H2 Ccie4career - Com v1.1 PDF

Ccie4career.
com CC Dreamer and Combat
CCIE4CAREER.COM - CCIE RS V5.0 H2 WORKBOOK

Ccie4career.com
Document Information
Author Combat, CC Dreamer

Skype ID:
More information,
Combat: ccie04final
please Contact
CC Dreamer: nguyenbich279
Change Authority Advanced Team Focus
Version 1.0
Date 6/26/2017
6/15: we changed a little bit and made H2 workbook
Comment History
become the best solution for our students.
6/26: update a little bit in some sessions.
1
CCIE4Career.com
The best solution, very clear Workbook  The best way you can get CCIE Certificate.
Ccie4career.com CC Dreamer and Combat
CONTENTS
1. SECTION 1: Layer 2 technologies ................................................................................. 7
1.1 Section 1.1: Jameson’s Datacenter: Access Ports .......................................... 7
1.2 Section 1.2: Jameson’s Datacenter: Trunk Ports .......................................... 12
1.3 Section 1.3 Jameson’s Datacenter: Link bundling ....................................... 14
1.4 Section 1.4 Jameson’s Branch Offices ................................................................. 21
2. SECTION 2 Layer 3 Technologies ............................................................................... 24
2.1 Section 2.1 Jameson’s IGP, Part 1......................................................................... 24
2.2 Section 2.2 Jameson’s IGP, Part 2......................................................................... 31
2.3 Section 2.3 Jacob’s IGP ................................................................................................ 35
2.4 Jameson’s Pre-merge .................................................................................................... 39
2.5 Jacob’s Pre-merge ........................................................................................................... 47
2.6 Merge phase 1: BGP ........................................................................................................ 51
2.7 Merge phase 2: IGP ........................................................................................................ 53
2.8 Section 2.8 Merge phase 2: Routing Policies .................................................. 55
2.9 IPv6 Routing, Part 1 ....................................................................................................... 57
2.10 IPv6 Routing, Part 2 ................................................................................................... 61
2.11 Multicast in Jameson’s .............................................................................................. 63
3. SECTION 3 VPN Technology........................................................................................... 66
3.1 Jameson’s Branch Offices ........................................................................................... 66
3.2 Jameson’s Pre-merge VPN ......................................................................................... 68
3.3 Merge Phase 2: VPN ....................................................................................................... 73
3.4 Inter-VPN Routing ........................................................................................................... 77
4. SECTION 4 Infrastructure Security ........................................................................... 81
4.1 Section 4.1 Device Security ....................................................................................... 81
4.2 Network Security.............................................................................................................. 82
5. SECTION 5 Infrastructure Services ........................................................................... 84
5.1 Section 5.1 Centralized DHCP ................................................................................... 84
5.2 Section 5.2 Internet Gateway .................................................................................. 86
5.3 Section 5.3 First hop redundancy........................................................................... 89
5.4 Section 5.4 Tracking reachability ........................................................................... 91
2
CCIE4Career.com
Main Topology
3
CCIE4Career.com
BGP Topology
4
CCIE4Career.com
IPv6 Topology
5
CCIE4Career.com
Physical - VLAN Topology
6
CCIE4Career.com
1. SECTION 1: Layer 2 technologies

1.1 Section 1.1: Jameson’s Datacenter: Access Ports
Question:
Refer to “Table 1: Jameson’s Layer 2 connection and Table 1：Jameson’s VLAN to

port Mapping”
There has been pre-configured in Jameson’ s Datacenter. SW3 is the server and the
other three switches are clients. Do not modify this configuration. Some other
configuration was already started but it is your responsibility to verify and complete
them.
Configure all four switches in Jameson’s datacenter network (AS 65002) as per the
following requirements:
 All unused ports must be configured in VLAN 999 and administratively

shutdown.
 Access‐ports must immediately transition to the forwarding state upon link up,
as long as they do not receive a BPDU. Use a unique command per switch to
enable this feature.
 If an access‐port received a BPDU, it must automatically shut down, generate
a syslog and a SNMP trap. Use a unique command per switch to enable to this
feature.
 Ports that were shutdown must always rely on a manual intervention to
recover.
 VLAN 911 (10.2.1.X/24) will be used as the management VLAN in Jameson’s
datacenter. Ensure that all datacenter switches are able to ping each other IP
address in the management VLAN.
 SW5 and SW6 are low-end access switches and they do not have much
processing power. Ensure that their only Layer 3 interfaces are Loopback0 and
VLAN 911.
 SW3 and SW4 are robust and powerfully distribution switches. Ensure that
they maintain a Layer 3 interface for all local VLANs as well as all access VLANs,
as specified in “Table 1: Jameson’s VLAN to Port Mapping”.
 Unused interface had associated VLAN 999 and shutdown
 SW3 SW4 had configure VTP and VLAN on exam
7
CCIE4Career.com
Solution:
SW3:
vtp mode server
vtp domain jamesons
vtp password CISCO
vtp version 2
vlan 34,100,101,153,156,164,173,184,911,999
SW4/SW5/SW6
vtp mode client
vtp domain jamesons
vtp password CISCO
SW3 /exam had config/

interface e0/0
switchport access vlan 156
switchport mode access
!
interface e0/1
no shutdown
SW4 /exam had config/

interface e0/0
!
int e0/1
sw mode acc
no shut
SW3/SW4 /exam had config/

int range e0/2,e0/3,e1/2-3,e2/2,e3/0-3
sw acc vlan 999
sw mode acc
shutdown
8
CCIE4Career.com
SW5
int e0/0
sw acc vlan 173
sw mode acc
no shut
!
int range e0/1-3
sw acc vlan 101
sw mode acc
no shut
SW6
int e0/0
sw ac vlan 184
sw mode acc
no shut
!
int range e0/1-3
sw acc vlan 100
sw mode acc
no shut
SW5/SW6
int range e1/2-3,e2/0-3,e3/0-3
sw ac vlan 999
sw mod acc
shut
SW3/SW4/SW5/SW6
spanning-tree portfast default
spanning-tree portfast bpduguard default
snmp-server enable traps syslog
9
CCIE4Career.com
Verification:
Show vlan bri
Show int description
show vtp status
SW3#show vlan bri
VLAN Name Status Ports

---- -------------------------------- --------- ----------------------------
---
1 default active
34 VLAN0034 active
100 VLAN0100 active
101 VLAN0101 active
153 VLAN0153 active Et0/1
164 VLAN0164 active
173 VLAN0173 active
184 VLAN0184 active
900 VLAN0900 active
911 VLAN0911 active
999 VLAN0999 active Et0/2, Et0/3, Et1/2, Et1/3
Et2/2, Et2/3, Et3/0, Et3/1
Et3/2, Et3/3
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup
SW3#
SW3#show vtp status
VTP Version capable : 1 to 3
VTP version running : 2
VTP Domain Name : jamesons
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : aabb.cc00.6000
Configuration last modified by 10.2.0.13 at 6-14-17 18:46:55
Local updater ID is 10.2.0.13 on interface Vl34 (lowest numbered VLAN
interface found)
Feature VLAN:
--------------
VTP Operating Mode : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs : 16
Configuration Revision : 1
MD5 digest : 0x9A 0xD9 0x43 0xA9 0x8B 0x3C 0xA8 0x31
0x1D 0x6F 0x53 0xAD 0x22 0xFA 0xF9 0xEC
SW3#show int description

Interface Status Protocol Description
Et0/0 up up
Et0/1 up up
Et0/2 admin down down
10
CCIE4Career.com
Et1/0 up up
Et1/1 up up
Et2/0 up up
Et2/1 up up
Po35 up up
Po34 up up
Lo0 up up
Vl1 admin down down
Vl34 up up
Vl100 up up
Vl101 up up
Vl153 up up
Vl173 up up
Vl911 up up
11
CCIE4Career.com
1.2 Section 1.2: Jameson’s Datacenter: Trunk Ports

Question:
Refer to “Diagram 1: Jameson’s Layer 2 Connections” and “Table 1: Jameson’s VLAN

to Port Mapping”.
Configure Jameson’s datacenter network (AS 65002) as per the following

requirements:
 All inter-switch links must be configured to use dot1q encapsulation.

 Ensure that all four switches send and receive untagged frames on VLAN 1.
 All four switches must maintain a separate Spanning-tree instance for each
VLAN.
 Spanning-tree must immediately delete dynamically learned MAC address
entries on a per-port basis upon receiving a topology change.
 SW3 must be the root switch for all VLANs. SW4 must be the backup root
switch for all VLANs. Ensure that they both have the best chances of
maintaining their respective role even if any new normal-range VLAN were to
be added in the future.
Solution:
SW3/SW4
int range e2/0-1,e1/0-1
sw trunk en dot
sw mod trunk
sw trunk native vlan 1
no shut
SW5/SW6
int range e1/0-1
sw trunk en dot
sw mode trunk
sw trunk native vlan 1
no shut
SW3
span vlan 1-1005 pri 0
SW4
span vlan 1-1005 pri 4096
12
CCIE4Career.com
Verification:
SW3#show int
*Jun 14 20:15:09.328: %SYS-5-CONFIG_I: Configured from console by
console
SW3#show int trunk
SW3#show int trunk
Port Mode Encapsulation Status Native vlan

Et2/0 on 802.1q trunking 1
Et2/1 on 802.1q trunking 1
Po35 on 802.1q trunking 1
Port Vlans allowed on trunk

Et2/0 none
Et2/1 none
Po35 1-4094
Port Vlans allowed and active in management domain

Et2/0 none
Et2/1 none
Po35 1,34,100-101,153,156,164,173,184,900,911,999
Port Vlans in spanning tree forwarding state and not pruned

Et2/0 none
Et2/1 none
Po35 1,34,100-101,153,156,164,173,184,900,911,999
13
CCIE4Career.com
1.3 Section 1.3 Jameson’s Datacenter: Link bundling

Question:
Refer to “Diagram 1: Jameson’s Layer 2 Connections” and “Diagram 2: Initial

Topology”
Configure Jameson’s datacenter network as per the following requirements:
 All four switches must bundle trunk ports so that they maintain a single logical
link to each other (excepted between SW5 and SW6), as shown in the
“Diagram 2: Initial Topology”.
 The distribution switches SW3 and SW4 must balance traffic between all
members of the link bundle based on source and destination IP addresses.
 The access switches SW5 and SW6 must balance the income traffic (that is
originated from server) between all members of the link bundle based on the
source mac address.
 It requests use LACP, SW3 and SW4 configure, SW5 and SW6 configure
passive.
Solution:
SW3
shut
int range e2/0-1
channel-protocol lacp
channel-group 34 mode active
int range e1/0-1
SW4
int range e1/0-1, e2/0-1
shut
int range e2/0-1
int range e1/0-1
channel-pro lacp
channel-gro 46 mode active
SW5
int range e1/0-1
shut
channel-pro lacp
channel-gr 35 mode passive
14
CCIE4Career.com
SW6
int range e1/0-1
channel-group 46 mode pass
SW3/SW4
no shut
port-channel load-balance src-dst-ip
SW5,SW6
int range e1/0-1
no shut
port-channel load-balance src-mac
R17/R18
int range e0/0-1
no shut
Verification:
SW3#show int trunk
Port Mode Encapsulation Status Native vlan

Port Vlans allowed on trunk

Po35 1-4094
Po34 1-4094
Port Vlans allowed and active in management domain

Po35 1,34,100-101,153,156,164,173,184,911,999
Po34 1,34,100-101,153,156,164,173,184,911,999
Port Vlans in spanning tree forwarding state and not pruned

Po35 1,34,100-101,153,156,164,173,184,911,999
Po34 1,34,100-101,153,156,164,173,184,911,999
SW3#
SW3#show int description

Interface Status Protocol Description
Et0/0 up up
Et0/1 up up
Et1/0 up up
Et1/1 up up
15
CCIE4Career.com
Et2/0 up up
Et2/1 up up
Et2/2 up up
Po35 up up
Po34 up up
Lo0 up up
Vl1 admin down down
Vl34 up up
Vl100 up up
Vl101 up up
Vl153 up up
Vl173 up up
Vl911 up up
SW3#show vlan
VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------
1 default active
34 VLAN0034 active
100 VLAN0100 active
101 VLAN0101 active
164 VLAN0164 active
173 VLAN0173 active
184 VLAN0184 active
911 VLAN0911 active
999 VLAN0999 active Et0/2, Et0/3, Et1/2, Et1/3
Et2/2, Et2/3, Et3/0, Et3/1
Et3/2, Et3/3
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
34 enet 100034 1500 - - - - - 0 0
100 enet 100100 1500 - - - - - 0 0
101 enet 100101 1500 - - - - - 0 0
153 enet 100153 1500 - - - - - 0 0
156 enet 100156 1500 - - - - - 0 0
164 enet 100164 1500 - - - - - 0 0
173 enet 100173 1500 - - - - - 0 0
184 enet 100184 1500 - - - - - 0 0
911 enet 100911 1500 - - - - - 0 0
999 enet 100999 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 0 0
1003 trcrf 101003 4472 1005 3276 - - srb 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trbrf 101005 4472 - - 15 ibm - 0 0
VLAN AREHops STEHops Backup CRF

---- ------- ------- ----------
16
CCIE4Career.com
1003 7 7 off
Primary Secondary Type Ports

------- --------- ----------------- ------------------------------------------
SW3#show span
VLAN0001
Spanning tree enabled protocol rstp
Root ID Priority 1
Address aabb.cc00.6000
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 1 (priority 0 sys-id-ext 1)

Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type

------------------- ---- --- --------- -------- --------------------------------
Po34 Desg FWD 56 128.65 Shr Peer(STP)
Po35 Desg FWD 56 128.66 Shr
VLAN0034
Root ID Priority 34

Aging Time 300 sec

------------------- ---- --- --------- -------- --------------------------------
VLAN0100
Root ID Priority 100

Aging Time 300 sec

------------------- ---- --- --------- -------- --------------------------------
17
CCIE4Career.com
VLAN0101

Aging Time 300 sec

------------------- ---- --- --------- -------- --------------------------------
VLAN0153

Aging Time 300 sec

------------------- ---- --- --------- -------- --------------------------------
Et0/1 Desg FWD 100 128.2 Shr Edge
VLAN0156

Aging Time 300 sec

------------------- ---- --- --------- -------- --------------------------------
VLAN0164
18
CCIE4Career.com


Aging Time 300 sec

------------------- ---- --- --------- -------- --------------------------------
VLAN0173

Aging Time 300 sec

------------------- ---- --- --------- -------- --------------------------------
VLAN0184

Aging Time 300 sec

------------------- ---- --- --------- -------- --------------------------------
VLAN0911
19
CCIE4Career.com

Aging Time 300 sec

------------------- ---- --- --------- -------- --------------------------------
VLAN0999

Aging Time 300 sec

------------------- ---- --- --------- -------- --------------------------------
SW4#
SW4#ping 255.255.255.255 re 2
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 255.255.255.255, timeout is 2 seconds:
Reply to request 0 from 10.2.0.9, 1 ms


SW4#
20
CCIE4Career.com
1.4 Section 1.4 Jameson’s Branch Offices

Question:
Refer to “Diagram 1: Jameson’s Layer 2 Connections”.
Configure interface Ethernet0/0 in Jameson’s branch routers R19, R20 and R21 as
per the following requirements:
 The Ethernet WAN links must rely on a Layer 2 protocol that support link
negotiation and authentication.
 The service provider expect that the branch routers complete a three-way
handshake by providing the expected response of a challenge that is sent by
ISP.
 R19 must use the username “Jamesons-R19” and password “CCIE” (without
quotes).
quotes).
quotes).
 The interface Eth0/0 of all three routers must receive an IP address from ISP.
 Ensure that all three routers can ping the IP address of each other’s interface
Eth0/0.
 You are allowed to configure a single static route in each branch router to
achieve the previous requirement.
Solution:
R19
interface dialer1
ip address negotiated
encap ppp
dialer pool 1
ppp chap hostname Jamesons-R19
ppp chap pass 0 CCIE
!
int e0/0
pppoe enable group global
pppoe-client dial-pool-number 1
no shut
!
ip route 192.0.2.0 255.255.255.0 dialer 1
R20
int dialer 1
ip add nego
en ppp
dialer pool 1
21
CCIE4Career.com

!
int e0/0
no shut
!
ip route 192.0.2.0 255.255.255.0 dialer 1
R21
int dialer 1
ip add nego
en ppp
dialer pool 1
!
int e0/0
no shut
!
ip route 192.0.2.0 255.255.255.0 dialer 1
Explain:
Why you need the command: ip route 192.0.2.0 255.255.255.0 dialer 1
By default, when you checked in the router, you will get the output:
C 192.0.2.5/32 is directly connected, Dialer1
So when you want to ping the Ip address of R21 interface E0/0, it will be not success
(because you don’t have route in the routing table, so it is reason you need to add a
static route).
Verification:
R19#show ip int br
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES TFTP up up
Ethernet0/1 10.16.1.1 YES TFTP up up
Ethernet0/2 unassigned YES TFTP administratively down down
Dialer1 192.0.2.6 YES IPCP up up
Loopback0 10.255.1.19 YES TFTP up up
22
CCIE4Career.com
Tunnel0 10.100.0.19 YES TFTP up down

Virtual-Access1 unassigned YES unset up up
Virtual-Access2 unassigned YES unset up up
R19#
R19#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks

C 10.16.1.0/24 is directly connected, Ethernet0/1
L 10.16.1.1/32 is directly connected, Ethernet0/1
C 10.255.1.19/32 is directly connected, Loopback0
S 192.0.2.0/24 is directly connected, Dialer1
R19#ping 192.0.2.6
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
R19#ping 192.0.2.14
!!!!!
R19#ping 192.0.2.10
!!!!!
23
CCIE4Career.com
2. SECTION 2 Layer 3 Technologies

Rules and restrictions:
 After finishing each ò the following questions make sure that all configured
interfaces and subnets are consistently visible on all pertinent router and
switches.
 Do not redistribute route between any interior gateway protocol IGP and BGP
if not explicitly required.
 If not explicitly stated otherwise, you need to ping a BGP route only if it is
stated in a question otherwise the route should be only in the BGP table.
 At the end of this section all subnets in your topology in your topology
including the loopback interface must be reachable via Ping from anywhere in
your topology the back bone interfaces must be reachable only if they are
part of the solution to a question.
 The loopback interface must be seen as a host route /32 in the routing tables
unless stated otherwise in a question.
2.1 Section 2.1 Jameson’s IGP, Part 1

Question:
Refer to “Diagram 2: Initial Topology”. The configuration was already started. It is

your responsibility to complete and verify all requirements.
Configure Jameson’s network (AS 65001 and AS 65002) according to the following
requirements:
 Ensure that all routers use their interface Loopback 0 as OSPF router-id.
 Ensure that OSPF is not running on any interface that is facing another BGP
AS.
 SW5 and SW6 must not participate in OSPF at all.
 Do not use the “network” statement under the “router ospf” configuration
anywhere in the core network (AS 65001).
 Do not change the default OSPF cost of any interface anywhere.
 Ensure that R1, SW1 and SW2 are elected the Designated router on all of their
interfaces, and that they have the best chances of maintaining that role as
long as their interfaces are up.
 Ensure that R2 is elected the Backup Designated router on all of their
interfaces, and that it has the best chances of maintaining that role as long as
its interfaces are up.
 Request passive interface VLAN 100, VLAN 101, VLAN 911 on exam.
 OSPF process is 1.
24
CCIE4Career.com
Solution:
SW3/SW4
router ospf 1
passive-int vlan 100
R17
router ospf 1
router-id 10.255.1.17
!
interface l0
ip ospf 1 are 0
int e0/1
ip ospf 1 area 0
R18
router ospf 1
router-id 10.255.1.18
int l0
ip ospf 1 area 0
int e0/1
ip ospf 1 area 0
SW1/SW2 /exam had configured/

vlan 100
vlan 101
SW1
router ospf 1
router-id 10.255.1.101
int l0
ip ospf 1 area 0
int vlan 100
ip ospf 1 are 0
!
int vlan 101
ip ospf 1 area 0
ip ospf pri 255
25
CCIE4Career.com
R11
router ospf 1
router-id 10.255.1.11
int l0
ip ospf 1 area 0
int e0/1
ip ospf 1 area 0
R12
router ospf 1
router-id 10.255.1.12
!
int l0
ip ospf 1 area 0
int e0/1
ip ospf 1 area 0
SW2
router ospf 1
router-id 10.255.1.102
int l0
ip ospf 1 area 0
int vlan 100
ip ospf 1 are 0
int vlan 101
ip ospf 1 area 0
ip ospf priority 255
R13
router ospf 1
router-id 10.255.1.13
int l0
ip ospf 1 area 0
int e0/1
ip ospf 1 are 0
R14
router ospf 1
router-id 10.255.1.14
int l0
ip ospf 1 are 0
int e0/1
ip ospf 1 are 0
26
CCIE4Career.com
R1
router ospf 1
router-id 10.255.1.1
int l0
ip ospf 1 are 0
int range e0/0-3,e1/0
ip ospf 1 are 0
ip ospf pri 255
R3
router ospf 1
int l0
ip ospf 1 area 0
int e0/0
ip ospf 1 area 0
int e0/2
ip ospf 1 area 0
R4
router ospf 1
int l0
ip ospf 1 are 0
int e0/0
ip ospf 1 are 0
int e0/2
ip ospf 1 area 0
ip ospf pri 255
R5
router ospf 1
!
int l0
ip ospf 1 are 0
int rang e0/0-1
ip ospf 1 are 0
R6
router ospf 1
27
CCIE4Career.com
int l0
ip ospf 1 area 0
int e0/0
ip ospf 1 are 0
int e0/1
ip ospf 1 are 0
ip ospf pri 255
R7
router ospf 1
int l0
ip ospf 1 are 0
int e0/3
ip ospf 1 area 0
R8
router ospf 1
int l0
ip ospf 1 area 0
int e0/3
ip ospf 1 are 0
ip ospf pri 255
R9/R10
int range e0/0-1
no shut
R9
router ospf 1
int l0
ip ospf 1 area 0
int e0/0
ip ospf 1 are 0
R10
router ospf 1
int l0
ip ospf 1 area 0
int e0/0
28
CCIE4Career.com
ip ospf 1 area 0
ip ospf pri 255
R2
router ospf 1
int l0
ip ospf 1 are 0
int range e0/0-3,e1/0
ip ospf 1 are 0
ip ospf pri 254
Verification:
R1#show ip os int br
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Lo0 1 0 10.255.1.1/32 1 LOOP 0/0
Et0/0 1 0 10.254.0.1/30 10 DR 1/1
Et0/1 1 0 10.254.0.5/30 10 DR 1/1
Et0/2 1 0 10.254.0.13/30 10 DR 1/1
Et0/3 1 0 10.254.0.9/30 10 DR 1/1
Et1/0 1 0 10.254.0.17/30 10 DR 1/1
R1#show ip os ne
Neighbor ID Pri State Dead Time Address Interface

10.255.1.2 254 FULL/BDR 00:00:37 10.254.0.2 Ethernet0/0
10.255.1.9
Lo0 1 0 10.255.1.2/32 1 LOOP 0/0
Et0/0 1 0 10.254.0.2/30 10 BDR 1/1
Et0/1 1 0 10.254.0.21/30 10 BDR 1/1
Et0/2 1 0 10.254.0.33/30 10 BDR 1/1
Et0/3 1 0 10.254.0.25/30 10 BDR 1/1
Et1/0 1 0 10.254.0.29/30 10 BDR 1/1
R2#show ip os ne

10.255.1.1 255 FULL/DR 00:00:37 10.254.0.1 Ethernet0/0
10.255.1.6 255 FULL/DR 00:00:39 10.254.0.22 Ethernet0/1
10.255.1.4 255 FULL/DR 00:00:35 10.254.0.34 Ethernet0/2
10.255.1.8 255 FULL/DR 00:00:37 10.254.0.26 Ethernet0/3
10.22.1.10 255 FULL/DR 00:00:33 10.254.0.30 Ethernet1/0
SW1#show ip os int br
Lo0 1 0 10.255.1.101/32 1 LOOP 0/0
Vl101 1 0 10.1.254.254/24 1 DR 2/2
Vl100 1 0 10.1.1.254/24 1 DR 0/0
SW1#show ip os ne

10.255.1.11 1 FULL/DROTHER 00:00:39 10.1.254.1 Vlan101
29
CCIE4Career.com
10.255.1.12 1 FULL/BDR 00:00:31 10.1.254.2 Vlan101

SW1#
SW2#show ip os int br
Lo0 1 0 10.255.1.102/32 1 LOOP 0/0
Vl101 1 0 10.3.254.254/24 1 DR 2/2
Vl100 1 0 10.3.1.254/24 1 DR 0/0
SW2#show ip os ne

10.255.1.13 1 FULL/DROTHER 00:00:34 10.3.254.1 Vlan101
10.255.1.14 1 FULL/BDR 00:00:33 10.3.254.2 Vlan101
SW2#
Lo0 1 0 10.255.1.4/32 1 LOOP 0/0
Et0/2 1 0 10.254.0.34/30 10 DR 1/1
Et0/0 1 0 10.254.0.50/30 10 BDR 1/1
R4#show ip os ne

10.255.1.3 1 FULL/DR 00:00:39 10.254.0.49 Ethernet0/0
30
CCIE4Career.com
2.2 Section 2.2 Jameson’s IGP, Part 2

Question:
Refer to “Diagram 2: Initial Topology”. Configure Jameson’s branch network

according to the following requirements:
 R17 must propagate a default route in its OSPF domain, but only if it already
has a default route in its routing table.
 Do not redistribute BGP into OSPF and vice versa on R17.
 Each branch router must establish an OSPF adjacency with R17 and must
receive a default route via OSPF. They may not receive any other LSA type 3
from the ABR.
 Each branch router must advertise their interface Lo0 and Ethernet0/1 into
OSPF.
 None of the branch routers may attempt to elect a Designated Router on their
Tunnel 0 interface.
Solution:
R17 /exam had configured/

router bgp 65002
bgp router-id 10.255.1.17
nei 192.0.2.1 remote-as 12345
Explain
Help others network go to internet. It is needed configure for 3.1
section DMVPN
R17
int tunnel 0
ip nhrp map multicast dynamic
ip nhrp network-id 12345
ip nhrp redirect
tunnel source e0/0
tunnel mode gre multipoint
R19/20/21
int t0
ip nhrp map multicast 192.0.2.2
ip nhrp map 10.100.0.1 192.0.2.2
ip nhrp shortcut
ip nhrp nhs 10.100.0.1
tunnel source dialer 1
31
CCIE4Career.com
R17
router ospf 1
area 51 stub no-sum
default-information originate
!
int t0
ip ospf 1 area 51
ip ospf network point-to-multipoint
R19
router ospf 1
router-id 10.255.1.19
are 51 stub
!
int t0
ip ospf 1 area 51
ip ospf net point-to-multipoint
!
int l0
ip ospf 1 area 51
int e0/1
ip ospf 1 area 51
R20
router ospf 1
router-id 10.255.1.20
area 51 stub
!
int l0
ip ospf 1 are 51
int e0/1
ip ospf 1 are 51
int t0
ip ospf 1 area 51
R21
router ospf 1
router-id 10.255.1.21
area 51 stub
int l0
ip ospf 1 are 51
32
CCIE4Career.com
int e0/1
ip ospf 1 are 51
int t0
ip ospf 1 are 51
Verification:
R17#show ip os ne

10.255.1.103 1 FULL/DR 00:00:39 10.2.0.37
Ethernet0/1
10.255.1.19 0 FULL/ - 00:01:57 10.100.0.19 Tunnel0
10.255.1.21 0 FULL/ - 00:01:36 10.100.0.21 Tunnel0
10.255.1.20 0 FULL/ - 00:01:57 10.100.0.20 Tunnel0
Lo0 1 0 10.255.1.17/32 1 LOOP 0/0
Et0/1 1 0 10.2.0.38/30 10 BDR 1/1
Tu0 1 51 10.100.0.1/24 1000 P2MP 3/3
R19#show ip route
ia - IS-IS inter area, * - candidate default, U - per-user static
route
Gateway of last resort is 10.100.0.1 to network 0.0.0.0
O*IA 0.0.0.0/0 [110/1001] via 10.100.0.1, 00:02:12, Tunnel0

O 10.16.2.0/24 [110/2010] via 10.100.0.1, 00:02:12, Tunnel0
O 10.16.3.0/24 [110/2010] via 10.100.0.1, 00:01:33, Tunnel0
C 10.100.0.0/24 is directly connected, Tunnel0
O 10.100.0.1/32 [110/1000] via 10.100.0.1, 00:02:12, Tunnel0
L 10.100.0.19/32 is directly connected, Tunnel0
O 10.100.0.20/32 [110/2000] via 10.100.0.1, 00:02:12, Tunnel0
O 10.100.0.21/32 [110/2000] via 10.100.0.1, 00:01:33, Tunnel0
O 10.255.1.20/32 [110/2001] via 10.100.0.1, 00:02:12, Tunnel0
O 10.255.1.21/32 [110/2001] via 10.100.0.1, 00:01:33, Tunnel0
S 192.0.2.0/24 is directly connected, Dialer1
33
CCIE4Career.com
R17#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details

Type:Hub, NHRP Peers:3,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 192.0.2.6 10.100.0.19 UP 00:10:38 D
1 192.0.2.10 10.100.0.20 UP 00:10:26 D
1 192.0.2.14 10.100.0.21 UP 00:10:11 D
34
CCIE4Career.com
2.3 Section 2.3 Jacob’s IGP

Question:
Refer to “Diagram 2: Initial Topology”. Jacob’s network is partly preconfigured. It is

your responsibility to verify and complete them.
Configure EIGRP for IPv4 in Jacob’s core network (AS 65006) according to the
 All EIGRP routers must support 64-bit metric calculations and Routing
Information Base (RIB) scaling in EIGRP topologies.
 The interface Lo0 of each router must be seen as an internal EIGRP prefix by
all other routers in their local domain.
 Ensure that EIGRP is not running on any interface that is facing another AS.
Use any method to accomplish this requirement.
 Jacob’s core network must use the EIGRP autonomous system number 1.
 R52 must inject its interface loopback 52 into EIGRP as an external prefix.
 All EIGRP core routers R50, R51 must add the administrator tag
“172.172.172.172” to all prefixes that they inject into EIGRP. Ensure that
operators can filter routes by using the route tag wildcard mask.
 The following output must be seen on R50:
R50#show ip ei topology 52.52.52.52 255.255.255.255
EIGRP-IPv4 VR(JACOBS) Topology Entry for AS(1)/ID(172.30.1.50) for
52.52.52.52/32
State is Passive, Query origin flag is 1, 1 Successor(s), FD is
131153920, RIB is 1024640
Descriptor Blocks:
172.30.100.3 (Ethernet0/0), from 172.30.100.3, Send flag is 0x0
Composite metric is (131153920/163840), route is External
Vector metric:
Minimum bandwidth is 10000 Kbit
Total delay is 1001250000 picoseconds
Reliability is 255/255
Load is 1/255
Minimum MTU is 1500
Hop count is 1
Originating router is 172.30.1.52
External data:
AS number of route is 0
External protocol is Connected, external metric is 0
Administrator tag is 172.172.172.172
Solution:
R53/R54
int range e0/0-1
no shut
35
CCIE4Career.com
R50/R51/R52/R53/R54
no router eigrp 1
R50
router eigrp JACOBS
address-family ipv4 unicast autonomous-system 1
network 172.30.1.50 0.0.0.0
network 172.30.100.1 0.0.0.0
R51
router eigrp JACOBS
network 172.30.1.51 0.0.0.0
network 172.30.100.2 0.0.0.0
R52
router eigrp JACOBS
net 172.30.1.52 0.0.0.0
net 172.30.100.3 0.0.0.0
topology base
redistribute connected route-map CONNECTED
route-map CONNECTED
match interface loopback 52
R53
router eigrp JACOBS
network 172.30.1.53 0.0.0.0
net 172.30.100.4 0.0.0.0
R54
router eigrp JACOBS
network 172.30.1.54 0.0.0.0
net 172.30.100.5 0.0.0.0
36
CCIE4Career.com
R50/51/52/53/54/R9/R10
route-tag notation dotted-decimal
Explain:
This is really important command. It helps the output to become Tag:
172.172.172.172
R50/51/52
route-map TAG permit 10
set tag 172.172.172.172
!
router eigrp JACOBS
topology base
distribute-list route-map TAG out
!
SW10/SW11 /exam had configured it//

vlan 100
vlan 101
R57
router eigrp 10
network 172.18.2.1 0.0.0.0
network 172.30.1.57 0.0.0.0
Verification:
R50#show ip ei ne
EIGRP-IPv4 VR(JACOBS) Address-Family Neighbors for AS(1)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
3 172.30.100.5 Et0/0 11 00:04:58 2 100 0 12
2 172.30.100.4 Et0/0 11 00:05:09 5 100 0 14
1 172.30.100.3 Et0/0 11 00:05:19 2 100 0 19
0 172.30.100.2 Et0/0 11 00:05:27 1 100 0 17
37
CCIE4Career.com
R50#show ip route
Gateway of last resort is not set
52.0.0.0/32 is subnetted, 1 subnets

D EX 52.52.52.52 [170/1024640] via 172.30.100.3, 00:06:26, Ethernet0/0
D 172.30.1.51/32 [90/1024640] via 172.30.100.2, 00:06:58, Ethernet0/0
D 172.30.1.52/32 [90/1024640] via 172.30.100.3, 00:06:26, Ethernet0/0
D 172.30.1.53/32 [90/1024640] via 172.30.100.4, 00:08:45, Ethernet0/0
D 172.30.1.54/32 [90/1024640] via 172.30.100.5, 00:08:34, Ethernet0/0
R50#show ip ei topology 52.52.52.52 255.255.255.255

EIGRP-IPv4 VR(JACOBS) Topology Entry for AS(1)/ID(172.30.1.50) for 52.52.52.52/32
State is Passive, Query origin flag is 1, 1 Successor(s), FD is 131153920, RIB is
1024640
Descriptor Blocks:
172.30.100.3 (Ethernet0/0), from 172.30.100.3, Send flag is 0x0
Composite metric is (131153920/163840), route is External
Vector metric:
Minimum bandwidth is 10000 Kbit
Total delay is 1001250000 picoseconds
Reliability is 255/255
Load is 1/255
Minimum MTU is 1500
Hop count is 1
Originating router is 172.30.1.52
External data:
AS number of route is 0
External protocol is Connected, external metric is 0
Administrator tag is 172.172.172.172
38
CCIE4Career.com
2.4 Section 2.4 Jameson’s Pre-merge

Question:
Refer to the “Overall Scenario”, “Diagram 2: Initial Topology” and “Diagram 4: Pre-
merge Topology”.
Jameson’s decided to enable MPLS VPN in their network Configure Jameson’s

network as per the following requirements:
 R11, R12, R13 and R14 must redistribute OSPF into BGP and they must
advertise a default route into their respective OSPF domain. They may not
redistribute BGP into OSPF. Need add always, it is request on exam.
 R15 and R16 must mutually redistribute OSPF and BGP.
 R11, R12, R13 and R14 must advertise only four prefixes via eBGP to
Jameson’s core network as follows:
o R11 and R12 must advertise 10.1.0.0/16, 10.255.1.11/32,
10.255.1.12/32 and 10.255.1.101/32;
o R13 and R14 must advertise 10.3.0.0/16, 10.255.1.13/32,
10.255.1.14/32 and 10.255.1.102/32;
 R1 must reflect IPv4 BGP prefixes to all core routers except R2. All internal
BGP peers must be established using interface Lo0.
 Ensure that each Jameson’s site receives BGP prefixes from other sites.
 A very smaller output as the one shown below must be seen on R11, R12, R13
and R14 (only the next-hop, version and update-group may differ).
R11#show ip bgp 10.2.0.0/16
BGP routing table entry for 10.2.0.0/16, version 18
Paths: (2 available, best #2, table default)
Advertised to update-groups:
2
Refresh Epoch 1
65001 65001, (aggregated by 65002 10.255.1.16)
10.255.1.12 (metric 11) from 10.255.1.12 (10.255.1.12)
Origin IGP, metric 0, localpref 100, valid, internal, atomic-aggregate
rx pathid: 0, tx pathid: 0
Refresh Epoch 1
65001 65001, (aggregated by 65002 10.255.1.15)
10.254.0.53 from 10.254.0.53 (10.255.1.7)
Origin IGP, localpref 100, valid, external, atomic-aggregate, best
rx pathid: 0, tx pathid: 0x0
Configure Jameson’ s network as per the following requirements：
 Ensure that any prefix that originate in any of these main site will not advertise
back to same site via redundant gateway.
 The configuration must equally apply to any future prefixes that may be
advertised by any site
 R15 and R16 must advertise their OSPF default route to their PE.
39
CCIE4Career.com
Solution:
R1
router bgp 65001
nei IBGP peer-group
nei IBGP remote-as 65001
nei IBGP update-source loopback 0
nei IBGP route-reflector-client
nei 10.255.1.3 peer-group IBGP
R3
router bgp 65001
nei 10.255.1.1 remote-as 65001
nei 10.255.1.1 update-source l0
nei 10.255.1.1 next-hop-self
R4
router bgp 65001
nei 10.255.1.1 remote-as 65001
R5
router bgp 65001
nei 10.255.1.1 remote-as 65001
R6
router bgp 65001
nei 10.255.1.1 remote-as 65001
40
CCIE4Career.com
R7
router bgp 65001
nei 10.255.1.1 remote-as 65001
R8
router bgp 65001
nei 10.255.1.1 remote-as 65001
Explain:
Why do you need the command: next-hop-self under the BGP configuration?
Because the interface faced to the edge router, you don’t advertise it into the core
network, so if the route from
R3 (role as PE)
ip vrf GREEN
rd 65002:15
!
int e0/1
ip vrf forwarding GREEN
ip add 10.254.0.73 255.255.255.252
!
router bgp 65001
no nei 10.254.0.74 remote-as 65002
address-family ipv4 vrf GREEN
nei 10.254.0.74 remote-as 65002
nei 10.254.0.74 as-override
R4 (PE role)
ip vrf GREEN
rd 65002:16
!
int e0/1
ip add 10.254.0.77 255.255.255.252
router bgp 65001
no nei 10.254.0.78 remote-as 65002
41
CCIE4Career.com
nei 10.254.0.78 remote-as 65002

R5 (PE role)
ip vrf GREEN
rd 65002:13
int e0/2
ip add 10.254.0.41 255.255.255.252
!
router bgp 65001
no nei 10.254.0.42 remote-as 65002
nei 10.254.0.42 remote-as 65002
R6 (PE role)
ip vrf GREEN
rd 65002:14
!
int e0/2
ip add 10.254.0.45 255.255.255.252
!
router bgp 65001
no nei 10.254.0.46 remote-as 65002
nei 10.254.0.46 remote-as 65002
R7 (PE role)
ip vrf RED
rd 65002:11
!
int e0/0
ip vrf forwarding RED
ip add 10.254.0.53 255.255.255.252
!
router bgp 65001
no nei 10.254.0.54 remote-as 65002
address-family ipv4 vrf RED
nei 10.254.0.54 remote-as 65002
R8 (PE role)
42
CCIE4Career.com
ip vrf RED
rd 65002:12
int e0/0
ip vrf forwarding RED
ip add 10.254.0.57 255.255.255.252
router bgp 65001
no nei 10.254.0.58 remote-as 65002
address-family ipv4 vrf RED
nei 10.254.0.58 remote-as 65002
R11 (play as CE role)

router bgp 65002
nei 10.254.0.53 remote-as 65001
nei 10.255.1.12 remote-as 65002

router bgp 65002
nei 10.254.0.57 remote-as 65001
nei 10.255.1.11 remote-as 65002

router bgp 65002
nei 10.254.0.41 remote-as 65001
nei 10.255.1.14 remote-as 65002

router bgp 65002
nei 10.254.0.45 remote-as 65001
nei 10.255.1.13 remote-as 65002
43
CCIE4Career.com

router bgp 65002
nei 10.254.0.73 remote-as 65001
nei 10.255.1.16 remote-as 65002

router bgp 65002
nei 10.254.0.77 remote-as 65001
nei 10.255.1.15 remote-as 65002
R11/R12
router bgp 65002
redistribute ospf 1
aggregate-address 10.1.0.0 255.255.0.0 summary-only
!
router ospf 1
default-information originate always
R13/R14
router bgp 65002
redistribute ospf 1
!
router ospf 1
default-information originate always
R15/R16
router bgp 65002
redistribute ospf 1 match internal external 2
!
router ospf 1
redistribute bgp 65002 subnets metric-type 1
!
router bgp 65002
default-information originate
44
CCIE4Career.com
R15/R16
ip prefix-list AS65005 seq 5 deny 172.18.1.0/24
ip prefix-list AS65005 seq 10 permit 0.0.0.0/0 le 32
R15
router bgp 65002
nei 10.254.0.73 prefix AS65005 out
R16
router bgp 65002
nei 10.254.0.77 prefix AS65005 out
Verification:
R1#show ip bgp summary
BGP router identifier 10.255.1.1, local AS number 65001
BGP table version is 1, main routing table version 1
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down

State/PfxRcd
10.255.1.3 4 65001 16 52 1 0 0 00:01:44 0
10.255.1.4 4 65001 16 51 1 0 0 00:01:43 0
10.255.1.5 4 65001 9 53 1 0 0 00:01:46 0
10.255.1.6 4 65001 9 52 1 0 0 00:01:46 0
10.255.1.7 4 65001 9 51 1 0 0 00:01:43 0
10.255.1.8 4 65001 9 51 1 0 0 00:01:41 0
R15#show ip bgp
BGP table version is 342, local router ID is 10.255.1.15
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path

* i 0.0.0.0 10.255.1.16 1 100 0 ?
*> 10.2.0.6 1 32768 ?
* i 10.0.0.0 10.255.1.16 1 100 0 ?
*> 10.2.0.6 1 32768 ?
* i 10.1.0.0/16 10.255.1.16 0 100 0 65001 65001 i
*> 10.254.0.73 0 65001 65001 i
s> 10.2.0.0/30 0.0.0.0 0 32768 ?
r i 10.2.0.0/16 10.255.1.16 0 100 0 i
r> 0.0.0.0 32768 i
s> 10.2.0.4/30 0.0.0.0 0 32768 ?
s> 10.2.0.8/30 10.2.0.6 12 32768 ?
s> 10.2.0.12/30 10.2.0.6 11 32768 ?
s> 10.2.0.36/30 10.2.0.6 11 32768 ?
s> 10.2.0.40/30 10.2.0.6 12 32768 ?
s> 10.2.1.0/24 10.2.0.6 11 32768 ?
s> 10.2.100.0/24 10.2.0.6 11 32768 ?
s> 10.2.101.0/24 10.2.0.6 11 32768 ?
45
CCIE4Career.com
* i 10.3.0.0/16 10.255.1.16 0 100 0 65001 65001 i

*> 10.254.0.73 0 65001 65001 i
* i 10.16.1.0/24 10.255.1.16 1031 100 0 ?
*> 10.2.0.6 1021 32768 ?
* i 10.16.2.0/24 10.255.1.16 1031 100 0 ?
*> 10.2.0.6 1021 32768 ?
* i 10.16.3.0/24 10.255.1.16 1031 100 0 ?
*> 10.2.0.6 1021 32768 ?
* i 10.100.0.1/32 10.255.1.16 21 100 0 ?
*> 10.2.0.6 11 32768 ?
* i 10.100.0.19/32 10.255.1.16 1021 100 0 ?
*> 10.2.0.6 1011 32768 ?
* i 10.100.0.20/32 10.255.1.16 1021 100 0 ?
*> 10.2.0.6 1011 32768 ?
* i 10.100.0.21/32 10.255.1.16 1021 100 0 ?
*> 10.2.0.6 1011 32768 ?
* i 10.255.1.11/32 10.255.1.16 0 100 0 65001 65001 ?
*> 10.254.0.73 0 65001 65001 ?
* i 10.255.1.12/32 10.255.1.16 0 100 0 65001 65001 ?
*> 10.254.0.73 0 65001 65001 ?
* i 10.255.1.13/32 10.255.1.16 0 100 0 65001 65001 ?
*> 10.254.0.73 0 65001 65001 ?
* i 10.255.1.14/32 10.255.1.16 0 100 0 65001 65001 ?
*> 10.254.0.73 0 65001 65001 ?
* i 10.255.1.15/32 10.255.1.16 11 100 0 ?
*> 0.0.0.0 0 32768 ?
* i 10.255.1.16/32 10.255.1.16 0 100 0 ?
*> 10.2.0.2 11 32768 ?
* i 10.255.1.17/32 10.255.1.16 22 100 0 ?
*> 10.2.0.6 12 32768 ?
* i 10.255.1.18/32 10.255.1.16 23 100 0 ?
*> 10.2.0.6 13 32768 ?
* i 10.255.1.19/32 10.255.1.16 1022 100 0 ?
*> 10.2.0.6 1012 32768 ?
* i 10.255.1.20/32 10.255.1.16 1022 100 0 ?
*> 10.2.0.6 1012 32768 ?
* i 10.255.1.21/32 10.255.1.16 1022 100 0 ?
*> 10.2.0.6 1012 32768 ?
* i 10.255.1.101/32 10.255.1.16 0 100 0 65001 65001 ?
*> 10.254.0.73 0 65001 65001 ?
* i 10.255.1.102/32 10.255.1.16 0 100 0 65001 65001 ?
*> 10.254.0.73 0 65001 65001 ?
* i 10.255.1.103/32 10.255.1.16 21 100 0 ?
*> 10.2.0.6 11 32768 ?
* i 10.255.1.104/32 10.255.1.16 22 100 0 ?
*> 10.2.0.6 12 32768 ?
* i 172.30.1.55/32 10.255.1.16 0 100 0 65001 65005 ?
*> 10.254.0.73 0 65001 65005 ?
* i 172.30.1.56/32 10.255.1.16 0 100 0 65001 65005 ?
*> 10.254.0.73 0 65001 65005 ?
* i 172.30.1.57/32 10.255.1.16 0 100 0 65001 65005 ?
*> 10.254.0.73 0 65001 65005 ?
* i 172.30.1.58/32 10.255.1.16 0 100 0 65001 65007 ?
*> 10.254.0.73 0 65001 65007 ?
* i 172.30.1.107/32 10.255.1.16 0 100 0 65001 65005 ?
*> 10.254.0.73 0 65001 65005 ?
* i 172.30.1.108/32 10.255.1.16 0 100 0 65001 65007 ?
*> 10.254.0.73 0 65001 65007 ?
46
CCIE4Career.com
2.5 Section 2.5 Jacob’s Pre-merge

Question:
Refer to the “Overall Scenario”, “Diagram 2: Initial Topology” and “Diagram 4: Pre-
merge Topology”. Jacob’s decided to enable MPLS VPN in their network Configure
Jameson’s network as per the following requirements: based on Topology.
Solution:
R56
router bgp 65005
nei 172.18.253.5 remote-as 65006
nei 172.30.1.55 remote-as 65005
R55
router bgp 65005
nei 172.18.253.1 remote-as 65006
nei 172.30.1.56 remote-as 65005
R50//play a PE role, VRF green

ip vrf GREEN
rd 65005:55
int e0/1
ip add 172.18.253.1 255.255.255.252
router bgp 65006

nei 172.18.253.2 remote-as 65005
47
CCIE4Career.com
R51//PE , vrf GREEN, not yet define RT

ip vrf GREEN
rd 65005:56
interface Ethernet0/1
ip address 172.18.253.5 255.255.255.252
router bgp 65006

nei 172.18.253.6 remote-as 65005
R52 //PE, vrf BLUE

ip vrf BLUE
rd 65007:58
int e0/1
ip vrf forwarding BLUE
ip add 172.17.253.22 255.255.255.252
router bgp 65006

address-family ipv4 vrf BLUE
nei 172.17.253.21 remote-as 65007
R58 //in AS65007, act as CE role

router bgp 65007
nei 172.17.253.22 remote-as 65006
!
router bgp 65007
redistribute eigrp 10
!
R55/R56 //exam had configured//

ip prefix-list EIGRP seq 5 permit 172.0.0.0/8 le 32
!
route-map JACOBHQ permit 10
match ip address prefix-list EIGRP
!
route-map JACOBHQ1 deny 10
match ip address prefix-list EIGRP
route-map JACOBHQ1 permit 20
48
CCIE4Career.com
!
router bgp 65005
redistribute eigrp 10 route-map JACOBHQ
!
router eigrp 10
redistribute bgp 65005 metric 1 1 1 1 1 route-map JACOBHQ1
Verification:
R50#show bgp vpnv4 uni all

Route Distinguisher: 65002:15
*>i 0.0.0.0 10.255.1.3 1 100 0 65002 ?
*>i 10.0.0.0 10.255.1.3 1 100 0 65002 ?
*>i 10.2.0.0/16 10.255.1.3 0 100 0 65002 i
*>i 10.16.1.0/24 10.255.1.3 1021 100 0 65002 ?
*>i 10.16.2.0/24 10.255.1.3 1021 100 0 65002 ?
*>i 10.16.3.0/24 10.255.1.3 1021 100 0 65002 ?
*>i 10.100.0.1/32 10.255.1.3 11 100 0 65002 ?
*>i 10.100.0.19/32 10.255.1.3 1011 100 0 65002 ?
*>i 10.100.0.20/32 10.255.1.3 1011 100 0 65002 ?
*>i 10.100.0.21/32 10.255.1.3 1011 100 0 65002 ?
*>i 10.255.1.15/32 10.255.1.3 0 100 0 65002 ?
*>i 10.255.1.16/32 10.255.1.3 11 100 0 65002 ?
*>i 10.255.1.17/32 10.255.1.3 12 100 0 65002 ?
*>i 10.255.1.18/32 10.255.1.3 13 100 0 65002 ?
*>i 10.255.1.19/32 10.255.1.3 1012 100 0 65002 ?
*>i 10.255.1.20/32 10.255.1.3 1012 100 0 65002 ?
*>i 10.255.1.21/32 10.255.1.3 1012 100 0 65002 ?
*>i 10.255.1.103/32 10.255.1.3 11 100 0 65002 ?
*>i 10.255.1.104/32 10.255.1.3 12 100 0 65002 ?
*>i 172.18.1.0/24 10.255.1.3 1 100 0 65002 ?
*>i 0.0.0.0 10.255.1.4 1 100 0 65002 ?
*>i 10.0.0.0 10.255.1.4 1 100 0 65002 ?
*>i 10.2.0.0/16 10.255.1.4 0 100 0 65002 i
*>i 10.16.1.0/24 10.255.1.4 1031 100 0 65002 ?
*>i 10.16.2.0/24 10.255.1.4 1031 100 0 65002 ?
*>i 10.16.3.0/24 10.255.1.4 1031 100 0 65002 ?
*>i 10.100.0.1/32 10.255.1.4 21 100 0 65002 ?
*>i 10.100.0.19/32 10.255.1.4 1021 100 0 65002 ?
*>i 10.100.0.20/32 10.255.1.4 1021 100 0 65002 ?
*>i 10.100.0.21/32 10.255.1.4 1021 100 0 65002 ?
*>i 10.255.1.15/32 10.255.1.4 11 100 0 65002 ?
*>i 10.255.1.16/32 10.255.1.4 0 100 0 65002 ?
*>i 10.255.1.17/32 10.255.1.4 22 100 0 65002 ?
*>i 10.255.1.18/32 10.255.1.4 23 100 0 65002 ?
*>i 10.255.1.19/32 10.255.1.4 1022 100 0 65002 ?
*>i 10.255.1.20/32 10.255.1.4 1022 100 0 65002 ?
*>i 10.255.1.21/32 10.255.1.4 1022 100 0 65002 ?
*>i 10.255.1.103/32 10.255.1.4 21 100 0 65002 ?
*>i 10.255.1.104/32 10.255.1.4 22 100 0 65002 ?
*>i 172.18.1.0/24 10.255.1.4 1 100 0 65002 ?
49
CCIE4Career.com
Route Distinguisher: 65005:55 (default for vrf GREEN)

*>i 0.0.0.0 10.255.1.3 1 100 0 65002 ?
* i 10.255.1.4 1 100 0 65002 ?
*>i 10.0.0.0 10.255.1.3 1 100 0 65002 ?
* i 10.255.1.4 1 100 0 65002 ?
* i 10.2.0.0/16 10.255.1.4 0 100 0 65002 i
*>i 10.255.1.3 0 100 0 65002 i
*>i 10.16.1.0/24 10.255.1.3 1021 100 0 65002 ?
* i 10.255.1.4 1031 100 0 65002 ?
*>i 10.16.2.0/24 10.255.1.3 1021 100 0 65002 ?
* i 10.255.1.4 1031 100 0 65002 ?
*>i 10.16.3.0/24 10.255.1.3 1021 100 0 65002 ?
* i 10.255.1.4 1031 100 0 65002 ?
*>i 10.100.0.1/32 10.255.1.3 11 100 0 65002 ?
* i 10.255.1.4 21 100 0 65002 ?
*>i 10.100.0.19/32 10.255.1.3 1011 100 0 65002 ?
* i 10.255.1.4 1021 100 0 65002 ?
*>i 10.100.0.20/32 10.255.1.3 1011 100 0 65002 ?
* i 10.255.1.4 1021 100 0 65002 ?
*>i 10.100.0.21/32 10.255.1.3 1011 100 0 65002 ?
* i 10.255.1.4 1021 100 0 65002 ?
* i 10.255.1.15/32 10.255.1.4 11 100 0 65002 ?
*>i 10.255.1.3 0 100 0 65002 ?
* i 10.255.1.16/32 10.255.1.3 11 100 0 65002 ?
*>i 10.255.1.4 0 100 0 65002 ?
*>i 10.255.1.17/32 10.255.1.3 12 100 0 65002 ?
* i 10.255.1.4 22 100 0 65002 ?
*>i 10.255.1.18/32 10.255.1.3 13 100 0 65002 ?
* i 10.255.1.4 23 100 0 65002 ?
*>i 10.255.1.19/32 10.255.1.3 1012 100 0 65002 ?
* i 10.255.1.4 1022 100 0 65002 ?
*>i 10.255.1.20/32 10.255.1.3 1012 100 0 65002 ?
* i 10.255.1.4 1022 100 0 65002 ?
*>i 10.255.1.21/32 10.255.1.3 1012 100 0 65002 ?
* i 10.255.1.4 1022 100 0 65002 ?
* i 10.255.1.103/32 10.255.1.4 21 100 0 65002 ?
*>i 10.255.1.3 11 100 0 65002 ?
*>i 10.255.1.104/32 10.255.1.3 12 100 0 65002 ?
* i 10.255.1.4 22 100 0 65002 ?
*> 172.0.0.0/8 172.18.253.2 332800 0 65005 ?
*> 172.18.0.0 172.18.253.2 0 0 65005 i
*>i 172.18.1.0/24 10.255.1.3 1 100 0 65002 ?
* i 10.255.1.4 1 100 0 65002 ?
*> 172.30.1.55/32 172.18.253.2 0 0 65005 ?
*> 172.30.1.56/32 172.18.253.2 409600 0 65005 ?
*> 172.30.1.57/32 172.18.253.2 435200 0 65005 ?
*> 172.30.1.107/32 172.18.253.2 409600 0 65005 ?
50
CCIE4Career.com
2.6 Section 2.6 Merge phase 1: BGP

Question:
Refer to the “Overall Scenario” and “Diagram 5: Merge Phase: 1” Jameson’s and
Jacob’s started the first phase of their merge and add a new border router in their
respective main site (R18 and R57).
Configure the network as per the following requirements:
 Interface loopback 0 of both R18 and R57 must be add into their respective
IGP domain.
 Interface Eth0/1 of both R18 and R57 must peer with its connected IGP
neighbor.
 Both R18 and R57 must advertise a summary prefix via eBGP to each other as
follows:
R18 advertises 10.0.0.0/8
R57 advertises 172.0.0.0/8
 Both R18 and R57 must propagate the received summary prefix into their
respective IGP domain.
Solution:
R18
router bgp 65002
nei 10.2.0.46 remote-as 65005
network 10.2.100.0 mask 255.255.255.0
aggregate-address 10.0.0.0 255.0.0.0
router ospf 1
redistribute bgp 65002 subnets
R57
router bgp 65005
neighbor 10.2.0.45 remote-as 65002
network 172.18.1.0 mask 255.255.255.0
aggregate-address 172.0.0.0 255.0.0.0
!
router eigrp 10
redistribute bgp 65005 metric 10000 100 255 1 1500
51
CCIE4Career.com
Verification:
R18#show bgp ipv4 uni summary
4 network entries using 560 bytes of memory
4 path entries using 320 bytes of memory
4/4 BGP path/bestpath attribute entries using 576 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1480 total bytes of memory
BGP activity 4/0 prefixes, 4/0 paths, scan interval 60 secs

State/PfxRcd
10.2.0.46 4 65005 7 6 5 0 0 00:01:03 2
R18#
R18#show bgp ipv4 uni nei 10.2.0.46 adver
R18#show bgp ipv4 uni nei 10.2.0.46 advertised-routes

*> 10.0.0.0 0.0.0.0 32768 i
*> 10.2.100.0/24 10.2.0.41 11 32768 i
Total number of prefixes 2

R18#
52
CCIE4Career.com
2.7 Section 2.7 Merge phase 2: IGP

Question:
Refer to “Diagram 2: Initial Topology” and “Diagram 6: Merge Phase 2”. Jameson’s
and Jacob’s are entering in the second phase of the merge and have deployed two
new border routers in their respective core network. Configure the core networks as
per the following requirements:
 R9 and R10 must run OSPF on their interface Eth0/0 and Loopback 0.
 R9 and R10 must run EIGRP on their interface Eth0/1.
 R53 and R54 must run EIGRP on all of their interfaces.
 Mutually redistribute EIGRP and OSPF on both R9 and R10
 Avoid routing loops and ensure that all current and future prefixes are routed
via their optimal path. Do not use any access-list or prefix-list in order to
achieve this requirement
 Do not change any administrative distance of any protocol in any router.
Solution:
R9
router eigrp JACOBS
network 10.254.0.61 0.0.0.0
R10
router eigrp JACOBS
network 10.254.0.65 0.0.0.0
R53
router eigrp JACOBS
network 10.254.0.62 0.0.0.0
R54
router eigrp JACOBS
network 10.254.0.66 0.0.0.0
53
CCIE4Career.com
R9/R10
router ospf 1
redistribute eigrp 1 subnets
route-map METRIC permit 10

match metric 10 +- 11
set metric 10000 100 255 1 1500
route-map METRIC permit 20
set metric 1000 100 255 1 1500
!
router eigrp JACOBS
topology base
redistribute ospf 1 route-map METRIC
Verification:
R50#traceroute 10.255.1.8
Tracing the route to 10.255.1.8
VRF info: (vrf in name/id, vrf out name/id)
1 172.30.100.5 [MPLS: Label 22 Exp 0] 2 msec 1 msec 2 msec
4 10.254.0.26 2 msec * 5 msec
54
CCIE4Career.com
2.8 Section 2.8 Merge phase 2: Routing Policies

Question:
Refer to the “Overall Scenario”, “Diagram 2: Initial Topology” and “Diagram 6:

Merge Phase 2”. Configure the network as per the following requirements:
 Network managers have decided that the primary path for all traffic between
Jameson’s 10.2.100.0/24 and Jacob’s 172.18.1.0/24 must be routed
preferably via the BGP backdoor link between R18 and R57. If this link
should fail, then traffic should fall back over the MPLS core network.
 All other traffic must be routed preferably via the MPLS core network.
 Do not configure any route-map nor access-list in order to achieve this
requirement
 Ensure that the following test reveals the same path as shown below:
R101#traceroute 172.18.1.254 numeric
1 10.2.100.253 2 msec 1 msec 1 msec
2 10.2.0.14 1 msec 2 msec 1 msec
3 10.2.0.42 2 msec 2 msec 1 msec
4 10.2.0.46 2 msec 2 msec 1 msec
5 172.18.2.254 2 msec * 3 msec
SW10#traceroute 10.2.100.253
1 172.18.2.1 0 msec 1 msec 0 msec
2 10.2.0.45 2 msec 1 msec 1 msec
3 10.2.0.41 1 msec 1 msec 2 msec
4 10.2.100.253 3 msec * 2 msec
R101#traceroute 172.18.2.254
1 10.2.100.253 2 msec 1 msec 1 msec
2 10.2.0.5 1 msec 1 msec 1 msec
3 10.254.0.73 2 msec 2 msec 1 msec
4 10.254.0.13 [MPLS: Labels 35/46 Exp 0] 2 msec 2 msec 2 msec
8 172.18.253.6 2 msec 2 msec 3 msec
9 172.18.254.254 3 msec * 3 msec
55
CCIE4Career.com
Solution:
R51
router bgp 65006
bgp default local-preference 200
Explain:
If you don’t add local-preference 200 on R51, so traffic from R101 will cannot
follow exactly output as request from Cisco. R1 is RR, maybe it will choose R50 as
best path go to Jacob’s Headquater Network.
Verification:
R101#traceroute 172.18.1.254 numeric
1 10.2.100.253 2 msec 1 msec 1 msec
2 10.2.0.14 1 msec 2 msec 1 msec
3 10.2.0.42 2 msec 2 msec 1 msec
4 10.2.0.46 2 msec 2 msec 1 msec
5 172.18.2.254 2 msec * 3 msec
SW10#traceroute 10.2.100.253
1 172.18.2.1 0 msec 1 msec 0 msec
2 10.2.0.45 2 msec 1 msec 1 msec
3 10.2.0.41 1 msec 1 msec 2 msec
4 10.2.100.253 3 msec * 2 msec
R101#traceroute 172.18.2.254
1 10.2.100.253 2 msec 1 msec 1 msec
2 10.2.0.5 1 msec 1 msec 1 msec
3 10.254.0.73 2 msec 2 msec 1 msec
8 172.18.253.6 2 msec 2 msec 3 msec
9 172.18.254.254 3 msec * 3 msec
56
CCIE4Career.com
2.9 Section 2.9 IPv6 Routing, Part 1

Question:
Refer to “Diagram 2: Initial Topology”. Jameson’s started deploying IPv6 in dual-

stack mode in the datacenter Configure Jameson’s datacenter network as per the
 Establish OSPFv3 adjacencies in Area 0 between SW3, SW4, R15 and R16.
 Do not use the command “ipv6 router ospf” anywhere in order to accomplish
the previous requirement.
 Interface VLAN 100 of SW3 must be configured with default route preference
set to “high”.
 Interface VLAN 100 of SW4 must be configured with default route preference
set to “medium”.
 The interval between Router Advertisement transmissions on VLAN 100 must
be set 20 seconds on both SW3 and SW4.
Solution:
R15
router ospfv3 1
address-family ipv6 unicast
router-id 10.255.1.15
!
interface e0/0
ospfv3 1 ipv6 area 0
!
int e0/2
R16
router ospfv3 1
router-id 10.255.1.16
!
int e0/0
int e0/2
ospfv3 1 ipv6 are 0
57
CCIE4Career.com
SW3
router ospfv3 1
router-id 10.255.1.103
!
int loopback 0
int vlan 153

int vlan 100

ipv6 nd ra interval 20
!
int vlan 34
int vlan 100
ipv6 nd router-preference high
SW4
router ospfv3 1
router-id 10.255.1.104
!
int loopback 0
!
int vlan 164
!
int vlan 100
ipv6 nd ra interval 20
!
int vlan 34
int vlan 100
ipv6 nd router-preference medium
58
CCIE4Career.com
Verification:
R15#show ipv6 ospf ne
OSPFv3 Router with ID (10.255.1.15) (Process ID 1)
Neighbor ID Pri State Dead Time Interface ID Interface

10.255.1.103 1 FULL/DR 00:00:38 30 Ethernet0/2
10.255.1.16 1 FULL/DR 00:00:35 3 Ethernet0/0
R15#
SW3#show ipv6 os ne
OSPFv3 Router with ID (10.255.1.103) (Process ID 1)
Neighbor ID Pri State Dead Time Interface ID Interface

10.255.1.15 1 FULL/BDR 00:00:38 5 Vlan153
10.255.1.104 1 FULL/DR 00:00:39 22 Vlan100
10.255.1.104 1 FULL/DR 00:00:37 21 Vlan34
SW3#show ipv6 route

IPv6 Routing Table - default - 11 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2
IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP external
ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect
O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
LC 2001:CC1E:BEEF:10:255:1:103:103/128 [0/0]
via Loopback0, receive
O 2001:CC1E:BEEF:10:255:1:104:104/128 [110/1]
via FE80::A8BB:CCFF:FE80:8000, Vlan100
C 2001:CC1E:BEEF:34::/64 [0/0]
via Vlan34, directly connected
L 2001:CC1E:BEEF:34:10:2:0:13/128 [0/0]
via Vlan34, receive
C 2001:CC1E:BEEF:100::/64 [0/0]
L 2001:CC1E:BEEF:100:10:2:1:253/128 [0/0]
via Vlan100, receive
C 2001:CC1E:BEEF:153::/64 [0/0]
L 2001:CC1E:BEEF:153:10:2:0:6/128 [0/0]
via Vlan153, receive
O 2001:CC1E:BEEF:156::/64 [110/11]
via FE80::A8BB:CCFF:FE00:D020, Vlan153
O 2001:CC1E:BEEF:164::/64 [110/2]
L FF00::/8 [0/0]
via Null0, receive
SW3#show ipv6 int vlan 100

Vlan100 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::A8BB:CCFF:FE80:6000 [UNA]
Virtual link-local address(es):
FE80:100::1 [OOD]
Global unicast address(es):
2001:CC1E:BEEF:100:10:2:1:253, subnet is 2001:CC1E:BEEF:100::/64
Joined group address(es):
FF02::1
59
CCIE4Career.com
FF02::2
FF02::5
FF02::6
FF02::66
FF02::1:FF00:1
FF02::1:FF01:253
FF02::1:FF80:6000
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ICMP unreachables are sent
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 30000)
ND advertised reachable time is 0 (unspecified)
ND advertised retransmit interval is 0 (unspecified)
ND router advertisements are sent every 20 seconds
ND router advertisements live for 1800 seconds
ND advertised default router preference is High
Hosts use stateless autoconfig for addresses.
60
CCIE4Career.com
2.10 Section 2.10 IPv6 Routing, Part 2

Question:
Configure Jameson’s datacenter network as per the following requirements:
 SW3 and SW4 must provide first-hop redundancy for hosts in VLAN 100 by
sharing the virtual link-local address FE80:100::1.
 SW3 must be elected as the active router and SW4 must be elected the
standby router.
 In case SW3 is down, SW4 must take over the active role. If SW3 comes
back online, it must automatically recover the active role from SW4.
 Ensure that HSRP Hello packets are exchanged every 10 second and that the
standby takes over the active role if three consecutive Hello packets were
missed from the active.
Solution:
SW3
int vlan 100
standby ver 2
standby 1 ipv6 fe80:100::1
standby 1 timers 10 30
standby 1 priority 105
standby 1 preempt
SW4
int vlan 100
standby version 2
standby 1 ipv6 fe80:100::1
standby 1 timer 10 30
standby 1 preempt
Verification:
SW3#show standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Vl100 1 105 P Active local FE80::A8BB:CCFF:FE80:8000
FE80:100::1
Vl100 2 95 P Active local 10.2.100.254 10.2.100.1
61
CCIE4Career.com
SW3#show standby
Vlan100 - Group 1 (version 2)
State is Active
2 state changes, last state change 00:01:41
Link-Local Virtual IPv6 address is FE80:100::1 (conf)
Active virtual MAC address is aabb.cc80.6000 (MAC In Use)
Local virtual MAC address is aabb.cc80.6000 (bia)
Hello time 10 sec, hold time 30 sec
Next hello sent in 5.824 secs
Preemption enabled
Active router is local
Standby router is FE80::A8BB:CCFF:FE80:8000, priority 100 (expires in
30.128 sec)
Priority 105 (configured 105)
Group name is "hsrp-Vl100-1" (default)
State is Active
Virtual IP address is 10.2.100.1
Preemption enabled
Standby router is 10.2.100.254, priority 90 (expires in 30.240 sec)
Track object 1 state Down decrement 10
62
CCIE4Career.com
2.11 Section 2.11 Multicast in Jameson’s

Question:
Refer to “Diagram 2: Initial Topology”.
An application running on SW3 (which is located in Jameson’s datacenter) uses

multicast to deliver specific traffic to users located in Jameson’s branch network.
Configure Jameson’s network as per following requirements:
 Use PIM Sparse-mode.

 The interface Lo0 of R17 must be elected as the RP for the whole multicast
domain.
 R17 must announce its candidacy to advertise the group-to-RP mapping set
to the router link local address.
 For interoperability reasons, the selection of R17 as the RP must adhere to
open standard and must use the default priority value as per the standard.
 The source SW3 uses the group address 239.1.1.1 to send traffic to
interested receivers.
 Receivers are located in the branch network and they are connected to the
datacenter via DMVPN.
 Ensure that the following test is successful:
SW3#ping 239.1.1.1 source vlan
SW3#ping 239.1.1.1 source vlan 173
Packet sent with a source address of 10.2.0.37

Solution:
R17
ip multicast-routing
int e0/1
ip pim sparse-mode
int l0
ip pim sparse-mode
int tunnel 0
ip pim sparse-mode
!
ip pim bsr-candidate loopback0
ip pim rp-candidate loopback 0
63
CCIE4Career.com
R19/20/21
ip multicast-routing
int tunnel 0
ip pim sparse-mode
int e0/1
ip pim sparse-mode
ip igmp join-group 239.1.1.1
Verification:
R17#show ip mroute
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C -
Connected,
L - Local, P - Pruned, R - RP-bit set, F - Register flag,
T - SPT-bit set, J - Join SPT, M - MSDP created entry, E -
Extranet,
X - Proxy Join Timer Running, A - Candidate for MSDP
Advertisement,
U - URD, I - Received Source Specific Host Report,
Z - Multicast Tunnel, z - MDT-data group sender,
Y - Joined MDT-data group, y - Sending to MDT-data group,
G - Received BGP C-Mroute, g - Sent BGP C-Mroute,
N - Received BGP Shared-Tree Prune, n - BGP C-Mroute
suppressed,
Q - Received BGP S-A Route, q - Sent BGP S-A Route,
V - RD & Vector, v - Vector, p - PIM Joins on route
Outgoing interface flags: H - Hardware switched, A - Assert winner, p
- PIM Join
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode
(*, 239.1.1.1), 00:00:50/stopped, RP 10.255.1.17, flags: S

Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
Tunnel0, Forward/Sparse, 00:00:50/00:02:39
(10.2.0.37, 239.1.1.1), 00:00:40/00:02:19, flags: T

Incoming interface: Ethernet0/1, RPF nbr 0.0.0.0
Tunnel0, Forward/Sparse, 00:00:40/00:02:49
(*, 224.0.1.40), 00:01:45/00:02:09, RP 0.0.0.0, flags: DCL

Incoming interface: Null, RPF nbr 0.0.0.0
Ethernet0/1, Forward/Sparse, 00:01:45/00:02:09
SW3#ping 239.1.1.1 source vlan

64
CCIE4Career.com


65
CCIE4Career.com
3. SECTION 3 VPN Technology

3.1 Jameson’s Branch Offices
Question:
Refer to “Diagram 2: Initial Topology”. Configure DMVPN Phase 3 in Jameson’s

branch network as per the following requirements:
Use the preconfigured interface Tunnel0 on all four routers in order to accomplish
this task.
 R17 must be configured as the hub router.

 R19, R20 and R21 must be the spoke routers and must participate in the
NHRP information exchange.
 Ensure that spoke-to-spoke traffic does not transit via the hub.
 Protect the tunneled traffic by attaching the preconfigured IPsec profile to the
tunnel interface on all tunnel end-points.
 Ensure that all spoke establish an OSPF adjacency through the tunnel with
the hub R17, without attempting to elect any Designated Router.
 Ensure that the following test are successful:
R19#traceroute 10.16.2.1 source e0/1 numeric
1 10.100.0.20 5 msec * 5 msec

1 10.100.0.21 5 msec * 6 msec
Solution:
R17
int tunnel 0
ip nhrp map multicast dynamic
ip nhrp redirect
tunnel source e0/0
R19/20/21
int tunnel 0
ip nhrp map multicast 192.0.2.2
ip nhrp map 10.100.0.1 192.0.2.2
66
CCIE4Career.com
ip nhrp nhs 10.100.0.1

ip nhrp shortcut
tunnel source dialer1
R17/18/19/20
int tunnel 0
tunnel protection ipsec profile DMVPNPROFILE
Verification:
R17#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details

Type:Hub, NHRP Peers:3,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 192.0.2.6 10.100.0.19 UP 02:17:23 D
1 192.0.2.10 10.100.0.20 UP 02:17:23 D
1 192.0.2.14 10.100.0.21 UP 02:17:23 D

1 10.100.0.20 5 msec * 5 msec

1 10.100.0.21 5 msec * 6 msec
67
CCIE4Career.com
3.2 Jameson’s Pre-merge VPN

Question:
Refer to the “Overall Scenario” and “Diagram 4: Pre-merge Topology”. Jameson’s

decided to enable MPLS VPN in their network. They started configuring it but it is
your responsibility to complete it and verify that it is fully functional.
Configure Jameson’s network as per the following requirements:
 Enable LDP in the core network as indicated in “Diagram 4: Pre-merge

Topology”
 Ensure that all LDP routers use their interface Loopback0 as their LDP router-
id.
 R1 must reflect VPNv4 prefixes to all PE’s.
 The datacenter and main office network must be connected to the VPN
“GREEN” via eBGP.
 The headquarter network must be connected to the VPN “RED” via eBGP.
 All six PE’s must use a consistent format “ASN.nn” for the VPN route-
distinguisher, where:
o ASN is the Autonomous System Number of the connected CE
o nn is any relevant number for the VPN site.
 Ensure that R101 in the datacenter’s VLAN 100 can successfully ping SW2 in
the main office as shown below:
1 10.2.100.253 1 msec 1 msec 1 msec
2 10.2.0.5 1 msec 1 msec 1 msec
3 10.254.0.73 2 msec 1 msec 1 msec
6 10.254.0.54 2 msec 3 msec 2 msec
7 10.1.254.254 3 msec * 4 msec
1 10.2.100.253 1 msec 1 msec 0 msec
2 10.2.0.5 1 msec 1 msec 2 msec
3 10.254.0.73 1 msec 1 msec 2 msec
6 10.254.0.42 2 msec 2 msec 1 msec
7 10.3.254.254 2 msec * 5 msec
68
CCIE4Career.com
Solution:
R1/R2
ip cef
mpls ip
mpls label protocol ldp
mpls ldp router-id loopback 0
!
int range e0/0-3
mpls ip
int e1/0
mpls ip
R3/R4
ip cef
mpls ip
int range e0/0, e0/2
mpls ip
R5/R6
ip cef
mpls ip
int rang e0/0-1
mpls ip
R7/R8
ip cef
mpls ip
int e0/3
mpls ip
R9/R10 (as P router)

ip cef
mpls ip
int range e0/0-1
mpls ip
69
CCIE4Career.com
R1
router bgp 65001
address-family vpnv4
nei IBGP route-reflector-client
nei 10.255.1.3 activate
R3,R4,R5,R6,R7,R8 //R2 as P router don't config VPNV4

router bgp 65001
nei 10.255.1.1 act
R3 //bring RT to VRF to import and export Routes

ip vrf GREEN
rd 65002:15
route-target export 65002:1516
route-target import 65002:1112
Explain:
show ip bgp vpnv4 all

interesting, if don't have Route-target then Router will Send all Routes. but don't
have receive in other PE vrf table. R3 update to R1, R1 advertise to R5, but R5
don't insert to VRF routign table. check again the send-community both, R1 receive
and understanding RD but don't config RD, RT -->show ip bgp vpnv4 all
R4
ip vrf GREEN
rd 65002:16
70
CCIE4Career.com
R5
ip vrf GREEN
rd 65002:13
R6
ip vrf GREEN
rd 65002:14
R7
ip vrf RED
rd 65002:11
R8
ip vrf RED
rd 65002:12
Verification:
1 10.2.100.253 1 msec 1 msec 1 msec
2 10.2.0.5 1 msec 1 msec 1 msec
3 10.254.0.73 2 msec 1 msec 1 msec
6 10.254.0.54 2 msec 3 msec 2 msec
7 10.1.254.254 3 msec * 4 msec
1 10.2.100.253 1 msec 1 msec 0 msec
2 10.2.0.5 1 msec 1 msec 2 msec
3 10.254.0.73 1 msec 1 msec 2 msec
71
CCIE4Career.com

6 10.254.0.42 2 msec 2 msec 1 msec
7 10.3.254.254 2 msec * 5 msec
72
CCIE4Career.com
3.3 Merge Phase 2: VPN

Question:
Refer to the “Overall Scenario” and “Diagram 6: Merge Phase 2”. Jameson’s and
Jacob’s are entering in the second phase of the merge and have deployed two new
border routers in their respective core network. Configure the network as per the
 The BGP AS number of Jacob’s original core network must be converted to

use Jameson’s AS number 65001, as indicated in “Diagram 6: Merge Phase
2”.
 All BGP sessions between Jacob’s core and remote sites (including
headquarters and office networks) must be recovered using the new AS
number.
 Do not modify the BGP configuration of Jacob’s CEs (R55, R56, R58) in order
to accomplish this requirement.
 Enable LDP in the merged core network as indicated in “Diagram 6: Merge
Phase2”, including the four new border router (R9, R10, R53, R54) and
Jacob’s core network.
 Ensure that all LDP routers use their interface Loopback0 as their LDP router-
id.
 R1 must reflect VPNv4 prefixes to all PE’s, including to Jacob’s PE.
 Jacob’s headquarters network must be added to the VPN GREEN.
 Jacob’s office network must be added to the VPN BLUE.
 All nine PE’s must use a consistent format “ASN.nn” for the VPN route
distinguisher, where:
o ASN is the Autonomous System Number of the connected CE
o nn is any relevant number
Solution:
R50/51/52 //as PE role

ip cef
mpls ip
mpls ldp router-id l0
int e0/0
mpls ip
R53/54 //as P role

ip cef
mpls ip
interface range e0/0-1
mpls ip
73
CCIE4Career.com
R50/51/52
router bgp 65006
no bgp default ipv4-unicast
nei 10.255.1.1 remote-as 65001
nei 10.255.1.1 local-as 65001
nei 10.255.1.1 act
R1 //RR connect back

router bgp 65001
no bgp default ipv4-unicast
nei 172.30.1.50 act
nei 172.30.1.51 act
nei 172.30.1.52 act
R50
ip vrf GREEN
rd 65005:55
R51
ip vrf GREEN
rd 65005:56
R52
ip vrf BLUE
rd 65007:58
74
CCIE4Career.com
Verification:
R1#show bgp vpnv4 uni all summary
70 network entries using 10640 bytes of memory
70 path entries using 5600 bytes of memory
32/32 BGP path/bestpath attribute entries using 4864 bytes of memory
3 BGP AS-PATH entries using 72 bytes of memory
5 BGP extended community entries using 120 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 21296 total bytes of memory
BGP activity 83/13 prefixes, 83/13 paths, scan interval 60 secs

State/PfxRcd
10.255.1.3 4 65001 201 345 235 0 0 02:15:34 20
10.255.1.4 4 65001 201 344 235 0 0 02:15:30 20
10.255.1.5 4 65001 167 344 235 0 0 02:15:28 4
10.255.1.6 4 65001 167 342 235 0 0 02:15:24 4
10.255.1.7 4 65001 167 344 235 0 0 02:15:18 4
10.255.1.8 4 65001 166 345 235 0 0 02:15:16 4
172.30.1.50 4 65001 157 306 235 0 0 02:03:42 6
172.30.1.51 4 65001 163 497 235 0 0 02:03:40 6
172.30.1.52 4 65001 147 307 235 0 0 02:03:40 2
R1#show bgp vpnv4 uni all


*>i 10.1.0.0/16 10.255.1.7 0 100 0 65002 i
*>i 10.255.1.11/32 10.255.1.7 0 100 0 65002 ?
*>i 10.255.1.12/32 10.255.1.7 11 100 0 65002 ?
*>i 10.255.1.101/32 10.255.1.7 11 100 0 65002 ?
*>i 10.1.0.0/16 10.255.1.8 0 100 0 65002 i
*>i 10.255.1.11/32 10.255.1.8 11 100 0 65002 ?
*>i 10.255.1.12/32 10.255.1.8 0 100 0 65002 ?
*>i 10.255.1.101/32 10.255.1.8 11 100 0 65002 ?
*>i 10.3.0.0/16 10.255.1.5 0 100 0 65002 i
*>i 10.255.1.13/32 10.255.1.5 0 100 0 65002 ?
*>i 10.255.1.14/32 10.255.1.5 11 100 0 65002 ?
*>i 10.255.1.102/32 10.255.1.5 11 100 0 65002 ?
*>i 10.3.0.0/16 10.255.1.6 0 100 0 65002 i
*>i 10.255.1.13/32 10.255.1.6 11 100 0 65002 ?
*>i 10.255.1.14/32 10.255.1.6 0 100 0 65002 ?
*>i 10.255.1.102/32 10.255.1.6 11 100 0 65002 ?
*>i 0.0.0.0 10.255.1.3 1 100 0 65002 ?
*>i 10.0.0.0 10.255.1.3 1 100 0 65002 ?
*>i 10.2.0.0/16 10.255.1.3 0 100 0 65002 i
*>i 10.16.1.0/24 10.255.1.3 1021 100 0 65002 ?
*>i 10.16.2.0/24 10.255.1.3 1021 100 0 65002 ?
75
CCIE4Career.com
*>i 10.16.3.0/24 10.255.1.3 1021 100 0 65002 ?

*>i 10.100.0.1/32 10.255.1.3 11 100 0 65002 ?
*>i 10.100.0.19/32 10.255.1.3 1011 100 0 65002 ?
*>i 10.100.0.20/32 10.255.1.3 1011 100 0 65002 ?
*>i 10.100.0.21/32 10.255.1.3 1011 100 0 65002 ?
*>i 10.255.1.15/32 10.255.1.3 0 100 0 65002 ?
*>i 10.255.1.16/32 10.255.1.3 11 100 0 65002 ?
*>i 10.255.1.17/32 10.255.1.3 12 100 0 65002 ?
*>i 10.255.1.18/32 10.255.1.3 13 100 0 65002 ?
*>i 10.255.1.19/32 10.255.1.3 1012 100 0 65002 ?
*>i 10.255.1.20/32 10.255.1.3 1012 100 0 65002 ?
*>i 10.255.1.21/32 10.255.1.3 1012 100 0 65002 ?
*>i 10.255.1.103/32 10.255.1.3 11 100 0 65002 ?
*>i 10.255.1.104/32 10.255.1.3 12 100 0 65002 ?
*>i 172.18.1.0/24 10.255.1.3 1 100 0 65002 ?
*>i 0.0.0.0 10.255.1.4 1 100 0 65002 ?
*>i 10.0.0.0 10.255.1.4 1 100 0 65002 ?
*>i 10.2.0.0/16 10.255.1.4 0 100 0 65002 i
*>i 10.16.1.0/24 10.255.1.4 1022 100 0 65002 ?
*>i 10.16.2.0/24 10.255.1.4 1022 100 0 65002 ?
*>i 10.16.3.0/24 10.255.1.4 1022 100 0 65002 ?
*>i 10.100.0.1/32 10.255.1.4 12 100 0 65002 ?
*>i 10.100.0.19/32 10.255.1.4 1012 100 0 65002 ?
*>i 10.100.0.20/32 10.255.1.4 1012 100 0 65002 ?
*>i 10.100.0.21/32 10.255.1.4 1012 100 0 65002 ?
*>i 10.255.1.15/32 10.255.1.4 11 100 0 65002 ?
*>i 10.255.1.16/32 10.255.1.4 0 100 0 65002 ?
*>i 10.255.1.17/32 10.255.1.4 13 100 0 65002 ?
*>i 10.255.1.18/32 10.255.1.4 12 100 0 65002 ?
*>i 10.255.1.19/32 10.255.1.4 1013 100 0 65002 ?
*>i 10.255.1.20/32 10.255.1.4 1013 100 0 65002 ?
*>i 10.255.1.21/32 10.255.1.4 1013 100 0 65002 ?
*>i 10.255.1.103/32 10.255.1.4 12 100 0 65002 ?
*>i 10.255.1.104/32 10.255.1.4 11 100 0 65002 ?
*>i 172.18.1.0/24 10.255.1.4 1 100 0 65002 ?
*>i 172.0.0.0/8 172.30.1.50 332800 100 0 65005 ?
*>i 172.18.0.0 172.30.1.50 0 100 0 65005 i
*>i 172.30.1.55/32 172.30.1.50 0 100 0 65005 ?
*>i 172.30.1.56/32 172.30.1.50 409600 100 0 65005 ?
*>i 172.30.1.57/32 172.30.1.50 435200 100 0 65005 ?
*>i 172.30.1.107/32 172.30.1.50 409600 100 0 65005 ?
*>i 172.0.0.0/8 172.30.1.51 332800 200 0 65005 ?
*>i 172.18.0.0 172.30.1.51 0 200 0 65005 i
*>i 172.30.1.55/32 172.30.1.51 409600 200 0 65005 ?
*>i 172.30.1.56/32 172.30.1.51 0 200 0 65005 ?
*>i 172.30.1.57/32 172.30.1.51 435200 200 0 65005 ?
*>i 172.30.1.107/32 172.30.1.51 409600 200 0 65005 ?
*>i 172.17.0.0 172.30.1.52 0 100 0 65007 i
*>i 172.30.1.58/32 172.30.1.52 0 100 0 65007 ?
R1#
***Big note that: If don’t define RT or wrong RT then PE don’t receive VPNV4 route
from PE. Good.
76
CCIE4Career.com
3.4 Inter-VPN Routing

Question:
Refer to the “Overall Scenario” and “Diagram 6: Merge Phase 2”. Configure the
network as per the following requirements:
 Jameson’s headquarters (VPN RED), main office (VPN GREEN) and Jacob’
office (VPN BLUE) must receive datacenter prefixes (VPN GREEN).
 Jameson’s main office (VPN GREEN) may not receive headquarters (VPN
RED) prefixes nor Jacob’s headquarters (VPN GREEN) prefixes.
 In order to simplify future changes, your solution may not be limited to
specific prefixes.
Solution:
R7/R8
ip vrf RED
R50/51
ip vrf GREEN
R52
ip vrf BLUE
Verification:
R11#show bgp ipv4 uni

* i 0.0.0.0 10.255.1.12 0 100 0 65001 65001 ?
*> 10.254.0.53 0 65001 65001 ?
* i 10.0.0.0 10.255.1.12 0 100 0 65001 65001 ?
*> 10.254.0.53 0 65001 65001 ?
*> 10.1.0.0/16 0.0.0.0 32768 i
* i 10.255.1.12 0 100 0 i
s> 10.1.1.0/24 10.1.254.254 11 32768 ?
s> 10.1.254.0/24 0.0.0.0 0 32768 ?
* i 10.2.0.0/16 10.255.1.12 0 100 0 65001 65001 i
*> 10.254.0.53 0 65001 65001 i
* i 10.16.1.0/24 10.255.1.12 0 100 0 65001 65001 ?
*> 10.254.0.53 0 65001 65001 ?
77
CCIE4Career.com
* i 10.16.2.0/24 10.255.1.12 0 100 0 65001 65001 ?

*> 10.254.0.53 0 65001 65001 ?
* i 10.16.3.0/24 10.255.1.12 0 100 0 65001 65001 ?
*> 10.254.0.53 0 65001 65001 ?
* i 10.100.0.1/32 10.255.1.12 0 100 0 65001 65001 ?
*> 10.254.0.53 0 65001 65001 ?
* i 10.100.0.19/32 10.255.1.12 0 100 0 65001 65001 ?
*> 10.254.0.53 0 65001 65001 ?
* i 10.100.0.20/32 10.255.1.12 0 100 0 65001 65001 ?
*> 10.254.0.53 0 65001 65001 ?
* i 10.100.0.21/32 10.255.1.12 0 100 0 65001 65001 ?
*> 10.254.0.53 0 65001 65001 ?
*> 10.255.1.11/32 0.0.0.0 0 32768 ?
* i 10.255.1.12 11 100 0 ?
*> 10.255.1.12/32 10.1.254.2 11 32768 ?
* i 10.255.1.12 0 100 0 ?
* i 10.255.1.15/32 10.255.1.12 0 100 0 65001 65001 ?
*> 10.254.0.53 0 65001 65001 ?
* i 10.255.1.16/32 10.255.1.12 0 100 0 65001 65001 ?
*> 10.254.0.53 0 65001 65001 ?
* i 10.255.1.17/32 10.255.1.12 0 100 0 65001 65001 ?
*> 10.254.0.53 0 65001 65001 ?
* i 10.255.1.18/32 10.255.1.12 0 100 0 65001 65001 ?
*> 10.254.0.53 0 65001 65001 ?
* i 10.255.1.19/32 10.255.1.12 0 100 0 65001 65001 ?
*> 10.254.0.53 0 65001 65001 ?
* i 10.255.1.20/32 10.255.1.12 0 100 0 65001 65001 ?
*> 10.254.0.53 0 65001 65001 ?
* i 10.255.1.21/32 10.255.1.12 0 100 0 65001 65001 ?
*> 10.254.0.53 0 65001 65001 ?
*> 10.255.1.101/32 10.1.254.254 11 32768 ?
* i 10.255.1.12 11 100 0 ?
* i 10.255.1.103/32 10.255.1.12 0 100 0 65001 65001 ?
*> 10.254.0.53 0 65001 65001 ?
* i 10.255.1.104/32 10.255.1.12 0 100 0 65001 65001 ?
*> 10.254.0.53 0 65001 65001 ?
* i 172.18.1.0/24 10.255.1.12 0 100 0 65001 65001 ?
*> 10.254.0.53 0 65001 65001 ?
R11#show ip route bgp

B* 0.0.0.0/0 [20/0] via 10.254.0.53, 02:10:08

B 10.0.0.0/8 [20/0] via 10.254.0.53, 02:10:08
B 10.1.0.0/16 [200/0] via 0.0.0.0, 03:13:02, Null0
B 10.2.0.0/16 [20/0] via 10.254.0.53, 02:10:08
B 10.16.1.0/24 [20/0] via 10.254.0.53, 02:10:08
B 10.16.2.0/24 [20/0] via 10.254.0.53, 02:10:08
B 10.16.3.0/24 [20/0] via 10.254.0.53, 02:10:08
78
CCIE4Career.com
B 10.100.0.1/32 [20/0] via 10.254.0.53, 02:10:08

B 10.100.0.19/32 [20/0] via 10.254.0.53, 02:10:08
B 10.100.0.20/32 [20/0] via 10.254.0.53, 02:10:08
B 10.100.0.21/32 [20/0] via 10.254.0.53, 02:10:08
B 10.255.1.15/32 [20/0] via 10.254.0.53, 02:10:08
B 10.255.1.16/32 [20/0] via 10.254.0.53, 02:10:08
B 10.255.1.17/32 [20/0] via 10.254.0.53, 02:10:08
B 10.255.1.18/32 [20/0] via 10.254.0.53, 02:10:08
B 10.255.1.19/32 [20/0] via 10.254.0.53, 02:10:08
B 10.255.1.20/32 [20/0] via 10.254.0.53, 02:10:08
B 10.255.1.21/32 [20/0] via 10.254.0.53, 02:10:08
B 10.255.1.103/32 [20/0] via 10.254.0.53, 02:10:08
B 10.255.1.104/32 [20/0] via 10.254.0.53, 02:10:08
B 172.18.1.0 [20/0] via 10.254.0.53, 01:24:39
R13#show bgp ipv4 uni


* i 0.0.0.0 10.255.1.14 0 100 0 65001 65001 ?
*> 10.254.0.41 0 65001 65001 ?
* i 10.0.0.0 10.255.1.14 0 100 0 65001 65001 ?
*> 10.254.0.41 0 65001 65001 ?
* i 10.2.0.0/16 10.255.1.14 0 100 0 65001 65001 i
*> 10.254.0.41 0 65001 65001 i
*> 10.3.0.0/16 0.0.0.0 32768 i
* i 10.255.1.14 0 100 0 i
s> 10.3.1.0/24 10.3.254.254 11 32768 ?
s> 10.3.254.0/24 0.0.0.0 0 32768 ?
* i 10.16.1.0/24 10.255.1.14 0 100 0 65001 65001 ?
*> 10.254.0.41 0 65001 65001 ?
* i 10.16.2.0/24 10.255.1.14 0 100 0 65001 65001 ?
*> 10.254.0.41 0 65001 65001 ?
* i 10.16.3.0/24 10.255.1.14 0 100 0 65001 65001 ?
*> 10.254.0.41 0 65001 65001 ?
* i 10.100.0.1/32 10.255.1.14 0 100 0 65001 65001 ?
*> 10.254.0.41 0 65001 65001 ?
* i 10.100.0.19/32 10.255.1.14 0 100 0 65001 65001 ?
*> 10.254.0.41 0 65001 65001 ?
* i 10.100.0.20/32 10.255.1.14 0 100 0 65001 65001 ?
*> 10.254.0.41 0 65001 65001 ?
* i 10.100.0.21/32 10.255.1.14 0 100 0 65001 65001 ?
*> 10.254.0.41 0 65001 65001 ?
* i 10.255.1.13/32 10.255.1.14 11 100 0 ?
*> 0.0.0.0 0 32768 ?
* i 10.255.1.14/32 10.255.1.14 0 100 0 ?
*> 10.3.254.2 11 32768 ?
* i 10.255.1.15/32 10.255.1.14 0 100 0 65001 65001 ?
*> 10.254.0.41 0 65001 65001 ?
* i 10.255.1.16/32 10.255.1.14 0 100 0 65001 65001 ?
*> 10.254.0.41 0 65001 65001 ?
* i 10.255.1.17/32 10.255.1.14 0 100 0 65001 65001 ?
*> 10.254.0.41 0 65001 65001 ?
* i 10.255.1.18/32 10.255.1.14 0 100 0 65001 65001 ?
*> 10.254.0.41 0 65001 65001 ?
* i 10.255.1.19/32 10.255.1.14 0 100 0 65001 65001 ?
79
CCIE4Career.com
*> 10.254.0.41 0 65001 65001 ?

* i 10.255.1.20/32 10.255.1.14 0 100 0 65001 65001 ?
*> 10.254.0.41 0 65001 65001 ?
* i 10.255.1.21/32 10.255.1.14 0 100 0 65001 65001 ?
*> 10.254.0.41 0 65001 65001 ?
* i 10.255.1.102/32 10.255.1.14 11 100 0 ?
*> 10.3.254.254 11 32768 ?
* i 10.255.1.103/32 10.255.1.14 0 100 0 65001 65001 ?
*> 10.254.0.41 0 65001 65001 ?
* i 10.255.1.104/32 10.255.1.14 0 100 0 65001 65001 ?
*> 10.254.0.41 0 65001 65001 ?
* i 172.18.1.0/24 10.255.1.14 0 100 0 65001 65001 ?
*> 10.254.0.41 0 65001 65001 ?
R13#show ip route bgp
B* 0.0.0.0/0 [20/0] via 10.254.0.41, 02:11:32

B 10.0.0.0/8 [20/0] via 10.254.0.41, 02:11:32
B 10.2.0.0/16 [20/0] via 10.254.0.41, 02:11:32
B 10.3.0.0/16 [200/0] via 0.0.0.0, 03:12:54, Null0
B 10.16.1.0/24 [20/0] via 10.254.0.41, 02:11:32
B 10.16.2.0/24 [20/0] via 10.254.0.41, 02:11:32
B 10.16.3.0/24 [20/0] via 10.254.0.41, 02:11:32
B 10.100.0.1/32 [20/0] via 10.254.0.41, 02:11:32
B 10.100.0.19/32 [20/0] via 10.254.0.41, 02:11:32
B 10.100.0.20/32 [20/0] via 10.254.0.41, 02:11:32
B 10.100.0.21/32 [20/0] via 10.254.0.41, 02:11:32
B 10.255.1.15/32 [20/0] via 10.254.0.41, 02:11:32
B 10.255.1.16/32 [20/0] via 10.254.0.41, 02:11:32
B 10.255.1.17/32 [20/0] via 10.254.0.41, 02:11:32
B 10.255.1.18/32 [20/0] via 10.254.0.41, 02:11:32
B 10.255.1.19/32 [20/0] via 10.254.0.41, 02:11:32
B 10.255.1.20/32 [20/0] via 10.254.0.41, 02:11:32
B 10.255.1.21/32 [20/0] via 10.254.0.41, 02:11:32
B 10.255.1.103/32 [20/0] via 10.254.0.41, 02:11:32
B 10.255.1.104/32 [20/0] via 10.254.0.41, 02:11:32
B 172.18.1.0 [20/0] via 10.254.0.41, 01:25:34
80
CCIE4Career.com
4. SECTION 4 Infrastructure Security

4.1 Section 4.1 Device Security
Question:
Refer to “Diagram 1: Initial Topology”.
 Protect R17’s control-plane from TTL expiry attacks so that match IP packets
with a TTL of 0 or 1 are dropped before the CPU processes them.
 Legit packets include expected control protocols running on the link.
Solution:
R17
ip access-list extended TTL
deny ospf any any
deny tcp any any eq bgp
deny tcp any eq bgp any
deny pim any any
deny esp any any
deny gre any any
deny udp any any eq 500
deny udp any any eq 4500
permit ip any any ttl eq 0
permit ip any any ttl eq 1
class-map match-all TTL
match access-group name TTL
policy-map TTL
class TTL
drop
!
Control-plane
service-policy input TTL
81
CCIE4Career.com
Verification:
17#show ip access-lists TTL
Extended IP access list TTL
10 deny ospf any any (1762 matches)
20 deny tcp any any eq bgp (275 matches)
30 deny tcp any eq bgp any
40 deny pim any any (683 matches)
50 deny esp any any
60 deny gre any any (17 matches)
70 deny udp any any eq isakmp (15 matches)
80 deny udp any any eq non500-isakmp
90 permit ip any any ttl eq 0
100 permit ip any any ttl eq 1 (217 matches)
R17#show policy-map control-plane

Control Plane
Service-policy input: TTL
Class-map: TTL (match-all)

217 packets, 6920 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: access-group name TTL
drop
Class-map: class-default (match-any)

3773 packets, 365532 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: any
4.2 Network Security

Question:

Topology”.
 SW5 and SW6 must filter DHCP message received by untrusted hosts by
comparing the source MAC address and the DHCP client hardware address. If
the address match, the switches must forward the packet. If the addresses
do not match, the switches must drop the packet.
 Ensure that these access switches do not filter DHCP packets on their
uplinks.
 Ensure that the DHCP relay switches (refer to item 5.1) allow DHCP message
received on their interface VLAN 100 with the added Option 82 and
uninitialized GIADDR field to be accepted.
82
CCIE4Career.com
Solution:
SW5
ip dhcp snooping
ip dhcp snooping vlan 100
ip dhcp snooping information option
interface port-channel 35
ip dhcp snooping trust
sw6
ip dhcp snooping
ip dhcp snooping vlan 100
ip dhcp snooping information option
interface port-channel 46
ip dhcp snooping trust
Verification:
SW6#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
100
DHCP snooping is operational on following VLANs:
100
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled

circuit-id default format: vlan-mod-port
remote-id: aabb.cc00.9000 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface Trusted Allow option Rate limit (pps)

----------------------- ------- ------------ ----------------
Ethernet1/0 yes yes unlimited
Custom circuit-ids:
Custom circuit-ids:
Custom circuit-ids:
Interface Trusted Allow option Rate limit (pps)
----------------------- ------- ------------ ----------------
Port-channel46 yes yes unlimited
Custom circuit-ids:
83
CCIE4Career.com
5. SECTION 5 Infrastructure Services

5.1 Section 5.1 Centralized DHCP
Question:

Topology”. Jameson’s R15 must centralize DHCP service for the datacenter’s hosts
VLANs. Configure the network as per the following requirements:
 Ensure that the distribution switches SW3 and SW4 forward DHCP discover
broadcast message received from VLAN 100’s hosts to interface Loopback0 of
R15 as unicast messages.
 R15 must assign hosts in VLAN 100 a valid IP address from the prefix
10.2.100.0/24.
 Ensure that addresses that were statically configured will never be assigned
to any host.
 The DHCP offer must include the IP address 10.2.100.1/24 as the default
gateway for VLAN 100 users.
 Ensure that the server R101 effectively receives an IP address from the
expected prefix 10.2.1.0/24 as well as its default gateway information.
Solution:
R15
ip dhcp pool R101
host 10.2.100.2 255.255.255.0
client-identifier 01aa.bbcc.00a0.00
default-router 10.2.100.1
!
ip dhcp pool VLAN 100
network 10.2.100.0 255.255.255.0
default-router 10.2.100.1
ip dhcp excluded-address 10.2.100.1
SW3/SW4
interface vlan 100
ip helper-address 10.255.1.15
ip dhcp relay information trusted
84
CCIE4Career.com
Verification:
R101#show ip int br
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 10.2.100.2 YES DHCP up up
Ethernet0/1 unassigned YES NVRAM administratively down down
R15#show ip dhcp binding

Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
10.2.100.2 01aa.bbcc.00a0.00 Infinite Manual
85
CCIE4Career.com
5.2 Section 5.2 Internet Gateway

Question:
Refer to “Diagram 1: Initial Topology”. Configure the network as per the following
requirements:
 R17 is Jameson’s Internet gateway router.

 Ensure that R17 enables all internal hosts (that is: hosts with source IP
address in the range of 10.0.0.0/8 or 172.0.0.0/8) to simultaneously connect
to the Internet using the public IP address of interface Eth0/0.
 The following tests must be successful:
R101#ping 8.8.8.8
!!!!!
SW1#ping 8.8.8.8
!!!!!
SW2#ping 8.8.8.8
!!!!!
SW10#ping 8.8.8.8
!!!!!
SW11#ping 8.8.8.8
!!!!!
R19#ping 8.8.8.8
!!!!!
86
CCIE4Career.com
Solution:
R17
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 permit 172.0.0.0 0.255.255.255
!
ip nat inside source list 1 interface e0/0 overload
interface e0/0
ip nat outside
interface e0/1
ip nat inside
interface t0
ip nat inside
R58
router eigrp 10
summary-metric 0.0.0.0/0 distance 80
Verification:
R58#show ip route
ia - IS-IS inter area, * - candidate default, U - per-user static
route
D* 0.0.0.0/0 is a summary, 00:02:01, Null0

B 10.0.0.0/8 [20/0] via 172.17.253.22, 00:02:07
B 10.2.0.0/16 [20/0] via 172.17.253.22, 00:02:07
B 10.16.1.0/24 [20/0] via 172.17.253.22, 00:02:07
B 10.16.2.0/24 [20/0] via 172.17.253.22, 00:02:07
B 10.16.3.0/24 [20/0] via 172.17.253.22, 00:02:07
B 10.100.0.1/32 [20/0] via 172.17.253.22, 00:02:07
B 10.100.0.19/32 [20/0] via 172.17.253.22, 00:02:07
B 10.100.0.20/32 [20/0] via 172.17.253.22, 00:02:07
B 10.100.0.21/32 [20/0] via 172.17.253.22, 00:02:07
B 10.255.1.15/32 [20/0] via 172.17.253.22, 00:02:07
B 10.255.1.16/32 [20/0] via 172.17.253.22, 00:02:07
B 10.255.1.17/32 [20/0] via 172.17.253.22, 00:02:07
B 10.255.1.18/32 [20/0] via 172.17.253.22, 00:02:07
B 10.255.1.19/32 [20/0] via 172.17.253.22, 00:02:07
B 10.255.1.20/32 [20/0] via 172.17.253.22, 00:02:07
87
CCIE4Career.com
B 10.255.1.21/32 [20/0] via 172.17.253.22, 00:02:07

B 10.255.1.103/32 [20/0] via 172.17.253.22, 00:02:07
B 10.255.1.104/32 [20/0] via 172.17.253.22, 00:02:07
B 172.17.0.0/16 [200/0] via 0.0.0.0, 00:02:07, Null0
D 172.17.1.0/24 [90/281856] via 172.17.254.254, 00:02:07, Ethernet0/0
B 172.18.1.0 [20/0] via 172.17.253.22, 00:02:07
C 172.30.1.58 is directly connected, Loopback0
D 172.30.1.108 [90/409600] via 172.17.254.254, 00:02:07, Ethernet0/0
88
CCIE4Career.com
5.3 Section 5.3 First hop redundancy

Question:

Topology”. Jameson’s datacenter’s SW3 and SW4 must offer first hop redundancy
to VLAN 100’s host using HSRP. Configure the network as per the following
requirements:
 SW3 and SW4 must use the multicast address 224.0.0.102 in order to
negotiate the active and standby roles.
 SW3 must be elected as the active router and SW4 must be elected as the
standby router.
 In case SW3 is down, SW4 must take over the active role. If SW3 comes
back online, it must automatically recover the active role from SW4.
 Ensure that HSRP hello packets are exchanged every 10 second and that the
standby takes over the active role if three consecutive Hello packets were
missed from the active.
 Both routers must share the virtual IP address 10.2.100.1 that will be used
as default gateway for VLAN 100’s hosts.
Solution:
SW3
interface vlan 100
standby 2 ip 10.2.100.1
standby 2 timers 10 30
standby 2 priority 105
standby 2 preempt
SW4
interface vlan 100
standby 2 ip 10.2.100.1
standby timers 10 30
standby 2 preempt
Verification:
SW3#show standby bri
SW3#show standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Vl100 1 105 P Active local FE80::A8BB:CCFF:FE80:8000
FE80:100::1
Vl100 2 105 P Active local 10.2.100.254 10.2.100.1
SW3#show standby
State is Active
89
CCIE4Career.com

Link-Local Virtual IPv6 address is FE80:100::1 (conf)
Preemption enabled
Standby router is FE80::A8BB:CCFF:FE80:8000, priority 100 (expires in 28.896 sec)
State is Active
Virtual IP address is 10.2.100.1
Preemption enabled
Standby router is 10.2.100.254, priority 100 (expires in 28.368 sec)
Track object 1 state Up decrement 10
90
CCIE4Career.com
5.4 Section 5.4 Tracking reachability

Question:

Topology”. Configure the network as per the following requirements:
 SW3 and SW4 must monitor the reachability of their OSPF IPv4 default route
and in case it is not available, the HSRP priority must be decreased by 10
Solution:
sw3/sw4
track 1 ip route 0.0.0.0 0.0.0.0 reachability
interface vlan 100
standby 2 track 1 decrement 10
Verification:
SW3#show track
Track 1
IP route 0.0.0.0 0.0.0.0 reachability
Reachability is Up (OSPF)
2 changes, last change 01:24:55
First-hop interface is Vlan173
Tracked by:
HSRP Vlan100 2
SW4#show track
Track 1
IP route 0.0.0.0 0.0.0.0 reachability
Reachability is Up (OSPF)
2 changes, last change 01:24:59
First-hop interface is Vlan34
Tracked by:
HSRP Vlan100 2
91
CCIE4Career.com
After you finished the LAB, Exam is requested you test as following:
R11#show ip bgp 10.2.0.0/16

BGP routing table entry for 10.2.0.0/16, version 568
Paths: (2 available, best #2, table default)
Advertised to update-groups:
20
Refresh Epoch 1
65001 65001, (aggregated by 65002 10.255.1.16)
10.255.1.12 (metric 11) from 10.255.1.12 (10.255.1.12)
Origin IGP, metric 0, localpref 100, valid, internal, atomic-aggregate
rx pathid: 0, tx pathid: 0
Refresh Epoch 1
65001 65001, (aggregated by 65002 10.255.1.15)
10.254.0.53 from 10.254.0.53 (10.255.1.7)
Origin IGP, localpref 100, valid, external, atomic-aggregate, best
rx pathid: 0, tx pathid: 0x0
R101#ping 8.8.8.8
!!!!!
R19#ping 8.8.8.8
!!!!!
SW3#ping 239.1.1.1 so
SW1#ping 8.8.8.8
!!!!!
SW2#ping 8.8.8.8
!!!!!
92
CCIE4Career.com
SW2#
R101#
R101#ping 172.18.1.254
!!!!!
R101#
R101#traceroute 172.18.1.254
1 10.2.100.253 1 msec 1 msec 1 msec
2 10.2.0.14 1 msec 1 msec 0 msec
3 10.2.0.42 2 msec 2 msec 2 msec
4 10.2.0.46 2 msec 2 msec 2 msec
5 172.18.2.254 2 msec * 3 msec
R101#
R101#traceroute 172.18.2.254
1 10.2.100.253 2 msec 1 msec 1 msec
2 10.2.0.5 1 msec 1 msec 1 msec
3 10.254.0.73 2 msec 3 msec 2 msec
8 172.18.253.6 3 msec 3 msec 3 msec
9 172.18.254.254 3 msec * 4 msec
R101#traceroute 172.18.254.254
1 10.2.100.253 2 msec 2 msec 1 msec
2 10.2.0.5 2 msec 1 msec 2 msec
3 10.254.0.73 1 msec 2 msec 2 msec
8 172.18.253.6 3 msec 2 msec 2 msec
9 172.18.254.254 2 msec * 4 msec
93
CCIE4Career.com
Test backup path
R18
Router bgp 65002
Neighbor 10.2.0.46 shutdown
R101#ping 172.18.1.254
!!!!!
R101#traceroute 172.18.1.254
1 10.2.100.253 1 msec 1 msec 1 msec
2 10.2.0.5 2 msec 1 msec 1 msec
3 10.254.0.73 2 msec 1 msec 1 msec
8 172.18.253.6 3 msec 4 msec 4 msec
9 172.18.254.254 4 msec * 5 msec
Note: remember no shutdown bgp peer after you test backup path.
R18
Router bgp 65002
no neighbor 10.2.0.46 shutdown
================= The End==================
94
CCIE4Career.com

H2 Ccie4career - Com v1.1 PDF

Caricato da

Informazioni sul documento

Titolo originale

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

H2 Ccie4career - Com v1.1 PDF

Caricato da

Copyright:

Formati disponibili

Ccie4career.

com CC Dreamer and Combat

CCIE4CAREER.COM - CCIE RS V5.0 H2 WORKBOOK

Author Combat, CC Dreamer

Physical - VLAN Topology

1. SECTION 1: Layer 2 technologies

Refer to “Table 1: Jameson’s Layer 2 connection and Table 1：Jameson’s VLAN to

 All unused ports must be configured in VLAN 999 and administratively

SW3 /exam had config/

SW4 /exam had config/

SW3/SW4 /exam had config/

VLAN Name Status Ports

SW3#show int description

1.2 Section 1.2: Jameson’s Datacenter: Trunk Ports

Refer to “Diagram 1: Jameson’s Layer 2 Connections” and “Table 1: Jameson’s VLAN

Configure Jameson’s datacenter network (AS 65002) as per the following

 All inter-switch links must be configured to use dot1q encapsulation.

Port Mode Encapsulation Status Native vlan

Port Vlans allowed on trunk

Port Vlans allowed and active in management domain

Port Vlans in spanning tree forwarding state and not pruned

1.3 Section 1.3 Jameson’s Datacenter: Link bundling

Refer to “Diagram 1: Jameson’s Layer 2 Connections” and “Diagram 2: Initial

Configure Jameson’s datacenter network as per the following requirements:

Port Mode Encapsulation Status Native vlan

Port Vlans allowed on trunk

Port Vlans allowed and active in management domain

Port Vlans in spanning tree forwarding state and not pruned

SW3#show int description

VLAN Name Status Ports

VLAN AREHops STEHops Backup CRF

Primary Secondary Type Ports

Bridge ID Priority 1 (priority 0 sys-id-ext 1)

Interface Role Sts Cost Prio.Nbr Type

Bridge ID Priority 34 (priority 0 sys-id-ext 34)

Interface Role Sts Cost Prio.Nbr Type

Bridge ID Priority 100 (priority 0 sys-id-ext 100)

Interface Role Sts Cost Prio.Nbr Type

Bridge ID Priority 101 (priority 0 sys-id-ext 101)

Interface Role Sts Cost Prio.Nbr Type

Bridge ID Priority 153 (priority 0 sys-id-ext 153)

Interface Role Sts Cost Prio.Nbr Type

Bridge ID Priority 156 (priority 0 sys-id-ext 156)

Interface Role Sts Cost Prio.Nbr Type

Spanning tree enabled protocol rstp

Bridge ID Priority 164 (priority 0 sys-id-ext 164)

Interface Role Sts Cost Prio.Nbr Type

Bridge ID Priority 173 (priority 0 sys-id-ext 173)

Interface Role Sts Cost Prio.Nbr Type

Bridge ID Priority 184 (priority 0 sys-id-ext 184)

Interface Role Sts Cost Prio.Nbr Type

Bridge ID Priority 911 (priority 0 sys-id-ext 911)

Interface Role Sts Cost Prio.Nbr Type

Bridge ID Priority 999 (priority 0 sys-id-ext 999)

Interface Role Sts Cost Prio.Nbr Type

Reply to request 0 from 10.2.0.9, 1 ms

Reply to request 1 from 10.2.0.13, 5 ms

1.4 Section 1.4 Jameson’s Branch Offices

Refer to “Diagram 1: Jameson’s Layer 2 Connections”.

ppp chap hostname Jamesons-R20

Why you need the command: ip route 192.0.2.0 255.255.255.0 dialer 1

Tunnel0 10.100.0.19 YES TFTP up down

Gateway of last resort is not set