CCIE Lab 400-101 H1

CCIE R&S v5 Lab v1.
1 (H1)
Web: www.ccielabcenter.com / Mail: care@ccielabcenter.com Page 1

CCIE R&S v5 Lab v1.1 (H1)
Disclaimer : CCCIE RSv5 lab Exam Workbook is designed to provide extensive

practical information to help candidates in the preparation for CISCO Systems CCIE
RSv5 Lab Exam. We do not take liability or responsibility to any person or entity with
respect to loss or damage caused by the information presented in the workbook
Cisco, Cisco Systems,and CCIE (Cisco Certified Internetwork Expert) are registered
trademarks of Cisco Systems, Inc.And of its affiliates in the USA and other countries .
The information presented in the workbook is not necessarily related to Cisco

Systems, Inc. This workbook is not affiliated, endorsed or sponsored by Cisco
Systems, Inc.This workbook provides detailed and comprehensive practical examples
for the preparation of CCIE RSv5 labs but cannot be used as a replacement of other
supplementary books or prescribed materials. Purpose of the workbook is to provide
more practical information about the CCIE RSv5 lab Exam.
This workbook is prepared for the individual candidates who have purchased it with
non-disclosure agreement. Imitation, copying, editing or posting contents of the
workbook over the internet is part of copyright and non-disclosure agreement
violation.


SECTION 1: LAYER 2 TECHNOLOGIES

SECTION 1.1: Switch Administration
QUESTION
Configure the ACME Headquarters network (AS 12345) & New York Office (34567) as per the
following requirements.
1. The VTP domain must be set to CCIE

2. Use VTP version 2
3. SW1 must be the VTP server and SW2 must be the VTP client
4. Secure all VTP updates with an MD5 digest of the ASCII string "CCIErocks$”
5. SW3 & SW4 must not advertise their VLAN configuration but must forward VTP advertisement
that they receive out on their trunk ports.
6. In order to avoid as much as possible unknown unicast flooding in all vlans the administrator
requires that any dynamic entries learned by other SW1 and SW2 must be retained for 2 hours
before being refreshed.
SOLUTION
SW1 ------ Configuration
SW1(config)#vtp version 2
SW1(config)#vtp domain CCIE
SW1(config)#vtp password CCIErock$
SW1(config)#vtp mode server
SW1(config)#mac address-table aging-time 7200
SW2(config)#vtp mode client
SW2(config)#mac address-table aging-time 7200

SW3(config)#vtp mode transparent
SW4(config)#vtp mode transparent

VERIFICATION
On SW1

On SW2

On SW3

On SW4
NOTE :-
1. Mac address-table aging-time is 300 by default on SW3 & SW4
2. 2 hours = 7200 seconds
3. VTP Password “CCIErock$” [you must apply this password without quotes( CCIErock$ )]

SECTION 1.2 – LAYER 2 PORTS – (SWITCH ACCESS PORT)
Configure All Switch Ports as per the following requirements :-
1. Complete the configuration of all vlans so that all routers that are located in ACME's headquarters
(AS12345) and New York office (AS 34567) can ping their directly connected neighbors.
2. All four switches (SW1-SW4) must have four dot1q trunks that do not rely on negotiation
DO NOT configure any ether channel
3. Ensure that the following unused ports on all four switches are shutdown and configured as access
ports in vlan 999
E3/0 - E3/3 are unused on SW1 and SW2

SOLUTION
SW1(config)#vlan 14
SW1(config-vlan)#exit
SW1(config)#vlan 15
SW1(config)#vlan 23
SW1(config)#vlan 24
SW1(config)#vlan 35
SW1(config)#vlan 46
SW1(config)#vlan 57
SW1(config)#vlan 67
SW1(config)#vlan 999
SW1(config)#

SW1(config)#interface range ethernet 2/0 – 3

SW1(config-if-range)#switchport trunk encapsulation dot1q
SW1(config-if-range)#switchport mode trunk
SW1(config-if-range)#switchport nonegotiate
SW1(config-if-range)#exit
SW1(config)#

SW1(config-if-range)#switchport mode access
SW1(config-if-range)#switchport access vlan 999
SW1(config-if-range)#shutdown
SW1(config)#
SW1(config)# interface ethernet 0/0

SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 14
SW1(config-if)#no shutdown
SW1(config-if)#exit
SW1(config)#
SW1(config)#interface ethernet 0/1

SW1(config-if)#exit
SW1(config)#

SW1(config-if)#exit
SW1(config)#

SW1(config-if)#exit
SW1(config)#


SW1(config-if)#exit

SW1(config-if)#exit
SW1(config)#

SW1(config-if)#exit
SW1(config)#

SW1(config-if)#exit
SW1(config)#

SW2(config)#

SW2(config)#


SW2(config-if)#exit
SW2(config)#

SW2(config-if)#exit
SW2(config)#

SW2(config-if)#exit
SW2(config)#

SW2(config-if)#exit
SW2(config)#

SW2(config-if)#exit
SW2(config)#

SW2(config-if)#exit
SW2(config)#


SW2(config-if)#exit
SW2(config)#

SW2(config-if)#exit
SW3(config)#vlan 34
SW3(config)#vlan 38
SW3(config)#vlan 49
SW3(config)#vlan 89
SW3(config)#

SW3(config)#
SW3(config)# interface range ethernet 1/0 - 3 , ethernet 3/0 – 3

SW3(config)#


SW3(config-if)#exit
SW3(config)#

SW3(config-if)#exit
SW3(config)#
SW3(config-if)#exit
SW3(config)#

SW3(config-if)#exit
SW3(config)#

SW4(config)#vlan 34
SW4(config)#vlan 38
SW4(config)#vlan 49
SW4(config)#vlan 89
SW4(config)#exit


SW4(config)#
SW4(config)# interface range ethernet 1/0 - 3 , ethernet 3/0 – 3

SW4(config)#
SW4(config-if)#exit
SW4(config)#

SW4(config-if)#exit
SW4(config)#

SW4(config-if)#exit
SW4(config)#

SW4(config-if)#exit
SW4(config)#

VERIFICATION
On SW1


On SW2


On SW3


On SW4

After completing this section , test all the direct connectivity (Router to Router Ping)

SECTION 1.3 – IMPLEMENT SPANNING TREE – (STP)
Configure the ACME network as per the following requirements.
1. SW1 must be the root switch for all odd vlans and must be the backup for all even vlans
2. SW2 must be the root switch for all even vlans and must be the backup for all odd vlans
3. SW3 must be the root switch for all odd vlans and must be the backup for all even vlans
4. SW4 must be the root switch for all even vlans and must be the backup for all odd vlans
5. Explicitly configure the root and backup roles, assuming that other switches with default configuration
may eventually be added in the network in the future
6. All Switches must maintain one stp instance per vlan
7. Use stp mode that has only 3 possible port states.
8. All access ports must immediately transitioned to the forwarding state upon link up and they must still
participate in STP . Use single command per switch to enable this
9. Access ports must automatically shut down if they receive any BPDU and an administrator must still
manually re-enable the port. Use a single command per switch to enable this feature.
SOLUTION
SW1(config)#spanning-tree mode rapid- pvst

SW1(config)#spanning-tree portfast default
SW1(config)#spanning-tree portfast bpduguard default
SW1(config)#Spanning-tree vlan 1,15,23,35,57,67,999 root primary

SW1(config)#Spanning-tree vlan 14,24,46 root secondary
SW1(config)#errdisable recovery cause bpduguard

SW2(config)#Spanning-tree vlan 14,24,46 root primary

SW2(config)#Spanning-tree vlan 1,15,23,35,57,67,999 root secondary


SW3(config)#Spanning-tree vlan 1,49,89,111,411,999 root primary

SW3(config)#Spanning-tree vlan 34,38,310 root secondary

SW4(config)#Spanning-tree vlan 34,38,310 root primary

SW4(config)#Spanning-tree vlan 1,49,89,111,411,999 root secondary

VERIFICATION
On SW1

On SW2

On SW3

On SW4

SECTION 1.4 – WAN SWITCHING
QUESTION
Configure WAN Connectivity as per the following requirements
1. The WAN links must rely on a layer 2 protocol that supports link negotiation and authentication.
2. The Service provider expects both R18 and R19 to complete three way hand shake by providing the
expected response of a challenge that is sent by R63
3. R18 must use the username ACME-R18 and password CCIE
4. R19 must use the username ACME-R19 and password CCIE
SOLUTION
R18 ------ Configuration
R18(config)#interface serial 1/0

R18(config-if)#encapsulation ppp
R18(config-if)#no peer neighbor-route
R18(config-if)#ppp chap hostname ACME-R18
R18(config-if)#ppp chap password CCIE
R18(config-if)#no shutdown
R18(config-if)#exit
R18(config
R19(config)#interface serial 1/0

R19(config-if)#encapsulation ppp
R19(config-if)#no peer neighbor-route
R19(config-if)#ppp chap hostname ACME-R19
R19(config-if)#ppp chap password CCIE
R19(config-if)#no shutdown
R19(config-if)#exit
R19(config)#

VERIFICATION
On R18
On R19

SECTION 2 – LAYER 3 TECHNOLOGIES

SECTION 2.1 IMPLEMENT OSPFv2 in AS 12345
QUESTION
Configure OSPFv2 area 0 in ACME HQ (AS12345) according to the following requirements
1. Configure the OSPF process id to 12345 and set the router id to interface loopback 0 on all seven routers
2. The interface loopback 0 at each router must be seen as an internal OSPF prefix by all other routers
3. Ensure that OSPF is not running on any interface that is facing another AS. Use any method to
accomplish this requirement.
4. SW 1 and SW2 must not participate in routing at all
5. Do not change the default OSPF cost of any interface in AS12345
6. R1 must see the following OSPF routes in the routing table

SOLUTION
R1(config)#router ospf 12345

R1(config-router)#router-id 123.1.1.1
R1(config-router)#network 123.10.1.1 0.0.0.0 area 0
R1(config-router)#exit
R1(config)#

R2(config)#

R3(config)#

R4(config)#


R5(config)#

R6(config)#

R7(config)#

VERIFICATION
On R1

SECTION 2.2 IMPLEMENT EIGRP in AS 34567
Configure EIGRP for ipv4 in the New York office (AS34567) according to the following requirements
1. The EIGRP Autonomous System is 34567

2. The interface loopback 0 on each router must be seen as an internal EIGRP prefix by all other routers
3. Ensure the EIGRP is not running on any interface that is facing another AS. Use any method to
accomplish this requirement
4. Using a single command on one switch only ensure that R8 installs two equal-cost route for the
following three path
 Vlan 411
 Interface loopback0 at SW4
 Interface loopback0 at R11
5. Using a single command on one switch only ensure that R9 installs two equal cost route for the
following three path
 Vlan 310
 Interface loopback0 at SW3
 Interface loopback0 at R10
SOLUTION
R8(config)#router eigrp 34567

R8(config-router)#network 123.10.2.1 0.0.0.0
R8(config-router)#no auto-summary
R8(config)#


R9(config)#

R10(config)#

R11(config)#
SW3(config)#router eigrp 34567

SW3(config-router)#network 123.10.2.13 0.0.0.0
SW3(config-router)#no auto-summary
SW3(config-router)#exit
SW3(config)#
SW3(config)#interface vlan 34
SW3(config-if)#delay 100


SW4(config)#
SW4(config-if)#delay 100

VERIFICATION
On R8

On R9

Configure EIGRP in AS 45678 according to the following requirements.

2. The interface loopback0 at each router must be seen as an internal EIGRP prefix by all other routers
3. Ensure the EIGRP is not running on any interface that is facing another AS. Use any method to
accomplish this requirement .
4. SW5 and SW6 are layer 3 switches and must configure EIGRP
5. On all three routers R15, 16, 17 must use EIGRP with 64bit metric version
6. Do not change the interface bandwidth on any physical interface in AS 45678
SOLUTION
R15(config)#router eigrp CCIE

R15(config-router)#address-family ipv4 unicast autonomous-system 45678
R15(config-router-af)#network 123.20.1.1 0.0.0.0
R15(config-router-af)# topology base
R15(config-router-af-topology)#no auto-summary
R15(config-router-af-topology)#exit-af-topology
R15(config-router-af)#exit-address-family
R15(config)#


R16(config)#

R17(config)#
SW5(config)#Vlan 5
SW5(config)#Vlan 55

SW5(config)#

SW6(config)#Vlan 6
SW6(config)#Vlan 66

SW6(config)#
VERIFICATION
On R15


On R16


On R17


On SW5


On SW6


Configure EIGRP in AS 65222 according to the following requirements.

2. The interface loopback0 at each router must be seen as an internal EIGRP prefix by all other routers
3. Ensure that EIGRP is not running on any interface that is facing another AS.Use any method to
accomplish this requirement
4. Ensure that R17 should be the DMVPN hub and R18, R19 should be as the spoke. Use the pre-configured
tunnel 0
Pre-configuration for tunnel 0 on routers R17, R18, R19
On R17
Interface tunnel 0
no ip redirects
Ip address 123.20.1.25 255.255.255.248
tunnel source ethernet 0/0
tunnel mode gre multipoint
On R18
Interface tunnel 0
no ip redirects
Ip address 123.20.1.26 255.255.255.248
tunnel source Serial1/0
On R19
Interface tunnel 0
no ip redirects
Ip address 123.20.1.27 255.255.255.248
tunnel source Serial1/0

SOLUTION

R17(config)#

R18(config-router)# network 10.1.18.1 0.0.0.0
R18(config-router)#eigrp stub connected
R18(config-router)# no auto-summary
R18(config)#

R19(config-router)#eigrp stub connected
R19(config-router)# no auto-summary
R19(config)#

VERIFICATION
On R17
On R18
On R19
After completing section 3.3 (DMVPN) you will get the above result

SECTION 2.5 IMPLEMENT BGP in AS 12345
BGP is partially pre-configured in ACME headquarters. Complete the configuration as required.
Configure the IBGP in ACME’s headquarters (AS 12345) according to the following requirements.
1. R4 and R5 must not establish any BGP session at any time

2. All BGP routers must use their interface loopback0 as their BGP router-id
3. Disable the default ipv4 unicast address family for peering session establishment in all BGP routers
4. R1 must be the ipv4 route-reflector for BGP AS 12345
5. R1 must use the peer-gorup named “IBGP” for all internal peerings
Configure EBGP between ACME's San Francisco and San Jose sites according to the following requirements
6. R20 is the CE router and uses EBGP to connect to the managed services that are provided by the PE
routers R2 and R3
7. R20 must establish separate EBGP peering with both R2 and R3 for every VRF
8. R20 must advertise the following prefix to all of its BGP peers
 123.0.0.0/8 summary-only
 10.0.0.0/8 summary-only
9. R20 must advertise a default route to all of its BGP peer except to 10.120.99.1 and 10.120.99.5

SOLUTION
For IBGP
R1(config)#router bgp 12345

R1(config-router)#bgp router-id 123.1.1.1
R1(config-router)#no bgp default ipv4-unicast
R1(config-router)#neighbor IBGP peer-group
R1(config-router)#neighbor IBGP remote-as 12345
R1(config-router)#neighbor IBGP update-source loopback 0
R1(config-router)#neighbor 123.2.2.2 peer-group IBGP
R1(config-router)#address-family ipv4
R1(config-router-af)#neighbor IBGP route-reflector-client
R1(config-router-af)#neighbor 123.2.2.2 activate
R1(config)#

R2(config-router)#neighbor 123.1.1.1 remote-as 12345
R2(config-router)#neighbor 123.1.1.1 update-source loopback 0
R2(config)#


R3(config)#

R6(config)#

R7(config)#

For EBGP

R2(config-router)#address-family ipv4 vrf BLUE
R2(config-router-af)#neighbor 10.120.13.2 remote-as 65112
R2(config-router)#
R2(config-router)#address-family ipv4 vrf GREEN

R2(config-router)#
R2(config-router)#address-family ipv4 vrf INET

R2(config-router)#
R2(config-router)#address-family ipv4 vrf RED
R2(config-router)#
R2(config-router)#address-family ipv4 vrf YELLOW

R2(config)#

On R3 ------ Configuration

R3(config-router)#address-family ipv4 vrf BLUE
R3(config-router)#
R3(config-router)#address-family ipv4 vrf GREEN

R3(config-router)#

R3(config-router)#

R3(config-router)#
R3(config-router)#address-family ipv4 vrf YELLOW

R3(config)#


R20(config-router)# bgp router-id 123.20.20.20
R20(config-router)#network 10.0.0.0
R20(config-router)#network 123.0.0.0
R20(config-router)#neighbor 10.120.12.1 default-originate
R20(config-router)#aggregate-address 123.0.0.0 255.0.0.0 summary-only

R20(config-router)# auto-summary
R20(config)#

VERIFICATION
For IBGP
On R1
For EBGP
On R2

On R3


On R20

SECTION 2.6 IMPLEMENT BGP in AS 34567
QUESTION
BGP is partially pre-configured in ACME New York office (AS 34567).

Complete the configuration as required.
Configure IBGP in AS 34567 according to the following requirements
1. SW3 and SW4 must not establish any BGP session at any time
2. All four BGP routers must use their interface loopback0 as their bgp router-id
3. Disable the default ipv4 unicast address family for peering session establishment in all BGP routers
4. Configure full mesh IBGP peering between all four routers use any configuration method
5. R9 must be selected as the preferred exit point for traffic destined to remote AS's
6. R11 must be selected as the next preferred exit point in case R9 fails
7. No BGP speaker in AS 34567 must use network statement under the BGP router configuration.
8. Ensure that all the BGP next-hop is never marked as unreachable as long as interface loopback0 of
the remote peer is known via IGP
Configure EBGP in AS 34567 according to the following requirements
9. All four BGP routers must establish EBGP peering with their neighboring AS as shown in diagram 3
(BGP topology)
10. All four BGP routers must redistribute EIGRP into BGP
11. R9 and R11 must redistribute only the BGP default route into Eigrp
12. Ensure that R9 is the only router that sees the default as a BGP route and that all other routers
(R8, R10, R11) see it as an EIGRP external router.

SOLUTION
For IBGP

R8(config-router-af)#neighbor 123.9.9.9 next-hop-self
R8(config)#


R9(config-router)#bgp default local-preference 102
R9(config)#

R10(config)#


R11(config-router)#bgp default local-preference 101
R11(config)#
For EBGP

R8(config-router-af)#redistribute eigrp 34567
R8(config)#


R9(config-router-af)#neighbor 33.34.4.1 route-map DEFAULT in
R9(config)#
R9(config)#ip prefix-list DEFAULT permit 0.0.0.0/0
R9(config)#route-map DEFAULT
R9(config-route-map)#match ip address prefix-list DEFAULT
R9(config-route-map)#exit
R9(config)#

R9(config-router)#redistribute bgp 34567 route-map DEFAULT metric 100000 10 255 1 1500
R9(config)#

R10(config)#


R11(config)#
R11(config)#ip prefix-list DEFAULT permit 0.0.0.0/0
R11(config)#route-map DEFAULT
R11(config-route-map)#match ip address prefix-list DEFAULT
R11(config-route-map)#exit
R11(config)#

R11(config-router)#redistribute bgp 34567 route-map DEFAULT
R11(config)#

VERIFICATION
On R8

On R9

On R10

On R11

On R8


SECTION 2.7 IMPLEMENT BGP in AS 45678 & 65222
QUESTION
Configure EBGP in ACME's APAC region (AS45678 and AS 65222) according to the following
requirements.
Refer “ Diagram 3 : BGP routing “
1. SW5 and SW6 must not establish any BGP session at any time.
2. All BGP routers must use their interface loopback0 as the BGP router-id.
3. No IBGP peering session are allowed in AS 45678.
4. R15 must establish an EBGP peering with AS 10003 and must receive a default route as well as other
prefix.
5. R15 must redistribute BGP into EIGRP vice versa.
6. R15 must also advertise an aggregate prefix for 123.20.1.0/24 to AS 10003 and must suppress all
components prefixes.
7. R16 , R17 , R18 , R19 must establish an EBGP peering with AS 20003 and must receive a default route as
well as other prefix.
8. R16 , R17 , R18 , R19 must not advertise any prefix to AS 20003.
9. As long as R15 operational , R16 , R17 , R18 , R19 must prefer the EIGRP default route over the EBGP
default route.
10. Do not create any VRF in anywhere in order to accomplish the above requirements.
SOLUTION

R15(config-router)#redistribute eigrp 45678
R15(config)#


R15(config-router)#address-family ipv4 autonomous-system 45678
R15(config-router-af)#topology base
R15(config-router-af-topology)#redistribute bgp 45678
R15(config)#

R16(config-router)#distance 171 203.3.16.1 0.0.0.0 1
R16(config)#
R16(config)#access-list 1 permit 0.0.0.0

R17(config)#

R18(config)#


R19(config)#
VERIFICATION
On R15

On R16

On R17

On R18

On R19


SECTION 2.8 BGP ROUTING POLICIES
QUESTION
Configure the ACME network as per the following requirements
1. All ACME border routers in AS 12345 must filter the BGP prefixes that are advertised to their SP in VRF
INET and must allow all prefixes that belong to class A 123.0.0.0./8 and all other VRF's must propagate
all prefix
2. All ACME border routers in AS 34567 must filter the BGP prefixes that are advertised to their SP and
must allow only all prefixes that belong to the class A 123.0.0.0/8
3. Do not use any route-map or access-list to accomplish the above requirements
4. R13 must route traffic preferably via AS 20002, use any method to accomplish this requirement
5. All three remote sites in AS 65111 must be able to ping 1.2.3.4 and traceroute must reveal the exact
same path as shown in the following output

SOLUTION
R2(config)#ip prefix-list FILTER permit 123.0.0.0/8 le 32

R2(config-router-af)#neighbor 101.1.123.1 prefix-list FILTER out
R2(config)#
R3(config)#Ip prefix-list FILTER permit 123.0.0.0/8 le 32
R3(config)#Router bgp 12345

R3(config-router)#Address-family ipv4 vrf INET
R3(config-router-af)#Neighbor 102.2.123.1 remote-as 10002
R3(config-router-af)#Neighbor 102.2.123.1 activate
R3(config-router-af)#Neighbor 102.2.123.1 prefix-list FILTER out
R3(config)#

R6(config)#


R7(config)#
R8(config)#ip prefix-list FILTER permit 123.0.0.0/8 le 32

R8(config-router)#Address-family ipv4
R8(config)#

R9(config-router-af)#neighbor 102.2.34.1 prefix-list FILTER out
R9(config)#

R10(config)#


R11(config)#

R12(config-router)#Redistribute connected
R12(config-router)#Neighbor 201.1.12.1 remote-as 20001
R12(config)#

R13(config-router)#Neighbor 202.2.13.1 weight 1
R13(config)#

R14(config)#

R20(config-router)#Neighbor 10.120.99.5 weight 1
R20(config)#

VERIFICATION
On R12
After completing section 3.1 & 3.2 (MPLS), you wil get the above result

SECTION 2.9 IMPLEMENT IPV6 OSPF
QUESTION
Configure OSPFv3 in the ACME New York office as per the following requirements.
1. Configure the OSPF process id 1 and set the router-id as interface loopback0
2. SW4 must be selected as the designated router on VLAN 34 and must have the best chance.
3. SW3 must be selected as the back-up designated router on VLAN 34 and must take over the
designated router if Switch4 is down.
Ipv6 address is Pre-Configured
SOLUTION
SW3(config)#ipv6 unicast-routing
SW3(config)#ipv6 router ospf 1
SW3(config-rtr)#router-id 123.33.33.33
SW3(config-rtr)#exit
SW3(config)#
SW3(config)#interface loopback 0
SW3(config-if)# Ipv6 ospf 1 area 0
SW3(config)#exit
SW3(config)#
SW3(config-if)#ipv6 ospf priority 254
SW3(config)#exit
SW3(config)#

SW3(config-if)#interface vlan 310

SW3(config-if)#exit
SW3(config)#
SW4(config)#ipv6 unicast-routing
SW4(config)#Ipv6 router ospf 1
SW4(config-rtr)#Router-id 123.44.44.44
SW4(config-rtr)#exit
SW4(config)#
SW4(config)#Interface loopback 0
SW4(config-if)#exit
SW4(config)#
SW4(config)#Interface vlan 34
SW4(config-if)#Ipv6 ospf priority 255
SW4(config-if)#exit
SW4(config)#
SW4(config-if)#Interface vlan 411

SW4(config-if)#exit
SW4(config)#
R10(config)#ipv6 unicast-routing
R10(config)#Ipv6 router ospf 1
R10(config-rtr)#Router-id 123.10.10.10
R10(config-rtr)#exit
R10(config)#
R10(config)#Interface ethernet0/1
R10(config-if)#Ipv6 ospf 1 area 10
R10(config-if)#exit
R10(config)#
R10(config)#Interface loopback 0
R10(config-if)#exit
R10(config)#

R11(config)#ipv6 unicast-routing
R11(config)#Ipv6 router ospf 1
R11(config-rtr)#Router-id 123.11.11.11
R11(config)#
R11(config)#Interface ethernet0/2
R11(config-if)#exit
R11(config)#
R11(config-if)#exit
R11(config)#
VERIFICATION
On R10


On R11
On SW3
On SW4

SECTION 2.10 IMPLEMENT BGP FOR IPV6
QUESTION
Configure ACME network as per the following requirements
1. Establish the four eBGP peering as indicated on "diagram IPV6 routing"

2. Do not use the network command under the BGP address-family ipv6 on either R10 or R11
3. Both regional Service Provider will advertise the necessary prefixes
4. Advertise the ipv6 prefix on interface Ethernet 0/0 into BGP on both R12 and R14
5. Configure your network such that any ipv6 that include can communicate with any ipv6 user that is
located and vice versa.
6. Do not use any static route or default route anywhere
7. Use the following ping to verify your configuration

SOLUTION

R10(config-router)#neighbor 2001:CC1E:BEF:10:201:1:34:1 remote-as 20001
R10(config-router-af)#neighbor 2001:CC1E:BEF:10:201:1:34:1 activate
R10(config-router-af)#redistribute ospf 1 match internal external
R10(config)#
R10(config)#ipv6 router ospf 1

R10(config-rtr)#redistribute bgp 34567
R10(config)#

R11(config-router-af)#redistribute ospf 1 match internal external
R11(config)#
R11(config)#ipv6 router ospf 1

R11(config-rtr)#redistribute bgp 34567
R11(config)#


R12(config-router-af)#neighbor 2001:CC1E:BEF:124:201:1:12:1 allowas-in
R12(config-router-af)#network 2001:CC1E:BEF:12::/64
R12(config)#

R14(config-router-af)#neighbor 2001:CC1E:BEF:144:202:2:14:1 allowas-in
R14(config-router-af)#network 2001:CC1E:BEF:14::/64
R14(config)#

VERIFICATION
On R12
On R14

SECTION 2.11 IMPLEMENT LAYER 3 MUTICAST
QUESTION
Assume that Streaming server is connected in vlan 5 on SW5 and receiver are located at the DMVPN
spoke R18 and R19
1. Only network segments with active receivers that explicitly require the data must receive the multicast
traffic
2. Interface loopback0 of R15 must be configured as RP
3. Use a standard method of dynamically distributing the RP
4. Both R16 and R17 must participate in the multicast routing
5. For testing purpose ,Configure interface ethernet0/0 of both R18 and R19 to join group 232.1.1.1
SOLUTION
R15(config)#ip multicast-routing
R15(config)#interface loopback 0
R15(config-if)#ip pim sparse-mode
R15(config-if)#exit
R15(config)#
R15(config)#interface ethernet 0/1

R15(config-if)#exit
R15(config)#

R15(config)#int ethernet 0/2

R15(config-if)#exit
R15(config)#
R15(config)#ip pim rp-candidate loopback 0

R15(config)#ip pim bsr-candidate loopback 0
SW5(config)#ip multicast-routing
SW5(config)#int vlan 5
SW5(config-if)#ip pim sparse-mode
SW5(config-if)#exit
SW5(config)#
SW5(config)#int vlan 55
SW5(config-if)#exit
SW5(config)#
SW6(config)#ip multicast-routing
SW6(config-if)#exit
SW6(config)#
SW6(config-if)#exit
SW6(config)#


R16(config-if)# ip pim sparse-mode
R16(config-if)#exit
R16(config)#

R16(config-if)#exit
R16(config)#
R17(config)#interface tunnel 0
R17(config-if)#exit
R17(config)#

R17(config-if)#exit
R17(config)#

R17(config-if)#exit
R17(config)#

R18(config-if)#exit
R18(config)#

R18(config-if)#ip igmp join-group 232.1.1.1
R18(config-if)#exit
R18(config)#
R19(config-if)#exit
R19(config)#

R19(config-if)#ip igmp join-group 232.1.1.1
R19(config-if)#exit
R19(config)#

VERIFICATION
On R15
On R16

On R17

On R18
On R19

On SW5

On SW6
After competing section 3.3(DMVPN), you will get the above result

SECTION 3 VPN TECHNOLOGY

SECTION 3.1 IMPLEMENT MPLS VPN – PART 1
QUESTION
Refer to "diagram 3 BGP topology" and "diagram 4 VPN technology"
The ACME HQ network (AS12345) uses MPLS L3VPN in order to clearly separate remote site
networks
The ACME corporate security policies are centralized and enforced at the San Jose site
(AS 65112) for all remote sites. the policies require that all traffic that is originated from
any remote sites (with the exception of New York office)
Configure MPLS L3 VPN in the ACME network according to the following requirements
1. Enable LDP only on required interfaces on all seven routers in AS 12345

2. Use the interface loopback 0 to establish LDP peering
3. Ensure that no MPLS interface that belongs to any router in AS12345 is visible on a traceroute
that originates outside of the AS
4. R2, R3, R6 and R7 must be configured as PE routers
5. R1, R4 and R5 must be configured as P routers

SOLUTION
R1(config)#Mpls ldp router-id loopback 0 force
R1(config)#No mpls ip propagate-ttl
R1(config)#Router ospf 12345

R1(config-router)#Mpls ldp autoconfig
R1(config)#

R2(config)#

R3(config)#


R4(config)#

R5(config)#

R6(config)#

R7(config)#

VERIFICATION
On R1

On R2
On R3

On R4

On R5

On R6
On R7

SECTION 3.2 IMPLEMENT MPLS VPN – PART 2
QUESTION
Refer to "diagram 3 BGP topology" and "diagram 4 VPN technologie"
The global and regional service providers have agreed to transport the ACME VPN via PE to PE EBGP
peering that are already preconfigured.
Complete all the configuration of MPLS L3 VPN in the ACME network according to the following
requirements
1. R1 must reflect VPNv4 prefixes from any PE to any other PE in AS 12345

2. R2 and R3 must establish EBGP peering with both global Service Providers
(As 10001 and AS 10002) for the following VRF's
 GREEN
 BLUE
 RED
 YELLOW
 INET
3. R6 must establish an EBGP peering with the regional SP (AS 20001) for the following VRFs
 GREEN
 BLUE
 INET
4. R7 must establish an EBGP peering with the regional SP (AS 20002) for the following VRFs
 BLUE
 RED
 INET
5. All ip address used for EBGP peering must pass the BGP's directly connected check
6. No BGP speaker is AS 12345 may use the network or redistribute statement under any address-family of
the BGP router configuration

7. At the end of the exam scenario the interface ethernet 0/0 of the gateway router in any remote site
must be able to connect to the interface ethernet 0/0 of any other remote gateway that belongs to AS
65111 or AS 65222
8. Use the following tests as examples of connectivity checks
R12# ping 10.2.19.1 source ethernet0/0

!!!!!
R12# traceroute 10.2.19.1 source ethernet0/0
SOLUTION

R1(config-router)#address-family vpnv4
R1(config-router-af)#neighbor IBGP send-community extended
R1(config-router-af)#neighbor IBGP route-reflector-client
R1(config)#

R2(config-router)#Address-family vpnv4
R2(config-router-af)#Neighbor 123.1.1.1 send-community extended
R2(config)#


R3(config)#

R6(config)#

R7(config)#

R2(config-router)#Address-family ipv4 vrf BLUE
R2(config-router-af)#Exit-address-family
R2(config-router)#
R2(config-router)#Address-family ipv4 vrf GREEN

R2(config-router)#


R2(config-router)#
R2(config-router)#Address-family ipv4 vrf RED

R2(config-router)#
R2(config-router)#Address-family ipv4 vrf YELLOW

R2(config)#

R3(config-router)#

R3(config-router)#

R3(config-router)#
R3(config-router)#Address-family ipv4 vrf RED

R3(config-router)#

R3(config-router)#Address-family ipv4 vrf YELLOW

R3(config)#

R6(config-router)#

R6(config-router)#

R6(config)#

R7(config-router)#

R7(config-router)#


R7(config)#
VERIFICATION
On R12

On R2

On R3

On R6
On R7

SECTION 3.3 IMPLEMENT DMVPN
QUESTION
Configure DMVPN phase 3 in the ACME APAC region (AS 45678 and 65222) as per the following
requirements
1. Use the preconfigured interface tunnel 0 on all the three routers in order to accomplish this task
2. R17 must be configured as the hub router
3. R18 and R19 must be the spoke routers and must participate in the NHRP information exchange
4. Disable send icmp redirect message on all three tunnel 0 interfaces
5. Configure the following parameters on all the three tunnel 0 interfaces
 Configure the bandwidth 1000 kbps

 Configure the delay to 10000 msec
 Adjust the ip MTU to 1400 Bytes
 Adjust the TCP MSS to 1380 Bytes
6. Authenticate NHRP using the string 45678key

7. Use the NHRP network-id 45678
8. Configure NHRP hold time to 5 min
9. Ensure that spoke-to-spoke traffic does not transit via the hub

SOLUTION
R17(config-if)#bandwidth 1000
R17(config-if)#no ip redirects
R17(config-if)#ip mtu 1400
R17(config-if)#ip nhrp authentication 45678key
R17(config-if)#ip nhrp map multicast dynamic
R17(config-if)#ip nhrp network-id 45678
R17(config-if)#ip nhrp holdtime 300
R17(config-if)#ip tcp adjust-mss 1380
R17(config-if)#delay 1000
R17(config-if)#ip nhrp redirect
R17(config-if)#exit
R17(config)#

R17(config-router)# address-family ipv4 unicast autonomous-system 45678
R17(config-router-af)#af-interface tunnel 0
R17(config-router-af-interface)#no split-horizon
R17(config-router-af-interface)#no next-hop-self
R17(config-router-af-interface)#exit-af-interface
R17(config)#

R18(config-if)#ip nhrp nhs 123.20.1.25
R18(config-if)#ip nhrp map 123.20.1.25 203.3.17.2
R18(config-if)#ip nhrp map multicast 203.3.17.2
R18(config-if)#ip nhrp shortcut
R18(config-if)#exit
R18(config)#
R19(config)#Interface Tunnel 0
R19(config-if)#ip nhrp nhs 123.20.1.25
R19(config-if)#ip nhrp map 123.20.1.25 203.3.17.2
R19(config-if)#ip nhrp map multicast 203.3.17.2
R19(config-if)#ip nhrp shortcut
R19(config-if)#exit
R19(config)#

VERIFICATION
On R17

On R18

On R19

SECTION 3.4 IMPLEMENT ENCRYPTION
QUESTION
Refer to "Diagram 4 VPN technology"
Secure the DMVPN tunnel using IPSEC according to the following requirements
1. Configure IKE Phase 1 as per the following
 Use AES encryption with the pre-shared key “ CCIE “

 The key must appear in plain text in the configuration
 All IPsec tunnels must be authenticated using the same IKE Phase 1 pre-shared key
 Use 1024 bits for the key exchange using the Diffie-Hellman algorithm
 Configure a single policy using priority 10
2. Configure IKE Phase 2 as per the following requirements
 Use CCIEXFORM as transform-set name

 use DMVPNPROFILE as IPSEC profile name
 use IPSEC in transport mode
 use the IPSEC protocol ESP and algorithm AES with 128 bits
3. Ensure that the DMVPN cloud is secured using above parameters.
 Use tunnel protection in your configuration.

SOLUTION
For Phase 1
R17(config)#crypto isakmp enable

R17(config)#crypto isakmp policy 10
R17(config-isakmp)#authentication pre-share
R17(config-isakmp)#encryption aes
R17(config-isakmp)#group 2
R17(config-isakmp)#exit
R17(config)#
R17(config)#crypto isakmp key CCIE address 203.3.18.2

R17(config)#crypto isakmp key CCIE address 203.3.19.2
R18(config)#Crypto isakmp enable

R18(config)#Crypto isakmp policy 10
R18(config-isakmp)#Authentication pre-share
R18(config-isakmp)#Group 2
R18(config)#
R18(config)#Crypto isakmp key CCIE address 203.3.17.2

R18(config)#
R19(config)#Crypto isakmp enable

R19(config)#Crypto isakmp policy 10
R19(config-isakmp)#Authentication pre-share
R19(config-isakmp)#Group 2
R19(config)#

R19(config)#Crypto isakmp key CCIE address 203.3.17.2

R19(config)#
For Phase 2
R17(config)#Crypto ipsec transform-set CCIEXFORM esp-aes 128

R17(cfg-crypto-trans)#mode transport
R17(cfg-crypto-trans)#exit
R17(config)#
R17(config)#crypto ipsec profile DMVPNPROFILE

R17(ipsec-profile)#set transform-set CCIEXFORM
R17(ipsec-profile)#exit
R17(config)#
R17(config-if)#tunnel protection ipsec profile DMVPNPROFILE
R17(config-if)#exit
R17(config)#

R18(config)#

R18(config)#
R18(config-if)#exit
R18(config)#


R19(config)#

R19(config)#
R19(config-if)#exit
R19(config)#
VERIFICATION
On R17

On R18
On R19

SECTION 4 INFRASTRUCTURE SECURITY

SECTION 4.1 DEVICE SECURITY
QUESTION
Refer to “ Diagram 1 : Main Topology “
Configure R20 in the ACME San Jose office as per the following
1. All users who connect to R20 via the console port or via any of VTY lines using SSH must be prompted
with the below message before any other prompt is displayed
 WARNING! ACCESS RESTRICTED!
2. Do not include any extra spaces or any other characters as the ones shown above
SOLUTION
R20(config)#banner motd *
WARNING! ACCESS RESTRICTED!* ----> Copy Paste this statement from question to avoid spaces
R20(config)#
R20(config)#banner login *
WARNING! ACCESS RESTRICTED!* ----> Copy Paste this statement from question to avoid spaces
R20(config)#line vty 0 4
R20(config-line)#no motd-banner
R20(config-line)#exit
R20(config)#exit
R20#quit
NOTE : After “ WARNING! ACCESS RESTRICTED! “ do not enter or space . You can use * symbol or
return button or type “ m “ to come out

VERIFICATION
On R20

SECTION 4.2 IMPLEMENT NETWORK SECURITY
QUESTION
Refer to “Diagram 1: Main Topology “
Configure ACME New York office as per the following
1. Ensure that interfaces ethernet 0/0 , ethernet 0/1 , ethernet 0/2 , ethernet 0/3 of SW3 forward traffic
that was sent from expected and legitimate host and servers.
2. Sw3 must dynamically learn only one mac address per port and must save the mac address in its startup
configuration
3. Sw3 must shut down the port if security violation occurs on any of these four ports
SOLUTION
SW3(config)#Interface range ethernet 0/0-3

SW3(config-if-range)#switchport port-security
SW3(config-if-range)#switchport port-security mac-address sticky
SW3(config-if-range)#switchport port-security maximum 1
SW3(config-if-range)#switchport port-security violation shutdown
SW3(config)#

VERIFICATION
On SW3

SECTION 5 INFRASTRUCTURE SERVICES

SECTION 5.1 IMPLEMENT SYSTEM MANAGEMENT
QUESTION
Configure R20 int the ACME San Jose office as per the following requirements
1. Enable SSH access in R20 using the domain name “ acme.org “

2. R20 must accept up to five remote authorized users to connect at the same time using SSH
3. Create the user "test" with password "test" in the local database of R20
4. Ensure that R20 accepts SSH connections with clients with source ip in 123.10.2.0/24. All other source
ip must be denied. Use standard ACL to configure this requirement.
5. R20 must produce a syslog message for all SSH connection attempts whether permitted or denied
6. When authenticate the username “ test “ must be granted privilege level 1
7. Do not enable aaa new-model command on R20
8. Ensure that SSH is the only remote access method permitted on VTY lines of R20
9. Ensure that the console is not affected by your solution and no username prompt is presented on the
console port
10. Test your solution from any device that is located in AS 34567 and ensure that the following sequence
of command produce the following output

SOLUTION
R20(config)#service linenumber
R20(config)#username test password test
R20(config)#ip domain-name acme.org
R20(config)#crypto key generate rsa
How many bits in the modulus [512]: 1024
R20(config)#ip ssh maxstartups 5

R20(config)#ip ssh logging events
R20(config)#ip ssh version 2
R20(config)#Access-list 1 permit 123.10.2.0 0.0.0.255 log

R20(config)#Access-list 1 deny any log
R20(config)#line vty 0 4
R20(config-line)#access-class 1 in
R20(config-line)#login local
R20(config-line)#transport input ssh
R20(config-line)#privilege level 1
R20(config-line)#exit
R20(config)#

VERIFICATION
On R10
On R20

SECTION 5.2 IMPLEMENT NETWORK SERVICES
QUESTION
1. R20 must enable all private corporate traffic that is originated from any host with source ip address
10.1.0.0/16 or 10.2.0.0/16 to connect to any public destination that is located in AS 34567 or in any
source
2. All remote sites in AS 65111 and 65222 must be able to connect to these public destinations
3. R20 must swap the source ip address in these packets with the ip address of its interface loopback0
4. R20 must allow multiple concurrent connections
5. Use a standard ACL to accomplish the above requirements
The following tests must succeed after the above requirements

(in addition to previous requirements) are achieved
R12# ping 1.2.3.4 source ethernet0/0

!!!!!
R20# ping 1.2.3.4 source loopback 1
!!!!!

SOLUTION
R20(config)#interface loopback 0
R20(config-if)#ip nat outside
R20(config-if)#exit
R20(config)#
R20(config)#interface range ethernet 0/0.12 - ethernet 0/0.15

R20(config-if-range)#ip nat inside
R20(config-if-range)#exit
R20(config)#
R20(config)#interface ethernet 0/0.99

R20(config-subif)#ip nat outside
R20(config-subif)#exit
R20(config)#
R20(config)#interface range ethernet 0/1.12 - ethernet 0/1.15

R20(config-if-range)#ip nat inside
R20(config-if-range)#exit
R20(config)#
R20(config)#interface ethernet 0/1.99

R20(config-subif)#ip nat outside
R20(config-subif)#exit
R20(config)#
R20(config)#access-list 2 permit 10.1.0.0 0.0.255.255

R20(config)#access-list 2 permit 10.2.0.0 0.0.255.255
R20(config)#ip nat inside source list 2 interface loopback 0 overload

VERIFICATION
On R12
On R20

SECTION 5.3 IMPLEMENT NETWORK OPTIMIZATION
QUESTION
Configure R17 as per the following requirements
1. The output shown below must be seen on R17 during 10 sec after R15 successfully pings interface
loopback 0 of R19

SOLUTION
R17(config)#ip flow-export version 9

R17(config)#ip flow-top-talkers
R17(config-flow-top-talkers)#top 10
R17(config-flow-top-talkers)#sort-by bytes
R17(config-flow-top-talkers)#cache-timeout 10
R17(config-flow-top-talkers)#match input-interface ethernet 0/2
R17(config-flow-top-talkers)#match source address 123.20.1.9 255.255.255.255
R17(config-flow-top-talkers)#exit
R17(config)#
R17(config-if)#ip flow egress
R17(config-if)#exit

VERIFICATION
On R15
On R17

SECTION 5.4 IMPLEMENT NETWORK SERVICES
QUESTION
Configure ACME as per the following requirements
1. SW3 must provide an authoritative time source to the ACME network

2. R10 and R12 must synchronize their clock to SW3 using NTP v4 for IPv6
3. R10 and R12 must operate in client mode
4. Sw3 must not capture or use any time information that is sent by R10 and R12
5. All NTP traffic must rely on IPv6 connectivity only
All NTP traffic must be sourced and destined to interface loopback 0 of the
corresponding devices
SOLUTION
SW3(config)#ntp master
SW3(config)#ntp source loopback 0
SW3(config)#interface loopback 0
SW3(config-if)#ntp disable ip
SW3(config-if)#exit
SW3(config)#
SW3(config)#ntp peer 2001:CC1E:BEF:0:123:10:10:10 version 4

SW3(config)#ntp peer 2001:CC1E:BEF:0:123:12:12:12 version 4

R10(config)#Ntp source loopback 0
R10(config-if)#Ntp disable ip
R10(config-if)#exit
R10(config)#
R10(config)#ntp server 2001:CC1E:BEF:0:123:33:33:33 version 4
R12(config)#Ntp source loopback 0
R12(config-if)#Ntp disable ip
R12(config-if)#exit
R12(config)#
R12(config)#ntp server 2001:CC1E:BEF:0:123:33:33:33 version 4

R12(config-router-af)#network 2001:CC1E:BEF:0:123:12:12:12/128
R12(config)#

VERIFICATION
On SW3
On R10

On R12


CCIE Lab 400-101 H1

Caricato da

Informazioni sul documento

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

CCIE Lab 400-101 H1

Caricato da

Copyright:

Formati disponibili

CCIE R&S v5 Lab v1.

Web: www.ccielabcenter.com / Mail: care@ccielabcenter.com Page 1

Disclaimer : CCCIE RSv5 lab Exam Workbook is designed to provide extensive

The information presented in the workbook is not necessarily related to Cisco

Web: www.ccielabcenter.com / Mail: care@ccielabcenter.com Page 2

Web: www.ccielabcenter.com / Mail: care@ccielabcenter.com Page 3

SECTION 1: LAYER 2 TECHNOLOGIES

1. The VTP domain must be set to CCIE

SW1 ------ Configuration

SW2 ------ Configuration

Web: www.ccielabcenter.com / Mail: care@ccielabcenter.com Page 4

SW3 ------ Configuration

SW4 ------ Configuration

Web: www.ccielabcenter.com / Mail: care@ccielabcenter.com Page 5

Web: www.ccielabcenter.com / Mail: care@ccielabcenter.com Page 6

Web: www.ccielabcenter.com / Mail: care@ccielabcenter.com Page 7

Web: www.ccielabcenter.com / Mail: care@ccielabcenter.com Page 8

Web: www.ccielabcenter.com / Mail: care@ccielabcenter.com Page 9

SECTION 1.2 – LAYER 2 PORTS – (SWITCH ACCESS PORT)

Configure All Switch Ports as per the following requirements :-

E3/0 - E3/3 are unused on SW1 and SW2

Web: www.ccielabcenter.com / Mail: care@ccielabcenter.com Page 10

SW1(config)#interface range ethernet 2/0 – 3

SW1(config)#interface range ethernet 3/0 – 3

SW1(config)# interface ethernet 0/0

SW1(config)#interface ethernet 0/1

SW1(config)#interface ethernet 0/2

SW1(config)#interface ethernet 0/3

Web: www.ccielabcenter.com / Mail: care@ccielabcenter.com Page 11

SW1(config)#interface ethernet 1/0

SW1(config)#interface ethernet 1/1

SW1(config)#interface ethernet 1/2

SW1(config)#interface ethernet 1/3

SW2 ------ Configuration

SW2(config)#interface range ethernet 2/0 – 3

SW2(config)#interface range ethernet 3/0 – 3

Web: www.ccielabcenter.com / Mail: care@ccielabcenter.com Page 12

SW2(config)#interface ethernet 0/0

SW2(config)#interface ethernet 0/1

SW2(config)#interface ethernet 0/2

SW2(config)#interface ethernet 0/3

SW2(config)#interface ethernet 1/0

SW2(config)#interface ethernet 1/1

Web: www.ccielabcenter.com / Mail: care@ccielabcenter.com Page 13

SW2(config)#interface ethernet 1/2

SW2(config)#interface ethernet 1/3

SW3 ------ Configuration

SW3(config)#interface range ethernet 2/0 – 3

SW3(config)# interface range ethernet 1/0 - 3 , ethernet 3/0 – 3

Web: www.ccielabcenter.com / Mail: care@ccielabcenter.com Page 14

SW3(config)#interface ethernet 0/0

SW3(config)#interface ethernet 0/1

SW3(config)#interface ethernet 0/3

SW4 ------ Configuration

Web: www.ccielabcenter.com / Mail: care@ccielabcenter.com Page 15

SW4(config)#interface range ethernet 2/0 – 3

SW4(config)# interface range ethernet 1/0 - 3 , ethernet 3/0 – 3

SW4(config)# interface ethernet 0/1

SW4(config)# interface ethernet 0/2

SW4(config)# interface ethernet 0/3

Web: www.ccielabcenter.com / Mail: care@ccielabcenter.com Page 16

Web: www.ccielabcenter.com / Mail: care@ccielabcenter.com Page 17

Web: www.ccielabcenter.com / Mail: care@ccielabcenter.com Page 18

Web: www.ccielabcenter.com / Mail: care@ccielabcenter.com Page 19