K7 Config Lab

Configuration Guidelines:
(**the guidelines below are not accurate and are incomplete)
The equipment on the rack assigned to you is physically cabled and should not be tampered with.
Router and switch hostnames, basic IP addressing, "no exec-timeout" and passwords on the Con,
AUX and VTY lines have been preconfigured. Do not change these configurations.
DO NOT change the line console preconfiguration.
All preconfigured passwords are "cisco". Do not change these passwords.
Unicast and multicast static routes and default routes are not permitted. Floating static routes
are not permitted either. This includes routes to Null0 generated as a result of a dynamic routing
protocol.
If you need clarification on the meaning of a question, or if you suspect hardware problems with
your equipment, contact the lab proctor as soon as possible.
The following symbols are used throughout the exam: YY is your 2-digit rack number, for example
the YY value for Rack3 is 03 and for Rack11 is 11. X is your router number, for example the X value for
router 1 is 1. Z is any number. SW1 and SW2 refer to the Catalyst

My approach:
1. Read the Configuration Rules thoroughly and make a quick list of DO's and DON'Ts!
2. Skim through the tasks. Make a checklist of the tasks and take note of the dependencies. Dependent
tasks are best configured together to save time.

3. Set "sdm prefer" and "system mtu 1504" on the switches that need them, then RELOAD (both
settings only take effect after a reload).
#show sdm prefer
#show system mtu
4. Quick Check initial configs:
#show run
#show run | inc interface|ip address
#show protocols

5. Issue convenience commands (but check the lab guidelines first; they may say "Do not
change the pre-configuration of line console", etc.)
#show run | b line con
#show run | i logging|domain
! Remove later (depends)
!
conf t
no ip domain lookup
logging console
line con 0
logging sync
do wr
6. Begin.

I. L2
My Approach:
- draw your own L2 Ethernet diagram and put only the active links/trunks on it (the lab's own L2 diagram is hard to work from)

1. Find the expected faults.
2. Set up VTP.
3. Set up trunks and EtherChannels.
4. Create VLANs, configure VLAN membership of access ports, configure SVIs and routed ports.
5. Finish all other Catalyst tasks (spanning tree, etc.).
6. Finish the L2 WAN tasks (Frame Relay, PPP, etc.).
7. Configure all missing IP addressing, then test all LAN and WAN connectivity before
proceeding to the L3 section.

Task 1.1 Initial Faults

One, two (or up to four) faults have been injected into the pre-configurations. These issues may impede a
working solution for certain portions of this lab exam and can affect any section of the exam.
You must verify that all of your configurations work as expected.
If something is not working as expected, then you must fix the underlying problem.
Points will be awarded for solving each problem.
However, if you fail to solve a particular problem, and the injected fault prevents you from having
a working solution for this lab, then you will lose points for both the fault and the task that is not
working.

Faults found in this lab:
1. DHCP snooping and Dynamic ARP Inspection on SW2 VLAN 17.
2. PortFast on SW4 trunk ports.
3. Root Guard on BB switchports and trunk ports.
4. CEF disabled on other routers.
5. VTP config differences (version, domain name, password).
6. VACL denying OSPF on SW2.
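The following Python script is an added example, not part of the original notes, showing how to scan a saved "show run" from each device for the six fault classes listed above before touching anything. The sample configs are constructed for the example and the rule set only covers these six patterns. Note that DHCP snooping and DAI are desirable controls in a production network; they are flagged here only because the lab treats them as unexpected preconfiguration.

```python
import re
from typing import Dict, List

# Constructed sample configs (not from the lab): a trimmed "show run" per device.
SW2_CONFIG = """\
hostname SW2
vtp domain CCIE
vtp mode transparent
ip dhcp snooping
ip dhcp snooping vlan 17
ip arp inspection vlan 17
vlan access-map BLOCK_OSPF 10
 match ip address OSPF_ACL
 action drop
vlan access-map BLOCK_OSPF 20
 action forward
vlan filter BLOCK_OSPF vlan-list 17
interface FastEthernet0/19
 switchport mode trunk
 spanning-tree portfast
 spanning-tree guard root
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
"""

SW1_CONFIG = """\
hostname SW1
vtp domain ccie
vtp mode transparent
vtp version 2
interface FastEthernet0/19
 switchport mode trunk
"""

R3_CONFIG = """\
hostname R3
no ip cef
interface FastEthernet0/0
 ip address 19.19.38.3 255.255.255.0
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group the indented lines of each 'interface X' block under X."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # any other top-level line ends the interface block
    return blocks


def scan_config(config: str) -> List[str]:
    """Return one finding per injected-fault pattern present in a single device config."""
    m = re.search(r"^hostname (\S+)", config, re.M)
    name = m.group(1) if m else "?"
    top_level = [l for l in config.splitlines() if not l.startswith(" ")]
    findings: List[str] = []
    if "no ip cef" in top_level:
        findings.append(f"{name}: CEF disabled")
    for line in top_level:
        if line.startswith(("ip dhcp snooping", "ip arp inspection")):
            findings.append(f"{name}: {line}")
        elif line.startswith("vlan filter "):
            findings.append(f"{name}: VACL applied ({line})")
    for intf, lines in parse_interfaces(config).items():
        trunk = "switchport mode trunk" in lines
        if trunk and "spanning-tree portfast" in lines:
            findings.append(f"{name} {intf}: portfast on a trunk port")
        if trunk and "spanning-tree guard root" in lines:
            findings.append(f"{name} {intf}: root guard on a trunk port")
    return findings


def vtp_mismatch(configs: Dict[str, str]) -> List[str]:
    """Compare VTP domain (case sensitive), version and password across switches."""
    def attrs(cfg: str) -> Dict[str, str]:
        found = {"domain": None, "version": "1", "password": None}  # version 1 is the default
        for key in found:
            m = re.search(rf"^vtp {key} (\S+)", cfg, re.M)
            if m:
                found[key] = m.group(1)
        return found
    table = {host: attrs(cfg) for host, cfg in configs.items()}
    ref_host, ref = next(iter(table.items()))
    return [f"{host}: vtp {k} {v!r} differs from {ref_host} ({ref[k]!r})"
            for host, a in table.items() for k, v in a.items() if v != ref[k]]
```

Run scan_config() on every saved config and vtp_mismatch() on the set of switch configs; the first switch in the dictionary is used as the reference, so put the switch whose VTP settings you have already verified first.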

Task 1.2 Access Switch ports

Configure all of the appropriate non-trunking switch ports on SW1-SW4 according to the following
requirements:
VTP domain should be "CCIE" and password "cisco".
VTP mode on all switches should be configured to transparent mode.
Configure the VLAN ID and Name according to the table below (case sensitive).
Configure the access ports for each VLAN as per the diagram.

VLAN ID    VLAN NAME        Members
VLAN 17    VLAN_17          R1 fa0/0, SW2 SVI
VLAN 29    VLAN_29          R2 fa0/0, SW4 SVI
VLAN 34    VLAN_34          R3 fa0/1, R4 fa0/1
VLAN 38    VLAN_38          R3 fa0/0, SW3 SVI
VLAN 45    VLAN_45          R4 fa0/0, R5 fa0/1
VLAN 56    VLAN_56          R5 fa0/0, SW1 SVI
VLAN 67    VLAN_67          SW1 SVI, SW2 SVI
VLAN 89    VLAN_89          SW3 SVI, SW4 SVI
VLAN 100   VLAN_BB1         R1 fa0/1, BB1
VLAN 200   VLAN_BB2         R2 fa0/1, BB2
VLAN 300   VLAN_BB3         SW3 SVI, BB3
VLAN 333   VLAN_CUSTOMER
VLAN 500   VLAN_USER
VLAN 666   VLAN_CARRIER
VLAN 999   VLAN_NATIVE

! SW1, SW2, SW3, SW4
!
vtp version 2
vtp domain CCIE
vtp password cisco
vtp mode transparent
vlan 17
name VLAN_17
vlan 29
name VLAN_29
vlan 34
name VLAN_34
vlan 38
name VLAN_38
vlan 45
name VLAN_45
vlan 56
name VLAN_56
vlan 67
name VLAN_67
vlan 89
name VLAN_89
vlan 100
name VLAN_BB1
vlan 200
name VLAN_BB2
vlan 300
name VLAN_BB3
vlan 333
name VLAN_CUSTOMER
vlan 500
name VLAN_USER
vlan 666
name VLAN_CARRIER
vlan 999
name VLAN_NATIVE
exit

! SW1
!
int fa0/1
switchport access vlan 17
switchport mode access
int fa0/2
switchport access vlan 29
switchport mode access
int fa0/3
switchport access vlan 38
switchport mode access

int fa0/4
switchport access vlan 45
switchport mode access
int fa0/5
switchport access vlan 56
switchport mode access
int fa0/10
switchport access vlan 100
switchport mode access
! SW2
!
int fa0/1
switchport access vlan 100
switchport mode access
int fa0/2
switchport access vlan 200
switchport mode access
int fa0/3
switchport access vlan 34
switchport mode access
int fa0/4
switchport access vlan 34
switchport mode access
int fa0/5
switchport access vlan 45
switchport mode access
int fa0/10
switchport access vlan 200
switchport mode access
! SW3
!
int fa0/10
switchport access vlan 300
switchport mode access

! SW4
!
int fa0/10
switchport mode access
! SW1
!
int Vlan56
ip address YY.YY.56.6 255.255.255.0
int Vlan67
ip address YY.YY.67.6 255.255.255.0
! SW2
!
int Vlan17
ip address YY.YY.17.7 255.255.255.0
int Vlan67
ip address YY.YY.67.7 255.255.255.0
! SW3
!
int Vlan38
ip address YY.YY.38.8 255.255.255.0
int Vlan89
ip address YY.YY.89.8 255.255.255.0

int Vlan300
ip address 150.3.YY.1 255.255.255.0
! SW4
!
int Vlan29
ip address YY.YY.29.9 255.255.255.0
int Vlan89
ip address YY.YY.89.9 255.255.255.0

Task 1.3 Spanning Tree


Configure the switches according to the following requirement
Each of the following sets of VLANs must share a common spanning-tree topology:
Spanning-tree instance 1: all odd VLANS used throughout your exam
Spanning-tree instance 2: all even VLANS used throughout your exam
Spanning-tree instance 3: all other VLANs must be explicitly put in instance 3
Use domain name as "cisco"
Ensure that SW1 is the root switch for instance 1, root switch for the CIST, and backup root switch
for instance 2.
Ensure that SW2 is the root switch for instance 2, backup root switch for the CIST, and backup root
switch for instance 1.
Configure native VLAN to VLAN 999, ensure this VLAN is tagged.
All unused ports should be administratively shutdown and defined as access ports on VLAN 999.
Don't forget the 2 gigabit ethernet ports.


! SW1, SW2, SW3, SW4
!
vlan dot1q tag native
spanning-tree mode mst
spanning-tree mst configuration
name cisco
revision 1
! issue this first: map everything to instance 3, then carve instances 1 and 2 out of it
instance 3 vlan 1-4094
instance 1 vlan 17,29,45,67,89,333,999
instance 2 vlan 34,38,56,100,200,300,500,666
exit
! SW1
!
spanning-tree mst 0 priority 0
spanning-tree mst 1 priority 0
spanning-tree mst 2 priority 4096
! SW2
!
spanning-tree mst 0 priority 4096
spanning-tree mst 1 priority 4096
spanning-tree mst 2 priority 0
! SW1,SW2
! (select the unused ports)
int range fa0/6-9 , fa0/11-18 , gig0/1-2
switchport access vlan 999
switchport mode access
shutdown

! SW3,SW4
! (select the unused ports)
int range fa0/1-9 , fa0/11-18 , gig0/1-2
switchport access vlan 999
switchport mode access
shutdown

Verification:
SW1#sh spann mst configuration
Name      [cisco]
Revision  1     Instances configured 4
Instance  Vlans mapped
--------  -------------------------------------------------------------------
0         none
1         17,29,45,67,89,333,999
2         34,38,56,100,200,300,500,666
3         1-16,18-28,30-33,35-37,39-44,46-55,57-66,68-88,90-99,101-199
          201-299,301-332,334-499,501-665,667-998,1000-4094
-------------------------------------------------------------------------------

SW1#sh spann mst | i Root
Root          this switch for the CIST
Root          this switch for MST1
Root          address 001a.a181.3f00  priority      2     (0 sysid 2)
Po12          Root FWD 100000   128.144  P2p
Root          this switch for MST3

SW2#sh spann mst | i Root
Root          address 0015.2bf5.4b80  priority      0     (0 sysid 0)
Regional Root address 0015.2bf5.4b80  priority      0     (0 sysid 0)
Po12          Root FWD 100000   128.144  P2p
Root          address 0015.2bf5.4b80  priority      1     (0 sysid 1)
Po12          Root FWD 100000   128.144  P2p
Root          this switch for MST2
Root          address 0015.2bf5.4b80  priority      32771 (32768 sysid 3)
Po12          Root FWD 100000   128.144  P2p
Solution Breakdown:
- The MST region selects the CIST regional root as the switch with lowest IST (instance 0) Bridge ID.
Since there is only one MST Region (named "cisco") in the switching network and there are no
non-MST switches in the network, the CIST Regional root is also the CIST root.
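An added Python example, not from the original notes, that derives the Task 1.3 instance map from the Task 1.2 VLAN list, renders it in the range notation printed by "show spanning-tree mst configuration", and compares the region parameters of two switches. Name, revision and the complete VLAN-to-instance map must be identical on every switch, otherwise the switches split into separate MST regions and the CIST root reasoning above no longer holds; the SW3/SW4 output in Task 1.6 lists 335, 337 and 339 in instance 1, which the instance 1 line above does not, and the same_region() check below is the kind of test that catches such a difference. LAB_VLANS is taken from the Task 1.2 table.

```python
from typing import Dict, Iterable, List

# VLANs used in this lab, taken from the Task 1.2 table.
LAB_VLANS = [17, 29, 34, 38, 45, 56, 67, 89, 100, 200, 300, 333, 500, 666, 999]


def mst_instances(used: Iterable[int]) -> Dict[int, List[int]]:
    """Instance 1 = odd VLANs in use, 2 = even VLANs in use, 3 = every other VLAN ID."""
    used_set = set(used)
    if any(v < 1 or v > 4094 for v in used_set):
        raise ValueError("VLAN IDs must be in 1-4094")
    return {
        1: sorted(v for v in used_set if v % 2),
        2: sorted(v for v in used_set if not v % 2),
        3: [v for v in range(1, 4095) if v not in used_set],
    }


def ranges(vlans: List[int]) -> str:
    """Collapse a sorted VLAN list into IOS range syntax, e.g. [1,2,3,5] -> '1-3,5'."""
    out: List[str] = []
    start = prev = None
    for v in list(vlans) + [None]:  # None is a sentinel that flushes the last run
        if start is None:
            start = prev = v
        elif v is not None and v == prev + 1:
            prev = v
        else:
            out.append(str(start) if start == prev else f"{start}-{prev}")
            start = prev = v
    return ",".join(out)


def render_mst_config(name: str, revision: int, inst: Dict[int, List[int]]) -> str:
    """Emit the 'spanning-tree mst configuration' block using the carve-out trick from the notes."""
    return "\n".join([
        "spanning-tree mst configuration",
        f" name {name}",
        f" revision {revision}",
        " instance 3 vlan 1-4094",               # everything to instance 3 first ...
        f" instance 1 vlan {ranges(inst[1])}",   # ... then 1 and 2 take their VLANs out of it
        f" instance 2 vlan {ranges(inst[2])}",
    ])


def region_key(name: str, revision: int, inst: Dict[int, List[int]]):
    """The three values that must be identical for switches to share one MST region."""
    return name, revision, tuple((i, tuple(inst[i])) for i in sorted(inst))


def same_region(a, b) -> bool:
    """a and b are (name, revision, instance-map) tuples as collected from two switches."""
    return region_key(*a) == region_key(*b)
```

The instance 3 string produced by ranges() should match the "Vlans mapped" line for instance 3 in the SW1 output above character for character; if it does not, a VLAN is missing from or extra in one of the instance lines.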

Task 1.4 Trunking and Etherchannel

Refer to the diagram. Configure the dual trunk ports between SW1, SW2, SW3, SW4 according to the
following requirements:
Use encapsulation 802.1Q.
Disable DTP on the six distribution ports of each switch.
Configure an 802.3ad (LACP) 200 Mbps EtherChannel between SW1 and SW2.
SW2 should not actively start it.
EtherChannel load balancing should be accomplished by source and destination MAC address.
In the future, if more links (ports) are added to the bundle, make sure that interface Fa0/24 is
always chosen first for traffic flow on the channel on both SW1 and SW2.
! SW1, SW2, SW3, SW4
!
vlan dot1q tag native
int range fa0/19-24
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 999
switchport nonegotiate
! SW1
!
! load-balance is a global command, not an interface command
port-channel load-balance src-dst-mac
int range fa0/23 - 24
channel-group 12 mode active
int fa0/24
! lowest LACP port-priority value wins when LACP has to choose which links to bundle
lacp port-priority 1
! SW2
!
port-channel load-balance src-dst-mac
int range fa0/23 - 24
channel-group 12 mode passive
int fa0/24
lacp port-priority 1

Task 1.5 Frame-Relay

Use the following requirements to configure R1 and R2 for Frame Relay.
Use static Frame Relay maps with broadcast capability.
Do not use dynamic (Inverse ARP) mapping.
Do not change anything in the Frame Relay switch (R4).
Use RFC 1490/RFC 2427 encapsulation.
Use the DLCI assignments from the table below.
Use the IP addressing as documented in Diagram #1.
Set the administrative bandwidth to 50000 kbps on the interfaces.
R1 and R2 must be able to ping each other, and also their own interface address.

DLCI
R1 frame-relay interface   100
R2 frame-relay interface   200

! R4 (FRS)
! (Preconfigured. Use show commands to see it, e.g. show frame-relay route, show frame-relay lmi)
!
! R1
!
int se0/0/0
shut
bandwidth 50000
encapsulation frame-relay ietf
no frame-relay inverse-arp
! set the LMI type to match the preconfiguration of R4
frame-relay lmi-type ansi
ip address YY.YY.12.1 255.255.255.0
! map the local address too so the "ping self" requirement works; only the neighbor map needs broadcast
frame-relay map ip YY.YY.12.1 100
frame-relay map ip YY.YY.12.2 100 broadcast
no shut
! R2
!
int se0/0/0
shut
bandwidth 50000
encapsulation frame-relay ietf
no frame-relay inverse-arp
! set the LMI type to match the preconfiguration of R4
frame-relay lmi-type ansi
ip address YY.YY.12.2 255.255.255.0
frame-relay map ip YY.YY.12.2 200
frame-relay map ip YY.YY.12.1 200 broadcast
no shut

Task 1.6 802.1Q Tunneling (4pts)

A dot1q tunnel needs to be configured for SW3 and SW4 to establish a trunk link between their trunk
ports fa0/19.
Users connected to VLAN 333 on SW3 must be able to communicate with users connected to VLAN
333 on SW4 via their trunk interface fa0/19.
Use YY.YY.33.8/24 on SW3 and YY.YY.33.9/24 on SW4 for VLAN 333.
VLAN 333 must be allowed to flow only through SW3 and SW4 Fa0/19.
No other trunk links should allow VLAN 333.
SW1 and SW2 must carry the VLAN 333 data across the network using VLAN 666.
VLAN 666 is only allowed on SW1 and SW2.
Do not modify any spanning-tree cost or port-priority to achieve this task.
Referring to the exhibit below, SW3 must see SW4 as a CDP neighbor via interface Fa0/19 and must be
able to ping the SW4 VLAN 333 IP address.

! SW1,SW2
!
int range fa0/20-22
switchport trunk allowed vlan remove 333
int Po12
switchport trunk allowed vlan remove 333

! SW3,SW4
! (CPE)
!
int fa0/19
! only VLAN 333 is allowed on this trunk
switchport trunk allowed vlan 333
int range fa0/20-24
switchport trunk allowed vlan remove 333
! remove VLAN 666 from the CPE switches
no vlan 666
! SW1,SW2
! (SP switches)
!
! system mtu needs a reload; do this at the beginning of the lab
system mtu 1504
system mtu routing 1500
int fa0/19
switchport access vlan 666
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
l2protocol-tunnel vtp
! do not allow STP packets through the tunnel (this is the default; stated to make the intent explicit)
no l2protocol-tunnel stp
no cdp enable
! SW3
! (CPE)
!
int vlan 333
ip add YY.YY.33.8 255.255.255.0
! SW4
! (CPE)
!
int vlan 333
ip add YY.YY.33.9 255.255.255.0
Verification:
SW3#sh int fa0/19 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/19      on           802.1q         trunking      999

Port        Vlans allowed on trunk
Fa0/19      333

Port        Vlans allowed and active in management domain
Fa0/19      333

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/19      333

SW3#sh cdp ne fa0/19
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
SW4              Fas 0/19          141        R S I       WS-C3560- Fas 0/19

SW3#ping 19.19.33.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 19.19.33.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms

SW3#sh spann mst 1 int fa0/19

FastEthernet0/19 of MST1 is designated forwarding
Edge port: no             (default)        port guard : none        (default)
Link type: point-to-point (auto)           bpdu filter: disable     (default)
Boundary : internal                        bpdu guard : disable     (default)
Bpdus (MRecords) sent 6420, received 0

Instance Role Sts Cost      Prio.Nbr Vlans mapped
-------- ---- --- --------- -------- -------------------------------
1        Desg FWD 200000    128.21   17,29,45,67,89,333,335,337,339,999

SW4#sh spann mst 1 int fa0/19

FastEthernet0/19 of MST1 is designated forwarding
Edge port: no             (default)        port guard : none        (default)
Link type: point-to-point (auto)           bpdu filter: disable     (default)
Boundary : internal                        bpdu guard : disable     (default)
Bpdus (MRecords) sent 6419, received 0

Instance Role Sts Cost      Prio.Nbr Vlans mapped
-------- ---- --- --------- -------- -------------------------------
1        Desg FWD 200000    128.21   17,29,45,67,89,333,335,337,339,999

Solution Breakdown:
- The 802.1Q tunnel configuration itself is straightforward. The only thing that complicates this
task is MST. VLAN 333 is part of MST instance 1, which shares a common spanning-tree topology. SW1 is
the root for instance 1, so SW3 and SW4 fa0/19 would be blocking for instance 1.
- The solution is to take spanning tree off SW3's and SW4's trunk link fa0/19 by not tunneling
STP packets through SW1 and SW2. Since no BPDUs are exchanged across this trunk ("received 0" above), it is
not part of the MST computation and is simply marked designated and forwarding on both ends. There is no
loop risk here because this trunk carries only VLAN 333, and VLAN 333 is removed from every other trunk.

Task 1.7 PPPoE

Configure R3 as the PPPoE server and R4 as the PPPoE client.
Ensure R4 always gets the same IP address, YY.YY.34.4, from the server.
You are not allowed to use DHCP.
Avoid unnecessary fragmentation on the PPPoE link.
The link must be up even when there is no interesting traffic.
R4 must authenticate with the server (R3) using CHAP.
Use the device's host name as the CHAP username and CISCO as the password.

! R3 (PPPoE Server)
!
bba-group pppoe BBA_34
virtual-template 1
interface Virtual-Template1
! use "ip unnumbered fa0/1" if fa0/1 is preconfigured with an IP address; otherwise put the IP here
ip unnumbered fa0/1
! 1500 minus the 8 bytes of PPPoE (6) plus PPP protocol field (2) overhead
mtu 1492
peer default ip address pool POOL_R4_IP
ppp authentication chap
! a one-address pool pins R4 to YY.YY.34.4 without using DHCP
ip local pool POOL_R4_IP YY.YY.34.4
username RackYYR4 password 0 CISCO
int fa0/1
pppoe enable group BBA_34
! R4 (PPPoE Client)
!
interface Dialer1
ip address negotiated
! to avoid fragmentation the MTU must allow for the additional 8 bytes of PPPoE/PPP header
mtu 1492
encapsulation ppp
dialer pool 34
! keep the dialer interface connected at all times, even without interesting traffic
dialer persistent
dialer idle-timeout 0
! the router's hostname (RackYYR4) is used as the CHAP username by default
ppp chap password 0 CISCO
int fa0/1
pppoe enable
pppoe-client dial-pool-number 34

II. L3
Before beginning L3 section:
! All Routers
!
ip subnet-zero
ip classless
ip routing
ip cef
! All Switches that will do routing
!
ip subnet-zero
ip classless
ip routing
ip cef distributed

Section 2 Intro:
After finishing each of the following questions, make sure that all configured interfaces and
subnets are consistently visible on all pertinent routers and switches.
The backbone interfaces must be reachable only if they are part of the solution to a question.
You need to ping a BGP route only if a question explicitly states it. Otherwise,
the route should only be in the BGP table.
Do not redistribute between any interior gateway protocol (IGP) and Border Gateway Protocol
(BGP) unless explicitly required.
The loopback interfaces must be seen as host routes (/32) in the routing tables unless stated
otherwise in a question.
At the end of this section, all Loopback0 subnets must be reachable from R3 using PING.

Task 2.1 OSPF

Configure OSPF areas 0, 1 and 2 as per the IGP topology diagram and the following requirements:
The OSPF process ID can be any number.
The OSPF router IDs must be stable and must be configured using the IP address of interface
Loopback0.
Loopback0 interfaces should be advertised in the relevant OSPF area as shown in the IGP topology
diagram and must appear as /32 host routes.
Updates should be advertised only out of the interfaces that are indicated in the IGP topology
diagram.
Ensure that an OSPF adjacency is established between R1 and R2 without changing the frame-relay interface network type.
Ensure that R4 can still reach all OSPF networks via R3 in case R1 or R5 goes down.
Do not create additional OSPF areas.
Do not use any IP address not listed in the diagram.
NOTE

SW1, SW2, R1, R5 Loopback0 in area 0. R2, R3 Loopback0 in area 1. R4 Loopback0 in area 2.

! R1
!
router ospf 4
router-id YY.YY.1.1
network YY.YY.1.1 0.0.0.0 area 0
network YY.YY.15.1 0.0.0.0 area 0
network YY.YY.17.1 0.0.0.0 area 0
network 150.1.YY.1 0.0.0.0 area 0
network YY.YY.12.1 0.0.0.0 area 1
! the frame-relay physical interface is OSPF network type non-broadcast (the task forbids changing it),
! so the neighbor has to be defined statically
neighbor YY.YY.12.2
area 1 virtual-link YY.YY.3.3
! R2
!
router ospf 4
router-id YY.YY.2.2
network 150.2.YY.1 0.0.0.0 area 1
network YY.YY.23.2 0.0.0.0 area 1
network YY.YY.12.2 0.0.0.0 area 1

neighbor YY.YY.12.1
! R3
!
router ospf 4
router-id YY.YY.3.3
network YY.YY.23.3 0.0.0.0 area 1
network YY.YY.35.3 0.0.0.0 area 1
network YY.YY.34.3 0.0.0.0 area 2
area 1 virtual-link YY.YY.1.1
area 1 virtual-link YY.YY.5.5
! R4
!
router ospf 4
router-id YY.YY.4.4
network YY.YY.4.4 0.0.0.0 area 2
network YY.YY.34.4 0.0.0.0 area 2
! the OSPF task says "Only advertise updates out of the interfaces specified in the diagram"
passive-interface fa0/0
! advertise prefix YY.YY.45.0/24 in area 2 to satisfy full reachability. Redistribution is not an option
! because it would put external OSPF routes into the R2 and R3 routing tables, which another task forbids.
network YY.YY.45.4 0.0.0.0 area 2
! R5
!
router ospf 4
router-id YY.YY.5.5
network YY.YY.5.5 0.0.0.0 area 0
network YY.YY.15.5 0.0.0.0 area 0
network YY.YY.56.5 0.0.0.0 area 0
network YY.YY.35.5 0.0.0.0 area 1
area 1 virtual-link YY.YY.3.3
! SW1
!
router ospf 4
router-id YY.YY.6.6
network YY.YY.6.6 0.0.0.0 area 0
network YY.YY.56.6 0.0.0.0 area 0
network YY.YY.67.6 0.0.0.0 area 0
! SW2
!
router ospf 4
router-id YY.YY.7.7
network YY.YY.7.7 0.0.0.0 area 0
network YY.YY.17.7 0.0.0.0 area 0
network YY.YY.67.7 0.0.0.0 area 0

Task 2.2 EIGRP

Configure EIGRP 100 and EIGRP YY per the topology diagram:
Backbone 3 has the IP address 150.3.YY.254 and is using AS number 100.
EIGRP updates should be advertised only out of the interfaces per the topology diagram.
On SW3 redistribute from EIGRP 100 into EIGRP YY.
Do not use auto-summarization for any EIGRP process.

! R2
!
router eigrp YY
no auto-summary
network YY.YY.29.2 0.0.0.0
! R3
!
router eigrp YY
no auto-summary
network YY.YY.38.3 0.0.0.0
! SW4
!
router eigrp YY
no auto-summary
network YY.YY.89.9 0.0.0.0
network YY.YY.9.9 0.0.0.0
network YY.YY.29.9 0.0.0.0
! SW3
!
router eigrp 100
no auto-summary
network 150.3.YY.1 0.0.0.0
router eigrp YY
no auto-summary
network YY.YY.89.8 0.0.0.0
network YY.YY.38.8 0.0.0.0
network YY.YY.8.8 0.0.0.0
redistribute eigrp 100

Task 2.3 RIPv2

Configure RIPv2 per the IGP topology diagram:
RIP updates must be advertised only out of the interfaces per the IGP topology diagram.
Disable auto-summarization in the RIP domain.
Redistribute OSPF into RIP on R5.
Ensure that R4 reaches SW1 Loopback0 via R5, but that all other routes go through R3.

NOTE

Configure RIPv2 Authentication task on Advanced Services section after this.

! R4
!
router rip
version 2
no auto-summary
passive-interface default
no passive-interface fa0/0
network YY.0.0.0
! prefer the RIP route from R5 only for SW1 Loopback0 (AD 109 beats OSPF's 110)
distance 109 YY.YY.45.5 0.0.0.0 SACL_SW1_LOOP0
ip access-list standard SACL_SW1_LOOP0
permit YY.YY.6.6
! R5
!
router rip
version 2
no auto-summary
passive-interface default
no passive-interface fa0/1
network YY.0.0.0
redistribute ospf 4 metric 5
Additional Configuration:
- If the lab guidelines say "Host routes should not be seen in device routing tables other than
Loopback0 prefixes", then add the following configuration (PPP IPCP installs /32 host routes for the
peer address on the R3-R4 PPPoE link). Otherwise, it does no harm to do this.
! R4
!
router rip
distribute-list prefix PL_R3 out fa0/0
ip prefix-list PL_R3 seq 5 deny YY.YY.34.3/32
ip prefix-list PL_R3 seq 10 deny YY.YY.34.4/32
ip prefix-list PL_R3 seq 15 permit 0.0.0.0/0 le 32

! R3
!
router ospf 4
area 2 filter-list prefix PL_R4 out
ip prefix-list PL_R4 seq 5 deny YY.YY.34.4/32
ip prefix-list PL_R4 seq 10 permit 0.0.0.0/0 le 32
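Prefix-list semantics are easy to get wrong (first match by sequence number, exact length unless ge/le is given, implicit deny at the end). The following Python example is added here and is not from the original notes: it models those rules and checks PL_R3 and PL_R4 against candidate routes with YY = 19. The prefix-list text and the candidate routes are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Transcribed from the PL_R3 / PL_R4 block above with YY = 19 (constructed for the example).
PL_CONFIG = """\
ip prefix-list PL_R3 seq 5 deny 19.19.34.3/32
ip prefix-list PL_R3 seq 10 deny 19.19.34.4/32
ip prefix-list PL_R3 seq 15 permit 0.0.0.0/0 le 32
ip prefix-list PL_R4 seq 5 deny 19.19.34.4/32
ip prefix-list PL_R4 seq 10 permit 0.0.0.0/0 le 32
"""


class Entry:
    """One 'seq N permit|deny PREFIX [ge G] [le L]' line."""

    def __init__(self, seq: int, action: str, prefix: str,
                 ge: Optional[int] = None, le: Optional[int] = None):
        self.seq, self.action = seq, action
        self.net = ipaddress.ip_network(prefix, strict=False)
        self.ge, self.le = ge, le

    def matches(self, route) -> bool:
        """IOS semantics: the route must lie inside the entry prefix, and its length must be
        exactly the entry length when no ge/le is given, otherwise within [ge|len, le|max]."""
        if route.version != self.net.version or not route.subnet_of(self.net):
            return False
        n = self.net.prefixlen
        lo = self.ge if self.ge is not None else n
        if self.le is not None:
            hi = self.le
        else:
            hi = route.max_prefixlen if self.ge is not None else n
        return lo <= route.prefixlen <= hi


def evaluate(plist: List[Entry], prefix: str) -> Tuple[str, Optional[int]]:
    """First matching entry in sequence order wins; no match is an implicit deny."""
    route = ipaddress.ip_network(prefix, strict=False)
    for e in sorted(plist, key=lambda e: e.seq):
        if e.matches(route):
            return e.action, e.seq
    return "deny", None


def parse_prefix_list(text: str) -> Dict[str, List[Entry]]:
    """Parse 'ip prefix-list NAME seq N permit|deny PREFIX [ge G] [le L]' lines into lists."""
    lists: Dict[str, List[Entry]] = {}
    for line in text.splitlines():
        p = line.split()
        if len(p) < 7 or p[:2] != ["ip", "prefix-list"] or p[3] != "seq":
            continue
        opts = dict(zip(p[7::2], map(int, p[8::2])))  # optional "ge G" / "le L" pairs
        lists.setdefault(p[2], []).append(
            Entry(int(p[4]), p[5], p[6], opts.get("ge"), opts.get("le")))
    return lists
```

The "permit 0.0.0.0/0 le 32" entry is the usual "permit anything else" tail; without it, or with a plain "permit 0.0.0.0/0" (which matches only the default route itself), every other prefix falls through to the implicit deny and RIP stops advertising everything out of fa0/0.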

Task 2.4 Redistribution between OSPF and EIGRP


Redistribute mutually between OSPF and EIGRP YY on R2 and R3 according to the following
requirements:
The only EIGRP External routes seen on R2 and R3 must be the EIGRP 100 routes and backbone 3
prefix connected to SW3.
On R2 and R3 ensure that all prefixes learned from OSPF should be seen as OSPF routes and that
the prefixes learned from EIGRP 100 should be seen as EIGRP External Route (D EX).
Ensure Optimal routing on R2 and R3.
No default route should be seen in your network .
Ensure that your solution considers that in the future, prefixes might be injected by BB3. You are
not allowed to use any access-lists, prefix-lists or AD manipulation to accomplish this requirement.
Do not use administrative tags on SW3.
! R1-R5,SW1-SW4
! (watch for route churn while the redistribution is applied)
#debug ip routing
! R2,R3
!
route-map RM_EIGRP_TO_OSPF permit 10
match route-type external
match source-protocol eigrp 100
set tag 5100
route-map RM_EIGRP_TO_OSPF permit 2000
route-map RM_OSPF_DL_IN deny 10
match route-type external
match tag 5100
route-map RM_OSPF_DL_IN permit 2000
route-map RM_EIGRP_DL_IN permit 10
match route-type external
match source-protocol eigrp 100
route-map RM_EIGRP_DL_IN permit 20
match route-type internal

router eigrp YY
distribute-list route-map RM_EIGRP_DL_IN in
redistribute ospf 4 metric 1 1 1 1 1
router ospf 4
! do not allow the EIGRP 100 routes (tagged 5100) to be learned back from OSPF peers: they would have
! AD 110, beat the EIGRP external routes (AD 170) and cause a control-plane loop
distribute-list route-map RM_OSPF_DL_IN in
redistribute eigrp YY subnets route-map RM_EIGRP_TO_OSPF

Task 2.5 IPv4 iBGP

Configure iBGP between R1, R2, R3, R4 and R5 according to the following requirements:
Where possible, failure of a physical interface should not permanently affect BGP peer
connections.
Use only the Loopback0 IP addresses to propagate BGP route information within your BGP
domain.
Configure R3 as route reflector. Minimize the number of BGP peering sessions among all BGP
speakers in AS YY.
You are not allowed to use BGP peer groups.
! R1,R2,R4,R5
!
router bgp YY
bgp router-id YY.YY.X.X
neighbor YY.YY.3.3 remote-as YY
neighbor YY.YY.3.3 update-source Loopback0
neighbor YY.YY.3.3 send-community

! R3
!
router bgp YY
bgp router-id YY.YY.3.3
neighbor YY.YY.1.1 remote-as YY
neighbor YY.YY.1.1 update-source Loopback0
neighbor YY.YY.1.1 route-reflector-client
neighbor YY.YY.1.1 send-community
neighbor YY.YY.2.2 remote-as YY
neighbor YY.YY.2.2 update-source Loopback0
neighbor YY.YY.2.2 route-reflector-client
neighbor YY.YY.2.2 send-community
neighbor YY.YY.4.4 remote-as YY
neighbor YY.YY.4.4 update-source Loopback0
neighbor YY.YY.4.4 route-reflector-client
neighbor YY.YY.4.4 send-community
neighbor YY.YY.5.5 remote-as YY
neighbor YY.YY.5.5 update-source Loopback0
neighbor YY.YY.5.5 route-reflector-client
neighbor YY.YY.5.5 send-community

Task 2.6 IPv4 eBGP

Configure eBGP on R1 and R2 according to the following requirements:
R1 eBGP peers with the router 150.1.YY.254 on Backbone 1, AS 254.
R2 eBGP peers with the router 150.2.YY.254 on Backbone 2, AS 254.
R1 and R2 should have the capability to signal the End-of-RIB marker (graceful restart).
Do not change the BGP next-hop on R1 and R2.
A maximum of 5 prefixes is allowed; exceeding it should only generate a message.
NOTE

R1 receives routes with as-path 253 254.
R2 receives routes with as-path 254.

! R1
!
router bgp YY
neighbor 150.1.YY.254 remote-as 254
neighbor 150.1.YY.254 send-community
! do not forget that the threshold must be "100"! (log only when the limit is actually reached);
! warning-only keeps the session up instead of tearing it down
neighbor 150.1.YY.254 maximum-prefix 5 100 warning-only

! R2
!
router bgp YY
neighbor 150.2.YY.254 remote-as 254
neighbor 150.2.YY.254 send-community
neighbor 150.2.YY.254 maximum-prefix 5 100 warning-only
! R1,R2
!
router bgp YY
bgp graceful-restart
! the graceful-restart capability is negotiated when the session opens, so the sessions must be reset
#clear ip bgp *

Task 2.7 Advanced BGP (5pts)

Configure BGP path selection according to the following requirements:
Redistribute OSPF into BGP on R1 and R2.
R1 should prefer the path pointing to BB1 (AS 254). The BGP attribute used for best-path selection has to
be the "Internal vs External" criterion.
R3 should prefer the path through R1 to BB1 for reaching AS 254. This configuration should not
affect any other routers in AS YY.
R4 should prefer R1 as the exit point for reaching AS 254.
R4 should SUCCESSFULLY ping the prefix 197.68.1.254, a network learned from BGP AS 254.
You are allowed to change the OSPF cost of only one interface.
You are not allowed to change BGP attributes such as Weight, AS-Path or Local Preference on R4
and R5 to accomplish this task.
Solution Option 1:
! R1,R2
!
router bgp YY
redistribute ospf 4 match internal external
! R1
!
router bgp YY
bgp bestpath as-path ignore
! R3
!
router bgp YY
neighbor YY.YY.1.1 route-map RM_BGP_R1_IN in
route-map RM_BGP_R1_IN permit 10
match as-path 1
set weight 500
route-map RM_BGP_R1_IN permit 2000
ip as-path access-list 1 permit ^254_
! R5
!
int se0/0/0
ip ospf cost 1
Solution Option 2:
- I chose this solution because it accomplishes the same thing without using a hidden command.
! R1,R2
!
router bgp YY
redistribute ospf 4 match internal external
! R2
!
router bgp YY
neighbor 150.2.YY.254 route-map RM_BGP_BB2_IN in
route-map RM_BGP_BB2_IN permit 10
set as-path prepend 254
! R3
!
router bgp YY
neighbor YY.YY.1.1 route-map RM_BGP_R1_IN in
route-map RM_BGP_R1_IN permit 10
match as-path 1
set weight 500
route-map RM_BGP_R1_IN permit 2000
ip as-path access-list 1 permit ^254_
! R5
!
int se0/0/0
ip ospf cost 1
#show ip bgp reg 254
R4#ping 197.68.1.254

Solution Breakdown:
Do not overthink this task. The phrase "This configuration should not affect any other routers in AS
YY" only implies that the BGP attributes of the other AS YY speakers must not be changed, which is exactly
what "weight" gives us: it is local to the router and is never advertised. The phrase does not mean that
the "best path of other routers in AS YY shouldn't be affected"; that is simply impossible. R3 is a route
reflector, so whatever best path it chooses is what it reflects, and R4's and R5's best paths will be affected.
Another thing: in the BGP diagram of the lab, R3 is labeled as the only RR. Do not think
of multiple-RR solutions and the like.
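The as-path access-list "^254_" relies on the IOS meaning of "_", which is not a standard regex character. The following Python example is added here and is not from the original notes: it translates IOS as-path patterns into Python regexes and evaluates an as-path access-list against constructed A​S paths; r3_inbound_weight() is a hypothetical helper name for the effect of RM_BGP_R1_IN. Note that "^254_" requires 254 to be the first (directly peered) AS in the path, so a path displayed as "253 254" would not match it, while "_254$" would.

```python
import re
from typing import List, Tuple

# In IOS as-path regexes '_' is a delimiter class: start or end of the path, a space,
# a comma, or a brace/parenthesis from AS_SET and confederation segments.
_DELIM = r"(?:^|$|[ ,{}()])"


def ios_aspath_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an IOS as-path regex into an equivalent Python regex."""
    return re.compile(pattern.replace("_", _DELIM))


def aspath_acl(rules: List[Tuple[str, str]], as_path: str) -> str:
    """Evaluate an 'ip as-path access-list' (ordered permit/deny rules, implicit deny at the end).
    IOS matches unanchored, like re.search, unless the pattern itself uses ^ or $."""
    for action, pattern in rules:
        if ios_aspath_regex(pattern).search(as_path):
            return action
    return "deny"


# The R3 inbound policy from the notes: as-path list 1 is "permit ^254_".
AS_PATH_LIST_1 = [("permit", "^254_")]


def r3_inbound_weight(as_path: str) -> int:
    """RM_BGP_R1_IN: weight 500 for paths list 1 permits, otherwise the default weight (0)
    that a received path carries (hypothetical helper, not an IOS command)."""
    return 500 if aspath_acl(AS_PATH_LIST_1, as_path) == "permit" else 0
```

Use "show ip bgp regexp ^254_" on R3 to confirm which paths the list actually matches before trusting the weight; the same delimiter rule explains why "^254_" does not match AS 2541.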

Task 2.8 IPv6 addressing


The administrator has started to configure Global unicast IPv6 addresses in your network according to
the Diagram 3 IPv6 Routing:
Configure Global unicast IP's on every interface on R1, R5, SW1 and SW2
Ensure that all routers and switches can ping each other using IPv6
Configure IPv6 address Number as follow
YY - Rack number
HH - interface ipv4 3rd octet
ZZ - interface ipv4 4th octet
Interfaces - 2001:YY:HH::ZZ/64
Loopbacks - 2001:YY:HH::ZZ/128

Task 2.9 OSPFv3 Routing

Continue configuring IPv6 OSPFv3 according to the diagram and the following requirements:
The process ID has to be 2001.
OSPFv3 router IDs must be stable and identical to the OSPFv2 router IDs.
Do not create any additional OSPFv3 areas.
Ensure that periodic Router Advertisements are disabled on the IPv6-enabled interfaces.
Ensure that all IPv6 networks on all routers and switches can ping each other using IPv6.
Secure the serial link between R1 and R5 using a single command. Use the authentication type
with MD5 key string "1234567890abcdef1234567890abcdef".
Make sure the routers use the Cisco proprietary forwarding mechanism (CEF).
! SW1,SW2
!
! do this at the beginning of the lab, then reload
sdm prefer dual-ipv4-and-ipv6 default
ipv6 unicast-routing
ipv6 cef dist
! R1,R5
!
ipv6 unicast-routing
ipv6 cef
! R1
!
ipv6 router ospf 2001
router-id YY.YY.1.1
int Lo0
ipv6 address 2001:YY:1::1/128
ipv6 ospf 2001 area 0
int fa0/0
ipv6 address 2001:YY:17::1/64
ipv6 ospf 2001 area 0
ipv6 nd ra suppress
int se0/0/1
ipv6 address 2001:YY:15::1/64
ipv6 ospf 2001 area 0
ipv6 nd ra suppress
! the MD5 key must be exactly 32 hex characters (128 bits); SPI and key must match on both ends of the link
ipv6 ospf authentication ipsec spi 512 md5 1234567890abcdef1234567890abcdef
! R5
!
ipv6 router ospf 2001
router-id YY.YY.5.5
int Lo0
ipv6 address 2001:YY:5::5/128
ipv6 ospf 2001 area 0
int fa0/0
ipv6 address 2001:YY:56::5/64
ipv6 ospf 2001 area 0
ipv6 nd ra suppress
int se0/0/0
ipv6 address 2001:YY:15::5/64
ipv6 ospf 2001 area 0
ipv6 nd ra suppress
ipv6 ospf authentication ipsec spi 512 md5 1234567890abcdef1234567890abcdef

! SW1
!
ipv6 router ospf 2001
router-id YY.YY.6.6
int Lo0
ipv6 address 2001:YY:6::6/128
ipv6 ospf 2001 area 0
int Vlan56
ipv6 address 2001:YY:56::6/64
ipv6 ospf 2001 area 0
ipv6 nd ra suppress
int Vlan67
ipv6 address 2001:YY:67::6/64
ipv6 ospf 2001 area 0
ipv6 nd ra suppress
! SW2
!
ipv6 router ospf 2001
router-id YY.YY.7.7
int Lo0
ipv6 address 2001:YY:7::7/128
ipv6 ospf 2001 area 0
int Vlan17
ipv6 address 2001:YY:17::7/64
ipv6 ospf 2001 area 0
ipv6 nd ra suppress
int Vlan67
ipv6 address 2001:YY:67::7/64
ipv6 ospf 2001 area 0
ipv6 nd ra suppress

III. Multicast
Before beginning:
- check what is pre-configured !
#show run | inc pim|multicast|igmp|mroute
#show ip pim int

Task 3.1 IPv4 Multicast (1)


Configure IPv4 Multicast Routing between R3 Serial 0/0/0 and R5 Serial 0/0/1 according to the following
requirements:
Do not use any RP.
Interface Loopback0 of R3 simulates a video server and R5 fa0/0 simulates a client.
Ensure that unnecessary flooding & pruning does not occur.
! R3
!
ip multicast-routing
ip pim ssm range SACL_SSM
ip access-list standard SACL_SSM
permit 225.1.1.1
permit 225.1.1.3
permit 225.1.1.2
interface loopback 0
ip pim sparse-mode
int serial 0/0/0
ip pim sparse-mode
! R5
!
ip multicast-routing
ip pim ssm range SACL_SSM
ip access-list standard SACL_SSM
permit 225.1.1.1
permit 225.1.1.3
permit 225.1.1.2
int se0/0/1
ip pim sparse-mode
interface fa0/0
ip pim sparse-mode
ip igmp version 3
ip igmp join-group 225.1.1.1 source YY.YY.3.3
Solution Breakdown:
"Ensure that unnecessary flooding & pruning does not occur"
- we can't use Dense mode.
"Do not use any RP."
- we need PIM-SSM on both R3 and R5.

Task 3.2 IPv4 Multicast (2)


Simulated multicast traffic is sourced from R3 Loopback0 and the receiver is R5 fa0/0, using group
225.1.1.1.
Ensure that only R3 Lo0 (YY.YY.3.3) is allowed to send multicast to 225.1.1.1.
Other users on R5 are planning to join 225.1.1.2 and 225.1.1.3 in the near future.
These users will use IGMPv2.
Ensure that these users can only access the two multicast streams (only for a given source).
Do not use DNS query for mapping the source.
! R5
!
ip access-list extended EACL_IGMP_FA0/0
permit igmp host YY.YY.3.3 host 225.1.1.1
! allow source YY.YY.3.3 for SSM group 225.1.1.1 in IGMPv3 reports
deny igmp any host 225.1.1.1
! deny all other sources for SSM group 225.1.1.1 in IGMPv3 reports
permit igmp any any
! permit all other states
int fa0/0
ip igmp access-group EACL_IGMP_FA0/0
! filter ingress IGMP reports
access-list 15 permit 225.1.1.2
access-list 15 permit 225.1.1.3
ip igmp ssm-map enable
! Enables SSM mapping for groups in the configured SSM range. This provides an SSM
! transition solution for receivers that only support IGMPv1 or IGMPv2.
! Note: by default, this command enables DNS-based SSM mapping.
no ip igmp ssm-map query dns
! disable DNS-based SSM mapping and rely solely on static SSM mapping
ip igmp ssm-map static 15 YY.YY.3.3
! enables static SSM mapping.
! When R5 receives an IGMPv2 membership report for a multicast group G, it checks ACL 15.
! If G is matched in ACL 15, it is statically mapped to the multicast source YY.YY.3.3.
! The host/receiver is then able to join the (YY.YY.3.3,G) multicast channel.

Solution Breakdown:
- SSM mapping is needed only on the router connecting to the receivers. No support is needed on
any other router in the network. SSM mapping can be configured only globally and cannot be
configured per interface.
- An IGMP access-group on R5 fa0/0 is needed. This prevents multicast clients connected to fa0/0
from sending IGMPv3 reports for group 225.1.1.1 with a source other than YY.YY.3.3.
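As an added example (not from the workbook), the following Python model shows what R5 fa0/0 does with an IGMP report under the Task 3.2 configuration: the IGMPv3 (S,G) filter of EACL_IGMP_FA0/0 and the static SSM mapping of IGMPv2 group reports through ACL 15. It assumes rack number YY=19 (so R3 Lo0 is 19.19.3.3), that the access-group is checked before SSM mapping, and that an IGMPv2 report carries no source and so matches only "any" source entries.

```python
# Added example: IGMP report handling on R5 fa0/0 under Task 3.2.
# Assumptions: YY=19; access-group is checked before SSM mapping.
SOURCE_R3 = "19.19.3.3"                              # YY.YY.3.3 with YY=19
SSM_RANGE = {"225.1.1.1", "225.1.1.2", "225.1.1.3"}  # ip pim ssm range SACL_SSM
SSM_MAP_GROUPS = {"225.1.1.2", "225.1.1.3"}          # access-list 15

# EACL_IGMP_FA0/0 as (action, source, group); None stands for "any"
EACL_IGMP_FA00 = [
    ("permit", SOURCE_R3, "225.1.1.1"),
    ("deny", None, "225.1.1.1"),
    ("permit", None, None),
]


def igmp_access_group(source, group):
    """First-match check of one (S,G) record against the extended ACL.
    The implicit deny at the end of the ACL drops anything unmatched."""
    for action, acl_src, acl_grp in EACL_IGMP_FA00:
        src_ok = acl_src is None or acl_src == source
        grp_ok = acl_grp is None or acl_grp == group
        if src_ok and grp_ok:
            return action == "permit"
    return False


def handle_report(version, group, source=None):
    """Return the join R5 installs for one IGMP report on fa0/0:
    (S, G) for an SSM channel, ("*", G) for ASM, None if filtered."""
    if version == 3 and source is not None:
        # IGMPv3 INCLUDE(S,G) record: only the access-group applies
        return (source, group) if igmp_access_group(source, group) else None
    # IGMPv2 report: no source, so "host YY.YY.3.3" entries can never match
    if not igmp_access_group(None, group):
        return None
    if group in SSM_RANGE:
        # a (*,G) join is invalid in the SSM range unless SSM mapping supplies S
        if group in SSM_MAP_GROUPS:
            return (SOURCE_R3, group)  # ip igmp ssm-map static 15 YY.YY.3.3
        return None
    return ("*", group)


if __name__ == "__main__":
    # constructed reports: (version, group, source)
    reports = [(3, "225.1.1.1", "19.19.3.3"), (3, "225.1.1.1", "10.0.0.9"),
               (2, "225.1.1.2", None), (2, "225.1.1.1", None), (2, "239.9.9.9", None)]
    for ver, grp, src in reports:
        print(f"IGMPv{ver} {grp} {src or '-'} -> {handle_report(ver, grp, src)}")
```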


IV. Advanced Services


Task 4.1 Time-based ACL
Configure on SW1 and SW2. Users under VLAN 500 should be restricted by the following requirements:
Users are NOT allowed to access any remote Web server during office hours (9:00 to 16:59,
Monday to Friday).
Users are allowed to access any remote FTP server for backup every night (22:00 to 23:59).
Users are allowed to access any remote Application Server using UDP outside office hours (17:00
to 8:59, every day).
Network control traffic can pass all the time (use specific ACL entries including Layer 4 protocol
info as clear as possible, including the destination address and destination port).
Source IP in all ACL entries must be explicitly configured as YY.YY.100.0/24. This IP subnet is
assigned to VLAN 500.
Make sure IGP is not running in this subnet.
NOTE

Better to do the HSRP task first!

! SW1,SW2
!
time-range TR_OFFICE_WEEKDAYS
periodic weekdays 9:00 to 16:59
time-range TR_NIGHT
periodic daily 22:00 to 23:59
time-range TR_OFFICE_DAILY
periodic daily 9:00 to 16:59
ip access-list extended EACL_VLAN500_IN
permit udp YY.YY.100.0 0.0.0.255 eq 1985 host 224.0.0.2 eq 1985
deny tcp YY.YY.100.0 0.0.0.255 any eq www time-range TR_OFFICE_WEEKDAYS
permit tcp YY.YY.100.0 0.0.0.255 any eq www
permit tcp YY.YY.100.0 0.0.0.255 any eq ftp time-range TR_NIGHT
permit tcp YY.YY.100.0 0.0.0.255 any eq ftp-data established time-range TR_NIGHT
permit tcp YY.YY.100.0 0.0.0.255 any gt 1023 time-range TR_NIGHT
deny udp YY.YY.100.0 0.0.0.255 any time-range TR_OFFICE_DAILY
permit udp YY.YY.100.0 0.0.0.255 any
int vlan 500
ip access-group EACL_VLAN500_IN in

! Do not forget NTP!


!
! SW1
!
ntp peer YY.YY.7.7 source Loopback0
ntp server YY.YY.1.1 source Loopback0
! SW2
!
ntp peer YY.YY.6.6 source Loopback0
ntp server YY.YY.1.1 source Loopback0
! R1
!
ntp source Loopback0
ntp master 5
ntp update-calendar
clock calendar-valid

Solution Breakdown:
- Don't forget NTP! At the end of the lab, check that SW1 and SW2 are synchronized with R1 and with
each other.
- Be careful in the lab exam. Time ranges and task wordings may differ slightly.
- Since the task doesn't explicitly mention the FTP type, we should consider both active and passive FTP.
- Remember that HSRP uses UDP port 1985 both as source and destination.
- If the HSRP task uses version 2 then use this ACL entry:
permit udp YY.YY.100.0 0.0.0.255 eq 1985 host 224.0.0.102 eq 1985
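As an added example (not from the workbook), here is a first-match evaluator for EACL_VLAN500_IN and its three time ranges, so each requirement of Task 4.1 can be checked against a constructed packet and clock value; it also shows that an entry whose time-range is inactive is skipped as if it were absent. It assumes rack number YY=19 (VLAN 500 subnet 19.19.100.0/24); the packets and timestamps are constructed.

```python
# Added example: first-match evaluator for EACL_VLAN500_IN with its time ranges (YY=19 assumed).
from datetime import datetime, time
from ipaddress import ip_address, ip_network

VLAN500 = ip_network("19.19.100.0/24")  # YY.YY.100.0/24 with YY=19
ANY = ip_network("0.0.0.0/0")

TIME_RANGES = {  # name: (weekday numbers, first minute, last minute), inclusive
    "TR_OFFICE_WEEKDAYS": (range(0, 5), time(9, 0), time(16, 59)),
    "TR_NIGHT": (range(0, 7), time(22, 0), time(23, 59)),
    "TR_OFFICE_DAILY": (range(0, 7), time(9, 0), time(16, 59)),
}

# ACL entries: (action, proto, sport cond, dst net, dport cond, established, time-range)
EACL_VLAN500_IN = [
    ("permit", "udp", ("eq", 1985), ip_network("224.0.0.2/32"), ("eq", 1985), False, None),
    ("deny", "tcp", None, ANY, ("eq", 80), False, "TR_OFFICE_WEEKDAYS"),
    ("permit", "tcp", None, ANY, ("eq", 80), False, None),
    ("permit", "tcp", None, ANY, ("eq", 21), False, "TR_NIGHT"),
    ("permit", "tcp", None, ANY, ("eq", 20), True, "TR_NIGHT"),
    ("permit", "tcp", None, ANY, ("gt", 1023), False, "TR_NIGHT"),
    ("deny", "udp", None, ANY, None, False, "TR_OFFICE_DAILY"),
    ("permit", "udp", None, ANY, None, False, None),
]

def time_range_active(name, now):
    """An entry whose time-range is inactive is skipped as if it did not exist."""
    if name is None:
        return True
    days, first, last = TIME_RANGES[name]
    minute = now.time().replace(second=0, microsecond=0)  # IOS ranges are minute-granular
    return now.weekday() in days and first <= minute <= last

def port_match(cond, port):
    if cond is None:
        return True
    op, value = cond
    return port == value if op == "eq" else port > value

def evaluate(pkt, now):
    """Return 'permit' or 'deny' for one packet entering SW1/SW2 from VLAN 500."""
    for action, proto, sp, dst_net, dp, est, tr in EACL_VLAN500_IN:
        if (pkt["proto"] == proto and ip_address(pkt["src"]) in VLAN500
                and port_match(sp, pkt["sport"]) and ip_address(pkt["dst"]) in dst_net
                and port_match(dp, pkt["dport"]) and (not est or pkt["established"])
                and time_range_active(tr, now)):
            return action
    return "deny"  # implicit deny at the end of every IOS ACL

def pkt(proto, dport, src="19.19.100.10", dst="203.0.113.5", sport=40000, established=False):
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport, established=established)

def at(stamp):  # constructed clock value, e.g. "2024-01-10 10:00" (a Wednesday)
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M")
```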

Task 4.2 ZBF


Configure ZBF on R1 to be able to match the output below after the following sequence of events:
R1#clear zone-pair counter
R5#ping 150.1.YY.254
SW2#ping 150.1.YY.254

Use the exact class and policy naming as seen above (case-sensitive).
! R1
!
class-map type inspect match-all A_B
match protocol icmp
policy-map type inspect pmap_A_B
class type inspect A_B
pass
class class-default
pass
zone security A
zone security B
zone-pair security A_B source A destination B
service-policy type inspect pmap_A_B
zone-pair security B_A source B destination A
service-policy type inspect pmap_A_B
int se0/0/1
zone-member security A
int se0/0/0
zone-member security A
int fa0/0
zone-member security A
int fa0/1
zone-member security B

Task 4.3 QoS


Traffic from 197.168.1.0/24 coming from BB1 is attacking hosts in OSPF Area 0; it should be limited to
128 kbps on each interface of R1.
Use MQC and do not use policing.
! R1
!
ip access-list standard SACL_ATTACK
permit 197.168.1.0 0.0.0.255
class-map match-all CM_ATTACK
match access-group name SACL_ATTACK
policy-map PM_SHAPE_128K
class CM_ATTACK
shape average 128000
int fa0/0
service-policy output PM_SHAPE_128K
int se0/0/0
service-policy output PM_SHAPE_128K
! the R1--R3 virtual-link is part of Area 0!
int se0/0/1
service-policy output PM_SHAPE_128K

Task 4.4 QoS


Configure MQC on the R5 link to R3.
Create classes for each type of traffic with different precedence:
Control - precedence value 6, 7
Voice - precedence value 5
Critical - precedence value 4
Video - precedence value 3
Business - precedence value 2
Internet - precedence 0
You are allowed to use only match-all in the class-maps.
In case of congestion, the Voice traffic must be sent with priority over all other traffic.
The low latency queue may never use more than 20% of the available bandwidth.
In case of congestion, reserve 100Kbps of the available 2000Kbps for the Network Control traffic.
Only in case of congestion the Video traffic may not exceed 30% of the available bandwidth.
Only in case of congestion the Business traffic may not exceed 30% of the available bandwidth.
Enable the congestion avoidance mechanism for the Business traffic using a weight factor of 10 for
the average queue size calculation.
The Internet traffic should use the remaining bandwidth with no other guarantee.
! R5
!
class-map match-all Control
match precedence 6 7
class-map match-all Voice
match precedence 5
class-map match-all Critical
match precedence 4
class-map match-all Video
match precedence 3
class-map match-all Business
match precedence 2
class-map match-all Internet
match precedence 0
policy-map PM_OUT_TO_R3
class Voice
priority percent 20
police cir percent 20
class Control
bandwidth percent 5
class Video
bandwidth percent 30
class Business
bandwidth percent 30
random-detect
! random-detect needs the bandwidth command or fair-queue
random-detect exponential-weighting-constant 10
class Internet
int se0/0/1
bandwidth 2000
max-reserved-bandwidth 85
service-policy output PM_OUT_TO_R3

Task 4.5 Routing Protocol Authentication (2pts)


Secure the RIP domain according to the following requirements:
The key chain for RIP authentication is pre-configured on R4
Do not reconfigure on R4
Complete RIP authentication between R4 and R5.
R5 must see the key-string in its configuration as plain text.
NOTE

Better to do this task together with the RIPv2 task in the L3 section.

R4#sh key chain


! R4
!
interface fa0/0
ip rip authentication mode md5
ip rip authentication key-chain RIP
! R5
!
no service password-encryption
key chain RIP
key 1
key-string HiddenKey
interface fa0/1
ip rip authentication mode md5
ip rip authentication key-chain RIP

Task 4.6 Layer 2 Security - Private VLAN


Configure Private VLAN according to the following requirements:
R4 and R5 should be able to communicate only with each other in vlan 45. No other host is
allowed to communicate with them in vlan 45.
Hosts connected to port fa0/6 on SW1 and SW2 should be a part of vlan 45, and should only
communicate with each other. These hosts must not be able to communicate with any other host
in vlan 45.
Hosts connected to port fa0/7 on SW1 and SW2 should not be able to communicate with any host.
All ports mentioned above (fa0/6 and fa0/7 of SW1 and SW2) should be reachable from fa0/8 of
SW1.
Use only odd vlans ranging from 334-998 if you need to create new vlans.
NOTE

Better to do this task together with the L2 tasks.

! SW1,SW2,SW3,SW4
!
vlan 335
private-vlan community
vlan 337
private-vlan community
vlan 339
private-vlan isolated
vlan 45
private-vlan primary
private-vlan association 335,337,339
spanning-tree mst configuration
instance 1 vlan 335, 337, 339

! SW1
!
default int range fa0/4 , fa0/6-8
interface fa0/4
switchport private-vlan host-association 45 335
switchport mode private-vlan host
interface fa0/6
switchport private-vlan host-association 45 337
switchport mode private-vlan host
interface fa0/7
switchport private-vlan host-association 45 339
switchport mode private-vlan host
interface fa0/8
switchport private-vlan mapping 45 337,339
switchport mode private-vlan promiscuous

! SW2
!
default int range fa0/5-7
interface fa0/5
switchport private-vlan host-association 45 335
switchport mode private-vlan host

interface fa0/6
switchport private-vlan host-association 45 337
switchport mode private-vlan host
interface fa0/7
switchport private-vlan host-association 45 339
switchport mode private-vlan host
#show vlan private-vlan
#show int status
#show spanning-tree mst config

Task 4.7 HSRP


Consider that users are connected to VLAN 500 on both SW1 and SW2. Configure HSRP to provide
redundancy for the user gateway YY.YY.100.254/24 as per the following requirements.
The HSRP topology must follow the STP topology (i.e. the default active gateway must be the root
bridge).
The active gateway IP address is YY.YY.100.1/24 and the secondary gateway IP address is
YY.YY.100.2/24.
Use priority 120 on the active gateway and the default priority on the secondary gateway.
Both HSRP gateways must authenticate each other using the MD5 password CCIE.
The standby gateway must take over the active role when the active gateway loses
reachability to the BB1 subnet (150.1.YY.0/24).
The primary gateway must recover its active role when reachability to the BB1 subnet is
recovered.
After 5 hello packets are missed, the secondary gateway must take over the active gateway role within
1 second.
Make sure no IGP protocol is running on VLAN 500.
! SW1
!
interface vlan 500
ip address YY.YY.100.2 255.255.255.0
standby 1 ip YY.YY.100.254
standby 1 preempt
standby 1 timers msec 200 1
standby 1 authentication md5 key-string CCIE
! SW2
! (MST instance 2 Root)
!
track 1 ip route 150.1.YY.0/24 reachability
interface vlan 500
ip address YY.YY.100.1 255.255.255.0
standby 1 ip YY.YY.100.254
standby 1 preempt
standby 1 timers msec 200 1
standby 1 authentication md5 key-string CCIE
standby 1 priority 120
standby 1 track 1 decrement 30
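As an added example (not from the workbook), this Python model walks through the election logic behind the Task 4.7 solution: why SW2 (priority 120, the MST root) is active, why "track 1 decrement 30" drops it below SW1's default priority of 100 when 150.1.YY.0/24 leaves the routing table, why preempt on SW2 is needed for it to take the role back, and how "timers msec 200 1" gives 5 missed hellos within 1 second. It assumes rack number YY=19 and simplifies the initial election to a pure priority comparison.

```python
# Added example: election model for HSRP group 1 on VLAN 500 (Task 4.7), YY=19 assumed.
from dataclasses import dataclass


@dataclass
class Gateway:
    name: str
    ip: str
    priority: int = 100            # HSRP default priority
    preempt: bool = False          # "standby 1 preempt"
    track_decrement: int = 0       # "standby 1 track 1 decrement N"
    route_reachable: bool = True   # state of "track 1 ip route ... reachability"

    def effective_priority(self):
        """Configured priority minus the decrement while the tracked route is down."""
        if self.track_decrement and not self.route_reachable:
            return self.priority - self.track_decrement
        return self.priority


def ip_key(ip):
    return tuple(int(octet) for octet in ip.split("."))


def elect(gateways, current_active=None):
    """Highest effective priority wins, ties broken by the higher IP address.
    A better candidate without preempt cannot displace the current active router."""
    best = max(gateways, key=lambda g: (g.effective_priority(), ip_key(g.ip)))
    if current_active is not None and best is not current_active and not best.preempt:
        return current_active
    return best


def failover_budget(hello_msec, hold_sec):
    """Number of hellos that can be lost before the hold timer expires:
    "standby 1 timers msec 200 1" gives 5 missed hellos within 1 second."""
    return hold_sec * 1000 // hello_msec


def scenario(sw2_preempt=True):
    """Active gateway after: initial election, loss of 150.1.YY.0/24 on SW2, recovery."""
    sw1 = Gateway("SW1", "19.19.100.2", preempt=True)
    sw2 = Gateway("SW2", "19.19.100.1", priority=120, preempt=sw2_preempt, track_decrement=30)
    active = elect([sw1, sw2])
    steps = [active.name]
    sw2.route_reachable = False   # track 1 goes down: SW2 drops to 120 - 30 = 90
    active = elect([sw1, sw2], active)
    steps.append(active.name)
    sw2.route_reachable = True    # route returns: SW2 is back at 120
    active = elect([sw1, sw2], active)
    steps.append(active.name)
    return steps
```

A decrement of 20 or less would leave SW2 at or above 100 and SW1 would never take over, which is why the solution uses 30.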

V. Optimize the Network


Task 5.1 SNMPv3
Configure the SNMPv3 group "admin" on R3 as per the following requirements:
Use location San Jose, USA
Use contact [email protected]
Ensure that the "admin" group only allows user access from YY.YY.56.0/24.
The SNMPv3 group "admin" has a read privilege "ciscoview" and must view only the ISO MIB.
The SNMPv3 group "admin" has a write privilege "ciscowrite" and must write only the SYSTEM MIB.
Ensure that group "admin" is set with the strongest security mechanism.
A user "ccie" should be from group "admin" and use the md5 password "cisco".
Use R3 loopback0 as SNMP trap source.
Create an SNMPv2c instance for "nms" servers from the subnet YY.YY.67.0/24.
When configuring, note that all SNMP groups, users, community, and views mentioned above are
case-sensitive.
NOTE

Verify with proctor about the "nms" statement and where to send SNMP traps. Is it a
community? a group? or what? Most of the reports lately say that proctors confirmed that
"nms" is a community.
Also, the other thing that makes this task vague is that it doesn't mention the IP address of
the SNMP-server where traps will be sent.
But we don't have to complicate things, just configure what is told, period.

! R3
!
snmp-server location San Jose, USA
snmp-server contact [email protected]
snmp-server view ciscoview iso included
snmp-server view ciscowrite system included
snmp-server group admin v3 priv read ciscoview write ciscowrite access SACL_56
snmp-server user ccie admin v3 auth md5 cisco
ip access-list standard SACL_56
permit YY.YY.56.0 0.0.0.255
snmp-server trap-source Loopback0
snmp-server enable traps
snmp-server community nms rw SACL_67
! gives read and write access
no snmp-server group nms v1
ip access-list standard SACL_67
permit YY.YY.67.0 0.0.0.255
#show snmp groups
#show snmp view
#show snmp user

Task 5.2 Reliable Netflow


Configure R1 to monitor traffic on the interface connected to BB1 in both directions as per the following
requirements:
Enable Netflow on R1 to monitor the traffic entering and leaving Area 0 from BB1.
Export the flows to the server YY.YY.56.100 port 2222.
In case the export to the server fails, the accounting information should be exported to the backup server
YY.YY.56.101 with the same port number.
Generate a netflow sample of one out of every 1000 packets in both directions.
Use R1 Loopback as the source address for the exports.
Use Netflow version 9 with reliable transfer.
Do not use policy-map.
! R1
!
ip cef
ip flow-export source Loopback0
ip flow-export version 9
ip flow-export destination YY.YY.56.100 2222 sctp
backup destination YY.YY.56.101 2222
flow-sampler-map FLOW_INGRESS
mode random one-out-of 1000
flow-sampler-map FLOW_EGRESS
mode random one-out-of 1000
int fa0/1
flow-sampler FLOW_INGRESS
flow-sampler FLOW_EGRESS egress
ip flow-export template options sampler
! requires version 9 and a flow-sampler configured
R1#show flow-sampler
R1#sh ip cache flow
R1#sh ip flow export sctp
IPv4 main cache exporting to 19.19.56.100, port 2222, full
status: re-establishing
backup mode: redundant
0 flows exported in 0 sctp messages.
0 packets dropped due to lack of SCTP resources
backup: 19.19.56.101, port 2222
status: re-establishing
fail-overs: 0
0 flows exported in 0 sctp messages.
0 packets dropped due to lack of SCTP resources
12 packets dropped due to primary & backup failure.

Note:
- The NetFlow SCTP export configuration uses full reliability. By default, it uses redundant mode for the
backup destination and a 25 ms fail-over time to the backup destination.
