
K8 QUESTION BOOK

CCIE SOLDIER

Section 1 - Layer 2 Technologies

1.1 Troubleshoot Layer 2 Switching
Two faults have been injected into the preconfigured network. These issues may impede a working solution for certain portions of this lab exam, and they can affect any lab exam section. You must verify that all of your configurations work as expected. If something is not working as expected, then you must fix the underlying problem.
Points will be awarded for solving each problem correctly. However, if you fail to solve a particular problem and the injected fault prevents you from having a working solution in any section of this lab, then you will lose points both for the fault and for the scenario that is not working.
NOTE:
- There are no physical faults. ALL hardware is in working order, and you do not need to physically touch any device or cable in order to solve a problem.
- Depending on the scenario, resolving a fault may require either one or multiple command lines on one or multiple devices.

1.2 Implement Access Switch Ports of Switched Network
Configure all of the appropriate non-trunking switch ports on SW1-SW4 according to the following requirements:
- The VTP domain must be CCIE with the password cisco.
- VTP version 2 must be configured with SW1 as server; the VLAN databases of SW2, SW3 and SW4 must be updated by SW1.
- After synchronization, all four switches (SW1/SW2/SW3/SW4) must run in VTP transparent mode.
- Configure the VLAN IDs and names according to the table below (names are case sensitive).
- Assign the access ports to VLANs according to the diagram.
- All unused ports, including the Gigabit ports, must be placed in access VLAN 999 and shut down.

VLANs:
VLAN_ID  NAME
16       R1toSW1
18       R1toSW3
28       R2toSW3
36       R3toSW1
45       R4toR5
68       SW1toSW3
69       SW1toSW4
89       SW3toSW4
100      BB1
200      BB2
300      BB3
500      Client
999      Unused

1.3 Spanning-Tree Domains for Switched Network
Configure STP on all four switches as per the following requirements:
- All switches must run a separate STP instance for each VLAN.
- All STP instances must use the default hello, forward-delay and max-age timers.
- Enable rapid convergence on all four switches.
- SW1 must be elected the root switch for ALL VLANs (effectively, for the entire range of all possible VLAN IDs).
- SW2 must be elected the backup (secondary root) switch for ALL VLANs (effectively, for the entire range of all possible VLAN IDs).
- Ensure that both SW1 and SW2 have the best chance of keeping their respective root or backup role even if a new switch is added to the topology later on.
- Ensure that SW1, SW2 and SW3 neither send BPDUs nor process received BPDUs on their port Fa0/10 only.
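As an added configuration example for task 1.2 (not taken from the question book), the VTP sequence on Cisco IOS Catalyst switches, followed by the blackholing of unused ports. The interface ranges for the unused ports are placeholders, because the access-port diagram is not reproduced on this page:

```ios
! SW1: VTP server that owns the VLAN database
vtp domain CCIE
vtp password cisco
vtp version 2
vtp mode server
!
vlan 16
 name R1toSW1
vlan 18
 name R1toSW3
vlan 28
 name R2toSW3
vlan 36
 name R3toSW1
vlan 45
 name R4toR5
vlan 68
 name SW1toSW3
vlan 69
 name SW1toSW4
vlan 89
 name SW3toSW4
vlan 100
 name BB1
vlan 200
 name BB2
vlan 300
 name BB3
vlan 500
 name Client
vlan 999
 name Unused
!
! SW2, SW3, SW4: clients until their database matches SW1
vtp domain CCIE
vtp password cisco
vtp version 2
vtp mode client
!
! Check on every client that the configuration revision equals SW1's
! and that all 13 VLANs are present before leaving client mode:
SW2#show vtp status
SW2#show vlan brief
!
! Only then, on all four switches:
vtp mode transparent
!
! Unused ports (placeholder ranges): parked in the blackhole VLAN and shut
interface range FastEthernet0/11 - 24 , GigabitEthernet0/1 - 2
 switchport mode access
 switchport access vlan 999
 shutdown
```

Two points worth checking in this order of operations. A switch moved to transparent mode keeps whatever VLAN database it has at that moment and ignores further advertisements, so verify the revision number on each client before the final step; once all four are transparent, a rogue device announcing the CCIE domain with a higher revision can no longer wipe the VLAN database, which is the usual reason for ending in transparent mode. The VTP password is what protects the database during the short server/client phase; in transparent mode it is only relayed in forwarded advertisements.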

1.4 Switch Trunking and Etherchannel
Refer to "Diagram 5: Trunk ports", and configure your network as per the following requirements:
- All inter-switch links must use 802.1Q encapsulation.
- Disable DTP on all trunks.
- Ensure that the native VLAN (VLAN 1) is always tagged.
- On each switch, configure three 200 Mb/s fault-tolerant links relying on the IEEE 802.3ad standard.
- Traffic forwarded through these fault-tolerant links must be load-balanced based on the source and destination MAC addresses.
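The following is an added example for tasks 1.3 and 1.4 (not from the question book) showing the STP placement and the trunk hardening on Cisco IOS Catalyst switches. Fa0/19-20 as one 802.3ad bundle is an assumption; the real port numbers are on Diagram 5, which is not on this page:

```ios
! SW1: root for every VLAN that can ever exist
spanning-tree mode rapid-pvst
spanning-tree vlan 1-4094 priority 0
!
! SW2: backup root, one priority step above SW1
spanning-tree mode rapid-pvst
spanning-tree vlan 1-4094 priority 4096
!
! SW3 and SW4: rapid PVST only, default priority
spanning-tree mode rapid-pvst
!
! SW1, SW2, SW3: Fa0/10 neither sends nor processes BPDUs
interface FastEthernet0/10
 spanning-tree bpdufilter enable
!
! All switches: tag the native VLAN on every 802.1Q trunk
vlan dot1q tag native
!
! One of the three 200 Mb/s bundles (assumed member ports)
interface range FastEthernet0/19 - 20
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode active
!
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
port-channel load-balance src-dst-mac
!
! Verification
SW1#show spanning-tree root
SW1#show interfaces trunk
SW1#show etherchannel 1 summary
```

Priority 0 and 4096 are the lowest values the 4096-step rule allows, so no later switch with an equal priority can win on bridge ID without also having a lower MAC address. The interface-level `spanning-tree bpdufilter enable` removes STP from Fa0/10 entirely: a loop introduced through that port will not be detected, which is the trade-off the task accepts. `switchport nonegotiate` only takes effect once the port mode is set explicitly to trunk, which is why `switchport mode trunk` precedes it.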

1.5 LAN Feature
Configure your network as per the following requirements:
- Ensure that only the legitimate router interface is allowed to connect to Fa0/1 and Fa0/2 of SW1 (refer to "Diagram 6: Access ports").
- SW1 must dynamically learn these legitimate MAC addresses and automatically save them in the configuration file.
- Ensure that SW1 does not need to relearn the legitimate MAC addresses after SW1 is restarted.
- SW1 must shut down the port if a security violation occurs on either of these two ports.
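An added example of sticky port security for task 1.5 on SW1 (Cisco IOS Catalyst; not from the question book). The MAC address shown in the comment is a placeholder for whatever the switch learns:

```ios
! SW1, Fa0/1 and Fa0/2: one sticky-learned MAC per port, err-disable on violation
interface range FastEthernet0/1 - 2
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! After the router sends its first frame the learned address is written into
! the running configuration by the switch itself, as a line of the form
!   switchport port-security mac-address sticky 0011.2233.4455   (placeholder)
! It must be saved, otherwise it is relearned after a reload:
SW1#copy running-config startup-config
!
! Optional: recover a violated port automatically instead of by hand
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification
SW1#show port-security interface FastEthernet0/1
SW1#show port-security address
```

Sticky learning binds the port to the first source MAC seen, so bring the port up while only the legitimate router is attached. With `violation shutdown` a second MAC puts the port in err-disabled state, and without the optional recovery lines it stays down until someone issues `shutdown` / `no shutdown` on it.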

1.6 Advanced LAN Feature
Five users will connect to the network via VLAN 500 on Fa0/1 to Fa0/5 of SW4. Configure your network as per the following requirements:
- Ensure that these five ports start forwarding traffic as soon as a workstation is connected to them.
- Ensure that these five ports are allowed to communicate with their Layer 3 gateway (the VLAN 500 SVI on SW3) and are prohibited from directly sending frames to each other.
- Ensure that none of these five ports forwards flooded traffic due to an unknown unicast or unknown multicast.
- Do not use private VLANs.
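An added example for task 1.6 on SW4 (Cisco IOS Catalyst; not from the question book), using protected ports and port blocking instead of private VLANs:

```ios
! SW4, Fa0/1-5: VLAN 500 user ports, isolated from one another
interface range FastEthernet0/1 - 5
 switchport mode access
 switchport access vlan 500
 spanning-tree portfast
 switchport protected
 switchport block unicast
 switchport block multicast
!
! Verification
SW4#show interfaces FastEthernet0/1 switchport
```

`switchport protected` stops frames from being forwarded between protected ports on the same switch; the trunk towards SW3, where the VLAN 500 SVI lives, is not protected, so host-to-gateway traffic is unaffected. The isolation is strictly local to SW4: two protected ports on different switches can still reach each other through the trunks, which is why the task fixes all five users on SW4. `switchport block unicast/multicast` suppresses the flooding of unknown-destination frames out of these ports; known unicast and IGMP-snooped multicast still flow.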

1.7 WAN Technology
Configure your network as per the following requirements:
- Configure PPP on the serial link between R3 and R5.
- Configure Frame Relay on the serial links between R5, R1, R4 and R2.
- All Frame Relay interfaces must be able to ping the neighboring IPv4 address as well as their own IPv4 address.
- Use the interface and DLCI numbers indicated in "Diagram 8: Frame-Relay" in order to accomplish this task.
- Disable Frame Relay Inverse ARP on all Frame Relay interfaces.
- Do not disable the interface keepalives.

Section 2 - Layer 3 Technologies

2.1 IPv4 OSPF
Configure OSPFv2 as per "Diagram 1: IGP Routing" and according to the following requirements:
- The OSPF process ID must be 100 for all OSPF devices.
- The OSPF router IDs must be stable and must be configured using the IP address of interface Loopback0.
- Loopback0 interfaces must be advertised in the OSPF area shown in "Diagram 1: IGP Routing" and must appear as host routes.
- The VLAN 500 interface of SW3 must be configured into OSPF area 500, but no OSPF hello may be sent out of this interface.
- Ensure that SW1 is elected as the Designated Router on all three VLAN interfaces (VLAN 16, 36 and 68) and ensure that it maintains the best chance of being re-elected as such.
- The f0/1 interface of R1 and the f0/0 interface of R3 must always remain in the DROTHER state.
- OSPF area 1 must be configured as a stub area that still allows the injection of external routes.
- Enable label switching on the serial interfaces between R1, R3 and R5 by using LDP. Ensure that the LDP sessions are always sourced from the Loopback0 interface on all devices.
- Do not create additional OSPF areas.
- Do not use any IP address not listed in "Diagram 1: IGP Routing" unless explicitly required.
- Do not enable OSPF on any interfaces other than the ones shown in "Diagram 1: IGP Routing" unless explicitly required.

2.2 IPv4 EIGRP
Configure your network as per the following requirements:
- Configure EIGRP AS YY and EIGRP AS 100 as per "Diagram 1: IGP Routing".
- Disable automatic summarization in both autonomous systems.
- SW4 must receive six EIGRP external prefixes from BB3.
- Configure the delay of interface f0/1 on both R4 and R5 to 100 milliseconds (10,000 tens of microseconds).
- Enable LDP on the serial interfaces between R1, R2, R4 and R5 as well as on the FastEthernet link between R4 and R5. Ensure that the LDP sessions are always sourced from the Loopback0 interface on all devices.

2.3 IPv4 RIP
Configure RIP version 2 as per "Diagram 1: IGP Routing" and according to the following requirements:
- Disable automatic summarization.
- RIP must be enabled only on the required interfaces; no other interface may send any RIP updates.

2.4 Redistribution: EIGRP into OSPF
Configure your network as per the following requirements:
- Redistribute OSPF into EIGRP and vice versa on R5 only. Do not redistribute anywhere else between these two protocols.
- Ensure that all EIGRP routers are still able to reach any OSPF prefix when the link between R4 and R5 fails.
- The interface VLAN 500 of SW3 must appear as a prefix in area 0 only. It must never appear in any other area, and your solution must remain valid even if a new area is added to the OSPF domain.
- Do not modify the administrative distance of OSPF.

2.5 Redistribution: EIGRP versus RIP
Configure your network as per the following requirements:
- Redistribute EIGRP 100 into RIPv2 and vice versa on SW4.
- Redistribute OSPF into RIPv2 on SW1 only. Do not redistribute RIPv2 into OSPF.
- Ensure that SW1 originates a default route everywhere into the OSPF domain.
- Ensure that all devices (except SW2) in your topology can reach 150.3.YY.254.
- Do not use any static route to resolve any routing issue.
At this point in your lab, you must be able to reach every internal IP address from any device (except SW2).

2.6 IPv4 IBGP
Configure your network as per "Diagram 2: BGP Routing" and according to the following requirements:
- With the exception of R1, all routers in BGP AS YY must have only one IBGP neighbor.
- Secure all IBGP sessions with an MD5 hash; use the string "cisco" (without quotes) as the password.
- All BGP connections must survive a physical link failure.
- R1 must always be the side that initiates the TCP session for each of its BGP connections.
- Configure "no bgp default ipv4-unicast" on all BGP speakers.
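An added example for task 2.6 (not from the question book) showing one R1-R5 session with the three properties the task asks for: MD5-protected, loopback-sourced so it survives a link failure, and always opened by R1. Rack 10 is assumed, as in the sample outputs on this page; 110.5.5.5 is R5's Loopback0 from task 4.3, and R1's Loopback0 (110.1.1.1) is a placeholder:

```ios
! R1: the only router with several iBGP neighbors; active side of every session
router bgp 10
 no bgp default ipv4-unicast
 neighbor 110.5.5.5 remote-as 10
 neighbor 110.5.5.5 password cisco
 neighbor 110.5.5.5 update-source Loopback0
 neighbor 110.5.5.5 transport connection-mode active
 address-family ipv4
  neighbor 110.5.5.5 activate
!
! R5: one iBGP neighbor (R1); never opens the TCP connection itself
router bgp 10
 no bgp default ipv4-unicast
 neighbor 110.1.1.1 remote-as 10
 neighbor 110.1.1.1 password cisco
 neighbor 110.1.1.1 update-source Loopback0
 neighbor 110.1.1.1 transport connection-mode passive
 address-family ipv4
  neighbor 110.1.1.1 activate
!
! Verification: local port 179 on R5, ephemeral local port on R1
R1#show ip bgp neighbors 110.5.5.5 | include Local host|Foreign host|password
R5#show ip bgp neighbors 110.1.1.1 | include Local host|Foreign host
```

`update-source Loopback0` only helps if the loopbacks are reachable through the IGP after a link failure, which tasks 2.1 and 2.2 guarantee. The MD5 password protects the TCP session with the RFC 2385 option, not the configuration: the string is stored in the running configuration (type 7 at best with `service password-encryption`), so treat the config file as sensitive. Since `no bgp default ipv4-unicast` is set, each neighbor has to be activated explicitly under the address family.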

2.7 IPv4 EBGP
Configure your network as per "Diagram 2: BGP Routing" and according to the following requirements:
- Establish EBGP between AS YY and AS 254 on both R4 and R5 by using their physical interfaces.
- The prefixes of VLAN_100 and VLAN_200 may appear as a BGP next-hop address on R4 and R5 only.
- Configure AS 144 on SW4 to peer with AS YY.
- Ensure that SW4 installs in its routing table two equal-cost paths for any BGP prefix originated in AS 254.
- Ensure that SW3 load-balances any traffic destined to AS 254 through both R1 and R2. Use the following command to verify this requirement:

Rack10SW3#sh ip cef 197.168.1.1
197.168.1.0/24
  nexthop 10.10.18.1 Vlan18
  nexthop 10.10.28.2 Vlan28

2.8 MPLS and L3VPN
SW2 is simulating two distant customer sites in BGP AS 777 that are interconnected with an L3VPN provided by your core network. The interface Loopback71 of SW2 simulates SITE1, which is connected to R3, and the interface Loopback72 simulates SITE2, which is connected to R2. Refer to "Diagram 3" for more details.
Configure your network as per the following requirements:
- R2 and R5 must exchange VPN prefixes via BGP by using the route distinguisher 2:2.
- R3 and R5 must exchange VPN prefixes via BGP by using the route distinguisher 3:3.
- R2 and R3 may not peer directly with one another.
- Configure "mpls ldp explicit-null" on both PEs.
- SW2 must maintain two separate routing tables, one for each site, as described in "Diagram 3". The only prefix that SW2 may see in its global routing table is its preconfigured Loopback0 interface.
- Your configuration must fully reconverge after a reload of any PE router at the end of the exam.
Verify your solution by using the following commands on SW2.

Rack10SW2#ping vrf SITE2 71.71.71.71 source lo72
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 71.71.71.71, timeout is 2 seconds:
Packet sent with a source address of 72.72.72.72
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/9 ms

Rack10SW2#traceroute vrf SITE2
Protocol [ip]:
Target IP address: 71.71.71.71
Source address: 72.72.72.72
Numeric display [n]:
Resolve AS number in (G)lobal table, (V)RF or (N)one [G]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 71.71.71.71
  1 172.16.27.2 0 msec 0 msec 9 msec
  2 10.10.24.4 8 msec 9 msec 8 msec
  3 10.10.14.1 50 msec 93 msec 100 msec
  4 10.10.15.5 17 msec 17 msec 17 msec
  5 172.16.37.3 8 msec 8 msec 9 msec
  6 172.16.37.7 8 msec * 0 msec

Rack10SW2#ping vrf SITE1 72.72.72.72 source lo71
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 72.72.72.72, timeout is 2 seconds:
Packet sent with a source address of 71.71.71.71
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/10/17 ms

Rack10SW2#traceroute vrf SITE1
Protocol [ip]:
Target IP address: 72.72.72.72
Source address: 71.71.71.71
Numeric display [n]:
Resolve AS number in (G)lobal table, (V)RF or (N)one [G]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 72.72.72.72
  1 172.16.37.3 0 msec 8 msec 0 msec
  2 10.110.35.5 42 msec 84 msec 92 msec
  3 10.10.15.1 17 msec 17 msec 8 msec
  4 10.10.14.4 17 msec 17 msec 8 msec
  5 172.16.27.2 9 msec 17 msec 8 msec
  6 172.16.27.7 8 msec * 9 msec

2.9 IPv6 Addressing
Preconfiguration: all IPv6 addresses were preconfigured as follows. All global unicast addresses match 2001:RR:YY:SS::HH/MM, where:
- RR is the identifier of the routing domain (YY for EIGRP YY, 1YY for OSPF).
- YY stands for your two-digit rack number, written in decimal format.
- SS is the third octet of the IPv4 address of the same interface, written in decimal format.
- HH is the fourth octet of the IPv4 address of the same interface, written in decimal format.
- MM is the subnet mask and must be /128 for loopback interfaces and /64 for other interfaces.
Question text:
Configure your network as per "Diagram 4: IPv6 Routing" and according to the following requirements:
- Configure EIGRPv6 YY on all routers in the EIGRPv4 AS YY.
- Use the Loopback0 IPv4 address as the EIGRPv6 router ID.
- Configure area 0 of OSPFv3 between SW1 and SW3, as shown in "Diagram 4: IPv6 Routing". The OSPFv3 process ID must be 100.
- Redistribute OSPFv3 into EIGRPv6 and vice versa on SW3.
- Ensure that there is full reachability among all IPv6 speakers.
(The diagram shows the loopbacks of SW1 and SW3 in OSPFv3 area 0 and the loopbacks of R5, R2, R4 and R1 in EIGRPv6 AS YY.)

2.10 IPv6 Routing
Configure your network as per "Diagram 4: IPv6 Routing" and according to the following requirements:
- Configure a tunnel between R1 and R3 to transport IPv6 traffic from R3 to the EIGRPv6 domain.
- The tunnel transport mode must be GRE, and it must be resilient to a single physical link failure.
- The tunnel must use the IPv6 prefix 2001:13:13:13::/64.
- Extend the EIGRPv6 domain YY to R3 over the tunnel.
- R3 must be able to reach the Loopback0 interface of SW1 via the tunnel.
(The diagram shows Lo0 of R3 in EIGRPv6 AS YY.)

Section 3 - IP Multicast

3.1 Multicast
Configure multicast in your network as per the following requirements:
- Enable multicast on all interfaces belonging to OSPF 100 and EIGRP YY (including Loopback0 interfaces).
- The network should never have to flood and prune multicast traffic unnecessarily.
- Add a Loopback1 interface on both R2 and R3 with the same IP address, 200.100.100.100.
- R2 must advertise Loopback1 into EIGRP YY; R3 must advertise Loopback1 into OSPF 100.
- Each Loopback1 must be elected as the rendezvous point (RP) in its respective domain and must also be used as the source of the mapping information broadcasts.
- Use a non-proprietary method to discover and announce the RP information.
- Multicast sources are located in VLAN 68, and receivers are located on the link between R4 and R5.
- Simulate the receivers with a static join on the f0/1 interface of R4.
- Receivers must be able to receive traffic sent to the group 232.1.1.1 from SW1.
- Ensure that R2 is the actual RP in use in the EIGRP domain, that R3 is the actual RP in use in the OSPF domain, and that R3 sends its source-active cache to R2.

3.2 Advanced Multicast Feature
Continue configuring multicast in your network as per the following requirements:
- Ensure that both RPs process join requests for group 232.1.1.1 only.
- Ensure that only the authorized sources (located in VLAN_68) are allowed to register with the RPs.
- Do not use any route-map or named access-list to achieve this task.

Section 4 - Advanced IP Features

4.1 First Hop Redundancy
Configure your network as per the following requirements:
- Both R4 and R5 must provide automatic default gateway backup for hosts located on VLAN 45 by using the virtual IP address 10.YY.45.1/24.
- Ensure that both R4 and R5 participate at the same time in forwarding traffic destined to the virtual IP address, with R4 weighted at 150 and processing three clients for every one processed by R5.
- Use the password "CCIE123" (without quotes) to secure the relationship between R4 and R5, and use the strongest security available. (Do not use a keychain to accomplish this requirement.)
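An added example for task 4.1 (not from the question book). Both routers forwarding at the same time with a per-router weight points to GLBP rather than HSRP or VRRP, and the strongest non-keychain authentication GLBP offers is MD5 with an inline key string. Rack 10 is assumed for the virtual address (10.YY.45.1 becomes 10.10.45.1), and the interface addresses are taken as preconfigured:

```ios
! R4: weight 150, serves 3 of every 4 clients
interface FastEthernet0/1
 glbp 1 ip 10.10.45.1
 glbp 1 load-balancing weighted
 glbp 1 weighting 150
 glbp 1 authentication md5 key-string CCIE123
!
! R5: weight 50, serves 1 of every 4 clients
interface FastEthernet0/1
 glbp 1 ip 10.10.45.1
 glbp 1 load-balancing weighted
 glbp 1 weighting 50
 glbp 1 authentication md5 key-string CCIE123
!
! Verification: both routers should be listed as active forwarders (AVF)
R4#show glbp brief
R4#show glbp 1 | include Authentication|Weighting|Load balancing
```

With weighted load balancing the AVG hands out virtual MACs in proportion to the weights, so 150:50 yields the 3:1 client split the task describes. The MD5 key string must match on both sides or the peers never form a group; a mismatch shows up as each router electing itself AVG with a single forwarder, which is the first thing to look for when `show glbp brief` does not list the neighbor.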

4.2 L2 Security
Consider that three servers (SMTP, WEB, DNS) connected to VLAN 500 on SW3 must be reachable from any host anywhere in the network. Many users are connected to VLAN 500 on SW3 as well and are allowed to connect to these local servers. These users must also be allowed to connect to other SMTP, WEB and DNS servers located outside of VLAN 500. A number of these users are abusing the link with unnecessary traffic.
Configure your network as per the following requirements:
- Create a filter on SW3 to allow only legitimate traffic (SMTP: TCP port 25, WEB: TCP port 80, DNS: UDP port 53, ICMP: all types) on VLAN 500, going from and to any hosts. (Do not specify any IP address in the filter.)
- All non-legitimate traffic must be dropped.
- Use a single named access-list to accomplish this task.
- Do not include any deny statement in the access-list.
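An added example for task 4.2 (not from the question book): a VLAN access map on SW3 driven by one named ACL with permit entries only. The map and ACL names are arbitrary choices:

```ios
! SW3: every legitimate flow in both directions, no addresses, no deny lines
ip access-list extended LEGIT
 permit tcp any any eq smtp
 permit tcp any eq smtp any
 permit tcp any any eq www
 permit tcp any eq www any
 permit udp any any eq domain
 permit udp any eq domain any
 permit icmp any any
!
! A VLAN map with one IP match entry and no catch-all
vlan access-map VLAN500_FILTER 10
 match ip address LEGIT
 action forward
!
vlan filter VLAN500_FILTER vlan-list 500
!
! Verification
SW3#show vlan access-map VLAN500_FILTER
SW3#show vlan filter
```

The reason no "action drop" sequence is needed is how Catalyst VLAN maps treat the end of the map: when the map contains at least one match clause for a packet type (here IP) and the packet matches none of them, the packet is dropped, while a packet type with no match clause at all (non-IP, i.e. ARP) is forwarded. Adding an explicit trailing `action drop` entry without a match clause would drop ARP as well and break the VLAN, so after applying the filter verify that a VLAN 500 host can still resolve its gateway (`show arp` on the host or SVI) and that an unrelated TCP port is indeed blocked. Because the return-direction lines such as `permit tcp any eq www any` are stateless, a scanner sourcing from port 80 gets through; if the task's address constraint did not apply, appending `established` to those lines would tighten that.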

4.3 Device Security: SSH
Configure R5 as per the following requirements:
- The administrator user "admin" must be able to use the SSH protocol in order to manage the router by using the password "ccie". This user must receive the enable prompt directly when logging in to R5.
- The user "guest" must be able to use the SSH protocol in order to connect to the router by using the password "cisco". This user must receive the user-mode (non-enable-mode) prompt when logging in to R5.
- Disable all non-SSH access methods on the VTY lines of R5. Do not use the command "access-class" to accomplish this.
- Allow a maximum of 16 users to connect concurrently at any point in time.
- Configure the domain name "ccie.com" on R5.
- Ensure that the console does not require a username prompt and that it presents the user with the user-mode (non-enable-mode) prompt.
- Do not modify the enable password.
Verify your solution by using R3 as the SSH client and check that the following commands succeed as expected.

Rack10R3#ssh -l admin 110.5.5.5
Rack10R3#ssh -l guest 110.5.5.5

4.4 PBR
Configure your network as per the following requirements:
- Create interface Loopback148 on SW3 with the IP address 148.0.0.8/32 and add it into EIGRP YY by any means available.
- Create interface Loopback148 on R4 with the IP address 148.0.0.4/32 and add it into EIGRP YY by any means available.
- Traffic sourced from Loopback148 of SW3 and destined to Loopback148 of R4 (and only this traffic) must always leave SW3 via interface VLAN 18; no other interface may ever transmit these packets.
- SW3 must load-balance (between R1 and R2) any other traffic destined to Lo148 of R4.
- In case interface VLAN 18 of SW3 is not operational, packets between Lo148 of SW3 and Lo148 of R4 must be dropped on SW3.
- Use a single numbered extended access-list with a single entry in order to accomplish this requirement.
- Do not modify any EIGRP parameter anywhere to accomplish this requirement.

Use the following tests to validate your solution:

Rack10SW3#trace
Protocol [ip]:
Target IP address: 148.0.0.4
Source address: 148.0.0.8
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 148.0.0.4
  1 10.10.18.1 4 msec 4 msec 4 msec
  2 10.10.14.4 0 msec * 4 msec

Rack10SW3#trace 148.0.0.4
Type escape sequence to abort.
Tracing the route to 148.0.0.4
  1 10.10.18.1 4 msec
    10.10.28.2 4 msec
    10.10.18.1 4 msec
  2 10.10.24.4 4 msec
    10.10.14.4 4 msec *

4.5 L3VPN Quality of Service
The MPLS-enabled routers in your network have been preconfigured to service three classes of traffic based on the MPLS experimental bits. The PE routers are also provisioning three classes of traffic towards the CE routers. R1 contains a policy that will remark traffic for testing purposes. Do not modify this policy.
Configure both PE routers in your network as per the following requirements:
- The traffic leaving the MPLS core and going to the CE must be remarked using the latest value found in the MPLS experimental bits.
- Both PE routers must shape the traffic towards the CEs to a 3 Mb/s CIR.
- Your solution must include the existing QoS preconfigurations.
- Do not create any new non-default class-map to accomplish the above requirements (i.e. if you need to create any new class-map, it must be class-default).
You may check your solution by using an extended ping with the TOS value set to 160. Counters must increment accordingly on the class CRITICAL of the egress policy of the remote PE.

4.6 Device Security
Configure and apply on R5 a single ingress policy-map named "CONTROL" that contains exactly three user-defined class-maps according to the following requirements:
- Configure a class-map called "SSH_POLICE" according to the following requirements:
  - Any SSH session initiated from VLAN 18 and destined to the interface Se0/0/1 of R5 must not be policed.
  - Police all other SSH traffic to 16 kb/s. The conform-action must be "transmit", the exceed-action must be "drop", and the burst value must not be configured.
  - Configure a named access-list called "SSH" in order to classify the above SSH traffic.
- Configure another class-map called "BLOCK" according to the following requirements:
  - HTTP (destined to port 80) and HTTPS (destined to port 443) traffic sourced from any host located on VLAN 500 and destined to anywhere must be dropped.
  - Configure a named access-list called "HTTP" containing exactly two entries in order to classify the above HTTP and HTTPS traffic.
  - Configure another named access-list called "ALL_ICMP" containing the single statement "permit icmp any any".
  - The class-map "BLOCK" must drop the traffic matched by these two access-lists ("HTTP" and "ALL_ICMP").
- Configure another class-map called "ICMP_LIMIT" according to the following requirements:
  - ICMP echo and echo-reply to or from anywhere must be policed to 100 p/s, allowing 10 packets in burst.
  - Configure a named access-list called "ICMP_ECHO" in order to classify the above ICMP echo and echo-reply traffic.
- Do not use any "match not" statement in any class-map.
- Ensure that any device (except SW2) can still ping the interfaces of R5.
- All class-map and access-list names are case sensitive and must not include any quotes.
Note: kb/s = kilobits per second and p/s = packets per second.
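The following added example (not from the question book) covers both device-security tasks on R5, 4.3 and 4.6, in one configuration. Rack 10 is assumed as in the page's outputs, so VLAN 18 is 10.10.18.0/24; the Se0/0/1 address (10.10.15.5) and the VLAN 500 subnet (10.110.50.0/24) are placeholders, because neither is stated on this page:

```ios
! ---- 4.3: SSH-only management, local users, console stays in user mode ----
ip domain-name ccie.com
crypto key generate rsa modulus 2048
ip ssh version 2
!
username admin privilege 15 secret ccie
username guest privilege 1 secret cisco
!
line vty 0 15
 login local
 transport input ssh
!
line con 0
 no login
 privilege level 1
!
! ---- 4.6: ingress policy CONTROL ----
! SSH ACL: the deny line excludes VLAN18 -> Se0/0/1 from classification
ip access-list extended SSH
 deny   tcp 10.10.18.0 0.0.0.255 host 10.10.15.5 eq 22
 permit tcp any any eq 22
!
ip access-list extended HTTP
 permit tcp 10.110.50.0 0.0.0.255 any eq 80
 permit tcp 10.110.50.0 0.0.0.255 any eq 443
!
ip access-list extended ALL_ICMP
 permit icmp any any
!
ip access-list extended ICMP_ECHO
 permit icmp any any echo
 permit icmp any any echo-reply
!
class-map match-all SSH_POLICE
 match access-group name SSH
class-map match-any BLOCK
 match access-group name HTTP
 match access-group name ALL_ICMP
class-map match-all ICMP_LIMIT
 match access-group name ICMP_ECHO
!
! Class order matters: echo/echo-reply must hit ICMP_LIMIT before BLOCK
policy-map CONTROL
 class ICMP_LIMIT
  police rate 100 pps burst 10 packets
 class SSH_POLICE
  police 16000 conform-action transmit exceed-action drop
 class BLOCK
  drop
!
! Apply inbound on every interface of R5 (one shown)
interface Serial0/0/1
 service-policy input CONTROL
!
! Verification
R5#show policy-map interface Serial0/0/1 input
R5#show ip ssh
```

Two design points. First, `login local` on the VTY lines plus a privilege-15 user is what gives "admin" the enable prompt without touching the enable password; `aaa new-model` is deliberately absent, since it would also enforce login on the console, which the task forbids. Second, a deny entry in the SSH ACL is not a "match not": the packet simply fails classification and falls through, so the exempt sessions are never policed. Because BLOCK drops all ICMP it matches, a policy that listed BLOCK before ICMP_LIMIT would silently break the "any device can still ping R5" requirement; `show policy-map interface` counters per class are the quickest way to confirm the ordering is right.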

4.7 Network Services
Configure your network as per the following requirements:
- R1 is the NTP master (stratum 1).
- R3 and R5 must synchronize their clocks to the clock of R1.
- Ensure that all three devices retain the clock between reboots.
- All NTP peers must use their Loopback0 interface as the NTP source.

Section 5 - Optimize the Network

5.1 Network Management
Configure R1 as per the following requirements:
- Track all changes to the running configuration.
- Notify the syslog server 10.1YY.69.100 when any configuration change happens.
- Retain the last 10 entries in the configuration log.
- Suppress the display of password information in the configuration log files.
- Ensure that configuration changes are not saved to the local file system.

5.2 Network Management
In order to avoid hitting a (fictive) software defect on R3, the vendor support engineer recommends bouncing (shut / no shut) both GigabitEthernet interfaces of R3 as soon as it restarts. Configure R3 as per the following requirements:
- Write a Cisco IOS EEM applet named "BOUNCEGIG" that automates the above task.
- Use the "%SYS-5-RESTART" syslog pattern in order to trigger the script when R3 has restarted.
- Ensure that the script bounces interface Gig0/0 first, then bounces interface Gig0/1.
Test your solution and ensure that there is an entry in the EEM event history similar to the following output.

Rack10R3#sh event manager history events
No.  Time of Event              Event Type  Name
1    Fri Mar 1 00:00:03 2002    syslog      applet: BOUNCEGIG
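An added example for tasks 5.1 and 5.2 (not from the question book): configuration-change auditing on R1 and the restart-triggered applet on R3. Rack 10 is assumed, so the syslog server 10.1YY.69.100 becomes 10.110.69.100:

```ios
! ---- 5.1 on R1: in-memory config change log, exported to syslog ----
archive
 log config
  logging enable
  logging size 10
  hidekeys
  notify syslog
!
logging host 10.110.69.100
!
! No "path" and no "write-memory" under archive: nothing is written to flash,
! only the last 10 change records are kept in memory and sent to syslog.
!
R1#show archive log config all
!
! ---- 5.2 on R3: bounce Gig0/0 then Gig0/1 after a restart ----
event manager applet BOUNCEGIG
 event syslog pattern "%SYS-5-RESTART"
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface GigabitEthernet0/0"
 action 4.0 cli command "shutdown"
 action 5.0 cli command "no shutdown"
 action 6.0 cli command "interface GigabitEthernet0/1"
 action 7.0 cli command "shutdown"
 action 8.0 cli command "no shutdown"
 action 9.0 cli command "end"
!
R3#show event manager policy registered
R3#show event manager history events
```

`hidekeys` is what keeps passwords and key strings out of the change records and therefore out of the syslog feed, which otherwise becomes a cleartext copy of every secret typed into the router. The two tasks reinforce each other: an EEM applet that runs configuration commands on a trigger is itself a persistence mechanism an attacker with config access could abuse, and the 5.1 change log is exactly the control that records who created or modified such an applet. The action numbers are string-sorted labels, so keep them zero-padded or dotted as above if more than nine steps are ever added.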
