CCIE SOLDIER
K6++ new initial faults
----------------------------
I saw people reporting: Put speed 100 duplex full on the BB interfaces on SW1, SW2 and/or SW3. So if no L2 connectivity with BB routers, keep that in mind.
Check confreg (show version command, last line). Must be 2102. If 2142, it will bypass startup!!!

1.1 Troubleshoot Layer 2 Switching
Cisco says that there are two faults injected. Each fault will give you 2 points. The whole K6++ Lab had 78 points to get, so you must have 62 points in order to be over 80%.
- VLAN access map that is denying OSPF is in pre-configuration (change the drop to forward) --> that should be enough
- root guard on BB Links (interface f0/10)
- no ip cef on some routers (not sure if that is a fault)

1.2 Implement Access Switch Ports of Switched Network
Configure all of the appropriate non-trunking switch ports on SW1-SW4 according to the following:
- SW1 is the server for the VLAN Trunking Protocol version 2 domain "CCIE" (VTP password "cisco")
- SW2, SW3, SW4 are expecting SW1 to update their VLAN database when needed.
- Configure the VLAN ID and Name according to the table below (case sensitive)
- Configure the access ports for each VLAN as per the diagram.
- Using a single command ensure that all access ports are transitioned to forwarding state as quickly as possible.
- Using a single command ensure that the interface is forced into the err-disabled state if a BPDU is received by any port.
- Ensure that any BPDU received by the access ports facing the backbone devices (and only these devices) has no effect on your spanning tree decision.
- Don't forget to configure the Layer 3 interfaces and to include SW1's port Fa0/4 into VLAN 44.

VLAN_ID  NAME
11       VLAN_11_BB1
22       VLAB_22_BB2
33       VLAN_33_BB3
42       VLAN_?_R2-SW4   //use ctrl+v for ?//
44       VLAN_44_R4
55       VLAN_55_R5-SW2
123      VLAN_123_SWITCHES
999      VLAN_RSPAN

1.3 Spanning-Tree Domains for Switched Network
Configure the switches according to the following requirements:
- Both switches must have one instance per VLAN.
- Ensure that SW1 is the Root Switch, and SW2 the Backup Switch for all odd VLANs
- Ensure that SW2 is the Root Switch, and SW1 is the Backup Switch for all even VLANs
- Configure instance per VLAN and rapid transition for forwarding
- Configure to 30 seconds the time that all switches wait before their spanning-tree processes attempt to re-converge if they didn't receive any spanning-tree configuration message, for all future VLANs.

1.4 Switch Trunking and Ether Channel
Use the following requirements to configure the Etherchannel of SW1, SW2, SW3 and SW4:
- Use encapsulation 802.1q
- Configure Etherchannel between SW1 and SW2, use the Industry standard.
- Configure Etherchannel between SW3 and SW4, the proprietary method
- Ensure that SW1 and SW3 must initiate the negotiation and SW2 and SW4 must not start the negotiation

1.5 Spanning-Tree Tuning
- Find the VLAN between R2 and SW4. The priority of that VLAN must be 12330 on SW2.
- Ensure that the port fa0/20 is in the forwarding state rather than the blocking state for even VLANs on SW4.
- You must do this without changing any configurations on SW4.
- Use the highest numerical values to complete.

1.6 RSPAN
- Any traffic received from VLAN_BB1 and VLAN_BB2 must be replicated to a traffic analyser connected to SW4 Fa0/15 via VLAN 999
- You need to monitor any future interfaces connecting to VLAN_BB1 and VLAN_BB2
- Any traffic flowing through the trunk between SW3 and SW4 must be replicated to another traffic analyser

1.7 PPP & CHAP
- R4 must require R1 and R2 to authenticate using CHAP but R1 and R2 must not require R4 to authenticate
- R1 and R2 cannot use ppp chap hostname, they can use ppp chap password with "CCIE".
- Make sure that all CHAP passwords are shown in clear in the configuration
- Use radius server at YY.YY.44.200 as authentication server and fallback to the local AAA database in case the server is unreachable
- Use CISCO as key required by the Radius server
- Make sure AAA authentication does not affect any console or line VTY from any PPP devices (ensure that there is no username prompt either)
- Use only default method list for both console and line VTY.

- Ensure that all switches attached to the VLAN 123 exchange routing updates primarily with SW1 and then SW2 (in case SW1 goes down)
- Use highest numerical values.
- Make sure that all 3 prefixes for the backbone links (150.BB.YY.0/24) appear as OSPF External Type 2 routes in routing table.
- Do not create any additional OSPF areas.
- Do not use any IP address not listed in the diagram

2.2 Implement IPv4 EIGRP
- Configure Enhanced Interior Gateway Routing Protocol (EIGRP) 100 on SW2 in order to establish EIGRP neighbor with Backbone 3 in the IGP topology diagram.
- BB3 has IP address 150.3.YY.254 and is using AS number 100
- Disable auto-summary

2.3 Implement RIP Version 2
- Configure RIP Version 2 (RIPv2) between R3 and BB1
- R3 must accept from BB1 only the following prefixes
  o 199.172.4.0/24
  o 199.172.6.0/24
  o 199.172.12.0/24
  o 199.172.14.0/24
- Use Standard ACL with a single entry
- Disable Auto Summarization

2.4 Redistribute RIP into OSPF
Redistribute RIP into OSPF on R3 such that the routing table on R5 contains the following.
  o O N2 199.172.14.0/24
  o O N2 199.172.12.0/24
  o O N1 199.172.6.0/24

2.5 Redistribute EIGRP into OSPF
Redistribute EIGRP into OSPF on SW2 such that
- Redistributed EIGRP routes must not be advertised into Area 51
- Redistributed EIGRP routes must be advertised into Area 0 and 142 as OSPF Type E2
- SW2 must advertise an inter-area default route into Area 51 only
- Don't use any route-map and do not add any static route anywhere

2.6 Implement IPv4 BGP
Configure iBGP peering for R1, R2, SW2, R3 and R5 as per the following requirement.
- Where possible failure of a physical interface should not permanently affect BGP peer connections
- Minimize number of BGP peering sessions and all BGP speakers in AS YY except SW2 must have only one iBGP peer
- All BGP routes on all devices must be valid routes
- Configure BGP as per diagram
- BGP routes from BB1 must have community values 254 207 103 in AS YY
- BGP routes from BB2 must have community values 254 208 104 in AS YY
- Make sure that all BGP speakers in AS YY (even R2) are pointing all BGP prefixes from AS 254 via BB1 only (their BGP next hop must be the IP address of the backbone devices)

2.7 Implement Performance Routing
Implement PfR to achieve the following policies:
- R1 must be the Master and Border Router and R2 must be a Border Router
- Ensure that PfR sessions are established using the Lo0 interface only
- A specific traffic (marked with DSCP "CS2") from VLAN_44 to VLAN_55 must be routed via R1
- Another traffic (marked with DSCP "CS4") from VLAN_44 to VLAN_55 must be routed via R2
- Use Extended ACL with a single entry
- Use active probes only
- Configure tunnel to have direct connectivity between Border routers
- If required by your solution you may use any prefix that is not used in your topology
- Your interface is allowed to have a maximum utilization on R1 of 80% and a maximum utilization on R2 of 90%
- You should use access-list specifying only source address and DSCP value
- Monitor the load on your external interfaces with the lowest level.
- You must use "set mode select-exit good"
- You may not use:
  o max-range-utilization
  o resolve utilization
  o resolve range
- Configure a floating static default route with an AD of 250 on R1 and R2 facing the Switches.
- Use the following:
  o monitor-period 1
  o periodic-interval 0
  o period rotation 90
- Use the lowest load-interval on your external interfaces to monitor the load

2.8 Implement Performance Routing
Continue as per following:
- Set the frequency of probes to the lowest value
- Make sure that all exits are probed constantly.
- The voice traffic is sourced from VLAN_44 destined to the voice gateway R5 (YY.YY.55.5) and marked with DSCP "EF"
- Voice traffic should go through R1 if the delay is 40ms and jitter is 5ms and it should fallback to R2 should these values not be met
- You should use access-list specifying only source address and DSCP value
- You must use "set mode select-exit good"

2.9 Implement IPv6
- Configure OSPF Area 142 between R1, R2, R4
- Configure IPv6 PIM sparse mode on the serial interfaces
- R4 should have a static RP-address f0/0 (FEC1:CC1E:44::4) for the multicast group
- R1 interface Gi0/0 should be able to join the multicast group FFTS:4000::4000
- Determine the value of TS.
  o T = transient
  o Multicast stream has a scope = 5
- You should be able to ping the multicast group from R2 Interface S 0/0/0

2.10 Implement Advanced IPv6 feature
- In an attempt to reduce link-layer congestion, limit to 5 messages per second the rate at which all IPv6 enabled devices generate all IPv6 ICMP error messages
- Enable Netflow for IPv6 on R1 to monitor the traffic entering Area 142
- Export the flows every 3 hours to the server YY.YY.44.100 (port 9876)
- Use R1-Lo0 as source address for the exports
- Aggregate the flows per destination and allow up to 20000 entries in the cache
- Inactive entries must be deleted from the cache after 2 minutes of inactivity

Section 3 IP Multicast

3.1 IPv4 Multicast (autorp)
- There is a multicast source on VLAN 44 and clients are located on the BB3 subnet (150.3.YY.0/24).
- Use a dynamic protocol that supports PIM v1 and v2.
- Configure R1 and R2 loopback0 to be a rendezvous point (RP).
- Ensure that R2 should be the preferred RP rather than R1.
- Simulate clients have sent requests to join the multicast group 239.YY.YY.1.
- Make sure R4 f0/0 is able to ping this multicast IP.
For traffic coming from BB1 allocate 1000 kbps on R3 s0/0/0. This should not affect any other traffic other than to all possible traffic entering from these links

4.4 Implement Routing Protocol Authentication
Secure OSPF area 0 according to the following requirement
- Use the strongest authentication type
- The password must be saved in clear in the config and must be set to "cisco"
- You are not allowed to use any commands in the router configuration

4.5 Implement DHCP
R4 has been configured to provide the following parameters for DHCP clients on VLAN 44
- IP addresses
- DNS servers YY.YY.55.50 and YY.YY.55.51
- Domain name cisco.com
- Default gateway is YY.YY.44.4
The administrator wants the DHCP deployment to be as secure as possible. Complete the DHCP configuration on R4 and SW1 according to the following requirements
- Protect users in VLAN 44 from rogue DHCP servers
- Ensure that only R4 services the DHCP requests
- Disable the insertion and removal of option-82 field
- Protect the DHCP server from DHCP attacks originating from SW1 port Fa0/14, which may lead to resource exhaustion and ensure that maximum 3 different hosts can still connect to that port (Shutdown the port when violation occurred)
Note: make sure that SW1 Fa 0/14 is enabled and provisioned so that the customer only needs to connect the printer to the port

4.6 Implement Layer 2 Security
Continue securing the DHCP deployment according to the following requirements
- In the near future the customer will connect a printer to SW1's Fa0/14 in VLAN 44 and assign it the static IP address YY.YY.44.100. The printer's MAC address is abcd.abcd.abcd
- Ensure that the printer is able to communicate with the users on VLAN 44 and ensure that your solution survives a reload (use the file flash:CCIE.TXT)
- Enable a feature on the switch to dynamically protect interface Fa 0/14 against spoofed IP packets and ARP request
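
One way to meet the SW1-side requirements of 4.5 and 4.6 on a Catalyst switch, as an added example that is not part of the original page. It assumes R4 is reached through SW1 Fa0/4 (the port task 1.2 places in VLAN 44) and keeps the page's own YY placeholder in the addresses.

```cisco
! Added example, not from the original page. YY is the page's placeholder.
! --- SW1, global configuration ---
ip dhcp snooping
ip dhcp snooping vlan 44
! Do not insert or remove option 82 on DHCP messages
no ip dhcp snooping information option
! Persist the binding table to flash so entries survive a reload
ip dhcp snooping database flash:CCIE.TXT
! Dynamic ARP inspection validates ARP against the snooping bindings
ip arp inspection vlan 44
!
! Port toward R4 (assumed Fa0/4), the only legitimate DHCP server: trusted.
! R4 has no snooping binding, so its ARP must be trusted as well.
interface FastEthernet0/4
 switchport mode access
 switchport access vlan 44
 ip dhcp snooping trust
 ip arp inspection trust
!
! Printer/user port: stays untrusted for DHCP snooping and ARP inspection
interface FastEthernet0/14
 switchport mode access
 switchport access vlan 44
 ! Cap learned MACs at 3 and err-disable the port on violation
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation shutdown
 ! IP source guard, IP filtering only (MAC filtering needs option 82)
 ip verify source
 no shutdown
!
! --- SW1, privileged EXEC (not configuration mode) ---
! Static binding for the statically addressed printer; it is written to the
! database file above and is used by both IP source guard and ARP inspection.
ip dhcp snooping binding abcd.abcd.abcd vlan 44 YY.YY.44.100 interface FastEthernet0/14 expiry 4294967295
!
! --- Verification ---
show ip dhcp snooping
show ip dhcp snooping binding
show ip verify source
show ip arp inspection vlan 44
show port-security interface FastEthernet0/14
```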

4.7 Web Caching Communication Protocol (WCCP)
Configure WCCP on R4 according to the following requirement:
- There will be a WAAS appliance connected to interface of Fa0/1
- Any traffic from any client connected to Fa0/0 going out of the 2 serial interfaces must be redirected to the WAAS server on Fa0/1
- Traffic redirected from the server to the clients must use WCCP service 61
- Traffic redirected from the clients to the server must use WCCP service 62
- Traffic that is being sent from R1 to R2 and from R2 to R1 is not allowed to be redirected.

5.2 Embedded Event Manager
Configure 2 EEM scripts, one for enabling OSPF debug if the OSPF neighborship of R3 goes down:
- Configure R3 with event manager applet ENABLE_OSPF_DEBUG when the OSPF adjacency goes down to R5. It should enable the debug ip ospf event and debug ip ospf adj
- Configure another EEM applet DISABLE_OSPF_DEBUG when OSPF neighborship comes up with R5. It should
activated.
These logs should be seen both in the console and in the log buffer. You MUST be able to have these events run on R3 when R5 bounces its interface