
Section 1 - Layer 2
---------------------------------
1.1 Troubleshoot Layer 2 Switching
---------------------------------
Cisco says that there are two faults injected. Each fault will give you 2 points. The whole K6++ Lab had 78 points to get, so you must have 62 points in order to be over 80%.
- VLAN access map that is denying OSPF is in pre-configuration (change the drop to forward) --> that should be enough
- root guard on BB Links (interface f0/10)
- no ip cef on some routers (not sure if that is a fault)

----------------------------------------------------
1.2 Implement Access Switch Ports of Switched Network
----------------------------------------------------
Configure all of the appropriate non-trunking switch ports on SW1 – SW4 according to the following
- SW1 is the server for the VLAN Trunking Protocol version 2 domain "CCIE" (VTP password "cisco")
- SW2, SW3, SW4 are expecting SW1 to update their VLAN database when needed
- Configure the VLAN ID and Name according to the table below (case sensitive)
- Configure the access ports for each VLAN as per the diagram
- Using a single command ensure that all access ports are transitioned to forwarding state as quickly as possible
- Using a single command ensure that the interface is forced into the err-disabled state if a BPDU is received by any port
- Ensure that any BPDU received by the access ports facing the backbone devices (and only these devices) has no effect on your spanning tree decision
- Don’t forget to configure the Layer 3 interfaces and to include SW1’s port fa 0/4 into VLAN 44

VLAN_ID  NAME
11       VLAN_11_BB1
22       VLAB_22_BB2
33       VLAN_33_BB3
42       VLAN_?_R2-SW4
44       VLAN_44_R4
55       VLAN_55_R5-SW2
123      VLAN_123_SWITCHES
999      VLAN_RSPAN

SW1
 vtp version 2
 vtp domain CCIE
 vtp password cisco
 vtp mode server

SW2-SW4
 vtp version 2
 vtp domain CCIE
 vtp password cisco
 vtp mode client

SW1-SW2
 interface f0/2
 switchport mode access
 switchport access vlan xx
Repeat that for every access interface on the switches.

SW1-SW3
 interface f0/10
 spanning-tree bpdufilter enable

SW1-SW4
 spanning-tree portfast default
 spanning-tree bpduguard default

Need to find the vlan between R2 and SW4. They tell you that the bridge priority has to be 12330 for that vlan. Now you multiply the spanning-tree vlan priority in steps of 4096 until you get close. That is 12288. Then you subtract 12288 from 12330 and get 42.

-------------------------------------------------------------------------------------------------------------
1.3 Spanning-Tree Domains for Switched Network
-------------------------------------------------------------------------------------------------------------
Configure the switches according to the following requirements:
- Both switches must have one instance per vlan.
- Ensure that SW1 is the Root Switch, and SW2 the Backup Switch for all odd vlans
- Ensure that SW2 is the Root Switch, and SW1 is the Backup Switch for all even vlans
- Configure instance per vlan and rapid transition for forwarding
- Configure to 30 seconds the time that all switches wait before their spanning-tree processes attempt to re-converge if they didn’t receive any spanning-tree configuration message, for all future vlans.

SW1
 spanning-tree mode rapid-pvst
 spanning-tree vlan 1,11,33,55,123,999 root primary
 spanning-tree vlan 22,42,44 root secondary

SW2
 spanning-tree mode rapid-pvst
 spanning-tree vlan 1,11,33,55,123,999 root secondary
 spanning-tree vlan 22,42,44 root primary
 spanning-tree vlan 42 priority 12288

SW1-SW4
 spanning-tree vlan 1-4094 max-age 30

------------------------------------
1.4 Switch Trunking and Ether Channel
------------------------------------
Use the following requirements to configure the Etherchannel of SW1, SW2, SW3 and SW4:
- Configure Etherchannel between SW1 and SW2, use the Industry standard.
- Configure Etherchannel between SW3 and SW4, use encapsulation 802.1q, the proprietary method.
- Ensure that SW1 and SW3 must initiate the negotiation and SW2 and SW4 must not start the negotiation

SW1-SW4
 interface range f0/19 - 24
 switchport trunk encapsulation dot1q
 switchport mode trunk

SW1
 interface range f0/x - x (range of ports to SW2)
 channel-group 12 mode active

SW2
 interface range f0/x - x (range of ports to SW1)
 channel-group 12 mode passive

SW3
 interface range f0/x - x (range of ports to SW4)
 channel-group 12 mode desirable

SW4
 interface range f0/x - x (range of ports to SW3)
 channel-group 12 mode auto

-----------------------
1.5 Spanning-Tree Tuning
-----------------------
- Find the vlan between R2 and SW4. The Bridge ID priority of that Vlan must be 12330 on SW2
- Ensure that the port fa0/20 is in the forwarding state rather than the blocking state for even vlans on SW4. You must do this without changing any configurations on SW4
- Use the highest numerical value to complete

SW2
 int f0/19
 spanning-tree vlan 22,42,44 port-priority 240

--------
1.6 RSPAN
--------
- Any traffic received (and only received) from VLAN_BB1 and VLAN_BB2 must be replicated to a traffic analyser connected to SW4 Fa0/15 via VLAN 999
- You need to monitor any future interfaces connecting to VLAN_BB1 and VLAN_BB2
- Any traffic flowing through the trunk between SW3 and SW4 must be replicated to another traffic analyser connected to SW4 Fa0/16
- There should not be any configuration regarding this on SW3
- Don’t create any new VLAN while configuring this

SW1
 vlan 999
 remote-span
 monitor session 1 source vlan 11 , 22 rx
 monitor session 1 destination remote vlan 999

SW2
 monitor session 1 source vlan 11 , 22 rx
 monitor session 1 destination remote vlan 999

SW4
 monitor session 1 source remote vlan 999
 monitor session 1 destination interface f0/15
 monitor session 2 source interface port-channel 34 both
 monitor session 2 destination interface f0/16

-------------
1.7 PPP & CHAP
-------------
- R4 must require R1 and R2 to authenticate using CHAP but R1 and R2 must not require R4 to authenticate
- Use radius server at YY.YY.44.200 as authentication server and fall back to the local AAA database in case the server is unreachable
- Use CISCO as key required by the Radius server
- Use only the default authentication list for both console and line VTY
- Make sure AAA authentication does not affect any console or line VTY from any PPP devices (ensure that there is no username prompt either)
- R1 and R2 cannot use ppp chap hostname, they can use ppp chap password with "CCIE"
- Make sure that all CHAP passwords are shown in clear in the configuration

R4
 no service password-encryption
 aaa new-model
 aaa authentication login default line
 aaa authentication ppp default group radius local-case
 radius-server host YY.YY.44.200 key CISCO
 username RackYYR1 password 0 CCIE
 username RackYYR2 password 0 CCIE
 interface s0/0/0
 encapsulation ppp
 ppp authentication chap default
 interface s0/0/1
 encapsulation ppp
 ppp authentication chap default

R1-R2
 no service password-encryption
 interface s0/0/0
 encapsulation ppp
 ppp chap password 0 CCIE

-------------------------------
Section 2 – Layer 3 Technologies
-------------------------------
2.1 Configure OSPF Area 0, 142 and 51 as per diagram
- Do not create any additional OSPF areas.
- OSPF process ID can be any number
- Router ID must be stable and must be configured using the IP Address of Lo0
- Lo0 interfaces must be advertised in the OSPF area as shown in the IGP topology diagram and must appear as /32 routes
- Make sure that all 3 prefixes for the backbone links (150.BB.YY.0/24) appear as OSPF External Type 2 routes in the routing table
- Ensure that all switches attached to the VLAN 123 exchange routing updates primarily with SW1 and then SW2 (in case SW1 goes down)
- Use highest numerical values
- Do not use any IP address not listed in the diagram

R1
 router ospf YY
 router-id YY.YY.1.1
 network YY.YY.1.1 0.0.0.0 area 142
 network YY.YY.14.1 0.0.0.0 area 142
 network YY.YY.17.1 0.0.0.0 area 142

R2
 router ospf YY
 router-id YY.YY.2.2
 network YY.YY.2.2 0.0.0.0 area 142
 network YY.YY.24.2 0.0.0.0 area 142
 network YY.YY.42.2 0.0.0.0 area 142
 redistribute connected subnets route-map BB2
 route-map BB2
 match interface g0/1

R3
 router ospf YY
 router-id YY.YY.3.3
 network YY.YY.3.3 0.0.0.0 area 51
 network YY.YY.35.3 0.0.0.0 area 51

R4
 router ospf YY
 router-id YY.YY.4.4
 network YY.YY.4.4 0.0.0.0 area 142
 network YY.YY.14.4 0.0.0.0 area 142
 network YY.YY.24.4 0.0.0.0 area 142
 network YY.YY.44.4 0.0.0.0 area 142
 network YY.YY.144.4 0.0.0.0 area 142
 passive-interface f0/0
 passive-interface f0/1

R5
 router ospf YY
 router-id YY.YY.5.5
 network YY.YY.5.5 0.0.0.0 area 51
 network YY.YY.35.5 0.0.0.0 area 51
 network YY.YY.58.5 0.0.0.0 area 51

SW1
 ip routing
 router ospf YY
 router-id YY.YY.7.7
 network YY.YY.7.7 0.0.0.0 area 0
 network YY.YY.123.7 0.0.0.0 area 0
 network YY.YY.17.7 0.0.0.0 area 142
 interface vlan 123
 ip ospf priority 255

SW2
 ip routing
 router ospf YY
 router-id YY.YY.8.8
 network YY.YY.8.8 0.0.0.0 area 0
 network YY.YY.123.8 0.0.0.0 area 0
 network YY.YY.58.8 0.0.0.0 area 51
 interface vlan 123
 ip ospf priority 254

SW3
 ip routing
 router ospf YY
 router-id YY.YY.9.9
 network YY.YY.9.9 0.0.0.0 area 0
 network YY.YY.123.9 0.0.0.0 area 0

SW4
 ip routing
 router ospf YY
 router-id YY.YY.10.10
 network YY.YY.10.10 0.0.0.0 area 0
 network YY.YY.123.10 0.0.0.0 area 0
 network YY.YY.42.10 0.0.0.0 area 142

-------------------------
2.2 Implement IPv4 EIGRP
-------------------------
Configure Enhanced Interior Gateway Routing Protocol (EIGRP) 100 on SW2 in order to establish an EIGRP neighbor with Backbone 3 in the IGP topology diagram.
- BB3 has IP address 150.3.YY.254 and is using AS number 100
- Disable auto-summary

SW2
 router eigrp 100
 no auto-summary
 network 150.3.0.0

--------------------------
2.3 Implement RIP Version 2
--------------------------
Configure RIP Version 2 (RIPv2) between R3 and BB1. R3 must accept from BB1 only the following prefixes: 199.172.4.0/24, 199.172.6.0/24, 199.172.12.0/24, 199.172.14.0/24
- Use Standard ACL with a single entry
- Disable Auto Summarization

R3
 router rip
 version 2
 no auto-summary
 network 150.1.0.0
 distribute-list 1 in g0/0
 access-list 1 permit 199.172.4.0 0.0.10.0

-----------------------------
2.4 Redistribute RIP into OSPF
-----------------------------
Redistribute RIP into OSPF on R3 such that the routing table on R5 contains the following.
 O N2 199.172.12.0/24
 O N1 199.172.4.0/24
 O N1 199.172.6.0/24
 O N2 199.172.14.0/24
 O N2 150.1.YY.0/24
- Use Standard ACL with a single entry

R3
 access-list 2 permit 199.172.4.0 0.0.2.0
 route-map RIP_TO_OSPF permit 10
 match ip address 2
 set metric-type type-1
 route-map RIP_TO_OSPF permit 20
 router ospf YY
 redistribute rip subnets route-map RIP_TO_OSPF

-------------------------------
2.5 Redistribute EIGRP into OSPF
-------------------------------
Redistribute EIGRP into OSPF on SW2 such that
- Redistributed EIGRP routes must be advertised into Area 0 and 142 as OSPF Type E2
- Redistributed EIGRP routes must not be advertised into Area 51
- SW2 must advertise an inter-area default route into Area 51 only
- Don’t use any route-map and do not add any static route anywhere

SW2
 router ospf YY
 redistribute eigrp 100 subnets
 area 51 nssa no-summary no-redistribution

R3 and R5
 router ospf YY
 area 51 nssa

---------------------
2.6 Implement IPv4 BGP
---------------------
Configure iBGP peering for R1, R2, R3 and R5 as per the following requirement.
- Minimize the number of BGP peering sessions, and all BGP speakers in AS YY except SW2 must have only one iBGP peer
- Where possible, failure of a physical interface should not permanently affect BGP peer connections
- All BGP routes on all devices must be valid routes
- Configure BGP as per diagram
- BGP routes from BB1 must have community values 254 207 103 in AS YY
- BGP routes from BB2 must have community values 254 208 104 in AS YY
- Make sure that all BGP speakers in AS YY (even R2) are pointing all BGP prefixes from AS 254 via BB1 only (their BGP next hop must be the IP address of the backbone devices)

R1 / R2 / R3 / R5
 router bgp YY
 bgp router-id YY.YY.X.X
 neighbor YY.YY.8.8 remote-as YY
 neighbor YY.YY.8.8 update-source loopback0
 neighbor YY.YY.8.8 send-community

SW2
 router bgp YY
 bgp router-id YY.YY.8.8
 neighbor YY.YY.1.1 remote-as YY
 neighbor YY.YY.1.1 update-source loopback 0
 neighbor YY.YY.1.1 route-reflector-client
 neighbor YY.YY.1.1 send-community
 neighbor YY.YY.2.2 remote-as YY
 neighbor YY.YY.2.2 update-source loopback 0
 neighbor YY.YY.2.2 route-reflector-client
 neighbor YY.YY.2.2 send-community
 neighbor YY.YY.3.3 remote-as YY
 neighbor YY.YY.3.3 update-source loopback 0
 neighbor YY.YY.3.3 route-reflector-client
 neighbor YY.YY.3.3 send-community
 neighbor YY.YY.5.5 remote-as YY
 neighbor YY.YY.5.5 update-source loopback 0
 neighbor YY.YY.5.5 route-reflector-client
 neighbor YY.YY.5.5 send-community

R2
 neighbor 150.2.YY.254 remote-as 254
 neighbor 150.2.YY.254 route-map BB2 in
 route-map BB2
 set community 104 208 additive

R3
 neighbor 150.1.YY.254 remote-as 254
 neighbor 150.1.YY.254 route-map BB1 in
 route-map BB1
 set local-preference 111
 set community 103 207 additive

--------------------------------
2.7 Implement Performance Routing
--------------------------------
Implement PfR to achieve the following policies:
- R1 must be the Master and Border Router and R2 must be a Border Router
- Ensure that PfR sessions are established using the Lo0 interface only
- Your border routers must be directly connected. Create a GRE tunnel between them and use any subnet that is not used in your config.
- A specific traffic (marked with DSCP "CS2") from VLAN_44 to VLAN_55 must be routed via R1
- Another traffic (marked with DSCP "CS4") from VLAN_44 to VLAN_55 must be routed via R2
- Use Extended ACL with a single entry
- You should use access-list specifying only source address and DSCP value
- Your interface is allowed to have a maximum utilization on R1 of 80% and a maximum utilization on R2 of 90%
- Use active probes only
- Use the lowest load-interval on your external interfaces to monitor the load
- You must use "set mode select-exit good" everywhere in your config
- Configure a floating static default route with an AD of 250 on R1 and R2 facing the Switches
- Disable the following global commands: max-range-utilization, resolve utilization, resolve range
- Use the following: monitor-period 1, periodic-interval 0, period rotation 90

R2
 key chain PFR
 key 1
 key-string PFR
 oer border
 local loopback0
 active-probe address source interface loopback 0
 master y.y.1.1 key-chain PFR
 int tunnel 12
 tunnel source lo0
 tunnel destination y.y.1.1
 ip addr y.y.11.2 255.255.255.0
 ip route 0.0.0.0 0.0.0.0 y.y.42.10 250

R1
 key chain PFR
 key 1
 key-string PFR
 oer border
 local loopback0
 active-probe address source interface loopback 0
 master y.y.1.1 key-chain PFR
 int tunnel 12
 tunnel source lo0
 tunnel destination y.y.2.2
 ip addr y.y.11.1 255.255.255.0
 ip route 0.0.0.0 0.0.0.0 y.y.17.7 250
 ip access-list extended CS2
 permit ip y.y.44.0 0.0.0.255 any dscp cs2
 ip access-list extended CS4
 permit ip y.y.44.0 0.0.0.255 any dscp cs4
 oer-map PFR_MAP 10
 match ip address access-list CS2
 set mode select-exit good
 set active-probe echo y.y.55.5
 set link-group R1
 oer-map PFR_MAP 20
 match ip address access-list CS4
 set mode select-exit good
 set active-probe echo y.y.55.5
 set link-group R2
 oer master
 logging
 policy-rules PFR_MAP
 no max-range-utilization
 no resolve utilization
 no resolve range
 periodic 90
 border y.y.1.1 key-chain PFR
 interface tunnel 12 internal
 interface s0/0/0 internal
 interface g0/0 external
 max-xmit-utilization percentage 80
 link-group R1
 border y.y.2.2 key-chain PFR
 interface tunnel 12 internal
 interface s0/0/0 internal
 interface g0/0 external
 max-xmit-utilization percentage 90
 link-group R2
 learn
 periodic-interval 0
 monitor-period 1

--------------------------------
2.8 Implement Performance Routing
--------------------------------
Continue as per the following:
- The voice traffic is sourced from VLAN_44 destined to the voice gateway R5 (YY.YY.55.5) and marked with DSCP "EF"
- Voice traffic should go through R1 if the delay is 40ms and jitter is 5ms, and it should fall back to R2 should these values not be met
- Make sure that all exits are probed constantly. Set the frequency of probes to the lowest value
- You should use access-list specifying only source address and DSCP value

R1
 ip access-list extended EF
 permit ip y.y.44.0 0.0.0.255 any dscp ef
 oer-map PFR_MAP 30
 match ip address access-list EF
 set mode select-exit good
 set active-probe jitter y.y.55.5 target-port 16384 codec g729a
 set delay threshold 40
 set jitter threshold maximum 5
 set link-group R1

-----------------
2.9 Implement IPv6
-----------------
The ipv6 addresses are preconfigured for you. (ipv6 unicast-routing was enabled for me as well, check for it!)
- Configure OSPF Area 142 between R1, R2, R4
- Configure IPv6 PIM sparse mode on the serial interfaces
- R4's interface f0/0 should be the static RP-address (FEC1:CC1E:44::4) for the multicast group FFTS::4000:4000. Determine the value of TS. The multicast stream should be a transient one and the scope should be 5 for company wide.
- You should be able to ping the multicast group from R2 Interface s0/0/0

R1
 ipv6 multicast-routing
 ipv6 cef
 int g0/0
 ipv6 ospf yy area 142
 ipv6 mld join-group FF15::4000:4000
 int s0/0/0
 ipv6 ospf yy area 142
 ipv6 router ospf yy
 passive-interface g0/0
 ipv6 pim rp-address fec1:cc1e:44::4

R2
 ipv6 multicast-routing
 ipv6 cef
 int g0/0
 ipv6 ospf yy area 142
 int s0/0/0
 ipv6 ospf yy area 142
 ipv6 router ospf yy
 passive-interface g0/0
 ipv6 pim rp-address fec1:cc1e:44::4

R4
 ipv6 multicast-routing
 ipv6 cef
 int f0/0
 ipv6 ospf yy area 142
 int f0/1
 ipv6 ospf yy area 142
 int s0/0/0
 ipv6 ospf yy area 142
 int s0/0/1
 ipv6 ospf yy area 142
 ipv6 router ospf yy
 passive-interface f0/0
 passive-interface f0/1
 ipv6 pim rp-address fec1:cc1e:44::4 MCAST
 ipv6 access-list MCAST
 permit ipv6 any FF15::4000:4000/127
If you use /128 in the lab and apply this acl to the static rp command, IOS will warn you that you need a bigger mask and that /128 is not working.

-----------------------------------
2.10 Implement Advanced IPv6 feature
-----------------------------------
- In an attempt to reduce link-layer congestion, limit to 5 messages per second the rate at which all IPv6 enabled devices generate all IPv6 ICMP error messages
- Enable Netflow for IPv6 on R1 to monitor the traffic entering Area 142
- Use R1-Lo0 as source address for the exports
- Aggregate the flows per destination and allow up to 20000 entries in the cache
- Inactive entries must be deleted from the cache after 2 minutes of inactivity
- Export the flows every 3 hours to the server YY.YY.44.100 (port 9876)

R1/R2/R4
 ipv6 icmp error-interval 200 1

R1
 ipv6 flow-export source Loopback0
 ipv6 flow-aggregation cache destination-prefix
 export template timeout-rate 180
 cache entries 20000
 cache timeout inactive 120
 export version 9
 export destination YY.YY.44.100 9876
 enabled
 int g0/0
 ipv6 flow ingress

-------------------------
Section 3 – IP Multicast
-------------------------
3.1 IPv4 Multicast
- There is a multicast source on VLAN 44 and clients are located on the BB3 subnet (150.3.YY.0/24).
- Configure R1 and R2 loopback0 to be a rendezvous point (RP). Use a dynamic protocol that supports PIM v1 and v2.
- Ensure that R2 should be the preferred RP rather than R1.
- Simulate clients have sent requests to join the multicast group 239.YY.YY.1. Make sure R4 f0/0 is able to ping this multicast IP.

Note: For IOU:
 int vlan 123
 no ip mfib cef input
 no ip mfib cef output

R4
 ip multicast-routing
 int lo0
 ip pim sparse-mode
 int s0/0/0
 ip pim sparse-mode
 int s0/0/1
 ip pim sparse-mode
 int f0/0
 ip pim sparse-mode
 ip pim autorp listener
 ip pim send-rp-discovery lo0 scope 16

R1 / R2
 ip multicast-routing
 int lo0
 ip pim sparse-mode
 int s0/0/0
 ip pim sparse-mode
 int g0/0
 ip pim sparse-mode
 ip pim autorp listener
 ip pim send-rp-announce lo0 scope 16

SW1
 ip multicast-routing distributed
 int f0/1
 ip pim sparse-mode
 int vlan 123
 ip pim sparse-mode
 ip pim autorp listener

SW2
 ip multicast-routing distributed
 int vlan 33
 ip pim sparse-mode
 ip igmp join-group 239.y.y.1
 int vlan 123
 ip pim sparse-mode
 ip pim autorp listener

SW3
 ip multicast-routing distributed
 int vlan 123
 ip pim sparse-mode
 ip pim autorp listener

SW4
 ip multicast-routing distributed
 int vlan 123
 ip pim sparse-mode
 int vlan 42
 ip pim sparse-mode
 ip pim autorp listener

-------------
3.2 PIM Tuning
-------------
- Ensure that PIM register messages reach the RP upstream via SW1.
- If SW1 goes down, PIM register messages should reach the RP via one of the other switches.
- Vlan 33 should not receive any RP messages

SW1:
 int vlan 123
 ip pim dr-priority <MAX VALUE>

SW2:
 access-list 1 deny 224.0.1.39
 access-list 1 deny 224.0.1.40
 access-list 1 permit any
 int vlan 33
 ip multicast boundary 1 filter-autorp

SW4:
 int vlan 123
 ip pim dr-priority <MAX VALUE-1>

----------------------------
Section 4 – Advanced Services
----------------------------
4.1 Network Address Translations (NAT)
You are required to implement NAT. You need to match the output in the screenshots provided.
- Do not add any static route in R4.
- You are allowed to add one /24 static in four devices.
- Do not propagate any prefix from the network 100.0.0.0/8 in any routing protocol.

Screenshot:
SW1# ping 100.100.100.10 source lo 100
SW4# ping 100.100.100.7 source lo 100
R4: show ip nat translations
Pro  Inside global        Inside local        Outside local        Outside global
icmp 100.100.100.7:0     YY.YY.17.7:0        100.100.100.10:0     YY.YY.42.10:0
icmp 100.100.100.7:N     YY.YY.17.7:N        100.100.100.10:N     YY.YY.42.10:N
icmp 100.100.100.10:0    YY.YY.42.10:0       100.100.100.7:0      YY.YY.17.7:0
icmp 100.100.100.10:N    YY.YY.42.10:N       100.100.100.7:N      YY.YY.17.7:N

SW1
 interface loopback100
 ip address 100.100.100.7 255.255.255.255
 ip route 100.100.100.0 255.255.255.0 YY.YY.17.1

R1
 ip route 100.100.100.0 255.255.255.0 YY.YY.14.4

SW4
 interface loopback100
 ip address 100.100.100.10 255.255.255.255
 ip route 100.100.100.0 255.255.255.0 YY.YY.42.2

R2
 ip route 100.100.100.0 255.255.255.0 YY.YY.24.4

R4
 interface serial0/0/0
 ip nat outside
 interface serial0/0/1
 ip nat outside
 ip nat inside source static YY.YY.17.7 100.100.100.7
 ip nat inside source static YY.YY.42.10 100.100.100.10

----------
4.2 MLS QoS
----------
Configure your four switches according to the following requirements.
- Make sure that ports SW1-f0/1 to SW1-F0/5 are marking all untagged packets to "COS 1"
- Make sure that these ports are trusting the COS value if packets are already marked.
- Ensure that all switches are queuing packets marked with "COS 1" in the ingress queue #1
- Ensure that all switches drop ingress traffic marked with "COS 1" when the respective ingress queue level is between 40 and 100 percent
- Ensure that the switches do not drop packets marked with "COS 5" in ingress until the respective ingress queue is completely full

SW1-SW4
 mls qos
 mls qos srr-queue input threshold 1 40 100
 interface range fastethernet 0/19 – 24
 mls qos trust cos

SW1
 interface range fastethernet 0/1 – 5
 mls qos cos 1
 mls qos trust cos

--------------------------------------------------
4.3 QoS – Class Based Weighted Fair Queuing (CBWFQ)
--------------------------------------------------
The IT administrator requires that you implement QoS.
- For traffic coming from BB2 allocate 10000 kbps on R2 g0/0.
- For traffic coming from BB1 allocate 1000 kbps on R3 s0/0/0.
- This should not affect any other traffic other than all possible traffic entering from these links

R2
 class-map BB2
 match input-interface fastethernet0/1
 policy-map CBWFQ
 class BB2
 bandwidth 10000
 interface g0/0
 service-policy output CBWFQ

R3
 class-map BB1
 match input-interface g0/0
 policy-map CBWFQ
 class BB1
 bandwidth 1000
 interface serial0/0/0
 service-policy output CBWFQ

--------------------------------------------
4.4 Implement Routing Protocol Authentication
--------------------------------------------
Secure OSPF area 0 according to the following requirement
- Use the strongest authentication type
- The password must be saved in clear in the config and must be seen as "cisco"
- You are not allowed to use any commands in the router configuration

SW1-SW4
 no service password-encryption
 interface vlan 123
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cisco

-----------------
4.5 Implement DHCP
-----------------
R4 has been configured to provide the following parameters for DHCP clients on VLAN 44
- IP addresses
- Domain name cisco.com
- DNS servers YY.YY.55.50 and YY.YY.55.51
- Default gateway is YY.YY.44.4
Complete the DHCP configuration on R4 and SW1 according to the following requirements
- The administrator wants the DHCP deployment to be as secure as possible.
- Ensure that only R4 services the DHCP requests
- Protect users in VLAN 44 from rogue DHCP servers
- Disable the insertion and removal of the option-82 field
- Protect the DHCP server from DHCP attacks originating from SW1 port Fa0/14, which may lead to resource exhaustion, and ensure that a maximum of 3 different hosts can still connect to that port (shut down the port when a violation occurs)
- Make sure that SW1 Fa 0/14 is enabled and provisioned so that the customer only needs to connect the printer to the port

R4
 ip dhcp excluded-address y.y.44.100
 ip dhcp excluded-address y.y.44.200

SW1
 ip dhcp snooping
 ip dhcp snooping vlan 44
 no ip dhcp snooping information option
 interface fastethernet0/4
 ip dhcp snooping trust
 interface fastethernet0/14
 switchport mode access
 switchport access vlan 44
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation shutdown
 ip dhcp snooping limit rate 150
 no shutdown

-----------------------------
4.6 Implement Layer 2 Security
-----------------------------
Continue securing the DHCP deployment according to the following requirements
- In the near future the customer will connect a printer to SW1’s Fa0/14 in VLAN 44 and assign it the static IP address YY.YY.44.100. The printer's MAC address is abcd.abcd.abcd
- Ensure that the printer is able to communicate with the users on VLAN 44 and ensure that your solution survives a reload (use the file flash:CCIE.TXT)
- Enable a feature on the switch to dynamically protect interface Fa 0/14 against spoofed IP packets and ARP requests

SW1
 ip dhcp snooping database flash:CCIE.TXT
 (after 300s the binding from below will be written into that file, check with "more flash:CCIE.txt")
 ip arp inspection vlan 44
 (in exec mode) ip dhcp snooping binding abcd.abcd.abcd vlan 44 YY.YY.44.100 interface fastEthernet 0/14 expiry <MAX VALUE>
 int f0/4
 ip arp inspection trust
 int f0/14
 ip verify source
 (checks the source IP only; "ip verify source port-security" also checks the MAC)

-------------------------------------------
4.7 Web Caching Communication Protocol (WCCP)
-------------------------------------------
Configure WCCP on R4 according to the following requirement
- There will be a WAAS appliance connected to interface Fa0/1
- Any traffic from any client connected to Fa0/0 going out of the 2 serial interfaces must be redirected to the WAAS server on Fa0/1
- Traffic redirected from the clients to the server must use WCCP service 62
- Traffic redirected from the server to the clients must use WCCP service 61
- Traffic that is being sent from R1 to R2 and from R2 to R1 is not allowed to be redirected.

R4
 ip wccp version 2
 ip wccp 61 redirect-list CLIENTS_IN
 ip wccp 62 redirect-list CLIENTS_OUT
 ip access-list extended CLIENTS_OUT
 permit ip y.y.44.0 0.0.0.255 any
 ip access-list extended CLIENTS_IN
 permit ip any y.y.44.0 0.0.0.255
 ip wccp check services all
 int f0/0
 ip wccp 62 redirect in
 int s0/0/0
 ip wccp 61 redirect in
 int s0/0/1
 ip wccp 61 redirect in
 int f0/1
 ip wccp redirect exclude in

-------------------------------
Section 5 – Optimize the Network
-------------------------------
5.1 Implement SNMP
- On R5 implement SNMP to send traps to an NMS system.
- The NMS system is located at YY.YY.55.240, which is the only SNMP manager that should be able to use this community string.
- Use the community string CiscoWorks.
- The SNMP manager should be able to modify any MIB on R5.
- Configure R5 to send bgp traps.

R5
 snmp-server community CiscoWorks RW 1
 snmp-server enable traps bgp
 snmp-server host YY.YY.55.240 CiscoWorks bgp
 access-list 1 permit YY.YY.55.240

-------------------------
5.2 Embedded Event Manager
-------------------------
Configure 2 eem scripts, one for enabling ospf debug if the ospf neighborship of R3 goes down.
- Configure R3 with event manager applet “ENABLE_OSPF_DEBUG” when the ospf adjacency goes down to R5
- It should enable the “debug ip ospf event” and “debug ip ospf adj”
- Configure another EEM applet “DISABLE_OSPF_DEBUG” when the OSPF neighborship comes up with R5. It should disable all the debug messages.
- Make sure that each event generates a syslog message with a priority of 6 that shows the name of the event being activated.
- These logs should be seen both in the console and in the log buffer.
- You MUST be able to have these events run on R3 when R5 bounces its interface.

R3
 event manager applet ENABLE_OSPF_DEBUG
 event syslog pattern ".*%OSPF-5-ADJCHG: Process y, Nbr y.y.5.5 on Serial0/0/0 from FULL to DOWN.*"
 action 1.0 cli command "enable"
 action 2.0 cli command "debug ip ospf event"
 action 3.0 cli command "debug ip ospf adj"
 action 4.0 syslog priority informational msg "ENABLE_OSPF_DEBUG"
 event manager applet DISABLE_OSPF_DEBUG
 event syslog pattern ".*%OSPF-5-ADJCHG: Process y, Nbr y.y.5.5 on Serial0/0/0 from LOADING to FULL.*"
 action 1.0 cli command "enable"
 action 2.0 cli command "undebug all"
 action 3.0 syslog priority informational msg "DISABLE_OSPF_DEBUG"
 logging on
 logging console debugging
 logging buffered debugging
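As an added illustration (not part of the workbook), the Python below models how R3's two applets from 5.2 react to a constructed log stream: the OSPF process id and R5's address use the YY placeholders, a fourth line with a hypothetical extra neighbour (YY.YY.9.9 on GigabitEthernet0/1) shows that the patterns stay specific to R5, and the %HA_EM-6-LOG message format is an assumption about what the priority-6 syslog action emits.

```python
import re

# Constructed sample of R3's log stream (not captured from the lab). The OSPF
# process id and R5's address use the workbook's YY placeholders; the fourth
# line is a hypothetical neighbour on another interface.
SAMPLE_SYSLOG = [
    "%OSPF-5-ADJCHG: Process YY, Nbr YY.YY.5.5 on Serial0/0/0 from LOADING to FULL, Loading Done",
    "%LINK-3-UPDOWN: Interface Serial0/0/0, changed state to down",
    "%OSPF-5-ADJCHG: Process YY, Nbr YY.YY.5.5 on Serial0/0/0 from FULL to DOWN, Neighbor Down: Interface down or detached",
    "%OSPF-5-ADJCHG: Process YY, Nbr YY.YY.9.9 on GigabitEthernet0/1 from FULL to DOWN, Neighbor Down: Dead timer expired",
    "%OSPF-5-ADJCHG: Process YY, Nbr YY.YY.5.5 on Serial0/0/0 from LOADING to FULL, Loading Done",
]

# The two applets from this section as (name, syslog pattern, cli actions).
# `event syslog pattern` is a regular expression: the dots in the neighbour
# address are escaped so they only match a literal ".", and the surrounding
# ".*" from the workbook is unnecessary with an unanchored search.
APPLETS = [
    ("ENABLE_OSPF_DEBUG",
     r"%OSPF-5-ADJCHG: Process YY, Nbr YY\.YY\.5\.5 on Serial0/0/0 from FULL to DOWN",
     ["enable", "debug ip ospf event", "debug ip ospf adj"]),
    ("DISABLE_OSPF_DEBUG",
     r"%OSPF-5-ADJCHG: Process YY, Nbr YY\.YY\.5\.5 on Serial0/0/0 from LOADING to FULL",
     ["enable", "undebug all"]),
]


def applets_fired(lines, applets=APPLETS):
    """Return [(applet name, cli actions)] in the order the log lines trigger them."""
    fired = []
    for line in lines:
        for name, pattern, actions in applets:
            if re.search(pattern, line):
                fired.append((name, actions))
    return fired


def simulate(lines, applets=APPLETS):
    """Model the applets' effect on R3: the set of debugs left enabled after the
    log stream, plus the priority-6 message each applet emits (the
    %HA_EM-6-LOG format is assumed, not taken from the workbook)."""
    debugs = set()
    emitted = []
    for name, actions in applets_fired(lines, applets):
        for cmd in actions:
            if cmd.startswith("debug "):
                debugs.add(cmd[len("debug "):])
            elif cmd == "undebug all":
                debugs.clear()
        emitted.append(f"%HA_EM-6-LOG: {name}: {name}")
    return debugs, emitted


if __name__ == "__main__":
    enabled, messages = simulate(SAMPLE_SYSLOG)
    print("debugs left enabled:", sorted(enabled))
    for m in messages:
        print(m)
```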
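Going back to task 2.9 (the FFTS::4000:4000 group), this added Python example, not part of the workbook, derives the T and S nibbles from the requirements (transient, scope 5), decodes an address back into those fields, and lists which group ids the /127 access-list workaround noted there actually covers. The scope names come from RFC 4291; FEC1:CC1E:44::4 is the RP address from the task, used only as a non-multicast counterexample.

```python
import ipaddress

# IPv6 multicast scope values (RFC 4291 section 2.7).
SCOPES = {
    0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
    0x5: "site-local", 0x8: "organization-local", 0xE: "global",
}
FLAG_T, FLAG_P, FLAG_R = 0x1, 0x2, 0x4   # the "0RPT" flag nibble


def build_group(transient, scope, group_id):
    """Compose FFTS::<group_id>: T=1 marks a transient (non-permanent) group,
    S is the scope nibble; group_id fills the low 112 bits."""
    if scope not in SCOPES:
        raise ValueError(f"unassigned scope {scope:#x}")
    if not 0 <= group_id < (1 << 112):
        raise ValueError("group id out of range")
    second_octet = ((FLAG_T if transient else 0) << 4) | scope
    return ipaddress.IPv6Address((0xFF << 120) | (second_octet << 112) | group_id)


def describe_group(text):
    """Decode the flag and scope nibbles of a multicast address."""
    addr = ipaddress.IPv6Address(text)
    if not addr.is_multicast:
        raise ValueError(f"{addr} is not multicast")
    flags, scope = addr.packed[1] >> 4, addr.packed[1] & 0xF
    return {
        "transient": bool(flags & FLAG_T),
        "scope": SCOPES.get(scope, f"unassigned({scope:#x})"),
        "group_id": int.from_bytes(addr.packed[2:], "big"),
    }


def groups_in_acl_prefix(acl_prefix, limit=8):
    """Addresses matched by the prefix in the ipv6 access-list that the static
    rp-address command points at. The /127 workaround from the section also
    admits the neighbouring group id, which /128 would not."""
    net = ipaddress.IPv6Network(acl_prefix, strict=False)
    return [str(a) for _, a in zip(range(limit), net)]


if __name__ == "__main__":
    group = build_group(transient=True, scope=0x5, group_id=0x40004000)
    print(group, describe_group(str(group)))
    print(groups_in_acl_prefix("FF15::4000:4000/127"))
```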