Practice Lab 1

The CCIE exam commences with 2 hours of troubleshooting followed by 5 1/2 hours of
configuration and a final 30 minutes of additional questions. This lab consists of 100 points and
has been timed to last for 8 hours of configuration and self-troubleshooting, so aim to complete
the lab within this period. Then either score yourself at this point or continue until you believe
you have met all the objectives. You will now be guided through the equipment requirements and
pre-lab tasks in preparation for taking this practice lab.
If you do not own six routers and four switches, consider using the equipment available and
additional lab exercises and training facilities available within the CCIE R&S 360 program. You
can find detailed information on the 360 program and CCIE R&S exam on the following URLs,
respectively:
https://learningnetwork.cisco.com/community/learning_center/cisco_360/360-rs
https://learningnetwork.cisco.com/community/certifications/ccie_routing_switching

Equipment List
You need the following hardware and software components to begin this practice lab:
Six routers loaded with Cisco IOS Software Release 15.3T Advanced Enterprise image
and the minimum interface configuration, as documented in Table 1-1
Four 3560X switches with IOS 15.0S IP Services

Setting Up the Lab 1
You can use any combination of routers as long as you fulfill the requirements within the
topology diagram, as shown in Figure 1-1. However, you should use the same model of routers
because this can make life easier if you load configurations directly from those supplied with
your own devices. If your router interface speeds do not match those used in this lab, consider
reconfiguring the bandwidth statement accordingly to provide symmetry with the routing
protocol metrics.

Figure 1-1 Lab Topology

Note
The CCIE Assessor topology version B is used for this lab. Additional
interfaces available on the Assessor that are not required for this lab were
omitted from Figure 1-1. If you are not using the CCIE Assessor, use Figure
1-1 and Figure 1-4 to determine how many interfaces you need to complete
your own topology.

Note
Notice in the initial configurations supplied that some interfaces will not have
IP address preconfigured. This is because you either will not be using that
interface or you need to configure this interface from default within the
exercise. The initial configurations supplied should be used to preconfigure
your routers and switch before the lab starts.
If your routers have different interface speeds than those used within this
book, adjust the bandwidth statements on the relevant interfaces to keep all
interface speeds in line. This can ensure that you do not get unwanted
behavior due to differing IGP metrics.

Lab Topology
This practice lab uses the topology outlined in Figure 1-1, which you must re-create with your
own equipment or by simply using the CCIE Assessor.

Switch Instructions
Configure VLAN assignments from the configurations supplied or from Table 1-2, with the
exception of Switch2 Fa0/4 (which will be configured during the lab).

Table 1-2 VLAN Assignment
Note
Switch 2 will be configured during the actual lab questions for VLAN 45 and
46 interface Fa0/4.
Connect your switches with RJ-45 Ethernet cross-over cables, as shown in Figure 1-2.

Figure 1-2 Switch Cabling

Serial Link
A preconfigured PPP back-to-back serial link exists between R2 and R5, and R2 has been
configured to provide the clocking for the connection in the initial configuration files. Therefore,
R2 should have the DCE serial cable and R5 the DTE serial cable for the back-to-back
connectivity.

IP Address Instructions
In the real CCIE lab, the majority of your IP addresses will be preconfigured. For this exercise,
however, you are required to configure your IP addresses, as shown in Figure 1-3, or load the
initial router configurations supplied. If you are manually configuring your equipment, ensure
that you include the following loopback addresses:
R1 Lo0 120.100.1.1/24
R2 Lo0 120.100.2.1/24
R3 Lo0 120.100.3.1/24
R4 Lo0 120.100.4.1/24
R5 Lo0 120.100.5.1/24
R6 Lo0 120.100.6.1/24
SW1 Lo0 120.100.7.1/24
SW2 Lo0 120.100.8.1/24
SW3 Lo0 120.100.9.1/24
SW4 Lo0 120.100.10.1/24

Figure 1-3 IP Addressing Diagram

Pre-Lab Tasks
Build the lab topology as per Figure 1-1 and Figure 1-2.
Configure the IP addresses on each router, as shown in Figure 1-3, and add the loopback addresses. Alternatively, you can load the initial configuration files supplied if your router is compatible with those used to create this exercise.
R1 requires a secondary IP address on its Gigabit Ethernet 0/1 interface for this lab; you can find details on the accompanying initial configuration for R1.

General Guidelines
Read the whole lab before you start.
Do not configure any static/default routes unless otherwise specified.
Ensure full IP visibility between routers for ping testing/Telnet access to your devices (except for the switch loopback addresses, which will not be visible to the majority of your network because of the configuration tasks).
If you find yourself running out of time, choose questions that you are confident you can answer; failing this, choose questions with a higher point rating to maximize your potential score.
Get into a comfortable and quiet environment where you can focus for the next 8 hours.
Take a 30-minute break midway through the exercise.
Have available a Cisco documentation CD-ROM or access online the latest documentation from http://www.cisco.com/cisco/web/psa/configure.html. Note that access to this URL is likely to be restricted within the real exam.

Note
Access only this URL, not the whole Cisco.com website (because if you are permitted to use documentation during your CCIE lab exam, it will be restricted). To save time during your lab exam, consider opening several windows with the pages you are likely to look at.

Practice Lab One
You will now answer questions in relation to the network topology, as shown in Figure 1-4.

Figure 1-4 Network Topology for Practice Lab One

Section 1: LAN Switching (25 Points)
Configure your switches as a collapsed backbone network with Switches 1 and 2 performing core and distribution functionality and Switches 3 and 4 as access switches in your topology. Switches 3 and 4 should connect only to the core switches. (2 points)

Switch 1 and 2 should run spanning tree in 802.1w mode. Switches 3 and 4 should operate in their default spanning-tree mode. (2 points)

Configure Switch 1 to be the root bridge and Switch 2 the secondary root bridge for VLANs 1 and 300. Ensure that Switches 3 and 4 can never become root bridges for any VLANs for which Switch 1 and Switch 2 are root bridges, by configuring only Switches 1 and 2. (2 points)

Make sure that you fully use the available bandwidth between switches by grouping together your interswitch links as trunks. Ensure that only dot1q and EtherChannel are supported. (3 points)

Ensure that traffic is distributed on individual Ethernet trunks between switches based on the destination MAC address of individual flows. (2 points)

Ensure that user interfaces, should they toggle excessively, are shut down dynamically by all switches; if they remain stable for 35 seconds, they should be reenabled. Configure Fast Ethernet Port 0/10 on each switch so that if multicast traffic is received on this port the port is automatically disabled. (2 points)

Fast Ethernet Ports 0/11–17 will be used for future connectivity on each switch. Configure these ports as access ports for VLAN 300, which should begin forwarding traffic immediately upon connection. Devices connected to these ports will dynamically receive IP addresses from a DHCP server due to be connected to Port 0/18 on SW1. For security purposes, this is the only port on the network from which DHCP addresses should be allocated. Ensure that the switches intercept the DHCP requests and add the ingress port and VLAN and switch MAC address before sending onward to the DHCP server. Limit DHCP requests to 600 packets per minute per user port. (6 points)

For additional security, ensure that the user ports on Switches 1–4 and 11–17 can communicate only with the network with IP addresses gained from the DHCP feature configured previously. Use a dynamic feature to ensure that the only information forwarded upon connection is DHCP request packets, and then, for additional security, any traffic that matches the DHCP IP information received from the DHCP binding. (3 points)

R5 and R6 have been preconfigured with IP addresses on their Ethernet interfaces. Configure R4 and its associated switch port accordingly without using secondary addressing to communicate with R5 and R6. Configure R4 with an IP address of 120.100.45.4/24 to communicate with R5, and configure R4 with an IP address of 120.100.46.4/24 to communicate with R6. Configure R4 Gi0/1 and Switch 2 FE0/4 only. (3 points)

Section 2: IPv4 IGP Protocols (24 Points)

Section 2.1: OSPF
Refer to Figure 1-5. Use a process ID of 1; all OSPF configuration where possible should not be configured under the process ID. The loopback interfaces of Routers R1, R2, and R3 should be configured to be in Area 0. R4 should be in Area 34 and R5 in Area 5. (2 points)

No loopback networks should be advertised as host routes. (1 point)

Ensure that R1 does not advertise the preconfigured secondary address under interface Gigabit 0/1 of 120.100.100.1/24 to the OSPF network. Do not use any filtering techniques to achieve this. (2 points)

R5 should use the serial link within Area 5 for its primary communication to the OSPF network. If this network should fail either at Layer 1 or Layer 2, R5 should form a neighbor relationship with R4 under Area 5 to maintain connectivity. Your solution should be dynamic, ensuring that while the Area 5 serial link is operational there is no neighbor relationship between R4 and R5; however, the Ethernet interfaces of R4 and R5 must remain up. To confirm the operational status of the serial network, ensure that the serial interface of R5 is reachable by configuration of R5. You are permitted to define neighbor statements between R5 and R4. (4 points)

Figure 1-5 OSPF Topology

Section 2.2: EIGRP
Refer to Figure 1-6. Configure EIGRP with an instance name of CCIE where possible using an autonomous system number of 1. The loopback interfaces of all routers and switches should be advertised within EIGRP. (2 points)

Ensure that R4 does not install any of the EIGRP loopback routes from any of the switches into its routing table; these routes should also not be present in the OSPF network post redistribution. Do not use any route-filtering ACLs, prefix lists, or admin distance manipulation to achieve this, and perform configuration only on R4. (4 points)

R4 will have dual equal-cost routes to VLAN 300 (network 150.100.3.0) from R5 and R6. Ensure that R4 sends traffic to this destination network to R5 instead of load sharing. If the route from R5 becomes unavailable, traffic should be sent to R6. You cannot policy route, alter the bandwidth or delay statements on R4’s interfaces, or use an offset list. Perform your configuration on R4 only. Your solution should be applied to all routes received from R5 and R6, as opposed to solely the route to network VLAN 300. (4 points)

Figure 1-6 EIGRP Topology

Section 2.3: Redistribution
Perform mutual redistribution of IGPs on R4. All routes should be accessible except for the switch loopback networks (because these should not be visible via R4 from an earlier question). EIGRP routes redistributed within the OSPF network should remain with a fixed cost of 5000 throughout the network. (3 points)

Configure R4 to redistribute only up to five EIGRP routes and generate a system warning when the fourth route is redistributed. Do not use any access lists in your solution. (2 points)

Section 3: BGP (14 Points)
Refer to Figure 1-7. Configure iBGP peering as follows: R1-R3, R2-R3, R6-R5, SW1-R6, and SW1-R5. Use minimal configuration and use loopback interfaces for your peering. (2 points)

Use the autonomous system numbers supplied in Figure 1-7. Configure eBGP peering as follows: R3-R4, R4-R5, R4-R6, and R5-R2. Use minimal configuration and use loopback interfaces for your peering with the exception of R4 to R5. (2 points)

Figure 1-7 BGP Topology

AS200 is to be used as a backup transit network for traffic between AS10 and AS300; therefore, if the serial network between R5 and R2 fails, ensure that the peering between R2 and R5 is not maintained via the Ethernet network. Do not use any ACL type restrictions or change the existing peering. (4 points)

Configure two new loopback interfaces on R1 and R2 of 126.1.1.1/24 and 130.1.1.1/24, respectively, and advertise these into BGP using the network command. R3 should be configured to enable only BGP routes originated from R1 up to network 128.0.0.0 and from above network 128.0.0.0 originated from R2. Use only a single ACL on R3 as part of your solution. (2 points)

Configure a new loopback interface 2 on R2 of 130.100.200.1/24, and advertise this into BGP using the network command. Configure R2 in such a way that if the serial link between R2 and R5 fails, AS300 no longer receives this route. Do not use any route filtering between neighbors to achieve this. (3 points)

Configure HSRP between R5 and R6 on VLAN300 with R5 active for .1/24. If the network 130.100.200.0/24 is no longer visible to AS300, R6 should dynamically become the HSRP active. Configure R5 to achieve this solution. (3 points)

Section 4: IPv6 (15 Points)
Refer to Figure 1-8. Configure IPv6 addresses on your network as follows:
2007:C15:C0:10::1/64 – R1 Gi0/1
2007:C15:C0:11::1/64 – R1 Gi0/0
2007:C15:C0:11::2/64 – R2 FE0/0
2007:C15:C0:11::3/64 – R3 Gi0/1
2007:C15:C0:12::2/64 – R2 FE0/1
2007:C15:C0:14::2/64 – R2 S0/1
2007:C15:C0:14::5/64 – R5 S0/0/1
2007:C15:C0:15::3/64 – R3 Gi0/0
2007:C15:C0:15::4/64 – R4 Gi0/0
2007:C15:C0:16::5/64 – R5 Gi0/1
2007:C15:C0:16::6/64 – R6 Gi0/1

Figure 1-8 IPv6 Topology

Section 4.1: EIGRPv6
Configure EIGRPv6 under the instance of CCIE with a primary autonomous system of 1. R1 must not form any neighbor relationship with R2 on VLAN 132 (without the use of any ACL, static neighbor relationship, or multicast blocking feature). R1 must dynamically learn a default route over EIGRPv6 via R3 on VLAN 132 by which to communicate with the IPv6 network. (4 points)

Section 4.2: OSPFv3
Configure OSPFv3 with a process ID of 1, with all OSPF interfaces assigned to Area 0. (2 points)

The IPv6 network is deemed to be stable; therefore, reduce the number of LSAs flooded within the OSPF domain. (2 points)

Section 4.3: Redistribution
Redistribute EIGRPv6 routes into the OSPFv3 domain (one way). EIGRPv6 routes should have a fixed cost of 5000 associated with them within the OSPF network. (1 point)

Ensure that the OSPFv3 network is reachable from the EIGRPv6 network by a single route of 2007::/16, which should be seen within the EIGRPv6 domain. Configure R5 only to achieve this. The OSPF domain should continue to receive specific EIGRPv6 subnets. (2 points)

Ensure that if the serial link fails between the OSPF and EIGRPv6 domain, routing is still possible between R5 and R4 over VLAN 45. Do not enable EIGRPv6 on the VLAN 45 interfaces of R4 and R5. Configure R4 and R5 to achieve this, which should be considered as an alternative path only if a failure occurs. (3 points)

Ensure that the summary route configured previously is not seen back on the routing table of R5; configure only R5 to achieve this. (1 point)

Section 5: QoS (8 Points)
You are required to configure QoS on Switch 1 according to the Cisco QoS baseline model. Create a Modular QoS configuration for all user ports (Fast Ethernet 1–24) that facilitates the following requirements (3 points):
1. All ports should trust the DSCP values received from their connecting devices.
2. Packets received from the user ports with DSCP values of 48, 46, 34, 32, 28, 24, 16, and 10 should be re-marked to DSCP 8 (PHB CS1) in the event of traffic flowing above 5 Mbps on a per-port basis. This traffic could be a combination of any of the preceding DSCP values with any source/destination combination. Ensure a minimum burst value is configured above the 5 Mbps.

Switch 1 will be connected to a new trusted domain in the future using interface Gigabit 0/1. A DSCP value received locally on SW1 of AF43 should be mapped to AF42 when destined for the new domain. (2 points)

Configure Cisco Modular QoS as follows on R2 for the following traffic types based on their associated per-hop behavior into classes. Incorporate these into an overall policy that should be applied to the T1 interface S0/1. Allow each class the effective bandwidth as detailed, entered as a percentage. (2 points)

Configure R2 so that traffic can be monitored on the serial network with a view to a dynamic policy being generated in the future that trusts the DSCP value of traffic identified on this media. (1 point)

Section 6: Security (6 Points)
Configure R3 to identify and discard the following custom virus; the virus is characterized by the ASCII characters Hastings_Beer within the payload and uses UDP Ports 11664 to 11666. The ID of the virus begins on the third character of the payload. The virus originated on VLAN 34. (2 points)

An infected host is on VLAN 200 of 150.100.2.100. Ensure that only within BGP AS10, traffic destined for this host is directed to null0 of each local router. You cannot use any ACLs to block traffic to this host specifically, but you can use a static route pointing to null0 for traffic destined to 192.0.2.0/24 on routers within AS10. R2 can have an additional static route pointing to null0. Use a BGP feature on R2 to ensure that traffic to this source is blocked. Prevent unnecessary replies when traffic is passed to the null0 interface for users residing on VLAN 100. (3 points)

To protect the control plane on router R6, configure CoPP so that IP packets with a TTL of 0 or 1 are dropped rather than processed, with a resulting ICMP redirect sent to the originator. (1 point)

Section 7: Multicast (4 Points)
Configure routers R1, R2, R3, and R4 for IPv4 Multicast; configure R3 to send multicast advertisements of its own time by use of NTP sourced from interface Gig 0/0. Configure PIM sparse mode on all required interfaces. R3 should also be used to advertise its own gigabit interface IP address as an RP. R3 should also advertise the IP address you are using for the NTP advertisements that will be 224.0.1.1. Do not use the command ntp server in any configurations. Routers R1, R2, and R4 should all show a clock synchronized to that of R3. (4 points)

IP Services (4 Points)
Configure the following commands on router R1:
aaa new-model
logging buffered
logging 120.100.99.1

Configure a policy on router R1 so that if a user tries to remove AAA services or disable logging via the CLI that a syslog message of UNAUTHORIZED-COMMANDENTERED is generated. The policy should ensure that neither command is executed and should consist of a single-line command for the CLI pattern detection. The policy and CLI should run asynchronously. The policy should also generate an email from the router to a mail server residing on IP address 120.100.99.2 (to security@lab-exam.net from eem@lab-exam.net subject “User-Issue” with the message body consisting of details of who was logged on the time either of the commands were entered). (4 points)

“Ask the Proctor”

Note
This section should be used only if you require clues to complete the questions. In the actual CCIE lab, the proctor will not enter into any discussions about the questions or answers. He or she will be present to ensure that you do not have problems with the lab environment and to maintain the timing element of the exam.

Section 1: LAN Switching
Q. Do you want me to configure the collapsed backbone network by manipulating spanning tree to ensure that Switch 1 and Switch 2 are the cores for each VLAN in use?
A. No. You are requested to configure root bridges in a later question.
Q. All the switches are already connected, so I can’t change this unless I shut down some of the connections between switches. Is this acceptable?
A. Yes.
Q. If I explicitly configure Switches 1 and 2 as root bridges, surely this will never enable Switches 3 and 4 to become root bridges.
A. No, it won’t. If a superior BPDU is received on ports connecting to Switches 3 and 4 from Switches 1 and 2, Switches 3 and 4 could become root bridges; use a feature that effectively ignores a superior BPDU if received.
Q. Do you want me to disable spanning tree down to Switches 3 and 4? Is this acceptable?

A. No, spanning tree must remain in operation.
Q. Would you like me to VLAN load balance to utilize bandwidth?
A. No, the question directs you how to use the trunks.
Q. Can I configure a MAC address type access list to block all multicast at Layer 2?
A. No, this would block the traffic but wouldn’t disable the port. Look for a dynamic solution that does not require an ACL.
Q. Can I configure the switchport block multicast command?
A. No, similarly, this wouldn’t disable the port if multicast traffic was present on it.
Q. Would you like me to configure Switch 1 to allocate DHCP addresses?
A. No, the question relates to a fictitious DHCP server that would be connected to Fa0/18 on Switch 1.
Q. Can I manipulate a helper-address function to answer the DHCP question by using ACLs?
A. No, use a recognized DHCP security-related solution.
Q. Can I configure port security to bind my MAC addresses?
A. No, use a feature that complements your DHCP solution.
Q. Can I just configure R4 to trunk to Switch 2 and have a subinterface in both VLAN 45 and VLAN 46?
A. Yes.
Q. I’ve configured my trunk on Switch 2 to R4 and I can’t ping between R4 and R5. I can’t ping between R4 and R6. Is there anything else I need to do?
A. Remember that the switches are in VTP transparent mode; you might want to check that Switch 2 has the required VLANs configured to enable propagation within your switched network.

Section 2: IPv4 IGP Protocols

Section 2.1: OSPF
Q. I am used to configuring OSPF under the process. Surely this is the only place I can configure the parameters.
A. No. There have been recent advances in OSPF enabling you to configure it purely under specific areas of the router, rather like with IPv6. Take a look at the commands available to you under the interfaces.
Q. My neighbor relationship is down over the serial network. I notice I have different OSPF network types preconfigured. Can I change these?
A. No, use an alternative method of bringing the interface parameters back into line.
Q. My secondary address is advertised automatically under OSPF. Can I use a distribute list or prefix type list to block it?

A. No, use an OSPF feature to disable the advertisement of this secondary address.
Q. I’ve attempted to form a neighbor relationship with R4 from R5 using a backup interface. Is this okay?
A. No. Backup interfaces would be fine for a Layer 1 failure but not for a Layer 2 type issue if you had problems with PPP that caused neighbor failures over the serial network. This feature would also ensure that the Ethernet network would be down until the backup interface is activated; the question states that your solution should cater for either Layer 1 or Layer 2 failures and that the Ethernet should remain up.
Q. How about an OSPF demand circuit between R4 and R5?
A. No, this would involve a neighbor relationship being maintained. You need to allow the neighbor relationship to be formed only if a failure condition occurs.
Q. Can I use BFD between R4 and R5?
A. No, this might aid in failure detection, but it does not meet the objectives of the question.
Q. To confirm the operation status of R5’s serial interface, can I just ping it?
A. Yes. You can use ICMP, but you need to ensure that your solution is dynamic.
Q. If I use IP SLA to automatically ping R5 to check the status, is this okay?
A. Yes, this is fine and in accordance with the question.
Q. I have IP SLA running, but I’m stuck. Is this anything to do with tracking the response to the ping?
A. Yes.
Q. How about if I use policy routing with the next hop based on the tracking status?
A. Yes, just remember that this traffic will be based locally on the router when applying any policies.
Q. Okay. I’ve worked out how to do this and managed to get a neighbor up when the serial network fails, but my OSPF connectivity is still not perfect through the Ethernet. Is this normal?
A. Not if you have configured correctly. Take a look at your topology and areas. Something might have changed when R5 connects over the Ethernet.

Section 2.2: EIGRP
Q. I can’t configure my switches with an EIGRP instance name. Is the legacy method with just an autonomous system acceptable for the switches?
A. Yes, this is fine and in accordance with the question.
Q. If I advertise my loopbacks into EIGRP, won’t that mean that R4 and R5 will have their loopbacks advertised by both OSPF and EIGRP?
A. Yes. This is fine.
Q. To stop R4 from receiving the switch loopbacks, can I stop advertising them from the switches?

A. No, you should use a feature on R4 to block them.
Q. Can I use a neighbor prefix list to block the loopbacks?
A. No, you cannot use any type of ACLs or prefix lists.
Q. I’ve noticed when I look at the specific loopback routes that they have a hop count associated with them. It’s unusual to associate hop counts with EIGRP, but can I block routes based on their hop count?
A. Yes.
Q. If I can’t change the bandwidth and delay on R4, can I use a route map to manipulate the EIGRP K values associated on a per-neighbor basis?
A. Yes.

Section 2.3: Redistribution
Q. Do you require a distribute list to block the switch loopbacks from entering the OSPF domain?
A. No, you should have blocked these from entering your IP routing table within R4 previously, so additional blocking would not be required.
Q. I have only one redistribution point, and there is no benefit in creating filtering to protect against potential routing loops between protocols. Is this acceptable?
A. Yes, in this scenario, this would be superfluous.
Q. Can I use a route map to enable five specific EIGRP routes to be redistributed into OSPF?
A. No, the question doesn’t guide you to redistribute specific routes. Use a more general method of allowing a specific number of routes.

Section 3: BGP
Q. Is it okay to disable autosynchronization in BGP?
A. Yes. You need to determine whether you need this feature on or off. Remember that you should have synchronization on only when you are fully redistributing between BGP and your IGP.
Q. Do you want me to configure eBGP multihop but limit it to a value of 2 on R3 for a TTL security check?
A. No. There is a specific security configuration feature within BGP to perform the TTL check.
Q. If I use the TTL security hops with a value of 2, is this all you are looking for?
A. No. You must ensure that your peering still works effectively between R3 and R4 when you have configured this feature.
Q. I find that when the serial network fails, my neighbor relationship is still maintained between R2 and R5.
A. This is because the loopback routes are still available over the alternative path through the network.
Q. Can I block my loopbacks or policy route at some point to effectively break the peering?

A. You do need to effectively break the peering, but there is a much simpler method of achieving this that still maintains unaltered communication between R2 and R5. Think about what you need to configure when you have EBGP peers.
Q. I might have been a little generous with my original multihop value between R2 and R5. If I reduce this to a TTL of 2, I can break the peering. Is this okay?
A. Yes.
Q. I have configured my two new loopbacks. Can I use a prefix list to achieve this?
A. No, you are instructed to use an ACL.
Q. Can I use two route maps inbound from R1 and R2 both pointing to different ACLs so that each route map calls only one ACL?
A. No, you still have two ACLs.
Q. Can I set community values on the routes and match on these using a single ACL?
A. No, you are instructed to use an ACL; your solution would require additional configuration.
Q. So, I need an ACL with a mask suitable for both ranges?
A. Not necessarily. You would need to match only one requirement on the permit functionality; the other could be met by deny.
Q. So, is this some form of conditional advertising?
A. No.
Q. I think I can stop the loopback on R2 being advertised by using the community value of no-export, but if I enable this to R2, it wouldn’t make it to R5 even when the serial network is working?
A. Correct, it wouldn’t be advertised to R5 AS300 from R2. Just think about whether R2 is the best place to send the community to originally.
Q. You haven’t told me what address I should use for HSRP. Is it okay to use the first address in the subnet?
A. Yes, the clue is in the question.
Q. For the HSRP question, if I enable IP SLA to track a route in the routing table, can I use this to control HSRP?
A. No, just find a way of tracking the BGP route and manipulate the HSRP process.

Section 4: IPv6
Q. Should I use the eui-64 address format when configuring my addresses?
A. No, if these were required, the question would have instructed you to use them.
Q. Can I form an EIGRPv6 neighbor relationship between R1 and R3 and also R3 and R2?
A. Yes.

Q. Can I use different autonomous systems and then redistribute at R3?
A. Yes, which is the only suitable location.
Q. How will my EIGRPv6 domain communicate with the OSPFv3 domain?
A. This issue is addressed in the following task.

Section 4.3: Redistribution
Q. I have redistributed EIGRPv6 into OSPFv3 on R5, and noticed that in my OSPFv3 domain I do not see the IPv6 network configured on the serial network between R2 and R5. Is this okay?
A. No, this network should be advertised to the OSPFv3 domain. Use a feature within the OSPFv3 process as you would to overcome this if this were IPv4 redistribution.
Q. Can I redistribute a static IPv6 route on R5 into RIPng for 2007::/16?
A. No, static routes are permitted unless specified. What would you do if this were IPv4?
Q. If I can’t enable EIGRPv6 on VLAN 45 between R4 and R5, can I enable OSPFv3?
A. No, this would also require you to perform redistribution at this point?
Q. If I can’t use EIGRPv6 directly on VLAN 45 between R4 and R5, can I configure OSPFv3 on VLAN 45?
A. No. You are not requesting mutual redistribution between EIGRPv6 and OSPFv3. Find a way to still run EIGRPv6 between routers without enabling it on the physical interfaces.
Q. Can I tunnel between R4 and R5?
A. Yes.
Q. How about tunneling again and enabling EIGRPv6 over the tunnel. Is this okay?
A. Yes, this is fine.
Q. I have created my tunnel and found that this is now the primary route rather than an alternative path. Can I perform some kind of backup interface to make this come up only if a failure occurs on the serial link?
A. No. This approach would also break your IPv4 network. Think why the Ethernet path is preferred and manipulate it.
Q. Can I use a prefix list to block the summary and permit all other IPv6 routes?
A. No, you haven’t been given sufficient information to make this judgment.

Section 5: QoS
Q. Can I just trust DSCP on my physical ports?
A. No, this should be completed as part of your policy.
Q. Shall I rate limit my ports to 5M on a per-port basis?

A. Yes, this should be completed as part of your policy.
Q. You haven’t indicated what the minimum burst size should be.
A. No, just use the available limits within the command options.
Q. I believe I can use a DSCP mutation map to convert the DSCP values for the future, but the command won’t take the values AF43 and AF42. Is this correct?
A. No, it won’t because these are Assured Forwarding values. You need to convert these to DSCP values. Search your documentation CD or available Cisco.com pages.
Q. I am trying to assign bandwidth within my class with the speeds supplied, but I can see only a percentage option. Is this correct?
A. Yes, you must do some math. You are supplied with the information you require and just need to remember how fast a T1 line is.

Section 6: Security
Q. Can I use a route map and ACLs to identify the traffic by port number?
A. No, this would identify the UDLD traffic but not the virus payload as per the question. Investigate the options open to you with NBAR.
Q. Can I policy route traffic destined to the infected host to null0?
A. No, you must use a BGP-related feature.
Q. A static route for 192.0.2.0/24 won’t have any bearing on traffic destined to the infected host. Why is this relevant?
A. Think about the way BGP works. It’s the only routing protocol where you don’t need to be directly connected to form a neighbor relationship; therefore, you transport next-hop information with your updates.
Q. I have configured CoPP on R6 and seem to have lost all my routes. Is this expected behavior? Do you want me to fix this as part of the CoPP question?
A. Yes. If you have lost your routes, think about why this has happened. However, provide a fix; otherwise, you would lose points in other sections.

Section 7: Multicast
Q. Do you want me to create and announce the group 224.0.1.1 on R3?
A. Yes.
Q. If I can’t configure ntp server on R1, R2, and R4, there won’t be a way I can get these routers to peer with R3, is this correct?
A. No, you don’t need to specifically peer with R3 as the server; you should aim to receive the NTP stream that R3 should be configured to multicast.

Section 8: IP Services
Q. Based on the email address, I guess this is an EEM question?

A. Correct.

Q. I can’t get both commands onto a single CLI pattern event. Is it okay to configure two?
A. No, you are directed to configure a single CLI pattern event command that will pick up either command.

Q. Do you need me to set up a route to 120.100.99.0/24?
A. No.

Lab Debrief

This section analyzes each question, showing you what was required and how to achieve the desired results. You should use this section to produce an overall score for this practice lab.

Section 1: LAN Switching (25 Points)

Configure your switches as a collapsed backbone network with Switches 1 and 2 performing core and distribution functionality and Switches 3 and 4 as access switches in your topology. Switches 3 and 4 should connect to only the core switches. (2 points)

This is a simple start to the exercise. The switches are fully meshed to begin with. To create a collapsed backbone topology, the core switches should be connected together, and each access switch should be dual-homed to the core switches. The only switches that should not connect directly to each other are the access switches (SW3 and SW4). By shutting down the interfaces between SW3 and SW4, as shown in Example 1-1, you create the required topology. If you have configured this correctly, you have scored 2 points.

Example 1-1 SW3 and SW4 Configuration

SW3(config)# interface range fastethernet 0/23-24
SW3(config-if-range)# shut
SW4(config)# interface range fastethernet 0/23-24
SW4(config-if-range)# shut

Switch 1 and 2 should run spanning tree in 802.1w mode. Switches 3 and 4 should operate in their default spanning-tree mode. (2 points)

802.1w is Rapid Spanning Tree, which is backward compatible with the switches’ default (PVST). So, if you configure Switches 1 and 2 into Rapid Spanning Tree mode, spanning tree can still operate effectively with Switches 3 and 4. Even though the resulting topology is not looped at this stage, you can verify root bridge assignment by using the show spanning-tree root command. If you have configured this correctly, as shown in Example 1-2, you have earned another 2 points.

Example 1-2 SW1 and SW2 Configuration

SW1(config)# spanning-tree mode rapid-pvst
SW2(config)# spanning-tree mode rapid-pvst

Configure Switch 1 to be the root bridge and Switch 2 the secondary root bridge for VLANs 1 and 300. Ensure that Switches 3 and 4 can never become root bridges for any VLANs for which Switch 1 and Switch 2 are root bridges by configuring only Switches 1 and 2. (2 points)

This is a straightforward question for the core switches. The root bridge prioritization root guard is configured on the ports that connect Switches 1 and 2 to Switches 3 and 4. This ensures that if a superior BPDU is received on these ports, it is ignored. If you have configured this correctly, as shown in Example 1-3, you have 2 points.

Example 1-3 SW1 and SW2 Root Bridge Configuration

SW1(config)# spanning-tree vlan 1 root primary
SW1(config)# spanning-tree vlan 300 root primary
SW1(config-if)# interface fastethernet 0/19
SW1(config-if)# spanning-tree guard root
SW1(config-if)# interface fastethernet 0/20
SW1(config-if)# spanning-tree guard root
SW1(config-if)# interface fastethernet 0/21
SW1(config-if)# spanning-tree guard root
SW1(config-if)# interface fastethernet 0/22
SW1(config-if)# spanning-tree guard root
SW2(config)# spanning-tree vlan 1 root secondary
SW2(config)# spanning-tree vlan 300 root secondary
SW2(config-if)# interface fastethernet 0/19
SW2(config-if)# spanning-tree guard root
SW2(config-if)# interface fastethernet 0/20
SW2(config-if)# spanning-tree guard root
SW2(config-if)# interface fastethernet 0/21
SW2(config-if)# spanning-tree guard root
SW2(config-if)# interface fastethernet 0/22
SW2(config-if)# spanning-tree guard root
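The following Python model is an added example, not part of the original lab text. It reproduces the VLAN 300 election that Example 1-3 configures and shows why bridge priority alone does not meet the requirement, and what root guard does when a superior BPDU arrives on a port facing an access switch. The MAC addresses and the lowered priority of 4096 are constructed for illustration; 24576 and 28672 are the values IOS applies for root primary and root secondary when the other switches sit at the default of 32768.

```python
from dataclasses import dataclass, field

DEFAULT_PRIORITY = 32768   # IOS default bridge priority
ROOT_PRIMARY = 24576       # applied by "root primary" when the current root is at the default
ROOT_SECONDARY = 28672     # applied by "root secondary"
VLAN = 300

# Constructed MAC addresses; the lab does not list the switches' real ones.
MACS = {"SW1": "0011.1111.1111", "SW2": "0022.2222.2222",
        "SW3": "0033.3333.3333", "SW4": "0044.4444.4444"}


@dataclass(frozen=True, order=True)
class BridgeID:
    """Bridge ID as STP compares it: the lowest (priority, MAC) wins."""
    priority: int   # configured priority + VLAN ID (extended system ID)
    mac: int

    @classmethod
    def build(cls, priority, vlan, mac):
        if priority % 4096 or not 0 <= priority <= 61440:
            raise ValueError("priority must be a multiple of 4096 in 0..61440")
        return cls(priority + vlan, int(mac.replace(".", ""), 16))


@dataclass
class Port:
    name: str
    root_guard: bool = False
    state: str = "forwarding"


@dataclass
class Switch:
    name: str
    bid: BridgeID
    ports: dict = field(default_factory=dict)
    root: BridgeID = None

    def __post_init__(self):
        self.root = self.bid   # every bridge starts out claiming to be root

    def receive_bpdu(self, port_name, advertised_root):
        """Process the root ID carried in a BPDU received on port_name."""
        port = self.ports[port_name]
        superior = advertised_root < self.root
        if superior and port.root_guard:
            # Root guard: block the port, keep the current root.
            port.state = "root-inconsistent"
        elif superior:
            # Plain STP: the better bridge ID takes over as root.
            self.root = advertised_root
        elif port.state == "root-inconsistent":
            # Simplified recovery: once superior BPDUs stop, the port returns.
            port.state = "forwarding"
        return port.state


def lab_bridge_ids(vlan=VLAN):
    """Bridge IDs after Example 1-3 is applied (SW3 and SW4 left at default)."""
    return {
        "SW1": BridgeID.build(ROOT_PRIMARY, vlan, MACS["SW1"]),
        "SW2": BridgeID.build(ROOT_SECONDARY, vlan, MACS["SW2"]),
        "SW3": BridgeID.build(DEFAULT_PRIORITY, vlan, MACS["SW3"]),
        "SW4": BridgeID.build(DEFAULT_PRIORITY, vlan, MACS["SW4"]),
    }


def elect_root(bids):
    """Name of the switch with the lowest bridge ID."""
    return min(bids, key=bids.get)


def superior_bpdu_on_access_link(root_guard):
    """A bridge behind Fa0/19 advertises priority 4096 (constructed event).

    Returns (state of SW1 Fa0/19, whether SW1 still considers itself root).
    """
    bids = lab_bridge_ids()
    sw1 = Switch("SW1", bids["SW1"], {"Fa0/19": Port("Fa0/19", root_guard)})
    lowered = BridgeID.build(4096, VLAN, MACS["SW3"])
    state = sw1.receive_bpdu("Fa0/19", lowered)
    return state, sw1.root == sw1.bid


if __name__ == "__main__":
    print("root for VLAN 300:", elect_root(lab_bridge_ids()))
    print("with root guard:   ", superior_bpdu_on_access_link(True))
    print("without root guard:", superior_bpdu_on_access_link(False))
```

Priority settings only decide the election among the values currently configured; root guard is what keeps the result fixed when a lower bridge ID later appears on an access-facing port.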

Make sure that you fully use the available bandwidth between switches by grouping your interswitch links as trunks. Ensure that only dot1q and EtherChannel are supported. (3 points)

This is another straightforward question for all switches to create EtherChannels between devices. Using the command channel-group n mode on under the physical interfaces ensures that only EtherChannel is supported, as opposed to Port Aggregation Protocol (PAgP) or Link Aggregation Control Protocol (LACP), and dot1q is the trunking protocol. For Layer 2 EtherChannels, you do not have to create a port-channel interface first by using the interface port-channel configuration command before assigning a physical port to a channel group. You can use the channel-group interface configuration command that automatically creates the port-channel interface, although a manual port channel configuration has been shown here for clarity. Remember that now that you have EtherChannels between switches, you will need to configure root guard on these interfaces to ensure that Switches 3 and 4 cannot become root bridges. This is over and above the physical interface configuration completed previously. If you have configured this correctly, as shown in Example 1-4, you have scored 3 points.

Example 1-4 Switch 1, 2, 3, and 4 EtherChannel Configuration

SW1(config-if)# interface range fastethernet0/19-20
SW1(config-if)# channel-group 1 mode on
SW1(config-if)# interface range fastethernet0/21-22
SW1(config-if)# channel-group 2 mode on
SW1(config-if)# interface range fastethernet0/23-24
SW1(config-if)# channel-group 3 mode on
SW1(config-if)# interface Port-channel1
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk
SW1(config-if)# spanning-tree guard root
SW1(config-if)# interface Port-channel2
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk
SW1(config-if)# spanning-tree guard root
SW1(config-if)# interface Port-channel3
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk
SW2(config-if)# interface range fastethernet0/19-20
SW2(config-if)# channel-group 1 mode on
SW2(config-if)# interface range fastethernet0/21-22
SW2(config-if)# channel-group 2 mode on
SW2(config-if)# interface range fastethernet0/23-24
SW2(config-if)# channel-group 3 mode on
SW2(config-if)# interface Port-channel1
SW2(config-if)# switchport trunk encapsulation dot1q
SW2(config-if)# switchport mode trunk
SW2(config-if)# interface Port-channel2

SW2(config-if)# switchport trunk encapsulation dot1q
SW2(config-if)# switchport mode trunk
SW2(config-if)# interface Port-channel3
SW2(config-if)# switchport trunk encapsulation dot1q
SW2(config-if)# switchport mode trunk
SW3(config-if)# interface range fastethernet0/19-20
SW3(config-if)# channel-group 1 mode on
SW3(config-if)# interface range fastethernet0/21-22
SW3(config-if)# channel-group 2 mode on
SW3(config-if)# interface Port-channel1
SW3(config-if)# switchport trunk encapsulation dot1q
SW3(config-if)# switchport mode trunk
SW3(config-if)# interface Port-channel2
SW3(config-if)# switchport trunk encapsulation dot1q
SW3(config-if)# switchport mode trunk
SW4(config-if)# interface range fastethernet0/19-20
SW4(config-if)# channel-group 1 mode on
SW4(config-if)# interface range fastethernet0/21-22
SW4(config-if)# channel-group 2 mode on
SW4(config-if)# interface Port-channel1
SW4(config-if)# switchport trunk encapsulation dot1q
SW4(config-if)# switchport mode trunk
SW4(config-if)# interface Port-channel2
SW4(config-if)# switchport trunk encapsulation dot1q
SW4(config-if)# switchport mode trunk

SW1# show interfaces port-channel 1 status
Port      Name      Status       Vlan     Duplex   Speed   Type
Po1                 connected    trunk    a-full   a-100
SW1# show interfaces port-channel 2 status
Port      Name      Status       Vlan     Duplex   Speed   Type
Po2                 connected    trunk    a-full   a-100
SW1# show interfaces port-channel 3 status
Port      Name      Status       Vlan     Duplex   Speed   Type
Po3                 connected    trunk    a-full   a-100
SW1# show etherchannel summary
Number of channel-groups in use: 3
Number of aggregators: 3
Group  Port-channel  Protocol    Ports
------+-------------+----------+-----------------------------------------------
1      Po1(SU)          -        Fa0/19(P)   Fa0/20(P)
2      Po2(SU)          -        Fa0/21(P)   Fa0/22(P)

3      Po3(SU)          -        Fa0/23(P)   Fa0/24(P)
SW2# show interfaces port-channel 1 status
Port      Name      Status       Vlan     Duplex   Speed   Type
Po1                 connected    trunk    a-full   a-100
SW2# show interfaces port-channel 2 status
Port      Name      Status       Vlan     Duplex   Speed   Type
Po2                 connected    trunk    a-full   a-100
SW2# show interfaces port-channel 3 status
Port      Name      Status       Vlan     Duplex   Speed   Type
Po3                 connected    trunk    a-full   a-100
SW2# show etherchannel summary
Number of channel-groups in use: 3
Number of aggregators: 3
Group  Port-channel  Protocol    Ports
------+-------------+----------+-----------------------------------------------
1      Po1(SU)          -        Fa0/19(P)   Fa0/20(P)
2      Po2(SU)          -        Fa0/21(P)   Fa0/22(P)
3      Po3(SU)          -        Fa0/23(P)   Fa0/24(P)
SW3# show interface port-channel 1 status
Port      Name      Status       Vlan     Duplex   Speed   Type
Po1                 connected    trunk    a-full   a-100
SW3# show interface port-channel 2 status
Port      Name      Status       Vlan     Duplex   Speed   Type
Po2                 connected    trunk    a-full   a-100
SW3# show etherchannel summary
Number of channel-groups in use: 2
Number of aggregators: 2
Group  Port-channel  Protocol    Ports
------+-------------+----------+-----------------------------------------------
1      Po1(SU)          -        Fa0/19(P)   Fa0/20(P)
2      Po2(SU)          -        Fa0/21(P)   Fa0/22(P)
SW4# show interface port-channel 1 status
Port      Name      Status       Vlan     Duplex   Speed   Type
Po1                 connected    trunk    a-full   a-100
SW4# show interface port-channel 2 status
Port      Name      Status       Vlan     Duplex   Speed   Type

Po2                 connected    trunk    a-full   a-100
SW4# show etherchannel summary
Number of channel-groups in use: 2
Number of aggregators: 2
Group  Port-channel  Protocol    Ports
------+-------------+----------+-----------------------------------------------
1      Po1(SU)          -        Fa0/19(P)   Fa0/20(P)
2      Po2(SU)          -        Fa0/21(P)   Fa0/22(P)

Ensure that traffic is distributed on individual Ethernet trunks between switches based on the destination MAC address of individual flows. (2 points)

A common problem with EtherChannels is traffic not being distributed equally among the physical interfaces. Configuring channel load balancing based on the destination MAC address of an individual flow is just one method available to distribute traffic. If you have configured this correctly, as shown in Example 1-5, you have scored 2 points.

Example 1-5 Switch 1, 2, 3, and 4 EtherChannel Load-Balancing Configuration

SW1(config)# port-channel load-balance dst-mac
SW2(config)# port-channel load-balance dst-mac
SW3(config)# port-channel load-balance dst-mac
SW4(config)# port-channel load-balance dst-mac

SW1# show etherchannel load-balance
EtherChannel Load-Balancing Operational State (dst-mac):
Non-IP: Destination MAC address
  IPv4: Destination MAC address
  IPv6: Destination IP address

Ensure that user interfaces, if they toggle excessively, are shut down dynamically by all switches; if they remain stable for 35 seconds, they should be reenabled. Configure Fast Ethernet Port 0/10 on each switch so that if multicast traffic is received on this port, the port is automatically disabled. (3 points)

Interfaces that flap can cause problems in a network. Toggling would usually indicate a problem such as a faulty connecting network interface card (NIC) or faulty cable. Placing the ports into error disable is a way to stabilize the environment. To disable a port when multicast traffic is present, you need to configure storm control with the multicast option set to 0. If you have configured this correctly, as shown in Example 1-6, you have scored 3 points.

Example 1-6 Switch 1, 2, 3, and 4 Configuration

SW1(config)# errdisable recovery cause link-flap
SW1(config)# errdisable recovery interval 35
SW1(config)# interface fastethernet 0/10
SW1(config-if)# storm-control multicast level 0
SW1(config-if)# storm-control action shutdown
SW2(config)# errdisable recovery cause link-flap
SW2(config)# errdisable recovery interval 35
SW2(config)# interface fastethernet 0/10
SW2(config-if)# storm-control multicast level 0
SW2(config-if)# storm-control action shutdown
SW3(config)# errdisable recovery cause link-flap
SW3(config)# errdisable recovery interval 35
SW3(config)# interface fastethernet 0/10
SW3(config-if)# storm-control multicast level 0
SW3(config-if)# storm-control action shutdown
SW4(config)# errdisable recovery cause link-flap
SW4(config)# errdisable recovery interval 35
SW4(config)# interface fastethernet 0/10
SW4(config-if)# storm-control multicast level 0
SW4(config-if)# storm-control action shutdown

Fast Ethernet ports 0/11–17 will be used for future connectivity on each switch. Configure these ports as access ports for VLAN 300, which should begin forwarding traffic immediately upon connection. Devices connected to these ports will dynamically receive IP addresses from a DHCP server due to be connected to port 0/18 on SW1. For security purposes, this is the only port on the network from which DHCP addresses should be allocated. Ensure that the switches intercept the DHCP requests and add the ingress port and VLAN and switch MAC address before sending forward to the DHCP server. Limit DHCP requests to 600 packets per minute per user port. (6 points)

This is a Dynamic Host Configuration Protocol (DHCP) snooping question. This is a useful security feature that protects the network from rogue DHCP servers. The question includes a couple of points that could easily be overlooked if you are suffering from exam pressure, namely that the ports are required to be configured with switchport host (or by configuring portfast) to set the port mode to access and to forward immediately. When the DHCP option-82 feature is enabled on the switch with the command ip dhcp snooping information option, a subscriber is identified by the switch port through which it connects to the network and by its MAC address. DHCP snooping also facilitates a rate-limiting feature for DHCP requests to prevent a DHCP denial of service by excessive false requests from a host, which would have the “gobbler effect” of requesting numerous leases from the same port. The rate limiting is configured in packets per second, not

per minute as implied, so you need to pay attention to detail. If you have configured this correctly, as shown in Example 1-7, you have scored 6 points.

Example 1-7 Switch 1, 2, 3, and 4 DHCP Snooping Configuration

SW1(config)# ip dhcp snooping
SW1(config)# ip dhcp snooping vlan 300
SW1(config)# ip dhcp snooping information option
SW1(config)# int fastethernet 0/18
SW1(config-if)# ip dhcp snooping trust
SW1(config)# interface range fastethernet 0/11-17
SW1(config-if-range)# ip dhcp snooping limit rate 10
SW1(config)# interface range fastethernet 0/11-18
SW1(config-if-range)# switchport host
SW1(config-if-range)# switchport access vlan 300
SW2(config)# ip dhcp snooping
SW2(config)# ip dhcp snooping vlan 300
SW2(config)# ip dhcp snooping information option
SW2(config)# interface range fastethernet 0/11-17
SW2(config-if-range)# ip dhcp snooping limit rate 10
SW2(config-if-range)# switchport host
SW2(config-if-range)# switchport access vlan 300
SW3(config)# ip dhcp snooping
SW3(config)# ip dhcp snooping vlan 300
SW3(config)# ip dhcp snooping information option
SW3(config)# interface range fastethernet 0/11-17
SW3(config-if-range)# ip dhcp snooping limit rate 10
SW3(config-if-range)# switchport host
SW3(config-if-range)# switchport access vlan 300
SW4(config)# ip dhcp snooping
SW4(config)# ip dhcp snooping vlan 300
SW4(config)# ip dhcp snooping information option
SW4(config)# interface range fastethernet 0/11-17
SW4(config-if-range)# ip dhcp snooping limit rate 10
SW4(config-if-range)# switchport host
SW4(config-if-range)# switchport access vlan 300

SW1# sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
300
Insertion of option 82 is enabled
   circuit-id format: vlan-mod-port
   remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                  Trusted     Rate limit (pps)

------------------------   -------     ----------------
fastethernet0/11           no          10
fastethernet0/12           no          10
fastethernet0/13           no          10
fastethernet0/14           no          10
fastethernet0/15           no          10
fastethernet0/16           no          10
fastethernet0/17           no          10
fastethernet0/18           yes         unlimited

For additional security ensure that the user ports (0/11–17) on Switches 1–4 can communicate only with the network with IP addresses gained from the DHCP feature configured previously. Use a dynamic feature to ensure that the only information forwarded upon connection is DHCP request packets and then, for additional security, any traffic that matches the DHCP IP information received from the DHCP binding. (3 points)

A complementary feature to DHCP snooping is IP Source Guard. This feature binds the information received from the DHCP address offered and effectively builds a dynamic VACL on a per-port basis to enable only source traffic matched from the DHCP offer to ingress the switch port for additional security. If you have configured this correctly, as shown in Example 1-8, you have scored 3 points.

Example 1-8 Switch 1, 2, 3, and 4 IP Source Guard Configuration

SW1(config)# interface range fast 0/11-17
SW1(config-if-range)# ip verify source
SW2(config)# interface range fast 0/11-17
SW2(config-if-range)# ip verify source
SW3(config)# interface range fast 0/11-17
SW3(config-if-range)# ip verify source
SW4(config)# interface range fast 0/11-17
SW4(config-if-range)# ip verify source

R5 and R6 have been preconfigured with IP addresses on their Ethernet interfaces. Configure R4 and its associated switch port accordingly without using secondary addressing to communicate with R5 and R6. Configure R4 with an IP address of 120.100.45.4/24 to communicate with R5, and configure R4 with an IP address of 120.100.46.4/24 to communicate with R6. Configure R4 Gi0/1 and Switch 2 FE0/4 only. (3 points)

This is just a simple trunking question on Switch 2 to R4 to enable R4 to connect to VLAN 45 and VLAN 46. One point to remember is that Switch 2 does not have VLAN 45 and VLAN 46 configured locally within the default configuration, so you will need to create the VLANs locally

before configuring the trunk. If you have configured this correctly, as shown in Example 1-9, you have scored 3 points.

Example 1-9 Switch 2 and R4 Trunking Configuration

R4(config)# interface GigabitEthernet0/1.45
R4(config-if)# encapsulation dot1Q 45
R4(config-if)# ip address 120.100.45.4 255.255.255.0
R4(config-if)# interface GigabitEthernet0/1.46
R4(config-if)# encapsulation dot1Q 46
R4(config-if)# ip address 120.100.46.4 255.255.255.0
SW2(config)# vlan 45-46
SW2(config)# interface fastethernet0/4
SW2(config-if)# switchport trunk encapsulation dot1q
SW2(config-if)# switchport trunk allowed vlan 45,46
SW2(config-if)# switchport mode trunk

Section 2: IPv4 IGP Protocols (24 Points)

Section 2.1: OSPF

Use a process ID of 1; all OSPF configuration where possible should not be configured under the process ID. The loopback interfaces of routers R1, R2, and R3 should be configured to be in Area 0. R4 should be in Area 34 and R5 in Area 5. (2 points)

Recent advances in OSPF have enabled configuration of the network area directly under the interface as opposed to within the OSPF process. Example 1-10 details the Open Shortest Path First (OSPF) configuration.

Example 1-10 OSPF Configuration

R1(config)# interface GigabitEthernet 0/0
R1(config-if)# ip ospf 1 area 100
R1(config)# interface GigabitEthernet 0/1
R1(config-if)# ip ospf 1 area 0
R1(config-if)# interface Loopback 0
R1(config-if)# ip ospf 1 area 0
R2(config)# interface Loopback 0
R2(config-if)# ip ospf 1 area 0
R2(config-if)# interface fastethernet 0/0
R2(config-if)# ip ospf 1 area 0
R2(config-if)# interface Serial 0/1

3.100. Serial0/0 O 120.1/32 [110/129] via 120.100.123.100.R2(config-if)# ip ospf 1 area 5 R2(config-if)# interface fastethernet 0/1 R2(config-if)# ip ospf 1 area 200 R3(config)# interface loopback 0 R3(config-if)# ip ospf 1 area 0 R3(config-if)# interface GigabitEthernet 0/1 R3(config-if)# ip ospf 1 area 0 R3(config-if)# interface GigabitEthernet 0/0 R3(config-if)# ip ospf 1 area 34 R4(config)# interface Loopback 0 R4(config-if)# ip ospf 1 area 34 R4(config-if)# interface GigabitEthernet 0/0 R4(config-if)# ip ospf 1 area 34 R4(config-if)# interface GigabitEthernet 0/1. you have scored 1 point.3.100. Serial0/1 O IA 120. you have scored 2 points.100. you need to override the network type that the IOS associates with the loopback interface.100.1.1/32 [110/65] via 120.1.100.123.25. If you have configured this correctly. Serial0/1 O 120.100. .1.1/32 [110/65] via 120.100. Serial0/1 O IA 120.45 R4(config-if)# ip ospf 1 area 5 R5(config)# interface Loopback 0 R5(config-if)# ip ospf 1 area 5 R5(config-if)# interface GigabitEthernet 0/0 R5(config-if)# ip ospf 1 area 5 R5(config-if)# interface Serial 0/0/1 R5(config-if)# ip ospf 1 area 5 If you have configured OSPF correctly. 00:01:00.123.25.1/32 [110/2] via 120.5.3.123. 00:04:34. 00:01:00.5. No loopback networks should be advertised as host routes. 00:47:32.3. Serial0/0 R2# sh ip route | include /32 C 120.100.1/32 [110/66] via 120. 00:50:56.100. (1 point) Loopback interfaces within OSPF are by default advertised as host routes. To manipulate this behavior. as shown in Example 1-10. as shown in Example 1-11.100.100.5.25.1/32 [110/65] via 120. Serial0/0 O 120. Example 1-11 shows the host routes learned on R2.4. 00:00:42.3. GigabitEthernet0/1 O 120.5/32 is directly connected.4.123.5.100.1/32 [110/3] via 120. Example 1-11 OSPF Loopback Interface Host Routes and Configuration Click here to view code image R2# sh ip route | include /32 O 120.100. 00:39:59.

Serial0/1 O IA 120.45.3. fastethernet0/0 O IA 120.3.100. . 00:17:09.100.123. fastethernet0/0 O 120.100. fastethernet0/0 Ensure that R1 does not advertise the preconfigured secondary address under interface Gigabit 0/1 of 120.100. (2 points) The associated behavior with configuring OSPF directly under the interface is that it will by default advertise any secondary addresses assigned to the interface.GigabitEthernet0/1 O 120.100.100. Do not use any filtering techniques to achieve this. 01:43:00.0/24 [110/2] via 120. as shown in Example 1-12.5. you need to inform OSPF not to include the secondary addresses under the interface command.100.123.0/24 [110/2] via 120.100. you have scored 2 points.100. 01:43:00.123.100.0/24 [110/65] via 120.0/24 [110/3] via 120.0/24 [110/2] via 120.100. 01:42:26.100.25. 02:52:46.1/32 [110/2] via 120.1.4.123.123. 00:00:04.100. Because you cannot filter this advertisement.1/24 to the OSPF network. R1 has a preconfigured secondary address on interface Gigabit 0/1 that is therefore advertised. fastethernet0/0 O 120.3.5.1.100. 01:42:09.0/24 [110/65] via 120.3.34.100.100.25.3.0/24 [110/2] via 120. GigabitEthernet0/1 R1# conf t R1(config)# int Loopback 0 R1(config-if)# ip ospf network point-to-point R2# conf t R2(config)# interface Loopback 0 R2(config-if)# ip ospf network point-to-point R3# conf t R3(config)# int Loopback 0 R3(config-if)# ip ospf network point-to-point R4# conf t R4(config)# int Loopback 0 R4(config-if)# ip ospf network point-to-point R5# conf t R4(config)# int Loopback 0 R4(config-if)# ip ospf network point-to-point R2# sh ip route ospf 1 | include /24 O IA 120.123. Serial0/1 O 120.3.100.5. If you have configured this correctly.100.1. 00:49:20. fastethernet0/0 O 120.100.

a demand scenario is also out because this would involve a neighbor relationship being formed. but you will find that you can use the IP SLA feature to monitor the IP address of the serial interface on R5 by R5 itself. ensuring that while the Area 5 serial link is operational. maximum is 0 msec Neighbor Count is 0. including secondary ip addresses Transmit Delay is 1 sec. If . so some lateral thinking is required.1.1. Similarly. Router ID 120. maximum is 0 Last flood scan time is 0 msec.100. flood queue length 0 Next 0x0(0)/0x0(0) Last flood scan length is 0.100.Example 1-12 OSPF Secondary Address Advertisement and Configuration Click here to view code image R1# show ip ospf int GigabitEthernet 0/1 GigabitEthernet0/1 is up. (4 points) This is a complex scenario that can consume your time. line protocol is up Internet Address 150. You can rule out a backup interface solution because the Ethernet needs to remain up.1. you know the serial link is up at Layers 1 and 2.0 % Subnet not in table R5 should use the serial link within Area 5 for its primary communication to the OSPF network. You are permitted to define neighbor statements between R5 and R4.100.100. You are also requested to confirm operational status of the serial interface on R5 with your overall solution being dynamic. R5 should form a neighbor relationship with R4 under Area 5 to maintain connectivity.1. This would take a great deal of effort and trial and error. Interface address 150. but all the clues are in the question.100. Wait 40. If this responds to the automatic polling with Internet Control Message Protocol (ICMP).1 No backup designated router on this network Timer intervals configured. the Ethernet interfaces of R4 and R5 must remain up. Your solution should be dynamic.1/24. Area 100 Process ID 1. To confirm the operational status of the serial network.1. Hello 10. 
Adjacent neighbor count is 0 Suppress hello for 0 neighbor(s) R1(config)# interface GigabitEthernet 0/1 R1(config-if)# ip ospf 1 area 100 secondaries none R2# sh ip route 120. State DR. ensure that the serial interface of R5 is reachable by configuration of R5. and the solution must cater for Layer 1 and Layer 2 rather than purely Layer 1. Cost: 1 Enabled by interface config.100.1. there is no neighbor relationship between R4 and R5. If this network should fail either at Layer 1 or Layer 2. however. Dead 40. Retransmit 5 oob-resync timeout 40 Hello due in 00:00:00 Supports Link-local Signaling (LLS) Cisco NSF helper support enabled IETF NSF helper support enabled Index 1/1. Priority 1 Designated Router (ID) 120. Network Type BROADCAST.

if the object status changes. R5 can simply manipulate the way it sends traffic by policy routing.the polling fails. Then. you must change the network type to non-broadcast. when the R5 serial link is up and running.100. So. The neighbor adjacency takes a while waiting for the dead time to expire (120 seconds after changing of the OSPF network type). this feature is known as policy-based routing (PBR) support with multiple tracking options. OSPF needs to be configured between R4 and R5 with manual neighbor statements as directed in the question. which ensures the routers unicast traffic to each other. you know the interface is down. This gives PBR access to all the objects that are available through the tracking process. and inform the required PBR process when an object state changes. such as ICMP ping reachability. we just need to break the adjacency between R5 and R4. In summary.5 R5(config-ip-sla-echo)# exit R5(config)# ip sla schedule 1 life forever start-time now R5(config)# track 1 rtr 1 reachability R5# show ip sla statistics Round Trip Time (RTT) for Index 1 Latest RTT: 4 milliseconds Latest operation start time: *21:17:10. When the serial link fails. we need to allow the adjacency between R5 and R4 to form. The traffic it manipulates needs to be OSPF that should be directed to R4 to form the adjacency over the Ethernet network (VLAN 45).25. The first step in this solution is to configure the IP SLA object tracking on R5. Example 1-13 R5 IP SLA Configuration and Status Click here to view code image R5(config)# ip sla 1 R5(config-ip-sla)# icmp-echo 120.683 UTC Mon Aug 05 2013Latest operation return code: OK Number of successes: 2 Number of failures: 0 Operation time to live: Forever Note OSPF should have already been configured between R4 and R5 within your original peering configuration. and a forwarding decision can be manipulated. To do this. This configuration is detailed in Example 1-13. 
The unicast traffic between neighbors can be identified by an ACL that the PBR process can match. IP SLA can then be used to inform the router. The tracking process provides the ability to track individual objects. instead of allowing normal traffic flow between .

Example 1-14 shows the required OSPF configuration on R4 and R5.25. Example 1-14 R4 and R5 OSPF and PBR Configuration Click here to view code image R4(config)# interface GigabitEthernet0/1. So.2 10 track 1 R5(config-route-map)# interface GigabitEthernet0/0 R5(config-if)# ip policy route-map TEST R5(config-if)# exit R5(config)# ip local policy route-map TEST R2# debug ip icmp ICMP packet debugging is on R2# *Feb 26 22:17:12. Similarly. when the object tracking fails.4 R5(config)# route-map TEST permit 10 R5(config-route-map)# match ip address 100 R5(config-route-map)# set ip next-hop verify-availability 120. and the resulting neighbor partial adjacency that is formed between R4 and R5. the PBR on R5.100. R5 must be configured to locally policy route traffic because normal PBR behavior is for traffic manipulation for traffic that flows through the router rather than traffic generated by the router itself. and because the OSPF TTL is set to 1 by default. the traffic will effectively be dropped by the next hop and the OSPF between R5 and R4 will never establish.847: ICMP: time exceeded (time to live) sent to 120.4 R5(config-router)# exit R5(config)# access-list 100 permit ospf host 120.45.25.45.R5 and R4 to form the neighbor relationship.100.100. the next hop can be modified.25.100.100.100.5 R5(config)# interface GigabitEthernet0/0 R5(config-if)# ip ospf network non-broadcast R5(config-if)# router ospf 1 R5(config-router)# neighbor 120. the PBR process will be overridden and traffic can flow as normal. the PBR process is informed. and the OPSF traffic to 120.45.2 (R2 serial to effectively discard the traffic) if the tracked object (1) is up. R5 can forward normal OSPF traffic to 120.100.45.45.5 host 120.4) R2# R5# show ip ospf neigh . If the object status changes to down.2 10 track 1.100.45 R4(config-if)# ip ospf network non-broadcast R4(config-if)# router ospf 1 R4(config-router)# neighbor 120. This will then allow R5 and R4 to form an OSPF adjacency.100.25. 
a debug of R2 sending TTL expired to R5 after the OSPF traffic is sent to R2 instead of R5.45. if you use the PBR command set ip next-hop verify-availability 120.5 (d est was 120.100.2 would follow the usual next hop.

2. but I’d be surprised if you didn’t learn something new from this question.4. If you had not configured a virtual link.Neighbor ID Pri Time Address 120. Neighbor Down: Interface down or detached *Jan 2 21:58:18.45.4.4 . Example 1-15 R3 and R4 OSPF Virtual Link Configuration and R5 Test Click here to view code image R3(config)# router ospf 1 R3(config-router)# area 34 virtual-link 120.1 1 GigabitEthernet0/0 State Interface FULL/ - Dead 00:00:37 INIT/DROTHER 00:01:45 120.100.3. Your routing table needs to be an exact replica as that shown in Example 1-15.4 Example 1-15 shows the OSPF adjacency formed when the serial link between R2 and R5 is shut down on R5. Nbr 120. changed state to down R5(config-if)# do show ip ospf neigh Neighbor ID Pri State Dead Time Address Interface N/A 0 ATTEMPT/DROTHER 00:00:33 GigabitEthernet0/0 120.45.100. changed state to administratively down *Jan 2 21:58:19.100.100. The PBR is overridden and normal routing occurs because the next hop is not verified by the object tracking.807: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1. you have scored 4 points (definitely a question worth leaving to the end of your exam when you might have some time left over to experiment). you are joining Area 5 into Area 34.2. but a good one to practice with and examine how features operate and interact with each other. and a virtual link between R3 and R4 is required to extend area 0. it would have been an easy mistake that would take your points away.1 R4(config)# router ospf 1 R4(config-router)# area 34 virtual-link 120.2 120.100.811: %OSPF-5-ADJCHG: Process 1.100.100.807: %LINK-5-CHANGED: Interface Serial0/0/1.1 on Serial0/0/1 from FULL to DOWN.100.) If you configured this correctly. including the virtual link. (This was a difficult question.1 0 Serial0/0/1 120.25. you might have been scratching your head or cursing me.1 R5(config)# interface s0/0/1 R5(config-if)# shut R5(config-if)# *Jan 2 21:58:16. 
You must remember that when an OSPF adjacency forms between R5 and R2.

100.0.45. 00:04:49. GigabitEthernet0/0 O IA 120. GigabitEthernet0/0 O IA 120.46.100.0 [110/3] via 120.2. 00:00:12.135: %OSPF-5-ADJCHG: Process 1.100.0 0. GigabitEthernet0/0 Section 2. 00:00:12.0. Example 1-16 EIGRP Configuration Click here to view code image R4(config)# router eigrp CCIE R4(config-router)# address-family ipv4 unicast autonomous-system 1 R4(config-router-af)# network 120.0 [110/4] via 120.100. Loading Done R5(config-if)# R5# sh ip route ospf 150.1 on GigabitEthernet0/0 from LOADING to FULL.45.100.3.100.0. 00:04:49.0 [110/4] via 120.547: %OSPF-5-ADJCHG: Process 1.100. Nbr 0. Neighbor Down: Dead timer expired R5(config-if)# *Jan 2 22:00:08.0 0.4.45.0.45.100.4.100.0 [110/2] via 120.4.100.0.0.0.100.100.45.255 R4(config-router-af)# network 120.100. You need to remember to include your preconfigured loopback interfaces and enable routing on the Layer 3 switches. If you have configured this correctly. 00:00:12.255 .4.100.45. GigabitEthernet0/0 O IA 120. as shown in Example 1-16. you have scored 2 points.4.4. 00:00:12.100.2. 00:00:12. GigabitEthernet0/0 O IA 120.0/24 is subnetted.45. GigabitEthernet0/0 O IA 120.2: EIGRP Configure EIGRP with an instance name of CCIE where possible using an autonomous system number of 1.4. 9 subnets O IA 120. GigabitEthernet0/0 O IA 120.0 [110/2] via 120.100.34.4.45.R5(config-if)# *Jan 2 21:59:43.0 [110/4] via 120.100.0 [110/3] via 120.0 [110/4] via 120. 2 subnets O IA 150.100.0 on GigabitEthernet0/0 from ATTEMPT to DOWN.123. (2 points) This is not a difficult question by any means.0.45.0 0.255 R4(config-router-af)# network 120.100. Use the show ip eigrp neighbor command to verify your peering before moving on to the next question.100. The loopback interfaces of all routers and switches should be advertised within EIGRP.100.4. 
just one that has a magnitude of configuration and sets up your Enhanced Interior Gateway Routing Protocol (EIGRP) network using the named instance and address family IPv4 for the following questions.0.0. GigabitEthernet0/0 120.0.4. Nbr 120.0/24 is subnetted.1.100.4. 00:00:12.

0.0.0.5.0 0.100.0 no auto-summary SW2(config)# ip routing SW2(config)# exit SW2# sh run | beg eigrp router eigrp 1 network 120.0 0.7 0.0.0 network 150.100.8.100.0.1 0.100.9 0.255 R5(config-router-af)# network 120.0 0.0 network 150.0.46.0 network 150.0.0.1 0.0.0.0.0 no auto-summary SW3(config)# ip routing SW3(config)# exit SW3# sh run | beg eigrp router eigrp 1 network 120.3. these routes should also not be present in the OSPF .100.3.0 0.0 network 150.0 0.0.3.0.0.0.255 R6(config-router-af)# network 120.100.100.100.0 no auto-summary Ensure that R4 does not install any of the EIGRP loopback routes from any of the switches into its routing table.255 R6(config)# router eigrp CCIE R6(config-router)# address-family ipv4 unicast autonomous-system 1 R6(config-router-af)# network 120.0 0.1 0.0.10 0.3.0.100.100.8 0.0.0.255 R6(config-router-af)# network 120.1 0.0.0.0.100.100.7.10.45.100.0.0 no auto-summary SW4(config)# ip routing SW4(config)# exit SW4# sh run | beg eigrp router eigrp 1 network 120.3.0.6.255 SW1(config)# ip routing SW1(config)# exit SW1# sh run | beg eigrp router eigrp 1 network 120.0.3.0.0.9.100.255 R5(config-router-af)# network 120.R5(config)# router eigrp CCIE R5(config-router)# address-family ipv4 unicast autonomous-system 1 R5(config-router-af)# network 120.0.

0/24 [90/156160] via 120.46. GigabitEthernet0/1.100. 00:00:10.100.45.100. Hop count isn’t something you would naturally assimilate with EIGRP. If you have configured this correctly. 00:00:10.100. but you can configure the process to ignore routes received with a hop count larger than a configured threshold with the command metric maximum-hops.100.100.6.5.6.46.46 [90/158720] via 120. GigabitEthernet0/1. but this is not permitted. or admin distance manipulation to achieve this.0.3.45 D 120.0 . GigabitEthernet0/1.45.45.45. GigabitEthernet0/1.100.46 [90/30720] via 120.45 120.network post redistribution.6.46. GigabitEthernet0/1.0.0/24 [90/156160] via 120. GigabitEthernet0/1.100.45 R4# show ip route 120. GigabitEthernet0/1.6. you have scored 4 points. 00:00:10.100.46 [90/158720] via 120.100.100.9. 00:00:10. (4 points) A distribute or prefix list would have been the obvious choice here. 16 subnets. 00:00:10. 00:00:10.5.0/8 is variably subnetted. GigabitEthernet0/1.8.6. GigabitEthernet0/1. 00:01:07.45 D 120.6. GigabitEthernet0/1.0. 00:01:07. Do not use any route-filtering ACLs. and perform configuration only on R4.46 D 120.0/24 [90/158720] via 120. 00:00:10.46.5.46. Upon close inspection of the loopback routes within Example 1-17. 2 masks D 120.6. 3 subnets D 150. By configuring the maximum hop count of 1 on R4.100.100.0 [90/30720] via 120. GigabitEthernet0/1.8.46 [90/158720] via 120. 00:00:10.100. GigabitEthernet0/1.0/24 is subnetted.100. you can simply stop the loopback routes from entering the process. 00:00:10.0/24 [90/158720] via 120.5. prefix lists.100.46 [90/158720] via 120.45 D 120.45.100.10.5.7.100.100.45.0/24 [90/158720] via 120.100.5. Example 1-17 EIGRP Maximum-Hops Configuration Click here to view code image R4# show ip route eigrp 150.5.100. you will notice that the routes have a hop count of 2 associated with them. as shown in Example 1-17. 00:00:10.45 D 120.46.0/24 [90/158720] via 120.

100. GigabitEthernet0/1.46.46 R4 will have dual equal-cost routes to VLAN 300 (network 150. GigabitEthernet0/1.6.0/24 [90/156160] via 120. GigabitEthernet0/1. Hops 2 R4(config)# router eigrp CCIE R4(config-router)# address-family ipv4 unicast autonomous-system 1 R4(config-router-af)# topology base R4(config-router-af-topolgy)# metric maximum-hops 1 R4(config-router-af-topology)# do show ip route eigrp 150. You may not policy route.100.0/24 Known via "eigrp 1". 2 masks D 120. distance 90.100.100.100.45.46 [90/30720] via 120.0/24 Known via "eigrp 1".0 [90/30720] via 120.6.0/24 is subnetted. via GigabitEthernet0/1.100. type internal Redistributing via ospf 1.46.6. 00:00:25 ago.6 on GigabitEthernet0/1.46.5.6.6. 00:00:04.100. 00:00:15 ago Routing Descriptor Blocks: * 120.3.0/24 [90/156160] via 120.46.46.5. minimum MTU 1500 bytes Loading 1/255. distance 90.46. Hops 2 R4# show ip route 120.Routing entry for 120. traffic should be sent to R6.9.3. via GigabitEthernet0/1. Should the route from R5 become unavailable. 00:00:15 ago.100. type internal Redistributing via ospf 1. Ensure that R4 sends traffic to this destination network to R5 instead of load sharing.100. metric 158720. traffic share count is 1 Total delay is 5200 microseconds.0.6. traffic share count is 1 Total delay is 5200 microseconds.0. minimum MTU 1500 bytes Loading 1/255. eigrp 1 Advertised by ospf 1 metric 5000 subnets Last update from 120.6 on GigabitEthernet0/1.46.46.0.45. 00:00:04.45 120. GigabitEthernet0/1.100.100. alter the bandwidth or delay statements on R4’s interfaces or use an offset .100.0/8 is variably subnetted. eigrp 1 Advertised by ospf 1 metric 5000 subnets Last update from 120.46. minimum bandwidth is 100000 Kbit Reliability 255/255. 3 subnets D 150.45 D 120.6.100. minimum bandwidth is 100000 Kbit Reliability 255/255.9.46 Route metric is 158720.100.100.5.100.100. 00:00:04. from 120.8.0) from R5 and R6.100. 13 subnets.46 Route metric is 158720. 00:00:25 ago Routing Descriptor Blocks: * 120. 
from 120.46. 00:00:04. metric 158720.0 Routing entry for 120.

5 on GigabitEthernet0/1. by default. 00:25:40 ago Routing Descriptor Blocks: * 120. traffic share count is 1 Total delay is 200 microseconds.3. as shown in Example 1-18. Gigabit 1/0. Hops 1 120. 00:25:40 ago. via GigabitEthernet0/1.45 set metric 2000 10 255 1 1500 route-map CHANGEMETRIC permit 20 set metric 1000 10 255 1 1500 router eigrp CCIE .100.0/24 Known via "eigrp 1". traffic share count is 1 Total delay is 200 microseconds. minimum bandwidth is 100000 Kbit Reliability 252/255. as opposed to just this individual route. In fact.3. from 120.46 Route metric is 30720. (4 points) To receive identical routes your topology.100.45. from 120. so the route is still available but with a different metric. the usual best practice method is to modify the bandwidth or delay on one of the Ethernet interfaces.45. The route map is applied inbound to the process as a distribute list.45.45.46.100.) Example 1-18 EIGRP Metric Manipulation Configuration Click here to view code image R4# sh ip route 150.5. If you have configured this correctly.45.100. (You could have also manipulated the delay within the route map or created a statement for each individual interface as opposed to just Gigabit 1/0.100. metric 30720. Hops 1 R4(config)# route-map R4(config-route-map)# R4(config-route-map)# R4(config-route-map)# R4(config-route-map)# R4(config-route-map)# CHANGEMETRIC permit 10 match interface gigabitEthernet 0/1.46 will. you have scored 4 points.100. Perform your configuration on R4 only. but this is not permitted. minimum bandwidth is 100000 Kbit Reliability 254/255. minimum MTU 1500 bytes Loading 1/255. Example 1-18 also shows that when the interface Gigabit 0/0 is shut down on R5 that the route for VLAN 300 is still received from R6 (R4’s feasible successor). type internal Redistributing via ospf 1. and R6. distance 90. If you want to manipulate this route. via GigabitEthernet0/1. minimum MTU 1500 bytes Loading 1/255.list. you are left with only one method that can be applied on R4. 
00:25:40 ago. Example 1-18 shows the VLAN 300 route (150. have a lower bandwidth assigned to routes received from it from the permit 20 statement in the route map. Your solution should be applied to all routes received from R5 and R6 as opposed to solely the route to network VLAN 300. which will influence all routes from R5 and R6.6.0/24) received on R4 from both R5 and R6 with a metric of 30720.5.100.3. R5.45 Route metric is 30720. eigrp 1 Advertised by ospf 1 metric 5000 subnets Last update from 120.6.45.100. must have identical interface types or bandwidth statements used on R4.0 Routing entry for 150. A route map is required to override the EIGRP-assigned metrics assigned to routes on one interface by manipulating the bandwidth assigned to Gigabit 1/0.46.

5.46. which is the default. The only points you need to consider when redistributing into OSPF are to use the subnets command to ensure classless redistribution and to use default metrics in each protocol.5. with their inherent protection against routing loops. (3 points) A simple redistribution question for the warm-up lab.45. from 120. eigrp 1 Advertised by ospf 1 metric 5000 subnets Last update from 120.45 Route metric is 1282560.100. minimum bandwidth is 2000 Kbit Reliability 255/255. minimum MTU 1500 bytes Loading 1/255. 00:03:10 ago Routing Descriptor Blocks: * 120.100. Hops 1 R5(config)# int gig0/0 R5(config-if)# shutdown R4# sh ip route 150. minimum MTU 1500 bytes Loading 1/255. traffic share count is 1 Total delay is 100 microseconds. 00:03:10 ago.100. distance 90. The fixed cost of 5000 is achieved by advertising redistributed routes into OSPF using a metric type of 2.46. metric 2562560.3: Redistribution Perform mutual redistribution of IGPs on R4.3. All routes should be accessible except for the switch loopback networks (because these should not be visible via R4 from an earlier question).46. eigrp 1 Advertised by ospf 1 metric 5000 subnets Last update from 120.46 Route metric is 2562560.3.45.100. minimum bandwidth is 1000 Kbit Reliability 255/255.0/24 Known via "eigrp 1". 00:00:10 ago Routing Descriptor Blocks: * 120. distance 90.100. so no specific configuration is required for this. Hops 1 Section 2.100. .0/24 Known via "eigrp 1".3.5 on GigabitEthernet0/1. via GigabitEthernet0/1.100.3.6 on GigabitEthernet0/1. metric 1282560.R4(config-router)# address-family ipv4 unicast autonomous-system 1 R4(config-router-af)# topology base R4(config-router-af-topolgy)# distribute-list route-map CHANGEMETRIC in R4(config-router-af-topolgy)# ^Z R4# clear ip route * R4# sh ip route 150.0 Routing entry for 150. via GigabitEthernet0/1.45. 00:00:10 ago. type internal Redistributing via ospf 1. so have no concerns when using protocols such as EIGRP and OSPF.100. 
type internal Redistributing via ospf 1.6. If you have configured this correctly.6.100.0 Routing entry for 150. as shown in Example 1-19.100.46. you have scored 3 points. from 120. you have only a single redistribution point (R4). EIGRP routes redistributed within the OSPF network should remain with a fixed cost of 5000 throughout the network. traffic share count is 1 Total delay is 100 microseconds.45.

100.100.100.100. and generate a system warning when the fourth route is redistributed.0 [170/284416] via 150.3.3. If you have configured this correctly. Example 1-20 R4 Prefix Configuration Click here to view code image .3. 00:01:44.100.100. 00:01:43.6.6.100.3.100. (2 points) You can limit the number of prefixes redistributed into OSPF and generate a warning when the number of prefixes reaches a defined maximum by use of the redistribute maximum-prefix command. Vlan300 D EX 150.3.3.0/24 [170/284416] via 150. Vlan300 D EX 120. 00:00:46. Vlan300 Configure R4 to only redistribute up to five EIGRP routes.2. Vlan300 D EX 120.100. GigabitEthernet 0/0 SW1# show ip route eigrp | include EX D EX 150.3. 00:01:43.100.34.0/24 [170/284416] via 150.100. 00:00:46.6.3. Vlan300 D EX 120.2.0/24 [170/284416] via 150.3.3. 00:01:43.1.3/32 [170/284416] via 150. Vlan300 D EX 120.6. GigabitEthernet0/0 O E2 120.100.6.3.123.6.123. Vlan300 D EX 120.123.1.46.0/24 [170/284416] via 150.0 [170/284416] via 150.6.3. 00:01:43.6. 00:01:43.100. GigabitEthernet 0/0 O E2 120. you must configure a percentage threshold (80 percent). you have scored 2 points. 00:01:43. Do not use any access lists in your solution.100.0/24 [110/5000] via 120.100.0/24 [110/5000] via 120.0/24 [170/284416] via 150.100. 00:01:43. as shown in Example 1-20. 00:01:43.100.100.3.123.6.100.6.100.Example 1-19 R4 Redistribution Configuration and Verification Click here to view code image R4(config-route-map)# router eigrp CCIE R4(config-router)# address-family ipv4 unicast autonomous-system 1 R4(config-router-af)# topology base R4(config-router-af-topology)# redistribute ospf 1 R4(config-router-af-topology)# default-metric 10000 100 255 1 1500 R4(config-router-af-topology)# router ospf 1 R4(config-router)# redistribute eigrp 1 subnets R4(config-router)# default-metric 5000 R1# show ip route ospf | include E2 O E2 150.3. To generate the warning on the fourth route. 00:00:46.25. Vlan300 D EX 120.123.100.100.0/24 [170/284416] via 150. 
Vlan300 D EX 120.0 [110/5000] via 120.100.100.

R4(config)# router ospf 1
R4(config-router)# redistribute maximum-prefix 5 80

Section 3: BGP (14 Points)

Configure iBGP peering as follows: R1-R3, R2-R3, R6-R5, SW1-R6, and SW1-R5. Use minimal configuration and use loopback interfaces for your peering. Configure eBGP peering as follows: R3-R4, R4-R5, R4-R6, and R5-R2. Use minimal configuration and use loopback interfaces for your peering with the exception of R4 to R5. (2 points) Use the autonomous system numbers supplied in Figure 1-7, and follow the peering instructions closely because these are relevant for the following questions.

For your eBGP peering on R3, use the TTL security feature. This feature must be configured only on R3 and not on R4. (2 points)

You can get some easy peering points to begin with, but you’ll have to do a lot of typing to earn them. You must remember to use peer groups to minimize configuration where possible, namely on R3, R6, and Switch 1. You should have noticed that R3 was required to be a route reflector for iBGP peers R1 and R2 in AS10 and that no synchronization is required because the underlying IGP is not redistributed into BGP. Remember to verify your peering with the show ip bgp neighbor command.

The peering becomes complicated when the TTL security feature is enabled by use of the command neighbor 120.100.4.1 ttl-security hops 2 on R3, which will not permit a session from R4 to become established if R4 is more than 2 hops away, which would suggest that the incoming session could be some form of remote attack with spoofed source IP address of the original neighbor. This command is a neat feature that will not permit the peering session if the received neighbor TTL value is less than 253 in this case. Because you are not permitted to configure the same feature on R4, the peering will break, even if you have configured the eBGP multihop feature on R4 with a value of 2. (Of course, this will simply increment the TTL value from a default value of 0.) You need to get the hex value to FD (253 decimal) by configuring the multihop value to 255 on R4, of course, to show R3 that the R4 can only be a maximum of two hops away. Example 1-21 shows a debug on R3 for the eBGP peering. The field highlighted is the Time To Live (TTL) hex value displayed from the hidden command (dump) when performing the debug. If you have configured this correctly, as shown in Example 1-21, you have scored 2 points.

Example 1-21 BGP Peering Configuration

R1# sh run | begin bgp
router bgp 10
 no synchronization
 neighbor 120.100.3.1 remote-as 10
 neighbor 120.100.3.1 update-source Loopback0
 no auto-summary

R2# sh run | begin bgp

..100.3.`..100. 84 SYN 0F400C00: 0F400C10: C20211E0 0F400C20: 0106467E 0F400C30: 9AFD1F8A 0F400C40: 02040218 dst=179.4.1 update-source Loopback0 no auto-summary R4# sh run | begin bgp router bgp 200 no synchronization neighbor 120. ! The TTL from R4 is decremented to 01 Hex = 01 decimal as R4 has ebgpmultihop 2 ! configured and the BGP session will not be established as R3 has the TTL security ! check enabled..E@.45.100.3 .}..3.......1 remote-as 200 neighbor 120.. win=163 C204 07400000 00100800 45C0002C 6A870000 01010101 03030303 A6C400B3 00000000 60024000 F1BB0000 B.@.1.5.100.1 R3(config)# exit R3# debug ip packet 100 detail dump IP packet debugging is on (detailed) (dump) for access list 100 R3# TCP src=42692...`.100.F~.100.3.100.1 remote-as 10 neighbor 120.@. ..1 ebgp-multihop 2 neighbor 120..1 remote-as 300 neighbor 120.. from R3's perspective R4 could be 254 hops away! ! Configure R4 so the TTL value will read 253 decimal (FD hex) by configuring an .3.100.6.100.1 neighbor 120.4.5. seq=2600279946.1 update-source Loopback0 neighbor 120.j.1 peer-group IBGP neighbor 120.100.q.4.100.5 remote-as 300 no auto-summary R3(config)# access-list 100 permit ip host 120.5..100.6..100.100.. B.100.6.3.100.1 ebgp-multihop 2 neighbor 120...1 neighbor 120.. ack=0.router bgp 10 no synchronization neighbor 120.1 ttl-security hops 2 neighbor 120...4.2.1 update-source Loopback0 neighbor 120.100.1 peer-group IBGP neighbor 120..&D..1 host 120.1 no auto-summary remote-as 10 remote-as 300 ebgp-multihop 2 update-source Loopback0 R3# sh run | begin bgp router bgp 10 no synchronization neighbor IBGP peer-group neighbor IBGP remote-as 10 neighbor IBGP update-source Loopback0 neighbor IBGP route-reflector-client neighbor 120.100.1 neighbor 120..

R3# sh ip bgp neighbor | include hops | TTL External BGP neighbor may be up to 2 hops away.1 update-source Loopback0 no auto-summary R6# sh run | beg bgp router bgp 300 no synchronization neighbor IBGP peer-group neighbor IBGP remote-as 300 neighbor IBGP update-source Loopback0 neighbor 120..100..e?R~.(n.3 d. ack=3209854606 C204 07400000 00100800 45C00028 8C9A0000 01010101 03030303 AC4D00B3 BF527E8E 50103F87 13FC0000 B. B.100.100.2.7.1 update-source Loopback0 neighbor 120.. Connection is ECN Disabled.E@.100.100.1 peer-group IBGP neighbor 120....100.100.6 remote-as 200 neighbor 120.@.4.`.100....1 ebgp-multihop 255 R3# TCP src=44109.P. win=16263 ACK 0F7CBB60: 0F7CBB70: C20211E0 0F7CBB80: FD06286E 0F7CBB90: E4028565 0F7CBBA0: dst=179. seq=3925370469.2..3.. }. .5. this shows that R4 ! can not be further than 2 hops away from R3 and the security check passes and BGP ! is established....100.2.1 remote-as 300 neighbor 120.100.6.7.1 remote-as 300 neighbor 120.100.?.7.1 ebgp-multihop 2 neighbor 120.4.1 ebgp-multihop 2 neighbor 120.1 update-source Loopback0 neighbor 120.! ebgp multihop value of 255 (this value will decrement down to 253 when it is ! processed by R3). Minimum incoming TTL 253.1 remote-as 10 neighbor 120. R4(config)# router bgp 200 R4(config)# neighbor 120.1 peer-group IBGP no auto-summary SW1# sh run | begin bgp router bgp 300 ....100.1 remote-as 200 neighbor 120.|.6.. ! Now a hex value of FD (253 Decimal) can be seen at R3 from R4.100.100.(. Outgoing TTL 255 R5# sh run | begin bgp router bgp 300 no synchronization neighbor 120.1 update-source Loopback0 neighbor 120.45.4.M...

Example 1-22 also shows the ICMP debug with the TTL expiration messages. Example 1-22 shows the path taken between R5 and R2 when the serial interface is shut down on R5.100. ensure that the peering between R2 and R5 is not maintained via the Ethernet network.2.100.100. If your ebgp-multihop count is set at 2 between R2 and R5.100.4 .3 R5# *Jan 17 21:32:34.34. which indicate the peering will have failed.1 peer-group IBGP no auto-summary AS200 is to be used as a backup transit network for traffic between AS10 and AS300.3 R5# R2# debug ip icmp ICMP packet debugging is on R2# Jan 17 21:26:11.179: ICMP: time exceeded rcvd from 120. Example 1-22 eBGP TTL Expiration Click here to view code image R5(config)# int s0/0/1 R5(config-if)# shut R5# trace 120.34.2 4 msec * 4 msec R5# debug ip icmp ICMP packet debugging is on R5# *Jan 17 21:32:32.123. even though there is IP connectivity between loopbacks. you just need to ensure that the ebgp-multihop count used in the original peering is set at 2 and no greater.no synchronization neighbor IBGP peer-group neighbor IBGP remote-as 300 neighbor IBGP update-source Loopback0 neighbor 120. the peering is maintained if the serial network between R2 and R5 fails.3 0 msec 4 msec 0 msec 3 120. therefore.1 peer-group IBGP neighbor 120.310: ICMP: time exceeded rcvd from 120.5. you have scored 2 points.34.100.100.34.100.6.100.1 1 120. Do not use any ACL type restrictions or change the existing peering.2. if the serial network between R5 and R2 fails.45. (2 points) As R2 and R5 peer to each other using their loopback interfaces.4 0 msec 0 msec 0 msec 2 120.455: ICMP: time exceeded rcvd from 120.100. To break the peering without using ACLs.1 Type escape sequence to abort.100. Tracing the route to 120.

100.4 Configure a new loopback interface 2 on R2 of 130. table Default-IP-Routing-Table. localpref 100.100. e .200. Therefore.0/24.200.100. Example 1-23 Route Advertisement and no-export Configuration on R2 Click here to view code image R5# sh ip bgp Origin codes: i .1 (metric 65) from 120.200.200. the new network route will flow from AS10 to AS300 via AS200 instead of flowing directly from AS10 to AS300.IGP.200.3.100.0 R2(config-if)# router bgp 10 R2(config-router)# network 130.255. you have scored 3 points.200.306: ICMP: time exceeded rcvd from 120.incomplete Network Next Hop *>i130. (Received from a RR-client) 120.255. (3 points) If the peering between R2 and R5 fails.100. and advertise this into BGP using the network command. Under normal conditions. valid.100. not advertised to EBGP peer) Advertised to update-groups: 2 Local.100.255.100.EGP.R2# Jan 17 21:26:13.100.100. Configure R2 in such a way that if the serial connection between R2 and R5 fails. as shown in Example 1-23.1 Metric LocPrf Weight Path 0 100 0 200 10 i R2(config)# interface Loopback2 R2(config-if)# ip address 130. best Community: no-export .4.0 R2(config)# route-map NO-EXPORT permit 10 R2(config-route-map)# match ip address 5 R2(config-route-map)# set community no-export R2(config-route-map)# route-map NO-EXPORT permit 20 R3# sh ip bgp 130.0/24 120.1/24.1 255.100.255. internal.100. AS300 no longer receives this route. AS200 would still see the route from AS300.1 (130. If you have configured this correctly. You simply need to apply a noexport value to the route as it is advertised on R2 toward R3. best #1.2.1) Origin IGP. this way the route is not advertised to AS200 if a failure occurs. ? .34.1 send-community R2(config-router)# exit R2(config)# access-list 5 permit 130. version 4 Paths: (1 available.200. Do not use any route filtering between neighbors to achieve this.1 BGP routing table entry for 130.100. metric 0.200. 
a simple use of communities can be used to ensure that the route is not exported to AS200.0 R2(config-router)# neighbor 120.3.100.0 mask 255.2.1 route-map NO-EXPORT out R2(config-router)# neighbor 120.

R6 also requires preempt to take control when the priority of R5 decrements.3. R5# Configure HSRP between R5 and R6 on VLAN 300 with R5 active for . one per line.100.100.R5# conf t Enter configuration commands. Configure R5 to achieve this solution.3. it is possible that topics and features such as this will crop up within other sections.100. If you have configured this correctly.1 R5(config-if)# standby 1 preempt R5(config-if)# standby 1 track 2 decrement 20 R6(config)# interface GigabitEthernet0/1 R6(config-if)# standby 1 ip 150. R5 should be the HSRP active under normal conditions.0 255. Similarly. R6 should dynamically become the HSRP active. as shown in Example 1-24.255. R5 hasn’t been configured with a priority in this example because it uses the default value of 100. you are free to use an unallocated IP address. you have scored 4 points. If the network 130.100. but because the IOS section has been removed from the exam. (4 points) The clue is in the question.1/24. You might feel that this is not strictly a BGP question. Example 1-24 shows the configuration and testing steps involved to withdraw the route by shutting down the serial interface on R5 and toggling the HSRP functionality between R5 and R6.255. so this should be configured with the preempt command to reinstate control when the route becomes visible once again post withdrawal.200. all you need to do is track the specific route with the IP SLA object tracking feature and inform the Hot-Standby Router Protocol (HSRP) process whether the Border Gateway Protocol (BGP) route is withdrawn.200. Because the question does not specifically instruct you to configure an exact IP address for your HSRP. so it’s best to be aware of as many features as possible. Example 1-24 IP SLA Tracking and HSRP Configuration on R5 and R6 Click here to view code image R5(config)# track 2 ip route 130. 
R5(config)# int s0/0/1 R5(config-if)# shut R5(config-if)# ^Z R5# show ip bgp End with CNTL/Z.0/24 is no longer visible to AS300.0 reachability R5(config-track)# interface GigabitEthernet0/1 R5(config-if)# standby 1 ip 150.1 R6(config-if)# standby 1 priority 90 R6(config-if)# standby 1 preempt .

0 and from above network 128.ac01 Local virtual MAC address is 0000.0c07. priority 90 (expires in 8.100.0c07.Group 1 State is Active 23 state changes.R5# sh standby gigabitEthernet 0/1 GigabitEthernet0/1 . R3 should be configured to enable only BGP routes originated from R1 up to network 128.1.1 Active virtual MAC address is 0000. priority 90 (expires in 8.1/24. and advertise these into BGP using the network command.3. respectively.472 sec) Priority 100 (default 100) Track object 2 state Up decrement 20 IP redundancy name is "hsrp-Gi0/1-1" (default) R5# R5# conf t R5(config)# int s0/0/1 R5(config-if)# shut R5(config-if)# R5#%BGP-3-NOTIFICATION: sent to neighbor 120.Group 1 State is Standby 25 state changes.3.1. last state change 00:00:10 Virtual IP address is 150.0c07. hold time 10 sec Next hello sent in 0.0.ac01 (v1 default) Hello time 3 sec.0.1 Active virtual MAC address is 0000.100.100. The way to do this is to use an ACL that matches networks up to 128.100. Use only a single ACL on R3 as part of your solution.6.980 sec) Standby router is local Priority 80 (default 100) Track object 2 state Down decrement 20 IP redundancy name is "hsrp-Gi0/1-1" (default) Configure two new loopback interfaces on R1 and R2 of 126.0.0 and permits this through one route map while denying through a separate route .3.0.1 4/0 (hold time expired) 0 bytes R5#%HSRP-6-STATECHANGE: GigabitEthernet0/1 Grp 1 state Active -> Speak R5#%HSRP-6-STATECHANGE: GigabitEthernet0/1 Grp 1 state Speak -> Standby R5# sh standby gigabitEthernet 0/1 GigabitEthernet0/1 .ac01 Local virtual MAC address is 0000.460 secs Preemption enabled Active router is local Standby router is 150. last state change 00:20:11 Virtual IP address is 150.3. hold time 10 sec Next hello sent in 1.1/24 and 130.0. 
(3 points) This is quite an intricate question because you are permitted to use only a single access control list (ACL) to filter the routes on R3.0 originated from R2.880 secs Preemption enabled Active router is 150.ac01 (v1 default) Hello time 3 sec.0.1.100.2.6.1.0c07.

0 R3(config)# access-list 1 permit 0.255.100.0 R2(config)# interface Loopback1 R2(config-if)# ip address 130.0/24 R3# Next Hop 120.255. Further testing is detailed in Example 1-26 to substantiate the filtering process on R3.0/24 *>i130. h history.1.3.EGP.0 mask 255.1. r RIB-failure.255. Example 1-26 shows an interface higher than 128. local router ID is 120.1 255.2.1. S Stale Origin codes: i . If you have configured this correctly.1.1. you have scored 3 points.1.255. e .0 R1(config-if)# router bgp 10 R1(config-router)# network 126.1. R3 simply blocks these from entering BGP.100.100.255.1 route-map UPTO128 in R3(config-router)# neighbor 120. as shown in Example 1-25.IGP.100.1 route-map ABOVE128 in R3# sh ip bgp BGP table version is 8.0 127.255. Example 1-25 Route Map Filtering on R3 Click here to view code image R1(config)# interface Loopback1 R1(config-if)# ip address 126.255.1 120. . ? .1.0 advertised on R1 and one lower advertised on R2.1.0.0.0 R2(config-if)# router bgp 10 R2(config-router)# network 130.2.0.100.1. d damped.incomplete Network *>i126.0 mask 255.100.1. Example 1-26 shows the configuration for the new loopbacks on R1 and R2 and the filtering on R3.200. > best.1 Status codes: s suppressed.2.1.255.1. * valid.100.0/24 *>i130. The route maps should be applied on a per-neighbor basis and both call up the same single ACL.255 R3(config)# route-map UPTO128 permit 10 R3(config-route-map)# match ip add 1 R3(config)# route-map ABOVE128 deny 10 R3(config-route-map)# match ip add 1 R3(config-route-map)# route-map ABOVE128 permit 20 R3(config)# router bgp 10 R3(config-router)# neighbor 120.255.1.1 Metric LocPrf Weight Path 0 100 0 i 0 100 0 i 0 100 0 i Further testing of the filtering requires additional interfaces to be configured and advertised on R1 and R2.1 255.map.0. i internal.255.1 120.

e .1 Status codes: s suppressed.0 Metric LocPrf Weight Path 0 32768 i 0 32768 i Total number of prefixes 2 R3# sh ip bgp BGP table version is 4. h history.255. i internal. * valid.0/24 Next Hop 0.255. r RIB-failure.255. > best.100.1 255.0/24 120.1.1. local router ID is 120.200.0 R1(config-if)# router bgp 10 R1(config-router)# network 132.255.1. ? .1.1. i internal. d damped.100.1.100.3.0.1 255.IGP.0/24 *> 132.incomplete Network Next Hop Path *>i126. final configuration. i - .0 R2(config-if)# router bgp 10 R2(config-router)# network 100.1.100.0. > best.1.0/24 120. S Stale Origin codes: i .1 advertised BGP table version is 5.1. h history.100.Note This additional testing configuration is not present on the supplied. local router ID is 130.255.1. h history.EGP.1. * valid.2.2.100.1.1.1.0.1 advertised BGP table version is 7.1.1.IGP.100.1 *>i130. e .255. * valid.1.1 Metric LocPrf 0 0 0 Weight 100 100 100 0 i 0 i 0 i R2# conf t R2(config)# int Loopback3 R2(config-if)# ip add 100.0 0.1.100.0 mask 255. S Stale Origin codes: i .255. Example 1-26 Route Map Filtering Verification Click here to view code image R1(config)# interface Loopback3 R1(config-if)# ip address 132.0 R2(config-router)# ^Z R2# sh ip bgp neighbor 120.0 mask 255.0/24 120. > best.255.1 *>i130.1 Status codes: s suppressed. d damped.incomplete Network *> 126. d damped. ? .0. r RIB-failure.1.200. local router ID is 126.3.0 R1(config-router)# ^Z R1# sh ip bgp neighbors 120.1 Status codes: s suppressed.3.EGP.

1 Status codes: s suppressed.0.internal.200.1.1 Metric LocPrf Weight 0 0 0 100 100 100 0 i 0 i 0 i Section 4: IPv6 (15 Points) The prerequisite to the questions is configuration of the IPv6 addresses.1.1 *>i130. h history. Example 1-27 shows the required IPv6 configuration to progress to the routing questions.100.0.100.1. local router ID is 120. S Stale Origin codes: i .0.1.IGP.0/24 0.IGP.0.100.0 *> 130. You should test your IPv6 connectivity to ensure that you are ready to progress to the routing questions.100.100.incomplete Network Next Hop Path *>i126.1 *>i130.1.EGP. e .0/24 0. d damped.0.100. S Stale Origin codes: i .200. * valid.2.0 Metric LocPrf Weight 0 0 0 32768 i 32768 i 32768 i Total number of prefixes 3 R3# sh ip bgp BGP table version is 4.0.1. ? .1.1.2. > best.1. Example 1-27 IPv6 Testing and Initial Configuration Click here to view code image R1(config)# ipv6 unicast-routing R1(config)# interface gigabitEthernet 0/1 R1(config-if)# ipv6 address 2007:C15:C0:10::1/64 R1(config-if)# gigabitEthernet 0/0 R1(config-if)# ipv6 address 2007:C15:C0:11::1/64 R2(config)# ipv6 unicast-routing R2(config)# interface fastethernet 0/1 R2(config-if)# ipv6 address 2007:C15:C0:12::2/64 R2(config-if)# interface fastethernet 0/0 R2(config-if)# ipv6 address 2007:C15:C0:11::2/64 R2(config-if)# interface serial 0/1 R2(config-if)# ipv6 address 2007:C15:C0:14::2/64 . r RIB-failure. r RIB-failure.EGP.incomplete Network Next Hop Path *> 100. e .0/24 0.0/24 120.0/24 120. Consider using the show ipv6 interfaces brief command for a quick check of your interface configuration. ? .0 *> 130.0/24 120.3. i internal.

R3(config)# ipv6 unicast-routing
R3(config)# interface gigabitEthernet 0/0
R3(config-if)# ipv6 address 2007:C15:C0:15::3/64
R3(config-if)# interface gigabitEthernet 0/1
R3(config-if)# ipv6 address 2007:C15:C0:11::3/64
R4(config)# ipv6 unicast-routing
R4(config)# interface gigabitEthernet 0/0
R4(config-if)# ipv6 address 2007:C15:C0:15::4/64
R5(config)# ipv6 unicast-routing
R5(config)# interface gigabitEthernet 0/1
R5(config-if)# ipv6 address 2007:C15:C0:16::5/64
R5(config-if)# interface Serial0/0/1
R5(config-if)# ipv6 address 2007:C15:C0:14::5/64
R6(config)# ipv6 unicast-routing
R6(config)# interface gigabitEthernet 0/1
R6(config-if)# ipv6 address 2007:C15:C0:16::6/64

Section 4.1: EIGRPv6
Configure EIGRPv6 under the instance of CCIE with a primary autonomous system of 1.
R1 must not form any neighbor relationship with R2 on VLAN 132 (without the use of any
ACL, static neighbor relationships, or multicast blocking feature). R1 must dynamically
learn a default route over EIGRPv6 via R3 on VLAN 132 in which to communicate with the
IPv6 network. (4 points)
EIGRP configuration is required under an instance of CCIE under the address family IPv6. You
could usually stop routers on the same subnet forming a neighbor relationship by creating some
static mapping or block the multicast and so on, but the question does not permit you to do this.
The clue is in the question stating use a primary autonomous system, which suggests that you can
use an additional autonomous system to provide connectivity between R1 and R3, completely
bypassing R2. Bear in mind that a named instance within EIGRP can run only one autonomous
system, so an additional named instance could be created on R3 to communicate with R1, but the
question dictates that the instance is effectively limited to that of CCIE. This leaves you no other
option but to enable the secondary autonomous system on R3 under the physical interface. R3 can
simply send a default route within the autonomous system to which R1 belongs on VLAN 132,
which R2 will have no visibility of. To ensure full visibility from R1 to R2, you are required to
redistribute EIGRPv6 autonomous systems on R3; however, because R1 will receive a default
route, you do not require mutual redistribution on R3. Although you could simply perform a
one-way redistribution within the protocol, it is better practice to call a route map and just
reference the IPv6 network on R1 for redistribution. If you have configured this correctly, as
shown in Example 1-28, you have scored 4 points.

Example 1-28 EIGRPv6 Configuration and Testing

R1(config)# router eigrp CCIE
R1(config-router)# address-family ipv6 unicast autonomous-system 2
R1(config-router-af)# af-interface GigabitEthernet0/0
R1(config-router-af-interface)# no shutdown
R1(config-router-af-interface)# af-interface GigabitEthernet0/1
R1(config-router-af-interface)# no shutdown
R2(config)# router eigrp CCIE
R2(config-router)# address-family ipv6 unicast autonomous-system 1
R2(config-router-af)# af-interface fastethernet0/1
R2(config-router-af-interface)# no shutdown
R2(config-router-af-interface)# af-interface fastethernet0/0
R2(config-router-af-interface)# no shutdown
R2(config-router-af-interface)# af-interface Serial0/1
R2(config-router-af-interface)# no shutdown
R3(config)# router eigrp CCIE
R3(config-router)# address-family ipv6 unicast autonomous-system 1
R3(config-router-af)# af-interface GigabitEthernet0/0
R3(config-router-af-interface)# no shutdown
R3(config-router-af-interface)# af-interface GigabitEthernet0/1
R3(config-router-af-interface)# no shutdown
R3(config-router-af-interface)# exit
R3(config-router-af)# exit
R3(config-router)# exit
R3(config)# interface GigabitEthernet0/1
R3(config-if)# ipv6 eigrp 2
R3(config-if)# ipv6 summary-address eigrp 2 ::/0
R3(config-if)# router eigrp CCIE
R3(config-router)# address-family ipv6 unicast autonomous-system 1
R3(config-router)# topology base
R3(config-router-topology)# redistribute eigrp 2 route-map EIGRPv6-2-1
R3(config-router-topology)# exit
R3(config-router-af)# exit
R3(config-router)# ipv6 router eigrp 2
R3(config-rtr)# no shut
R3(config-rtr)# exit
R3(config)# route-map EIGRPv6-2-1 permit 10
R3(config-route-map)# match ipv6 address EIGRPv6-2
R3(config-route-map)# route-map EIGRPv6-2-1 deny 20
R3(config-route-map)# exit
R3(config)# ipv6 access-list EIGRPv6-2
R3(config-ipv6-acl)# permit ipv6 2007:C15:C0:10::/64 any

fastethernet0/0 D 2007:C15:C0:15::/64 [90/30720] via FE80::216:47FF:FEBB:1E12.OSPF NSSA ext 1. Null0 D 2007:C15:C0:10::/64 [90/30720] via FE80::214:69FF:FE61:5EF0.ISIS L2.Local.EIGRP external D ::/0 [90/30720] via FE80::216:47FF:FEBB:1E12. IA . GigabitEthernet0/1 D 2007:C15:C0:12::/64 [90/30720] via FE80::215:C6FF:FEF2:ABF1. GigabitEthernet0/1 R4# sh ipv6 route eigrp EX 2007:C15:C0:10::/64 [170/33280] via FE80::216:47FF:FEBB:1E11.RIP.ISIS summary O . B .ISIS interarea.Static.Connected.ISIS L1.Per-user Static route.OSPF NSSA ext 2 D .OSPF inter.R4(config)# router eigrp CCIE R4(config-router)# address-family ipv6 unicast autonomous-system 1 R4(config-router-af)# af-interface GigabitEthernet0/0 R4(config-router-af-interface)# no shutdown R5(config)# router eigrp CCIE R5(config-router)# address-family ipv6 unicast autonomous-system 1 R5(config-router-af)# af-interface Serial0/0/1 R5(config-router-af-interface)# no shutdown R1# sh ipv6 route eigrp IPv6 Routing Table . I2 .BGP U . R .EIGRP.OSPF ext 1.MIPv6 I1 . M . ON2 . OE2 . GigabitEthernet0/0 D 2007:C15:C0:11::/64 [90/30720] via FE80::216:47FF:FEBB:1E11. GigabitEthernet0/0 R5# sh ipv6 route eigrp EX 2007:C15:C0:10::/64 [170/2177536] . IS . GigabitEthernet0/0 D 2007:C15:C0:14::/64 [90/2174976] via FE80::216:47FF:FEBB:1E11.6 entries Codes: C . GigabitEthernet0/0 D 2007:C15:C0:12::/64 [90/33280] via FE80::216:47FF:FEBB:1E11. GigabitEthernet0/0 R2# sh ipv6 route EX 2007:C15:C0:10::/64 [170/33280] via FE80::216:47FF:FEBB:1E12. OI . S . EX .OSPF intra.OSPF ext 2 ON1 . OE1 . fastethernet0/0 R3# sh ipv6 route eigrp D ::/0 [5/28160] via ::. L . GigabitEthernet0/1 D 2007:C15:C0:14::/64 [90/2172416] via FE80::215:C6FF:FEF2:ABF1.

the ipv6 ospf flood-reduction command is required under interface configuration mode.100. you have scored 2 points.D D D via FE80::215:C6FF:FEF2:ABE0. If you have configured this correctly. as shown in Example 1-30.1 ernet0/1 Pri 1 State FULL/DR Dead Time 00:00:30 Interface ID 3 Interface GigabitEth R6# show ipv6 ospf neighbor Neighbor ID 120.1 ernet0/1 Pri 1 State FULL/BDR Dead Time 00:00:39 Interface ID 3 Interface GigabitEth The IPv6 network is deemed to be stable.6. (2 points). . Serial0/0/1 Section 4. Serial0/0/1 2007:C15:C0:12::/64 [90/2172416] via FE80::215:C6FF:FEF2:ABE0. If you have configured this correctly. with all OSPF interfaces assigned to Area 0. therefore. Serial0/0/1 2007:C15:C0:15::/64 [90/2174976] via FE80::215:C6FF:FEF2:ABE0. you have scored 2 points. as shown in Example 1-29. reduce the number of LSAs flooded within the OSPF domain.100.5. (2 points) To suppress the unnecessary flooding of link-state advertisements in stable topologies. This is a clear-cut OSPFv3 configuration. Serial0/0/1 2007:C15:C0:11::/64 [90/2172416] via FE80::215:C6FF:FEF2:ABE0.2: OSPFv3 Configure OSPFv3 with a process ID of 1. Example 1-29 R5 and R6 OSPFv3 Configuration Click here to view code image R5(config)# interface gigabitEthernet 0/1 R5(config-if)# ipv6 ospf 1 area 0 R6(config)# interface gigabitEthernet 0/1 R6(config-if)# ipv6 ospf 1 area 0 R5# show ipv6 ospf neighbor Neighbor ID 120.

(1 point) As per vanilla OSPF. Example 1-31 R5 OSPFv3 Redistribution Configuration Click here to view code image R5(config)# ipv6 router ospf 1 R5(config-router)# redistribute eigrp 1 metric 5000 R6# sh ipv6 route ospf IPv6 Routing Table . OE2 . I2 .3: Redistribution Redistribute EIGRPv6 routes into the OSPFv3 demand (one way). GigabitEthernet0/1 OE2 2007:C15:C0:13::/64 [110/5000] via FE80::214:6AFF:FEFC:F131. OE1 . GigabitEthernet0/1 OE2 2007:C15:C0:11::/64 [110/5000] via FE80::214:6AFF:FEFC:F131. IS . R .BGP U . S .10 entries Codes: C .OSPF ext 2 ON1 . ON2 . so a simple redistribution configuration with a default metric of 5000 on R5 is required.Local.OSPF intra.Static.ISIS summary O .ISIS L2.EIGRP external OE2 2007:C15:C0:10::/64 [110/5000] via FE80::214:6AFF:FEFC:F131. you have scored 1 point. If you have configured this correctly.OSPF inter.Connected. the default behavior for OSPFv3 is for redistributed routes to be advertised with a fixed cost as type 2 external routes. B . L . GigabitEthernet0/1 . Example 1-31 shows the required configuration and routing table on R6 for the redistributed EIGRPv6 routes. OI . EX .ISIS L1.OSPF NSSA ext 1.OSPF ext 1. EIGRPv6 routes should have a fixed cost of 5000 associated with them within the OSPF network.Example 1-30 R5 and R6 Flood-Reduction Configuration Click here to view code image R5(config)# interface gigabitEthernet 0/1 R5(config-if)# ipv6 ospf flood-reduction R6(config)# interface gigabitEthernet 0/1 R6(config-if)# ipv6 ospf flood-reduction Section 4. IA .OSPF NSSA ext 2 D .Per-user Static route I1 .EIGRP. as shown in Example 1-31. Pay attention to ensure that you have full route visibility. GigabitEthernet0/1 OE2 2007:C15:C0:12::/64 [110/5000] via FE80::214:6AFF:FEFC:F131. because the serial network on R5 (2007:C15:C0:14::/64) will not be present within the OSPFv3 domain unless R5 specifically redistributes its own connected interfaces.RIP.ISIS interarea.

ISIS interarea.Per-user Static route I1 . as shown in Example 1-32. Configure R5 only to achieve this. R . 100-byte ICMP Echos to 2007:C15:C0:16::5. GigabitEthernet0/1 Ensure that the OSPF3 network is reachable from the EIGRPv6 network by a single route of 2007::/16. you have scored 2 points. you are required to configure an IPv6 summary route into the EIGRPv6 domain on R5 to provide full connectivity from the EIGRPv6 domain into OSPFv3. OE1 .EIGRP external OE2 2007:C15:C0:14::/64 [110/5000] via FE80::214:6AFF:FEFC:F131. timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5).ISIS L1.Static.ISIS summary O . OI . The OSPF domain should continue to receive specific EIGRPv6 subnets. Example 1-32 R5 EIGRPv6 Summary Configuration and Connectivity Testing Click here to view code image R5(config)# router eigrp CCIE R5(config-router)# address-family ipv6 unicast autonomous-system 1 R5(config-router-af)# af-interface Serial0/0/1 R5(config-router-af-interface)# summary-address 2007::/16 R3# sh ipv6 route | include /16 D 2007::/16 [90/2684416] R3# ping ipv6 2007:C15:C0:16::5 Type escape sequence to abort. S . ON2 . B .10 entries Codes: C .BGP U .OSPF ext 1.OSPF NSSA ext 2 D . I2 . which should be seen within the EIGRPv6 domain.OSPF ext 2 ON1 . EX . Sending 5. If you have configured this correctly.OSPF intra.RIP.OSPF inter. IS . OE2 . (2 points) Because you are not mutually redistributing protocols. L .OSPF NSSA ext 1. round-trip min/avg/max = 12/12/16 ms R3# ping ipv6 2007:C15:C0:16::6 . IA .EIGRP.ISIS L2. GigabitEthernet0/1 R5(config)# ipv6 router ospf 1 R5(config-rtr)# redistribute eigrp 1 metric 5000 include-connected R6# show ipv6 route 2007:C15:C0:14:: IPv6 Routing Table .Local.Connected.OE2 2007:C15:C0:15::/64 [110/5000] via FE80::214:6AFF:FEFC:F131.

If you have configured this correctly.100. Do not enable EIGRPv6 on the VLAN 45 interfaces of R4 and R5. and it would then create additional problems in terms of redistribution points. configure R4 and R5 to achieve this.Type escape sequence to abort. Sending 5. Example 1-33 R4 and R5 Tunnel Configuration and Verification Click here to view code image R4(config)# interface Tunnel0 R4(config-if)# ipv6 address 2007:C15:C0:17::4/64 R4(config-if)# tunnel source GigabitEthernet0/1. If you cannot enable EIGRPv6 on the VLAN 45 interfaces. R5 is still required to advertise the summary route to the EIGRPv6 network through the tunnel for reachability of the OSPFv3 network.45.45. instead.5 R4(config-if)# tunnel mode ipv6ip R4(config-if)# router eigrp CCIE R4(config-router)# address-family ipv6 unicast autonomous-system 1 R4(config-router-af)# af-interface Tunnel0 R4(config-router-af-interface)# no shutdown R5(config)# interface Tunnel0 R5(config-if)# ipv6 address 2007:C15:C0:17::5/64 R5(config-if)# ipv6 eigrp 1 R5(config-if)# tunnel source GigabitEthernet0/0 R5(config-if)# tunnel destination 120. as shown in Example 1-33.4 R5(config-if)# tunnel mode ipv6ip R5(config-if)# router eigrp CCIE R5(config-router)# address-family ipv6 unicast autonomous-system 1 R5(config-router-af)# af-interface Tunnel0 R5(config-router-af-interface)# no shutdown R5(config-router-af-interface)# summary-address 2007::/16 R5# sh ipv6 route eigrp D 2007::/16 [5/2169856] via ::. and this should be considered as an alternative path only if a failure occurs. but you have not been given sufficient information to do this. You might have considered enabling OSPFv3 between routers. 100-byte ICMP Echos to 2007:C15:C0:16::6. Example 1-34 shows the required configuration to tunnel IPv6 through IPv4 on R4 and R5. you have scored 3 points. timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5). all you can do is create a tunnel between the devices.100. Null0 . 
round-trip min/avg/max = 12/15/16 ms Ensure that if the serial link fails between the OSPF and EIGRPv6 domain that routing is still possible between R5 and R4 over VLAN 45.45 R4(config-if)# tunnel destination 120. (3 points) R4 and R5 both belong to the EIGRPv6 domain.

Tunnel0 Section 5: QoS (8 Points) You are required to configure QoS on Switch 1 according to the Cisco QoS baseline model. This traffic could be a combination of any of the preceding DSCP values with any source/destination combination. One way to mitigate an attack is to create a Scavenger class that simply re-marks traffic DSCP values when the threshold has been exceeded. To answer the question. Ensure a minimum burst value is configured above the 5 Mbps. If traffic rates increase above this threshold. 34. Tunnel0 D 2007:C15:C0:11::/64 [90/297249536] via FE80::7864:2D04. Serial0/1/0 2007:C15:C0:12::/64 [90/2172416] via FE80::215:C6FF:FEF2:ABE0. It is acknowledged within the industry that a user port rarely generates more than 5 Mbps of traffic on a standard Fast Ethernet connection. Packets received from the user ports with DSCP values of 48. Serial0/1/0 2007:C15:C0:15::/64 [90/2174976] via FE80::215:C6FF:FEF2:ABE0. 32. Note that all DSCP baseline values are being remapped with the exception of DSCP26. Tunnel0 D 2007:C15:C0:12::/64 [90/297252096] via FE80::7864:2D04. Serial0/1/0 R5(config)# int s0/1/0 R5(config-if)# shut R5(config-if)# do sh ipv6 route eigrp D 2007::/16 [5/297244416] via ::. When the minimum burst rate is exceeded. Tunnel0 D 2007:C15:C0:15::/64 [90/297246976] via FE80::7864:2D04. 28. Null0 EX 2007:C15:C0:10::/64 [170/297252096] via FE80::7864:2D04. All ports should trust the DSCP values received from their connecting devices.EX D D D 2007:C15:C0:10::/64 [170/2177536] via FE80::215:C6FF:FEF2:ABE0. 46. which is generally reserved for mission- . 2. the DSCP values will be remapped according to the policed-dscp map to Scavenger class CS1 (DSCP8). it could be indicative of a denial-of-service (DoS) or Worm attack. 
you are required to create a Modular QoS policy that trusts the incoming differentiated services code point (DSCP) value received from the host within the policy rather than by configuring the trust value on a per-interface basis and by policing traffic at a rate of 5 Mbps. Create a Modular QoS configuration for all user ports (Fast Ethernet 1–24) that facilitates the following requirements (3 points): 1. 24. This will not block traffic but will ensure that mission-critical traffic remains unaffected from an attack by trusting the DSCP value for known traffic and re-marking unknown application traffic down to CS1. 16. Serial0/1/0 2007:C15:C0:11::/64 [90/2172416] via FE80::215:C6FF:FEF2:ABE0. and 10 should be re-marked to DSCP 8 (PHB CS1) if traffic flowing occurs above 5 Mbps on a per-port basis.

as shown in Example 1-34. For traffic matching this classification. Example 1-34 Switch 1 QoS Configuration and Verification Click here to view code image SW1(config)# mls qos SW1(config)# mls qos map policed-dscp 48 46 34 32 24 28 16 10 to 8 SW1(config)# access-list 1 permit any SW1(config)# class-map POLICE SW1(config-cmap)# match access-group 1 SW1(config-cmap)# exit SW1(config)# policy-map RE-MARK SW1(config-pmap)# class POLICE SW1(config-pmap-c)# trust dscp SW1(config-pmap-c)# police 5000000 8000 exceed-action policed-dscptransmit SW1(config-pmap-c)# exit SW1(config-pmap)# exit SW1(config)# interface range fastethernet 0/1-24 SW1(config-if-range)# service-policy input RE-MARK SW1# show policy-map RE-MARK Policy Map RE-MARK Class POLICE police 5000000 8000 exceed-action policed-dscp-transmit trust dscp Switch 1 will be connected to a new trusted domain in the future using interface Gigabit 0/1. This approach enables traffic associated with this value to remain unchanged even when traffic rates exceed 5 Mbps. For the mutation map to function correctly. If you have configured this correctly. This approach also assumes that the virus does not itself remark traffic to this value to increase its chances of causing damage.critical data. The question requires you to configure a standard IP ACL that permits any traffic. you have scored 3 points. If you have configured this correctly. A DSCP value received locally on SW1 of AF43 should be mapped to AF42 when destined for the new domain. the DSCP value in the incoming packet is trusted. its DSCP is marked down according to the policed DSCP map values and transmitted. If the matched traffic exceeds an average traffic rate of 5 Mbps and a normal burst size of 8000 bytes. (2 points) This requires a DSCP mutation map to convert DSCP values between environments. If you did not realize that AF43 is DSCP38 and AF42 is DSCP36. However. 
the exclusion of DSCP26 is not relevant to the configuration and methodology you use to answer the question. you would struggle to answer this question. you have scored 2 points. you need to explicitly trust DSCP values received on the interface on which you are configuring the map. . but a search of your documentation CD should have assisted you. as shown in Example 1-35.

Example 1-35 Switch 1 DSCP-mutation Map Configuration

SW1(config)# mls qos map dscp-mutation AF43-TO-AF42 38 to 36
SW1(config)# interface Gig0/1
SW1(config-if)# mls qos trust dscp
SW1(config-if)# mls qos dscp-mutation AF43-TO-AF42

Configure Cisco Modular QoS as follows on R2 for the following traffic types based on
their associated per-hop behavior into classes. Incorporate these into an overall policy
that should be applied to the T1 interface S0/1. Allow each class the effective bandwidth
as detailed. (2 points)
You have 2 points available here, so you know it’s either going to be complex or involve a great
deal of configuration. This one is a bit of both, so there is a risk of configuration errors for those
points to slip away. There is also some math involved because the policy-map command requires
a percentage value of bandwidth as opposed to actual speed. Because you are using a T1
interface, you know that the maximum available bandwidth is 1544 Kbps, so the values required
are as follows: 1% = 15 Kbps, 3% = 46 Kbps, 14% = 216 Kbps, 16% = 247 Kbps, 25% = 386 Kbps.
A class map to match all values for the provided classes is required that is then associated with
the policy map. The overall policy is then applied to the outgoing interface Serial0/1, and a nice
little gotcha is that you must configure the interface with the command max-reserved-bandwidth
100, entered as a percentage; otherwise, the full bandwidth is not made available for the policy.
Usually you would assign voice traffic into a real-time queue (low-latency queuing [LLQ]), but
the question doesn’t dictate this, so effectively all traffic types are being assigned with different
proportions of class-based weighted fair queuing (CBWFQ). If you have configured this
correctly, as shown in Example 1-36, you have scored 2 points.

Example 1-36 Switch1 Modular QoS Configuration

R2# sh run class-map
!
class-map match-all VOIP
 match ip dscp ef
class-map match-all BULK-DATA
 match ip dscp af11
class-map match-all NET-MAN
 match ip dscp cs2
class-map match-all VIDEO
 match ip dscp af41
class-map match-all ROUTING
 match ip dscp cs6
class-map match-all SCAVENGER
 match ip dscp cs1
class-map match-all TRANS-DATA
 match ip dscp af21
class-map match-all MISSION-CRIT
 match ip dscp af31
class-map match-all CALL-SIG
 match ip dscp cs3
!
end
R2# sh run policy-map
!
policy-map QOS
 class VOIP
  bandwidth percent 16
 class VIDEO
  bandwidth percent 16
 class BULK-DATA
  bandwidth percent 3
  random-detect
 class TRANS-DATA
  bandwidth percent 14
 class NET-MAN
  bandwidth percent 3
 class ROUTING
  bandwidth percent 3
 class SCAVENGER
  bandwidth percent 1
 class MISSION-CRIT
  bandwidth percent 16
 class CALL-SIG
  bandwidth percent 3
 class class-default
  bandwidth percent 25
!
end
R2# sh run int s0/1 | begin max-reserved-bandwidth 100
 max-reserved-bandwidth 100
 service-policy output QOS
end
R2# show policy-map QOS
 Policy Map QOS
  Class VOIP
   Bandwidth 16 (%) Max Threshold 64 (packets)
  Class VIDEO
   Bandwidth 16 (%) Max Threshold 64 (packets)
  Class BULK-DATA
   Bandwidth 3 (%)
   exponential weight 9
   class    min-threshold    max-threshold    mark-probability
   -------------------------------------------------------
   0        -                -                1/10
   1        -                -                1/10
   2        -                -                1/10
   3        -                -                1/10
   4        -                -                1/10
   5        -                -                1/10
   6        -                -                1/10
   7        -                -                1/10
   rsvp     -                -                1/10
  Class TRANS-DATA
   Bandwidth 14 (%) Max Threshold 64 (packets)
  Class NET-MAN
   Bandwidth 3 (%) Max Threshold 64 (packets)
  Class ROUTING
   Bandwidth 3 (%) Max Threshold 64 (packets)
  Class SCAVENGER
   Bandwidth 1 (%) Max Threshold 64 (packets)
  Class MISSION-CRIT
   Bandwidth 16 (%)
   exponential weight 9
   class    min-threshold    max-threshold    mark-probability
   -------------------------------------------------------
   0        -                -                1/10
   1        -                -                1/10
   2        -                -                1/10
   3        -                -                1/10
   4        -                -                1/10
   5        -                -                1/10
   6        -                -                1/10
   7        -                -                1/10
   rsvp     -                -                1/10
  Class CALL-SIG
   Bandwidth 3 (%) Max Threshold 64 (packets)
  Class class-default
   Bandwidth 25 (%)
   exponential weight 9
   class    min-threshold    max-threshold    mark-probability
   -------------------------------------------------------
   0        -                -                1/10
   1        -                -                1/10
   2        -                -                1/10
   3        -                -                1/10
   4        -                -                1/10
   5        -                -                1/10
   6        -                -                1/10
   7        -                -                1/10
   rsvp     -                -                1/10

Configure R2 so that traffic can be monitored on the serial network with a view to a
dynamic policy being generated in the future that trusts the DSCP value of traffic
identified on this media. (1 point)
This is a simple question that requires the command auto discovery qos trust to be configured
under the serial interface of R2. This command uses NBAR to inspect the application traffic that
flows through the router with a view to generating a QoS policy based on the traffic flow profile.
The keyword trust in the command ensures that the DSCP value of the traffic monitored on the
network is trusted. If you have configured this correctly, you have scored 1 point.

Section 6: Security (6 Points)
Configure R3 to identify and discard the following custom virus. The virus is
characterized by the ASCII characters Hastings_Beer within the payload and uses UDP
ports 11664 to 11666. The ID of the virus begins on the third character of the payload.
The virus originated on VLAN 34. (4 points)
This fictitious virus requires the use of Network-Based Application Recognition (NBAR) with
Packet Description Language Module (PDLM) to inspect a packet payload to identify the virus
based on the information supplied within the question. Because the virus ID begins on the
third ASCII character of the payload, you need to inform the custom NBAR list to ignore the first
two characters, which ensures that it will begin to check at the third character. If you have
configured this correctly, as shown in Example 1-37, you have scored 3 points. You can use the
show policy-map command to verify your configuration.

Example 1-37 R3 NBAR Configuration

R3(config)# ip nbar custom Hastings_Beer 2 ascii Hastings_Beer udp range 11664 11666
R3(config)# class-map match-all VIRUS
R3(config-cmap)# match protocol Hastings_Beer
R3(config-cmap)# policy-map BLOCK-VIRUS
R3(config-pmap)# class VIRUS
R3(config-pmap-c)# drop
R3(config-pmap-c)# interface gigabit0/0
R3(config-if)# service-policy input BLOCK-VIRUS
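
The classification that the custom NBAR entry in Example 1-37 expresses (payload offset 2, ASCII string, UDP port range) can be checked offline against sample packets. The following Python sketch is an added example, not code from the lab or from Cisco. It assumes that a port in range on either the source or the destination side counts as a match, and its sample packets are constructed, using addresses from 198.51.100.0/24.

```python
import struct

SIGNATURE = b"Hastings_Beer"        # ASCII string given in the question
OFFSET = 2                          # ignore two payload bytes, compare from the third
UDP_PORTS = range(11664, 11667)     # 11664 to 11666 inclusive
IPPROTO_UDP = 17


def build_udp_packet(src_port, dst_port, payload):
    """Build a minimal IPv4/UDP packet (constructed test input, checksums left at 0)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64,
                     IPPROTO_UDP, 0,
                     bytes([198, 51, 100, 10]), bytes([198, 51, 100, 20]))
    return ip + udp


def matches_signature(packet):
    """Return True when the packet fits the custom signature described above."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False                                  # not IPv4
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != IPPROTO_UDP or len(packet) < ihl + 8:
        return False                                  # not UDP or header cut short
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return False                                  # later fragment: no UDP header
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    # Assumption: a port in range on either side satisfies the port condition.
    if src_port not in UDP_PORTS and dst_port not in UDP_PORTS:
        return False
    payload = packet[ihl + 8:ihl + udp_len]
    # The string must sit exactly at the offset; a short payload cannot match.
    return payload[OFFSET:OFFSET + len(SIGNATURE)] == SIGNATURE


# Constructed samples covering the match and the near misses.
SAMPLES = {
    "id at third byte": build_udp_packet(40000, 11665, b"\x01\x02Hastings_Beer\x00"),
    "id at first byte": build_udp_packet(40000, 11665, b"Hastings_Beer"),
    "port out of range": build_udp_packet(40000, 11667, b"\x01\x02Hastings_Beer"),
    "truncated id": build_udp_packet(40000, 11664, b"\x01\x02Hastings_"),
}


def classify_samples():
    """Map each sample name to the action policy BLOCK-VIRUS would take."""
    return {name: "drop" if matches_signature(pkt) else "forward"
            for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, action in classify_samples().items():
        print(f"{name:18} {action}")
```
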

There is an infected host on VLAN 200 of 150.100.2.100. Ensure that only within BGP
AS10, traffic destined for this host is directed to null0 of each local router. You may not
use any ACLs to block traffic to this host specifically, but you may use a static route
pointing to null0 for traffic destined to 192.0.2.0 /24 on routers within AS10. R2 may
have an additional static route pointing to null0. Use a BGP feature on R2 to ensure traffic
to this source is blocked. Prevent unnecessary replies when traffic is passed to the null0
interface for users residing on VLAN 100. (4 points)
This question is representative of black-hole routing. This is an effective method of discarding
packets being sent to a known destination. This approach to discarding traffic is efficient because
it enables the edge routers to route traffic rather than use ACLs, and it can be deployed
dynamically by making use of the next-hop field within BGP updates. You are permitted to
create a static route on routers R1, R2, and R3 in AS10 for network 192.0.2.0/24 to null0 and one
additional route on R2. This route would need to be directing traffic to the infected host to null0,
to update routers R1 and R3. R2 simply advertises the host route for the infected host to AS10
and sets the next hop for this to 192.0.2.1. Routers R1 and R3 then direct traffic to null0 when
traffic is destined to the infected host. To ensure that the solution is used only in AS10, you must
set the community to no-export for the specific static route and tag the route with a value of 10
to identify it. You must therefore send the community values to neighbor R3 on R2, but this
should have been completed previously for an earlier BGP question. Use of the no ip unreachables
command on R1’s Gigabit Ethernet interface prevents unnecessary replies when traffic is passed
to the null0 interface. If you have configured this correctly, as shown in Example 1-38, you have
scored 3 points.
Example 1-38 BGP Black-Hole Routing Configuration and Verification

R2(config)# ip route 192.0.2.1 255.255.255.255 null0
R2(config)# ip route 150.100.2.100 255.255.255.255 Null0 Tag 10
R2(config)# router bgp 10
R2(config-router)# redistribute static route-map BLACKHOLE

R2(config-router)# route-map BLACKHOLE permit 10
R2(config-route-map)# match tag 10
R2(config-route-map)# set ip next-hop 192.0.2.1
R2(config-route-map)# set community no-export
R2(config-route-map)# exit
R2(config)# do show ip bgp neigh 120.100.3.1 advertised
BGP table version is 6, local router ID is 130.100.200.1
Status codes: s suppressed, d damped, h history, * valid, > best, i internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network            Next Hop        Metric LocPrf Weight Path
*> 130.1.1.0/24       0.0.0.0              0         32768 i
*> 130.100.200.0/24   0.0.0.0              0         32768 i
*> 150.100.2.100/32   192.0.2.1            0         32768 i
Total number of prefixes 3
R2# show ip route 150.100.2.100
Routing entry for 150.100.2.100/32
Known via "static", distance 1, metric 0 (connected)
Tag 10
Redistributing via bgp 10
Advertised by bgp 10 route-map BLACKHOLE
Routing Descriptor Blocks:
* directly connected, via Null0
Route metric is 0, traffic share count is 1
Route tag 10
R3(config)# ip route 192.0.2.1 255.255.255.255 null0
R3(config)# do show ip bgp
BGP table version is 14, local router ID is 120.100.3.1
Status codes: s suppressed, d damped, h history, * valid, > best, i internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network            Next Hop        Metric LocPrf Weight Path
*>i126.1.1.0/24       120.100.1.1          0    100      0 i
*>i130.1.1.0/24       120.100.2.1          0    100      0 i
*>i130.100.200.0/24   120.100.2.1          0    100      0 i
* i150.100.2.100/32   192.0.2.1            0    100      0 i
R1(config)# ip route 192.0.2.1 255.255.255.255 null0
R1(config)# interface Gigabit0/1
R1(config-if)# no ip unreachables
R1(config-if)# do show ip bgp
BGP table version is 8, local router ID is 126.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network            Next Hop        Metric LocPrf Weight Path
*> 126.1.1.0/24       0.0.0.0              0         32768 i
*>i130.1.1.0/24       120.100.2.1          0    100      0 i
*>i130.100.200.0/24   120.100.2.1          0    100      0 i
* i150.100.2.100/32   192.0.2.1            0    100      0 i

R1# show ip route 150.100.2.100
Routing entry for 150.100.2.100/32
Known via "bgp 10", distance 200, metric 0, type internal
Last update from 192.0.2.1 00:00:02 ago
Routing Descriptor Blocks:
* 192.0.2.1, from 120.100.3.1, 00:00:02 ago
Route metric is 0, traffic share count is 1
AS Hops 0
R1# show ip route 192.0.2.1
Routing entry for 192.0.2.1/32
Known via "static", distance 1, metric 0 (connected)
Routing Descriptor Blocks:
* directly connected, via Null0
Route metric is 0, traffic share count is 1
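
The mechanics of Example 1-38 are a route-map that exports only the tagged static route, the no-export community that keeps it inside AS10, and a recursive next-hop lookup that ends at Null0. The following Python model traces those steps; it is an added example, not part of the lab solution. The 150.100.2.0/24 and 120.100.2.0/24 entries in R1's table are constructed stand-ins for R1's normal path towards VLAN 200; all other prefixes come from the example.

```python
import ipaddress

NULL0 = "Null0"
TRIGGER_NEXT_HOP = "192.0.2.1"      # next hop set by route-map BLACKHOLE on R2


def net(prefix):
    return ipaddress.ip_network(prefix)


def route_map_blackhole(static_routes):
    """Model 'redistribute static route-map BLACKHOLE': only tag 10 is permitted."""
    exported = []
    for route in static_routes:
        if route.get("tag") == 10:                    # match tag 10
            exported.append({"prefix": route["prefix"],
                             "next_hop": TRIGGER_NEXT_HOP,     # set ip next-hop
                             "communities": {"no-export"}})    # set community
    return exported                                   # untagged statics: implicit deny


def may_advertise(route, session):
    """no-export keeps the route inside the local AS: sent over iBGP, not eBGP."""
    return not (session == "ebgp" and "no-export" in route["communities"])


def lookup(rib, address):
    """Longest-prefix match over a list of route dicts."""
    addr = ipaddress.ip_address(address)
    best = None
    for route in rib:
        if addr in route["prefix"] and (
                best is None or route["prefix"].prefixlen > best["prefix"].prefixlen):
            best = route
    return best


def resolve(rib, destination, max_depth=8):
    """Follow recursive next hops until an exit interface is found."""
    path, target = [], destination
    for _ in range(max_depth):
        route = lookup(rib, target)
        if route is None:
            return "unroutable", path
        path.append(str(route["prefix"]))
        if "interface" in route:
            return ("discard" if route["interface"] == NULL0 else "forward"), path
        target = route["next_hop"]
    return "unresolved", path


# R2's static routes from Example 1-38.
R2_STATIC = [
    {"prefix": net("192.0.2.1/32"), "interface": NULL0},
    {"prefix": net("150.100.2.100/32"), "interface": NULL0, "tag": 10},
]

# R1 before the trigger route arrives.
R1_RIB = [
    {"prefix": net("192.0.2.1/32"), "interface": NULL0},                   # from the page
    {"prefix": net("150.100.2.0/24"), "next_hop": "120.100.2.1"},          # constructed
    {"prefix": net("120.100.2.0/24"), "interface": "GigabitEthernet0/0"},  # constructed
]


def r1_rib_after_trigger():
    """R1's table once R2's tagged route has been received over iBGP."""
    learned = [r for r in route_map_blackhole(R2_STATIC) if may_advertise(r, "ibgp")]
    return R1_RIB + learned


if __name__ == "__main__":
    print("before:", resolve(R1_RIB, "150.100.2.100"))
    print("after: ", resolve(r1_rib_after_trigger(), "150.100.2.100"))
    print("other host on VLAN 200:", resolve(r1_rib_after_trigger(), "150.100.2.101"))
```

Only the /32 is diverted: the neighbouring host still resolves through the normal path, which is why the trigger route is a host route rather than the VLAN 200 subnet.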

To protect the control plane on router R6, configure CoPP so that IP packets with a TTL of
0 or 1 are dropped rather than processed, with a resulting ICMP redirect sent to the
source. (1 point)
Cisco IOS Software sends all packets with a TTL of 0 or 1 to the process level to be processed.
The device must then send an ICMP TTL expire message to the source. By filtering packets that
have a TTL of 0 and 1, you can reduce the load on the process level. The control plane policing
simply blocks packets with a TTL value of 0 and 1 as directed, but this will break your EIGRP
and BGP peering. So, you must specifically permit these packets within your ACL; otherwise,
you would have just lost valuable points. If you found yourself running short on time and
couldn’t justify further time to investigate how to maintain your routing peering, remember that
this is a 1-point question, worth leaving and coming back to, if possible. If you have configured
this correctly, as shown in Example 1-39, you have scored 1 point.
Example 1-39 CoPP Configuration

R6(config)# ip access-list extended TTL
R6(config-ext-nacl)# deny eigrp any any
R6(config-ext-nacl)# deny tcp any any eq bgp
R6(config-ext-nacl)# deny tcp any eq bgp any
R6(config-ext-nacl)# permit ip any any ttl eq 0 1
R6(config-ext-nacl)# class-map DROP-TTL-0/1
R6(config-cmap)# match access-group name TTL
R6(config-cmap)# policy-map CoPP-TTL
R6(config-pmap)# class DROP-TTL-0/1
R6(config-pmap-c)# drop
R6(config-pmap-c)# control-plane
R6(config-cp)# service-policy input CoPP-TTL
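
The following Python model is an added illustration, not code from the lab or from Cisco. It evaluates the ACL TTL from Example 1-39 top-down, first match wins, and treats an ACL permit as membership of the class that the policy drops. The packets are constructed, ACL_NO_EXEMPTIONS is a hypothetical variant without the three deny lines, and the OSPF packet goes beyond the lab's EIGRP and BGP case to show that any other protocol arriving with a TTL of 1 also lands in the drop class.

```python
"""Model of Example 1-39: first-match ACL evaluation feeding a CoPP drop class."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# IP protocol numbers and the BGP TCP port referenced by the ACL entries.
TCP, UDP, EIGRP, OSPF = 6, 17, 88, 89
BGP = 179
LOW_TTL = frozenset({0, 1})  # models "ttl eq 0 1"


@dataclass(frozen=True)
class Packet:
    desc: str
    proto: int
    ttl: int
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One access-list entry; a field left as None matches anything."""
    action: str                           # "permit" or "deny"
    proto: Optional[int] = None           # None models the keyword "ip"
    sport: Optional[int] = None
    dport: Optional[int] = None
    ttls: Optional[FrozenSet[int]] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport)
                and (self.ttls is None or p.ttl in self.ttls))


# ACL "TTL" in the same order as Example 1-39.
ACL_TTL: List[Ace] = [
    Ace("deny", proto=EIGRP),             # deny eigrp any any
    Ace("deny", proto=TCP, dport=BGP),    # deny tcp any any eq bgp
    Ace("deny", proto=TCP, sport=BGP),    # deny tcp any eq bgp any
    Ace("permit", ttls=LOW_TTL),          # permit ip any any ttl eq 0 1
]

# Hypothetical variant (assumption): the TTL match alone, no exemptions.
ACL_NO_EXEMPTIONS: List[Ace] = [Ace("permit", ttls=LOW_TTL)]

# Constructed packets; TTL values are chosen to exercise the policy,
# they are not captured from a router.
SAMPLE: List[Packet] = [
    Packet("bgp-to-179", TCP, 1, sport=40000, dport=BGP),
    Packet("bgp-from-179", TCP, 1, sport=BGP, dport=40000),
    Packet("eigrp", EIGRP, 1),
    Packet("udp-probe", UDP, 1, sport=50000, dport=33434),
    Packet("ttl0", UDP, 0, sport=50001, dport=33435),
    Packet("ssh", TCP, 64, sport=51000, dport=22),
    Packet("ospf", OSPF, 1),
]


def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """Return True if the first matching entry is a permit."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action == "permit"
    return False  # implicit deny at the end of every ACL


def copp_verdict(acl: List[Ace], pkt: Packet) -> str:
    """A permit puts the packet in class DROP-TTL-0/1, whose action is drop.
    Anything else falls through to the default class and is punted."""
    return "drop" if acl_permits(acl, pkt) else "punt"


def evaluate(acl: List[Ace]) -> Dict[str, str]:
    return {p.desc: copp_verdict(acl, p) for p in SAMPLE}


if __name__ == "__main__":
    for name, acl in (("TTL", ACL_TTL), ("no exemptions", ACL_NO_EXEMPTIONS)):
        print(name)
        for desc, verdict in evaluate(acl).items():
            print(f"  {desc:14} {verdict}")
```

Because a deny in a class-map ACL only means "not in this class", the three deny lines have to sit above the permit; placed below it they would never be reached.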

which will be 224. and R4 should all show a clock synchronized to that of R3.1. Example 1-40 NTP Multicast Configuration and Verification Click here to view code image R3(config)# ip multicast-routing R3(config)# ntp master R3(config)# interface GigabitEthernet0/0 R3(config-if)# ip pim sparse-mode R3(config-if)# ntp multicast ttl 2 R3(config-if)# GigabitEthernet0/1 R3(config-if)# ip pim sparse-mode R3(config-if)# ip pim send-rp-announce GigabitEthernet0/0 scope 2 group-list 4 R3(config)# ip pim send-rp-discovery GigabitEthernet0/0 scope 2 R3(config)# access-list 4 permit 224.1 R3# show ntp status Clock is synchronized. as shown in Example 1-40.127. you have scored 4 points. R3 should also advertise the IP address you are using for the NTP advertisements.0. The question requires you to configure R3 to become the NTP master and announce the group address to the NTP clients. You are not permitted to use the command ntp server.2AE19310 (21:17:21. actual freq is 250. R3 should also be used to advertise its own gigabit interface IP address as an RP.0.1 nominal freq is 250. Configure R3 to send multicast advertisements of its own time by use of NTP sourced from interface Gig 0/0. (4 points) Network Time Protocol (NTP) can be multicast on the reserved group IP address of 224. stratum 8.0000 Hz.Section 7: Multicast (4 Points) Configure routers R1. R2.1. R3. you would not be deducted points. and R4 for IPv4 multicast.0000 msec. and so you must configure the clients with the command ntp multicast client. They will then have the capability to join the NTP group by use of Protocol Independent Multicast (PIM).1. R2. reference is 127.02 msec R1(config)# ip multicast-routing R1(config-if)# interface . Routers R1.167 UTC Tue Feb 27 2007) clock offset is 0.00 msec root dispersion is 0. Configure PIM sparse mode on all required interfaces.0000 Hz. peer dispersion is 0. If you have configured this correctly. 
precision is 2**18 reference time is C98F1E61.1 rather than the more familiar broadcast or unicast scenarios. If you have not taken this into consideration in your solution. It is good practice to TTL scope your multicast announcements so that they do not propagate past the domain you require. root delay is 0. but be aware of the facility in case you face a question that specifies this.7.0. Do not use the command ntp server in any configurations.1.02 msec.

1 23. stratum 9.1 CHANGE interface R2(config)# ip multicast-routing R2(config-if)# interface fastethernet 0/0 R2(config-if)# ip pim sparse-mode R2(config-if)# ntp multicast client R2# show ntp status Clock is synchronized.100.14 msec root dispersion is 15875.623 UTC Tue Feb 27 2007) clock offset is 0. peer dispersion is 15875.39 Serial0/0/0 00:07:21 00:02:51 120.3 nominal freq is 250.1 Serial0/0/0 00:40:12 00:02:50 120.1 224.100.2 224.100.9FB2321D (21:17:45.0000 Hz.1 Serial0/0 00:41:08 00:02:59 120. root delay is 3.0000 Hz.0157 msec.3 224.34.0.88 msec root dispersion is 0.39 Serial0/0 00:08:12 00:02:57 120.1.514 UTC Tue Feb 27 2007) clock offset is 0.06 msec.1 23.100.1 23.2 Change IF R4(config)# ip R4(config-if)# R4(config-if)# R4(config-if)# multicast-routing interface GigabitEthernet0/0 ip pim sparse-mode ntp multicast client R4# show ntp status .0.02 msec R1(config-if)# R1# show ip igmp group IGMP Connected Group Membership Group Address Interface Uptime Expires Last Reporter 224.0.1.100.02 msec R2# show ip igmp group IGMP Connected Group Membership Group Address Interface Uptime Expires Last Reporter 224. reference is 120. root delay is 4.40 Serial0/0 00:41:09 00:01:59 120.0000 Hz. precision is 2**18 reference time is C98F1E79.1.34.1.3 nominal freq is 250. actual freq is 250.3 224.1 23.0182 msec. stratum 9.0000 Hz.1.1.100.0.06 msec.1 23. precision is 2**18 reference time is C98F1E73. reference is 120. actual freq is 250.GigabitEthernet0/0 R1(config-if)# ip pim sparse-mode R1(config-if)# ntp multicast client R1# show ntp status Clock is synchronized. peer dispersion is 0.100.40 Serial0/0/0 00:40:13 00:02:52 120.83B73E68 (21:17:39.100.0.1 23.0.

1.3 4. You are required to configure an EEM applet with a CLI pattern event on a single line to match on either of the commands (no aaa xxx and no logging xxx).net from eem@lab-exam.100. peer dispersion is 7876.100. as shown in Example 1-41.37 msec root dispersion is 7877. .99.34.2B7DB1F2 (21:19:45. the policy requires the syslog message to be generated. When the commands are matched via the CLI pattern. actual freq is 250. This is achieved by a pattern of “^no (aaa|logging).40 GigabitEthernet0/0 00:41:07 00:02:42 120.169 UTC Tue Feb 27 2007) clock offset is -0.0. with the subject “User-Issue. If you have configured this correctly. and a final action to send an email with the details of the previous show command (which is achieved by the command “$_cli_result”).3 224. The following sync no skip yes parameters simply state that the policy and CLI should run asynchronously and that the command entered should not be executed as directed.net.99.0000 Hz.1 Configure a policy on router R1 so that if a user tries to remove AAA services or disable logging via the CLI that a syslog message of UNAUTHORIZED-COMMAND-ENTERED is generated.100. you have scored 4 points.100. a CLI command action to run show users.4 IP Services (4 Points) Configure the following commands on router R1: aaa new-model logging buffered logging 120.4 224.2 (to security@lab-exam.3 nominal freq is 250. stratum 9.3 4.6937 msec.Clock is synchronized.0.39 GigabitEthernet0/0 00:08:35 00:02:42 120.34 msec R4# show ip igmp group IGMP Connected Group Membership Group Address Interface Uptime Expires Last Reporter 224.0000 Hz.1.*”.1. Example 1-41 details the required configuration and resulting execution of the EEM when the commands no aaa new-model and no logging buffered are entered and not executed on the router. root delay is 1. precision is 2**18 reference time is C98F1EF1.” with the message body consisting of details of who was logged on the time either of the commands were entered).0. 
The policy and CLI should run asynchronously.3 4.08 msec.1 GigabitEthernet0/0 00:41:29 00:02:42 120.100. (2 points) This is an intricate Embedded Events Manager (EEM) question. The policy should ensure that neither command is executed and should consist of a single-line command for the CLI pattern detection. reference is 120.100. The policy should also generate an email from the router to a mail server residing on IP address 120.

0 syslog msg "UNAUTHORIZED-COMMAND-ENTERED" R1(config-applet)# action 2.100. how did it go? Did you run out of time? Did you manage to finish but miss what was actually required? If you scored over 80.0 exam is a separate section from the Configuration section and has a different scenario.99. If you accomplished this within 8 hours or less. you will have 2 hours to complete the Troubleshooting section.99. well done.99.0 mail server "120. .100. you will be prepared for any scenario that you are likely to face during the 5.2" to "security@lab-exam.99. What sets the CCIE exam apart within the industry is the complexity of the questions to test you further than you thought possible.100.2 %HA_EM-3-FMPD_ERROR: Error executing applet CCIE-QUESTION statement 3. The exam is not trying to trick you. but it will ensure that you have the ability to think laterally—an ability that will ensure that you exceed in your networking career and one that sets CCIEs apart.5 hours of the Configuration section of the actual exam.net" from "eem@lab-exam. This lab was designed to ensure that you troubleshoot your own work as you progress through the questions.net" subject "User-Issue" body "$_cli_result" R1(config-applet)# no aaa new-model %HA_EM-6-LOG: CCIE-QUESTION: UNAUTHORISED-COMMAND-ENTERED %HA_EM-3-FMPD_SMTP_CONNECT: Unable to connect to SMTP server: 120.*" sync no skip yes R1(config-applet)# action 1. Remember that the Troubleshooting section on the v5.0 R1(config)# no logging buffered %HA_EM-6-LOG: CCIE-QUESTION: UNAUTHORISED-COMMAND-ENTERED %HA_EM-3-FMPD_SMTP_CONNECT: Unable to connect to SMTP server: 120.100.1 R1(config)# R1(config)# event manager applet CCIE-QUESTION R1(config-applet)# event cli pattern "^no (aaa|logging). 
Spend the time to go back over the questions and practice with the configurations using debug and show commands to fully absorb any new areas you might have come across.2 %HA_EM-3-FMPD_ERROR: Error executing applet CCIE-QUESTION statement 3.0 R1(config)# do show run | include aaa new-model aaa new-model R1(config)# do show run | include logging buffered logging buffered 4096 debugging Lab Wrap-Up So.0 cli command "show user" R1(config-applet)# action 3.Example 1-41 R1 EEM Configuration and Verification Testing Click here to view code image R1(config)# aaa new-model R1(config)# logging buffered R1(config)# logging 120.

Did you anticipate and factor into your configuration items such as the maximum reserved bandwidth within QoS? If you did, congratulations, because this would have saved you time and secured you points. It also shows that you fully understand the protocols involved and are adept at testing your configurations. How can you ensure that you have the ability to spot any underlying issues related to a question? Well, it’s all mileage; you’ll get out of your study what you put into it.

Practice Lab 2

Equipment List
Practice Lab 2 follows an identical format to Lab 1 with timings and also consists of 100 points. You need the following hardware and software components to begin this practice lab.
Six routers loaded with Cisco IOS Software Release 15.3T Advanced Enterprise image and the minimum interface configuration, as documented in Table 2-1
Four 3560X switches with IOS 15.0S IP Services

Table 2-1 Hardware Required per Router

Note
Notice in the initial configurations supplied that some interfaces will not have IP addresses preconfigured. This is because you will either not be using that interface or you must configure it from default within the exercise. The initial configurations supplied should be used to preconfigure your routers and switch before the lab starts.
If your routers have different interface speeds than those used in this book, adjust the bandwidth statements on the relevant interfaces to keep all interface speeds in line. This will ensure that you do not get unwanted behavior because of differing IGP metrics.

Setting Up the Lab 2
Use any combination of routers as long as you fulfill the requirements within the topology diagram, as shown in Figure 2-1. However, you should use the same model of routers because this can make life easier if you load configurations directly from the supplied configurations into your own devices. If your router interface speeds do not match those used in this lab, consider reconfiguring the bandwidth statement accordingly to provide symmetry with the routing protocol metrics.

Figure 2-1 Practice Lab 2 Network Topology

Lab Topology
This practice lab uses the topology as outlined in Figure 2-1, which you will need to re-create with your own equipment or by using lab equipment on the CCIE R&S 360 program.

Switch Instructions
Configure VLAN assignments from the configurations supplied or from Table 2-2.

Table 2-2 VLAN Assignment

Connect your switches with RJ-45 Ethernet cross-over cables, as shown in Figure 2-2.

Figure 2-2 Switch-to-Switch Connectivity

IP Address Instructions
You will find in the actual CCIE lab that the majority of your IP addresses will be preconfigured. For this exercise, you are required to configure your IP addresses, as shown in Figure 2-3, or load the initial router configurations supplied. If you are manually configuring your equipment, ensure that you include the following loopback addresses. (R1 and R3 use the same IP address for Loopback 255.)
R1 Lo0 120.100.1.1/24 Lo255 200.200.200.200/24
R2 Lo0 120.100.2.1/24
R3 Lo0 120.100.3.1/24 Lo255 200.200.200.200/24
R4 Lo0 120.100.4.1/24
R5 Lo0 120.100.5.1/24
R6 Lo0 120.100.6.1/24
SW1 Lo0 120.100.7.1/24
SW2 Lo0 120.100.8.1/24
SW3 Lo0 120.100.9.1/24
SW4 Lo0 120.100.10.1/24

Figure 2-3 IP Addressing Diagram

Pre-Lab Tasks
Build the lab topology per Figure 2-1 and Figure 2-2.
Configure the IP addresses on each router as shown in Figure 2-3 and add the loopback addresses. Alternatively, you can load the initial configuration files supplied if your router is compatible with those used to create this exercise.

General Guidelines
Read the whole lab before you start.
Do not configure any static/default routes unless otherwise specified.
Ensure full IP visibility between routers for ping testing/Telnet access to your devices.
If you run out of time, choose questions that you are confident you can answer, or choose questions with a higher point rating to maximize your potential score.
Get into a comfortable and quiet environment where you can focus for the next 8 hours.
Take a 30-minute break midway through the exercise.
Have available a Cisco documentation CD-ROM or access online the latest documentation from the following URL:
http://www.cisco.com/cisco/web/psa/configure.html

Note
Access only these URLs, not the whole Cisco.com website (because if you are permitted to use documentation during your CCIE lab exam, it will be restricted). To save time during your lab, consider opening several windows with the pages you are likely to look at.

Practice Lab Two
You will now be answering questions in relation to the network topology, as shown in Figure 2-4.

Figure 2-4 Lab Topology Diagram

Section 1: LAN Switching (22 Points)
Configure your switched network to use 802.1w spanning tree. Switch 1 should be the root bridge for VLANs 34, 46, 53, 63, 100, 132, and 200, with Switch 2 being the secondary root bridge for all listed VLANs. (3 points)
Switch 3 should use its interface directly connecting to Switch 2 (Fast Ethernet 0/21) for traffic directed toward even-numbered VLANs (34, 46, 100, 132, 200) and the interface directly connected to Switch 1 (Fast Ethernet 0/21) for odd-numbered VLANs (53, 63). (3 points)
Switch 4 should use its interface directly connecting to Switch 2 (Fast Ethernet0/19) for traffic destined toward even-numbered VLANs (34, 46, 100, 132, 200) and the interface directly connecting to Switch 1 (Fast Ethernet 0/19) for odd-numbered VLANs (53, 63). (3 points)
Ensure a cable fault between Switches 1 and 2 could not result in one-way traffic between the two switches, resulting in spanning-tree issues. (2 points)
Configure Switch 1 and Switch 2 to enable connectivity of two further switches in the future to be connected to ports Fast Ethernet 0/18 on each switch. The new switches should be able to tunnel their own configured VLANs through a new VLAN (30) between Switch 1 and Switch 2. There is no requirement to configure a root bridge or VLAN load balancing for the new VLAN between Switch 1 and Switch 2. (4 points)

Configure your switched network to monitor the VLAN 200 interface associated with R2 (Switch 2 Fast Ethernet 0/1), and send only traffic destined to R2 on this switch port across your network to Switch 3 port Fast Ethernet 0/17. Use a new VLAN (20) to assist in this configuration. There is no requirement to configure a root bridge or VLAN load balancing for the new VLAN. (3 points)
Configure the interface on Switch 2 that connects to R5 VLAN 53 (Fast Ethernet 0/5) in such a way that if all the trunks on Switch 2 connecting to Switch 1, Switch 3, and Switch 4 should fail, this Ethernet port transitions into error-disable state. (3 points)
Configure interfaces Fast Ethernet 0/9 and 0/10 on Switch 1 so that even if they are configured to belong to the same VLAN, they will not be able to forward unicast, broadcast, or multicast traffic to one another. Do not use any form of ACL or configure the ports to belong to a PVLAN. (1 point)

Section 2: IPv4 IGP Protocols (26 Points)

Section 2.1: EIGRP
Configure EIGRP per Figure 2-5 using an instance name of CCIE and autonomous system of 1; each EIGRP router should have its Loopback 0 interface configured and advertised within EIGRP. (2 points)

Figure 2-5 EIGRP Topology

Configure R1 to advertise a summary route of 120.100.0.0/16 outbound on its VLAN 132 interface. R3 should see the original VLAN 100 and Loopback 0 individual routes in

addition to the summary route. You may use only one summary route in your configuration; do not apply the summary command directly to the interface. (3 points)
Ensure that the length of time that EIGRP considers neighbors to be valid without receiving a hello packet on the VLAN 132 network between R1, R2, and R3 is 200 seconds; do not change the hello-interval parameter. (2 points)
Configure new loopback interfaces on R1 and R2 using a loopback interface 2 with an identical IP address of 150.101.1.1/24 on both routers; advertise this network into EIGRP on each router. Ensure that R3 prefers the route from R1 by manipulating the delay associated with this route. You are only permitted to configure R2 to influence the delay. Do not manually adjust the delay associated with the interface by use of the delay command. (3 points)
Configure EIGRP with a new instance name of CCIE2 between R2 and R3 over VLAN 132 with an autonomous system of 2 and 256-bit encryption with a password of lake2aho3; any additional connections to AS2 should be encrypted using the same password without further configuration on R2 and R3. Configure a new loopback interface on R2 (Loopback 3) with an IP address of 150.101.2.1/24, and advertise this and only this network to R3 from R2. (2 points)

Section 2.2: OSPF
Configure OSPF per Figure 2-6 using a process ID of 1. All OSPF configuration, where possible, should not be configured under the process ID. Each OSPF router should also have its Loopback 0 interface configured and advertised within OSPF as follows: (2 points)
R4 Loopback 0 – Area 0
R5 Loopback 0 – Area 0
R6 Loopback 0 – Area 1
SW1 Loopback 0 – Area 2
SW2 Loopback 0 – Area 1
SW3 Loopback 0 – Area 2
SW4 Loopback 0 – Area 3

R5-SW1 R5-SW3.100.100.101. (4 points) Section 2. R4-SW2. R6-SW4. You are not permitted to form any Area 0 neighbor relationship directly between R4 and R5 to join Area 0. R3-R5. SW4-SW3.34.Figure 2-6 OSPF Topology Area 0 is partitioned between R4 and R5.63. (3 points) Section 3: BGP (15 Points) Configure BGP peering per Figure 2-7 as follows: iBGP R1-R3.5) for this destination subnet. Use loopback interfaces .0/24 (VLAN 63).4) should be used dynamically.34.3: Redistribution Perform a one-way redistribution of EIGRP AS2 into EIGRP AS1 on R3 using the following default metric: 1544 20000 255 1 1500. eBGP R3-R4. R4-R6. If this route fails. (2 points) R3 will have equal cost external EIGRP routes to the redistributed OSPF subnet 120. Use a metric of 5000 for redistributed routes into OSPF that should appear as external type 2 routes and the following K values for OSPF routes redistributed into EIGRP: 1544 20000 255 1 1500. Ensure that R1 shows a next hop for the AS2 advertised route of 150. the route advertised from R4 (120. (3 points) Perform mutual redistribution of EIGRP AS1 and OSPF on R4 and R5.0/24 of R2 and perform configuration only on R3 for this task.2. R2-R3. Ensure that your network can accommodate this issue.100. Configure only R3 to ensure that R3 routes via a next hop of R5 (120.

(3 points) Configure the following loopback interfaces on R3 and SW4.200.200.34.200.0/24 when advertised to R3.34. R3 should be configured to only actively create BGP sessions to R1 and R2 within AS100. and 152.33.1/24) SW4 – Loopback interface 8 (152.1/24) Configure R3 to inform R4 that it does not want to receive routes advertised from SW4 for networks 152. Do not use the command ebgp-multihop within your configurations.100.0/24.200.1/24) SW4 – Loopback interface 7 (152.0/24. but only one prepend is permitted per line. 152.1/24) SW4 – Loopback interface 6 (152.to peer on all routers with the exception of peering between R3-R4 and R3-R5.200.200.100.35. You may also configure R4.32.1/24) SW4 – Loopback interface 5 (152. Achieve this in such a manner that R4 does not actually advertise these routes toward R3.32. (3 points) Section 4: IPv6 (12 Points) Configure IPv6 addresses on your network as follows: 2007:C15:C0:10::1/64 – R1 Gi0/1 .35. (3 points) Figure 2-7 BGP Topology Routers R1 and R2 in AS100 should be made to only passively accept BGP sessions. (4 points) Configure a route map on R5 that prepends its local autonomous system an additional two times for network 152.200. The route map may contain multiple permit statements.0/24.200.33. advertise these networks into BGP using the network command: (2 points) R3 – Loopback interface 5 (152.

2007:C15:C0:11::1/64 – R1 tunnel0
2007:C15:C0:11::3/64 – R3 tunnel0
2007:C15:C0:12::2/64 – R2 tunnel0
2007:C15:C0:12::3/64 – R3 tunnel1
2007:C15:C0:13::2/64 – R2 fe0/1
2007:C15:C0:14::3/64 – R3 Gi0/0
2007:C15:C0:14::4/64 – R4 Gi0/0
2007:C15:C0:14::5/64 – R5 Gi0/0
2007:C15:C0:15::4/64 – R4 Gi0/1
2007:C15:C0:15::6/64 – R6 Gi0/0

Section 4.1: EIGRPv6
Configure EIGRPv6 with an autonomous system of 6 between R1, R2, and R3. EIGRPv6 should not be enabled directly under the interfaces of the routers. Build your tunnels from R1 to R3 and R2 to R3 with source interfaces from VLAN 132 to advertise IPv6 edge networks from each router using ipv6ip mode. (2 points)

Section 4.2: OSPFv3
Configure OSPFv3 per Figure 2-8; use an OSPFv3 process of 1 on each router. (2 points)

Figure 2-8 IPv6 Topology

Configure Area 1 with IPsec authentication; use message digest 5, a security policy index of 500, and a key of DEC0DECC1E0DDBA11B0BB0BBEDB00B00. (2 points)

Ensure the area router in Area 1 receives the following route. You may configure R4 to achieve this: (2 points)
I 2007::/16 [110/2]
via XXXX::XXXX:XXXX:XXXX:XXXX, GigabitEthernet0/0

Section 4.3: Redistribution
Redistribute EIGRPv6 into OSPFv3 on R3. Redistributed EIGRPv6 routes should have a metric of 5000 associated with them, regardless of which area they are seen in within the OSPFv3 network. (2 points)
Configure R3 so that both R1 and R2 have the following IPv6 EIGRPv6 route in place. Do not redistribute OSPF into EIGRPv6 to achieve this, and do ensure that all routers have full visibility: (2 points)
D 2007::/16 [90/XXXXXXXXX]
via XXXX::XXXX:XXXX:XXXX:XXXX, Tunnel0

Section 5: QoS (6 Points)
Two IP video conferencing units are to be installed onto Switch 2 ports Fast Ethernet 0/15 and 0/16 on VLAN 200. The devices use TCP ports 3230–3231 and UDP ports 3230–3235, and this traffic is unmarked from the devices as it enters the switch. Configure Switch 2 to assign a DSCP value of AF41 to video traffic from both of these devices. Ensure that the switch ports assigned to the devices do not participate in the usual spanning-tree checks, cannot form trunk links, and cannot be configured as EtherChannels. (3 points)
Configure R2 to assign a strict-priority queue with a 40 percent reservation of the WAN bandwidth for the video conferencing traffic in the previous question. Maximize the available bandwidth by ensuring the RTP headers within the video stream are compressed. The remainder of the bandwidth should be guaranteed for a default queue with WRED enabled. (3 points)

Section 6: Multicast (9 Points)
Configure routers R1, R2, R3, and R4 for IPv4 multicast. Each router should use PIM sparse dense mode. Both R1 and R2 should be configured to be candidate RPs specifically for the following multicast groups: 225.225.0.1, 225.225.0.2, 225.225.0.3, and 225.225.0.4 (by use of their Loopback 0 interfaces). You should limit the boundary of your multicast network so that it does propagate further into your network than R4. R3 should be configured as a mapping agent to announce the rendezvous points for the multicast network with the same boundary constraints. (3 points)
Configure R3 to ensure R4 has a candidate RP as R1 for groups 225.225.0.1 and 225.225.0.2 and R2 for groups 225.225.0.3 and 225.225.0.4. (3 points)
Configure R1 to monitor traffic forwarded through itself for traffic destined to the multicast group of 225.225.0.1. If no packet for this group is received within a single 10-second interval, ensure that an SNMP trap is sent to an SNMP management station on 120.100.100.100 using a community string of public. (3 points)

the proctor will not enter into any discussions about the questions or answers. In the actual CCIE lab. surely I wouldn’t encounter spanning-tree issues.and even-numbered VLANs to ensure that different interfaces are used on Switch 3 and Switch 4? A. (3 points) Configure R1 so that it can perform SCP. Q. (2 points) The network administrator has determined that IPv6 router advertisements are being sourced from routers on VLAN 34. the router should be configured to randomly drop SYN packets from any source to this VLAN that have not been correctly established within 20 seconds. Am I correct in thinking this? A. Do not use the RA guard solution with untrusted ports. You may use an ACL applied in a single location in your solution.uk. If a copper Ethernet cable fails between Switch 1 and Switch 2. Do you just want me to configure the root and secondary root bridges into 802. Section 1: LAN Switching Q. the root bridge assignment should remain as per the first question. Disable these advertisements from entering and propagating on VLAN 34. and apply ACLs only on the VLAN 132 interface. Q.co.Section 7: Security (10 Points) Allow router R6 to passively watch the SYN connections that flow to only VLAN 63 for servers that might reside on this subnet. No. . He or she will be present to ensure that you do not have problems with the lab environment and to maintain the timing element of the exam. (2 points) Configure an ACL on R1 to allow TCP sessions generated on this router and through its Ethernet interface and to block TCP sessions from entering on its VLAN 132 interface that were not initiated on it or through it originally. it should also enable ICMP traffic inbound for testing purposes. The ACL should timeout after 100 seconds of locally initiated TCP inactivity. a key size of 768 bits. The router should belong to a domain of toughtest. Not entirely. Use local authentication with a username and password of cisco. 
To prevent a potential denial-of-service (DoS) attack from a flood of SYN requests. (3 points) “Ask the Proctor” Note This section should be used only if you require clues to complete the questions. Consider a partial failure rather than a complete breakage. because there would not be any loops present. Can I change the root bridge assignments of odd. Do not use the established feature within standard ACLs to achieve this. You should ensure that your network runs a consistent version of spanning tree.1w spanning tree? A. and an SSH timeout of 2 minutes and retry value of 2.

Is it okay to send both TX and RX traffic to Switch 2? A. Q. Q. Would you like me to configure UDLD aggressive mode on Switch 2 to transition the required port to error-disable mode if a trunk failure occurs? A. If I can’t apply the summary statement directly under the interface can I apply it within the process instance? A. use a Layer 2 switch tunneling feature. Q. a native VLAN would not facilitate transportation of multiple VLANs over the single VLAN 30 between Switch 1 and Switch 2. UDLD can operate over copper Ethernet in the same manner as fiber.1. you must configure a feature that will place a nontrunk link into error-disable mode if all the trunks on Switch 2 fail. No. No. . you need to enable a feature that enables the more specific routes to be received on R3. Q. Is it acceptable to adjust the hold time on the Ethernet interfaces to change the hello interval? A. Q. Q. Is this correct? A. Yes.Q. wouldn’t a feature like UDLD be beneficial only if the connections are fiber? A. Q. Can I manipulate the delay associated with network 150. I think I can achieve this with multiple summary routes but the question restricts this.101. Nice try. Q. No.1: EIGRP Q. Would you like me to configure a native VLAN of 30 on trunks to the two new switches? A. If I configure a summary address on R1. Yes. Are you looking for a GRE type of tunnel between switches? A. this route overrides the VLAN 100 and Loopback 0 routes from R1 as received on R3. Yes. Q. Section 2: IPv4 IGP Protocols Section 2.0/24 because this advertisement leaves R2 rather than by changing an interface delay on R2? A. No. Read the question carefully. Can I just shut down ports 0/9 and 0/10 so that they can’t communicate? A. I assume you require remote span configured for R2 traffic. this is the expected behavior of summarization. use a feature that enables your specific routes to leak from the summary route. Yes. The switches are connected with Ethernet copper cables. Can I use a new EIGRP process instead? 
A. look for a security feature to disable communication between these ports. this information has been provided.

Q. to ensure that your topology operates correctly. Can I use an offset list or similar feature on R4 to penalize the route 120. You can use virtual links in your solution. though.100. I’ve followed the redistribution instructions.0/24? A. this would affect routes received on R3 from both R4 and R5 equally because R4 and R5 reside on the same subnet as R3. Can I use this technique to stretch Area 0 between R4 and R5? A. this solution would involve a neighbor relationship being formed between the routers in Area 0. think about where the links need to be. Use your troubleshooting skills to determine the problem. No. you are permitted to configure only R3.63.0/24 as it advertised to R3? A.Section 2. Can I modify the OSPF cost on the interface connecting R3 to the OSPF network to attempt to change the next hop for the subnet 120. I’ve managed to get the EIGRP AS2 route redistributed from R3 into EIGRP on R1.100. Q. No. Q.63. Yes. Yes.0/24? A. Can I use the EIGRP third-party next-hop feature to leave the next hop of the route unaltered from R2? A. A. but the next hop is showing as R3. I’ve noticed that due to the preconfigured loopback interfaces on R1 and R3 both of these routers have the same EIGRP router ID. but I don’t receive the EIGRP AS2 route on R1 after redistribution. Yes. Q. I’d normally use a virtual link to extend Area 0 into a transit area. Is it acceptable to use a route map on R3 and match a route source to penalize the route to 120. .100. You will have some underlying issues before receiving the route on R1. No. No. you must have the routing table reflect the next hop of this route via R2 and not R3. Can I policy route on R1 so that the next hop for this route is directly via R2? A. Q. Q.2: OSPF Q. Can I manually change the router ID on one of the routers to see if this helps? A.3: Redistribution Q.63. Q. Is it acceptable to provide tunnels between R4 and R5 to join Area 0? A. Section 2.

Yes. No. just from R1 to R3 and from R2 to R3. Use a BGP feature to force the peering to become directional. Yes. Q. The question provides you with sufficient information to determine the redistribution type to use. Would you like me to configure an additional IPv6 subnet on R4 to receive the 2007::/16 route? A. No. Q. check your router ID. an ACL would actually break the peering entirely.Section 3: BGP Q. you had a similar issue within EIGRP. Q. Do you want a tunnel between R1 and R2 also? A. ensuring that the route is received as illustrated in the question. Yes. Q. No. Do the VC units use UDP Ports 3230 and 3235 or 3230 through 3235? A. Q. . so there is a need to trust these ports. Section 5: QoS Q. investigate an alternative method to create this route from the preconfigured subnets you already have. They use the range 3230 through 3235. Switch 3. Can I just configure a filter on R4 to stop advertising specific routes to R3? A. You must configure a feature that overrides this behavior. Can I use BGP ORF? A. These tunnels will advertise the edge networks of each router within EIGRPv6. you must dynamically inform R4 to not advertise specific routes via R3. No. Do you want me to configure an ACL to limit BGP connections to purely inbound or outbound on TCP port 179? A. it will. will my peering fail because I am peering from my loopback interfaces? A. Can I try to use NAT to fix my peering? A. Is this expected behavior? A. Section 4: IPv6 Q. If I can’t use ebgp-multihop on my peering on R6. Q. The VC devices are not marking the traffic. Would you like me to redistribute routes into OSPFv3 as external type 1 or type 2? A. No. Q. I’m experiencing peering issues between R1 and R3 and have BGP notifications displayed on the console. and Switch 4. Do you want me to trust the ports assigned to the VC units? A. use a specific BGP feature to disregard the TTL check. Q.

Q. You need to configure a feature that monitors the SYN packets and closes down any half-opened connections. is this sufficient to answer the question? A. this would block return path traffic initiated by R1. channeling. Section 6: Multicast Q. Can I use a reflexive ACL to dynamically permit the return traffic with a time limit of 100 seconds? A.225. Q. but you are permitted to configure only R3. Section 7: Security Q. I have configured SCP with the required SSH parameters. To have R1 and R2 as candidate RPs for different groups. traffic destined to this group will be sent to R1 regardless because it is the candidate RP for this group. Q. No.Q. but I am not confident of my configuration. won’t R3 and R4 see both routers as RPs for the same groups? A. No.0. and spanning-tree checks on the ports assigned to the VC units? A. Yes. If you were permitted to configure R1 and R2. there is a specific TCP feature used to protect servers from a flood of SYN packets that could cause a DoS attack. this isn’t required. Can I just use a standard ACL on R1 on the VLAN 132 interface to permit sessions outbound and deny everything else inbound? A. the question dictates that a priority queue be used. Can I use a reflexive ACL to drop SYN packets that are not correctly established by the servers? A. No. group lists would achieve the desired results. but remember there is a single command that will disable all these features. Yes. SYN packets should still enter into VLAN 63. Do you want me to actually configure an IGMP join group on R1 for 225. Any suggestions? . Would you like me to disable trunking. No. Q. If I configure R1 and R2 for the same multicast groups. No. Group lists can assist in your solution on R3. Q. Q. Q. but you need to find a method of assigning these specifically to R1 and R2. Yes. If I use the bandwidth percent command on R2 in my 40-percent guaranteed reservation. Do you want me to configure an ACL to block SYN packets coming into VLAN 63? 
A.1 for the SNMP question? A. can I just configure group lists on R3? A. you will address this behavior in the following question.

Practice Lab Debrief The section analyzes each question. Section 1: LAN Switching (22 Points) Configure your switched network to use 802. try to copy the IOS image from flash on R1 with RCP. 100. you have earned 3 points. Example 2-1 SW1. Am I missing something? A. and SW4 Configuration and Verification Click here to view code image SW1(config)# spanning-tree mode rapid-pvst SW1(config)# spanning-tree vlan 34. SW2.1w spanning tree. but I am still seeing the RAs when I debug IPv6 on the routers.100.46. but consider that it isn’t just a case of enabling it. but each VLAN would be identical in this configuration. 63. 53. 53. If you have time. 100.1w is a Rapid Spanning Tree. No. 132.63. showing you what was required and how to achieve the desired results. To stop the RA. 63.132.200 root secondary SW3(config)# spanning-tree mode rapid-pvst . (3 points) 802. If you have configured this correctly. Switch 1 should be the root bridge for VLANs 34. Q. So.132. If you are prompted for a password and gain access to the file. Switch 1 is required to be the root bridge and Switch 2 the secondary root bridge for VLANs 34. and 200. Q.200 root primary SW2(config)# spanning-tree mode rapid-pvst SW2(config)# spanning-tree vlan 34. Q. and 200. 46. VLAN 34 is used as an example. you have configured this feature correctly.100. SW3. Yes. Q.63. there is an additional step for VLAN 34. Yes. I have applied the ACL blocking RA ICMPv6 from entering the switch. So. You must consider that by default the switch would be completely transparent to IPv6 and you would need to make the switch understand what it has to filter. 132.53.53. can I just apply it to VLAN34? A. with Switch 2 being the secondary root bridge for all listed VLANs.A. the question stipulates the ACL can only be used in one location. do I need to enable IPv6 on the switch? A. 46. the switches will be in the default mode of standard PerVLAN Spanning Tree (PVST) and require configuration to rapid-pvst mode. as shown in Example 2-1. 
You should use this section to produce an overall score for the practice lab. can I apply an ACL on each port that connects to each router? A. Example 2-1 also shows confirmation of the root bridge and which interfaces are used to reach the root bridge from the neighboring switches.46.

SW4(config)# spanning-tree mode rapid-pvst

SW1# show spanning-tree vlan 34 | include root
This bridge is the root
SW1# show spanning-tree vlan 46 | include root
This bridge is the root
SW1# show spanning-tree vlan 53 | include root
This bridge is the root
SW1# show spanning-tree vlan 63 | include root
This bridge is the root
SW1# show spanning-tree vlan 100 | include root
This bridge is the root
SW1# show spanning-tree vlan 132 | include root
This bridge is the root
SW1# show spanning-tree vlan 200 | include root
This bridge is the root

SW2# show spanning-tree vlan 34 | include Root FWD
Fa0/23 Root FWD 19 128.25 P2p
SW3# show spanning-tree vlan 34 | include Root FWD
Fa0/19 Root FWD 19 128.21 P2p
SW4# show spanning-tree vlan 34 | include Root FWD
Fa0/21 Root FWD 19 128.23 P2p

Switch 3 should use its interface directly connecting to Switch 2 (Fast Ethernet 0/21) for traffic directed toward even-numbered VLANs (34, 46, 100, 132, 200) and the interface directly connecting to Switch 1 (Fast Ethernet 0/19) for odd-numbered VLANs (53, 63). (3 points)

This is a straightforward VLAN load-balancing question to ensure that trunk links are utilized efficiently and not logically disabled by spanning tree. Switch 3 uses the interface directly connecting to Switch 1 (Fast Ethernet 0/19) for all VLANs as the lowest root cost path by default. To adjust this behavior, this interface must effectively be penalized for the even-numbered VLANs to ensure a more attractive path is via Switch 2 (Fast Ethernet 0/21), as shown in Example 2-2. If you have configured this correctly, you have scored 3 points.

Example 2-2 SW3 VLAN Load-Balancing Configuration and Verification

SW3(config)# interface fastethernet 0/19
SW3(config-if)# spanning-tree vlan 34,46,100,132,200 cost 100
SW3(config-if)# do show spanning-tree root

                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001         32769 0013.806d.9400        19    2   20  15  Fa0/19
VLAN0034         24610 0013.806d.9400        38    2   20  15  Fa0/21
VLAN0046         24622 0013.806d.9400        38    2   20  15  Fa0/21
VLAN0053         24629 0013.806d.9400        19    2   20  15  Fa0/19
VLAN0063         24639 0013.806d.9400        19    2   20  15  Fa0/19
VLAN0100         24676 0013.806d.9400        38    2   20  15  Fa0/21
VLAN0132         24676 0013.806d.9400        38    2   20  15  Fa0/21
VLAN0200         24776 0013.806d.9400        38    2   20  15  Fa0/21

Switch 4 should use its interface directly connecting to Switch 2 (Fast Ethernet 0/19) for traffic destined toward even-numbered VLANs (34, 46, 100, 132, 200) and the interface directly connected to Switch 1 (Fast Ethernet 0/21) for odd-numbered VLANs (53, 63). (3 points)

Following from the previous question, Switch 4 uses the interface directly connecting to Switch 1 (Fast Ethernet 0/21) for all VLANs as the lowest root cost path by default, rendering the second trunk connecting to Switch 2 unused unless a failover condition occurs. As per the previous question, the directly connected interface to Switch 1 needs to be penalized for the even-numbered VLANs to ensure a balanced access topology for VLAN load balancing, as shown in Example 2-3. If you have configured this correctly, you have scored 3 points.

Example 2-3 SW4 VLAN Load-Balancing Configuration and Verification

SW4(config)# interface fastethernet 0/21
SW4(config-if)# spanning-tree vlan 34,46,100,132,200 cost 100
SW4(config-if)# do show spanning-tree root
                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001         32769 0013.806d.9400        19    2   20  15  Fa0/21
VLAN0034         24610 0013.806d.9400        38    2   20  15  Fa0/19
VLAN0046         24622 0013.806d.9400        38    2   20  15  Fa0/19
VLAN0053         24629 0013.806d.9400        19    2   20  15  Fa0/21
VLAN0063         24639 0013.806d.9400        19    2   20  15  Fa0/21
VLAN0100         24676 0013.806d.9400        38    2   20  15  Fa0/19
VLAN0132         24676 0013.806d.9400        38    2   20  15  Fa0/19
VLAN0200         24776 0013.806d.9400        38    2   20  15  Fa0/19
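The self-check below is an added example, not part of the original lab: it parses the show spanning-tree root listing from Example 2-2 and compares each VLAN's root bridge and root port with what the load-balancing questions require. The helper names and the assumption that root primary yields a displayed priority of 24576 plus the VLAN ID are this example's own.

```python
import re
from typing import Dict, List, NamedTuple


class RootEntry(NamedTuple):
    priority: int  # root priority as displayed (includes the VLAN ID)
    mac: str       # root bridge MAC address
    cost: int      # root path cost seen by this switch
    port: str      # local root port


# Root bridge MAC (SW1) and the SW3 listing, both taken from Example 2-2.
ROOT_MAC = "0013.806d.9400"
SW3_ROOT_TABLE = """\
                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001         32769 0013.806d.9400        19    2   20  15  Fa0/19
VLAN0034         24610 0013.806d.9400        38    2   20  15  Fa0/21
VLAN0046         24622 0013.806d.9400        38    2   20  15  Fa0/21
VLAN0053         24629 0013.806d.9400        19    2   20  15  Fa0/19
VLAN0063         24639 0013.806d.9400        19    2   20  15  Fa0/19
VLAN0100         24676 0013.806d.9400        38    2   20  15  Fa0/21
VLAN0132         24676 0013.806d.9400        38    2   20  15  Fa0/21
VLAN0200         24776 0013.806d.9400        38    2   20  15  Fa0/21
"""

# Root ports required by the questions: even VLANs via Switch 2, odd via Switch 1.
SW3_EXPECTED = {34: "Fa0/21", 46: "Fa0/21", 100: "Fa0/21", 132: "Fa0/21",
                200: "Fa0/21", 53: "Fa0/19", 63: "Fa0/19"}
# Switch 4 mirrors Switch 3 (its Fa0/19 faces Switch 2, Fa0/21 faces Switch 1).
SW4_EXPECTED = {vlan: ("Fa0/19" if port == "Fa0/21" else "Fa0/21")
                for vlan, port in SW3_EXPECTED.items()}

ROW_RE = re.compile(
    r"^VLAN(?P<vlan>\d+)\s+(?P<prio>\d+)\s+"
    r"(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+"
    r"(?P<cost>\d+)\s+\d+\s+\d+\s+\d+\s+(?P<port>\S+)$",
    re.IGNORECASE,
)


def parse_root_table(text: str) -> Dict[int, RootEntry]:
    """Return {vlan: RootEntry} for every data row; headers are skipped."""
    table: Dict[int, RootEntry] = {}
    for line in text.splitlines():
        match = ROW_RE.match(line.strip())
        if match:
            table[int(match["vlan"])] = RootEntry(
                int(match["prio"]), match["mac"].lower(),
                int(match["cost"]), match["port"])
    return table


def check_root_table(table: Dict[int, RootEntry], expected_ports: Dict[int, str],
                     root_mac: str, base_priority: int = 24576) -> List[str]:
    """List every deviation from the intended root bridge and root ports."""
    findings: List[str] = []
    for vlan in sorted(expected_ports):
        entry = table.get(vlan)
        if entry is None:
            findings.append(f"VLAN {vlan}: no root information")
            continue
        if entry.mac != root_mac:
            findings.append(f"VLAN {vlan}: root bridge {entry.mac}, expected {root_mac}")
        if entry.priority != base_priority + vlan:
            findings.append(f"VLAN {vlan}: root priority {entry.priority}, "
                            f"expected {base_priority + vlan}")
        if entry.port != expected_ports[vlan]:
            findings.append(f"VLAN {vlan}: root port {entry.port}, "
                            f"expected {expected_ports[vlan]}")
    return findings


if __name__ == "__main__":
    for finding in check_root_table(parse_root_table(SW3_ROOT_TABLE),
                                    SW3_EXPECTED, ROOT_MAC):
        print(finding)
```

Run against that listing, every root port matches the requirement and the only finding is the VLAN0132 root priority, shown as 24676 where 24576 + 132 is 24708.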

Ensure that a cable fault between Switches 1 and 2 could not result in one-way traffic between the two switches, resulting in spanning-tree issues. (2 points)

Unidirectional Link Detection (UDLD) detects unidirectional links on fiber-optic connections; in aggressive mode, UDLD also detects unidirectional links because of one-way traffic on twisted-pair links. If you configure the ports between Switch 1 and Switch 2 into aggressive mode, the switches become UDLD neighbors, can detect one-way links, and shut down the link if this condition arises to mitigate spanning-tree issues, as shown in Example 2-4. If you have configured this correctly, you have scored 2 points.

Example 2-4 SW1 and SW2 UDLD Configuration and Verification

SW1(config)# interface fastethernet 0/23
SW1(config-if)# udld port aggressive

SW2(config)# interface fastethernet 0/23
SW2(config-if)# udld port aggressive

SW1# show udld fastethernet 0/23
Interface Fa0/23
---
Port enable administrative configuration setting: Enabled / in aggressive mode
Port enable operational state: Enabled / in aggressive mode
Current bidirectional state: Bidirectional
Current operational state: Advertisement - Single neighbor detected
Message interval: 15
Time out interval: 5

    Entry 1
    ---
    Expiration time: 44
    Cache Device index: 1
    Current neighbor state: Bidirectional
    Device ID: CAT0935N2GQ
    Port ID: Fa0/23
    Neighbor echo 1 device: CAT0911X17K
    Neighbor echo 1 port: Fa0/23
    Message interval: 15
    Time out interval: 5
    CDP Device name: SW2

Configure Switch 1 and Switch 2 to allow connectivity of two further switches in the future to be connected to ports Fast Ethernet 0/18 on each switch. The new switches should be able to tunnel their own configured VLANs through a new VLAN (30) between Switch 1 and Switch 2. There is no requirement to configure a root bridge or VLAN load balancing for the new VLAN between Switch 1 and Switch 2. (4 points)

This is a service provider requirement whereby customers tunnel their own VLANs through the provider's network. To mitigate any VLAN overlaps from other customers, a unique service provider VLAN is used to transport the customer VLANs. Example 2-5 shows VLAN 30 being used to transport VLANs over a dot1q-tunnel. Use the show dot1q-tunnel command to verify your tunnel configuration on your switches. If your ports are shut down by initial configuration, it would be worth enabling them to protect your points. If you have configured this correctly, as shown in Example 2-5, you have scored 4 points.

Example 2-5 SW1 and SW2 Q in Q Configuration

SW1(config)# vlan 30
SW1(config-vlan)# exit
SW1(config)# interface fastethernet 0/18
SW1(config-if)# switchport access vlan 30
SW1(config-if)# switchport mode dot1q-tunnel

SW2(config)# vlan 30
SW2(config-vlan)# exit
SW2(config)# interface fastethernet 0/18
SW2(config-if)# switchport access vlan 30
SW2(config-if)# switchport mode dot1q-tunnel

Configure your switched network to monitor the VLAN 200 interface associated with R2 (Switch 2 Fast Ethernet 0/1) and send only traffic destined to R2 on this switch port across your network to Switch 3 port Fast Ethernet 0/17; use a new VLAN (20) to assist in this configuration. There is no requirement to configure a root bridge or VLAN load balancing for the new VLAN. (3 points)

This is a remote span question. Remote span requires a VLAN to propagate the span traffic between switches, which is why you need to configure VLAN 20 on both Switches 1 and 2. The only complexity is based around the question statement of where you actually need to monitor: "traffic destined to R2." This means that you need to configure the span parameters to only send the traffic transmitted out of the switch port toward R2, which is configured by the tx parameter. If this optional parameter is not configured, both transmit and receive traffic is monitored. If your ports are shut down by initial configuration, it would be worth enabling them to protect your points. If you have configured this correctly, as shown in Example 2-6, you have scored 3 points.

Example 2-6 SW2 and SW3 Remote Span Configuration and Verification

SW2(config)# vlan 20
SW2(config-vlan)# remote-span
SW2(config-vlan)# exit
SW2(config)# monitor session 1 source interface fastethernet 0/1 tx
SW2(config)# monitor session 1 destination remote vlan 20
SW2(config)# do show monitor session 1
Session 1
---------
Type              : Remote Source Session
Source Ports      :
    TX Only       : Fa0/1
Dest RSPAN VLAN   : 20

SW3(config)# vlan 20
SW3(config-vlan)# exit
SW3(config)# monitor session 1 source remote vlan 20
SW3(config)# monitor session 1 destination interface fast 0/17
SW3(config)# do show monitor session 1
Session 1
---------
Type              : Remote Destination Session
Source RSPAN VLAN : 20
Destination Ports : Fa0/17
    Encapsulation : Native
          Ingress : Disabled

Configure the interface on Switch 2, which connects to R5 VLAN 53 (Fast Ethernet 0/5) in such a way that if all the trunks on Switch 2 connecting to Switch 1, Switch 3, and Switch 4 should fail, this Ethernet port transitions into error-disable state. (3 points)

The question requires link-state tracking to be configured. This feature provides redundancy in the network when used with server NIC adapter teaming. If a link is lost on the primary interface, connectivity is transparently switched to the secondary interface. Ports connected to servers are configured as downstream ports, and ports connected to other switches are configured as upstream ports. If the upstream trunk ports on Switch 2 fail, link-state tracking automatically puts the downstream port connected to R5 into error-disable state, as shown in Example 2-7. Example 2-7 shows the associated configuration and testing by shutting down the trunk ports on Switch 2, which connects to Switch 1, Switch 3, and Switch 4, which forces Fast Ethernet downstream port into error-disable state. If you have configured this correctly, you have scored 3 points.

Example 2-7 SW2 Link-State Tracking Configuration and Verification

SW2(config)# link state track 1
SW2(config)# interface fast0/5

SW2(config-if)# link state group 1 downstream
SW2(config-if)# interface fastethernet 0/19
SW2(config-if)# link state group 1 upstream
SW2(config-if)# interface fastethernet 0/21
SW2(config-if)# link state group 1 upstream
SW2(config-if)# interface fastethernet 0/23
SW2(config-if)# link state group 1 upstream

SW2# show interface fastethernet 0/5 | include connected
fastethernet0/5 is up, line protocol is up (connected)

SW2(config-if)# int fast 0/19
SW2(config-if)# shut
SW2(config-if)# int fast 0/21
SW2(config-if)# shut
SW2(config-if)# int fast 0/23
SW2(config-if)# shut

SW2# show interface fastethernet 0/5 | include err-disabled
fastethernet0/5 is down, line protocol is down (err-disabled)

Configure interfaces Fast Ethernet 0/9 and 0/10 on Switch 1 so that even if they are configured to belong to the same VLAN they cannot forward unicast, broadcast, or multicast traffic to one another. Do not use any form of ACL or configure the ports to belong to a PVLAN. (1 point)

You are required to configure the interfaces with the command switchport protected to ensure that no traffic is forwarded between these ports. Traffic is forwarded as normal between a protected and an unprotected port. If you have configured this correctly, you have scored 1 point.

Section 2: IPv4 IGP Protocols (26 Points)

Section 2.1: EIGRP

Configure EIGRP per Figure 2-5 using an instance name of CCIE and autonomous system of 1. Each EIGRP router should have its Loopback 0 interface configured and advertised within EIGRP. (2 points)

Use vanilla EIGRP with a virtual instance configuration in preparation for the following questions, as shown in Example 2-8. If you have configured this correctly, you have scored 2 points.

Example 2-8 EIGRP Configuration and Verification

R1(config)# router eigrp CCIE
R1(config-router)# address-family ipv4 unicast autonomous-system 1
R1(config-router-af)# net 120.100.1.0 0.0.0.255

R3 should see the original VLAN 100 and Loopback 0 individual routes in addition to the summary route.100. 00:23:32. One method used to achieve this is by configuring multiple summary routes.0.0.2.100. therefore.0. GigabitEthernet0/0 D 120.0 0.255 R2(config-router-af)# network 120.123.255 R3(config-router-af)# network 120.34.100.0.255 R3(config-router-af)# network 120.100.R1(config-router-af)# net 120.0.100.0.100.255 R2(config-router-af)# network 120.255 R5(config)# router eigrp CCIE R5(config-router)# address-family ipv4 unicast autonomous-system 1 R5(config-router-af)# network 120. (3 points) Summarization will by default block all longer prefixes covered by the supernet configured on an interface.0. but the question does not permit this approach.200.0.123.100.0. GigabitEthernet0/0 D 120. the VLAN 100 and Loopback 0 route from R1 would not be seen by R3.0 0.0 0.100.0 [90/156160] via 120.0.0.100.0. 00:23:32.0.100.123.0.0 0. 00:23:32.3.0.123.123.100.3.2. GigabitEthernet0/0 D 120.3.255 R3(config-if)# router eigrp CCIE R3(config-router)# address-family ipv4 unicast autonomous-system 1 R3(config-router-af)# network 120.3.200.0.0 0.0.0.100.34.100.2.0 [90/158720] via 120.0 0.0. 00:23:32.123.0 [90/30720] via 120.0 [90/156160] via 120.5. 00:23:32. a leak map should be configured to match the VLAN 100 and Loopback 0 interfaces on R1.34.100.0 0.4.0.100.255 R4(config-router-af)# network 120.0/24 is subnetted. The leak map.100.100.100.100.0.0 0. 9 subnets D 120.3.100.100.0 0.123.100.255 R1# sh ip route eigrp 120. Do not apply the summary configuration directly to the interface. To facilitate the specific routes with the summary. Allowing specific routes to be advertised with summary routes can be a valid requirement.100. 
You can only use one summary route in your configuration.255 R1(config-router-af)# net 120.0.255 R2(config)# router eigrp CCIE R2(config-router)# address-family ipv4 unicast autonomous-system 1 R2(config-router-af)# network 120.0.100.0 [90/158720] via 120.0.100.0 [90/30720] via 120.0.0 0. which is .0.123. 00:23:32.4.123. GigabitEthernet0/0 D 120.3. GigabitEthernet0/0 D 120.5.2.100.0 0.255 R5(config-router-af)# network 120. GigabitEthernet0/0 Configure R1 to advertise a summary route of 120.0.0 0.255 R4(config-router)# router eigrp CCIE R4(config-router)# address-family ipv4 unicast autonomous-system 1 R4(config-router-af)# network 120.34.0/16 outbound on its VLAN132 interface.

0 255.5.0/24 [90/30720] via 120.4.2.5.0/24 [90/156160] via 120.0 R1(config)# access-list 1 permit 120. GigabitEthernet0/1 D 120.4. GigabitEthernet0/1 D 120.100. (2 points) EIGRP considers neighbors to be valid up to three times the hello interval.configured per a normal route map. you must apply it to the address family af-interface within the Enhanced Interior Gateway Routing Protocol (EIGRP) instance. is then applied to the standard summary route statement on R1.34.100.1.123.2. 00:23:32.123. 2 masks D 120. Example 2-9 R1 Leak Map Configuration and Verification Click here to view code image R1(config)# route-map LEAK-VLAN-100-LOOP0 permit 10 R1(config-route-map)# match ip address 1 R1(config-route-map)# exit R1(config)# access-list 1 permit 120.100.100.0.0.100.1.100.100.100. 00:23:32. GigabitEthernet0/0 D 120.0/16 [90/30720] via 120. 00:23:32.100.1.100. If you have configured this correctly.255. 10 subnets.100.0 leak-map LEAK-VLAN-100-LOOP0 R3# show ip route eigrp R3# show ip route eigrp 120.100. and R3 is 200 seconds. GigabitEthernet0/1 D 120. 00:00:53. GigabitEthernet0/1 Ensure that the length of time that EIGRP considers neighbors to be valid without receiving a hello packet on the VLAN 132 network between R1. You could usually tune the hold time by manipulating the hello intervals on an interface. 00:23:32.0/24 [90/156160] via 120. Because you cannot apply the summary configuration directly to the interface as per earlier EIGRP configuration.0.100.123.100.1.0.100.0 R1(config)# router eigrp CCIE R1(config-router)# address-family ipv4 unicast autonomous-system 1 R1(config-router-af)# af-interface Gigabit0/0 R1(config-router-af-interface)# summary-address 120. as shown in Example 2-9. R2. 00:23:32.123. and hello packets will be sent every 5 seconds. GigabitEthernet0/0 D 120.34.123. Do not change the hello-interval parameter.0/24 [90/30720] via 120.0.100. 
the VLAN 132 network is a high-speed link.100.1.2.0/24 [90/156160] via 120.0/8 is variably subnetted.200.100.0/24 [90/156160] via 120. 00:23:32. GigabitEthernet0/1 D 120. but this question ensures that you can achieve the desired result only by manually changing the hold time to 200 under the . you have scored 3 points.100.

VLAN 132 interfaces of routers R1, R2, and R3, as shown in Example 2-10 (either directly under the interfaces or within the EIGRP address family af-interface). Example 2-10 shows the required configuration and verification of hold time by displaying the neighbors' statistics as seen by R3. If you have configured this correctly, you have scored 2 points.

Example 2-10 EIGRP Hold-Time Configuration and Verification

R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip hold-time eigrp 1 200
R1(config-if)
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)# interface fastethernet0/0
R2(config-if)# ip hold-time eigrp 1 200
R2(config-if)
R3(config)# interface GigabitEthernet0/0
R3(config-if)# ip hold-time eigrp 1 200
R3(config-if)# do sh ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address          Interface   Hold   Uptime    SRTT   RTO   Q    Seq
                                 (sec)            (ms)         Cnt  Num
3   120.100.123.1    Gi0/1       198    00:00:57  3      200   0    25
2   120.100.123.2    Gi0/1       199    00:01:00  3      200   0    18
1   120.100.34.5     Gi0/0       12     00:23:32  1      200   0    21
0   120.100.34.4     Gi0/0       12     00:23:35  35     210   0    22

Configure new loopback interfaces on R1 and R2 using a Loopback 2 interface with an identical IP address of 150.101.1.1/24 on both routers; advertise this network into EIGRP on each router. Ensure that R3 prefers the route from R1 by manipulating the delay associated with this route. Do not manually adjust the delay associated with the interface by use of the delay command, and you are permitted to configure only R2 to influence the delay. (3 points)

R3 will receive identical routes from both R1 and R2 for network 150.101.1.0/24; therefore, both routes will be stored in the topology and routing table. R2 could influence the metric calculated by R3 by manipulating the delay of the new loopback interface or of the Ethernet interface connecting to R3, but this is not permitted. Because configuration is required solely on R2, the only method available is to create an offset list, which enables you to match specific routes and append further delay to them as they are advertised on R2 toward R3. If the offset list is not applied to the VLAN 132 interface, it would affect the whole process and not just advertisements

the delay is seen to increase to 5103μS for the route received from R2.100.0 R2(config-if)# router eigrp CCIE R2(config-router)# address-family ipv4 unicast autonomous-system 1 R2(config-router)# net 150. the route installed into the routing table of R3 is then the original advertised from R1 with the more appealing value of 5100μS.100. Query origin flag is 1. therefore. minimum MTU 1500 bytes Loading 1/255.2.1.255.2.2 on fastethernet1/1. as shown in Example 2-11. traffic share count is 1 Total delay is 5100 microseconds.101.1.101. minimum bandwidth is 100000 Kbit Reliability 255/255.0 255. via fastethernet1/1 Route metric is 156160.0.255. minimum bandwidth is 100000 Kbit Reliability 255/255.101.1.0.toward R3.0 Routing entry for 150. Hops 1 * 120. from 120. FD is .255.255 R3# show ip route 150.255 R2(config)# interface Loopback2 R2(config-if)# ip address 150.0/24 Known via "eigrp 1".1. 00:00:23 ago. 00:00:23 ago.1. Post configuration of the offset list on R2.123. minimum MTU 1500 bytes Loading 1/255. Hops 1 R3# show ip eigrp topology 150.123.0 R1(config-if)# router eigrp CCIE R1(config-router)# address-family ipv4 unicast autonomous-system 1 R1(config-router-af)# net 150.100. via fastethernet1/1 Route metric is 156160. Example 2-11 EIGRP Configuration and Verification Click here to view code image R1(config)# interface Loopback2 R1(config-if)# ip address 150.101. metric 156160. traffic share count is 1 Total delay is 5100 microseconds.123. 00:00:23 ago Routing Descriptor Blocks: 120. type internal Redistributing via eigrp 1 Last update from 120.123.0 0.1. from 120. distance 90.100.100.1 255.1. If you have configured this correctly.255. Example 2-11 shows the configuration required to advertise the new routes and the routes as they are received on R3.101.255.1.0 IP-EIGRP (AS 1): Topology entry for 150. you have scored 3 points.1.1 255.1.0 0.101.255. 2 Successor(s).0.101.123.0.0/24 State is Passive.101. Initial delay is shown to be 5100μS.

FD is 156160 Routing Descriptor Blocks: 120.101.123.101.123.100. from 120.1.156160 Routing Descriptor Blocks: 120. 00:00:17 ago.123.1. from 0x0 Composite metric is (156160/128256). 00:00:17 ago Routing Descriptor Blocks: * 120.100. via GigabitEthernet0/1 Route metric is 156160. metric 156160.100. from 0x0 Composite metric is (156160/128256). Hops 1 R3# show ip eigrp topology 150.123. Query origin flag is 1.0 255.100.1.1.101. Send flag is 0x0 . BW 100000 Kbit/sec. Send flag is Route is Internal R2# show interface Fast0/0 | include DLY MTU 1500 bytes.0 IP-EIGRP (AS 1): Topology entry for 150.1 (GigabitEthernet0/1).1. distance 90.2 (GigabitEthernet0/1).1 (GigabitEthernet0/1).0 R2(config)# router eigrp CCIE R2(config-router)# address-family ipv4 unicast autonomous-system 1 R2(config-router-af)# topology base R2(config-router-af)# offset-list 1 out 100 fastethernet0/0 R3# show ip route 150.100. from 120.101.0 Routing entry for 150. minimum bandwidth is 100000 Kbit Reliability 255/255.123.1.100. minimum MTU 1500 bytes Loading 1/255.255.1 on GigabitEthernet0/1.2. Vector metric: Minimum bandwidth is 100000 Kbit Total delay is 5100 microseconds Reliability is 255/255 Load is 1/255 Minimum MTU is 1500 Hop count is 1 120. DLY 100 usec.1.123. Send flag is Route is Internal 120.101.100. 1 Successor(s). R2(config)# access-list 1 permit 150.123.0/24 State is Passive.123.255.1.0/24 Known via "eigrp 1".100. type internal Redistributing via eigrp 1 Last update from 120.1. traffic share count is 1 Total delay is 5100 microseconds.123.100. Vector metric: Minimum bandwidth is 100000 Kbit Total delay is 5100 microseconds Reliability is 255/255 Load is 1/255 Minimum MTU is 1500 Hop count is 1 120.

Send flag is 0x0 Composite metric is (156260/128356).2.2.0 R2(config-if)# router eigrp CCIE2 R2(config-router)# address-family ipv4 unicast autonomous-system 2 R2(config-router-af)# af-interface default R2(config-router-af-interface)# authentication mode hmac-sha-256 0 lake2aho3 R2(config-router-af-interface)# exit R2(config-router-af)# network 150.2.0. Route is Internal Vector metric: Minimum bandwidth is 100000 Kbit Total delay is 5100 microseconds Reliability is 255/255 Load is 1/255 Minimum MTU is 1500 Hop count is 1 120.2.100.0 0. Example 2-16 shows the basic EIGRP configuration on R2 and R3 with HMAC authentication.0.255.255.123. as shown in Example 2-12.123. The simple fix to this is to apply authentication to all interfaces using the af-interface default command.123.1/24.255 R2(config-router-af)# network 120.101. you have scored 2 points.1 255.100.101. If you have configured this correctly.101.0 0. The only twist to the question is to perform authentication without the need for further configuration should there be additional peering to AS2. Example 2-12 R2 and R3 EIGRP AS2 Configuration and Verification Click here to view code image R2(config)# interface Loopback3 R2(config-if)# ip add 150. Any additional connections to AS2 should be encrypted using the same password without further configuration on R2 and R3.255 . (2 points) This straightforward configuration within a new EIGRP instance facilitates subsequent redistribution between EIGRP AS1 to AS2. and advertise this and only this network to R3 from R2. Configure a new loopback interface on R2 (Loopback 3) with an IP address of 150.0.0. Route is Internal Vector metric: Minimum bandwidth is 100000 Kbit Total delay is 5103 microseconds Reliability is 255/255 Load is 1/255 Minimum MTU is 1500 Hop count is 1 Configure EIGRP with a new instance name of CCIE2 between R2 and R3 over VLAN 132 with an autonomous system of 2 and 256-bit encryption with a password of lake2aho3. 
from 120.2 (GigabitEthernet0/1).Composite metric is (156160/128256).100.

2. 00:00:25.0/24 is subnetted. you have scored 2 points.101. Did you notice that Area 0 is partitioned? If you have configured this correctly.R3(config)# router eigrp CCIE2 R3(config-router)# address-family ipv4 unicast autonomous-system 2 R3(config-router-af)# af-interface default R3(config-router-af-interface)# authentication mode hmac-sha-256 0 lake2aho3 R3(config-router-af-interface)# exit R3(config-router-af)# network 120.100. all OSPF configuration where possible should not be configured under the process ID. Each OSPF router should also have its Loopback 0 interface configured and advertised within OSPF as follows: (2 points) R4 Loopback 0 – Area 0 R5 Loopback 0 – Area 0 R6 Loopback 0 – Area 1 SW1 Loopback 0 – Area 2 SW2 Loopback 0 – Area 1 SW3 Loopback 0 – Area 2 SW4 Loopback 0 – Area 3 As per Lab 1. 2 subnets D 150. the switches still require configuration under the OSPF process running this version of IOS.101.2: OSPF Configure OSPF per Figure 2-6 using a process ID of 1.0.100. as shown in Example 2-13.2.123. the question directs you to configure OSPF directly under the interfaces of the routers. Consider using the show ip ospf interface command to verify your configuration.0 R3(config-router-af)# sh ip route eigrp 2 150.123.0 [90/156160] via 120. GigabitEthernet0/1 Section 2. Example 2-13 Initial OSPF Configuration Click here to view code image R4(config)# interface Loopback 0 R4(config-if)# ip ospf 1 area 0 R4(config-if)# exit R4(config)# interface GigabitEthernet 0/1 R4(config-if)# ip ospf 1 area 1 R5(config)# interface Loopback 0 R5(config-if)# ip ospf 1 area 0 R5(config-if)# exit R5(config)# interface GigabitEthernet 0/1 .

0.0.0 area 2 SW1(config-router)# network 120.3 0. A tunnel between the two routers is also not permitted because this would form a direct neighbor relationship.100.R5(config-if)# ip ospf 1 area 2 R6(config)# interface Loopback 0 R6(config-if)# ip ospf 1 area 1 R6(config-if)# interface GigabitEthernet 0/0 R6(config-if)# ip ospf 1 area 1 R6(config-if)# interface GigabitEthernet 0/1 R6(config-if)# ip ospf 1 area 3 SW1(config)# ip routing SW1(config)# router ospf 1 SW1(config-router)# network 120. .0.0 area 2 SW4(config)# ip routing SW4(config)# router ospf 1 SW4(config-router)# network 120.0. you have scored 4 points.100.10.7. By then creating an additional virtual link between R6 and Switch 3.0.0.1 0. The resulting routing table verification on Switch 4 shows all networks are being learned correctly post configuration.0.0.0.63.63.0 area 3 Area 0 is partitioned between R4 and R5.0.0 area 3 SW3(config-router)# network 120. If you have configured this correctly.0.46. and R6-SW3. ensure that your network can accommodate this issue.0.1 0.0 area 1 SW3(config)# ip routing SW3(config)# router ospf 1 SW3(config-router)# network 120.100. R4-R6.2 0. as shown in Example 2-14.0 area 2 SW3(config-router)# network 120. Remember to configure all virtual links to the router ID of the remote router as opposed to the physical IP address on the corresponding interface.100.0 area 1 SW2(config-router)# net 120.0.1 0. A virtual link between R4 and R5 would not work here because you would need to transit multiple OSPF areas.0. Example 2-14 shows the required configuration to create virtual links between R5-SW3.3 0.0.0.0. the two effective halves of the network have been joined at an Area 0 level.1 0.9. You are not permitted to form any Area 0 neighbor relationship directly between R4 and R5 to join Area 0.100.100.100.1 0.53.100. 
(4 points) A fundamental rule of the Open Shortest Path First (OSPF) Protocol is not to design your network with a partitioned backbone Area 0 or partition if of a failure condition occurs.8.0 area 3 SW4(config-router)# network 120. You are required to configure a virtual link between R5 and Switch 3 to propagate Area 3 routes and similarly between R4 and R6.100.0 area 2 SW2(config)# ip routing SW2(config-if)# router ospf 1 SW2(config-router)# net 120.0.4 0.53.

Vlan63 120.6. 00:00:54. similarly. 00:00:54.9.200.1 R6(config-if)# router ospf 1 R6(config-router)# area 1 virtual-link 120. Vlan63 O IA O IA 120. which would by default show as R3 for the AS2 route advertised by R2.100.1 R6(config-router)# area 3 virtual-link 120.100. The AS2 route of 150. Vlan63 O IA 120.53.9.101.6.63. which will force the router ID to be identical. Inspection of the EIGRP topology table for the route on R3 shows that it is being advertised into EIGRP and that the router ID of R3 is 200. 00:00:54.1 SW3(config-if)# router ospf 1 SW3(config-router)# area 3 virtual-link 120.Example 2-14 OSPF Virtual-Link Configuration and Routing Table Verification Click here to view code image R5(config)# router ospf 1 R5(config-router)# area 2 virtual-link 120. Vlan63 O IA 120.100. you would find that the AS2 route would not be seen on R1 post redistribution from R3.100.100. Example 2-15 shows the redistribution configuration on R3.63. Upon inspection.100. 00:00:54.200.3. Pre-lab configuration ensured that both R1 and R3 have the same Loopback 255 IP address. 00:00:54. 2 masks O IA 120. (3 points) This is a simple redistribution question.5.100. This is due to an inherent safety mechanism within EIGRP that will cause redistribution issues with routers that have duplicate EIGRP router IDs.8.100.100.6.100.200.6.100.200.0/24 [110/2] via 120.2. 00:00:54.0/24 of R2.46.6. If you .100.1 SW4# sh ip route ospf 120.200.6.3: Redistribution Perform a one-way redistribution of EIGRP AS2 into EIGRP AS1 on R3 using the following default metric: 1544 20000 255 1 1500. 10 subnets.3.7.1/32 [110/3] via 120.1/32 [110/2] via 120.4.100.63.100.3. 00:00:55.4.1 R4(config)# router ospf 1 R4(config-router)# area 1 virtual-link 120.100.2.1/32 [110/3] via 120.100.63.101. Vlan63 O IA 120. Vlan63 Section 2. you would believe the only complexity would be that of modifying the next-hop attribute for R1. 00:00:54. 
the router ID of R1 is also 200.9.5.63.63.100.1 SW3(config-router)# router ospf 1 SW3(config-router)# area 2 virtual-link 120. Perform configuration only on R3 for this task.6.3.63. Ensure that R1 shows a next hop for the AS1 advertised route of 150.100.0.1/32 [110/3] via 120.0/8 is variably subnetted.100.200.1/32 [110/3] via 120.100.100.0/24 [110/2] via 120. Vlan63 O IA 120.0/24 is received on R3 but is absent on R1.1/32 [110/2] via 120.0. In fact. Vlan63 O IA 120.63.100.

0 % Subnet not in table R3# show ip eigrp topology 150. 1 Successor(s).123. even though R2 resides on the same IP subnet as R1 and R2 and is the originating router. Query origin flag is 1. the route is then accepted by R1. The EIGRP third-party next-hop feature can be used to modify the next-hop attribute with a router redistributing another routing protocol into EIGRP in a similar manner to that of BGP.2.2 (GigaEthernet0/1).2.101.200. 1 Successor(s). Example 2-15 R3 EIGRP Redistribution Configuration and Verification Click here to view code image R3(config)# router eigrp CCIE R3(config-router)# address-family ipv4 unicast autonomous-system 1 R3(config-router-af)# topology base R3(config-router-af-topology)# redistribute eigrp 2 R1# show ip route 150.change the router ID of R3 to that of its Loopback 0 interface (120.100.200.123.101.0/24 IP-EIGRP (AS 1): Topology entry for 150.0/24 State is Passive.100.0/24 State is Passive. Route is Internal Vector metric: Minimum bandwidth is 100000 Kbit Total delay is 5100 microseconds Reliability is 255/255 Load is 1/255 .200 (this system) AS number of route is 2 External protocol is EIGRP.101.1). Send flag is 0x0 Composite metric is (156160/128256). external metric is 156160 Administrator tag is 0 (0x00000000) IP-EIGRP (AS 2): Topology entry for 150.100. Query origin flag is 1. FD is 156160 Routing Descriptor Blocks: 120.3. from 120. Route is External Vector metric: Minimum bandwidth is 100000 Kbit Total delay is 5100 microseconds Reliability is 255/255 Load is 1/255 Minimum MTU is 1500 Hop count is 1 External data: Originating router is 200.2.2. FD is 156160 Routing Descriptor Blocks: 120. Send flag is 0x0 Composite metric is (156160/0). as shown in Example 2-15. you have scored 3 points.2.123. If you have configured this correctly.2.101. from Redistributed.100. but of course a next hop is shown as R3.

1 R3# show ip eigrp topology | include ID IP-EIGRP Topology Table for AS(1)/ID(120.101.2.Minimum MTU is 1500 Hop count is 1 R3# show ip eigrp topology | include ID IP-EIGRP Topology Table for AS(1)/ID(200. from Redistributed.101. FD is 156160 Routing Descriptor Blocks: 120.2 (GigabitEthernet0/1).101.0/24 State is Passive. FD is 156160 Routing Descriptor Blocks: 120. from 120.2. Send flag is 0x0 Composite metric is (156160/128256).200. 1 Successor(s). Query origin flag is 1.2. Send flag is 0x0 Composite metric is (156160/0).200) IP-EIGRP Topology Table for AS(2)/ID(200.200. external metric is 156160 Administrator tag is 0 (0x00000000) IP-EIGRP (AS 2): Topology entry for 150.2.100.123. Query origin flag is 1.100.200.200) R1# show ip eigrp topology | include ID IP-EIGRP Topology Table for AS(1)/ID(200.0 .123.0/24 IP-EIGRP (AS 1): Topology entry for 150.100.200.100.3.3.200) R1# R3(config)# router eigrp CCIE R3(config-router)# address-family ipv4 unicast autonomous-system 1 R3(config-router-af)# eigrp router-id 120.100. Route is External Vector metric: Minimum bandwidth is 100000 Kbit Total delay is 5100 microseconds Reliability is 255/255 Load is 1/255 Minimum MTU is 1500 Hop count is 1 External data: Originating router is 120.100.123.1) R3# show ip eigrp topology 150.2.200.200.2. 1 Successor(s). Route is Internal Vector metric: Minimum bandwidth is 100000 Kbit Total delay is 5100 microseconds Reliability is 255/255 Load is 1/255 Minimum MTU is 1500 Hop count is 1 R1# show ip route 150.1 (this system) AS number of route is 2 External protocol is EIGRP.3.0/24 State is Passive.101.

101.100. minimum bandwidth is 100000 Kbit Reliability 255/255. via GigabitEthernet0/0 Route metric is 158720. minimum bandwidth is 100000 Kbit Reliability 255/255. 00:03:06 ago.2.123.Routing entry for 150. metric 158720.0 Routing entry for 150. Because the metrics are identical on R4 and R5. Hops 1 R3(config)# router eigrp CCIE R3(config-router)# address-family ipv4 unicast autonomous-system 1 R3(config-router-af)# af-interface GigabitEthernet0/1 R3(config-router-af-interface)# no next-hop-self R1# show ip route 150. Use a metric of 5000 for redistributed routes into OSPF. distance 170. Example 2-16 R4 and R5 Redistribution Configuration and Verification on R3 Click here to view code image R4(config-router)# router ospf 1 R4(config-router)# redistribute eigrp 1 subnets .3 on GigabitEthernet0/0. distance 170. type external Redistributing via eigrp 1 Last update from 120. type external Redistributing via eigrp 1 Last update from 120.100. (2 points) This is an unambiguous redistribution question that sets the scene for the question that follows. from 120.0/24 Known via "eigrp 1".100. from 120.2 on Gigabit0/0.123.3.100. traffic share count is 1 Total delay is 5200 microseconds. which should appear as external type 2 routes and the following K values for OSPF rotes redistributed into EIGRP: 1544 20000 255 1 1500. 00:00:24 ago Routing Descriptor Blocks: * 120.3.101.2. there are multiple routes with load-sharing potential. you have scored 2 points. Hops 1 Perform mutual redistribution of EIGRP AS1 and OSPF on R4 and R5. metric 158720.123.3.123.2. minimum MTU 1500 bytes Loading 1/255.100.2. traffic share count is 1 Total delay is 5200 microseconds.123.123.100. minimum MTU 1500 bytes Loading 1/255. 00:00:24 ago. via GigabitEthernet0/0 Route metric is 158720.0/24 Known via "eigrp 1".101. Example 2-16 shows the required configuration on R4 and R5 with verification of external EIGRP received routes on R3. If you have configured this correctly. 
00:03:06 ago Routing Descriptor Blocks: * 120.

10.4.0 [90/2297856] via 120. 00:01:51. 00:00:24.0/16 [90/2172416] via 120.0/24 is subnetted.1/32 [170/6780416] via 120.34.7.4.100.34. GigabitEthernet0/0 [170/6780416] via 120.100.100. GigabitEthernet0/0 D 120. 00:05:05. 00:00:22.34.1/32 [170/6780416] via 120.34.0.123.0.5. 00:00:22.4. 00:00:23. GigabitEthernet0/0 D EX 120.1.100.100. GigabitEthernet0/0 [170/6780416] via 120.5.100.1.0/24 [90/156160] via 120. Gigabit0/1 120. GigabitEthernet0/0 [170/6780416] via 120.4.100. 00:05:07.123. GigabitEthernet0/0 [170/6780416] via 120.0.100.100. 00:00:24. 00:00:23.34.100.100.101.34. GigabitEthernet0/0 D EX 120.100.63.0/24 [170/6780416] via 120.34.34.100. 00:00:24.100. GigabitEthernet0/0 D 120.1.34.4.34.100.5.123.4.100.100. GigabitEthernet0/1 D EX 120.101.100.34. 00:00:22. 00:07:17.100. GigabitEthernet0/0 D EX 120. 00:05:07.5. 3 masks D EX 120. 00:05:07.4.100.9.123.1.1.34.100. 00:00:22.4.1/32 [170/6780416] via 120.100.5. 00:00:23. GigabitEthernet0/1 D 120.5.8.4.100.34.5. GigabitEthernet0/1 D 120.100.100. GigabitEthernet0/0 D EX 120.0/8 is variably subnetted.0.0/24 [90/156160] via 120. GigabitEthernet0/0 D EX 120.4.2. 00:00:24. 00:00:22.1/32 [170/6780416] via 120.100.100.1/32 [170/6780416] via 120.6. GigabitEthernet0/0 D 120.R4(config-router)# default-metric 5000 R4(config-router)# router eigrp CCIE R4(config-router)# address-family ipv4 unicast autonomous-system 1 R4(config-router-af)# topology base R4(config-router-af-topology)# redistribute ospf 1 R4(config-router-af-topology)# default-metric 1544 20000 255 1 1500 R5(config-router)# router ospf 1 R5(config-router)# redistribute eigrp 1 subnets R5(config-router)# default-metric 5000 R5(config-router)# router eigrp CCIE R5(config-router)# address-family ipv4 unicast autonomous-system 1 R5(config-router-af)# topology base R5(config-router-af-topology)# redistribute ospf 1 R5(config-router-af-topology)# default-metric 1544 20000 255 1 1500 R3# show ip route eigrp 150. 2 subnets D 150.5.100.34. GigabitEthernet0/0 D EX 120. 
GigabitEthernet0/0 .100. 20 subnets.5.1/32 [170/6780416] via 120.34.1/32 [170/6780416] via 120.0/24 [90/2297856] via 120. GigabitEthernet0/0 [170/6780416] via 120. GigabitEthernet0/0 [170/6780416] via 120.100.34. 00:00:22.5.2. 00:07:17.100.100.100.0/24 [90/2297856] via 120.

1.4.34.123. This simply enables the original route received from R5 to take precedence.34.2. metric 6780416. (3 points) Example 2-20 shows both routes for 120. 00:00:24.100. an offset list to manipulate delay would be of no use because you are permitted to configure only R3.100.100.D EX D EX D D 120.100. If the route from R5 is withdrawn. GigabitEthernet0/0 [170/6780416] via 120.100.100.100.100.63.100.0/24 [90/2172416] via 120. the route from R5 would enter the routing table automatically.100. By configuring a route map on R3 to match only the route source of R4. minimum MTU 1500 bytes .63.0/24 (VLAN 63). You are therefore required to penalize the route received from R4 only to ensure that the R5-generated route is preferred on R3.0/24 [170/6780416] via 120. Example 2-17 also details the routing tables of each device to confirm redistribution from EIGRP into OSPF or vice versa. the route advertised from R4 (120.34.0 Routing entry for 120.63.5) for this destination subnet.53.34.63. 00:01:59 ago Routing Descriptor Blocks: 120. GigabitEthernet0/0 120.100.5.0/24 [90/2172416] via 120. Because all routers share a common media.34. GigabitEthernet0/0 120.63.46.100. GigabitEthernet0/1 R3 will have equal-cost external EIGRP routes to the redistributed OSPF subnet 120. distance 170. Similarly.200.100.0/24).100.0/24 received on R3 from R4 and R5. 00:00:24.100. 00:00:24.34. If this route fails. The topology table shows that the R4 route is also present and that R4 is effectively the feasible successor for this network on this router. as shown in Example 2-17. traffic share count is 1 Total delay is 200100 microseconds. Example 2-17 R3 OSPF Redistribution Configuration and Verification Click here to view code image R3# show ip route 120. If you have configured this correctly.5 on GigabitEthernet0/0.34. 00:05:08.100. GigabitEthernet0/0 [170/6780416] via 120.4) should be used dynamically. 
Example 2-17 shows the required configuration and verification that the route is preferred via the R5.100.5. Configure only R3 to ensure that R3 routes via a next hop of R5 (120. GigabitEthernet0/1 120. 00:00:24. 00:01:59 ago.100. minimum bandwidth is 1544 Kbit Reliability 255/255.0/24 Known via "eigrp 1". you can increase the metric for the required route (120.34.5.34. You will need a second permit statement on the route map (permit 20) to enable all other routes inbound to R3 to enter unaltered. type external Redistributing via eigrp 1 Last update from 120. via GigabitEthernet0/0 Route metric is 6780416. the interface connecting to R4 or R5 cannot be modified on R3 because this would affect both routes.0/24 [170/6780416] via 120.5. 00:05:07. you have scored 3 points.4.100.100.100. from 120.123.

minimum bandwidth is 1544 Kbit Reliability 255/255.63. via GigabitEthernet0/0 Route metric is 6780416.34.63.100.63. 00:00:21 ago.5 on GigabitEthernet0/0. Query origin flag is 1.Loading 1/255.0 R3(config)# router eigrp CCIE R3(config-router)# address-family ipv4 unicast autonomous-system 1 R3(config-router-af)# topology base R3(config-router-af-topology)# distribute-list route-map PENALISEVLAN63 in GigabitEthernet0/0 R3(config-router-af-topology)# exit R3(config-router-af)# exit R3(config-router)# exit R3(config)# route-map PENALISE-VLAN63 permit 10 R3(config-route-map)# match ip address 2 R3(config-route-map)# match ip route-source 1 R3(config-route-map)# set metric +500000 R3(config-route-map)# route-map PENALISE-VLAN63 permit 20 R3# show ip route 120. type external Redistributing via eigrp 1 Last update from 120.5.5 (GigabitEthernet0/0).100.100.34.0 255.100. 1 Successor(s).63. FD is 6780416 Routing Descriptor Blocks: 120.100. Route is External Vector metric: Minimum bandwidth is 1544 Kbit Total delay is 200100 microseconds Reliability is 255/255 Load is 1/255 Minimum MTU is 1500 .100. from 120.255. from 120.63.100.34. traffic share count is 1 Total delay is 200100 microseconds.5. minimum bandwidth is 1544 Kbit Reliability 255/255.34.100.4 R3(config)# access-list 2 permit 120. via GigabitEthernet0/0 Route metric is 6780416.4. 00:01:59 ago.34.0 Routing entry for 120.100.4. minimum MTU 1500 bytes Loading 1/255.100. 00:00:21 ago Routing Descriptor Blocks: * 120.100.34. Hops 1 R3# show ip eigrp topology 120. minimum MTU 1500 bytes Loading 1/255. Hops 1 * 120.0 IP-EIGRP (AS 1): Topology entry for 120.0/24 State is Passive. metric 6780416. Send flag is 0x0 Composite metric is (6780416/6777856). traffic share count is 1 Total delay is 200100 microseconds. from 120.255.0/24 Known via "eigrp 1".100. distance 170.34. Hops 1 R3(config)# access-list 1 permit 120.34.100.5.

Section 3: BGP (15 Points) Configure BGP peering per Figure 2-7 as follows: iBGP R1-R3. Send flag is 0x0 Composite metric is (128000000/6777856).100.4 (GigabitEthernet0/0). and R5 as route reflectors within their own autonomous system. Autosummarization is disabled to ensure BGP does not summarize routes. The question does not dictate that you must configure peer groups. the peering fails inbound and outbound from AS400. be required for the peering from AS400 to AS300 and AS400 to AS200 because loopback interfaces are used for the external peering here. which peer from connected interfaces. external metric is 2 Administrator tag is 0 (0x00000000) Note The full IP routing tables of each device are provided within the accompanying configurations to verify your redistributed routes. R5-SW1. Do not use the command ebgp-multihop within your configurations. (3 points) The restrictions within the internal Border Gateway Protocol (iBGP) peering require you to configure R3.Hop count is 1 External data: Originating router is 120. of course. from 120. but it is considered good practice when you have more than one peer with a similar peering configuration.100. external metric is 2 Administrator tag is 0 (0x00000000) 120. R6-SW4.34.1 AS number of route is 1 External protocol is OSPF.100. This feature would.multihop. unlike AS100 to AS200 and AS300. Route is External Vector metric: Minimum bandwidth is 20 Kbit Total delay is 0 microseconds Reliability is 0/255 Load is 0/255 Minimum MTU is 0 Hop count is 1 External data: Originating router is 120.34. R4-SW2. Use of the command neighbor disable-connected-check on R6. R4. however. R2-R3. and synchronization is disabled because the internal gateway protocol (IGP) will not be synchronized to BGP within this lab. The question does. R3-R5. Use loopback interfaces to peer on all routers with the exception of peering between R3-R4 and R3-R5. dictate that you must not use ebgp.1 AS number of route is 1 External protocol is OSPF. SW3. 
R5-SW3. The only way to fix this is to use a feature that disables connection verification to establish an external BGP (eBGP) peering session with a single-hop peer that uses a loopback interface.4. Without ebgp-multihop. Example 2-18 shows the basic .100. eBGP R3-R4. and SW4 for the required peering allows the peering to be formed successfully.4. SW4-SW3. R4-R6.5.

1 update-source Loopback0 R2(config)# router R2(config-router)# R2(config-router)# R2(config-router)# R2(config-router)# bgp 100 no auto-summary no synchronization neighbor 120. If you have configured this correctly.34.100.6.100.peering configuration for BGP.7.100.3.1 remote-as 100 neighbor 120.8.100.100.1 peer-group AS100 neighbor 120.1 peer-group AS300 .100.4 remote-as 200 neighbor 120.5 remote-as 300 R4(config)# router R4(config-router)# R4(config-router)# R4(config-router)# R4(config-router)# R4(config-router)# R4(config-router)# R4(config-router)# R4(config-router)# R4(config-router)# R4(config-router)# bgp 200 router bgp 200 no auto-summary no synchronization neighbor AS200 peer-group neighbor AS200 remote-as 200 neighbor AS200 update-source Loopback0 neighbor AS200 route-reflector-client neighbor 120.1 remote-as 100 neighbor 120.3. you have scored 3 points.100. Example 2-18 BGP Peering Configuration and Verification Click here to view code image R1(config)# router R1(config-router)# R1(config-router)# R1(config-router)# R1(config-router)# bgp 100 no auto-summary no synchronization neighbor 120.100.34.1. 
the eBGP failure condition observed on peering to and from AS400.1 peer-group AS100 neighbor AS100 route-reflector-client neighbor 120.3.1 peer-group AS200 neighbor 120.3 remote-as 100 R5(config)# router R5(config-router)# R5(config-router)# R5(config-router)# R5(config-router)# R5(config-router)# R5(config-router)# R5(config-router)# bgp 300 no auto-summary no synchronization neighbor AS300 peer-group neighbor AS300 remote-as 300 neighbor AS300 update-source Loopback0 neighbor AS300 route-reflector-client neighbor 120.1 update-source Loopback0 R3(config)# router R3(config-router)# R3(config-router)# R3(config-router)# R3(config-router)# R3(config-router)# R3(config-router)# R3(config-router)# R3(config-router)# R3(config-router)# R3(config-router)# bgp 100 no auto-summary no synchronization neighbor AS100 peer-group neighbor AS100 remote-as 100 neighbor AS100 update-source Loopback0 neighbor 120. and the required configuration to rectify the condition.34.3.100.100.2.100.100.1 peer-group AS200 neighbor 120.

R5(config-router)# neighbor 120.100.9.1 peer-group AS300
R5(config-router)# neighbor 120.100.34.3 remote-as 100
R6(config)# router bgp 200
R6(config-router)# no auto-summary
R6(config-router)# no synchronization
R6(config-router)# neighbor 120.100.4.1 remote-as 200
R6(config-router)# neighbor 120.100.4.1 update-source Loopback0
R6(config-router)# neighbor 120.100.10.1 remote-as 400
R6(config-router)# neighbor 120.100.10.1 update-source Loopback0

SW1(config)# router bgp 300
SW1(config-router)# no auto-summary
SW1(config-router)# no synchronization
SW1(config-router)# neighbor 120.100.5.1 remote-as 300
SW1(config-router)# neighbor 120.100.5.1 update-source Loopback0

SW2(config)# router bgp 200
SW2(config-router)# no auto-summary
SW2(config-router)# no synchronization
SW2(config-router)# neighbor 120.100.4.1 remote-as 200
SW2(config-router)# neighbor 120.100.4.1 update-source Loopback0

SW3(config)# router bgp 300
SW3(config-router)# no auto-summary
SW3(config-router)# no synchronization
SW3(config-router)# neighbor 120.100.5.1 remote-as 300
SW3(config-router)# neighbor 120.100.5.1 update-source Loopback0
SW3(config-router)# neighbor 120.100.10.1 remote-as 400
SW3(config-router)# neighbor 120.100.10.1 update-source Loopback0

SW4(config)# router bgp 400
SW4(config-router)# no auto-summary
SW4(config-router)# no synchronization
SW4(config-router)# neighbor 120.100.6.1 remote-as 200
SW4(config-router)# neighbor 120.100.6.1 update-source Loopback0
SW4(config-router)# neighbor 120.100.9.1 remote-as 300
SW4(config-router)# neighbor 120.100.9.1 update-source Loopback0

SW4# sh ip bgp neigh 120.100.6.1 | include External
External BGP neighbor not directly connected.
SW4# show ip bgp neighbors 120.100.9.1 | include External
External BGP neighbor not directly connected.
SW4#
SW4# sh ip bgp neighbors 120.100.6.1 | include active
No active TCP connection
SW4# sh ip bgp neighbors 120.100.9.1 | include active
No active TCP connection

SW4(config-router)# neighbor 120.100.6.1 disable-connected-check
SW4(config-router)# neighbor 120.100.9.1 disable-connected-check
R6(config-router)# neighbor 120.100.10.1 disable-connected-check

SW3(config-router)# neighbor 120.100.10.1 disable-connected-check
SW4# show ip bgp neighbors 120.100.6.1 | include Established
BGP state = Established, up for 00:02:01
SW4# show ip bgp neighbors 120.100.9.1 | include Established
BGP state = Established, up for 00:02:05

You will also find peering issues between R1 and R3. Example 2-19 shows the routers are
informing each other they have an incorrect BGP identifier. This is simply because both routers
have an identical loopback interface address of 200.200.200.200, which is used as the BGP
identifier. By changing the ID of one router, the peering is established. It does not matter what
you change the ID to, but it needs to be unique; the Loopback 0 interface would be a good
choice. No extra points for this task because this is part of the original peering.
Example 2-19 R1 and R3 Peering Issue Configuration and Verification

R1# * 19:30:13.287: %BGP-3-NOTIFICATION: sent to neighbor 120.100.3.1 2/3 (BGP identifier wrong) 4 bytes C8C8C8C8
R3# * 19:25:30.043: %BGP-3-NOTIFICATION: received from neighbor 120.100.1.1 2/3 (BGP identifier wrong) 4 bytes C8C8C8C8
R1# show ip bgp summary | include identifier
BGP router identifier 200.200.200.200, local AS number 100
R3# show ip bgp summary | include identifier
BGP router identifier 200.200.200.200, local AS number 100
R1(config-router)# bgp router-id 120.100.1.1
*19:34:45.467: %BGP-5-ADJCHANGE: neighbor 120.100.3.1 Up
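
The check below is an added example, not part of the lab's own material: it decodes the NOTIFICATION lines from Example 2-19 and correlates the refused identifier with the router IDs reported by show ip bgp summary. The function names are assumptions of this example, and the log and summary lines are re-typed from Example 2-19 with wrapped lines joined.

```python
import ipaddress
import re
from collections import defaultdict

# OPEN Message Error (error code 2) subcodes defined in RFC 4271.
OPEN_ERROR_SUBCODES = {
    1: "Unsupported Version Number",
    2: "Bad Peer AS",
    3: "Bad BGP Identifier",
    4: "Unsupported Optional Parameter",
    6: "Unacceptable Hold Time",
}

NOTIFICATION_RE = re.compile(
    r"^(?P<host>\S+)#.*%BGP-3-NOTIFICATION: (?P<direction>sent to|received from) "
    r"neighbor (?P<neighbor>\S+) (?P<code>\d+)/\s*(?P<subcode>\d+) "
    r"\([^)]*\) (?P<length>\d+) bytes (?P<data>[0-9A-Fa-f]+)"
)
IDENTIFIER_RE = re.compile(
    r"BGP router identifier (?P<rid>[\d.]+), local AS number (?P<asn>\d+)"
)

# Lines from Example 2-19, with the wrapped log lines joined.
LOG_LINES = [
    "R1# * 19:30:13.287: %BGP-3-NOTIFICATION: sent to neighbor 120.100.3.1 "
    "2/3 (BGP identifier wrong) 4 bytes C8C8C8C8",
    "R3# * 19:25:30.043: %BGP-3-NOTIFICATION: received from neighbor 120.100.1.1 "
    "2/3 (BGP identifier wrong) 4 bytes C8C8C8C8",
]
SUMMARY_LINES = {
    "R1": "BGP router identifier 200.200.200.200, local AS number 100",
    "R3": "BGP router identifier 200.200.200.200, local AS number 100",
}


def parse_notification(line):
    """Return the fields of one %BGP-3-NOTIFICATION line, or None if no match."""
    m = NOTIFICATION_RE.search(line)
    if m is None:
        return None
    code, subcode = int(m["code"]), int(m["subcode"])
    data = bytes.fromhex(m["data"])
    if len(data) != int(m["length"]):
        raise ValueError("data length does not match the logged byte count")
    rejected = None
    # In the lab's logs the 4 data bytes of a 2/3 error are the identifier
    # that was refused, in network byte order (C8 = 200).
    if (code, subcode) == (2, 3) and len(data) == 4:
        rejected = str(ipaddress.IPv4Address(data))
    return {
        "host": m["host"],
        "direction": m["direction"],
        "neighbor": m["neighbor"],
        "code": code,
        "subcode": subcode,
        "meaning": OPEN_ERROR_SUBCODES.get(subcode) if code == 2 else None,
        "rejected_identifier": rejected,
    }


def duplicate_identifiers(summary_lines):
    """Group routers by (router ID, local AS); keep groups with more than one."""
    by_id = defaultdict(list)
    for host, line in summary_lines.items():
        m = IDENTIFIER_RE.search(line)
        if m:
            by_id[(m["rid"], int(m["asn"]))].append(host)
    return {key: sorted(hosts) for key, hosts in by_id.items() if len(hosts) > 1}


def correlate(log_lines, summary_lines):
    """Pair each 'Bad BGP Identifier' log line with the routers sharing that ID."""
    dups = duplicate_identifiers(summary_lines)
    findings = []
    for line in log_lines:
        n = parse_notification(line)
        if not n or n["rejected_identifier"] is None:
            continue
        holders = [h for (rid, _asn), hosts in dups.items()
                   if rid == n["rejected_identifier"] for h in hosts]
        findings.append((n["host"], n["neighbor"], n["rejected_identifier"], holders))
    return findings


if __name__ == "__main__":
    for finding in correlate(LOG_LINES, SUMMARY_LINES):
        print(finding)
```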

Routers R1 and R2 in AS100 should be made to passively accept only BGP sessions. R3
should be configured to actively create only BGP sessions to R1 and R2 within AS100. (3
points)
A BGP speaker by default will attempt to open a session on TCP port 179 with a configured peer;
as such, a normal peering arrangement will see two sessions being established to build a
successful neighbor relationship. This behavior can be modified to effectively allow sessions to
be established only inbound or only outbound. The solution to the question is achieved by
configuring the neighbor transport connection-mode to passive (only inbound connections will
be established) on R1 and R2 and active (only outbound sessions will be established) on R3. You
must manually activate each neighbor on each router for the solution to work effectively. If you
have configured this correctly, as shown in Example 2-20, you have scored 3 points. Consider
using the show ip bgp summary command to verify your configuration.
Example 2-20 R1, R2, and R3 Connection Mode Configuration

R1(config)# router bgp 100
R1(config-router)# neighbor 120.100.3.1 transport connection-mode passive
R1(config-router)# neighbor 120.100.3.1 activate
R2(config)# router bgp 100
R2(config-router)# neighbor 120.100.3.1 transport connection-mode passive
R2(config-router)# neighbor 120.100.3.1 activate
R3(config)# router bgp 100
R3(config-router)# neighbor AS100 transport connection-mode active
R3(config-router)# neighbor 120.100.1.1 activate
R3(config-router)# neighbor 120.100.2.1 activate
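
An added audit sketch, not part of the lab's own material: it reads the connection-mode settings for the AS100 peerings, resolves peer-group inheritance, and flags any pair where both ends are passive or both are active, since by the description above neither arrangement can bring a session up. The config text is re-typed from the lab's AS100 peering and Example 2-20; BROKEN_CONFIGS is a constructed mistake, and the function names are assumptions of this example.

```python
import ipaddress
import re

NEIGHBOR_RE = re.compile(r"^\s*neighbor (\S+) (.+)$")

# Loopback 0 addresses used for the AS100 peering in this lab.
LOOPBACKS = {"120.100.1.1": "R1", "120.100.2.1": "R2", "120.100.3.1": "R3"}

PAGE_CONFIGS = {
    "R1": """router bgp 100
 neighbor 120.100.3.1 remote-as 100
 neighbor 120.100.3.1 update-source Loopback0
 neighbor 120.100.3.1 transport connection-mode passive
""",
    "R2": """router bgp 100
 neighbor 120.100.3.1 remote-as 100
 neighbor 120.100.3.1 update-source Loopback0
 neighbor 120.100.3.1 transport connection-mode passive
""",
    "R3": """router bgp 100
 neighbor AS100 peer-group
 neighbor AS100 remote-as 100
 neighbor AS100 update-source Loopback0
 neighbor AS100 transport connection-mode active
 neighbor 120.100.1.1 peer-group AS100
 neighbor 120.100.2.1 peer-group AS100
""",
}

# Constructed mistake: R2 set to active, the same mode as R3.
BROKEN_CONFIGS = dict(PAGE_CONFIGS, R2=PAGE_CONFIGS["R2"].replace("passive", "active"))


def _is_address(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def connection_modes(config):
    """Map each neighbor address to passive, active or default (unset)."""
    own, member_of, peers = {}, {}, []
    for line in config.splitlines():
        m = NEIGHBOR_RE.match(line)
        if not m:
            continue
        name, words = m.group(1), m.group(2).split()
        if _is_address(name) and name not in peers:
            peers.append(name)
        if len(words) == 2 and words[0] == "peer-group":
            member_of[name] = words[1]          # neighbor X peer-group GROUP
        elif len(words) == 3 and words[:2] == ["transport", "connection-mode"]:
            own[name] = words[2]                # set on a neighbor or on a group
    # A setting on the neighbor itself wins over one inherited from its group.
    return {p: own.get(p) or own.get(member_of.get(p)) or "default" for p in peers}


def verdict(mode_a, mode_b):
    if mode_a == mode_b == "passive":
        return "down: both sides only listen"
    if mode_a == mode_b == "active":
        return "down: both sides only initiate"
    return "ok"


def audit(configs, loopbacks):
    """Return {(router, router): verdict} for every peering found in configs."""
    address_of = {router: ip for ip, router in loopbacks.items()}
    modes = {router: connection_modes(cfg) for router, cfg in configs.items()}
    results = {}
    for router, peers in modes.items():
        for peer_ip, mode in peers.items():
            peer = loopbacks.get(peer_ip)
            if peer not in modes:
                continue
            pair = tuple(sorted((router, peer)))
            if pair in results:
                continue
            back = modes[peer].get(address_of.get(router))
            if back is None:
                results[pair] = "down: peer has no neighbor statement back"
            else:
                results[pair] = verdict(mode, back)
    return results


if __name__ == "__main__":
    print(audit(PAGE_CONFIGS, LOOPBACKS))
    print(audit(BROKEN_CONFIGS, LOOPBACKS))
```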

Configure the following loopback interfaces on R3 and SW4; advertise these networks
into BGP using the network command: (2 points)
R3 – Loopback interface 5 (152.100.100.1/24)
SW4 – Loopback interface 5 (152.200.32.1/24)
SW4 – Loopback interface 6 (152.200.33.1/24)
SW4 – Loopback interface 7 (152.200.34.1/24)
SW4 – Loopback interface 8 (152.200.35.1/24)
This simple question creates BGP routes for the following task. If you have configured this
correctly, as shown in Example 2-21, you have scored 2 points.
Example 2-21 R3 and SW4 Network Advertisement Configuration and Verification

R3(config)# interface Loopback5
R3(config-if)# ip address 152.100.100.1 255.255.255.0
R3(config-if)# router bgp 100
R3(config-router)# network 152.100.100.0 mask 255.255.255.0
SW4(config)# interface Loopback5
SW4(config-if)# ip address 152.200.32.1 255.255.255.0
SW4(config-if)# interface Loopback6
SW4(config-if)# ip address 152.200.33.1 255.255.255.0

SW4(config-if)# interface Loopback7
SW4(config-if)# ip address 152.200.34.1 255.255.255.0
SW4(config-if)# interface Loopback8
SW4(config-if)# ip address 152.200.35.1 255.255.255.0
SW4(config-if)# router bgp 400
SW4(config-router)# network 152.200.32.0 mask 255.255.255.0
SW4(config-router)# network 152.200.33.0 mask 255.255.255.0
SW4(config-router)# network 152.200.34.0 mask 255.255.255.0
SW4(config-router)# network 152.200.35.0 mask 255.255.255.0
R3# show ip bgp
BGP table version is 10, local router ID is 200.200.200.200
Status codes: s suppressed, d damped, h history, * valid, > best, i internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop         Metric LocPrf Weight Path
*> 152.100.100.0/24 0.0.0.0               0         32768 i
*  152.200.32.0/24  120.100.34.4                        0 200 400 i
*>                  120.100.34.5                        0 300 400 i
*  152.200.33.0/24  120.100.34.4                        0 200 400 i
*>                  120.100.34.5                        0 300 400 i
*  152.200.34.0/24  120.100.34.4                        0 200 400 i
*>                  120.100.34.5                        0 300 400 i
*  152.200.35.0/24  120.100.34.4                        0 200 400 i
*>                  120.100.34.5                        0 300 400 i

Configure R3 to inform R4 that it does not want to receive routes advertised from SW4
for networks 152.200.33.0/24, 152.200.34.0/24, and 152.200.35.0/24. Achieve this in
such a manner that R4 does not actually advertise these routes toward R3. You may also
configure R4. (4 points)
BGP has a prefix-based outbound route filtering (ORF) mechanism that can send and receive
capabilities to minimize BGP updates sent between BGP peers. Advertisement of ORF capability
indicates that a peer will accept a prefix list from a neighbor and apply the prefix list received
from a neighbor locally to avoid the unnecessary sending of routes that would be blocked by the
receiver anyway. R3 is therefore configured with a prefix list that blocks the required routes
generated from SW4, which is sent via ORF to R4. R4 is configured to receive this prefix list via
ORF, and the routes are blocked outbound at R4. Example 2-22 shows the required ORF and
prefix-list filtering with the resulting outbound advertisement on R4. The BGP table on R3 is
also displayed showing the routes are no longer being received from R4 and solely from R5. If
you have configured this correctly, as shown in Example 2-22, you have scored 4 points.
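
The following added example, not part of the lab's own material, models what ORF does with the prefix list: R3's inbound FILTER list is evaluated on R4 against the routes R4 learned from SW4, using IOS prefix-list matching (lowest sequence first, ge/le length ranges, implicit deny at the end). The prefix-list entries follow Example 2-22; the function names are assumptions of this example.

```python
import ipaddress

# Prefix list configured on R3 and sent to R4 via ORF (after Example 2-22).
FILTER = [
    "ip prefix-list FILTER seq 5 deny 152.200.33.0/24",
    "ip prefix-list FILTER seq 10 deny 152.200.34.0/24",
    "ip prefix-list FILTER seq 15 deny 152.200.35.0/24",
    "ip prefix-list FILTER seq 20 permit 0.0.0.0/0 le 32",
]

# Networks SW4 originates and R4 would otherwise advertise to R3.
SW4_ROUTES = [
    "152.200.32.0/24",
    "152.200.33.0/24",
    "152.200.34.0/24",
    "152.200.35.0/24",
]


def parse_prefix_list(lines):
    """Parse 'ip prefix-list NAME seq N permit|deny PREFIX [ge X] [le Y]' lines."""
    entries = []
    for line in lines:
        tok = line.split()
        if tok[:2] != ["ip", "prefix-list"] or tok[3] != "seq":
            raise ValueError(f"unsupported line: {line!r}")
        seq, action, net = int(tok[4]), tok[5], ipaddress.ip_network(tok[6])
        opts = dict(zip(tok[7::2], (int(v) for v in tok[8::2])))
        ge, le = opts.get("ge"), opts.get("le")
        if ge is None and le is None:
            lo = hi = net.prefixlen              # no ge/le: exact length only
        else:
            lo = ge if ge is not None else net.prefixlen
            hi = le if le is not None else net.max_prefixlen
        entries.append((seq, action, net, lo, hi))
    return sorted(entries, key=lambda e: e[0])


def evaluate(entries, route):
    """Return (action, seq) of the first matching entry, or implicit deny."""
    route = ipaddress.ip_network(route)
    for seq, action, net, lo, hi in entries:
        if lo <= route.prefixlen <= hi and route.subnet_of(net):
            return action, seq
    return "deny", None


def advertise_with_orf(candidates, orf_entries):
    """Routes the sender still advertises after applying the received list."""
    return [r for r in candidates if evaluate(orf_entries, r)[0] == "permit"]


if __name__ == "__main__":
    entries = parse_prefix_list(FILTER)
    print(advertise_with_orf(SW4_ROUTES, entries))
    # The deny entries match /24 exactly, so a longer prefix inside a blocked
    # /24 falls through to seq 20 and is permitted.
    print(evaluate(entries, "152.200.33.0/25"))
```

The second call shows a property worth checking on any filter of this shape: without a le on the deny lines, more-specific prefixes of the blocked networks are not covered.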
Example 2-22 BGP ORF Configuration and Verification

200.incomplete *> *> * *> *> *> Network Next Hop 152.200.34. ? .32.34.34. ? . h history. d damped.3 advertised-routes BGP table version is 17.100.0/24 120.200.4 120. e .100.EGP. r RIB-failure. the network is received on R3 .0/24 R3(config)# ip prefix-list FILTER seq 20 permit 0.0.100. After configuration of the route map to prepend the route on R5 twice.34. r RIB-failure. e .200.0/24 0.EGP.200.5 152.IGP.4. h history.5 Metric LocPrf Weight Path 0 32768 i 0 200 400 0 300 400 0 300 400 0 300 400 0 300 400 i i i i i Configure a route map on R5 that prepends its local autonomous system an additional two times for network 152.200.200 Status codes: s suppressed.0/24 as received initially on R3 from R5 with an autonomous system path of 300-400.200.34.100.incomplete Network *>i152.0/24 R3(config)# ip prefix-list FILTER seq 15 deny 152. > best.0/24 120. i internal.35. S Stale Origin codes: i .34.200.0/24 when advertised to R3. Example 2-22 shows the route 152. but only one prepend is permitted per line.200.100.32.1 Status codes: s suppressed.34. or so it seems.100.100. local router ID is 200.33. * valid.0.0 152.34.R3(config)# router bgp 100 R3(config-router)# neighbor 120.33.200.5 152.0/24 120. Normally you would prepend the same autonomous system number multiple times within the same permit statement.100.IGP.34. S Stale Origin codes: i .10.5 152.0.4 capability orf prefix-list send R3(config-router)# neighbor 120.100.0. i internal.35.34. (3 points) This is a simple autonomous system path prepend question. local router ID is 120.34. so you are forced to use multiple permit statements with the same autonomous system prepend statement.100.100.1 Metric LocPrf Weight Path 0 100 0 400 i Total number of prefixes 1 R3# clear ip bgp * R3# show ip bgp BGP table version is 6. > best. The route map may contain multiple permit statements.100.200.0/24 R3(config)# ip prefix-list FILTER seq 10 deny 152. 
but the question restricts this.32.200.0/0 le 32 R4(config)# router bgp 200 R4(config-router)# neighbor 120. d damped. * valid.32.0/24 Next Hop 120.4 prefix-list FILTER in R3(config)# ip prefix-list FILTER seq 5 deny 152.100.3 capability orf prefix-list receive R4(config-router)# exit R4(config)# exit R4# show ip bgp neighbors 120.0/24 120.

d damped.33.34. local router ID is 200. ? .200 Status codes: s suppressed.100. h history.0/24 0.5 152. If you have configured this correctly.IGP. S Stale Origin codes: i . Example 2-23 R5 Prepend Configuration and Verification Click here to view code image R3# show ip bgp BGP table version is 6. and the route map will then not evaluate any additional route map entries and simply drops out. h history.100.200. Rather than dropping out of the route map after successful execution of the permit 10 statement.35.34.3 route-map PREPEND out R5(config-router)# exit R5(config)# access-list 1 permit 152.34. i internal. ? .0 152. > best.200.200. > best. in fact.0 R5(config)# route-map PREPEND permit 10 R5(config-route-map)# match ip address 1 R5(config-route-map)# set as-path prepend 300 R5(config-route-map)# route-map PREPEND permit 20 R5(config-route-map)# match ip address 1 R5(config-route-map)# set as-path prepend 300 R5(config-route-map)# route-map PREPEND permit 30 R3# show ip bgp BGP table version is 6.incomplete *> *> * *> *> *> Network Next Hop 152.200.34.incomplete Network Next Hop Metric LocPrf Weight Path .0/24 120. as shown in Example 2-23. but the question requests an “additional” two times.34. d damped. * valid. i internal.32.100.200.0/24 120.32.200 Status codes: s suppressed.200. e . local router ID is 200. r RIB-failure.100. This might look like the route has indeed been prepended twice.EGP.200.200.34.100.IGP.0/24 120. the final verification within Example 2-23 shows the route received on R3 with successful prepend applied by R5.100. The problem is that the route map permit 10 statement on R3 has been executed.100. e . so the permit 20 statement is never actually executed.5 152. r RIB-failure.4 120. * valid. you have scored 3 points. the route has been prepended only once.0/24 120. 
By configuring a continue 20 statement within the permit 10 line.0.5 Metric LocPrf Weight Path 0 32768 i 0 200 400 0 300 400 0 300 400 0 300 400 0 300 400 i i i i i R5(config)# router bgp 300 R5(config-router)# neighbor 120.100.5 152.EGP.34.0.200. S Stale Origin codes: i . the router is forced to evaluate the permit 20 line.with an autonomous system path of 300-300-400.

5 Metric LocPrf Weight Path 0 32768 i 0 200 400 i 0 300 300 120.34.5 0 32768 i 0 200 400 i 0 300 300 0 300 400 i 0 300 400 i 0 300 400 i R5(config)# route-map PREPEND permit 10 R5(config-route-map)# continue 20 R3# clear ip bgp * R3# show ip bgp BGP table version is 6.34.100.100.0/24 * 300 400 i *> 152.200 Status codes: s suppressed.34.32.200.200.33.0/24 *> 152.34.200.100.100.34.5 120.5 120.5 120. * valid.100. ? .4 120.200.200.EGP.100.incomplete Network *> 152.100. i internal.5 120. tunnel specifics are provided in later questions.0 120.100.0/24 *> 152.4 120.5 120.0.33.34.0/24 0.0/24 *> 152.100.*> 152.34.0. so just creating the tunnel interfaces and configuring an IPv6 address is required .200.34. > best.5 0 300 400 i 0 300 400 i 0 300 400 i Section 4: IPv6 (12 Points) Configure IPv6 addresses on your network as follows: 2007:C15:C0:10::1/64 – R1 Gi0/1 2007:C15:C0:11::1/64 – R1 tunnel0 2007:C15:C0:11::3/64 – R3 tunnel0 2007:C15:C0:12::2/64 – R2 tunnel0 2007:C15:C0:12::3/64 – R3 tunnel1 2007:C15:C0:13::2/64 – R2 fe0/1 2007:C15:C0:14::3/64 – R3 Gi0/0 2007:C15:C0:14::4/64 – R4 Gi0/0 2007:C15:C0:14::5/64 – R5 Gi0/0 2007:C15:C0:15::4/64 – R4 Gi0/1 2007:C15:C0:15::6/64 – R6 Gi0/0 The prerequisite to the following questions is configuration of the IPv6 addresses and tunnel interfaces. local router ID is 200.0/24 * 400 i *> 152.32.200. Example 2-24 shows the initial IPv6 configuration.0.0/24 *> 152.34.100.100. r RIB-failure.0/24 Next Hop 0. S Stale Origin codes: i .100.34. d damped.35.100.200.34.35.0. h history.200. e .34.0/24 *> 152.200.0/24 *> 152.0 120.IGP.100.

at this point. Consider using the show ipv6 interfaces brief command for a quick check of your interface configuration. No points are on offer here for this task, unfortunately.

Example 2-24 IPv6 Initial Configuration

R1(config)# ipv6 unicast-routing
R1(config)# interface GigabitEthernet0/1
R1(config-if)# ipv6 address 2007:C15:C0:10::1/64
R1(config-if)# interface tunnel0
R1(config-if)# ipv6 address 2007:C15:C0:11::1/64

R2(config)# ipv6 unicast-routing
R2(config)# interface fastethernet 0/1
R2(config-if)# ipv6 address 2007:C15:C0:13::2/64
R2(config-if)# interface tunnel0
R2(config-if)# ipv6 address 2007:C15:C0:12::2/64

R3(config)# ipv6 unicast-routing
R3(config)# int GigabitEthernet0/0
R3(config-if)# ipv6 address 2007:C15:C0:14::3/64
R3(config-if)# interface tunnel0
R3(config-if)# ipv6 address 2007:C15:C0:11::3/64
R3(config-if)# interface tunnel1
R3(config-if)# ipv6 address 2007:C15:C0:12::3/64

R4(config)# ipv6 unicast-routing
R4(config)# interface GigabitEthernet0/0
R4(config-if)# ipv6 address 2007:C15:C0:14::4/64
R4(config-if)# interface GigabitEthernet0/1
R4(config-if)# ipv6 address 2007:C15:C0:15::4/64

R5(config)# ipv6 unicast-routing
R5(config)# interface GigabitEthernet0/0
R5(config-if)# ipv6 address 2007:C15:C0:14::5/64

R6(config)# ipv6 unicast-routing
R6(config)# interface GigabitEthernet0/0
R6(config-if)# ipv6 address 2007:C15:C0:15::6/64

Section 4.1: EIGRPv6

Configure EIGRPv6 with an autonomous system of 6 between R1, R2, and R3. EIGRPv6 should not be enabled directly under the interfaces of the routers. Build your tunnels from R1 to R3 and R2 to R3 with source interfaces from VLAN 132 to advertise IPv6 edge networks from each router using ipv6ip mode. (2 points)

This is a straightforward EIGRPv6 configuration that requires the autonomous system number of 6 enabled by the address-family ipv6 command under the existing EIGRP process as opposed to enabling EIGRPv6 under each interface. The tunnel mode of ipv6ip is supplied within the question for the manually configured IPv6 tunnel. The source interfaces of each tunnel are the VLAN 132 Ethernet interfaces, which provides connectivity from R3 to R2 and R1. You should ensure that you make the IPv6-enabled interface on R3, which will actually belong to the OSPFv3 domain, passive within EIGRPv6 as a matter of good practice. If you have configured this correctly, as shown in Example 2-25, you have scored 2 points.

Example 2-25 EIGRPv6 Configuration and Verification

R1(config-if)# interface Tunnel0
R1(config-if)# tunnel source Gigabit0/0
R1(config-if)# tunnel destination 120.100.123.3
R1(config-if)# tunnel mode ipv6ip
R1(config-if)# router eigrp CCIE
R1(config-router)# address-family ipv6 unicast autonomous-system 6
R1(config-router-af)# af-interface Tunnel0
R1(config-router-af-interface)# no shutdown
R1(config-router-af-interface)# af-interface Gigabit0/1
R1(config-router-af-interface)# no shutdown

R2(config-if)# interface Tunnel0
R2(config-if)# tunnel source fastethernet0/0
R2(config-if)# tunnel destination 120.100.123.3
R2(config-if)# tunnel mode ipv6ip
R2(config-if)# router eigrp CCIE
R2(config-router)# address-family ipv6 unicast autonomous-system 6
R2(config-router-af)# af-interface Tunnel0
R2(config-router-af-interface)# no shutdown
R2(config-router-af-interface)# af-interface fastethernet0/1
R2(config-router-af-interface)# no shutdown

R3(config-if)# tunnel source Gigabit0/1
R3(config-if)# tunnel destination 120.100.123.1
R3(config-if)# tunnel mode ipv6ip
R3(config-if)# interface Tunnel1
R3(config-if)# tunnel source Gigabit0/1
R3(config-if)# tunnel destination 120.100.123.2
R3(config-if)# tunnel mode ipv6ip
R3(config-if)# router eigrp CCIE
R3(config-router)# address-family ipv6 unicast autonomous-system 6
R3(config-router-af)# af-interface GigabitEthernet0/0
R3(config-router-af-interface)# passive-interface
R3(config-router-af-interface)# no shutdown
R3(config-router-af-interface)# af-interface Tunnel0
R3(config-router-af-interface)# no shutdown
R3(config-router-af-interface)# af-interface Tunnel1
R3(config-router-af-interface)# no shutdown

R1# show ipv6 route eigrp
IPv6 Routing Table - 8 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route, M - MIPv6
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
D 2007:C15:C0:12::/64 [90/310044416] via FE80::7864:7B03, Tunnel0
D 2007:C15:C0:13::/64 [90/310070016] via FE80::7864:7B03, Tunnel0

R2# show ipv6 route eigrp
IPv6 Routing Table - 8 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route, M - MIPv6
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
D 2007:C15:C0:10::/64 [90/310070016] via FE80::7864:7C03, Tunnel0
D 2007:C15:C0:11::/64 [90/310044416] via FE80::7864:7C03, Tunnel0

R3# show ipv6 route eigrp
IPv6 Routing Table - 9 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route, M - MIPv6
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
D 2007:C15:C0:10::/64 [90/297270016] via FE80::7864:7B01, Tunnel0
D 2007:C15:C0:13::/64 [90/297270016] via FE80::7864:7C02, Tunnel1

Section 4.2: OSPFv3

Configure OSPFv3 per Figure 2-8; use an OSPFv3 process of 1 on each router. (2 points)

Use vanilla OSPFv3 configuration between R3, R4, R5, and R6. If you have configured this correctly, as shown in Example 2-26, you have scored 2 points.

Example 2-26 OSPFv3 Configuration and Verification

R3(config)# interface GigabitEthernet 0/0
R3(config-if)# ipv6 ospf 1 area 0

R4(config)# interface GigabitEthernet0/0
R4(config-if)# ipv6 ospf 1 area 0
R4(config-if)# interface GigabitEthernet0/1
R4(config-if)# ipv6 ospf 1 area 1

R5(config)# interface GigabitEthernet0/0
R5(config-if)# ipv6 ospf 1 area 0

R6(config)# interface GigabitEthernet0/0
R6(config-if)# ipv6 ospf 1 area 1

R3# show ipv6 route ospf
IPv6 Routing Table - 11 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
OI 2007:C15:C0:15::/64 [110/2] via FE80::213:C3FF:FE7B:E4A0, GigabitEthernet0/0

R5# show ipv6 route ospf
IPv6 Routing Table - 5 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
OI 2007:C15:C0:15::/64 [110/2] via FE80::213:C3FF:FE7B:E4A0, GigabitEthernet0/0

R6# show ipv6 route ospf
IPv6 Routing Table - 5 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
OI 2007:C15:C0:14::/64 [110/2] via FE80::213:C3FF:FE7B:E4A1, GigabitEthernet0/0

Configure Area 1 with IPsec authentication; use message digest 5, a security policy index of 500, and a key of DEC0DECC1E0DDBA11B0BB0BBEDB00B00. (2 points)

Authentication is required on R4 and R6 because they both belong to Area 1. The question explicitly states the specific parameters required, and you should not encounter any issues unless you incorrectly enter one of the keys. At 32 hex characters long, this could easily be done while under a time constraint. If you have configured this correctly, as shown in Example 2-27, you have scored 2 points.

Example 2-27 Area 1 Authentication Configuration

R4(config)# ipv6 router ospf 1
R4(config-router)# area 1 authentication ipsec spi 500 md5 DEC0DECC1E0DDBA11B0BB0BBEDB00B00

R6(config)# ipv6 router ospf 1
R6(config-router)# area 1 authentication ipsec spi 500 md5 DEC0DECC1E0DDBA11B0BB0BBEDB00B00

Ensure that the area router in Area 1 receives the following route; you may configure R4 to achieve this: (2 points)

OI 2007::/16 [110/2] via XXXX::XXXX:XXXX:XXXX:XXXX, GigabitEthernet0/0

The only area router within Area 1 is R6. OI within the routing table is an OSPF interarea route, so this route must be generated from another area. Because Area 0 is the only other area within the OSPFv3 network, the route must be generated from this area as opposed to a redistributed route, which would show as an external route. R4 is the area border router within this area. A summary route generated on the area border router R4 of 2007::/16 within Area 0 will provide the required route to be received on R6. If you have configured this correctly, as shown in Example 2-28, you have scored 2 points.
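For the Area 1 IPsec authentication task above, a mistyped 32-character key is the likely failure, so the following added example (not code from the book) compares the area authentication lines of two saved configurations before you rely on the adjacency. It assumes the key is entered without an encryption-type digit; the function names and the sample configurations are constructed for illustration, and the check also covers sha1 keys (40 hex characters), which the lab does not use.

```python
import re

# area <id> authentication ipsec spi <spi> {md5|sha1} <key>
# The key is captured as any non-blank token so that a typo such as the letter O
# is reported instead of making the whole line fail to match.
# Assumption: no key-encryption-type digit (0 or 7) precedes the key.
AUTH_RE = re.compile(
    r"area\s+(\S+)\s+authentication\s+ipsec\s+spi\s+(\d+)\s+(md5|sha1)\s+(\S+)", re.I)
KEY_HEX_CHARS = {"md5": 32, "sha1": 40}


def parse_area_auth(config):
    """Return {area: (spi, algorithm, key)} for every area authentication line."""
    return {m.group(1): (int(m.group(2)), m.group(3).lower(), m.group(4).upper())
            for m in AUTH_RE.finditer(config)}


def lint(router, entry):
    """Checks that need only one router: SPI range, hex alphabet, key length."""
    spi, algo, key = entry
    issues = []
    if not 256 <= spi <= 4294967295:
        issues.append(f"{router}: SPI {spi} is outside 256-4294967295")
    bad = sorted({c for c in key if c not in "0123456789ABCDEF"})
    if bad:
        issues.append(f"{router}: key contains non-hex characters {''.join(bad)}")
    if len(key) != KEY_HEX_CHARS[algo]:
        issues.append(f"{router}: {algo} key has {len(key)} hex characters, "
                      f"expected {KEY_HEX_CHARS[algo]}")
    return issues


def first_difference(a, b):
    """Zero-based offset of the first character at which two keys differ."""
    for offset, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return offset
    return min(len(a), len(b))


def check_area(area, configs):
    """configs maps router name -> configuration text; returns a list of findings."""
    issues, entries = [], {}
    for router, text in configs.items():
        entry = parse_area_auth(text).get(str(area))
        if entry is None:
            issues.append(f"{router}: area {area} has no IPsec authentication")
        else:
            entries[router] = entry
            issues += lint(router, entry)
    routers = list(entries)
    for other in routers[1:]:
        ref = routers[0]
        (spi_a, algo_a, key_a), (spi_b, algo_b, key_b) = entries[ref], entries[other]
        if spi_a != spi_b:
            issues.append(f"{ref}/{other}: SPI {spi_a} vs {spi_b}")
        if algo_a != algo_b:
            issues.append(f"{ref}/{other}: algorithm {algo_a} vs {algo_b}")
        if key_a != key_b:
            issues.append(f"{ref}/{other}: keys differ from character "
                          f"{first_difference(key_a, key_b) + 1}")
    return issues


KEY = "DEC0DECC1E0DDBA11B0BB0BBEDB00B00"          # key given in the lab question
# Constructed configuration snippets for the two Area 1 routers.
R4_CFG = f"ipv6 router ospf 1\n area 1 authentication ipsec spi 500 md5 {KEY}\n"
R6_GOOD = R4_CFG
R6_SHORT = R4_CFG.replace(KEY, KEY[:-1])                     # last character dropped
R6_LETTER_O = R4_CFG.replace(KEY, KEY.replace("0", "O", 1))  # zero typed as letter O

if __name__ == "__main__":
    for name, cfg in (("good", R6_GOOD), ("short", R6_SHORT), ("letter O", R6_LETTER_O)):
        print(name, check_area(1, {"R4": R4_CFG, "R6": cfg}))
```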

Example 2-28 OSPFv3 Configuration and Verification

R4(config)# ipv6 router ospf 1
R4(config-rtr)# area 0 range 2007::/16

R6# show ipv6 route ospf | include OI
OI 2007::/16 [110/2] via FE80::213:C3FF:FE7B:E4A1, GigabitEthernet0/0

Section 4.3: Redistribution

Redistribute EIGRPv6 into OSPFv3 on R3. Redistributed EIGRPv6 routes should have a metric of 5000 associated with them, regardless of which area they are seen in within the OSPFv3 network. (2 points)

A one-way redistribution of EIGRPv6 to OSPFv3 is required on R3. You simply require the metric set to 5000 on the OSPFv3 process. The default redistribution behavior ensures that external routes are advertised as external type 2, which have a fixed cost associated with them regardless of which area or location of the OSPFv3 network they are seen in. You must remember to advertise connected routes also; otherwise, the OSPFv3 network will not see the directly connected tunnel interfaces on R3. If you have configured this correctly, as shown in Example 2-29, you have scored 2 points.

Example 2-29 R3 Ipv6 Redistribution Configuration and Verification

R3(config)# ipv6 router ospf 1
R3(config-rtr)# redistribute eigrp 6 include-connected metric 5000

R4# show ipv6 route ospf
IPv6 Routing Table - 11 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
O 2007::/16 [110/0] via ::, Null0
OE2 2007:C15:C0:10::/64 [110/5000] via FE80::214:6AFF:FEFC:7390, GigabitEthernet0/0
OE2 2007:C15:C0:11::/64 [110/5000] via FE80::214:6AFF:FEFC:7390, GigabitEthernet0/0
OE2 2007:C15:C0:12::/64 [110/5000] via FE80::214:6AFF:FEFC:7390, GigabitEthernet0/0
OE2 2007:C15:C0:13::/64 [110/5000] via FE80::214:6AFF:FEFC:7390, GigabitEthernet0/0

Configure R3 so that both R1 and R2 have the following IPv6 EIGRPv6 route in place. Do not redistribute OSPF into EIGRPv6 to achieve this, and do ensure that all routers have full visibility: (2 points)

D 2007::/16 [90/XXXXXXXXX] via XXXX::XXXX:XXXX:XXXX:XXXX, Tunnel0

You should have noticed in the previous question that mutual redistribution was not required; therefore, the EIGRPv6 network would not have reachability of the OSPFv3 network. This question ensures the EIGRPv6 network sends traffic to R3 for the summarized network of 2007::/16. Because you are not permitted to redistribute OSPFv3 with a summary address, you need to configure EIGRPv6 summarization on the tunnel interfaces on R3 toward R1 and R2; this will provide the correct route and hop count as per the question. Example 2-33 shows the required configuration and verification of the route, in addition to ICMP reachability to the remote OSPFv3 Area 1 network on R6. This test clearly demonstrates full end-to-end reachability from EIGRPv6 to OSPFv3. If you have configured this correctly, as shown in Example 2-30, you have scored 2 points.

Example 2-30 R3 Ipv6 Summarization Configuration and Verification

R3(config)# router eigrp CCIE
R3(config-router)# address-family ipv6 unicast autonomous-system 6
R3(config-router-af)# af-interface Tunnel0
R3(config-router-af-interface)# summary-address 2007::/16
R3(config-router-af-interface)# af-interface Tunnel1
R3(config-router-af-interface)# summary-address 2007::/16

R1# show ipv6 route eigrp
IPv6 Routing Table - 6 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route, M - MIPv6
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
D 2007::/16 [90/310044416] via FE80::7864:7B03, Tunnel0

R1# ping ipv6 2007:C15:C0:15::6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2007:C15:C0:15::6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/8 ms

R2# show ipv6 route eigrp
IPv6 Routing Table - 6 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route, M - MIPv6
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
D 2007::/16 [90/310044416] via FE80::7864:7C03, Tunnel0

R2# ping ipv6 2007:C15:C0:15::6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2007:C15:C0:15::6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/8 ms

Section 5: QoS (6 Points)

Two IP video conferencing units are to be installed onto Switch 2 ports Fast Ethernet 0/15 and 0/16 on VLAN 200. The devices use TCP ports 3230–3231 and UDP ports 3230–3235, and this traffic is unmarked from the devices as it enters the switch. Configure Switch 2 to assign a DSCP value of AF41 to video traffic from both of these devices. Ensure that the switch ports assigned to the devices do not participate in the usual spanning-tree checks, cannot form trunk links, and cannot be configured as EtherChannels. (3 points)

This is a differentiated services code point (DSCP) coloring of application traffic question. The TCP and UDP port information is provided so that access lists matching these ports within a class map are required for identification of the video traffic, and a policy map colors the traffic to a DSCP value of 41. The overall quality of service (QoS) service policy is applied to the video conferencing ports of Fast Ethernet 0/15 and 0/16 on Switch 2. The ports are required to be set to VLAN 200 with spanning-tree checks disabled, and trunking and channeling disabled using the command switchport host. The ports can also be explicitly configured to disable each feature individually, but the switchport host command does all this for you. If you have configured this correctly, as shown in Example 2-31, you have scored 3 points. Use the show policy-map command to verify your configuration.

Example 2-31 QoS Configuration

SW2(config)# interface range fastethernet 0/15-16
SW2(config-if-range)# switchport access vlan 200
SW2(config-if-range)# switchport host
SW2(config-if-range)# exit
SW2(config)# mls qos
SW2(config)# class-map VIDEO
SW2(config-cmap)# match access-group 100
SW2(config-cmap)# exit
SW2(config)# access-list 100 permit tcp any any range 3230 3231
SW2(config)# access-list 100 permit udp any any range 3230 3235
SW2(config)# policy-map VIDEO-MARK
SW2(config-pmap)# class VIDEO
SW2(config-pmap-c)# set dscp AF41
SW2(config-pmap-c)# exit
SW2(config)# interface range fastethernet 0/15-16
SW2(config-if-range)# service-policy input VIDEO-MARK

Configure R2 to assign a strict-priority queue with a 40-percent reservation of the WAN bandwidth for the video conferencing traffic in the previous question. Maximize the available bandwidth by ensuring the RTP headers within the video stream are compressed. The remainder of the bandwidth should be guaranteed for a default queue with WRED enabled. (3 points)

Following from the previous question, R2 is required to provide QoS on the Ethernet link toward the rest of the network. A class map matches the precolored video traffic of DSCP 41; a policy map is then required to call the class map and assign a strict 40-percent priority queue with the command priority percent 40. RTP compression is configured within the policy map for the video traffic. The default queue has a guaranteed bandwidth reservation with the command bandwidth percent 60, and weighted random early detection (WRED) is enabled within this queue. If you have configured this correctly, as shown in Example 2-32, you have scored 3 points.

Example 2-32 R2 QoS Configuration and Verification

R2(config)# class-map match-all VIDEO
R2(config-cmap)# match dscp af41
R2(config-cmap)# policy-map VIDEO-QOS
R2(config-pmap)# class VIDEO
R2(config-pmap-c)# priority percent 40
R2(config-pmap-c)# compression header ip rtp
R2(config-pmap-c)# class class-default
R2(config-pmap-c)# bandwidth percent 60
R2(config-pmap-c)# random-detect
R2(config-pmap-c)# exit
R2(config)# interface fastethernet0/0
R2(config-if)# service-policy output VIDEO-QOS

Section 6: Multicast (9 Points)

Configure routers R1, R2, R3, and R4 for IPv4 multicast. Each router should use PIM sparse dense mode. Both R1 and R2 should be configured to be candidate RPs specifically for the following multicast groups: 225.225.0.1, 225.225.0.2, 225.225.0.3, and 225.225.0.4 (by use of their Loopback 0 interfaces). You should limit the boundary of your multicast network so that it does not propagate further into your network than R4. R3 should be configured as a mapping agent to announce the rendezvous points for the multicast network with the same boundary constraints. (3 points)

The question dictates that R1 and R2 be rendezvous points (RPs) and advertise the same groups to the multicast network. R3 is required to announce the rendezvous points, and R4 will by default elect R2 as the RP for each group because it has the higher loopback address compared to R1 for the same groups. TTL scoping is used within the configuration to limit the boundary of advertisements on both the candidate RPs and the discovery agent up to R4. Example 2-33 shows the required configuration and RP mappings as received on R4. If you have configured this correctly, as shown in Example 2-33, you have scored 3 points.

Example 2-33 R1, R2, R3, and R4 Multicast Configuration and Verification

R1(config)# ip multicast-routing
R1(config)# interface Loopback0
R1(config-if)# ip pim sparse-dense-mode
R1(config-if)# interface GigabitEthernet0/0
R1(config-if)# ip pim sparse-dense-mode
R1(config-if)# ip pim send-rp-announce Loopback0 scope 3 group-list GROUPS
R1(config)# ip access-list standard GROUPS
R1(config-std-nacl)# permit 225.225.0.1
R1(config-std-nacl)# permit 225.225.0.2
R1(config-std-nacl)# permit 225.225.0.3
R1(config-std-nacl)# permit 225.225.0.4

R2(config)# ip multicast-routing
R2(config)# interface Loopback0
R2(config-if)# ip pim sparse-dense-mode
R2(config-if)# interface fastethernet0/0
R2(config-if)# ip pim sparse-dense-mode
R2(config-if)# ip pim send-rp-announce Loopback0 scope 3 group-list GROUPS
R2(config)# ip access-list standard GROUPS

1 and 225.225.3 (?).100.4/32 RP 120.2.0.1/32 RP 120. If you have configured this correctly.100.0.100.0.100.34. elected via Uptime: 00:00:03. expires: 00:02:55 Auto-RP Auto-RP Auto-RP Auto-RP Configure R3 to ensure that R4 has a candidate RP as R1 for groups 225. elected via Uptime: 00:00:03. Example 2-34 shows the required configuration.0.1 (?). By configuring a group list on the discovery agent.0.100.225.100.0.1 (?).3 225.0.3 (?).34.225. elected via Uptime: 00:00:03.2. as shown in Example 234.0.225.4. elected via Uptime: 00:00:03. v2v1 Info source: 120. (3 points) As detailed in the previous example.34.225.1 (?).0. v2v1 Info source: 120. RP announcements can be filtered.2.1 (?).225.0.1 225.0. you have scored 3 points.225.100.3/32 RP 120. . v2v1 Info source: 120.R2(config-std-nacl)# R2(config-std-nacl)# R2(config-std-nacl)# R2(config-std-nacl)# permit permit permit permit 225.2 225. R2 will by default become the candidate RP as selected by the discovery agent (R3) because of having a higher loopback IP address as used in the PIM announcements compared to R1.2/32 RP 120. expires: 00:02:56 Group(s) 225.4 R3(config)# ip multicast-routing R3(config)# interface Loopback0 R3(config-if)# ip pim sparse-dense-mode R3(config)# interface GigabitEthernet0/0 R3(config-if)# ip pim sparse-dense-mode R3(config-if)# interface GigabitEthernet0/1 R3(config-if)# ip pim sparse-dense-mode R3(config-if)# exit R3(config)# ip pim send-rp-discovery lo0 scope 2 R4(config-if)# ip multicast-routing R4(config-if)# interface GigabitEthernet0/0 R4(config-if)# ip pim sparse-dense-mode R4# show ip pim rp mapping PIM Group-to-RP Mappings Group(s) 225.225.3 and 225.225.3 (?).225. expires: 00:02:55 Group(s) 225.225. expires: 00:02:52 Group(s) 225.225.100. a debug of the auto-RP announcements on R3 to detail the filtering and the resulting RP mappings on R4. 
Configuring two filter lists with each candidate RP associated with them allows the discovery agent to announce two different RPs.0.3 (?).2.34.2 and R2 for groups 225. v2v1 Info source: 120.

1 R4# show ip pim rp mapping PIM Group-to-RP Mappings Group(s) 225. expires: 00:02:51 Group(s) 225.1.0. elected via Uptime: 00:00:47.1 Auto-RP(0): Filtered 225.225. RP:120.1).1 (?).100. PIMv2 Auto-RP(0): Update (225.225.225.1.1 Auto-RP(0): Received RP-announce.1 Auto-RP(0): Filtered 225. v2v1 Info source: 120.0.0.0.100.0.225. PIMv2 Auto-RP(0): Filtered 225.100.2.1. expires: 00:02:52 Group(s) 225.1.1).2.1.1.1/32.1.225.2/32.100.1/32 RP 120. expires: 00:02:12 Group(s) 225.3 (?).34.225.4/32 RP 120.0.100.0.3/32 for RP 120.100.3/32 for RP 120. v2v1 Info source: 120.4/32 for RP 120.100.100. elected via Uptime: 00:00:08. PIMv2 Auto-RP(0): Filtered 225.100.0.1.4 R3# debug ip pim auto-rp PIM Auto-RP debugging is on Auto-RP(0): Received RP-announce.100.225.3 (?).1.0.225.3 R3(config-std-nacl)# permit 225.4/32 for RP 120. RP_cnt Auto-RP(0): Update (225.225.1 (?). from 120. ht 181 v1 v1 .1.225.1/32.225.3/32 RP 120.1.0.0.100. RP_cnt Auto-RP(0): Update (225.34.100.1 R3(config-std-nacl)# exit R3(config# ip access-list standard R1-GROUPS R3(config-std-nacl)# permit 225. from 120. PIMv2 Auto-RP(0): Update (225.1).100.1.2/32. elected via Uptime: 00:00:47.100.2/32 RP 120.1 (?).100.1).225.1 R3(config-std-nacl)# exit R3(config)# ip access-list standard R2 R3(config-std-nacl)# permit 120.1.100.2 R3(config-std-nacl)# exit R3(config)# ip access-list standard R2-GROUPS R3(config-std-nacl)# permit 225.34.3 (?).Example 2-34 R3 RP Multicast Configuration and Verification Click here to view code image R3(config)# ip pim rp-announce-filter rp-list R1 group-list R1-GROUPS R3(config)# ip pim rp-announce-filter rp-list R2 group-list R2-GROUPS R3(config)# ip access-list standard R1 R3(config-std-nacl)# permit 120.100.3 (?). RP:120. elected via Uptime: 00:00:08. expires: 00:02:09 Auto-RP Auto-RP Auto-RP Auto-RP 1.225.0.34.2.100.225.0.1. v2v1 Info source: 120.0.100.0.1 (?).1 R3(config-std-nacl)# permit 225.225. RP:120. RP:120.225.1. v2v1 Info source: 120. ht 181 v1 v1 1.100.0.

225. By configuring R1 to enable the heartbeat monitoring for the group 225. Example 2-35 R1 Multicast Heartbeat Configuration Click here to view code image R1(config)# snmp-server host 120.0.225.1 = 10 ciscoIpMRouteHeartBeatEntry.3. Example 2-35 details the required multicast heartbeat configuration and verification of the SNMP trap by issue of a ping to 225. gentrap 6.2. If you have configured this correctly. To prevent a potential DoS attack from a flood of SYN requests.225. The default behavior of . which is required to be configured within the basic SNMP trap configuration.100.100.225. ent ciscoExperiment. as shown in Example 2-35.100.225. the router monitors a packet lost within 1 interval of 10 seconds and will send an Simple Network Management Protocol (SNMP) trap to the SNMP host 120.1 R1# SNMP: Queuing packet to 120.225. (2 points) The question requires that the TCP intercept feature be configured on R6.100.3 ciscoIpMRouteHeartBeatEntry. you have scored 3 points.100.100.100 using a community string of public. (3 points) The IP multicast heartbeat feature facilitates the monitoring of the delivery of IP multicast packets and failure notification based on configurable parameters.225. This protects TCP servers from TCP SYN-flooding attacks with a wave of half-opened connections overwhelming the server’s CPU.0.255.3. ensure that an SNMP trap is sent to an SNMP management station on 120.Configure R1 to monitor traffic forwarded through itself for traffic destined to the multicast group of 225.100.100.100.1 = 0 Section 7: Security (10 Points) Allow router R6 to passively watch the SYN connections that flow to only VLAN 63 for servers that might reside on this subnet.225.4. Even though R1 does not have a valid IGMP join group for this group. addr 120. traffic is still directed to it.1 from R3.5.123.100.100 traps public R1(config)# snmp-server enable traps ipmulticast R1(config)# ip multicast heartbeat 225.0. 
If no packet for this group is received within a single 10second interval.1 = 120. the router should be configured to randomly drop SYN packets from any source to this VLAN that have not been correctly established within 20 seconds.100.0.1.1 = 1 ciscoIpMRouteHeartBeatEntry.2.0.spectrap 1 ciscoIpMRouteHeartBeatEntry.0. the result of which can effectively cause a DoS attack.225.100.1.225.1 with the subparameters of 1 and 10.0. and the heartbeat process is activated.225.0.0.1 1 1 10 R1# debug snmp packets R3# ping 225.100 SNMP: V1 Trap.1.225.

the feature is to intercept the SYN connections to a server and effectively proxy the connection until it has been correctly established. Because you are requested to passively monitor the connection, you must configure the feature into watch mode by use of the global ip tcp intercept mode watch command. You are also requested to ensure that the feature is enabled only on VLAN 63 from any source, so an access list is required to which the intercept feature restricts its monitoring. The default behavior of the feature is to drop SYN connections based on the oldest first, but the question dictated that random connections must be dropped. This is achieved with the global command ip tcp intercept drop-mode random. To ensure that the 20-second limit is met as opposed to the default 30 seconds, adjustment of the timers is required with the global command ip tcp intercept watch-timeout 20. If you have configured this correctly, as shown in Example 2-36, you have scored 2 points. Use the show tcp intercept connections command to verify your configuration.

Example 2-36 R6 TCP Intercept Configuration

R6(config)# ip tcp intercept list 100
R6(config)# access-list 100 permit tcp any 120.100.63.0 0.0.0.255
R6(config)# ip tcp intercept mode watch
R6(config)# ip tcp intercept drop-mode random
R6(config)# ip tcp intercept watch-timeout 20

Configure an ACL on R1 to allow TCP sessions generated on this router and through its Ethernet interface and to block TCP sessions from entering on its VLAN 132 interface that were not initiated on it or through it originally. Do not use the established feature within standard ACLs to achieve this, and only apply ACLs on the VLAN 132 interface. The ACL should timeout after 100 seconds of locally initiated TCP inactivity; it should also enable ICMP traffic inbound for testing purposes. (3 points)

The question requires that a reflexive access control list (ACL) be configured on R1. This enables TCP traffic for sessions originating from within the network but denies TCP traffic for sessions originating from outside the network. The reflexive ACL contains only temporary entries, which are automatically created when a new TCP session is initiated. The entries are simply removed, by default, 300 seconds after the session ends. However, the question requires this to be modified to 100 seconds. To facilitate the reflexive ACL, you must configure a standard ACL inbound on the VLAN 132 Ethernet interface, which permits the required traffic inbound to R1 and only returns traffic matching the reflexive ACL. Required traffic is, of course, EIGRP, PIM, IPv6 tunneling, and as directed, ICMP for testing. It's a cruel question because if you forget to permit any of the required traffic inbound, you will lose points from a previous section in which you might have otherwise scored the total possible points. If you did not know what protocol IPv6 uses, you can simply use the log option on your inbound ACL on a final deny statement. This would show you that the tunneling from R3 inbound to R1 uses IP protocol 41, which must be included in your inbound ACL. Example 2-37 shows the required configuration and verification of the reflexive ACL. Because traffic is evaluated only by the ACL as it passes through the router, Switch 1 has been configured

1.to belong to VLAN 100 to telnet through R1 to R3 in the example.255. Tracing the route to 120.1 host 120.255. Therefore.3.100.3 host 120.0 SW1(config-if)# exit SW1(config)# ip route 120. the Telnet session passes through the ACL FILTER-OUT on R1 and creates an entry in the reflexive ACL DYNAMIC-TCP. If you face a similar question in the actual exam and Telnet connectivity was required from the router you are configuring. as shown in Example 2-37.100. When initiated by Switch 1.3.100.1 SW1(config)# exit SW1# trace 120. This behavior has no bearing on points scored and should be considered a by-product of the solution.3.100.255 120.100.123.255. you might experience connectivity issues if you initiate a Telnet session from R1 without manipulating the Telnet source option.100.1 Type escape sequence to abort.100. Note The reflexive ACL is valid only for traffic flowing through the router.3. you have scored 3 points.123.100. Real-time details can be seen by issuing the show access-lists command on R1. If you have configured this correctly. Example 2-37 R1 Reflexive ACL Configuration and Verification Click here to view code image R1(config-if)# ip access-list extended FILTER-IN R1(config-ext-nacl)# permit icmp any any R1(config-ext-nacl)# permit eigrp any any R1(config-ext-nacl)# permit pim any any R1(config-ext-nacl)# permit tcp host 120.100.100 255.1 . The reflexive ACL permits return traffic to the Telnet session inbound for the configured inactivity interval of 100 seconds.255.1 eq bgp R1(config-ext-nacl)# permit 41 host 120.1 255.100. 
you would specifically be instructed to ensure the correct operation of Telnet on that router.1 R1(config-ext-nacl)# evaluate DYNAMIC-TCP R1(config-ext-nacl)# ip access-list extended FILTER-OUT R1(config-ext-nacl)# permit tcp any any reflect DYNAMIC-TCP R1(config-ext-nacl)# exit R1(config)# ip reflexive-list timeout 100 R1(config)# interface GigabitEthernet0/0 R1(config-if)# ip access-group FILTER-IN in R1(config-if)# ip access-group FILTER-OUT out SW1(config)# interface vlan 100 SW1(config-if)# ip add 120.100.

0.100. you have scored 2 points.1 !A * !A SW1# telnet 120.2 30 permit 225..100. a key of some form. and an SSH timeout of 2 minutes and retry value of 2.100.1.100.co.225.1 0 msec 4 msec 0 msec 2 120. If you have configured this correctly. not minutes. and some SSH timeout and retry values based on the directions.3. You will need to realize aspects of SSH are considered prerequisites to enable SCP.100. Even if you hadn’t configured SSH or SCP previously. (2 points) SCP is Secure Copy Protocol. It is similar to Remote Copy but requires Secure Shell (SSH) to be running on the router for security purposes.100. It is a tough question because this is the kind of feature for which you will need to check the documentation.100.1 . Your username and password combination requires a privilege level of 15 set for SCP.100.1 20 permit 225.1 host 120..100.1.100.4 Reflexive IP access list DYNAMIC-TCP permit tcp host 120. .100.100 eq 11034 (34 matches) (time left 90) Extended IP access list FILTER-IN 5 permit icmp any any (150 matches) 10 permit eigrp any any (1710 matches) 20 permit pim any any (92 matches) 25 permit tcp host 120.225.100.100.uk.0 (3 matches) 20 permit 120. Use local authentication with a username and password of cisco. local authentication with a username and password.3 40 permit 225.1 eq telnet host 120.1 eq bgp (126 matches) 30 evaluate DYNAMIC-TCP Extended IP access list FILTER-OUT 10 permit tcp any any reflect DYNAMIC-TCP (18 matches) Configure R1 so that it is capable of performing SCP.0.3. Be careful on the values and remember to enter the timeout in seconds. a key size of 768 bits.0.225.1 Trying 120.3.1 120. Open User Access Verification Password: R3>enable Password: R3# R1# show access-lists Standard IP access list 1 10 permit 120.0 (3 matches) Standard IP access list GROUPS 10 permit 225.0.225. as shown in Example 2-38. The router should belong to a domain of toughtest.100.3. you should realize that you would need to configure a domain ID.

Example 2-38 R1 RCP Configuration

R1(config)# ip domain-name toughtest.co.uk
R1(config)# crypto key generate rsa modulus 768
The name for the keys will be: R1.toughtest.co.uk
% The key modulus size is 768 bits
% Generating 768 bit RSA keys, keys will be non-exportable...[OK]
R1(config)# aaa new-model
R1(config)# aaa authentication login default local
R1(config)# aaa authorization exec default local
R1(config)# username cisco privilege 15 password 0 cisco
R1(config)# ip ssh time-out 120
R1(config)# ip ssh authentication-retries 2
R1(config)# ip scp server enable
R1(config)#
00:57:29.343: %SSH-5-ENABLED: SSH 1.99 has been enabled

The network administrator has determined that IPv6 router advertisements are being sourced from routers on VLAN 34. Disable these advertisements from entering and propagating on VLAN 34. You may use an ACL applied in a single location in your solution. Do not use the RA guard solution with untrusted ports. (3 points)

Routers R3, R4, and R5 will begin to send RAs as soon as they are configured with an IPv6 address. A simple solution is to enable RA guard on the switch, whereby you could set the switch ports connecting to the routers as untrusted, but this is not permitted. Because you are permitted to use an ACL in only a single location, this needs to be applied to the VLAN 34 interface. The ACL needs to deny router advertisements, which, of course, use ICMPv6. The ACL then needs to permit everything else; otherwise, you have just broken your IPv6 network. You need to remember that for the switch to process IPv6 packets, it needs to be running IPv6 and have a valid IPv6 address assigned to VLAN 34, something you might have overlooked under the time constraints and pressure of the practice exam, as shown in Example 2-39. If your switch was not previously enabled for IPv6, remember to use the command sdm prefer dual-ipv4-and-ipv6 routing (and reboot the device for this to take effect). If you have configured this correctly, you have scored 3 points.

Example 2-39 SW1 RA ACL Configuration

SW1(config)# ipv6 unicast-routing
SW1(config)# ipv6 access-list RA
SW1(config-ipv6-acl)# deny icmp any any router-advertisement
SW1(config-ipv6-acl)# permit ipv6 any any

SW1(config-ipv6-acl)# exit
SW1(config)# int vlan 34
SW1(config-if)# ipv6 traffic-filter RA in
SW1(config-if)# ipv6 address 2007:C15:C0:15::10/64
SW1# show log
*Oct 4 17:58:23: %IPV6-6-ACCESSLOGDP: list RA/10 denied icmpv6 FE80::219:AAFF:FEBA:BE40 -> FF02::1 (134/0), 1 packet
*Oct 4 17:58:23: %IPV6-6-ACCESSLOGDP: list RA/10 denied icmpv6 FE80::218:18FF:FEA2:3250 -> FF02::1 (134/0), 1 packet

Lab Wrap-Up
So, how did it go? Did you run out of time? Did you manage to finish but miss what was actually required? If you scored over 80, well done. If you accomplished this within 8 hours or less, you will be prepared for any scenario that you are likely to face during the 5.5 hours of the Configuration section of the actual exam. Remember that the Troubleshooting section on the v5.0 exam is a separate section from the Configuration section and has a different scenario; you will have 2 hours to complete the Troubleshooting section. This lab was designed to ensure that you troubleshoot your own work as you progress through the questions.
Did you manage to configure items such as EIGRP third-party next hop and the continue statement within your BGP prepending? Items such as these might seem inconsequential, but they can make or break your lab.

Practice Lab 3

Equipment List
Practice Lab 3 follows an identical format to Lab 1 and 2 with timings and also consists of 100 points. You need the following hardware and software components to begin this practice lab:
Six routers loaded with Cisco IOS Software Release 15.3T Advanced Enterprise image and the minimum interface configuration, as documented in Table 3-1

Table 3-1 Hardware Required per Router

Four 3560X switches with IOS 15.0S IP Services

Setting Up the Lab
You can use any combination of routers as long as you fulfill the requirements within the topology diagram, as shown in Figure 3-1. However, you should use the same model of routers because this makes life easier if you load configurations directly from those supplied into your own devices.

If your routers have different interface speeds than those used within this book, adjust the bandwidth statements on the relevant interfaces to keep all interface speeds in line. This ensures that you do not get unwanted behavior because of differing IGP metrics.

Lab Topology
This practice lab uses the topology as outlined in Figure 3-1, which you must re-create with your own equipment.

Figure 3-1 Practice Lab 3 Network Topology

Note
Notice in the initial configurations supplied that some interfaces do not have IP addresses preconfigured. This is because either you do not use that interface or you need to configure this interface from default within the exercise. The initial configurations supplied should be used to preconfigure your routers and switches before the lab starts.

Switch Instructions
Configure VLAN assignments from the configurations supplied on the CD-ROM or from Table 3-2.

Table 3-2 VLAN Assignment

Connect your switches with RJ-45 Ethernet cross-over cables, as shown in Figure 3-2.

Figure 3-2 Switch-to-Switch Connectivity

IP Address Instructions
In the actual CCIE lab, you find that the majority of your IP addresses are preconfigured. For this exercise, you are required to configure your IP addresses as shown in Figure 3-3 or to load the initial router configurations supplied. If you are manually configuring your equipment, be sure you include the following loopback addresses:
R1 Lo0 120.100.1.1/32
R2 Lo0 120.100.2.1/32
R3 Lo0 120.100.3.1/32
R4 Lo0 120.100.4.1/32
R5 Lo0 120.100.5.1/32

Alternatively.1/24 Figure 3-3 IP Addressing Diagram Pre-Lab Tasks Build the lab topology per Figure 3-1 and Figure 3-2.3.6.44.2.44.1/24 Lo1 10.33.1/24 Lo1 10.33. Configure the IP addresses on each router as shown in Figure 3-3 and add the loopback addresses.33. you can load the initial configuration files supplied if your router is compatible with those used to create this exercise.34.2.3.2.1.1/24 Lo2 10.1/24 Lo1 10.44.2.45.1/24 Lo2 10.1/24 Lo2 10.100. .1/24 Lo1 10.4.1/24 SW4 Lo0 10.35.46.33.1/32SW1 Lo0 10.2.1.1/24 Lo2 10.R6 Lo0 120.1/24 SW2 Lo0 10.1.1.44.1/24 SW3 Lo0 10.

General Guidelines
Read the whole lab before you start.
Do not configure any static/default routes unless otherwise specified.
Ensure full IP visibility between routers for ping testing/Telnet access to your devices.
If you are running out of time, choose questions that you are confident you can answer. Failing this, choose questions with a higher point rating to maximize your potential score.
Get into a comfortable and quiet environment where you can focus for the next 8 hours.
Take a 30-minute break midway through the exercise.
Have available a Cisco documentation CD-ROM or access online the latest documentation from the following URL:
http://www.cisco.com/cisco/web/psa/configure.html
Note that access to this URL is likely to be restricted within the real exam.

Note
Access only these URLs, not the whole Cisco.com website (because if you are permitted to use documentation during your CCIE lab exam, it will be restricted). To save time during your lab, consider opening several windows with the pages you are likely to look at.

Practice Lab Three
You will now be answering questions in relation to the network topology, as shown in Figure 3-4.

Figure 3-4 Lab Topology Diagram

Section 1: LAN Switching (4 Points)
Configure your switched network per Figure 3-5. Your switched network is physically nonlooped and therefore does not require any STP root bridge configuration. Configure SW1 Fa0/19 to belong to VLAN 200 and SW2 Fa0/19 to belong to VLAN 400. Configure interface Fa0/1 on SW1 to become a trunk port toward R1 and Fa0/6 on SW2 to become a trunk port toward R6. Ports should use 802.1Q encapsulation. Restrict the VLANs permissible to use the trunk on Switch 1 Fa0/1 to VLAN 10, 50, and 200 and VLAN 20, 100, and 400 on Switch 2 Fa0/6. Interface Fa0/20 of each switch has been preconfigured to be a trunk port. Connectivity between switches will be provided via R1 and R6 later in the lab. You should also configure R1 and R6 to terminate the VLANs on each router. (3 points)

0/24.1/24 and 1. The interfaces should be configured to communicate as if connected directly as a point-to-point link.Figure 3-5 Switched Network Topology SW3 interface Fa0/19 and SW4 interface Fa0/19 are required to communicate with each other on the same IP subnet of 1. All required interfaces (including Loopback 0) should be configured to belong to Area 0. configure these interfaces with IP addresses 1. Ensure that all OSPF configuration is entered under the interfaces. (3 points) .1.1. (Actual IP end-to-end connectivity will be achieved in a later section.1.1.1.) (1 point) Section 2: MPLS and OSPF (27 Points) Configure OSPF on your routers per Figure 3-6 to enable your network to transport MPLS and MP-BGP. respectively.2/24.1.

Figure 3-6 MPLS/OSPF Topology

Configure MPLS on all routers within the OSPF domain; use LDP, ensuring that TDP can be used on unused interfaces without specifically configuring these interfaces for TDP. (4 points)

You will be configuring two VPNs over your MPLS networks per Figure 3-7 between PE routers of BLUE and RED. Routers R1 and R6 will become your PE routers, whereas R2, R3, R4, and R5 will become P routers. At this point, assign the following interfaces on each PE router into separate routing instances within the routers:
PE R1 interface Gi0/0 VLAN 10 connection into VPN BLUE
PE R1 interface Gi0/0 VLAN 50 connection into VPN RED
PE R6 interface Gi0/1 VLAN 20 connection into VPN BLUE
PE R6 interface Gi0/1 VLAN 100 connection into VPN RED
Configure VPN BLUE to use an RD of 100 and VPN RED to use an RD of 200 for both importing and exporting routes into your BGP network, which will be configured later with an autonomous system of AS65001. (4 points)

Figure 3-7 MPLS VPN Topology

Create a network between PE router R1 and CE device SW1 using a VLAN 10 interface on SW1 that can be trunked toward R1. Use a subnet of 10.10.10.0/30 with .1/30 assigned to the PE and .2/30 assigned to the CE; this network will reside in the BLUE VPN. (2 points)

Create a network between PE router R1 and CE device SW3 using a VLAN 50 interface on SW3 that can be trunked toward R1. Use a subnet of 130.50.50.0/30 with .1/30 assigned to the PE and .2/30 assigned to the CE; this network will reside in the RED VPN. (2 points)

Create a network between PE router R6 and CE device SW2 using a VLAN 20 interface on SW2 that can be trunked toward R6. Use a subnet of 10.10.20.0/30 with .1/30 assigned to the PE and .2/30 assigned to the CE; this network will reside in the BLUE VPN. (2 points)

Create a network between PE router R6 and CE device SW4 using a VLAN 100 interface on SW4 that can be trunked toward R6. Use a subnet of 130.100.100.0/30 with .1/30 assigned to the PE and .2/30 assigned to the CE; this network will reside in the RED VPN. (2 points)

Section 3: BGP (5 Points)
Configure MP-BGP between your PE routers, per Figure 3-8, to enable your network to transport the VPNv4 addresses of your configured VPNs (BLUE and RED). Use loopback interfaces for peering between your PE routers. You will configure the actual VPN routing in later questions. (4 points)

Figure 3-8 BGP Topology

Section 4: EIGRP and MP-BGP (3 Points)
Configure EIGRP per Figure 3-9 between your PE router R6 and CE Switch SW2. Use an EIGRP virtual instance name of VPN on R6 and a process number of 10 on SW2. Use VLAN 20 for EIGRP connectivity between R6 and SW2. Advertise all preconfigured loopback networks on SW2 to R6 for the BLUE VPN. (1 point)

Figure 3-9 EIGRP/MP-BGP Topology

Configure EIGRP per Figure 3-9 between your PE router R1 and CE switch SW1. Use an EIGRP virtual instance name of VPN on R1 and a process number of 10 on SW1. Use VLAN 10 for EIGRP connectivity between R1 and SW1. Advertise all preconfigured loopback networks on SW1 to R1 for the BLUE VPN. (1 point)

Configure your PE routers R1 and R6 to transport EIGRP routes from your CE devices between the BLUE VPN using MP-BGP. Use a default metric of 10000 100 255 1 1500 for BGP routes when redistributed into EIGRP. Ensure that all EIGRP routes have a MED of 50 assigned to them within MP-BGP. EIGRP networks residing on SW1 should be seen as internal EIGRP routes on SW2 and vice versa. (1 point)

Section 5: OSPF and MP-BGP (6 Points)
Configure OSPF per Figure 3-10 for your VRF RED with a process number of 3 on PE router R1 and SW3 using VLAN 50 for connectivity. Use a process ID of 2 on PE router R6 and CE device SW4 using VLAN 100 for connectivity. You should permit only internal OSPF routes to be advertised across your VPN and ensure that the redistribution of BGP routes into OSPF are assigned as type 1 external routes with no manually adjusted cost associated with them. It is acceptable for these routes to come through as /32 routes because of default OSPF behavior of loopback interfaces. (2 points)

00:00:27. (5 points) . similarly.1.1.1.Figure 3-10 OSPF Topology You will notice that your OSPF IA (intra-area) routes between CE devices SW3 and SW4 appear as type 1 external routes.0/24 from VRF RED into VRF BLUE on R6.44. You are not permitted to adjust the OSPF redistribution into BGP as directed in the previous question.0/24 [170/XXXXXX] via 10. Maintain the OSPF process IDs are previously directed.0 O E1 10.44. leak 10.44.44. Both Switch 1 and Switch 4 should receive the following routes: SW1# show ip route | include 10.1.100.1.1.1 SW1.0/24 from SW1 VRF BLUE on PE R1 into the VRF RED on PE1. Configure your OSPF network appropriately to ensure that the routes are displayed correctly as IA routes. (4 points) Section 6: MPLS (7 Points) Leak network 10.44. Vlan10 SW1# SW4# show ip route | include 10. You are permitted to configure only router R1.1.10.44.1.44.100.10. Vlan100 SW4# Verify your configuration by pinging from VRF RED SW4 10.1.0 D EX 10.44.1. 00:03:04.1 to VRF BLUE SW1 10.0/24 [110/XX] via 130.

Configure your PE routers R1 and R6 to ensure that the MPLS P routers are not listed as intermediate hops when a trace route is performed on your CE devices. (2 points)

Section 7: VPLS Simulation (10 Points)
Switches 3 and 4 will have been configured to belong to the subnet of 1.1.1.0/24 within a previous question. Create an L2TPv3 Xconnect attachment circuit on your PE routers R1 and R6 for your CE devices (SW3 Fast Ethernet 0/19 1.1.1.1/24 and SW4 Fast Ethernet 0/19 1.1.1.2/24) to communicate using a Layer 2 tunneling solution (use Version 3) across your Layer 3 network. You should use existing loopback interfaces on your PE routers for peering over your MPLS network. Be aware that the SW3 resides in VLAN 200 and that SW4 resides in VLAN 400 in respective PE router subinterfaces. (10 points)

Section 8: Multicast (10 Points)
Configure your MPLS network for multicast support of the RED VRF using PIM sparse mode. Ensure that PE router R6’s associated VLAN 100 IP address is used as the rendezvous point for the RED VRF multicast traffic. PE routers R1 and R6 should be configured to tunnel multicast traffic using an MDT address of 232.0.0.11 from CE device Switch 3 VLAN 50 to CE device SW4 VLAN 100 over the RED VRF. It can be assumed that the mVRF bandwidth requirement is low; configure MDT appropriately. Switch 4 should be configured to reply to an ICMP ping on its VLAN 100 interface directed to 226.2.2.2 from Switch 3 VLAN 50. (10 points)

Section 9: IPv6 (6 Points)
Configure the following IPv6 address on the PE routers R1 and R6, and implement IPv6 over MPLS between the 6PE routers to advertise the prefixes between 6PEs. Make sure that your loopback IPv6 addresses are used to source any locally generated IPv6 traffic. (6 points)
R1 Lo0 2010:C15:C0:1::1/64
R1 Gi0/0.10 2010:C15:C0:11::1/64
R6 Lo0 2010:C15:C0:6::1/64
R6 Gi0/1.20 2010:C15:C0:62::1/64

Section 10: QoS (7 Points)
Create the following QoS profile on your PE router R1 for traffic egressing to your CE device connected to the BLUE VRF. Ensure that voice traffic is assigned to an LLQ. Use an appropriate method of prioritizing DSCP traffic so that AF31 packets are statistically dropped more frequently than AF32 during congestion, and reduce the effects of TCP global synchronization within your Mission-Critical class, and solely reduce the effect of TCP global synchronization within the Default class. The total bandwidth between the PE to CE should be shaped to 1 Mbps. (4 points)

Create the following QoS profile on your PE router R1 for traffic ingressing from your CE device connected to the BLUE VRF into the MPLS network. The total aggregate speed from the CE to PE should be restricted to 1 Mbps. Traffic in the Voice class within the detailed CIR should have the MPLS EXP set to 5 and above discarded. Traffic in the Mission-Critical class within the detailed CIR should have the MPLS EXP set to 3 and above set to 7. Traffic in the Default class within the detailed CIR should have the MPLS EXP set to 0 and above set to 4. (3 points)

Section 11: Security (15 Points)
Create three new loopback IP addresses of loopback1 on R4, R5, and R6; use IP addresses of 4.4.4.4/24, 5.5.5.5/24, and 6.6.6.6/24, respectively. Use EIGRP with a named virtual instance of VPN and autonomous system of 1 to advertise the loopback networks between routers over a common GRE tunnel network of 100.100.100.X/24 (X = router number) sourced from each router’s common Ethernet interface, using IPsec to encrypt all traffic between the loopback networks using a preshared ISAKMP key of CCIE. Use an IPsec transform set of esp-des esp-md5-hmac on each router. Use an MTU of 1416 for your secure traffic, an NHRP timeout of 100 seconds for spoke replies, and a delay of 2 microseconds on the tunnel network. NHRP should be authenticated with a password of SECRET. R6 is to be a hub router, with R4 and R5 being effectively spoke routers in your solution. The hub router should provide all necessary direct next-hop information to the spoke routers when they are required to communicate between themselves. Spoke routers must communicate with each other directly using dynamic IPsec connections with the aid of NHRP at the hub, whereas hub-to-spoke IPsec connections should be permanent. You are not permitted to enable EIGRP on your Ethernet interfaces between routers. Test your solution by extended pings sourced from the configured loopback interfaces. (10 points)

Following on from the previous question, add R2 into the common GRE tunnel network as a spoke router using identical security parameters as used on R4 and R5, ensuring that it receives routes from R4, R5, and R6 using the same common EIGRP parameters. The source interface for the tunnel configuration on R2 should be Fast Ethernet 1/1, and the

just configure OSPF per the figure. No. and advertise this identical network from R4 and R5 to the hub router R6 on the common GRE tunnel interface. Does it matter what OSPF process ID I use on my routers? A. the question states that each device must be reachable over the Frame Relay network. simply configure the switches as directed in the question and Layer 2 connectivity will be provisioned later within the lab when your core network is configured. Q. Is this acceptable? A. the question doesn’t direct you to use a specific process ID.0/24 in EIGRP over the common GRE tunnel network.45. (3 points) The network manager of your network cannot justify a full security implementation.1. . so you can use an ID of your choice. No. Q.45.66. No. Q. I can only reach my spoke routers from the hub. Section 2: MPLS and OSPF Q. this includes spoke-to-spoke communication.66. the proctor will not enter into any discussions about the questions or answers. is this related to MPLS TE and is a tunnel required between R1 and R2? A. No. Configure R6 to advertise both destinations (R4 and R5) to spoke router R2 for network 45. No.45. Section 1: LAN Switching and Frame Relay Q. Configure R1 appropriately. but wants to implement a solution that provides a password prompt from R1 only when the keyboard entry 1 is entered on the console port (as opposed to the normal CR/Enter key).1.0/24? A. Do you require OSPF for any interfaces on R1 and R6 that connect to the switches? A. He or she will be present to ensure that you do not have problems with the lab environment and to maintain the timing element of the exam. In the actual CCIE lab. To protect 66. Add new Loopback 2 identical IP addresses of 45.45/24 on both R4 and R5. this is required to advertise your loopback addresses for MPLS.66/32.destination should be the Gigabit Ethernet 0/0 interface of R6. Do you want me to configure Layer 2 between Switch 3 and Switch 4 so that they can communicate on the subnet 1. 
(2 points) Practice Lab 3: “Ask the Proctor” Note This section should be used only if you require clues to complete the questions. this is a pure IP solution designed to speed convergence in the event of a failure without the need to tune convergence timers.45. With my Frame Relay.

Do you need me to configure the PEs to send community values to each other? A. You haven’t been instructed not to use this command at this point even though this is an iBGP configuration. . If I use a different number on R6 and Switch 2. Look for a method of making the autonomous system number the same within your VRF specific configuration on R6. Section 4: EIGRP and MP-BGP Q. Can I configure OSPFv2 Fast Reroute for the 6. Do you want me to configure a full mesh of BGP between all routers? A. A. Do I need to perform any further configuration to make this work? A. Section 3: BGP Q. Yes. just remember that R1 is now a PE router with multiple VRF routing tables. EIGRP requires the same autonomous system number on neighbor routers to peer successfully. You have been provided with additional information in the question that enables you to facilitate use of MP-BGP extended communities. No.6. Do you want the OSPF from the core routers extended into the RED VRF I created so that I run end-to-end OSPF between CE Switch 1 and CE Switch 2? A. just initially as directed OSPF. just add in the MP-BGP autonomous system number to the RD? A. MP-BGP is simply required between the PE routers. Q. Do you want me to configure OSPF. No. Q. and BGP initially within the OSPF section? A. Q. No. they cannot peer correctly. R1 would use its default routing table (which is used for the MPLS connectivity). Q. You must remember how MPLS works and ensure that the route targets are propagated to successfully configure your VPNs. you will ultimately achieve this connectivity through an MPLS VPN and not by simply extending OSPF through your core devices. this will enable your network to transport MPLS and BGP within later questions. I usually configure next-hop self on my BGP configurations. Q. Section 5: OSPF and MP-BGP Q. MPLS. Is this acceptable here? A.6. I can’t ping to my VLAN 10 interface on Switch 1 from R1. 
Do you want me to configure my RED VRF with a route descriptor of 100 and 200 for the BLUE VRF? A. You need to ensure that you source your ping correctly. A combination of the two will achieve the desired results.6/32 prefix? A.Q. So. Correct. Q. otherwise. No.

This must have something to do with the different OSPF process ID I had to configure. Q. No. I can’t adjust this. Do I score any points if I change the redistribution? A. I can make the OSPF routes appear as intra-area routes. Just exercise caution where you configure your parameters to achieve the correct results in the appropriate VRF. Q. this question is a little misleading. Section 8: Multicast Q. though. If I change the domain ID on R1. A. This behavior should become apparent why in the following question. Changing the process ID on OSPF peers wouldn’t affect any adjacency. I have my L2TPv3 tunnel up end to end. or could I do this over a standard Layer 3 network? A. Yes. Q. surely the routes should appear as standard interarea routes through the VPN. yet I cannot ping between switches. Do you want me to enable PIM over my P routers or just PE routers? . it might help you understand the issue. but the routes remain identical. Q. and it would appear that you have modified this behavior with your redistribution configuration. Q. Correct. You had a similar issue with EIGRP autonomous system numbers. I think if I change the redistribution of OSPF into BGP. Am I at liberty to manipulate spanning tree? A. I changed the redistribution. Section 6: MPLS Q. You could achieve the same result over a standard Layer 3 network. You are correct. Find an appropriate value and try it out. so I am stuck. A. Why would I need to do this? A. but you have been directed to do so in the question. Can I modify my loopback interface with the OSPF network command on Switch 4 so that it is advertised with the correct mask? A. The routes will come out as type 1 external routes on your CE devices. Section 7: VPLS Simulation Q. Is this MPLS specific. Why would I want to advertise the OSPF routes as external type 1 routes within BGP. I suspect a spanning-tree type of issue if the question states VLAN differences when I need to provide Layer 2 adjacency. 
just investigate what is possible within your VRF configuration. It will become evident why you have been asked to do this in a later question. I can manage to leak routes between VRFs but my route comes out as a host route.Q. Yes. by all means try to change the redistribution. is that acceptable? A.

you might or might not require a Data MDT. though. Do you want the first QoS policy outbound on the BLUE VRF interface on PE router R1? A. whereby you want me to modify the topmost bits in the EXP field? A. use a common technique whereby traffic is dropped randomly as queues fill. yet the first will be line rate at 1 Gbps. Your switches are currently not capable of running IPv6. Is this correct? A. Is this DiffServ. do you want me to configure some priority queuing within a class for AF32 flows? A. No. Do you want me to run IPv6 down to my CE switches and redistribute anything over MPLS? A.A. The question states “MPLS network. The second QoS policy limits traffic to 1 Mbps. AF31 packets should be dropped more frequently than AF32.and low-bandwidth sources. You might find it is required at certain points within your MPLS network. To prioritize DSCP traffic. I appreciate that this isn’t the real world. . You can. but I don’t understand what the low-bandwidth requirement is. Yes. Yes. Yes. Are you looking for random early detect? A. this wouldn’t offer the inherent drop preference. MDT has differing requirements for high. Yes. Q. can I just configure an IGMP join group appropriately on its VLAN 100 interface? A.2. Q. Q.2. because there is no redistribution to be configured. Do you want PIM on my MPLS router loopback interfaces? A. Yes. Section 9: IPv6 Q. Q. though. Q. it just provides you with two different configuration exercises. Q.” To provide end-to-end multicast support. you might find that configuring PIM end to end is required. Section 10: QoS Q. To get Switch 4 to reply to a ping to 226. Q. Q. Should I just advertise my IPv6 prefixes with the BGP network command? A. I have a Multicast Distribution Tree tunnel between PE routers. Q. You’re almost there. Do I use the same packet-marking classes in each question? A. A.2.

Section 11: Security Q. Yes. No. Yes. use a similar feature on R6 hub to actually advertise both spokes rather than just one as a valid next hop. this would then modify the traffic as it flows into the MPLS network. No. Yes. Can I modify the next hop from the hub? A. Do you want the policy applied to the CE-facing VRF BLUE interface as an input service policy? A. No. The clues in the question suggest this is a DMVPN question.Q. Section 1: LAN Switching (4 Points) Configure your switched network per Figure 3-6. No. No. Q. Q. and it receives a single route to network 45.45. rather than a CR on the line con 0 port. I still show a next hop of the hub between spoke networks. and all traffic flowing from the new subnets you created should automatically be encrypted. Is this acceptable? A. just make the router provide a prompt when it receives an ASCII 1. Q. Configure SW1 Fa0/19 to belong to VLAN 200 and SW2 Fa0/19 to belong to VLAN 400. Is this okay? A. Don’t I need an ACL to mark all traffic that should be encrypted? A. your solution will not require an ACL. you need full network visibility from all devices and not just the hub. Q. Is this acceptable? A. You should use this section to produce an overall score for Practice Lab 3. Can I configure max-paths on R2? A. No. the question specifically states that spoke routers must be able to communicate with each other directly. . you must configure R6 to advertise both spokes (R4 and R5) as valid next hops for this destination. Your switched network is physically nonlooped and therefore does not require any STP root bridge configuration. Q. can I disable this behavior? A. This sounds like a split-horizon issue. I have added R2 as a spoke to the DMVPN network. Do you want me to get R1 to somehow translate a CR into a 1 to then provide a password prompt? A. Q. I have configured my solution correctly. 
Practice Lab 3 Debrief This section now analyzes each question showing you what was required and how to achieve the desired results. Q. yet I don’t get spoke routes on the spoke routers.45.0/24 via the hub router.

Configure Interface Fa0/1 on SW1 to become a trunk port toward R1 and Fa0/6 on SW2 to
become a trunk port toward R6; ports should use 802.1Q encapsulation. Restrict the VLANs
permissible to use the trunk on Switch 1 Fa0/1 to VLAN10, 50, and 200 and VLAN 20, 100, and
400 on Switch 2 Fa0/6. Interface Fa0/20 of each switch has been preconfigured to be a trunk
port. Connectivity between switches will be provided via R1 and R6 later in the lab. You should
also configure R1 and R6 to terminate the VLANs on each router. (3 points)
This is a simple question, but you are required to complete multiple configuration items to gain
your points. To begin, ports Fa0/19 of Switch 1 and Switch 2 should be assigned the correct
VLAN. (The actual VLANs would have been created previously in the initial configuration.) Next,
the trunking is configured as directed with allowed VLANs of 10, 50, and 200 for Switch 1 and 20,
100, and 400 for Switch 2. R1 and R6 are configured with the corresponding VLAN numbers as
subinterfaces to terminate the trunk connections from Switch 1 and Switch 2 using an identical
reference for the dot1q encapsulation. The configuration enables connectivity between switches
when the MPLS section has been completed later in the lab. If you have configured this correctly,
as shown in Example 3-1, you have scored 3 points.

Note
R1 and R6 use the VLAN number for the encapsulation and the subinterface number.
Your subinterface number does not need to match the VLAN number, but it is
considered good practice to do so.

Example 3-1 SW1, SW2, R1, and R6 Configuration

Switch1# show run interface fastethernet 0/19
!
interface fastethernet0/19
switchport access vlan 200
switchport mode access
Switch1# show run interface fastethernet 0/1
!
interface fastethernet0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,50,200
switchport mode trunk
Switch2# show run interface fastethernet 0/19
!
interface fastethernet0/19
switchport access vlan 400
switchport mode access
Switch2# show run interface fastethernet 0/6

0/24.1.) (1 point) This is a straightforward configuration task to change the operation of the ports to non-switchport Layer 3 mode where an IP address can be configured.20 encapsulation dot1Q 20 ! interface GigabitEthernet0/0.1/24 and 1.100.! interface fastethernet0/6 switchport trunk encapsulation dot1q switchport trunk allowed vlan 20. (Actual IP end-to-end connectivity will be achieved in a later section. The interfaces should be configured to communicate as if connected directly as a point-to-point link.200 encapsulation dot1Q 200 R6# show run | begin interface GigabitEthernet0/1 ! interface GigabitEthernet0/1 no ip address ! interface GigabitEthernet0/1.1.1.100 encapsulation dot1Q 100 ! interface GigabitEthernet0/1.2/24. If you have configured this correctly.400 switchport mode trunk R1# show run | begin interface GigabitEthernet0/0 ! interface GigabitEthernet0/0 no ip address ! interface GigabitEthernet0/0.10 encapsulation dot1Q 10 ! interface GigabitEthernet0/0.1.1.50 encapsulation dot1Q 50 ! interface GigabitEthernet0/0.1.400 SW3 interface Fa0/19 and SW4 interface Fa0/19 are required to communicate with each other on the same IP subnet of 1. Example 3-2 SW3 and SW4 Configuration Click here to view code image . you have scored 1 point. End-to-end connectivity is achieved through the IP network at a later stage. respectively. as shown in Example 3-2. Configure these interfaces with IP addresses 1.

Switch3# show run interface fastethernet 0/19
!
interface fastethernet0/19
no switchport
ip address 1.1.1.1 255.255.255.0
Switch4# show run interface fastethernet 0/19
!
interface fastethernet0/19
no switchport
ip address 1.1.1.2 255.255.255.0

Section 2: MPLS and OSPF (27 Points)
Configure OSPF on your routers, per Figure 3-6, to enable your network to transport MPLS
and MP-BGP. Ensure that all OSPF configuration is entered under the interfaces. All
required interfaces (including Loopback 0) should be configured to belong to Area 0. (3 points)
OSPF is used as the IGP in which to advertise the router loopback addresses, which will, of
course, be used for the MPLS connectivity. The question directs you to configure OSPF directly
under the interfaces of the routers. Example 3-3 shows the loopback interfaces of each router
from R1’s perspective advertised as host routes as required for MPLS. Consider using the show
ip ospf interface command to verify your configuration. If you have configured this correctly, as
shown in Example 3-3, you have scored 3 points.
Example 3-3 OSPF Configuration and Verification

R1(config-if)# int lo0
R1(config-if)# ip ospf 1 area 0
R1(config-if)# int Gi0/1
R1(config-if)# ip ospf 1 area 0
R2(config-if)# int lo0
R2(config-if)# ip ospf 1 area 0
R2(config-if)# int Fa0/0
R2(config-if)# ip ospf 1 area 0
R2(config-if)# int Fa0/1
R2(config-if)# ip ospf 1 area 0
R3(config-if)# int lo0
R3(config-if)# ip ospf 1 area 0
R3(config-if)# int Gi0/0
R3(config-if)# ip ospf 1 area 0
R3(config-if)# int Gi0/1
R3(config-if)# ip ospf 1 area 0

R4(config-if)# int lo0
R4(config-if)# ip ospf 1 area 0
R4(config-if)# int gi0/0
R4(config-if)# ip ospf 1 area 0
R4(config-if)# int Gi0/1
R4(config-if)# ip ospf 1 area 0
R5(config-if)# int lo0
R5(config-if)# ip ospf 1 area 0
R5(config-if)# int gi0/0
R5(config-if)# ip ospf 1 area 0
R5(config-if)# int Gi0/1
R5(config-if)# ip ospf 1 area 0
R6(config-if)# int lo0
R6(config-if)# ip ospf 1 area 0
R6(config-if)# int gi0/0
R6(config-if)# ip ospf 1 area 0

R1# show ip route ospf
120.0.0.0/8 is variably subnetted, 11 subnets, 2 masks
O 120.100.2.1/32 [110/2] via 120.100.132.2, 00:05:00, GigabitEthernet0/1
O 120.100.3.1/32 [110/2] via 120.100.132.3, 00:06:16, GigabitEthernet0/1
O 120.100.4.1/32 [110/12] via 120.100.132.3, 00:06:16, GigabitEthernet0/1
O 120.100.5.1/32 [110/22] via 120.100.132.3, 00:02:36, GigabitEthernet0/1
O 120.100.6.1/32 [110/22] via 120.100.132.3, 00:01:19, GigabitEthernet0/1
O 120.100.25.0/24 [110/31] via 120.100.132.3, 00:02:26, GigabitEthernet0/1
O 120.100.34.0/24 [110/11] via 120.100.132.3, 00:06:16, GigabitEthernet0/1
O 120.100.45.0/24 [110/21] via 120.100.132.3, 00:06:16, GigabitEthernet0/1

Configure MPLS on all routers within the OSPF domain; use LDP, ensuring that TDP can
be used on unused interfaces without specifically configuring these interfaces for TDP.
Routers R1 and R6 will become your PE routers, whereas R2, R3, R4, and R5 will
become P routers. (4 points)
Configuration is required on each router for them to become LSRs (label switch routers). The
LSRs must have loopback interfaces with an address mask of 32 bits, and these interfaces must
be reachable within the global IP routing table (which the previous question achieved). R1 and
R6 are the PE (provider edge) routers, which will be used to connect to switches in later
questions simulating CE (customer edge) devices. R2, R3, R4, and R5 become the P (provider)
routers, which will be used to switch labeled packets between the PE routers. The question tells
you to use LDP (Label Distribution Protocol) but facilitate the future use of TDP (Tag
Distribution Protocol) without further configuration on unused interfaces. This is achieved by
configuring TDP globally and LDP under each interface used for MPLS within this lab. (The
default global and interface configuration is LDP.) The PE routers require only MPLS configured
on their serial interfaces toward the P routers. If you have configured this correctly, as shown in
Example 3-4, you have scored 4 points.
Example 3-4 MPLS Configuration

R1(config)# mpls label protocol tdp
R1(config)# interface Gi0/1
R1(config-if)# mpls label protocol ldp
R1(config-if)# mpls ip
R2(config)# mpls label protocol tdp
R2(config)# interface Fa0/0
R2(config-if)# mpls label protocol ldp
R2(config-if)# mpls ip
R2(config)# interface Fa0/1
R2(config-if)# mpls label protocol ldp
R2(config-if)# mpls ip
R3(config)# mpls label protocol tdp
R3(config)# interface Gi0/0
R3(config-if)# mpls label protocol ldp
R3(config-if)# mpls ip
R3(config-if)# interface Gi0/1
R3(config-if)# mpls label protocol ldp
R3(config-if)# mpls ip
R4(config)# mpls label protocol tdp
R4(config)# interface GigabitEthernet0/0
R4(config-if)# mpls label protocol ldp
R4(config-if)# mpls ip
R4(config-if)# interface Gi0/1
R4(config-if)# mpls label protocol ldp
R4(config-if)# mpls ip
R5(config)# mpls label protocol tdp
R5(config)# interface Gi0/0
R5(config-if)# mpls label protocol ldp
R5(config-if)# mpls ip
R5(config-if)# interface Gi0/1
R5(config-if)# mpls label protocol ldp
R5(config-if)# mpls ip
R6(config)# mpls label protocol tdp
R6(config)# interface Gi0/0
R6(config-if)# mpls label protocol ldp
R6(config-if)# mpls ip

Example 3-5 shows verification of the configuration with the LDP peering between each router.
Notice that the loopback addresses are used for LDP peer identification.
Example 3-5 MPLS Configuration Verification

R1# show mpls ldp neighbor
Peer LDP Ident: 120.100.2.1:0; Local LDP Ident 120.100.1.1:0
TCP connection: 120.100.2.1.40418 - 120.100.1.1.646
State: Oper; Msgs sent/rcvd: 69/71; Downstream
Up time: 00:47:20
LDP discovery sources:
GigabitEthernet0/1, Src IP addr: 120.100.123.2
Addresses bound to peer LDP Ident:
120.100.123.2
120.100.25.2
120.100.2.1
Peer LDP Ident: 120.100.3.1:0; Local LDP Ident 120.100.1.1:0
TCP connection: 120.100.3.1.51369 - 120.100.1.1.646
State: Oper; Msgs sent/rcvd: 68/68; Downstream
Up time: 00:47:18
LDP discovery sources:
GigabitEthernet0/1, Src IP addr: 120.100.123.3
Addresses bound to peer LDP Ident:
120.100.123.3
120.100.3.1
120.100.34.3
R2# show mpls ldp neighbor
Peer LDP Ident: 120.100.3.1:0; Local LDP Ident 120.100.2.1:0
TCP connection: 120.100.3.1.16991 - 120.100.2.1.646
State: Oper; Msgs sent/rcvd: 71/68; Downstream
Up time: 00:46:33
LDP discovery sources:
fastethernet0/0, Src IP addr: 120.100.123.3
fastethernet0/1, Src IP addr: 120.100.34.3
Addresses bound to peer LDP Ident:
120.100.123.3
120.100.3.1
120.100.34.3
Peer LDP Ident: 120.100.5.1:0; Local LDP Ident 120.100.2.1:0
TCP connection: 120.100.5.1.13826 - 120.100.2.1.646
State: Oper; Msgs sent/rcvd: 73/76; Downstream
Up time: 00:46:24
LDP discovery sources:
fastethernet0/1, Src IP addr: 120.100.25.5
Addresses bound to peer LDP Ident:
120.100.25.5
120.100.5.1
5.5.5.5
120.100.45.5
100.100.100.5
Peer LDP Ident: 120.100.1.1:0; Local LDP Ident 120.100.2.1:0
TCP connection: 120.100.1.1.646 - 120.100.2.1.40418
State: Oper; Msgs sent/rcvd: 69/68; Downstream
Up time: 00:46:07
LDP discovery sources:
fastethernet0/0, Src IP addr: 120.100.123.1

Addresses bound to peer LDP Ident:
120.100.123.1
120.100.1.1
Peer LDP Ident: 120.100.4.1:0; Local LDP Ident 120.100.2.1:0
TCP connection: 120.100.4.1.47401 - 120.100.2.1.646
State: Oper; Msgs sent/rcvd: 54/57; Downstream
Up time: 00:32:28
LDP discovery sources:
fastethernet0/1, Src IP addr: 120.100.34.4
Addresses bound to peer LDP Ident:
120.100.4.1
4.4.4.4
120.100.45.4
100.100.100.4
120.100.34.4
R3# show mpls ldp neighbor
Peer LDP Ident: 120.100.2.1:0; Local LDP Ident 120.100.3.1:0
TCP connection: 120.100.2.1.646 - 120.100.3.1.16991
State: Oper; Msgs sent/rcvd: 69/72; Downstream
Up time: 00:47:11
LDP discovery sources:
GigabitEthernet0/0, Src IP addr: 120.100.123.2
GigabitEthernet0/1, Src IP addr: 120.100.25.2
Addresses bound to peer LDP Ident:
120.100.123.2
120.100.25.2
120.100.2.1
Peer LDP Ident: 120.100.1.1:0; Local LDP Ident 120.100.3.1:0
TCP connection: 120.100.1.1.646 - 120.100.3.1.51369
State: Oper; Msgs sent/rcvd: 67/67; Downstream
Up time: 00:46:43
LDP discovery sources:
GigabitEthernet0/0, Src IP addr: 120.100.123.1
Addresses bound to peer LDP Ident:
120.100.123.1
120.100.1.1
Peer LDP Ident: 120.100.5.1:0; Local LDP Ident 120.100.3.1:0
TCP connection: 120.100.5.1.53107 - 120.100.3.1.646
State: Oper; Msgs sent/rcvd: 67/74; Downstream
Up time: 00:45:22
LDP discovery sources:
GigabitEthernet0/1, Src IP addr: 120.100.25.5
Addresses bound to peer LDP Ident:
120.100.25.5
120.100.5.1
5.5.5.5
120.100.45.5
100.100.100.5
Peer LDP Ident: 120.100.4.1:0; Local LDP Ident 120.100.3.1:0
TCP connection: 120.100.4.1.15940 - 120.100.3.1.646
State: Oper; Msgs sent/rcvd: 52/56; Downstream
Up time: 00:33:06
LDP discovery sources:
GigabitEthernet0/1, Src IP addr: 120.100.34.4
Addresses bound to peer LDP Ident:
120.100.4.1
4.4.4.4
120.100.45.4
100.100.100.4
120.100.34.4
R4# show mpls ldp neighbor
Peer LDP Ident: 120.100.6.1:0; Local LDP Ident 120.100.4.1:0
TCP connection: 120.100.6.1.55234 - 120.100.4.1.646
State: Oper; Msgs sent/rcvd: 74/76; Downstream
Up time: 00:43:52
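
The checks Example 3-5 is read for can be scripted. The following Python is an added example, not part of the original lab: it parses R1's two neighbor entries from Example 3-5 and three of R1's OSPF routes from Example 3-3 (both copied from this page) and reports any peer that is unexpected, not in state Oper, whose LDP router ID is not among its bound addresses, or whose router ID has no /32 OSPF route. The function names and the `expected` parameter are this example's own.

```python
import re
from dataclasses import dataclass, field

# R1's two neighbor entries, copied from Example 3-5 on this page.
LDP_OUTPUT = """\
Peer LDP Ident: 120.100.2.1:0; Local LDP Ident 120.100.1.1:0
TCP connection: 120.100.2.1.40418 - 120.100.1.1.646
State: Oper; Msgs sent/rcvd: 69/71; Downstream
Up time: 00:47:20
LDP discovery sources:
GigabitEthernet0/1, Src IP addr: 120.100.123.2
Addresses bound to peer LDP Ident:
120.100.123.2
120.100.25.2
120.100.2.1
Peer LDP Ident: 120.100.3.1:0; Local LDP Ident 120.100.1.1:0
TCP connection: 120.100.3.1.51369 - 120.100.1.1.646
State: Oper; Msgs sent/rcvd: 68/68; Downstream
Up time: 00:47:18
LDP discovery sources:
GigabitEthernet0/1, Src IP addr: 120.100.123.3
Addresses bound to peer LDP Ident:
120.100.123.3
120.100.3.1
120.100.34.3
"""

# Three of R1's OSPF routes, copied from Example 3-3 (one route per line).
OSPF_ROUTES = """\
O 120.100.2.1/32 [110/2] via 120.100.132.2, 00:05:00, GigabitEthernet0/1
O 120.100.3.1/32 [110/2] via 120.100.132.3, 00:06:16, GigabitEthernet0/1
O 120.100.34.0/24 [110/11] via 120.100.132.3, 00:06:16, GigabitEthernet0/1
"""

IDENT = re.compile(r"Peer LDP Ident: ([\d.]+):\d+; Local LDP Ident ([\d.]+):\d+")
TCP = re.compile(r"TCP connection: ([\d.]+)\.(\d+) - ([\d.]+)\.(\d+)")
STATE = re.compile(r"State: ([^;]+);")
SOURCE = re.compile(r"(\S+), Src IP addr: ([\d.]+)")
IPV4 = re.compile(r"\d+\.\d+\.\d+\.\d+")
ROUTE = re.compile(r"O\s+(\d+\.\d+\.\d+\.\d+)/(\d+)\s")


@dataclass
class LdpPeer:
    peer_id: str
    local_id: str
    state: str = ""
    peer_port: int = 0    # the passive side of the session listens on TCP 646
    local_port: int = 0
    sources: list = field(default_factory=list)   # (interface, source IP)
    bound: list = field(default_factory=list)     # addresses the peer advertises


def parse_ldp_neighbors(text):
    """Split 'show mpls ldp neighbor' output into one LdpPeer per entry."""
    peers, cur, in_bound = [], None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if m := IDENT.search(line):
            cur, in_bound = LdpPeer(peer_id=m[1], local_id=m[2]), False
            peers.append(cur)
        elif cur is None:
            continue
        elif m := TCP.search(line):
            cur.peer_port, cur.local_port = int(m[2]), int(m[4])
        elif m := STATE.search(line):
            cur.state = m[1]
        elif m := SOURCE.search(line):
            cur.sources.append((m[1], m[2]))
        elif line.startswith("Addresses bound"):
            in_bound = True
        elif in_bound:
            cur.bound += [tok for tok in line.split() if IPV4.fullmatch(tok)]
    return peers


def audit(ldp_text, route_text, expected):
    """Return (router_id, problem) tuples; an empty list means every check passed."""
    host_routes = {m[1] for line in route_text.splitlines()
                   if (m := ROUTE.match(line.strip())) and m[2] == "32"}
    peers = parse_ldp_neighbors(ldp_text)
    findings = []
    for p in peers:
        if p.peer_id not in expected:
            findings.append((p.peer_id, "unexpected LDP peer"))
        if p.state != "Oper":
            findings.append((p.peer_id, f"session state is {p.state or 'unknown'}"))
        if p.peer_id not in p.bound:
            findings.append((p.peer_id, "LDP router ID is not a bound address"))
        if p.peer_id not in host_routes:
            findings.append((p.peer_id, "no /32 OSPF route to the LDP router ID"))
    for missing in sorted(expected - {p.peer_id for p in peers}):
        findings.append((missing, "expected LDP peer is absent"))
    return findings


if __name__ == "__main__":
    problems = audit(LDP_OUTPUT, OSPF_ROUTES, {"120.100.2.1", "120.100.3.1"})
    print(problems or "all LDP checks passed")
```
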


You will be configuring two VPNs over your MPLS networks per Figure 3-8 between PE
routers of BLUE and RED. At this point, assign the following interfaces on each PE router
into separate routing instances within the routers:
PE R1 interface Gi0/0 VLAN10 connection into VPN BLUE
PE R1 interface Gi0/0 VLAN 50 connection into VPN RED
PE R6 interface Gi0/1 VLAN 20 connection into VPN BLUE
PE R6 interface Gi0/1 VLAN 100 connection into VPN RED
Configure VPN BLUE to use an RD of 100 and VPN RED to use an RD of 200 for both
importing and exporting routes into your BGP network, which will be configured later with
an autonomous system of AS65001. (4 points)
You are required to create virtual routing forwarding (VRF) instances on the PE routers and
assign the subinterfaces on each PE router into these. This will ultimately provide end-to-end
virtual private networking (VPN) connectivity over the MPLS network for your CE devices to
communicate. You are directed to use a route descriptor (RD) of 100 for the BLUE VRF and 200
for the RED VRF and must combine this with the BGP autonomous system number of 65001 to

import and export route target extended communities for the specified VRFs. The actual BGP
configuration will be configured later in the lab. If you have configured this correctly, as shown
in Example 3-6, you have scored 4 points.
Example 3-6 VRF Configuration

R1(config)# ip vrf BLUE
R1(config-vrf)# rd 65001:100
R1(config-vrf)# route-target export 65001:100
R1(config-vrf)# route-target import 65001:100
R1(config-vrf)# !
R1(config-vrf)# ip vrf RED
R1(config-vrf)# rd 65001:200
R1(config-vrf)# route-target export 65001:200
R1(config-vrf)# route-target import 65001:200
R1(config-vrf)# exit
R1(config)# interface GigabitEthernet0/0.10
R1(config-subif)# ip vrf forwarding BLUE
R1(config-subif)# interface GigabitEthernet0/0.50
R1(config-subif)# ip vrf forwarding RED
R6(config)# ip vrf BLUE
R6(config-vrf)# rd 65001:100
R6(config-vrf)# route-target export 65001:100
R6(config-vrf)# route-target import 65001:100
R6(config-vrf)# !
R6(config-vrf)# ip vrf RED
R6(config-vrf)# rd 65001:200
R6(config-vrf)# route-target export 65001:200
R6(config-vrf)# route-target import 65001:200
R6(config-vrf)# exit
R6(config)# interface GigabitEthernet0/1.20
R6(config-subif)# ip vrf forwarding BLUE
R6(config)# interface GigabitEthernet0/1.100
R6(config-subif)# ip vrf forwarding RED

Create a network between PE router R1 and CE device SW1 using a VLAN10 interface on SW1
that can be trunked toward R1. Use a subnet of 10.10.10.0/30 with .1/30 assigned to the PE and
.2/30 assigned to the CE. This network will reside in the BLUE VPN. (2 points)
This is a simple configuration task to assign IP connectivity between the PE and CE devices for
future routing between the devices and remote VPN connectivity via R6. The new VLAN10 must
be created on SW1, and this VLAN should have already been permitted to flow through to R1 as
an allowed VLAN. The subinterface of Gigabit 0/0.10 on R1 has been assigned to the BLUE VRF
during the previous question, so connectivity between SW1 and R1 should now be

possible (when IP addresses are assigned). When testing, remember that R1 must use the
appropriate VRF to confirm connectivity, because a normal ping would be sourced from the
global routing table and will fail. If you have configured this correctly, as shown in Example 3-7,
you have scored 2 points.
Example 3-7 BLUE VRF IP Addressing and Local Connectivity Testing

R1(config)# interface GigabitEthernet0/0.10
R1(config-subif)# ip add 10.10.10.1 255.255.255.252
Switch1(config)# vlan 10
Switch1(config-vlan)# exit
Switch1(config)# interface vlan 10
Switch1(config-if)# no shutdown
Switch1(config-if)# ip add 10.10.10.2 255.255.255.252
R1# ping vrf BLUE 10.10.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 1/1/1 ms

Create a network between PE router R6 and CE device SW2 using a VLAN 20 interface on SW2
that can be trunked toward R6. Use a subnet of 10.10.20.0/30 with .1/30 assigned to the PE and
.2/30 assigned to the CE. This network will reside in the BLUE VPN. (2 points)
This is a simple configuration task as per the previous question to assign connectivity between
the PE and CE devices for future routing between the devices and remote VPN connectivity via
R1. The new VLAN 20 must be created on SW2, and this VLAN already should have been
permitted to flow through to R6 as an allowed VLAN. The subinterface of Gigabit 0/1.20 on R6
has been assigned to the BLUE VRF during a previous question, so connectivity between SW2
and R6 should now be possible. When testing, remember that R6 must use the appropriate VRF
to confirm connectivity. If you have configured this correctly, as shown in Example 3-8, you have
scored 2 points.
Example 3-8 BLUE VRF IP Addressing and Local Connectivity Testing

R6(config)# interface GigabitEthernet0/1.20
R6(config-subif)# ip add 10.10.20.1 255.255.255.252
Switch2(config)# vlan 20

Switch2(config-vlan)# exit
Switch2(config)# interface vlan 20
Switch2(config-if)# no shutdown
Switch2(config-if)# ip add 10.10.20.2 255.255.255.252
R6# ping vrf BLUE 10.10.20.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.20.2, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 1/1/1 ms

Create a network between PE router R1 and CE device SW3 using a VLAN 50 interface on SW3
that can be trunked toward R1; this network will reside in the RED VPN. Use a subnet of
130.50.50.0/30 with .1/30 assigned to the PE and .2/30 assigned to the CE. (2 points)
Here’s another simple configuration to assign connectivity between the PE and CE devices for
future routing between the devices and remote VPN connectivity via R6. VLAN 50 has been
previously created on SW3 and SW1 within the initial configuration. This VLAN should have
already been permitted to flow through SW1 to R1 as an allowed VLAN. The subinterface of
Gigabit 0/0.50 on R1 has been assigned to the RED VRF during a previous question, so
connectivity between SW3 and R1 should now be possible. When testing, remember that R1 must
use the appropriate VRF to confirm connectivity. If you have configured this correctly, as shown
in Example 3-9, you have scored 2 points.
Example 3-9 RED VRF IP Addressing and Local Connectivity Testing

R1(config)# interface GigabitEthernet0/0.50
R1(config-subif)# ip add 130.50.50.1 255.255.255.252
Switch3(config)# interface vlan 50
Switch3(config-if)# no shutdown
Switch3(config-if)# ip add 130.50.50.2 255.255.255.252
R1# ping vrf RED 130.50.50.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 130.50.50.2, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 1/1/1 ms

Create a network between PE router R6 and CE device SW4 using a VLAN 100 interface on SW4
that can be trunked toward R6; this network will reside in the RED VPN. Use a

subnet of 130.100.100.0/30 with .1/30 assigned to the PE and .2/30 assigned to the CE.
(2 points)
This is the final configuration task to assign connectivity between the PE and CE devices for
future routing between the devices and remote VPN connectivity via R1. VLAN 100 has been
previously created on SW4 and SW2, within the initial configuration; this VLAN should have
already been permitted to flow through SW2 to R6 as an allowed VLAN. The subinterface of
Gigabit 0/1.100 on R6 has been assigned to the RED VRF during a previous question, so
connectivity between SW4 and R6 should now be possible. When testing, remember that R6 must
use the appropriate VRF to confirm connectivity. If you have configured this correctly, as shown
in Example 3-10, you have scored 2 points.
Example 3-10 RED VRF IP Addressing and Local Connectivity Testing

R6(config)# interface GigabitEthernet0/1.100
R6(config-subif)# ip add 130.100.100.1 255.255.255.252
Switch4(config)# interface vlan 100
Switch4(config-if)# no shutdown
Switch4(config-if)# ip add 130.100.100.2 255.255.255.252
R6# ping vrf RED 130.100.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 130.100.100.2, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 1/1/1 ms

Section 3: BGP (5 Points)
Configure MP-BGP between your PE routers, per Figure 3-9, to enable your network to
transport the VPNv4 addresses of your configured VPNs (BLUE and RED). Use loopback
interfaces for peering between your PE routers. You will configure the actual VPN routing in
later questions. (4 points)
MPLS requires the use of Multiprotocol BGP (MP-BGP) between the PE routers to exchange
VPNv4 addresses in addition to IPv4 addresses. The VPNs will be mapped into the configuration
later, so this question is a straightforward peering and VPNv4 setup task. The configuration
requires you to peer from your loopback interfaces, which are advertised via your P routers
within OSPF and that extended communities are used between PE routers to advertise your
VPNv4 addresses successfully. You should be aware that route targets (RTs) are implemented by
the use of the BGP extended community (64 bits) and therefore the send-community both value
must be configured within MP-BGP. The actual VPN portion of MP-BGP will be configured later
within the IPv4 address family for VRF-specific advertisements. The next-hop-self command is
optional and strictly required only when you have an eBGP configuration to preserve the
next-hop information to peers; you will not lose any points if you added this or left it out.

This is a simple MP-BGP network with only two PE routers; additional PE routers would require
a full mesh of iBGP peering or configuration of route-reflectors to aid scalability. If you have
configured this correctly, as shown in Example 3-11, you have scored 4 points.
Example 3-11 MP-BGP Configuration

R1(config)# router bgp 65001
R1(config-router)# no synchronization
R1(config-router)# no auto-summary
R1(config-router)# neighbor 120.100.6.1 remote-as 65001
R1(config-router)# neighbor 120.100.6.1 update-source Loopback0
R1(config-router)# address-family vpnv4
R1(config-router-af)# neighbor 120.100.6.1 activate
R1(config-router-af)# neighbor 120.100.6.1 next-hop-self
R1(config-router-af)# neighbor 120.100.6.1 send-community both
R6(config)# router bgp 65001
R6(config-router)# no sync
R6(config-router)# no auto-summary
R6(config-router)# neighbor 120.100.1.1 remote-as 65001
R6(config-router)# neighbor 120.100.1.1 update-source Loopback0
R6(config-router)# address-family vpnv4
R6(config-router-af)# neighbor 120.100.1.1 activate
R6(config-router-af)# neighbor 120.100.1.1 next-hop-self
R6(config-router-af)# neighbor 120.100.1.1 send-community both

Section 4: EIGRP and MP-BGP (3 Points)
Configure EIGRP per Figure 3-9 between your PE router R6 and CE switch SW2. Use an
EIGRP virtual instance name of VPN on R6 and a process number of 10 on SW2. Use VLAN 20
for EIGRP connectivity between R6 and SW2. Advertise all preconfigured loopback networks
on SW2 to R6 for the BLUE VPN. (1 point)
Until now, the questions have merely dealt with setting up the infrastructure for MPLS
connectivity. Now you are requested to advertise routes from your CE switch SW2 to PE router
R6, which will ultimately be advertised throughout the BLUE VPN to the remote PE router R1
and CE switch SW1. You’ll realize that to peer successfully with EIGRP you would need to be
operating within the same autonomous system number, yet the question enforces you to run
differing autonomous system numbers. PE routers would normally connect to multiple customers,
so it is unreasonable to expect that each EIGRP domain should run the same autonomous system
number. Therefore, the autonomous system is assigned with the address-family vrf-specific
command. If you have configured this correctly, as shown in Example 3-12, you have scored
1 point. Example 3-12 details the EIGRP configuration and resulting neighbor relationship and
route propagation between R6 and SW2.

20 00:04:36.2. D 10.10.10.20.20 00:04:36.20.0/24 [90/156160] via 10.0. D 10.2. D 10. Example 3-12 R6 and Switch 2 EIGRP Configuration and Verification Click here to view code image R6(config)# router eigrp VPN R6(config-router)# address-family ipv4 vrf BLUE autonomous-system 10 R6(config-router-af)# network 10.10.255 Switch2(config-router)# network 10.20 .0 0.0.3.0 0.20.2.2. GigabitEthernet0/1.10. (ms) Cn 11 4 subnets.0.0.0 0.10.0.4.2.4. The BLUE VRF has also been associated to the R6 subinterface previously.0 0.0.2. 2 masks 00:04:36.2.0.3.3 Switch2(config)# ip routing Switch2(config)# router eigrp 10 Switch2(config-router)# no auto-summary Switch2(config-router)# network 10.0/24 [90/156160] via 10.0.2.0. GigabitEthernet0/1.0. GigabitEthernet0/1.255 Switch2(config-router)# network 10.20 00:04:18 1 200 0 1 R6# R6# show ip route vrf BLUE eigrp 10.2.255 R6# show ip eigrp vrf BLUE neighbors IP-EIGRP neighbors for process 10 H Address Interface Uptime SRTT RTO Q Seq Hold (sec) t Num 0 10.0.2.2 Gi0/1.20.3 Switch2(config-router)# network 10.0 0.20.2.10.Note The IP addressing for VLAN 20 on SW2 and associated subinterfaces on R6 has previously been configured.0/24 [90/156160] via 10.0/8 is variably subnetted.0.20.

Use an EIGRP virtual instance name of VPN on R1 and a process number of 10 on SW1.10. which will ultimately be advertised throughout the BLUE VPN to the remote PE router R6 and CE switch SW2.255 Switch1(config-router)# network 10. If you have configured this correctly. you are requested to advertise routes from your CE switch SW1 to PE router R1.10 200 0 Cn (ms) Cn 13 1 R1# show ip eigrp vrf BLUE neighbors IP-EIGRP neighbors for process 10 H Address Interface Uptime SRTT RTO Q Seq Hold (sec) t Num (ms) .10.0.255 Switch1(config-router)# network 10.0 0.3 Switch1(config-router)# network 10. (1 point) As per the previous question. The BLUE VRF has also been associated to the R1 subinterface previously.3 Switch1(config)# ip routing Switch1(config)# router eigrp 10 Switch1(config-router)# no auto-summary Switch1(config-router)# network 10.2.0.0.255 R1# show ip eigrp vrf BLUE neighbors IP-EIGRP neighbors for process 10 H Address Interface Uptime SRTT RTO Q Seq Hold (sec) t Num 0 10.10.0 0.3. Advertise all preconfigured loopback networks on SW1 to R1 for the BLUE VPN.1.0.0.0. Example 3-13 R1 and Switch 1 EIGRP Configuration and Verification Click here to view code image R1(config)# router eigrp VPN R1(config-router)# address-family ipv4 vrf BLUE autonomous-system 10 R1(config-router-af)# network 10. Use VLAN10 for EIGRP connectivity between R1 and SW1.10.0 0.0.1.1.0 0. you have scored 1 point.0.10.2 00:00:24 1 R1# Gi0/0.10.0.0. as shown in Example 3-13. Example 3-13 details the EIGRP configuration and resulting neighbor relationship and route propagation between R1 and SW1.0 0.1. Configure EIGRP per Figure 3-9 between your PE router R1 and CE switch SW1.Note The IP addressing for VLAN 10 on SW1 and associated subinterfaces on R1 has previously been configured.

2.0.2. Example 3-14 PE and CE MP-BGP Redistribution Configuration and Verification Click here to view code image R1(config)# router eigrp VPN R1(config-router)# address-family ipv4 vrf BLUE autonomous-system 10 R1(config-router)# topology base R1(config-router-af-topology)# redistribute bgp 65001 metric 10000 100 255 1 1500 R1(config-router-af-topology)# router bgp 65001 R1(config-router)# address-family ipv4 vrf BLUE R1(config-router-af)# redistribute eigrp 10 metric 50 R6(config)# router eigrp VPN R6(config-router)# address-family ipv4 vrf BLUE autonomous-system 10 R6(config-router)# topology base R6(config-router-af-topology)# redistribute bgp 65001 metric 10000 100 255 1 1500 R6(config-router-af-topology)# router bgp 65001 R6(config-router)# address-family ipv4 vrf BLUE R6(config-router-af)# redistribute eigrp 10 metric 50 .10 00:01:18.0/24 [90/153856] via 10. GigabitEthernet0/0.0/24 [90/153856] via 10. 2 masks 00:01:18. even though they have been redistributed via another routing protocol.10 00:00:24 1 200 0 1 R1# show ip route vrf BLUE eigrp 10.3.10.10. (1 point) The full end-to-end VPN routing is achieved at this point by redistributing EIGRP into the appropriate address family for the VRF.10. D 10.1. Example 3-14 details the configuration required on the PE routers and resulting routes on the CE devices SW1 and SW2. EIGRP networks residing on SW1 should be seen as internal EIGRP routes on SW2 and vice versa. If you have configured this correctly.0/8 is variably subnetted.1. GigabitEthernet0/0. Ensure that all EIGRP routes have a MED of 50 assigned to them within MP-BGP. you have scored 1 point. The question dictates the metrics you should use. The question is just looking for accuracy and giving you the opportunity to view routes with the metrics and later without if you choose to. D 10.0.2. 13 4 subnets.2 Gi0/0.10. 
the metrics are not required because the extended community values of MP-BGP previously configured will effectively transport the internal metrics of EIGRP and ensure that the routes are shown as internal EIGRP routes at the remote location. GigabitEthernet0/0.1.10.10 00:01:18.0 10. D 10.0/24 [90/153856] via 10. as shown in Example 3-14. Use a default metric of 10000 100 255 1 1500 for BGP routes when redistributed into EIGRP.10 Configure your PE routers R1 and R6 to transport EIGRP routes from your CE devices between the BLUE VPN using MP-BGP.10.10.10.2. In reality.1.

0/24 10.0/24 [90/156416] via 10.10. e .2 50 32768 ? *> 10. If you have configured this correctly. you have scored 3 points.10.2.10. > best.1.10.20.10. 00:32:05.100.100.1.20.10.IGP.0/24 [90/154112] via 10.100.10.10. r RIB-failure.0/24 10. Vlan10 D 10. S Stale Origin codes: i . * valid.20.10. h history. d damped.20.0.20.1.20.EGP. it also details the MPLS forwarding table for the BLUE VRF.1. Vlan20 Example 3-15 details the BGP routes received on the PE routers with the assigned MED value of 50.2. * valid.2.incomplete Network Next Hop Metric LocPrf Weight Path Route Distinguisher: 65001:100 (default for vrf BLUE) .0.2.3.100. Notice the iBGP routes on the PE routers from the remote PE router with the MED of 50.10.100. 00:32:05.4. h history.10.3.IGP.20.0/30 [90/28416] via 10.100. Example 3-15 PE MP-BGP and MPLS Verification Click here to view code image R6# show ip bgp vpnv4 vrf BLUE BGP table version is 17.1 50 100 0 ? *>i10.10.1.3.10.0/30 0.1 50 100 0 ? *> 10. Vlan10 SW2# show ip route eigrp D 10.0/24 [90/154112] via 10.10.1.10.10. Vlan10 D 10.1.0/24 [90/156416] via 10. e . 00:33:07.10.6. Vlan20 D 10.10.3.EGP.10.1.1.2.SW1# show ip route eigrp D 10. 00:32:05.1. i internal. > best.1 Status codes: s suppressed.0/24 120.0/24 120. local router ID is 120. as shown in Example 315.1. Vlan20 D 10.10.1.1.20. d damped. ? .2. ? . 00:33:07. Vlan20 D 10.1 Status codes: s suppressed.2 50 32768 ? *>i10.1 0 100 0 ? *> 10. 00:33:07.1. S Stale Origin codes: i .2 50 32768 ? *> 10.2.1. Vlan10 D 10.0/24 [90/154112] via 10. i internal.1.incomplete Network Next Hop Metric LocPrf Weight Path Route Distinguisher: 65001:100 (default for vrf BLUE) *>i10.0/24 [90/156416] via 10.2.1.0/30 120.1.1.1 50 100 0 ? *>i10.2.1. r RIB-failure. 00:32:05.0/24 120. local router ID is 120. 00:33:07.0/24 10.20.4.2.1.10. these are the routes that are propagated to EIGRP CE devices.0/30 [90/26112] via 10.0 0 32768 ? R1# show ip bgp vpnv4 vrf BLUE BGP table version is 17.

0/24[V] 0 28 Aggregate 10.20.*> 10.10.0/30 *>i10.10.0. Use a process ID of 2 on PE router R6 and CE device SW4 using VLAN 100 for connectivity.2 10.2 120.0/24[V] 0 29 Aggregate 10. as shown in Example 3-16.10. You are requested to permit only internal OSPF routes to be redistributed into BGP.100.1 120.2 Gi0/1.1.2.0/30[V] 0 29 Untagged 10.0/24[V] 0 R6# show mpls forwarding-table vrf BLUE Local Outgoing Prefix Bytes tag tag tag or VC or Tunnel Id switched 26 Untagged 10. you have scored 2 points.10 10.2.0/24 *> 10.0/24 *>i10.2.10.10.3.10.10.1.0/24[V] 0 27 Untagged 10. but in reality the routes would appear to have not been redistributed through another routing protocol by default.0/24 *>i10. Figure 3-10 indicates that all loopback interfaces are to be included in OSPF on both CE devices.0/24 *> 10.2.2.2 Gi0/0.2.2 Section 5: OSPF and MP-BGP (6 Points) Configure OSPF per Figure 3-10 for your VRF RED with a process number of 3 on PE router R1 and SW3 using VLAN 50 for connectivity.10.10.20 10.20.100.10.1.2.3.10.10.4.6.2.20.1.1 50 50 50 50 50 50 100 100 100 0 0 R1# show mpls forwarding-table vrf BLUE Local Outgoing Prefix Bytes tag tag tag or VC or Tunnel Id switched 26 Untagged 10.10 10. (2 points) You are requested to configure OSPF over your MPLS network between CE devices SW3 and SW4 via your PE routers R1 and R6.0/24 *> 10.1. If you have configured this correctly.10.1.20.2 Gi0/0.2.2 Outgoing Next Hop interface Gi0/1.1.0/24 *>i10.10.10.0/30 10.1 0. As with the EIGRP question. . It is acceptable for these routes to come through as / 32 routes because of default OSPF behavior of loopback interfaces. but the question states that this is acceptable behavior.10 10.6.4.1.3. This direction is actually a red herring for the next question when the routes at the CE devices appear as external routes when they should in fact be internal routes. Example 3-16 details the required configuration and verification. 
you are requested to manipulate the redistribution of the IGP into BGP.10.0/24[V] 0 27 Untagged 10.2 10.10.100.2 Gi0/1.1 120.2.0/24[V] 0 28 Untagged 10.100.20.3.0.10.0/30[V] 0 100 32768 ? 32768 ? 32768 ? 0 ? 0 ? 0 ? 32768 ? 0 ? Outgoing Next Hop interface Gi0/0. You should be aware that OSPF will advertise these as host routes.0 120. You should permit only internal OSPF routes to be advertised across your VPN and ensure that the redistribution of BGP routes into OSPF are assigned as type 1 external routes with no manually adjusted cost associated with them.20 10.6. which is a simple match internal parameter on the redistribution configuration.6.10.20 10.10.10.

0.0.1 [110/2] via GigabitEthernet0/0.Example 3-16 VRF RED OSPF Configuration and Verification Click here to view code image SW3(config)# ip routing SW3(config)# router ospf 3 SW3(config-router)# network SW3(config-router)# network SW3(config-router)# network SW3(config-router)# network 130.33.1 [110/2] via GigabitEthernet0/0.50.0.0 0.33.0 0.1 [110/2] via GigabitEthernet0/0. R6# show ip route vrf RED ospf Routing Table: RED 10.3 area 0 R1(config-router)# redistribute bgp 65001 subnets metric-type 1 R1(config-router)# router bgp 65001 R1(config-router)# address-family ipv4 vrf RED R1(config-router-af)# redistribute ospf 3 match internal R6(config)# router ospf 2 vrf RED R6(config-router)# net 130.50.100.0.46. 130.2.0 0.255 area 2 R1(config)# router ospf 3 vrf RED R1(config-router)# network 130.45.0. 00:04:48.0 0.35.0 0.0.44.100. 00:04:48.50.100 O IA 10.0. 00:04:48.0.0.44.50.100.0.44.46. 00:02:32.100.0 0.0.3 area 0 R6(config-router)# redistribute bgp 65001 subnets metric-type 1 R6(config-router)# router bgp 65001 R6(config-router)# address-family ipv4 vrf RED R6(config-router-af)# redistribute ospf 2 match internal R1# show ip route vrf RED ospf Routing Table: RED 10.3 area 0 10.0 0.2.50.0.34. 6 subnets O IA 10.50 6 subnets 130.50 O IA 10.50.33.0/32 is subnetted.3 area 0 10.1 [110/2] via 130.33.33.0.0/32 is subnetted.100.44.100.50.0.44.33.45.2.0.255 area 1 SW4(config)# ip routing SW4(config)# router ospf 2 SW4(config-router)# network SW4(config-router)# network SW4(config-router)# network SW4(config-router)# network 130.0 0.0 0.0. GigabitEthernet0/1.100.255 area 1 10.35.34. O IA 10.255 area 2 10.100.50.255 area 2 10.50.50 O IA 10. 130.2.33.0.255 area 1 10.0. .0.2.0.0 0.0.0.33.50.44.0.0.1 [110/2] via 130. 00:02:32.

100.1/32 [110/3] via 130. it is only when these routes are advertised to the CE devices that the type 1 external route change occurs.44.1 [110/2] via 130.44.100.1/32 [110/3] via 130. 00:02:54. 00:03:37.0.100 O IA 10.100.50. Because you have your routes in place and following questions do not build from this one. 00:03:37.100.1.1. So.34.100.44.44. Vlan50 10.100.1.0/30 is subnetted.33. Vlan50 SW4# show ip route ospf 130. You are not permitted to adjust the OSPF redistribution into BGP as directed in the previous question.50. 00:02:54. As stated previously. When you look at the routes in Example 3-17 for the PE routers.100. You are permitted to configure only router R1.33. you can confidently leave questions like this for later.0 [110/2] via 130.33.33.50.44.1.0.50.0.1/32 [110/3] via 130. 1 subnets O E1 130. 00:03:37. Vlan100 O E1 10. GigabitEthernet0/1.100.1/32 [110/3] via 130. 6 subnets. it’s one to park and come back to). 1 subnets O E1 130.0.0 [110/2] via 130. (4 points) This is a tricky question and one that will really eat into your time (the kind of question that if the answer doesn’t jump out at you and the points don’t look appealing enough.0/8 is variably subnetted.0.44. Vlan100 O E1 10.50. Vlan50 O E1 10.100.50.50. Vlan100 Note The IP addressing for VLAN50 on SW3 and associated subinterface on R1 and VLAN 100 on SW4 and associated subinterface on R6 has previously been configured.46. you will see that they are actually IA routes at this point.1/32 [110/3] via 130.GigabitEthernet0/1.1.100.1.0/30 is subnetted.1/32 [110/3] via 130. 00:03:37. 2 masks O E1 10. 2 masks O E1 10.50.1. 00:02:55.100.50.50. You will notice that your OSPF IA (intra-area) routes between CE devices SW3 and SW4 appear as type 1 external routes. 00:06:08.2.45. Example 3-17 VRF RED OSPF Routes Click here to view code image . the redistribution into type 1 is actually somewhat misleading. Maintain the OSPF process IDs are previously directed.100. 6 subnets. Vlan50 O E1 10.1.50.100. 
Configure your OSPF network appropriately to ensure that the routes are displayed correctly as IA routes.100 SW3# show ip route ospf 130. The RED VRF has also been associated to the R1 and R6 subinterfaces previously.0/8 is variably subnetted. 00:02:32.35.0. Vlan100 10.

1. Vlan100 The clue is actually in the question “Maintain the OSPF process IDs as previously directed.100. 130.50 O IA 10.50.0. and the resulting IA routes received on your CE devices. 00:06:08. This is the same as the process ID.1 [110/2] via GigabitEthernet0/0. . Vlan100 10.100. If you have configured this correctly. Example 3-18 details the domain ID information on your PE routers.44.R1# show ip route vrf RED ospf Routing Table: RED 10. O IA 10.35. 2 masks O E1 10. it would most likely work.45.0 [110/2] via 130.46.0/32 is subnetted. Vlan100 O E1 10. Vlan100 O E1 10. 130.100.100.0.1.2.1.1/32 [110/3] via 130. Vlan50 O E1 10. SW3# show ip route ospf 130.33.100.” Statements such as this should make you think. 00:04:48.2. 00:02:54.1.1 [110/2] via GigabitEthernet0/1. You might not have known that.33. O IA 10.33. 00:03:37. R6# show ip route vrf RED ospf Routing Table: RED 10.0/8 is variably subnetted. Because you are not permitted to change the process ID. you have scored 4 points.1 [110/2] via GigabitEthernet0/1.33.100. so if I did change the process ID.44.0/30 is subnetted.50.50.1.50.0 [110/2] via 130. 1 subnets O E1 130.0. and how else can I achieve that?” OSPF has a domain ID by default.0/32 is subnetted.44. 00:02:32. 00:02:32.46.0. Vlan50 SW4# show ip route ospf 130.50.33.100.100.1/32 [110/3] via 130.100 O IA 10.0. If the process IDs differ on PE routers that form the VPN.44.100.34.0.50.33.1/32 [110/3] via 130. 00:04:48.50. you are left with only the option of changing the domain ID.44.2.1 [110/2] via GigabitEthernet0/1.1 [110/2] via GigabitEthernet0/0.50. 00:02:55.0.100. as shown in Example 3-18.1.50. 130.100.0.100 6 subnets 130. 00:02:54.44.50.1.50. the configuration required to change the domain ID on one of your PE’s Router R1. Why would that do it.33.35.2.1/32 [110/3] via 130.50.100.34.0/8 is variably subnetted.0/30 is subnetted. Vlan50 10.44. “Okay.0.100.33.50.1/32 [110/3] via 130.44.50.1/32 [110/3] via 130. 00:03:37.100 O IA 10. 
00:04:48.1.2.100.100.50 O IA 10.2.1 [110/2] via GigabitEthernet0/0. Vlan50 O E1 10.100. 00:03:37.50 6 subnets 130. 00:03:37.50.50. 00:02:32. 1 subnets O E1 130. but it is the kind of thing that you gain through research and rack time.50. 2 masks O E1 10.100.45.0. 6 subnets. 130. 6 subnets. the LSA is changed to a type 5 and the routes become external.

44. Vlan100 10.33.100.0.0. leak 10.0.Example 3-18 Domain ID Configuration and OSPF Route Verification Click here to view code image R1# show ip ospf 3 | include Domain Domain ID type 0x0005. 00:00:07.2 SW3# show ip route ospf 130.50.100.44.0/24 from VRF RED into VRF BLUE on R6.44.44. 00:03:04.1.0. 00:00:07.1.1.1/32 [110/3] via 130.1.1.1. value 0.1/32 [110/3] via 130.44.100.50.50.1. 00:00:09.44.50.34.44.0/24 originates from a loopback interface on Switch 4.33.50.2 R1(config)# router ospf 3 vrf RED R1(config-router)# domain-id 0.0.1 SW1.0/24 [110/XX] via 130.50. 6 subnets.1. Both Switch 1 and Switch 4 should receive the following routes: SW1# show ip route | include 10.50.0 [110/2] via 130. Vlan100 SW4# Verify your configuration by pinging from VRF RED SW4 10.1.100. so OSPF must be .100. 1 subnets O IA 130.0/24 [170/XXXXXX] via 10. 00:00:09.1.0. Vlan50 SW3# SW4# show ip route ospf 130. Vlan100 O IA 10.1.1.100.1. 00:00:07.0 O E1 10.50. Vlan100 O IA 10. Similarly.0 [110/2] via 130.100.1/32 [110/3] via 130.0/8 is variably subnetted. 00:00:09.0/30 is subnetted.44.0.50. Vlan100 Section 6: MPLS (7 Points) Leak network 10.100. 2 masks O IA 10.0.1/32 [110/3] via 130.0. 1 subnets O IA 130.0.0. 00:00:09.44.33. Vlan50 O IA 10.0/8 is variably subnetted. Vlan10 SW1# SW4# show ip route | include 10.1.100.3 R6# show ip ospf 2 | include Domain Domain ID type 0x0005.0/24 from SW1 VRF BLUE on PE R1 into the VRF RED on PE1.33.1/32 [110/3] via 130.10. Vlan50 10.44. value 0.10.45.100.50.1.0. 2 masks O IA 10.0 D EX 10.1.100.44.46.0/30 is subnetted. (5 points) This is a straightforward VRF export question with a slight twist for the attentive in that the OSPF route 10.44. 6 subnets.50. 00:00:07.1/32 [110/3] via 130. 00:00:27.100.1.1. Vlan50 O IA 10.44.1 to VRF BLUE SW1 10.44.100.35.

manipulated to treat this interface as a point-to-point network to advertise the /24 mask.0.1 2 100 0 ? *>i10.EGP. and the CE device SW4.44.50. * valid.1 Status codes: s suppressed.2 2 32768 ? *>i10.0 into VRF BLUE R1# show ip bgp vpnv4 vrf RED BGP table version is 33. permitting the required routes from each VRF to the existing BLUE and RED VRF advertisements by adding them to the appropriate route target (RT) within MP-BGP by use of the set extcommunity rt XXXXX:XXX additive command. e .6.2 2 32768 ? *> 10.50.1/32 120.0/30 0. The route leaking is achieved by creation of export maps on the PE routers R1 and R6.1. S Stale Origin codes: i .0.255 R6(config-vrf)# exit R6(config)# route-map SW4 permit 10 R6(config-route-map)# match ip address 10 R6(config-route-map)# set extcommunity rt 65001:100 additive ! R1 is now sending 10.0.1.50. the resulting verification of the route advertisements and testing are also shown.1/32 120.0 into VRF RED and R6 10.1/32 120.1.50. i internal.1/32 130.33.45.2 2 32768 ? *> 10. h history.1/32 130.1/32 130.1.0 0.33. Example 3-19 details the required configuration on PE routers R1.100.IGP. R6. If you have configured this correctly.1 2 100 0 ? *>i10.50.46.44.50.0.0 0 32768 ? .0.44.50. as shown in Example 3-19.1 2 100 0 ? *> 130. d damped. you have scored 5 points. ? .100.100.44.0 0.6.6.255 R1(config-vrf)# exit R1(config)# route-map SW1 permit 10 R1(config-route-map)# match ip address 10 R1(config-route-map)# set extcommunity rt 65001:200 additive R6(config)# ip vrf RED R6(config-vrf)# export map SW4 R6(config-vrf)# access-list 10 permit 10.34.0. local router ID is 120.33.44.44. 
Example 3-19 Selective VRF Export Configuration and Verification Click here to view code image Sw4(config)# interface Loopback0 Sw4(config-if)# ip ospf network point-to-point R1(config)# ip vrf BLUE R1(config-vrf)# export map SW1 R1(config-vrf)# access-list 10 permit 10.35.incomplete Network Next Hop Metric LocPrf Weight Path Route Distinguisher: 65001:200 (default for vrf RED) *> 10. > best.100. r RIB-failure.44.44.50.33.1.

6. d damped.20.2.3.1/32 130.6.33.3.0. > best.0/24 10.20.100. S Stale Origin codes: i .2 2 32768 ? .44.100.1/32 130.50. e .10.100.0/24 130. * valid.4.2 2 32768 ? ! Notice the 10.50.2 2 32768 ? *> 10.44.10.2 50 32768 ? *> 10.0/24 120.100. clear the BGP session to kick start the export map R1# clear ip bgp * R1# show ip bgp vpnv4 vrf RED BGP table version is 34.2 50 32768 ? *> 10.IGP.33.0. i internal. i internal.0/30 120.2.1 2 100 0 ? *>i10.incomplete Network Next Hop Metric LocPrf Weight Path Route Distinguisher: 65001:100 (default for vrf BLUE) *>i10.0 *> 10.incomplete Network Next Hop Metric LocPrf Weight Path Route Distinguisher: 65001:200 (default for vrf RED) *> 10.1 Status codes: s suppressed.100.0 route.1 50 100 0 ? *>i10.100.10.10.*>i130.50.1/32 120.0/24 10.1.1 2 100 0 ? *> 130.50.2 50 32768 ? *>i10.0/24 120.100.10.35.1. ? .100.44.33.1.6.50.0 0 32768 ? *>i130.50.44.1. d damped.1 0 100 0 ? R6# show ip bgp vpnv4 vrf BLUE BGP table version is 35.100. ? .IGP.0 route is actually listed as a host route.10.0/30 120.6.44.2.100. r RIB-failure.1.100.2 2 32768 ? *>i10.EGP.100.100.2.6.46.0/24 10. > best. local router ID is 120.0.2 50 32768 ? *> 10.100.0/30 0.10.1.2.0/30 0.100.1.1/32 130.1. S Stale Origin codes: i .100. h history.50.34.1.100.44.0.50.10.1 50 100 0 ? *> 10.1/32 120.33. e .1 50 100 0 ? *>i10.1 Status codes: s suppressed.1 2 100 0 ? *>i10.44.44.1.44.100.1. * valid.1 0 100 0 ? ! No sign of the 10.1.6.45. change the loopback interface on Sw4 to a point-to-point for OSPF to advertise it correctly SW4(config)# interface lo0 SW4(config-if)# ip ospf network point-to-point R6# show ip bgp vpnv4 vrf BLUE | include 10.44. r RIB-failure.1.2 2 32768 ? *> 10.20.0/30 120.44.20. local router ID is 120.0 0 32768 ? *> 10.0/24 10. h history.44.EGP.1/32 130.1 0 100 0 ? *> 10.1/32 120.0/24 120.100.

2.10 Gi0/0. 00:00:51.44.10 10.1.0 D EX 10.50.Switch1# show ip route | include 10.10.1.10 10.100.1/32[V] 0 41 Untagged 10.1.0/24[V] 590 R1# show mpls forwarding-table vrf RED Local Outgoing Prefix Bytes tag tag tag or VC or Tunnel Id switched 38 Aggregate 130.10.1.3.33.1.1/32[V] 0 40 Untagged 10. Record.33.2 130.10 10.50 Gi0/0.1.20 10.1.0 O E1 10.10.50.0/30[V] 0 37 Untagged 10. Strict.1.10.44.1.10.44.0/24[V] 0 .44.100.34.1.0/30[V] 0 39 Untagged 10.50.2 35 Untagged 10. Vlan100 ! Now test with an extended ping to ensure that the loopback interface is used as the source SW1# ping Protocol [ip]: Target IP address: 10. timeout is 2 seconds: Packet sent with a source address of 10. 100-byte ICMP Echos to 10.1/32[V] 0 Outgoing Next Hop interface Gi0/0.1.44.1.10.2 36 Aggregate 10.0/24 [110/51] via 130.35.1.1 !!!!! Success rate is 100 percent (5/5).50.1 Type of service [0]: Set DF bit in IP header? [no]: Validate reply data? [no]: Data pattern [0xABCD]: Loose.10.10 Gi0/0.0/24 [170/281856] via 10.33.1.50 130.2 .0/24[V] 0 .44. 00:02:45.44.2.10. round-trip min/avg/max = 8/9/12 ms R1# show mpls forwarding-table vrf BLUE Local Outgoing Prefix Bytes tag tag tag or VC or Tunnel Id switched 34 Untagged 10.50.50.2 Outgoing interface Next Hop Gi0/0.33.1.2.1 Repeat count [5]: Datagram size [100]: Timeout in seconds [2]: Extended commands [n]: y Source address or interface: 10.50.20.50 Gi0/0. Vlan10 Switch1# SW4# show ip route | include 10.44.2 130.10.2 ! Note the Routes are not leaked within the MPLS forwarding-table R6# show mpls forwarding-table vrf BLUE Local Outgoing Prefix Bytes tag tag tag or VC or Tunnel Id switched 34 Untagged 10. Sending 5.50. Timestamp. Verbose[none]: Sweep range of sizes [n]: Type escape sequence to abort.0/24[V] 0 Outgoing Next Hop interface Gi0/1.

4.20 10.100 130.25.2.20.10.100.100.2.2 12 msec 12 msec 16 msec 120.20. Tracing the route to 10. the MPLS network will be shown when a traceroute is performed.10.100 130.1 4 msec 0 msec 0 msec .2.20.10.1 Type escape sequence to abort.44. as shown in Example 3-20.20.3. Example 3-20 shows the default behavior and modified behavior after configuration from a traceroute command issued on CE device SW1. If you have configured this correctly.10.2.20 Gi0/1.100.1 1 2 3 4 5 10. This can be changed.2 40 Untagged 10.46. with the no mpls ip propagate-ttl global command within your PE routers.10.0/24[V] 1534 Gi0/1. you have scored 2 points.0/30[V] 0 39 Untagged 10. (2 points) By default.1/32[V] 0 Gi0/1.0/24[V] 10.100.1/32[V] 0 Gi0/1.44.2.10.2 42 Untagged 10. Example 3-20 MPLS Traceroute Configuration and Testing Click here to view code image SW1# traceroute 10.20.2.2 ! Note the Routes are not leaked within the MPLS forwarding-table Configure your PE routers R1 and R6 to ensure that the MPLS P routers are not listed as intermediate hops when a trace route is performed on your CE devices.10.2.100.44.2 8 msec * 4 msec R1(config)# no mpls ip propagate-ttl R6(config)# no mpls ip propagate-ttl SW1# traceroute 10.100.123.35 36 37 Untagged Untagged Aggregate 10.100 130.45.2.100.0/24[V] 10.2 10.1 8 msec 8 msec 8 msec 10.5 8 msec 12 msec 8 msec 10.44. Tracing the route to 10.100 .10.100.100 .2.2.1 Type escape sequence to abort.1 1 10.2 0 R6# show mpls forwarding-table vrf RED Local Outgoing Prefix Bytes tag Outgoing Next Hop tag tag or VC or Tunnel Id switched interface 38 Aggregate 130. so that only PE routers are shown as next hops.10.1 0 msec 0 msec 0 msec 120.0/30[V] 0 0 Gi0/1.

1 12 msec 8 msec 12 msec 3 10. 2 4 msec * 4 msec

Section 7: VPLS Simulation (10 Points)

Switches 3 and 4 will have been configured to belong to the subnet of 1.1.1.0/24 in a previous question. Create an L2TPv3 Xconnect attachment circuit on your PE routers R1 and R6 for your CE devices (SW3 Fast Ethernet 0/19 1.1.1.1/24 and SW4 Fast Ethernet 0/19 1.1.1.2/24) to communicate using a Layer 2 tunneling solution (use Version 3) across your Layer 3 network. You should use existing loopback interfaces on your PE routers for peering over your MPLS network. Be aware that the SW3 resides in VLAN 200 and that SW4 resides in VLAN 400 in respective PE router subinterfaces. (10 points)

This question simulates VPLS and requires that L2TPv3 (Layer 2 Tunneling Protocol Version 3) is configured between your PE routers connecting the two subinterfaces that connect to SW3 and SW4 interfaces via SW1 and SW4 (VLAN 200 and VLAN 400, respectively). SW3 and SW4 will use a pseudowire to communicate over the IP network and logically will connect in the same Layer 2 domain. Strictly speaking, L2TPv3 is not covered in the current blueprint, but the simple solution is included here to create a switching issue that will enable you to hone your troubleshooting skills in this area and apply a relevant solution based on your findings.

Example 3-21 details the required PE configuration on routers R1 and R2. The pseudowire class PW-CLASS configures the encapsulation to L2TPv3 and sets the loopback interfaces of the PE routers to be used for peering. The xconnect subinterface command binds the local PE interface to the remote PE loopback with a VC ID (virtual channel ID), which in the example matches the subinterface number of the specific PE router. (You could have used any ID here.) Note that Cisco Express Forwarding (CEF) must be enabled for the L2TPv3 feature to function correctly.

Example 3-21 PE L2TPv3 Configuration

R1(config)# pseudowire-class PW-CLASS
R1(config-pw-class)# encapsulation l2tpv3
R1(config-pw-class)# protocol l2tpv3
R1(config-pw-class)# ip local interface Loopback0
R1(config-pw-class)# interface GigabitEthernet0/0.200
R1(config-subif)# xconnect 120.100.6.1 200 pw-class PW-CLASS

R6(config)# pseudowire-class PW-CLASS
R6(config-pw-class)# encapsulation l2tpv3
R6(config-pw-class)# protocol l2tpv3
R6(config-pw-class)# ip local interface Loopback0
R6(config-pw-class)# interface GigabitEthernet0/1.400
R6(config-subif)# xconnect 120.100.1.1 200 pw-class PW-CLASS

respectively).1 Username.200:200 est 51446 00:24:40 1 200.Example 3-22 shows the successful L2TPv3 session established between PE R1 to PE R6.2 fails.1 Username. Circuit 51003 9619 Gi0/0. you have scored 10 points.6. or possibly between both connections. As the session is up. The question does bring your attention to the fact that both CE devices reside in different VLANs. The problem is actually resolved by enabling BPDU filtering on SW1 with the spanning-tree bpdufilter enable command on the trunk interface toward the PE r outer R1. so this should give you a starting point in your investigation. respectively. Intf/ VPDN Group 0 State Last Chg Vcid.1. When logging is enabled on SW1 and SW2 (these CE devices bring SW3 and SW4 Fast Ethernet 0/19 interfaces into VLAN 200 and VLAN 400. respectively. even though you have previously allowed the local VLAN 200 and 400 through the trunk on PE routers R1 and R6. you can see spanning-tree inconsistencies exist between VLAN 200 being “bridged” to VLAN 400 via your L2TPv3 solution. Enabling BPDU filtering on an interface is equivalent to disabling the spanning tree on an interface. If you have configured this correctly.1. you can safely assume that there is a connectivity type issue between either SW3 and PE R1 or SW4 and PE R6. Example 3-22 PE and CE L2TPv3 Verification Testing and Configuration Click here to view code image R1# show l2tp session L2TP Session Information Total tunnels 1 sessions 1 LocID RemID Remote Name Class/ 51446 1 36190 LocID Uniq ID State Remote Address R6 est RemID TunID Port Sessions L2TP 120. Closer inspection reveals that spanning tree has actually blocked ports on SW1 and SW2 from PE routers R1 and R6.1. it is possible to create bridging loops if this command is not correctly used. Intf/ 0 State Last Chg 1 . yet the ping test from SW3 to 1.100. per Examples 3-22 and 3-23.100. 
R6# show l2t session L2TP Tunnel and Session Information Total tunnels 1 sessions 1 LocID RemID Remote Name Class/ State Remote Address Port Sessions L2TP VPDN Group 36190 51446 LocID Uniq ID R1 est RemID TunID 120.

1. timeout is 2 seconds: .2 Type escape sequence to abort. Sending 5..9619 1 51003 36190 Vcid. Success rate is 0 percent (0/5) SW1# show spanning-tree blockedports . Inconsistent local vlan.1.. Inconsistent peer vlan. 100-byte ICMP Echos to 1.1.-----------------------------------VLAN0200 Fa0/1 Number of blocked ports (segments) in the system : 1 SW2#03:22:21: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 200 on fastethernet0/6 VLAN400. !Make sure you are logging on your CE devices SW1(config)# logging console SW1# 03:22:19: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 400 on fastethernet0/1 VLAN200. 200. Gi0/1. SW2# show spanning-tree blockedports Name -------------------VLAN0200 VLAN0400 Blocked Interfaces List -----------------------------------Fa0/6 Fa0/6 Number of blocked ports (segments) in the system : 2 SW3# ping 1.400:400 est Circuit 00:25:26 SW3# ping 1.1. 100-byte ICMP Echos to 1..1.. Sending 5.2 Type escape sequence to abort.. 03:22:21: %SPANTREE-2-BLOCK_PVID_PEER: Blocking fastethernet0/6 on VLAN0200...1.1.2.1. timeout is 2 seconds: . 03:22:19: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking fastethernet0/1 on VLAN0200..2. SW1# show spanning-tree blockedports Name Blocked Interfaces List -------------------.

Name                 Blocked Interfaces List
-------------------- ------------------------------------
VLAN0200             Fa0/1
Number of blocked ports (segments) in the system : 1
SW1(config)# int fast 0/1
SW1(config-if)# spanning-tree bpdufilter enable
SW1(config-if)#
03:33:57: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking fastethernet0/1 on VLAN0200. Port consistency restored.
SW3# ping 1.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/12/17 ms

Section 8: Multicast (10 Points)

Configure your MPLS network for multicast support of the RED VRF using PIM sparse mode. Ensure that PE router R6’s associated VLAN 100 IP address is used as the rendezvous point (RP) for the RED VRF multicast traffic. It can be assumed that the mVRF bandwidth requirement is low; configure MDT appropriately. PE routers R1 and R6 should be configured to tunnel multicast traffic using an MDT address of 232.0.0.11 from CE device Switch 3 VLAN 50 to CE device SW4 VLAN 100 over the RED VRF. Switch 4 should be configured to reply to an ICMP ping on its VLAN 100 interface directed to 226.2.2.2 from Switch 3 VLAN 50. (10 points)

Multicast support for MPLS VPNs is provided by configuring multicast routing within the core network. Don’t forget that multicast routing is enabled on the CE switches with the command ip multicast-routing distributed and on the routers with ip multicast-routing. As directed, PIM sparse mode is required in your solution and should be enabled on all P router MPLS interfaces and P-facing PE router MPLS interfaces. PIM sparse mode is also configured on the CE interfaces on VLAN 50 and VLAN 100 on Switches 3 and 4, respectively, and corresponding PE terminating interfaces on the PE routers R1 and R6. PIM sparse mode is finally configured on the loopback interfaces of the PE routers R1 and R6 because Multicast Distribution Tree (MDT) will tunnel between these interfaces. Source Specific Multicast (SSM) is enabled on all MPLS routers with the command ip pim ssm default to allow transport of multicast information between all P and PE routers.

The question states that the mVRF (multicast VRF) bandwidth requirement is low, which simply means that a Data MDT is not required in this solution. (These are used for high-bandwidth sources and limit the traffic received to the routers’ part of the multicast tree.) You should also realize that a Data MDT is not required because there was no mention of threshold values or access-lists within the question, which are required for Data MDT configurations. The mdt default group-address is configured to 232.0.0.11 on PE routers R1 and R6 within the RED VRF.

The address of 130.100.100.1 (R6 VRF RED) is used as the RP for the mVRF, and this is configured on both CE (Switch 3 and Switch 4) devices and both PE routers (R1 and R6) within the RED VRF. CE device Switch 4 is finally configured with ip igmp join-group 226.2.2.2 under its VLAN 100 interface for it to reply to a multicast ping from CE device Switch 3 over the MPLS VPN. The question is comprehensive as to the number of items that require configuration, and it would be an easy mistake to miss tasks such as enabling PIM on the PE loopback interfaces, where you might not immediately assume that it is required. As with all questions, testing is key. Example 3-23 details the required configuration for the solution.

Example 3-23 Multicast Configuration

! Initial Multicast Setup for the MPLS Core Routers
R1(config)# ip multicast-routing
R1(config-vrf)# interface Loopback0
R1(config-if)# ip pim sparse-mode
R1(config-if)# interface GigabitEthernet0/1
R1(config-if)# ip pim sparse-mode

R2(config)# ip multicast-routing
R2(config)# interface fastethernet0/0
R2(config-if)# ip pim sparse-mode
R2(config-if)# interface fastethernet0/1
R2(config-if)# ip pim sparse-mode

R3(config)# ip multicast-routing
R3(config)# interface GigabitEthernet0/0
R3(config-if)# ip pim sparse-mode
R3(config-if)# interface GigabitEthernet0/1
R3(config-if)# ip pim sparse-mode

R4(config)# ip multicast-routing
R4(config)# interface GigabitEthernet0/0
R4(config-if)# ip pim sparse-mode
R4(config-if)# interface GigabitEthernet0/1
R4(config-if)# ip pim sparse-mode

R5(config)# ip multicast-routing
R5(config)# interface GigabitEthernet0/0
R5(config-if)# ip pim sparse-mode
R5(config-if)# interface GigabitEthernet0/1
R5(config-if)# ip pim sparse-mode

R6(config)# ip multicast-routing
R6(config)# interface Loopback0
R6(config-if)# ip pim sparse-mode
R6(config)# interface GigabitEthernet0/0

11 R6(config-vrf)# interface GigabitEthernet0/1.Bidir Capable.11 R1(config-vrf)# interface GigabitEthernet0/0. If you have configured your solution per Example 3-24 and can successfully ping between Switch 3 and Switch 4.0.0.R6(config-if)# ip pim sparse-mode ! PE Specific mVRF and MDT Configuration R1(config)# ip multicast-routing vrf RED R1(config)# ip vrf RED R1(config-vrf)# mdt default 232.100. Example 3-24 Multicast Testing Click here to view code image R6# show ip pim vrf RED neigh PIM Neighbor Table Mode: B .100.2.2 SW4(config-if)# exit SW4(config)# ip pim rp-address 130.100.1 Example 3-24 details the testing for the solution.Designated Router.100. the MDT tunnel is detailed and shown as an interface used for PIM adjacency between the PE routers. you have scored 10 points.50 R1(config-subif)# ip pim sparse-mode R1(config-subif)# exit R1(config)# ip pim vrf RED rp-address 130. DR .State Refresh Capable .100.2.1 R1(config)# ip pim ssm default R6(config)# ip vrf RED R6(config-vrf)# mdt default 232.100 R6(config-subif)# ip pim sparse-mode R6(config-subif)# exit R6(config)# ip pim vrf RED rp-address 130.Default DR Priority.0. N .100.1 R6(config)# ip pim ssm default ! CE Specific Configuration SW3(config)# ip multicast-routing distributed SW3(config)# int vlan 50 SW3(config-if)# ip pim sparse-mode SW3(config-if)# exit SW3(config)# ip pim rp-address 130.0.100. S .1 SW4(config)# ip multicast-routing distributed SW4(config)# interface vlan 100 SW4(config-if)# ip pim sparse-mode SW4(config-if)# ip igmp join-group 226.100.

6.11 2:65001:200:120. 100-byte ICMP Echos to 226.2 Type escape sequence to abort.1.2. RP: 130.2.1.100.0.1.1 R6# show ip pim mdt bgp Peer (Route Distinguisher + IPv4) Hop MDT group 232.40. 100-byte ICMP Echos to 226.1 100. Sending 1.2.1.100.0.100.0.1 v2 1 / S Interface GigabitEthernet0/1.2. Sending 1.100. 9 ms SW3# show ip pim rp Group: 226. expires never R1# show ip pim mdt bgp Peer (Route Distinguisher + IPv4) Hop MDT group 232.2 DR S 120.100. v2.2.2.2. timeout is 2 seconds: Reply to request 0 from 130.2.100.0.100. Make sure that your loopback IPv6 addresses are used to source any locally generated IPv6 traffic.10 2010:C15:C0:11::1/64 R6 Lo0 2010:C15:C0:6::1/64 .11 2:65001:200:120.Neighbor Ver DR Address Prio/Mode 130. Section 9: IPv6 (6 Points) Configure the following IPv6 address on the PE routers R1 and R6.100.100 Uptime/Expires 00:02:08/00:01:34 v2 Tunnel1 1 / 00:00:05/00:01:39 R1# ping vrf RED 226. 12 ms SW3# ping 226.100.2.100.2.1 100.1.0.2.2 Type escape sequence to abort. v2.100.100. (6 points) R1 Lo0 2010:C15:C0:1::1/64 R1 Gi0/0.2.6. and implement IPv6 over MPLS between the six PE routers to advertise the prefixes between six PEs. RP: 130.1. uptime 00:00:37.2. Next 120.1 Next 120. uptime 01:01:24. timeout is 2 seconds: Reply to request 0 from 130. expires never Group: 224.2.2.100.

100.1 send-label R6(config-router-af)# network 2010:C15:C0:62::/64 R6(config-router-af)# network 2010:C15:C0:6::/64 R6(config-router-af)# exit-address-family . If you have configured your routers correctly. MP-BGP is used to advertise the IPv6 prefixes between PE routers. you must deal with no IPv6 redistribution or complex issues. you have scored 6 points. per Example 3-25. Example 3-25 PE IPv6 Configuration and Verification Click here to view code image R1(config)# ipv6 unicast-routing R1(config)# ipv6 cef R1(config)# mpls ipv6 source-interface Loopback0 R1(config)# interface loopback0 R1(config-if)# ipv6 add 2010:C15:C0:1::1/64 R1(config-if)# interface GigabitEthernet0/0.1 send-label R1(config-router-af)# network 2010:C15:C0:11::0/64 R1(config-router-af)# network 2010:C15:C0:1::/64 R1(config-router-af)# exit-address-family R6(config)# ipv6 unicast-routing R6(config)# ipv6 cef R6(config)# mpls ipv6 source-interface Loopback0 R6(config)# interface loopback0 R6(config-if)# ipv6 add 2010:C15:C0:6::1/64 R6(config-if)# interface GigabitEthernet0/1.100.20 R6(config-subif)# ipv6 address 2010:C15:C0:62::1/64 R6(config-subif)# router bgp 65001 R6(config-router)# no bgp default ipv4-unicast R6(config-router)# address-family ipv6 R6(config-router-af)# neighbor 120.1. and the configuration is nearly identical to that of IPv4.1 activate R6(config-router-af)# neighbor 120. To ensure that the loopback IPv6 addresses of the PE routers are used to source locally generated IPv6 traffic.20 2010:C15:C0:62::1/64 In this relatively straightforward IPv6 question. the PE routers are configured with mpls ipv6 sourceinterface Loopback0. Aggregate label binding and advertisement is enabled for IPv6 prefixes using the neighbor send-label command. and IPv6 routing and IPv6 CEF must be enabled on your PE routers. Connected IPV6 routes are redistributed using BGP with the network command under the IPv6 address family.1. 
The question directs you to configure IPv6 onto your VRF BLUE interfaces of the PE routers.100.100.R6 Gi0/1.6. You would usually extend this IPv6 domain into your CE devices. IPv6 over MPLS backbones enables isolated IPv6 domains to communicate with each other over an MPLS IPv4 core network.6.10 R1(config-subif)# ipv6 address 2010:C15:C0:11::1/64 R1(config-subif)# router bgp 65001 R1(config-router)# no bgp default ipv4-unicast R1(config-router)# address-family ipv6 R1(config-router-af)# neighbor 120.1 activate R1(config-router-af)# neighbor 120.

> best.1.100.incomplete Network Next Hop *>i2010:C15:C0:1::/64 ::FFFF:120. local router ID is 120. 100-byte ICMP Echos to 2010:C15:C0:6::1.1 Metric LocPrf Weight Path 0 *> 2010:C15:C0:6::/64 :: *>i2010:C15:C0:11::/64 ::FFFF:120. h history.100. local router ID is 120.incomplete Network Next Hop *> 2010:C15:C0:1::/64 :: *>i2010:C15:C0:6::/64 ::FFFF:120.1. Sending 5. S Stale Origin codes: i . S Stale Origin codes: i . i internal. d damped. * valid.1 32768 i 100 0 0 0 i 32768 i 100 0 i R6# show ip bgp ipv6 unicast BGP table version is 5.6. 100-byte ICMP Echos to 2010:C15:C0:62::1. e .IGP.1 Status codes: s suppressed. ? .100. h history.R1# show ip bgp ipv6 unicast BGP table version is 5. d damped. r RIB-failure. i internal.1.1 Status codes: s suppressed.100. r RIB-failure. round-trip min/avg/max = 8/8/12 ms R1# ping ipv6 2010:C15:C0:6::1 Type escape sequence to abort. timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5).6.100. * valid.EGP.EGP. > best.IGP. e .1 Metric LocPrf Weight Path 0 0 *> 2010:C15:C0:11::/64 :: *>i2010:C15:C0:62::/64 ::FFFF:120. Sending 5. round-trip min/avg/max = 8/8/12 ms R6# ping ipv6 2010:C15:C0:11::1 .6.100. timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5). ? .1 0 0 *> 2010:C15:C0:62::/64 :: 100 0 0 i 32768 i 100 0 i 32768 i R1# ping ipv6 2010:C15:C0:62::1 Type escape sequence to abort.

Local.RIP. Null0 L FF00::/8 [0/0] via ::. B . R .100. OE1 . IPv6-mpls L FE80::/10 [0/0] via ::. round-trip min/avg/max = 8/9/12 ms R1# show ipv6 route IPv6 Routing Table .OSPF NSSA ext 2 D .OSPF inter. ON2 . GigabitEthernet0/0.OSPF NSSA ext 2 D . S .OSPF ext 1. round-trip min/avg/max = 8/8/12 ms R6# ping ipv6 2010:C15:C0:1::1 Type escape sequence to abort. IS . S .10 L 2010:C15:C0:11::1/128 [0/0] via ::. 100-byte ICMP Echos to 2010:C15:C0:11::1.EIGRP.BGP U . I2 .Connected.ISIS interarea.BGP U .Per-user Static route I1 . OI . IA .10 B 2010:C15:C0:62::/64 [200/0] via ::FFFF:120.EIGRP external B 2010:C15:C0:1::/64 [200/0] via ::FFFF:120.1.ISIS summary O .ISIS L1.OSPF intra. OE1 . timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5).OSPF ext 1.Type escape sequence to abort.OSPF ext 2 ON1 . Loopback0 B 2010:C15:C0:6::/64 [200/0] via ::FFFF:120.ISIS L2.8 entries Codes: C .6.Connected. EX . IPv6-mpls C 2010:C15:C0:6::/64 [0/0] . ON2 . L .OSPF intra.100.Static. R .Local.OSPF NSSA ext 1. Loopback0 L 2010:C15:C0:1::1/128 [0/0] via ::.OSPF NSSA ext 1.ISIS L1.1.EIGRP.100.ISIS L2.OSPF ext 2 ON1 .1.8 entries Codes: C .EIGRP external C 2010:C15:C0:1::/64 [0/0] via ::. I2 . L . Null0 R6# show ipv6 route IPv6 Routing Table . OE2 . OE2 .1. IS .Per-user Static route I1 . GigabitEthernet0/0. EX . timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5).6.OSPF inter.RIP. IPv6-mpls C 2010:C15:C0:11::/64 [0/0] via ::.ISIS summary O . Sending 5.Static. B . OI .ISIS interarea. 100-byte ICMP Echos to 2010:C15:C0:1::1. Sending 5. IA .

thus reducing the effect of global synchronization. HQF Multiple Policy Support is required for the question with a parent policy shaping the output of the PE to the CE at 1Mbps. . The total bandwidth between the PE to CE should be shaped to 1Mbps. Use an appropriate method of prioritizing DSCP traffic so that AF31 packets are statistically dropped more frequently than AF32 during congestion and reduce the effects of TCP global synchronization within your Mission-Critical class and solely reduce the effect of TCP global synchronization within the Default class. GigabitEthernet0/1. If you have configured this correctly. Null0 Section 10: QoS (7 Points) Create the following QoS profile on your PE router R1 for traffic egressing to your CE device connected to the BLUE VRF.10 2010:C15:C0:62::1/128 [0/0] via ::. you have scored 4 points. IPv6-mpls 2010:C15:C0:62::/64 [0/0] via ::. A similar non-DSCP–based effect is achieved within the Default class by use of the random-detect command. Voice traffic is assigned into the LLQ by configuration of a priority queue with the command priority percent 35.1. whereby lower-priority DSCP traffic will be dropped more aggressively than higher priority under congestion. DSCP prioritization is achieved in the Mission-Critical class by enabling WRED with the random-detect dscp-based command. Example 3-26 details the required configuration on PE router R1. The parent policy map is applied outbound on the PE interface connecting to the BLUE VRF CE device. GigabitEthernet0/1. The child policy map is called from within the parent policy to provide the QoS for Voice.20 FE80::/10 [0/0] via ::.L B C L L L via ::. Null0 FF00::/8 [0/0] via ::. (4 points) This is a three-class PE-to-CE QoS question that requires assigning traffic to queues based on DSCP values into the listed classes and assignment of bandwidth on a per-class basis. Loopback0 2010:C15:C0:6::1/128 [0/0] via ::.1. Loopback0 2010:C15:C0:11::/64 [200/0] via ::FFFF:120. 
Ensure that voice traffic is assigned to an LLQ. and Default traffic.100. Mission-Critical.

Example 3-26 PE to CE QoS Configuration

R1(config)# class-map match-any VOICE
R1(config-cmap)# match ip dscp ef
R1(config-cmap)# match ip dscp cs5
R1(config-cmap)# class-map match-any MISSION-CRITICAL
R1(config-cmap)# match ip dscp cs6
R1(config-cmap)# match ip dscp af31
R1(config-cmap)# match ip dscp af32
R1(config-cmap)# match ip dscp cs3
R1(config-cmap)# policy-map PE-CE-CHILD
R1(config-pmap)# class VOICE
R1(config-pmap-c)# priority percent 35
R1(config-pmap-c)# class MISSION-CRITICAL
R1(config-pmap-c)# bandwidth percent 40
R1(config-pmap-c)# random-detect dscp-based
R1(config-pmap-c)# class class-default
R1(config-pmap-c)# bandwidth percent 25
R1(config-pmap-c)# random-detect
R1(config-pmap-c)# exit
R1(config-cmap)# policy-map PE-CE-PARENT
R1(config-pmap-c)# class class-default
R1(config-pmap-c)# shape average 1000000
R1(config-pmap-c)# service-policy PE-CE-CHILD
R1(config-pmap-c)# exit
R1(config-pmap)# exit
R1(config)# interface GigabitEthernet0/0.10
R1(config-subif)# service-policy output PE-CE-PARENT

Create the following QoS profile on your PE router R1 for traffic ingressing from your CE
device connected to the BLUE VRF into the MPLS network. The total aggregate speed from the CE
to PE should be restricted to 1 Mbps. Traffic in the Voice class within the detailed CIR should
have the MPLS EXP set to 5 and above discarded. Traffic in the Mission-Critical class within
the detailed CIR should have the MPLS EXP set to 3 and above set to 7. Traffic in the Default
class within the detailed CIR should have the MPLS EXP set to 0 and above set to 4. (3 points)

This DiffServ tunneling question requires that the classes you have configured in the previous
question be policed to an aggregate of 1 Mbps and have their MPLS EXP values adjusted. The
policy map is applied to the input interface of the PE router, which connects to the BLUE VRF
CE device and affects the traffic as it flows through the MPLS network. Example 3-27 details
the required configuration on PE router R1. If you have configured this correctly, you have
scored 3 points.

Example 3-27 CE to PE QoS Configuration

R1(config)# policy-map CE-PE-SHAPE
R1(config-pmap)# class VOICE
R1(config-pmap-c)# police cir 350000
R1(config-pmap-c-police)# conform-action set-mpls-exp-topmost-transmit 5
R1(config-pmap-c-police)# exceed-action drop
R1(config-pmap-c-police)# class MISSION-CRITICAL
R1(config-pmap-c)# police cir 400000
R1(config-pmap-c-police)# conform-action set-mpls-exp-topmost-transmit 3
R1(config-pmap-c-police)# exceed-action set-mpls-exp-topmost-transmit 7
R1(config-pmap-c-police)# class class-default
R1(config-pmap-c)# police cir 250000
R1(config-pmap-c-police)# conform-action set-mpls-exp-topmost-transmit 0
R1(config-pmap-c-police)# exceed-action set-mpls-exp-topmost-transmit 4
R1(config-pmap-c-police)# interface GigabitEthernet0/0.10
R1(config-subif)# service-policy input CE-PE-SHAPE

Section 11: Security (15 Points)
Create three new loopback IP addresses of loopback1 on R4, R5, and R6; use IP addresses of
4.4.4.4/24, 5.5.5.5/24, and 6.6.6.6/24, respectively. Use EIGRP with a named virtual
instance of VPN and autonomous system of 1 to advertise the loopback networks between
routers over a common GRE tunnel network of 100.100.100.X/24 (X = router number) sourced
from each router’s common Ethernet interface, using IPsec to encrypt all traffic between the
loopback networks using a preshared ISAKMP key of CCIE. Use an IPsec transform set of
esp-des esp-md5-hmac on each router. Use an MTU of 1416 for your secure traffic, an NHRP
timeout of 100 seconds for spoke replies, and a delay of 2 milliseconds on the tunnel network.
NHRP should be authenticated with a password of SECRET. R6 is to be a hub router, with R4
and R5 being effectively spoke routers in your solution. The hub router should provide all
necessary direct next-hop information to the spoke routers when they are required to
communicate between themselves. Spoke routers must communicate with each other directly
using dynamic IPsec connections with the aid of NHRP at the hub, whereas hub-to-spoke IPsec
connections should be permanent. You are not permitted to enable EIGRP on your Ethernet
interfaces between routers. Test your solution by extended pings sourced from the configured
loopback interfaces. (10 points)
This is a classic Dynamic Multipoint VPN (DMVPN) question in which a hub-and-spoke design is
used with Next Hop Resolution Protocol (NHRP) for the spoke routers to communicate with each
other. You have numerous tasks to perform, so this could be the kind of question that is best
saved until later and tackled if you have time. The question dictates that you configure a
tunnel network 100.100.100.0/24 in which to advertise each router’s new loopback network over
GRE and EIGRP sourced from the common Ethernet interfaces, which is uncomplicated; the
complexity begins when you enable IPsec and NHRP. The tunnel source of each router is the
common Ethernet network 120.100.45.0. Because the spoke routers will terminate their
connection to the hub on the same interface, the tunnel mode must be set to tunnel mode gre
multipoint. NHRP is enabled on the tunnel interface of each router with an identical network
ID to match the broadcast domain for all three routers, and the authentication password is set
to SECRET as directed within the question. The command ip nhrp map multicast dynamic permits
the registration of the multicast address for EIGRP during boot or during initiation of
spoke-to-hub sessions. The ip nhrp holdtime 100 command sets the NHRP time for a spoke to keep
the NHRP reply to 100 seconds and is configured on the hub-and-spoke routers. The MTU is fixed
at 1416 as directed within the question on the tunnel interfaces to allow for overhead of the
VPN connection. A delay of 2000 is configured on each tunnel interface as directed in the
question, which is 2 milliseconds, so be aware of the unit values, which are microseconds. The
crypto isakmp policy command configures the preshared key to CCIE and sets the transform set
with the required parameters of esp-des esp-md5-hmac, which are applied to the tunnel
interface by the use of the tunnel protection ipsec profile IPSEC command. The required
configuration for the loopback and tunnel interfaces and the DMVPN is detailed in Example 3-28.

Example 3-28 DMVPN Configuration

R4(config)# interface loopback1
R4(config-if)# ip add 4.4.4.4 255.255.255.0
R4(config-if)# router eigrp VPN
R4(config-router)# address-family ipv4 autonomous-system 1
R4(config-router-af)# network 100.100.100.0 0.0.0.255
R4(config-router-af)# network 4.4.4.0 0.0.0.255
R5(config)# interface loopback1
R5(config-if)# ip address 5.5.5.5 255.255.255.0
R5(config-if)# router eigrp VPN
R5(config-router)# address-family ipv4 autonomous-system 1
R5(config-router-af)# network 100.100.100.0 0.0.0.255
R5(config-router-af)# network 5.5.5.0 0.0.0.255
R6(config)# interface loopback1
R6(config-if)# ip address 6.6.6.6 255.255.255.0
R6(config-if)# router eigrp VPN

6 R4(config-if)# ip nhrp map multicast 120.0 R6(config-isakmp)# crypto ipsec transform-set DMVPN esp-des esp-md5hmac R6(cfg-crypto-trans)# crypto ipsec profile IPSEC R6(ipsec-profile)# set transform-set DMVPN R6(ipsec-profile)# interface Tunnel1 R6(config-if)# ip address 100.0.0.0.45.0 R4(config-if)# ip mtu 1416 R4(config-if)# ip nhrp authentication SECRET R4(config-if)# ip nhrp map 100.0 R4(config-isakmp)# crypto ipsec transform-set DMVPN esp-des esp-md5hmac R4(cfg-crypto-trans)# crypto ipsec profile IPSEC R4(ipsec-profile)# set transform-set DMVPN R4(ipsec-profile)# interface Tunnel0 R4(config-if)# ip address 100.255.0 R5(config-isakmp)# crypto ipsec transform-set DMVPN esp-des esp-md5hmac R5(cfg-crypto-trans)# crypto ipsec profile IPSEC R5(ipsec-profile)# set transform-set DMVPN R5(ipsec-profile)# interface Tunnel0 .255.255 R6(config-router-af)# network 6.0.0.6.6 120.100.255 R6(config)# crypto isakmp policy 1 R6(config-isakmp)# authentication pre-share R6(config-isakmp)# crypto isakmp key CCIE address 0.100.6 R4(config-if)# ip nhrp network-id 10 R4(config-if)# ip nhrp holdtime 100 R4(config-if)# ip nhrp nhs 100.R6(config-router)# address-family ipv4 autonomous-system 1 R6(config-router-af)# network 100.0 R6(config-if)# ip mtu 1416 R6(config-if)# ip nhrp authentication SECRET R6(config-if)# ip nhrp map multicast dynamic R6(config-if)# ip nhrp network-id 10 R6(config-if)# ip nhrp holdtime 100 R6(config-if)# delay 2000 R6(config-if)# tunnel source gig 0/0 R6(config-if)# tunnel mode gre multipoint R6(config-if)# tunnel key 1 R6(config-if)# tunnel protection ipsec profile IPSEC R4(config)# crypto isakmp policy 1 R4(config-isakmp)# authentication pre-share R4(config-isakmp)# crypto isakmp key CCIE address 0.0.0 0.0.6 255.0.255.0.100.100.0.100.100.100.6 R4(config-if)# delay 2000 R4(config-if)# tunnel source gig 0/0 R4(config-if)# tunnel mode gre multipoint R4(config-if)# tunnel key 1 R4(config-if)# tunnel protection ipsec profile IPSEC R5(config)# crypto isakmp policy 
1 R5(config-isakmp)# authentication pre-share R5(config-isakmp)# crypto isakmp key CCIE address 0.100.0 0.45.100.100.4 255.100.6.100.255.

yet each spoke router discovers only the hub network.0/24 is subnetted.5.0.6 for each spoke network.100. 1 subnets D 6.100.100. the question dictates that spoke routers should be able to communicate “directly.6.100.100.0/24 is subnetted. The command no next-hop-self on the hub router R6 ensures that the spoke routers are used as next hops when spoke-to-spoke communication is required.45.0 [90/285084416] via 100.100.4.6.5. and this will enable the dynamic IPsec peering between spokes as directed in the question.R5(config-if)# R5(config-if)# R5(config-if)# R5(config-if)# R5(config-if)# R5(config-if)# R5(config-if)# R5(config-if)# R5(config-if)# R5(config-if)# R5(config-if)# R5(config-if)# R5(config-if)# ip address 100.100.6 120.100.100.6 delay 2000 tunnel source gig 0/0 tunnel mode gre multipoint tunnel key 1 tunnel protection ipsec profile IPSEC Example 3-29 details the EIGRP routes received on all routers.100. the hub router shows both spoke networks. 1 subnets D 4.0/24 is subnetted. Tunnel0 R6# show ip route eigrp 4.0 [90/285084416] via 100. R6(config)# router eigrp VPN R6(config-router)# address-family ipv4 autonomous-system 1 .100. 00:02:42.6.0/24 is subnetted.0 ip mtu 1416 ip nhrp authentication SECRET ip nhrp map 100.6.6. 00:01:02.255.255.0.4.0. the next hop for spoke networks show as the hub router 100. Tunnel0 !R6 has both spoke routes yet each spoke (R4 and R5) only have the hub network route.0 [90/285084416] via 100.” As shown in Example 3-29.100.100.6 ip nhrp network-id 10 ip nhrp holdtime 100 ip nhrp nhs 100.100. this is a classic split-horizon issue.100. !a classic split horizon issue.100.4.100. As you can see. The hub router R6 must be configured to disable the split-horizon behavior to ensure that the spoke routers receive each other’s routes.6.0. 1 subnets D 6. 1 subnets D 5.0 [90/285084416] via 100.5. Example 3-29 DMVPN Spoke-to-Spoke Routing Click here to view code image R4# show ip route eigrp 6. However. Tunnel0 5. 
Tunnel0 R5# show ip route eigrp 6. 00:00:50.0. 00:03:06.0.100.0.6 ip nhrp map multicast 120.45.0.5 255.

R6(config-router-af)# af-interface Tunnel0
R6(config-router-af-interface)# no split-horizon
R4# show ip route eigrp
      5.0.0.0/24 is subnetted, 1 subnets
D        5.5.5.0 [90/285596416] via 100.100.100.6, 00:00:22, Tunnel0
      6.0.0.0/24 is subnetted, 1 subnets
D        6.6.6.0 [90/285084416] via 100.100.100.6, 00:04:14, Tunnel0
R5# show ip route eigrp
      4.0.0.0/24 is subnetted, 1 subnets
D        4.4.4.0 [90/285596416] via 100.100.100.6, 00:00:33, Tunnel0
      6.0.0.0/24 is subnetted, 1 subnets
D        6.6.6.0 [90/285084416] via 100.100.100.6, 00:02:20, Tunnel0
R5#
! The next-hop for spoke to spoke routes shows as the hub router (100.100.100.6) yet
! the question states traffic must flow directly between spokes so the next-hop must
! be modified
R6(config)# router eigrp VPN
R6(config-router)# address-family ipv4 autonomous-system 1
R6(config-router-af)# af-interface Tunnel1
R6(config-router-af-interface)# no next-hop-self
R4# show ip route eigrp
      5.0.0.0/24 is subnetted, 1 subnets
D        5.5.5.0 [90/285596416] via 100.100.100.5, 00:00:28, Tunnel0
      6.0.0.0/24 is subnetted, 1 subnets
D        6.6.6.0 [90/285084416] via 100.100.100.6, 00:00:29, Tunnel0
R5# show ip route eigrp
      4.0.0.0/24 is subnetted, 1 subnets
D        4.4.4.0 [90/285596416] via 100.100.100.4, 00:00:39, Tunnel0
      6.0.0.0/24 is subnetted, 1 subnets
D        6.6.6.0 [90/285084416] via 100.100.100.6, 00:00:39, Tunnel0
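
The three stages of Example 3-29 can be reproduced with a small model of what the hub sends
back out of the tunnel. This is an added example, not code from the book; the function names
and the use of the label Tunnel0 for the hub interface are assumptions, while the addresses
are the lab's.

```python
"""Toy model of the updates a DMVPN hub sends to its spokes under EIGRP."""
from dataclasses import dataclass

HUB = "100.100.100.6"  # R6 tunnel address, as in the lab


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str    # tunnel address the hub learned the route from ("" = local to the hub)
    learned_on: str  # hub interface the route arrived on ("" = local to the hub)


# Hub routing state as in the lab: R6's own loopback plus one loopback per spoke.
HUB_RIB = [
    Route("6.6.6.0/24", "", ""),
    Route("4.4.4.0/24", "100.100.100.4", "Tunnel0"),
    Route("5.5.5.0/24", "100.100.100.5", "Tunnel0"),
]


def spoke_view(spoke, rib=HUB_RIB, out_iface="Tunnel0",
               split_horizon=True, next_hop_self=True):
    """Return {prefix: next_hop} that `spoke` installs from the hub's update."""
    installed = {}
    for route in rib:
        same_iface = route.learned_on == out_iface
        if route.next_hop == spoke:
            continue  # the spoke's own connected network beats any echo of it
        if same_iface and split_horizon:
            continue  # split horizon: not advertised out the interface it came in on
        if same_iface and not next_hop_self:
            installed[route.prefix] = route.next_hop  # originating spoke kept as next hop
        else:
            installed[route.prefix] = HUB  # hub sets itself as the next hop
    return installed


def show(spoke, **knobs):
    """Print the spoke's resulting EIGRP routes for one combination of hub settings."""
    label = ", ".join(f"{k}={v}" for k, v in knobs.items()) or "defaults"
    print(f"{spoke} [{label}]")
    for prefix, next_hop in sorted(spoke_view(spoke, **knobs).items()):
        print(f"  D {prefix} via {next_hop}")


if __name__ == "__main__":
    r4 = "100.100.100.4"
    show(r4)                                            # hub route only
    show(r4, split_horizon=False)                       # R5's network via the hub
    show(r4, split_horizon=False, next_hop_self=False)  # R5's network via R5
```

Only the last combination gives a spoke the other spoke's tunnel address as next hop, which is
what lets NHRP resolve it and the dynamic spoke-to-spoke IPsec session form.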

Example 3-30 shows the ISAKMP IPsec connection on spoke Router R5 to the hub. To bring up
a dynamic ISAKMP IPsec connection to the other spoke router R4, an extended ping is required
from loopback interface to loopback interface.
This question was extremely complex and is the reason why it was weighted so heavily. You had
multiple items to configure within the standard DMVPN solution, such as split horizon. It should
make you realize the importance of reading the question a number of times and taking the time to
test your configurations to ensure that you have successfully answered the question. If you have
configured your routers correctly, as detailed in Examples 3-29 and 3-30, congratulations, and
you have earned a hefty 10 points.

Example 3-30 DMVPN Spoke-to-Spoke Testing

R5# show crypto map
Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
Profile name: IPSEC
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
DMVPN,
}
Crypto Map "Tunnel0-head-0" 65537 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 120.100.45.6
Extended IP access list
access-list permit gre host 120.100.45.5 host 120.100.45.6
Current peer: 120.100.45.6
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
DMVPN,
}
Interfaces using crypto map Tunnel0-head-0:
Tunnel0
R5# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
120.100.45.6    120.100.45.5    QM_IDLE           4001    0 ACTIVE

IPv6 Crypto ISAKMP SA
! R5 spoke router only has a connection to the hub router. An extended ping sourced
! from the loopback interface of one spoke to another is required to bring up the
! dynamic spoke to spoke connection.
R5# ping
Protocol [ip]:
Target IP address: 4.4.4.4
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 5.5.5.5
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:

Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 5.5.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R5# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
120.100.45.5    120.100.45.4    QM_IDLE           4002    0 ACTIVE
120.100.45.6    120.100.45.5    QM_IDLE           4001    0 ACTIVE

IPv6 Crypto ISAKMP SA
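
The crypto parameters this question dictates (DES, MD5, a preshared key bound to address
0.0.0.0, and an ISAKMP policy that sets only the authentication method) are the kind of
settings a configuration review should catch outside a lab. The check below is an added
example, not part of the book: the rule names are hypothetical, and HARDENED_CONFIG is a
constructed comparison sample whose stronger parameters are an assumption for illustration.

```python
"""Flag lab-grade IPsec settings in an IOS DMVPN spoke configuration."""
import re

# Spoke crypto configuration from the lab answer, router prompts removed.
LAB_SPOKE_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key CCIE address 0.0.0.0
crypto ipsec transform-set DMVPN esp-des esp-md5-hmac
crypto ipsec profile IPSEC
 set transform-set DMVPN
interface Tunnel0
 ip nhrp authentication SECRET
 tunnel mode gre multipoint
 tunnel protection ipsec profile IPSEC
"""

# Constructed comparison sample (assumption, not the lab answer): explicit IKE
# parameters, a key bound to the hub's address, AES and SHA-256 transforms.
HARDENED_CONFIG = """\
crypto isakmp policy 1
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-KEY address 120.100.45.6
crypto ipsec transform-set DMVPN esp-aes 256 esp-sha256-hmac
crypto ipsec profile IPSEC
 set transform-set DMVPN
interface Tunnel0
 tunnel mode gre multipoint
 tunnel protection ipsec profile IPSEC
"""

WEAK_TRANSFORMS = {
    "esp-des": "56-bit DES encryption",
    "esp-null": "no encryption",
    "esp-md5-hmac": "MD5-based integrity",
    "ah-md5-hmac": "MD5-based integrity",
}


def parse_blocks(text):
    """Group config lines into (parent, [children]) using leading-space indentation."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(text):
    """Return a list of (rule, detail) findings in configuration order."""
    findings = []
    for parent, children in parse_blocks(text):
        words = parent.split()
        if parent.startswith("crypto ipsec transform-set "):
            for transform in words[4:]:
                if transform in WEAK_TRANSFORMS:
                    detail = f"{words[3]}: {transform} ({WEAK_TRANSFORMS[transform]})"
                    findings.append(("weak-transform", detail))
        elif parent.startswith("crypto isakmp key "):
            match = re.search(r"\baddress\s+(\S+)", parent)
            if match and match.group(1) == "0.0.0.0":
                findings.append(("wildcard-psk", "key is accepted from any peer address"))
        elif parent.startswith("crypto isakmp policy "):
            configured = {child.split()[0] for child in children}
            missing = [k for k in ("encryption", "hash", "group") if k not in configured]
            if missing:
                detail = f"policy {words[3]} leaves {', '.join(missing)} at platform defaults"
                findings.append(("policy-defaults", detail))
        elif parent.startswith("interface Tunnel"):
            protected = any(c.startswith("tunnel protection ipsec") for c in children)
            if "tunnel mode gre multipoint" in children and not protected:
                findings.append(("unprotected-mgre", f"{words[1]} has no tunnel protection"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("lab", LAB_SPOKE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for rule, detail in audit(cfg) or [("ok", "no findings")]:
            print(f"  {rule}: {detail}")
```
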

Following on from the previous question, add R2 into the common GRE tunnel network
as a spoke router using identical security parameters as used on R4 and R5, ensuring it
receives routes from R4, R5, and R6 using the same common EIGRP parameters. The
source interface for the tunnel configuration on R2 should be Fast Ethernet 1/1, and the
destination should be the Gigabit Ethernet 0/0 interface of R6. Add new Loopback 2 interfaces
with the identical IP address of 45.45.45.45/24 on both R4 and R5 and advertise this identical
network from R4 and R5 to the hub router R6 on the common GRE tunnel interface.
Configure R6 to advertise both destinations (R4 and R5) to spoke router R2 for network
45.45.45.0/24 in EIGRP over the common GRE tunnel network. (3 points)
Adding R2 as an additional spoke router into the DMVPN network is a relatively simple task if
you were successful with the previous question; it is simply a spoke repetition task. R4 and R5
are configured with a new Loopback 2 interface with an identical IP address of 45.45.45.45/24.
This network is then advertised within EIGRP over the DMVPN toward the preconfigured hub
router R6. Example 3-31 shows the required configuration on R2, R4, and R5 and the resulting
route advertisements for the new network on R4 and R5 successfully received on R6 and R2.
Example 3-31 DMVPN R2, R4, and R5 Configuration and Verification

R2(config-if)# router eigrp VPN
R2(config-router)# address-family ipv4 autonomous-system 1
R2(config-router-af)# network 100.100.100.0 0.0.0.255

R2(config-router-af)# exit-address-family
R2(config-router)# crypto isakmp policy 1
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# crypto isakmp key CCIE address 0.0.0.0
R2(config-isakmp)# crypto ipsec transform-set DMVPN esp-des esp-md5-hmac
R2(cfg-crypto-trans)# crypto ipsec profile IPSEC
R2(ipsec-profile)# set transform-set DMVPN
R2(ipsec-profile)# interface Tunnel0
R2(config-if)# ip address 100.100.100.2 255.255.255.0
R2(config-if)# ip mtu 1416
R2(config-if)# ip nhrp authentication SECRET
R2(config-if)# ip nhrp map 100.100.100.6 120.100.45.6
R2(config-if)# ip nhrp map multicast 120.100.45.6
R2(config-if)# ip nhrp network-id 10
R2(config-if)# ip nhrp holdtime 100
R2(config-if)# ip nhrp nhs 100.100.100.6
R2(config-if)# delay 2000
R2(config-if)# tunnel source fastethernet0/1
R2(config-if)# tunnel mode gre multipoint
R2(config-if)# tunnel key 1
R2(config-if)# tunnel protection ipsec profile IPSEC
R4(config)# interface loopback2
R4(config-if)# ip add 45.45.45.45 255.255.255.0
R4(config-if)# router eigrp VPN
R4(config-router)# address-family ipv4 autonomous-system 1
R4(config-router-af)# network 45.45.45.0 0.0.0.255
R5(config)# interface loopback2
R5(config-if)# ip add 45.45.45.45 255.255.255.0
R5(config-if)# router eigrp VPN
R5(config-router)# address-family ipv4 autonomous-system 1
R5(config-router-af)# network 45.45.45.0 0.0.0.255
R6# show ip route eigrp
      4.0.0.0/24 is subnetted, 1 subnets
D        4.4.4.0 [90/61440640] via 100.100.100.4, 00:00:16, Tunnel0
      5.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D        5.5.5.0/24 [90/61440640] via 100.100.100.5, 00:00:16, Tunnel0
      45.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D        45.45.45.0/24 [90/61440640] via 100.100.100.5, 00:01:10, Tunnel0
                       [90/61440640] via 100.100.100.4, 00:01:10, Tunnel0
R2# show ip route eigrp
      4.0.0.0/24 is subnetted, 1 subnets
D        4.4.4.0 [90/71680640] via 100.100.100.4, 00:01:40, Tunnel0
      5.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D        5.5.5.0/24 [90/71680640] via 100.100.100.5, 00:01:40, Tunnel0
      6.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D        6.6.6.0/24 [90/61440640] via 100.100.100.6, 00:07:05, Tunnel0
45.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

so a value of 1 (0001) would be 00110001.0.6.4. 00:01:16.0/24 [90/71680640] via 100.100. Therefore. 2 subnets. and R5 Configuration and Verification Click here to view code image R6(config)# router eigrp VPN R6(config-router)# address-family ipv4 autonomous-system 1 R6(config-router-af)# af-interface Tunnel0 R6(config-router-af-interface)# add-paths 2 R2# show ip route eigrp 4.100.45. you have scored 3 points.45. the command add-paths 2 under the Tunnel 0 interface of the EIGRP af-interface section ensures that the spoke router R2 receives both paths to network 45.0/24 is shown in the routing table of R2.0.4.5. 1 subnets D 4.45.100.0. 00:03:39.100.45.0.0/8 is variably subnetted.5. Tunnel0 The network manager of your network cannot justify a full security implementation but wants to implement a solution that provides only a password prompt from R1 when the keyboard entry 1 is entered on the console port (as opposed to the normal CR/Enter key). hubs can advertise up to four additional best paths to connected spokes.0. 2 masks D 45.D Tunnel0 45.6.4. Tunnel0 45. 2 subnets.0/8 is variably subnetted.100.100. 2 masks D 5. Tunnel0 [90/61440640] via 100.0/24 [90/61440640] via 100.100. With Add Path Support in EIGRP. the decimal conversion is 32 + 16 + 1 = 49.100.100. 00:01:16. 00:01:22.0. Configure R1 appropriately. you have scored 2 points.45. This is the default behavior of the hub router R6 when a hub has more than one path (with the same metric but through different spokes) to reach the same network. 00:01:16. You would need to search to discover that ASCII numeric figures (0 to 9) are prefixed by the binary value of 0011.45.0 [90/71680640] via 100.5. 2 subnets. 2 masks D 6. thereby allowing load balancing and path redundancy. In this instance.100. If you have configured this correctly.5. (2 points) This question makes use of the activation-character command on the console port.0/24 [90/71680640] via 100.4. Example 3-32 DMVPN R2. 
Example 3-32 shows that only a single route for network 45. . Tunnel0 5. as shown in Example 332.6. This is a nasty question because the CLI entry requires an ASCII entry.0.45.0/24 [90/71680640] via 100.4. 00:01:14. This is good question on which to use the (?) on the CLI for clues and your documentation CD or search facility in the lab if you were not aware of this feature. If you have configured this correctly per Example 3-33. EIGRP advertises only one path as the best path to connected spokes.0.100.0/24 through R4 and R5.0/8 is variably subnetted.45. R4.0/24 is subnetted. Tunnel0 6.100.

Example 3-33 R1 Console Activation-Character Configuration

R1(config)# line con 0
R1(config-line)# activation-character ?
  CHAR or <0-127>  Activation character or its decimal equivalent
R1(config-line)# activation-character 49

Lab 3 Wrap-Up
So, how did it go? Did you run out of time? Did you manage to finish but miss what was actually
required? If you scored over 80, well done. If you accomplished this within 8 hours or less,
you will be prepared for any scenario that you are likely to face during the 5.5 hours of the
Configuration section of the actual exam. Remember that the Troubleshooting section on the
v5.0 exam is a separate section from the Configuration section and has a different scenario;
you will have 2 hours to complete the Troubleshooting section. This lab was designed to ensure
that you troubleshoot your own work as you progress through the questions. Did you manage to
configure items such as disabling split horizon for DMVPN and the area ID for OSPF? This
attention to detail and complete understanding of the protocols will ultimately earn you your
number.