
K8 OTHER Q & SOL.

CCIE SOLDIER
1.5 Advanced L2 Features
Switchport protected, to use private VLANs. Should use port security to dynamically add MAC address to the configuration.

- Five users connected to VLAN 500 (SW3)
- These users will connect to SW4 ports Fa0/1-5
- These ports should move quickly to the forwarding state
- These ports should be protected and learn the MAC address dynamically
- Shut the ports down if a violation occurs

SW3
interface range fa0/1 - 5
 switchport access vlan 500
 switchport mode access
 spanning-tree portfast
 switchport port-security
 switchport port-security maximum 1 vlan 500
 switchport port-security violation shutdown
 switchport protected
 no shut

2.6 IPV4 IBGP


Configure your network as per "Diagram 2 : BGP Routing" and according to the following requirements:

- With the exception of R1, all routers in BGP AS YY must have only one IBGP neighbor.
- Secure all IBGP sessions with an MD5 hash, use the string "cisco" to that effect (without quotes)
- All BGP connections should survive a physical link failure
- R1 should always initiate the TCP session for the BGP connection for the BGP neighbor
- Configure 'no bgp default ipv4-unicast' on all BGP speakers

R1
router bgp 10
 no synchronization
 bgp router-id 110.1.1.1
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor IBGP peer-group
 neighbor IBGP remote-as 10
 neighbor IBGP update-source Loopback0
 neighbor IBGP password cisco
 neighbor 110.2.2.2 peer-group IBGP
 neighbor 110.3.3.3 peer-group IBGP
 neighbor 110.4.4.4 peer-group IBGP
 neighbor 110.5.5.5 peer-group IBGP
 neighbor 110.6.6.6 peer-group IBGP
 neighbor 110.8.8.8 peer-group IBGP
 address-family ipv4
  neighbor IBGP route-reflector-client
  neighbor 110.2.2.2 activate
  neighbor 110.3.3.3 activate
  neighbor 110.4.4.4 activate
  neighbor 110.5.5.5 activate
  neighbor 110.6.6.6 activate
  neighbor 110.8.8.8 activate

R2
router bgp 10
 bgp router-id 110.2.2.2

R3
router bgp 10
 bgp router-id 110.3.3.3

R4
router bgp 10
 bgp router-id 110.4.4.4

R5
router bgp 10
 bgp router-id 110.5.5.5

SW1
router bgp 10
 bgp router-id 110.6.6.6

SW3
router bgp 10
 bgp router-id 110.8.8.8

R2/R3/R4/R5/SW1/SW3
router bgp 10
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 110.1.1.1 remote-as 10
 neighbor 110.1.1.1 transport connection-mode passive
 neighbor 110.1.1.1 update-source Loopback0
 neighbor 110.1.1.1 password cisco
 no auto-summary
 address-family ipv4
  neighbor 110.1.1.1 activate

4.5 Securing Layer 2


- Users in VLAN 500 should only be able to access SMTP, HTTP, ICMP and DNS (UDP only) to any host
- Use a single named ACL and do not use any deny statements
- The configuration should be done on SW3

SW3
ip access-list extended VLAN500_USER
 permit tcp any eq smtp 10.110.188.0 0.0.0.255
 permit udp any eq domain 10.110.188.0 0.0.0.255
 permit tcp any eq www 10.110.188.0 0.0.0.255
 permit tcp any eq telnet 10.110.188.0 0.0.0.255
 permit icmp any 10.110.188.0 0.0.0.255
interface vlan 500
 ip access-group VLAN500_USER out
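
The ACL above has no deny statements, so it filters through the implicit deny alone, and it matches return traffic by source port as it leaves the SVI towards VLAN 500. The Python sketch below is an added example, not part of the original solution: it evaluates constructed packets against the page's entries to show which ones hit a permit and which fall to the implicit deny. The function names and sample packets are assumptions for illustration, and the wildcard mask is written as 0.0.0.255.

```python
import ipaddress

# The page's VLAN500_USER entries, with the wildcard mask written as 0.0.0.255.
ACL = """\
permit tcp any eq smtp 10.110.188.0 0.0.0.255
permit udp any eq domain 10.110.188.0 0.0.0.255
permit tcp any eq www 10.110.188.0 0.0.0.255
permit tcp any eq telnet 10.110.188.0 0.0.0.255
permit icmp any 10.110.188.0 0.0.0.255
"""
PORTS = {"smtp": 25, "domain": 53, "www": 80, "telnet": 23}  # IOS keywords used above

def ip(text):
    return int(ipaddress.IPv4Address(text))

def parse(acl_text):
    """Parse 'permit <proto> any [eq <port>] <network> <wildcard>' entries."""
    rules = []
    for line in acl_text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] != "permit" or tok[2] != "any":
            raise ValueError(f"unsupported entry: {line}")
        proto, rest, sport = tok[1], tok[3:], None
        if rest[0] == "eq":                      # source-port match
            sport, rest = PORTS[rest[1]], rest[2:]
        network, wildcard = rest
        rules.append((proto, sport, ip(network), ip(wildcard)))
    return rules

def evaluate(rules, proto, src_port, dst_ip):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    dst = ip(dst_ip)
    for number, (r_proto, r_sport, network, wildcard) in enumerate(rules, 1):
        port_ok = r_sport is None or r_sport == src_port
        # Wildcard bits set to 1 are ignored in the address comparison.
        if r_proto == proto and port_ok and (dst | wildcard) == (network | wildcard):
            return f"permit (entry {number})"
    return "implicit deny"

if __name__ == "__main__":
    rules = parse(ACL)
    # Constructed packets leaving the SVI towards VLAN 500: (proto, source port, destination).
    for pkt in [("tcp", 80, "10.110.188.10"), ("udp", 53, "10.110.188.10"),
                ("tcp", 53, "10.110.188.10"), ("tcp", 443, "10.110.188.10"),
                ("icmp", None, "10.110.188.10"), ("tcp", 80, "10.110.189.10")]:
        print(pkt, "->", evaluate(rules, *pkt))
```

DNS replies over TCP and HTTPS replies match no entry and are dropped, while the telnet entry present in the configuration permits replies from source port 23.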

4.7 Network Time Protocol (NTP)


- R1 should be master 1
- R3 and R5 should be clients and authenticate with the server
- Use NTP authentication key cisco
- Calendar should update periodically
- The clocks should survive a router reload

R1
ntp authentication-key 1 md5 cisco
ntp trusted-key 1
ntp master 1
ntp update-calendar

R3/R5
ntp authentication-key 1 md5 cisco
ntp authenticate
ntp trusted-key 1
ntp update-calendar
ntp server 110.1.1.1 key 1
ntp source Loopback0
