- LearnITPro.Net - Together We … R&S LAB – C 2/A5 (Jacob’s & Jameson’s) Page 5 of 35 Created...
Transcript of - LearnITPro.Net - Together We … R&S LAB – C 2/A5 (Jacob’s & Jameson’s) Page 5 of 35 Created...
CCIE R&S LAB – CFG H2/A5 (Jacob’s & Jameson’s)
Page 1 of 35 Created by John Brown, 19.02.2016
Contents Section 1 – Layer 2 Technologies .................................................................................................................. 2
1.1 Jameson’s Datacenter: Access port..................................................................................................... 2
1.2 Jameson’s Datacenter: Trunk ports .................................................................................................... 4
1.3 Jameson’s Datacenter: Link bundling .................................................................................................. 5
1.4 Jameson’s Branch Offices .................................................................................................................... 6
Section 2 – Layer 3 Technologies .................................................................................................................. 8
2.1 Jameson’s IGP, part 1 .......................................................................................................................... 8
2.2 Jameson’s IGP, part 2 ........................................................................................................................ 10
2.3 Jacob’s IGP ......................................................................................................................................... 12
2.4 Jameson’s Pre‐merge ........................................................................................................................ 14
2.5 Jacob’s Pre‐merge ............................................................................................................................. 16
2.6 Merge phase 1: BGP .......................................................................................................................... 17
2.7 Merge phase 2: IGP ........................................................................................................................... 18
2.8 Merge phase 2: Routing Policies ....................................................................................................... 19
2.9 IPv6 Routing, part 1 ........................................................................................................................... 20
2.10 IPv6 Routing, part 2 ......................................................................................................................... 21
2.11 Multicast in Jameson’s .................................................................................................................... 22
Section 3 – VPN Technologies ..................................................................................................................... 23
3.1 Jameson’s Branch Offices .................................................................................................................. 23
3.2 Jameson’s Pre‐merge VPN ................................................................................................................ 24
3.3 Merge phase 2: VPN .......................................................................................................................... 27
3.4 Inter‐VPN Routing ............................................................................................................................. 29
Section 4 – Infrastructure Security .............................................................................................................. 30
4.1 Device Security .................................................................................................................................. 30
4.2 Network Security ............................................................................................................................... 31
Section 5 – Infrastructure Services.............................................................................................................. 32
5.1 Centralized DHCP .............................................................................................................................. 32
5.2 Internet Gateway .............................................................................................................................. 33
5.3 First hop redundancy ........................................................................................................................ 34
5.4 Tracking reachability ......................................................................................................................... 35
www.itstu
dygr
oup.
org
CCIE R&S LAB – CFG H2/A5 (Jacob’s & Jameson’s)
Page 2 of 35 Created by John Brown, 19.02.2016
Section 1 – Layer 2 Technologies
1.1 Jameson’s Datacenter: Access port There has been pre‐configured in Jameson’s Datacenter. SW3 is the server and the other three
switches are clients. Do not modify this configuration. Some other configuration was already started
but it is your responsibility to verify and complete them.
Configure all four switches in Jameson’s datacenter network (AS 65002) as per the following
requirements:
All unused ports must be configured in VLAN 999 and administratively shutdown. Refer to
“Table 1: Jameson’s VLAN to Port Mapping” to figure out which ports are used and unused.
Access‐ports must immediately transition to the forwarding state upon link up, as long as
they do not receive a BPDU. Use a unique command per switch to enable this feature.
If an access‐port received a BPDU, it must automatically shutdown, generate a syslog and a
SNMP trap (to solve this issue add. Use a unique command per switch to enable to this
feature.
Ports that were shutdown must always rely on a manual intervention to recover.
VLAN 911 (10.2.100.X/24) will be used as the management VLAN in Jameson’s datacenter.
Ensure that all datacenter switches are able to ping each other IP address in the
management VLAN.
SW5 and SW6 are low‐end access switches and they do not have much processing power.
Ensure that their only Layer 3 interfaces are Loopback0 and VLAN 911.
SW3 and SW4 are robust and powerful distribution switches. Ensure that they maintain a
Layer 3 interface for all local VLANs as well as all access VLANs, as specified in “Table 1:
Jameson’s VLAN to Port Mapping”.
Answers:
SW3
vtp domain CCIE
vtp mode server
vlan 999,911,34,100,153,173,156,164,184
interface e0/0
switchport mode access
switchport access vlan 173
interface e0/1
switchport mode access
switchport access vlan 156
interface e1/0
switchport mode access
switchport access vlan 153
interface range e0/2 - 3, e1/1 - 3, e3/2 - 3
switchport mode access
switchport access vlan 999
shutdown
spanning-tree portfast edge default
spanning-tree portfast edge bpduguard default
snmp-server enable traps syslog
SW4
vtp domain CCIE
vtp mode client
interface e0/0
switchport mode access
switchport access vlan 184
interface e0/1
switchport mode access
switchport access vlan 156
www.itstu
dygr
oup.
org
CCIE R&S LAB – CFG H2/A5 (Jacob’s & Jameson’s)
Page 3 of 35 Created by John Brown, 19.02.2016
interface range e0/2 - 3, e1/1 - 3, e3/2 - 3
switchport mode access
switchport access vlan 999
shutdown
interface e1/0
switchport mode access
switchport access vlan 164
spanning-tree portfast edge default
spanning-tree portfast edge bpduguard default
snmp-server enable traps syslog
SW5
vtp domain CCIE
vtp mode client
interface range e0/0, e1/0 - 3
switchport mode access
switchport access vlan 999
shutdown
interface range e0/1 - 3
switchport mode access
switchport access vlan 100
spanning-tree portfast edge default
spanning-tree portfast edge bpduguard default
snmp-server enable traps syslog
SW6
vtp domain CCIE
vtp mode client
interface range e0/0, e1/0 - 3
switchport mode access
switchport access vlan 999
shutdown
interface range e0/1 - 3
switchport mode access
switchport access vlan 100
spanning-tree portfast edge default
spanning-tree portfast edge bpduguard default
snmp-server enable traps syslog
www.itstu
dygr
oup.
org
CCIE R&S LAB – CFG H2/A5 (Jacob’s & Jameson’s)
Page 4 of 35 Created by John Brown, 19.02.2016
1.2 Jameson’s Datacenter: Trunk ports Refer to “Diagram 1: Jameson’s Layer 2 Connections” and “Table 1: Jameson’s VLAN to Port
Mapping”.
Configure Jameson’s datacenter network (AS 65002) as per the following requirements:
All inter‐switch links must be configured to use dot1q encapsulation.
Ensure that no switch attempt to negotiate the trunk parameters.
Ensure that all four switches send and receive untagged frames on VLAN 1.
All four switches must maintain a separate Spanning‐tree instance for each VLAN.
Spanning‐tree must immediately delete dynamically learned MAC address entries on a per‐
port basis upon receiving a topology change.
SW3 must be the root switch for all VLANs. SW4 must be the backup root switch for all
VLANs. Ensure that they both have the best chances of maintaining their respective role
even if any new normal‐range VLAN were to be added in the future.
Answers:
SW5
interface range e2/0 - 3
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
spanning-tree mode rapid-pvst
SW6
interface range e2/0 - 3
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
spanning-tree mode rapid-pvst
SW3
interface range e2/0 - 3, e3/0 - 1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
spanning-tree mode rapid-pvst
spanning-tree vlan 1-4094 priority 0
SW4
interface range e2/0 - 3, e3/0 - 1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
spanning-tree mode rapid-pvst
spanning-tree vlan 1-4094 priority 4096
www.its
tudy
grou
p.or
g
CCIE R&S LAB – CFG H2/A5 (Jacob’s & Jameson’s)
Page 5 of 35 Created by John Brown, 19.02.2016
1.3 Jameson’s Datacenter: Link bundling Refer to “Diagram 1: Jameson’s Layer 2 Connections” and “Diagram 2: Initial Topology”
Configure Jameson’s datacenter network as per the following requirements:
All four switches must bundle trunk ports so that they maintain a single logical link to each
other (excepted between SW5 and SW6), as shown in the “Diagram 2: Initial Topology”.
Ensure that no switch attempt to negotiate which ports should become active in the bundle.
The distribution switches SW3 and SW4 must balance traffic between all members of the
link bundle based on source and destination IP addresses.
The access switches SW5 and SW6 must balance the income traffic (that is originated from
server) between all members of the link bundle based on the servers’ MAC address.
Answers:
SW5
interface po35
interface po45
interface range e2/0 - 1
channel-group 45 mode on
interface range e2/2 - 3
channel-group 35 mode on
port-channel load-balance src-mac
SW6
interface po36
interface po46
interface range e2/0 - 1
channel-group 36 mode on
interface range e2/2 - 3
channel-group 46 mode on
port-channel load-balance src-mac
SW3
interface po34
interface po35
interface po36
interface range e2/0 - 1
channel-group 36 mode on
interface range e2/2 - 3
channel-group 35 mode on
interface range e3/0 - 1
channel-group 34 mode on
port-channel load-balance src-dst-ip
SW4
interface po34
interface po45
interface po46
interface range e2/0 - 1
channel-group 45 mode on
interface range e2/2 - 3
channel-group 46 mode on
interface range e3/0 - 1
channel-group 34 mode on
port-channel load-balance src-dst-ip
www.itstu
dygr
oup.
org
CCIE R&S LAB – CFG H2/A5 (Jacob’s & Jameson’s)
Page 6 of 35 Created by John Brown, 19.02.2016
1.4 Jameson’s Branch Offices Refer to “Diagram 1: Jameson’s Layer 2 Connections”.
Configure interface Ethernet0/0 in Jameson’s branch routers R19, R20 and R21 as per the following
requirements:
The Ethernet WAN links must rely on a Layer 2 protocol that supports link negotiation and
authentication.
The service provider expects that the branch routers complete a three‐way handshake by
providing the expected response of a challenge that is sent by R49.
R19 must use the username “Jamesons‐R19” and password “CCIE” (without quotes).
R20 must use the username “Jamesons‐R20” and password “CCIE” (without quotes).
R21 must use the username “Jamesons‐R21” and password “CCIE” (without quotes).
The interface Eth0/0 of all three routers must receive an IP address from R49.
Ensure that all three routers can ping the IP address of each other’s interface Eth0/0.
You are allowed to configure a single static route in each branch router to achieve the
previous requirement.
Answers:
R19
vrf definition LOCALSP
rd 51:19
address-family ipv4
interface dialer1
vrf forwarding LOCALSP
encapsulation ppp
ppp chap password CCIE
ppp chap hostname Jamesons-R19
ip address negotiated
dialer pool 1
dialer-group 1
interface e0/0
pppoe-client dial-pool-number 1
vrf forwarding LOCALSP
no shutdown
ip route vrf LOCALSP 0.0.0.0 0.0.0.0 192.0.2.1
R20
vrf definition LOCALSP
rd 51:20
address-family ipv4
interface dialer1
vrf forwarding LOCALSP
encapsulation ppp
ppp chap password CCIE
ppp chap hostname Jamesons-R20
ip address negotiated
dialer pool 1
dialer-group 1
interface e0/0
vrf forwarding LOCALSP
www.itstu
dygr
oup.
org
CCIE R&S LAB – CFG H2/A5 (Jacob’s & Jameson’s)
Page 7 of 35 Created by John Brown, 19.02.2016
pppoe-client dial-pool-number 1
no shutdown
ip route vrf LOCALSP 0.0.0.0 0.0.0.0 192.0.2.1
R21
vrf definition LOCALSP
rd 51:21
address-family ipv4
interface dialer1
vrf forwarding LOCALSP
encapsulation ppp
ppp chap password CCIE
ppp chap hostname Jamesons-R21
ip address negotiated
dialer pool 1
dialer-group 1
interface e0/0
vrf forwarding LOCALSP
pppoe-client dial-pool-number 1
no shutdown
ip route vrf LOCALSP 0.0.0.0 0.0.0.0 192.0.2.1
www.itstu
dygr
oup.
org
CCIE R&S LAB – CFG H2/A5 (Jacob’s & Jameson’s)
Page 8 of 35 Created by John Brown, 19.02.2016
Section 2 – Layer 3 Technologies
2.1 Jameson’s IGP, part 1 Refer to “Diagram 2: Initial Topology”.
The configuration was already started. It is your responsibility to complete and verify all
requirements.
Configure Jameson’s network (AS 65001 and AS 65002) according to the following requirements:
Ensure that all routers use their interface Lo0 as OSPF router‐id.
Ensure that OSPF is not running on any interface that is facing another BGP AS.
SW5 and SW6 must not participate in OSPF at all.
Do not use the “network” statement under the “router ospf” configuration anywhere in the
core network (AS 65001).
Do not change the default OSPF cost of any interface anywhere.
Ensure that R1, SW1 and SW2 are elected the designated router on all of their interfaces,
and that they have the best chances of maintaining that role as long as their interfaces are up.
Ensure that R2 is elected the Backup Designated router on all of their interfaces, and that it
has the best chances of maintaining that role as long as its interfaces are up.
Answers:
Jameson’s Data Center Network (OSPF 65002 Area 0)
SW3
ip routing
router ospf 65002
router-id 10.255.1.33
network 10.0.0.0 0.255.255.255 area 0
SW4
ip routing
router ospf 65002
router-id 10.255.1.34
network 10.0.0.0 0.255.255.255 area 0
R15
router ospf 65002
router-id 10.255.1.15
network 10.2.0.1 0.0.0.0 area 0
network 10.2.0.5 0.0.0.0 area 0
network 10.255.1.15 0.0.0.0 area 0
R16
router ospf 65002
router-id 10.255.1.16
network 10.2.0.2 0.0.0.0 area 0
network 10.2.0.9 0.0.0.0 area 0
network 10.255.1.16 0.0.0.0 area 0
R17
router ospf 65002
router-id 10.255.1.17
network 10.0.0.0 0.255.255.255 area 0
Jameson’s Headquarters Network (OSPF 65002 Area 0)
R11
router ospf 65002
router-id 10.255.1.11
network 10.1.254.1 0.0.0.0 area 0
network 10.255.1.11 0.0.0.0 area 0
R12
router ospf 65002
router-id 10.255.1.12
network 10.1.254.2 0.0.0.0 area 0
network 10.255.1.12 0.0.0.0 area 0
www.itstu
dygr
oup.
org
CCIE R&S LAB – CFG H2/A5 (Jacob’s & Jameson’s)
Page 9 of 35 Created by John Brown, 19.02.2016
SW1
ip routing
interface vlan 101
ip ospf priority 255
router ospf 65002
router-id 10.255.1.31
network 10.0.0.0 0.255.255.255 area 0
Jameson’s Main Office Network (OSPF 65002 Area 0)
R13
router ospf 65002
router-id 10.255.1.13
network 10.3.254.1 0.0.0.0 area 0
network 10.255.1.13 0.0.0.0 area 0
R14
router ospf 65002
router-id 10.255.1.14
network 10.3.254.2 0.0.0.0 area 0
network 10.255.1.14 0.0.0.0 area 0
SW2
ip routing
interface vlan 101
ip ospf priority 255
router ospf 65002
router-id 10.255.1.32
network 10.0.0.0 0.255.255.255 area 0
Jameson’s Core Network (OSPF 65001 Area 0)
R1
router ospf 65001
router-id 10.255.1.1
interface l0
ip ospf 65001 area 0
interface range e0/0 - 3,e1/0 - 2
ip ospf priority 255
ip ospf 65001 area 0
R2
router ospf 65001
router-id 10.255.1.2
interface l0
ip ospf 65001 area 0
interface e0/0 - 3, e1/0
ip ospf priority 254
ip ospf 65001 area 0
R3
router ospf 65001
router-id 10.255.1.3
interface l0
ip ospf 65001 area 0
interface range e0/2 - 3
ip ospf 65001 area 0
R4
router ospf 65001
router-id 10.255.1.4
interface l0
ip ospf 65001 area 0
interface e0/2
ip ospf 65001 area 0
ip ospf priority 255
interface e0/3
ip ospf 65001 area 0
R5
router ospf 65001
router-id 10.255.1.5
interface l0
ip ospf 65001 area 0
interface range e0/1 - 3
ip ospf 65001 area 0
R6
router ospf 65001
router-id 10.255.1.6
interface l0
ip ospf 65001 area 0
interface e0/1
ip ospf 65001 area 0
ip ospf priority 255
interface e0/3
ip ospf 65001 area 0
R7
router ospf 65001
router-id 10.255.1.7
interface l0
ip ospf 65001 area 0
interface e0/2
ip ospf 65001 area 0
R8
router ospf 65001
router-id 10.255.1.8
interface l0
ip ospf 65001 area 0
interface e0/2
ip ospf 65001 area 0
ip ospf priority 255
www.itstu
dygr
oup.
org
CCIE R&S LAB – CFG H2/A5 (Jacob’s & Jameson’s)
Page 10 of 35 Created by John Brown, 19.02.2016
2.2 Jameson’s IGP, part 2 Refer to “Diagram 2: Initial Topology”.
Configure Jameson’s branch network according to the following requirements:
R17 must propagate a default route in its OSPF domain, but only if it already has a default
route in its routing table.
Do not redistribute BGP into OSPF and vice versa on R17.
Each branch router must establish an OSPF adjacency with R17 and must receive a default
route via OSPF. They may not receive any other LSA type 3 from the ABR.
Each branch router must advertise their interface Lo0 and Eth0/1 into OSPF.
None of the branch routers may attempt to elect a Designated Router on their Tunnel0
interface.
Answers:
R17
ip route 0.0.0.0 0.0.0.0 192.0.2.1
interface t0
ip address 10.100.0.1 255.255.255.0
no ip redirects
ip pim sparse-mode
ip nhrp authentication 65002key
ip nhrp map multicast dynamic
ip nhrp network-id 51
ip nhrp holdtime 300
delay 100
tunnel source Ethernet0/1
tunnel mode gre multipoint
tunnel key 65002
ip ospf 65002 area 51
ip ospf network point-to-multipoint
router ospf 65002
default-information originate
area 51 stub no-summary
R19
interface t0
bandwidth 10000
ip address 10.100.0.19 255.255.255.0
no ip redirects
ip nhrp authentication 65002key
ip nhrp map 10.100.0.1 192.0.2.2
ip nhrp map multicast 192.0.2.2
ip nhrp network-id 51
ip nhrp holdtime 300
ip nhrp nhs 10.100.0.1
delay 100
tunnel source Dialer1
tunnel mode gre multipoint
tunnel key 65002
tunnel vrf LOCALSP
ip ospf network point-to-multipoint
router ospf 65002
router-id 10.255.1.19
netw 10.0.0.0 0.255.255.255 area 51
area 51 stub no-summary
R20
interface t0
bandwidth 10000
ip address 10.100.0.20 255.255.255.0
no ip redirects
ip nhrp authentication 65002key
ip nhrp map 10.100.0.1 192.0.2.2
ip nhrp map multicast 192.0.2.2
ip nhrp network-id 51
ip nhrp holdtime 300
ip nhrp nhs 10.100.0.1
delay 100
tunnel source Dialer1
www.itstu
dygr
oup.
org
CCIE R&S LAB – CFG H2/A5 (Jacob’s & Jameson’s)
Page 11 of 35 Created by John Brown, 19.02.2016
tunnel mode gre multipoint
tunnel key 65002
tunnel vrf LOCALSP
ip ospf network point-to-multipoint
router ospf 65002
router-id 10.255.1.20
netw 10.0.0.0 0.255.255.255 area 51
area 51 stub no-summary
R21
interface t0
bandwidth 10000
ip address 10.100.0.21 255.255.255.0
no ip redirects
ip nhrp authentication 65002key
ip nhrp map 10.100.0.1 192.0.2.2
ip nhrp map multicast 192.0.2.2
ip nhrp network-id 51
ip nhrp holdtime 300
ip nhrp nhs 10.100.0.1
delay 100
tunnel source Dialer1
tunnel mode gre multipoint
tunnel key 65002
tunnel vrf LOCALSP
ip ospf network point-to-multipoint
router ospf 65002
router-id 10.255.1.21
netw 10.0.0.0 0.255.255.255 area 51
area 51 stub no-summary
www.itstu
dygr
oup.
org
CCIE R&S LAB – CFG H2/A5 (Jacob’s & Jameson’s)
Page 12 of 35 Created by John Brown, 19.02.2016
2.3 Jacob’s IGP Refer to “Diagram 2: Initial Topology”.
Jacob’s network is partly preconfigured. It is your responsibility to verify and complete them.
Configure EIGRP for IPv4 in Jacob’s core network (AS 65006) according to the following
requirements:
All EIGRP routers must support 64‐bit metric calculations and Routing Information Base (RIB)
scaling in EIGRP topologies.
The interface Lo0 of each router must be seen as an internal EIGRP prefix by all other routers
in their local domain.
Ensure that EIGRP is not running on any interface that is facing another AS. Use any method
to accomplish this requirement.
Jacob’s core network must use the EIGRP autonomous system number 1.
R52 must inject its interface Lo52 into EIGRP as an external prefix.
All EIGRP core routers R50, R51 must add the administrative tag “172.172.172.172” to all
prefixes that they inject into EIGRP.
Ensure that operators can filter routes by using the route-tag wildcard mask.
The following output must be seen on R50:
Configure EIGRP for IPv4 in Jacob’s Headquarter network (AS 65005) according to the following
requirements:
All EIGRP routers must support 64‐bit metric calculations and Routing Information Base (RIB)
scaling in EIGRP topologies.
The interface Lo0 of each router must be seen as an internal EIGRP prefix by all other routers
in their local domain.
Ensure that EIGRP is not running on any interface that is facing another AS. Use any method
to accomplish this requirement.
Jacob’s core network must use the EIGRP autonomous system number 10.
Configure EIGRP for IPv4 in Jacob’s Office network (AS 65007) according to the following
requirements:
www.itstu
dygr
oup.
org
CCIE R&S LAB – CFG H2/A5 (Jacob’s & Jameson’s)
Page 13 of 35 Created by John Brown, 19.02.2016
All EIGRP routers must support 64‐bit metric calculations and Routing Information Base (RIB)
scaling in EIGRP topologies.
The interface Lo0 of each router must be seen as an internal EIGRP prefix by all other routers
in their local domain.
Ensure that EIGRP is not running on any interface that is facing another AS. Use any method
to accomplish this requirement.
Jacob’s core network must use the EIGRP autonomous system number 10.
Answers:
Jacob’s Core Network (EIGRP CCIE AS 1)
R50
route-tag notation dotted-decimal
route-map RM-SETTAG172 permit 10
set tag 172.172.172.172
router eigrp CCIE
address-family ipv4 unicast autonomous-system 1
topology base
distribute-list route-map RM-SETTAG172 in
network 172.17.253.0 0.0.0.7
network 172.30.1.50 0.0.0.0
R51
route-tag notation dotted-decimal
route-map RM-SETTAG172 permit 10
set tag 172.172.172.172
router eigrp CCIE
address-family ipv4 unicast autonomous-system 1
topology base
distribute-list route-map RM-SETTAG172 in
network 172.17.253.0 0.0.0.7
network 172.30.1.51 0.0.0.0
R52
interface l52
ip address 52.52.52.52 255.255.255.255
route-map LB52 permit 10
match interface Loopback52
router eigrp CCIE
address-family ipv4 unicast autonomous-system 1
topology base
redistribute connected route-map LB52
network 172.17.253.0 0.0.0.7
network 172.30.1.52 0.0.0.0
Jacob’s Headquarters Network (EIGRP CCIE AS 10)
R55
router eigrp CCIE
address-family ipv4 unicast autonomous-system 10
network 172.18.254.0 0.0.0.255
network 172.30.0.0 0.0.255.255
R56
router eigrp CCIE
address-family ipv4 unicast autonomous-system 10
network 172.18.254.0 0.0.0.255
network 172.30.0.0 0.0.255.255
SW10
vlan 100,101
router eigrp CCIE
address-family ipv4 unicast autonomous-system 10
network 172.0.0.0 0.255.255.255
Jacob’s Office Network (EIGRP CCIE AS 10)
SW11
vlan 100,101
router eigrp CCIE
address-family ipv4 unicast autonomous-system 10
network 172.0.0.0 0.255.255.255
R58
router eigrp CCIE
address-family ipv4 unicast autonomous-system 10
network 172.17.254.0 0.0.0.255
network 172.30.0.0 0.0.255.255
www.itstu
dygr
oup.
org
CCIE R&S LAB – CFG H2/A5 (Jacob’s & Jameson’s)
Page 14 of 35 Created by John Brown, 19.02.2016
2.4 Jameson’s Pre‐merge Refer to the “Overall Scenario”, “Diagram 2: Initial Topology” and “Diagram 4: Pre‐merge Topology”.
Jameson’s decided to enable MPLS VPN in their network.
Configure Jameson’s network as per the following requirements:
R11, R12, R13 and R14 must redistribute OSPF into BGP and they must advertise a default
route into their respective OSPF domain. They may not redistribute BGP into OSPF.
R15 and R16 must mutually redistribute OSPF and BGP.
R11, R12, R13 and R14 must advertise only four prefixes via eBGP to Jameson’s core network
as follows:
○ R11 and R12 must advertise 10.1.0.0/16, 10.255.1.11/32, 10.255.1.12/32 and 10.255.1.101/32;
○ R13 and R14 must advertise 10.3.0.0/16, 10.255.1.13/32, 10.255.1.14/32 and 10.255.1.102/32;
R1 must reflect IPv4 BGP prefixes to all core routers except R2. All internal BGP peering must
be established using interface Lo0.
Ensure that each Jameson’s site receives BGP prefixes from other sites.
A very smaller output as the one shown below must be seen on R11, R12, R13 and R14 (only
the next‐hop, version and update‐group may differ).
Answers:
Jameson’s Core Network (BGP AS 65001)
R1
router bgp 65001
neighbor iBGP peer-group
neighbor iBGP remote-as 65001
neighbor iBGP update-source Loopback0
neighbor iBGP route-reflector-client
neighbor 10.255.1.3 peer-group iBGP
neighbor 10.255.1.4 peer-group iBGP
neighbor 10.255.1.5 peer-group iBGP
neighbor 10.255.1.6 peer-group iBGP
neighbor 10.255.1.7 peer-group iBGP
neighbor 10.255.1.8 peer-group iBGP
R3 – R8
router bgp 65001
neighbor 10.255.1.1 remote-as 65001
neighbor 10.255.1.1 update-source Loopback0
neighbor 10.255.1.1 next-hop-self
Jameson’s Headquarters Network (BGP AS 65002)
www.itstu
dygr
oup.
org
CCIE R&S LAB – CFG H2/A5 (Jacob’s & Jameson’s)
Page 15 of 35 Created by John Brown, 19.02.2016
R11
ip prefix-list PREF-FILTER seq 5 permit 10.1.0.0/16
ip prefix-list PREF-FILTER seq 10 permit 10.255.1.11/32
ip prefix-list PREF-FILTER seq 15 permit 10.255.1.12/32
ip prefix-list PREF-FILTER seq 20 permit 10.255.1.31/32
router bgp 65002
aggregate-address 10.1.0.0 255.255.0.0 summary-only
redistribute ospf 65002
neighbor 10.254.0.53 remote-as 65001
neighbor 10.254.0.53 prefix-list PREF-FILTER out
neighbor 10.255.1.12 remote-as 65002
neighbor 10.255.1.12 update-source l0
router ospf 65002
default-information originate
R12
ip prefix-list PREF-FILTER seq 5 permit 10.1.0.0/16
ip prefix-list PREF-FILTER seq 10 permit 10.255.1.11/32
ip prefix-list PREF-FILTER seq 15 permit 10.255.1.12/32
ip prefix-list PREF-FILTER seq 20 permit 10.255.1.31/32
router bgp 65002
aggregate-address 10.1.0.0 255.255.0.0 summary-only
redistribute ospf 65002
neighbor 10.254.0.57 remote-as 65001
neighbor 10.254.0.57 prefix-list PREF-FILTER out
neighbor 10.255.1.11 remote-as 65002
neighbor 10.255.1.11 update-source l0
router ospf 65002
default-information originate
Jameson’s Main Office Network (BGP AS 65002)
R13
ip prefix-list PREF-FILTER seq 5 permit 10.3.0.0/16
ip prefix-list PREF-FILTER seq 10 permit 10.255.1.13/32
ip prefix-list PREF-FILTER seq 15 permit 10.255.1.14/32
ip prefix-list PREF-FILTER seq 20 permit 10.255.1.32/32
router bgp 65002
aggregate-address 10.3.0.0 255.255.0.0 summary-only
redistribute ospf 65002
neighbor 10.254.0.41 remote-as 65001
neighbor 10.254.0.41 prefix-list PREF-FILTER out
neighbor 10.255.1.14 remote-as 65002
neighbor 10.255.1.14 update-source l0
router ospf 65002
default-information originate
R14
ip prefix-list PREF-FILTER seq 5 permit 10.3.0.0/16
ip prefix-list PREF-FILTER seq 10 permit 10.255.1.13/32
ip prefix-list PREF-FILTER seq 15 permit 10.255.1.14/32
ip prefix-list PREF-FILTER seq 20 permit 10.255.1.32/32
router bgp 65002
aggregate-address 10.3.0.0 255.255.0.0 summary-only
redistribute ospf 65002
neighbor 10.254.0.45 remote-as 65001
neighbor 10.254.0.45 prefix-list PREF-FILTER out
neighbor 10.255.1.13 remote-as 65002
neighbor 10.255.1.13 update-source l0
router ospf 65002
default-information originate
Jameson’s Data Center Network (BGP AS 65002)
R15
router bgp 65002
redistribute ospf 65002
neighbor 10.254.0.73 remote-as 65001
neighbor 10.255.1.16 remote-as 65002
neighbor 10.255.1.16 update-source l0
router ospf 65002
redistribute bgp 65002 subnets
R16
router bgp 65002
redistribute ospf 65002
neighbor 10.254.0.77 remote-as 65001
neighbor 10.255.1.15 remote-as 65002
neighbor 10.255.1.15 update-source l0
router ospf 65002
redistribute bgp 65002 subnets
www.itstu
dygr
oup.
org
CCIE R&S LAB – CFG H2/A5 (Jacob’s & Jameson’s)
Page 16 of 35 Created by John Brown, 19.02.2016
2.5 Jacob’s Pre‐merge Refer to the “Overall Scenario”, “Diagram 2: Initial Topology” and “Diagram 4: Premerge Topology”.
Jameson’s decided to enable MPLS VPN in their network.
Configure Jameson’s network as per the following requirements:
R55, R56 and R58 must redistribute EIGRP and BGP
Answers:
R55
router bgp 65005
redistribute eigrp 10
neighbor 172.18.253.1 remote-as 65006
router eigrp CCIE
address-family ipv4 unicast autonomous-system 10
topology base
redistribute bgp 65005 metric 10000 100 255 1 1500
R56
router bgp 65005
redistribute eigrp 10
neighbor 172.18.253.5 remote-as 65006
router eigrp CCIE
address-family ipv4 unicast autonomous-system 10
topology base
redistribute bgp 65005 metric 10000 100 255 1 1500
R58
router bgp 65007
redistribute eigrp 10
neighbor 172.17.253.22 remote-as 65006
router eigrp CCIE
address-family ipv4 unicast autonomous-system 10
topology base
redistribute bgp 65007 metric 10000 100 255 1 1500
www.itstu
dygr
oup.
org
CCIE R&S LAB – CFG H2/A5 (Jacob’s & Jameson’s)
Page 17 of 35 Created by John Brown, 19.02.2016
2.6 Merge phase 1: BGP Refer to the “Overall Scenario” and “Diagram 5: Merge Phase: 1”
Jameson’s and Jacob’s started the first phase of their merge and add a new border router in their
respective main site (R18 and R57).
Configure the network as per the following requirements:
Interface Lo0 of both R18 and R57 must be add into their respective IGP domain.
Interface Eth0/1 of both R18 and R57 must peer with its connected IGP neighbor.
Both R18 and R57 must advertise a summary prefix via eBGP to each other as follows:
○ R18 advertises 10.0.0.0/8
○ R57 advertises 172.0.0.0/8
Both R18 and R57 must propagate the received summary prefix into their respective IGP
domain.
Answers:
R18
ip prefix-list PREF-BACKDOOR seq 5 permit 10.0.0.0/8
router bgp 65002
aggregate-address 10.0.0.0 255.0.0.0
redistribute ospf 65002
neighbor 10.2.0.46 remote-as 65005
neighbor 10.2.0.46 prefix-list PREF-BACKDOOR out
router ospf 65002
router-id 10.255.1.18
network 10.2.0.42 0.0.0.0 area 0
network 10.255.1.18 0.0.0.0 area 0
redistribute bgp 65002 metric-type 1 subnets
R57
ip prefix-list PREF-BACKDOOR seq 5 permit 172.0.0.0/8
router bgp 65005
aggregate-address 172.0.0.0 255.0.0.0
redistribute eigrp 10
neighbor 10.2.0.45 remote-as 65002
neighbor 10.2.0.45 prefix-list PREF-BACKDOOR out
router eigrp CCIE
address-family ipv4 unicast autonomous-system 10
topology base
redistribute bgp 65005 metric 10000 100 255 1 1500
network 172.0.0.0 0.255.255.255
www.itstu
dygr
oup.
org
CCIE R&S LAB – CFG H2/A5 (Jacob’s & Jameson’s)
Page 18 of 35 Created by John Brown, 19.02.2016
2.7 Merge phase 2: IGP Refer to “Diagram 2: Initial Topology” and “Diagram 6: Merge Phase 2”.
Jameson’s and Jacob’s are entering in the second phase of the merge and have deployed two new
border routers in their respective core network.
Configure the core networks as per the following requirements:
R9 and R10 must run OSPF on their interface Eth0/0 and Lo0.
R9 and R10 must run EIGRP on their interface Eth0/1.
R53 and R54 must run EIGRP on all of their interfaces.
Mutually redistribute EIGRP and OSPF on both R9 and R10
Avoid routing loops and ensure that all current and future prefixes are routed via their
optimal path. Do not use any access‐list or prefix‐list in order to achieve this requirement.
Do not change any administrative distance of any protocol in any router.
Answers:
R9
route-map RM-TO-EIGRP deny 10
match tag 172.172.172.172
route-map RM-TO-EIGRP perm 20
set tag 10.10.10.10
route-map RM-TO-OSPF deny 10
match tag 10.10.10.10
route-map RM-TO-OSPF perm 20
set tag 172.172.172.172
route-tag notation dotted-decimal
interface l0
ip ospf 65001 area 0
interface e0/1
ip ospf 65001 area 0
router ospf 65002
router-id 10.255.1.9
redistribute eigrp 1 route-map RM-TO-OSPF subnets
router eigrp CCIE
address-family ipv4 unicast autonomous-system 1
network 10.254.0.61 0.0.0.0
topology base
redistribute ospf 65001 metric 10000 100 255 1 1500 route-map RM-TO-EIGRP
R10
route-map RM-TO-EIGRP deny 10
match tag 172.172.172.172
route-map RM-TO-EIGRP perm 20
set tag 10.10.10.10
route-map RM-TO-OSPF deny 10
match tag 10.10.10.10
route-map RM-TO-OSPF perm 20
set tag 172.172.172.172
route-tag notation dotted-decimal
interface l0
ip ospf 65001 area 0
interface e0/1
ip ospf priority 255
ip ospf 65001 area 0
router ospf 65002
router-id 10.255.1.10
redistribute eigrp 1 route-map RM-TO-OSPF subnets
router eigrp CCIE
address-family ipv4 unicast autonomous-system 1
network 10.254.0.65 0.0.0.0
topology base
redistribute ospf 65001 metric 10000 100 255 1 1500 route-map RM-TO-EIGRP
R53, R54
route-tag notation dotted-decimal
router eigrp CCIE
address-family ipv4 unicast autonomous-system 1
network 172.0.0.0 0.255.255.255
network 10.0.0.0 0.255.255.255
www.itstu
dygr
oup.
org
CCIE R&S LAB – CFG H2/A5 (Jacob’s & Jameson’s)
Page 19 of 35 Created by John Brown, 19.02.2016
2.8 Merge phase 2: Routing Policies Refer to the “Overall Scenario”, “Diagram 2: Initial Topology” and “Diagram 6: Merge Phase 2”.
Configure the network as per the following requirements:
Network managers have decided that the primary path for all traffic between Jameson’s
10.2.1.0/24 and Jacob’s 172.18.1.0/24 must be routed preferably via the BGP backdoor link
between R18 and R57. If this link should fail then traffic should fall back over the MPLS core
network.
All other traffic must be routed preferably via the MPLS core network.
Do not configure any route‐map nor access‐list in order to achieve this requirement.
Ensure that the following test reveals the same path as shown below:
Answers:
R18
ip prefix-list PREF-BACKDOOR seq 5 permit 172.18.1.0/24
R57
ip prefix-list PREF-BACKDOOR seq 5 permit 10.2.1.0/24
www.its
tudy
grou
p.or
g
CCIE R&S LAB – CFG H2/A5 (Jacob’s & Jameson’s)
Page 20 of 35 Created by John Brown, 19.02.2016
2.9 IPv6 Routing, part 1 Refer to “Diagram 2: Initial Topology”.
Jameson’s started deploying IPv6 in dual‐stack mode in the datacenter.
Configure Jameson’s datacenter network as per the following requirements:
Establish OSPFv3 adjacencies in Area 0 between SW3, SW4, R15 and R16.
Do not use the command “ipv6 ospf” anywhere in order to accomplish the previos
requirement.
Interface VLAN 100 of SW3 must be configured with default route preference set to “high”.
Interface VLAN 100 of SW4 must be configured with default route preference set to
“medium”.
The interval between Router Advertisement transmissions on VLAN 100 must be set 20
seconds on both SW3 and SW4.
Answers:
SW3
router ospfv3 65002
router-id 10.255.1.33
interface l0
ipv6 address 2001:6500:2::33/128
ospfv3 65002 ipv6 area 0
interface vlan 153
ipv6 address 2001:6500:2:1533::33/64
ospfv3 65002 ipv6 area 0
interface vlan 34
ipv6 address 2001:6500:2:3334::33/64
ospfv3 65002 ipv6 area 0
interface vlan 100
ipv6 nd router-preference High
ipv6 nd ra interval 20
SW4
router ospfv3 65002
router-id 10.255.1.34
interface l0
ipv6 address 2001:6500:2::34/128
ospfv3 65002 ipv6 area 0
interface vlan 164
ipv6 address 2001:6500:2:1634::34/64
ospfv3 65002 ipv6 area 0
interface vlan 34
ipv6 address 2001:6500:2:3334::34/64
ospfv3 65002 ipv6 area 0
interface vlan 100
ipv6 nd router-preference Medium
ipv6 nd ra interval 20
R15
router ospfv3 65002
router-id 10.255.1.15
interface l0
ipv6 address 2001:6500:2::15/128
ospfv3 65002 ipv6 area 0
interface e0/0
ipv6 address 2001:6500:2:1533::15/64
ospfv3 65002 ipv6 area 0
interface e0/2
ipv6 address 2001:6500:2:1516::15/64
ospfv3 65002 ipv6 area 0
R16
router ospfv3 65002
router-id 10.255.1.16
interface l0
ipv6 address 2001:6500:2::16/128
ospfv3 65002 ipv6 area 0
interface e0/0
ipv6 address 2001:6500:2:1634::16/64
ospfv3 65002 ipv6 area 0
interface e0/2
ipv6 address 2001:6500:2:1516::16/64
ospfv3 65002 ipv6 area 0
www.itstu
dygr
oup.
org
CCIE R&S LAB – CFG H2/A5 (Jacob’s & Jameson’s)
Page 21 of 35 Created by John Brown, 19.02.2016
2.10 IPv6 Routing, part 2 Configure Jameson’s datacenter network as per the following requirements:
SW3 and SW4 must provide first‐hop redundancy for hosts in VLAN 100 by sharing the
virtual link‐local address FE80:100::1.
SW3 must be elected as the active router and SW4 must be elected the standby router
In case SW3 is down, SW4 must take over the active role. If SW3 comes back online, it must
automatically recover the active role from SW4.
Ensure that HSRP Hello packets are exchanged every second and that the standby takes over
the active role if three consecutive Hello packets were missed from the active.
Answers:
R101
interface e0/0
ipv6 address autoconfig
SW3
interface vlan 100
ipv6 address 2001:6500:2:100::33/64
ospfv3 65002 ipv6 area 0
standby version 2
standby 6 ipv6 FE80:100::1
standby 6 preempt
standby 6 priority 105
standby 6 timers 1 3
SW4
interface vlan 100
ipv6 address 2001:6500:2:100::34/64
ospfv3 65002 ipv6 area 0
standby version 2
standby 6 ipv6 FE80:100::1
standby 6 preempt
standby 6 timers 1 3
www.itstu
dygr
oup.
org
CCIE R&S LAB – CFG H2/A5 (Jacob’s & Jameson’s)
Page 22 of 35 Created by John Brown, 19.02.2016
2.11 Multicast in Jameson’s Refer to “Diagram 2: Initial Topology”.
An application running on server R101 (which is located in Jameson’s datacenter) uses multicast to
deliver specific traffic to users located in Jameson’s branch network.
Configure Jameson’s network as per following requirements:
Use PIM Sparse‐mode.
The interface Lo0 of R15 must be elected as the Rendezvous point for the whole multicast
domain.
R15 must announce its candidacy to advertise the group‐to‐RP mapping set to the router link
local address.
For interoperability reasons, the selection of R15 as the RP must adhere to open standard
and must use the default priority value as per the standard.
The source R101 uses the group address 239.1.1.1 to send traffic to interested receivers.
Receivers are located in the branch network and they are connected to the datacenter via
DMVPN.
Ensure that the following test is successful:
Answers:
SW3
ip multicast-routing
interface vlan 100
ip pim sparse-mode
interface vlan 34
ip pim sparse-mode
interface vlan 153
ip pim sparse-mode
interface vlan 173
ip pim sparse-mode
SW4
ip multicast-routing
interface vlan 100
ip pim sparse-mode
interface vlan 34
ip pim sparse-mode
interface vlan 164
ip pim sparse-mode
R15
ip multicast-routing
interface l0
ip pim sparse-mode
interface e0/0
ip pim sparse-mode
interface e0/2
ip pim sparse-mode
ip pim bsr-candidate Loopback0
ip pim rp-candidate Loopback0
R16
ip multicast-routing
interface e0/0
ip pim sparse-mode
interface e0/2
ip pim sparse-mode
R17
ip multicast-routing
interface e0/0
ip pim sparse-mode
interface t0
ip pim sparse-mode
R19
ip multicast-routing
interface t0
ip pim sparse-mode
interface e0/1
ip pim sparse-mode
ip igmp join-group 239.1.1.1
R20
ip multicast-routing
interface t0
ip pim sparse-mode
interface e0/1
ip pim sparse-mode
ip igmp join-group 239.1.1.1
R21
ip multicast-routing
interface t0
ip pim sparse-mode
interface e0/1
ip pim sparse-mode
ip igmp join-group 239.1.1.1
www.itstu
dygr
oup.
org
CCIE R&S LAB – CFG H2/A5 (Jacob’s & Jameson’s)
Page 23 of 35 Created by John Brown, 19.02.2016
Section 3 – VPN Technologies
3.1 Jameson’s Branch Offices Refer to “Diagram 2: Initial Topology”.
Configure DMVPN Phase 3 in Jameson’s branch network as per the following requirements:
Use the preconfigured interface Tunnel0 on all four routers in order to accomplish this task.
R17 must be configured as the hub router.
R19, R20 and R21 must be the spoke routers and must participate in the NHRP information
exchange.
Ensure that spoke‐to‐spoke traffic does not transit via the hub.
Protect the tunneled traffic by attaching the preconfigured IPsec profile to the tunnel
interface on all tunnel end‐points.
Ensure that all spoke establish an OSPF adjacency through the tunnel with the hub R17,
without attempting to elect any Designated Router.
Ensure that the following test are successful:
Answers:
R17
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key CCIE address 0.0.0.0
crypto ipsec transform-set DMVPN-TFSET esp-aes
mode transport
crypto ipsec profile DMVPN-PROFILE
set tranform-set DMVPN-TFSET
interface Tunnel0
ip nhrp redirect
tunnel protection ipsec profile DMVPN-PROFILE
R19 – R21
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto keyring CCIE vrf LOCALSP
pre-shared-key address 0.0.0.0 0.0.0.0 key CCIE
crypto ipsec transform-set DMVPN-TFSET esp-aes
mode transport
crypto ipsec profile DMVPN-PROFILE
set tranform-set DMVPN-TFSET
interface Tunnel0
ip nhrp shortcut
tunnel protection ipsec profile DMVPN-PROFILE
www.itstu
dygr
oup.
org
CCIE R&S LAB – CFG H2/A5 (Jacob’s & Jameson’s)
Page 24 of 35 Created by John Brown, 19.02.2016
3.2 Jameson’s Pre‐merge VPN Refer to the “Overall Scenario” and “Diagram 4: Pre‐merge Topology”.
Jameson’s decided to enable MPLS VPN in their network.
They started configuring it but it is your responsibility to complete it and verify that it is fully
functional.
Configure Jameson’s network as per the following requirements:
Enable LDP in the core network as indicated in “Diagram 4: Pre‐merge Topology”.
Ensure that all LDP routers use their interface Lo0 as their LDP router‐id.
R1 must reflect VPNv4 prefixes to all PE’s.
The datacenter and main office network must be connected to the VPN “GREEN” via eBGP.
The headquarter network must be connected to the VPN “RED” via eBGP.
All six PE’s must use a consistent format “ASN.nn” for the VPN route distinguisher, where:
○ ASN is the Autonomous System Number of the connected CE
○ nn is any relevant number for the VPN site.
Ensure that R101 in the datacenter’s VLAN 100 can successfully ping SW2 in the main office
as shown below:
www.itstu
dygr
oup.
org
CCIE R&S LAB – CFG H2/A5 (Jacob’s & Jameson’s)
Page 25 of 35 Created by John Brown, 19.02.2016
Answers:
R1
mpls ldp router-id Loopback0 force
router ospf 65001
mpls ldp autoconfig
router bgp 65001
address-family vpnv4
neighbor iBGP send-community both
neighbor iBGP route-reflector-client
neighbor 10.255.1.3 activate
neighbor 10.255.1.4 activate
neighbor 10.255.1.5 activate
neighbor 10.255.1.6 activate
neighbor 10.255.1.7 activate
neighbor 10.255.1.8 activate
R2
mpls ldp router-id Loopback0 force
router ospf 65001
mpls ldp autoconfig
R3
ip vrf GREEN
rd 65002:2
interface e0/0
ip vrf forwarding GREEN
ip address 10.254.0.73 255.255.255.252
mpls ldp router-id Loopback0 force
router ospf 65001
mpls ldp autoconfig
router bgp 65001
address-family vpnv4
neighbor 10.255.1.1 activate
neighbor 10.255.1.1 send-community both
address-family ipv4 vrf GREEN
neighbor 10.254.0.74 remote-as 65002
neighbor 10.254.0.74 activate
neighbor 10.254.0.74 as-override
R4
ip vrf GREEN
rd 65002:2
interface e0/0
ip vrf forwarding GREEN
ip address 10.254.0.77 255.255.255.252
mpls ldp router-id Loopback0 force
router ospf 65001
mpls ldp autoconfig
router bgp 65001
address-family vpnv4
neighbor 10.255.1.1 activate
neighbor 10.255.1.1 send-community both
address-family ipv4 vrf GREEN
neighbor 10.254.0.78 remote-as 65002
neighbor 10.254.0.78 activate
neighbor 10.254.0.78 as-override
R5
ip vrf GREEN
rd 65002:3
interface e0/0
ip vrf forwarding GREEN
ip address 10.254.0.41 255.255.255.252
mpls ldp router-id Loopback0 force
router ospf 65001
mpls ldp autoconfig
router bgp 65001
address-family vpnv4
neighbor 10.255.1.1 activate
neighbor 10.255.1.1 send-community both
address-family ipv4 vrf GREEN
neighbor 10.254.0.42 remote-as 65002
neighbor 10.254.0.42 activate
neighbor 10.254.0.42 as-override
R6
ip vrf GREEN
rd 65002:3
interface e0/0
ip vrf forwarding GREEN
ip address 10.254.0.45 255.255.255.252
mpls ldp router-id Loopback0 force
router ospf 65001
mpls ldp autoconfig
router bgp 65001
address-family vpnv4
www.itstu
dygr
oup.
org
CCIE R&S LAB – CFG H2/A5 (Jacob’s & Jameson’s)
Page 26 of 35 Created by John Brown, 19.02.2016
neighbor 10.255.1.1 activate
neighbor 10.255.1.1 send-community both
address-family ipv4 vrf GREEN
neighbor 10.254.0.46 remote-as 65002
neighbor 10.254.0.46 activate
neighbor 10.254.0.46 as-override
R7
ip vrf RED
rd 65002:1
interface e0/0
ip vrf forwarding RED
ip address 10.254.0.53 255.255.255.252
mpls ldp router-id Loopback0 force
router ospf 65001
mpls ldp autoconfig
router bgp 65001
address-family vpnv4
neighbor 10.255.1.1 activate
neighbor 10.255.1.1 send-community both
address-family ipv4 vrf RED
neighbor 10.254.0.54 remote-as 65002
neighbor 10.254.0.54 activate
neighbor 10.254.0.54 as-override
R8
ip vrf RED
rd 65002:1
interface e0/0
ip vrf forwarding RED
ip address 10.254.0.57 255.255.255.252
mpls ldp router-id Loopback0 force
router ospf 65001
mpls ldp autoconfig
router bgp 65001
address-family vpnv4
neighbor 10.255.1.1 activate
neighbor 10.255.1.1 send-community both
address-family ipv4 vrf RED
neighbor 10.254.0.58 remote-as 65002
neighbor 10.254.0.58 activate
neighbor 10.254.0.58 as-override
www.itstu
dygr
oup.
org
CCIE R&S LAB – CFG H2/A5 (Jacob’s & Jameson’s)
Page 27 of 35 Created by John Brown, 19.02.2016
3.3 Merge phase 2: VPN Refer to the “Overall Scenario” and “Diagram 6: Merge Phase 2”.
Jameson’s and Jacob’s are entering in the second phase of the merge and have deployed two new
border routers in their respective core network.
Configure the network as per the following requirements:
The BGP AS number of Jacob’s original core network must be converted to use Jameson’s AS
number 65001, as indicated in “Diagram 6: Merge Phase 2”.
All BGP sessions between Jacob’s core and remote sites (including headquarters and office
networks) must be recovered using the new AS number.
Do not modify the BGP configuration of Jacob’s CEs (R55, R56 and R58) in order to accomplish
this requirement.
Enable LDP in the merged core network as indicated in “Diagram 6: Merge Phase2”,
including the four new border router (R9, R10, R53, R54) and Jacob’s core network.
Ensure that all LDP routers use their interface Lo0 as their LDP router‐id.
R1 must reflect VPNv4 prefixes to all PE’s, including to Jacob’s PE.
Jacob’s headquarters network must be added to the VPN GREEN.
Jacob’s office network must be added to the VPN BLUE.
All nine PE’s must use a consistent format “ASN.nn” for the VPN route distinguisher, where:
○ ASN is the Autonomous System Number of the connected CE
○ nn is any relevant number
Answers:
R9, R10
interface e0/0
mpls ip
R53, R54
mpls ldp router-id Loopback0 force
interface range e0/0 - 1
mpls ip
R1
router bgp 65001
neighbor 172.30.1.50 peer-group iBGP
neighbor 172.30.1.51 peer-group iBGP
neighbor 172.30.1.52 peer-group iBGP
address-family vpnv4
neighbor 172.30.1.50 activate
neighbor 172.30.1.51 activate
neighbor 172.30.1.52 activate
www.itstu
dygr
oup.
org
CCIE R&S LAB – CFG H2/A5 (Jacob’s & Jameson’s)
Page 28 of 35 Created by John Brown, 19.02.2016
R50
mpls ldp router-id Loopback0 force
interface e0/0
mpls ip
ip vrf GREEN
rd 65005:18
interface e0/1
ip vrf forwarding GREEN
ip address 172.18.253.1 255.255.255.252
router bgp 65001
neighbor 10.255.1.1 remote-as 65001
neighbor 10.255.1.1 update-source Loopback0
address-family vpnv4
neighbor 10.255.1.1 activate
neighbor 10.255.1.1 send-community both
address-family ipv4 vrf GREEN
neighbor 172.18.253.2 remote-as 65005
neighbor 172.18.253.2 local-as 65006
neighbor 172.18.253.2 activate
R51
mpls ldp router-id Loopback0 force
interface e0/0
mpls ip
ip vrf GREEN
rd 65005:18
interface Ethernet0/1
ip vrf forwarding GREEN
ip address 172.18.253.5 255.255.255.252
router bgp 65001
neighbor 10.255.1.1 remote-as 65001
neighbor 10.255.1.1 update-source Loopback0
address-family vpnv4
neighbor 10.255.1.1 activate
neighbor 10.255.1.1 send-community both
address-family ipv4 vrf GREEN
neighbor 172.18.253.6 remote-as 65005
neighbor 172.18.253.6 local-as 65006
neighbor 172.18.253.6 activate
R52
mpls ldp router-id Loopback0 force
interface e0/0
mpls ip
ip vrf BLUE
rd 65007:17
interface Ethernet0/1
ip vrf forwarding BLUE
ip address 172.17.253.22 255.255.255.248
router bgp 65001
neighbor 10.255.1.1 remote-as 65001
neighbor 10.255.1.1 local-as 65001
neighbor 10.255.1.1 update-source Loopback0
address-family vpnv4
neighbor 10.255.1.1 activate
neighbor 10.255.1.1 send-community both
address-family ipv4 vrf BLUE
neighbor 172.17.253.21 remote-as 65007
neighbor 172.17.253.21 local-as 65006
neighbor 172.17.253.21 activate www.its
tudy
grou
p.or
g
CCIE R&S LAB – CFG H2/A5 (Jacob’s & Jameson’s)
Page 29 of 35 Created by John Brown, 19.02.2016
3.4 Inter‐VPN Routing Refer to the “Overall Scenario” and “Diagram 6: Merge Phase 2”.
Configure the network as per the following requirements:
Jameson’s headquarters (VPN RED), main office (VPN GREEN) and Jacob’ office (VPN BLUE)
must receive datacenter prefixes (VPN GREEN).
Jameson’s main office (VPN GREEN) may not receive headquarters (VPN RED) prefixes nor
Jacob’s headquarters (VPN GREEN) prefixes.
In order to simplify future changes, your solution may not be limited to specific prefixes.
Answers:
R3, R4
ip vrf GREEN
route-target export 65002:2
route-target import 65002:1
route-target import 65002:3
route-target import 65005:18
route-target import 65007:17
R5, R6
ip vrf GREEN
route-target export 65002:3
route-target import 65002:2
R7, R8
ip vrf RED
route-target export 65002:1
route-target import 65002:2
R50, R51
ip vrf GREEN
route-target export 65005:18
route-target import 65002:2
R52
ip vrf BLUE
route-target export 65007:17
route-target import 65002:2
www.itstu
dygr
oup.
org
CCIE R&S LAB – CFG H2/A5 (Jacob’s & Jameson’s)
Page 30 of 35 Created by John Brown, 19.02.2016
Section 4 – Infrastructure Security
4.1 Device Security Refer to “Diagram 1: Initial Topology”.
Configure the network as per the following requirements:
Protect R17’s control‐plane from TTL expiry attacks so that illegitimate IP packets with a TTL
of 0 or 1 are dropped before the CPU processes them.
Legit packets include expected control protocols running on the link.
Answers:
R17
ip access-list extended ACL-TTL-EXCEEDED
deny ospf any any
deny pim any any
permit ip any any ttl lt 2
class-map match-all CM-TTL-EXCEEDED
match access-group name ACL-TTL-EXCEEDED
policy-map PM-CoPP
class CM-TTL-EXCEEDED
drop
class class-default
police cir 8000 conform-action transmit exceed-action transmit
control-plane
service-policy input PM-CoPP
www.itstu
dygr
oup.
org
CCIE R&S LAB – CFG H2/A5 (Jacob’s & Jameson’s)
Page 31 of 35 Created by John Brown, 19.02.2016
4.2 Network Security Refer to “Diagram 1: Jameson’s Layer 2 Connections” and “Diagram 2: Initial Topology”.
Configure the network as per the following requirements:
SW5 and SW6 must filter DHCP message received by untrusted hosts by comparing the
source MAC address and the DHCP client hardware address. If the address match, the
switches must forward the packet. If the addresses do not match, the switches must drop
the packet.
Ensure that these access switches do not filter DHCP packets on their uplinks.
Ensure that the DHCP relay switches (refer to item 5.1) allow DHCP message received on
their interface VLAN 100 with the added Option 82 and uninitialized GIADDR field to be
accepted.
Answers:
SW5
ip dhcp snooping
ip dhcp snooping vlan 100
interface po35
ip dhcp snooping trusted
interface po45
ip dhcp snooping trusted
SW6
ip dhcp snooping
ip dhcp snooping vlan 100
interface po36
ip dhcp snooping trusted
interface po46
ip dhcp snooping trusted
SW3, SW4
interface vlan 100
ip dhcp relay information trusted
www.itstu
dygr
oup.
org
CCIE R&S LAB – CFG H2/A5 (Jacob’s & Jameson’s)
Page 32 of 35 Created by John Brown, 19.02.2016
Section 5 – Infrastructure Services
5.1 Centralized DHCP Refer to “Diagram 1: Jameson’s Layer 2 Connections” and “Diagram 2: Initial Topology”.
Jameson’s R15 must centralize DHCP service for the datacenter’s hosts VLANs.
Configure the network as per the following requirements:
Ensure that the distribution switches SW3 and SW4 forward DHCP discover broadcast
message received from VLAN 100’s hosts to interface Lo0 of R15 as unicast messages.
R15 must assign hosts in VLAN 100 a valid IP address from the prefix 10.2.1.0/24.
Ensure that addresses that were statically configured will never be assigned to any host.
The DHCP offer must include the IP address 10.2.1.1/24 as the default gateway for VLAN 100
users.
Ensure that the server R101 effectively receives an IP address from the expected prefix
10.2.1.0/24 as well as its default gateway information.
Answers:
SW3
interface vlan 100
ip helper-address 10.255.1.15
SW4
interface vlan 100
ip helper-address 10.255.1.15
R15
ip dhcp excluded-address 10.2.1.1
ip dhcp excluded-address 10.2.1.253
ip dhcp excluded-address 10.2.1.254
ip dhcp pool VLAN-100
network 10.2.1.0 255.255.255.0
default-router 10.2.1.1
R101
interface e0/0
ip address dhcp
www.itstu
dygr
oup.
org
CCIE R&S LAB – CFG H2/A5 (Jacob’s & Jameson’s)
Page 33 of 35 Created by John Brown, 19.02.2016
5.2 Internet Gateway Refer to “Diagram 1: Initial Topology”.
Configure the network as per the following requirements:
R17 is Jameson’s Internet gateway router.
Ensure that R17 enables all internal hosts (that is, hosts with source IP address in the range
of 10.0.0.0/8 or 172.0.0.0/8) to simultaneously connect to the Internet using the public IP
address of interface Eth0/0.
The following tests must be successful:
Answers:
R17
ip access-list standard ACL-NAT
permit 10.0.0.0 0.255.255.255
permit 172.0.0.0 0.255.255.255
interface e0/1
ip nat outside
interface e0/0
ip nat inside
ip nat inside source list ACL-NAT interface e0/1 overload
www.itstu
dygr
oup.
org
CCIE R&S LAB – CFG H2/A5 (Jacob’s & Jameson’s)
Page 34 of 35 Created by John Brown, 19.02.2016
5.3 First hop redundancy Refer to “Diagram 1: Jameson’s Layer 2 Connections” and “Diagram 2: Initial Topology”.
Jameson’s datacenter SW3 and SW4 must offer first hop redundancy to VLAN 100’s host using
HSRP.
Configure the network as per the following requirements:
SW3 and SW4 must use the multicast address 224.0.0.102 in order to negotiate the active
and standby roles.
SW3 must be elected as the active router and SW4 must be elected as the standby router.
In case SW3 is down, SW4 must take over the active role. If SW3 comes back online, it must
automatically recover the active role from SW4.
Ensure that HSRP hello packets are exchanged every second and that the standby takes over
the active role if three consecutive Hello packets were missed from the active.
Both routers must share the virtual IP address 10.2.1.1 that will be used as default gateway
for VLAN 100’s hosts.
Answers:
SW3
interface vlan 100
standby version 2
standby 4 timers 1 3
standby 4 preempt
standby 4 ip 10.2.1.1
standby 4 priority 105
SW4
interface vlan 100
standby version 2
standby 4 timers 1 3
standby 4 preempt
standby 4 ip 10.2.1.1
www.itstu
dygr
oup.
org
CCIE R&S LAB – CFG H2/A5 (Jacob’s & Jameson’s)
Page 35 of 35 Created by John Brown, 19.02.2016
5.4 Tracking reachability Refer to “Diagram 1: Jameson’s Layer 2 Connections” and “Diagram 2: Initial Topology”.
Configure the network as per the following requirements:
SW3 and SW4 must monitor the reachability of their OSPF IPv4 default route and in case it is
not available, the HSRP priority must be decreased by 10.
Answers:
SW3
track 1 ip route 0.0.0.0 0.0.0.0 reachability
interface vlan 100
standby 4 track 1 decrement 10
SW4
track 1 ip route 0.0.0.0 0.0.0.0 reachability
interface vlan 100
standby 4 track 1 decrement 10
www.itstu
dygr
oup.
org