You are on page 1of 26

Section 1 - Layer 2 ---------------------------------1.1 Troubleshoot Layer 2 Switching ---------------------------------Cisco says that there are two faults injected.

Each fault will give you 2 points. The whole K6++ Lab had 78 points to get, so you must have 62 points in order to be over 80%. - VLAN access map that is denying OSPF is in pre-configuration (change the drop to forward) --> that should be enough - root guard on BB Links (interface f0/10) - no ip cef on some routers (not sure if that is a fault) ----------------------------------------------------1.2 Implement Access Switch Ports of Switched Network ----------------------------------------------------Configure all of the appropriate non-trunking switch ports on SW1 – SW4 according to the following - SW1 is the server for the VLAN Trunking Protocol version 2 domain "CCIE" (VTP password "cisco" ) - SW2, SW3, SW4 are expecting SW1 update their VLAN database when needed - Configure the VLAN ID and Name according to the table below (case sensitive) - Configure the access ports for each VLAN as per the diagram - Using a single command ensure that all access ports are transitioned to forwarding state as quickly as possible - Using a single command ensure that the interface is forced the err-disabled state if BPDU is received by any ports - Ensure that any BPDU received by the access ports facing the backbone devices (and only these devices) have no effect to your spanning tree decision - Don’t forget to configure the Layer 3 interfaces and to include SW1’s port fa 0/4 into VLAN 44 VLAN_ID NAME 11 VLAN_11_BB1 22 VLAB_22_BB2 33 VLAN_33_BB3 42 VLAN_?_R2-SW4 44 VLAN_44_R4 55 VLAN_55_R5-SW2 123 VLAN_123_SWITCHES 999 VLAN_RSPAN SW1 vtp version 2 vtp domain CCIE vtp password cisco

vtp mode server SW2-SW4 vtp version 2 vtp domain CCIE vtp password cisco vtp mode client SW1-SW2 interface f0/2 switchport mode access switchport access vlan xx Repeat that for every access interface on the switches. SW1-SW3 interface f0/10 spanning-tree bpdufilter enable SW1-SW4 spanning-tree portfast default spanning-tree bpduguard default Need to find the clan between R2 and SW4. They tell you that the bridge priority has to be 12330 for that vlan. Now you multiple the spanning-tree vlan priority in steps of 4096 until you get close. That is 12288. Then you subtract 12288 from 12330 and get 42. -------------------------------------------------------------------------------------------------------------1.3 Spanning-Tree Domains for Switched Network Configure the switches according to the following requirements: -------------------------------------------------------------------------------------------------------------- Both switches must have one instance per vlan. - Ensure that SW1 is the Root Switch, and SW2 the Backup Switch for all odd vlans - Ensure that SW2 is the Root Switch, and SW1 is the Backup Switch for all even vlans - Configure instance per vlan and rapid transition for forwarding - Configure to 30 seconds that time that all switches wait before their spanning-tree processes attempts to re-converge if it didn’t receive any spanning-tree configuration message for all future vlans. SW1

1q .42.33.999 root secondary root secondary spanning-tree vlan 22.Configure Etherchannel between SW3 and SW4.123.x (range of ports to SW2) channel-group 12 mode active SW2 interface range f0/x .24 switchport trunk encapsulation dot1q switchport mode trunk SW1 interface range f0/x .x (range of ports to SW1) channel-group 12 mode passive SW3 .55.33.999 root primary spanning-tree vlan 22. SW3 and SW4: .11. use the Industry standard. SW2.spanning-tree mode rpvst spanning-tree vlan 1.11.4 Switch Trunking and Ether Channel ------------------------------------Use the following requirements to configure the Etherchannel of SW1.Configure Etherchannel between SW1 and SW2.Ensure that SW1 and SW3 must initiate the negotiation and SW2 and SW4 must not start the negotiation SW1-SW4 interface range f0/19 . the proprietary method . .55.42.44 root primary spanning-tree vlan 42 priority 12288 SW1-SW4 spanning-tree vlan 1-4094 max-age 30 ------------------------------------1.123.44 root secondary SW2 spanning-tree mode rpvst spanning-tree vlan 1.Use encapsulation 802.

44 port-priority 240 --------1.You need to monitor any future interfaces connecting to VLAN_BB1 and VLAN_BB2 .5 Spanning-Tree Tuning -----------------------.Find the vlan between R2 and SW4.Don’t create any new VLAN while configuring this SW1 vlan 999 remote-span monitor session 1 source vlan 11 .42.There should not be any configuration regarding this on SW3. .Any traffic received (and only received) from VLAN_BB1 and VLAN_BB2 must be replicated to a traffic analyser connected to SW4 Fa0/15 via VLAN 999 .Any traffic flowing through the trunk between SW3 and SW4 must be replicated to another traffic analyser connected to SW4 Fa0/16 . The Bride ID priority of that Vlan must be 12330 on SW2 .Ensure that the port fa0/20 is in the forwarding state rather than the blocking state for even vlans on SW4.x (range of ports to SW3) channel-group 12 mode auto -----------------------1. .You must do this without changing any configurations on SW4 .x (range of ports to SW4) channel-group 12 mode desirable SW4 interface range f0/x .interface range f0/x .6 RSPAN --------. 22 rx monitor session 1 destination remote vlan 999 .Use the highest numerical value to complete SW2 int f0/19 spanning-tree vlan 22. 22 rx monitor session 1 destination remote vlan 999 SW2 monitor session 1 source vlan 11 .

44.SW4 monitor session 1 source remote vlan 999 monitor session 1 destination interface f0/15 monitor session 2 source interface port-channel 34 both monitor session 2 destination interface f0/16 -------------1.44. they can use ppp chap password with "CCIE".Make sure that all CHAP passwords are shown in clear int the configuration .Use radius server at YY.YY.Make sure AAA authentication does not affect any console or line VTY from any PPP devices (ensure that there is no username prompt either) .7 PPP & CHAP -------------. . R4 no service password-encryption aaa new-model aaa authentication login default line aaa authentication ppp default group radius local-case radius host YY.YY.R1 and R2 cannot use ppp chap hostname.Use only default authentication list for both console and line VTY.200 as authentication server and fallback to the local AAA database in case the server is unreachable .Use CISCO as key required by the Radius server .200 key CISCO username RackYYR1 password 0 CCIE username RackYYR2 password 0 CCIE interface s0/0/0 encapsulation ppp ppp authentication chap default interface s0/1/0 / encapsulation ppp ppp authentication chap default .R4 must require R1 and R2 to authenticate using CHAP but R1 and R2 must not require R4 to authenticate .

0.2.0 area 142 network YY.Router ID must be stable and must be configed using the IP Address of Lo0 .YY.0 area 142 redistribute connected subnets route-map BB2 route-map BB2 match interface g0/1 R3 .2 0.YY.0.YY.42.0.0 area 142 network YY.0.0.YY.YY.0/24) appear as OSPF External Type 2 routes in routing table .1 0.0 area 142 network YY.1.0.1 0.YY.0.0.YY.Make sure that all 3 prefixes for the backbone links (150.Use highest numerical values .R1-R2 no service password-encryption interface s0/0/0 encapsulation ppp ppp chap password 0 CCIE -------------------------------Section 2 – Layer 3 Technologies -------------------------------2.2.0 area 142 network YY.0.0.Do not create any additional OSPF areas.2 network YY.2 0.17.1 Configure OSPF Area 0.1 network YY.Lo0 interfaces must be advertised in the OSPF area as shown in the IGP topology diagram and must appear as /32 routes .BB.2 0.1.Ensure that all switches attached to the VLAN 123 exchange routing updates primarily with SW1 and then SW2 (in case SW1 goes down) .0.YY.YY.0. 142 and 51 as per diagram .0 area 142 R2 router ospf YY router-id YY.14.1 0.24.OSPF process ID can be any number . Do not use any IP address not listed in the diagram R1 router ospf YY router-id YY.

0 area 142 network YY.0.7 0.YY.17.0 area 51 network YY.5 0.7 network YY.YY. area 51 network YY.YY. 0.5 0.0 area 142 network YY.8.YY. area 51 R4 router ospf YY router-id YY.0.YY.0 area 0 network YY.35.YY.YY.44.YY. area 142 interface vlan 123 ip ospf priority 255 SW2 ip routing router ospf YY router-id YY.14.0.YY.YY.0.YY.0.YY.0 area 142 passive-interface f0/0 passive-interface f0/1 R5 router ospf YY router-id YY.4.3 0.0.3.YY.0.YY.YY.4 network YY. area 0 network YY.4 0.0.YY.0.YY.8 network YY.0.0.4 0.0.0 area 0 network YY.0.4 network YY. 0.0 area 51 SW1 ip routing router ospf YY router-id YY.7 0.8 0.router ospf YY router-id YY.4 0.0 area 142 network YY.0 area 51 network YY.3 network YY. 0.YY.YY.0 area 142 network YY.4 0.0 area 0 .7 0.0.

0.0 area 0 network YY.9 network YY. .8 0.42.1 0.0 area 51 interface vlan 123 ip ospf priority 254 SW3 ip routing router ospf YY router-id YY. has IP address 150.0.0.YY.0.YY.0/24 .0.0.0 area 0 network YY.9 0.0 --------------------------2.YY.0.10 0.3 Implement RIP Version 2 --------------------------Configure RIP Version 2 (RIPv2) between R3 and BB1 R3 must accept from BB1 only the following prefixes 199.0 area 0 network YY.254 and is using AS number 100 .Disable auto-summary SW2 router eigrp 100 no auto-summary network 150.123.YY.2 – Implement IPv4 EIGRP -------------------------Configure Enhanced Interior Gateway Routing Protocol (EIGRP) 100 on SW2 in order to establish EIGRP neighbor with Backbone 3 in the IGP topology diagram.9.YY.3.YY.0 area 0 SW4 ip routing router ospf YY router-id YY.0 area 142 ------------------------- network YY.YY.0.4.YY.10 0.3.10 0.

0 0.0 distribute-list 1 in interface g0/0 access-list 1 permit 199.0 . .0 route-map RIP_TO_OSPF match ip address 2 set metric-type type-1 route-map RIP_TO_OSPF permit 20 router ospf YY redistribute rip subnets route-map RIP_TO_OSPF ------------------------------- O N1 199.YY.14.1.Redistributed EIGRP routes must be advertised into Area 0 and 142 as OSPF Type E2 .0/24 O N1 199.Use Standard ACL with a single entry access-list 2 permit 199.0 0.0/24 199.0/24 O N2 150.0 -----------------------------2.12.Use Standard ACL with a single entry .172.Disable Auto Summarization router rip version 2 no auto-summary network Redistribute RIP into OSPF -----------------------------Redistribute RIP into OSPF on R3 such that the routing table on R5 contains the following.0.0/24 199. O N2 199.5 Redistribute EIGRP into OSPF -------------------------------Redistribute EIGRP into OSPF on SW2 such that .0/24 O N2 EIGRP routes must not be advertised into Area 51 .

YY.8 remote-as YY neighbor YY.X.YY.8.YY.8.8 update-source loopback0 neighbor YY.1 remote-as YY . SW2.Don’t use any route-map and do not add any static route anywhere SW2 router ospf YY redistribute eigrp YY subnets area 51 nssa no-summary no-redistribution R3 and R5 router ospf yy area 51 nssa ---------------------2.YY.Minimize number of BGP peering sessions and all BGP speakers in AS YY except SW2 must have only one iBGP peer .8 send-community SW2 router bgp YY bgp router-id YY.YY.Make sure that all BGP speakers in AS YY (even R2) are pointing all BGP prefixes from AS 254 via BB1 only (their BGP next hop must be the IP address of the backbone devices) R1 / R2 / R3 / R5 router bgp YY bgp router-id YY.Where possible failure of a physical interface should not permanently affect BGP peer connections .BGP routes from BB1 must have community values 254 207 103 in AS YY .BGP routes from BB2 must have community values 254 208 104 in AS YY . R3 and R5 as per the following requirement.6 Implement IPv4 BGP ---------------------Configure iBGP peering for R1.YY. R2.X neighbor YY..1.SW2 must advertise an inter-area default route into Area 51 only .8.All BGP routes on all devices must be valid routes Configure BGP as per diagram .X neighbor YY. .X.

1 route-reflector-client neighbor YY.254 route-map BB1 in route-map BB1 set local-preference 111 set community 103 207 additive --------------------------------2.3 update-source loopback 0 neighbor YY.5.1.YY.YY.5.YY.1 update-source loopback 0 neighbor YY.YY.5.2.YY.3.2.YY.254 route-map BB2 in route-map BB2 set community 104 208 additive R3 neighbor 150.R1 must be the Master and Border Router and R2 must be a Border Routers .7 Implement Performance Routing --------------------------------Implement PfR to achieve the following policies: .254 remote-as 254 neighbor 150.3 route-reflector-client neighbor YY.YY.2.YY.YY.5 remote-as YY neighbor YY.2 route-reflector-client neighbor YY.2.YY.1.YY.Use Extended ACL with a single entry .2 send-community neighbor YY.YY.YY.254 remote-as 254 neighbor 150.3.3 remote-as YY neighbor YY.YY.2 update-source loopback 0 neighbor YY.neighbor YY.2 remote-as YY neighbor YY.YY.1 send-community neighbor YY.YY.YY.3 send-community neighbor YY.2.YY.5.3.5 update-source loopback 0 neighbor YY.3.Ensure that PfR sessions are established using the Lo0 interface only .1.A specific traffic (marked with DSCP "CS2") from VLAN_44 to VLAN_55 must be routed via R1 .5 send-community R2 neighbor 150.1.YY.Another traffic (marked with DSCP "CS4") from VLAN_44 to VLAN_55 must be routed via R2 .2.5 route-reflector-client neighbor YY.1.

10 250 R1 key chain PFR key 1 key-string PFR oer border .y.11.y.1 key-chain PFR int tunnel 12 tunnel source lo0 tunnel destination y. .Disable the following global commands: max-range-utilization. resolve utilization resolve range .Use the following: monitor-period 1 periodic-interval 0 period rotation 90 R2 key chain PFR key 1 key-string PFR oer border local loopback0 active-probe address source interface loopback 0 master y.255.1 ip addr y.1..y.255.0.You should use access-list specifying only source address and DSCP value .0 ip route 0.Your border routers must be directly connected.Configure a floating static default route with an AD of 250 on R1 and R2 facing the Switches .0.0 y. Create a GRE tunnel between them and use any subnet that is not used in your config.You must use "set mode select-exit good" everywhere in your config .42.Use active probes only .1.Use the lowest load-interval on your external interfaces to monitor the load .0.2 255.0 0.Your interface is allowed to have a maximum utilization on R1 of 80% and a maximum utilization on R2 of 90% .0.y.

255.0.255 any dscp cs4 oer-map PFR_MAP 10 match ip address access-list CS2 set mode select-exit good active-probe icmp y.1 255. no resolve utilization no resolve range periodic 90 border y.255 any dscp cs2 ip access-list extended CS4 permit ip y.2 key-chain PFR .0.2 ip addr y.y.0.5 set link-group R1 oer-map PFR_MAP 20 match ip address access-list CS4 set mode select-exit good active-probe icmp y.1.0.y.5 set link-group R2 oer master logging policy PFR_MAP no max-range-utilization.2.y.0 y.y.11.1 key-chain PFR interface tunnel 12 internal interface s0/0/0 internal interface g0/0 external max-xmit-utilization percentage 80 link-group R1 border y.0.7 250 ip access-list extended CS2 permit ip y.1.0 ip route 0.0 0.local loopback0 active-probe address source interface loopback 0 master y.0.y.y.255.1 key-chain PFR int tunnel 12 tunnel source lo0 tunnel destination y.44.0 0.2.

check for it!) .9 Implement IPv6 -----------------The ipv6 address are preconfigured for you.YY.55.Set the frequency of probes to the lowest value . .Voice traffic should go through R1 if the delay is 40ms and jitter is 5ms and it should fallback to R2 should these values not be met .interface tunnel 12 internal interface s0/0/0 internal interface g0/0 external max-xmit-utilization percentage 90 link-group R2 learn periodic-interval 0 monitor-period 1 --------------------------------2.55.44.y. R4 .y.You should use access-list specifying only source address and DSCP value R1 ip access-list extended EF permit ip y.0. (ipv6 unicast-routing was enabled for me as well.Make sure that all exits are probed constantly..0 0.8 Implement Performance Routing --------------------------------Continue as per following: .255 any dscp ef oer-map PFR_MAP 30 match ip address access-list EF set mode select-exit good set active-probe jitter y.Configure OSPF Area 142 between R1..0.Configure IPv6 PIM sparse mode on the serial interfaces . R2.5) and marked with DSCP "EF" .5 target-port 16384 codec g729a set delay 40 set jitter 5 set link-group R1 -----------------2.The voice traffic is sourced from VLAN_44 destined to the voice gateway R5 (YY.

You should be able to ping the multicast group from R2 Interface s0/0/0 R1 ipv6 multicast-routing ipv6 cef int g0/0 ipv6 ospf yy area 142 ipv6 mld join-group FF15::4000:4000 int s0/0/0 ipv6 ospf yy area 142 ipv6 router ospf yy passive-interface g0/0 ipv6 pim rp-address fec1:cc1e:44::4 R2 ipv6 multicast-routing ipv6 cef int g0/0 ipv6 ospf yy area 142 int s0/0/0 ipv6 ospf yy area 142 ipv6 router ospf yy passive-interface g0/0 ipv6 pim rp-address fec1:cc1e:44::4 R4 ipv6 multicast-routing ipv6 cef .R4's interface f0/0 should be the static RP-address (FEC1:CC1E:44::4) for the multicast group FFTS::4000:4000 Determine the value of TS. The multicast stream should be a transient one and the scope should be 5 for company wide..

44.100 (port 9876) .Export the flows every 3 hours to the server YY.Inactive entries must be deleted from the cache after 2 minutes of inactivity R1/R2/R4 ipv6 icmp error-interval 200 1 R1 ipv6 flow-export source Loopback0 .In an attempt to reduce link-layer congestion.Aggregate the flows per destination and allow up to 20000 entries in the cache .Enable Netflow for IPv6 on R1 to monitor the traffic entering Area 142 . -----------------------------------2. IOS will warn you that you need a bigger mask and that /128 is not working.Use R1-Lo0 as source address for the exports . limit to 5 messages per second the rate at which all IPv6 enabled devices generate all IPv6 ICMP error messages .int f0/0 ipv6 ospf yy area 142 int f0/1 ipv6 ospf yy area 142 int s0/0/0 ipv6 ospf yy area 142 int s0/0/1 ipv6 ospf yy area 142 ipv6 router ospf yy passive-interface f0/0 passive-interface f0/1 ipv6 pim rp-address fec1:cc1e:44::4 MCAST ipv6 access-list MCAST permit ipv6 any FF15::4000:4000/127 If you use /128 in the lab and apply this acl to the static rp command.YY.10 Implement Advanced IPv6 feature -----------------------------------.

YY. . Use a dynamic protocol that supports PIM v1 and v2.100 9876 enabled int g0/0 ipv6 flow ingress -------------------------3 Section 3 – IP Multicast -------------------------3.Simulate clients have sent requests to join the multicast group 239.YY. .Configure R1 and R2 loopback0 to be a rendezvous point (RP).YY.Make sure R4 f0/0 is able to ping this multicast IP.Ensure that R2 should be the preferred RP rather than R1.1 IPv4 Multicast . .ipv6 flow-aggregation cache destination-prefix export template timeout-rate 180 cache entries 20000 cache timeout inactive 120 export version 9 export destination YY.44. .There is a multicast source on VLAN 44 and clients are located on the BB3 subnet (150.3. Note: For IOU: int vlan 123 no ip mfib cef input no ip mfib cef output R4 ip multicast-routing int lo0 ip pim sparse-mode int s0/0/0 ip pim sparse-mode .0/24).YY.1.

R2 ip multicast-routing int lo0 ip pim sparse-mode int s0/0/0 ip pim sparse-mode int g0/0 ip pim sparse-mode ip pim autorp listener ip pim send-rp-announce lo0 scope 16 SW1 ip multicast-routing distributed int f0/1 ip pim sparse-mode int vlan 123 ip pim sparse-mode ip pim autorp listener SW2 ip multicast-routing distributed int vlan 33 ip pim sparse-mode .int s0/0/1 ip pim sparse-mode int f0/0 ip pim sparse-mode ip pim autorp listener ip pim send-rp-discovery lo0 scope 16 R1 .

.Ensure PIM register message should reach RP via SW1.1 int vlan 123 ip pim sparse-mode ip pim autorp listener SW3 ip multicast-routing distributed int vlan 123 ip pim sparse-mode ip pim autorp listener Sw4 ip multicast-routing distributed int vlan 123 ip pim sparse-mode int vlan 42 ip pim sparse-mode ip pim autorp listener -------------3.y.y. If SW1 goes down PIM register messages should reach RP via one of the other switches.2 PIM Tuning -------------.PIM register messages should reach the RP upstream via SW1.ip igmp join-group 239.0.39 .1. .Vlan 33 should not receive any RP messages SW1: int vlan 123 ip pim dr-prio <MAX VALUE> SW2: access-list 1 deny 224.

100.40 access-list 1 permit any int vlan33 ip multicast boundary 1 filter-autorp SW4: int vlan 123 ip pim dr-prio <MAX VALUE-1> ----------------------------Section 4 – Advanced Services ----------------------------4.7:0 100.YY. 100.255.42.YY. 1 deny 224.0 255.1 Network Address Translations (NAT) You are required to implement NAT.7:0 YY.YY.10 source lo 100 SW4# ping 100.17. .17.100.Do not add any static route in R4.YY.100.255 ip route 100.4 SW4 .10:N YY.7 source lo 100 R4: show ip nat translations Pro Inside global Inside local Outside local Outside global icmp 100.100.0 icmp 100.10:0 YY.0.100. Screenshot: SW1# ping 100.17.You are allowed to add one /24 static in four devices.255.1.7:0 YY.255.YY. YY.42.10:0 icmp 100.100.YY.7:0 100.100.100. .17.100.10:0 100.7:N YY.0.7:N YY.100.17.0 YY.1 R1 ip route 100.7:0 SW1 interface loopback100 ip address 100.YY.0 YY.42.YY.7 255.100.17.Do not propagate and prefix from the network 100. .17.42.YY.0/8 in any routing protocol.10:0 icmp 100.17.YY.10:0 YY. You need to match the output in the screenshots provided.42.42.

.100.0 YY.10 ----------4.42.0 255.255.255.Make sure that these ports are trusting the COS value if packets are already marked.YY.255.YY.10 that the switches do not drop packets marked with "COS 5" in ingress until the respective ingress queue in completely full SW1-SW4 mls qos mls qos srr-queue input threshold 1 40 100 interface range fastethernet 0/19 – 24 mls qos trust cos SW1 interface range fastethernet 0/1 – 5 .255.10 255.0 YY.7 100.YY.42.255 ip route 100.255.interface loopback100 ip address 100.17.Ensure that all switches drop ingress traffic marked with "COS 1" when the respective ingress queue level is between 40 and 100 percent .24.2 MLS QoS ----------Configure your four switches according to the following requirements.17.Make sure that ports SW1-f0/1 to SW1-F0/5 are marking all untagged packets to "COS 1" .YY.7 ip nat inside source static YY.Ensure that all switches are queuing packets marked with "COS 1" in the ingress queue #1 .42.0 255.100.100. .17.4 R4 interface serials0/0/0 ip nat outside interface serial0/0/1 ip nat outside ip nat inside source static YY.100.2 R2 ip route 100.

.The password must be saved in clear in the config and must be seen to "cisco" .mls qos cos 1 mls qos trust cos --------------------------------------------------4. . .Use the strongest authentication type .For traffic coming from BB2 allocate 10000 kbps on R2 g0/0.For traffic coming from BB1 allocate 1000 kbps on R3 s0/0/0.This should not affect any other traffic other than to all possible traffic entering from these links R2 class-map BB2 match input-interface fastethernet0/1 policy-map CBWFQ class BB2 bandwidth 10000 interface g0/0 service-policy output CBWFQ R3 class-map BB1 match input-interface g0/0 policy-map CBWFQ class BB1 bandwidth 1000 interface serial0/0/0 service-policy output CBWFQ --------------------------------------------4.4 Implement Routing Protocol Authentication --------------------------------------------Secure OSPF area 0 according to the following requirement .You are not allowed to use any commands in the router configuration SW1-SW4 .3 QoS – Class Based Weighted Fair Queuing (CBWFQ) --------------------------------------------------The IT administrator requires that you implement QoS.

DNS servers YY. which may lead to resource exhaustion and ensure that maximum 3 different hosts can still connect to that port (Shutdown the port when violation occurred) .Ensure that only R4 services the DHCP requests .YY.Make sure that SW1 Fa 0/14 is enabled and provisioned so that the customer only needs to connect the printer to the port R4 ip dhcp excluded-address y.IP addresses .Protect the DHCP server from DHCP attacks originating from SW1 port Fa0/14.44.51 .55.y.Domain name cisco.y.100 ip dhcp excluded-address service password-encryption interface vlan 123 ip ospf authentication message-digest ip ospf message-digest-key 1 md5 cisco -----------------4.200 SW1 ip dhcp snooping ip dhcp snooping vlan 44 no ip dhcp snooping information option interface fastethernet0/4 ip dhcp snooping trust interface fastethernet0/14 switchport mode access .YY.44.Protect users in VLAN 44 from rogue DHCP servers .The administrator wants that the DHCP deployment is as secured as possible.Disable the insertion and removal of option-82 field . Complete the DHCP configuration on R4 and SW1 according to the following requirements .44.4 .Default gateway is YY.YY.55.50 and .5 Implement DHCP -----------------R4 has been configured to provide the following parameters for DHCP clients on VLAN 44 .

TXT) .In the near future the customer will connect a printer to SW1’s Fa0/14 in VLAN 44 and assign it the static IP address YY.100.7 Web Caching Communication Protocol (WCCP) -------------------------------------------Configure WCCP on R4 according to the following requirement .Ensure that the printer is able to communicate with the users on VLAN 44 and ensure that your solution survives a reload (use the file flash:CCIE.abcd . check with "more flash:CCIE.txt") ip arp inspection vlan 44 (in exec mode) ip dhcp snooping binding abcd.100 interface fastEthernet 0/14 expiry <MAX VALUE> int f0/4 ip arp inspection trust int f0/14 ip verify source -.abcd vlan 44 YY.Enable a feature on the switch to dynamically protect interface Fa 0/14 against spoofed IP packets and ARP request SW1 ip dhcp snooping database flash:CCIE.YY.only source ip // ip verify source port-sec .44.abcd.switchport access vlan 44 switchport port-security switchport port-security maximum 3 switchport port-security violation shutdown ip dhcp snooping limit rate 150 no shutdown -----------------------------4.Any traffic from any client connected to Fa0/0 going out of the 2 serial interfaces must be redirected to the WAAS server on Fa0/1 .TXT (after 300s the binding from below will be written into that file.+ mac -------------------------------------------4.44.There will be a WAAS appliance connected to interface of Fa0/1 .abcd.YY.6 Implement Layer 2 Security -----------------------------Continue securing the DHCP deployment according to the following requirements . The printers MAC address is abcd.

0.y.0 0.0.On R5 implement SNMP to send traps to an NMS system.0.YY.The NMS system is located at YY.Traffic that is being sent from R1 to R2 and from R2 to R1 is not allowed to be redirected.44.Use the community string of CiscoWorks. R5 snmp-server community CiscoWorks RW 1 snmp-server enable traps bgp snmp-server host YY. .Configure R5 to send bgp traps.0 0.Traffic redirected from the clients to the server must use WCCP service 62 .55.y. R4 ip wccp version 2 ip wccp 61 redirect-list CLIENTS_IN ip wccp 62 redirect-list CLIENTS_OUT ip access ext CLIENTS_OUT permit ip y.255 any ip access ext CLIENTS_IN permit ip any y.240 which is the only SNMP manager that should be able to use this community string .240 CiscoWorks bgp .0..255 ip wccp check services all int f0/0 ip wccp 62 redirect in ints0/0/0 ip wccp 61 redirect in ints0/0/1 ip wccp 61 redirect in int f0/1 ip wccp redirect exclude in -------------------------------Section 5 – Optimize the Network -------------------------------5. .Traffic redirected from the server to the clients must use WCCP service 61 .44. .55.1 Implement SNMP .YY.SNMP manager should be able to modify any MIB on R5.

.Make sure that each event generates a syslog message with a priority of 6 that shows the name of the event being activated.Configure another EEM applet “ DISABLE_OSPF_DEBUG” when OSPF neighbor ship comes up with R5.y.*%OSPF-5-ADJCHG: Process y.u. .2 Embedded Event Manager -------------------------Configure 2 eem scripts one for enabling ospf debug if the ospf neighborship of R3 goes down. Nbr y.*%OSPF-5-ADJCHG: Process y. Nbr y.*" action 1.240 -------------------------5.5 on Serial0/0/0 from FULL to DOWN.These logs should be seen both in the console and in the log buffer.0 cli command "debug ip ospf adj" action 4. event manager applet ENABLE_OSPF_DEBUG event syslog pattern ".5.0 cli command "undebug all" action 3.It should enable the “debug ip ospf event” and “debug ip ospf adj” .YY. .*" action 1.0 cli command "enable" action 2. It should disable all the debug messages.55.0 cli command "debug ip ospf event" action 3.5 on Serial0/0/0 from LOADING to FULL.access-list 1 permit YY.0 cli command "enable" action 2. .Configure R3 with event manger applet “ENABLE_OSPF_DEBUG” when the ospf adjacency goes down to R5 .You MUST be able to have these events run on R3 when R5 bounces its interface.0 syslog priority informational msg " logging on logging console debugging logging buffered debugging .0 syslog priority informational msg "ENABLE_OSPF_DEBUG" event manager applet DISABLE_OSPF_DEBUG event syslog pattern ".5. .