
CCIEv5 New Lab Exam Topics Free workbook

Lab 1

IP addressing & Multilayer Switch configurations

R1
int s1/0
ip add 10.1.14.1 255.255.255.0
no sh

int s1/1
ip add 10.1.15.1 255.255.255.0
no sh

int loop 1
ip add 1.1.1.1 255.255.255.255

int loop 2
ip add 11.11.11.11 255.255.255.255

R2
int s1/0
ip add 10.1.24.2 255.255.255.0
no sh

int e0/0
ip add 2.2.2.10 255.255.255.0
no sh

int loop 0
ip add 192.168.2.1 255.255.255.0

int loop 1
ip add 12.12.12.12 255.255.255.255

int loop 2
ip add 22.22.22.22 255.255.255.255

R3
int loop 0
ip add 192.168.3.1 255.255.255.0

int e0/0
ip add 3.3.3.10 255.255.255.0
no sh

R4
int s1/1
ip add 10.1.24.4 255.255.255.0
no sh

int s1/0
ip add 10.1.14.4 255.255.255.0
no sh

int loop 1
ip add 4.4.4.4 255.255.255.255

int loop 2
ip add 44.44.44.44 255.255.255.255

R5
int loop 0
ip add 192.168.1.1 255.255.255.0

int e0/0
ip add 1.1.1.10 255.255.255.0
no sh

int s1/0
ip add 10.1.15.5 255.255.255.0
no sh

SW1
ip routing
ip cef

vlan 1
vlan 2
vlan 3

int e1/1
sw acc vlan 1
int e0/2
sw acc vlan 2
int e0/3
sw acc vlan 3

int vlan 1
ip add 1.1.1.100 255.255.255.0
no sh

int vlan 2
ip add 2.2.2.100 255.255.255.0
no sh

int vlan 3
ip add 3.3.3.100 255.255.255.0
no sh

R5, R2 and R3 need Layer 3 connectivity to each other, so on each of them we create a default route
pointing to SW1. SW1 then acts as the "Internet" connecting the three routers even though they sit in
different subnets; this is needed later for the DMVPN task.

on R5
ip route 0.0.0.0 0.0.0.0 1.1.1.100

on R2
ip route 0.0.0.0 0.0.0.0 2.2.2.100

on R3
ip route 0.0.0.0 0.0.0.0 3.3.3.100

Now we are ready to answer the lab tasks:

VPN Site To Site using pre shared key Task

Create a site-to-site VPN between R2 and R4 using the pre-shared key "Cbtme", according to the
following requirements:
- The VPN must be established when loop1 on R4 communicates with loop1 on R2 (or vice versa) using IP
or ICMP.
- Confidentiality must be provided by AES and integrity by SHA in both IKE phase 1 and phase 2.
- Make sure the key is changed after 86400 seconds.
- IPsec will use tunnel mode.
- R2's and R4's loop 1 and loop 2 will be reachable via static routes.

EIGRP Named Mode Task

- R1 and R4 will run EIGRP AS 101 and both will advertise all connected physical interfaces except R1 s1/1.
- R1 will advertise its own loop 0 in the EIGRP domain.
- Both routers must be configured with EIGRP MD5 authentication using key 1, key-string cbtme.
- Any physical interface on either router that is not part of the EIGRP domain must never send EIGRP
hello messages. Make sure auto-summarization is disabled.
- R1 will use EIGRP named mode, R4 will use classic mode.
- R4 interface s1/0 will have IPv6 address 2001:10:1:14::4/64, loop0 2001:4:4:4::4/128.
- R1 interface s1/0 will have IPv6 address 2001:10:1:14::1/64, loop0 2001:1:1:1::1/128.
- Run EIGRPv6 with the same requirements as for the IPv4 domain.
- Redistribute OSPF 100 into EIGRP 101 on R1 (the OSPF process is created in the next task).

OSPF BFD Task

- Run OSPF 100 between R1 s1/1 and R5 s1/0 using router-id 0.0.0.x, where x is the router number.
- Both routers will be in area 0.
- Advertise R1 loop1 into your OSPF domain.
- Run BFD on both routers, but make sure it is enabled only on the OSPF-enabled physical interfaces.
- Redistribute EIGRP 101 into OSPF 100.

EPC Task

- On R5, capture all ICMP and IPv4 packets sent or received between R5 and R1 for 15 minutes.
- Create a buffer named "MYBUFFER" with size 2048 and a maximum packet (element) size of 1518.
- Your capture point must be named "MYPOINT".
- Export the captured packets to TFTP server 10.1.34.100 so they can later be analyzed with Wireshark.

DMVPN Task

- R5, R2 and R3 are connected to each other through SW1.
- Each router's Ethernet interface has an IP address acting as its public address:
R5 E0/0 1.1.1.10
R2 E0/0 2.2.2.10
R3 E0/0 3.3.3.10
- Implement a DMVPN solution using secured mGRE tunnels with subnet 172.16.0.0/24, where R5 acts
as the HUB and R2 and R3 act as SPOKES.
- All communication between these three routers' loop 0 subnets must go through the mGRE tunnels:
R5 loop 0 network 192.168.1.1 255.255.255.0
R2 loop 0 network 192.168.2.1 255.255.255.0
R3 loop 0 network 192.168.3.1 255.255.255.0

Lab 1 Answers
VPN site-to-site Task
Configure ISAKMP (IKE phase 1)
Configure IPsec (IKE phase 2: crypto ACL, transform set, crypto map)

1- Configure ISAKMP (IKE) phase 1 and create static routes to provide Layer 3 connectivity to the peer's
loop 1 and loop 2, as the task requires.

IKE exists only to establish SAs (Security Associations) for IPsec. Before it can do this, IKE must
negotiate its own SA (the ISAKMP SA) with the peer.

R2
ip route 4.4.4.4 255.255.255.255 10.1.24.4
ip route 44.44.44.44 255.255.255.255 10.1.24.4

crypto isakmp enable

crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
lifetime 86400
exit

The above commands define the following (in listed order):

pre-share - a pre-shared key is the authentication method
aes - the encryption algorithm for phase 1 (AES-128 when no key size is given)
sha - the hashing algorithm (SHA-1)
86400 - the ISAKMP SA lifetime in seconds; this is also the IOS default, written explicitly because
the task asks for it
The Diffie-Hellman group is not specified, so the IOS default (group 1, 768-bit) is used. That satisfies
the task, but in production add `group 14` or higher, and prefer `sha256` over SHA-1 where the
requirement allows.

Next we define the pre-shared key used to authenticate our peer (R4) with the following command:

crypto isakmp key 0 Cbtme address 10.1.24.4 255.255.255.255

The peer's pre-shared key is set to Cbtme (as the task requires) and its public IP address is 10.1.24.4;
a host mask is used so the key applies only to that peer. Every time R2 tries to establish a VPN tunnel
with R4 (10.1.24.4), this key is used. The `0` means the key is typed unencrypted; it stays in plain
text in `show running-config` unless type 6 encryption is enabled (`key config-key password-encrypt`
followed by `password encryption aes`).
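To see what the unspecified attributes of policy 1 actually negotiate to, here is an added Python model (not part of the workbook) of how an IOS responder picks an ISAKMP policy: it walks its own policies by priority, requires equal encryption, hash, authentication and DH group, and accepts the initiator's lifetime only if it is not longer than its own (the shorter lifetime is then used). The default values are the classic IOS defaults for `crypto isakmp policy`; the "hardened R4" proposal with `group 14` is a constructed example showing how a group mismatch makes phase 1 fail.

```python
"""Added example: IOS responder-side ISAKMP (IKEv1 phase 1) policy selection.

Matching rule (Cisco ISAKMP documentation): walk the responder's policies by
priority, lowest number first, and accept the first whose encryption, hash,
authentication and DH group equal the initiator's proposal and whose lifetime
is >= the proposed one; the shorter lifetime is used for the SA."""

IOS_DEFAULTS = {
    "encryption": "des",        # used when 'encryption' is omitted
    "hash": "sha",              # SHA-1
    "authentication": "rsa-sig",
    "group": 1,                 # DH group 1 (768-bit MODP) unless 'group' is set
    "lifetime": 86400,          # seconds
}
NEGOTIATED = ("encryption", "hash", "authentication", "group")


def policy(**attrs):
    """Build a complete policy: explicit attributes on top of the IOS defaults."""
    pol = dict(IOS_DEFAULTS)
    pol.update(attrs)
    return pol


def select_policy(responder_policies, proposal):
    """Return (priority, agreed_policy), or (None, None) when nothing matches.

    responder_policies: {priority: policy}; proposal: the initiator's policy."""
    for prio in sorted(responder_policies):
        pol = responder_policies[prio]
        same_algorithms = all(pol[k] == proposal[k] for k in NEGOTIATED)
        if same_algorithms and proposal["lifetime"] <= pol["lifetime"]:
            agreed = dict(pol)
            agreed["lifetime"] = min(pol["lifetime"], proposal["lifetime"])
            return prio, agreed
    return None, None


def weak_settings(pol):
    """Flag phase 1 parameters a security review would push back on today."""
    warnings = []
    if pol["encryption"] in ("des", "3des"):
        warnings.append("encryption %s is legacy; use aes 256" % pol["encryption"])
    if pol["hash"] == "md5":
        warnings.append("hash md5 is obsolete; use sha256 or stronger")
    elif pol["hash"] == "sha":
        warnings.append("hash sha is SHA-1; prefer sha256 where the requirement allows")
    if pol["group"] < 14:
        warnings.append("DH group %d is too small; use group 14 or higher" % pol["group"])
    return warnings


# The workbook's policy 1 on both peers: aes, sha, pre-share; group and lifetime left at defaults.
R2_POLICIES = {1: policy(encryption="aes", hash="sha", authentication="pre-share")}
R4_PROPOSAL = policy(encryption="aes", hash="sha", authentication="pre-share")
# Constructed: an R4 that insists on DH group 14 will not match R2's policy 1.
R4_HARDENED = policy(encryption="aes", hash="sha", authentication="pre-share", group=14)

if __name__ == "__main__":
    prio, agreed = select_policy(R2_POLICIES, R4_PROPOSAL)
    print("matched policy", prio, agreed)
    print("review warnings:", weak_settings(agreed))
    print("hardened R4 proposal matches:", select_policy(R2_POLICIES, R4_HARDENED))
```

The practical lesson is the one `show crypto isakmp policy` also tells you: the policy you typed is not the policy you run until every attribute, including `group`, is explicit on both peers.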

2- Configure IPSec (ISAKMP Phase 2, ACLs, Crypto MAP)


To configure IPSec we need to setup the following in order:
- Create extended ACL
- Create IPSec Transform
- Create Crypto Map
- Apply crypto map to the public interface

Creating the Extended ACL

ip access-list extended VPN_Networks
permit ip host 12.12.12.12 host 4.4.4.4
permit icmp host 12.12.12.12 host 4.4.4.4
exit

(The `permit ip` entry already matches ICMP; the second line is kept only because the task names both
protocols. The peer's crypto ACL must be the exact mirror image of this one, or phase 2 fails with a
proxy identity mismatch.)

Create the IPsec Transform Set (IKE phase 2 policy)

crypto ipsec transform-set TS1 esp-aes esp-sha-hmac
mode tunnel
exit

crypto ipsec security-association lifetime seconds 86400

(Tunnel mode is the default for a transform set; it is written explicitly because the task asks for it.)

Create Crypto Map


The Crypto map is the last step of our setup and connects the previously defined ISAKMP and IPSec
configuration together:

crypto map MYMAP 100 ipsec-isakmp


match address VPN_Networks
set peer 10.1.24.4
set pfs group2
set transform-set TS1
exit

We've named our crypto map MYMAP. The ipsec-isakmp keyword tells the router that IKE (ISAKMP) will
negotiate the IPsec SAs for this crypto map entry rather than using manual keys.

Apply Crypto Map to the Public Interface

int S1/0
crypto map MYMAP

R4

ip route 12.12.12.12 255.255.255.255 10.1.24.2
ip route 22.22.22.22 255.255.255.255 10.1.24.2

crypto isakmp enable

crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
lifetime 86400
exit

crypto isakmp key 0 Cbtme address 10.1.24.2 255.255.255.255

ip access-list extended VPN_Networks
permit ip host 4.4.4.4 host 12.12.12.12
permit icmp host 4.4.4.4 host 12.12.12.12
exit

crypto ipsec transform-set TS1 esp-aes esp-sha-hmac
mode tunnel
exit
crypto ipsec security-association lifetime seconds 86400

crypto map MYMAP 100 ipsec-isakmp
match address VPN_Networks
set peer 10.1.24.2
set pfs group2
set transform-set TS1
exit

int S1/1
crypto map MYMAP

Verification:

As we can see, the IPsec tunnel is down until it is triggered: a ping to 12.12.12.12 sourced from 4.4.4.4
matches the crypto ACL we created, the tunnel comes up and the ping traffic is sent and received
encrypted. Your friend command here is show crypto session; show crypto ipsec sa shows the
encaps/decaps counters incrementing, and show crypto isakmp sa should show the phase 1 SA in QM_IDLE.
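The check a practitioner runs before the ping is that the two crypto ACLs mirror each other. The following Python is an added example (not from the workbook) that parses the `permit` lines of both peers' ACLs and reports entries with no mirrored counterpart; R2_ACL and R4_ACL are the workbook's ACLs, R4_ACL_BAD is a constructed misconfiguration.

```python
"""Added example: verify that two IPsec peers' crypto ACLs are mirror images.

Parses only the forms used in crypto ACLs: 'permit <proto> <src> <dst>' where
each address is 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""


def _addr_spec(tokens, i):
    """Parse one address spec starting at tokens[i]; return ((addr, wildcard), next_index)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_crypto_acl(text):
    """Return a list of (protocol, source_spec, destination_spec) tuples."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "permit":
            continue  # skips the 'ip access-list' header, 'exit', blank lines
        proto = tokens[1]
        src, i = _addr_spec(tokens, 2)
        dst, _ = _addr_spec(tokens, i)
        entries.append((proto, src, dst))
    return entries


def mirror_problems(local_text, remote_text):
    """List entries on either side whose mirror (same protocol, src/dst swapped) is missing."""
    local = parse_crypto_acl(local_text)
    remote = parse_crypto_acl(remote_text)
    local_set, remote_set = set(local), set(remote)
    problems = []
    for proto, src, dst in local:
        if (proto, dst, src) not in remote_set:
            problems.append("local %s %s -> %s has no mirror on the remote peer" % (proto, src[0], dst[0]))
    for proto, src, dst in remote:
        if (proto, dst, src) not in local_set:
            problems.append("remote %s %s -> %s has no mirror on the local peer" % (proto, src[0], dst[0]))
    return problems


R2_ACL = """
ip access-list extended VPN_Networks
 permit ip host 12.12.12.12 host 4.4.4.4
 permit icmp host 12.12.12.12 host 4.4.4.4
"""
R4_ACL = """
ip access-list extended VPN_Networks
 permit ip host 4.4.4.4 host 12.12.12.12
 permit icmp host 4.4.4.4 host 12.12.12.12
"""
# Constructed mistake: R4 protects the whole 4.4.4.0/24 instead of the single loopback host.
R4_ACL_BAD = """
ip access-list extended VPN_Networks
 permit ip 4.4.4.0 0.0.0.255 host 12.12.12.12
"""

if __name__ == "__main__":
    print("R2 vs R4:", mirror_problems(R2_ACL, R4_ACL) or "mirrored")
    for p in mirror_problems(R2_ACL, R4_ACL_BAD):
        print("R2 vs bad R4:", p)
```

Run it against the ACL text pulled from `show running-config | section access-list` on each peer before you debug IKE; a non-empty list is the proxy-identity mismatch you would otherwise chase in `debug crypto ipsec`.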

EIGRP named mode

R4 will run classic EIGRP commands (the ones we normally type).
R4
key chain cisco
key 1
key-string cbtme

router eigrp 101
no auto-summary
eigrp router-id 0.0.0.4
network 10.1.14.4 0.0.0.0
network 10.1.24.4 0.0.0.0
passive-interface s1/1

int s1/0
ip authentication mode eigrp 101 md5
ip authentication key-chain eigrp 101 cisco

ipv6 unicast-routing
ipv6 router eigrp 101
router-id 0.0.0.4
no shutdown
(older IOS releases start the IPv6 EIGRP process in shutdown; the command is harmless elsewhere)

int s1/0
ipv6 add 2001:10:1:14::4/64
ipv6 eigrp 101
ipv6 authentication mode eigrp 101 md5
ipv6 authentication key-chain eigrp 101 cisco
(the task applies the same requirements to IPv6, so the MD5 authentication is needed here too)

int loop0
ipv6 add 2001:4:4:4::4/128
ipv6 eigrp 101

When you finish typing these commands, notice in show run that the EIGRP commands are not in one
place: some are under the EIGRP section, others under the interfaces themselves, which makes future
troubleshooting harder.

R1 will run EIGRP named mode, where one name represents all our EIGRP configuration, IPv4 and
IPv6, for the global RIB or for VRFs, using the address-family concept familiar from BGP. In EIGRP
named mode auto-summary is disabled by default.

R1
key chain cisco
key 1
key-string cbtme

router eigrp Yasser
no shutdown
address-family ipv4 unicast autonomous-system 101
network 10.1.14.1 0.0.0.0
network 1.1.1.1 0.0.0.0
(R1 has no loop 0 in the addressing table; loop 1, 1.1.1.1/32, is used for the "advertise its own
loopback" requirement)
topology base
redistribute ospf 100 metric 1000 100 255 1 1500
exit-af-topology
af-interface default
passive-interface
exit-af-interface
af-interface serial 1/0
no passive-interface
authentication mode md5
authentication key-chain cisco
exit-af-interface
exit-address-family

ipv6 unicast-routing

int s1/0
ipv6 add 2001:10:1:14::1/64
int loop 0
ipv6 add 2001:1:1:1::1/128

router eigrp Yasser
(the process name is case-sensitive: typing "yasser" here would create a second, empty process)
address-family ipv6 unicast autonomous-system 101
(no network statements are needed; the IPv6 address family runs on every IPv6-enabled interface by
default)
af-interface default
passive-interface
exit-af-interface
af-interface serial 1/0
no passive-interface
authentication mode md5
authentication key-chain cisco
exit-af-interface
af-interface serial 1/1
shutdown
exit-af-interface
exit-address-family

Notice that all our configuration is now in one place in the running configuration.
In EIGRP Named Mode we have four address families available
For IPv4:
R2(config-router)#address-family ipv4 unicast autonomous-system 1

For IPv4 VRF:


R2(config-router)#address-family ipv4 unicast vrf Customer_A autonomous-system 1

For IPv6:
R2(config-router)#address-family ipv6 unicast autonomous-system 1

For IPv6 VRF


R2(config-router)#address-family ipv6 unicast vrf site_A autonomous-system 1

A) Address-family configuration mode:
In this mode you configure networks, EIGRP neighbors, the EIGRP router-id, metrics, etc. From this
mode you reach the other two configuration modes used in EIGRP named configuration.

R2(config-router)#address-family ipv4 unicast autonomous-system 1


R2(config-router-af)#?

Address Family configuration commands:

af-interface Enter Address Family interface configuration

default Set a command to its defaults

eigrp EIGRP Address Family specific commands

exit-address-family Exit Address Family configuration mode

help Description of the interactive help system

maximum-prefix Maximum number of prefixes acceptable in aggregate

metric Modify metrics and parameters for address advertisement

neighbor Specify an IPv4 neighbor router

network Enable routing on an IP network

no Negate a command or set its defaults

shutdown Shutdown address family

timers Adjust peering based timers

topology Topology configuration mode

R2(config-router-af)#

B) Address-family interface configuration mode:


This mode takes all the interface specific commands that were previously configured on an actual
interface (logical or physical) and moves them into the EIGRP configuration. EIGRP authentication,
Bandwidth-percentage, split-horizon, and summary-address configuration are some of the options that
are now configured here instead of in interface configuration mode.

R2(config-router-af)#af-interface fa0/0
R2(config-router-af-interface)#?

Address Family Interfaces configuration commands:

authentication authentication subcommands

bandwidth-percent Set percentage of bandwidth percentage limit

bfd Enable Bidirectional Forwarding Detection

dampening-change Percent interface metric must change to cause update

dampening-interval Time in seconds to check interface metrics

default Set a command to its defaults

exit-af-interface Exit from Address Family Interface configuration mode

hello-interval Configures hello interval

hold-time Configures hold time

next-hop-self Configures EIGRP next-hop-self

no Negate a command or set its defaults

passive-interface Suppress address updates on an interface

shutdown Disable Address-Family on interface

split-horizon Perform split horizon

summary-address Perform address summarization

R2(config-router-af-interface)#

In the traditional configuration, running EIGRP on all interfaces is done with the "network 0.0.0.0
0.0.0.0" command. Here "af-interface default" is the equivalent for interface-level settings: whatever is
configured under it applies to every interface in the address family (the network statement is still
what enables EIGRP on an interface).

R2(config-router-af)#af-interface default

R2(config-router-af-interface)#

C) Address-family topology configuration mode:

This mode provides several options that operate on the EIGRP topology table: redistribution, distance,
offset-lists, variance, etc. To enter it, go back to address-family configuration mode:

R2(config-router-af-interface)#exit
R2(config-router-af)#topology base
R2(config-router-af-topology)#?

Address Family Topology configuration commands:

auto-summary Enable automatic network number summarization

default Set a command to its defaults

default-information Control distribution of default information

default-metric Set metric of redistributed routes

distance Define an administrative distance

distribute-list Filter entries in eigrp updates

eigrp EIGRP specific commands

exit-af-topology Exit from Address Family Topology configuration mode

fast-reroute Configure Fast-Reroute

maximum-paths Forward packets over multiple paths

metric Modify metrics and parameters for advertisement

no Negate a command or set its defaults

offset-list Add or subtract offset from EIGRP metrics

redistribute Redistribute IPv4 routes from another routing protocol

snmp Modify snmp parameters

summary-metric Specify summary to apply metric/filtering

timers Adjust topology specific timers

traffic-share How to compute traffic share over alternate paths

variance Control load balancing variance

R2(config-router-af-topology)#

OSPF BFD Task
R1
router ospf 100
router-id 0.0.0.1
network 10.1.15.1 0.0.0.0 area 0
network 11.11.11.11 0.0.0.0 area 0
(11.11.11.11 is R1 loop 2 in the addressing table while the task says loop 1; pick the loopback your
topology assigns to this task)
redistribute eigrp 101 subnets
(required by the task; without `subnets` only classful networks would be redistributed)
bfd all-interfaces

int s1/1
bfd interval 50 min_rx 50 multiplier 5
(bfd interval milliseconds min_rx milliseconds multiplier interval-multiplier)

int s1/0
ip ospf bfd disable
(`bfd all-interfaces` only registers OSPF-enabled interfaces with BFD, so this disable is belt and
braces; the per-interface `ip ospf bfd` used on R5 below is the more precise alternative)

R5
router ospf 100
router-id 0.0.0.5
network 10.1.15.5 0.0.0.0 area 0

int s1/0
ip ospf bfd
bfd interval 50 min_rx 50 multiplier 5

Your friend commands are: show bfd neighbors [details], show bfd drops, show bfd summary.

BFD (Bidirectional Forwarding Detection) is defined in RFC 5880.


BFD for one-hop IPv4/IPv6 is defined in RFC 5881.
BFD for multi-hop is defined in RFC 5883.
BFD for MPLS LSPs is defined in RFC 5884

BFD provides a better way to check neighbor availability than routing-protocol hello messages.
It does not replace the hellos; it adds a lightweight keepalive exchange with the neighbor at
millisecond intervals and notifies the registered protocols (OSPF here) when the peer is lost.

BFD modes

- Asynchronous mode: BFD control packets are sent continuously and periodically.
- Demand mode: BFD control packets are sent only when one side asks for them.

The echo function (a stream of echo packets that the peer loops back through its forwarding plane)
can be used with either mode.

Cisco supports asynchronous mode and the echo function by default.

BFD control packets are carried in UDP:

- destination port 3784
- source port from the range 49152-65535

Echo packets are also carried in UDP:

- destination port 3785
- source port 3785

BFD control packets are always sent as unicast packets to the BFD peer.

The encapsulation of BFD Control packets for multihop application in IPv4 and IPv6 is identical
to that above, except that the UDP destination port is 4784.

Each system reports in the BFD Control packet how rapidly it would like to transmit BFD
packets, as well as how rapidly it is prepared to receive them. This allows either system to
determine the max packet rate (minimum interval) in both directions.
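To make the last paragraph concrete, here is an added Python example (not from the workbook) that builds and parses the mandatory section of an RFC 5880 BFD control packet and derives, from two peers' advertised values, the transmit interval each side uses and the resulting detection time. The two packets are constructed to match the workbook's `bfd interval 50 min_rx 50 multiplier 5` on R1 and R5; the port constants are the ones listed above.

```python
"""Added example: RFC 5880 BFD control packet build/parse and interval negotiation."""
import struct

BFD_CONTROL_PORT = 3784
BFD_ECHO_PORT = 3785
BFD_MULTIHOP_PORT = 4784
SOURCE_PORT_RANGE = range(49152, 65536)   # RFC 5881: single-hop control packets use an ephemeral source port
HEADER = struct.Struct("!BBBBIIIII")      # mandatory section, 24 bytes, no authentication section
STATE = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}


def build_control(my_disc, your_disc, state, detect_mult, min_tx_us, min_rx_us, echo_rx_us=0, diag=0):
    """Pack a version 1 control packet; all flag bits (P, F, C, A, D, M) left clear."""
    byte0 = (1 << 5) | (diag & 0x1F)     # Vers(3) | Diag(5)
    byte1 = (state & 0x3) << 6           # Sta(2) | flags(6)
    return HEADER.pack(byte0, byte1, detect_mult, HEADER.size,
                       my_disc, your_disc, min_tx_us, min_rx_us, echo_rx_us)


def parse_control(pkt):
    """Unpack the mandatory section; raise ValueError on a non-BFDv1 or truncated packet."""
    byte0, byte1, detect_mult, length, my_disc, your_disc, tx, rx, echo = HEADER.unpack_from(pkt)
    if byte0 >> 5 != 1 or length < HEADER.size or length > len(pkt):
        raise ValueError("not a valid BFD version 1 control packet")
    return {
        "diag": byte0 & 0x1F,
        "state": STATE[byte1 >> 6],
        "detect_mult": detect_mult,
        "my_disc": my_disc,
        "your_disc": your_disc,
        "desired_min_tx_us": tx,
        "required_min_rx_us": rx,
        "required_min_echo_rx_us": echo,
    }


def negotiate(local, remote):
    """Asynchronous mode, RFC 5880 sections 6.8.7 and 6.8.4.

    Returns (local transmit interval, local detection time), both in microseconds:
    we send no faster than the peer can receive, and we declare the peer down after
    its Detect Mult of its own agreed transmit intervals have passed without a packet."""
    tx_interval = max(local["desired_min_tx_us"], remote["required_min_rx_us"])
    detection_time = remote["detect_mult"] * max(local["required_min_rx_us"], remote["desired_min_tx_us"])
    return tx_interval, detection_time


def valid_control_ports(src_port, dst_port, multihop=False):
    """Port sanity check a capture filter or IDS rule would apply to BFD control traffic."""
    expected_dst = BFD_MULTIHOP_PORT if multihop else BFD_CONTROL_PORT
    return src_port in SOURCE_PORT_RANGE and dst_port == expected_dst


# Constructed exchange: R1 and R5 both run interval 50 ms, min_rx 50 ms, multiplier 5.
R1_PKT = build_control(my_disc=1, your_disc=5, state=3, detect_mult=5, min_tx_us=50_000, min_rx_us=50_000)
R5_PKT = build_control(my_disc=5, your_disc=1, state=3, detect_mult=5, min_tx_us=50_000, min_rx_us=50_000)

if __name__ == "__main__":
    r1, r5 = parse_control(R1_PKT), parse_control(R5_PKT)
    tx, detect = negotiate(r1, r5)
    print("R1 sends every %d ms, declares R5 down after %d ms" % (tx // 1000, detect // 1000))
```

If one side is reconfigured to `min_rx 200`, `negotiate()` shows the other side slowing to 200 ms and the detection time growing to one second, which is exactly the asymmetry `show bfd neighbors details` reports as the negotiated TX/RX intervals.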

EPC Task

R5
config t
ip access-list extended 101
permit icmp any any
permit ip any any
exit

monitor capture buffer MYBUFFER size 2048 max-size 1518 circular
monitor capture buffer MYBUFFER filter access-list 101
monitor capture buffer MYBUFFER limit duration 900

monitor capture point ip cef MYPOINT serial 1/0 both
monitor capture point associate MYPOINT MYBUFFER
monitor capture point start MYPOINT

(after the 900 seconds, or after `monitor capture point stop MYPOINT`, export the buffer)
monitor capture buffer MYBUFFER export tftp://10.1.34.100/capture.pcap

Notes: `permit ip any any` already matches ICMP, and s1/0 only carries the R5-R1 link, so the ACL
satisfies the task; `show monitor capture buffer MYBUFFER dump` lets you inspect the buffer on the
router. TFTP is unauthenticated and unencrypted, and the file holds every packet that crossed the
link (OSPF, BFD and any clear-text traffic), so treat the export as sensitive.
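Once the file is on the TFTP server you do not need Wireshark to answer the task's question, "what did R5 capture between itself and R1?". The following Python is an added example (not from the workbook): a minimal pcap writer and reader. The sample capture is constructed in memory with LINKTYPE_RAW (101, bare IPv4 packets); a real EPC export carries whatever link type the platform writes in its header, which the reader reads rather than assumes, and the 1518-byte element size of MYBUFFER is modelled as the pcap snaplen.

```python
"""Added example: read a pcap export and summarize the R5 <-> R1 conversation in it."""
import socket
import struct

LINKTYPE_RAW = 101          # raw IPv4/IPv6 packets with no link-layer header
PCAP_MAGIC = 0xA1B2C3D4
R5, R1 = "10.1.15.5", "10.1.15.1"


def ipv4_packet(src, dst, proto, payload):
    """Minimal IPv4 header (checksum left zero; these packets are never transmitted)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def write_pcap(packets, snaplen=1518):
    """packets: iterable of (timestamp_seconds, bytes). Frames longer than snaplen are truncated."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_RAW)]
    for ts, pkt in packets:
        captured = pkt[:snaplen]
        out.append(struct.pack("<IIII", ts, 0, len(captured), len(pkt)) + captured)
    return b"".join(out)


def read_pcap(data):
    """Return (linktype, [(timestamp, captured_bytes, original_length), ...])."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = "<" if magic == PCAP_MAGIC else ">"       # byte order is whatever the writer used
    linktype = struct.unpack_from(endian + "IHHiIII", data, 0)[6]
    records, offset = [], 24
    while offset < len(data):
        ts, _, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        records.append((ts, data[offset:offset + incl_len], orig_len))
        offset += incl_len
    return linktype, records


def summarize(data, host_a, host_b):
    """Count ICMP / other IP packets between host_a and host_b, plus truncated and unrelated ones."""
    linktype, records = read_pcap(data)
    if linktype != LINKTYPE_RAW:
        raise ValueError("this reader only decodes raw IPv4 captures, got linktype %d" % linktype)
    stats = {"icmp": 0, "other_ip": 0, "not_this_pair": 0, "truncated": 0}
    for _, pkt, orig_len in records:
        if len(pkt) < orig_len:
            stats["truncated"] += 1          # hit the 1518-byte element size
        src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
        if {src, dst} != {host_a, host_b}:
            stats["not_this_pair"] += 1
            continue
        stats["icmp" if pkt[9] == 1 else "other_ip"] += 1
    return stats


# Constructed capture: an echo request/reply pair, a TCP segment, a 1600-byte ICMP packet that
# exceeds the element size, and one packet to a third host that the ACL also let through.
ECHO_REQUEST = bytes([8, 0, 0, 0, 0, 1, 0, 1]) + b"x" * 56
ECHO_REPLY = bytes([0, 0, 0, 0, 0, 1, 0, 1]) + b"x" * 56
SAMPLE_CAPTURE = write_pcap([
    (1700000000, ipv4_packet(R5, R1, 1, ECHO_REQUEST)),
    (1700000000, ipv4_packet(R1, R5, 1, ECHO_REPLY)),
    (1700000001, ipv4_packet(R5, R1, 6, b"\x00" * 20)),
    (1700000002, ipv4_packet(R5, R1, 1, bytes([8, 0, 0, 0, 0, 2, 0, 1]) + b"y" * 1572)),
    (1700000003, ipv4_packet(R5, "3.3.3.3", 1, ECHO_REQUEST)),
])

if __name__ == "__main__":
    print(summarize(SAMPLE_CAPTURE, R5, R1))
```

The `truncated` counter is the one to watch when sizing `max-size`: a count above zero means the buffer kept headers but dropped payload, which is fine for a connectivity check and useless for reassembling application data.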

DMVPN Task

R5 HUB
int loop 0
ip add 192.168.1.1 255.255.255.0
int e0/0
ip add 1.1.1.10 255.255.255.0
no sh

int tunnel 0
ip add 172.16.0.1 255.255.255.0
no ip redirects
tunnel source 1.1.1.10
tunnel mode gre multipoint
ip nhrp authentication cbtme
ip nhrp map multicast dynamic
ip nhrp network-id 1

tunnel mode gre multipoint


Note the absence of the tunnel destination command. It is replaced by tunnel mode gre multipoint,
which makes this a multipoint GRE tunnel.

ip nhrp map multicast dynamic


enables the forwarding of multicast traffic across the tunnel to dynamic spokes. This is usually required
by routing protocols such as OSPF and EIGRP. In most cases, DMVPN is accompanied by a routing
protocol to send and receive dynamic updates about the private networks.

ip nhrp network-id 1
used to identify this DMVPN cloud. All routers participating in this DMVPN cloud must have the same
network-id configured in order for tunnels to form between them.

ip nhrp authentication
makes the hub and spokes accept NHRP registrations and queries only from peers configured with the
same string, so a mis-joined or unwanted router learns nothing about the DMVPN network. The string
travels in clear text inside NHRP, so it is a configuration guard, not a cryptographic control; the IPsec
tunnel protection added below provides that.

R2 SPOKE
int loop 0
ip add 192.168.2.1 255.255.255.0
int e0/0
ip add 2.2.2.10 255.255.255.0
no sh

int tunnel 0
ip add 172.16.0.2 255.255.255.0
no ip redirects
tunnel source e0/0
tunnel mode gre multipoint
ip nhrp authentication cbtme
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp map 172.16.0.1 1.1.1.10
ip nhrp map multicast 1.1.1.10
ip nhrp nhs 172.16.0.1

R3 SPOKE
int loop 0
ip add 192.168.3.1 255.255.255.0
int e0/0
ip add 3.3.3.10 255.255.255.0
no sh

int tunnel 0
ip add 172.16.0.3 255.255.255.0
no ip redirects
tunnel source e0/0
tunnel mode gre multipoint
ip nhrp authentication cbtme
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp map 172.16.0.1 1.1.1.10
ip nhrp map multicast 1.1.1.10
ip nhrp nhs 172.16.0.1

ip nhrp nhs 172.16.0.1


tells our spoke router who the Next Hop Server (NHS) is, while the ip nhrp map 172.16.0.1 1.1.1.10
command maps the NHS tunnel address (172.16.0.1) to the hub's (R5) public IP address (1.1.1.10).

ip nhrp map multicast 1.1.1.10


maps multicast (routing-protocol hellos, for example) to the hub's public address only, so spokes send
multicast to the hub and never directly to other spokes. The hub receives it, processes it and then sends
updates out to the spokes.

tunnel source Ethernet0/0

Spokes with a dynamic WAN IP address must bind the physical WAN interface, not an address, as the
tunnel source. That way, when the spoke's WAN IP changes, the spoke can re-register with the NHS
using its new WAN address.

Note: in R2's and R3's configuration the WAN interface Ethernet0/0 has a static address, but for the
sake of this example assume it was assigned dynamically by the ISP.
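The behaviour the spoke commands above rely on is worth seeing end to end. The following Python is an added example (not from the workbook): a small model of the NHRP exchange in which spokes statically know only the hub, register their own tunnel-to-public-address binding with it, and learn other spokes' public addresses by asking it. Registrations and resolution requests with a different network-id or authentication string are dropped, which is what `ip nhrp network-id` and `ip nhrp authentication` enforce. Addresses and bindings are the workbook's; the rogue spoke is constructed.

```python
"""Added example: NHRP registration, resolution and multicast replication in a DMVPN cloud."""


class NextHopServer:
    """The hub: keeps the dynamically learned tunnel-IP -> NBMA (public IP) cache."""

    def __init__(self, network_id, auth):
        self.network_id = network_id
        self.auth = auth
        self.cache = {}

    def _accepts(self, network_id, auth):
        return network_id == self.network_id and auth == self.auth

    def register(self, network_id, auth, tunnel_ip, nbma_ip):
        """Registration Request from a spoke; True if it was accepted and cached."""
        if not self._accepts(network_id, auth):
            return False
        self.cache[tunnel_ip] = nbma_ip
        return True

    def resolve(self, network_id, auth, tunnel_ip):
        """Resolution Request: which public address hides behind this tunnel IP?"""
        if not self._accepts(network_id, auth):
            return None
        return self.cache.get(tunnel_ip)

    def multicast_targets(self):
        """'ip nhrp map multicast dynamic': replicate to every registered spoke."""
        return sorted(self.cache.values())


class Spoke:
    def __init__(self, tunnel_ip, nbma_ip, network_id, auth, nhs_tunnel_ip, nhs_nbma_ip):
        self.tunnel_ip, self.nbma_ip = tunnel_ip, nbma_ip
        self.network_id, self.auth = network_id, auth
        # 'ip nhrp map <nhs tunnel ip> <hub public ip>' is the only static entry a spoke has.
        self.cache = {nhs_tunnel_ip: nhs_nbma_ip}
        # 'ip nhrp map multicast <hub public ip>': multicast goes to the hub only.
        self.multicast_targets = [nhs_nbma_ip]

    def register_with(self, nhs):
        return nhs.register(self.network_id, self.auth, self.tunnel_ip, self.nbma_ip)

    def next_hop_nbma(self, nhs, dst_tunnel_ip):
        """Public address to send GRE to for dst_tunnel_ip: cached, else ask the NHS and cache it."""
        if dst_tunnel_ip in self.cache:
            return self.cache[dst_tunnel_ip]
        nbma = nhs.resolve(self.network_id, self.auth, dst_tunnel_ip)
        if nbma is not None:
            self.cache[dst_tunnel_ip] = nbma      # a direct spoke-to-spoke tunnel is now possible
        return nbma


def build_lab():
    """The workbook's cloud: R5 as NHS, R2 and R3 as spokes, network-id 1, authentication cbtme."""
    hub = NextHopServer(network_id=1, auth="cbtme")
    r2 = Spoke("172.16.0.2", "2.2.2.10", 1, "cbtme", "172.16.0.1", "1.1.1.10")
    r3 = Spoke("172.16.0.3", "3.3.3.10", 1, "cbtme", "172.16.0.1", "1.1.1.10")
    for spoke in (r2, r3):
        spoke.register_with(hub)
    return hub, r2, r3


if __name__ == "__main__":
    hub, r2, r3 = build_lab()
    print("R3 reaches 172.16.0.2 via", r3.next_hop_nbma(hub, "172.16.0.2"))
    print("hub replicates multicast to", hub.multicast_targets())
    rogue = Spoke("172.16.0.9", "9.9.9.9", 1, "wrong-string", "172.16.0.1", "1.1.1.10")
    print("rogue registered:", rogue.register_with(hub))
```

The first call to `r3.next_hop_nbma(hub, "172.16.0.2")` is the moment `show dmvpn` on R3 gains a dynamic entry for R2; before it, R3 could only send to R2 through the hub.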

Now let's secure our DMVPN with IPsec.

Because the spokes may have dynamic public addresses, the pre-shared key is bound to address 0.0.0.0
0.0.0.0: any peer that knows the key can authenticate, so keep it strong and consider certificates (or
IKEv2) in production. The 3DES/MD5 algorithms below are legacy choices kept from the lab source; use
AES and SHA-2 outside the lab.
R5 (hub)
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 86400
!
crypto isakmp key firewall.cx address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS
!
interface Tunnel 0
tunnel protection ipsec profile protect-gre

R2/R3
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 86400
!
crypto isakmp key firewall.cx address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS
!
interface Tunnel 0
tunnel protection ipsec profile protect-gre

Now let's create the routing for the internal networks on all of our routers (static routes here; a
routing protocol over the tunnel is the usual alternative):
On the R5 hub router:
ip route 192.168.2.0 255.255.255.0 172.16.0.2
ip route 192.168.3.0 255.255.255.0 172.16.0.3
On R2 spoke router:
ip route 192.168.1.0 255.255.255.0 172.16.0.1
ip route 192.168.3.0 255.255.255.0 172.16.0.3
On R3 spoke router:
ip route 192.168.1.0 255.255.255.0 172.16.0.1
ip route 192.168.2.0 255.255.255.0 172.16.0.2

Your friend command here is show dmvpn. Notice that once we ping R2's loop 0 from R3, a dynamic
spoke-to-spoke mGRE tunnel is created and shown in the show dmvpn output, and your crypto sessions
are up: one to the hub and one to the spoke you are communicating with, R2 in our case.

Soon Lab2 will be added covering Tasks for :
-GRE with IPsec Tunnel
- GRE with IPsec Tunnel VTI
-IPv6 FHS

CCIEv5 New Topics Resources:

EPC

https://supportforums.cisco.com/document/139686/configuration-example-embedded-packet-capture-cisco-ios-and-ios-xe

http://www.cisco.com/c/en/us/products/ios-nx-os-software/ios-embedded-packet-capture/index.html

BFD

https://supportforums.cisco.com/video/12061606/bfd-configuration-troubleshooting-cisco-ios-and-xr-routers

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bfd/configuration/12-4t/irb-12-4t-book/Bidirectional_Forwarding_Detection.html

EIGRP Named Mode

https://supportforums.cisco.com/blog/11939146/glimpse-eigrp-name-mode-configuration

http://www.cisco.com/c/dam/en/us/products/collateral/ios-nx-os-software/enhanced-interior-gateway-routing-protocol-eigrp/Advances_In_EIGRP.pdf

Video from IPexpert:

http://www.youtube.com/watch?v=XsV6Rq8eiJ0

GRE with ipsec

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/868-cisco-router-gre-ipsec.html

VPN site to site

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html

DMVPN

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-services-tech/896-cisco-dmvpn-intro.html

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/901-cisco-router-dmvpn-configuration.html

http://blog.ine.com/2008/08/02/dmvpn-explained/

Videos from INE:

http://www.youtube.com/watch?v=CIWcYSClbio

http://www.youtube.com/watch?v=DA9K0eGG17E

IPV6 FHS

http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/whitepaper_c11-602135.html

http://blog.ipspace.net/2013/07/first-hop-ipv6-security-features-in.html

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/15-2s/ipv6-15-2s-book/ip6-first-hop-security.html

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/15-s/ip6f-15-s-book.pdf

Videos from INE:

http://www.youtube.com/watch?v=Zv-stl5kRnI

http://www.youtube.com/watch?v=UtsHZmb1CYc

http://www.youtube.com/watch?v=goHublIvV-8

Good Luck
CCSI: Yasser Auda
https://www.facebook.com/YasserRamzyAuda
https://learningnetwork.cisco.com/people/yasser.r.a?view=documents
https://www.youtube.com/user/yasserramzyauda
