Wolf CCIE Lab K1 Plus

CCIE-LAB-K1
IGP
1 / 32
BGP
loopback0 Y.Y.X.X/32
R1YY.YY.1.1/32
R2YY.YY.2.2/32
R3YY.YY.3.3/32
R4YY.YY.4.4/32
2 / 32
R5YY.YY.5.5/32
SW1YY.YY.7.7/32
SW2YY.YY.8.8/32
SW3YY.YY.9.9/32
SW4YY.YY.10.10/32
BackBone
BB1150.1.YY.254/24
BB2150.2.YY.254/24
BB3150.3.YY.254/24
1.section -Layer2
1.1 Pre-configuration errors
vtp
domain
name
mismatch
between
CCIERoutingandSwitching
YY
and
CCIERoutingandswitching YY
vtp password mismatch between cisco and cisco0
Switch3 fastEthernet 0/24 interface in the access mode which should be in vtp trunk
mode.
Switch2 fastEthernet 0/10 interface backup interface fastEthernet 0/4 just use
command no switchport backup interface fastEthernet 0/4 remove it.
R5 interface serial 0/0/0 and interface serial 0/0/1 use no peer neighbor-router and
so do R1 interface serial 0/0/1 and R3 interface serial 0/0/0.
:
1.vtp
2.vtp
3.Switch3 f0/24 Switchport Trunk
4.Switch2 fastethernet 0/4 fastEthernet 0/10 Switch2 f0/10
no switchport backup interface fastEthernet 0/4
5.R5 -s0/0/0 s0/0/1R1-s0/0/1R3-0/0/0 PPP 32
no peer neighbor-route
1.2 Implement the access-switch ports of the network as following

tables
Vlan Number
Vlan Name
Ports
VLAN 15
VLAN_BB1
SW1-F0/5SW1-F0/10
VLAN 2
VLAN_BB2
SW2-F0/10
VLAN 3
VLAN_BB3
SW1-F0/3SW3-F0/10
VLAN 11
VLAN_A
SW2-F0/1
VLAN 13
VLAN_B
SW2-F0/3
3 / 32
VLAN 22
VLAN_C
R2-F0/1.Z
VLAN 24
VLAN_H
R2-F0/1.ZSW2-F0/4
VLAN 44
VLAN_F
SW1-F0/4
VLAN 45
VLAN_G
SW2-F0/5
Configure all of the appropriate nontrunking access switch ports on

sw1,sw2,sw3,according to the following requirements:
SW1 should be the root for all vlans and for any new vlan.
BB devices must not be in the path to the root bridge.
[S1]:
Configure the VLANS for the access switch ports show as the vlan tables,include the
ports to BB1,BB2 and BB3.

Configure trunk between SW2 F0/2 and R2 G0/1.
Make sure that the spanning tree enters the forwarding state immediately. Only for
these access switch ports,bypassing the listening and learning states.
Avoid transmitting bridge protocol date units(BPDUS)on these access switch ports.If
a BPDU is received on any of these ports,the ports should transition back to the
listening,learning and forward states.
Add any special layer 2 commands that are required on the routers including trunk
configuration.
1.SW1 vlan
2.BB
3.VLAN BB1,BB2,BB3
4.SW2 f0/2 R2 G0/1 Trunk R2 G0/1 SW2 f0/2
R2 G0/1 VLAN_22 VLAN_24
5.access Portfast
6.access BPDU access BPDUSTP

BPDU
7.Trunk
:
SW1 VLANSVI
SW1config#spanning-tree vlan 1-4094 priority 0
[S2]: vlan
0 SW1
SW1config# interface FastEthernet 0/3
SW1config-if# switchport mode access
SW1config-if# switchport access vlan 3
sw4(config)#spanning-tree vlan
1-4904 root primary
SW1config# interface fastEthernet 0/4

4 / 32

SW1config-if# spanning-tree guard root
[S3]: 2
SW1config# interface vlan 11

SW1config-if# ip address YY.YY.15.162 255.255.255.224
SW1config-if# no shutdown
SW2 VLANSVI
5 / 32
[S4]: 2

SW2config-if# ip address 150.2.YY.1 255.255.255.0
SW3 VLAN
[S5]: 2
SW4 SVI
R2 G0/1SW2 f0/2
[S6]: 4

SW2config-if# switchport trunk encapsulation dot1q
SW2config-if# switchport mode trunk
SW2config-if# switchport nonegotiate
SW2config-if# switchport trunk allowed vlan 22,24
R2config# interface FastEthernet 0/1
R2config-if# no ip address
R2config-if# no shutdown
R2config# interface FastEthernet 0/1.22
R2config-subif# encapsulation dot1q 22
R2config-subif# ip address YY.YY.15.129 255.255.255.224
R2config-subif# encapsulation dot1q 24
SW1 accessPortfast BPDU
[S7]: 5 6
SW1config# spanning-tree portfast default
bpduguard bb3
SW1config# spanning-tree portfast bpdufilter default

6 / 32

1.3 Trunking manipulations:

Configure the trunk ports between SW1,SW2,SW3 and SW4 according to the following
requirements:
Disable DTP on the six distribution ports for each switch.
Set the list of allowed vlans that can receive and send traffic on these
interfaces in tagged format in particular,only allow VLAN 3,11,13,44,45
[S8]:
VLAN
3,11,13,44,45
1.TrunkDTP Nonegotiate
VLAN tagged format
2.Trunkvlan311134445 switchport trunk allowed vlan 311
134445
:
SW1config# interface range fastEthernet 0/19 - 24
SW1config-if-range# switchport trunk encapsulation dot1q
SW1config-if-range# switchport mode trunk
SW1config-if-range# switchport nonegotiate
SW1config-if-range# switchport trunk allowed vlan 2,3,11,13,15,22,24,44,45
7 / 32

1.4 Implement Frame relay:

Use the following requirements to configure R1 and R2 for frame relay and R4 as the frame
relay switch.
Use ANSI LMI on frame relay switch and auto-sesing on R1 and R2.
Dont use any static frame relay maps or inverse address resolutions protocol.
Use RFC 1490/RFC2427(IETF)encapsulation.
Use the data-link connection Identifer DLCI assignments from the table below
Frame-Relay DLCI assignment
Router
DLCI assignment
R1 frame-relay interface
100
R2 frame-relay interface
200
:
R1 R2R4
1.FRLMI ANSIR1R2
2. interface-DLCI
3.IETF
4.DLCI
:
R4:
R4config# frame-switching
R4config# interface serial 0/0
R4config-if# encapsulation frame-relay ietf
R4config-if# frame-relay intf-type DCE
R4config-if# clock rate 64000
R4config-if# frame-relay lmi-type ansi
R4config-if# frame-relay route 100 interface serial 0/1 200
8 / 32
R4config-if# exit
R4config-if# frame-relay intf-type DCE
R4config-if# clock rate 64000
R4config-if# frame-relay lmi-type ansi
R4config-if# frame-relay route 200 interface serial 0/0 100
R4config-if# end
R1:
R1config-if# no frame-relay inverse-arp
R1config-if# no arp frame-relay
R1config-if# exit
R1config# interface serial 0/0.12 point-to-point
R1config-subif# no shutdown
R1config-subif# frame-relay interface-dlci 100 ietf
R1config-subif# end
R2:
R2config-if# no frame-relay inverse-arp
R2config-if# no arp frame-relay
R2config-if# exit
R2config-subif# no shutdown
R2config-subif# frame-relay interface-dlci 200 ietf
R2config-subif# end
1.5 Traffic control protection from the backbones:

9 / 32
Configure traffic control on the three backbone links,protecting your network from a
broadcast storm.This protection should begin once broadcast traffic is half(50%)
available bandwidth,the port should remain functioning during this time.
storm-controlbackbonebroadcast50%
:
SW1 storm-control :
SW1config-if# storm-control broadcast level 50
SW2 storm-control :
SW3 storm-control :
3
R1
R1config-if# ip address YY.YY.15.162 255.255.255.224
R1config-if# no shut
R1config-if# exit
R1config# bandwidth 128
R1config-if# encapsulation ppp
R1config-if# no peer neighbor-route
R1config-if#ip address YY.YY.15.249 255.255.255.252
R1config-if# end
R3
10 / 32

R3config-if# exit
R3config-if# ip address 150.3.YY.1 255.255.255.0
R3config-if# exit
R3config-if# end
R4
R4config-if# exit
R4config-if# end
R5
R5config-if# exit
R5config-if# ip address 150.1.YY.1 255.255.255.0
R5config-if# exit
R5config# bandwidth 128
R5config-if# exit
11 / 32

R5config-if# end
2.section -Layer3
After finishing each of the following questions,make sure that all configured
interfaces and subnets are consistently visible on all pertinent routers and switches.
Dont redistribute between and interior gateway protocol(IGP) and board gateway
protocol(BGP).
You need to ping a bgp route only if it is stated in a question,otherwise the route
should be only in the bgp table.
At the end of section 2,all subnets in your topology,including the loopback interface
expected for SW3,must be reachable via ping.
Therefore redistribute as you wish unless directly stated in a question.The backbone
interface must be reachable only if they are part of the solution to a question.
The loopback interface can be seen as either /24 or /32 in the routing table unless
stated otherwise in a question.
The loopback interfaces can be added into your IGP either via redistribution or added
to a routing process of your choice.
:
1.IGP
2.IGP BGPBGP
pingping
3.IGP loopbackpingSW3
4.BB
5.Loopback
2.1 Implement IPv4 OSPF

Configure open shortest path first(OSPF)
Updates should be advertised only out of the interface that are indicated in
the IGP topology diagram.
12 / 32
[S9]: IGPK1
RIP
V2 RIP V1
RIP
EIGRPno
auto-summary
Dont manually change the Router-ID

Dont create additional ospf area.
Configre ospf area 2 such that there are no TYPE-5 Advertisments(LSA)in the area,R1
should generate a default route.
Configure OSPF over frame relay between R1 and R2 choosing a network type that requires
designate router(DR) and backup designate router(BDR)negotiations and has the fatest
recover times.
1.
2.RID
3.ospf
4.area 2 5LSAR1 Area 2
area 2 nssa
5.R1 R2ospfDR,BDR
fast hello broadcast
Area 0
R3config# router ospf YY
R3config-router# network YY.YY.15.193 0.0.0.0 area 0
SW1config# ip routing
SW1config# router ospf YY
SW1config-router# network YY.YY.15.194 0.0.0.0 area 0
Area 2
13 / 32

NSSA
R1config-router# area 2 nssa default information-originate
[S10]: 3
R2config-router# area 2 nssa

SW2config-router# area 2 nssa
R1-R2ospf fast hello
R1config-subif# ip ospf network broadcast
R1config-subif# ip ospf dead-interval minimal hello-multiplier 20
[S11]: 4
5 ospf
R2config-subif# ip ospf network broadcast

R2config-subif# ip ospf dead-interval minimal hello-multiplier 20
[S12]:
2.2 Implement IPv4 EIGRP
Configure EIGRP 100 and EIGRP YY per the IGP topology diagram. EIGRP updates should be
advertise only out to the interface per the IGP topoloty diagram.
On R1,redistribute between ospf and EIGRP YY.
However all of the routes that are indicated below from backbone3 (EIGRP 100)should
not be redistributed between both protocols . 198.2.1.0/24198.2.3.0/24
198.2.5.0/24198.1.1.4/304.1.1.0/24128.28.2.0/24
Use route maps to accomplish this requirement.All route-maps should utilize the same
access lists.
On R3,redistribute from EIGRP 100 into OSPF.
On R3, Redistribute from EIGRP 100 into EIGRP YY.However three networks
198.2.1.0/24,198.2.3.0/24,198.2.5.0/24 should be aggregated into a single address
with the most specific mask possible.
IGPEIGRP 100 EIGRPYY

1.R1 OSPFEIGRPYY
2.EIGRP 100198.2.1.0/24198.2.3.0/24198.2.5.0/24198.1.1.4/30
4.1.1.0/24128.28.2.0/24
3.ACL
4.R3 EIGRP 100 OSPF
5.R3 EIGRP 100 EIGRP YY198.2.1.0/24198.2.3.0/24198.2.5.0/24
14 / 32

EIGRP YY
R1config# router eigrp YY
R1config-router# auto-summary
R1config-router# network YY.YY.15.249 0.0.0.0
SW4config# router eigrp YY
SW4config-router# auto-summary
SW4config-router# network YY.YY.15.98 0.0.0.0
SW4config-router# network YY.YY.10.10 0.0.0.0
EIGRP 100
R3config# router eigrp 100
R3config-router# network 150.3.YY.1 0.0.0.0
EIGRP 100OSPF
R3config-router# redistribute eigrp 100 subnets
EIGRP 100EIGRP YY
R3config-router# redistribute eigrp 100 metric 10000 100 255 1 1500
R3198.2.1.0/24198.2.3.0/24198.2.5.0/24
R3config-if# ip summary-address eigrp YY 198.2.0.0 255.255.248.0
R1OSPFEIGRPYYEIGRP
15 / 32

R1config-router# redistribute eigrp YY subnets route-map filter
R1config-router# redistribute ospf YY metric 10000 100 255 1 1500 route-map filter
R1config# ip access-list extended 100
R1config-ext-nacl# permit ip host 4.1.1.0 host 255.255.255.0
R1config-ext-nacl# permit ip host 150.3.YY.0 host 255.255.255.0
[S13]: EIGRP 100

[S14]: R3 BB3
[S15]: R3 EIGRP 100
R1config# route-map filter deny 10

R1config-route-map# match ip address 100
R1config# route-map filter permit 20
[S16]:
2.3 Implement RIP Version 2
Configure RIP version 2 (RIP v2)per the IGP topology diagram.

RIP updates should be advertise only out the interface per the IGP topology diagram.
All rip updates should be unicast.
All rip updates must be able to receive and process RIP V1 packets.
Manually redistribute between RIP and ospf on R2 and SW4,R4 learned routes should
be preferred EIGRP.
1.IGPRIPv2RIP
2.RIP
3RIPRIPv1
4.R2 RIP OSPFYY SW4 RIP EIGRPYY R4
EIGRPYY
R2RIP
R2config# router rip
16 / 32
[S17]:
R2config-router# version 2
R2config-router# passive-interface default
R2config-router# neighbor YY.YY.15.33
R2config-router# network YY.0.0.0
R2config-router# exit
R2config-subif# ip rip receive version 1 2
R4RIP
R4config-router# version 2
R4config-router# passive-interface default
R4config-router# network YY.0.0.0
R4config# interface fastEthernet 0/0
R4config-if# ip rip receive version 1 2
R4config-if# ip rip receive version 1 2
SW4RIP
SW4config# router rip
SW4config-router# version 2
SW4config-router# auto-summary
SW4config-router# passive-interface default
SW4config-router# neighbor YY.YY.15.65
SW4config-router# network YY.0.0.0
SW4config-router# exit
SW4config-if# ip rip receive version 1 2
R2
R2config-router# redistribute rip subnets
17 / 32
R2config-router# redistribute ospf YY metric 4
SW4
SW4config-router# redistribute eigrp YY metric 2
SW4config-router# redistribute rip meric 10000 100 255 1 1500
R2
[S18]: OSPF
R2config-router# distance 125 YY.YY.1.1 0.0.0.0 1
access-list 1
110 RIP
R2config# access-list 1 permit YY.YY.4.4
120 R2 access-list 1
OSPF
R1 125
RIP
[S19]: YY.YY.15.128/27
R2config-router# offset-list 2 out 3 FastEthernet 0/1.24
YY.YY.15.240/27
GigabitEthernet 0/1.24
R2config# access-list 2 deny YY.YY.2.2

R2config# access-list 2 permit any
3
SW4 EIGRP YY RIP
[S20]: 15.128
SW4
15.240

SW4config-router# distance 175 YY.YY.15.65 0.0.0.0 1
[S21]: SW4
RIP EIGRP
SW4config# access-list 1 deny YY.YY.2.2
YY.YY.15.128/27 YY.YY.15.240/27
RIP
120 EIGRP 170
SW4config# access-list 1 permit any
128 240 AD
175 SW4
EIGRP
SW4config-router# redistribute rip metric 10000 100 255 1 1500 route-map default
SW4config# access-list 10 permit 0.0.0.0
SW4config# route-map default deny 10
SW4config-route-map# match ip address 10
[S22]: RIP
R2 15.128 15.240
RIP
15.128 15.240
SW4config-route-map#exit
SW4config# route-map default permit 20
[S23]: SW4 RIP

EIGRP YY
GLBP
track SW4
18 / 32
K1-IGP
R2config# access-list 10 deny 4.0.0.0
R2config# access-list 10 permit any
R2config-router# distribute-list 10 in FastEthernet0/1.24
[S24]: RIP EIGRP

R4 BB
R2
R2 R1R1
SW1
OSPF area
2.4 Implement IPv6
0 R2 R2
Internet protocol version 6(IPv6) to configure IPv6 unique local unicast address
using the EUI-64 interface identifier.

R4-G0/1 and R2-G0/1.Z (VLAN 24)
FC01:DB8:74:9::/64 eui-64
R2-S0/0.Z and R1-S0/0.Z
FC01:DB8:74:A::/64 eui-64
R1-G0/1 and SW1-SVI 11
FC01:DB8:74:B::/64 eui-64
Configure OSPF v3 per the IPv6 topology.

Ensure that R4 can ping SW1 using IPv6.
1.IPv6 EUI-64
2.OSPFv3R2-s0/0.zSW1 Area 1Area 0R4 PingSW1
IPv6
R4config# ipv6 unicast-routing
[S25]: IPv6
R4config# interface fastether 0/1

R4config-if# ipv6 address fc01:db8:74:9::/64 eui-64
R2config# interface GigabitEthernet 0/1.24
R2config-if# ipv6 address fc01:db8:74:9::/64 eui-64
R2config# interface serial 0/0.12
R2config-if# ipv6 address fc01:db8:74:a::/64 eui-64
19 / 32
R1config-if# ipv6 address fc01:db8:74:a::/64 eui-64

R1config-if# ipv6 address fc01:db8:74:b::/64 eui-64
SW1config# sdm prefer dual-ipv4-and-ipv6 default
[S26]: IPv6
SW1config# ipv6 unicast-routing
wrreload

SW1config-if# ipv6 address fc01:db8:74:b::/64 eui-64
OSPFv3
R4config# ipv6 router ospf YY
R4config-router# route-id YY.YY.4.4
R4config# interface fastether 0/1
R4config-if# ipv6 ospf YY area 0
R2config# interface GigabitEthernet 0/1.24
SW1config# ipv6 router ospf YY
SW1config-router# route-id YY.YY.7.7
SW1config-if# ipv6 ospf YY area 1
[S27]:
2.5 Implement IPv4 BGP
RRnext-hop-self
Referring the BGP routing diagram.configure BGP with these parameters.

Configure two bgp confederations R1,R3,R5 and SW4 (AS YY1) and R2 and SW2 (AS YY2).
The confederation peers should neighbor between R1 and R2 and between SW4 and R2.
EBGP: SW2 EBGP peers with the router 150.2.Y.254 on backbone 2 in AS 254.This router
advertise five routes with format 197.68.Z.0/24 and the AS_PATH 254.
EBGP: R5 EBGP peers with the router 150.1.Y.254 on backbone 1 in AS 254.This router
20 / 32
advertise five routes with format 197.68.Z.0/24 and the AS_PATH 254,253.
The bgp devices should all prefer the path through R5(150.1.Y.254) for network
197.68.21.0/24 and 197.68.22.0/24,The internal board gateway protocol(IBGP)devices
should all prefer the path through SW2(150.2.Y.254) for network
197.68.1.0/24,197.68.4.0/24 and 197.68.5.0/24,this manipulation should be
accomplished only on one router using route-maps that refer to a single access-list.
ACL
Configure only the loopback 0 ip address to propagate BGP route information.
BGP routes should be advertised to AS 254.
1.R1 R3 R5 SW4 ASYY1R2 SW2 ASYY2

2.R1 R2SW4 R2
3.SW2 BB2 EBGPBB2 197.68.X.0/24AS-path254
4.R5 BB1 EBGPBB1 197.68.X.0/24AS-path254253
5.BGPR5197.68.21.0/24197.68.22.0/24IBGPSW2
197.68.1.0/24197.68.4.0/24197.68.5.0/24route-map
ACL
6loopback 0
BGP YY1
R1
R1config# router bgp YY1
R1config-router# bgp router-id YY.YY.1.1
R1config-router# bgp confederation identifier YY
R1config-router# bgp confederation peers YY2
R1config-router# neighbor ibgp peer-group
R1config-router# neighbor ibgp remote-as YY1
R1config-router# neighbor ibgp update-source Loopback0
R1config-router# neighbor YY.YY.3.3 peer-group ibgp
R1config-router# neighbor YY.YY.2.2 remote-as YY2
R1config-router# neighbor YY.YY.2.2 ebgp-multihop 255
R1config-router# neighbor YY.YY.2.2 update-source Loopback0
R3
21 / 32

R5
R5config-router# neighbor 150.1.YY.254 remote-as 254
R5config-router# neighbor 150.1.YY.254 route-map local-pre in
[S28]:
197.68.21.0/24 197.68.22.0/24 R5
R5 (config) # access-list 1 permit 197.68.20.0 0.0.3.255

R5config# route-map local-pre permit 10
R5config-route-map# match ip address 1
R5config-route-map# set local-preference 200
R5config-route-map#exit
R5config# route-map local-pre permit 20
SW4
SW4config# router bgp YY1
SW4config-router# bgp router-id YY.YY.10.10
SW4config-router# bgp confederation identifier YY
SW4config-router# bgp confederation peers YY2
SW4config-router# neighbor ibgp peer-group
SW4config-router# neighbor ibgp remote-as YY1
SW4config-router# neighbor ibgp update-source Loopback0
SW4config-router# neighbor YY.YY.1.1 peer-group ibgp
SW4config-router# neighbor YY.YY.2.2 remote-as YY2
SW4config-router# neighbor YY.YY.2.2 ebgp-multihop 255
SW4config-router# neighbor YY.YY.2.2 update-source Loopback0
22 / 32
BB1
BGP YY2
R2
R2config-router# bgp confederation peers YY1
SW2
SW2config# router bgp YY2
SW4config-router# bgp router-id YY.YY.8.8
SW4config-router# bgp confederation identifier YY
SW4config-router# neighbor YY.YY.2.2 remote-as YY2
SW4config-router# neighbor YY.YY.2.2 update-source Loopback0
SW4config-router# neighbor 150.2.YY.254 remote-as 254
R5config# route-map connbb1 permit 10

R5config-route-map# match interface FastEthernet0/0
R5config-route-map#exit
R5config-config# redistribute connected route-map connbb1
metric 10000 100 255
1 1500
SW2config# route-map connbb2 permit 10
SW2config-route-map# match interface vlan 2
SW2config-route-map#exit
SW2config-router# redistribute connected subnets route-map connbb2
R3
R3config# access-list 1 permit 150.1.38.0
R3config# access-list 1 permit 150.2.38.0
23 / 32
R3config-router# distance 175 YY.YY.1.1 0.0.0.0 1
[S29]:
OSPF SW1
SW1 BGP
R1
175 R5
MPLS
3.Section -IP Multicast

3.1 Implement PIM sparse mode for IPv6 multicast.
Enable pim sparse mode (PIM-SM) on the lan between R4-F0/1 and R2-G0/1, and on
the WAN link between R2 and R1,Using these Criteria:
Configure R4-F0/1 to be the redezvous point(RP) for the FF08::4000:4000
multicast group no other groups should be permited.
1.IPv6 multicastPIM-SMR4-f0/1 R2-G0/1R2 R1 WAN

2.R4 f0/1 FF08::4000:4000 RPRP
R4R2R1IPv6
R4config# ipv6 cef
R4config# ipv6 multicast-routing
R2config# ipv6 cef
R1config# ipv6 cef
RP
R4config# ipv6 access-list mul
R4config-acl# permit ipv6 host ff08::4000:4000 any
R4config# ipv6 pim rp-address R4-f0/1 IPv6 mul
24 / 32
3.2 Multicast joins

Configure R1 s0/0/0.Z as an IPv6 receiver for multicast
group FF08::4000:4000R1 should
be able to ping the multicast group FF08::4000:4000
R1s0/0/0.ZFF08::4000:4000Ping
R1config# interface serial 0/0/0.12

R1config-if# ipv6 mld join-group ff08::4000:4000
R4 Ping f08::4000:4000R1 replay
4.Section -Advanced Service

4.1 Secure HTTP access
Enable secure HTTP access for R5. Enable authentication using the listHTTPwhitch
utilizes local user authentication. Configure two different user for access to R5
the user cisco password ciscowho only has privilege 1 access to R5and the user
ADMINpassword CISCOwho privilege 15 access to R5.Don't change console and vty password
R5 secure HTTP secure HTTPAAA list HTTP

R5 ciscocisco
1ADMINCISCO15consolevty
R5AAA
R5config# aaa new-model
R5config# aaa authentication login default line
R5config# aaa authentication login HTTP local-case
R5config# aaa authorization exec HTTP local
R5config# no ip http server
R5config# ip http secure-server
R5config# ip http authentication aaa login-authentication HTTP
R5config# ip http authentication aaa exec-authorization HTTP
25 / 32
R5
R5config# username cisco privilege 1 password cisco
R5config# username ADMIN privilege 15 password CISCO
4.2 Secure the WAN PPP LINKS

Configure challenge handshake authentication protocol(CHAP) on R5 for the link
to R1 and R3,according to the following requirements:
An authentication,authorization,and according(AAA)list named R1 and R3 for R1 and R3
respectively.
Authentication for R1 should first try the radius server 198.2.3.128 using a key of
cisco and fall back to local login in the event of a failure to connect to the radius
server.
R1 should present itself to R5 RACKYYR1 with a shared password cisco. Authentication
for R3 should first try the TACAS server 198.2.3.129 using a key of cisco and fall back
to local login in the event of a failure to connect to the TACAS server.R3 should present
itself to R5 as BACKUP with a share password of CISCO.
R5 R1 R3PPPCHAP
1.AAA R1 listR1R3 listR3
2.R1 radius server 198.2.3.128cisco
R1RACKYYR1cisco
3 R3 tacacs server 198.2.3.129cisco
R3BACKUPCISCO
R5AAAAAA server
R5config# aaa new-model
R5config# aaa authentication ppp R1 group radius local-case
R5config# aaa authentication ppp R3 group tacacs+ local-case
R5config# radius-server host 198.2.3.128 key cisco
R5config# tacacs-server host 198.2.3.129 key cisco
R5CHAP
R5config# username RACKYYR1 password cisco
R5config# username BACKUP password CISCO
R5config-if# ppp authentication chap R1
26 / 32

R5config-if# ppp authentication chap R3
R1CHAP
R1config-if# ppp chap hostname RACKYYR1
R1config-if# ppp chap password cisco
R3CHAP
R3config-if# ppp chap hostname BACKUP
R3config-if# ppp chap password CISCO
4.3 MQC-based frame-relay traffic shapping

On R2,Configure parent class-default commited information rate(CIR)as 64kb,when
no Backward explicit congestion notification(BECNs)are present and 32kb when
BECNs are present.
Differenatiate between voice packets which should receive a guranteed bandwidth
of 40 percent and data which should receive a guaranted bandwidth of 35 percent.
Voice packes are marked as expedited forwarding(EF)
Class 1 or 2(AF11 OR AF21)Enable class-based weighted fair queuing(CBWFQ)for
child class-default.
1.EFAF11AF21
2.40%CBWFQ 35%
3.CIR64kbBECN32kb
R2config# class-map VOICE

R2config-cmap# match ip dscp ef
R2config# class-map match-any DATA

R2config-cmap# match ip dscp af11
R2config-cmap# match ip dscp af21
27 / 32
R2config# policy-map CBWFQ

R2config-pmap# class VOICE
R2config-pmap-c# priority percent 40
R2config-pmap-c# exit
R2config-pmap# class DATA
R2config-pmap-c# bandwidth percent 35
R2config# policy-map MQC
R2config-pmap# class class-default
R2config-pmap# fair-queue
R2config-pmap# shape average 64000
R2config-pmap# shape adaptive 32000
R2config-pmap# service-policy CBWFQ
Class-Base FRTS
R2config# map-class frame-relay FRTS
R2config-map-class# service-policy output MQC
Class-Base FRTS
R2config-subif# frame-relay interface-dlci 200
R2config-fr-dlci# class FRTS
4.4
Auto QOS over PPP
To 4.3 continue to address voip quality of serviceQOSby configuring cisco AutoQOS

over PPP link between R1 and R5.
R1 R5 PPP Auto QOS
:
R1Auto QOS
R1config-if# auto discovery qos trust
R1config-if# auto qos voip trust
R5Auto QOS
R5config-if# auto discovery qos trust
28 / 32
R5config-if# auto qos voip trust

multilink/32multilinkno
peer neighbor-route32
4.5 First Hop Redundancy

To facilitate load balancing and backup for hosts of VLAN_H,configure GLBP on VLAN_H,Use
any group number.R4 should have the higher priority with the ability for R2 to assume
control if the priority of R4 decreases.Use MD5 authentication to protect the GLBP
group.Use the key-string cisco. Configure the IP Y.Y.15.35 as your GLBP virtual
address.
VLAN_H GLBPR4 R2 R4
MD5 GLBPciscoGLBPYY.YY.15.35
:
R2GLBP
R2config-if# glbp 1 YY.YY.15.35
R2config-if# glbp 1 preempt
R2config-if# glbp 1 authentication MD5 key-string cisco
R4GLBP
R4config-if# glbp 1 YY.YY.15.35
R4config-if# glbp 1 preempt
R4config-if# glbp 1 priority 105
R4config-if# glbp 1 authentication MD5 key-string cisco
R4config-if# glbp 1 weighting track 10
R4config# track 10 ip route 0.0.0.0 0.0.0.0 reachability
4.6 Polled and broadcast NTP()

Enable network time protocolNTPon R2 R3 and R4 according to the following
requirements.
29 / 32
[S30]:
R4 should act as an NTP server to R3R4 should provide broadcast NTP updates only
to VLAN_H. The hardware clocks on R2 R3 and R4 should be updated by the software clock
R4 should use loopback 0 as the source address.
Absent an external time server R4 should use its own system clock to synchronize R2
and R4set the clock on R4 as 8:00 am08:00January 1 2000
Ultimatelythe clock on R2 R3 and R4 should be in synchronized
:
1.R4R3 NTP ServerR4 VLAN_HNTPloopback 0R2
R4 NTP R2R3R4
2.R4 8:00 am08:00January 1 2000
3.R2R3 R4
4R2R3R4
:
R4NTP server
R4config# clock timezone HK +8
R4config)# exit
R4 # clock set 8:00:00 1 jan 2000
R4 # configure terminal
R4config# ntp master 3
R4config# ntp source loopback 0
R4config-if# ntp broadcast
R2NTP
R2config# ntp server YY.YY.4.4
R2config-if# ntp broadcast client
R3NTP
R3config# ntp server YY.YY.4.4
R2R3R4
R2config# ntp update-calendar
30 / 32
5 section-optimize the network

5.1 Netflow data export
Configure netflow on R4 to according to the following requirement
Source should be VLAN_H
Export all data to 198.2.5.10
Use UDP port 9991 for exporting
Use netflow version 9 only.
:
R4 netflowVLAN_Hversion 9UDP 9991
198.2.5.10
:
R4config# ip flow-export version 9
R4config# ip flow-export source loopback 0
R4config# ip flow-export destination 198.2.5.10 9991
R4config# ip multicast netflow rpf-failure
R4config# ip multicast netflow output-counters
R4config# interface fastethernet 0/1
R4config-if# ip flow ingress
R4config-if# ip flow egress
5.2 Embeded event manager monitor of cpu

Configure three different event manager applets on R3 according to the following
requirements:
If the 5 min CPU value(cpmCPUTotal5minRev)goes above 60 percent,the first 10 lines
of the show processes cpu command output should be emailed to [email protected] from
[email protected] with a subject of CPUAlert5min using the mail server
198.2.5.10 .Polling should be every 60 seconds.
:
R3 EEM5 CPU poll-interval 60 60%
show processes cpu10 email [email protected] [email protected]
email 198.2.5.10
:
31 / 32
R3config# event manager applet CPU

R3config-applet# event snmp oid 1.3.6.1.4.1.9.9.109.1.1.1.1.8 get-type exact
entry-op ge entry-val 60 poll-interval 60
R3config-applet# action 1.0 cli command enable
R3config-applet# action 2.0 cli command "terminal length 13"
R3config-applet# action 3.0 cli command "terminal width 512"
R3config-applet# action 4.0 cli command "show processes cpu sorted 5min" pattern
"--More-- "
R3config-applet# action 5.0 mail server "198.2.5.10" to [email protected] from
[email protected] subject CPUAlert5min body $_cli_result
show event manager policy registered
5.3 TFTP Server

Configure R3 as a TFTP server with the following requirements
R4 should be able to copy the file TEST from the flash memory of R3.
No other files should be available from R3.
No other devices should be able to copy the files TEST from R3.
Note:You do not need to create the TEST file on R3 or attempt to make s actual copy.
:
R3 TFTP serverR4 R3flashTEST
R3 flashTESTTEST
:
R3config# tftp-server flash:TEST 4
32 / 32

Wolf CCIE Lab K1 Plus

Uploaded by

Copyright:

Available Formats

Wolf CCIE Lab K1 Plus

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Wolf CCIE Lab K1 Plus

Uploaded by

Copyright:

Available Formats

CCIE-LAB-K1

1.2 Implement the access-switch ports of the network as following

Configure all of the appropriate nontrunking access switch ports on

ports to BB1,BB2 and BB3.

6.access BPDU access BPDUSTP

SW1config# interface FastEthernet 0/3

SW1config-if# switchport mode access

SW1config-if# switchport access vlan 3

SW1config# interface fastEthernet 0/4

SW1config-if# switchport access vlan 44

SW1config# interface vlan 11

SW2config# interface vlan 2

SW2config# interface fastEthernet 0/2

SW1config# spanning-tree portfast default

SW1config# spanning-tree portfast bpdufilter default

SW2 accessPortfast BPDU

SW2config# spanning-tree portfast bpdufilter default

1.3 Trunking manipulations:

VLAN tagged format

2.Trunkvlan311134445 switchport trunk allowed vlan 311

SW3config-if-range# switchport nonegotiate

1.4 Implement Frame relay:

1.5 Traffic control protection from the backbones:

R3config-if# ip address YY.YY.15.193 255.255.255.224

R5config-if# no peer neighbor-route

2.1 Implement IPv4 OSPF

Dont manually change the Router-ID

SW2config-router# network YY.YY.15.130 0.0.0.0 area 2

R2config-router# area 2 nssa

R2config# interface serial 0/0.12 point-to-point

R2config-subif# ip ospf network broadcast

2.2 Implement IPv4 EIGRP

IGPEIGRP 100 EIGRPYY

R1config# router ospf YY

[S13]: EIGRP 100

R1config# route-map filter deny 10

2.3 Implement RIP Version 2

Configure RIP version 2 (RIP v2)per the IGP topology diagram.

R2config-router# redistribute ospf YY metric 4

R2config-router# distance 125 YY.YY.1.1 0.0.0.0 1

R2config# access-list 1 permit YY.YY.4.4

R2config# access-list 1 permit YY.YY.10.10

R2config# access-list 1 permit YY.YY.15.64

R2config# router rip

R2config-router# offset-list 2 out 3 FastEthernet 0/1.24

R2config# access-list 2 deny YY.YY.2.2

SW4config# router rip

SW4config# access-list 1 deny YY.YY.2.2

SW4config# access-list 1 deny YY.YY.4.4

SW4config# access-list 1 deny YY.YY.15.32

120 EIGRP 170

SW4config# access-list 1 permit any

SW4config# router eigrp YY

[S23]: SW4 RIP

[S24]: RIP EIGRP

2.4 Implement IPv6

using the EUI-64 interface identifier.

R2-S0/0.Z and R1-S0/0.Z

R1-G0/1 and SW1-SVI 11