
ARTOR K8 Solution reference from certcollection.

Quick check of the security-relevant lines in a running config:
sh run | i cef|guard|snooping|access-map|arp|portfast|filter|block|protected|tcp|nrzi
============================

SECTION 1 - 1.1, 1.2, 1.3, 1.4, 1.5, 1.6

SW1
conf t
vtp mode server
vtp domain CCIE
vtp password cisco
vtp version 2

vlan 16
 name VLAN_16_R1toSW1
vlan 18
 name VLAN_18_R1toSW3
vlan 28
 name VLAN_28_R2toSW3
vlan 36
 name VLAN_36_R3toSW1
vlan 45
 name VLAN_45_R4toR5
vlan 68
 name VLAN_68_SW1toSW3
vlan 69
 name VLAN_69_SW1toSW4
vlan 89
 name VLAN_89_SW3toSW4
vlan 100
 name VLAN_100_BB1
vlan 200
 name VLAN_200_BB2
vlan 300
 name VLAN_300_BB3
vlan 500
 name VLAN_500_Client
vlan 999
 name Unused_Ports

int range e0/0-3,e1/0-3,e2/0-1
 sw acc vlan 999
 sw mode acc
 shut
exit

int e2/0
 sw access vlan 100
 sw mode access
 no shut
int e0/1
 sw access vlan 18
 sw mode access
 no shut
int e0/2
 sw access vlan 28
 sw mode access
 no shut
int e0/3
 sw access vlan 36
 sw mode access
 no shut
int e1/0
 sw access vlan 100
 sw mode access
 no shut
int e1/1
 sw access vlan 200
 sw mode access
 no shut

int vlan 36
 ip address 10.28.36.6 255.255.255.0
 no shut
int vlan 16
 ip address 10.28.16.6 255.255.255.0
 no shut
int vlan 68
 ip address 10.28.68.6 255.255.255.0
 no shut
int vlan 69
 ip address 10.28.69.6 255.255.255.0
 no shut
exit

int range e2/2-3,e3/0-3
 no sw access vlan 999
 sw trunk encap dot1q
 sw mode trunk
 sw trunk native vlan 1
 sw nonegotiate
 no shut
exit
vlan dot1q tag native

int range e2/2-3
 channel-group 14 mode active
int range e3/2-3
 channel-group 13 mode active
int range e3/0-1
 channel-group 12 mode active
exit
port-channel load-balance src-dst-mac

spanning-tree mode rapid-pvst
spanning-tree vlan 1-4094 root primary
int e2/0
 spanning-tree bpduguard disable
 spanning-tree bpdufilter enable
exit
int range e0/1-2
 sw port-security
 sw port-security maximum 1
 sw port-security mac-address sticky
 sw port-security violation shutdown
exit

SW2
conf t
vtp mode client
vtp domain CCIE
vtp password cisco
vtp version 2

int range e0/0-3,e1/0-3,e2/0-1
 sw acc vlan 999
 sw mode acc
 shut
exit

int e2/0
 sw access vlan 200
 sw mode access
 no shut
int e0/1
 sw access vlan 16
 sw mode access
 no shut
int e0/2
 no switchport
 ip address 172.16.27.7 255.255.255.0
 no shut
int e0/3
 no switchport
 ip address 172.16.37.7 255.255.255.0
 no shut
int e1/0
 sw access vlan 45
 sw mode access
 no shut
int e1/1
 sw access vlan 45
 sw mode access
 no shut

int range e2/2-3,e3/0-3
 no sw access vlan 999
 sw trunk encap dot1q
 sw mode trunk
 sw trunk native vlan 1
 sw nonegotiate
 no shut
exit
vlan dot1q tag native

int range e2/2-3
 channel-group 23 mode active
int range e3/2-3
 channel-group 24 mode active
int range e3/0-1
 channel-group 12 mode active
exit
port-channel load-balance src-dst-mac

spanning-tree mode rapid-pvst
spanning-tree vlan 1-4094 root secondary

int e2/0
 spanning-tree bpduguard disable
 spanning-tree bpdufilter enable
exit

SW3
conf t
vtp mode client
vtp domain CCIE
vtp password cisco
vtp version 2

int range e0/0-3,e1/0-3,e2/0-1
 sw acc vlan 999
 sw mode acc
 shut
exit

int e2/0
 sw access vlan 3
 no shut
exit

int vlan 68
 ip add 10.28.68.8 255.255.255.0
 no shut
int vlan 89
 ip add 10.28.89.8 255.255.255.0
 no shut
int vlan 500
 ip add 10.28.188.8 255.255.255.0
 no shut
int vlan 18
 ip add 10.8.18.8 255.255.255.0
 no shut
int vlan 28
 ip add 10.8.28.8 255.255.255.0
 no shut

int range e2/2-3,e3/0-3
 no sw access vlan 999
 sw trunk encap dot1q
 sw mode trunk
 sw trunk native vlan 1
 sw nonegotiate
 no shut
exit
vlan dot1q tag native

int range e2/2-3
 channel-group 23 mode active
int range e3/2-3
 channel-group 13 mode active
int range e3/0-1
 channel-group 34 mode active
exit
port-channel load-balance src-dst-mac

spanning-tree mode rapid-pvst
int e2/0
 spanning-tree bpduguard disable
 spanning-tree bpdufilter enable
exit

SW4
conf t
vtp mode client
vtp domain CCIE
vtp password cisco
vtp version 2

int range e0/0-3,e1/0-3,e2/0-1
 sw acc vlan 999
 sw mode acc
 shut
exit

int range e0/1-3,e1/0-1
 sw access vlan 500
 sw mode access
 spanning-tree portfast
 sw protected
 sw block unicast
 sw block multicast
 no shut
exit
int vlan 300
 ip add 150.3.8.1 255.255.255.0
 no shut

int range e2/2-3,e3/0-3
 no sw access vlan 999
 sw trunk encap dot1q
 sw mode trunk
 sw trunk native vlan 1
 sw nonegotiate
 no shut
exit
vlan dot1q tag native

int range e2/2-3
 channel-group 14 mode active
int range e3/2-3
 channel-group 24 mode active
int range e3/0-1
 channel-group 34 mode active
exit
port-channel load-balance src-dst-mac

spanning-tree mode rapid-pvst

SW1/SW2/SW3/SW4 (final step on every switch)
vtp mode transparent

=============================================

1.7 Frame-relay, with frame-relay IPv6, MPLS and multicast configuration for the interfaces

R3
conf t
ip cef
ipv6 unicast-routing
ipv6 cef
ip multicast-routing
mpls ldp router-id lo 0
mpls label protocol ldp
int s1/0
 encapsulation ppp
 mpls ip
 ip pim sparse-mode
exit
int e0/0
 ip pim sparse-mode
exit

R5
conf t
ip cef
ipv6 unicast-routing
ipv6 cef
ip multicast-routing
mpls ldp router-id lo 0
mpls label protocol ldp
frame-relay switching
int s1/0
 encapsulation frame-relay
 no frame-relay inverse-arp
 clock rate 128000
 frame-relay intf-type dce
 no shut
exit
int s1/0.100
 frame-relay interface-dlci 100
 mpls ip
 ip pim sparse-mode
int s1/0.8
 frame-relay interface-dlci 18
 mpls ip
 ip pim sparse-mode
int s1/1
 encapsulation ppp
 mpls ip
 ip pim sparse-mode
exit
int e0/1
 ip pim sparse-mode
 mpls ip
exit

R1
conf t
ip cef
ipv6 unicast-routing
ipv6 cef
ip multicast-routing
mpls ldp router-id lo 0
mpls label protocol ldp
int s1/1
 encapsulation frame-relay
 no frame-relay inverse-arp
 no shut
exit
int s1/1.100
 frame-relay interface-dlci 100
 mpls ip
 ip pim sparse-mode
int s1/1.8
 frame-relay interface-dlci 18
 mpls ip
 ip pim sparse-mode
int s1/0
 encapsulation frame-relay
 no frame-relay inverse-arp
 ipv6 address FE80::14 link-local
 frame-relay map ip 10.8.14.4 200 broadcast
 frame-relay map ip 10.8.14.1 200
 frame-relay map ipv6 2001:8:8:14::1 200
 frame-relay map ipv6 2001:8:8:14::4 200 broadcast
 frame-relay map ipv6 FE80::41 200 broadcast
 ip pim sparse-mode
 mpls ip
 no shut
exit
int e0/1
 ip pim sparse-mode
exit
int e0/0
 ip pim sparse-mode
exit

R4
conf t
ip cef
ipv6 unicast-routing
ipv6 cef
ip multicast-routing
mpls ldp router-id lo 0
mpls label protocol ldp
frame-relay switching
int s1/1
 encapsulation frame-relay
 no frame-relay inverse-arp
 clock rate 128000
 frame-relay intf-type dce
 ipv6 address FE80::42 link-local
 frame-relay map ip 10.8.24.2 28 broadcast
 frame-relay map ip 10.8.24.4 28
 frame-relay map ipv6 2001:8:8:24::4 28
 frame-relay map ipv6 2001:8:8:24::2 28 broadcast
 frame-relay map ipv6 FE80::24 28 broadcast
 ip pim sparse-mode
 mpls ip
 no shut
exit
int s1/0
 encapsulation frame-relay
 no frame-relay inverse-arp
 clock rate 128000
 frame-relay intf-type dce
 ipv6 address FE80::41 link-local
 frame-relay map ip 10.8.14.1 200 broadcast
 frame-relay map ip 10.8.14.4 200
 frame-relay map ipv6 2001:8:8:14::4 200
 frame-relay map ipv6 2001:8:8:14::1 200 broadcast
 frame-relay map ipv6 FE80::14 200 broadcast
 ip pim sparse-mode
 mpls ip
 no shut
exit
int e0/1
 ip pim sparse-mode
 mpls ip

R2
conf t
ip cef
ipv6 unicast-routing
ipv6 cef
ip multicast-routing
mpls ldp router-id lo 0
mpls label protocol ldp
int s1/0
 encapsulation frame-relay
 no frame-relay inverse-arp
 ipv6 address FE80::24 link-local
 frame-relay map ip 10.8.24.4 28 broadcast
 frame-relay map ip 10.8.24.2 28
 frame-relay map ipv6 2001:8:8:24::2 28
 frame-relay map ipv6 2001:8:8:24::4 28 broadcast
 frame-relay map ipv6 FE80::42 28 broadcast
 ip pim sparse-mode
 mpls ip
 no shut
exit
int e0/0
 ip pim sparse-mode
===================================================

SECTION 2 IGP - 2.1, 2.2, 2.3, 2.4, 2.5

SW1
conf t
sdm prefer dual-ipv4-and-ipv6 default
ip routing
ip multicast-routing
router ospf 100
 router-id 18.6.6.6
 network 18.6.6.6 0.0.0.0 area 0
 network 10.28.68.6 0.0.0.0 area 0
 network 10.28.16.6 0.0.0.0 area 1
 network 10.28.36.6 0.0.0.0 area 1
 area 1 nssa default-information-originate
 default-information originate always
 area 0 filter-list prefix VLAN500 out
exit
ip prefix-list VLAN500 deny 10.28.188.0/24
ip prefix-list VLAN500 permit 0.0.0.0/0 le 32

int vlan 16
 ip ospf priority 255
int vlan 36
 ip ospf priority 255
int vlan 68
 ip ospf priority 255
exit
router rip
 version 2
 no auto-summary
 passive-interface default
 no passive-interface vlan 69
 network 10.28.69.0
 redistribute ospf 100 metric 5
exit

SW3
conf t
sdm prefer dual-ipv4-and-ipv6 default
ip routing
ip multicast-routing
router ospf 100
 router-id 18.8.8.8
 passive-interface vlan 500
 network 18.8.8.8 0.0.0.0 area 0
 network 10.28.68.8 0.0.0.0 area 0
 network 10.28.188.8 0.0.0.255 area 500
 area 0 filter-list prefix VLAN500 out
exit
ip prefix-list VLAN500 deny 10.28.188.0/24
ip prefix-list VLAN500 permit 0.0.0.0/0 le 32

router eigrp 8
 no auto-summary
 network 10.8.18.8 0.0.0.0
 network 10.8.28.8 0.0.0.0
exit
router rip
 version 2
 no auto-summary
 passive-interface default
 no passive-interface vlan 89
 network 10.28.89.0
exit

SW4
conf t
ip routing
router eigrp 100
 no auto-summary
 network 150.3.8.0 0.0.0.255
 redistribute rip metric 1544 20000 1 255 1500
exit
router rip
 version 2
 no auto-summary
 passive-interface default
 no passive-interface vlan 89
 no passive-interface vlan 69
 network 18.9.9.9
 network 10.28.89.0
 network 10.28.69.0
 redistribute eigrp 100 metric 5
exit

R1
conf t
router ospf 100
 router-id 18.1.1.1
 network 18.1.1.1 0.0.0.0 area 1
 network 10.28.16.1 0.0.0.0 area 1
 network 10.28.15.1 0.0.0.255 area 1
 area 1 nssa
exit
int e0/1
 ip ospf priority 0
exit
router eigrp 8
 no auto-summary
 network 10.8.18.1 0.0.0.0
 network 10.8.14.1 0.0.0.0
 network 10.8.15.1 0.0.0.0
 distance eigrp 90 100
exit
access-list 2 permit host 18.2.2.2

R3
conf t
router ospf 100
 router-id 18.3.3.3
 network 18.3.3.3 0.0.0.0 area 1
 network 10.28.36.3 0.0.0.0 area 1
 network 10.28.35.3 0.0.0.255 area 1
 area 1 nssa
exit
int e0/0
 ip ospf priority 0
exit

R5
conf t
router ospf 100
 router-id 18.5.5.5
 network 18.5.5.5 0.0.0.0 area 1
 network 10.28.35.5 0.0.0.0 area 1
 network 10.28.15.5 0.0.0.255 area 1
 area 1 nssa
 redistribute eigrp 8 subnets
exit
router eigrp 8
 no auto-summary
 network 10.8.45.5 0.0.0.0
 network 10.8.15.5 0.0.0.0
 redistribute ospf 100 metric 1544 2000 1 255 1500
exit
int e0/1
 delay 10000
exit
int s1/0.100
 ip ospf cost 1000
exit

R4
conf t
router eigrp 8
 no auto-summary
 network 18.4.4.4 0.0.0.0
 network 10.8.45.4 0.0.0.0
 network 10.8.14.4 0.0.0.0
 network 10.8.24.4 0.0.0.0
exit
int e0/1
 delay 10000
exit

R2
conf t
router eigrp 8
 no auto-summary
 network 18.2.2.2 0.0.0.0
 network 10.8.28.2 0.0.0.0
 network 10.8.24.2 0.0.0.0
exit
================
Reachability check from tclsh (pings every address in the list):

tclsh
foreach address {
 10.8.14.1 10.8.15.1 10.8.18.1 10.28.15.1 10.28.16.1 18.1.1.1
 10.8.24.2 10.8.28.2 18.2.2.2
 10.28.35.3 10.28.36.3 18.3.3.3
 10.8.14.4 10.8.24.4 10.8.45.4 18.4.4.4
 10.8.15.5 10.8.45.5 10.28.15.5 10.28.35.5 18.5.5.5
 10.28.16.6 10.28.36.6 10.28.68.6 10.28.69.6 18.6.6.6
 10.8.18.8 10.8.28.8 10.28.68.8 10.28.89.8 10.28.188.8 18.8.8.8
 10.28.69.9 10.28.89.9 18.9.9.9
 150.3.8.1 150.3.8.254
} { ping $address }

========================

2.6 BGP

SW1/SW3/R2/R4/R5/R3 (route-reflector clients of R1)
conf t
router bgp 8
 no bgp default ipv4-unicast
 bgp router-id 18.
 neighbor 18.1.1.1 remote-as 8
 neighbor 18.1.1.1 update-source lo 0
 neighbor 18.1.1.1 transport connection-mode passive
 neighbor 18.1.1.1 password cisco
 address-family ipv4
  neighbor 18.1.1.1 activate

R1 (route reflector)
conf t
router bgp 8
 neighbor 18.2.2.2 remote-as 8
 neighbor 18.2.2.2 update-source lo 0
 neighbor 18.2.2.2 transport connection-mode active
 neighbor 18.2.2.2 password cisco
 neighbor 18.3.3.3 remote-as 8
 neighbor 18.3.3.3 update-source lo 0
 neighbor 18.3.3.3 transport connection-mode active
 neighbor 18.3.3.3 password cisco
 neighbor 18.4.4.4 remote-as 8
 neighbor 18.4.4.4 update-source lo 0
 neighbor 18.4.4.4 transport connection-mode active
 neighbor 18.4.4.4 password cisco
 neighbor 18.5.5.5 remote-as 8
 neighbor 18.5.5.5 update-source lo 0
 neighbor 18.5.5.5 transport connection-mode active
 neighbor 18.5.5.5 password cisco
 neighbor 18.6.6.6 remote-as 8
 neighbor 18.6.6.6 update-source lo 0
 neighbor 18.6.6.6 transport connection-mode active
 neighbor 18.6.6.6 password cisco
 neighbor 18.8.8.8 remote-as 8
 neighbor 18.8.8.8 update-source lo 0
 neighbor 18.8.8.8 transport connection-mode active
 neighbor 18.8.8.8 password cisco
 address-family ipv4
  neighbor 18.2.2.2 activate
  neighbor 18.2.2.2 route-reflector-client
  neighbor 18.3.3.3 activate
  neighbor 18.3.3.3 route-reflector-client
  neighbor 18.4.4.4 activate
  neighbor 18.4.4.4 route-reflector-client
  neighbor 18.5.5.5 activate
  neighbor 18.5.5.5 route-reflector-client
  neighbor 18.6.6.6 activate
  neighbor 18.6.6.6 route-reflector-client
  neighbor 18.8.8.8 activate
  neighbor 18.8.8.8 route-reflector-client
exit

2.7 Advanced BGP

R4
conf t
router bgp 8
 neighbor 150.1.8.254 remote-as 254
 neighbor 150.1.8.254 route-map LP in
 address-family ipv4
  neighbor 150.1.8.254 activate
  neighbor 18.1.1.1 next-hop-self
exit
route-map LP permit 10
 set local-preference 200
exit

R5
conf t
router bgp 8
 neighbor 150.2.8.254 remote-as 254
 address-family ipv4
  neighbor 150.2.8.254 activate
  neighbor 18.1.1.1 next-hop-self
exit

SW4
conf t
router bgp 144
 bgp router-id 18.9.9.9
 neighbor 10.28.69.6 remote-as 8
 neighbor 10.28.89.8 remote-as 8
 maximum-paths 2
exit

SW1
conf t
router bgp 8
 neighbor 10.28.69.9 remote-as 144
 address-family ipv4
  neighbor 10.28.69.9 activate
exit

SW3
conf t
router bgp 8
 neighbor 10.28.89.9 remote-as 144
 address-family ipv4
  neighbor 10.28.89.9 activate
exit

==========================================

2.8 MPLS
Note: the MPLS interface configuration was already done in Section 1.7.

SW2
conf t
ip routing
ip cef
ip vrf SITE1
 rd 3:3
ip vrf SITE2
 rd 2:2
exit

int lo 71
 ip vrf forwarding SITE1
 ip add 71.71.71.71 255.255.255.255
exit
int e0/3
 ip vrf forwarding SITE1
 ip add 172.16.37.7 255.255.255.0
 no shut
exit
int lo 72
 ip vrf forwarding SITE2
 ip add 72.72.72.72 255.255.255.255
exit
int e0/2
 ip vrf forwarding SITE2
 ip add 172.16.27.7 255.255.255.0
 no shut
exit

router bgp 777
 bgp router-id 18.7.7.7
 address-family ipv4 vrf SITE1
  network 71.71.71.71 mask 255.255.255.255
  network 172.16.37.0 mask 255.255.255.0
  neighbor 172.16.37.3 remote-as 8
  neighbor 172.16.37.3 activate
 exit
 address-family ipv4 vrf SITE2
  network 72.72.72.72 mask 255.255.255.255
  network 172.16.27.0 mask 255.255.255.0
  neighbor 172.16.27.2 remote-as 8
  neighbor 172.16.27.2 activate
 exit

R3
conf t
mpls ldp explicit-null
ip vrf SITE1
 rd 3:3
 route-target both 3:3
 route-target import 2:2
exit
int e0/1
 ip vrf forwarding SITE1
 ip add 172.16.37.3 255.255.255.0
 no shut
router bgp 8
 neighbor 18.5.5.5 remote-as 8
 neighbor 18.5.5.5 update-source lo 0
 address-family vpnv4
  neighbor 18.5.5.5 activate
  neighbor 18.5.5.5 send-community extended
 address-family ipv4 vrf SITE1
  neighbor 172.16.37.7 remote-as 777
  neighbor 172.16.37.7 activate
  neighbor 172.16.37.7 as-override
 exit

R2
conf t
mpls ldp explicit-null
ip vrf SITE2
 rd 2:2
 route-target both 2:2
 route-target import 3:3
exit
int e0/1
 ip vrf forwarding SITE2
 ip add 172.16.27.2 255.255.255.0
 no shut
router bgp 8
 neighbor 18.5.5.5 remote-as 8
 neighbor 18.5.5.5 update-source lo 0
 address-family vpnv4
  neighbor 18.5.5.5 activate
  neighbor 18.5.5.5 send-community extended
 address-family ipv4 vrf SITE2
  neighbor 172.16.27.7 remote-as 777
  neighbor 172.16.27.7 activate
  neighbor 172.16.27.7 as-override
 exit

R5 (VPNv4 route reflector)
conf t
router bgp 8
 neighbor 18.2.2.2 remote-as 8
 neighbor 18.2.2.2 update-source lo 0
 neighbor 18.3.3.3 remote-as 8
 neighbor 18.3.3.3 update-source lo 0
 address-family vpnv4
  neighbor 18.2.2.2 activate
  neighbor 18.3.3.3 activate
  neighbor 18.2.2.2 route-reflector-client
  neighbor 18.3.3.3 route-reflector-client
 exit
================================

2.9 & 2.10 IPv6 addressing
Note: the IPv6 frame-relay configuration was already done in Section 1.7.

SW1
conf t
ipv6 unicast-routing
ipv6 cef
ipv6 router ospf 100
 router-id 18.6.6.6
exit
int lo 0
 ipv6 address 2001:28:8:6::6/128
 ipv6 ospf 100 area 0
exit
int vlan 68
 ipv6 address 2001:28:8:68::6/64
 ipv6 ospf 100 area 0
exit

SW3
conf t
ipv6 unicast-routing
ipv6 cef
ipv6 router ospf 100
 router-id 18.8.8.8
 redistribute eigrp 8
 redistribute connected
exit
ipv6 router eigrp 8
 router-id 18.8.8.8
 redistribute ospf 100 metric 10000 2000 255 1 1500
 redistribute connected metric 10000 2000 255 1 1500
 no shut
exit
int lo 0
 ipv6 address 2001:28:8:8::8/128
 ipv6 ospf 100 area 0
exit
int vlan 68
 ipv6 address 2001:28:8:68::8/64
 ipv6 ospf 100 area 0
exit
int vlan 18
 ipv6 address 2001:8:8:18::8/64
 ipv6 eigrp 8
exit
int vlan 28
 ipv6 address 2001:8:8:28::8/64
 ipv6 eigrp 8
exit

R2
conf t
ipv6 router eigrp 8
 router-id 18.2.2.2
 no shut
exit
int lo 0
 ipv6 eigrp 8
int e0/0
 ipv6 eigrp 8
int s1/0
 ipv6 eigrp 8

R4
conf t
ipv6 router eigrp 8
 router-id 18.4.4.4
 no shut
exit
int lo 0
 ipv6 eigrp 8
int e0/1
 ipv6 eigrp 8
int s1/0
 ipv6 eigrp 8
int s1/1
 ipv6 eigrp 8

R1
conf t
ipv6 router eigrp 8
 router-id 18.1.1.1
 no shut
exit
int lo 0
 ipv6 eigrp 8
int e0/0
 ipv6 eigrp 8
int s1/0
 ipv6 eigrp 8
int s1/1.8
 ipv6 eigrp 8
exit
int tunnel 13
 ipv6 address 2001:13:13:13::1/64
 tunnel source lo 0
 tunnel destination 18.3.3.3
 ipv6 eigrp 8
exit

R5
conf t
ipv6 router eigrp 8
 router-id 18.5.5.5
 no shut
exit
int lo 0
 ipv6 eigrp 8
int e0/1
 ipv6 eigrp 8
int s1/0.8
 ipv6 eigrp 8
exit

R3
conf t
ipv6 router eigrp 8
 router-id 18.3.3.3
 no shut
exit
int lo 0
 ipv6 eigrp 8
int tunnel 13
 ipv6 address 2001:13:13:13::3/64
 tunnel source lo 0
 tunnel destination 18.1.1.1
 ipv6 eigrp 8
exit

=========================

SECTION 3 - 3.1 Multicast
Note: all the remaining interfaces were already configured during Section 1.7.

SW1
conf t
ip multicast-routing
int lo 0
 ip pim sparse-mode
int vlan 16
 ip pim sparse-mode
int vlan 36
 ip pim sparse-mode
int vlan 68
 ip pim sparse-mode
 ip pim dr-priority

SW3
conf t
ip multicast-routing
int lo 0
 ip pim sparse-mode
int vlan 18
 ip pim sparse-mode
int vlan 28
 ip pim sparse-mode
int vlan 68
 ip pim sparse-mode
int vlan 500
 ip pim sparse-mode
exit

R3
conf t
int lo 1
 ip add 200.100.100.100 255.255.255.255
 no shut
exit
router ospf 100
 network 200.100.100.100 0.0.0.0 area 1
exit
ip msdp peer 18.2.2.2 connect-source lo 0
ip msdp originator-id lo 0
ip pim bsr-candidate lo 1
ip pim rp-candidate lo 1
exit

R2
conf t
int lo 1
 ip add 200.100.100.100 255.255.255.255
 no shut
exit
router eigrp 8
 network 200.100.100.100 0.0.0.0
exit
ip msdp peer 18.3.3.3 connect-source lo 0
ip msdp originator-id lo 0
ip pim bsr-candidate lo 1
ip pim rp-candidate lo 1
exit

R4
conf t
int e0/1
 ip igmp join-group 232.1.1.1
exit
do wr
int lo 0
 ip pim sparse-mode
exit

3.2 Advanced multicasting

R2/R3
conf t
access-list 10 permit host 232.1.1.1
access-list 100 permit ip 10.28.68.0 0.0.0.255 host 232.1.1.1
ip pim rp-candidate lo 1 group-list 10
ip pim accept-register list 100
================================

SECTION 4 - 4.1 FIRST HOP REDUNDANCY

R4
conf t
int e0/1
 glbp 0 ip 10.8.45.1
 glbp 0 load-balancing weighted
 glbp 0 weighting 150
 glbp 0 preempt
 glbp 0 authentication md5 key-string CCIE123
exit

R5
conf t
int e0/1
 glbp 0 ip 10.8.45.1
 glbp 0 load-balancing weighted
 glbp 0 weighting 50
 glbp 0 preempt
 glbp 0 authentication md5 key-string CCIE123
exit

4.2 LAYER 2 SECURITY

SW3
conf t
ip access-list extended FILTER
 permit tcp any any eq smtp
 permit tcp any eq smtp any
 permit tcp any any eq www
 permit tcp any eq www any
 permit udp any any eq domain
 permit udp any eq domain any
 permit icmp any any
exit
vlan access-map BLOCK 10
 action forward
 match ip address FILTER
exit
vlan filter BLOCK vlan-list 500

4.3 IMPLEMENTATION SSH

R5
conf t
username admin privilege 15 password 0 ccie
username guest password 0 cisco
ip domain name ccie.com
ip ssh version 2
ip ssh maxstartups 16
crypto key generate rsa
line con 0
 no login local
line vty 0 4
 login local
 transport input none
 transport input ssh
exit

Verify from R3:
ssh -l admin 18.5.5.5
ssh -l guest 18.3.3.3
===================================

4.4 L3VPN QOS

R1
policy-map MPLS-CORE-FACING
 class CRITICAL
  bandwidth percent 30
 class BESTEFFORT
  bandwidth percent 30
 class REALTIME
  priority percent 15
  set mpls experimental topmost 4

R2/R3
conf t
! match-any: a packet carries a single qos-group value, so a match-all
! class listing several qos-group values could never match
class-map match-any QOSGROUP123
 match qos-group 1
 match qos-group 2
 match qos-group 3
class-map match-all QOSGROUP5
 match qos-group 5
class-map match-any QOSGROUP467
 match qos-group 4
 match qos-group 6
 match qos-group 7

policy-map INBOUND
 class class-default
  set qos-group mpls experimental topmost
exit

policy-map SHAPING
 class class-default
  shape average 3000000
  set precedence qos-group
  service-policy CE-FACING
exit

int s1/0
 service-policy input INBOUND
exit
int e0/1
 no service-policy output CE-FACING
 service-policy output SHAPING
exit

Verify using two methods:

1) Extended ping: ping vrf SITE1, target IP 72.72.72.72, datagram size 150000 (if R1 has a policer with set-mpls-exp-transmit 4), TOS 160.
   Then on R1: show policy-map interface Serial0/0 (the interface between R1 and R4).

2) Count the packets per precedence with an ACL:
ip access-list extended QOSTEST
 10 permit ip any any precedence routine
 20 permit ip any any precedence priority
 30 permit ip any any precedence immediate
 40 permit ip any any precedence flash
 50 permit ip any any precedence flash-override
 60 permit ip any any precedence critical
 70 permit ip any any precedence internet
 80 permit ip any any precedence network
int e0/2
 ip access-group QOSTEST in
exit

   Then: ping vrf SITE1, target IP 72.72.72.72, TOS 160, and check the ACL hit counts.

4.5 IMPLEMENTATION QOS

SW3
conf t
int lo 148
 ip add 148.0.0.8 255.255.255.255
exit
router eigrp 8
 network 148.0.0.8 0.0.0.0
exit
access-list 148 permit ip host 148.0.0.8 host 148.0.0.4
route-map LO148
 match ip address 148
 set interface vlan 18 null0
exit
ip local policy route-map LO148

R4
conf t
int lo 148
 ip add 148.0.0.4 255.255.255.255
exit
router eigrp 8
 network 148.0.0.4 0.0.0.0
exit

4.6 NTP

R1
conf t
ntp master 1
clock calendar-valid
ntp source lo 0
ntp update-calendar

R3/R5
conf t
ntp source lo 0
ntp update-calendar
ntp server 18.1.1.1

4.7 DEVICE SECURITY

R5
conf t
ip access-list extended SSH
 deny tcp 10.8.18.0 0.0.0.255 host 10.28.35.5 eq 22
 permit tcp any any eq 22
ip access-list extended HTTP
 permit tcp 10.28.188.0 0.0.0.255 any eq 80
 permit tcp 10.28.188.0 0.0.0.255 any eq 443
ip access-list extended ALL_ICMP
 permit icmp any any
ip access-list extended ICMP_ECHO
 permit icmp any any echo
 permit icmp any any echo-reply

class-map SSH
 match access-group name SSH
class-map ICMP_LIMIT
 match access-group name ICMP_ECHO
class-map match-any BLOCK
 match access-group name HTTP
 match access-group name ALL_ICMP

policy-map CONTROL
 class SSH
  police cir 16000 conform-action transmit exceed-action drop
 class ICMP_LIMIT
  police rate 100 pps burst 10 packets
 class BLOCK
  drop
exit
control-plane
 service-policy input CONTROL
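The classification order of R5's CONTROL policy, modelled offline in Python as an added example (not part of the lab solution): it transcribes the four ACLs and the three classes with IOS first-match semantics, and shows that the deny entry in the SSH ACL only exempts 10.8.18.0/24 from the policer (those packets fall through to the unpoliced class-default) and that ICMP echo is rate-limited by ICMP_LIMIT before BLOCK can drop it. The packet dictionaries are constructed; the police rates themselves are not enforced.

```python
# Added example (not from the lab solution): offline model of R5's
# control-plane policy CONTROL, using IOS first-match semantics for both
# ACL entries and policy-map classes. Police rates are not enforced here;
# the model only reports which class a packet lands in and its action.
import ipaddress


def in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


# ACL entries: (action, proto, src_net, dst_net, dst_port, icmp_type),
# transcribed from the SSH / HTTP / ALL_ICMP / ICMP_ECHO lists above.
ACLS = {
    "SSH": [("deny", "tcp", "10.8.18.0/24", "10.28.35.5/32", 22, None),
            ("permit", "tcp", "0.0.0.0/0", "0.0.0.0/0", 22, None)],
    "HTTP": [("permit", "tcp", "10.28.188.0/24", "0.0.0.0/0", 80, None),
             ("permit", "tcp", "10.28.188.0/24", "0.0.0.0/0", 443, None)],
    "ALL_ICMP": [("permit", "icmp", "0.0.0.0/0", "0.0.0.0/0", None, None)],
    "ICMP_ECHO": [("permit", "icmp", "0.0.0.0/0", "0.0.0.0/0", None, "echo"),
                  ("permit", "icmp", "0.0.0.0/0", "0.0.0.0/0", None, "echo-reply")],
}

# Policy-map CONTROL: classes are evaluated top to bottom, first hit wins.
# Each class-map is treated as match-any over its ACL list.
CLASSES = [
    ("SSH", ["SSH"], "police cir 16000 (exceed: drop)"),
    ("ICMP_LIMIT", ["ICMP_ECHO"], "police 100 pps burst 10"),
    ("BLOCK", ["HTTP", "ALL_ICMP"], "drop"),
]


def acl_permits(name, pkt):
    """True only if the first matching entry is a permit. A deny entry, or
    the implicit deny at the end, means 'no match' for classification: the
    packet is NOT dropped by the ACL, it just moves on to the next class."""
    for action, proto, src, dst, dport, itype in ACLS[name]:
        if pkt["proto"] != proto:
            continue
        if not (in_net(pkt["src"], src) and in_net(pkt["dst"], dst)):
            continue
        if dport is not None and pkt.get("dport") != dport:
            continue
        if itype is not None and pkt.get("icmp_type") != itype:
            continue
        return action == "permit"
    return False


def classify(pkt):
    """Return (class name, action) for a packet punted to the control plane."""
    for cname, acls, action in CLASSES:
        if any(acl_permits(a, pkt) for a in acls):
            return cname, action
    return "class-default", "transmit (no policer)"


if __name__ == "__main__":
    # Constructed sample packets addressed to R5 (10.28.35.5 / 18.5.5.5).
    samples = [
        {"proto": "tcp", "src": "10.28.188.10", "dst": "10.28.35.5", "dport": 22},
        {"proto": "tcp", "src": "10.8.18.1", "dst": "10.28.35.5", "dport": 22},
        {"proto": "icmp", "src": "10.8.45.4", "dst": "18.5.5.5", "icmp_type": "echo"},
        {"proto": "icmp", "src": "10.8.45.4", "dst": "18.5.5.5", "icmp_type": "unreachable"},
        {"proto": "tcp", "src": "10.28.188.10", "dst": "18.5.5.5", "dport": 443},
    ]
    for p in samples:
        print(p, "->", classify(p))
```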

===================================================

SECTION 5 - 5.1 OPTIMIZE THE NETWORK

R1
conf t
no logging buffered
logging host 10.28.69.100
archive
 log config
  logging enable
  logging size 10
  hidekeys
  notify syslog
exit

5.2 EEM IMPLEMENTATION

R3
conf t
event manager applet BOUNCEGIG
 event syslog pattern ".*SYS-5-RESTART.*"
 action 1.0 cli command "enable"
 action 2.0 cli command "conf t"
 action 3.0 cli command "int e0/0"
 action 4.0 cli command "shut"
 action 5.0 cli command "no shut"
 action 6.0 cli command "int e0/1"
 action 7.0 cli command "shut"
 action 8.0 cli command "no shut"
exit

Reload the router to trigger the applet.
