CCIE R&S LAB – CFG H2/A5CCIE R&S LAB – CFG H2/A5 Section 1 – Layer 2 Technologies 1.1 Jameson’s Datacenter: Access port There has been pre‐configured in Jameson’s Datacenter

CCIER&SLAB–CFGH2/A5

Section1–Layer2Technologies

1.1Jameson’sDatacenter:AccessportThere has been pre‐configured in Jameson’s Datacenter. SW3 is the server and the other three

switches are clients. Do not modify this configuration. Some other configuration was already started

but it is your responsibility to verify and complete them.

Configure all four switches in Jameson’s datacenter network (AS 65002) as per the following

requirements:

All unused ports must be configured in VLAN 999 and administratively shutdown. Refer to

“Table 1: Jameson’s VLAN to Port Mapping” to figure out which ports are used and unused.

Access‐ports must immediately transition to the forwarding state upon link up, as long as

they do not receive a BPDU. Use a unique command per switch to enable this feature.

PORTFAST

If an access‐port received a BPDU, it must automatically shutdown, generate a syslog and a

SNMP trap (to solve this issue add. Use a unique command per switch to enable to this

feature.

logging trap 6

Ports that were shutdown must always rely on a manual intervention to recover.

VLAN 911 (10.2.100.X/24) will be used as the management VLAN in Jameson’s datacenter.

Ensure that all datacenter switches are able to ping each other IP address in the

management VLAN.

SW5 and SW6 are low‐end access switches and they do not have much processing power.

Ensure that their only Layer 3 interfaces are Loopback0 and VLAN 911.

SW3 and SW4 are robust and powerful distribution switches. Ensure that they maintain a

Layer 3 interface for all local VLANs as well as all access VLANs, as specified in “Table 1:

Jameson’s VLAN to Port Mapping”.

Answers:

SW3:

vtp domain CCIE vtp mode server vlan 34,100,153,156,164,184,911,999 interface range ethernet 0/2‐3,e1/1‐3,e3/2‐3 switchport mode access switchport access vlan 999 shutdown spanning‐tree portfast default

spanning‐tree portfast bpduguard default interface e0/0 switchport mode access switchport access vlan 173 exi interface e1/0 switchport mode access switchport access vlan 153 exi int Eth 0/1 switchport mode access switchport access vlan 156 end wr SW4: vtp domain CCIE vtp mode client interface range ethernet 0/2‐3,e1/1‐3,e3/2‐3 switchport mode access switchport access vlan 999 shutdown spanning‐tree portfast default spanning‐tree portfast bpduguard default interface e0/0 switchport mode access switchport access vlan 184 exi interface e1/0 switchport mode access switchport access vlan 164 exi int Eth 0/1 switchport mode access switchport access vlan 156 end wr SW5: vtp domain CCIE vtp mode client interface range ethernet 0/0,e1/0‐3 switchport mode access switchport access vlan 999

shutdown exi spanning‐tree portfast default spanning‐tree portfast bpduguard default interface range ethernet 0/1‐3 switchport mode access switchport access vlan 100 end wr SW6: vtp domain CCIE vtp mode client interface range ethernet 0/0,e1/0‐3 switchport mode access switchport access vlan 999 shutdown exi spanning‐tree portfast default spanning‐tree portfast bpduguard default interface range ethernet 0/1‐3 switchport mode access switchport access vlan 100 end wr

1.2Jameson’sDatacenter:TrunkportsRefer to “Diagram 1: Jameson’s Layer 2 Connections” and “Table 1: Jameson’s VLAN to Port

Mapping”.

Configure Jameson’s datacenter network (AS 65002) as per the following requirements:

All inter‐switch links must be configured to use dot1q encapsulation.

Ensure that no switch attempt to negotiate the trunk parameters.

Ensure that all four switches send and receive untagged frames on VLAN 1.

All four switches must maintain a separate Spanning‐tree instance for each VLAN.

Rapid‐pvst

Spanning‐tree must immediately delete dynamically learned MAC address entries on a per‐

port basis upon receiving a topology change.

SW3 must be the root switch for all VLANs. SW4 must be the backup root switch for all

VLANs. Ensure that they both have the best chances of maintaining their respective role

even if any new normal‐range VLAN were to be added in the future.

Spanning‐tree vlan 1‐4094 priority 0

Spanning‐tree vlan 1‐4094 priority 4096

Answers:

#SW3

interface range ethernet 2/0‐3 switchport trunk encapsulation dot1q switchport mode trunk switchport nonegotiate exi interface range ethernet 3/0‐1 switchport trunk encapsulation dot1q switchport mode trunk switchport nonegotiate spanning‐tree mode rapid‐pvst spanning‐tree vlan 1‐4094 priority 0 end wr #SW4 interface range ethernet 2/0‐3 switchport trunk encapsulation dot1q switchport mode trunk switchport nonegotiate exi interface range ethernet 3/0‐1 switchport trunk encapsulation dot1q switchport mode trunk switchport nonegotiate exit spanning‐tree mode rapid‐pvst spanning‐tree vlan 1‐4094 priority 4096 end wr #SW5 interface range ethernet 2/0‐3 switchport trunk encapsulation dot1q switchport mode trunk switchport nonegotiate exi spanning‐tree mode rapid‐pvst end wr

#SW6 interface range ethernet 2/0‐3 switchport trunk encapsulation dot1q switchport mode trunk switchport nonegotiate spanning‐tree mode rapid‐pvst end wr Verfiy: SW3#sho interfaces trunk Port Mode Encapsulation Status Native vlan Et2/0 on 802.1q trunking 1 Et2/1 on 802.1q trunking 1 Et2/2 on 802.1q trunking 1 Et2/3 on 802.1q trunking 1 Et3/0 on 802.1q trunking 1 Et3/1 on 802.1q trunking 1 Port Vlans allowed on trunk Et2/0 1‐4094 Et2/1 1‐4094 Et2/2 1‐4094 Et2/3 1‐4094 Et3/0 1‐4094 Et3/1 1‐4094 Port Vlans allowed and active in management domain Et2/0 1,34,100,153,156,164,173,184,911,999 Et2/1 1,34,100,153,156,164,173,184,911,999 Et2/2 1,34,100,153,156,164,173,184,911,999 Et2/3 1,34,100,153,156,164,173,184,911,999 Et3/0 1,34,100,153,156,164,173,184,911,999 Et3/1 1,34,100,153,156,164,173,184,911,999 Port Vlans in spanning tree forwarding state and not pruned Et2/0 1,34,100,153,156,164,173,184,911,999 Port Vlans in spanning tree forwarding state and not pruned Et2/1 1,34,100,153,156,164,173,184,911,999 Et2/2 1,34,100,153,156,164,173,184,911,999 Et2/3 1,34,100,153,156,164,173,184,911,999 Et3/0 1,34,100,153,156,164,173,184,911,999 Et3/1 1,34,100,153,156,164,173,184,911,999

SW4#sho interfaces trunk Port Mode Encapsulation Status Native vlan Et2/0 on 802.1q trunking 1 Et2/1 on 802.1q trunking 1 Et2/2 on 802.1q trunking 1 Et2/3 on 802.1q trunking 1 Et3/0 on 802.1q trunking 1 Et3/1 on 802.1q trunking 1 Port Vlans allowed on trunk Et2/0 1‐4094 Et2/1 1‐4094 Et2/2 1‐4094 Et2/3 1‐4094 Et3/0 1‐4094 Et3/1 1‐4094 Port Vlans allowed and active in management domain Et2/0 1,34,100,153,156,164,173,184,911,999 Et2/1 1,34,100,153,156,164,173,184,911,999 Et2/2 1,34,100,153,156,164,173,184,911,999 Et2/3 1,34,100,153,156,164,173,184,911,999 Et3/0 1,34,100,153,156,164,173,184,911,999 Port Vlans allowed and active in management domain Et3/1 1,34,100,153,156,164,173,184,911,999 Port Vlans in spanning tree forwarding state and not pruned Et2/0 none Et2/1 none Et2/2 none Et2/3 none Et3/0 none Et3/1 none SW5#show interfaces trunk Port Mode Encapsulation Status Native vlan Et2/0 on 802.1q trunking 1 Et2/1 on 802.1q trunking 1 Et2/2 on 802.1q trunking 1 Et2/3 on 802.1q trunking 1 SW6#show interfaces trunk Port Mode Encapsulation Status Native vlan Et2/0 on 802.1q trunking 1 Et2/1 on 802.1q trunking 1 Et2/2 on 802.1q trunking 1

Et2/3 on 802.1q trunking 1

1.3Jameson’sDatacenter:LinkbundlingRefer to “Diagram 1: Jameson’s Layer 2 Connections” and “Diagram 2: Initial Topology”

Configure Jameson’s datacenter network as per the following requirements:

All four switches must bundle trunk ports so that they maintain a single logical link to each

other (excepted between SW5 and SW6), as shown in the “Diagram 2: Initial Topology”.

Ensure that no switch attempt to negotiate which ports should become active in the bundle.

The distribution switches SW3 and SW4 must balance traffic between all members of the

link bundle based on source and destination IP addresses.

Port‐channel load‐balance src‐dst‐ip

The access switches SW5 and SW6 must balance the income traffic (that is originated from

server) between all members of the link bundle based on the servers’ MAC address.

Port‐channel load‐balance src‐mac

#SW3

interface range ethernet 3/0‐1 channel‐group 34 mode on exi interface range e2/0‐1 channel‐group 35 mode on exi interface range ethernet 2/2‐3 channel‐group 36 mode on exit

port‐channel load‐balance src‐dst‐ip

#SW4

interface range ethernet 3/0‐1 channel‐group 34 mode on exi interface range e2/0‐1 channel‐group 45 mode on exi interface range ethernet 2/2‐3 channel‐group 46 mode on exi port‐channel load‐balance src‐dst‐ip #SW5 interface range ethernet 2/0‐1 channel‐group 45 mode on exi interface range ethernet 2/2‐3 channel‐group 35 mode on exit port‐channel load‐balance src‐mac #SW6 interface range ethernet 2/0‐1 channel‐group 36 mode on exi interface range ethernet 2/2‐3 channel‐group 46 mode on exit port‐channel load‐balance src‐mac Verify: SW3#show etherchannel summary Flags: D ‐ down P ‐ bundled in port‐channel I ‐ stand‐alone s ‐ suspended H ‐ Hot‐standby (LACP only) R ‐ Layer3 S ‐ Layer2

U ‐ in use N ‐ not in use, no aggregation f ‐ failed to allocate aggregator M ‐ not in use, minimum links not met m ‐ not in use, port not aggregated due to minimum links not met u ‐ unsuitable for bundling w ‐ waiting to be aggregated d ‐ default port A ‐ formed by Auto LAG Number of channel‐groups in use: 3 Number of aggregators: 3 Group Port‐channel Protocol Ports ‐‐‐‐‐‐+‐‐‐‐‐‐‐‐‐‐‐‐‐+‐‐‐‐‐‐‐‐‐‐‐+‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ 34 Po34(SU) ‐ Et3/0(P) Et3/1(P) 35 Po35(SU) ‐ Et2/0(P) Et2/1(P) 36 Po36(SU) ‐ Et2/2(P) Et2/3(P)

1.4Jameson’sBranchOfficesRefer to “Diagram 1: Jameson’s Layer 2 Connections”.

Configure interface Ethernet0/0 in Jameson’s branch routers R19, R20 and R21 as per the following

requirements:

The Ethernet WAN links must rely on a Layer 2 protocol that supports link negotiation and

authentication.

The service provider expects that the branch routers complete a three‐way handshake by

providing the expected response of a challenge that is sent by R49.

R19 must use the username “Jamesons‐R19” and password “CCIE” (without quotes).



The interface Eth0/0 of all three routers must receive an IP address from R49.

Ensure that all three routers can ping the IP address of each other’s interface Eth0/0.

You are allowed to configure a single static route in each branch router to achieve the

previous requirement.

Vrf definition LOCALSP

Address‐family ipv4

!

Interface eth 0/0

Dialer pool 1

!

Interface dialer 1

Encap ppp

Dialer pool 1

Ip vrf for LOCALSP

!

Ip route vrf LOCALSP 0.0.0.0 0.0.0.0 192.0.2.13

Answers:

R19:

ip vrf LOCALSP rd 65002:10 ! ! interface Dialer0 ip vrf forwarding LOCALSP ip address negotiated encapsulation ppp dialer pool 1 ppp chap hostname Jamesons‐R19 ppp chap password 0 CCIE interface Ethernet0/0 no ip address pppoe enable pppoe‐client dial‐pool‐number 1 no sh exit ip route vrf LOCALSP 0.0.0.0 0.0.0.0 192.0.2.1 end wr R20:

ip vrf LOCALSP

rd 65002:10 ! ! interface Dialer0 ip vrf forwarding LOCALSP ip address negotiated encapsulation ppp dialer pool 1 ppp chap hostname Jamesons‐R20 ppp chap password 0 CCIE interface Ethernet0/0 no ip address pppoe enable pppoe‐client dial‐pool‐number 1 no sh exit ip route vrf LOCALSP 0.0.0.0 0.0.0.0 192.0.2.1 end wr R21:

ip vrf LOCALSP rd 65002:10 ! ! interface Dialer0 ip vrf forwarding LOCALSP ip address negotiated encapsulation ppp dialer pool 1 ppp chap hostname Jamesons‐R21 ppp chap password 0 CCIE interface Ethernet0/0 no ip address pppoe enable pppoe‐client dial‐pool‐number 1 no sh exit ip route vrf LOCALSP 0.0.0.0 0.0.0.0 192.0.2.1 end wr

R19#show ip route vrf LOCALSP

Routing Table: LOCALSP

Codes: L ‐ local, C ‐ connected, S ‐ static, R ‐ RIP, M ‐ mobile, B ‐ BGP

D ‐ EIGRP, EX ‐ EIGRP external, O ‐ OSPF, IA ‐ OSPF inter area

N1 ‐ OSPF NSSA external type 1, N2 ‐ OSPF NSSA external type 2

E1 ‐ OSPF external type 1, E2 ‐ OSPF external type 2

i ‐ IS‐IS, su ‐ IS‐IS summary, L1 ‐ IS‐IS level‐1, L2 ‐ IS‐IS level‐2

ia ‐ IS‐IS inter area, * ‐ candidate default, U ‐ per‐user static route

o ‐ ODR, P ‐ periodic downloaded static route, H ‐ NHRP, l ‐ LISP

a ‐ application route

+ ‐ replicated route, % ‐ next hop override

Gateway of last resort is 192.0.2.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 192.0.2.1

192.0.2.0/32 is subnetted, 2 subnets

C 192.0.2.1 is directly connected, Dialer0

C 192.0.2.10 is directly connected, Dialer0

R19#ping vrf LOCALSP 192.0.2.11

Type escape sequence to abort.

Sending 5, 100‐byte ICMP Echos to 192.0.2.11, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round‐trip min/avg/max = 1/1/1 ms




!!!!!





!!!!!


Section2–Layer3Technologies

2.1Jameson’sIGP,part1Refer to “Diagram 2: Initial Topology”.

The configuration was already started. It is your responsibility to complete and verify all

requirements.

Configure Jameson’s network (AS 65001 and AS 65002) according to the following requirements:

Ensure that all routers use their interface Lo0 as OSPF router‐id.

Ensure that OSPF is not running on any interface that is facing another BGP AS.

SW5 and SW6 must not participate in OSPF at all.

Do not use the “network” statement under the “router ospf” configuration anywhere in the

core network (AS 65001).

Do not change the default OSPF cost of any interface anywhere.

Ensure that R1, SW1 and SW2 are elected the designated router on all of their interfaces,

and that they have the best chances of maintaining that role as long as their interfaces are

up.

Ensure that R2 is elected the Backup Designated router on all of their interfaces, and that it

has the best chances of maintaining that role as long as its interfaces are up.

Answers:

Data Center Network(AS65002)

SW3:

router ospf 65002 router‐id 10.255.1.33 network 10.0.0.0 0.255.255.255 area 0 SW4: router ospf 65002

router‐id 10.255.1.34 network 10.0.0.0 0.255.255.255 area 0 R17: router ospf 65002 router‐id 10.255.1.17 network 10.2.0.38 0.0.0.0 area 0 network 10.255.1.17 0.0.0.0 area 0 R18: router ospf 65002 router‐id 10.255.1.18 network 10.2.0.42 0.0.0.0 area 0 network 10.255.1.18 0.0.0.0 area 0 R15: router ospf 65002 router‐id 10.255.1.15 network 10.2.0.1 0.0.0.0 area 0 network 10.2.0.5 0.0.0.0 area 0 network 10.255.1.15 0.0.0.0 area 0 router ospf 65002 router‐id 10.255.1.16 network 10.2.0.2 0.0.0.0 area 0 network 10.2.0.9 0.0.0.0 area 0 network 10.255.1.16 0.0.0.0 area 0 Headquarter Network (AS65002): SW1: router ospf 65002 router‐id 10.255.1.31 network 10.0.0.0 0.255.255.255 area 0 interface vlan 101 ip ospf priority 255

R11:

router ospf 65002 router‐id 10.255.1.11 network 10.1.254.1 0.0.0.0 area 0 network 10.255.1.11 0.0.0.0 area 0

R12:

router ospf 65002 router‐id 10.255.1.12 network 10.1.254.2 0.0.0.0 area 0 network 10.255.1.12 0.0.0.0 area 0 Main Office(AS65002): SW2: router ospf 65002 router‐id 10.255.1.32 network 10.0.0.0 0.255.255.255 area 0 exi interface vlan 101 ip ospf priority 255 R14: router ospf 65002 network 10.3.254.2 0.0.0.0 area 0 network 10.255.1.14 0.0.0.0 area 0 R13: router ospf 65002 network 10.3.254.1 0.0.0.0 area 0 network 10.255.1.13 0.0.0.0 area 0 Core Network (AS65001): R1: router ospf 65001 router‐id 10.255.1.1 int lo0 ip ospf 65001 area 0 exi inter range e0/0,e0/2‐3,e1/0,e1/2 ip ospf 65001 area 0 ip ospf priority 255 R2: router ospf 65001 router‐id 10.255.1.2 int lo0 ip ospf 65001 area 0 exi inter range e0/0‐3,e1/0

ip ospf 65001 area 0 ip ospf priority 254 R3: router ospf 65001 router‐id 10.255.1.3 int lo0 ip ospf 65001 area 0 exi inter range e0/2‐3 ip ospf 65001 area 0 R4: router ospf 65001 router‐id 10.255.1.4 int lo0 ip ospf 65001 area 0 exi inter range e0/2‐3 ip ospf 65001 area 0 R5: router ospf 65001 router‐id 10.255.1.5 int lo0 ip ospf 65001 area 0 exi inter range e0/1,e0/3 ip ospf 65001 area 0 R6: router ospf 65001 router‐id 10.255.1.6 int lo0 ip ospf 65001 area 0 exi inter range e0/1,e0/3 ip ospf 65001 area 0 end wr R7:

router ospf 65001 router‐id 10.255.1.7 int lo0 ip ospf 65001 area 0 exi inter Ethernet0/2 ip ospf 65001 area 0 end wr R8: router ospf 65001 router‐id 10.255.1.8 int lo0 ip ospf 65001 area 0 exi inter Ethernet0/2 ip ospf 65001 area 0 end wr R9: router ospf 65001 router‐id 10.255.1.9 int lo0 ip ospf 65001 area 0 exi inter Ethernet0/1 ip ospf 65001 area 0 end wr R10: router ospf 65001 router‐id 10.255.1.10 int lo0 ip ospf 65001 area 0 exi inter Ethernet0/1 ip ospf 65001 area 0 end wr

2.2Jameson’sIGP,part2Refer to “Diagram 2: Initial Topology”.

Configure Jameson’s branch network according to the following requirements:

R17 must propagate a default route in its OSPF domain, but only if it already has a default

route in its routing table.

Do not redistribute BGP into OSPF and vice versa on R17.

Each branch router must establish an OSPF adjacency with R17 and must receive a default

route via OSPF. They may not receive any other LSA type 3 from the ABR.

Each branch router must advertise their interface Lo0 and Eth0/1 into OSPF.

None of the branch routers may attempt to elect a Designated Router on their Tunnel0

interface.

R17:

ip route 0.0.0.0 0.0.0.0 192.0.2.1

interface Tunnel0 bandwidth 1000 ip address 10.100.0.1 255.255.255.0 no ip redirects ip nhrp authentication 65002key ip nhrp map multicast dynamic ip nhrp network‐id 65002 ip nhrp holdtime 300 ip nhrp redirect ip ospf network broadcast ip ospf priority 255 delay 100 tunnel source Ethernet0/1 tunnel mode gre multipoint tunnel key 100000

router ospf 65002 area 51 stub no‐summary network 10.100.0.1 0.0.0.0 area 51 default‐information originate R19: interface Tunnel0 bandwidth 1000 ip address 10.100.0.19 255.255.255.0 no ip redirects

ip nhrp authentication 65002key ip nhrp map multicast 192.0.2.2 ip nhrp map 10.100.0.1 192.0.2.2 ip nhrp network‐id 65002 ip nhrp holdtime 300 ip nhrp nhs 10.100.0.1 ip nhrp redirect ip ospf network broadcast ip ospf priority 0 delay 100 tunnel source Dialer0 tunnel mode gre multipoint tunnel key 100000 tunnel vrf LOCALSP router ospf 65002 router‐id 10.255.1.19 area 51 stub network 10.0.0.0 0.255.255.255 area 51 R20: interface Tunnel0 bandwidth 1000 ip address 10.100.0.20 255.255.255.0 no ip redirects ip nhrp authentication 65002key ip nhrp map multicast 192.0.2.2 ip nhrp map 10.100.0.1 192.0.2.2 ip nhrp network‐id 65002 ip nhrp holdtime 300 ip nhrp nhs 10.100.0.1 ip nhrp redirect ip ospf network broadcast ip ospf priority 0 delay 100 tunnel source Dialer0 tunnel mode gre multipoint tunnel key 100000 tunnel vrf LOCALSP router ospf 65002 router‐id 10.255.1.20 area 51 stub network 10.0.0.0 0.255.255.255 area 51 R21: interface Tunnel0

bandwidth 1000 ip address 10.100.0.21 255.255.255.0 no ip redirects ip nhrp authentication 65002key ip nhrp map multicast 192.0.2.2 ip nhrp map 10.100.0.1 192.0.2.2 ip nhrp network‐id 65002 ip nhrp holdtime 300 ip nhrp nhs 10.100.0.1 ip nhrp redirect ip ospf network broadcast ip ospf priority 0 delay 100 tunnel source Dialer0 tunnel mode gre multipoint tunnel key 100000 tunnel vrf LOCALSP router ospf 65002 router‐id 10.255.1.21 area 51 stub network 10.0.0.0 0.255.255.255 area 51

2.3Jacob’sIGPRefer to “Diagram 2: Initial Topology”.

Jacob’s network is partly preconfigured. It is your responsibility to verify and complete them.

Configure EIGRP for IPv4 in Jacob’s core network (AS 65006) according to the following

requirements:

All EIGRP routers must support 64‐bit metric calculations and Routing Information Base (RIB)

scaling in EIGRP topologies.

The interface Lo0 of each router must be seen as an internal EIGRP prefix by all other routers

in their local domain.

Ensure that EIGRP is not running on any interface that is facing another AS. Use any method

to accomplish this requirement.

Jacob’s core network must use the EIGRP autonomous system number 1.

R52 must inject its interface Lo52 into EIGRP as an external prefix.

All EIGRP core routers R50, R51 must add the administrative tag “172.172.172.172” to all

prefixes that they inject into EIGRP.

Ensure that operators can filter routes by using the route tag wildcard mask.

The following output must be seen on R50:

Core Network (AS 65006) EIGRP 1

R50:

route‐tag notation dotted‐decimal

route‐map TAG‐IN permit 10 set tag 172.172.172.172 router eigrp CCIE address‐family ipv4 unicast autonomous‐system 1 topology base distribute‐list route‐map TAG‐IN in exit‐af‐topology network 172.17.253.1 0.0.0.0 network 172.30.1.50 0.0.0.0 exit‐address‐family R51:

route‐tag notation dotted‐decimal

route‐map TAG‐IN permit 10 set tag 172.172.172.172 router eigrp CCIE address‐family ipv4 unicast autonomous‐system 1 topology base distribute‐list route‐map TAG‐IN in exit‐af‐topology network 172.17.253.2 0.0.0.0 network 172.30.1.51 0.0.0.0 exit‐address‐family

R52: Interface lo052 ip address 52.52.52.52 255.255.255.255 route‐map Lo52‐IN permit 10 match interface Loopback52 router eigrp CCIE address‐family ipv4 unicast autonomous‐system 1 topology base redistribute connected route‐map Lo52‐IN exit‐af‐topology network 172.17.253.3 0.0.0.0 network 172.30.1.52 0.0.0.0 exit‐address‐family R53: router eigrp CCIE address‐family ipv4 unicast autonomous‐system 1 network 10.254.0.62 0.0.0.0 network 172.17.253.4 0.0.0.0 network 172.30.1.53 0.0.0.0 exit‐address‐family R54: router eigrp CCIE address‐family ipv4 unicast autonomous‐system 1 network 10.254.0.66 0.0.0.0 network 172.17.253.5 0.0.0.0 network 172.30.1.54 0.0.0.0 exit‐address‐family Configure EIGRP for IPv4 in Jacob’s Headquarter network (AS 65005) according to the following

requirements:








Headquarters Network BGP (AS 65005) EIGRP 10 R55: router eigrp CCIE address‐family ipv4 unicast autonomous‐system 10 network 172.18.254.3 0.0.0.0 network 172.30.1.55 0.0.0.0 exit‐address‐family R56: router eigrp CCIE address‐family ipv4 unicast autonomous‐system 10 network 172.18.254.2 0.0.0.0 network 172.30.1.56 0.0.0.0 exit‐address‐family SW10: vlan 100,101

router eigrp CCIE address‐family ipv4 unicast autonomous‐system 10 network 172.18.1.254 0.0.0.0 network 172.18.254.254 0.0.0.0 network 172.30.1.10 0.0.0.0 exit‐address‐family R57: router eigrp CCIE address‐family ipv4 unicast autonomous‐system 10 network 172.18.254.1 0.0.0.0 network 172.30.1.57 0.0.0.0 exit‐address‐family

Configure EIGRP for IPv4 in Jacob’s Office network (AS 65007) according to the following

requirements:








OFFICE Network BGP AS 65007 with EIGRP 10 R58: router eigrp CCIE address‐family ipv4 unicast autonomous‐system 10 network 172.17.254.1 0.0.0.0 network 172.30.1.58 0.0.0.0 SW11: vlan 100,101 router eigrp CCIE address‐family ipv4 unicast autonomous‐system 10 network 172.17.1.254 0.0.0.0 network 172.17.254.254 0.0.0.0 network 172.30.1.11 0.0.0.0

2.4Jameson’sPre‐mergeRefer to the “Overall Scenario”, “Diagram 2: Initial Topology” and “Diagram 4: Pre‐merge Topology”.

Jameson’s decided to enable MPLS VPN in their network

Configure Jameson’s network as per the following requirements:

R11, R12, R13 and R14 must redistribute OSPF into BGP and they must advertise a default

route into their respective OSPF domain. They may not redistribute BGP into OSPF.

R15 and R16 must mutually redistribute OSPF and BGP.

R11, R12, R13 and R14 must advertise only four prefixes via eBGP to Jameson’s core network

as follows:

o R11 and R12 must advertise 10.1.0.0/16, 10.255.1.11/32, 10.255.1.12/32 and

10.255.1.101/32;

o R13 and R14 must advertise 10.3.0.0/16, 10.255.1.13/32, 10.255.1.14/32 and

10.255.1.102/32;

R1 must reflect IPv4 BGP prefixes to all core routers except R2. All internal BGP peering must

be established using interface Lo0.

Ensure that each Jameson’s site receives BGP prefixes from other sites.

A very smaller output as the one shown below must be seen on R11, R12, R13 and R14 (only

the next‐hop, version and update‐group may differ).

R11#sh ip top 10.2.0.0/16

R1:

router bgp 65001 neighbor iBGP peer‐group neighbor iBGP remote‐as 65001 neighbor iBGP update‐source Loopback0 neighbor iBGP route‐reflector‐client neighbor 10.255.1.3 peer‐group iBGP neighbor 10.255.1.4 peer‐group iBGP neighbor 10.255.1.5 peer‐group iBGP neighbor 10.255.1.6 peer‐group iBGP neighbor 10.255.1.7 peer‐group iBGP neighbor 10.255.1.8 peer‐group iBGP R3: router bgp 65001 bgp log‐neighbor‐changes neighbor 10.254.0.74 remote‐as 65002 neighbor 10.255.1.1 remote‐as 65001 neighbor 10.255.1.1 update‐source Loopback0 R4: router bgp 65001 bgp log‐neighbor‐changes neighbor 10.254.0.78 remote‐as 65002 neighbor 10.255.1.1 remote‐as 65001 neighbor 10.255.1.1 update‐source Loopback0 R5: router bgp 65001

bgp log‐neighbor‐changes neighbor 10.254.0.42 remote‐as 65002 neighbor 10.255.1.1 remote‐as 65001 neighbor 10.255.1.1 update‐source Loopback0 R6: router bgp 65001 bgp log‐neighbor‐changes neighbor 10.254.0.46 remote‐as 65002 neighbor 10.255.1.1 remote‐as 65001 neighbor 10.255.1.1 update‐source Loopback0 R7: router bgp 65001 bgp log‐neighbor‐changes neighbor 10.254.0.54 remote‐as 65002 neighbor 10.255.1.1 remote‐as 65001 neighbor 10.255.1.1 update‐source Loopback0 R8: router bgp 65001 bgp log‐neighbor‐changes neighbor 10.254.0.58 remote‐as 65002 neighbor 10.255.1.1 remote‐as 65001 neighbor 10.255.1.1 update‐source Loopback0 Headquarters Network: R11: router bgp 65002 bgp log‐neighbor‐changes aggregate‐address 10.1.0.0 255.255.0.0 redistribute ospf 65002 neighbor 10.254.0.53 remote‐as 65001 neighbor 10.254.0.53 prefix‐list PERMIT_OUT out ip prefix‐list PERMIT_OUT seq 5 permit 10.1.0.0/16 ip prefix‐list PERMIT_OUT seq 10 permit 10.255.1.11/32 ip prefix‐list PERMIT_OUT seq 15 permit 10.255.1.12/32 ip prefix‐list PERMIT_OUT seq 20 permit 10.255.1.31/32

router ospf 65002 default‐information originate

R12:

router bgp 65002 bgp log‐neighbor‐changes

aggregate‐address 10.1.0.0 255.255.0.0 redistribute ospf 65002 neighbor 10.254.0.57 remote‐as 65001 neighbor 10.254.0.57 prefix‐list PERMIT_OUT out ip prefix‐list PERMIT_OUT seq 5 permit 10.1.0.0/16 ip prefix‐list PERMIT_OUT seq 10 permit 10.255.1.11/32 ip prefix‐list PERMIT_OUT seq 15 permit 10.255.1.12/32 ip prefix‐list PERMIT_OUT seq 20 permit 10.255.1.31/32

router ospf 65002 default‐information originate Main Office R13: router bgp 65002 bgp log‐neighbor‐changes aggregate‐address 10.3.0.0 255.255.0.0 redistribute ospf 65002 neighbor 10.254.0.41 remote‐as 65001 neighbor 10.254.0.41 prefix‐list PERMIT_OUT out ip prefix‐list PERMIT_OUT seq 5 permit 10.3.0.0/16 ip prefix‐list PERMIT_OUT seq 10 permit 10.255.1.13/32 ip prefix‐list PERMIT_OUT seq 15 permit 10.255.1.14/32 ip prefix‐list PERMIT_OUT seq 20 permit 10.255.1.32/32 router ospf 65002 default‐information originate R14: router bgp 65002 bgp log‐neighbor‐changes aggregate‐address 10.3.0.0 255.255.0.0 redistribute ospf 65002 neighbor 10.254.0.45 remote‐as 65001 neighbor 10.254.0.45 prefix‐list PERMIT_OUT out ip prefix‐list PERMIT_OUT seq 5 permit 10.3.0.0/16 ip prefix‐list PERMIT_OUT seq 10 permit 10.255.1.13/32 ip prefix‐list PERMIT_OUT seq 15 permit 10.255.1.14/32 ip prefix‐list PERMIT_OUT seq 20 permit 10.255.1.32/32 router ospf 65002 default‐information originate

Data Center Network: R15: router bgp 65002 bgp log‐neighbor‐changes aggregate‐address 10.2.0.0 255.255.255.0 summary‐only redistribute ospf 65002 neighbor 10.254.0.73 remote‐as 65001 neighbor 10.254.0.73 default‐originate router ospf 65002 redistribute bgp 65002 subnets R16: router bgp 65002 bgp log‐neighbor‐changes aggregate‐address 10.2.0.0 255.255.255.0 summary‐only redistribute ospf 65002 neighbor 10.254.0.77 remote‐as 65001 neighbor 10.254.0.77 default‐originate router ospf 65002 redistribute bgp 65002 subnets

2.5Jacob’sPre‐mergeRefer to the “Overall Scenario”, “Diagram 2: Initial Topology” and “Diagram 4: Premerge Topology”.

Jameson’s decided to enable MPLS VPN in their network


R55, R56and R58 must redistribute EIGRP and BGP

R50:

router bgp 65006 bgp log‐neighbor‐changes neighbor 172.18.253.2 remote‐as 65005

R51:

router bgp 65006 bgp log‐neighbor‐changes neighbor 172.18.253.6 remote‐as 65005 R52: router bgp 65006 bgp log‐neighbor‐changes neighbor 172.17.253.21 remote‐as 65007

R55:

router bgp 65005 bgp log‐neighbor‐changes redistribute eigrp 10 neighbor 172.18.253.1 remote‐as 65006 router eigrp CCIE ! address‐family ipv4 unicast autonomous‐system 10 topology base redistribute bgp 65005 metric 100000 100 255 1 1500 exit‐af‐topology R56: router bgp 65005 bgp log‐neighbor‐changes redistribute eigrp 10 neighbor 172.18.253.5 remote‐as 65006 router eigrp CCIE ! address‐family ipv4 unicast autonomous‐system 10 topology base redistribute bgp 65005 metric 100000 100 255 1 1500 exit‐af‐topology R58: router bgp 65007 bgp log‐neighbor‐changes redistribute eigrp 10 neighbor 172.17.253.22 remote‐as 65006 router eigrp CCIE ! address‐family ipv4 unicast autonomous‐system 10 topology base redistribute bgp 65007 metric 100000 100 255 1 1500 exit‐af‐topology

2.6Mergephase1:BGPRefer to the “Overall Scenario” and “Diagram 5: Merge Phase: 1”

Jameson’s and Jacob’s started the first phase of their merge and add a new border router in their

respective main site (R18 and R57).

Configure the network as per the following requirements:

Interface Lo0 of both R18 and R57 must be add into their respective IGP domain.

Interface Eth0/1 of both R18 and R57 must peer with its connected IGP neighbor.

Both R18 and R57 must advertise a summary prefix via eBGP to each other as follows:

o R18 advertises 10.0.0.0/8

o R57 advertises 172.0.0.0/8

Both R18 and R57 must propagate the received summary prefix into their respective IGP

domain.

R18:

router bgp 65002 bgp log‐neighbor‐changes aggregate‐address 10.0.0.0 255.0.0.0 redistribute ospf 65002 neighbor 10.2.0.46 remote‐as 65005 neighbor 10.2.0.46 prefix‐list PERMIT_OUT out router ospf 65002 redistribute bgp 65002 subnets ip prefix‐list PERMIT_OUT seq 5 permit 10.0.0.0/8 R57: ip prefix‐list PERMIT_OUT seq 5 permit 172.0.0.0/8 router bgp 65005 bgp log‐neighbor‐changes aggregate‐address 172.0.0.0 255.0.0.0 redistribute eigrp 10 neighbor 10.2.0.45 remote‐as 65002 neighbor 10.2.0.45 prefix‐list PERMIT_OUT out router eigrp CCIE ! address‐family ipv4 unicast autonomous‐system 10 ! topology base redistribute bgp 65005 metric 100000 100 255 1 1500 exit‐af‐topology

2.7Mergephase2:IGPRefer to “Diagram 2: Initial Topology” and “Diagram 6: Merge Phase 2”.

Jameson’s and Jacob’s are entering in the second phase of the merge and have deployed two new

border routers in their respective core network.

Configure the core networks as per the following requirements:

R9 and R10 must run OSPF on their interface Eth0/0 and Lo0.

R9 and R10 must run EIGRP on their interface Eth0/1.

R53 and R54 must run EIGRP on all of their interfaces.

Mutually redistribute EIGRP and OSPF on both R9 and R10

Avoid routing loops and ensure that all current and future prefixes are routed via their

optimal path. Do not use any access‐list or prefix‐list in order to achieve this requirement.

Do not change any administrative distance of any protocol in any router.

R9:

route‐tag notation dotted‐decimal route‐map EIGRP_TO_OSPF deny 10 match tag 10.0.0.0 route‐map EIGRP_TO_OSPF permit 20 set tag 172.0.0.0 route‐map OSPF_TO_EIGRP deny 10 match tag 172.0.0.0 route‐map OSPF_TO_EIGRP permit 20 set tag 10.0.0.0 router eigrp CCIE ! address‐family ipv4 unicast autonomous‐system 1 topology base redistribute ospf 65001 metric 100000 100 255 1 1500 route‐map OSPF_TO_EIGRP exit‐af‐topology router ospf 65001 redistribute eigrp 1 subnets route‐map EIGRP_TO_OSPF R10: route‐tag notation dotted‐decimal route‐map EIGRP_TO_OSPF deny 10 match tag 10.0.0.0 route‐map EIGRP_TO_OSPF permit 20 set tag 172.0.0.0 route‐map OSPF_TO_EIGRP deny 10 match tag 172.0.0.0 route‐map OSPF_TO_EIGRP permit 20 set tag 10.0.0.0 router eigrp CCIE ! address‐family ipv4 unicast autonomous‐system 1 topology base redistribute ospf 65001 metric 100000 100 255 1 1500 route‐map OSPF_TO_EIGRP exit‐af‐topology router ospf 65001

redistribute eigrp 1 subnets route‐map EIGRP_TO_OSPF

2.8Mergephase2:RoutingPoliciesRefer to the “Overall Scenario”, “Diagram 2: Initial Topology” and “Diagram 6: Merge Phase 2”.


Network managers have decided that the primary path for all traffic between Jameson’s

10.2.1.0/24 and Jacob’s 172.18.1.0/24 must be routed preferably via the BGP backdoor link

between R18 and R57. If this link should fail then traffic should fall back over the MPLS core

network.

All other traffic must be routed preferably via the MPLS core network.

Do not configure any route‐map nor access‐list in order to achieve this requirement.

Ensure that the following test reveals the same path as shown below:

R57:

ip prefix‐list PERMIT_OUT permit 172.18.1.0/24

R18:

ip prefix‐list PERMIT_OUT permit 10.2.1.0/24

2.9IPv6Routing,part1Refer to “Diagram 2: Initial Topology”.

Jameson’s started deploying IPv6 in dual‐stack mode in the datacenter

Configure Jameson’s datacenter network as per the following requirements:

Establish OSPFv3 adjacencies in Area 0 between SW3, SW4, R15 and R16.

Do not use the command “ipv6 ospf” anywhere in order to accomplish the previous

requirement.

Interface VLAN 100 of SW3 must be configured with default route preference set to “high”.

Interface VLAN 100 of SW4 must be configured with default route preference set to

“medium”.

The interval between Router Advertisement transmissions on VLAN 100 must be set 20

seconds on both SW3 and SW4.

R15:

ipv6 unicast‐routing

router ospfv3 1 router‐id 10.255.1.15 interface Loopback0 ipv6 address 2001:6500:2:15::15/128 ospfv3 1 ipv6 area 0 interface Ethernet0/0 ipv6 address 2001:6500:2:315::15/64 ospfv3 1 ipv6 area 0 interface Ethernet0/2 ipv6 address 2001:6500:2:1516::15/64 ospfv3 1 ipv6 area 0

R16:

ipv6 unicast‐routing router ospfv3 1 router‐id 10.255.1.16 interface Loopback0 ipv6 address 2001:6500:2:16::16/128 ospfv3 1 ipv6 area 0 interface Ethernet0/0 ipv6 address 2001:6500:2:416::16/64 ospfv3 1 ipv6 area 0 interface Ethernet0/2 ipv6 address 2001:6500:2:1516::16/64 ospfv3 1 ipv6 area 0

SW3:

ipv6 unicast‐routing router ospfv3 1 router‐id 10.255.1.33 interface Loopback0 ipv6 address 2001:6500:2:33::33/128 ospfv3 1 ipv6 area 0 interface vlan153 ipv6 address 2001:6500:2:315::33/64 ospfv3 1 ipv6 area 0 interface Vlan100 ip address 10.2.1.253 255.255.255.0 ipv6 address 2001:6500:2:100::33/64 ipv6 nd router‐preference High ipv6 nd ra interval 20 ospfv3 1 ipv6 area 0 SW4: ipv6 unicast‐routing router ospfv3 1 router‐id 10.255.1.44 interface Loopback0 ipv6 address 2001:6500:2:44::44/128 ospfv3 1 ipv6 area 0 interface vlan164 ipv6 address 2001:6500:2:416::44/64 ospfv3 1 ipv6 area 0 interface vlan 100 ipv6 address 2001:6500:2:100::44/64 ipv6 nd ra interval 20 ospfv3 1 ipv6 area 0

2.10IPv6Routing,part2Configure Jameson’s datacenter network as per the following requirements:

SW3 and SW4 must provide first‐hop redundancy for hosts in VLAN 100 by sharing the

virtual link‐local address FE80:100::1.

SW3 must be elected as the active router and SW4 must be elected the standby router

In case SW3 is down, SW4 must take over the active role. If SW3 comes back online, it must

automatically recover the active role from SW4.

Ensure that HSRP Hello packets are exchanged every second and that the standby takes over

the active role if three consecutive Hello packets were missed from the active.

SW3:

interface Vlan100 standby version 2 standby 1 ipv6 FE80:100::1 standby 1 timers 1 3 standby 1 priority 105 standby 1 preempt

SW4:

interface Vlan100 standby version 2 standby 1 ipv6 FE80:100::1 standby 1 timers 1 3 standby 1 preempt SW3#show standby brief P indicates configured to preempt. | Interface Grp Pri P State Active Standby Virtual IP Vl100 1 105 P Active local FE80::A8BB:CCFF:FE80:2200 FE80:100::1

2.11MulticastinJameson’sRefer to “Diagram 2: Initial Topology”.

An application running on server R101 (which is located in Jameson’s datacenter) uses multicast to

deliver specific traffic to users located in Jameson’s branch network.

Configure Jameson’s network as per following requirements:

Use PIM Sparse‐mode.

The interface Lo0 of R15 must be elected as the Rendezvous point for the whole multicast

domain.

R15 must announce its candidacy to advertise the group‐to‐RP mapping set to the router link

local address.

For interoperability reasons, the selection of R15 as the RP must adhere to open standard

and must use the default priority value as per the standard.

The source R101 uses the group address 239.1.1.1 to send traffic to interested receivers.

Receivers are located in the branch network and they are connected to the datacenter via

DMVPN.

Ensure that the following test is successful:

SW3:

ip multicast‐routing int vlan 100 ip pim sparse‐mode int vlan 173 ip pim sparse‐mode int vlan 153 ip pim sparse‐mode int vlan 34 ip pim sparse‐mode SW4: ip multicast‐routing int vlan 100 ip pim sparse‐mode int vlan 164 ip pim sparse‐mode int vlan 184 ip pim sparse‐mode int vlan 34 ip pim sparse‐mode R15: ip multicast‐routing interface Loopback0 ip pim sparse‐mode

interface Ethernet0/0 ip pim sparse‐mode interface Ethernet0/2 ip pim sparse‐mode ip pim bsr‐candidate Loopback0 ip pim rp‐candidate Loopback0 R16: ip multicast‐routing interface Ethernet0/0 ip pim sparse‐mode interface Ethernet0/2 ip pim sparse‐mode R17: ip multicast‐routing interface Ethernet0/0 ip pim sparse‐mode interface tunnel0 ip pim sparse‐mode R19: ip multicast‐routing interface Tunnel0 ip pim sparse‐mode interface Ethernet0/1 ip pim sparse‐mode ip igmp join‐group 239.1.1.1 R20: ip multicast‐routing interface Tunnel0 ip pim sparse‐mode interface Ethernet0/1 ip pim sparse‐mode ip igmp join‐group 239.1.1.1 R21:

ip multicast‐routing interface Tunnel0 ip pim sparse‐mode interface Ethernet0/1 ip pim sparse‐mode ip igmp join‐group 239.1.1.1

Section3–VPNTechnologies

3.1Jameson’sBranchOfficesRefer to “Diagram 2: Initial Topology”.

Configure DMVPN Phase 3 in Jameson’s branch network as per the following requirements:

Use the preconfigured interface Tunnel0 on all four routers in order to accomplish this task.

R17 must be configured as the hub router.

R19, R20 and R21 must be the spoke routers and must participate in the NHRP information

exchange.

Ensure that spoke‐to‐spoke traffic does not transit via the hub.

Protect the tunneled traffic by attaching the preconfigured IPsec profile to the tunnel

interface on all tunnel end‐points.

Ensure that all spoke establish an OSPF adjacency through the tunnel with the hub R17,

without attempting to elect any Designated Router.

Ensure that the following test are successful:

R17:

crypto isakmp policy 10 encr aes authentication pre‐share group 2 crypto isakmp key CCIE address 0.0.0.0

! ! crypto ipsec transform‐set DMVPN_SET esp‐aes mode transport ! crypto ipsec profile DMVPN_PROFILE set transform‐set DMVPN_SET interface tunnel tunnel protection ipsec profile DMVPN_PROFILE R19: crypto isakmp policy 10 encr aes authentication pre‐share group 2 crypto keyring CCIE vrf LOCALSP pre‐shared‐key address 0.0.0.0 0.0.0.0 key CCIE crypto ipsec transform‐set DMVPN_SET esp‐aes mode transport ! crypto ipsec profile DMVPN_PROFILE set transform‐set DMVPN_SET interface tunnel 0 no ip nhrp redirect ip nhrp shortcut tunnel protection ipsec profile DMVPN_PROFILE R20: crypto isakmp policy 10 encr aes authentication pre‐share group 2 crypto keyring CCIE vrf LOCALSP pre‐shared‐key address 0.0.0.0 0.0.0.0 key CCIE crypto ipsec transform‐set DMVPN_SET esp‐aes mode transport ! crypto ipsec profile DMVPN_PROFILE set transform‐set DMVPN_SET interface tunnel 0 no ip nhrp redirect

ip nhrp shortcut tunnel protection ipsec profile DMVPN_PROFILE R21: crypto isakmp policy 10 encr aes authentication pre‐share group 2 crypto keyring CCIE vrf LOCALSP pre‐shared‐key address 0.0.0.0 0.0.0.0 key CCIE crypto ipsec transform‐set DMVPN_SET esp‐aes mode transport ! crypto ipsec profile DMVPN_PROFILE set transform‐set DMVPN_SET interface tunnel 0 no ip nhrp redirect ip nhrp shortcut tunnel protection ipsec profile DMVPN_PROFILE

3.2Jameson’sPre‐mergeVPNRefer to the “Overall Scenario” and “Diagram 4: Pre‐merge Topology”.

Jameson’s decided to enable MPLS VPN in their network.

They started configuring it but it is your responsibility to complete it and verify that it is fully

functional.


Enable LDP in the core network as indicated in “Diagram 4: Pre‐merge Topology”.

Ensure that all LDP routers use their interface Lo0 as their LDP router‐id.

R1 must reflect VPNv4 prefixes to all PE’s.

The datacenter and main office network must be connected to the VPN “GREEN” via eBGP.

The headquarter network must be connected to the VPN “RED” via eBGP.

All six PE’s must use a consistent format “ASN.nn” for the VPN route distinguisher, where:

o ASN is the Autonomous System Number of the connected CE

o nn is any relevant number for the VPN site.

Ensure that R101 in the datacenter’s VLAN 100 can successfully ping SW2 in the main office

as shown below:

R1‐to‐ R10 mpls label protocol ldp mpls ldp router‐id lo0 force router ospf 65001 mpls ldp autoconfig

R1:

router bgp 65001 address‐family vpnv4 neighbor iBGP send‐community extended neighbor iBGP route‐reflector‐client neighbor 10.255.1.3 activate neighbor 10.255.1.4 activate neighbor 10.255.1.5 activate neighbor 10.255.1.6 activate neighbor 10.255.1.7 activate neighbor 10.255.1.8 activate R3: ip vrf GREEN rd 65002:102 interface Ethernet0/0 ip vrf forwarding GREEN ip address 10.254.0.73 255.255.255.252 ! router bgp 65001 ! address‐family vpnv4 neighbor 10.255.1.1 activate neighbor 10.255.1.1 send‐community extended exit‐address‐family ! address‐family ipv4 vrf GREEN neighbor 10.254.0.74 remote‐as 65002 neighbor 10.254.0.74 activate

neighbor 10.254.0.74 as‐override R4: ip vrf GREEN rd 65002:102 ! ! interface Ethernet0/0 ip vrf forwarding GREEN ip address 10.254.0.77 255.255.255.252 ! router bgp 65001 ! address‐family vpnv4 neighbor 10.255.1.1 activate neighbor 10.255.1.1 send‐community extended exit‐address‐family address‐family ipv4 vrf GREEN neighbor 10.254.0.78 remote‐as 65002 neighbor 10.254.0.78 activate neighbor 10.254.0.78 as‐override R5: ip vrf GREEN rd 65002:103 ! interface Ethernet0/0 ip vrf forwarding GREEN ip address 10.254.0.41 255.255.255.252 ! router bgp 65001 ! address‐family vpnv4 neighbor 10.255.1.1 activate neighbor 10.255.1.1 send‐community extended ! address‐family ipv4 vrf GREEN neighbor 10.254.0.42 remote‐as 65002 neighbor 10.254.0.42 activate neighbor 10.254.0.42 as‐override R6: ip vrf GREEN rd 65002:103 ! interface Ethernet0/0 ip vrf forwarding GREEN ip address 10.254.0.45 255.255.255.252 ! router bgp 65001

address‐family vpnv4 neighbor 10.255.1.1 activate neighbor 10.255.1.1 send‐community extended ! address‐family ipv4 vrf GREEN neighbor 10.254.0.46 remote‐as 65002 neighbor 10.254.0.46 activate neighbor 10.254.0.46 as‐override R7: ip vrf RED rd 65002:101 ! ! interface Ethernet0/0 ip vrf forwarding RED ip address 10.254.0.53 255.255.255.252 ! router bgp 65001 ! address‐family vpnv4 neighbor 10.255.1.1 activate neighbor 10.255.1.1 send‐community extended ! address‐family ipv4 vrf RED neighbor 10.254.0.54 remote‐as 65002 neighbor 10.254.0.54 activate neighbor 10.254.0.54 as‐override R8: ip vrf RED rd 65002:101 ! interface Ethernet0/0 ip vrf forwarding RED ip address 10.254.0.57 255.255.255.252 ! router bgp 65001 ! address‐family vpnv4 neighbor 10.255.1.1 activate neighbor 10.255.1.1 send‐community extended ! address‐family ipv4 vrf RED neighbor 10.254.0.58 remote‐as 65002 neighbor 10.254.0.58 activate neighbor 10.254.0.58 as‐override

3.3Mergephase2:VPNRefer to the “Overall Scenario” and “Diagram 6: Merge Phase 2”.

Jameson’s and Jacob’s are entering in the second phase of the merge and have deployed two new

border routers in their respective core network.


The BGP AS number of Jacob’s original core network must be converted to use Jameson’s AS

number 65001, as indicated in “Diagram 6: Merge Phase 2”.

All BGP sessions between Jacob’s core and remote sites (including headquarters and office

networks) must be recovered using the new AS number.

Do not modify the BGP configuration of Jacob’s CEs (R55, R56, R58) in order to accomplish

this requirement.

Enable LDP in the merged core network as indicated in “Diagram 6: Merge Phase2”,

including the four new border router (R9, R10, R53, R54) and Jacob’s core network.

Ensure that all LDP routers use their interface Lo0 as their LDP router‐id.

R1 must reflect VPNv4 prefixes to all PE’s, including to Jacob’s PE.

Jacob’s headquarters network must be added to the VPN GREEN.

Jacob’s office network must be added to the VPN BLUE.

All nine PE’s must use a consistent format “ASN.nn” for the VPN route distinguisher, where:

o ASN is the Autonomous System Number of the connected CE

o nn is any relevant number

R9 – R10:

interface Ethernet0/0 mpls ip R53 and R54:

mpls label protocol ldp mpls ldp router‐id Loopback0 force

interface Ethernet0/0 mpls ip interface Ethernet0/1 mpls ip

R50 – R52: mpls label protocol ldp mpls ldp router‐id Loopback0 force interface Ethernet0/0 mpls ip R1:

router bgp 65001 neighbor 172.30.1.50 peer‐group iBGP neighbor 172.30.1.51 peer‐group iBGP neighbor 172.30.1.52 peer‐group iBGP address‐family vpnv4 neighbor 172.30.1.50 activate neighbor 172.30.1.51 activate neighbor 172.30.1.52 activate R50: ip vrf GREEN rd 65005:18 ! ! interface Ethernet0/1 ip vrf forwarding GREEN ip address 172.18.253.1 255.255.255.252 ! router bgp 65006 ! neighbor 10.255.1.1 remote‐as 65001 neighbor 10.255.1.1 local‐as 65001 neighbor 10.255.1.1 update‐source Loopback0 ! address‐family vpnv4 neighbor 10.255.1.1 activate neighbor 10.255.1.1 send‐community extended exit‐address‐family ! address‐family ipv4 vrf GREEN neighbor 172.18.253.2 remote‐as 65005 neighbor 172.18.253.2 activate exit‐address‐family R51: ip vrf GREEN rd 65005:18 !

! interface Ethernet0/1 ip vrf forwarding GREEN ip address 172.18.253.5 255.255.255.252 ! router bgp 65006 ! neighbor 10.255.1.1 remote‐as 65001 neighbor 10.255.1.1 local‐as 65001 neighbor 10.255.1.1 update‐source Loopback0 ! address‐family vpnv4 neighbor 10.255.1.1 activate neighbor 10.255.1.1 send‐community extended exit‐address‐family address‐family ipv4 vrf GREEN neighbor 172.18.253.6 remote‐as 65005 neighbor 172.18.253.6 activate exit‐address‐family R52: ip vrf BLUE rd 65007:17 ! ! interface Ethernet0/1 ip vrf forwarding BLUE ip address 172.17.253.22 255.255.255.248 ! router bgp 65006 ! neighbor 10.255.1.1 remote‐as 65001 neighbor 10.255.1.1 local‐as 65001 neighbor 10.255.1.1 update‐source Loopback0 ! address‐family vpnv4 neighbor 10.255.1.1 activate neighbor 10.255.1.1 send‐community extended exit‐address‐family address‐family ipv4 vrf BLUE neighbor 172.17.253.21 remote‐as 65007 neighbor 172.17.253.21 activate exit‐address‐family

3.4Inter‐VPNRoutingRefer to the “Overall Scenario” and “Diagram 6: Merge Phase 2”.


Jameson’s headquarters (VPN RED), main office (VPN GREEN) and Jacob’ office (VPN BLUE)

must receive datacenter prefixes (VPN GREEN).

Jameson’s main office (VPN GREEN) may not receive headquarters (VPN RED) prefixes nor

Jacob’s headquarters (VPN GREEN) prefixes.

In order to simplify future changes, your solution may not be limited to specific prefixes.

R3 and R4:

ip vrf GREEN rd 65002:102 route‐target export 65002:102 route‐target import 65002:101 route‐target import 65002:103 route‐target import 65005:18 route‐target import 65007:17

R5 and R6:

ip vrf GREEN rd 65002:103 route‐target export 65002:103 route‐target import 65002:102

R7 and R8:

ip vrf RED rd 65002:101 route‐target export 65002:101 route‐target import 65002:102 R50 and R51: ip vrf GREEN rd 65005:18 route‐target export 65005:18 route‐target import 65002:102 R52: ip vrf BLUE rd 65007:17 route‐target export 65007:17 route‐target import 65002:102

Section4–InfrastructureSecurity

4.1DeviceSecurityRefer to “Diagram 1: Initial Topology”.


Protect R17’s control‐plane from TTL expiry attacks so that illegitimate IP packets with a TTL

of 0 or 1 are dropped before the CPU processes them.

Legit packets include expected control protocols running on the link.

R17:

access‐list 101 permit icmp any any ttl‐exceeded policy‐map CONTROL_PLANE class TTL_EX drop class class‐default police cir 8000 conform‐action transmit exceed‐action transmit control‐plane service‐policy input CONTROL_PLANE

4.2NetworkSecurityRefer to “Diagram 1: Jameson’s Layer 2 Connections” and “Diagram 2: Initial Topology”.


SW5 and SW6 must filter DHCP message received by untrusted hosts by comparing the

source MAC address and the DHCP client hardware address. If the address match, the

switches must forward the packet. If the addresses do not match, the switches must drop

the packet.

Ensure that these access switches do not filter DHCP packets on their uplinks.

Ensure that the DHCP relay switches (refer to item 5.1) allow DHCP message received on

their interface VLAN 100 with the added Option 82 and uninitialized GIADDR field to be

accepted.

SW5:

ip dhcp snooping ip dhcp snooping vlan 100 ip arp inspection vlan 100 interface port35 ip dhcp snooping trust ip arp inspection trust interface port45 ip arp inspection trust ip dhcp snooping trust SW6: ip dhcp snooping ip dhcp snooping vlan 100 ip arp inspection vlan 100 interface port36 ip dhcp snooping trust ip arp inspection trust interface port46 ip arp inspection trust ip dhcp snooping trust SW3 and SW4: interface vlan 100 ip helper‐address 10.255.1.15 ip dhcp relay information trusted

Section5–InfrastructureServices

5.1CentralizedDHCPRefer to “Diagram 1: Jameson’s Layer 2 Connections” and “Diagram 2: Initial Topology”.

Jameson’s R15 must centralize DHCP service for the datacenter’s hosts VLANs.


Ensure that the distribution switches SW3 and SW4 forward DHCP discover broadcast

message received from VLAN 100’s hosts to interface Lo0 of R15 as unicast messages.

R15 must assign hosts in VLAN 100 a valid IP address from the prefix 10.2.1.0/24.

Ensure that addresses that were statically configured will never be assigned to any host.

The DHCP offer must include the IP address 10.2.1.1/24 as the default gateway for VLAN 100

users.

Ensure that the server R101 effectively receives an IP address from the expected prefix

10.2.1.0/24 as well as its default gateway information.

R15:

ip dhcp excluded‐address 10.2.1.1 ip dhcp excluded‐address 10.2.1.253 10.2.1.254 ! ip dhcp pool VLAN_100 network 10.2.1.0 255.255.255.0 default‐router 10.2.1.1 !

5.2InternetGatewayRefer to “Diagram 1: Initial Topology”.


R17 is Jameson’s Internet gateway router.

Ensure that R17 enables all internal hosts (that is: hosts with source IP address in the range

of 10.0.0.0/8 or 172.0.0.0/8) to simultaneously connect to the Internet using the public IP

address of interface Eth0/0.

The following tests must be successful:

R17:

access‐list 10 permit 10.0.0.0 0.255.255.255 access‐list 10 permit 172.0.0.0 0.255.255.255 ip nat inside source list 10 interface ethernet 0/1 overload inter e0/1 ip nat outside

int e0/0 ip nat inside int tu0 ip nat inside

5.3FirsthopredundancyRefer to “Diagram 1: Jameson’s Layer 2 Connections” and “Diagram 2: Initial Topology”.

Jameson’s datacenter’s SW3 and SW4 must offer first hop redundancy to VLAN 100’s host using

HSRP.


SW3 and SW4 must use the multicast address 224.0.0.102 in order to negotiate the active

and standby roles.

SW3 must be elected as the active router and SW4 must be elected as the standby router.

In case SW3 is down, SW4 must take over the active role. If SW3 comes back online, it must

automatically recover the active role from SW4.

Ensure that HSRP hello packets are exchanged every second and that the standby takes over

the active role if three consecutive Hello packets were missed from the active.

Both routers must share the virtual IP address 10.2.1.1 that will be used as default gateway

for VLAN 100’s hosts.

SW3:

interface Vlan100 standby version 2 standby 2 ip 10.2.1.1 standby 2 timers 1 3 standby 2 priority 105 standby 2 preempt SW4: interface Vlan100 standby version 2 standby 2 ip 10.2.1.1 standby 2 timers 1 3 standby 2 preempt

5.4TrackingreachabilityRefer to “Diagram 1: Jameson’s Layer 2 Connections” and “Diagram 2: Initial Topology”.


SW3 and SW4 must monitor the reachability of their OSPF IPv4 default route and in case it is

not available, the HSRP priority must be decreased by 10.

SW3 and SW4: track 1 ip route 0.0.0.0/0 reachability inter vlan 100 standby 2 track 1 decrement 1

PC101: interface Ethernet0/0 ip address dhcp ipv6 address autoconfig

Documents

CCIE R&S LAB – CFG H2/A5CCIE R&S LAB – CFG H2/A5 Section 1 – Layer 2 Technologies 1.1 Jameson’s Datacenter: Access port There has been pre‐configured in Jameson’s Datacenter