Cciereallab_RS CCIE V5 Workbook 2015 K6 Questions

www.cciereallab.net

CCIE R&S Lab V5 Workbook 2015

CCIE R&S V5 Workbook K6 questions

Update 2015-01-09

© www.cciereallab.net HTU

UT H

All rights reserved.

Copyright 2015© cciereallab

www.cciereallab.net

-1-

www.cciereallab.net

CCIE R&S Lab V5 Workbook 2015

Section 1（layer 2 technology）

1.1 Switch Administration 

Configure the ACME headquarters network（AS 12345）as per the following requirements： ●The vtp domain must be set to "CCIE” (without quotes)

●Enable VTP Version 2 ●SW1 must be the VTP server and sw2 must be the VTP client ●Secure all vtp update with an MD5 digest of the ASCII string “CCIErock$”(without quotes) ●In order to avoid as much as possible unknown unicast flooding in all vlans the administrator requires that any dynamic entries learned by either SW1 to SW2 must be retained for 2 hours before being refreshed



Configure the network of the new York office（AS 34567）as per the following requirements ●The vtp domain must be set to "CCIE” (without quotes)

●Use VTP version 2 ●SW3 and SW4 must not advertise their VLAN configuration but must forward VTP advertiserments that they receive out their trunk ports ●Secure all vtp update with an MD5 digest of the ASCII string “CCIErock$”(without quotes)

1.2 Layer 2 ports 

Configure your network as per the following requirements ●Complete the configuration of all vlans so that all routers that are located in ACME’s headquarters（AS12345）and new York office（AS 34567）can ping their directly connected neighbors ●All four switches （SW1-SW4）must have dot1q trunks that do not rely on any negotiation，do not configure any etherchannel ●Ensure that the following unused ports on all four switches are shutdown and configured as access ports in vlan 999

Copyright 2015© cciereallab

www.cciereallab.net

-2-

www.cciereallab.net

CCIE R&S Lab V5 Workbook 2015

●E3/0 ，E3/1，E3/2，E3/3 are unused on SW1 and SW2 ●E1/0 ，E1/1，E1/2，E1/3 are unused on SW3 and SW4 ●E3/0 ，E3/1，E3/2，E3/3 are unused on SW3 and SW4

1.3 spanning-tree 

Configure the ACME network as per the following requirements ● SW1 must be the primary root bridge for all odd vlans and must be the secondly root bridge for all even vlans ● SW2 must be the primary root bridge for all even vlans and must be the secondly root bridge for all odd vlans ●SW3 must be the primary root bridge for all odd vlans and must be the secondly root bridge for all even vlans ●SW4 must be the primary root bridge for all even vlans and must be the secondly root bridge for all odd vlans ● Explicitly configure the root and backup roles ,assuming that other switches with default configuration may eventually be added in the network in the future ●All switch must maintain one STP instance per VLAN ●Use the STP mode that has only three possible port states. ●All access ports must immediately transition to the forwarding state upon linkup and they must still participate in stp. Use a single command per switch to enable this feature ●Access ports must automatically shut down if they receive any bpdu and an administrator must still manually re-enable the port. Use a single command per switch to enable this feature

1.4 wan switching ●The wan links must rely on a layer 2 protocol that supports link negotiation and authentication ●The service provider expects both R18 and R19 complete three-way handshake by providing the expected response of a challenge that is sent by R63 ●R18 must use the username ACME-R18 and password CCIE ●R19 must use the username ACME-R19 and password CCIE

Section 2（layer 3 technology）

2.1 OSPF in AS12345 Copyright 2015© cciereallab

www.cciereallab.net

-3-

www.cciereallab.net



CCIE R&S Lab V5 Workbook 2015

Configure ospfv2 area 0 in ACME headquarters（AS12345） according to the following requirements ●Configure the ospf process id to 12345 and set the router-id to interface lo0 on all seven routers ●The interface loopback0 at each router must be seen as an internal ospf prefix by all other routers ●Ensure that ospf is not running on any interface that is facing another AS. Use any method to accomplish this requirement ●SW1 and SW2must no participate in routing at all ●Do not change the default ospf cost of any interface in AS12345 ●R1 must see the following ospf routes in its routing table

2.2 EIGRP in AS 34567 

Configure eigrp for ipv4 in the new York office（AS 34567）according to the following requirements ●The EIGRP autonomous system 34567 ●The interface lo0 on each router must be seen as an internal EIGRP prefix by all other routers ●Ensure the eigrp is not running on any interface that is facing another AS use any method to accomplish this requirement ●Using a single command on one switch only ensure that R8 install two equal-cost route for the following three path ·vlan 411

Copyright 2015© cciereallab

www.cciereallab.net

-4-

www.cciereallab.net

CCIE R&S Lab V5 Workbook 2015

·interface lo0 at SW4 ·interface lo0 at R11

●Using a single command on one switch only ensure that R9 install two equal-cost route for the following three path ·vlan 310 ·interface lo0 at SW3 ·interface lo0 at R10

2.3 EIGRP in AS 45678 Copyright 2015© cciereallab

www.cciereallab.net

-5-

www.cciereallab.net



CCIE R&S Lab V5 Workbook 2015

Configure EIGRP in AS 45678 as the following requirements ●The eigrp autonomous system number is 45678 ●The interface loopback0 at each router must be seen as an internal EIGRP prefix by all other routers ●Ensure the eigrp is not running on any interface that is facing another AS use any method to accomplish this requirement ●SW5 and SW6 are layer 3 switches and must also run EIGRP On all three routers (R15、R16 and R17),ensure that EIGRP user 64 bits for the metric calculation of any prefix ●Do not change the default bandwidth or delay on any physical interface in as 45678

2.4 EIGRP in AS 65222 ●The eigrp autonomous system number is 45678 ●The interface loopback0 at each router must be seen as an internal EIGRP prefix by all other routers ●Ensure the eigrp is not running on any interface that is facing another AS. Use any method to accomplish this requirement ●R17 is the DMVPN hub，R18，R19 as the spoke use the pre-configure tunnel 0

2.5 BGP in AS 12345 

BGP is partially preconfigured in ACME headquarters complete the configuration as required



Configure IBGP in ACME‘s headquarters （AS 12345） according to the following requirements ●R4 and R5 must no establish any BGP session at any time ●ALL bgp routers must use their interface lo0 as their bgp router-id ●no bgp default ipv4-unicast ●Disable the default ipv4 unicast address family for peering session establishment in all bgp routers ●R1 must be the ipv4 route-reflector for bgp AS 12345 ●R1 must use the peer-group named “iBGP”for all internal peerings



Configure EBGP between ACME`s San Francisco and San jose sites according the following requirements ●R20 is the CE router and used EBGP to connected to the manages services that are provided by the PE routers R2 and R3 ●R20 must establish a separate EBGP peerings with both R2 and R3 for every VRF

Copyright 2015© cciereallab

www.cciereallab.net

-6-

www.cciereallab.net

CCIE R&S Lab V5 Workbook 2015

●R20 must advertise the following prefix to all of its BGP peers ……123.0.0.0/8 summary-only ……10.0.0.0/8 summary-only ●R20 must advertise a default route to all of its bgp peers except to 10.120.99.1 and 10.120.99.5

2.6 BGP in AS 34567 

BGP is partly pre-configured in the ACME New York office（AS 34567）complete the configuration as required



Configure IBGP in AS 34567 according to the following requirements ●SW3 and SW4 must not establish any BGP session at any time ●ALL for BGP routers must always use their interface lo0 as their bgp router-id ●no bgp default ipv4-unicast ●Configure full-mesh IBGP peering between all four routers use any configuration method ●R9 must be selected as the preferred exit point for traffic destined to remote AS’s ●R11 must be selected as the next preferred exit point in case R9 fails ●NO BGP speaker in AS 34567 may use the network statement under the BGP router configuration ●Ensure that all the BGP next-hop is never marked as unreachable as long as the interface lo0 of the remote peer is known via IGP



Configure EBGP in AS 34567 according to the following requirements ●All four BGP routers must establish EBGP peerings with their neighboring AS as shown on “digram 3：BGP topology” ●All four bgp routers must redistribute EIGRP into BGP ●Ensure that R9 is the only router that sees the default as a bgp route and that all other routers（R8，R10，R11）see it as an eigrp external router

2.7 BGP in AS 45678 and AS 65222 

Refer to “diagram 3：BGP routing”



Configure EBGP in the ACME APAC region （AS 45678 and AS 65222）according to the following requirements ●SW5 and SW6 must not establish any BGP session at any time ●ALL bgp routers must use their interface lo0 as their bgp router-id ●No ibgp peering sessions are allowed in AS 45678 ●R15 must establish an EBGP peering with AS 10003 and must receive a default route

Copyright 2015© cciereallab

www.cciereallab.net

-7-

www.cciereallab.net

CCIE R&S Lab V5 Workbook 2015

as well as other prefix ●R15 must redistribute bgp into eigrp and vice versa ●R15 must also advertise an aggregate prefix for 123.20.1.0/24 to AS 10003 and must suppress all component prefixes ●R16，R17，R18，R19 must establish an EBGP peering with AS 20003 and must receive a default route as well as other prefix ●R16，17，18，19 must not advertise any prefix to AS 20003 ●As long as R15 operational ，R16，R17，R18，R19 must prefer the EIGRP default route over the EBGP default route ●Do not creat any VRF anywhere in order to accomplish the aboves requirements. Be aware that the completion of this task is contingent on the completion of some other tasks.

2.8 BGP routing policies 

Configure the acme network as per the following requirements ●All acme border routers in as 12345 must filter the bgp prefixs that are advertised to their SP in vrf INET and must allow on all prefix that belong to the class A 123.0.0.0/8 all other vrfs must propagate all prefix ●All acme border routers in as 34567 must filter the bgp prefixs that are advertised to their SP and must allow only all prefix belong to the class A 123.0.0.0/8 ●Do not use any route-map or access-list to accomplish the above requirements ●R13 must route traffic preferably via AS 20002 use any method to accomplish this requirement ●All three remote sites in as 65111 must be able to ping 1.2.3.4 and traccroute must reveal the exact same path as show in the following output

Copyright 2015© cciereallab

www.cciereallab.net

-8-

www.cciereallab.net

CCIE R&S Lab V5 Workbook 2015

2.9 IPv6 OSPF 

Configure ospfv3 in the acme new York office as per the following requirements ●Configure the OSPF process ID to 1 and set the router-id to interface lo0 on all OSPFv3 devices. ●Do not enable OSPFv3 on any interface other than the interfaces that are indicated on the “Diagram.5” ●Place the interfaces in the OSPFv3 area as indicated on the diagram. Do not create any new area.Do not forget the Lo0 interfaces. ●Sw4 must the selected as the designated router on vlan 34 and must have the best chance ●SW3 must be selected as the backup designated router on vlan 34 and must take over the designated router if SW4 is down

2.10 BGP for IPv6 

Configure the ACME network as per the following requirements ●Establish the four EBGP peering as indicated on “diagram IPv6 routing” ●Do not use the network command inder the BGP address-family ipv6 on either R10 or R11 ●Both regional service provider will advertise the necessary prefixs ●Advertise the IPv6 prefix on interface E0/0 into BGP on both R12 and R14 ●Configure your network such that any IPv6 user that include can communicate with any ipv6 user that is located and vice-versa ●Do not use any static route or default route anywhere

Copyright 2015© cciereallab

www.cciereallab.net

-9-

www.cciereallab.net

CCIE R&S Lab V5 Workbook 2015

●Use the following ping to verify your configuration R1 2: ping 2001:cc1e:beef:14:10:1:14:1 so e0/0

2.11 Layer 3 Multicast 

Assure that a streaming server is connected in vlan 5 on sw5 and that receivers are located at the DMVPN spokes belong R18 and R19



Configure the ACME network as per the following requirements ●Only network segments with active receivers that explicitly require the data must receive the multicast traffic ●Interface loopback of R15 must be configured as the RP ●Use a standard method of dynamically distributing the RP ●Both R16 and R17 must participate in the multicast routing ●To test configure interface E0/0 of both R18 and R19 to join the group 232.1.1.1 SW5#ping 232.1.1.1 so vlan 5 Reply to request 0 from 10.2.19.1 3 ms Reply to request 0 from 10.2.18.1 4 ms

Section 3 VPN technology

3.1 MPLS VPN part 1 

Refer to " Diagram 3:BGP Topology" and "Diagram 4: VPN Topology"



The ACME Headquarters network (AS 12345) uses MPLS L3VPN in order to clearly separate remote site networks.



The ACME corporate security policies are centralized and enforced at the San Jose site (AS 65112) for all remote sites. The Policies require that all traffic that is originated from any remote site (with the exception of the New York office)



Configure MPLS L3 VPN in the ACME network according to the following requirements: ●Enable LDP only on required interfaces on all seven routers in AS 12345

Copyright 2015© cciereallab

www.cciereallab.net

- 10 -

www.cciereallab.net

CCIE R&S Lab V5 Workbook 2015

●Use the interface Lo0 to establish LDP Peerings ●Ensure that no MPLS interface that belongs to any router in AS 12345 is visible on a traceroute that originates outside of the AS ●R2,R3,R6 and R7 must be configured as PE routers ●R1,R4 and R5 must be configured as P routers

3.2 MPLS VPN part 2 

Refer to “diagram 3 BGP topology” and “diagram 4 vpn topology”



The global and regional service providers have agreed to transport the acme VPNs via PE to PE EBGP peering that are already full preconfigured



Complete the configure of mpls L3VPN in the ACME network according to the following requirements： ●R1 must reflect VPNv4 prefixes from any PE to any other PE in AS 12345 ●R2 and R3 must establish an EBGP peering with both global service providers（AS 10001 and AS 10002）for the following VRF’s GREEN BLUE RED YELLOW INET

●R6 must establish an EBGP peering with the regional service provider（AS20001）for the following vrfs GREEN BULE INET ●R7 must establish an EBGP peering with the regional service provider （AS2002）for the following vrfs only BLUE RED INET ●All ip address used for EBGP peering must pass BGP’s directly connected check ●No bgp speaker in AS 12345 may use the network or the redistribute statement under any address-family of the BGP router configuration ●At the end of the exam scenario the interface e0/0 of the gateway router in any remote Copyright 2015© cciereallab

www.cciereallab.net

- 11 -

www.cciereallab.net

CCIE R&S Lab V5 Workbook 2015

site must be able to connect to the interface e0/0 of any other remote gateway that belong to as 65111 or AS 65222 ●Use the following tests as example of connectivity checks R12#ping 10.2.19.1 so e0/0 R12#traceroute 10.2.19.1 so e0/0（10hops）

3.3 DMVPN 

Configure DMVPN phase 3 in the ACME APAC region（AS 45678 and 65222） as per the following requirements ●Use the preconfigured interface tunnel0 on all three routers in order to accomplish this task ●R17 must be configured as the hub router ●R18 and R19 must be the spoke routers and must participate in the NHRP information exchange ●Disable send icmp redirect message on all three tunnel0 interface ●Configure the following parameter on all three tunnel0 interface configure the bandwidth 1000kbps configure the delay to 10000 usc adjust the ip mtu to 1400 B adjust the TCP MSS to 1360B ●Authentication NHRP using the string 45678key ●Use the HRP network-id 45678 ●Configure the nhrp hold time to 5min ●Ensure that spoke-to-spoke traffic does not transit via the hub

Copyright 2015© cciereallab

www.cciereallab.net

- 12 -

www.cciereallab.net

CCIE R&S Lab V5 Workbook 2015

3.4 Encryption 

Refer to "Diagram 4: VPN Topology"



Secure the DMVPN tunnel with IPsec according to the following requirements: ●Configure IKE Phase 1 according to the following requirements: ◎ Use AES encryption with the pre-shared key "CCIE"(without quotes) ◎ The key must appear in plain text in the configuration ◎ All IPsec tunnels must be authenticated using the same IKE Phase 1 pre-shared key ◎ Use 1024 bits for the key exchange using the Diffie-Hellman algorithm ◎ Configure a single policy with priority 10 ●Configure IKE Phase 2 according to the following requirements: ◎ Use CCIEXFORM as the transform-set name. ◎ Use DMVPNPROFILE as the IPsec profile name. ◎ Use IPsec in transport mode. ◎ Use the IPsec security protocol ESP and the algorithm AES with 128 bits. ●Ensure that the DMVPN cloud is secured using the above parameters. ◎ Use tunnel protection in your configuration.

Copyright 2015© cciereallab

www.cciereallab.net

- 13 -

www.cciereallab.net

CCIE R&S Lab V5 Workbook 2015

section 4:Infrastructure Security

4.1 Device Security 

Refer to " Diagram 1:Main Topology"



Configure R20 in the ACME San Jose office as per the following requirements: ●All users who connect to R20 via the console port or via any VTY line using SSH must be prompted with the below message before any other prompt is displayed. WARNING! ACCESS RESTRICTED！ Do not include any extra spaces or any other characters as the ones shown above.

4.2 Network Security 

Refer to " Diagram 1:Main Topology"



Configure the ACME New York office as per the following requirements: ●Ensure that interfaces E0/0,E0/1,E0/2 and E0/3 of SW3 forward traffic that was sent from expected and legitimate hosts and servers. ●SW3 must dynamically learn only one MAC address per port and must save the MAC address in its startup configuration. ●SW3 must shut down the port if a security violation occurs on any of these four ports.

Section 5: Infrastructure Services

5.1 System Management Copyright 2015© cciereallab

www.cciereallab.net

- 14 -

www.cciereallab.net



CCIE R&S Lab V5 Workbook 2015

Configure R20 in the ACME San Jose office as per the following requirements ●Enable SSH access in R20 using the domain name "acme.org". ●Create the user "test" with the password "test" in the local database of R20. ●Ensure that R20 accepts SSH connections from clients with a source IP address in 123.10.2.0/24. All other source IP addresses must be denied. Use a standard access-list to configure this requirement. ●R20 must generate a syslog message for all SSH connection attempts ，regardless of whether it is permitted or denied. When authenticated , the user "test" must be granted with the privilege level 1 ●Do not enable the aaa new-model command in R20. ●Ensure that SSH is the only remote access method that is permitted on VTY lines of R20. ●Ensure that the console is not affected by your solution and that no "username" prompt is presented on the console port. ●Test your solution from any device that is located in AS 34567 and ensure that the following sequence of commands produces the same output:

测试方法： R10# SSH-1 test 123.20.20.20 WARNING! ACCESS RESTRICTED! Password： R20> sh privilege R20>privilege level is 1 R20>q Connection to 123.20.20.20 closed by foreign host

5.2 Network Services 

Configure the ACME as per the following requirements: ●R20 must enable all private corporate traffic that is originated from any host with source IP address in 10.1.0.0/16 or in 10.2.0.0/16 to connect to any public destination that is located in AS 34567 ●All remote sites in AS 65111 and AS 65222 must be able to connect to these public destinations. ●R20 must swap the source IP address in these packets with the IP address of its interface Lo0. ●R20 must allow multiple concurrent connections. ●Use a standard access-list to accomplish the above requirements. The following tests must succeed after the above requirements ( in addition to the previous requirements) are achieved:

Copyright 2015© cciereallab

www.cciereallab.net

- 15 -

www.cciereallab.net

CCIE R&S Lab V5 Workbook 2015

5.3 Network Optimization 5.4 Configure R17 as per the following requirements: The output that is shown below must be seen after R15 successfully pinged interface L0 of R19 :

R15：Ping

on

R17

during

Pr

SrcP

10

seconds

123.19.19.19

!!!!! R17 # sh ip flow top Srcif srcipaddress Bytes e0/1 123.20.1.9 1 of 10 top talker shown .

DstIf

DstIPaddress

Tu0* 123.19.19.19 1 flows processed

01

0000

DstP 0800

500

5.5 Network Services 

Configure the ACME as per the following requirements: ●SW3 must provide an authoritative time source to the ACME network. ●R10 and R12 must synchronise their clock to SW3 using NTPv4 for IPv6. ●R10 and R12 must operate in client mode. ●SW3 must not capture or use any time information that is sent by R12 and R14. ·all NTP traffic must rely on IPV6 connectivity only ●All NTP traffic must be sourced and destined to the interface Lo0 of the corresponding devices.

Copyright 2015© cciereallab

www.cciereallab.net

- 16 -

www.cciereallab.net

CCIE R&S Lab V5 Workbook 2015

Copyright 2015© cciereallab

www.cciereallab.net

- 17 -