
Practice Lab 1

The CCIE exam commences with 2 hours of troubleshooting followed by 5 1/2 hours of
configuration and a final 30 minutes of additional questions. This lab consists of 100 points and
has been timed to last for 8 hours of configuration and self-troubleshooting, so aim to complete
the lab within this period. Then either score yourself at this point or continue until you believe
you have met all the objectives. You will now be guided through the equipment requirements and
pre-lab tasks in preparation for taking this practice lab.
If you do not own six routers and four switches, consider using the equipment available and
additional lab exercises and training facilities available within the CCIE R&S 360 program. You
can find detailed information on the 360 program and CCIE R&S exam on the following URLs,
respectively:
https://learningnetwork.cisco.com/community/learning_center/cisco_360/360-rs
https://learningnetwork.cisco.com/community/certifications/ccie_routing_switching

Equipment List
You need the following hardware and software components to begin this practice lab:
Six routers loaded with Cisco IOS Software Release 15.3T Advanced Enterprise image
and the minimum interface configuration, as documented in Table 1-1
Four 3560X switches with IOS 15.0S IP Services

Setting Up the Lab 1
You can use any combination of routers as long as you fulfill the requirements within the
topology diagram, as shown in Figure 1-1. However, you should use the same model of routers
because this can make life easier if you load configurations directly from those supplied with
your own devices. If your router interface speeds do not match those used in this lab, consider
reconfiguring the bandwidth statement accordingly to provide symmetry with the routing
protocol metrics.

Figure 1-1 Lab Topology

Note
The CCIE Assessor topology version B is used for this lab. Additional
interfaces available on the Assessor that are not required for this lab were
omitted from Figure 1-1. If you are not using the CCIE Assessor, use Figure
1-1 and Figure 1-4 to determine how many interfaces you need to complete
your own topology.

Note
Notice in the initial configurations supplied that some interfaces will not have
an IP address preconfigured. This is because you either will not be using that
interface or you need to configure this interface from default within the
exercise. The initial configurations supplied should be used to preconfigure
your routers and switch before the lab starts.
If your routers have different interface speeds than those used within this
book, adjust the bandwidth statements on the relevant interfaces to keep all
interface speeds in line. This can ensure that you do not get unwanted
behavior due to differing IGP metrics.

Lab Topology
This practice lab uses the topology outlined in Figure 1-1, which you must re-create with your
own equipment or by simply using the CCIE Assessor.

Switch Instructions
Configure VLAN assignments from the configurations supplied or from Table 1-2, with the
exception of Switch2 Fa0/4 (which will be configured during the lab).

Table 1-2 VLAN Assignment
Note
Switch 2 will be configured during the actual lab questions for VLAN 45 and
46 interface Fa0/4.
Connect your switches with RJ-45 Ethernet cross-over cables, as shown in Figure 1-2.

Figure 1-2 Switch Cabling

Serial Link
A preconfigured PPP back-to-back serial link exists between R2 and R5, and R2 has been
configured to provide the clocking for the connection in the initial configuration files. Therefore,
R2 should have the DCE serial cable and R5 the DTE serial cable for the back-to-back
connectivity.

IP Address Instructions
In the real CCIE lab, the majority of your IP addresses will be preconfigured. For this exercise,
however, you are required to configure your IP addresses, as shown in Figure 1-3, or load the
initial router configurations supplied. If you are manually configuring your equipment, ensure
that you include the following loopback addresses:
R1 Lo0 120.100.1.1/24
R2 Lo0 120.100.2.1/24
R3 Lo0 120.100.3.1/24
R4 Lo0 120.100.4.1/24
R5 Lo0 120.100.5.1/24
R6 Lo0 120.100.6.1/24
SW1 Lo0 120.100.7.1/24
SW2 Lo0 120.100.8.1/24
SW3 Lo0 120.100.9.1/24
SW4 Lo0 120.100.10.1/24

Figure 1-3 IP Addressing Diagram

Pre-Lab Tasks
Build the lab topology as per Figure 1-1 and Figure 1-2.
Configure the IP addresses on each router, as shown in Figure 1-3, and add the loopback addresses.
Alternatively, you can load the initial configuration files supplied if your router is compatible with
those used to create this exercise.
R1 requires a secondary IP address on its Gigabit Ethernet 0/1 interface for this lab; you can find
details on the accompanying initial configuration for R1.

General Guidelines
Read the whole lab before you start.

Do not configure any static/default routes unless otherwise specified.
Ensure full IP visibility between routers for ping testing/Telnet access to your devices (except for
the switch loopback addresses, which will not be visible to the majority of your network because
of the configuration tasks).
If you find yourself running out of time, choose questions that you are confident you can answer;
failing this, choose questions with a higher point rating to maximize your potential score.
Get into a comfortable and quiet environment where you can focus for the next 8 hours.
Take a 30-minute break midway through the exercise.
Have available a Cisco documentation CD-ROM or access online the latest documentation from
http://www.cisco.com/cisco/web/psa/configure.html. Note that access to this URL is likely to be
restricted within the real exam.

Note
Access only this URL, not the whole Cisco.com website (because if you are permitted to use
documentation during your CCIE lab exam, it will be restricted). To save time during your lab
exam, consider opening several windows with the pages you are likely to look at.

Practice Lab One
You will now answer questions in relation to the network topology, as shown in Figure 1-4.

1w mode. Switches 3 and 4 should operate in their default spanning-tree mode. Ensure that only dot1q and EtherChannel are supported. should they toggle excessively. (2 points) Switch 1 and 2 should run spanning tree in 802. if they remain stable for 35 seconds. (2 points) Ensure that user interfaces. by configuring only Switches 1 and 2.Figure 1-4 Network Topology for Practice Lab One Section 1: LAN Switching (25 Points) Configure your switches as a collapsed backbone network with Switches 1 and 2 performing core and distribution functionality and Switches 3 and 4 as access switches in your topology. (3 points) Ensure that traffic is distributed on individual Ethernet trunks between switches based on the destination MAC address of individual flows. are shut down dynamically by all switches. (2 points) Make sure that you fully use the available bandwidth between switches by grouping together your interswitch links as trunks. Switches 3 and 4 should connect only to the core switches. (2 points) Configure Switch 1 to be the root bridge and Switch 2 the secondary root bridge for VLANs 1 and 300. they should be reenabled. Configure . Ensure that Switches 3 and 4 can never become root bridges for any VLANs for which Switch 1 and Switch 2 are root bridges.

The loopback interfaces of Routers R1. (4 points) . If this network should fail either at Layer 1 or Layer 2. and R3 should be configured to be in Area 0.4/24 to communicate with R5.1/24 to the OSPF network. ensuring that while the Area 5 serial link is operational there is no neighbor relationship between R4 and R5. (2 points) No loopback networks should be advertised as host routes. all OSPF configuration where possible should not be configured under the process ID. Configure R4 with an IP address of 120. however.1: OSPF Refer to Figure 1-5. this is the only port on the network from which DHCP addresses should be allocated. (2 points) R5 should use the serial link within Area 5 for its primary communication to the OSPF network. Configure these ports as access ports for VLAN 300. To confirm the operational status of the serial network. Configure R4 and its associated switch port accordingly without using secondary addressing to communicate with R5 and R6. Use a process ID of 1. the Ethernet interfaces of R4 and R5 must remain up. Do not use any filtering techniques to achieve this.100. (6 points) For additional security. (3 points) R5 and R6 have been preconfigured with IP addresses on their Ethernet interfaces. R2. R5 should form a neighbor relationship with R4 under Area 5 to maintain connectivity. Configure R4 Gi0/1 and Switch 2 FE0/4 only. ensure that the serial interface of R5 is reachable by configuration of R5.4/24 to communicate with R6.Fast Ethernet Port 0/10 on each switch so that if multicast traffic is received on this port the port is automatically disabled. For security purposes. Ensure that the switches intercept the DHCP requests and add the ingress port and VLAN and switch MAC address before sending onward to the DHCP server. (1 point) Ensure that R1 does not advertise the preconfigured secondary address under interface Gigabit 0/1 of 120. R4 should be in Area 34 and R5 in Area 5. You are permitted to define neighbor statements between R5 and R4. 
which should begin forwarding traffic immediately upon connection. Use a dynamic feature to ensure that the only information forwarded upon connection is DHCP request packets.100.45. for additional security.100. and configure R4 with an IP address of 120.100. and then. Limit DHCP requests to 600 packets per minute per user port. Your solution should be dynamic. (2 points) Fast Ethernet Ports 0/11–17 will be used for future connectivity on each switch. any traffic that matches the DHCP IP information received from the DHCP binding. ensure that the user ports on Switches 1–4 and 11–17 can communicate only with the network with IP addresses gained from the DHCP feature configured previously. (3 points) Section 2: IPv4 IGP Protocols (24 Points) Section 2.46. Devices connected to these ports will dynamically receive IP addresses from a DHCP server due to be connected to Port 0/18 on SW1.

Ensure that R4 sends traffic to this destination network to R5 instead of load sharing. and perform configuration only on R4. (2 points) Ensure that R4 does not install any of the EIGRP loopback routes from any of the switches into its routing table. Perform your configuration on R4 only. (4 points) R4 will have dual equal-cost routes to VLAN 300 (network 150. or admin distance manipulation to achieve this. alter the bandwidth or delay statements on R4’s interfaces. You cannot policy route. If the route from R5 becomes unavailable.Figure 1-5 OSPF Topology Section 2.3. traffic should be sent to R6.100. Your solution should be applied to all routes . prefix lists. these routes should also not be present in the OSPF network post redistribution. Configure EIGRP with an instance name of CCIE where possible using an autonomous system number of 1.2: EIGRP Refer to Figure 1-6. or use an offset list. The loopback interfaces of all routers and switches should be advertised within EIGRP.0) from R5 and R6. Do not use any route-filtering ACLs.

and R5-R2. (2 points) . R4-R5.received from R5 and R6. EIGRP routes redistributed within the OSPF network should remain with a fixed cost of 5000 throughout the network. Configure iBGP peering as follows: R1-R3. R4-R6. SW1-R6. Use minimal configuration and use loopback interfaces for your peering with the exception of R4 to R5. Configure eBGP peering as follows: R3-R4. (2 points) Section 3: BGP (14 Points) Refer to Figure 1-7. (2 points) Use the autonomous system numbers supplied in Figure 1-7. (3 points) Configure R4 to redistribute only up to five EIGRP routes and generate a system warning when the fourth route is redistributed.3: Redistribution Perform mutual redistribution of IGPs on R4. Use minimal configuration and use loopback interfaces for your peering. Do not use any access lists in your solution. R2-R3. All routes should be accessible except for the switch loopback networks (because these should not be visible via R4 from an earlier question). and SW1-R5. as opposed to solely the route to network VLAN 300. R6-R5. (4 points) Figure 1-6 EIGRP Topology Section 2.

1/24. respectively. Use only a single ACL on R3 as part of your solution.0/24 is no longer visible to AS300.100.0.200. (3 points) Configure HSRP between R5 and R6 on VLAN300 with R5 active for . If the network 130. R6 should dynamically become the HSRP active. therefore. R3 should be configured to enable only BGP routes originated from R1 up to network 128.0. and advertise this into BGP using the network command. Configure R5 to achieve this solution. and advertise these into BGP using the network command.0 and from above network 128.1/24.100. Configure IPv6 addresses on your network as follows: 2007:C15:C0:10::1/64 – R1 Gi0/1 . (2 points) Configure a new loopback interface 2 on R2 of 130. if the serial network between R5 and R2 fails.1.1.1. ensure that the peering between R2 and R5 is not maintained via the Ethernet network. (4 points) Configure two new loopback interfaces on R1 and R2 of 126. (3 points) Section 4: IPv6 (15 Points) Refer to Figure 1-8. Configure R2 in such a way that if the serial link between R2 and R5 fails.0.1/24 and 130.0.1. Do not use any route filtering between neighbors to achieve this.1/24.Figure 1-7 BGP Topology AS200 is to be used as a backup transit network for traffic between AS10 and AS300.0 originated from R2. AS300 no longer receives this route. Do not use any ACL type restrictions or change the existing peering.200.

(4 points) . R1 must not form any neighbor relationship with R2 on VLAN 132 (without the use of any ACL. or multicast blocking feature). static neighbor relationship.R2 FE0/1 2007:C15:C0:14::2/64 – R2 S0/1 2007:C15:C0:14::5/64 – R5 S0/0/1 2007:C15:C0:15::3/64 – R3 Gi0/0 2007:C15:C0:15::4/64 – R4 Gi0/0 2007:C15:C0:16::5/64 – R5 Gi0/1 2007:C15:C0:16::6/64 – R6 Gi0/1 Figure 1-8 IPv6 Topology Section 4. R1 must dynamically learn a default route over EIGRPv6 via R3 on VLAN 132 by which to communicate with the IPv6 network.1: EIGRPv6 Configure EIGRPv6 under the instance of CCIE with a primary autonomous system of 1.2007:C15:C0:11::1/64 – R1 Gi0/0 2007:C15:C0:11::2/64 – R2 FE0/0 2007:C15:C0:11::3/64 – R3 Gi0/1 2007:C15:C0:12::2/64 .

Section 4. EIGRPv6 routes should have a fixed cost of 5000 associated with them within the OSPF network. All ports should trust the DSCP values received from their connecting devices. which should be considered as an alternative path only if a failure occurs. (1 point) Ensure that the OSPF3 network is reachable from the EIGRPv6 network by a single route of 2007::/16. 34. (2 points) Configure Cisco Modular QoS as follows on R2 for the following traffic types based on their associated per-hop behavior into classes. with all OSPF interfaces assigned to Area 0. The OSPF domain should continue to receive specific EIGRPv6 subnets. A DSCP value received locally on SW1 of AF43 should be mapped to AF42 when destined for the new domain. Switch 1 will be connected to a new trusted domain in the future using interface Gigabit 0/1. which should be seen within the EIGRPv6 domain. Packets received from the user ports with DSCP values of 48. 16.3: Redistribution Redistribute EIGRPv6 routes into the OSPFv3 demand (one way). and 10 should be re-marked to DSCP 8 (PHB CS1) in the event of traffic flowing above 5 Mbps on a per-port basis.2: OSPFv3 Configure OSPFv3 with a process ID of 1. (3 points) Ensure that the summary route configured previously is not seen back on the routing table of R5. Do not enable EIGRPv6 on the VLAN 45 interfaces of R4 and R5. routing is still possible between R5 and R4 over VLAN 45. Configure R4 and R5 to achieve this. reduce the number of LSAs flooded within the OSPF domain. Incorporate these into an overall policy that should be applied to the T1 interface S0/1. (2 points) The IPv6 network is deemed to be stable. (2 points) Section 4. Create a Modular QoS configuration for all user ports (Fast Ethernet 1–24) that facilitates the following requirements (3 points): 1. entered as a percentage. (2 points) Ensure that if the serial link fails between the OSPF and EIGRPv6 domain. 2. 24. 
This traffic could be a combination of any of the preceding DSCP values with any source/destination combination. Ensure a minimum burst value is configured above the 5 Mbps. configure only R5 to achieve this. 28. 32. 46. Configure R5 only to achieve this. Allow each class the effective bandwidth as detailed. (2 points) . therefore. (1 point) Section 5: QoS (8 Points) You are required to configure QoS on Switch 1 according to the Cisco QoS baseline model.

You cannot use any ACLs to block traffic to this host specifically. (1 point) Section 7: Multicast (4 Points) Configure routers R1.0 /24 on routers within AS10. Configure PIM spare mode on all required interfaces. R3. traffic destined for this host is directed to null0 of each local router. but you can use a static route pointing to null0 for traffic destined to 192. Prevent unnecessary replies when traffic is passed to the null0 interface for users residing on VLAN 100. R2. ensure that only within BGP AS10. (1 point) Section 6: Security (6 Points) Configure R3 to identify and discard the following custom virus. R3 should also advertise the IP address you are . configure CoPP so that IP packets with a TTL of 0 or 1 are dropped rather than processed.2. (2 points) An infected host is on VLAN 200 of 150. The ID of the virus begins on the third character of the payload.Configure R2 so that traffic can be monitored on the serial network with a view to a dynamic policy being generated in the future that trusts the DSCP value of traffic identified on this media. Use a BGP feature on R2 to ensure that traffic to this source is blocked. with a resulting ICMP redirect sent to the originator. configure R3 to send multicast advertisements of its own time by use of NTP sourced from interface Gig 0/0.100. R2 can have an additional static route pointing to null0. (3 points) To protect the control plane on router R6. The virus originated on VLAN 34. and R4 for IPv4 Multicast. the virus is characterized by the ASCII characters Hastings_Beer within the payload and uses UDP Ports 11664 to 11666.100.2. R3 should also be used to advertise its own gigabit interface IP address as an RP.0.

2 (to security@lab-exam.net from eem@lab-exam. and R4 should all show a clock synchronized to that of R3. Do you want me to configure the collapsed backbone network by manipulating spanning tree to ensure that Switch 1 and Switch 2 are the cores for each VLAN in use? A.1 Configure a policy on router R1 so that if a user tries to remove AAA services or disable logging via the CLI that a syslog message of UNAUTHORIZED-COMMANDENTERED is generated. (4 points) IP Services (4 Points) Configure the following commands on router R1: aaa new-model logging buffered logging 120.net subject “User-Issue” with the message body consisting of details of who was logged on the time either of the commands were entered). Switches 3 and 4 could become root bridges.using for the NTP advertisements that will be 224. The policy and CLI should run asynchronously.1. Section 1: LAN Switching Q. Routers R1.1. it won’t.0. Do you want me to disable spanning tree down to Switches 3 and 4? Is this acceptable? . the proctor will not enter into any discussions about the questions or answers. surely this will never enable Switches 3 and 4 to become root bridges. You are requested to configure root bridges in a later question. R2. If I explicitly configure Switches 1 and 2 as root bridges.100. Q. All the switches are already connected. Yes. If a superior BPDU is received on ports connecting to Switches 3 and 4 from Switches 1 and 2. Q.100.99. Do not use the command ntp server in any configurations. Is this acceptable? A. He or she will be present to ensure that you do not have problems with the lab environment and to maintain the timing element of the exam. Q. (4 points) “Ask the Proctor” Note This section should be used only if you require clues to complete the questions. The policy should also generate an email from the router to a mail server residing on IP address 120. 
The policy should ensure that neither command is executed and should consist of a single-line command for the CLI pattern detection. No. A. In the actual CCIE lab.99. use a feature that effectively ignores a superior BPDU if received. so I can’t change this unless I shut down some of the connections between switches.

Yes. Is there anything else I need to do? A. Take a look at the commands available to you under the interfaces. My secondary address is advertised automatically under OSPF. similarly. No. Can I configure the switchport block multicast command? A. Q. this wouldn’t disable the port if multicast traffic was present on it.1: OSPF Q. Q. the question directs you how to use the trunks. There have been recent advances in OSPF enabling you to configure it purely under specific areas of the router. Can I manipulate a helper-address function to answer the DHCP question by using ACLs? A. Q. Can I change these? A. you might want to check that Switch 2 has the required VLANs configured to enable propagation within your switched network. Q. No. I’ve configured my trunk on Switch 2 to R4 and I can’t ping between R4 and R5. use an alternative method of bringing the interface parameters back into line. use a recognized DHCP security-related solution. Surely this is the only place I can configure the parameters. No. No. Q. No. I notice I have different OSPF network types preconfigured. A. Would you like me configure Switch 1 to allocate DHCP addresses? A. Section 2: IPv4 IGP Protocols Section 2. look for a dynamic solution that does not require an ACL. Q. Q. spanning tree must remain in operation. Remember that the switches are in VTP transparent mode. Q. No. Can I use a distribute list or prefix type list to block it? . I can’t ping between R4 and R6. Can I configure port security to bind my MAC addresses? A. use a feature that complements your DHCP solution.A. Q. I am used to configuring OSPF under the process. the question relates to a fictitious DHCP server that would be connected to Fa0/18 on Switch 1. Would you like me to VLAN load balance to utilize bandwidth? A. No. Can I just configure R4 to trunk to Switch 2 and have a subinterface in both VLAN 45 and VLAN 46? A. this would block the traffic but wouldn’t disable the port. No. rather like with IPv6. 
My neighbor relationship is down over the serial network. Can I configure a MAC address type access list to block all multicast at Layer 2? A. Q.

this is fine and in accordance with the question. Q. Can I use BFD between R4 and R5? A. No. This feature would also ensure that the Ethernet network would be down until the backup interface is activated. If I advertise my loopbacks into EIGRP. How about an OSPF demand circuit between R4 and R5? A. Is this normal? A. No. This is fine.A. can I just ping it? A. Q. Yes. If I use IP SLA to automatically ping R5 to check the status. Not if you have configured correctly. Is this okay? A. this is fine and in accordance with the question. Q. You can use ICMP. can I stop advertising them from the switches? . To confirm the operation status of R5’s serial interface. Q. Take a look at your topology and areas. I have IP SLA running. Backup interfaces would be fine for a Layer 1 failure but not for a Layer 2 type issue if you had problems with PPP that caused neighbor failures over the serial network. this might aid in failure detection. Q.2: EIGRP Q. Q. Section 2. I can’t configure my switches with an EIGRP instance name. Is this anything to do with tracking the response to the ping? A. You need to allow the neighbor relationship to be formed only if a failure condition occurs. Okay. Q. the question states that your solution should cater for either Layer 1 or Layer 2 failures and that the Ethernet should remain up. Yes. but you need to ensure that your solution is dynamic. Something might have changed when R5 connects over the Ethernet. Yes. use an OSPF feature to disable the advertisement of this secondary address. I’ve worked out how to do this and managed to get a neighbor up when the serial network fails. Yes. is this okay? A. No. Q. but I’m stuck. I’ve attempted to form a neighbor relationship with R4 from R5 using a backup interface. but my OSPF connectivity is still not perfect through the Ethernet. How about if I use policy routing with the next hop based on the tracking status? A. Q. this would involve a neighbor relationship being maintained. 
Is the legacy method with just an autonomous system acceptable for the switches? A. To stop R4 from receiving the switch loopbacks. but it does not meet the objectives of the question. Q. won’t that mean that R4 and R5 will have their loopbacks advertised by both OSPF and EIGRP? A. just remember that this traffic will be based locally on the router when applying any policies. No.

You must ensure that your peering still works effectively between R3 and R4 when you have configured this feature. Yes. Is this acceptable? A. No. Yes. Yes. Q. I’ve noticed when I look at the specific loopback routes that they have a hop count associated with them. this would be superfluous. There is a specific security configuration feature within BGP to perform the TTL check. my neighbor relationship is still maintained between R2 and R5. the question doesn’t guide you to redistribute specific routes. Section 3: BGP Q. in this scenario. No.3: Redistribution Q. Can I block my loopbacks or policy route at some point to effectively break the peering? . Can I use a route map to enable five specific EIGRP routes to be redistributed into OSPF? A. Q. is this all you are looking for? A. If I use the TTL security hops with a value of 2. I have only one redistribution point.A. Use a more general method of allowing a specific number of routes. Q. but can I block routes based on their hop count? A. you should use a feature on R4 to block them. Can I use a neighbor prefix list to block the loopbacks? A. No. It’s unusual to associate hop counts with EIGRP. Q. Section 2. I find that when the serial network fails. so additional blocking would not be required. Is it okay to disable autosynchronization in BGP? A. you should have blocked these from entering your IP routing table within R4 previously. Q. Do you require a distribute list to block the switch loopbacks from entering the OSPF domain? A. Q. can I use a route map to manipulate the EIGRP K values associated on a per-neighbor basis? A. Do you want me to configure eBGP multihop but limit it to a value of 2 on R3 for a TTL security check? A. If I can’t change the bandwidth and delay on R4. and there is no benefit in creating filtering to protect against potential routing loops between protocols. Q. This is because the loopback routes are still available over the alternative path through the network. No. 
You need to determine whether you need this feature on or off. you cannot use any type of ACLs or prefix lists. Remember that you should have synchronization on only when you are fully redistributing between BGP and your IGP. Q.

Can I use a prefix list to achieve this? A. You would need to match only one requirement on the permit functionality. Q. Correct. but if I enable this to R2. if these were required. If I reduce this to a TTL of 2. I can break the peering. If I enable IP SLA to track a route in the routing table. the other could be met by deny. Q. No. Q. Is this okay? A. Q. you still have two ACLs. Q. Yes. Not necessarily. is this some form of conditional advertising? A. it wouldn’t make it to R5 even when the serial network is working? A. No. you are instructed to use an ACL. Q. You do need to effectively break the peering. Q. Think about what you need to configure when you have EBGP peers. So. Q. Section 4: IPv6 Q. I need an ACL with a mask suitable for both ranges? A. the clue is in the question. your solution would require additional configuration. I have configured my two new loopbacks. Just think about whether R2 is the best place to send the community to originally. Can I set community values on the routes and match on these using a single ACL? A. No. For the HSRP question. Should I use the eui-64 address format when configuring my addresses? A. it wouldn’t be advertised to R5 AS300 from R2. Yes. you are instructed to use an ACL. Q. Yes. No.A. Can I use two route maps inbound from R1 and R2 both pointing to different ACLs so that each route map calls only one ACL? A. No. Yes. the question would have instructed you to use them. . can I use this to control HSRP? A. Can I form an EIGRPv6 neighbor relationship between R1 and R3 and also R3 and R2? A. I think I can stop the loopback on R2 being advertised by using the community value of no-export. but there is a much simpler method of achieving this that still maintains unaltered communication between R2 and R5. Is it okay to use the first address in the subnet? A. I might have been a little generous with my original multihop value between R2 and R5. You haven’t told me what address I should use for HSRP. 
just find a way of tracking the BGP route and manipulate the HSRP process. Q.

static routes are permitted unless specified. Can I redistribute a static IPv6 route on R5 into RIPng for 2007::/16? A. Shall I rate limit my ports to 5M on a per-port basis? . What would you do if this were IPv4? Q. No. You are not requesting mutual redistribution between EIGRPv6 and OSPFv3. No.3: Redistribution Q. Can I use a prefix list to block the summary and permit all other IPv6 routes? A. can I enable OSPFv3? A. find a way to still run EIGRPv6 between routers without enabling it on the physical interfaces. Can I just trust DSCP on my physical ports? A. this network should be advertised to the OPSFv3 domain. Q. Can I tunnel between R4 and R5? A. Q. No. Can I perform some kind of backup interface to make this come up only if a failure occurs on the serial link? A. Think why the Ethernet path is preferred and manipulate it. and noticed that in my OSPFv3 domain I do not see the IPv6 network configured on the serial network between R2 and R5. Yes. Is this okay? A. Yes. Is this okay? A. can I configure OSPFv3 on VLAN 45? A. How about tunneling again and enabling EIGRPv6 over the tunnel. How will my EIGRPv6 domain communicate with the OSPFv3 domain? A. Section 4. this would also require you to perform redistribution at this point? Q. I have redistributed EIGRPv6 into OPSFv3 on R5. This issue is addressed in the following task. No. Q. this is fine. Q. If I can’t enable EIGRPv6 on VLAN 45 between R4 and R5. No. Section 5: QoS Q. Q. No. Yes. you haven’t been given sufficient information to make this judgment. This approach would also break your IPv4 network. Use a feature within the OPSFv3 process as you would to overcome this if this were IPv4 redistribution. Q. Q.Q. this should be completed as part of your policy. I have created my tunnel and found that this is now the primary route rather than an alternative path. If I can’t use EIGRPv6 directly on VLAN 45 between R4 and R5. Can I use different autonomous systems and then redistribute at R3? A. 
which is the only suitable location. Yes.

No. Q. Is this correct? A.0/24 won’t have any bearing on traffic destined to the infected host. If you have lost your routes. you transport next-hop information with your updates. However. I have configured CoPP on R6 and seem to have lost all my routes.A. Section 8: IP Services Q. You haven’t indicated what the minimum burst size should be.0. Can I use a route map and ACLs to identify the traffic by port number? A. Q. just use the available limits within the command options. provide a fix. you don’t need to specifically peer with R3 as the server. Q. Why is this relevant? A. Yes.1. Yes. Is this correct? A. Section 7: Multicast Q. Q. and R4. Investigate the options open to you with NBAR. R2. Think about the way BGP works. I am trying to assign bandwidth within my class with the speeds supplied. but the command won’t take the values AF43 and AF42. you must do some math. you must use a BGP-related feature. A. A static route for 192. I believe I can use a DSCP mutation map to convert the DSCP values for the future.2. Search your documentation CD or available Cisco. Yes.1 on R3? A. No. is this correct? A. No. Q.0. You are supplied with the information you require and just need to remember how fast a T1 line is. otherwise. therefore. Section 6: Security Q. but I can see only a percentage option. it won’t because these are Assured Forwarding values. It’s the only routing protocol where you don’t need to be directly connected to form a neighbor relationship. If I can’t configure ntp server on R1. No. I guess this is an EEM question? . Yes. you should aim to receive the NTP stream that R3 should be configured to multicast. this would identify the UDLD traffic but not the virus payload as per the question. Q. this should be completed as part of your policy. you would lose points in other sections. Yes. Q. Based on the email address. there won’t be a way I can get these routers to peer with R3.com pages. think about why this has happened. Is this expected behavior? 
Do you want me to fix this as part of the CoPP question? A. Can I policy route traffic destined to the infected host to null0? A. You need to convert these to DSCP values. Do you want me to create and announce the group 224.

A. Correct.

Q. I can’t get both commands onto a single CLI pattern event. Is it okay to configure two?
A. No, you are directed to configure a single CLI pattern event command that will pick up either command.

Q. Do you need me to set up a route to 120.100.99.0/24?
A. No.

Lab Debrief

This section analyzes each question, showing you what was required and how to achieve the desired results. You should use this section to produce an overall score for this practice lab.

Section 1: LAN Switching (25 Points)

Configure your switches as a collapsed backbone network with Switches 1 and 2 performing core and distribution functionality and Switches 3 and 4 as access switches in your topology. Switches 3 and 4 should connect to only the core switches. (2 points)

This is a simple start to the exercise. The switches are fully meshed to begin with. To create a collapsed backbone topology, the core switches should be connected together, and each access switch should be dual-homed to the core switches. The only switches that should not connect directly to each other are the access switches (SW3 and SW4). By shutting down the interfaces between SW3 and SW4, you create the required topology, as shown in Example 1-1. If you have configured this correctly, you have scored 2 points.

Example 1-1 SW3 and SW4 Configuration

SW3(config)# interface range fastethernet 0/23-24
SW3(config-if-range)# shut
SW4(config)# interface range fastethernet 0/23-24
SW4(config-if-range)# shut

Switch 1 and 2 should run spanning tree in 802.1w mode. Switches 3 and 4 should operate in their default spanning-tree mode. (2 points)

802.1w is Rapid Spanning Tree, which is backward compatible with the switches’ default (PVST). So, if you configure Switches 1 and 2 into Rapid Spanning Tree mode, spanning tree can still operate effectively with Switches 3 and 4. Even though the resulting topology is not looped at this stage, you can verify root bridge assignment by using the show spanning-tree root command. If you have configured this correctly, as shown in Example 1-2, you have earned another 2 points.

Example 1-2 SW1 and SW2 Configuration

SW1(config)# spanning-tree mode rapid-pvst
SW2(config)# spanning-tree mode rapid-pvst

Configure Switch 1 to be the root bridge and Switch 2 the secondary root bridge for VLANs 1 and 300. Ensure that Switches 3 and 4 can never become root bridges for any VLANs for which Switch 1 and Switch 2 are root bridges by configuring only Switches 1 and 2. (2 points)

This is a straightforward question for the core switches. Alongside the root bridge prioritization, root guard is configured on the ports that connect Switches 1 and 2 to Switches 3 and 4. This ensures that if a superior BPDU is received on these ports, it is ignored. If you have configured this correctly, as shown in Example 1-3, you have 2 points.

Example 1-3 SW1 and SW2 Root Bridge Configuration

SW1(config)# spanning-tree vlan 1 root primary
SW1(config)# spanning-tree vlan 300 root primary
SW1(config-if)# interface fastethernet 0/19
SW1(config-if)# spanning-tree guard root
SW1(config-if)# interface fastethernet 0/20
SW1(config-if)# spanning-tree guard root
SW1(config-if)# interface fastethernet 0/21
SW1(config-if)# spanning-tree guard root
SW1(config-if)# interface fastethernet 0/22
SW1(config-if)# spanning-tree guard root
SW2(config)# spanning-tree vlan 1 root secondary
SW2(config)# spanning-tree vlan 300 root secondary
SW2(config-if)# interface fastethernet 0/19
SW2(config-if)# spanning-tree guard root
SW2(config-if)# interface fastethernet 0/20
SW2(config-if)# spanning-tree guard root
SW2(config-if)# interface fastethernet 0/21
SW2(config-if)# spanning-tree guard root
SW2(config-if)# interface fastethernet 0/22
SW2(config-if)# spanning-tree guard root
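The election that root guard protects can be modelled in a few lines. The following Python sketch is an added example, not part of the original lab: it compares bridge IDs across the four-switch collapsed backbone and shows the outcome when SW3 advertises a better priority, with and without root guard on the core downlinks. The MAC addresses and the priority of 4096 are constructed values; 24576 and 28672 are the priorities that root primary and root secondary set when the other switches are at the default 32768.

```python
"""Model of the STP root election in this lab, with and without root guard.

Added illustration, not the lab's own material. MAC addresses and the rogue
priority of 4096 are constructed sample values.
"""
from dataclasses import dataclass, field

DEFAULT_PRIORITY = 32768
ROOT_PRIMARY = 24576    # set by "root primary" when other bridges are at the default
ROOT_SECONDARY = 28672  # set by "root secondary"

# Collapsed backbone after Example 1-1: the SW3-SW4 links are shut down.
LINKS = [("SW1", "SW2"), ("SW1", "SW3"), ("SW1", "SW4"),
         ("SW2", "SW3"), ("SW2", "SW4")]


@dataclass
class Switch:
    name: str
    mac: str
    priority: int = DEFAULT_PRIORITY
    # Neighbours reached through ports carrying "spanning-tree guard root".
    guarded_neighbors: set = field(default_factory=set)

    def bridge_id(self, vlan):
        # Extended system ID: priority + VLAN number, then MAC as tie-breaker.
        return (self.priority + vlan, self.mac)


def elect(switches, links, vlan):
    """Flood root information until nothing changes.

    Returns (root each switch believes in, set of root-inconsistent ports
    written as (switch, neighbour)).
    """
    owner = {s.bridge_id(vlan): s.name for s in switches.values()}
    belief = {name: s.bridge_id(vlan) for name, s in switches.items()}
    inconsistent = set()
    changed = True
    while changed:
        changed = False
        for a, b in links:
            for sender, receiver in ((a, b), (b, a)):
                if (receiver, sender) in inconsistent:
                    continue  # port is blocking, its BPDUs are not accepted
                if belief[sender] < belief[receiver]:  # superior BPDU
                    if sender in switches[receiver].guarded_neighbors:
                        # Root guard: block the port instead of accepting
                        # the new root.
                        inconsistent.add((receiver, sender))
                    else:
                        belief[receiver] = belief[sender]
                    changed = True
    return {n: owner[b] for n, b in belief.items()}, inconsistent


def lab(sw3_priority=DEFAULT_PRIORITY, root_guard=True, vlan=300):
    """Build the lab topology; SW1/SW2 guard their ports toward SW3/SW4."""
    guard = {"SW3", "SW4"} if root_guard else set()
    switches = {
        "SW1": Switch("SW1", "00:00:00:00:00:01", ROOT_PRIMARY, set(guard)),
        "SW2": Switch("SW2", "00:00:00:00:00:02", ROOT_SECONDARY, set(guard)),
        "SW3": Switch("SW3", "00:00:00:00:00:03", sw3_priority),
        "SW4": Switch("SW4", "00:00:00:00:00:04"),
    }
    return elect(switches, LINKS, vlan)


if __name__ == "__main__":
    scenarios = [
        ("lab configuration", {}),
        ("SW3 priority 4096, no root guard",
         {"sw3_priority": 4096, "root_guard": False}),
        ("SW3 priority 4096, root guard on core", {"sw3_priority": 4096}),
    ]
    for label, kwargs in scenarios:
        roots, ports = lab(**kwargs)
        print(f"{label}: roots={roots} root-inconsistent={sorted(ports)}")
```

In the guarded case the core switches keep SW1 as root and the two downlinks toward SW3 are the ports to look for in a root-inconsistent state.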

Make sure that you fully use the available bandwidth between switches by grouping your interswitch links as trunks. Ensure that only dot1q and EtherChannel are supported. (3 points)

This is another straightforward question for all switches to create EtherChannels between devices. Using the command channel-group n mode on under the physical interfaces ensures that only EtherChannel is supported, as opposed to Port Aggregation Protocol (PAgP) or Link Aggregation Control Protocol (LACP), and dot1q is the trunking protocol. For Layer 2 EtherChannels, you do not have to create a port-channel interface first by using the interface port-channel configuration command before assigning a physical port to a channel group. You can use the channel-group interface configuration command that automatically creates the port-channel interface, although a manual port channel configuration has been shown here for clarity. Remember that now that you have EtherChannels between switches, you will need to configure root guard on these interfaces to ensure that Switches 3 and 4 cannot become root bridges. This is over and above the physical interface configuration completed previously. If you have configured this correctly, as shown in Example 1-4, you have scored 3 points.

Example 1-4 Switch 1, 2, 3, and 4 EtherChannel Configuration

SW1(config-if)# interface range fastethernet0/19-20
SW1(config-if)# channel-group 1 mode on
SW1(config-if)# interface range fastethernet0/21-22
SW1(config-if)# channel-group 2 mode on
SW1(config-if)# interface range fastethernet0/23-24
SW1(config-if)# channel-group 3 mode on
SW1(config-if)# interface Port-channel1
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk
SW1(config-if)# spanning-tree guard root
SW1(config-if)# interface Port-channel2
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk
SW1(config-if)# spanning-tree guard root
SW1(config-if)# interface Port-channel3
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk

SW2(config-if)# interface range fastethernet0/19-20
SW2(config-if)# channel-group 1 mode on
SW2(config-if)# interface range fastethernet0/21-22
SW2(config-if)# channel-group 2 mode on
SW2(config-if)# interface range fastethernet0/23-24
SW2(config-if)# channel-group 3 mode on
SW2(config-if)# interface Port-channel1
SW2(config-if)# switchport trunk encapsulation dot1q
SW2(config-if)# switchport mode trunk
SW2(config-if)# interface Port-channel2
SW2(config-if)# switchport trunk encapsulation dot1q
SW2(config-if)# switchport mode trunk
SW2(config-if)# interface Port-channel3
SW2(config-if)# switchport trunk encapsulation dot1q
SW2(config-if)# switchport mode trunk

SW3(config-if)# interface range fastethernet0/19-20
SW3(config-if)# channel-group 1 mode on
SW3(config-if)# interface range fastethernet0/21-22
SW3(config-if)# channel-group 2 mode on
SW3(config-if)# interface Port-channel1
SW3(config-if)# switchport trunk encapsulation dot1q
SW3(config-if)# switchport mode trunk
SW3(config-if)# interface Port-channel2
SW3(config-if)# switchport trunk encapsulation dot1q
SW3(config-if)# switchport mode trunk

SW4(config-if)# interface range fastethernet0/19-20
SW4(config-if)# channel-group 1 mode on
SW4(config-if)# interface range fastethernet0/21-22
SW4(config-if)# channel-group 2 mode on
SW4(config-if)# interface Port-channel1
SW4(config-if)# switchport trunk encapsulation dot1q
SW4(config-if)# switchport mode trunk
SW4(config-if)# interface Port-channel2
SW4(config-if)# switchport trunk encapsulation dot1q
SW4(config-if)# switchport mode trunk

SW1# show interfaces port-channel 1 status
Port      Name      Status       Vlan      Duplex  Speed  Type
Po1                 connected    trunk     a-full  a-100
SW1# show interfaces port-channel 2 status
Port      Name      Status       Vlan      Duplex  Speed  Type
Po2                 connected    trunk     a-full  a-100
SW1# show interfaces port-channel 3 status
Port      Name      Status       Vlan      Duplex  Speed  Type
Po3                 connected    trunk     a-full  a-100
SW1# show etherchannel summary
Number of channel-groups in use: 3
Number of aggregators:           3
Group  Port-channel  Protocol    Ports
------+-------------+----------+-----------------------------------------------
1      Po1(SU)                   Fa0/19(P)   Fa0/20(P)
2      Po2(SU)                   Fa0/21(P)   Fa0/22(P)
3      Po3(SU)          -        Fa0/23(P)   Fa0/24(P)

SW2# show interfaces port-channel 1 status
Port      Name      Status       Vlan      Duplex  Speed  Type
Po1                 connected    trunk     a-full  a-100
SW2# show interfaces port-channel 2 status
Port      Name      Status       Vlan      Duplex  Speed  Type
Po2                 connected    trunk     a-full  a-100
SW2# show interfaces port-channel 3 status
Port      Name      Status       Vlan      Duplex  Speed  Type
Po3                 connected    trunk     a-full  a-100
SW2# show etherchannel summary
Number of channel-groups in use: 3
Number of aggregators:           3
Group  Port-channel  Protocol    Ports
------+-------------+----------+-----------------------------------------------
1      Po1(SU)                   Fa0/19(P)   Fa0/20(P)
2      Po2(SU)                   Fa0/21(P)   Fa0/22(P)
3      Po3(SU)                   Fa0/23(P)   Fa0/24(P)

SW3# show interface port-channel 1 status
Port      Name      Status       Vlan      Duplex  Speed  Type
Po1                 connected    trunk     a-full  a-100
SW3# show interface port-channel 2 status
Port      Name      Status       Vlan      Duplex  Speed  Type
Po2                 connected    trunk     a-full  a-100
SW3# show etherchannel summary
Number of channel-groups in use: 2
Number of aggregators:           2
Group  Port-channel  Protocol    Ports
------+-------------+----------+-----------------------------------------------
1      Po1(SU)                   Fa0/19(P)   Fa0/20(P)
2      Po2(SU)                   Fa0/21(P)   Fa0/22(P)

SW4# show interface port-channel 1 status
Port      Name      Status       Vlan      Duplex  Speed  Type
Po1                 connected    trunk     a-full  a-100
SW4# show interface port-channel 2 status
Port      Name      Status       Vlan      Duplex  Speed  Type
Po2                 connected    trunk     a-full  a-100
SW4# show etherchannel summary
Number of channel-groups in use: 2
Number of aggregators:           2
Group  Port-channel  Protocol    Ports
------+-------------+----------+-----------------------------------------------
1      Po1(SU)                   Fa0/19(P)   Fa0/20(P)
2      Po2(SU)                   Fa0/21(P)   Fa0/22(P)

Ensure that traffic is distributed on individual Ethernet trunks between switches based on the destination MAC address of individual flows. (2 points)

A common problem with EtherChannels is traffic not being distributed equally among the physical interfaces. Configuring channel load balancing based on the destination MAC address of an individual flow is just one method available to distribute traffic. If you have configured this correctly, as shown in Example 1-5, you have scored 2 points.

Example 1-5 Switch 1, 2, 3, and 4 EtherChannel Load-Balancing Configuration

SW1(config)# port-channel load-balance dst-mac
SW2(config)# port-channel load-balance dst-mac
SW3(config)# port-channel load-balance dst-mac
SW4(config)# port-channel load-balance dst-mac

SW1# show etherchannel load-balance
EtherChannel Load-Balancing Operational State (dst-mac):
Non-IP: Destination MAC address
  IPv4: Destination MAC address
  IPv6: Destination IP address

Ensure that user interfaces are shut down dynamically by all switches if they toggle excessively; if they remain stable for 35 seconds, they should be reenabled. Configure Fast Ethernet Port 0/10 on each switch so that if multicast traffic is received on this port, the port is automatically disabled. (3 points)

Interfaces that flap can cause problems in a network. Toggling would usually indicate a problem such as a faulty connecting network interface card (NIC) or faulty cable. Placing the ports into error disable is a way to stabilize the environment. To disable a port when multicast traffic is present, you need to configure storm control with the multicast option set to 0. If you have configured this correctly, as shown in Example 1-6, you have scored 3 points.

Example 1-6 Switch 1, 2, 3, and 4 Configuration

SW1(config)# errdisable recovery cause link-flap
SW1(config)# errdisable recovery interval 35
SW1(config)# interface fastethernet 0/10
SW1(config-if)# storm-control multicast level 0
SW1(config-if)# storm-control action shutdown

SW2(config)# errdisable recovery cause link-flap
SW2(config)# errdisable recovery interval 35
SW2(config)# interface fastethernet 0/10
SW2(config-if)# storm-control multicast level 0
SW2(config-if)# storm-control action shutdown

SW3(config)# errdisable recovery cause link-flap
SW3(config)# errdisable recovery interval 35
SW3(config)# interface fastethernet 0/10
SW3(config-if)# storm-control multicast level 0
SW3(config-if)# storm-control action shutdown

SW4(config)# errdisable recovery cause link-flap
SW4(config)# errdisable recovery interval 35
SW4(config)# interface fastethernet 0/10
SW4(config-if)# storm-control multicast level 0
SW4(config-if)# storm-control action shutdown

Fast Ethernet ports 0/11–17 will be used for future connectivity on each switch. Configure these ports as access ports for VLAN 300, which should begin forwarding traffic immediately upon connection. Devices connected to these ports will dynamically receive IP addresses from a DHCP server due to be connected to port 0/18 on SW1. For security purposes, this is the only port on the network from which DHCP addresses should be allocated. Ensure that the switches intercept the DHCP requests and add the ingress port and VLAN and switch MAC address before sending forward to the DHCP server. Limit DHCP requests to 600 packets per minute per user port. (6 points)

This is a Dynamic Host Configuration Protocol (DHCP) snooping question. This is a useful security feature that protects the network from rogue DHCP servers. When the DHCP option-82 feature is enabled on the switch with the command ip dhcp snooping information option, a subscriber is identified by the switch port through which it connects to the network and by its MAC address. DHCP snooping also facilitates a rate-limiting feature for DHCP requests to prevent a DHCP denial of service by excessive false requests from a host, which would have the “gobbler effect” of requesting numerous leases from the same port. The question includes a couple of points that could easily be overlooked if you are suffering from exam pressure, namely that the ports are required to be configured with switchport host (or by configuring portfast) to set the port mode to access and to forward immediately. The rate limiting is configured in packets per second, not per minute as implied, so you need to pay attention to detail. If you have configured this correctly, as shown in Example 1-7, you have scored 6 points.

Example 1-7 Switch 1, 2, 3, and 4 DHCP Snooping Configuration

SW1(config)# ip dhcp snooping
SW1(config)# ip dhcp snooping vlan 300
SW1(config)# ip dhcp snooping information option
SW1(config)# int fastethernet 0/18
SW1(config-if)# ip dhcp snooping trust
SW1(config)# interface range fastethernet 0/11-17
SW1(config-if-range)# ip dhcp snooping limit rate 10
SW1(config)# interface range fastethernet 0/11-18
SW1(config-if-range)# switchport host
SW1(config-if-range)# switchport access vlan 300

SW2(config)# ip dhcp snooping
SW2(config)# ip dhcp snooping vlan 300
SW2(config)# ip dhcp snooping information option
SW2(config)# interface range fastethernet 0/11-17
SW2(config-if-range)# ip dhcp snooping limit rate 10
SW2(config-if-range)# switchport host
SW2(config-if-range)# switchport access vlan 300

SW3(config)# ip dhcp snooping
SW3(config)# ip dhcp snooping vlan 300
SW3(config)# ip dhcp snooping information option
SW3(config)# interface range fastethernet 0/11-17
SW3(config-if-range)# ip dhcp snooping limit rate 10
SW3(config-if-range)# switchport host
SW3(config-if-range)# switchport access vlan 300

SW4(config)# ip dhcp snooping
SW4(config)# ip dhcp snooping vlan 300
SW4(config)# ip dhcp snooping information option
SW4(config)# interface range fastethernet 0/11-17
SW4(config-if-range)# ip dhcp snooping limit rate 10
SW4(config-if-range)# switchport host
SW4(config-if-range)# switchport access vlan 300

SW1# sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
300
Insertion of option 82 is enabled
   circuit-id format: vlan-mod-port
   remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                 Trusted   Rate limit (pps)
-----------------------   -------   ----------------
fastethernet0/11          no        10
fastethernet0/12          no        10
fastethernet0/13          no        10
fastethernet0/14          no        10
fastethernet0/15          no        10
fastethernet0/16          no        10
fastethernet0/17          no        10
fastethernet0/18          yes       unlimited

For additional security, ensure that the user ports (11–17) on Switches 1–4 can communicate only with the network with IP addresses gained from the DHCP feature configured previously. Use a dynamic feature to ensure that the only information forwarded upon connection is DHCP request packets and then any traffic that matches the DHCP IP information received from the DHCP binding, for additional security. (3 points)

A complementary feature to DHCP snooping is IP Source Guard. This feature binds the information received from the DHCP address offered and effectively builds a dynamic VACL on a per-port basis to enable only source traffic matched from the DHCP offer to ingress the switch port for additional security. If you have configured this correctly, as shown in Example 1-8, you have scored 3 points.

Example 1-8 Switch 1, 2, 3, and 4 IP Source Guard Configuration

SW1(config)# interface range fast 0/11-17
SW1(config-if-range)# ip verify source
SW2(config)# interface range fast 0/11-17
SW2(config-if-range)# ip verify source
SW3(config)# interface range fast 0/11-17
SW3(config-if-range)# ip verify source
SW4(config)# interface range fast 0/11-17
SW4(config-if-range)# ip verify source

R5 and R6 have been preconfigured with IP addresses on their Ethernet interfaces. Configure R4 and its associated switch port accordingly without using secondary addressing to communicate with R5 and R6. Configure R4 with an IP address of 120.100.45.4/24 to communicate with R5, and configure R4 with an IP address of 120.100.46.4/24 to communicate with R6. Configure R4 Gi0/1 and Switch 2 FE0/4 only. (3 points)

This is just a simple trunking question on Switch 2 to R4 to enable R4 to connect to VLAN 45 and VLAN 46. One point to remember is that Switch 2 does not have VLAN 45 and VLAN 46 configured locally within the default configuration, so you will need to create the VLANs locally before configuring the trunk. If you have configured this correctly, as shown in Example 1-9, you have scored 3 points.

Example 1-9 Switch 2 and R4 Trunking Configuration

R4(config)# interface GigabitEthernet0/1.45
R4(config-if)# encapsulation dot1Q 45
R4(config-if)# ip address 120.100.45.4 255.255.255.0
R4(config-if)# interface GigabitEthernet0/1.46
R4(config-if)# encapsulation dot1Q 46
R4(config-if)# ip address 120.100.46.4 255.255.255.0
SW2(config)# vlan 45-46
SW2(config)# interface fastethernet0/4
SW2(config-if)# switchport trunk encapsulation dot1q
SW2(config-if)# switchport trunk allowed vlan 45,46
SW2(config-if)# switchport mode trunk

Section 2: IPv4 IGP Protocols (24 Points)

Section 2.1: OSPF

Use a process ID of 1; all OSPF configuration where possible should not be configured under the process ID. The loopback interfaces of routers R1, R2, and R3 should be configured to be in Area 0. R4 should be in Area 34 and R5 in Area 5. (2 points)

Recent advances in OSPF have enabled configuration of the network area directly under the interface as opposed to within the OSPF process. Example 1-10 details the Open Shortest Path First (OSPF) configuration.

Example 1-10 OSPF Configuration

R1(config)# interface GigabitEthernet 0/0
R1(config-if)# ip ospf 1 area 100
R1(config)# interface GigabitEthernet 0/1
R1(config-if)# ip ospf 1 area 0
R1(config-if)# interface Loopback 0
R1(config-if)# ip ospf 1 area 0
R2(config)# interface Loopback 0
R2(config-if)# ip ospf 1 area 0
R2(config-if)# interface fastethernet 0/0
R2(config-if)# ip ospf 1 area 0
R2(config-if)# interface Serial 0/1

3.5.100.123. .100.4.100. Serial0/1 O IA 120.100.1. Serial0/0 R2# sh ip route | include /32 C 120.123. 00:01:00. you have scored 1 point.5. GigabitEthernet0/1 O 120. 00:01:00. If you have configured this correctly.100.100.3.100.123.3. 00:04:34. Example 1-11 OSPF Loopback Interface Host Routes and Configuration Click here to view code image R2# sh ip route | include /32 O 120.25.R2(config-if)# ip ospf 1 area 5 R2(config-if)# interface fastethernet 0/1 R2(config-if)# ip ospf 1 area 200 R3(config)# interface loopback 0 R3(config-if)# ip ospf 1 area 0 R3(config-if)# interface GigabitEthernet 0/1 R3(config-if)# ip ospf 1 area 0 R3(config-if)# interface GigabitEthernet 0/0 R3(config-if)# ip ospf 1 area 34 R4(config)# interface Loopback 0 R4(config-if)# ip ospf 1 area 34 R4(config-if)# interface GigabitEthernet 0/0 R4(config-if)# ip ospf 1 area 34 R4(config-if)# interface GigabitEthernet 0/1. (1 point) Loopback interfaces within OSPF are by default advertised as host routes.1/32 [110/129] via 120.100. you have scored 2 points.1.100. Example 1-11 shows the host routes learned on R2.1/32 [110/2] via 120.3.1/32 [110/65] via 120.4.100.25.5.100.25.5/32 is directly connected. Serial0/0 O 120. as shown in Example 1-11. Serial0/0 O 120.1/32 [110/65] via 120.100. you need to override the network type that the IOS associates with the loopback interface. 00:47:32.5.100.45 R4(config-if)# ip ospf 1 area 5 R5(config)# interface Loopback 0 R5(config-if)# ip ospf 1 area 5 R5(config-if)# interface GigabitEthernet 0/0 R5(config-if)# ip ospf 1 area 5 R5(config-if)# interface Serial 0/0/1 R5(config-if)# ip ospf 1 area 5 If you have configured OSPF correctly.1/32 [110/66] via 120. 00:39:59. No loopback networks should be advertised as host routes. 00:00:42.123. Serial0/1 O 120.123.1. Serial0/1 O IA 120.100.1/32 [110/65] via 120. 00:50:56.100. as shown in Example 1-10.1/32 [110/3] via 120. To manipulate this behavior.3.

100.100.100.123.100.3. 02:52:46.100.45.3.100. 01:43:00. Do not use any filtering techniques to achieve this.5.34. fastethernet0/0 Ensure that R1 does not advertise the preconfigured secondary address under interface Gigabit 0/1 of 120.100.4. R1 has a preconfigured secondary address on interface Gigabit 0/1 that is therefore advertised. 01:42:09.100. fastethernet0/0 O 120.0/24 [110/65] via 120. GigabitEthernet0/1 R1# conf t R1(config)# int Loopback 0 R1(config-if)# ip ospf network point-to-point R2# conf t R2(config)# interface Loopback 0 R2(config-if)# ip ospf network point-to-point R3# conf t R3(config)# int Loopback 0 R3(config-if)# ip ospf network point-to-point R4# conf t R4(config)# int Loopback 0 R4(config-if)# ip ospf network point-to-point R5# conf t R4(config)# int Loopback 0 R4(config-if)# ip ospf network point-to-point R2# sh ip route ospf 1 | include /24 O IA 120.3.1/32 [110/2] via 120.123.100.123.0/24 [110/65] via 120.0/24 [110/2] via 120. fastethernet0/0 O IA 120. . If you have configured this correctly.0/24 [110/3] via 120.1.25. 01:42:26.0/24 [110/2] via 120.100.100.100.100.100.1. Serial0/1 O IA 120. 00:00:04.100.3. fastethernet0/0 O 120.5.GigabitEthernet0/1 O 120.100. as shown in Example 1-12. 00:49:20. Because you cannot filter this advertisement.1. fastethernet0/0 O 120. 01:43:00.0/24 [110/2] via 120.3.1/24 to the OSPF network.5.0/24 [110/2] via 120.100. you have scored 2 points. 00:17:09. Serial0/1 O 120.123.100.123.25.3. you need to inform OSPF not to include the secondary addresses under the interface command.123.100. (2 points) The associated behavior with configuring OSPF directly under the interface is that it will by default advertise any secondary addresses assigned to the interface.

but you will find that you can use the IP SLA feature to monitor the IP address of the serial interface on R5 by R5 itself.1. a demand scenario is also out because this would involve a neighbor relationship being formed.100. Area 100 Process ID 1. You can rule out a backup interface solution because the Ethernet needs to remain up. including secondary ip addresses Transmit Delay is 1 sec. To confirm the operational status of the serial network.1 No backup designated router on this network Timer intervals configured. You are also requested to confirm operational status of the serial interface on R5 with your overall solution being dynamic. there is no neighbor relationship between R4 and R5.100. Your solution should be dynamic.1. so some lateral thinking is required. Hello 10. If this network should fail either at Layer 1 or Layer 2. you know the serial link is up at Layers 1 and 2. This would take a great deal of effort and trial and error. Wait 40. If . however. Similarly.1. maximum is 0 Last flood scan time is 0 msec. Interface address 150. R5 should form a neighbor relationship with R4 under Area 5 to maintain connectivity. Adjacent neighbor count is 0 Suppress hello for 0 neighbor(s) R1(config)# interface GigabitEthernet 0/1 R1(config-if)# ip ospf 1 area 100 secondaries none R2# sh ip route 120.100. line protocol is up Internet Address 150.1.1.1.100.Example 1-12 OSPF Secondary Address Advertisement and Configuration Click here to view code image R1# show ip ospf int GigabitEthernet 0/1 GigabitEthernet0/1 is up. flood queue length 0 Next 0x0(0)/0x0(0) Last flood scan length is 0. (4 points) This is a complex scenario that can consume your time. maximum is 0 msec Neighbor Count is 0. Dead 40. ensuring that while the Area 5 serial link is operational. State DR.0 % Subnet not in table R5 should use the serial link within Area 5 for its primary communication to the OSPF network. Cost: 1 Enabled by interface config. Network Type BROADCAST. 
You are permitted to define neighbor statements between R5 and R4.100. the Ethernet interfaces of R4 and R5 must remain up. Priority 1 Designated Router (ID) 120. ensure that the serial interface of R5 is reachable by configuration of R5.1/24. If this responds to the automatic polling with Internet Control Message Protocol (ICMP). and the solution must cater for Layer 1 and Layer 2 rather than purely Layer 1. Retransmit 5 oob-resync timeout 40 Hello due in 00:00:00 Supports Link-local Signaling (LLS) Cisco NSF helper support enabled IETF NSF helper support enabled Index 1/1. but all the clues are in the question.100. Router ID 120.

So. you know the interface is down.100.683 UTC Mon Aug 05 2013Latest operation return code: OK Number of successes: 2 Number of failures: 0 Operation time to live: Forever Note OSPF should have already been configured between R4 and R5 within your original peering configuration. The traffic it manipulates needs to be OSPF that should be directed to R4 to form the adjacency over the Ethernet network (VLAN 45). IP SLA can then be used to inform the router. and a forwarding decision can be manipulated. Then. if the object status changes. we need to allow the adjacency between R5 and R4 to form. The first step in this solution is to configure the IP SLA object tracking on R5. instead of allowing normal traffic flow between . The unicast traffic between neighbors can be identified by an ACL that the PBR process can match. which ensures the routers unicast traffic to each other. The neighbor adjacency takes a while waiting for the dead time to expire (120 seconds after changing of the OSPF network type).the polling fails. this feature is known as policy-based routing (PBR) support with multiple tracking options. The tracking process provides the ability to track individual objects. To do this. OSPF needs to be configured between R4 and R5 with manual neighbor statements as directed in the question. such as ICMP ping reachability. and inform the required PBR process when an object state changes. you must change the network type to non-broadcast. When the serial link fails. when the R5 serial link is up and running. Example 1-13 R5 IP SLA Configuration and Status Click here to view code image R5(config)# ip sla 1 R5(config-ip-sla)# icmp-echo 120.25. 
This gives PBR access to all the objects that are available through the tracking process.5 R5(config-ip-sla-echo)# exit R5(config)# ip sla schedule 1 life forever start-time now R5(config)# track 1 rtr 1 reachability R5# show ip sla statistics Round Trip Time (RTT) for Index 1 Latest RTT: 4 milliseconds Latest operation start time: *21:17:10. we just need to break the adjacency between R5 and R4. In summary. R5 can simply manipulate the way it sends traffic by policy routing. This configuration is detailed in Example 1-13.

So. Example 1-14 shows the required OSPF configuration on R4 and R5.25.100. and the OPSF traffic to 120.100.4 R5(config)# route-map TEST permit 10 R5(config-route-map)# match ip address 100 R5(config-route-map)# set ip next-hop verify-availability 120. If the object status changes to down.45.25.100.25. R5 can forward normal OSPF traffic to 120. and the resulting neighbor partial adjacency that is formed between R4 and R5.100.45.2 (R2 serial to effectively discard the traffic) if the tracked object (1) is up.5 R5(config)# interface GigabitEthernet0/0 R5(config-if)# ip ospf network non-broadcast R5(config-if)# router ospf 1 R5(config-router)# neighbor 120. the PBR process is informed.5 (d est was 120.R5 and R4 to form the neighbor relationship. the traffic will effectively be dropped by the next hop and the OSPF between R5 and R4 will never establish.45.45.4 R5(config-router)# exit R5(config)# access-list 100 permit ospf host 120.100.847: ICMP: time exceeded (time to live) sent to 120.5 host 120. Example 1-14 R4 and R5 OSPF and PBR Configuration Click here to view code image R4(config)# interface GigabitEthernet0/1.2 would follow the usual next hop. and because the OSPF TTL is set to 1 by default.2 10 track 1.2 10 track 1 R5(config-route-map)# interface GigabitEthernet0/0 R5(config-if)# ip policy route-map TEST R5(config-if)# exit R5(config)# ip local policy route-map TEST R2# debug ip icmp ICMP packet debugging is on R2# *Feb 26 22:17:12. the PBR on R5. Similarly. the next hop can be modified.100.100. the PBR process will be overridden and traffic can flow as normal. R5 must be configured to locally policy route traffic because normal PBR behavior is for traffic manipulation for traffic that flows through the router rather than traffic generated by the router itself.4) R2# R5# show ip ospf neigh . 
a debug of R2 sending TTL expired to R5 after the OSPF traffic is sent to R2 instead of R5.100.45.45 R4(config-if)# ip ospf network non-broadcast R4(config-if)# router ospf 1 R4(config-router)# neighbor 120. if you use the PBR command set ip next-hop verify-availability 120.25. when the object tracking fails.45. This will then allow R5 and R4 to form an OSPF adjacency.100.100.

807: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1. changed state to administratively down *Jan 2 21:58:19.2. If you had not configured a virtual link.45. The PBR is overridden and normal routing occurs because the next hop is not verified by the object tracking.2 120.4.100.100. (This was a difficult question.100. changed state to down R5(config-if)# do show ip ospf neigh Neighbor ID Pri State Dead Time Address Interface N/A 0 ATTEMPT/DROTHER 00:00:33 GigabitEthernet0/0 120.807: %LINK-5-CHANGED: Interface Serial0/0/1.100. but a good one to practice with and examine how features operate and interact with each other. you might have been scratching your head or cursing me.1 R4(config)# router ospf 1 R4(config-router)# area 34 virtual-link 120.100. and a virtual link between R3 and R4 is required to extend area 0. Nbr 120.811: %OSPF-5-ADJCHG: Process 1.100. it would have been an easy mistake that would take your points away.3. Example 1-15 R3 and R4 OSPF Virtual Link Configuration and R5 Test Click here to view code image R3(config)# router ospf 1 R3(config-router)# area 34 virtual-link 120.Neighbor ID Pri Time Address 120.1 0 Serial0/0/1 120.45. You must remember that when an OSPF adjacency forms between R5 and R2. including the virtual link.25. Neighbor Down: Interface down or detached *Jan 2 21:58:18.1 R5(config)# interface s0/0/1 R5(config-if)# shut R5(config-if)# *Jan 2 21:58:16.4 Example 1-15 shows the OSPF adjacency formed when the serial link between R2 and R5 is shut down on R5.) If you configured this correctly.4.100.1 on Serial0/0/1 from FULL to DOWN.100.4 .2. but I’d be surprised if you didn’t learn something new from this question. you are joining Area 5 into Area 34.1 1 GigabitEthernet0/0 State Interface FULL/ - Dead 00:00:37 INIT/DROTHER 00:01:45 120. Your routing table needs to be an exact replica as that shown in Example 1-15. 
you have scored 4 points (definitely a question worth leaving to the end of your exam when you might have some time left over to experiment).

0.547: %OSPF-5-ADJCHG: Process 1.46.0/24 is subnetted.100. If you have configured this correctly. 00:00:12.4.0 [110/4] via 120. you have scored 2 points.0 [110/3] via 120.100.45.0.100.100.0. GigabitEthernet0/0 O IA 120.0 [110/2] via 120.45.0.0 0.0 [110/4] via 120.100. Nbr 0.2.45. Loading Done R5(config-if)# R5# sh ip route ospf 150.100. 9 subnets O IA 120.4.100.100.34.100.45.0.100.0.45. GigabitEthernet0/0 O IA 120.4.0. GigabitEthernet0/0 120.0/24 is subnetted.0 0.100.4.R5(config-if)# *Jan 2 21:59:43.255 .4.123. 00:00:12. Example 1-16 EIGRP Configuration Click here to view code image R4(config)# router eigrp CCIE R4(config-router)# address-family ipv4 unicast autonomous-system 1 R4(config-router-af)# network 120.255 R4(config-router-af)# network 120.45.0. as shown in Example 1-16. Neighbor Down: Dead timer expired R5(config-if)# *Jan 2 22:00:08.4.45.4. GigabitEthernet0/0 O IA 120.1 on GigabitEthernet0/0 from LOADING to FULL.0.0.45. 00:00:12. 00:00:12. The loopback interfaces of all routers and switches should be advertised within EIGRP.0 0. Use the show ip eigrp neighbor command to verify your peering before moving on to the next question. GigabitEthernet0/0 O IA 120. 00:00:12.100. 2 subnets O IA 150. GigabitEthernet0/0 Section 2.100. GigabitEthernet0/0 O IA 120.100.100.4. 00:04:49.2.100.2: EIGRP Configure EIGRP with an instance name of CCIE where possible using an autonomous system number of 1. Nbr 120.4.255 R4(config-router-af)# network 120.100.135: %OSPF-5-ADJCHG: Process 1. (2 points) This is not a difficult question by any means. 00:04:49. GigabitEthernet0/0 O IA 120.100.100.100.3.0 [110/4] via 120.0. You need to remember to include your preconfigured loopback interfaces and enable routing on the Layer 3 switches. just one that has a magnitude of configuration and sets up your Enhanced Interior Gateway Routing Protocol (EIGRP) network using the named instance and address family IPv4 for the following questions.4.4. 
00:00:12.0 on GigabitEthernet0/0 from ATTEMPT to DOWN.100.45.0 [110/4] via 120.100.0 [110/2] via 120.0 [110/3] via 120.1.

0 network 150.0 no auto-summary Ensure that R4 does not install any of the EIGRP loopback routes from any of the switches into its routing table.0 0.0.0.10 0.7.0.0.0.46.0 no auto-summary SW3(config)# ip routing SW3(config)# exit SW3# sh run | beg eigrp router eigrp 1 network 120.0.6.0.0 0.10.0.45.255 SW1(config)# ip routing SW1(config)# exit SW1# sh run | beg eigrp router eigrp 1 network 120.9.1 0.100.1 0.0.5.1 0. these routes should also not be present in the OSPF .9 0.0.0 network 150.0.0 no auto-summary SW4(config)# ip routing SW4(config)# exit SW4# sh run | beg eigrp router eigrp 1 network 120.255 R6(config-router-af)# network 120.0 network 150.100.0 no auto-summary SW2(config)# ip routing SW2(config)# exit SW2# sh run | beg eigrp router eigrp 1 network 120.0.0.255 R6(config)# router eigrp CCIE R6(config-router)# address-family ipv4 unicast autonomous-system 1 R6(config-router-af)# network 120.1 0.0 network 150.100.0.8.100.100.0.100.0.0.3.100.0.255 R5(config-router-af)# network 120.100.0.0.0.0.0.0 0.0.3.0.R5(config)# router eigrp CCIE R5(config-router)# address-family ipv4 unicast autonomous-system 1 R5(config-router-af)# network 120.100.100.0.0 0.0 0.0 0.100.0.3.100.8 0.100.7 0.100.3.3.3.255 R5(config-router-af)# network 120.255 R6(config-router-af)# network 120.0.

GigabitEthernet0/1. 00:01:07.0/24 [90/156160] via 120. but this is not permitted.45. By configuring the maximum hop count of 1 on R4.45 120.46 [90/158720] via 120. 00:00:10.100. 00:00:10.45 D 120. as shown in Example 1-17.7. GigabitEthernet0/1.6. Do not use any route-filtering ACLs.100. 3 subnets D 150. but you can configure the process to ignore routes received with a hop count larger than a configured threshold with the command metric maximum-hops.100. GigabitEthernet0/1. 00:01:07.0. (4 points) A distribute or prefix list would have been the obvious choice here. GigabitEthernet0/1.5.46. you have scored 4 points. 00:00:10.45.0.45.45.45 R4# show ip route 120. If you have configured this correctly. or admin distance manipulation to achieve this.46 D 120.5. GigabitEthernet0/1. Example 1-17 EIGRP Maximum-Hops Configuration Click here to view code image R4# show ip route eigrp 150.0/8 is variably subnetted.100. you will notice that the routes have a hop count of 2 associated with them.6.0 [90/30720] via 120.5.9.100.100.100. GigabitEthernet0/1.45.46. 00:00:10.45.5.100.100.46 [90/158720] via 120.6.46 [90/30720] via 120.10.network post redistribution.100. 2 masks D 120.100.0/24 [90/158720] via 120.46.5. Hop count isn’t something you would naturally assimilate with EIGRP.6.8.6.0/24 [90/158720] via 120.0/24 [90/156160] via 120. GigabitEthernet0/1.100.100. GigabitEthernet0/1. you can simply stop the loopback routes from entering the process. GigabitEthernet0/1.100.100.100. and perform configuration only on R4. GigabitEthernet0/1. GigabitEthernet0/1.46 [90/158720] via 120. 00:00:10. Upon close inspection of the loopback routes within Example 1-17.5.46 [90/158720] via 120.6.46. prefix lists.0/24 is subnetted. 00:00:10. GigabitEthernet0/1.46.8. 00:00:10.6.100. 00:00:10.100.100.0 .3. 16 subnets.46. 00:00:10.45 D 120.0/24 [90/158720] via 120.0.45 D 120.0/24 [90/158720] via 120.45 D 120.100. 00:00:10.5.100.

type internal Redistributing via ospf 1.0/8 is variably subnetted.46. GigabitEthernet0/1. 13 subnets. eigrp 1 Advertised by ospf 1 metric 5000 subnets Last update from 120.100.46. traffic should be sent to R6. traffic share count is 1 Total delay is 5200 microseconds. Hops 2 R4(config)# router eigrp CCIE R4(config-router)# address-family ipv4 unicast autonomous-system 1 R4(config-router-af)# topology base R4(config-router-af-topolgy)# metric maximum-hops 1 R4(config-router-af-topology)# do show ip route eigrp 150. Should the route from R5 become unavailable.6.6. 00:00:04.Routing entry for 120. type internal Redistributing via ospf 1. 3 subnets D 150.3. Ensure that R4 sends traffic to this destination network to R5 instead of load sharing.6.100.0 Routing entry for 120.100. minimum bandwidth is 100000 Kbit Reliability 255/255.100.100.46. GigabitEthernet0/1.9.100.9.6 on GigabitEthernet0/1.5.100.45.100. via GigabitEthernet0/1. 00:00:04.100. 00:00:25 ago Routing Descriptor Blocks: * 120.0/24 is subnetted.0. GigabitEthernet0/1.45.5. minimum bandwidth is 100000 Kbit Reliability 255/255.46.100.6.46.0. traffic share count is 1 Total delay is 5200 microseconds. 00:00:15 ago Routing Descriptor Blocks: * 120.45 D 120.5.8. distance 90. metric 158720.46 Route metric is 158720.46. 2 masks D 120. alter the bandwidth or delay statements on R4’s interfaces or use an offset . metric 158720.3. minimum MTU 1500 bytes Loading 1/255.100.46 R4 will have dual equal-cost routes to VLAN 300 (network 150.6.0/24 Known via "eigrp 1". GigabitEthernet0/1.46 [90/30720] via 120. You may not policy route.100.100. 00:00:04.100. minimum MTU 1500 bytes Loading 1/255.0/24 Known via "eigrp 1". distance 90. from 120. Hops 2 R4# show ip route 120.46. via GigabitEthernet0/1.0 [90/30720] via 120.46 Route metric is 158720. from 120.100.46.100.0. 00:00:15 ago.0/24 [90/156160] via 120.6. 00:00:04.46.0/24 [90/156160] via 120. 00:00:25 ago.6.0) from R5 and R6.6 on GigabitEthernet0/1.100.100.45 120.46. 
eigrp 1 Advertised by ospf 1 metric 5000 subnets Last update from 120.

minimum MTU 1500 bytes Loading 1/255. traffic share count is 1 Total delay is 200 microseconds.45. so the route is still available but with a different metric.100.100. Hops 1 120.45 Route metric is 30720. Gigabit 1/0.46 will. minimum bandwidth is 100000 Kbit Reliability 254/255.0 Routing entry for 150. from 120. Perform your configuration on R4 only. metric 30720. (4 points) To receive identical routes your topology.5 on GigabitEthernet0/1. type internal Redistributing via ospf 1. as opposed to just this individual route. as shown in Example 1-18. eigrp 1 Advertised by ospf 1 metric 5000 subnets Last update from 120. If you want to manipulate this route. must have identical interface types or bandwidth statements used on R4. (You could have also manipulated the delay within the route map or created a statement for each individual interface as opposed to just Gigabit 1/0. 00:25:40 ago. by default. 00:25:40 ago.100. but this is not permitted.6. minimum bandwidth is 100000 Kbit Reliability 252/255.) Example 1-18 EIGRP Metric Manipulation Configuration Click here to view code image R4# sh ip route 150.list.100. Example 1-18 shows the VLAN 300 route (150. 00:25:40 ago Routing Descriptor Blocks: * 120. Example 1-18 also shows that when the interface Gigabit 0/0 is shut down on R5 that the route for VLAN 300 is still received from R6 (R4’s feasible successor).45.6.5. from 120.46.46 Route metric is 30720. traffic share count is 1 Total delay is 200 microseconds. you have scored 4 points.5.0/24 Known via "eigrp 1".45.45. and R6. you are left with only one method that can be applied on R4. via GigabitEthernet0/1. The route map is applied inbound to the process as a distribute list.100.45 set metric 2000 10 255 1 1500 route-map CHANGEMETRIC permit 20 set metric 1000 10 255 1 1500 router eigrp CCIE . via GigabitEthernet0/1. distance 90.0/24) received on R4 from both R5 and R6 with a metric of 30720.3. 
Hops 1 R4(config)# route-map R4(config-route-map)# R4(config-route-map)# R4(config-route-map)# R4(config-route-map)# R4(config-route-map)# CHANGEMETRIC permit 10 match interface gigabitEthernet 0/1.100. If you have configured this correctly. In fact.45.3.100.45.100.46. minimum MTU 1500 bytes Loading 1/255. have a lower bandwidth assigned to routes received from it from the permit 20 statement in the route map. the usual best practice method is to modify the bandwidth or delay on one of the Ethernet interfaces. R5. Your solution should be applied to all routes received from R5 and R6 as opposed to solely the route to network VLAN 300. A route map is required to override the EIGRP-assigned metrics assigned to routes on one interface by manipulating the bandwidth assigned to Gigabit 1/0.3. which will influence all routes from R5 and R6.

with their inherent protection against routing loops.5 on GigabitEthernet0/1. from 120.6 on GigabitEthernet0/1. via GigabitEthernet0/1.45.3. distance 90.100.100.100. minimum bandwidth is 2000 Kbit Reliability 255/255. traffic share count is 1 Total delay is 100 microseconds. as shown in Example 1-19.100.45. EIGRP routes redistributed within the OSPF network should remain with a fixed cost of 5000 throughout the network.100. traffic share count is 1 Total delay is 100 microseconds.46 Route metric is 2562560. distance 90.100. metric 2562560.100. . via GigabitEthernet0/1. If you have configured this correctly.100.6.0/24 Known via "eigrp 1". you have only a single redistribution point (R4). so have no concerns when using protocols such as EIGRP and OSPF. which is the default. eigrp 1 Advertised by ospf 1 metric 5000 subnets Last update from 120. All routes should be accessible except for the switch loopback networks (because these should not be visible via R4 from an earlier question). from 120. you have scored 3 points.45. so no specific configuration is required for this. minimum bandwidth is 1000 Kbit Reliability 255/255. minimum MTU 1500 bytes Loading 1/255.0/24 Known via "eigrp 1". minimum MTU 1500 bytes Loading 1/255. 00:00:10 ago Routing Descriptor Blocks: * 120. 00:03:10 ago Routing Descriptor Blocks: * 120.3.R4(config-router)# address-family ipv4 unicast autonomous-system 1 R4(config-router-af)# topology base R4(config-router-af-topolgy)# distribute-list route-map CHANGEMETRIC in R4(config-router-af-topolgy)# ^Z R4# clear ip route * R4# sh ip route 150. (3 points) A simple redistribution question for the warm-up lab. The only points you need to consider when redistributing into OSPF are to use the subnets command to ensure classless redistribution and to use default metrics in each protocol. 00:03:10 ago.3.5.45 Route metric is 1282560.0 Routing entry for 150. 
The fixed cost of 5000 is achieved by advertising redistributed routes into OSPF using a metric type of 2.46. Hops 1 R5(config)# int gig0/0 R5(config-if)# shutdown R4# sh ip route 150. type internal Redistributing via ospf 1.100. Hops 1 Section 2. metric 1282560.3: Redistribution Perform mutual redistribution of IGPs on R4.45.0 Routing entry for 150.46. type internal Redistributing via ospf 1. eigrp 1 Advertised by ospf 1 metric 5000 subnets Last update from 120.46.5. 00:00:10 ago.46.100.6.3.

0/24 [170/284416] via 150.123. 00:00:46. as shown in Example 1-20.1. 00:01:43.6.100.2.100. Vlan300 D EX 120.100.3.34. GigabitEthernet 0/0 O E2 120.6.0 [170/284416] via 150.6.Example 1-19 R4 Redistribution Configuration and Verification Click here to view code image R4(config-route-map)# router eigrp CCIE R4(config-router)# address-family ipv4 unicast autonomous-system 1 R4(config-router-af)# topology base R4(config-router-af-topology)# redistribute ospf 1 R4(config-router-af-topology)# default-metric 10000 100 255 1 1500 R4(config-router-af-topology)# router ospf 1 R4(config-router)# redistribute eigrp 1 subnets R4(config-router)# default-metric 5000 R1# show ip route ospf | include E2 O E2 150. GigabitEthernet0/0 O E2 120.0/24 [110/5000] via 120.3.123.0/24 [170/284416] via 150.100.6. (2 points) You can limit the number of prefixes redistributed into OSPF and generate a warning when the number of prefixes reaches a defined maximum by use of the redistribute maximum-prefix command. Vlan300 D EX 120.100.100.3.100.100.6.3.100.100. you have scored 2 points.100.6. and generate a system warning when the fourth route is redistributed.6. 00:01:43.3.3.100.0 [170/284416] via 150.46.100.6. 00:01:43.0 [110/5000] via 120. Vlan300 D EX 120.2. 00:01:43.25.123. To generate the warning on the fourth route.0/24 [170/284416] via 150.3/32 [170/284416] via 150.0/24 [110/5000] via 120. 00:01:44.6. 00:01:43. Vlan300 D EX 120.3.3. Vlan300 Configure R4 to only redistribute up to five EIGRP routes. 00:01:43.3.3. Do not use any access lists in your solution.123.0/24 [170/284416] via 150. GigabitEthernet 0/0 SW1# show ip route eigrp | include EX D EX 150. 00:00:46.123. Example 1-20 R4 Prefix Configuration Click here to view code image .100. Vlan300 D EX 150.3. Vlan300 D EX 120. Vlan300 D EX 120.0/24 [170/284416] via 150.3. 00:01:43.1.100. you must configure a percentage threshold (80 percent).100.3.100.0/24 [170/284416] via 150.100.100.100. 00:01:43. Vlan300 D EX 120. 
00:00:46.6.100.100.100.100.3. If you have configured this correctly.

R4(config)# router ospf 1
R4(config-router)# redistribute maximum-prefix 5 80

Section 3: BGP (14 Points)

Configure iBGP peering as follows: R1-R3, R2-R3, R6-R5, SW1-R6, and SW1-R5. Use minimal configuration and use loopback interfaces for your peering. Configure eBGP peering as follows: R3-R4, R4-R6, R4-R5, and R5-R2. Use minimal configuration and use loopback interfaces for your peering with the exception of R4 to R5. Use the autonomous system numbers supplied in Figure 1-7. (2 points)

You can get some easy peering points to begin with, but you'll have to do a lot of typing to earn them. You must remember to use peer groups to minimize configuration where possible, namely on R3, R6, and Switch 1, and follow the peering instructions closely because these are relevant for the following questions. You should have noticed that R3 was required to be a route reflector for iBGP peers R1 and R2 in AS10 and that no synchronization is required because the underlying IGP is not redistributed into BGP. Remember to verify your peering with the show ip bgp neighbor command. If you have configured this correctly, as shown in Example 1-21, you have scored 2 points.

For your eBGP peering on R3, use the TTL security feature. This feature must be configured only on R3 and not on R4. (2 points)

The peering becomes complicated when the TTL security feature is enabled by use of the command neighbor 120.100.4.1 ttl-security hops 2 on R3, which will not permit a session from R4 to become established if R4 is more than 2 hops away. This command is a neat feature that will not permit the peering session if the received neighbor TTL value is less than 253 in this case, which would suggest that the incoming session could be some form of remote attack with spoofed source IP address of the original neighbor. Because you are not permitted to configure the same feature on R4, the peering will break, even if you have configured the eBGP multihop feature on R4 with a value of 2, to show R3 that R4 can only be a maximum of two hops away. You need to get the hex value to FD (253 decimal) by configuring the multihop value to 255 on R4. (Of course, this will simply increment the TTL value from a default value of 0.) Example 1-21 shows a debug on R3 for the eBGP peering. The field highlighted is the Time To Live (TTL) hex value displayed from the hidden command (dump) when performing the debug.
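The TTL check on R3 can be reproduced offline against the two debug dumps in Example 1-21. This is an added example, not code from the book or from Cisco: it parses the IPv4 header, verifies its checksum, and applies the "255 minus hops" threshold that ttl-security hops 2 implies. The hex words are reassembled from the page's scrambled dump columns (the checksum confirms the word order), and all function names are this example's own.

```python
"""TTL-security (GTSM-style) check applied to IPv4 headers from a packet dump."""
import ipaddress
import struct

BGP_PORT = 179

# IPv4 header (5 words) plus the TCP port word, reassembled from the two R3
# debug dumps in Example 1-21. The addresses inside the dump decode to
# 1.1.1.1 -> 3.3.3.3; they are reported exactly as the dump carries them.
DUMP_MULTIHOP_2 = "45C0002C 6A870000 0106467E 01010101 03030303 A6C400B3"
DUMP_MULTIHOP_255 = "45C00028 8C9A0000 FD06286E 01010101 03030303 AC4D00B3"


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum; a valid IPv4 header sums to 0xFFFF."""
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def parse_ipv4_tcp(hex_words: str) -> dict:
    """Parse an IPv4 header and the TCP ports that follow it."""
    raw = bytes.fromhex(hex_words.replace(" ", ""))
    if len(raw) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    version, header_len = raw[0] >> 4, (raw[0] & 0x0F) * 4
    if version != 4 or header_len < 20 or len(raw) < header_len + 4:
        raise ValueError("not a complete IPv4 header followed by TCP ports")
    header = raw[:header_len]
    if ones_complement_sum(header) != 0xFFFF:
        raise ValueError("IPv4 header checksum mismatch")
    if header[9] != 6:
        raise ValueError("payload is not TCP")
    src_port, dst_port = struct.unpack("!HH", raw[header_len:header_len + 4])
    return {
        "ttl": header[8],
        "src": str(ipaddress.IPv4Address(header[12:16])),
        "dst": str(ipaddress.IPv4Address(header[16:20])),
        "src_port": src_port,
        "dst_port": dst_port,
    }


def min_incoming_ttl(hops: int) -> int:
    """Lowest TTL accepted for a neighbor configured with ttl-security hops N."""
    if not 1 <= hops <= 254:
        raise ValueError("hops must be between 1 and 254")
    return 255 - hops


def ttl_security_accepts(packet: dict, hops: int) -> bool:
    """True if a BGP packet's received TTL satisfies the hop limit."""
    is_bgp = BGP_PORT in (packet["src_port"], packet["dst_port"])
    return is_bgp and packet["ttl"] >= min_incoming_ttl(hops)


if __name__ == "__main__":
    for label, dump in (("ebgp-multihop 2", DUMP_MULTIHOP_2),
                        ("ebgp-multihop 255", DUMP_MULTIHOP_255)):
        pkt = parse_ipv4_tcp(dump)
        verdict = "accepted" if ttl_security_accepts(pkt, hops=2) else "dropped"
        print(f"{label}: TTL={pkt['ttl']} (min {min_incoming_ttl(2)}) -> {verdict}")
```

A spoofed packet sent from further away than the configured hop count cannot arrive with a TTL at or above the threshold, which is why the low-TTL SYN is rejected while the TTL 253 segment is accepted.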
Example 1-21 BGP Peering Configuration
R1# sh run | begin bgp
router bgp 10
no synchronization
neighbor 120.100.1 remote-as 10
neighbor 120.

100.1 remote-as 300 neighbor 120.1 ttl-security hops 2 neighbor 120.3. from R3's perspective R4 could be 254 hops away! ! Configure R4 so the TTL value will read 253 decimal (FD hex) by configuring an .1 R3(config)# exit R3# debug ip packet 100 detail dump IP packet debugging is on (detailed) (dump) for access list 100 R3# TCP src=42692.100.1 update-source Loopback0 no auto-summary R4# sh run | begin bgp router bgp 200 no synchronization neighbor 120..3.5.6.100..100.@.`.5. seq=2600279946.100.5 remote-as 300 no auto-summary R3(config)# access-list 100 permit ip host 120.3 .4.5.1 neighbor 120.100.`.100. . ! The TTL from R4 is decremented to 01 Hex = 01 decimal as R4 has ebgpmultihop 2 ! configured and the BGP session will not be established as R3 has the TTL security ! check enabled.F~.. win=163 C204 07400000 00100800 45C0002C 6A870000 01010101 03030303 A6C400B3 00000000 60024000 F1BB0000 B..4.1 remote-as 200 neighbor 120...100. . 84 SYN 0F400C00: 0F400C10: C20211E0 0F400C20: 0106467E 0F400C30: 9AFD1F8A 0F400C40: 02040218 dst=179..}...@..100.. ack=0.100.3.4.1 neighbor 120.1 neighbor 120.100.100..E@...6.100..3..4.100.1 no auto-summary remote-as 10 remote-as 300 ebgp-multihop 2 update-source Loopback0 R3# sh run | begin bgp router bgp 10 no synchronization neighbor IBGP peer-group neighbor IBGP remote-as 10 neighbor IBGP update-source Loopback0 neighbor IBGP route-reflector-client neighbor 120.6.1 peer-group IBGP neighbor 120..1.1 ebgp-multihop 2 neighbor 120...2.1 peer-group IBGP neighbor 120.100.1 remote-as 10 neighbor 120.j.100.1 update-source Loopback0 neighbor 120.router bgp 10 no synchronization neighbor 120.100.1 host 120.3.45...100.1 ebgp-multihop 2 neighbor 120..q..&D....1 update-source Loopback0 neighbor 120. B..

. ack=3209854606 C204 07400000 00100800 45C00028 8C9A0000 01010101 03030303 AC4D00B3 BF527E8E 50103F87 13FC0000 B..2.(.|..100..4...7.6.6.100.6 remote-as 200 neighbor 120..1 remote-as 200 neighbor 120.1 peer-group IBGP no auto-summary SW1# sh run | begin bgp router bgp 300 . ! Now a hex value of FD (253 Decimal) can be seen at R3 from R4.1 ebgp-multihop 255 R3# TCP src=44109. B.1 remote-as 10 neighbor 120.100.100.P.100.1 update-source Loopback0 neighbor 120.(n.7. win=16263 ACK 0F7CBB60: 0F7CBB70: C20211E0 0F7CBB80: FD06286E 0F7CBB90: E4028565 0F7CBBA0: dst=179.?.100.1 ebgp-multihop 2 neighbor 120. Minimum incoming TTL 253.! ebgp multihop value of 255 (this value will decrement down to 253 when it is ! processed by R3).2..100..1 update-source Loopback0 neighbor 120.100.1 remote-as 300 neighbor 120. Outgoing TTL 255 R5# sh run | begin bgp router bgp 300 no synchronization neighbor 120.. seq=3925370469.100.3 d..100.7..E@. }.... this shows that R4 ! can not be further than 2 hops away from R3 and the security check passes and BGP ! is established..1 remote-as 300 neighbor 120..1 peer-group IBGP neighbor 120.2.45.. Connection is ECN Disabled.1 update-source Loopback0 no auto-summary R6# sh run | beg bgp router bgp 300 no synchronization neighbor IBGP peer-group neighbor IBGP remote-as 300 neighbor IBGP update-source Loopback0 neighbor 120.4.@.5.`.100.M.e?R~. . R4(config)# router bgp 200 R4(config)# neighbor 120..1 ebgp-multihop 2 neighbor 120.100.100.1 update-source Loopback0 neighbor 120..100.3.4. R3# sh ip bgp neighbor | include hops | TTL External BGP neighbor may be up to 2 hops away.

310: ICMP: time exceeded rcvd from 120. which indicate the peering will have failed.100.1 peer-group IBGP no auto-summary AS200 is to be used as a backup transit network for traffic between AS10 and AS300. Example 1-22 also shows the ICMP debug with the TTL expiration messages.100. (2 points) As R2 and R5 peer to each other using their loopback interfaces.2. To break the peering without using ACLs. Example 1-22 eBGP TTL Expiration Click here to view code image R5(config)# int s0/0/1 R5(config-if)# shut R5# trace 120.100.100.3 R5# *Jan 17 21:32:34.34.179: ICMP: time exceeded rcvd from 120.100.45. you have scored 2 points. If your ebgp-multihop count is set at 2 between R2 and R5.100.4 . Tracing the route to 120.100.6.1 peer-group IBGP neighbor 120.34.100. Example 1-22 shows the path taken between R5 and R2 when the serial interface is shut down on R5. if the serial network between R5 and R2 fails.3 0 msec 4 msec 0 msec 3 120. therefore.no synchronization neighbor IBGP peer-group neighbor IBGP remote-as 300 neighbor IBGP update-source Loopback0 neighbor 120.5. the peering is maintained if the serial network between R2 and R5 fails.1 1 120. Do not use any ACL type restrictions or change the existing peering.3 R5# R2# debug ip icmp ICMP packet debugging is on R2# Jan 17 21:26:11.123.100.455: ICMP: time exceeded rcvd from 120. even though there is IP connectivity between loopbacks.34.100.4 0 msec 0 msec 0 msec 2 120. ensure that the peering between R2 and R5 is not maintained via the Ethernet network.2.34.1 Type escape sequence to abort.2 4 msec * 4 msec R5# debug ip icmp ICMP packet debugging is on R5# *Jan 17 21:32:32. you just need to ensure that the ebgp-multihop count used in the original peering is set at 2 and no greater.

(Received from a RR-client) 120.100. table Default-IP-Routing-Table.255.200. Configure R2 in such a way that if the serial connection between R2 and R5 fails.34.2.255.1 send-community R2(config-router)# exit R2(config)# access-list 5 permit 130. valid. (3 points) If the peering between R2 and R5 fails. best Community: no-export . metric 0.100.100.200. If you have configured this correctly.1 Metric LocPrf Weight Path 0 100 0 200 10 i R2(config)# interface Loopback2 R2(config-if)# ip address 130.3.IGP.1/24.200. and advertise this into BGP using the network command.0 R2(config-if)# router bgp 10 R2(config-router)# network 130.0 mask 255.200.0/24.255.1 BGP routing table entry for 130.100.100. internal.100.0 R2(config)# route-map NO-EXPORT permit 10 R2(config-route-map)# match ip address 5 R2(config-route-map)# set community no-export R2(config-route-map)# route-map NO-EXPORT permit 20 R3# sh ip bgp 130.incomplete Network Next Hop *>i130.R2# Jan 17 21:26:13.EGP. the new network route will flow from AS10 to AS300 via AS200 instead of flowing directly from AS10 to AS300.100. a simple use of communities can be used to ensure that the route is not exported to AS200.100. this way the route is not advertised to AS200 if a failure occurs. AS300 no longer receives this route.100.4 Configure a new loopback interface 2 on R2 of 130.200. Therefore.1 (metric 65) from 120. ? .2.100.200.100. Example 1-23 Route Advertisement and no-export Configuration on R2 Click here to view code image R5# sh ip bgp Origin codes: i .100.100. you have scored 3 points.1) Origin IGP.0/24 120. localpref 100.0 R2(config-router)# neighbor 120.4.1 255. e .3.306: ICMP: time exceeded rcvd from 120. You simply need to apply a noexport value to the route as it is advertised on R2 toward R3.255.1 route-map NO-EXPORT out R2(config-router)# neighbor 120.1 (130.200. version 4 Paths: (1 available. best #1. as shown in Example 1-23. not advertised to EBGP peer) Advertised to update-groups: 2 Local. 
AS200 would still see the route from AS300. Do not use any route filtering between neighbors to achieve this. Under normal conditions.100.200.

so it’s best to be aware of as many features as possible. Because the question does not specifically instruct you to configure an exact IP address for your HSRP.1/24. so this should be configured with the preempt command to reinstate control when the route becomes visible once again post withdrawal.1 R5(config-if)# standby 1 preempt R5(config-if)# standby 1 track 2 decrement 20 R6(config)# interface GigabitEthernet0/1 R6(config-if)# standby 1 ip 150. If you have configured this correctly. If the network 130. R5(config)# int s0/0/1 R5(config-if)# shut R5(config-if)# ^Z R5# show ip bgp End with CNTL/Z. you are free to use an unallocated IP address. Similarly. Example 1-24 IP SLA Tracking and HSRP Configuration on R5 and R6 Click here to view code image R5(config)# track 2 ip route 130. You might feel that this is not strictly a BGP question. R5# Configure HSRP between R5 and R6 on VLAN 300 with R5 active for .100.1 R6(config-if)# standby 1 priority 90 R6(config-if)# standby 1 preempt . (4 points) The clue is in the question.0 255.255. R5 should be the HSRP active under normal conditions. it is possible that topics and features such as this will crop up within other sections. all you need to do is track the specific route with the IP SLA object tracking feature and inform the Hot-Standby Router Protocol (HSRP) process whether the Border Gateway Protocol (BGP) route is withdrawn.0/24 is no longer visible to AS300.3.200.3. Configure R5 to achieve this solution.100.255. R5 hasn’t been configured with a priority in this example because it uses the default value of 100. Example 1-24 shows the configuration and testing steps involved to withdraw the route by shutting down the serial interface on R5 and toggling the HSRP functionality between R5 and R6. one per line. you have scored 4 points.0 reachability R5(config-track)# interface GigabitEthernet0/1 R5(config-if)# standby 1 ip 150. R6 also requires preempt to take control when the priority of R5 decrements. 
as shown in Example 1-24.100.R5# conf t Enter configuration commands.200. R6 should dynamically become the HSRP active. but because the IOS section has been removed from the exam.100.

1 Active virtual MAC address is 0000.Group 1 State is Active 23 state changes.Group 1 State is Standby 25 state changes.0 and permits this through one route map while denying through a separate route .100.3.0. respectively.0c07.ac01 Local virtual MAC address is 0000.1 4/0 (hold time expired) 0 bytes R5#%HSRP-6-STATECHANGE: GigabitEthernet0/1 Grp 1 state Active -> Speak R5#%HSRP-6-STATECHANGE: GigabitEthernet0/1 Grp 1 state Speak -> Standby R5# sh standby gigabitEthernet 0/1 GigabitEthernet0/1 .100.100.0.0c07.2.460 secs Preemption enabled Active router is local Standby router is 150.6.0. hold time 10 sec Next hello sent in 1.3.R5# sh standby gigabitEthernet 0/1 GigabitEthernet0/1 . hold time 10 sec Next hello sent in 0. R3 should be configured to enable only BGP routes originated from R1 up to network 128.3.100.0.1.0 originated from R2. last state change 00:00:10 Virtual IP address is 150.100.3.0.0c07. priority 90 (expires in 8.880 secs Preemption enabled Active router is 150.ac01 (v1 default) Hello time 3 sec.0.1.6. Use only a single ACL on R3 as part of your solution.0 and from above network 128. (3 points) This is quite an intricate question because you are permitted to use only a single access control list (ACL) to filter the routes on R3.1/24 and 130.ac01 Local virtual MAC address is 0000.472 sec) Priority 100 (default 100) Track object 2 state Up decrement 20 IP redundancy name is "hsrp-Gi0/1-1" (default) R5# R5# conf t R5(config)# int s0/0/1 R5(config-if)# shut R5(config-if)# R5#%BGP-3-NOTIFICATION: sent to neighbor 120. The way to do this is to use an ACL that matches networks up to 128.980 sec) Standby router is local Priority 80 (default 100) Track object 2 state Down decrement 20 IP redundancy name is "hsrp-Gi0/1-1" (default) Configure two new loopback interfaces on R1 and R2 of 126. priority 90 (expires in 8.1.ac01 (v1 default) Hello time 3 sec.1.1/24.1 Active virtual MAC address is 0000. last state change 00:20:11 Virtual IP address is 150.0c07. 
and advertise these into BGP using the network command.

255.255.1.1.1 Status codes: s suppressed.1. Example 1-26 shows the configuration for the new loopbacks on R1 and R2 and the filtering on R3.1.1.1 Metric LocPrf Weight Path 0 100 0 i 0 100 0 i 0 100 0 i Further testing of the filtering requires additional interfaces to be configured and advertised on R1 and R2. .1.0. Example 1-25 Route Map Filtering on R3 Click here to view code image R1(config)# interface Loopback1 R1(config-if)# ip address 126.255. i internal.255. h history.255.1. R3 simply blocks these from entering BGP.100.1 route-map ABOVE128 in R3# sh ip bgp BGP table version is 8. as shown in Example 1-25.1 255.1.0 mask 255. > best.0 R1(config-if)# router bgp 10 R1(config-router)# network 126.0 mask 255.1.0/24 R3# Next Hop 120.EGP.1 120. S Stale Origin codes: i .1 route-map UPTO128 in R3(config-router)# neighbor 120. you have scored 3 points.200.0 127.1. If you have configured this correctly. local router ID is 120.2.2.0 R2(config)# interface Loopback1 R2(config-if)# ip address 130.0. Further testing is detailed in Example 1-26 to substantiate the filtering process on R3.100.1 120.100.100. The route maps should be applied on a per-neighbor basis and both call up the same single ACL. d damped.100.0/24 *>i130.2.1.100. e .1.0 advertised on R1 and one lower advertised on R2.255.0.0/24 *>i130. r RIB-failure.0 R2(config-if)# router bgp 10 R2(config-router)# network 130.1 255.255.1.IGP.255.1. Example 1-26 shows an interface higher than 128. ? .incomplete Network *>i126.255.3.255.100.0.map.0 R3(config)# access-list 1 permit 0. * valid.255 R3(config)# route-map UPTO128 permit 10 R3(config-route-map)# match ip add 1 R3(config)# route-map ABOVE128 deny 10 R3(config-route-map)# match ip add 1 R3(config-route-map)# route-map ABOVE128 permit 20 R3(config)# router bgp 10 R3(config-router)# neighbor 120.

EGP.255.IGP.1.1 advertised BGP table version is 7.0. i - . i internal.1.1 *>i130.0/24 Next Hop 0. d damped.1. d damped.200.100.100.3.0/24 120.1.0 mask 255. ? .100. e .255. d damped.1 *>i130.0/24 *> 132.1 Metric LocPrf 0 0 0 Weight 100 100 100 0 i 0 i 0 i R2# conf t R2(config)# int Loopback3 R2(config-if)# ip add 100.1.1. final configuration.3. r RIB-failure.1. S Stale Origin codes: i .IGP.255.0. > best.255.100.2.255.1.1.1 Status codes: s suppressed.1.0. * valid. e .255.1. h history.0 0. > best.0 R1(config-if)# router bgp 10 R1(config-router)# network 132.255.1 Status codes: s suppressed. local router ID is 126.1. * valid.incomplete Network *> 126.incomplete Network Next Hop Path *>i126. S Stale Origin codes: i .0 R1(config-router)# ^Z R1# sh ip bgp neighbors 120. Example 1-26 Route Map Filtering Verification Click here to view code image R1(config)# interface Loopback3 R1(config-if)# ip address 132.100.1.2.1 advertised BGP table version is 5.0.0/24 120.1. local router ID is 130.3.Note This additional testing configuration is not present on the supplied. local router ID is 120.0 R2(config-router)# ^Z R2# sh ip bgp neighbor 120. h history.1. i internal.0 R2(config-if)# router bgp 10 R2(config-router)# network 100. r RIB-failure.100.1 Status codes: s suppressed.1.1.100.1.0 Metric LocPrf Weight Path 0 32768 i 0 32768 i Total number of prefixes 2 R3# sh ip bgp BGP table version is 4.255.0/24 120. > best.100. * valid.200.0 mask 255.1 255.EGP.1. h history. ? .1 255.

100.0.1. > best. i internal. * valid. r RIB-failure. ? .1.200.1.0/24 0. You should test your IPv6 connectivity to ensure that you are ready to progress to the routing questions.0.100.1 Status codes: s suppressed.1.0 *> 130.100.0/24 120.1 Metric LocPrf Weight 0 0 0 100 100 100 0 i 0 i 0 i Section 4: IPv6 (15 Points) The prerequisite to the questions is configuration of the IPv6 addresses.2.200.0 Metric LocPrf Weight 0 0 0 32768 i 32768 i 32768 i Total number of prefixes 3 R3# sh ip bgp BGP table version is 4.100.0/24 0.internal.1. e .0/24 0.1.1. Example 1-27 shows the required IPv6 configuration to progress to the routing questions. e .incomplete Network Next Hop Path *>i126.1 *>i130. local router ID is 120.EGP. h history.0.2.0 *> 130.1.0. S Stale Origin codes: i .1 *>i130.incomplete Network Next Hop Path *> 100. S Stale Origin codes: i .1. ? .0/24 120. d damped.IGP. Example 1-27 IPv6 Testing and Initial Configuration Click here to view code image R1(config)# ipv6 unicast-routing R1(config)# interface gigabitEthernet 0/1 R1(config-if)# ipv6 address 2007:C15:C0:10::1/64 R1(config-if)# gigabitEthernet 0/0 R1(config-if)# ipv6 address 2007:C15:C0:11::1/64 R2(config)# ipv6 unicast-routing R2(config)# interface fastethernet 0/1 R2(config-if)# ipv6 address 2007:C15:C0:12::2/64 R2(config-if)# interface fastethernet 0/0 R2(config-if)# ipv6 address 2007:C15:C0:11::2/64 R2(config-if)# interface serial 0/1 R2(config-if)# ipv6 address 2007:C15:C0:14::2/64 . r RIB-failure.0.3.0.0/24 120.EGP. Consider using the show ipv6 interfaces brief command for a quick check of your interface configuration.100.IGP.100.

R3(config)# ipv6 unicast-routing
R3(config)# interface gigabitEthernet 0/0
R3(config-if)# ipv6 address 2007:C15:C0:15::3/64
R3(config-if)# interface gigabitEthernet 0/1
R3(config-if)# ipv6 address 2007:C15:C0:11::3/64
R4(config)# ipv6 unicast-routing
R4(config)# interface gigabitEthernet 0/0
R4(config-if)# ipv6 address 2007:C15:C0:15::4/64
R5(config)# ipv6 unicast-routing
R5(config)# interface gigabitEthernet 0/1
R5(config-if)# ipv6 address 2007:C15:C0:16::5/64
R5(config-if)# interface Serial0/0/1
R5(config-if)# ipv6 address 2007:C15:C0:14::5/64
R6(config)# ipv6 unicast-routing
R6(config)# interface gigabitEthernet 0/1
R6(config-if)# ipv6 address 2007:C15:C0:16::6/64

Section 4.1: EIGRPv6
Configure EIGRPv6 under the instance of CCIE with a primary autonomous system of 1.
R1 must not form any neighbor relationship with R2 on VLAN 132 (without the use of any
ACL, static neighbor relationships, or multicast blocking feature). R1 must dynamically
learn a default route over EIGRPv6 via R3 on VLAN 132 in which to communicate with the
IPv6 network. (4 points)
EIGRP configuration is required under an instance of CCIE under the address family IPv6. You
could usually stop routers on the same subnet forming a neighbor relationship by creating some
static mapping or block the multicast and so on, but the question does not permit you to do this.
The clue is in the question stating use a primary autonomous system, which suggests that you can
use an additional autonomous system to provide connectivity between R1 and R3, completely
bypassing R2. Bear in mind that a named instance within EIGRP can run only one autonomous
system, so an additional named instance could be created on R3 to communicate with R1, but the
question dictates that the instance is effectively limited to that of CCIE. This leaves you no other
option but to enable the secondary autonomous system on R3 under the physical interface, which
R2 will have no visibility of. R3 can simply send a default route within the autonomous system to
which R1 belongs on VLAN 132. To ensure full visibility from R1 to R2, however, you are
required to redistribute EIGRPv6 autonomous systems on R3. Because R1 will receive a default
route, you do not require mutual redistribution on R3. Although you could simply perform a
one-way redistribution within the protocol, it is better practice to call a route map and just
reference the IPv6 network on R1 for redistribution. If you have configured this correctly, as
shown in Example 1-28, you have scored 4 points.

Example 1-28 EIGRPv6 Configuration and Testing

R1(config)# router eigrp CCIE
R1(config-router)# address-family ipv6 unicast autonomous-system 2
R1(config-router-af)# af-interface GigabitEthernet0/0
R1(config-router-af-interface)# no shutdown
R1(config-router-af-interface)# af-interface GigabitEthernet0/1
R1(config-router-af-interface)# no shutdown
R2(config)# router eigrp CCIE
R2(config-router)# address-family ipv6 unicast autonomous-system 1
R2(config-router-af)# af-interface fastethernet0/1
R2(config-router-af-interface)# no shutdown
R2(config-router-af-interface)# af-interface fastethernet0/0
R2(config-router-af-interface)# no shutdown
R2(config-router-af-interface)# af-interface Serial0/1
R2(config-router-af-interface)# no shutdown
R3(config)# router eigrp CCIE
R3(config-router)# address-family ipv6 unicast autonomous-system 1
R3(config-router-af)# af-interface GigabitEthernet0/0
R3(config-router-af-interface)# no shutdown
R3(config-router-af-interface)# af-interface GigabitEthernet0/1
R3(config-router-af-interface)# no shutdown
R3(config-router-af-interface)# exit
R3(config-router-af)# exit
R3(config-router)# exit
R3(config)# interface GigabitEthernet0/1
R3(config-if)# ipv6 eigrp 2
R3(config-if)# ipv6 summary-address eigrp 2 ::/0
R3(config-if)# router eigrp CCIE
R3(config-router)# address-family ipv6 unicast autonomous-system 1
R3(config-router)# topology base
R3(config-router-topology)# redistribute eigrp 2 route-map EIGRPv6-2-1
R3(config-router-topology)# exit
R3(config-router-af)# exit
R3(config-router)# ipv6 router eigrp 2
R3(config-rtr)# no shut
R3(config-rtr)# exit
R3(config)# route-map EIGRPv6-2-1 permit 10
R3(config-route-map)# match ipv6 address EIGRPv6-2
R3(config-route-map)# route-map EIGRPv6-2-1 deny 20
R3(config-route-map)# exit
R3(config)# ipv6 access-list EIGRPv6-2
R3(config-ipv6-acl)# permit ipv6 2007:C15:C0:10::/64 any

ISIS L1. L .Connected. fastethernet0/0 R3# sh ipv6 route eigrp D ::/0 [5/28160] via ::. IA .ISIS L2.RIP.OSPF intra. Null0 D 2007:C15:C0:10::/64 [90/30720] via FE80::214:69FF:FE61:5EF0. ON2 . GigabitEthernet0/0 R5# sh ipv6 route eigrp EX 2007:C15:C0:10::/64 [170/2177536] . R . GigabitEthernet0/0 R2# sh ipv6 route EX 2007:C15:C0:10::/64 [170/33280] via FE80::216:47FF:FEBB:1E12. EX . GigabitEthernet0/0 D 2007:C15:C0:12::/64 [90/33280] via FE80::216:47FF:FEBB:1E11. OI . GigabitEthernet0/1 D 2007:C15:C0:14::/64 [90/2172416] via FE80::215:C6FF:FEF2:ABF1. IS . OE2 .6 entries Codes: C .EIGRP external D ::/0 [90/30720] via FE80::216:47FF:FEBB:1E12. GigabitEthernet0/1 D 2007:C15:C0:12::/64 [90/30720] via FE80::215:C6FF:FEF2:ABF1. M .ISIS interarea. GigabitEthernet0/0 D 2007:C15:C0:11::/64 [90/30720] via FE80::216:47FF:FEBB:1E11. GigabitEthernet0/1 R4# sh ipv6 route eigrp EX 2007:C15:C0:10::/64 [170/33280] via FE80::216:47FF:FEBB:1E11.R4(config)# router eigrp CCIE R4(config-router)# address-family ipv6 unicast autonomous-system 1 R4(config-router-af)# af-interface GigabitEthernet0/0 R4(config-router-af-interface)# no shutdown R5(config)# router eigrp CCIE R5(config-router)# address-family ipv6 unicast autonomous-system 1 R5(config-router-af)# af-interface Serial0/0/1 R5(config-router-af-interface)# no shutdown R1# sh ipv6 route eigrp IPv6 Routing Table .Local. OE1 .OSPF ext 1.OSPF NSSA ext 1.EIGRP.OSPF ext 2 ON1 . S .OSPF NSSA ext 2 D .Per-user Static route. fastethernet0/0 D 2007:C15:C0:15::/64 [90/30720] via FE80::216:47FF:FEBB:1E12.ISIS summary O .Static.OSPF inter. B .BGP U . GigabitEthernet0/0 D 2007:C15:C0:14::/64 [90/2174976] via FE80::216:47FF:FEBB:1E11.MIPv6 I1 . I2 .

     via FE80::215:C6FF:FEF2:ABE0, Serial0/0/1
D   2007:C15:C0:11::/64 [90/2172416]
     via FE80::215:C6FF:FEF2:ABE0, Serial0/0/1
D   2007:C15:C0:12::/64 [90/2172416]
     via FE80::215:C6FF:FEF2:ABE0, Serial0/0/1
D   2007:C15:C0:15::/64 [90/2174976]
     via FE80::215:C6FF:FEF2:ABE0, Serial0/0/1

Section 4.2: OSPFv3
Configure OSPFv3 with a process ID of 1, with all OSPF interfaces assigned to Area 0.
(2 points)
This is a clear-cut OSPFv3 configuration. If you have configured this correctly, as shown in
Example 1-29, you have scored 2 points.

Example 1-29 R5 and R6 OSPFv3 Configuration

R5(config)# interface gigabitEthernet 0/1
R5(config-if)# ipv6 ospf 1 area 0
R6(config)# interface gigabitEthernet 0/1
R6(config-if)# ipv6 ospf 1 area 0
R5# show ipv6 ospf neighbor
Neighbor ID     Pri   State      Dead Time   Interface ID   Interface
120.100.6.1       1   FULL/DR    00:00:30    3              GigabitEthernet0/1
R6# show ipv6 ospf neighbor
Neighbor ID     Pri   State      Dead Time   Interface ID   Interface
120.100.5.1       1   FULL/BDR   00:00:39    3              GigabitEthernet0/1

The IPv6 network is deemed to be stable; therefore, reduce the number of LSAs flooded
within the OSPF domain. (2 points)
To suppress the unnecessary flooding of link-state advertisements in stable topologies, the ipv6
ospf flood-reduction command is required under interface configuration mode. If you have
configured this correctly, as shown in Example 1-30, you have scored 2 points.

Example 1-30 R5 and R6 Flood-Reduction Configuration

R5(config)# interface gigabitEthernet 0/1
R5(config-if)# ipv6 ospf flood-reduction
R6(config)# interface gigabitEthernet 0/1
R6(config-if)# ipv6 ospf flood-reduction

Section 4.3: Redistribution
Redistribute EIGRPv6 routes into the OSPFv3 domain (one way). EIGRPv6 routes should
have a fixed cost of 5000 associated with them within the OSPF network. (1 point)
As per vanilla OSPF, the default behavior for OSPFv3 is for redistributed routes to be advertised
with a fixed cost as type 2 external routes, so a simple redistribution configuration with a default
metric of 5000 on R5 is required. Pay attention to ensure that you have full route visibility,
because the serial network on R5 (2007:C15:C0:14::/64) will not be present within the OSPFv3
domain unless R5 specifically redistributes its own connected interfaces. Example 1-31 shows the
required configuration and routing table on R6 for the redistributed EIGRPv6 routes. If you have
configured this correctly, as shown in Example 1-31, you have scored 1 point.

Example 1-31 R5 OSPFv3 Redistribution Configuration

R5(config)# ipv6 router ospf 1
R5(config-router)# redistribute eigrp 1 metric 5000
R6# sh ipv6 route ospf
IPv6 Routing Table - 10 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
OE2 2007:C15:C0:10::/64 [110/5000]
     via FE80::214:6AFF:FEFC:F131, GigabitEthernet0/1
OE2 2007:C15:C0:11::/64 [110/5000]
     via FE80::214:6AFF:FEFC:F131, GigabitEthernet0/1
OE2 2007:C15:C0:12::/64 [110/5000]
     via FE80::214:6AFF:FEFC:F131, GigabitEthernet0/1
OE2 2007:C15:C0:13::/64 [110/5000]
     via FE80::214:6AFF:FEFC:F131, GigabitEthernet0/1

OE2 2007:C15:C0:15::/64 [110/5000]
     via FE80::214:6AFF:FEFC:F131, GigabitEthernet0/1
R5(config)# ipv6 router ospf 1
R5(config-rtr)# redistribute eigrp 1 metric 5000 include-connected
R6# show ipv6 route 2007:C15:C0:14::
IPv6 Routing Table - 10 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
OE2 2007:C15:C0:14::/64 [110/5000]
     via FE80::214:6AFF:FEFC:F131, GigabitEthernet0/1

Ensure that the OSPFv3 network is reachable from the EIGRPv6 network by a single route
of 2007::/16, which should be seen within the EIGRPv6 domain. Configure R5 only to
achieve this. The OSPF domain should continue to receive specific EIGRPv6 subnets.
(2 points)
Because you are not mutually redistributing protocols, you are required to configure an IPv6
summary route into the EIGRPv6 domain on R5 to provide full connectivity from the EIGRPv6
domain into OSPFv3. If you have configured this correctly, as shown in Example 1-32, you have
scored 2 points.

Example 1-32 R5 EIGRPv6 Summary Configuration and Connectivity Testing

R5(config)# router eigrp CCIE
R5(config-router)# address-family ipv6 unicast autonomous-system 1
R5(config-router-af)# af-interface Serial0/0/1
R5(config-router-af-interface)# summary-address 2007::/16
R3# sh ipv6 route | include /16
D   2007::/16 [90/2684416]
R3# ping ipv6 2007:C15:C0:16::5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2007:C15:C0:16::5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/16 ms
R3# ping ipv6 2007:C15:C0:16::6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2007:C15:C0:16::6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/16 ms

Ensure that if the serial link fails between the OSPF and EIGRPv6 domain that routing is
still possible between R5 and R4 over VLAN 45. Do not enable EIGRPv6 on the VLAN 45
interfaces of R4 and R5; instead, configure R4 and R5 to achieve this, and this should be
considered as an alternative path only if a failure occurs. (3 points)
R4 and R5 both belong to the EIGRPv6 domain. If you cannot enable EIGRPv6 on the VLAN 45
interfaces, all you can do is create a tunnel between the devices. You might have considered
enabling OSPFv3 between routers, but you have not been given sufficient information to do this,
and it would then create additional problems in terms of redistribution points. R5 is still required
to advertise the summary route to the EIGRPv6 network through the tunnel for reachability of the
OSPFv3 network. Example 1-34 shows the required configuration to tunnel IPv6 through IPv4 on
R4 and R5. If you have configured this correctly, as shown in Example 1-33, you have scored
3 points.

Example 1-33 R4 and R5 Tunnel Configuration and Verification

R4(config)# interface Tunnel0
R4(config-if)# ipv6 address 2007:C15:C0:17::4/64
R4(config-if)# tunnel source GigabitEthernet0/1.45
R4(config-if)# tunnel destination 120.100.45.5
R4(config-if)# tunnel mode ipv6ip
R4(config-if)# router eigrp CCIE
R4(config-router)# address-family ipv6 unicast autonomous-system 1
R4(config-router-af)# af-interface Tunnel0
R4(config-router-af-interface)# no shutdown
R5(config)# interface Tunnel0
R5(config-if)# ipv6 address 2007:C15:C0:17::5/64
R5(config-if)# ipv6 eigrp 1
R5(config-if)# tunnel source GigabitEthernet0/0
R5(config-if)# tunnel destination 120.100.45.4
R5(config-if)# tunnel mode ipv6ip
R5(config-if)# router eigrp CCIE
R5(config-router)# address-family ipv6 unicast autonomous-system 1
R5(config-router-af)# af-interface Tunnel0
R5(config-router-af-interface)# no shutdown
R5(config-router-af-interface)# summary-address 2007::/16
R5# sh ipv6 route eigrp
D   2007::/16 [5/2169856]
     via ::, Null0

EX  2007:C15:C0:10::/64 [170/2177536]
     via FE80::215:C6FF:FEF2:ABE0, Serial0/1/0
D   2007:C15:C0:11::/64 [90/2172416]
     via FE80::215:C6FF:FEF2:ABE0, Serial0/1/0
D   2007:C15:C0:12::/64 [90/2172416]
     via FE80::215:C6FF:FEF2:ABE0, Serial0/1/0
D   2007:C15:C0:15::/64 [90/2174976]
     via FE80::215:C6FF:FEF2:ABE0, Serial0/1/0
R5(config)# int s0/1/0
R5(config-if)# shut
R5(config-if)# do sh ipv6 route eigrp
D   2007::/16 [5/297244416]
     via ::, Null0
EX  2007:C15:C0:10::/64 [170/297252096]
     via FE80::7864:2D04, Tunnel0
D   2007:C15:C0:11::/64 [90/297249536]
     via FE80::7864:2D04, Tunnel0
D   2007:C15:C0:12::/64 [90/297252096]
     via FE80::7864:2D04, Tunnel0
D   2007:C15:C0:15::/64 [90/297246976]
     via FE80::7864:2D04, Tunnel0

Section 5: QoS (8 Points)
You are required to configure QoS on Switch 1 according to the Cisco QoS baseline model.
Create a Modular QoS configuration for all user ports (Fast Ethernet 1–24) that facilitates
the following requirements (3 points):
1. All ports should trust the DSCP values received from their connecting devices.
2. Packets received from the user ports with DSCP values of 48, 46, 34, 32, 24, 28, 16, and
10 should be re-marked to DSCP 8 (PHB CS1) if traffic flowing occurs above 5 Mbps on a
per-port basis. This traffic could be a combination of any of the preceding DSCP values
with any source/destination combination. Ensure a minimum burst value is configured
above the 5 Mbps.
It is acknowledged within the industry that a user port rarely generates more than 5 Mbps of
traffic on a standard Fast Ethernet connection. If traffic rates increase above this threshold, it
could be indicative of a denial-of-service (DoS) or Worm attack. One way to mitigate an attack is
to create a Scavenger class that simply re-marks traffic DSCP values when the threshold has been
exceeded. This will not block traffic but will ensure that mission-critical traffic remains
unaffected from an attack by trusting the DSCP value for known traffic and re-marking unknown
application traffic down to CS1. To answer the question, you are required to create a Modular
QoS policy that trusts the incoming differentiated services code point (DSCP) value received
from the host within the policy rather than by configuring the trust value on a per-interface basis
and by policing traffic at a rate of 5 Mbps. When the minimum burst rate is exceeded, the DSCP
values will be remapped according to the policed-dscp map to Scavenger class CS1 (DSCP8).
Note that all DSCP baseline values are being remapped with the exception of DSCP26, which is
generally reserved for mission-critical data. This approach enables traffic associated with this
value to remain unchanged even when traffic rates exceed 5 Mbps. This approach also assumes
that the virus does not itself remark traffic to this value to increase its chances of causing damage.
However, the exclusion of DSCP26 is not relevant to the configuration and methodology you use
to answer the question. The question requires you to configure a standard IP ACL that permits
any traffic. For traffic matching this classification, the DSCP value in the incoming packet is
trusted. If the matched traffic exceeds an average traffic rate of 5 Mbps and a normal burst size of
8000 bytes, its DSCP is marked down according to the policed DSCP map values and
transmitted. If you have configured this correctly, as shown in Example 1-34, you have scored
3 points.

Example 1-34 Switch 1 QoS Configuration and Verification

SW1(config)# mls qos
SW1(config)# mls qos map policed-dscp 48 46 34 32 24 28 16 10 to 8
SW1(config)# access-list 1 permit any
SW1(config)# class-map POLICE
SW1(config-cmap)# match access-group 1
SW1(config-cmap)# exit
SW1(config)# policy-map RE-MARK
SW1(config-pmap)# class POLICE
SW1(config-pmap-c)# trust dscp
SW1(config-pmap-c)# police 5000000 8000 exceed-action policed-dscp-transmit
SW1(config-pmap-c)# exit
SW1(config-pmap)# exit
SW1(config)# interface range fastethernet 0/1-24
SW1(config-if-range)# service-policy input RE-MARK
SW1# show policy-map RE-MARK
  Policy Map RE-MARK
    Class POLICE
      police 5000000 8000 exceed-action policed-dscp-transmit
      trust dscp

Switch 1 will be connected to a new trusted domain in the future using interface Gigabit
0/1. A DSCP value received locally on SW1 of AF43 should be mapped to AF42 when
destined for the new domain. (2 points)
This requires a DSCP mutation map to convert DSCP values between environments. If you did
not realize that AF43 is DSCP38 and AF42 is DSCP36, you would struggle to answer this
question, but a search of your documentation CD should have assisted you. For the mutation map
to function correctly, you need to explicitly trust DSCP values received on the interface on which
you are configuring the map. If you have configured this correctly, as shown in Example 1-35,
you have scored 2 points.

Example 1-35 Switch 1 DSCP-mutation Map Configuration

SW1(config)# mls qos map dscp-mutation AF43-TO-AF42 38 to 36
SW1(config)# interface Gig0/1
SW1(config-if)# mls qos trust dscp
SW1(config-if)# mls qos dscp-mutation AF43-TO-AF42

Configure Cisco Modular QoS as follows on R2 for the following traffic types based on
their associated per-hop behavior into classes. Incorporate these into an overall policy that
should be applied to the T1 interface S0/1. Allow each class the effective bandwidth as
detailed, entered as a percentage. (2 points)
You have 2 points available here, so you know it’s either going to be complex or involve a great
deal of configuration. This one is a bit of both, so there is a risk of configuration errors for those
points to slip away. A class map to match all values for the provided classes is required that is
then associated with the policy map. The overall policy is then applied to the outgoing interface
Serial0/1, and a nice little gotcha is that you must configure the interface with the command
max-reserved-bandwidth 100; otherwise, the full bandwidth is not made available for the policy.
There is also some math involved because the policy-map command requires a percentage value
of bandwidth as opposed to actual speed. Because you are using a T1 interface, you know that the
maximum available bandwidth is 1544 Kbps, so the values required are as follows: 1% = 15
Kbps, 3% = 46 Kbps, 14% = 216 Kbps, 16% = 247 Kbps, 25% = 386 Kbps. Usually you would
assign voice traffic into a real-time queue (low-latency queuing [LLQ]), but the question doesn’t
dictate this, so effectively all traffic types are being assigned with different proportions of
class-based weighted fair queuing (CBWFQ). If you have configured this correctly, as shown in
Example 1-36, you have scored 2 points.

Example 1-36 Switch1 Modular QoS Configuration

R2# sh run class-map
!
class-map match-all VOIP
 match ip dscp ef
class-map match-all BULK-DATA
 match ip dscp af11
class-map match-all NET-MAN
 match ip dscp cs2
class-map match-all VIDEO
 match ip dscp af41
class-map match-all ROUTING
 match ip dscp cs6
class-map match-all SCAVENGER
 match ip dscp cs1
class-map match-all TRANS-DATA
 match ip dscp af21
class-map match-all MISSION-CRIT
 match ip dscp af31
class-map match-all CALL-SIG
 match ip dscp cs3
!
end
R2# sh run policy-map
!
policy-map QOS
 class VOIP
  bandwidth percent 16
 class VIDEO
  bandwidth percent 16
 class BULK-DATA
  bandwidth percent 3
  random-detect
 class TRANS-DATA
  bandwidth percent 14
 class NET-MAN
  bandwidth percent 3
 class ROUTING
  bandwidth percent 3
 class SCAVENGER
  bandwidth percent 1
 class MISSION-CRIT

  bandwidth percent 16
 class CALL-SIG
  bandwidth percent 3
 class class-default
  bandwidth percent 25
!
end
R2# sh run int s0/1 | begin max-reserved-bandwidth 100
 max-reserved-bandwidth 100
 service-policy output QOS
end
R2# show policy-map QOS
  Policy Map QOS
    Class VOIP
      Bandwidth 16 (%) Max Threshold 64 (packets)
    Class VIDEO
      Bandwidth 16 (%) Max Threshold 64 (packets)
    Class BULK-DATA
      Bandwidth 3 (%)
      exponential weight 9
      class    min-threshold    max-threshold    mark-probability
      -------------------------------------------------------
      0        -                -                1/10
      1        -                -                1/10
      2        -                -                1/10
      3        -                -                1/10
      4        -                -                1/10
      5        -                -                1/10
      6        -                -                1/10
      7        -                -                1/10
      rsvp     -                -                1/10
    Class TRANS-DATA
      Bandwidth 14 (%) Max Threshold 64 (packets)
    Class NET-MAN
      Bandwidth 3 (%) Max Threshold 64 (packets)
    Class ROUTING
      Bandwidth 3 (%) Max Threshold 64 (packets)
    Class SCAVENGER
      Bandwidth 1 (%) Max Threshold 64 (packets)
    Class MISSION-CRIT
      Bandwidth 16 (%)
      exponential weight 9
      class    min-threshold    max-threshold    mark-probability
      -------------------------------------------------------
      0        -                -                1/10
      1        -                -                1/10
      2        -                -                1/10
      3        -                -                1/10
      4        -                -                1/10
      5        -                -                1/10
      6        -                -                1/10
      7        -                -                1/10
      rsvp     -                -                1/10
    Class CALL-SIG
      Bandwidth 3 (%) Max Threshold 64 (packets)
    Class class-default
      Bandwidth 25 (%)
      exponential weight 9
      class    min-threshold    max-threshold    mark-probability
      -------------------------------------------------------
      0        -                -                1/10
      1        -                -                1/10
      2        -                -                1/10
      3        -                -                1/10
      4        -                -                1/10
      5        -                -                1/10
      6        -                -                1/10
      7        -                -                1/10
      rsvp     -                -                1/10

Configure R2 so that traffic can be monitored on the serial network with a view to a
dynamic policy being generated in the future that trusts the DSCP value of traffic
identified on this media. (1 point)
This is a simple question that requires the command auto discovery qos trust be configured
under the serial interface of R2. This command uses NBAR to inspect the application traffic that
flows through the router with a view to generating a QoS policy based on the traffic flow profile.
The keyword trust in the command ensures that the DSCP value of the traffic monitored on the
network is trusted. If you have configured this correctly, you have scored 1 point.

Section 6: Security (6 Points)
Configure R3 to identify and discard the following custom virus. The virus is
characterized by the ASCII characters Hastings_Beer within the payload and uses UDP
ports 11664 to 11666. The ID of the virus begins on the third character of the payload.
The virus originated on VLAN 34. (4 points)
This fictitious virus requires the use of Network-Based Application Recognition (NBAR) with
Packet Description Language Module (PDLM) to inspect a packet payload to identify the virus
based on the information supplied within the question. Because the virus ID begins at the
third ASCII character, you need to inform the custom NBAR list to ignore the first two
characters, which ensures that it will begin to check at the third character. If you have configured
this correctly, as shown in Example 1-37, you have scored 3 points. You can use the show
policy-map command to verify your configuration.

Example 1-37 R3 NBAR Configuration

R3(config)# ip nbar custom Hastings_Beer 2 ascii Hastings_Beer udp range 11664 11666
R3(config)# class-map match-all VIRUS
R3(config-cmap)# match protocol Hastings_Beer
R3(config-cmap)# policy-map BLOCK-VIRUS
R3(config-pmap)# class VIRUS
R3(config-pmap-c)# drop
R3(config-pmap-c)# interface gigabit0/0
R3(config-if)# Service-policy input BLOCK-VIRUS

There is an infected host on VLAN 200 of 150.100.2.100. Ensure that only within BGP
AS10, traffic destined for this host is directed to null0 of each local router. You may not
use any ACLs to block traffic to this host specifically, but you may use a static route
pointing to null0 for traffic destined to 192.0.2.0 /24 on routers within AS10. R2 may
have an additional static route pointing to null0. Use a BGP feature on R2 to ensure traffic
to this source is blocked. Prevent unnecessary replies when traffic is passed to the null0
interface for users residing on VLAN 100. (4 points)
This question is representative of black-hole routing, an effective method of discarding
packets being sent to a known destination. This approach to discarding traffic is efficient because
it enables the edge routers to route traffic rather than use ACLs, and it can be deployed
dynamically by making use of the next-hop field within BGP updates. You are permitted to
create a static route on routers R1, R2, and R3 in AS10 for network 192.0.2.0/24 to null0 and one
additional route on R2. This additional route needs to direct traffic for the infected host to null0
so that R2 can update routers R1 and R3. R2 simply advertises the host route for the infected host
to AS10 and sets the next hop for this to 192.0.2.1. Routers R1 and R3 then direct traffic to null0
when traffic is destined to the infected host. To ensure that the solution is used only in AS10, you
must set the community to no-export for the specific static route and tag the route with a value of
10 to identify it. You must therefore send the community values to neighbor R3 on R2, but this
should have been completed previously for an earlier BGP question. Use of the no ip unreachables
command on R1’s Gigabit Ethernet interface prevents unnecessary replies when traffic is passed
to the null0 interface. If you have configured this correctly, as shown in Example 1-38, you have
scored 3 points.
Example 1-38 BGP Black-Hole Routing Configuration and Verification

R2(config)# ip route 192.0.2.1 255.255.255.255 null0
R2(config)# ip route 150.100.2.100 255.255.255.255 Null0 Tag 10
R2(config)# router bgp 10
R2(config-router)# redistribute static route-map BLACKHOLE

R2(config-router)# route-map BLACKHOLE permit 10
R2(config-route-map)# match tag 10
R2(config-route-map)# set ip next-hop 192.0.2.1
R2(config-route-map)# set community no-export
R2(config-route-map)# exit
R2(config)# do show ip bgp neigh 120.100.3.1 advertised
BGP table version is 6, local router ID is 130.100.200.1
Status codes: s suppressed, d damped, h history, * valid, > best, i internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 130.1.1.0/24     0.0.0.0                  0         32768 i
*> 130.100.200.0/24 0.0.0.0                  0         32768 i
*> 150.100.2.100/32 192.0.2.1                0         32768 i
Total number of prefixes 3
R2# show ip route 150.100.2.100
Routing entry for 150.100.2.100/32
Known via "static", distance 1, metric 0 (connected)
Tag 10
Redistributing via bgp 10
Advertised by bgp 10 route-map BLACKHOLE
Routing Descriptor Blocks:
* directly connected, via Null0
Route metric is 0, traffic share count is 1
Route tag 10
R3(config)# ip route 192.0.2.1 255.255.255.255 null0
R3(config)# do show ip bgp
BGP table version is 14, local router ID is 120.100.3.1
Status codes: s suppressed, d damped, h history, * valid, > best, i internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*>i126.1.1.0/24     120.100.1.1              0    100      0 i
*>i130.1.1.0/24     120.100.2.1              0    100      0 i
*>i130.100.200.0/24 120.100.2.1              0    100      0 i
* i150.100.2.100/32 192.0.2.1                0    100      0 i
R1(config)# ip route 192.0.2.1 255.255.255.255 null0
R1(config)# interface Gigabit0/1
R1(config-if)# no ip unreachables
R1(config-if)# do show ip bgp
BGP table version is 8, local router ID is 126.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 126.1.1.0/24     0.0.0.0                  0         32768 i
*>i130.1.1.0/24     120.100.2.1              0    100      0 i
*>i130.100.200.0/24 120.100.2.1              0    100      0 i
* i150.100.2.100/32 192.0.2.1                0    100      0 i


R1# show ip route 150.100.2.100
Routing entry for 150.100.2.100/32
Known via "bgp 10", distance 200, metric 0, type internal
Last update from 192.0.2.1 00:00:02 ago
Routing Descriptor Blocks:
* 192.0.2.1, from 120.100.3.1, 00:00:02 ago
Route metric is 0, traffic share count is 1
AS Hops 0
R1# show ip route 192.0.2.1
Routing entry for 192.0.2.1/32
Known via "static", distance 1, metric 0 (connected)
Routing Descriptor Blocks:
* directly connected, via Null0
Route metric is 0, traffic share count is 1
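
The recursive lookup behind Example 1-38, as an added Python sketch (not code from the book or from Cisco): a simplified routing-table model in which a BGP route is usable only when its next hop resolves through a non-BGP route. The 150.100.2.0/24 route out GigabitEthernet0/0 is a constructed stand-in for R1's normal path to VLAN 200; the other two routes are the ones shown in the example.

```python
import ipaddress


class Route:
    """A routing-table candidate: attached to an interface or via a next hop."""

    def __init__(self, prefix, source, next_hop=None, interface=None):
        self.prefix = ipaddress.ip_network(prefix)
        self.source = source        # "static", "bgp" or "igp"
        self.next_hop = next_hop    # recursive next hop, if any
        self.interface = interface  # egress interface (Null0 included)


def longest_match(routes, address):
    """Return the most specific route covering address, or None."""
    addr = ipaddress.ip_address(address)
    covering = [r for r in routes if addr in r.prefix]
    return max(covering, key=lambda r: r.prefix.prefixlen, default=None)


def resolve(routes, address, depth=0):
    """Follow next hops until a route names an egress interface."""
    if depth > 4:               # guard against recursive loops
        return None
    route = longest_match(routes, address)
    if route is None:
        return None
    if route.interface is not None:
        return route.interface
    return resolve(routes, route.next_hop, depth + 1)


def build_rib(candidates):
    """Model assumption: a BGP route with an unresolvable next hop is not installed."""
    non_bgp = [r for r in candidates if r.source != "bgp"]
    usable_bgp = [r for r in candidates
                  if r.source == "bgp" and resolve(non_bgp, r.next_hop) is not None]
    return non_bgp + usable_bgp


def egress_interface(candidates, destination):
    """Interface a packet to destination leaves by, or None if unroutable."""
    return resolve(build_rib(candidates), destination)


# Constructed stand-in for R1's ordinary path towards VLAN 200.
NORMAL_PATH = Route("150.100.2.0/24", "igp", interface="GigabitEthernet0/0")
# From Example 1-38: the discard route and the host route advertised by R2.
DISCARD = Route("192.0.2.1/32", "static", interface="Null0")
BLACKHOLE = Route("150.100.2.100/32", "bgp", next_hop="192.0.2.1")

R1_WITH_DISCARD = [NORMAL_PATH, DISCARD, BLACKHOLE]
R1_WITHOUT_DISCARD = [NORMAL_PATH, BLACKHOLE]

if __name__ == "__main__":
    for label, table in (("with discard route", R1_WITH_DISCARD),
                         ("without discard route", R1_WITHOUT_DISCARD)):
        for dst in ("150.100.2.100", "150.100.2.101"):
            print(label, dst, "->", egress_interface(table, dst))
```

In this model a router that lacks the static route for 192.0.2.1 keeps forwarding to the infected host over its normal path, which is why the discard route is checked on every router in AS10 before the host route is advertised.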

To protect the control plane on router R6, configure CoPP so that IP packets with a TTL of
0 or 1 are dropped rather than processed, with a resulting ICMP redirect sent to the
source. (1 point)
Cisco IOS Software sends all packets with a TTL of 0 or 1 to the process level to be processed.
The device must then send an ICMP TTL expire message to the source. By filtering packets that
have a TTL of 0 or 1, you can reduce the load on the process level. The control plane policing
simply blocks packets with a TTL value of 0 or 1 as directed, but this will break your EIGRP
and BGP peering. So, you must specifically exempt these packets within your ACL (the deny
entries keep them out of the drop class); otherwise, you would have just lost valuable points. If
you found yourself running short on time and couldn’t justify further time to investigate how to
maintain your routing peering, remember that this is a 1-point question, worth leaving and coming
back to, if possible. If you have configured this correctly, as shown in Example 1-39, you have
scored 1 point.
Example 1-39 CoPP Configuration

R6(config)# ip access-list extended TTL
R6(config-ext-nacl)# deny eigrp any any
R6(config-ext-nacl)# deny tcp any any eq bgp
R6(config-ext-nacl)# deny tcp any eq bgp any
R6(config-ext-nacl)# permit ip any any ttl eq 0 1
R6(config-ext-nacl)# class-map DROP-TTL-0/1
R6(config-cmap)# match access-group name TTL
R6(config-cmap)# policy-map CoPP-TTL
R6(config-pmap)# class DROP-TTL-0/1
R6(config-pmap-c)# drop
R6(config-pmap-c)# control-plane
R6(config-cp)# service-policy input CoPP-TTL
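
The classification logic of Example 1-39, modelled in Python as an added illustration (not part of the lab solution and not IOS code). It shows why the deny entries matter: inside a class-map an ACL deny only keeps a packet out of the DROP-TTL-0/1 class, so it is processed normally, while a permit puts it in the class that is dropped. The class names, the sample packets and the NAIVE_ACL comparison are constructed for this example.

```python
"""Model of how Example 1-39's ACL decides which punted packets CoPP drops."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

BGP = 179  # TCP port behind the IOS keyword "bgp"


@dataclass(frozen=True)
class Packet:
    name: str
    proto: str                     # "eigrp", "tcp", "udp", "icmp", ...
    ttl: int
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every protocol
    sport: Optional[int] = None
    dport: Optional[int] = None
    ttls: Optional[FrozenSet[int]] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport)
                and (self.ttls is None or p.ttl in self.ttls))


LOW_TTL = frozenset({0, 1})

# The four entries of "ip access-list extended TTL", in the page's order.
PAGE_ACL = [
    Ace("deny", "eigrp"),
    Ace("deny", "tcp", dport=BGP),
    Ace("deny", "tcp", sport=BGP),
    Ace("permit", "ip", ttls=LOW_TTL),
]
# Hypothetical ACL without the routing-protocol exemptions, for comparison.
NAIVE_ACL = [Ace("permit", "ip", ttls=LOW_TTL)]


def acl_action(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; no match falls to the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


def copp_verdict(acl: List[Ace], pkt: Packet) -> str:
    """permit = member of class DROP-TTL-0/1 (dropped); deny = class-default."""
    return "drop" if acl_action(acl, pkt) == "permit" else "process"


# Constructed sample packets. The low-TTL routing packets stand for the
# peering traffic the page says the policy would otherwise break.
SAMPLES = [
    Packet("eigrp-ttl1", "eigrp", 1),
    Packet("bgp-to-179-ttl1", "tcp", 1, sport=40000, dport=BGP),
    Packet("bgp-from-179-ttl1", "tcp", 1, sport=BGP, dport=40000),
    Packet("udp-probe-ttl1", "udp", 1, sport=33000, dport=33434),
    Packet("icmp-ttl0", "icmp", 0),
    Packet("ssh-ttl64", "tcp", 64, sport=50000, dport=22),
]


def dropped(acl: List[Ace]) -> List[str]:
    """Names of the sample packets the CoPP policy would drop with this ACL."""
    return [p.name for p in SAMPLES if copp_verdict(acl, p) == "drop"]


if __name__ == "__main__":
    for label, acl in (("page ACL", PAGE_ACL), ("naive ACL", NAIVE_ACL)):
        print(label, "drops:", dropped(acl))
```

With the page's ACL only the non-routing low-TTL packets are dropped; with the single permit line the EIGRP and BGP samples are dropped as well, which is the lost-peering outcome the answer warns about.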

Section 7: Multicast (4 Points)

Configure routers R1, R2, R3, and R4 for IPv4 multicast. Configure R3 to send multicast advertisements of its own time by use of NTP sourced from interface Gig 0/0. Configure PIM sparse mode on all required interfaces. R3 should also be used to advertise its own gigabit interface IP address as an RP. R3 should also advertise the IP address you are using for the NTP advertisements, which will be 224.0.1.1. Do not use the command ntp server in any configurations. Routers R1, R2, and R4 should all show a clock synchronized to that of R3. (4 points)

Network Time Protocol (NTP) can be multicast on the reserved group IP address of 224.0.1.1 rather than the more familiar broadcast or unicast scenarios. The question requires you to configure R3 to become the NTP master and announce the group address to the NTP clients. They will then have the capability to join the NTP group by use of Protocol Independent Multicast (PIM). You are not permitted to use the command ntp server, and so you must configure the clients with the command ntp multicast client. It is good practice to TTL scope your multicast announcements so that they do not propagate past the domain you require. If you have not taken this into consideration in your solution, you would not be deducted points, but be aware of the facility in case you face a question that specifies this. If you have configured this correctly, as shown in Example 1-40, you have scored 4 points.

Example 1-40 NTP Multicast Configuration and Verification

R3(config)# ip multicast-routing
R3(config)# ntp master
R3(config)# interface GigabitEthernet0/0
R3(config-if)# ip pim sparse-mode
R3(config-if)# ntp multicast ttl 2
R3(config-if)# interface GigabitEthernet0/1
R3(config-if)# ip pim sparse-mode
R3(config-if)# ip pim send-rp-announce GigabitEthernet0/0 scope 2 group-list 4
R3(config)# ip pim send-rp-discovery GigabitEthernet0/0 scope 2
R3(config)# access-list 4 permit 224.0.1.1
R3# show ntp status
Clock is synchronized, stratum 8, reference is 127.127.7.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is C98F1E61.2AE19310 (21:17:21.167 UTC Tue Feb 27 2007)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec
R1(config)# ip multicast-routing
R1(config-if)# interface

3 nominal freq is 250.1 23.0000 Hz.39 Serial0/0/0 00:07:21 00:02:51 120.GigabitEthernet0/0 R1(config-if)# ip pim sparse-mode R1(config-if)# ntp multicast client R1# show ntp status Clock is synchronized.1.34.0. peer dispersion is 15875.0. root delay is 4.1. reference is 120.100. reference is 120.3 224.39 Serial0/0 00:08:12 00:02:57 120.1 23.9FB2321D (21:17:45.40 Serial0/0/0 00:40:13 00:02:52 120.02 msec R1(config-if)# R1# show ip igmp group IGMP Connected Group Membership Group Address Interface Uptime Expires Last Reporter 224.0157 msec.06 msec.88 msec root dispersion is 0.100.1 224.100.100.0000 Hz. precision is 2**18 reference time is C98F1E73. actual freq is 250.1 23.1 23. peer dispersion is 0.0182 msec.623 UTC Tue Feb 27 2007) clock offset is 0. stratum 9.0000 Hz.1 23.1.2 Change IF R4(config)# ip R4(config-if)# R4(config-if)# R4(config-if)# multicast-routing interface GigabitEthernet0/0 ip pim sparse-mode ntp multicast client R4# show ntp status .83B73E68 (21:17:39.0000 Hz.1 23.1 Serial0/0/0 00:40:12 00:02:50 120.514 UTC Tue Feb 27 2007) clock offset is 0.3 nominal freq is 250.2 224.0. root delay is 3.100.0.1.1.34. precision is 2**18 reference time is C98F1E79.40 Serial0/0 00:41:09 00:01:59 120. actual freq is 250.0.1 CHANGE interface R2(config)# ip multicast-routing R2(config-if)# interface fastethernet 0/0 R2(config-if)# ip pim sparse-mode R2(config-if)# ntp multicast client R2# show ntp status Clock is synchronized.1.100.0.100.3 224.1 Serial0/0 00:41:08 00:02:59 120.14 msec root dispersion is 15875.06 msec. stratum 9.02 msec R2# show ip igmp group IGMP Connected Group Membership Group Address Interface Uptime Expires Last Reporter 224.100.

Clock is synchronized, stratum 9, reference is 120.100.34.3
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is C98F1EF1.2B7DB1F2 (21:19:45.169 UTC Tue Feb 27 2007)
clock offset is -0.6937 msec, root delay is 1.37 msec
root dispersion is 7877.08 msec, peer dispersion is 7876.34 msec
R4# show ip igmp group
IGMP Connected Group Membership
Group Address    Interface            Uptime    Expires   Last Reporter
224.0.1.39       GigabitEthernet0/0   00:08:35  00:02:42  120.100.34.3
224.0.1.40       GigabitEthernet0/0   00:41:07  00:02:42  120.100.34.4
224.0.1.1        GigabitEthernet0/0   00:41:29  00:02:42  120.100.34.4

IP Services (4 Points)

Configure the following commands on router R1:

aaa new-model
logging buffered
logging 120.100.99.1

Configure a policy on router R1 so that if a user tries to remove AAA services or disable logging via the CLI that a syslog message of UNAUTHORIZED-COMMAND-ENTERED is generated. The policy should ensure that neither command is executed and should consist of a single-line command for the CLI pattern detection. The policy and CLI should run asynchronously. The policy should also generate an email from the router to a mail server residing on IP address 120.100.99.2 (to security@lab-exam.net from eem@lab-exam.net, with the subject “User-Issue,” with the message body consisting of details of who was logged on the time either of the commands were entered). (2 points)

This is an intricate Embedded Events Manager (EEM) question. You are required to configure an EEM applet with a CLI pattern event on a single line to match on either of the commands (no aaa xxx and no logging xxx). This is achieved by a pattern of “^no (aaa|logging).*”. The following sync no skip yes parameters simply state that the policy and CLI should run asynchronously and that the command entered should not be executed as directed. When the commands are matched via the CLI pattern, the policy requires the syslog message to be generated, a CLI command action to run show users, and a final action to send an email with the details of the previous show command (which is achieved by the command “$_cli_result”). Example 1-41 details the required configuration and resulting execution of the EEM when the commands no aaa new-model and no logging buffered are entered and not executed on the router. If you have configured this correctly, as shown in Example 1-41, you have scored 4 points.
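
An added illustration, not part of the lab solution: a small Python model of the event cli decision discussed above, showing which typed commands the pattern “^no (aaa|logging).*” catches and how the sync and skip keywords decide whether a matched command still runs. CliEvent, Outcome, evaluate and the command list are constructed for this example, and it assumes Python's re module treats this particular pattern the same way the router does.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class CliEvent:
    pattern: str
    sync: bool
    skip: bool = False        # consulted only when sync is False
    exit_status: int = 0      # _exit_status, consulted only when sync is True


@dataclass(frozen=True)
class Outcome:
    matched: bool             # the applet was triggered
    executed: bool            # the typed command is still run
    cli_waits: bool           # the CLI waits for the policy to finish


def evaluate(event: CliEvent, command: str) -> Outcome:
    """Decide what happens to one typed command under one event cli line."""
    if re.search(event.pattern, command) is None:
        return Outcome(matched=False, executed=True, cli_waits=False)
    if event.sync:
        # Synchronous: the policy's _exit_status decides; 1 lets the command run.
        return Outcome(True, event.exit_status == 1, True)
    # Asynchronous: the skip keyword alone decides.
    return Outcome(True, not event.skip, False)


# The event line from the lab answer: sync no skip yes.
PAGE_EVENT = CliEvent(r"^no (aaa|logging).*", sync=False, skip=True)

# Constructed input: commands an operator might type on R1.
COMMANDS = [
    "no aaa new-model",
    "no logging buffered",
    "no logging 120.100.99.1",
    "no logging console",
    "aaa new-model",
    "logging buffered",
    "do show run | include aaa new-model",
    "no ip domain-lookup",
]


def blocked(event: CliEvent) -> List[str]:
    """Commands that trigger the applet and are not executed."""
    results = ((c, evaluate(event, c)) for c in COMMANDS)
    return [c for c, o in results if o.matched and not o.executed]


if __name__ == "__main__":
    for cmd in COMMANDS:
        print(f"{cmd!r:45} {evaluate(PAGE_EVENT, cmd)}")
```

The pattern is anchored at the start of the line, so the verification commands beginning with do show run are untouched, while every command that starts with no aaa or no logging is intercepted, including ones such as no logging console that the question did not name.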

Example 1-41 R1 EEM Configuration and Verification Testing

R1(config)# aaa new-model
R1(config)# logging buffered
R1(config)# logging 120.100.99.1
R1(config)#
R1(config)# event manager applet CCIE-QUESTION
R1(config-applet)# event cli pattern "^no (aaa|logging).*" sync no skip yes
R1(config-applet)# action 1.0 syslog msg "UNAUTHORIZED-COMMAND-ENTERED"
R1(config-applet)# action 2.0 cli command "show user"
R1(config-applet)# action 3.0 mail server "120.100.99.2" to "security@lab-exam.net" from "eem@lab-exam.net" subject "User-Issue" body "$_cli_result"
R1(config-applet)# no aaa new-model
%HA_EM-6-LOG: CCIE-QUESTION: UNAUTHORISED-COMMAND-ENTERED
%HA_EM-3-FMPD_SMTP_CONNECT: Unable to connect to SMTP server: 120.100.99.2
%HA_EM-3-FMPD_ERROR: Error executing applet CCIE-QUESTION statement 3.0
R1(config)# no logging buffered
%HA_EM-6-LOG: CCIE-QUESTION: UNAUTHORISED-COMMAND-ENTERED
%HA_EM-3-FMPD_SMTP_CONNECT: Unable to connect to SMTP server: 120.100.99.2
%HA_EM-3-FMPD_ERROR: Error executing applet CCIE-QUESTION statement 3.0
R1(config)# do show run | include aaa new-model
aaa new-model
R1(config)# do show run | include logging buffered
logging buffered 4096 debugging

Lab Wrap-Up

So, how did it go? Did you run out of time? Did you manage to finish but miss what was actually required? If you scored over 80, well done. If you accomplished this within 8 hours or less, you will be prepared for any scenario that you are likely to face during the 5.5 hours of the Configuration section of the actual exam. Remember that the Troubleshooting section on the v5.0 exam is a separate section from the Configuration section and has a different scenario; you will have 2 hours to complete the Troubleshooting section. This lab was designed to ensure that you troubleshoot your own work as you progress through the questions.

What sets the CCIE exam apart within the industry is the complexity of the questions to test you further than you thought possible. The exam is not trying to trick you, but it will ensure that you have the ability to think laterally—an ability that will ensure that you exceed in your networking career and one that sets CCIEs apart.

Did you anticipate and factor into your configuration items such as the maximum reserved bandwidth within QoS? If you did, congratulations, because this would have saved you time and secured you points. It also shows that you fully understand the protocols involved and are adept at testing your configurations.

How can you ensure that you have the ability to spot any underlying issues related to a question? Well, it’s all mileage; you’ll get out of your study what you put into it. Spend the time to go back over the questions and practice with the configurations using debug and show commands to fully absorb any new areas you might have come across.

Practice Lab 2

Equipment List

Practice Lab 2 follows an identical format to Lab 1 with timings and also consists of 100 points. You need the following hardware and software components to begin this practice lab.

Six routers loaded with Cisco IOS Software Release 15.3T Advanced Enterprise image and the minimum interface configuration, as documented in Table 2-1
Four 3560X switches with IOS 15.0S IP Services

Table 2-1 Hardware Required per Router

Note
Notice in the initial configurations supplied that some interfaces will not have IP addresses preconfigured. This is because you will either not be using that interface or you must configure it from default within the exercise. The initial configurations supplied should be used to preconfigure your routers and switch before the lab starts. If your routers have different interface speeds than those used in this book, adjust the bandwidth statements on the relevant interfaces to keep all interface speeds in line. This will ensure that you do not get unwanted behavior because of differing IGP metrics.

Setting Up the Lab 2

Use any combination of routers as long as you fulfill the requirements within the topology diagram, as shown in Figure 2-1. However, you should use the same model of routers because this can make life easier if you load configurations directly from the supplied configurations into your own devices. If your router interface speeds do not match those used in this lab, consider reconfiguring the bandwidth statement accordingly to provide symmetry with the routing protocol metrics.

Figure 2-1 Practice Lab 2 Network Topology

Lab Topology

This practice lab uses the topology as outlined in Figure 2-1, which you will need to re-create with your own equipment or by using lab equipment on the CCIE R&S 360 program.

Switch Instructions

Configure VLAN assignments from the configurations supplied or from Table 2-2.

Table 2-2 VLAN Assignment

Connect your switches with RJ-45 Ethernet cross-over cables, as shown in Figure 2-2.

Figure 2-2 Switch-to-Switch Connectivity

IP Address Instructions

You will find in the actual CCIE lab that the majority of your IP addresses will be preconfigured. For this exercise, you are required to configure your IP addresses, as shown in Figure 2-3, or load the initial router configurations supplied. If you are manually configuring your equipment, ensure that you include the following loopback addresses. (R1 and R3 use the same IP address for Loopback 255.)

R1 Lo0 120.100.1.1/24 Lo255 200.200.200.200/24
R2 Lo0 120.100.2.1/24
R3 Lo0 120.100.3.1/24 Lo255 200.200.200.200/24
R4 Lo0 120.100.4.1/24
R5 Lo0 120.100.5.1/24
R6 Lo0 120.100.6.1/24
SW1 Lo0 120.100.7.1/24
SW2 Lo0 120.100.8.1/24
SW3 Lo0 120.100.9.1/24
SW4 Lo0 120.100.10.1/24

Figure 2-3 IP Addressing Diagram

Pre-Lab Tasks

Build the lab topology per Figure 2-1 and Figure 2-2.
Configure the IP addresses on each router as shown in Figure 2-3 and add the loopback addresses. Alternatively, you can load the initial configuration files supplied if your router is compatible with those used to create this exercise.

General Guidelines

Read the whole lab before you start.
Do not configure any static/default routes unless otherwise specified.
Ensure full IP visibility between routers for ping testing/Telnet access to your devices.
If you run out of time, choose questions that you are confident you can answer, or choose questions with a higher point rating to maximize your potential score.
Get into a comfortable and quiet environment where you can focus for the next 8 hours.
Take a 30-minute break midway through the exercise.
Have available a Cisco documentation CD-ROM or access online the latest documentation from the following URL: http://www.cisco.com/cisco/web/psa/configure.html

Note
Access only these URLs, not the whole Cisco.com website (because if you are permitted to use documentation during your CCIE lab exam, it will be restricted). To save time during your lab, consider opening several windows with the pages you are likely to look at.

Practice Lab Two

You will now be answering questions in relation to the network topology, as shown in Figure 2-4.

resulting in spanning-tree issues. 132. The new switches should be able to tunnel their own configured VLANs through a new VLAN (30) between Switch 1 and Switch 2.Figure 2-4 Lab Topology Diagram Section 1: LAN Switching (22 Points) Configure your switched network to use 802. (2 points) Configure Switch 1 and Switch 2 to enable connectivity of two further switches in the future to be connected to ports Fast Ethernet 0/18 on each switch. There is no requirement to configure a root bridge or VLAN load balancing for the new VLAN between Switch 1 and Switch 2. 100. 132. 200) and the interface directly connecting to Switch 1 (Fast Ethernet 0/19) for odd-numbered VLANs (53. 132. 63. 46. (3 points) Ensure a cable fault between Switches 1 and 2 could not result in one-way traffic between the two switches. 46. Switch 1 should be the root bridge for VLANs 34. (4 points) . (3 points) Switch 4 should use its interface directly connecting to Switch 2 (Fast Ethernet0/19) for traffic destined toward even-numbered VLANs (34.1w spanning tree. 100. with Switch 2 being the secondary root bridge for all listed VLANs. (3 points) Switch 3 should use its interface directly connecting to Switch 2 (Fast Ethernet 0/21) for traffic directed toward even-numbered VLANs (34. and 200. 200) and the interface directly connected to Switch 1 (Fast Ethernet 0/21) for odd-numbered VLANs (53. 46. 63). 53. 63). 100.

they will not be able to forward unicast. Do not use any form of ACL or configure the ports to belong to a PVLAN. and send only traffic destined to R2 on this switch port across your network to Switch 3 port Fast Ethernet 0/17. broadcast. each EIGRP router should have its Loopback 0 interface configured and advertised within EIGRP. (2 points) Figure 2-5 EIGRP Topology Configure R1 to advertise a summary route of 120. this Ethernet port transitions into error-disable state.0.Configure your switched network to monitor the VLAN 200 interface associated with R2 (Switch 2 Fast Ethernet 0/1). and Switch 4 should fail. use a new VLAN (20) to assist in this configuration. (3 points) Configure interfaces Fast Ethernet 0/9 and 0/10 on Switch 1 so that even if they are configured to belong to the same VLAN. (3 points) Configure the interface on Switch 2 that connects to R5 VLAN 53 (Fast Ethernet 0/5) in such a way that if all the trunks on Switch 2 connecting to Switch 1. (1 point) Section 2: IPv4 IGP Protocols (26 Points) Section 2. Switch 3. or multicast traffic to one another.100.1: EIGRP Configure EIGRP per Figure 2-5 using an instance name of CCIE and autonomous system of 1. R3 should see the original VLAN 100 and Loopback 0 individual routes in .0/16 outbound on its VLAN 132 interface. There is no requirement to configure a root bridge or VLAN load balancing for the new VLAN.

(3 points) Configure EIGRP with a new instance name of CCIE2 between R2 and R3 over VLAN 132 with an autonomous system of 2 and 256-bit encryption with a password of lake2aho3. (2 points) Section 2. advertise this network into EIGRP on each router.1. Each OSPF router should also have its Loopback 0 interface configured and advertised within OSPF as follows: (2 points) R4 Loopback 0 – Area 0 R5 Loopback 0 – Area 0 R6 Loopback 0 – Area 1 SW1 Loopback 0 – Area 2 SW2 Loopback 0 – Area 1 SW3 Loopback 0 – Area 2 SW4 Loopback 0 – Area 3 . (3 points) Ensure that the length of time that EIGRP considers neighbors to be valid without receiving a hello packet on the VLAN 132 network between R1.1/24 on both routers. You may use only one summary route in your configuration.addition to the summary route.2: OSPF Configure OSPF per Figure 2-6 using a process ID of 1. Do not manually adjust the delay associated with the interface by use of the delay command. R2.1/24. and advertise this and only this network to R3 from R2. do not change the hello-interval parameter. and R3 is 200 seconds. any additional connections to AS2 should be encrypted using the same password without further configuration on R2 and R3. Configure a new loopback interface on R2 (Loopback 3) with an IP address of 150. (2 points) Configure new loopback interfaces on R1 and R2 using a loopback interface 2 with an identical IP address of 150. should not be configured under the process ID. do not apply the summary command directly to the interface.2.101.101. Ensure that R3 prefers the route from R1 by manipulating the delay associated with this route. You are only permitted to configure R2 to influence the delay. All OSPF configuration. where possible.

34. Ensure that your network can accommodate this issue. (3 points) Section 3: BGP (15 Points) Configure BGP peering per Figure 2-7 as follows: iBGP R1-R3. (3 points) Perform mutual redistribution of EIGRP AS1 and OSPF on R4 and R5. SW4-SW3. R4-R6. R3-R5. You are not permitted to form any Area 0 neighbor relationship directly between R4 and R5 to join Area 0.101.5) for this destination subnet.2. R5-SW1 R5-SW3. R2-R3. (2 points) R3 will have equal cost external EIGRP routes to the redistributed OSPF subnet 120. eBGP R3-R4. (4 points) Section 2. Ensure that R1 shows a next hop for the AS2 advertised route of 150.100.4) should be used dynamically. R6-SW4. the route advertised from R4 (120. Configure only R3 to ensure that R3 routes via a next hop of R5 (120.0/24 (VLAN 63).34.100. Use a metric of 5000 for redistributed routes into OSPF that should appear as external type 2 routes and the following K values for OSPF routes redistributed into EIGRP: 1544 20000 255 1 1500. If this route fails. Use loopback interfaces .100.0/24 of R2 and perform configuration only on R3 for this task. R4-SW2.63.Figure 2-6 OSPF Topology Area 0 is partitioned between R4 and R5.3: Redistribution Perform a one-way redistribution of EIGRP AS2 into EIGRP AS1 on R3 using the following default metric: 1544 20000 255 1 1500.

0/24 when advertised to R3.1/24) SW4 – Loopback interface 7 (152.1/24) Configure R3 to inform R4 that it does not want to receive routes advertised from SW4 for networks 152.200.32.35. Achieve this in such a manner that R4 does not actually advertise these routes toward R3. 152.100. (3 points) Configure the following loopback interfaces on R3 and SW4. but only one prepend is permitted per line. Do not use the command ebgp-multihop within your configurations. (3 points) Section 4: IPv6 (12 Points) Configure IPv6 addresses on your network as follows: 2007:C15:C0:10::1/64 – R1 Gi0/1 . The route map may contain multiple permit statements.1/24) SW4 – Loopback interface 5 (152.0/24.200.1/24) SW4 – Loopback interface 8 (152.35. You may also configure R4.200.1/24) SW4 – Loopback interface 6 (152. and 152.0/24.33.200.to peer on all routers with the exception of peering between R3-R4 and R3-R5.200.33.32.200.34.100. (4 points) Configure a route map on R5 that prepends its local autonomous system an additional two times for network 152. advertise these networks into BGP using the network command: (2 points) R3 – Loopback interface 5 (152.200.0/24.34. R3 should be configured to only actively create BGP sessions to R1 and R2 within AS100. (3 points) Figure 2-7 BGP Topology Routers R1 and R2 in AS100 should be made to only passively accept BGP sessions.200.

EIGRPv6 should not be enabled directly under the interfaces of the routers.1: EIGRPv6 Configure EIGRPv6 with an autonomous system of 6 between R1.2: OSPFv3 Configure OSPFv3 per Figure 2-8. use an OSPFv3 process of 1 on each router. a security policy index of 500. (2 points) . use message digest 5. and a key of DEC0DECC1E0DDBA11B0BB0BBEDB00B00. Build your tunnels from R1 to R3 and R2 to R3 with source interfaces from VLAN 132 to advertise IPv6 edge networks from each router using ipv6ip mode. (2 points) Figure 2-8 IPv6 Topology Configure Area 1 with IPsec authentication.2007:C15:C0:11::1/64 – R1 tunnel0 2007:C15:C0:11::3/64 – R3 tunnel0 2007:C15:C0:12::2/64 – R2 tunnel0 2007:C15:C0:12::3/64 – R3 tunnel1 2007:C15:C0:13::2/64 – R2 fe0/1 2007:C15:C0:14::3/64 – R3 Gi0/0 2007:C15:C0:14::4/64 – R4 Gi0/0 2007:C15:C0:14::5/64 – R5 Gi0/0 2007:C15:C0:15::4/64 – R4 Gi0/1 2007:C15:C0:15::6/64 – R6 Gi0/0 Section 4. and R3. (2 points) Section 4. R2.

0.225. and 225. Each router should use PIM sparse dense mode.0.1.1. Do not redistribute OSPF into EIGRPv6 to achieve this.225.3. (2 points) Configure R3 so that both R1 and R2 have the following IPv6 EIGRPv6 route in place. (3 points) Configure R1 to monitor traffic forwarded through itself for traffic destined to the multicast group of 225.3.225.3 and 225.100. 225.100. You may configure R4 to achieve this: (2 points) I 2007::/16 [110/2] via XXXX::XXXX:XXXX:XXXX:XXXX.0.225.1 and 225.0.225.225. Redistributed EIGRPv6 routes should have a metric of 5000 associated with them.0. Ensure that the switch ports assigned to the devices do not participate in the usual spanning-tree checks.2 and R2 for groups 225. cannot form trunk links. Configure Switch 2 to assign a DSCP value of AF41 to video traffic from both of these devices. R2.0.0. If no packet for this group is received within a single 10second interval.225. and R4 for IPv4 multicast.2.3: Redistribution Redistribute EIGRPv6 into OSPFv3 on R3. R3.0.0. GigabitEthernet0/0 Section 4.225. You should limit the boundary of your multicast network so that it does propagate further into your network than R4. The remainder of the bandwidth should be guaranteed for a default queue with WRED enabled. (3 points) Configure R3 to ensure R4 has a candidate RP as R1 for groups 225. (3 points) Section 6: Multicast (9 Points) Configure routers R1. and this traffic is unmarked from the devices as it enters the switch. (3 points) Configure R2 to assign a strict-priority queue with a 40 percent reservation of the WAN bandwidth for the video conferencing traffic in the previous question. R3 should be configured as a mapping agent to announce the rendezvous points for the multicast network with the same boundary constraints. ensure that an SNMP trap is sent to an SNMP management station on 120. and cannot be configured as EtherChannels. regardless of which area they are seen in within the OSPFv3 network. (3 points) .225. 
and do ensure that all routers have full visibility: (2 points) D 2007::/16 [90/XXXXXXXXX] via XXXX::XXXX:XXXX:XXXX:XXXX. Maximize the available bandwidth by ensuring the RTP headers within the video stream are compressed.Ensure the area router in Area 1 receives the following route. Tunnel0 Section 5: QoS (6 Points) Two IP video conferencing units are to be installed onto Switch 2 ports Fast Ethernet 0/15 and 0/16 on VLAN 200.4 (by use of their Loopback 0 interfaces). The devices use TCP ports 3230–3231 and UDP ports 3230– 3235.100 using a community string of public. Both R1 and R2 should be configured to be candidate RPs specifically for the following multicast groups: 225. 225.

Can I change the root bridge assignments of odd. (2 points) Configure an ACL on R1 to allow TCP sessions generated on this router and through its Ethernet interface and to block TCP sessions from entering on its VLAN 132 interface that were not initiated on it or through it originally. Q. Use local authentication with a username and password of cisco. In the actual CCIE lab. You should ensure that your network runs a consistent version of spanning tree. To prevent a potential denial-of-service (DoS) attack from a flood of SYN requests. If a copper Ethernet cable fails between Switch 1 and Switch 2. Section 1: LAN Switching Q. Disable these advertisements from entering and propagating on VLAN 34. it should also enable ICMP traffic inbound for testing purposes. a key size of 768 bits. (3 points) “Ask the Proctor” Note This section should be used only if you require clues to complete the questions. Do you just want me to configure the root and secondary root bridges into 802. and apply ACLs only on the VLAN 132 interface.co. because there would not be any loops present. Do not use the established feature within standard ACLs to achieve this.and even-numbered VLANs to ensure that different interfaces are used on Switch 3 and Switch 4? A. Do not use the RA guard solution with untrusted ports.1w spanning tree? A. The router should belong to a domain of toughtest. and an SSH timeout of 2 minutes and retry value of 2. No. Not entirely. The ACL should timeout after 100 seconds of locally initiated TCP inactivity. Consider a partial failure rather than a complete breakage. (2 points) The network administrator has determined that IPv6 router advertisements are being sourced from routers on VLAN 34. Am I correct in thinking this? A. You may use an ACL applied in a single location in your solution. the proctor will not enter into any discussions about the questions or answers. (3 points) Configure R1 so that it can perform SCP. . 
surely I wouldn’t encounter spanning-tree issues. the router should be configured to randomly drop SYN packets from any source to this VLAN that have not been correctly established within 20 seconds. the root bridge assignment should remain as per the first question. Q. He or she will be present to ensure that you do not have problems with the lab environment and to maintain the timing element of the exam.uk.Section 7: Security (10 Points) Allow router R6 to passively watch the SYN connections that flow to only VLAN 63 for servers that might reside on this subnet.

Can I manipulate the delay associated with network 150. use a feature that enables your specific routes to leak from the summary route.101. Q. use a Layer 2 switch tunneling feature. this route overrides the VLAN 100 and Loopback 0 routes from R1 as received on R3. Yes. you must configure a feature that will place a nontrunk link into error-disable mode if all the trunks on Switch 2 fail. Yes. Is it acceptable to adjust the hold time on the Ethernet interfaces to change the hello interval? A. Q. Yes. No. Q.Q. The switches are connected with Ethernet copper cables. Q. this is the expected behavior of summarization. No. Section 2: IPv4 IGP Protocols Section 2. UDLD can operate over copper Ethernet in the same manner as fiber. If I configure a summary address on R1. Q. Q. Can I use a new EIGRP process instead? A. wouldn’t a feature like UDLD be beneficial only if the connections are fiber? A. Is this correct? A. If I can’t apply the summary statement directly under the interface can I apply it within the process instance? A. I assume you require remote span configured for R2 traffic. Q. Are you looking for a GRE type of tunnel between switches? A. you need to enable a feature that enables the more specific routes to be received on R3. No. No. a native VLAN would not facilitate transportation of multiple VLANs over the single VLAN 30 between Switch 1 and Switch 2. Nice try. Is it okay to send both TX and RX traffic to Switch 2? A. I think I can achieve this with multiple summary routes but the question restricts this. . Would you like me to configure UDLD aggressive mode on Switch 2 to transition the required port to error-disable mode if a trunk failure occurs? A.1. look for a security feature to disable communication between these ports. Q. this information has been provided.0/24 because this advertisement leaves R2 rather than by changing an interface delay on R2? A.1: EIGRP Q. Read the question carefully. 
Can I just shut down ports 0/9 and 0/10 so that they can’t communicate? A. Q. Would you like me to configure a native VLAN of 30 on trunks to the two new switches? A. Yes.

Section 2.100. Yes. Q. .100. Yes.63.0/24? A. Q. You can use virtual links in your solution. Can I use this technique to stretch Area 0 between R4 and R5? A.0/24? A.100. but I don’t receive the EIGRP AS2 route on R1 after redistribution. Q.Section 2.63. No. but the next hop is showing as R3. No. Q. Q. you are permitted to configure only R3. Can I manually change the router ID on one of the routers to see if this helps? A. think about where the links need to be. You will have some underlying issues before receiving the route on R1. Can I modify the OSPF cost on the interface connecting R3 to the OSPF network to attempt to change the next hop for the subnet 120.2: OSPF Q. this would affect routes received on R3 from both R4 and R5 equally because R4 and R5 reside on the same subnet as R3.63. to ensure that your topology operates correctly. though. I’d normally use a virtual link to extend Area 0 into a transit area. I’ve managed to get the EIGRP AS2 route redistributed from R3 into EIGRP on R1. No. I’ve followed the redistribution instructions. Is it acceptable to provide tunnels between R4 and R5 to join Area 0? A. Can I policy route on R1 so that the next hop for this route is directly via R2? A. Q. Can I use the EIGRP third-party next-hop feature to leave the next hop of the route unaltered from R2? A.0/24 as it advertised to R3? A. this solution would involve a neighbor relationship being formed between the routers in Area 0. I’ve noticed that due to the preconfigured loopback interfaces on R1 and R3 both of these routers have the same EIGRP router ID. Can I use an offset list or similar feature on R4 to penalize the route 120. Q. A. No. you must have the routing table reflect the next hop of this route via R2 and not R3. Yes. Is it acceptable to use a route map on R3 and match a route source to penalize the route to 120. Use your troubleshooting skills to determine the problem.3: Redistribution Q.

you must dynamically inform R4 to not advertise specific routes via R3. use a specific BGP feature to disregard the TTL check. just from R1 to R3 and from R2 to R3. ensuring that the route is received as illustrated in the question.Section 3: BGP Q. and Switch 4. Would you like me to redistribute routes into OSPFv3 as external type 1 or type 2? A. Q. Q. Can I use BGP ORF? A. Do the VC units use UDP Ports 3230 and 3235 or 3230 through 3235? A. Yes. investigate an alternative method to create this route from the preconfigured subnets you already have. Q. Section 4: IPv6 Q. Is this expected behavior? A. Switch 3. You must configure a feature that overrides this behavior. The question provides you with sufficient information to determine the redistribution type to use. Do you want me to trust the ports assigned to the VC units? A. No. Use a BGP feature to force the peering to become directional. Yes. . No. Q. Q. Do you want a tunnel between R1 and R2 also? A. Section 5: QoS Q. Q. Do you want me to configure an ACL to limit BGP connections to purely inbound or outbound on TCP port 179? A. Would you like me to configure an additional IPv6 subnet on R4 to receive the 2007::/16 route? A. These tunnels will advertise the edge networks of each router within EIGRPv6. The VC devices are not marking the traffic. Q. Q. No. They use the range 3230 through 3235. will my peering fail because I am peering from my loopback interfaces? A. an ACL would actually break the peering entirely. Can I just configure a filter on R4 to stop advertising specific routes to R3? A. Can I try to use NAT to fix my peering? A. check your router ID. I’m experiencing peering issues between R1 and R3 and have BGP notifications displayed on the console. it will. No. you had a similar issue within EIGRP. If I can’t use ebgp-multihop on my peering on R6. so there is a need to trust these ports. Yes. No.

but you need to find a method of assigning these specifically to R1 and R2. Section 7: Security Q. Would you like me to disable trunking. You need to configure a feature that monitors the SYN packets and closes down any half-opened connections. but I am not confident of my configuration. Q. Can I just use a standard ACL on R1 on the VLAN 132 interface to permit sessions outbound and deny everything else inbound? A. Yes. Q. Group lists can assist in your solution on R3. Q. Q. Any suggestions? . group lists would achieve the desired results. No. won’t R3 and R4 see both routers as RPs for the same groups? A. Can I use a reflexive ACL to dynamically permit the return traffic with a time limit of 100 seconds? A. If you were permitted to configure R1 and R2. but remember there is a single command that will disable all these features. If I use the bandwidth percent command on R2 in my 40-percent guaranteed reservation. Yes. this would block return path traffic initiated by R1. channeling. No. traffic destined to this group will be sent to R1 regardless because it is the candidate RP for this group. this isn’t required. I have configured SCP with the required SSH parameters. Can I use a reflexive ACL to drop SYN packets that are not correctly established by the servers? A. can I just configure group lists on R3? A. is this sufficient to answer the question? A. Section 6: Multicast Q. SYN packets should still enter into VLAN 63. the question dictates that a priority queue be used.1 for the SNMP question? A.Q.225. No. No.0. there is a specific TCP feature used to protect servers from a flood of SYN packets that could cause a DoS attack. Yes. but you are permitted to configure only R3. To have R1 and R2 as candidate RPs for different groups. No. you will address this behavior in the following question. and spanning-tree checks on the ports assigned to the VC units? A. Q. If I configure R1 and R2 for the same multicast groups. 
Do you want me to configure an ACL to block SYN packets coming into VLAN 63? A. Q. Q. Do you want me to actually configure an IGMP join group on R1 for 225.

Switch 1 should be the root bridge for VLANs 34. you have earned 3 points.63.132.A. Section 1: LAN Switching (22 Points) Configure your switched network to use 802.46. 46. Yes. but each VLAN would be identical in this configuration.100. Q. No. as shown in Example 2-1. the question stipulates the ACL can only be used in one location. Example 2-1 SW1. 53. SW3. 63. and 200.1w spanning tree. Am I missing something? A. VLAN 34 is used as an example. Q.200 root secondary SW3(config)# spanning-tree mode rapid-pvst . can I just apply it to VLAN34? A.100. and SW4 Configuration and Verification Click here to view code image SW1(config)# spanning-tree mode rapid-pvst SW1(config)# spanning-tree vlan 34. Yes. Q. can I apply an ACL on each port that connects to each router? A.46. You must consider that by default the switch would be completely transparent to IPv6 and you would need to make the switch understand what it has to filter.53.132. Example 2-1 also shows confirmation of the root bridge and which interfaces are used to reach the root bridge from the neighboring switches. try to copy the IOS image from flash on R1 with RCP.53.63. SW2. So. To stop the RA. you have configured this feature correctly. 132. do I need to enable IPv6 on the switch? A. 53. So. You should use this section to produce an overall score for the practice lab. If you have time.1w is a Rapid Spanning Tree.200 root primary SW2(config)# spanning-tree mode rapid-pvst SW2(config)# spanning-tree vlan 34. 100. but I am still seeing the RAs when I debug IPv6 on the routers. but consider that it isn’t just a case of enabling it. I have applied the ACL blocking RA ICMPv6 from entering the switch. 46. 132. If you have configured this correctly. with Switch 2 being the secondary root bridge for all listed VLANs. Practice Lab Debrief The section analyzes each question. Switch 1 is required to be the root bridge and Switch 2 the secondary root bridge for VLANs 34. 
showing you what was required and how to achieve the desired results. 100. 63. there is an additional step for VLAN 34. and 200. Q. the switches will be in the default mode of standard PerVLAN Spanning Tree (PVST) and require configuration to rapid-pvst mode. If you are prompted for a password and gain access to the file. (3 points) 802.

SW4(config)# spanning-tree mode rapid-pvst

SW1# show spanning-tree vlan 34 | include root
This bridge is the root
SW1# show spanning-tree vlan 46 | include root
This bridge is the root
SW1# show spanning-tree vlan 53 | include root
This bridge is the root
SW1# show spanning-tree vlan 63 | include root
This bridge is the root
SW1# show spanning-tree vlan 100 | include root
This bridge is the root
SW1# show spanning-tree vlan 132 | include root
This bridge is the root
SW1# show spanning-tree vlan 200 | include root
This bridge is the root
SW2# show spanning-tree vlan 34 | include Root FWD
Fa0/23 Root FWD 19 128.25 P2p
SW3# show spanning-tree vlan 34 | include Root FWD
Fa0/19 Root FWD 19 128.21 P2p
SW4# show spanning-tree vlan 34 | include Root FWD
Fa0/21 Root FWD 19 128.23 P2p

Switch 3 should use its interface directly connecting to Switch 2 (Fast Ethernet 0/21) for traffic directed toward even-numbered VLANs (34, 46, 100, 132, 200) and the interface directly connecting to Switch 1 (Fast Ethernet 0/19) for odd-numbered VLANs (53, 63). (3 points)

This is a straightforward VLAN load-balancing question to ensure that trunk links are utilized efficiently and not logically disabled by spanning tree. Switch 3 uses the interface directly connecting to Switch 1 (Fast Ethernet 0/19) for all VLANs as the lowest root cost path by default. To adjust this behavior, this interface must effectively be penalized for the even-numbered VLANs to ensure a more attractive path is via Switch 2 (Fast Ethernet 0/21), as shown in Example 2-2. If you have configured this correctly, you have scored 3 points.

Example 2-2 SW3 VLAN Load-Balancing Configuration and Verification

SW3(config)# interface fastethernet 0/19
SW3(config-if)# spanning-tree vlan 34,46,100,132,200 cost 100
SW3(config-if)# do show spanning-tree root

                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001         32769 0013.806d.9400        19    2   20  15  Fa0/19
VLAN0034         24610 0013.806d.9400        38    2   20  15  Fa0/21
VLAN0046         24622 0013.806d.9400        38    2   20  15  Fa0/21
VLAN0053         24629 0013.806d.9400        19    2   20  15  Fa0/19
VLAN0063         24639 0013.806d.9400        19    2   20  15  Fa0/19
VLAN0100         24676 0013.806d.9400        38    2   20  15  Fa0/21
VLAN0132         24676 0013.806d.9400        38    2   20  15  Fa0/21
VLAN0200         24776 0013.806d.9400        38    2   20  15  Fa0/21

Switch 4 should use its interface directly connecting to Switch 2 (Fast Ethernet 0/19) for traffic destined toward even-numbered VLANs (34, 46, 100, 132, 200) and the interface directly connected to Switch 1 (Fast Ethernet 0/21) for odd-numbered VLANs (53, 63). (3 points)

Following from the previous question, Switch 4 uses the interface directly connecting to Switch 1 (Fast Ethernet 0/21) for all VLANs as the lowest root cost path by default, rendering the second trunk connecting to Switch 2 unused unless a failover condition occurs. As per the previous question, to ensure a balanced access topology for VLAN load balancing, the directly connected interface to Switch 1 needs to be penalized for the even-numbered VLANs, as shown in Example 2-3. If you have configured this correctly, you have scored 3 points.

Example 2-3 SW4 VLAN Load-Balancing Configuration and Verification

SW4(config)# interface fastethernet 0/21
SW4(config-if)# spanning-tree vlan 34,46,100,132,200 cost 100
SW4(config-if)# do show spanning-tree root
                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001         32769 0013.806d.9400        19    2   20  15  Fa0/21
VLAN0034         24610 0013.806d.9400        38    2   20  15  Fa0/19
VLAN0046         24622 0013.806d.9400        38    2   20  15  Fa0/19
VLAN0053         24629 0013.806d.9400        19    2   20  15  Fa0/21
VLAN0063         24639 0013.806d.9400        19    2   20  15  Fa0/21
VLAN0100         24676 0013.806d.9400        38    2   20  15  Fa0/19
VLAN0132         24676 0013.806d.9400        38    2   20  15  Fa0/19
VLAN0200         24776 0013.806d.9400        38    2   20  15  Fa0/19

Ensure that a cable fault between Switches 1 and 2 could not result in one-way traffic between the two switches, resulting in spanning-tree issues. (2 points)

Unidirectional Link Detection (UDLD) detects unidirectional links on fiber-optic connections; in aggressive mode, UDLD also detects unidirectional links because of one-way traffic on twisted-pair links. If you configure the ports between Switch 1 and Switch 2 into aggressive mode, the switches become UDLD neighbors, can detect one-way links, and shut down the link if this condition arises to mitigate spanning-tree issues, as shown in Example 2-4. If you have configured this correctly, you have scored 2 points.

Example 2-4 SW1 and SW2 UDLD Configuration and Verification

SW1(config)# interface fastethernet 0/23
SW1(config-if)# udld port aggressive
SW2(config)# interface fastethernet 0/23
SW2(config-if)# udld port aggressive
SW1# show udld fastethernet 0/23
Interface Fa0/23
---
Port enable administrative configuration setting: Enabled / in aggressive mode
Port enable operational state: Enabled / in aggressive mode
Current bidirectional state: Bidirectional
Current operational state: Advertisement - Single neighbor detected
Message interval: 15
Time out interval: 5
Entry 1
---
Expiration time: 44
Cache Device index: 1
Current neighbor state: Bidirectional
Device ID: CAT0935N2GQ
Port ID: Fa0/23
Neighbor echo 1 device: CAT0911X17K
Neighbor echo 1 port: Fa0/23
Message interval: 15
Time out interval: 5
CDP Device name: SW2

Configure Switch 1 and Switch 2 to allow connectivity of two further switches in the future to be connected to ports Fast Ethernet 0/18 on each switch. The new switches should be able to tunnel their own configured VLANs through a new VLAN (30) between Switch 1 and Switch 2. There is no requirement to configure a root bridge or VLAN load balancing for the new VLAN between Switch 1 and Switch 2. (4 points)

This is a service provider requirement whereby customers tunnel their own VLANs through the provider's network. To mitigate any VLAN overlaps from other customers, a unique service provider VLAN is used to transport the customer VLANs. Example 2-5 shows VLAN 30 being used to transport VLANs over a dot1q-tunnel. Use the show dot1q-tunnel command to verify your tunnel configuration on your switches. If your ports are shut down by initial configuration, it would be worth enabling them to protect your points. If you have configured this correctly, as shown in Example 2-5, you have scored 4 points.

Example 2-5 SW1 and SW2 Q in Q Configuration

SW1(config)# vlan 30
SW1(config-vlan)# exit
SW1(config)# interface fastethernet 0/18
SW1(config-if)# switchport access vlan 30
SW1(config-if)# switchport mode dot1q-tunnel
SW2(config)# vlan 30
SW2(config-vlan)# exit
SW2(config)# interface fastethernet 0/18
SW2(config-if)# switchport access vlan 30
SW2(config-if)# switchport mode dot1q-tunnel

Configure your switched network to monitor the VLAN 200 interface associated with R2 (Switch 2 Fast Ethernet 0/1) and send only traffic destined to R2 on this switch port across your network to Switch 3 port Fast Ethernet 0/17; use a new VLAN (20) to assist in this configuration. There is no requirement to configure a root bridge or VLAN load balancing for the new VLAN. (3 points)

This is a remote span question. The only complexity is based around the question statement of where you actually need to monitor: “traffic destined to R2.” This means that you need to configure the span parameters to only send the traffic transmitted out of the switch port toward R2, which is configured by the tx parameter. If this optional parameter is not configured, both transmit and receive traffic is monitored. Remote span requires a VLAN to propagate the span traffic between switches, which is why you need to configure VLAN 20 on both Switches 1 and 2. If your ports are shut down by initial configuration, it would be worth enabling them to protect your points. If you have configured this correctly, as shown in Example 2-6, you have scored 3 points.

Example 2-6 SW2 and SW3 Remote Span Configuration and Verification

SW2(config)# vlan 20
SW2(config-vlan)# remote-span
SW2(config-vlan)# exit
SW2(config)# monitor session 1 source interface fastethernet 0/1 tx
SW2(config)# monitor session 1 destination remote vlan 20
SW2(config)# do show monitor session 1
Session 1
---------
Type : Remote Source Session
Source Ports :
TX Only : Fa0/1
Dest RSPAN VLAN : 20
SW3(config)# vlan 20
SW3(config-vlan)# exit
SW3(config)# monitor session 1 source remote vlan 20
SW3(config)# monitor session 1 destination interface fast 0/17
SW3(config)# do show monitor session 1
Session 1
---------
Type : Remote Destination Session
Source RSPAN VLAN : 20
Destination Ports : Fa0/17
Encapsulation : Native
Ingress : Disabled

Configure the interface on Switch 2, which connects to R5 VLAN 53 (Fast Ethernet 0/5) in such a way that if all the trunks on Switch 2 connecting to Switch 1, Switch 3, and Switch 4 should fail, this Ethernet port transitions into error-disable state. (3 points)

The question requires link-state tracking to be configured. This feature provides redundancy in the network when used with server NIC adapter teaming. If a link is lost on the primary interface, connectivity is transparently switched to the secondary interface. Ports connected to servers are configured as downstream ports, and ports connected to other switches are configured as upstream ports. If the upstream trunk ports on Switch 2 fail, link-state tracking automatically puts the downstream port connected to R5 into error-disable state. Example 2-7 shows the associated configuration and testing by shutting down the trunk ports on Switch 2, which connects to Switch 1, Switch 3, and Switch 4, which forces the Fast Ethernet downstream port into error-disable state. If you have configured this correctly, as shown in Example 2-7, you have scored 3 points.

Example 2-7 SW2 Link-State Tracking Configuration and Verification

SW2(config)# link state track 1
SW2(config)# interface fast0/5

SW2(config-if)# link state group 1 downstream
SW2(config-if)# interface fastethernet 0/19
SW2(config-if)# link state group 1 upstream
SW2(config-if)# interface fastethernet 0/21
SW2(config-if)# link state group 1 upstream
SW2(config-if)# interface fastethernet 0/23
SW2(config-if)# link state group 1 upstream
SW2# show interface fastethernet 0/5 | include connected
fastethernet0/5 is up, line protocol is up (connected)
SW2(config-if)# int fast 0/19
SW2(config-if)# shut
SW2(config-if)# int fast 0/21
SW2(config-if)# shut
SW2(config-if)# int fast 0/23
SW2(config-if)# shut
SW2# show interface fastethernet 0/5 | include err-disabled
fastethernet0/5 is down, line protocol is down (err-disabled)

Configure interfaces Fast Ethernet 0/9 and 0/10 on Switch 1 so that even if they are configured to belong to the same VLAN they cannot forward unicast, broadcast, or multicast traffic to one another. Do not use any form of ACL or configure the ports to belong to a PVLAN. (1 point)

You are required to configure the interfaces with the command switchport protected to ensure that no traffic is forwarded between these ports. Traffic is forwarded as normal between a protected and an unprotected port. If you have configured this correctly, you have scored 1 point.

Section 2: IPv4 IGP Protocols (26 Points)

Section 2.1: EIGRP

Configure EIGRP per Figure 2-5 using an instance name of CCIE and autonomous system of 1. Each EIGRP router should have its Loopback 0 interface configured and advertised within EIGRP. (2 points)

Use vanilla EIGRP with a virtual instance configuration in preparation for the following questions. If you have configured this correctly, as shown in Example 2-8, you have scored 2 points.

Example 2-8 EIGRP Configuration and Verification

R1(config)# router eigrp CCIE
R1(config-router)# address-family ipv4 unicast autonomous-system 1
R1(config-router-af)# net 120.0 0.1.255

0.0 0.255 R4(config-router)# router eigrp CCIE R4(config-router)# address-family ipv4 unicast autonomous-system 1 R4(config-router-af)# network 120.255 R1(config-router-af)# net 120.123. therefore.0 [90/158720] via 120.0. GigabitEthernet0/0 D 120.100.100.3. One method used to achieve this is by configuring multiple summary routes.0 0.200. Allowing specific routes to be advertised with summary routes can be a valid requirement.255 R3(config-if)# router eigrp CCIE R3(config-router)# address-family ipv4 unicast autonomous-system 1 R3(config-router-af)# network 120.0.0.0.123.100.3.0.0.0 0.100.0.100. 00:23:32.255 R2(config)# router eigrp CCIE R2(config-router)# address-family ipv4 unicast autonomous-system 1 R2(config-router-af)# network 120.100.123. You can only use one summary route in your configuration.0 0.255 R3(config-router-af)# network 120.0 0. which is .0.255 R3(config-router-af)# network 120.34.0 0.255 R4(config-router-af)# network 120.0.3.34. the VLAN 100 and Loopback 0 route from R1 would not be seen by R3.100.3.R1(config-router-af)# net 120.0 [90/156160] via 120.100.0.100.100.100.0.0.123. GigabitEthernet0/0 D 120.123.0.0 [90/158720] via 120. but the question does not permit this approach.255 R2(config-router-af)# network 120. 00:23:32. 00:23:32. (3 points) Summarization will by default block all longer prefixes covered by the supernet configured on an interface. 00:23:32. To facilitate the specific routes with the summary.0.0 0.0. 9 subnets D 120.123.0.255 R1# sh ip route eigrp 120. R3 should see the original VLAN 100 and Loopback 0 individual routes in addition to the summary route.100. Do not apply the summary configuration directly to the interface.0 0.0 [90/156160] via 120. GigabitEthernet0/0 D 120. a leak map should be configured to match the VLAN 100 and Loopback 0 interfaces on R1.0.5.2. 00:23:32.0.4.0 0.5. 00:23:32.100.0.100.100.34.0.0.0 0.0/24 is subnetted.100.0 [90/30720] via 120.123. The leak map.100.2.100.0.0.0 0. 
GigabitEthernet0/0 D 120.100.123. GigabitEthernet0/0 D 120.0 [90/30720] via 120.4.200.123.100.0.100.100.3.100.100.100.0.2.100.255 R5(config)# router eigrp CCIE R5(config-router)# address-family ipv4 unicast autonomous-system 1 R5(config-router-af)# network 120.255 R5(config-router-af)# network 120.255 R2(config-router-af)# network 120.3.34.0 0.2.0/16 outbound on its VLAN132 interface.0. GigabitEthernet0/0 Configure R1 to advertise a summary route of 120.

0 leak-map LEAK-VLAN-100-LOOP0 R3# show ip route eigrp R3# show ip route eigrp 120.100. is then applied to the standard summary route statement on R1. 00:23:32.0 255. GigabitEthernet0/1 D 120.1. and R3 is 200 seconds.1.4. Because you cannot apply the summary configuration directly to the interface as per earlier EIGRP configuration. 2 masks D 120. and hello packets will be sent every 5 seconds.2. Example 2-9 R1 Leak Map Configuration and Verification Click here to view code image R1(config)# route-map LEAK-VLAN-100-LOOP0 permit 10 R1(config-route-map)# match ip address 1 R1(config-route-map)# exit R1(config)# access-list 1 permit 120.100.123.1. GigabitEthernet0/0 D 120.100.100.0/24 [90/156160] via 120. GigabitEthernet0/1 Ensure that the length of time that EIGRP considers neighbors to be valid without receiving a hello packet on the VLAN 132 network between R1.0.0/24 [90/30720] via 120.100.255.100.2.0/8 is variably subnetted.200. Do not change the hello-interval parameter.5.0/24 [90/156160] via 120.100.123.0 R1(config)# access-list 1 permit 120.5.0. R2.100.4. GigabitEthernet0/0 D 120.100. If you have configured this correctly.100.100.0/24 [90/156160] via 120.0/16 [90/30720] via 120. the VLAN 132 network is a high-speed link.100. (2 points) EIGRP considers neighbors to be valid up to three times the hello interval. 00:00:53.123.123.100. but this question ensures that you can achieve the desired result only by manually changing the hold time to 200 under the . as shown in Example 2-9. GigabitEthernet0/1 D 120. 00:23:32. You could usually tune the hold time by manipulating the hello intervals on an interface.100.34. you have scored 3 points. 00:23:32.34.configured per a normal route map.0/24 [90/156160] via 120.2. 00:23:32. 00:23:32.1.0. 10 subnets.100.123.100. you must apply it to the address family af-interface within the Enhanced Interior Gateway Routing Protocol (EIGRP) instance.0. GigabitEthernet0/1 D 120.1. 00:23:32. 
GigabitEthernet0/1 D 120.0/24 [90/30720] via 120.100.0.100.100.0 R1(config)# router eigrp CCIE R1(config-router)# address-family ipv4 unicast autonomous-system 1 R1(config-router-af)# af-interface Gigabit0/0 R1(config-router-af-interface)# summary-address 120.

(3 points) R3 will receive identical routes from both R1 and R2 for network 150.0/24.123. If you have configured this correctly. and R3. R2(config)# interface fastethernet0/0 R2(config-if)# ip hold-time eigrp 1 200 R2(config-if) R3(config)# interface GigabitEthernet0/0 R3(config-if)# ip hold-time eigrp 1 200 R3(config-if)# do sh ip eigrp neighbors IP-EIGRP neighbors for process 1 H Address Interface Uptime SRTT RTO Q Seq End with CNTL/Z.100. both routes will be stored in the topology and routing table.100.101. advertise this network into EIGRP on each router. the only method available is to create an offset list.34.2 00:01:00 3 200 1 120. R2 could influence the metric calculated by R3 by manipulating the delay of the new loopback interface or of the Ethernet interface connecting to R3. you have scored 2 points.4 00:23:35 35 210 0 25 0 18 0 21 0 22 Gi0/1 198 Gi0/1 199 Gi0/0 12 Gi0/0 12 (ms) Cn Configure new loopback interfaces on R1 and R2 using a Loopback 2 interface with an identical IP address of 150.123. Hold (sec) t Num 3 120.34. which enables you to match specific routes and append further delay to them as they are advertised on R2 toward R3. Example 2-10 shows the required configuration and verification of hold time by displaying the neighbors’ statistics as seen by R3. Because configuration is required solely on R2. one per line. Ensure that R3 prefers the route from R1 by manipulating the delay associated with this route.5 00:23:32 1 200 0 120. Do not manually adjust the delay associated with the interface by use of the delay command. as shown in Example 2-10 (either directly under the interfaces or within the EIGRP address family af-interface).1/24 on both routers. If the offset list is not applied to the VLAN 132 interface. Example 2-10 EIGRP Hold-Time Configuration and Verification Click here to view code image R1(config)# interface GigabitEthernet0/0 R1(config-if)# ip hold-time eigrp 1 200 R1(config-if) Enter configuration commands.100.101. 
but this is not permitted. R2.1.1 00:00:57 3 200 2 120.1.100. therefore. it would affect the whole process and not just advertisements .VLAN 132 interfaces of routers R1. and you are permitted to configure only R2 to influence the delay.

minimum MTU 1500 bytes Loading 1/255. the route installed into the routing table of R3 is then the original advertised from R1 with the more appealing value of 5100μS.101.toward R3.0 IP-EIGRP (AS 1): Topology entry for 150. Post configuration of the offset list on R2.2.0. traffic share count is 1 Total delay is 5100 microseconds.101. 00:00:23 ago.1 255. from 120. Query origin flag is 1.123.101.123.0/24 Known via "eigrp 1".0 R2(config-if)# router eigrp CCIE R2(config-router)# address-family ipv4 unicast autonomous-system 1 R2(config-router)# net 150. the delay is seen to increase to 5103μS for the route received from R2. Initial delay is shown to be 5100μS.100. Hops 1 R3# show ip eigrp topology 150. minimum bandwidth is 100000 Kbit Reliability 255/255. minimum bandwidth is 100000 Kbit Reliability 255/255.255 R2(config)# interface Loopback2 R2(config-if)# ip address 150.100.255. therefore. from 120.255 R3# show ip route 150. as shown in Example 2-11.0.1 255. via fastethernet1/1 Route metric is 156160.123.101.123.1. 00:00:23 ago Routing Descriptor Blocks: 120. you have scored 3 points. 00:00:23 ago.2 on fastethernet1/1.255.0 0. via fastethernet1/1 Route metric is 156160.2. Example 2-11 EIGRP Configuration and Verification Click here to view code image R1(config)# interface Loopback2 R1(config-if)# ip address 150.255.101. FD is .0/24 State is Passive.101. 2 Successor(s).0 255.1.0 Routing entry for 150. metric 156160. type internal Redistributing via eigrp 1 Last update from 120.0.100.100. distance 90.1. minimum MTU 1500 bytes Loading 1/255.1.123.1.1.0.1.101. Example 2-11 shows the configuration required to advertise the new routes and the routes as they are received on R3.255. Hops 1 * 120.0 0.255.1. traffic share count is 1 Total delay is 5100 microseconds. If you have configured this correctly.0 R1(config-if)# router eigrp CCIE R1(config-router)# address-family ipv4 unicast autonomous-system 1 R1(config-router-af)# net 150.101.255.1.1.100.

Vector metric: Minimum bandwidth is 100000 Kbit Total delay is 5100 microseconds Reliability is 255/255 Load is 1/255 Minimum MTU is 1500 Hop count is 1 120. 1 Successor(s). 00:00:17 ago.1 (GigabitEthernet0/1). Send flag is Route is Internal R2# show interface Fast0/0 | include DLY MTU 1500 bytes.1.0 IP-EIGRP (AS 1): Topology entry for 150.1.101.2.1 on GigabitEthernet0/1. Vector metric: Minimum bandwidth is 100000 Kbit Total delay is 5100 microseconds Reliability is 255/255 Load is 1/255 Minimum MTU is 1500 Hop count is 1 120.1 (GigabitEthernet0/1). Send flag is Route is Internal 120.123. distance 90. via GigabitEthernet0/1 Route metric is 156160.0 R2(config)# router eigrp CCIE R2(config-router)# address-family ipv4 unicast autonomous-system 1 R2(config-router-af)# topology base R2(config-router-af)# offset-list 1 out 100 fastethernet0/0 R3# show ip route 150.123.123. Send flag is 0x0 . BW 100000 Kbit/sec. type internal Redistributing via eigrp 1 Last update from 120. DLY 100 usec. 00:00:17 ago Routing Descriptor Blocks: * 120.123.100.101.123.100.2 (GigabitEthernet0/1).0 255.123. from 120.1.123.0/24 State is Passive. minimum bandwidth is 100000 Kbit Reliability 255/255. from 0x0 Composite metric is (156160/128256). R2(config)# access-list 1 permit 150.0/24 Known via "eigrp 1".100. FD is 156160 Routing Descriptor Blocks: 120.100.100.100.100.255. traffic share count is 1 Total delay is 5100 microseconds.101.1. from 120. Query origin flag is 1. minimum MTU 1500 bytes Loading 1/255.156160 Routing Descriptor Blocks: 120.123.1.101.0 Routing entry for 150.1. Hops 1 R3# show ip eigrp topology 150.123.100. metric 156160.1.1. from 0x0 Composite metric is (156160/128256).255.101.100.1.

0 0.0. Route is Internal Vector metric: Minimum bandwidth is 100000 Kbit Total delay is 5103 microseconds Reliability is 255/255 Load is 1/255 Minimum MTU is 1500 Hop count is 1 Configure EIGRP with a new instance name of CCIE2 between R2 and R3 over VLAN 132 with an autonomous system of 2 and 256-bit encryption with a password of lake2aho3.101.123.0.255 R2(config-router-af)# network 120.0.101. Example 2-12 R2 and R3 EIGRP AS2 Configuration and Verification Click here to view code image R2(config)# interface Loopback3 R2(config-if)# ip add 150.255 .2.2.123. Example 2-16 shows the basic EIGRP configuration on R2 and R3 with HMAC authentication. Route is Internal Vector metric: Minimum bandwidth is 100000 Kbit Total delay is 5100 microseconds Reliability is 255/255 Load is 1/255 Minimum MTU is 1500 Hop count is 1 120.2.2 (GigabitEthernet0/1). as shown in Example 2-12. from 120. (2 points) This straightforward configuration within a new EIGRP instance facilitates subsequent redistribution between EIGRP AS1 to AS2.255. The simple fix to this is to apply authentication to all interfaces using the af-interface default command.1/24. The only twist to the question is to perform authentication without the need for further configuration should there be additional peering to AS2. Any additional connections to AS2 should be encrypted using the same password without further configuration on R2 and R3.255.2.100. and advertise this and only this network to R3 from R2. Send flag is 0x0 Composite metric is (156260/128356).100. If you have configured this correctly.100.1 255.0. Configure a new loopback interface on R2 (Loopback 3) with an IP address of 150.101.0 0.0 R2(config-if)# router eigrp CCIE2 R2(config-router)# address-family ipv4 unicast autonomous-system 2 R2(config-router-af)# af-interface default R2(config-router-af-interface)# authentication mode hmac-sha-256 0 lake2aho3 R2(config-router-af-interface)# exit R2(config-router-af)# network 150. 
you have scored 2 points.Composite metric is (156160/128256).123.
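The offset-list arithmetic behind the Example 2-11 output (5100 versus 5103 microseconds, 156160 versus 156260), worked through as an added example that is not part of the original lab. It assumes the classic EIGRP composite metric with default K values, the IOS default loopback bandwidth and delay (8000000 Kbit, 5000 usec), and that IOS prints total delay as the scaled delay times 10 divided by 256; all function and variable names are illustrative.

```python
"""Classic EIGRP composite metric (default K values) and the effect of an
outbound offset-list, reproducing the figures printed in Example 2-11."""
from dataclasses import dataclass

SCALE = 256  # classic EIGRP multiplies the bandwidth and delay terms by 256

# Assumption: IOS defaults for a loopback interface. They reproduce the
# reported distance 128256 shown in the topology table on the page.
LOOPBACK_BW_KBPS = 8_000_000
LOOPBACK_DLY_USEC = 5000
# From the "show interface ... | include DLY" output on the page.
LINK_BW_KBPS = 100_000
LINK_DLY_USEC = 100


@dataclass(frozen=True)
class Vector:
    """Vector metric carried for one route."""
    min_bw_kbps: int   # lowest bandwidth along the path
    delay_scaled: int  # cumulative delay in tens of microseconds * 256

    @property
    def composite(self):
        # Integer division happens before scaling, as in the classic formula.
        return (10**7 // self.min_bw_kbps) * SCALE + self.delay_scaled

    @property
    def delay_usec(self):
        # Assumption: display arithmetic chosen to match the 5103 on the page.
        return self.delay_scaled * 10 // SCALE


def originate(bw_kbps, delay_usec):
    """Metric of a connected network as seen by the router that owns it."""
    return Vector(bw_kbps, (delay_usec // 10) * SCALE)


def advertise(vector, offset=0):
    """What a router sends; 'offset-list ... out N' adds N to the delay."""
    return Vector(vector.min_bw_kbps, vector.delay_scaled + offset)


def receive(vector, in_bw_kbps, in_delay_usec):
    """Fold the receiving interface into an advertised vector."""
    return Vector(min(vector.min_bw_kbps, in_bw_kbps),
                  vector.delay_scaled + (in_delay_usec // 10) * SCALE)


def r3_topology(offset_on_r2):
    """Return {neighbor: (metric computed on R3, reported distance)}."""
    lo2 = originate(LOOPBACK_BW_KBPS, LOOPBACK_DLY_USEC)
    table = {}
    for neighbor, offset in (("R1", 0), ("R2", offset_on_r2)):
        sent = advertise(lo2, offset)
        local = receive(sent, LINK_BW_KBPS, LINK_DLY_USEC)
        table[neighbor] = (local, sent.composite)
    return table


def feasible_distance(table):
    return min(local.composite for local, _ in table.values())


def successors(table):
    """Neighbors whose path equals the feasible distance (installed routes)."""
    fd = feasible_distance(table)
    return sorted(n for n, (local, _) in table.items() if local.composite == fd)


def feasible_successors(table):
    """Worse paths that still satisfy the feasibility condition (RD < FD)."""
    fd = feasible_distance(table)
    return sorted(n for n, (local, rd) in table.items()
                  if local.composite > fd and rd < fd)


if __name__ == "__main__":
    for offset in (0, 100):
        table = r3_topology(offset)
        print(f"offset-list value on R2: {offset}")
        for neighbor, (local, rd) in sorted(table.items()):
            print(f"  via {neighbor}: ({local.composite}/{rd}) "
                  f"delay {local.delay_usec} usec")
        print(f"  successors: {successors(table)}  "
              f"feasible successors: {feasible_successors(table)}")
```

With no offset R3 installs both neighbors as successors; with the offset of 100 only R1 remains, and R2 stays a feasible successor because its reported distance of 128356 is below the feasible distance of 156160.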

0. Consider using the show ip ospf interface command to verify your configuration.2. Each OSPF router should also have its Loopback 0 interface configured and advertised within OSPF as follows: (2 points) R4 Loopback 0 – Area 0 R5 Loopback 0 – Area 0 R6 Loopback 0 – Area 1 SW1 Loopback 0 – Area 2 SW2 Loopback 0 – Area 1 SW3 Loopback 0 – Area 2 SW4 Loopback 0 – Area 3 As per Lab 1.0/24 is subnetted. you have scored 2 points.0 [90/156160] via 120.123.0 R3(config-router-af)# sh ip route eigrp 2 150.101. 2 subnets D 150. as shown in Example 2-13. Did you notice that Area 0 is partitioned? If you have configured this correctly.2.123. all OSPF configuration where possible should not be configured under the process ID. 00:00:25. Example 2-13 Initial OSPF Configuration Click here to view code image R4(config)# interface Loopback 0 R4(config-if)# ip ospf 1 area 0 R4(config-if)# exit R4(config)# interface GigabitEthernet 0/1 R4(config-if)# ip ospf 1 area 1 R5(config)# interface Loopback 0 R5(config-if)# ip ospf 1 area 0 R5(config-if)# exit R5(config)# interface GigabitEthernet 0/1 . the question directs you to configure OSPF directly under the interfaces of the routers.2: OSPF Configure OSPF per Figure 2-6 using a process ID of 1. GigabitEthernet0/1 Section 2.100.101. the switches still require configuration under the OSPF process running this version of IOS.R3(config)# router eigrp CCIE2 R3(config-router)# address-family ipv4 unicast autonomous-system 2 R3(config-router-af)# af-interface default R3(config-router-af-interface)# authentication mode hmac-sha-256 0 lake2aho3 R3(config-router-af-interface)# exit R3(config-router-af)# network 120.100.

A virtual link between R4 and R5 would not work here because you would need to transit multiple OSPF areas.100. and R6-SW3.10.0. (4 points) A fundamental rule of the Open Shortest Path First (OSPF) Protocol is not to design your network with a partitioned backbone Area 0 or partition if of a failure condition occurs.63.63. You are required to configure a virtual link between R5 and Switch 3 to propagate Area 3 routes and similarly between R4 and R6.1 0.46.R5(config-if)# ip ospf 1 area 2 R6(config)# interface Loopback 0 R6(config-if)# ip ospf 1 area 1 R6(config-if)# interface GigabitEthernet 0/0 R6(config-if)# ip ospf 1 area 1 R6(config-if)# interface GigabitEthernet 0/1 R6(config-if)# ip ospf 1 area 3 SW1(config)# ip routing SW1(config)# router ospf 1 SW1(config-router)# network 120.2 0.0.0.0 area 3 SW3(config-router)# network 120.0 area 3 SW4(config-router)# network 120.9. .7.0 area 2 SW1(config-router)# network 120.53.1 0. Example 2-14 shows the required configuration to create virtual links between R5-SW3. as shown in Example 2-14.1 0. By then creating an additional virtual link between R6 and Switch 3.0.0 area 1 SW3(config)# ip routing SW3(config)# router ospf 1 SW3(config-router)# network 120.1 0.0.0 area 1 SW2(config-router)# net 120. ensure that your network can accommodate this issue.3 0.4 0.0.3 0.100.100.100.0.0.0.0.0. R4-R6.0 area 2 SW2(config)# ip routing SW2(config-if)# router ospf 1 SW2(config-router)# net 120.0.53. you have scored 4 points.100.1 0.0 area 2 SW4(config)# ip routing SW4(config)# router ospf 1 SW4(config-router)# network 120. The resulting routing table verification on Switch 4 shows all networks are being learned correctly post configuration. You are not permitted to form any Area 0 neighbor relationship directly between R4 and R5 to join Area 0.100.100.0 area 3 Area 0 is partitioned between R4 and R5.0. A tunnel between the two routers is also not permitted because this would form a direct neighbor relationship.0. 
the two effective halves of the network have been joined at an Area 0 level. If you have configured this correctly.0.0. Remember to configure all virtual links to the router ID of the remote router as opposed to the physical IP address on the corresponding interface.100.0.100.0.8.0 area 2 SW3(config-router)# network 120.

Vlan63 O IA 120.9.100.6.100. Vlan63 O IA 120.100.63.5.63.100.0/8 is variably subnetted.100.1 SW3(config-router)# router ospf 1 SW3(config-router)# area 2 virtual-link 120. 00:00:54.200. 00:00:54. 00:00:54. 00:00:54.8.100.4.1/32 [110/3] via 120. In fact.9.5. 2 masks O IA 120.4.100.3: Redistribution Perform a one-way redistribution of EIGRP AS2 into EIGRP AS1 on R3 using the following default metric: 1544 20000 255 1 1500.2. 10 subnets.200.6. Vlan63 O IA O IA 120. Inspection of the EIGRP topology table for the route on R3 shows that it is being advertised into EIGRP and that the router ID of R3 is 200. Vlan63 Section 2. Vlan63 O IA 120.63.46.6.100.200. 00:00:54.63.6.100. 00:00:54.3.9.100.100. Vlan63 O IA 120. Pre-lab configuration ensured that both R1 and R3 have the same Loopback 255 IP address.0.63.100.6.63.200.3.Example 2-14 OSPF Virtual-Link Configuration and Routing Table Verification Click here to view code image R5(config)# router ospf 1 R5(config-router)# area 2 virtual-link 120.1 SW4# sh ip route ospf 120. the router ID of R1 is also 200. 00:00:54.0.100.100.100.100.1 R6(config-router)# area 3 virtual-link 120.101. you would believe the only complexity would be that of modifying the next-hop attribute for R1.6.200.1/32 [110/3] via 120.6.0/24 [110/2] via 120. This is due to an inherent safety mechanism within EIGRP that will cause redistribution issues with routers that have duplicate EIGRP router IDs.0/24 [110/2] via 120.3.0/24 of R2.101.1/32 [110/2] via 120.100. Vlan63 120.0/24 is received on R3 but is absent on R1.100. Example 2-15 shows the redistribution configuration on R3.3.200.100. you would find that the AS2 route would not be seen on R1 post redistribution from R3.53.100.63.1/32 [110/3] via 120.1/32 [110/2] via 120.1 SW3(config-if)# router ospf 1 SW3(config-router)# area 3 virtual-link 120. which will force the router ID to be identical. Perform configuration only on R3 for this task.7.100. Upon inspection. The AS2 route of 150.2. similarly. 
Vlan63 O IA 120. (3 points) This is a simple redistribution question. 00:00:55. which would by default show as R3 for the AS2 route advertised by R2.1 R4(config)# router ospf 1 R4(config-router)# area 1 virtual-link 120.1/32 [110/3] via 120.100. Ensure that R1 shows a next hop for the AS1 advertised route of 150.1 R6(config-if)# router ospf 1 R6(config-router)# area 1 virtual-link 120.63. If you .

2.change the router ID of R3 to that of its Loopback 0 interface (120.2.2.123.200 (this system) AS number of route is 2 External protocol is EIGRP. you have scored 3 points.100.3.100.101. Route is External Vector metric: Minimum bandwidth is 100000 Kbit Total delay is 5100 microseconds Reliability is 255/255 Load is 1/255 Minimum MTU is 1500 Hop count is 1 External data: Originating router is 200. The EIGRP third-party next-hop feature can be used to modify the next-hop attribute with a router redistributing another routing protocol into EIGRP in a similar manner to that of BGP.200.101. Send flag is 0x0 Composite metric is (156160/128256). from Redistributed.2.123.1).0/24 State is Passive. from 120. Example 2-15 R3 EIGRP Redistribution Configuration and Verification Click here to view code image R3(config)# router eigrp CCIE R3(config-router)# address-family ipv4 unicast autonomous-system 1 R3(config-router-af)# topology base R3(config-router-af-topology)# redistribute eigrp 2 R1# show ip route 150.100. FD is 156160 Routing Descriptor Blocks: 120.101. but of course a next hop is shown as R3. external metric is 156160 Administrator tag is 0 (0x00000000) IP-EIGRP (AS 2): Topology entry for 150. If you have configured this correctly.0/24 IP-EIGRP (AS 1): Topology entry for 150.2. Query origin flag is 1.0 % Subnet not in table R3# show ip eigrp topology 150.101. as shown in Example 2-15.200.2. Route is Internal Vector metric: Minimum bandwidth is 100000 Kbit Total delay is 5100 microseconds Reliability is 255/255 Load is 1/255 . even though R2 resides on the same IP subnet as R1 and R2 and is the originating router. the route is then accepted by R1.0/24 State is Passive. Send flag is 0x0 Composite metric is (156160/0). Query origin flag is 1. FD is 156160 Routing Descriptor Blocks: 120. 1 Successor(s).123.2 (GigaEthernet0/1). 1 Successor(s).100.

200.101.Minimum MTU is 1500 Hop count is 1 R3# show ip eigrp topology | include ID IP-EIGRP Topology Table for AS(1)/ID(200.100.200.2.0/24 State is Passive. 1 Successor(s).0/24 State is Passive. Send flag is 0x0 Composite metric is (156160/128256).1 R3# show ip eigrp topology | include ID IP-EIGRP Topology Table for AS(1)/ID(120.3.200) IP-EIGRP Topology Table for AS(2)/ID(200.2 (GigabitEthernet0/1). Route is Internal Vector metric: Minimum bandwidth is 100000 Kbit Total delay is 5100 microseconds Reliability is 255/255 Load is 1/255 Minimum MTU is 1500 Hop count is 1 R1# show ip route 150.100.200.101.0/24 IP-EIGRP (AS 1): Topology entry for 150.3. Route is External Vector metric: Minimum bandwidth is 100000 Kbit Total delay is 5100 microseconds Reliability is 255/255 Load is 1/255 Minimum MTU is 1500 Hop count is 1 External data: Originating router is 120. external metric is 156160 Administrator tag is 0 (0x00000000) IP-EIGRP (AS 2): Topology entry for 150. 1 Successor(s).1) R3# show ip eigrp topology 150.0 .200.100.123.2.3. Send flag is 0x0 Composite metric is (156160/0).100.123.200) R1# show ip eigrp topology | include ID IP-EIGRP Topology Table for AS(1)/ID(200.1 (this system) AS number of route is 2 External protocol is EIGRP. Query origin flag is 1.200.200.100. Query origin flag is 1.101. from 120.2. FD is 156160 Routing Descriptor Blocks: 120.2.123.2.101.200) R1# R3(config)# router eigrp CCIE R3(config-router)# address-family ipv4 unicast autonomous-system 1 R3(config-router-af)# eigrp router-id 120. FD is 156160 Routing Descriptor Blocks: 120.2. from Redistributed.100.

which should appear as external type 2 routes and the following K values for OSPF rotes redistributed into EIGRP: 1544 20000 255 1 1500. traffic share count is 1 Total delay is 5200 microseconds. 00:03:06 ago. via GigabitEthernet0/0 Route metric is 158720. distance 170. you have scored 2 points.2 on Gigabit0/0.101. Example 2-16 shows the required configuration on R4 and R5 with verification of external EIGRP received routes on R3. traffic share count is 1 Total delay is 5200 microseconds.123. minimum bandwidth is 100000 Kbit Reliability 255/255.3.123.100.2. If you have configured this correctly.Routing entry for 150.3. Hops 1 Perform mutual redistribution of EIGRP AS1 and OSPF on R4 and R5. type external Redistributing via eigrp 1 Last update from 120. type external Redistributing via eigrp 1 Last update from 120. there are multiple routes with load-sharing potential. from 120.101.123.100. 00:03:06 ago Routing Descriptor Blocks: * 120. distance 170. 00:00:24 ago Routing Descriptor Blocks: * 120. minimum MTU 1500 bytes Loading 1/255. Because the metrics are identical on R4 and R5.0/24 Known via "eigrp 1". Hops 1 R3(config)# router eigrp CCIE R3(config-router)# address-family ipv4 unicast autonomous-system 1 R3(config-router-af)# af-interface GigabitEthernet0/1 R3(config-router-af-interface)# no next-hop-self R1# show ip route 150.2. via GigabitEthernet0/0 Route metric is 158720.123.100.3.2.100. 00:00:24 ago. from 120.100.2.0/24 Known via "eigrp 1".100. metric 158720.101.123. (2 points) This is an unambiguous redistribution question that sets the scene for the question that follows.123. Use a metric of 5000 for redistributed routes into OSPF. minimum MTU 1500 bytes Loading 1/255.3 on GigabitEthernet0/0. metric 158720. Example 2-16 R4 and R5 Redistribution Configuration and Verification on R3 Click here to view code image R4(config-router)# router ospf 1 R4(config-router)# redistribute eigrp 1 subnets .0 Routing entry for 150. 
minimum bandwidth is 100000 Kbit Reliability 255/255.

34. 00:05:07. GigabitEthernet0/0 D EX 120. 00:00:22. 00:00:23. 00:05:07.100.9.34. 00:07:17.100.100. 00:00:24.4.5.34.100. GigabitEthernet0/0 [170/6780416] via 120.1/32 [170/6780416] via 120.5. GigabitEthernet0/0 [170/6780416] via 120.R4(config-router)# default-metric 5000 R4(config-router)# router eigrp CCIE R4(config-router)# address-family ipv4 unicast autonomous-system 1 R4(config-router-af)# topology base R4(config-router-af-topology)# redistribute ospf 1 R4(config-router-af-topology)# default-metric 1544 20000 255 1 1500 R5(config-router)# router ospf 1 R5(config-router)# redistribute eigrp 1 subnets R5(config-router)# default-metric 5000 R5(config-router)# router eigrp CCIE R5(config-router)# address-family ipv4 unicast autonomous-system 1 R5(config-router-af)# topology base R5(config-router-af-topology)# redistribute ospf 1 R5(config-router-af-topology)# default-metric 1544 20000 255 1 1500 R3# show ip route eigrp 150.5. 00:01:51.4. 00:00:23. Gigabit0/1 120.0 [90/2297856] via 120. GigabitEthernet0/0 [170/6780416] via 120.34. GigabitEthernet0/0 [170/6780416] via 120.5. GigabitEthernet0/1 D 120.100.1.34.100.0/24 [90/156160] via 120. 00:07:17.0.101.34. GigabitEthernet0/0 .0/8 is variably subnetted.100.0/24 is subnetted.7.34. 00:00:23.100. 00:00:22.5.2. 00:00:22.100. 00:05:07. GigabitEthernet0/1 D 120.100.4.101.0.5. GigabitEthernet0/0 [170/6780416] via 120.1/32 [170/6780416] via 120.1/32 [170/6780416] via 120.100.4.34.100. GigabitEthernet0/0 D 120.1. 00:00:24.34.63.100.4.100. GigabitEthernet0/0 D EX 120.1.1/32 [170/6780416] via 120. 00:00:24.2.5. 00:05:05.0/16 [90/2172416] via 120.0/24 [90/156160] via 120.123.34. 00:00:22.123.100.4.100.0.4.100.34.34. 00:00:24.0/24 [90/2297856] via 120.4.34.100. GigabitEthernet0/0 D EX 120.100.100.100.100. 2 subnets D 150.100.100.100.1/32 [170/6780416] via 120. GigabitEthernet0/0 D 120.1/32 [170/6780416] via 120.100.10.0.100.100.4.123. 
GigabitEthernet0/0 [170/6780416] via 120.0/24 [90/2297856] via 120.1/32 [170/6780416] via 120.123.6.100.34. GigabitEthernet0/1 D EX 120.5.1.0/24 [170/6780416] via 120.100. 20 subnets.4.8. GigabitEthernet0/0 D 120.34.100.100. 00:00:22. GigabitEthernet0/0 D EX 120. 00:00:22. GigabitEthernet0/0 D EX 120. 3 masks D EX 120.100.5.1.34.5. GigabitEthernet0/0 D EX 120.

100.0/24 [90/2172416] via 120.5.34. type external Redistributing via eigrp 1 Last update from 120.63.34. 00:00:24.34.46.100. 00:05:07.0/24 received on R3 from R4 and R5.5.100.0/24 Known via "eigrp 1".2. the interface connecting to R4 or R5 cannot be modified on R3 because this would affect both routes.4.5.100.123. via GigabitEthernet0/0 Route metric is 6780416.100. If this route fails. GigabitEthernet0/0 [170/6780416] via 120. This simply enables the original route received from R5 to take precedence. By configuring a route map on R3 to match only the route source of R4. Similarly. Example 2-17 shows the required configuration and verification that the route is preferred via the R5.100. minimum MTU 1500 bytes .63.D EX D EX D D 120. 00:00:24.5 on GigabitEthernet0/0.0 Routing entry for 120. you can increase the metric for the required route (120. You will need a second permit statement on the route map (permit 20) to enable all other routes inbound to R3 to enter unaltered.100.63. 00:00:24. Example 2-17 also details the routing tables of each device to confirm redistribution from EIGRP into OSPF or vice versa.0/24 [170/6780416] via 120. distance 170.34.5) for this destination subnet.123. you have scored 3 points.4. GigabitEthernet0/1 120.200.34.4) should be used dynamically. 00:01:59 ago Routing Descriptor Blocks: 120.100. GigabitEthernet0/0 [170/6780416] via 120.0/24 (VLAN 63). minimum bandwidth is 1544 Kbit Reliability 255/255. If you have configured this correctly.100. 00:00:24.1. 00:01:59 ago.100.100. Example 2-17 R3 OSPF Redistribution Configuration and Verification Click here to view code image R3# show ip route 120.0/24 [170/6780416] via 120. (3 points) Example 2-20 shows both routes for 120. Configure only R3 to ensure that R3 routes via a next hop of R5 (120.100.100.0/24 [90/2172416] via 120.100.34. GigabitEthernet0/0 120.53. the route from R5 would enter the routing table automatically.34. GigabitEthernet0/0 120. from 120.100. 00:05:08. 
If the route from R5 is withdrawn.63.0/24). GigabitEthernet0/1 R3 will have equal-cost external EIGRP routes to the redistributed OSPF subnet 120. Because all routers share a common media.63. an offset list to manipulate delay would be of no use because you are permitted to configure only R3.100. The topology table shows that the R4 route is also present and that R4 is effectively the feasible successor for this network on this router.100.100.34. the route advertised from R4 (120.100. metric 6780416. You are therefore required to penalize the route received from R4 only to ensure that the R5-generated route is preferred on R3.5.100.34. as shown in Example 2-17.100. traffic share count is 1 Total delay is 200100 microseconds.

34.100. minimum MTU 1500 bytes Loading 1/255.0 Routing entry for 120.63.100.34. 00:00:21 ago.0 R3(config)# router eigrp CCIE R3(config-router)# address-family ipv4 unicast autonomous-system 1 R3(config-router-af)# topology base R3(config-router-af-topology)# distribute-list route-map PENALISEVLAN63 in GigabitEthernet0/0 R3(config-router-af-topology)# exit R3(config-router-af)# exit R3(config-router)# exit R3(config)# route-map PENALISE-VLAN63 permit 10 R3(config-route-map)# match ip address 2 R3(config-route-map)# match ip route-source 1 R3(config-route-map)# set metric +500000 R3(config-route-map)# route-map PENALISE-VLAN63 permit 20 R3# show ip route 120. distance 170. Send flag is 0x0 Composite metric is (6780416/6777856).100. minimum MTU 1500 bytes Loading 1/255. from 120.5. 00:00:21 ago Routing Descriptor Blocks: * 120.63.100. Route is External Vector metric: Minimum bandwidth is 1544 Kbit Total delay is 200100 microseconds Reliability is 255/255 Load is 1/255 Minimum MTU is 1500 . Query origin flag is 1. traffic share count is 1 Total delay is 200100 microseconds.100.100.255.0/24 Known via "eigrp 1".100.100.0/24 State is Passive.34. FD is 6780416 Routing Descriptor Blocks: 120. Hops 1 R3(config)# access-list 1 permit 120.5 on GigabitEthernet0/0. from 120.100.34.100. minimum bandwidth is 1544 Kbit Reliability 255/255.0 IP-EIGRP (AS 1): Topology entry for 120.100.63. 00:01:59 ago.34. Hops 1 * 120.34.255.4.5. type external Redistributing via eigrp 1 Last update from 120.100.5 (GigabitEthernet0/0).34.0 255.4. Hops 1 R3# show ip eigrp topology 120. metric 6780416. via GigabitEthernet0/0 Route metric is 6780416.63. traffic share count is 1 Total delay is 200100 microseconds. from 120.63.100. via GigabitEthernet0/0 Route metric is 6780416.4 R3(config)# access-list 2 permit 120.5.34.Loading 1/255. 1 Successor(s). minimum bandwidth is 1544 Kbit Reliability 255/255.

4. Example 2-18 shows the basic . and synchronization is disabled because the internal gateway protocol (IGP) will not be synchronized to BGP within this lab.5. This feature would. Autosummarization is disabled to ensure BGP does not summarize routes. R2-R3. R3-R5. Use of the command neighbor disable-connected-check on R6. the peering fails inbound and outbound from AS400. The question does. but it is considered good practice when you have more than one peer with a similar peering configuration.100.100. R6-SW4. be required for the peering from AS400 to AS300 and AS400 to AS200 because loopback interfaces are used for the external peering here.4. external metric is 2 Administrator tag is 0 (0x00000000) 120.1 AS number of route is 1 External protocol is OSPF.4 (GigabitEthernet0/0). eBGP R3-R4.1 AS number of route is 1 External protocol is OSPF. R4-SW2. and R5 as route reflectors within their own autonomous system.34. Use loopback interfaces to peer on all routers with the exception of peering between R3-R4 and R3-R5. The only way to fix this is to use a feature that disables connection verification to establish an external BGP (eBGP) peering session with a single-hop peer that uses a loopback interface. which peer from connected interfaces. and SW4 for the required peering allows the peering to be formed successfully.Hop count is 1 External data: Originating router is 120. dictate that you must not use ebgp.100. from 120.multihop. R4. Send flag is 0x0 Composite metric is (128000000/6777856). R5-SW3. unlike AS100 to AS200 and AS300. The question does not dictate that you must configure peer groups. Section 3: BGP (15 Points) Configure BGP peering per Figure 2-7 as follows: iBGP R1-R3. Without ebgp-multihop.100.34. Do not use the command ebgp-multihop within your configurations. SW4-SW3. R4-R6. 
external metric is 2 Administrator tag is 0 (0x00000000) Note The full IP routing tables of each device are provided within the accompanying configurations to verify your redistributed routes. (3 points) The restrictions within the internal Border Gateway Protocol (iBGP) peering require you to configure R3. R5-SW1. of course. however. Route is External Vector metric: Minimum bandwidth is 20 Kbit Total delay is 0 microseconds Reliability is 0/255 Load is 0/255 Minimum MTU is 0 Hop count is 1 External data: Originating router is 120. SW3.

peering configuration for BGP.100.100.100.3.34. the eBGP failure condition observed on peering to and from AS400.100.7.100.1 update-source Loopback0 R2(config)# router R2(config-router)# R2(config-router)# R2(config-router)# R2(config-router)# bgp 100 no auto-summary no synchronization neighbor 120. Example 2-18 BGP Peering Configuration and Verification Click here to view code image R1(config)# router R1(config-router)# R1(config-router)# R1(config-router)# R1(config-router)# bgp 100 no auto-summary no synchronization neighbor 120.1 peer-group AS300 . If you have configured this correctly. you have scored 3 points.100.1.100.5 remote-as 300 R4(config)# router R4(config-router)# R4(config-router)# R4(config-router)# R4(config-router)# R4(config-router)# R4(config-router)# R4(config-router)# R4(config-router)# R4(config-router)# R4(config-router)# bgp 200 router bgp 200 no auto-summary no synchronization neighbor AS200 peer-group neighbor AS200 remote-as 200 neighbor AS200 update-source Loopback0 neighbor AS200 route-reflector-client neighbor 120.100.3 remote-as 100 R5(config)# router R5(config-router)# R5(config-router)# R5(config-router)# R5(config-router)# R5(config-router)# R5(config-router)# R5(config-router)# bgp 300 no auto-summary no synchronization neighbor AS300 peer-group neighbor AS300 remote-as 300 neighbor AS300 update-source Loopback0 neighbor AS300 route-reflector-client neighbor 120.100.3.3.1 peer-group AS100 neighbor AS100 route-reflector-client neighbor 120.3.1 update-source Loopback0 R3(config)# router R3(config-router)# R3(config-router)# R3(config-router)# R3(config-router)# R3(config-router)# R3(config-router)# R3(config-router)# R3(config-router)# R3(config-router)# R3(config-router)# bgp 100 no auto-summary no synchronization neighbor AS100 peer-group neighbor AS100 remote-as 100 neighbor AS100 update-source Loopback0 neighbor 120.8.100.1 remote-as 100 neighbor 120.1 peer-group AS100 neighbor 120.100.34.1 peer-group AS200 neighbor 120.34.1 
peer-group AS200 neighbor 120.100. and the required configuration to rectify the condition.6.2.4 remote-as 200 neighbor 120.1 remote-as 100 neighbor 120.

R5(config-router)# neighbor 120.100.9.1 peer-group AS300
R5(config-router)# neighbor 120.100.34.3 remote-as 100
R6(config)# router bgp 200
R6(config-router)# no auto-summary
R6(config-router)# no synchronization
R6(config-router)# neighbor 120.100.4.1 remote-as 200
R6(config-router)# neighbor 120.100.4.1 update-source Loopback0
R6(config-router)# neighbor 120.100.10.1 remote-as 400
R6(config-router)# neighbor 120.100.10.1 update-source Loopback0

SW1(config)# router bgp 300
SW1(config-router)# no auto-summary
SW1(config-router)# no synchronization
SW1(config-router)# neighbor 120.100.5.1 remote-as 300
SW1(config-router)# neighbor 120.100.5.1 update-source Loopback0

SW2(config)# router bgp 200
SW2(config-router)# no auto-summary
SW2(config-router)# no synchronization
SW2(config-router)# neighbor 120.100.4.1 remote-as 200
SW2(config-router)# neighbor 120.100.4.1 update-source Loopback0

SW3(config)# router bgp 300
SW3(config-router)# no auto-summary
SW3(config-router)# no synchronization
SW3(config-router)# neighbor 120.100.5.1 remote-as 300
SW3(config-router)# neighbor 120.100.5.1 update-source Loopback0
SW3(config-router)# neighbor 120.100.10.1 remote-as 400
SW3(config-router)# neighbor 120.100.10.1 update-source Loopback0

SW4(config)# router bgp 400
SW4(config-router)# no auto-summary
SW4(config-router)# no synchronization
SW4(config-router)# neighbor 120.100.6.1 remote-as 200
SW4(config-router)# neighbor 120.100.6.1 update-source Loopback0
SW4(config-router)# neighbor 120.100.9.1 remote-as 300
SW4(config-router)# neighbor 120.100.9.1 update-source Loopback0

SW4# sh ip bgp neigh 120.100.6.1 | include External
External BGP neighbor not directly connected.
SW4# show ip bgp neighbors 120.100.9.1 | include External
External BGP neighbor not directly connected.
SW4#
SW4# sh ip bgp neighbors 120.100.6.1 | include active
No active TCP connection
SW4# sh ip bgp neighbors 120.100.9.1 | include active
No active TCP connection

SW4(config-router)# neighbor 120.100.6.1 disable-connected-check
SW4(config-router)# neighbor 120.100.9.1 disable-connected-check
R6(config-router)# neighbor 120.100.10.1 disable-connected-check

SW3(config-router)# neighbor 120.100.10.1 disable-connected-check
SW4# show ip bgp neighbors 120.100.6.1 | include Established
BGP state = Established, up for 00:02:01
SW4# show ip bgp neighbors 120.100.9.1 | include Established
BGP state = Established, up for 00:02:05

You will also find peering issues between R1 and R3. Example 2-19 shows the routers
informing each other that they have an incorrect BGP identifier. This is simply because both
routers have an identical loopback interface address of 200.200.200.200, which is used as the BGP
identifier. By changing the ID of one router, the peering is established. It does not matter what
you change the ID to, but it needs to be unique; the Loopback 0 interface would be a good
choice. No extra points for this task because this is part of the original peering.
Example 2-19 R1 and R3 Peering Issue Configuration and Verification

R1# * 19:30:13.287: %BGP-3-NOTIFICATION: sent to neighbor 120.100.3.1 2/3 (BGP identifier wrong) 4 bytes C8C8C8C8
R3# * 19:25:30.043: %BGP-3-NOTIFICATION: received from neighbor 120.100.1.1 2/3 (BGP identifier wrong) 4 bytes C8C8C8C8
R1# show ip bgp summary | include identifier
BGP router identifier 200.200.200.200, local AS number 100
R3# show ip bgp summary | include identifier
BGP router identifier 200.200.200.200, local AS number 100
R1(config-router)# bgp router-id 120.100.1.1
*19:34:45.467: %BGP-5-ADJCHANGE: neighbor 120.100.3.1 Up
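
The following is an added example, not part of the lab's own material: it decodes the two NOTIFICATION log lines from Example 2-19 and checks a set of "show ip bgp summary | include identifier" outputs for routers that share a BGP identifier. The function names and the post-fix sample output are assumptions made for the illustration.

```python
import ipaddress
import re

# NOTIFICATION error codes and OPEN-message subcodes from RFC 4271, section 4.5.
ERROR_CODES = {1: "Message Header Error", 2: "OPEN Message Error",
               3: "UPDATE Message Error", 4: "Hold Timer Expired",
               5: "Finite State Machine Error", 6: "Cease"}
OPEN_SUBCODES = {1: "Unsupported Version Number", 2: "Bad Peer AS",
                 3: "Bad BGP Identifier", 4: "Unsupported Optional Parameter",
                 6: "Unacceptable Hold Time"}

NOTIFICATION = re.compile(
    r"%BGP-3-NOTIFICATION: (sent to|received from) neighbor (\S+)\s+"
    r"(\d+)/\s*(\d+) \(([^)]*)\) (\d+) bytes ([0-9A-Fa-f]+)")
IDENTIFIER = re.compile(r"BGP router identifier (\S+), local AS number (\d+)")

# The two log messages from Example 2-19, each joined onto a single line.
LOG_LINES = [
    "R1# * 19:30:13.287: %BGP-3-NOTIFICATION: sent to neighbor 120.100.3.1 "
    "2/3 (BGP identifier wrong) 4 bytes C8C8C8C8",
    "R3# * 19:25:30.043: %BGP-3-NOTIFICATION: received from neighbor "
    "120.100.1.1 2/3 (BGP identifier wrong) 4 bytes C8C8C8C8",
]

# Identifier lines as shown in Example 2-19 before the fix.
SUMMARY_BEFORE = {
    "R1": "BGP router identifier 200.200.200.200, local AS number 100",
    "R3": "BGP router identifier 200.200.200.200, local AS number 100",
}
# Constructed sample: R1 after "bgp router-id 120.100.1.1" has been applied.
SUMMARY_AFTER = {
    "R1": "BGP router identifier 120.100.1.1, local AS number 100",
    "R3": "BGP router identifier 200.200.200.200, local AS number 100",
}


def decode_notification(line):
    """Return the fields of a %BGP-3-NOTIFICATION line, or None if absent."""
    m = NOTIFICATION.search(line)
    if m is None:
        return None
    direction, neighbor, code, subcode, text, length, data = m.groups()
    code, subcode, raw = int(code), int(subcode), bytes.fromhex(data)
    result = {
        "direction": direction,
        "neighbor": neighbor,
        "error": ERROR_CODES.get(code, "unknown"),
        "suberror": OPEN_SUBCODES.get(subcode, "unknown") if code == 2 else None,
        "ios_text": text,
        "length_ok": int(length) == len(raw),
    }
    # In Example 2-19 the 4 data bytes decode to the duplicated identifier.
    if (code, subcode) == (2, 3) and len(raw) == 4:
        result["rejected_identifier"] = str(ipaddress.IPv4Address(raw))
    return result


def duplicate_router_ids(summaries):
    """Map each BGP identifier used by more than one host to those hosts."""
    by_id = {}
    for host, text in summaries.items():
        m = IDENTIFIER.search(text)
        if m:
            by_id.setdefault(m.group(1), []).append(host)
    return {rid: sorted(hosts) for rid, hosts in by_id.items() if len(hosts) > 1}


if __name__ == "__main__":
    for line in LOG_LINES:
        print(decode_notification(line))
    print("before:", duplicate_router_ids(SUMMARY_BEFORE))
    print("after: ", duplicate_router_ids(SUMMARY_AFTER))
```
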

Routers R1 and R2 in AS100 should be made to passively accept only BGP sessions. R3
should be configured to actively create only BGP sessions to R1 and R2 within AS100. (3
points)
By default, a BGP speaker attempts to open a session on TCP port 179 with each configured peer,
so a normal peering arrangement sees two sessions being established to build a successful
neighbor relationship. This behavior can be modified so that sessions are established only
inbound or only outbound. The solution to the question is achieved by configuring the neighbor
transport connection-mode to passive (only inbound connections will be established) on R1 and R2
and active (only outbound sessions will be established) on R3. You must manually activate each
neighbor on each router for the solution to work effectively. If you have configured this
correctly, as shown in Example 2-20, you have scored 3 points. Consider using the show ip bgp
summary command to verify your configuration.
Example 2-20 R1, R2, and R3 Connection Mode Configuration

R1(config)# router bgp 100
R1(config-router)# neighbor 120.100.3.1 transport connection-mode passive
R1(config-router)# neighbor 120.100.3.1 activate
R2(config)# router bgp 100
R2(config-router)# neighbor 120.100.3.1 transport connection-mode passive
R2(config-router)# neighbor 120.100.3.1 activate
R3(config)# router bgp 100
R3(config-router)# neighbor AS100 transport connection-mode active
R3(config-router)# neighbor 120.100.1.1 activate
R3(config-router)# neighbor 120.100.2.1 activate
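
The following is an added example, not part of the lab's own material: it audits connection-mode settings across both ends of each AS100 session, resolving peer-group inheritance on R3, and uses the definitions given above (passive accepts inbound only, active opens outbound only) to decide whether a session can form. The configuration text is assembled from Examples 2-18 and 2-20; the function names and the broken variant are assumptions made for the illustration.

```python
import ipaddress
import re

NEIGHBOR = re.compile(r"^\s*neighbor\s+(\S+)\s+(.*)$")

# Loopback 0 addresses used for the AS100 peerings in this lab.
LOOPBACKS = {"R1": "120.100.1.1", "R2": "120.100.2.1", "R3": "120.100.3.1"}

CONFIGS = {
    "R1": """router bgp 100
 neighbor 120.100.3.1 remote-as 100
 neighbor 120.100.3.1 update-source Loopback0
 neighbor 120.100.3.1 transport connection-mode passive""",
    "R2": """router bgp 100
 neighbor 120.100.3.1 remote-as 100
 neighbor 120.100.3.1 update-source Loopback0
 neighbor 120.100.3.1 transport connection-mode passive""",
    "R3": """router bgp 100
 neighbor AS100 peer-group
 neighbor AS100 remote-as 100
 neighbor AS100 update-source Loopback0
 neighbor AS100 transport connection-mode active
 neighbor 120.100.1.1 peer-group AS100
 neighbor 120.100.2.1 peer-group AS100""",
}
# Constructed failure case: R3 is set to passive as well.
BROKEN = dict(CONFIGS, R3=CONFIGS["R3"].replace("connection-mode active",
                                                "connection-mode passive"))


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def effective_modes(config):
    """Map each neighbor address to its connection mode (None = default)."""
    direct, group_mode, member_of, peers = {}, {}, {}, set()
    for line in config.splitlines():
        m = NEIGHBOR.match(line)
        if not m:
            continue
        target, rest = m.group(1), m.group(2).split()
        if not rest:
            continue
        if _is_ip(target):
            peers.add(target)
        if rest[:2] == ["transport", "connection-mode"] and len(rest) == 3:
            (direct if _is_ip(target) else group_mode)[target] = rest[2]
        elif rest[0] == "peer-group" and len(rest) == 2 and _is_ip(target):
            member_of[target] = rest[1]
    # A per-neighbor setting wins over the one inherited from the peer group.
    return {p: direct.get(p, group_mode.get(member_of.get(p))) for p in peers}


def can_initiate(mode):
    return mode in (None, "active")


def can_accept(mode):
    return mode in (None, "passive")


def audit_sessions(configs, loopbacks):
    """Return (a, b, mode_a, mode_b, viable) for every configured pair."""
    owner = {ip: name for name, ip in loopbacks.items()}
    modes = {name: effective_modes(text) for name, text in configs.items()}
    findings = []
    for a in sorted(configs):
        for peer_ip, mode_a in sorted(modes[a].items()):
            b = owner.get(peer_ip)
            if b is None or b not in configs or b <= a:
                continue
            if loopbacks[a] not in modes[b]:
                findings.append((a, b, mode_a or "default", "unconfigured", False))
                continue
            mode_b = modes[b][loopbacks[a]]
            viable = ((can_initiate(mode_a) and can_accept(mode_b)) or
                      (can_initiate(mode_b) and can_accept(mode_a)))
            findings.append((a, b, mode_a or "default", mode_b or "default", viable))
    return findings


if __name__ == "__main__":
    for label, cfg in (("lab solution", CONFIGS), ("broken", BROKEN)):
        for finding in audit_sessions(cfg, LOOPBACKS):
            print(label, finding)
```

With both ends passive, neither router opens the TCP connection, so the audit reports the session as not viable.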

Configure the following loopback interfaces on R3 and SW4; advertise these networks
into BGP using the network command: (2 points)
R3 – Loopback interface 5 (152.100.100.1/24)
SW4 – Loopback interface 5 (152.200.32.1/24)
SW4 – Loopback interface 6 (152.200.33.1/24)
SW4 – Loopback interface 7 (152.200.34.1/24)
SW4 – Loopback interface 8 (152.200.35.1/24)
This simple question creates BGP routes for the following task. If you have configured this
correctly, as shown in Example 2-21, you have scored 2 points.
Example 2-21 R3 and SW4 Network Advertisement Configuration and Verification

R3(config)# interface Loopback5
R3(config-if)# ip address 152.100.100.1 255.255.255.0
R3(config-if)# router bgp 100
R3(config-router)# network 152.100.100.0 mask 255.255.255.0
SW4(config)# interface Loopback5
SW4(config-if)# ip address 152.200.32.1 255.255.255.0
SW4(config-if)# interface Loopback6
SW4(config-if)# ip address 152.200.33.1 255.255.255.0

SW4(config-if)# interface Loopback7
SW4(config-if)# ip address 152.200.34.1 255.255.255.0
SW4(config-if)# interface Loopback8
SW4(config-if)# ip address 152.200.35.1 255.255.255.0
SW4(config-if)# router bgp 400
SW4(config-router)# network 152.200.32.0 mask 255.255.255.0
SW4(config-router)# network 152.200.33.0 mask 255.255.255.0
SW4(config-router)# network 152.200.34.0 mask 255.255.255.0
SW4(config-router)# network 152.200.35.0 mask 255.255.255.0
R3# show ip bgp
BGP table version is 10, local router ID is 200.200.200.200
Status codes: s suppressed, d damped, h history, * valid, > best, i internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network           Next Hop         Metric LocPrf Weight Path
*> 152.100.100.0/24  0.0.0.0               0         32768 i
*  152.200.32.0/24   120.100.34.4                        0 200 400 i
*>                   120.100.34.5                        0 300 400 i
*  152.200.33.0/24   120.100.34.4                        0 200 400 i
*>                   120.100.34.5                        0 300 400 i
*  152.200.34.0/24   120.100.34.4                        0 200 400 i
*>                   120.100.34.5                        0 300 400 i
*  152.200.35.0/24   120.100.34.4                        0 200 400 i
*>                   120.100.34.5                        0 300 400 i

Configure R3 to inform R4 that it does not want to receive routes advertised from SW4
for networks 152.200.33.0/24, 152.200.34.0/24, and 152.200.35.0/24. Achieve this in
such a manner that R4 does not actually advertise these routes toward R3. You may also
configure R4. (4 points)
BGP has a prefix-based outbound route filtering (ORF) mechanism in which peers send and receive
capabilities to minimize the BGP updates sent between them. Advertising the ORF capability
indicates that a peer will accept a prefix list from a neighbor and apply it locally, to avoid
the unnecessary sending of routes that would be blocked by the receiver anyway. R3 is therefore
configured with a prefix list that blocks the required routes generated from SW4, and this list
is sent via ORF to R4. R4 is configured to receive this prefix list via ORF, and the routes are
blocked outbound at R4. Example 2-22 shows the required ORF and prefix-list filtering with the
resulting outbound advertisement on R4. The BGP table on R3 is also displayed, showing that the
routes are no longer being received from R4 and are received solely from R5. If you have
configured this correctly, as shown in Example 2-22, you have scored 4 points.
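
The following is an added example, not part of the lab's own material: it evaluates the FILTER prefix list the way R4 applies it outbound once received via ORF, using first-match-wins ordering, ge/le length matching and the implicit deny. The pairing of sequence numbers 5, 10 and 15 with the three denied prefixes is an assumption (the order of the denies does not change the result), as are the function names and the two weakened variants.

```python
import ipaddress
import re

ENTRY = re.compile(
    r"ip prefix-list (\S+) seq (\d+) (permit|deny) (\S+)"
    r"(?: ge (\d+))?(?: le (\d+))?\s*$")

# Prefix list R3 sends to R4 via ORF (seq-to-prefix pairing assumed).
FILTER = """\
ip prefix-list FILTER seq 5 deny 152.200.33.0/24
ip prefix-list FILTER seq 10 deny 152.200.34.0/24
ip prefix-list FILTER seq 15 deny 152.200.35.0/24
ip prefix-list FILTER seq 20 permit 0.0.0.0/0 le 32
"""
# Constructed variants showing two common mistakes.
FILTER_NO_LE = FILTER.replace(" le 32", "")           # permits only 0.0.0.0/0
FILTER_NO_PERMIT = "\n".join(FILTER.splitlines()[:3])  # implicit deny remains

# The SW4 networks R4 would otherwise advertise to R3.
SW4_ROUTES = ["152.200.32.0/24", "152.200.33.0/24",
              "152.200.34.0/24", "152.200.35.0/24"]


def parse_prefix_list(text):
    """Return entries as (seq, action, network, ge, le), ordered by seq."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        _name, seq, action, prefix, ge, le = m.groups()
        entries.append((int(seq), action, ipaddress.ip_network(prefix),
                        int(ge) if ge else None, int(le) if le else None))
    return sorted(entries, key=lambda e: e[0])


def entry_matches(entry, route):
    """Prefix-list match: route inside the entry's network, length in range."""
    _seq, _action, net, ge, le = entry
    if not route.subnet_of(net):
        return False
    if ge is None and le is None:
        return route.prefixlen == net.prefixlen  # exact-length match only
    low = ge if ge is not None else net.prefixlen
    high = le if le is not None else net.max_prefixlen
    return low <= route.prefixlen <= high


def evaluate(entries, prefix):
    """Return 'permit' or 'deny' for one prefix; no match means deny."""
    route = ipaddress.ip_network(prefix)
    for entry in entries:
        if entry_matches(entry, route):
            return entry[1]
    return "deny"


def advertised(prefix_list_text, candidates):
    """Prefixes the sender still advertises after applying the ORF list."""
    entries = parse_prefix_list(prefix_list_text)
    return [p for p in candidates if evaluate(entries, p) == "permit"]


if __name__ == "__main__":
    print("lab list:      ", advertised(FILTER, SW4_ROUTES))
    print("without le 32: ", advertised(FILTER_NO_LE, SW4_ROUTES))
    print("without seq 20:", advertised(FILTER_NO_PERMIT, SW4_ROUTES))
```

Only 152.200.32.0/24 survives the lab's list, which is the single prefix the task leaves R4 advertising to R3.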
Example 2-22 BGP ORF Configuration and Verification

33.0/24 R3(config)# ip prefix-list FILTER seq 10 deny 152. d damped.10. so you are forced to use multiple permit statements with the same autonomous system prepend statement.5 Metric LocPrf Weight Path 0 32768 i 0 200 400 0 300 400 0 300 400 0 300 400 0 300 400 i i i i i Configure a route map on R5 that prepends its local autonomous system an additional two times for network 152.0. The route map may contain multiple permit statements.34.200.34.0/24 as received initially on R3 from R5 with an autonomous system path of 300-400.0/24 Next Hop 120. r RIB-failure. After configuration of the route map to prepend the route on R5 twice.5 152.0.200.32.34. e .34.200.100. the network is received on R3 . ? .3 capability orf prefix-list receive R4(config-router)# exit R4(config)# exit R4# show ip bgp neighbors 120.33.34. local router ID is 200.0.EGP.0/0 le 32 R4(config)# router bgp 200 R4(config-router)# neighbor 120.200 Status codes: s suppressed.0/24 120. i internal. S Stale Origin codes: i . S Stale Origin codes: i . but the question restricts this.4 prefix-list FILTER in R3(config)# ip prefix-list FILTER seq 5 deny 152.200.EGP.0/24 R3(config)# ip prefix-list FILTER seq 20 permit 0.0.0 152.incomplete *> *> * *> *> *> Network Next Hop 152. h history.200.5 152.incomplete Network *>i152.3 advertised-routes BGP table version is 17. r RIB-failure. i internal.100. local router ID is 120.34.34.200.0/24 120. e .0/24 120.200.4.200.IGP.100.200.100.35.34.1 Status codes: s suppressed. but only one prepend is permitted per line.100.0/24 when advertised to R3.0/24 120.200.32.34. * valid.100. Example 2-22 shows the route 152. d damped.0/24 0. h history.35.IGP.4 capability orf prefix-list send R3(config-router)# neighbor 120.1 Metric LocPrf Weight Path 0 100 0 400 i Total number of prefixes 1 R3# clear ip bgp * R3# show ip bgp BGP table version is 6. > best.5 152.34.100.R3(config)# router bgp 100 R3(config-router)# neighbor 120.100.4 120.100.34.100.100.100.32. 
* valid.32.0/24 R3(config)# ip prefix-list FILTER seq 15 deny 152. Normally you would prepend the same autonomous system number multiple times within the same permit statement. > best.200. (3 points) This is a simple autonomous system path prepend question. ? .200. or so it seems.100.

e . i internal.200. Rather than dropping out of the route map after successful execution of the permit 10 statement. S Stale Origin codes: i .200.34.EGP.incomplete Network Next Hop Metric LocPrf Weight Path . the router is forced to evaluate the permit 20 line. r RIB-failure.200. and the route map will then not evaluate any additional route map entries and simply drops out.200.0/24 120. S Stale Origin codes: i .5 Metric LocPrf Weight Path 0 32768 i 0 200 400 0 300 400 0 300 400 0 300 400 0 300 400 i i i i i R5(config)# router bgp 300 R5(config-router)# neighbor 120.100. ? .100.0 152.5 152.34.IGP. By configuring a continue 20 statement within the permit 10 line.with an autonomous system path of 300-300-400.34.0 R5(config)# route-map PREPEND permit 10 R5(config-route-map)# match ip address 1 R5(config-route-map)# set as-path prepend 300 R5(config-route-map)# route-map PREPEND permit 20 R5(config-route-map)# match ip address 1 R5(config-route-map)# set as-path prepend 300 R5(config-route-map)# route-map PREPEND permit 30 R3# show ip bgp BGP table version is 6. h history.100.5 152.200. d damped.incomplete *> *> * *> *> *> Network Next Hop 152. in fact.0. so the permit 20 statement is never actually executed. i internal.EGP. h history. you have scored 3 points.200.100.0/24 0. as shown in Example 2-23.200. > best.0/24 120.34. the final verification within Example 2-23 shows the route received on R3 with successful prepend applied by R5. local router ID is 200. d damped.5 152.200 Status codes: s suppressed.32. the route has been prepended only once. e .100. This might look like the route has indeed been prepended twice. The problem is that the route map permit 10 statement on R3 has been executed.34.100. * valid. * valid.0/24 120.100.0/24 120. but the question requests an “additional” two times.34. r RIB-failure.35. ? .34. If you have configured this correctly. local router ID is 200.3 route-map PREPEND out R5(config-router)# exit R5(config)# access-list 1 permit 152.200. 
> best.0.32.4 120.100.200 Status codes: s suppressed.200.33.IGP. Example 2-23 R5 Prepend Configuration and Verification Click here to view code image R3# show ip bgp BGP table version is 6.

5 120. tunnel specifics are provided in later questions.incomplete Network *> 152.5 120.4 120.200.34.100.100.35.5 120.200.34.34.100. local router ID is 200.0. > best. d damped.0.0/24 * 300 400 i *> 152.34.200.5 Metric LocPrf Weight Path 0 32768 i 0 200 400 i 0 300 300 120. h history.34.200.0.100.0 120.0/24 *> 152.0/24 *> 152.34.0/24 0.100.100.200.IGP. * valid.200.4 120.34.100.200.0/24 * 400 i *> 152. so just creating the tunnel interfaces and configuring an IPv6 address is required .34.200.32.33.100.5 120.100.100.35.33.5 120. ? . Example 2-24 shows the initial IPv6 configuration.*> 152.34.200 Status codes: s suppressed.0/24 *> 152.32.200. e . r RIB-failure.0 120.0/24 *> 152.34. i internal.0/24 *> 152.100. S Stale Origin codes: i .5 0 300 400 i 0 300 400 i 0 300 400 i Section 4: IPv6 (12 Points) Configure IPv6 addresses on your network as follows: 2007:C15:C0:10::1/64 – R1 Gi0/1 2007:C15:C0:11::1/64 – R1 tunnel0 2007:C15:C0:11::3/64 – R3 tunnel0 2007:C15:C0:12::2/64 – R2 tunnel0 2007:C15:C0:12::3/64 – R3 tunnel1 2007:C15:C0:13::2/64 – R2 fe0/1 2007:C15:C0:14::3/64 – R3 Gi0/0 2007:C15:C0:14::4/64 – R4 Gi0/0 2007:C15:C0:14::5/64 – R5 Gi0/0 2007:C15:C0:15::4/64 – R4 Gi0/1 2007:C15:C0:15::6/64 – R6 Gi0/0 The prerequisite to the following questions is configuration of the IPv6 addresses and tunnel interfaces.0/24 *> 152.5 0 32768 i 0 200 400 i 0 300 300 0 300 400 i 0 300 400 i 0 300 400 i R5(config)# route-map PREPEND permit 10 R5(config-route-map)# continue 20 R3# clear ip bgp * R3# show ip bgp BGP table version is 6.EGP.0.0/24 Next Hop 0.200.100.100.100.34.34.

at this point. No points are on offer here for this task, unfortunately. Consider using the show ipv6 interface brief command for a quick check of your interface configuration.

Example 2-24 IPv6 Initial Configuration
R1(config)# ipv6 unicast-routing
R1(config)# interface GigabitEthernet0/1
R1(config-if)# ipv6 address 2007:C15:C0:10::1/64
R1(config-if)# interface tunnel0
R1(config-if)# ipv6 address 2007:C15:C0:11::1/64
R2(config)# ipv6 unicast-routing
R2(config)# interface fastethernet 0/1
R2(config-if)# ipv6 address 2007:C15:C0:13::2/64
R2(config-if)# interface tunnel0
R2(config-if)# ipv6 address 2007:C15:C0:12::2/64
R3(config)# ipv6 unicast-routing
R3(config)# int GigabitEthernet0/0
R3(config-if)# ipv6 address 2007:C15:C0:14::3/64
R3(config-if)# interface tunnel0
R3(config-if)# ipv6 address 2007:C15:C0:11::3/64
R3(config-if)# interface tunnel1
R3(config-if)# ipv6 address 2007:C15:C0:12::3/64
R4(config)# ipv6 unicast-routing
R4(config)# interface GigabitEthernet0/0
R4(config-if)# ipv6 address 2007:C15:C0:14::4/64
R4(config-if)# interface GigabitEthernet0/1
R4(config-if)# ipv6 address 2007:C15:C0:15::4/64
R5(config)# ipv6 unicast-routing
R5(config)# interface GigabitEthernet0/0
R5(config-if)# ipv6 address 2007:C15:C0:14::5/64
R6(config)# ipv6 unicast-routing
R6(config)# interface GigabitEthernet0/0
R6(config-if)# ipv6 address 2007:C15:C0:15::6/64

Section 4.1: EIGRPv6
Configure EIGRPv6 with an autonomous system of 6 between R1, R2, and R3. EIGRPv6 should not be enabled directly under the interfaces of the routers. Build your tunnels from R1 to R3 and R2 to R3 with source interfaces from VLAN 132 to advertise IPv6 edge networks from each router using ipv6ip mode. (2 points)

This is a straightforward EIGRPv6 configuration that requires the autonomous system number of 6 enabled by the address-family ipv6 command under the existing EIGRP process as opposed to enabling EIGRPv6 under each interface. The tunnel mode of ipv6ip is supplied within the question for the manually configured IPv6 tunnel. The source interfaces of each tunnel are the VLAN 132 Ethernet interfaces, which provides connectivity from R3 to R2 and R1. You should ensure that you make the IPv6-enabled interface on R3, which will actually belong to the OSPFv3 domain, passive within EIGRPv6 as a matter of good practice. If you have configured this correctly, as shown in Example 2-25, you have scored 2 points.

Example 2-25 EIGRPv6 Configuration and Verification
R1(config-if)# interface Tunnel0
R1(config-if)# tunnel source Gigabit0/0
R1(config-if)# tunnel destination 120.100.123.3
R1(config-if)# tunnel mode ipv6ip
R1(config-if)# router eigrp CCIE
R1(config-router)# address-family ipv6 unicast autonomous-system 6
R1(config-router-af)# af-interface Tunnel0
R1(config-router-af-interface)# no shutdown
R1(config-router-af-interface)# af-interface Gigabit0/1
R1(config-router-af-interface)# no shutdown
R2(config-if)# interface Tunnel0
R2(config-if)# tunnel source fastethernet0/0
R2(config-if)# tunnel destination 120.100.123.3
R2(config-if)# tunnel mode ipv6ip
R2(config-if)# router eigrp CCIE
R2(config-router)# address-family ipv6 unicast autonomous-system 6
R2(config-router-af)# af-interface Tunnel0
R2(config-router-af-interface)# no shutdown
R2(config-router-af-interface)# af-interface fastethernet0/1
R2(config-router-af-interface)# no shutdown
R3(config-if)# interface Tunnel0
R3(config-if)# tunnel source Gigabit0/1
R3(config-if)# tunnel destination 120.100.123.1
R3(config-if)# tunnel mode ipv6ip
R3(config-if)# interface Tunnel1
R3(config-if)# tunnel source Gigabit0/1
R3(config-if)# tunnel destination 120.100.123.2
R3(config-if)# tunnel mode ipv6ip
R3(config-if)# router eigrp CCIE
R3(config-router)# address-family ipv6 unicast autonomous-system 6
R3(config-router-af)# af-interface GigabitEthernet0/0
R3(config-router-af-interface)# passive-interface

R3(config-router-af-interface)# no shutdown
R3(config-router-af-interface)# af-interface Tunnel0
R3(config-router-af-interface)# no shutdown
R3(config-router-af-interface)# af-interface Tunnel1
R3(config-router-af-interface)# no shutdown
R1# show ipv6 route eigrp
IPv6 Routing Table - 8 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route, M - MIPv6
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
D   2007:C15:C0:12::/64 [90/310044416]
     via FE80::7864:7B03, Tunnel0
D   2007:C15:C0:13::/64 [90/310070016]
     via FE80::7864:7B03, Tunnel0
R2# show ipv6 route eigrp
IPv6 Routing Table - 8 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route, M - MIPv6
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
D   2007:C15:C0:10::/64 [90/310070016]
     via FE80::7864:7C03, Tunnel0
D   2007:C15:C0:11::/64 [90/310044416]
     via FE80::7864:7C03, Tunnel0
R3# show ipv6 route eigrp
IPv6 Routing Table - 9 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route, M - MIPv6
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
D   2007:C15:C0:10::/64 [90/297270016]
     via FE80::7864:7B01, Tunnel0
D   2007:C15:C0:13::/64 [90/297270016]
     via FE80::7864:7C02, Tunnel1

Section 4.2: OSPFv3
Configure OSPFv3 per Figure 2-8; use an OSPFv3 process of 1 on each router. (2 points)

Use vanilla OSPFv3 configuration between R3, R4, R5, and R6. If you have configured this correctly, as shown in Example 2-26, you have scored 2 points.

Example 2-26 OSPFv3 Configuration and Verification
R3(config)# interface GigabitEthernet 0/0
R3(config-if)# ipv6 ospf 1 area 0
R4(config)# interface GigabitEthernet0/0
R4(config-if)# ipv6 ospf 1 area 0
R4(config-if)# interface GigabitEthernet0/1
R4(config-if)# ipv6 ospf 1 area 1
R5(config)# interface GigabitEthernet0/0
R5(config-if)# ipv6 ospf 1 area 0
R6(config)# interface GigabitEthernet0/0
R6(config-if)# ipv6 ospf 1 area 1
R3# show ipv6 route ospf
IPv6 Routing Table - 11 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
OI  2007:C15:C0:15::/64 [110/2]
     via FE80::213:C3FF:FE7B:E4A0, GigabitEthernet0/0
R5# show ipv6 route ospf
IPv6 Routing Table - 5 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
OI  2007:C15:C0:15::/64 [110/2]
     via FE80::213:C3FF:FE7B:E4A0, GigabitEthernet0/0
R6# show ipv6 route ospf

IPv6 Routing Table - 5 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
OI  2007:C15:C0:14::/64 [110/2]
     via FE80::213:C3FF:FE7B:E4A1, GigabitEthernet0/0

Configure Area 1 with IPsec authentication; use message digest 5, a security policy index of 500, and a key of DEC0DECC1E0DDBA11B0BB0BBEDB00B00. (2 points)

Authentication is required on R4 and R6 because they both belong to Area 1. The question explicitly states the specific parameters required, and you should not encounter any issues unless you incorrectly enter one of the keys. At 32 hex characters long, this could easily be done while under a time constraint. If you have configured this correctly, as shown in Example 2-27, you have scored 2 points.

Example 2-27 Area 1 Authentication Configuration
R4(config)# ipv6 router ospf 1
R4(config-router)# area 1 authentication ipsec spi 500 md5 DEC0DECC1E0DDBA11B0BB0BBEDB00B00
R6(config)# ipv6 router ospf 1
R6(config-router)# area 1 authentication ipsec spi 500 md5 DEC0DECC1E0DDBA11B0BB0BBEDB00B00

Ensure that the area router in Area 1 receives the following route; you may configure R4 to achieve this: (2 points)
OI 2007::/16 [110/2] via XXXX::XXXX:XXXX:XXXX:XXXX, GigabitEthernet0/0

The only area router within Area 1 is R6. R4 is the area border router within this area. OI within the routing table is an OSPF interarea route, so this route must be generated from another area. Because Area 0 is the only other area within the OSPFv3 network, the route must be generated from this area as opposed to a redistributed route, which would show as an external route. A summary route generated on the area border router R4 of 2007::/16 within Area 0 will provide the required route to be received on R6. If you have configured this correctly, as shown in Example 2-28, you have scored 2 points.
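For the Area 1 authentication in Example 2-27, the failure mode the text warns about (a mistyped 32-digit key on one router) can be caught before the adjacency drops. The following Python check is an added example, not part of the original lab; the function names and the two mistyped samples are constructed here, and it assumes the IOS limits of an SPI from 256 to 4294967295 and 32 (MD5) or 40 (SHA-1) hex digits for the key.

```python
import re

# Hex digits required by each authentication algorithm, and the valid SPI range.
KEY_HEX_DIGITS = {"md5": 32, "sha1": 40}
SPI_MIN, SPI_MAX = 256, 4294967295

AREA_AUTH = re.compile(
    r"area\s+(?P<area>\S+)\s+authentication\s+ipsec\s+spi\s+(?P<spi>\d+)\s+"
    r"(?P<alg>md5|sha1)\s+(?:(?P<enc>[07])\s+)?(?P<key>\S+)\s*$",
    re.IGNORECASE,
)

# The two statements from Example 2-27.
KEY = "DEC0DECC1E0DDBA11B0BB0BBEDB00B00"
PAGE_CONFIG = {
    "R4": f"R4(config-router)# area 1 authentication ipsec spi 500 md5 {KEY}",
    "R6": f"R6(config-router)# area 1 authentication ipsec spi 500 md5 {KEY}",
}
# Constructed mistakes on R6: last digit dropped, and digits 9 and 10 transposed.
MISTYPED_SHORT = dict(PAGE_CONFIG, R6=PAGE_CONFIG["R6"][:-1])
MISTYPED_SWAPPED = dict(
    PAGE_CONFIG,
    R6="area 1 authentication ipsec spi 500 md5 DEC0DECCE10DDBA11B0BB0BBEDB00B00",
)


def parse_area_auth(line):
    """Return (area, spi, algorithm, key) from one area authentication line."""
    # Drop an IOS prompt such as 'R4(config-router)# ' if one is present.
    command = line.split("#", 1)[-1].strip()
    match = AREA_AUTH.search(command)
    if match is None:
        raise ValueError("not an OSPFv3 area IPsec authentication command")
    return (match["area"], int(match["spi"]), match["alg"].lower(), match["key"].upper())


def check_area(routers):
    """Check every router of one area and return a list of findings.

    `routers` maps a router name to its configuration line. Findings report
    lengths and positions only, so the key itself never lands in a log.
    """
    findings = []
    parsed = {name: parse_area_auth(line) for name, line in routers.items()}
    for name, (_area, spi, alg, key) in parsed.items():
        if not SPI_MIN <= spi <= SPI_MAX:
            findings.append(f"{name}: SPI {spi} outside {SPI_MIN}-{SPI_MAX}")
        if re.fullmatch(r"[0-9A-F]+", key) is None:
            findings.append(f"{name}: key contains a non-hex character")
        elif len(key) != KEY_HEX_DIGITS[alg]:
            findings.append(
                f"{name}: {alg} key has {len(key)} hex digits, needs {KEY_HEX_DIGITS[alg]}"
            )
    names = sorted(parsed)
    reference = parsed[names[0]]
    for name in names[1:]:
        other = parsed[name]
        for label, ours, theirs in zip(("area", "SPI", "algorithm"), reference, other):
            if ours != theirs:
                findings.append(f"{names[0]}/{name}: {label} differs ({ours} vs {theirs})")
        ref_key, key = reference[3], other[3]
        if ref_key != key:
            # First differing digit, or the shorter length if one key is a prefix.
            diff = next(
                (i for i, (x, y) in enumerate(zip(ref_key, key)) if x != y),
                min(len(ref_key), len(key)),
            )
            findings.append(f"{names[0]}/{name}: keys differ from hex digit {diff + 1}")
    return findings


if __name__ == "__main__":
    for label, config in (("page", PAGE_CONFIG), ("short", MISTYPED_SHORT),
                          ("swapped", MISTYPED_SWAPPED)):
        print(label, check_area(config) or "consistent")
```
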

Example 2-28 OSPFv3 Configuration and Verification
R4(config)# ipv6 router ospf 1
R4(config-rtr)# area 0 range 2007::/16
R6# show ipv6 route ospf | include OI
OI 2007::/16 [110/2] via FE80::213:C3FF:FE7B:E4A1, GigabitEthernet0/0

Section 4.3: Redistribution
Redistribute EIGRPv6 into OSPFv3 on R3. Redistributed EIGRPv6 routes should have a metric of 5000 associated with them, regardless of which area they are seen in within the OSPFv3 network. (2 points)

A one-way redistribution of EIGRPv6 to OSPFv3 is required on R3. You simply require the metric set to 5000 on the OSPFv3 process. The default redistribution behavior ensures that external routes are advertised as external type 2, which have a fixed cost associated with them regardless of which area or location of the OSPFv3 network they are seen in. You must remember to advertise connected routes also; otherwise, the OSPFv3 network will not see the directly connected tunnel interfaces on R3. If you have configured this correctly, as shown in Example 2-29, you have scored 2 points.

Example 2-29 R3 IPv6 Redistribution Configuration and Verification
R3(config)# ipv6 router ospf 1
R3(config-rtr)# redistribute eigrp 6 include-connected metric 5000
R4# show ipv6 route ospf
IPv6 Routing Table - 11 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
O   2007::/16 [110/0]
     via ::, Null0
OE2 2007:C15:C0:10::/64 [110/5000]
     via FE80::214:6AFF:FEFC:7390, GigabitEthernet0/0
OE2 2007:C15:C0:11::/64 [110/5000]
     via FE80::214:6AFF:FEFC:7390, GigabitEthernet0/0

OE2 2007:C15:C0:12::/64 [110/5000]
     via FE80::214:6AFF:FEFC:7390, GigabitEthernet0/0
OE2 2007:C15:C0:13::/64 [110/5000]
     via FE80::214:6AFF:FEFC:7390, GigabitEthernet0/0

Configure R3 so that both R1 and R2 have the following IPv6 EIGRPv6 route in place. Do not redistribute OSPF into EIGRPv6 to achieve this, and do ensure that all routers have full visibility: (2 points)
D 2007::/16 [90/XXXXXXXXX] via XXXX::XXXX:XXXX:XXXX:XXXX, Tunnel0

You should have noticed in the previous question that mutual redistribution was not required; therefore, the EIGRPv6 network would not have reachability of the OSPFv3 network. This question ensures the EIGRPv6 network sends traffic to R3 for the summarized network of 2007::/16. Because you are not permitted to redistribute OSPFv3 with a summary address, you need to configure EIGRPv6 summarization on the tunnel interfaces on R3 toward R1 and R2; this will provide the correct route and hop count as per the question. Example 2-33 shows the required configuration and verification of the route, in addition to ICMP reachability to the remote OSPFv3 Area 1 network on R6. This test clearly demonstrates full end-to-end reachability from EIGRPv6 to OSPFv3. If you have configured this correctly, as shown in Example 2-30, you have scored 2 points.

Example 2-30 R3 IPv6 Summarization Configuration and Verification
R3(config)# router eigrp CCIE
R3(config-router)# address-family ipv6 unicast autonomous-system 6
R3(config-router-af)# af-interface Tunnel0
R3(config-router-af-interface)# summary-address 2007::/16
R3(config-router-af-interface)# af-interface Tunnel1
R3(config-router-af-interface)# summary-address 2007::/16
R1# show ipv6 route eigrp
IPv6 Routing Table - 6 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route, M - MIPv6
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
D   2007::/16 [90/310044416]
     via FE80::7864:7B03, Tunnel0
R1# ping ipv6 2007:C15:C0:15::6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2007:C15:C0:15::6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/8 ms
R2# show ipv6 route eigrp
IPv6 Routing Table - 6 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route, M - MIPv6
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
D   2007::/16 [90/310044416]
     via FE80::7864:7C03, Tunnel0
R2# ping ipv6 2007:C15:C0:15::6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2007:C15:C0:15::6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/8 ms

Section 5: QoS (6 Points)
Two IP video conferencing units are to be installed onto Switch 2 ports Fast Ethernet 0/15 and 0/16 on VLAN 200. The devices use TCP ports 3230–3231 and UDP ports 3230–3235, and this traffic is unmarked from the devices as it enters the switch. Configure Switch 2 to assign a DSCP value of AF41 to video traffic from both of these devices. Ensure that the switch ports assigned to the devices do not participate in the usual spanning-tree checks, cannot form trunk links, and cannot be configured as EtherChannels. (3 points)

This is a differentiated services code point (DSCP) coloring of application traffic question. The TCP and UDP port information is provided so that access lists matching these ports within a class map are required for identification of the video traffic, and a policy map colors the traffic to a DSCP value of 41. The overall quality of service (QoS) service policy is applied to the video conferencing ports of Fast Ethernet 0/15 and 0/16 on Switch 2. The ports are required to be set to VLAN 200 with spanning-tree checks disabled, and trunking and channeling disabled using the command switchport host. The ports can also be explicitly configured to disable each feature individually, but the switchport host command does all this for you. Use the show policy-map command to verify your configuration. If you have configured this correctly, as shown in Example 2-31, you have scored 3 points.

Example 2-31 QoS Configuration
SW2(config)# interface range fastethernet 0/15-16
SW2(config-if-range)# switchport access vlan 200
SW2(config-if-range)# switchport host
SW2(config-if-range)# exit
SW2(config)# mls qos
SW2(config)# class-map VIDEO
SW2(config-cmap)# match access-group 100
SW2(config-cmap)# exit
SW2(config)# access-list 100 permit tcp any any range 3230 3231
SW2(config)# access-list 100 permit udp any any range 3230 3235
SW2(config)# policy-map VIDEO-MARK
SW2(config-pmap)# class VIDEO
SW2(config-pmap-c)# set dscp AF41
SW2(config-pmap-c)# exit
SW2(config)# interface range fastethernet 0/15-16
SW2(config-if-range)# service-policy input VIDEO-MARK

Configure R2 to assign a strict-priority queue with a 40-percent reservation of the WAN bandwidth for the video conferencing traffic in the previous question. Maximize the available bandwidth by ensuring the RTP headers within the video stream are compressed. The remainder of the bandwidth should be guaranteed for a default queue with WRED enabled. (3 points)

Following from the previous question, R2 is required to provide QoS on the Ethernet link toward the rest of the network. A class map matches the precolored video traffic of DSCP 41; a policy map is then required to call the class map and assign a strict 40-percent priority queue with the command priority percent 40. RTP compression is configured within the policy map for the video traffic. The default queue has a guaranteed bandwidth reservation with the command bandwidth percent 60, and weighted random early detection (WRED) is enabled within this queue. If you have configured this correctly, as shown in Example 2-32, you have scored 3 points.

Example 2-32 R2 QoS Configuration and Verification
R2(config)# class-map match-all VIDEO
R2(config-cmap)# match dscp af41
R2(config-cmap)# policy-map VIDEO-QOS
R2(config-pmap)# class VIDEO
R2(config-pmap-c)# priority percent 40
R2(config-pmap-c)# compression header ip rtp
R2(config-pmap-c)# class class-default

R2(config-pmap-c)# bandwidth percent 60
R2(config-pmap-c)# random-detect
R2(config-pmap-c)# exit
R2(config)# interface fastethernet0/0
R2(config-if)# service-policy output VIDEO-QOS

Section 6: Multicast (9 Points)
Configure routers R1, R2, R3, and R4 for IPv4 multicast. Each router should use PIM sparse dense mode. Both R1 and R2 should be configured to be candidate RPs specifically for the following multicast groups: 225.225.0.1, 225.225.0.2, 225.225.0.3, and 225.225.0.4 (by use of their Loopback 0 interfaces). You should limit the boundary of your multicast network so that it does not propagate further into your network than R4. R3 should be configured as a mapping agent to announce the rendezvous points for the multicast network with the same boundary constraints. (3 points)

The question dictates that R1 and R2 be rendezvous points (RPs) and advertise the same groups to the multicast network. R3 is required to announce the rendezvous points, and R4 will by default elect R2 as the RP for each group because it has the higher loopback address compared to R1 for the same groups. TTL scoping is used within the configuration to limit the boundary of advertisements on both the candidate RPs and the discovery agent up to R4. Example 2-33 shows the required configuration and RP mappings as received on R4. If you have configured this correctly, as shown in Example 2-33, you have scored 3 points.

Example 2-33 R1, R2, R3, and R4 Multicast Configuration and Verification
R1(config)# ip multicast-routing
R1(config)# interface Loopback0
R1(config-if)# ip pim sparse-dense-mode
R1(config-if)# interface GigabitEthernet0/0
R1(config-if)# ip pim sparse-dense-mode
R1(config-if)# ip pim send-rp-announce Loopback0 scope 3 group-list GROUPS
R1(config)# ip access-list standard GROUPS
R1(config-std-nacl)# permit 225.225.0.1
R1(config-std-nacl)# permit 225.225.0.2
R1(config-std-nacl)# permit 225.225.0.3
R1(config-std-nacl)# permit 225.225.0.4
R2(config)# ip multicast-routing
R2(config)# interface Loopback0
R2(config-if)# ip pim sparse-dense-mode
R2(config-if)# interface fastethernet0/0
R2(config-if)# ip pim sparse-dense-mode
R2(config-if)# ip pim send-rp-announce Loopback0 scope 3 group-list GROUPS
R2(config)# ip access-list standard GROUPS

R2(config-std-nacl)# permit 225.225.0.1
R2(config-std-nacl)# permit 225.225.0.2
R2(config-std-nacl)# permit 225.225.0.3
R2(config-std-nacl)# permit 225.225.0.4
R3(config)# ip multicast-routing
R3(config)# interface Loopback0
R3(config-if)# ip pim sparse-dense-mode
R3(config)# interface GigabitEthernet0/0
R3(config-if)# ip pim sparse-dense-mode
R3(config-if)# interface GigabitEthernet0/1
R3(config-if)# ip pim sparse-dense-mode
R3(config-if)# exit
R3(config)# ip pim send-rp-discovery lo0 scope 2
R4(config-if)# ip multicast-routing
R4(config-if)# interface GigabitEthernet0/0
R4(config-if)# ip pim sparse-dense-mode
R4# show ip pim rp mapping
PIM Group-to-RP Mappings
Group(s) 225.225.0.1/32
  RP 120.100.2.1 (?), v2v1
    Info source: 120.100.34.3 (?), elected via Auto-RP
         Uptime: 00:00:03, expires: 00:02:56
Group(s) 225.225.0.2/32
  RP 120.100.2.1 (?), v2v1
    Info source: 120.100.34.3 (?), elected via Auto-RP
         Uptime: 00:00:03, expires: 00:02:55
Group(s) 225.225.0.3/32
  RP 120.100.2.1 (?), v2v1
    Info source: 120.100.34.3 (?), elected via Auto-RP
         Uptime: 00:00:03, expires: 00:02:52
Group(s) 225.225.0.4/32
  RP 120.100.2.1 (?), v2v1
    Info source: 120.100.34.3 (?), elected via Auto-RP
         Uptime: 00:00:03, expires: 00:02:55

Configure R3 to ensure that R4 has a candidate RP as R1 for groups 225.225.0.1 and 225.225.0.2 and R2 for groups 225.225.0.3 and 225.225.0.4. (3 points)

As detailed in the previous example, R2 will by default become the candidate RP as selected by the discovery agent (R3) because of having a higher loopback IP address as used in the PIM announcements compared to R1. By configuring a group list on the discovery agent, RP announcements can be filtered. Configuring two filter lists with each candidate RP associated with them allows the discovery agent to announce two different RPs. Example 2-34 shows the required configuration, a debug of the auto-RP announcements on R3 to detail the filtering and the resulting RP mappings on R4. If you have configured this correctly, as shown in Example 2-34, you have scored 3 points.

Example 2-34 R3 RP Multicast Configuration and Verification
R3(config)# ip pim rp-announce-filter rp-list R1 group-list R1-GROUPS
R3(config)# ip pim rp-announce-filter rp-list R2 group-list R2-GROUPS
R3(config)# ip access-list standard R1
R3(config-std-nacl)# permit 120.100.1.1
R3(config-std-nacl)# exit
R3(config)# ip access-list standard R2
R3(config-std-nacl)# permit 120.100.2.1
R3(config-std-nacl)# exit
R3(config)# ip access-list standard R1-GROUPS
R3(config-std-nacl)# permit 225.225.0.1
R3(config-std-nacl)# permit 225.225.0.2
R3(config-std-nacl)# exit
R3(config)# ip access-list standard R2-GROUPS
R3(config-std-nacl)# permit 225.225.0.3
R3(config-std-nacl)# permit 225.225.0.4
R3# debug ip pim auto-rp
PIM Auto-RP debugging is on
Auto-RP(0): Received RP-announce, from 120.100.1.1, RP_cnt 1, ht 181
Auto-RP(0): Update (225.225.0.1/32, RP:120.100.1.1), PIMv2 v1
Auto-RP(0): Update (225.225.0.2/32, RP:120.100.1.1), PIMv2 v1
Auto-RP(0): Filtered 225.225.0.3/32 for RP 120.100.1.1
Auto-RP(0): Filtered 225.225.0.4/32 for RP 120.100.1.1
Auto-RP(0): Received RP-announce, from 120.100.1.1, RP_cnt 1, ht 181
Auto-RP(0): Update (225.225.0.1/32, RP:120.100.1.1), PIMv2 v1
Auto-RP(0): Update (225.225.0.2/32, RP:120.100.1.1), PIMv2 v1
Auto-RP(0): Filtered 225.225.0.3/32 for RP 120.100.1.1
Auto-RP(0): Filtered 225.225.0.4/32 for RP 120.100.1.1
R4# show ip pim rp mapping
PIM Group-to-RP Mappings
Group(s) 225.225.0.1/32
  RP 120.100.1.1 (?), v2v1
    Info source: 120.100.34.3 (?), elected via Auto-RP
         Uptime: 00:00:08, expires: 00:02:51
Group(s) 225.225.0.2/32
  RP 120.100.1.1 (?), v2v1
    Info source: 120.100.34.3 (?), elected via Auto-RP
         Uptime: 00:00:08, expires: 00:02:52
Group(s) 225.225.0.3/32
  RP 120.100.2.1 (?), v2v1
    Info source: 120.100.34.3 (?), elected via Auto-RP
         Uptime: 00:00:47, expires: 00:02:12
Group(s) 225.225.0.4/32
  RP 120.100.2.1 (?), v2v1
    Info source: 120.100.34.3 (?), elected via Auto-RP
         Uptime: 00:00:47, expires: 00:02:09
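The two outcomes in Examples 2-33 and 2-34 (R2 elected for every group, then the split between R1 and R2 once the announce filters are in place) can be reproduced with a small model of the mapping agent. This Python sketch is an added example, not part of the original lab or Cisco code; the function names are constructed here, each ACL is reduced to a set of host addresses because every entry in the example is a single host, and the handling of an RP that matches no rp-list is an assumption of the model.

```python
from ipaddress import IPv4Address

# Candidate RP loopbacks and groups as they appear in Examples 2-33 and 2-34.
R1_RP, R2_RP = "120.100.1.1", "120.100.2.1"
GROUPS = ["225.225.0.1", "225.225.0.2", "225.225.0.3", "225.225.0.4"]

# Both candidate RPs announce all four groups (group-list GROUPS on R1 and R2).
ANNOUNCEMENTS = [(rp, group) for rp in (R1_RP, R2_RP) for group in GROUPS]

# ip pim rp-announce-filter rp-list <acl> group-list <acl> on R3, as
# (addresses permitted by rp-list, groups permitted by group-list).
FILTERS = [
    ({R1_RP}, {"225.225.0.1", "225.225.0.2"}),  # rp-list R1 group-list R1-GROUPS
    ({R2_RP}, {"225.225.0.3", "225.225.0.4"}),  # rp-list R2 group-list R2-GROUPS
]


def accept(rp, group, filters):
    """Decide whether the mapping agent keeps one (RP, group) announcement."""
    matched = [groups for rps, groups in filters if rp in rps]
    if not matched:
        # Assumption of this model: an RP named in no rp-list is not filtered.
        return True
    return any(group in groups for groups in matched)


def mapping_agent(announcements, filters=()):
    """Return ({group: elected RP}, [filtered (rp, group) pairs])."""
    candidates, filtered = {}, []
    for rp, group in announcements:
        if accept(rp, group, filters):
            candidates.setdefault(group, []).append(rp)
        else:
            filtered.append((rp, group))
    # Auto-RP tie-break: the highest candidate RP address wins for a group.
    elected = {g: max(rps, key=IPv4Address) for g, rps in candidates.items()}
    return elected, filtered


if __name__ == "__main__":
    for label, filters in (("no filter", ()), ("with rp-announce-filter", FILTERS)):
        elected, filtered = mapping_agent(ANNOUNCEMENTS, filters)
        print(label)
        for group in GROUPS:
            print(f"  {group}/32 -> RP {elected[group]}")
        for rp, group in filtered:
            print(f"  Filtered {group}/32 for RP {rp}")
```
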

Configure R1 to monitor traffic forwarded through itself for traffic destined to the multicast group of 225.225.0.1. If no packet for this group is received within a single 10-second interval, ensure that an SNMP trap is sent to an SNMP management station on 120.100.100.100 using a community string of public. (3 points)

The IP multicast heartbeat feature facilitates the monitoring of the delivery of IP multicast packets and failure notification based on configurable parameters. By configuring R1 to enable the heartbeat monitoring for the group 225.225.0.1 with the subparameters of 1 and 10, the router monitors a packet lost within 1 interval of 10 seconds and will send a Simple Network Management Protocol (SNMP) trap to the SNMP host 120.100.100.100, which is required to be configured within the basic SNMP trap configuration. Example 2-35 details the required multicast heartbeat configuration and verification of the SNMP trap by issue of a ping to 225.225.0.1 from R3. Even though R1 does not have a valid IGMP join group for this group, traffic is still directed to it, and the heartbeat process is activated. If you have configured this correctly, as shown in Example 2-35, you have scored 3 points.

Example 2-35 R1 Multicast Heartbeat Configuration
R1(config)# snmp-server host 120.100.100.100 traps public
R1(config)# snmp-server enable traps ipmulticast
R1(config)# ip multicast heartbeat 225.225.0.1 1 1 10
R1# debug snmp packets
R3# ping 225.225.0.1
R1#
SNMP: Queuing packet to 120.100.100.100
SNMP: V1 Trap, ent ciscoExperiment.2.3.1, addr 120.100.100.1, gentrap 6, spectrap 1
 ciscoIpMRouteHeartBeatEntry.2.225.225.0.1 = 120.100.123.3
 ciscoIpMRouteHeartBeatEntry.3.225.225.0.1 = 10
 ciscoIpMRouteHeartBeatEntry.4.225.225.0.1 = 1
 ciscoIpMRouteHeartBeatEntry.5.225.225.0.1 = 0

Section 7: Security (10 Points)
Allow router R6 to passively watch the SYN connections that flow to only VLAN 63 for servers that might reside on this subnet. To prevent a potential DoS attack from a flood of SYN requests, the router should be configured to randomly drop SYN packets from any source to this VLAN that have not been correctly established within 20 seconds. (2 points)

The question requires that the TCP intercept feature be configured on R6. This protects TCP servers from TCP SYN-flooding attacks with a wave of half-opened connections overwhelming the server’s CPU, the result of which can effectively cause a DoS attack. The default behavior of

the feature is to intercept the SYN connections to a server and effectively proxy the connection until it has been correctly established. Because you are requested to passively monitor the connection, you must configure the feature into watch mode by use of the global ip tcp intercept mode watch command. You are also requested to ensure that the feature is enabled only on VLAN 63 from any source, so an access list is required to which the intercept features restricts its monitoring. The default behavior of the feature is to drop SYN connections based on the oldest first, but the question dictated that random connections must be dropped. This is achieved with the global command ip tcp intercept drop-mode random. To ensure that the 20-second limit is met as opposed to the default 30 second, adjustment of the timers is required with the global command ip tcp intercept watch-timeout 20. Use the show tcp intercept connections command to verify your configuration. If you have configured this correctly, as shown in Example 2-36, you have scored 2 points.

Example 2-36 R6 TCP Intercept Configuration
R6(config)# ip tcp intercept list 100
R6(config)# access-list 100 permit tcp any 120.100.63.0 0.0.0.255
R6(config)# ip tcp intercept mode watch
R6(config)# ip tcp intercept drop-mode random
R6(config)# ip tcp intercept watch-timeout 20

Configure an ACL on R1 to allow TCP sessions generated on this router and through its Ethernet interface and to block TCP sessions from entering on its VLAN 132 interface that were not initiated on it or through it originally. Do not use the established feature within standard ACLs to achieve this, and only apply ACLs on the VLAN 132 interface. The ACL should timeout after 100 seconds of locally initiated TCP inactivity; it should also enable ICMP traffic inbound for testing purposes. (3 points)

The question requires that a reflexive access control list (ACL) be configured on R1. This enables TCP traffic for sessions originating from within the network but denies TCP traffic for sessions originating from outside the network. The reflexive ACL contains only temporary entries, which are automatically created when a new TCP session is initiated. The entries are simply removed, by default, 300 seconds after the session ends. However, the question requires this to be modified to 100 seconds. To facilitate the reflexive ACL, you must configure a standard ACL inbound on the VLAN 132 Ethernet interface, which permits the required traffic inbound to R1 and only returns traffic matching the reflexive ACL. Required traffic is, of course, EIGRP, PIM, IPv6 tunneling, and as directed, ICMP for testing. It’s a cruel question because if you forget to permit any of the required traffic inbound, you will lose points from a previous section in which you might have otherwise scored the total possible points. If you did not know what protocol IPv6 uses, you can simply use the log option on your inbound ACL on a final deny statement. This would show you that the tunneling from R3 inbound to R1 uses IP protocol 41, which must be included in your inbound ACL. Example 2-37 shows the required configuration and verification of the reflexive ACL. Because traffic is evaluated only by the ACL as it passes through the router, Switch 1 has been configured

the Telnet session passes through the ACL FILTER-OUT on R1 and creates an entry in the reflexive ACL DYNAMIC-TCP. Example 2-37 R1 Reflexive ACL Configuration and Verification Click here to view code image R1(config-if)# ip access-list extended FILTER-IN R1(config-ext-nacl)# permit icmp any any R1(config-ext-nacl)# permit eigrp any any R1(config-ext-nacl)# permit pim any any R1(config-ext-nacl)# permit tcp host 120.255.0 SW1(config-if)# exit SW1(config)# ip route 120.1 eq bgp R1(config-ext-nacl)# permit 41 host 120.1. When initiated by Switch 1.100.to belong to VLAN 100 to telnet through R1 to R3 in the example.1 SW1(config)# exit SW1# trace 120.100 255.100.123.100.255 120.1 .3.3.1 R1(config-ext-nacl)# evaluate DYNAMIC-TCP R1(config-ext-nacl)# ip access-list extended FILTER-OUT R1(config-ext-nacl)# permit tcp any any reflect DYNAMIC-TCP R1(config-ext-nacl)# exit R1(config)# ip reflexive-list timeout 100 R1(config)# interface GigabitEthernet0/0 R1(config-if)# ip access-group FILTER-IN in R1(config-if)# ip access-group FILTER-OUT out SW1(config)# interface vlan 100 SW1(config-if)# ip add 120.123. you might experience connectivity issues if you initiate a Telnet session from R1 without manipulating the Telnet source option.100.100.100.100.255.255. you have scored 3 points. Note The reflexive ACL is valid only for traffic flowing through the router. you would specifically be instructed to ensure the correct operation of Telnet on that router.3.100. This behavior has no bearing on points scored and should be considered a by-product of the solution.3 host 120. If you face a similar question in the actual exam and Telnet connectivity was required from the router you are configuring.3. Tracing the route to 120. Therefore.1 255.255.100. The reflexive ACL permits return traffic to the Telnet session inbound for the configured inactivity interval of 100 seconds.100. Real-time details can be seen by issuing the show access-lists command on R1. 
as shown in Example 2-37.1 host 120.100. If you have configured this correctly.1 Type escape sequence to abort.
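The reflexive ACL behaviour described above, as an added example that is not part of the original lab: a small Python model of FILTER-OUT (`reflect`) and FILTER-IN (`evaluate`) with the 100-second idle timeout. The addresses are constructed, the class and function names are hypothetical, and the BGP and protocol 41 permit entries of FILTER-IN are left out for brevity.

```python
from dataclasses import dataclass

TIMEOUT = 100  # seconds, as set by "ip reflexive-list timeout 100"


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "icmp", "eigrp", "pim"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


class ReflexiveFilter:
    """Toy model of FILTER-OUT / FILTER-IN applied to one interface."""

    # Static permit entries that sit ahead of "evaluate DYNAMIC-TCP".
    STATIC_INBOUND = {"icmp", "eigrp", "pim"}

    def __init__(self, timeout=TIMEOUT):
        self.timeout = timeout
        self.entries = {}   # mirrored 5-tuple -> time the session was last seen

    def _expire(self, now):
        # Drop temporary entries that have been idle for the whole timeout.
        self.entries = {k: t for k, t in self.entries.items()
                        if now - t < self.timeout}

    def outbound(self, pkt, now, transit=True):
        """FILTER-OUT: permit tcp any any reflect DYNAMIC-TCP."""
        self._expire(now)
        if not transit:
            # Router-generated packets are not checked by the outbound ACL,
            # so they leave but never create a reflexive entry.
            return True
        if pkt.proto != "tcp":
            return False    # implicit deny: only TCP is permitted outbound
        # Store the entry with source and destination swapped, which is
        # exactly what the returning packet will look like.
        self.entries[("tcp", pkt.dst, pkt.dport, pkt.src, pkt.sport)] = now
        return True

    def inbound(self, pkt, now):
        """FILTER-IN: static permits, then evaluate DYNAMIC-TCP."""
        self._expire(now)
        if pkt.proto in self.STATIC_INBOUND:
            return True
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.entries:
            self.entries[key] = now     # session activity resets the timer
            return True
        return False                    # implicit deny

    def time_left(self, now):
        """Seconds remaining per entry, like "(time left N)" in show access-lists."""
        self._expire(now)
        return {k: self.timeout - (now - t) for k, t in self.entries.items()}


def demo():
    acl = ReflexiveFilter()
    inside, outside, router = "192.0.2.100", "198.51.100.3", "192.0.2.1"  # constructed
    syn = Packet("tcp", inside, outside, 11034, 23)
    reply = Packet("tcp", outside, inside, 23, 11034)
    r = {}
    r["unsolicited_in"] = acl.inbound(reply, now=0)          # no entry yet
    r["telnet_out"] = acl.outbound(syn, now=1)               # creates the entry
    r["reply_in"] = acl.inbound(reply, now=50)               # matches, refreshes
    r["time_left"] = list(acl.time_left(now=60).values())
    r["wrong_port_in"] = acl.inbound(
        Packet("tcp", outside, inside, 23, 40000), now=61)
    r["reply_after_idle"] = acl.inbound(reply, now=151)      # idle 101 s: expired
    r["icmp_in"] = acl.inbound(Packet("icmp", outside, inside), now=152)
    r["udp_transit_out"] = acl.outbound(
        Packet("udp", inside, outside, 49152, 33434), now=153)
    # Telnet started on the router itself: it leaves, but nothing is reflected.
    r["local_out"] = acl.outbound(
        Packet("tcp", router, outside, 20000, 23), now=200, transit=False)
    r["local_reply_in"] = acl.inbound(
        Packet("tcp", outside, router, 23, 20000), now=201)
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18} {value}")
```

The last two results show the by-product the note describes: a session started on the router itself creates no temporary entry, so its return traffic is dropped inbound.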

1 20 permit 225.100. a key size of 768 bits.100. Even if you hadn’t configured SSH or SCP previously.1 !A * !A SW1# telnet 120.3.100 eq 11034 (34 matches) (time left 90) Extended IP access list FILTER-IN 5 permit icmp any any (150 matches) 10 permit eigrp any any (1710 matches) 20 permit pim any any (92 matches) 25 permit tcp host 120.100.225.100. (2 points) SCP is Secure Copy Protocol.1.100. .1 120.225.0. Open User Access Verification Password: R3>enable Password: R3# R1# show access-lists Standard IP access list 1 10 permit 120.1 host 120.3. and some SSH timeout and retry values based on the directions. It is similar to Remote Copy but requires Secure Shell (SSH) to be running on the router for security purposes. You will need to realize aspects of SSH are considered prerequisites to enable SCP. The router should belong to a domain of toughtest.100.2 30 permit 225.0.co.100.1 eq telnet host 120.100. Be careful on the values and remember to enter the timeout in seconds. If you have configured this correctly. It is a tough question because this is the kind of feature for which you will need to check the documentation.1 eq bgp (126 matches) 30 evaluate DYNAMIC-TCP Extended IP access list FILTER-OUT 10 permit tcp any any reflect DYNAMIC-TCP (18 matches) Configure R1 so that it is capable of performing SCP.100. a key of some form.100. not minutes.3 40 permit 225.100. and an SSH timeout of 2 minutes and retry value of 2. Your username and password combination requires a privilege level of 15 set for SCP.225.uk.1 0 msec 4 msec 0 msec 2 120.0 (3 matches) Standard IP access list GROUPS 10 permit 225.3.3. Use local authentication with a username and password of cisco.0.100.100.100.1. you should realize that you would need to configure a domain ID. local authentication with a username and password.225.1 .0 (3 matches) 20 permit 120. you have scored 2 points.. as shown in Example 2-38.1 Trying 120.0..4 Reflexive IP access list DYNAMIC-TCP permit tcp host 120.
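An added example, not part of the original lab: a Python check over the command set of Example 2-38 that confirms the SCP prerequisites the question lists and flags the settings a production review would reject. The 2048-bit floor is an assumed policy value, the function name and finding labels are hypothetical, and the secret in the hardened variant is a placeholder.

```python
import re

# Commands from Example 2-38 on this page, prompts and router output stripped.
EXAMPLE_2_38 = """\
ip domain-name toughtest.co.uk
crypto key generate rsa modulus 768
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username cisco privilege 15 password 0 cisco
ip ssh time-out 120
ip ssh authentication-retries 2
ip scp server enable
"""

# Same commands with the weak settings replaced (constructed, placeholder secret).
HARDENED = (EXAMPLE_2_38
            .replace("modulus 768", "modulus 2048")
            .replace("password 0 cisco", "secret EXAMPLE-PLACEHOLDER")
            + "ip ssh version 2\n")

MIN_RSA_BITS = 2048   # assumed policy floor, not a value from the lab

# What the question says SCP needs before "ip scp server enable" is usable.
PREREQS = {
    "domain-name": r"^ip domain[- ]name \S+",
    "rsa-key": r"^crypto key generate rsa\b",
    "aaa-new-model": r"^aaa new-model$",
    "aaa-login": r"^aaa authentication login \S+ .*\blocal\b",
    "aaa-exec": r"^aaa authorization exec \S+ .*\blocal\b",
    "priv15-user": r"^username \S+ privilege 15\b",
    "scp-server": r"^ip scp server enable$",
}


def audit_scp_config(text, want_timeout=120, want_retries=2):
    """Return a list of (finding, detail) tuples for a command transcript."""
    joined = "\n".join(l.strip() for l in text.splitlines() if l.strip())
    findings = []

    def find(pattern):
        return re.search(pattern, joined, re.M)

    # 1. Functional prerequisites for SCP.
    for name, pattern in PREREQS.items():
        if not find(pattern):
            findings.append(("missing-prereq", name))

    # 2. Values the question dictates (timeout is entered in seconds).
    for label, pattern, want in (
            ("ssh-timeout", r"^ip ssh time-out (\d+)$", want_timeout),
            ("ssh-retries", r"^ip ssh authentication-retries (\d+)$", want_retries)):
        m = find(pattern)
        got = int(m.group(1)) if m else None
        if got != want:
            findings.append((label, got))

    # 3. Hardening: key size, protocol version, credential storage.
    m = find(r"^crypto key generate rsa\b.*\bmodulus (\d+)")
    if m and int(m.group(1)) < MIN_RSA_BITS:
        findings.append(("weak-rsa-modulus", int(m.group(1))))
    if not find(r"^ip ssh version 2$"):
        # Without this the router reports "SSH 1.99": SSHv1 is still accepted.
        findings.append(("ssh-v1-fallback", "ip ssh version 2 not set"))
    for m in re.finditer(r"^username (\S+) .*\bpassword (?:(\d) )?(\S+)$",
                         joined, re.M):
        user, enc_type, value = m.groups()
        if enc_type in (None, "0"):          # type 0 is stored in cleartext
            findings.append(("cleartext-password", user))
            if value == user:
                findings.append(("password-equals-username", user))
    return findings


if __name__ == "__main__":
    for label, cfg in (("Example 2-38", EXAMPLE_2_38), ("hardened", HARDENED)):
        print(label, audit_scp_config(cfg) or "no findings")
```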

Example 2-38 R1 RCP Configuration

R1(config)# ip domain-name toughtest.co.uk
R1(config)# crypto key generate rsa modulus 768
The name for the keys will be: R1.toughtest.co.uk
% The key modulus size is 768 bits
% Generating 768 bit RSA keys, keys will be non-exportable...[OK]
R1(config)# aaa new-model
R1(config)# aaa authentication login default local
R1(config)# aaa authorization exec default local
R1(config)# username cisco privilege 15 password 0 cisco
R1(config)# ip ssh time-out 120
R1(config)# ip ssh authentication-retries 2
R1(config)# ip scp server enable
R1(config)#
00:57:29.343: %SSH-5-ENABLED: SSH 1.99 has been enabled

The network administrator has determined that IPv6 router advertisements are being sourced from routers on VLAN 34. Disable these advertisements from entering and propagating on VLAN 34. You may use an ACL applied in a single location in your solution. Do not use the RA guard solution with untrusted ports. (3 points)

Routers R3, R4, and R5 will begin to send RAs as soon as they are configured with an IPv6 address. A simple solution is to enable RA guard on the switch, whereby you could set the switch ports connecting to the routers as untrusted, but this is not permitted. Because you are permitted to use an ACL in only a single location, this needs to be applied to the VLAN 34 interface. The ACL needs to deny router advertisements, which, of course, use ICMPv6. The ACL then needs to permit everything else; otherwise, you have just broken your IPv6 network. You need to remember that for the switch to process IPv6 packets, it needs to be running IPv6 and have a valid IPv6 address assigned to VLAN 34, something you might have overlooked under the time constraints and pressure of the practice exam. If your switch was not previously enabled for IPv6, remember to use the command sdm prefer dual-ipv4-and-ipv6 routing (and reboot the device for this to take effect). If you have configured this correctly, as shown in Example 2-39, you have scored 3 points.

Example 2-39 SW1 RA ACL Configuration

SW1(config)# ipv6 unicast-routing
SW1(config)# ipv6 access-list RA
SW1(config-ipv6-acl)# deny icmp any any router-advertisement
SW1(config-ipv6-acl)# permit ipv6 any any

SW1(config-ipv6-acl)# exit
SW1(config)# int vlan 34
SW1(config-if)# ipv6 traffic-filter RA in
SW1(config-if)# ipv6 address 2007:C15:C0:15::10/64

SW1# show log
*Oct 4 17:58:23: %IPV6-6-ACCESSLOGDP: list RA/10 denied icmpv6 FE80::219:AAFF:FEBA:BE40 -> FF02::1 (134/0), 1 packet
*Oct 4 17:58:23: %IPV6-6-ACCESSLOGDP: list RA/10 denied icmpv6 FE80::218:18FF:FEA2:3250 -> FF02::1 (134/0), 1 packet

Lab Wrap-Up
So, how did it go? Did you run out of time? Did you manage to finish but miss what was actually required? If you scored over 80, well done. If you accomplished this within 8 hours or less, you will be prepared for any scenario that you are likely to face during the 5.5 hours of the Configuration section of the actual exam. Remember that the Troubleshooting section on the v5.0 exam is a separate section from the Configuration section and has a different scenario; you will have 2 hours to complete the Troubleshooting section. This lab was designed to ensure that you troubleshoot your own work as you progress through the questions. Did you manage to configure items such as EIGRP third-party next hop and the continue statement within your BGP prepending? Items such as these might seem inconsequential, but they can make or break your lab.

Practice Lab 3

Practice Lab 3 follows an identical format to Lab 1 and 2 with timings and also consists of 100 points.

Equipment List
You need the following hardware and software components to begin this practice lab:
Six routers loaded with Cisco IOS Software Release 15.3T Advanced Enterprise image and the minimum interface configuration, as documented in Table 3-1

Table 3-1 Hardware Required per Router

Four 3560X switches with IOS 15.0S IP Services

Setting Up the Lab
You can use any combination of routers as long as you fulfill the requirements within the topology diagram, as shown in Figure 3-1. However, you should use the same model of routers because this makes life easier if you load configurations directly from those supplied into your own devices. If your routers have different interface speeds than those used within this book, adjust the bandwidth statements on the relevant interfaces to keep all interface speeds in line. This ensures that you do not get unwanted behavior because of differing IGP metrics.

Lab Topology
This practice lab uses the topology as outlined in Figure 3-1, which you must re-create with your own equipment.

Figure 3-1 Practice Lab 3 Network Topology

Note
Notice in the initial configurations supplied that some interfaces do not have IP addresses preconfigured. This is because either you do not use that interface or you need to configure this interface from default within the exercise. The initial configurations supplied should be used to preconfigure your routers and switches before the lab starts.

4.100.100.Switch Instructions Configure VLAN assignments from the configurations supplied on the CD-ROM or from Table 3-2. Table 3-2 VLAN Assignment Connect your switches with RJ-45 Ethernet cross-over cables. be sure you include the following loopback addresses: R1 Lo0 120.1/32 R2 Lo0 120.100.5. Figure 3-2 Switch-to-Switch Connectivity IP Address Instructions In the actual CCIE lab. as shown in Figure 3-2.1. If you are manually configuring your equipment. you are required to configure your IP addresses as shown in Figure 3-3 or to load the initial router configurations supplied. For this exercise.1/32 R5 Lo0 120.3.100.1/32 .1/32 R3 Lo0 120.1/32 R4 Lo0 120.2.100. you find that the majority of your IP addresses are preconfigured.

6.1/24 Lo2 10.33.2.1.2.1/24 Lo1 10.1/24 Figure 3-3 IP Addressing Diagram Pre-Lab Tasks Build the lab topology per Figure 3-1 and Figure 3-2. Configure the IP addresses on each router as shown in Figure 3-3 and add the loopback addresses.33.45.46.35.44.44.1.33.1/32SW1 Lo0 10. .3.2.1.2.33.1.100.1/24 Lo1 10.4.1/24 Lo2 10.1/24 Lo2 10.34.44.1/24 SW3 Lo0 10.2. Alternatively. you can load the initial configuration files supplied if your router is compatible with those used to create this exercise.1/24 Lo1 10.1/24 SW4 Lo0 10.1/24 Lo1 10.3.44.1/24 Lo2 10.1/24 SW2 Lo0 10.R6 Lo0 120.

General Guidelines
Read the whole lab before you start.
Do not configure any static/default routes unless otherwise specified.
Ensure full IP visibility between routers for ping testing/Telnet access to your devices.
If you are running out of time, choose questions that you are confident you can answer. Failing this, choose questions with a higher point rating to maximize your potential score.
Get into a comfortable and quiet environment where you can focus for the next 8 hours.
Take a 30-minute break midway through the exercise.
Have available a Cisco documentation CD-ROM, or access online the latest documentation from the following URL:
http://www.cisco.com/cisco/web/psa/configure.html
Note that access to this URL is likely to be restricted within the real exam.

Note
Access only these URLs, not the whole Cisco.com website (because if you are permitted to use documentation during your CCIE lab exam, it will be restricted). To save time during your lab, consider opening several windows with the pages you are likely to look at.

Practice Lab Three
You will now be answering questions in relation to the network topology, as shown in Figure 3-4.

1Q encapsulation. 50. Restrict the VLANs permissible to use the trunk on Switch 1 Fa0/1 to VLAN 10. Your switched network is physically nonlooped and therefore does not require any STP root bridge configuration. Interface Fa0/20 of each switch has been preconfigured to be a trunk port. and 200 and VLAN 20. Configure interface Fa0/1 on SW1 to become a trunk port toward R1 and Fa0/6 on SW2 to become a trunk port toward R6. Connectivity between switches will be provided via R1 and R6 later in the lab. Configure SW1 Fa0/19 to belong to VLAN 200 and SW2 Fa0/19 to belong to VLAN 400. You should also configure R1 and R6 to terminate the VLANs on each router. (3 points) . and 400 on Switch 2 Fa0/6. 100.Figure 3-4 Lab Topology Diagram Section 1: LAN Switching (4 Points) Configure your switched network per Figure 3-5. Ports should use 802.

Figure 3-5 Switched Network Topology

SW3 interface Fa0/19 and SW4 interface Fa0/19 are required to communicate with each other on the same IP subnet of 1.1.1.0/24; configure these interfaces with IP addresses 1.1.1.1/24 and 1.1.1.2/24, respectively. The interfaces should be configured to communicate as if connected directly as a point-to-point link. (Actual IP end-to-end connectivity will be achieved in a later section.) (1 point)

Section 2: MPLS and OSPF (27 Points)

Configure OSPF on your routers per Figure 3-6 to enable your network to transport MPLS and MP-BGP. Ensure that all OSPF configuration is entered under the interfaces. All required interfaces (including Loopback 0) should be configured to belong to Area 0. (3 points)

R3. Routers R1 and R6 will become your PE routers. (4 points) . whereas R2. which will be configured later with an autonomous system of AS65001. R4. use LDP. and R5 will become P routers. assign the following interfaces on each PE router into separate routing instances within the routers: PE R1 interface Gi0/0 VLAN10 connection into VPN BLUE PE R1 interface Gi0/0 VLAN 50 connection into VPN RED PE R6 interface Gi0/1 VLAN 20 connection into VPN BLUE PE R6 interface Gi0/1 VLAN 100 connection into VPN RED Configure VPN BLUE to use an RD of 100 and VPN RED to use an RD of 200 for both importing and exporting routes into your BGP network. ensuring that TDP can be used on unused interfaces without specifically configuring these interfaces for TDP. (4 points) You will be configuring two VPNs over your MPLS networks per Figure 3-7 between PE routers of BLUE and RED. At this point.Figure 3-6 MPLS/OSPF Topology Configure MPLS on all routers within the OSPF domain.

(2 points) Section 3: BGP (5 Points) Configure MP-BGP between your PE routers.1/30 assigned to the PE and . this network will reside in the RED VPN. (2 points) Create a network between PE router R6 and CE device SW2 using a VLAN 20 interface on SW2 that can be trunked toward R6.0/30 with .50.0/30 with .2/30 assigned to the CE. this network will reside in the BLUE VPN.10. Use .1/30 assigned to the PE and .2/30 assigned to the CE.20. this network will reside in the BLUE VPN. (2 points) Create a network between PE router R1 and CE device SW3 using a VLAN 50 interface on SW3 that can be trunked toward R1.0/30 with . this network will reside in the RED VPN. (2 points) Create a network between PE router R6 and CE device SW4 using a VLAN 100 interface on SW4 that can be trunked toward R6.50.2/30 assigned to the CE. to enable your network to transport the VPNv4 addresses of your configured VPNs (BLUE and RED). Use a subnet of 130.100. Use a subnet of 130.10.Figure 3-7 MPLS VPN Topology Create a network between PE router R1 and CE device SW1 using a VLAN 10 interface on SW1 that can be trunked toward R1.2/30 assigned to the CE.100. per Figure 3-8.0/30 with .1/30 assigned to the PE and . Use a subnet of 10.10.1/30 assigned to the PE and . Use a subnet of 10.

You will configure the actual VPN routing in later questions.loopback interfaces for peering between your PE routers. Advertise all preconfigured loopback networks on SW2 to R6 for the BLUE VPN. (4 points) Figure 3-8 BGP Topology Section 4: EIGRP and MP-BGP (3 Points) Configure EIGRP per Figure 3-9 between your PE router R6 and CE Switch SW2. Use an EIGRP virtual instance name of VPN on R6 and a process number of 10 on SW2. Use VLAN 20 for EIGRP connectivity between R6 and SW2. (1 point) .

Use a default metric of 10000 100 255 1 1500 for BGP routes when redistributed into EIGRP. It is acceptable for these routes to come through as / 32 routes because of default OSPF behavior of loopback interfaces. Ensure that all EIGRP routes have a MED of 50 assigned to them within MP-BGP. (1 point) Configure your PE routers R1 and R6 to transport EIGRP routes from your CE devices between the BLUE VPN using MP-BGP. Use an EIGRP virtual instance name of VPN on R1 and a process number of 10 on SW1.Figure 3-9 EIGRP/MP-BGP Topology Configure EIGRP per Figure 3-9 between your PE router R1 and CE switch SW1. You should permit only internal OSPF routes to be advertised across your VPN and ensure that the redistribution of BGP routes into OSPF are assigned as type 1 external routes with no manually adjusted cost associated with them. Use VLAN 10 for EIGRP connectivity between R1 and SW1. Use a process ID of 2 on PE router R6 and CE device SW4 using VLAN 100 for connectivity. (2 points) . EIGRP networks residing on SW1 should be seen as internal EIGRP routes on SW2 and vice versa. (1 point) Section 5: OSPF and MP-BGP (6 Points) Configure OSPF per Figure 3-10 for your VRF RED with a process number of 3 on PE router R1 and SW3 using VLAN 50 for connectivity. Advertise all preconfigured loopback networks on SW1 to R1 for the BLUE VPN.

1. Both Switch 1 and Switch 4 should receive the following routes: SW1# show ip route | include 10. (4 points) Section 6: MPLS (7 Points) Leak network 10.0/24 from VRF RED into VRF BLUE on R6.1 SW1. (5 points) .44.1.0/24 [110/XX] via 130.1.10.44.44.44. Vlan10 SW1# SW4# show ip route | include 10. You are permitted to configure only router R1. Vlan100 SW4# Verify your configuration by pinging from VRF RED SW4 10.0 O E1 10. Configure your OSPF network appropriately to ensure that the routes are displayed correctly as IA routes.0 D EX 10. 00:00:27.1 to VRF BLUE SW1 10. leak 10.44.1. You are not permitted to adjust the OSPF redistribution into BGP as directed in the previous question.44. Maintain the OSPF process IDs are previously directed. 00:03:04.0/24 from SW1 VRF BLUE on PE R1 into the VRF RED on PE1.10. similarly.44.0/24 [170/XXXXXX] via 10.1.1.1.Figure 3-10 OSPF Topology You will notice that your OSPF IA (intra-area) routes between CE devices SW3 and SW4 appear as type 1 external routes.44.1.1.100.1.100.

and reduce the effects of TCP global synchronization within your Mission-Critical class.Configure your PE routers R1 and R6 to ensure that the MPLS P routers are not listed as intermediate hops when a trace route is performed on your CE devices. Switch 4 should be configured to reply to an ICMP ping on its VLAN 100 interface directed to 226. Be aware that the SW3 resides in VLAN 200 and that SW4 resides in VLAN 400 in respective PE router subinterfaces. (10 points) Section 9: IPv6 (6 Points) Configure the following IPv6 address on the PE routers R1 and R6.1. (6 points) R1 Lo0 2010:C15:C0:1::1/64 R1 Gi0/0. and implement IPv6 over MPLS between the 6PE routers to advertise the prefixes between 6PEs. Create an L2TPv3 Xconnect attachment circuit on your PE routers R1 and R6 for your CE devices (SW3 Fast Ethernet 0/19 1.1.1. The total bandwidth between the PE to CE should be shaped to 1 Mbps. Ensure that voice traffic is assigned to an LLQ. Use an appropriate method of prioritizing DSCP traffic so that AF31 packets are statistically dropped more frequently than AF32 during congestion. (10 points) Section 8: Multicast (10 Points) Configure your MPLS network for multicast support of the RED VRF using PIM sparse mode. You should use existing loopback interfaces on your PE routers for peering over your MPLS network. configure MDT appropriately.20 2010:C15:C0:62::1/64 Section 10: QoS (7 Points) Create the following QoS profile on your PE router R1 for traffic egressing to your CE device connected to the BLUE VRF.2. Ensure that PE router R6’s associated VLAN 100 IP address is used as the rendezvous point for the RED VRF multicast traffic.0.2/24) to communicate using a Layer 2 tunneling solution (use Version 3) across your Layer 3 network.1. PE routers R1 and R6 should be configured to tunnel multicast traffic using an MDT address of 232.1/24 and SW4 Fast Ethernet 0/19 1. Make sure that your loopback IPv6 addresses are used to source any locally generated IPv6 traffic. 
(4 points) .2.2 from Switch 3 VLAN 50.0/24 within a previous question.10 2010:C15:C0:11::1/64 R6 Lo0 2010:C15:C0:6::1/64 R6 Gi0/1.1. and solely reduce the effect of TCP global synchronization within the Default class.1.0. It can be assumed that the mVRF bandwidth requirement is low.11 from CE device Switch 3 VLAN 50 to CE device SW4 VLAN 100 over the RED VRF. (2 points) Section 7: VPLS Simulation (10 Points) Switches 3 and 4 will have been configured to belong to the subnet of 1.

with R4 and R5 being effectively spoke routers in your solution. R5.5. The source interface for the tunnel configuration on R2 should be Fast Ethernet 1/1. and a delay of 2 microseconds on the tunnel network.5. Spoke routers must communicate with each other directly using dynamic IPsec connections with the aid of NHRP at the hub. Use an MTU of 1416 for your secure traffic. NHRP should be authenticated with a password of SECRET. respectively. Use EIGRP with a named virtual instance of VPN and autonomous system of 1 to advertise the loopback networks between routers over a common GRE tunnel network of 100. and R6 using the same common EIGRP parameters. whereas hub-to-spoke IPsec connections should be permanent. (10 points) Following on from the previous question. Use an IPsec transform set of esp-des esp-md5-hmac on each router.100.6. The total aggregate speed from the CE to PE should be restricted to 1 Mbps. an NHRP timeout of 100 seconds for spoke replies. You are not permitted to enable EIGRP on your Ethernet interfaces between routers. R5.4. The hub router should provide all necessary direct next-hop information to the spoke routers when they are required to communicate between themselves. Traffic in the Voice class within the detailed CIR should have the MPLS EXP set to 5 and above discarded.5/24.100.4. 5.X/24 (X = router number) sourced from each router’s common Ethernet interface. using IPsec to encrypt all traffic between the loopback networks using a preshared ISAKMP key of CCIE. Test your solution by extended pings sourced from the configured loopback interfaces.Create the following QoS profile on your PE router R1 for traffic ingressing from your CE device connected to the BLUE VRF into the MPLS network.6. Traffic in the Mission-Critical class within the detailed CIR should have the MPLS EXP set to 3 and above set to 7.4/24. add R2 into the common GRE tunnel network as a spoke router using identical security parameters as used on R4 and R5. 
ensuring that it receives routes from R4. use IP addresses of 4.6/24. Traffic in the Default class within the detailed CIR should have the MPLS EXP set to 0 and above set to 4. R6 is to be a hub router. and R6. and the . and 6. (3 points) Section 11: Security (15 Points) Create three new loopback IP addresses of loopback1 on R4.

Q. Is this acceptable? A. Does it matter what OSPF process ID I use on my routers? A. He or she will be present to ensure that you do not have problems with the lab environment and to maintain the timing element of the exam. Section 2: MPLS and OSPF Q. Section 1: LAN Switching and Frame Relay Q. and advertise this identical network from R4 and R5 to the hub router R6 on the common GRE tunnel interface.1.45/24 on both R4 and R5.1. No. . this is required to advertise your loopback addresses for MPLS. No. simply configure the switches as directed in the question and Layer 2 connectivity will be provisioned later within the lab when your core network is configured. Add new Loopback 2 identical IP addresses of 45. No.66/32. the proctor will not enter into any discussions about the questions or answers. Configure R6 to advertise both destinations (R4 and R5) to spoke router R2 for network 45. is this related to MPLS TE and is a tunnel required between R1 and R2? A. Do you want me to configure Layer 2 between Switch 3 and Switch 4 so that they can communicate on the subnet 1. No. the question states that each device must be reachable over the Frame Relay network.66. With my Frame Relay. Do you require OSPF for any interfaces on R1 and R6 that connect to the switches? A. I can only reach my spoke routers from the hub. this includes spoke-to-spoke communication. this is a pure IP solution designed to speed convergence in the event of a failure without the need to tune convergence timers. Q.45.45.66. just configure OSPF per the figure.45. (3 points) The network manager of your network cannot justify a full security implementation.destination should be the Gigabit Ethernet 0/0 interface of R6.45. (2 points) Practice Lab 3: “Ask the Proctor” Note This section should be used only if you require clues to complete the questions. Q. so you can use an ID of your choice. 
but wants to implement a solution that provides a password prompt from R1 only when the keyboard entry 1 is entered on the console port (as opposed to the normal CR/Enter key).0/24 in EIGRP over the common GRE tunnel network. No. the question doesn’t direct you to use a specific process ID. Configure R1 appropriately.0/24? A. In the actual CCIE lab. To protect 66.

I can’t ping to my VLAN 10 interface on Switch 1 from R1. Q. Can I configure OSPFv2 Fast Reroute for the 6. Correct. So. . No. You haven’t been instructed not to use this command at this point even though this is an iBGP configuration. Do you need me to configure the PEs to send community values to each other? A. just add in the MP-BGP autonomous system number to the RD? A. Do you want the OSPF from the core routers extended into the RED VRF I created so that I run end-to-end OSPF between CE Switch 1 and CE Switch 2? A.6. Section 3: BGP Q. You need to ensure that you source your ping correctly. Q. Do I need to perform any further configuration to make this work? A.Q. MP-BGP is simply required between the PE routers. You must remember how MPLS works and ensure that the route targets are propagated to successfully configure your VPNs. MPLS. Q. Do you want me to configure my RED VRF with a route descriptor of 100 and 200 for the BLUE VRF? A. Q. this will enable your network to transport MPLS and BGP within later questions. Yes. Look for a method of making the autonomous system number the same within your VRF specific configuration on R6. otherwise. No. just remember that R1 is now a PE router with multiple VRF routing tables.6/32 prefix? A. Q. You have been provided with additional information in the question that enables you to facilitate use of MP-BGP extended communities. If I use a different number on R6 and Switch 2.6. just initially as directed OSPF. Section 5: OSPF and MP-BGP Q. I usually configure next-hop self on my BGP configurations. No. Do you want me to configure OSPF. EIGRP requires the same autonomous system number on neighbor routers to peer successfully. Q. A combination of the two will achieve the desired results. Section 4: EIGRP and MP-BGP Q. and BGP initially within the OSPF section? A. R1 would use its default routing table (which is used for the MPLS connectivity). A. Do you want me to configure a full mesh of BGP between all routers? A. 
you will ultimately achieve this connectivity through an MPLS VPN and not by simply extending OSPF through your core devices. Is this acceptable here? A. No. they cannot peer correctly.

Section 7: VPLS Simulation Q. yet I cannot ping between switches. though. Am I at liberty to manipulate spanning tree? A. I suspect a spanning-tree type of issue if the question states VLAN differences when I need to provide Layer 2 adjacency. Find an appropriate value and try it out. You had a similar issue with EIGRP autonomous system numbers. You could achieve the same result over a standard Layer 3 network. I have my L2TPv3 tunnel up end to end. just investigate what is possible within your VRF configuration. This must have something to do with the different OSPF process ID I had to configure. surely the routes should appear as standard interarea routes through the VPN. Can I modify my loopback interface with the OSPF network command on Switch 4 so that it is advertised with the correct mask? A. Just exercise caution where you configure your parameters to achieve the correct results in the appropriate VRF. This behavior should become apparent why in the following question.Q. but you have been directed to do so in the question. Section 6: MPLS Q. The routes will come out as type 1 external routes on your CE devices. Q. Correct. I think if I change the redistribution of OSPF into BGP. Section 8: Multicast Q. Why would I need to do this? A. or could I do this over a standard Layer 3 network? A. Changing the process ID on OSPF peers wouldn’t affect any adjacency. but the routes remain identical. Is this MPLS specific. I can make the OSPF routes appear as intra-area routes. Why would I want to advertise the OSPF routes as external type 1 routes within BGP. and it would appear that you have modified this behavior with your redistribution configuration. is that acceptable? A. Q. No. I can’t adjust this. I can manage to leak routes between VRFs but my route comes out as a host route. by all means try to change the redistribution. Do I score any points if I change the redistribution? A. Yes. A. Do you want me to enable PIM over my P routers or just PE routers? . A. 
I changed the redistribution. this question is a little misleading. it might help you understand the issue. It will become evident why you have been asked to do this in a later question. Q. Q. Yes. Q. so I am stuck. You are correct. If I change the domain ID on R1.

Yes. Is this DiffServ. Yes. Q. can I just configure an IGMP join group appropriately on its VLAN 100 interface? A. Do you want the first QoS policy outbound on the BLUE VRF interface on PE router R1? A. though. it just provides you with two different configuration exercises. You’re almost there. but I don’t understand what the low-bandwidth requirement is. Do you want PIM on my MPLS router loopback interfaces? A. Q. Section 10: QoS Q. use a common technique whereby traffic is dropped randomly as queues fill. Is this correct? A. Your switches are currently not capable of running IPv6. You can. The second QoS policy limits traffic to 1 Mbps. Q. this wouldn’t offer the inherent drop preference. Q. Should I just advertise my IPv6 prefixes with the BGP network command? A. though. I have a Multicast Distribution Tree tunnel between PE routers. Q. you might find that configuring PIM end to end is required. Section 9: IPv6 Q. Are you looking for random early detect? A. because there is no redistribution to be configured. The question states “MPLS network. Yes. AF31 packets should be dropped more frequently than AF32. Do you want me to run IPv6 down to my CE switches and redistribute anything over MPLS? A. Yes. Q. To get Switch 4 to reply to a ping to 226. Q. You might find it is required at certain points within your MPLS network. Q. MDT has differing requirements for high. you might or might not require a Data MDT. No.and low-bandwidth sources. Yes. To prioritize DSCP traffic. I appreciate that this isn’t the real world. do you want me to configure some priority queuing within a class for AF32 flows? A. whereby you want me to modify the topmost bits in the EXP field? A.” To provide end-to-end multicast support. Q.2. .2. Do I use the same packet-marking classes in each question? A.2. yet the first will be line rate at 1 Gbps. A.A.

Q. Practice Lab 3 Debrief This section now analyzes each question showing you what was required and how to achieve the desired results. Yes. The clues in the question suggest this is a DMVPN question. Q. rather than a CR on the line con 0 port. No. and it receives a single route to network 45. . You should use this section to produce an overall score for Practice Lab 3. Q.45. Q. just make the router provide a prompt when it receives an ASCII 1. Q.45. I have configured my solution correctly. yet I don’t get spoke routes on the spoke routers. Is this okay? A. and all traffic flowing from the new subnets you created should automatically be encrypted. Is this acceptable? A. No. Do you want me to get R1 to somehow translate a CR into a 1 to then provide a password prompt? A. Q. No. Section 11: Security Q. the question specifically states that spoke routers must be able to communicate with each other directly. Q. No.0/24 via the hub router. Configure SW1 Fa0/19 to belong to VLAN 200 and SW2 Fa0/19 to belong to VLAN 400. Section 1: LAN Switching (4 Points) Configure your switched network per Figure 3-6. Can I configure max-paths on R2? A. your solution will not require an ACL. you must configure R6 to advertise both spokes (R4 and R5) as valid next hops for this destination. Don’t I need an ACL to mark all traffic that should be encrypted? A. Do you want the policy applied to the CE-facing VRF BLUE interface as an input service policy? A.Q. I still show a next hop of the hub between spoke networks. Is this acceptable? A. No. I have added R2 as a spoke to the DMVPN network. This sounds like a split-horizon issue. use a similar feature on R6 hub to actually advertise both spokes rather than just one as a valid next hop. this would then modify the traffic as it flows into the MPLS network. can I disable this behavior? A. Your switched network is physically nonlooped and therefore does not require any STP root bridge configuration. No. Can I modify the next hop from the hub? 
A. Yes. Yes. you need full network visibility from all devices and not just the hub.

Configure interface Fa0/1 on SW1 to become a trunk port toward R1 and Fa0/6 on SW2 to become a trunk port toward R6. Ports should use 802.1Q encapsulation. Interface Fa0/20 of each switch has been preconfigured to be a trunk port. Restrict the VLANs permissible to use the trunk on Switch 1 Fa0/1 to VLAN 10, 50, and 200 and VLAN 20, 100, and 400 on Switch 2 Fa0/6. You should also configure R1 and R6 to terminate the VLANs on each router. Connectivity between switches will be provided via R1 and R6 later in the lab. (3 points)

This is a simple question, but you are required to complete multiple configuration items to gain your points. To begin, ports Fa0/19 of Switch 1 and Switch 2 should be assigned the correct VLAN. (The actual VLANs would have been created previously in the initial configuration.) Next, the trunking is configured as directed with allowed VLANs of 10, 50, and 200 for Switch 1 and 20, 100, and 400 for Switch 2. R1 and R6 are configured with the corresponding VLAN numbers as subinterfaces to terminate the trunk connections from Switch 1 and Switch 2 using an identical reference for the dot1q encapsulation. The configuration enables connectivity between switches when the MPLS section has been completed later in the lab. If you have configured this correctly, as shown in Example 3-1, you have scored 3 points.

Note
R1 and R6 use the VLAN number for the encapsulation and the subinterface number. Your subinterface number does not need to match the VLAN number, but it is considered good practice to do so.

Example 3-1 SW1, SW2, R1, and R6 Configuration

Switch1# show run interface fastethernet 0/19
!
interface fastethernet0/19
 switchport access vlan 200
 switchport mode access

Switch1# show run interface fastethernet 0/1
!
interface fastethernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,50,200
 switchport mode trunk

Switch2# show run interface fastethernet 0/19
!
interface fastethernet0/19
 switchport access vlan 400
 switchport mode access

Switch2# show run interface fastethernet 0/6

1.400 switchport mode trunk R1# show run | begin interface GigabitEthernet0/0 ! interface GigabitEthernet0/0 no ip address ! interface GigabitEthernet0/0.20 encapsulation dot1Q 20 ! interface GigabitEthernet0/0.2/24. Example 3-2 SW3 and SW4 Configuration Click here to view code image .100 encapsulation dot1Q 100 ! interface GigabitEthernet0/1.200 encapsulation dot1Q 200 R6# show run | begin interface GigabitEthernet0/1 ! interface GigabitEthernet0/1 no ip address ! interface GigabitEthernet0/1.1.1. you have scored 1 point.1.) (1 point) This is a straightforward configuration task to change the operation of the ports to non-switchport Layer 3 mode where an IP address can be configured.400 SW3 interface Fa0/19 and SW4 interface Fa0/19 are required to communicate with each other on the same IP subnet of 1.1.1.! interface fastethernet0/6 switchport trunk encapsulation dot1q switchport trunk allowed vlan 20. End-to-end connectivity is achieved through the IP network at a later stage. Configure these interfaces with IP addresses 1. as shown in Example 3-2.50 encapsulation dot1Q 50 ! interface GigabitEthernet0/0. If you have configured this correctly.1/24 and 1.0/24.100. The interfaces should be configured to communicate as if connected directly as a point-to-point link. respectively.10 encapsulation dot1Q 10 ! interface GigabitEthernet0/0. (Actual IP end-to-end connectivity will be achieved in a later section.

Switch3# show run interface fastethernet 0/19
!
interface fastethernet0/19
no switchport
ip address 1.1.1.1 255.255.255.0
Switch4# show run interface fastethernet 0/19
!
interface fastethernet0/19
no switchport
ip address 1.1.1.2 255.255.255.0

Section 2: MPLS and OSPF (27 Points)
Configure OSPF on your routers, per Figure 3-6, to enable your network to transport MPLS and
MP-BGP. Ensure that all OSPF configuration is entered under the interfaces. All required
interfaces (including Loopback 0) should be configured to belong to Area 0. Consider using
the show ip ospf interface command to verify your configuration. (3 points)
OSPF is used as the IGP in which to advertise the router loopback addresses, which will, of
course, be used for the MPLS connectivity. The question directs you to configure OSPF directly
under the interfaces of the routers. Example 3-3 shows the loopback interfaces of each router
from R1’s perspective advertised as host routes as required for MPLS. If you have configured
this correctly, as shown in Example 3-3, you have scored 3 points.
Example 3-3 OSPF Configuration and Verification

R1(config-if)# int lo0
R1(config-if)# ip ospf 1 area 0
R1(config-if)# int Gi0/1
R1(config-if)# ip ospf 1 area 0
R2(config-if)# int lo0
R2(config-if)# ip ospf 1 area 0
R2(config-if)# int Fa0/0
R2(config-if)# ip ospf 1 area 0
R2(config-if)# int Fa0/1
R2(config-if)# ip ospf 1 area 0
R3(config-if)# int lo0
R3(config-if)# ip ospf 1 area 0
R3(config-if)# int Gi0/0
R3(config-if)# ip ospf 1 area 0
R3(config-if)# int Gi0/1
R3(config-if)# ip ospf 1 area 0

R4(config-if)# int lo0
R4(config-if)# ip ospf 1 area 0
R4(config-if)# int gi0/0
R4(config-if)# ip ospf 1 area 0
R4(config-if)# int Gi0/1
R4(config-if)# ip ospf 1 area 0
R5(config-if)# int lo0
R5(config-if)# ip ospf 1 area 0
R5(config-if)# int gi0/0
R5(config-if)# ip ospf 1 area 0
R5(config-if)# int Gi0/1
R5(config-if)# ip ospf 1 area 0
R6(config-if)# int lo0
R6(config-if)# ip ospf 1 area 0
R6(config-if)# int gi0/0
R6(config-if)# ip ospf 1 area 0

R1# show ip route ospf
     120.0.0.0/8 is variably subnetted, 11 subnets, 2 masks
O       120.100.2.1/32 [110/2] via 120.100.132.2, 00:05:00, GigabitEthernet0/1
O       120.100.3.1/32 [110/2] via 120.100.132.3, 00:06:16, GigabitEthernet0/1
O       120.100.4.1/32 [110/12] via 120.100.132.3, 00:06:16, GigabitEthernet0/1
O       120.100.5.1/32 [110/22] via 120.100.132.3, 00:02:36, GigabitEthernet0/1
O       120.100.6.1/32 [110/22] via 120.100.132.3, 00:01:19, GigabitEthernet0/1
O       120.100.25.0/24 [110/31] via 120.100.132.3, 00:02:26, GigabitEthernet0/1
O       120.100.34.0/24 [110/11] via 120.100.132.3, 00:06:16, GigabitEthernet0/1
O       120.100.45.0/24 [110/21] via 120.100.132.3, 00:06:16, GigabitEthernet0/1

Configure MPLS on all routers within the OSPF domain; use LDP, ensuring that TDP can
be used on unused interfaces without specifically configuring these interfaces for TDP.
Routers R1 and R6 will become your PE routers, whereas R2, R3, R4, and R5 will
become P routers. (4 points)
Each router must be configured to become an LSR (label switch router). The LSRs must have
loopback interfaces with an address mask of 32 bits, and these interfaces must be reachable
within the global IP routing table (which the previous question achieved). R1 and R6 are the
PE (provider edge) routers, which will be used to connect to switches in later questions
simulating CE (customer edge) devices. R2, R3, R4, and R5 become the P (provider) routers,
which will be used to switch labeled packets between the PE routers. The question tells you to
use LDP (Label Distribution Protocol) but facilitate the future use of TDP (Tag Distribution
Protocol) without further configuration on unused interfaces. This is achieved by configuring
TDP globally and LDP under each interface used for MPLS within this lab. (The default global
and interface configuration is LDP.) The PE routers require only MPLS configured on their
serial interfaces toward the P routers. If you have configured this correctly, as shown in
Example 3-4, you have scored 4 points.
Example 3-4 MPLS Configuration

R1(config)# mpls label protocol tdp
R1(config)# interface Gi0/1
R1(config-if)# mpls label protocol ldp
R1(config-if)# mpls ip
R2(config)# mpls label protocol tdp
R2(config)# interface Fa0/0
R2(config-if)# mpls label protocol ldp
R2(config-if)# mpls ip
R2(config)# interface Fa0/1
R2(config-if)# mpls label protocol ldp
R2(config-if)# mpls ip
R3(config)# mpls label protocol tdp
R3(config)# interface Gi0/0
R3(config-if)# mpls label protocol ldp
R3(config-if)# mpls ip
R3(config-if)# interface Gi0/1
R3(config-if)# mpls label protocol ldp
R3(config-if)# mpls ip
R4(config)# mpls label protocol tdp
R4(config)# interface GigabitEthernet0/0
R4(config-if)# mpls label protocol ldp
R4(config-if)# mpls ip
R4(config-if)# interface Gi0/1
R4(config-if)# mpls label protocol ldp
R4(config-if)# mpls ip
R5(config)# mpls label protocol tdp
R5(config)# interface Gi0/0
R5(config-if)# mpls label protocol ldp
R5(config-if)# mpls ip
R5(config-if)# interface Gi0/1
R5(config-if)# mpls label protocol ldp
R5(config-if)# mpls ip
R6(config)# mpls label protocol tdp
R6(config)# interface Gi0/0
R6(config-if)# mpls label protocol ldp
R6(config-if)# mpls ip
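
The rule described above (TDP as the global default, LDP overridden on every interface that runs MPLS) can be checked mechanically against a configuration session. The following Python script is an added example, not part of the original lab: its function names and the constructed RX/RY sessions are assumptions, while the R1 and R3 lines are copied from Example 3-4.

```python
import re

# Matches IOS configuration prompts such as "R3(config-if)# mpls ip".
PROMPT = re.compile(r"^(?P<host>[\w.-]+)\((?P<mode>config[\w-]*)\)#\s*(?P<cmd>.*)$")


def parse_transcript(text):
    """Return {router: {"global": proto, "interfaces": {name: {...}}}} from a config session."""
    routers, current = {}, {}
    for raw in text.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue
        host, mode, words = m["host"], m["mode"], m["cmd"].split()
        # The lab text states that LDP is the default when nothing is configured.
        state = routers.setdefault(host, {"global": "ldp", "interfaces": {}})
        if len(words) >= 2 and words[0] in ("interface", "int"):
            current[host] = "".join(words[1:])
            state["interfaces"].setdefault(current[host], {"protocol": None, "mpls_ip": False})
        elif len(words) == 4 and words[:3] == ["mpls", "label", "protocol"]:
            if mode == "config":
                state["global"] = words[3].lower()
            elif mode == "config-if" and host in current:
                state["interfaces"][current[host]]["protocol"] = words[3].lower()
        elif words == ["mpls", "ip"] and mode == "config-if" and host in current:
            state["interfaces"][current[host]]["mpls_ip"] = True
    return routers


def effective_protocols(state):
    """Protocol each MPLS-enabled interface really runs: its own setting, else the global one."""
    return {name: (i["protocol"] or state["global"])
            for name, i in state["interfaces"].items() if i["mpls_ip"]}


def audit(routers):
    """List (router, where, message) for every deviation from the lab requirement."""
    findings = []
    for host in sorted(routers):
        state = routers[host]
        if state["global"] != "tdp":
            findings.append((host, "global",
                             "global protocol is %s; unused interfaces will not default to TDP"
                             % state["global"]))
        for name, iface in sorted(state["interfaces"].items()):
            if iface["mpls_ip"]:
                proto = iface["protocol"] or state["global"]
                if proto != "ldp":
                    findings.append((host, name, "inherits %s instead of running LDP" % proto))
            elif iface["protocol"] is not None:
                findings.append((host, name, "label protocol set but 'mpls ip' is missing"))
    return findings


# R1 and R3 lines as shown in Example 3-4.
PAGE_TRANSCRIPT = """
R1(config)# mpls label protocol tdp
R1(config)# interface Gi0/1
R1(config-if)# mpls label protocol ldp
R1(config-if)# mpls ip
R3(config)# mpls label protocol tdp
R3(config)# interface Gi0/0
R3(config-if)# mpls label protocol ldp
R3(config-if)# mpls ip
R3(config-if)# interface Gi0/1
R3(config-if)# mpls label protocol ldp
R3(config-if)# mpls ip
"""

# Constructed sessions (hypothetical routers RX and RY) showing typical mistakes.
CONSTRUCTED = """
RX(config)# mpls label protocol tdp
RX(config)# interface Gi0/0
RX(config-if)# mpls ip
RX(config-if)# interface Gi0/1
RX(config-if)# mpls label protocol ldp
RY(config)# interface Gi0/0
RY(config-if)# mpls label protocol ldp
RY(config-if)# mpls ip
"""

if __name__ == "__main__":
    for label, text in (("Example 3-4", PAGE_TRANSCRIPT), ("constructed", CONSTRUCTED)):
        problems = audit(parse_transcript(text))
        print(label, "->", "no findings" if not problems else "")
        for host, where, message in problems:
            print("  %s %s: %s" % (host, where, message))
```

On RX, Gi0/0 would come up with TDP because it inherits the global setting, which is exactly the mistake the interface-level `mpls label protocol ldp` lines in Example 3-4 prevent.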

Example 3-5 shows verification of the configuration with the LDP peering between each router.
Notice that the loopback addresses are used for LDP peer identification.
Example 3-5 MPLS Configuration Verification

R1# show mpls ldp neighbor
Peer LDP Ident: 120.100.2.1:0; Local LDP Ident 120.100.1.1:0
TCP connection: 120.100.2.1.40418 - 120.100.1.1.646
State: Oper; Msgs sent/rcvd: 69/71; Downstream
Up time: 00:47:20
LDP discovery sources:
GigabitEthernet0/1, Src IP addr: 120.100.123.2
Addresses bound to peer LDP Ident:
120.100.123.2
120.100.25.2
120.100.2.1
Peer LDP Ident: 120.100.3.1:0; Local LDP Ident 120.100.1.1:0
TCP connection: 120.100.3.1.51369 - 120.100.1.1.646
State: Oper; Msgs sent/rcvd: 68/68; Downstream
Up time: 00:47:18
LDP discovery sources:
GigabitEthernet0/1, Src IP addr: 120.100.123.3
Addresses bound to peer LDP Ident:
120.100.123.3
120.100.3.1
120.100.34.3
R2# show mpls ldp neighbor
Peer LDP Ident: 120.100.3.1:0; Local LDP Ident 120.100.2.1:0
TCP connection: 120.100.3.1.16991 - 120.100.2.1.646
State: Oper; Msgs sent/rcvd: 71/68; Downstream
Up time: 00:46:33
LDP discovery sources:
fastethernet0/0, Src IP addr: 120.100.123.3
fastethernet0/1, Src IP addr: 120.100.34.3
Addresses bound to peer LDP Ident:
120.100.123.3
120.100.3.1
120.100.34.3
Peer LDP Ident: 120.100.5.1:0; Local LDP Ident 120.100.2.1:0
TCP connection: 120.100.5.1.13826 - 120.100.2.1.646
State: Oper; Msgs sent/rcvd: 73/76; Downstream
Up time: 00:46:24
LDP discovery sources:
fastethernet0/1, Src IP addr: 120.100.25.5
Addresses bound to peer LDP Ident:
120.100.25.5
120.100.5.1
5.5.5.5
120.100.45.5
100.100.100.5
Peer LDP Ident: 120.100.1.1:0; Local LDP Ident 120.100.2.1:0
TCP connection: 120.100.1.1.646 - 120.100.2.1.40418
State: Oper; Msgs sent/rcvd: 69/68; Downstream
Up time: 00:46:07
LDP discovery sources:
fastethernet0/0, Src IP addr: 120.100.123.1

Addresses bound to peer LDP Ident:
120.100.123.1
120.100.1.1
Peer LDP Ident: 120.100.4.1:0; Local LDP Ident 120.100.2.1:0
TCP connection: 120.100.4.1.47401 - 120.100.2.1.646
State: Oper; Msgs sent/rcvd: 54/57; Downstream
Up time: 00:32:28
LDP discovery sources:
fastethernet0/1, Src IP addr: 120.100.34.4
Addresses bound to peer LDP Ident:
120.100.4.1
4.4.4.4
120.100.45.4
100.100.100.4
120.100.34.4
R3# show mpls ldp neighbor
Peer LDP Ident: 120.100.2.1:0; Local LDP Ident 120.100.3.1:0
TCP connection: 120.100.2.1.646 - 120.100.3.1.16991
State: Oper; Msgs sent/rcvd: 69/72; Downstream
Up time: 00:47:11
LDP discovery sources:
GigabitEthernet0/0, Src IP addr: 120.100.123.2
GigabitEthernet0/1, Src IP addr: 120.100.25.2
Addresses bound to peer LDP Ident:
120.100.123.2
120.100.25.2
120.100.2.1
Peer LDP Ident: 120.100.1.1:0; Local LDP Ident 120.100.3.1:0
TCP connection: 120.100.1.1.646 - 120.100.3.1.51369
State: Oper; Msgs sent/rcvd: 67/67; Downstream
Up time: 00:46:43
LDP discovery sources:
GigabitEthernet0/0, Src IP addr: 120.100.123.1
Addresses bound to peer LDP Ident:
120.100.123.1
120.100.1.1
Peer LDP Ident: 120.100.5.1:0; Local LDP Ident 120.100.3.1:0
TCP connection: 120.100.5.1.53107 - 120.100.3.1.646
State: Oper; Msgs sent/rcvd: 67/74; Downstream
Up time: 00:45:22
LDP discovery sources:
GigabitEthernet0/1, Src IP addr: 120.100.25.5
Addresses bound to peer LDP Ident:
120.100.25.5
120.100.5.1
5.5.5.5
120.100.45.5
100.100.100.5
Peer LDP Ident: 120.100.4.1:0; Local LDP Ident 120.100.3.1:0
TCP connection: 120.100.4.1.15940 - 120.100.3.1.646
State: Oper; Msgs sent/rcvd: 52/56; Downstream
Up time: 00:33:06
LDP discovery sources:
GigabitEthernet0/1, Src IP addr: 120.100.34.4
Addresses bound to peer LDP Ident:
120.100.4.1
4.4.4.4
120.100.45.4
100.100.100.4
120.100.34.4
R4# show mpls ldp neighbor
Peer LDP Ident: 120.100.6.1:0; Local LDP Ident 120.100.4.1:0
TCP connection: 120.100.6.1.55234 - 120.100.4.1.646
State: Oper; Msgs sent/rcvd: 74/76; Downstream
Up time: 00:43:52


You will be configuring two VPNs over your MPLS networks per Figure 3-8 between PE routers of
BLUE and RED. At this point, assign the following interfaces on each PE router into separate
routing instances within the routers:
PE R1 interface Gi0/0 VLAN10 connection into VPN BLUE
PE R1 interface Gi0/0 VLAN 50 connection into VPN RED
PE R6 interface Gi0/1 VLAN 20 connection into VPN BLUE
PE R6 interface Gi0/1 VLAN 100 connection into VPN RED
Configure VPN BLUE to use an RD of 100 and VPN RED to use an RD of 200 for both importing and
exporting routes into your BGP network, which will be configured later with an autonomous
system of AS65001. (4 points)
You are required to create virtual routing forwarding (VRF) instances on the PE routers and
assign the subinterfaces on each PE router into these. This will ultimately provide end-to-end
virtual private networking (VPN) connectivity over the MPLS network for your CE devices to
communicate. You are directed to use a route distinguisher (RD) of 100 for the BLUE VRF and 200
for the RED VRF and must combine this with the BGP autonomous system number of 65001 to import
and export route target extended communities for the specified VRFs. The actual BGP
configuration will be configured later in the lab. If you have configured this correctly, as
shown in Example 3-6, you have scored 4 points.
Example 3-6 VRF Configuration

R1(config)# ip vrf BLUE
R1(config-vrf)# rd 65001:100
R1(config-vrf)# route-target export 65001:100
R1(config-vrf)# route-target import 65001:100
R1(config-vrf)# !
R1(config-vrf)# ip vrf RED
R1(config-vrf)# rd 65001:200
R1(config-vrf)# route-target export 65001:200
R1(config-vrf)# route-target import 65001:200
R1(config-vrf)# exit
R1(config)# interface GigabitEthernet0/0.10
R1(config-subif)# ip vrf forwarding BLUE
R1(config-subif)# interface GigabitEthernet0/0.50
R1(config-subif)# ip vrf forwarding RED
R6(config)# ip vrf BLUE
R6(config-vrf)# rd 65001:100
R6(config-vrf)# route-target export 65001:100
R6(config-vrf)# route-target import 65001:100
R6(config-vrf)# !
R6(config-vrf)# ip vrf RED
R6(config-vrf)# rd 65001:200
R6(config-vrf)# route-target export 65001:200
R6(config-vrf)# route-target import 65001:200
R6(config-vrf)# exit
R6(config)# interface GigabitEthernet0/1.20
R6(config-subif)# ip vrf forwarding BLUE
R6(config)# interface GigabitEthernet0/1.100
R6(config-subif)# ip vrf forwarding RED

Create a network between PE router R1 and CE device SW1 using a VLAN10 interface on SW1 that
can be trunked toward R1. Use a subnet of 10.10.10.0/30 with .1/30 assigned to the PE and
.2/30 assigned to the CE. This network will reside in the BLUE VPN. (2 points)
This is a simple configuration task to assign IP connectivity between the PE and CE devices
for future routing between the devices and remote VPN connectivity via R6. The new VLAN10 must
be created on SW1, and this VLAN should have already been permitted to flow through to R1 as
an allowed VLAN. The subinterface of Gigabit 0/0.10 on R1 has been assigned to the BLUE VRF
during the previous question, so connectivity between SW1 and R1 should now be

0/30 with . The new VLAN 20 must be created on SW2.252 R1# ping vrf BLUE 10.20.possible (when IP addresses are assigned). If you have configured this correctly. When testing.10.252 Switch1(config)# vlan 10 Switch1(config-vlan)# exit Switch1(config)# interface vlan 10 Switch1(config-if)# no shutdown Switch1(config-if)# ip add 10.!!! Success rate is 60 percent (3/5).10.1 255.10.255.2 255.10.255. round-trip min/avg/max = 1/1/1 ms Create a network between PE router R6 and CE device SW2 using a VLAN 20 interface on SW2 that can be trunked toward R6. remember that R6 must use the appropriate VRF to confirm connectivity. Example 3-8 BLUE VRF IP Addressing and Local Connectivity Testing Click here to view code image R6(config)# interface GigabitEthernet0/1.255.10. you have scored 2 points.255.2/30 assigned to the CE.10.10. you have scored 2 points.1/30 assigned to the PE and . This network will reside in the BLUE VPN.10. Sending 5.255. If you have configured this correctly. Example 3-7 BLUE VRF IP Addressing and Local Connectivity Testing Click here to view code image R1(config)# interface GigabitEthernet0/0. and this VLAN already should have been permitted to flow through to R6 as an allowed VLAN. timeout is 2 seconds: .20 R6(config-subif)# ip add 10. as shown in Example 3-7.10 R1(config-subif)# ip add 10.20.10.255. as shown in Example 3-8.2 Type escape sequence to abort. because a normal ping would be sourced from the global routing table and will fail. remember that R1 must use the appropriate VRF to confirm connectivity. When testing.252 Switch2(config)# vlan 20 .10.20 on R6 has been assigned to the BLUE VRF during a previous question. 100-byte ICMP Echos to 10.2.1 255. Use a subnet of 10.. The subinterface of Gigabit 0/1. so connectivity between SW2 and R6 should now be possible. 
(2 points) This is a simple configuration task as per the previous question to assign connectivity between the PE and CE devices for future routing between the devices and remote VPN connectivity via R1.

50.2/30 assigned to the CE. round-trip min/avg/max = 1/1/1 ms Create a network between PE router R6 and CE device SW4 using a VLAN 100 interface on SW4 that can be trunked toward R6.Switch2(config-vlan)# exit Switch2(config)# interface vlan 20 Switch2(config-if)# no shutdown Switch2(config-if)# ip add 10. this network will reside in the RED VPN.50. Sending 5.1 255. this network will reside in the RED VPN. timeout is 2 seconds: .50. so connectivity between SW3 and R1 should now be possible. When testing.0/30 with . as shown in Example 3-9.50. If you have configured this correctly.50.!!! Success rate is 60 percent (3/5).. remember that R1 must use the appropriate VRF to confirm connectivity.50.2 Type escape sequence to abort.20..255. round-trip min/avg/max = 1/1/1 ms Create a network between PE router R1 and CE device SW3 using a VLAN 50 interface on SW3 that can be trunked toward R1. Sending 5.20.252 Switch3(config)# interface vlan 50 Switch3(config-if)# no shutdown Switch3(config-if)# ip add 130.10. Use a . This VLAN should have already been permitted to flow through SW1 to R1 as an allowed VLAN.20.255.50.2 255.10.2 255.252 R6# ping vrf BLUE 10. Use a subnet of 130. timeout is 2 seconds: .10.255.!!! Success rate is 60 percent (3/5).50. (2 points) Here’s another simple configuration to assign connectivity between the PE and CE devices for future routing between the devices and remote VPN connectivity via R6. Example 3-9 RED VRF IP Addressing and Local Connectivity Testing Click here to view code image R1(config)# interface GigabitEthernet0/0.1/30 assigned to the PE and . 100-byte ICMP Echos to 130.50 R1(config-subif)# ip add 130.255.252 R1# ping vrf RED 130.50. VLAN 50 has been previously created on SW3 and SW1 within the initial configuration. The subinterface of Gigabit 0/0.255.255.2 Type escape sequence to abort.50 on R1 has been assigned to the RED VRF during a previous question.50.2.2. you have scored 2 points. 100-byte ICMP Echos to 10.

subnet of 130.100.100.0/30 with .1/30 assigned to the PE and .2/30 assigned to the CE.
(2 points)
This is the final configuration task to assign connectivity between the PE and CE devices for
future routing between the devices and remote VPN connectivity via R1. VLAN 100 has been
previously created on SW4 and SW2, within the initial configuration; this VLAN should have
already been permitted to flow through SW2 to R6 as an allowed VLAN. The subinterface of
Gigabit 0/1.100 on R6 has been assigned to the RED VRF during a previous question, so
connectivity between SW4 and R6 should now be possible. When testing, remember that R6 must
use the appropriate VRF to confirm connectivity. If you have configured this correctly, as
shown in Example 3-10, you have scored 2 points.
Example 3-10 RED VRF IP Addressing and Local Connectivity Testing

R6(config)# interface GigabitEthernet0/1.100
R6(config-subif)# ip add 130.100.100.1 255.255.255.252
Switch4(config)# interface vlan 100
Switch4(config-if)# no shutdown
Switch4(config-if)# ip add 130.100.100.2 255.255.255.252
R6# ping vrf RED 130.100.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 130.100.100.2, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 1/1/1 ms

Section 3: BGP (5 Points)
Configure MP-BGP between your PE routers, per Figure 3-9, to enable your network to transport
the VPNv4 addresses of your configured VPNs (BLUE and RED). Use loopback interfaces for
peering between your PE routers. You will configure the actual VPN routing in later questions.
(4 points)
MPLS requires the use of Multiprotocol BGP (MP-BGP) between the PE routers to exchange VPNv4
addresses in addition to IPv4 addresses. The VPNs will be mapped into the configuration later,
so this question is a straightforward peering and VPNv4 setup task. The configuration requires
you to peer from your loopback interfaces, which are advertised via your P routers within
OSPF, and requires that extended communities are used between PE routers to advertise your
VPNv4 addresses successfully. You should be aware that route targets (RTs) are implemented by
the use of the BGP extended community (64 bits) and therefore the send-community both value
must be configured within MP-BGP. The next-hop-self command is optional and strictly required
only when you have an eBGP configuration to preserve the next-hop information to peers; you
will not lose any points if you added this or left it out. The actual VPN portion of MP-BGP
will be configured later within the IPv4 address family for VRF-specific advertisements. This
is a simple MP-BGP network with only two PE routers; additional PE routers would require a
full mesh of iBGP peering or configuration of route-reflectors to aid scalability. If you have
configured this correctly, as shown in Example 3-11, you have scored 4 points.
Example 3-11 MP-BGP Configuration

R1(config)# router bgp 65001
R1(config-router)# no synchronization
R1(config-router)# no auto-summary
R1(config-router)# neighbor 120.100.6.1 remote-as 65001
R1(config-router)# neighbor 120.100.6.1 update-source Loopback0
R1(config-router)# address-family vpnv4
R1(config-router-af)# neighbor 120.100.6.1 activate
R1(config-router-af)# neighbor 120.100.6.1 next-hop-self
R1(config-router-af)# neighbor 120.100.6.1 send-community both
R6(config)# router bgp 65001
R6(config-router)# no sync
R6(config-router)# no auto-summary
R6(config-router)# neighbor 120.100.1.1 remote-as 65001
R6(config-router)# neighbor 120.100.1.1 update-source Loopback0
R6(config-router)# address-family vpnv4
R6(config-router-af)# neighbor 120.100.1.1 activate
R6(config-router-af)# neighbor 120.100.1.1 next-hop-self
R6(config-router-af)# neighbor 120.100.1.1 send-community both

Section 4: EIGRP and MP-BGP (3 Points)
Configure EIGRP per Figure 3-9 between your PE router R6 and CE switch SW2. Use VLAN 20 for
EIGRP connectivity between R6 and SW2. Use an EIGRP virtual instance name of VPN on R6 and a
process number of 10 on SW2. Advertise all preconfigured loopback networks on SW2 to R6 for
the BLUE VPN. (1 point)
Until now, the questions have merely dealt with setting up the infrastructure for MPLS
connectivity. Now you are requested to advertise routes from your CE switch SW2 to PE router
R6, which will ultimately be advertised throughout the BLUE VPN to the remote PE router R1 and
CE switch SW1. You’ll realize that to peer successfully with EIGRP you would need to be
operating within the same autonomous system number, yet the question enforces you to run
differing autonomous system numbers. PE routers would normally connect to multiple customers,
so it is unreasonable to expect that each EIGRP domain should run the same autonomous system
number. Therefore, the autonomous system is assigned with the address-family vrf-specific
command. Example 3-12 details the EIGRP configuration and resulting neighbor relationship and
route propagation between R6 and SW2. If you have configured this correctly, as shown in
Example 3-12, you have scored 1 point.

10.2. D 10.0 0.0. GigabitEthernet0/1.0 0.2.2.10.0.3.Note The IP addressing for VLAN 20 on SW2 and associated subinterfaces on R6 has previously been configured.255 Switch2(config-router)# network 10. (ms) Cn 11 4 subnets.2.0/24 [90/156160] via 10.255 Switch2(config-router)# network 10.0. 2 masks 00:04:36.20 00:04:36.2.2.0. D 10.4.2.0 0. GigabitEthernet0/1.2.20.2.0/24 [90/156160] via 10.3.0.2.0.10.4. Example 3-12 R6 and Switch 2 EIGRP Configuration and Verification Click here to view code image R6(config)# router eigrp VPN R6(config-router)# address-family ipv4 vrf BLUE autonomous-system 10 R6(config-router-af)# network 10.20.0/8 is variably subnetted.2 Gi0/1.10. The BLUE VRF has also been associated to the R6 subinterface previously.0.2.255 R6# show ip eigrp vrf BLUE neighbors IP-EIGRP neighbors for process 10 H Address Interface Uptime SRTT RTO Q Seq Hold (sec) t Num 0 10.0 0.0.20 .0/24 [90/156160] via 10.20.0.3 Switch2(config-router)# network 10.10.20.20 00:04:18 1 200 0 1 R6# R6# show ip route vrf BLUE eigrp 10. GigabitEthernet0/1.10.0.0.0 0.0.3 Switch2(config)# ip routing Switch2(config)# router eigrp 10 Switch2(config-router)# no auto-summary Switch2(config-router)# network 10. D 10.20.20.20 00:04:36.

0 0.10.0 0. The BLUE VRF has also been associated to the R1 subinterface previously.1.0. Use VLAN10 for EIGRP connectivity between R1 and SW1.0.0 0.2. you have scored 1 point.1. Configure EIGRP per Figure 3-9 between your PE router R1 and CE switch SW1.1. Use an EIGRP virtual instance name of VPN on R1 and a process number of 10 on SW1. Example 3-13 details the EIGRP configuration and resulting neighbor relationship and route propagation between R1 and SW1.10 200 0 Cn (ms) Cn 13 1 R1# show ip eigrp vrf BLUE neighbors IP-EIGRP neighbors for process 10 H Address Interface Uptime SRTT RTO Q Seq Hold (sec) t Num (ms) .0.10.10. (1 point) As per the previous question.0.255 Switch1(config-router)# network 10.0 0.1.0 0.Note The IP addressing for VLAN 10 on SW1 and associated subinterfaces on R1 has previously been configured. as shown in Example 3-13.3 Switch1(config)# ip routing Switch1(config)# router eigrp 10 Switch1(config-router)# no auto-summary Switch1(config-router)# network 10. Advertise all preconfigured loopback networks on SW1 to R1 for the BLUE VPN.3 Switch1(config-router)# network 10.10.0.0.3.2 00:00:24 1 R1# Gi0/0.0.0. Example 3-13 R1 and Switch 1 EIGRP Configuration and Verification Click here to view code image R1(config)# router eigrp VPN R1(config-router)# address-family ipv4 vrf BLUE autonomous-system 10 R1(config-router-af)# network 10. you are requested to advertise routes from your CE switch SW1 to PE router R1.10. If you have configured this correctly.255 Switch1(config-router)# network 10.0.255 R1# show ip eigrp vrf BLUE neighbors IP-EIGRP neighbors for process 10 H Address Interface Uptime SRTT RTO Q Seq Hold (sec) t Num 0 10.10. which will ultimately be advertised throughout the BLUE VPN to the remote PE router R6 and CE switch SW2.0.

0/24 [90/153856] via 10.3.10. GigabitEthernet0/0. even though they have been redistributed via another routing protocol. EIGRP networks residing on SW1 should be seen as internal EIGRP routes on SW2 and vice versa.2. D 10.0 10. the metrics are not required because the extended community values of MP-BGP previously configured will effectively transport the internal metrics of EIGRP and ensure that the routes are shown as internal EIGRP routes at the remote location. If you have configured this correctly.10.2.10 00:00:24 1 200 0 1 R1# show ip route vrf BLUE eigrp 10.10 00:01:18.10.10. (1 point) The full end-to-end VPN routing is achieved at this point by redistributing EIGRP into the appropriate address family for the VRF.0/24 [90/153856] via 10.0/8 is variably subnetted. 13 4 subnets.1. Example 3-14 details the configuration required on the PE routers and resulting routes on the CE devices SW1 and SW2.10. GigabitEthernet0/0.1.2. Example 3-14 PE and CE MP-BGP Redistribution Configuration and Verification Click here to view code image R1(config)# router eigrp VPN R1(config-router)# address-family ipv4 vrf BLUE autonomous-system 10 R1(config-router)# topology base R1(config-router-af-topology)# redistribute bgp 65001 metric 10000 100 255 1 1500 R1(config-router-af-topology)# router bgp 65001 R1(config-router)# address-family ipv4 vrf BLUE R1(config-router-af)# redistribute eigrp 10 metric 50 R6(config)# router eigrp VPN R6(config-router)# address-family ipv4 vrf BLUE autonomous-system 10 R6(config-router)# topology base R6(config-router-af-topology)# redistribute bgp 65001 metric 10000 100 255 1 1500 R6(config-router-af-topology)# router bgp 65001 R6(config-router)# address-family ipv4 vrf BLUE R6(config-router-af)# redistribute eigrp 10 metric 50 .2.10 00:01:18.10 Configure your PE routers R1 and R6 to transport EIGRP routes from your CE devices between the BLUE VPN using MP-BGP. 2 masks 00:01:18. In reality.0. as shown in Example 3-14. 
The question dictates the metrics you should use.2 Gi0/0. D 10. Use a default metric of 10000 100 255 1 1500 for BGP routes when redistributed into EIGRP.10.1.0. The question is just looking for accuracy and giving you the opportunity to view routes with the metrics and later without if you choose to. GigabitEthernet0/0. D 10.10.1. you have scored 1 point. Ensure that all EIGRP routes have a MED of 50 assigned to them within MP-BGP.0/24 [90/153856] via 10.10.

1. r RIB-failure. e .0/24 [90/154112] via 10.1.10.10. r RIB-failure. Vlan10 D 10. Vlan20 D 10.4. h history.1. as shown in Example 315.incomplete Network Next Hop Metric LocPrf Weight Path Route Distinguisher: 65001:100 (default for vrf BLUE) .EGP. d damped. Vlan10 SW2# show ip route eigrp D 10.3.0/24 10. Vlan20 D 10.0/30 [90/26112] via 10.1.0/24 [90/154112] via 10.1 Status codes: s suppressed. > best.2 50 32768 ? *> 10.10.1.2.1. ? .10. you have scored 3 points. Notice the iBGP routes on the PE routers from the remote PE router with the MED of 50.1 Status codes: s suppressed.1 50 100 0 ? *>i10.IGP. local router ID is 120. Vlan10 D 10.10.3.2. Vlan10 D 10.20.20. 00:32:05. it also details the MPLS forwarding table for the BLUE VRF. S Stale Origin codes: i .10.3.2.0/24 120.1.20. 00:33:07. h history.1.10.2.1.10.2 50 32768 ? *>i10.10. Vlan20 D 10.2.0. If you have configured this correctly.10. i internal.100.20.10.10.10. > best.0.10.1.1. i internal.2. these are the routes that are propagated to EIGRP CE devices.2.1. local router ID is 120.0/24 120. 00:33:07.0/24 [90/156416] via 10.1.10.4.1 50 100 0 ? *>i10.10.10.1 0 100 0 ? *> 10.EGP. 00:32:05. 00:33:07.1.1.0/30 120.2.0/24 [90/156416] via 10.IGP.0/24 [90/154112] via 10. e .0/24 [90/156416] via 10.3.20.0/30 0.0/24 10.1 50 100 0 ? *> 10.100. * valid.1.2 50 32768 ? *> 10.10. d damped.1.20.0 0 32768 ? R1# show ip bgp vpnv4 vrf BLUE BGP table version is 17.6.SW1# show ip route eigrp D 10. S Stale Origin codes: i .10.100.100.incomplete Network Next Hop Metric LocPrf Weight Path Route Distinguisher: 65001:100 (default for vrf BLUE) *>i10. 00:32:05. Vlan20 Example 3-15 details the BGP routes received on the PE routers with the assigned MED value of 50.1.20.20.2.10.100.20.1. ? .0/24 10. * valid.2. Example 3-15 PE MP-BGP and MPLS Verification Click here to view code image R6# show ip bgp vpnv4 vrf BLUE BGP table version is 17.1.10.100.1.0/24 120.0/30 [90/28416] via 10. 00:33:07. 00:32:05.

2 Gi0/1.4.0/30 10.3.10. As with the EIGRP question. This direction is actually a red herring for the next question when the routes at the CE devices appear as external routes when they should in fact be internal routes.1.0/24 *> 10. You should be aware that OSPF will advertise these as host routes.100.1 50 50 50 50 50 50 100 100 100 0 0 R1# show mpls forwarding-table vrf BLUE Local Outgoing Prefix Bytes tag tag tag or VC or Tunnel Id switched 26 Untagged 10.0/30[V] 0 100 32768 ? 32768 ? 32768 ? 0 ? 0 ? 0 ? 32768 ? 0 ? Outgoing Next Hop interface Gi0/0. You are requested to permit only internal OSPF routes to be redistributed into BGP.20.10.0/24 *> 10.10 10.2 10.1 120.0/30 *>i10.0/24 *>i10.0/24[V] 0 27 Untagged 10.0/24 *>i10.6.2.0/30[V] 0 29 Untagged 10.10.2 10. you have scored 2 points.2.2 Gi0/0.2 Gi0/0.10.1.2.100.1.1. as shown in Example 3-16.1 120.10.10.1.20 10. you are requested to manipulate the redistribution of the IGP into BGP.2 Gi0/1.10.10.1.6.2.0/24 *> 10.2.10.0/24[V] 0 28 Aggregate 10.0/24 *>i10.10.4.10.2 120. Example 3-16 details the required configuration and verification.20.10.0/24[V] 0 27 Untagged 10. Figure 3-10 indicates that all loopback interfaces are to be included in OSPF on both CE devices.10 10.20 10.1.0/24[V] 0 28 Untagged 10.10.10. If you have configured this correctly. .3.20.10.0/24[V] 0 R6# show mpls forwarding-table vrf BLUE Local Outgoing Prefix Bytes tag tag tag or VC or Tunnel Id switched 26 Untagged 10.2 Outgoing Next Hop interface Gi0/1.10. (2 points) You are requested to configure OSPF over your MPLS network between CE devices SW3 and SW4 via your PE routers R1 and R6.2.2. but in reality the routes would appear to have not been redistributed through another routing protocol by default.3.20.10.0 120.2.2 Section 5: OSPF and MP-BGP (6 Points) Configure OSPF per Figure 3-10 for your VRF RED with a process number of 3 on PE router R1 and SW3 using VLAN 50 for connectivity.10.0. 
You should permit only internal OSPF routes to be advertised across your VPN and ensure that the redistribution of BGP routes into OSPF are assigned as type 1 external routes with no manually adjusted cost associated with them.0/24[V] 0 29 Aggregate 10.10.3. but the question states that this is acceptable behavior.0. It is acceptable for these routes to come through as / 32 routes because of default OSPF behavior of loopback interfaces.100.100.20 10.1.*> 10.6.20.1 0. Use a process ID of 2 on PE router R6 and CE device SW4 using VLAN 100 for connectivity.2.6.10.2. which is a simple match internal parameter on the redistribution configuration.10.10 10.

33.0.255 area 1 10.Example 3-16 VRF RED OSPF Configuration and Verification Click here to view code image SW3(config)# ip routing SW3(config)# router ospf 3 SW3(config-router)# network SW3(config-router)# network SW3(config-router)# network SW3(config-router)# network 130.0. R6# show ip route vrf RED ospf Routing Table: RED 10.50.0.45.255 area 2 R1(config)# router ospf 3 vrf RED R1(config-router)# network 130. 00:04:48.0.100.33.0 0.0.0.33.255 area 2 10.0.33.50 O IA 10.44.0.0.50.0.3 area 0 R1(config-router)# redistribute bgp 65001 subnets metric-type 1 R1(config-router)# router bgp 65001 R1(config-router)# address-family ipv4 vrf RED R1(config-router-af)# redistribute ospf 3 match internal R6(config)# router ospf 2 vrf RED R6(config-router)# net 130.1 [110/2] via 130.0 0. .100.0.3 area 0 10.33.2.44. 00:04:48. 00:02:32.0 0.44.46.100.100.0. 130.0.2.44.100 O IA 10.1 [110/2] via GigabitEthernet0/0.34.0.0.0.33.50.2.0.50.100.50.35.0.33.0 0.34.0. GigabitEthernet0/1. 6 subnets O IA 10.100.44.50 6 subnets 130.255 area 1 SW4(config)# ip routing SW4(config)# router ospf 2 SW4(config-router)# network SW4(config-router)# network SW4(config-router)# network SW4(config-router)# network 130.46.0 0. 00:02:32.0 0.2.3 area 0 R6(config-router)# redistribute bgp 65001 subnets metric-type 1 R6(config-router)# router bgp 65001 R6(config-router)# address-family ipv4 vrf RED R6(config-router-af)# redistribute ospf 2 match internal R1# show ip route vrf RED ospf Routing Table: RED 10.1 [110/2] via GigabitEthernet0/0.50.0. 130.0.255 area 1 10.0 0.44.35.0 0. 00:04:48.3 area 0 10.0/32 is subnetted. O IA 10.50.1 [110/2] via GigabitEthernet0/0.255 area 2 10.45.50 O IA 10.50.0.1 [110/2] via 130.0.100.50.0.50.0 0.0 0.100.33.0/32 is subnetted.2.

0/30 is subnetted.100.0/30 is subnetted. When you look at the routes in Example 3-17 for the PE routers.50.1. You will notice that your OSPF IA (intra-area) routes between CE devices SW3 and SW4 appear as type 1 external routes. (4 points) This is a tricky question and one that will really eat into your time (the kind of question that if the answer doesn’t jump out at you and the points don’t look appealing enough.1.1. Maintain the OSPF process IDs are previously directed.50.1 [110/2] via 130. 6 subnets.1/32 [110/3] via 130.1. 00:02:55. The RED VRF has also been associated to the R1 and R6 subinterfaces previously.50.100. So.100.0.100.33.0.50.1/32 [110/3] via 130.50. you can confidently leave questions like this for later. 00:02:32.100.46.100. 2 masks O E1 10.1/32 [110/3] via 130.33.100 O IA 10. 1 subnets O E1 130.100. Vlan100 O E1 10. Because you have your routes in place and following questions do not build from this one.50. Example 3-17 VRF RED OSPF Routes Click here to view code image .100. As stated previously.0.1/32 [110/3] via 130.50.100 SW3# show ip route ospf 130. Vlan100 O E1 10. Vlan50 10.100.44.GigabitEthernet0/1.0/8 is variably subnetted. Configure your OSPF network appropriately to ensure that the routes are displayed correctly as IA routes. 00:02:54.100. 00:03:37.44. 00:03:37.35.0. GigabitEthernet0/1.44. 6 subnets. 00:03:37. you will see that they are actually IA routes at this point.50.50. Vlan100 10. 2 masks O E1 10.1.1.0.44. Vlan50 O E1 10.1.1/32 [110/3] via 130. 00:06:08.34.50. it’s one to park and come back to).44.45.2. the redistribution into type 1 is actually somewhat misleading.44.100. Vlan50 O E1 10. 00:02:54. 00:03:37. You are not permitted to adjust the OSPF redistribution into BGP as directed in the previous question.1.1/32 [110/3] via 130.50.33. it is only when these routes are advertised to the CE devices that the type 1 external route change occurs. You are permitted to configure only router R1.100.0 [110/2] via 130.0. 
Vlan50 SW4# show ip route ospf 130.100.0 [110/2] via 130. 1 subnets O E1 130. Vlan100 Note The IP addressing for VLAN50 on SW3 and associated subinterface on R1 and VLAN 100 on SW4 and associated subinterface on R6 has previously been configured.0/8 is variably subnetted.33.

50 O IA 10.50.2.1/32 [110/3] via 130.0.45. 00:04:48.0/30 is subnetted.” Statements such as this should make you think. SW3# show ip route ospf 130. 00:02:32.1.33. You might not have known that. 130.50.0.44.2.0. the configuration required to change the domain ID on one of your PE’s Router R1. Vlan100 10.44.33.46. the LSA is changed to a type 5 and the routes become external. Vlan100 O E1 10.1/32 [110/3] via 130. Vlan50 SW4# show ip route ospf 130.50 O IA 10.44.100.2. 00:03:37.33. 00:04:48.100.33.1 [110/2] via GigabitEthernet0/1.1/32 [110/3] via 130.0/32 is subnetted. 130.0.0.50.0/8 is variably subnetted.0 [110/2] via 130.1.100.2.0.50.100. Example 3-18 details the domain ID information on your PE routers. 2 masks O E1 10.44.2.1 [110/2] via GigabitEthernet0/1.100 O IA 10.44.50.100. 00:02:32. 6 subnets.50.33. 00:02:54.100.1.1 [110/2] via GigabitEthernet0/1.2. Vlan50 10.1 [110/2] via GigabitEthernet0/0. O IA 10.1. it would most likely work.33.100.44. If the process IDs differ on PE routers that form the VPN.100. you are left with only the option of changing the domain ID. 1 subnets O E1 130.1 [110/2] via GigabitEthernet0/0.1/32 [110/3] via 130.100.1.0.0/30 is subnetted.0.1/32 [110/3] via 130. .100. but it is the kind of thing that you gain through research and rack time.1.0.1. Because you are not permitted to change the process ID. Vlan100 The clue is actually in the question “Maintain the OSPF process IDs as previously directed.35.1/32 [110/3] via 130. Vlan100 O E1 10.100.100 6 subnets 130.100.1 [110/2] via GigabitEthernet0/0. 00:02:32. 00:03:37. 6 subnets. 00:04:48. 00:02:55.34. 1 subnets O E1 130.50. Vlan50 O E1 10.0/32 is subnetted.100.1.44. O IA 10.50 6 subnets 130.46.50. Vlan50 O E1 10.100. and the resulting IA routes received on your CE devices. “Okay. 00:03:37. 130.50.50.35.34. you have scored 4 points. and how else can I achieve that?” OSPF has a domain ID by default. 00:06:08.R1# show ip route vrf RED ospf Routing Table: RED 10. as shown in Example 3-18. 
00:02:54.45.33.100. If you have configured this correctly.100.0/8 is variably subnetted.50.50. 00:03:37.50.0.100. 2 masks O E1 10. This is the same as the process ID.50.50. 130.0 [110/2] via 130.100 O IA 10.44. R6# show ip route vrf RED ospf Routing Table: RED 10.50. Why would that do it.50. so if I did change the process ID.33.

0.44.1.0 [110/2] via 130.0/24 from VRF RED into VRF BLUE on R6.1.50.44.0. Similarly.0.34.0. 00:00:09. 00:00:27.1 to VRF BLUE SW1 10.44. 6 subnets.50.100.33. Vlan100 10. Vlan100 O IA 10.0.33. Vlan100 Section 6: MPLS (7 Points) Leak network 10.1.50. 00:00:09.1.35. so OSPF must be .33.1/32 [110/3] via 130.0/24 originates from a loopback interface on Switch 4.44.44.100.0.50.1/32 [110/3] via 130.1. Vlan100 O IA 10.1. 00:00:07.1.1/32 [110/3] via 130.100.33.50.100.Example 3-18 Domain ID Configuration and OSPF Route Verification Click here to view code image R1# show ip ospf 3 | include Domain Domain ID type 0x0005.0/30 is subnetted.1.100. Vlan100 SW4# Verify your configuration by pinging from VRF RED SW4 10. Vlan50 SW3# SW4# show ip route ospf 130.0 D EX 10.0/8 is variably subnetted.1.0/24 [110/XX] via 130.1.1.10.0.0 O E1 10. value 0.46.0.3 R6# show ip ospf 2 | include Domain Domain ID type 0x0005. 1 subnets O IA 130.100.44.50.0 [110/2] via 130.0/24 from SW1 VRF BLUE on PE R1 into the VRF RED on PE1. (5 points) This is a straightforward VRF export question with a slight twist for the attentive in that the OSPF route 10.1. 00:00:07.1.1.100.44. 2 masks O IA 10. Vlan50 O IA 10.1.10.44.1 SW1. 6 subnets. 1 subnets O IA 130.1.50.0/30 is subnetted. Vlan50 10.0/24 [170/XXXXXX] via 10.45.50.100.50.100. 00:00:07.1.0.0.0/8 is variably subnetted.2 SW3# show ip route ospf 130. Both Switch 1 and Switch 4 should receive the following routes: SW1# show ip route | include 10.100.44.50. Vlan50 O IA 10.44.2 R1(config)# router ospf 3 vrf RED R1(config-router)# domain-id 0.100.100. 00:03:04.44. 2 masks O IA 10. 00:00:07.1/32 [110/3] via 130. 00:00:09.0.1/32 [110/3] via 130.44.44. value 0.1/32 [110/3] via 130. leak 10. 00:00:09.50. Vlan10 SW1# SW4# show ip route | include 10.100.0.44.1.

R6. ? .6.100.1.0/30 0.2 2 32768 ? *> 10.1 2 100 0 ? *>i10.0.0.IGP.2 2 32768 ? *>i10.0.1/32 130.50.44.0 into VRF RED and R6 10. the resulting verification of the route advertisements and testing are also shown.0 into VRF BLUE R1# show ip bgp vpnv4 vrf RED BGP table version is 33.255 R1(config-vrf)# exit R1(config)# route-map SW1 permit 10 R1(config-route-map)# match ip address 10 R1(config-route-map)# set extcommunity rt 65001:200 additive R6(config)# ip vrf RED R6(config-vrf)# export map SW4 R6(config-vrf)# access-list 10 permit 10.33. h history.1 Status codes: s suppressed.100.100. Example 3-19 Selective VRF Export Configuration and Verification Click here to view code image Sw4(config)# interface Loopback0 Sw4(config-if)# ip ospf network point-to-point R1(config)# ip vrf BLUE R1(config-vrf)# export map SW1 R1(config-vrf)# access-list 10 permit 10.1/32 130. Example 3-19 details the required configuration on PE routers R1.44.1. local router ID is 120.100.33.1.44.50. > best.1/32 120. you have scored 5 points. e .44.0 0.45. * valid.50.0. permitting the required routes from each VRF to the existing BLUE and RED VRF advertisements by adding them to the appropriate route target (RT) within MP-BGP by use of the set extcommunity rt XXXXX:XXX additive command.50. as shown in Example 3-19.50. The route leaking is achieved by creation of export maps on the PE routers R1 and R6.44.0 0 32768 ? .1/32 120.50. i internal.33.1.2 2 32768 ? *> 10. d damped. r RIB-failure.1 2 100 0 ? *>i10.50. and the CE device SW4. If you have configured this correctly.1.0.44.6.manipulated to treat this interface as a point-to-point network to advertise the /24 mask.0 0.50. S Stale Origin codes: i .1/32 130.255 R6(config-vrf)# exit R6(config)# route-map SW4 permit 10 R6(config-route-map)# match ip address 10 R6(config-route-map)# set extcommunity rt 65001:100 additive ! R1 is now sending 10.1 2 100 0 ? 
*> 130.35.33.EGP.0.44.1/32 120.46.44.incomplete Network Next Hop Metric LocPrf Weight Path Route Distinguisher: 65001:200 (default for vrf RED) *> 10.34.6.

6.0/24 120.50.33.*>i130. ? .20.46.1 0 100 0 ? R6# show ip bgp vpnv4 vrf BLUE BGP table version is 35.44. d damped.20.3.10.10.EGP.100.100.6.1/32 120.10.1 0 100 0 ? *> 10.33.100.1. r RIB-failure.1 2 100 0 ? *>i10.44.50.100. r RIB-failure.2 50 32768 ? *> 10. > best.2.44. d damped.6.100.0.1. * valid.0 0 32768 ? *>i130.0/24 10.0 *> 10.10.2 2 32768 ? *> 10.44.35.1.1 Status codes: s suppressed.1 0 100 0 ? ! No sign of the 10.0 route is actually listed as a host route.1/32 130.100.50.IGP.0 route.1/32 120.0/24 10.100.1.1.1 50 100 0 ? *>i10. i internal. clear the BGP session to kick start the export map R1# clear ip bgp * R1# show ip bgp vpnv4 vrf RED BGP table version is 34.33.1. local router ID is 120.2 50 32768 ? *> 10.1. h history.100.2 50 32768 ? *> 10.100.100.1.100.incomplete Network Next Hop Metric LocPrf Weight Path Route Distinguisher: 65001:100 (default for vrf BLUE) *>i10.2 2 32768 ? *> 10.10.1.1 50 100 0 ? *>i10.0/24 120.0/30 0.1/32 120.6.1 50 100 0 ? *> 10.100.1.50.0/30 120.10.100. S Stale Origin codes: i .1 2 100 0 ? *>i10.3.0/24 120.100.50.2 2 32768 ? .6.incomplete Network Next Hop Metric LocPrf Weight Path Route Distinguisher: 65001:200 (default for vrf RED) *> 10.44.2 2 32768 ? *>i10.0.44.50. local router ID is 120.EGP.34.1/32 130.44.2.6.44.4.1/32 130.20.1.1/32 130.0/24 10.1. h history. i internal.1 2 100 0 ? *> 130.0/30 120.100.100. S Stale Origin codes: i .0/30 120. e .50.2 2 32768 ? ! Notice the 10. > best. change the loopback interface on Sw4 to a point-to-point for OSPF to advertise it correctly SW4(config)# interface lo0 SW4(config-if)# ip ospf network point-to-point R6# show ip bgp vpnv4 vrf BLUE | include 10. * valid.IGP.2.100.0.44.100.1 Status codes: s suppressed.33.44.10.2.20. ? .50.2 50 32768 ? *>i10.10.44.0/30 0.100.1.45. e .0 0 32768 ? *> 10.44.0/24 10.2.0/24 130.0.

10. 100-byte ICMP Echos to 10. Sending 5.10 Gi0/0.1/32[V] 0 41 Untagged 10.1.33.10.44. Timestamp. 00:00:51.1/32[V] 0 40 Untagged 10.1.100.1.1.2 ! Note the Routes are not leaked within the MPLS forwarding-table R6# show mpls forwarding-table vrf BLUE Local Outgoing Prefix Bytes tag tag tag or VC or Tunnel Id switched 34 Untagged 10.20. 00:02:45.1 !!!!! Success rate is 100 percent (5/5).10 Gi0/0.50.2.1/32[V] 0 Outgoing Next Hop interface Gi0/0.44.2 Outgoing interface Next Hop Gi0/0.10.2 .0 O E1 10.1.44.3.0 D EX 10.1.50.2.20 10.0/30[V] 0 39 Untagged 10.10.2 35 Untagged 10.1. round-trip min/avg/max = 8/9/12 ms R1# show mpls forwarding-table vrf BLUE Local Outgoing Prefix Bytes tag tag tag or VC or Tunnel Id switched 34 Untagged 10.10 10.Switch1# show ip route | include 10.50 Gi0/0.10.33. Vlan100 ! Now test with an extended ping to ensure that the loopback interface is used as the source SW1# ping Protocol [ip]: Target IP address: 10.2 36 Aggregate 10.44.1.0/30[V] 0 37 Untagged 10.50 Gi0/0.1. Verbose[none]: Sweep range of sizes [n]: Type escape sequence to abort.50.0/24[V] 590 R1# show mpls forwarding-table vrf RED Local Outgoing Prefix Bytes tag tag tag or VC or Tunnel Id switched 38 Aggregate 130.1. timeout is 2 seconds: Packet sent with a source address of 10. Record.2 130.0/24[V] 0 Outgoing Next Hop interface Gi0/1.2.44.1 Type of service [0]: Set DF bit in IP header? [no]: Validate reply data? [no]: Data pattern [0xABCD]: Loose.50.44.34.50.44.10.50 130.1.33. Strict.33.1.1.50.100.10 10.2 130.0/24[V] 0 .1.1 Repeat count [5]: Datagram size [100]: Timeout in seconds [2]: Extended commands [n]: y Source address or interface: 10.10.10.44.1.10 10.35.10. Vlan10 Switch1# SW4# show ip route | include 10.0/24 [170/281856] via 10.50.0/24[V] 0 .0/24 [110/51] via 130.50.

Tracing the route to 10.20.2 12 msec 12 msec 16 msec 120.20.10. the MPLS network will be shown when a traceroute is performed.100.10.100 130.5 8 msec 12 msec 8 msec 10.123.100.10.1 1 10.100 .45. (2 points) By default.100.20 10.1 8 msec 8 msec 8 msec 10.20.44.20 Gi0/1.100.2. Example 3-20 MPLS Traceroute Configuration and Testing Click here to view code image SW1# traceroute 10. If you have configured this correctly.2.10.100.2 ! Note the Routes are not leaked within the MPLS forwarding-table Configure your PE routers R1 and R6 to ensure that the MPLS P routers are not listed as intermediate hops when a trace route is performed on your CE devices. with the no mpls ip propagate-ttl global command within your PE routers.1 Type escape sequence to abort. as shown in Example 3-20.44. This can be changed.4. you have scored 2 points.2.46.100 130.2 42 Untagged 10.1/32[V] 0 Gi0/1.35 36 37 Untagged Untagged Aggregate 10.10.2.1 0 msec 0 msec 0 msec 120. Example 3-20 shows the default behavior and modified behavior after configuration from a traceroute command issued on CE device SW1.2.44.2 0 R6# show mpls forwarding-table vrf RED Local Outgoing Prefix Bytes tag Outgoing Next Hop tag tag or VC or Tunnel Id switched interface 38 Aggregate 130.0/24[V] 10.3.1 Type escape sequence to abort.2.0/30[V] 0 0 Gi0/1.1 4 msec 0 msec 0 msec .100.0/30[V] 0 39 Untagged 10.10.100 130.2.0/24[V] 1534 Gi0/1.25.20.20. Tracing the route to 10.2.2 40 Untagged 10.44.2.10.1 1 2 3 4 5 10.0/24[V] 10.2.10.100 .2 8 msec * 4 msec R1(config)# no mpls ip propagate-ttl R6(config)# no mpls ip propagate-ttl SW1# traceroute 10.10. so that only PE routers are shown as next hops.2 10.100.100.1/32[V] 0 Gi0/1.

200 R1(config-subif)# xconnect 120. Strictly speaking. Example 3-21 PE L2TPv3 Configuration Click here to view code image R1(config)# pseudowire-class PW-CLASS R1(config-pw-class)# encapsulation l2tpv3 R1(config-pw-class)# protocol l2tpv3 R1(config-pw-class)# ip local interface Loopback0 R1(config-pw-class)# interface GigabitEthernet0/0.1.) Note that Cisco Express Forwarding (CEF) must be enabled for the L2TPv3 feature to function correctly. Be aware that the SW3 resides in VLAN 200 and that SW4 resides in VLAN 400 in respective PE router subinterfaces.1. You should use existing loopback interfaces on your PE routers for peering over your MPLS network. L2TPv3 is not covered in the current blueprint.0/24 in a previous question.100.20.20.1 200 pw-class PW-CLASS .1 200 pw-class PW-CLASS R6(config)# pseudowire-class PW-CLASS R6(config-pw-class)# encapsulation l2tpv3 R6(config-pw-class)# protocol l2tpv3 R6(config-pw-class)# ip local interface Loopback0 R6(config-pw-class)# interface GigabitEthernet0/1.1. Create an L2TPv3 Xconnect attachment circuit on your PE routers R1 and R6 for your CE devices (SW3 Fast Ethernet 0/19 1. The pseudowire class PW-CLASS configures the encapsulation to L2TPv3 and sets the loopback interfaces of the PE routers to be used for peering.1 12 msec 8 msec 12 msec 3 10.1.400 R6(config-subif)# xconnect 120.100. (10 points) This question simulates VPLS and requires that L2TPv3 (Layer 2 Tunneling Protocol Version 3) is configured between your PE routers connecting the two subinterfaces that connect to SW3 and SW4 interfaces via SW1 and SW4 (VLAN 200 and VLAN 400. Example 3-21 details the required PE configuration on routers R1 and R2. respectively). which in the example matches the subinterface number of the specific PE router.10.2 10.1. (You could have used any ID here.2/24) to communicate using a Layer 2 tunneling solution (use Version 3) across your Layer 3 network.10. 
SW3 and SW4 will use a pseudowire to communicate over the IP network and logically will connect in the same Layer 2 domain.6.1. The xconnect subinterface command binds the local PE interface to the remote PE loopback with a VC ID (virtual channel ID).1/24 and SW4 Fast Ethernet 0/19 1.2 4 msec * 4 msec Section 7: VPLS Simulation (10 Points) Switches 3 and 4 will have been configured to belong to the subnet of 1.1. but the simple solution is included here to create a switching issue that will enable you to hone your troubleshooting skills in this area and apply a relevant solution based on your findings.

6.1 Username.200:200 est 51446 00:24:40 1 200. yet the ping test from SW3 to 1.1. Enabling BPDU filtering on an interface is equivalent to disabling the spanning tree on an interface. Closer inspection reveals that spanning tree has actually blocked ports on SW1 and SW2 from PE routers R1 and R6. respectively.1.2 fails. you can safely assume that there is a connectivity type issue between either SW3 and PE R1 or SW4 and PE R6.1 Username. per Examples 3-22 and 3-23. so this should give you a starting point in your investigation. The problem is actually resolved by enabling BPDU filtering on SW1 with the spanning-tree bpdufilter enable command on the trunk interface toward the PE r outer R1.100. you can see spanning-tree inconsistencies exist between VLAN 200 being “bridged” to VLAN 400 via your L2TPv3 solution. R6# show l2t session L2TP Tunnel and Session Information Total tunnels 1 sessions 1 LocID RemID Remote Name Class/ State Remote Address Port Sessions L2TP VPDN Group 36190 51446 LocID Uniq ID R1 est RemID TunID 120. it is possible to create bridging loops if this command is not correctly used. As the session is up. respectively. respectively). you have scored 10 points. Circuit 51003 9619 Gi0/0. even though you have previously allowed the local VLAN 200 and 400 through the trunk on PE routers R1 and R6. or possibly between both connections.1. Intf/ VPDN Group 0 State Last Chg Vcid.Example 3-22 shows the successful L2TPv3 session established between PE R1 to PE R6. The question does bring your attention to the fact that both CE devices reside in different VLANs. When logging is enabled on SW1 and SW2 (these CE devices bring SW3 and SW4 Fast Ethernet 0/19 interfaces into VLAN 200 and VLAN 400. 
Example 3-22 PE and CE L2TPv3 Verification Testing and Configuration Click here to view code image R1# show l2tp session L2TP Session Information Total tunnels 1 sessions 1 LocID RemID Remote Name Class/ 51446 1 36190 LocID Uniq ID State Remote Address R6 est RemID TunID Port Sessions L2TP 120. If you have configured this correctly. Intf/ 0 State Last Chg 1 .100.

100-byte ICMP Echos to 1. Success rate is 0 percent (0/5) SW1# show spanning-tree blockedports .-----------------------------------VLAN0200 Fa0/1 Number of blocked ports (segments) in the system : 1 SW2#03:22:21: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 200 on fastethernet0/6 VLAN400.1...1. Gi0/1.1.2. SW2# show spanning-tree blockedports Name -------------------VLAN0200 VLAN0400 Blocked Interfaces List -----------------------------------Fa0/6 Fa0/6 Number of blocked ports (segments) in the system : 2 SW3# ping 1. SW1# show spanning-tree blockedports Name Blocked Interfaces List -------------------..2 Type escape sequence to abort. timeout is 2 seconds: .1.9619 1 51003 36190 Vcid.1..1. Inconsistent local vlan..2 Type escape sequence to abort.1.. 100-byte ICMP Echos to 1. 03:22:21: %SPANTREE-2-BLOCK_PVID_PEER: Blocking fastethernet0/6 on VLAN0200. Inconsistent peer vlan. 200.2. 03:22:19: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking fastethernet0/1 on VLAN0200.. !Make sure you are logging on your CE devices SW1(config)# logging console SW1# 03:22:19: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 400 on fastethernet0/1 VLAN200.1.400:400 est Circuit 00:25:26 SW3# ping 1. Sending 5. Sending 5. timeout is 2 seconds: ..

Name                 Blocked Interfaces List
-------------------- ------------------------------------
VLAN0200             Fa0/1

Number of blocked ports (segments) in the system : 1

SW1(config)# int fast 0/1
SW1(config-if)# spanning-tree bpdufilter enable
SW1(config-if)#
03:33:57: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking fastethernet0/1 on VLAN0200. Port consistency restored.

SW3# ping 1.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/12/17 ms

Section 8: Multicast (10 Points)

Configure your MPLS network for multicast support of the RED VRF using PIM sparse mode. PE routers R1 and R6 should be configured to tunnel multicast traffic using an MDT address of 232.0.0.11 from CE device Switch 3 VLAN 50 to CE device SW4 VLAN 100 over the RED VRF. Ensure that PE router R6's associated VLAN 100 IP address is used as the rendezvous point (RP) for the RED VRF multicast traffic. Switch 4 should be configured to reply to an ICMP ping on its VLAN 100 interface directed to 226.2.2.2 from Switch 3 VLAN 50. It can be assumed that the mVRF bandwidth requirement is low; configure MDT appropriately. (10 points)

Multicast support for MPLS VPNs is provided by configuring multicast routing within the core network. As directed, PIM sparse mode is required in your solution and should be enabled on all P router MPLS interfaces and P-facing PE router MPLS interfaces. PIM sparse mode is also configured on the CE interfaces on VLAN 50 and VLAN 100 on Switches 3 and 4, respectively, and corresponding PE terminating interfaces on the PE routers R1 and R6. Don't forget that multicast routing is enabled on the CE switches with the command ip multicast-routing distributed and on the routers with ip multicast-routing. PIM sparse mode is finally configured on the loopback interfaces of the PE routers R1 and R6 because Multicast Distribution Tree (MDT) will tunnel between these interfaces. Source Specific Multicast (SSM) is enabled on all MPLS routers with the command ip pim ssm default to allow transport of multicast information between all P and PE routers. The mdt default group-address is configured to 232.0.0.11 on PE routers R1 and R6 within the RED VRF.

The question states that the mVRF (multicast VRF) bandwidth requirement is low, which simply means that a Data MDT is not required in this solution. (These are used for high-bandwidth sources and limit the traffic received to the routers' part of the multicast tree.) You should also realize that a Data MDT is not required because there was no mention of threshold values or access-lists within the question, which are required for Data MDT configurations.
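The items this section asks for on the PE routers (multicast routing globally and for the VRF, PIM sparse mode on Loopback0 and the MPLS and VRF interfaces, ip pim ssm default, a matching mdt default group, the same RP) can be checked mechanically. The following is an added example, not part of the original lab solution: a Python audit over running-config style text. The two configuration strings are constructed samples, and the function names are hypothetical.

```python
import ipaddress
import re

# Group range selected by "ip pim ssm default".
SSM_DEFAULT = ipaddress.ip_network("232.0.0.0/8")

# Constructed sample configurations (not output captured from the lab devices).
R1_CFG = """\
ip multicast-routing
ip multicast-routing vrf RED
ip vrf RED
 mdt default 232.0.0.11
interface Loopback0
 ip pim sparse-mode
interface GigabitEthernet0/1
 ip pim sparse-mode
interface GigabitEthernet0/0.50
 ip pim sparse-mode
ip pim ssm default
ip pim vrf RED rp-address 130.100.100.1
"""

# Constructed with two deliberate faults: no PIM on Loopback0, different MDT group.
R6_CFG = """\
ip multicast-routing
ip multicast-routing vrf RED
ip vrf RED
 mdt default 232.0.0.12
interface Loopback0
interface GigabitEthernet0/0
 ip pim sparse-mode
interface GigabitEthernet0/1.100
 ip pim sparse-mode
ip pim ssm default
ip pim vrf RED rp-address 130.100.100.1
"""


def parse_config(text):
    """Split config text into global lines and indented interface/VRF sections."""
    cfg = {"global": [], "sections": {}}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                cfg["sections"][current].append(raw.strip())
            continue
        line = raw.strip()
        if re.match(r"(interface|ip vrf) \S+$", line):
            current = line
            cfg["sections"].setdefault(line, [])
        else:
            current = None
            cfg["global"].append(line)
    return cfg


def audit_pe(name, text, vrf, pim_interfaces):
    """Per-router checks: required global commands and PIM on each listed interface."""
    cfg = parse_config(text)
    findings = []
    for cmd in ("ip multicast-routing", f"ip multicast-routing vrf {vrf}",
                "ip pim ssm default"):
        if cmd not in cfg["global"]:
            findings.append(f"{name}: missing '{cmd}'")
    for ifname in pim_interfaces:
        if "ip pim sparse-mode" not in cfg["sections"].get(f"interface {ifname}", []):
            findings.append(f"{name}: no PIM sparse mode on {ifname}")
    return findings


def vrf_settings(text, vrf):
    """Return (mdt default group, RP address) configured for the VRF, or None."""
    cfg = parse_config(text)
    mdt = rp = None
    for line in cfg["sections"].get(f"ip vrf {vrf}", []):
        m = re.fullmatch(r"mdt default (\S+)", line)
        if m:
            mdt = m.group(1)
    for line in cfg["global"]:
        m = re.fullmatch(rf"ip pim vrf {re.escape(vrf)} rp-address (\S+)", line)
        if m:
            rp = m.group(1)
    return mdt, rp


def audit_pair(a_name, a_text, b_name, b_text, vrf):
    """Cross-router checks: both PEs must agree on the MDT group and the RP."""
    a_mdt, a_rp = vrf_settings(a_text, vrf)
    b_mdt, b_rp = vrf_settings(b_text, vrf)
    findings = []
    if a_mdt != b_mdt:
        findings.append(f"MDT default group differs: {a_name}={a_mdt} {b_name}={b_mdt}")
    if a_rp != b_rp:
        findings.append(f"RP address differs: {a_name}={a_rp} {b_name}={b_rp}")
    for name, mdt in ((a_name, a_mdt), (b_name, b_mdt)):
        if mdt is None:
            findings.append(f"{name}: no mdt default in vrf {vrf}")
        elif ipaddress.ip_address(mdt) not in SSM_DEFAULT:
            findings.append(f"{name}: MDT group {mdt} outside the SSM default range")
    return findings


if __name__ == "__main__":
    r1_ifs = ["Loopback0", "GigabitEthernet0/1", "GigabitEthernet0/0.50"]
    r6_ifs = ["Loopback0", "GigabitEthernet0/0", "GigabitEthernet0/1.100"]
    for finding in (audit_pe("R1", R1_CFG, "RED", r1_ifs)
                    + audit_pe("R6", R6_CFG, "RED", r6_ifs)
                    + audit_pair("R1", R1_CFG, "R6", R6_CFG, "RED")):
        print(finding)
```
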

The address of 130.100.100.1 (R6 VRF RED) is used as the RP for the mVRF, and this is configured on both CE (Switch 3 and Switch 4) devices and both PE routers (R1 and R6) within the RED VRF. CE device Switch 4 is finally configured with ip igmp join-group 226.2.2.2 under its VLAN 100 interface for it to reply to a multicast ping from CE device Switch 3 over the MPLS VPN.

As with all questions, testing is key. The question is comprehensive as to the number of items that require configuration, and it would be an easy mistake to miss tasks such as enabling PIM on the PE loopback interfaces, where you might not immediately assume that it is required. Example 3-23 details the required configuration for the solution.

Example 3-23 Multicast Configuration

! Initial Multicast Setup for the MPLS Core Routers
R1(config)# ip multicast-routing
R1(config-vrf)# interface Loopback0
R1(config-if)# ip pim sparse-mode
R1(config-if)# interface GigabitEthernet0/1
R1(config-if)# ip pim sparse-mode

R2(config)# ip multicast-routing
R2(config)# interface fastethernet0/0
R2(config-if)# ip pim sparse-mode
R2(config-if)# interface fastethernet0/1
R2(config-if)# ip pim sparse-mode

R3(config)# ip multicast-routing
R3(config)# interface GigabitEthernet0/0
R3(config-if)# ip pim sparse-mode
R3(config-if)# interface GigabitEthernet0/1
R3(config-if)# ip pim sparse-mode

R4(config)# ip multicast-routing
R4(config)# interface GigabitEthernet0/0
R4(config-if)# ip pim sparse-mode
R4(config-if)# interface GigabitEthernet0/1
R4(config-if)# ip pim sparse-mode

R5(config)# ip multicast-routing
R5(config)# interface GigabitEthernet0/0
R5(config-if)# ip pim sparse-mode
R5(config-if)# interface GigabitEthernet0/1
R5(config-if)# ip pim sparse-mode

R6(config)# ip multicast-routing
R6(config)# interface Loopback0
R6(config-if)# ip pim sparse-mode
R6(config)# interface GigabitEthernet0/0
R6(config-if)# ip pim sparse-mode

! PE Specific mVRF and MDT Configuration
R1(config)# ip multicast-routing vrf RED
R1(config)# ip vrf RED
R1(config-vrf)# mdt default 232.0.0.11
R1(config-vrf)# interface GigabitEthernet0/0.50
R1(config-subif)# ip pim sparse-mode
R1(config-subif)# exit
R1(config)# ip pim vrf RED rp-address 130.100.100.1
R1(config)# ip pim ssm default

R6(config)# ip vrf RED
R6(config-vrf)# mdt default 232.0.0.11
R6(config-vrf)# interface GigabitEthernet0/1.100
R6(config-subif)# ip pim sparse-mode
R6(config-subif)# exit
R6(config)# ip pim vrf RED rp-address 130.100.100.1
R6(config)# ip pim ssm default

! CE Specific Configuration
SW3(config)# ip multicast-routing distributed
SW3(config)# int vlan 50
SW3(config-if)# ip pim sparse-mode
SW3(config-if)# exit
SW3(config)# ip pim rp-address 130.100.100.1

SW4(config)# ip multicast-routing distributed
SW4(config)# interface vlan 100
SW4(config-if)# ip pim sparse-mode
SW4(config-if)# ip igmp join-group 226.2.2.2
SW4(config-if)# exit
SW4(config)# ip pim rp-address 130.100.100.1

Example 3-24 details the testing for the solution; the MDT tunnel is detailed and shown as an interface used for PIM adjacency between the PE routers. If you have configured your solution per Example 3-24 and can successfully ping between Switch 3 and Switch 4, you have scored 10 points.

Example 3-24 Multicast Testing

R6# show ip pim vrf RED neigh
PIM Neighbor Table
Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
      S - State Refresh Capable

100.2 Type escape sequence to abort.100.2. v2.1.100.2.6.1 Next 120.2 Type escape sequence to abort.1 100.2. Make sure that your loopback IPv6 addresses are used to source any locally generated IPv6 traffic.0.2.100.1 v2 1 / S Interface GigabitEthernet0/1.0. expires never R1# show ip pim mdt bgp Peer (Route Distinguisher + IPv4) Hop MDT group 232. timeout is 2 seconds: Reply to request 0 from 130. v2.2. Next 120.40. 12 ms SW3# ping 226. Sending 1.2.2.1.100.1.2. 9 ms SW3# show ip pim rp Group: 226.2.2 DR S 120.1.100.100 Uptime/Expires 00:02:08/00:01:34 v2 Tunnel1 1 / 00:00:05/00:01:39 R1# ping vrf RED 226. and implement IPv6 over MPLS between the six PE routers to advertise the prefixes between six PEs.100. RP: 130.Neighbor Ver DR Address Prio/Mode 130.100.2.100. 100-byte ICMP Echos to 226.2.2.0. timeout is 2 seconds: Reply to request 0 from 130. Section 9: IPv6 (6 Points) Configure the following IPv6 address on the PE routers R1 and R6. (6 points) R1 Lo0 2010:C15:C0:1::1/64 R1 Gi0/0.2. RP: 130.100.11 2:65001:200:120.10 2010:C15:C0:11::1/64 R6 Lo0 2010:C15:C0:6::1/64 .0.2.1.1.1 R6# show ip pim mdt bgp Peer (Route Distinguisher + IPv4) Hop MDT group 232.2.6. uptime 00:00:37.0. expires never Group: 224.100. Sending 1.100. 100-byte ICMP Echos to 226.11 2:65001:200:120.100. uptime 01:01:24.1 100.

R6 Gi0/1.20 2010:C15:C0:62::1/64

In this relatively straightforward IPv6 question, you must deal with no IPv6 redistribution or complex issues. IPv6 over MPLS backbones enables isolated IPv6 domains to communicate with each other over an MPLS IPv4 core network. The question directs you to configure IPv6 onto your VRF BLUE interfaces of the PE routers. You would usually extend this IPv6 domain into your CE devices. MP-BGP is used to advertise the IPv6 prefixes between PE routers. The configuration is nearly identical to that of IPv4. IPv6 routing and IPv6 CEF must be enabled on your PE routers.

To ensure that the loopback IPv6 addresses of the PE routers are used to source locally generated IPv6 traffic, the PE routers are configured with mpls ipv6 source-interface Loopback0. Aggregate label binding and advertisement is enabled for IPv6 prefixes using the neighbor send-label command. Connected IPv6 routes are redistributed using BGP with the network command under the IPv6 address family. If you have configured your routers correctly, per Example 3-25, you have scored 6 points.

Example 3-25 PE IPv6 Configuration and Verification

R1(config)# ipv6 unicast-routing
R1(config)# ipv6 cef
R1(config)# mpls ipv6 source-interface Loopback0
R1(config)# interface loopback0
R1(config-if)# ipv6 add 2010:C15:C0:1::1/64
R1(config-if)# interface GigabitEthernet0/0.10
R1(config-subif)# ipv6 address 2010:C15:C0:11::1/64
R1(config-subif)# router bgp 65001
R1(config-router)# no bgp default ipv4-unicast
R1(config-router)# address-family ipv6
R1(config-router-af)# neighbor 120.100.6.1 activate
R1(config-router-af)# neighbor 120.100.6.1 send-label
R1(config-router-af)# network 2010:C15:C0:11::0/64
R1(config-router-af)# network 2010:C15:C0:1::/64
R1(config-router-af)# exit-address-family

R6(config)# ipv6 unicast-routing
R6(config)# ipv6 cef
R6(config)# mpls ipv6 source-interface Loopback0
R6(config)# interface loopback0
R6(config-if)# ipv6 add 2010:C15:C0:6::1/64
R6(config-if)# interface GigabitEthernet0/1.20
R6(config-subif)# ipv6 address 2010:C15:C0:62::1/64
R6(config-subif)# router bgp 65001
R6(config-router)# no bgp default ipv4-unicast
R6(config-router)# address-family ipv6
R6(config-router-af)# neighbor 120.100.1.1 activate
R6(config-router-af)# neighbor 120.100.1.1 send-label
R6(config-router-af)# network 2010:C15:C0:62::/64
R6(config-router-af)# network 2010:C15:C0:6::/64
R6(config-router-af)# exit-address-family

R1# show ip bgp ipv6 unicast
BGP table version is 5, local router ID is 120.100.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network              Next Hop             Metric LocPrf Weight Path
*> 2010:C15:C0:1::/64   ::                        0         32768 i
*>i2010:C15:C0:6::/64   ::FFFF:120.100.6.1        0    100      0 i
*> 2010:C15:C0:11::/64  ::                        0         32768 i
*>i2010:C15:C0:62::/64  ::FFFF:120.100.6.1        0    100      0 i
R6# show ip bgp ipv6 unicast
BGP table version is 5, local router ID is 120.100.6.1
Status codes: s suppressed, d damped, h history, * valid, > best, i internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network              Next Hop             Metric LocPrf Weight Path
*>i2010:C15:C0:1::/64   ::FFFF:120.100.1.1        0    100      0 i
*> 2010:C15:C0:6::/64   ::                        0         32768 i
*>i2010:C15:C0:11::/64  ::FFFF:120.100.1.1        0    100      0 i
*> 2010:C15:C0:62::/64  ::                        0         32768 i
R1# ping ipv6 2010:C15:C0:62::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2010:C15:C0:62::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/12 ms
R1# ping ipv6 2010:C15:C0:6::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2010:C15:C0:6::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/12 ms
R6# ping ipv6 2010:C15:C0:11::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2010:C15:C0:11::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/12 ms
R6# ping ipv6 2010:C15:C0:1::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2010:C15:C0:1::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/12 ms
R1# show ipv6 route
IPv6 Routing Table - 8 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
C   2010:C15:C0:1::/64 [0/0]
     via ::, Loopback0
L   2010:C15:C0:1::1/128 [0/0]
     via ::, Loopback0
B   2010:C15:C0:6::/64 [200/0]
     via ::FFFF:120.100.6.1, IPv6-mpls
C   2010:C15:C0:11::/64 [0/0]
     via ::, GigabitEthernet0/0.10
L   2010:C15:C0:11::1/128 [0/0]
     via ::, GigabitEthernet0/0.10
B   2010:C15:C0:62::/64 [200/0]
     via ::FFFF:120.100.6.1, IPv6-mpls
L   FE80::/10 [0/0]
     via ::, Null0
L   FF00::/8 [0/0]
     via ::, Null0
R6# show ipv6 route
IPv6 Routing Table - 8 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
B   2010:C15:C0:1::/64 [200/0]
     via ::FFFF:120.100.1.1, IPv6-mpls
C   2010:C15:C0:6::/64 [0/0]
     via ::, Loopback0
L   2010:C15:C0:6::1/128 [0/0]
     via ::, Loopback0
B   2010:C15:C0:11::/64 [200/0]
     via ::FFFF:120.100.1.1, IPv6-mpls
C   2010:C15:C0:62::/64 [0/0]
     via ::, GigabitEthernet0/1.10
L   2010:C15:C0:62::1/128 [0/0]
     via ::, GigabitEthernet0/1.20
L   FE80::/10 [0/0]
     via ::, Null0
L   FF00::/8 [0/0]
     via ::, Null0

Section 10: QoS (7 Points)

Create the following QoS profile on your PE router R1 for traffic egressing to your CE device connected to the BLUE VRF. Ensure that voice traffic is assigned to an LLQ. Use an appropriate method of prioritizing DSCP traffic so that AF31 packets are statistically dropped more frequently than AF32 during congestion and reduce the effects of TCP global synchronization within your Mission-Critical class and solely reduce the effect of TCP global synchronization within the Default class. The total bandwidth between the PE to CE should be shaped to 1 Mbps. (4 points)

This is a three-class PE-to-CE QoS question that requires assigning traffic to queues based on DSCP values into the listed classes and assignment of bandwidth on a per-class basis. HQF Multiple Policy Support is required for the question with a parent policy shaping the output of the PE to the CE at 1 Mbps. The child policy map is called from within the parent policy to provide the QoS for Voice, Mission-Critical, and Default traffic. Voice traffic is assigned into the LLQ by configuration of a priority queue with the command priority percent 35. DSCP prioritization is achieved in the Mission-Critical class by enabling WRED with the random-detect dscp-based command, whereby lower-priority DSCP traffic will be dropped more aggressively than higher priority under congestion, thus reducing the effect of global synchronization. A similar non-DSCP-based effect is achieved within the Default class by use of the random-detect command. The parent policy map is applied outbound on the PE interface connecting to the BLUE VRF CE device. Example 3-26 details the required configuration on PE router R1. If you have configured this correctly, you have scored 4 points.

Example 3-26 PE to CE QoS Configuration

R1(config)# class-map match-any VOICE
R1(config-cmap)# match ip dscp ef
R1(config-cmap)# match ip dscp cs5
R1(config-cmap)# class-map match-any MISSION-CRITICAL
R1(config-cmap)# match ip dscp cs6
R1(config-cmap)# match ip dscp af31
R1(config-cmap)# match ip dscp af32
R1(config-cmap)# match ip dscp cs3
R1(config-cmap)# policy-map PE-CE-CHILD
R1(config-pmap)# class VOICE
R1(config-pmap-c)# priority percent 35
R1(config-pmap-c)# class MISSION-CRITICAL
R1(config-pmap-c)# bandwidth percent 40
R1(config-pmap-c)# random-detect dscp-based
R1(config-pmap-c)# class class-default
R1(config-pmap-c)# bandwidth percent 25
R1(config-pmap-c)# random-detect
R1(config-pmap-c)# exit
R1(config-cmap)# policy-map PE-CE-PARENT
R1(config-pmap-c)# class class-default
R1(config-pmap-c)# shape average 1000000
R1(config-pmap-c)# service-policy PE-CE-CHILD
R1(config-pmap-c)# exit
R1(config-pmap)# exit
R1(config)# interface GigabitEthernet0/0.10
R1(config-subif)# service-policy output PE-CE-PARENT

Create the following QoS profile on your PE router R1 for traffic ingressing from your CE device connected to the BLUE VRF into the MPLS network. Traffic in the Voice class within the detailed CIR should have the MPLS EXP set to 5 and above discarded. Traffic in the Mission-Critical class within the detailed CIR should have the MPLS EXP set to 3 and above set to 7. Traffic in the Default class within the detailed CIR should have the MPLS EXP set to 0 and above set to 4. The total aggregate speed from the CE to PE should be restricted to 1 Mbps. (3 points)

This DiffServ tunneling question requires that the classes you have configured in the previous question be policed to an aggregate of 1 Mbps and have their MPLS EXP values adjusted. The policy map is applied to the input interface of the PE router, which connects to the BLUE VRF CE device and affects the traffic as it flows through the MPLS network. Example 3-27 details the required configuration on PE router R1. If you have configured this correctly, you have scored 3 points.

Example 3-27 CE to PE QoS Configuration

R1(config)# policy-map CE-PE-SHAPE
R1(config-pmap)# class VOICE
R1(config-pmap-c)# police cir 350000
R1(config-pmap-c-police)# conform-action set-mpls-exp-topmost-transmit 5
R1(config-pmap-c-police)# exceed-action drop
R1(config-pmap-c-police)# class MISSION-CRITICAL
R1(config-pmap-c)# police cir 400000
R1(config-pmap-c-police)# conform-action set-mpls-exp-topmost-transmit 3
R1(config-pmap-c-police)# exceed-action set-mpls-exp-topmost-transmit 7
R1(config-pmap-c-police)# class class-default
R1(config-pmap-c)# police cir 250000
R1(config-pmap-c-police)# conform-action set-mpls-exp-topmost-transmit 0
R1(config-pmap-c-police)# exceed-action set-mpls-exp-topmost-transmit 4
R1(config-pmap-c-police)# interface GigabitEthernet0/0.10
R1(config-subif)# service-policy input CE-PE-SHAPE

Section 11: Security (15 Points)

Create three new loopback IP addresses of loopback1 on R4, R5, and R6; use IP addresses of 4.4.4.4/24, 5.5.5.5/24, and 6.6.6.6/24, respectively. Use EIGRP with a named virtual instance of VPN and autonomous system of 1 to advertise the loopback networks between routers over a common GRE tunnel network of 100.100.100.X/24 (X = router number) sourced from each router’s common Ethernet interface, using IPsec to encrypt all traffic between the loopback networks using a preshared ISAKMP key of CCIE. Use an IPsec transform set of esp-des esp-md5-hmac on each router. Use an MTU of 1416 for your secure traffic, an NHRP timeout of 100 seconds for spoke replies, and a delay of 2 milliseconds on the tunnel network. NHRP should be authenticated with a password of SECRET. R6 is to be a hub router, with R4 and R5 being effectively spoke routers in your solution. The hub router should provide all necessary direct next-hop information to the spoke routers when they are required to communicate between themselves. Spoke routers must communicate with each other directly using dynamic IPsec connections with the aid of NHRP at the hub, whereas hub-to-spoke IPsec connections should be permanent. You are not permitted to enable EIGRP on your Ethernet interfaces between routers. Test your solution by extended pings sourced from the configured loopback interfaces. (10 points)

This is a classic Dynamic Multipoint VPN (DMVPN) question in which a hub-and-spoke design is used with Next Hop Resolution Protocol (NHRP) for the spoke routers to communicate with each other. You have numerous tasks to perform, so this could be the kind of question that is best saved until later and tackled if you have time. The question dictates that you configure a tunnel network 100.100.100.0/24 in which to advertise each router’s new loopback network over GRE and EIGRP sourced from the common Ethernet interfaces, which is uncomplicated. The complexity begins when you enable IPsec and NHRP. The tunnel source of each router is the common Ethernet network 120.100.45.0. The MTU is fixed at 1416 as directed within the question on the tunnel interfaces to allow for overhead of the VPN connection. NHRP is enabled on the tunnel interface of each router with an identical network ID to match the broadcast domain for all three routers, and the authentication password is set to SECRET as directed within the question. The ip nhrp holdtime 100 command sets the NHRP time for a spoke to keep the NHRP reply to 100 seconds and is configured on the hub-and-spoke routers. The command ip nhrp map multicast dynamic permits the registration of the multicast address for EIGRP during boot or during initiation of spoke-to-hub sessions. Because the spoke routers will terminate their connection to the hub on the same interface, the tunnel mode must be set to tunnel mode gre multipoint. A delay of 2000 is configured on each tunnel interface as directed in the question, which is 2 milliseconds, so be aware of the unit values, which are microseconds. The crypto isakmp policy command configures the preshared key to CCIE and sets the transform set with the required parameters of esp-des esp-md5-hmac, which are applied to the tunnel interface by the use of the tunnel protection ipsec profile IPSEC command. The required configuration for the loopback and tunnel interfaces and the DMVPN is detailed in Example 3-28.

Example 3-28 DMVPN Configuration

R4(config)# interface loopback1
R4(config-if)# ip add 4.4.4.4 255.255.255.0
R4(config-if)# router eigrp VPN
R4(config-router)# address-family ipv4 autonomous-system 1
R4(config-router-af)# network 100.100.100.0 0.0.0.255
R4(config-router-af)# network 4.4.4.0 0.0.0.255
R5(config)# interface loopback1
R5(config-if)# ip address 5.5.5.5 255.255.255.0
R5(config-if)# router eigrp VPN
R5(config-router)# address-family ipv4 autonomous-system 1
R5(config-router-af)# network 100.100.100.0 0.0.0.255
R5(config-router-af)# network 5.5.5.0 0.0.0.255
R6(config)# interface loopback1
R6(config-if)# ip address 6.6.6.6 255.255.255.0
R6(config-if)# router eigrp VPN

R6(config-router)# address-family ipv4 autonomous-system 1
R6(config-router-af)# network 100.100.100.0 0.0.0.255
R6(config-router-af)# network 6.6.6.0 0.0.0.255
R6(config)# crypto isakmp policy 1
R6(config-isakmp)# authentication pre-share
R6(config-isakmp)# crypto isakmp key CCIE address 0.0.0.0
R6(config-isakmp)# crypto ipsec transform-set DMVPN esp-des esp-md5-hmac
R6(cfg-crypto-trans)# crypto ipsec profile IPSEC
R6(ipsec-profile)# set transform-set DMVPN
R6(ipsec-profile)# interface Tunnel1
R6(config-if)# ip address 100.100.100.6 255.255.255.0
R6(config-if)# ip mtu 1416
R6(config-if)# ip nhrp authentication SECRET
R6(config-if)# ip nhrp map multicast dynamic
R6(config-if)# ip nhrp network-id 10
R6(config-if)# ip nhrp holdtime 100
R6(config-if)# delay 2000
R6(config-if)# tunnel source gig 0/0
R6(config-if)# tunnel mode gre multipoint
R6(config-if)# tunnel key 1
R6(config-if)# tunnel protection ipsec profile IPSEC
R4(config)# crypto isakmp policy 1
R4(config-isakmp)# authentication pre-share
R4(config-isakmp)# crypto isakmp key CCIE address 0.0.0.0
R4(config-isakmp)# crypto ipsec transform-set DMVPN esp-des esp-md5-hmac
R4(cfg-crypto-trans)# crypto ipsec profile IPSEC
R4(ipsec-profile)# set transform-set DMVPN
R4(ipsec-profile)# interface Tunnel0
R4(config-if)# ip address 100.100.100.4 255.255.255.0
R4(config-if)# ip mtu 1416
R4(config-if)# ip nhrp authentication SECRET
R4(config-if)# ip nhrp map 100.100.100.6 120.100.45.6
R4(config-if)# ip nhrp map multicast 120.100.45.6
R4(config-if)# ip nhrp network-id 10
R4(config-if)# ip nhrp holdtime 100
R4(config-if)# ip nhrp nhs 100.100.100.6
R4(config-if)# delay 2000
R4(config-if)# tunnel source gig 0/0
R4(config-if)# tunnel mode gre multipoint
R4(config-if)# tunnel key 1
R4(config-if)# tunnel protection ipsec profile IPSEC
R5(config)# crypto isakmp policy 1
R5(config-isakmp)# authentication pre-share
R5(config-isakmp)# crypto isakmp key CCIE address 0.0.0.0
R5(config-isakmp)# crypto ipsec transform-set DMVPN esp-des esp-md5-hmac
R5(cfg-crypto-trans)# crypto ipsec profile IPSEC
R5(ipsec-profile)# set transform-set DMVPN
R5(ipsec-profile)# interface Tunnel0
R5(config-if)# ip address 100.100.100.5 255.255.255.0
R5(config-if)# ip mtu 1416
R5(config-if)# ip nhrp authentication SECRET
R5(config-if)# ip nhrp map 100.100.100.6 120.100.45.6
R5(config-if)# ip nhrp map multicast 120.100.45.6
R5(config-if)# ip nhrp network-id 10
R5(config-if)# ip nhrp holdtime 100
R5(config-if)# ip nhrp nhs 100.100.100.6
R5(config-if)# delay 2000
R5(config-if)# tunnel source gig 0/0
R5(config-if)# tunnel mode gre multipoint
R5(config-if)# tunnel key 1
R5(config-if)# tunnel protection ipsec profile IPSEC

Example 3-29 details the EIGRP routes received on all routers. As you can see, the hub router shows both spoke networks, yet each spoke router discovers only the hub network; this is a classic split-horizon issue. The hub router R6 must be configured to disable the split-horizon behavior to ensure that the spoke routers receive each other’s routes. However, the question dictates that spoke routers should be able to communicate “directly.” As shown in Example 3-29, the next hop for spoke networks show as the hub router 100.100.100.6 for each spoke network. The command no next-hop-self on the hub router R6 ensures that the spoke routers are used as next hops when spoke-to-spoke communication is required, and this will enable the dynamic IPsec peering between spokes as directed in the question.

Example 3-29 DMVPN Spoke-to-Spoke Routing

R4# show ip route eigrp
6.0.0.0/24 is subnetted, 1 subnets
D  6.6.6.0 [90/285084416] via 100.100.100.6, 00:03:06, Tunnel0
R5# show ip route eigrp
6.0.0.0/24 is subnetted, 1 subnets
D  6.6.6.0 [90/285084416] via 100.100.100.6, 00:01:02, Tunnel0
R6# show ip route eigrp
4.0.0.0/24 is subnetted, 1 subnets
D  4.4.4.0 [90/285084416] via 100.100.100.4, 00:02:42, Tunnel0
5.0.0.0/24 is subnetted, 1 subnets
D  5.5.5.0 [90/285084416] via 100.100.100.5, 00:00:50, Tunnel0
! R6 has both spoke routes yet each spoke (R4 and R5) only have the hub network route,
! a classic split horizon issue.
R6(config)# router eigrp VPN
R6(config-router)# address-family ipv4 autonomous-system 1

R6(config-router-af)# af-interface Tunnel0
R6(config-router-af-interface)# no split-horizon
R4# show ip route eigrp
5.0.0.0/24 is subnetted, 1 subnets
D  5.5.5.0 [90/285596416] via 100.100.100.6, 00:00:22, Tunnel0
6.0.0.0/24 is subnetted, 1 subnets
D  6.6.6.0 [90/285084416] via 100.100.100.6, 00:04:14, Tunnel0
R5# show ip route eigrp
4.0.0.0/24 is subnetted, 1 subnets
D  4.4.4.0 [90/285596416] via 100.100.100.6, 00:00:33, Tunnel0
6.0.0.0/24 is subnetted, 1 subnets
D  6.6.6.0 [90/285084416] via 100.100.100.6, 00:02:20, Tunnel0
R5#
! The next-hop for spoke to spoke routes shows as the hub router (100.100.100.6) yet
! the question states traffic must flow directly between spokes so the next-hop must
! be modified
R6(config)# router eigrp VPN
R6(config-router)# address-family ipv4 autonomous-system 1
R6(config-router-af)# af-interface Tunnel1
R6(config-router-af-interface)# no next-hop-self
R4# show ip route eigrp
5.0.0.0/24 is subnetted, 1 subnets
D  5.5.5.0 [90/285596416] via 100.100.100.5, 00:00:28, Tunnel0
6.0.0.0/24 is subnetted, 1 subnets
D  6.6.6.0 [90/285084416] via 100.100.100.6, 00:00:29, Tunnel0
R5# show ip route eigrp
4.0.0.0/24 is subnetted, 1 subnets
D  4.4.4.0 [90/285596416] via 100.100.100.4, 00:00:39, Tunnel0
6.0.0.0/24 is subnetted, 1 subnets
D  6.6.6.0 [90/285084416] via 100.100.100.6, 00:00:39, Tunnel0

Example 3-30 shows the ISAKMP IPsec connection on spoke Router R5 to the hub. To bring up
a dynamic ISAKMP IPsec connection to the other spoke router R4, an extended ping is required
from loopback interface to loopback interface.
This question was extremely complex and is the reason why it was weighted so heavily. You had
multiple items to configure within the standard DMVPN solution, such as split horizon. It should
make you realize the importance of reading the question a number of times and taking the time to
test your configurations to ensure that you have successfully answered the question. If you have
configured your routers correctly, as detailed in Examples 3-29 and 3-30, congratulations, and
you have earned a hefty 10 points.
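
The parameters this lab mandates in Example 3-28 (DES, HMAC-MD5, a preshared key accepted from address 0.0.0.0, and an ISAKMP policy that sets only the authentication method) are the ones a configuration review would flag on a production DMVPN. The following added example, which is not part of the lab solution, audits a saved configuration for them and traces which tunnel interfaces inherit the weak transform set; the rule names, the weak-transform list, and the hardened comparison configuration are assumptions made for the illustration.

```python
import re

# Constructed input: R4's crypto and tunnel commands from Example 3-28 (abridged).
LAB_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key CCIE address 0.0.0.0
crypto ipsec transform-set DMVPN esp-des esp-md5-hmac
crypto ipsec profile IPSEC
 set transform-set DMVPN
interface Tunnel0
 ip nhrp authentication SECRET
 tunnel mode gre multipoint
 tunnel protection ipsec profile IPSEC
"""

# Constructed comparison (assumption, not from the lab); <key-...> are placeholders.
HARDENED_CONFIG = """\
crypto isakmp policy 1
 encryption aes 256
 hash sha256
 group 14
 authentication pre-share
crypto isakmp key <key-hub> address 120.100.45.6
crypto isakmp key <key-spoke> address 120.100.45.5
crypto ipsec transform-set DMVPN esp-aes 256 esp-sha256-hmac
crypto ipsec profile IPSEC
 set transform-set DMVPN
interface Tunnel0
 ip nhrp authentication SECRET
 tunnel mode gre multipoint
 tunnel protection ipsec profile IPSEC
"""

WEAK_TRANSFORMS = {"esp-des", "esp-null", "esp-md5-hmac", "ah-md5-hmac"}


def parse_blocks(text):
    """Group config lines into [header, children] pairs by indentation."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append([raw.strip(), []])
    return blocks


def audit(text):
    """Return sorted (rule, subject) findings for a DMVPN crypto config."""
    blocks, findings = parse_blocks(text), set()
    weak_sets, profiles = set(), {}
    for header, children in blocks:
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", header)
        if m:
            for t in m.group(2).split():
                if t in WEAK_TRANSFORMS:
                    weak_sets.add(m.group(1))
                    findings.add(("weak-transform", f"{m.group(1)}:{t}"))
        m = re.match(r"crypto ipsec profile (\S+)", header)
        if m:
            sets = [c.split()[2:] for c in children if c.startswith("set transform-set ")]
            profiles[m.group(1)] = sum(sets, [])
        if re.match(r"crypto isakmp key \S+ address 0\.0\.0\.0\b", header):
            findings.add(("wildcard-psk", "0.0.0.0"))
        m = re.match(r"crypto isakmp policy (\d+)", header)
        if m:
            words = [c.split()[0] for c in children]  # may be abbreviated (encr)
            for kw in ("encryption", "hash", "group"):
                if not any(len(w) >= 3 and kw.startswith(w) for w in words):
                    findings.add(("isakmp-default", f"policy {m.group(1)}:{kw}"))
    # Second pass: follow tunnel -> profile -> transform-set references.
    for header, children in blocks:
        if not header.startswith("interface Tunnel"):
            continue
        name = header.split()[1]
        used = [c.split()[-1] for c in children
                if c.startswith("tunnel protection ipsec profile ")]
        if not used and any(c.startswith("ip nhrp ") for c in children):
            findings.add(("nhrp-unprotected", name))
        for prof in used:
            for ts in profiles.get(prof, []):
                if ts in weak_sets:
                    findings.add(("tunnel-inherits-weak", f"{name}->{prof}->{ts}"))
    return sorted(findings)


if __name__ == "__main__":
    for rule, subject in audit(LAB_CONFIG):
        print(f"{rule:22}{subject}")
    print("hardened:", audit(HARDENED_CONFIG))
```

An isakmp-default finding means the policy leaves that parameter to the platform default, so the negotiated strength depends on the software release rather than on the configuration.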

Example 3-30 DMVPN Spoke-to-Spoke Testing

R5# show crypto map
Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
Profile name: IPSEC
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
DMVPN,
}
Crypto Map "Tunnel0-head-0" 65537 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 120.100.45.6
Extended IP access list
access-list permit gre host 120.100.45.5 host 120.100.45.6
Current peer: 120.100.45.6
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
DMVPN,
}
Interfaces using crypto map Tunnel0-head-0:
Tunnel0
R5# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
120.100.45.6    120.100.45.5    QM_IDLE           4001    0 ACTIVE

IPv6 Crypto ISAKMP SA
! R5 spoke router only has a connection to the hub router. An extended ping sourced
! from the loopback interface of one spoke to another is required to bring up the
! dynamic spoke to spoke connection.
R5# ping
Protocol [ip]:
Target IP address: 4.4.4.4
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 5.5.5.5
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 5.5.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R5# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
120.100.45.5    120.100.45.4    QM_IDLE           4002    0 ACTIVE
120.100.45.6    120.100.45.5    QM_IDLE           4001    0 ACTIVE

IPv6 Crypto ISAKMP SA

Following on from the previous question, add R2 into the common GRE tunnel network
as a spoke router using identical security parameters as used on R4 and R5, ensuring it
receives routes from R4, R5, and R6 using the same common EIGRP parameters. The
source interface for the tunnel configuration on R2 should be Fast Ethernet 1/1, and the
destination should be the Gigabit Ethernet 0/0 interface of R6. Add new Loopback 2
identical IP addresses of 45.45.45.45/24 on both R4 and R5 and advertise this identical
network from R4 and R5 to the hub router R6 on the common GRE tunnel interface.
Configure R6 to advertise both destinations (R4 and R5) to spoke router R2 for network
45.45.45.0/24 in EIGRP over the common GRE tunnel network. (3 points)
Adding R2 as an additional spoke router into the DMVPN network is a relatively simple task if
you were successful with the previous question; it is simply a spoke repetition task. R4 and R5
are configured with a new Loopback 2 interface with an identical IP address of 45.45.45.45/24.
This network is then advertised within EIGRP over the DMVPN toward the preconfigured hub
router R6. Example 3-31 shows the required configuration on R2, R4, and R5 and the resulting
route advertisements for the new network on R4 and R5 successfully received on R6 and R2.
Example 3-31 DMVPN R2, R4, and R5 Configuration and Verification

R2(config-if)# router eigrp VPN
R2(config-router)# address-family ipv4 autonomous-system 1
R2(config-router-af)# network 100.100.100.0 0.0.0.255
R2(config-router-af)# exit-address-family
R2(config-router)# crypto isakmp policy 1
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# crypto isakmp key CCIE address 0.0.0.0
R2(config-isakmp)# crypto ipsec transform-set DMVPN esp-des esp-md5-hmac
R2(cfg-crypto-trans)# crypto ipsec profile IPSEC
R2(ipsec-profile)# set transform-set DMVPN
R2(ipsec-profile)# interface Tunnel0
R2(config-if)# ip address 100.100.100.2 255.255.255.0
R2(config-if)# ip mtu 1416
R2(config-if)# ip nhrp authentication SECRET
R2(config-if)# ip nhrp map 100.100.100.6 120.100.45.6
R2(config-if)# ip nhrp map multicast 120.100.45.6
R2(config-if)# ip nhrp network-id 10
R2(config-if)# ip nhrp holdtime 100
R2(config-if)# ip nhrp nhs 100.100.100.6
R2(config-if)# delay 2000
R2(config-if)# tunnel source fastethernet0/1
R2(config-if)# tunnel mode gre multipoint
R2(config-if)# tunnel key 1
R2(config-if)# tunnel protection ipsec profile IPSEC
R4(config)# interface loopback2
R4(config-if)# ip add 45.45.45.45 255.255.255.0
R4(config-if)# router eigrp VPN
R4(config-router)# address-family ipv4 autonomous-system 1
R4(config-router-af)# network 45.45.45.0 0.0.0.255
R5(config)# interface loopback2
R5(config-if)# ip add 45.45.45.45 255.255.255.0
R5(config-if)# router eigrp VPN
R5(config-router)# address-family ipv4 autonomous-system 1
R5(config-router-af)# network 45.45.45.0 0.0.0.255
R6# show ip route eigrp
4.0.0.0/24 is subnetted, 1 subnets
D  4.4.4.0 [90/61440640] via 100.100.100.4, 00:00:16, Tunnel0
5.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D  5.5.5.0/24 [90/61440640] via 100.100.100.5, 00:00:16, Tunnel0
45.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D  45.45.45.0/24 [90/61440640] via 100.100.100.5, 00:01:10, Tunnel0
                 [90/61440640] via 100.100.100.4, 00:01:10, Tunnel0
R2# show ip route eigrp
4.0.0.0/24 is subnetted, 1 subnets
D  4.4.4.0 [90/71680640] via 100.100.100.4, 00:01:40, Tunnel0
5.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D  5.5.5.0/24 [90/71680640] via 100.100.100.5, 00:01:40, Tunnel0
6.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D  6.6.6.0/24 [90/61440640] via 100.100.100.6, 00:07:05, Tunnel0
45.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

0/24 [90/71680640] via 100.45.45. you have scored 2 points. Example 3-32 DMVPN R2.0 [90/71680640] via 100. This is the default behavior of the hub router R6 when a hub has more than one path (with the same metric but through different spokes) to reach the same network.0/24 [90/71680640] via 100. R4.0/24 is subnetted. Tunnel0 6.5.6.D Tunnel0 45.5. Tunnel0 45.0. the decimal conversion is 32 + 16 + 1 = 49. If you have configured this correctly.0.100.0/8 is variably subnetted.0. 2 subnets. thereby allowing load balancing and path redundancy. 2 subnets. hubs can advertise up to four additional best paths to connected spokes.45.100. 00:01:22. the command add-paths 2 under the Tunnel 0 interface of the EIGRP af-interface section ensures that the spoke router R2 receives both paths to network 45. Tunnel0 The network manager of your network cannot justify a full security implementation but wants to implement a solution that provides only a password prompt from R1 when the keyboard entry 1 is entered on the console port (as opposed to the normal CR/Enter key).100. In this instance. With Add Path Support in EIGRP. you have scored 3 points.45.45.4. This is a nasty question because the CLI entry requires an ASCII entry. This is good question on which to use the (?) on the CLI for clues and your documentation CD or search facility in the lab if you were not aware of this feature.100.6.100.0/8 is variably subnetted. and R5 Configuration and Verification Click here to view code image R6(config)# router eigrp VPN R6(config-router)# address-family ipv4 autonomous-system 1 R6(config-router-af)# af-interface Tunnel0 R6(config-router-af-interface)# add-paths 2 R2# show ip route eigrp 4. .0/24 [90/61440640] via 100. If you have configured this correctly per Example 3-33.100.0/24 through R4 and R5.100.100.4.4.100. EIGRP advertises only one path as the best path to connected spokes. (2 points) This question makes use of the activation-character command on the console port. 
1 subnets D 4.45.0.0.45. You would need to search to discover that ASCII numeric figures (0 to 9) are prefixed by the binary value of 0011. 2 masks D 6.100.6.4. 2 subnets. 2 masks D 45.0. 2 masks D 5. as shown in Example 332.45. 00:01:14.0. Tunnel0 5. Therefore.5.0/24 [90/71680640] via 100.4. Tunnel0 [90/61440640] via 100. 00:03:39.0/8 is variably subnetted.100.0/24 is shown in the routing table of R2. Configure R1 appropriately.100. 00:01:16.0.5. 00:01:16. so a value of 1 (0001) would be 00110001. Example 3-32 shows that only a single route for network 45. 00:01:16.

Example 3-33 R1 Console Activation-Character Configuration

R1(config)# line con 0
R1(config-line)# activation-character ?
CHAR or <0-127> Activation character or its decimal equivalent
R1(config-line)# activation-character 49

Lab 3 Wrap-Up

So, how did it go? Did you run out of time? Did you manage to finish but miss what was actually required? If you scored over 80, well done. If you accomplished this within 8 hours or less, you will be prepared for any scenario that you are likely to face during the 5.5 hours of the Configuration section of the actual exam. Remember that the Troubleshooting section on the v5.0 exam is a separate section from the Configuration section and has a different scenario. You will have 2 hours to complete the Troubleshooting section. This lab was designed to ensure that you troubleshoot your own work as you progress through the questions. Did you manage to configure items such as disabling split horizon for DMVPN and the area ID for OSPF? This attention to detail and complete understanding of the protocols will ultimately earn you your number.