Cisco, Cisco Systems, and CCIE (Cisco Certified Internetwork Expert) are registered
trademarks of Cisco Systems, Inc. and of its affiliates in the USA and other countries.
This workbook is prepared for the individual candidates who have purchased it under a
non-disclosure agreement. Imitation, copying, editing or posting contents of the
workbook over the internet is a violation of copyright and of the non-disclosure
agreement.
QUESTION
Configure the ACME Headquarters network (AS 12345) & New York Office (34567) as per the
following requirements.
SOLUTION
SW1(config)#vtp version 2
SW1(config)#vtp domain CCIE
SW1(config)#vtp password CCIErock$
SW1(config)#vtp mode server
SW1(config)#mac address-table aging-time 7200
SW2(config)#vtp version 2
SW2(config)#vtp domain CCIE
SW2(config)#vtp password CCIErock$
SW2(config)#vtp mode client
SW2(config)#mac address-table aging-time 7200
SW3(config)#vtp version 2
SW3(config)#vtp domain CCIE
SW3(config)#vtp password CCIErock$
SW3(config)#vtp mode transparent
SW4(config)#vtp version 2
SW4(config)#vtp domain CCIE
SW4(config)#vtp password CCIErock$
SW4(config)#vtp mode transparent
VERIFICATION
On SW1
On SW2
On SW3
On SW4
NOTE:
1. The MAC address-table aging-time is 300 by default on SW3 & SW4
2. 2 hours = 7200 seconds
3. VTP password "CCIErock$" (apply this password without the quotes: CCIErock$)
1. Complete the configuration of all VLANs so that all routers that are located in ACME's headquarters
(AS 12345) and New York office (AS 34567) can ping their directly connected neighbors.
2. All four switches (SW1-SW4) must have four dot1q trunks that do not rely on negotiation.
Do NOT configure any EtherChannel.
3. Ensure that the following unused ports on all four switches are shut down and configured as access
ports in VLAN 999
SOLUTION
SW1 ------ Configuration
SW1(config)#vlan 14
SW1(config-vlan)#exit
SW1(config)#vlan 15
SW1(config-vlan)#exit
SW1(config)#vlan 23
SW1(config-vlan)#exit
SW1(config)#vlan 24
SW1(config-vlan)#exit
SW1(config)#vlan 35
SW1(config-vlan)#exit
SW1(config)#vlan 46
SW1(config-vlan)#exit
SW1(config)#vlan 57
SW1(config-vlan)#exit
SW1(config)#vlan 67
SW1(config-vlan)#exit
SW1(config)#vlan 999
SW1(config-vlan)#exit
SW1(config)#
SW3(config)#vlan 34
SW3(config-vlan)#exit
SW3(config)#vlan 38
SW3(config-vlan)#exit
SW3(config)#vlan 49
SW3(config-vlan)#exit
SW3(config)#vlan 89
SW3(config-vlan)#exit
SW3(config)#vlan 111
SW3(config-vlan)#exit
SW3(config)#vlan 310
SW3(config-vlan)#exit
SW3(config)#vlan 411
SW3(config-vlan)#exit
SW3(config)#vlan 999
SW3(config-vlan)#exit
SW3(config)#
VERIFICATION
On SW1
On SW2
On SW3
On SW4
After completing this section, test all the direct connectivity (router-to-router ping).
1. SW1 must be the root switch for all odd VLANs and must be the backup for all even VLANs
2. SW2 must be the root switch for all even VLANs and must be the backup for all odd VLANs
3. SW3 must be the root switch for all odd VLANs and must be the backup for all even VLANs
4. SW4 must be the root switch for all even VLANs and must be the backup for all odd VLANs
5. Explicitly configure the root and backup roles, assuming that other switches with default configuration
may eventually be added to the network in the future
6. All switches must maintain one STP instance per VLAN
7. Use the STP mode that has only 3 possible port states.
8. All access ports must immediately transition to the forwarding state upon link up and they must still
participate in STP. Use a single command per switch to enable this
9. Access ports must automatically shut down if they receive any BPDU and an administrator must still
manually re-enable the port. Use a single command per switch to enable this feature.
SOLUTION
SW1 ------ Configuration
VERIFICATION
On SW1
On SW2
On SW3
On SW4
QUESTION
Configure WAN Connectivity as per the following requirements
1. The WAN links must rely on a layer 2 protocol that supports link negotiation and authentication.
2. The service provider expects both R18 and R19 to complete the three-way handshake by providing the
expected response to a challenge that is sent by R63
3. R18 must use the username ACME-R18 and password CCIE
4. R19 must use the username ACME-R19 and password CCIE
SOLUTION
R18 ------ Configuration
VERIFICATION
On R18
On R19
QUESTION
Configure OSPFv2 area 0 in ACME HQ (AS12345) according to the following requirements
1. Configure the OSPF process id to 12345 and set the router id to interface loopback 0 on all seven routers
2. The interface loopback 0 at each router must be seen as an internal OSPF prefix by all other routers
3. Ensure that OSPF is not running on any interface that is facing another AS. Use any method to
accomplish this requirement.
4. SW1 and SW2 must not participate in routing at all
5. Do not change the default OSPF cost of any interface in AS12345
6. R1 must see the following OSPF routes in the routing table
SOLUTION
R1 ------ Configuration
R2 ------ Configuration
R3 ------ Configuration
R4 ------ Configuration
R5 ------ Configuration
R6 ------ Configuration
R7 ------ Configuration
VERIFICATION
On R1
Configure EIGRP for ipv4 in the New York office (AS34567) according to the following requirements
Vlan 411
Interface loopback0 at SW4
Interface loopback0 at R11
5. Using a single command on one switch only, ensure that R9 installs two equal-cost routes for the
following three paths
Vlan 310
Interface loopback0 at SW3
Interface loopback0 at R10
SOLUTION
R8 ------ Configuration
R9 ------ Configuration
SW3(config)#interface vlan 34
SW3(config-if)#delay 100
SW4(config)#interface vlan 34
SW4(config-if)#delay 100
VERIFICATION
On R8
On R9
SOLUTION
R15 ------ Configuration
SW5(config)#Vlan 5
SW5(config)#Vlan 55
SW6(config)#Vlan 6
SW6(config)#Vlan 66
VERIFICATION
On R15
On R16
On R17
On SW5
On SW6
On R17
Interface tunnel 0
no ip redirects
Ip address 123.20.1.25 255.255.255.248
tunnel source ethernet 0/0
tunnel mode gre multipoint
On R18
Interface tunnel 0
no ip redirects
Ip address 123.20.1.26 255.255.255.248
tunnel source Serial1/0
tunnel mode gre multipoint
On R19
Interface tunnel 0
no ip redirects
Ip address 123.20.1.27 255.255.255.248
tunnel source Serial1/0
tunnel mode gre multipoint
SOLUTION
R17 ------ Configuration
VERIFICATION
On R17
On R18
On R19
After completing section 3.3 (DMVPN) you will get the above result
Configure the IBGP in ACME’s headquarters (AS 12345) according to the following requirements.
Configure EBGP between ACME's San Francisco and San Jose sites according to the following requirements
6. R20 is the CE router and uses EBGP to connect to the managed services that are provided by the PE
routers R2 and R3
7. R20 must establish separate EBGP peering with both R2 and R3 for every VRF
8. R20 must advertise the following prefix to all of its BGP peers
123.0.0.0/8 summary-only
10.0.0.0/8 summary-only
9. R20 must advertise a default route to all of its BGP peers except 10.120.99.1 and 10.120.99.5
SOLUTION
For IBGP
R1 ------ Configuration
R1(config-router)#address-family ipv4
R1(config-router-af)#neighbor IBGP route-reflector-client
R1(config-router-af)#neighbor 123.2.2.2 activate
R1(config-router-af)#neighbor 123.3.3.3 activate
R1(config-router-af)#neighbor 123.6.6.6 activate
R1(config-router-af)#neighbor 123.7.7.7 activate
R1(config-router-af)#exit-address-family
R1(config-router)#exit
R1(config)#
R2 ------ Configuration
R2(config-router)#address-family ipv4
R2(config-router-af)#neighbor 123.1.1.1 activate
R2(config-router-af)#exit-address-family
R2(config-router)#exit
R2(config)#
R3 ------ Configuration
R3(config-router)#address-family ipv4
R3(config-router-af)#neighbor 123.1.1.1 activate
R3(config-router-af)#exit-address-family
R3(config-router)#exit
R3(config)#
R6 ------ Configuration
R6(config-router)#address-family ipv4
R6(config-router-af)#neighbor 123.1.1.1 activate
R6(config-router-af)#exit-address-family
R6(config-router)#exit
R6(config)#
R7 ------ Configuration
R7(config-router)#address-family ipv4
R7(config-router-af)#neighbor 123.1.1.1 activate
R7(config-router-af)#exit-address-family
R7(config-router)#exit
R7(config)#
For EBGP
R2 ------ Configuration
On R3 ------ Configuration
VERIFICATION
For IBGP
On R1
For EBGP
On R2
On R3
On R20
QUESTION
1. SW3 and SW4 must not establish any BGP session at any time
2. All four BGP routers must use their interface loopback0 as their BGP router-id
3. Disable the default IPv4 unicast address family for peering session establishment in all BGP routers
4. Configure full-mesh IBGP peering between all four routers; use any configuration method
5. R9 must be selected as the preferred exit point for traffic destined to remote ASes
6. R11 must be selected as the next preferred exit point in case R9 fails
7. No BGP speaker in AS 34567 may use the network statement under the BGP router configuration.
8. Ensure that a BGP next hop is never marked as unreachable as long as interface loopback0 of
the remote peer is known via IGP
9. All four BGP routers must establish EBGP peering with their neighboring AS as shown in diagram 3
(BGP topology)
10. All four BGP routers must redistribute EIGRP into BGP
11. R9 and R11 must redistribute only the BGP default route into EIGRP
12. Ensure that R9 is the only router that sees the default as a BGP route and that all other routers
(R8, R10, R11) see it as an EIGRP external route.
SOLUTION
For IBGP
R8 ------ Configuration
R8(config-router)#address-family ipv4
R8(config-router-af)#neighbor 123.9.9.9 activate
R8(config-router-af)#neighbor 123.9.9.9 next-hop-self
R8(config-router-af)#neighbor 123.10.10.10 activate
R8(config-router-af)#neighbor 123.10.10.10 next-hop-self
R8(config-router-af)#neighbor 123.11.11.11 activate
R8(config-router-af)#neighbor 123.11.11.11 next-hop-self
R8(config-router-af)#exit-address-family
R8(config-router)#exit
R8(config)#
R9 ------ Configuration
R9(config-router)#address-family ipv4
R9(config-router-af)#neighbor 123.8.8.8 activate
R9(config-router-af)#neighbor 123.8.8.8 next-hop-self
R9(config-router-af)#neighbor 123.10.10.10 activate
R9(config-router-af)#neighbor 123.10.10.10 next-hop-self
R9(config-router-af)#neighbor 123.11.11.11 activate
R9(config-router-af)#neighbor 123.11.11.11 next-hop-self
R9(config-router-af)#exit-address-family
R9(config-router)#exit
R9(config)#
R10(config-router)#address-family ipv4
R10(config-router-af)#neighbor 123.8.8.8 activate
R10(config-router-af)#neighbor 123.8.8.8 next-hop-self
R10(config-router-af)#neighbor 123.9.9.9 activate
R10(config-router-af)#neighbor 123.9.9.9 next-hop-self
R10(config-router-af)#neighbor 123.11.11.11 activate
R10(config-router-af)#neighbor 123.11.11.11 next-hop-self
R10(config-router-af)#exit-address-family
R10(config-router)#exit
R10(config)#
R11(config-router)#address-family ipv4
R11(config-router-af)#neighbor 123.8.8.8 activate
R11(config-router-af)#neighbor 123.8.8.8 next-hop-self
R11(config-router-af)#neighbor 123.9.9.9 activate
R11(config-router-af)#neighbor 123.9.9.9 next-hop-self
R11(config-router-af)#neighbor 123.10.10.10 activate
R11(config-router-af)#neighbor 123.10.10.10 next-hop-self
R11(config-router-af)#exit-address-family
R11(config-router)#exit
R11(config)#
For EBGP
R8 ------ Configuration
R8(config-router)#address-family ipv4
R8(config-router-af)#neighbor 101.1.34.1 activate
R8(config-router-af)#redistribute eigrp 34567
R8(config-router-af)#exit-address-family
R8(config-router)#exit
R8(config)#
R9 ------ Configuration
R9(config-router)#address-family ipv4
R9(config-router-af)#neighbor 102.2.34.1 activate
R9(config-router-af)#neighbor 33.34.4.1 activate
R9(config-router-af)#redistribute eigrp 34567
R9(config-router-af)#neighbor 33.34.4.1 route-map DEFAULT in
R9(config-router-af)#exit-address-family
R9(config-router)#exit
R9(config)#
R9(config)#route-map DEFAULT
R9(config-route-map)#match ip address prefix-list DEFAULT
R9(config-route-map)#exit
R9(config)#
R10(config-router)#address-family ipv4
R10(config-router-af)#neighbor 201.1.34.1 activate
R10(config-router-af)#redistribute eigrp 34567
R10(config-router-af)#exit-address-family
R10(config-router)#exit
R10(config)#
R11(config-router)#address-family ipv4
R11(config-router-af)#neighbor 33.34.3.1 activate
R11(config-router-af)#neighbor 202.2.34.1 activate
R11(config-router-af)#redistribute eigrp 34567
R11(config-router-af)#exit-address-family
R11(config-router)#exit
R11(config)#
R11(config)#route-map DEFAULT
R11(config-route-map)#match ip address prefix-list DEFAULT
R11(config-route-map)#exit
R11(config)#
VERIFICATION
On R8
On R9
On R10
On R11
On R8
QUESTION
Configure EBGP in ACME's APAC region (AS 45678 and AS 65222) according to the following
requirements.
Refer to "Diagram 3: BGP routing"
1. SW5 and SW6 must not establish any BGP session at any time.
2. All BGP routers must use their interface loopback0 as the BGP router-id.
3. No IBGP peering sessions are allowed in AS 45678.
4. R15 must establish an EBGP peering with AS 10003 and must receive a default route as well as other
prefixes.
5. R15 must redistribute BGP into EIGRP and vice versa.
6. R15 must also advertise an aggregate prefix for 123.20.1.0/24 to AS 10003 and must suppress all
component prefixes.
7. R16, R17, R18 and R19 must establish an EBGP peering with AS 20003 and must receive a default route as
well as other prefixes.
8. R16, R17, R18 and R19 must not advertise any prefix to AS 20003.
9. As long as R15 is operational, R16, R17, R18 and R19 must prefer the EIGRP default route over the EBGP
default route.
10. Do not create any VRF anywhere in order to accomplish the above requirements.
SOLUTION
R15 ------ Configuration
VERIFICATION
On R15
On R16
On R17
On R18
On R19
QUESTION
1. All ACME border routers in AS 12345 must filter the BGP prefixes that are advertised to their SP in VRF
INET and must allow all prefixes that belong to class A 123.0.0.0/8, and all other VRFs must propagate
all prefixes
2. All ACME border routers in AS 34567 must filter the BGP prefixes that are advertised to their SP and
must allow only prefixes that belong to the class A 123.0.0.0/8
3. Do not use any route-map or access-list to accomplish the above requirements
4. R13 must route traffic preferably via AS 20002; use any method to accomplish this requirement
5. All three remote sites in AS 65111 must be able to ping 1.2.3.4 and traceroute must reveal the exact
same path as shown in the following output
SOLUTION
R2 ------ Configuration
R3 ------ Configuration
R6 ------ Configuration
R7 ------ Configuration
R8 ------ Configuration
R9 ------ Configuration
VERIFICATION
On R12
After completing section 3.1 & 3.2 (MPLS), you will get the above result
QUESTION
Configure OSPFv3 in the ACME New York office as per the following requirements.
1. Configure the OSPF process id 1 and set the router-id as interface loopback0
2. SW4 must be selected as the designated router on VLAN 34 and must have the best chance.
3. SW3 must be selected as the back-up designated router on VLAN 34 and must take over the
designated router if Switch4 is down.
SOLUTION
SW3(config)#ipv6 unicast-routing
SW3(config)#ipv6 router ospf 1
SW3(config-rtr)#router-id 123.33.33.33
SW3(config-rtr)#exit
SW3(config)#
SW3(config)#interface loopback 0
SW3(config-if)#ipv6 ospf 1 area 0
SW3(config-if)#exit
SW3(config)#
SW3(config)#interface vlan 34
SW3(config-if)#ipv6 ospf 1 area 0
SW3(config-if)#ipv6 ospf priority 254
SW3(config-if)#exit
SW3(config)#
SW4(config)#ipv6 unicast-routing
SW4(config)#Ipv6 router ospf 1
SW4(config-rtr)#Router-id 123.44.44.44
SW4(config-rtr)#exit
SW4(config)#
SW4(config)#Interface loopback 0
SW4(config-if)#Ipv6 ospf 1 area 0
SW4(config-if)#exit
SW4(config)#
SW4(config)#Interface vlan 34
SW4(config-if)#Ipv6 ospf 1 area 0
SW4(config-if)#Ipv6 ospf priority 255
SW4(config-if)#exit
SW4(config)#
R10(config)#ipv6 unicast-routing
R10(config)#Ipv6 router ospf 1
R10(config-rtr)#Router-id 123.10.10.10
R10(config-rtr)#exit
R10(config)#
R10(config)#Interface ethernet0/1
R10(config-if)#Ipv6 ospf 1 area 10
R10(config-if)#exit
R10(config)#
R10(config)#Interface loopback 0
R10(config-if)#Ipv6 ospf 1 area 10
R10(config-if)#exit
R10(config)#
R11(config)#ipv6 unicast-routing
R11(config)#Ipv6 router ospf 1
R11(config-rtr)#Router-id 123.11.11.11
R11(config-rtr)#exit
R11(config)#
R11(config)#Interface ethernet0/2
R11(config-if)#Ipv6 ospf 1 area 11
R11(config-if)#exit
R11(config)#
R11(config)#Interface loopback 0
R11(config-if)#Ipv6 ospf 1 area 11
R11(config-if)#exit
R11(config)#
VERIFICATION
On R10
On R11
On SW3
On SW4
QUESTION
SOLUTION
R10 ------ Configuration
VERIFICATION
On R12
On R14
QUESTION
Assume that the streaming server is connected in VLAN 5 on SW5 and the receivers are located at the DMVPN
spokes R18 and R19
Configure the ACME network as per the following requirements
1. Only network segments with active receivers that explicitly require the data must receive the multicast
traffic
2. Interface loopback0 of R15 must be configured as RP
3. Use a standard method of dynamically distributing the RP
4. Both R16 and R17 must participate in the multicast routing
5. For testing purposes, configure interface ethernet0/0 of both R18 and R19 to join group 232.1.1.1
SOLUTION
R15 ------ Configuration
R15(config)#ip multicast-routing
R15(config)#interface loopback 0
R15(config-if)#ip pim sparse-mode
R15(config-if)#exit
R15(config)#
SW5(config)#ip multicast-routing
SW5(config)#int vlan 5
SW5(config-if)#ip pim sparse-mode
SW5(config-if)#exit
SW5(config)#
SW5(config)#int vlan 55
SW5(config-if)#ip pim sparse-mode
SW5(config-if)#exit
SW5(config)#
SW6(config)#ip multicast-routing
SW6(config)#interface vlan 66
SW6(config-if)#ip pim sparse-mode
SW6(config-if)#exit
SW6(config)#
SW6(config)#interface vlan 6
SW6(config-if)#ip pim sparse-mode
SW6(config-if)#exit
SW6(config)#
R16(config)#ip multicast-routing
R17(config)#ip multicast-routing
R17(config)#interface tunnel 0
R17(config-if)#ip pim sparse-mode
R17(config-if)#exit
R17(config)#
R18(config)#ip multicast-routing
R18(config)#interface tunnel 0
R18(config-if)#ip pim sparse-mode
R18(config-if)#exit
R18(config)#
R19(config)#ip multicast-routing
R19(config)#interface tunnel 0
R19(config-if)#ip pim sparse-mode
R19(config-if)#exit
R19(config)#
VERIFICATION
On R15
On R16
On R17
On R18
On R19
On SW5
On SW6
After completing section 3.3 (DMVPN), you will get the above result
QUESTION
The ACME HQ network (AS12345) uses MPLS L3VPN in order to clearly separate remote site
networks
The ACME corporate security policies are centralized and enforced at the San Jose site
(AS 65112) for all remote sites. The policies require that all traffic that is originated from
any remote sites (with the exception of New York office)
Configure MPLS L3 VPN in the ACME network according to the following requirements
SOLUTION
R1 ------ Configuration
R2 ------ Configuration
R3 ------ Configuration
R4 ------ Configuration
R5 ------ Configuration
R6 ------ Configuration
R7 ------ Configuration
VERIFICATION
On R1
On R2
On R3
On R4
On R5
On R6
On R7
QUESTION
Refer to "Diagram 3: BGP topology" and "Diagram 4: VPN technologies"
The global and regional service providers have agreed to transport the ACME VPN via PE to PE EBGP
peering that are already preconfigured.
Complete all the configuration of MPLS L3 VPN in the ACME network according to the following
requirements
GREEN
BLUE
RED
YELLOW
INET
3. R6 must establish an EBGP peering with the regional SP (AS 20001) for the following VRFs
GREEN
BLUE
INET
4. R7 must establish an EBGP peering with the regional SP (AS 20002) for the following VRFs
BLUE
RED
INET
5. All ip address used for EBGP peering must pass the BGP's directly connected check
6. No BGP speaker in AS 12345 may use the network or redistribute statement under any address-family of
the BGP router configuration
7. At the end of the exam scenario the interface ethernet 0/0 of the gateway router in any remote site
must be able to connect to the interface ethernet 0/0 of any other remote gateway that belongs to AS
65111 or AS 65222
SOLUTION
R1 ------ Configuration
R2 ------ Configuration
R3 ------ Configuration
R6 ------ Configuration
R7 ------ Configuration
R2 ------ Configuration
R3 ------ Configuration
R6 ------ Configuration
R7 ------ Configuration
VERIFICATION
On R12
On R2
On R3
On R6
On R7
QUESTION
Configure DMVPN phase 3 in the ACME APAC region (AS 45678 and 65222) as per the following
requirements
1. Use the preconfigured interface tunnel 0 on all the three routers in order to accomplish this task
2. R17 must be configured as the hub router
3. R18 and R19 must be the spoke routers and must participate in the NHRP information exchange
4. Disable the sending of ICMP redirect messages on all three tunnel 0 interfaces
5. Configure the following parameters on all the three tunnel 0 interfaces
SOLUTION
R17(config)#interface tunnel 0
R17(config-if)#bandwidth 1000
R17(config-if)#no ip redirects
R17(config-if)#ip mtu 1400
R17(config-if)#ip nhrp authentication 45678key
R17(config-if)#ip nhrp map multicast dynamic
R17(config-if)#ip nhrp network-id 45678
R17(config-if)#ip nhrp holdtime 300
R17(config-if)#ip tcp adjust-mss 1380
R17(config-if)#delay 1000
R17(config-if)#ip nhrp redirect
R17(config-if)#exit
R17(config)#
R18(config)#interface tunnel 0
R18(config-if)#bandwidth 1000
R18(config-if)#no ip redirects
R18(config-if)#ip mtu 1400
R18(config-if)#ip nhrp authentication 45678key
R18(config-if)#ip nhrp network-id 45678
R18(config-if)#ip nhrp holdtime 300
R18(config-if)#ip tcp adjust-mss 1380
R18(config-if)#delay 1000
R18(config-if)#ip nhrp nhs 123.20.1.25
R18(config-if)#ip nhrp map 123.20.1.25 203.3.17.2
R18(config-if)#ip nhrp map multicast 203.3.17.2
R18(config-if)#ip nhrp shortcut
R18(config-if)#exit
R18(config)#
R19(config)#Interface Tunnel 0
R19(config-if)#bandwidth 1000
R19(config-if)#no ip redirects
R19(config-if)#ip mtu 1400
R19(config-if)#ip nhrp authentication 45678key
R19(config-if)#ip nhrp network-id 45678
R19(config-if)#ip nhrp holdtime 300
R19(config-if)#ip tcp adjust-mss 1380
R19(config-if)#delay 1000
R19(config-if)#ip nhrp nhs 123.20.1.25
R19(config-if)#ip nhrp map 123.20.1.25 203.3.17.2
R19(config-if)#ip nhrp map multicast 203.3.17.2
R19(config-if)#ip nhrp shortcut
R19(config-if)#exit
R19(config)#
VERIFICATION
On R17
On R18
On R19
QUESTION
Secure the DMVPN tunnel using IPSEC according to the following requirements
SOLUTION
For Phase 1
R17 ------ Configuration
For Phase 2
R17 ------ Configuration
R17(config)#interface tunnel 0
R17(config-if)#tunnel protection ipsec profile DMVPNPROFILE
R17(config-if)#exit
R17(config)#
R18(config)#interface tunnel 0
R18(config-if)#tunnel protection ipsec profile DMVPNPROFILE
R18(config-if)#exit
R18(config)#
R19(config)#interface tunnel 0
R19(config-if)#tunnel protection ipsec profile DMVPNPROFILE
R19(config-if)#exit
R19(config)#
VERIFICATION
On R17
On R18
On R19
QUESTION
Configure R20 in the ACME San Jose office as per the following
1. All users who connect to R20 via the console port or via any of VTY lines using SSH must be prompted
with the below message before any other prompt is displayed
2. Do not include any extra spaces or any other characters as the ones shown above
SOLUTION
R20(config)#banner motd *
WARNING! ACCESS RESTRICTED!* ----> Copy Paste this statement from question to avoid spaces
R20(config)#
R20(config)#banner login *
WARNING! ACCESS RESTRICTED!* ----> Copy Paste this statement from question to avoid spaces
R20(config)#line vty 0 4
R20(config-line)#no motd-banner
R20(config-line)#exit
R20(config)#exit
R20#quit
NOTE: After "WARNING! ACCESS RESTRICTED!" do not press Enter or add a space. You can use the * symbol, the
Return key, or type "m" to exit.
VERIFICATION
On R20
QUESTION
1. Ensure that interfaces ethernet 0/0, ethernet 0/1, ethernet 0/2 and ethernet 0/3 of SW3 forward traffic
that was sent from expected and legitimate hosts and servers.
2. SW3 must dynamically learn only one MAC address per port and must save the MAC address in its startup
configuration
3. SW3 must shut down the port if a security violation occurs on any of these four ports
SOLUTION
SW3 ------ Configuration
VERIFICATION
On SW3
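An added example, not part of the workbook: a Python check that reads a running-config and reports, for each of the four SW3 ports named in the requirements, whether port security is enabled, sticky, limited to one address and set to shut down on violation. The sample config, its MAC address and the function names are constructed for illustration; `maximum 1` and `violation shutdown` count as satisfied when absent, because IOS omits default values from the running-config.

```python
REQUIRED_PORTS = ["Ethernet0/0", "Ethernet0/1", "Ethernet0/2", "Ethernet0/3"]
PS = "switchport port-security"

# Constructed running-config excerpt with one compliant port and three mistakes.
SW3_RUNNING = """\
interface Ethernet0/0
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky aabb.cc00.0100
!
interface Ethernet0/1
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address sticky
!
interface Ethernet0/2
 switchport mode access
 switchport port-security violation restrict
 switchport port-security
 switchport port-security mac-address sticky
!
interface Ethernet0/3
 switchport mode access
 switchport port-security mac-address sticky
!
"""


def stanzas(config):
    """Map each interface name to the list of its indented sub-commands."""
    out, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = out.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith(" ") and cur is not None:
            cur.append(line.strip())
        else:
            cur = None  # "!" or any global command closes the stanza
    return out


def audit_port_security(config, ports=REQUIRED_PORTS):
    """Return {port: [problem codes]}; an empty list means compliant."""
    found = stanzas(config)
    report = {}
    for port in ports:
        cmds = found.get(port)
        if cmds is None:
            report[port] = ["missing-stanza"]
            continue
        # Everything after the "switchport port-security" keyword, per line.
        opts = [c[len(PS):].strip() for c in cmds if c.startswith(PS)]
        problems = []
        if "switchport mode access" not in cmds:
            problems.append("not-static-access")
        # Sub-options alone do not enable the feature; the bare command does.
        if "" not in opts:
            problems.append("port-security-disabled")
        if "mac-address sticky" not in opts:
            problems.append("sticky-off")
        # Defaults (maximum 1, violation shutdown) never appear in the config.
        maximum = next((int(o.split()[1]) for o in opts
                        if o.startswith("maximum ")), 1)
        if maximum != 1:
            problems.append("maximum-%d" % maximum)
        violation = next((o.split()[1] for o in opts
                          if o.startswith("violation ")), "shutdown")
        if violation != "shutdown":
            problems.append("violation-" + violation)
        report[port] = problems
    return report
```

Sticky addresses are written to the running configuration only; they reach the startup configuration when the running configuration is saved.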
QUESTION
Configure R20 in the ACME San Jose office as per the following requirements
SOLUTION
R20(config)#service linenumber
R20(config)#username test password test
R20(config)#ip domain-name acme.org
R20(config)#crypto key generate rsa
How many bits in the modulus [512]: 1024
R20(config)#line vty 0 4
R20(config-line)#access-class 1 in
R20(config-line)#login local
R20(config-line)#transport input ssh
R20(config-line)#privilege level 1
R20(config-line)#exit
R20(config)#
VERIFICATION
On R10
On R20
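An added example, not part of the workbook: a Python audit of the R20 SSH/VTY session above that flags settings a production review would question (a `password` user instead of `secret`, an RSA modulus below an assumed 2048-bit policy floor, an `access-class` whose ACL is not defined in the audited text, and no explicit `ip ssh version 2`). The hardened variant, its user name, placeholder secret and ACL subnet are constructed for illustration, as are the function and finding names.

```python
import re

# Constructed input: the R20 session as this section shows it.
PAGE_SESSION = """\
R20(config)#service linenumber
R20(config)#username test password test
R20(config)#ip domain-name acme.org
R20(config)#crypto key generate rsa
How many bits in the modulus [512]: 1024
R20(config)#line vty 0 4
R20(config-line)#access-class 1 in
R20(config-line)#login local
R20(config-line)#transport input ssh
R20(config-line)#privilege level 1
R20(config-line)#exit
"""

# Constructed hardened variant (user name, secret and ACL subnet are made up).
HARDENED = """\
username netops secret EXAMPLE-PLACEHOLDER
ip domain-name acme.org
crypto key generate rsa modulus 2048
ip ssh version 2
access-list 1 permit 10.1.0.0 0.0.255.255
line vty 0 4
 access-class 1 in
 login local
 transport input ssh
"""

PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")  # e.g. "R20(config-line)#"
USER_PW = re.compile(r"^username (\S+)(?: privilege \d+)? password\b", re.I)
RSA_BITS = re.compile(r"modulus(?: \[\d+\]:)? *(\d+)", re.I)
ACL_DEF = re.compile(r"^(?:ip access-list standard|access-list) (\S+)", re.I)
ACL_USE = re.compile(r"^access-class (\S+) in\b", re.I)


def audit_ssh(session, min_bits=2048):
    """Return finding codes; min_bits is an assumed policy floor."""
    findings, defined, used = [], set(), []
    ssh_v2 = in_vty = vty_seen = False
    transports = set()
    for raw in session.splitlines():
        cmd = PROMPT.sub("", raw).strip()
        low = cmd.lower()
        if low.startswith("line "):
            in_vty = low.startswith("line vty")
            vty_seen = vty_seen or in_vty
        elif low in ("exit", "end", "!"):
            in_vty = False
        elif low == "ip ssh version 2":
            ssh_v2 = True
        elif USER_PW.match(cmd):
            # "password" is stored cleartext or as reversible type 7.
            findings.append("plaintext-user:" + USER_PW.match(cmd).group(1))
        elif RSA_BITS.search(cmd):
            bits = int(RSA_BITS.search(cmd).group(1))
            if bits < min_bits:
                findings.append("weak-rsa:%d" % bits)
        elif ACL_DEF.match(cmd):
            defined.add(ACL_DEF.match(cmd).group(1))
        elif in_vty and ACL_USE.match(cmd):
            used.append(ACL_USE.match(cmd).group(1))
        elif in_vty and low.startswith("transport input "):
            transports = set(low.split()[2:])
    # An access-class naming an ACL absent from the audited text is a
    # restriction this audit cannot confirm.
    findings += ["undefined-acl:" + a for a in used if a not in defined]
    if not ssh_v2:
        findings.append("ssh-version-not-pinned")
    if vty_seen and transports != {"ssh"}:
        findings.append("vty-not-ssh-only")
    return findings
```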
QUESTION
Refer to "Diagram 1: Main Topology"
1. R20 must enable all private corporate traffic that is originated from any host with source ip address
10.1.0.0/16 or 10.2.0.0/16 to connect to any public destination that is located in AS 34567 or in any
source
2. All remote sites in AS 65111 and 65222 must be able to connect to these public destinations
3. R20 must swap the source ip address in these packets with the ip address of its interface loopback0
4. R20 must allow multiple concurrent connections
5. Use a standard ACL to accomplish the above requirements
SOLUTION
R20 ------ Configuration
R20(config)#interface loopback 0
R20(config-if)#ip nat outside
R20(config-if)#exit
R20(config)#
VERIFICATION
On R12
On R20
QUESTION
1. The output shown below must be seen on R17 during 10 sec after R15 successfully pings interface
loopback 0 of R19
SOLUTION
R17 ------ Configuration
R17(config)#interface tunnel 0
R17(config-if)#ip flow egress
R17(config-if)#exit
VERIFICATION
On R15
On R17
QUESTION
Configure ACME as per the following requirements
All NTP traffic must be sourced and destined to interface loopback 0 of the
corresponding devices
SOLUTION
SW3 ------ Configuration
SW3(config)#ntp master
SW3(config)#ntp source loopback 0
SW3(config)#interface loopback 0
SW3(config-if)#ntp disable ip
SW3(config-if)#exit
SW3(config)#
R10(config)#Interface loopback 0
R10(config-if)#Ntp disable ip
R10(config-if)#exit
R10(config)#
R12(config)#Interface loopback 0
R12(config-if)#Ntp disable ip
R12(config-if)#exit
R12(config)#
VERIFICATION
On SW3
On R10
On R12