
Practice Lab 1

The CCIE exam commences with 2 hours of troubleshooting followed by 5 1/2 hours of
configuration and a final 30 minutes of additional questions. This lab consists of 100 points and
has been timed to last for 8 hours of configuration and self-troubleshooting, so aim to complete
the lab within this period. Then either score yourself at this point or continue until you believe
you have met all the objectives. You will now be guided through the equipment requirements and
pre-lab tasks in preparation for taking this practice lab.
If you do not own six routers and four switches, consider using the equipment available and
additional lab exercises and training facilities available within the CCIE R&S 360 program. You
can find detailed information on the 360 program and CCIE R&S exam on the following URLs,
respectively:
https://learningnetwork.cisco.com/community/learning_center/cisco_360/360-rs
https://learningnetwork.cisco.com/community/certifications/ccie_routing_switching

Equipment List
You need the following hardware and software components to begin this practice lab:
Six routers loaded with Cisco IOS Software Release 15.3T Advanced Enterprise image
and the minimum interface configuration, as documented in Table 1-1
Four 3560X switches with IOS 15.0S IP Services

Setting Up the Lab 1
You can use any combination of routers as long as you fulfill the requirements within the
topology diagram, as shown in Figure 1-1. However, you should use the same model of routers
because this can make life easier if you load configurations directly from those supplied with
your own devices. If your router interface speeds do not match those used in this lab, consider
reconfiguring the bandwidth statement accordingly to provide symmetry with the routing
protocol metrics.

Figure 1-1 Lab Topology

Note
The CCIE Assessor topology version B is used for this lab. Additional
interfaces available on the Assessor that are not required for this lab were
omitted from Figure 1-1. If you are not using the CCIE Assessor, use Figure
1-1 and Figure 1-4 to determine how many interfaces you need to complete
your own topology.

Note
Notice in the initial configurations supplied that some interfaces will not have
an IP address preconfigured. This is because you either will not be using that
interface or you need to configure this interface from default within the
exercise. The initial configurations supplied should be used to preconfigure
your routers and switch before the lab starts.
If your routers have different interface speeds than those used within this
book, adjust the bandwidth statements on the relevant interfaces to keep all
interface speeds in line. This can ensure that you do not get unwanted
behavior due to differing IGP metrics.

Lab Topology
This practice lab uses the topology outlined in Figure 1-1, which you must re-create with your
own equipment or by simply using the CCIE Assessor.

Switch Instructions
Configure VLAN assignments from the configurations supplied or from Table 1-2, with the
exception of Switch2 Fa0/4 (which will be configured during the lab).

Table 1-2 VLAN Assignment
Note
Interface Fa0/4 on Switch 2 will be configured for VLANs 45 and 46 during the
actual lab questions.
Connect your switches with RJ-45 Ethernet cross-over cables, as shown in Figure 1-2.

Figure 1-2 Switch Cabling

Serial Link
A preconfigured PPP back-to-back serial link exists between R2 and R5, and R2 has been
configured to provide the clocking for the connection in the initial configuration files. Therefore,
R2 should have the DCE serial cable and R5 the DTE serial cable for the back-to-back
connectivity.

IP Address Instructions
In the real CCIE lab, the majority of your IP addresses will be preconfigured. For this exercise,
however, you are required to configure your IP addresses, as shown in Figure 1-3, or load the
initial router configurations supplied. If you are manually configuring your equipment, ensure
that you include the following loopback addresses:
R1 Lo0 120.100.1.1/24
R2 Lo0 120.100.2.1/24
R3 Lo0 120.100.3.1/24
R4 Lo0 120.100.4.1/24
R5 Lo0 120.100.5.1/24
R6 Lo0 120.100.6.1/24
SW1 Lo0 120.100.7.1/24
SW2 Lo0 120.100.8.1/24
SW3 Lo0 120.100.9.1/24
SW4 Lo0 120.100.10.1/24

Figure 1-3 IP Addressing Diagram

Pre-Lab Tasks
Build the lab topology as per Figure 1-1 and Figure 1-2.
Configure the IP addresses on each router, as shown in Figure 1-3, and add the loopback
addresses. Alternatively, you can load the initial configuration files supplied if your router is
compatible with those used to create this exercise.
R1 requires a secondary IP address on its Gigabit Ethernet 0/1 interface for this lab; you can
find details on the accompanying initial configuration for R1.

General Guidelines
Read the whole lab before you start.
Do not configure any static/default routes unless otherwise specified.
Ensure full IP visibility between routers for ping testing/Telnet access to your devices (except
for the switch loopback addresses, which will not be visible to the majority of your network
because of the configuration tasks).
If you find yourself running out of time, choose questions that you are confident you can
answer; failing this, choose questions with a higher point rating to maximize your potential
score.
Get into a comfortable and quiet environment where you can focus for the next 8 hours.
Take a 30-minute break midway through the exercise.
Have available a Cisco documentation CD-ROM or access online the latest documentation from
http://www.cisco.com/cisco/web/psa/configure.html. Note that access to this URL is likely to
be restricted within the real exam.

Note
Access only this URL, not the whole Cisco.com website (because if you are
permitted to use documentation during your CCIE lab exam, it will be
restricted). To save time during your lab exam, consider opening several
windows with the pages you are likely to look at.

Practice Lab One
You will now answer questions in relation to the network topology, as shown in Figure 1-4.

Figure 1-4 Network Topology for Practice Lab One Section 1: LAN Switching (25 Points) Configure your switches as a collapsed backbone network with Switches 1 and 2 performing core and distribution functionality and Switches 3 and 4 as access switches in your topology. are shut down dynamically by all switches. should they toggle excessively. by configuring only Switches 1 and 2. Switches 3 and 4 should operate in their default spanning-tree mode.1w mode. if they remain stable for 35 seconds. they should be reenabled. (2 points) Make sure that you fully use the available bandwidth between switches by grouping together your interswitch links as trunks. (2 points) Ensure that user interfaces. Ensure that Switches 3 and 4 can never become root bridges for any VLANs for which Switch 1 and Switch 2 are root bridges. (2 points) Configure Switch 1 to be the root bridge and Switch 2 the secondary root bridge for VLANs 1 and 300. Switches 3 and 4 should connect only to the core switches. (3 points) Ensure that traffic is distributed on individual Ethernet trunks between switches based on the destination MAC address of individual flows. (2 points) Switch 1 and 2 should run spanning tree in 802. Ensure that only dot1q and EtherChannel are supported. Configure .

and R3 should be configured to be in Area 0.4/24 to communicate with R6. Use a dynamic feature to ensure that the only information forwarded upon connection is DHCP request packets. Configure R4 and its associated switch port accordingly without using secondary addressing to communicate with R5 and R6. Use a process ID of 1. If this network should fail either at Layer 1 or Layer 2. for additional security.45. (4 points) . R2. Your solution should be dynamic.4/24 to communicate with R5. any traffic that matches the DHCP IP information received from the DHCP binding.100. Configure R4 with an IP address of 120. To confirm the operational status of the serial network. and configure R4 with an IP address of 120. ensuring that while the Area 5 serial link is operational there is no neighbor relationship between R4 and R5. and then. Ensure that the switches intercept the DHCP requests and add the ingress port and VLAN and switch MAC address before sending onward to the DHCP server.100.100.46.100. the Ethernet interfaces of R4 and R5 must remain up. R4 should be in Area 34 and R5 in Area 5. ensure that the user ports on Switches 1–4 and 11–17 can communicate only with the network with IP addresses gained from the DHCP feature configured previously. The loopback interfaces of Routers R1. R5 should form a neighbor relationship with R4 under Area 5 to maintain connectivity. You are permitted to define neighbor statements between R5 and R4. however. Do not use any filtering techniques to achieve this. (2 points) Fast Ethernet Ports 0/11–17 will be used for future connectivity on each switch.Fast Ethernet Port 0/10 on each switch so that if multicast traffic is received on this port the port is automatically disabled. (6 points) For additional security. which should begin forwarding traffic immediately upon connection. (3 points) Section 2: IPv4 IGP Protocols (24 Points) Section 2. 
Devices connected to these ports will dynamically receive IP addresses from a DHCP server due to be connected to Port 0/18 on SW1. Limit DHCP requests to 600 packets per minute per user port. (2 points) R5 should use the serial link within Area 5 for its primary communication to the OSPF network.1: OSPF Refer to Figure 1-5. Configure these ports as access ports for VLAN 300.1/24 to the OSPF network. (3 points) R5 and R6 have been preconfigured with IP addresses on their Ethernet interfaces. (1 point) Ensure that R1 does not advertise the preconfigured secondary address under interface Gigabit 0/1 of 120. For security purposes. Configure R4 Gi0/1 and Switch 2 FE0/4 only. (2 points) No loopback networks should be advertised as host routes. this is the only port on the network from which DHCP addresses should be allocated. all OSPF configuration where possible should not be configured under the process ID. ensure that the serial interface of R5 is reachable by configuration of R5.

You cannot policy route. and perform configuration only on R4. Configure EIGRP with an instance name of CCIE where possible using an autonomous system number of 1. these routes should also not be present in the OSPF network post redistribution. Do not use any route-filtering ACLs. Perform your configuration on R4 only. traffic should be sent to R6. prefix lists.2: EIGRP Refer to Figure 1-6. Your solution should be applied to all routes .Figure 1-5 OSPF Topology Section 2. Ensure that R4 sends traffic to this destination network to R5 instead of load sharing. (4 points) R4 will have dual equal-cost routes to VLAN 300 (network 150. If the route from R5 becomes unavailable. or use an offset list. or admin distance manipulation to achieve this.3.0) from R5 and R6. (2 points) Ensure that R4 does not install any of the EIGRP loopback routes from any of the switches into its routing table.100. alter the bandwidth or delay statements on R4’s interfaces. The loopback interfaces of all routers and switches should be advertised within EIGRP.

received from R5 and R6. R4-R5. (2 points) Section 3: BGP (14 Points) Refer to Figure 1-7. R4-R6. Configure eBGP peering as follows: R3-R4. Configure iBGP peering as follows: R1-R3. Do not use any access lists in your solution. (3 points) Configure R4 to redistribute only up to five EIGRP routes and generate a system warning when the fourth route is redistributed. as opposed to solely the route to network VLAN 300. (4 points) Figure 1-6 EIGRP Topology Section 2. Use minimal configuration and use loopback interfaces for your peering with the exception of R4 to R5. EIGRP routes redistributed within the OSPF network should remain with a fixed cost of 5000 throughout the network. R6-R5. R2-R3. and SW1-R5. All routes should be accessible except for the switch loopback networks (because these should not be visible via R4 from an earlier question). SW1-R6. (2 points) Use the autonomous system numbers supplied in Figure 1-7. Use minimal configuration and use loopback interfaces for your peering. (2 points) .3: Redistribution Perform mutual redistribution of IGPs on R4. and R5-R2.

200. Configure R2 in such a way that if the serial link between R2 and R5 fails.1.Figure 1-7 BGP Topology AS200 is to be used as a backup transit network for traffic between AS10 and AS300. ensure that the peering between R2 and R5 is not maintained via the Ethernet network.100.1/24.0 and from above network 128. if the serial network between R5 and R2 fails. Do not use any route filtering between neighbors to achieve this.1/24.0/24 is no longer visible to AS300. Use only a single ACL on R3 as part of your solution.1.1. (4 points) Configure two new loopback interfaces on R1 and R2 of 126.1/24. Configure R5 to achieve this solution.0.0. (3 points) Configure HSRP between R5 and R6 on VLAN300 with R5 active for . therefore.0.0. respectively. R3 should be configured to enable only BGP routes originated from R1 up to network 128. If the network 130. and advertise these into BGP using the network command.100. AS300 no longer receives this route. Configure IPv6 addresses on your network as follows: 2007:C15:C0:10::1/64 – R1 Gi0/1 . (2 points) Configure a new loopback interface 2 on R2 of 130.200. R6 should dynamically become the HSRP active. Do not use any ACL type restrictions or change the existing peering. (3 points) Section 4: IPv6 (15 Points) Refer to Figure 1-8.1/24 and 130. and advertise this into BGP using the network command.0 originated from R2.1.

2007:C15:C0:11::1/64 – R1 Gi0/0 2007:C15:C0:11::2/64 – R2 FE0/0 2007:C15:C0:11::3/64 – R3 Gi0/1 2007:C15:C0:12::2/64 . R1 must not form any neighbor relationship with R2 on VLAN 132 (without the use of any ACL. R1 must dynamically learn a default route over EIGRPv6 via R3 on VLAN 132 by which to communicate with the IPv6 network.R2 FE0/1 2007:C15:C0:14::2/64 – R2 S0/1 2007:C15:C0:14::5/64 – R5 S0/0/1 2007:C15:C0:15::3/64 – R3 Gi0/0 2007:C15:C0:15::4/64 – R4 Gi0/0 2007:C15:C0:16::5/64 – R5 Gi0/1 2007:C15:C0:16::6/64 – R6 Gi0/1 Figure 1-8 IPv6 Topology Section 4. or multicast blocking feature).1: EIGRPv6 Configure EIGRPv6 under the instance of CCIE with a primary autonomous system of 1. static neighbor relationship. (4 points) .

2: OSPFv3 Configure OSPFv3 with a process ID of 1. Packets received from the user ports with DSCP values of 48. which should be seen within the EIGRPv6 domain. All ports should trust the DSCP values received from their connecting devices. Configure R5 only to achieve this. (2 points) Ensure that if the serial link fails between the OSPF and EIGRPv6 domain. (3 points) Ensure that the summary route configured previously is not seen back on the routing table of R5. Ensure a minimum burst value is configured above the 5 Mbps. 24. which should be considered as an alternative path only if a failure occurs. 32. (1 point) Ensure that the OSPF3 network is reachable from the EIGRPv6 network by a single route of 2007::/16. reduce the number of LSAs flooded within the OSPF domain. (2 points) . 2. Configure R4 and R5 to achieve this. A DSCP value received locally on SW1 of AF43 should be mapped to AF42 when destined for the new domain. Incorporate these into an overall policy that should be applied to the T1 interface S0/1. 28. Allow each class the effective bandwidth as detailed. routing is still possible between R5 and R4 over VLAN 45.3: Redistribution Redistribute EIGRPv6 routes into the OSPFv3 demand (one way). therefore. This traffic could be a combination of any of the preceding DSCP values with any source/destination combination. (2 points) Section 4. with all OSPF interfaces assigned to Area 0. 34.Section 4. Do not enable EIGRPv6 on the VLAN 45 interfaces of R4 and R5. entered as a percentage. (2 points) The IPv6 network is deemed to be stable. Switch 1 will be connected to a new trusted domain in the future using interface Gigabit 0/1. 16. 46. The OSPF domain should continue to receive specific EIGRPv6 subnets. Create a Modular QoS configuration for all user ports (Fast Ethernet 1–24) that facilitates the following requirements (3 points): 1. EIGRPv6 routes should have a fixed cost of 5000 associated with them within the OSPF network. configure only R5 to achieve this. 
and 10 should be re-marked to DSCP 8 (PHB CS1) in the event of traffic flowing above 5 Mbps on a per-port basis. (2 points) Configure Cisco Modular QoS as follows on R2 for the following traffic types based on their associated per-hop behavior into classes. (1 point) Section 5: QoS (8 Points) You are required to configure QoS on Switch 1 according to the Cisco QoS baseline model.

(3 points) To protect the control plane on router R6.100. (1 point) Section 7: Multicast (4 Points) Configure routers R1. but you can use a static route pointing to null0 for traffic destined to 192.100.Configure R2 so that traffic can be monitored on the serial network with a view to a dynamic policy being generated in the future that trusts the DSCP value of traffic identified on this media. ensure that only within BGP AS10. Use a BGP feature on R2 to ensure that traffic to this source is blocked. the virus is characterized by the ASCII characters Hastings_Beer within the payload and uses UDP Ports 11664 to 11666. and R4 for IPv4 Multicast. configure CoPP so that IP packets with a TTL of 0 or 1 are dropped rather than processed. (1 point) Section 6: Security (6 Points) Configure R3 to identify and discard the following custom virus. The virus originated on VLAN 34. The ID of the virus begins on the third character of the payload.2. with a resulting ICMP redirect sent to the originator. Prevent unnecessary replies when traffic is passed to the null0 interface for users residing on VLAN 100. configure R3 to send multicast advertisements of its own time by use of NTP sourced from interface Gig 0/0. (2 points) An infected host is on VLAN 200 of 150. R2 can have an additional static route pointing to null0.0 /24 on routers within AS10. R3 should also advertise the IP address you are . R2. traffic destined for this host is directed to null0 of each local router. Configure PIM spare mode on all required interfaces.0. R3.2. R3 should also be used to advertise its own gigabit interface IP address as an RP. You cannot use any ACLs to block traffic to this host specifically.

Q. the proctor will not enter into any discussions about the questions or answers.1 Configure a policy on router R1 so that if a user tries to remove AAA services or disable logging via the CLI that a syslog message of UNAUTHORIZED-COMMANDENTERED is generated. He or she will be present to ensure that you do not have problems with the lab environment and to maintain the timing element of the exam. (4 points) IP Services (4 Points) Configure the following commands on router R1: aaa new-model logging buffered logging 120. Do you want me to disable spanning tree down to Switches 3 and 4? Is this acceptable? .100. All the switches are already connected. surely this will never enable Switches 3 and 4 to become root bridges. use a feature that effectively ignores a superior BPDU if received. In the actual CCIE lab. If I explicitly configure Switches 1 and 2 as root bridges.using for the NTP advertisements that will be 224.net subject “User-Issue” with the message body consisting of details of who was logged on the time either of the commands were entered). Q. (4 points) “Ask the Proctor” Note This section should be used only if you require clues to complete the questions. Section 1: LAN Switching Q. If a superior BPDU is received on ports connecting to Switches 3 and 4 from Switches 1 and 2. The policy should also generate an email from the router to a mail server residing on IP address 120.1.net from eem@lab-exam.2 (to security@lab-exam. Is this acceptable? A. Do you want me to configure the collapsed backbone network by manipulating spanning tree to ensure that Switch 1 and Switch 2 are the cores for each VLAN in use? A. so I can’t change this unless I shut down some of the connections between switches.99. Routers R1. Q.0. Do not use the command ntp server in any configurations. and R4 should all show a clock synchronized to that of R3. R2. Yes. it won’t.1. No. The policy and CLI should run asynchronously.100. 
The policy should ensure that neither command is executed and should consist of a single-line command for the CLI pattern detection. Switches 3 and 4 could become root bridges. A. You are requested to configure root bridges in a later question.99.

Q. the question relates to a fictitious DHCP server that would be connected to Fa0/18 on Switch 1. Q. Can I configure a MAC address type access list to block all multicast at Layer 2? A. My neighbor relationship is down over the serial network. No. the question directs you how to use the trunks. this would block the traffic but wouldn’t disable the port. Can I just configure R4 to trunk to Switch 2 and have a subinterface in both VLAN 45 and VLAN 46? A. Q. There have been recent advances in OSPF enabling you to configure it purely under specific areas of the router. I notice I have different OSPF network types preconfigured. No. Q. Q. No. you might want to check that Switch 2 has the required VLANs configured to enable propagation within your switched network. Can I manipulate a helper-address function to answer the DHCP question by using ACLs? A. Can I change these? A. Q. I am used to configuring OSPF under the process. Q. A. Section 2: IPv4 IGP Protocols Section 2. No. Q. Is there anything else I need to do? A. My secondary address is advertised automatically under OSPF. Yes. I’ve configured my trunk on Switch 2 to R4 and I can’t ping between R4 and R5. similarly.1: OSPF Q. No. this wouldn’t disable the port if multicast traffic was present on it. use a feature that complements your DHCP solution. spanning tree must remain in operation. No. Would you like me to VLAN load balance to utilize bandwidth? A. Q. No. Can I use a distribute list or prefix type list to block it? .A. Surely this is the only place I can configure the parameters. Remember that the switches are in VTP transparent mode. Q. I can’t ping between R4 and R6. Take a look at the commands available to you under the interfaces. use an alternative method of bringing the interface parameters back into line. use a recognized DHCP security-related solution. No. Can I configure the switchport block multicast command? A. rather like with IPv6. look for a dynamic solution that does not require an ACL. 
Would you like me configure Switch 1 to allocate DHCP addresses? A. Can I configure port security to bind my MAC addresses? A.

Q. Q. this is fine and in accordance with the question. this might aid in failure detection. Section 2. Yes. I’ve attempted to form a neighbor relationship with R4 from R5 using a backup interface. To confirm the operation status of R5’s serial interface. Take a look at your topology and areas. Is this normal? A. Is this anything to do with tracking the response to the ping? A. this would involve a neighbor relationship being maintained. can I stop advertising them from the switches? . Q. Q. can I just ping it? A. is this okay? A. No. If I advertise my loopbacks into EIGRP. Q. Yes. I’ve worked out how to do this and managed to get a neighbor up when the serial network fails. Is this okay? A. use an OSPF feature to disable the advertisement of this secondary address. just remember that this traffic will be based locally on the router when applying any policies. Okay. but you need to ensure that your solution is dynamic. but I’m stuck. Yes. This is fine.A. This feature would also ensure that the Ethernet network would be down until the backup interface is activated. You need to allow the neighbor relationship to be formed only if a failure condition occurs. Q. I can’t configure my switches with an EIGRP instance name. How about an OSPF demand circuit between R4 and R5? A. How about if I use policy routing with the next hop based on the tracking status? A. the question states that your solution should cater for either Layer 1 or Layer 2 failures and that the Ethernet should remain up. Yes. Backup interfaces would be fine for a Layer 1 failure but not for a Layer 2 type issue if you had problems with PPP that caused neighbor failures over the serial network. this is fine and in accordance with the question. You can use ICMP. No. Q. Q. Is the legacy method with just an autonomous system acceptable for the switches? A. Q. but it does not meet the objectives of the question.2: EIGRP Q. Q. Something might have changed when R5 connects over the Ethernet. No. 
To stop R4 from receiving the switch loopbacks. Not if you have configured correctly. If I use IP SLA to automatically ping R5 to check the status. but my OSPF connectivity is still not perfect through the Ethernet. won’t that mean that R4 and R5 will have their loopbacks advertised by both OSPF and EIGRP? A. I have IP SLA running. Can I use BFD between R4 and R5? A. No.

Do you want me to configure eBGP multihop but limit it to a value of 2 on R3 for a TTL security check? A. so additional blocking would not be required. No. Can I block my loopbacks or policy route at some point to effectively break the peering? . Do you require a distribute list to block the switch loopbacks from entering the OSPF domain? A. If I can’t change the bandwidth and delay on R4. This is because the loopback routes are still available over the alternative path through the network. you should have blocked these from entering your IP routing table within R4 previously. Q. No. my neighbor relationship is still maintained between R2 and R5. Is it okay to disable autosynchronization in BGP? A.3: Redistribution Q. Q. If I use the TTL security hops with a value of 2. Can I use a neighbor prefix list to block the loopbacks? A. Q. Section 3: BGP Q. Yes. Use a more general method of allowing a specific number of routes.A. Can I use a route map to enable five specific EIGRP routes to be redistributed into OSPF? A. Is this acceptable? A. Remember that you should have synchronization on only when you are fully redistributing between BGP and your IGP. Q. Yes. Q. Q. in this scenario. It’s unusual to associate hop counts with EIGRP. you cannot use any type of ACLs or prefix lists. is this all you are looking for? A. the question doesn’t guide you to redistribute specific routes. Section 2. Yes. Q. No. Q. I find that when the serial network fails. I have only one redistribution point. can I use a route map to manipulate the EIGRP K values associated on a per-neighbor basis? A. There is a specific security configuration feature within BGP to perform the TTL check. You need to determine whether you need this feature on or off. I’ve noticed when I look at the specific loopback routes that they have a hop count associated with them. you should use a feature on R4 to block them. No. 
You must ensure that your peering still works effectively between R3 and R4 when you have configured this feature. and there is no benefit in creating filtering to protect against potential routing loops between protocols. but can I block routes based on their hop count? A. this would be superfluous.

Q. No. Yes. Q. your solution would require additional configuration. You would need to match only one requirement on the permit functionality. you are instructed to use an ACL. Should I use the eui-64 address format when configuring my addresses? A. Can I use a prefix list to achieve this? A. if these were required. If I reduce this to a TTL of 2. Think about what you need to configure when you have EBGP peers. No. No. Q. the question would have instructed you to use them. Q. I might have been a little generous with my original multihop value between R2 and R5. I think I can stop the loopback on R2 being advertised by using the community value of no-export. I can break the peering.A. . Not necessarily. Q. but there is a much simpler method of achieving this that still maintains unaltered communication between R2 and R5. Can I use two route maps inbound from R1 and R2 both pointing to different ACLs so that each route map calls only one ACL? A. If I enable IP SLA to track a route in the routing table. Q. Yes. the other could be met by deny. Can I form an EIGRPv6 neighbor relationship between R1 and R3 and also R3 and R2? A. Q. You do need to effectively break the peering. you still have two ACLs. the clue is in the question. Is it okay to use the first address in the subnet? A. can I use this to control HSRP? A. Correct. it wouldn’t be advertised to R5 AS300 from R2. Is this okay? A. is this some form of conditional advertising? A. Yes. I have configured my two new loopbacks. For the HSRP question. but if I enable this to R2. You haven’t told me what address I should use for HSRP. you are instructed to use an ACL. Q. Yes. No. it wouldn’t make it to R5 even when the serial network is working? A. Can I set community values on the routes and match on these using a single ACL? A. I need an ACL with a mask suitable for both ranges? A. Q. So. just find a way of tracking the BGP route and manipulate the HSRP process. Section 4: IPv6 Q. No. Q. 
Just think about whether R2 is the best place to send the community to originally.

Yes. this should be completed as part of your policy. How will my EIGRPv6 domain communicate with the OSPFv3 domain? A. What would you do if this were IPv4? Q. Yes. Can I use different autonomous systems and then redistribute at R3? A. Section 5: QoS Q. static routes are permitted unless specified. Q. This approach would also break your IPv4 network. This issue is addressed in the following task. this is fine. No.Q. Q. can I enable OSPFv3? A. No. Section 4. Is this okay? A. If I can’t use EIGRPv6 directly on VLAN 45 between R4 and R5. How about tunneling again and enabling EIGRPv6 over the tunnel. Can I perform some kind of backup interface to make this come up only if a failure occurs on the serial link? A. Can I redistribute a static IPv6 route on R5 into RIPng for 2007::/16? A. I have redistributed EIGRPv6 into OPSFv3 on R5. Yes. Q.3: Redistribution Q. Shall I rate limit my ports to 5M on a per-port basis? . You are not requesting mutual redistribution between EIGRPv6 and OSPFv3. No. this network should be advertised to the OPSFv3 domain. Q. No. Can I just trust DSCP on my physical ports? A. which is the only suitable location. No. and noticed that in my OSPFv3 domain I do not see the IPv6 network configured on the serial network between R2 and R5. Q. Yes. I have created my tunnel and found that this is now the primary route rather than an alternative path. Can I use a prefix list to block the summary and permit all other IPv6 routes? A. Q. Think why the Ethernet path is preferred and manipulate it. If I can’t enable EIGRPv6 on VLAN 45 between R4 and R5. Q. Use a feature within the OPSFv3 process as you would to overcome this if this were IPv4 redistribution. can I configure OSPFv3 on VLAN 45? A. this would also require you to perform redistribution at this point? Q. No. Can I tunnel between R4 and R5? A. Is this okay? A. you haven’t been given sufficient information to make this judgment. 
find a way to still run EIGRPv6 between routers without enabling it on the physical interfaces.

but I can see only a percentage option. Q. think about why this has happened. this would identify the UDLD traffic but not the virus payload as per the question. Section 6: Security Q. Q. I believe I can use a DSCP mutation map to convert the DSCP values for the future. Based on the email address. you transport next-hop information with your updates. No. you don’t need to specifically peer with R3 as the server. provide a fix. Yes. Do you want me to create and announce the group 224. You haven’t indicated what the minimum burst size should be. If I can’t configure ntp server on R1.0. Is this correct? A. Yes. Q. R2. Why is this relevant? A.0/24 won’t have any bearing on traffic destined to the infected host. Section 7: Multicast Q. Is this expected behavior? Do you want me to fix this as part of the CoPP question? A.1 on R3? A. Think about the way BGP works. it won’t because these are Assured Forwarding values. but the command won’t take the values AF43 and AF42. Search your documentation CD or available Cisco. Can I policy route traffic destined to the infected host to null0? A. I guess this is an EEM question? . Yes. A static route for 192. No. Can I use a route map and ACLs to identify the traffic by port number? A. Yes. I am trying to assign bandwidth within my class with the speeds supplied. If you have lost your routes. No. However. you must do some math. Is this correct? A. just use the available limits within the command options. Yes. You need to convert these to DSCP values. It’s the only routing protocol where you don’t need to be directly connected to form a neighbor relationship. otherwise. you would lose points in other sections. Q. Q. this should be completed as part of your policy. A. Q.2. and R4. Section 8: IP Services Q.1. you must use a BGP-related feature. No.com pages.A. Investigate the options open to you with NBAR. you should aim to receive the NTP stream that R3 should be configured to multicast. 
there won’t be a way I can get these routers to peer with R3. You are supplied with the information you require and just need to remember how fast a T1 line is. therefore.0. Q. I have configured CoPP on R6 and seem to have lost all my routes. is this correct? A.

Correct.
Q. I can’t get both commands onto a single CLI pattern event. Is it okay to configure two?
A. No, you are directed to configure a single CLI pattern event command that will pick up either command.
Q. Do you need me to set up a route to 120.100.99.0/24?
A. No.

Lab Debrief

This section analyzes each question, showing you what was required and how to achieve the desired results. You should use this section to produce an overall score for this practice lab.

Section 1: LAN Switching (25 Points)

Configure your switches as a collapsed backbone network with Switches 1 and 2 performing core and distribution functionality and Switches 3 and 4 as access switches in your topology. Switches 3 and 4 should connect to only the core switches. (2 points)

This is a simple start to the exercise. To create a collapsed backbone topology, the core switches should be connected together, and each access switch should be dual-homed to the core switches. The only switches that should not connect directly to each other are the access switches (SW3 and SW4). The switches are fully meshed to begin with. By shutting down the interfaces between SW3 and SW4, you create the required topology. If you have configured this correctly, as shown in Example 1-1, you have scored 2 points.

Example 1-1 SW3 and SW4 Configuration

SW3(config)# interface range fastethernet 0/23-24
SW3(config-if-range)# shut
SW4(config)# interface range fastethernet 0/23-24
SW4(config-if-range)# shut

Switch 1 and 2 should run spanning tree in 802.1w mode. Switches 3 and 4 should operate in their default spanning-tree mode. (2 points)

802.1w is Rapid Spanning Tree, which is backward compatible with the switches’ default (PVST). So, if you configure Switches 1 and 2 into Rapid Spanning Tree mode, spanning tree can still operate effectively with Switches 3 and 4. If you have configured this correctly, as shown in Example 1-2, you have earned another 2 points.

Example 1-2 SW1 and SW2 Configuration

SW1(config)# spanning-tree mode rapid-pvst
SW2(config)# spanning-tree mode rapid-pvst

Configure Switch 1 to be the root bridge and Switch 2 the secondary root bridge for VLANs 1 and 300. Ensure that Switches 3 and 4 can never become root bridges for any VLANs for which Switch 1 and Switch 2 are root bridges by configuring only Switches 1 and 2. (2 points)

This is a straightforward question for the core switches. Alongside the root bridge prioritization, root guard is configured on the ports that connect Switches 1 and 2 to Switches 3 and 4, as shown in Example 1-3. This ensures that if a superior BPDU is received on these ports, it is ignored. Even though the resulting topology is not looped at this stage, you can verify root bridge assignment by using the show spanning-tree root command. If you have configured this correctly, as shown in Example 1-3, you have 2 points.

Example 1-3 SW1 and SW2 Root Bridge Configuration

SW1(config)# spanning-tree vlan 1 root primary
SW1(config)# spanning-tree vlan 300 root primary
SW1(config-if)# interface fastethernet 0/19
SW1(config-if)# spanning-tree guard root
SW1(config-if)# interface fastethernet 0/20
SW1(config-if)# spanning-tree guard root
SW1(config-if)# interface fastethernet 0/21
SW1(config-if)# spanning-tree guard root
SW1(config-if)# interface fastethernet 0/22
SW1(config-if)# spanning-tree guard root

SW2(config)# spanning-tree vlan 1 root secondary
SW2(config)# spanning-tree vlan 300 root secondary
SW2(config-if)# interface fastethernet 0/19
SW2(config-if)# spanning-tree guard root
SW2(config-if)# interface fastethernet 0/20
SW2(config-if)# spanning-tree guard root
SW2(config-if)# interface fastethernet 0/21
SW2(config-if)# spanning-tree guard root
SW2(config-if)# interface fastethernet 0/22
SW2(config-if)# spanning-tree guard root
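The effect of root primary, root secondary and root guard on VLAN 300 can be checked with a small model of the election. The Python below is an added example, not part of the lab solution; the MAC addresses, the lowered priority of 4096 on SW3 and the placement of SW3 behind Fa0/19 are constructed assumptions, and the model ignores path cost and timers.

```python
"""Simplified model of STP root election and root guard (constructed example)."""
from dataclasses import dataclass, field

ROOT_PRIMARY = 24576    # priority "root primary" sets when the old root is at default
ROOT_SECONDARY = 28672  # priority "root secondary" sets
DEFAULT = 32768         # default bridge priority
VLAN = 300
# Constructed MAC addresses, used only as election tie-breakers.
MACS = {"SW1": "0000.0000.0001", "SW2": "0000.0000.0002", "SW3": "0000.0000.0003"}


@dataclass(frozen=True, order=True)
class BridgeId:
    """Lower value wins the election: priority first, then MAC."""
    priority: int
    mac: str


def bid(priority, vlan, mac):
    # With the extended system ID, the VLAN number is added to the priority.
    return BridgeId(priority + vlan, mac)


@dataclass
class Port:
    root_guard: bool = False
    state: str = "forwarding"


@dataclass
class Switch:
    name: str
    own: BridgeId
    ports: dict = field(default_factory=dict)
    root: BridgeId = None

    def __post_init__(self):
        self.root = self.own  # every bridge starts by claiming to be root

    def receive_bpdu(self, port_name, advertised_root):
        """Process one BPDU; return True if this switch accepted a new root."""
        port = self.ports[port_name]
        if advertised_root >= self.root:
            return False                      # not superior, nothing changes
        if port.root_guard:
            port.state = "root-inconsistent"  # port blocks, BPDU is not acted on
            return False
        self.root = advertised_root
        return True

    def superior_bpdus_stop(self, port_name):
        """Root guard recovers on its own once superior BPDUs cease."""
        port = self.ports[port_name]
        if port.state == "root-inconsistent":
            port.state = "forwarding"


def lab_bridges(sw3_priority=DEFAULT):
    """Bridge IDs for VLAN 300 as configured in Example 1-3."""
    return {"SW1": bid(ROOT_PRIMARY, VLAN, MACS["SW1"]),
            "SW2": bid(ROOT_SECONDARY, VLAN, MACS["SW2"]),
            "SW3": bid(sw3_priority, VLAN, MACS["SW3"])}


def elected_root(bridges):
    """Plain election with no guard anywhere: the lowest bridge ID wins."""
    return min(bridges, key=bridges.get)


def core_view(root_guard, access_priority):
    """SW1's view after SW3 (assumed behind Fa0/19) advertises itself as root."""
    sw1 = Switch("SW1", bid(ROOT_PRIMARY, VLAN, MACS["SW1"]),
                 {"Fa0/19": Port(root_guard=root_guard)})
    sw1.receive_bpdu("Fa0/19", bid(access_priority, VLAN, MACS["SW3"]))
    return sw1.root == sw1.own, sw1.ports["Fa0/19"].state


if __name__ == "__main__":
    print("normal election:       ", elected_root(lab_bridges()))
    without_sw1 = {k: v for k, v in lab_bridges().items() if k != "SW1"}
    print("SW1 down:              ", elected_root(without_sw1))
    print("SW3 lowered, no guard: ", elected_root(lab_bridges(4096)))
    print("SW1 without root guard:", core_view(False, 4096))
    print("SW1 with root guard:   ", core_view(True, 4096))
```

The last two calls show the point of the question: priorities alone keep SW1 as root only while no downstream bridge advertises a lower value, whereas root guard keeps SW1's view of the root unchanged and blocks the offending port.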

Make sure that you fully use the available bandwidth between switches by grouping your interswitch links as trunks. Ensure that only dot1q and EtherChannel are supported. (3 points)

This is another straightforward question for all switches to create EtherChannels between devices. Using the command channel-group n mode on under the physical interfaces ensures that only EtherChannel is supported, as opposed to Port Aggregation Protocol (PAgP) or Link Aggregation Control Protocol (LACP), and dot1q is the trunking protocol. For Layer 2 EtherChannels, you do not have to create a port-channel interface first by using the interface port-channel configuration command before assigning a physical port to a channel group. You can use the channel-group interface configuration command that automatically creates the port-channel interface, although a manual port channel configuration has been shown here for clarity. Remember that now that you have EtherChannels between switches, you will need to configure root guard on these interfaces to ensure that Switches 3 and 4 cannot become root bridges. This is over and above the physical interface configuration completed previously. If you have configured this correctly, as shown in Example 1-4, you have scored 3 points.

Example 1-4 Switch 1, 2, 3, and 4 EtherChannel Configuration

SW1(config-if)# interface range fastethernet0/19-20
SW1(config-if)# channel-group 1 mode on
SW1(config-if)# interface range fastethernet0/21-22
SW1(config-if)# channel-group 2 mode on
SW1(config-if)# interface range fastethernet0/23-24
SW1(config-if)# channel-group 3 mode on
SW1(config-if)# interface Port-channel1
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk
SW1(config-if)# spanning-tree guard root
SW1(config-if)# interface Port-channel2
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk
SW1(config-if)# spanning-tree guard root
SW1(config-if)# interface Port-channel3
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk

SW2(config-if)# interface range fastethernet0/19-20
SW2(config-if)# channel-group 1 mode on
SW2(config-if)# interface range fastethernet0/21-22
SW2(config-if)# channel-group 2 mode on
SW2(config-if)# interface range fastethernet0/23-24
SW2(config-if)# channel-group 3 mode on
SW2(config-if)# interface Port-channel1
SW2(config-if)# switchport trunk encapsulation dot1q
SW2(config-if)# switchport mode trunk
SW2(config-if)# interface Port-channel2
SW2(config-if)# switchport trunk encapsulation dot1q
SW2(config-if)# switchport mode trunk
SW2(config-if)# interface Port-channel3
SW2(config-if)# switchport trunk encapsulation dot1q
SW2(config-if)# switchport mode trunk

SW3(config-if)# interface range fastethernet0/19-20
SW3(config-if)# channel-group 1 mode on
SW3(config-if)# interface range fastethernet0/21-22
SW3(config-if)# channel-group 2 mode on
SW3(config-if)# interface Port-channel1
SW3(config-if)# switchport trunk encapsulation dot1q
SW3(config-if)# switchport mode trunk
SW3(config-if)# interface Port-channel2
SW3(config-if)# switchport trunk encapsulation dot1q
SW3(config-if)# switchport mode trunk

SW4(config-if)# interface range fastethernet0/19-20
SW4(config-if)# channel-group 1 mode on
SW4(config-if)# interface range fastethernet0/21-22
SW4(config-if)# channel-group 2 mode on
SW4(config-if)# interface Port-channel1
SW4(config-if)# switchport trunk encapsulation dot1q
SW4(config-if)# switchport mode trunk
SW4(config-if)# interface Port-channel2
SW4(config-if)# switchport trunk encapsulation dot1q
SW4(config-if)# switchport mode trunk

SW1# show interfaces port-channel 1 status
Port      Name               Status       Vlan       Duplex  Speed Type
Po1                          connected    trunk      a-full  a-100
SW1# show interfaces port-channel 2 status
Port      Name               Status       Vlan       Duplex  Speed Type
Po2                          connected    trunk      a-full  a-100
SW1# show interfaces port-channel 3 status
Port      Name               Status       Vlan       Duplex  Speed Type
Po3                          connected    trunk      a-full  a-100
SW1# show etherchannel summary
Number of channel-groups in use: 3
Number of aggregators: 3
Group  Port-channel  Protocol    Ports
------+-------------+----------+-----------------------------------------------
1      Po1(SU)          -        Fa0/19(P) Fa0/20(P)
2      Po2(SU)          -        Fa0/21(P) Fa0/22(P)
3      Po3(SU)          -        Fa0/23(P) Fa0/24(P)

SW2# show interfaces port-channel 1 status
Port      Name               Status       Vlan       Duplex  Speed Type
Po1                          connected    trunk      a-full  a-100
SW2# show interfaces port-channel 2 status
Port      Name               Status       Vlan       Duplex  Speed Type
Po2                          connected    trunk      a-full  a-100
SW2# show interfaces port-channel 3 status
Port      Name               Status       Vlan       Duplex  Speed Type
Po3                          connected    trunk      a-full  a-100
SW2# show etherchannel summary
Number of channel-groups in use: 3
Number of aggregators: 3
Group  Port-channel  Protocol    Ports
------+-------------+----------+-----------------------------------------------
1      Po1(SU)          -        Fa0/19(P) Fa0/20(P)
2      Po2(SU)          -        Fa0/21(P) Fa0/22(P)
3      Po3(SU)          -        Fa0/23(P) Fa0/24(P)

SW3# show interface port-channel 1 status
Port      Name               Status       Vlan       Duplex  Speed Type
Po1                          connected    trunk      a-full  a-100
SW3# show interface port-channel 2 status
Port      Name               Status       Vlan       Duplex  Speed Type
Po2                          connected    trunk      a-full  a-100
SW3# show etherchannel summary
Number of channel-groups in use: 2
Number of aggregators: 2
Group  Port-channel  Protocol    Ports
------+-------------+----------+-----------------------------------------------
1      Po1(SU)          -        Fa0/19(P) Fa0/20(P)
2      Po2(SU)          -        Fa0/21(P) Fa0/22(P)

SW4# show interface port-channel 1 status
Port      Name               Status       Vlan       Duplex  Speed Type
Po1                          connected    trunk      a-full  a-100
SW4# show interface port-channel 2 status
Port      Name               Status       Vlan       Duplex  Speed Type
Po2                          connected    trunk      a-full  a-100
SW4# show etherchannel summary
Number of channel-groups in use: 2
Number of aggregators: 2
Group  Port-channel  Protocol    Ports
------+-------------+----------+-----------------------------------------------
1      Po1(SU)          -        Fa0/19(P) Fa0/20(P)
2      Po2(SU)          -        Fa0/21(P) Fa0/22(P)

Ensure that traffic is distributed on individual Ethernet trunks between switches based on the destination MAC address of individual flows. (2 points)

A common problem with EtherChannels is traffic not being distributed equally among the physical interfaces. Configuring channel load balancing based on the destination MAC address of an individual flow is just one method available to distribute traffic. If you have configured this correctly, as shown in Example 1-5, you have scored 2 points.

Example 1-5 Switch 1, 2, 3, and 4 EtherChannel Load-Balancing Configuration

SW1(config)# port-channel load-balance dst-mac
SW2(config)# port-channel load-balance dst-mac
SW3(config)# port-channel load-balance dst-mac
SW4(config)# port-channel load-balance dst-mac

SW1# show etherchannel load-balance
EtherChannel Load-Balancing Operational State (dst-mac):
Non-IP: Destination MAC address
  IPv4: Destination MAC address
  IPv6: Destination IP address

Ensure that user interfaces, if they toggle excessively, are shut down dynamically by all switches; if they remain stable for 35 seconds, they should be reenabled. Configure Fast Ethernet Port 0/10 on each switch so that if multicast traffic is received on this port, the port is automatically disabled. (3 points)

Interfaces that flap can cause problems in a network. Toggling would usually indicate a problem such as a faulty connecting network interface card (NIC) or faulty cable. Placing the ports into error disable is a way to stabilize the environment. To disable a port when multicast traffic is present, you need to configure storm control with the multicast option set to 0. If you have configured this correctly, as shown in Example 1-6, you have scored 3 points.

Example 1-6 Switch 1, 2, 3, and 4 Configuration

SW1(config)# errdisable recovery cause link-flap
SW1(config)# errdisable recovery interval 35
SW1(config)# interface fastethernet 0/10
SW1(config-if)# storm-control multicast level 0
SW1(config-if)# storm-control action shutdown

SW2(config)# errdisable recovery cause link-flap
SW2(config)# errdisable recovery interval 35
SW2(config)# interface fastethernet 0/10
SW2(config-if)# storm-control multicast level 0
SW2(config-if)# storm-control action shutdown

SW3(config)# errdisable recovery cause link-flap
SW3(config)# errdisable recovery interval 35
SW3(config)# interface fastethernet 0/10
SW3(config-if)# storm-control multicast level 0
SW3(config-if)# storm-control action shutdown

SW4(config)# errdisable recovery cause link-flap
SW4(config)# errdisable recovery interval 35
SW4(config)# interface fastethernet 0/10
SW4(config-if)# storm-control multicast level 0
SW4(config-if)# storm-control action shutdown

Fast Ethernet ports 0/11–17 will be used for future connectivity on each switch. Configure these ports as access ports for VLAN 300, which should begin forwarding traffic immediately upon connection. Devices connected to these ports will dynamically receive IP addresses from a DHCP server due to be connected to port 0/18 on SW1. For security purposes, this is the only port on the network from which DHCP addresses should be allocated. Ensure that the switches intercept the DHCP requests and add the ingress port and VLAN and switch MAC address before sending forward to the DHCP server. Limit DHCP requests to 600 packets per minute per user port. (6 points)

This is a Dynamic Host Configuration Protocol (DHCP) snooping question. This is a useful security feature that protects the network from rogue DHCP servers. When the DHCP option-82 feature is enabled on the switch with the command ip dhcp snooping information option, a subscriber is identified by the switch port through which it connects to the network and by its MAC address. DHCP snooping also facilitates a rate-limiting feature for DHCP requests to prevent a DHCP denial of service by excessive false requests from a host, which would have the “gobbler effect” of requesting numerous leases from the same port. The question includes a couple of points that could easily be overlooked if you are suffering from exam pressure, namely that the ports are required to be configured with switchport host (or by configuring portfast) to set the port mode to access and to forward immediately. The rate limiting is configured in packets per second, not per minute as implied, so 600 packets per minute becomes a limit rate of 10 and you need to pay attention to detail. If you have configured this correctly, as shown in Example 1-7, you have scored 6 points.

Example 1-7 Switch 1, 2, 3, and 4 DHCP Snooping Configuration

SW1(config)# ip dhcp snooping
SW1(config)# ip dhcp snooping vlan 300
SW1(config)# ip dhcp snooping information option
SW1(config)# int fastethernet 0/18
SW1(config-if)# ip dhcp snooping trust
SW1(config)# interface range fastethernet 0/11-17
SW1(config-if-range)# ip dhcp snooping limit rate 10
SW1(config)# interface range fastethernet 0/11-18
SW1(config-if-range)# switchport host
SW1(config-if-range)# switchport access vlan 300

SW2(config)# ip dhcp snooping
SW2(config)# ip dhcp snooping vlan 300
SW2(config)# ip dhcp snooping information option
SW2(config)# interface range fastethernet 0/11-17
SW2(config-if-range)# ip dhcp snooping limit rate 10
SW2(config-if-range)# switchport host
SW2(config-if-range)# switchport access vlan 300

SW3(config)# ip dhcp snooping
SW3(config)# ip dhcp snooping vlan 300
SW3(config)# ip dhcp snooping information option
SW3(config)# interface range fastethernet 0/11-17
SW3(config-if-range)# ip dhcp snooping limit rate 10
SW3(config-if-range)# switchport host
SW3(config-if-range)# switchport access vlan 300

SW4(config)# ip dhcp snooping
SW4(config)# ip dhcp snooping vlan 300
SW4(config)# ip dhcp snooping information option
SW4(config)# interface range fastethernet 0/11-17
SW4(config-if-range)# ip dhcp snooping limit rate 10
SW4(config-if-range)# switchport host
SW4(config-if-range)# switchport access vlan 300

SW1# sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
300
Insertion of option 82 is enabled
   circuit-id format: vlan-mod-port
   remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                  Trusted    Rate limit (pps)
------------------------   -------    ----------------
fastethernet0/11           no         10
fastethernet0/12           no         10
fastethernet0/13           no         10
fastethernet0/14           no         10
fastethernet0/15           no         10
fastethernet0/16           no         10
fastethernet0/17           no         10
fastethernet0/18           yes        unlimited

For additional security ensure that the user ports 0/11–17 on Switches 1–4 can communicate only with the network with IP addresses gained from the DHCP feature configured previously. Use a dynamic feature to ensure that the only information forwarded upon connection is DHCP request packets and then, for additional security, any traffic that matches the DHCP IP information received from the DHCP binding. (3 points)

A complementary feature to DHCP snooping is IP Source Guard. This feature binds the information received from the DHCP address offered and effectively builds a dynamic VACL on a per-port basis to enable only source traffic matched from the DHCP offer to ingress the switch port for additional security. If you have configured this correctly, as shown in Example 1-8, you have scored 3 points.

Example 1-8 Switch 1, 2, 3, and 4 IP Source Guard Configuration

SW1(config)# interface range fast 0/11-17
SW1(config-if-range)# ip verify source
SW2(config)# interface range fast 0/11-17
SW2(config-if-range)# ip verify source
SW3(config)# interface range fast 0/11-17
SW3(config-if-range)# ip verify source
SW4(config)# interface range fast 0/11-17
SW4(config-if-range)# ip verify source

R5 and R6 have been preconfigured with IP addresses on their Ethernet interfaces. Configure R4 and its associated switch port accordingly without using secondary addressing to communicate with R5 and R6. Configure R4 with an IP address of 120.100.45.4/24 to communicate with R5, and configure R4 with an IP address of 120.100.46.4/24 to communicate with R6. Configure R4 Gi0/1 and Switch 2 FE0/4 only. (3 points)

This is just a simple trunking question on Switch 2 to R4 to enable R4 to connect to VLAN 45 and VLAN 46. One point to remember is that Switch 2 does not have VLAN 45 and VLAN 46 configured locally within the default configuration, so you will need to create the VLANs locally before configuring the trunk. If you have configured this correctly, as shown in Example 1-9, you have scored 3 points.

Example 1-9 Switch 2 and R4 Trunking Configuration

R4(config)# interface GigabitEthernet0/1.45
R4(config-if)# encapsulation dot1Q 45
R4(config-if)# ip address 120.100.45.4 255.255.255.0
R4(config-if)# interface GigabitEthernet0/1.46
R4(config-if)# encapsulation dot1Q 46
R4(config-if)# ip address 120.100.46.4 255.255.255.0

SW2(config)# vlan 45-46
SW2(config)# interface fastethernet0/4
SW2(config-if)# switchport trunk encapsulation dot1q
SW2(config-if)# switchport trunk allowed vlan 45,46
SW2(config-if)# switchport mode trunk

Section 2: IPv4 IGP Protocols (24 Points)

Section 2.1: OSPF

Use a process ID of 1; all OSPF configuration where possible should not be configured under the process ID. The loopback interfaces of routers R1, R2, and R3 should be configured to be in Area 0. R4 should be in Area 34 and R5 in Area 5. (2 points)

Recent advances in OSPF have enabled configuration of the network area directly under the interface as opposed to within the OSPF process. Example 1-10 details the Open Shortest Path First (OSPF) configuration.

Example 1-10 OSPF Configuration

R1(config)# interface GigabitEthernet 0/0
R1(config-if)# ip ospf 1 area 100
R1(config)# interface GigabitEthernet 0/1
R1(config-if)# ip ospf 1 area 0
R1(config-if)# interface Loopback 0
R1(config-if)# ip ospf 1 area 0
R2(config)# interface Loopback 0
R2(config-if)# ip ospf 1 area 0
R2(config-if)# interface fastethernet 0/0
R2(config-if)# ip ospf 1 area 0
R2(config-if)# interface Serial 0/1

1.3. 00:01:00. Serial0/0 O 120.100.100.100.5.4. you need to override the network type that the IOS associates with the loopback interface.25. Serial0/1 O 120.5.123.100. Example 1-11 OSPF Loopback Interface Host Routes and Configuration Click here to view code image R2# sh ip route | include /32 O 120.3.R2(config-if)# ip ospf 1 area 5 R2(config-if)# interface fastethernet 0/1 R2(config-if)# ip ospf 1 area 200 R3(config)# interface loopback 0 R3(config-if)# ip ospf 1 area 0 R3(config-if)# interface GigabitEthernet 0/1 R3(config-if)# ip ospf 1 area 0 R3(config-if)# interface GigabitEthernet 0/0 R3(config-if)# ip ospf 1 area 34 R4(config)# interface Loopback 0 R4(config-if)# ip ospf 1 area 34 R4(config-if)# interface GigabitEthernet 0/0 R4(config-if)# ip ospf 1 area 34 R4(config-if)# interface GigabitEthernet 0/1.123. as shown in Example 1-10. If you have configured this correctly.1/32 [110/65] via 120. Serial0/0 R2# sh ip route | include /32 C 120.1/32 [110/129] via 120.1/32 [110/3] via 120.100.4.25.100. Serial0/0 O 120.5.123. as shown in Example 1-11. you have scored 2 points. 00:01:00.3.1/32 [110/2] via 120.25.1/32 [110/65] via 120.100. 00:50:56.1/32 [110/65] via 120.123. . 00:00:42. Serial0/1 O IA 120.100.100. 00:39:59. (1 point) Loopback interfaces within OSPF are by default advertised as host routes. 00:04:34. Serial0/1 O IA 120.45 R4(config-if)# ip ospf 1 area 5 R5(config)# interface Loopback 0 R5(config-if)# ip ospf 1 area 5 R5(config-if)# interface GigabitEthernet 0/0 R5(config-if)# ip ospf 1 area 5 R5(config-if)# interface Serial 0/0/1 R5(config-if)# ip ospf 1 area 5 If you have configured OSPF correctly. you have scored 1 point.123.3. No loopback networks should be advertised as host routes. To manipulate this behavior.5.3.1. Example 1-11 shows the host routes learned on R2. GigabitEthernet0/1 O 120.1.100.100.100.100.100.5/32 is directly connected. 00:47:32.1/32 [110/66] via 120.100.

.5.100.100. as shown in Example 1-12.100. fastethernet0/0 O 120.1/24 to the OSPF network. fastethernet0/0 O IA 120.123.1.123.100.25.1. Because you cannot filter this advertisement.1/32 [110/2] via 120. GigabitEthernet0/1 R1# conf t R1(config)# int Loopback 0 R1(config-if)# ip ospf network point-to-point R2# conf t R2(config)# interface Loopback 0 R2(config-if)# ip ospf network point-to-point R3# conf t R3(config)# int Loopback 0 R3(config-if)# ip ospf network point-to-point R4# conf t R4(config)# int Loopback 0 R4(config-if)# ip ospf network point-to-point R5# conf t R4(config)# int Loopback 0 R4(config-if)# ip ospf network point-to-point R2# sh ip route ospf 1 | include /24 O IA 120.45.123. 00:49:20. Serial0/1 O 120.123.100.100.0/24 [110/2] via 120.100. Serial0/1 O IA 120.5.5. fastethernet0/0 O 120. 00:00:04. 01:42:26.0/24 [110/65] via 120. you need to inform OSPF not to include the secondary addresses under the interface command.100.0/24 [110/2] via 120.100.100.3. 01:43:00.100. fastethernet0/0 Ensure that R1 does not advertise the preconfigured secondary address under interface Gigabit 0/1 of 120.3.100. fastethernet0/0 O 120.0/24 [110/2] via 120.100.0/24 [110/65] via 120. Do not use any filtering techniques to achieve this.100.3.GigabitEthernet0/1 O 120.100. you have scored 2 points. If you have configured this correctly. 01:43:00.0/24 [110/2] via 120.0/24 [110/3] via 120.3.3.123.34.100.100.1.25.100.4.3. 00:17:09.100. 02:52:46. (2 points) The associated behavior with configuring OSPF directly under the interface is that it will by default advertise any secondary addresses assigned to the interface. R1 has a preconfigured secondary address on interface Gigabit 0/1 that is therefore advertised.123. 01:42:09.

100. you know the serial link is up at Layers 1 and 2. and the solution must cater for Layer 1 and Layer 2 rather than purely Layer 1.1.1.1.1. ensuring that while the Area 5 serial link is operational.0 % Subnet not in table R5 should use the serial link within Area 5 for its primary communication to the OSPF network. the Ethernet interfaces of R4 and R5 must remain up. Your solution should be dynamic. a demand scenario is also out because this would involve a neighbor relationship being formed. State DR.1. ensure that the serial interface of R5 is reachable by configuration of R5. but all the clues are in the question.1/24. R5 should form a neighbor relationship with R4 under Area 5 to maintain connectivity. flood queue length 0 Next 0x0(0)/0x0(0) Last flood scan length is 0.100. Priority 1 Designated Router (ID) 120. so some lateral thinking is required. Adjacent neighbor count is 0 Suppress hello for 0 neighbor(s) R1(config)# interface GigabitEthernet 0/1 R1(config-if)# ip ospf 1 area 100 secondaries none R2# sh ip route 120. Similarly.Example 1-12 OSPF Secondary Address Advertisement and Configuration Click here to view code image R1# show ip ospf int GigabitEthernet 0/1 GigabitEthernet0/1 is up. Retransmit 5 oob-resync timeout 40 Hello due in 00:00:00 Supports Link-local Signaling (LLS) Cisco NSF helper support enabled IETF NSF helper support enabled Index 1/1. maximum is 0 msec Neighbor Count is 0. Hello 10.1 No backup designated router on this network Timer intervals configured.1. Area 100 Process ID 1. Router ID 120. To confirm the operational status of the serial network. Cost: 1 Enabled by interface config. (4 points) This is a complex scenario that can consume your time. This would take a great deal of effort and trial and error. You can rule out a backup interface solution because the Ethernet needs to remain up.100. Network Type BROADCAST.100. If . You are permitted to define neighbor statements between R5 and R4. 
maximum is 0 Last flood scan time is 0 msec. however. line protocol is up Internet Address 150. You are also requested to confirm operational status of the serial interface on R5 with your overall solution being dynamic. Dead 40. Interface address 150. If this responds to the automatic polling with Internet Control Message Protocol (ICMP). including secondary ip addresses Transmit Delay is 1 sec.100. but you will find that you can use the IP SLA feature to monitor the IP address of the serial interface on R5 by R5 itself. there is no neighbor relationship between R4 and R5. Wait 40.100. If this network should fail either at Layer 1 or Layer 2.

When the serial link fails. we just need to break the adjacency between R5 and R4. OSPF needs to be configured between R4 and R5 with manual neighbor statements as directed in the question. The neighbor adjacency takes a while waiting for the dead time to expire (120 seconds after changing of the OSPF network type).5 R5(config-ip-sla-echo)# exit R5(config)# ip sla schedule 1 life forever start-time now R5(config)# track 1 rtr 1 reachability R5# show ip sla statistics Round Trip Time (RTT) for Index 1 Latest RTT: 4 milliseconds Latest operation start time: *21:17:10. and a forwarding decision can be manipulated. Example 1-13 R5 IP SLA Configuration and Status Click here to view code image R5(config)# ip sla 1 R5(config-ip-sla)# icmp-echo 120.the polling fails. This configuration is detailed in Example 1-13. IP SLA can then be used to inform the router. you must change the network type to non-broadcast. if the object status changes. we need to allow the adjacency between R5 and R4 to form. The traffic it manipulates needs to be OSPF that should be directed to R4 to form the adjacency over the Ethernet network (VLAN 45). This gives PBR access to all the objects that are available through the tracking process. In summary. and inform the required PBR process when an object state changes. The unicast traffic between neighbors can be identified by an ACL that the PBR process can match. The first step in this solution is to configure the IP SLA object tracking on R5. when the R5 serial link is up and running. instead of allowing normal traffic flow between . The tracking process provides the ability to track individual objects.100. Then. this feature is known as policy-based routing (PBR) support with multiple tracking options. R5 can simply manipulate the way it sends traffic by policy routing. 
To do this.683 UTC Mon Aug 05 2013Latest operation return code: OK Number of successes: 2 Number of failures: 0 Operation time to live: Forever Note OSPF should have already been configured between R4 and R5 within your original peering configuration. So. such as ICMP ping reachability. you know the interface is down. which ensures the routers unicast traffic to each other.25.

So.5 (d est was 120.45.4 R5(config)# route-map TEST permit 10 R5(config-route-map)# match ip address 100 R5(config-route-map)# set ip next-hop verify-availability 120.100. Example 1-14 shows the required OSPF configuration on R4 and R5. and the resulting neighbor partial adjacency that is formed between R4 and R5.R5 and R4 to form the neighbor relationship.100. the next hop can be modified.100.2 would follow the usual next hop.100. when the object tracking fails.100. the PBR process will be overridden and traffic can flow as normal.4 R5(config-router)# exit R5(config)# access-list 100 permit ospf host 120.45.45. If the object status changes to down.5 R5(config)# interface GigabitEthernet0/0 R5(config-if)# ip ospf network non-broadcast R5(config-if)# router ospf 1 R5(config-router)# neighbor 120.2 (R2 serial to effectively discard the traffic) if the tracked object (1) is up.100. R5 must be configured to locally policy route traffic because normal PBR behavior is for traffic manipulation for traffic that flows through the router rather than traffic generated by the router itself.25. the traffic will effectively be dropped by the next hop and the OSPF between R5 and R4 will never establish.5 host 120.25. if you use the PBR command set ip next-hop verify-availability 120. the PBR on R5.4) R2# R5# show ip ospf neigh . a debug of R2 sending TTL expired to R5 after the OSPF traffic is sent to R2 instead of R5.100.25.2 10 track 1. Similarly.45.100. and the OPSF traffic to 120.45.45 R4(config-if)# ip ospf network non-broadcast R4(config-if)# router ospf 1 R4(config-router)# neighbor 120. This will then allow R5 and R4 to form an OSPF adjacency. and because the OSPF TTL is set to 1 by default.847: ICMP: time exceeded (time to live) sent to 120.100. 
R5 can forward normal OSPF traffic to 120.2 10 track 1 R5(config-route-map)# interface GigabitEthernet0/0 R5(config-if)# ip policy route-map TEST R5(config-if)# exit R5(config)# ip local policy route-map TEST R2# debug ip icmp ICMP packet debugging is on R2# *Feb 26 22:17:12.25. the PBR process is informed.45.100. Example 1-14 R4 and R5 OSPF and PBR Configuration Click here to view code image R4(config)# interface GigabitEthernet0/1.

Your routing table needs to be an exact replica as that shown in Example 1-15. Nbr 120.100.3.100.100. and a virtual link between R3 and R4 is required to extend area 0. but a good one to practice with and examine how features operate and interact with each other.45. you have scored 4 points (definitely a question worth leaving to the end of your exam when you might have some time left over to experiment).Neighbor ID Pri Time Address 120.807: %LINK-5-CHANGED: Interface Serial0/0/1. (This was a difficult question. If you had not configured a virtual link.4 Example 1-15 shows the OSPF adjacency formed when the serial link between R2 and R5 is shut down on R5.4. You must remember that when an OSPF adjacency forms between R5 and R2. Example 1-15 R3 and R4 OSPF Virtual Link Configuration and R5 Test Click here to view code image R3(config)# router ospf 1 R3(config-router)# area 34 virtual-link 120.) If you configured this correctly.2.807: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1. including the virtual link.100.1 1 GigabitEthernet0/0 State Interface FULL/ - Dead 00:00:37 INIT/DROTHER 00:01:45 120.4 .100.1 on Serial0/0/1 from FULL to DOWN. you might have been scratching your head or cursing me. The PBR is overridden and normal routing occurs because the next hop is not verified by the object tracking.4. Neighbor Down: Interface down or detached *Jan 2 21:58:18.100.1 R5(config)# interface s0/0/1 R5(config-if)# shut R5(config-if)# *Jan 2 21:58:16. it would have been an easy mistake that would take your points away.100. but I’d be surprised if you didn’t learn something new from this question. changed state to administratively down *Jan 2 21:58:19.2 120.2. you are joining Area 5 into Area 34.1 R4(config)# router ospf 1 R4(config-router)# area 34 virtual-link 120.25.45.100.811: %OSPF-5-ADJCHG: Process 1.1 0 Serial0/0/1 120. 
changed state to down R5(config-if)# do show ip ospf neigh Neighbor ID Pri State Dead Time Address Interface N/A 0 ATTEMPT/DROTHER 00:00:33 GigabitEthernet0/0 120.

255 .45. GigabitEthernet0/0 O IA 120.45.255 R4(config-router-af)# network 120. 00:04:49. GigabitEthernet0/0 O IA 120.0. you have scored 2 points.0 0.0/24 is subnetted. 00:00:12.2.0. GigabitEthernet0/0 O IA 120.0.100. Example 1-16 EIGRP Configuration Click here to view code image R4(config)# router eigrp CCIE R4(config-router)# address-family ipv4 unicast autonomous-system 1 R4(config-router-af)# network 120.100.100. 00:00:12.100.4. as shown in Example 1-16. If you have configured this correctly.0.100.4. Nbr 120.4.45.4.0.3.100.255 R4(config-router-af)# network 120.100.2.0.100.123.0 [110/4] via 120.0 0. You need to remember to include your preconfigured loopback interfaces and enable routing on the Layer 3 switches. GigabitEthernet0/0 O IA 120.45.45.4.100. Nbr 0.4.0/24 is subnetted.100.4.34. 00:04:49. 2 subnets O IA 150.0.100.0 [110/3] via 120. 00:00:12.45. Neighbor Down: Dead timer expired R5(config-if)# *Jan 2 22:00:08.0.45. 00:00:12.4.0 [110/2] via 120. (2 points) This is not a difficult question by any means.100.547: %OSPF-5-ADJCHG: Process 1.4.46. GigabitEthernet0/0 120.0.2: EIGRP Configure EIGRP with an instance name of CCIE where possible using an autonomous system number of 1.4. just one that has a magnitude of configuration and sets up your Enhanced Interior Gateway Routing Protocol (EIGRP) network using the named instance and address family IPv4 for the following questions.0 [110/4] via 120.100. GigabitEthernet0/0 Section 2.0 [110/4] via 120.100. The loopback interfaces of all routers and switches should be advertised within EIGRP.1.100.4. Loading Done R5(config-if)# R5# sh ip route ospf 150.0 [110/3] via 120. 00:00:12.45.100.100.1 on GigabitEthernet0/0 from LOADING to FULL.45.100.0 [110/4] via 120. 9 subnets O IA 120.0.0.100. 00:00:12. Use the show ip eigrp neighbor command to verify your peering before moving on to the next question.0 on GigabitEthernet0/0 from ATTEMPT to DOWN.100. 
GigabitEthernet0/0 O IA 120.100.R5(config-if)# *Jan 2 21:59:43.135: %OSPF-5-ADJCHG: Process 1. GigabitEthernet0/0 O IA 120.0 0.100.0 [110/2] via 120.

0.0.3.0 0.0 0.0.0.3.100.100.0 network 150.0.0.0 no auto-summary Ensure that R4 does not install any of the EIGRP loopback routes from any of the switches into its routing table.0.100.100.0.100.100.100.100.0 network 150.0.0 0.0.0 network 150.0.0.0 no auto-summary SW4(config)# ip routing SW4(config)# exit SW4# sh run | beg eigrp router eigrp 1 network 120.5.255 R5(config-router-af)# network 120.8.7.1 0.0.255 R6(config-router-af)# network 120.6.100.10 0.0.0.3.0 network 150.9.0.7 0.0.0 0.0 no auto-summary SW2(config)# ip routing SW2(config)# exit SW2# sh run | beg eigrp router eigrp 1 network 120.9 0.0.100.R5(config)# router eigrp CCIE R5(config-router)# address-family ipv4 unicast autonomous-system 1 R5(config-router-af)# network 120.0.0 0.100.0 no auto-summary SW3(config)# ip routing SW3(config)# exit SW3# sh run | beg eigrp router eigrp 1 network 120.255 SW1(config)# ip routing SW1(config)# exit SW1# sh run | beg eigrp router eigrp 1 network 120.0.0.0.255 R5(config-router-af)# network 120. these routes should also not be present in the OSPF .0.100.1 0.255 R6(config)# router eigrp CCIE R6(config-router)# address-family ipv4 unicast autonomous-system 1 R6(config-router-af)# network 120.0.10.255 R6(config-router-af)# network 120.0 0.1 0.8 0.3.100.0.3.0.3.1 0.46.0.45.0.100.

6.5. By configuring the maximum hop count of 1 on R4.100.100. GigabitEthernet0/1.46.0/24 [90/158720] via 120.100. GigabitEthernet0/1. but you can configure the process to ignore routes received with a hop count larger than a configured threshold with the command metric maximum-hops.0. 3 subnets D 150.46.46 [90/158720] via 120. but this is not permitted. you will notice that the routes have a hop count of 2 associated with them. GigabitEthernet0/1.46 [90/158720] via 120.100.100.46.45.3.6.0/24 is subnetted.100.100.45 120.100. you have scored 4 points.45 D 120. Do not use any route-filtering ACLs. 00:00:10.7.45 D 120. 00:00:10. 00:00:10.46. 00:00:10.0 . (4 points) A distribute or prefix list would have been the obvious choice here.0.5.100.100.46 [90/30720] via 120. GigabitEthernet0/1. If you have configured this correctly. GigabitEthernet0/1.0/24 [90/158720] via 120.0/24 [90/158720] via 120.100.45 D 120.network post redistribution.5.100. as shown in Example 1-17.45. GigabitEthernet0/1. or admin distance manipulation to achieve this.45.5.9.0/24 [90/158720] via 120. GigabitEthernet0/1.5.46 [90/158720] via 120.45 D 120. 00:00:10.45 R4# show ip route 120. GigabitEthernet0/1.0/8 is variably subnetted.100.5. GigabitEthernet0/1. Upon close inspection of the loopback routes within Example 1-17. Example 1-17 EIGRP Maximum-Hops Configuration Click here to view code image R4# show ip route eigrp 150.6.45. 00:00:10.0/24 [90/156160] via 120.6.46 D 120.46.5.6. 00:01:07. 00:00:10.45.100.100. 16 subnets.8.8. and perform configuration only on R4.100.6.0/24 [90/156160] via 120. 00:00:10.46. Hop count isn’t something you would naturally assimilate with EIGRP.6.100. GigabitEthernet0/1. 00:01:07.46 [90/158720] via 120. 00:00:10.100.45. prefix lists.10. 00:00:10.100. GigabitEthernet0/1.0 [90/30720] via 120.100. GigabitEthernet0/1. you can simply stop the loopback routes from entering the process.0. 2 masks D 120.100.

5.6 on GigabitEthernet0/1. via GigabitEthernet0/1.0) from R5 and R6.46 [90/30720] via 120.46.100. metric 158720. minimum bandwidth is 100000 Kbit Reliability 255/255.6.46. 00:00:15 ago Routing Descriptor Blocks: * 120. minimum bandwidth is 100000 Kbit Reliability 255/255.0 [90/30720] via 120.8.0/24 [90/156160] via 120. distance 90.0.6.6.46 Route metric is 158720. 3 subnets D 150.46 Route metric is 158720.100.100.9. via GigabitEthernet0/1.6. 2 masks D 120.45.100.0 Routing entry for 120.46. metric 158720.100. distance 90.0.3. type internal Redistributing via ospf 1.46 R4 will have dual equal-cost routes to VLAN 300 (network 150.6 on GigabitEthernet0/1.100.0/24 [90/156160] via 120.46.100. 00:00:25 ago.46. You may not policy route.5.Routing entry for 120.46. Ensure that R4 sends traffic to this destination network to R5 instead of load sharing. GigabitEthernet0/1.5.6. traffic share count is 1 Total delay is 5200 microseconds.45. minimum MTU 1500 bytes Loading 1/255.100. 00:00:04.3.100. traffic share count is 1 Total delay is 5200 microseconds. traffic should be sent to R6.100.6.100.100.0/24 Known via "eigrp 1".0/24 Known via "eigrp 1". type internal Redistributing via ospf 1.9. 00:00:04. alter the bandwidth or delay statements on R4’s interfaces or use an offset . 00:00:04. 13 subnets. GigabitEthernet0/1. 00:00:04.100.0/24 is subnetted. GigabitEthernet0/1.0.100.46. Should the route from R5 become unavailable. from 120. eigrp 1 Advertised by ospf 1 metric 5000 subnets Last update from 120.100. minimum MTU 1500 bytes Loading 1/255.46.0/8 is variably subnetted.100. GigabitEthernet0/1.46. eigrp 1 Advertised by ospf 1 metric 5000 subnets Last update from 120. from 120.46.6.45 D 120.45 120. 00:00:15 ago.100. Hops 2 R4# show ip route 120. 00:00:25 ago Routing Descriptor Blocks: * 120. 
Hops 2
R4(config)# router eigrp CCIE
R4(config-router)# address-family ipv4 unicast autonomous-system 1
R4(config-router-af)# topology base
R4(config-router-af-topolgy)# metric maximum-hops 1
R4(config-router-af-topology)# do show ip route eigrp 150.100.

100. you have scored 4 points. In fact. as opposed to just this individual route. you are left with only one method that can be applied on R4. the usual best practice method is to modify the bandwidth or delay on one of the Ethernet interfaces.3.45 Route metric is 30720. Example 1-18 also shows that when the interface Gigabit 0/0 is shut down on R5 that the route for VLAN 300 is still received from R6 (R4’s feasible successor).100. metric 30720.100. Hops 1 120. Example 1-18 shows the VLAN 300 route (150.45. Gigabit 1/0.100. by default. so the route is still available but with a different metric. 00:25:40 ago Routing Descriptor Blocks: * 120.45.0/24 Known via "eigrp 1". If you have configured this correctly. and R6.5 on GigabitEthernet0/1. The route map is applied inbound to the process as a distribute list. but this is not permitted.45. traffic share count is 1 Total delay is 200 microseconds.100.5.46.45.45 set metric 2000 10 255 1 1500 route-map CHANGEMETRIC permit 20 set metric 1000 10 255 1 1500 router eigrp CCIE . minimum MTU 1500 bytes Loading 1/255. type internal Redistributing via ospf 1.list.5.45. 00:25:40 ago. traffic share count is 1 Total delay is 200 microseconds.100.0/24) received on R4 from both R5 and R6 with a metric of 30720. Your solution should be applied to all routes received from R5 and R6 as opposed to solely the route to network VLAN 300. minimum bandwidth is 100000 Kbit Reliability 254/255.6. must have identical interface types or bandwidth statements used on R4. distance 90. Perform your configuration on R4 only. from 120. If you want to manipulate this route. have a lower bandwidth assigned to routes received from it from the permit 20 statement in the route map.3.100. eigrp 1 Advertised by ospf 1 metric 5000 subnets Last update from 120. 00:25:40 ago.45. A route map is required to override the EIGRP-assigned metrics assigned to routes on one interface by manipulating the bandwidth assigned to Gigabit 1/0. via GigabitEthernet0/1.46 will. 
(You could have also manipulated the delay within the route map or created a statement for each individual interface as opposed to just Gigabit 1/0.46. minimum MTU 1500 bytes Loading 1/255. which will influence all routes from R5 and R6. as shown in Example 1-18.) Example 1-18 EIGRP Metric Manipulation Configuration Click here to view code image R4# sh ip route 150. from 120.6.0 Routing entry for 150. (4 points) To receive identical routes your topology.46 Route metric is 30720.100. Hops 1 R4(config)# route-map R4(config-route-map)# R4(config-route-map)# R4(config-route-map)# R4(config-route-map)# R4(config-route-map)# CHANGEMETRIC permit 10 match interface gigabitEthernet 0/1. R5. via GigabitEthernet0/1.3. minimum bandwidth is 100000 Kbit Reliability 252/255.

100. you have scored 3 points. 00:00:10 ago Routing Descriptor Blocks: * 120. distance 90. so no specific configuration is required for this. (3 points) A simple redistribution question for the warm-up lab. metric 1282560. The fixed cost of 5000 is achieved by advertising redistributed routes into OSPF using a metric type of 2.100.46.45 Route metric is 1282560.100.0/24 Known via "eigrp 1".3: Redistribution Perform mutual redistribution of IGPs on R4. metric 2562560.100. via GigabitEthernet0/1.5. 00:03:10 ago. type internal Redistributing via ospf 1. from 120. with their inherent protection against routing loops.100.45. The only points you need to consider when redistributing into OSPF are to use the subnets command to ensure classless redistribution and to use default metrics in each protocol. so have no concerns when using protocols such as EIGRP and OSPF.6. via GigabitEthernet0/1.46. from 120. Hops 1 Section 2. minimum bandwidth is 2000 Kbit Reliability 255/255. . traffic share count is 1 Total delay is 100 microseconds.46.3. minimum MTU 1500 bytes Loading 1/255. eigrp 1 Advertised by ospf 1 metric 5000 subnets Last update from 120. 00:03:10 ago Routing Descriptor Blocks: * 120.3.0 Routing entry for 150. traffic share count is 1 Total delay is 100 microseconds. minimum MTU 1500 bytes Loading 1/255. minimum bandwidth is 1000 Kbit Reliability 255/255. distance 90.45. type internal Redistributing via ospf 1. as shown in Example 1-19.45.46 Route metric is 2562560. which is the default.6 on GigabitEthernet0/1.3.3. 00:00:10 ago.0/24 Known via "eigrp 1".100.5. 
All routes should be accessible except for the switch loopback networks (because these should not be visible via R4 from an earlier question).100.0 Routing entry for 150.100.6.100.R4(config-router)# address-family ipv4 unicast autonomous-system 1 R4(config-router-af)# topology base R4(config-router-af-topolgy)# distribute-list route-map CHANGEMETRIC in R4(config-router-af-topolgy)# ^Z R4# clear ip route * R4# sh ip route 150.46. If you have configured this correctly.5 on GigabitEthernet0/1. Hops 1 R5(config)# int gig0/0 R5(config-if)# shutdown R4# sh ip route 150.45. eigrp 1 Advertised by ospf 1 metric 5000 subnets Last update from 120.100. you have only a single redistribution point (R4). EIGRP routes redistributed within the OSPF network should remain with a fixed cost of 5000 throughout the network.

GigabitEthernet 0/0 O E2 120.3.3.34.0/24 [170/284416] via 150. If you have configured this correctly.2.100.0/24 [110/5000] via 120.3. you must configure a percentage threshold (80 percent). Vlan300 Configure R4 to only redistribute up to five EIGRP routes. and generate a system warning when the fourth route is redistributed.6. (2 points) You can limit the number of prefixes redistributed into OSPF and generate a warning when the number of prefixes reaches a defined maximum by use of the redistribute maximum-prefix command.0 [170/284416] via 150.100.6.100.0/24 [110/5000] via 120. 00:01:43.0/24 [170/284416] via 150.3.6.100.100.0 [170/284416] via 150.100.100. GigabitEthernet 0/0 SW1# show ip route eigrp | include EX D EX 150.25.6. Vlan300 D EX 120.0/24 [170/284416] via 150.3.6.3.0/24 [170/284416] via 150. Vlan300 D EX 120.123.3.100. Do not use any access lists in your solution. Vlan300 D EX 120.3.3.100.6.3. GigabitEthernet0/0 O E2 120. 00:01:43. 00:00:46.1.100.3/32 [170/284416] via 150. Vlan300 D EX 120. Vlan300 D EX 150.100.46. 00:01:43.0/24 [170/284416] via 150.100.100.2.6.100.100. To generate the warning on the fourth route.100.123.100.6.100. 00:01:43. 00:01:43. Example 1-20 R4 Prefix Configuration Click here to view code image .6.0/24 [170/284416] via 150. Vlan300 D EX 120.100. 00:00:46. 00:01:43.123. 00:00:46. 00:01:43.123.3.100.3. you have scored 2 points.100. Vlan300 D EX 120.123. 00:01:43.1. 
as shown in Example 1-20.Example 1-19 R4 Redistribution Configuration and Verification Click here to view code image R4(config-route-map)# router eigrp CCIE R4(config-router)# address-family ipv4 unicast autonomous-system 1 R4(config-router-af)# topology base R4(config-router-af-topology)# redistribute ospf 1 R4(config-router-af-topology)# default-metric 10000 100 255 1 1500 R4(config-router-af-topology)# router ospf 1 R4(config-router)# redistribute eigrp 1 subnets R4(config-router)# default-metric 5000 R1# show ip route ospf | include E2 O E2 150.3.100.3.6.0 [110/5000] via 120. Vlan300 D EX 120.100. 00:01:44.100.

which will not permit a session from R4 to become established if R4 is more than 2 hops away. Configure eBGP peering as follows: R3-R4. even if you have configured the eBGP multihop feature on R4 with a value of 2. R6.100.100. For your eBGP peering on R3. The peering becomes complicated when the TTL security feature is enabled by use of the command neighbor 120. (Of course. (2 points) You can get some easy peering points to begin with.1 ttl-security hops 2 on R3. This feature must be configured only on R3 and not on R4. Use minimal configuration and use loopback interfaces for your peering with the exception of R4 to R5. you have scored 2 points. and SW1-R5. Example 1-21 BGP Peering Configuration R1# sh run | begin bgp router bgp 10 no synchronization neighbor 120. as shown in Example 1-21.1 remote-as 10 neighbor 120. Remember to verify your peering with the show ip bgp neighbor command. The field highlighted is the Time To Live (TTL) hex value displayed from the hidden command (dump) when performing the debug. R4-R6. the peering will break. SW1-R6. namely on R3.3. and follow the peering instructions closely because these are relevant for the following questions. Use minimal configuration and use loopback interfaces for your peering. You must remember to use peer groups to minimize configuration where possible.) Example 1-21 shows a debug on R3 for the eBGP peering. You should have noticed that R3 was required to be a route reflector for iBGP peers R1 and R2 in AS10 and that no synchronization is required because the underlying IGP is not redistributed into BGP.100. R2-R3. This command is a neat feature that will not permit the peering session if the received neighbor TTL value is less than 253 in this case.1 update-source Loopback0 no auto-summary R2# sh run | begin bgp . 
of course.4.R4(config)# router ospf 1 R4(config-router)# redistribute maximum-prefix 5 80 Section 3: BGP (14 Points) Configure iBGP peering as follows: R1-R3. use the TTL security feature. and R5-R2. Because you are not permitted to configure the same feature on R4. R6-R5. this will simply increment the TTL value from a default value of 0. but you’ll have to do a lot of typing to earn them. which would suggest that the incoming session could be some form of remote attack with spoofed source IP address of the original neighbor. R4-R5. You need to get the hex value to FD (253 decimal) by configuring the multihop value to 255 on R4. and Switch 1. (2 points) Use the autonomous system numbers supplied in Figure 1-7.3. If you have configured this correctly.

.100..1 ebgp-multihop 2 neighbor 120.`.`... 84 SYN 0F400C00: 0F400C10: C20211E0 0F400C20: 0106467E 0F400C30: 9AFD1F8A 0F400C40: 02040218 dst=179..4..1 neighbor 120..E@.3.100.j.3 .100.100.100.100.. from R3's perspective R4 could be 254 hops away! ! Configure R4 so the TTL value will read 253 decimal (FD hex) by configuring an .4.5...3.100.2...100.100.45.&D.3.5.100. ack=0.4..6.F~.1 neighbor 120.100.6.}.5.1 update-source Loopback0 neighbor 120.100.@..1 ebgp-multihop 2 neighbor 120. ! The TTL from R4 is decremented to 01 Hex = 01 decimal as R4 has ebgpmultihop 2 ! configured and the BGP session will not be established as R3 has the TTL security ! check enabled.1 host 120..1 no auto-summary remote-as 10 remote-as 300 ebgp-multihop 2 update-source Loopback0 R3# sh run | begin bgp router bgp 10 no synchronization neighbor IBGP peer-group neighbor IBGP remote-as 10 neighbor IBGP update-source Loopback0 neighbor IBGP route-reflector-client neighbor 120....1 remote-as 300 neighbor 120.100.1 update-source Loopback0 neighbor 120...q.1 peer-group IBGP neighbor 120..3.@.5 remote-as 300 no auto-summary R3(config)# access-list 100 permit ip host 120.1 neighbor 120. seq=2600279946..6. .3.1 peer-group IBGP neighbor 120.100. B.100.1 R3(config)# exit R3# debug ip packet 100 detail dump IP packet debugging is on (detailed) (dump) for access list 100 R3# TCP src=42692.100...1 ttl-security hops 2 neighbor 120.1 update-source Loopback0 no auto-summary R4# sh run | begin bgp router bgp 200 no synchronization neighbor 120. win=163 C204 07400000 00100800 45C0002C 6A870000 01010101 03030303 A6C400B3 00000000 60024000 F1BB0000 B.100.1. .1 remote-as 200 neighbor 120.router bgp 10 no synchronization neighbor 120..4..1 remote-as 10 neighbor 120.100..

100.1 update-source Loopback0 neighbor 120.e?R~...3.1 peer-group IBGP neighbor 120. R4(config)# router bgp 200 R4(config)# neighbor 120.100.100......1 ebgp-multihop 2 neighbor 120.1 update-source Loopback0 no auto-summary R6# sh run | beg bgp router bgp 300 no synchronization neighbor IBGP peer-group neighbor IBGP remote-as 300 neighbor IBGP update-source Loopback0 neighbor 120..7.2.4.P.100.`..1 ebgp-multihop 255 R3# TCP src=44109.5.. this shows that R4 ! can not be further than 2 hops away from R3 and the security check passes and BGP ! is established. ! Now a hex value of FD (253 Decimal) can be seen at R3 from R4. R3# sh ip bgp neighbor | include hops | TTL External BGP neighbor may be up to 2 hops away...100.|.7.4. B.1 peer-group IBGP no auto-summary SW1# sh run | begin bgp router bgp 300 ..100.E@.1 update-source Loopback0 neighbor 120..?.4.(.1 update-source Loopback0 neighbor 120. }.1 remote-as 200 neighbor 120. win=16263 ACK 0F7CBB60: 0F7CBB70: C20211E0 0F7CBB80: FD06286E 0F7CBB90: E4028565 0F7CBBA0: dst=179.6 remote-as 200 neighbor 120.100..3 d. Minimum incoming TTL 253.100.@..1 ebgp-multihop 2 neighbor 120. .100. ack=3209854606 C204 07400000 00100800 45C00028 8C9A0000 01010101 03030303 AC4D00B3 BF527E8E 50103F87 13FC0000 B.45.7..1 remote-as 300 neighbor 120.(n.2.. Outgoing TTL 255 R5# sh run | begin bgp router bgp 300 no synchronization neighbor 120.M.2.100..1 remote-as 300 neighbor 120.! ebgp multihop value of 255 (this value will decrement down to 253 when it is ! processed by R3).100.6.100.100.. Connection is ECN Disabled.6. seq=3925370469.1 remote-as 10 neighbor 120.100.

5.100.100. To break the peering without using ACLs.100.1 Type escape sequence to abort.34. which indicate the peering will have failed.1 peer-group IBGP neighbor 120. ensure that the peering between R2 and R5 is not maintained via the Ethernet network. you have scored 2 points. (2 points) As R2 and R5 peer to each other using their loopback interfaces.100. Example 1-22 shows the path taken between R5 and R2 when the serial interface is shut down on R5.34. if the serial network between R5 and R2 fails.100.no synchronization neighbor IBGP peer-group neighbor IBGP remote-as 300 neighbor IBGP update-source Loopback0 neighbor 120.100.1 peer-group IBGP no auto-summary AS200 is to be used as a backup transit network for traffic between AS10 and AS300. the peering is maintained if the serial network between R2 and R5 fails.34. If your ebgp-multihop count is set at 2 between R2 and R5.34.3 R5# *Jan 17 21:32:34.2. therefore.1 1 120. you just need to ensure that the ebgp-multihop count used in the original peering is set at 2 and no greater. Do not use any ACL type restrictions or change the existing peering. Tracing the route to 120.100.123.45. even though there is IP connectivity between loopbacks.100.2.455: ICMP: time exceeded rcvd from 120.1 peer-group IBGP neighbor 120.100.100.3 R5# R2# debug ip icmp ICMP packet debugging is on R2# Jan 17 21:26:11. Example 1-22 also shows the ICMP debug with the TTL expiration messages.2 4 msec * 4 msec R5# debug ip icmp ICMP packet debugging is on R5# *Jan 17 21:32:32.179: ICMP: time exceeded rcvd from 120. Example 1-22 eBGP TTL Expiration R5(config)# int s0/0/1 R5(config-if)# shut R5# trace 120.4 0 msec 0 msec 0 msec 2 120.100.100.3 0 msec 4 msec 0 msec 3 120.6.100.310: ICMP: time exceeded rcvd from 120.100.4 .

2.1 route-map NO-EXPORT out R2(config-router)# neighbor 120. Do not use any route filtering between neighbors to achieve this.IGP. Example 1-23 Route Advertisement and no-export Configuration on R2 Click here to view code image R5# sh ip bgp Origin codes: i .4 Configure a new loopback interface 2 on R2 of 130. valid.incomplete Network Next Hop *>i130.1 255.200.0 R2(config-router)# neighbor 120. and advertise this into BGP using the network command. metric 0. a simple use of communities can be used to ensure that the route is not exported to AS200.3. version 4 Paths: (1 available.2.306: ICMP: time exceeded rcvd from 120. localpref 100.1/24.200.200.200. ? .100.255. Therefore.34. not advertised to EBGP peer) Advertised to update-groups: 2 Local.100. (Received from a RR-client) 120.100.100.0/24 120.1 BGP routing table entry for 130. internal.1) Origin IGP.1 (metric 65) from 120. AS300 no longer receives this route. If you have configured this correctly.0 mask 255.0/24. the new network route will flow from AS10 to AS300 via AS200 instead of flowing directly from AS10 to AS300.EGP.100. best Community: no-export .255.200.100.100.1 (130. best #1. table Default-IP-Routing-Table.3.100.1 send-community R2(config-router)# exit R2(config)# access-list 5 permit 130.100.200.100. Under normal conditions. this way the route is not advertised to AS200 if a failure occurs.0 R2(config)# route-map NO-EXPORT permit 10 R2(config-route-map)# match ip address 5 R2(config-route-map)# set community no-export R2(config-route-map)# route-map NO-EXPORT permit 20 R3# sh ip bgp 130. as shown in Example 1-23. e .0 R2(config-if)# router bgp 10 R2(config-router)# network 130.200. AS200 would still see the route from AS300.4. you have scored 3 points.200.100.100.100. (3 points) If the peering between R2 and R5 fails. 
You simply need to apply a noexport value to the route as it is advertised on R2 toward R3.255.100.1 Metric LocPrf Weight Path 0 100 0 200 10 i R2(config)# interface Loopback2 R2(config-if)# ip address 130.255. Configure R2 in such a way that if the serial connection between R2 and R5 fails.R2# Jan 17 21:26:13.

100. it is possible that topics and features such as this will crop up within other sections. Example 1-24 IP SLA Tracking and HSRP Configuration on R5 and R6 R5(config)# track 2 ip route 130. you are free to use an unallocated IP address. If you have configured this correctly. R6 also requires preempt to take control when the priority of R5 decrements.0/24 is no longer visible to AS300. (4 points) The clue is in the question. so this should be configured with the preempt command to reinstate control when the route becomes visible once again post withdrawal. you have scored 4 points.R5# conf t Enter configuration commands. but because the IOS section has been removed from the exam.255.3.255. Because the question does not specifically instruct you to configure an exact IP address for your HSRP.100.100.200.0 255. R5 should be the HSRP active under normal conditions. R5 hasn’t been configured with a priority in this example because it uses the default value of 100.3. as shown in Example 1-24.1/24. Configure R5 to achieve this solution. You might feel that this is not strictly a BGP question. R5# Configure HSRP between R5 and R6 on VLAN 300 with R5 active for . all you need to do is track the specific route with the IP SLA object tracking feature and inform the Hot-Standby Router Protocol (HSRP) process whether the Border Gateway Protocol (BGP) route is withdrawn. one per line. Similarly.200.1 R5(config-if)# standby 1 preempt R5(config-if)# standby 1 track 2 decrement 20 R6(config)# interface GigabitEthernet0/1 R6(config-if)# standby 1 ip 150.0 reachability R5(config-track)# interface GigabitEthernet0/1 R5(config-if)# standby 1 ip 150.1 R6(config-if)# standby 1 priority 90 R6(config-if)# standby 1 preempt . R5(config)# int s0/0/1 R5(config-if)# shut R5(config-if)# ^Z R5# show ip bgp End with CNTL/Z.100. 
Example 1-24 shows the configuration and testing steps involved to withdraw the route by shutting down the serial interface on R5 and toggling the HSRP functionality between R5 and R6. If the network 130. so it’s best to be aware of as many features as possible. R6 should dynamically become the HSRP active.

0c07.100. hold time 10 sec Next hello sent in 0.1/24.Group 1 State is Active 23 state changes.ac01 Local virtual MAC address is 0000.1 Active virtual MAC address is 0000. and advertise these into BGP using the network command. respectively.0.0c07.ac01 (v1 default) Hello time 3 sec.100. last state change 00:20:11 Virtual IP address is 150.3. R3 should be configured to enable only BGP routes originated from R1 up to network 128.6. priority 90 (expires in 8.0.0. (3 points) This is quite an intricate question because you are permitted to use only a single access control list (ACL) to filter the routes on R3.980 sec) Standby router is local Priority 80 (default 100) Track object 2 state Down decrement 20 IP redundancy name is "hsrp-Gi0/1-1" (default) Configure two new loopback interfaces on R1 and R2 of 126.2.ac01 (v1 default) Hello time 3 sec. priority 90 (expires in 8.100.100.0c07.100.Group 1 State is Standby 25 state changes.1 4/0 (hold time expired) 0 bytes R5#%HSRP-6-STATECHANGE: GigabitEthernet0/1 Grp 1 state Active -> Speak R5#%HSRP-6-STATECHANGE: GigabitEthernet0/1 Grp 1 state Speak -> Standby R5# sh standby gigabitEthernet 0/1 GigabitEthernet0/1 .0.1.1 Active virtual MAC address is 0000.1.0 and permits this through one route map while denying through a separate route .880 secs Preemption enabled Active router is 150.472 sec) Priority 100 (default 100) Track object 2 state Up decrement 20 IP redundancy name is "hsrp-Gi0/1-1" (default) R5# R5# conf t R5(config)# int s0/0/1 R5(config-if)# shut R5(config-if)# R5#%BGP-3-NOTIFICATION: sent to neighbor 120. hold time 10 sec Next hello sent in 1. The way to do this is to use an ACL that matches networks up to 128.0 and from above network 128.0. Use only a single ACL on R3 as part of your solution.1. 
last state change 00:00:10 Virtual IP address is 150.1.0c07.3.0 originated from R2.3.ac01 Local virtual MAC address is 0000.3.0.1/24 and 130.460 secs Preemption enabled Active router is local Standby router is 150.6.R5# sh standby gigabitEthernet 0/1 GigabitEthernet0/1 .

0 R2(config)# interface Loopback1 R2(config-if)# ip address 130.0 advertised on R1 and one lower advertised on R2.0 R3(config)# access-list 1 permit 0. local router ID is 120.1. S Stale Origin codes: i .0. as shown in Example 1-25. you have scored 3 points.255 R3(config)# route-map UPTO128 permit 10 R3(config-route-map)# match ip add 1 R3(config)# route-map ABOVE128 deny 10 R3(config-route-map)# match ip add 1 R3(config-route-map)# route-map ABOVE128 permit 20 R3(config)# router bgp 10 R3(config-router)# neighbor 120. r RIB-failure.1 Status codes: s suppressed. > best.100.100.1.0 mask 255.1 120.255.1.0/24 *>i130.1 route-map ABOVE128 in R3# sh ip bgp BGP table version is 8. e . * valid.1.1 120.1.1.incomplete Network *>i126.2.3. d damped.255.255. i internal.2. Further testing is detailed in Example 1-26 to substantiate the filtering process on R3.1. The route maps should be applied on a per-neighbor basis and both call up the same single ACL.255.1.1.255. h history.1 255.255.255.1 255. R3 simply blocks these from entering BGP.EGP.0.IGP.1.0. .0/24 *>i130.1 Metric LocPrf Weight Path 0 100 0 i 0 100 0 i 0 100 0 i Further testing of the filtering requires additional interfaces to be configured and advertised on R1 and R2.100.255.map.100.1.100.1.1 route-map UPTO128 in R3(config-router)# neighbor 120.100.100. Example 1-25 Route Map Filtering on R3 Click here to view code image R1(config)# interface Loopback1 R1(config-if)# ip address 126.200.0.0 mask 255.255.1.0 R2(config-if)# router bgp 10 R2(config-router)# network 130. ? .0/24 R3# Next Hop 120.255.0 127. Example 1-26 shows the configuration for the new loopbacks on R1 and R2 and the filtering on R3.1.0 R1(config-if)# router bgp 10 R1(config-router)# network 126. If you have configured this correctly.2. Example 1-26 shows an interface higher than 128.

3.255. ? .1 255.1.IGP.1 Status codes: s suppressed.0 mask 255.0 0. i internal.100.0.2.255.0 R2(config-router)# ^Z R2# sh ip bgp neighbor 120.0 R1(config-if)# router bgp 10 R1(config-router)# network 132.100.255.255. i internal. > best.200. e .1 advertised BGP table version is 7.1.0 mask 255. S Stale Origin codes: i . h history.255. local router ID is 130.1.1.1.1 Status codes: s suppressed.100.1.1.0/24 Next Hop 0.1 255. * valid. final configuration.1.1.0 R2(config-if)# router bgp 10 R2(config-router)# network 100.1. * valid.2. local router ID is 126.255.100. e .incomplete Network Next Hop Path *>i126. d damped.EGP.1 *>i130. i - .EGP.100.0/24 120.Note This additional testing configuration is not present on the supplied.1.0/24 *> 132. h history.incomplete Network *> 126.3. h history.1. r RIB-failure.0.1.1 Metric LocPrf 0 0 0 Weight 100 100 100 0 i 0 i 0 i R2# conf t R2(config)# int Loopback3 R2(config-if)# ip add 100.255.0.IGP.255.100.0/24 120.1. d damped. ? .1 advertised BGP table version is 5.0/24 120.1 Status codes: s suppressed.0 Metric LocPrf Weight Path 0 32768 i 0 32768 i Total number of prefixes 2 R3# sh ip bgp BGP table version is 4. S Stale Origin codes: i .100.200.0 R1(config-router)# ^Z R1# sh ip bgp neighbors 120. * valid.100. r RIB-failure. local router ID is 120.1.1.1.1 *>i130. Example 1-26 Route Map Filtering Verification Click here to view code image R1(config)# interface Loopback3 R1(config-if)# ip address 132.0.1. d damped.1. > best. > best.3.

S Stale Origin codes: i .EGP.1.1 Status codes: s suppressed.200.1 Metric LocPrf Weight 0 0 0 100 100 100 0 i 0 i 0 i Section 4: IPv6 (15 Points) The prerequisite to the questions is configuration of the IPv6 addresses.0/24 0.0.0.100. S Stale Origin codes: i .3.0/24 120.0 *> 130. e .1.100.incomplete Network Next Hop Path *>i126.0 Metric LocPrf Weight 0 0 0 32768 i 32768 i 32768 i Total number of prefixes 3 R3# sh ip bgp BGP table version is 4.0.0/24 120.1.2.internal. r RIB-failure.100.1 *>i130.0/24 0.100. ? .0.200. d damped.incomplete Network Next Hop Path *> 100.1.0/24 0. You should test your IPv6 connectivity to ensure that you are ready to progress to the routing questions.IGP. Consider using the show ipv6 interfaces brief command for a quick check of your interface configuration. > best.0 *> 130.1 *>i130. ? .1. * valid. e .EGP.1. Example 1-27 IPv6 Testing and Initial Configuration Click here to view code image R1(config)# ipv6 unicast-routing R1(config)# interface gigabitEthernet 0/1 R1(config-if)# ipv6 address 2007:C15:C0:10::1/64 R1(config-if)# gigabitEthernet 0/0 R1(config-if)# ipv6 address 2007:C15:C0:11::1/64 R2(config)# ipv6 unicast-routing R2(config)# interface fastethernet 0/1 R2(config-if)# ipv6 address 2007:C15:C0:12::2/64 R2(config-if)# interface fastethernet 0/0 R2(config-if)# ipv6 address 2007:C15:C0:11::2/64 R2(config-if)# interface serial 0/1 R2(config-if)# ipv6 address 2007:C15:C0:14::2/64 .0.IGP.0/24 120.0. local router ID is 120. i internal.100.2. Example 1-27 shows the required IPv6 configuration to progress to the routing questions. r RIB-failure.1.1. h history.100.1.

R3(config)# ipv6 unicast-routing
R3(config)# interface gigabitEthernet 0/0
R3(config-if)# ipv6 address 2007:C15:C0:15::3/64
R3(config-if)# interface gigabitEthernet 0/1
R3(config-if)# ipv6 address 2007:C15:C0:11::3/64
R4(config)# ipv6 unicast-routing
R4(config)# interface gigabitEthernet 0/0
R4(config-if)# ipv6 address 2007:C15:C0:15::4/64
R5(config)# ipv6 unicast-routing
R5(config)# interface gigabitEthernet 0/1
R5(config-if)# ipv6 address 2007:C15:C0:16::5/64
R5(config-if)# interface Serial0/0/1
R5(config-if)# ipv6 address 2007:C15:C0:14::5/64
R6(config)# ipv6 unicast-routing
R6(config)# interface gigabitEthernet 0/1
R6(config-if)# ipv6 address 2007:C15:C0:16::6/64

Section 4.1: EIGRPv6
Configure EIGRPv6 under the instance of CCIE with a primary autonomous system of 1. R1
must not form any neighbor relationship with R2 on VLAN 132 (without the use of any ACL,
static neighbor relationships, or multicast blocking feature). R1 must dynamically learn a
default route over EIGRPv6 via R3 on VLAN 132 in which to communicate with the IPv6
network. (4 points)
EIGRP configuration is required under an instance of CCIE under the address family IPv6. You
could usually stop routers on the same subnet forming a neighbor relationship by creating some
static mapping or block the multicast and so on, but the question does not permit you to do this.
The clue is in the question stating use a primary autonomous system, which suggests that you can
use an additional autonomous system to provide connectivity between R1 and R3, completely
bypassing R2. Bear in mind that a named instance within EIGRP can run only one autonomous
system, so an additional named instance could be created on R3 to communicate with R1, but the
question dictates that the instance is effectively limited to that of CCIE. This leaves you no other
option but to enable the secondary autonomous system on R3 under the physical interface. R3 can
simply send a default route within the autonomous system to which R1 belongs on VLAN 132,
which R2 will have no visibility of. To ensure full visibility from R1 to R2, however, you are
required to redistribute EIGRPv6 autonomous systems on R3. Because R1 will receive a default
route, you do not require mutual redistribution on R3. Although you could simply perform a
one-way redistribution within the protocol, it is better practice to call a route map and just
reference the IPv6 network on R1 for redistribution. If you have configured this correctly, as
shown in Example 1-28, you have scored 4 points.

Example 1-28 EIGRPv6 Configuration and Testing

R1(config)# router eigrp CCIE
R1(config-router)# address-family ipv6 unicast autonomous-system 2
R1(config-router-af)# af-interface GigabitEthernet0/0
R1(config-router-af-interface)# no shutdown
R1(config-router-af-interface)# af-interface GigabitEthernet0/1
R1(config-router-af-interface)# no shutdown
R2(config)# router eigrp CCIE
R2(config-router)# address-family ipv6 unicast autonomous-system 1
R2(config-router-af)# af-interface fastethernet0/1
R2(config-router-af-interface)# no shutdown
R2(config-router-af-interface)# af-interface fastethernet0/0
R2(config-router-af-interface)# no shutdown
R2(config-router-af-interface)# af-interface Serial0/1
R2(config-router-af-interface)# no shutdown
R3(config)# router eigrp CCIE
R3(config-router)# address-family ipv6 unicast autonomous-system 1
R3(config-router-af)# af-interface GigabitEthernet0/0
R3(config-router-af-interface)# no shutdown
R3(config-router-af-interface)# af-interface GigabitEthernet0/1
R3(config-router-af-interface)# no shutdown
R3(config-router-af-interface)# exit
R3(config-router-af)# exit
R3(config-router)# exit
R3(config)# interface GigabitEthernet0/1
R3(config-if)# ipv6 eigrp 2
R3(config-if)# ipv6 summary-address eigrp 2 ::/0
R3(config-if)# router eigrp CCIE
R3(config-router)# address-family ipv6 unicast autonomous-system 1
R3(config-router)# topology base
R3(config-router-topology)# redistribute eigrp 2 route-map EIGRPv6-2-1
R3(config-router-topology)# exit
R3(config-router-af)# exit
R3(config-router)# ipv6 router eigrp 2
R3(config-rtr)# no shut
R3(config-rtr)# exit
R3(config)# route-map EIGRPv6-2-1 permit 10
R3(config-route-map)# match ipv6 address EIGRPv6-2
R3(config-route-map)# route-map EIGRPv6-2-1 deny 20
R3(config-route-map)# exit
R3(config)# ipv6 access-list EIGRPv6-2
R3(config-ipv6-acl)# permit ipv6 2007:C15:C0:10::/64 any

GigabitEthernet0/1 D 2007:C15:C0:14::/64 [90/2172416] via FE80::215:C6FF:FEF2:ABF1. I2 . GigabitEthernet0/0 D 2007:C15:C0:14::/64 [90/2174976] via FE80::216:47FF:FEBB:1E11.ISIS summary O . GigabitEthernet0/0 R5# sh ipv6 route eigrp EX 2007:C15:C0:10::/64 [170/2177536] .OSPF NSSA ext 2 D .OSPF NSSA ext 1. OE1 . GigabitEthernet0/0 R2# sh ipv6 route EX 2007:C15:C0:10::/64 [170/33280] via FE80::216:47FF:FEBB:1E12.MIPv6 I1 . GigabitEthernet0/0 D 2007:C15:C0:12::/64 [90/33280] via FE80::216:47FF:FEBB:1E11.ISIS L2.OSPF ext 2 ON1 . IA . OI .R4(config)# router eigrp CCIE R4(config-router)# address-family ipv6 unicast autonomous-system 1 R4(config-router-af)# af-interface GigabitEthernet0/0 R4(config-router-af-interface)# no shutdown R5(config)# router eigrp CCIE R5(config-router)# address-family ipv6 unicast autonomous-system 1 R5(config-router-af)# af-interface Serial0/0/1 R5(config-router-af-interface)# no shutdown R1# sh ipv6 route eigrp IPv6 Routing Table .EIGRP. GigabitEthernet0/0 D 2007:C15:C0:11::/64 [90/30720] via FE80::216:47FF:FEBB:1E11. GigabitEthernet0/1 R4# sh ipv6 route eigrp EX 2007:C15:C0:10::/64 [170/33280] via FE80::216:47FF:FEBB:1E11.EIGRP external D ::/0 [90/30720] via FE80::216:47FF:FEBB:1E12.OSPF intra.OSPF ext 1.Static.Local. ON2 .OSPF inter. OE2 .ISIS L1.BGP U .Connected. R .Per-user Static route. fastethernet0/0 D 2007:C15:C0:15::/64 [90/30720] via FE80::216:47FF:FEBB:1E12. fastethernet0/0 R3# sh ipv6 route eigrp D ::/0 [5/28160] via ::.6 entries Codes: C . M . IS . B . Null0 D 2007:C15:C0:10::/64 [90/30720] via FE80::214:69FF:FE61:5EF0. L . EX .RIP. S .ISIS interarea. GigabitEthernet0/1 D 2007:C15:C0:12::/64 [90/30720] via FE80::215:C6FF:FEF2:ABF1.

1 ernet0/1 Pri 1 State FULL/DR Dead Time 00:00:30 Interface ID 3 Interface GigabitEth R6# show ipv6 ospf neighbor Neighbor ID 120.D D D via FE80::215:C6FF:FEF2:ABE0. Serial0/0/1 2007:C15:C0:11::/64 [90/2172416] via FE80::215:C6FF:FEF2:ABE0. therefore. as shown in Example 1-30.100. Serial0/0/1 2007:C15:C0:12::/64 [90/2172416] via FE80::215:C6FF:FEF2:ABE0.6.1 ernet0/1 Pri 1 State FULL/BDR Dead Time 00:00:39 Interface ID 3 Interface GigabitEth The IPv6 network is deemed to be stable. If you have configured this correctly.5. Example 1-29 R5 and R6 OSPFv3 Configuration Click here to view code image R5(config)# interface gigabitEthernet 0/1 R5(config-if)# ipv6 ospf 1 area 0 R6(config)# interface gigabitEthernet 0/1 R6(config-if)# ipv6 ospf 1 area 0 R5# show ipv6 ospf neighbor Neighbor ID 120. Serial0/0/1 2007:C15:C0:15::/64 [90/2174976] via FE80::215:C6FF:FEF2:ABE0. reduce the number of LSAs flooded within the OSPF domain. as shown in Example 1-29. with all OSPF interfaces assigned to Area 0. Serial0/0/1 Section 4. you have scored 2 points. (2 points).100. you have scored 2 points. (2 points) To suppress the unnecessary flooding of link-state advertisements in stable topologies. If you have configured this correctly. This is a clear-cut OSPFv3 configuration.2: OSPFv3 Configure OSPFv3 with a process ID of 1. the ipv6 ospf flood-reduction command is required under interface configuration mode. .

IA . OE1 .ISIS summary O . S .ISIS interarea.OSPF inter.10 entries Codes: C . you have scored 1 point. GigabitEthernet0/1 . If you have configured this correctly. Example 1-31 R5 OSPFv3 Redistribution Configuration Click here to view code image R5(config)# ipv6 router ospf 1 R5(config-router)# redistribute eigrp 1 metric 5000 R6# sh ipv6 route ospf IPv6 Routing Table .ISIS L1.Example 1-30 R5 and R6 Flood-Reduction Configuration Click here to view code image R5(config)# interface gigabitEthernet 0/1 R5(config-if)# ipv6 ospf flood-reduction R6(config)# interface gigabitEthernet 0/1 R6(config-if)# ipv6 ospf flood-reduction Section 4. OE2 . R . IS .OSPF NSSA ext 2 D .BGP U . I2 . B . the default behavior for OSPFv3 is for redistributed routes to be advertised with a fixed cost as type 2 external routes.EIGRP external OE2 2007:C15:C0:10::/64 [110/5000] via FE80::214:6AFF:FEFC:F131. L . ON2 . Pay attention to ensure that you have full route visibility.Static. (1 point) As per vanilla OSPF.EIGRP.RIP. GigabitEthernet0/1 OE2 2007:C15:C0:11::/64 [110/5000] via FE80::214:6AFF:FEFC:F131.OSPF NSSA ext 1.Local. as shown in Example 1-31.ISIS L2. GigabitEthernet0/1 OE2 2007:C15:C0:13::/64 [110/5000] via FE80::214:6AFF:FEFC:F131. Example 1-31 shows the required configuration and routing table on R6 for the redistributed EIGRPv6 routes.OSPF intra. so a simple redistribution configuration with a default metric of 5000 on R5 is required. OI . because the serial network on R5 (2007:C15:C0:14::/64) will not be present within the OSPFv3 domain unless R5 specifically redistributes its own connected interfaces.OSPF ext 2 ON1 .Connected. EX .3: Redistribution Redistribute EIGRPv6 routes into the OSPFv3 demand (one way).OSPF ext 1. GigabitEthernet0/1 OE2 2007:C15:C0:12::/64 [110/5000] via FE80::214:6AFF:FEFC:F131. EIGRPv6 routes should have a fixed cost of 5000 associated with them within the OSPF network.Per-user Static route I1 .

you have scored 2 points. which should be seen within the EIGRPv6 domain. Configure R5 only to achieve this.ISIS L2.Connected.OSPF intra.Static. as shown in Example 1-32.ISIS L1. Sending 5. I2 .Per-user Static route I1 . R . OI .OSPF ext 2 ON1 . B . ON2 .OSPF ext 1.OSPF inter.RIP. If you have configured this correctly.EIGRP external OE2 2007:C15:C0:14::/64 [110/5000] via FE80::214:6AFF:FEFC:F131. L .BGP U .EIGRP. GigabitEthernet0/1 Ensure that the OSPF3 network is reachable from the EIGRPv6 network by a single route of 2007::/16. 100-byte ICMP Echos to 2007:C15:C0:16::5. GigabitEthernet0/1 R5(config)# ipv6 router ospf 1 R5(config-rtr)# redistribute eigrp 1 metric 5000 include-connected R6# show ipv6 route 2007:C15:C0:14:: IPv6 Routing Table . timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5).Local. EX .OSPF NSSA ext 1. round-trip min/avg/max = 12/12/16 ms R3# ping ipv6 2007:C15:C0:16::6 . IA . OE1 .OSPF NSSA ext 2 D . Example 1-32 R5 EIGRPv6 Summary Configuration and Connectivity Testing Click here to view code image R5(config)# router eigrp CCIE R5(config-router)# address-family ipv6 unicast autonomous-system 1 R5(config-router-af)# af-interface Serial0/0/1 R5(config-router-af-interface)# summary-address 2007::/16 R3# sh ipv6 route | include /16 D 2007::/16 [90/2684416] R3# ping ipv6 2007:C15:C0:16::5 Type escape sequence to abort.OE2 2007:C15:C0:15::/64 [110/5000] via FE80::214:6AFF:FEFC:F131.ISIS summary O . you are required to configure an IPv6 summary route into the EIGRPv6 domain on R5 to provide full connectivity from the EIGRPv6 domain into OSPFv3.10 entries Codes: C .ISIS interarea. The OSPF domain should continue to receive specific EIGRPv6 subnets. OE2 . IS . S . (2 points) Because you are not mutually redistributing protocols.

100-byte ICMP Echos to 2007:C15:C0:16::6. configure R4 and R5 to achieve this. you have scored 3 points.100. all you can do is create a tunnel between the devices. round-trip min/avg/max = 12/15/16 ms Ensure that if the serial link fails between the OSPF and EIGRPv6 domain that routing is still possible between R5 and R4 over VLAN 45. timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5). If you have configured this correctly. Example 1-33 R4 and R5 Tunnel Configuration and Verification Click here to view code image R4(config)# interface Tunnel0 R4(config-if)# ipv6 address 2007:C15:C0:17::4/64 R4(config-if)# tunnel source GigabitEthernet0/1.Type escape sequence to abort.100. You might have considered enabling OSPFv3 between routers. as shown in Example 1-33. R5 is still required to advertise the summary route to the EIGRPv6 network through the tunnel for reachability of the OSPFv3 network. Sending 5.45. and this should be considered as an alternative path only if a failure occurs. Example 1-34 shows the required configuration to tunnel IPv6 through IPv4 on R4 and R5. but you have not been given sufficient information to do this. and it would then create additional problems in terms of redistribution points.4 R5(config-if)# tunnel mode ipv6ip R5(config-if)# router eigrp CCIE R5(config-router)# address-family ipv6 unicast autonomous-system 1 R5(config-router-af)# af-interface Tunnel0 R5(config-router-af-interface)# no shutdown R5(config-router-af-interface)# summary-address 2007::/16 R5# sh ipv6 route eigrp D 2007::/16 [5/2169856] via ::.5 R4(config-if)# tunnel mode ipv6ip R4(config-if)# router eigrp CCIE R4(config-router)# address-family ipv6 unicast autonomous-system 1 R4(config-router-af)# af-interface Tunnel0 R4(config-router-af-interface)# no shutdown R5(config)# interface Tunnel0 R5(config-if)# ipv6 address 2007:C15:C0:17::5/64 R5(config-if)# ipv6 eigrp 1 R5(config-if)# tunnel source GigabitEthernet0/0 R5(config-if)# tunnel destination 120.45. instead. 
If you cannot enable EIGRPv6 on the VLAN 45 interfaces.45 R4(config-if)# tunnel destination 120. (3 points) R4 and R5 both belong to the EIGRPv6 domain. Do not enable EIGRPv6 on the VLAN 45 interfaces of R4 and R5. Null0 .

EX 2007:C15:C0:10::/64 [170/2177536]
     via FE80::215:C6FF:FEF2:ABE0, Serial0/1/0
D 2007:C15:C0:11::/64 [90/2172416]
     via FE80::215:C6FF:FEF2:ABE0, Serial0/1/0
D 2007:C15:C0:12::/64 [90/2172416]
     via FE80::215:C6FF:FEF2:ABE0, Serial0/1/0
D 2007:C15:C0:15::/64 [90/2174976]
     via FE80::215:C6FF:FEF2:ABE0, Serial0/1/0
R5(config)# int s0/1/0
R5(config-if)# shut
R5(config-if)# do sh ipv6 route eigrp
D 2007::/16 [5/297244416]
     via ::, Null0
EX 2007:C15:C0:10::/64 [170/297252096]
     via FE80::7864:2D04, Tunnel0
D 2007:C15:C0:11::/64 [90/297249536]
     via FE80::7864:2D04, Tunnel0
D 2007:C15:C0:12::/64 [90/297252096]
     via FE80::7864:2D04, Tunnel0
D 2007:C15:C0:15::/64 [90/297246976]
     via FE80::7864:2D04, Tunnel0

Section 5: QoS (8 Points)
You are required to configure QoS on Switch 1 according to the Cisco QoS baseline model.
Create a Modular QoS configuration for all user ports (Fast Ethernet 1–24) that facilitates the
following requirements (3 points):
1. All ports should trust the DSCP values received from their connecting devices.
2. Packets received from the user ports with DSCP values of 48, 46, 34, 32, 24, 28, 16, and 10
should be re-marked to DSCP 8 (PHB CS1) if traffic flowing occurs above 5 Mbps on a
per-port basis. This traffic could be a combination of any of the preceding DSCP values with
any source/destination combination. Ensure a minimum burst value is configured above the
5 Mbps.
It is acknowledged within the industry that a user port rarely generates more than 5 Mbps of
traffic on a standard Fast Ethernet connection. If traffic rates increase above this threshold, it
could be indicative of a denial-of-service (DoS) or Worm attack. One way to mitigate an attack is
to create a Scavenger class that simply re-marks traffic DSCP values when the threshold has been
exceeded. This will not block traffic but will ensure that mission-critical traffic remains
unaffected from an attack by trusting the DSCP value for known traffic and re-marking unknown
application traffic down to CS1. To answer the question, you are required to create a Modular
QoS policy that trusts the incoming differentiated services code point (DSCP) value received
from the host within the policy rather than by configuring the trust value on a per-interface basis
and by policing traffic at a rate of 5 Mbps. When the minimum burst rate is exceeded, the DSCP
values will be remapped according to the policed-dscp map to Scavenger class CS1 (DSCP8).
Note that all DSCP baseline values are being remapped with the exception of DSCP26, which is
generally reserved for mission-critical data. This approach enables traffic associated with this
value to remain unchanged even when traffic rates exceed 5 Mbps. This approach also assumes
that the virus does not itself remark traffic to this value to increase its chances of causing damage.
However, the exclusion of DSCP26 is not relevant to the configuration and methodology you use
to answer the question.
The question requires you to configure a standard IP ACL that permits any traffic. For traffic
matching this classification, the DSCP value in the incoming packet is trusted. If the matched
traffic exceeds an average traffic rate of 5 Mbps and a normal burst size of 8000 bytes, its DSCP
is marked down according to the policed DSCP map values and transmitted. If you have
configured this correctly, as shown in Example 1-34, you have scored 3 points.
Example 1-34 Switch 1 QoS Configuration and Verification

SW1(config)# mls qos
SW1(config)# mls qos map policed-dscp 48 46 34 32 24 28 16 10 to 8
SW1(config)# access-list 1 permit any
SW1(config)# class-map POLICE
SW1(config-cmap)# match access-group 1
SW1(config-cmap)# exit
SW1(config)# policy-map RE-MARK
SW1(config-pmap)# class POLICE
SW1(config-pmap-c)# trust dscp
SW1(config-pmap-c)# police 5000000 8000 exceed-action policed-dscp-transmit
SW1(config-pmap-c)# exit
SW1(config-pmap)# exit
SW1(config)# interface range fastethernet 0/1-24
SW1(config-if-range)# service-policy input RE-MARK
SW1# show policy-map RE-MARK
Policy Map RE-MARK
Class POLICE
police 5000000 8000 exceed-action policed-dscp-transmit
trust dscp

Switch 1 will be connected to a new trusted domain in the future using interface Gigabit
0/1. A DSCP value received locally on SW1 of AF43 should be mapped to AF42 when
destined for the new domain. (2 points)
This requires a DSCP mutation map to convert DSCP values between environments. If you did
not realize that AF43 is DSCP38 and AF42 is DSCP36, you would struggle to answer this
question, but a search of your documentation CD should have assisted you. For the mutation map
to function correctly, you need to explicitly trust DSCP values received on the interface on which
you are configuring the map. If you have configured this correctly, as shown in Example 1-35,
you have scored 2 points.

Example 1-35 Switch 1 DSCP-mutation Map Configuration

SW1(config)# mls qos map dscp-mutation AF43-TO-AF42 38 to 36
SW1(config)# interface Gig0/1
SW1(config-if)# mls qos trust dscp
SW1(config-if)# mls qos dscp-mutation AF43-TO-AF42

Configure Cisco Modular QoS as follows on R2 for the following traffic types based on
their associated per-hop behavior into classes. Incorporate these into an overall policy that
should be applied to the T1 interface S0/1. Allow each class the effective bandwidth as
detailed. (2 points)
You have 2 points available here, so you know it’s either going to be complex or involve a great
deal of configuration. This one is a bit of both, so there is a risk of configuration errors for those
points to slip away. There is also some math involved because the policy-map command requires
a percentage value of bandwidth as opposed to actual speed. Because you are using a T1
interface, you know that the maximum available bandwidth is 1544 Kbps, so the values required
are as follows:
1% = 15 Kbps, 3% = 46 Kbps, 14% = 216 Kbps, 16% = 247 Kbps, 25% = 386 Kbps
A class map to match all values for the provided classes is required that is then associated with
the policy map. The overall policy is then applied to the outgoing interface Serial0/1, and a nice
little gotcha is that you must configure the interface with the command max-reserved-bandwidth
100, entered as a percentage; otherwise, the full bandwidth is not made available for the policy.
Usually you would assign voice traffic into a real-time queue (low-latency queuing [LLQ]), but
the question doesn’t dictate this, so effectively all traffic types are being assigned with different
proportions of class-based weighted fair queuing (CBWFQ). If you have configured this
correctly, as shown in Example 1-36, you have scored 2 points.
Example 1-36 Switch1 Modular QoS Configuration

R2# sh run class-map
!
class-map match-all VOIP
 match ip dscp ef
class-map match-all BULK-DATA
 match ip dscp af11
class-map match-all NET-MAN
 match ip dscp cs2
class-map match-all VIDEO
 match ip dscp af41
class-map match-all ROUTING
 match ip dscp cs6
class-map match-all SCAVENGER
 match ip dscp cs1
class-map match-all TRANS-DATA
 match ip dscp af21
class-map match-all MISSION-CRIT
 match ip dscp af31
class-map match-all CALL-SIG
 match ip dscp cs3
!
end
R2# sh run policy-map
!
policy-map QOS
 class VOIP
  bandwidth percent 16
 class VIDEO
  bandwidth percent 16
 class BULK-DATA
  bandwidth percent 3
  random-detect
 class TRANS-DATA
  bandwidth percent 14
 class NET-MAN
  bandwidth percent 3
 class ROUTING
  bandwidth percent 3
 class SCAVENGER
  bandwidth percent 1
 class MISSION-CRIT
  bandwidth percent 16
 class CALL-SIG
  bandwidth percent 3
 class class-default
  bandwidth percent 25
!
end
R2# sh run int s0/1 | begin max-reserved-bandwidth 100
max-reserved-bandwidth 100
service-policy output QOS
end
R2# show policy-map QOS
Policy Map QOS
Class VOIP
Bandwidth 16 (%) Max Threshold 64 (packets)
Class VIDEO
Bandwidth 16 (%) Max Threshold 64 (packets)
Class BULK-DATA
Bandwidth 3 (%)
exponential weight 9
class    min-threshold    max-threshold    mark-probability
-------------------------------------------------------
0        -                -                1/10
1        -                -                1/10
2        -                -                1/10
3        -                -                1/10
4        -                -                1/10
5        -                -                1/10
6        -                -                1/10
7        -                -                1/10
rsvp     -                -                1/10
Class TRANS-DATA
Bandwidth 14 (%) Max Threshold 64 (packets)
Class NET-MAN
Bandwidth 3 (%) Max Threshold 64 (packets)
Class ROUTING
Bandwidth 3 (%) Max Threshold 64 (packets)
Class SCAVENGER
Bandwidth 1 (%) Max Threshold 64 (packets)
Class MISSION-CRIT
Bandwidth 16 (%)
exponential weight 9
class    min-threshold    max-threshold    mark-probability
-------------------------------------------------------
0        -                -                1/10
1        -                -                1/10
2        -                -                1/10
3        -                -                1/10
4        -                -                1/10
5        -                -                1/10
6        -                -                1/10
7        -                -                1/10
rsvp     -                -                1/10
Class CALL-SIG
Bandwidth 3 (%) Max Threshold 64 (packets)
Class class-default
Bandwidth 25 (%)
exponential weight 9
class    min-threshold    max-threshold    mark-probability
-------------------------------------------------------
0        -                -                1/10
1        -                -                1/10
2        -                -                1/10
3        -                -                1/10
4        -                -                1/10
5        -                -                1/10
6        -                -                1/10
7        -                -                1/10
rsvp     -                -                1/10

Configure R2 so that traffic can be monitored on the serial network with a view to a
dynamic policy being generated in the future that trusts the DSCP value of traffic
identified on this media. (1 point)
This is a simple question that requires the command auto discovery qos trust to be configured
under the serial interface of R2. This command uses NBAR to inspect the application traffic that
flows through the router with a view to generating a QoS policy based on the traffic flow profile.
The keyword trust in the command ensures that the DSCP value of the traffic monitored on the
network is trusted. If you have configured this correctly, you have scored 1 point.

Section 6: Security (6 Points)
Configure R3 to identify and discard the following custom virus. The virus is
characterized by the ASCII characters Hastings_Beer within the payload and uses UDP
ports 11664 to 11666. The ID of the virus begins on the third character of the payload.
The virus originated on VLAN 34. (4 points)
This fictitious virus requires the use of Network-Based Application Recognition (NBAR) with
Packet Description Language Module (PDLM) to inspect a packet payload to identify the virus
based on the information supplied within the question. Because the virus ID begins on the
third ASCII character, you need to inform the custom NBAR list to ignore the first two
characters, which ensures that it will begin to check at the third character. If you have configured
this correctly, as shown in Example 1-37, you have scored 3 points. You can use the show
policy-map command to verify your configuration.

Example 1-37 R3 NBAR Configuration

R3(config)# ip nbar custom Hastings_Beer 2 ascii Hastings_Beer udp range 11664 11666
R3(config)# class-map match-all VIRUS
R3(config-cmap)# match protocol Hastings_Beer
R3(config-cmap)# policy-map BLOCK-VIRUS
R3(config-pmap)# class VIRUS
R3(config-pmap-c)# drop
R3(config-pmap-c)# interface gigabit0/0
R3(config-if)# Service-policy input BLOCK-VIRUS
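
What the custom signature in Example 1-37 matches, as an added Python model (not the book's code and not how IOS implements NBAR): the offset of 2 skips the first two payload bytes, so the ID must start at the third byte, and only UDP ports 11664 to 11666 qualify. The datagrams are constructed, and matching on either the source or the destination port is an assumption.

```python
# Added illustration: a simplified model of the custom NBAR signature in Example 1-37.
from dataclasses import dataclass

SIGNATURE = b"Hastings_Beer"   # ASCII string given in the question
OFFSET = 2                     # payload bytes skipped before the comparison starts
PORTS = range(11664, 11667)    # UDP 11664-11666 inclusive


@dataclass
class Datagram:
    """Constructed stand-in for a packet received on the VLAN 34 interface."""
    proto: str
    sport: int
    dport: int
    payload: bytes


def matches_virus(d: Datagram) -> bool:
    """True when the datagram would fall into class-map VIRUS and be dropped."""
    if d.proto != "udp":
        return False
    # Assumption: with no source/destination keyword, either port may match.
    if d.sport not in PORTS and d.dport not in PORTS:
        return False
    # Compare exactly len(SIGNATURE) bytes starting at the third payload byte.
    window = d.payload[OFFSET:OFFSET + len(SIGNATURE)]
    return window == SIGNATURE


# Constructed sample traffic covering the match and the near misses.
SAMPLES = {
    "id at third byte": Datagram("udp", 40000, 11665, b"\x01\x02Hastings_Beer..."),
    "id at first byte": Datagram("udp", 40000, 11665, b"Hastings_Beer..."),
    "port outside range": Datagram("udp", 40000, 11667, b"\x01\x02Hastings_Beer"),
    "tcp, same bytes": Datagram("tcp", 40000, 11664, b"\x01\x02Hastings_Beer"),
    "truncated payload": Datagram("udp", 40000, 11664, b"\x01\x02Hast"),
}


def verdicts():
    """Map each sample name to the action policy-map BLOCK-VIRUS would take."""
    return {name: ("drop" if matches_virus(d) else "forward")
            for name, d in SAMPLES.items()}


if __name__ == "__main__":
    for name, action in verdicts().items():
        print(f"{name:20} {action}")
```

An offset of 0 in the model would match the "id at first byte" sample instead, which is the mistake the question is built to catch.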

There is an infected host on VLAN 200 of 150.100.2.100. Ensure that only within BGP
AS10, traffic destined for this host is directed to null0 of each local router. You may not
use any ACLs to block traffic to this host specifically, but you may use a static route
pointing to null0 for traffic destined to 192.0.2.0/24 on routers within AS10. R2 may
have an additional static route pointing to null0. Use a BGP feature on R2 to ensure traffic
to this source is blocked. Prevent unnecessary replies when traffic is passed to the null0
interface for users residing on VLAN 100. (4 points)
This question is representative of black-hole routing, an effective method of discarding
packets being sent to a known destination. This approach to discarding traffic is efficient because
it enables the edge routers to route traffic rather than use ACLs, and it can be deployed
dynamically by making use of the next-hop field within BGP updates. You are permitted to
create a static route on routers R1, R2, and R3 in AS10 for network 192.0.2.0/24 to null0 and one
additional route on R2. This route needs to direct traffic for the infected host to null0 so that
R2 can update routers R1 and R3. R2 simply advertises the host route for the infected host to AS10
and sets the next hop for this to 192.0.2.1. Routers R1 and R3 then direct traffic to null0 when
traffic is destined to the infected host. To ensure that the solution is used only in AS10, you must
set the community to no-export for the specific static route and tag the route with a value of 10
to identify it. You must therefore send the community values to neighbor R3 on R2, but this
should have been completed previously for an earlier BGP question. Use of the no ip unreachables
command on R1’s Gigabit Ethernet interface prevents unnecessary replies when traffic is passed
to the null0 interface. If you have configured this correctly, as shown in Example 1-38, you have
scored 3 points.
Example 1-38 BGP Black-Hole Routing Configuration and Verification

R2(config)# ip route 192.0.2.1 255.255.255.255 null0
R2(config)# ip route 150.100.2.100 255.255.255.255 Null0 Tag 10
R2(config)# router bgp 10
R2(config-router)# redistribute static route-map BLACKHOLE

R2(config-router)# route-map BLACKHOLE permit 10
R2(config-route-map)# match tag 10
R2(config-route-map)# set ip next-hop 192.0.2.1
R2(config-route-map)# set community no-export
R2(config-route-map)# exit
R2(config)# do show ip bgp neigh 120.100.3.1 advertised
BGP table version is 6, local router ID is 130.100.200.1
Status codes: s suppressed, d damped, h history, * valid, > best, i internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network             Next Hop        Metric LocPrf Weight Path
*> 130.1.1.0/24     0.0.0.0              0         32768 i
*> 130.100.200.0/24 0.0.0.0              0         32768 i
*> 150.100.2.100/32 192.0.2.1            0         32768 i
Total number of prefixes 3
R2# show ip route 150.100.2.100
Routing entry for 150.100.2.100/32
Known via "static", distance 1, metric 0 (connected)
Tag 10
Redistributing via bgp 10
Advertised by bgp 10 route-map BLACKHOLE
Routing Descriptor Blocks:
* directly connected, via Null0
Route metric is 0, traffic share count is 1
Route tag 10
R3(config)# ip route 192.0.2.1 255.255.255.255 null0
R3(config)# do show ip bgp
BGP table version is 14, local router ID is 120.100.3.1
Status codes: s suppressed, d damped, h history, * valid, > best, i internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network             Next Hop        Metric LocPrf Weight Path
*>i126.1.1.0/24     120.100.1.1          0    100      0 i
*>i130.1.1.0/24     120.100.2.1          0    100      0 i
*>i130.100.200.0/24 120.100.2.1          0    100      0 i
* i150.100.2.100/32 192.0.2.1            0    100      0 i
R1(config)# ip route 192.0.2.1 255.255.255.255 null0
R1(config)# interface Gigabit0/1
R1(config-if)# no ip unreachables
R1(config-if)# do show ip bgp
BGP table version is 8, local router ID is 126.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network             Next Hop        Metric LocPrf Weight Path
*> 126.1.1.0/24     0.0.0.0              0         32768 i
*>i130.1.1.0/24     120.100.2.1          0    100      0 i
*>i130.100.200.0/24 120.100.2.1          0    100      0 i
* i150.100.2.100/32 192.0.2.1            0    100      0 i

R1# show ip route 150.100.2.100
Routing entry for 150.100.2.100/32
Known via "bgp 10", distance 200, metric 0, type internal
Last update from 192.0.2.1 00:00:02 ago
Routing Descriptor Blocks:
* 192.0.2.1, from 120.100.3.1, 00:00:02 ago
Route metric is 0, traffic share count is 1
AS Hops 0
R1# show ip route 192.0.2.1
Routing entry for 192.0.2.1/32
Known via "static", distance 1, metric 0 (connected)
Routing Descriptor Blocks:
* directly connected, via Null0
Route metric is 0, traffic share count is 1
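
The forwarding logic behind Example 1-38, as an added Python model (not the book's code): the host route learned over BGP only discards traffic on a router that can resolve next hop 192.0.2.1 through its own static route to Null0, and no-export keeps the update inside AS10. The covering route 150.100.2.0/24, the interface name uplink, the router without the static route and peer AS 65000 are constructed for the illustration.

```python
# Added illustration: remotely triggered black-hole routing as configured in Example 1-38.
import ipaddress

LOCAL_AS = 10
BLACKHOLE_NH = "192.0.2.1"     # next hop set by route-map BLACKHOLE
INFECTED = "150.100.2.100"     # infected host from the question


class Router:
    def __init__(self, name):
        self.name = name
        self.rib = []

    def add(self, prefix, source, interface=None, next_hop=None, tag=None):
        self.rib.append({"net": ipaddress.ip_network(prefix), "source": source,
                         "interface": interface, "next_hop": next_hop, "tag": tag})

    def forward(self, dst, depth=0):
        """Longest-prefix match with recursive next-hop resolution.

        Returns the egress interface, or None when no usable route matches.
        A route whose next hop cannot be resolved is skipped, which is how an
        unreachable BGP next hop keeps a route from being used.
        """
        if depth > 4:
            return None
        addr = ipaddress.ip_address(dst)
        matches = sorted((r for r in self.rib if addr in r["net"]),
                         key=lambda r: r["net"].prefixlen, reverse=True)
        for route in matches:
            if route["interface"]:
                return route["interface"]
            egress = self.forward(route["next_hop"], depth + 1)
            if egress:
                return egress
        return None


def blackhole_updates(router):
    """route-map BLACKHOLE: static routes tagged 10 become BGP updates."""
    return [{"prefix": str(r["net"]), "next_hop": BLACKHOLE_NH,
             "communities": {"no-export"}}
            for r in router.rib if r["source"] == "static" and r["tag"] == 10]


def export(update, peer_as):
    """no-export: the update is sent to peers in the local AS only."""
    if "no-export" in update["communities"] and peer_as != LOCAL_AS:
        return None
    return update


def build_lab():
    r1, r2, r3 = Router("R1"), Router("R2"), Router("R3")
    bare = Router("no-static")          # constructed: lacks the 192.0.2.1 static
    for r in (r1, r2, r3):
        r.add("192.0.2.1/32", "static", interface="Null0")
    r2.add(INFECTED + "/32", "static", interface="Null0", tag=10)
    for r in (r1, r3, bare):            # constructed covering route
        r.add("150.100.2.0/24", "igp", interface="uplink")
    for update in blackhole_updates(r2):
        if export(update, LOCAL_AS):
            for peer in (r1, r3, bare):
                peer.add(update["prefix"], "bgp", next_hop=update["next_hop"])
    return r1, r2, r3, bare


if __name__ == "__main__":
    r1, r2, r3, bare = build_lab()
    for r in (r1, r2, r3, bare):
        print(f"{r.name:10} {INFECTED} -> {r.forward(INFECTED)}")
    print("R1 neighbour host 150.100.2.101 ->", r1.forward("150.100.2.101"))
    print("update to AS 65000:", export(blackhole_updates(r2)[0], 65000))
```

The router without the static route keeps forwarding to the infected host over its covering route, which is why the 192.0.2.1 static has to exist on every router in AS10 before R2 triggers the black hole.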

To protect the control plane on router R6, configure CoPP so that IP packets with a TTL of
0 or 1 are dropped rather than processed, with a resulting ICMP redirect sent to the
source. (1 point)
Cisco IOS Software sends all packets with a TTL of 0 or 1 to the process level to be processed.
The device must then send an ICMP TTL expire message to the source. By filtering packets that
have a TTL of 0 and 1, you can reduce the load on the process level. The control plane policing
simply blocks packets with a TTL value of 0 and 1 as directed, but this will break your EIGRP
and BGP peering. So, you must specifically permit these packets within your ACL; otherwise,
you would have just lost valuable points. If you found yourself running short on time and
couldn’t justify further time to investigate how to maintain your routing peering, remember that
this is a 1-point question, worth leaving and coming back to, if possible. If you have configured
this correctly, as shown in Example 1-39, you have scored 1 point.
Example 1-39 CoPP Configuration

R6(config)# ip access-list extended TTL
R6(config-ext-nacl)# deny eigrp any any
R6(config-ext-nacl)# deny tcp any any eq bgp
R6(config-ext-nacl)# deny tcp any eq bgp any
R6(config-ext-nacl)# permit ip any any ttl eq 0 1
R6(config-ext-nacl)# class-map DROP-TTL-0/1
R6(config-cmap)# match access-group name TTL
R6(config-cmap)# policy-map CoPP-TTL
R6(config-pmap)# class DROP-TTL-0/1
R6(config-pmap-c)# drop
R6(config-pmap-c)# control-plane
R6(config-cp)# service-policy input CoPP-TTL
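
The effect of the deny lines in the TTL ACL can be checked offline before the policy is applied to the control plane. The following is an added example, not part of the lab solution: it models first-match ACL evaluation inside a class map (a permit puts the packet in the class and the policy drops it; a deny or no match leaves it outside the class). The packet samples, the names ACL_NO_EXEMPTIONS and ACL_WRONG_ORDER, and the verdict label "punt" are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

BGP = 179  # TCP port matched by "eq bgp"


@dataclass(frozen=True)
class Packet:
    name: str
    proto: str                      # "eigrp", "tcp", "udp", "icmp"
    ttl: int
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    sport: Optional[int] = None
    dport: Optional[int] = None
    ttls: Optional[FrozenSet[int]] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.sport is not None and self.sport != pkt.sport:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.ttls is not None and pkt.ttl not in self.ttls:
            return False
        return True


def acl_action(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


def copp_verdict(acl: List[Ace], pkt: Packet) -> str:
    """ACL permit = packet is in class DROP-TTL-0/1 and is dropped.
    ACL deny = packet is not classified and is punted to the control plane."""
    return "drop" if acl_action(acl, pkt) == "permit" else "punt"


TTL_LOW = frozenset({0, 1})

# The ACL from Example 1-39, in the order shown on the page.
ACL_TTL = [
    Ace("deny", "eigrp"),
    Ace("deny", "tcp", dport=BGP),
    Ace("deny", "tcp", sport=BGP),
    Ace("permit", "ip", ttls=TTL_LOW),
]
# Hypothetical variants for comparison: no exemptions, and exemptions placed too late.
ACL_NO_EXEMPTIONS = [Ace("permit", "ip", ttls=TTL_LOW)]
ACL_WRONG_ORDER = [ACL_TTL[3], *ACL_TTL[:3]]

# Constructed sample packets as they would arrive at R6.
SAMPLES = [
    Packet("eigrp-ttl1", "eigrp", 1),
    Packet("bgp-to-179-ttl1", "tcp", 1, sport=40000, dport=BGP),
    Packet("bgp-from-179-ttl1", "tcp", 1, sport=BGP, dport=40000),
    Packet("udp-probe-ttl1", "udp", 1, sport=50000, dport=33434),
    Packet("icmp-ttl0", "icmp", 0),
    Packet("ssh-ttl64", "tcp", 64, sport=50001, dport=22),
    Packet("ssh-ttl1", "tcp", 1, sport=50002, dport=22),
]


def evaluate(acl: List[Ace]) -> Dict[str, str]:
    """Verdict per sample packet for the given ACL."""
    return {pkt.name: copp_verdict(acl, pkt) for pkt in SAMPLES}


if __name__ == "__main__":
    variants = [("page ACL", ACL_TTL),
                ("no exemptions", ACL_NO_EXEMPTIONS),
                ("wrong order", ACL_WRONG_ORDER)]
    for label, acl in variants:
        print(label)
        for name, verdict in evaluate(acl).items():
            print(f"  {name:18} {verdict}")
```

With the page's ordering the routing-protocol packets stay outside the class, while any other packet arriving with a TTL of 0 or 1 is dropped; moving the permit line to the top gives the same result as having no exemptions at all.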

Section 7: Multicast (4 Points)
Configure routers R1, R2, R3, and R4 for IPv4 multicast. Configure R3 to send multicast advertisements of its own time by use of NTP sourced from interface Gig 0/0. Configure PIM sparse mode on all required interfaces. R3 should also be used to advertise its own gigabit interface IP address as an RP. R3 should also advertise the IP address you are using for the NTP advertisements, which will be 224.0.1.1. Do not use the command ntp server in any configurations. Routers R1, R2, and R4 should all show a clock synchronized to that of R3. (4 points)
Network Time Protocol (NTP) can be multicast on the reserved group IP address of 224.0.1.1 rather than the more familiar broadcast or unicast scenarios. The question requires you to configure R3 to become the NTP master and announce the group address to the NTP clients. They will then have the capability to join the NTP group by use of Protocol Independent Multicast (PIM). You are not permitted to use the command ntp server, and so you must configure the clients with the command ntp multicast client. It is good practice to TTL scope your multicast announcements so that they do not propagate past the domain you require. If you have not taken this into consideration in your solution, you would not be deducted points, but be aware of the facility in case you face a question that specifies this. If you have configured this correctly, as shown in Example 1-40, you have scored 4 points.
Example 1-40 NTP Multicast Configuration and Verification

R3(config)# ip multicast-routing
R3(config)# ntp master
R3(config)# interface GigabitEthernet0/0
R3(config-if)# ip pim sparse-mode
R3(config-if)# ntp multicast ttl 2
R3(config-if)# interface GigabitEthernet0/1
R3(config-if)# ip pim sparse-mode
R3(config-if)# ip pim send-rp-announce GigabitEthernet0/0 scope 2 group-list 4
R3(config)# ip pim send-rp-discovery GigabitEthernet0/0 scope 2
R3(config)# access-list 4 permit 224.0.1.1
R3# show ntp status
Clock is synchronized, stratum 8, reference is 127.127.7.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is C98F1E61.2AE19310 (21:17:21.167 UTC Tue Feb 27 2007)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec
R1(config)# ip multicast-routing
R1(config-if)# interface

0000 Hz. peer dispersion is 15875.100.1.06 msec.88 msec root dispersion is 0.83B73E68 (21:17:39.1 Serial0/0/0 00:40:12 00:02:50 120.0000 Hz.14 msec root dispersion is 15875.2 224.1 23.100. peer dispersion is 0.0157 msec.1 Serial0/0 00:41:08 00:02:59 120.0.1.1 23.0.1 23.1 23.1.0. precision is 2**18 reference time is C98F1E79.0000 Hz. stratum 9.514 UTC Tue Feb 27 2007) clock offset is 0. actual freq is 250.0.39 Serial0/0 00:08:12 00:02:57 120.02 msec R1(config-if)# R1# show ip igmp group IGMP Connected Group Membership Group Address Interface Uptime Expires Last Reporter 224.1 224.3 nominal freq is 250.GigabitEthernet0/0 R1(config-if)# ip pim sparse-mode R1(config-if)# ntp multicast client R1# show ntp status Clock is synchronized.100.1. actual freq is 250. stratum 9.9FB2321D (21:17:45.40 Serial0/0 00:41:09 00:01:59 120.3 224.100. reference is 120.100.0.3 nominal freq is 250.06 msec.1.0000 Hz.100.1 CHANGE interface R2(config)# ip multicast-routing R2(config-if)# interface fastethernet 0/0 R2(config-if)# ip pim sparse-mode R2(config-if)# ntp multicast client R2# show ntp status Clock is synchronized.0182 msec.100.3 224. precision is 2**18 reference time is C98F1E73.1 23. reference is 120.2 Change IF R4(config)# ip R4(config-if)# R4(config-if)# R4(config-if)# multicast-routing interface GigabitEthernet0/0 ip pim sparse-mode ntp multicast client R4# show ntp status .1. root delay is 4.39 Serial0/0/0 00:07:21 00:02:51 120.40 Serial0/0/0 00:40:13 00:02:52 120.34.1 23.100.02 msec R2# show ip igmp group IGMP Connected Group Membership Group Address Interface Uptime Expires Last Reporter 224.623 UTC Tue Feb 27 2007) clock offset is 0.34.0. root delay is 3.

Clock is synchronized, stratum 9, reference is 120.100.34.3
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is C98F1EF1.2B7DB1F2 (21:19:45.169 UTC Tue Feb 27 2007)
clock offset is -0.6937 msec, root delay is 1.37 msec
root dispersion is 7877.08 msec, peer dispersion is 7876.34 msec
R4# show ip igmp group
IGMP Connected Group Membership
Group Address    Interface            Uptime    Expires   Last Reporter
224.0.1.1        GigabitEthernet0/0   00:41:29  00:02:42  120.100.34.4
224.0.1.39       GigabitEthernet0/0   00:08:35  00:02:42  120.100.34.3
224.0.1.40       GigabitEthernet0/0   00:41:07  00:02:42  120.100.34.4

IP Services (4 Points)
Configure the following commands on router R1:
aaa new-model
logging buffered
logging 120.100.99.1
Configure a policy on router R1 so that if a user tries to remove AAA services or disable logging via the CLI, a syslog message of UNAUTHORIZED-COMMAND-ENTERED is generated. The policy should ensure that neither command is executed and should consist of a single-line command for the CLI pattern detection. The policy and CLI should run asynchronously. The policy should also generate an email from the router to a mail server residing on IP address 120.100.99.2 (to security@lab-exam.net from eem@lab-exam.net, with the subject “User-Issue,” with the message body consisting of details of who was logged on at the time either of the commands was entered). (2 points)
This is an intricate Embedded Events Manager (EEM) question. You are required to configure an EEM applet with a CLI pattern event on a single line to match on either of the commands (no aaa xxx and no logging xxx). This is achieved by a pattern of “^no (aaa|logging).*”. The following sync no skip yes parameters simply state that the policy and CLI should run asynchronously and that the command entered should not be executed as directed. When the commands are matched via the CLI pattern, the policy requires the syslog message to be generated, a CLI command action to run show users, and a final action to send an email with the details of the previous show command (which is achieved by the command “$_cli_result”). Example 1-41 details the required configuration and resulting execution of the EEM when the commands no aaa new-model and no logging buffered are entered and not executed on the router. If you have configured this correctly, as shown in Example 1-41, you have scored 4 points.
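
The reach of the CLI pattern described above can be dry-run before the applet is configured on a router. The following is an added example, not part of the lab solution: it uses Python's re module as a stand-in for the IOS regular-expression matcher, the command list is constructed, and the class CliApplet, the applet names NARROW and DETECT-ONLY, and the narrower pattern are hypothetical names introduced for comparison.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class CliApplet:
    """Minimal model of an EEM applet with an 'event cli pattern' trigger."""
    name: str
    pattern: str
    skip: bool              # skip yes -> the matched command is not executed
    actions: List[str]

    def handle(self, command: str) -> Dict[str, object]:
        matched = re.search(self.pattern, command) is not None
        return {
            "matched": matched,
            # A command runs unless it matched and the applet says skip yes.
            "executed": not (matched and self.skip),
            "actions": list(self.actions) if matched else [],
        }


ACTIONS = [
    'syslog msg "UNAUTHORIZED-COMMAND-ENTERED"',
    'cli command "show users"',
    'mail to "security@lab-exam.net" body "$_cli_result"',
]

# The pattern and skip setting from the page.
PAGE = CliApplet("CCIE-QUESTION", r"^no (aaa|logging).*", True, ACTIONS)
# Hypothetical narrower pattern that lists only the two commands named in the task.
NARROW = CliApplet("NARROW", r"^no (aaa new-model|logging buffered)$", True, ACTIONS)
# Hypothetical detection-only variant: same pattern, but skip no.
DETECT_ONLY = CliApplet("DETECT-ONLY", r"^no (aaa|logging).*", False, ACTIONS)

# Constructed sample of commands typed in configuration mode.
COMMANDS = [
    "no aaa new-model",
    "no logging buffered",
    "no logging 120.100.99.1",
    "no aaa authentication login default",
    "aaa new-model",
    "logging buffered",
    "no ip domain-lookup",
    "do show run | include aaa new-model",
]


def blocked(applet: CliApplet, commands: List[str]) -> List[str]:
    """Commands that match the applet and are prevented from executing."""
    return [c for c in commands if not applet.handle(c)["executed"]]


def alerted(applet: CliApplet, commands: List[str]) -> List[str]:
    """Commands that trigger the applet's actions, executed or not."""
    return [c for c in commands if applet.handle(c)["matched"]]


if __name__ == "__main__":
    for applet in (PAGE, NARROW, DETECT_ONLY):
        print(applet.name)
        print("  blocked:", blocked(applet, COMMANDS))
        print("  alerted:", alerted(applet, COMMANDS))
```

The page's pattern covers every command beginning with no aaa or no logging, which is what the question's "no aaa xxx and no logging xxx" wording asks for; the narrower pattern would let the remote syslog host be removed without an alert.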

Example 1-41 R1 EEM Configuration and Verification Testing

R1(config)# aaa new-model
R1(config)# logging buffered
R1(config)# logging 120.100.99.1
R1(config)#
R1(config)# event manager applet CCIE-QUESTION
R1(config-applet)# event cli pattern "^no (aaa|logging).*" sync no skip yes
R1(config-applet)# action 1.0 syslog msg "UNAUTHORIZED-COMMAND-ENTERED"
R1(config-applet)# action 2.0 cli command "show user"
R1(config-applet)# action 3.0 mail server "120.100.99.2" to "security@lab-exam.net" from "eem@lab-exam.net" subject "User-Issue" body "$_cli_result"
R1(config-applet)# no aaa new-model
%HA_EM-6-LOG: CCIE-QUESTION: UNAUTHORISED-COMMAND-ENTERED
%HA_EM-3-FMPD_SMTP_CONNECT: Unable to connect to SMTP server: 120.100.99.2
%HA_EM-3-FMPD_ERROR: Error executing applet CCIE-QUESTION statement 3.0
R1(config)# no logging buffered
%HA_EM-6-LOG: CCIE-QUESTION: UNAUTHORISED-COMMAND-ENTERED
%HA_EM-3-FMPD_SMTP_CONNECT: Unable to connect to SMTP server: 120.100.99.2
%HA_EM-3-FMPD_ERROR: Error executing applet CCIE-QUESTION statement 3.0
R1(config)# do show run | include aaa new-model
aaa new-model
R1(config)# do show run | include logging buffered
logging buffered 4096 debugging

Lab Wrap-Up
So, how did it go? Did you run out of time? Did you manage to finish but miss what was actually required? If you scored over 80, well done. If you accomplished this within 8 hours or less, you will be prepared for any scenario that you are likely to face during the 5.5 hours of the Configuration section of the actual exam. Remember that the Troubleshooting section on the v5.0 exam is a separate section from the Configuration section and has a different scenario; you will have 2 hours to complete the Troubleshooting section. This lab was designed to ensure that you troubleshoot your own work as you progress through the questions. Spend the time to go back over the questions and practice with the configurations using debug and show commands to fully absorb any new areas you might have come across.
What sets the CCIE exam apart within the industry is the complexity of the questions to test you further than you thought possible. The exam is not trying to trick you, but it will ensure that you have the ability to think laterally—an ability that will ensure that you exceed in your networking career and one that sets CCIEs apart.

Did you anticipate and factor into your configuration items such as the maximum reserved bandwidth within QoS? If you did, congratulations, because this would have saved you time and secured you points. It also shows that you fully understand the protocols involved and are adept at testing your configurations. How can you ensure that you have the ability to spot any underlying issues related to a question? Well, it’s all mileage; you’ll get out of your study what you put into it.

Practice Lab 2

Equipment List
Practice Lab 2 follows an identical format to Lab 1 with timings and also consists of 100 points. You need the following hardware and software components to begin this practice lab.
Six routers loaded with Cisco IOS Software Release 15.3T Advanced Enterprise image and the minimum interface configuration, as documented in Table 2-1
Four 3560X switches with IOS 15.0S IP Services

Table 2-1 Hardware Required per Router

Note
Notice in the initial configurations supplied that some interfaces will not have IP addresses preconfigured. This is because you will either not be using that interface or you must configure it from default within the exercise. The initial configurations supplied should be used to preconfigure your routers and switch before the lab starts. If your routers have different interface speeds than those used in this book, adjust the bandwidth statements on the relevant interfaces to keep all interface speeds in line. This will ensure that you do not get unwanted behavior because of differing IGP metrics.

Setting Up the Lab 2
Use any combination of routers as long as you fulfill the requirements within the topology diagram, as shown in Figure 2-1. However, you should use the same model of routers because this can make life easier if you load configurations directly from the supplied configurations into your own devices. If your router interface speeds do not match those used in this lab, consider reconfiguring the bandwidth statement accordingly to provide symmetry with the routing protocol metrics.

Figure 2-1 Practice Lab 2 Network Topology

Lab Topology
This practice lab uses the topology as outlined in Figure 2-1, which you will need to re-create with your own equipment or by using lab equipment on the CCIE R&S 360 program.

Switch Instructions
Configure VLAN assignments from the configurations supplied or from Table 2-2.

Table 2-2 VLAN Assignment

Connect your switches with RJ-45 Ethernet cross-over cables, as shown in Figure 2-2.

Figure 2-2 Switch-to-Switch Connectivity

IP Address Instructions
You will find in the actual CCIE lab that the majority of your IP addresses will be preconfigured. For this exercise, you are required to configure your IP addresses, as shown in Figure 2-3, or load the initial router configurations supplied. If you are manually configuring your equipment, ensure that you include the following loopback addresses. (R1 and R3 use the same IP address for Loopback 255.)
R1 Lo0 120.100.1.1/24 Lo255 200.200.200.200/24
R2 Lo0 120.100.2.1/24
R3 Lo0 120.100.3.1/24 Lo255 200.200.200.200/24
R4 Lo0 120.100.4.1/24
R5 Lo0 120.100.5.1/24
R6 Lo0 120.100.6.1/24
SW1 Lo0 120.100.7.1/24
SW2 Lo0 120.100.8.1/24
SW3 Lo0 120.100.9.1/24
SW4 Lo0 120.100.10.1/24

Figure 2-3 IP Addressing Diagram

Pre-Lab Tasks
Build the lab topology per Figure 2-1 and Figure 2-2.
Configure the IP addresses on each router as shown in Figure 2-3 and add the loopback addresses. Alternatively, you can load the initial configuration files supplied if your router is compatible with those used to create this exercise.

General Guidelines
Read the whole lab before you start.
Do not configure any static/default routes unless otherwise specified.
Ensure full IP visibility between routers for ping testing/Telnet access to your devices.
If you run out of time, choose questions that you are confident you can answer, or choose questions with a higher point rating to maximize your potential score.
Get into a comfortable and quiet environment where you can focus for the next 8 hours.
Take a 30-minute break midway through the exercise.
Have available a Cisco documentation CD-ROM or access online the latest documentation from the following URL:
http://www.cisco.com/cisco/web/psa/configure.html

Note
Access only these URLs, not the whole Cisco.com website (because if you are permitted to use documentation during your CCIE lab exam, it will be restricted). To save time during your lab, consider opening several windows with the pages you are likely to look at.

Practice Lab Two
You will now be answering questions in relation to the network topology, as shown in Figure 2-4.

63. 200) and the interface directly connected to Switch 1 (Fast Ethernet 0/21) for odd-numbered VLANs (53. 53. and 200. 132. 100. resulting in spanning-tree issues. There is no requirement to configure a root bridge or VLAN load balancing for the new VLAN between Switch 1 and Switch 2. 200) and the interface directly connecting to Switch 1 (Fast Ethernet 0/19) for odd-numbered VLANs (53. The new switches should be able to tunnel their own configured VLANs through a new VLAN (30) between Switch 1 and Switch 2. (3 points) Switch 3 should use its interface directly connecting to Switch 2 (Fast Ethernet 0/21) for traffic directed toward even-numbered VLANs (34. (3 points) Switch 4 should use its interface directly connecting to Switch 2 (Fast Ethernet0/19) for traffic destined toward even-numbered VLANs (34. 100. with Switch 2 being the secondary root bridge for all listed VLANs. (4 points) . (2 points) Configure Switch 1 and Switch 2 to enable connectivity of two further switches in the future to be connected to ports Fast Ethernet 0/18 on each switch. 132. 100. Switch 1 should be the root bridge for VLANs 34.1w spanning tree.Figure 2-4 Lab Topology Diagram Section 1: LAN Switching (22 Points) Configure your switched network to use 802. 63). 46. 132. 46. (3 points) Ensure a cable fault between Switches 1 and 2 could not result in one-way traffic between the two switches. 63). 46.

(3 points) Configure interfaces Fast Ethernet 0/9 and 0/10 on Switch 1 so that even if they are configured to belong to the same VLAN.100. or multicast traffic to one another. and send only traffic destined to R2 on this switch port across your network to Switch 3 port Fast Ethernet 0/17. Do not use any form of ACL or configure the ports to belong to a PVLAN. There is no requirement to configure a root bridge or VLAN load balancing for the new VLAN. each EIGRP router should have its Loopback 0 interface configured and advertised within EIGRP. (3 points) Configure the interface on Switch 2 that connects to R5 VLAN 53 (Fast Ethernet 0/5) in such a way that if all the trunks on Switch 2 connecting to Switch 1. this Ethernet port transitions into error-disable state.Configure your switched network to monitor the VLAN 200 interface associated with R2 (Switch 2 Fast Ethernet 0/1). R3 should see the original VLAN 100 and Loopback 0 individual routes in .0. (2 points) Figure 2-5 EIGRP Topology Configure R1 to advertise a summary route of 120. (1 point) Section 2: IPv4 IGP Protocols (26 Points) Section 2. broadcast. Switch 3. use a new VLAN (20) to assist in this configuration.0/16 outbound on its VLAN 132 interface.1: EIGRP Configure EIGRP per Figure 2-5 using an instance name of CCIE and autonomous system of 1. and Switch 4 should fail. they will not be able to forward unicast.

Configure a new loopback interface on R2 (Loopback 3) with an IP address of 150. You are only permitted to configure R2 to influence the delay.2: OSPF Configure OSPF per Figure 2-6 using a process ID of 1. Each OSPF router should also have its Loopback 0 interface configured and advertised within OSPF as follows: (2 points) R4 Loopback 0 – Area 0 R5 Loopback 0 – Area 0 R6 Loopback 0 – Area 1 SW1 Loopback 0 – Area 2 SW2 Loopback 0 – Area 1 SW3 Loopback 0 – Area 2 SW4 Loopback 0 – Area 3 .addition to the summary route. and R3 is 200 seconds. (2 points) Configure new loopback interfaces on R1 and R2 using a loopback interface 2 with an identical IP address of 150.101.1/24 on both routers. Ensure that R3 prefers the route from R1 by manipulating the delay associated with this route. (3 points) Ensure that the length of time that EIGRP considers neighbors to be valid without receiving a hello packet on the VLAN 132 network between R1. (2 points) Section 2. advertise this network into EIGRP on each router. where possible.2. R2. You may use only one summary route in your configuration.1/24. Do not manually adjust the delay associated with the interface by use of the delay command. do not apply the summary command directly to the interface. All OSPF configuration. and advertise this and only this network to R3 from R2.1. do not change the hello-interval parameter. any additional connections to AS2 should be encrypted using the same password without further configuration on R2 and R3.101. (3 points) Configure EIGRP with a new instance name of CCIE2 between R2 and R3 over VLAN 132 with an autonomous system of 2 and 256-bit encryption with a password of lake2aho3. should not be configured under the process ID.

You are not permitted to form any Area 0 neighbor relationship directly between R4 and R5 to join Area 0.0/24 (VLAN 63).3: Redistribution Perform a one-way redistribution of EIGRP AS2 into EIGRP AS1 on R3 using the following default metric: 1544 20000 255 1 1500.34. R4-R6. Ensure that R1 shows a next hop for the AS2 advertised route of 150. Ensure that your network can accommodate this issue. R4-SW2. (4 points) Section 2. R5-SW1 R5-SW3.63.100. (2 points) R3 will have equal cost external EIGRP routes to the redistributed OSPF subnet 120.34.100. R2-R3.Figure 2-6 OSPF Topology Area 0 is partitioned between R4 and R5. If this route fails. R6-SW4. (3 points) Perform mutual redistribution of EIGRP AS1 and OSPF on R4 and R5. Use loopback interfaces .5) for this destination subnet. Configure only R3 to ensure that R3 routes via a next hop of R5 (120.4) should be used dynamically. (3 points) Section 3: BGP (15 Points) Configure BGP peering per Figure 2-7 as follows: iBGP R1-R3.100. eBGP R3-R4.2.0/24 of R2 and perform configuration only on R3 for this task. Use a metric of 5000 for redistributed routes into OSPF that should appear as external type 2 routes and the following K values for OSPF routes redistributed into EIGRP: 1544 20000 255 1 1500. SW4-SW3. the route advertised from R4 (120. R3-R5.101.

0/24 when advertised to R3.33.1/24) SW4 – Loopback interface 6 (152. Do not use the command ebgp-multihop within your configurations.33.200.1/24) SW4 – Loopback interface 5 (152.34.to peer on all routers with the exception of peering between R3-R4 and R3-R5.200.34.1/24) SW4 – Loopback interface 8 (152.100. Achieve this in such a manner that R4 does not actually advertise these routes toward R3. (3 points) Configure the following loopback interfaces on R3 and SW4. You may also configure R4. (4 points) Configure a route map on R5 that prepends its local autonomous system an additional two times for network 152.100.200.200. and 152.200. The route map may contain multiple permit statements.0/24.1/24) Configure R3 to inform R4 that it does not want to receive routes advertised from SW4 for networks 152. (3 points) Figure 2-7 BGP Topology Routers R1 and R2 in AS100 should be made to only passively accept BGP sessions.200.35.200. R3 should be configured to only actively create BGP sessions to R1 and R2 within AS100.0/24.0/24.32. 152.1/24) SW4 – Loopback interface 7 (152. advertise these networks into BGP using the network command: (2 points) R3 – Loopback interface 5 (152. but only one prepend is permitted per line.32. (3 points) Section 4: IPv6 (12 Points) Configure IPv6 addresses on your network as follows: 2007:C15:C0:10::1/64 – R1 Gi0/1 .35.200.

2: OSPFv3 Configure OSPFv3 per Figure 2-8. (2 points) Figure 2-8 IPv6 Topology Configure Area 1 with IPsec authentication. (2 points) . Build your tunnels from R1 to R3 and R2 to R3 with source interfaces from VLAN 132 to advertise IPv6 edge networks from each router using ipv6ip mode. and a key of DEC0DECC1E0DDBA11B0BB0BBEDB00B00. R2.1: EIGRPv6 Configure EIGRPv6 with an autonomous system of 6 between R1. and R3. EIGRPv6 should not be enabled directly under the interfaces of the routers. use an OSPFv3 process of 1 on each router. use message digest 5.2007:C15:C0:11::1/64 – R1 tunnel0 2007:C15:C0:11::3/64 – R3 tunnel0 2007:C15:C0:12::2/64 – R2 tunnel0 2007:C15:C0:12::3/64 – R3 tunnel1 2007:C15:C0:13::2/64 – R2 fe0/1 2007:C15:C0:14::3/64 – R3 Gi0/0 2007:C15:C0:14::4/64 – R4 Gi0/0 2007:C15:C0:14::5/64 – R5 Gi0/0 2007:C15:C0:15::4/64 – R4 Gi0/1 2007:C15:C0:15::6/64 – R6 Gi0/0 Section 4. (2 points) Section 4. a security policy index of 500.

2. Redistributed EIGRPv6 routes should have a metric of 5000 associated with them.3 and 225. Configure Switch 2 to assign a DSCP value of AF41 to video traffic from both of these devices.1. and do ensure that all routers have full visibility: (2 points) D 2007::/16 [90/XXXXXXXXX] via XXXX::XXXX:XXXX:XXXX:XXXX.0.225.1 and 225.0. and cannot be configured as EtherChannels. cannot form trunk links.0. and 225. The devices use TCP ports 3230–3231 and UDP ports 3230– 3235.225. Do not redistribute OSPF into EIGRPv6 to achieve this. Each router should use PIM sparse dense mode.0. (2 points) Configure R3 so that both R1 and R2 have the following IPv6 EIGRPv6 route in place. ensure that an SNMP trap is sent to an SNMP management station on 120.4 (by use of their Loopback 0 interfaces). (3 points) Configure R1 to monitor traffic forwarded through itself for traffic destined to the multicast group of 225. Tunnel0 Section 5: QoS (6 Points) Two IP video conferencing units are to be installed onto Switch 2 ports Fast Ethernet 0/15 and 0/16 on VLAN 200.100 using a community string of public.0. 225. Both R1 and R2 should be configured to be candidate RPs specifically for the following multicast groups: 225. R2.225.1.225. (3 points) Configure R2 to assign a strict-priority queue with a 40 percent reservation of the WAN bandwidth for the video conferencing traffic in the previous question.3. R3 should be configured as a mapping agent to announce the rendezvous points for the multicast network with the same boundary constraints.Ensure the area router in Area 1 receives the following route. Maximize the available bandwidth by ensuring the RTP headers within the video stream are compressed.100.3. GigabitEthernet0/0 Section 4.225.225.0.0.225. (3 points) Configure R3 to ensure R4 has a candidate RP as R1 for groups 225. R3.3: Redistribution Redistribute EIGRPv6 into OSPFv3 on R3. (3 points) Section 6: Multicast (9 Points) Configure routers R1. 
If no packet for this group is received within a single 10second interval. 225.0.100. You should limit the boundary of your multicast network so that it does propagate further into your network than R4.225. You may configure R4 to achieve this: (2 points) I 2007::/16 [110/2] via XXXX::XXXX:XXXX:XXXX:XXXX. and R4 for IPv4 multicast.0.225. and this traffic is unmarked from the devices as it enters the switch. (3 points) . The remainder of the bandwidth should be guaranteed for a default queue with WRED enabled. regardless of which area they are seen in within the OSPFv3 network.2 and R2 for groups 225. Ensure that the switch ports assigned to the devices do not participate in the usual spanning-tree checks.

Do not use the RA guard solution with untrusted ports. To prevent a potential denial-of-service (DoS) attack from a flood of SYN requests.and even-numbered VLANs to ensure that different interfaces are used on Switch 3 and Switch 4? A. the proctor will not enter into any discussions about the questions or answers. and an SSH timeout of 2 minutes and retry value of 2. Q.Section 7: Security (10 Points) Allow router R6 to passively watch the SYN connections that flow to only VLAN 63 for servers that might reside on this subnet. and apply ACLs only on the VLAN 132 interface. The ACL should timeout after 100 seconds of locally initiated TCP inactivity. The router should belong to a domain of toughtest. Q. the root bridge assignment should remain as per the first question. Not entirely. Do not use the established feature within standard ACLs to achieve this. You should ensure that your network runs a consistent version of spanning tree. the router should be configured to randomly drop SYN packets from any source to this VLAN that have not been correctly established within 20 seconds. (3 points) “Ask the Proctor” Note This section should be used only if you require clues to complete the questions. because there would not be any loops present. it should also enable ICMP traffic inbound for testing purposes. Consider a partial failure rather than a complete breakage. (2 points) Configure an ACL on R1 to allow TCP sessions generated on this router and through its Ethernet interface and to block TCP sessions from entering on its VLAN 132 interface that were not initiated on it or through it originally. Use local authentication with a username and password of cisco. Am I correct in thinking this? A. Do you just want me to configure the root and secondary root bridges into 802. Can I change the root bridge assignments of odd. surely I wouldn’t encounter spanning-tree issues.1w spanning tree? A. a key size of 768 bits. 
He or she will be present to ensure that you do not have problems with the lab environment and to maintain the timing element of the exam.uk.co. In the actual CCIE lab. No. (2 points) The network administrator has determined that IPv6 router advertisements are being sourced from routers on VLAN 34. (3 points) Configure R1 so that it can perform SCP. . If a copper Ethernet cable fails between Switch 1 and Switch 2. You may use an ACL applied in a single location in your solution. Disable these advertisements from entering and propagating on VLAN 34. Section 1: LAN Switching Q.

this route overrides the VLAN 100 and Loopback 0 routes from R1 as received on R3. Q. Q. Q.1.101. Q. a native VLAN would not facilitate transportation of multiple VLANs over the single VLAN 30 between Switch 1 and Switch 2. Is this correct? A. No. Q. you need to enable a feature that enables the more specific routes to be received on R3. Yes. Nice try. I assume you require remote span configured for R2 traffic. Q. Can I use a new EIGRP process instead? A. Yes. Can I manipulate the delay associated with network 150. Q. Is it acceptable to adjust the hold time on the Ethernet interfaces to change the hello interval? A. use a Layer 2 switch tunneling feature. No. Yes. use a feature that enables your specific routes to leak from the summary route.Q. look for a security feature to disable communication between these ports. wouldn’t a feature like UDLD be beneficial only if the connections are fiber? A. The switches are connected with Ethernet copper cables. Section 2: IPv4 IGP Protocols Section 2. Yes. you must configure a feature that will place a nontrunk link into error-disable mode if all the trunks on Switch 2 fail.0/24 because this advertisement leaves R2 rather than by changing an interface delay on R2? A. Would you like me to configure UDLD aggressive mode on Switch 2 to transition the required port to error-disable mode if a trunk failure occurs? A. If I can’t apply the summary statement directly under the interface can I apply it within the process instance? A. Are you looking for a GRE type of tunnel between switches? A. Q. No. If I configure a summary address on R1. No. Q. this information has been provided. I think I can achieve this with multiple summary routes but the question restricts this. Read the question carefully. Is it okay to send both TX and RX traffic to Switch 2? A. Would you like me to configure a native VLAN of 30 on trunks to the two new switches? A. Can I just shut down ports 0/9 and 0/10 so that they can’t communicate? A. 
this is the expected behavior of summarization. . UDLD can operate over copper Ethernet in the same manner as fiber.1: EIGRP Q.

but I don’t receive the EIGRP AS2 route on R1 after redistribution. Q.0/24? A. I’ve noticed that due to the preconfigured loopback interfaces on R1 and R3 both of these routers have the same EIGRP router ID. but the next hop is showing as R3. Is it acceptable to use a route map on R3 and match a route source to penalize the route to 120.63. Q. I’d normally use a virtual link to extend Area 0 into a transit area.3: Redistribution Q. You can use virtual links in your solution.0/24? A.63. I’ve managed to get the EIGRP AS2 route redistributed from R3 into EIGRP on R1.Section 2. Yes. this solution would involve a neighbor relationship being formed between the routers in Area 0. Can I manually change the router ID on one of the routers to see if this helps? A. No. No. No. A. Section 2. to ensure that your topology operates correctly. Can I policy route on R1 so that the next hop for this route is directly via R2? A. though. Q. Can I use the EIGRP third-party next-hop feature to leave the next hop of the route unaltered from R2? A.2: OSPF Q. Use your troubleshooting skills to determine the problem. you are permitted to configure only R3. Q. No. Can I use an offset list or similar feature on R4 to penalize the route 120. . Q.0/24 as it advertised to R3? A. Is it acceptable to provide tunnels between R4 and R5 to join Area 0? A. Yes. Can I modify the OSPF cost on the interface connecting R3 to the OSPF network to attempt to change the next hop for the subnet 120. Q. I’ve followed the redistribution instructions. this would affect routes received on R3 from both R4 and R5 equally because R4 and R5 reside on the same subnet as R3. think about where the links need to be. Can I use this technique to stretch Area 0 between R4 and R5? A.100. Yes. you must have the routing table reflect the next hop of this route via R2 and not R3.100.63. You will have some underlying issues before receiving the route on R1. Q.100.

Switch 3.Section 3: BGP Q. No. Can I use BGP ORF? A. Do you want me to trust the ports assigned to the VC units? A. You must configure a feature that overrides this behavior. Can I just configure a filter on R4 to stop advertising specific routes to R3? A. No. Section 4: IPv6 Q. Yes. Do the VC units use UDP Ports 3230 and 3235 or 3230 through 3235? A. They use the range 3230 through 3235. Q. Q. Yes. Do you want me to configure an ACL to limit BGP connections to purely inbound or outbound on TCP port 179? A. Q. No. Q. Use a BGP feature to force the peering to become directional. ensuring that the route is received as illustrated in the question. Q. investigate an alternative method to create this route from the preconfigured subnets you already have. Q. No. Can I try to use NAT to fix my peering? A. The question provides you with sufficient information to determine the redistribution type to use. use a specific BGP feature to disregard the TTL check. you must dynamically inform R4 to not advertise specific routes via R3. so there is a need to trust these ports. If I can’t use ebgp-multihop on my peering on R6. Would you like me to redistribute routes into OSPFv3 as external type 1 or type 2? A. . Q. just from R1 to R3 and from R2 to R3. These tunnels will advertise the edge networks of each router within EIGRPv6. Section 5: QoS Q. an ACL would actually break the peering entirely. will my peering fail because I am peering from my loopback interfaces? A. No. check your router ID. The VC devices are not marking the traffic. Yes. I’m experiencing peering issues between R1 and R3 and have BGP notifications displayed on the console. Would you like me to configure an additional IPv6 subnet on R4 to receive the 2007::/16 route? A. you had a similar issue within EIGRP. it will. Is this expected behavior? A. Do you want a tunnel between R1 and R2 also? A. Q. and Switch 4.

Would you like me to disable trunking. traffic destined to this group will be sent to R1 regardless because it is the candidate RP for this group. there is a specific TCP feature used to protect servers from a flood of SYN packets that could cause a DoS attack. can I just configure group lists on R3? A. If I use the bandwidth percent command on R2 in my 40-percent guaranteed reservation. but remember there is a single command that will disable all these features. but you are permitted to configure only R3. To have R1 and R2 as candidate RPs for different groups. No. Q. Section 6: Multicast Q. I have configured SCP with the required SSH parameters. No. this would block return path traffic initiated by R1.Q. is this sufficient to answer the question? A. If you were permitted to configure R1 and R2. channeling. Q. No. the question dictates that a priority queue be used. Can I use a reflexive ACL to drop SYN packets that are not correctly established by the servers? A. SYN packets should still enter into VLAN 63. Q. No. Any suggestions? . You need to configure a feature that monitors the SYN packets and closes down any half-opened connections. Yes.1 for the SNMP question? A. Q. Section 7: Security Q. this isn’t required. but I am not confident of my configuration. group lists would achieve the desired results. Group lists can assist in your solution on R3. Yes. Do you want me to actually configure an IGMP join group on R1 for 225. Can I use a reflexive ACL to dynamically permit the return traffic with a time limit of 100 seconds? A. but you need to find a method of assigning these specifically to R1 and R2.225. Yes. If I configure R1 and R2 for the same multicast groups. won’t R3 and R4 see both routers as RPs for the same groups? A. No. and spanning-tree checks on the ports assigned to the VC units? A. Q.0. Do you want me to configure an ACL to block SYN packets coming into VLAN 63? A. Q. you will address this behavior in the following question. Q. 
Can I just use a standard ACL on R1 on the VLAN 132 interface to permit sessions outbound and deny everything else inbound? A.

No. Example 2-1 SW1.46. To stop the RA. do I need to enable IPv6 on the switch? A. but each VLAN would be identical in this configuration. 63. and 200. showing you what was required and how to achieve the desired results. 53. You should use this section to produce an overall score for the practice lab.53.200 root primary SW2(config)# spanning-tree mode rapid-pvst SW2(config)# spanning-tree vlan 34. If you have time. (3 points) 802. 100.63. So. the switches will be in the default mode of standard PerVLAN Spanning Tree (PVST) and require configuration to rapid-pvst mode.46. and SW4 Configuration and Verification Click here to view code image SW1(config)# spanning-tree mode rapid-pvst SW1(config)# spanning-tree vlan 34.100.200 root secondary SW3(config)# spanning-tree mode rapid-pvst . 46. Switch 1 should be the root bridge for VLANs 34. Q. 100. but consider that it isn’t just a case of enabling it. 132.1w is a Rapid Spanning Tree. 53. I have applied the ACL blocking RA ICMPv6 from entering the switch. can I just apply it to VLAN34? A.1w spanning tree. 46. Example 2-1 also shows confirmation of the root bridge and which interfaces are used to reach the root bridge from the neighboring switches. Switch 1 is required to be the root bridge and Switch 2 the secondary root bridge for VLANs 34. If you are prompted for a password and gain access to the file. 132. with Switch 2 being the secondary root bridge for all listed VLANs. try to copy the IOS image from flash on R1 with RCP. there is an additional step for VLAN 34. Q.132. Practice Lab Debrief The section analyzes each question. you have configured this feature correctly. Section 1: LAN Switching (22 Points) Configure your switched network to use 802. Am I missing something? A. SW3. If you have configured this correctly. and 200. So. can I apply an ACL on each port that connects to each router? A.132.63. 63. Q. but I am still seeing the RAs when I debug IPv6 on the routers.100. 
the question stipulates the ACL can only be used in one location. SW2. Yes. Yes. you have earned 3 points.A. VLAN 34 is used as an example. Q.53. You must consider that by default the switch would be completely transparent to IPv6 and you would need to make the switch understand what it has to filter. as shown in Example 2-1.

SW4(config)# spanning-tree mode rapid-pvst

SW1# show spanning-tree vlan 34 | include root
This bridge is the root
SW1# show spanning-tree vlan 46 | include root
This bridge is the root
SW1# show spanning-tree vlan 53 | include root
This bridge is the root
SW1# show spanning-tree vlan 63 | include root
This bridge is the root
SW1# show spanning-tree vlan 100 | include root
This bridge is the root
SW1# show spanning-tree vlan 132 | include root
This bridge is the root
SW1# show spanning-tree vlan 200 | include root
This bridge is the root

SW2# show spanning-tree vlan 34 | include Root FWD
Fa0/23 Root FWD 19 128.25 P2p
SW3# show spanning-tree vlan 34 | include Root FWD
Fa0/19 Root FWD 19 128.21 P2p
SW4# show spanning-tree vlan 34 | include Root FWD
Fa0/21 Root FWD 19 128.23 P2p

Switch 3 should use its interface directly connecting to Switch 2 (Fast Ethernet 0/21) for traffic directed toward even-numbered VLANs (34, 46, 100, 132, 200) and the interface directly connecting to Switch 1 (Fast Ethernet 0/19) for odd-numbered VLANs (53, 63). (3 points)

This is a straightforward VLAN load-balancing question to ensure that trunk links are utilized efficiently and not logically disabled by spanning tree. Switch 3 uses the interface directly connecting to Switch 1 (Fast Ethernet 0/19) for all VLANs as the lowest root cost path by default. To adjust this behavior, this interface must effectively be penalized for the even-numbered VLANs to ensure a more attractive path is via Switch 2 (Fast Ethernet 0/21). If you have configured this correctly, as shown in Example 2-2, you have scored 3 points.

Example 2-2 SW3 VLAN Load-Balancing Configuration and Verification

SW3(config)# interface fastethernet 0/19
SW3(config-if)# spanning-tree vlan 34,46,100,132,200 cost 100
SW3(config-if)# do show spanning-tree root
                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001         32769 0013.806d.9400        19    2   20  15  Fa0/19
VLAN0034         24610 0013.806d.9400        38    2   20  15  Fa0/21
VLAN0046         24622 0013.806d.9400        38    2   20  15  Fa0/21
VLAN0053         24629 0013.806d.9400        19    2   20  15  Fa0/19
VLAN0063         24639 0013.806d.9400        19    2   20  15  Fa0/19
VLAN0100         24676 0013.806d.9400        38    2   20  15  Fa0/21
VLAN0132         24676 0013.806d.9400        38    2   20  15  Fa0/21
VLAN0200         24776 0013.806d.9400        38    2   20  15  Fa0/21

Switch 4 should use its interface directly connecting to Switch 2 (Fast Ethernet 0/19) for traffic destined toward even-numbered VLANs (34, 46, 100, 132, 200) and the interface directly connected to Switch 1 (Fast Ethernet 0/21) for odd-numbered VLANs (53, 63). (3 points)

Following from the previous question, Switch 4 uses the interface directly connecting to Switch 1 (Fast Ethernet 0/21) for all VLANs as the lowest root cost path by default, rendering the second trunk connecting to Switch 2 unused unless a failover condition occurs. As per the previous question, the directly connected interface to Switch 1 needs to be penalized for the even-numbered VLANs, to ensure a balanced access topology for VLAN load balancing. If you have configured this correctly, as shown in Example 2-3, you have scored 3 points.

Example 2-3 SW4 VLAN Load-Balancing Configuration and Verification

SW4(config)# interface fastethernet 0/21
SW4(config-if)# spanning-tree vlan 34,46,100,132,200 cost 100
SW4(config-if)# do show spanning-tree root
                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001         32769 0013.806d.9400        19    2   20  15  Fa0/21
VLAN0034         24610 0013.806d.9400        38    2   20  15  Fa0/19
VLAN0046         24622 0013.806d.9400        38    2   20  15  Fa0/19
VLAN0053         24629 0013.806d.9400        19    2   20  15  Fa0/21
VLAN0063         24639 0013.806d.9400        19    2   20  15  Fa0/21
VLAN0100         24676 0013.806d.9400        38    2   20  15  Fa0/19
VLAN0132         24676 0013.806d.9400        38    2   20  15  Fa0/19
VLAN0200         24776 0013.806d.9400        38    2   20  15  Fa0/19
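The root-port choice behind Examples 2-2 and 2-3 can be reproduced with a short model; this is an added example, not part of the original lab. It assumes the default Fast Ethernet port cost of 19, that SW2 advertises a root path cost of 19 (the value Example 2-1 shows on its root port), and a placeholder MAC address for SW2; the function names are hypothetical.

```python
import re

DEFAULT_FE_COST = 19  # short-mode STP path cost of a 100 Mb/s port


def expand_vlans(spec):
    """'34,46,100-102' -> [34, 46, 100, 101, 102] (IOS VLAN-list syntax)."""
    vlans = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.extend(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_cost_overrides(config):
    """Collect {(port, vlan): cost} from interface-level configuration text."""
    overrides, port = {}, None
    for line in config.splitlines():
        line = line.strip().lower()
        m = re.match(r"interface fastethernet\s*(\S+)$", line)
        if m:
            port = "Fa" + m.group(1)
            continue
        m = re.match(r"spanning-tree vlan (\S+) cost (\d+)$", line)
        if m and port:
            for vlan in expand_vlans(m.group(1)):
                overrides[(port, vlan)] = int(m.group(2))
    return overrides


def elect_root_ports(uplinks, vlans, overrides):
    """Return {vlan: (root port, root path cost)} for one non-root switch.

    uplinks maps a local port to (root path cost in the neighbor's BPDU,
    neighbor bridge ID). The lowest total cost wins; a tie goes to the
    lower sender bridge ID. The sender port ID tie-break is not modelled
    because each uplink here leads to a different neighbor.
    """
    chosen = {}
    for vlan in vlans:
        cost, _bridge, port = min(
            (adv + overrides.get((port, vlan), DEFAULT_FE_COST), bridge, port)
            for port, (adv, bridge) in uplinks.items()
        )
        chosen[vlan] = (port, cost)
    return chosen


VLANS = [1, 34, 46, 53, 63, 100, 132, 200]
SW1 = (24576, "0013.806d.9400")  # root primary; MAC as shown in the lab output
SW2 = (28672, "0000.0000.0002")  # root secondary; MAC is a constructed placeholder

# SW3: Fa0/19 faces the root (advertised cost 0), Fa0/21 faces SW2.
SW3_UPLINKS = {"Fa0/19": (0, SW1), "Fa0/21": (19, SW2)}
SW3_CONFIG = """
interface fastethernet 0/19
 spanning-tree vlan 34,46,100,132,200 cost 100
"""


def sw3_root_ports(config=SW3_CONFIG):
    return elect_root_ports(SW3_UPLINKS, VLANS, parse_cost_overrides(config))


if __name__ == "__main__":
    for vlan, (port, cost) in sw3_root_ports().items():
        print(f"VLAN{vlan:04d}  cost {cost:3d}  root port {port}")
```

A penalty of exactly 38 on Fa0/19 would only tie the two paths, and the tie resolves toward the root's lower bridge ID, so the direct link would stay the root port; the penalized cost has to exceed 38, which the lab's value of 100 does.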

Ensure that a cable fault between Switches 1 and 2 could not result in one-way traffic between the two switches, resulting in spanning-tree issues. (2 points)

Unidirectional Link Detection (UDLD) detects unidirectional links on fiber-optic connections. UDLD also detects unidirectional links because of one-way traffic on twisted-pair links, in aggressive mode. If you configure the ports between Switch 1 and Switch 2 into aggressive mode, the switches become UDLD neighbors, can detect one-way links, and shut down the link if this condition arises to mitigate spanning-tree issues. If you have configured this correctly, as shown in Example 2-4, you have scored 2 points.

Example 2-4 SW1 and SW2 UDLD Configuration and Verification

SW1(config)# interface fastethernet 0/23
SW1(config-if)# udld port aggressive

SW2(config)# interface fastethernet 0/23
SW2(config-if)# udld port aggressive

SW1# show udld fastethernet 0/23
Interface Fa0/23
---
Port enable administrative configuration setting: Enabled / in aggressive mode
Port enable operational state: Enabled / in aggressive mode
Current bidirectional state: Bidirectional
Current operational state: Advertisement - Single neighbor detected
Message interval: 15
Time out interval: 5
Entry 1
---
Expiration time: 44
Cache Device index: 1
Current neighbor state: Bidirectional
Device ID: CAT0935N2GQ
Port ID: Fa0/23
Neighbor echo 1 device: CAT0911X17K
Neighbor echo 1 port: Fa0/23
Message interval: 15
Time out interval: 5
CDP Device name: SW2

Configure Switch 1 and Switch 2 to allow connectivity of two further switches in the future to be connected to ports Fast Ethernet 0/18 on each switch. The new switches should be able to tunnel their own configured VLANs through a new VLAN (30) between Switch 1 and Switch 2. There is no requirement to configure a root bridge or VLAN load balancing for the new VLAN between Switch 1 and Switch 2. If your ports are shut down by initial configuration, it would be worth enabling them to protect your points. (4 points)

This is a service provider requirement whereby customers tunnel their own VLANs through the provider's network. To mitigate any VLAN overlaps from other customers, a unique service provider VLAN is used to transport the customer VLANs. Example 2-5 shows VLAN 30 being used to transport VLANs over a dot1q-tunnel. Use the show dot1q-tunnel command to verify your tunnel configuration on your switches. If you have configured this correctly, as shown in Example 2-5, you have scored 4 points.

Example 2-5 SW1 and SW2 Q in Q Configuration

SW1(config)# vlan 30
SW1(config-vlan)# exit
SW1(config)# interface fastethernet 0/18
SW1(config-if)# switchport access vlan 30
SW1(config-if)# switchport mode dot1q-tunnel

SW2(config)# vlan 30
SW2(config-vlan)# exit
SW2(config)# interface fastethernet 0/18
SW2(config-if)# switchport access vlan 30
SW2(config-if)# switchport mode dot1q-tunnel

Configure your switched network to monitor the VLAN 200 interface associated with R2 (Switch 2 Fast Ethernet 0/1) and send only traffic destined to R2 on this switch port across your network to Switch 3 port Fast Ethernet 0/17; use a new VLAN (20) to assist in this configuration. There is no requirement to configure a root bridge or VLAN load balancing for the new VLAN. If your ports are shut down by initial configuration, it would be worth enabling them to protect your points. (3 points)

This is a remote span question. The only complexity is based around the question statement of where you actually need to monitor: “traffic destined to R2.” This means that you need to configure the span parameters to only send the traffic transmitted out of the switch port toward R2, which is configured by the tx parameter. If this optional parameter is not configured, both transmit and receive traffic is monitored. Remote span requires a VLAN to propagate the span traffic between switches, which is why you need to configure VLAN 20 on both Switches 1 and 2. If you have configured this correctly, as shown in Example 2-6, you have scored 3 points.

Example 2-6 SW2 and SW3 Remote Span Configuration and Verification

SW2(config)# vlan 20
SW2(config-vlan)# remote-span
SW2(config-vlan)# exit
SW2(config)# monitor session 1 source interface fastethernet 0/1 tx
SW2(config)# monitor session 1 destination remote vlan 20
SW2(config)# do show monitor session 1
Session 1
---------
Type : Remote Source Session
Source Ports :
TX Only : Fa0/1
Dest RSPAN VLAN : 20

SW3(config)# vlan 20
SW3(config-vlan)# exit
SW3(config)# monitor session 1 source remote vlan 20
SW3(config)# monitor session 1 destination interface fast 0/17
SW3(config)# do show monitor session 1
Session 1
---------
Type : Remote Destination Session
Source RSPAN VLAN : 20
Destination Ports : Fa0/17
Encapsulation : Native
Ingress : Disabled

Configure the interface on Switch 2, which connects to R5 VLAN 53 (Fast Ethernet 0/5) in such a way that if all the trunks on Switch 2 connecting to Switch 1, Switch 3, and Switch 4 should fail, this Ethernet port transitions into error-disable state. (3 points)

The question requires link-state tracking to be configured. This feature provides redundancy in the network when used with server NIC adapter teaming. If a link is lost on the primary interface, connectivity is transparently switched to the secondary interface. Ports connected to servers are configured as downstream ports, and ports connected to other switches are configured as upstream ports. If the upstream trunk ports on Switch 2 fail, link-state tracking automatically puts the downstream port connected to R5 into error-disable state. Example 2-7 shows the associated configuration and testing by shutting down the trunk ports on Switch 2, which connects to Switch 1, Switch 3, and Switch 4, which forces the Fast Ethernet downstream port into error-disable state. If you have configured this correctly, as shown in Example 2-7, you have scored 3 points.

Example 2-7 SW2 Link-State Tracking Configuration and Verification

SW2(config)# link state track 1
SW2(config)# interface fast0/5
SW2(config-if)# link state group 1 downstream
SW2(config-if)# interface fastethernet 0/19
SW2(config-if)# link state group 1 upstream
SW2(config-if)# interface fastethernet 0/21
SW2(config-if)# link state group 1 upstream
SW2(config-if)# interface fastethernet 0/23
SW2(config-if)# link state group 1 upstream

SW2# show interface fastethernet 0/5 | include connected
fastethernet0/5 is up, line protocol is up (connected)

SW2(config-if)# int fast 0/19
SW2(config-if)# shut
SW2(config-if)# int fast 0/21
SW2(config-if)# shut
SW2(config-if)# int fast 0/23
SW2(config-if)# shut

SW2# show interface fastethernet 0/5 | include err-disabled
fastethernet0/5 is down, line protocol is down (err-disabled)

Configure interfaces Fast Ethernet 0/9 and 0/10 on Switch 1 so that even if they are configured to belong to the same VLAN they cannot forward unicast, broadcast, or multicast traffic to one another. Do not use any form of ACL or configure the ports to belong to a PVLAN. (1 point)

You are required to configure the interfaces with the command switchport protected to ensure that no traffic is forwarded between these ports. Traffic is forwarded as normal between a protected and an unprotected port. If you have configured this correctly, you have scored 1 point.

Section 2: IPv4 IGP Protocols (26 Points)

Section 2.1: EIGRP

Configure EIGRP per Figure 2-5 using an instance name of CCIE and autonomous system of 1. Each EIGRP router should have its Loopback 0 interface configured and advertised within EIGRP. (2 points)

Use vanilla EIGRP with a virtual instance configuration in preparation for the following questions. If you have configured this correctly, as shown in Example 2-8, you have scored 2 points.

Example 2-8 EIGRP Configuration and Verification

R1(config)# router eigrp CCIE
R1(config-router)# address-family ipv4 unicast autonomous-system 1
R1(config-router-af)# net 120.100.1.0 0.0.0.255

0 0. which is .0/16 outbound on its VLAN132 interface.0 [90/156160] via 120.2.255 R5(config)# router eigrp CCIE R5(config-router)# address-family ipv4 unicast autonomous-system 1 R5(config-router-af)# network 120.100.100.100.0. R3 should see the original VLAN 100 and Loopback 0 individual routes in addition to the summary route.0. GigabitEthernet0/0 D 120.100.123.3.0.255 R1# sh ip route eigrp 120.0.34. (3 points) Summarization will by default block all longer prefixes covered by the supernet configured on an interface.100.0 0.3.0.3.0 0.255 R3(config-router-af)# network 120.255 R5(config-router-af)# network 120. 00:23:32.0.0.0 [90/30720] via 120.5.100.0.5.0.100. 00:23:32. but the question does not permit this approach. 00:23:32.255 R4(config-router)# router eigrp CCIE R4(config-router)# address-family ipv4 unicast autonomous-system 1 R4(config-router-af)# network 120.0 [90/158720] via 120.123.100.0.255 R3(config-if)# router eigrp CCIE R3(config-router)# address-family ipv4 unicast autonomous-system 1 R3(config-router-af)# network 120.100.0.255 R1(config-router-af)# net 120.0 0.123.100.2.255 R2(config-router-af)# network 120.0. GigabitEthernet0/0 D 120.0 0.100.0.100.123.0 [90/30720] via 120.0.200.100.100. The leak map.0 0.255 R3(config-router-af)# network 120.4. One method used to achieve this is by configuring multiple summary routes. 00:23:32.100.123.0 0.0.3.34.2.2.0.0 0. the VLAN 100 and Loopback 0 route from R1 would not be seen by R3.100. a leak map should be configured to match the VLAN 100 and Loopback 0 interfaces on R1.34.100.0 0.0 0.0.255 R2(config)# router eigrp CCIE R2(config-router)# address-family ipv4 unicast autonomous-system 1 R2(config-router-af)# network 120. You can only use one summary route in your configuration.34.100.0.123. Do not apply the summary configuration directly to the interface.0. GigabitEthernet0/0 Configure R1 to advertise a summary route of 120. 00:23:32.0 0.0 [90/156160] via 120.0.100. GigabitEthernet0/0 D 120.123.123. therefore. 
GigabitEthernet0/0 D 120.100.100.255 R2(config-router-af)# network 120.0.3. GigabitEthernet0/0 D 120. Allowing specific routes to be advertised with summary routes can be a valid requirement.0.0/24 is subnetted.0.0.123. To facilitate the specific routes with the summary.200.R1(config-router-af)# net 120.0.100. 9 subnets D 120.100.100.0.100.3. 00:23:32.255 R4(config-router-af)# network 120.4.0.100.0 [90/158720] via 120.0 0.

0. and R3 is 200 seconds.0/24 [90/156160] via 120. Example 2-9 R1 Leak Map Configuration and Verification Click here to view code image R1(config)# route-map LEAK-VLAN-100-LOOP0 permit 10 R1(config-route-map)# match ip address 1 R1(config-route-map)# exit R1(config)# access-list 1 permit 120.100.configured per a normal route map. 00:23:32.0. GigabitEthernet0/1 D 120.1. Because you cannot apply the summary configuration directly to the interface as per earlier EIGRP configuration.0 R1(config)# access-list 1 permit 120.123.100. GigabitEthernet0/1 Ensure that the length of time that EIGRP considers neighbors to be valid without receiving a hello packet on the VLAN 132 network between R1. as shown in Example 2-9.123. 10 subnets. GigabitEthernet0/1 D 120.100.0 255.100.100. 2 masks D 120. Do not change the hello-interval parameter. R2.0/24 [90/156160] via 120.1.0. 00:23:32.0/16 [90/30720] via 120.100.1.34.1.0/24 [90/156160] via 120.100.0/24 [90/30720] via 120. 00:23:32. You could usually tune the hold time by manipulating the hello intervals on an interface.123. 00:23:32. and hello packets will be sent every 5 seconds. (2 points) EIGRP considers neighbors to be valid up to three times the hello interval.100.0/24 [90/30720] via 120.0.0.100. you must apply it to the address family af-interface within the Enhanced Interior Gateway Routing Protocol (EIGRP) instance.123.100.100.123. but this question ensures that you can achieve the desired result only by manually changing the hold time to 200 under the .100.100.0/8 is variably subnetted.5.100. GigabitEthernet0/1 D 120.100.200.2. GigabitEthernet0/1 D 120. 00:23:32.4.34. the VLAN 132 network is a high-speed link. is then applied to the standard summary route statement on R1. 00:00:53.100.100.0 leak-map LEAK-VLAN-100-LOOP0 R3# show ip route eigrp R3# show ip route eigrp 120.100. 00:23:32. GigabitEthernet0/0 D 120. 
GigabitEthernet0/0 D 120.0/24 [90/156160] via 120.0 R1(config)# router eigrp CCIE R1(config-router)# address-family ipv4 unicast autonomous-system 1 R1(config-router-af)# af-interface Gigabit0/0 R1(config-router-af-interface)# summary-address 120. you have scored 3 points.100.5. If you have configured this correctly.4.1.255.2.2.

123.VLAN 132 interfaces of routers R1.1/24 on both routers. Ensure that R3 prefers the route from R1 by manipulating the delay associated with this route. and you are permitted to configure only R2 to influence the delay.5 00:23:32 1 200 0 120.1.100. Do not manually adjust the delay associated with the interface by use of the delay command. R2.101. If the offset list is not applied to the VLAN 132 interface. one per line. R2(config)# interface fastethernet0/0 R2(config-if)# ip hold-time eigrp 1 200 R2(config-if) R3(config)# interface GigabitEthernet0/0 R3(config-if)# ip hold-time eigrp 1 200 R3(config-if)# do sh ip eigrp neighbors IP-EIGRP neighbors for process 1 H Address Interface Uptime SRTT RTO Q Seq End with CNTL/Z.100. therefore. as shown in Example 2-10 (either directly under the interfaces or within the EIGRP address family af-interface).34. but this is not permitted. the only method available is to create an offset list. both routes will be stored in the topology and routing table. and R3. R2 could influence the metric calculated by R3 by manipulating the delay of the new loopback interface or of the Ethernet interface connecting to R3. Example 2-10 shows the required configuration and verification of hold time by displaying the neighbors’ statistics as seen by R3.100.123. (3 points) R3 will receive identical routes from both R1 and R2 for network 150. advertise this network into EIGRP on each router. Example 2-10 EIGRP Hold-Time Configuration and Verification Click here to view code image R1(config)# interface GigabitEthernet0/0 R1(config-if)# ip hold-time eigrp 1 200 R1(config-if) Enter configuration commands. If you have configured this correctly. it would affect the whole process and not just advertisements .2 00:01:00 3 200 1 120.100.34.4 00:23:35 35 210 0 25 0 18 0 21 0 22 Gi0/1 198 Gi0/1 199 Gi0/0 12 Gi0/0 12 (ms) Cn Configure new loopback interfaces on R1 and R2 using a Loopback 2 interface with an identical IP address of 150.0/24. 
Hold (sec) t Num 3 120.1 00:00:57 3 200 2 120. Because configuration is required solely on R2.1. which enables you to match specific routes and append further delay to them as they are advertised on R2 toward R3. you have scored 2 points.101.

255. minimum MTU 1500 bytes Loading 1/255.255.0 0. you have scored 3 points.101.100. from 120. distance 90.101. 00:00:23 ago.0.1. minimum bandwidth is 100000 Kbit Reliability 255/255.1.1. If you have configured this correctly.0.1.101. the route installed into the routing table of R3 is then the original advertised from R1 with the more appealing value of 5100μS.100.0 R2(config-if)# router eigrp CCIE R2(config-router)# address-family ipv4 unicast autonomous-system 1 R2(config-router)# net 150.0/24 Known via "eigrp 1".123.255.255.1.255 R2(config)# interface Loopback2 R2(config-if)# ip address 150.1. as shown in Example 2-11. Post configuration of the offset list on R2.0/24 State is Passive. minimum bandwidth is 100000 Kbit Reliability 255/255.255. the delay is seen to increase to 5103μS for the route received from R2.1 255. therefore. 2 Successor(s).100.255.0 0.101. Example 2-11 shows the configuration required to advertise the new routes and the routes as they are received on R3.2.123. type internal Redistributing via eigrp 1 Last update from 120. traffic share count is 1 Total delay is 5100 microseconds. FD is .1. via fastethernet1/1 Route metric is 156160.101.0 R1(config-if)# router eigrp CCIE R1(config-router)# address-family ipv4 unicast autonomous-system 1 R1(config-router-af)# net 150.0 255. Initial delay is shown to be 5100μS.101.0.123. Example 2-11 EIGRP Configuration and Verification Click here to view code image R1(config)# interface Loopback2 R1(config-if)# ip address 150. minimum MTU 1500 bytes Loading 1/255.1.255 R3# show ip route 150.100.101. Hops 1 R3# show ip eigrp topology 150.1.0 IP-EIGRP (AS 1): Topology entry for 150.100. Hops 1 * 120.1.101.toward R3.0 Routing entry for 150.123. Query origin flag is 1. 00:00:23 ago.2 on fastethernet1/1. traffic share count is 1 Total delay is 5100 microseconds.2.1 255.0. 00:00:23 ago Routing Descriptor Blocks: 120.123. via fastethernet1/1 Route metric is 156160. metric 156160. from 120.

1. metric 156160.100.100. minimum bandwidth is 100000 Kbit Reliability 255/255.0 R2(config)# router eigrp CCIE R2(config-router)# address-family ipv4 unicast autonomous-system 1 R2(config-router-af)# topology base R2(config-router-af)# offset-list 1 out 100 fastethernet0/0 R3# show ip route 150. 00:00:17 ago Routing Descriptor Blocks: * 120.2.1. Send flag is 0x0 . from 0x0 Composite metric is (156160/128256).0/24 Known via "eigrp 1".1 on GigabitEthernet0/1. 00:00:17 ago.2 (GigabitEthernet0/1). traffic share count is 1 Total delay is 5100 microseconds.1. Vector metric: Minimum bandwidth is 100000 Kbit Total delay is 5100 microseconds Reliability is 255/255 Load is 1/255 Minimum MTU is 1500 Hop count is 1 120.100.1.123.100. FD is 156160 Routing Descriptor Blocks: 120.123. Query origin flag is 1. R2(config)# access-list 1 permit 150.1. from 120.123.100.101.101.1. Vector metric: Minimum bandwidth is 100000 Kbit Total delay is 5100 microseconds Reliability is 255/255 Load is 1/255 Minimum MTU is 1500 Hop count is 1 120.100.123. Send flag is Route is Internal 120.255. Send flag is Route is Internal R2# show interface Fast0/0 | include DLY MTU 1500 bytes. from 0x0 Composite metric is (156160/128256).0/24 State is Passive. minimum MTU 1500 bytes Loading 1/255.123. BW 100000 Kbit/sec.100.123. via GigabitEthernet0/1 Route metric is 156160.123.1.101. Hops 1 R3# show ip eigrp topology 150.100.0 Routing entry for 150. distance 90. from 120.1 (GigabitEthernet0/1).0 IP-EIGRP (AS 1): Topology entry for 150. DLY 100 usec. 1 Successor(s).156160 Routing Descriptor Blocks: 120.101. type internal Redistributing via eigrp 1 Last update from 120.123.0 255.1 (GigabitEthernet0/1).255.1.1.100.123.101.

2. and advertise this and only this network to R3 from R2.Composite metric is (156160/128256).0 0.1 255. Example 2-12 R2 and R3 EIGRP AS2 Configuration and Verification Click here to view code image R2(config)# interface Loopback3 R2(config-if)# ip add 150. Route is Internal Vector metric: Minimum bandwidth is 100000 Kbit Total delay is 5103 microseconds Reliability is 255/255 Load is 1/255 Minimum MTU is 1500 Hop count is 1 Configure EIGRP with a new instance name of CCIE2 between R2 and R3 over VLAN 132 with an autonomous system of 2 and 256-bit encryption with a password of lake2aho3.0.1/24. Example 2-16 shows the basic EIGRP configuration on R2 and R3 with HMAC authentication.101.0 R2(config-if)# router eigrp CCIE2 R2(config-router)# address-family ipv4 unicast autonomous-system 2 R2(config-router-af)# af-interface default R2(config-router-af-interface)# authentication mode hmac-sha-256 0 lake2aho3 R2(config-router-af-interface)# exit R2(config-router-af)# network 150. The only twist to the question is to perform authentication without the need for further configuration should there be additional peering to AS2.255 . Route is Internal Vector metric: Minimum bandwidth is 100000 Kbit Total delay is 5100 microseconds Reliability is 255/255 Load is 1/255 Minimum MTU is 1500 Hop count is 1 120.255.2.100. as shown in Example 2-12. from 120. Send flag is 0x0 Composite metric is (156260/128356).0.123.0.0 0.255. (2 points) This straightforward configuration within a new EIGRP instance facilitates subsequent redistribution between EIGRP AS1 to AS2. Configure a new loopback interface on R2 (Loopback 3) with an IP address of 150.123.101.100.2.255 R2(config-router-af)# network 120.123. you have scored 2 points.100.2 (GigabitEthernet0/1).101. The simple fix to this is to apply authentication to all interfaces using the af-interface default command. Any additional connections to AS2 should be encrypted using the same password without further configuration on R2 and R3.0. 
If you have configured this correctly.2.

Consider using the show ip ospf interface command to verify your configuration.100.2. GigabitEthernet0/1 Section 2.123.0.2.2: OSPF Configure OSPF per Figure 2-6 using a process ID of 1. Did you notice that Area 0 is partitioned? If you have configured this correctly. you have scored 2 points. 00:00:25. the switches still require configuration under the OSPF process running this version of IOS. Example 2-13 Initial OSPF Configuration Click here to view code image R4(config)# interface Loopback 0 R4(config-if)# ip ospf 1 area 0 R4(config-if)# exit R4(config)# interface GigabitEthernet 0/1 R4(config-if)# ip ospf 1 area 1 R5(config)# interface Loopback 0 R5(config-if)# ip ospf 1 area 0 R5(config-if)# exit R5(config)# interface GigabitEthernet 0/1 . all OSPF configuration where possible should not be configured under the process ID. 2 subnets D 150.123.101.0/24 is subnetted.101.0 [90/156160] via 120. the question directs you to configure OSPF directly under the interfaces of the routers. as shown in Example 2-13.0 R3(config-router-af)# sh ip route eigrp 2 150. Each OSPF router should also have its Loopback 0 interface configured and advertised within OSPF as follows: (2 points) R4 Loopback 0 – Area 0 R5 Loopback 0 – Area 0 R6 Loopback 0 – Area 1 SW1 Loopback 0 – Area 2 SW2 Loopback 0 – Area 1 SW3 Loopback 0 – Area 2 SW4 Loopback 0 – Area 3 As per Lab 1.R3(config)# router eigrp CCIE2 R3(config-router)# address-family ipv4 unicast autonomous-system 2 R3(config-router-af)# af-interface default R3(config-router-af-interface)# authentication mode hmac-sha-256 0 lake2aho3 R3(config-router-af-interface)# exit R3(config-router-af)# network 120.100.

By then creating an additional virtual link between R6 and Switch 3.3 0. ensure that your network can accommodate this issue.1 0.1 0.0.0.R5(config-if)# ip ospf 1 area 2 R6(config)# interface Loopback 0 R6(config-if)# ip ospf 1 area 1 R6(config-if)# interface GigabitEthernet 0/0 R6(config-if)# ip ospf 1 area 1 R6(config-if)# interface GigabitEthernet 0/1 R6(config-if)# ip ospf 1 area 3 SW1(config)# ip routing SW1(config)# router ospf 1 SW1(config-router)# network 120.100.2 0.0.0 area 3 Area 0 is partitioned between R4 and R5.0 area 2 SW3(config-router)# network 120. (4 points) A fundamental rule of the Open Shortest Path First (OSPF) Protocol is not to design your network with a partitioned backbone Area 0 or partition if of a failure condition occurs.0.3 0.53.0.63.0. the two effective halves of the network have been joined at an Area 0 level. Remember to configure all virtual links to the router ID of the remote router as opposed to the physical IP address on the corresponding interface.0 area 2 SW1(config-router)# network 120.8.53.100.0.1 0.100.100.100. If you have configured this correctly.100. The resulting routing table verification on Switch 4 shows all networks are being learned correctly post configuration.0.10.0. A tunnel between the two routers is also not permitted because this would form a direct neighbor relationship.4 0. as shown in Example 2-14.9. you have scored 4 points.0.0. .0 area 3 SW3(config-router)# network 120.0.1 0. You are required to configure a virtual link between R5 and Switch 3 to propagate Area 3 routes and similarly between R4 and R6.0 area 1 SW2(config-router)# net 120. You are not permitted to form any Area 0 neighbor relationship directly between R4 and R5 to join Area 0.0.0.100.0.46.0 area 2 SW2(config)# ip routing SW2(config-if)# router ospf 1 SW2(config-router)# net 120.0 area 2 SW4(config)# ip routing SW4(config)# router ospf 1 SW4(config-router)# network 120.0.1 0. 
Example 2-14 shows the required configuration to create virtual links between R5-SW3.100. A virtual link between R4 and R5 would not work here because you would need to transit multiple OSPF areas.0 area 3 SW4(config-router)# network 120. R4-R6. and R6-SW3.7.0.63.0.0 area 1 SW3(config)# ip routing SW3(config)# router ospf 1 SW3(config-router)# network 120.100.

1 R6(config-if)# router ospf 1 R6(config-router)# area 1 virtual-link 120.1 R4(config)# router ospf 1 R4(config-router)# area 1 virtual-link 120. Vlan63 O IA 120.1 R6(config-router)# area 3 virtual-link 120.5.53. The AS2 route of 150.100.5. 00:00:54. This is due to an inherent safety mechanism within EIGRP that will cause redistribution issues with routers that have duplicate EIGRP router IDs.46.101.100. Vlan63 O IA 120.200.100.63.6.63.63. Vlan63 O IA 120.6. Vlan63 O IA 120.101.9.100.8. Perform configuration only on R3 for this task.200. which will force the router ID to be identical.9.4. Example 2-15 shows the redistribution configuration on R3.3: Redistribution Perform a one-way redistribution of EIGRP AS2 into EIGRP AS1 on R3 using the following default metric: 1544 20000 255 1 1500. Ensure that R1 shows a next hop for the AS1 advertised route of 150.200.100.1/32 [110/3] via 120.6.100. Pre-lab configuration ensured that both R1 and R3 have the same Loopback 255 IP address. Inspection of the EIGRP topology table for the route on R3 shows that it is being advertised into EIGRP and that the router ID of R3 is 200. you would believe the only complexity would be that of modifying the next-hop attribute for R1. (3 points) This is a simple redistribution question.9.1/32 [110/3] via 120.63.3. Vlan63 O IA O IA 120. 00:00:54.6.100.0. which would by default show as R3 for the AS2 route advertised by R2.Example 2-14 OSPF Virtual-Link Configuration and Routing Table Verification Click here to view code image R5(config)# router ospf 1 R5(config-router)# area 2 virtual-link 120. 00:00:54.100. 00:00:55. If you .100.100. Vlan63 120. Vlan63 Section 2. 00:00:54.100. In fact.1 SW3(config-if)# router ospf 1 SW3(config-router)# area 3 virtual-link 120.100. you would find that the AS2 route would not be seen on R1 post redistribution from R3.0/8 is variably subnetted.1/32 [110/2] via 120.1/32 [110/3] via 120.0.100.200.4.100.63. 00:00:54.1 SW4# sh ip route ospf 120. 
similarly.1 SW3(config-router)# router ospf 1 SW3(config-router)# area 2 virtual-link 120.100.63. 00:00:54.0/24 is received on R3 but is absent on R1. Vlan63 O IA 120. 00:00:54.1/32 [110/3] via 120.100. 2 masks O IA 120. Upon inspection. the router ID of R1 is also 200.100.100.0/24 of R2.100.100.3.3.200.6.200.0/24 [110/2] via 120.63.100.6.2.7. 10 subnets.6.3.1/32 [110/2] via 120.63.100.2.0/24 [110/2] via 120.

100.0/24 State is Passive.123.200.2.101.100. FD is 156160 Routing Descriptor Blocks: 120.2. Send flag is 0x0 Composite metric is (156160/0). Route is Internal Vector metric: Minimum bandwidth is 100000 Kbit Total delay is 5100 microseconds Reliability is 255/255 Load is 1/255 . as shown in Example 2-15.2.100.101. Route is External Vector metric: Minimum bandwidth is 100000 Kbit Total delay is 5100 microseconds Reliability is 255/255 Load is 1/255 Minimum MTU is 1500 Hop count is 1 External data: Originating router is 200.1).200.2. from 120. FD is 156160 Routing Descriptor Blocks: 120.0 % Subnet not in table R3# show ip eigrp topology 150. Query origin flag is 1.100. the route is then accepted by R1. even though R2 resides on the same IP subnet as R1 and R2 and is the originating router.2. 1 Successor(s).0/24 State is Passive.101.3.change the router ID of R3 to that of its Loopback 0 interface (120. but of course a next hop is shown as R3.101.0/24 IP-EIGRP (AS 1): Topology entry for 150. If you have configured this correctly. The EIGRP third-party next-hop feature can be used to modify the next-hop attribute with a router redistributing another routing protocol into EIGRP in a similar manner to that of BGP.123. Query origin flag is 1.123. external metric is 156160 Administrator tag is 0 (0x00000000) IP-EIGRP (AS 2): Topology entry for 150.200 (this system) AS number of route is 2 External protocol is EIGRP.2. Send flag is 0x0 Composite metric is (156160/128256). 1 Successor(s).2 (GigaEthernet0/1). you have scored 3 points. Example 2-15 R3 EIGRP Redistribution Configuration and Verification Click here to view code image R3(config)# router eigrp CCIE R3(config-router)# address-family ipv4 unicast autonomous-system 1 R3(config-router-af)# topology base R3(config-router-af-topology)# redistribute eigrp 2 R1# show ip route 150. from Redistributed.

101.100.0/24 State is Passive.123.3.Minimum MTU is 1500 Hop count is 1 R3# show ip eigrp topology | include ID IP-EIGRP Topology Table for AS(1)/ID(200. Query origin flag is 1. external metric is 156160 Administrator tag is 0 (0x00000000) IP-EIGRP (AS 2): Topology entry for 150.1 (this system) AS number of route is 2 External protocol is EIGRP. Route is External Vector metric: Minimum bandwidth is 100000 Kbit Total delay is 5100 microseconds Reliability is 255/255 Load is 1/255 Minimum MTU is 1500 Hop count is 1 External data: Originating router is 120.2.3. Query origin flag is 1.101.2.2 (GigabitEthernet0/1).1) R3# show ip eigrp topology 150.2.0 .2. Send flag is 0x0 Composite metric is (156160/128256).100.2.200.200.2.200) R1# show ip eigrp topology | include ID IP-EIGRP Topology Table for AS(1)/ID(200.100.1 R3# show ip eigrp topology | include ID IP-EIGRP Topology Table for AS(1)/ID(120.0/24 IP-EIGRP (AS 1): Topology entry for 150.200) IP-EIGRP Topology Table for AS(2)/ID(200.200.200.100. 1 Successor(s).100.200) R1# R3(config)# router eigrp CCIE R3(config-router)# address-family ipv4 unicast autonomous-system 1 R3(config-router-af)# eigrp router-id 120. FD is 156160 Routing Descriptor Blocks: 120.123.200. Route is Internal Vector metric: Minimum bandwidth is 100000 Kbit Total delay is 5100 microseconds Reliability is 255/255 Load is 1/255 Minimum MTU is 1500 Hop count is 1 R1# show ip route 150. Send flag is 0x0 Composite metric is (156160/0).101.100. from 120.200.123. from Redistributed.101.3.0/24 State is Passive. 1 Successor(s). FD is 156160 Routing Descriptor Blocks: 120.

100. via GigabitEthernet0/0 Route metric is 158720.123. (2 points) This is an unambiguous redistribution question that sets the scene for the question that follows.101. metric 158720. type external Redistributing via eigrp 1 Last update from 120.123.100.2.101. traffic share count is 1 Total delay is 5200 microseconds.100. traffic share count is 1 Total delay is 5200 microseconds. from 120. minimum MTU 1500 bytes Loading 1/255. Hops 1 Perform mutual redistribution of EIGRP AS1 and OSPF on R4 and R5.101.2. via GigabitEthernet0/0 Route metric is 158720.3.0/24 Known via "eigrp 1". distance 170.100. Use a metric of 5000 for redistributed routes into OSPF. type external Redistributing via eigrp 1 Last update from 120.Routing entry for 150. there are multiple routes with load-sharing potential. Example 2-16 R4 and R5 Redistribution Configuration and Verification on R3 Click here to view code image R4(config-router)# router ospf 1 R4(config-router)# redistribute eigrp 1 subnets . 00:03:06 ago Routing Descriptor Blocks: * 120. minimum bandwidth is 100000 Kbit Reliability 255/255. distance 170.2. minimum bandwidth is 100000 Kbit Reliability 255/255. which should appear as external type 2 routes and the following K values for OSPF rotes redistributed into EIGRP: 1544 20000 255 1 1500. Hops 1 R3(config)# router eigrp CCIE R3(config-router)# address-family ipv4 unicast autonomous-system 1 R3(config-router-af)# af-interface GigabitEthernet0/1 R3(config-router-af-interface)# no next-hop-self R1# show ip route 150.100. Because the metrics are identical on R4 and R5. If you have configured this correctly.3.123.0 Routing entry for 150.100.123.3 on GigabitEthernet0/0. minimum MTU 1500 bytes Loading 1/255.2 on Gigabit0/0. Example 2-16 shows the required configuration on R4 and R5 with verification of external EIGRP received routes on R3.123. metric 158720. 00:00:24 ago. 00:00:24 ago Routing Descriptor Blocks: * 120.2. 00:03:06 ago. 
you have scored 2 points.0/24 Known via "eigrp 1".123.3. from 120.

GigabitEthernet0/0 D 120. GigabitEthernet0/0 D EX 120.100.100. 00:05:05. GigabitEthernet0/1 D 120.4.123. Gigabit0/1 120.101.34.10.100.5.9.0/24 [90/2297856] via 120.34. GigabitEthernet0/0 [170/6780416] via 120.1/32 [170/6780416] via 120. GigabitEthernet0/1 D 120. 00:05:07.100.4.100. GigabitEthernet0/0 D EX 120.5.5.100. 00:00:22.34. 00:00:22. 00:00:22.5.4. GigabitEthernet0/0 D EX 120. GigabitEthernet0/0 D 120.34.1/32 [170/6780416] via 120.34.123.34.34.100.4. GigabitEthernet0/0 D EX 120.100.2. 00:07:17.1. 00:07:17.0/16 [90/2172416] via 120. GigabitEthernet0/0 [170/6780416] via 120. 00:00:24.34.5.100.4. 00:00:22. GigabitEthernet0/0 [170/6780416] via 120. 00:01:51.100.100.34. 00:00:22.100.123.1/32 [170/6780416] via 120.4.0. 3 masks D EX 120. 00:00:24.R4(config-router)# default-metric 5000 R4(config-router)# router eigrp CCIE R4(config-router)# address-family ipv4 unicast autonomous-system 1 R4(config-router-af)# topology base R4(config-router-af-topology)# redistribute ospf 1 R4(config-router-af-topology)# default-metric 1544 20000 255 1 1500 R5(config-router)# router ospf 1 R5(config-router)# redistribute eigrp 1 subnets R5(config-router)# default-metric 5000 R5(config-router)# router eigrp CCIE R5(config-router)# address-family ipv4 unicast autonomous-system 1 R5(config-router-af)# topology base R5(config-router-af-topology)# redistribute ospf 1 R5(config-router-af-topology)# default-metric 1544 20000 255 1 1500 R3# show ip route eigrp 150.123.100.100.100.34.8. 00:00:23.0.63.34.5.0/24 is subnetted.34. GigabitEthernet0/0 [170/6780416] via 120.4.0/24 [90/156160] via 120.0. GigabitEthernet0/0 D 120.100.5. 00:00:23. GigabitEthernet0/0 [170/6780416] via 120. 00:05:07.0/8 is variably subnetted.6.5.1/32 [170/6780416] via 120.34.0/24 [90/156160] via 120.1/32 [170/6780416] via 120.100.2.100. GigabitEthernet0/0 .100.0/24 [170/6780416] via 120.34.100.1. GigabitEthernet0/0 D EX 120.1/32 [170/6780416] via 120.0/24 [90/2297856] via 120.1. 00:00:24.100.0.100.5.100. 
00:00:22.100.4.100.7.1.4. 20 subnets.0 [90/2297856] via 120. GigabitEthernet0/0 D EX 120.100.5.100.1/32 [170/6780416] via 120. 00:00:23. 00:00:24.100.4. GigabitEthernet0/0 [170/6780416] via 120.101.100.34.100.34.100. 00:05:07. GigabitEthernet0/1 D EX 120.100. 2 subnets D 150.100.1.

123.4) should be used dynamically. via GigabitEthernet0/0 Route metric is 6780416.0 Routing entry for 120.100.63. minimum MTU 1500 bytes .4. you have scored 3 points. 00:01:59 ago.123. you can increase the metric for the required route (120.0/24 [90/2172416] via 120. This simply enables the original route received from R5 to take precedence. By configuring a route map on R3 to match only the route source of R4. If this route fails. Example 2-17 shows the required configuration and verification that the route is preferred via the R5.100.34.100.100.100.100. traffic share count is 1 Total delay is 200100 microseconds. GigabitEthernet0/0 [170/6780416] via 120. as shown in Example 2-17.34.100.D EX D EX D D 120.5.100.0/24 Known via "eigrp 1". Similarly.34.100.34.46.0/24 (VLAN 63). GigabitEthernet0/0 [170/6780416] via 120. GigabitEthernet0/0 120. the interface connecting to R4 or R5 cannot be modified on R3 because this would affect both routes. The topology table shows that the R4 route is also present and that R4 is effectively the feasible successor for this network on this router.100. metric 6780416. GigabitEthernet0/1 120.100. (3 points) Example 2-20 shows both routes for 120.1. 00:00:24.34. Because all routers share a common media. Example 2-17 also details the routing tables of each device to confirm redistribution from EIGRP into OSPF or vice versa.100. from 120. minimum bandwidth is 1544 Kbit Reliability 255/255. Configure only R3 to ensure that R3 routes via a next hop of R5 (120. 00:00:24. GigabitEthernet0/1 R3 will have equal-cost external EIGRP routes to the redistributed OSPF subnet 120.4. GigabitEthernet0/0 120. 00:00:24. Example 2-17 R3 OSPF Redistribution Configuration and Verification Click here to view code image R3# show ip route 120.5. the route advertised from R4 (120.0/24 [170/6780416] via 120.0/24 [90/2172416] via 120.2.0/24 [170/6780416] via 120. 00:05:08.34.34.5. 
type external Redistributing via eigrp 1 Last update from 120.63.0/24 received on R3 from R4 and R5.5) for this destination subnet.100. If the route from R5 is withdrawn. If you have configured this correctly. an offset list to manipulate delay would be of no use because you are permitted to configure only R3.5 on GigabitEthernet0/0.200.63.63. 00:01:59 ago Routing Descriptor Blocks: 120.100.100.100.53.5.0/24).100.100.100.34. distance 170.63.100. 00:00:24. 00:05:07. You will need a second permit statement on the route map (permit 20) to enable all other routes inbound to R3 to enter unaltered. You are therefore required to penalize the route received from R4 only to ensure that the R5-generated route is preferred on R3. the route from R5 would enter the routing table automatically.34.100.

type external Redistributing via eigrp 1 Last update from 120. minimum bandwidth is 1544 Kbit Reliability 255/255.100.63. minimum MTU 1500 bytes Loading 1/255.4 R3(config)# access-list 2 permit 120.100.100.63. 00:00:21 ago Routing Descriptor Blocks: * 120.0/24 Known via "eigrp 1".34. Route is External Vector metric: Minimum bandwidth is 1544 Kbit Total delay is 200100 microseconds Reliability is 255/255 Load is 1/255 Minimum MTU is 1500 .0 R3(config)# router eigrp CCIE R3(config-router)# address-family ipv4 unicast autonomous-system 1 R3(config-router-af)# topology base R3(config-router-af-topology)# distribute-list route-map PENALISEVLAN63 in GigabitEthernet0/0 R3(config-router-af-topology)# exit R3(config-router-af)# exit R3(config-router)# exit R3(config)# route-map PENALISE-VLAN63 permit 10 R3(config-route-map)# match ip address 2 R3(config-route-map)# match ip route-source 1 R3(config-route-map)# set metric +500000 R3(config-route-map)# route-map PENALISE-VLAN63 permit 20 R3# show ip route 120.63.5.255.100.100.0 IP-EIGRP (AS 1): Topology entry for 120. Send flag is 0x0 Composite metric is (6780416/6777856).0 Routing entry for 120. Hops 1 R3(config)# access-list 1 permit 120. from 120.63. 00:01:59 ago.34.34. via GigabitEthernet0/0 Route metric is 6780416. from 120. Hops 1 R3# show ip eigrp topology 120.100. via GigabitEthernet0/0 Route metric is 6780416.34.63. Hops 1 * 120. 1 Successor(s).100.100. from 120.5 (GigabitEthernet0/0). Query origin flag is 1.4. traffic share count is 1 Total delay is 200100 microseconds.Loading 1/255.34.34.4. FD is 6780416 Routing Descriptor Blocks: 120.34.5. 00:00:21 ago. minimum bandwidth is 1544 Kbit Reliability 255/255.5.5 on GigabitEthernet0/0.100.34. metric 6780416. distance 170.100. traffic share count is 1 Total delay is 200100 microseconds.255. minimum MTU 1500 bytes Loading 1/255.100.100.0/24 State is Passive.100.0 255.

100. of course. unlike AS100 to AS200 and AS300. the peering fails inbound and outbound from AS400. from 120. Example 2-18 shows the basic .1 AS number of route is 1 External protocol is OSPF. and SW4 for the required peering allows the peering to be formed successfully. The only way to fix this is to use a feature that disables connection verification to establish an external BGP (eBGP) peering session with a single-hop peer that uses a loopback interface. but it is considered good practice when you have more than one peer with a similar peering configuration.5. SW4-SW3. be required for the peering from AS400 to AS300 and AS400 to AS200 because loopback interfaces are used for the external peering here. R5-SW3. Do not use the command ebgp-multihop within your configurations.100. R4-R6. SW3. This feature would. Section 3: BGP (15 Points) Configure BGP peering per Figure 2-7 as follows: iBGP R1-R3. The question does not dictate that you must configure peer groups. Use of the command neighbor disable-connected-check on R6. R2-R3. Send flag is 0x0 Composite metric is (128000000/6777856).100. R4. (3 points) The restrictions within the internal Border Gateway Protocol (iBGP) peering require you to configure R3.4.Hop count is 1 External data: Originating router is 120. The question does. and R5 as route reflectors within their own autonomous system. Route is External Vector metric: Minimum bandwidth is 20 Kbit Total delay is 0 microseconds Reliability is 0/255 Load is 0/255 Minimum MTU is 0 Hop count is 1 External data: Originating router is 120.multihop. R5-SW1.4 (GigabitEthernet0/0). Autosummarization is disabled to ensure BGP does not summarize routes.34. Use loopback interfaces to peer on all routers with the exception of peering between R3-R4 and R3-R5. which peer from connected interfaces. external metric is 2 Administrator tag is 0 (0x00000000) 120. Without ebgp-multihop. R6-SW4. eBGP R3-R4. R4-SW2.4. 
external metric is 2 Administrator tag is 0 (0x00000000) Note The full IP routing tables of each device are provided within the accompanying configurations to verify your redistributed routes.1 AS number of route is 1 External protocol is OSPF.100. dictate that you must not use ebgp.34. however. and synchronization is disabled because the internal gateway protocol (IGP) will not be synchronized to BGP within this lab. R3-R5.

3.3. the eBGP failure condition observed on peering to and from AS400.100.34.4 remote-as 200 neighbor 120. and the required configuration to rectify the condition.1 remote-as 100 neighbor 120.8.100.2.1 update-source Loopback0 R3(config)# router R3(config-router)# R3(config-router)# R3(config-router)# R3(config-router)# R3(config-router)# R3(config-router)# R3(config-router)# R3(config-router)# R3(config-router)# R3(config-router)# bgp 100 no auto-summary no synchronization neighbor AS100 peer-group neighbor AS100 remote-as 100 neighbor AS100 update-source Loopback0 neighbor 120.1.100.1 peer-group AS200 neighbor 120.34.peering configuration for BGP.1 peer-group AS100 neighbor 120.3.3 remote-as 100 R5(config)# router R5(config-router)# R5(config-router)# R5(config-router)# R5(config-router)# R5(config-router)# R5(config-router)# R5(config-router)# bgp 300 no auto-summary no synchronization neighbor AS300 peer-group neighbor AS300 remote-as 300 neighbor AS300 update-source Loopback0 neighbor AS300 route-reflector-client neighbor 120. you have scored 3 points.1 peer-group AS300 .100.1 peer-group AS200 neighbor 120.100.100.100.34.5 remote-as 300 R4(config)# router R4(config-router)# R4(config-router)# R4(config-router)# R4(config-router)# R4(config-router)# R4(config-router)# R4(config-router)# R4(config-router)# R4(config-router)# R4(config-router)# bgp 200 router bgp 200 no auto-summary no synchronization neighbor AS200 peer-group neighbor AS200 remote-as 200 neighbor AS200 update-source Loopback0 neighbor AS200 route-reflector-client neighbor 120.100.100.1 remote-as 100 neighbor 120. If you have configured this correctly.1 peer-group AS100 neighbor AS100 route-reflector-client neighbor 120.1 update-source Loopback0 R2(config)# router R2(config-router)# R2(config-router)# R2(config-router)# R2(config-router)# bgp 100 no auto-summary no synchronization neighbor 120. 
Example 2-18 BGP Peering Configuration and Verification Click here to view code image R1(config)# router R1(config-router)# R1(config-router)# R1(config-router)# R1(config-router)# bgp 100 no auto-summary no synchronization neighbor 120.100.6.3.100.7.100.

R5(config-router)# neighbor 120.100.9.1 peer-group AS300
R5(config-router)# neighbor 120.100.34.3 remote-as 100
R6(config)# router bgp 200
R6(config-router)# no auto-summary
R6(config-router)# no synchronization
R6(config-router)# neighbor 120.100.4.1 remote-as 200
R6(config-router)# neighbor 120.100.4.1 update-source Loopback0
R6(config-router)# neighbor 120.100.10.1 remote-as 400
R6(config-router)# neighbor 120.100.10.1 update-source Loopback0

SW1(config)# router bgp 300
SW1(config-router)# no auto-summary
SW1(config-router)# no synchronization
SW1(config-router)# neighbor 120.100.5.1 remote-as 300
SW1(config-router)# neighbor 120.100.5.1 update-source Loopback0

SW2(config)# router bgp 200
SW2(config-router)# no auto-summary
SW2(config-router)# no synchronization
SW2(config-router)# neighbor 120.100.4.1 remote-as 200
SW2(config-router)# neighbor 120.100.4.1 update-source Loopback0

SW3(config)# router bgp 300
SW3(config-router)# no auto-summary
SW3(config-router)# no synchronization
SW3(config-router)# neighbor 120.100.5.1 remote-as 300
SW3(config-router)# neighbor 120.100.5.1 update-source Loopback0
SW3(config-router)# neighbor 120.100.10.1 remote-as 400
SW3(config-router)# neighbor 120.100.10.1 update-source Loopback0

SW4(config)# router bgp 400
SW4(config-router)# no auto-summary
SW4(config-router)# no synchronization
SW4(config-router)# neighbor 120.100.6.1 remote-as 200
SW4(config-router)# neighbor 120.100.6.1 update-source Loopback0
SW4(config-router)# neighbor 120.100.9.1 remote-as 300
SW4(config-router)# neighbor 120.100.9.1 update-source Loopback0

SW4# sh ip bgp neigh 120.100.6.1 | include External
External BGP neighbor not directly connected.
SW4# show ip bgp neighbors 120.100.9.1 | include External
External BGP neighbor not directly connected.
SW4#
SW4# sh ip bgp neighbors 120.100.6.1 | include active
No active TCP connection
SW4# sh ip bgp neighbors 120.100.9.1 | include active
No active TCP connection

SW4(config-router)# neighbor 120.100.6.1 disable-connected-check
SW4(config-router)# neighbor 120.100.9.1 disable-connected-check
R6(config-router)# neighbor 120.100.10.1 disable-connected-check

SW3(config-router)# neighbor 120.100.10.1 disable-connected-check
SW4# show ip bgp neighbors 120.100.6.1 | include Established
BGP state = Established, up for 00:02:01
SW4# show ip bgp neighbors 120.100.9.1 | include Established
BGP state = Established, up for 00:02:05

You will also find peering issues between R1 and R3. Example 2-19 shows the routers
informing each other that they have an incorrect BGP identifier. This is simply because both
routers have an identical loopback interface address of 200.200.200.200, which is used as the
BGP identifier. By changing the ID of one router, the peering is established. It does not matter
what you change the ID to, but it needs to be unique; the Loopback 0 interface would be a good
choice. No extra points are awarded for this task because it is part of the original peering.
Example 2-19 R1 and R3 Peering Issue Configuration and Verification

R1# * 19:30:13.287: %BGP-3-NOTIFICATION: sent to neighbor 120.100.3.1 2/3 (BGP identifier wrong) 4 bytes C8C8C8C8
R3# * 19:25:30.043: %BGP-3-NOTIFICATION: received from neighbor 120.100.1.1 2/3 (BGP identifier wrong) 4 bytes C8C8C8C8
R1# show ip bgp summary | include identifier
BGP router identifier 200.200.200.200, local AS number 100
R3# show ip bgp summary | include identifier
BGP router identifier 200.200.200.200, local AS number 100
R1(config-router)# bgp router-id 120.100.1.1
*19:34:45.467: %BGP-5-ADJCHANGE: neighbor 120.100.3.1 Up
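
The NOTIFICATION lines in Example 2-19 already carry the diagnosis: code 2/3 is an OPEN Message Error with subcode Bad BGP Identifier, and the 4 data bytes C8C8C8C8 are the rejected router ID. The following Python sketch is an added example, not part of the lab solution; it decodes those log lines and cross-checks them against the show ip bgp summary output, and its function names are hypothetical.

```python
import ipaddress
import re

# NOTIFICATION error codes and OPEN Message Error subcodes as defined in RFC 4271.
ERROR_CODES = {
    1: "Message Header Error",
    2: "OPEN Message Error",
    3: "UPDATE Message Error",
    4: "Hold Timer Expired",
    5: "Finite State Machine Error",
    6: "Cease",
}
OPEN_SUBCODES = {
    1: "Unsupported Version Number",
    2: "Bad Peer AS",
    3: "Bad BGP Identifier",
    4: "Unsupported Optional Parameter",
    6: "Unacceptable Hold Time",
}

NOTIFICATION_RE = re.compile(
    r"%BGP-3-NOTIFICATION: (?P<direction>sent to|received from) neighbor "
    r"(?P<neighbor>\S+) (?P<code>\d+)/\s*(?P<subcode>\d+) \((?P<text>[^)]*)\) "
    r"(?P<length>\d+) bytes (?P<data>[0-9A-Fa-f]+)"
)
IDENTIFIER_RE = re.compile(
    r"BGP router identifier (?P<rid>\d+\.\d+\.\d+\.\d+), local AS number (?P<asn>\d+)"
)

# Log lines from Example 2-19, with the wrapped lines joined.
LOG_LINES = [
    "R1# * 19:30:13.287: %BGP-3-NOTIFICATION: sent to neighbor 120.100.3.1 "
    "2/3 (BGP identifier wrong) 4 bytes C8C8C8C8",
    "R3# * 19:25:30.043: %BGP-3-NOTIFICATION: received from neighbor 120.100.1.1 "
    "2/3 (BGP identifier wrong) 4 bytes C8C8C8C8",
]
# "show ip bgp summary | include identifier" output per router, from the same example.
SUMMARIES = {
    "R1": "BGP router identifier 200.200.200.200, local AS number 100",
    "R3": "BGP router identifier 200.200.200.200, local AS number 100",
}


def parse_notification(line):
    """Decode one %BGP-3-NOTIFICATION line; return None if the line is something else."""
    m = NOTIFICATION_RE.search(line)
    if m is None:
        return None
    code, subcode = int(m["code"]), int(m["subcode"])
    data = bytes.fromhex(m["data"])
    if len(data) != int(m["length"]):
        raise ValueError("data length does not match the logged byte count")
    detail = OPEN_SUBCODES.get(subcode) if code == 2 else None
    event = {
        "direction": m["direction"],
        "neighbor": m["neighbor"],
        "error": ERROR_CODES.get(code, f"unknown code {code}"),
        "detail": detail or f"subcode {subcode}",
        "data": data,
    }
    # For Bad BGP Identifier, the data bytes in these logs are the rejected router ID.
    if (code, subcode) == (2, 3) and len(data) == 4:
        event["rejected_identifier"] = str(ipaddress.IPv4Address(data))
    return event


def duplicate_router_ids(summaries):
    """Map each router ID used by more than one router to the routers using it."""
    by_id = {}
    for router, line in summaries.items():
        m = IDENTIFIER_RE.search(line)
        if m:
            by_id.setdefault(m["rid"], []).append(router)
    return {rid: sorted(names) for rid, names in by_id.items() if len(names) > 1}


def diagnose(log_lines, summaries):
    """Return (neighbor, rejected router ID, routers sharing that ID) per notification."""
    dupes = duplicate_router_ids(summaries)
    findings = []
    for line in log_lines:
        event = parse_notification(line)
        if event and "rejected_identifier" in event:
            rid = event["rejected_identifier"]
            findings.append((event["neighbor"], rid, dupes.get(rid, [])))
    return findings


if __name__ == "__main__":
    for neighbor, rid, routers in diagnose(LOG_LINES, SUMMARIES):
        print(f"neighbor {neighbor}: router ID {rid} rejected, shared by {routers}")
```
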

Routers R1 and R2 in AS100 should be made to passively accept only BGP sessions. R3
should be configured to actively create only BGP sessions to R1 and R2 within AS100. (3
points)
By default, a BGP speaker attempts to open a session on TCP port 179 with each configured peer;
as a result, a normal peering arrangement sees two sessions being established to build a
successful neighbor relationship. This behavior can be modified so that sessions are established
only inbound or only outbound. The solution to the question is achieved by configuring the
neighbor transport connection-mode to passive (only inbound connections will be established)
on R1 and R2 and active (only outbound sessions will be established) on R3. You must manually
activate each neighbor on each router for the solution to work effectively. If you have
configured this correctly, as shown in Example 2-20, you have scored 3 points. Consider
using the show ip bgp summary command to verify your configuration.
Example 2-20 R1, R2, and R3 Connection Mode Configuration

R1(config)# router bgp 100
R1(config-router)# neighbor 120.100.3.1 transport connection-mode passive
R1(config-router)# neighbor 120.100.3.1 activate
R2(config)# router bgp 100
R2(config-router)# neighbor 120.100.3.1 transport connection-mode passive
R2(config-router)# neighbor 120.100.3.1 activate
R3(config)# router bgp 100
R3(config-router)# neighbor AS100 transport connection-mode active
R3(config-router)# neighbor 120.100.1.1 activate
R3(config-router)# neighbor 120.100.2.1 activate

Configure the following loopback interfaces on R3 and SW4; advertise these networks
into BGP using the network command: (2 points)
R3 – Loopback interface 5 (152.100.100.1/24)
SW4 – Loopback interface 5 (152.200.32.1/24)
SW4 – Loopback interface 6 (152.200.33.1/24)
SW4 – Loopback interface 7 (152.200.34.1/24)
SW4 – Loopback interface 8 (152.200.35.1/24)
This simple question creates BGP routes for the following task. If you have configured this
correctly, as shown in Example 2-21, you have scored 2 points.
Example 2-21 R3 and SW4 Network Advertisement Configuration and Verification

R3(config)# interface Loopback5
R3(config-if)# ip address 152.100.100.1 255.255.255.0
R3(config-if)# router bgp 100
R3(config-router)# network 152.100.100.0 mask 255.255.255.0
SW4(config)# interface Loopback5
SW4(config-if)# ip address 152.200.32.1 255.255.255.0
SW4(config-if)# interface Loopback6
SW4(config-if)# ip address 152.200.33.1 255.255.255.0

SW4(config-if)# interface Loopback7
SW4(config-if)# ip address 152.200.34.1 255.255.255.0
SW4(config-if)# interface Loopback8
SW4(config-if)# ip address 152.200.35.1 255.255.255.0
SW4(config-if)# router bgp 400
SW4(config-router)# network 152.200.32.0 mask 255.255.255.0
SW4(config-router)# network 152.200.33.0 mask 255.255.255.0
SW4(config-router)# network 152.200.34.0 mask 255.255.255.0
SW4(config-router)# network 152.200.35.0 mask 255.255.255.0
R3# show ip bgp
BGP table version is 10, local router ID is 200.200.200.200
Status codes: s suppressed, d damped, h history, * valid, > best, i internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 152.100.100.0/24 0.0.0.0                  0         32768 i
*  152.200.32.0/24  120.100.34.4                           0 200 400 i
*>                  120.100.34.5                           0 300 400 i
*  152.200.33.0/24  120.100.34.4                           0 200 400 i
*>                  120.100.34.5                           0 300 400 i
*  152.200.34.0/24  120.100.34.4                           0 200 400 i
*>                  120.100.34.5                           0 300 400 i
*  152.200.35.0/24  120.100.34.4                           0 200 400 i
*>                  120.100.34.5                           0 300 400 i

Configure R3 to inform R4 that it does not want to receive routes advertised from SW4
for networks 152.200.33.0/24, 152.200.34.0/24, and 152.200.35.0/24. Achieve this in
such a manner that R4 does not actually advertise these routes toward R3. You may also
configure R4. (4 points)
BGP has a prefix-based outbound route filtering (ORF) mechanism in which peers send and receive
capabilities to minimize the BGP updates sent between them. Advertising the ORF capability
indicates that a peer will accept a prefix list from a neighbor and apply it locally, which
avoids the unnecessary sending of routes that would be blocked by the receiver anyway. R3 is
therefore configured with a prefix list that blocks the required routes generated from SW4,
and this prefix list is sent via ORF to R4. R4 is configured to receive this prefix list via
ORF, and the routes are blocked outbound at R4. Example 2-22 shows the required ORF and
prefix-list filtering with the resulting outbound advertisement on R4. The BGP table on R3 is
also displayed, showing that the routes are no longer being received from R4 and are received
solely from R5. If you have configured this correctly, as shown in Example 2-22, you have
scored 4 points.
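
To see what R4 does with the prefix list it receives from R3 via ORF, the following Python sketch (an added example, not part of the lab solution) evaluates a FILTER list with first-match semantics against the four SW4 networks. The list entries are written for the three networks named in the task plus a permit-all entry; the function names and the /25 test route in the usage note are constructed for illustration.

```python
import ipaddress
import re

ENTRY_RE = re.compile(
    r"ip prefix-list (?P<name>\S+) seq (?P<seq>\d+) (?P<action>permit|deny) "
    r"(?P<prefix>\S+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)

# Prefix list R3 pushes to R4: deny the three task networks, permit everything else.
FILTER_CONFIG = """
ip prefix-list FILTER seq 5 deny 152.200.33.0/24
ip prefix-list FILTER seq 10 deny 152.200.34.0/24
ip prefix-list FILTER seq 15 deny 152.200.35.0/24
ip prefix-list FILTER seq 20 permit 0.0.0.0/0 le 32
"""

# The four loopback networks SW4 advertises into BGP (Example 2-21).
SW4_ROUTES = [
    "152.200.32.0/24",
    "152.200.33.0/24",
    "152.200.34.0/24",
    "152.200.35.0/24",
]


def parse_prefix_list(config):
    """Parse 'ip prefix-list' lines into entries ordered by sequence number."""
    entries = []
    for raw in config.strip().splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m is None:
            raise ValueError(f"not a prefix-list entry: {raw!r}")
        net = ipaddress.ip_network(m["prefix"])
        ge = int(m["ge"]) if m["ge"] else None
        le = int(m["le"]) if m["le"] else None
        if ge is None and le is None:
            # No ge/le: the route's prefix length must equal the entry's exactly.
            low = high = net.prefixlen
        else:
            low = ge if ge is not None else net.prefixlen
            high = le if le is not None else net.max_prefixlen
        entries.append({"seq": int(m["seq"]), "action": m["action"],
                        "net": net, "low": low, "high": high})
    return sorted(entries, key=lambda e: e["seq"])


def evaluate(entries, route):
    """Return (action, seq) of the first matching entry; implicit deny if none match."""
    candidate = ipaddress.ip_network(route)
    for e in entries:
        same_family = candidate.version == e["net"].version
        if (same_family and candidate.subnet_of(e["net"])
                and e["low"] <= candidate.prefixlen <= e["high"]):
            return e["action"], e["seq"]
    return "deny", None


def advertised(entries, routes):
    """Routes the ORF receiver would still send after applying the received list."""
    return [r for r in routes if evaluate(entries, r)[0] == "permit"]


if __name__ == "__main__":
    plist = parse_prefix_list(FILTER_CONFIG)
    for route in SW4_ROUTES:
        print(route, evaluate(plist, route))
    print("R4 still advertises to R3:", advertised(plist, SW4_ROUTES))
```

Because the deny entries carry no ge or le keyword, they match only the exact /24; a longer prefix inside one of those networks, such as the constructed 152.200.33.128/25, falls through to the permit at seq 20.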
Example 2-22 BGP ORF Configuration and Verification

34.IGP.5 152.0/24 0.0.200. Normally you would prepend the same autonomous system number multiple times within the same permit statement. d damped.32.34.33.0/0 le 32 R4(config)# router bgp 200 R4(config-router)# neighbor 120.10.200.100.34. The route map may contain multiple permit statements.32. or so it seems.1 Status codes: s suppressed. * valid.4 prefix-list FILTER in R3(config)# ip prefix-list FILTER seq 5 deny 152.4 120.0/24 Next Hop 120.100.0.33.0/24 R3(config)# ip prefix-list FILTER seq 10 deny 152.100.0.R3(config)# router bgp 100 R3(config-router)# neighbor 120. the network is received on R3 . r RIB-failure.IGP.100.100.3 capability orf prefix-list receive R4(config-router)# exit R4(config)# exit R4# show ip bgp neighbors 120. h history.34.34.200. e .0 152.incomplete Network *>i152. so you are forced to use multiple permit statements with the same autonomous system prepend statement. (3 points) This is a simple autonomous system path prepend question.0/24 R3(config)# ip prefix-list FILTER seq 15 deny 152. e .35.32.200. > best.34.0/24 120. ? .200.100.100.5 Metric LocPrf Weight Path 0 32768 i 0 200 400 0 300 400 0 300 400 0 300 400 0 300 400 i i i i i Configure a route map on R5 that prepends its local autonomous system an additional two times for network 152.100.incomplete *> *> * *> *> *> Network Next Hop 152.200. but the question restricts this.34. ? .200.3 advertised-routes BGP table version is 17.0/24 120. local router ID is 120.200.0/24 when advertised to R3.0/24 120. After configuration of the route map to prepend the route on R5 twice. d damped.34.EGP.34.0.200. r RIB-failure.34.200.100. > best. S Stale Origin codes: i .4 capability orf prefix-list send R3(config-router)# neighbor 120. Example 2-22 shows the route 152. h history. i internal.35.100. but only one prepend is permitted per line.100. 
* valid.5 152.0/24 R3(config)# ip prefix-list FILTER seq 20 permit 0.32.1 Metric LocPrf Weight Path 0 100 0 400 i Total number of prefixes 1 R3# clear ip bgp * R3# show ip bgp BGP table version is 6.0/24 120. S Stale Origin codes: i . local router ID is 200.200.5 152.0/24 as received initially on R3 from R5 with an autonomous system path of 300-400.4. i internal.200.200 Status codes: s suppressed.EGP.100.34.100.

200.0/24 120.200 Status codes: s suppressed.200 Status codes: s suppressed.0/24 0.200.5 152.34. you have scored 3 points. By configuring a continue 20 statement within the permit 10 line. in fact. r RIB-failure.0/24 120.34.incomplete *> *> * *> *> *> Network Next Hop 152.200. h history.100.IGP. but the question requests an “additional” two times.200.100.0.0/24 120.0 152.100.100. i internal. so the permit 20 statement is never actually executed.0 R5(config)# route-map PREPEND permit 10 R5(config-route-map)# match ip address 1 R5(config-route-map)# set as-path prepend 300 R5(config-route-map)# route-map PREPEND permit 20 R5(config-route-map)# match ip address 1 R5(config-route-map)# set as-path prepend 300 R5(config-route-map)# route-map PREPEND permit 30 R3# show ip bgp BGP table version is 6. and the route map will then not evaluate any additional route map entries and simply drops out. * valid.5 Metric LocPrf Weight Path 0 32768 i 0 200 400 0 300 400 0 300 400 0 300 400 0 300 400 i i i i i R5(config)# router bgp 300 R5(config-router)# neighbor 120.34. d damped. r RIB-failure.IGP.34. The problem is that the route map permit 10 statement on R3 has been executed.200. This might look like the route has indeed been prepended twice.0/24 120.with an autonomous system path of 300-300-400. Example 2-23 R5 Prepend Configuration and Verification Click here to view code image R3# show ip bgp BGP table version is 6. > best. i internal.0. as shown in Example 2-23. e . d damped.5 152. S Stale Origin codes: i .34. If you have configured this correctly. the router is forced to evaluate the permit 20 line.200.200. ? . h history.100.200.incomplete Network Next Hop Metric LocPrf Weight Path .EGP.32.33.200. local router ID is 200. > best.100.100.100. local router ID is 200. S Stale Origin codes: i . Rather than dropping out of the route map after successful execution of the permit 10 statement.3 route-map PREPEND out R5(config-router)# exit R5(config)# access-list 1 permit 152. 
* valid.34.EGP.34. ? .4 120.35.5 152. the route has been prepended only once. the final verification within Example 2-23 shows the route received on R3 with successful prepend applied by R5.32. e .

200.100.200.100.100.5 120.200.0/24 *> 152.33.35.0/24 Next Hop 0.34.100. S Stale Origin codes: i .EGP. local router ID is 200.34.100.200.34.*> 152.incomplete Network *> 152.32.0/24 *> 152.0.32.34.34.34.200 Status codes: s suppressed.34.100.4 120.5 0 32768 i 0 200 400 i 0 300 300 0 300 400 i 0 300 400 i 0 300 400 i R5(config)# route-map PREPEND permit 10 R5(config-route-map)# continue 20 R3# clear ip bgp * R3# show ip bgp BGP table version is 6.100.100.34.200.34.200. tunnel specifics are provided in later questions.5 Metric LocPrf Weight Path 0 32768 i 0 200 400 i 0 300 300 120.0/24 * 400 i *> 152.100.200.100.0/24 *> 152.0 120.200.0. ? .5 120.0/24 *> 152.34.0.5 120. h history.5 120. r RIB-failure.100.35.200. e . Example 2-24 shows the initial IPv6 configuration.0 120.0.34.5 0 300 400 i 0 300 400 i 0 300 400 i Section 4: IPv6 (12 Points) Configure IPv6 addresses on your network as follows: 2007:C15:C0:10::1/64 – R1 Gi0/1 2007:C15:C0:11::1/64 – R1 tunnel0 2007:C15:C0:11::3/64 – R3 tunnel0 2007:C15:C0:12::2/64 – R2 tunnel0 2007:C15:C0:12::3/64 – R3 tunnel1 2007:C15:C0:13::2/64 – R2 fe0/1 2007:C15:C0:14::3/64 – R3 Gi0/0 2007:C15:C0:14::4/64 – R4 Gi0/0 2007:C15:C0:14::5/64 – R5 Gi0/0 2007:C15:C0:15::4/64 – R4 Gi0/1 2007:C15:C0:15::6/64 – R6 Gi0/0 The prerequisite to the following questions is configuration of the IPv6 addresses and tunnel interfaces. * valid.0/24 *> 152.200.0/24 0. > best.100. d damped.33.34. i internal.100.4 120. so just creating the tunnel interfaces and configuring an IPv6 address is required .IGP.0/24 * 300 400 i *> 152.5 120.0/24 *> 152.100.

at this point. No points are on offer here for this task, unfortunately. Consider using the show ipv6 interfaces brief command for a quick check of your interface configuration.

Example 2-24 IPv6 Initial Configuration

R1(config)# ipv6 unicast-routing
R1(config)# interface GigabitEthernet0/1
R1(config-if)# ipv6 address 2007:C15:C0:10::1/64
R1(config-if)# interface tunnel0
R1(config-if)# ipv6 address 2007:C15:C0:11::1/64

R2(config)# ipv6 unicast-routing
R2(config)# interface fastethernet 0/1
R2(config-if)# ipv6 address 2007:C15:C0:13::2/64
R2(config-if)# interface tunnel0
R2(config-if)# ipv6 address 2007:C15:C0:12::2/64

R3(config)# ipv6 unicast-routing
R3(config)# int GigabitEthernet0/0
R3(config-if)# ipv6 address 2007:C15:C0:14::3/64
R3(config-if)# interface tunnel0
R3(config-if)# ipv6 address 2007:C15:C0:11::3/64
R3(config-if)# interface tunnel1
R3(config-if)# ipv6 address 2007:C15:C0:12::3/64

R4(config)# ipv6 unicast-routing
R4(config)# interface GigabitEthernet0/0
R4(config-if)# ipv6 address 2007:C15:C0:14::4/64
R4(config-if)# interface GigabitEthernet0/1
R4(config-if)# ipv6 address 2007:C15:C0:15::4/64

R5(config)# ipv6 unicast-routing
R5(config)# interface GigabitEthernet0/0
R5(config-if)# ipv6 address 2007:C15:C0:14::5/64

R6(config)# ipv6 unicast-routing
R6(config)# interface GigabitEthernet0/0
R6(config-if)# ipv6 address 2007:C15:C0:15::6/64

Section 4.1: EIGRPv6

Configure EIGRPv6 with an autonomous system of 6 between R1, R2, and R3. Build your tunnels from R1 to R3 and R2 to R3 with source interfaces from VLAN 132 to advertise IPv6 edge networks from each router using ipv6ip mode. EIGRPv6 should not be enabled directly under the interfaces of the routers. (2 points)

1 tunnel mode ipv6ip interface Tunnel1 R3(config-if)# tunnel source Gigabit0/1 R3(config-if)# tunnel destination 120. If you have configured this correctly.3 R1(config-if)# tunnel mode ipv6ip R1(config-if)# router eigrp CCIE R1(config-router)# address-family ipv6 unicast autonomous-system 6 R1(config-router-af)# af-interface Tunnel0 R1(config-router-af-interface)# no shutdown R1(config-router-af-interface)# af-interface Gigabit0/1 R1(config-router-af-interface)# no shutdown R2(config-if)# interface Tunnel0 R2(config-if)# tunnel source fastethernet0/0 R2(config-if)# tunnel destination 120.100.123.100. which will actually belong to the OSPFv3 domain passive within EIGRPv6 as a matter of good practice.This is a straightforward EIGRPv6 configuration that requires the autonomous system number of 6 enabled by the address-family ipv6 command under the existing EIGRP process as opposed to enabling EIGRPv6 under each interface.100.2 R3(config-if)# tunnel mode ipv6ip R3(config-if)# router eigrp CCIE R3(config-router)# address-family ipv6 unicast autonomous-system 6 R3(config-router-af)# af-interface GigabitEthernet0/0 R3(config-router-af-interface)# passive-interface . which provides connectivity from R3 to R2 and R1.3 R2(config-if)# tunnel mode ipv6ip R2(config-if)# router eigrp CCIE R2(config-router)# address-family ipv6 unicast autonomous-system 6 R2(config-router-af)# af-interface Tunnel0 R2(config-router-af-interface)# no shutdown R2(config-router-af-interface)# af-interface fastethernet0/1 R2(config-router-af-interface)# no shutdown R3(config-if)# R3(config-if)# R3(config-if)# R3(config-if)# tunnel source Gigabit0/1 tunnel destination 120.123. you have scored 2 points. The tunnel mode of ipv6ip is supplied within the question for the manually configured IPv6 tunnel. Example 2-25 EIGRPv6 Configuration and Verification Click here to view code image R1(config-if)# interface Tunnel0 R1(config-if)# tunnel source Gigabit0/0 R1(config-if)# tunnel destination 120. 
as shown in Example 2-25.123. The source interfaces of each tunnel are the VLAN 132 Ethernet interfaces. You should ensure that you make the IPv6-enabled interface on R3.100.123.

MIPv6 I1 .Per-user Static route. OI . R . B . M . OE1 .OSPF inter. OE2 . ON2 . Tunnel1 .Connected. Tunnel0 D 2007:C15:C0:13::/64 [90/297270016] via FE80::7864:7C02.Per-user Static route.RIP.EIGRP. L . Tunnel0 R3# show ipv6 route eigrp IPv6 Routing Table . L . IA . I2 .Local.ISIS interarea.OSPF NSSA ext 1.OSPF ext 2 ON1 .OSPF NSSA ext 1.OSPF intra. ON2 .OSPF ext 1. OE1 . IA . IS .OSPF ext 1.Local.Local. IS .OSPF ext 2 ON1 . R .MIPv6 I1 .ISIS L1. EX . ON2 .OSPF intra. Tunnel0 R2# show ipv6 route eigrp IPv6 Routing Table . Tunnel0 D 2007:C15:C0:13::/64 [90/310070016] via FE80::7864:7B03.OSPF NSSA ext 1. S . IA .ISIS summary O .8 entries Codes: C .R3(config-router-af-interface)# R3(config-router-af-interface)# R3(config-router-af-interface)# R3(config-router-af-interface)# R3(config-router-af-interface)# no shutdown af-interface Tunnel0 no shutdown af-interface Tunnel1 no shutdown R1# show ipv6 route eigrp IPv6 Routing Table .ISIS L2.Per-user Static route.ISIS summary O .OSPF NSSA ext 2 D .BGP U .ISIS interarea. OE2 . R . B . S .EIGRP.ISIS L1.9 entries Codes: C .BGP U .OSPF inter.OSPF NSSA ext 2 D .Connected. B .Static. EX .OSPF inter.ISIS L2.EIGRP. OE2 .ISIS L1. OI . OI .Static.ISIS summary O . M . L .RIP.OSPF NSSA ext 2 D .OSPF intra.OSPF ext 1.EIGRP external D 2007:C15:C0:10::/64 [90/310070016] via FE80::7864:7C03.Static.EIGRP external D 2007:C15:C0:10::/64 [90/297270016] via FE80::7864:7B01. IS .ISIS L2. EX .8 entries Codes: C . OE1 . I2 . I2 . Tunnel0 D 2007:C15:C0:11::/64 [90/310044416] via FE80::7864:7C03. S .MIPv6 I1 .BGP U . M .EIGRP external D 2007:C15:C0:12::/64 [90/310044416] via FE80::7864:7B03.ISIS interarea.OSPF ext 2 ON1 .Connected.RIP.

Section 4.2: OSPFv3

Configure OSPFv3 per Figure 2-8; use an OSPFv3 process of 1 on each router. (2 points)

Use vanilla OSPFv3 configuration between R3, R4, R5, and R6. If you have configured this correctly, as shown in Example 2-26, you have scored 2 points.

Example 2-26 OSPFv3 Configuration and Verification

R3(config)# interface GigabitEthernet 0/0
R3(config-if)# ipv6 ospf 1 area 0

R4(config)# interface GigabitEthernet0/0
R4(config-if)# ipv6 ospf 1 area 0
R4(config-if)# interface GigabitEthernet0/1
R4(config-if)# ipv6 ospf 1 area 1

R5(config)# interface GigabitEthernet0/0
R5(config-if)# ipv6 ospf 1 area 0

R6(config)# interface GigabitEthernet0/0
R6(config-if)# ipv6 ospf 1 area 1

R3# show ipv6 route ospf
IPv6 Routing Table - 11 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
OI  2007:C15:C0:15::/64 [110/2]
     via FE80::213:C3FF:FE7B:E4A0, GigabitEthernet0/0

R5# show ipv6 route ospf
IPv6 Routing Table - 5 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
OI  2007:C15:C0:15::/64 [110/2]
     via FE80::213:C3FF:FE7B:E4A0, GigabitEthernet0/0

R6# show ipv6 route ospf

IPv6 Routing Table - 5 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
OI  2007:C15:C0:14::/64 [110/2]
     via FE80::213:C3FF:FE7B:E4A1, GigabitEthernet0/0

Configure Area 1 with IPsec authentication; use message digest 5, a security policy index of 500, and a key of DEC0DECC1E0DDBA11B0BB0BBEDB00B00. (2 points)

Authentication is required on R4 and R6 because they both belong to Area 1. The question explicitly states the specific parameters required, and you should not encounter any issues unless you incorrectly enter one of the keys. At 32 hex characters long, this could easily be done while under a time constraint. If you have configured this correctly, as shown in Example 2-27, you have scored 2 points.

Example 2-27 Area 1 Authentication Configuration

R4(config)# ipv6 router ospf 1
R4(config-router)# area 1 authentication ipsec spi 500 md5 DEC0DECC1E0DDBA11B0BB0BBEDB00B00

R6(config)# ipv6 router ospf 1
R6(config-router)# area 1 authentication ipsec spi 500 md5 DEC0DECC1E0DDBA11B0BB0BBEDB00B00

Ensure that the area router in Area 1 receives the following route; you may configure R4 to achieve this: (2 points)

OI 2007::/16 [110/2] via XXXX::XXXX:XXXX:XXXX:XXXX, GigabitEthernet0/0

The only area router within Area 1 is R6. R4 is the area border router within this area. OI within the routing table is an OSPF interarea route, so this route must be generated from another area. Because Area 0 is the only other area within the OSPFv3 network, the route must be generated from this area as opposed to a redistributed route, which would show as an external route. A summary route generated on the area border router R4 of 2007::/16 within Area 0 will provide the required route to be received on R6. If you have configured this correctly, as shown in Example 2-28, you have scored 2 points.

Example 2-28 OSPFv3 Configuration and Verification

R4(config)# ipv6 router ospf 1
R4(config-rtr)# area 0 range 2007::/16

R6# show ipv6 route ospf | include OI
OI 2007::/16 [110/2] via FE80::213:C3FF:FE7B:E4A1, GigabitEthernet0/0

Section 4.3: Redistribution

Redistribute EIGRPv6 into OSPFv3 on R3. Redistributed EIGRPv6 routes should have a metric of 5000 associated with them, regardless of which area they are seen in within the OSPFv3 network. (2 points)

A one-way redistribution of EIGRPv6 to OSPFv3 is required on R3. You simply require the metric set to 5000 on the OSPFv3 process. The default redistribution behavior ensures that external routes are advertised as external type 2, which have a fixed cost associated with them regardless of which area or location of the OSPFv3 network they are seen in. You must remember to advertise connected routes also; otherwise, the OSPFv3 network will not see the directly connected tunnel interfaces on R3. If you have configured this correctly, as shown in Example 2-29, you have scored 2 points.

Example 2-29 R3 IPv6 Redistribution Configuration and Verification

R3(config)# ipv6 router ospf 1
R3(config-rtr)# redistribute eigrp 6 include-connected metric 5000

R4# show ipv6 route ospf
IPv6 Routing Table - 11 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
O   2007::/16 [110/0]
     via ::, Null0
OE2 2007:C15:C0:10::/64 [110/5000]
     via FE80::214:6AFF:FEFC:7390, GigabitEthernet0/0
OE2 2007:C15:C0:11::/64 [110/5000]
     via FE80::214:6AFF:FEFC:7390, GigabitEthernet0/0
OE2 2007:C15:C0:12::/64 [110/5000]
     via FE80::214:6AFF:FEFC:7390, GigabitEthernet0/0
OE2 2007:C15:C0:13::/64 [110/5000]
     via FE80::214:6AFF:FEFC:7390, GigabitEthernet0/0

Configure R3 so that both R1 and R2 have the following IPv6 EIGRPv6 route in place. Do not redistribute OSPF into EIGRPv6 to achieve this, and do ensure that all routers have full visibility: (2 points)

D 2007::/16 [90/XXXXXXXXX] via XXXX::XXXX:XXXX:XXXX:XXXX, Tunnel0

You should have noticed in the previous question that mutual redistribution was not required; therefore, the EIGRPv6 network would not have reachability of the OSPFv3 network. This question ensures the EIGRPv6 network sends traffic to R3 for the summarized network of 2007::/16. Because you are not permitted to redistribute OSPFv3 with a summary address, you need to configure EIGRPv6 summarization on the tunnel interfaces on R3 toward R1 and R2; this will provide the correct route and hop count as per the question. Example 2-33 shows the required configuration and verification of the route, in addition to ICMP reachability to the remote OSPFv3 Area 1 network on R6. This test clearly demonstrates full end-to-end reachability from EIGRPv6 to OSPFv3. If you have configured this correctly, as shown in Example 2-30, you have scored 2 points.

Example 2-30 R3 IPv6 Summarization Configuration and Verification

R3(config)# router eigrp CCIE
R3(config-router)# address-family ipv6 unicast autonomous-system 6
R3(config-router-af)# af-interface Tunnel0
R3(config-router-af-interface)# summary-address 2007::/16
R3(config-router-af-interface)# af-interface Tunnel1
R3(config-router-af-interface)# summary-address 2007::/16

R1# show ipv6 route eigrp
IPv6 Routing Table - 6 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route, M - MIPv6
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
D   2007::/16 [90/310044416]
     via FE80::7864:7B03, Tunnel0

R1# ping ipv6 2007:C15:C0:15::6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2007:C15:C0:15::6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/8 ms

R2# show ipv6 route eigrp
IPv6 Routing Table - 6 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route, M - MIPv6
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
D   2007::/16 [90/310044416]
     via FE80::7864:7C03, Tunnel0

R2# ping ipv6 2007:C15:C0:15::6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2007:C15:C0:15::6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/8 ms

Section 5: QoS (6 Points)

Two IP video conferencing units are to be installed onto Switch 2 ports Fast Ethernet 0/15 and 0/16 on VLAN 200. The devices use TCP ports 3230–3231 and UDP ports 3230–3235, and this traffic is unmarked from the devices as it enters the switch. Configure Switch 2 to assign a DSCP value of AF41 to video traffic from both of these devices. Ensure that the switch ports assigned to the devices do not participate in the usual spanning-tree checks, cannot form trunk links, and cannot be configured as EtherChannels. (3 points)

This is a differentiated services code point (DSCP) coloring of application traffic question. The TCP and UDP port information is provided so that access lists matching these ports within a class map are required for identification of the video traffic, and a policy map colors the traffic to a DSCP value of 41. The overall quality of service (QoS) service policy is applied to the video conferencing ports of Fast Ethernet 0/15 and 0/16 on Switch 2. The ports are required to be set to VLAN 200 with spanning-tree checks disabled, and trunking and channeling disabled using the command switchport host. The ports can also be explicitly configured to disable each feature individually, but the switchport host command does all this for you. Use the show policy-map command to verify your configuration. If you have configured this correctly, as shown in Example 2-31, you have scored 3 points.

Example 2-31 QoS Configuration

SW2(config)# interface range fastethernet 0/15-16
SW2(config-if-range)# switchport access vlan 200
SW2(config-if-range)# switchport host
SW2(config-if-range)# exit
SW2(config)# mls qos
SW2(config)# class-map VIDEO
SW2(config-cmap)# match access-group 100
SW2(config-cmap)# exit
SW2(config)# access-list 100 permit tcp any any range 3230 3231
SW2(config)# access-list 100 permit udp any any range 3230 3235
SW2(config)# policy-map VIDEO-MARK
SW2(config-pmap)# class VIDEO
SW2(config-pmap-c)# set dscp AF41
SW2(config-pmap-c)# exit
SW2(config)# interface range fastethernet 0/15-16
SW2(config-if-range)# service-policy input VIDEO-MARK

Configure R2 to assign a strict-priority queue with a 40-percent reservation of the WAN bandwidth for the video conferencing traffic in the previous question. Maximize the available bandwidth by ensuring the RTP headers within the video stream are compressed. The remainder of the bandwidth should be guaranteed for a default queue with WRED enabled. (3 points)

Following from the previous question, R2 is required to provide QoS on the Ethernet link toward the rest of the network. A class map matches the precolored video traffic of DSCP 41; a policy map is then required to call the class map and assign a strict 40-percent priority queue with the command priority percent 40. RTP compression is configured within the policy map for the video traffic. The default queue has a guaranteed bandwidth reservation with the command bandwidth percent 60, and weighted random early detection (WRED) is enabled within this queue. If you have configured this correctly, as shown in Example 2-32, you have scored 3 points.

Example 2-32 R2 QoS Configuration and Verification

R2(config)# class-map match-all VIDEO
R2(config-cmap)# match dscp af41
R2(config-cmap)# policy-map VIDEO-QOS
R2(config-pmap)# class VIDEO
R2(config-pmap-c)# priority percent 40
R2(config-pmap-c)# compression header ip rtp
R2(config-pmap-c)# class class-default

R2.0. as shown in Example 2-33. and 225. If you have configured this correctly. R3.225.4 (by use of their Loopback 0 interfaces).4 R2(config)# ip multicast-routing R2(config)# interface Loopback0 R2(config-if)# ip pim sparse-dense-mode R2(config-if)# interface fastethernet0/0 R2(config-if)# ip pim sparse-dense-mode R2(config-if)# ip pim send-rp-announce Loopback0 scope 3 group-list GROUPS R2(config)# ip access-list standard GROUPS .2.2 R1(config-std-nacl)# permit 225. R3 is required to announce the rendezvous points. Example 2-33 shows the required configuration and RP mappings as received on R4. You should limit the boundary of your multicast network so that it does propagate further into your network than R4. 225.R2(config-pmap-c)# bandwidth percent 60 R2(config-pmap-c)# random-detect R2(config-pmap-c)# exit R2(config)# interface fastethernet0/0 R2(config-if)# service-policy output VIDEO-QOS Section 6: Multicast (9 Points) Configure routers R1. Each router should use PIM sparse dense mode. R2.0.3 R1(config-std-nacl)# permit 225.3. you have scored 3 points. R3.225. and R4 Multicast Configuration and Verification Click here to view code image R1(config)# ip multicast-routing R1(config)# interface Loopback0 R1(config-if)# ip pim sparse-dense-mode R1(config-if)# interface GigabitEthernet0/0 R1(config-if)# ip pim sparse-dense-mode R1(config-if)# ip pim send-rp-announce Loopback0 scope 3 group-list GROUPS R1(config)# ip access-list standard GROUPS R1(config-std-nacl)# permit 225.0. 225.0.225.225. Both R1 and R2 should be configured to be candidate RPs specifically for the following multicast groups: 225. Example 2-33 R1.225.225.225.225.0.1 R1(config-std-nacl)# permit 225. and R4 for IPv4 multicast. (3 points) The question dictates that R1 and R2 be rendezvous points (RPs) and advertise the same groups to the multicast network. R3 should be configured as a mapping agent to announce the rendezvous points for the multicast network with the same boundary constraints. 
and R4 will by default elect R2 as the RP for each group because it has the higher loopback address compared to R1 for the same groups.0. TTL scoping is used within the configuration to limit the boundary of advertisements on both the candidate RPs and the discovery agent up to R4.1.0.0.

225.0.225. elected via Uptime: 00:00:03. v2v1 Info source: 120. elected via Uptime: 00:00:03.225.1 (?). expires: 00:02:52 Group(s) 225.34.100.0.225.0.3 (?).0.100. expires: 00:02:56 Group(s) 225.0.3 and 225.3 (?).2 and R2 for groups 225. RP announcements can be filtered.2.225.225.1 (?).R2(config-std-nacl)# R2(config-std-nacl)# R2(config-std-nacl)# R2(config-std-nacl)# permit permit permit permit 225.4 R3(config)# ip multicast-routing R3(config)# interface Loopback0 R3(config-if)# ip pim sparse-dense-mode R3(config)# interface GigabitEthernet0/0 R3(config-if)# ip pim sparse-dense-mode R3(config-if)# interface GigabitEthernet0/1 R3(config-if)# ip pim sparse-dense-mode R3(config-if)# exit R3(config)# ip pim send-rp-discovery lo0 scope 2 R4(config-if)# ip multicast-routing R4(config-if)# interface GigabitEthernet0/0 R4(config-if)# ip pim sparse-dense-mode R4# show ip pim rp mapping PIM Group-to-RP Mappings Group(s) 225. as shown in Example 234.2 225.0. .34.2. (3 points) As detailed in the previous example.0.225. Configuring two filter lists with each candidate RP associated with them allows the discovery agent to announce two different RPs.225.1 and 225. you have scored 3 points.100.34.1 (?).1 225.100.225. expires: 00:02:55 Auto-RP Auto-RP Auto-RP Auto-RP Configure R3 to ensure that R4 has a candidate RP as R1 for groups 225.0.34.100.3 (?). expires: 00:02:55 Group(s) 225.3 (?). v2v1 Info source: 120.1/32 RP 120. elected via Uptime: 00:00:03.100.0.4/32 RP 120.225.2/32 RP 120.225.1 (?).3/32 RP 120. R2 will by default become the candidate RP as selected by the discovery agent (R3) because of having a higher loopback IP address as used in the PIM announcements compared to R1. v2v1 Info source: 120. a debug of the auto-RP announcements on R3 to detail the filtering and the resulting RP mappings on R4.4.225.2. By configuring a group list on the discovery agent. v2v1 Info source: 120.0.2.3 225.100. Example 2-34 shows the required configuration.100.0. 
If you have configured this correctly.0. elected via Uptime: 00:00:03.

225. RP:120.3 R3(config-std-nacl)# permit 225.225.0.3/32 RP 120.34.100.100.0.225.100.34.1 R3(config-std-nacl)# permit 225.3 (?). PIMv2 Auto-RP(0): Filtered 225. elected via Uptime: 00:00:47. elected via Uptime: 00:00:08. expires: 00:02:12 Group(s) 225.100. PIMv2 Auto-RP(0): Filtered 225.Example 2-34 R3 RP Multicast Configuration and Verification Click here to view code image R3(config)# ip pim rp-announce-filter rp-list R1 group-list R1-GROUPS R3(config)# ip pim rp-announce-filter rp-list R2 group-list R2-GROUPS R3(config)# ip access-list standard R1 R3(config-std-nacl)# permit 120.1 R4# show ip pim rp mapping PIM Group-to-RP Mappings Group(s) 225.0. expires: 00:02:51 Group(s) 225.225. RP:120.1 R3(config-std-nacl)# exit R3(config# ip access-list standard R1-GROUPS R3(config-std-nacl)# permit 225.0.1.1).4/32 for RP 120.3 (?). v2v1 Info source: 120.1. expires: 00:02:09 Auto-RP Auto-RP Auto-RP Auto-RP 1.1. v2v1 Info source: 120.225.1. ht 181 v1 v1 .100.34.225.225.100.100.1.0.100.1 (?).100.1).2. ht 181 v1 v1 1.0.100.1).225.100.1/32 RP 120.100.100.0.2/32. RP_cnt Auto-RP(0): Update (225.1. RP:120.100.100. elected via Uptime: 00:00:08.4 R3# debug ip pim auto-rp PIM Auto-RP debugging is on Auto-RP(0): Received RP-announce.225. RP:120.1 (?).0. expires: 00:02:52 Group(s) 225.2/32.1.1.1. elected via Uptime: 00:00:47. PIMv2 Auto-RP(0): Update (225.1.2.100.1 (?). RP_cnt Auto-RP(0): Update (225.1 Auto-RP(0): Filtered 225.1 (?).225.225.0.100.1 Auto-RP(0): Received RP-announce.1.100.2/32 RP 120.225.3 (?).0.225.34.1 R3(config-std-nacl)# exit R3(config)# ip access-list standard R2 R3(config-std-nacl)# permit 120.0.225.0.3/32 for RP 120.3/32 for RP 120.1/32.1/32.100.1 Auto-RP(0): Filtered 225.1).225.1.100. v2v1 Info source: 120.0.3 (?). from 120.2 R3(config-std-nacl)# exit R3(config)# ip access-list standard R2-GROUPS R3(config-std-nacl)# permit 225.0. from 120.1.1. PIMv2 Auto-RP(0): Update (225.0.4/32 RP 120.1.4/32 for RP 120. v2v1 Info source: 120.0.2.225.

the router should be configured to randomly drop SYN packets from any source to this VLAN that have not been correctly established within 20 seconds.1 with the subparameters of 1 and 10. you have scored 3 points.1 from R3.100. If no packet for this group is received within a single 10second interval.225. (2 points) The question requires that the TCP intercept feature be configured on R6. By configuring R1 to enable the heartbeat monitoring for the group 225.0.123. the router monitors a packet lost within 1 interval of 10 seconds and will send an Simple Network Management Protocol (SNMP) trap to the SNMP host 120.1. Even though R1 does not have a valid IGMP join group for this group.100 traps public R1(config)# snmp-server enable traps ipmulticast R1(config)# ip multicast heartbeat 225.spectrap 1 ciscoIpMRouteHeartBeatEntry.2.100.100.225.1.1 = 120.255.4.100.0.100.100 SNMP: V1 Trap.225. Example 2-35 details the required multicast heartbeat configuration and verification of the SNMP trap by issue of a ping to 225.225.1 R1# SNMP: Queuing packet to 120.225.0.1.3 ciscoIpMRouteHeartBeatEntry.100. This protects TCP servers from TCP SYN-flooding attacks with a wave of half-opened connections overwhelming the server’s CPU.100 using a community string of public.225.1 = 10 ciscoIpMRouteHeartBeatEntry. If you have configured this correctly.225.225.0. which is required to be configured within the basic SNMP trap configuration.3.0. ent ciscoExperiment.225.100.100. (3 points) The IP multicast heartbeat feature facilitates the monitoring of the delivery of IP multicast packets and failure notification based on configurable parameters.1 = 0 Section 7: Security (10 Points) Allow router R6 to passively watch the SYN connections that flow to only VLAN 63 for servers that might reside on this subnet.225.2.0.3.100.1 = 1 ciscoIpMRouteHeartBeatEntry.225.0.1 1 1 10 R1# debug snmp packets R3# ping 225.100. gentrap 6. 
addr 120.100.100.Configure R1 to monitor traffic forwarded through itself for traffic destined to the multicast group of 225. as shown in Example 2-35. traffic is still directed to it. ensure that an SNMP trap is sent to an SNMP management station on 120.225. The default behavior of .0. and the heartbeat process is activated. the result of which can effectively cause a DoS attack.0. Example 2-35 R1 Multicast Heartbeat Configuration Click here to view code image R1(config)# snmp-server host 120. To prevent a potential DoS attack from a flood of SYN requests.5.

the feature is to intercept the SYN connections to a server and effectively proxy the connection until it has been correctly established. Because you are requested to passively monitor the connection, you must configure the feature into watch mode by use of the global ip tcp intercept mode watch command. You are also requested to ensure that the feature is enabled only on VLAN 63 from any source, so an access list is required to which the intercept feature restricts its monitoring. The default behavior of the feature is to drop SYN connections based on the oldest first, but the question dictated that random connections must be dropped. This is achieved with the global command ip tcp intercept drop-mode random. To ensure that the 20-second limit is met as opposed to the default 30 seconds, adjustment of the timers is required with the global command ip tcp intercept watch-timeout 20. Use the show tcp intercept connections command to verify your configuration. If you have configured this correctly, as shown in Example 2-36, you have scored 2 points.

Example 2-36 R6 TCP Intercept Configuration

R6(config)# ip tcp intercept list 100
R6(config)# access-list 100 permit tcp any 120.100.63.0 0.0.0.255
R6(config)# ip tcp intercept mode watch
R6(config)# ip tcp intercept drop-mode random
R6(config)# ip tcp intercept watch-timeout 20

Configure an ACL on R1 to allow TCP sessions generated on this router and through its Ethernet interface and to block TCP sessions from entering on its VLAN 132 interface that were not initiated on it or through it originally. Do not use the established feature within standard ACLs to achieve this, and only apply ACLs on the VLAN 132 interface. The ACL should timeout after 100 seconds of locally initiated TCP inactivity; it should also enable ICMP traffic inbound for testing purposes. (3 points)

The question requires that a reflexive access control list (ACL) be configured on R1. This enables TCP traffic for sessions originating from within the network but denies TCP traffic for sessions originating from outside the network. The reflexive ACL contains only temporary entries, which are automatically created when a new TCP session is initiated. The entries are simply removed, by default, 300 seconds after the session ends. However, the question requires this to be modified to 100 seconds. To facilitate the reflexive ACL, you must configure a standard ACL inbound on the VLAN 132 Ethernet interface, which permits the required traffic inbound to R1 and only returns traffic matching the reflexive ACL. Required traffic is, of course, EIGRP, PIM, IPv6 tunneling, and as directed, ICMP for testing, which must be included in your inbound ACL. It's a cruel question because if you forget to permit any of the required traffic inbound, you will lose points from a previous section in which you might have otherwise scored the total possible points. If you did not know what protocol IPv6 uses, you can simply use the log option on your inbound ACL on a final deny statement. This would show you that the tunneling from R3 inbound to R1 uses IP protocol 41. Example 2-37 shows the required configuration and verification of the reflexive ACL. Because traffic is evaluated only by the ACL as it passes through the router, Switch 1 has been configured

255.100.1 Type escape sequence to abort.1 255.255 120.1 host 120. The reflexive ACL permits return traffic to the Telnet session inbound for the configured inactivity interval of 100 seconds.to belong to VLAN 100 to telnet through R1 to R3 in the example.0 SW1(config-if)# exit SW1(config)# ip route 120.100 255. Tracing the route to 120. you would specifically be instructed to ensure the correct operation of Telnet on that router.1 . If you face a similar question in the actual exam and Telnet connectivity was required from the router you are configuring. you might experience connectivity issues if you initiate a Telnet session from R1 without manipulating the Telnet source option.3. as shown in Example 2-37.255.100. Real-time details can be seen by issuing the show access-lists command on R1.3 host 120.100. Example 2-37 R1 Reflexive ACL Configuration and Verification Click here to view code image R1(config-if)# ip access-list extended FILTER-IN R1(config-ext-nacl)# permit icmp any any R1(config-ext-nacl)# permit eigrp any any R1(config-ext-nacl)# permit pim any any R1(config-ext-nacl)# permit tcp host 120.100.100.3.1 eq bgp R1(config-ext-nacl)# permit 41 host 120.3. the Telnet session passes through the ACL FILTER-OUT on R1 and creates an entry in the reflexive ACL DYNAMIC-TCP. This behavior has no bearing on points scored and should be considered a by-product of the solution. Note The reflexive ACL is valid only for traffic flowing through the router.255.3.100.255.1 SW1(config)# exit SW1# trace 120.1 R1(config-ext-nacl)# evaluate DYNAMIC-TCP R1(config-ext-nacl)# ip access-list extended FILTER-OUT R1(config-ext-nacl)# permit tcp any any reflect DYNAMIC-TCP R1(config-ext-nacl)# exit R1(config)# ip reflexive-list timeout 100 R1(config)# interface GigabitEthernet0/0 R1(config-if)# ip access-group FILTER-IN in R1(config-if)# ip access-group FILTER-OUT out SW1(config)# interface vlan 100 SW1(config-if)# ip add 120.100.100.100.123. 
If you have configured this correctly.100. you have scored 3 points. When initiated by Switch 1.100.1. Therefore.123.
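The reflect/evaluate behaviour described above, and the note that router-originated sessions never create a reflexive entry, can be modelled as follows. This is an added example, not code from the book: the addresses are constructed documentation addresses, the class and function names are hypothetical, and only the idle timer is modelled (IOS also removes an entry when the TCP session closes).

```python
from dataclasses import dataclass

# Constructed documentation addresses (assumptions, not the lab's addressing).
INSIDE_HOST = "192.0.2.100"    # plays the switch behind the filtering router
OUTSIDE_HOST = "198.51.100.3"  # plays the remote router (Telnet target, BGP/tunnel peer)
ROUTER = "203.0.113.1"         # the filtering router's own address


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "icmp", "eigrp", "pim", "41" (IPv6-in-IPv4), ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


class ReflexiveList:
    """Temporary entries written by 'reflect' and consulted by 'evaluate'."""

    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout
        self.entries = {}  # mirrored flow -> time the flow was last seen

    def reflect(self, pkt, now):
        # Store the flow with source and destination swapped, so that only
        # the matching return traffic is permitted.
        self.entries[(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)] = now

    def evaluate(self, pkt, now):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        last = self.entries.get(key)
        if last is None:
            return False
        if now - last >= self.idle_timeout:
            del self.entries[key]      # idle for too long: entry is removed
            return False
        self.entries[key] = now        # traffic seen: restart the idle timer
        return True


class FilteringRouter:
    """Inbound: static permits, then evaluate. Outbound: permit tcp ... reflect."""

    ALWAYS_IN = {"icmp", "eigrp", "pim"}

    def __init__(self, idle_timeout=100):
        self.dynamic_tcp = ReflexiveList(idle_timeout)
        # (proto, src, dst, dport); dport None means "any port / not applicable".
        self.static_in = [("tcp", OUTSIDE_HOST, ROUTER, 179),   # BGP from the peer
                          ("41", OUTSIDE_HOST, ROUTER, None)]   # IPv6 tunnel from the peer

    def filter_out(self, pkt, now, locally_originated=False):
        if locally_originated:
            return True                # outbound ACL is not applied: nothing is reflected
        if pkt.proto == "tcp":
            self.dynamic_tcp.reflect(pkt, now)
            return True
        return False                   # implicit deny at the end of the outbound ACL

    def filter_in(self, pkt, now):
        if pkt.proto in self.ALWAYS_IN:
            return True
        for proto, src, dst, dport in self.static_in:
            if (pkt.proto, pkt.src, pkt.dst) == (proto, src, dst) and dport in (None, pkt.dport):
                return True
        return pkt.proto == "tcp" and self.dynamic_tcp.evaluate(pkt, now)


def demo():
    r = FilteringRouter(idle_timeout=100)
    telnet = Packet("tcp", INSIDE_HOST, OUTSIDE_HOST, 11034, 23)
    reply = Packet("tcp", OUTSIDE_HOST, INSIDE_HOST, 23, 11034)
    out = {}
    out["transit_out"] = r.filter_out(telnet, now=0)
    out["return_in"] = r.filter_in(reply, now=10)
    out["unsolicited_in"] = r.filter_in(
        Packet("tcp", OUTSIDE_HOST, INSIDE_HOST, 23, 40000), now=11)
    out["return_after_idle"] = r.filter_in(reply, now=110)
    # Telnet started on the router itself: sent, but no entry is created.
    r.filter_out(Packet("tcp", ROUTER, OUTSIDE_HOST, 50000, 23), now=200,
                 locally_originated=True)
    out["reply_to_router"] = r.filter_in(
        Packet("tcp", OUTSIDE_HOST, ROUTER, 23, 50000), now=201)
    out["bgp_in"] = r.filter_in(Packet("tcp", OUTSIDE_HOST, ROUTER, 40001, 179), now=202)
    out["tunnel_in"] = r.filter_in(Packet("41", OUTSIDE_HOST, ROUTER), now=203)
    out["udp_in"] = r.filter_in(Packet("udp", OUTSIDE_HOST, INSIDE_HOST, 53, 5353), now=204)
    return out


if __name__ == "__main__":
    for name, permitted in demo().items():
        print(f"{name:18} {'permit' if permitted else 'deny'}")
```
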

0. you should realize that you would need to configure a domain ID. Even if you hadn’t configured SSH or SCP previously.0.1 120.3 40 permit 225.co. If you have configured this correctly.100.100. Use local authentication with a username and password of cisco.100.225.1. not minutes.225..100.100.225.3.225.100. as shown in Example 2-38.100.1 0 msec 4 msec 0 msec 2 120.uk.0 (3 matches) Standard IP access list GROUPS 10 permit 225.100.1 !A * !A SW1# telnet 120.100. Open User Access Verification Password: R3>enable Password: R3# R1# show access-lists Standard IP access list 1 10 permit 120.1 eq telnet host 120.100.. It is a tough question because this is the kind of feature for which you will need to check the documentation. and an SSH timeout of 2 minutes and retry value of 2.4 Reflexive IP access list DYNAMIC-TCP permit tcp host 120.1 eq bgp (126 matches) 30 evaluate DYNAMIC-TCP Extended IP access list FILTER-OUT 10 permit tcp any any reflect DYNAMIC-TCP (18 matches) Configure R1 so that it is capable of performing SCP.1.0 (3 matches) 20 permit 120. you have scored 2 points. .1 . Your username and password combination requires a privilege level of 15 set for SCP.0.3. Be careful on the values and remember to enter the timeout in seconds. a key size of 768 bits.1 20 permit 225.1 Trying 120. and some SSH timeout and retry values based on the directions. local authentication with a username and password.100.3.100. a key of some form.100. It is similar to Remote Copy but requires Secure Shell (SSH) to be running on the router for security purposes. The router should belong to a domain of toughtest.100 eq 11034 (34 matches) (time left 90) Extended IP access list FILTER-IN 5 permit icmp any any (150 matches) 10 permit eigrp any any (1710 matches) 20 permit pim any any (92 matches) 25 permit tcp host 120.1 host 120.0.100. You will need to realize aspects of SSH are considered prerequisites to enable SCP.2 30 permit 225. (2 points) SCP is Secure Copy Protocol.3.

Example 2-38 R1 RCP Configuration
R1(config)# ip domain-name toughtest.co.uk
R1(config)# crypto key generate rsa modulus 768
The name for the keys will be: R1.toughtest.co.uk
% The key modulus size is 768 bits
% Generating 768 bit RSA keys, keys will be non-exportable...[OK]
R1(config)# aaa new-model
R1(config)# aaa authentication login default local
R1(config)# aaa authorization exec default local
R1(config)# username cisco privilege 15 password 0 cisco
R1(config)# ip ssh time-out 120
R1(config)# ip ssh authentication-retries 2
R1(config)# ip scp server enable
R1(config)#
00:57:29.343: %SSH-5-ENABLED: SSH 1.99 has been enabled

The network administrator has determined that IPv6 router advertisements are being sourced from routers on VLAN 34. Disable these advertisements from entering and propagating on VLAN 34. You may use an ACL applied in a single location in your solution. Do not use the RA guard solution with untrusted ports. (3 points)

Routers R3, R4, and R5 will begin to send RAs as soon as they are configured with an IPv6 address. A simple solution is to enable RA guard on the switch, whereby you could set the switch ports connecting to the routers as untrusted, but this is not permitted. Because you are permitted to use an ACL in only a single location, this needs to be applied to the VLAN 34 interface. The ACL needs to deny router advertisements, which, of course, use ICMPv6. The ACL then needs to permit everything else; otherwise, you have just broken your IPv6 network. You need to remember that for the switch to process IPv6 packets, it needs to be running IPv6 and have a valid IPv6 address assigned to VLAN 34, something you might have overlooked under the time constraints and pressure of the practice exam. If your switch was not previously enabled for IPv6, remember to use the command sdm prefer dual-ipv4-and-ipv6 routing (and reboot the device for this to take effect). If you have configured this correctly, as shown in Example 2-39, you have scored 3 points.

Example 2-39 SW1 RA ACL Configuration
SW1(config)# ipv6 unicast-routing
SW1(config)# ipv6 access-list RA
SW1(config-ipv6-acl)# deny icmp any any router-advertisement
SW1(config-ipv6-acl)# permit ipv6 any any
SW1(config-ipv6-acl)# exit
SW1(config)# int vlan 34
SW1(config-if)# ipv6 traffic-filter RA in
SW1(config-if)# ipv6 address 2007:C15:C0:15::10/64
SW1# show log
*Oct 4 17:58:23: %IPV6-6-ACCESSLOGDP: list RA/10 denied icmpv6 FE80::219:AAFF:FEBA:BE40 -> FF02::1 (134/0), 1 packet
*Oct 4 17:58:23: %IPV6-6-ACCESSLOGDP: list RA/10 denied icmpv6 FE80::218:18FF:FEA2:3250 -> FF02::1 (134/0), 1 packet

Lab Wrap-Up
So, how did it go? Did you run out of time? Did you manage to finish but miss what was actually required? If you scored over 80, well done. If you accomplished this within 8 hours or less, you will be prepared for any scenario that you are likely to face during the 5.5 hours of the Configuration section of the actual exam. Remember that the Troubleshooting section on the v5.0 exam is a separate section from the Configuration section and has a different scenario; you will have 2 hours to complete the Troubleshooting section. This lab was designed to ensure that you troubleshoot your own work as you progress through the questions.
Did you manage to configure items such as EIGRP third-party next hop and the continue statement within your BGP prepending? Items such as these might seem inconsequential, but they can make or break your lab.

Practice Lab 3

Practice Lab 3 follows an identical format to Lab 1 and 2 with timings and also consists of 100 points.

Equipment List
You need the following hardware and software components to begin this practice lab:
Six routers loaded with Cisco IOS Software Release 15.3T Advanced Enterprise image and the minimum interface configuration, as documented in Table 3-1

Table 3-1 Hardware Required per Router
Four 3560X switches with IOS 15.0S IP Services

Setting Up the Lab
You can use any combination of routers as long as you fulfill the requirements within the topology diagram, as shown in Figure 3-1. However, you should use the same model of routers because this makes life easier if you load configurations directly from those supplied into your own devices.

If your routers have different interface speeds than those used within this book, adjust the bandwidth statements on the relevant interfaces to keep all interface speeds in line. This ensures that you do not get unwanted behavior because of differing IGP metrics.

Lab Topology
This practice lab uses the topology as outlined in Figure 3-1, which you must re-create with your own equipment. The initial configurations supplied should be used to preconfigure your routers and switches before the lab starts.

Figure 3-1 Practice Lab 3 Network Topology

Note
Notice in the initial configurations supplied that some interfaces do not have IP addresses preconfigured. This is because either you do not use that interface or you need to configure this interface from default within the exercise.

Switch Instructions Configure VLAN assignments from the configurations supplied on the CD-ROM or from Table 3-2.100.3. If you are manually configuring your equipment.1/32 . For this exercise. Table 3-2 VLAN Assignment Connect your switches with RJ-45 Ethernet cross-over cables. you are required to configure your IP addresses as shown in Figure 3-3 or to load the initial router configurations supplied. be sure you include the following loopback addresses: R1 Lo0 120.4.100.1/32 R4 Lo0 120. Figure 3-2 Switch-to-Switch Connectivity IP Address Instructions In the actual CCIE lab.2.100.5.1/32 R2 Lo0 120.100. as shown in Figure 3-2.1.1/32 R3 Lo0 120.1/32 R5 Lo0 120.100. you find that the majority of your IP addresses are preconfigured.

2.33.4.1/24 SW2 Lo0 10.33.1/24 Lo1 10.1/24 Lo1 10.46.44.R6 Lo0 120.1/24 Lo2 10.1/32SW1 Lo0 10.1/24 Figure 3-3 IP Addressing Diagram Pre-Lab Tasks Build the lab topology per Figure 3-1 and Figure 3-2.1/24 Lo2 10.3.1/24 Lo1 10.44.45.1.2.1.100.44.33.33. Configure the IP addresses on each router as shown in Figure 3-3 and add the loopback addresses.1/24 Lo2 10.1/24 SW4 Lo0 10.1/24 Lo1 10.3.2.34.1.1/24 Lo2 10.44.2.35. Alternatively.6. .2. you can load the initial configuration files supplied if your router is compatible with those used to create this exercise.1.1/24 SW3 Lo0 10.

Get into a comfortable and quiet environment where you can focus for the next 8 hours.

General Guidelines
Read the whole lab before you start.
Do not configure any static/default routes unless otherwise specified.
Ensure full IP visibility between routers for ping testing/Telnet access to your devices.
If you are running out of time, choose questions that you are confident you can answer. Failing this, choose questions with a higher point rating to maximize your potential score.
Take a 30-minute break midway through the exercise.
Have available a Cisco documentation CD-ROM, or access online the latest documentation from the following URL:
http://www.cisco.com/cisco/web/psa/configure.html
Note that access to this URL is likely to be restricted within the real exam.

Note
Access only these URLs, not the whole Cisco.com website (because if you are permitted to use documentation during your CCIE lab exam, it will be restricted). To save time during your lab, consider opening several windows with the pages you are likely to look at.

Practice Lab Three
You will now be answering questions in relation to the network topology, as shown in Figure 3-4.

Figure 3-4 Lab Topology Diagram

Section 1: LAN Switching (4 Points)
Configure your switched network per Figure 3-5. Your switched network is physically nonlooped and therefore does not require any STP root bridge configuration. Configure SW1 Fa0/19 to belong to VLAN 200 and SW2 Fa0/19 to belong to VLAN 400. Configure interface Fa0/1 on SW1 to become a trunk port toward R1 and Fa0/6 on SW2 to become a trunk port toward R6. Ports should use 802.1Q encapsulation. Restrict the VLANs permissible to use the trunk on Switch 1 Fa0/1 to VLAN 10, 50, and 200 and VLAN 20, 100, and 400 on Switch 2 Fa0/6. You should also configure R1 and R6 to terminate the VLANs on each router. Interface Fa0/20 of each switch has been preconfigured to be a trunk port. Connectivity between switches will be provided via R1 and R6 later in the lab. (3 points)

Figure 3-5 Switched Network Topology

SW3 interface Fa0/19 and SW4 interface Fa0/19 are required to communicate with each other on the same IP subnet of 1.1.1.0/24; configure these interfaces with IP addresses 1.1.1.1/24 and 1.1.1.2/24, respectively. The interfaces should be configured to communicate as if connected directly as a point-to-point link. (Actual IP end-to-end connectivity will be achieved in a later section.) (1 point)

Section 2: MPLS and OSPF (27 Points)
Configure OSPF on your routers per Figure 3-6 to enable your network to transport MPLS and MP-BGP. Ensure that all OSPF configuration is entered under the interfaces. All required interfaces (including Loopback 0) should be configured to belong to Area 0. (3 points)

Figure 3-6 MPLS/OSPF Topology

Configure MPLS on all routers within the OSPF domain; use LDP, ensuring that TDP can be used on unused interfaces without specifically configuring these interfaces for TDP. Routers R1 and R6 will become your PE routers, whereas R2, R3, R4, and R5 will become P routers. (4 points)

You will be configuring two VPNs over your MPLS networks per Figure 3-7 between PE routers of BLUE and RED. At this point, assign the following interfaces on each PE router into separate routing instances within the routers:
PE R1 interface Gi0/0 VLAN 10 connection into VPN BLUE
PE R1 interface Gi0/0 VLAN 50 connection into VPN RED
PE R6 interface Gi0/1 VLAN 20 connection into VPN BLUE
PE R6 interface Gi0/1 VLAN 100 connection into VPN RED
Configure VPN BLUE to use an RD of 100 and VPN RED to use an RD of 200 for both importing and exporting routes into your BGP network, which will be configured later with an autonomous system of AS65001. (4 points)

10. (2 points) Section 3: BGP (5 Points) Configure MP-BGP between your PE routers.50. (2 points) Create a network between PE router R6 and CE device SW2 using a VLAN 20 interface on SW2 that can be trunked toward R6.2/30 assigned to the CE.1/30 assigned to the PE and .0/30 with . Use a subnet of 10.2/30 assigned to the CE.1/30 assigned to the PE and .1/30 assigned to the PE and .1/30 assigned to the PE and . Use a subnet of 10. to enable your network to transport the VPNv4 addresses of your configured VPNs (BLUE and RED).10.0/30 with .2/30 assigned to the CE. Use .10. this network will reside in the BLUE VPN.50.20. Use a subnet of 130.0/30 with . this network will reside in the RED VPN. this network will reside in the RED VPN. (2 points) Create a network between PE router R1 and CE device SW3 using a VLAN 50 interface on SW3 that can be trunked toward R1.Figure 3-7 MPLS VPN Topology Create a network between PE router R1 and CE device SW1 using a VLAN 10 interface on SW1 that can be trunked toward R1. this network will reside in the BLUE VPN.2/30 assigned to the CE.0/30 with . per Figure 3-8. (2 points) Create a network between PE router R6 and CE device SW4 using a VLAN 100 interface on SW4 that can be trunked toward R6. Use a subnet of 130.100.100.

loopback interfaces for peering between your PE routers. You will configure the actual VPN routing in later questions. (4 points)

Figure 3-8 BGP Topology

Section 4: EIGRP and MP-BGP (3 Points)
Configure EIGRP per Figure 3-9 between your PE router R6 and CE Switch SW2. Use VLAN 20 for EIGRP connectivity between R6 and SW2. Use an EIGRP virtual instance name of VPN on R6 and a process number of 10 on SW2. Advertise all preconfigured loopback networks on SW2 to R6 for the BLUE VPN. (1 point)

Figure 3-9 EIGRP/MP-BGP Topology

Configure EIGRP per Figure 3-9 between your PE router R1 and CE switch SW1. Use VLAN 10 for EIGRP connectivity between R1 and SW1. Use an EIGRP virtual instance name of VPN on R1 and a process number of 10 on SW1. Advertise all preconfigured loopback networks on SW1 to R1 for the BLUE VPN. (1 point)

Configure your PE routers R1 and R6 to transport EIGRP routes from your CE devices between the BLUE VPN using MP-BGP. Use a default metric of 10000 100 255 1 1500 for BGP routes when redistributed into EIGRP. Ensure that all EIGRP routes have a MED of 50 assigned to them within MP-BGP. EIGRP networks residing on SW1 should be seen as internal EIGRP routes on SW2 and vice versa. (1 point)

Section 5: OSPF and MP-BGP (6 Points)
Configure OSPF per Figure 3-10 for your VRF RED with a process number of 3 on PE router R1 and SW3 using VLAN 50 for connectivity. Use a process ID of 2 on PE router R6 and CE device SW4 using VLAN 100 for connectivity. You should permit only internal OSPF routes to be advertised across your VPN and ensure that the redistribution of BGP routes into OSPF are assigned as type 1 external routes with no manually adjusted cost associated with them. It is acceptable for these routes to come through as /32 routes because of default OSPF behavior of loopback interfaces. (2 points)

Vlan100 SW4# Verify your configuration by pinging from VRF RED SW4 10. Both Switch 1 and Switch 4 should receive the following routes: SW1# show ip route | include 10. similarly. Vlan10 SW1# SW4# show ip route | include 10.1 to VRF BLUE SW1 10.100. 00:00:27.0 O E1 10.0 D EX 10.1 SW1. Maintain the OSPF process IDs are previously directed.0/24 from VRF RED into VRF BLUE on R6.1.1. You are permitted to configure only router R1.0/24 [170/XXXXXX] via 10. (4 points) Section 6: MPLS (7 Points) Leak network 10.1.44.10.1.1. You are not permitted to adjust the OSPF redistribution into BGP as directed in the previous question.44. Configure your OSPF network appropriately to ensure that the routes are displayed correctly as IA routes.44.0/24 [110/XX] via 130. (5 points) .0/24 from SW1 VRF BLUE on PE R1 into the VRF RED on PE1.44.44. leak 10.Figure 3-10 OSPF Topology You will notice that your OSPF IA (intra-area) routes between CE devices SW3 and SW4 appear as type 1 external routes.10.1.44.1.1.44.1. 00:03:04.1.100.44.

configure MDT appropriately. You should use existing loopback interfaces on your PE routers for peering over your MPLS network.0/24 within a previous question.2.Configure your PE routers R1 and R6 to ensure that the MPLS P routers are not listed as intermediate hops when a trace route is performed on your CE devices. and implement IPv6 over MPLS between the 6PE routers to advertise the prefixes between 6PEs.10 2010:C15:C0:11::1/64 R6 Lo0 2010:C15:C0:6::1/64 R6 Gi0/1. Ensure that voice traffic is assigned to an LLQ. (4 points) . Ensure that PE router R6’s associated VLAN 100 IP address is used as the rendezvous point for the RED VRF multicast traffic.1. (6 points) R1 Lo0 2010:C15:C0:1::1/64 R1 Gi0/0.1/24 and SW4 Fast Ethernet 0/19 1. and solely reduce the effect of TCP global synchronization within the Default class. (2 points) Section 7: VPLS Simulation (10 Points) Switches 3 and 4 will have been configured to belong to the subnet of 1.20 2010:C15:C0:62::1/64 Section 10: QoS (7 Points) Create the following QoS profile on your PE router R1 for traffic egressing to your CE device connected to the BLUE VRF.1. Make sure that your loopback IPv6 addresses are used to source any locally generated IPv6 traffic.1.2. Use an appropriate method of prioritizing DSCP traffic so that AF31 packets are statistically dropped more frequently than AF32 during congestion.2/24) to communicate using a Layer 2 tunneling solution (use Version 3) across your Layer 3 network. It can be assumed that the mVRF bandwidth requirement is low.0.0.1. The total bandwidth between the PE to CE should be shaped to 1 Mbps. (10 points) Section 8: Multicast (10 Points) Configure your MPLS network for multicast support of the RED VRF using PIM sparse mode.1. Switch 4 should be configured to reply to an ICMP ping on its VLAN 100 interface directed to 226. Be aware that the SW3 resides in VLAN 200 and that SW4 resides in VLAN 400 in respective PE router subinterfaces. 
(10 points) Section 9: IPv6 (6 Points) Configure the following IPv6 address on the PE routers R1 and R6.1. and reduce the effects of TCP global synchronization within your Mission-Critical class.2 from Switch 3 VLAN 50.11 from CE device Switch 3 VLAN 50 to CE device SW4 VLAN 100 over the RED VRF. PE routers R1 and R6 should be configured to tunnel multicast traffic using an MDT address of 232. Create an L2TPv3 Xconnect attachment circuit on your PE routers R1 and R6 for your CE devices (SW3 Fast Ethernet 0/19 1.

Traffic in the Mission-Critical class within the detailed CIR should have the MPLS EXP set to 3 and above set to 7. an NHRP timeout of 100 seconds for spoke replies.100. You are not permitted to enable EIGRP on your Ethernet interfaces between routers.5/24. Use EIGRP with a named virtual instance of VPN and autonomous system of 1 to advertise the loopback networks between routers over a common GRE tunnel network of 100. NHRP should be authenticated with a password of SECRET. add R2 into the common GRE tunnel network as a spoke router using identical security parameters as used on R4 and R5. Use an IPsec transform set of esp-des esp-md5-hmac on each router.4.6. Use an MTU of 1416 for your secure traffic. whereas hub-to-spoke IPsec connections should be permanent. and a delay of 2 microseconds on the tunnel network. and R6 using the same common EIGRP parameters. ensuring that it receives routes from R4.5.Create the following QoS profile on your PE router R1 for traffic ingressing from your CE device connected to the BLUE VRF into the MPLS network. (3 points) Section 11: Security (15 Points) Create three new loopback IP addresses of loopback1 on R4.4/24. and the . Test your solution by extended pings sourced from the configured loopback interfaces.6. The source interface for the tunnel configuration on R2 should be Fast Ethernet 1/1.X/24 (X = router number) sourced from each router’s common Ethernet interface.5. The total aggregate speed from the CE to PE should be restricted to 1 Mbps. Traffic in the Default class within the detailed CIR should have the MPLS EXP set to 0 and above set to 4. 5.4. using IPsec to encrypt all traffic between the loopback networks using a preshared ISAKMP key of CCIE.6/24. Spoke routers must communicate with each other directly using dynamic IPsec connections with the aid of NHRP at the hub. Traffic in the Voice class within the detailed CIR should have the MPLS EXP set to 5 and above discarded. R6 is to be a hub router.100. 
use IP addresses of 4. (10 points) Following on from the previous question. and 6. R5. The hub router should provide all necessary direct next-hop information to the spoke routers when they are required to communicate between themselves. R5. and R6. respectively. with R4 and R5 being effectively spoke routers in your solution.

Do you require OSPF for any interfaces on R1 and R6 that connect to the switches? A.66. Is this acceptable? A. this is required to advertise your loopback addresses for MPLS. (2 points) Practice Lab 3: “Ask the Proctor” Note This section should be used only if you require clues to complete the questions. Q. Configure R1 appropriately. No.0/24? A. and advertise this identical network from R4 and R5 to the hub router R6 on the common GRE tunnel interface. Do you want me to configure Layer 2 between Switch 3 and Switch 4 so that they can communicate on the subnet 1.0/24 in EIGRP over the common GRE tunnel network. this is a pure IP solution designed to speed convergence in the event of a failure without the need to tune convergence timers. No. In the actual CCIE lab. I can only reach my spoke routers from the hub.1. . this includes spoke-to-spoke communication. To protect 66.45. the question states that each device must be reachable over the Frame Relay network. is this related to MPLS TE and is a tunnel required between R1 and R2? A. With my Frame Relay. Add new Loopback 2 identical IP addresses of 45.1.45. the proctor will not enter into any discussions about the questions or answers. the question doesn’t direct you to use a specific process ID. No. Section 2: MPLS and OSPF Q. No. Does it matter what OSPF process ID I use on my routers? A. so you can use an ID of your choice. Q. but wants to implement a solution that provides a password prompt from R1 only when the keyboard entry 1 is entered on the console port (as opposed to the normal CR/Enter key).45. Section 1: LAN Switching and Frame Relay Q. Configure R6 to advertise both destinations (R4 and R5) to spoke router R2 for network 45. (3 points) The network manager of your network cannot justify a full security implementation. He or she will be present to ensure that you do not have problems with the lab environment and to maintain the timing element of the exam.66. just configure OSPF per the figure. No. 
simply configure the switches as directed in the question and Layer 2 connectivity will be provisioned later within the lab when your core network is configured. Q.66/32.45.45/24 on both R4 and R5.destination should be the Gigabit Ethernet 0/0 interface of R6.

Do I need to perform any further configuration to make this work? A.6/32 prefix? A. No. you will ultimately achieve this connectivity through an MPLS VPN and not by simply extending OSPF through your core devices. Correct. MPLS. Q. MP-BGP is simply required between the PE routers.6. just remember that R1 is now a PE router with multiple VRF routing tables. Section 3: BGP Q. Is this acceptable here? A. Q. Do you want me to configure OSPF. No. I usually configure next-hop self on my BGP configurations. Can I configure OSPFv2 Fast Reroute for the 6. A. this will enable your network to transport MPLS and BGP within later questions. EIGRP requires the same autonomous system number on neighbor routers to peer successfully. Section 5: OSPF and MP-BGP Q. Q. . You need to ensure that you source your ping correctly. Do you want me to configure my RED VRF with a route descriptor of 100 and 200 for the BLUE VRF? A. Q. Do you need me to configure the PEs to send community values to each other? A. they cannot peer correctly. A combination of the two will achieve the desired results. Q. No. You have been provided with additional information in the question that enables you to facilitate use of MP-BGP extended communities. Q. I can’t ping to my VLAN 10 interface on Switch 1 from R1. Section 4: EIGRP and MP-BGP Q. Look for a method of making the autonomous system number the same within your VRF specific configuration on R6. You haven’t been instructed not to use this command at this point even though this is an iBGP configuration. Do you want the OSPF from the core routers extended into the RED VRF I created so that I run end-to-end OSPF between CE Switch 1 and CE Switch 2? A. R1 would use its default routing table (which is used for the MPLS connectivity). So. You must remember how MPLS works and ensure that the route targets are propagated to successfully configure your VPNs. No. Yes. otherwise.Q. just add in the MP-BGP autonomous system number to the RD? A. 
just initially as directed OSPF.6. Do you want me to configure a full mesh of BGP between all routers? A. If I use a different number on R6 and Switch 2. and BGP initially within the OSPF section? A.

it might help you understand the issue. Section 7: VPLS Simulation Q. and it would appear that you have modified this behavior with your redistribution configuration. A. so I am stuck. I think if I change the redistribution of OSPF into BGP. Section 8: Multicast Q. surely the routes should appear as standard interarea routes through the VPN. No. Correct. I can manage to leak routes between VRFs but my route comes out as a host route. I changed the redistribution. Yes. This must have something to do with the different OSPF process ID I had to configure. Why would I want to advertise the OSPF routes as external type 1 routes within BGP. It will become evident why you have been asked to do this in a later question. or could I do this over a standard Layer 3 network? A. I suspect a spanning-tree type of issue if the question states VLAN differences when I need to provide Layer 2 adjacency. Q. Why would I need to do this? A. Q. I can’t adjust this. Yes. The routes will come out as type 1 external routes on your CE devices. You are correct. If I change the domain ID on R1.Q. but you have been directed to do so in the question. I have my L2TPv3 tunnel up end to end. Q. Q. yet I cannot ping between switches. Find an appropriate value and try it out. You had a similar issue with EIGRP autonomous system numbers. Q. this question is a little misleading. Can I modify my loopback interface with the OSPF network command on Switch 4 so that it is advertised with the correct mask? A. is that acceptable? A. Section 6: MPLS Q. but the routes remain identical. Just exercise caution where you configure your parameters to achieve the correct results in the appropriate VRF. You could achieve the same result over a standard Layer 3 network. though. A. Do you want me to enable PIM over my P routers or just PE routers? . I can make the OSPF routes appear as intra-area routes. Is this MPLS specific. Do I score any points if I change the redistribution? A. 
This behavior should become apparent why in the following question. just investigate what is possible within your VRF configuration. Am I at liberty to manipulate spanning tree? A. by all means try to change the redistribution. Changing the process ID on OSPF peers wouldn’t affect any adjacency.

A. Q. You’re almost there. it just provides you with two different configuration exercises. you might find that configuring PIM end to end is required. do you want me to configure some priority queuing within a class for AF32 flows? A. You might find it is required at certain points within your MPLS network. To prioritize DSCP traffic. Yes.2. Do I use the same packet-marking classes in each question? A. Q.2.and low-bandwidth sources. Yes. Section 9: IPv6 Q. Your switches are currently not capable of running IPv6. Is this DiffServ. Should I just advertise my IPv6 prefixes with the BGP network command? A. Yes. Q. you might or might not require a Data MDT. Do you want me to run IPv6 down to my CE switches and redistribute anything over MPLS? A. Is this correct? A. yet the first will be line rate at 1 Gbps. can I just configure an IGMP join group appropriately on its VLAN 100 interface? A. Q. I appreciate that this isn’t the real world. Do you want PIM on my MPLS router loopback interfaces? A. To get Switch 4 to reply to a ping to 226. Q.2. No. A. though. because there is no redistribution to be configured. this wouldn’t offer the inherent drop preference. Are you looking for random early detect? A. . Q. MDT has differing requirements for high. Section 10: QoS Q. I have a Multicast Distribution Tree tunnel between PE routers. Yes.” To provide end-to-end multicast support. Q. Q. You can. though. but I don’t understand what the low-bandwidth requirement is. use a common technique whereby traffic is dropped randomly as queues fill. whereby you want me to modify the topmost bits in the EXP field? A. Yes. The question states “MPLS network. Q. The second QoS policy limits traffic to 1 Mbps. AF31 packets should be dropped more frequently than AF32. Do you want the first QoS policy outbound on the BLUE VRF interface on PE router R1? A.

Is this okay? A. Don’t I need an ACL to mark all traffic that should be encrypted? A. Your switched network is physically nonlooped and therefore does not require any STP root bridge configuration. Configure SW1 Fa0/19 to belong to VLAN 200 and SW2 Fa0/19 to belong to VLAN 400. Q. you need full network visibility from all devices and not just the hub. Is this acceptable? A. Do you want the policy applied to the CE-facing VRF BLUE interface as an input service policy? A. No. and all traffic flowing from the new subnets you created should automatically be encrypted. Can I modify the next hop from the hub? A. Q.Q.0/24 via the hub router. I have added R2 as a spoke to the DMVPN network. Q. rather than a CR on the line con 0 port. and it receives a single route to network 45. Q. No. No. Is this acceptable? A. just make the router provide a prompt when it receives an ASCII 1.45. you must configure R6 to advertise both spokes (R4 and R5) as valid next hops for this destination. . You should use this section to produce an overall score for Practice Lab 3. Can I configure max-paths on R2? A. Q. The clues in the question suggest this is a DMVPN question. the question specifically states that spoke routers must be able to communicate with each other directly. Yes. No. Section 1: LAN Switching (4 Points) Configure your switched network per Figure 3-6. Q. Section 11: Security Q. I have configured my solution correctly. Yes. I still show a next hop of the hub between spoke networks. Do you want me to get R1 to somehow translate a CR into a 1 to then provide a password prompt? A.45. this would then modify the traffic as it flows into the MPLS network. yet I don’t get spoke routes on the spoke routers. Practice Lab 3 Debrief This section now analyzes each question showing you what was required and how to achieve the desired results. No. Q. No. Yes. your solution will not require an ACL. can I disable this behavior? A. This sounds like a split-horizon issue. 
use a similar feature on R6 hub to actually advertise both spokes rather than just one as a valid next hop.

Configure interface Fa0/1 on SW1 to become a trunk port toward R1 and Fa0/6 on SW2 to become a trunk port toward R6; ports should use 802.1Q encapsulation. Restrict the VLANs permissible to use the trunk on Switch 1 Fa0/1 to VLAN 10, 50, and 200 and VLAN 20, 100, and 400 on Switch 2 Fa0/6. You should also configure R1 and R6 to terminate the VLANs on each router. Interface Fa0/20 of each switch has been preconfigured to be a trunk port. Connectivity between switches will be provided via R1 and R6 later in the lab. (3 points)

This is a simple question, but you are required to complete multiple configuration items to gain your points. To begin, ports Fa0/19 of Switch 1 and Switch 2 should be assigned the correct VLAN. (The actual VLANs would have been created previously in the initial configuration.) Next, the trunking is configured as directed with allowed VLANs of 10, 50, and 200 for Switch 1 and 20, 100, and 400 for Switch 2. R1 and R6 are configured with the corresponding VLAN numbers as subinterfaces to terminate the trunk connections from Switch 1 and Switch 2 using an identical reference for the dot1q encapsulation. The configuration enables connectivity between switches when the MPLS section has been completed later in the lab. If you have configured this correctly, as shown in Example 3-1, you have scored 3 points.

Note
R1 and R6 use the VLAN number for the encapsulation and the subinterface number. Your subinterface number does not need to match the VLAN number, but it is considered good practice to do so.

Example 3-1 SW1, SW2, R1, and R6 Configuration
Switch1# show run interface fastethernet 0/19
!
interface fastethernet0/19
 switchport access vlan 200
 switchport mode access
Switch1# show run interface fastethernet 0/1
!
interface fastethernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,50,200
 switchport mode trunk
Switch2# show run interface fastethernet 0/19
!
interface fastethernet0/19
 switchport access vlan 400
 switchport mode access
Switch2# show run interface fastethernet 0/6
!
interface fastethernet0/6
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 20,100,400
 switchport mode trunk
R1# show run | begin interface GigabitEthernet0/0
!
interface GigabitEthernet0/0
 no ip address
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
!
interface GigabitEthernet0/0.50
 encapsulation dot1Q 50
!
interface GigabitEthernet0/0.200
 encapsulation dot1Q 200
R6# show run | begin interface GigabitEthernet0/1
!
interface GigabitEthernet0/1
 no ip address
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
!
interface GigabitEthernet0/1.100
 encapsulation dot1Q 100
!
interface GigabitEthernet0/1.400
 encapsulation dot1Q 400

SW3 interface Fa0/19 and SW4 interface Fa0/19 are required to communicate with each other on the same IP subnet of 1.1.1.0/24. Configure these interfaces with IP addresses 1.1.1.1/24 and 1.1.1.2/24, respectively. The interfaces should be configured to communicate as if connected directly as a point-to-point link. (Actual IP end-to-end connectivity will be achieved in a later section.) (1 point)

This is a straightforward configuration task to change the operation of the ports to non-switchport Layer 3 mode where an IP address can be configured. End-to-end connectivity is achieved through the IP network at a later stage. If you have configured this correctly, as shown in Example 3-2, you have scored 1 point.

Example 3-2 SW3 and SW4 Configuration
Switch3# show run interface fastethernet 0/19
!
interface fastethernet0/19
 no switchport
 ip address 1.1.1.1 255.255.255.0
Switch4# show run interface fastethernet 0/19
!
interface fastethernet0/19
 no switchport
 ip address 1.1.1.2 255.255.255.0

Section 2: MPLS and OSPF (27 Points)
Configure OSPF on your routers, per Figure 3-6, to enable your network to transport MPLS and MP-BGP. Ensure that all OSPF configuration is entered under the interfaces. All required interfaces (including Loopback 0) should be configured to belong to Area 0. (3 points)

OSPF is used as the IGP in which to advertise the router loopback addresses, which will, of course, be used for the MPLS connectivity. The question directs you to configure OSPF directly under the interfaces of the routers. Consider using the show ip ospf interface command to verify your configuration. Example 3-3 shows the loopback interfaces of each router from R1’s perspective advertised as host routes as required for MPLS. If you have configured this correctly, as shown in Example 3-3, you have scored 3 points.

Example 3-3 OSPF Configuration and Verification
R1(config-if)# int lo0
R1(config-if)# ip ospf 1 area 0
R1(config-if)# int Gi0/1
R1(config-if)# ip ospf 1 area 0

R2(config-if)# int lo0
R2(config-if)# ip ospf 1 area 0
R2(config-if)# int Fa0/0
R2(config-if)# ip ospf 1 area 0
R2(config-if)# int Fa0/1
R2(config-if)# ip ospf 1 area 0

R3(config-if)# int lo0
R3(config-if)# ip ospf 1 area 0
R3(config-if)# int Gi0/0
R3(config-if)# ip ospf 1 area 0
R3(config-if)# int Gi0/1
R3(config-if)# ip ospf 1 area 0

R4(config-if)# int lo0
R4(config-if)# ip ospf 1 area 0
R4(config-if)# int gi0/0
R4(config-if)# ip ospf 1 area 0
R4(config-if)# int Gi0/1
R4(config-if)# ip ospf 1 area 0

R5(config-if)# int lo0
R5(config-if)# ip ospf 1 area 0
R5(config-if)# int gi0/0
R5(config-if)# ip ospf 1 area 0
R5(config-if)# int Gi0/1
R5(config-if)# ip ospf 1 area 0

R6(config-if)# int lo0
R6(config-if)# ip ospf 1 area 0
R6(config-if)# int gi0/0
R6(config-if)# ip ospf 1 area 0

R1# show ip route ospf
     120.0.0.0/8 is variably subnetted, 11 subnets, 2 masks
O       120.100.2.1/32 [110/2] via 120.100.132.2, 00:05:00, GigabitEthernet0/1
O       120.100.3.1/32 [110/2] via 120.100.132.3, 00:06:16, GigabitEthernet0/1
O       120.100.4.1/32 [110/12] via 120.100.132.3, 00:06:16, GigabitEthernet0/1
O       120.100.5.1/32 [110/22] via 120.100.132.3, 00:02:36, GigabitEthernet0/1
O       120.100.6.1/32 [110/22] via 120.100.132.3, 00:01:19, GigabitEthernet0/1
O       120.100.25.0/24 [110/31] via 120.100.132.3, 00:02:26, GigabitEthernet0/1
O       120.100.34.0/24 [110/11] via 120.100.132.3, 00:06:16, GigabitEthernet0/1
O       120.100.45.0/24 [110/21] via 120.100.132.3, 00:06:16, GigabitEthernet0/1

Configure MPLS on all routers within the OSPF domain; use LDP, ensuring that TDP can
be used on unused interfaces without specifically configuring these interfaces for TDP.
Routers R1 and R6 will become your PE routers, whereas R2, R3, R4, and R5 will
become P routers. (4 points)
Configuration is required on each router for them to become LSRs (label switch routers). The
LSRs must have loopback interfaces with an address mask of 32 bits, and these interfaces must
be reachable within the global IP routing table (which the previous question achieved). R1 and
R6 are the PE (provider edge) routers, which will be used to connect to switches in later
questions simulating CE (customer edge) devices. R2, R3, R4, and R5 become the P (provider)
routers, which will be used to switch labeled packets between the PE routers. The question tells
you to use LDP (Label Distribution Protocol) but facilitate the future use of TDP (Tag
Distribution Protocol) without further configuration on unused interfaces. This is achieved by
configuring TDP globally and LDP under each interface used for MPLS within this lab. (The
default global and interface configuration is LDP.) The PE routers require only MPLS configured
on their serial interfaces toward the P routers. If you have configured this correctly, as shown in
Example 3-4, you have scored 4 points.
Example 3-4 MPLS Configuration

R1(config)# mpls label protocol tdp
R1(config)# interface Gi0/1
R1(config-if)# mpls label protocol ldp
R1(config-if)# mpls ip
R2(config)# mpls label protocol tdp
R2(config)# interface Fa0/0
R2(config-if)# mpls label protocol ldp
R2(config-if)# mpls ip
R2(config)# interface Fa0/1
R2(config-if)# mpls label protocol ldp
R2(config-if)# mpls ip
R3(config)# mpls label protocol tdp
R3(config)# interface Gi0/0
R3(config-if)# mpls label protocol ldp
R3(config-if)# mpls ip
R3(config-if)# interface Gi0/1
R3(config-if)# mpls label protocol ldp
R3(config-if)# mpls ip
R4(config)# mpls label protocol tdp
R4(config)# interface GigabitEthernet0/0
R4(config-if)# mpls label protocol ldp
R4(config-if)# mpls ip
R4(config-if)# interface Gi0/1
R4(config-if)# mpls label protocol ldp
R4(config-if)# mpls ip
R5(config)# mpls label protocol tdp
R5(config)# interface Gi0/0
R5(config-if)# mpls label protocol ldp
R5(config-if)# mpls ip
R5(config-if)# interface Gi0/1
R5(config-if)# mpls label protocol ldp
R5(config-if)# mpls ip
R6(config)# mpls label protocol tdp
R6(config)# interface Gi0/0
R6(config-if)# mpls label protocol ldp
R6(config-if)# mpls ip
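
The approach above reduces to a precedence rule: an interface with mpls ip uses its own mpls label protocol setting if one is present, otherwise the global setting, otherwise the LDP default. The following is an added example, not code from the book, that computes the effective protocol per interface and flags any MPLS interface that would inherit TDP; the sample running-config text and the function names are constructed for illustration.

```python
"""Report which label protocol each MPLS-enabled interface would run (added example)."""

DEFAULT_PROTOCOL = "ldp"  # per the text: the default global and interface setting

# Constructed running-config fragment in the style of Example 3-4.
# GigabitEthernet0/1 deliberately lacks the per-interface LDP override.
SAMPLE_R3 = """\
mpls label protocol tdp
!
interface Loopback0
 ip address 120.100.3.1 255.255.255.255
!
interface GigabitEthernet0/0
 mpls label protocol ldp
 mpls ip
!
interface GigabitEthernet0/1
 mpls ip
!
interface GigabitEthernet0/2
 shutdown
"""


def effective_label_protocols(config):
    """Return (global_protocol, {interface: protocol}) for interfaces with 'mpls ip'."""
    global_proto = DEFAULT_PROTOCOL
    interfaces = {}   # name -> {"mpls_ip": bool, "proto": per-interface override or None}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        words = line.split()
        is_label_cmd = words[:3] == ["mpls", "label", "protocol"] and len(words) == 4
        if not raw[0].isspace():                 # unindented: global-level command
            current = None
            if words[0] == "interface" and len(words) > 1:
                current = interfaces.setdefault(
                    words[1], {"mpls_ip": False, "proto": None})
            elif is_label_cmd:
                global_proto = words[3].lower()
        elif current is not None:                # indented: interface sub-command
            if words == ["mpls", "ip"]:
                current["mpls_ip"] = True
            elif is_label_cmd:
                current["proto"] = words[3].lower()
    effective = {
        name: (state["proto"] or global_proto)
        for name, state in interfaces.items()
        if state["mpls_ip"]
    }
    return global_proto, effective


def audit(config, required="ldp"):
    """Return findings for MPLS interfaces that would not run the required protocol."""
    global_proto, effective = effective_label_protocols(config)
    return sorted(
        f"{name}: runs {proto.upper()} (global default is {global_proto.upper()}), "
        f"expected {required.upper()}"
        for name, proto in effective.items()
        if proto != required
    )


if __name__ == "__main__":
    for finding in audit(SAMPLE_R3):
        print(finding)
```

Run against a saved running-config from each LSR, an empty result means every interface that forms label sessions does so with LDP, which is what the question requires.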

Example 3-5 shows verification of the configuration with the LDP peering between each router.
Notice that the loopback addresses are used for LDP peer identification.
Example 3-5 MPLS Configuration Verification

R1# show mpls ldp neighbor
Peer LDP Ident: 120.100.2.1:0; Local LDP Ident 120.100.1.1:0
TCP connection: 120.100.2.1.40418 - 120.100.1.1.646
State: Oper; Msgs sent/rcvd: 69/71; Downstream
Up time: 00:47:20
LDP discovery sources:
GigabitEthernet0/1, Src IP addr: 120.100.123.2
Addresses bound to peer LDP Ident:
120.100.123.2
120.100.25.2
120.100.2.1
Peer LDP Ident: 120.100.3.1:0; Local LDP Ident 120.100.1.1:0
TCP connection: 120.100.3.1.51369 - 120.100.1.1.646
State: Oper; Msgs sent/rcvd: 68/68; Downstream
Up time: 00:47:18
LDP discovery sources:
GigabitEthernet0/1, Src IP addr: 120.100.123.3
Addresses bound to peer LDP Ident:
120.100.123.3
120.100.3.1
120.100.34.3
R2# show mpls ldp neighbor
Peer LDP Ident: 120.100.3.1:0; Local LDP Ident 120.100.2.1:0
TCP connection: 120.100.3.1.16991 - 120.100.2.1.646
State: Oper; Msgs sent/rcvd: 71/68; Downstream
Up time: 00:46:33
LDP discovery sources:
fastethernet0/0, Src IP addr: 120.100.123.3
fastethernet0/1, Src IP addr: 120.100.34.3
Addresses bound to peer LDP Ident:
120.100.123.3
120.100.3.1
120.100.34.3
Peer LDP Ident: 120.100.5.1:0; Local LDP Ident 120.100.2.1:0
TCP connection: 120.100.5.1.13826 - 120.100.2.1.646
State: Oper; Msgs sent/rcvd: 73/76; Downstream
Up time: 00:46:24
LDP discovery sources:
fastethernet0/1, Src IP addr: 120.100.25.5
Addresses bound to peer LDP Ident:
120.100.25.5
120.100.5.1
5.5.5.5
120.100.45.5
100.100.100.5
Peer LDP Ident: 120.100.1.1:0; Local LDP Ident 120.100.2.1:0
TCP connection: 120.100.1.1.646 - 120.100.2.1.40418
State: Oper; Msgs sent/rcvd: 69/68; Downstream
Up time: 00:46:07
LDP discovery sources:
fastethernet0/0, Src IP addr: 120.100.123.1
Addresses bound to peer LDP Ident:
120.100.123.1
120.100.1.1
Peer LDP Ident: 120.100.4.1:0; Local LDP Ident 120.100.2.1:0
TCP connection: 120.100.4.1.47401 - 120.100.2.1.646
State: Oper; Msgs sent/rcvd: 54/57; Downstream
Up time: 00:32:28
LDP discovery sources:
fastethernet0/1, Src IP addr: 120.100.34.4
Addresses bound to peer LDP Ident:
120.100.4.1
4.4.4.4
120.100.45.4
100.100.100.4
120.100.34.4
R3# show mpls ldp neighbor
Peer LDP Ident: 120.100.2.1:0; Local LDP Ident 120.100.3.1:0
TCP connection: 120.100.2.1.646 - 120.100.3.1.16991
State: Oper; Msgs sent/rcvd: 69/72; Downstream
Up time: 00:47:11
LDP discovery sources:
GigabitEthernet0/0, Src IP addr: 120.100.123.2
GigabitEthernet0/1, Src IP addr: 120.100.25.2
Addresses bound to peer LDP Ident:
120.100.123.2
120.100.25.2
120.100.2.1
Peer LDP Ident: 120.100.1.1:0; Local LDP Ident 120.100.3.1:0
TCP connection: 120.100.1.1.646 - 120.100.3.1.51369
State: Oper; Msgs sent/rcvd: 67/67; Downstream
Up time: 00:46:43
LDP discovery sources:
GigabitEthernet0/0, Src IP addr: 120.100.123.1
Addresses bound to peer LDP Ident:
120.100.123.1
120.100.1.1
Peer LDP Ident: 120.100.5.1:0; Local LDP Ident 120.100.3.1:0
TCP connection: 120.100.5.1.53107 - 120.100.3.1.646
State: Oper; Msgs sent/rcvd: 67/74; Downstream
Up time: 00:45:22
LDP discovery sources:
GigabitEthernet0/1, Src IP addr: 120.100.25.5
Addresses bound to peer LDP Ident:
120.100.25.5
120.100.5.1
5.5.5.5
120.100.45.5
100.100.100.5
Peer LDP Ident: 120.100.4.1:0; Local LDP Ident 120.100.3.1:0
TCP connection: 120.100.4.1.15940 - 120.100.3.1.646
State: Oper; Msgs sent/rcvd: 52/56; Downstream
Up time: 00:33:06
LDP discovery sources:
GigabitEthernet0/1, Src IP addr: 120.100.34.4
Addresses bound to peer LDP Ident:
120.100.4.1
4.4.4.4
120.100.45.4
100.100.100.4
120.100.34.4
R4# show mpls ldp neighbor
Peer LDP Ident: 120.100.6.1:0; Local LDP Ident 120.100.4.1:0
TCP connection: 120.100.6.1.55234 - 120.100.4.1.646
State: Oper; Msgs sent/rcvd: 74/76; Downstream
Up time: 00:43:52

Src IP addr: 120.1. Msgs sent/rcvd: 55/52.1:0 TCP connection: 120.4.100. Local LDP Ident 120.646 State: Oper.34.5.2. Downstream Up time: 00:49:55 LDP discovery sources: GigabitEthernet0/1. Src IP addr: 120.100.1:0.1.100.2.100.34.120.100.1:0.25.2 120.6.45.45.6 Addresses bound to peer LDP Ident: 120.3 R5# show mpls ldp neighbor Peer LDP Ident: 120.646 State: Oper.100.5.5.47401 State: Oper.100.100. Downstream Up time: 00:48:58 LDP discovery sources: GigabitEthernet0/0.120.45. Msgs sent/rcvd: 80/78.1:0 TCP connection: 120.120.100.LDP discovery sources: GigabitEthernet0/0.100.6.120. Local LDP Ident 120.1.100.100.5 Addresses bound to peer LDP Ident: 120.1.100.100.100.6 100.1:0.646 .4.57689 State: Oper.4. Src IP addr: 120.5.100.100.25.5. Msgs sent/rcvd: 72/74.1:0.100.1:0 TCP connection: 120.3 Addresses bound to peer LDP Ident: 120.646 .5.6. Local LDP Ident 120.1 6.4.1. Msgs sent/rcvd: 81/81.100. Downstream Up time: 00:43:48 LDP discovery sources: GigabitEthernet0/0.2.4. Downstream Up time: 00:30:52 LDP discovery sources: GigabitEthernet0/1.1.100.6 100.100.100.1:0 TCP connection: 120. Local LDP Ident 120.100.2 Addresses bound to peer LDP Ident: 120.646 .2 120.1.100. Src IP addr: 120.2.100.3. Src IP addr: 120. Downstream Up time: 00:48:54 LDP discovery sources: GigabitEthernet0/0.6.2.5 GigabitEthernet0/1.25.100.123.646 .2 120.5.45. Msgs sent/rcvd: 54/50.6 Peer LDP Ident: 120.6.5 120.57689 .3.15940 State: Oper. Msgs sent/rcvd: 80/77.2 Addresses bound to peer LDP Ident: 120.120.100.25.1:0.100.5 100.25.100.120.6 120.1:0.5.6.100.1 5.100.100.45.100.3.100.6.100.100.100.100.1.100.1.45.45. Src IP addr: 120.2.100.100.100.6 Peer LDP Ident: 120.123.3 120.100.100. Src IP addr: 120.5.5.100.6 120.25.123.100.1 6.100.1 Peer LDP Ident: 120.18472 .6. Local LDP Ident 120. Src IP addr: 120.5 Peer LDP Ident: 120.13826 State: Oper.1 Peer LDP Ident: 120.4 .100. Local LDP Ident 120.1:0 TCP connection: 120.1.6 Addresses bound to peer LDP Ident: 120.5 120.4.2 120.100.100.1.1.5. 
Downstream Up time: 00:30:52 LDP discovery sources: GigabitEthernet0/1.100.4.1 120.1:0 TCP connection: 120.4.100.100.100.

53107 State: Oper.3.646 .45.100.1 5.120.100. Msgs sent/rcvd: 82/80.45.100.100.5.100.45.646 .100. Local LDP Ident 120. At this point.100.6. Src IP addr: 120.34.5.100.4 100. Src IP addr: 120. Downstream Up time: 00:49:31 LDP discovery sources: GigabitEthernet0/0.100.4. Downstream Up time: 00:49:31 LDP discovery sources: GigabitEthernet0/0.6.100.5 120.1 4.100.4.100.1.1.1:0 TCP connection: 120.100.100.1.4.34.100.5.3 R6# show mpls ldp neighbor Peer LDP Ident: 120.3.100.5 120.4 Addresses bound to peer LDP Ident: 120.1:0.GigabitEthernet0/1.100.5.1:0.6.1:0. Src IP addr: 120.100.34.100. (4 points) You are required to create virtual routing forwarding (VRF) instances on the PE routers and assign the subinterfaces on each PE router into these.100. You are directed to use a route descriptor (RD) of 100 for the BLUE VRF and 200 for the RED VRF and must combine this with the BGP autonomous system number of 65001 to .55234 State: Oper.100.5 100. Downstream Up time: 00:48:17 LDP discovery sources: GigabitEthernet0/1.5.3 120.45.4 100.100.100. Msgs sent/rcvd: 82/82.1 4.5 Addresses bound to peer LDP Ident: 120.100.1 120.120.3 Addresses bound to peer LDP Ident: 120.1:0 TCP connection: 120.4. Msgs sent/rcvd: 77/70. assign the following interfaces on each PE router into separate routing instances within the routers: PE R1 interface Gi0/0 VLAN10 connection into VPN BLUE PE R1 interface Gi0/0 VLAN 50 connection into VPN RED PE R6 interface Gi0/1 VLAN 20 connection into VPN BLUE PE R6 interface Gi0/1 VLAN 100 connection into VPN RED Configure VPN BLUE to use an RD of 100 and VPN RED to use an RD of 200 for both importing and exporting routes into your BGP network.45.4 You will be configuring two VPNs over your MPLS networks per Figure 3-8 between PE routers of BLUE and RED.25.100.100.4 120.123.4.646 .3.1:0 TCP connection: 120.4 120.100.4 120.100. Local LDP Ident 120.4 120.4 Peer LDP Ident: 120.5.4 Addresses bound to peer LDP Ident: 120.6.100. Src IP addr: 120.5 Peer LDP Ident: 120.1.1. 
Local LDP Ident 120.1.100.100.4.5.34.4.18472 State: Oper. This will ultimately provide end-to-end virtual private networking (VPN) connectivity over the MPLS network for your CE devices to communicate.120.4.100. which will be configured later with an autonomous system of AS65001.100.100.34.

import and export route target extended communities for the specified VRFs. The actual BGP
configuration will be configured later in the lab. If you have configured this correctly, as
shown in Example 3-6, you have scored 4 points.
Example 3-6 VRF Configuration

R1(config)# ip vrf BLUE
R1(config-vrf)# rd 65001:100
R1(config-vrf)# route-target export 65001:100
R1(config-vrf)# route-target import 65001:100
R1(config-vrf)# !
R1(config-vrf)# ip vrf RED
R1(config-vrf)# rd 65001:200
R1(config-vrf)# route-target export 65001:200
R1(config-vrf)# route-target import 65001:200
R1(config-vrf)# exit
R1(config)# interface GigabitEthernet0/0.10
R1(config-subif)# ip vrf forwarding BLUE
R1(config-subif)# interface GigabitEthernet0/0.50
R1(config-subif)# ip vrf forwarding RED
R6(config)# ip vrf BLUE
R6(config-vrf)# rd 65001:100
R6(config-vrf)# route-target export 65001:100
R6(config-vrf)# route-target import 65001:100
R6(config-vrf)# !
R6(config-vrf)# ip vrf RED
R6(config-vrf)# rd 65001:200
R6(config-vrf)# route-target export 65001:200
R6(config-vrf)# route-target import 65001:200
R6(config-vrf)# exit
R6(config)# interface GigabitEthernet0/1.20
R6(config-subif)# ip vrf forwarding BLUE
R6(config)# interface GigabitEthernet0/1.100
R6(config-subif)# ip vrf forwarding RED

Create a network between PE router R1 and CE device SW1 using a VLAN10 interface on SW1 that
can be trunked toward R1. Use a subnet of 10.10.10.0/30 with .1/30 assigned to the PE and
.2/30 assigned to the CE. This network will reside in the BLUE VPN. (2 points)
This is a simple configuration task to assign IP connectivity between the PE and CE devices for
future routing between the devices and remote VPN connectivity via R6. The new VLAN10 must be
created on SW1, and this VLAN should have already been permitted to flow through to R1 as an
allowed VLAN. The subinterface of Gigabit 0/0.10 on R1 has been assigned to the BLUE VRF during
the previous question, so connectivity between SW1 and R1 should now be possible (when IP
addresses are assigned). When testing, remember that R1 must use the appropriate VRF to confirm
connectivity, because a normal ping would be sourced from the global routing table and will
fail. If you have configured this correctly, as shown in Example 3-7, you have scored 2 points.
Example 3-7 BLUE VRF IP Addressing and Local Connectivity Testing

R1(config)# interface GigabitEthernet0/0.10
R1(config-subif)# ip add 10.10.10.1 255.255.255.252
Switch1(config)# vlan 10
Switch1(config-vlan)# exit
Switch1(config)# interface vlan 10
Switch1(config-if)# no shutdown
Switch1(config-if)# ip add 10.10.10.2 255.255.255.252
R1# ping vrf BLUE 10.10.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 1/1/1 ms

Create a network between PE router R6 and CE device SW2 using a VLAN 20 interface on SW2 that
can be trunked toward R6. Use a subnet of 10.10.20.0/30 with .1/30 assigned to the PE and
.2/30 assigned to the CE. This network will reside in the BLUE VPN. (2 points)
This is a simple configuration task as per the previous question to assign connectivity between
the PE and CE devices for future routing between the devices and remote VPN connectivity via R1.
The new VLAN 20 must be created on SW2, and this VLAN already should have been permitted to flow
through to R6 as an allowed VLAN. The subinterface of Gigabit 0/1.20 on R6 has been assigned to
the BLUE VRF during a previous question, so connectivity between SW2 and R6 should now be
possible. When testing, remember that R6 must use the appropriate VRF to confirm connectivity.
If you have configured this correctly, as shown in Example 3-8, you have scored 2 points.
Example 3-8 BLUE VRF IP Addressing and Local Connectivity Testing

R6(config)# interface GigabitEthernet0/1.20
R6(config-subif)# ip add 10.10.20.1 255.255.255.252
Switch2(config)# vlan 20
Switch2(config-vlan)# exit
Switch2(config)# interface vlan 20
Switch2(config-if)# no shutdown
Switch2(config-if)# ip add 10.10.20.2 255.255.255.252
R6# ping vrf BLUE 10.10.20.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.20.2, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 1/1/1 ms

Create a network between PE router R1 and CE device SW3 using a VLAN 50 interface on SW3 that
can be trunked toward R1. Use a subnet of 130.50.50.0/30 with .1/30 assigned to the PE and
.2/30 assigned to the CE; this network will reside in the RED VPN. (2 points)
Here’s another simple configuration to assign connectivity between the PE and CE devices for
future routing between the devices and remote VPN connectivity via R6. VLAN 50 has been
previously created on SW3 and SW1 within the initial configuration. This VLAN should have already
been permitted to flow through SW1 to R1 as an allowed VLAN. The subinterface of Gigabit 0/0.50
on R1 has been assigned to the RED VRF during a previous question, so connectivity between SW3
and R1 should now be possible. When testing, remember that R1 must use the appropriate VRF to
confirm connectivity. If you have configured this correctly, as shown in Example 3-9, you have
scored 2 points.
Example 3-9 RED VRF IP Addressing and Local Connectivity Testing

R1(config)# interface GigabitEthernet0/0.50
R1(config-subif)# ip add 130.50.50.1 255.255.255.252
Switch3(config)# interface vlan 50
Switch3(config-if)# no shutdown
Switch3(config-if)# ip add 130.50.50.2 255.255.255.252
R1# ping vrf RED 130.50.50.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 130.50.50.2, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 1/1/1 ms

Create a network between PE router R6 and CE device SW4 using a VLAN 100 interface on SW4 that
can be trunked toward R6. Use a subnet of 130.100.100.0/30 with .1/30 assigned to the PE and
.2/30 assigned to the CE; this network will reside in the RED VPN. (2 points)
This is the final configuration task to assign connectivity between the PE and CE devices for
future routing between the devices and remote VPN connectivity via R1. VLAN 100 has been
previously created on SW4 and SW2 within the initial configuration; this VLAN should have already
been permitted to flow through SW2 to R6 as an allowed VLAN. The subinterface of Gigabit 0/1.100
on R6 has been assigned to the RED VRF during a previous question, so connectivity between SW4
and R6 should now be possible. When testing, remember that R6 must use the appropriate VRF to
confirm connectivity. If you have configured this correctly, as shown in Example 3-10, you have
scored 2 points.
Example 3-10 RED VRF IP Addressing and Local Connectivity Testing

R6(config)# interface GigabitEthernet0/1.100
R6(config-subif)# ip add 130.100.100.1 255.255.255.252
Switch4(config)# interface vlan 100
Switch4(config-if)# no shutdown
Switch4(config-if)# ip add 130.100.100.2 255.255.255.252
R6# ping vrf RED 130.100.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 130.100.100.2, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 1/1/1 ms

Section 3: BGP (5 Points)
Configure MP-BGP between your PE routers, per Figure 3-9, to enable your network to transport
the VPNv4 addresses of your configured VPNs (BLUE and RED). Use loopback interfaces for peering
between your PE routers. You will configure the actual VPN routing in later questions. (4 points)
MPLS requires the use of Multiprotocol BGP (MP-BGP) between the PE routers to exchange VPNv4
addresses in addition to IPv4 addresses. The VPNs will be mapped into the configuration later,
so this question is a straightforward peering and VPNv4 setup task. The configuration requires
you to peer from your loopback interfaces, which are advertised via your P routers within OSPF
and that extended communities are used between PE routers to advertise your VPNv4 addresses
successfully. You should be aware that route targets (RTs) are implemented by the use of the BGP
extended community (64 bits) and therefore the send-community both value must be configured
within MP-BGP. The actual VPN portion of MP-BGP will be configured later within the IPv4 address
family for VRF-specific advertisements. The next-hop-self command is optional and strictly
required only when you have an eBGP configuration to preserve the next-hop information to peers;
you will not lose any points if you added this or left it out.
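
Because the route targets from Example 3-6 are what MP-BGP carries as extended communities, a mismatched value breaks a VPN and a cross-imported value joins two of them. The following is an added example, not code from the book, that checks the VRF definitions of both PE routers for those two conditions and for interfaces bound to an undefined VRF; the running-config text is constructed from Example 3-6 and the function names are this example's own.

```python
"""Check VRF route-target consistency and isolation across PE configs (added example)."""
import re

# VRF definitions and interface bindings from Example 3-6, rewritten in
# running-config form (constructed for this example).
R1_CONFIG = """\
ip vrf BLUE
 rd 65001:100
 route-target export 65001:100
 route-target import 65001:100
!
ip vrf RED
 rd 65001:200
 route-target export 65001:200
 route-target import 65001:200
!
interface GigabitEthernet0/0.10
 ip vrf forwarding BLUE
!
interface GigabitEthernet0/0.50
 ip vrf forwarding RED
"""
# R6 uses the same VRFs on its own subinterfaces (Gi0/1.20 and Gi0/1.100).
R6_CONFIG = R1_CONFIG.replace("0/0.10", "0/1.20").replace("0/0.50", "0/1.100")


def parse_pe(config):
    """Return ({vrf: {"rd", "import", "export"}}, {interface: vrf name})."""
    vrfs, bindings = {}, {}
    vrf = iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"ip vrf (\S+)", line):
            vrf = vrfs.setdefault(m[1], {"rd": None, "import": set(), "export": set()})
            iface = None
        elif m := re.fullmatch(r"interface (\S+)", line):
            vrf, iface = None, m[1]
        elif vrf is not None and (m := re.fullmatch(r"rd (\S+)", line)):
            vrf["rd"] = m[1]
        elif vrf is not None and (
            m := re.fullmatch(r"route-target (import|export|both) (\S+)", line)
        ):
            for direction in ("import", "export") if m[1] == "both" else (m[1],):
                vrf[direction].add(m[2])
        elif iface and (m := re.fullmatch(r"ip vrf forwarding (\S+)", line)):
            bindings[iface] = m[1]
    return vrfs, bindings


def audit(pes):
    """pes maps router name to config text. Return a sorted list of findings."""
    parsed = {name: parse_pe(cfg) for name, cfg in pes.items()}
    findings = []
    exporters = {}   # route target -> names of VRFs exporting it on any PE
    for name, (vrfs, bindings) in parsed.items():
        for iface, bound in bindings.items():
            if bound not in vrfs:
                findings.append(f"{name} {iface}: bound to undefined VRF {bound}")
        for vrf_name, d in vrfs.items():
            for rt in d["export"]:
                exporters.setdefault(rt, set()).add(vrf_name)
    for name, (vrfs, _) in parsed.items():
        for vrf_name, d in vrfs.items():
            # Isolation: importing a target that a different VRF exports merges VPNs.
            for rt in sorted(d["import"]):
                foreign = sorted(exporters.get(rt, set()) - {vrf_name})
                if foreign:
                    findings.append(
                        f"{name} VRF {vrf_name}: imports {rt}, "
                        f"which VRF {'/'.join(foreign)} exports")
            # Reachability: each peer PE must export something this VRF imports.
            for peer, (peer_vrfs, _) in parsed.items():
                if peer == name or vrf_name not in peer_vrfs:
                    continue
                if not d["import"] & peer_vrfs[vrf_name]["export"]:
                    findings.append(
                        f"{name} VRF {vrf_name}: imports nothing that "
                        f"{peer} exports for {vrf_name}")
    return sorted(findings)


if __name__ == "__main__":
    print(audit({"R1": R1_CONFIG, "R6": R6_CONFIG}) or "no findings")
```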

This is a simple MP-BGP network with only two PE routers; additional PE routers would require a
full mesh of iBGP peering or configuration of route-reflectors to aid scalability. If you have
configured this correctly, as shown in Example 3-11, you have scored 4 points.
Example 3-11 MP-BGP Configuration

R1(config)# router bgp 65001
R1(config-router)# no synchronization
R1(config-router)# no auto-summary
R1(config-router)# neighbor 120.100.6.1 remote-as 65001
R1(config-router)# neighbor 120.100.6.1 update-source Loopback0
R1(config-router)# address-family vpnv4
R1(config-router-af)# neighbor 120.100.6.1 activate
R1(config-router-af)# neighbor 120.100.6.1 next-hop-self
R1(config-router-af)# neighbor 120.100.6.1 send-community both
R6(config)# router bgp 65001
R6(config-router)# no sync
R6(config-router)# no auto-summary
R6(config-router)# neighbor 120.100.1.1 remote-as 65001
R6(config-router)# neighbor 120.100.1.1 update-source Loopback0
R6(config-router)# address-family vpnv4
R6(config-router-af)# neighbor 120.100.1.1 activate
R6(config-router-af)# neighbor 120.100.1.1 next-hop-self
R6(config-router-af)# neighbor 120.100.1.1 send-community both

Section 4: EIGRP and MP-BGP (3 Points)
Configure EIGRP per Figure 3-9 between your PE router R6 and CE switch SW2. Use VLAN 20 for
EIGRP connectivity between R6 and SW2. Use an EIGRP virtual instance name of VPN on R6 and a
process number of 10 on SW2. Advertise all preconfigured loopback networks on SW2 to R6 for the
BLUE VPN. (1 point)
Until now, the questions have merely dealt with setting up the infrastructure for MPLS
connectivity. Now you are requested to advertise routes from your CE switch SW2 to PE router R6,
which will ultimately be advertised throughout the BLUE VPN to the remote PE router R1 and CE
switch SW1. You’ll realize that to peer successfully with EIGRP you would need to be operating
within the same autonomous system number, yet the question enforces you to run differing
autonomous system numbers. PE routers would normally connect to multiple customers, so it is
unreasonable to expect that each EIGRP domain should run the same autonomous system number.
Therefore, the autonomous system is assigned with the address-family vrf-specific command.
Example 3-12 details the EIGRP configuration and resulting neighbor relationship and route
propagation between R6 and SW2. If you have configured this correctly, as shown in Example 3-12,
you have scored 1 point.

0.0.20. Example 3-12 R6 and Switch 2 EIGRP Configuration and Verification Click here to view code image R6(config)# router eigrp VPN R6(config-router)# address-family ipv4 vrf BLUE autonomous-system 10 R6(config-router-af)# network 10.20 00:04:18 1 200 0 1 R6# R6# show ip route vrf BLUE eigrp 10.20 .255 Switch2(config-router)# network 10. D 10.10.0 0. D 10.2. GigabitEthernet0/1.2.10.3 Switch2(config)# ip routing Switch2(config)# router eigrp 10 Switch2(config-router)# no auto-summary Switch2(config-router)# network 10.4.20. GigabitEthernet0/1.20. The BLUE VRF has also been associated to the R6 subinterface previously.10.2.3.2.0.0.2. 2 masks 00:04:36.0 0.3.2.4.20.255 Switch2(config-router)# network 10.0.20.0.10.0.2.20 00:04:36. (ms) Cn 11 4 subnets.20. GigabitEthernet0/1.10.3 Switch2(config-router)# network 10.0.0.0 0.0 0.Note The IP addressing for VLAN 20 on SW2 and associated subinterfaces on R6 has previously been configured.2.0 0.0/24 [90/156160] via 10.0/8 is variably subnetted.0/24 [90/156160] via 10.0.20 00:04:36.2 Gi0/1.10.2.0/24 [90/156160] via 10.2.2. D 10.255 R6# show ip eigrp vrf BLUE neighbors IP-EIGRP neighbors for process 10 H Address Interface Uptime SRTT RTO Q Seq Hold (sec) t Num 0 10.0.0.

10 200 0 Cn (ms) Cn 13 1 R1# show ip eigrp vrf BLUE neighbors IP-EIGRP neighbors for process 10 H Address Interface Uptime SRTT RTO Q Seq Hold (sec) t Num (ms) .3.0 0.255 Switch1(config-router)# network 10. which will ultimately be advertised throughout the BLUE VPN to the remote PE router R6 and CE switch SW2.10.0. you have scored 1 point.0. If you have configured this correctly. Advertise all preconfigured loopback networks on SW1 to R1 for the BLUE VPN.0.0.2 00:00:24 1 R1# Gi0/0.0 0.10.0.2. as shown in Example 3-13. Example 3-13 details the EIGRP configuration and resulting neighbor relationship and route propagation between R1 and SW1.1.0.3 Switch1(config-router)# network 10.255 Switch1(config-router)# network 10. Configure EIGRP per Figure 3-9 between your PE router R1 and CE switch SW1. The BLUE VRF has also been associated to the R1 subinterface previously.0. Example 3-13 R1 and Switch 1 EIGRP Configuration and Verification Click here to view code image R1(config)# router eigrp VPN R1(config-router)# address-family ipv4 vrf BLUE autonomous-system 10 R1(config-router-af)# network 10.10.0.10.1.0 0.0.255 R1# show ip eigrp vrf BLUE neighbors IP-EIGRP neighbors for process 10 H Address Interface Uptime SRTT RTO Q Seq Hold (sec) t Num 0 10.1.10.0 0. Use an EIGRP virtual instance name of VPN on R1 and a process number of 10 on SW1.Note The IP addressing for VLAN 10 on SW1 and associated subinterfaces on R1 has previously been configured.10.0 0. Use VLAN10 for EIGRP connectivity between R1 and SW1. you are requested to advertise routes from your CE switch SW1 to PE router R1. (1 point) As per the previous question.0.1.3 Switch1(config)# ip routing Switch1(config)# router eigrp 10 Switch1(config-router)# no auto-summary Switch1(config-router)# network 10.

0.0. D 10.10.10.1.3.10 00:01:18.1. Ensure that all EIGRP routes have a MED of 50 assigned to them within MP-BGP. even though they have been redistributed via another routing protocol. In reality. 2 masks 00:01:18.10.10.0/8 is variably subnetted. Use a default metric of 10000 100 255 1 1500 for BGP routes when redistributed into EIGRP. GigabitEthernet0/0.2 Gi0/0. as shown in Example 3-14.0/24 [90/153856] via 10.2. Example 3-14 details the configuration required on the PE routers and resulting routes on the CE devices SW1 and SW2.10.10 00:01:18.10. The question dictates the metrics you should use. the metrics are not required because the extended community values of MP-BGP previously configured will effectively transport the internal metrics of EIGRP and ensure that the routes are shown as internal EIGRP routes at the remote location. D 10. you have scored 1 point.2.10.1. D 10. Example 3-14 PE and CE MP-BGP Redistribution Configuration and Verification Click here to view code image R1(config)# router eigrp VPN R1(config-router)# address-family ipv4 vrf BLUE autonomous-system 10 R1(config-router)# topology base R1(config-router-af-topology)# redistribute bgp 65001 metric 10000 100 255 1 1500 R1(config-router-af-topology)# router bgp 65001 R1(config-router)# address-family ipv4 vrf BLUE R1(config-router-af)# redistribute eigrp 10 metric 50 R6(config)# router eigrp VPN R6(config-router)# address-family ipv4 vrf BLUE autonomous-system 10 R6(config-router)# topology base R6(config-router-af-topology)# redistribute bgp 65001 metric 10000 100 255 1 1500 R6(config-router-af-topology)# router bgp 65001 R6(config-router)# address-family ipv4 vrf BLUE R6(config-router-af)# redistribute eigrp 10 metric 50 .2. EIGRP networks residing on SW1 should be seen as internal EIGRP routes on SW2 and vice versa. 
The question is just looking for accuracy and giving you the opportunity to view routes with the metrics and later without if you choose to.0/24 [90/153856] via 10.10 Configure your PE routers R1 and R6 to transport EIGRP routes from your CE devices between the BLUE VPN using MP-BGP.2.0 10. GigabitEthernet0/0.10. If you have configured this correctly. GigabitEthernet0/0.1. 13 4 subnets.0/24 [90/153856] via 10. (1 point) The full end-to-end VPN routing is achieved at this point by redistributing EIGRP into the appropriate address family for the VRF.10 00:00:24 1 200 0 1 R1# show ip route vrf BLUE eigrp 10.

0/24 120.10.1 Status codes: s suppressed.0.0/30 0.100. d damped. i internal.1.10. If you have configured this correctly. S Stale Origin codes: i . 00:32:05.20.4.10.2. it also details the MPLS forwarding table for the BLUE VRF.1.2 50 32768 ? *>i10. 00:33:07.1 50 100 0 ? *> 10.IGP.20.1 50 100 0 ? *>i10. Vlan20 D 10. h history.100. Vlan10 SW2# show ip route eigrp D 10.10.1.100.2.2.0/30 [90/28416] via 10.0/24 [90/156416] via 10. e .0/30 [90/26112] via 10.10. i internal.10. d damped.2. 00:32:05. e .2.20.2. Vlan10 D 10.10.0/24 [90/154112] via 10.2 50 32768 ? *> 10.20.1.1. 00:33:07. 00:32:05.10.0/24 10.20. as shown in Example 315. Notice the iBGP routes on the PE routers from the remote PE router with the MED of 50.1.0/24 [90/154112] via 10.SW1# show ip route eigrp D 10.10.10. > best.1.2.1.10. Vlan10 D 10.incomplete Network Next Hop Metric LocPrf Weight Path Route Distinguisher: 65001:100 (default for vrf BLUE) . Vlan20 D 10.100. 00:33:07.20.0/24 [90/154112] via 10.incomplete Network Next Hop Metric LocPrf Weight Path Route Distinguisher: 65001:100 (default for vrf BLUE) *>i10.1. Vlan20 Example 3-15 details the BGP routes received on the PE routers with the assigned MED value of 50.10.10. 00:33:07.1.10.1.3. r RIB-failure. * valid. r RIB-failure.1.1.10.EGP.4.2.EGP.1 0 100 0 ? *> 10.10.0 0 32768 ? R1# show ip bgp vpnv4 vrf BLUE BGP table version is 17. ? .0/30 120.0/24 10.10. h history.10.2.1.1.1.1.2 50 32768 ? *> 10.100.3.1.1.1 50 100 0 ? *>i10.10.0/24 120. * valid.0/24 120.10.10. these are the routes that are propagated to EIGRP CE devices.2.IGP.1.0/24 10.20.3.1.20.0/24 [90/156416] via 10.100.1 Status codes: s suppressed. local router ID is 120. local router ID is 120. Example 3-15 PE MP-BGP and MPLS Verification Click here to view code image R6# show ip bgp vpnv4 vrf BLUE BGP table version is 17.3.20. > best. S Stale Origin codes: i . Vlan20 D 10.0. you have scored 3 points.0/24 [90/156416] via 10. 00:32:05. Vlan10 D 10.6. ? .

20.1.6.0/24[V] 0 R6# show mpls forwarding-table vrf BLUE Local Outgoing Prefix Bytes tag tag tag or VC or Tunnel Id switched 26 Untagged 10.10.3.0/24[V] 0 29 Aggregate 10.2.10.0/24 *>i10. (2 points) You are requested to configure OSPF over your MPLS network between CE devices SW3 and SW4 via your PE routers R1 and R6. but in reality the routes would appear to have not been redistributed through another routing protocol by default. .10. Example 3-16 details the required configuration and verification.6. You are requested to permit only internal OSPF routes to be redistributed into BGP. You should be aware that OSPF will advertise these as host routes.2.2 Gi0/1. but the question states that this is acceptable behavior.10 10.0/24[V] 0 28 Untagged 10.0.3.1.3.0/30 10.20.10.10.4.100.4.2.2 Gi0/1.1.10.1 0.10 10. Use a process ID of 2 on PE router R6 and CE device SW4 using VLAN 100 for connectivity.1 120. This direction is actually a red herring for the next question when the routes at the CE devices appear as external routes when they should in fact be internal routes.10.1.2.3.0/24 *>i10.10.20.0/24 *>i10. as shown in Example 3-16.2 Section 5: OSPF and MP-BGP (6 Points) Configure OSPF per Figure 3-10 for your VRF RED with a process number of 3 on PE router R1 and SW3 using VLAN 50 for connectivity.10.0/24 *> 10.20 10.10.10.6.2.1.2.0/24[V] 0 28 Aggregate 10.10. you are requested to manipulate the redistribution of the IGP into BGP.20 10. If you have configured this correctly.0.10.2.1 50 50 50 50 50 50 100 100 100 0 0 R1# show mpls forwarding-table vrf BLUE Local Outgoing Prefix Bytes tag tag tag or VC or Tunnel Id switched 26 Untagged 10. You should permit only internal OSPF routes to be advertised across your VPN and ensure that the redistribution of BGP routes into OSPF are assigned as type 1 external routes with no manually adjusted cost associated with them. 
It is acceptable for these routes to come through as / 32 routes because of default OSPF behavior of loopback interfaces.1.2 Gi0/0.10.10.0/24[V] 0 27 Untagged 10.100. which is a simple match internal parameter on the redistribution configuration.2 10.0/30 *>i10.*> 10.10.10.10 10. Figure 3-10 indicates that all loopback interfaces are to be included in OSPF on both CE devices.0 120.10. you have scored 2 points.10.1 120.0/24 *> 10.0/30[V] 0 100 32768 ? 32768 ? 32768 ? 0 ? 0 ? 0 ? 32768 ? 0 ? Outgoing Next Hop interface Gi0/0.2 Outgoing Next Hop interface Gi0/1.6.20 10.100.1.2 10.1.2.2 120.20.10.2 Gi0/0.0/24[V] 0 27 Untagged 10.2.10.100.0/24 *> 10. As with the EIGRP question.20.2.0/30[V] 0 29 Untagged 10.

0. 00:02:32.0.50.44.46.0/32 is subnetted.1 [110/2] via GigabitEthernet0/0.0 0.255 area 1 SW4(config)# ip routing SW4(config)# router ospf 2 SW4(config-router)# network SW4(config-router)# network SW4(config-router)# network SW4(config-router)# network 130.2.33. .50 O IA 10. 00:04:48.35.3 area 0 10.44.0/32 is subnetted.0 0.0. 130.2.33. O IA 10.0.0.0.0. 00:04:48.Example 3-16 VRF RED OSPF Configuration and Verification Click here to view code image SW3(config)# ip routing SW3(config)# router ospf 3 SW3(config-router)# network SW3(config-router)# network SW3(config-router)# network SW3(config-router)# network 130.100.33.0.0 0.3 area 0 10.50 O IA 10.33.0.255 area 1 10.44.1 [110/2] via GigabitEthernet0/0.0 0.50.255 area 2 10.100.1 [110/2] via 130.0.255 area 2 10.2.50.45.1 [110/2] via 130.0.0.255 area 1 10.100.2.33.0 0.50.33. GigabitEthernet0/1.0 0.45.50.44.100 O IA 10.44.0. 6 subnets O IA 10.0.44.100.0.0.0 0.46.33.0 0.0.0.100.0 0.0.1 [110/2] via GigabitEthernet0/0.34.100.35.3 area 0 R1(config-router)# redistribute bgp 65001 subnets metric-type 1 R1(config-router)# router bgp 65001 R1(config-router)# address-family ipv4 vrf RED R1(config-router-af)# redistribute ospf 3 match internal R6(config)# router ospf 2 vrf RED R6(config-router)# net 130.0.33.0.3 area 0 R6(config-router)# redistribute bgp 65001 subnets metric-type 1 R6(config-router)# router bgp 65001 R6(config-router)# address-family ipv4 vrf RED R6(config-router-af)# redistribute ospf 2 match internal R1# show ip route vrf RED ospf Routing Table: RED 10.0. 00:04:48. 00:02:32.0.255 area 2 R1(config)# router ospf 3 vrf RED R1(config-router)# network 130.34.50.50.50 6 subnets 130.100.50.100. R6# show ip route vrf RED ospf Routing Table: RED 10.50.2.0 0.50. 130.0.

0. Vlan100 O E1 10.GigabitEthernet0/1. Configure your OSPF network appropriately to ensure that the routes are displayed correctly as IA routes. 00:02:32.0.1/32 [110/3] via 130.44. The RED VRF has also been associated to the R1 and R6 subinterfaces previously.45.100. (4 points) This is a tricky question and one that will really eat into your time (the kind of question that if the answer doesn’t jump out at you and the points don’t look appealing enough.44.1.100. Vlan100 O E1 10. 00:02:54. it’s one to park and come back to).50.1. You are permitted to configure only router R1.46.100. 00:03:37.50.1/32 [110/3] via 130.50.2.100.100.100 O IA 10. 1 subnets O E1 130.50.35.0/30 is subnetted.100. Vlan50 SW4# show ip route ospf 130.1 [110/2] via 130. 00:03:37. 00:03:37. Vlan50 O E1 10.0.1/32 [110/3] via 130.44. 00:02:54.33.44. As stated previously. it is only when these routes are advertised to the CE devices that the type 1 external route change occurs. Because you have your routes in place and following questions do not build from this one. Maintain the OSPF process IDs are previously directed.0/8 is variably subnetted.0.33. you will see that they are actually IA routes at this point. 00:06:08. 1 subnets O E1 130.1.34. 00:03:37.0 [110/2] via 130. GigabitEthernet0/1. Vlan100 Note The IP addressing for VLAN50 on SW3 and associated subinterface on R1 and VLAN 100 on SW4 and associated subinterface on R6 has previously been configured.0/8 is variably subnetted.0.50.100. You will notice that your OSPF IA (intra-area) routes between CE devices SW3 and SW4 appear as type 1 external routes.100.100 SW3# show ip route ospf 130.50.1.100. 00:02:55.1/32 [110/3] via 130. Example 3-17 VRF RED OSPF Routes Click here to view code image .0/30 is subnetted.50.0. the redistribution into type 1 is actually somewhat misleading.100. 2 masks O E1 10. Vlan50 O E1 10. 2 masks O E1 10.1.44.1.1/32 [110/3] via 130. 6 subnets. 
You are not permitted to adjust the OSPF redistribution into BGP as directed in the previous question. When you look at the routes in Example 3-17 for the PE routers. 6 subnets. you can confidently leave questions like this for later. So.100.100.33.33.50. Vlan50 10.1/32 [110/3] via 130.44.50.1. Vlan100 10.0 [110/2] via 130.50.100.50.1.

Vlan100 O E1 10. so if I did change the process ID.33. Vlan100 The clue is actually in the question “Maintain the OSPF process IDs as previously directed.1/32 [110/3] via 130.0/30 is subnetted.100.100 6 subnets 130. Because you are not permitted to change the process ID.100.1/32 [110/3] via 130.0. 130.100.33. 00:02:54. This is the same as the process ID. 00:06:08.34.100. 130.100. You might not have known that.100. . 00:04:48. 6 subnets.50. 00:03:37. 1 subnets O E1 130.1.50.100. you have scored 4 points.46.44. 00:02:32.50.1 [110/2] via GigabitEthernet0/0.44. Vlan50 10. Vlan100 O E1 10.1. Example 3-18 details the domain ID information on your PE routers.50. as shown in Example 3-18.46. 130.1/32 [110/3] via 130. 1 subnets O E1 130.100.0.0.33.50 O IA 10.50.2. Vlan50 O E1 10.2.44.100.2.44. 00:02:32.0. 2 masks O E1 10.45. 130. but it is the kind of thing that you gain through research and rack time.1/32 [110/3] via 130. If the process IDs differ on PE routers that form the VPN. 00:03:37.1.100 O IA 10.50. 00:02:55.33.33.45.0/8 is variably subnetted.100.50.100.50. “Okay.0.1. 6 subnets. SW3# show ip route ospf 130.44.0/8 is variably subnetted. Why would that do it.1.100.33. 00:03:37.0/32 is subnetted.50.0. O IA 10.50.0.0.44.0. 00:02:54.50.1/32 [110/3] via 130. 00:04:48.1 [110/2] via GigabitEthernet0/1. 00:02:32. 00:04:48.0. it would most likely work.35. you are left with only the option of changing the domain ID.2.1.44.1 [110/2] via GigabitEthernet0/1. the configuration required to change the domain ID on one of your PE’s Router R1.44.100. Vlan50 SW4# show ip route ospf 130. and how else can I achieve that?” OSPF has a domain ID by default.35.50.2. O IA 10.100.100.1. 2 masks O E1 10.1 [110/2] via GigabitEthernet0/0. Vlan100 10.0/32 is subnetted.1.100. If you have configured this correctly.50.100 O IA 10.50 6 subnets 130.1/32 [110/3] via 130.50. R6# show ip route vrf RED ospf Routing Table: RED 10. the LSA is changed to a type 5 and the routes become external. 
Vlan50 O E1 10.50. and the resulting IA routes received on your CE devices.50.33.1 [110/2] via GigabitEthernet0/1.0/30 is subnetted.2.34.0 [110/2] via 130.1 [110/2] via GigabitEthernet0/0.100.50.0 [110/2] via 130.50 O IA 10.” Statements such as this should make you think.33.R1# show ip route vrf RED ospf Routing Table: RED 10. 00:03:37.

100.50.1/32 [110/3] via 130. 00:00:07.45.44.33.44.44.0/24 originates from a loopback interface on Switch 4.1. Both Switch 1 and Switch 4 should receive the following routes: SW1# show ip route | include 10.1. value 0.44.0 [110/2] via 130.0. 00:00:07.35.50.0/8 is variably subnetted.50.0.1.44.100.44.1. leak 10.0. Vlan50 SW3# SW4# show ip route ospf 130.44.44.1.50.1/32 [110/3] via 130.1/32 [110/3] via 130.0/30 is subnetted. Vlan50 O IA 10.50.0.0/24 from VRF RED into VRF BLUE on R6.1.50. so OSPF must be .0. Vlan100 O IA 10.44.1.100.100.100. 6 subnets.0/30 is subnetted.100. Vlan50 O IA 10.1/32 [110/3] via 130.1/32 [110/3] via 130. Vlan100 10.50.Example 3-18 Domain ID Configuration and OSPF Route Verification Click here to view code image R1# show ip ospf 3 | include Domain Domain ID type 0x0005.34. Vlan100 O IA 10.0. 00:00:09.10.44. Vlan100 SW4# Verify your configuration by pinging from VRF RED SW4 10. 00:03:04.100.1. Similarly. 1 subnets O IA 130.0/24 [170/XXXXXX] via 10.1. 00:00:07.1.1.0.1.0 D EX 10.0. 00:00:07.0/24 from SW1 VRF BLUE on PE R1 into the VRF RED on PE1.0. Vlan10 SW1# SW4# show ip route | include 10.44.0 O E1 10.100.44.1.2 R1(config)# router ospf 3 vrf RED R1(config-router)# domain-id 0. 00:00:09.1. 2 masks O IA 10.33.1 to VRF BLUE SW1 10.33. 00:00:09.0. 00:00:27. (5 points) This is a straightforward VRF export question with a slight twist for the attentive in that the OSPF route 10. 6 subnets. 1 subnets O IA 130.1.0.44.50.0/8 is variably subnetted.3 R6# show ip ospf 2 | include Domain Domain ID type 0x0005. 2 masks O IA 10.2 SW3# show ip route ospf 130.0/24 [110/XX] via 130.100.33.1 SW1.0 [110/2] via 130.100.1.100.100. Vlan100 Section 6: MPLS (7 Points) Leak network 10. value 0.50.1.44.1/32 [110/3] via 130. Vlan50 10.46.50.100.0.50.10.1. 00:00:09.

The route leaking is achieved by creation of export maps on the PE routers R1 and R6.44.0.1.50. and the CE device SW4.0. If you have configured this correctly.1.0.0.6.45.0 0. > best.1.6.44. you have scored 5 points.1.EGP.100.1/32 120. e .manipulated to treat this interface as a point-to-point network to advertise the /24 mask. h history. d damped.33.0.1 2 100 0 ? *>i10.33.1/32 120.44.50.1. R6.46.44.50.44. Example 3-19 details the required configuration on PE routers R1.0.incomplete Network Next Hop Metric LocPrf Weight Path Route Distinguisher: 65001:200 (default for vrf RED) *> 10.33.100.6.50.50.44. * valid.35.1/32 130. Example 3-19 Selective VRF Export Configuration and Verification Click here to view code image Sw4(config)# interface Loopback0 Sw4(config-if)# ip ospf network point-to-point R1(config)# ip vrf BLUE R1(config-vrf)# export map SW1 R1(config-vrf)# access-list 10 permit 10.255 R6(config-vrf)# exit R6(config)# route-map SW4 permit 10 R6(config-route-map)# match ip address 10 R6(config-route-map)# set extcommunity rt 65001:100 additive ! R1 is now sending 10.1/32 120.255 R1(config-vrf)# exit R1(config)# route-map SW1 permit 10 R1(config-route-map)# match ip address 10 R1(config-route-map)# set extcommunity rt 65001:200 additive R6(config)# ip vrf RED R6(config-vrf)# export map SW4 R6(config-vrf)# access-list 10 permit 10.1 Status codes: s suppressed. permitting the required routes from each VRF to the existing BLUE and RED VRF advertisements by adding them to the appropriate route target (RT) within MP-BGP by use of the set extcommunity rt XXXXX:XXX additive command.1 2 100 0 ? *> 130. the resulting verification of the route advertisements and testing are also shown.2 2 32768 ? *> 10.1/32 130. S Stale Origin codes: i . local router ID is 120.100.IGP.0/30 0.0 into VRF RED and R6 10.33.0 into VRF BLUE R1# show ip bgp vpnv4 vrf RED BGP table version is 33.50. ? .50. as shown in Example 3-19.44.1 2 100 0 ? *>i10. i internal.34.50.44.100.0 0.2 2 32768 ? 
*>i10.2 2 32768 ? *> 10.1/32 130. r RIB-failure.0 0 32768 ? .

2 50 32768 ? *>i10. change the loopback interface on Sw4 to a point-to-point for OSPF to advertise it correctly SW4(config)# interface lo0 SW4(config-if)# ip ospf network point-to-point R6# show ip bgp vpnv4 vrf BLUE | include 10.10. local router ID is 120.3.6.EGP.10.34. * valid.46.1 50 100 0 ? *>i10.1 0 100 0 ? ! No sign of the 10.44. local router ID is 120.1.1.2.100.0 route.1.0.100.2 2 32768 ? *> 10.1.44. > best.1. d damped.IGP.1 2 100 0 ? *>i10.4.20.44.1 50 100 0 ? *> 10.100.0/24 130.2 50 32768 ? *> 10.44.44. r RIB-failure.100.0/24 120.6.100.100.50.50.20.1 50 100 0 ? *>i10.100.0/30 120.44.6. r RIB-failure.2.100.50.1.1 0 100 0 ? *> 10.0.50.33.6.6. i internal.100.44.100.45.33. e .33.1/32 120.44.2.1.0/24 120.1 Status codes: s suppressed. > best.0/30 120.100.100.0/30 120.2 2 32768 ? *> 10. d damped.2 50 32768 ? *> 10.2 2 32768 ? .50.100.1. clear the BGP session to kick start the export map R1# clear ip bgp * R1# show ip bgp vpnv4 vrf RED BGP table version is 34.100.EGP.0/24 120.2 50 32768 ? *> 10.0/24 10.50.1 2 100 0 ? *> 130.1/32 130.2.100.2.0 route is actually listed as a host route.0/24 10.20.IGP.1/32 130.1/32 120.*>i130.2 2 32768 ? ! Notice the 10.2 2 32768 ? *>i10.44.incomplete Network Next Hop Metric LocPrf Weight Path Route Distinguisher: 65001:200 (default for vrf RED) *> 10.44.10.6.35.1/32 120.10.44.10.100.100. * valid.0.1. i internal.10. S Stale Origin codes: i .0 0 32768 ? *>i130.0/30 0.1 2 100 0 ? *>i10.0 0 32768 ? *> 10.3.1/32 130.0 *> 10.0/24 10.10.44. h history.10.1 0 100 0 ? R6# show ip bgp vpnv4 vrf BLUE BGP table version is 35. e .50.1.1. ? .0.1. ? .1 Status codes: s suppressed.50.1.33.0/24 10.incomplete Network Next Hop Metric LocPrf Weight Path Route Distinguisher: 65001:100 (default for vrf BLUE) *>i10.1/32 130.20.0/30 0.100.100. S Stale Origin codes: i . h history.

44.2 130.10.2.1.1.44.44.10.1/32[V] 0 Outgoing Next Hop interface Gi0/0. Timestamp.2.33.0/30[V] 0 37 Untagged 10.44. Sending 5.33.2.44.50.50 Gi0/0.50. round-trip min/avg/max = 8/9/12 ms R1# show mpls forwarding-table vrf BLUE Local Outgoing Prefix Bytes tag tag tag or VC or Tunnel Id switched 34 Untagged 10.50 130.0/24[V] 590 R1# show mpls forwarding-table vrf RED Local Outgoing Prefix Bytes tag tag tag or VC or Tunnel Id switched 38 Aggregate 130.1 !!!!! Success rate is 100 percent (5/5). Vlan100 ! Now test with an extended ping to ensure that the loopback interface is used as the source SW1# ping Protocol [ip]: Target IP address: 10.10.1.50.50 Gi0/0.33.10 10.2 Outgoing interface Next Hop Gi0/0.1.10 10. Verbose[none]: Sweep range of sizes [n]: Type escape sequence to abort.1.44.1.2 .20.0/24 [170/281856] via 10.1. Vlan10 Switch1# SW4# show ip route | include 10.1/32[V] 0 41 Untagged 10. 00:00:51. 100-byte ICMP Echos to 10. 00:02:45.1.0/24 [110/51] via 130.10.50.10.2 35 Untagged 10.2 130.35.44.0/24[V] 0 .1 Type of service [0]: Set DF bit in IP header? [no]: Validate reply data? [no]: Data pattern [0xABCD]: Loose. Record.50. Strict.33.2 36 Aggregate 10.0 D EX 10.1.10.10 10.3.1.0/24[V] 0 Outgoing Next Hop interface Gi0/1.0/30[V] 0 39 Untagged 10.50.1 Repeat count [5]: Datagram size [100]: Timeout in seconds [2]: Extended commands [n]: y Source address or interface: 10.10.44.1.1. timeout is 2 seconds: Packet sent with a source address of 10.50.10 Gi0/0.20 10.0/24[V] 0 .Switch1# show ip route | include 10.1.50.10 Gi0/0.1.10.2 ! Note the Routes are not leaked within the MPLS forwarding-table R6# show mpls forwarding-table vrf BLUE Local Outgoing Prefix Bytes tag tag tag or VC or Tunnel Id switched 34 Untagged 10.34.10.1/32[V] 0 40 Untagged 10.100.0 O E1 10.1.100.

1 1 2 3 4 5 10.44.25.100 130.44. (2 points) By default.20.100 130.10. the MPLS network will be shown when a traceroute is performed.100 .1 Type escape sequence to abort.2 12 msec 12 msec 16 msec 120.20.2.3. Example 3-20 shows the default behavior and modified behavior after configuration from a traceroute command issued on CE device SW1.45.100 .20 Gi0/1.2 ! Note the Routes are not leaked within the MPLS forwarding-table Configure your PE routers R1 and R6 to ensure that the MPLS P routers are not listed as intermediate hops when a trace route is performed on your CE devices.44.2 42 Untagged 10.2.100.2.100 130.0/24[V] 10.20.1/32[V] 0 Gi0/1.100.46. Tracing the route to 10.20.4.2 0 R6# show mpls forwarding-table vrf RED Local Outgoing Prefix Bytes tag Outgoing Next Hop tag tag or VC or Tunnel Id switched interface 38 Aggregate 130.5 8 msec 12 msec 8 msec 10.10.10.100.2.123.10. with the no mpls ip propagate-ttl global command within your PE routers.1 Type escape sequence to abort.1 0 msec 0 msec 0 msec 120.2 8 msec * 4 msec R1(config)# no mpls ip propagate-ttl R6(config)# no mpls ip propagate-ttl SW1# traceroute 10.44.1 4 msec 0 msec 0 msec .2.2. as shown in Example 3-20.0/30[V] 0 39 Untagged 10.10.10.2 40 Untagged 10. so that only PE routers are shown as next hops.35 36 37 Untagged Untagged Aggregate 10.2.10.1 1 10.0/24[V] 1534 Gi0/1. If you have configured this correctly.100. Tracing the route to 10.0/24[V] 10.2. you have scored 2 points. Example 3-20 MPLS Traceroute Configuration and Testing Click here to view code image SW1# traceroute 10.100.20.100.1/32[V] 0 Gi0/1.1 8 msec 8 msec 8 msec 10.2 10.10.100.2.20 10. This can be changed.100.2.10.0/30[V] 0 0 Gi0/1.

1 200 pw-class PW-CLASS .1.100.10.100. You should use existing loopback interfaces on your PE routers for peering over your MPLS network. L2TPv3 is not covered in the current blueprint.20.1/24 and SW4 Fast Ethernet 0/19 1. which in the example matches the subinterface number of the specific PE router.1. but the simple solution is included here to create a switching issue that will enable you to hone your troubleshooting skills in this area and apply a relevant solution based on your findings.0/24 in a previous question.2/24) to communicate using a Layer 2 tunneling solution (use Version 3) across your Layer 3 network.1. Create an L2TPv3 Xconnect attachment circuit on your PE routers R1 and R6 for your CE devices (SW3 Fast Ethernet 0/19 1. The xconnect subinterface command binds the local PE interface to the remote PE loopback with a VC ID (virtual channel ID).20.200 R1(config-subif)# xconnect 120.1.1.10.1 12 msec 8 msec 12 msec 3 10. (You could have used any ID here.1 200 pw-class PW-CLASS R6(config)# pseudowire-class PW-CLASS R6(config-pw-class)# encapsulation l2tpv3 R6(config-pw-class)# protocol l2tpv3 R6(config-pw-class)# ip local interface Loopback0 R6(config-pw-class)# interface GigabitEthernet0/1.6. Strictly speaking.) Note that Cisco Express Forwarding (CEF) must be enabled for the L2TPv3 feature to function correctly. Example 3-21 details the required PE configuration on routers R1 and R2.2 4 msec * 4 msec Section 7: VPLS Simulation (10 Points) Switches 3 and 4 will have been configured to belong to the subnet of 1. SW3 and SW4 will use a pseudowire to communicate over the IP network and logically will connect in the same Layer 2 domain. Example 3-21 PE L2TPv3 Configuration Click here to view code image R1(config)# pseudowire-class PW-CLASS R1(config-pw-class)# encapsulation l2tpv3 R1(config-pw-class)# protocol l2tpv3 R1(config-pw-class)# ip local interface Loopback0 R1(config-pw-class)# interface GigabitEthernet0/0.1. 
The pseudowire class PW-CLASS configures the encapsulation to L2TPv3 and sets the loopback interfaces of the PE routers to be used for peering.400 R6(config-subif)# xconnect 120.1. (10 points) This question simulates VPLS and requires that L2TPv3 (Layer 2 Tunneling Protocol Version 3) is configured between your PE routers connecting the two subinterfaces that connect to SW3 and SW4 interfaces via SW1 and SW4 (VLAN 200 and VLAN 400. Be aware that the SW3 resides in VLAN 200 and that SW4 resides in VLAN 400 in respective PE router subinterfaces. respectively).2 10.

Example 3-22 shows the successful L2TPv3 session established between PE R1 to PE R6, yet the ping test from SW3 to 1.1.1.2 fails. As the session is up, you can safely assume that there is a connectivity type issue between either SW3 and PE R1 or SW4 and PE R6, or possibly between both connections. The question does bring your attention to the fact that both CE devices reside in different VLANs, so this should give you a starting point in your investigation. Closer inspection reveals that spanning tree has actually blocked ports on SW1 and SW2 from PE routers R1 and R6, respectively, even though you have previously allowed the local VLAN 200 and 400 through the trunk on PE routers R1 and R6. When logging is enabled on SW1 and SW2 (these CE devices bring SW3 and SW4 Fast Ethernet 0/19 interfaces into VLAN 200 and VLAN 400, respectively), you can see spanning-tree inconsistencies exist between VLAN 200 being “bridged” to VLAN 400 via your L2TPv3 solution. The problem is actually resolved by enabling BPDU filtering on SW1 with the spanning-tree bpdufilter enable command on the trunk interface toward the PE router R1. Enabling BPDU filtering on an interface is equivalent to disabling the spanning tree on an interface; it is possible to create bridging loops if this command is not correctly used. If you have configured this correctly, per Examples 3-22 and 3-23, you have scored 10 points.

Example 3-22 PE and CE L2TPv3 Verification Testing and Configuration

R1# show l2tp session
L2TP Session Information Total tunnels 1 sessions 1

LocID      RemID      Remote Name   State  Remote Address  Port  Sessions L2TP Class/
                                                                          VPDN Group
51446      36190      R6            est    120.100.6.1     0     1

LocID      RemID      TunID      Username, Intf/        State  Last Chg Uniq ID
                                 Vcid, Circuit
51003      9619       51446      200, Gi0/0.200:200     est    00:24:40 1

R6# show l2t session
L2TP Tunnel and Session Information Total tunnels 1 sessions 1

LocID      RemID      Remote Name   State  Remote Address  Port  Sessions L2TP Class/
                                                                          VPDN Group
36190      51446      R1            est    120.100.1.1     0     1

LocID      RemID      TunID      Username, Intf/        State  Last Chg Uniq ID
                                 Vcid, Circuit

..1. SW2# show spanning-tree blockedports Name -------------------VLAN0200 VLAN0400 Blocked Interfaces List -----------------------------------Fa0/6 Fa0/6 Number of blocked ports (segments) in the system : 2 SW3# ping 1.. Inconsistent local vlan. Success rate is 0 percent (0/5) SW1# show spanning-tree blockedports .1. Inconsistent peer vlan.2 Type escape sequence to abort..1.. 03:22:21: %SPANTREE-2-BLOCK_PVID_PEER: Blocking fastethernet0/6 on VLAN0200. !Make sure you are logging on your CE devices SW1(config)# logging console SW1# 03:22:19: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 400 on fastethernet0/1 VLAN200. timeout is 2 seconds: ..2. Sending 5.2.1.9619 1 51003 36190 Vcid.2 Type escape sequence to abort.-----------------------------------VLAN0200 Fa0/1 Number of blocked ports (segments) in the system : 1 SW2#03:22:21: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 200 on fastethernet0/6 VLAN400. 03:22:19: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking fastethernet0/1 on VLAN0200..1. 100-byte ICMP Echos to 1. 100-byte ICMP Echos to 1..1. 200. SW1# show spanning-tree blockedports Name Blocked Interfaces List -------------------. timeout is 2 seconds: .1. Gi0/1.400:400 est Circuit 00:25:26 SW3# ping 1.1. Sending 5.
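The %SPANTREE-2 messages in Example 3-22 are the only evidence that VLAN 200 is being bridged to VLAN 400, and filtering BPDUs on the port removes that evidence along with the block. As an added example (not part of the original lab), the Python below parses those log lines and reports the VLAN mismatches, the ports still blocked, and the ports whose consistency was restored and therefore merit a check of why; the switch-name prefix on each sample line and the function names are assumptions made here.

```python
import re
from collections import defaultdict

# Messages as shown in Example 3-22. The leading switch name is constructed
# here so that one log stream can carry both CE switches.
SAMPLE_LOG = """\
SW1 03:22:19: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 400 on fastethernet0/1 VLAN200.
SW1 03:22:19: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking fastethernet0/1 on VLAN0200. Inconsistent local vlan.
SW2 03:22:21: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 200 on fastethernet0/6 VLAN400.
SW2 03:22:21: %SPANTREE-2-BLOCK_PVID_PEER: Blocking fastethernet0/6 on VLAN0200. Inconsistent peer vlan.
SW1 03:33:57: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking fastethernet0/1 on VLAN0200. Port consistency restored.
"""

# <switch> <hh:mm:ss>: %SPANTREE-2-<EVENT>: <text>
LINE = re.compile(
    r"^(?P<switch>\S+)\s+(?P<time>\d\d:\d\d:\d\d):\s+"
    r"%SPANTREE-2-(?P<event>[A-Z_]+):\s+(?P<text>.*)$"
)
# "... inconsistent peer vlan id 400 on fastethernet0/1 VLAN200."
RECV = re.compile(
    r"inconsistent peer vlan id (?P<peer>\d+) on (?P<port>\S+) VLAN0*(?P<local>\d+)"
)
# Matches both "Blocking <port> on VLAN0200" and "Unblocking <port> on VLAN0200".
PORT_VLAN = re.compile(r"locking (?P<port>\S+) on VLAN0*(?P<vlan>\d+)")


def analyse(log_text):
    """Summarise PVID-inconsistency events found in switch log text."""
    mismatches = []               # (switch, port, local_vlan, peer_vlan)
    blocked = defaultdict(set)    # (switch, port) -> VLANs currently blocked
    restored = []                 # (switch, port, vlan) unblocked again
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m is None:
            continue              # not a %SPANTREE-2 message
        switch, event, text = m["switch"], m["event"], m["text"]
        if event == "RECV_PVID_ERR":
            r = RECV.search(text)
            if r:
                mismatches.append(
                    (switch, r["port"], int(r["local"]), int(r["peer"]))
                )
        elif event in ("BLOCK_PVID_LOCAL", "BLOCK_PVID_PEER"):
            b = PORT_VLAN.search(text)
            if b:
                blocked[(switch, b["port"])].add(int(b["vlan"]))
        elif event == "UNBLOCK_CONSIST_PORT":
            b = PORT_VLAN.search(text)
            if b:
                blocked[(switch, b["port"])].discard(int(b["vlan"]))
                restored.append((switch, b["port"], int(b["vlan"])))
    still_blocked = {k: sorted(v) for k, v in blocked.items() if v}
    return {
        "mismatches": mismatches,
        "still_blocked": still_blocked,
        "restored": restored,
    }


def needs_review(report):
    """Ports that reported a VLAN mismatch and were later unblocked.

    The log cannot say whether the VLANs were aligned or BPDUs are now being
    filtered (the lab does the latter), so these ports are listed for a
    manual check of the interface configuration.
    """
    had_mismatch = {(sw, port) for sw, port, _, _ in report["mismatches"]}
    seen = []
    for sw, port, _ in report["restored"]:
        if (sw, port) in had_mismatch and (sw, port) not in seen:
            seen.append((sw, port))
    return seen


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for sw, port, local, peer in result["mismatches"]:
        print(f"{sw} {port}: local VLAN {local} receives BPDUs tagged for VLAN {peer}")
    print("still blocked:", result["still_blocked"])
    print("review:", needs_review(result))
```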

Name                 Blocked Interfaces List
-------------------- ------------------------------------
VLAN0200             Fa0/1
Number of blocked ports (segments) in the system : 1

SW1(config)# int fast 0/1
SW1(config-if)# spanning-tree bpdufilter enable
SW1(config-if)#03:33:57: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking fastethernet0/1 on VLAN0200. Port consistency restored.

SW3# ping 1.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/12/17 ms

Section 8: Multicast (10 Points)

Configure your MPLS network for multicast support of the RED VRF using PIM sparse mode. PE routers R1 and R6 should be configured to tunnel multicast traffic using an MDT address of 232.0.0.11 from CE device Switch 3 VLAN 50 to CE device SW4 VLAN 100 over the RED VRF. PIM sparse mode is required in your solution and should be enabled on all P router MPLS interfaces and P-facing PE router MPLS interfaces. It can be assumed that the mVRF bandwidth requirement is low; configure MDT appropriately. Ensure that PE router R6’s associated VLAN 100 IP address is used as the rendezvous point (RP) for the RED VRF multicast traffic. Switch 4 should be configured to reply to an ICMP ping on its VLAN 100 interface directed to 226.2.2.2 from Switch 3 VLAN 50. (10 points)

Multicast support for MPLS VPNs is provided by configuring multicast routing within the core network. Don’t forget that multicast routing is enabled on the CE switches with the command ip multicast-routing distributed and on the routers with ip multicast-routing. Source Specific Multicast (SSM) is enabled on all MPLS routers with the command ip pim ssm default to allow transport of multicast information between all P and PE routers. As directed, PIM sparse mode is also configured on the CE interfaces on VLAN 50 and VLAN 100 on Switches 3 and 4, respectively, and corresponding PE terminating interfaces on the PE routers R1 and R6. PIM sparse mode is finally configured on the loopback interfaces of the PE routers R1 and R6 because Multicast Distribution Tree (MDT) will tunnel between these interfaces. The mdt default group-address is configured to 232.0.0.11 on PE routers R1 and R6 within the RED VRF. The question states that the mVRF (multicast VRF) bandwidth requirement is low, which simply means that a Data MDT is not required in this solution. (These are used for high-bandwidth sources and limit the traffic received to the routers’ part of the multicast tree.) You should also realize that a Data MDT is not required because there was no mention of threshold values or access-lists within the question, which are required for Data MDT configurations.

The address of 130.100.100.1 (R6 VRF RED) is used as the RP for the mVRF, and this is configured on both CE (Switch 3 and Switch 4) devices and both PE routers (R1 and R6) within the RED VRF. CE device Switch 4 is finally configured with ip igmp join-group 226.2.2.2 under its VLAN 100 interface for it to reply to a multicast ping from CE device Switch 3 over the MPLS VPN. The question is comprehensive as to the number of items that require configuration, and it would be an easy mistake to miss tasks such as enabling PIM on the PE loopback interfaces, where you might not immediately assume that it is required. As with all questions, testing is key. Example 3-23 details the required configuration for the solution.

Example 3-23 Multicast Configuration

! Initial Multicast Setup for the MPLS Core Routers
R1(config)# ip multicast-routing
R1(config-vrf)# interface Loopback0
R1(config-if)# ip pim sparse-mode
R1(config-if)# interface GigabitEthernet0/1
R1(config-if)# ip pim sparse-mode
R2(config)# ip multicast-routing
R2(config)# interface fastethernet0/0
R2(config-if)# ip pim sparse-mode
R2(config-if)# interface fastethernet0/1
R2(config-if)# ip pim sparse-mode
R3(config)# ip multicast-routing
R3(config)# interface GigabitEthernet0/0
R3(config-if)# ip pim sparse-mode
R3(config-if)# interface GigabitEthernet0/1
R3(config-if)# ip pim sparse-mode
R4(config)# ip multicast-routing
R4(config)# interface GigabitEthernet0/0
R4(config-if)# ip pim sparse-mode
R4(config-if)# interface GigabitEthernet0/1
R4(config-if)# ip pim sparse-mode
R5(config)# ip multicast-routing
R5(config)# interface GigabitEthernet0/0
R5(config-if)# ip pim sparse-mode
R5(config-if)# interface GigabitEthernet0/1
R5(config-if)# ip pim sparse-mode
R6(config)# ip multicast-routing
R6(config)# interface Loopback0
R6(config-if)# ip pim sparse-mode
R6(config)# interface GigabitEthernet0/0

R6(config-if)# ip pim sparse-mode
! PE Specific mVRF and MDT Configuration
R1(config)# ip multicast-routing vrf RED
R1(config)# ip vrf RED
R1(config-vrf)# mdt default 232.0.0.11
R1(config-vrf)# interface GigabitEthernet0/0.50
R1(config-subif)# ip pim sparse-mode
R1(config-subif)# exit
R1(config)# ip pim vrf RED rp-address 130.100.100.1
R1(config)# ip pim ssm default
R6(config)# ip vrf RED
R6(config-vrf)# mdt default 232.0.0.11
R6(config-vrf)# interface GigabitEthernet0/1.100
R6(config-subif)# ip pim sparse-mode
R6(config-subif)# exit
R6(config)# ip pim vrf RED rp-address 130.100.100.1
R6(config)# ip pim ssm default
! CE Specific Configuration
SW3(config)# ip multicast-routing distributed
SW3(config)# int vlan 50
SW3(config-if)# ip pim sparse-mode
SW3(config-if)# exit
SW3(config)# ip pim rp-address 130.100.100.1
SW4(config)# ip multicast-routing distributed
SW4(config)# interface vlan 100
SW4(config-if)# ip pim sparse-mode
SW4(config-if)# ip igmp join-group 226.2.2.2
SW4(config-if)# exit
SW4(config)# ip pim rp-address 130.100.100.1

Example 3-24 details the testing for the solution; the MDT tunnel is detailed and shown as an interface used for PIM adjacency between the PE routers. If you have configured your solution per Example 3-24 and can successfully ping between Switch 3 and Switch 4, you have scored 10 points.

Example 3-24 Multicast Testing

R6# show ip pim vrf RED neigh
PIM Neighbor Table
Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
      S - State Refresh Capable

2.2.2.2 Type escape sequence to abort.100. timeout is 2 seconds: Reply to request 0 from 130.1 Next 120.100.1.1 R6# show ip pim mdt bgp Peer (Route Distinguisher + IPv4) Hop MDT group 232.2.11 2:65001:200:120. Sending 1.2.100. Next 120. 12 ms SW3# ping 226.6.Neighbor Ver DR Address Prio/Mode 130.0.2.11 2:65001:200:120.100.40.1. expires never R1# show ip pim mdt bgp Peer (Route Distinguisher + IPv4) Hop MDT group 232. RP: 130. RP: 130. v2.2 Type escape sequence to abort. Sending 1.2. Make sure that your loopback IPv6 addresses are used to source any locally generated IPv6 traffic.2.1.100.0. uptime 00:00:37.2. uptime 01:01:24.1.100 Uptime/Expires 00:02:08/00:01:34 v2 Tunnel1 1 / 00:00:05/00:01:39 R1# ping vrf RED 226.1 100. Section 9: IPv6 (6 Points) Configure the following IPv6 address on the PE routers R1 and R6.0. 9 ms SW3# show ip pim rp Group: 226. 100-byte ICMP Echos to 226. v2.2. (6 points) R1 Lo0 2010:C15:C0:1::1/64 R1 Gi0/0.100. timeout is 2 seconds: Reply to request 0 from 130.1.100.0.1 100.100.2. expires never Group: 224.2.2.10 2010:C15:C0:11::1/64 R6 Lo0 2010:C15:C0:6::1/64 .100. and implement IPv6 over MPLS between the six PE routers to advertise the prefixes between six PEs.1.2 DR S 120.2.100.1 v2 1 / S Interface GigabitEthernet0/1.6.100.2. 100-byte ICMP Echos to 226.100.100.0.

R6 Gi0/1.20 2010:C15:C0:62::1/64

In this relatively straightforward IPv6 question, you must deal with no IPv6 redistribution or complex issues. IPv6 over MPLS backbones enables isolated IPv6 domains to communicate with each other over an MPLS IPv4 core network. You would usually extend this IPv6 domain into your CE devices. The question directs you to configure IPv6 onto your VRF BLUE interfaces of the PE routers, and IPv6 routing and IPv6 CEF must be enabled on your PE routers. MP-BGP is used to advertise the IPv6 prefixes between PE routers, and the configuration is nearly identical to that of IPv4. To ensure that the loopback IPv6 addresses of the PE routers are used to source locally generated IPv6 traffic, the PE routers are configured with mpls ipv6 source-interface Loopback0. Connected IPV6 routes are redistributed using BGP with the network command under the IPv6 address family. Aggregate label binding and advertisement is enabled for IPv6 prefixes using the neighbor send-label command. If you have configured your routers correctly, per Example 3-25, you have scored 6 points.

Example 3-25 PE IPv6 Configuration and Verification

R1(config)# ipv6 unicast-routing
R1(config)# ipv6 cef
R1(config)# mpls ipv6 source-interface Loopback0
R1(config)# interface loopback0
R1(config-if)# ipv6 add 2010:C15:C0:1::1/64
R1(config-if)# interface GigabitEthernet0/0.10
R1(config-subif)# ipv6 address 2010:C15:C0:11::1/64
R1(config-subif)# router bgp 65001
R1(config-router)# no bgp default ipv4-unicast
R1(config-router)# address-family ipv6
R1(config-router-af)# neighbor 120.100.6.1 activate
R1(config-router-af)# neighbor 120.100.6.1 send-label
R1(config-router-af)# network 2010:C15:C0:11::0/64
R1(config-router-af)# network 2010:C15:C0:1::/64
R1(config-router-af)# exit-address-family
R6(config)# ipv6 unicast-routing
R6(config)# ipv6 cef
R6(config)# mpls ipv6 source-interface Loopback0
R6(config)# interface loopback0
R6(config-if)# ipv6 add 2010:C15:C0:6::1/64
R6(config-if)# interface GigabitEthernet0/1.20
R6(config-subif)# ipv6 address 2010:C15:C0:62::1/64
R6(config-subif)# router bgp 65001
R6(config-router)# no bgp default ipv4-unicast
R6(config-router)# address-family ipv6
R6(config-router-af)# neighbor 120.100.1.1 activate
R6(config-router-af)# neighbor 120.100.1.1 send-label
R6(config-router-af)# network 2010:C15:C0:62::/64
R6(config-router-af)# network 2010:C15:C0:6::/64
R6(config-router-af)# exit-address-family

6. local router ID is 120.1 Metric LocPrf Weight Path 0 0 *> 2010:C15:C0:11::/64 :: *>i2010:C15:C0:62::/64 ::FFFF:120.EGP.1 Status codes: s suppressed. * valid.incomplete Network Next Hop *> 2010:C15:C0:1::/64 :: *>i2010:C15:C0:6::/64 ::FFFF:120. > best.1 0 0 *> 2010:C15:C0:62::/64 :: 100 0 0 i 32768 i 100 0 i 32768 i R1# ping ipv6 2010:C15:C0:62::1 Type escape sequence to abort. timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5).100. round-trip min/avg/max = 8/8/12 ms R6# ping ipv6 2010:C15:C0:11::1 . S Stale Origin codes: i . i internal.IGP.100. 100-byte ICMP Echos to 2010:C15:C0:62::1. S Stale Origin codes: i . r RIB-failure.100. round-trip min/avg/max = 8/8/12 ms R1# ping ipv6 2010:C15:C0:6::1 Type escape sequence to abort. Sending 5. local router ID is 120. h history. 100-byte ICMP Echos to 2010:C15:C0:6::1. e . * valid.1 Status codes: s suppressed.1. d damped.incomplete Network Next Hop *>i2010:C15:C0:1::/64 ::FFFF:120. ? .1 32768 i 100 0 0 0 i 32768 i 100 0 i R6# show ip bgp ipv6 unicast BGP table version is 5. ? .100. Sending 5.1 Metric LocPrf Weight Path 0 *> 2010:C15:C0:6::/64 :: *>i2010:C15:C0:11::/64 ::FFFF:120.1. d damped.100. > best.IGP.6. r RIB-failure.R1# show ip bgp ipv6 unicast BGP table version is 5.1. i internal. e .6.100. h history.EGP. timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5).

Type escape sequence to abort. S . Loopback0 B 2010:C15:C0:6::/64 [200/0] via ::FFFF:120. IA . L .10 L 2010:C15:C0:11::1/128 [0/0] via ::.OSPF intra.OSPF NSSA ext 1.OSPF NSSA ext 2 D .OSPF ext 1. IPv6-mpls C 2010:C15:C0:6::/64 [0/0] . R .1. OE2 .100. round-trip min/avg/max = 8/8/12 ms R6# ping ipv6 2010:C15:C0:1::1 Type escape sequence to abort.EIGRP. OI . Null0 L FF00::/8 [0/0] via ::.8 entries Codes: C .Local.OSPF ext 2 ON1 . round-trip min/avg/max = 8/9/12 ms R1# show ipv6 route IPv6 Routing Table . B .Local.1.8 entries Codes: C .ISIS interarea.Per-user Static route I1 .ISIS summary O .6. 100-byte ICMP Echos to 2010:C15:C0:1::1. OE1 . ON2 . IS .OSPF inter.1.BGP U . OE2 .Static.ISIS L2.EIGRP external B 2010:C15:C0:1::/64 [200/0] via ::FFFF:120.Connected. OE1 . GigabitEthernet0/0.6.ISIS L1.EIGRP external C 2010:C15:C0:1::/64 [0/0] via ::. OI .OSPF NSSA ext 2 D . I2 . IPv6-mpls L FE80::/10 [0/0] via ::. IPv6-mpls C 2010:C15:C0:11::/64 [0/0] via ::. GigabitEthernet0/0. I2 . S . Null0 R6# show ipv6 route IPv6 Routing Table .OSPF inter. R . IA .EIGRP.OSPF NSSA ext 1.100.RIP. timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5).ISIS interarea.OSPF ext 2 ON1 . Loopback0 L 2010:C15:C0:1::1/128 [0/0] via ::.OSPF ext 1. EX .ISIS L1.Connected. EX .Static. ON2 .OSPF intra. Sending 5. Sending 5.100.10 B 2010:C15:C0:62::/64 [200/0] via ::FFFF:120. 100-byte ICMP Echos to 2010:C15:C0:11::1. timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5). L .Per-user Static route I1 . B .RIP.BGP U .ISIS L2.1.ISIS summary O . IS .

GigabitEthernet0/1. The parent policy map is applied outbound on the PE interface connecting to the BLUE VRF CE device. Voice traffic is assigned into the LLQ by configuration of a priority queue with the command priority percent 35. The total bandwidth between the PE to CE should be shaped to 1Mbps. . If you have configured this correctly. Null0 Section 10: QoS (7 Points) Create the following QoS profile on your PE router R1 for traffic egressing to your CE device connected to the BLUE VRF.1. and Default traffic. thus reducing the effect of global synchronization. (4 points) This is a three-class PE-to-CE QoS question that requires assigning traffic to queues based on DSCP values into the listed classes and assignment of bandwidth on a per-class basis. Null0 FF00::/8 [0/0] via ::. you have scored 4 points. DSCP prioritization is achieved in the Mission-Critical class by enabling WRED with the random-detect dscp-based command. Use an appropriate method of prioritizing DSCP traffic so that AF31 packets are statistically dropped more frequently than AF32 during congestion and reduce the effects of TCP global synchronization within your Mission-Critical class and solely reduce the effect of TCP global synchronization within the Default class.100. The child policy map is called from within the parent policy to provide the QoS for Voice.L B C L L L via ::. Example 3-26 details the required configuration on PE router R1. IPv6-mpls 2010:C15:C0:62::/64 [0/0] via ::. Loopback0 2010:C15:C0:11::/64 [200/0] via ::FFFF:120. HQF Multiple Policy Support is required for the question with a parent policy shaping the output of the PE to the CE at 1Mbps.1. A similar non-DSCP–based effect is achieved within the Default class by use of the random-detect command. whereby lower-priority DSCP traffic will be dropped more aggressively than higher priority under congestion. GigabitEthernet0/1.10 2010:C15:C0:62::1/128 [0/0] via ::. Mission-Critical. 
Ensure that voice traffic is assigned to an LLQ.20 FE80::/10 [0/0] via ::. Loopback0 2010:C15:C0:6::1/128 [0/0] via ::.

The total aggregate speed from the CE to PE should be restricted to 1 Mbps.Example 3-26 PE to CE QoS Configuration Click here to view code image R1(config)# class-map match-any VOICE R1(config-cmap)# match ip dscp ef R1(config-cmap)# match ip dscp cs5 R1(config-cmap)# class-map match-any MISSION-CRITICAL R1(config-cmap)# match ip dscp cs6 R1(config-cmap)# match ip dscp af31 R1(config-cmap)# match ip dscp af32 R1(config-cmap)# match ip dscp cs3 R1(config-cmap)# policy-map PE-CE-CHILD R1(config-pmap)# class VOICE R1(config-pmap-c)# priority percent 35 R1(config-pmap-c)# class MISSION-CRITICAL R1(config-pmap-c)# bandwidth percent 40 R1(config-pmap-c)# random-detect dscp-based R1(config-pmap-c)# class class-default R1(config-pmap-c)# bandwidth percent 25 R1(config-pmap-c)# random-detect R1(config-pmap-c)# exit R1(config-cmap)# policy-map PE-CE-PARENT R1(config-pmap-c)# class class-default R1(config-pmap-c)# shape average 1000000 R1(config-pmap-c)# service-policy PE-CE-CHILD R1(config-pmap-c)# exit R1(config-pmap)# exit R1(config)# interface GigabitEthernet0/0. Traffic in the Voice class within the detailed CIR should have the MPLS EXP set to 5 and above discarded.10 R1(config-subif)# service-policy output PE-CE-PARENT Create the following QoS profile on your PE router R1 for traffic ingressing from your CE device connected to the BLUE VRF into the MPLS network. (3 points) . Traffic in the Mission-Critical class within the detailed CIR should have the MPLS EXP set to 3 and above set to 7. Traffic in the Default class within the detailed CIR should have the MPLS EXP set to 0 and above set to 4.

whereas hub-to-spoke IPsec connections should be permanent. Example 3-27 CE to PE QoS Configuration Click here to view code image R1(config)# policy-map CE-PE-SHAPE R1(config-pmap)# class VOICE R1(config-pmap-c)# police cir 350000 R1(config-pmap-c-police)# conform-action set-mpls-exp-topmost-transmit 5 R1(config-pmap-c-police)# exceed-action drop R1(config-pmap-c-police)# class MISSION-CRITICAL R1(config-pmap-c)# police cir 400000 R1(config-pmap-c-police)# conform-action set-mpls-exp-topmost-transmit 3 R1(config-pmap-c-police)# exceed-action set-mpls-exp-topmost-transmit 7 R1(config-pmap-c-police)# class class-default R1(config-pmap-c)# police cir 250000 R1(config-pmap-c-police)# conform-action set-mpls-exp-topmost-transmit 0 R1(config-pmap-c-police)# exceed-action set-mpls-exp-topmost-transmit 4 R1(config-pmap-c-police)# interface GigabitEthernet0/0. you have scored 3 points. and 6. Use EIGRP with a named virtual instance of VPN and autonomous system of 1 to advertise the loopback networks between routers over a common GRE tunnel network of 100. R6 is to be a hub router.10 R1(config-subif)# service-policy input CE-PE-SHAPE Section 11: Security (15 Points) Create three new loopback IP addresses of loopback1 on R4. using IPsec to encrypt all traffic between the loopback networks using a preshared ISAKMP key of CCIE. You are not permitted to enable EIGRP on your Ethernet interfaces between routers. Use an IPsec transform set of esp-des esp-md5-hmac on each router. If you have configured this correctly.4. with R4 and R5 being effectively spoke routers in your solution.6/24. NHRP should be authenticated with a password of SECRET. Test .6.5.4. which connects to the BLUE VRF CE device and affects the traffic as it flows through the MPLS network. respectively.This DiffServ tunneling question requires that the classes you have configured in the previous question be policed to an aggregate of 1 Mbps and have their MPLS EXP values adjusted. 
Use an MTU of 1416 for your secure traffic. The policy map is applied to the input interface of the PE router.100.X/24 (X = router number) sourced from each router’s common Ethernet interface.100.4/24.5. use IP addresses of 4. an NHRP timeout of 100 seconds for spoke replies. Example 3-27 details the required configuration on PE router R1. and R6. The hub router should provide all necessary direct next-hop information to the spoke routers when they are required to communicate between themselves. and a delay of 2 milliseconds on the tunnel network. 5.6. Spoke routers must communicate with each other directly using dynamic IPsec connections with the aid of NHRP at the hub. R5.5/24.

Example 3-28 DMVPN Configuration Click here to view code image R4(config)# interface loopback1 R4(config-if)# ip add 4. and the authentication password is set to SECRET as directed within the question.0. NHRP is enabled on the tunnel interface of each router with an identical network ID to match the broadcast domain for all three routers.0 R4(config-if)# router eigrp VPN R4(config-router)# address-family ipv4 autonomous-system 1 R4(config-router-af)# network 100. The crypto isakmp policy command configures the preshared key to CCIE and sets the transform set with the required parameters of esp-des esp-md5-hmac. You have numerous tasks to perform.255 R4(config-router-af)# network 4.0. Because the spoke routers will terminate their connection to the hub on the same interface. The tunnel source of each router is the common Ethernet network 120.100. so this could be the kind of question that is best saved until later and tackled if you have time.0.255. which is 2 milliseconds.6. The command ip nhrp map multicast dynamic permits the registration of the multicast address for EIGRP during boot or during initiation of spoke-to-hub sessions. (10 points) This is a classic Dynamic Multipoint VPN (DMVPN) question in which a hub-and-spoke design is used with Next Hop Resolution Protocol (NHRP) for the spoke routers to communicate with each other.4. The required configuration for the loopback and tunnel interfaces and the DMVPN is detailed in Example 3-28.255. which is uncomplicated. The ip nhrp holdtime 100 command sets the NHRP time for a spoke to keep the NHRP reply to 100 seconds and is configured on the hub-and-spoke routers.4. so be aware of the unit values.255 R6(config)# interface loopback1 R6(config-if)# ip address 6. The MTU is fixed at 1416 as directed within the question on the tunnel interfaces to allow for overhead of the VPN connection. 
which are applied to the tunnel interface by the use of the tunnel protection ipsec profile IPSEC command.255 R5(config)# interface loopback1 R5(config-if)# ip address 5.255.6 255.255. which are microseconds.255.0 R5(config-if)# router eigrp VPN R5(config-router)# address-family ipv4 autonomous-system 1 R5(config-router-af)# network 100.4.0.0 0.45.255 R5(config-router-af)# network 5.5.5. the complexity begins when you enable IPsec and NHRP.5.100.255.100. the tunnel mode must be set to tunnel mode gre multipoint. A delay of 2000 is configured on each tunnel interface as directed in the question.5 255.0 0.0 0.4.0 0.5.4 255.6.100.100.100.0.100.0. The question dictates that you configure a tunnel network 100.your solution by extended pings sourced from the configured loopback interfaces.0.0 R6(config-if)# router eigrp VPN .0/24 in which to advertise each router’s new loopback network over GRE and EIGRP sourced from the common Ethernet interfaces.0.

6 R4(config-if)# delay 2000 R4(config-if)# tunnel source gig 0/0 R4(config-if)# tunnel mode gre multipoint R4(config-if)# tunnel key 1 R4(config-if)# tunnel protection ipsec profile IPSEC R5(config)# crypto isakmp policy 1 R5(config-isakmp)# authentication pre-share R5(config-isakmp)# crypto isakmp key CCIE address 0.0 R6(config-isakmp)# crypto ipsec transform-set DMVPN esp-des esp-md5hmac R6(cfg-crypto-trans)# crypto ipsec profile IPSEC R6(ipsec-profile)# set transform-set DMVPN R6(ipsec-profile)# interface Tunnel1 R6(config-if)# ip address 100.4 255.0 0.100.45.100.100.0.255 R6(config)# crypto isakmp policy 1 R6(config-isakmp)# authentication pre-share R6(config-isakmp)# crypto isakmp key CCIE address 0.255 R6(config-router-af)# network 6.6 255.100.255.255.100.0.100.255.255.100.R6(config-router)# address-family ipv4 autonomous-system 1 R6(config-router-af)# network 100.6.0 R4(config-if)# ip mtu 1416 R4(config-if)# ip nhrp authentication SECRET R4(config-if)# ip nhrp map 100.0.6 120.0.0.0.45.100.0 0.0.0 R4(config-isakmp)# crypto ipsec transform-set DMVPN esp-des esp-md5hmac R4(cfg-crypto-trans)# crypto ipsec profile IPSEC R4(ipsec-profile)# set transform-set DMVPN R4(ipsec-profile)# interface Tunnel0 R4(config-if)# ip address 100.0 R6(config-if)# ip mtu 1416 R6(config-if)# ip nhrp authentication SECRET R6(config-if)# ip nhrp map multicast dynamic R6(config-if)# ip nhrp network-id 10 R6(config-if)# ip nhrp holdtime 100 R6(config-if)# delay 2000 R6(config-if)# tunnel source gig 0/0 R6(config-if)# tunnel mode gre multipoint R6(config-if)# tunnel key 1 R6(config-if)# tunnel protection ipsec profile IPSEC R4(config)# crypto isakmp policy 1 R4(config-isakmp)# authentication pre-share R4(config-isakmp)# crypto isakmp key CCIE address 0.6.6 R4(config-if)# ip nhrp network-id 10 R4(config-if)# ip nhrp holdtime 100 R4(config-if)# ip nhrp nhs 100.100.0.6 R4(config-if)# ip nhrp map multicast 120.100.100.0.0.100.0 R5(config-isakmp)# crypto ipsec transform-set DMVPN esp-des 
esp-md5hmac R5(cfg-crypto-trans)# crypto ipsec profile IPSEC R5(ipsec-profile)# set transform-set DMVPN R5(ipsec-profile)# interface Tunnel0 .

00:00:50.6.255. 00:03:06.R5(config-if)# R5(config-if)# R5(config-if)# R5(config-if)# R5(config-if)# R5(config-if)# R5(config-if)# R5(config-if)# R5(config-if)# R5(config-if)# R5(config-if)# R5(config-if)# R5(config-if)# ip address 100. 00:01:02. !a classic split horizon issue. R6(config)# router eigrp VPN R6(config-router)# address-family ipv4 autonomous-system 1 . yet each spoke router discovers only the hub network.6 ip nhrp map multicast 120.6.0 [90/285084416] via 100. and this will enable the dynamic IPsec peering between spokes as directed in the question.100. Example 3-29 DMVPN Spoke-to-Spoke Routing Click here to view code image R4# show ip route eigrp 6.0 [90/285084416] via 100. the hub router shows both spoke networks.100.100.255.0/24 is subnetted.100. 1 subnets D 5. The command no next-hop-self on the hub router R6 ensures that the spoke routers are used as next hops when spoke-to-spoke communication is required.4.0.100.45.0 [90/285084416] via 100.100. 1 subnets D 6.0.100. the next hop for spoke networks show as the hub router 100.100.100.6 ip nhrp network-id 10 ip nhrp holdtime 100 ip nhrp nhs 100. Tunnel0 R6# show ip route eigrp 4.100. 1 subnets D 6.100.6. Tunnel0 5.6.” As shown in Example 3-29.100. However.0 ip mtu 1416 ip nhrp authentication SECRET ip nhrp map 100.0.100.0.6 delay 2000 tunnel source gig 0/0 tunnel mode gre multipoint tunnel key 1 tunnel protection ipsec profile IPSEC Example 3-29 details the EIGRP routes received on all routers.6.100. As you can see. The hub router R6 must be configured to disable the split-horizon behavior to ensure that the spoke routers receive each other’s routes.100.5 255. the question dictates that spoke routers should be able to communicate “directly.100.100.0.45.5. 1 subnets D 4.0.6 120.100.0 [90/285084416] via 100.0. Tunnel0 !R6 has both spoke routes yet each spoke (R4 and R5) only have the hub network route. this is a classic split-horizon issue.4.5.6.0/24 is subnetted.4. 
Tunnel0 R5# show ip route eigrp 6.6 for each spoke network. 00:02:42.0.0/24 is subnetted.5.0/24 is subnetted.

R6(config-router-af)# af-interface Tunnel0
R6(config-router-af-interface)# no split-horizon
R4# show ip route eigrp
      5.0.0.0/24 is subnetted, 1 subnets
D        5.5.5.0 [90/285596416] via 100.100.100.6, 00:00:22, Tunnel0
      6.0.0.0/24 is subnetted, 1 subnets
D        6.6.6.0 [90/285084416] via 100.100.100.6, 00:04:14, Tunnel0
R5# show ip route eigrp
      4.0.0.0/24 is subnetted, 1 subnets
D        4.4.4.0 [90/285596416] via 100.100.100.6, 00:00:33, Tunnel0
      6.0.0.0/24 is subnetted, 1 subnets
D        6.6.6.0 [90/285084416] via 100.100.100.6, 00:02:20, Tunnel0
R5#
! The next-hop for spoke to spoke routes shows as the hub router (100.100.100.6) yet
! the question states traffic must flow directly between spokes so the next-hop must
! be modified
R6(config)# router eigrp VPN
R6(config-router)# address-family ipv4 autonomous-system 1
R6(config-router-af)# af-interface Tunnel1
R6(config-router-af-interface)# no next-hop-self
R4# show ip route eigrp
      5.0.0.0/24 is subnetted, 1 subnets
D        5.5.5.0 [90/285596416] via 100.100.100.5, 00:00:28, Tunnel0
      6.0.0.0/24 is subnetted, 1 subnets
D        6.6.6.0 [90/285084416] via 100.100.100.6, 00:00:29, Tunnel0
R5# show ip route eigrp
      4.0.0.0/24 is subnetted, 1 subnets
D        4.4.4.0 [90/285596416] via 100.100.100.4, 00:00:39, Tunnel0
      6.0.0.0/24 is subnetted, 1 subnets
D        6.6.6.0 [90/285084416] via 100.100.100.6, 00:00:39, Tunnel0
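
The checks that Example 3-29 makes by eye can be scripted. The following is an added example, not part of the original lab: it parses `show ip route eigrp` output from a spoke and reports whether a remote spoke prefix is missing (split horizon still active on the hub) or still points at the hub (next-hop-self still active). The function names and sample strings are assumptions; the samples are constructed in IOS layout from the route values shown above.

```python
import re

# "5.0.0.0/24 is subnetted, 1 subnets": children inherit this mask length.
SUBNETTED_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+/(\d+) is subnetted")

# One EIGRP path. The prefix is absent on continuation lines that list an
# extra path to the previous prefix (equal-cost paths, add-paths).
ROUTE_RE = re.compile(
    r"^(?:D(?:\s+EX)?\s+)?"
    r"(?:(?P<prefix>\d+\.\d+\.\d+\.\d+)(?:/(?P<len>\d+))?\s+)?"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>\d+\.\d+\.\d+\.\d+)"
    r"(?:,\s*(?P<age>[\w:]+))?(?:,\s*(?P<intf>\S+))?\s*$"
)

HINTS = {
    "missing": "hub is not re-advertising spoke routes (split horizon on hub tunnel)",
    "via-hub": "hub rewrites the next hop (next-hop-self on hub tunnel)",
    "unexpected-next-hop": "next hop is neither the hub nor the owning spoke",
}


def parse_eigrp_routes(output):
    """Return {prefix/len: [next hops]} from 'show ip route eigrp' text."""
    routes, parent_len, current = {}, None, None
    for raw in output.splitlines():
        line = raw.strip()
        parent = SUBNETTED_RE.match(line)
        if parent:
            parent_len = parent.group(1)
            continue
        if "variably subnetted" in line:
            parent_len = None          # children carry their own /len
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue                   # prompts, comments, blank lines
        if m.group("prefix"):
            plen = m.group("len") or parent_len
            current = m.group("prefix") + ("/" + plen if plen else "")
        if current is not None:
            routes.setdefault(current, []).append(m.group("nh"))
    return routes


def audit_spoke(output, hub_tunnel_ip, remote_spokes):
    """remote_spokes maps each remote spoke prefix to that spoke's tunnel IP."""
    routes = parse_eigrp_routes(output)
    findings = []
    for prefix, owner in sorted(remote_spokes.items()):
        hops = routes.get(prefix)
        if not hops:
            findings.append((prefix, "missing"))
        elif hub_tunnel_ip in hops:
            findings.append((prefix, "via-hub"))
        elif owner not in hops:
            findings.append((prefix, "unexpected-next-hop"))
    return findings


# Constructed samples: R4's table at the three stages of Example 3-29.
R4_SPLIT_HORIZON = """
      6.0.0.0/24 is subnetted, 1 subnets
D        6.6.6.0 [90/285084416] via 100.100.100.6, 00:03:06, Tunnel0
"""
R4_NEXT_HOP_SELF = """
      5.0.0.0/24 is subnetted, 1 subnets
D        5.5.5.0 [90/285596416] via 100.100.100.6, 00:00:22, Tunnel0
      6.0.0.0/24 is subnetted, 1 subnets
D        6.6.6.0 [90/285084416] via 100.100.100.6, 00:04:14, Tunnel0
"""
R4_DIRECT = """
      5.0.0.0/24 is subnetted, 1 subnets
D        5.5.5.0 [90/285596416] via 100.100.100.5, 00:00:28, Tunnel0
      6.0.0.0/24 is subnetted, 1 subnets
D        6.6.6.0 [90/285084416] via 100.100.100.6, 00:00:29, Tunnel0
"""
# Constructed sample: two equal-cost paths, second on a continuation line.
R6_EQUAL_COST = """
      45.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D        45.45.45.0/24 [90/61440640] via 100.100.100.5, 00:01:10, Tunnel0
                       [90/61440640] via 100.100.100.4, 00:01:10, Tunnel0
"""

if __name__ == "__main__":
    hub, spokes = "100.100.100.6", {"5.5.5.0/24": "100.100.100.5"}
    for name, text in [("split horizon on", R4_SPLIT_HORIZON),
                       ("next-hop-self on", R4_NEXT_HOP_SELF),
                       ("both disabled", R4_DIRECT)]:
        for prefix, code in audit_spoke(text, hub, spokes) or [("-", "ok")]:
            print(f"{name}: {prefix} {code} {HINTS.get(code, '')}")
```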

Example 3-30 shows the ISAKMP IPsec connection on spoke Router R5 to the hub. To bring up
a dynamic ISAKMP IPsec connection to the other spoke router R4, an extended ping is required
from loopback interface to loopback interface.
This question was extremely complex and is the reason why it was weighted so heavily. You had
multiple items to configure within the standard DMVPN solution, such as split horizon. It should
make you realize the importance of reading the question a number of times and taking the time to
test your configurations to ensure that you have successfully answered the question. If you have
configured your routers correctly, as detailed in Examples 3-29 and 3-30, congratulations, and
you have earned a hefty 10 points.

Example 3-30 DMVPN Spoke-to-Spoke Testing

R5# show crypto map
Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
Profile name: IPSEC
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
DMVPN,
}
Crypto Map "Tunnel0-head-0" 65537 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 120.100.45.6
Extended IP access list
access-list permit gre host 120.100.45.5 host 120.100.45.6
Current peer: 120.100.45.6
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
DMVPN,
}
Interfaces using crypto map Tunnel0-head-0:
Tunnel0
R5# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
120.100.45.6    120.100.45.5    QM_IDLE           4001    0 ACTIVE

IPv6 Crypto ISAKMP SA
! R5 spoke router only has a connection to the hub router. An extended ping sourced
! from the loopback interface of one spoke to another is required to bring up the
! dynamic spoke to spoke connection.
R5# ping
Protocol [ip]:
Target IP address: 4.4.4.4
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 5.5.5.5
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:

Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 5.5.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R5# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
120.100.45.5    120.100.45.4    QM_IDLE           4002    0 ACTIVE
120.100.45.6    120.100.45.5    QM_IDLE           4001    0 ACTIVE

IPv6 Crypto ISAKMP SA

Following on from the previous question, add R2 into the common GRE tunnel network
as a spoke router using identical security parameters as used on R4 and R5, ensuring it
receives routes from R4, R5, and R6 using the same common EIGRP parameters. The
source interface for the tunnel configuration on R2 should be Fast Ethernet 1/1, and the
destination should be the Gigabit Ethernet 0/0 interface of R6. Add new Loopback 2
identical IP addresses of 45.45.45.45/24 on both R4 and R5 and advertise this identical
network from R4 and R5 to the hub router R6 on the common GRE tunnel interface.
Configure R6 to advertise both destinations (R4 and R5) to spoke router R2 for network
45.45.45.0/24 in EIGRP over the common GRE tunnel network. (3 points)
Adding R2 as an additional spoke router into the DMVPN network is a relatively simple task if
you were successful with the previous question; it is simply a spoke repetition task. R4 and R5
are configured with a new Loopback 2 interface with an identical IP address of 45.45.45.45/24.
This network is then advertised within EIGRP over the DMVPN toward the preconfigured hub
router R6. Example 3-31 shows the required configuration on R2, R4, and R5 and the resulting
route advertisements for the new network on R4 and R5 successfully received on R6 and R2.
Example 3-31 DMVPN R2, R4, and R5 Configuration and Verification

R2(config-if)# router eigrp VPN
R2(config-router)# address-family ipv4 autonomous-system 1
R2(config-router-af)# network 100.100.100.0 0.0.0.255

R2(config-router-af)# exit-address-family
R2(config-router)# crypto isakmp policy 1
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# crypto isakmp key CCIE address 0.0.0.0
R2(config-isakmp)# crypto ipsec transform-set DMVPN esp-des esp-md5-hmac
R2(cfg-crypto-trans)# crypto ipsec profile IPSEC
R2(ipsec-profile)# set transform-set DMVPN
R2(ipsec-profile)# interface Tunnel0
R2(config-if)# ip address 100.100.100.2 255.255.255.0
R2(config-if)# ip mtu 1416
R2(config-if)# ip nhrp authentication SECRET
R2(config-if)# ip nhrp map 100.100.100.6 120.100.45.6
R2(config-if)# ip nhrp map multicast 120.100.45.6
R2(config-if)# ip nhrp network-id 10
R2(config-if)# ip nhrp holdtime 100
R2(config-if)# ip nhrp nhs 100.100.100.6
R2(config-if)# delay 2000
R2(config-if)# tunnel source fastethernet0/1
R2(config-if)# tunnel mode gre multipoint
R2(config-if)# tunnel key 1
R2(config-if)# tunnel protection ipsec profile IPSEC
R4(config)# interface loopback2
R4(config-if)# ip add 45.45.45.45 255.255.255.0
R4(config-if)# router eigrp VPN
R4(config-router)# address-family ipv4 autonomous-system 1
R4(config-router-af)# network 45.45.45.0 0.0.0.255
R5(config)# interface loopback2
R5(config-if)# ip add 45.45.45.45 255.255.255.0
R5(config-if)# router eigrp VPN
R5(config-router)# address-family ipv4 autonomous-system 1
R5(config-router-af)# network 45.45.45.0 0.0.0.255
R6# show ip route eigrp
      4.0.0.0/24 is subnetted, 1 subnets
D        4.4.4.0 [90/61440640] via 100.100.100.4, 00:00:16, Tunnel0
      5.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D        5.5.5.0/24 [90/61440640] via 100.100.100.5, 00:00:16, Tunnel0
      45.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D        45.45.45.0/24 [90/61440640] via 100.100.100.5, 00:01:10, Tunnel0
                       [90/61440640] via 100.100.100.4, 00:01:10, Tunnel0
R2# show ip route eigrp
      4.0.0.0/24 is subnetted, 1 subnets
D        4.4.4.0 [90/71680640] via 100.100.100.4, 00:01:40, Tunnel0
      5.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D        5.5.5.0/24 [90/71680640] via 100.100.100.5, 00:01:40, Tunnel0
      6.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D        6.6.6.0/24 [90/61440640] via 100.100.100.6, 00:07:05, Tunnel0
      45.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

0/24 [90/71680640] via 100. Tunnel0 5.0/24 is shown in the routing table of R2.0/8 is variably subnetted.100.45.6. as shown in Example 332. .100. In this instance.5.5. Configure R1 appropriately.4. thereby allowing load balancing and path redundancy. With Add Path Support in EIGRP.100.45. you have scored 2 points.100.100.100. Tunnel0 45. R4.0/8 is variably subnetted.4. 00:01:16. Example 3-32 shows that only a single route for network 45.0.45. 00:01:16.0/24 [90/71680640] via 100. 2 masks D 45.D Tunnel0 45. Therefore. 00:01:22. Tunnel0 [90/61440640] via 100. and R5 Configuration and Verification Click here to view code image R6(config)# router eigrp VPN R6(config-router)# address-family ipv4 autonomous-system 1 R6(config-router-af)# af-interface Tunnel0 R6(config-router-af-interface)# add-paths 2 R2# show ip route eigrp 4. 00:01:14. 2 subnets.45.100. If you have configured this correctly per Example 3-33. Tunnel0 The network manager of your network cannot justify a full security implementation but wants to implement a solution that provides only a password prompt from R1 when the keyboard entry 1 is entered on the console port (as opposed to the normal CR/Enter key). 2 masks D 6. hubs can advertise up to four additional best paths to connected spokes. You would need to search to discover that ASCII numeric figures (0 to 9) are prefixed by the binary value of 0011.100.45.4. so a value of 1 (0001) would be 00110001. 1 subnets D 4. 00:01:16. Example 3-32 DMVPN R2.0.0. the command add-paths 2 under the Tunnel 0 interface of the EIGRP af-interface section ensures that the spoke router R2 receives both paths to network 45.6.100.0.6.45. you have scored 3 points. the decimal conversion is 32 + 16 + 1 = 49. 2 subnets.5. 2 masks D 5. Tunnel0 6.0. This is the default behavior of the hub router R6 when a hub has more than one path (with the same metric but through different spokes) to reach the same network.0.100. This is good question on which to use the (?) 
on the CLI for clues and your documentation CD or search facility in the lab if you were not aware of this feature. 2 subnets.45.5.0/24 [90/61440640] via 100.0/24 through R4 and R5. (2 points) This question makes use of the activation-character command on the console port.0/24 [90/71680640] via 100. This is a nasty question because the CLI entry requires an ASCII entry. 00:03:39.100.0.4.45.4. If you have configured this correctly.0/8 is variably subnetted.0/24 is subnetted.100. EIGRP advertises only one path as the best path to connected spokes.0.0 [90/71680640] via 100.

Example 3-33 R1 Console Activation-Character Configuration

R1(config)# line con 0
R1(config-line)# activation-character ?
  CHAR or <0-127>  Activation character or its decimal equivalent
R1(config-line)# activation-character 49

Lab 3 Wrap-Up
So, how did it go? Did you run out of time? Did you manage to finish but miss what was actually required? If you scored over 80, well done. If you accomplished this within 8 hours or less, you will be prepared for any scenario that you are likely to face during the 5.5 hours of the Configuration section of the actual exam. Remember that the Troubleshooting section on the v5.0 exam is a separate section from the Configuration section and has a different scenario. You will have 2 hours to complete the Troubleshooting section. This lab was designed to ensure that you troubleshoot your own work as you progress through the questions. Did you manage to configure items such as disabling split horizon for DMVPN and the area ID for OSPF? This attention to detail and complete understanding of the protocols will ultimately earn you your number.