009 Cisco Systems. Act . L .1.Delay (ms). Bw .359: ICMP: echo reply rcvd. Bw . R6#show oer master prefix OER Prefix Statistics: Pas .

@ .3.16.Active.Ingress.Bandwidth (kbps).3. Un .control more specific.16.Long term.active probe all Prefix State Time Curr BR CurrI/F Protocol PasSDly PasLDly PasSUn PasLUn PasSLos PasLLos ActSDly ActLDly ActSUn ActLUn EBw IBw -------------------------------------------------------------------------------3.3.16.3.3.Unreachable (flows-per-million).1. © 2009 Cisco Systems.0.0.3. N .62.0.unknown. Cisco 360 CCIE R&S Workshop 2 Assessment Lab 1 Answer Key 33 .uncontrolled.16.16. S . L .R6#show oer master prefix OER Prefix Statistics: Pas .6 Fa0/1 STATIC N N N N N N 31 35 0 0 N N R6# *May 22 17:19:25. * .1 S* 0.0/0 [1/0] via 172. Dly .2 [1/0] via 172.16.6.16.6 or 172.Not applicable U .3.0/32 is subnetted.3.3/32 INPOLICY 0 1.0/24 with either source IP addresses 172. Inc. + . E .3 [1/0] via 172.62.Delay (ms).Egress. Act .0. Los . 1 subnets S 3.847: OER MC APC: R6#show ip route stat 3. I .1.Passive. Issue: IP packets that originated from SW2 should arrive on the network 3.1 R6# Note that the static route to the watched prefix 3.3/32 is added when it is in policy.Packet Loss (packets-per-million).16. Bw .Short term.

. and carefully look for hidden issues that might involve multiple tasks.1. see the following diagram: Network Address Translation (NAT) and Cisco OER configuration tasks are related. Tip Always read a CCIE lab exam end-to-end.Solution: Translate the source IP address 1.1. 34 Cisco 360 CCIE R&S Workshop 2 Assessment Lab 1 Answer Key © 2009 Cisco Systems.20 on R6. Inc.

I .62.Active. new NATs are given the source IP address of the interface that Cisco OER has selected for the packet. Verify the OER prefix before VLAN 16 pruning: R6#show oer master prefix OER Prefix Statistics: Pas .255.0 ip nat inside ! interface Serial0/0/0. When the oer keyword is configured. E . that has been added to the ip nat inside source command.255.255 ! ! route-map TR2 permit 10 match ip address 1 ! route-map TR1 permit 10 match ip address 1 ! ! Verification: This step is not required to perform during the lab.3.16.3.3. and Cisco OER forces existing flows to be routed through the interface for which the NAT was created.Ingress.3.3.Egress.62 point-to-point ip address 172.6 255. N .3.Passive.uncontrolled.16.255.0 ip nat outside ! ip nat inside source route-map TR1 interface FastEthernet0/1 overload oer ip nat inside source route-map TR2 interface Serial0/0/0. The static routing on R6 would not be able to detect this kind of failure and would continue forwarding traffic to R1. and Fa0/1 is used for forwarding as requested in the lab.6 Fa0/1 STATIC N N N N N N 31 34 0 0 N N R6# Note that the prefix 3.1.3/32 is in policy.0.unknown.3/32 INPOLICY 0 1.Packet Loss (packets-per-million).3/32 © 2009 Cisco Systems.active probe all Prefix State Time Curr BR CurrI/F Protocol PasSDly PasLDly PasSUn PasLUn PasSLos PasLLos ActSDly ActLDly ActSUn ActLUn EBw IBw -------------------------------------------------------------------------------3. Configure NAT on R6: interface FastEthernet0/0 ip address 1. it is provided in the answer key for education purposes.6 255.1.Unreachable (flows-per-million).control more specific.Short term. Inc. Un . Los . Run the following debug commands on R6: R6#debug oer master prefix 3.The solution also involves a minimal configuration change with a new keyword.Bandwidth (kbps). @ . Dly . * .255. Bw .255.Delay (ms).255.1.255.Long term.0. Act .6 255.16. S .Not applicable U . + .0 0. Cisco 360 CCIE R&S Workshop 2 Assessment Lab 1 Answer Key 35 . 
L .0 ip nat outside ! interface FastEthernet0/1 ip address 172.255. Verify a Cisco OER failover by removing VLAN 16 on the SW1 interface Fa0/1 that is connected to R1.1.62 overload oer ! ! access-list 1 permit 1. oer.

62.62 *May 22 18:33:17. * .3.1.975: OER MC PFX 3.Delay (ms).759: OER BR ACTIVE PROBE: Probe deletion completed. E .3. probeSourcePort = 0.3. State HOLDDOWN is a route-flapping prevention measure.3.3/32: Check ACT REL delay: delay 31.0. Reason Unreachable.3. SW1(config)#int fa 0/1 SW1(config-if)#no switchport access vlan 16 SW1(config-if)#end SW1# End with CNTL/Z.3.3/32: PDP start timer = 15 secs. and HOLDDOWN.2 probeIfIndex = 11. SAA index = 35 R6# Note that the Cisco OER detected an out of policy (OOP) condition based on the reason “unreachable.3.1.62.1.3. probeTargetPort R6# = 0 probeSource = Default.3.6 Se0/0/0. to select the new interface S0/0/0. notify FALSE *May 22 18:33:17. Los .3.3. probeNextHop = 172.3.3. Note that the Cisco OER on R6 detected that the prefix 3.Not applicable U .3. policy 50%.747: OER MC PFX 3.1.Active. Inc.1. probeTargetPort = 0 probeSource = 172.3.Unreachable (flows-per-million). probeTarget = 3.3.3. notify TRUE R6# In a few minutes: R6# *May 22 18:33:17. probeSourcePort = 0.Bandwidth (kbps).16.unknown.Packet Loss (packets-per-million). probeType = echo.0. R6#show oer master prefix OER Prefix Statistics: Pas . probeNextHop = Default probeIfIndex = 2 *May 22 18:33:17.uncontrolled.3. Act . Un .1.Egress. br = 1. + .3. probeType = echo.62 STATIC N N N N N N U U 0 0 N N R6# Also. to hold it for a default 5 minutes. proto 2.747: OER MC PFX 3.6 i/f = Se0/0/0.0. i/f = Se0/0/0. Cisco OER creates a new static route for 3.3. BR 1. probeNextHop = Default probeIfIndex = 11 *May 22 18:33:17.Passive.711: OER MC PFX 3. exact TRUE *May 22 18:33:17.6.1.3/32 through the S0/0/0. probeType = echo. I . policy 50%. prefix state = CHOOSE *May 22 18:33:17. one per line.3/32: Check ACT REL unreachable: unreachable 166666. S .747: OER MC PFX 3.Ingress. probeTarget = 3. probeTargetPort = 0 probeSource = Default. based on unreachable *May 22 18:33:17.1.711: OER MC PFX 3. N .3/32: PDP start timer = 300 secs.62.3.6. 
nexthop 0.979: OER BR ACTIVE PROBE: Creation of SAA probe completed successfully.3/32 is unreachable: R6# *May 22 18:30:26.Long term.3.3.62.control more specific.3/32: Check ACT REL unreachable: unreachable 166666.Short term.62.3.1. probeSourcePort = 0.975: OER MC PFX 3. L . .3. @ .16. i/f Se0/0/0. at this step.3.747: OER MC PFX 3.1.3/32.62. OOP Reason Unreachable *May 22 18:33:17.62 interface: 36 Cisco 360 CCIE R&S Workshop 2 Assessment Lab 1 Answer Key © 2009 Cisco Systems.active probe all Prefix State Time Curr BR CurrI/F Protocol PasSDly PasLDly PasSUn PasLUn PasSLos PasLLos ActSDly ActLDly ActSUn ActLUn EBw IBw -------------------------------------------------------------------------------3.975: %OER_MC-5-NOTICE: Route changed 3.3/32: Start FWD on new exit. Bw . probeTarget = 3. seq 1812.3. br = 1.3.” The Cisco OER transitions through the states CHOOSE. prefix state = HOLDDOWN *May 22 18:33:17.OER Master Prefix debugging is on R6#debug oer border active-probes OER Border Router Active Probes debugging is on Remove VLAN 16 on SW1 interface Fa0/1: SW1#conf t Enter configuration commands.6.6 Se0/0/0.3.771: OER BR ACTIVE PROBE: Probe deletion completed.3.3/32 HOLDDOWN 318 1.3. policy 50%. notify TRUE *May 22 18:30:26.3/32: Best exit is 1.3. Dly .3.3/32: prefix_status 0 received.

I . E .3.Not applicable U . notify FALSE *May 22 18:38:40. prefix state = HOLDDOWN.6 Se0/0/0. Dly .3.uncontrolled.Short term.1 R6# In about 5 minutes: R6# *May 22 18:38:40.Packet Loss (packets-per-million).3/32: PDP choose exit. With the Mentor Guide engine.3. + .3 Type escape sequence to abort. 0 *May 22 18:38:40.3.0.863: OER MC PFX 3.3.3. N . @ . Un .3/32 is in policy through the S0/0/0/.Unreachable (flows-per-million).Ingress. S .Active. Border Gateway Protocol Section Issue: © 2009 Cisco Systems.3. Note To obtain a comprehensive view of the configuration tasks in this section. Inc.Delay (ms). policy 50%.3.62. you can enter more than 1000 Cisco IOS Software commands as well as a collection of proprietary commands such as show all. prefix state = INPOLICY R6#show oer master prefix OER Prefix Statistics: Pas .Long term. notify FALSE *May 22 18:38:40.0.3.Bandwidth (kbps).16.16.0.3.0/0 [1/0] via 172.3/32: Check ACT REL delay: delay 99. 100-byte ICMP Echos to 3. L .3. Sending 5. Do not forget to add the SW1 interface Fa0/1 to VLAN 16 after you complete testing: SW1#conf t Enter configuration commands.0.3.R6#show ip route static 3.3.16.3.863: OER MC PFX 3.Passive.62 interface: SW2#ping 3.3:25 Outside global 3.863: OER MC PFX 3.1.3:25 Note that the packet is forwarded out the S0/0/0. policy 50%.0/32 is subnetted.62 interface of R6 and is translated according to the NAT rules. as specified in the lab.1.3. Act .3.62. * .3.Egress.3.6:25 1.1.3/32 INPOLICY 0 1.16.3.2 [1/0] via 172.16.3 [1/0] via 172.active probe all Prefix State Time Curr BR CurrI/F Protocol PasSDly PasLDly PasSUn PasLUn PasSLos PasLLos ActSDly ActLDly ActSUn ActLUn EBw IBw -------------------------------------------------------------------------------3.control more specific. SW1(config)#int fa 0/1 SW1(config-if)#switchport access vlan 16 SW1(config-if)# End with CNTL/Z. timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5). 1 subnets S 3. Los .2 S* 0. 
Bw .3.3/32: PDP no start timer.62 STATIC N N N N N N 99 99 0 0 N N R6# Note that the prefix 3.3. Cisco 360 CCIE R&S Workshop 2 Assessment Lab 1 Answer Key 37 . 7.3.3.20:25 R6# Outside local 3.62.3/32: Check ACT REL unreachable: unreachable 0. access the Mentor Guide engine. one per line.unknown.863: OER MC PFX 3.1. round-trip min/avg/max = 151/151/151 ms SW2# R6#show ip nat translations Pro Inside global Inside local icmp 172.

7. Border Gateway Protocol Section

Issue: Originate the following prefixes from SW3 with the origin code “incomplete.”

Solution: Do not use the network command to originate these prefixes in Border Gateway Protocol (BGP). Instead, use redistribution. When prefixes are originated in BGP through redistribution, their origin code is set to “incomplete.”

Issue: Do not form a BGP peer relationship between R2 and R4. Use the AS numbers that are given in the exam.

Solution: R2, R3, and R4 are Internal BGP (IBGP) speakers within the same AS. By default, a full mesh of IBGP neighbor relationships must be formed between IBGP speakers. However, because you are instructed not to form a BGP peer relationship between R2 and R4, you cannot form a full mesh. The remedy for this non-full-mesh requirement is to configure a route reflector on R3.

The following diagram will help you understand the configuration of the BGP section:

Issue: Make sure that all BGP speakers in AS64600 have the following prefixes in their BGP and IP routing tables: (1) 192.168.104.0/24, (2) 192.168.105.0/24, and (3) a summary for the remaining prefixes that are advertised by SW3 through BGP. The summary must have the same AS path attribute as its constituents.

Solution: Configure the BGP aggregate command as follows:

aggregate-address 192.168.100.0 255.255.252.0 as-set summary-only

Apply this configuration on R1. This aggregate covers the prefixes 192.168.100.0/24, 192.168.101.0/24, 192.168.102.0/24, and 192.168.103.0/24. The specified additional subnets, 192.168.104.0/24 and 192.168.105.0/24, will also be advertised. By default, the longer matching subnets of an aggregate are advertised with

the aggregate. This behavior is suppressed with the summary-only command. Including the as-set option in the aggregate statement can fulfill the second requirement.

Issue: All BGP speakers should have only a classful prefix of the IP address assigned to the R3 loopback 3 interface in their BGP tables.

Solution: Originate the 3.0.0.0/8 network on R3 into BGP using a network statement without a mask. This will originate the classful prefix for the Class A address 3.0.0.0 into BGP. Using a 3.3.3.0/24 network statement and then aggregating it to 3.0.0.0/8 would not meet the requirement.

Issue: On SW3, this major network should be shown as originated from AS100.

Solution: Apply the remove-private-as command to the neighbor relationship between R1 and SW3.

Issue: Use the synchronization method on R2 and R3.

Solution: The rule of synchronization requires that all routes learned from an IBGP peer must have matching routes in the forwarding table from a source other than BGP. To synchronize 3.0.0.0/8 on R2, R3 must advertise the classful prefix into OSPF. One way to do this would be to configure an interarea summary. You can satisfy the synchronization requirement on R3 by redistributing BGP into OSPF on R2. You must disable synchronization on R4, because R4 must receive only the 3.3.3.0 prefix from R3 through EIGRP.

Issue: Allow into BGP AS11111 only prefixes that have one of the following AS numbers in their AS path: 51, 524, 523, and 52323. Use the minimal number of statements and characters in the filtering solution.

Solution: AS path-based filtering can be used to accomplish this goal. Examine the following regular expression:

ip as-path access-list 1 permit _5(1|24|23(23)?)_
                                !! !!! !!  !    !
                                !! !!! !!  !    +--- matches other AS numbers or EOL
                                !! !!! !!  +--- or optionally an additional 23, for example 52323
                                !! !!! !+--- 23, for example 523
                                !! !!! +--- or
                                !! !!+--- 24, for example 524
                                !! !+--- or
                                !! +--- match 1 for example 51
                                !+--- must match 5, for example 5
                                +--- matches other transit AS numbers or BOL

The regular expression that is displayed includes a few special characters that deserve a detailed description. The parentheses “( )” are reserved regular expression symbols that group all the characters enclosed within them as a single entity. Within the “( )” grouping are a series of vertical bars, “|.” These symbols are reserved regular expressions that represent a logical OR operation. When combined, you can use these symbols in the following manner: _5(1|24)_. This regular expression will match on an AS number that begins with 5 and is appended by one of two possible combinations, 1 OR 24. The result of this regular expression is that it will match: 51 OR 524.

The “?” symbol is a reserved regular expression expansion character. Whatever symbol is to the immediate left of the “?” symbol can be present in the desired matching string or it can be absent. For example, the regular expression 52? will match one of two possible strings: 5 or 52. By grouping the string of digits 23 together in the regular expression of this task (23)? the effect is that the AS number that possesses an additional string of 23 will be matched, for example, 52323 or the additional 23 will be ignored, for example, 523.

Finally, the underscore symbol will match on the following: beginning of line, end of line, or some delimiter such as a blank space. Beginning and ending the regular expression with underscores ensures that the entire expression will match one and only one AS number.

Other acceptable expressions would include _5(1|24|23|2323)_ and _5(1|24|(23)+)_. The plus sign (+) indicates “one or more of the previous,” which would match on 23, 2323, 232323, and so on. The latter expression is only 15 characters but assumes that the AS path field will never grow beyond 16 bits.

Issue: Summarize the received prefixes on R5 with an optimal mask. The summary must not be listed in the BGP tables of the other routers. The solution should work even if new BGP peer relationships are added in the future without any additional configuration.

Solution: This task can be accomplished by using prefix aggregation under the BGP routing process:

aggregate-address 172.17.0.0 255.255.224.0 summary-only attribute-map NOADV
route-map NOADV permit 10
 set community no-advertise

By changing the community attribute to the well-known community no-advertise, you stop R5 from advertising the aggregate to any peer.

R5#sho ip bgp 172.17.0.0/19
BGP routing table entry for 172.17.0.0/19, version 6
Paths: (1 available, best #1, table Default-IP-Routing-Table, not advertised to any peer)
  Not advertised to any peer
  Local, (aggregated by 11111 172.16.50.1)
    0.0.0.0 from 0.0.0.0 (172.16.50.1)
      Origin IGP, localpref 100, weight 32768, valid, aggregated, local, atomic-aggregate, best
      Community: no-advertise
R5#

Another solution would be to use the distribute-list out command under the BGP process.

Note: To obtain a comprehensive view of the configuration tasks in this section, access the Mentor Guide engine. With the Mentor Guide engine, you can enter more than 1000 Cisco IOS Software commands as well as a collection of proprietary commands such as show all.
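The AS-path filter from the BGP section can be checked offline before it is pasted into a router. The following Python sketch is an added example, not part of the answer key: the function names and the sample AS paths are constructed for illustration, and the AS path is assumed to be the space-separated text that show ip bgp prints.

```python
import re

# In Cisco IOS AS-path regular expressions "_" matches the start or end of
# the string, a space, a comma, or a brace/parenthesis. The other operators
# used on this page, ( ) | ? +, behave the same way in Python's re module.
IOS_UNDERSCORE = r"(?:^|$|[ ,{}()])"


def to_python_regex(ios_regex):
    """Translate an IOS AS-path regex into a compiled Python pattern."""
    return re.compile(ios_regex.replace("_", IOS_UNDERSCORE))


def permitted(ios_regex, as_path):
    """True if a permit entry with ios_regex matches the AS path text.

    as_path is the AS_PATH as text, e.g. "100 524 300" or "100 {51,300}".
    """
    return to_python_regex(ios_regex).search(as_path) is not None


# The three expressions discussed in the BGP section.
FILTERS = {
    "answer": "_5(1|24|23(23)?)_",
    "enumerated": "_5(1|24|23|2323)_",
    "plus": "_5(1|24|(23)+)_",
}

# Constructed AS paths (not taken from the lab) with the verdict the task
# requires: only AS 51, 524, 523 or 52323 somewhere in the path is allowed.
SAMPLE_PATHS = [
    ("51", True),
    ("100 524", True),
    ("523 64600", True),
    ("100 52323 200", True),
    ("100 {51,300}", True),    # AS_SET, as produced by an as-set aggregate
    ("5", False),
    ("52 3", False),
    ("151 200", False),
    ("100 5240", False),
    ("1523 100", False),
    ("100 5232323", False),    # one "23" too many
]


def evaluate(filters=FILTERS, paths=SAMPLE_PATHS):
    """Return {filter name: [paths where the filter disagrees with the task]}."""
    wrong = {}
    for name, ios_regex in filters.items():
        wrong[name] = [path for path, wanted in paths
                       if permitted(ios_regex, path) != wanted]
    return wrong


if __name__ == "__main__":
    for name, mismatches in evaluate().items():
        print(f"{name:10} {FILTERS[name]:20} mismatches: {mismatches}")
```

Only the (23)+ form disagrees with the task, on 5232323: that value cannot occur as a 16-bit AS number, which is the assumption stated for that expression, but it is a valid 4-byte AS number and would pass the filter.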

Connectivity verification: You can verify universal reachability with a simple Tool Command Language (Tcl) script, like the one shown below. You can create it once in Notepad and then paste it into each router. To test for stability, observe the output of the debug ip routing command. It shows you each time that a route goes into or out of the routing table. It is useful for detecting route feedback. Finally, test for optimal paths. The definition of optimal can be related to specific lab tasks, but there are certain general rules that you should enforce. Using the show ip route command with some of its extensions can help you focus on the needed information. For example, use show ip route rip, show ip route | include E, show ip route | include /22, show ip route | include Serial0/0/0, and so on.

Simple Tcl Script to Test for Universal Reachability

foreach address { ... } { ping $address}

8. IPv6 Routing Section

Issue: Configure IPv6 addresses and the RIP next generation (RIPng) routing process “frame.” Change the port and multicast address for the process “frame.”

Solution: Before you start configuring the IPv6 routing protocols, enter ipv6 unicast-routing in global configuration mode on the IPv6 routers. Then, configure IPv6 addresses on the Frame Relay link between R1, R2, and R3. Map the remote IPv6 addresses to the local DLCIs. This configuration is similar to IPv4, except that you do not have to provide mapping for the local IPv6 addresses to be able to ping them.

R1:
interface Serial0/0/0.123 multipoint
 ipv6 address 1230::1/16
 ipv6 address FE80::123:1 link-local
 ipv6 rip frame enable
 frame-relay map ipv6 1230::2 102
 frame-relay map ipv6 1230::3 103
 frame-relay map ipv6 FE80::123:2 102 broadcast
 frame-relay map ipv6 FE80::123:3 103 broadcast

R2:
interface Serial0/0/0
 ipv6 address 1230::2/16
 ipv6 address FE80::123:2 link-local

 ipv6 rip frame enable
 frame-relay map ipv6 1230::1 201
 frame-relay map ipv6 1230::3 201
 frame-relay map ipv6 FE80::123:1 201 broadcast
 frame-relay map ipv6 FE80::123:3 201 broadcast

R3:
interface Serial0/0/0
 ipv6 address 1230::3/16
 ipv6 address FE80::123:3 link-local
 ipv6 rip frame enable
 frame-relay map ipv6 1230::1 301
 frame-relay map ipv6 1230::2 301
 frame-relay map ipv6 FE80::123:1 301 broadcast
 frame-relay map ipv6 FE80::123:2 301 broadcast

To verify connectivity within the Frame Relay subnet, ping each Frame Relay address from each connected router, as follows:

R2#ping 1230::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1230::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R2#ping 1230::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1230::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
R2#ping 1230::3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1230::3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/49/128 ms
R2#ping fe80::123:2
Output Interface: Serial0/0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FE80::123:2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R2#ping fe80::123:1
Output Interface: Serial0/0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FE80::123:1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R2#ping fe80::123:3
Output Interface: Serial0/0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FE80::123:3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/50/128 ms

Next, configure other IPv6 addresses in the RIP domain and RIPng routing processes according to the scenario specifications:

R1:
interface Serial0/0/0.123 multipoint
 ipv6 address 1230::1/16
 ipv6 address FE80::123:1 link-local
 ipv6 rip frame enable
 frame-relay map ipv6 1230::2 102
 frame-relay map ipv6 1230::3 103
 frame-relay map ipv6 FE80::123:2 102 broadcast
 frame-relay map ipv6 FE80::123:3 103 broadcast
!
ipv6 router rip frame
 redistribute ospf 1 metric 3

 no split-horizon
 port 65000 multicast-group FF02::9999

R2:
interface Serial0/0/0
 ipv6 address 1230::2/16
 ipv6 address FE80::123:2 link-local
 ipv6 rip frame enable
 frame-relay map ipv6 1230::1 201
 frame-relay map ipv6 1230::3 201
 frame-relay map ipv6 FE80::123:1 201 broadcast
 frame-relay map ipv6 FE80::123:3 201 broadcast
ipv6 router rip frame
 port 65000 multicast-group FF02::9999
!

R3:
interface Serial0/0/0
 ipv6 address 1230::3/16
 ipv6 address FE80::123:3 link-local
 ipv6 rip frame enable
!
ipv6 router rip frame
 port 65000 multicast-group FF02::9999

Note that the RIP port and the multicast address are changed under the RIP process. You also have to configure the port and the multicast address between R3 and SW4, because they are in the same RIP instance frame.

SW4#sh run | beg ipv6 router rip
ipv6 router rip frame
 port 65000 multicast-group FF02::9999
SW4#

To configure IPv4 and IPv6 protocols on Cisco Catalyst 3560 Series Switches, activate the dual-stack template. The dual-ipv4-and-ipv6 default template is used in this answer key. Look at the following configuration and the Cisco IOS Software output. The output was generated on SW4:

SW4(config)#sdm prefer dual-ipv4-and-ipv6 default
Changes to the running SDM preferences have been stored, but cannot take effect until the next reload.
Use 'show sdm prefer' to see what SDM preference is currently active.
SW4(config)#end

Save your running configuration, and reload the switches:

SW4#write memory
Building configuration...
1d01h: %SYS-5-CONFIG_I: Configured from console by console[OK]
SW4#reload
Proceed with reload? [confirm]

When the switch comes back up, verify the current template:

SW4#show sdm prefer
 The current template is "desktop IPv4 and IPv6 default" template.
 The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs.
  number of unicast mac addresses:                  2K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    3K
    number of directly-connected IPv4 hosts:        2K
    number of indirect IPv4 routes:                 1K
  number of IPv6 multicast groups:                  1152
  number of directly-connected IPv6 addresses:      2K
  number of indirect IPv6 unicast routes:           1K

  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      512
  number of IPv4/MAC security aces:                 1K
  number of IPv6 policy based routing aces:         0
  number of IPv6 qos aces:                          510
  number of IPv6 security aces:                     510
SW4#

To exchange RIP updates between the spokes R2 and R3, disable split horizon on the hub router R1.

Issue: Configure IPv6 addresses and IPv6 OSPF Area 0 on the VLAN 16 link between R1 and R6 and Area 80 on the loopback 80 interface of R6. Use the OSPF network type that does not elect a DR or BDR and that would permit additional OSPF routers on the link.

Solution: First, issue the ipv6 unicast-routing command on the IPv6 routers. Then, assign routable and link-local addresses on each required interface, and add them to the IPv6 OSPF process, as shown:

R1:
interface FastEthernet0/0
 encapsulation dot1Q 16
 ipv6 address 1600::1/16
 ipv6 address FE80::16:1 link-local
 ipv6 ospf network point-to-multipoint
 ipv6 ospf 1 area 0
!
ipv6 router ospf 1
 log-adjacency-changes

R6:
interface Loopback80
 ipv6 address 8000::1/16
 ipv6 ospf network point-to-point
 ipv6 ospf 1 area 80
!
interface FastEthernet0/1
 ip address 172.16.16.6 255.255.255.0
 duplex auto
 speed auto
 ipv6 address 1600::6/16
 ipv6 address FE80::16:6 link-local
 ipv6 ospf network point-to-multipoint
 ipv6 ospf 1 area 0
!
ipv6 router ospf 1

Notice that the IPv6 OSPF network type on the Fast Ethernet interfaces defaults to broadcast. The scenario requires that you choose the OSPF network type that does not elect a DR and BDR. The point-to-point network type would meet this requirement, but it would not permit more than two OSPF neighbors on the link. Therefore, change the network type on R1 and R6 to point-to-multipoint or point-to-multipoint nonbroadcast:

R1#show ipv6 ospf int fa 0/0
FastEthernet0/0 is up, line protocol is up
  Link Local Address FE80::16:1, Interface ID 13
  Area 0, Process ID 1, Instance ID 0, Router ID 172.16.10.1
  Network Type POINT_TO_MULTIPOINT, Cost: 1
  Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT,
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
    Hello due in 00:00:07
  Index 1/1/1, flood queue length 0
  Next 0x0(0)/0x0(0)/0x0(0)
  Last flood scan length is 3, maximum is 6
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 2, Adjacent neighbor count is 2

the point-to-multipoint OSPF network type generates host routes for devices on the subnet. OE1 . Configure the redistribute connected command into both RIP and OSPF.OSPF inter.Static. B .Per-user Static route I1 .OSPF ext 2 ON1 .OSPF NSSA ext 2 O 1600::6/128 [110/1] via FE80::16:6.ISIS L2.OSPF intra.80.BGP U .9 entries Codes: C . S .OSPF ext 1. OI .Connected.16. IPv6 Redistribution Strategy On R1.ISIS L1. mutually redistribute the RIPng frame process and IPv6 OSPF into each other.ISIS summary O . they are /128.16.16.ISIS interarea. OE2 . Inc. FastEthernet0/0 R1# Just as with IPv4.16. IS .Adjacent with neighbor 172.RIP. ON2 .30 Suppress hello for 0 neighbor(s) R1#show ipv6 ospf neighbor Neighbor ID 172.OSPF NSSA ext 1. I2 .97 Adjacent with neighbor 172.62. In the case of IPv6. Cisco 360 CCIE R&S Workshop 2 Assessment Lab 1 Answer Key 45 . L .6 R1# Pri 1 State FULL/ Dead Time 00:01:45 Interface ID 4 Interface FastEthernet0/0 R1#show ipv6 route ospf IPv6 Routing Table . R . FastEthernet0/0 OI 8000::/16 [110/2] via FE80::16:6. This diagram illustrates the steps described: IPv6 OSPF R1 RIPng frame IPv6 CONNECTED Configuration and verification: R1: ipv6 router ospf 1 log-adjacency-changes redistribute connected redistribute rip frame ! ipv6 router rip frame redistribute connected metric 3 redistribute ospf 1 metric 3 no split-horizon © 2009 Cisco Systems. IA . or use the include-connected keyword where available.Local.

 port 65000 multicast-group FF02::9999

Here is a Tcl script that you can use to verify connectivity between the IPv6 addresses:

foreach address {
1230::1
1600::1
1230::2
1230::3
3400::3
1600::6
8000::1
3400::40
1400::1
} {ping $address}

Note: To obtain a comprehensive view of the configuration tasks in this section, access the Mentor Guide engine. With the Mentor Guide engine, you can enter more than 1000 Cisco IOS Software commands as well as a collection of proprietary commands such as show all.

9. Security Section

Issue: The IPv4 options are not used very much in modern networks, and your supervisor decided to drop all IP traffic containing IP options on R5. Do not apply the solution to any interface.

Solution: Here is the format of an IP datagram:

There may, or may not, be an option field. If there is one, it can vary in length. The following diagram expands the IP Options field:

The IP options values are documented at http://www.iana.org/assignments/ip-parameters.
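As an added illustration (not part of the answer key), the following Python sketch shows what a device has to read to decide that a packet contains IP options: the header length field and the option type bytes from the IANA registry referenced above. The helper names, the documentation-range addresses and the sample headers are constructed for this example, and the verdict function is only a model of a drop-all-options policy.

```python
import socket
import struct

# Option numbers from the IANA ip-parameters registry.
OPTION_NAMES = {
    0: "End of Options List", 1: "No Operation", 7: "Record Route",
    68: "Timestamp", 130: "Security", 131: "Loose Source Route",
    137: "Strict Source Route", 148: "Router Alert",
}


def checksum(header):
    """RFC 791 header checksum: one's-complement sum of 16-bit words."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_header(src, dst, options=b"", payload_len=80, proto=1):
    """Build an IPv4 header; options are zero-padded to a 32-bit boundary."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    if ihl > 15:
        raise ValueError("options do not fit: IHL is a 4-bit field")
    fields = [(4 << 4) | ihl, 0, ihl * 4 + payload_len, 0, 0, 255, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    header = struct.pack("!BBHHHBBH4s4s", *fields) + options
    fields[7] = checksum(header)
    return struct.pack("!BBHHHBBH4s4s", *fields) + options


def parse_options(header):
    """Return the options carried in an IPv4 header as a list of dicts."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = header[0] & 0x0F
    if ihl < 5 or len(header) < ihl * 4:
        raise ValueError("bad or truncated header length")
    area, found, i = header[20:ihl * 4], [], 0
    while i < len(area):
        kind = area[i]
        if kind in (0, 1):            # single-byte options, no length field
            length = 1
        else:
            if i + 1 >= len(area) or not 2 <= area[i + 1] <= len(area) - i:
                raise ValueError("malformed option length")
            length = area[i + 1]
        found.append({"type": kind, "name": OPTION_NAMES.get(kind, "other"),
                      "copied": bool(kind & 0x80), "class": (kind >> 5) & 3,
                      "number": kind & 0x1F, "length": length})
        if kind == 0:                 # End of Options List: rest is padding
            break
        i += length
    return found


def options_drop_verdict(header):
    """Model of a drop-all-options policy: any options area means drop."""
    return "drop" if (header[0] & 0x0F) > 5 else "forward"


# Constructed headers: a plain one, and one carrying a 40-byte Timestamp
# option (type 68, length 40, pointer 5, overflow/flags 0, nine empty slots).
PLAIN = build_header("192.0.2.1", "192.0.2.50")
WITH_TIMESTAMP = build_header("192.0.2.1", "192.0.2.50",
                              options=bytes([68, 40, 5, 0]) + bytes(36))

if __name__ == "__main__":
    for label, hdr in (("plain", PLAIN), ("timestamp", WITH_TIMESTAMP)):
        print(label, len(hdr), parse_options(hdr), options_drop_verdict(hdr))
```

A 40-byte option fills the header to its 60-byte maximum, because the 4-bit header length field counts at most fifteen 32-bit words.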

The ACL IP Options Selective Drop feature, integrated into Cisco IOS Software Release 12.3(4)T, allows Cisco routers to filter packets containing IP options or to mitigate the effects of IP options on a router or downstream routers by dropping these packets or ignoring the processing of the IP options. The ignore option is not available in the Cisco IOS Software release used to generate this answer key. Configure ip options drop on R5.

Verification: Verify that R5 does not drop IP packets with no IP options:

R1#ping 172.16.50.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.50.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/39/40 ms

Verify that R5 does drop the IP packets with IP options. The timestamp IP option is used in this test:

R1#ping
Protocol [ip]:
Target IP address: 172.16.50.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]: Time
Number of timestamps [ 9 ]:
Loose, Strict, Record, Timestamp, Verbose[TV]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.50.1, timeout is 2 seconds:
Packet has IP options:  Total option bytes= 40, padded length=40
 Timestamp: Type 0.  Overflows: 0 length 40, ptr 5
  >>Current pointer<<
  Time= 00:00:00.000 UTC (00000000)
  Time= 00:00:00.000 UTC (00000000)
  Time= 00:00:00.000 UTC (00000000)
  Time= 00:00:00.000 UTC (00000000)
  Time= 00:00:00.000 UTC (00000000)
  Time= 00:00:00.000 UTC (00000000)
  Time= 00:00:00.000 UTC (00000000)
  Time= 00:00:00.000 UTC (00000000)
  Time= 00:00:00.000 UTC (00000000)

Request 0 timed out
Request 1 timed out
Request 2 timed out
Request 3 timed out
Request 4 timed out
Success rate is 0 percent (0/5)

You can see the statistics in the output of the following command:

R5#show ip traffic
IP statistics:
  Rcvd:  5551 total, 5527 local destination
         0 format errors, 0 checksum errors, 0 bad hop count
         10 unknown protocol, 0 not a gateway
         0 security failures, 0 bad options, 0 with options
  Opts:  0 end, 0 nop, 0 basic security, 0 loose source route
         0 timestamp, 0 extended security, 0 record route
         0 stream ID, 0 strict source route, 0 alert, 0 cipso, 0 ump
         0 other
  Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
         0 fragmented, 0 fragments, 0 couldn't fragment

  Bcast: 145 received, 0 sent
  Mcast: 3799 received, 3595 sent
  Sent:  5146 generated, 10 forwarded
  Drop:  1 encapsulation failed, 0 unresolved, 0 no adjacency
         0 no route, 0 unicast RPF, 0 forced drop
         5 options denied
  Drop:  0 packets with source IP address zero
  Drop:  0 packets with internal loop back IP address
R5#

Issue: An imaginary intrusion prevention system (IPS) probe with the MAC address 0007.ebaa.0e00 is residing on VLAN 16. One in every five packets of the incoming traffic from the network 172.16.50.0/24 destined to the network 172.16.77.0/24 must be exported to the IPS probe.

Solution: The IP Traffic Export feature, introduced in Cisco IOS Software Release 12.3(4)T, allows users to configure their router to export IP packets that are received on multiple, simultaneous WAN or LAN interfaces. The unaltered IP packets are exported on a single LAN or VLAN interface, easing deployment of protocol analyzers and monitoring devices.

Configuration and verification: Configure the traffic export profile on R1:

ip traffic-export profile TRAFFIC-R5-SW3
 interface FastEthernet0/0
 incoming access-list 199
 mac-address 0007.ebaa.0e00
 incoming sample one-in-every 5

Specify the access list to match the required criteria for the incoming traffic on R1:

access-list 199 permit ip 172.16.50.0 0.0.0.255 172.16.77.0 0.0.0.255

Apply the traffic export profile on the interface:

interface Serial0/0/0.123 multipoint
 ip address 172.16.123.1 255.255.255.0
 ip traffic-export apply TRAFFIC-R5-SW3

Generate the traffic to be exported:

R5#ping 172.16.77.7 source 172.16.50.1 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 172.16.77.7, timeout is 2 seconds:
Packet sent with a source address of 172.16.50.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 40/43/240 ms
R5#

R1#show ip traffic-export
Router IP Traffic Export Parameters
Monitored Interface         Serial0/0/0
        Export Interface                FastEthernet0/0
        Destination MAC address 0007.ebaa.0e00
        bi-directional traffic export is off
Input IP Traffic Export Information     Packets/Bytes Exported    20/2000
        Packets Dropped           81
        Sampling Rate             one-in-every 5 packets
        Access List               199 [extended IP]
        Profile TRAFFIC-R5-SW3 is Active
R1#

Note that the number of exported packets is 20 out of a total number of 100 generated packets, according to the sampling rate.

Note: To obtain a comprehensive view of the configuration tasks in this section, access the Mentor Guide engine. With the Mentor Guide engine, you can enter more than 1000 Cisco IOS Software commands as well as a collection of proprietary commands such as show all.

10. QoS Section

Issue: Limit only incoming User Datagram Protocol (UDP) traffic destined to port 5120 to an 8000-b/s rate on the VLAN 100 interface of R1. Configure the minimal values for normal burst size and maximum burst size. Determine these minimal values by using the “?” key with the Cisco IOS Software help facility.

Solution: You have two traffic policing configuration options: committed access rate (CAR) rate limit and Modular QoS CLI (MQC) policing. The MQC configuration must not be used to accomplish this quality of service (QoS) task according to the scenario requirement. The only option left is a CAR. Use an access list to specify only the required UDP stream for rate limiting. When you use CAR, you will notice that the listed 1000 byte minimal value will not be accepted. The Cisco IOS Software will let you know that you have to use at least the maximum transmission unit (MTU) size for the burst size. The minimal values depend on the Cisco IOS Software version.

Issue: The committed information rate (CIR) of the PVC should be set to 96000 b/s. The committed rate measurement interval (Tc) value should be 10 ms. Make sure that you do not excessively burst the data traffic, and do not use the throttling mechanism.

Solution: To accomplish this task, you must configure Frame Relay traffic shaping (FRTS). Keep in mind the following recommended practices:

Do not exceed the CIR of the PVC. In other words, do not allow the router to burst to port speed.
Do not use Frame Relay adaptive shaping. Look at the first recommendation. If you do not allow the CIR to be exceeded, there is no reason to configure the throttling-down mechanism based on the backward explicit congestion notifications (BECNs).
Set excess burst (Be) to zero.
Make committed burst size (Bc) small so that Tc is small (Tc = Bc/CIR). The Tc value should be 10 ms. Making Bc equal 1000 bits is usually a low enough value to force the router to use the minimum Tc of 10 ms.

The resulting map class is displayed:

map-class frame-relay SHAPE-R1-R3
 frame-relay cir 96000
 frame-relay mincir 96000
 frame-relay bc 1000
 frame-relay be 0

The fragment size was not explicitly specified anywhere in the scenario. The value 70 is used as a fragment size in this answer key.

Verification:

R3#sh frame-relay pvc 301
PVC Statistics for interface Serial0/0/0 (Frame Relay DTE)

DLCI = 301, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/0/0

  input pkts 2875          output pkts 5420         in bytes 287787
  out bytes 465979         dropped pkts 0           in pkts dropped 0
  out pkts dropped 0                out bytes dropped 0
  in FECN pkts 0           in BECN pkts 0           out FECN pkts 0
  out BECN pkts 0          in DE pkts 0             out DE pkts 0
  out bcast pkts 4265      out bcast bytes 329530
  5 minute input rate 2000 bits/sec, 2 packets/sec
  5 minute output rate 2000 bits/sec, 3 packets/sec
  pvc create time 01:49:49, last time pvc status changed 01:48:39
  cir 96000     bc 1000      be 0         byte limit 125    interval 10
  mincir 96000     byte increment 120   Adaptive Shaping none
  pkts 2090      bytes 217372    pkts delayed 306       bytes delayed 26050
  shaping inactive
  traffic shaping drops 0
  Queueing strategy: fifo
  Output queue 0/40, 0 drop, 306 dequeued
R3#

Note: To obtain a comprehensive view of the configuration tasks in this section, access the Mentor Guide engine. With the Mentor Guide engine, you can enter more than 1000 Cisco IOS Software commands as well as a collection of proprietary commands such as show all.

11. Address Administration Section

Issue: IP address 172.16.34.40 is configured on the VLAN 34 interface of SW4, and the lowest 10 IP addresses will be used for routers, servers, and printers.

Solution: Configure an ip dhcp excluded-address command for these addresses.

Issue: Specific workstations with supplied MAC addresses should always receive the same IP address.

Solution: Create separate DHCP pools, the manual bindings for each supplied MAC address, and configure the corresponding IP address to each separate pool.

Issue: Supply the appropriate gateway IP address.

Solution: This task is tied to the Hot Standby Router Protocol (HSRP) configuration in the next section. To fulfill this task, read ahead and determine the virtual IP address used by HSRP.

Configuration and verification:

ip dhcp excluded-address 172.16.34.1 172.16.34.10
ip dhcp excluded-address 172.16.34.40
!
ip dhcp pool test
 network 172.16.34.0 255.255.255.128
 default-router 172.16.34.1
 dns-server 10.10.10.10
 domain-name test.net
!
ip dhcp pool 1
 host 172.16.34.61 255.255.255.128
 hardware-address 0050.04df.5f61
 default-router 172.16.34.1
 dns-server 10.10.10.10
 domain-name test.net
!

ip dhcp pool 2
 host 172.16.34.60 255.255.255.128
 hardware-address 0050.04df.5f60
 default-router 172.16.34.1
 dns-server 10.10.10.10
 domain-name test.net

R4#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
172.16.34.60        0050.04df.5f60          Infinite                Manual
172.16.34.61        0050.04df.5f61          Infinite                Manual
R4#

The virtual IP address will be used in the DHCP pools.

Tip: Always read a CCIE lab exam end-to-end, and carefully look for hidden issues that might involve multiple tasks.

Note: To obtain a comprehensive view of the configuration tasks in this section, access the Mentor Guide engine. With the Mentor Guide engine, you can enter more than 1000 Cisco IOS Software commands as well as a collection of proprietary commands such as show all.

12. HSRP Gateway Redundancy Section

Issue: If the Frame Relay connection fails, prefer R4.

Solution: Configure the HSRP track command to allow R3 to check the status of the Frame Relay interface. If the R3 Frame Relay interface goes down, change the state of the HSRP router.

Issue: Prefer R3 when the Frame Relay connection becomes active.

Solution: Configure the HSRP preempt command to allow R3 to regain the active standby status when its Frame Relay link becomes active again.

Issue: Why would pre-empt be required? Will R4 take over from R3 when the serial goes down without the preempt statement on R4?

Verification steps:

1. On R3, tracked interface S0/0/0 is shut down, and priority is decremented to 99:

R3#show stand
FastEthernet0/0 - Group 1
  State is Active
    2 state changes, last state change 00:01:58
  Virtual IP address is 172.16.34.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.120 secs
  Preemption enabled

Solution: Configure the ntp master command on R1.16. one per line. Note To obtain a comprehensive view of the configuration tasks in this section. R4 remains in standby state.ac01 (default) Hello time 3 sec. you can enter more than 1000 Cisco IOS Software commands as well as a collection of proprietary commands such as show all.16. Check the HSRP status on R4: R4#sh standby FastEthernet0/0 . setting the stratum level to 5.0c07. NTP Configuration Section Issue: Make R1 the Network Time Protocol (NTP) master with stratum 5. Because pre-emption is disabled on R4.Active router is local Standby router is 172. Issue: Assign the lowest IP address on VLAN 34 to the virtual gateway.164 sec) Standby router is local Priority 100 (default 100) IP redundancy name is "hsrp-Fa0/0-1" (default) R4# Note that the local priority is 100.34.617: %HSRP-6-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active R4(config-if)# 4. priority 99 (expires in 9. Enable pre-emption on R4: R4#conf t Enter configuration commands.3. Solution: From the DHCP configuration in the previous section.1 Active virtual MAC address is 0000. access the Mentor Guide engine. With the Mentor Guide engine.0c07.34. priority 100 (expires in 8. which is higher than the advertised priority from R3—99.ac01 Local virtual MAC address is 0000. Inc. End with CNTL/Z.272 sec) Priority 99 (configured 109) Track interface Serial0/0/0 state Down decrement 10 IP redundancy name is "hsrp-Fa0/0-1" (default) R3# 2. 3. select the lowest IP address from the DHCP excluded-address pool. hold time 10 sec Next hello sent in 2. Solution: 52 Cisco 360 CCIE R&S Workshop 2 Assessment Lab 1 Answer Key © 2009 Cisco Systems.Group 1 State is Standby 1 state change.34. With the disabled pre-emption.4. .16. R4(config)#int fa 0/0 R4(config-if)#standby 1 preempt R4(config-if)# *Mar 1 00:09:19. R4 would become an active router only if R3 goes down entirely and R4 stops receiving the HSRP hello from R3. 
last state change 00:04:51 Virtual IP address is 172. Issue: Configure a server association between R3 and R1.316 secs Preemption disabled Active router is 172. 13.

B49D5EB9 (23:44:09.9930 Hz. reference is 127. stratum 5.02 msec On R3. actual freq is 250. root delay is 20.D7302378 (23:43:09. precision is 2**18 reference time is C71E59C9. use the ntp peer command on R4. access the Mentor Guide engine. use the ntp server command on R3. verify show ntp status: Clock is synchronized.1 nominal freq is 250. actual freq is 249. pointing to R3.09 msec Note To obtain a comprehensive view of the configuration tasks in this section. peer dispersion is 0.0000 Hz.0000 Hz. actual freq is 249.705 UTC Thu Nov 10 2005) clock offset is -0. peer dispersion is 0.123.0000 msec. Issue: Configure a peer association between R3 and R4.637 UTC Thu Nov 10 2005) clock offset is -0.02 msec.16.To fulfill this requirement.7. reference is 172. stratum 7. reference is 172.9976 Hz. because the default configuration of a Cisco router allows it to become an NTP peer.19 msec On R4.127.1 nominal freq is 250. © 2009 Cisco Systems. With the Mentor Guide engine.62 msec root dispersion is 1.0807 msec.31 msec. verify show ntp status: Clock is synchronized.1109 msec.A34BDA8D (23:39:55.34. root delay is 17.47 msec.0000 Hz.00 msec root dispersion is 0. root delay is 0.840 UTC Thu Nov 10 2005) clock offset is 0. verify show ntp status: Clock is synchronized. peer dispersion is 1. Inc. Solution: To fulfill this requirement. you can enter more than 1000 Cisco IOS Software commands as well as a collection of proprietary commands such as show all. Cisco 360 CCIE R&S Workshop 2 Assessment Lab 1 Answer Key 53 . stratum 6. Verify the correctness of your approach with show ntp association detail.0000 Hz.55 msec root dispersion is 0. precision is 2**18 reference time is C71E58CB. You need not configure an NTP peer command on R3.16. precision is 2**24 reference time is C71E598D.3 nominal freq is 250. Verification: On R1.

14. Multicast Configuration Section

Issue: Root the shared tree for the group 230.30.30.30 from the interface loopback 10 of R1.

Solution: The wording of this task clearly leads toward a Protocol Independent Multicast (PIM) sparse configuration. The rendezvous point (RP) IP address will be the IP address of the loopback 10 interface of R1. Loopback 10 must be reachable through unicast routing, which is also a part of the overall reachability requirement.

Issue: All the member multicast routers of this tree should be configured statically to form the shared tree.

Solution: Three methods exist for letting the multicast routers know where the RP is:

1. Static ip pim rp-address configuration on every member of the shared tree
2. Autodiscovery protocol
3. Bootstrap router (BSR) protocol

You will use the static configuration in this scenario.

Issue: No multicast routers should display (S,G) state in their respective multicast routing tables.

Solution: Normally, a sparse mode multicast distribution tree has (S,G) forwarding entries along the path from the RP to the first-hop router from the source of the multicast traffic. Bidirectional PIM uses (*,G) entries only for the forwarding of multicast traffic. Use the ip pim bidir-enable command to activate bidirectional functionality on the multicast router.

Issue: R6 is excluded from the multicast tree and should not have any PIM configuration.

Solution: R6 is a source of the multicast stream and does not have to be a multicast router. The scenario prohibits the configuration of R6 as a multicast router.

Issue: Use loopback interfaces to simulate the receivers of the traffic destined to the group 230.30.30.30.

Solution: You can use the loopback interfaces for active multicast receiver simulation. Follow these steps for each loopback interface that is required in this scenario:

1. Configure an IP address on the loopback interface.
2. Enable IP PIM on the interface.
3. Use the interface configuration command ip igmp join-group 230.30.30.30.

Issue: Build the shared tree only for 230.30.30.30. Use a standard access list with the name “MCAST” to accomplish this task.

Solution: Use the named access list “MCAST” to restrict the use of the RP to the specified group. R3 is used as an example:

R3:
ip pim rp-address 172.16.10.1 MCAST bidir
!
ip access-list standard MCAST
 permit 230.30.30.30

Ping the multicast group 230.123.0. 230. 4 ms 172.Pruned. 64 ms 172.16.0.MSDP created entry. RP 172.16. Inc. F .2.3. J .10.123.1.6 Type escape sequence to abort. RP 172. flags: BCL Bidir-Upstream: Serial0/0/0. 76 ms 172.0.6 Reply Reply Reply Reply R6# to to to to request request request request 0 0 0 0 from from from from 172.0. P . S .123. 56 Cisco 360 CCIE R&S Workshop 2 Assessment Lab 1 Answer Key © 2009 Cisco Systems. Static. access the Mentor Guide engine.3.Received Source Specific Host Report.0 RP itself Outgoing interface list: Loopback10.3.25.0 Outgoing interface list: Loopback10. C . Forward/Sparse. A .30. Bidir-Upstream/Sparse. Forward/Sparse. B . I .123.1 (?) R3# Here is a configuration verification procedure: 1.Joined MDT-data group.16. RP 0. Forward/Sparse.16.0.SPT-bit set. 00:04:07/00:03:21 R1#show ip mroute IP Multicast Routing Table Flags: D .Join SPT.0.30). R3: R3#show ip mroute bidirectional (*.Local. . 00:05:38/00:02:31 Serial0/0/0. RPF nbr 172. Forward/Sparse. 00:05:26/00:02:43 Serial0/0/0.1. y .0. 224.123. 172. State/Mode (*.SSM Group. R1: R1#show ip mroute bidirectional (*.16.30 from R6: R6#ping 230. 172. L .Bidir Group.16.Register flag. Bidir Mode RP: 172.123.Hardware switched Timers: Uptime/Expires Interface state: Interface. U . T .0. Sending 1. 00:04:19/00:03:09 (*.2.123.123. R . RPF nbr 0. Check the multicast routing table on the router members of the shared tree—for example.10.30.16.30. Forward/Sparse.16.16. 00:09:30/00:02:46 Note To obtain a comprehensive view of the configuration tasks in this section.30.30.16. Forward/Sparse. RP 172.URD.30.30.0.30 source 172. Next-Hop or VCD. M .R3#sh ip pim rp map PIM Group-to-RP Mappings Acl: MCAST.Sending to MDT-data group Outgoing interface flags: H .16.1.Sparse.123. Forward/Sparse.Proxy Join Timer Running.16. 52 ms 2. timeout is 2 seconds: Packet sent with a source address of 172.30.Dense.16. 00:08:12/00:00:00 Loopback30.30. Check the multicast routing table on the RP.RP-bit set.2. 
flags: BCL Bidir-Upstream: Null. 230. 172.123. 00:05:38/00:02:32.10.1. X .Connected. Z .30.30. you can enter more than 1000 Cisco IOS Software commands as well as a collection of proprietary commands such as show all. Forward/Sparse.30. 230. 00:04:15/00:03:10 Serial0/0/0.0 Outgoing interface list: Loopback10. flags: BCL Bidir-Upstream: Null. 00:05:39/00:02:31 R1# 3.5.1 Outgoing interface list: Serial0/0/0.16. 100-byte ICMP Echos to 230. With the Mentor Guide engine. s .10.0.Multicast Tunnel Y .16.30).16.1. 00:04:27/00:02:59 Serial0/0/0. 00:05:38/00:03:09.30).30. 00:09:30/00:02:46.Candidate for MSDP Advertisement.123. 00:05:26/00:03:21.16. flags: DCL Incoming interface: Null.16. RPF nbr 0. RPF nbr 0. 172.40).

15. SNMP Section

Issue: Use the Simple Network Management Protocol version 3 (SNMPv3) security model to enable user “OPER” in the “OPERATORS” group to have read access to the Cisco MIB, and create user “ADMIN” in the “ADMINISTRATORS” group to have write access to this view. Do not use authentication, but restrict access by source IP address.

Solution: The SNMPv3 security model is based on users and groups. In this exercise, you create two groups—OPERATORS and ADMINISTRATORS—and create a user for each group—OPER and ADMIN. You create a view with the name “CISCO” that includes just the Cisco branch of the MIB tree. The OPERATORS group has only read access to this view. ADMINISTRATORS can read any MIB object and have write privileges to the CISCO view. In addition, group access is limited by source IP address.

Here is the configuration:

snmp-server user OPER OPERATORS v3
snmp-server user ADMIN ADMINISTRATORS v3
snmp-server group OPERATORS v3 noauth read CISCO access 90
snmp-server group ADMINISTRATORS v3 noauth write CISCO access 91
snmp-server view CISCO cisco included
access-list 90 permit 10.1.1.90
access-list 91 permit 10.1.1.91

It is possible to apply the access list at the user or group level, but this task specifically required the group restriction.

Verify your user and group configuration:

R1#show snmp user
User name: OPER
Engine ID: 80000009030000D0BA8B0021
storage-type: nonvolatile        active
Authentication Protocol: None
Privacy Protocol: None
Group-name: OPERATORS

User name: ADMIN
Engine ID: 80000009030000D0BA8B0021
storage-type: nonvolatile        active
Authentication Protocol: None
Privacy Protocol: None
Group-name: ADMINISTRATORS

The users have been created without authentication and have been assigned to the required groups.

Here is output verifying the group configuration; it excludes the built-in groups:

R1#show snmp group
groupname: OPERATORS                    security model:v3 noauth
readview : CISCO                        writeview: <no writeview specified>
notifyview: <no notifyview specified>
row status: active      access-list: 90

groupname: ADMINISTRATORS               security model:v3 noauth
readview : v1default                    writeview: CISCO
notifyview: <no notifyview specified>
row status: active      access-list: 91

As required, members of the OPERATORS group have only read access to the CISCO view. They can neither read any other MIB objects nor make any changes. By contrast, members of the ADMINISTRATORS group have complete read access through the default view and have write privileges to objects in the CISCO view.

1.exe from a workstation on VLAN 100.9.1.40.Here you see a portion of the MIB tree in graphical form.1.1.1.3.exe and snmpset.” because they both were given read access to the CISCO view.1. . First.4.4.6.18 1.9.1.2.1.4.10.3.0 iso.1. try to read an object outside of the CISCO view—the sysUpTime object from the MIB-2 branch: C:###BOT_TEXT###gt;snmpget -v 3 -u OPER 172.2.10.6.9.1.40.3.0 iso.3.1.3.4.1.3.3.1.3.4.1.6.3.2.2.1.” To demonstrate and verify this configuration.9.3.18 1. Next.18 1.2. The Cisco portion of the MIB tree is part of the org/dod/internet/private/enterprises branch.6.9.0 = STRING: "R1" Both users get a response of “R1.6.3. demonstrate that both users OPER and ADMIN can read the hostname string from the Cisco MIB: C:###BOT_TEXT###gt;snmpget -v 3 -u OPER 172.1.10.0 = No Such Object available on this agent at this OID 58 Cisco 360 CCIE R&S Workshop 2 Assessment Lab 1 Answer Key © 2009 Cisco Systems.1.2.0 = STRING: "R1" C:###BOT_TEXT###gt;snmpget -v 3 -u ADMIN 172. Inc. use the network entity title (NET)-SNMP programs snmpget.3.1.3.6.40.1.0 iso. and all its object IDs (OIDs) begin “1.6.1.

Reason: noAccess Failed object: iso.2.4.1.10. Cisco 360 CCIE R&S Workshop 2 Assessment Lab 1 Answer Key 59 .18 1. access the Mentor Guide engine.1.2.1.0 = INTEGER: 0 C:###BOT_TEXT###gt;snmpset -v 3 -u OPER 172.1.3.40.0 = Timeticks: (7905507) 21:57:35.1.Note that user OPER gets an error message. Issuing an SNMP set command to OID 1.3. © 2009 Cisco Systems.6.0 iso.6. Note To obtain a comprehensive view of the configuration tasks in this section.2.1.10. you can enter more than 1000 Cisco IOS Software commands as well as a collection of proprietary commands such as show all.10. Verify that user ADMIN has write access to the CISCO view but user OPER does not.1. C:###BOT_TEXT###gt;snmpset -v 3 -u ADMIN 172.75.1.6.1.75.6. but user OPER gets an error message indicating that write access was denied. just as required.1.1.1.9.1.6.0 For user ADMIN.4.0 i 0 iso. Inc.3.3.1.75.18 1. and the ARP cache is cleared.6. Here is the response when the same command is issued by ADMIN: C:###BOT_TEXT###gt;snmpget -v 3 -u ADMIN 172.3.6.3.0 i 0 Error in packet.1.3.40.1.1.4.18 1.07 User ADMIN has read access to the entire MIB tree.2. the set variable is echoed back.75.0 of the Cisco MIB with integer value zero clears the ARP cache.9.9.75.1.40.4.3.1.9.3.2.2.1. but user OPER cannot read objects outside the CISCO view.1.9. With the Mentor Guide engine.2.4.
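The access decisions verified in this section can be modelled as user, then group, then access list, then view. This is an added example, not code from the course material; it assumes each request comes from the host its group's access list permits, treats v1default as the whole iso tree, and models an access-list denial as a silent drop.

```python
import ipaddress

# Views as OID subtrees. CISCO comes from "snmp-server view CISCO cisco included"
# (enterprises.9); treating v1default as the whole iso(1) tree is a simplification.
VIEWS = {"CISCO": [(1, 3, 6, 1, 4, 1, 9)], "v1default": [(1,)]}
# Groups as listed by "show snmp group": read view, write view, standard ACL number.
GROUPS = {
    "OPERATORS": {"read": "CISCO", "write": None, "acl": 90},
    "ADMINISTRATORS": {"read": "v1default", "write": "CISCO", "acl": 91},
}
USERS = {"OPER": "OPERATORS", "ADMIN": "ADMINISTRATORS"}
ACLS = {90: ["10.1.1.90"], 91: ["10.1.1.91"]}  # host entries from the configuration
HOSTNAME = "1.3.6.1.4.1.9.2.1.3.0"    # hostname string in the Cisco MIB
SYSUPTIME = "1.3.6.1.2.1.1.3.0"       # MIB-2 sysUpTime, outside the CISCO view
CLEAR_ARP = "1.3.6.1.4.1.9.2.1.75.0"  # setting it to 0 clears the ARP cache

def in_view(view, oid):
    """True if the OID falls under any subtree included in the named view."""
    return view is not None and any(oid[:len(sub)] == sub for sub in VIEWS[view])

def decide(user, src_ip, op, oid_text):
    """Outcome of a noauth SNMPv3 request: user -> group -> ACL -> view."""
    group = GROUPS.get(USERS.get(user))
    if group is None:
        return "unknownUserName"
    src = ipaddress.ip_address(src_ip)
    if all(src != ipaddress.ip_address(h) for h in ACLS[group["acl"]]):
        return "dropped"  # assumption: the access list discards the packet silently
    oid = tuple(int(part) for part in oid_text.strip(".").split("."))
    if op == "get":
        return "ok" if in_view(group["read"], oid) else "noSuchObject"
    if op == "set":
        return "ok" if in_view(group["write"], oid) else "noAccess"
    raise ValueError(f"unsupported operation: {op}")

def page_checks():
    """The six requests verified in this section, in the order they are shown."""
    oper, admin = "10.1.1.90", "10.1.1.91"
    return [
        decide("OPER", oper, "get", HOSTNAME), decide("ADMIN", admin, "get", HOSTNAME),
        decide("OPER", oper, "get", SYSUPTIME), decide("ADMIN", admin, "get", SYSUPTIME),
        decide("ADMIN", admin, "set", CLEAR_ARP), decide("OPER", oper, "set", CLEAR_ARP),
    ]

if __name__ == "__main__":
    print(page_checks())
    # Without authentication the user name is only a claim; the ACL is the sole gate.
    print(decide("ADMIN", "10.1.1.90", "set", CLEAR_ARP))
```

Because the groups are noauth, the source-address check is the only thing separating OPER from ADMIN in this model: any sender at the permitted address can name either user.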