IPexpert’s Lab Preparation Workbook for the Cisco® CCIE™ Data Center v1.0 Lab Exam Volume 1 Authored by: Rick Mur - CCIE3 #21946 (R&S / SP / Storage), JNCIE-SP #851

IPexpert’s Lab Preparation Workbook · 2019-05-03


IPexpert’s Lab Preparation Workbook for the Cisco® CCIE™ Data Center v1.0 Lab Exam

Volume 1

Authored by: Rick Mur - CCIE3 #21946 (R&S / SP / Storage), JNCIE-SP #851


CCIE Data Center Lab Preparation Workbook  

Copyright © by IPexpert. All rights reserved.

IPexpert’s Lab Preparation Workbook for Cisco’s CCIE Data Center Lab

Before We Begin

This product is part of the IPexpert suite of materials that provide CCIE candidates and network engineers with a comprehensive training program. For information about the full solution, contact an IPexpert Training Advisor today.

Telephone: +1.810.326.1444
Email: [email protected]

Congratulations! You now possess one of the ULTIMATE CCIE™ Lab preparation and network operation resources available today! This resource was produced by senior engineers, technical instructors, and authors boasting decades of internetworking experience. Although there is no way to 100% guarantee success rate on the CCIE™ Data Center Lab exam, we feel VERY confident that your chances of passing the Lab will improve dramatically after completing this industry-recognized Workbook!

Technical Support from IPexpert, and your CCIE community!


IPexpert is proud to lead the industry with multiple support options at your disposal free of charge. Our online communities have attracted a membership of over 20,000 of your peers from around the world! At blog.ipexpert.com, you can keep up to date with everything IPexpert does and read the latest in technical articles from world-renowned IPexpert instructors. At OnlineStudyList.com, you may subscribe to multiple “SPAM-free,” moderated CCIE-focused email lists.

Feedback

Do you have a suggestion or other feedback regarding this book or other IPexpert products? At IPexpert, we look to you – our valued clients – for the real world, frontline evaluation that we believe is necessary so that we may always improve. Please send an email with your thoughts to [email protected] or call 1.866.225.8064 (international callers dial +1.810.326.1444).

In addition, for those using this book as CCIE™ preparation, when you pass the CCIE™ Lab exam, we want to hear about it! Email your CCIE™ number to [email protected] and let us know how IPexpert helped you succeed. We would like to send you a gift of thanks and congratulations.

Additional CCIE™ Preparation Material

IPexpert, Inc. is committed to developing the most effective Cisco CCIE™ R&S, Security, Voice, Wireless and Data Center Lab certification preparation tools available. Our team of certified networking professionals develops the most up-to-date and comprehensive materials for networking certification, including self-paced workbooks, online Cisco hardware rental, classroom training, online (distance learning) instructor-led training, audio products, and video training materials. Unlike other certification-training providers, we employ the most experienced and accomplished teams of experts to create, maintain, and constantly update our products. At IPexpert, we are focused on making your CCIE™ Lab preparation more effective.

Issues with this Book

This book is carefully edited to ensure the accuracy of all content. Should you find any error whatsoever, please email a page reference and detailed comment to [email protected]. Your email will be responded to promptly.


IPEXPERT END-USER LICENSE AGREEMENT

END USER LICENSE FOR ONE (1) PERSON ONLY

IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS, DO NOT OPEN OR USE THE TRAINING MATERIALS.

This is a legally binding agreement between you and IPEXPERT, the “Licensor,” from whom you have licensed the IPEXPERT training materials (the “Training Materials”). By using the Training Materials, you agree to be bound by the terms of this License, except to the extent these terms have been modified by a written agreement (the “Governing Agreement”) signed by you (or the party that has licensed the Training Materials for your use) and an executive officer of Licensor. If you do not agree to the License terms, the Licensor is unwilling to license the Training Materials to you. In this event, you may not use the Training Materials, and you should promptly contact the Licensor for return instructions.

The Training Materials shall be used by only ONE (1) INDIVIDUAL who shall be the sole individual authorized to use the Training Materials throughout the term of this License.

Copyright and Proprietary Rights

The Training Materials are the property of IPEXPERT, Inc. ("IPEXPERT") and are protected by United States and International copyright laws. All copyright, trademark, and other proprietary rights in the Training Materials and in the Training Materials, text, graphics, design elements, audio, and all other materials originated by IPEXPERT at its site, in its workbooks, scenarios and courses (the "IPEXPERT Information") are reserved to IPEXPERT.

The Training Materials cannot be used by or transferred to any other person. You may not rent, lease, loan, barter, sell or time-share the Training Materials or accompanying documentation. You may not reverse engineer, decompile, or disassemble the Training Materials. You may not modify, or create derivative works based upon the Training Materials in whole or in part. You may not reproduce, store, upload, post, transmit, download or distribute in any form or by any means, electronic, mechanical, recording or otherwise any part of the Training Materials and IPEXPERT Information other than printing out or downloading portions of the text and images for your own personal, non-commercial use without the prior written permission of IPEXPERT.

You shall observe copyright and other restrictions imposed by IPEXPERT. You may not use the Training Materials or IPEXPERT Information in any manner that infringes the rights of any person or entity.


Exclusions of Warranties

THE TRAINING MATERIALS AND DOCUMENTATION ARE PROVIDED “AS IS.” LICENSOR HEREBY DISCLAIMS ALL OTHER WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW THE LIMITATION OF INCIDENTAL DAMAGES OR LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY LASTS, SO THE ABOVE LIMITATIONS OR EXCLUSIONS MAY NOT APPLY TO YOU. This agreement gives you specific legal rights, and you may have other rights that vary from state to state.

Choice of Law and Jurisdiction

This Agreement shall be governed by and construed in accordance with the laws of the State of Michigan, without reference to any conflict of law principles. You agree that any litigation or other proceeding between you and Licensor in connection with the Training Materials shall be brought in the Michigan state or courts located in Port Huron, Michigan, and you consent to the jurisdiction of such courts to decide the matter. The parties agree that the United Nations Convention on Contracts for the International Sale of Goods shall not apply to this License. If any provision of this Agreement is held invalid, the remainder of this License shall continue in full force and effect.

Limitation of Claims and Liability

ANY ACTION ON ANY CLAIM AGAINST IPEXPERT MUST BE BROUGHT BY THE USER WITHIN ONE (1) YEAR FOLLOWING THE DATE THE CLAIM FIRST ACCRUED, OR SHALL BE DEEMED WAIVED. IN NO EVENT WILL THE LICENSOR’S LIABILITY UNDER, ARISING OUT OF, OR RELATING TO THIS AGREEMENT EXCEED THE AMOUNT PAID TO LICENSOR FOR THE TRAINING MATERIALS. LICENSOR SHALL NOT BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES, HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, REGARDLESS OF WHETHER LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. WITHOUT LIMITING THE FOREGOING, LICENSOR WILL NOT BE LIABLE FOR LOST PROFITS, LOSS OF DATA, OR COSTS OF COVER.


Entire Agreement

This is the entire agreement between the parties and may not be modified except in writing signed by both parties.

U.S. Government - Restricted Rights

The Training Materials and accompanying documentation are “commercial computer Training Materials” and “commercial computer Training Materials documentation,” respectively, pursuant to DFAR Section 227.7202 and FAR Section 12.212, as applicable. Any use, modification, reproduction, release, performance, display, or disclosure of the Training Materials and accompanying documentation by the U.S. Government shall be governed solely by the terms of this Agreement and shall be prohibited except to the extent expressly permitted by the terms of this Agreement.

IF YOU DO NOT AGREE WITH THE ABOVE TERMS AND CONDITIONS, DO NOT OPEN OR USE THE TRAINING MATERIALS AND CONTACT LICENSOR FOR INSTRUCTIONS ON RETURN OF THE TRAINING MATERIAL


Contents

IPexpert’s Lab Preparation Workbook for Cisco’s CCIE Data Center Lab
  Before We Begin
  Feedback
  Additional CCIE™ Preparation Material
  Issues with this Book
  IPEXPERT END-USER LICENSE AGREEMENT
  Copyright and Proprietary Rights
  Exclusions of Warranties
  Choice of Law and Jurisdiction
  Limitation of Claims and Liability
  Entire Agreement
  U.S. Government - Restricted Rights
  Default Lab Topology
  Default passwords and IP addresses

Chapter 1: Introduction to CCIE Data Center
  Who Should Read this Book?
  How to Use this Book
  An Introduction to CCIE Data Center
  Availability
  Written exam
  The current published reading list:
  Lab exam
  Software Versions
  CCIE Storage?
  What about P and A tracks?
  Troubleshooting
  An Introduction to the Proctor Labs CCIE Data Center hardware rack
  Software Versions

Chapter 2: Data Center Networking Layer 2 Infrastructure (NX-OS)
  General Rules
  Pre-setup
  Topology
  Configuration tasks
    Task 1: General set-up
    Task 2: Implement VLANs
    Task 3: Implement Private-VLANs
    Task 4: Implement Rapid Spanning-Tree protocol
    Task 5: Implement Multiple Spanning-Tree protocol
    Task 6: Spanning-Tree and UDLD features
    Task 7: Fabric Extenders
    Task 8: Misc features

Chapter 3: Data Center Networking Layer 3 Infrastructure (NX-OS)
  General Rules
  Pre-setup


  Drawing 1: Physical Topology Routing
  Drawing 2: Logical Routing Topology
  Configuration tasks
    Task 1: Layer 3 topology set-up
    Task 2: Static routing
    Task 3: EIGRP
    Task 4: OSPF
    Task 5: Redistribution, BFD and ECMP
    Task 6: Layer 3 switching features
  Drawing 3: FabricPath / OTV Topology
    Task 7: FabricPath and OTV

Chapter 4: Data Center Networking High Availability (NX-OS)
  General Rules
  Pre-setup
  Drawing 1: Physical Topology
  Drawing 2: Logical Topology
  Configuration tasks
    Task 1: Topology set-up
    Task 2: Port-Channels
    Task 3: Virtual Port-channels (vPCs)
    Task 4: Graceful Restart / Non-Stop Forwarding
    Task 5: HSRP
    Task 6: VRRP
    Task 7: GLBP
    Task 8: Virtual Port-Channels (vPCs) and FabricPath

Chapter 5: Data Center Storage Networking
  General Rules
  Pre-setup
  Drawing 1: Physical Topology
  Configuration tasks
    Task 1: Initial set-up
    Task 2: VSANs
    Task 3: Zoning
    Task 4: FC Domain
    Task 5: Fibre Channel Security Features
    Task 6: Advanced Features

Chapter 6: Data Center Storage Networking Extension
  General Rules
  Pre-setup
  Drawing 1: Physical Topology
  Drawing 2: Logical Topology
  Configuration tasks
    Task 1: Initial set-up
    Task 2: FCIP


Task  3:  FCIP  Security  ..........................................................................................................................  59  Task  4:  SAN  Extension  Tuner  .............................................................................................................  59  Task  5:  iSCSI  .......................................................................................................................................  59  Task  6:  iSLB  ........................................................................................................................................  60  

Chapter  7:  Data  Center  Unified  Fabric  .......................................................................................................  62  General  Rules  ........................................................................................................................................  63  Pre-­‐setup  ...........................................................................................................................................  64  

Drawing  1:  Physical  Topology  ................................................................................................................  64  Drawing  2:  Logical  Topology  VSAN  20  ...................................................................................................  65  Configuration  tasks  ................................................................................................................................  66  Task  1:  Native  Fibre  Channel  on  Nexus  .............................................................................................  66  Task  2:  Fibre  Channel  over  Ethernet  (FCoE)  ......................................................................................  66  Task  3:  Multi  hop  FCoE  ......................................................................................................................  67  Task  4:  FCoE  Quality  of  Service  (QoS)  ................................................................................................  67  

Drawing  3:  NPV  topology  ......................................................................................................................  68  Task  5:  N-­‐Port  Virtualization  (NPV)  and  N-­‐Port  ID  Virtualization  (NPIV)  ...............................................  68  Task  6:  FCoE  NPV  ...............................................................................................................................  69  

Chapter 8: Security Features
  General Rules
  Pre-setup
  Drawing 1: Physical Topology
  Drawing 2: Logical Topology
  Configuration tasks
    Task 1: Port Security
    Task 2: DHCP Snooping, DAI, IP Source Guard
    Task 3: Access Control Lists
    Task 4: AAA services
    Task 5: 802.1X
    Task 6: Cisco TrustSec

Chapter 9: Management Features
  General Rules
  Pre-setup
  Drawing 1: Physical Topology
  Drawing 2: Logical Topology
  Configuration tasks
    Task 1: Role Based Access Control (RBAC)
    Task 2: Traffic monitoring
    Task 3: NetFlow
    Task 4: Management protocols
    Task 5: Device management
    Task 6: Smart Call Home and GOLD

Chapter 10: Data Center Unified Computing Networking
  General Rules
  Pre-setup
  Drawing 1: Physical Topology
  Configuration tasks


    Task 1: Initial set-up
    Task 2: VLANs
    Task 3: vNIC templates
    Task 4: Policies and pin groups
    Task 5: Quality of Service
    Task 6: Disjoint Layer 2
    Task 7: Switch mode

Chapter 11: Data Center Unified Computing Storage
  General Rules
  Pre-setup
  Drawing 1: Physical Topology
  Configuration tasks
    Task 1: Initial set-up
    Task 2: VSANs
    Task 3: Fibre Channel Trunks and Port Channels
    Task 4: Pools
    Task 5: vHBA templates
    Task 6: SAN Pinning and Storage Policies
    Task 7: Fibre Channel Boot policies
    Task 8: iSCSI Boot policies
    Task 9: Local Disk policies

Chapter 12: Data Center Unified Computing Servers and Blades
  General Rules
  Pre-setup
  Drawing 1: Physical Topology
  Configuration tasks
    Task 1: Server pools
    Task 2: UUID pools
    Task 3: Management IP addresses
    Task 4: Server policies
    Task 5: Service Profile Templates
    Task 6: Service Profiles


Default  Lab  Topology  

   

Default passwords and IP addresses

• Default management username / password: admin / IPexpert123
• Other passwords: ipexpert
• Management IP addressing: 172.16.100.0/24
• Management Default Gateway: 172.16.100.254


 

Chapter  1:  Introduction  to  CCIE  Data  Center      

 

 

 

 

Chapter  1:  Introduction  to  CCIE  Data  Center  introduces  the  team  of  authors,  consultants,  and  editors  that  completed  this  book  and  describes  the  book’s  purpose.  This  chapter  also  provides  suggestions  for  the  usage  of  this  written  work.    


Who Should Read this Book?

This workbook's primary audience is CCIE candidates who are searching for the most comprehensive and error-free materials available covering the CCIE Data Center practical lab exam. These students should possess a home rack of equipment for CCIE-level command-line practice, possess an equipment emulator (for certain parts of the topology), or rent equipment from a company like www.proctorlabs.com. The authors and technical editors exhaustively tested all of the demonstrations found throughout the technology tasks, troubleshooting exercises and full-scale lab exercises against all practice rack options described earlier. Where issues arise with popular equipment emulators, the text makes note. This book is the most remarkably thorough and technically accurate book written on the CCIE Data Center lab exam to date.

 

How to Use this Book

This book breaks all specific CCIE Data Center technologies down on a chapter-by-chapter basis for a complete and thorough review of this broad set of topics. Each chapter is broken down into various tasks regarding the subject. Following this, the Detailed Solutions Guide provided with this workbook provides an intense examination of the operation of the tasks, including key aspects of troubleshooting for the specific technology. After this, the book presents some of the most common issues that can result with a particular technology set and, most importantly, details the simple troubleshooting tools and steps that succeed for remediation.

The final chapters conclude the book with sample lab scenarios that provide a full-scale lab exam as you will see it when you take the actual test. The Detailed Solutions Guide then provides a well-designed approach for troubleshooting each major task and offers detailed explanations. The text provides reference guides for the most popular and powerful show and debug commands for a specific technology.

Each chapter uses its own specific initial configurations. Readers may download initial configurations, or install them in a simple Graphical User Interface (GUI) on www.proctorlabs.com.

Students are encouraged to follow along on a rack of equipment for every section of every chapter. This really enhances and strengthens the learning process.

 

An Introduction to CCIE Data Center

Since the release of the Nexus platform there has been talk about when these platforms would be introduced in a CCIE track. With the introduction of UCS in 2009 this became an even bigger request, especially since UCS sales really took off.

 


The  scope  of  the  exam  is  pretty  much  based  on  the  usual  suspects,  so  in  summary  you  should  be  aware  of  the:  

• UCS B-series blade systems
• UCS C-series rackmount systems connected to UCS Manager via FEX
• Virtual Interface Cards (virtualized NICs and HBAs) in all servers
• Nexus 7000 with all features like VDC, OTV, FabricPath, etc.
• Nexus 5500 with all features like FCoE, FEX
• Nexus 2000 connected to either the 5k or the 7k
• Nexus 1000V distributed virtual switch in ESX
  o There is no mention of any VMware product in the blueprint, so expect ESX and vCenter to be pre-installed on the UCS blades and FC boot to pre-configured disks
• MDS 9222i for connecting FC storage to UCS
• ACE appliance
• DCNM management software

 

Availability

The live exam is available from September 1st.

Currently  there  are  no  dates  when  the  lab  is  available.  

 

Written exam

The written exam has an extensive blueprint published to Cisco Learning Network (CLN) including a reading list.

 

The current published reading list:

• Data Center Fundamentals (ISBN-10: 1-58705-023-4)
• NX-OS and Cisco Nexus Switching (ISBN-10: 1-58705-892-8)
• Cisco Unified Computing System (UCS) (ISBN-10: 1-58714-193-0)
• I/O Consolidation in the Data Center (ISBN-10: 1-58705-888-X)
• Storage Networking Fundamentals (ISBN-10: 1-58705-162-1)


Please find the extensive blueprint published by Cisco on the bottom of this blog post.

Lab exam

There is not much information available regarding the lab exam. Availability is not mentioned. There is however information regarding the hardware list and this is an immense list of expensive hardware you require:

 

Software  Versions    

• NXOS v6.0(2) on Nexus 7000 Switches
• NXOS v5.1(3) on Nexus 5000 Switches
• NXOS v4.2(1) on Nexus 1000V
• NXOS v5.2(2) on MDS 9222i Switches
• UCS Software release 2.0(1x) for UCS-6248 Fabric Interconnect and all UCS systems
• Software Release A5(1.0) on ACE4710
• Cisco Data Center Manager software v5.2(2)

 

CCIE Storage?

There are currently no plans for replacing CCIE Storage with CCIE Data Center. Because of this, there will not be a large focus on MDS/FC configuration, as there is another track for that.

What about P and A tracks?

A CCNA Data Center and CCNP Data Center will be released soon!

Troubleshooting

Troubleshooting will be a big part of the exam, which is also pretty clear in the blueprint. There is no confirmation yet how this will be introduced, either using tickets as in the CCIE R&S or just by pre-configuration on the lab. I can imagine that they pre-configured a broken Nexus 1000V on an ESX installation on one of the JBODs. More information on how this troubleshooting is done will be available during other Q&A sessions. The implication is that it might be trouble tickets like the CCIE R&S.


An Introduction to the Proctor Labs CCIE Data Center hardware rack

The IPexpert CCIE Data Center rack will support 100% of the features that are tested on the lab! We have based the topology as closely as possible on the CCIE Data Center rack layout, but have ensured that all features and functionality are there.

Our CCIE Data Center rack layout is based on the very limited information that has been made available by Cisco. IPexpert has been in close contact with the people involved in creating this lab exam, and therefore the layout of the rack is based on some early examples and the published components and software version blueprint.

As you will see, the topology is very much based on a common datacenter design and has a more 'static' layout than other CCIE tracks.

The  blueprint  specified  the  following  components  to  be  in  the  lab:  

First  is  the  NX-­‐OS  Networking  equipment.  

• Nexus7009 (with licensing)
  o (1) Sup
  o (1) 32 Port 10Gb (F1 Module)
  o (1) 32 Port 10Gb (M1 Module)
• Nexus5548
• Nexus2232

 

The Nexus 7000 will be configured with VDCs to simulate various different topologies and create multiple 'core switch' layers within the network.

Nexus 5548 will be used as a 'distribution' layer within the datacenter network. The Nexus 2k's can be configured as FEX for the Nexus 7000, the Nexus 5000 and the Fabric Interconnects of the UCS system to connect the UCS C-series rack mount servers. The VDCs are a major component in the network as the number of devices is limited and the connectivity is very much based on a best practice design.

The  below  drawing  illustrates  an  example  topology  from  our  new  CCIE  Data  Center  lab  preparation  workbook  which  is  currently  under  development.  

All  these  interconnections  and  switches  are  based  within  a  single  physical  chassis  with  complete  separation  of  the  control  and  data  plane  protocols!  

 


Second  is  the  storage  networking  (SAN)  equipment:  

• Dual attached JBODs = Fibre Channel disks
• MDS 9222i (dual fabric)

 

The MDS switches used in the lab are capable of a ton of features. The blueprint however only describes certain Fibre Channel features which are considered 'basic' features, like zoning, VSANs, oversubscription and ISLs. The other major topic on the blueprint is Fibre Channel Expansion over FCIP and iSCSI. These features are the IP features supported by the MDS platform. The 1G Ethernet connections are connected to the Nexus switches for testing the expansion features. Through that connection it's possible to connect the MDS switches over a connection other than Fibre Channel. As the CCIE Storage track is not being replaced by the CCIE Data Center, the focus on Storage Networking (SAN) features is not that big. The major topics are more in the features that aren't tested in any other CCIE track.

The JBODs mentioned in this list represent just plain simple hard disks that are connected via Fibre Channel. They are used later as shared storage for the UCS system.

The  third  major  component  within  the  hardware  blueprint  is  the  Unified  Computing  System  (UCS).  

 

 

• UCS-6248 Fabric Interconnects
• UCS-5108 Blade Chassis
  o B200 M2 Blade Servers
  o Palo/VIC mezzanine card
  o Menlo/Emulex mezzanine card
• UCS C200 Series Server = Connected to Fabric Interconnects
  o VIC card for C-series


 

This is based on the C-series rackmount servers, connected to the Fabric Interconnects so the C-series can also be managed from the central UCS Manager, the same way the Blade chassis is managed.

The blades are equipped with different NICs. This also means a slightly different configuration. The VIC cards are the most interesting ones as they can virtualize NICs to present to the OS.

Once inside the blades there is a pre-installed VMware ESX(i) environment with a Nexus 1000v distributed virtual switch. As this is a Cisco lab exam, you are not required to know anything about VMware. Of course you will need to be able to install this environment in your own lab, if you have one, but when you step into the lab you will face a pre-installed VMware and 1000V. After that, the switch is not configured and you are required to configure it.

The final topic on the blueprint is called ANS (Application Networking Services). This means an ACE appliance is in your lab that you will need to configure. There is not much of interest going on there and you will not see a lot of points on that appliance. You will need to know the topics as described on the lab blueprint and our workbook will focus a whole section on these specific topics.

 

The  last  components  are  used  for  management.  You  will  not  be  configuring  these  devices,  but  just  using  them  from  your  student  workstation  to  access  the  network.  

• Cisco Catalyst Switch 3750 = management ethernet connections
• Cisco 2511 Terminal Server = console lines

What is not mentioned on the hardware blueprint list is that you will also need to be able to configure (or set up) the DCNM software that Cisco provides when you purchase enough Nexus equipment. Again this is not extremely difficult, but you need to be aware of the basic configuration items related to this software.

Software  Versions  

• NXOS v6.0(2) on Nexus 7000 Switches
• NXOS v5.1(3) on Nexus 5000 Switches
• NXOS v4.2(1) on Nexus 1000v
• NXOS v5.2(2) on MDS 9222i Switches
• UCS Software release 2.0(1x) for UCS-6248 Fabric Interconnect and UCS system


• Software Release A5(1.0) for ACE 4710
• Cisco Data Center Manager software v5.2(2)

 

Above you'll find a reference overview of the software versions used. The exact versions are still unknown, and we might be using newer software versions, as our IPexpert lab will be using quite new hardware for virtualization purposes. Within the Nexus 7000 we will be using the new Supervisor 2E, meaning that we are able to build 8 VDCs and 1 management VDC, which gives us enough flexibility for some challenging topologies!

The next chapter of this workbook, Chapter 2: Data Center Networking Layer 2 Infrastructure (NX-OS), begins with the initial topic on the CCIE Data Center Blueprint regarding layer 2 switching, VLANs, Private-VLANs, Spanning-Tree and other layer 2 features on the NX-OS platform.


 

Chapter 2: Data Center Networking Layer 2 Infrastructure (NX-OS)

 

 

Chapter 2: Data Center Networking Layer 2 Infrastructure (NX-OS) is intended to familiarize you with the NX-OS CLI on the Nexus switches and afterwards to have you configure Layer 2 Ethernet features on the physical Nexus switches within the topology as shown at the beginning of this workbook. We highly recommend creating your own diagram at the beginning of each lab so you are able to draw on your own diagram, making it much easier when you step into the real lab. Our devices start with a blank configuration, which will not be the case when you are in the real lab. There, devices are staged with configuration containing usernames/passwords, management IP addressing, core IP addressing and (possible) errors.


General Rules

• Try to diagram out the task. Draw your own connections the way you like it

• Create a checklist to aid as you work thru the lab

• Take a very close read of the tasks to ensure you don’t miss any points during grading!

• Take your time. This is not a Mock Lab, so no time constraints are in place for finishing this particular chapter

Estimated Time to Complete: 3 hours

 

Pre-setup

• Connect to the Nexus 7000 switch and Nexus 5000 switches within the topology

• Use  the  central  topology  drawing  at  the  start  of  this  workbook  

• This  lab  is  intended  to  be  used  with  online  rack  access  provided  by  our  partner  Proctorlabs  (www.proctorlabs.com).  Connect  to  the  terminal  server  and  complete  the  configuration  tasks  as  detailed  below.  

 

Topology  

 


Configuration  tasks  

Task 1: General set-up

1. Erase the configuration from all 3 switches and reboot and

2. Configure the default parameters as mentioned in the Generic Lab Topology

3. Configure the Nexus 7000 switch with a hostname of “SW1-1” and the Nexus 5500 switches with hostnames of “SW2” and “SW3”

4. Ensure the switches will not perform any DNS lookups

5. Configure “ipexpert.com” as the DNS domain name

6. Ensure that both encrypted and unencrypted management connections are allowed

7. Save the configuration using the wr command

8. On SW1-1 configure a message, containing the hostname and warning unauthorized users, that is shown each time a user logs in

9. Use the serial number of “SW1-1” as the ID which is used to advertise the switch using CDP

10. Ensure only CDP version 2 packets are sent from “SW1-1”

11. Disable CDP on the management ethernet interface

12. Ensure a log message is generated when more than 999 packets per second are sent or received on the management ethernet interface

 

Task  2:  Implement  VLANs  

1. Configure all inter-switch links as described by the topology drawing at the beginning of this chapter to be in layer 2 trunk mode allowing VLANs 100 up to 499

2. After  specifying  the  allowed  range,  remove  VLAN  333  from  this  range  with  a  single  command,  without  specifying  the  previous  range  (or  parts  of  it)  again  

3. Configure  all  switches  to  be  in  VTP  domain  “IPexpert”  

4. Ensure  VLANs  are  removed  from  switches  that  have  no  active  hosts  in  that  VLAN,  except  for  VLAN  101.  This  VLAN  101  should  always  be  active  on  the  switch  not  depending  on  this  configuration  task  

5. Enable  the  latest  version  of  VTP  

6. Store  the  VTP  database  configuration  with  filename  ‘ipexpert.dat’  


7. Ensure SW2 and SW3 will have new VLANs being pushed by SW1-1 and are not able to create new VLANs by themselves

8. Secure the VTP protocol with a password of ‘ipexpert’

9. Create VLANs 101, 102, 103 and 104 and ensure they are visible on all switches

10. Assign names to all VLANs by format of “IPexpertVLAN#” where # is the VLAN number

11. Configure SW1-1 so the following output is matched (Ports section should show all active trunks):

SW1-1(config)# sh ip igmp snooping | in vlan
IGMP Snooping information for vlan 1
IGMP Snooping information for vlan 101
IGMP Snooping information for vlan 102
IGMP Snooping information for vlan 103
IGMP Snooping information for vlan 104
IGMP Snooping information for vlan 105
IGMP Snooping information for vlan 1002
IGMP Snooping information for vlan 1003
IGMP Snooping information for vlan 1004
IGMP Snooping information for vlan 1005
SW1-1(config)# sh vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
101  VLAN0101                         active
102  VLAN0102                         active
103  VLAN0103                         active
104  VLAN0104                         active
1002 fddi-default                     suspended
1003 token-ring-default               suspended
1004 fddinet-default                  suspended
1005 trnet-default                    suspended
SW1-1(config)#

Task 3: Implement Private-VLANs

Note: This lab will be using unused ports in the topology to simulate hosts being connected. For clarification of the tasks it’s advisable to read the entire task before starting your configuration.

1. A firewall is connected to Ethernet3/19 on SW1-1 which should receive all traffic from DMZ hosts. This port should be in VLAN 200. You are allowed to change configuration from the previous task to accomplish this.


2. Ensure  that  hosts  in  VLAN  201  are  not  able  to  communicate  with  each  other,  but  only  to  the  firewall  connected  to  Ethernet3/19  

3. Configure  ports  Ethernet3/20  and  Ethernet3/21  in  VLAN  201  

4. Hosts  in  VLAN  202  and  203  are  able  to  communicate  to  each  other  in  the  VLAN  and  to  the  firewall,  but  not  to  hosts  in  the  other  VLAN  (202  can’t  communicate  with  203  and  vice  versa)  

5. Configure  ports  Ethernet3/22  and  Ethernet3/23  in  VLAN202.  Configure  ports  Ethernet3/24  and  Ethernet3/25  in  VLAN203  

6. DMZ  servers  in  VLAN  204  need  to  be  secured.  They  are  not  allowed  to  communicate  to  each  other,  but  they  can  communicate  with  the  rest  of  the  IP  network  by  reaching  a  default  gateway  configured  on  SW1-­‐1  with  IP  address  10.1.10.254/24

7. Hosts  connected  in  VLAN  204  are  connected  on  SW2.  Configure  the  first  trunk  connection  for  this  use.  Configure  Ethernet  1/21,  1/22  and  1/23  in  VLAN205  on  SW2  and  ensure  they  are  able  to  reach  the  default  gateway  to  the  network.  Hosts  are  not  allowed  to  communicate  to  each  other.  

8. Other  hosts  of  VLAN  201  and  202  are  also  connected  to  SW2.  Use  the  second  trunk  connection  between  SW1  and  SW2  for  this  use.  The  hosts  of  VLAN201  are  connected  to  ports  Ethernet  1/24  and  1/25.  The  host  of  VLAN  202  is  connected  to  Ethernet  1/26  
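The isolation requirements of items 1 through 5 and 8 can be checked against the private-VLAN forwarding rules before any switch is touched. The following is an added example, not part of the workbook: it assumes VLAN 200 is the primary VLAN, 201 is an isolated VLAN and 202 and 203 are community VLANs, and that the trunk to SW2 carries all of them.

```python
from collections import namedtuple
from itertools import combinations

Port = namedtuple("Port", "switch name role vlan")

PRIMARY = 200  # VLAN of the firewall port (item 1), assumed to be the primary VLAN
# Assumed secondary VLAN types, inferred from items 2 and 4 of the task.
INTENDED_TYPES = {201: "isolated", 202: "community", 203: "community"}

# Port placement from items 1, 3, 5 and 8. Assumption: the SW1-SW2 trunk
# carries the primary and secondary VLANs, so both switches share one domain.
PORTS = [
    Port("SW1-1", "Eth3/19", "promiscuous", PRIMARY),  # firewall
    Port("SW1-1", "Eth3/20", "host", 201),
    Port("SW1-1", "Eth3/21", "host", 201),
    Port("SW1-1", "Eth3/22", "host", 202),
    Port("SW1-1", "Eth3/23", "host", 202),
    Port("SW1-1", "Eth3/24", "host", 203),
    Port("SW1-1", "Eth3/25", "host", 203),
    Port("SW2", "Eth1/24", "host", 201),
    Port("SW2", "Eth1/25", "host", 201),
    Port("SW2", "Eth1/26", "host", 202),
]


def forwards(a, b, types):
    """Apply private-VLAN forwarding rules to one pair of ports."""
    if "promiscuous" in (a.role, b.role):
        host = b if a.role == "promiscuous" else a
        # A host port only reaches the promiscuous port when its secondary
        # VLAN is associated with the primary VLAN.
        return host.role == "promiscuous" or host.vlan in types
    if a.vlan != b.vlan:
        return False  # different secondary VLANs never exchange frames
    # Same secondary VLAN: only community VLANs allow host-to-host traffic.
    return types.get(a.vlan) == "community"


def required(a, b):
    """Connectivity the task asks for, independent of how it is configured."""
    if "promiscuous" in (a.role, b.role):
        return True  # every DMZ host must reach the firewall
    return a.vlan == b.vlan and a.vlan in (202, 203)


def audit(types, ports=PORTS):
    """Return (port, port, kind) for every pair that deviates from the task."""
    findings = []
    for a, b in combinations(ports, 2):
        actual, wanted = forwards(a, b, types), required(a, b)
        if actual != wanted:
            kind = "leak" if actual else "blocked"
            findings.append((f"{a.switch} {a.name}", f"{b.switch} {b.name}", kind))
    return findings


if __name__ == "__main__":
    print("intended design:", audit(INTENDED_TYPES) or "no deviations")
    # Constructed mistake: VLAN 201 created as a community VLAN.
    wrong = dict(INTENDED_TYPES, **{201: "community"})
    for finding in audit(wrong):
        print("VLAN 201 as community:", finding)
```

A "leak" finding is a pair of hosts that can exchange frames although the task forbids it; a "blocked" finding is required connectivity that the configuration would break.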

 

Task 4: Implement Rapid Spanning-Tree protocol

1. Ensure non-core-facing interfaces on SW2 and SW3 are not generating any spanning-tree topology changes

2. Configure SW2 to be the root bridge for VLAN 101 and SW3 to be the backup root bridge

3. Ensure all switches are using optimal spanning-tree timers for the size of the layer 2 network to optimize network convergence. Do not configure timer values to complete this task.

4. Configure SW1 to be the root bridge for VLAN 102

5. Ensure that new bridges with a default spanning-tree configuration will never be elected as a root bridge in VLAN 102 when SW1 fails

6. When traffic steering is necessary, you are required to use values higher than 100,000

7. Configure the network in such a way that SW1 is using SW3 as the best path towards the root bridge of the network in VLAN 101

8. Ensure that the last interface (fourth link) between all switches is used as primary

9. Configure spanning-tree of VLAN 103 to converge in the shortest time possible

10. Configure all inter-switch-links to utilize IEEE 802.1w ‘Rapid Connectivity’

11. Remove all spanning-tree related configuration from interfaces and global configuration on all switches before continuing with the next task

 

Task 5: Implement Multiple Spanning-Tree protocol

1. Configure SW1, SW2 and SW3 to run the IEEE 802.1s protocol

2. Configure the following parameters on SW1

3. MST name of IPexpert

4. MST configuration number of 5

5. Map VLAN 10 through 99 to instance 1

6. Map VLAN 100 through 199 to instance 2

7. Map VLAN 800 through 1299 to instance 3

8. Ensure MST is functioning properly on all switches

9. Assume Private VLANs are in use. Ensure that all secondary VLANs are in the same MSTI as their associated primary VLAN

10. Configure SW2 to be the root bridge for instance 1 by configuring the lowest possible value

11. Try making SW3 the primary root bridge for instance 1 using the dedicated command for this. What happens?

12. Make SW3 the backup root bridge for instance 1. You are allowed to configure other switches, but not SW3.

13. Ensure all switches are using optimal spanning-tree timers for the size of the layer 2 network to optimize network convergence.

14. When traffic steering is necessary, you are required to use values higher than 100,000

15. Configure the network in such a way that SW1 is using SW3 as the best path towards the root bridge of the network in instance 2

16. Ensure that all instances use a different interface between the switches to ensure load balancing between instances. Meaning instance 0 uses interface 1, etc.

17. Ensure BPDUs are discarded when the network is larger than 10 hops

18. Assume a switch with an old version of software is connected to Ethernet 1/16 on SW2. Configure this interface to pro-actively send pre-standard MST messages
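Switches only join the same MST region when the region name, the revision and the VLAN-to-instance table all match, and the table is compared through the HMAC-MD5 configuration digest that IEEE 802.1Q defines. The following added example (not part of the workbook) computes that digest for the mapping of items 3 through 7 and checks item 9; it assumes the "configuration number" is the revision level and uses the private-VLAN numbers of Task 3 (primary 200, secondaries 201 to 203) as sample input.

```python
import hashlib
import hmac

# Fixed signature key that IEEE 802.1Q specifies for the MST Configuration Digest.
DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")

# Region parameters from items 3 through 7: {instance: [(first_vlan, last_vlan)]}.
WORKBOOK_NAME = "IPexpert"
WORKBOOK_REVISION = 5  # assumption: "configuration number" means revision level
WORKBOOK_MAP = {1: [(10, 99)], 2: [(100, 199)], 3: [(800, 1299)]}


def vlan_table(mapping):
    """Expand the ranges into a 4096-entry VLAN -> MSTI table (0 = CIST/IST)."""
    table = [0] * 4096
    for instance, ranges in mapping.items():
        for first, last in ranges:
            if not 1 <= first <= last <= 4094:
                raise ValueError(f"invalid VLAN range {first}-{last}")
            for vlan in range(first, last + 1):
                table[vlan] = instance
    return table


def config_digest(mapping):
    """HMAC-MD5 over 4096 two-octet MSTIDs, as carried in every MST BPDU."""
    raw = b"".join(msti.to_bytes(2, "big") for msti in vlan_table(mapping))
    return hmac.new(DIGEST_KEY, raw, hashlib.md5).hexdigest()


def region_id(name, revision, mapping):
    """The triple two switches must agree on to be in one region."""
    return (name, revision, config_digest(mapping))


def same_region(a, b):
    return region_id(*a) == region_id(*b)


def pvlan_msti_conflicts(mapping, pvlans):
    """pvlans: {primary: [secondaries]}. Return (primary, secondary,
    primary_msti, secondary_msti) for every pair split across instances."""
    table = vlan_table(mapping)
    return [
        (primary, secondary, table[primary], table[secondary])
        for primary, secondaries in sorted(pvlans.items())
        for secondary in secondaries
        if table[primary] != table[secondary]
    ]


if __name__ == "__main__":
    sw1 = (WORKBOOK_NAME, WORKBOOK_REVISION, WORKBOOK_MAP)
    print("SW1 digest:", config_digest(WORKBOOK_MAP))
    # Constructed mistake: one VLAN missing from instance 3 on another switch.
    typo = (WORKBOOK_NAME, WORKBOOK_REVISION, {**WORKBOOK_MAP, 3: [(800, 1298)]})
    print("same region with typo:", same_region(sw1, typo))
    print("Task 3 PVLANs:", pvlan_msti_conflicts(WORKBOOK_MAP, {200: [201, 202, 203]}))
    # Constructed counter-example: a primary VLAN on the 199/200 boundary.
    print("primary 199, secondary 200:", pvlan_msti_conflicts(WORKBOOK_MAP, {199: [200]}))
```

A switch whose digest differs is treated as a region boundary, so a single mistyped VLAN range is enough to split the region.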

 

Task 6: Spanning-Tree and UDLD features

1. Configure SW3 so that all ports, when not configured individually, are seen as network edge ports

2. Configure Ethernet 1/10 on SW3 so the port is put in error-disabled state when spanning-tree packets are received

3. Configure Ethernet1/11 on SW3 so the port will never process spanning-tree protocol data units, but will allow other layer 2 frames

4. Ensure that Ethernet 1/10 on SW2 will also never process spanning-tree protocol packets, but you are not allowed to configure the command required for this directly under the interface

5. Ensure Ethernet 1/11 on SW2 will never become a root port on the switch

6. Ethernet1/12 on SW2 should never become the designated port of the LAN segment

7. Assume the network is running MST and Ethernet 1/13 on SW3 is connected to a Rapid-PVST+ network. Ensure that this port will fail to interoperate with this other kind of spanning-tree protocol for security reasons.

8. Use a Cisco-proprietary protocol which allows devices that are connected through fiber or copper cables to monitor the physical configuration of the cables and detect when a unidirectional link exists on Ethernet 1/12 on SW3

9. Use a method on Ethernet 1/12 on SW3 which disables one of the ports on the link, which prevents traffic from being discarded.

 

Task 7: Fabric Extenders

1. Use SW2 and FEX1 for these tasks

2. Name the fabric extender as “IPexpert Fabric Extender 1”

3. Ensure the LED on the FEX starts blinking to make it easier to locate the FEX in a rack

4. Ensure the output of the following show command is matched on SW2:

SW2# show interface port-channel 4 fex-intf
Fabric           FEX
Interface        Interfaces
---------------------------------------------------
Po4              Eth101/1/48   Eth101/1/47   Eth101/1/46   Eth101/1/45
                 Eth101/1/44   Eth101/1/43   Eth101/1/42   Eth101/1/41
                 Eth101/1/40   Eth101/1/39   Eth101/1/38   Eth101/1/37
                 Eth101/1/36   Eth101/1/35   Eth101/1/34   Eth101/1/33
                 Eth101/1/32   Eth101/1/31   Eth101/1/30   Eth101/1/29
                 Eth101/1/28   Eth101/1/27   Eth101/1/26   Eth101/1/25
                 Eth101/1/24   Eth101/1/23   Eth101/1/22   Eth101/1/21
                 Eth101/1/20   Eth101/1/19   Eth101/1/18   Eth101/1/17
                 Eth101/1/16   Eth101/1/15   Eth101/1/14   Eth101/1/13
                 Eth101/1/12   Eth101/1/11   Eth101/1/10   Eth101/1/9
                 Eth101/1/8    Eth101/1/7    Eth101/1/6    Eth101/1/5
                 Eth101/1/4    Eth101/1/3    Eth101/1/2    Eth101/1/1

Task 8: Misc features

1. Read this whole section first, before starting your configuration!

2. Configure Ethernet 5/16, 5/17 and 5/18 on SW1-1 with the settings from the following bullets (3 through 6).

3. Layer 2 trunk port with VLAN 101 through 104 allowed

4. Rx flowcontrol should be enabled

5. Disable the automatic cross/straight cable detection

6. ‘show interface’ should show usage statistics using sampling intervals of 30, 60 and 120 seconds

7. You are only allowed to have the settings for these interfaces showing up once in the configuration


 

Chapter 3: Data Center Networking Layer 3 Infrastructure (NX-OS)

Chapter 3: Data Center Networking Layer 3 Infrastructure is intended to familiarize you with the NX-OS Layer 3 features on the Nexus platforms used to create a basic routed network. The second part of this chapter consists of Data Center extension and Layer 2 routing features. We highly recommend creating your own diagram at the beginning of each lab so you are able to draw on your own diagram, making it much easier when you step into the real lab. The lab is divided into two parts. During the first tasks you will be configuring a dynamically routed layer 3 network using the EIGRP and OSPF protocols. The second part of this chapter is based on the Cisco proprietary technologies FabricPath and OTV. Multiple topology drawings are available for this chapter.

   


General Rules

• Try to diagram out the task. Draw your own connections the way you like it

• Create a checklist to aid as you work through the lab

• Take a very close read of the tasks to ensure you don’t miss any points during grading!

• Take your time. This is not a Mock Lab, so no time constraints are in place for finishing this particular chapter

Estimated Time to Complete: 3 hours

Pre-setup

• Connect to the Nexus 7000 switch and Nexus 5000 switches within the topology

• Use the central topology drawing at the start of this workbook

• Load the initial configuration of Chapter 2 on the Nexus 7000 switch to stage the Virtual Device Contexts needed for this lab

• When starting the second part of this lab for configuring Fabric Path and OTV the second set of initial configuration should be loaded on the Nexus 7000 to create a different topology with Virtual Device Contexts

• This lab is intended to be used with online rack access provided by our partner Proctor Labs (www.proctorlabs.com). Connect to the terminal server and complete the configuration tasks as detailed below


Drawing 1: Physical Topology Routing

Drawing 2: Logical Routing Topology

Configuration tasks

Task 1: Layer 3 topology set-up

• Configure the Nexus 5500 switches with hostnames of “SW2” and “SW3”. The Nexus 7000 VDC’s should already have hostnames through the loading of the initial configuration. Use switchto vdc and switchback to move between different switches on the Nexus 7000.

• Configure all switches so they can all carry the layer 2 VLANs as described in drawing 1

• Configure sufficient inter-switch-links to carry the VLANs between the switches

• Configure IP addressing on SVI and physical interfaces according to drawing 1

• Configure all switches to have a Loopback0 interface with an IP address of 198.18.0.Z/32 where Z is the router number / host address as specified in drawing 1

Task 2: Static routing

• Ensure SW1-3 can ping the loopback address of SW1-4 from its own loopback address

• SW1-1 should be able to ping the loopback address of SW1-2 and vice versa without using the directly connected link between those switches, but should use the path over SW1-3 and SW1-4 for this

• Configure SW1-2 to be a blackhole for the 192.0.1.0/24 prefix. Give this entry a tag of 666 and an increased preference of +1

• Ensure that all layer 3 interfaces on SW1-2 do not send out any unreachable messages

• Remove all static routes before continuing with the next tasks

 

Task 3: EIGRP

• Configure a secure EIGRP adjacency between SW1-2 and SW1-4

• Ensure Loopbacks are reachable and dynamically advertised. Ensure that there are no attempts to make adjacencies on the Loopback interfaces.

• Use 64999 as autonomous system number and IPEXPERT as the EIGRP process name

• Configure 4 static routes for 198.18.4.0/24 through 198.18.7.0/24 on SW1-4 and ensure they are reachable through a single EIGRP routing entry on SW1-2. Besides the single entry the 198.18.5.0/24 network should also be seen in the routing table of SW1-2.

• Use wide metrics with a scaling factor of 64

• Change the bandwidth that EIGRP may use on an interface to 10% lower than default

• Update the link between SW1-2 and SW1-4 so the EIGRP neighbor is declared down after 4 hello packets. You are only allowed to change configuration on SW1-2 to accomplish this

• Routes which are declared active should become Stuck in Active after 5 minutes

• Routes should be advertised as unreachable when there are more than 50 hops in the network

• Update the K3 value on the SW1-2 to SW1-4 interfaces to 500

Task 4: OSPF

• Configure the OSPF network as shown in drawing 2. Use the dotted decimal notation to configure area 264

• Ensure that all OSPF routers can reach each other’s Loopback addresses

• Ignore the MTU size between SW1-1 and SW1-3 when forming an adjacency

• Ensure that SW2 will never become a designated router on any OSPF interface

• Ensure that SW3 will never become a designated router on any OSPF interface

• Ensure all adjacencies in area 0 are secured using a hashed version of “IPexpertSecure”

• Ensure area 1 is secure using a simple-text-password of “IPexpert”

• Configure 4 additional Loopback interfaces on SW2 with IP addresses of 198.18.128.1/24 through 198.18.131.1/24 and ensure they are seen as a single entry in the backbone area and other areas without overlapping other IP space

• Configure a Loopback1 interface on SW1-3 with an IP address of 198.18.13.1/24 and ensure this whole subnet is seen throughout the layer 3 network

• Type 3, 4 and 5 LSA’s are not allowed in area 1

• Ensure that routers do not attract traffic for 2 minutes after booting up


Task 5: Redistribution, BFD and ECMP

• Configure redistribution between EIGRP and OSPF on SW1-4 and SW1-2

• Ensure full reachability is achieved while maintaining all requirements from previous tasks

• Ensure all links towards area 0 are used when traffic is exiting area 1

• Ensure that all Dynamic Routing adjacencies on SW1-2 towards adjacent devices are terminated using a dedicated detection protocol

• BFD sessions between SW1-2 and SW3 should be secured using a hashed key of “IPexpertSecure”

• Ensure neighbor failures on SW1-2 are detected within 300ms

• Configure OSPF and EIGRP so they use the dedicated fast-hello failure detection mechanism

Task 6: Layer 3 switching features

• Ensure a static layer 2 to layer 3 mapping is created on VLAN 112 on SW1-1 for 198.18.112.24 to mac address abcd.1234.5678

• Configure SW2 so that it detects duplicate IP addresses and updates its cache on Ethernet1/5

• Ensure that SW1-1 reserves space for 2750 outstanding ARP entries in the ASIC to prevent ARP replies from being dropped when they are returned and installed in the ASIC hardware

• Configure all switches so they use RFC 1191


Drawing 3: FabricPath / OTV Topology

   

Task 7: FabricPath and OTV

• Load the initial configuration file for part 2 of chapter 2, which will create a topology according to drawing 3

• Create VLAN 666 on all relevant switches in the topology

• Ensure hosts on VLAN 666 can communicate via layer 2 on all 4 edge switches using the technologies as mentioned in drawing 3

• Use the 198.18.10.0/24 subnet when a layer 3 link is required in the topology

• Configure VLAN interfaces (SVIs) with the following IP addresses:
  SW2: 198.18.66.1/24
  SW3: 198.18.66.2/24
  SW1-3: 198.18.66.3/24
  SW1-4: 198.18.66.4/24

• Ensure traffic is using all links between the switches to reach from SW2 and SW3 to SW1-3 and SW1-4

• Verify this task is completed successfully by being able to ping all 198.18.66.x interfaces of all edge switches

 

Chapter 4: Data Center Networking High Availability (NX-OS)

Chapter 4: Data Center Networking High Availability (NX-OS) is intended to familiarize you with the NX-OS High Availability features on the Nexus platforms used to create a highly available network. Various types of deployments of Port-channels and Virtual Port-channels are discussed in this chapter. The second part of this chapter focuses on First Hop Redundancy Protocols (FHRPs) and High Availability features of dynamic routing protocols. The third part focuses on a special implementation of virtual port-channels in FabricPath networks.

We highly recommend creating your own diagram at the beginning of each lab so you are able to draw on your own diagram, making it much easier when you step into the real lab.

Multiple topology drawings are available for this chapter.

 


General Rules

• Try to diagram out the task. Draw your own connections the way you like it

• Create a checklist to aid as you work through the lab

• Take a very close read of the tasks to ensure you don’t miss any points during grading!

• Take your time. This is not a Mock Lab, so no time constraints are in place for finishing this particular chapter

Estimated Time to Complete: 3 hours

Pre-setup

• Connect to the Nexus 7000 switch and Nexus 5000 switches within the topology

• Use the central topology drawing at the start of this workbook

• Load the initial configuration of Chapter 4 on the Nexus 7000 switch to stage the Virtual Device Contexts needed for this lab

• When starting the third part of this lab regarding virtual Port-Channels within FabricPath networks the second set of initial configuration should be loaded on the Nexus 7000 to create a different topology with Virtual Device Contexts

• This lab is intended to be used with online rack access provided by our partner Proctor Labs (www.proctorlabs.com). Connect to the terminal server and complete the configuration tasks as detailed below


Drawing 1: Physical Topology

Drawing 2: Logical Topology

Configuration tasks

Task 1: Topology set-up

1. Configure the Nexus 5500 switches with hostnames of “SW2” and “SW3”. The Nexus 7000 VDC’s should already have hostnames through the loading of the initial configuration. Use switchto vdc and switchback to move between different switches on the Nexus 7000.

2. Create the VLANs as are required on the switches as shown in drawing 2

3. Configure IP addressing on SVI and interfaces according to drawing 2

4. Configure all switches to have a Loopback0 interface with an IP address of 198.18.0.Z/32 where Z is the router number / host address as specified in drawing 2

 

Task 2: Port-Channels

1. Configure Ethernet3/1 and Ethernet3/2 on SW1-1 and Ethernet1/1 and Ethernet1/2 on SW2 to be a single logical connection to carry the VLAN required as stated in drawing 2. Use number 1 for this connection.

2. Configure Ethernet3/5 and Ethernet3/6 on SW1-2 and Ethernet1/1 and Ethernet1/2 on SW3 to be a single logical connection to carry the VLAN required as stated in drawing 2. Use number 2 for this connection.

3. Configure logical interface 1 to negotiate its bundling capabilities between the switches

4. SW2 should never actively start negotiating link bundling

5. Logical interface 1 is used for bandwidth reasons and should therefore shut down when there is less than 20Gbps capacity available in the bundle

6. Logical interface 1 should mark interfaces as hot-standby when additional interfaces are added to the bundle

7. Configure Ethernet1/5 and Ethernet1/6 on SW2 and SW3 to negotiate a link bundle. Use number 3 for this interface.

8. Configure logical interface 3 with IP addressing in the 198.18.23.0/24 subnet. Use host IP addresses as previously used for these switches.

9. Ensure that when no dynamic link bundling advertisements are received on an interface on logical interface 3, the physical interface is brought up in an Individual state.

10. There are plans to increase the capacity between SW2 and SW3 to 80Gbps with additional interfaces for resiliency purposes. Ensure that Ethernet1/5 is always chosen to participate in the bundle and Ethernet1/6 should be selected as a hot-standby link when additional interfaces are added to the bundle.

11. Logical interface 3 should use a very fast detection mechanism to signal the removal of an interface in the bundle

12. Configure SW2 and SW3 to load-balance between the interfaces in link-bundles using as much packet header information as possible.

13. Remove any configuration related to interface bundle 1 and 2 from the switches before continuing with the next task

 

Task 3: Virtual Port-channels (vPCs)

1. Ensure it’s possible to create Multi-Chassis Link Aggregation Groups (link bundles) on SW1-1 and SW1-2. Use ID 100 for this.

2. SW1-2 should be the primary device

3. Ensure it’s possible to create Multi-Chassis Link Aggregation Groups (link bundles) on SW2 and SW3. Use ID 200 for this.

4. Send keep alive messages across the mgmt0 interfaces of domain 200 switches

5. Use a dedicated SVI with IP addressing in the subnet of 198.18.5.0/24 to send keep alive messages between switches in domain 100. Ensure that the keep alive messages are not using the global IP routing table. Use Ethernet3/10 on SW1-1 and Ethernet3/12 on SW1-2 for this.

6. Configure Ethernet3/9 on SW1-1 and Ethernet3/11 on SW1-2 as peer-link

7. Bundle Ethernet1/7 and Ethernet1/8 on SW2 and SW3 and configure this as the peer-link

8. Ensure domain 100 brings up its vPCs once a peer fails or reboots. Delay this process for 5 minutes.

9. SW2 and SW3 should be seen as a single Spanning-Tree root with a priority of 8192

10. Configure an MC-LAG connection between SW1-1, SW1-2 and SW2. Use Ethernet3/1 on SW1-1, Ethernet3/3 on SW1-2 and Ethernet1/1 and Ethernet1/2 on SW2. Use number 101 for this connection

11. Configure a vPC connection between SW2, SW3 and SW1-2. Use Ethernet3/5 and Ethernet3/7 on SW1-2, Ethernet1/3 on SW2 and Ethernet1/3 on SW3. Use number 102 for this connection.

12. Use the remaining connections between SW1-1, SW1-2, SW2 and SW3 and bundle them in a single logical interface with number 103.

13. Ensure all VLANs required for Drawing 2 are allowed on the vPC links

14. Use 1234.5678.90ab as the single MAC address that is used for the identification of domain 100 LACP packets

 

Task 4: Graceful Restart / Non-Stop Forwarding

1. Configure dynamic routing protocols according to drawing 2. Ensure Loopback interfaces of SW2 and SW1-1 can ping each other and SW1-2 and SW3 can ping each other

2. Ensure that the routers running OSPF keep their routing information and keep forwarding traffic to neighbors when they are rebooting

3. An older router that will take a little over 2 minutes to reboot will be connected to SW2. Ensure that your configuration supports this

4. Ensure that SW3 supports ISSU

5. SW3 should keep routes from restarting neighbors for 5 minutes

6. Signal a restart as fast as possible on SW3

 

Task 5: HSRP

1. Ensure that hosts on VLAN 111 are always able to reach their default gateway, when one of the 2 switches fails

2. Use a Cisco proprietary protocol for this use, which uses a single active default gateway

3. Use the .1 host IP address as the default gateway for this network segment

4. Make the switches primary and backup according to the best practice

5. Use a hashed key of “IPexpertYEAR1” to secure this protocol from now until December 31st the same year. On January 1st one year later the key should change to “IPexpertYEAR2”. Ensure that switches keep accepting the old key for at least 2 more hours

6. When the backup switch is active and the primary switch comes back online after a reboot, ensure that it will take back the active role after the switch is up for 3 minutes

7. Give this process a name of “IPexpertVLAN111”

8. A switch should declare its neighbor down within 1 second

9. When one of the Ethernet uplinks fails the priority should be lowered by 1/10th of the configured priority value

10. When a second Ethernet uplink fails the switch should stop forwarding Layer 3 traffic and send traffic across the vPC peer-link

11. The default gateway MAC address should be the MAC address of one of the physical Ethernet interfaces

 

Task 6: VRRP

1. Ensure that hosts on VLAN 121 are always able to reach their default gateway when one of the 2 switches fails

2. Use  a  standards  based  protocol  for  this  use,  which  uses  a  single  active  default  gateway  

3. When  clients  on  VLAN 121  issue  an  ARP  request  for  the  Default  Gateway  it  should  respond  with  MAC  address  0000.5E00.0174 without  configuring  this  MAC  address  in  the  configuration  

4. Use  the  .254  host  IP  address  as  the  default  gateway  for  this  network  segment  

5. Configure  SW1-2  as  the  primary  switch  using  a  value  of  200  

6. Use  a  clear  text  password  of  “IPexpert”  to  secure  the  protocol  

7. Ensure  a  higher  priority  backup  router  does  not  take  over  the  role  of  a  lower  priority  active  router.  Configure  this  only  on  the  current  primary  switch.  

8. Ensure that SW1-2 becomes the standby router after 30 seconds, when the Loopback address of SW3 disappears from the routing-table

9. Switches  should  declare  their  neighbors  down  in  10 seconds  

 

 

Task 7: GLBP

1. Ensure that hosts on VLAN 222 are always able to reach their default gateway when one of the 2 switches fails

2. Use  a  load  balancing  Cisco  proprietary  protocol  

3. Use  the  .55  host  IP  address  as  the  default  gateway  for  this  network  segment  

4. Both  routers  should  be  capable  of  forwarding  traffic.    

5. SW1-1  should  be  answering  all  ARP  requests  

6. When  the  Loopback  address  of  one  of  the  upstream  switches  disappears  from  the  routing  table  the  switches  should  no  longer  be  AVF  

7. Delay  the  take  over  of  the  AVF  role  for  a  standby  switch  for  3 minutes  if  any  current  AVF  fails  

8. The  router  should  become  the  AVG  after  30 seconds  if  it  has  a  higher  priority  than  the  current  AVG  

9. Ensure the routers support In-Service-Software-Upgrades

Task 8: Virtual Port-Channels (vPCs) and FabricPath

1. Load the initial configuration of Chapter 4 Task 8 on the Nexus 7000 switch to stage the Virtual Device Contexts needed for this lab

2. Configure  the  FabricPath  network  to  stretch  VLAN  666  between  all  Leaf  switches  

3. Ensure the PC connected to SW2 and SW3 is able to connect using a virtual Port-Channel with number 100 in all places where a number must be configured

   

 

 

 

 

 

 

Chapter  5:  Data  Center  Storage  Networking  

Chapter 5: Data Center Storage Networking is intended to familiarize you with the Storage Networking features on the Cisco MDS switches. It covers configuring traditional Fibre Channel networks and basic Fibre Channel features.

 

We  highly  recommend  creating  your  own  diagram  at  the  beginning  of  each  lab  so  you  are  able  to  draw  on  your  own  diagram,  making  it  much  easier  when  you  step  into  the  real  lab.  

Multiple  topology  drawings  are  available  for  this  chapter.  

   

       

General Rules

• Try to diagram out the task. Draw your own connections the way you like it

• Create a checklist to aid as you work through the lab

• Take  a  very  close  read  of  the  tasks  to  ensure  you  don’t  miss  any  points  during  grading!    

• Take  your  time.  This  is  not  a  Mock  Lab,  so  no  time  constraints  are  in  place  for  finishing  this  particular  chapter  

Estimated  Time  to  Complete:        5  hours  

 

Pre-setup

• Connect to the MDS switches within the topology

• Use  the  central  topology  drawing  at  the  start  of  this  workbook  

• The  switches  start  with  a  blank  configuration.  You  will  be  creating  parts  of  your  own  Initial  Configuration  for  later  labs.  

• This  lab  is  intended  to  be  used  with  online  rack  access  provided  by  our  partner  Proctor  Labs  (www.proctorlabs.com).  Connect  to  the  terminal  server  and  complete  the  configuration  tasks  as  detailed  below  

 

Drawing  1:  Physical  Topology  

 

Configuration  tasks  

Task 1: Initial set-up

1. Give the MDS switches in the topology the following hostnames: MDS1, MDS2. Configure the default username and password according to the generic lab topology

2. Ensure that they can be reached through the management network using IP addresses in the range as stated in the initial set-up information at the beginning of the workbook. Use Host IP addresses of .10 and .11

3. Use  the  default  gateway  of  the  management  subnet  as  Time  Synchronization  server  

4. Do  not  use  any  automatic  selection  of  interface  type  for  this  lab,  unless  specifically  stated  

5. Do not use automatic speed selection on interfaces

6. Use  200MBps  connections  towards  the  JBODs

7. JBODs  on  MDS2  should  automatically  detect  the  interface  speeds  

8. Ensure  Fabric Logins  are  done  by  the  connected  JBODs  

9. Enable  the  links  between  the  MDS  switches  as  standard  based  ISLs  

10. Configure a descriptive name on all interfaces consisting of the name and port of the device which is connected. You are prohibited from using the ‘description’ command.

11. Ensure  the  connection  towards  JBOD1  is  easily  physically  located  on  MDS1  

12. The fiber connected to fc1/10 is of low quality, causing errors on the interface. Ensure the switch does not go into err-disable state for this reason.

13. Ensure  that  interfaces  on  the  MDS  switches  are  shutdown  when  no  configuration  is  applied  to  them  

14. All  disks  inside  of  the  JBODs  should  be  identified  on  the  MDS  switches  with  a  simple  name  in  the  form  of  JxDy  where  X  is  the  JBOD  number  and  Y  is  the  disk  number.    

15. The  simple  device  names  should  be  seen  on  both  MDS  switches,  by  only  configuring  one  of  the  switches.  The  names  should  not  be  VSAN  dependent.  

16. Ensure  applications  that  use  the  simple  names  will  follow  changes  to  the  database  

17. Interface fc1/1 on MDS1 will be used for a long reach link. Enable as many credit buffers as possible and enable recovery of credits

18. JBOD1  on  MDS1  is  only  allowed  to  send  packets  with  a  maximum  size  of  2000  bytes  

19. Enable  B2B  credit  state  change  numbers  on  all  JBOD  interfaces  

 

Task 2: VSANs

1. Create VSAN 10, 20, 30 and 40 with names of “IPX_VSAN_#”, where # is the VSAN number

2. Configure  fc1/5  on  MDS1  in  VSAN 10  and  fc1/6  on  MDS2  

3. Configure  fc1/5  on  MDS2  and  fc1/6  on  MDS1  in  VSAN 20  

4. Ensure that WWPN 20:11:00:0a:31:00:aa:de is automatically placed in VSAN 30 when it comes online anywhere in the Fibre Channel fabric

5. Ensure  that  J1D1  is  automatically  placed  in  VSAN 40  when  it  comes  online  in  the  fabric  

6. MDS1  should  use  the  Source  and  Destination  FCID  for  load  balancing  across  equal  cost  paths  in  VSAN 10  

7. MDS2 should use Exchange based load balancing across different interfaces in a port-channel in VSAN 20

8. Ensure  that  all  ISLs  of  the  MDS  switches  are  capable  of  transferring  multiple  VSANs  across  the  same  interface  

9. Configure  fc1/1  and  fc1/3  on  both  MDS  switches  as  a  single  logical  connection  using  number  101

10. Interfaces  fc1/1  and  fc1/3  should  negotiate  their  bundling  capabilities  

11. Create  a  single  logical  connection  consisting  of  fc1/2  and  fc1/4  on  both  MDS1 and MDS2  switches  with  number  127  

12. VSAN 30  should  only  use  the  logical  interface  127  

13. VSAN 40  should  only  use  logical  interface  101  

14. VSAN 10  and  VSAN 20  should  be  able  to  cross  both  ISL  bundles  between  the  MDS  switches  

15. VSAN 10 should always use bundle 101 as its primary connection to the other MDS

16. VSAN 20 should always use the bundle 127 as its primary connection to the other MDS

17. Packets  traversing  VSAN 30  should  be  guaranteed  to  reach  their  destination  in  the  same  order  as  they  have  left  the  source.  

18. Traffic  between  J1D1  and  J2D2  in  VSAN 10  should  always  use  the  bundle 127 as  long  as  the  interface  is  up  

19. The  Lowest  domain ID  in  VSAN 20  should  be  the  Multicast  root  switch  

20. Use  incremental  Dijkstra  algorithm  calculations  in  VSAN 30  

21. Prevent  unused  ports  from  using  the  Default  VSAN

22. Configure  an  IP  connection  between  the  MDS  switches  across  the  ISL  links.  Use  VSAN 50 for  this  use,  which  can  flow  across  all  ISLs.  Use  an  IP  subnet  of  198.18.50.x/24  with  .1  and  .2  as  host  IP  addresses  

 

Task 3: Zoning

1. Configure zoning in VSAN 10 so the following disks are able to communicate. Ensure that the simple names are kept in the configuration:

a. J1D2  

b. J1D3  

c. J1D4  

2. Configure  zoning  for  VSAN 10  so  the  following  disks  can  see  each  other,  use  the  WWPN  of  the  disks:  

a. J1D5  

b. J1D6  

3. Ensure  all  disks  of  interface  fc1/6  on  MDS2  are  able  to  see  each  other  in  VSAN 10.  Perform  the  configuration  on  MDS1.  

4. FC  frames  sent  to  a  destination  FCID  of  0xFFFFFF  should  only  arrive  at  disk  J1D5  and  J1D6  

5. Activate  the  zoning  in  VSAN 10

6. Copy  the  current  zoneset  of  VSAN 10.    

7. Remove  the  zone  created  in  question 3  from  the  just  copied  zoneset  and  add  another  zone  that  adds  all  disks  of  JBOD2  using  their  FCIDs  

8. Ensure that this second zoneset is not activated, but is seen on both MDS switches. You are not allowed to change any configuration on MDS1

9. Ensure  that  all  changes  to  all  zonesets  are  replicated  between  all  switches  in  VSAN 10  every  time  a  zoneset  is  activated  

10. Use  zoning  compliant  with  FC-GS-4  and  FC-SW-3  in  VSAN 20  

11. Use  inline  zone  creation  for  VSAN 20  

12. Zoning  in  VSAN 20  should  ensure  that  the  following  disks  are  able  to  read  data  from  each  other,  but  never  write:  

a. J2D1  

b. J2D2  

c. J2D3  

13. Create  a  zone  in  VSAN 20  that  ensures  the  following  disks  are  prioritized  over  other  disks  when  ISLs  are  congested.  Use  the  FWWN  of  the  disks:  

a. J2D4  

b. J2D5  

14. When  devices  are  not  specified  in  zones  in  VSAN 20,  they  should  be  allowed  to  read  data  from  each  other  

15. J2D5  LUN 19  and  J1D6  LUN 116  should  be  able  to  communicate  to  each  other  in  VSAN 20.  No  other  LUNs  on  those  disks  can  communicate  

16. Activate zoning in VSAN 20 and ensure it is seen on both MDS1 and MDS2

Task 4: FC Domain

1. Configure FC Domain IDs in VSAN 10. MDS1 should be using a static ID of 34 and MDS2 should prefer to use an ID of 0x34, but can use a different one when this is already taken

2. Ensure  MDS1  is  the  principal  switch  in  VSAN 10

3. Domain  IDs  for  new  switches  should  be  handed  out  in  a  sequential  order  

4. Disruptive  restarts  from  other  switches  should  not  affect  MDS1

5. Ensure  the  J1D1  disk  in  VSAN 10  gets  assigned  an  FCID  in  the  range  of  0x222200  to  0x2222FF

6. MDS2  should  be  assigning  Domain  IDs  to  other  switches  in  the  fabric  for  VSAN 20.  MDS2  should  use  a  range  of  0xB0  to  0xCE.  

7. MDS1  should  prefer  a  Domain  ID  of  214  in  VSAN 20

8. Ensure  that  VSAN 30  is  prepared  for  fast-restart  

Task 5: Fibre Channel Security Features

1. Ensure that no rogue devices can be connected to VSAN 10 other than the current JBODs and MDS switches. Assume you are not aware of the WWPNs and SWWNs of the currently attached devices and switches.

2. Prepare VSAN 10 so the following PWWNs that will be added in the future are able to access the Fibre Channel network:

a. 20:00:00:A3:BF:33:11:33  on  MDS1  fc1/11  

b. 20:00:00:A3:DE:11:66:2B  on  MDS2  

c. 20:00:00:A3:FE:00:98:32  can  be  connected  to  either  MDS  

3. Configure  a  security  mechanism  in VSAN 20  to  ensure  all  devices  participating  are  manually  configured  before  they  are  allowed  access.  You  are  only  allowed  to  change  configuration  on  MDS1  for  this  task.  Be  as  specific  as  possible.  

4. No  other  MDS  switches  other  than  MDS1  and  MDS2  are  allowed  to  participate  in  VSAN 30  

5. Only  the  existing  Domain  IDs  are  allowed  to  be  used  in  VSAN 30  

6. Ensure the strongest Diffie-Hellman group is used between the MDS switches for link authentication

7. Accept  a  password  of  ‘IPexpertMDS1’  on  MDS1  and  a  password  of  ‘IPexpertMDS2’  on  MDS2.  Be  as  specific  as  possible.

8. MDS1  should  actively  initiate  authentication  requests  to  MDS2  on  fc1/1.  When  MDS2  fails  to  respond  after  15  minutes  the  link  should  go  down.  MDS2  should  not  initiate  authentication  requests  

9. Use an SHA1 hash on fc1/2 between the MDS switches. A fall-back to MD5 is supported. Both MDS switches should actively start negotiating the authentication capabilities

10. Disable  authentication  on  the  second  member  of  port-channel 101  

11. The  link  fc1/4  is  authenticated,  but  it  is  not  a  strict  requirement  and  is  able  to  come  online  without  any  authentication.  

Task 6: Advanced Features

1. Assume that there is a topology with more than 2 MDS switches. Ensure that Cisco Call Home configuration is distributed between all switches. MDS2 has its own call-home configuration and should not be changed when other switches are changed. Other distributed configuration should not be affected by this configuration

2. Your  manager  has  asked  you  to  come  up  with  a  list  of  all  SCSI  hosts  connected  to  VSAN 10.  Save  this  list  to  a  file  called  ‘VSAN10hosts.txt’  on  the  flash  of  MDS1.  

3. The  list  of  SCSI  hosts  should  be  generated  every  24  hours  and  the  text  file  on  the  flash  should  be  updated  with  the  updated  list.  

4. J1D1  and  J2D1  are  synchronized  with  each  other.  J1D1  is  the  primary  disk  and  J2D1  is  its  backup.  Ensure  that  hosts  in  VSAN 10  can  automatically  keep  accessing  the  disk  when  the  primary  fails.  When  the  failed  disk  is  replaced  and  working  again,  it  should  return  to  being  the  primary  disk.  

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Chapter  6:  Data  Center  Storage  Networking  Extension  

Chapter 6: Data Center Storage Networking Extension is intended to familiarize you with the Storage Networking features on the Cisco MDS switches. This chapter covers configuring IP features such as iSCSI, iSLB and FCIP, including the relevant Security features for Fibre Channel extension across IP connections. We highly recommend creating your own diagram at the beginning of each lab so you are able to draw on your own diagram, making it much easier when you step into the real lab. Multiple topology drawings are available for this chapter.

 

 

 

 

General Rules

• Try to diagram out the task. Draw your own connections the way you like it

• Create a checklist to aid as you work through the lab

• Take  a  very  close  read  of  the  tasks  to  ensure  you  don’t  miss  any  points  during  grading!    

• Take  your  time.  This  is  not  a  Mock  Lab,  so  no  time  constraints  are  in  place  for  finishing  this  particular  chapter  

Estimated  Time  to  Complete:        5  hours  

Pre-setup

 

• Connect  to  the  MDS  switches  within  the  topology  

• Use  the  central  topology  drawing  at  the  start  of  this  workbook  

• The   switches   start  with   a   blank   configuration.   You  will   be   creating   parts   of   your   own  Initial  Configuration  for  later  labs.  

• This  lab  is  intended  to  be  used  with  online  rack  access  provided  by  our  partner  Proctor  Labs  (www.proctorlabs.com).  Connect  to  the  terminal  server  and  complete  the  configuration  tasks  as  detailed  below  

 

Drawing  1:  Physical  Topology  

 

 

 

Drawing  2:  Logical  Topology      

Configuration  tasks  

Task 1: Initial set-up

1. Leave the configurations of MDS1 and MDS2 intact from the previous exercises.

2. Configure  the  Nexus  5000  switches  SW2  and  SW3  with  the  VLANs  as  stated  in  Drawing 2.   MDS1   and   MDS2   should   be   able   to   communicate   over   these   VLANs   to   each   other  across  SW2  and  SW3.  

3. Both  GigabitEthernet   interfaces   on   each  MDS   switch   should   have   access   to   all   VLANs  required  in  this  lab  

4. When  required,  use  IP  addresses  in  the  range  of  198.18.X.Y/24  in  this  lab.  Where  X  is  the  VLAN  number  and  Y  is  the  Host  address  as  stated  in  Drawing 2    

Task  2:  FCIP  

1. Configure   a   FCIP 1   connection   between   MDS1   and   MDS2   using   the  GigabitEthernet1/1 interface  

2. You  are  only  allowed  to  use  1  TCP  connection  

3. VSAN 10  and  20  may  be  transported  across  this  connection  

4. Make  sure  MDS1  always  initiates  the  connection  

5. Use a non-default port for the FCIP 1 connection

6. If GigabitEthernet1/1 fails, the GigabitEthernet1/2 interface should automatically take over the FCIP 1 connection. You are not allowed to change the FCIP configuration to accomplish this. The use of port-channels for this question is prohibited.

7. Create an FCIP 2 connection between MDS1 and MDS2 using the GigabitEthernet1/2 interface

8. Ensure  this  connection  will  receive  a  higher  QoS  priority  than  FCIP 1  

9. VSAN 10, 20  and  50  may  be  transported  across  this  connection    

10. Ensure   VSAN 10   uses   FCIP 1   as   primary   link   and   VSAN 20   uses FCIP 2   as   the  primary  link  on  MDS1,  where  MDS2  is  configured  vice  versa  

11. The  FCIP 2  tunnel  should  be  brought  down  when  no  TCP  packets  are  received  for  90  seconds  

12. The  FCIP 2  connection  should  use  the  highest  possible  compression  

13. Ensure FCIP 1 supports a method that sends R_RDY messages locally, so that write actions complete faster

14. The FCIP 2 connection should be highly available. A third FCIP connection is allowed for this task. Keep high availability in mind when configuring the third FCIP connection. When a failure occurs in the FCIP 2 connection this should not be noticed by the FSPF protocol. The use of Ethernet port-channels for this question is prohibited.

 

Task  3:  FCIP  Security  

1. Protect   the   failover   mechanism   of   the   FCIP 1   connection   using   a   MD5   hash   of  ‘SecureIPexpert’  

2. Traffic  crossing   the  FCIP 1   connection  should  be   transferred  encrypted  across   the   IP  network.  

3. Use   an   MD5   hash,   AES 128-bits   encryption   and   use   a   pre-shared-key   of  ‘IPexpertEncrypt’  

 

Task  4:  SAN  Extension  Tuner  

1. Use  VSAN 50  and  the  FCIP 2  connection  for  this  task  

2. Simulate  a  continuous  SCSI  read  flow  across  VSAN 50  using  the  FCIP 2  connection  

3. Use  2  open  I/O  operations  

4. Use  512KB  data  packets  

5. Configure  the  traffic  simulation  in  2  directions  

 

Task  5:  iSCSI  

1. Do  not  use  any  dynamic  configuration  option  which  might  be  available  in  this  task  

2. Use  GigabitEthernet1/1  for  this  task  on  MDS1  

3. Create   an   iSCSI   portal   on   this   interface   using   the   iSCSI   VLAN   as   mentioned   in  Drawing 2  

4. Use a non-default port for the iSCSI portal

5. iSCSI  traffic  leaving  this  interface  should  be  marked  with  DSCP 22  

6. Configure  an  initiator  with  IP  address  198.18.71.100  

7. Manually  assign  a  nWWN  and  a  pWWN  to  the  initiator  

8. This   initiator  wants  to  access  resources  in  VSAN 20,  do  not  configure  the  VSAN  under  the  initiator  

9. Ensure  that  only  the  just  configured  iSCSI  initiator  can  access  the  virtual  J2D1  target  

10. Use  an  IQN  of  “iqn.iscsi-disk-JBOD2-Disk1”  for  this  target  

11. This  target  should  only  be  available  on  this  iSCSI  portal  

12. The   host   should   mutually   authenticate   the   iSCSI   session   with   a   username   of  “iSCSI1”  and  a  password  of  “IP3xp3rtiSCSI”  

13. iSCSI  initiators  should  be  able  to  access  J1D3  on  LUN  0,  where  the  J1D3  FC  disk  only  advertises  LUN  10  

14. When  the  disk  J1D3  fails,  J2D3  should  seamlessly  take  over.  When  the  disk  in  J1D3  has  been  replaced  it  should  automatically  switch  back  to  this  primary  target  

15. Enable  trespass  support  

16. Improve  read  performance  on  MDS1  for  iSCSI  traffic  

17. Configure  an  iSCSI  portal   in   the  iSCSI  VLAN  as  mentioned   in  Drawing 2  on  MDS2  GigabitEthernet1/1  

18. All  iSCSI  initiators   on   this   new   portal   should   appear   as   a   single  N-port   in   the  Fibre  Channel  fabric  

19. Enable  data-digest  on  this  portal  

20. Configure   3   initiators   on   MDS2   named   iqn.initiator-server-1,  iqn.initiator-server-2  and  iqn.initiator-server-3.  

21. Give   the   3   initiators   access   to   J1D1   in   VSAN 10   without   configuring   the   VSAN  database  for  VSAN 10  

22. Use  a  single  zone  with  2  entries  to  accomplish  this  

 

Task  6:  iSLB  

1. Do  not  use  any  dynamic  configuration  option  which  might  be  available  in  this  task

2. Configure  an  iSLB  portal  on  GigabitEthernet1/2  on  MDS1  and  MDS2 on  the  iSLB  VLAN  as  presented  in  Drawing 2  

3. Configuration  for  iSLB  targets  and  initiators  may  only  be  done  on  MDS2  

4. When  MDS2  fails,  MDS1  should  automatically  take  over  all  sessions  

5. Ensure  that  both  MDS  switches  are  using  weighted  load  balancing.  

6. Manual  zoning  changes  are  not  allowed  

7. Configure  5  initiators  with  names  of  iqn.islb-initiator-host-1   through  host-5  

8. Ensure   the   initiators   are   assigned  with   a  nWWN   and   2  pWWNs   which   are   automatically  assigned  by  the  MDS  switch  

9. Zones  should  have  ‘IPexpert’  in  their  name

10. Host 3 is  a  database  server,  which  will  have  more  iSCSI  connections  than  the  other  hosts.  Ensure  load  balancing  takes  care  of  this.  

11. All   initiators   should   have   access   to   J2D2   LUN   0x0   and   0x1   in   VSAN 10   which  should   be   presented   as   LUN   0xA   and   0xB.   Do   not   use   the   ‘virtual-target’  command.  

12. Use  J1D2  as  a  backup  when  J2D2  fails.  The  target  should  not  switch  back  when  J2D2  is  repaired  

13. The J1D1 disk in VSAN 20 should be made highly available on the 2 MDS switches. Ensure iqn.islb-initiator-host-3 is the only host that can access it on both MDS switches using the resilient iSLB portal. Do not use the ‘virtual-target’ command.

14. The  use  of  auto-zoning   is  not  allowed  for  the  question  above  as   is  zoning  based  on  Symbolic Name  or  IP  addressing  

15. Ensure   all   initiators   are   authenticated   with   a   username   of   “host-1”   through  “host-5”  with  a  password  of  “iSLBpassw0rd”  

16. Do  not  remove  any  configuration  from  the  MDS  switches  when  continuing  with  the  next  chapter  

 

 

 

 

 

 

 

Chapter  7:  Data  Center  Unified  Fabric  

Chapter 7: Data Center Unified Fabric is intended to familiarize you with the Storage Networking features available on the Cisco Nexus switches, combined with the Cisco MDS switches.

This chapter covers implementing FCoE features inside the Nexus switches and their backwards compatibility with Native FC connections. Besides that, we will be looking at N-Port Virtualization configurations.

We  highly  recommend  creating  your  own  diagram  at  the  beginning  of  each  lab  so  you  are  able  to  draw  on  your  own  diagram,  making  it  much  easier  when  you  step  into  the  real  lab.  Multiple  topology  drawings  are  available  for  this  chapter.  

 

 

 

 

General Rules

• Try to diagram out the task. Draw your own connections the way you like it

• Create a checklist to aid as you work through the lab

• Take  a  very  close  read  of  the  tasks  to  ensure  you  don’t  miss  any  points  during  grading!    

• Take  your  time.  This  is  not  a  Mock  Lab,  so  no  time  constraints  are  in  place  for  finishing  this  particular  chapter  

Estimated  Time  to  Complete:        2  hours  

Pre-setup

• Connect  to  the  MDS  switches  within  the  topology  

• Use  the  central  topology  drawing  at  the  start  of  this  workbook  

• The  Nexus  switches  start  with  a  blank  configuration.  You  will  be  creating  parts  of  your  own  Initial  Configuration  for  later  labs.  

• The  MDS  switches  are  using  the  configuration  from  the  previous  chapters  

• This  lab  is  intended  to  be  used  with  online  rack  access  provided  by  our  partner  Proctor  Labs  (www.proctorlabs.com).  Connect  to  the  terminal  server  and  complete  the  configuration  tasks  as  detailed  below  

       

Drawing  1:  Physical  Topology  

 


Drawing  2:  Logical  Topology  VSAN  20  

   


Configuration  tasks  

Task  1:  Native  Fibre  Channel  on  Nexus  

1. Leave the configurations of MDS1 and MDS2 intact from the previous exercises.

2. Set   the  GigabitEthernet   interfaces   on  MDS1   and  MDS2   to   shutdown,   so   all  iSCSI  and  FCIP  connections  are  down  

3. SW2  and  SW3   should  participate   in  VSAN 10  and  VSAN 20  using  native  Fibre  Channel  interface  fc1/31  and  fc1/32.  Use  fc1/13  and  fc1/14  on  the  MDS  switches.  

4. Ensure  the  interfaces  are  seen  as  a  single  connection  for  the  FSPF  protocol  

5. Request   the   lowest   Domain ID   possible,   but   accept   any   other   as   given   out   by   the  principal  switch  

6. Ensure  all  devices  in  VSAN 10  and  VSAN 20  are  visible  on  SW2  and  SW3

7. Keep  in  mind  the  security  mechanism  active  in  VSAN 10  and  VSAN 20

 

Task  2:  Fibre  Channel  over  Ethernet  (FCoE)  

1. Create  a  vPC  consisting  of  Ethernet1/24  on  both  SW2  and  SW3  

2. Assume  a  host  is  connected  to  the  vPC  on  SW2  and  SW3.  

3. This  host  should  be  able  to  communicate  to  disks  in  VSAN 10  on  SW2  and  disks  in  VSAN 20  on  SW3.    

4. Use  VLAN 10  and  VLAN 20  for  this  task  

5. Ensure  both  SW2  and  SW3  discard  FCoE  frames  received  across  the  interlink  between  the  switches  

6. SW2  should  be  used  as  the  primary  switch  to  connect  to  

7. Non-FCoE traffic is not allowed to cross the link. You are not allowed to use the switchport trunk allowed vlan command.

 

 

 

 


Task  3:  Multi  hop  FCoE  

1. Shut down all ISL links on the MDS switches

2. Ensure   that   the   Fibre   Channel   fabric   keeps   functioning   in  VSAN 20   without   enabling  direct  interfaces  between  the  MDS  switches  

3. Configure  the  network  in  such  a  way  that  it  is  compliant  to  Drawing 2  

4. Turn  on  the  VFID  check  on  SW1-1 to  prevent  loopbacks

5. Ensure  all  FCoE  connections  are  authenticated  using  an  SHA-1  hash  

6. SW1-1  is  authenticating  using  a  password  of  ‘Nexus7000password’  

7. SW1-1 should  authenticate  SW2  with  a  password  of  ‘SecureNexus5000-1’  

8. SW3  is  using  a  password  of  ‘IPexpertIsAwesome’  

9. SW1-1  should  never  initiate  the  authentication  negotiation  

10. Configure a feature that allows only the switches currently participating in VSAN 20 into the VSAN 20 fabric.

 

Task  4:  FCoE  Quality  of  Service  (QoS)  

1. Ensure  FCoE  best  practices  are  followed  in  this  topology  

2. Configure   Quality of Service   so   all   Nexus   switches   support   the   configured  topology  

3. Prevent one blocked receiver from affecting traffic that is sent to other non-congested blocking receivers on SW2

4. The   link   between  SW2   and  SW3   is  2000 meters   long.   Ensure   the   topology   supports  lossless  Ethernet  on  this  link.  

5. Fibre  Channel  frames  crossing  the  Nexus  switches  may  never  be  fragmented  

 

 

 

 

 

 


Drawing  3:  NPV  topology  

 

 

Task 5: N-Port Virtualization (NPV) and N-Port ID Virtualization (NPIV)

1. Enable  the  ISL  links  between  MDS1  and  MDS2  again  

2. Ensure  the  MDS  switches  are  not  limited  to  239  Domain IDs  per  VSAN  

3. MDS2  is  the  core  switch  and  MDS1  the  edge  switch  in  this  topology  

4. Devices  need  to  be  connected  in  VSAN 10  

5. JBOD1  interface  on  MDS1  should  be  using  the  first  uplink  to  the  core  switch  

6. JBOD2  interface  on  MDS1  should  be  using  the  third  uplink  to  the  core  switch  

7. Ensure  traffic  is  automatically  balanced  across  all  uplinks  

 

 

 

 


Task  6:  FCoE  NPV  

1. Configure SW2 to support N-Port Virtualization. A reboot of the switch is not allowed to accomplish this task

2. Use  Ethernet1/8  on  SW3  as  the  link  where  the  logins  are  received  from  SW2

3. Use  VSAN 20  for  this  task  

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 


 

 

Chapter  8:  Security  Features  

Chapter 8: Security Features is intended to familiarize you with the security features available on the Nexus platform. You will be configuring AAA services and other management security, as well as LAN security features such as DHCP snooping and other protective features.

We  highly  recommend  creating  your  own  diagram  at  the  beginning  of  each  lab  so  you  are  able  to  draw  on  your  own  diagram,  making  it  much  easier  when  you  step  into  the  real  lab.  Multiple  topology  drawings  are  available  for  this  chapter.  

 

 

 

 

 


General Rules

• Try to diagram out the task. Draw your own connections the way you like it

• Create  a  checklist  to  aid  as  you  work  thru  the  lab  

• Take  a  very  close  read  of  the  tasks  to  ensure  you  don’t  miss  any  points  during  grading!    

• Take  your  time.  This  is  not  a  Mock  Lab,  so  no  time  constraints  are  in  place  for  finishing  this  particular  chapter  

Estimated  Time  to  Complete:        4  hours  

Pre-setup

• Connect  to  the  Nexus  switches  within  the  topology  

• Use  the  central  topology  drawing  at  the  start  of  this  workbook  

• The  Nexus  switches  start  with  a  blank  configuration.    

• This  lab  is  intended  to  be  used  with  online  rack  access  provided  by  our  partner  Proctor  labs  (www.proctorlabs.com).  Connect  to  the  terminal  server  and  complete  the  configuration  tasks  as  detailed  below  

Drawing  1:  Physical  Topology    

 


Drawing  2:  Logical  Topology  


Configuration  tasks  

Task  1:  Port  Security  

1. Configure  a  basic  configuration  for   the  3  Nexus  switches  SW1,  SW2  and  SW3,  using  the  defaults  as  stated  at  the  beginning  of  this  workbook.  

2. Create  VLANs  where  necessary  in  this  chapter.  

3. Configure   a   port-channel   of   the   first   2   interfaces   between   each   switch.   Use   a  standards   based  protocol   to   negotiate   the   bundling   parameters.   The   result   should   be  equal  to  Drawing 2  

4. Ensure  that  only  10  hosts  are  able  to  use  Ethernet1/11  on  SW2.  The  port  should  go  into  ‘errdisable’  when  the  11th  host  is  connected  to  the  interface.  

5. Ensure   that   the   learnt  MAC   addresses  are  cleared  on   the  Ethernet1/11   interface  on  SW2  after  they  did  not  send  any  traffic  for  6 minutes.  

6. Only  the  following  MAC  addresses  are  able  to  access  Ethernet1/11  on  SW3  

a. 0010.4431.a1b3  

b. 10:22:a0:f5:b3:de  

c. 0011.99ff.22aa  

d. 55:81:a0:9a:b0:0c  

e. ba01.dad3.c0ff  

7. Ensure  packet  count  is  logged  for  all  violating  packets  on  Ethernet1/11  on  SW3  

8. Ensure   that   no   more   than   100   MAC   addresses   are   learnt   on   the   port-channel  between  SW2  and  SW3.  The  interfaces  should  keep  working,  but  stop  learning  and  deny  access  to  possible  new  MAC  addresses  after  the  number  has  been  reached.  

9. On  the  port-channel  between  SW2  and  SW3  the  amount  of  MAC  addresses  should  be  divided   between   VLAN 10,   11,   12   and   13.   Ensure   VLAN 10   can   use   2/3 of   the  maximum.  

10. Ensure  all  MAC  addresses  on  the  port-channel  between  SW2  and  SW3  are  saved  in  the  database  

11. Create  a  routed  interface  of  Ethernet1/7  on  SW2  with  IP  address  198.18.100.1/24.  Create  a  VLAN 100  interface  on  SW3  with  IP  address  198.18.100.2.  

12. Ensure   that   only   the   host   with   MAC   address   1234.5678.abcd   can   access  Ethernet1/7  on  SW3.  It’s  not  allowed  to  configure  this  MAC  address  on  SW3.  


13. Ensure  SW2  and  SW3  are  able  to  ping  each  other.  

 

Task  2:  DHCP  Snooping,  DAI,  IP  Source  Guard  

1. A  DHCP  server  is  connected  in  VLAN  50  on  interface  Ethernet3/10  on  SW1.  No  other  interfaces  are  allowed  to  send  DHCP  OFFER  messages  to  clients.  

2. Ensure  the  DHCP  server  receives  the  DHCP  REQUEST  packets  with  information  about  the  port  that  the  host  is  connected  to  in  the  DHCP  packet  

3. When  a  DHCP  REQUEST  message  is  received  on  an  interface,  the  Source  MAC  address  and  the  DHCP  Client  Hardware  Address  should  be  verified  to  match  

4. Ensure VLAN 50 is protected against ARP spoofing attacks on SW1

5. SW1  should  not  check  ARP  packets  received  on  the  port-channel  interfaces  

6. Ensure  that  ARP  requests  to  IP  addresses  that  fall  in  the  range  of  198.18.50.0/28  are  always  allowed  

7. Ensure  that  SW1  keeps  a  log  of  the  last  50  deny  and  accept  messages  

8. Ensure  that  SW1  also  checks  for  invalid  or  unexpected  IP  addresses  in  ARP  packets  

9. Ensure  that  all  IP  traffic  is  checked  for  spoofing  attacks  on  interface  Ethernet3/11, Ethernet3/13  and  Ethernet3/14  using  the  DHCP  Snooping  database.  

10. A   host   with  MAC   address  4019.a201.b04e   and   a   statically   configured   IP   address   of  198.18.50.254   is   connected   to  Ethernet3/12  on  SW1.  Ensure   this  host   is  allowed  access.  

11. Configure  a  SVI  with  IP  address  198.18.50.1/24  in  VLAN 50  on  SW1.    

12. Ensure   that   all   traffic   entering   the  VLAN  interface   is   checked  against   the  routing  table  to  ensure  that  the  switch  knows  the  Destination  IP  address  of  the  packet  and  it  has  a  routing  entry  towards  this  network.  A  default  route  would  also  qualify  for  this  check.  

 

Task  3:  Access  Control  Lists  

1. Use  a  protection  on  VLAN  50  of  SW1  to  protect  it  against  denied  traffic  according  to  the  following  rules.      

2. Be  as  specific  as  possible.  

3. The  198.18.255.100  host  is  allowed  to  access  hosts  in  VLAN 50.  


4. Secure  Web  traffic  coming  from  servers  in  198.18.128.0/18  to  VLAN 50  is  allowed.  Clients  in  VLAN 50  are  using  non-reserved  ports.  

5. The Server farm is located in the 198.19.0.0/16 subnet and the 198.18.192.0/24 subnet. Hosts in VLAN 50 want to access Web servers, DNS servers and Mail (to receive mail through POP3 and send mail) servers. You are prohibited from configuring these applications in the ACL. Only two entries in the ACL are allowed for this question.

6. You  are  not  allowed  to  apply  the  ACL  to  the  VLAN  interface  

7. A  host  connected  in  VLAN 50  through  interface  Ethernet1/15  on  SW2  is  not  allowed  to  access  the  IMAP  server  with  IP  address 198.19.0.25.  Ensure  this  is  enforced.  

8. A rogue device is found that tries to log in to management interfaces. Deny telnet and SSH traffic to the management interface of the switches from the 192.0.2.0/24 subnet. Ensure all other IP addresses are still able to manage the switches through all management services. Only a single ACL entry is allowed for this task.

9. Ensure   all TCP   traffic   entering   on   Ethernet3/22   on   SW1   is   copied   to  Ethernet3/23  on  SW1    

10. In  addition   to   the   IP  security  of  VLAN  50   your  manager  also  wants   to  only  allow  valid  MAC  addresses  from  the  Server  farm  to  access  hosts  in  VLAN  50.  The  servers  have  MAC  addresses  in  the  range  of  0bad.c0ff.ee00  up  to 0bad.c0ff.eeff.    

11. Statistics  should  be  collected  per  entry  in  VLAN 50  

12. Ensure  the  control plane  of  SW2  and  SW3  is  optimized  for Layer 3 routing  
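Task 1 (item 6) lists its permitted MAC addresses in mixed dotted and colon notation, and Task 3 (item 10) gives the server-farm MACs as a range. The Python helper below is an added example, not part of the workbook: it normalises the addresses to dotted form, flags the group (I/G) and locally administered (U/L) bits, and converts the range to an address plus wildcard mask. The function names are hypothetical, and the address-plus-wildcard form is an assumption about how the MAC ACL entry would be written.

```python
import re

# Addresses copied from Task 1 item 6, in the notations the workbook prints.
TASK1_ALLOWED = [
    "0010.4431.a1b3",
    "10:22:a0:f5:b3:de",
    "0011.99ff.22aa",
    "55:81:a0:9a:b0:0c",
    "ba01.dad3.c0ff",
]
# Server-farm range from Task 3 item 10.
TASK3_RANGE = ("0bad.c0ff.ee00", "0bad.c0ff.eeff")

# Accepted notations: xxxx.xxxx.xxxx, xx:xx:xx:xx:xx:xx, xx-xx-xx-xx-xx-xx.
_FORMATS = (
    re.compile(r"^[0-9a-f]{4}(\.[0-9a-f]{4}){2}$"),
    re.compile(r"^[0-9a-f]{2}([:-])[0-9a-f]{2}(\1[0-9a-f]{2}){4}$"),
)


def parse_mac(text):
    """Return the 48-bit integer for a MAC in dotted, colon or hyphen form."""
    candidate = text.strip().lower()
    if not any(fmt.match(candidate) for fmt in _FORMATS):
        raise ValueError(f"not a recognised MAC notation: {text!r}")
    return int(re.sub(r"[.:-]", "", candidate), 16)


def to_dotted(value):
    """Format a 48-bit integer as xxxx.xxxx.xxxx."""
    digits = f"{value:012x}"
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def classify(value):
    """Read the I/G and U/L bits from the first octet."""
    first_octet = value >> 40
    return {
        "group": bool(first_octet & 0x01),  # I/G bit set: multicast/group address
        "local": bool(first_octet & 0x02),  # U/L bit set: locally administered
    }


def audit(macs):
    """Normalise each address and flag duplicates, group and local bits."""
    seen = set()
    report = []
    for raw in macs:
        value = parse_mac(raw)
        entry = {"input": raw, "dotted": to_dotted(value), "duplicate": value in seen}
        entry.update(classify(value))
        seen.add(value)
        report.append(entry)
    return report


def range_to_wildcard(low, high):
    """Convert an aligned MAC range to (base address, wildcard mask).

    A wildcard bit of 1 means "don't care". The range must be one aligned
    power-of-two block; otherwise a single entry cannot describe it exactly.
    """
    lo, hi = parse_mac(low), parse_mac(high)
    if lo > hi:
        raise ValueError("range start is above range end")
    mask = lo ^ hi
    if mask & (mask + 1) or lo & mask:
        raise ValueError("range is not a single aligned block")
    return to_dotted(lo), to_dotted(mask)


if __name__ == "__main__":
    for row in audit(TASK1_ALLOWED):
        print(row)
    print(range_to_wildcard(*TASK3_RANGE))
```

Running the audit over the workbook's values shows one Task 1 address (55:81:a0:9a:b0:0c) with the group bit set, and the same holds for the 0bad.c0ff.ee00 base of the server range, which is worth knowing before entering them as source addresses.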

 

Task  4:  AAA  services  

Always  group  configurations  for  AAA  servers  

There  is  a  RADIUS  server  in  the  management  network  with  IP  address 172.16.100.201  

The  TACACS+  server  in  this  network  is  172.16.100.202  

Both AAA  servers  are  using  a  key  of  “IPexpertAAA”  

Declare  the  RADIUS   server  dead  after  22  minutes.  Check   if   the  RADIUS   server   is  working  every  2  minutes.  Use  a  username  of  “ipexpert”  and  a  password  of  “IPexpert123”  for  this  task  

Requests  to  AAA  servers  should  timeout  after  2  seconds  

On  SW2  configure  default  authentication  to  be  done  by  the  RADIUS  server  


SW2  should  perform  a  fall-back   to   local  user  database   in  case  the  RADIUS  server  does  not  respond.  

For  access  to  the  console  port  only  the  local  user  database  should  be  used  

On  SW3  a  Cisco  proprietary  protocol  should  be  used  for  authenticating  SSH  users.    

When users do not have a role assigned, they should not be able to log in to the switch.

Users that try to log in should be notified when AAA servers are unreachable

Use   the  strongest   encryption   for   the   local   username/password   database   available   and  ensure  that  existing  passwords  are  converted  

 Ensure  accounting  is  enabled  on  SW2  

The TACACS+ users are configured with IOS-style privilege levels. Ensure SW3 honors these.

SW2  should  require  local  user  entries  to  use  strong  passwords.  SW3  does  not  enforce  this.  

Create  a  user  on  SW3  with  your  first  name  as  username  which  expires  on  December  31st  of  this  year.  

 

Task  5:  802.1X  

1. Hosts   that   want   to   access   SW1   are   required   to   authenticate.   Hosts   are   connected   at  interfaces  Ethernet3/25  up  to  3/31  

2. Users  should  be  authenticated  by  the  RADIUS  server  

3. On  Ethernet3/26  and  Ethernet3/27  it  should  be  possible  to  have  multiple  hosts  connected  

4. After an hour the authentication should be re-checked against the RADIUS server for all interfaces participating in the authentication. You are not allowed to use global configuration commands for this task.

5. Interface  Ethernet3/31  has  a  printer  connected  that  has  no  software  to  support  this  authentication.   Ensure   the   interface   is   still   authenticated   against   the   RADIUS  server.  

6. The  switch  should  allow  up  to  4  authentication  attempts  before  denying  access  

7. Ensure  all  activity  on  the  switch  is  logged  with  the  RADIUS  server  

 

 


Task  6:  Cisco  TrustSec  

1. Ensure  all  switches  authenticate  each  other  in  the  network  

2. Ensure  Cisco  TrustSec  is  using  RADIUS  for  authentication  

3. Enable  Cisco TrustSec  on  the  802.1X  interfaces  from  Task 5  

4. SW1  should  authenticate  itself  with  a  password  of  “SW1p@ssw0rd”  

5. SW2  should  authenticate  itself  with  a  password  of  “SW2p@ssw0rd”  

6. SW3  should  authenticate  itself  with  a  password  of  “P@ssw0rdSW3”  

7. Ensure   switches   authenticate   each   other   without   using   the   RADIUS   server   for  exchanging  SGT’s.  

8. You   are   allowed   to   use   a   SVI   on   each   switch   in   VLAN   99   with   the   IP   subnet   of  198.18.99.0/24  

9. Leave  all  configuration  in  place  on  the  switches  when  continuing  with  the  next  chapter.  

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 


   

Chapter  9:  Management  Features  

Chapter 9: Management Features is intended to familiarize you with the management features available on the Nexus platform. You will be configuring Role Based Access Control (RBAC), SNMP, Syslog, NetFlow, NTP and many more.

We  highly  recommend  creating  your  own  diagram  at  the  beginning  of  each  lab  so  you  are  able  to  draw  on  your  own  diagram,  making  it  much  easier  when  you  step  into  the  real  lab.  Multiple  topology  drawings  are  available  for  this  chapter.  

 

 

 

 

 

 


General Rules

• Try to diagram out the task. Draw your own connections the way you like it

• Create  a  checklist  to  aid  as  you  work  thru  the  lab  

• Take  a  very  close  read  of  the  tasks  to  ensure  you  don’t  miss  any  points  during  grading!    

• Take  your  time.  This  is  not  a  Mock  Lab,  so  no  time  constraints  are  in  place  for  finishing  this  particular  chapter  

Estimated  Time  to  Complete:        4  hours  

Pre-setup

• Connect  to  the  Nexus  switches  within  the  topology  

• Use  the  central  topology  drawing  at  the  start  of  this  workbook  

• The  Nexus  switches  start  with  configuration  from  the  previous  chapter  

• This  lab  is  intended  to  be  used  with  online  rack  access  provided  by  our  partner  Proctor  Labs  (www.proctorlabs.com).  Connect  to  the  terminal  server  and  complete  the  configuration  tasks  as  detailed  below  

Drawing  1:  Physical  Topology  

 


Drawing  2:  Logical  Topology  


Configuration  tasks  

Task  1:  Role  Based  Access  Control  (RBAC)  

• Perform  configuration  on  SW1  

• Create  a  username  “user1”  with  a  password  of  “User1p@ssw0rd”  

• User1  should  only  be  allowed  to  configure  the  following:  

o VLANs  

o VLAN Interfaces  

o Spanning-Tree  

o First Hop Redundancy Protocols  

• You  are  not  allowed  to  configure  these  features  directly  under  the  role  configuration  for  user1

• User1  is  only  allowed  to  configure  interfaces  Ethernet3/1  through  Ethernet3/10  

• Configure  username  “user2”  with  password  “User2User2”  

• User2  is  not  allowed  to  change  configuration,  but  is  allowed  to  verify  everything  related  to  

o Access Lists  

o Routing protocols  

o Licensing  

• You   are   not   allowed   to   configure   individual   routing-protocols   or   configure   a   new  feature-group  for  user2

• User2 can  only  configure  Layer  3  protocols  in  VRF  “VPN1”,  “VPN2”  and  “VPN3”  

• Configure  username  “maintenance”  with  password  “MainTenanc3”  

• User   maintenance   should   only   be   allowed   to   configure   management   protocols   and  upgrade  software  

• Username   “storage-admin”   with   password   “st0rage-@Dmin”   is   allowed   to   configure  Fibre Channel  related  configurations  

• Username “nocuser” with password “NOCus3r” and a role-name of “NOC” is allowed to execute all show commands and is allowed to issue a Telnet or SSH from the CLI

• Ensure  all  switches  share  a  common  role  configuration  


 

Task  2:  Traffic  monitoring  

• Regulations determine that all traffic entering SW1 through the port-channels connecting to SW2 and SW3 should be monitored, but only for VLAN 50 and 99.

• Traffic  should  be  directed  to  a  monitoring  server  connected  to  Ethernet3/19. VLAN  tags  should  be  retained.

• Ensure  the  MTU  size  for  the  monitoring   is  consistent  at  1100  bytes,  no  matter  what  the  MTU  of  the  source  packet  is  

• An   interface   on   a   third   party   switch   is   being   monitored,   but   the   monitoring   server   is  connected  to  Ethernet3/20  on  SW1.  Use  a  Layer 2  transportation  to  pick  up  this  traffic.  Use VLAN 601  for  this  task.  

• Interface   Ethernet1/17   on   SW2   should   be   monitored,   but   the   monitoring   server   is  connected  to  Ethernet3/17  on  SW3.  Use  a  Layer 3  transportation  to  accomplish  this.  

• Ensure  this  Layer 3  monitoring  traffic  receives  a  high priority  treatment  throughout  the  network  

• Use  the  finest  granularity  possible  for  the Layer 3  monitoring  session.  

 

 

Task  3:  NetFlow  

• Use SW1 for this task. The port-channels to the other switches should be used for collecting information

• Create  a  flow  record  based  on  the  IPv4 source and  destination  IP  address    

• Ensure  the  flow ID  is  captured  and  the  pps  (packets per second)  64-bit  counter  

• This  information  should  be  exported  to  the  server  with  IP  address  of  172.16.100.109  

• Ensure that 5 out of 150 packets are sampled that enter the port-channels of SW1

• Ensure  that  it’s  possible  for  Layer 2  fields  to  be  exported  to  the  flow  server  

 

Task  4:  Management  protocols  

• Ensure  the  management  server  172.16.100.110  receives  version 2c traps  from  SW1  


• This   server   should   also   be   able   to   read   information   from   SW1   while   using   a   classical  community  string  of  ‘IPexpert’  

• Configure  your  name  and  current  location  on  SW1  

• Ensure  that  SW1  does  not  accept  SNMPv3  unencrypted  requests    

• User  ‘version3’  with  password  ‘version3password’  should  be  able  to  access  SW1  using  SNMP version 3  

• Ensure  that  the  version3  user  has  the  same  rights  as  the  storage-admin  user  

• The  Telnet and SSH  sessions  should  see  Informational  messages  

• Debugging  messages  should  be  visible  in  a  separate  logfile  

• Ensure  logfiles  are  using  the  most  precise  timestamps  

• Logging   up   to   Notifications   level   should   be   sent   to   172.16.100.110   with   a  facility  of  local3  

• SW1 should be synching its time to SW2 and SW3

• SW1  is  a  stratum 1  clock  

• Devices  other  than  SW2  and  SW3  should  not  be  able  to  synchronize  time  with  SW1  

• Ensure  all  time  synchronization  is  secured  via  a  key  of  ‘TimeIPX’  

• Set  the  timezone  to  your  current  location  

• SW1 should identify itself to other Cisco devices with its serial number

• All  switches  should  send  advertisements  about  themselves  every  10  seconds    

• Interface  Ethernet1/10-20   on  SW2   and  SW3   has  devices   connected   that   are  outside  of  your   management   domain.   They   should   not   be   able   to   see   any   information   about   the  devices  that  they  are  connected  to.  

 

 

Task  5:  Device  management  

• The current configuration of SW1 should be stored so it can be re-used

• You should be able to compare a newer version of the configuration against the one saved now

• The   configuration   of   SW1   should   also   be   saved   to   a   TFTP   server   at   IP   address  172.16.100.103  on  a  weekly  basis.  


• This  saving  should  be  done  every  Sunday  night  at 10PM  (22:00).  

• Ensure  the  hostname  and  the  date  and  time  are  included  in  the  filename  that  is  saved  

• Users   logging   in   to   the   switches   should   see   a   message   that   they   are   logging   in   to   the  “IPexpert CCIE Data Center Lab”  

• Save  a  “show tech-support”  to  the  flash  and  compress  the  file  by  creating  the  zip  file  manually.  

• Also   save   a   “show interfaces”   output   to   flash   and   let   this   be   automatically  compressed  

• Both  outputs  should  be  saved  in  a  compressed  Tar  file  

 

Task  6:  Smart  Call  Home  and  GOLD  

• During  boot-up  all  switches  should  run  the  maximum  level  of  diagnostics  

• SW1 should generate a message towards the on-call support engineer when a critical issue occurs.

• Do  not  use  an  existing  profile  

• This   message   should   be   sent   to   [email protected]   via   the   mail   server  mail.ciscocallhome.com.    

• You  can  use  172.16.100.111  as  the  server  to  resolve  names.  

• The sender of the message should be your name and e-mail

• All  urgency  levels  and  any  size  should  be  sent  

• Send  periodic  inventory  notifications  every  day  to  [email protected]  

• SW1  is  the  core  switch  and  an  important  switch.  Ensure  this  is  noticed  in  the  messages.  

• Cisco TAC should receive XML messages via e-mail ([email protected]) and directly via HTTP.

• You   are   allowed   to   create   one   additional   destination profile   for   the   previous  question  

 

 

 


 

Chapter  10:  Data  Center  Unified  Computing  Networking  

Chapter 10: Data Center Unified Computing Networking is intended to familiarize you with the networking features available on the Unified Computing platform. You will be configuring VLANs, Port-Channels, switch modes, PIN groups and Policies related to the networking features of the UCS system.

We  highly  recommend  creating  your  own  diagram  at  the  beginning  of  each  lab  so  you  are  able  to  draw  on  your  own  diagram,  making  it  much  easier  when  you  step  into  the  real  lab.  

Multiple  topology  drawings  are  available  for  this  chapter.  

 

 


General Rules

• Try to diagram out the task. Draw your own connections the way you like it

• Create  a  checklist  to  aid  as  you  work  thru  the  lab  

• Take  a  very  close  read  of  the  tasks  to  ensure  you  don’t  miss  any  points  during  grading!    

• Take  your  time.  This  is  not  a  Mock  Lab,  so  no  time  constraints  are  in  place  for  finishing  this  particular  chapter  

Estimated  Time  to  Complete:        4  hours  

 

Pre-setup

• Connect to the Nexus switches within the topology

• Use the central topology drawing at the start of this workbook

• The UCS system and Fabric Interconnects start with a blank configuration

• This lab is intended to be used with online rack access provided by our partner Proctorlabs (www.proctorlabs.com). Connect to the terminal server and complete the configuration tasks as detailed below

Drawing 1: Physical Topology

Configuration tasks

Task 1: Initial set-up

• Ensure that the Fabric Interconnects are able to be managed with IP addresses 172.16.100.6, .7 and .8. The 172.16.100.8 address should be the Virtual IP address to manage the interconnect cluster.

• Ensure the UCS1 chassis is detected. Interfaces 1/1 through 1/4 are used for connecting the chassis

• The uplinks are connected to 1/9 and 1/10. Ensure these are bundled as a single logical connection

• Identify the port-channels by giving them easily memorable names

• Ensure the Fabric Interconnects are easily found for physical maintenance by engineers

• Ensure the chassis and servers are also given easily readable names that are shown in the Equipment tree

Task 2: VLANs

• Create VLAN 11, 12, 13 and 15 using only 2 create commands

• Create VLAN 1 through 10 except 8 on both Fabric Interconnects

• VLAN 16 is the primary Private VLAN

• VLAN 17 is an Isolated VLAN

• Configure a VLAN named “IPexpertVLAN”. This VLAN should have number 20 on Fabric Interconnect A and number 21 on Fabric Interconnect B.

Task 3: vNIC templates

• Ensure vNICs on fabric interconnect A get MAC addresses assigned in the range of 00:05:12:AA:00:00 to 00:05:12:AA:00:11

• Create a vNIC template for management traffic in VLAN 10. This traffic should be untagged and should automatically switch over between fabrics. Ensure that after using the template to create a vNIC it does not stay connected with it.

• Create vNIC templates named vNIC#-$-XYZ, where # is the vNIC number, $ is the fabric interconnect on which it’s active and XYZ is a short description of what it’s used for

• The first vNIC pair should be active on fabric interconnect A and should carry all VLANs except the Private VLANs. This vNIC should be using the new settings once the template is changed after the creation of the vNIC.

• Create a redundant vNIC on Fabric Interconnect B with the same settings as the previous question.

• Ensure vNICs on fabric interconnect B get MAC addresses assigned in the range of 00:05:12:BB:00:00 to 00:05:12:BB:00:22

• The second vNIC template redundant pair should carry all the Private VLANs and should be offered with 2 paths to the host over different fabrics

• Create a third vNIC which is active on fabric B and has VLAN 11, 12 and 13 enabled. Frames without a tag should be assigned to VLAN 10.

• Ensure the third vNIC is able to support Jumbo frames

Task 4: Policies and pin groups

• Ensure the first redundant vNIC pair allows CDP traffic

• Ensure the second redundant vNIC pair will not go down in case of an uplink failure

• Create a pin group for each of the Fabric Interconnects

• Ensure that the management vNIC is connected to the uplink of FI1-B

Task 5: Quality of Service

• The Private VLAN traffic should get a higher priority treatment throughout the UCS system

• The system needs to differentiate between 3 QoS classes and a class for FCoE traffic. Divide traffic evenly across the 3 classes

• Traffic entering on the third vNIC marked with 802.1p bits should be trusted in the UCS system

• Ensure traffic on the management vNIC will never use more than 95Mbps of bandwidth

• All classes should support Jumbo frames

Task 6: Disjoint Layer 2

• Create additional uplinks for Fabric A and Fabric B using ports 1/11 and 1/12

• Create VLANs 100 to 110 on the UCS system

• All even VLANs of this range should use Uplink1/11 on Fabric A and Uplink1/12 on Fabric B

• All odd VLANs of this range should use Uplink1/12 on Fabric A and Uplink1/11 on Fabric B

• Ensure vNICs have access to these VLANs while maintaining the dispersion between uplinks without using pin groups

Task 7: Switch mode

• Convert the Fabric Interconnect cluster to switching mode

• Ensure all VLANs, templates, policies and settings are equal to the previous tasks

Chapter 11: Data Center Unified Computing Storage

Chapter 11: Data Center Unified Computing Storage is intended to familiarize you with the storage features that are available on the Unified Computing platform. You will be configuring VSANs, FCoE features, Quality of Service, SAN pinning and many more features.

We highly recommend creating your own diagram at the beginning of each lab so you are able to draw on your own diagram, making it much easier when you step into the real lab.

Multiple topology drawings are available for this chapter.

General Rules

• Try to diagram out the task. Draw your own connections the way you like it

• Create a checklist to aid as you work through the lab

• Take a very close read of the tasks to ensure you don’t miss any points during grading!

• Take your time. This is not a Mock Lab, so no time constraints are in place for finishing this particular chapter

Estimated Time to Complete: 4 hours

Pre-setup

• Connect to the Nexus switches within the topology

• Use the central topology drawing at the start of this workbook

• The UCS system and Fabric Interconnects use the configuration of the previous chapter, as do the MDS switches

• This lab is intended to be used with online rack access provided by our partner Proctor Labs (www.proctorlabs.com). Connect to the terminal server and complete the configuration tasks as detailed below

Drawing 1: Physical Topology

Configuration tasks

Task 1: Initial set-up

• Ensure you keep the configuration of the previous chapter for the UCS system and the Nexus switches.

• Give the MDS switches in the topology the following hostnames: MDS1, MDS2. Configure the default username and password according to the generic lab topology

• Ensure that they can be reached through the management network using IP addresses in the range as stated in the initial set-up information at the beginning of the workbook. Use Host IP addresses of 172.16.100.9 and 172.16.100.10

• Enable the ISL links between the MDS switches on fc1/1 through fc1/4 and trunk all VSANs.

• Configure the JBOD interfaces fc1/5 and fc1/6 so FLOGIs are seen from the JBOD into the FC Fabric

• The MDS switches should support Fabric Logins from the UCS Fabric Interconnects

• Configure the interfaces to the Fabric Interconnects to support the UCS system. The UCS Fabric Interconnects are connected to interfaces fc1/9 on the MDS switches

Task 2: VSANs

• Create a VSAN with an ID of 301. The VLAN connected to it should use an ID of 1000+VSANID.

• VSAN 301 should be available on both Fabrics.

• Hosts in VSAN 301 should be able to communicate with each other without any other zoning changes

• Create VSAN 302 on Fabric A and VSAN 303 on Fabric B with matching VLAN IDs.

• This VSAN should be named “SecondVSAN”.

• Create all these VSANs on both MDS switches

Task 3: Fibre Channel Trunks and Port Channels

• Ensure that all created VSANs are transported across the FC Uplinks

• Interface 32 on both Fabric Interconnects should become a native Fibre Channel interface

• Use fc1/32 as the connection to the MDS switches on both Fabric Interconnects

• In the near future the FC connection to the MDS switches will be expanded. Ensure that this can be done without any downtime by inserting a physical connection in a single logical connection.

• Ensure the MDS switch is aware of this change

Task 4: Pools

• Ensure vHBAs on fabric interconnect A get WWPNs assigned in the range of 20:11:00:05:12:AA:00:00 to 20:11:00:05:12:AA:00:11

• Ensure vHBAs on fabric interconnect B get WWPNs assigned in the range of 20:22:00:05:12:BB:00:00 to 20:22:00:05:12:BB:00:22

• WWNNs should be generated in the same range except with a prefix of 20:88:

• iSCSI Qualified Names should be generated with the following format: iqn.initiator.iscsi-boot-ipexpert:1 through :25

• iSCSI interfaces should get IP addresses assigned in the range of 198.18.200.10/24 through 198.18.200.35 with a default gateway of 198.18.200.254.

• The iSCSI name resolving should be done against 198.18.254.254 and 198.18.254.253
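The pool ranges in this task, and the MAC ranges in Chapter 10, Task 3, are given as a first and last address in hexadecimal. The sketch below is an added example, not part of the workbook: it converts each range into a first address plus block size, assuming the pool block is entered as a start value and a size. All function names are hypothetical, and `reprefix()` shows only one reading of the 20:88: WWNN requirement.

```python
"""Block sizes for the identity pools named in the workbook tasks (added example)."""
import ipaddress


def parse_id(text):
    """Return (integer value, octet count) of a colon-separated hex identifier."""
    octets = text.strip().split(":")
    if any(len(o) != 2 for o in octets):
        raise ValueError(f"malformed identifier: {text!r}")
    return int("".join(octets), 16), len(octets)


def format_id(value, octet_count):
    """Render an integer as colon-separated upper-case hex octets."""
    raw = f"{value:0{octet_count * 2}X}"
    if len(raw) != octet_count * 2:
        raise ValueError("value does not fit in the requested width")
    return ":".join(raw[i:i + 2] for i in range(0, len(raw), 2))


def block_size(first, last):
    """Number of identifiers in the inclusive range first..last."""
    lo, lo_len = parse_id(first)
    hi, hi_len = parse_id(last)
    if lo_len != hi_len:
        raise ValueError("first and last differ in length")
    if hi < lo:
        raise ValueError("last is below first")
    return hi - lo + 1


def reprefix(identifier, prefix):
    """Swap the leading octets of an identifier for the given prefix."""
    new = [o for o in prefix.split(":") if o]
    old = identifier.split(":")
    if len(new) > len(old):
        raise ValueError("prefix is longer than the identifier")
    return ":".join(new + old[len(new):]).upper()


def ip_block_size(first, last):
    """Number of IPv4 addresses in the inclusive range first..last."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if hi < lo:
        raise ValueError("last is below first")
    return hi - lo + 1


# Ranges copied from the workbook tasks as (first, last).
HEX_POOLS = {
    "MAC fabric A": ("00:05:12:AA:00:00", "00:05:12:AA:00:11"),
    "MAC fabric B": ("00:05:12:BB:00:00", "00:05:12:BB:00:22"),
    "WWPN fabric A": ("20:11:00:05:12:AA:00:00", "20:11:00:05:12:AA:00:11"),
    "WWPN fabric B": ("20:22:00:05:12:BB:00:00", "20:22:00:05:12:BB:00:22"),
}
IP_POOLS = {
    "iSCSI initiators": ("198.18.200.10", "198.18.200.35"),
}


def pool_plan():
    """Map each pool name to (first identifier, block size)."""
    plan = {n: (f, block_size(f, l)) for n, (f, l) in HEX_POOLS.items()}
    plan.update({n: (f, ip_block_size(f, l)) for n, (f, l) in IP_POOLS.items()})
    return plan


if __name__ == "__main__":
    for name, (first, size) in pool_plan().items():
        print(f"{name:18} first={first} size={size}")
```

Because the last octets are hexadecimal, the ranges ending in :00:11 and :00:22 hold 18 and 35 identifiers.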

 

Task 5: vHBA templates

• Create vHBA templates connecting to VSAN 301 on both fabrics.

• The VSAN 301 vHBAs should be created using a method that only the template is used to create the vHBA and after that it’s disconnected from the template.

• Create vHBA templates connecting to VSAN “SecondVSAN” on Fabric A and B.

• The template should only be used for initially creating the vHBA. After the creation, changes to the template should not be propagated to the vHBA, but it should always be possible to re-connect it again to have changes assigned to the vHBA from the template.

• The “SecondVSAN” templates should always be assigned to the FC forwarding class. Bandwidth should be limited to 100MBps.

• Create another vHBA template for VSAN 304 on Fabric B. You are not allowed to leave the vHBA Template wizard for this task

• Ensure vHBAs are assigned with the correct WWNs according to the previous task

Task 6: SAN Pinning and Storage Policies

• Create a pin group for each of the Fabric Interconnects

• Ensure that the second vHBA is connected to the uplink of FI1-B

• Create a policy so the vHBAs are using best practices for VMware servers. This special policy should support up to 512 LUNs per FC target

• This policy should also allow for maximum FLOGI and PLOGI retries

• Ring Sizes should be 128 for Transmit, Receive and SCSI queues

Task 7: Fibre Channel Boot policies

• Create a policy so that a server is able to boot from vHBAs in VSAN 301.

• Before the server boots from SAN, it should try to boot from an ISO image mounted to the KVM session.

• Ensure that the server will still boot when one fabric is not available.

• When both Fabrics are operational, the server should select Fabric A. You can assume that the vHBA of Fabric A has a lower PCIe bus scan order.

• Use WWPN: 20:01:00:AA:BB:CC:DD:EE, LUN 20 as the target on Fabric A

• On Fabric B the WWPN for the boot disk is: 20:01:00:EE:DD:CC:BB:AA, LUN 21

• Create another policy for a server to boot from VSAN 304.

• VSAN 304 has 2 boot disks available for failover. Both are using the same WWPN as the previous policy, except they are using LUN 5 for both targets.

Task 8: iSCSI Boot policies

• When the Fibre Channel fabric is completely down, the servers using VSAN 301 should still be able to access their boot disks through the use of the iSCSI protocol

• You do not need to configure the MDS switch for this task; assume this is pre-configured

• The names of the iSCSI vNICs that will be created in the service profile are “iSCSIvNIC1” and “iSCSIvNIC2”

• The iSCSI Targets should be authenticated with a username of “IPexpertISCSI” and a password of “iSCSIstorage”

• The iSCSI vNICs should have TCP Timestamps enabled and the connection should time out after 30 seconds

Task 9: Local Disk policies

• When blades are equipped with local disks they should get a protected configuration so at least 1 disk is able to fail in the configuration.

• Create one additional policy so that when it is applied to a blade where the local disks are already configured, the existing configuration is overwritten with the new configuration

• Create a policy so that when a service profile is disassociated from a blade the disks are formatted and settings in the BIOS are set to default

Chapter 12: Data Center Unified Computing Servers and Blades

Chapter 12: Data Center Unified Computing Servers and Blades is intended to familiarize you with the primary features of the Unified Computing System. In this lab we will be configuring all settings related to compute blades and servers. This means we will be configuring service profiles, templates and policies related to the compute nodes.

We highly recommend creating your own diagram at the beginning of each lab so you are able to draw on your own diagram, making it much easier when you step into the real lab.

Multiple topology drawings are available for this chapter.

General Rules

• Try to diagram out the task. Draw your own connections the way you like it

• Create a checklist to aid as you work through the lab

• Take a very close read of the tasks to ensure you don’t miss any points during grading!

• Take your time. This is not a Mock Lab, so no time constraints are in place for finishing this particular chapter

Estimated Time to Complete: 4 hours

Pre-setup

• Connect to the Nexus switches within the topology

• Use the central topology drawing at the start of this workbook

• The UCS system and Fabric Interconnects use the configuration of the previous chapter, as do the MDS switches and Nexus switches

• This lab is intended to be used with online rack access provided by our partner Proctor Labs (www.proctorlabs.com). Connect to the terminal server and complete the configuration tasks as detailed below

Drawing 1: Physical Topology

Configuration tasks

Task 1: Server pools

• Ensure you keep the configuration of the previous chapter for the UCS system, the Nexus switches and the MDS switches.

• Combine blades on the left side of the chassis in a pool named “LEFT”

• Create an automatic classification of compute nodes so all blades with 48GB of RAM are set together inside a pool called “48GB”

• Create a classification so all blades with a Cisco VIC card will be combined in a pool called “VIC”

• Ensure that all servers are placed inside a pool “IPexpertServers”

Task 2: UUID pools

• Servers should get an Identifier assigned through the use of a pool. The prefix should be automatically generated by the UCS Manager.

• The pool should be called “IPexpertIDs” and consist of a size of 32 identifiers.

• The suffix should start with “7442-C0FFEE”

• Create a second identifier pool where the identifiers should start with “01010202-ABCD-DEF0-0ABB-AA”; a total of 16 identifiers should be generated.

Task 3: Management IP addresses

• Create an IP address pool for addresses 172.16.100.20 up to 27 with a mask of /24 and a gateway of .254

• Assign IP addresses to the first 2 blades in the chassis by using the pool

• Assign static IP addresses to the other 2 blades. Blade 3 should have an IP address of 172.16.100.28 and blade 4 an IP address of 172.16.100.29

• The other addresses in the pool are used during the creation of service profiles

Task 4: Server policies

• Create a policy so the settings of the blade are set to the following parameters:

  o Quiet boot is enabled

  o Server is reset after a power loss

  o The front panel should be locked out

  o Hyper threading is enabled

  o Virtualization support is enabled

  o CPU performance is set to enterprise

  o Server should be secured by a hardware feature to prevent viruses and malicious code from being executed

  o Serial port is disabled

  o RAID controller is enabled

  o The server should be powered off when the OS is not booted after 20 minutes

• Create a policy so that changes are only applied to the servers after an acknowledgement by the user

• Create a policy so SoL is enabled with a speed of 19200

• Create a policy for SoL users with a username of IPexpert and a password of IPexpert

Task 5: Service Profile Templates

• Create a template called “SP_template1” to give a server state information which stays connected to the profile when it’s deployed.

• Ensure UUIDs are assigned from the pool “IPexpertIDs”

• The World Wide Node Name should be assigned using the pre-configured pool

• The disks inside the blade should be configured with a RAID 1 configuration which is not overwritten if a current configuration is in place

• Redundant vHBAs should be created to support boot from VSAN 301

• Ensure correct WWPNs are assigned

• The custom created VMware adapter policy should be used

• Pick names for the vHBA so the created boot policy will work without changes

• Create vNICs for management and 2 for data traffic. The Data vNICs should be redundant with 2 active paths across fabrics where the management should be protected.

• Ensure the vNICs are created with optimized settings for VMware

• All vNICs and vHBAs should be based on templates

• Leave placement of vNICs and vHBAs to the system

• Configure the system to boot from SAN in VSAN 301 based on a previously configured template.

• The user should confirm changes that require a reboot. Again this should be based on a previously configured policy

• Servers should be automatically booted up when this template is deployed to a server

• No servers need to be assigned now

• Servers need to be powered on after this template is applied as service profile

• Ensure BIOS settings are applied according to the policy created in Task 4

• Enable Serial over LAN with a speed of 19200bps without configuring this speed directly in the service profile

• Users accessing the Serial over LAN feature are required to use a username and password of “IPexpert”

• The Management IP address of this service profile should be coming from the previously configured IP address pool

• Hard Disks should not be erased when the service profile is removed from the blade. Create a new policy to support this configuration called “NO_SCRUB”

Task 6: Service Profiles

• Assign the previously created template to all servers while using the server pool containing all the blades in the chassis

• You are not allowed to configure the pool under the template configuration

• Use a prefix of “UCS1-SP” for naming of the service profiles