K7 solutions used to pass For certcollection users only by SanjanaIE

BGP Diagram

Physical Connectivity

Switching Topology

Section 1 : Layer 2 Technologies
1.1 Troubleshoot Layer 2 Switch
A few faults have been injected into the preconfigurations just described. These issues may impede a
working solution for certain portions of this lab exam, and they can affect any lab section.
You must verify that all of your configurations work as expected. If something is not working as
expected, then you must fix the underlying problem. Points will be awarded for solving each
problem. However, if you fail to solve a particular problem and the injected fault prevents you from
having a working solution for this lab, then you will lose points for both the fault and the scenario that
is not working.

Solution
Faults
1. Guard root on SW1 trunk ports
   interface range f0/19 - 24
   no spanning-tree guard root
2. DHCP snooping / ARP inspection on VLAN 17 on SW2
   no ip dhcp snooping vlan 17
   no ip arp inspection vlan 17
3. Portfast trunk on SW4 trunk interfaces
   interface range f0/19 - 24
   no spanning-tree portfast
4. Root guard on the interfaces connected to the backbone
   On SW1 and SW3:
   interface f0/10
   no spanning-tree guard root
5. VTP version, domain name and password differences
   (The VTP version should be 2; adjust the domain name and password according to the test information.)

Two preconfigured SVIs, VLAN 71 and VLAN 92, were up, but there were no access ports configured
for them, so I didn't touch them.
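The five faults above are all visible in the running configuration, so they can be found with a small config audit instead of by hand. The script below is an added example and is not part of the K7 document: it splits IOS-style "show running-config" text into global commands and per-interface blocks and flags each fault pattern the solution removes. The sample configuration is constructed for the demonstration, and the assumption that the backbone-facing port is FastEthernet0/10 comes from fault 4 above.

```python
"""Config audit for the injected Layer 2 faults listed above (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample config: root guard and portfast on a trunk, DHCP snooping
# and ARP inspection on VLAN 17, root guard on the backbone port, VTP version 1.
SAMPLE_CONFIG = """\
vtp domain CCIE
vtp version 1
ip dhcp snooping vlan 17
ip arp inspection vlan 17
interface FastEthernet0/10
 switchport access vlan 100
 switchport mode access
 spanning-tree guard root
interface FastEthernet0/19
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree guard root
 spanning-tree portfast trunk
interface FastEthernet0/20
 switchport trunk encapsulation dot1q
 switchport mode trunk
interface Vlan17
 ip address 10.10.17.7 255.255.255.0
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split config text into global commands and {interface: [sub-commands]}."""
    global_cmds: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())   # indented = sub-command
        else:
            current = None                             # back to global mode
            global_cmds.append(line.strip())
    return global_cmds, interfaces


def audit(text: str, expected_vtp_version: int = 2,
          backbone_ports=("FastEthernet0/10",)) -> List[str]:
    """Return one finding per injected-fault pattern present in the config."""
    global_cmds, interfaces = parse_config(text)
    findings: List[str] = []
    for cmd in global_cmds:
        if re.match(r"ip (dhcp snooping|arp inspection) vlan ", cmd):
            findings.append(f"global: '{cmd}' (fault 2)")
        m = re.match(r"vtp version (\d+)", cmd)
        if m and int(m.group(1)) != expected_vtp_version:
            findings.append(f"global: vtp version {m.group(1)} != {expected_vtp_version} (fault 5)")
    for name, cmds in interfaces.items():
        is_trunk = "switchport mode trunk" in cmds
        if is_trunk and "spanning-tree guard root" in cmds:
            findings.append(f"{name}: root guard on trunk (fault 1)")
        if is_trunk and any(c.startswith("spanning-tree portfast") for c in cmds):
            findings.append(f"{name}: portfast on trunk (fault 3)")
        if name in backbone_ports and "spanning-tree guard root" in cmds:
            findings.append(f"{name}: root guard on backbone-facing port (fault 4)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Paste the output of "show running-config" from each switch into the text and the findings list tells you which of the five faults are still present; an empty list means the preconfiguration is clean with respect to these patterns.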
1.2 VLAN and Access-Ports
Configure all of the appropriate non-trunking switch ports on all switches according to the
following requirements:

The VTP domain is set to "CCIE" and the VTP password is set to "cisco".
VTP mode on all switches should be configured as transparent mode.
Configure the VLAN ID and name according to the table below (case sensitive).
Configure the access ports for each VLAN as per the diagram.

VLAN   Name                Location
17     VLAN_17_R1-SW2      Between R1 & SW2
29     VLAN_29_R2-SW4      Between R2 & SW4
34     VLAN_34             Between R3 & R4
38     VLAN_38_R3-SW3      Between R3 & SW3
45     VLAN_45             Between R4 & R5
56     VLAN_56_R5-SW1      Between R5 & SW1
67     VLAN_67_SW1-SW2     SVI between SW1 & SW2
89     VLAN_89_SW3-SW4     SVI between SW3 & SW4
100    VLAN_BB1            Between R1 & BB1
200    VLAN_BB2            Between R2 & BB2
300    VLAN_BB3            Between SW3 & BB3
333    VLAN_CUSTOMER       Customer VLAN
500    VLAN_USERS          User VLAN
666    VLAN_CARRIER        Carrier VLAN
999    VLAN_NATIVE         Unused ports VLAN
NOTE

1. SW1 (or any other switch) has been pre-configured with the needed VLANs.
2. It is better to check the switchport trunking question (1.4) at this point, as that will help
populate the switches just by setting the VTP domain name and password right.
3. Make sure the VLANs have spread across the switches before setting them to transparent, to save
time.
4. Cross-check the VLAN names against the provided table.
Solution

On all switches
vtp domain CCIE
vtp mode transparent
vtp password cisco
vtp version 2
vlan 17
name VLAN_17_R1-SW2
vlan 29
name VLAN_29_R2-SW4
vlan 34
name VLAN_34
vlan 38
name VLAN_38_R3-SW3
vlan 45
name VLAN_45
vlan 56
name VLAN_56_R5-SW1
vlan 67
name VLAN_67_SW1-SW2
vlan 89
name VLAN_89_SW3-SW4
vlan 100
name VLAN_BB1
vlan 200
name VLAN_BB2
vlan 300
name VLAN_BB3
vlan 333
name VLAN_CUSTOMER
vlan 500
name VLAN_USERS
vlan 666
name VLAN_CARRIER
vlan 999
name VLAN_NATIVE
On SW1
interface FastEthernet0/1
switchport access vlan 17
switchport mode access
!

interface FastEthernet0/2
switchport access vlan 200
switchport mode access
!
interface FastEthernet0/3
switchport access vlan 34
switchport mode access
!
interface FastEthernet0/4
switchport access vlan 45
switchport mode access
!
interface FastEthernet0/5
switchport access vlan 56
switchport mode access
!
interface FastEthernet0/10
switchport access vlan 100
switchport mode access
!
interface Vlan56
ip address YY.YY.56.6 255.255.255.0
!
interface Vlan67
ip address YY.YY.67.6 255.255.255.0
On SW2
interface FastEthernet0/1
switchport access vlan 100
switchport mode access
!
interface FastEthernet0/2
switchport access vlan 29
switchport mode access
!
interface FastEthernet0/3
switchport access vlan 38
switchport mode access
!
interface FastEthernet0/4
switchport access vlan 34
switchport mode access
!
interface FastEthernet0/5
switchport access vlan 45
switchport mode access
!
interface FastEthernet0/10
switchport access vlan 200
switchport mode access
!
interface Vlan17
ip address YY.YY.17.7 255.255.255.0
!
interface Vlan67
ip address YY.YY.67.7 255.255.255.0
On SW3
interface FastEthernet0/10
switchport access vlan 300
switchport mode access
!
interface Vlan38
ip address YY.YY.38.8 255.255.255.0
!
interface Vlan89
ip address YY.YY.89.8 255.255.255.0
!
interface Vlan300
ip address 150.3.yy.1 255.255.255.0
On SW4
interface Vlan29
ip address YY.YY.29.9 255.255.255.0
!
interface Vlan89
ip address YY.YY.89.9 255.255.255.0

1.3 Multiple Spanning Tree (MST)

Configure the switches according to the following requirements:
Each of the following sets of VLANs must share a common spanning-tree topology:
Spanning-tree topology 1: all odd VLANs used throughout your exam
Spanning-tree topology 2: all even VLANs used throughout your exam
Spanning-tree topology 3: all other VLANs must be explicitly put into instance 3
(or) Spanning-tree topology 3: all other VLANs
Use the domain name cisco.
o Ensure SW1 is the root switch for instance 1 and the CIST VLANs, and
o the backup root switch for instance 2.
o Ensure SW2 is the root switch for instance 2, and
o the backup root switch for instance 1 and the CIST VLANs.
Configure the native VLAN as VLAN 999. Ensure this VLAN is tagged.
o All unused ports should be administratively shut down and defined as access ports in
VLAN 999.
o Don't forget the GigabitEthernet ports (2 ports).

Solution
On all switches
spanning-tree mode mst
spanning-tree mst configuration
revision 1
name cisco
instance 3 vlan 1-4094
instance 1 vlan 17,29,45,67,89,333,999
instance 2 vlan 34,38,56,100,200,300,500,666
!
interface range fastethernet 0/19-24
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 999
!
interface range <all-unused-ports>
switchport mode access
switchport access vlan 999
shutdown
!
vlan dot1q tag native
On SW1
spanning-tree mst 0 root primary
spanning-tree mst 1 root primary
spanning-tree mst 2 root secondary

On SW2
spanning-tree mst 0 root secondary
spanning-tree mst 1 root secondary
spanning-tree mst 2 root primary
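MST only forms one region when the region name, the revision number and the complete instance-to-VLAN map are identical on every switch, so it is worth generating the block from the VLAN table rather than typing it per switch. The script below is an added example, not part of the K7 document: it takes the VLAN ID and name table from section 1.2 as data, partitions the IDs into instance 1 (odd) and instance 2 (even) as section 1.3 requires, and renders the IOS lines for the VLANs, the MST region and the per-switch root/backup-root commands. The region name "cisco" and revision 1 follow the solution above.

```python
"""Generate the VLAN and MST region configuration from the VLAN table (added example)."""
from typing import Dict, Iterable, List

# VLAN table from section 1.2 (IDs and names as given in the lab).
VLANS: Dict[int, str] = {
    17: "VLAN_17_R1-SW2", 29: "VLAN_29_R2-SW4", 34: "VLAN_34",
    38: "VLAN_38_R3-SW3", 45: "VLAN_45", 56: "VLAN_56_R5-SW1",
    67: "VLAN_67_SW1-SW2", 89: "VLAN_89_SW3-SW4", 100: "VLAN_BB1",
    200: "VLAN_BB2", 300: "VLAN_BB3", 333: "VLAN_CUSTOMER",
    500: "VLAN_USERS", 666: "VLAN_CARRIER", 999: "VLAN_NATIVE",
}


def mst_instances(vlan_ids: Iterable[int]) -> Dict[int, List[int]]:
    """Odd VLANs go to instance 1, even VLANs to instance 2, each sorted ascending."""
    ids = sorted(vlan_ids)
    return {1: [v for v in ids if v % 2], 2: [v for v in ids if not v % 2]}


def vlan_config(vlans: Dict[int, str]) -> List[str]:
    """Render 'vlan N' / 'name X' pairs in ascending VLAN order."""
    lines: List[str] = []
    for vid in sorted(vlans):
        lines += [f"vlan {vid}", f" name {vlans[vid]}"]
    return lines


def mst_config(vlans: Dict[int, str], name: str = "cisco", revision: int = 1) -> List[str]:
    """Render the MST region block; instance 3 is assigned first so that every
    VLAN not later moved to instance 1 or 2 stays in instance 3."""
    inst = mst_instances(vlans)
    return [
        "spanning-tree mode mst",
        "spanning-tree mst configuration",
        f" name {name}",
        f" revision {revision}",
        " instance 3 vlan 1-4094",
        f" instance 1 vlan {','.join(map(str, inst[1]))}",
        f" instance 2 vlan {','.join(map(str, inst[2]))}",
    ]


def root_config(primary: List[int], secondary: List[int]) -> List[str]:
    """Per-switch root lines, e.g. SW1: primary for [0, 1], secondary for [2]."""
    return ([f"spanning-tree mst {i} root primary" for i in primary] +
            [f"spanning-tree mst {i} root secondary" for i in secondary])


if __name__ == "__main__":
    # Region block for every switch, followed by SW1's root assignments.
    print("\n".join(vlan_config(VLANS) + mst_config(VLANS) + root_config([0, 1], [2])))
```

Running it reproduces the instance lists given in the solution above; for SW2 call root_config([2], [0, 1]) instead. Because the same script output is pushed to every switch, a typo in one switch's instance map (the classic cause of a split MST region) cannot creep in.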
1.4 Switch Trunking and EtherChannel
Refer to the diagram. Configure the dual trunk ports between all switches according to the
following requirements:

Configure the trunks using dot1q as per the diagram (ports 19-24) on SW1 to SW4.
Allow the native VLAN 999 and make sure the native VLAN frames are tagged.
Use 802.1Q encapsulation.
Disable DTP on the six distribution ports of each switch.
Configure an 802.3ad 200 Mbps EtherChannel between SW1 and SW2.
SW2 should not actively start it.
EtherChannel load balancing should be based on source and destination host MAC
addresses.
If more channel members are added in the future, Fa0/24 must have the best chance of being
the first active port in the channel.
Configure an EtherChannel (LACP) between the two switches; SW2 shouldn't actively start it.
Load balance on a hash of the src-dst MAC addresses.

Solution
interface range fastethernet 0/19-24
switchport trunk encapsulation dot1q
switchport nonegotiate
On SW1
interface range fastethernet 0/23-24
channel-group 1 mode active
!
port-channel load-balance src-dst-mac
!
interface range fastethernet 0/24
lacp port-priority 1
On SW2
interface range fastethernet 0/23-24
channel-group 1 mode passive
!
port-channel load-balance src-dst-mac
!
interface range fastethernet 0/24
lacp port-priority 1

1.5 Implement 802.1Q Tunneling
Configure your network as per the following requirements:

Users connected to VLAN 333 on SW3 must be able to communicate with users connected
to VLAN 333 on SW4 via their interfaces Fa0/19 (connected to SW1 and SW2 respectively).
Configure the VLAN 333 interface on SW3 with the IP address YY.YY.33.8/24.
Configure the VLAN 333 interface on SW4 with the IP address YY.YY.33.9/24.
VLAN 333 must be allowed to flow only through SW3's and SW4's Fa0/19. No other trunks
may carry this VLAN.
SW1 and SW2 must carry the VLAN 333 data across the network using VLAN 666.
VLAN 666 may exist only on SW1 and SW2.
SW1 and SW2 must not allow VLAN 333 on any trunks and must allow VLAN 666 only on
the trunks between them.
No other port in any switch may carry VLAN 333.
Do not modify any spanning-tree cost or port priority to achieve this task.
Referring to the exhibit below:
o SW3 must see SW4 as a CDP neighbor via interface Fa0/19, and
o must be able to ping SW4's VLAN 333.

Solution
On all switches
interface range fastethernet 0/19-24
switchport trunk allowed vlan remove 333,666
On SW3 and SW4
interface fastethernet 0/19
switchport trunk allowed vlan 333
On SW1 and SW2
system mtu 1504
! a reload is required for this command to take effect
system mtu routing 1500
! this is the default; it is always better to hardcode it than to leave it to the default
!
interface fastethernet 0/19
switchport access vlan 666
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
no cdp enable
!
interface Port-channel 1
switchport trunk allowed vlan add 666
On SW3
interface vlan 333
ip address YY.YY.33.8 255.255.255.0

On SW4
interface vlan 333
ip address YY.YY.33.9 255.255.255.0
1.6 PPP over Ethernet
Configure PPPoE between R3 and R4 according to the following requirements:
Configure R3 as a PPPoE server.
Configure R4 as a PPPoE client.
Configure the group name as CISCO.
R4 always gets the same IP address from R3.
Do not use DHCP to receive the IP address.
Ensure no interleaving on the PPPoE link, or (ensure that there is no unnecessary PPP
fragmentation on the PPPoE link).
The IP address must be given to the virtual template.
R3 must require R4 to authenticate using CHAP, but R4 must NOT require R3 to authenticate.
o Use CISCO as the CHAP password for R4.
o Make sure that all CHAP passwords are shown in clear text in the configuration.

On R3 (Server)
username RackYYR4 password CISCO
vpdn enable
bba-group pppoe CISCO
virtual-template 1
!
interface FastEthernet0/1
! R3 interface facing R4
no ip address
pppoe enable group CISCO
!
interface Virtual-Template1
ip address YY.YY.34.3 255.255.255.0
peer default ip address pool POOL
ppp authentication chap
!
ip local pool POOL YY.YY.34.4
On R4 (Client)
interface FastEthernet0/1
! R4 interface facing R3
no ip address
pppoe enable
pppoe-client dial-pool-number 1
!
interface Dialer1
mtu 1492
ip address negotiated
encapsulation ppp
dialer pool 1
dialer persistent
dialer idle-timeout 0
ppp chap hostname RackYYR4
ppp chap password CISCO
1.7 Implement Frame Relay
Use the following requirements to configure R1 and R2 for Frame Relay:
Use static frame-relay maps with the broadcast capability.
Do not use dynamic ARP mapping.
Do not change anything in the frame-relay switch (R4).
Use RFC 1490 / RFC 2427 encapsulation.
Use the DLCI assignments from the table below.
Set the bandwidth administratively to 50000 Kb on the interfaces.
R1 and R2 must be able to ping their own interface.
R1 uses DLCI 100
R2 uses DLCI 200
Solution
On R1
interface Serial0/0/0
bandwidth 50000
ip address YY.YY.12.1 255.255.255.0
encapsulation frame-relay IETF
! check the frame-relay switch and configure LMI (optional; autosensing will take care of this)
frame-relay map ip YY.YY.12.2 100 broadcast
frame-relay map ip YY.YY.12.1 100
no frame-relay inverse-arp
On R2
interface Serial0/0/0
bandwidth 50000
ip address YY.YY.12.2 255.255.255.0
encapsulation frame-relay IETF
! check the frame-relay switch and configure LMI (optional; autosensing will take care of this)
frame-relay map ip YY.YY.12.2 200
frame-relay map ip YY.YY.12.1 200 broadcast
no frame-relay inverse-arp
NOTE
If your test question does not say "Set the bandwidth administratively to 50000 Kb on the interfaces",
then there is no need to configure bandwidth 50000.

Section 2 : Layer 3 Technologies


2.1 IPv4 OSPF
Configure OSPF areas 0, 1 and 2 as per the IGP topology diagram.

The OSPF process ID can be any number.
The OSPF router IDs must be stable and must be configured using the IP address
of interface Loopback0.
Loopback0 interfaces should be advertised in the OSPF area shown in the IGP topology
diagram and must appear as /32 host routes.
Updates should be advertised only out of the interfaces that are indicated in the IGP
topology diagram.
Ensure that an OSPF neighborship is established between R1 and R2 without
changing the frame-relay interface type.
Ensure that R4 can still reach all OSPF networks via R3 in case R1 or R5 goes down.
Do not create additional OSPF areas.
Do not use any IP address not listed in the diagram.

Configuration

On R1
ip cef
router ospf 1
router-id YY.YY.1.1
area 1 virtual-link YY.YY.3.3
network YY.YY.1.1 0.0.0.0 area 0
network YY.YY.15.1 0.0.0.0 area 0
network YY.YY.17.1 0.0.0.0 area 0
network YY.YY.12.1 0.0.0.0 area 1
network 150.1.YY.1 0.0.0.0 area 0
neighbor YY.YY.12.2
On R2
ip cef
router ospf 1
router-id YY.YY.2.2
network YY.YY.2.2 0.0.0.0 area 1
network YY.YY.12.2 0.0.0.0 area 1
network YY.YY.23.2 0.0.0.0 area 1
network 150.2.YY.1 0.0.0.0 area 1
neighbor YY.YY.12.1
On R3
ip cef
router ospf 1
router-id YY.YY.3.3
area 1 virtual-link YY.YY.1.1
area 1 virtual-link YY.YY.5.5
network YY.YY.3.3 0.0.0.0 area 1
network YY.YY.23.3 0.0.0.0 area 1
network YY.YY.35.3 0.0.0.0 area 1
network YY.YY.34.3 0.0.0.0 area 2

On R4
ip cef
router ospf 1
router-id YY.YY.4.4
network YY.YY.4.4 0.0.0.0 area 2
network YY.YY.34.4 0.0.0.0 area 2

On R5
ip cef
router ospf 1
router-id YY.YY.5.5
area 1 virtual-link YY.YY.3.3
network YY.YY.5.5 0.0.0.0 area 0
network YY.YY.15.5 0.0.0.0 area 0
network YY.YY.56.5 0.0.0.0 area 0
network YY.YY.35.5 0.0.0.0 area 1
On SW1
ip routing
ip cef distributed
router ospf 1
router-id YY.YY.6.6
network YY.YY.6.6 0.0.0.0 area 0
network YY.YY.56.6 0.0.0.0 area 0
network YY.YY.67.6 0.0.0.0 area 0
On SW2
ip routing
ip cef distributed
router ospf 1
router-id YY.YY.7.7
network YY.YY.7.7 0.0.0.0 area 0
network YY.YY.17.7 0.0.0.0 area 0
network YY.YY.67.7 0.0.0.0 area 0

2.2 IPv4 EIGRP
Configure Enhanced Interior Gateway Routing Protocol (EIGRP) 100 and EIGRP YY as per the IGP
topology diagram.

Backbone 3 has the IP address 150.3.YY.254 and is using AS number 100.
EIGRP updates should be advertised only out of the interfaces per the IGP topology diagram.
On SW3, redistribute from EIGRP 100 into EIGRP YY.
Do NOT use automatic summarization for any EIGRP process.

Configuration

On SW3
ip routing
ip cef distributed
router eigrp YY
network YY.YY.8.8 0.0.0.0
network YY.YY.38.8 0.0.0.0
network YY.YY.89.8 0.0.0.0
redistribute eigrp 100
no auto-summary
router eigrp 100
network 150.3.YY.1 0.0.0.0
no auto-summary
On R3
router eigrp YY
network YY.YY.38.3 0.0.0.0
no auto-summary
On R2
router eigrp YY
network YY.YY.29.2 0.0.0.0
no auto-summary
On SW4
ip routing
ip cef distributed
router eigrp YY
network YY.YY.9.9 0.0.0.0
network YY.YY.29.9 0.0.0.0
network YY.YY.89.9 0.0.0.0
no auto-summary

2.3 IPv4 RIPv2
Configure RIP Version 2 (RIPv2) per the IGP topology diagram.
RIP updates must be advertised only out of the interfaces per the IGP topology diagram.
Do NOT use auto-summarization.
Configuration
On R4
router rip
version 2
passive-interface default
no passive-interface FastEthernet 0/1
network YY.0.0.0
no auto-summary
On R5
router rip
version 2
passive-interface default
no passive-interface FastEthernet 0/1
network YY.0.0.0
no auto-summary

Redistribution OSPF, EIGRP, RIP


2.4 Between OSPF and EIGRP
Redistribute mutually between OSPF and EIGRP YY on R2 and R3 as per the following
requirements:
On R2 and R3, ensure that all prefixes learned from OSPF are seen as OSPF routes and
that the prefixes learned from EIGRP 100 are seen as EIGRP external routes (D EX).
The only EIGRP external routes on both R2 and R3 should be the EIGRP 100 routes.
No default route should be seen in this network.
Ensure that optimal routing is performed on both R2 and R3.
No route tagging is permitted on SW3.
You must use a route filtering mechanism, but you are not allowed to use an access-list or prefix-list.
Do NOT change the administrative distance to accomplish this requirement.
On R2 / R3
route-map TAG_EIGRP_EX permit 10
match source-protocol eigrp YY
match route-type external
set tag 100
route-map TAG_EIGRP_EX permit 20
route-map DROP_EIGRP_EX deny 10
match tag 100

route-map DROP_EIGRP_EX permit 20
router eigrp YY
redistribute ospf 1 metric 100000 100 255 1 1500
router ospf 1
redistribute eigrp YY subnets route-map TAG_EIGRP_EX
distribute-list route-map DROP_EIGRP_EX in

2.5 Between OSPF and RIPv2

Redistribute OSPF into RIP on R5 as per the following requirements:

Redistribute OSPF into RIP on R5.
Ensure that R4 reaches SW1's Loopback0 via R5 and all other routes via R3.
Advertise the VLAN 45 network into OSPF without using the network command.

On R4
router rip
distance 100 YY.YY.45.5 0.0.0.0 1
access-list 1 permit YY.YY.6.6
On R5
router ospf 1
redistribute rip subnets route-map NETWORK45
route-map NETWORK45 permit 10
match ip address 45
access-list 45 permit YY.YY.45.0 0.0.0.255
router rip
redistribute ospf 1 metric 10

2.6 IPv4 EBGP

Configure EBGP on R1 and R2 according to the following requirements:
R1 should be an eBGP peer of the router Backbone 1 in AS 254.
R2 should be an eBGP peer of the router Backbone 2 in AS 254.
Ensure that R1 & R2 have the capability to signal the End-of-RIB marker.
You are NOT allowed to use BGP next-hop anywhere.
Router R1 should generate a warning message if it receives more than 5
prefixes from Backbone 1 (BB1).
Configuration
On R2
router bgp YY

bgp graceful-restart
neighbor 150.2.YY.254 remote-as 254
On R1
router bgp YY
bgp graceful-restart
neighbor 150.1.YY.254 remote-as 254
neighbor 150.1.YY.254 maximum-prefix 5 100 warning-only

2.7 IPv4 IBGP

Configure iBGP on R1, R2, R3, R4 and R5 as per the following requirements:

Where possible, failure of a physical interface should not permanently affect BGP peer
connections
(use only the Loopback0 IP addresses to propagate BGP route information within your BGP
domain).
Configure R3 as a route reflector to minimize the number of BGP peering sessions among all BGP
speakers in AS YY.
You are NOT allowed to use BGP peer groups.

On R1
router bgp YY
bgp router-id YY.YY.1.1
neighbor YY.YY.3.3 remote-as YY
neighbor YY.YY.3.3 update-source Loopback0
On R2
router bgp YY
bgp router-id YY.YY.2.2
neighbor YY.YY.3.3 remote-as YY
neighbor YY.YY.3.3 update-source Loopback0
On R4
router bgp YY
bgp router-id YY.YY.4.4
neighbor YY.YY.3.3 remote-as YY
neighbor YY.YY.3.3 update-source Loopback0
On R5
router bgp YY
bgp router-id YY.YY.5.5
neighbor YY.YY.3.3 remote-as YY
neighbor YY.YY.3.3 update-source Loopback0
On R3
router bgp YY
bgp router-id YY.YY.3.3
neighbor YY.YY.1.1 remote-as YY
neighbor YY.YY.1.1 update-source Loopback0

neighbor YY.YY.1.1 route-reflector-client
neighbor YY.YY.2.2 remote-as YY
neighbor YY.YY.2.2 update-source Loopback0
neighbor YY.YY.2.2 route-reflector-client
neighbor YY.YY.4.4 remote-as YY
neighbor YY.YY.4.4 update-source Loopback0
neighbor YY.YY.4.4 route-reflector-client
neighbor YY.YY.5.5 remote-as YY
neighbor YY.YY.5.5 update-source Loopback0
neighbor YY.YY.5.5 route-reflector-client

2.8 Advanced BGP

Configure BGP path selection as per the following requirements:

The routes from OSPF should be redistributed into BGP AS 254 on R1 and R2.
R1 should prefer the path through BB1 for AS 254. The tie breaker in the BGP best path
selection algorithm must be the "internal vs external" criterion.
R3 should prefer the path through R1 for BGP AS 254. This configuration should not affect any
other routers in AS YY getting to BGP AS 254.
You are not allowed to change BGP attributes such as Weight, AS-Path or Local
Preference on R4 and R5 to accomplish this task.
You are allowed to change the OSPF cost of only one interface.
R4 should prefer R1 as the exit point for AS 254. This change should not impact any
other BGP peer routers.
R4 should be able to ping the prefix 197.68.1.254, which is located in AS 254, via the path to R1.

Configuration

On R1
router bgp YY
redistribute ospf 1 match internal external 1 external 2
On R2
router bgp YY
redistribute ospf 1 match internal external 1 external 2
neighbor 150.2.YY.254 route-map PREPEND_AS in
! then: clear bgp ipv4 unicast * soft (in and out)
route-map PREPEND_AS permit 10
set as-path prepend 253
On R3
router bgp YY
neighbor YY.YY.1.1 weight 100
! then: clear bgp ipv4 unicast * soft (in and out)
On R5
interface S0/0/0
! serial interface facing R1
ip ospf cost 1

2.9 IPv6 Address and OSPF Routing

The administrator has started to configure global unicast IPv6 addresses and OSPFv3 routing in
your network according to the IPv6 Routing diagram.

Configure global unicast IPs on all relevant interfaces on R1, R5, SW1 and SW2, including Loopback0.
Use /64 for physical interfaces and /128 for loopback interfaces.
Ensure that all routers and switches can ping each other using IPv6.
The process ID is 2001.
OSPFv3 router IDs must be stable and identical to the OSPFv2 router IDs.
Ensure that periodic router advertisements are disabled on the IPv6-enabled
interfaces.
Make sure the IPv6 domain uses the Cisco proprietary forwarding mechanism.
Authenticate OSPFv3 between R1 and R5 according to the following requirement: use
the MD5 authentication type with the following key string:
1234567890ABCDEF1234567890ABCDEF
You are not allowed to use any commands under the router configuration mode to
accomplish this task.
Do not create additional OSPFv3 areas.
Ensure that all IPv6 networks on all routers and switches can ping each other using IPv6.
Configure the IPv6 addresses as follows
(YY = rack number, HH = interface IPv4 3rd octet, ZZ = interface IPv4 4th octet):
Interface: 2001:YY:HH::ZZ/64, Loopback: 2001:YY:HH::ZZ/128
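The addressing rule above is mechanical, so the per-interface lines can be derived from the IPv4 addresses already configured in section 2.1. The script below is an added example, not part of the K7 document: it maps YY.YY.HH.ZZ to 2001:YY:HH::ZZ by copying the decimal digits of the 3rd and 4th octets verbatim into the hextets (so 15 becomes the hextet "15", not 0xf), picks /64 or /128 as the task requires, and renders the interface block used throughout the solution. rack=10 is a constructed stand-in for YY; the helper names are this example's own.

```python
"""Derive the lab's IPv6 interface addresses from the IPv4 plan (added example)."""
import ipaddress
from typing import List


def ipv6_from_ipv4(ipv4: str, rack: int, loopback: bool = False) -> str:
    """Return 2001:YY:HH::ZZ with /128 for loopbacks and /64 for everything else."""
    octets = [int(o) for o in ipv4.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ipv4}")
    hh, zz = octets[2], octets[3]
    plen = 128 if loopback else 64
    addr = f"2001:{rack}:{hh}::{zz}/{plen}"
    # Every decimal octet (0-255) is also a 1-3 digit hex string, so the text
    # is always a valid IPv6 interface; parsing it guards against typos.
    ipaddress.IPv6Interface(addr)
    return addr


def ipv6_interface_config(ifname: str, ipv4: str, rack: int, process: int = 2001,
                          area: int = 0, loopback: bool = False) -> List[str]:
    """IOS lines for one interface: address, OSPFv3 membership, RA suppression."""
    return [
        f"interface {ifname}",
        f" ipv6 address {ipv6_from_ipv4(ipv4, rack, loopback)}",
        f" ipv6 ospf {process} area {area}",
        " ipv6 nd ra suppress",
    ]


def same_link(a: str, b: str) -> bool:
    """True when two interface addresses fall in the same prefix, i.e. the two
    ends of a link were derived consistently and can form an OSPFv3 adjacency."""
    return ipaddress.IPv6Interface(a).network == ipaddress.IPv6Interface(b).network


if __name__ == "__main__":
    # R1 side of the R1-R5 serial link and R1's loopback, with rack 10 standing in for YY.
    print("\n".join(ipv6_interface_config("Serial0/0/1", "10.10.15.1", rack=10)))
    print("\n".join(ipv6_interface_config("Loopback0", "10.10.1.1", rack=10, loopback=True)))
```

same_link is the check to run before troubleshooting an OSPFv3 adjacency: the R1 and R5 addresses for the 15 link derived this way share 2001:10:15::/64, while an address derived from a different third octet does not.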
On R1
ipv6 unicast-routing
ipv6 cef
ipv6 router ospf 2001
router-id YY.YY.1.1
no shutdown
interface Serial0/0/1
ipv6 address 2001:YY:15::1/64
ipv6 ospf 2001 area 0
ipv6 nd ra suppress
ipv6 ospf authentication ipsec spi <SPI> md5 1234567890ABCDEF1234567890ABCDEF
! <SPI> is a placeholder: choose one SPI value and configure the same value on both R1 and R5
interface FastEthernet0/0
ipv6 address 2001:YY:17::1/64
ipv6 ospf 2001 area 0
ipv6 nd ra suppress
interface Loopback0
ipv6 address 2001:YY:1::1/128
ipv6 ospf 2001 area 0
ipv6 nd ra suppress
On R5
ipv6 unicast-routing
ipv6 cef
ipv6 router ospf 2001
router-id YY.YY.5.5
no shutdown
interface Loopback0
ipv6 address 2001:YY:5::5/128
ipv6 ospf 2001 area 0
ipv6 nd ra suppress
interface FastEthernet0/0
ipv6 address 2001:YY:56::5/64
ipv6 ospf 2001 area 0
ipv6 nd ra suppress
interface Serial0/0/1
ipv6 address 2001:YY:15::5/64
ipv6 ospf 2001 area 0
ipv6 nd ra suppress
ipv6 ospf authentication ipsec spi <SPI> md5 1234567890ABCDEF1234567890ABCDEF
! <SPI> is a placeholder: use the same SPI value that was configured on R1
On SW1
sdm prefer dual-ipv4-and-ipv6 default
ipv6 unicast-routing
ipv6 cef
ipv6 router ospf 2001
router-id YY.YY.6.6
no shutdown
interface Loopback0
ipv6 address 2001:YY:6::6/128
ipv6 ospf 2001 area 0
ipv6 nd ra suppress
interface vlan 56
ipv6 address 2001:YY:56::6/64
ipv6 ospf 2001 area 0
ipv6 nd ra suppress

interface vlan 67
ipv6 address 2001:YY:67::6/64
ipv6 ospf 2001 area 0
ipv6 nd ra suppress

On SW2
sdm prefer dual-ipv4-and-ipv6 default
! a reload is required for the new SDM template to take effect
ipv6 unicast-routing
ipv6 cef
ipv6 router ospf 2001
router-id YY.YY.7.7
no shutdown
interface Loopback0
ipv6 address 2001:YY:7::7/128
ipv6 ospf 2001 area 0
ipv6 nd ra suppress
interface vlan 17
ipv6 address 2001:YY:17::7/64
ipv6 ospf 2001 area 0
ipv6 nd ra suppress
interface vlan 67
ipv6 address 2001:YY:67::7/64
ipv6 ospf 2001 area 0
ipv6 nd ra suppress

Section 3 : IP Multicast
3.1 Implement IPv4 Multicast 1
Configure multicast routing between R3 S0/0/0 and R5 S0/0/1 according to the following
requirements:

Do NOT use any RP.
Interface Loopback0 of R3 simulates the video server; the client is simulated on R5.
Multicast is sourced from Loopback0 of R3 and the receiver is R5 Fa0/0 (225.1.1.1).
Ensure that unnecessary flooding/pruning does not occur.

3.2 Implement IPv4 Multicast 2

Ensure that only R3 Lo0 (YY.YY.3.3) is allowed to send multicast 225.1.1.1 to R5 Fa0/0.
In the near future, other users on R5 are planning to join 225.1.1.2 and 225.1.1.3.
The users will use IGMPv2.
Ensure that these users can only access the two multicast streams.
Routers should not use DNS queries for mapping the source.
R3
ip multicast-routing
access-list 10 permit 225.1.1.1
access-list 10 permit 225.1.1.2
access-list 10 permit 225.1.1.3
access-list 20 permit 225.1.1.2 0.0.0.1
ip pim ssm range 10
int Loopback0
ip pim sparse-mode
!
int serial x/y/z
! interface facing R5
ip pim sparse-mode
!
ip igmp ssm-map enable
no ip igmp ssm-map query dns
ip igmp ssm-map static 20 YY.YY.3.3
R5
ip multicast-routing
access-list 10 permit 225.1.1.1
access-list 10 permit 225.1.1.2
access-list 10 permit 225.1.1.3
access-list 20 permit 225.1.1.2 0.0.0.1
ip pim ssm range 10
int serial x/y/z
! interface facing R3
ip pim sparse-mode
!
ip igmp ssm-map enable
no ip igmp ssm-map query dns
ip igmp ssm-map static 20 YY.YY.3.3
!
int fa0/0
ip pim sparse-mode
ip igmp version 3
ip igmp join-group 225.1.1.1 source YY.YY.3.3


Section 4 : Advanced Services


4.1 IGP Authentication 1
Secure the RIP domain according to the following requirements:

Complete RIP authentication between R4 and R5.
The key chain for RIP authentication is pre-configured on R4.
Do not reconfigure it on R4.
Note: The pre-configured key chain can be found using "show key chain RIP" on R4.
On R5
no service password-encryption
key chain rip
key 1
key-string HiddenRipKey
int fa0/1
ip rip authentication mode md5
ip rip authentication key-chain rip
On R4
int fa0/0
ip rip authentication mode md5
ip rip authentication key-chain rip
!!! The key-string is exactly as stated above "HiddenRipKey" and must be clearly seen in R5

4.2 Zone-Based Firewall

Configure a Zone-Based Firewall (ZBF) on R1 so that the following sequence of commands
produces the same output.
RackYYR1#clear zone-pair counter
RackYYR5#ping 150.1.YY.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.YY.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/9 ms
RackYYSW2#ping 150.1.YY.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.YY.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/9 ms
RackYYR1#show policy-map type inspect zone-pair
 Zone-pair: A_B
  Service-policy inspect : A_B
   Class-map: A_B (match-all)
    Match: protocol icmp
    Pass
     55 packets, 4400 bytes
   Class-map: class-default (match-any)
    Match: any
    Pass
     8 packets, 64 bytes
You must use exactly the same names for the policy-map and class-map (case sensitive).
On R1
class-map type inspect match-all A_B
match protocol icmp
policy-map type inspect A_B
class type inspect A_B
pass
class class-default
pass
zone security A
zone security B
zone-pair security A_B source A destination B
service-policy type inspect A_B
zone-pair security B_A source B destination A
service-policy type inspect A_B
interface FastEthernet0/0
zone-member security A
interface FastEthernet0/1
zone-member security B
interface Serial0/0/0
zone-member security A
interface Serial0/0/1
zone-member security A

4.3 Layer 2 Security

Configure SW1 and SW2 as per the following requirements:

R4 and R5 may communicate only with each other in VLAN 45. No other host is allowed to
communicate with them in VLAN 45.
Hosts connected to port Fa0/6 on SW1 and SW2 should be part of VLAN 45 and they
communicate only with each other. They must not be able to communicate with any other host in
VLAN 45.
Hosts connected to port Fa0/7 of both SW1 and SW2 should not be able to communicate with
any host.
SW1 Fa0/9 is a promiscuous port, or (all of the above ports (Fa0/6, Fa0/7 on SW1 and
SW2) must be allowed to communicate with a device connected to port Fa0/9 of SW1).
Use only odd VLAN number(s) (between 334 and 998) if you need to create any new VLAN(s).
ALL switches
vlan 451
private-vlan community
name COMMUNITY1
vlan 453
private-vlan community
name COMMUNITY2
vlan 455
private-vlan isolated
name ISOLATED
vlan45
name VLAN_45
private-vlan primary
private-vlan association 451,453,455
spanning-tree mst configuration
instance 1 vlan 451,453,455
On SW1
interface FastEthernet0/4
no switchport access vlan 45
switchport private-vlan host-association 45 451
switchport mode private-vlan host
no shutdown
interface FastEthernet0/6
no switchport access vlan 999
switchport private-vlan host-association 45 453
switchport mode private-vlan host

no shutdown

interface FastEthernet0/7
no switchport access vlan 999
switchport private-vlan host-association 45 455
switchport mode private-vlan host
no shutdown

interface FastEthernet0/9
no switchport access vlan 999
switchport mode private-vlan promiscuous
switchport private-vlan mapping 45 add 451,453,455
no shutdown
On SW2
interface FastEthernet0/5
no switchport access vlan 45
switchport private-vlan host-association 45 451
switchport mode private-vlan host
interface FastEthernet0/6
no switchport access vlan 999
switchport private-vlan host-association 45 453
switchport mode private-vlan host
no shutdown
interface FastEthernet0/7
no switchport access vlan 999
switchport private-vlan host-association 45 455
switchport mode private-vlan host
no shutdown
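The private-VLAN configuration above enforces three forwarding rules: a promiscuous port reaches every secondary VLAN of its primary, a community port reaches its own community and the promiscuous port, and an isolated port reaches only the promiscuous port. The script below is an added example, not part of the K7 document: it encodes those rules and applies them to the port-to-secondary-VLAN table taken from the SW1 and SW2 configuration in this section, so the full reachability matrix can be reviewed against the requirements before the exam grader tests it. The port names and the "SW1-6"-style labels are this example's own.

```python
"""Reachability model for the private-VLAN design in section 4.3 (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

PRIMARY = 45
COMMUNITY = {451, 453}    # COMMUNITY1, COMMUNITY2
ISOLATED = 455            # ISOLATED


@dataclass(frozen=True)
class Port:
    switch: str
    name: str
    mode: str           # "host" or "promiscuous"
    secondary: int = 0  # secondary VLAN for host ports, 0 for a promiscuous port


# Host-association table from the SW1/SW2 configuration above; the labels are ours.
PORTS: Dict[str, Port] = {
    "R4":    Port("SW1", "Fa0/4", "host", 451),
    "R5":    Port("SW2", "Fa0/5", "host", 451),
    "SW1-6": Port("SW1", "Fa0/6", "host", 453),
    "SW2-6": Port("SW2", "Fa0/6", "host", 453),
    "SW1-7": Port("SW1", "Fa0/7", "host", ISOLATED),
    "SW2-7": Port("SW2", "Fa0/7", "host", ISOLATED),
    "SW1-9": Port("SW1", "Fa0/9", "promiscuous"),
}


def can_communicate(a: Port, b: Port) -> bool:
    """Apply the PVLAN forwarding rules between two ports of primary VLAN 45.
    The switch a port sits on does not matter: the secondary VLANs are carried
    over the trunks (they are mapped into MST instance 1 above)."""
    if a == b:
        return True
    if a.mode == "promiscuous" or b.mode == "promiscuous":
        return True                      # promiscuous reaches every secondary VLAN
    if a.secondary == ISOLATED or b.secondary == ISOLATED:
        return False                     # isolated hosts reach only promiscuous ports
    if a.secondary in COMMUNITY and a.secondary == b.secondary:
        return True                      # same community, on either switch
    return False                         # different communities stay apart


def reachability(ports: Dict[str, Port]) -> List[Tuple[str, str, bool]]:
    """Every unordered pair of ports with its verdict."""
    names = list(ports)
    return [(x, y, can_communicate(ports[x], ports[y]))
            for i, x in enumerate(names) for y in names[i + 1:]]


def allowed_pairs(ports: Dict[str, Port]) -> int:
    """Number of port pairs that may exchange traffic."""
    return sum(1 for _, _, ok in reachability(ports) if ok)


if __name__ == "__main__":
    for x, y, ok in reachability(PORTS):
        print(f"{x:6} <-> {y:6}: {'allowed' if ok else 'blocked'}")
```

Of the 21 port pairs only 8 may talk: R4 with R5, the two Fa0/6 hosts with each other, and every port with the promiscuous Fa0/9, which is exactly the set of reachabilities the four requirements above ask for.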

4.4 Quality of Service 1

Traffic from 197.68.1.0/24 behind BB1 is attacking hosts in OSPF Area 0.
It should be limited to 128k on each interface of R1 where it goes towards the OSPF area.
Use MQC and do not use policing.
On R1
access-list 40 permit 197.68.1.0 0.0.0.255
class-map SUSPICIOUS
match access-group 40
match input-interface Gi0/1
! (interface facing R5)
!
policy-map LIMIT_SUSPICIOUS
class SUSPICIOUS
shape average 128000
!
int serial0/0/1
! (interface facing R5)
service-policy output LIMIT_SUSPICIOUS
!
int Gi0/0
! (interface facing SW2)
service-policy output LIMIT_SUSPICIOUS

4.5 Quality of Services-1


Configure R5's interface S0/0/1 to share its available bandwidth as per following requirements

Consider that users connected to VLAN 56 are sending traffic that is already marked as follows
o Control IP Precedence value 6 or 7
o Voice IP precedence value 5
o Video IP precedence value 4
o Business IP precedence value 3
o Internet IP precedence 0
Use the Modular QoS CLI and class name as per the above description (Case sensitive).
Use the match all option for all Class maps.
Use only the option "match ip precedence" for all Class maps.
In case of congestion, the Voice traffic should be sent in priority over all the traffic.
The low latency queue may never use more than 20% of the available bandwidth.
In case of congestion, reserve 100Kbps of the available 2000Kbps for the Control traffic.
Only in case of congestion, the Video traffic may not exceed 30% of the available bandwidth.
Only in case of congestion, the Business traffic may not exceed 30% of the available
bandwidth.
Enable the congestion avoidance mechanism for the Business traffic using a weight factor of
10 for the average queue size calculation.
The Internet traffic should use the remaining bandwidth with no other guarantee.
Kbps: Kilobits per second. Use the first word (case sensitive) of the above traffic description to
name your classes (i.e. class Control, class Voice, etc.)
On R5
class-map match-all Business
match ip precedence 3
class-map match-all Internet
match ip precedence 0
class-map match-all Control
match ip precedence 6 7
class-map match-all Video
match ip precedence 4
class-map match-all Voice
match ip precedence 5
policy-map MQC
class Voice
priority percent 20
police cir percent 20
class Control
priority 100
class Video
bandwidth percent 30
class Business
bandwidth percent 30
random-detect
random-detect exponential-weighting-constant 10
class Internet
exit
interface Serial0/0/1 //(interface facing R3)
bandwidth 2000
// if default is not 2000Kbps, add this command
max-reserved-bandwidth 100
// reserved total: 20% (Voice) + 100K (Control, 5%) + 30% (Video) + 30% (Business) = 85%
// exceeds the 75% default, so the policy is rejected unless this limit is raised
service-policy output MQC

4.6 Implementing HSRP


Consider that users are connected to VLAN 500 on both SW1 and SW2. Configure HSRP to
provide redundancy for the user gateway YY.YY.100.254/24 as per the following requirements
On SW1
interface Vlan500
ip address YY.YY.100.2 255.255.255.0
standby 1 ip YY.YY.100.254
standby 1 authentication md5 key-string CISCO
standby 1 preempt
standby 1 timers 3 16

On SW2
track 11 ip route 150.1.YY.0 255.255.255.0 reachability
interface Vlan500
ip address YY.YY.100.1 255.255.255.0
standby 1 ip YY.YY.100.254
standby 1 authentication md5 key-string CISCO
standby 1 preempt
standby 1 priority 120
standby 1 track 11 decrement 30
standby 1 timers 3 16
On ALL Switches
spanning-tree mst configuration
instance 2 vlan 500

4.7 Time Based ACL


Configure SW1 and SW2 in order to restrict access for VLAN 500 users as per the following
requirements:

HTTP (from any user workstation to any remote server) is not allowed during office
hours (from 09:00 to 16:59, Monday to Friday)
FTP (from any user workstation to any remote server) is allowed only every night for
backup between 22:00 and 23:59 and is not allowed at any other time.
UDP traffic is allowed only outside of the office hours (every day from 17:00 to 8:59)
Any required control traffic must be allowed at all times and the ACL entry(-ies) must be as
specific as possible (i.e. specify the Layer 4 protocol with the port number on the destination)
Sources in all ACL entries must be explicitly configured as YY.YY.100.0/24

On SW1/SW2
time-range HTTP_BLOCK
periodic weekdays 09:00 to 16:59
!
time-range FTP_ALLOW
periodic daily 22:00 to 23:59
!
time-range UDP_ALLOW
periodic daily 17:00 to 23:59
periodic daily 00:00 to 08:59
!
ip access-list extended TBACL
deny tcp YY.YY.100.0 0.0.0.255 any eq www time-range HTTP_BLOCK
permit tcp YY.YY.100.0 0.0.0.255 any eq www
permit tcp YY.YY.100.0 0.0.0.255 any eq ftp ftp-data time-range FTP_ALLOW
permit udp YY.YY.100.0 0.0.0.255 eq 1985 host 224.0.0.2 eq 1985
permit udp YY.YY.100.0 0.0.0.255 any time-range UDP_ALLOW
interface vlan 500
ip access-group TBACL in
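Added example, not part of the K7 solution: a Python evaluator for the TBACL policy above (its three time-ranges and first-match entry order, including the implicit deny), run against constructed packets so the intended behaviour can be checked before the ACL is applied. The user subnet is constructed as 10.10.100.0/24 in place of YY.YY.100.0/24; times are router-local.

```python
# Added example (not from the K7 solution): replays TBACL against sample packets.
from datetime import datetime
from ipaddress import ip_address, ip_network

USERS = ip_network("10.10.100.0/24")   # constructed stand-in for YY.YY.100.0/24
HSRP_GROUP = ip_address("224.0.0.2")   # destination of the control-traffic entry

def in_time_range(name, when):
    """Mirror the periodic statements of the three time-ranges above."""
    hm = when.hour * 60 + when.minute
    weekday = when.weekday() < 5                      # Monday..Friday
    if name == "HTTP_BLOCK":
        return weekday and 9 * 60 <= hm <= 16 * 60 + 59
    if name == "FTP_ALLOW":
        return 22 * 60 <= hm <= 23 * 60 + 59
    if name == "UDP_ALLOW":
        return hm >= 17 * 60 or hm <= 8 * 60 + 59
    raise ValueError(name)

# (action, protocol, src port, dst host, dst ports, time-range) in configured order.
TBACL = [
    ("deny",   "tcp", None, None,       {80},     "HTTP_BLOCK"),
    ("permit", "tcp", None, None,       {80},     None),
    ("permit", "tcp", None, None,       {20, 21}, "FTP_ALLOW"),
    ("permit", "udp", 1985, HSRP_GROUP, {1985},   None),
    ("permit", "udp", None, None,       None,     "UDP_ALLOW"),
]

def evaluate(proto, src, sport, dst, dport, when):
    """Return 'permit' or 'deny' for one packet entering Vlan500 at time `when`."""
    src, dst = ip_address(src), ip_address(dst)
    for action, p, sp, d, dports, trange in TBACL:
        if p != proto or src not in USERS:
            continue
        if sp is not None and sp != sport:
            continue
        if d is not None and d != dst:
            continue
        if dports is not None and dport not in dports:
            continue
        if trange is not None and not in_time_range(trange, when):
            continue                                  # inactive time-range: entry skipped
        return action
    return "deny"                                     # implicit deny at the end of the ACL
```

Note that anything not listed (TCP to other ports, ICMP) falls through to the implicit deny, which is worth confirming against the task's intent before applying the ACL inbound on the SVI.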

Section 5 : Optimize the Network


5.1 Simple Network Management Protocol (SNMP)
Configure SNMPv3 for group "admin" on R3 as per the following requirements

Use location San Jose, USA
Use contact ccie@cisco.com
Use the R3 loopback0 interface as the source for SNMP traps
The SNMPv3 group admin has a user with a view privilege adminview that must view only the ISO
mib.
The SNMPv3 group admin has a user with a view privilege adminwrite that must write only the
system mib.
Ensure that group admin is set with the strongest security mechanism.
A user ccie should be from group admin and use an md5 password of cisco (case sensitive)
Ensure that the admin group only allows user access from YY.YY.17.0/24
Use an SNMP v2c instance for the NMS in YY.YY.67.0/24 to accomplish this task.
Note: All view names, group, username and community should be case-sensitive

On R3
access-list 17 permit YY.YY.17.0 0.0.0.255
access-list 67 permit YY.YY.67.0 0.0.0.255
snmp-server location San Jose, USA
snmp-server contact ccie@cisco.com
snmp-server source-interface trap Loopback0
snmp-server view adminview iso included
snmp-server view adminwrite system included
snmp-server group admin v3 priv read adminview write adminwrite access 17
snmp-server user ccie admin v3 auth md5 cisco
snmp-server community nms ro 67
no snmp-server group nms v1

5.2 NetFlow

Configure NetFlow on R1 according to the following requirements


Enable NetFlow on R1 to monitor the traffic entering and leaving Area 0 from BB1
Generate NetFlow sample one out-of-every 1000 packets
Export the flows to the server YY.YY.56.100 port 2222
In case the export to server fails, use backup server YY.YY.56.101 with the same port number.
Use R1 Loopback as source address for the exports
Use NetFlow version 9 with reliable transfer
Do not use policy-map

On R1
ip flow-export version 9
ip flow-export source loopback 0
ip flow-export destination YY.YY.56.100 2222 sctp
backup destination YY.YY.56.101 2222
flow-sampler-map NETFLOW
mode random one-out-of 1000
ip flow-export template options sampler
interface Gi0/1
flow-sampler NETFLOW
flow-sampler NETFLOW egress

Best of Luck Everybody