
HCIE-R&S Mock Exam 1 INTERNAL

HCIE-R&S Lab Mock Exam 1

2017-5-23 HUAWEI Confidential Page 1, Total 34



Test Questions: (Y Represents the Rack Number, and X Represents the Equipment Number)
i. Section 1: Layer 2 Technologies

1.1.1.1 VLAN
Create VLANs 3, 5, 18, 26, 41, 43 and 62 on switches SW1 and SW2. Create
VLAN 43 on switch SW3.
Apply VLANs to access interfaces according to the table below.

VLAN    Switch    Interfaces
3       SW1       Eth0/0/1
5       SW1       Eth0/0/5
18      SW2       Eth0/0/1, Eth0/0/3
26      SW1       Eth0/0/2, Eth0/0/6
41      SW1       Eth0/0/4
43      SW2       Eth0/0/4
        SW3       Eth0/0/22
62      SW2       Eth0/0/6
        SW1       Eth0/0/21

SW1/SW2:
vlan batch 3 5 18 26 41 43 62

SW3:
vlan 43

SW1:
interface Ethernet0/0/1
port link-type access
port default vlan 3
interface Ethernet0/0/2
port link-type access
port default vlan 26
interface Ethernet0/0/4
port link-type access
port default vlan 41
interface Ethernet0/0/5
port link-type access
port default vlan 5
interface Ethernet0/0/6
port link-type access
port default vlan 26
interface Ethernet0/0/21
port link-type access
port default vlan 62

SW2:
interface Ethernet0/0/1
port link-type access
port default vlan 18
interface Ethernet0/0/3
port link-type access
port default vlan 18
interface Ethernet0/0/4
port link-type access
port default vlan 43
interface Ethernet0/0/6
port link-type access
port default vlan 62


SW3:
interface Ethernet0/0/22
port link-type access
port default vlan 43

1.1.1.2 Link Aggregation


Combine Eth0/0/12 and Eth0/0/13 between switches SW3 and SW4 into a single
logical interface with LACP disabled. Both physical interfaces should be active,
and load balancing should be based on destination MAC addresses.
SW3/SW4:
interface Eth-Trunk34
load-balance dst-mac

interface Ethernet0/0/12
eth-trunk 34
interface Ethernet0/0/13
eth-trunk 34

1.1.1.3 Trunk
All links between switches SW1, SW2, SW3 and SW4 should be configured as
trunk links that allow VLANs 1 through 4094 across all trunks.
SW1:
interface Ethernet0/0/10
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface Ethernet0/0/11
port link-type trunk
port trunk allow-pass vlan 2 to 4094

SW2:
interface Ethernet0/0/14
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface Ethernet0/0/15
port link-type trunk
port trunk allow-pass vlan 2 to 4094

SW3:
interface Ethernet0/0/10
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface Ethernet0/0/14
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface Eth-Trunk34
port link-type trunk
port trunk allow-pass vlan 2 to 4094

SW4:
interface Ethernet0/0/11
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface Ethernet0/0/15
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface Eth-Trunk34
port link-type trunk
port trunk allow-pass vlan 2 to 4094

1.1.1.4 GVRP
Enable GVRP on switches to enable SW3 and SW4 to learn statically configured
VLAN information from SW1 and SW2.
SW1:
gvrp
interface Ethernet0/0/10
gvrp
interface Ethernet0/0/11
gvrp

SW2:
gvrp
interface Ethernet0/0/14
gvrp
interface Ethernet0/0/15
gvrp

SW3:
gvrp
interface Ethernet0/0/10
gvrp
interface Ethernet0/0/14
gvrp
interface Eth-Trunk34
gvrp

SW4:
gvrp
interface Ethernet0/0/11
gvrp
interface Ethernet0/0/15
gvrp
interface Eth-Trunk34
gvrp

1.1.1.5 MSTP
Switches SW1, SW2, SW3 and SW4 run MSTP as follows.
VLANs 3, 5 and 18 are in instance 1 for which SW1 should be primary root and
SW2 the secondary root. VLANs 26, 41, 43 and 62 are in instance 2, for which
SW2 is the primary root and SW1 is the secondary root. The MSTP region name is
HW and revision level is 1.
Interface E0/0/20 on SW1 is directly connected to a PC. Ensure that E0/0/20 enters
the forwarding state as soon as the PC is connected and the link becomes active.
E0/0/20 should be shut down automatically after receiving BPDUs and should
recover after 50s.
SW1-SW4:
stp region-configuration
region-name HW
revision-level 1
instance 1 vlan 3 5 18
instance 2 vlan 26 41 43 62
active region-configuration

SW1:
stp instance 1 root primary
stp instance 2 root secondary

stp bpdu-protection
error-down auto-recovery cause bpdu-protection interval 50
interface Ethernet0/0/20
stp edged-port enable

SW2:
stp instance 1 root secondary
stp instance 2 root primary

1.1.1.6 Frame Relay


R1, R2 and R3 use Frame Relay (FR) encapsulation and are connected in hub and
spoke mode with R2 as the hub. S1/0/0.2 on R2 and S1/0/0.1 on R3 may not use
static mapping. Inverse ARP must be disabled on all devices.
R1, R4 and R5 use Frame Relay (FR) encapsulation and are connected in hub and
spoke mode with R1 as the hub. Inverse ARP must be disabled on all devices and
sub-interfaces may not be used.
R1 connects to R4 using DLCI 104 and to R5 using DLCI 105. R4 connects to R1
using DLCI 401 and R5 connects to R1 using DLCI 501. Only the specified DLCIs
may be used. All these FR interfaces should be able to ping each other.
Perform the following configuration to ensure that R2 can communicate with R1
and R3:
Configure R1 to connect to R2 using DLCI 102.
Configure R2 to connect to R3 using DLCI 203.
Configure R2 to connect to R1 using DLCI 201.
Configure R3 to connect to R2 using DLCI 302.
Use only the specified DLCIs.

R1:
interface Serial1/0/0
link-protocol fr
undo fr inarp
fr map ip 10.1.12.2 102 broadcast
ip address 10.1.12.1 255.255.255.0
interface Serial2/0/0
link-protocol fr
undo fr inarp
fr map ip 10.1.145.4 104 broadcast
fr map ip 10.1.145.5 105 broadcast
ip address 10.1.145.1 255.255.255.0

R2:
interface Serial1/0/0
link-protocol fr
undo fr inarp
interface Serial1/0/0.1
fr dlci 201
fr map ip 10.1.12.1 201 broadcast
ip address 10.1.12.2 255.255.255.0
interface Serial1/0/0.2 p2p
fr dlci 203
ip address 10.1.23.2 255.255.255.0

R3:
interface Serial1/0/0
link-protocol fr
undo fr inarp
interface Serial1/0/0.1 p2p
fr dlci 302
ip address 10.1.23.3 255.255.255.0

R4:
interface Serial1/0/0
link-protocol fr
undo fr inarp
fr map ip 10.1.145.1 401 broadcast
fr map ip 10.1.145.5 401 broadcast
ip address 10.1.145.4 255.255.255.0

R5:
interface Serial1/0/0
link-protocol fr
undo fr inarp
fr map ip 10.1.145.1 501 broadcast
fr map ip 10.1.145.4 501 broadcast
ip address 10.1.145.5 255.255.255.0

ii. Section 2: IGP

2.1.1.1 Basic Configurations


When implementing IP addressing, replace Y with your rack number and replace X
with the device number. For example the device numbers of R1, R2, SW1 and
SW2 are 1, 2, 11 and 22. The IP addresses on all physical interfaces use 24-bit
masks. All routers have Loopback0 interfaces with an IP address of 10.Y.X.X and a
24-bit mask.
Configure IP addresses on device interfaces as per the information in the IPv4
logical topology diagram.

SW1 VLAN interfaces 3, 62 and 41 should be assigned IP addresses 10.Y.33.11/24,
10.Y.62.11/24 and 10.Y.41.11/24, respectively. SW2 VLAN interfaces 62 and 18
should be assigned IP addresses 10.Y.62.22/24 and 10.Y.32.22/24, respectively.
The IP address of the interface that connects R6 to BB1 is 157.68.1.6/24.
The IP address of the interface that connects R6 to BB2 is 157.68.2.6/24.
The IP address of the interface that connects R4 to BB3 is 157.68.3.4/24.
Set the router ID of each router to the IP address of Loopback0.
Set the IP address of VLANIF 41 as the router ID of SW1.

R1:
router id 10.1.1.1
interface Serial1/0/1
ip address 10.1.13.1 255.255.255.0
interface GigabitEthernet0/0/0
ip address 10.1.10.1 255.255.255.0
interface LoopBack0
ip address 10.1.1.1 255.255.255.0

R2:
router id 10.1.2.2
interface Ethernet2/0/0
ip address 10.1.26.2 255.255.255.0
interface LoopBack0
ip address 10.1.2.2 255.255.255.0

R3:
router id 10.1.3.3
interface Ethernet2/0/1
ip address 10.1.32.3 255.255.255.0
interface Serial1/0/1
ip address 10.1.13.3 255.255.255.0
interface LoopBack0
ip address 10.1.3.3 255.255.255.0

R4:
router id 10.1.4.4
interface Ethernet2/0/0
ip address 10.1.41.4 255.255.255.0
interface Ethernet2/0/1
ip address 157.68.3.4 255.255.255.0
interface Serial1/0/1
ip address 10.1.45.4 255.255.255.0
interface LoopBack0
ip address 10.1.4.4 255.255.255.0

R5:
router id 10.1.5.5
interface Ethernet2/0/0
ip address 10.1.50.5 255.255.255.0
interface Serial1/0/1
ip address 10.1.45.5 255.255.255.0
interface LoopBack0
ip address 10.1.5.5 255.255.255.0

R6:
router id 10.1.6.6
interface Ethernet2/0/1
ip address 157.68.2.6 255.255.255.0
interface Serial1/0/1
ip address 157.68.1.6 255.255.255.0
interface GigabitEthernet0/0/0
ip address 10.1.26.6 255.255.255.0
interface LoopBack0
ip address 10.1.6.6 255.255.255.0

SW1:
router id 10.1.41.11
interface Vlanif3
ip address 10.1.33.11 255.255.255.0
interface Vlanif41
ip address 10.1.41.11 255.255.255.0
interface Vlanif62
ip address 10.1.62.11 255.255.255.0

SW2:
interface Vlanif18
ip address 10.1.32.22 255.255.255.0
interface Vlanif62
ip address 10.1.62.22 255.255.255.0

2.1.1.2 Basic IS-IS


IS-IS runs on the connected interfaces between R1, R2 and R3 as well as their
loopback interfaces. IS-IS also runs on the interfaces between R6 and R2, the
loopback interface of R6 and VLANIF 18 on SW2. All devices belong to area
49.0001 and all routers are Level 1 routers. Set the system ID to 0000.0000.000X
and the IS-IS process ID to Y.
On R6, import BB2 network segment 157.68.2.0/24 into IS-IS and set the cost of
imported routes to 200 and tag to 200.
R1:
isis 1
is-level level-1
cost-style wide
network-entity 49.0001.0000.0000.0001.00
interface Serial1/0/0
isis enable 1
interface Serial1/0/1
isis enable 1
interface LoopBack0
isis enable 1

R2:
isis 1
is-level level-1
cost-style wide
network-entity 49.0001.0000.0000.0002.00
interface Ethernet2/0/0
isis enable 1
interface Serial1/0/0.1
isis enable 1
interface Serial1/0/0.2 p2p
isis enable 1
interface LoopBack0
isis enable 1

R3:
isis 1
is-level level-1
cost-style wide
network-entity 49.0001.0000.0000.0003.00
interface Ethernet2/0/1
isis enable 1
interface Serial1/0/0.1 p2p
isis enable 1
interface Serial1/0/1
isis enable 1
interface LoopBack0
isis enable 1

R6:
isis 1
is-level level-1
cost-style wide
network-entity 49.0001.0000.0000.0006.00
interface GigabitEthernet0/0/0
isis enable 1
interface LoopBack0
isis enable 1

route-policy BB2 permit node 10
if-match ip-prefix BB2
#
ip ip-prefix BB2 index 10 permit 157.68.2.0 24
#
isis 1
import-route direct cost 200 level-1 tag 200 route-policy BB2

SW2:
isis 1
is-level level-1
cost-style wide
network-entity 49.0001.0000.0000.0022.00
interface Vlanif18
isis enable 1

Note:
This section requires the specific network segment 157.68.2.0/24 to be imported into IS-IS.
Therefore, filter routes during route import. For example, since ip-prefix matches the exact
mask length of routes, it is preferred for route operations over ACLs that only match the
address segment. Use ACLs when ip-prefix is unable to solve problems.
This section of the exam also requires tag setting for external routes imported into IS-IS.
IS-IS routes have a narrow cost style by default, but a wide cost style must be set for them to
carry the tag. Therefore, you need to change the cost style of imported routes.

2.1.1.3 IS-IS Optimization


Where equal-cost routes exist on R1 and R3, the route over the FR network should be
preferred. The standby command may not be used.
When IS-IS neighbor relationships change state, the change should be logged.


Establish a reliable neighbor relationship without DIS between R2 and R6.

R1:
isis 1
nexthop 10.1.12.2 weight 1

R2:
interface Ethernet2/0/0
isis circuit-type p2p
isis ppp-negotiation 3-way only

R3:
isis 1
nexthop 10.1.23.2 weight 1

R1, R2, R3, R6 and SW2:
isis 1
log-peer-change

R6:
interface GigabitEthernet0/0/0
isis circuit-type p2p
isis ppp-negotiation 3-way only

Note:
IS-IS supports two network types: broadcast networks (DIS is elected) and P2P networks
(DIS is not elected).
Broadcast is the default IS-IS network type on an Ethernet network. Change it to P2P to
prevent DIS election on the network segment.
In IS-IS, neighbor relationships are established on a P2P network in either two-way
handshake or three-way handshake mode. In the two-way handshake mode established by
default, IS-IS neighbor statuses on both ends of the link may be mismatched. This problem will
not occur in three-way handshake mode. For this part of the exam, change the handshake
mode from two-way to three-way manually.

2.1.1.4 IS-IS Verification


Hello packets sent from FR interfaces on R1, R2 and R3 should be authenticated.
Use a password of HuaWei, which should be transmitted in plain text and be
displayed in plain text in the display current-configuration command output.
R1:
interface Serial1/0/0
isis authentication-mode simple plain HuaWei


R2:
interface Serial1/0/0.1
isis authentication-mode simple plain HuaWei
interface Serial1/0/0.2 p2p
isis authentication-mode simple plain HuaWei

R3:
interface Serial1/0/0.1 p2p
isis authentication-mode simple plain HuaWei

2.1.1.5 Base OSPF


All OSPF routers should use a process ID Y.
Advertise network segments where both Loopback 0 on R4 and R5 and E2/0/0 on
R5 reside into Area 0.
OSPF should run in area 0 on the FR links between R1, R4 and R5. The network
command may not be used within the OSPF process configuration of R1. Change
the network type of Area 0 to broadcast, and ensure that R1, R4, and R5 can learn
routes from each other after restarting these devices or OSPF processes. Ensure the
Loopback interface addresses of R4 and R5 are shown with the full 24-bit mask in
the OSPF routing tables.
R1:
interface Serial2/0/0
ospf enable 1 area 0.0.0.0
ospf 1
peer 10.1.145.4
peer 10.1.145.5
area 0.0.0.0

interface Serial2/0/0
ospf network-type broadcast

R4:
ospf 1
peer 10.1.145.1
area 0.0.0.0
network 10.1.4.4 0.0.0.0
network 10.1.145.4 0.0.0.0

R5:
ospf 1
peer 10.1.145.1
area 0.0.0.0
network 10.1.5.5 0.0.0.0
network 10.1.50.5 0.0.0.0
network 10.1.145.5 0.0.0.0

R4, R5:
interface Serial1/0/0
ospf dr-priority 0
ospf network-type broadcast

interface LoopBack0
ospf network-type broadcast

2.1.1.6 OSPF Area Partition


Use the network command to add the PPP link between R4 and R5 to OSPF area
2.
Advertise network segments where both E2/0/0 on R4 and VLANIF41 on SW1
reside into Area 1.
Advertise network segments where VLANIF 62 on SW1 and SW2 resides into
Area 3.
Import the route to the network segment 10.1.33.0/24 where VLANIF 3 on SW1
resides into OSPF, and set the route tag to 200.
Run OSPF between R4 and BB3, add them to Area 4, and set Area 4 as an NSSA.
Add Loopback 40 on R4 and assign it a 10.1.40.4/24 IP address. Import the
network segment where it resides into OSPF and prevent its import into Area 3 and
Area 4.
R5:
ospf 1
area 0.0.0.2
network 10.1.45.5 0.0.0.0

R4:
ospf 1
import-route direct route-policy Loo40
area 0.0.0.1
network 10.1.41.4 0.0.0.0
vlink-peer 10.1.41.11
area 0.0.0.2
network 10.1.45.4 0.0.0.0
area 0.0.0.4
network 157.68.3.4 0.0.0.0
nssa no-import-route

interface LoopBack40
ip address 10.1.40.4 255.255.255.0
route-policy Loo40 permit node 10
if-match ip-prefix Loo40
#
ip ip-prefix Loo40 index 10 permit 10.1.40.0 24

SW1:
ospf 1
area 0.0.0.1
network 10.1.41.11 0.0.0.0
vlink-peer 10.1.4.4
area 0.0.0.3
network 10.1.62.11 0.0.0.0

acl number 2000
rule 5 deny source 10.1.40.0 0.0.0.255
rule 10 permit

interface Vlanif62
ospf filter-lsa-out ase acl 2000

route-policy VLAN3 permit node 10
if-match ip-prefix VLAN3
#
ip ip-prefix VLAN3 index 10 permit 10.1.33.11 24
#
ospf 1
import-route direct route-policy VLAN3 tag 200

SW2:
ospf 1
area 0.0.0.3
network 10.1.62.22 0.0.0.0

Note:
1. The network segment connecting SW1 and SW2 belongs to Area 3, a non-backbone area
not directly connected to Area 0. Establish a virtual link between R4 and SW1 to connect Area
3 to Area 0.
2. When an ABR in an NSSA imports external routes, it advertises them in Type 5 LSAs into
other areas and in Type 7 LSAs into the NSSA. Specify the no-import-route parameter on the
ABR if the NSSA does not need to learn the external routes that the ABR imports. Configure
the nssa no-import-route command on R4 in Area 4 as required by this section.
3. This section requires that external routes imported by R4 not be imported into Area 3.
Area 3 is a common area, so routes carried in Type 5 LSAs must be filtered on its ABR. Use
ACLs on the ABR to prohibit these routes from being advertised into Area 3. An additional
measure against these external routes reaching SW2, and from there Area 3, would be to
prevent the routes imported by R4 from being imported by R1 into IS-IS. However, this
operation is not required, because these external routes will not be imported on SW2 and then
into Area 3. The route tags and filtering that prevent routing loops and sub-optimal routes when
two routing protocols on two devices import routes from each other already prevent routes
imported from OSPF into IS-IS through R1 from being imported from SW2 into OSPF.

2.1.1.7 Traffic Optimization


Traffic between VLAN 3 on SW1 and E2/0/0 on R5 should use the direct PPP link
as the primary path, the FR network should be the backup path.

R4:
ospf 1
area 0.0.0.2
vlink-peer 10.1.5.5
R5:
ospf 1
area 0.0.0.2
vlink-peer 10.1.4.4
After a vlink is configured, traffic is load balanced between the FR network and the PPP
link. Set the cost of the interface on the network segment 10.1.45.0 to a smaller value (the
default value is 48).

R4 and R5:
interface Serial1/0/1
ospf cost 47

The network segment 10.1.45.0 is preferred and the FR link functions as the backup.


2.1.1.8 OSPF Authentication


Configure MD5 authentication in area 0 and set the authentication password to
HuaWei. The password must be displayed in plain text in the
display current-configuration command output. The authentication-mode command
in ospf area configuration mode cannot be used.
For details about Vlink authentication, see 2.7.
R1:
interface Serial2/0/0
ospf authentication-mode md5 1 plain HuaWei

R4:
interface Serial1/0/0
ospf authentication-mode md5 1 plain HuaWei

ospf 1
area 1
vlink-peer 10.1.41.11 md5 1 plain HuaWei
area 2
vlink-peer 10.1.5.5 md5 1 plain HuaWei

R5:
interface Serial1/0/0
ospf authentication-mode md5 1 plain HuaWei
ospf 1
area 2
vlink-peer 10.1.4.4 md5 1 plain HuaWei

SW1:
ospf 1
area 1
vlink-peer 10.1.4.4 md5 1 plain HuaWei

Note:
1. When configuring authentication in OSPF Area 0, pay attention to virtual links because
they belong to Area 0. In the exam, a virtual link must be established between R4 and SW1.
Ensure that it is established by configuring Area 0 authentication on SW1 after Area 0
authentication is configured on R4.
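
Added example (not part of the original exam answers): a Python check that scans configuration text laid out like the answers in this document for the credential forms used here, namely IS-IS and OSPF interface authentication, OSPF virtual-link authentication and the BGP peer password. The sample input is constructed from lines in this document; the function names and the finding fields are assumptions of the example.

```python
import re

# Constructed sample: device headings and command lines as they appear in the
# answers of this document (the BGP line is from the R6 peer configuration).
SAMPLE = """\
R1:
interface Serial1/0/0
isis authentication-mode simple plain HuaWei
interface Serial2/0/0
ospf authentication-mode md5 1 plain HuaWei
R4:
ospf 1
area 1
vlink-peer 10.1.41.11 md5 1 plain HuaWei
R6:
bgp 200
peer 157.68.2.254 password simple HW
"""

DEVICE_RE = re.compile(r"^(?P<device>[A-Za-z0-9]+):$")
SECTION_RE = re.compile(r"^(interface \S+(?: p2p)?|(?:ospf|isis|bgp) \d+)$")

# (kind, pattern): "mode" is the authentication mode, "secret" the stored value.
# The keyword "plain" (and "simple" for the BGP peer password) means the value
# is kept readable in the configuration file.
CREDENTIAL_PATTERNS = [
    ("isis-hello", re.compile(
        r"^isis authentication-mode (?P<mode>simple|md5) plain (?P<secret>\S+)$")),
    ("ospf-interface", re.compile(
        r"^ospf authentication-mode (?P<mode>simple|md5)(?: \d+)? plain (?P<secret>\S+)$")),
    ("ospf-vlink", re.compile(
        r"^vlink-peer \S+ (?P<mode>simple|md5)(?: \d+)? plain (?P<secret>\S+)$")),
    ("bgp-peer", re.compile(
        r"^peer \S+ password (?P<mode>simple) (?P<secret>\S+)$")),
]


def audit_config(text):
    """Return one finding per credential stored in readable form."""
    findings = []
    device = section = None
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        heading = DEVICE_RE.match(line)
        if heading:
            device, section = heading["device"], None
            continue
        if SECTION_RE.match(line):
            section = line
            continue
        for kind, pattern in CREDENTIAL_PATTERNS:
            found = pattern.match(line)
            if not found:
                continue
            findings.append({
                "device": device,
                "section": section,
                "line": number,
                "kind": kind,
                # IGP "simple" mode carries the password itself in the packet.
                # For the BGP peer, "simple" only describes how the key is
                # stored; the session is protected with the TCP MD5 option.
                "cleartext_on_wire": kind != "bgp-peer" and found["mode"] == "simple",
                # Never echo the secret into the report.
                "secret": "*" * len(found["secret"]),
            })
            break
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE):
        print(finding)
```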

2.1.1.9 RIP
Run RIPv2 on R6 and ensure that only BB1-connected S1/0/1 can send and receive
packets.


On R6, configure RIP and IS-IS to import routes from each other. Configure IS-IS
to summarize imported RIP routes so that other IS-IS routers can only view the
summarized route 212.18.0.0/22.
Configure R6 to set the cost of routes imported by IS-IS to 200 and tag to 200.
Disable RIP automatic summarization and use manual summarization on R6 so that
it sends only one route 10.1.0.0/16 to BB1.
R6:
rip 1
undo summary
version 2
network 157.68.0.0
import-route isis 1
filter-policy ip-prefix to_bb1 export Serial1/0/1

interface Ethernet2/0/1
undo rip output
undo rip input

isis 1
import-route rip 1 cost 200 tag 200 level-1 route-policy from_bb1
summary 212.18.0.0 255.255.252.0 level-1 tag 200

route-policy from_bb1 permit node 10
if-match ip-prefix from_bb1

ip ip-prefix to_bb1 index 10 permit 10.1.0.0 16
ip ip-prefix from_bb1 index 10 permit 212.18.0.0 22 greater-equal 24 less-equal 24

interface Serial1/0/1
rip summary-address 10.1.0.0 255.255.0.0 avoid-feedback

Note:
1. BB1 and BB2 connect to R6 with IP addresses from the same unsubnetted network. RIP
can only advertise routes to the unsubnetted network segment. However, this section requires
that only S1/0/1 connecting R6 to BB1 send and receive RIP packets. Therefore, configure the
interface connecting R6 to BB2 not to send or receive RIP routes to control RIP packet flow.
In RIP, the passive-interface function can only prohibit RIP from sending Update packets but
cannot prohibit RIP from receiving Update packets.
2. After RIP and IS-IS import routes from each other, IS-IS can learn four specific routes
from RIP: 212.18.0.0/24, 212.18.1.0/24, 212.18.2.0/24, and 212.18.3.0/24. This section
requires that other IS-IS routers can view only the summarized route 212.18.0.0/22. To meet
this requirement, configure route summarization when IS-IS imports RIP routes and use
ip-prefix for exact route matching to filter other imported external routes.
3. When RIP imports IS-IS routes, configure route summarization because all learned IS-IS
routes are specific routes. To filter 157.68.3.0/24, the BB3 route that does not belong to the
network segment 10.1.0.0, use ip-prefix for exact route matching so that R6 sends BB1 only
one route 10.1.0.0/16.
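
Added example (not part of the original exam answers): a Python model of how the two ip-prefix entries on R6 are evaluated, next to an address-only ACL match, to show why the notes prefer ip-prefix when the mask length matters. The ACL rule 10.1.0.0 0.0.255.255 used for comparison is constructed for this example and does not appear in the answers; the function names are assumptions.

```python
import ipaddress
import re

# The two entries from the R6 answer above.
CONFIG = """\
ip ip-prefix to_bb1 index 10 permit 10.1.0.0 16
ip ip-prefix from_bb1 index 10 permit 212.18.0.0 22 greater-equal 24 less-equal 24
"""

ENTRY_RE = re.compile(
    r"^ip ip-prefix (?P<name>\S+) index (?P<index>\d+) (?P<action>permit|deny) "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) (?P<len>\d+)"
    r"(?: greater-equal (?P<ge>\d+))?(?: less-equal (?P<le>\d+))?$"
)


def parse_prefix_lists(config):
    """Return {name: [(index, action, network, low, high), ...]} sorted by index."""
    lists = {}
    for line in config.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        mask_len = int(m["len"])
        ge = int(m["ge"]) if m["ge"] else None
        le = int(m["le"]) if m["le"] else None
        if ge is None and le is None:
            low = high = mask_len            # exact mask length only
        else:
            low = ge if ge is not None else mask_len
            high = le if le is not None else 32
        net = ipaddress.IPv4Network(f"{m['ip']}/{mask_len}", strict=False)
        lists.setdefault(m["name"], []).append(
            (int(m["index"]), m["action"], net, low, high))
    for entries in lists.values():
        entries.sort(key=lambda entry: entry[0])
    return lists


def prefix_list_verdict(entries, route):
    """First matching entry wins; a route that matches no entry is denied."""
    route = ipaddress.IPv4Network(route)
    for _index, action, net, low, high in entries:
        if low <= route.prefixlen <= high and route.subnet_of(net):
            return action
    return "deny"


def acl_verdict(source, wildcard, route):
    """Address-only match: the route's mask length is not compared at all."""
    route = ipaddress.IPv4Network(route)
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    same = (int(route.network_address) & care) == (
        int(ipaddress.IPv4Address(source)) & care)
    return "permit" if same else "deny"


def classify(entries, routes):
    return {route: prefix_list_verdict(entries, route) for route in routes}


if __name__ == "__main__":
    lists = parse_prefix_lists(CONFIG)
    # Routes R6 could offer to BB1 (10.1.4.0/24 is a constructed specific route).
    print(classify(lists["to_bb1"],
                   ["10.1.0.0/16", "10.1.4.0/24", "157.68.3.0/24"]))
    # Routes R6 learns from BB1 through RIP, plus two constructed non-matches.
    print(classify(lists["from_bb1"],
                   ["212.18.0.0/24", "212.18.3.0/24", "212.18.0.0/22", "212.18.4.0/24"]))
    # Constructed ACL for comparison: it cannot tell the /16 from the /24.
    print(acl_verdict("10.1.0.0", "0.0.255.255", "10.1.4.0/24"))
```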

2.1.1.10 IGP Import


On R1 and SW2, configure full mutual route import between IS-IS and OSPF.
Only one route covering the loopback networks of R4 and R5 should exist in the
IS-IS domain. Consider loop prevention in your solution.
Fully consider routing loop prevention and sub-optimal route issues.
R3 should use the direct PPP link as the primary path to OSPF Area.

R1:
isis 1
import-route ospf 1 level-1 tag 122 route-policy OSPF2ISIS
summary 10.1.4.0 255.255.254.0 level-1

ospf 1
import-route isis 1 tag 1022 route-policy ISIS2OSPF
preference ase route-policy external

route-policy OSPF2ISIS deny node 10
if-match tag 221
route-policy OSPF2ISIS permit node 20

route-policy ISIS2OSPF deny node 10
if-match tag 2210
route-policy ISIS2OSPF permit node 20

route-policy external permit node 10
if-match tag 200
apply preference 12
route-policy external permit node 20

SW2:
isis 1
import-route ospf 1 level-1 tag 2210 route-policy OSPF2ISIS
summary 10.1.4.0 255.255.254.0 level-1

ospf 1
import-route isis 1 tag 221 route-policy ISIS2OSPF
preference ase route-policy external

route-policy OSPF2ISIS deny node 10
if-match tag 1022
route-policy OSPF2ISIS permit node 20

route-policy ISIS2OSPF deny node 10
if-match tag 122
route-policy ISIS2OSPF permit node 20

route-policy external permit node 10
if-match tag 200
apply preference 12
route-policy external permit node 20

R3:
interface Ethernet2/0/1
isis cost 20

Note:
Routing loops and sub-optimal routes may occur when two routing protocols on two devices
import routes from each other.
After one OSPF external route is imported into IS-IS through R1, this route may be imported
into OSPF again through SW2 unless you filter it.
Multiple methods can filter these routes. For example, use ACLs or ip-prefix to match
specific routes for filtering. However, these matching policies need to be manually modified
when routes on the network change, resulting in poor scalability. As both OSPF and IS-IS
routes can carry the tag, set the tag to filter routes imported between two routing protocols.
In OSPF, the preference of internal and external routes is 10 and 150 respectively. In IS-IS,
both have a preference of 15. In this exam, after R1 imports an OSPF external route
into IS-IS, SW2 can learn this route through OSPF and IS-IS. Route selection rules dictate
that SW2 will use the route learned through IS-IS, leading to a sub-optimal route. To prevent
this, change the OSPF external route preference to a value between 10 and 15.
OSPF routes are imported on SW2 and filtered by R1, and OSPF routes are imported on R1
and filtered by SW2. There may be other methods.
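
Added example (not part of the original exam answers): a small Python model of the four import points on R1 and SW2 with the tags from the configuration above, showing that no copy of a route is imported back into the protocol it came from, and what happens when the deny nodes are left out. The model is simplified: each protocol domain holds tagged copies of one prefix, an untagged route has tag 0, and a device never re-imports the copy it injected itself; all function names are assumptions.

```python
# (device, source protocol, destination protocol) -> tag denied on import and
# tag set on import, as configured on R1 and SW2 in the answer above.
PAGE_POLICIES = {
    ("R1", "ospf", "isis"): {"deny_tag": 221, "set_tag": 122},
    ("R1", "isis", "ospf"): {"deny_tag": 2210, "set_tag": 1022},
    ("SW2", "ospf", "isis"): {"deny_tag": 1022, "set_tag": 2210},
    ("SW2", "isis", "ospf"): {"deny_tag": 122, "set_tag": 221},
}


def without_filters(policies):
    """Constructed variant: same tags are set, but no deny node filters on them."""
    return {key: {"deny_tag": None, "set_tag": value["set_tag"]}
            for key, value in policies.items()}


def tags_consistent(policies):
    """Each import point must deny the tag the other device sets in the
    opposite direction; a mistyped tag value breaks the loop prevention."""
    for (device, src, dst), policy in policies.items():
        opposite = [value["set_tag"]
                    for (other, o_src, o_dst), value in policies.items()
                    if other != device and (o_src, o_dst) == (dst, src)]
        if opposite != [policy["deny_tag"]]:
            return False
    return True


def redistribute(policies, origin, max_rounds=10):
    """Flood one prefix that originates in `origin`.

    Returns (feedback, converged). feedback lists (device, tag of the copy it
    imported) for every import back into the origin protocol.
    """
    domains = {"ospf": set(), "isis": set()}
    domains[origin].add((0, "origin"))          # (tag, injected by)
    feedback = []
    for _ in range(max_rounds):
        added = False
        snapshot = {name: set(copies) for name, copies in domains.items()}
        for (device, src, dst), policy in sorted(policies.items()):
            for tag, injector in sorted(snapshot[src]):
                if injector == device or tag == policy["deny_tag"]:
                    continue
                copy = (policy["set_tag"], device)
                if copy not in domains[dst]:
                    domains[dst].add(copy)
                    added = True
                    if dst == origin:
                        feedback.append((device, tag))
        if not added:
            return feedback, True
    return feedback, False


if __name__ == "__main__":
    print("tags consistent:", tags_consistent(PAGE_POLICIES))
    for origin in ("ospf", "isis"):
        print(origin, "with filters:", redistribute(PAGE_POLICIES, origin))
        print(origin, "without filters:",
              redistribute(without_filters(PAGE_POLICIES), origin))
```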

iii. Section 3: EGP

3.1.1.1 BGP Neighbor


Configure BGP neighbors as shown in the table below. AS numbers are shown in
the IPv4 BGP topology diagram.
All IBGP neighbor relationships are established using loopback interface
addresses, except SW2, which uses a directly connected address. All EBGP
neighbor relationships use directly connected addresses.
R1 and R6 are clients of R2.

Device 1    Device 2
R4          BB3
R4          R5
R5          R1
R1          R3
R1          R2
R3          SW2
R3          R2
R2          R6
R6          BB2

R1:
bgp 200
peer 10.1.2.2 as-number 200
peer 10.1.13.3 as-number 300
peer 10.1.145.5 as-number 400
ipv4-family unicast
peer 10.1.145.5 enable
peer 10.1.2.2 enable
peer 10.1.13.3 enable

R2:
bgp 200
peer 10.1.1.1 as-number 200
peer 10.1.1.1 connect-interface LoopBack0
peer 10.1.23.3 as-number 300
peer 10.1.6.6 as-number 200
peer 10.1.6.6 connect-interface LoopBack0
ipv4-family unicast
peer 10.1.1.1 enable
peer 10.1.1.1 reflect-client
peer 10.1.23.3 enable
peer 10.1.6.6 enable
peer 10.1.6.6 reflect-client

R3:
bgp 300
peer 10.1.13.1 as-number 200
peer 10.1.23.2 as-number 200
peer 10.1.32.22 as-number 300
ipv4-family unicast
peer 10.1.13.1 enable
peer 10.1.23.2 enable
peer 10.1.32.22 enable

R4:
bgp 400
peer 10.1.5.5 as-number 400
peer 10.1.5.5 connect-interface LoopBack0
peer 157.68.3.254 as-number 33
ipv4-family unicast
peer 10.1.5.5 enable
peer 157.68.3.254 enable

R5:
bgp 400
peer 10.1.4.4 as-number 400
peer 10.1.4.4 connect-interface LoopBack0
peer 10.1.145.1 as-number 200
ipv4-family unicast
peer 10.1.145.1 enable
peer 10.1.4.4 enable

R6:
bgp 200
peer 10.1.2.2 as-number 200
peer 10.1.2.2 connect-interface LoopBack0
peer 157.68.2.254 as-number 22
peer 157.68.2.254 password simple HW
ipv4-family unicast
peer 10.1.2.2 enable
peer 157.68.2.254 enable

SW2:
bgp 300
peer 10.1.32.3 as-number 300
ipv4-family unicast
peer 10.1.32.3 enable

Note:
IP addresses of physical interfaces on routers may become invalid due to line faults. This
will interrupt BGP neighbor relationships established using these IP addresses. This problem
does not occur on loopback interfaces, especially when there are redundant routes between two
BGP routers. Therefore, the use of loopback interface addresses enhances BGP connection
reliability and is common in IBGP connections.

3.1.1.2 BGP Control


When the serial link between R4 and R5 is interrupted, perform configuration on
R1 to ensure that routers in AS 200 can access AS 33 as usual.
R1:
bgp 200
peer 10.1.145.5 route-policy BB3 import

route-policy BB3 permit node 10
apply ip-address next-hop 10.1.145.4

Note:
R4 and R5 establish the BGP connection through Loopback0 interfaces so that BGP function
is maintained when the serial link between them is interrupted.
R1 and R5 establish an EBGP connection so that the next hop of BGP routes to AS 33 that
are received by R1 from R5 is 10.1.145.5. However, these BGP routes on R5 still point to R4.
When data destined for AS 33 is sent from R1, the data will be sent to R5 using BGP routing.
After discovering that the next hop of the data in the BGP routing table does not reside on a
directly connected network segment, R5 performs recursive route query. In this case of an
interrupted serial link between R4 and R5, R5 finds the directly connected next hop
10.1.145.4. The special FR structure prevents R5 from directly sending the data to R4. R5 can
only send the data to R1 instead, causing a routing loop during data transmission between R1
and R5.
To prevent this loop and ensure normal data transmission when the serial link between R4
and R5 is interrupted, change the BGP next hop.

3.1.1.3 BGP BFD


When a network fault interrupts the BGP connection between R3 and SW2, detect
this connection failure within 1 second.
R3:
bfd
bgp 300
peer 10.1.32.22 bfd min-tx-interval 300 min-rx-interval 300
peer 10.1.32.22 bfd enable


SW2:
bfd
bgp 300
peer 10.1.32.3 bfd min-tx-interval 300 min-rx-interval 300
peer 10.1.32.3 bfd enable

3.1.1.4 BGP Summarization


R1 G0/0/0 network should be advertised in BGP.
Ensure that AS 33 reaches other ASs through only one route, which cannot be sent
back to R1.
R6 receives BGP routes from BB2 with the community attribute 1:254. Summarize
these routes into a summarized route and prevent the summarized route from being
advertised outside AS 200 without using the route filtering method.
R1:
bgp 200
ipv4-family unicast
network 10.1.10.0 255.255.255.0

R2:
bgp 200
peer 10.1.1.1 advertise-community

R4:
bgp 400
ipv4-family unicast
aggregate 10.1.0.0 16 detail-suppressed as-set

R6:
bgp 200
aggregate 220.20.0.0 22 attribute-policy attribute origin-policy origin
peer 10.1.2.2 advertise-community

route-policy origin permit node 10
if-match community-filter 1
#
route-policy attribute permit node 10
apply community no-export additive
#
ip community-filter 1 permit 1:254

Note:
AS_Path information carried in specific routes will be lost during route summarization. To
prevent the summarized route from being sent back to the ASs that specific routes pass
through, use the as-set parameter to allow the summarized route to carry the numbers of these
ASs.

3.1.1.5 BGP Default Settings


SW2 does not need to learn routes from other ASs. SW2 must use R3 to access all
other ASs.
Configure R3 to ensure that SW2 does not learn unnecessary BGP prefixes.

R3:
bgp 300
ipv4-family unicast
peer 10.1.32.22 route-policy DEFAULT export
peer 10.1.32.22 default-route-advertise

route-policy DEFAULT permit node 10
if-match ip-prefix DEFAULT

ip ip-prefix DEFAULT index 10 permit 0.0.0.0 0

3.1.1.6 BGP Filtering


Traffic from AS 300 may not traverse AS 200. You may only configure AS 200 to
achieve this.
Configure the preferred-value attribute to ensure that R3 learns routes from R2 in
preference to R1.
R1:
bgp 200
ipv4-family unicast
peer 10.1.13.3 route-policy ONLY200 export

route-policy ONLY200 permit node 10
if-match as-path-filter 1
ip as-path-filter 1 permit ^$

R2:
bgp 200
ipv4-family unicast
peer 10.1.23.3 route-policy ONLY200 export

route-policy ONLY200 permit node 10
if-match as-path-filter 1
ip as-path-filter 1 permit ^$

R3:
route-policy PRE permit node 10
apply preferred-value 10
bgp 300
peer 10.1.23.2 route-policy PRE import

iv. Section 4: IP Multicast

4.1.1.1 PIM
Enable multicast routing on R1, R2, R4 and SW1.
Enable PIM sparse mode on FR links from R1 to R2 and from R1 to R4.
Enable PIM sparse mode on R4 E2/0/0, R1 G0/0/0, SW1 VLAN 3 and SW1
VLAN 41.
R1:
multicast routing-enable
interface Serial2/0/0
pim sm
interface Serial1/0/0
pim sm
interface GigabitEthernet0/0/0
pim sm

R2:
multicast routing-enable
interface Serial1/0/0.1 p2p
pim sm

R4:
multicast routing-enable
interface Ethernet2/0/0
pim sm
interface Serial1/0/0
pim sm

SW1:
multicast routing-enable
interface Vlanif3
pim sm
interface Vlanif41
pim sm

4.1.1.2 RP
The IP address of Loopback 0 on R1 is used as RP for the following multicast
ranges.
225.10.0.0 - 225.10.255.255
225.26.0.0 - 225.26.255.255
225.42.0.0 - 225.42.255.255
225.58.0.0 - 225.58.255.255
The IP address of Loopback 0 on R4 is used as RP for the following multicast
ranges.
226.37.0.0 - 226.37.255.255
226.45.0.0 - 226.45.255.255
227.37.0.0 - 227.37.255.255
227.45.0.0 - 227.45.255.255
Configure the minimum number of ACL rules to achieve this.

R1, R2, R4 and SW1:
pim
static-rp 10.1.1.1 2000
static-rp 10.1.4.4 2001

acl number 2000
rule 5 permit source 225.10.0.0 0.48.255.255
acl number 2001
rule 5 permit source 226.37.0.0 1.8.255.255
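
The single-rule answers above rely on non-contiguous wildcard masks. The following Python sketch is an added example, not part of the exam material: it derives the base address and wildcard for a set of equal-length group ranges and returns None when one rule would match more than the listed ranges. The function names and the /16 notation for the ranges are assumptions made for illustration.

```python
import ipaddress

# Group ranges from task 4.1.1.2, written as /16 networks (notation assumed here).
R1_GROUPS = ["225.10.0.0/16", "225.26.0.0/16", "225.42.0.0/16", "225.58.0.0/16"]
R4_GROUPS = ["226.37.0.0/16", "226.45.0.0/16", "227.37.0.0/16", "227.45.0.0/16"]

def minimal_wildcard_rule(prefixes):
    """Return (base, wildcard) for one ACL rule matching exactly `prefixes`, else None."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    if len({n.prefixlen for n in nets}) != 1:
        return None  # mixed prefix lengths need more than this simple derivation
    host_bits = int(nets[0].hostmask)
    bases = [int(n.network_address) for n in nets]
    # Every bit that differs between any two network addresses must be "don't care".
    differing = 0
    for b in bases:
        differing |= b ^ bases[0]
    # k don't-care bits match 2**k networks. The rule is exact only when the
    # listed networks fill all of those combinations.
    if 2 ** bin(differing).count("1") != len(set(bases)):
        return None
    base = bases[0] & ~differing & 0xFFFFFFFF
    wildcard = differing | host_bits
    return str(ipaddress.IPv4Address(base)), str(ipaddress.IPv4Address(wildcard))

def rule_matches(addr, base, wildcard):
    """ACL match: bits outside the wildcard must equal the base address."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0

if __name__ == "__main__":
    print(minimal_wildcard_rule(R1_GROUPS))
    print(minimal_wildcard_rule(R4_GROUPS))
    # Three of the four R1 ranges cannot be covered exactly by one rule.
    print(minimal_wildcard_rule(R1_GROUPS[:3]))
```
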

4.1.1.3 IGMP
Configure R1 G0/0/0 to send IGMP General Query messages at 5 second intervals.
The maximum response time for IGMP Query messages should be 3s on R1
G0/0/0.
Use an ACL to prevent users on R1 G0/0/0 segment from joining the multicast
group 226.37.1.1.
R1:
interface GigabitEthernet0/0/0
igmp enable
igmp timer query 5
igmp max-response-time 3
igmp group-policy 2002 3


acl number 2002
rule 5 deny source 226.37.1.1 0
rule 10 permit

v. Section 5: IPv6

5.1.1.1 Basic IPv6 Configuration


Configure IPv6 on R1, R3 and SW2.
IPv6 addresses on the PPP link between R1 and R3 are 2001:10:Y:13::X/64.
IPv6 addresses on the Ethernet link between R3 E2/0/1 and SW2 VLANIF 18 are
2001:10:Y:32::X/64.
R1:
ipv6
interface Serial1/0/1
ipv6 enable
ipv6 address 2001:10:1:13::1/64

R3:
ipv6
interface Serial1/0/1
ipv6 enable
ipv6 address 2001:10:1:13::3/64
interface Ethernet2/0/1
ipv6 enable
ipv6 address 2001:10:1:32::3/64

SW2:
ipv6
interface Vlanif18
ipv6 enable
ipv6 address 2001:10:1:32::22/64

5.1.1.2 RIPng
Enable RIPng on the PPP link between R1 and R3.
Enable RIPng on the Ethernet link between R3 and SW2.

R1:
ripng 1
interface Serial1/0/1
ripng 1 enable

R3:
ripng 1
interface Serial1/0/1
ripng 1 enable
interface Ethernet2/0/1
ripng 1 enable

SW2:
ripng 1
interface Vlanif18
ripng 1 enable

vi. Section 6: QoS

6.1.1.1 QoS Configuration


Configure SW2 to police received traffic with an 802.1p priority of 1, and set the
CIR to 1000 kbit/s. The policer should allow green and yellow packets to pass
through and re-mark the 802.1p priorities of green and yellow packets to 4 and 7
respectively; red packets should be discarded.
Configure inbound traffic policing on R3 S1/0/1 and set the CIR to 2000 kbit/s.
Set the DSCP priority of voice packets to EF. The voice packets are received by
G0/0/2 on SW2 and contain source address 10.1.26.201 and destination address
10.1.33.201.
The three types of packets received by R1 (NMS control, video, and data packets)
are marked with different DSCP priorities. The DSCP priorities are cs6, af21,
and af11 respectively. NMS control, video, and data packets sent from R1 to R3
must occupy 5%, 30%, and 45% of bandwidth respectively. Configure congestion
avoidance and set the following parameters. For data packets, set the upper drop
threshold to 85, lower drop threshold to 70, and maximum drop probability to 6.
For video packets, set the upper drop threshold to 95, lower drop threshold to 80,
and maximum drop probability to 60.
SW2:
traffic classifier TC
if-match 8021p 1
traffic behavior TB
car cir 1000 pir 1000 cbs 125000 pbs 125000 green pass remark-8021p 4 yellow pass remark-8021p 7 red discard
traffic policy FILTER
classifier TC behavior TB
traffic-policy FILTER global inbound

acl number 3001
rule 0 permit ip source 10.1.26.201 0 destination 10.1.33.201 0
traffic classifier class-voice
if-match acl 3001
traffic behavior behavior-voice
remark dscp ef
traffic policy policy-voice
classifier class-voice behavior behavior-voice
interface GigabitEthernet 0/0/2
traffic-policy policy-voice inbound

R1:
traffic classifier data
if-match dscp af11
traffic classifier video
if-match dscp af21
traffic classifier control
if-match dscp cs6
drop-profile data
wred dscp
dscp 10 low-limit 70 high-limit 85 discard-percentage 60
drop-profile video
wred dscp
dscp 18 low-limit 80 high-limit 95 discard-percentage 60
traffic behavior data
queue af bandwidth pct 45
drop-profile data
traffic behavior video
queue af bandwidth pct 30
drop-profile video
traffic behavior control
queue ef bandwidth pct 5

traffic policy group
classifier control behavior control
classifier video behavior video
classifier data behavior data
interface S1/0/1
traffic-policy group outbound

R3:
interface Serial1/0/1
qos car inbound cir 2000 cbs 376000 pbs 626000 green pass yellow discard red discard

Note:
Use different optimization policies for packets with different DSCP priorities.
Configure filtering conditions based on source and destination IP addresses and port
numbers.

vii. Section 7: Security

7.1.1.1 Header Configuration


When a user connects to R3, the message "Please do not attempt to log in to this
system if you are not authorized!" should be displayed on the terminal.
R3:
header login information "Please do not attempt to log in to this system if you are not authorized!"

7.1.1.2 Port Security


SW1 E0/0/20 should accept a maximum of 2 secure dynamic MAC addresses. Any
frames from MAC addresses which are not one of the secure dynamic entries on
SW1 E0/0/20 should be discarded. A trap should be generated on SW1 when
E0/0/20 learns more than two secure dynamic MAC address entries. If SW1 is
restarted, the learned MAC addresses should not be lost.
SW1:
interface Ethernet0/0/20
port-security enable
port-security max-mac-num 2
port-security mac-address sticky
port-security protect-action restrict

7.1.1.3 uRPF
DoS attacks with forged source IP addresses occur on E2/0/1 of R3. To solve this
problem, use uRPF for IPv4 packets on E2/0/1 of R3.
Configure uRPF for IPv6 packets on R3 E2/0/1. Packets with a source address in
the FIB may be forwarded. It is not necessary for the outbound interface in the FIB
to match the inbound interface of the packets.
R3:
interface Ethernet2/0/1
urpf strict
ipv6 urpf loose

Note:
Compared with the loose mode, the strict mode offers better defense against DoS attacks
with forged source IP addresses.
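
The difference between the two modes configured on R3 E2/0/1 can be seen in a small model of the check. This Python sketch is an added example, not part of the exam material: the FIB entries are constructed, the IPv4 prefix lengths are assumed, no default route is modelled, and the function names are hypothetical.

```python
import ipaddress

# Constructed FIB for R3: (prefix, outbound interface). The /24 lengths are assumed.
FIB = [
    ("10.1.32.0/24", "Ethernet2/0/1"),
    ("10.1.13.0/24", "Serial1/0/1"),
    ("2001:10:1:32::/64", "Ethernet2/0/1"),
    ("2001:10:1:13::/64", "Serial1/0/1"),
]

def lookup(src):
    """Longest-prefix match of a source address; returns the outbound interface or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in FIB:
        net = ipaddress.ip_network(prefix)
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, ifname)
    return best[1] if best else None

def urpf_permits(src, in_if, mode):
    """Loose: the source must have a FIB route. Strict: that route must point back out in_if."""
    out_if = lookup(src)
    if out_if is None:
        return False          # no route to the claimed source: dropped in both modes
    if mode == "loose":
        return True
    return out_if == in_if    # strict also compares the interface

def check_r3_e2_0_1(src):
    """Apply the answer's settings on Ethernet2/0/1: strict for IPv4, loose for IPv6."""
    mode = "strict" if ipaddress.ip_address(src).version == 4 else "loose"
    return urpf_permits(src, "Ethernet2/0/1", mode)

if __name__ == "__main__":
    for src in ("10.1.32.22", "10.1.13.1", "192.0.2.1",
                "2001:10:1:13::1", "2001:db8::1"):
        print(src, "permit" if check_r3_e2_0_1(src) else "drop")
```
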

viii. Section 8: IP feature

8.1 NetStream
NMS personnel require key information in packets received by G0/0/0 on R6
through NetStream. Set the packet sampling interval to 100 ms and configure
aggregation using Protocol-Port to collect exported packets. The address of the
NetStream server is 10.1.26.200 and the port number is 6000. The exported packets
must carry BGP next hop information and MPLS information.
R6:
int g0/0/0
ip netstream sampler fix-time 100 inbound
ip netstream inbound
ip netstream aggregation protocol-port
enable
export version 9
ip netstream export source 10.1.26.6
ip netstream export host 10.1.26.200 6000

Note:
1. Time-based regular sampling meets sampling requirements.
2. Exported version v9 meets the statistical requirements.
