- LearnITPro.Net - Together We … R&S LAB – C 2/A5 (Jacob’s & Jameson’s) Page 5 of 35 Created...

CCIE R&S LAB – CFG H2/A5 (Jacob’s & Jameson’s)

Page 1 of 35 Created by John Brown, 19.02.2016

Contents

Section 1 – Layer 2 Technologies
1.1 Jameson’s Datacenter: Access port
1.2 Jameson’s Datacenter: Trunk ports
1.3 Jameson’s Datacenter: Link bundling
1.4 Jameson’s Branch Offices

Section 2 – Layer 3 Technologies
2.1 Jameson’s IGP, part 1
2.2 Jameson’s IGP, part 2
2.3 Jacob’s IGP
2.4 Jameson’s Pre-merge
2.5 Jacob’s Pre-merge
2.6 Merge phase 1: BGP
2.7 Merge phase 2: IGP
2.8 Merge phase 2: Routing Policies
2.9 IPv6 Routing, part 1
2.10 IPv6 Routing, part 2
2.11 Multicast in Jameson’s

Section 3 – VPN Technologies
3.1 Jameson’s Branch Offices
3.2 Jameson’s Pre-merge VPN
3.3 Merge phase 2: VPN
3.4 Inter-VPN Routing

Section 4 – Infrastructure Security
4.1 Device Security
4.2 Network Security

Section 5 – Infrastructure Services
5.1 Centralized DHCP
5.2 Internet Gateway
5.3 First hop redundancy
5.4 Tracking reachability

www.itstudygroup.org

Section 1 – Layer 2 Technologies

1.1 Jameson’s Datacenter: Access port

VTP has been pre-configured in Jameson’s Datacenter. SW3 is the server and the other three switches are clients. Do not modify this configuration. Some other configuration was already started, but it is your responsibility to verify and complete it.

Configure all four switches in Jameson’s datacenter network (AS 65002) as per the following requirements:

• All unused ports must be configured in VLAN 999 and administratively shut down. Refer to “Table 1: Jameson’s VLAN to Port Mapping” to figure out which ports are used and unused.
• Access ports must immediately transition to the forwarding state upon link up, as long as they do not receive a BPDU. Use a unique command per switch to enable this feature.
• If an access port receives a BPDU, it must automatically shut down and generate a syslog message and an SNMP trap (to solve this issue add. Use a unique command per switch to enable this feature.
• Ports that were shut down must always rely on manual intervention to recover.
• VLAN 911 (10.2.100.X/24) will be used as the management VLAN in Jameson’s datacenter.
• Ensure that all datacenter switches are able to ping each other’s IP address in the management VLAN.
• SW5 and SW6 are low-end access switches and they do not have much processing power. Ensure that their only Layer 3 interfaces are Loopback0 and VLAN 911.
• SW3 and SW4 are robust and powerful distribution switches. Ensure that they maintain a Layer 3 interface for all local VLANs as well as all access VLANs, as specified in “Table 1: Jameson’s VLAN to Port Mapping”.

Answers:

SW3
vtp domain CCIE
vtp mode server
vlan 999,911,34,100,153,173,156,164,184
interface e0/0
 switchport mode access
 switchport access vlan 173
interface e0/1
 switchport mode access
 switchport access vlan 156
interface e1/0
 switchport mode access
 switchport access vlan 153
! Unused ports: parked in VLAN 999 and administratively shut down
interface range e0/2 - 3, e1/1 - 3, e3/2 - 3
 switchport mode access
 switchport access vlan 999
 shutdown
! One global command each: PortFast on all access ports, BPDU guard on all PortFast ports
spanning-tree portfast edge default
spanning-tree portfast edge bpduguard default
! No errdisable recovery is configured, so an err-disabled port stays down until re-enabled by hand
! Forward syslog messages (including the BPDU guard event) as SNMP traps
snmp-server enable traps syslog

SW4
vtp domain CCIE
vtp mode client
interface e0/0
 switchport mode access
 switchport access vlan 184
interface e0/1
 switchport mode access
 switchport access vlan 156
interface range e0/2 - 3, e1/1 - 3, e3/2 - 3
 switchport mode access
 switchport access vlan 999
 shutdown
interface e1/0
 switchport mode access
 switchport access vlan 164
spanning-tree portfast edge default
spanning-tree portfast edge bpduguard default
snmp-server enable traps syslog

SW5
vtp domain CCIE
vtp mode client
interface range e0/0, e1/0 - 3
 switchport mode access
 switchport access vlan 999
 shutdown
interface range e0/1 - 3
 switchport mode access
 switchport access vlan 100
spanning-tree portfast edge default
spanning-tree portfast edge bpduguard default
snmp-server enable traps syslog

SW6
vtp domain CCIE
vtp mode client
interface range e0/0, e1/0 - 3
 switchport mode access
 switchport access vlan 999
 shutdown
interface range e0/1 - 3
 switchport mode access
 switchport access vlan 100
spanning-tree portfast edge default
spanning-tree portfast edge bpduguard default
snmp-server enable traps syslog
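
A configuration check for the 1.1 requirements, added here as an example (it is not part of the workbook's answers): it expands "interface range" statements, then verifies that unused ports are parked in VLAN 999 and shut down, that the PortFast, BPDU guard and syslog-trap globals are present, and that no automatic err-disable recovery undermines the manual-recovery rule. The unused-port list for SW5 is an assumption read off the answer, since Table 1 is not reproduced on this page; the drifted configuration is a constructed sample.

```python
import re

# Baseline taken from the 1.1 requirements and the answers above.
REQUIRED_GLOBALS = (
    "spanning-tree portfast edge default",
    "spanning-tree portfast edge bpduguard default",
    "snmp-server enable traps syslog",
)
# Automatic err-disable recovery would break the "manual intervention" rule.
FORBIDDEN_PREFIXES = ("errdisable recovery cause bpduguard",
                      "errdisable recovery cause all")
PARKING_VLAN = "switchport access vlan 999"


def expand_range(spec):
    """Expand 'e0/0, e1/0 - 3' into ['e0/0', 'e1/0', 'e1/1', 'e1/2', 'e1/3']."""
    names = []
    for part in spec.split(","):
        m = re.fullmatch(r"\s*([A-Za-z]+)(\d+)/(\d+)(?:\s*-\s*(\d+))?\s*", part)
        if not m:
            raise ValueError(f"unsupported interface range element: {part!r}")
        prefix, slot, first, last = m.groups()
        for port in range(int(first), int(last or first) + 1):
            names.append(f"{prefix.lower()}{slot}/{port}")
    return names


def parse(config):
    """Split a config into per-interface command lists and global commands."""
    interfaces, global_cmds, current = {}, [], []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw[0].isspace():            # indented line: interface sub-command
            for name in current:
                interfaces[name].append(line)
            continue
        words = line.split(None, 2)
        if words[0] == "interface" and len(words) > 1:
            if words[1] == "range":
                current = expand_range(words[2])
            else:
                current = [line.split(None, 1)[1].lower()]
            for name in current:
                interfaces.setdefault(name, [])
        else:
            current = []
            global_cmds.append(line)
    return interfaces, global_cmds


def last_matching(cmds, candidates):
    """Return the last command starting with one of the prefixes (last line wins)."""
    hits = [c for c in cmds if c.startswith(candidates)]
    return hits[-1] if hits else None


def audit(config, unused_ports):
    """Return a list of findings; an empty list means the baseline holds."""
    interfaces, global_cmds = parse(config)
    findings = []
    for port in expand_range(unused_ports):
        cmds = interfaces.get(port, [])
        if last_matching(cmds, ("switchport access vlan",)) != PARKING_VLAN:
            findings.append(f"{port}: unused port not assigned to VLAN 999")
        if last_matching(cmds, ("shutdown", "no shutdown")) != "shutdown":
            findings.append(f"{port}: unused port not administratively shut down")
    for cmd in REQUIRED_GLOBALS:
        if cmd not in global_cmds:
            findings.append(f"global: missing '{cmd}'")
    for cmd in global_cmds:
        if cmd.startswith(FORBIDDEN_PREFIXES):
            findings.append(f"global: '{cmd}' re-enables ports automatically")
    return findings


# Constructed sample 1: SW5 as configured in the answer above.
SW5_ANSWER = """\
vtp domain CCIE
vtp mode client
interface range e0/0, e1/0 - 3
 switchport mode access
 switchport access vlan 999
 shutdown
interface range e0/1 - 3
 switchport mode access
 switchport access vlan 100
spanning-tree portfast edge default
spanning-tree portfast edge bpduguard default
snmp-server enable traps syslog
"""

# Constructed sample 2: the same switch after hypothetical configuration drift.
SW5_DRIFTED = SW5_ANSWER + """\
interface e1/2
 switchport access vlan 100
 no shutdown
errdisable recovery cause bpduguard
errdisable recovery interval 300
"""

# Assumption: unused ports read off the answer, because Table 1 is not on the page.
SW5_UNUSED = "e0/0, e1/0 - 3"

if __name__ == "__main__":
    for label, cfg in (("answer", SW5_ANSWER), ("drifted", SW5_DRIFTED)):
        print(label, audit(cfg, SW5_UNUSED) or "compliant")
```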

1.2 Jameson’s Datacenter: Trunk ports

Refer to “Diagram 1: Jameson’s Layer 2 Connections” and “Table 1: Jameson’s VLAN to Port Mapping”.

Configure Jameson’s datacenter network (AS 65002) as per the following requirements:

• All inter-switch links must be configured to use dot1q encapsulation.
• Ensure that no switch attempts to negotiate the trunk parameters.
• Ensure that all four switches send and receive untagged frames on VLAN 1.
• All four switches must maintain a separate Spanning-tree instance for each VLAN.
• Spanning-tree must immediately delete dynamically learned MAC address entries on a per-port basis upon receiving a topology change.
• SW3 must be the root switch for all VLANs. SW4 must be the backup root switch for all VLANs. Ensure that they both have the best chances of maintaining their respective role even if any new normal-range VLAN were to be added in the future.

Answers:

SW5
interface range e2/0 - 3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
spanning-tree mode rapid-pvst

SW6
interface range e2/0 - 3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
spanning-tree mode rapid-pvst

SW3
interface range e2/0 - 3, e3/0 - 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
spanning-tree mode rapid-pvst
spanning-tree vlan 1-4094 priority 0

SW4
interface range e2/0 - 3, e3/0 - 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
spanning-tree mode rapid-pvst
spanning-tree vlan 1-4094 priority 4096

1.3 Jameson’s Datacenter: Link bundling

Refer to “Diagram 1: Jameson’s Layer 2 Connections” and “Diagram 2: Initial Topology”.

Configure Jameson’s datacenter network as per the following requirements:

• All four switches must bundle trunk ports so that they maintain a single logical link to each other (except between SW5 and SW6), as shown in “Diagram 2: Initial Topology”.
• Ensure that no switch attempts to negotiate which ports should become active in the bundle.
• The distribution switches SW3 and SW4 must balance traffic between all members of the link bundle based on source and destination IP addresses.
• The access switches SW5 and SW6 must balance the incoming traffic (that is originated from the servers) between all members of the link bundle based on the servers’ MAC address.

Answers:

SW5
interface po35
interface po45
interface range e2/0 - 1
 channel-group 45 mode on
interface range e2/2 - 3
 channel-group 35 mode on
port-channel load-balance src-mac

SW6
interface po36
interface po46
interface range e2/0 - 1
 channel-group 36 mode on
interface range e2/2 - 3
 channel-group 46 mode on
port-channel load-balance src-mac

SW3
interface po34
interface po35
interface po36
interface range e2/0 - 1
 channel-group 36 mode on
interface range e2/2 - 3
 channel-group 35 mode on
interface range e3/0 - 1
 channel-group 34 mode on
port-channel load-balance src-dst-ip

SW4
interface po34
interface po45
interface po46
interface range e2/0 - 1
 channel-group 45 mode on
interface range e2/2 - 3
 channel-group 46 mode on
interface range e3/0 - 1
 channel-group 34 mode on
port-channel load-balance src-dst-ip

1.4 Jameson’s Branch Offices

Refer to “Diagram 1: Jameson’s Layer 2 Connections”.

Configure interface Ethernet0/0 in Jameson’s branch routers R19, R20 and R21 as per the following requirements:

• The Ethernet WAN links must rely on a Layer 2 protocol that supports link negotiation and authentication.
• The service provider expects that the branch routers complete a three-way handshake by providing the expected response to a challenge that is sent by R49.
• R19 must use the username “Jamesons-R19” and password “CCIE” (without quotes).
• R20 must use the username “Jamesons-R20” and password “CCIE” (without quotes).
• R21 must use the username “Jamesons-R21” and password “CCIE” (without quotes).
• The interface Eth0/0 of all three routers must receive an IP address from R49.
• Ensure that all three routers can ping the IP address of each other’s interface Eth0/0.
• You are allowed to configure a single static route in each branch router to achieve the previous requirement.

Answers:

R19
vrf definition LOCALSP
 rd 51:19
 address-family ipv4
interface dialer1
 vrf forwarding LOCALSP
 encapsulation ppp
 ! CHAP credentials presented when R49 sends a challenge
 ppp chap password CCIE
 ppp chap hostname Jamesons-R19
 ! The address is assigned by the PPP peer during IPCP
 ip address negotiated
 dialer pool 1
 dialer-group 1
interface e0/0
 pppoe-client dial-pool-number 1
 vrf forwarding LOCALSP
 no shutdown
ip route vrf LOCALSP 0.0.0.0 0.0.0.0 192.0.2.1

R20
vrf definition LOCALSP
 rd 51:20
 address-family ipv4
interface dialer1
 vrf forwarding LOCALSP
 encapsulation ppp
 ppp chap password CCIE
 ppp chap hostname Jamesons-R20
 ip address negotiated
 dialer pool 1
 dialer-group 1
interface e0/0
 vrf forwarding LOCALSP
 pppoe-client dial-pool-number 1
 no shutdown
ip route vrf LOCALSP 0.0.0.0 0.0.0.0 192.0.2.1

R21
vrf definition LOCALSP
 rd 51:21
 address-family ipv4
interface dialer1
 vrf forwarding LOCALSP
 encapsulation ppp
 ppp chap password CCIE
 ppp chap hostname Jamesons-R21
 ip address negotiated
 dialer pool 1
 dialer-group 1
interface e0/0
 vrf forwarding LOCALSP
 pppoe-client dial-pool-number 1
 no shutdown
ip route vrf LOCALSP 0.0.0.0 0.0.0.0 192.0.2.1
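
The three-way handshake that the "ppp chap" commands above take part in, as an added example that is not part of the workbook: both sides of a CHAP exchange (RFC 1994), with the challenge and response packets built and parsed, showing that the password never crosses the link and that a response is only valid for the one challenge it answers. The hostnames and password come from the task; the authenticator name "R49" and the function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import struct

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4   # CHAP codes (RFC 1994)


def chap_digest(identifier, secret, challenge):
    """Response value: MD5 over identifier, shared secret, then challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_packet(code, identifier, value, name):
    """Challenge/Response layout: Code, Identifier, Length, Value-Size, Value, Name."""
    length = 5 + len(value) + len(name)
    return struct.pack("!BBHB", code, identifier, length, len(value)) + value + name


def parse_packet(packet):
    """Return (code, identifier, value, name), rejecting inconsistent lengths."""
    if len(packet) < 5:
        raise ValueError("truncated CHAP packet")
    code, identifier, length, value_size = struct.unpack("!BBHB", packet[:5])
    if length != len(packet) or 5 + value_size > length:
        raise ValueError("inconsistent CHAP length fields")
    return code, identifier, packet[5:5 + value_size], packet[5 + value_size:]


class Authenticator:
    """The challenging side (R49 in the task)."""

    def __init__(self, name, secrets):
        self.name = name
        self.secrets = secrets          # peer name -> shared secret
        self.identifier = 0
        self.pending = {}               # identifier -> outstanding challenge

    def challenge(self):
        self.identifier = (self.identifier + 1) % 256
        value = os.urandom(16)          # fresh and unpredictable per attempt
        self.pending[self.identifier] = value
        return build_packet(CHALLENGE, self.identifier, value, self.name)

    def verify(self, packet):
        code, identifier, value, peer = parse_packet(packet)
        challenge = self.pending.pop(identifier, None)   # each challenge is single use
        secret = self.secrets.get(peer)
        if code != RESPONSE or challenge is None or secret is None:
            return FAILURE
        expected = chap_digest(identifier, secret, challenge)
        return SUCCESS if hmac.compare_digest(value, expected) else FAILURE


def respond(packet, hostname, password):
    """The branch router's side: answer a challenge without sending the secret."""
    code, identifier, challenge, _authenticator = parse_packet(packet)
    if code != CHALLENGE:
        raise ValueError("not a CHAP challenge")
    value = chap_digest(identifier, password, challenge)
    return build_packet(RESPONSE, identifier, value, hostname)


def handshake(authenticator, hostname, password):
    """Run challenge -> response -> success/failure and return the final code."""
    return authenticator.verify(respond(authenticator.challenge(), hostname, password))


# Credentials from the task; the authenticator name "R49" is an assumption.
R49 = Authenticator(b"R49", {
    b"Jamesons-R19": b"CCIE",
    b"Jamesons-R20": b"CCIE",
    b"Jamesons-R21": b"CCIE",
})

if __name__ == "__main__":
    print("R19 accepted:", handshake(R49, b"Jamesons-R19", b"CCIE") == SUCCESS)
    print("wrong secret accepted:", handshake(R49, b"Jamesons-R19", b"ccie") == SUCCESS)
```

Because verify() discards a challenge once it has been answered, presenting a captured response a second time returns FAILURE.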

Section 2 – Layer 3 Technologies

2.1 Jameson’s IGP, part 1

Refer to “Diagram 2: Initial Topology”.

The configuration was already started. It is your responsibility to complete and verify all requirements.

Configure Jameson’s network (AS 65001 and AS 65002) according to the following requirements:

• Ensure that all routers use their interface Lo0 as OSPF router-id.
• Ensure that OSPF is not running on any interface that is facing another BGP AS.
• SW5 and SW6 must not participate in OSPF at all.
• Do not use the “network” statement under the “router ospf” configuration anywhere in the core network (AS 65001).
• Do not change the default OSPF cost of any interface anywhere.
• Ensure that R1, SW1 and SW2 are elected the designated router on all of their interfaces, and that they have the best chances of maintaining that role as long as their interfaces are up.
• Ensure that R2 is elected the Backup Designated router on all of its interfaces, and that it has the best chances of maintaining that role as long as its interfaces are up.

Answers:

Jameson’s Data Center Network (OSPF 65002 Area 0)

SW3
ip routing
router ospf 65002
 router-id 10.255.1.33
 network 10.0.0.0 0.255.255.255 area 0

SW4
ip routing
router ospf 65002
 router-id 10.255.1.34
 network 10.0.0.0 0.255.255.255 area 0

R15
router ospf 65002
 router-id 10.255.1.15
 network 10.2.0.1 0.0.0.0 area 0
 network 10.2.0.5 0.0.0.0 area 0
 network 10.255.1.15 0.0.0.0 area 0

R16
router ospf 65002
 router-id 10.255.1.16
 network 10.2.0.2 0.0.0.0 area 0
 network 10.2.0.9 0.0.0.0 area 0
 network 10.255.1.16 0.0.0.0 area 0

R17
router ospf 65002
 router-id 10.255.1.17
 network 10.0.0.0 0.255.255.255 area 0

Jameson’s Headquarters Network (OSPF 65002 Area 0)

R11
router ospf 65002
 router-id 10.255.1.11
 network 10.1.254.1 0.0.0.0 area 0
 network 10.255.1.11 0.0.0.0 area 0

R12
router ospf 65002
 router-id 10.255.1.12
 network 10.1.254.2 0.0.0.0 area 0
 network 10.255.1.12 0.0.0.0 area 0

SW1
ip routing
interface vlan 101
 ip ospf priority 255
router ospf 65002
 router-id 10.255.1.31
 network 10.0.0.0 0.255.255.255 area 0

Jameson’s Main Office Network (OSPF 65002 Area 0)

R13
router ospf 65002
 router-id 10.255.1.13
 network 10.3.254.1 0.0.0.0 area 0
 network 10.255.1.13 0.0.0.0 area 0

R14
router ospf 65002
 router-id 10.255.1.14
 network 10.3.254.2 0.0.0.0 area 0
 network 10.255.1.14 0.0.0.0 area 0

SW2
ip routing
interface vlan 101
 ip ospf priority 255
router ospf 65002
 router-id 10.255.1.32
 network 10.0.0.0 0.255.255.255 area 0

Jameson’s Core Network (OSPF 65001 Area 0)

R1
router ospf 65001
 router-id 10.255.1.1
interface l0
 ip ospf 65001 area 0
interface range e0/0 - 3, e1/0 - 2
 ip ospf priority 255
 ip ospf 65001 area 0

R2
router ospf 65001
 router-id 10.255.1.2
interface l0
 ip ospf 65001 area 0
interface range e0/0 - 3, e1/0
 ip ospf priority 254
 ip ospf 65001 area 0

R3
router ospf 65001
 router-id 10.255.1.3
interface l0
 ip ospf 65001 area 0
interface range e0/2 - 3
 ip ospf 65001 area 0

R4
router ospf 65001
 router-id 10.255.1.4
interface l0
 ip ospf 65001 area 0
interface e0/2
 ip ospf 65001 area 0
 ip ospf priority 255
interface e0/3
 ip ospf 65001 area 0

R5
router ospf 65001
 router-id 10.255.1.5
interface l0
 ip ospf 65001 area 0
interface range e0/1 - 3
 ip ospf 65001 area 0

R6
router ospf 65001
 router-id 10.255.1.6
interface l0
 ip ospf 65001 area 0
interface e0/1
 ip ospf 65001 area 0
 ip ospf priority 255
interface e0/3
 ip ospf 65001 area 0

R7
router ospf 65001
 router-id 10.255.1.7
interface l0
 ip ospf 65001 area 0
interface e0/2
 ip ospf 65001 area 0

R8
router ospf 65001
 router-id 10.255.1.8
interface l0
 ip ospf 65001 area 0
interface e0/2
 ip ospf 65001 area 0
 ip ospf priority 255

2.2 Jameson’s IGP, part 2

Refer to “Diagram 2: Initial Topology”.

Configure Jameson’s branch network according to the following requirements:

• R17 must propagate a default route in its OSPF domain, but only if it already has a default route in its routing table.
• Do not redistribute BGP into OSPF and vice versa on R17.
• Each branch router must establish an OSPF adjacency with R17 and must receive a default route via OSPF. They may not receive any other LSA type 3 from the ABR.
• Each branch router must advertise their interface Lo0 and Eth0/1 into OSPF.
• None of the branch routers may attempt to elect a Designated Router on their Tunnel0 interface.

Answers:

R17
ip route 0.0.0.0 0.0.0.0 192.0.2.1
interface t0
 ip address 10.100.0.1 255.255.255.0
 no ip redirects
 ip pim sparse-mode
 ! NHRP authentication is a clear-text string carried in NHRP packets; it does not protect tunnel traffic
 ip nhrp authentication 65002key
 ip nhrp map multicast dynamic
 ip nhrp network-id 51
 ip nhrp holdtime 300
 delay 100
 tunnel source Ethernet0/1
 tunnel mode gre multipoint
 tunnel key 65002
 ip ospf 65002 area 51
 ! Point-to-multipoint network type: no DR/BDR election on the tunnel
 ip ospf network point-to-multipoint
router ospf 65002
 ! Without the "always" keyword the default is originated only while a default route is in the routing table
 default-information originate
 area 51 stub no-summary

R19
interface t0
 bandwidth 10000
 ip address 10.100.0.19 255.255.255.0
 no ip redirects
 ip nhrp authentication 65002key
 ip nhrp map 10.100.0.1 192.0.2.2
 ip nhrp map multicast 192.0.2.2
 ip nhrp network-id 51
 ip nhrp holdtime 300
 ip nhrp nhs 10.100.0.1
 delay 100
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 65002
 tunnel vrf LOCALSP
 ip ospf network point-to-multipoint
router ospf 65002
 router-id 10.255.1.19
 network 10.0.0.0 0.255.255.255 area 51
 area 51 stub no-summary

R20
interface t0
 bandwidth 10000
 ip address 10.100.0.20 255.255.255.0
 no ip redirects
 ip nhrp authentication 65002key
 ip nhrp map 10.100.0.1 192.0.2.2
 ip nhrp map multicast 192.0.2.2
 ip nhrp network-id 51
 ip nhrp holdtime 300
 ip nhrp nhs 10.100.0.1
 delay 100
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 65002
 tunnel vrf LOCALSP
 ip ospf network point-to-multipoint
router ospf 65002
 router-id 10.255.1.20
 network 10.0.0.0 0.255.255.255 area 51
 area 51 stub no-summary

R21
interface t0
 bandwidth 10000
 ip address 10.100.0.21 255.255.255.0
 no ip redirects
 ip nhrp authentication 65002key
 ip nhrp map 10.100.0.1 192.0.2.2
 ip nhrp map multicast 192.0.2.2
 ip nhrp network-id 51
 ip nhrp holdtime 300
 ip nhrp nhs 10.100.0.1
 delay 100
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 65002
 tunnel vrf LOCALSP
 ip ospf network point-to-multipoint
router ospf 65002
 router-id 10.255.1.21
 network 10.0.0.0 0.255.255.255 area 51
 area 51 stub no-summary

2.3 Jacob’s IGP

Refer to “Diagram 2: Initial Topology”.

Jacob’s network is partly preconfigured. It is your responsibility to verify and complete it.

Configure EIGRP for IPv4 in Jacob’s core network (AS 65006) according to the following requirements:

• All EIGRP routers must support 64-bit metric calculations and Routing Information Base (RIB) scaling in EIGRP topologies.
• The interface Lo0 of each router must be seen as an internal EIGRP prefix by all other routers in their local domain.
• Ensure that EIGRP is not running on any interface that is facing another AS. Use any method to accomplish this requirement.
• Jacob’s core network must use the EIGRP autonomous system number 1.
• R52 must inject its interface Lo52 into EIGRP as an external prefix.
• All EIGRP core routers R50, R51 must add the administrative tag “172.172.172.172” to all prefixes that they inject into EIGRP.
• Ensure that operators can filter routes by using the route-tag wildcard mask.
• The following output must be seen on R50:

Configure EIGRP for IPv4 in Jacob’s Headquarter network (AS 65005) according to the following requirements:

• All EIGRP routers must support 64-bit metric calculations and Routing Information Base (RIB) scaling in EIGRP topologies.
• The interface Lo0 of each router must be seen as an internal EIGRP prefix by all other routers in their local domain.
• Ensure that EIGRP is not running on any interface that is facing another AS. Use any method to accomplish this requirement.
• Jacob’s core network must use the EIGRP autonomous system number 10.

Configure EIGRP for IPv4 in Jacob’s Office network (AS 65007) according to the following requirements:

• All EIGRP routers must support 64-bit metric calculations and Routing Information Base (RIB) scaling in EIGRP topologies.
• The interface Lo0 of each router must be seen as an internal EIGRP prefix by all other routers in their local domain.
• Ensure that EIGRP is not running on any interface that is facing another AS. Use any method to accomplish this requirement.
• Jacob’s core network must use the EIGRP autonomous system number 10.

Answers:

Jacob’s Core Network (EIGRP CCIE AS 1)

R50
route-tag notation dotted-decimal
route-map RM-SETTAG172 permit 10
 set tag 172.172.172.172
router eigrp CCIE
 address-family ipv4 unicast autonomous-system 1
  topology base
   distribute-list route-map RM-SETTAG172 in
  network 172.17.253.0 0.0.0.7
  network 172.30.1.50 0.0.0.0

R51
route-tag notation dotted-decimal
route-map RM-SETTAG172 permit 10
 set tag 172.172.172.172
router eigrp CCIE
 address-family ipv4 unicast autonomous-system 1
  topology base
   distribute-list route-map RM-SETTAG172 in
  network 172.17.253.0 0.0.0.7
  network 172.30.1.51 0.0.0.0

R52
interface l52
 ip address 52.52.52.52 255.255.255.255
route-map LB52 permit 10
 match interface Loopback52
router eigrp CCIE
 address-family ipv4 unicast autonomous-system 1
  topology base
   redistribute connected route-map LB52
  network 172.17.253.0 0.0.0.7
  network 172.30.1.52 0.0.0.0

Jacob’s Headquarters Network (EIGRP CCIE AS 10)

R55
router eigrp CCIE
 address-family ipv4 unicast autonomous-system 10
  network 172.18.254.0 0.0.0.255
  network 172.30.0.0 0.0.255.255

R56
router eigrp CCIE
 address-family ipv4 unicast autonomous-system 10
  network 172.18.254.0 0.0.0.255
  network 172.30.0.0 0.0.255.255

SW10
vlan 100,101
router eigrp CCIE
 address-family ipv4 unicast autonomous-system 10
  network 172.0.0.0 0.255.255.255

Jacob’s Office Network (EIGRP CCIE AS 10)

SW11
vlan 100,101
router eigrp CCIE
 address-family ipv4 unicast autonomous-system 10
  network 172.0.0.0 0.255.255.255

R58
router eigrp CCIE
 address-family ipv4 unicast autonomous-system 10
  network 172.17.254.0 0.0.0.255
  network 172.30.0.0 0.0.255.255

2.4 Jameson’s Pre-merge

Refer to the “Overall Scenario”, “Diagram 2: Initial Topology” and “Diagram 4: Pre-merge Topology”.

Jameson’s decided to enable MPLS VPN in their network.

Configure Jameson’s network as per the following requirements:

• R11, R12, R13 and R14 must redistribute OSPF into BGP and they must advertise a default route into their respective OSPF domain. They may not redistribute BGP into OSPF.
• R15 and R16 must mutually redistribute OSPF and BGP.
• R11, R12, R13 and R14 must advertise only four prefixes via eBGP to Jameson’s core network as follows:
  ○ R11 and R12 must advertise 10.1.0.0/16, 10.255.1.11/32, 10.255.1.12/32 and 10.255.1.101/32;
  ○ R13 and R14 must advertise 10.3.0.0/16, 10.255.1.13/32, 10.255.1.14/32 and 10.255.1.102/32;
• R1 must reflect IPv4 BGP prefixes to all core routers except R2. All internal BGP peering must be established using interface Lo0.
• Ensure that each Jameson’s site receives BGP prefixes from other sites.
• An output very similar to the one shown below must be seen on R11, R12, R13 and R14 (only the next-hop, version and update-group may differ).

Answers:

Jameson’s Core Network (BGP AS 65001)

R1
router bgp 65001
 neighbor iBGP peer-group
 neighbor iBGP remote-as 65001
 neighbor iBGP update-source Loopback0
 neighbor iBGP route-reflector-client
 neighbor 10.255.1.3 peer-group iBGP
 neighbor 10.255.1.4 peer-group iBGP
 neighbor 10.255.1.5 peer-group iBGP
 neighbor 10.255.1.6 peer-group iBGP
 neighbor 10.255.1.7 peer-group iBGP
 neighbor 10.255.1.8 peer-group iBGP

R3 – R8
router bgp 65001
 neighbor 10.255.1.1 remote-as 65001
 neighbor 10.255.1.1 update-source Loopback0
 neighbor 10.255.1.1 next-hop-self

Jameson’s Headquarters Network (BGP AS 65002)

R11
ip prefix-list PREF-FILTER seq 5 permit 10.1.0.0/16
ip prefix-list PREF-FILTER seq 10 permit 10.255.1.11/32
ip prefix-list PREF-FILTER seq 15 permit 10.255.1.12/32
ip prefix-list PREF-FILTER seq 20 permit 10.255.1.31/32
router bgp 65002
 aggregate-address 10.1.0.0 255.255.0.0 summary-only
 redistribute ospf 65002
 neighbor 10.254.0.53 remote-as 65001
 neighbor 10.254.0.53 prefix-list PREF-FILTER out
 neighbor 10.255.1.12 remote-as 65002
 neighbor 10.255.1.12 update-source l0
router ospf 65002
 default-information originate

R12
ip prefix-list PREF-FILTER seq 5 permit 10.1.0.0/16
ip prefix-list PREF-FILTER seq 10 permit 10.255.1.11/32
ip prefix-list PREF-FILTER seq 15 permit 10.255.1.12/32
ip prefix-list PREF-FILTER seq 20 permit 10.255.1.31/32
router bgp 65002
 aggregate-address 10.1.0.0 255.255.0.0 summary-only
 redistribute ospf 65002
 neighbor 10.254.0.57 remote-as 65001
 neighbor 10.254.0.57 prefix-list PREF-FILTER out
 neighbor 10.255.1.11 remote-as 65002
 neighbor 10.255.1.11 update-source l0
router ospf 65002
 default-information originate

Jameson’s Main Office Network (BGP AS 65002)

R13
ip prefix-list PREF-FILTER seq 5 permit 10.3.0.0/16
ip prefix-list PREF-FILTER seq 10 permit 10.255.1.13/32
ip prefix-list PREF-FILTER seq 15 permit 10.255.1.14/32
ip prefix-list PREF-FILTER seq 20 permit 10.255.1.32/32
router bgp 65002
 aggregate-address 10.3.0.0 255.255.0.0 summary-only
 redistribute ospf 65002
 neighbor 10.254.0.41 remote-as 65001
 neighbor 10.254.0.41 prefix-list PREF-FILTER out
 neighbor 10.255.1.14 remote-as 65002
 neighbor 10.255.1.14 update-source l0
router ospf 65002
 default-information originate

R14
ip prefix-list PREF-FILTER seq 5 permit 10.3.0.0/16
ip prefix-list PREF-FILTER seq 10 permit 10.255.1.13/32
ip prefix-list PREF-FILTER seq 15 permit 10.255.1.14/32
ip prefix-list PREF-FILTER seq 20 permit 10.255.1.32/32
router bgp 65002
 aggregate-address 10.3.0.0 255.255.0.0 summary-only
 redistribute ospf 65002
 neighbor 10.254.0.45 remote-as 65001
 neighbor 10.254.0.45 prefix-list PREF-FILTER out
 neighbor 10.255.1.13 remote-as 65002
 neighbor 10.255.1.13 update-source l0
router ospf 65002
 default-information originate

Jameson’s Data Center Network (BGP AS 65002)

R15
router bgp 65002
 redistribute ospf 65002
 neighbor 10.254.0.73 remote-as 65001
 neighbor 10.255.1.16 remote-as 65002

neighbor 10.255.1.16 update-source l0

router ospf 65002

redistribute bgp 65002 subnets

R16

router bgp 65002

redistribute ospf 65002

neighbor 10.254.0.77 remote-as 65001

neighbor 10.255.1.15 remote-as 65002

neighbor 10.255.1.15 update-source l0

router ospf 65002

redistribute bgp 65002 subnets

2.5 Jacob’s Pre‐merge

Refer to the “Overall Scenario”, “Diagram 2: Initial Topology” and “Diagram 4: Pre‐merge Topology”.

Jameson’s decided to enable MPLS VPN in their network.

Configure Jameson’s network as per the following requirements:

R55, R56 and R58 must redistribute EIGRP and BGP

Answers:

R55

router bgp 65005

redistribute eigrp 10

neighbor 172.18.253.1 remote-as 65006

router eigrp CCIE

address-family ipv4 unicast autonomous-system 10

topology base

redistribute bgp 65005 metric 10000 100 255 1 1500

R56

router bgp 65005

redistribute eigrp 10

neighbor 172.18.253.5 remote-as 65006

router eigrp CCIE

address-family ipv4 unicast autonomous-system 10

topology base

redistribute bgp 65005 metric 10000 100 255 1 1500

R58

router bgp 65007

redistribute eigrp 10

neighbor 172.17.253.22 remote-as 65006

router eigrp CCIE

address-family ipv4 unicast autonomous-system 10

topology base

redistribute bgp 65007 metric 10000 100 255 1 1500

2.6 Merge phase 1: BGP

Refer to the “Overall Scenario” and “Diagram 5: Merge Phase: 1”.

Jameson’s and Jacob’s started the first phase of their merge and added a new border router in their respective main site (R18 and R57).

Configure the network as per the following requirements:

Interface Lo0 of both R18 and R57 must be added to their respective IGP domain.

Interface Eth0/1 of both R18 and R57 must peer with its connected IGP neighbor.

Both R18 and R57 must advertise a summary prefix via eBGP to each other as follows:

○ R18 advertises 10.0.0.0/8

○ R57 advertises 172.0.0.0/8

Both R18 and R57 must propagate the received summary prefix into their respective IGP domain.

Answers:

R18

ip prefix-list PREF-BACKDOOR seq 5 permit 10.0.0.0/8

router bgp 65002

aggregate-address 10.0.0.0 255.0.0.0

redistribute ospf 65002

neighbor 10.2.0.46 remote-as 65005

neighbor 10.2.0.46 prefix-list PREF-BACKDOOR out

router ospf 65002

router-id 10.255.1.18

network 10.2.0.42 0.0.0.0 area 0

network 10.255.1.18 0.0.0.0 area 0

redistribute bgp 65002 metric-type 1 subnets

R57

ip prefix-list PREF-BACKDOOR seq 5 permit 172.0.0.0/8

router bgp 65005

aggregate-address 172.0.0.0 255.0.0.0

redistribute eigrp 10

neighbor 10.2.0.45 remote-as 65002

neighbor 10.2.0.45 prefix-list PREF-BACKDOOR out

router eigrp CCIE

address-family ipv4 unicast autonomous-system 10

topology base

redistribute bgp 65005 metric 10000 100 255 1 1500

network 172.0.0.0 0.255.255.255

2.7 Merge phase 2: IGP

Refer to “Diagram 2: Initial Topology” and “Diagram 6: Merge Phase 2”.

Jameson’s and Jacob’s are entering the second phase of the merge and have deployed two new border routers in their respective core network.

Configure the core networks as per the following requirements:

R9 and R10 must run OSPF on their interface Eth0/0 and Lo0.

R9 and R10 must run EIGRP on their interface Eth0/1.

R53 and R54 must run EIGRP on all of their interfaces.

Mutually redistribute EIGRP and OSPF on both R9 and R10.

Avoid routing loops and ensure that all current and future prefixes are routed via their optimal path. Do not use any access‐list or prefix‐list in order to achieve this requirement.

Do not change any administrative distance of any protocol in any router.

Answers:

R9

route-map RM-TO-EIGRP deny 10

match tag 172.172.172.172

route-map RM-TO-EIGRP perm 20

set tag 10.10.10.10

route-map RM-TO-OSPF deny 10

match tag 10.10.10.10

route-map RM-TO-OSPF perm 20

set tag 172.172.172.172

route-tag notation dotted-decimal

interface l0

ip ospf 65001 area 0

interface e0/1

ip ospf 65001 area 0

router ospf 65002

router-id 10.255.1.9

redistribute eigrp 1 route-map RM-TO-OSPF subnets

router eigrp CCIE

address-family ipv4 unicast autonomous-system 1

network 10.254.0.61 0.0.0.0

topology base

redistribute ospf 65001 metric 10000 100 255 1 1500 route-map RM-TO-EIGRP

R10

route-map RM-TO-EIGRP deny 10

match tag 172.172.172.172

route-map RM-TO-EIGRP perm 20

set tag 10.10.10.10

route-map RM-TO-OSPF deny 10

match tag 10.10.10.10

route-map RM-TO-OSPF perm 20

set tag 172.172.172.172

route-tag notation dotted-decimal

interface l0

ip ospf 65001 area 0

interface e0/1

ip ospf priority 255

ip ospf 65001 area 0

router ospf 65002

router-id 10.255.1.10

redistribute eigrp 1 route-map RM-TO-OSPF subnets

router eigrp CCIE

address-family ipv4 unicast autonomous-system 1

network 10.254.0.65 0.0.0.0

topology base

redistribute ospf 65001 metric 10000 100 255 1 1500 route-map RM-TO-EIGRP

R53, R54

route-tag notation dotted-decimal

router eigrp CCIE

address-family ipv4 unicast autonomous-system 1

network 172.0.0.0 0.255.255.255

network 10.0.0.0 0.255.255.255
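
The tag filtering configured on R9 and R10 can be traced with a small model of the two route-maps. This is an added example, not part of the original lab answers; the function names, the unfiltered comparison policy and the two sample routes are constructed for illustration.

```python
import ipaddress


def tag(dotted):
    """32-bit tag value for a tag written in dotted-decimal notation."""
    return int(ipaddress.IPv4Address(dotted))


# Route-maps as configured on R9 and R10:
# (action, tag to match or None for "match everything", tag to set or None)
RM_TO_EIGRP = [("deny", tag("172.172.172.172"), None),
               ("permit", None, tag("10.10.10.10"))]
RM_TO_OSPF = [("deny", tag("10.10.10.10"), None),
              ("permit", None, tag("172.172.172.172"))]
# Hypothetical unfiltered policy, used only for comparison.
RM_PERMIT_ALL = [("permit", None, None)]

# Constructed sample routes, untagged and native to each domain.
OSPF_ROUTE = {"prefix": "10.2.1.0/24", "tag": 0}
EIGRP_ROUTE = {"prefix": "172.18.1.0/24", "tag": 0}


def apply_route_map(route_map, route):
    """Return the redistributed copy of the route, or None if it is filtered.

    The first matching sequence decides; a route that matches no sequence
    hits the implicit deny at the end of every route-map.
    """
    for action, match_tag, set_tag in route_map:
        if match_tag is not None and route["tag"] != match_tag:
            continue
        if action == "deny":
            return None
        redistributed = dict(route)
        if set_tag is not None:
            redistributed["tag"] = set_tag
        return redistributed
    return None


def round_trip(route, out_map, back_map):
    """Redistribute a route on one border router, then offer the result to
    the other border router for redistribution back into the source protocol.

    Returns (route as seen in the second protocol, re-injected route or None).
    """
    leaked = apply_route_map(out_map, route)
    returned = apply_route_map(back_map, leaked) if leaked is not None else None
    return leaked, returned


if __name__ == "__main__":
    cases = [
        ("OSPF -> EIGRP -> OSPF, tagged", OSPF_ROUTE, RM_TO_EIGRP, RM_TO_OSPF),
        ("EIGRP -> OSPF -> EIGRP, tagged", EIGRP_ROUTE, RM_TO_OSPF, RM_TO_EIGRP),
        ("OSPF -> EIGRP -> OSPF, no filter", OSPF_ROUTE, RM_PERMIT_ALL, RM_PERMIT_ALL),
    ]
    for name, route, out_map, back_map in cases:
        leaked, returned = round_trip(route, out_map, back_map)
        verdict = "blocked" if returned is None else "re-injected (feedback)"
        print(f"{name}: {route['prefix']} tag after first hop "
              f"{ipaddress.IPv4Address(leaked['tag'])}, return path {verdict}")
```

Because the filter keys on the tag and not on the prefix, it also covers prefixes added later, which is what the "current and future prefixes" requirement asks for.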

2.8 Merge phase 2: Routing Policies

Refer to the “Overall Scenario”, “Diagram 2: Initial Topology” and “Diagram 6: Merge Phase 2”.

Configure the network as per the following requirements:

Network managers have decided that the primary path for all traffic between Jameson’s 10.2.1.0/24 and Jacob’s 172.18.1.0/24 must be routed preferably via the BGP backdoor link between R18 and R57. If this link should fail then traffic should fall back over the MPLS core network.

All other traffic must be routed preferably via the MPLS core network.

Do not configure any route‐map or access‐list in order to achieve this requirement.

Ensure that the following test reveals the same path as shown below:

Answers:

R18

ip prefix-list PREF-BACKDOOR seq 5 permit 172.18.1.0/24

R57

ip prefix-list PREF-BACKDOOR seq 5 permit 10.2.1.0/24

2.9 IPv6 Routing, part 1

Refer to “Diagram 2: Initial Topology”.

Jameson’s started deploying IPv6 in dual‐stack mode in the datacenter.

Configure Jameson’s datacenter network as per the following requirements:

Establish OSPFv3 adjacencies in Area 0 between SW3, SW4, R15 and R16.

Do not use the command “ipv6 ospf” anywhere in order to accomplish the previous requirement.

Interface VLAN 100 of SW3 must be configured with default route preference set to “high”.

Interface VLAN 100 of SW4 must be configured with default route preference set to “medium”.

The interval between Router Advertisement transmissions on VLAN 100 must be set to 20 seconds on both SW3 and SW4.

Answers:

SW3

router ospfv3 65002

router-id 10.255.1.33

interface l0

ipv6 address 2001:6500:2::33/128

ospfv3 65002 ipv6 area 0

interface vlan 153

ipv6 address 2001:6500:2:1533::33/64

ospfv3 65002 ipv6 area 0

interface vlan 34

ipv6 address 2001:6500:2:3334::33/64

ospfv3 65002 ipv6 area 0

interface vlan 100

ipv6 nd router-preference High

ipv6 nd ra interval 20

SW4

router ospfv3 65002

router-id 10.255.1.34

interface l0

ipv6 address 2001:6500:2::34/128

ospfv3 65002 ipv6 area 0

interface vlan 164

ipv6 address 2001:6500:2:1634::34/64

ospfv3 65002 ipv6 area 0

interface vlan 34

ipv6 address 2001:6500:2:3334::34/64

ospfv3 65002 ipv6 area 0

interface vlan 100

ipv6 nd router-preference Medium

ipv6 nd ra interval 20

R15

router ospfv3 65002

router-id 10.255.1.15

interface l0

ipv6 address 2001:6500:2::15/128

ospfv3 65002 ipv6 area 0

interface e0/0

ipv6 address 2001:6500:2:1533::15/64

ospfv3 65002 ipv6 area 0

interface e0/2

ipv6 address 2001:6500:2:1516::15/64

ospfv3 65002 ipv6 area 0

R16

router ospfv3 65002

router-id 10.255.1.16

interface l0

ipv6 address 2001:6500:2::16/128

ospfv3 65002 ipv6 area 0

interface e0/0

ipv6 address 2001:6500:2:1634::16/64

ospfv3 65002 ipv6 area 0

interface e0/2

ipv6 address 2001:6500:2:1516::16/64

ospfv3 65002 ipv6 area 0

2.10 IPv6 Routing, part 2

Configure Jameson’s datacenter network as per the following requirements:

SW3 and SW4 must provide first‐hop redundancy for hosts in VLAN 100 by sharing the virtual link‐local address FE80:100::1.

SW3 must be elected as the active router and SW4 must be elected the standby router.

In case SW3 is down, SW4 must take over the active role. If SW3 comes back online, it must automatically recover the active role from SW4.

Ensure that HSRP Hello packets are exchanged every second and that the standby takes over the active role if three consecutive Hello packets were missed from the active.

Answers:

R101

interface e0/0

ipv6 address autoconfig

SW3

interface vlan 100

ipv6 address 2001:6500:2:100::33/64

ospfv3 65002 ipv6 area 0

standby version 2

standby 6 ipv6 FE80:100::1

standby 6 preempt

standby 6 priority 105

standby 6 timers 1 3

SW4

interface vlan 100

ipv6 address 2001:6500:2:100::34/64

ospfv3 65002 ipv6 area 0

standby version 2

standby 6 ipv6 FE80:100::1

standby 6 preempt

standby 6 timers 1 3

2.11 Multicast in Jameson’s

Refer to “Diagram 2: Initial Topology”.

An application running on server R101 (which is located in Jameson’s datacenter) uses multicast to deliver specific traffic to users located in Jameson’s branch network.

Configure Jameson’s network as per the following requirements:

Use PIM Sparse‐mode.

The interface Lo0 of R15 must be elected as the Rendezvous point for the whole multicast domain.

R15 must announce its candidacy to advertise the group‐to‐RP mapping set to the router link local address.

For interoperability reasons, the selection of R15 as the RP must adhere to the open standard and must use the default priority value as per the standard.

The source R101 uses the group address 239.1.1.1 to send traffic to interested receivers.

Receivers are located in the branch network and they are connected to the datacenter via DMVPN.

Ensure that the following test is successful:

Answers:

SW3

ip multicast-routing

interface vlan 100

ip pim sparse-mode

interface vlan 34

ip pim sparse-mode

interface vlan 153

ip pim sparse-mode

interface vlan 173

ip pim sparse-mode

SW4

ip multicast-routing

interface vlan 100

ip pim sparse-mode

interface vlan 34

ip pim sparse-mode

interface vlan 164

ip pim sparse-mode

R15

ip multicast-routing

interface l0

ip pim sparse-mode

interface e0/0

ip pim sparse-mode

interface e0/2

ip pim sparse-mode

ip pim bsr-candidate Loopback0

ip pim rp-candidate Loopback0

R16

ip multicast-routing

interface e0/0

ip pim sparse-mode

interface e0/2

ip pim sparse-mode

R17

ip multicast-routing

interface e0/0

ip pim sparse-mode

interface t0

ip pim sparse-mode

R19

ip multicast-routing

interface t0

ip pim sparse-mode

interface e0/1

ip pim sparse-mode

ip igmp join-group 239.1.1.1

R20

ip multicast-routing

interface t0

ip pim sparse-mode

interface e0/1

ip pim sparse-mode

ip igmp join-group 239.1.1.1

R21

ip multicast-routing

interface t0

ip pim sparse-mode

interface e0/1

ip pim sparse-mode

ip igmp join-group 239.1.1.1

Section 3 – VPN Technologies

3.1 Jameson’s Branch Offices

Refer to “Diagram 2: Initial Topology”.

Configure DMVPN Phase 3 in Jameson’s branch network as per the following requirements:

Use the preconfigured interface Tunnel0 on all four routers in order to accomplish this task.

R17 must be configured as the hub router.

R19, R20 and R21 must be the spoke routers and must participate in the NHRP information exchange.

Ensure that spoke‐to‐spoke traffic does not transit via the hub.

Protect the tunneled traffic by attaching the preconfigured IPsec profile to the tunnel interface on all tunnel end‐points.

Ensure that all spokes establish an OSPF adjacency through the tunnel with the hub R17, without attempting to elect any Designated Router.

Ensure that the following tests are successful:

Answers:

R17

crypto isakmp policy 10

encr aes

authentication pre-share

group 2

crypto isakmp key CCIE address 0.0.0.0

crypto ipsec transform-set DMVPN-TFSET esp-aes

mode transport

crypto ipsec profile DMVPN-PROFILE

set transform-set DMVPN-TFSET

interface Tunnel0

ip nhrp redirect

tunnel protection ipsec profile DMVPN-PROFILE

R19 – R21

crypto isakmp policy 10

encr aes

authentication pre-share

group 2

crypto keyring CCIE vrf LOCALSP

pre-shared-key address 0.0.0.0 0.0.0.0 key CCIE

crypto ipsec transform-set DMVPN-TFSET esp-aes

mode transport

crypto ipsec profile DMVPN-PROFILE

set transform-set DMVPN-TFSET

interface Tunnel0

ip nhrp shortcut

tunnel protection ipsec profile DMVPN-PROFILE

3.2 Jameson’s Pre‐merge VPN

Refer to the “Overall Scenario” and “Diagram 4: Pre‐merge Topology”.

Jameson’s decided to enable MPLS VPN in their network.

They started configuring it but it is your responsibility to complete it and verify that it is fully functional.

Configure Jameson’s network as per the following requirements:

Enable LDP in the core network as indicated in “Diagram 4: Pre‐merge Topology”.

Ensure that all LDP routers use their interface Lo0 as their LDP router‐id.

R1 must reflect VPNv4 prefixes to all PE’s.

The datacenter and main office network must be connected to the VPN “GREEN” via eBGP.

The headquarters network must be connected to the VPN “RED” via eBGP.

All six PE’s must use a consistent format “ASN.nn” for the VPN route distinguisher, where:

○ ASN is the Autonomous System Number of the connected CE

○ nn is any relevant number for the VPN site.

Ensure that R101 in the datacenter’s VLAN 100 can successfully ping SW2 in the main office as shown below:

Answers:

R1

mpls ldp router-id Loopback0 force

router ospf 65001

mpls ldp autoconfig

router bgp 65001

address-family vpnv4

neighbor iBGP send-community both

neighbor iBGP route-reflector-client

neighbor 10.255.1.3 activate

neighbor 10.255.1.4 activate

neighbor 10.255.1.5 activate

neighbor 10.255.1.6 activate

neighbor 10.255.1.7 activate

neighbor 10.255.1.8 activate

R2

mpls ldp router-id Loopback0 force

router ospf 65001

mpls ldp autoconfig

R3

ip vrf GREEN

rd 65002:2

interface e0/0

ip vrf forwarding GREEN

ip address 10.254.0.73 255.255.255.252

mpls ldp router-id Loopback0 force

router ospf 65001

mpls ldp autoconfig

router bgp 65001

address-family vpnv4

neighbor 10.255.1.1 activate

neighbor 10.255.1.1 send-community both

address-family ipv4 vrf GREEN

neighbor 10.254.0.74 remote-as 65002

neighbor 10.254.0.74 activate

neighbor 10.254.0.74 as-override

R4

ip vrf GREEN

rd 65002:2

interface e0/0

ip vrf forwarding GREEN

ip address 10.254.0.77 255.255.255.252

mpls ldp router-id Loopback0 force

router ospf 65001

mpls ldp autoconfig

router bgp 65001

address-family vpnv4

neighbor 10.255.1.1 activate

neighbor 10.255.1.1 send-community both

address-family ipv4 vrf GREEN

neighbor 10.254.0.78 remote-as 65002

neighbor 10.254.0.78 activate

neighbor 10.254.0.78 as-override

R5

ip vrf GREEN

rd 65002:3

interface e0/0

ip vrf forwarding GREEN

ip address 10.254.0.41 255.255.255.252

mpls ldp router-id Loopback0 force

router ospf 65001

mpls ldp autoconfig

router bgp 65001

address-family vpnv4

neighbor 10.255.1.1 activate

neighbor 10.255.1.1 send-community both

address-family ipv4 vrf GREEN

neighbor 10.254.0.42 remote-as 65002

neighbor 10.254.0.42 activate

neighbor 10.254.0.42 as-override

R6

ip vrf GREEN

rd 65002:3

interface e0/0

ip vrf forwarding GREEN

ip address 10.254.0.45 255.255.255.252

mpls ldp router-id Loopback0 force

router ospf 65001

mpls ldp autoconfig

router bgp 65001

address-family vpnv4

neighbor 10.255.1.1 activate

neighbor 10.255.1.1 send-community both

address-family ipv4 vrf GREEN

neighbor 10.254.0.46 remote-as 65002

neighbor 10.254.0.46 activate

neighbor 10.254.0.46 as-override

R7

ip vrf RED

rd 65002:1

interface e0/0

ip vrf forwarding RED

ip address 10.254.0.53 255.255.255.252

mpls ldp router-id Loopback0 force

router ospf 65001

mpls ldp autoconfig

router bgp 65001

address-family vpnv4

neighbor 10.255.1.1 activate

neighbor 10.255.1.1 send-community both

address-family ipv4 vrf RED

neighbor 10.254.0.54 remote-as 65002

neighbor 10.254.0.54 activate

neighbor 10.254.0.54 as-override

R8

ip vrf RED

rd 65002:1

interface e0/0

ip vrf forwarding RED

ip address 10.254.0.57 255.255.255.252

mpls ldp router-id Loopback0 force

router ospf 65001

mpls ldp autoconfig

router bgp 65001

address-family vpnv4

neighbor 10.255.1.1 activate

neighbor 10.255.1.1 send-community both

address-family ipv4 vrf RED

neighbor 10.254.0.58 remote-as 65002

neighbor 10.254.0.58 activate

neighbor 10.254.0.58 as-override

3.3 Merge phase 2: VPN

Refer to the “Overall Scenario” and “Diagram 6: Merge Phase 2”.

Jameson’s and Jacob’s are entering the second phase of the merge and have deployed two new border routers in their respective core network.

Configure the network as per the following requirements:

The BGP AS number of Jacob’s original core network must be converted to use Jameson’s AS number 65001, as indicated in “Diagram 6: Merge Phase 2”.

All BGP sessions between Jacob’s core and remote sites (including headquarters and office networks) must be recovered using the new AS number.

Do not modify the BGP configuration of Jacob’s CEs (R55, R56 and R58) in order to accomplish this requirement.

Enable LDP in the merged core network as indicated in “Diagram 6: Merge Phase 2”, including the four new border routers (R9, R10, R53, R54) and Jacob’s core network.

Ensure that all LDP routers use their interface Lo0 as their LDP router‐id.

R1 must reflect VPNv4 prefixes to all PE’s, including to Jacob’s PE.

Jacob’s headquarters network must be added to the VPN GREEN.

Jacob’s office network must be added to the VPN BLUE.

All nine PE’s must use a consistent format “ASN.nn” for the VPN route distinguisher, where:

○ ASN is the Autonomous System Number of the connected CE

○ nn is any relevant number

Answers:

R9, R10

interface e0/0

mpls ip

R53, R54

mpls ldp router-id Loopback0 force

interface range e0/0 - 1

mpls ip

R1

router bgp 65001

neighbor 172.30.1.50 peer-group iBGP

neighbor 172.30.1.51 peer-group iBGP

neighbor 172.30.1.52 peer-group iBGP

address-family vpnv4

neighbor 172.30.1.50 activate

neighbor 172.30.1.51 activate

neighbor 172.30.1.52 activate

R50

mpls ldp router-id Loopback0 force

interface e0/0

mpls ip

ip vrf GREEN

rd 65005:18

interface e0/1

ip vrf forwarding GREEN

ip address 172.18.253.1 255.255.255.252

router bgp 65001

neighbor 10.255.1.1 remote-as 65001

neighbor 10.255.1.1 update-source Loopback0

address-family vpnv4

neighbor 10.255.1.1 activate

neighbor 10.255.1.1 send-community both

address-family ipv4 vrf GREEN

neighbor 172.18.253.2 remote-as 65005

neighbor 172.18.253.2 local-as 65006

neighbor 172.18.253.2 activate

R51

mpls ldp router-id Loopback0 force

interface e0/0

mpls ip

ip vrf GREEN

rd 65005:18

interface Ethernet0/1

ip vrf forwarding GREEN

ip address 172.18.253.5 255.255.255.252

router bgp 65001

neighbor 10.255.1.1 remote-as 65001

neighbor 10.255.1.1 update-source Loopback0

address-family vpnv4

neighbor 10.255.1.1 activate

neighbor 10.255.1.1 send-community both

address-family ipv4 vrf GREEN

neighbor 172.18.253.6 remote-as 65005

neighbor 172.18.253.6 local-as 65006

neighbor 172.18.253.6 activate

R52

mpls ldp router-id Loopback0 force

interface e0/0

mpls ip

ip vrf BLUE

rd 65007:17

interface Ethernet0/1

ip vrf forwarding BLUE

ip address 172.17.253.22 255.255.255.248

router bgp 65001

neighbor 10.255.1.1 remote-as 65001

neighbor 10.255.1.1 local-as 65001

neighbor 10.255.1.1 update-source Loopback0

address-family vpnv4

neighbor 10.255.1.1 activate

neighbor 10.255.1.1 send-community both

address-family ipv4 vrf BLUE

neighbor 172.17.253.21 remote-as 65007

neighbor 172.17.253.21 local-as 65006

neighbor 172.17.253.21 activate

3.4 Inter‐VPN Routing

Refer to the “Overall Scenario” and “Diagram 6: Merge Phase 2”.

Configure the network as per the following requirements:

Jameson’s headquarters (VPN RED), main office (VPN GREEN) and Jacob’s office (VPN BLUE) must receive datacenter prefixes (VPN GREEN).

Jameson’s main office (VPN GREEN) may not receive headquarters (VPN RED) prefixes nor Jacob’s headquarters (VPN GREEN) prefixes.

In order to simplify future changes, your solution may not be limited to specific prefixes.

Answers:

R3, R4

ip vrf GREEN

route-target export 65002:2

route-target import 65002:1

route-target import 65002:3

route-target import 65005:18

route-target import 65007:17

R5, R6

ip vrf GREEN

route-target export 65002:3

route-target import 65002:2

R7, R8

ip vrf RED

route-target export 65002:1

route-target import 65002:2

R50, R51

ip vrf GREEN

route-target export 65005:18

route-target import 65002:2

R52

ip vrf BLUE

route-target export 65007:17

route-target import 65002:2
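
The route-target lines above define which VPN sites can see each other, so they can be audited mechanically against the stated requirements. This is an added example, not part of the original lab answers; the `! site:` labels, the function names and the policy lists are assumptions made for the check, while the `ip vrf` and `route-target` lines are copied from the answers.

```python
# Route-target configuration from the answers above. The "! site:" comment
# lines are labels added for this example (datacenter = R3/R4,
# main office = R5/R6, headquarters = R7/R8, Jacob's headquarters = R50/R51,
# Jacob's office = R52).
PE_CONFIG = """\
! site: datacenter
ip vrf GREEN
 route-target export 65002:2
 route-target import 65002:1
 route-target import 65002:3
 route-target import 65005:18
 route-target import 65007:17
! site: main office
ip vrf GREEN
 route-target export 65002:3
 route-target import 65002:2
! site: headquarters
ip vrf RED
 route-target export 65002:1
 route-target import 65002:2
! site: Jacob's headquarters
ip vrf GREEN
 route-target export 65005:18
 route-target import 65002:2
! site: Jacob's office
ip vrf BLUE
 route-target export 65007:17
 route-target import 65002:2
"""

# Requirements of task 3.4 as (receiver, source) pairs.
MUST_RECEIVE = [("headquarters", "datacenter"),
                ("main office", "datacenter"),
                ("Jacob's office", "datacenter")]
MUST_NOT_RECEIVE = [("main office", "headquarters"),
                    ("main office", "Jacob's headquarters")]


def parse_route_targets(text):
    """Collect the VRF name and the import/export route-target sets per site."""
    sites, current = {}, None
    for line in text.splitlines():
        words = line.split()
        if line.startswith("! site:"):
            current = line.split(":", 1)[1].strip()
            sites[current] = {"vrf": None, "import": set(), "export": set()}
        elif current is None or not words:
            continue
        elif words[:2] == ["ip", "vrf"] and len(words) == 3:
            sites[current]["vrf"] = words[2]
        elif words[0] == "route-target" and len(words) == 3:
            directions = {"import": ["import"], "export": ["export"],
                          "both": ["import", "export"]}.get(words[1], [])
            for direction in directions:
                sites[current][direction].add(words[2])
    return sites


def import_matrix(sites):
    """For each site, the other sites whose exported routes its VRF imports."""
    return {name: {other for other, peer in sites.items()
                   if other != name and peer["export"] & vrf["import"]}
            for name, vrf in sites.items()}


def policy_violations(matrix):
    """Compare the computed reachability with the task requirements."""
    problems = []
    for receiver, source in MUST_RECEIVE:
        if source not in matrix[receiver]:
            problems.append(f"{receiver} is missing routes from {source}")
    for receiver, source in MUST_NOT_RECEIVE:
        if source in matrix[receiver]:
            problems.append(f"{receiver} must not receive routes from {source}")
    return problems


if __name__ == "__main__":
    matrix = import_matrix(parse_route_targets(PE_CONFIG))
    for site, sources in matrix.items():
        print(f"{site:22} imports from: {', '.join(sorted(sources))}")
    print("violations:", policy_violations(matrix) or "none")
```

The datacenter VRF is the only one that imports every other site's export target; every other VRF imports 65002:2 alone, which is what keeps the main office isolated from both headquarters sites without any per-prefix filter.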

Section 4 – Infrastructure Security

4.1 Device Security

Refer to “Diagram 1: Initial Topology”.

Configure the network as per the following requirements:

Protect R17’s control‐plane from TTL expiry attacks so that illegitimate IP packets with a TTL of 0 or 1 are dropped before the CPU processes them.

Legitimate packets include expected control protocols running on the link.

Answers:

R17

ip access-list extended ACL-TTL-EXCEEDED

deny ospf any any

deny pim any any

permit ip any any ttl lt 2

class-map match-all CM-TTL-EXCEEDED

match access-group name ACL-TTL-EXCEEDED

policy-map PM-CoPP

class CM-TTL-EXCEEDED

drop

class class-default

police cir 8000 conform-action transmit exceed-action transmit

control-plane

service-policy input PM-CoPP
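
How the ACL and the policy-map above combine can be checked by evaluating them against a few packets. This is an added example, not part of the original lab answers; the parser handles only the three entry forms used in ACL-TTL-EXCEEDED, and the sample packets are constructed.

```python
# IP protocol numbers for the keywords used here; "ip" matches any protocol.
PROTOCOLS = {"ip": None, "icmp": 1, "igmp": 2, "tcp": 6, "udp": 17,
             "ospf": 89, "pim": 103}

# Entries of ACL-TTL-EXCEEDED, copied from the R17 answer.
ACL_TTL_EXCEEDED = """\
deny ospf any any
deny pim any any
permit ip any any ttl lt 2
"""


def parse_acl(text):
    """Parse '<action> <protocol> any any [ttl lt N]' entries."""
    entries = []
    for line in text.strip().splitlines():
        words = line.split()
        if len(words) < 4 or words[0] not in ("permit", "deny") \
                or words[1] not in PROTOCOLS or words[2:4] != ["any", "any"]:
            raise ValueError(f"unsupported entry: {line!r}")
        ttl_lt = None
        if len(words) == 7 and words[4:6] == ["ttl", "lt"]:
            ttl_lt = int(words[6])
        elif len(words) != 4:
            raise ValueError(f"unsupported entry: {line!r}")
        entries.append((words[0], PROTOCOLS[words[1]], ttl_lt))
    return entries


def acl_result(entries, packet):
    """First matching entry wins; no match means the implicit deny."""
    for action, protocol, ttl_lt in entries:
        if protocol is not None and packet["proto"] != protocol:
            continue
        if ttl_lt is not None and not packet["ttl"] < ttl_lt:
            continue
        return action
    return "deny"


def copp_action(entries, packet):
    """PM-CoPP: an ACL permit puts the packet in class CM-TTL-EXCEEDED, which
    drops it. An ACL deny only means "not in this class", so the packet falls
    through to class-default (policed, transmitted in both cases)."""
    return "drop" if acl_result(entries, packet) == "permit" else "class-default"


# Constructed sample packets as seen by the control plane.
SAMPLE_PACKETS = [
    {"name": "OSPF hello", "proto": 89, "ttl": 1},
    {"name": "PIM hello", "proto": 103, "ttl": 1},
    {"name": "UDP probe with expiring TTL", "proto": 17, "ttl": 1},
    {"name": "ICMP with TTL 0", "proto": 1, "ttl": 0},
    {"name": "TCP session, normal TTL", "proto": 6, "ttl": 64},
    # Any other protocol that legitimately arrives with TTL 1 is not exempted
    # by this ACL and would need its own deny line ahead of the permit.
    {"name": "IGMP report", "proto": 2, "ttl": 1},
]


def evaluate(packets):
    entries = parse_acl(ACL_TTL_EXCEEDED)
    return {p["name"]: copp_action(entries, p) for p in packets}


if __name__ == "__main__":
    for name, action in evaluate(SAMPLE_PACKETS).items():
        print(f"{name:30} -> {action}")
```

The order of the entries matters: moving the `permit ip any any ttl lt 2` line above the two `deny` lines would classify OSPF and PIM hellos for dropping as well.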

4.2 Network Security

Refer to “Diagram 1: Jameson’s Layer 2 Connections” and “Diagram 2: Initial Topology”.

Configure the network as per the following requirements:

SW5 and SW6 must filter DHCP messages received from untrusted hosts by comparing the source MAC address and the DHCP client hardware address. If the addresses match, the switches must forward the packet. If the addresses do not match, the switches must drop the packet.

Ensure that these access switches do not filter DHCP packets on their uplinks.

Ensure that the DHCP relay switches (refer to item 5.1) allow DHCP messages received on their interface VLAN 100 with the added Option 82 and uninitialized GIADDR field to be accepted.

Answers:

SW5

ip dhcp snooping

ip dhcp snooping vlan 100

interface po35

ip dhcp snooping trust

interface po45

ip dhcp snooping trust

SW6

ip dhcp snooping

ip dhcp snooping vlan 100

interface po36

ip dhcp snooping trust

interface po46

ip dhcp snooping trust

SW3, SW4

interface vlan 100

ip dhcp relay information trusted
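
The two checks described in this task, the source MAC versus client hardware address comparison on the access switches and the Option 82 with zero GIADDR check on the relay, can be reproduced on raw frames. This is an added example, not part of the original lab answers; it models only these two checks, and the MAC addresses, Option 82 bytes and function names are constructed for illustration.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
ZERO_IP = b"\x00" * 4


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_discover(src_mac, chaddr, giaddr=ZERO_IP, option82=None):
    """Constructed test input: Ethernet/IPv4/UDP DHCPDISCOVER, checksums zero."""
    options = b"\x35\x01\x01"                       # option 53 = DHCPDISCOVER
    if option82 is not None:
        options += bytes([82, len(option82)]) + option82
    options += b"\xff"                              # end option
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, 6, 0,                 # op, htype, hlen, hops
                        0x1234ABCD, 0, 0x8000,      # xid, secs, flags
                        ZERO_IP, ZERO_IP, ZERO_IP, giaddr,
                        chaddr, b"", b"") + MAGIC_COOKIE + options
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ZERO_IP, b"\xff" * 4) + udp
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip


def parse_dhcp(frame):
    """Extract the fields both checks need; raise ValueError on anything that
    is not a well-formed IPv4/UDP DHCP frame."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or frame[23] != 17:
        raise ValueError("not UDP")
    bootp = frame[14 + ihl + 8:]
    if len(bootp) < 240 or bootp[236:240] != MAGIC_COOKIE:
        raise ValueError("not DHCP")
    hlen = bootp[2]
    if hlen > 16:
        raise ValueError("bad hardware address length")
    options, i = {}, 240
    while i < len(bootp) and bootp[i] != 255:
        if bootp[i] == 0:                           # pad option
            i += 1
            continue
        if i + 1 >= len(bootp) or i + 2 + bootp[i + 1] > len(bootp):
            raise ValueError("truncated option")
        options[bootp[i]] = bootp[i + 2:i + 2 + bootp[i + 1]]
        i += 2 + bootp[i + 1]
    return {"src_mac": frame[6:12], "chaddr": bootp[28:28 + hlen],
            "giaddr": bootp[24:28], "options": options}


def access_switch_verdict(frame, port_trusted):
    """SW5/SW6: on untrusted ports the Ethernet source MAC must equal the
    DHCP client hardware address; trusted uplinks are not filtered."""
    if port_trusted:
        return "forward"
    packet = parse_dhcp(frame)
    return "forward" if packet["src_mac"] == packet["chaddr"] else "drop"


def relay_verdict(frame, information_trusted):
    """SW3/SW4 interface VLAN 100: a request that already carries Option 82
    but still has GIADDR 0.0.0.0 is accepted only when the interface is
    configured with 'ip dhcp relay information trusted'."""
    packet = parse_dhcp(frame)
    if 82 in packet["options"] and packet["giaddr"] == ZERO_IP \
            and not information_trusted:
        return "drop"
    return "forward"


# Constructed sample values.
HOST_MAC = mac("02:00:00:00:01:01")
OTHER_MAC = mac("02:00:00:00:09:99")
SAMPLE_OPTION82 = b"\x01\x06\x00\x04\x00\x64\x01\x05"  # circuit-id sub-option

HONEST = build_discover(HOST_MAC, HOST_MAC)
SPOOFED = build_discover(HOST_MAC, OTHER_MAC)
WITH_OPTION82 = build_discover(HOST_MAC, HOST_MAC, option82=SAMPLE_OPTION82)
```

`SPOOFED` is dropped on an untrusted port and forwarded on a trusted uplink, and `WITH_OPTION82` is accepted by the relay only with the interface marked as trusted, which matches the three requirements of this task.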

Section 5 – Infrastructure Services

5.1 Centralized DHCP

Refer to “Diagram 1: Jameson’s Layer 2 Connections” and “Diagram 2: Initial Topology”.

Jameson’s R15 must centralize DHCP service for the datacenter’s host VLANs.

Configure the network as per the following requirements:

Ensure that the distribution switches SW3 and SW4 forward DHCP discover broadcast messages received from VLAN 100’s hosts to interface Lo0 of R15 as unicast messages.

R15 must assign hosts in VLAN 100 a valid IP address from the prefix 10.2.1.0/24.

Ensure that addresses that were statically configured will never be assigned to any host.

The DHCP offer must include the IP address 10.2.1.1/24 as the default gateway for VLAN 100 users.

Ensure that the server R101 effectively receives an IP address from the expected prefix 10.2.1.0/24 as well as its default gateway information.

Answers:

SW3

interface vlan 100

ip helper-address 10.255.1.15

SW4

interface vlan 100

ip helper-address 10.255.1.15

R15

ip dhcp excluded-address 10.2.1.1

ip dhcp excluded-address 10.2.1.253

ip dhcp excluded-address 10.2.1.254

ip dhcp pool VLAN-100

network 10.2.1.0 255.255.255.0

default-router 10.2.1.1

R101

interface e0/0

ip address dhcp

5.2 Internet Gateway

Refer to “Diagram 1: Initial Topology”.

Configure the network as per the following requirements:

R17 is Jameson’s Internet gateway router.

Ensure that R17 enables all internal hosts (that is, hosts with source IP address in the range of 10.0.0.0/8 or 172.0.0.0/8) to simultaneously connect to the Internet using the public IP address of interface Eth0/0.

The following tests must be successful:

Answers:

R17

ip access-list standard ACL-NAT

permit 10.0.0.0 0.255.255.255

permit 172.0.0.0 0.255.255.255

interface e0/1

ip nat outside

interface e0/0

ip nat inside

ip nat inside source list ACL-NAT interface e0/1 overload

5.3 First hop redundancy

Refer to “Diagram 1: Jameson’s Layer 2 Connections” and “Diagram 2: Initial Topology”.

Jameson’s datacenter SW3 and SW4 must offer first hop redundancy to VLAN 100’s hosts using HSRP.

Configure the network as per the following requirements:

SW3 and SW4 must use the multicast address 224.0.0.102 in order to negotiate the active and standby roles.

SW3 must be elected as the active router and SW4 must be elected as the standby router.

In case SW3 is down, SW4 must take over the active role. If SW3 comes back online, it must automatically recover the active role from SW4.

Ensure that HSRP hello packets are exchanged every second and that the standby takes over the active role if three consecutive Hello packets were missed from the active.

Both routers must share the virtual IP address 10.2.1.1 that will be used as default gateway for VLAN 100’s hosts.

Answers:

SW3

interface vlan 100

standby version 2

standby 4 timers 1 3

standby 4 preempt

standby 4 ip 10.2.1.1

standby 4 priority 105

SW4

interface vlan 100

standby version 2

standby 4 timers 1 3

standby 4 preempt

standby 4 ip 10.2.1.1

5.4 Tracking reachability

Refer to “Diagram 1: Jameson’s Layer 2 Connections” and “Diagram 2: Initial Topology”.

Configure the network as per the following requirements:

SW3 and SW4 must monitor the reachability of their OSPF IPv4 default route and in case it is not available, the HSRP priority must be decreased by 10.

Answers:

SW3

track 1 ip route 0.0.0.0 0.0.0.0 reachability

interface vlan 100

standby 4 track 1 decrement 10

SW4

track 1 ip route 0.0.0.0 0.0.0.0 reachability

interface vlan 100

standby 4 track 1 decrement 10
