
K8

Friends... Don't panic about IP address alignment; keep on practicing and it will be easy for you to manage.

Section 1 - Layer 2

1.1 Initial Faults

1.2 Implement Access Switch Ports of Switched Network

Configure all of the appropriate non-trunking switch ports on SW1-SW4 according to the following requirements:
- VTP domain should be "CCIE" and password "cisco".
- VTPv2 should be configured with SW1 as server.
- SW2, SW3, SW4 VLAN database should be updated by SW1.
- Configure the VLAN ID and Name according to the table below (case sensitive).
- Configure the access ports for each VLAN as per the diagram.
- All 4 switches must run in transparent mode after synchronization.
- All unused ports including Giga ports have to be on access VLAN 999 and shutdown.

VLAN ID   NAME
16        R1toSW1
18        R1toSW3
28        R2toSW3
36        R3toSW1
45        R4toR5
68        SW1toSW3
69        SW1toSW4
89        SW3toSW4
100       BB1
200       BB2
300       BB3
500       Client
999       Unused

1.3 Spanning-Tree Domains for Switched Network


Configure the switches according to the following requirements:
- All switches must have one instance per VLAN.
- Ensure that SW1 is the Root Switch and SW2 the Backup Switch for all VLANs.
- Remember to incorporate VLANs from later tasks.
- Configure instance per VLAN and rapid transition for forwarding.
- Ensure that SW1 has the best chance to become root, and SW2 the backup.
- Use default values for forwarding delay and max age.
- Ensure that SW1-SW2-SW3 do not send BPDUs and do not process received BPDUs on their port Fa0/10 only.

1.4 Configuring Switch Trunking and Ether-Channel


Use the following requirements to configure the Ether-channel on SW1, SW2, SW3 and SW4.
- Use encapsulation 802.1q for all trunks.
- VLAN 1 should be tagged across trunks.
- Disable DTP on all trunk interfaces.
- On each switch, configure three 200Mb/s fault-tolerant links relying on the IEEE 802.3ad standard.
- Traffic forwarded through these fault-tolerant links must be load-balanced based on the source and destination MAC addresses.

1.5 Implement Layer-2 switchport security.


Configure your network as per the following requirements:
- Ensure that only the legitimate router interface is allowed to connect to Fa0/1 and Fa0/2 of SW1.
- SW1 must dynamically learn these legitimate MAC addresses and automatically save them in the configuration file.
- Ensure that SW1 does not need to relearn the legitimate MAC addresses after SW1 restarted.
- SW1 must shut down the port if a security violation occurs on either of these two ports.

1.6 Implement Advanced LAN Feature


Five users will connect to the network via VLAN 500 on fa0/1 to fa0/5 on SW4. Configure your network as per the following requirements:
- Ensure that these five ports start forwarding traffic as soon as the workstation is connected to them.
- Ensure that these five ports are allowed to communicate with their Layer 3 gateway (the VLAN 500 SVI on SW3) and are prohibited from directly sending frames to each other.
- Ensure that none of these five ports forwards flooded traffic due to an unknown unicast or unknown multicast.
- Do not use private VLANs.

1.7 WAN Technology

Frame-relay configuration

Use the following requirements to configure R1 and R5, R1 and R4, R2 and R4 for Frame-Relay.
- Enable PPP between R3 and R5.
- Configure Back to Back frame-relay between R1 and R5.
- Use sub-interface between R1 and R5 shown in diagram.
- Configure Back to Back frame-relay between R1 and R4 using DLCI 200.
- Configure Back to Back frame-relay between R2 and R4 using DLCI 2YY.
- R5 and R4 have to be DCE type.
- Do not disable keepalive.
- Do not use inverse ARP to resolve IP addresses.

Section 2 - Layer 3

2.1 Implement IPv4 OSPF


Configure OSPFv2 as per "Diagram 1: IGP Routing" and according to the following requirements:
- The OSPF process ID must be 100 for all OSPF devices.
- The OSPF router IDs must be stable and must be configured using the IP address of interface Loopback0.
- Loopback0 interfaces must be advertised in the OSPF area shown in "Diagram 1: IGP Routing" and must appear as host routes.
- The VLAN 500 interface of SW3 must be configured into OSPF area 500, but no OSPF hello may be sent out of this interface.
- Ensure that SW1 is elected as the Designated Router on all three VLAN interfaces (VLAN 16, 36 and 68) and ensure that it maintains the best chance of being re-elected as such.
- The g0/1 interface of R1 and the g0/0 interface of R3 must always remain in the DROTHER state.
- OSPF area 1 must be configured as a stub area, which allows the injection of external routes.
- Enable label switching on the serial interfaces between R1, R3 and R5 by using LDP.
- Ensure that the LDP sessions are always sourced from the loopback0 interface on all devices.
- Do not create additional OSPF areas.
- Do not use any IP address not listed in "Diagram 1: IGP Routing" unless explicitly required.
- Do not enable OSPF on any interfaces other than the ones shown in "Diagram 1: IGP Routing" unless explicitly required.

2.2 Implement IPv4 EIGRP


Configure your network as per the following requirements:
- Configure EIGRP AS YY and EIGRP AS 100 as per "Diagram 1: IGP Routing".
- Disable automatic summarization in both autonomous systems.
- SW4 must receive six EIGRP external prefixes from BB.
- Configure the delay for interface F0/1 of both R4 and R5 to 100 milliseconds (10,000 tens of microseconds).
- Enable LDP on the serial interfaces between R1, R2, R4 and R5 as well as on the Fast Ethernet link between R4 and R5.
- Ensure that the LDP sessions are always sourced from the loopback0 interface on all devices.

2.3 Implement IPv4 RIP


Configure RIP version 2 as per "Diagram 1: IGP Routing" and according to the following requirements:
- Disable automatic summarization.
- RIP must be enabled only for the required interfaces; no other interfaces may send any RIP updates.

2.4 Redistribute EIGRP into OSPF


Configure your network as per the following requirements:
- Redistribute OSPF into EIGRP and vice versa on R5 only.
- Do not redistribute anywhere else between these two protocols.
- Ensure that EIGRP routers are still able to reach any OSPF prefix when the link between R4 and R5 fails.
- The interface VLAN 500 of SW3 must appear as a prefix in area 0 only. It must never appear in any other areas; your solution must work even if a new area was added to the OSPF domain.
- Do not modify the administrative distance of OSPF.

2.5 Redistribution: EIGRP into RIP


Configure your network as per the following requirements:
- Redistribute EIGRP 100 into RIPv2 and vice versa on SW4.
- Redistribute OSPF into RIPv2 on SW1 only.
- Do not redistribute RIPv2 into OSPF.
- Ensure that SW1 originates a default route everywhere into the OSPF domain.
- Ensure that all devices (but SW2) in your topology can reach 150.3.YY.254.
- Do not use any static route to resolve any routing issue.
- At this time in your lab, you must be able to reach every internal IP address from any device (but SW2).

2.6 Implement IPv4 IBGP


Configure your network as per "Diagram 2: BGP Routing" and according to the following requirements:
- With the exception of R1, all routers in BGP AS YY must have only one IBGP neighbor.
- Secure all IBGP sessions with an MD5 hash; use the string "cisco" to that effect (without quotes).
- All BGP connections should survive a physical link failure.
- R1 should always initiate the TCP session for the BGP connection for the BGP neighbor.
- Configure "no bgp default ipv4-unicast" on all BGP speakers.

2.7 Implement IPv4 eBGP


Configure your network as per "Diagram 2: BGP Routing" and according to the following requirements:
- Establish EBGP between AS YY and AS 254 on both R4 and R5 by using their physical interfaces.
- The prefixes of VLAN_100 and VLAN_200 may appear as a BGP next-hop address in R4 and R5 only.
- Configure AS 144 on to peer with AS YY.
- Ensure that SW4 installs in its routing table two equal-cost paths for any BGP prefixes originated in AS 254.
- Ensure that SW3 load-balances any traffic that is destined to AS 254 through both R1 and R2. Use the following command to verify this requirement: "show ip cef 197.68.1.0/24"

Implement MPLS & L3VPN

2.8 Implement MPLS & L3VPN


SW2 is simulating two distant customer sites in BGP AS 777 that are interconnected with L3VPN, which is provided by your core network. The interface loopback 71 of SW2 simulates the SITE1, which is connected to R3, and the interface loopback 72 simulates the SITE2, which is connected to R2. Refer to "Diagram 3:" for more details. Configure your network as per the following requirements:
- R2 and R5 must exchange VPN prefixes via BGP by using the route distinguisher 2:2.
- R3 and R5 must exchange VPN prefixes via BGP by using the route distinguisher 3:3.
- R2 and R3 may not peer directly with one another.
- Configure "mpls ldp explicit-null" on both PEs.
- SW2 must maintain two separate routing tables for each site as described in the "Diagram 3".
- The only prefix that SW2 may see in its global routing table is its preconfigured Loopback0 interface.
- Your configuration must fully reconverge after a reload of any PE router at the end of the exam.

Verify your solution by using the following commands on SW2:

IPv6

2.9 IPv6 Addressing


All IPv6 addresses were preconfigured as follows:
All global unicast addresses match 2001:RR:YY:SS::HH/MM, where:
- RR is the identifier of the routing domain (YY for EIGRP, 1YY for OSPF).
- YY stands for your two-digit rack number, written in decimal format.
- SS is the third octet of the IPv4 address of the same interface, written in decimal format.
- HH is the fourth octet of the IPv4 address of the same interface, written in decimal format.
- MM is the subnet mask and must be /128 for loopback interfaces and /64 for other interfaces.
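The addressing rule above, worked through as an added example (not part of the original lab text). The function name `lab_ipv6`, the `domain` keywords and the sample IPv4 addresses are constructed for illustration.

```python
import ipaddress

def lab_ipv6(ipv4, rack, domain, loopback=False):
    """Build 2001:RR:YY:SS::HH/MM from an interface's IPv4 address.

    rack   -- the two-digit rack number YY
    domain -- 'eigrp' (RR = YY) or 'ospf' (RR = 1YY)
    The octets are copied as decimal digits into the hextets, so the
    text '18' becomes hextet 0x18 (24 decimal), not decimal 18.
    """
    if not 0 <= rack <= 99:
        raise ValueError("rack number must have at most two digits")
    octets = ipaddress.IPv4Address(ipv4).packed   # validates the IPv4 address
    yy = f"{rack:02d}"
    rr = {"eigrp": yy, "ospf": "1" + yy}[domain]   # KeyError on an unknown domain
    ss, hh = octets[2], octets[3]                  # third and fourth octet
    mask = 128 if loopback else 64
    # IPv6Interface validates the result and normalises leading zeros.
    return ipaddress.IPv6Interface(f"2001:{rr}:{yy}:{ss}::{hh}/{mask}")

if __name__ == "__main__":
    # Constructed samples for rack 10.
    print(lab_ipv6("10.10.18.1", 10, "eigrp"))
    print(lab_ipv6("10.110.36.6", 10, "ospf"))
    print(lab_ipv6("10.10.5.5", 10, "eigrp", loopback=True))
```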

Configure your network as per "Diagram 4: IPv6 Routing" and according to the following requirements:
1. Configure all routers EIGRPv6 AS YY.
2. Use the Loopback 0 IPv4 address as the EIGRPv6 router ID.
3. Configure the area 0 of OSPFv6 (between the SW1 and SW3 as shown in the "Diagram of IPv6 Routing").
4. The OSPFv6 process ID must be 100.
5. Loopbacks of SW1 and SW3 in OSPFv3 area0.
6. Loopbacks of R5, R2, R4, and R1 in EIGRPv6 AS YY.
7. Redistribute OSPFv6 into EIGRPv6 and on SW3.
8. Ensure that there is full reachability among all IPv6 speakers.

2.10 IPv6 Routing


Configure your network as per "Diagram 4: IPv6 Routing" and according to the following requirements:
- Configure a tunnel between R1 and R3 to transport IPv6 traffic from R3 to the EIGRPv6 domain.
- The tunnel transport mode must be GRE, and it must be resilient to single physical link failure.
- The tunnel must use the IPv6 prefix 2001:13:13:13::/64.
- Extend the EIGRPv6 domain YY to R3 over the tunnel.
- Loopback of R3 in EIGRPv6 AS YY.
- R3 must be able to reach the Loopback0 interface of SW1 via the tunnel.

Section 3 Multicast (6 points)

3.1 Implement multicast


Configure multicast in your network as per the following requirements:
- Enable multicast for all interfaces belonging to ospf 100 and eigrp yy (including loopback0 interfaces).
- The network should never have to flood and prune multicast traffic unnecessarily.
- Add a loopback1 interface on both R2 and R3 with the same IP address 200.100.100.100.
- R2 must advertise loopback1 into EIGRP YY, R3 must advertise loopback 1 into OSPF 100.
- Each loopback1 must be elected as the rendezvous point in their respective domain and must also be used as the source of the mapping information broadcasts.
- Use a non-proprietary method to discover and announce the RP information.
- Multicast services are located in VLAN 68, and receivers are located on the link between R4 and R5.
- Simulate the receivers with a static join on the f0/1 interface of R4.
- Receivers must be able to receive traffic sent to the group 232.1.1.1 from SW1.
- Ensure that R3 is the actual RP in use in the OSPF domain and that it sends the source-active cache to R2.

3.2 Advanced multicast feature


Continue configuring multicast in your network as per the following requirements:
- Ensure that both RPs process join requests for group 232.1.1.1 only.
- Ensure that only the authorized sources (located in VLAN_68) are allowed to register with the RPs.
- Do not use any route-map or named access-list to achieve this task.

Section 4 - Advance IP Features

4.1 First Hop Redundancy


Configure your network as per the following requirements:
- Both R4 and R5 must provide automatic default gateway backup for hosts located on VLAN 45 using the virtual IP address 10.YY.45.1/24.
- Ensure that both R4 and R5 participate at the same time in forwarding traffic destined to the virtual IP address, with R4 weighted at 150 and processing three clients for every one processed by R5.
- Use the password "CCIE123" (without quotes) to secure the relationship between R4 and R5; use the strongest security available. (Do not use a keychain to accomplish this requirement.)

4.2 L2 Security

Consider that three servers (SMTP, WEB, DNS) connected to VLAN 500 on SW3 must be reachable from any host anywhere in the network. Many users are connected to VLAN 500 on SW3 as well, and are allowed to connect to these local servers. These users must also be allowed to connect to other SMTP, WEB and DNS servers located outside of VLAN 500. A number of these users are abusing the link with unnecessary traffic. Configure your network as per the following requirements:
- Create a filter on SW3 to allow only legitimate traffic (SMTP-TCP port 25, WEB-TCP port 80, DNS-UDP port 53, ICMP all types) on VLAN 500 going from and to any hosts (do not specify any IP address in the filter).
- All non-legitimate traffic must be dropped.
- Use a single named access-list to accomplish this requirement of this task.
- Do not include any deny statement in the access-list.
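An added example (not part of the original lab text) that models a permit-only filter of the kind this task describes and checks sample flows against it, to show why each service needs an entry matching the port on the source side as well as on the destination side. The ACL name VLAN500_FILTER, the entry list and the sample flows are constructed assumptions, and only the small subset of extended-ACL syntax used here is parsed.

```python
# Constructed ACL text: permit entries only, 'any' for every address.
ACL_TEXT = """
ip access-list extended VLAN500_FILTER
 permit tcp any any eq 25
 permit tcp any eq 25 any
 permit tcp any any eq 80
 permit tcp any eq 80 any
 permit udp any any eq 53
 permit udp any eq 53 any
 permit icmp any any
"""

def parse_acl(text):
    """Return [(proto, src_port, dst_port)]; a port of None means any port."""
    rules = []
    for line in text.strip().splitlines()[1:]:      # skip the header line
        tok = line.split()
        if tok[0] != "permit":
            raise ValueError("only permit entries are allowed: " + line)
        proto, rest, ports = tok[1], tok[2:], []
        # Each address spec is 'any', optionally followed by 'eq <port>'.
        while rest:
            if rest.pop(0) != "any":
                raise ValueError("IP addresses are not allowed: " + line)
            if rest[:1] == ["eq"]:
                ports.append(int(rest[1]))
                rest = rest[2:]
            else:
                ports.append(None)
        if len(ports) != 2:
            raise ValueError("expected source and destination: " + line)
        rules.append((proto, ports[0], ports[1]))
    return rules

def permitted(rules, proto, sport=None, dport=None):
    """First-match evaluation; anything unmatched hits the implicit deny."""
    for r_proto, r_sport, r_dport in rules:
        if (r_proto == proto and r_sport in (None, sport)
                and r_dport in (None, dport)):
            return True
    return False

if __name__ == "__main__":
    rules = parse_acl(ACL_TEXT)
    for flow in [("tcp", 40000, 25), ("tcp", 25, 40000), ("tcp", 40000, 22),
                 ("udp", 53, 5000), ("icmp", None, None)]:
        print(flow, "permit" if permitted(rules, *flow) else "deny")
```

Dropping the three `any eq <port> any` entries leaves the requests permitted but sends every reply from a server to the implicit deny.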


4.3 Implement SSH


Configure R5 as per the following requirements:
- The administrator user "admin" must be able to use the SSH protocol in order to manage the router by using the password "ccie". This user must receive the enable prompt directly when logging in to R5.
- The user "guest" must be able to use the SSH protocol in order to connect to the router by using the password "cisco". This user must receive the user-mode (non-enable-mode) prompt when logging in to R5.
- Disable all non-SSH access methods on the VTY lines of R5. Do not use the command "access-class" to accomplish this.
- Enable a maximum of 14 users to connect concurrently at any point in time.
- Configure the domain name "ccie.com" on R5.
- Configure and ensure that the console does not require a username prompt and that it presents the user with the user-mode (non-enable-mode) prompt.
- Do not modify the enable password.
- Verify your solution by using R3 as the SSH client and verify if the following commands succeed as expected.

Rack10R3#ssh -l admin 110.5.5.5
Rack10R3#ssh -l guest 110.5.5.5

4.5 PBR

Configure your network as per the following requirements:
- Create interface Loopback148 in SW3 with the IP address 148.0.0.8/32 and add it into EIGRP YY by any means available.
- Create interface Loopback148 in R4 with the IP address 148.0.0.4/32 and add it into EIGRP YY by any means available.
- Traffic sourced from Loopback148 of SW3 and destined to Loopback148 of R4 (and only this traffic) must always leave SW3 via interface VLAN18; no other interface may ever transmit these packets.
- SW3 must load-balance (between R1 and R2) any other traffic destined to Lo148 of R4.
- In case interface VLAN 18 of SW3 is not operational, packets between Lo148 of SW3 and Lo148 of R4 must be dropped on SW3.
- Use a single numbered and extended access-list with a single entry in order to accomplish this requirement.
- Do not modify any EIGRP parameter anywhere to accomplish this requirement.

Use the following tests to validate your solution:

Rack10SW3#trace
Protocol [ip]:
Target IP address: 148.0.0.4
Source address: 148.0.0.8
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 148.0.0.4
 1 10.10.18.1 4 msec 4 msec 4 msec
 2 10.10.14.4 0 msec * 4 msec

Rack10SW3#trace 148.0.0.4
Type escape sequence to abort.
Tracing the route to 148.0.0.4
 1 10.10.18.1 4 msec 10.10.28.2 4 msec 10.10.18.1 4 msec
 2 10.10.24.4 4 msec 10.10.14.4 4 msec *

4.4 L3VPN QoS


The MPLS enabled routers in your network have been preconfigured to service three classes of traffic based on the MPLS experimental bits. The PE routers are also provisioning three classes of traffic towards the CE routers. R1 contains a policy that will remark traffic for testing purposes. Do not modify this policy. Configure both PE routers in your network as per the following requirements:
- The traffic leaving the MPLS core and going to the CE must be remarked using the latest value found in the MPLS experimental bits.
- Both PE routers must shape the traffic towards the CEs to 3 Mb/s CIR.
- Your solution must include the existing QoS pre-configurations.
- Do not create any new non-default class-map to accomplish the above requirements (if you need to create any new class-map, it must be the class-map default).
- You may check your solution by using an extended ping with the TOS value set to 148. Counters must increment accordingly on the class QOSGROUP447 on the egress policy of the remote PE.

4.6 Device Security


Configure and apply on R5 a single ingress policy-map named "CONTROL" that contains exactly three user-defined class-maps according to the following requirements:

Configure a class-map called "SSH" according to the following requirements:
1. Any SSH session initiated from VLAN 18 and destined to the interface Se0/0/1 of R5 must not be policed.
2. Police to 14 kb/s all other SSH traffic according to the following requirements:
   A. The conform-action must be "transmit".
   B. The exceed-action must be "drop".
   C. The burst value must not be configured.
Configure a named access-list called "SSH" in order to classify the above SSH traffic.

Configure another class-map called "BLOCK" according to the following requirements:
A. HTTP (80) and HTTPS (443) traffic sourced from any host located on VLAN500 and destined to anywhere must be dropped.
B. Configure a named access-list called containing exactly two entries in order to classify the above HTTP and HTTPS traffic.
C. Configure another named access-list called "ALL_ICMP" containing the single statement "permit icmp any any".
D. The class-map "BLOCK" must drop the traffic matched by these two access-lists ("HTTP" and "ALL_ICMP").

Configure another class-map called "ICMP_LIMIT" according to the following requirements:
A. ICMP echo and echo-reply to or from anywhere must be policed to 100p/s, allowing 10 packets in burst.
B. Configure a named access-list called "ICMP_ECHO" in order to classify the above ICMP echo and echo-reply traffic.

Do not use any "match not" statement in any class-map. Ensure that any device (but SW2) can still ping the interfaces of R5. All class-map and access-list names are case sensitive and must not include any quotes.

4.7 NTP

Configure your network as per the following requirements:
- R1 is the NTP master (stratum 1).
- R3 and R5 must synchronize their clock to the clock of R1.
- Ensure that all three devices retain the clock between reboots.
- All NTP peers must use their Loopback0 interface as the NTP source.

Section 5 Network optimize (6 points)

5.1 Optimize the network


Configure R1 as per the following requirements:
- Track all changes to the running configuration.
- Notify the syslog server 10.1YY.49.100 when any configuration change happens.
- Retain the last 10 entries in the configuration log.
- Suppress the display of password information in the configuration log files.
- Ensure that configuration changes are not saved to the local file system.

5.2 Implement EEM


In order to avoid hitting a (fictive) software defect on R3, the vendor support engineer recommends bouncing (shut/no shut) both Gigabit Ethernet interfaces of R3 as soon as it restarts. Configure R3 as per the following requirements:
- Write a Cisco IOS EEM applet named "BOUNCEGIG" that automates the above task.
- Use the "SYS-5-RESTART" syslog pattern in order to trigger the script when R3 has restarted.
- Ensure that the script bounces interface Gig0/0 first then bounces interface Gig0/1.
- Test your solution and ensure that there is an entry in the EEM Events history similar to the following output.

Rack10R3#sh event manager history events
No.  Time of Event             Event Type   Name
1    Fri Mar 1 00:00:03 2002   syslog       applet: BOUNCEGIG

Designed by POLICE4 for certcollection.org
