CCIE Routing and Switching Practice Labs.pdf

ou can use any combination of routers as long asyou fulfill the re"uirements within the topology diagram, as shown in +igure *#*. Howe%er, it is recommended to use the same model of routers because this can make life easier if you load configurationsdirectly from those supplied with your ownde%ices.

Lab T$p$&$"y This practice :ab uses the topology outlined in +igure *#*, which you need to re#create with your own e"uipment or by simply using the !! Assessor.

f your routers ha%e dif# ferent interface speeds than those used within this book, adust the bandwidth statements on the rele%ant interfaces to keep all interface speeds in line. This can ensure that you do not get un# wanted beha%ior due to differing 7$ metrics.

;-=<' 161 Lab (o&o)ogy iagra*

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa "em$re 259 .etai&# /$r

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!+#

S)itch -n#tructi$n# NT The !! Assessor to# pology %ersion ' is used for this lab. Additional interfaces a%ailable on the Assessor that are not re"uired for this lab were omitted from +igure *#*. f you are not using the !! Assessor, use +ig# ure *#* and +igure *#3 to determine how many interfaces you need to complete your own to# pology.

!onfigure F:A1 assignments from the configurations supplied or from Table *#( with the e4ception of Switch( +a)53. BThis will be configured during thelab.C T%L 162 ,L- -ssign*en t VL%N

S ) i tch 1

23

+a)52, +a)53 P

S ) it c h 2

S) i t ch 3

P

S ) i tc h 4

P

3L

+a)5L

See Questions

P

P

3N

+a)5N

See Questions

P

P

*))

P

+a)5*

P

())

P

+a)5(

P

P

+a)5L, +a)5N, 5+ F:A12))

5+ F:A12))

5+ F:A12))

2))

5+ F:A12))

P

!onnect your switches with -;3L thernet !ross 8%er cables, as shown in +igure *#(. NT Switch( will be config# ured during the actual lab "uestions for F:A13L and 3N interface +a)53.

;-=<' 162 Switch to Switch Connectivity

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!4#

;rame 'e&ay -n#tructi$n# !onfigure one of your routers you are going to use in the lab as a +rame -elay switch, or ha%e a dedicated router purely for this task. This lab uses a dedicated router within the !! Assessor Fersion ' topology for the +rame -elay switch. A fully meshed en%ironment is configured between all the +rame -elay routers@ pay attention in the lab as to which $F!s are actually re"uired. Reep the encapsulation and :ocal anagement nterface B:C settings to default for this e4ercise, but e4periment with the settings outside the labs because you could be re"uired to configure the +rame -elay switching within your actuallab. f you are using your own e"uipment, keep the =! cables at the frame switch end for simplicity and pro%ide a clock rate to all links from thisend. The +rame -elay connecti%ity after configuration represents the logical +rame -elay network, as shown in +igure*#2. ;-=<' 163 /ra*e Re)ay Logica) Connectivity

-P %..re## -n#tructi$n# >ou will find in the real !! lab that the maority of your $ addresses will be preconfigured@ for this e4ercise you are re"uired to configure your $ addresses, as shown in +igure *#3, or load the initial router configurations supplied. f you are manually configuring your e"uipment, ensure you include the following :oopback addressesD -* :o) *().*)).*.*5(3

-N :o) *().*)).N.*5(3

-( :o) *().*)).(.*5(3

S0* :o) *().*)).9.*5(3

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

-2 :o) *().*)).2.*5(3

S0( :o) *().*))./.*5(3

-3 :o) *().*)).3.*5(3

S02 :o) *().*))..*5(3

-L :o) *().*)).L.*5(3

S03 :o) *().*)).*).*5(3

!#

;-=<' 164 IP -ddressing iagra*

Pre6&ab Ta#0# E

'uild the lab topology as per +igure *#* and +igure *#(.

E

!onfigure your +rame -elay switch router to pro%ide the necessary =ata :ink !ontrol dentifiers B=:!C asper +igure *#2.

E

!onfigure the $ addresses on each router, as shown in +igure *#3, and add the :oopback addresses. Alterna# ti%ely, you can load the initial configuration files supplied if your router is compatible with those used to create * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!1#

this e4ercise. -* re"uires a secondary $ address on its 7igabitthernet )5* interface for this lab@ details can be found on the accompanying initial configuration for -*.

=enera& =ui.e&ine# E

$lease read the whole lab before you start.

E

=o not configure any static5default routes unless otherwise specified.

E

Mse only the =:!s pro%ided in the appropriate figures.

E

nsure full $ %isibility between routers for ping testing5telnet access to your de%ices with e4ception to the Switch :oopback addresses. These will not be %isible to the maority of your network because of theconfigura# tion tasks.

E

f you find yourself running out of time, choose "uestions that you are confident you can answer@ failing this choose "uestions with a higher point rating to ma4imize your potential score.

E

7et into a comfortable and "uiet en%ironment where you can focus for the ne4t /hours.

E

Take a 2)#minute break midway through thee4ercise. Ha%e a%ailable a !isco =ocumentation !=#-8 or access online the latest documentation from the following M-:D httpD55www.cisco.com5en5MS5product s5psN2L)5product sOin stallationOandO con f i gurationOguidesOli st.html.

E

NT Access only this M-:, not the whole !isco.com website@ because if you are permitted to use documentation during your !! lab e4am, it will be restricted. !on# sider opening se%eral windows with the pages you are likely to look at to sa%e time during your lab.

Practice Lab ne >ou will now answer "uestions in relation to the network topology, as shown in +igure *#L.

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa "em$re 259 .etai&# /$r

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!2#

;-=<' 16 5 Lab (o&o)ogyiagra*

Secti$n 1> L%N S)itchin" an. ;rame 'e&ay ?2@ P$int#A E

!onfigure your switches as a collapsed backbone network with Switches * and ( performing core and distribu# tion functionality and Switches 2 and 3 as access switches in your topology. Switches 2 and 3 should connect only to the core switches. B( pointsC

E

Switch * and ( should run spanning tree in /)(.*w mode@ Switches 2 and 3 should operate in their default span# ning#tree mode. B( pointsC

E

!onfigure Switch * to be the root bridge and Switch ( the secondary root bridge for F:A1s * and 2)). nsure that Switches 2 and 3 can ne%er become root bridges for any F:A1s for which Switch * and Switch ( are root bridges by configuring only Switches * and (. B( pointsC

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!3#

E

nsure you fully utilize the a%ailable bandwidth between switches by grouping together your interswitch links as trunks. nsure that only dot*" and ther!hannel are supported. B2 pointsC

E

nsure traffic is distributed on indi%idual thernet trunks between switches based on the destination A! ad# dress of indi%idual flows. B( pointsC

E

nsure that user interfaces are shut down dynamically by all switches should they toggle e4cessi%ely@ if they re# main stable for 2L seconds, they should be reenabled. !onfigure +ast thernet $ort )5*) on each switch so that if multicast traffic is recei%ed on this port, the port is automatically disabled. B( pointsC

E

+ast thernet $orts )5**#*9 will be used for future connecti%ity on each switch. !onfigure these ports as access ports for F:A12)), which should begin forwarding traffic immediately on connection. =e%ices connected to these ports will dynamically recei%e $ addresses from a =H!$ ser%er due to be connected to $ort )5*/ on sw*. +or security purposes, this is the only port on the network from which =H!$ addresses should be allocated. n# sure the switches intercept the =H!$re"uests and add the ingress port and F:A1 and switch A! address prior to sending onward to the =H!$ ser%er. :imit =H!$ re"uests to N)) packets per minute per user port. BN pointsC

E

+or additional security ensure the user ports on Switches *3 and ***9 can communicate only with the network with &$ addresses gained from the =H!$ feature configured pre%iously. Mse a dynamic feature to ensure the only information forwarded upon connection is =H!$ re"uest packets, then any traffic that matches the =H!$ $ in# formation recei%ed from the =H!$ binding for additional security. B2 pointsC

E

-L and -N ha%e been preconfigured with $ addresses on their thernet interfaces. !onfigure -3 and its associ# ated switch port accordingly without using secondary addressing to communicate with -L and -N. !onfigure -3 with an $ address of *().*)).3L.35(3 to communicate with -L, and configure -3 with an $ address of *().*)).3N.35(3 to communicate with -N. !onfigure -3 7i)5* and Switch ( +)53 only. B2 pointsC

E

>our initial +rame -elay configuration has been supplied for the -*#-(#-2 connecti%ity and -(#-L. !onfigure each de%ice per +igure *#N to ensure each de%ice is reachable o%er the +rame -elay network. Mse only the indi# cated =:!s. B( pointsC

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!#

;-=<' 16 /ra*e Re)ay Connectivity

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa "em$re 259 .etai&# /$r

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"0#

Secti$n 2> -P(4 -=P Pr$t$c$&# ?22 P$int#A Secti$n 21> SP; ;-=<' 167 5SP/ (o&o)ogy

E

Mse a process = of *@ all 8S$+ configuration where possible should not be configured under the process =. =o not change the preconfigured interface types where applicable, The :oopback interfaces of -outers -*, -(, and -2 should be configured to be in Area ). -3 should be in Area 23 and -L in Area L. B( pointsC

E

All :oopback networks should not be ad%ertised as host routes. B* pointC

E

nsure that -* does not ad%ertise the preconfigured secondary address under interface 7igabit )5*of *().*)).*)).*5(3 to the 8S$+ network. =o not use any filtering techni"ues to achie%e this. B( pointsC * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

E

!""#

-L should use the +rame -elay link within Area L for its primary communication to the 8S$+ network. f this network should fail either at :ayer * or :ayer (, -L should form a neighbor relationship with -3 under Area L to maintain connecti%ity. >our solution should be dynamic ensuring that while the Area L +rame -elay link is operational there is no neighbor relationship between -3 and -L@ howe%er, the thernet interfaces of -3 and -L must remain up. To confirm the operational status of the +rame -elay network, you should ensure that the serial interface of -L is reachable by configuration of -L. >ou are permittedto define neighbor statements between -L and -3. B3 pointsC

Secti$n 22> -='P ;-=<' 16@ EI6RP (o&o)ogy

E

!onfigure 7-$ using an AS number of *. The :oopback interfaces of all routers a nd switches should be ad# %ertised within 7-$. B( pointsC * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"'#

E

nsure that -3 does not install any of the 7-$ :oopback routes from any of the switches into its routing table@ as such these routes should also not be present in the 8S$+ network post redistribution. =o not use any route# filtering A!:s, prefi4 lists, or admin distance manipulation to achie%e this, and perform configuration only on -3. B2 pointsC

E

-3 will ha%e dual e"ual cost routes to F:A12)) Bnetwork *L).*)).2.)C from -L and -N. nsure -3 sends traffic to this destination network to -L rather than load sharing. f the route from -L becomes una%ailable, traffic should be sent to -N. >ou cannot policy route, alter the bandwidth, or delay statements on -36s interfaces, or use an offset list. $erform your configuration on -3 only. >our solution should be applied to all routes recei%ed from -L and -N as opposed to solely the route to network F:A12)). B2 pointsC

Secti$n 23> 'e.i#tributi$n E

$erform mutual redistribution of 7$ protocols on -3. All routes should be accessible with the e4ception of the switch :oopback networks because these should not be %isible %ia -3 from an earlier "uestion. 7-$ routes re# distributed within the 8S$+ network should remain with a fi4ed cost of L))) throughout the network. B2 pointsC

E

!onfigure -3 to redistribute only up to fi%e 7-$ routes and generate a system warning when the fourth route is redistributed. =o not use any access#lists in your solution. B( pointsC.

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"+#

Secti$n 3> =P ?14 P$int#A ;-=<' 169 76P (o&o)ogy

E

!onfigure i'7$ peering as followsD -*#-2, -(#-2, -N#-L, Sw*#-N, and Sw*#-L. Mse minimal configuration and use :oopback interfaces for your peering. !onfigure e'7$ peering as followsD -2#-3, -3#-N, -3#-L, and -L#-(. Mse minimal configuration and use :oopback interfaces for your peering with the e4ception of -3 to -L. B( pointsC Mse the AS numbers supplied in +igure *#. B( pointsC

E

AS()) is to be used as a backup transit network for traffic between AS*)) and AS2))@ as such, if the +- net# work between -L and -( fails, ensure the peering between -( and -L is not maintained %ia the thernet net# work. =o not useany A!: type restrictions or change the e4isting peering. B( pointsC

E

!onfigure a new :oopback interface ( on -( of *2).*)).()).*5(3, and ad%ertise this into '7$ using the network command. !onfigure -( in such a way that if the +rame -elay connection between -( and -L fails, AS2)) no longer recei%es this route. =o not use any filtering between neighbors to achie%e this or neighbor#specific com# mands. B2 pointsC

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"4#

E

!onfigure HS-$ between -L and -N on F:A12)) with -L acti%e for .*5(3. f the network*2).*)).()).)5(3 is no longer %isible to AS2)), -N should dynamically become the HS-$ acti%e. !onfigure -L to achie%e this solu# tion. B3 pointsC

E

!onfigure two new :oopback interfaces on -* and -( of*(N.*.*.*5(3 and *2).*.*.*5(3, respecti%ely, and ad%er# tise these into '7$ using the net&or0 command. -2 should be configured to enable only '7$ routes srcinated from -* up to network *(/.).).) and from abo%e network *(/.).).) srcinated from -(. Mse only a single A!: on -2 as part of your solution. B2 pointsC

Secti$n 4> -P( ?14 P$int#A ;-=<' 161+ IPv1 (o&o)ogy

E

!onfigure $%N addresses on your network as followsD ())9D!*LD!)D*)DD5N3  -* 7i)5) ())9D!*LD!)D**DD*5N3  -* S)5)5) * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa "em$re 259 .etai&# /$r

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"#

())9D!*LD!)D**DD(5N3  -( S)5) ())9D!*LD!)D**DD25N3  -2 S)5)5) ())9D!*LD!)D*(5N3 # -( +)5* ())9D!*LD!)D*3DD(5N3  -( S)5* ())9D!*LD!)D*3DDL5N3  -L S)5)5* ())9D!*LD!)D*LDD25N3  -2 7i)5) ())9D!*LD!)D*LDD35N3  -3 7i)5) ())9D!*LD!)D*NDDL5N3  -L 7i)5* ())9D!*LD!)D*NDDN5N3  -N 7i)5*

Secti$n 41> '-Pn" E

!onfigure -$ng ensuring your $%N routes are %isible throughout your -$ng domain. =o not disable split# horizon. B2 pointsC

Secti$n 42> SP;(3 E

!onfigure 8S$+%2 with a process = of * with all 8S$+ interfaces assigned to Area ). B( pointsC.

E

The $%N network is deemed to be stable@ therefore, reduce the number of :SAs flooded within the 8S$+ do# main. B( pointsC

Secti$n 43> 'e.i#tributi$n E

-edistribute -$ng routes into the 8S$+%2 demand Bone wayC. -$ routes should ha%e a fi4ed cost of L))) asso# ciated to them within the 8S$+ network. B* pointC

E

nsure the 8S$+2 network is reachable from the -$ network by a single route of ())9DD5*N, which should be seen within the -$ domain. !onfigure -L only to achie%e this. The 8S$+ domain should continue to recei%e specific -$ng subnets. B( pointsC

E

nsure that if the serial link fails between the 8S$+ and -$ng domain, routing is still possible between -L and -3 o%er F:A13L. =o not enable -$ on theF:A13L interfaces of -3 and -L. !onfigure -3 and -L to achie%e this, which should be considered as an alternati%e path only if a failure occurs. B2 pointsC * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

E

!"1#

nsure the summary route configured pre%iously is not seen back on the routing table of -L@ configure only -L to achie%e this. B* pointC

Secti$n 5> B$S ?@ P$int#A E

>ou are re"uired to configure QoS on switch* according to the !isco QoS baseline model. !reate aodular QoS configuration for all user ports B+ast thernet *#(3C that facilitates the following re"uirements B2 pointsCD *C All ports shouldtrust the =S!$ %aluesrecei%ed from their connectingde%ices. (C $ackets recei%ed from the user ports with =S!$ %alues of 3/, 3N, 23, 2(, (3, (/, *N, and *) should be remarked to =S!$ / B$H' !S*C in the e%ent of traffic flowing abo%e L bps on a per port basis. This traffic could be a combi# nation of any ofthe preceding =S!$ %alues with any source5destination combination. nsure a minimum burst %alue is configured abo%e the L bps.

E

E

Switch* will be connected to a new trusted domain in the future using interface gigabit )5*. A =S!$ %alue re# cei%ed locally on sw* of A+32 should be mapped to A+3( when destined for the new domain. B( pointsC !onfigure !isco odular QoS as follows on -* for the following traffic types based on their associated $er Hop 'eha%ior into classes. &ncorporate these into an o%erall policy that should be applied to the T* interface S)5)5). Assume a $F! of line rate on the +rame -elay network and allow each class the effecti%e bandwidth as detailed B( pointsCD C & a ##

P

-outing Fo&$

!SN +

nteracti%e Fideo

A+3*

%##i"ne.Spee.

3N Rbps (39 Rbps (39 Rbps

ission !ritical =ata

A+2*

(39 Rbps

!all#Signaling

!S2

3N Rbps

Transactional =ata

A+(*

(*N Rbps

1etwork#gmt

!S(

3N Rbps

'ulk =ata

Af**

3N Rbps

Sca%enger

!S*

*L Rbps

=efault

)

2/N Rbps

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

E

!"2#

!onfigure -( so that traffic can be monitored on the +rame -elay network with a %iew to a dynamic policy being generated in the future that trusts the =S!$ %alue of traffic identified on this media. B* pointC

Secti$n > Security ? P$int#A E

!onfigure -2 to identify and discard the following custom %irus@ the %irus is characterized by the AS! charac# ters HastingsO'eer within the payload and utilizes M=$ ports **NN3 to **NNN. The = ofthe %irus begins on the third character of the payload. The %irus srcinated on F:A1 23. B( pointsC

E

An infected host is on F:A1 ()) of *L).*)).(.*))@ ensure that only within '7$ AS*), traffic destined for this host is directed to null) of each local router. >ou cannot use any A!:s to block traffic to this host specifically but can use a static route pointing to null ) for traffic destined to *(.).(.) 5(3 on routers within AS*). -( can ha%e an additional static route pointing to null). Mse a '7$ feature on -( to ensure traffic to this source is blocked. $re%ent unnecessary replies when traffic is passed to the null) interface for users residing on F:A1*)). B2 pointsC

E

n a %iew of protecting the control plane on -outer -N, configure !o$$ so that $ $ackets with a TT: of ) or * are dropped rather than processed with a resulting !$ redirect sent to the srcinator. B* pointC

Secti$n 7> Mu&tica#t ?4 P$int#A E

!onfigure -outers -*, -(, -2, and -3 for $%3 ulticast@ configure -2 to send multicast ad%ertisements of its own time by use of 1T$ sourced from interface 7ig )5). !onfigure $ spare mode on all re"uired interfaces. -2 should also be used to ad%ertise its own gigabit interface $ address as an -$. -2 should also ad%ertise the $ address you are using for the 1T$ ad%ertisements that will be ((3.).*.*. =o not use the command nt/ serer in any configurations. -outers -*, -(, and -3 should all show a clock synchronized to that of -2. B3 pointsC

-P Ser(ice# ?4 P$int#A E

!onfigure the following commands on -outer -*D aaa new#model logging buffered logging *().*))..*

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"3#

!onfigure a policy on -outer -* so that if a user tries to remo%e AAA ser%ices or disable logging %ia the!:& that a syslog message of M1AMTH8-&U=#!8A1=#1T-=is generated. The policy should ensure ei# ther command is not e4ecuted and should consist of a single#line command for the !: pattern detection. The policy and !: should run asynchronously. The policy should also generate an email from the router to a mail ser%er residing on $ address *().*))..( Bto secu ri tyVlab#e4am.net from eemVlab#e 4 am.net subect WMser# ssueW with the message body consisting of details of who was logged on the time either of the commands were enteredC. B( pointsC !isco 0AAS de%ices a re to be installed on Switches * and ( in the future on F:A12)). !onfigure -outers -L and -N to pro%ide 0!!$%( redirection for clients residing on F:A12)) to ensure that all T!$ traffic other than telnet is redirected only to the 0As that will reside on addresses *L).*)).2.L) and .L* within F:A12)). >ou are not re"uired to configure the switches for 0!!$ and can assume that incoming 0AAS traffic from the net# work will arri%e at interfaces 7i)5) on both -L and -N. Secure your 0!!$ with this passwordD !!. B( pointsC

%#0 the Pr$ct$rD NT This section should be used only if you re"uire clues to complete the "uestions. n the actual !! lab, the $roctor will not enter into any discussions regarding the "uestions or answers@ he or she will be present to ensure you do not ha%e problems with the lab en%ironment and to maintain the timing ele# ment of the e4am.

Secti$n 1> L%N S)itchin" an. ;rame 'e&ay QD =o you want me to configure the collapsed backbone network by manipulating spanning tree to ensure Switch that * and Switch ( are the cores for each F:A1 in use? AD >ou are re"uested to configure root bridges in a later "uestion. QD All the switches are already connected, so  can6t change this unless  shut down some of the connections between switches. &s this acceptable? AD >es. QD f  e4plicitly configure Switches * and ( as root bridges, surely this will ne%er enable Switches 2 and 3 to become root bridges? AD 1o it won
* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&# .

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"#

QD !an  configure a A! address type access#list to block all multicast at :ayer (? AD 1o, this wouldn6t disable the port if multicast traffic was present on it@ look for a dynamic solution that does not re# "uire an A!:. command? QD !an  configure the s&it$%/ort 'lo$0 multi$ast

AD 1o, this would block the traffic but wouldn6t disable the port. QD 0ould you like me to F:A1 load balance to utilize bandwidth? AD 1o, the "uestion directs you how to use thetrunks. addresses? QD 0ould you like me configure Switch * to allocate =H!$

AD 1o, the "uestion relates to a fictitious =H!$ ser%er that would be connected to +a)5*/ on Switch*. A!:s? QD !an & manipulate a helper#address function to answer the =H!$ "uestion by using

AD 1o, use a recognized =H!$ security#related solution. QD !an  configure port security to bind my A! addresses? solution. AD 1o, use a feature that complements your =H!$ QD !an  ust configure -3 to trunk to Switch( and ha%e a subinterface in both F:A13L and F:A13N?

AD >es. QD 6%e configured my trunk on Switch( to -3 and  can6t ping between -3 and -L@ similarly  can6t ping between -3 and -N. &s there anything else  need to do? AD -emember the switches are in FT$ transparent mode@ you might want to check that Switch( hasre"uired the network. F:A1s configured to enable propagation within your switched okay? QD y +rame -elay network picks up the =:!s automatically. is this

AD 1o, you need to ensure that you do not use additional =:!s other than those specified. using? QD =o you want me to manually map to the =:!s  should be

AD >es.

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!'0#

Secti$n 2> -P(4 -=P Pr$t$c$&# Secti$n 21> SP; QD  am used to configuring 8S$+ under the process@ surely this is the only place  can configure the parameters? AD There ha%e been recent ad%ances in 8S$+ enabling you to configure it purely under specific areas of the router interfaces. rather like with $%N. Take a look at the commands a%ailable to you under the QD y neighbor relationship is down o%er the +rame -elay network.  notice  ha%e different 8S$+ network types pre# configured. !an  change these? AD 1o, use an alternati%e method of bringing the interface parameters back intoline. QD y secondary address is ad%ertised automatically under 8S$+@ can  use a distribute#list or prefi4 type list to block it? AD 1o, use an 8S$+ feature to disable the ad%ertisement of this secondary address. QD 6%e attempted to form a neighbor relationship with -3 from -L using a backup interface. s thisokay? AD 1o, the "uestion states that your solution should cater for either :ayer * or :ayer ( failures and that the thernet should remain up. 'ackup interfaces would be fine for a :ayer * failure but not for a :ayer ( type issue if you had problems with specific =:!s that caused neighbor failures o%er the +rame relay. This feature would also ensure the thernet network would be down until the backup interface is acti%ated. -L? QD How about an 8S$+ demand circuit between -3 and

AD 1o, this would in%ol%e a neighbor relationship being maintained. >ou need to allow only the neighbor relationship to be formed if a failure conditionoccurs. QD !an  use '+= between -3 and -L? AD 1o, this might aid in failure detection, but it does not meet the obecti%es of the "uestion. QD To confirm the operation status of -L6s serial interface, can  ust ping it? AD >ou can use !$ but you need to ensure your solution is dynamic. QD y +rame -elay is up on -L and  can ping across it to -( from -L, but  can6t ping my own +rame -elay inter# face. s this normal?

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!'"#

AD >es, perform a debug of the +rame -elay packets if you need to@ remember what you need to gain $ connecti%ity on a +rame -elay network. QD f  use $ S:A to automatically ping -L to check the status, is this okay? AD >es. QD 8kay,  ha%e $ S:A running but 6m stuck. s this anything to do with tracking the response to the ping? AD >es. status? QD How about if  use policy routing with the ne4t hop based on the tracking

AD This is fine@ ust remember that this traffic will be based locally on the router when applying anypolicies. QD 6%e worked out how to do this and managed to get a neighbor up when the +rame -elay fails, but my 8S$+ con# necti%ity is still not perfect through the thernet. s this normal? AD 1ot if you ha%e configured correctly@ take a look at your topology and areas. Something might ha%e changedwhen -L connects o%er the thernet.

Secti$n 22> -='P QD f  ad%ertise my :oopbacks into 7-$ won6t that mean that -3 and -L will ha%e their :oopbacks ad%ertised by both 8S$+ and &7-$? AD >es, this is fine and is in accordance with the "uestion. QD To stop -3 from recei%ing the Switch :oopbacks can  stop ad%ertising them from the switches? AD 1o, you should use a feature on -3 to blockthem. QD !an  use a neighbor prefi4 list to block the :oopbacks? lists. AD 1o, you cannot use any type of A!:s or prefi4

QD 6%e noticed when  look at the specific :oopback routes that they ha%e a hop count associated with them. t6s un# count? usual to associate hop counts with 7-$, but can  block routes based on their hop AD >es. QD f  can6t change the bandwidth and delay on -3, can  use a route#map to manipulate the 7-$ R %alues associ# ated on a per neighbor basis? AD >es. * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!''#

Secti$n 23> 'e.i#tributi$n QD =o you re"uire a distribute#list to block the switch :oopbacks from entering the 8S$+ domain? AD 1o, you should ha%e blocked these from entering your $ routing table within -3 pre%iously, so additional blocking would not be re"uired. QD  ha%e only one redistribution point, and there is no benefit in creating filtering to protect against potential routing loops between protocols. s this acceptable? AD >es, in this scenario this would besuperfluous. QD !an  use a route#map to enable fi%e specific 7-$ routes to be redistributed into 8S$+? AD 1o, the "uestion doesn6t guide you to redistribute specific routes. Mse a more general method of allowing a specific number of routes.

Sect '7$? QD s it okay to disable auto synchronization in

AD >ou need to determine whether you need this feature on or off. -emember that you should ha%e synchronization on only when you are fully redistributing between '7$ and your&7$. QD =o you want me to configure ebgp multihop but limit it to a %alue of ( on -2 for a TT: security check? AD There is a specific security configuration feature within '7$ to perform the TT:check. QD f  use the TT: security hops with a %alue of (, is this all you are looking for? AD >ou need to ensure that your peering still works effecti%ely between -2 and -3 when you ha%e configured this fea# ture. QD  find that when the +rame -elay network fails my neighbor relationship is still maintained between -( and -L. This is because the :oopback routes are still a%ailable o%er the alternati%e path through the network. !an  block my :oopbacks or policy route at some point to effecti%ely break the peering? AD >ou do need to effecti%ely break the peering, but there is a far simpler method of achie%ing this that still maintains peers. unaltered communication between -( and -L. Think about what you need to configure when you ha%e '7$ of QD  might ha%e been a little generous with my srcinal multihop %alue between -( and -L. f  reduce this to a TT: (,  can break the peering. s this okay?

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa "em$re 259 .etai&# /$r

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!'+#

AD >es. QD  think  can stop the :oopback on -( being ad%ertised by using the community %alue of no#e4port, but if  enable this to -(, it wouldn6t make to -L e%en when the +rame -elay isworking? AD !orrect, it wouldn6t be ad%ertised to -L AS2)) from -(. ;ust think about whether -( is the best place to send the community to srcinally. ad%ertising? QD +or the HS-$ "uestion is this some form of conditional

AD 1o, the clue is in the "uestion@ ust find a way of tracking the '7$ route and manipulate the HS-$ process. QD f & enable $ S:A to track a route in the routing table, can  use this to control HS-$? AD >es. QD >ou ha%en6t told me what address  should use for HS-$. s it okay to use the first address in the subnet? AD >es. QD  ha%e configured my two new :oopbacks@ can  use two route#maps inbound from -* and -( both pointing to dif# ferent A!:s so that each route#map calls only one A!:? AD 1o, you still ha%e twoA!:s. A!:? QD !an  set community %alues on the routes and match on these using a single

AD 1o, you are instructed to use an A!:@ your solution would re"uire additional configuration. QD !an & use a prefi4#list to achie%e this? AD 1o, you are instructed to use an A!:. ranges? QD So  need an A!: with a mask suitable for both

AD 1ot necessarily@ you would need to match only one re"uirement on the permit functionality@ the other could be met by deny.

Secti$n 4> -P( addresses? QD Should  use the eui#N3 address format when configuring my "uestion. AD 1o, if these were re"uired you would ha%e been instructed to do so in the

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!'4#

QD 6%e configured my $%N addresses and created a +rame -elay map for these on my e4isting =:!s but still can6t ping across the +rame -elay network. Should  be able to? AD >es, if you debug your +rame -elay traffic, you will find you need additionalconfiguration. QD  ha%e configured -$ng between -*, -2, and -(@ -2 recei%es both spoke routes but -* does note see the -( $%N route and %ice %ersa. f this is split#horizon beha%ior and  can6t disable it, can  create subinterfaces on my +rame -e# lay network? AD 1o, use a feature that is common when running $%N o%er $%3 networks. QD !an  tunnel between -* and -(? AD >es. QD >ou are not re"uesting mutual redistribution between -$ng and 8S$+%2. How will my -$ng domain communi# cate with the 8S$+%2 domain? AD This issue is addressed in the followingtask. QD f  can6t use -$ng directly on F:A13L between -3 and -L, can  configure 8S$+%2 on F:A13L? interfaces. AD 1o, find a way to still run -$ng between routers without enabling it on the physical QD !an  tunnel between -3 and -L?

AD >es.

Secti$n 43> 'e.i#tributi$n QD  ha%e redistributed -$ng into 8$S+%2 on -L, which is the only suitable location, and noticed that in my 8S$+%2 domain & do not see the $%N network configured on the +rame -elay network between -( and -L. s thisokay? AD 1o, this network should be ad%ertised to the 8$S+%2 domain. Mse a feature within the 8$S+%2 process as you would to o%ercome this if this were $%3 redistribution. QD !an  redistribute a static $%N route on -L into -$ng for ())9DD5*N? AD 1o, static routes are permitted unless specified. 0hat would you do if this were $%3? QD f & can6t enable -$ng on F:A13L between -3 and -L, can  enable8S$+%2? point? AD 1o, this would also re"uire you to perform redistribution at this

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!'#

QD How about tunneling again and enabling -$ng o%er the tunnel. s this 8R ? AD >es. QD  ha%e created my tunnel and found that this is now the primary route rather than an alternati%e path. !an  perform some kind of backup interface to make this come up only if a failure occurs on the +rame-elay? your AD 1o, you ha%en6t been gi%en sufficient information to make this udgment. This approach would also break it. $%3 network@ think why the thernet path is preferred and manipulate

QD !an  use a prefi4#list to block the summary and permit all other $%N routes? AD >es, this is fine.

Secti$n 5> B$S QD !an  ust trust =S!$ on my physicalports? AD 1o, this should be completed as part of your policy. QD Shall  rate#limit my ports to L on a per#port basis? AD 1o, this should be completed as part of yourpolicy. QD >ou ha%en6t indicated what the minimum burst size should be, is this correct? options. AD >es, ust use the a%ailable limits within the command

QD  belie%e  can use a =S!$ mutation map to con%ert the =S!$ %alues for the future, but the command wonou need to con%ert these to =S!$ %alues@ search your =ocumentation != or a%ailable !isco.compages. QD  am trying to assign bandwidth within my class with the speeds supplied, but  can see only a percentage option, is this correct? AD >es, you need to do some math. >ou are supplied with the information you re"uire and ust need to remember how fast a T* line is.

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!'1#

Secti$n > Security QD !an  use a route#map and A!:s to identify the traffic by portnumber? AD 1o, this would identify the M=:= traffic but not the %irus payload as per the "uestion. n%estigate the options open to you with 1'A-. QD !an  policy route traffic destined to the infected host to null)? AD 1o, you need to use a '7$#relatedfeature. QD A static route for *(.).(.)5(3 wont ha%e any bearing on traffic destined to the infected host, why isrele%ant? this AD Think about the way '7$ works. t6s the only routing protocol where you don6t need to be directly connected to updates. form a neighbor relationship@ as such you transport ne4t#hop information with your QD  ha%e configured !o$$ on -N and seem to ha%e lost all my routes. s this e4pected beha%ior? =o you want me to fi4 this as part of the !o$$ "uestion? AD f you ha%e lost your routes, think about why this has happened. >es, pro%ide a fi4 otherwise you would lose points in other sections.

Secti$n 7> Mu&tica#t QD f  can6t configure nt/ sereron -*, -(, and -3, there wones, you don6t need to specifically peer with -2 as the ser%er@ you should aim to recei%e the ntp stream though -2 should be configured tomulticast.

QD =o you want me to create and announce the group ((3.).*.* on -2? AD >es.

Secti$n @> -P Ser(ice# address? QD  guess this is an  "uestion looking at the email

AD !orrect.

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!'2#

QD =o you need me to set up a route to *().*))..)5(3? AD 1o. two? QD  can6t get both commands onto a single !: pattern e%ent. s it okay to configure

AD 1o, you are directed to configure a single !: pattern e%ent command that will pick up either command. QD =o you want a 7- type redirection for the 0!!$? AD 1o, you ha%e not been gi%en sufficient information for 7- mode, or indeed if you should configure tunnels and so "uestion. on@ keep your configuration simple and follow the traffic? QD Should  block telnet and then permit all other $

AD Think about what 0AAS achie%es. does it optimize all $ traffic or ust specific protocols? QD Should  configure 0!!$ ser%ices N* and N( on the switches for F:A12))? routers. AD 1o, you are directed to configure only the

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!'3#

Lab !ebrie/ The lab debrief section now analyzes each "uestion showing you what was re"uired and how to achie%e the desired re# sults. >ou should use this section to produce an o%erall score for this practice lab.

Secti$n 1> L%N S)itchin" an. ;rame 'e&ay ?2@ P$int#A E

!onfigure your switches as a collapsed backbone network with Switches * and ( performing core and distribu# tion functionality and Switches 2 and 3 as access switches in your topology. Switches 2 and 3 should connect to only the core switches. B( pointsC

This is a simple start to the e4ercise. The switches are fully meshed to begin with@ to create a collapsed backbone topol# ogy, the core switches should be connected together, and each access switch should be dual#homed to the core switches. The only switches that should not connect directly to each other would be the access switches BSw2 and Sw3C. 'y shut# ting down the interfaces between Sw2 and Sw3, you create the re"uired topology. f you ha%e configured this correctly, as shown in 4ample *#*, you ha%e scored ( points. %en though the resulting topology is not looped at this stage, you can %erify route bridge assignment by using the s%o& s/anning tree root command. E%MPL 161 S)3 an. S)4C$n/i"urati$n SW3(config)# inter#a$e range #astEt%ernet 52324 SW3(config-if-range)#

s%ut

SW4(config)# inter#a$e range #astEt%ernet 52324 SW4(config-if-range)#

E

s%ut

Switch * and ( should run spanning tree in /)(.*w mode. Switches 2 and 3 should operate in their default span# ning#tree mode. B( pointsC

/)(.*w is rapid spanning tree@ this is backward compatible with the switches< default B$FSTC, so by configuring Switches * and ( into rapid spanning tree mode, spanning tree can still operate effecti%ely with Switches 2 and 3. f you ha%e configured this correctly, as shown in 4ample *#(, you ha%e earned another ( points.

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!'#

E%MPL 162 S)1 an. S)2C$n/i"urati$n SW1(config)#

s/anningtreemode ra/id/st

SW2(config)# s/anningtreemode ra/id/st

E

!onfigure Switch * to be the root bridge and Switch ( the secondary root bridge for F:A1s * and 2)). nsure that Switches 2 and 3 can ne%er become root bridges for any F:A1s for which Switch * and Switch ( are root bridges by configuring only Switches * and (. B( pointsC

This is a straightforward "uestion for the core switches. The root bridge prioritization root guard is configured on the ports that connect Switches * and ( to Switches 2 and 3@ this ensures that if a superior '$=M is recei%ed on these ports, it is ignored. f you ha%e configured this correctly, as shown in 4ample *#2, you ha%e ( points. E%MPL 163 S)1 an. S)2 '$$t ri."e C$n/i"urati$n SW1(config)# s/anningtree lan root  /rimar* SW1(config)# s/anningtreelan 3 root /rimar* 59 SW1(config-if)# inter#a$e 6astet%ernet SW1(config-if)#

s/anningtree guardroot

SW1(config-if)#

inter#a$e 6astet%ernet 52

SW1(config-if)#

s/anningtree guardroot

SW1(config-if)#

inter#a$e 6astet%ernet 52

SW1(config-if)#

s/anningtree guardroot

SW1(config-if)#

inter#a$e 6astet%ernet 522

SW1(config-if)#

s/anningtree guardroot

SW2(config)# s/anningtree lan root  se$ondar* SW2(config)# s/anningtreelan 3 root se$ondar* SW2(config-if)# inter#a$e 6astet%ernet 59 SW2(config-if)#

s/anningtree guardroot

SW2(config-if)#

52 inter#a$e 6astet%ernet

SW2(config-if)#

s/anningtree guardroot

SW2(config-if)#

inter#a$e 6astet%ernet 52

SW2(config-if)#

s/anningtree guardroot

SW2(config-if)#

inter#a$e 6astet%ernet 522

SW2(config-if)#

s/anningtree guardroot

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

E

!+0#

nsure that you fully utilize the a%ailablebandwidth between switches by grouping your interswitch links as trunks. nsure that only dot*" and ther!hannel are supported. B2 pointsC

This is another straightforward "uestion for all switches to create ther!hannels between de%ices. Msing the command $%annelgrou/n mode on under the physical interfaces ensures that only ther!hannel is supported, as opposed to pagp or lacp, and dot*" is the trunking protocol. +or :ayer ( ther!hannels, you don6t ha%e to create a port#channel interface first by using the inter#a$e /ort$%annelconfiguration command before assigning a physical port toa channel group. >ou can use the $%annelgrou/interface configuration command that automatically creates the port#channel interface, al# though a manual port channelconfiguration has been shown here for clarity. -emember that now that you ha%e ther# !hannels between switches, you will need to configure root guard on these interfaces to ensure that Switches 2 and 3 cannot become root bridges. This is o%er and abo%e the pre%ious physical interface configuration completed pre%iously. f you ha%e configured this correctly, as shown in 4ample *#3, you ha%e scored 2 points. E%MPL 164 S)itch 1, 2, 3, an. 4 therChanne& C$n/i"urati$n SW1(config)# inter#a$e Port$%annel SW1(config-if)#

dot s&it$%/ort trun0 en$a/sulation

SW1(config-if)#

s&it$%/ortmode trun0

SW1(config-if)# s/anningtree guardroot SW1(config-if)# inter#a$ePort$%annel2 SW1(config-if)#

s&it$%/ort trun0 en$a/sulation dot

SW1(config-if)#

s&it$%/ortmode trun0

SW1(config-if)# s/anningtree guardroot SW1(config-if)# inter#a$ePort$%annel3 SW1(config-if)#

dot s&it$%/ort trun0 en$a/sulation

SW1(config-if)#

s&it$%/ort modetrun0

SW1(config-if)#

inter#a$e range6astEt%ernet592

SW1(config-if)#

$%annelgrou/  mode on

SW1(config-if)#

inter#a$e range6astEt%ernet5222

SW1(config-if)#

$%annelgrou/ 2 mode on

SW1(config-if)#

inter#a$e range6astEt%ernet52324

SW1(config-if)#

on $%annelgrou/ 3 mode

SW2(config)# inter#a$e Port$%annel SW2(config-if)#

s&it$%/ort trun0 en$a/sulation dot

SW2(config-if)#

s&it$%/ort modetrun0

SW2(config-if)#

inter#a$e Port$%annel2

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

SW2(config-if)#

dot s&it$%/ort trun0 en$a/sulation

SW2(config-if)#

s&it$%/ort modetrun0

SW2(config-if)#

inter#a$e Port$%annel3

SW2(config-if)#

s&it$%/ort trun0 en$a/sulation dot

SW2(config-if)#

s&it$%/ort modetrun0

SW2(config-if)#

inter#a$e range6astEt%ernet592

SW2(config-if)#

$%annelgrou/  mode on

SW2(config-if)#

inter#a$e range6astEt%ernet5222

SW2(config-if)#

$%annelgrou/ 2 mode on

SW2(config-if)#

inter#a$e range6astEt%ernet52324

SW2(config-if)#

on $%annelgrou/ 3 mode

!+"#

SW3(config)# inter#a$e Port$%annel SW3(config-if)#

dot s&it$%/ort trun0 en$a/sulation

SW3(config-if)#

s&it$%/ort modetrun0

SW3(config-if)#

inter#a$e Port$%annel2

SW3(config-if)#

dot s&it$%/ort trun0 en$a/sulation

SW3(config-if)#

s&it$%/ort modetrun0

SW3(config-if)# SW3(config-if)#

inter#a$e range6astEt%ernet592 on $%annelgrou/  mode

SW3(config-if)#

inter#a$e range6astEt%ernet5222

SW3(config-if)#

on $%annelgrou/ 2 mode

SW4(config)# inter#a$e Port$%annel SW4(config-if)#

s&it$%/ort trun0 en$a/sulation dot

SW4(config-if)#

s&it$%/ort modetrun0

SW4(config-if)#

inter#a$e Port$%annel2

SW4(config-if)#

s&it$%/ort trun0 en$a/sulation dot

SW4(config-if)#

s&it$%/ort modetrun0

SW4(config-if)#

inter#a$e range6astEt%ernet592

SW4(config-if)#

$%annelgrou/  mode on

SW4(config-if)#

inter#a$e range6astEt%ernet5222

SW4(config-if)#

$%annelgrou/ 2 mode on

SW1# s%o& inter#a$es /ort$%annelstatus  Port Po1

Name

Status connecte

Vlan trun

Duplex a-full

Spee !"pe a-1$$

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!+'#

SW1# s%o& inter#a$es /ort$%annelstatus 2 Port Po2

Name

Status connecte

Vlan trun

Duplex a-full

Spee !"pe a-1$$

Vlan trun

Duplex a-full

Spee !"pe a-1$$

SW1# s%o& inter#a$es /ort$%annelstatus 3 Port Po3

Name

Status connecte

SW1# s%o& et%er$%annelsummar* Num%er of c&annel-groups in use' 3 Num%er of aggregators' 3 roup

Port-c&annel

Protocol

Ports

----------------------------------------------------------------------------1

Po1(S*)

-

+a$,1(P)

+a$,2$(P)

2

Po2(S*)

-

+a$,21(P)

+a$,22(P)

3

Po3(S*)

-

+a$,23(P)

+a$,24(P)

SW2# s%o& inter#a$es /ort$%annel status  Port Po

Name

tatus $onne$ted

lan

Du/le:

trun0 a#ull

/eed */e a

;2< s%o& inter#a$es /ort$%annel 2 status

Port Po2

Name

Status connecte

SW2# s%o& inter#a$es /ort$%annelstatus 3 Port Name Status Po3 connecte SW2# s%o& et%er$%annelsummar* Num%er of c&annel-groups in use' 3 Num%er of aggregators' 3

Vlan trun

Duplex a-full

Spee !"pe a-1$$

Vlan trun

Duplex a-full

Spee !"pe a-1$$

roup Port-c&annel Protocol Ports ----------------------------------------------------------------------------* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

1 2 3

Po1(S*) Po2(S*) Po3(S*)

-

+a$,1(P) +a$,21(P) +a$,23(P)

!++#

+a$,2$(P) +a$,22(P) +a$,24(P)

SW3# s%o& inter#a$e /ort$%annelstatus  PortName Po1

Status

Vlan connecte

Duplex Spee trun a-full

a-1$$

!"pe

Vlan trun

Spee !"pe a-1$$

SW3# s%o& inter#a$e /ort$%annelstatus 2 Port Po2

Name

Status connecte

Duplex a-full

SW3# s%o& et%er$%annelsummar* Num%er of c&annel-groups in use' 2 Num%er of aggregators' 2 roup Port-c&annel Protocol Ports ----------------------------------------------------------------------------1 Po1(S*) +a$,1(P) +a$,2$(P) 2 Po2(S*) +a$,21(P) +a$,22(P)

SW4# s%o& inter#a$e /ort$%annelstatus  Port Po1

Name

Status connecte

Vlan trun

Duplex a-full

Spee !"pe a-1$$

Vlan trun

Duplex a-full

Spee !"pe a-1$$

SW4# s%o& inter#a$e /ort$%annelstatus 2 Port Po2

Name

Status connecte

SW4# s%o& et%er$%annelsummar* Num%er of c&annel-groups in use' 2 Num%er of aggregators' 2 roup Port-c&annel Protocol Ports ----------------------------------------------------------------------------1 Po1(S*) +a$,1(P) +a$,2$(P) Po2(S*) +a$,21(P) +a$,22(P) 2 * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

E

!+4#

nsure traffic is distributed on indi%idual thernet trunks between switches based on the destination A! ad# dress of indi%idual flows. B( pointsC

A common problem with ther!hannels is traffic not being distributed e"ually among the physical interfaces. !onfigur# ing channel load balancing based on the destination A! address of an indi%idual flow is ust one method a%ailable to distribute traffic. f you ha%e configured this correctly, as shown in 4ample *#L, you ha%e scoredpoints. ( E%MPL 165 S)itch 1, 2, 3, an. 4 therChanne& L$a. a&ancin" C$n/i"urati$n SW1(config)# /ort$ %annelload'alan$edstma$ SW2(config)# /ort$%annel load'alan$e dstma$ SW3(config)# /ort$ %annel load'alan$e dstma$ SW4(config)# /ort$%annelload'alan$e dstma$ SW1# s%o& et%er$%annelload'alan$e .t&er/&annel 0oa-alancing perational State (st-mac)' Non-P' Destination 5/ aress P64' Destination 5/ aress P67' Destination P aress

E

nsure that user interfaces are shut down dynamically by all switches if they toggle e4cessi%ely@ if they remain stable for 2L seconds, they should be reenabled. !onfigure +ast thernet $ort )5*) on each switch so that if mul# ticast traffic is recei%ed on this port, the port is automatically disabled. B2 pointsC

nterfaces that flap can cause problems in a network. Toggling would usually indicate a problem such as a faulty con# necting 1&! or faulty cable@ placing the ports into error disable is amethod of stabilizing the en%ironment. To disable a port when multicast traffic is present, you need to configure storm control with the multicast option set to ). f you ha%e configured this correctly, as shown in 4ample *#N, you ha%e scored 2points. E%MPL 16 S)itch 1, 2, 3, an. 4C$n/i"urati$n SW1(config)# errdisa'le re$oer* $ause lin0#la/ 3SW1(config)# errdisa'le re$oer* interal

SW1(config)# inter#a$e 6astEt%ernet5 SW1(config-if)#

 storm$ontrol multi$ast leel

SW1(config-if)#

s%utdo&n storm$ontrol a$tion

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!+#

SW2(config)# errdisa'le re$oer* $ause lin0#la/ SW2(config)# errdisa'le re$oer* interal 3SW2(config)# inter#a$e 6astEt%ernet5 SW2(config-if)#

storm$ontrol multi$ast leel 

SW2(config-if)#

storm$ontrol a$tion s%utdo&n

SW3(config)# errdisa'le re$oer* $ause lin0#la/ 3SW3(config)# errdisa'le re$oer* interal

SW3(config)# inter#a$e 6astEt%ernet5 SW3(config-if)#

storm$ontrol multi$ast leel 

SW3(config-if)#

storm$ontrol a$tion s%utdo&n

SW4(config)# errdisa'le re$oer* $ause lin0#la/ SW4(config)# errdisa'le re$oer* interal 3SW3(config)# inter#a$e 6astEt%ernet5

E

SW3(config-if)#

storm$ontrol multi$ast leel 

SW3(config-if)#

storm$ontrol a$tion s%utdo&n

+ast thernet $orts )5**#*9 will be used for future connecti%ity on each switch. !onfigure these ports as access ports for F:A12)), which should begin forwarding traffic immediately on connection. =e%ices connected to these ports will dynamically recei%e $ addresses from a =H!$ ser%er due to be connected to $ort )5*/ on sw*. +or security purposes this is the only port on the network where =H!$ addresses should be allocated from. n# sure the switches intercept the =H!$re"uests and add the ingress port and F:A1 and switch A! address prior to sending forward to the =H!$ ser%er. :imit =H!$ re"uests to N)) packets per minute per user port. BN pointsC

This is a =H!$ Snooping "uestion. This is a useful security feature that protects the network from rogue =H!$ ser%ers. i/ d%$/ snoo/ing in#ormation o/tion 0hen the =H!$ option#/( feature is enabled on the switch with the command , a subscriber is identified by the switch port through which it connects to the network and by its A! address. =H!$ snooping also facilitates a rate limiting feature for =H!$ re"uests to pre%ent a =H!$ denial of ser%ice by e4cessi%e false re"uests from a host, which would ha%e the Wgobbler effectW of re"uesting numerous leases from the same port. The "uestion includes a couple of points that could easily be o%erlooked if you are suffering from e4am pressure, namely the ports are re"uired to be configured with s&it$%/ort %ostBor by configuring portfastC to set the port mode to access and to forward immediately. The rate limiting is configured in packets per second not per minute as implied, so you would need to pay attention to detail. f you ha%e configured this correctly, as shown in 4ample *#9, you ha%e scored Npoints.

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!+1#

E%MPL 167 S)itch 1, 2, 3, an. 4 !CP Sn$$pin" C$n/i"urati$n SW1(config)# i/ d%$/ snoo/ing 3 SW1(config)# i/ d%$/ snoo/ing lan

SW1(config)# i/ d%$/ snoo/ing in#ormation o/tion SW1(config)# int #astEt%ernet58 SW1(config-if)#

i/ d%$/ snoo/ingtrust

57 SW1(config)# inter#a$e range #astEt%ernet

SW1(config-if-range)#

i/ d%$/ snoo/ing limit rate 

58 SW1(config)# inter#a$e range #astEt%ernet

SW1(config-if-range)#

s&it$%/ort%ost

SW1(config-if-range)#

s&it$%/ort a$$ess lan 3

SW2(config)# i/ d%$/ snoo/ing SW2(config)# i/ d%$/ snoo/ing lan 3 SW2(config)# i/ d%$/ snoo/ing in#ormation o/tion 57 SW2(config)# inter#a$e range #astEt%ernet

SW2(config-if-range)#

i/ d%$/ snoo/ing limit rate 

SW2(config-if-range)# SW2(config-if-range)#

s&it$%/ort%ost 3 s&it$%/ort a$$ess lan

SW3(config)# i/ d%$/ snoo/ing SW3(config)# i/ d%$/ snoo/ing lan 3 o/tion SW3(config)# i/ d%$/ snoo/ing in#ormation

SW3(config)# inter#a$e range #astEt%ernet 57 SW3(config-if-range)#

 i/ d%$/ snoo/ing limit rate

SW3(config-if-range)#

s&it$%/ort%ost

SW3(config-if-range)#

s&it$%/ort a$$ess lan 3

SW4(config)# i/ d%$/ snoo/ing SW4(config)# i/ d%$/ snoo/ing lan 3 SW4(config)# i/ d%$/ snoo/ing in#ormation o/tion 57 SW4(config)# inter#a$e range #astEt%ernet

SW4(config-if-range)#

 i/ d%$/ snoo/ing limit rate

SW4(config-if-range)#

s&it$%/ort%ost

SW4(config-if-range)#

3 s&it$%/ort a$$ess lan

SW1# s% i/ d%$/snoo/ing

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!+2#

S8itc& D9/P snooping is ena%le D9/P snooping is configure on follo8ing V05Ns' 3$$ nsertion of option :2 is ena%le circuit-i format' 6lan-mo-port remote-i format' 5/ ption :2 on untruste port is not allo8e Verification of &8ar fiel is ena%le nterface !ruste ;ate limit (pps) --------------------------------------------+ast.t&ernet$,11 no 1$ +ast.t&ernet$,12 no 1$ +ast.t&ernet$,13 no 1$ +ast.t&ernet$,14 no 1$ +ast.t&ernet$,1< no 1$ +ast.t&ernet$,17 no 1$ +ast.t&ernet$,1= no 1$ "es unlimite +ast.t&ernet$,1:

E

+or additional security ensure the user ports on Switches *#3 and **#*9 can communicate only with the network with &$ addresses gained from the =H!$ feature configured pre%iously. Mse a dynamic feature to ensure the only information forwarded upon connection is =H!$ re"uest packets and then any traffic that matches the =H!$ $ information recei%ed from the =H!$ binding for additional security. B2 pointsC

A complementary feature to =H!$ Snooping is $ Source 7uard. This feature binds the information recei%ed from the =H!$ address offered and effecti%ely builds a dynamic FA!: on a per port basis to enable only source traffic matched from the =H!$ offer to ingress the switch port for additionalsecurity. f you ha%e configured this correctly, as shown in 4ample *#/, youha%e scored 2 points. E%MPL 16@ S)itch 1, 2, 3, an. 4 -P S$urce =uar. C$n/i"urati$n 57 SW1(config)# inter#a$e range #ast

SW1(config-if-range)#

i/ eri#*sour$e

SW2(config)# inter#a$e range #ast 57 SW2(config-if-range)#

i/ eri#*sour$e

57 SW3(config)# inter#a$e range #ast

SW3(config-if-range)#

i/ eri#*sour$e

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!+3#

SW4(config)# inter#a$e range #ast 57 SW4(config-if-range)#

E

i/ eri#*sour$e

-L and -N ha%e been preconfigured with $ addresses on their thernet interfaces. !onfigure -3 and its associ# ated switch port accordingly without using secondary addressing to communicate with -L and -N. !onfigure -3 with an $ address of *().*)).3L.35(3 to communicate with -L, and configure -3 with an $ address of *().*)).3N.35(3 to communicate with -N. !onfigure -3 7i)5* and Switch ( +)53 only. B2 pointsC

This is ust a simple trunking "uestion on Switch( to -3 to enable -3 to connect to F:A13L and F:A13N. 8ne point to remember is that Switch( does not ha%e F:A13L and F:A13N configured locally within the default configuration, so you will need to create the F:A1s locally prior to configuring the trunk. f you ha%e configured this correctly, as shown in 4ample *#, you ha%e scored 2 points. E%MPL 169 S)itch2 an. '4 Trun0in"C$n/i"urati$n ;4(config)# inter#a$eGiga'itEt%ernet5.4;4(config-if)#

en$a/sulation dot=4-

;4(config-if)#

i/ address 2..4-.4 2--.2--.2--.

;4(config-if)#

inter#a$e Giga'itEt%ernet5.4

;4(config-if)#

en$a/sulation dot=4

;4(config-if)#

i/ address 2..4.4 2--.2--.2--.

SW2(config)# lan 4-4 SW2(config)# inter#a$e6astEt%ernet54

E

SW2(config-if)#

dot s&it$%/ort trun0 en$a/sulation

SW2(config-if)#

s&it$%/ort trun0 allo&ed lan 4-,4

SW2(config-if)#

s&it$%/ort modetrun0

>our initial configuration has been supplied for the -*#-(#-2connecti%ity and -(#-L. !onfigure each de%ice as per +igure *#N to ensure each de%ice is reachable o%er the +rame -elay network. 8nly use the indicated =:!&s. B( pointsC

The initial +rame -elay configuration has been supplied for you@ all you need to add is additional maps on -* and -( spokes to enable them to communicate with each other by directing traffic to the Hub router B-2C because the initial con# figuration usesno in%erse arp. !ommunication between -( and -L will work without modification by default. f you ha%e configured this correctly, as shown in 4ample *#*), you ha%e scored ( points.

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!+#

E%MPL 161+ '1 an. '2 %..iti$na& ;rame 'e&ay C$n/i"urati$n an. Te#tin" ;1# $on# t ;1(config)# int s55 ;1(config-if)#

#ramerela* ma/ i/ 2..23.2 3 'road$ast

;2# $on# t .nter configuration commans> one per line?

.n 8it& /N!0,@?

;2(config)# int s5 ;2(config-if)#

#ramerela* ma/ i/ 2..23. 23 'road$ast

;1# /ing 2..23.2 !"pe escape seAuence to a%ort? Sening <> 1$$-%"te /P .c&os to 12$?1$$?123?2> timeout is 2 secons' BBBBB Success rate is 1$$ percent (<,<)> roun-trip min,a6g,max C :,:,: ms

Secti$n 2> -P(4 -=P Pr$t$c$&# ?22 P$int#A Secti$n 21> SP; E

Mse a process = of *@ all 8S$+ configuration where possible should not be configured under the process =. =o not change the preconfigured interface types where applicable. The :oopback interfaces of -outers -*, -(, and -2 should be configured to be in Area ). -3 should be in Area 23 and -L in Area L. B( pointsC

-ecent ad%ances in 8S$+ ha%e enabled configuration of the network area directly under the interface as opposed to within the 8S$+ process. 4ample *#** details the 8S$+ configuration. E%MPL 1611 SP; C$n/i"urati$n 5 ;1(config)# inter#a$e Giga'itEt%ernet

;1(config-if)#

i/ os/#  area

;1(config)# inter#a$e erial55 ;1(config-if)#

i/ os/#  area

;1(config-if)#

inter#a$e )oo/'a$0

;1(config-if)#

i/ os/#  area

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!40#

;2(config)# inter#a$e )oo/'a$0 ;2(config-if)#

i/ os/#  area

;2(config-if)#

inter#a$e erial5

;2(config-if)#

i/ os/#  area

;2(config-if)#

inter#a$e erial5

;2(config-if)#

i/ os/#  area-

;2(config-if)#

inter#a$e 6astEt%ernet5

;2(config-if)#

i/ os/#  area2

;3(config)# inter#a$e loo/'a$0 ;3(config-if)#

i/ os/#  area

;3(config-if)#

inter#a$e erial55

;3(config-if)#

i/ os/#  area

;3(config-if)#

5 inter#a$e Giga'itEt%ernet

;3(config-if)#

i/ os/#  area34

;4(config)# inter#a$e )oo/'a$0 ;4(config-if)#

i/ os/#  area34

;4(config-if)# ;4(config-if)#

inter#a$e Giga'itEt%ernet 5 i/ os/#  area34

;4(config-if)#

inter#a$e Giga'itEt%ernet 5.4-

;4(config-if)#

i/ os/#  area-

;<(config)# inter#a$e )oo/'a$0 ;<(config-if)#

i/ os/#  area-

;<(config-if)#

5 inter#a$e Giga'itEt%ernet

;<(config-if)#

i/ os/#  area-

;<(config-if)#

inter#a$e erial55

;<(config-if)#

i/ os/#  area-

nitial configuration changes the 8S$+ network interface types on -outer -*, -(, and -2 +rame -elay interfaces@ this changes the hello and dead inter%al timers, which results in a mismatch with neighbor relationship ne%er being formed. 4ample *#*( showsthe differing interface parameters between routers and re"uired configuration on -outers -* and -2. 'ecause you cannot change the network type, you must manually adust the 8S$+Hello#inter%al. The most logical place to do this is on the hub -outer -2to ensure a common configuration. f you ha%e configured 8S$+ correctly, as shown in 4amples *#** and *#*(, you ha%e scored ( points.

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!4"#

E%MPL 1612 SP; -nter/ace Parameter# an. C$n/i"urati$n 55 ;1# s%o& i/ os/# inter#a$e erial Serial$,$,$ is up> line protocol is up nternet 5ress 12$?1$$?123?1,24> 5rea $ Process D 1> ;outer D 12$?1$$?1?1> Net8or !"pe PN!!PN!> /ost' 74 .na%le %" interface config> incluing seconar" iparesses !ransmit Dela" is 1 sec> State PN!!PN! !imer inter6als configure> 9ello 1$> Dea 4$> Wait 4$> ;etransmit < oo%-res"nc timeout 4$ 9ello ue in $$'$$'$: Supports 0in-local Signaling (00S) /isco NS+ &elper support ena%le .!+ NS+ &elper support ena%le nex 1,2> floo Aueue lengt& $ Next $x$($),$x$($) 0ast floo scan lengt& is $> maximum is $ 0ast floo scan time is $ msec> maximum is $msec Neig&%or /ount is $> 5Eacent neig&%or count is $ Suppress &ello for $ neig&%or(s)

;3# s%o& i/ os/# inter#a$e erial 55 Serial$,$,$ is up> line protocol is up nternet 5ress 12$?1$$?123?3,24> 5rea $ Process D 1> ;outer D 12$?1$$?3?1> Net8or !"pe PN!!*0!PN!> .na%le %" interface config> incluing seconar" iparesses !ransmit Dela" is 1 sec> State PN!!*0!PN! !imer inter6als configure> 9ello 3$> Dea 12$> Wait 12$> ;etransmit < oo%-res"nc timeout 12$ 9ello ue in $$'$$'$: Supports 0in-local Signaling (00S) /isco NS+ &elper support ena%le .!+ NS+ &elper support ena%le nex 2,2> floo Aueue lengt& $ Next $x$($),$x$($) 0ast floo scan lengt& is $> maximum is $ 0ast floo scan time is $ msec> maximum is $msec Neig&%or /ount is $> 5Eacent neig&%or count is $ Suppress &ello for $ neig&%or(s)

/ost' 74

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!4'#

;3# $on# t ;3(config)# int erial55 ;3(config-if)# i/ os/# %ellointeral ;3# s%o& i/ os/#neig%'or Neig&%or D 12$?1$$?1?1 12$?1$$?2?1 12$?1$$?4?1

Pri $ $ 1

State +*00, +*00, +*00,D;

Dea !ime $$'$$'32 $$'$$'3< $$'$$'3

5ress 12$?1$$?123?1 12$?1$$?123?2 12$?1$$?34?4

nterface Serial$,$,$ Serial$,$,$ iga%it.t&ernet$,$

E All :oopback networks should not be ad%ertised as host routes. B* pointC :oopback interfaces within 8S$+ will by default be ad%ertised as host routes. To manipulate this beha%ior you need to o%erride the network type that the &8S associates with the :oopback interface. 4ample *#*2 shows the host routes learned on -(. 1ote that *().*)).*(2.252( is actually a host route generated by 8S$+ for the +rame -elay connection, so this is e4pected beha%ior and acceptable in the routing table. &f you ha%e configured this correctly, as shown in 4#ample *#*2, you ha%e scored * point. XA$: *#*2 8S$+ :oopback &nterface Host -outes and !onfiguration -(Y sh ip route G inc 52( 8

*().*)).L.*52( **)5NLI %ia *().*)).(L.L, ))D)3D23, Serial)5*

8 &A *().*)).3.*52( **)5NNI %ia *().*)).*(2.2, ))D))D3(, Serial)5) 8

*().*)).*(2.2, ))D)*D)), Serial)5)

8

*().*)).*.*52( **)5*(I %ia *().*)).*(2.2, ))D)*D)), Serial)5)

8

*().*)).2.*52( **)5NLI %ia *().*)).*(2.2, ))D)*D)), Serial)5)

8

*().*)).*(2.252( **)5N3I %ia *().*)).*(2.2, ))D)*D)), Serial)5)

;1# $on# t ;1(config)# int )oo/'a$0 ;1(config-if)# ;2#$on# t

i/ os/# net&or0/ointto/oint

;2(config)# inter#a$e )oo/'a$0 ;2(config-if)# ;3# $on# t

i/ os/# net&or0/ointto/oint

;3(config)# int )oo/'a$0

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

;3(config-if)#

!4+#

i/ os/# net&or0/ointto/oint

;4# $on# t ;4(config)# int )oo/'a$0 ;4(config-if)#

i/ os/# net&or0/ointto/oint

;<# $on# t ;4(config)# int )oo/'a$0 ;4(config-if)#

i/ os/# net&or0/ointto/oint

;2# s% i/ route os/#  > in$lude 524 1<$?1$$?$?$,24 is su%nette> 2 su%nets  5 12$?1$$?4?$,24 F11$,77G 6ia 12$?1$$?123?3> $$'$$'43> Serial$,$  12$?1$$? $$'$1'4$> Serial$,1  12$?1$$?1?$,24 F11$,12G 6ia 12$?1$$?123?3> $$'$$'43> Serial$,$  12$?1$$?3?$,24 F11$,7 $$'$$'43> Serial$,$  12$?1$$?4 $$'$1'4$> Serial$,1  5 12$?1$$?34?$,24 F11$,7 $$'$$'43> Serial$,$ 12$?1$$?1$$?$,24 F11$,12G 6ia 12$?1$$?123?3> $$'$$'$> Serial$,$  5

E

nsure that -* does not ad%ertise the preconfigured secondary address under interface 7igabit )5*of *().*)).*)).*5(3 to the 8S$+ network. =o not use any filtering techni"ues to achie%e this. B( pointsC

The associated beha%ior with configuring 8S$+ directly under the interface is that it will by default ad%ertise any sec# ondary addresses assigned to the interface. -* has a preconfigured secondary address on interface 7igabit )5* that is therefore ad%ertised.'ecause you cannot filter this ad%ertisement, you need to inform 8S$+ not to include the secon# dary addresses under the interface command. f you ha%e configured this correctly, as shown in 4ample *#*3, you ha%e scored ( points. E%MPL 1614 SP; Sec$n.ary %..re## %.(erti#ement an. C$n/i"urati$n ;1# s%o& i/ os/# int Giga'itEt%ernet 5 iga%it.t&ernet$,1 is up> line protocol is up nternet 5ress 1<$?1$$?1?1,24> 5rea 1$$ Process D 1> ;outer D 12$?1$$?1?1> Net8or !"pe ;5D/5S!> /ost' 1 .na%le %" interface config> incluingseconar" ip aresses !ransmit Dela" is 1 sec> State D;> Priorit" 1 Designate ;outer (D) 12$?1$$?1?1> nterface aress 1<$?1$$?1?1

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!44#

No %acup esignate router on t&is net8or !imer inter6als configure> 9ello 1$> Dea 4$> Wait 4$> ;etransmit < oo%-res"nc timeout 4$ 9ello ue in $$'$$'$$ Supports 0in-local Signaling (00S) /isco NS+ &elper support ena%le .!+ NS+ &elper support ena%le nex 1,1> floo Aueue lengt& $ Next $x$($),$x$($) 0ast floo scan lengt& is $> maximum is $ 0ast floo scan time is $ msec> maximum is $msec Neig&%or /ount is $> 5Eacent neig&%or count is $ Suppress &ello for $ neig&%or(s) ;1(config)# inter#a$e Giga'itEt%ernet 5 ;1(config-if)#

i/ os/#  area  se$ondaries none

;2# s% i/ route2... H Su%net not in ta%le

E

-L should use the +rame -elay link within Area L for its primary communication to the 8S$+ network. f this network should fail either at :ayer * or :ayer (, -L should form a neighbor relationship with -3 under Area L to maintain connecti%ity. >our solution should be dynamic, ensuring that while the Area L +rame -elay link is operational, there is no neighbor relationship between -3 and -L@ howe%er, the thernet interfaces of -3 and -L must remain up. To confirm the operational status of the +rame -elay network, you should ensure that the serial interface of -L is reachable by configuration of -L. >ou are permittedto define neighbor statements between -L and -3. B3 pointsC

This is a comple4 scenario that can consume your time, but all the clues are in the "uestion, so some lateral thinking is re"uired. >ou can rule out a backup interface solution because the thernet needs to remain up, and the solution must cater for :ayer * and :ayer ( rather than purely :ayer *. Similarly, a demand scenario is also out because this would in# %ol%e a neighbor relationshipbeing formed. >ou are also re"uested to confirm operational status of the +rame -elay in# terface on -L with your o%erall solutionbeing dynamic. This would take a great deal of effort and trial and error, but you will find that you can use the $ S:A feature to monitor the $ address of the +rame -elay interface on -L by -L itself. f this responds to the automatic polling with !$, you know the frame relay is up at :ayers * and (. B:ayer ( would also need to be upfor a %alid response because the !$ packet would be sent o%er the +rame -elay network, and a local map to -L6s own $ address is re"uired for this.C f the polling fails, you know the interface is down. $ S:A * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa "em$re 259 .etai&# /$r

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!4#

can then be used to inform the router, and a forwarding decision can be manipulated@ this feature is known as $olicy# 'ased -outing B$'-C support with multiple Tracking 8ptions. This gi%es $'- access to all the obects that are a%ailable through the tracking process. The tracking process pro%ides the ability to track indi%idual obects, such as !$ ping reachability, and inform the re# "uired $'- process when an obect state changes. n summary, if the obect status changes, -L can simply manipulate the way it sends traffic by policy routing. The traffic it manipulates needs to be 8S$+ that should be directed to -3 to form the adacency o%er the thernet network BF:A13LC, so when -L +rame -elay is up and running, we ust need to break the adacency between -L and -3. 0hen the +rame -elay fails, we need to allow the adacency between -L and -3 to form. The first step in this solution is to configure the &$ S:A obect tracking on -L. -emember the additional map is needed locally, so it can ping its own serial interface@ this configuration is detailed in 4ample *#*L. E%MPL 1615 '5 -P SL% C$n/i"urati$n an. Statu# ;<(config)# inter#a$e erial55 ;<(config-if)#

#ramerela* ma/ i/ 2..2-.- -2 'road$ast

;<(config-if)#

e:it

;<(config)# i/ sla  ;<(config-ip-sla)# i$m/e$%o2..2-.no& ;<(config-ip-sla-ec&o)# i/ sla s$%edule  li#e #oreer starttime ;<(config)# tra$0  rtr rea$%a'ilit* ;<# s%o& i/ slastatisti$s

NT 8S$+ should ha%e al# ready been configured between -3 and -L within your srcinal peer# ing configuration. The neighbor adacency takes a while waiting for the dead time to e4pire B*() seconds after changing of the 8S$+ network typeC.

;oun !rip !ime (;!!) for nex 1 0atest ;!!' 4 millisecons 0atest operation start time' I21'1='1$?7:3 *!/ on +e% 1 2$$= 0atest operation return coe' J Num%er of successes' 2 Num%er of failures' $ peration time to li6e' +ore6er

8S$+ needs to be configured between -3 and -L with manual neighbor statements as directed in the "uestion, which ensures the routers unicast traffic to each other. To do this you need to change the network type to nonbroadcast. The unicast traffic between neighbors can be identified by an A!: that the $'- process can match, and then instead of al# lowing normal traffic flowbetween -L and -3 to form the neighbor relationship, the ne4t hop can be modified and as the 8S$+ TT: is set to * by default, thetraffic will effecti%ely be dropped by the ne4t hop and the 8S$+ between -L * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa "em$re 259 .etai&# /$r

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!41#

and -3 will ne%er establish. Similarly, when the obect tracking fails, the $'- process will be o%erridden and traffic can flow as normal. This will then allow -L and -3 to form an 8S$+ adacency. So by using the $'- commandset i/ ne:t %o/ eri#*aa ila'ilit* 2 ..2-.2  tra$0  can forward normal 8S$+ traffic to *().*)).(L.( B-( +rame -elay to , -L effecti%ely discard the trafficC if the tracked obect B*C is up. f the obect status changes to down, the $'- process is in# formed, and the 8$S+ traffic to *().*)).(L.( would follow the usual ne4t hop. -L must be configured to locally policy route traffic because normal $'- beha%ior is for traffic manipulation for traffic that flows through the router rather than traffic generated by the router itself. 4ample *#*N shows the re"uired 8S$+ configuration on -3 and -L, the $'- on -L, a debug of -( sending TT: e4pired to -L after the 8S$+ traffic is sent to -( instead of -L, and the resulting neighbor partial adacency that is formed between -3 and-L. E%MPL 161 '4 an. '5 SP; an. P' C$n/i"urati$n ;4(config)# inter#a$eGiga'itEt%ernet5.4;4(config-if)#

i/ os/# net&or0non'road$ast

;4(config-if)#

router os/#

;4(config-router)#

neig%'or 2..4-.-

;<(config)# inter#a$eGiga'itEt%ernet5 ;<(config-if)# i/ os/# net&or0non'road$ast ;<(config-if)#

router os/#

;<(config-router)#

neig%'or 2..4-.4

;<(config-router)#

e:it

;<(config)# a$$esslist  /ermit os/# %ost 2..4-.- %ost 2..4-.4 ;<(config)# routema/ E /ermit  ;<(config-route-map)#

mat$% i/ address

;<(config-route-map)#

set i/ ne:t%o/ eri#*aaila'ilit* 2..2-.2  tra$0 

;<(config-route-map)#

inter#a$eGiga'itEt%ernet5

;<(config-if)#

E i/ /oli$* routema/

;<(config-if)#

e:it

E ;<(config)# i/ lo$al /oli$* routema/

;2# de'ug i/ i$m/ /P pacet e%ugging is on ;2# I+e% 27 22'1='12?:4=' /P' time exceee (time to li6e) sent to 12$?1$$?4
* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa "em$re 259 .etai&# /$r

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!42#

est 8as 12$?1$$?4
Pri $ 1

State Dea !ime +*00, $$'$$'3= N!,D;!9.; $$'$1'4<

5ress nterface 12$?1$$?2
4ample *#*9 shows the 8S$+ adacency formed when the +rame -elay between -( and -L is shut down on -L. The $'- is o%erridden and normal routing occurs because the ne4t hop is not %erified by the obect tracking. >our routing table needs to be an e4act replica as that shown in 4ample *#*9. >ou must remember that when an 8S$+ adacency forms between -L and -(, you are oining Area L into Area 23 and a %irtual#link between -2 and -3 is re"uired to e4# tend area ). f you hadn6t configured a %irtual#link it would ha%e been an easy mistake that would take your points away. A difficult "uestion but a good one to practice with and e4amine how features operate and interact with each other, you may ha%e been scratching your head or cursing me but 6d be surprised if you didn6t learn something new from this "uestion. f you configured this correctly, including the %irtual link, you ha%e scored 3 pointsPdefinitely a "uestion worth lea%ing to the end of your e4am when hopefully you ha%e time left o%er to e4periment. E%MPL 1617 '3 an. '4 SP; Virtua& Lin0 C$n/i"urati$n an. Te#t '5 ;3(config)# router os/# ;3(config-router)#

area 34 irtuallin02..4.

;4(config)# router os/# ;4(config-router)#

area 34 irtuallin02..3.

;<(config)# inter#a$es55 ;<(config-if)# s%ut ;<(config-if)# IKan 2 21'<:'17?:11' HSP+-<-5DK/9' Process 1> N%r 12$?1$$?2?1 on Serial$,$,1 from +*00 to DWN> Neig&%or Do8n' nterface o8n or etac&e IKan 2 21'<:'1:?:$=' H0NJ-<-/95N.D' nterface Serial$,$,1> c&ange state to aministrati6el" o8n IKan 2 21'<:'1?:$=' H0N.P;!-<-*PDWN' 0ine protocol on nterface Serial$,$,1> c&ange state to o8n ;<(config-if)#

do s%o& i/ os/#neig%

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!43#

Neig&%or D Pri State Dea !ime 5ress nterface N,5 $ 5!!.P!,D;!9.; $$'$$'33 12$?1$$?4 N%r $?$?$?$ on iga%it.t&ernet$,$ from 5!!.P! to DWN> Neig&%or Do8n' Dea timer expire ;<(config-if)# IKan 2 22'$$'$:?13<' HSP+-<-5DK/9' Process1> N%r 12$?1$$?4?1 on iga%it.t&ernet$,$ from05DN to +*00> 0oaing Done ;<(config-if)# ;<# s% i/ routeos/# 1<$?1$$?$?$,24 is su%nette> 3 su%nets  5 1<$?1$$?2?$ F11$,7=G 6ia 12$?1$$?4 $$'$'41> iga%it.t&ernet$,$  5 1<$?1$$?1?$ F11$,7=G 6ia 12$?1$$?4 $$'$'41> iga%it.t&ernet$,$ 12$?$?$?$,: is 6aria%l" su%nette> 13 su%nets> 2 mass  5 12$?1$$?2 $$'$'41> iga%it.t&ernet$,$  5 12$?1$$?4?1,32 F11$,2G 6ia 12$?1$$?4 $$'$'41> iga%it.t&ernet$,$  5 12$?1$$?1?$,24 F11$,7=G 6ia 12$?1$$?4 $$'$'41> iga%it.t&ernet$,$  5 12$?1$$?2?$,24 F11$,7=G 6ia 12$?1$$?4 $$'$'41> iga%it.t&ernet$,$  5 12$?1$$?3?$,24 F11$,3G 6ia 12$?1$$?4 $$'$'41> iga%it.t&ernet$,$  5 12$?1$$?34?$,24 F11$,2G 6ia 12$?1$$?4 $$'$'41> iga%it.t&ernet$,$  5 12$?1$$?123?3,32 F11$,2G 6ia 12$?1$$?4 $$'$'41> iga%it.t&ernet$,$  5 12$?1$$?123?$,24 F11$,13$G 6ia 12$?1$$?4 $$'$'41> iga%it.t&ernet$,$

Secti$n 22> -='P E

!onfigure 7-$ using an AS number of *. The :oopback interfaces of all routers a nd switches should be ad# %ertised within 7-$. B( pointsC

1ot a difficult "uestion by any means@ ust one that has a magnitude of configuration and sets up your 7-$ network for the following "uestions. >ou need to remember to include your preconfigured :oopback interfaces and enable rout# ing on the :ayer 2 switches. Mse the s%o& i/ eigr/ neig%'orcommand to %erify your peering prior to mo%ing onto the ne4t "uestion. f you ha%e configured this correctly, as shown in 4ample *#*/, you ha%e scored ( points.

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa "em$re 259 .etai&# /$r

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!4#

E%MPL 161@ -='P C$n/i"urati$n ;4# s% run > 'egeigr/ router eigrp 1 net8or 12$?1$$?4?1 $?$?$?$ net8or 12$?1$$?4
;<# s% run > 'egeigr/ router eigrp 1 passi6e-interface 0oop%ac$ net8or 12$?1$$?
;7# s% run > 'egeigr/ router eigrp 1 net8or 12$?1$$?7?1 $?$?$?$ net8or 12$?1$$?47?7 $?$?$?$ net8or 1<$?1$$?3?7 $?$?$?$ no auto-summar"

SW1(config)# i/ routing SW1(config)# e:it SW1# s% run >'eg eigr/ router eigrp 1 net8or 12$?1$$?=?1 $?$?$?$ net8or 1<$?1$$?3?= $?$?$?$ no auto-summar" SW2(config)# i/ routing SW2(config)# e:it SW2# s% run >'eg eigr/ router eigrp 1 net8or 12$?1$$?:?1 $?$?$?$ * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa "em$re 259 .etai&# /$r

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!0#

net8or 1<$?1$$?3?: $?$?$?$ no auto-summar" SW3(config)# i/ routing SW3(config)# e:it SW3# s% run >'eg eigr/ router eigrp 1 net8or 12$?1$$??1 $?$?$?$ net8or 1<$?1$$?3? $?$?$?$ no auto-summar" SW4(config)#i/ routing SW4(config)#e:it SW4# s% run >'eg eigr/ router eigrp 1 net8or 12$?1$$?1$?1 $?$?$?$ net8or 1<$?1$$?3?1$ $?$?$?$ no auto-summar"

E

nsure that -3 does not install any of the 7-$ :oopback routes from any of the switches into its routing table@ as such, these routes should also not be present in the 8S$+ network post redistribution. =o not use any route# filtering A!:s, prefi4 lists, or admin distance manipulation to achie%e this, and perform configuration only on -3. B2 pointsC

A distribute or prefi4 list would ha%e been the ob%ious choice here but this is not permitted. Mpon close inspection of the :oopback routes within 4ample *#*, you will notice that the routes ha%e a hopcount of ( associated with them. Hop count isn6t something you would naturally assimilate with 7-$, but you can configure the process to ignore routes recei%ed with a hop count larger thana configured threshold with the commandmetri$ ma:imum%o/s . 'y configuring the ma4imum hop count of * on -3, you cansimply stop the :oopback routes from entering the process. f you ha%e configured this correctly, as shown in 4ample *#*, you ha%e scored 2 points. E%MPL 1619 -='P maimum6h$p#C$n/i"urati$n ;4# s%o& i/ routeeigr/ 1<$?1$$?$?$,24 is su%nette> 3 su%nets D 1<$?1$$?3?$ F$,3$=2$G 6ia 12$?1$$?47?7> $$'$$'1$> iga%it.t&ernet$,1?47 F$,3$=2$G 6ia 12$?1$$?4 $$'$$'1$> iga%it.t&ernet$,1?4< 12$?$?$?$,: is 6aria%l" su%nette> 17 su%nets> 2 mass * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa "em$re 259 .etai&# /$r

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

D

D

D

D D D

12$?1$$?:?$,24 F$,1<:=2$G 6ia 12$?1$$?47?7> F$,1<:=2$G 6ia 12$?1$$?4 12$?1$$??$,24 F$,1<:=2$G 6ia 12$?1$$?47?7> F$,1<:=2$G 6ia 12$?1$$?4 12$?1$$?1$?$,24 F$,1<:=2$G 6ia 12$?1$$?47?7> F$,1<:=2$G 6ia 12$?1$$?4 12$?1$$? 12$?1$$?7?$,24 F$,1<717$G 6ia 12$?1$$?47?7> 12$?1$$?=?$,24 F$,1<:=2$G 6ia 12$?1$$?47?7> F$,1<:=2$G 6ia 12$?1$$?4

!"#

$$'$$'1$> iga%it.t&ernet$,1?47 $$'$$'1$> iga%it.t&ernet$,1?4< $$'$$'1$> iga%it.t&ernet$,1?47 $$'$$'1$> iga%it.t&ernet$,1?4< $$'$1'$=> iga%it.t&ernet$,1?47 $$'$1'$=> iga%it.t&ernet$,1?4< $$'$$'1$>

iga%it.t&ernet$,1?4<

$$'$$'1$>

iga%it.t&ernet$,1?47

$$'$$'1$> iga%it.t&ernet$,1?47 $$'$$'1$> iga%it.t&ernet$,1?4<

;4# s%o& i/ route2..8. ;outing entr" for 12$?1$$?:?$,24 Jno8n 6ia Leigrp 1L> istance $> metric 1<:=2$> t"peinternal ;eistri%uting 6ia ospf 1> eigrp 1 56ertise %" ospf 1 metric <$$$ su%nets 0ast upate from 12$?1$$?47?7 on iga%it.t&ernet$,1?47> $$'$$'1< ago ;outing Descriptor locs' I 12$?1$$?47?7> from 12$?1$$?47?7> $$ '$$'1< ago> 6ia iga%it.t&ernet$,1?47 ;oute metric is 1<:=2$> traffic s&are count is1 !otal ela" is <2$$ microsecons> minimum %an8it& is 1$$$$$ J%it ;elia%ilit" 2<<,2<<> minimum !* 1<$$ %"tes 0oaing 1,2<<> 9ops 2 ;4# s%o& i/ route2..9. ;outing entr" for 12$?1$$??$,24 Jno8n 6ia Leigrp 1L> istance $> metric 1<:=2$> t"peinternal ;eistri%uting 6ia ospf 1> eigrp 1 56ertise %" ospf 1 metric <$$$ su%nets 0ast upate from 12$?1$$?47?7 on iga%it.t&ernet$,1?47> $$'$$'2< ago ;outing Descriptor locs' I 12$?1$$?47?7> from 12$?1$$?47?7> $$ '$$'2< ago> 6ia iga%it.t&ernet$,1?47 ;oute metric is 1<:=2$> traffic s&are count is1 * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!otal ela" is <2$$ microsecons> minimum %an8it& is 1$$$$$ ;elia%ilit" 2<<,2<<> minimum !* 1<$$ %"tes 0oaing 1,2<<> 9ops 2

!'# J%it

;4(config)# router eigr/ ;4(config-router?< metri$ ma:imum%o/s ;4(config-router)# do s%o& i/ routeeigr/ 1<$?1$$?$?$,24 is su%nette> 3 su%nets D 1<$?1$$?3?$ F$,3$=2$G 6ia 12$?1$$?47?7> $$'$$'$4> iga%it.t&ernet$,1?47 F$,3$=2$G 6ia 12$?1$$?4 $$'$$'$4> iga%it.t&ernet$,1?4< 12$?$?$?$,: is 6aria%l" su%nette> 13 su%nets> 2 mass D 12$?1$$? $$'$$'$4> iga%it.t&ernet$,1?4< D 12$?1$$?7?$,24 F$,1<717$G 6ia 12$?1$$?47?7> $$'$$'$4> iga%it.t&ernet$,1?47

E

-3 will ha%e dual e"ual cost routes to F:A12)) Bnetwork *L).*)).2.)C from -L and -N. nsure -3 sends traffic to this destination network to -L rather than load sharing@ should the route from -L become una%ailable, traffic should be sent to -N. >ou may not policy route, alter the bandwidth, or delay statements on -36s interfacesor use an offset list. $erform your configuration on -3 only. >our solution should be applied to all routesrecei%ed from -L and -N as opposed to solely the route to network F:A12)). B2 pointsC

To recei%e identical routes your topology must ha%e identical interface types or bandwidth statements used on -3, -L, and -N. 4ample *#() shows the F:A12)) route B*L).*)).2.)5(3C recei%ed on -3 from both -L and -N with a metric of 2)9(). f you wanted to manipulate this route the usual bestpractice method would be to modify the bandwidth or delay on one of the thernet interfaces, but this is not permitted. n fact, you are only left with one method that can be applied on -3, which will influence all routes from -L and -N, as opposed to ust this indi%idual route. A route#map is re"uired to o%erride the 7-$ assigned metrics assigned to routes on oneinterface by manipulating the bandwidth as# signed to 7igabit *5).3L. 7igabit *5).3N will, by default,ha%e a lower bandwidth assigned to routes recei%ed from it from the permit () statement in the route#map. The route#map is applied inbound to the process as a distribute#list. 4# ample *# () also shows that when the interface 7igabit )5) is shut down on -L that the route for F:A12)) is still re# cei%ed from -N B-36s feasible successorC, so the route is still a%ailable but with a different metric. f you ha%e configured this correctly, as shown in 4ample *#(), you ha%e scored 2 points. B>ou could ha%e also manipulated the delay within the route#map or created a statement for each indi%idual interface as opposed to ust 7igabit *5).3L.C

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!+#

E%MPL 162+ -='P Metric Manipu&ati$n C$n/i"urati$n ;4# s% i/ route-..3. ;outing entr" for 1<$?1$$?3?$,24 Jno8n 6ia Leigrp 1L> istance $> metric 3$=2$> t"peinternal ;eistri%uting 6ia ospf 1> eigrp 1 56ertise %" ospf 1 metric <$$$ su%nets 0ast upate from 12$?1$$?4 $$'2<'4$ ago ;outing Descriptor locs' I 12$?1$$?47?7> from 12$?1$$?47?7> $$'2<'4$ ago> 6ia iga%it.t&ernet$,1?47 ;oute metric is 3$=2$> traffic s&are count is1 !otal ela" is 2$$ microsecons> minimum %an8it& is 1$$$$$ J%it ;elia%ilit" 2<4,2<<> minimum !* 1<$$ %"tes 0oaing 1,2<<> 9ops 1 12$?1$$?4 from 12$?1$$?4 $$'2<'4$ ago> 6ia iga%it.t&ernet$,1?4< ;oute metric is 3$=2$> traffic s&are count is1 !otal ela" is 2$$ microsecons> minimum %an8it& is 1$$$$$ J%it ;elia%ilit" 2<2,2<<> minimum !* 1<$$ %"tes 0oaing 1,2<<> 9ops 1

;4(config)# routema/C@(NGEME+IC/ermit  ;4(config-route-map)#

5.4mat$% inter#a$e giga'itEt%ernet

;4(config-route-map)#

set metri$ 2  2-- - 

;4(config-route-map)#

routema/ C@(NGEME+IC /ermit 2

;4(config-route-map)#

set metri$   2-- - 

;4(config-route-map)#

router eigr/

;4(config-router)#

distri'utelist routema/ C@(NGEME+IC in

;4(config-router)#

AB

;4# $lear i/ route ;4# s% i/ route-..3. ;outing entr" for 1<$?1$$?3?$,24 Jno8n 6ia Leigrp 1L> istance $> metric 12:2<7$ > t"pe internal ;eistri%uting 6ia ospf 1> eigrp 1 56ertise %" ospf 1 metric <$$$ su%nets 0ast upate from 12$?1$$?4 $$'$3'1$ ago ;outing Descriptor locs' I 12$?1$$?4 from 12$?1$$?4 $$'$3'1$ ago> 6ia iga%it.t&ernet$,1?4< ;oute metric is 12:2<7$> traffic s&are count is1 !otal ela" is 1$$ microsecons> minimum %an8it& is 2$$$ J%it * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!4#

;elia%ilit" 2<<,2<<> minimum !* 1<$$ %"tes 0oaing 1,2<<> 9ops 1 ;<(config)# int gig5 ;<(config-if)#

s%utdo&n

;4# s% i/ route-..3. ;outing entr" for 1<$?1$$?3?$,24 Jno8n 6ia Leigrp 1L> istance $> metric 2<72<7$ > t"pe internal ;eistri%uting 6ia ospf 1> eigrp 1 56ertise %" ospf 1 metric <$$$ su%nets 0ast upate from 12$?1$$?47?7 on iga%it.t&ernet$,1?47> $$'$$'1$ ago ;outing Descriptor locs' I 12$?1$$?47?7> from 12$?1$$?47?7> $$'$$'1$ ago> 6ia iga%it.t&ernet$,1?47 ;oute metric is 2<72<7$> traffic s&are count is1 !otal ela" is 1$$ microsecons> minimum %an8it& is 1$$$ J%it ;elia%ilit" 2<<,2<<> minimum !* 1<$$ %"tes 0oaing 1,2<<> 9ops 1

Secti$n 23> 'e.i#tributi$n E

$erform mutual redistribution of 7$ protocols on -3. All routes should be accessible with the e4ception of the switch :oopback networks because these should not be %isible %ia -3 from an earlier "uestion. 7-$ routes re# distributed within the 8S$+ network should remain with a fi4ed cost of L))) throughout the network. B2 pointsC

A simple redistribution "uestion for the warm#up lab, you ha%e only asingle redistribution point B-3C, so ha%e nocon# cerns when using protocols such as 7-$ and 8S$+, with their inherent protection against routing loops. The fi4ed cost of L))) is achie%ed by ad%ertising redistributed routes into 8S$+ using a metric#type of (, which is the default, so no specific configuration is re"uired for this. The only points you need to consider when redistributing into 8S$+ are to use the su'nets command to ensureclassless redistribution and to use default#metrics in each protocol. f you ha%e con# figured this correctly, as shown in 4ample *#(*, you ha%e scored 2 points. E%MPL 1621 '4 'e.i#tributi$n C$n/i"urati$n an. Veri/icati$n ;4(config)# router eigr/ ;4(config-router)#

redistri'ute os/#

;4(config-router)#

de#aultmetri$   2--- 

;4(config-router)#

router os/#

;4(config-router)#

redistri'ute eigr/ su'nets 

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

;4(config-router)#

!#

de#aultmetri$-

;1# s%o& i/ route os/# > in$lude E2  .2 1<$?1$$?3?$ F11$,<$$$G 6ia 12$?1$$?123?3> $$'$$'47> Serial$,$,$  .2 12$?1$$?7?$,24 F11$,<$$$G 6ia 12$?1$$?123?3> $$'$$'47> Serial$,$,$  .2 12$?1$$?47?$,24 F11$,<$$$G 6ia 12$?1$$?123?3> $$'$$'47> Serial$,$,$

SW1# s%o& i/ route eigr/ > in$lude E D .M 1<$?1$$?2?$ F1=$,2:4417G 6ia 1<$?1$$?3?7> $$'$1'43> Vlan3$$ D .M 1<$?1$$?1?$ F1=$,2:4417G 6ia 1<$?1$$?3?7> $$'$1'43> Vlan3$$ D .M 12$?1$$?2 $$'$1'43> Vlan3$$ D .M 12$?1$$?1?$,24 F1=$,2:4417G 6ia 1<$?1$$?3?7> $$'$1'43> Vlan3$$ D .M 12$?1$$?2?$,24 F1=$,2:4417G 6ia 1<$?1$$?3?7> $$'$1'43> Vlan3$$ D .M 12$?1$$?3?$,24 F1=$,2:4417G 6ia 1<$?1$$?3?7> $$'$1'43> Vlan3$$ D .M 12$?1$$?34?$,24 F1=$,2:4417G 6ia 1<$?1$$?3?7> $$'$1'43> Vlan3$$ D .M 12$?1$$?123?3,32 F1=$,2:4417G 6ia1<$?1$$?3?7> $$'$1'43> Vlan3$$ 12$?1$$?123?$,24 F1=$,2:4417G 6ia1<$?1$$?3?7> $$'$1'44> Vlan3$$ D .M

E

!onfigure -3 to only redistribute up to fi%e 7-$ routes, and generate a system warning when the fourth route is redistributed. =o not use any access#lists in your solution. B( pointsC.

>ou can limit the number of prefi4es redistributed into 8S$+ and generate a warning when the number of prefi4es reaches a defined ma4imum by use of theredistri'ute ma:imum/re#i: command. To generate the warning on the fourth route, you must configure a percentage threshold B/) percentC. f you ha%e configured this correctly, as shown in 4am# ple *#((, you ha%e scored (points. E%MPL 1622 '4 Pre/iC$n/i"urati$n ;4(config)# router os/# ;4(config-router)#

redistri'ute ma:imum/re#i:8 -

Secti$n 3> =P ?14 P$int#A E

!onfigure i'7$ peering as followsD -*#-2, -(#-2, -N#-L, Sw*#-N, and Sw*#-L. Mse minimal configuration and use :oopback interfaces for your peering. !onfigure e'7$ peering as followsD -2#-3, -3#-N, -3#-L, and -L#-(. Mse minimal configuration and use :oopback interfaces for your peering with the e4ception of -3 to -L. B( pointsC Mse the AS numbers supplied in +igure *#. +or your e'7$ peering on -2, use the TT: security fea# * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!1#

ture, which will not permit a session from -3 to become established if -3 is more than ( hops away. This feature must be configured only on -2 and not on -3. B( pointsC asy peering points to begin with but lots of typing to earn them. >ou must remember to use peer groups to minimize configuration where possible, namely on -2, -N, and Switch*, and follow the peering instructions closely as these are rele%ant for the following "uestions. >ou should ha%e noticed that -2 was re"uired to be a route reflector for i'7$ peers -* and -( in AS*) and thatno s*n$%roni1ationis re"uired because the underlying 7$ is not redistributed into '7$. -emember to %erify your peering withthe s%o& i/ 'g/ neig%'orcommand. The peering becomes complicated whe n the 2 -2. This command is TT: security feature is enabled by use of the command neig%'or 2..4. ttlse$urit* %o/son a neat feature that will not permit the peering session if the recei%ed neighbor TT: %alue is less than (L2 in this case, which would suggest that the incoming session could be some form of remote attack with spoofed source $ address of the srcinal neighbor. 'ecause you are not permitted to configure the same feature on -3, the peering will of course break, e%en if you ha%e configured the ebgp multihop feature on -3 with a %alue of (. B8f course this will simply incre# ment the TT: %alue from a default %alue of ).C 4ample *#(2 shows a debug on -2 for the ebgp peering@ the field highlighted is the TT: He4 %alue displayed from the hidden command BdumpC when performing the debug. >ou need to get the He4 %alue to += B(L2 decimalC to show -2 that the -3 can only be a ma4imum of two hops away by configuring the multihop %alue to (LL on -3. f you ha%e con# figured this correctly, as shownin 4ample *#(2, you ha%e scored (points. E%MPL 1623 =P Peerin"C$n/i"urati$n ;1# s% run > 'egin'g/ router %gp 1$ no s"nc&roniation neig&%or 12$?1$$?3?1 remote-as 1$ neig&%or 12$?1$$?3?1 upate-source 0oop%ac$ no auto-summar" ;2# s% run > 'egin'g/ router %gp 1$ no s"nc&roniation neig&%or 12$?1$$?3?1 remote-as 1$ neig&%or 12$?1$$?
* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!2#

;3# s% run > 'egin'g/ router %gp 1$ no s"nc&roniation neig&%or P peer-group neig&%or P remote-as 1$ neig&%or P upate-source 0oop%ac$ neig&%or P route-reflector-client neig&%or 12$?1$$?1?1 peer-group P neig&%or 12$?1$$?2?1 peer-group P neig&%or 12$?1$$?4?1 remote-as 2$$ neig&%or 12$?1$$?4?1 ttl-securit" &ops 2 neig&%or 12$?1$$?4?1 upate-source 0oop%ac$ no auto-summar" ;4# s% run > 'egin'g/ router %gp 2$$ no s"nc&roniation neig&%or 12$?1$$?3?1 remote-as 1$ neig&%or 12$?1$$?3?1 e%gp-multi&op 2 neig&%or 12$?1$$?3?1 upate-source 0oop%ac$ neig&%or 12$?1$$?7?1 remote-as 3$$ neig&%or 12$?1$$?7?1 e%gp-multi&op 2 neig&%or 12$?1$$?7?1 upate-source 0oop%ac$ neig&%or 12$?1$$?4 :4 SON $+4$$/$$' $+4$$/1$' /2$211.$ $+4$$/2$' $1$747=. $+4$$/3$' 5+D1+:5 $+4$$/4$' $2$4$21:

stC1=>

seAC27$$2= 47>

acC$> 8inC173

/2$4 $=4$$$$$ ???? $$1$$:$$ 4E??? $1$1$1$1 $3$3$3$3 57/4$$3 ??+R????????D?3 $$$$$$$$ 7$$24$$$ +1$$$$ ?T??????Q??AU?? ????

B !&e !!0 from ;4 is ecremente to $1 9ex C $1 ecimal as ;4 &as e%gp-multi&op 2 * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

B B B B B

!3#

configure an t&e P session 8ill not %e esta%lis&e as ;3 &as t&e !!0 securit" c&ec ena%le> from ;3s perspecti6e ;4 coul %e 2<4 &ops a8a"B /onfigure ;4 so t&e !!0 6alue 8ill rea 2<3 ecimal (+D &ex) %" configuringan e%gp multi&op 6alue of 2<< (t&is 6alue 8ill ecrement o8n to 2<3 8&en it is processe %" ;3)?

;4(config)# router 'g/2 2-;4(config)# neig%'or 2..3. e'g/multi%o/

;3# !/P srcC441$> stC1=> seAC3:2<3=$47> acC32$:<47$7 > 8inC17273 5/J $+=/7$' /2$4 $=4$$$$$ ???? $+=/=$' /2$211.$ $$1$$:$$ 4?3 $+=/$' .4$2:<7< +<2=.:. <$1$3+:= 13+/$$$$ ??e;R?P???X?? $+=/5$' B No8 a &ex 6alue of +D (2<3 Decimal) can %e seen at ;3 from ;4> t&is s&o8s t&at ;4 B can not %e furt&er t&an 2 &ops a8a" from ;3an t&e securit" c&ec passes an P B is esta%lis&e? ;3# s% i/ 'g/ neig%'or > in$lude %o/s) > .xternal P neig&%or ma" %e up to 2 &ops a8a"? /onnection is ./N Disa%le> inimum incoming !!0 2<3> utgoing !!0 2<<

;<# s% run > 'egin'g/ router %gp 3$$ no s"nc&roniation neig&%or 12$?1$$?2?1 remote-as 1$ neig&%or 12$?1$$?2?1 e%gp-multi&op 2 neig&%or 12$?1$$?2?1 upate-source 0oop%ac$ neig&%or 12$?1$$?7?1 remote-as 3$$ neig&%or 12$?1$$?7?1 upate-source 0oop%ac$ neig&%or 12$?1$$?4 'eg'g/ router %gp 3$$ * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa "em$re 259 .etai&# /$r

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!#

no s"nc&roniation neig&%or P peer-group neig&%or P remote-as 3$$ neig&%or P upate-source 0oop%ac$ neig&%or 12$?1$$?4?1 remote-as 2$$ neig&%or 12$?1$$?4?1 e%gp-multi&op 2 neig&%or 12$?1$$?4?1 upate-source 0oop%ac$ neig&%or 12$?1$$?'egin 'g/ router %gp 3$$ no s"nc&roniation neig&%or P peer-group neig&%or P remote-as 3$$ neig&%or 12$?1$$?
E

AS()) is to be used as a backup transit network for traffic between AS*)) and AS2))@ as such if the +- network between -L and -( fails, ensure the peering between -( and -L is not maintained %ia the thernet network. =o not use any A!: type restrictions or change the e4isting peering. B( pointsC

As -( and -L peer to each other using their :oopback interfaces, the peering is maintained if the +rame -elay network between -( and -L fails. 4ample *#(3 shows the path taken between -L and -( when the +rame -elay interface is shut e'g/multi%o/count used in the down on -L. To break the peering without using A!:s, you simply need to ensure the srcinal peering is set at ( and no greater. 4ample *#(3 also shows the !$ debug with the TT: e4piration mes# sages, which indicate the peering will ha%efailed, e%en though there is $ connecti%ity between :oopbacks. f your ebg# multihop count is set at ( between -( and -L, you ha%e scored ( points. E%MPL 1624 e=P TTL pirati$n ;<(config)
s%ut

;<# tra$e 2..2. !"pe escape seAuence to a%ort?

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa "em$re 259 .etai&# /$r

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!10#

!racing t&e route to 12$?1$$?2?1 1 12$?1$$?4
E

!onfigure a new :oopback interface ( on -( of *2).*)).()).*5(3, and ad%ertise this into '7$ using the network command. !onfigure -( in such a way that if the +rame -elay connection between -( and -L fails, AS2)) no longer recei%es this route. =o not use any filtering between neighbors to achie%e this or neighbor#specific com# mands. B2 pointsC

f the peering between -( and -L fails, the new network route will flow from AS*)) to AS2)) %ia AS()) instead of flowing directly from AS*)) to AS2))@ as such a simple use of communities can be used to ensure the route is not e4# ported to AS()). >ou simply need to apply a no#e4port %alue to the route as it is ad%ertised on -( toward -2@ this way the route is not ad%ertised to AS()) if a failure occurs. Mnder normal conditions, AS()) would still see the route from AS2)). f you ha%e configured this correctly, as shown in 4ample *#(L, you ha%e scored points. 2 E%MPL 1625 '$ute %.(erti#ement an. n$6ep$rt C$n/i"urati$n '2 $n ;<# s% i/ 'g/ rigin coes' i - P> e - .P>  - incomplete Net8or Next 9op IYi13$?1$$?2$$?$,24 12$?1$$?4?1

etric 0ocPrf Weig&t Pat& $ 1$$ $ 2$$ 1$ i

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!1"#

;2(config)# inter#a$e)oo/'a$02 ;2(config-if)#

i/ address 3..2. 2--.2--.2--.

;2(config-if)#

router 'g/

;2(config-router)#

net&or0 3..2. mas0 2--.2--.2--.

;2(config-router)#

neig%'or 2..3. routema/ NEP+ out

;2(config-router)#

send$ommunit* neig%'or 2..3.

;2(config-router)#

e:it

;2(config)# a$$esslist - /ermit3..2.  ;2(config)# routema/ NEP+ /ermit

;2(config-route-map)#

mat$% i/ address-

;2(config-route-map)#

set $ommunit*noe:/ort

;2(config-route-map)#

routema/ NEP+ /ermit 2

;3# s% i/ 'g/3..2. P routing ta%le entr" for 13$?1$$?2$$?$,24> 6ersion 4 Pat&s' (1 a6aila%le> %est #1> ta%le Default-P-;outing-!a%le> not a6ertise .P peer)

to

56ertise to upate-groups' 2 0ocal> (;ecei6e from a ;;-client) 12$?1$$?2?1 (metric 7<) from 12$?1$$?2?1 (13$?1$$?2$$?1) rigin P> metric $> localpref 1$$> 6ali> internal> %est /ommunit"' no-export ;<# $on# t .nter configuration commans> one per line?

.n 8it& /N!0,@?

;<(config)# int s55 ;<(config-if)# s%ut ;<(config-if)#

AB

;<# s%o& i/'g/ ;<#

E

!onfigure HS-$ between -L and -N on F:A12)) with -L acti%e for .*5(3. f the network*2).*)).()).)5(3 is no longer %isible to AS2)), -N should dynamically become the HS-$ acti%e. !onfigure -L to achie%e this solu# tion. B3 pointsC

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!1'#

The clue is in the "uestion@ all you need to do is track the specific route with the $ S:A obect tracking feature and in# form the HS-$ process whether the '7$ route is withdrawn. >ou might feel that this isn6t strictly a'7$ "uestion, but because the &8S section has been remo%ed from the e4am, it is possible that topics and features such as this crop up within other sections, so it6sbest to be aware of as many features as possible. 'ecause the "uestion doesn6t specifically instruct you to configure an e4act $ address for your HS-$, you are free to use an unallocated $ address. -L shouldbe the HS-$ acti%e under normal conditions, so this should be configured with the /reem/t command to reinstate control when the route becomes %isible once again post withdrawal. Similarly, -N also re"uires /reem/t to take control when the priority of -L decrements.-L hasn6t been configured with a priority in this e4ample because it uses the default %alue of *)). 4ample *#(N shows the configuration and testing steps in%ol%ed to withdraw the route by shutting down the +rame -elay interface on -L and toggling the HS-$ functionality between -L and -N. f you ha%e configuredthis correctly, as shown in 4ample *#(N, you ha%e scored points. 3 E%MPL 162 -P SL% Trac0in" an. S'P C$n/i"urati$n $n '5 an. ' 2--.2--.2--.rea$%a'ilit* ;<(config)# tra$0 2 i/ route 3..2.

;<(config-trac)# inter#a$eGiga'itEt%ernet5 ;<(config-if)# stand'*  i/-..3. ;<(config-if)# stand'*  /reem/t 2 ;<(config-if)# stand'*  tra$0 2 de$rement

;7(config)# inter#a$eGiga'itEt%ernet5 ;7(config-if)#

stand'*  i/-..3.

;7(config-if)#

stand'*  /riorit*9

;7(config-if)#

stand'* /reem/t

;<# s% stand'* giga'itEt%ernet 5 iga%it.t&ernet$,1 - roup 1 State is 5cti6e 23 state c&anges> last state c&ange $$'2$'11 Virtual P aress is 1<$?1$$?3?1 5cti6e 6irtual 5/ aress is $$$$?$c$=?ac$1 0ocal 6irtual 5/ aress is $$$$?$c$=?ac$1 (61 efault) 9ello time 3 sec> &ol time 1$ sec Next &ello sent in $?47$ secs * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa "em$re 259 .etai&# /$r

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!1+#

Preemption ena%le 5cti6e router is local Stan%" router is 1<$?1$$?3?7> priorit" $ (expires in :?4=2 sec) Priorit" 1$$ (efault 1$$) !rac o%Eect 2 state *p ecrement 2$ P reunanc" name is L&srp-i$,1-1L (efault) ;<# ;<# $on# t ;<(config)# int s55 ;<(config-if)# s%ut ;<(config-if)#

;<#HP-3-N!+/5!N' sent to neig&%or 12$?1$$?2?1 4,$ (&ol time expire) $ %"tes ;<#H9S;P-7-S!5!./95N.' iga%it.t&ernet$,1 rp 1 state 5cti6e -Y Spea ;<#H9S;P-7-S!5!./95N.' iga%it.t&ernet$,1 rp 1 state Spea -Y Stan%" ;<# s% stand'* giga'itEt%ernet 5 iga%it.t&ernet$,1 - roup 1 State is Stan%" 2< state c&anges> last state c&ange $$'$$'1$ Virtual P aress is 1<$?1$$?3?1 5cti6e 6irtual 5/ aress is $$$$?$c$=?ac$1 0ocal 6irtual 5/ aress is $$$$?$c$=?ac$1 (61 efault) 9ello time 3 sec> &ol time 1$ sec Next &ello sent in 1?::$ secs Preemption ena%le 5cti6e router is 1<$?1$$?3?7> priorit" $ (expires in :?:$ sec) Stan%" router is local Priorit" :$ (efault 1$$) !rac o%Eect 2 state Do8n ecrement 2$ P reunanc" name is L&srp-i$,1-1L (efault)

E

!onfigure two new :oopback interfaces on -* and -( of*(N.*.*.*5(3 and *2).*.*.*5(3, respecti%ely, and ad%er# tise these into '7$ using the net&or0 command. -2 should be configured to enable only '7$ routes srcinated from -* up to network *(/.).).) and from abo%e network *(/.).).) srcinated from -(. Mse only a single A!: on -2 as part of your solution. B2 pointsC

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!14#

This is "uite an intricate "uestion because you are permitted to use only a single A!: to filter the routes on -2. The method in which you achie%e this is to use an A!: that matches networks up to *(/.).).) and permits this through one route#map while denying through a separate route#map. The route#maps should be applied on a per#neighbor basis, and both call up the same single A!:. 4ample *#(9 shows the configuration for the new :oopbacks on -* and -(and the filtering on -2. +urther testing is detailed in 4ample *#(/ to substantiate the filtering process on -2. f you ha%e con# figured this correctly, as shown in 4ample *#(9, you ha%e scored 2 points. E%MPL 1627 '$ute6Map ;i&terin" $n'3 ;1(config)# inter#a$e)oo/'a$0 ;1(config-if)#

i/ address 2...2--.2--.2--.

;1(config-if)#

router 'g/

;1(config-router)#

net&or0 2... mas0 2--.2--.2--.

;2(config)# inter#a$e)oo/'a$0 ;2(config-if)#

i/ address 3...2--.2--.2--.

;2(config-if)#

router 'g/

;2(config-router)#

2--.2--.2--. net&or0 3... mas0

27.2--.2--.2-;3(config)# a$$esslist  /ermit ...  ;3(config)# routema/ FP28 /ermit

;3(config-route-map)#

mat$% i/ add

 ;3(config)# routema/ ("E28 /ermit

;3(config-route-map)#

mat$% i/ add

;3(config-route-map)#

routema/ ("E28 /ermit 2

;3(config)# router 'g/ ;3(config-router)#

in neig%'or 2... routema/ FP28

;3(config-router)#

neig%'or 2..2. routema/ ("E28 in

;3# s% i/ 'g/ P ta%le 6ersion is :> local router D is12$?1$$?3?1 Status coes' s suppresse>  ampe> & &istor"> I6ali> Y %est> i - internal> r ;-failure> S Stale rigin coes' i - P> e - .P>  - incomplete

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

Next Net8or IYi127?1?1?$,24 IYi13$?1?1?$,24 IYi13$?1$$?2$$?$,24 ;3#

NT This additional testing configuration is not pre# sent on the supplied, final configuration.

9op 12$?1$$?1?1 12$?1$$?2?1 12$?1$$?2?1

etric 0ocPrf Weig&t $ 1$$ $ 1$$ $ 1$$

!1#

Pat& $ i $ i $ i

+urther testing of the filtering re"uires additional interfaces to be configured and ad%ertised on -* and -(.4ample *#(/ shows an interface higher than *(/.).).) ad%ertised on -* and one lower ad%ertised on -(@ -2 simply blocks these from entering '7$. E%MPL 162@ '$ute6Map ;i&terin"Veri/icati$n ;1(config)# inter#a$e)oo/'a$03 ;1(config-if)#

i/ address 32... 2--.2--.2--.

;1(config-if)#

router 'g/

;1(config-router)#

net&or0 32... mas0 2--.2--.2--.

;1(config-router)#

AB

adertised ;1# s% i/ 'g/ neig%'ors 2..3. P ta%le 6ersion is => local router D is127?1?1?1 Status coes' s suppresse>  ampe> & &istor"> I6ali> Y %est> i - internal> r ;-failure> S Stale rigin coes' i - P> e - .P>  - incomplete

Net8or IY 127?1?1?$,24 IY 132?1?1?$,24

Next 9op $?$?$?$ $?$?$?$

etric 0ocPrf Weig&t Pat& $ 32=7: i $ 32=7: i

!otal num%er of prefixes 2 ;3# s% i/ 'g/ P ta%le 6ersion is 4> local router D is12$?1$$?3?1 Status coes' s suppresse>  ampe> & &istor"> I6ali> Y %est> i - internal> r ;-failure> S Stale rigin coes' i - P> e - .P>  - incomplete Net8or IYi127?1?1?$,24 IYi13$?1?1?$,24 IYi13$?1$$?2$$?$,24

Next 9op 12$?1$$?1?1 12$?1$$?2?1 12$?1$$?2?1

$

etric 0ocPrf Weig&t Pat& $ 1$$ $ i $ 1$$ $ i 1$$ $ i

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!11#

;2# $on# t ;2(config)# int )oo/'a$03 ;2(config-if)#

i/ add ...2--.2--.2--.

;2(config-if)#

router 'g/

;2(config-router)#

2--.2--.2--. net&or0 ... mas0

;2(config-router)#

AB

;2# s% i/ 'g/ neig%'or 2..3. adertised P ta%le 6ersion is <> local router D is13$?1$$?2$$?1 Status coes' s suppresse>  ampe> & &istor"> I6ali> Y %est> i - internal> r ;-failure> S Stale rigin coes' i - P> e - .P>  - incomplete Net8or Next 9op IY 1$$?1?1?$,24 $?$?$?$ IY 13$?1?1?$,24 $?$?$?$ IY 13$?1$$?2$$?$,24 $?$?$?$

etric 0ocPrf Weig&t Pat& $ 32=7: i $ 32=7: i $ 32=7: i

!otal num%er of prefixes 3 ;3# s% i/ 'g/ P ta%le 6ersion is 4> local router D is12$?1$$?3?1 Status coes' s suppresse>  ampe> & &istor"> I6ali> Y %est> i - internal> r ;-failure> S Stale rigin coes' i - P> e - .P>  - incomplete Next 9op Net8or IYi127?1?1?$,24 12$?1$$?1?1 IYi13$?1?1?$,24 12$?1$$?2?1 IYi13$?1$$?2$$?$,24 12$?1$$?2?1

etric 0ocPrf Weig&t $ 1$$ $ i $ 1$$ $ i $ 1$$ $ i

Pat&

Secti$n 4> -P( ?14 P$int#A The prere"uisite to the "uestions is configuration of the $%N addresses and +rame -elay. >ou should test your $%N connecti%ity to ensure you are ready to progress to the routing "uestions. >ou will of course need +rame -elay maps to achie%e connecti%ity. Mnlike $%3, though, you will need two maps, one to reach the $%N remote address o%er the $F! and one to map to the remote :ink :ocal addresses. 4ample *#( shows the initial testing o%er +rame -elay and

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!12#

re"uired $%N configuration to progress to the routing "uestions. !onsider using the s%o& i/ inter#a$es 'rie# command for a "uick check of your interface configuration. E%MPL 1629 -P( Te#tin" an. -nitia&C$n/i"urati$n ;1# de'ug #ramerela*/a$0et +rame ;ela" pacet e%ugging is on ;1# /ing i/27!C-!C!!!3 !"pe escape seAuence to a%ort? Sening <> 1$$-%"te /P .c&os to 2$$='/1<'/$'11''3>

timeout is 2

secons'

Serial$,$,$'.ncaps faile--no map entr" lin =(PV7) ;1# $on# t ;1(config)# int s55 ;1(config-if)#

'road$ast #ramerela* ma/ i/ 27!C-!C!!!3 3

;1(config-if)# ;1#

AB

;3# $on# t ;3(config)# int s55 ;3(config-if)#

'road$ast #ramerela* ma/ i/ 27!C-!C!!! 3

;3(config-if)#

AB

;1# /ing i/27!C-!C!!!3 !"pe escape seAuence to a%ort? Sening <> 1$$-%"te /P .c&os to 2$$='/1<'/$'11''3> timeout is 2 secons' BBBBB Success rate is 1$$ percent (<,<)> roun-trip min,a6g,max C 4,4,4 ms ;1#

lin0lo$al ;3# s% i/ int s55 > in$lude P67 is ena%le> lin-local aress is +.:$''214'75++'+.+/'=3$ No Virtual lin-local aress(es)' ;3#

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!13#

lin0lo$al ;1# s% i/ inter#a$e s55 > in$lude P67 is ena%le> lin-local aress is +.:$''213'/3++'+.='.3/$ No Virtual lin-local aress(es)' ;1# lin0lo$al ;2# s% i/ inter#a$e s5 > in$lude P67 is ena%le> lin-local aress is +.:$''213'=+++'+.:4'..$ No Virtual lin-local aress(es)'

;2# s% i/ inter#a$es5 > in$ludelin0lo$al P67 is ena%le> lin-local aress is +.:$''213'=+++'+.:4'..$ No Virtual lin-local aress(es)' ;2# lin0lo$al ;<# s% i/ inter#a$e s55 > in$lude P67 is ena%le> lin-local aress is +.:$''214'75++'+.+/'+13$ No Virtual lin-local aress(es)' ;<#

;1(config)# i/ uni$astrouting ;1(config)# inter#a$e giga'itEt%ernet 5 ;1(config-if)#

i/ address 27!C-!C!!!54

;1(config-if)#

inter#a$eerial55

;1(config-if)#

i/ address 27!C-!C!!!54

;1(config-if)#

#ramerela* ma/ i/ 27!C-!C!!!3 3 'road$ast

;1(config-if)# #ramerela* ma/i/ 27!C-!C!!!2 3 'road$ast ;1(config-if)# #ramerela*ma/ i/ 6E8!!23!7666!6E84!"EE 3 'road$ast ;1(config-if)# #ramerela* ma/i/ 6E8!!24!(66!6E6C!739 3 'road$ast

;2(config)# i/ uni$astrouting ;2(config)# inter#a$e #astEt%ernet 5 ;2(config-if)#

i/ address 27!C-!C!2!!254

;2(config-if)#

inter#a$e serial5

;2(config-if)#

i/ address 27!C-!C!!!254

;2(config-if)#

#ramerela* ma/ i/ 27!C-!C!!! 23 'road$ast

;2(config-if)# #ramerela* ma/i/ 27!C-!C!!!3 23 'road$ast ;2(config-if)# #ramerela* ma/ i/ 27!C-!C!!!2 23 'road$ast 23 ;2(config-if)# #ramerela* ma/ i/ 6E8!!23!C366!6E7"!E3C 'road$ast * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

;2(config-if)#

#ramerela* ma/ i/ 6E8!!24!(66!6E6C!739 'road$ast 23

;2(config-if)#

inter#a$e serial5

;2(config-if)#

i/ address 27!C-!C!4!!254

;2(config-if)#

#ramerela* ma/ i/ 6E8!!24!(66!6E6C!63 'road$ast 2-

;2(config-if)#

'road$ast #ramerela* ma/ i/ 27!C-!C!4!!- 2-

!1#

;3(config)# i/ uni$astrouting ;3(config)# inter#a$e giga'itEt%ernet 5 ;3(config-if)#

i/ address 27!C-!C!-!!354

;3(config-if)#

inter#a$e serial55

;3(config-if)#

i/ address 27!C-!C!!!354

;3(config-if)#

#ramerela* ma/ i/ 27!C-!C!!! 3 'road$ast

;3(config-if)#

'road$ast #ramerela* ma/ i/ 27!C-!C!!!2 32

;4(config)# i/ uni$astrouting 5 ;4(config)# inter#a$e giga'itEt%ernet

;4(config-if)#

i/ address 27!C-!C!-!!454

;<(config)# i/ uni$astrouting 5 ;<(config)# inter#a$e giga'itEt%ernet

;<(config)# i/ address27!C-!C!!!-54 ;<(config-if)#

inter#a$eerial55

;<(config-if)#

i/ address 27!C-!C!4!!-54

;<(config-if)#

#ramerela* ma/ i/ 27!C-!C!4!!2 -2 'road$ast

;<(config-if)#

#ramerela* ma/ i/ 6E8!!23!7666!6E84!"EE 'road$ast -2

;7(config)# i/ uni$astrouting 5 ;7(config)# inter#a$e giga'itEt%ernet

;7(config-if)#

i/ address 27!C-!C!!!54

Secti$n 41> '-Pn" E

!onfigure -$ng ensuring your $%N routes are %isible throughout your -$ng domain. =o not disable split# horizon. B2 pointsC * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!20#

-2 by default has split horizon enabled on the +rame -elay interface@ the hub recei%es both -* and -( thernet associ# ated &$%N routes but because of split#horizon will not ad%ertise these back out onto the same interface. As you are not permitted to disable split#horizon, you will need to create a tunnel between -* and -(. 4ample *#2) shows the initial -$ng configuration and routing tables of -* and -( without each other
i/ ri/ CCIEena'le

;1(config-if)#

inter#a$eerial55

;1(config-if)#

i/ ri/ CCIEena'le

;2(config)# inter#a$e #astEt%ernet 5 ;2(config-if)#

i/ ri/ CCIEena'le

;2(config-if)#

inter#a$e serial5

;2(config-if)#

i/ ri/ CCIEena'le

;2(config-if)# ;2(config-if)#

inter#a$e serial5 i/ ri/ CCIEena'le

;3(config)# inter#a$e giga'itEt%ernet 5 ;3(config-if)#

i/ ri/ CCIEena'le

;3(config-if)#

inter#a$e serial55

;3(config-if)#

i/ ri/ CCIEena'le

5 ;4(config)# inter#a$e giga'itEt%ernet

;4(config-if)#

i/ ri/ CCIEena'le

;<(config)# inter#a$e erial55 ;<(config-if)#

i/ ri/ CCIEena'le

;1# s%o& i/ routeri/ P67 ;outing !a%le - 1$ entries /oes' / - /onnecte> 0 - 0ocal> S - Static> ; - ;P>  P * - Per-user Static route 1 - SS 01> 2 - SS 02> 5 - SS interarea> S - SS summar"  - SP+ intra>  - SP+ inter> .1 - SP+ ext 1> .2 - SP+ ext2

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa "em$re 259 .etai&# /$r

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

;

!2"#

N1 - SP+ NSS5 ext 1> N2 - SP+ NSS5 ext2 D - .;P> .M - .;P external 2$$='/1<'/$'1<'',74 F12$,2G 6ia +.:$''214'75++'+.+/'=3$> Serial$,$,$

;2# s%o& i/ routeri/ P67 ;outing !a%le - 1$ entries /oes' / - /onnecte> 0 - 0ocal> S - Static> ; - ;P>  P * - Per-user Static route 1 - SS 01> 2 - SS 02> 5 - SS interarea> S - SS summar"  - SP+ intra>  - SP+ inter> .1 - SP+ ext 1> .2 - SP+ ext2 N1 - SP+ NSS5 ext 1> N2 - SP+ NSS5 ext2 D - .;P> .M - .;P external ; 2$$='/1<'/$'1<'',74 F12$,2G 6ia +.:$''214'75++'+.+/'=3$> Serial$,$ ;3# s%o& i/ routeri/ P67 ;outing !a%le - 1$ entries /oes' / - /onnecte> 0 - 0ocal> S - Static> ; - ;P>  P * - Per-user Static route 1 - SS 01> 2 - SS 02> 5 - SS interarea> S - SS summar"  - SP+ intra>  - SP+ inter> .1 - SP+ ext 1> .2 - SP+ ext2 N1 - SP+ NSS5 ext 1> N2 - SP+ NSS5 ext2 D - .;P> .M - .;P external ; 2$$='/1<'/$'1$'',74 F12$,2G 6ia +.:$''213'/3++'+.='.3/$> Serial$,$,$ ; 2$$='/1<'/$'12'',74 F12$,2G 6ia +.:$''213'=+++'+.:4'..$> Serial$,$,$ ;1(config)# inter#a$eunnel ;1(config-if)#

i/ address 27!C-!C!3!!54

;1(config-if)#

i/ ri/ CCIEena'le

;1(config-if)#

tunnel sour$eerial55

;1(config-if)#

tunnel destination2..23.2

;1(config-if)#

tunnel modei/i/

;2(config)# inter#a$eunnel ;2(config-if)#

i/ address 27!C-!C!3!!254

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

;2(config-if)#

i/ ri/ CCIEena'le

;2(config-if)#

tunnel sour$eerial5

;2(config-if)#

tunnel destination2..23.

;2(config-if)#

tunnel modei/i/

!2'#

;1# s%o& i/ routeri/ P67 ;outing !a%le - 11 entries /oes' / - /onnecte> 0 - 0ocal> S - Static> ; - ;P>  P * - Per-user Static route 1 - SS 01> 2 - SS 02> 5 - SS interarea> S - SS summar"  - SP+ intra>  - SP+ inter> .1 - SP+ ext 1> .2 - SP+ ext2 N1 - SP+ NSS5 ext 1> N2 - SP+ NSS5 ext2 D - .;P> .M - .;P external ; 2$$='/1<'/$'12'',74 F12$,2G 6ia +.:$''=:74'=$2> !unnel1 ; 2$$='/1<'/$'14'',74 F12$,2G 6ia +.:$''=:74'=$2> !unnel1 2$$='/1<'/$'1<'',74 F12$,2G ; 6ia

+.:$''214'75++'+.+/'=3$> Serial$,$,$

;2# s%o& i/ routeri/ P67 ;outing !a%le - 13 entries /oes' / - /onnecte> 0 - 0ocal> S - Static> ; - ;P>  P * - Per-user Static route 1 - SS 01> 2 - SS 02> 5 - SS interarea> S - SS summar"  - SP+ intra>  - SP+ inter> .1 - SP+ ext 1> .2 - SP+ ext2 N1 - SP+ NSS5 ext 1> N2 - SP+ NSS5 ext2 D - .;P> .M - .;P external ; 2$$='/1<'/$'1$'',74 F12$,2G 6ia +.:$''=:74'=$1> !unnel1 ; 2$$='/1<'/$'1<'',74 F12$,2G 6ia +.:$''214'75++'+.+/'=3$> Serial$,$

Secti$n 42> SP;(3 E

!onfigure 8S$+%2 with a process = of * with all 8S$+ interfaces assigned to area ). B( pointsC.

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!2+#

This is a clear#cut 8S$+%2 configuration. f you ha%e configured this correctly, as shown in 4ample *#2*, you ha%e scored ( points. E%MPL 1631 '5 an. ' SP;(3C$n/i"urati$n ;<(config)# inter#a$e giga'itEt%ernet 5 ;<(config-if)#

i/ os/#  area

5 ;7(config)# inter#a$e giga'itEt%ernet

;7(config-if)#

i/ os/#  area

;<# s%o& i/ os/#neig%'or Neig&%or D 12$?1$$?7?1

Pri 1

State +*00,D;

Dea !ime $$'$$'3$

nterface D 3

nterface iga%it.t&ernet$,1

;7# s%o& i/ os/#neig%'or Neig&%or D 12$?1$$?
E

Pri 1

State +*00,D;

Dea !ime $$'$$'3

nterface D 3

nterface iga%it.t&ernet$,1

The $%N network is deemed to be stable@ as such, reduce the number of :SAs flooded within the 8S$+ domain. B( pointsC

To suppress the unnecessary flooding of link#state ad%ertisements in stable topologies, the i/ os/# #loodredu$tion command is re"uired under interface configuration mode. f you ha%e configured this correctly, as shown in4ample*# 2(, you ha%e scored (points. E%MPL 1632 '5 an. ' ;&$$.6'e.ucti$n C$n/i"urati$n ;<(config)# inter#a$e giga'itEt%ernet 5 ;<(config-if)#

i/ os/##loodredu$tion

;7(config)# inter#a$e giga'itEt%ernet 5 ;7(config-if)#

i/ os/##loodredu$tion

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!24#

Secti$n 43> 'e.i#tributi$n E

-edistribute -$ng routes into the 8S$+%2 demand Bone wayC@ -$ routes should ha%e a fi4ed cost of L))) asso# ciated to them within the 8S$+ network. B* pointC

As per %anilla 8S$+, the default beha%ior for 8S$+%2 is for redistributed routes to be ad%ertised with a fi4ed cost as type ( e4ternal routes, so a simple redistribution configuration with a default#metric of L))) on -L is re"uired. 4ample *#22 shows the re"uired configuration and routing table on -N for the redistributed -$ng routes. $ay attention to ensure you ha%e full route %isibility because the +rame -elay network on -L B())9D!*LD!)D*3DDC will not be present within the 8S$+%2 domain unless-L specifically redistributes its own connected interfaces. f you ha%e configured this correctly, as shown in 4ample *#22, youha%e scored * point. E%MPL 1633 '5 SP;(3 'e.i#tributi$n C$n/i"urati$n ;<(config)# i/ router os/# ;<(config-router)#

- redistri'ute ri/ CCIE metri$

;7# s% i/ routeos/# P67 ;outing !a%le - 1$ entries /oes' / - /onnecte> 0 - 0ocal> S - Static> ; - ;P>  P * - Per-user Static route 1 - SS 01> 2 - SS 02> 5 - SS interarea> S - SS summar"  - SP+ intra>  - SP+ inter> .1 - SP+ ext 1> .2 - SP+ ext2 N1 - SP+ NSS5 ext 1> N2 - SP+ NSS5 ext2 D - .;P> .M - .;P external .2 2$$='/1<'/$'1$'',74 F11$,<$$$G 6ia +.:$''214'75++'+.+/'+131> iga%it.t&ernet$,1 .2 2$$='/1<'/$'11'',74 F11$,<$$$G 6ia +.:$''214'75++'+.+/'+131> iga%it.t&ernet$,1 .2 2$$='/1<'/$'12'',74 F11$,<$$$G 6ia +.:$''214'75++'+.+/'+131> iga%it.t&ernet$,1 .2 2$$='/1<'/$'13'',74 F11$,<$$$G 6ia +.:$''214'75++'+.+/'+131> iga%it.t&ernet$,1 .2 2$$='/1<'/$'1<'',74 F11$,<$$$G 6ia +.:$''214'75++'+.+/'+131> iga%it.t&ernet$,1 ;<(config)# i/ router os/# ;<(config-rtr)#

in$lude$onne$ted redistri'ute ri/ CCIE metri$ -

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!2#

;7# s%o& i/ route27!C-!C!4!! P67 ;outing !a%le - 1$ entries /oes' / - /onnecte> 0 - 0ocal> S - Static> ; - ;P>  P * - Per-user Static route 1 - SS 01> 2 - SS 02> 5 - SS interarea> S - SS summar"  - SP+ intra>  - SP+ inter> .1 - SP+ ext 1> .2 - SP+ ext2 N1 - SP+ NSS5 ext 1> N2 - SP+ NSS5 ext2 D - .;P> .M - .;P external .2 2$$='/1<'/$'14'',74 F11$,<$$$G 6ia +.:$''214'75++'+.+/'+131> iga%it.t&ernet$,1

E

nsure the 8S$+2 network is reachable from the -$ network by a single route of ())9DD5*N, which should be seen within the -$ domain. !onfigure -L only to achie%e this. The 8S$+ domain should continue to recei%e specific -$ng subnets. B( pointsC

As you are not mutually redistributing protocols, you are re"uired to configure an $%N summary route into the -$ng domain on -L to pro%ide full connecti%ity from the -$ng domain into 8S$+%2. f you ha%e configured this correctly, as shown in 4ample *#23, you ha%e scored (points. E%MPL 1634 '5 '-Pn" Summary C$n/i"urati$n an. C$nnecti(ity Te#tin" ;<(config-if)#

int s55

;<(config-if)#

i/ ri/ CCIE summar*address 27!!5

;1# s%o& i/ routeri/ P67 ;outing !a%le - 13 entries ; 2$$='',17 F12$,3G 6ia +.:$''213'=+++'+.:4'..$> ; 2$$='/1<'/$'12'',74 F12$,2G 6ia +.:$''213'=+++'+.:4'..$> ; 2$$='/1<'/$'14'',74 F12$,2G 6ia +.:$''213'=+++'+.:4'..$> ; 2$$='/1<'/$'1<'',74 F12$,2G 6ia +.:$''214'75++'+.+/'=3$> ;1#

!unnel1 !unnel1 !unnel1 Serial$,$,$

;1# /ing i/27!C-!C!!!!"pe escape seAuence to a%ort? Sening <> 1$$-%"te /P .c&os to 2$$='/1<'/$'17''<>

timeout is 2

secons'

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!21#

BBBBB Success rate is 1$$ percent (<,<)> roun-trip min,a6g,max C 12,12,17 ms ;1# /ing i/27!C-!C!!! !"pe escape seAuence to a%ort? Sening <> 1$$-%"te /P .c&os to 2$$='/1<'/$'17''7> timeout is 2 secons' BBBBB Success rate is 1$$ percent (<,<)> roun-trip min,a6g,max C 12,1<,17 ms

E

nsure if the serial link fails between the 8S$+ and -$ng domain that routing is still possible between -L and -3 o%er F:A13L. =o not enable -$ on the F:A13L interfaces of -3 and -LPconfigure -3 and -L to achie%e this, and this should be considered as an alternati%e path only if a failure occurs. B2 pointsC

-3 and -L both belong to the -$ng domain. f you can6t enable -$ng on the F:A13L interfaces, all you can do is cre# ate a tunnel between the de%ices. >ou might ha%e considered enabling 8S$+%2 between routers, but you ha%e not been gi%en sufficient information to perform this, and it would then create additional problems in terms of redistribution points. 4ample *#2L showsthe re"uired configuration to tunnel $%N through $%3 on -3and -L. >ou shouldnotice that certain routes will ha%e a lower hop count through the tunnel as opposed to through the physical -$ng network. The "uestion states that the newly configured link should be used only if a failure occurs. As such, you need to penalize the tunnel by use of an o##setlist applied directly to the tunnel interface of -3 and -L. -L will still recei%e the summary 5*N route configured earlier %ia the tunnel regardless of how high you set the hop count. The following "uestion ad# dresses this condition. f you ha%e configured this correctly, as shown in 4ample *#2L, you ha%e scored points. 2 E%MPL 1635 '4 an. '5 Tunne& C$n/i"urati$n an. Veri/icati$n ;4(config)# inter#a$eunnel ;4(config-if)#

i/ address 27!C-!C!7!!454

;4(config-if)#

i/ ri/ CCIEena'le

;4(config-if)#

tunnel sour$eGiga'itEt%ernet5.4-

;4(config-if)#

tunnel destination2..4-.-

;4(config-if)#

tunnel modei/i/

;<(config)# inter#a$eunnel ;<(config-if)#

i/ address 27!C-!C!7!!-54

;<(config-if)#

i/ ri/ CCIEena'le

;<(config-if)#

tunnel sour$eGiga'itEt%ernet5

;<(config-if)#

tunnel destination2..4-.4

;<(config-if)#

tunnel modei/i/

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa "em$re 259 .etai&# /$r

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!22#

;4# s%o& i/ routeri/ P67 ;outing !a%le - 12 entries /oes' / - /onnecte> 0 - 0ocal> S - Static> ; - ;P>  P * - Per-user Static route 1 - SS 01> 2 - SS 02> 5 - SS interarea> S - SS summar"  - SP+ intra>  - SP+ inter> .1 - SP+ ext 1> .2 - SP+ ext2 N1 - SP+ NSS5 ext 1> N2 - SP+ NSS5 ext2 D - .;P> .M - .;P external ; 2$$='',17 F12$,4G 6ia +.:$''214'75++'+.+/'=3$> iga%it.t&ernet$,$ ; 2$$='/1<'/$'1$'',74 F12$,3G 6ia +.:$''214'75++'+.+/'=3$> iga%it.t&ernet$,$ ; 2$$='/1<'/$'11'',74 F12$,2G 6ia +.:$''214'75++'+.+/'=3$> iga%it.t&ernet$,$ ; 2$$='/1<'/$'12'',74 F12$,3G 6ia +.:$''214'75++'+.+/'=3$> iga%it.t&ernet$,$ 6ia +.:$''=:74'2D$<> !unnel$ ; 2$$='/1<'/$'13'',74 F12$,3G

;

6ia +.:$''214'75++'+.+/'=3$> iga%it.t&ernet$,$ 6ia +.:$''=:74'2D$<> !unnel$ 2$$='/1<'/$'14'',74 F12$,2G 6ia +.:$''=:74'2D$<> !unnel$

;<# s%o& i/ routeri/ P67 ;outing !a%le - 14 entries /oes' / - /onnecte> 0 - 0ocal> S - Static> ; - ;P>  P * - Per-user Static route 1 - SS 01> 2 - SS 02> 5 - SS interarea> S - SS summar"  - SP+ intra>  - SP+ inter> .1 - SP+ ext 1> .2 - SP+ ext2 N1 - SP+ NSS5 ext 1> N2 - SP+ NSS5 ext2 D - .;P> .M - .;P external ; 2$$='',17 F12$, !unnel$ ; 2$$='/1<'/$'1$'',74 F12$,3G 6ia +.:$''213'=+++'+.:4'..$> Serial$,$,1 ; 2$$='/1<'/$'11'',74 F12$,2G 6ia +.:$''213'=+++'+.:4'..$> Serial$,$,1 ; 2$$='/1<'/$'12'',74 F12$,2G 6ia +.:$''213'=+++'+.:4'..$> Serial$,$,1 * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

; ;

!23#

2$$='/1<'/$'13'',74 F12$,2G 6ia +.:$''213'=+++'+.:4'..$> Serial$,$,1 2$$='/1<'/$'1<'',74 F12$,2G 6ia +.:$''=:74'2D$4> !unnel$

;<(config)# inter#a$eunnel ;<(config-if)#

i/ ri/ CCIE metri$o##set 4

;<(config-if)# do s%o& i/ routeri/ P67 ;outing !a%le - 14 entries /oes' / - /onnecte> 0 - 0ocal> S - Static> ; - ;P>  P * - Per-user Static route 1 - SS 01> 2 - SS 02> 5 - SS interarea> S - SS summar"  - SP+ intra>  - SP+ inter> .1 - SP+ ext 1> .2 - SP+ ext2 N1 - SP+ NSS5 ext 1> N2 - SP+ NSS5 ext2 D - .;P> .M - .;P external ; 2$$='',17 F12$,:G 6ia +.:$''=:74'2D$4> !unnel$ ; 2$$='/1<'/$'1$'',74 F12$,3G 6ia +.:$''213'=+++'+.:4'..$> Serial$,$,1 ; ; ; ;

2$$='/1<'/$'11'',74 F12$,2G 6ia +.:$''213'=+++'+.:4'..$> 2$$='/1<'/$'12'',74 F12$,2G 6ia +.:$''213'=+++'+.:4'..$> 2$$='/1<'/$'13'',74 F12$,2G 6ia +.:$''213'=+++'+.:4'..$> 2$$='/1<'/$'1<'',74 F12$,3G 6ia +.:$''213'=+++'+.:4'..$>

Serial$,$,1 Serial$,$,1 Serial$,$,1 Serial$,$,1

;4(config)# inter#a$eunnel ;4(config-if)#

4 i/ ri/ CCIE metri$o##set

;4(config-if)# do s%o& i/ routeri/ P67 ;outing !a%le - 12 entries /oes' / - /onnecte> 0 - 0ocal> S - Static> ; - ;P>  P * - Per-user Static route 1 - SS 01> 2 - SS 02> 5 - SS interarea> S - SS summar"  - SP+ intra>  - SP+ inter> .1 - SP+ ext 1> .2 - SP+ ext2 N1 - SP+ NSS5 ext 1> N2 - SP+ NSS5 ext2 D - .;P> .M - .;P external ; 2$$='',17 F12$,4G 6ia +.:$''214'75++'+.+/'=3$> iga%it.t&ernet$,$ * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

; ; ; ; ;

E

2$$='/1<'/$'1$'',74 F12$,3G 6ia +.:$''214'75++'+.+/'=3$> 2$$='/1<'/$'11'',74 F12$,2G 6ia +.:$''214'75++'+.+/'=3$> 2$$='/1<'/$'12'',74 F12$,3G 6ia +.:$''214'75++'+.+/'=3$> 2$$='/1<'/$'13'',74 F12$,3G 6ia +.:$''214'75++'+.+/'=3$> 2$$='/1<'/$'14'',74 F12$,3G 6ia +.:$''214'75++'+.+/'=3$>

!2#

iga%it.t&ernet$,$ iga%it.t&ernet$,$ iga%it.t&ernet$,$ iga%it.t&ernet$,$ iga%it.t&ernet$,$

nsure that the summary route configured pre%iously is not seen back on the routing table of -L. !onfigure only -L to achie%e this. B* pointC

As briefly discussed in the pre%ious "uestion, the summary route will return to -L through the newly created tunnel in# terface. This is e4pected beha%ior because of the method in which it was srcinally ad%ertised. A simple /re#i:list is re# "uired on -L to denythe summary and permit all other routes entering the tunnel interface. f you ha%e configured this correctly, as shown in 4ample *#2N, you ha%e scored 2 points. E%MPL 163 '5 !i#tribute6&i#t C$n/i"urati$n an. Veri/icati$n ;<# s%o& i/ routeri/ P67 ;outing !a%le - 14 entries /oes' / - /onnecte> 0 - 0ocal> S - Static> ; - ;P>  P * - Per-user Static route 1 - SS 01> 2 - SS 02> 5 - SS interarea> S - SS summar"  - SP+ intra>  - SP+ inter> .1 - SP+ ext 1> .2 - SP+ ext2 N1 - SP+ NSS5 ext 1> N2 - SP+ NSS5 ext2 D - .;P> .M - .;P external ; 2$$='',17 F12$,:G 6ia +.:$''=:74'2D$4> !unnel$ ; 2$$='/1<'/$'1$'',74 F12$,3G 6ia +.:$''213'=+++'+.:4'..$> Serial$,$,1 ; 2$$='/1<'/$'11'',74 F12$,2G 6ia +.:$''213'=+++'+.:4'..$> Serial$,$,1 ; 2$$='/1<'/$'12'',74 F12$,2G 6ia +.:$''213'=+++'+.:4'..$> Serial$,$,1 ; 2$$='/1<'/$'13'',74 F12$,2G 6ia +.:$''213'=+++'+.:4'..$> Serial$,$,1 ; 2$$='/1<'/$'1<'',74 F12$,3G * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

6ia

!30#

+.:$''213'=+++'+.:4'..$> Serial$,$,1

;<(config)# i/ /re#i:list")CFMM(+Hse  den*27!!5 28 ;<(config)# i/ /re#i:list ")CFMM(+H se - /ermit !!5 le

;<(config)# i/ router ri/CCIE ;<(config-router)#

distri'utelist /re#i:list ")CFMM(+Hunnel in

;<(config-router)# do s%o& i/ routeri/ P67 ;outing !a%le - 13 entries /oes' / - /onnecte> 0 - 0ocal> S - Static> ; - ;P>  P * - Per-user Static route 1 - SS 01> 2 - SS 02> 5 - SS interarea> S - SS summar"  - SP+ intra>  - SP+ inter> .1 - SP+ ext 1> .2 - SP+ ext2 N1 - SP+ NSS5 ext 1> N2 - SP+ NSS5 ext2 D - .;P> .M - .;P external ; 2$$='/1<'/$'1$'',74 F12$,3G 6ia +.:$''213'=+++'+.:4'..$> Serial$,$,1 ; 2$$='/1<'/$'11'',74 F12$,2G 6ia +.:$''213'=+++'+.:4'..$> Serial$,$,1 ; 2$$='/1<'/$'12'',74 F12$,2G ; ;

6ia +.:$''213'=+++'+.:4'..$> Serial$,$,1 2$$='/1<'/$'13'',74 F12$,2G 6ia +.:$''213'=+++'+.:4'..$> Serial$,$,1 2$$='/1<'/$'1<'',74 F12$,3G 6ia +.:$''213'=+++'+.:4'..$> Serial$,$,1

Secti$n 5> B$S ?@ P$int#A E

>ou are re"uired to configure QoS on Switch* according to the !isco QoS baseline model. !r eate aodular QoS configuration for all user ports B+ast thernet *#(3C that facilitates the following re"uirements B2 pointsCD *C All ports shouldtrust the =S!$ %aluesrecei%ed from their connectingde%ices. (C $ackets recei%ed from the user ports with =S!$ %alues of 3/, 3N, 23, 2(, (3, (/, *N and *) should be remarked to =S!$ / B$H' !S*C if traffic flowing occurs abo%e L bps on a per port basis. This traffic could be a combination of any of the preceding =S!$ %alues with any source5destination combination. nsure a minimum burst %alue is configured abo%e the L bps.

t is acknowledged within the industry that a user port rarely generates more than L bps of traffic on astandard +astthernet connection. f traffic rates increase abo%e this threshold, it could be indicati%e of a =8S or 0orm attack.A * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!3"#

method of mitigating an attack is to create aSca%enger#!lass that simply remarks traffic =S!$ %alues when the thresh# old has been e4ceeded. This will not block traffic but will ensure that mission#critical traffic remains unaffected from an attack by trusting the =S!$ %alue for known traffic and re#marking unknown application traffic down to!S*. To answer the "uestion, you are re"uired to create a odular QoS policy that trusts the incoming =S!$ %alue recei%ed from the host within the policy rather than by configuring the trust %alue on a per#interface basis and by policing traffic at a rate of L bps. 0hen the minimum burst rate is e4ceeded, the =S!$ %alues will be remapped according to the /oli$ed ds$/ map to Sca%enger#!lass !S* B=S!$/C. >ou should note that all =S!$ baseline %alues are being remapped with the e4ception of =S!$(N, which is generally reser%ed for mission#critical data. This approach enables traffic asso# ciated traffic rates e4ceed L bps@ this approach also assumes that the %irus with this %alue to remain unchanged e%en when does not itself re#mark traffic to this %alue to increase its chances of causing damage. The e4clusion of =S!$(N though is not rele%ant to the configuration and methodology you use to answerthe "uestion. The "uestion re"uires you to configure a standard $ A!: that permits any traffic. +or traffic matching thisclassification, the =S!$ %alue in the incoming packet is trusted. f the matched traffic e4ceeds an a%erage traffic rate of L bps and a normalburst size of /))) bytes, its =S!$ is marked down according to the policed =S!$ map %alues and transmitted. f you ha%e config# ured this correctly, as shown in 4ample *#29, you ha%e scored 2 points. E%MPL 1637 '5 !i#tribute6&i#t C$n/i"urati$n an. Veri/icati$n SW1(config)# mls os SW1(config)# mls os ma/ /oli$edds$/ 48 4 34 32 24 28   8 to SW1(config)# a$$esslist /ermit an* SW1(config)# $lassma/P)ICE SW1(config-cmap)# mat$% a$$essgrou/ SW1(config-cmap)#

e:it

SW1(config)# /oli$*ma/+EM(+ SW1(config-pmap)# $lass P)ICE SW1(config-pmap-c)# trustds$/ SW1(config-pmap-c)#

/oli$e - 8 e:$eeda$tion /oli$edds$/transmit

SW1(config-pmap-c)#

e:it

SW1(config-pmap)#

e:it

524 SW1(config)# inter#a$e range #astEt%ernet

SW1(config-if-range)#

seri$e/oli$* in/ut +EM(+

SW1# s%o& /oli$*ma/+EM(+

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!3'#

Polic" ap ;.-5;J /lass P0/. police <$$$$$$ :$$$ excee-action police-scp-transmit trust scp

E

Switch* will be connected to a new trusted domain in the future using interface gigabit )5*. A =S!$ %alue re# cei%ed locally on sw* of A+32 should be mapped to A+3( when destined for the new domain. B( pointsC

This re"uires a =S!$ mutation map to con%ert =S!$ %alues between en%ironments. f you didn6t realize that A+32 is =S!$2/ and A+3( is =S!$2N, you would struggle to answer th is "uestion, but a search ofyour documentation != should ha%e assisted you. +or the mutation map to function correctly, you need to e4plicitly trust =S!$ %alues recei%ed on the interface on which you are configuring the map. f you ha%e configured this correctly, as shown in 4ample *#2/, you ha%e scored (points. E%MPL 163@ S)itch1 !SCP6mutati$n Map C$n/i"urati$n SW1(config)# mls os ma/ ds$/mutation (643(642 383to SW1(config)# inter#a$eGig5

E

SW1(config-if)#

mls os trustds$/

SW1(config-if)#

mls os ds$/mutation(643(642

!onfigure !isco odular QoS as follows on -* for the following traffic types based on their associated $er Hop 'eha%ior into classes. &ncorporate these into an o%erall policy that should be applied to the T* interface S)5)5). Assume a $F! of line rate on the +rame -elay network, and allow each class the effecti%e bandwidth as detailed B( pointsC D C& a# #

P 

-outing Fo&$

!SN +

nteracti%e Fideo

A+3*

%##i"ne.Spee.

3N Rbps (39 Rbps (39 Rbps

ission !ritical =ata

A+2*

(39 Rbps

!all#Signaling

!S2

3N Rbps

A+(*

(*N Rbps

Transactional =ata 1etwork#mgmt

!S(

3N Rbps

'ulk =ata

Af**

3N Rbps

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

Sca%enger

!S*

*L Rbps

=efault

)

2/N Rbps

!3+#

Two points are a%ailable here, so you know it6s either going to be comple4 or in%ol%e a great deal of configuration. This one is a bit of both, so there is a riskof configuration errors for those points to slip away. There is also some math in# %ol%ed because the /oli$*ma/re"uires a percentage %alue of bandwidth as opposed to actual speed, as you are using a T* interface you know that the ma4imum a%ailable bandwidth is *L33 Rbs and a line rate $F! is assumed, so the %alues re"uired are as followsD *Z [ *L Rbps, 2Z [ 3N Rbps, *3Z [ (*N Rbps, *NZ [ (39 Rbps, (LZ [ 2/N Rbps. A $lassma/ to match all %alues for the pro%ided classes is re"uired that is then associated with the /oli$*ma/. The o%er# all policy is then applied to the outgoing interface Serial)5)5), and a nice little gotcha is that you must configure the in# terface with the command ma:resered'and&idt%@ otherwise, the full bandwidth is not made a%ailable for the policy. Msually you would assign %oice traffic into a real#time "ueue B::QC, but the "uestion doesn6t dictate this, so ef# fecti%ely all traffic types are being assigned with different proportions of !'0+Q. f you ha%e configured this correctly, as shown in 4ample *#2, you ha%e scored ( points. E%MPL 1639 S)itch1 M$.u&ar B$SC$n/i"urati$n ;1# s% run $lassma/ B class-map matc&-all matc& ip scp ef class-map matc&-all matc& ip scp af11 class-map matc&-all matc& ip scp cs2 class-map matc&-all matc& ip scp af41 class-map matc&-all matc& ip scp cs7 class-map matc&-all matc& ip scp cs1 class-map matc&-all matc& ip scp af21 class-map matc&-all matc& ip scp af31

VP *0J-D5!5 N.!-5N VD. ;*!N S/5V.N.; !;5NS-D5!5 SSN-/;!

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!34#

class-map matc&-all /500-S matc& ip scp cs3 B en ;1# s% run /oli$*ma/ B polic"-map ZS class VP %an8it& percent 17 class VD. %an8it& percent 17 class *0J-D5!5 %an8it& percent 3 ranom-etect class !;5NS-D5!5 %an8it& percent 14 class N.!-5N %an8it& percent 3 class ;*!N %an8it& percent 3 class S/5V.N.; %an8it& percent 1 class SSN-/;! %an8it& percent 17 ranom-etect class /500-S %an8it& percent 3 class class-efault %an8it& percent 2< B en ;1# s% run int s55 > 'egin ma:resered'and&idt%  max-reser6e-%an8it& 1$$ ser6ice-polic" output ZS en ;1# s%o& /oli$*ma/= Polic" ap ZS * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa "em$re 259 .etai&# /$r

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!3#

/lass VP an8it& 17 (H) ax !&res&ol 74 (pacets) /lass VD. an8it& 17 (H) ax !&res&ol 74 (pacets) /lass *0J-D5!5 an8it& 3 (H) exponential 8eig&t  class min-t&res&ol max-t&res&ol mar-pro%a%ilit" ---------------------------------------------------------$ 1 2 3 4 < 7 = rs6p

-

-

1,1$ 1,1$ 1,1$ 1,1$ 1,1$ 1,1$ 1,1$ 1,1$ 1,1$

/lass !;5NS-D5!5 an8it& 14 (H) ax !&res&ol 74 (pacets) /lass N.!-5N an8it& 3 (H) ax !&res&ol 74 (pacets) /lass ;*!N an8it& 3 (H) ax !&res&ol 74 (pacets) /lass S/5V.N.; an8it& 1 (H) ax !&res&ol 74 (pacets) /lass SSN-/;! an8it& 17 (H) exponential 8eig&t  class min-t&res&ol max-t&res&ol mar-pro%a%ilit" ---------------------------------------------------------$ 1 2 3 4 <

-

-

1,1$ 1,1$ 1,1$ 1,1$ 1,1$ 1,1$

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

7 = rs6p

-

-

/lass /500-S an8it& 3 (H) ax !&res&ol 74 (pacets) /lass class-efault an8it& 2< (H) exponential 8eig&t  class min-t&res&ol max-t&res&ol

!31#

1,1$ 1,1$ 1,1$

mar-pro%a%ilit"

----------------------------------------------------------

E

$ 1 2 3 4 <

-

-

1,1$ 1,1$ 1,1$ 1,1$ 1,1$ 1,1$

7 = rs6p

-

-

1,1$ 1,1$ 1,1$

!onfigure -( so that traffic can be monitored on the +rame -elay network with a %iew to a dynamic policy being generated in the future that trusts the =S!$ %alue of traffic identified on this media. B* pointC

This is a simple "uestion that re"uires the commandauto dis$oer* os trustbe configured under the +rame -elay inter# face of -(. This command uses 1'A- to inspect the application traffic that flows through the router with a %iew of generating a QoS policy based on the traffic flow profile. The keyword trust in the command ensures that the =S!$ %alue of the traffic monitored on the network is trusted. f you ha%e configured this correctly, you ha%e scored * point.

Secti$n > Security ? P$int#A E

!onfigure -2 to identify and discard the following custom %irus. The %irus is characterized by the AS! charac# ters HastingsO'eer within the payload and utilizes M=$ ports **NN3 to **NNN. The = of the %irus begins on the third character of the payload. The %irus srcinated on F:A1 23. B3 pointsC

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!32#

This fictitious %irus re"uires the use of 1'A- with $=: to inspect a packet payload to identify the %irus based on the informationsupplied within the "uestion. As the %irus islocated within the third AS! character, you need toinform the custom 1'A- list to ignore the first two characters, which ensures that it will begin to check the third packet. f you s%o& /oli$*ma/ ha%e configured this correctly, as shown in 4ample *#3), you ha%e scored 2 points. >ou can use the command to %erify your configuration. E%MPL 164+ '3 N%' C$n/i"urati$n ;3(config)# i/ n'ar $ustom @astings"eer 2 as$ii @astings"eer ud/ range 4  ;3(config)# $lassma/ mat$%allI+F ;3(config-cmap)# mat$% /roto$ol@astings"eer ;3(config-cmap)# /oli$*ma/")CI+F ;3(config-pmap)# $lass I+F ;3(config-pmap-c)#

dro/

;3(config-pmap-c)#

inter#a$e giga'it5

;3(config-if)#

E

eri$e/oli$* in/ut ")CI+F

There is an infected host on F:A1 ()) of *L).*)).(.*)). nsure that only within '7$ AS*), traffic destined for this host is directed to null) of each local router. >ou may not use any A!:s to block traffic to this host specifi# cally but may use a static route pointing to null ) for traffic destined to *(.).(.) 5(3 on routers within AS*). -( may ha%e an additional static route pointing to null). Mse a '7$ feature on -( to ensure traffic to this source is blocked. $re%ent unnecessary replies when traffic is passed to the null) interface for users residing on F:A1*)). B3 pointsC

This "uestion is representati%e of black#hole routing. This is an effecti%e method of discarding packets being sent to a known destination. This approach to discarding traffic is efficient because it enables the edge routers to route traffic rather than use A!:s, and it can be deployed dynamically by making use of the ne4t#hop field within '7$ updates. >ou are permitted to create a static route on -outers -*, -(, and -2 in AS*) for network *(.).(.)5(3 to null) and one addi# tional route on -(. This route would need to be directing traffic to the infected host to null), to update -outers -* and -2. -( simply ad%ertises the host route for the infectedhost to AS*) and sets the ne4t#hop for this to *(.).(.*. -outers -* and -2 then direct traffic to null) when traffic is destined to the infected host. To ensure the solution is only used in AS*), you need to set the community tonoe:/ort for the specific static route and tag the route with a %alue of *) to identify it. >ou must therefore send the community %alues to neighbor -2 on -(, but this should ha%e completed pre%i# ously for an earlier '7$ "uestion. Mse of the no i$m/ unrea$%a'lecommand on -*6s7igabitthernet interface pre%ents unnecessary replies when traffic is passed to the 1ull) interface. f you ha%e configured this correctly, as shown in 4# ample *#3*, you ha%e scored 2 points. * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!33#

E%MPL 1641 =P &ac0 $&e '$utin" C$n/i"urati$n an. Veri/icati$n null ;2(config)# i/ route 92..2. 2--.2--.2--.2- ;2(config)# i/ route -..2. 2--.2--.2--.2-- Null ag

;2(config)# router 'g/ ;2(config-router)#

")(C@)E redistri'ute stati$ routema/

;2(config-router)#

routema/ ")(C@)E /ermit 

;2(config-route-map)#

mat$% tag

;2(config-route-map)#

set i/ ne:t%o/92..2.

;2(config-route-map)#

set $ommunit*noe:/ort

;2(config-route-map)#

e:it

;2(config)# i/ route 92..2. 2--.2--.2--.2-null adertised ;2(config)# do s%o& i/ 'g/ neig% 2..3. P ta%le 6ersion is 7> local router D is13$?1$$?2$$?1 Status coes' s suppresse>  ampe> & &istor"> I 6ali> Y %est> i - internal> r ;-failure> S Stale rigin coes' i - P> e - .P>  - incomplete Next 9op etric 0ocPrf Weig&t Pat& Net8or IY 13$?1?1?$,24 $?$?$?$ $ 32=7: i

IY 13$?1$$?2$$?$,24 $?$?$?$ IY 1<$?1$$?2?1$$,32 12?$?2?1 !otal num%er of prefixes 3

$ $

32=7: 32=7:

i i

;2# s%o& i/ route-..2. ;outing entr" for 1<$?1$$?2?1$$,32 Jno8n 6ia LstaticL> istance 1> metric $ (connecte) !ag 1$ ;eistri%uting 6ia %gp 1$ 56ertise %" %gp 1$ route-map 05/J90. ;outing Descriptor locs' I irectl" connecte> 6ia Null$ ;oute metric is $> traffic s&are count is 1 ;oute tag 1$ ;3(config)# i/ route 92..2. 2--.2--.2--.2-null ;3(config)# do s%o& i/'g/ P ta%le 6ersion is 14> local router D is12$?1$$?3?1 Status coes' s suppresse>  ampe> & &istor"> I 6ali> Y %est> i - internal> r ;-failure> S Stale

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!3#

rigin coes' i - P> e - .P>  - incomplete Net8or Next 9op etric 0ocPrf Weig&t Pat& IYi127?1?1?$,24 12$?1$$?1?1 $ 1$$ $ i IYi13$?1?1?$,24 12$?1$$?2?1 $ 1$$ $ i IYi13$?1$$?2$$?$,24 12$?1$$?2?1 $ 1$$ $ i I i1<$?1$$?2?1$$,32 12?$?2?1 $ 1$$ $ i

;1(config)# i/ route 92..2. 2--.2--.2--.2-null ;1(config)# inter#a$eGiga'it5 ;1(config-if)#

no i$m/ unrea$%a'le

;1(config-if)# do s%o& i/'g/ P ta%le 6ersion is :> local router D is127?1?1?1 Status coes' s suppresse>  ampe> & &istor"> I 6ali> Y %est> i - internal> r ;-failure> S Stale rigin coes' i - P> e - .P>  - incomplete Net8or Next 9op etric 0ocPrf Weig&t Pat& IY 127?1?1?$,24 $?$?$?$ $ 32=7: i IYi13$?1?1?$,24 12$?1$$?2?1 $ 1$$ $ i IYi13$?1$$?2$$?$,24 12$?1$$?2?1 I i1<$?1$$?2?1$$,32 12?$?2?1

$ $

1$$ 1$$

$ i $ i

;1# s%o& i/ route-..2. ;outing entr" for 1<$?1$$?2?1$$,32 Jno8n 6ia L%gp 1$L> istance 2$$> metric $> t"pe internal 0ast upate from 12?$?2?1 $$'$$'$2 ago ;outing Descriptor locs' I 12?$?2?1> from 12$?1$$?3?1> $$'$$'$2 ago ;oute metric is $> traffic s&are count is 1 5S 9ops $ ;1# s%o& i/ route92..2. ;outing entr" for 12?$?2?1,32 Jno8n 6ia LstaticL> istance 1> metric $ (connecte) ;outing Descriptor locs' I irectl" connecte> 6ia Null$ ;oute metric is $> traffic s&are count is 1

E

n a %iew of protecting the control plane on -outer -N, configure !o$$ so that $ $ackets with a TT: of ) or * are dropped rather than processed with a resulting !$ redirect sent to the source. B* pointC * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!0#

!isco 8S Software sends all packets with a TT: of ) or * to the process le%el to be processed. The de%ice must then send an &!$ TT: e4pire message to the source. 'y filtering packets that ha%e a TT: of ) and *, you can reduce the load on the process le%el. The control plane policing simply blocks packets with a TT: %alue of )and * as directed, but this will break your 7-$ and '7$ peering. So you must specifically permit these packets within yourA!:@ otherwise, you would ha%e ust lost %aluable points. f you found yourself running short on time and couldn6t ustify fur# ther time to in%estigate how to maintain your routing peering, remember that this is a *#point "uestion, worthlea%ing and coming back to if possible. f you ha%e configured this correctly, as shown in 4ample *#3(, you ha%e scored * point. E%MPL 1642 C$PP C$n/i"urati$n ;7(config)# i/ a$$esslist e:tended ) ;7(config-ext-nacl)# den* eigr/an* an* ;7(config-ext-nacl)# den* t$/an* an* e 'g/ ;7(config-ext-nacl)# den* t$/ an* e 'g/an* ;7(config-ext-nacl)# /ermit i/an* an* ttl e  ;7(config-ext-nacl)# ;7(config-cmap)#

$lassma/ D+P)5

mat$% a$$essgrou/name )

;7(config-cmap)# /oli$*ma/CoPP) ;7(config-pmap)# $lass D+P)5 ;7(config-pmap-c)#

dro/

;7(config-pmap-c)#

$ontrol/lane

;7(config-cp)#

CoPP) seri$e/oli$* in/ut

Secti$n 7> Mu&tica#t ?4 P$int#A E

!onfigure -outers -*, -(, -2, and -3 for $%3 ulticast. !onfigure -2 to send multicast ad%ertisements of its own time by use of 1T$ sourced from interface 7ig )5). !onfigure $ sparse mode on all re"uired interfaces. -2 should also be used to ad%ertise its own gigabit interface $ address as an -$. -2 should also ad%ertise the $ address you are using for the 1T$ ad%ertisements, which will be ((3.).*.*. =o not use the command nt/ sererin any configurations. -outers -*, -(, and -3 should all show a clock synchronized to that of -2. B3 pointsC

1T$ can be multicast on the reser%ed group $ address of ((3.).*.* rather than the more familiar broadcast or unicast scenarios. The "uestion re"uires you to configure -2 to become the 1T$ master and announce the group address to the 1T$ clients. As you are not permitted to use the command nt/ sereryou must configure the clients with the command nt/ multi$ast $lient . They will then ha%e the capability to oin the 1T$ group by use of $. t is good practice to TT: * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"#

scope your multicast announcements so that they do not propagate past the domain you re"uire. f you ha%en6t taken this into consideration in your solution, you would not be deducted points, but be aware of the facility in case you are met with a "uestion that specifies this. f you ha%e configured this correctly, as shown in 4ample *#32, you ha%e scored 3 points. E%MPL 1643 NTP Mu&tica#t C$n/i"urati$n an. Veri/icati$n ;3(config)# i/ multi$astrouting ;3(config)# nt/ master ;3(config)# inter#a$eGiga'itEt%ernet5 ;3(config-if)#

i/ /im s/arsemode

;3(config-if)#

nt/ multi$ast ttl 2

;3(config-if)#

inter#a$eerial55

;3(config-if)#

i/ /im s/arsemode

;3(config-if)#

4 i/ /im sendr/announ$e Giga'itEt%ernet5 s$o/e 2 grou/list

;3(config)# i/ /im sendr/dis$oer* Giga'itEt%ernet5 s$o/e 2 ;3(config)# a$$esslist 4 /ermit 224... ;3# s%o& nt/status /loc is s"nc&ronie> stratum :> reference is 12=?12=?=?1 nominal freA is 2<$?$$$$ 9> actual freA is 2<$?$$$$ 9> precision is 2II1: reference time is /:+1.71?25.131$ (21'1='21?17= *!/ !ue +e% 2= 2$$=) cloc offset is $?$$$$ msec> root ela" is $?$$ msec root ispersion is $?$2 msec> peer ispersion is $?$2 msec ;1(config)# i/ multi$astrouting ;1(config-if)#

inter#a$eerial55

;1(config-if)#

i/ /im s/arsemode

;1(config-if)#

nt/ multi$ast$lient

;1# s%o& nt/status /loc is s"nc&ronie> stratum > reference is 12$?1$$?34?3 nominal freA is 2<$?$$$$ 9> actual freA is 2<$?$$$$ 9> precision is 2II1: reference time is /:+1.=?+2321D (21'1='4 root ela" is 3?:: msec root ispersion is $?$7 msec> peer ispersion is $?$2 msec ;1(config-if)# ;1# s%o& i/ igm/grou/ P /onnecte roup em%ers&ip * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

roup 5ress 224?$?1?1 224?$?1?3 224?$?1?4$

nterface Serial$,$,$ Serial$,$,$ Serial$,$,$

!'#

*ptime .xpires 0ast ;eporter $$'4$'12 $$'$2'<$ 12$?1$$?123?1 $$'$='21 $$'$2'<1 12$?1$$?123?3 $$'4$'13 $$'$2'<2 12$?1$$?123?1

;2(config)# i/ multi$astrouting ;2(config-if)#

inter#a$eerial5

;2(config-if)#

i/ /im s/arsemode

;2(config-if)#

nt/ multi$ast$lient

+2< s%o& nt/ status Clo$0 is s*n$%roni1ed, stratum 9, re#eren$e is 2..34.3 nominal #re is 2-. @1, a$tual #re is 2-. @1, /re$ision is 28 re#eren$e time is C986E73.83"73E8 J2!7!39.-4 FC ue 6e' 27 27? $lo$0 o##set is .82 mse$, root dela* is 4.4 mse$ +2< s%o& i/ igm/ groun/ root dis/ersion is -87-. mse$, /eer dis/ersion is -87-.2 mse$ IGMP Conne$ted Grou/ Mem'ers%i/ Grou/ (ddress Inter#a$e F/time E:/ires )ast +e/orter 224... erial5 !4!8 !2!-9 2..23.2 22a4..%.4 a Merialo5 ae!4!d9 !!-9 2..23.2 224...39 erial5 !8!2 !2!-7 2..23.3

+4J$on#ig?< i/ multi$astrouting +4J$on#igi#?< inter#a$e Giga'itEt%ernet5 +4J$on#igi#?< i/ /im s/arsemode +4J$on#igi#?< nt/ multi$ast $lient

;4# s%o& nt/status /loc is s"nc&ronie> stratum > reference is 12$?1$$?34?3 nominal freA is 2<$?$$$$ 9> actual freA is 2<$?$$$$ 9> precision is 2II1: reference time is /:+1.+1?2=D1+2 (21'1'4 root ela" is 1?3= msec root ispersion is =:==?$: msec> peer ispersion is =:=7?34 msec ;4# s%o& i/ igm/grou/ P /onnecte roup em%ers&ip roup 5ress nterface 224?$?1?1 iga%it.t&ernet$,$

*ptime .xpires $$'41'2 $$'$2'42

0ast ;eporter 12$?1$$?34?4

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

224?$?1?3 224?$?1?4$

iga%it.t&ernet$,$ iga%it.t&ernet$,$

$$'$:'3< $$'41'$=

$$'$2'42 $$'$2'42

!+# 12$?1$$?34?3 12$?1$$?34?4

-P Ser(ice# ?4 P$int#A E

!onfigure the following commands on -outer -*D aaa new#model logging buffered logging *().*))..*

!onfigure a policy on -outer -* so that if a user tries to remo%e AAA ser%ices or disable logging %ia the !: that a sys# log message of M1AMTH8-&U=#!8A1=#1T-=is generated. The policy should ensure either command is not e4ecuted and should consist of a single#line command for the !: pattern detection. The policy and !: should run asynchronously. The policy should also generate an email from the router to amail ser%er residing on $address *().*))..( Bto securityVlab#e4am.net from eemVlab#e4am.net, with the subect WMser#ssue,W with the message body consisting of details of who was logged on the time either of the commands were enteredC. B( pointsC This is an intricate mbedded %ents anager BC "uestion. >ou are re"uired to configure an  applet with a !: pattern e%ent on a single line to match on either of the commandsBn o aaa ::: and no logging :::C. This is achie%ed by a pattern of KAno aaa>logging?.K . The following s*n$ no s0i/ *esparameters simply state that the policy and !: should run asynchronously and that the command entered should not be e4ecuted as directed. 0hen the commands are matched %ia the !: pattern, the policy re"uires the syslog message to be generated, a !: command action to run show users, and a final action to send an email with the details of the pre%ious s%o& command Bwhich is achie%ed by the command KL$liresultKC. 4ample *#33 details the re"uired configuration and resulting e4ecution of the  when the commands no aaa ne&model and no logging 'u##eredare entered and not e4ecuted on the router. f you ha%e config# ured this correctly, as shown in 4ample *#33, you ha%e scored ( points. E%MPL 1644 '1 M C$n/i"urati$n an. Veri/icati$n Te#tin" ;1(config)# aaa ne&model ;1(config)# logging'u##ered ;1(config)# logging2..99. ;1(config)# ;1(config)# eent manager a//letCCIE=FEIN

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!4#

;1(config-applet)#

eent $li /attern KAno aaa>logging?.K s*n$ no *es s0i/

;1(config-applet)#

a$tion . s*slog msg KFN(F@+IBEDCMM(NDENE+EDK

;1(config-applet)#

userK a$tion 2. $li $ommand Ks%o&

;1(config-applet)# KL$liresultK

a$tion 3. mail serer K2..99.2KKse$ur to i t*la'e:am.ne tK #rom Keem la'e:am.netKsu'e$tKFserIssueK'od*

;1(config-applet)# no aaa ne&model H95.-7-0' //.-Z*.S!N' *N5*!9;S.D-/5ND-.N!.;.D H95.-3-+PDS!P/NN./!' *na%le to connect to S!P ser6er' 12$?1$$??2 H95.-3-+PD.;;;' .rror executing applet //.-Z*.S!N statement 3?$ ;1(config)# no logging'u##ered H95.-7-0' //.-Z*.S!N' *N5*!9;S.D-/5ND-.N!.;.D H95.-3-+PDS!P/NN./!' *na%le to connect to S!P ser6er' 12$?1$$??2 H95.-3-+PD.;;;' .rror executing applet //.-Z*.S!N statement 3?$ ;1(config)# do s%o& run > in$lude aaa ne&model aaa ne8-moel ;1(config)# do s%o& run > in$lude logging 'u##ered logging %uffere 4$7 e%ugging

E

!isco 0AAS de%ices are to be installed on Switches * and ( in the future on F:A12)). !onfigure -outers -L and -N to pro%ide 0!!$%( redirection for clients residing on F:A12)) to ensure that all T!$ traffic other than telnet is redirected only to the 0As, which will reside on addresses *L).*)).2.L) and .L* within F:A12)). >ou are not re"uired to configure the switches for 0!!$ and can assume that incoming 0AAS traffic from the network will arri%e at interfaces 7i)5) on both -L and -N. Secure your 0!!$ with a password of !!. B( pointsC

0!!$ in this scenario could be configured on the routers or Switches * and (, but you are directed to configure the routers. 0!!$ ser%ice N( is used to redirect traffic sourced on F:A12)), which is applied to the F:A12)) interfaces of -L and -N. And 0!!$ ser%ice N* is used for the redirection of the incoming traffic, which is applied as directed to 7i)5) on both -L and -N. Telnet traffic is e4cluded Bgenerally, management traffic is not recommended to be optimizedC by creation of an e4tended A!:, which is applied to ser%ices N* and N( in a redirect#list. >ou need to remember to per# mit all other T!$ and not ust $ because the 0A can optimize only T!$ sessions. The 0A de%ices are included in a group#list for ser%ices N* and N(, and a password is applied as directed. BThe group#list will aid in load sharing and can stop a bogus 0!!$ de%ice from attempting to recei%e redirected traffic.C f youha%e configured this correctly, as shown in 4ample *#3L, you ha%e scored (points.

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!#

E%MPL 1645 '5 an. ' FCCPC$n/i"urati$n ;<(config)#

i/ &$$/  /ass&ord CCIE

;<(config)# i/ &$$/ 2 /ass&ord  CCIE ;(( ;<(config)# i/ a$$esslist e:tended

;<(config-ext-nacl)#

remar0 ;((DENH E)NE

;<(config-ext-nacl)# den* t$/ an* an* e telnet ;<(config-ext-nacl)# den* t$/ an* e telnet an* ;<(config-ext-nacl)# /ermit t$/ an*an* ;<(config-ext-nacl)# e:it 2 redire$tlist;(( ;<(config)# i/ &$$/  grou/list

;<(config)# i/ &$$/ 2 grou/list 2 redire$tlist ;(( -..3.- ;<(config)# a$$esslist 2 /ermit ;<(config)# a$$esslist 2/ermit -..3.- ;<(config)# inter#a$eGi5 ;<(config-if)#

i/ &$$/ redire$tin

;<(config-if)# inter#a$eGi5 ;<(config-if)#

i/ &$$/2 redire$tin

;7(config)# i/ a$$essliste:tended;(( ;7(config-ext-nacl)#

remar0 ;((DENH E)NE

;7(config-ext-nacl)# den* t$/ an* an* e telnet ;7(config-ext-nacl)# den* t$/ an* e telnet an* ;7(config-ext-nacl)# /ermit t$/ an*an* ;7(config-ext-nacl)# e:it ;7(config)# i/ &$$/  grou/list 2 redire$tlist;(( ;7(config)# i/ &$$/ 2 grou/list 2 redire$tlist ;(( ;7(config)# a$$esslist 2 /ermit -..3.- ;7(config)# a$$esslist 2/ermit -..3.- ;7(config)# inter#a$eGi5 ;7(config-if)#

i/ &$$/ redire$tin

;7(config-if)#

# inter#a$eGi5

;7(config-if)#

i/ &$$/2 redire$tin

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!1#

Lab F'%P6

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!2#

Practice Lab ' The !! e4am commences with ( hours oftroubleshooting followed by L *5( hours of configuration and a final 2) minutes of additional "uestions. This lab has been timed to last for /hours of configuration andself#troubleshooting, so aim to complete the lab within this period. Then either score yourself at this point or continue until you feel you ha%e met all the obecti%es. >ou now are going to be guided through the e"uipment re"uirements and pre#lab tasks in preparation for taking this practicelab. f you don6t own si4 routers and four switches, consider using the e"uipment a%ailable and additional lab e4ercises and training facilities a%ailable within the !! -&S 2N) program. =etailed information on the 2N) program and !! -&S e4am can be found on the following M-:s,respecti%elyD httpsD55learningnetwork.cisco.com5community5learningOcenter5ciscoO2N)52N)#rs

httpsD55learningnetwork.cisco.com5community5certifications5ccieOroutingOswitching NT The 2/(Ls used in this lab were loaded with $382-adenter/rise09 m1.24..'in, and the 29(L was loaded with $372-adenter/rise09 m1.24..'in.

8uipment Li#t >ou will need the following hardware and software components to begin this practice lab. E

Si4 routers loaded with !isco 8S Software -elease *(.3 Ad%anced nterprise image and the minimum interface configuration as documented in Table (#*

T%L 261 $ardware Re%uired &er Router '$u t er

NT The 2LL) in this lab was loaded with $3-- i/seri$es09m1.22 2-.EE.'in, and the 2LN)s with $3- i/seri$es09m1.22 2-.EE.'in.

M$ . e &

thernet -:;

Seria& -:;

-*

2/(L

*

*

-(

29(L

*

*

-2

2/(L

*

*

-3

2/(L

(

P

-L

2/(L

(

P

-N

2/(L

(

P

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

NT 1otice in the initial con# figurations supplied that some interfaces will not ha%e $ addresses pre# configured. This is be# cause you will either not be using that interface or you must configure it from default within the e4ercise. The initial con# figurations supplied should be used to precon# figure your routers and switch before the lab starts.

E

!3#

8ne 2LL) switch with 8S *(.( $ Ser%ices and 2 2LN) Switches with 8S *(.( $ Ser%ices.

Settin"

Lab T$p$&$"y This practice :ab uses the topology as outlined in +igure (#*, which you will need to re#create with your own e"uipment or by using lab e"uipment on the !! -&S 2N) program.

f your routers ha%e dif# ferent interface speeds than those used in this book, adust the band# width statements on the rele%ant interfaces to keep all interface speeds in line. This will ensure that you do not get un# wanted beha%ior because of differing 7$ metrics.

;-=<' 261 Lab " (o&o)ogy iagra* * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!#

S)itch -n#tructi$n# !onfigure F:A1 assignments from the configurations supplied or from Table(#(. T%L 262 ,L- -ssign*en t VL%N

S ) it ch 1

23

+a)52, +a)53, +a)5L

3N

+a)5N

L2

F:A1L2

N2

P

S) i t ch 2

P +a)53

+a)5L

S ) i tc h 3

P P

P

F:A1L2

+a)5N

S) i t c h 4

P

P

F:A1N2

F:A1N2

*))

P

+a)5*

P

P

())

P

+a)5(

P

P

!onnect your switches with -;3L thernet cross o%er cables, as shown in +igure (#(.

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"00#

;-=<' 262 Switch to Switch Connectivity

;rame 'e&ay -n#tructi$n# !onfigure one of the routers you are going to use in the lab as a +rame -elay switch, or ha%e a dedicated router purely for this task. This lab uses a dedicated router for the +rame -elay switch. A fully meshed en%ironment is configured be# tween all the +rame -elay routers. $ay attention in the lab as to which permanent %irtual circuits B$F!C are actually re# "uired. Reep the encapsulation and :ocal anagement nterface B:C settings to default for this e4ercise, but e4periment with the settings outside theselabs because you could be re"uired to configure the +rame -elay switching within your reallab. f you are using your own e"uipment, keep the =! cables at the frame switch end for simplicity and pro%ide a clock rate to all links from thisend. After configuration, the +rame -elay connecti%ity will represent the logical +rame -elay network, as shownin +igure (#2.

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"0"#

;-=<' 263 /ra*e Re)ay Logica) Connectivity

-P %..re## -n#tructi$n# >ou will find in the actual !! lab that the maority of your $ addresses will be preconfigured. +or this e4ercise you are re"uired to configure your $ addresses, as shown in +igure (#3, or load the initial router configurations supplied. f you are manually configuring your e"uipment, ensure you include the following :oopback addresses B-* and -2 use the same $ address for :oopback (LLCD -* :o) *().*)).*.*5(3 :o(LL ()).()).()).())5(3

-N :o) *().*)).N.*5(3 S0* :o) *().*)).9.*5(3

-( :o) *().*)).(.*5(3

S0( :o) *().*))./.*5(3

-2 :o) *().*)).2.*5(3

S02 :o) *().*))..*5(3

:o(LL ()).()).()).())5(3

S03 :o) *().*)).*).*5(3

-3 :o) *().*)).3.*5(3 -L :o) *().*)).L.*5(3

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"0'#

;-=<' 264 IP -ddressing iagra*

Pre6&ab Ta#0# E

'uild the lab topology per +igure (#* and +igure (#(.

E

!onfigure your +rame -elay switch router to pro%ide the necessary =ata :ink !ontrol dentifiers B=:!C per +igure (#2.

E

!onfigure the $ addresses on each router as shown in +igure (#3 and add the :oopback addresses. Alternati%ely, you can load the initial configuration files supplied if your router is compatible with those used to create this e4# ercise.

=enera& =ui.e&ine# E

-ead the whole lab before you start.

E

=o not configure any static5default routes unless otherwise specified.

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

NT Access only these M-:s, not the whole !isco.com website because if you are permitted to use documentation during your !! lab e4am, it will be restricted. !on# sider opening windows withse%eral the pages you are likely to look at to sa%e time during your lab.

!"0+#

E

Mse only the =:!s pro%ided in the appropriate figures.

E

nsure full $ %isibility between routers for ping testing5telnet access to your de%ices.

E

f you run out of time, choose "uestions that you are confident you can answer, or choose "uestions with a higher point rating to ma4imize your potential score.

E

7et into a comfortable and "uiet en%ironment where you can focus for the ne4t / hours.

E

Take a 2)#minute break midway through the e4ercise.

E

Ha%e a%ailable a !isco =ocumentation !=#-8 or access online the latest documentation from thefollowing M-:sD www.cisco.com5uni%ercd5home5home.htm httpD55www.cisco.com5en5MS5products5psN2L)5productsOinstallationOandOconfigurationOguidesOlist.html

Practice Lab T)$ >ou will now be answering "uestions in relation to the network topology, as shown in +igure (#L.

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"04#

;-=<' 265 Lab (o&o)ogy iagra*

Secti$n 1> L%N S)itchin" an. ;rame6'e&ay ?24 P$int#A E

!onfigure your switched network to use /)(.*w Spanning Tree. Switch * should be the root bridge forF:A1s 23,3N,L2,N2,*)) and ()), with Switch ( being the secondary root bridge for all listed F:A1s. B2 pointsC

E

Switch 2 should use its interface directly connecting to Switch ( B+ast thernet )5(*C for traffic directed toward e%en#numbered F:A1s B23, 3N, *)), ())C and the interface directly connecting to Switch * B+ast thernet )5*C for odd#numbered F:A1s BL2, N2C. B2 pointsC

E

Switch 3 should use its interface directly connecting to Switch ( B+ast thernet)5*C for traffic destinedtoward e%en#numbered F:A1s B23, 3N, *)), ())C and the interface directly connected to Switch * B+ast thernet )5(*C for odd#numbered F:A1s BL2, N2C. B2 pointsC

E

nsure a cable fault between Switches * and ( could not result in one#way traffic between the two switches, re# sulting in spanning#tree issues. B( pointsC * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

E

!"0#

!onfigure Switch * and Switch ( to enable connecti%ity of two further switches in the future to be connected to ports +ast thernet )5*/ on each switch. The new switches should be able to tunnel their own configured F:A1s through a new F:A1 B2)C between Switch * and Switch (. There is no re"uirement to configure a root bridge or F:A1 load balancing for the new F:A1 between Switch * and Switch (. B3 pointsC !onfigure your switched network to monitor the F:A1()) interface associated with -( BSwitch ( +astthernet )5*C, and send only traffic destined to -( on this switch port across your network to Switch 2 port +astthernet )5*9Puse a new F:A1 B()C to assist in this configuration. There is no re"uirement to configure a root bridge or F:A1 load balancing for the new F:A1. B2pointsC

E

E

!onfigure the interface on Switch ( that connects to -L F:A1L2 B+ast thernet )5LC in such a way that if all the trunks on Switch ( connecting to Switch *, Switch 2, and Switch 3 should fail, this thernet port transitions into error#disable state. B2 pointsC

E

!onfigure interfaces +ast thernet )5 and )5*) on Switch * so that e%en if they are configured to belong to the same F:A1 they will not be able to forward unicast, broadcast, or multicast traffic to one another. =o not use any form of A!: or configure the ports to belong to a $F:A1. B* pointC

E

>our initial +rame#-elay configuration has been supplied for the -*#-(#-2 connecti%ity. !onfigure +rame -elay per +igure (#9 to ensure each de%ice is reachable o%er the +rame#-elay network. Mse only the indicated =:!s, and ensure that a proprietary method of reducing the payload o%er the +rame#-elay network is enabled on a per# packet basis. B( pointsC

;-=<' 26 /ra*e Re)ay Connec8 tivity

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"01#

Secti$n 2> -P(4 -=P Pr$t$c$&# ?2@ P$int#A Secti$n 21> -='P ;-=<' 267 EI6RP (o&o)ogy

E

!onfigure 7-$ per +igure (#9 using an AS of *@ each 7-$ router should ha%e its :oopback ) interface con# figured and ad%ertised within 7-$. B( pointsC

E

!onfigure -* to ad%ertise a summary route of *().*)).).)5*N outbound on its serial interface. -2 should see the srcinal F:A1*)) and :oopback ) indi%idual routes i n addition to the summary route. >ou may use only one summary route in your configuration. B2 pointsC

E

nsure the length of time that 7-$ considers neighbors to be %alid without recei%ing a hello packet on the +rame#-elay network between -*, -(, and -2 is ()) seconds@ do not change the hello#inter%al parameter. B( pointsC * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa "em$re 259 .etai&# /$r

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

E

!"02#

!onfigure new :oopback interfaces on -* and -( using a :oopback interface ( with an identical $ addressof *L).*)*.*.*5(3 on both routers@ ad%ertise this network into 7-$ on each router. nsure that -2 prefers the route from -( by manipulating the delay associated with this route. =o not manually adust the delay associated with the interface by use of the dela* command. >ou are only permitted to configure -( to influence the delay. B2 pointsC

Secti$n 22> SP; ;-=<' 26@ 5SP/ (o&o)ogy

E

!onfigure 8S$+ per +igure (#/ using a process = of *. All 8S$+ configuration, where possible, should not be configured under the process =. ach 8S$+ router should also ha%e its :oopback ) interface configured and ad# %ertised within 8S$+ as followsD B( pointsC -3 :oopback )  Area ) -L :oopback )  Area ) -N :oopback )  Area * Sw* :oopback )  Area (

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"03#

Sw( :oopback )  Area * Sw2 :oopback )  Area ( Sw3 :oopback ) Area E

Area ) is partitioned between -3 and -LPensure your network can accommodate this issue. >ou are not permit# ted to form any area ) neighbor relationship directly between -3 and -L to oin area ). B3 pointsC

Secti$n 22> '-P(2 ;-=<' 269 RIPv' (o&o)ogy

E

!onfigure -$%( between -( and -2, configure a new :oopback interface on -( B:oopback 2C with an $ ad# dress of *L).*)*.(.*5(3, and ad%ertise this and only this network to -2 from -(. B( pointsC

E

-2 should not ad%ertise any connected interfaces into -$%(@ do not filter routing ad%ertisements to achie%e this beha%ior. B( pointsC

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"0#

Secti$n 23> 'e.i#tributi$n $erform a one#way redistribution of -$%( into 7-$ on -2 using the following default metricD *L33()))) (LL * *L)). nsure that -* shows a ne4t hop for the -$%( ad%ertised route of*L).*)*.(.)5(3 of -( and perform configuration only on -2 for this task. B2 pointsC

E

E

$erform mutual redistribution of 7-$ and 8S$+ on -3 and -L. Mse a metric of L))) for redistributed routes into 8S$+ that should appear as e4ternal type ( routes and the following R %alues for 8S$+ routes redistributed into 7-$D *L33 ()))) (LL * *L)). B( pointsC

E

-2 will ha%e e"ual cost e4ternal 7-$ routes to the redistributed 8S$+ subnet *().*)).N2.)5(3 BF:A1 N2C. !onfigure only -2 to ensure that -2 routes %ia a ne4t hop of -L B*().*)).23.LC for this destination subnet. f this route fails, the route ad%ertised from -3 B*().*)).23.3C should be used dynamically. B2 pointsC

Secti$n 3> =P ?15 P$int#A ;-=<' 261+ 76P (o&o)ogy

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!""0#

E

!onfigure '7$ peering per +igure (# as followsD i'7$ -*#-2, -(#-2, -3#-N, -3#S0(. -L#Sw* -L#sw2. e'7$ -2#-3, -2#-L, Sw3#Sw2. -N#Sw3. Mse :oopback interfaces to peer on all routers with the e4ception of peering between -2#-3 and -2#-L. =o not use the command e'g/multi%o/ within your configurations. B2 pointsC

E

-outers -* and -( in AS*)) should be made to only passi%ely accept '7$ sessions. -2 should be configured to only acti%ely create '7$ sessions to -* and -( within AS*)). B2 pointsC

E

!onfigure the following :oopback interfaces on -2 and Sw3@ ad%ertise these networks into '7$ usingthe net&or0 commandD B( pointsC

-2  :oopback interface L B*L(.*)).*)).*5(3C Sw3  :oopback interface L B*L(.()).2(.*5(3C Sw3  :oopback interface N B*L(.()).22.*5(3C Sw3  :oopback interface 9 B*L(.()).23.*5(3C Sw3  :oopback interface / B*L(.()).2L.*5(3C E

!onfigure -2 to inform -3 that it does not want to recei%e routes ad%ertised from Sw3 for networks *L(.()).22.)5(3, *L(.()).23.)5(3, and *L(.()).2L.)5(3. Achie%e this in such a manner that -3 does not actually ad%ertise these routes toward -2. >ou may also configure -3. B3 pointsC

E

!onfigure a route#map on -L that prepends its local AS ( an additional two times for network *L(.()).2(.)5(3 when ad%ertised to -2. The route#map may contain multiple permit statements but only one prepend is permitted per line. B2 pointsC

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"""#

Secti$n 4> -P( ?12 P$int#A ;-=<' 2611 IPv1 (o&o)ogy

E

!onfigure $%N addresses on your network as followsD ())9D!*LD!)D*)DD*5N3 # -* 7i)5) ())9D!*LD!)D**DD*5N3  -* tunnel) ())9D!*LD!)D**DD25N3  -2 tunnel) ())9D!*LD!)D*(DD(5N3 # -( tunnel) ())9D!*LD!)D*(DD25N3  -2 tunnel* ())9D!*LD!)D*2DD(5N3  -( fe)5* ())9D!*LD!)D*3DD25N3  -2 7i)5) * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!""'#

())9D!*LD!)D*3DD35N3  -3 7i)5) ())9D!*LD!)D*3DDL5N3  -L 7i)5) ())9D!*LD!)D*LDDL5N3  -3 7i)5* ())9D!*LD!)D*LDDN5N3  -N 7i)5)

Secti$n 41> -='P( E

!onfigure 7-$%N between -*, -(, and -2. 7-$%N should be enabled on the thernet interfaces of -* and -( and on all tunnel interfaces of -*, -(, and -2. 'uild your tunnels using i/i/ modePuse an AS number of N on all re"uired interfaces. B( pointsC

Secti$n 42> SP;(3 E

!onfigure 8S$+%2 per +igure (#**@ use an 8S$+%2 process of * on each router. B( pointsC

E

!onfigure Area * with $sec authentication, B( usepointsC essage =igest L, a security policy inde4 of L)), and a key of DECDECCEDD"("""""ED""

E

nsure the area router in Area * recei%es the following route@ you may configure -3 to achie%e thisD B( pointsC 8 ())9DD5*N **)5(I D X X X D %ia XX 7igabitthernet)5) XX DX XXD XXXDX XX XXXX,

Secti$n 43> 'e.i#tributi$n E

-edistribute 7-$%N into 8S$+%2 on -2. -edistributed 7-$%N routes should ha%e a metric of L))) associ# ated with them, regardless of which area they are seen in within the 8S$+%2 network. B( pointsC

E

!onfigure -2 so that both -* and -( ha%e the following $%N 7-$%N route in place. =o not redistribute 8S$+ into 7-$%N to achie%e this, and ensure all routers ha%e full %isibility. B( pointsC = ())9DD5*N )5XXXXXXXXXI %ia XXXXDDXXXXDXXXXDXXXXDXXXX, Tunnel)

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa "em$re 259 .etai&# /$r

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!""+#

Secti$n 5> B$S ? P$int#A E

( $ Fideo !onferencing units are to be installed onto Switch ( ports +astthernet )5*L and )5*N on F:A1 ()). The de%ices use T!$ ports 2(2)2(2* and M=$ ports 2(2)2(2L, and this traffic is unmarked from the de%ices as it enters the switch. !onfigure Switch ( to assign a =S!$ %alue of A+3* to %ideo traffic from both of these de%ices. nsure that the switch ports assigned to the de%ices do not participate in the usual spanning#tree checks, cannot form trunk links, and cannot be configured as therchannels. B2 pointsC

E

!onfigure -( to assign a strict priority "ueue with a 3) percent reser%ation of the 0A1 bandwidth for the Fideo !onferencing traffic in the pre%ious "uestion. a4imize the a%ailable bandwidth by ensuring the -T$ headers within the %ideo stream are compressed. The remainder of the bandwidth should be guaranteed for a default "ueue with 0-= enabled. Assume the full line rate of *.L33 bps as the a%ailable 0A1 bandwidth, and en# sure the complete bandwidth is utilized by both "ueues. B2 pointsC

Secti$n > Mu&tica#t ?7 P$int#A E

!onfigure -outers -*, -(, -2, and -3 for $%3 multicast. ach router should use $ sparse dense mode. 'oth -* and -( should be configured to be candidate specifically for the following >ou multicast groupsD ((L.((L.).*, ((L.((L.).(, ((L.((L.).2, and ((L.((L.).3 by use-$s of their :oopback ) interfaces. should limit the boundary of your multicast network so it does propagate further into your network than -3. -2 should be configured as a mapping agent to announce the rendez%ous points for the multicast network with the same boundary co nstraints. B2 pointsC

E

!onfigure -2 to ensure -3 has a candidate -$ as -* for groups ((L.((L.).* and ((L.((L.).( and -( for groups ((L.((L.).2 and ((L.((L.).2. B( pointsC

E

!onfigure -* to monitor traffic forwarded through itself for traffic destined to the multicast groupof ((L.((L.).*. f no packet for this group is recei%ed within a single *)#second inter%al, ensure an S1$ trap is sent to an S1$ management station on *().*)).*)).*)) using a community string of public. B( pointsC

Secti$n 7> Security ?7 P$int#A E

Allow -outer -N to passi%ely watch the S>1 connections that flow to only F:A1N2 for ser%ers that might re# side on this subnet. To pre%ent a potential denial of ser%ice B=oSC attack from a flood of S>1 re"uests, the router should be configured to randomly drop S>1 packets from any source to this F:A1 that ha%e not been correctly established within () seconds. B( pointsC

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

NT This section should be used only if you re"uire clues to complete the "uestions. n the actual !! lab, the proctor will not enter into any discussions regarding the "uestions or answers@ he or she will be present to ensure you do not ha%e problems with the lab en%ironment and to maintain the timing ele# ment of the e4am.

!""4#

E

!onfigure an A!: on -* to allow T!$ sessions generated on this router and through its thernet interface and to block T!$ sessions from entering on its +rame#-elay interface that were not initiated on it or through it srci# nally. =o not use the established feature within standard A!:s to achie%e this, and apply A!:s only on the +rame#-elay interface. The A!: should timeout a fter *)) seconds of locally initiated T!$ inacti%ity@ it should also enable !$ traffic inbound for testing purposes. B2 pointsC

E

!onfigure -* so it can perform S!$. The router should belong to a domain of toughtest.co.uk@ use local authenti# cation with a username and password of cisco, a key size of 9N/ bits, and an SSH timeout of ( minutes and retry %alue of (. B( pointsC.

%#0 the Pr$ct$rD Secti$n 1> L%N S)itchin" an. ;rame6'e&ay QD =o you ust want me to configure the root and secondary root bridges into /)(.*w spanning tree? tree. AD >ou should ensure that your network runs a consistent %ersion of spanning

QD !an  change the root bridge assignments of odd# and e%en#numbered F:A1s to ensure different interfaces are used on Switch 2 and Switch 3? "uestion. AD 1o, the root bridge assignment should remain as per the first

QD f a copper thernet cable fails between Switch * and Switch (, surely  wouldn6t encounter spanning#tree issues because there would not be any loops present. Am  correct in thinkingthis? AD 1ot entirely, consider a partial failure rather than a completebreakage. theif QD The switches are connected with thernet copper cables@ wouldn6t a feature like M=:= be beneficial only connections are fiber?

AD M=:= can operate o%er copper thernet in the same manner +iber. as switches? QD 0ould you like me to configure a nati%e F:A1 of 2) on trunks to the two new

AD 1o, a nati%e F:A1 would not facilitate transportation of multiple F:A1s o%er the single F:A1between 2) Switch * and Switch (. QD Are you looking for a 7- type tunnel between switches? AD 1o, use a :ayer ( switch tunnelingfeature. * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!""#

QD  assume you re"uire remote span configured for -( traffic. s it okay to send both TX and -X traffic to Switch (? AD -ead the "uestion carefully because this information has been pro%ided. QD 0ould you like me to configure M=:= aggressi%e mode on Switch ( to transition the re"uired port to error#disable mode if a trunk failure occurs? AD 1o, you need to configure a feature that will place a nontrunk link into error#disable mode if all the trunkson Switch ( fail. communicate? QD !an  ust shut down ports )5 and )5*) so that they can6t ports. AD 1ice try@ look for a security feature to disable communication between these

Secti$n 2> -P(4 -=P Pr$t$c$&# Secti$n 21> -='P QD f  configure a summary#address on -*, this route o%errides the F:A1*)) and :oopback ) routes from -* as re# cei%ed on -2. s this correct? AD >es, this is the e4pected beha%ior of summarization@ you need to enable a feature that enables the more specific routes to be recei%ed on -2. QD  think  can achie%e this with multiple summary routes but the "uestion restricts this. !an  use a new 7-$ proc# ess instead? AD 1o, use a feature that enables your specific routes to leak from the summary route. QD s it acceptable to adust the hold#time on the +rame#-elay interfaces to change the hello#inter%al? AD >es. QD !an  manipulate the delay associated to network *L).*)*.*.)5(3 because this ad%ertisement lea%es -( rather than by changing an interface delay on -(? AD >es.

Secti$n 22> SP; QD  am e4periencing neighbor adacency issues between -L and Switch *. s this part of "uestion? the * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!""1#

AD This is a byproduct of the "uestion if you use a 2LL) in your topology. $ractice your troubleshooting skills to de# termine what issues could be causing thisbeha%ior. QD 6%e checked my configs between -L and Switch * and they look good. Am  missing something from initial the configuration? AD 1o, if your configuration is correct, you should debug your adacencies to pro%ide information on what could be causing an issue. QD 6%e found an TM issue while debugging. s it okay to change an interface TM to fi4 this issue? AD >es. )? QD s it acceptable to pro%ide tunnels between -3 and -L to oin area ). AD 1o, this solution would in%ol%e a neighbor relationship being formed between the routers in Area

QD 6d normally use a %irtual link to e4tend Area ) into a transit area. !an  use this techni"ue to stretch Area ) be# tween -3 and -L? AD >ou can use %irtual links in your solution@ think about where the links need to be though, to ensure your topology correctly. operates

Secti$n 23> '-P(2 QD 6%e ust checked the routing table of -2 to find the only -$%( route recei%ed from -( is the route re"uired in the "uestion. !an  mo%e on or ha%e  missed something? AD -ead the "uestion again@ e%en if you ha%e only a single -$%( route in your routing table, it doesn6t mean it is the only -&$%( route recei%ed by -2. QD  can see that  am of course still generating additional routes from -( toward -2. !an  ust block these with a dis# tribute#list on -2? AD >es. QD !an  ust use the passi%e#interface feature on the interfaces on -2 to make sure they are not ad%ertised to-(? AD 1o, this would stop -$%( ad%ertisements from being sent out on these interfaces@ it wouldn6t stop the actual inter# face subnets from being ad%ertised to-(. QD !an  create an offset#list on -2 marking the attached networks on -2 as unreachable so that they are not ad%ertised to -(? * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!""2#

AD 1o@ look for a simple solution that blocks routing ad%ertisements from lea%ing interface. an QD So 6m okay to use the passi%e#interface feature on the +rame#-elay interface to stop ad%ertising outbound but still recei%e the specific route from -( inbound? AD >es.

Secti$n 23> 'e.i#tributi$n redistribution. QD 6%e followed the redistribution instructions, but  don6t recei%e the -$%( route on -* after

AD >ou will ha%e some underlying issues prior to recei%ing the route on -*@ use your troubleshooting skills to deter# mine the problem. QD 6%e noticed that due to the preconfigured :oopback interfaces on -* and -2 both of these routers ha%esame the 7-$ router#id. !an  manually change the router#id on one of the routers to see if this helps? AD >es. QD 6%e managed to get the -$%( route redistributed from -2 into 7-$ on -*, but the ne4t hop is showing as -2. -(? !an & policy#route on -* so that the ne4t hop for this route is directly %ia AD 1o, you need to ha%e the routing table reflect the ne4t hop of this route %ia -( and -2. not

QD !an  use the eigrp third#party ne4t#hop feature to lea%e the ne4t hop of the route unaltered from -(? AD >es. QD !an  modify the 8S$+ cost on the interface connecting -2 to the 8S$+ network to attempt to change the ne4t hop for the subnet *().*)).N2.)5(3? AD 1o, this would affect routes recei%ed on -2 from both -3 and -L e"ually because -3 and -L reside on the same subnet as -2. QD !an  use an offset#list or similar feature on -3 to penalize the route *().*)).N2.)5(3 as it ad%ertised to -2? AD 1o, you are permitted to configure only -2. QD s it acceptable to use a route#map on -2 and match a route source to penalize the route to *().*)).N2.)5(3? AD >es.

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!""3#

Secti$n 3> =P QD f  can6t use ebgp#multihop on my peering on -N, Switch 2, and Switch 3, will my peering fail because  am peer# ing from my :oopback interfaces? AD >es, it will@ you need to configure a feature that o%errides this beha%ior. QD !an  try to use 1AT to fi4 mypeering? AD 1o, use a specific '7$ feature to disregard the TT: check. QD 6m e4periencing peering issues between -* and -2 and ha%e '7$ notifications displayed on the console. s this e4pected beha%ior? router#id. AD >es, you had a similar issue within 7-$@ check your

QD =o you want me to configure an A!: to limit '7$ connections to purely inbound or outbound on T!$ port *9? AD 1o, an A!: would actually break the peering entirely. Mse a '7$ feature to force the peering to becomedirec# tional. QD !an  ust configure a filter on -3 to stop ad%ertising specific routes to -2? AD 1o, you must dynamically inform -3 to not ad%ertise specific routes %ia -2. QD !an  use '7$ 8-+? AD >es.

Secti$n 4> -P( route? QD 0ould you like me to configure an additional $%N subnet on -3 to recei%e the ())9DD5*N

AD 1o, in%estigate an alternati%e method to create this route from the preconfigured subnets you already ha%e, ensuring that the route is recei%ed as illustrated in the "uestion. (? QD 0ould you like me to redistribute routes into 8S$+%2 as 4ternal Type * or Type

AD The "uestion pro%ides you with sufficient information to determine the redistribution typeuse. to

Secti$n 5> B$S 2(2L? QD =o the F! units use M=$ $orts 2(2) and 2(2L or 2(2) through * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa "em$re 259 .etai&# /$r

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!""#

AD They use the range 2(2) through2(2L. units? QD =o you want me to trust the ports assigned to the F!

AD The F! de%ices are not marking the traffic, so there is a need to trust theseports. QD 0ould you like me to disable trunking, channeling, and spanning#tree checks on the ports assigned to the F! units? AD >es, but remember there is a single command that will disable all these features. QD f  use the bandwidth percent command on -( in my 3)#percent guaranteed reser%ation, is this sufficient to answer the "uestion? used. AD 1o, the "uestion dictates that a priority "ueue be

QD 0ould you like me to configure -T$ compression within a frame#relay map#class? policy#map. AD 1o, you can achie%e all the re"uirements within the same QoS

Secti$n > Mu&tica#t QD f  configure -* and -( for the same multicast groups, wones, you will address this beha%ior in the following

QD To ha%e -* and -( as candidate -$s for different groups, can  ust configure group#lists on-2? AD f you were permitted to configure -* and -(, group#lists would achie%e the desired results, but you are permitted to configure only -2. 7roup#lists can assist in your solution on -2, but you need to find a method of assigning these specifically to -* and -(. "uestion? QD =o you want me to actually configure an 7$ oin#group on -* for ((L.((L.).* for the S1$

AD 1o, this isn6t re"uired@ traffic destined to this group will be sent to -* regardless because it is the candidate -$ for this group.

Secti$n 7> Security F:A1N2? QD =o you want me to configure an A!: to block S>1 packets coming into

AD 1o, S>1 packets should still enter into F:A1N2. >ou need to configure a feature that monitors the S>1 packets and closes down any half#opened connections. * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"'0#

QD !an  use a refle4i%e A!: to drop S>1 packets that are not correctly established by the ser%ers? AD 1o, there is a specific T!$ feature used to protect ser%ers from a flood of S>1 packets that could cause a =oS at# tack. QD !an  ust use a standard A!: on -* on the frame#relay interface to permit sessions outbound and deny e%erything else inbound? AD 1o, this would block return path traffic initiated by -*. QD !an  use a refle4i%e A!: to dynamically permit the return traffic with a time limit of *)) seconds? AD >es. QD  ha%e configured S!$ with the re"uired SSH parameters, but  am not confident of my configuration@ any sugges# tions? AD f you ha%e time, try to copy the 8S image from flash on -* with -!$. f you are prompted for a password and gain access to the file, you ha%e configured this feature correctly.

Practice Lab !ebrie/ The lab debrief section now analyzes each "uestion showing you what was re"uired and how to achie%e the desired re# sults. >ou should use this section to produce an o%erall score for the practice lab.

Secti$n 1> L%N S)itchin" an. ;rame6'e&ay ?24 P$int#A E

!onfigure your switched network to use /)(.*w Spanning Tree. Switch * should be the root bridge forF:A1s 23,3N,L2,N2,*)), and ()), with Switch ( being the secondary root bridge for all listed F:A1s. B2 pointsC

/)(.*w is a rapid spanning tree@ the switches will be in the default mode of standard $FST and re"uire configuration to rapid#p%st mode. Switch * is re"uired to be the root bridge and Switch ( the secondary root bridge for F:A1s 3N, 23, L2, N2, *)), and ()). f you ha%e configured this correctly, as shown in 4ample (#*, you ha%e earned 2 points. 4ample (#* also shows confirmation of the root bridge and which interfaces are used to reach the root bridge from the neighboring switches,F:A1 23 is used as an e4ample but each F:A1 would be identical in this configuration. E%MPL 261 S)1, S)2, S)3 an. S)4 C$n/i"urati$n an. Veri/icati$n SW1(config)# s/anningtree modera/id/st /rimar* SW1(config)# s/anningtree lan 34,4,-3,3,,2 root

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"'"#

SW2(config)# s/anningtree modera/id/st se$ondar* SW2(config)# s/anningtree lan 34,4,-3,3,,2 root

SW3(config)# s/anningtree modera/id/st SW4(config)# s/anningtree modera/id/st

SW1# s%o& s/anningtree lan 34 > in$lude root !&is %rige is t&e root SW1# s%o& s/anningtree lan 4 > in$lude root !&is %rige is t&e root SW1# s%o& s/anningtree lan -3 > in$lude root !&is %rige is t&e root SW1# s%o& s/anningtree lan 3 > in$lude root !&is %rige is t&e root SW1# s%o& s/anningtree lan  > in$lude root !&is %rige is t&e root root SW1# s%o& s/anningtree lan 2 > in$lude !&is %rige is t&e root

E

SW2# s%o& s/anningtree lan 34 > in$lude +oot 6;D +a$,23 ;oot +WD 1 12:?2<

P2p

6;D SW3# s%o& s/anningtree lan 34 > in$lude +oot +a$,1 ;oot +WD 1 12:?21

P2p

6;D SW4# s%o& s/anningtree lan 34 > in$lude +oot ;oot +WD 1 12:?23 +a$,21

P2p

Switch 2 should use its interface directly connecting to Switch ( B+ast thernet )5(*C for traffic directed toward e%en#numbered F:A1s B23, 3N, *)), ())C and the interface directly connecting to Switch * B+ast thernet )5*C for odd#numbered F:A1s BL2, N2C. B2 pointsC

This is a straightforward F:A1 load#balancing "uestion to ensure that trunk links are utilized ef ficiently and not logi# cally disabled by spanning tree. Switch 2 uses the interface directly connecting to Switch * B+ast thernet )5*C forall * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"''#

F:A1s as the lowest root cost path by default. To adust this beha%ior, this interface must effecti%ely be penalized forthe e%en#numbered F:A1s to ensure a more attracti%e path is %ia Switch ( B+ast thernet )5(*C. f you ha%e configured this correctly, as shown in 4ample (#(, you ha%e scored 2points. E%MPL 262 S)3 VL%N L$a. a&ancin" C$n/i"urati$n an. Veri/icati$n SW3(config)# inter#a$e 6astEt%ernet59

E

SW3(config-if)#

s/anningtree lan 34,4,,2 $os  t

SW3(config-if)#

do s%o& s/anningtreeroot

;oot 9ello ax Vlan ;oot D /ost !ime 5ge ---------------- -------------------- --------- ----- --V05N$$$1 32=7 $$13?:$7?4$$ 1 2 2$ V05N$$34 2471$ $$13?:$7?4$$ 3: 2 2$ V05N$$47 24722 $$13?:$7?4$$ 3: 2 2$ V05N$$<3 2472 $$13?:$7?4$$ 1 2 2$ V05N$$73 2473 $$13?:$7?4$$ 1 2 2$

+8 Dl" --1< 1< 1< 1< 1<

;oot Port -----------+a$,1 +a$,21 +a$,21 +a$,1 +a$,1

V05N$1$$ V05N$2$$

1< 1<

+a$,21 +a$,21

247=7 $$13?:$7?4$$ 24==7 $$13?:$7?4$$

3:

3:

2

2

2$ 2$

Switch 3 should use its interface directly connecting to Switch ( B+ast thernet)5*C for traffic destinedtoward e%en#numbered F:A1s B23, 3N, *)), ())C and the interface directly connected to Switch * B+ast thernet )5(*C for odd#numbered F:A1s BL2, N2C. B2 pointsC

+ollowing from the pre%ious "uestion, to ensure a balanced access topology for F:A1 load balancing, Switch 3 uses the interface directly connecting to Switch * B+ast thernet )5(*C for all F:A1s as the lowest root cost path by default, ren# dering the secondtrunk connecting to Switch ( unused unless a failo%er condition occurs. As per the pre%ious "uestion, the directly connected interface to Switch * needs to be penalized for the e%en#numbered F:A1s. f you ha%e config# ured this correctly, as shown in 4ample (#2, you ha%e scored 2 points. E%MPL 263 S)4 VL%N L$a. a&ancin" C$n/i"urati$n an. Veri/icati$n SW4(config)# inter#a$e 6astEt%ernet52 SW4(config-if)#

 s/anningtree lan 34,4,,2 $os t

SW4(config-if)#

do s%o& s/anningtreeroot

;oot

9ello ax +8

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

Vlan ;oot D /ost !ime 5ge Dl" ---------------- -------------------- --------- ----- --- --V05N$$$1 32=7 $$13?:$7?4$$ 1 2 2$ 1< V05N$$34 2471$ $$13?:$7?4$$ 3: 2 2$ 1< V05N$$47 24722 $$13?:$7?4$$ 3: 2 2$ 1< V05N$$<3 2472 $$13?:$7?4$$ 1 2 2$ 1< V05N$$73 2473 $$13?:$7?4$$ 1 2 2$ 1< V05N$1$$ 247=7 $$13?:$7?4$$ 3: 2 2$ 1< V05N$2$$ 24==7 $$13?:$7?4$$ 3: 2 2$ 1<

E

!"'+# ;oot Port -----------+a$,21 +a$,1 +a$,1 +a$,21 +a$,21 +a$,1 +a$,1

nsure that a cable fault between Switches * and ( could not result in one#way traffic between the two switches, resulting in spanning#tree issues.B( pointsC

M=:= detects unidirectional links on fiber#optic connections, in aggressi%e mode. M=:= also detects unidirectional links because of one#way traffic on twisted#pair links. 'y configuring the ports between Switch * and Switch ( into ag# gressi%e mode, the switches become M=:= neighbors, can detect one#way links, and shut down the link if this condition arises to mitigate spanning#tree issues.&f you ha%e configured this correctly, as shown in 4ample (#3, you ha%e scored ( points. E%MPL 264 S)1 an. S)2
udld /ort aggressie

SW2(config)# inter#a$e 6astEt%ernet523 SW2(config-if)#

udld /ort aggressie

SW1# s%o& udld 6astEt%ernet523 nterface +a$,23 --Port ena%le aministrati6e configuration setting' .na%le , in aggressi6e moe Port ena%le operational state' .na%le , in aggressi6e moe /urrent %iirectional state' iirectional /urrent operational state' 56ertisement - Single neig&%or etecte essage inter6al' 1< !ime out inter6al' < .ntr" 1

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa "em$re 259 .etai&# /$r

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"'4#

--.xpiration time' 44 /ac&e De6ice inex' 1 /urrent neig&%or state' iirectional De6ice D' /5!$3
E

!onfigure Switch * and Switch ( to allowconnecti%ity of two further switches in the future to be connected to ports +ast thernet )5*/ on each switch. The new switches should be able to tunnel their own configured F:A1s through a new F:A1 B2)C between Switch * and Switch (. There is no re"uirement to configure a root bridge or F:A1 load balancing for the new F:A1 between Switch * and Switch (. B3 pointsC

This is a ser%ice pro%ider re"uirement whereby customers tunnel their own F:A1s through thepro%iders network@ To mitigate any F:A1 o%erlaps from other customers, a uni"ue ser%ice pro%ider F:A1 is used to transport the customer F:A1s. 4ample (#L shows F:A1 2) being used to transport F:A1s o%er a dot*"#tunnel. Mse thes%o& dottunnel command to %erify yourtunnel configuration on your switches. f you ha%e configured this correctly, as shown in 4# ample (#L, you ha%e scored 3points. E%MPL 265 S)1 an. S)2 B in BC$n/i"urati$n SW1(config)# lan 3 SW1(config-6lan)#

e:it

SW1(config)# inter#a$e 6astEt%ernet58 SW1(config-if)#

3 s&it$%/ort a$$ess lan

SW1(config-if)#

s&it$%/ort modedottunnel

SW2(config)# lan 3 SW2(config-6lan)#

e:it

SW2(config)# inter#a$e 6astEt%ernet58 SW2(config-if)#

s&it$%/ort a$$ess lan 3

SW2(config-if)#

s&it$%/ort modedottunnel

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"'#

!onfigure your switched network to monitor the F:A1()) interface associated with -( BSwitch ( +astthernet )5*C and send only traffic destined to -( on this switch port across your network to Switch 2 port +astthernet )5*9Puse a new F:A1 B()C to assist in this configuration. There is no re"uirement to configure a root bridge or F:A1 load balancing for the new F:A1. B2 pointsC

E

This is a remote span "uestion@ the only comple4ity is based around the "uestion state ment of where you actually need to monitorPtrafficdestined to -(. As such, this means you need to configure the span paramete rs to only send the traffic transmitted out of the switch port toward -(, which is configured by the  parameter. f this optional parameter is not configured, both transmit and recei%e traffic is monitored. -emote span re"uires a F:A1 to propagate the span traffic between switches, which is why you need to configure F:A1 () on both Switches * and (. f you ha%e config# ured this correctly, as shown in 4ample (#N, you ha%e scored 2 points. E%MPL 26 S)2 an. S)2 'em$te Span C$n/i"urati$n an. Veri/icati$n SW2(config)# lan 2 SW2(config-6lan)#

remotes/an

SW2(config-6lan)#

e:it

SW2(config)# monitor session  sour$e inter#a$e #astEt%ernett:5 SW2(config)# monitor session  destination remote lan 2 SW2(config)# do s%o& monitor session  Session 1 --------!"pe ' ;emote Source Session Source Ports ' !M nl" ' +a$,1 Dest ;SP5N V05N ' 2$ SW3(config)# lan 2 SW3(config-6lan)#

e:it

SW3(config)# monitor session  sour$e remote lan 2 57 SW3(config)# monitor session  destination inter#a$e #ast  SW3(config)# do s%o& monitor session Session 1 --------!"pe ' ;emote Destination Source ;SP5N V05N ' 2$ Destination Ports ' +a$,1=

Session

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"'1#

.ncapsulation ' Nati6e ngress ' Disa%le

E

!onfigure the interface on Switch (, which connects to -L F:A1L2 B+ast thernet )5LC in such a way that if all the trunks on Switch ( connecting to Switch *, Switch 2, and Switch 3 should fail, this thernet port transitions into error#disable state. B2 pointsC

The "uestion re"uires link#state tracking to be configured. This feature pro%ides redundancy in the network when used with ser%er 1! adapter teaming. f a link is lost on the primary interface, connecti%ity is transparently switched to the secondary interface. $orts connected to ser%ers are configured as downstream ports, and ports connected to other switches are configured as upstream ports. &f the upstream trunk ports on Switch ( fail, link#state tracking automatically puts the downstream port connected to -L into error#disable state. 4ample (#9 shows the associated configuration and testing by shutting down the trunk ports on Switch (,which connects to Switch *, Switch 2, and Switch 3, which forces +astthernet downstream port into error#disable state. f you ha%e configured this correctly, as shown in 4ample (#9, you ha%e scored 2points. E%MPL 267 S)2 Lin06State Trac0in" C$n/i"urati$n an. Veri/icati$n SW2(config)# lin0 state tra$0 SW2(config)# inter#a$e#ast5SW2(config-if)#

lin0 state grou/ do&nstream 

SW2(config-if)#

59 inter#a$e 6astEt%ernet

SW2(config-if)#

lin0 state grou/  u/stream

SW2(config-if)#

inter#a$e 6astEt%ernet52

SW2(config-if)#

u/stream lin0 state grou/ 

SW2(config-if)#

inter#a$e 6astEt%ernet 523

SW2(config-if)#

lin0 state grou/  u/stream

SW2# s%o& inter#a$e 6astEt%ernet 5- > in$lude $onne$ted +ast.t&ernet$,< is up> line protocol is up (connecte) SW2(config-if)#

int #ast59

SW2(config-if)#

s%ut

SW2(config-if)#

int #ast52

SW2(config-if)#

s%ut

SW2(config-if)#

int #ast523

SW2(config-if)#

s%ut

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"'2#

errdisa'led SW2# s%o& inter#a$e 6astEt%ernet 5- > in$lude +ast.t&ernet$,< is o8n> line protocol is o8n (err-isa%le)

E

!onfigure interfaces +ast thernet )5 and )5*) on Switch * so that e%en if they are configured to belong to the same F:A1 they cannot forward unicast, broadcast, or multicast traffic to one another. =o not use any form of A!: or configure the ports to belong to a $F:A1. B* pointC

>ou are re"uired to configure the interfaces with the command s&it$%/ort /rote$tedto ensure that no traffic is forwarded between these ports. Traffic is forwarded as normal between a protected and nonprotected port. f you ha%e configured this correctly, you ha%e scored * point. E

>our initial +rame#-elay configuration has been supplied for the -*#-(#-2 connecti%ity. !onfigure +rame# -elay as per +igure (#N to ensure each de%ice is reachable o%er the +rame#-elay network. Mse only the indicated =:!s and ensure that a proprietary method of reducing the payload o%er the +rame#-elay network is enabled on a per packet basis. B( pointsC

The initial +rame#-elay configuration has been supplied for you@ all youneed to add is additional maps on -* and -( spokes to enable them tocommunicate with each other by directing traffic to the hub router B-2C as the initial configura# tion uses in%erse A-$. To reduce theconfigured payload, you re"uired enableinpayload#compression packet#by#packet within theno map statements. f you ha%e thisare correctly, astoshown 4ample (#/, you ha%e scored ( points. E%MPL 26@ '1 an. '2 %..iti$na& ;rame6'e&ay C$n/i"urati$n an. Te#tin" ;1(config)# inter#a$e erial55 ;1(config-if)#

#ramerela* ma/ i/ 2..23.2 3 'road$ast /a*load$om/ression /a$0et'*/a$0et

;2(config)# inter#a$e erial5 ;2(config-if)#

/a$0et'*/a$0et #ramerela* ma/ i/ 2..23. 23 'road$ast /a*load$om/ression

;3(config)# inter#a$e erial5 ;3(config-if?< #ramerela* ma/ i/ 2..23. 3 'road$ast /a*load$om/ression /a$0et'*/a$0et ;3(config-if)#

/a$0et'*/a$0et #ramerela* ma/ i/ 2..23.2 32 'road$ast /a*load$om/ression

;1# ping 12$?1$$?123?2 !"pe escape seAuence to a%ort? Sening <> 1$$-%"te /P .c&os to 12$?1$$?123?2> timeout is 2 secons' BBBBB Success rate is 1$$ percent (<,<)> roun-trip min,a6g,max C :,:,: ms * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"'3#

Secti$n 2> -P(4 -=P Pr$t$c$&# ?2@ P$int#A Secti$n 21> -='P E

!onfigure 7-$ per +igure (#9 using an AS of *. ach 7-$ router should ha%e its :oopback ) interface con# figured and ad%ertised within 7-$. B( pointsC

Mse %anilla 7-$ configuration in preparation for the following "uestions, the only comple4ity is spotting the split# horizon issue with -2 o%er the physical frame#relay network. 'y default, -2 will not ad%ertise the routes learned on its Serial interface from -* back out to -( and %ice %ersa because they all share the same interface. 'y disabling split# horizon for 7-$ on -2, the routes are permitted to propagate. f you ha%e configured this correctly, as shown in 4# ample (#, you ha%e scored (points. E%MPL 269 -='P C$n/i"urati$n an. Veri/icati$n ;1(config)# router eigr/ ;1(config-router)#

no autosummar*

;1(config-router)#

net 2......2--

;1(config-router)#

net 2..23....2--

;1(config-router)#

net 2......2--

;2(config)# router eigr/ ;2(config-router)#

no autosummar*

;2(config-router)#

...2-net&or0 2..2.

;2(config-router)#

net&or0 2..23. ...2--

;2(config-router)#

...2-net&or0 2..2.

;3(config-if)#

router eigr/

;3(config-router)#

no autosummar*

;3(config-router)#

...2-net&or0 2..3.

;3(config-router)#

...2-net&or0 2..23.

;3(config-router)#

net&or0 2..34. ...2--

;4(config-router)#

router eigr/

;4(config-router)#

no autosummar*

;4(config-router)#

...2-net&or0 2..4.

;4(config-router)#

net&or0 2..34. ...2--

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"'#

;<(config)# router eigr/ ;<(config-router)#

no autosummar*

;<(config-router)#

...2-net&or0 2..-.

;<(config-router)#

net&or0 2..34. ...2--

;1# s%o& i/ routeeigr/ 12$?$?$?$,: is 6aria%l" su%nette> = su%nets> 1 mas D 12$?1$$?4?$,24 F$,23$$417G 6ia 12$?1$$?123?3> $$'14'<1> Serial$,$,$ D 12$?1$$? $$'$1'32> Serial$,$,$ D 12$?1$$?3?$,24 F$,22=:<7G 6ia 12$?1$$?123?3> $$'42'12> Serial$,$,$ D 12$?1$$?34?$,24 F$,21=2417G 6ia 12$?1$$?123?3> $$'41'<4> Serial$,$,$ ;3# s%o& i/ routeeigr/ 12$?$?$?$,: is 6aria%l" su%nette>  su%nets> 1 mas D 12$?1$$?4?$,24 F$,1<717$G 6ia 12$?1$$?34?4> $$'1'14> iga%it.t&ernet$,$ D 12$?1$$? $$'$<'<<> iga%it.t&ernet$,$ D D D D

12$?1$$?1?$,24 F$,22=:<7G 6ia 12$?1$$?123?1> $$'47'3<> Serial$,$,$ 12$?1$$?2?$,24 F$,22=:<7G 6ia 12$?1$$?123?2> $$'47'3<> Serial$,$,$ 12$?1$$?1$$?$,24 F$,21=2417G 6ia 12$?1$$?123?1> $$'47'3<> Serial$,$,$ 12$?1$$?2$$?$,24 F$,21=2417G 6ia 12$?1$$?123?2> $$'47'3<> Serial$,$,$

;2# s%o& i/ routeeigr/ 12$?$?$?$,: is 6aria%l" su%nette> : su%nets> 1 mas D 12$?1$$?4?$,24 F$,23$$417G 6ia 12$?1$$?123?3> $$'1'<<> Serial$,$ D 12$?1$$? $$'$7'37> Serial$,$ D 12$?1$$?3?$,24 F$,22=:<7G 6ia 12$?1$$?123?3> $$'4='17> Serial$,$ D 12$?1$$?34?$,24 F$,21=2417G 6ia 12$?1$$?123?3> $$'47'<:> Serial$,$ ;3(config)# inter#a$e erial55 ;3(config-if)#

 no i/ s/lit%ori1on eigr/

;1# s%o& i/ routeeigr/ 12$?$?$?$,: is 6aria%l" su%nette> 1$ su%nets> 1 mas D 12$?1$$?4?$,24 F$,23$$417G 6ia 12$?1$$?123?3> $$'14'<1> Serial$,$,$ D 12$?1$$? $$'$1'32> Serial$,$,$ D 12$?1$$?2?$,24 F$,2:$:<7G 6ia 12$?1$$?123?3> $$'3:'32> Serial$,$,$

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

D D D ;1#

!"+0#

12$?1$$?3?$,24 F$,22=:<7G 6ia 12$?1$$?123?3> $$'42'12> Serial$,$,$ 12$?1$$?34?$,24 F$,21=2417G 6ia 12$?1$$?123?3> $$'41'<4> Serial$,$,$ 12$?1$$?2$$?$,24 F$,27:4417G 6ia 12$?1$$?123?3> $$'3:'32> Serial$,$,$

;2# s%o& i/ routeeigr/ 12$?$?$?$,: is 6aria%l" su%nette> 1$ su%nets> 1 mas D 12$?1$$?4?$,24 F$,23$$417G 6ia 12$?1$$?123?3> $$'24'43> Serial$,$ D 12$?1$$? $$'11'24> Serial$,$ D 12$?1$$?1?$,24 F$,2:$:<7G 6ia 12$?1$$?123?3> $$'4:'24> Serial$,$ D 12$?1$$?3?$,24 F$,22=:<7G 6ia 12$?1$$?123?3> $$'<2'$4> Serial$,$ D 12$?1$$?34?$,24 F$,21=2417G 6ia 12$?1$$?123?3> $$'<1'47> Serial$,$ 12$?1$$?1$$?$,24 F$,27:4417G 6ia 12$?1$$?123?3> $$'4:'24> Serial$,$ D

E

!onfigure -* to ad%ertise a summary route of *().*)).).)5*N outbound on its serial interface. -2 should see the srcinal F:A1*)) and :oopback ) indi%idual routes i n addition to the summary route. >ou can only use one summary route in your configuration. B2 pointsC

Summarization will by default block all longer prefi4es co%ered by the supernet configured on an interface@ as such, the F:A1 *)) and :oopback ) route from -* would not be seen by -2. Allowing specific routes to be ad%ertised with summary routes can be a%alid re"uirement. 8ne method used to achie%e this is by configuring multiple summary routes, but the "uestion does not permit this approach. To facilitate the specific routes with the summary, a leak#map should be configured to match the F:A1 *)) and :oopback ) interfaces on -*. The leak#map, which is configured per a normal route#map, is then applied to the standard summaryroute statement on -*. f you ha%e configured this correctly, as shown in 4ample (#*), you ha%e scored 2points. E%MPL 261+ '1 Lea0 Map C$n/i"urati$n an. Veri/icati$n  ;1(config)# routema/ )E()(N)P /ermit

;1(config-route-map)#

mat$% i/ address

;1(config-route-map)#

e:it

;1(config)# a$$esslist  /ermit2... ;1(config)# a$$esslist  /ermit2... ;1(config)# inter#a$e erial55 ;1(config-if)#

i/ summar*address eigr/  2... 2--.2--.. lea0ma/ )E()(N)P

;3# s%o& i/ routeeigr/ 12$?$?$?$,: is 6aria%l" su%nette> 1$ su%nets> 2 mass 12$?1$$?4?$,24 D * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

D D D D D D

E

!"+"#

F$,1<717$G 6ia 12$?1$$?34?4> $$'1'14> iga%it.t&ernet$,$ 12$?1$$? $$'$<'<<> iga%it.t&ernet$,$ 12$?1$$?$?$,17 F$,21=2417G 6ia 12$?1$$?123?1> $$'34'3> Serial$,$,$ 12$?1$$?1?$,24 F$,22=:<7G 6ia 12$?1$$?123?1> $$'47'3<> Serial$,$,$ 12$?1$$?2?$,24 F$,22=:<7G 6ia 12$?1$$?123?2> $$'47'3<> Serial$,$,$ 12$?1$$?1$$?$,24 F$,21=2417G 6ia 12$?1$$?123?1> $$'47'3<> Serial$,$,$ 12$?1$$?2$$?$,24 F$,21=2417G 6ia 12$?1$$?123?2> $$'47'3<> Serial$,$,$

nsure the length of time that 7-$ considers neighbors to be %alid without recei%ing a hello packet on the +rame#-elay network between -*, -(, and -2 is ()) seconds@ do not change the hello#inter%al parameter. B( pointsC

7-$ considers neighbors to be %alid up to three times the hello inter%al, the +rame#-elay network is considered a slow speed link, and hello packets will be sent e%ery N) seconds. Msually you could tune the hold time by manipulating the hello inter%als onan interface, but this "uestion ensures you can achie%e the desired result only by manually chang# ing the hold#time to ()) underthe +rame#-elay interface of -outers -*, -(, and -2. 4ample (#** shows the re"uired configuration and %erification of hold time by displaying the neighbors< statistics as seen by -2. f you ha%e configured this correctly, as shown in 4ample (#**, you ha%e scored ( points. E%MPL 2611 -='P $&. Timer C$n/i"urati$n an. Veri/icati$n ;1(config)# inter#a$e erial55 ;1(config-if)# ;1(config-if)

i/ %oldtime eigr/ 2 

.nter configuration commans> one per line?

.n 8it& /N!0,@?

;2(config)# inter#a$e erial5 ;2(config-if)# ;2(config-if)

i/ %oldtime eigr/ 2 

;3(config)# inter#a$e erial55 ;3(config-if)#

i/ %oldtime eigr/ 2 

;3(config-if)# do s% i/ eigr/neig%'ors P-.;P neig&%ors for process 1 9 5ress nterface 3 2

12$?1$$?123?1 12$?1$$?123?2

Se$,$,$ Se$,$,$

9ol *ptime S;!! (sec) (ms) 1: $$'$$'<= 3 1 $$'$1'$$ 3

;! Z /nt 2$$ $ 2$$ $

SeA Num 2< 1:

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

1 $

E

12$?1$$?34?< 12$?1$$?34?4

i$,$ i$,$

12 12

$$'23'32 $$'23'3<

!"+'# 1 3<

2$$ 21$

$ 21 $ 22

!onfigure new :oopback interfaces on -* and -( using a:oopback interface ( with an identical $ address of *L).*)*.*.*5(3 on both routers@ ad%ertise this network into 7-$ on each router. nsure that -2 prefers the route from -( by manipulating the delay associated with this route. =o not manually adust the delay associated with the interface by use of the dela* command, and you are permitted to configure only -( to influence the delay. B2 pointsC

-2 will recei%e identical routes from both -* and -( for network *L).*)*.*.)5(3@ as such, both routes will be stored in the topology and routing table. -( could influence the metric calculated by -2 by manipulating the delay of the new :oopback interface or of the serial +rame#-elay interface connecting directly to -2, but this is not permitted. As con# figuration is re"uired solely on -(, theonly method a%ailable is to create an offset#list, which enables you to match spe# cific routes and append further delay to them as they are ad%ertised on -( toward -2. f the offset#list is not applied to the +rame#-elay interface, it would affect the whole process andnot ust ad%ertisements toward -2. 4ample (#*( shows the configuration re"uired to ad%ertise the new routes and theroutes as theyare recei%ed on -2. nitial delay is shown to be (L,)))\S. $ost configuration of the offset#list on -(, the delay is seen to increase to (L,))2\S for the route recei%ed from -(@ as such the route installed into the routing table of -2 is then the srcinal ad%ertised from -* with the more appealing %alue of (L,)))\S. f you ha%e configured this correctly, as shown in 4ample (#*(, you ha%e scored 2 points. E%MPL 2612 -='P C$n/i"urati$n an. Veri/icati$n ;1(config)# inter#a$e)ooo'a$02 ;1(config-if)#

2--.2--.2--. i/ address -...

;1(config-if)#

router eigr/

;1(config-router)#

net -......2--

;2(config)# inter#a$e)oo/'a$02 ;2(config-if)#

i/ address -... 2--.2--.2--.

;2(config-if)#

router eigr/

;2(config-router)#

net -......2--

;3# s%o& i/ route-... ;outing entr" for 1<$?1$1?1?$,24 Jno8n 6ia Leigrp 1L> istance $> metric 22=:<7> t"peinternal ;eistri%uting 6ia eigrp 1

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

0ast upate from 12$?1$$?123?2 on Serial$,$,$> $$'$2'<1 ;outing Descriptor locs' 12$?1$$?123?2> from 12$?1$$?123?2> $$'$2'<1 ago> 6ia ;oute metric is 22=:<7> traffic s&are count is1 !otal ela" is 2<$$$ microsecons> minimum %an8it& ;elia%ilit" 2<<,2<<> minimum !* 1<$$ %"tes 0oaing 1,2<<> 9ops 1 I 12$?1$$?123?1> from 12$?1$$?123?1> $$'$2'<1 ago> 6ia ;oute metric is 22=:<7> traffic s&are count is1 !otal ela" is 2<$$$ microsecons> minimum %an8it& ;elia%ilit" 2<<,2<<> minimum !* 1<$$ %"tes 0oaing 1,2<<> 9ops 1

!"++#

ago Serial$,$,$ is 1<44 J%it

Serial$,$,$ is 1<44 J%it

2--.2--.2--. ;3# s%o& i/ eigr/ to/olog* -... P-.;P (5S 1)' !opolog" entr" for 1<$?1$1?1?$,24 State is Passi6e> Zuer" srcin flag is 1> 2 Successor(s)> +D is 22=:<7 ;outing Descriptor locs' 12$?1$$?123?2 (Serial$,$,$)> from 12$?1$$?123?2> Sen flag is $x$ /omposite metric is (22=:<7,12:2<7)> ;oute is nternal

Vector metric' inimum %an8it& is 1<44 J%it !otal ela" is 2<$$$ microsecons ;elia%ilit" is 2<<,2<< 0oa is 1,2<< inimum !* is 1<$$ 9op count is 1 12$?1$$?123?1 (Serial$,$,$)> from 12$?1$$?123?1> Sen flag is /omposite metric is (22=:<7,12:2<7)> ;oute is nternal Vector metric' inimum %an8it& is 1<44 J%it !otal ela" is 2<$$$ microsecons ;elia%ilit" is 2<<,2<< 0oa is 1,2<< inimum !* is 1<$$ 9op count is 1

$x$

;2(config-router)# do s%o& inter#a$eerial5 Serial$,$ is up> line protocol is up 9ar8are is !7J Serial nternet aress is 12$?1$$?123?2,24 * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"+4#

!* 1<$$ %"tes> W 1<44 J%it> D0O 2$$$$ usec> relia%ilit" 2<<,2<<> txloa 1,2<<> rxloa 1,2<< ;2(config)# a$$esslist  /ermit-... ;2(config)# router eigr/ ;2(config-router)#

erial5 o##setlist  out 

;3# s%o& i/ route-... ;outing entr" for 1<$?1$1?1?$,24 Jno8n 6ia Leigrp 1L> istance $> metric 22=:<7> t"peinternal ;eistri%uting 6ia eigrp 1 0ast upate from 12$?1$$?123?1 on Serial$,$,$> $$'$$'1: ago ;outing Descriptor locs' I 12$?1$$?123?1> from 12$?1$$?123?1> $$'$$'1: ago> 6ia Serial$,$,$ ;oute metric is 22=:<7> traffic s&are count is1 !otal ela" is 2<$$$ microsecons> minimum %an8it& is 1<44 J%it ;elia%ilit" 2<<,2<<> minimum !* 1<$$ %"tes 0oaing 1,2<<> 9ops 1 ;3# s%o& i/ eigr/ to/olog* -... 2--.2--.2--. P-.;P (5S 1)' !opolog" entr" for 1<$?1$1?1?$,24 State is Passi6e> Zuer" srcin flag is 1> 1 Successor(s)> +D is 22=:<7 ;outing Descriptor locs' 12$?1$$?123?1 (Serial$,$,$)> from 12$?1$$?123?1> Sen flag is $x$ /omposite metric is (22=:<7,12:2<7)> ;oute is nternal Vector metric' inimum %an8it& is 1<44 J%it !otal ela" is 2<$$$ microsecons ;elia%ilit" is 2<<,2<< 0oa is 1,2<< inimum !* is 1<$$ 9op count is 1 12$?1$$?123?2 (Serial$,$,$)> from 12$?1$$?123?2> Sen flag is $x$ /omposite metric is (22=<7,12:3<7)> ;oute is nternal Vector metric' inimum %an8it& is 1<44 J%it !otal ela" is 2<$$3 microsecons ;elia%ilit" is 2<<,2<< 0oa is 1,2<<

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"+#

inimum !* is 1<$$ 9op count is 1

Secti$n 22> SP; E

!onfigure 8S$+ per +igure (#/ using a process = of *@ all 8S$+ configuration where possible should not be configured under the process =. ach 8S$+ router should also ha%e its :oopback ) interface configured and ad# %ertised within 8S$+ as followsD B( pointsC -3 :oopback )  Area ) -L :oopback )  Area ) -N :oopback )  Area * Sw* :oopback )  Area ( Sw( :oopback )  Area * Sw2 :oopback )  Area ( Sw3 :oopback )  Area

As per :ab *, the "uestion directs you to configure 8S$+ directly under the interfaces of the routers@ the switches still re"uire configuration under the 8S$+ process running this %ersion of 8S. =id you notice that Area ) is partitioned? f you s%o& i/ os/# ha%e configured this correctly, as shown in 4ample (#*2, you ha%e scored ( points. !onsider using the inter#a$ecommand to %erify your configuration. E%MPL 2613 -nitia& SP;C$n/i"urati$n ;4(config)# inter#a$e)oo/'a$0 ;4(config-if)#

i/ os/#  area 

;4(config-if)#

e:it

;4(config)# inter#a$e Giga'itEt%ernet 5 ;4(config-if)#

i/ os/#  area 

;<(config)# inter#a$e)oo/'a$0 ;<(config-if)#

i/ os/#  area 

;<(config-if)#

e:it

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"+1#

5 ;<(config)# inter#a$e Giga'itEt%ernet

;<(config-if)#

i/ os/#  area2

;7(config)# inter#a$e )oo/'a$0 ;7(config-if)#

i/ os/#  area

;7(config-if)#

5 inter#a$e Giga'itEt%ernet

;7(config-if)#

i/ os/#  area

;7(config-if)#

5 inter#a$e Giga'itEt%ernet

;7(config-if)#

i/ os/#  area3

SW1(config)# i/ routing SW1(config)# router os/# SW1(config-router)#

net&or0 2..7. ... area 2

SW1(config-router)#

2 net&or0 2..-3. ... area

SW2(config)# i/ routing SW2(config-if)#

router os/#

SW2(config-router)#

net 2..8. ... area 

SW2(config-router)#

net 2..4.2 ... area 

SW3(config)# i/ routing SW3(config)# router os/# SW3(config-router)#

net&or0 2..-3.3 ... area 2

SW3(config-router)#

3 net&or0 2..3.3 ... area

SW3(config-router)#

2 net&or0 2..9. ... area

SW4(config)# i/ routing SW4(config)# router os/# SW4(config-router)#

3 net&or0 2... ... area

SW4(config-router)#

net&or0 2..3.4 ... area 3

f you are using a 2LL) as one of your switches, you will e4perience neighbor relationship problems running 8S$+ to your routers or 2LN)s. This is because the default TM %alue is *L)3 on the 2LL) F:A1 interface and *L)) on the routers and 2LN)s. 4ample (#*3 shows the adacency issues with Switch * B2LL) in this scenarioC on -L@by debugging 8S$+ adacency it can be seen that Switch * has a larger default TM, which will ensure the neighbor adacency is only e%er partial. The e4ample also shows the Switch 2 B2LN)C default TM %alue on the same F:A1 L2 and the TM modification re"uired on Switch *. 1o e4tra points if you needed to configure this workaround. f you didn6t spot this, * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"+2#

you would lose points inthis section because of not ha%ing full neighbor adacencie s on Switch *. This type of issue shows ust how important it isto constantly %alidate your configurations rather than simply e4pecting e%erything to work. E%MPL 2614 '56S)1 SP; Nei"hb$r-##ue# ;<# s%o& i/ os/#neig%'or Neig&%or D 12$?1$$?=?1 t$,1 12$?1$$??1 t$,1

Pri 1 1

State Dea !ime .MS!5;!,D;!9.; $$'$$'3<

5ress 12$?1$$?<3?1

nterface iga%it.t&erne

+*00,D;

12$?1$$?<3?3

iga%it.t&erne

$$'$$'3:

;<# de'ug i/ os/#ada$en$* Ia" : 2$'3:'41?$<' SP+' N%r 12$?1$$?=?1 &as larger interface !* ;<# ;<# s%o& inter#a$eGiga'itEt%ernet5 > 'eginMF !* 1<$$ %"tes> W 1$$$$$ J%it> D0O 1$$ usec> SW1# s%o& inter#a$e lan -3 > 'egMF in !* 1<$4 %"tes> W 1$$$$$$ J%it> D0O 1$ usec MF SW3# s%o& inter#a$e lan -3 > 'eg !* 1<$$ %"tes> W 1$$$$$$ J%it> D0O 1$ usec>

SW1(config-if)#

int lan -3

SW1(config-if)#

i/ mtu -

;<# s%o& i/ os/#neig%'or Neig&%or D 12$?1$$?=?1 12$?1$$??1

E

Pri 1 1

State +*00,D;!9.; +*00,D;

Dea !ime $$'$$'34 $$'$$'3=

5ress 12$?1$$?<3?1 12$?1$$?<3?3

nterface iga%it.t&ernet$,1 iga%it.t&ernet$,1

Area ) is partitioned between -3 and -LPensure your network can accommodate this issue. >ou are not permit# ted to form any Area ) neighbor relationship directly between -3 and -L to oin Area ). B3 pointsC

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"+3#

A fundamental rule of 8S$+ is not to design your network with a partitioned backbone Area ) or partition if of a failure condition occurs. A %irtual#link between -3 and -L would not work here because you would need to transit multiple 8S$+ areas. A tunnel between the two routers is alsonot permitted because this would form a direct neighbor rel ation# ship. >ou are re"uired to configure a %irtual#link between -L and Switch 2 to propagate Area 2 routes and similarly be# tween -3 and -N. 'y then creating anadditional %irtual#link between -N and Switch 2, the two effecti%e hal%es of the network ha%e been oined at an Area ) le%el. -emember to configure all %irtual#links to the router = of the remote router as opposed to the physical $ address on the corresponding interface. 4ample (#*L shows the re"uired configura# tion to create %irtual#links between -L#S02, -3#-N, and -N#S02. The resulting routing table %erification on Switch 3 shows all networks arebeing learned correctly post configuration. f you ha%e configured this correctly, as shown in 4# ample (#*L, you ha%e scored 3 points. E%MPL 2615 SP; Virtua&6Lin0 C$n/i"urati$n an. '$utin" Tab&e Veri/icati$n ;<(config)# router os/# ;<(config-router)#

area 2 irtuallin02..9.

SW3(config-router)#

router os/#

SW3(config-router)#

area 2 irtuallin02..-.

;4(config)# router os/# ;4(config-router)# ;7(config-if)#

area  irtuallin02...

router os/#

;7(config-router)#

area  irtuallin02..4.

;7(config-router)#

area 3 irtuallin02..9.

SW3(config-if)#

router os/#

SW3(config-router)#

area 3 irtuallin02...

SW4# s% i/ routeos/# 12$?$?$?$,: is 6aria%l" su%nette> 1$ su%nets> 2 mass  5 12$?1$$??1,32 F11$,2G 6ia 12$?1$$?73?3> $$'$$'<4> Vlan73  5 12$?1$$?:?1,32 F11$,3G 6ia 12$?1$$?73?7> $$'$$'<4> Vlan73  5 12$?1$$? $$'$$'<4> Vlan73  5 12$?1$$?4?1,32 F11$,3G 6ia 12$?1$$?73?7> $$'$$'<4> Vlan73  5 12$?1$$?=?1,32 F11$,3G 6ia 12$?1$$?73?3> $$'$$'<4> Vlan73 5 12$?1$$?7?1,32 F11$,2G 6ia 12$?1$$?73?7> $$'$$'<4> Vlan73 

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa "em$re 259 .etai&# /$r

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

 5  5

!"+#

12$?1$$?<3?$,24 F11$,2G 6ia 12$?1$$?73?3> $$'$$'<4> Vlan73 12$?1$$?47?$,24 F11$,2G 6ia 12$?1$$?73?7> $$'$$'<<> Vlan73

Secti$n 22> '-P(2 E

!onfigure -$%( between -( and -2, configure a new :oopback interface on -( B:oopback 2C with an $ ad# dress of *L).*)*.(.*5(3, and ad%ertise this and only this network to -2 from -(. B( pointsC

Although -$%( is capable of F:S,it is ne%ertheless based on a classful protocol that will by default ad%ertise all the connected interfaces of both -( and -2 when the classful network command is used to acti%ate the routing process. To restrict ad%ertisement to solely the new :oopback interface from -(, a basic distribute#list is re"uired. This should be applied either on the entire process or ust on the +rame#-elay interface connecting to -2. t should permit only the new :oopback subnet of *L).*)*.(.)5(3. f you6re low on time, you may check the routing table of -2 to find that the only -$%( route recei%ed is that of the new :oopback 2 interface on -(. This is because the F:A1 ()) and :oopback ) in# terfaces of -( already being learned %ia 7-$, which of course has a lower admin distance and will therefore not be listed as -$%( routes within the routing table. 4ample (#*N shows the basic -&$%( configuration on -( and -2 with debug of -$%( updates on -( to illustrate which routes are being ad%ertised to -2. The re"uired distribute#list configu# ration is also shown. f you ha%e configured this correctly, as shown in 4ample (#*N, you ha%e scored( points. E%MPL 261 '2 an. '3 '-P(2 C$n/i"urati$n an. Veri/icati$n ;2(config)# inter#a$e)oo/'a$03 ;2(config-if)#

i/ add -..2.2--.2--.2--.

;2(config-if)#

router ri/

;2(config-router)#

ersion 2

;2(config-router)#

no autosummar*

;2(config-router)#

net&or0 -...

;2(config-router)#

net&or02...

;3(config)# router ri/ ;3(config-router)#

ersion 2

;3(config-router)#

no autosummar*

;3(config-router)#

net&or02...

;3(config-router)# do s%o& i/ routeri/ 1<$?1$1?$?$,24 is su%nette> 2 su%nets ; 1<$?1$1?2?$ F12$,1G 6ia 12$?1$$?123?2> $$'$$'$<>

Serial$,$,$

;2# s% i/ routeri/ * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"40#

;2# de'ug i/ri/ Ia" : $<'$$'22?14=' ;P' sening 62 upate to 224?$?$? 6ia Serial$,$ (12$?1$$ ?123?2) : $<'$$'22?14=' ;P' %uil upate entries Ia" Ia" : $<'$$'22?14=' 12$?1$$?2?$,24 6ia $?$?$?$> metric 1> tag $ Ia" : $<'$$'22?14=' 12$?1$$?123?$,24 6ia $?$?$?$> metric 1> tag $ Ia" : $<'$$'22?14=' 12$?1$$?2$$?$,24 6ia $?$?$?$> metric 1> tag $ Ia" : $<'$$'22?14=' 1<$?1$1?1?$,24 6ia $?$?$?$> metric 1> tag $ Ia" : $<'$$'22?14=' 1<$?1$1?2?$,24 6ia $?$?$?$> metric 1> tag $ ;2(config)# router ri/ ;2(config-router)#

erial5 distri'utelist 2 out

;2(config-router)#

e:it

;2(config)# a$$esslist 2 /ermit-..2. ;2(config)# e:it Ia" : $<'$2'4$?2=1' ;P' sening 62 upate to 224?$?$? 6ia Serial$,$ (12$?1$$ ?123?2) Ia" : $<'$2'4$?2=1' ;P' %uil upate entries Ia" ;2#

: $<'$2'4$?2=1'

1<$?1$1?2?$,24 6ia $?$?$?$> metric 1> tag $

;3# s%o& i/ routeri/ 1<$?1$1?$?$,24 is su%nette> 2 su%nets 1<$?1$1?2?$ F12$,1G 6ia 12$?1$$?123?2> $$'$$'$2> ;

E

Serial$,$,$

-2 should not ad%ertise any connected interfaces into -$%(. =o not filter routing ad%ertisements to achie%e this beha%ior. B( pointsC

'ecause you are not permitted to filter routes as per the pre%ious "uestion, you simply configure the +rame#-elay inter# faces to be passi%e on -2. This allows routing updates to be recei%ed inbound but stops routing ad%ertisements out# bound. 4ample (#*9 shows the -$%( routes ad%ertised srcinally from -2 being recei%ed by -( with the re"uired configuration for -2@ if you ha%e configured this correctly, you ha%e scored ( points. E%MPL 2617 '3 '-P(2 C$n/i"urati$n an. Veri/icati$n ;2# de'ug i/ ri/ Ia" : $<'$<'1$?$31' ;P' recei6e 62 upate from 12$?1$$?123?3 on Serial$,$ Ia" : $<'$<'1$?$31' 12$?1$$?3?$,24 6ia $?$?$?$ in 1 &ops : $<'$<'1$?$31' 12$?1$$?34?$,24 6ia $?$?$?$ in 1 &ops Ia" * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa "em$re 259 .etai&# /$r

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

Ia"

: $<'$<'1$?$31'

12$?1$$?123?$,24 6ia $?$?$?$ in 1

!"4"# &ops

;3(config)# router ri/ ;3(config-router)#

/assieinter#a$eerial55

Secti$n 23> 'e.i#tributi$n E

$erform a one#way redistribution of -$%( into 7-$ on -2 using the following default metricD *L33()))) (LL * *L)). nsure that -* shows a ne4t hop for the -$%( ad%ertised route of*L).*)*.(.)5(3 of -(. $erform configuration only on -2 for this task. B2 pointsC

A simple redistribution "uestion, on inspection you6d belie%e the only comple4ity would be that ofmodifying the ne4t hop attribute for -*, which would by default show as -2 for the -$%( route ad%ertised by -(. n fact, you would find that the -$%( route would not be seen on -* post redistribution from -2. This is due toan inherent safety mechanism within 7-$ that willcause redistribution issues with routers that ha%e duplicate 7-$ router =s. $re#lab configura# tion ensured that both -* and -( ha%e the same :oopback (LL $ address, which will force the router = to be identical. 4ample (#*/ shows the redistributionconfiguration on -2. The -$%( route of*L).*)*.(.)5(3 is recei%ed on -2 but is absent on -*. nspection of the 7-$ topology table for theroute on -2 shows that it is being ad%ertised into 7-$ and that the router = of -2 is ()).()).()).())@ similarly, the router = of -* is also ()).()).()).()). 'y changing the router = of -2 to that of its :oopback ) interface B*().*)).2.*C, the route is then accepted by -*, but of course a ne4t hop is shown as -2, e%en though -( resides on the same $ subnet as -* and -( and is the srcinating router. The 7-$ third#party ne4t#hop feature can be used to modify the ne4t#hop attribute with a router redistributing another routing protocol into 7-$ in a similar manner to that of '7$. f you ha%e configured this correctly, as shown in 4# ample(# */, you ha%e scored 2 points. E%MPL 261@ '3 '-P(2 'e.i#tributi$n C$n/i"urati$n an. Veri/icati$n ;3(config)# router eigr/ ;3(config-router)#

redistri'uteri/

;3(config-router)#

de#aultmetri$ -44 2 2--- 

;3# s%o& i/ routeri/ 1<$?1$1?$?$,24 is su%nette> 2 su%nets ; 1<$?1$1?2?$ F12$,1G 6ia 12$?1$$?123?2> $$'$$'$<>

Serial$,$,$

;1# s%o& i/ route-..2. H Su%net not in ta%le

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

;3# s%o& i/ eigr/ to/olog* -..2. 2--.2--.2--. P-.;P (5S 1)' !opolog" entr" for 1<$?1$1?2?$,24 State is Passi6e> Zuer" srcin flag is 1> 1 Successor(s)> +D is ;outing Descriptor locs' 12$?1$$?123?2> from ;eistri%ute> Sen flag is $x$ /omposite metric is (7===:<7,$)> ;oute is .xternal Vector metric' inimum %an8it& is 1<44 J%it !otal ela" is 2$$$$$ microsecons ;elia%ilit" is 2<<,2<< 0oa is 1,2<< inimum !* is 1<$$ 9op count is $ .xternal ata' riginating router is 2$$?2$$?2$$?2$$ (t&is s"stem) 5S num%er of route is $ .xternal protocol is ;P> external metric is 1 5ministrator tag is $ ($x$$$$$$$$)

!"4'#

7===:<7

;3# s%o& i/ eigr/ to/olog* > in$lude ID P-.;P !opolog" !a%le for 5S(1),D(2$$?2$$?2$$?2$$) ;3# ;1# s%o& i/ eigr/ to/olog* > in$lude ID ;1# P-.;P !opolog" !a%le for 5S(1),D(2$$?2$$?2$$?2$$) ;3(config)# router eigr/ ;3(config-router)#

eigr/ routerid2..3.

ID ;3# s%o& i/ eigr/ to/olog* > in$lude P-.;P !opolog" !a%le for 5S(1),D(12$?1$$?3?1)

;3# s%o& i/ eigr/ to/olog* -..2. 2--.2--.2--. P-.;P (5S 1)' !opolog" entr" for 1<$?1$1?2?$,24 State is Passi6e> Zuer" srcin flag is 1> 1 Successor(s)> +D is ;outing Descriptor locs' 12$?1$$?123?2> from ;eistri%ute> Sen flag is $x$ /omposite metric is (7===:<7,$)> ;oute is .xternal

7===:<7

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"4+#

Vector metric' inimum %an8it& is 1<44 J%it !otal ela" is 2$$$$$ microsecons ;elia%ilit" is 2<<,2<< 0oa is 1,2<< inimum !* is 1<$$ 9op count is $ .xternal ata' riginating router is 12$?1$$?3?1 (t&is s"stem) 5S num%er of route is $ .xternal protocol is ;P> external metric is 1 5ministrator tag is $ ($x$$$$$$$$) ;1# s%o& i/ route-..2. ;outing entr" for 1<$?1$1?2?$,24 Jno8n 6ia Leigrp 1L> istance 1=$> metric =2::<7> t"peexternal ;eistri%uting 6ia eigrp 1 0ast upate from 12$?1$$?123?3 on Serial$,$,$> $$'$3'$7 ago ;outing Descriptor locs' I 12$?1$$?123?3> from 12$?1$$?123?3> $$'$3'$7 ago> 6ia Serial$,$,$ ;oute metric is =2::<7> traffic s&are count is1 !otal ela" is 22$$$$ microsecons> minimum %an8it& is 1<44 J%it ;elia%ilit" 2<<,2<<> minimum !* 1<$$ %"tes 0oaing 1,2<<> 9ops 1 ;3(config-if)#

inter#a$eerial55

;3(config-if)#

 no i/ ne:t%o/sel# eigr/

;1# s%o& i/ route-..2. ;outing entr" for 1<$?1$1?2?$,24 Jno8n 6ia Leigrp 1L> istance 1=$> metric =2::<7> t"peexternal ;eistri%uting 6ia eigrp 1 0ast upate from 12$?1$$?123?2 onSerial$,$,$> $$'$$'24 ago ;outing Descriptor locs' I 12$?1$$?123?2> from 12$?1$$?123?3> $$'$$'24 ago> 6ia Serial$,$,$ ;oute metric is =2::<7> traffic s&are count is1 !otal ela" is 22$$$$ microsecons> minimum %an8it& is 1<44 J%it ;elia%ilit" 2<<,2<<> minimum !* 1<$$ %"tes 0oaing 1,2<<> 9ops 1 * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa "em$re 259 .etai&# /$r

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

E

!"44#

$erform mutual redistribution of 7-$ and 8S$+ on -3 and -L. Mse a metric of L))) for redistributed routes into 8S$+, which should appear as e4ternal Type ( routes and the following R %alues for 8S$+ rotes redistrib# uted into 7-$D *L33 ()))) (LL * *L)). B( pointsC

This is an unambiguous redistribution "uestion that sets thescene for the "uestion that follows. 4ample (#* shows the re"uired configuration on -3 and -L with %erification of e4ternal 7-$ recei%ed routes on -2. 'ecause the metrics are identical on -3 and -L, there are multiple routes with load sharing potential. f you ha%e configured this correctly, you ha%e scored ( points. E%MPL 2619 '4 an. '5 'e.i#tributi$n C$n/i"urati$n an. Veri/icati$n'3 $n ;4(config-router)#

router os/#

;4(config-router)#

redistri'ute eigr/ su'nets 

;4(config-router)#

de#aultmetri$-

;4(config-router)#

router eigr/

;4(config-router)#

redistri'ute os/#

;4(config-router)#

de#aultmetri$ -44 2 2--- 

;<(config-router)#

router os/#

;<(config-router)#

redistri'ute eigr/ su'nets 

;<(config-router)#

de#aultmetri$-

;<(config-router)#

router eigr/

;<(config-router)#

redistri'ute os/#

;<(config-router)#

de#aultmetri$ -44 2 2--- 

;3# s%o& i/ routeeigr/ 1<$?1$1?$?$,24 is su%nette> 2 su%nets D 1<$?1$1?1?$ F$,22=:<7G 6ia 12$?1$$?123?1> $$'$<'$<> Serial$,$,$ 12$?$?$?$,: is 6aria%l" su%nette> 2$ su%nets> 3 mass D .M 12$?1$$??1,32 F1=$,7=:$417G 6ia 12$?1$$?34?<> $$'$$'22> iga%it.t&ernet$,$ F1=$,7=:$417G 6ia 12$?1$$?34?4> $$'$$'22> iga%it.t&ernet$,$ D .M 12$?1$$?:?1,32 F1=$,7=:$417G 6ia 12$?1$$?34?<> $$'$$'22> iga%it.t&ernet$,$ F1=$,7=:$417G 6ia 12$?1$$?34?4> $$'$$'22> iga%it.t&ernet$,$ D .M 12$?1$$?1$?1,32 F1=$,7=:$417G 6ia 12$?1$$?34?<> $$'$$'22> iga%it.t&ernet$,$ F1=$,7=:$417G 6ia 12$?1$$?34?4> $$'$$'22> iga%it.t&ernet$,$ * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

D .M D D D .M D .M

D .M

D D D D .M

D .M

D .M

D D

E

!"4#

12$?1$$? $$'$1'<1> iga%it.t&ernet$,$ 12$?1$$?4?$,24 F$,1<717$G 6ia 12$?1$$?34?4> $$'$='1=> iga%it.t&ernet$,$ 12$?1$$? $$'$='1=> iga%it.t&ernet$,$ 12$?1$$?4?1,32 F1=$,7=:$417G 6ia 12$?1$$?34?<> $$'$$'23> iga%it.t&ernet$,$ 12$?1$$?=?1,32 F1=$,7=:$417G 6ia 12$?1$$?34?<> $$'$$'23> iga%it.t&ernet$,$ F1=$,7=:$417G 6ia 12$?1$$?34?4> $$'$$'23> iga%it.t&ernet$,$ 12$?1$$?7?1,32 F1=$,7=:$417G 6ia 12$?1$$?34?<> $$'$$'24> iga%it.t&ernet$,$ F1=$,7=:$417G 6ia 12$?1$$?34?4> $$'$$'24> iga%it.t&ernet$,$ 12$?1$$?$?$,17 F$,21=2417G 6ia 12$?1$$?123?1> $$'$<'$=> Serial$,$,$ 12$?1$$?1?$,24 F$,22=:<7G 6ia 12$?1$$?123?1> $$'$<'$=> Serial$,$,$ 12$?1$$?2?$,24 F$,22=:<7G 6ia 12$?1$$?123?2> $$'$<'$=> Serial$,$,$ 12$?1$$?73?$,24 F1=$,7=:$417G 6ia 12$?1$$?34?<> $$'$$'24> iga%it.t&ernet$,$ F1=$,7=:$417G 12$?1$$?<3?$,24 F1=$,7=:$417G F1=$,7=:$417G 12$?1$$?47?$,24 F1=$,7=:$417G F1=$,7=:$417G 12$?1$$?1$$?$,24 12$?1$$?2$$?$,24

6ia 12$?1$$?34?4> $$'$$'24> iga%it.t&ernet$,$ 6ia 12$?1$$?34?<> $$'$$'24> iga%it.t&ernet$,$ 6ia 12$?1$$?34?4> $$'$$'24> iga%it.t&ernet$,$ 6ia 12$?1$$?34?<> $$'$$'24> iga%it.t&ernet$,$ 6ia 12$?1$$?34?4> $$'$$'24> iga%it.t&ernet$,$ F$,21=2417G 6ia 12$?1$$?123?1> $$'$<'$=> Serial$,$,$ F$,21=2417G 6ia 12$?1$$?123?2> $$'$<'$:> Serial$,$,$

-2 will ha%e e"ual cost e4ternal 7-$ routes to the redistributed 8S$+ subnet *().*)).N2.)5(3 BF:A1 N2C. !onfigure only -2 to ensure that -2 routes %ia a ne4t hop of -L B*().*)).23.LC for this destination subnet. f this route fails, the route ad%ertised from -3 B*().*)).23.3C should be used dynamically. B2 pointsC

4ample (#() shows both routes for*().*)).N2.)5(3 recei%ed on -2 from -3 and -L@ because all routers share a com# mon media, the interface connecting to -3 or -L cannot be modified on -2 because this would affect both routes. Simi# larly, an offset#list to manipulate delay would be of nouse because you are permitted to configureonly -2. >ou are therefore re"uired to penalize the route recei%ed from -3 only to ensure the -L#generated route is preferred on -2. 'y configuring a route#map on -2 to match only the route#source of -3, you can increase the metric for the re"uired route B*().*)).N2.)5(3C. This simply enables the srcinal route recei%ed from -L to take precedence. 4ample (#() shows the * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"41#

re"uired configuration and %erification that the route is preferred %ia the -L, the topology table shows that the -3 route is also present and that -3 is effecti%ely the feasible successor for this network on this router. f the route from -L is withdrawn, the route from -L would enter the routing table automatically. >ou will need a second permit statement on the route#map Bpermit ()C toenable all other routes inbound to -2 to enter unaltered. 4ample (#() also details the rout# ing tables of each de%ice to confirm redistribution from 7-$ into 8S$+ or %ice %ersa. f you ha%e configured this cor# rectly, as shown in 4ample (#(), youha%e scored 2 points. E%MPL 262+ '3 '-P(2 'e.i#tributi$n C$n/i"urati$n an. Veri/icati$n ;3# s%o& i/ route2..3. ;outing entr" for 12$?1$$?73?$,24 Jno8n 6ia Leigrp 1L> istance 1=$> metric 7=:$417> t"peexternal ;eistri%uting 6ia eigrp 1 0ast upate from 12$?1$$?34?< on iga%it.t&ernet$,$> $$'$1'< ago ;outing Descriptor locs' 12$?1$$?34?<> from 12$?1$$?34?<> $$'$1'< ago> 6ia iga%it.t&ernet$,$ ;oute metric is 7=:$417> traffic s&are count is1 !otal ela" is 2$$1$$ microsecons> minimum %an8it& is 1<44 J%it ;elia%ilit" 2<<,2<<> minimum !* 1<$$ %"tes 0oaing 1,2<<> 9ops 1 I 12$?1$$?34?4> from 12$?1$$?34?4> $$ '$1'< ago> 6ia iga%it.t&ernet$,$ ;oute metric is 7=:$417> traffic s&are count is1 !otal ela" is 2$$1$$ microsecons> minimum %an8it& is 1<44 J%it ;elia%ilit" 2<<,2<<> minimum !* 1<$$ %"tes 0oaing 1,2<<> 9ops 1 ;3(config)# a$$esslist  /ermit2..34.4 ;3(config)# a$$esslist 2 /ermit2..3. ;3(config)# router eigr/ ;3(config-router)#

distri'utelist routema/ PEN()IE)(N3Giga'itEt%ernet5 in

;3(config-router)#

e:it

;3(config)# routema/ PEN()IE)(N3 /ermit  ;3(config-route-map)#

mat$% i/ address2

;3(config-route-map)#

 mat$% i/ routesour$e

;3(config-route-map)#

set metri$O-

;3(config-route-map)#

routema/ PEN()IE)(N3 /ermit 2

;3# s%o& i/ route2..3.

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"42#

;outing entr" for 12$?1$$?73?$,24 Jno8n 6ia Leigrp 1L> istance 1=$> metric 7=:$417> t"peexternal ;eistri%uting 6ia eigrp 1 0ast upate from 12$?1$$?34?< on iga%it.t&ernet$,$> $$'$$'21 ago ;outing Descriptor locs' I 12$?1$$?34?<> from 12$?1$$?34?<> $$'$$'21 ago> 6ia iga%it.t&ernet$,$ ;oute metric is 7=:$417> traffic s&are count is1 !otal ela" is 2$$1$$ microsecons> minimum %an8it& is 1<44 J%it ;elia%ilit" 2<<,2<<> minimum !* 1<$$ %"tes 0oaing 1,2<<> 9ops 1 2--.2--.2--. ;3# s%o& i/ eigr/ to/olog* 2..3. P-.;P (5S 1)' !opolog" entr" for 12$?1$$?73?$,24 State is Passi6e> Zuer" srcin flag is 1> 1 Successor(s)> +D is 7=:$417 ;outing Descriptor locs' 12$?1$$?34?< (iga%it.t&ernet$,$)> from 12$?1$$?34?<> Sen flag is $x$ /omposite metric is (7=:$417,7===:<7)> ;oute is .xternal Vector metric' inimum %an8it& is 1<44 J%it

NT The full $ routing tables of each de%ice are pro# %ided within the accom# panying configurations to %erify your redistributed routes.

!otal ela" is 2$$1$$ microsecons ;elia%ilit" is 2<<,2<< 0oa is 1,2<< inimum !* is 1<$$ 9op count is 1 .xternal ata' riginating router is 12$?1$$? external metric is 2 5ministrator tag is $ ($x$$$$$$$$) 12$?1$$?34?4 (iga%it.t&ernet$,$)> from 12$?1$$?34?4> Sen flag is /omposite metric is (12:$$$$$$,7===:<7)> ;oute is .xternal Vector metric' inimum %an8it& is 2$ J%it !otal ela" is $ microsecons ;elia%ilit" is $,2<< 0oa is $,2<< inimum !* is $ 9op count is 1 .xternal ata' riginating router is 12$?1$$?4?1

$x$

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"43#

5S num%er of route is 1 .xternal protocol is SP+> external metric is 2 5ministrator tag is $ ($x$$$$$$$$)

Secti$n 3> =P ?15 P$int#A E

!onfigure '7$ peering per +igure (# as followsD i'7$ -*#-2, -(#-2, -3#-N, -3#S0(, -L#Sw*, -L#sw2, e'7$ -2#-3, -2#-L, Sw3#Sw2, -N#Sw3. Mse :oopback interfaces to peer on all routers with the e4ception of peering between -2#-3 and -2#-L. =o not use the command e'g/multi%o/ within your configurations. B2 pointsC

The restrictions within the i'7$ peering re"uire you to configure -2, -3, and -L as route reflectors within their own AS. Auto summarization is disabled to ensure '7$ does notsummarize routes, andsynchronization is disabled because the 7$ will not be synchronized to '7$ within this lab. The "uestion doesn6t dicta te that you must configure peer groups, but it is considered good practice when you ha%e more than one peer with a similar peering configuration. The "uestion does, howe%er, dictate that you must not use e'g/multi%o/. This feature would of course be re"uired for the peering from AS3)) to AS2)) and AS3)) to AS())because :oopback interfaces are used for the e4ternal peering, here unlike AS*)) to AS()) and AS2)), which peer from connectedinterfaces. 0ithout e'g/multi%o/the peering fails in and outbound from AS3)). The only way to fi4 this is to use a feature that disables connection %erification to establish an e'7$ peering session with a single#hop peer that uses a :oopback interface. Mse of the command neig%'or disa'le $onne$ted$%e$0 on -N, Sw2, and Sw3 for the re"uired peering allows the peering to be formed successfully. 4ample (# (* shows the basic peering configuration for '7$, the e'7$ failure condition obser%ed on peering to and from AS3)), and the re"uired configuration to rectify the condition. f you ha%e configured this correctly, you ha%e scored 2points. E%MPL 2621 =P Peerin" C$n/i"urati$n an. Veri/icati$n ;1(config)# router 'g/ ;1(config-router)#

no autosummar*

;1(config-router)#

no s*n$%roni1ation

;1(config-router)#

 neig%'or 2..3. remoteas

;1(config-router)#

)oo/'a$0 neig%'or 2..3. u/datesour$e

;2(config)# router 'g/ ;2(config-router)#

no autosummar*

;2(config-router)#

no s*n$%roni1ation

;2(config-router)#

neig%'or 2..3. remoteas 

;2(config-router)#

neig%'or 2..3. u/datesour$e )oo/'a$0

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa "em$re 259 .etai&# /$r

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"4#

;3(config)# router 'g/ ;3(config-router)#

no autosummar*

;3(config-router)# no s*n$%roni1ation ;3(config-router)# neig%'or ( /eergrou/ ;3(config-router)# neig%'or( remoteas ;3(config-router)#

)oo/'a$0 neig%'or ( u/datesour$e

;3(config-router)#

neig%'or 2... /eergrou/ (

;3(config-router)#

neig%'or 2..2. /eergrou/ (

;3(config-router)#

neig%'or (routere#le$tor$lient

;3(config-router)#

neig%'or 2..34.4 remoteas 2

;3(config-router)#

neig%'or 2..34.- remoteas 3

;4(config)# router 'g/2 ;4(config-router)#

router 'g/2

;4(config-router)#

no autosummar*

;4(config-router)# no s*n$%roni1ation ;4(config-router)# neig%'or (2 /eergrou/ ;4(config-router)# neig%'or(2 remoteas2 ;4(config-router)# neig%'or (2 u/datesour$e )oo/'a$0 ;4(config-router)#

neig%'or (2routere#le$tor$lient

;4(config-router)#

neig%'or 2... /eergrou/ (2

;4(config-router)#

(2 neig%'or 2..8. /eergrou/

;4(config-router)#

 neig%'or 2..34.3 remoteas

;<(config)# router 'g/3 ;<(config-router)#

no autosummar*

;<(config-router)# no s*n$%roni1ation ;<(config-router)# neig%'or (3 /eergrou/ ;<(config-router)# neig%'or(3 remoteas3 ;<(config-router)#

)oo/'a$0 neig%'or (3 u/datesour$e

;<(config-router)#

neig%'or (3routere#le$tor$lient

;<(config-router)#

(3 neig%'or 2..7. /eergrou/

;<(config-router)#

(3 neig%'or 2..9. /eergrou/

;<(config-router)#

neig%'or 2..34.3 remoteas 

;7(config)# router 'g/2 ;7(config-router)#

no autosummar*

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

;7(config-router)#

no s*n$%roni1ation

;7(config-router)#

neig%'or 2..4. remoteas 2

;7(config-router)#

)oo/'a$0 neig%'or 2..4. u/datesour$e

;7(config-router)#

neig%'or 2... remoteas 4

;7(config-router)#

)oo/'a$0 neig%'or 2... u/datesour$e

!"0#

SW1(config)# router 'g/3 SW1(config-router)#

no autosummar*

SW1(config-router)#

no s*n$%roni1ation

SW1(config-router)#

3 neig%'or 2..-. remoteas

SW1(config-router)#

neig%'or 2..-. u/datesour$e )oo/'a$0

SW2(config)# router 'g/2 SW2(config-router)#

no autosummar*

SW2(config-router)#

no s*n$%roni1ation

SW2(config-router)#

2 neig%'or 2..4. remoteas

SW2(config-router)#

)oo/'a$0 neig%'or 2..4. u/datesour$e

SW3(config)# router 'g/3 SW3(config-router)# no autosummar* SW3(config-router)#

no s*n$%roni1ation

SW3(config-router)#

neig%'or 2..-. remoteas 3

SW3(config-router)#

)oo/'a$0 neig%'or 2..-. u/datesour$e

SW3(config-router)#

4 neig%'or 2... remoteas

SW3(config-router)#

neig%'or 2... u/datesour$e )oo/'a$0

SW4(config)# router 'g/4 SW4(config-router)#

no autosummar*

SW4(config-router)#

no s*n$%roni1ation

SW4(config-router)#

neig%'or 2... remoteas 2

SW4(config-router)#

neig%'or 2... u/datesour$e )oo/'a$0

SW4(config-router)#

3 neig%'or 2..9. remoteas

SW4(config-router)#

neig%'or 2..9. u/datesour$e )oo/'a$0

SW4# s% i/ 'g/ neig% 2... > in$lude E:ternal .xternal P neig&%or not irectl" connecte? SW4# s%o& i/ 'g/neig%'ors2..9. > in$lude E:ternal ? .xternal P neig&%or not irectl" connecte * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!""#

SW4# a$tie SW4# s% i/ 'g/ neig%'ors 2... > in$lude No acti6e !/P connection

SW4# s% i/ 'g/ neig%'ors 2..9. > in$lude a$tie No acti6e !/P connection SW4(config-router)#

neig%'or 2...disa'le$onne$ted$%e$0

SW4(config-router)#

neig%'or 2..9.disa'le$onne$ted$%e$0

;7(config-router)# neig%'or2...disa'le$onne$ted$%e$0 SW3(config-router)# neig%'or 2...disa'le$onne$ted$%e$0 SW4# s%o& i/ 'g/ neig%'ors 2... > in$lude Esta'lis%ed P state C .sta%lis&e> up for $$'$2'$1 Esta'lis%ed SW4# s%o& i/ 'g/ neig%'ors 2..9. > in$lude P state C .sta%lis&e> up for $$'$2'$<

>ou also find'7$ peering issues between -* andbecause -2. 4ample (#(( shows the routers are informing each other they ha%e will an incorrect identifier. This is simply both routers ha%e identical :oopback interface address of ()).()).()).()), which is used as the '7$ identifier. 'y changing the = of one router the peering is established. t doesn6t matter what you change the = to, but it needs to be uni"ue@ as such, the :oopback ) interface would be a good choice. 1o e4tra points for this task because this is part of the srcinal peering. E%MPL 2622 '1 an. '3 Peerin" -##ue C$n/i"urati$n an. Veri/icati$n J"GP ;1#  9!3!3.287! "GP3NI6IC(IN! sent to neig%'or 2..3. 253 ientifier 8rong) 4 %"tes /:/:/:/:

;3#  9!2-!3.43! "GP3NI6IC(IN! re$eied #rom neig%'or 2... 25 3 ( P ientifier 8rong) 4 %"tes /:/:/:/: ;1# s%o& i/ 'g/ summar* > in$lude identi#ier P router ientifier 2$$?2$$?2$$?2$$> local 5S num%er

1$$

identi#ier ;3# s%o& i/ 'g/ summar* > in$lude

P router ientifier 2$$?2$$?2$$?2$$> local 5S num%er 1$$

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"'#

;1(config-router)# 'g/ routerid2... I1'34'4
E

-outers -* and -( in AS*)) should be made to passi%ely accept only '7$ sessions. -2 should be configured to acti%ely create only '7$ sessions to -* and -( within AS*)). B2 pointsC

A '7$ speaker by default will attempt to open a session on T!$port *9 with a configured peer, because such a normal peering arrangement will see two sessions being established to build a successful neighbor relationship. This beha%ior can be modified to effecti%ely allow sessions to be established only either inbound or outbound. The solution tothe "uestion is achie%ed by configuring the neig%'or trans/ort$onne$tionmodeto passi%e Bonly inbound connectionswill be establishedC on -* and -( and acti%e Bonly outbound sessions will be establishedC on -2 .>ou must manually acti# %ate each neighbor on each router for the solution to work effecti%ely. f you ha%e configured this correctly, as shown in 4ample (#(2, you ha%e scored 2 points. !onsider using the s%o& i/ 'g/ summar*command to %erify yourconfigura# XA$: (#(2 -*, -( and -2 !onnection#mode !onfiguration -*BconfigCY router bgp *)) -*Bconfig#routerCY neighbor *().*)).2.* transport connection#mode passi%e -*Bconfig#routerCY neighbor *().*)).2.* acti%ate -(BconfigCY router bgp *)) -(Bconfig#routerCY neighbor *().*)).2.* transport connection#mode passi%e -2Bconfi(gCY r2outer bgp *)) -(Bconfig#routerCY neighbor *().*)).2.* acti%ate -2Bconfig#routerCY neighbor AS*)) transport connection#mode acti%e -2Bconfig#routerCY neighbor *().*)).*.* acti%ate -2Bconfig#routerCY neighbor *().*)).(.* acti%ate E !onfigure the following :oopback interfaces on -2 and Sw3@ ad%ertise these networks into '7$ using the network commandD B( pointsC -2  :oopback interface L B*L(.*)).*)).*5(3C Sw3  :oopback interface L B*L(.()).2(.*5(3C Sw3  :oopback interface N B*L(.()).22.*5(3C

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"+#

Sw3  :oopback interface 9 B*L(.()).23.*5(3C Sw3  :oopback interface / B*L(.()).2L.*5(3C A simple "uestion that creates '7$ routes for the following task. f you ha%e configured this correctly, as shown in 4# ample (#(3, you ha%e scored ( points. E%MPL 2624 '3 an. S)4 Net)$r0 %.(erti#ement C$n/i"urati$n an. Veri/icati$n ;3(config)# inter#a$e)oo/'a$0;3(config-if)#

i/ address -2... 2--.2--.2--.

;3(config-if)#

router 'g/

;3(config-router)#

net&or0 -2... mas0 2--.2--.2--.

SW4(config)# inter#a$e)oo/'a$0SW4(config-if)#

2--.2--.2--. i/ address -2.2.32.

SW4(config-if)#

inter#a$e)oo/'a$0

SW4(config-if)#

i/ address -2.2.33. 2--.2--.2--.

SW4(config-if)#

inter#a$e)oo/'a$07

SW4(config-if)#

i/ address -2.2.34.2--.2--.2--.

SW4(config-if)#

inter#a$e)oo/'a$08

SW4(config-if)#

i/ address -2.2.3-.2--.2--.2--.

SW4(config-if)#

router 'g/4

SW4(config-router)#

2--.2--.2--. net&or0 -2.2.32. mas0

SW4(config-router)#

net&or0 -2.2.33. mas0 2--.2--.2--.

SW4(config-router)#

2--.2--.2--. net&or0 -2.2.34. mas0

SW4(config-router)#

net&or0 -2.2.3-. mas0 2--.2--.2--.

;3# s%o& i/'g/ P ta%le 6ersion is 1$> local router D is2$$?2$$?2$$?2$$ Status coes' s suppresse>  ampe> & &istor"> I6ali> Y %est> i - internal> r ;-failure> S Stale rigin coes' i - P> e - .P>  - incomplete Net8or Next 9op IY 1<2?1$$?1$$?$,24 $?$?$?$ I 1<2?2$$?32?$,24 12$?1$$?34?4 IY 12$?1$$?34?< I 1<2?2$$?33?$,24 12$?1$$?34?4

etric 0ocPrf Weig&t Pat& $ 32=7: i $ 2$$ 4$$ i $ 3$$ 4$$ i $ 2$$ 4$$ i

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

IY 12$?1$$?34?< I 1<2?2$$?34?$,24 12$?1$$?34?4 IY 12$?1$$?34?< I 1<2?2$$?3
E

$ $ $ $ $

!"4# 3$$ 2$$ 3$$ 2$$ 3$$

4$$ 4$$ 4$$ 4$$ 4$$

i i i i i

!onfigure -2 to inform -3 that it does not want to recei%e routes ad%ertised from Sw3 for networks *L(.()).22.)5(3, *L(.()).23.)5(3 and *L(.()).2L.)5(3. Achie%e this in such a manner that -3 does not actually ad%ertise these routes toward -2. >ou may also configure -3. B3 pointsC

'7$ has a $refi4#'ased 8utbound -oute +iltering B8-+C mechanism that can send and recei%e capabilities to minimize '7$ updates sent between '7$ peers. Ad%ertisement of 8-+ capability indicates that a peer will accept a prefi4#list from a neighbor and apply the prefi4#list recei%ed from a neighbor locally to a%oid the unnecessary sending of routes that would be blocked bythe recei%er anyway. -2 is therefore configured with a prefi4#list that blocks the re"uired routes generated from Sw3, which is sent %ia 8-+ to -3. -3 is configured to recei%e this prefi4#list %ia 8-+, and the routes are blocked outbound at -3. 4ample (#(L shows the re"uired 8-+ and prefi4#list filtering with the resulting outbound ad%ertisement on -3. The '7$ table on -2 is also displayed showing the routes are no longer beingrecei%ed from -3 and solely from -L. f you ha%e configured this correctly, as shown in 4ample (#(L, you ha%e scored 3points. E%MPL 2625 =P '; C$n/i"urati$n an. Veri/icati$n ;3(config)# router 'g/ ;3(config-router)#

neig%'or 2..34.4 $a/a'ilit* or# /re#i:list send

;3(config-router)# neig%'or 2..34.4/re#i:list 6I)E+ in ;3(config)# i/ /re#i:list6I)E+ se - den* -2.2.33.524 ;3(config)# i/ /re#i:list 6I)E+ se  den* -2.2.34.524 -2.2.3-.524 ;3(config)# i/ /re#i:list 6I)E+ se - den*

;3(config)# i/ /re#i:list 6I)E+ se 2 /ermit ...532le ;4(config)# router 'g/2 ;4(config-router)#

re$eie neig%'or 2..34.3 $a/a'ilit* or# /re#i:list

;4(config-router)#

e:it

;4(config)# e:it adertisedroutes ;4# s%o& i/ 'g/ neig%'ors 2..34.3 P ta%le 6ersion is 1=> local router D is12$?1$$?4?1 Status coes' s suppresse>  ampe> & &istor"> I6ali> Y %est> i - internal> r ;-failure> S Stale rigin coes' i - P> e - .P>  - incomplete

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

Net8or IYi1<2?2$$?32?$,24

Next 9op 12$?1$$?1$?1

!"#

etric 0ocPrf Weig&t Pat& $ 1$$ $ 4$$ i

!otal num%er of prefixes 1 ;3# $lear i/ 'g/ ;3# s%o& i/'g/ P ta%le 6ersion is 7> local router D is2$$?2$$?2$$?2$$ Status coes' s suppresse>  ampe> & &istor"> I6ali> Y %est> i - internal> r ;-failure> S Stale rigin coes' i - P> e - .P>  - incomplete

IY IY I IY IY

Next 9op Net8or 1<2?1$$?1$$?$,24 $?$?$?$ 1<2?2$$?32?$,24 12$?1$$?34?4 12$?1$$?34?< 1<2?2$$?33?$,24 12$?1$$?34?< 1<2?2$$?34?$,24 12$?1$$?34?<

IY 1<2?2$$?3
E

12$?1$$?34?<

etric 0ocPrf Weig&t $ 32=7: $ $ $ $

Pat& i 2$$ 4$$ 3$$ 4$$ 3$$ 4$$ 3$$ 4$$

i i i i

$ 3$$ 4$$ i

!onfigure a route#map on -L that prepends it6s local AS ( an additional ( times for network *L(.()).2(.)5(3 when ad%ertised to -2. The route#map may contain multiple permit statements but only one prepend is permitted per line. B2 pointsC

A simple AS path prepend "uestion, or so it seems. 1ormally you would prepend the same AS number multiple times within the same permit statement, but the "uestion restricts this so you are forced to use multiple permit statements with the same AS prepend statement. 4ample (#(N shows the route *L(.()).2(.)5(3 as recei%ed ini tially on -2 from -L with an AS path of 2))#3)). After configuration of the route#map to prepend the route on -L twice, the network is recei%ed on -2 with an AS path of 2))#2))#3)). This might look like the route has indeed been prepended twice, but the "uestion re"uests an additional two times@ in fact, the route has been prepended only once. The problem is that the route# map /ermit  statement on -2 has been e4ecuted, and the route#map will then not e%aluate any additional route map entries and simply dropsout, so the permit () statement is ne%er actually e4ecuted. 'y configuring a $ontinue 2statement within the /ermit  line, the router is forced to e%aluate the permit () line. -ather than dropping out of the route#map after successful e4ecution of the /ermit  statement, the final %erification within 4ample (#(N shows the route recei%ed on -2 with successful prepend applied by -L. f you ha%e configured this correctly, as shown in 4ample (#(N, you ha%e scored 2points. * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa "em$re 259 .etai&# /$r

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"1#

E%MPL 262 '5 Prepen. C$n/i"urati$n an. Veri/icati$n ;3# s%o& i/'g/ P ta%le 6ersion is 7> local router D is2$$?2$$?2$$?2$$ Status coes' s suppresse>  ampe> & &istor"> I6ali> Y %est> i - internal> r ;-failure> S Stale rigin coes' i - P> e - .P>  - incomplete

IY IY I IY IY IY

Net8or Next 9op 1<2?1$$?1$$?$,24 $?$?$?$ 1<2?2$$?32?$,24 12$?1$$?34?4 12$?1$$?34?< 1<2?2$$?33?$,24 12$?1$$?34?< 1<2?2$$?34?$,24 12$?1$$?34?< 1<2?2$$?3
etric 0ocPrf Weig&t Pat& $ 32=7: i $ 2$$ 4$$ $ 3$$ 4$$ $ 3$$ 4$$ $ 3$$ 4$$ $ 3$$ 4$$

i i i i i

;<(config)# router 'g/3 ;<(config-router)#

out neig%'or 2..34.3 routema/ P+EPEND

;<(config-router)#

e:it

;<(config)# a$$esslist  /ermit-2.2.32.  ;<(config)# routema/ P+EPEND /ermit ;<(config-route-map)#

mat$% i/ address

;<(config-route-map)#

set as/at% /re/end3

;<(config-route-map)#

2 routema/ P+EPEND /ermit

;<(config-route-map)#

mat$% i/ address

;<(config-route-map)#

set as/at% /re/end3

;<(config-route-map)#

routema/ P+EPEND /ermit 3

;3# s%o& i/'g/ P ta%le 6ersion is 7> local router D is2$$?2$$?2$$?2$$ Status coes' s suppresse>  ampe> & &istor"> I6ali> Y %est> i - internal> r ;-failure> S Stale rigin coes' i - P> e - .P>  - incomplete

IY IY I IY IY

Net8or Next 9op 1<2?1$$?1$$?$,24 $?$?$?$ 1<2?2$$?32?$,24 12$?1$$?34?4 12$?1$$?34?< 1<2?2$$?33?$,24 12$?1$$?34?< 1<2?2$$?34?$,24 12$?1$$?34?<

etric 0ocPrf Weig&t Pat& $ 32=7: i $ 2$$ 4$$ i $ 3$$ 3$$ 4$$ $ 3$$ 4$$ i $ 3$$ 4$$ i

i

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

IY 1<2?2$$?3
12$?1$$?34?<

!"2#

$ 3$$ 4$$ i

 ;<(config)# routema/ P+EPEND /ermit

;<(config-route-map)#

$ontinue2

;3# $lear i/ 'g/ ;3# s%o& i/'g/ P ta%le 6ersion is 7> local router D is2$$?2$$?2$$?2$$ Status coes' s suppresse>  ampe> & &istor"> I6ali> Y %est> i - internal> r ;-failure> S Stale rigin coes' i - P> e - .P>  - incomplete

IY IY I IY IY IY

Next 9op Net8or 1<2?1$$?1$$?$,24 $?$?$?$ 1<2?2$$?32?$,24 12$?1$$?34?4 12$?1$$?34?< 1<2?2$$?33?$,24 12$?1$$?34?< 1<2?2$$?34?$,24 12$?1$$?34?< 1<2?2$$?3
etric 0ocPrf Weig&t $ 32=7: $ $ $ $ $

Pat& i 2$$ 4$$ 3$$ 3$$ 3$$ 4$$ 3$$ 4$$ 3$$ 4$$

i 3$$ 4$$ i i i i

Secti$n 4> -P( ?12 P$int#A E

!onfigure $%N addresses on your network as followsD ())9D!*LD!)D*)DD*5N3 # -* 7i)5) ())9D!*LD!)D**DD*5N3  -* tunnel) ())9D!*LD!)D**DD25N3  -2 tunnel) ())9D!*LD!)D*(DD(5N3 # -( tunnel) ())9D!*LD!)D*(DD25N3  -2 tunnel* ())9D!*LD!)D*2DD(5N3  -( fe)5* ())9D!*LD!)D*3DD25N3  -2 7i)5) ())9D!*LD!)D*3DD35N3  -3 7i)5) * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"3#

())9D!*LD!)D*3DDL5N3  -L 7i)5) ())9D!*LD!)D*LDDL5N3  -3 7i)5* ())9D!*LD!)D*LDDN5N3  -N 7i)5) The prere"uisite to the following "uestions is configuration of the $%N addresses and tunnel interfaces. >ou should test your &$%N connecti%ity post configuration to ensure you are ready toprogress to the routing "uestions. >ou will not re# "uire +rame#-elay maps to achie%e connecti%ity because tunneling is re"uired rather than $%N directly configured un# der the serial interfaces on -*, -(, and -2. 4ample (#(9 shows the initial $%N configuration@ tunnel specifics are pro%ided in later "uestions, so ust creating the tunnel interfaces and configuring an $%N address is re"uired at this point. 1o points are on offer here for this task, unfortunately. !onsider using the s%o& i/ inter#a$es 'rie# command for a "uick check of your interface configuration. E%MPL 2627 -P( -nitia&C$n/i"urati$n ;1(config)# i/ uni$astrouting ;1(config)# inter#a$eGiga'itEt%ernet5 i/ address 27!C-!C!!!54

;1(config-if)# ;1(config-if)#

inter#a$e tunnel

;1(config-if)#

i/ address 27!C-!C!!!54

;2(config)# i/ uni$astrouting ;2(config)# inter#a$e 6astEt%ernet5 ;2(config-if)#

i/ address 27!C-!C!3!!254

;2(config-if)#

inter#a$e tunnel

;2(config-if)#

i/ address 27!C-!C!2!!254

;3(config)# i/ uni$astrouting ;3(config)# int Giga'itEt%ernet5 ;3(config-if)#

i/ address 27!C-!C!4!!354

;3(config-if)#

inter#a$e tunnel

;3(config-if)#

i/ address 27!C-!C!!!354

;3(config-if)#

inter#a$e tunnel

;3(config-if)#

i/ address 27!C-!C!2!!354

;4(config)# i/ uni$astrouting ;4(config)# inter#a$eGiga'itEt%ernet5 * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

;4(config-if)#

i/ address 27!C-!C!4!!454

;4(config-if)#

inter#a$eGiga'itEt%ernet5

;4(config-if)#

i/ address 27!C-!C!-!!454

!"#

;<(config)# i/ uni$astrouting ;<(config)# inter#a$eGiga'itEt%ernet5 ;<(config-if)#

i/ address 27!C-!C!4!!-54

;7(config)# i/ uni$astrouting ;7(config)# inter#a$eGiga'itEt%ernet5 ;7(config-if)#

i/ address 27!C-!C!-!!54

Secti$n 41> -='P( E

!onfigure 7-$%N between -*, -(, and -2. 7-$%N should be enabled on the thernet interfaces of -* and -( and on all tunnel interfaces of -*, -(, and -2. 'uild your tunnels using i/i/ modePuse an AS number of N on all re"uired interfaces. B( pointsC

This is a straightforward 7-$%N configuration that re"uires the AS number ofN applied to the re"uired interfaces. The tunnel mode information is supplied within this "uestion of i/i/ for a manually configured $%N tunnel. 8ne thing to remember with 7-$%Nis that you need to start the process with n a o s%ut command within the routing process. f you ha%e configured this correctly, as shown in 4ample (#(/, you ha%e scored ( points. E%MPL 262@ -='P( C$n/i"urati$n an. Veri/icati$n ;1(config)# inter#a$e Giga'itEt%ernet 5 ;1(config-if)#

i/ eigr/

;1(config-if)#

inter#a$eunnel

;1(config-if)#

i/ eigr/

;1(config-if)#

tunnel sour$eerial55

;1(config-if)#

tunnel destination2..23.3

;1(config-if)#

tunnel modei/i/

;1(config-if)#

i/ router eigr/

;1(config-router)#

no s%utdo&n

;2(config)# inter#a$e 6astEt%ernet5 ;2(config-if)#

i/ eigr/

;2(config-if)#

inter#a$eunnel

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

;2(config-if)#

i/ eigr/

;2(config-if)#

tunnel sour$eerial5

;2(config-if)#

tunnel destination2..23.3

;2(config-if)#

tunnel modei/i/

;2(config-if)#

i/ router eigr/

;2(config-router)#

!"10#

no s%utdo&n

;3(config)# inter#a$eunnel ;3(config-if)#

i/ eigr/ 

;3(config-if)#

tunnel sour$eerial55

;3(config-if)#

tunnel destination2..23.

;3(config-if)#

tunnel modei/i/

;3(config-if)#

inter#a$eunnel

;3(config-if)#

i/ eigr/

;3(config-if)#

tunnel sour$eerial55

;3(config-if)#

tunnel destination2..23.2

;3(config-if)#

tunnel modei/i/

;3(config-if)#

i/ router eigr/

;3(config-router)#

no s%utdo&n

;1# s%o& i/ routeeigr/ P67 ;outing !a%le - : entries /oes' / - /onnecte> 0 - 0ocal> S - Static> ; - ;P>  P * - Per-user Static route>  - P67 1 - SS 01> 2 - SS 02> 5 - SS interarea> S - SS summar"  - SP+ intra>  - SP+ inter> .1 - SP+ ext 1> .2 - SP+ ext2 N1 - SP+ NSS5 ext 1> N2 - SP+ NSS5 ext2 D - .;P> .M - .;P external D 2$$='/1<'/$'12'',74 F$,31$$44417G 6ia +.:$''=:74'=$3> !unnel$ D 2$$='/1<'/$'13'',74 F$,31$$=$$17G 6ia +.:$''=:74'=$3> !unnel$ ;2# s%o& i/ routeeigr/ P67 ;outing !a%le - : entries /oes' / - /onnecte> 0 - 0ocal> S - Static> ; - ;P>  P * - Per-user Static route>  - P67 1 - SS 01> 2 - SS 02> 5 - SS interarea> S - SS summar"  - SP+ intra>  - SP+ inter> .1 - SP+ ext 1> .2 - SP+ ext2 * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

D D

!"1"#

N1 - SP+ NSS5 ext 1> N2 - SP+ NSS5 ext2 D - .;P> .M - .;P external 2$$='/1<'/$'1$'',74 F$,31$$=$$17G 6ia +.:$''=:74'=/$3> !unnel$ 2$$='/1<'/$'11'',74 F$,31$$44417G 6ia +.:$''=:74'=/$3> !unnel$

;3# s%o& i/ routeeigr/ P67 ;outing !a%le -  entries /oes' / - /onnecte> 0 - 0ocal> S - Static> ; - ;P>  P * - Per-user Static route>  - P67 1 - SS 01> 2 - SS 02> 5 - SS interarea> S - SS summar"  - SP+ intra>  - SP+ inter> .1 - SP+ ext 1> .2 - SP+ ext2 N1 - SP+ NSS5 ext 1> N2 - SP+ NSS5 ext2 D - .;P> .M - .;P external D 2$$='/1<'/$'1$'',74 F$,2=2=$$17G 6ia +.:$''=:74'=$1> !unnel$ D 2$$='/1<'/$'13'',74 F$,2=2=$$17G 6ia +.:$''=:74'=/$2> !unnel1

Secti$n 42> SP;(3 E

!onfigure 8S$+%2 per +igure (#**@ use an 8S$+%2 process of * on each router. B( pointsC

Mse %anilla 8S$+%2 configuration between -2, -3, -L, and -N. f you ha%e configured this correctly, as shown in 4# ample (#(, you ha%e scored ( points. E%MPL 2629 SP;(3 C$n/i"urati$n an. Veri/icati$n ;3(config)# inter#a$e Giga'itEt%ernet 5 ;3(config-if)#

i/ os/#  area

;4(config)# inter#a$eGiga'itEt%ernet5 ;4(config-if)#

i/ os/#  area

;4(config-if)#

inter#a$e Giga'itEt%ernet5

;4(config-if)#

i/ os/#  area

;<(config)# inter#a$eGiga'itEt%ernet5 ;<(config-if)#

i/ os/#  area

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"1'#

;7(config)# inter#a$eGiga'itEt%ernet5 ;7(config-if)#

i/ os/#  area

;3# s%o& i/ routeos/# P67 ;outing !a%le - 11 entries /oes' / - /onnecte> 0 - 0ocal> S - Static> ; - ;P>  P * - Per-user Static route 1 - SS 01> 2 - SS 02> 5 - SS interarea> S - SS summar"  - SP+ intra>  - SP+ inter> .1 - SP+ ext 1> .2 - SP+ ext2 N1 - SP+ NSS5 ext 1> N2 - SP+ NSS5 ext2 D - .;P> .M - .;P external  2$$='/1<'/$'1<'',74 F11$,2G 6ia +.:$''213'/3++'+.='.45$> iga%it.t&ernet$,$ ;<# s%o& i/ routeos/# P67 ;outing !a%le - < entries * - Per-user Static route /oes' / - /onnecte> 0 - 0ocal> S - Static> ; - ;P>  - P



1 - SS 01> 2 - SS 02> 5 - SS interarea> S - SS summar"  - SP+ intra>  - SP+ inter> .1 - SP+ ext 1> .2 - SP+ ext2 N1 - SP+ NSS5 ext 1> N2 - SP+ NSS5 ext2 D - .;P> .M - .;P external 2$$='/1<'/$'1<'',74 F11$,2G 6ia +.:$''213'/3++'+.='.45$> iga%it.t&ernet$,$

;7# s%o& i/ routeos/# P67 ;outing !a%le - < entries /oes' / - /onnecte> 0 - 0ocal> S - Static> ; - ;P>  P * - Per-user Static route 1 - SS 01> 2 - SS 02> 5 - SS interarea> S - SS summar"  - SP+ intra>  - SP+ inter> .1 - SP+ ext 1> .2 - SP+ ext2 N1 - SP+ NSS5 ext 1> N2 - SP+ NSS5 ext2 D - .;P> .M - .;P external  2$$='/1<'/$'14'',74 F11$,2G 6ia +.:$''213'/3++'+.='.451> iga%it.t&ernet$,$

NT The 8S$+%2 routing table of -3 is not shown in 4ample (#( because this router physically connects to each $%N network and as such will not disco%er any 8S$+%2 dynamic routes at this point in time.

E

!onfigure Area * with $sec authentication, use essage =igest L, a Security $olicy nde4 of L)), and a key of pointsC

DECDECCEDD"("""""ED"" . B(

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"1+#

Authentication is re"uired on -3 and -N because they both belong to Area *. The "uestion e4plicitly states the specific parameters re"uired, and you shouldn6t encounter any issues unless you incorrectly enter one of the keys. At 2( He4 characters long, this could easily be done while under a time constraint. f you ha%e configured this correctly, as shown in 4ample (#2), you ha%e scored ( points. E%MPL 263+ %rea 1 %uthenticati$nC$n/i"urati$n ;4(config)# i/ router os/# ;4(config-router)#

area  aut%enti$ation i/se$ s/i - mdD./$D.//1.$DD511$$.D$$$$

;7(config)# i/ router os/# ;7(config-router)#

E

area  aut%enti$ation i/se$ s/i - mdD./$D.//1.$DD511$$.D$$$$

nsure the area router in Area * recei%es the following route@ you may configure -3 to achie%e thisD B( pointsC 8 ())9DD5*N **)5(I %ia XXXXDDXXXXDXXXXDXXXXDXXXX,7igabitthernet)5)

The only area router within Area * is -N. -3 is the area border router within this area. 8 within the routing table is an 8S$+ nterarea route, so this route must be generated from another area. 'ecause Area ) is the only other area within the 8S$+%2 network, the route must be generated from this area as opposed to a redistributed route, which would show as an e4ternal route. A summary route generated on the area border -outer -3 of ())9DD5*N within area ) will pro%ide the re"uired route to be recei%ed on -N. f you ha%e configured this correctly, as shown in 4ample (#2*, you ha%e scored ( points.

E%MPL 2631 SP;(3 C$n/i"urati$n an. Veri/icati$n ;4(config)# i/ router os/# ;4(config-rtr)#

area  range27!!5

;7# s%o& i/ route os/# > in$lude I  2$$='',17 F11$,2G 6ia +.:$''213'/3++'+.='.451> iga%it.t&ernet$,$

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"14#

Secti$n 43> 'e.i#tributi$n E

-edistribute 7-$%N into 8S$+%2 on -2. -edistributed 7-$%N routes should ha%e a metric of L))) associ# ated with them, regardless of which area they are seen in within the 8S$+%2 network. B( pointsC

A one#way redistribution of 7-$%N to 8S$+%2 is re"uired on -2. The default redistribution beha%ior ensures that e4# ternal routes are ad%ertised as e4ternal Type (, which ha%e a fi4ed cost associated with them regardless of which area or location of the8S$+%2 network they are seen in. >ou simply re"uire the metric set to L))) on the 8S$+%2 process. >ou need to remember to ad%ertise connected routes also@ otherwise, the 8S$+%2 network will not see the directly connected tunnel interfaces on -2. f you ha%e configured this correctly, as shown in 4ample (#2(, you ha%e scored ( points. E%MPL 2632 '3 -p( 'e.i#tributi$n C$n/i"urati$n an. Veri/icati$n ;3(config)# i/ router os/# ;3(config-rtr)#

- redistri'ute eigr/  in$lude$onne$ted metri$

;4# s%o& i/ routeos/# P67 ;outing !a%le - 11 entries /oes' / - /onnecte> 0 - 0ocal> S - Static> ; - ;P>  P * - Per-user Static route 1 - SS 01> 2 - SS 02> 5 - SS interarea> S - SS summar"  - SP+ intra>  - SP+ inter> .1 - SP+ ext 1> .2 - SP+ ext2 N1 - SP+ NSS5 ext 1> N2 - SP+ NSS5 ext2 D - .;P> .M - .;P external  2$$='',17 F11$,$G 6ia ''> Null$ .2 2$$='/1<'/$'1$'',74 F11$,<$$$G 6ia +.:$''214'75++'+.+/'=3$> iga%it.t&ernet$,$ .2 2$$='/1<'/$'11'',74 F11$,<$$$G 6ia +.:$''214'75++'+.+/'=3$> iga%it.t&ernet$,$ .2 2$$='/1<'/$'12'',74 F11$,<$$$G 6ia +.:$''214'75++'+.+/'=3$> iga%it.t&ernet$,$ .2 2$$='/1<'/$'13'',74 F11$,<$$$G 6ia +.:$''214'75++'+.+/'=3$> iga%it.t&ernet$,$

E

!onfigure -2 so that both -* and -( ha%e the following $%N 7-$%N route in place@ do not redistribute 8S$+ into 7-$%N to achie%e this, and ensure all routers ha%e full %isibility. B( pointsC

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"1#

= ())9DD5*N )5XXXXXXXXXI %ia XXXXDDXXXXDXXXXDXXXXDXXXX, Tunnel) >ou should ha%e noticed inthe pre%ious "uestion that mutual redistribution was not re"uired@ as such, the 7-$%N network would not ha%e reachability of the 8S$+%2 network. This "uestion ensures the -$ng network sends traffic to -2 for the summarized network of ())9DD5*N. 'ecause you are not permitted to redistribute 8S$+%2 with a summary ad# dress, you need to configure&7-$%N summarization on the tunnel interfaces on -2 toward -* and -(@ this will pro# %ide the correct route and hop count as per the "uestion. 4ample (#22 shows the re"uired configuration and %erification of the route, in addition to !$ reachability to the remote 8S$+%2 Area * network on -N. This test clearly demonstrates full end#to#end reachability from 7-$%N to 8S$+%2. f youha%e configured this correctly, as shown in 4ample (#22, you ha%e scored ( points. E%MPL 2633 '3 -p( SummariGati$n C$n/i"urati$n an. Veri/icati$n ;3(config)# inter#a$e tunnel ;3(config-if)#

i/ summar*addresseigr/  27!!5

;3(config-if)#

inter#a$e tunnel

;3(config-if)#

i/ summar*addresseigr/  27!!5

;1# s%o& i/ routeeigr/ P67 ;outing !a%le - 7 entries /oes' / - /onnecte> 0 - 0ocal> S - Static> ; - ;P>  P * - Per-user Static route>  - P67 1 - SS 01> 2 - SS 02> 5 - SS interarea> S - SS summar"  - SP+ intra>  - SP+ inter> .1 - SP+ ext 1> .2 - SP+ ext2 N1 - SP+ NSS5 ext 1> N2 - SP+ NSS5 ext2 D - .;P> .M - .;P external D 2$$='',17 F$,31$$44417G 6ia +.:$''=:74'=$3> !unnel$ ;1# /ing i/27!C-!C!-!! !"pe escape seAuence to a%ort? Sening <> 1$$-%"te /P .c&os to 2$$='/1<'/$'1<''7> timeout is 2 secons' BBBBB Success rate is 1$$ percent (<,<)> roun-trip min,a6g,max C 4,=,: ms ;2# s%o& i/ routeeigr/

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"11#

P67 ;outing !a%le - 7 entries /oes' / - /onnecte> 0 - 0ocal> S - Static> ; - ;P>  P * - Per-user Static route>  - P67 1 - SS 01> 2 - SS 02> 5 - SS interarea> S - SS summar"  - SP+ intra>  - SP+ inter> .1 - SP+ ext 1> .2 - SP+ ext2 N1 - SP+ NSS5 ext 1> N2 - SP+ NSS5 ext2 D - .;P> .M - .;P external D 2$$='',17 F$,31$$44417G 6ia +.:$''=:74'=/$3> !unnel$ ;2# /ing i/27!C-!C!-!! !"pe escape seAuence to a%ort? Sening <> 1$$-%"te /P .c&os to 2$$='/1<'/$'1<''7> timeout is 2 secons' BBBBB Success rate is 1$$ percent (<,<)> roun-trip min,a6g,max C 4,=,: ms

Secti$n 5> B$S ? P$int#A E

Two $ %ideoconferencing units are to be installed onto Switch ( ports +astthernet )5*L and )5*N on F:A1 ()). The de%ices use T!$ $orts 2(2)2(2* and M=$ $orts 2(2)2(2L, and this traffic is unmarked from the de# %ices because it enters the switch. !onfigure Switch ( to assign a =S!$ %alue of A+3* to %ideo traffic from both of these de%ices. nsure that the switch ports assigned to the de%ices do not participate in the usual spanning#tree checks, cannot form trunk links, and cannot be configured as therchannels. B2 pointsC

This is a =S!$ coloring of application traffic "uestion. The T!$ and M=$ port information is pro%ided so access#lists matching these ports within a class#map are re"uired for identification of the %ideo traffic, and a policy#map colors the traffic to a =S!$ %alue of 3*. The o%erall QoS ser%ice#policy is applied to the %ideoconferencing ports of +astthernet )5*L and )5*N on Switch (. The ports are re"uired to be setto F:A1 ()) with spanning#tree checks disabled, and trunk# ing and channeling disabled using the commands&it$%/ort %ost. The ports can also be e4plicitly configured to disable each feature indi%idually but the s&it$%/ort %ostcommand does all this for you. f you ha%e configured this correctly, as shown in 4ample (#23, you ha%e scored 2 points. Mse thes%o& /oli$*ma/command to %erify yourconfiguration. E%MPL 2634 SP;(3 C$n/i"urati$n SW2(config)# inter#a$e range#astEt%ernet5- SW2(config-if-range)#

s&it$%/orta$$esslan 2

SW2(config-if-range)# s&it$%/ort%ost

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

SW2(config-if-range)#

!"12#

e:it

SW2(config)# mls os SW2(config)# $lassma/IDE SW2(config-cmap)#

mat$% a$$essgrou/

SW2(config-cmap)#

e:it

SW2(config)# a$$esslist  /ermit t$/ an* an* range 323 323 SW2(config)# a$$esslist  /ermit ud/ an* an* range 323 323SW2(config)# /oli$*ma/IDEM(+ SW2(config-pmap)# $lass IDE SW2(config-pmap-c)# set ds$/ (64 SW2(config-pmap-c)#

e:it

5- SW2(config)# inter#a$e range #astEt%ernet

SW2(config-if-range)#

E

seri$e/oli$* in/ut IDEM(+

!onfigure -( to assign a strict priority "ueue with a 3)#percent reser%ation of the 0A1 bandwidth for the %ideo# conferencing traffic in the pre%ious "uestion. a4imize the a%ailable bandwidth by ensuring the -T$ headers within the %ideo stream are compressed. The remainder of the bandwidth should be guaranteed for a default "ueue with 0-= enabled. Assume the full line rate of *.L33 bps as the a%ailable 0A1 bandwidth, and en# sure the complete bandwidth is utilized by both "ueues. B2 pointsC

+ollowing from the pre%ious "uestion, -( is re"uired to pro%ide QoS on the +rame#-elay link. A class#map matches the precolored %ideo traffic of =S!$ 3*@ a policy#map is then re"uired to call the class#map and assign a strict 3) percent priority "ueue with the command /riorit* /er$ent 4 . -T$ compression is configured within the policy#map for the %ideo traffic. The default "ueue has a guaranteed bandwidth reser%ation with the command 'and&idt% /er$ent  , and 0-= is enabled within this "ueue. 'oth"ueues are can use the full bandwidthof the 0A1 link only if the commandma: resered'and&idt% is configured underthe +rame#-elay interface. 8nly 9L percent of a%ailable bandwidth is used otherwise by default. f you ha%e configured this correctly, as shown in 4ample (#2L, you ha%e scored 2points. E%MPL 2635 '2 B$S C$n/i"urati$n an. Veri/icati$n ;2(config)# $lassma/ mat$%allIDE ;2(config-cmap)#

mat$% ds$/a#4

;2(config-cmap)#

/oli$*ma/IDE=

;2(config-pmap)#

$lass IDE

;2(config-pmap-c)#

/riorit* /er$ent4

;2(config-pmap-c)#

$om/ress %eader i/rt/

;2(config-pmap-c)#

$lass $lassde#ault

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

;2(config-pmap-c)#

!"13#

'and&idt% /er$ent

;2(config-pmap-c)# randomdete$t ;2(config-pmap-c)# e:it ;2(config)# inter#a$eerial5 ;2(config-if)#

ma:resered'and&idt% 

;2(config-if)#

seri$e/oli$* out/ut IDE=

Secti$n > Mu&tica#t ?7 P$int#A E

!onfigure -outers -*, -(, -2, and -3 for $%3 multicast. ach router should use $ sparse dense mode. 'oth -* and -( should be configured to be !andidate -$s specifically for the following multicast groupsD ((L.((L.).*, ((L.((L.).(, ((L.((L.).2, and ((L.((L.).3 by use of their :oopback ) interfaces. >ou should limit the boundary of your multicast network so it does propagate further into your network than -3. -2 should be configured as a mapping agent to announce the rendez%ous points for the multicast network with the same boundary constraints. B2 pointsC

The "uestion dictates that -* and -( be rendez%ous points and ad%ertise the same groups to the multicast network. -2 is re"uired to announce the rendez%ous points, and -3 will by default elect -( as the -$ for each group because it has the higher :oopback address compared to -* for the same groups. TT: scoping is used within the configuration to limit the boundary of ad%ertisements on both the candidate -$s and the disco%ery agent up to -3.4ample (#2N shows the re# "uired configuration and -$ mappings as recei%ed on -3. f you ha%e configured this correctly, as shown in 4ample (#2N, you ha%e scored 2points. E%MPL 263 '1, '2, '3 an. '4 Mu&tica#t C$n/i"urati$n an. Veri/icati$n ;1(config)# i/ multi$astrouting ;1(config)# inter#a$e)oo/'a$0 ;1(config-if)#

i/ /im s/arsedensemode

;1(config-if)#

inter#a$eerial55

;1(config-if)#

i/ /im s/arsedensemode

;1(config-if)#

i/ /im sendr/announ$e )oo/'a$0 s$o/e 3 grou/list G+FP

G+FP ;1(config)# i/ a$$esslist standard

;1(config-st-nacl)#

/ermit 22-.22-..

;1(config-st-nacl)#

/ermit 22-.22-..2

;1(config-st-nacl)#

/ermit 22-.22-..3

;1(config-st-nacl)#

/ermit 22-.22-..4

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"1#

;2(config)# i/ multi$astrouting ;2(config)# inter#a$e)oo/'a$0 ;2(config-if)#

i/ /im s/arsedensemode

;2(config-if)#

inter#a$eerial5

;2(config-if)#

i/ /im s/arsedensemode

;2(config-if)#

i/ /im sendr/announ$e )oo/'a$0 s$o/e 3 grou/list G+FP

;2(config)# i/ a$$esslist standard G+FP ;2(config-st-nacl)#

/ermit 22-.22-..

;2(config-st-nacl)#

/ermit 22-.22-..2

;2(config-st-nacl)#

/ermit 22-.22-..3

;2(config-st-nacl)#

/ermit 22-.22-..4

;3(config)# i/ multi$astrouting ;3(config)# inter#a$e)oo/'a$0 ;3(config-if)#

i/ /im s/arsedensemode

;3(config)# inter#a$eGiga'itEt%ernet5 ;3(config-if)#

i/ /im s/arsedensemode

;3(config-if)#

inter#a$eerial55

;3(config-if)# ;3(config-if)#

i/ /im s/arsedensemode e:it

;3(config)# i/ /im sendr/dis$oer* lo s$o/e 2 ;4(config-if)#

i/ multi$astrouting

;4(config-if)#

inter#a$eGiga'itEt%ernet5

;4(config-if)#

i/ /im s/arsedensemode

;4# s%o& i/ /im r/ma//ing P roup-to-;P appings roup(s) 22 6261 nfo source' 12$?1$$?34?3 ()> *ptime' $$'$$'$3> expires' roup(s) 22 6261 nfo source' 12$?1$$?34?3 ()> *ptime' $$'$$'$3> expires' roup(s) 22 6261

electe 6ia 5uto-;P $$'$2'<2

electe 6ia 5uto-;P $$'$2'<7

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

nfo

source' 12$?1$$?34?3 ()> *ptime' $$'$$'$3> expires' roup(s) 22 6261 nfo source' 12$?1$$?34?3 ()> *ptime' $$'$$'$3> expires'

E

!"20#

electe 6ia 5uto-;P $$'$2'<<

electe 6ia 5uto-;P $$'$2'<<

!onfigure -2 to ensure that -3 has a candidate -$ as -* for groups ((L.((L.).* and ((L.((L.).( and -( for groups ((L.((L.).2 and ((L.((L.).3. B( pointsC

As detailed in the pre%ious e4ample, -( will by default become the candidate -$ as selected by the disco%ery agent B-2C because of ha%ing a higher :oopback $ address as used in the $ announcements compared to -*. 'y configuring a group#list on the disco%ery agent, -$ announcements can be filtered. !onfiguring two filter lists with each candidate -$ associated to them allows thedisco%ery agent to announce two different -$s. 4ample (#29 shows the re"uired configu# ration, a debug of the auto#rp announcements on -2 to detail the filtering and the resulting -$ mappings on -3. f you ha%e configured this correctly, as shown in 4ample (#29, you ha%e scored ( points. E%MPL 2637 '2 B$S C$n/i"urati$n an. Veri/icati$n ;3(config)# i/ /im r/announ$e#ilter r/list +grou/list+G+FP ;3(config)# i/ /im r/announ$e#ilter r/list +2 grou/list +2G+FP ;3(config)# i/ a$$esslist standard+ ;3(config-st-nacl)# /ermit 2... ;3(config-st-nacl)# e:it ;3(config)# i/ a$$essliststandard +2 ;3(config-st-nacl)# /ermit 2..2. ;3(config-st-nacl)# e:it ;3(config# i/ a$$essliststandard+G+FP ;3(config-st-nacl)# /ermit 22-.22-.. ;3(config-st-nacl)# /ermit 22-.22-..2 ;3(config-st-nacl)# e:it ;3(config)# i/ a$$essliststandard+2G+FP ;3(config-st-nacl)# /ermit 22-.22-..3 ;3(config-st-nacl)# /ermit 22-.22-..4 ;3# de'ug i//im autor/ P 5uto-;P e%ugging is on 5uto-;P($)' ;ecei6e ;P-announce> 1:1

from 12$?1$$?1?1> ;Pcnt 1>

&t

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

5uto-;P($)' 5uto-;P($)' 5uto-;P($)' 5uto-;P($)' 5uto-;P($)' 5uto-;P($)' 5uto-;P($)' 5uto-;P($)' 5uto-;P($)'

!"2"#

*pate (22 ;P'12$?1$$?1?1)>P62 61 *pate (22 ;P'12$?1$$?1?1)>P62 61 +iltere 22 from 12$?1$$?1?1> ;Pcnt 1> &t 1:1 *pate (22 ;P'12$?1$$?1?1)> P62 61 *pate (22 ;P'12$?1$$?1?1)> P62 61 +iltere 22
;4# s%o& i/ /im r/ma//ing P roup-to-;P appings roup(s) 22 6261 nfo source' 12$?1$$?34?3 ()> electe 6ia 5uto-;P *ptime' $$'$$'$:> expires' $$'$2'<2 roup(s) 22 6261 nfo source' 12$?1$$?34?3 ()> *ptime' $$'$$'$:> expires' roup(s) 22 6261 nfo source' 12$?1$$?34?3 ()> *ptime' $$'$$'4=> expires' roup(s) 22 6261 nfo source' 12$?1$$?34?3 ()> *ptime' $$'$$'4=> expires'

E

electe 6ia 5uto-;P $$'$2'<1

electe 6ia 5uto-;P $$'$2'12

electe 6ia 5uto-;P $$'$2'$

!onfigure -* to monitor traffic forwarded through itself for traffic destined to the multicast groupof ((L.((L.).*. f no packet for this group is recei%ed within a single *)#second inter%al, ensure an S1$ trap is sent to an S1$ management station on *().*)).*)).*)) using a community string of public. B( pointsC

The $ multicast heartbeat feature facilitates the monitoring of the deli%ery of $ multicast packets and failure notifica# tion based on configurable parameters. 'y configuring -* to enable the heartbeat monitoring for the group ((L.(LL.).* with the subparameters of * and *), the router monitors a packet lost within * inter%al of *) seconds and will send an S1$ trap to the S1$host *().*)).*)).*)), which is re"uired to be configured within the basic S1$ trap configu# ration. 4ample (#2/ details there"uired multicast heartbeat configuration and %erification of the S1$ trap by issueof * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"2'#

a ping to ((L.((L.).* from -2. %en though -* does not ha%e a %alid 7$ oin#group for this group, traffic is still di# rected to it, and the heartbeat process is acti%ated. f you ha%e configured this correctly, as shown in4ample (#2/, you ha%e scored (points. E%MPL 263@ '1 Mu&tica#t eartbeatC$n/i"urati$n ;1(config)# snm/serer %ost2...tra/s /u'li$ ;1(config)# snm/serer ena'le tra/s i/multi$ast ;1(config)# i/ multi$ast%eart'eat 22-.22-..   ;1# de'ug snm//a$0ets ;3# /ing 22-.22-.. ;1# NMP! =ueuing /a$0et to 2... SNP' V1 !rap> ent cisco.xperiment?2?3?1> ar 12$?1$$?1$$?1> gentrap 7>spectrap 1 ciscop;oute9earteat.ntr"?2?22
Secti$n 7> Security ?7 P$int#A E

Allow -outer -N to passi%ely watch the S>1 connections that flow to only F:A1N2 for ser%ers that might re# side on this subnet. To pre%ent a potential =oS attack from a flood of S>1 re"uests, the router should be configured to randomly drop S>1 packets from any source to this F:A1 that ha%e not been correctly estab# lished within () seconds. B( pointsC

The "uestion re"uires that the T!$ intercept feature be configured on -N. This protects T!$ ser%ers from T!$ S>1# flooding attacks with a wa%e of half#opened connections o%erwhelming the ser%ers !$M, the result of which can effec# ti%ely cause a =oS attack. The default beha%ior of the feature is to intercept the S>1 connections to a ser%er and effec# ti%ely pro4y the connection until it hasbeen correctly established. 'ecause you are re"uested to passi%ely monitor the connection, you are re"uired to configure the feature into watch mode by use of the globali/ t$/ inter$e/t mode &at$% command. >ou are also re"uested to ensure that the feature is enabled only on F:A1 N2 from any source, so an access# default beha%ior of the feature is to drop S>1 list is re"uired to which the intercept features restricts its monitoring. The connections based on the oldest first, but the "uestion dictated that random connections must be dropped. This is achie%ed with the global command i/ t$/ inter$e/t dro/mode random . To ensure the ()#second limit is metas opposed * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"2+#

i/ t$/ inter$e/t &at$%timeout .2 to the default 2) second, adustment of the timers is re"uired with the global command f you ha%e configured this correctly, as shown in 4ample (#2, you ha%e scored ( points. Mse ofthe s%o& t$/ inter$e/t $onne$tionscommand would be useful to %erify yourconfiguration.

E%MPL 2639 ' TCP -nterceptC$n/i"urati$n  ;7(config)# i/ t$/ inter$e/t list

;7(config)# a$$esslist  /ermit t$/ an* 2..3. ...2-&at$% ;7(config)# i/ t$/ inter$e/t mode

;7(config)# i/ t$/ inter$e/t dro/mode random 2 ;7(config)# i/ t$/ inter$e/t &at$%timeout

E

!onfigure an A!: on -* to allow T!$ sessions generated on this router and through its thernet interface and to block T!$ sessions from entering on its +rame#-elay interface that were not initiated on it or through it srci# nally. =o not use the established feature within standard A!:s to achie%e this, and only apply A!:s on the +rame#-elay interface. The A!: should timeout after *)) seconds of locally initiated T!$ inacti%ity@ it should also enable !$ traffic inbound for testing purposes.B2 pointsC

The "uestion re"uires that a refle4i%e A!: be configured on -*. This enables T!$ traffic for sessions srcinating from within the network but denies T!$ traffic for sessions srcinating from outside the network. The refle4i%e A!: contains only temporary entries, which are automatically created when a new T!$ session is initiated. The entries are simply re# mo%ed 2)) seconds after thesession ends by default. Howe%er, the "uestion re"uires this to be modified to *)) seconds. To facilitate the refle4i%e A!:, you must configure a standard A!: inbound on the +rame#-elay interface, which per# mits the re"uired traffic inbound to -* and only returns traffic matching the refle4i%e A!:. -e"uired traffic is of course 7-$, $, $%N tunneling, and as directed !$ for testing. t6s a cruel "uestion because if you forget to permit any of the re"uired traffic inbound, you6ll lose points from a pre%ious section that you might ha%e otherwise achie%ed full marks in. f you didn6t know what protocol $%N uses, you can simply use the log option your on inbound A!: on a fi# nal deny statement. This would show you that the tunneling from -2 inbound to -* uses $ protocol 3*,which must be included in your inbound A!:. 4ample (#3) shows the re"uired configuration and %erification of the refle4i%e A!:. 'ecause traffic is only e%aluated by the A!: as it passes through the router, Switch * has been configured to belong to F:A1*))to telnet through -* to 6 I)E+F on -* and cre# -2 in the e4ample. 0hen initiated by Switch *, the telnet session passes through the A!: ates an entry in the refle4i%e A!: DHN(MICCP. -eal#time details can be seen by issuing the s%o& a$$esslistscom# mand on -*. The refle4i%e A!: permits return traffic to the telnet session inbound on the +rame#-elay interface for the * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"24#

configured inacti%ity inter%al of *)) seconds. f you ha%e configured this correctly, as shown in 4ample (#3), you ha%e scored 3 points. E%MPL 264+ '1 'e/&ei(e %CL C$n/i"urati$n an. Veri/icati$n ;1(config-if)#

i/ a$$essliste:tended6I)E+IN

;1(config-ext-nacl)# /ermit i$m/ an*an* ;1(config-ext-nacl)# /ermit eigr/ an* an* ;1(config-ext-nacl)# /ermit /im an*an* ;1(config-ext-nacl)#

/ermit t$/ %ost 2..3. %ost 2...'g/ e

;1(config-ext-nacl)#

2..23. /ermit 4 %ost 2..23.3 %ost

;1(config-ext-nacl)#

ealuate DHN(MICCP;1(config-

ext-nacl)# i/ a$$essliste:tended6I)E+F ;1(config-extnacl)# /ermit t$/an* an* re#le$t DHN(MICCP ;1(config-extnacl)# e:it  ;1(config)# i/ re#le:ielist timeout

;1(config)# inter#a$e erial55 ;1(config-if)#

in i/ a$$essgrou/ 6I)E+IN

;1(config-if)#

out i/ a$$essgrou/ 6I)E+F

SW1(config)# inter#a$e lan SW1(config-if)#

i/ add 2...2--.2--.2--.

SW1(config-if)#

e:it

SW1(config)# i/ route 2..3. 2--.2--.2--.2-2... SW1(config)# e:it SW1# tra$e 2..3. !"pe escape seAuence to a%ort? !racing t&e route to 12$?1$$?3?1 1 12$?1$$?1$$?1 $ msec 4 msec $ msec 2 12$?1$$?1$$?1 B5 I B5 SW1# telnet 2..3. !r"ing 12$?1$$?3?1

??? pen

*ser 5ccess Verification Pass8or' * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"2#

;3Yena'le Pass8or' ;3#

NT The -efle4i%e A!: is %alid only for traffic flowing through the router@ as such, you might e4perience con# necti%ity issues if you initiate a telnet session from -* without manipu# lating the telnet source option. This beha%ior has no bearing on points scored and should be considered a by#product of the solution. f you face a similar "uestion in the actual e4am and tel# net connecti%ity was re# "uired from the router

;1# s%o& a$$esslists Stanar P access list 1 1$ permit 12$?1$$?1?$ (3 matc&es) 2$ permit 12$?1$$?1$$?$ (3 matc&es) Stanar P access list ;*PS 1$ permit 22
you are configuring, you would specifically be instructed to ensure the correct operation of tel# net on that router.

2$ permit pim an" an" (2 matc&es) 2< permit tcp &ost 12$?1$$?3?1 &ost 12$?1$$?1?1 eA %gp (127 matc&es) 3$ e6aluate DON5/-!/P .xtene P access list +0!.;-*! 1$ permit tcp an" an" reflect DON5/-!/P (1: matc&es)

E

!onfigure -* so it is capable of performing S!$. The router should belong to a domain of toughtest.co.uk@ use local authentication with a username and password of cisco, a key size of 9N/ bits, and an SSH timeout of ( min# utes and retry %alue of (. B( pointsC.

S!$ is Secure !opy $rotocol@ it6s similar to remote copy but re"uires SSH to be running on the router for security pur# poses. t6s a tough "uestion because this is the kind of feature for which you will need to check the documentation. >ou will need to realize aspects of SSH are considered prere"uisites to enable S!$. %en if you hadn6t configured SSH or S!$ pre%iously, you should realize that you would need to configure a domain =, local authentication with a username and password, a key of some form, and some SSH timeout and retry %alues based on the directions. 'e careful on the %alues because the timeout is entered in seconds andnot minutes. >our username and password combination re"uires a pri%ilege le%el of *L set for S!$. f you ha%e configured this correctly, as shown in 4ample (#3*, you ha%e scored ( points.

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"21#

E%MPL 2641 '1 'CP C$n/i"urati$n ;1(config)# i/ domainnametoug%test.$o.u0 78 ;1(config)# $r*/to 0e* generate rsa modulus !&e name for t&e e"s 8ill %e' ;1?toug&test?co?u

H !&e e" moulus sie is =7: %its H enerating =7: %it ;S5 e"s> e"s 8ill %e non-exporta%le???FJG ;1(config)# aaa ne&model de#aultlo$al ;1(config)# aaa aut%enti$ation login

;1(config)# aaa aut%ori1atione:e$ de#ault lo$al ;1(config)# username $is$o /riilege - /ass&ord  $is$o ;1(config)# i/ ss% timeout2 2 ;1(config)# i/ ss% aut%enti$ationretries

;1(config)# i/ s$/ sererena'le ;1(config)# $$'<='2?343' HSS9-<-.N50.D' SS9 1? &as %een ena%le

Lab F'%P6

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"22#

Practice Lab +9(he ,P Lab The !! e4am commences with ( hours oftroubleshooting followed by L *5( hours of configuration and a final 2) minutes of additional "uestions. This lab has been timed to last for /hours of configuration andself#troubleshooting, so aim to complete thelab within this period. Then either score yourself at this point or continue until you feel you ha%e met all the obecti%es. >ou now are going to be guided through the e"uipment re"uirements and pre#lab tasks in preparation for taking this practicelab. f you don6t own si4 routers and four switches, consider using the e"uipment a%ailable and additional lab e4ercises and training facilities that can be found within the !! -&S 2N) program. =etailed information on the 2N) program and !! -&S e4am can be found on the following M-:s, respecti%elyD httpsD55learningnetwork.cisco.com5community5learningOcenter5ciscoO2N)52N)#rs

httpsD55learningnetwork.cisco.com5community5certifications5ccieOroutingOswitching NT The 2/(Ls used in this lab were loaded with c2/(L#ad%enterprisek# mz.*(3#N.T.bin, and the 29(L was loaded with c29(L#ad%enterprisek# mz.*(3#N.T.bin.

8uipment Li#t >ou need the following hardware and software components to begin this practicelabD E

Si4 routers loaded with !isco 8S Software -elease *(.3 Ad%anced nterprise image and the minimum interface configuration, as documented in Table 2#*

T%L 361 $ardware Re%uired &er Router '$u t er

NT The 2LL) in this lab was loaded with c2LL)# ipser%icesk#mz.*((# (L.S.bin, and the 2LN)s with c2LN)# ipser%icesk#mz.*((# (L.S.bin.

-* -(

M$ . e &

thernet -:;

2/(L 29(L

* P

Seria& -:;

* (

-2

2/(L

P

(

-3

2/(L

*

*

-L -N

2/(L 2/(L

* (

* P

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

NT 1otice i n the initial con# figurations supplied that some interfaces do not ha%e $ addresses pre# configured. This is be# cause either you do not use that interface or you need to configure this interface from default within the e4ercise. The initial configurations supplied should be used to preconfigure your routers and switches be# fore the lab starts.

E

!"23#

8ne 2LL) switch with !isco 8S Software -elease *(.( $ Ser%ices and three 2LN) switches with !isco 8S Software -elease *(.( $ Ser%ices.

Settin"

ou can use any combination of routers as long asyou fulfill the re"uirements within the topology diagram, as shownin +igure 2#*. Howe%er, it is recommended that you use the same model of routers because this makes life easier if you load configurations directly from those supplied into your ownde%ices.

Lab T$p$&$"y This practice lab uses the topology as outlined in +igure 2#*, which you must re#create with your own e"uipment.

f your routers ha%e dif# ferent interface speeds than those used within this book, adust the bandwidth statements on the rele%ant interfaces to keep all interface speeds in line. This ensures that you do not get unwanted beha%ior because of dif# fering nterior 7ateway $rotocol B&7$C metrics.

;-=<' 361 Lab T$p$&$"y !ia"ram

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"2#

S)itch -n#tructi$n# !onfigure F:A1 assignments from the configurations supplied on the !=#-8 or from Table2#(. T%L 362 ,L- -ssign* ent VL%N

S ) i tch 1

3L

+a)53, +a)5L, +a)5N

S ) i tch 2

S ) i tc h 3

P

P

())

+a)5*

P

P

3))

P

+a)5*

P

Trunk

+ a)5*

Trunk

+a)5()

+a)5N +a)5()

S) i t ch 4

P P P

P

P +a)5()

+a)5()

!onnect your switches with -;3L thernet !ross 8%er cables, as shown in +igure 2#(. ;-=<' 362 Switch8to8Switch Con8 nectivity

;rame 'e&ay -n#tructi$n# !onfigure one of the routers you are going to use in the lab as a +rame -elay switch, or ha%e a dedicated router purely for this task. This lab uses a dedicated router for the +rame -elay switch. A fully meshed en%ironment is configured be# tween all the +rame -elay routers. $ay attention in the lab as to which permanent %irtual circuits B$F!C are actually re# "uired. Reep the encapsulation and :ocal anagement nterface B:C settings to default for this e4ercise, but e4periment with the settings outside theselabs because you could be re"uired to configure the +rame -elay switching within your actuallab. f you are using your own e"uipment, keep the data circuit#terminating e"uipment B=!C cables at the frame switch end for simplicity and pro%ide a clock rate to all links from this end. * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"30#

After configuration, the +rame -elay connecti%ity represents the logical +rame -elay network, as shown in +igure2#2. ;-=<' 363 /ra*e Re)ay Logica) Connectivity

-P %..re## -n#tructi$n# n the actual !! lab, you find that the maority of your $ addresses are preconfigured. +or this e4ercise you are re# "uired to configure your $ addresses as shown in +igure 2#3 or to load the initial router configurations supplied. f you are manually configuring your e"uipment, be sure you include the following loopback addressesD -* :o) *().*)).*.*52( -( :o) *().*)).(.*52( -2 :o) *().*)).2.*52( -3 :o) *().*)).3.*52( -L :o) *().*)).L.*52( -N :o) *().*)).N.*52( S0* :o) *).*.*.*5(3 :o* *).*.(.*5(3 :o( *).*.2.*5(3 S0( :o) *).(.(.*5(3 * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"3"#

:o* *).(.2.*5(3 :o( *).(.3.*5(3 S02 :o) *).22.22.*5(3 :o* *).22.23.*5(3 :o( *).22.2L.*5(3 S03 :o) *).33.33.*5(3 :o* *).33.3L.*5(3 :o( *).33.3N.*5(3 ;-=<' 364 IP -ddressing iagra*

Pre6Lab Ta#0# E

'uild the lab topology pe r +igure 2#* and +igure 2#(.

E

!onfigure your +rame -elay switch router to pro%ide the necessary data#linkconnection identifiers B=:!C per +igure 2#2. * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

E

!"3'#

!onfigure the $ addresses on each router as shown in +igure 2#3 and add the loopback addresses. Alternati%ely, you can load the initial configuration files supplied if your router is compatible with those used to create this e4# ercise.

=enera& =ui.e&ine#

NT Access only these M-:s, not the whole !isco.com website because if you are permitted to use documentation during your !! lab e4am, it will be restricted. !on# sider opening se%eral windows with the pages you are likely to look at to sa%e time during your lab.

E

-ead the whole lab before you start.

E

=o not configure any static5default routes unless otherwise specified.

E

Mse only the =:!s pro%ided in the appropriate figures.

E

nsure full $ %isibility between routers for ping testing5Telnet access to your de%ices.

E

f you are running out of time, choose "uestions that you are confident you can answer. +ailing this, choose "ues# tions with a higher point rating to ma4imize your potential score.

E

7et into a comfortable and "uiet en%ironment where you can focus for the ne4t /hours.

E

Take a 2)#minute break midway through the e4ercise.

E

Ha%e a%ailable a !isco =ocumentation !=#-8, or access online the latest documentation from thefollowing M-:sD ww w.c is co c. om5un i %ercd 5 ho me 5ho m e .htm. www.cisco.com5en5MS5product s5 psN2L)5productsOin stallationOandOcon f i gurationOguidesOlist.html

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"3+#

Practice Lab Three ;-=<' 365 Lab (o&o)ogy iagra*

>ou will now be answering "uestions in relation to the network topologyas shown in +igure2#L.

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"34#

Secti$n 1> L%N S)itchin" an. ;rame 'e&ay ? P$int#A ;-=<' 36 Switch (o&o)ogy iagra*

E

!onfigure your switched network per +igure 2#N. >our switched network is physically nonlooped and therefore does not re"uire any ST$ root bridge configuration. !onfigure S0* +a)5* to belong to F:A1()) and S0( +a)5* to belong to F:A13)). !onfigure nterface +a)5* on S0* to become a trunk port toward -* and +a)5N on S0( to become a trunk port toward -N@ ports should use /)(.*Q encapsulation. -estrict the F:A1s permis# sible to use the trunk on Switch * +a)5* to F:A1*), L), and ()) and F:A1(), *)) and 3)) on Switch ( +a)5N. nterface +a)5() of each switch has been preconfigured to be a trunk port. >ou should also configure -* and -N to terminate the F:A1s on each router. !onnecti%ity between switches will be pro%ided %ia -* and -N later in the lab. B2 pointsC

E

S02 interface +a)5* and S03 interface +a)5* are re"uired tocommunicate with each other on the same $ subnet of *.*.*.)5(3@ configure these interfaces with $ addresses *.*.*.*5(3 and *.*.*.(5(3, respecti%ely. The in# terfaces should be configured to communicate as if connected directly as a point#to#point link. !ctual IP end#to# end connecti"ity will be achie"ed in a later section .# B* pointsC

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa "em$re 259 .etai&# /$r

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"3#

;-=<' 367 /ra*e8Re)ay Connectivity iagra*

E

>our initial +rame#-elay configuration has been supplied for the -*#-(#-2, -2#-3, and -(#-L connecti%ity. !onfigure +rame#-elay per +igure 2#9 to ensure each de%ice is reachable o%er the +rame#-elay network. 8nly use the indicated =:!&s. B( pointsC

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"31#

Secti$n 2> MPLS an. SP; ?19 P$int#A ;-=<' 36@ /ra*e8Re)ay Connectivity iagra*

E

!onfigure 8S$+ on your routers per +igure 2#/ to enable your network to transport $:S and $#'7$. All re# "uired interfaces Bincluding :oopback )C should be configured to belong to Area ). nsure all 8S$+ configura# tion is entered under the interfaces. B2 pointsC

E

!onfigure $:S on all routers within the 8S$+ domain@ use :=$, ensuring that T=$ can be used on unused in# terfaces without specifically configuring these interfaces for T=$. -outers -* and -N will become your $ routers, whereas -(, -2, -3, and -L will become $ routers. B3 pointsC

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"32#

;-=<' 369 ,R/ (o&o)ogy

E

>ou will be configuring two F$1s o%er your $:S networks per +igure 2# between $ routers of ':M and -=. At this point, assign the following interfaces on each $ router into separate routing instances within the routersD $ -* interface 7i)5) F:A1*) connection into F$1 ':M $ -* interface 7i)5) F:A1L) connection into F$1 -= $ -N interface 7i)5* F:A1() connection into F$1 ':M $ -N interface 7i)5* F:A1*)) connection into F$1 -= !onfigure F$1 ':M to use an -= of *)) and F$1 -= to use an -= of ()) for both importing and e4porting routes into your '7$ network, which will be configured later with an AS ofASNL))*. B3 pointsC

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"33#

E

!reate a network between $ -outer -* and ! de%ice Sw* using a F:A1*) interface on Sw* that can be trunked toward -*@ this network will reside in the ':M F$1. Mse a subnet of *).*).*).)52) with .*52) assigned to the $ and .(52) assigned to the !. B( pointsC

E

!reate a network between $ -outer -N and ! de%ice Sw( using a F:A1() interface on Sw( that can be trunked toward -N@ this network will reside in the ':M F$1. Mse a subnet of *).*).().)52) with .*52) assigned to the $ and .(52) assigned to the !. B( pointsC

E

!reate a network between $ -outer -* and ! de%ice Sw2 using a F:A1L) interface on Sw2 that can be trunked toward -*@ this network will reside in the -= F$1. Mse a subnet of *2).L).L).)52) with .*52) assigned to the $ and .(52) assigned to the !. B( pointC

E

!reate a network between $ -outer -N and ! de%ice Sw3 using a F:A1*)) interface on Sw3 that can be trunked toward -N@ this network will reside in the -= F$1. Mse a subnet of *2).*)).*)).)52) with .*52) as# signed to the $ and .(52) assigned to the !. B( pointsC

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"3#

Secti$n 3> =P ?5 P$int#A ;-=<' 361+ 76P (o&o)ogy

E

!onfigure $#'7$ between your $ routers, per +igure 2#*), to enable your network to transport the F$1%3 addresses of your configured F$1s B':M and -=C. Mse loopback interfaces for peering between your $ routers. >ou will configure the actual F$1 routing in later "uestions. B3 pointsC

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa "em$re 259 .etai&# /$r

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"0#

Secti$n 4> -='P an. MP6=P ?9 P$int#A ;-=<' 3611 EI6RP (o&o)ogy

E

!onfigure 7-$ per +igure 2#** between your $ -outer -N and ! Switch Sw(. Mse an 7-$ process number of * on -N and a process number of *) on Sw(. Mse F:A1() for 7-$ connecti%ity between -N and Sw(. Ad%ertise all preconfigured :oopback networks on Sw( to -N for the ':M F$1. B2 pointsC

E

!onfigure 7-$ per +igure 2#** between your $ -outer -* and ! Switch Sw*. Mse an 7-$ process number of * on -* and a process number of *) on Sw*. Mse F:A1*) for 7-$ connecti%ity between -* and Sw*. Ad%ertise all preconfigured :oopback networks on Sw* to -* for the ':M F$1. B2 pointsC

E

!onfigure your $ -outers -* and -N to transport 7-$ routes from your ! de%ices between the ':M F$1 using $#'7$. 7-$ networks residing on Sw* should be seen as internal 7-$ routes on Sw( and %ice %ersa. nsure all &7-$ routes ha%e a = of L) assigned to them within $#'7$. Mse a default#metric of *)))) *)) (LL * *L)) for '7$ routes when redistributed into 7-$. B2 pointsC

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!""#

Secti$n 5> SP; an. MP6=P ?9 P$int#A ;-=<' 3612 5SP/ (o&o)ogy

E

!onfigure 8S$+ per +igure 2#*( for your F-+ -= with a process number of 2 on $ -outer -* and Sw2 using F:A1L) for connecti%ity. Mse a process = of ( on $ -outer -N and ! de%ice Sw3 using F:A1*)) for con# necti%ity. >ou should permit only internal 8S$+ routes to be ad%ertised across your F$1 and ensure the redistri# bution of '7$ routes into 8S$+ are assigned as Type * 4ternal routes with no manually adusted cost associated to them. t is acceptable for these routes to come through as 52( routes because of default 8S$+ beha%# ior of :oopback interfaces. B2 pointsC

E

>ou will notice that your 8S$+ A Bntra AreaC routes between ! de%ices Sw2 and Sw3 appear as Type * 4# ternal routes@ configure your 8S$+ network appropriately to ensure the routes are displayed correctly as A routes. >ou are not permitted to adust the 8S$+ redistribution into '7$ as directed in the pre%ious "uestion. aintain the 8S$+ process =s are pre%iously directed@ you are permitted to configure only -outer -*. BN pointsC

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"'#

Secti$n > MPLS ?7 P$int#A E

:eak network *).*.*.)5(3 from Sw* F-+ ':M on $ -* into the F-+ -= on $*@ similarly, leak *).33.33.)5(3 from F-+ -= into F-+ ':M on -N. 'oth Switch * and Switch 3 should recei%e the following routesD S0*Y show ip route G include *).33.33.) = X

*).33.33.)5(3 *9)5XXXXXXI %ia *).*).*).*, ))D))D(9, Flan*)

S0*Y S03Y show ip route G include *).*.*.) 8 *

*).*.*.)5(3 **)5XXI %ia *2).*)).*)).*, ))D)2D)3, Flan*))

S03Y Ferify your configuration by pinging from F-+ -= Sw3 *).33.33.* to F-+ ':M Sw* *).*.*.* sw*. BL pointsC E

!onfigure your $ -outers -* and -N to ensure that the $:S $ routers are not listed as intermediate hops when

t ace e s perf d y d s. p a r rout i orme on our ! e%ice B( ointsC

Secti$n 7> VPLS Simu&ati$n ?1+ P$int#A E

Switches 2 and 3 will ha%e been configured to belong to the subnet of *.*.*.)5(3 within a pre%ious "uestion. !re# ate an Xconnect attachment circuit on your $ -outers -* and -N for your ! de%ices BSw2 +e )5* *.*.*.*5(3 and Sw3 +e )5* *.*.*.(5(3C to communicate using a secure :ayer ( tunneling solution Buse %ersion 2C across your :ayer 2 network. >ou should use e4isting loopback interfaces on your $ routers for peering o%er your $:S network. Mse a class template that configures a cookie size of / and a password of cisco, which will be used by a pseudowire class that Xconnects your re"uired interfaces on your $ -outers -* and -N. 'e aware that the Sw2 resides in F:A1()), and Sw3 resides in F:A13)) in respecti%e $ router subinterfaces. B*) pointsC

Secti$n @> Mu&tica#t ?1+ P$int#A E

!onfigure your $:S network for multicast support of the -= F-+ using $ sparse mode. $ -outers -* and -N should be configured to tunnel multicast traffic using an =T address of (2(.).).** from ! de%ice Switch 2 F:A1L) to ! de%ice Sw3 F:A1*)) o%er the -= F-+. Switch 3 should be configured to reply to * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"+#

an !$ ping on its F:A1*)) interface directed to ((N.(.(.( from Switch 2 F:A1L). t can be assumed that the mF-+ bandwidth re"uirement is low@ configure =T appropriately. nsure that $ -outer -N6s associated F:A1*)) $ address is used as the rendez%ous point for the -= F-+ multicast traffic. B*) pointsC

Secti$n 9> -P( ? P$int#A E

!onfigure the following $%N address on the $ -outers -* and -N, and implement $%N o%er $:S between the N$ routers to ad%ertise the prefi4es between N$s. nsure your loopback $%N addresses are used to source any locally generated &$%N traffic. BN pointsC -* :o) ()*)D!*LD!)D*DD*5N3 -* 7i)5).*) ()*)D!*LD!)D**DD*5N3 -N :o) ()*)D!*LD!)DNDD*5N3 -N 7i*5).() ()*)D!*LD!)DN(DD*5N3

Secti$n 1+> B$S ?13 P$int#A E !reate the following QoS profile on your $ -outer -* for traffic egressing to your ! de%ice connected

to the ':M F-+@ use an appropriate method of prioritizing =S!$ traffic so that A+2* packets are statistically dropped more fre"uently than A+2( during congestion, and reduce the effects of T!$ global synchronization within your &SS&81#!-&T&!A: and solely reduce the effect of T!$ global synchronization within the =+AM:T classD B9 pointsC

C&a##

!SCP Va&ue

F8&!

+, !SL

&SS&81#!-&T&!A: =+AM:T E

H $/ an.)i.th%##i"ne.

2L

!SN, A+2*, A+2(, !S2 Any

3) (L

!reate the following QoS profile on your $ -outer -* for traffic ingressing fr om your ! de%ice connected to the ':M F-+ into the $:S network@ the total aggregate speed from the ! to $ should be restricted to * bpsD

C&a##

F8&!

C-' ?bp#A

2L),))) * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

&SS&81#!-&T&!A:

3)),)))

=+AM:T

(L),)))

E

!"4#

Traffic in the F8! class within the detailed !- should ha%e the $:S X$ set to L and abo%e discarded. Traffic in the &SS&81#!-&T&!A: class within the detailed !- should ha%e the $:S X$ set to 2 and abo%e set to 9. Traffic in the =+AM:T class within the detailed !- should ha%e the $:S X$ set to ) and abo%e set to 3. BN pointsC

Secti$n 11> Security ?13 P$int#A E

!reate three new loopback $ addresses of loopback* on -3, -L, and -NPuse $ addresses of 3.3.3.35(3, L.L.L.L5(3, and N.N.N.N5(3, respecti%ely. Mse 7-$ to ad%ertise the loopback networks between routers o%er a common 7- tunnel network of *)).*)).*)).X5(3 BX[router numberC sourced from each routerou are not permitted to enable 7-$ on your thernet interfaces between routers. Spoke routers must communicate with each other directly using dynamic $sec con# nections with the aid of 1H-$ at the hub, whereas hub#to#spoke $sec connections should be permanent. The hub router should pro%ide all necessary direct ne4t#hop information to the spoke routers when they are re"uired to communicate between themsel%es. 1H-$ should be authenticated with a password of S!-T. Mse an TM of *3*N for your secure traffic, an 1H-$ timeout of *)) seconds for spoke replies, and a delay of (mS on the tunnel network. Test your solution by e4tended pings sourced from the configured loopback interfaces. B*) pointsC

E

NT This section should be used only if you re"uire clues to complete the "uestions. n the actual !! lab, the proctor will not enter into any discussions about the "uestions or answers@ he or she will be present to ensure you do not ha%e problems with the lab en%ironment and to maintain the timing ele# ment of the e4am.

The network manager of your network cannot ustify a full security implementation but wants toimplement a so# lution that pro%ides a password prompt from -* only when the keyboard entry * is entered on the console port Bas opposed to the normal !-5nter keyC. !onfigure -* appropriately. 2 points

Practice Lab 3> %#0 the Pr$ct$rD Secti$n 1> L%N S)itchin" an. ;rame 'e&ay QD =o you want me to configure :ayer ( between Switch 2 and Switch 3 so that they can communicate on subnet the *.*.*.)5(3? * 2+1 + Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# pr$tecte. by c $pyri"ht P&ea#e #ee pa" /$rem$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"#

AD 1o, simply configure the switches as directed in the "uestion and :ayer ( connecti%ity will be pro%isioned later within the lab when your core network is configured. acceptable? QD 0ith my +rame -elay  can only reach my spoke routers from the Hub. s this

AD 1o, the "uestion states that each de%ice must be reachable o%er the frame#relay network@ this includes spoke#to# spoke communication.

Secti$n 2> MPLS an. SP; QD =o you re"uire 8S$+ for any interfaces on -* and -N that connect to theswitches? AD 1o, ust configure 8S$+ per the figure@ this is re"uired to ad%ertise your loopback addresses for $:S. QD =oes it matter what 8S$+ $rocess =  use on myrouters? AD 1o, the "uestion doesn6t direct you to use a specific process =, so you can use an = of your choice. QD =o you want the 8S$+ from the core routers e4tended into the -= F-+  created so  run end#to#end 8S$+ be# tween ! Switch* and ! switch(? 8S$+ AD 1o, you will ultimately achie%e this connecti%ity through an $:S F$1 and not by simply e4tending through your corede%ices. F-+? QD =o you want me to configure my -= F-+ with a route descriptor of *)) and ()) for the ':M $#'7$ AD >ou ha%e been pro%ided with additional information in the "uestion that enables you to facilitate use of e4tended communities. -=? QD So ust add in the $#'7$ AS number to the results. AD A combination of the two will achie%e the desired

QD  can6t ping to my F:A1*) interface on Switch* from -*. =o  need to perform any further configuration to make this work? AD 1o, ust remember that -* is now a $ router with multiple F-+ routing tables. >ou need to ensure you source your ping correctly@ otherwise, -* would use its default routing table Bwhich is used for the $:S connecti%ityC.

Secti$n 3> =P routers? QD =o you want me to configure a full mesh of '7$ between all * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"1#

AD 1o, $#'7$ is simply re"uired between the $ routers. other? QD =o you need me to configure the $s to send community %alues to each

AD >ou need to remember how $:S works and ensure that the route targets are propagated to successfully configure your F$1s. here? QD  usually configure ne4t#hop self on my '7$ configurations. s this acceptable configuration. AD >ou ha%en6t been instructed not to use this command at this point e%en though this is an i'7$

Secti$n 4> -='P an. MP6=P QD 7-$ re"uires the same AS number on neighbor routers to peer successfully. f  use a different number onand -N Switch(, they cannot peer correctly. AD !orrect. :ook for a method of making the AS number the same within your F-+ specific configuration-N. on

Secti$n 5> SP; an. MP6=P QD =o you want me to configure 8S$+, $:S, and '7$ initially within the 8S$+ section? AD 1o, ust initially as directed 8S$+@ this will enable your network to transport $:S and '7$ within later "ues# tions. QD !hanging the process = on 8S$+ peers wouldn6t affect any adacency. 0hy would  need to dothis? AD >ou are correct, but you ha%e been directed to do so in the "uestion. t will become e%ident why you ha%e been asked to do this in a later "uestion. QD 0hy would  want to ad%ertise the 8S$+ routes as 4ternal type#* routes within '7$@ surely the routes should ap# pear as standard interarea routes through the F$1? AD !orrect, this "uestion is a little misleading. The routes will come out as Type#* 4ternal routes on your ! de%ices, and it would appear that you ha%e modified this beha%ior with your redistribution configuration. This beha%ior should become apparent why in the following"uestion. QD  think if  change the redistribution of 8S$+ into '7$,  can make the 8S$+ routes appear as ntra#area routes.=o  score any points if  change the redistribution? AD 1o, by all means try to change the redistribution, though@ it might help you understand issue. the

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"2#

QD  changed the redistribution and the routes remain identical. This must ha%e something to do withdifferent the 8S$+ process =  had to configure@  can6t adust this, so  am stuck. AD >ou had a similar issue with 7-$ AS numbers@ ust in%estigate what is possible within your F-+ configuration. QD f & change the domain = on -*, is thatacceptable? AD +ind an appropriate %alue and try it out.

Secti$n > MPLS QD  can manage to leak routes between F-+s but my route comes out as a host route. !an  modify my :oopback in# mask? terface with the 8S$+ net&or0 command on Switch3, so it is ad%ertised with the correct AD >es

Secti$n 7> VPLS Simu&ati$n QD =o you want me to create a pseudowire with $:S encapsulation to connect Switch2 and Switch3 at :ayer(? AD 1o, you might ha%e found this "uestion in the $:S section if that were wanted@ the clue is in the "uestion as to which solution you shoulduse. QD s this $:S#specific, or could  do this o%er a standard :ayer 2 network? AD >ou could achie%e the same result o%er a standard :ayer 2 network@ ust e4ercise caution where you configure your parameters to achie%e the correct results in the appropriate F-+. QD Xconnect is usually associated with :(T$. !an  use this technology for my solution? AD >es. QD  ha%e my :(T$%2 tunnel up end#to#end, yet  cannot ping between switches.  suspect a spanning#tree type issue if the "uestion states F:A1 differences when  need to pro%ide :ayer ( adacency. Am  at liberty to manipulate span# ning tree? AD >es.

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa "em$re 259 .etai&# /$r

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"3#

Secti$n @> Mu&tica#t routers? QD =o you want me to enable $ o%er my $ routers or ust $ configuring AD The "uestion states $:S network. To pro%ide end#to#end multicast support, you might find that $ end#to#end isre"uired.

QD =o you want $ on my $:S router loopbackinterfaces? network. AD >ou might find it is re"uired at certain points within your $:S

QD  ha%e a ulticast =istribution Tree tunnel between $ routers, but  don6t understand what the low bandwidth re# "uirement is. AD =T has differing re"uirements for high and low bandwidth sources@ you might or might not re"uire a =ata =T. QD To get Switch 3 to reply to a ping to ((N.(.(.(, can  ust configure an 7$ oin group appropriatelyits on F:A1*)) interface? AD >ou can.

Secti$n 9> -P( QD =o you want me to run $%N down to my ! switches and redistribute anything o%er $:S? AD >our switches are currently not capable of running&$%N. QD Should  ust ad%ertise my $%N prefi4es with the '7$ network command? AD >es, because there is no redistribution to be configured.

Secti$n 1+> B$S QD =o you want the first QoS policy outbound on the ':M F-+ interface on $ -outer -*? AD >es. flows? QD To prioritize =S!$ traffic, do you want me to configure some priority "ueuing within a class for A+2(

AD 1o, use a common techni"ue whereby traffic is dropped randomly as "ueues fill. A+2* packets should be dropped more fre"uently than A+2(,though. QD Are you looking for -andom arly=etect? * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa "em$re 259 .etai&# /$r

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!"#

AD >ou6re almost there@ this wouldn6t offer the inherent drop preference, though. correct? QD The second QoS policy limits traffic to * bs, yet the first will be line rate at * 7bp. s this

AD >es,  appreciate that this isn6t the real world@ it ust pro%ides you with two different configuration e4ercises. QD =o & use the same packet marking classes in each"uestion? AD >es. QD s this =iffSer% whereby you want me to modify the topmost bits in the X$ field? AD >es. QD =o you want the policy applied to the ! facing F-+ ':M interface as an input ser%ice policy? network. AD >es, this would then modify the traffic as it flows into the $:S

Secti$n 11> Security encrypted? QD =on6t  need an A!: to mark all traffic that should be

AD 1o, your solution will not re"uire an A!:, and all traffic flowing from the new subnets you created should auto# matically be encrypted. QD The clues in the "uestion suggest this is a =F$1 "uestion.  ha%e configured my solution correctly, yet  don6t get spoke routes on the spoke routers. s thisacceptable? AD 1o, you need full network %isibility from all de%ices and not ust the hub. beha%ior? QD This sounds like a split#horizon issue@ can  disable this

AD >es. okay? QD  still show a ne4t hop of the hub between spoke networks, is this

AD 1o@ the "uestion specifically states that spoke routers must be able to communicate with each other directly. QD !an & modify the ne4t hop from thehub? AD >es. prompt? QD =o you want me to get -* to somehow translate a !- into a * to then pro%ide a password

AD 1o, ust make the router pro%ide a prompt when it recei%es an AS! *, rather than a !- on the line con )port.

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!'00#

Practice Lab 3 !ebrie/ The lab debrief section now analyzes each "uestion showing you what was re"uired and how to achie%e the desired re# sults. >ou should use this section to produce an o%erall score for $ractice :ab 2.

Secti$n 1> L%N S)itchin" an. ;rame 'e&ay ? P$int#A E

!onfigure your switched network per +igure 2#N. >our switched network is physically nonlooped and therefore does not re"uire any ST$ root bridge configuration. !onfigure S0* +a)5* to belong to F:A1()) and S0( +a)5* to belong to F:A13)). !onfigure nterface +a)5* on S0* to become a trunk port toward -* and +a)5N on S0( to become a trunk port toward -N@ ports should use /)(.*Q encapsulation. -estrict the F:A1s permissible to use the trunk on Switch * +a)5* to F:A1*), L), and ()) and F:A1(), *)), and 3)) on Switch ( +a)5N. nterface +a)5() of each switch has been preconfigured to be a trunk port. >ou should also configure -* and -N to terminate the F:A1s on each router. !onnecti%ity between switches will be pro%ided %ia -* and -N later in the lab. B2 pointsC

This is a simple "uestion, but you are re"uired to complete multiple configuration items to gain your points. The con# figuration enables connecti%ity between switches when the $:S section has been completed later in the lab. To begin, $orts +a)5* of Switch * and Switch ( should be assigned the correct F:A1. BThe actual F:A1s would ha%e been cre# ated pre%iously in theinitial configuration.C 1e4t, the trunking is configured as directed with allowed F:A1s of *), L), and ()) for Switch * and (), *)), and 3)) for Switch (. -* and -N are configured with the corresponding F:A1 num# bers as subinterfaces to terminate the trunk connections from switch* and switch( using an identical reference for the dot*" encapsulation. f you ha%e configured thiscorrectly as shown in 4ample 2#*, you ha%e scored 2 points. E%MPL 361 S)1, S)2, '1, an. 'C$n/i"urati$n NT -* and -N use the F:A1 number for the encapsulation and the sub interface number. >our sub interface number does not need to match the F:A1 number, but it is considered good prac# tice to do so.

S8itc&1# s%o& run inter#a$e 6astEt%ernet 59 B interface +ast.t&ernet$,1 s8itc&port access 6lan 2$$ s8itc&port moe access S8itc&1# s%o& run inter#a$e 6astEt%ernet 5 B interface +ast.t&ernet$,1 s8itc&port trun encapsulation ot1A s8itc&port trun allo8e 6lan 1$><$>2$$

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa "em$re 259 .etai&# /$r

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

s8itc&port

!'0"#

moe trun

59 S8itc&2# s%o& run inter#a$e 6astEt%ernet B interface +ast.t&ernet$,1 s8itc&port access 6lan 4$$ s8itc&port moe access

S8itc&2# s%o& run inter#a$e 6astEt%ernet 5 B interface +ast.t&ernet$,7 s8itc&port trun encapsulation ot1A s8itc&port trun allo8e 6lan 2$>1$$>4$$ s8itc&port moe trun ;1# s%o& run > 'egin inter#a$e Giga'itEt%ernet5 B interface iga%it.t&ernet$,$ no ip aress B interface iga%it.t&ernet$,$?1$ encapsulation ot1Z 1$ B interface iga%it.t&ernet$,$?<$ encapsulation ot1Z <$ B interface iga%it.t&ernet$,$?2$$ encapsulation ot1Z 2$$

;7# s%o& run > 'egin inter#a$e Giga'itEt%ernet5 B interface iga%it.t&ernet$,1 no ip aress B interface iga%it.t&ernet$,1?2$ encapsulation ot1Z 2$ B interface iga%it.t&ernet$,$?1$$ encapsulation ot1Z 1$$ * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!'0'#

B interface iga%it.t&ernet$,1?4$$ encapsulation ot1Z 4$$

E

S02 interface +a)5* and S03 interface +a)5* are re"uired tocommunicate with each other on the same $ subnet of *.*.*.)5(3. !onfigure these interfaces with $ addresses *.*.*.*5(3 and *.*.*.(5(3, respecti%ely. The in# terfaces should be configured to communicate as if connected directly as a point#to#point link. !ctual IP end#to# end connecti"ity will be achie"ed in a later section .# B* pointsC

A straightforward configuration task to change the operation of the ports to nonswitchport :ayer 2 mode where an $ address can be configured, end#to#end connecti%ity is achie%ed through the $ network at a later stage. f you ha%e con# figured this correctly, as shown in 4ample 2#(, you ha%e scored *point. E%MPL 362 S)3 an. S)4C$n/i"urati$n 59 S8itc&3# s%o& run inter#a$e 6astEt%ernet Q inter#a$e 6astEt%ernet 59 no s8itc&port

ip aress 1?1?1?1 2<
E

aress

1?1?1?2 2<
>our initial +rame#-elay configuration has been supplied for the -*#-(#-2, -2#-3, and -(#-L connecti%ity. !onfigure +rame#-elay, per +igure 2#9, to ensure each de%ice is reachable o%er the +rame#-elay network. 8nly use the indicated =:!s. B( pointsC

The initial +rame#-elay configuration has been supplied for you@ all youneed to do is create additional maps on -* and -( spoke routers to enable them to communicate with each other by directing traffic toward the Hub -outer -2 Bbecause the initial configuration uses no in%erse arpC. f you ha%e configured this correctly, as shown in 4ample 2#2, you ha%e scored ( points. E%MPL 363 '1 an. '2 %..iti$na& ;rame6'e&ay C$n/i"urati$n an. Veri/icati$n ;1(config)# inter#a$e erial55 ;1(config-if)#

'road$ast #ramerela* ma/ i/ 2..23.2 3

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!'0+#

;2(config)# inter#a$e erial5 ;2(config-if)#

#ramerela* ma/ i/ 2..23. 23 'road$ast

;1# /ing 2..23.2 !"pe escape seAuence to a%ort? Sening <> 1$$-%"te /P .c&os to 12$?1$$?123?2> timeout is 2 secons' BBBBB Success rate is 1$$ percent (<,<)> roun-trip min,a6g,max C :,:,: ms

Secti$n 2> MPLS an. SP; ?19 P$int#A E

!onfigure 8S$+ on your routers, per +igure 2#/, to enable your network to transport $:S and $#'7$. All re"uired interfaces Bincluding :oopback )C should be configured to belong to Area ). nsure all 8S$+ configura# tion is entered under the interfaces. B2 pointsC

8S$+ is used as the 7$ in which to ad%ertise the router loopback addresses, which will of course be used for the$:S connecti%ity. The "uestion directs you to configure 8S$+ directly under the interfaces of the routers. 4ample 2#3 shows the :oopback interfaces of each router from -*6s perspecti%e ad%ertised as host routes as re"uired for $:S. f you ha%e s%o& i/ os/# inter#a$e configured this correctly, as shown in 4ample 2#3, you ha%e scored 2 points. !onsider using the command to %erify your configuration. E%MPL 364 SP; C$n/i"urati$n an. Veri/icati$n ;1(config-if)#

int lo

;1(config-if)#

i/ os/#  area

;1(config-if)#

int s55

;1(config-if)#

i/ os/#  area

;2(config-if)#

int lo

;2(config-if)#

i/ os/#  area 

;2(config-if)#

int s5

;2(config-if)#

i/ os/#  area

;2(config-if)#

int s5

;2(config-if)#

i/ os/#  area

;3(config-if)#

int lo

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

;3(config-if)#

i/ os/#  area

;3(config-if)#

int s55

;3(config-if)#

i/ os/#  area

;3(config-if)#

int s55

;3(config-if)#

i/ os/#  area

;4(config-if)#

int lo

;4(config-if)#

i/ os/#  area

;4(config-if)#

int gi5

;4(config-if)#

i/ os/#  area

;4(config-if)#

int s55

;4(config-if)#

i/ os/#  area

;<(config-if)#

int lo

;<(config-if)#

i/ os/#  area

;<(config-if)#

int gi5

;<(config-if)#

i/ os/#  area

;<(config-if)#

int s55

;<(config-if)#

i/ os/#  area

;7(config-if)#

int lo

;7(config-if)#

i/ os/#  area

;7(config-if)#

int gi5

;7(config-if)#

i/ os/#  area

!'04#

;1# s%o& i/ routeos/# 12$?$?$?$,: is 6aria%l" su%nette> 12 su%nets> 2 mass  12$?1$$?2 $$'34'1:> Serial$,$,$  12$?1$$? $$'34'1:> Serial$,$,$  12$?1$$?4?1,32 F11$,12G 6ia 12$?1$$?123?3> $$'34'1:> Serial$,$,$  12$?1$$?7?1,32 F11$,13$G 6ia 12$?1$$?123?3> $$'34'1:> Serial$,$,$ F11$,13$G 6ia 12$?1$$?123?2> $$'34'1:> Serial$,$,$  12$?1$$?3?1,32 F11$,7 $$'34'1:> Serial$,$,$  12$?1$$?2?1,32 F11$,7 $$'34'1:> Serial$,$,$  12$?1$$?4 $$'34'1:> Serial$,$,$ F11$,12G 6ia 12$?1$$?123?2> $$'34'1:> Serial$,$,$ 12$?1$$?34?$,24 F11$,12:G 6ia 12$?1$$?123?3> $$'34'1:> Serial$,$,$ 

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa "em$re 259 .etai&# /$r

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

 

E

12$?1$$?123?3,32 F11$,74G 6ia 12$?1$$?123?3> $$'34'1:> 12$?1$$?123?2,32 F11$,74G 6ia 12$?1$$?123?2> $$'34'1:>

!'0# Serial$,$,$ Serial$,$,$

!onfigure $:S on all routers within the 8S$+ domain@ use :=$ ensuring that T=$ can be used on unused in# terfaces without specifically configuring these interfaces for T=$. -outers -* and -N will become your $ routers, whereas -(, -2, -3, and -L will become $ routers. B3 pointsC

!onfiguration is re"uired on each router for them to become :S-s B:abel Switch -outersC. The :S-s must ha%e :oop# back interfaces with an address mask of 2( bits, and these interfaces must be reachable within the global $ routing table Bwhich the pre%ious "uestion achie%edC. -* and -N are the $ B$ro%ider dgeC routers, which will be used to connect to switches in later "uestions simulating ! B!ustomer dgeC de%ices. -(, -2, -3, a nd -L become the $ B$ro%iderC routers, which will be used to switch labeled packets between the $ routers. The "uestion tells you to use :=$ B:abel =istribution $rotocolC but facilitate the future use of T=$ BTag =istribution $rotocolC without further configuration on unused interfaces. This is achie%ed by configuring T=$ globally and :=$ under each interface used for $:S within this lab. BThe default global and interface configuration is :=$C. The $ routers re"uire only $:S configured on their serial interfaces toward the $ routers. f you ha%e configured this correctly, as shown in 4ample 2#L, you ha%e scored 3points. E%MPL 365 MPLS C$n/i"urati$n td/ ;1(config)# m/ls la'el /roto$ol

;1(config)# inter#a$e erial55 ;1(config-if)#

m/ls la'el /roto$olld/

;1(config-if)#

m/ls i/

;2(config)# m/ls la'el /roto$ol td/ ;2(config)# inter#a$e erial5 ;2(config-if)#

m/ls la'el /roto$olld/

;2(config-if)#

m/ls i/

;2(config-if)#

m/ls la'el /roto$olld/

;2(config-if)#

m/ls i/

;3(config)# m/ls la'el /roto$ol td/ ;3(config)# inter#a$e erial55 ;3(config-if)#

m/ls la'el /roto$olld/

;3(config-if)#

m/ls i/

;3(config-if)#

inter#a$eerial55

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa "em$re 259 .etai&# /$r

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

;3(config-if)#

m/ls la'el /roto$olld/

;3(config-if)#

m/ls i/

!'01#

td/ ;4(config)# m/ls la'el /roto$ol

;4(config)# inter#a$eGiga'itEt%ernet5 ;4(config-if)#

m/ls la'el /roto$olld/

;4(config-if)#

m/ls i/

;4(config-if)#

inter#a$eerial55

;4(config-if)#

m/ls la'el /roto$olld/

;4(config-if)#

m/ls i/

;<(config)# m/ls la'el /roto$ol td/ ;<(config)# inter#a$eGiga'itEt%ernet5 ;<(config-if)#

m/ls la'el /roto$olld/

;<(config-if)#

m/ls i/

;<(config-if)#

inter#a$eerial55

;<(config-if)#

m/ls la'el /roto$olld/

;<(config-if)#

m/ls i/

td/ ;7(config)# m/ls la'el /roto$ol

;7(config)# inter#a$eGiga'itEt%ernet5 ;7(config-if)#

m/ls la'el /roto$olld/

;7(config-if)#

m/ls i/

4ample 2#N shows %erification of the configuration with the :=$ peering between each router. 1otice that the loop# back addresses are used for :=$ peer identification. E%MPL 36 MPLS C$n/i"urati$nVeri/icati$n ;1# s%o& m/ls ld/neig%'or Peer 0DP ent' 12$?1$$?2?1'$U 0ocal 0DP ent 12$?1$$?1?1'$ !/P connection' 12$?1$$?2?1?4$41: - 12$?1$$?1?1?747 State' perU sgs sent,rc6' 7,=1U Do8nstream *p time' $$'4='2$ 0DP isco6er" sources' Serial$,$,$> Src P ar' 12$?1$$?123?2 5resses %oun to peer 0DP ent' 12$?1$$?123?2 12$?1$$?2
CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!'02#

!/P connection' 12$?1$$?3?1?<137 - 12$?1$$?1?1?747 State' perU sgs sent,rc6' 7:,7:U Do8nstream *p time' $$'4='1: 0DP isco6er" sources' Serial$,$,$> Src P ar' 12$?1$$?123?3 5resses %oun to peer 0DP ent' 12$?1$$?123?3 12$?1$$?3?1 12$?1$$?34?3 ;2# s%o& m/ls ld/neig%'or Peer 0DP ent' 12$?1$$?3?1'$U 0ocal 0DP ent 12$?1$$?2?1'$ !/P connection' 12$?1$$?3?1?171 - 12$?1$$?2?1?747 State' perU sgs sent,rc6' =1,7:U Do8nstream *p time' $$'47'33 0DP isco6er" sources' Serial$,$> Src P ar' 12$?1$$?123?3 Serial$,1> Src P ar' 12$?1$$?34?3 5resses %oun to peer 0DP ent' 12$?1$$?123?3 12$?1$$?3?1 12$?1$$?34?3 Peer 0DP ent' 12$?1$$? Src P ar' 12$?1$$?2 Src P ar' 12$?1$$?123?1 5resses %oun to peer 0DP ent' 12$?1$$?123?1 12$?1$$?1?1 Peer 0DP ent' 12$?1$$?4?1'$U 0ocal 0DP ent 12$?1$$?2?1'$ !/P connection' 12$?1$$?4?1?4=4$1 - 12$?1$$?2?1?747 State' perU sgs sent,rc6' <4,<=U Do8nstream *p time' $$'32'2: 0DP isco6er" sources' * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

Serial$,1> Src P ar' 12$?1$$?34?4 5resses %oun to peer 0DP ent' 12$?1$$?4?1 4?4?4?4 12$?1$$?4
!'03#

1$$?1$$?1$$?4

;3# s%o& m/ls ld/neig%'or Peer 0DP ent' 12$?1$$?2?1'$U 0ocal 0DP ent 12$?1$$?3?1'$ !/P connection' 12$?1$$?2?1?747 - 12$?1$$?3?1?171 State' perU sgs sent,rc6' 7,=2U Do8nstream *p time' $$'4='11 0DP isco6er" sources' Serial$,$,$> Src P ar' 12$?1$$?123?2 Serial$,$,1> Src P ar' 12$?1$$?2 Src P ar' 12$?1$$?123?1 5resses %oun to peer 0DP ent' 12$?1$$?123?1 12$?1$$?1?1 Peer 0DP ent' 12$?1$$? Src P ar' 12$?1$$?2 Src P ar' 12$?1$$?34?4 5resses %oun to peer 0DP ent' 4?4?4?4 12$?1$$?4
CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!'0#

12$?1$$?34?4 ;4# s%o& m/ls ld/neig%'or Peer 0DP ent' 12$?1$$?7?1'$U 0ocal 0DP ent 12$?1$$?4?1'$ !/P connection' 12$?1$$?7?1?<<234 - 12$?1$$?4?1?747 State' perU sgs sent,rc6' =4,=7U Do8nstream *p time' $$'43'<2 0DP isco6er" sources' iga%it.t&ernet$,$> Src P ar' 12$?1$$?4 Src P ar' 12$?1$$?4 Src P ar' 12$?1$$?2 Src P ar' 12$?1$$?2 Src P ar' 12$?1$$?34?3 5resses %oun to peer 0DP ent' 12$?1$$?123?3 12$?1$$?3?1 12$?1$$?34?3 ;<# s%o& m/ls ld/neig%'or Peer 0DP ent' 12$?1$$?2?1'$U 0ocal 0DP

ent 12$?1$$?
* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!'"0#

!/P connection' 12$?1$$?2?1?747 - 12$?1$$? Src P ar' 12$?1$$?2 Src P ar' 12$?1$$?4 Src P ar' 12$?1$$?4 Src P ar' 12$?1$$?34?4 5resses %oun to peer 0DP ent' 12$?1$$?4?1 4?4?4?4 12$?1$$?4 Src P ar' 12$?1$$?34?3 5resses %oun to peer 0DP ent' 12$?1$$?123?3 12$?1$$?3?1 12$?1$$?34?3 ;7# s%o& m/ls ld/neig%'or Peer 0DP ent' 12$?1$$?
CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!'""#

iga%it.t&ernet$,$> Src P ar' 12$?1$$?4 Src P ar' 12$?1$$?4
E

>ou will be configuring two F$1s o%er your $:S networks per +igure 2# between $ routers of ':M and -=. At this point, assign the following interfaces on each $ router into separate routing instances within the routersD $ -* interface 7i)5) F:A1*) connection into F$1 ':M $ -* interface 7i)5) F:A1L) connection into F$1 -= $ -N interface 7i)5* F:A1() connection into F$1 ':M $ -N interface 7i)5* F:A1*)) connection into F$1 -= !onfigure F$1 ':M to use an -= of *)) and F$1 -= to use an -= of ()) for both importing and e4porting routes into your '7$ network, which will be configured later with an AS ofASNL))*. B3 pointsC

>ou are re"uired to create %irtual routing forwarding BF-+C instances on the $ routers and assign the subinterfaces on each $ router into these. This will ultimately pro%ide end#to#end %irtual pri%ate networking BF$1C connecti%ity o%er the $:S network for your ! de%ices tocommunicate. >ou are directed to use a route descriptor B-=C of *)) for the ':M F-+ and ()) for the-= F-+ and must combine this with the '7$ autonomous system BASC number of NL))* to import and e4port route target e4tended communities for the specified F-+s. The actual '7$ configuration will be configured later in the lab. f you ha%e configured this correctly, as shown in 4ample 2#9, you ha%e scored points. 3 E%MPL 367 V'; C$n/i"urati$n ;1(config)# i/ r# ")FE ;1(config-6rf)#

rd -!

;1(config-6rf)#

routetarget e:/ort -!

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

;1(config-6rf)#

!'"'#

routetarget im/ort -!

;1(config-6rf)#Q ;1(config6rf)# i/ r# +ED ;1(config6rf)# rd -!2 ;1(config-6rf)#

routetarget e:/ort -!2

;1(config-6rf)#

routetarget im/ort -!2

;1(config-6rf)#

e:it

;1(config)# inter#a$eGiga'itEt%ernet5. ;1(config-su%if)#

i/ r# #or&arding")FE

;1(config-su%if)#

inter#a$eGiga'itEt%ernet5.-

;1(config-su%if)#

i/ r# #or&arding+ED

+J$on#ig?< i/ r# ")FE +J$on#igr#?< rd -! +J$on#igr#?< routetarget e:/ort -! +J$on#igr#?< routetarget im/ort -!

+J$on#igr#?< i/ r# +ED +J$on#igr#?< rd -!2 +J$on#igr#?< routetarget e:/ort -!2 +J$on#igr#?< routetarget im/ort -!2 +J$on#igr#?< e:it +J$on#ig?< inter#a$e Giga'itEt%ernet5.2 +J$on#igsu'i#?< i/ r# #or&arding ")FE +J$on#ig?< inter#a$e Giga'itEt%ernet5. i/ r# #or&arding +ED

E

!reate a network between $ -outer -* and ! de%ice Sw* using a F:A1*) interface on Sw* that can be trunked toward -*. This network will reside in the ':M F$1. Mse a subnet of *).*).*).)52) with .*52) as# signed to the $ and .(52) assigned to the !. B( pointsC

This is a simple configuration task to assign $ connecti%ity between the $ and !de%ices for future routing between the de%ices and remote F$1 connecti%ity %ia -N. The new F:A1*) must be created on Sw*, and this F:A1 should ha%e already been permitted to flow through to -* as an allowed F:A1. The subinterface of 7igabit)5).*) on -* has been assigned to the ':M F-+ during the pre%ious "uestion, so connecti%ity between Sw* and -* should nowbe possible Bwhen $ addresses are assignedC. 0hen testing, remember that -* must use the appropriate F-+ toconfirm * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!'"+#

connecti%ity because a normal ping would be sourced from the global routing table and will fail. f you ha%e configured this correctly, as shown in 4ample 2#/, you ha%e scored ( points. E%MPL 36@ L< V'; -P %..re##in" an. L$ca& C$nnecti(ity Te#tin" ;1(config)# inter#a$eGiga'itEt%ernet5. ;1(config-su%if)# S8itc&1(config)#

i/ add ...2--.2--.2--.2-2 lan 

S8itc&1(config-6lan)# S8itc&1(config)#

e:it

inter#a$e lan

S8itc&1(config-if)#

no s%utdo&n

S8itc&1(config-if)#

i/ add ...22--.2--.2--.2-2

;1# /ing r# ")FE...2 !"pe escape seAuence to a%ort? Sening <> 1$$-%"te /P .c&os to 1$?1$?1$?2> timeout is 2 secons' ??BBB Success rate is 7$ percent (3,<)> roun-trip min,a6g,max C 1,1,1 ms

E

!reate a network between $ router -N and ! de%ice Sw( using a F:A1() interface on Sw( that can be trunked toward -N. This network will reside in the ':M F$1. Mse a subnet of *).*).().)52) with .*52) as# signed to the $ and .(52) assigned to the !. B( pointsC

This is a simple configuration task as per the pre%ious "uestion to assign connecti%ity between the $ and !de%ices for future routing between the de%ices and remote F$1 connecti%ity %ia -*. The new F:A1() must be created on Sw(, and this F:A1 already should ha%e been permitted to flow through to -Nas an allowed F:A1. The subinterface of 7i# gabit)5*.() on -Nhas been assigned to the ':M F-+ during apre%ious "uestion, so connecti%ity between Sw( and -N should now be possible. 0hen testing, remember that -N must use the appropriate F-+ to confirm connecti%ity. f you ha%e configured this correctly, as shown in 4ample 2#, you ha%e scored ( points. E%MPL 369 L< V'; -P %..re##in" an. L$ca& C$nnecti(ity Te#tin" ;7(config)# inter#a$eGiga'itEt%ernet5.2 ;7(config-su%if)# S8itc&2(config)#

i/ add ..2.2--.2--.2--.2-2 lan 2

S8itc&2(config-6lan)#

e:it

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

S8itc&2(config)#

S8itc&2(config-if)#

no s%utdo&n

S8itc&2(config-if)#

i/ add ..2.22--.2--.2--.2-2

;7# /ing

vrf

BLUE

!'"4#

inter#a$e lan2

..2.2

!"pe escape seAuence to a%ort? Sening <> 1$$-%"te /P .c&os to 1$?1$?2$?2> timeout is 2 secons' ??BBB Success rate is 7$ percent (3,<)> roun-trip min,a6g,max C 1,1,1 ms

E

!reate a network between $ -outer -* and ! de%ice Sw2 using a F:A1L) interface on Sw2 that can be trunked toward -*@ this network will reside in the -= F$1. Mse a subnet of *2).L).L).)52) with .*52) assigned to the $ and .(52) assigned to the !. B( pointC

Here
;1# /ing r# +ED3.-.-.2

!"pe escape seAuence to a%ort? Sening <> 1$$-%"te /P .c&os to 13$?<$?<$?2> timeout is 2 secons' * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!'"#

??BBB Success rate is 7$ percent (3,<)> roun-trip min,a6g,max C 1,1,1 ms

E

!reate a network between $ -outer -N and ! de%ice Sw3 using a F:A1*)) interface on Sw3 that can be trunked toward -N@ this network will reside in the -= F$1. Mse a subnet of *2).*)).*)).)52) with .*52) as# signed to the $ and .(52) assigned to the !. B( pointsC

This is the final configuration task to assign connecti%ity between the $ and ! de%ices for future routing between the de%ices and remote F$1 connecti%ity %ia -*. The new F:A1*)) must be created on Sw3, and thisF:A1 should ha%e already been permitted to flow through Sw2 to -N as an allowed F:A1. The subinterface of7igabit)5*.*)) on -N has been assigned to the -= F-+ during a pre%ious "uestion, so connecti%ity between Sw3 and -N should now be possi# ble. 0hen testing, remember that -N must use the appropriate F-+ to confirm connecti%ity. f you ha%e configured this correctly, as shown in 4ample 2#**, you ha%e scored ( points. E%MPL 3611 '! V'; -P %..re##in" an. L$ca& C$nnecti(ity Te#tin" ;7(config)# inter#a$e Giga'itEt%ernet5. ;7(config-su%if)# S8itc&4(config)#

i/ add 3...2--.2--.2--.2-2 lan 

S8itc&4(config-6lan)# S8itc&4(config)#

e:it

inter#a$e lan

S8itc&4(config-if)#

no s%utdo&n

S8itc&4(config-if)#

i/ add 3...22--.2--.2--.2-2

;7# /ing

vrf

RED

3...2

!"pe escape seAuence to a%ort? Sening <> 1$$-%"te /P .c&os to 13$?1$$?1$$?2> timeout is 2 secons' ??BBB Success rate is 7$ percent (3,<)> roun-trip min,a6g,max C 1,1,1 ms

Secti$n 3> =P ?5 P$int#A E

!onfigure $#'7$ between your $ routers, per +igure 2#*), to enable your network to transport the F$1%3 addresses of your configured F$1s B':M and -=C. Mse loopback interfaces for peering between your $ routers. >ou will configure the actual F$1 routing in later "uestions. B3 pointsC

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa "em$re 259 .etai&# /$r

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!'"1#

$:S re"uires the use of ultiprotocol '7$ B$#'7$C between the $ routers to e4change F$1%3 addresses in addi# tion to &$%3 addresses. The F$1s will be mapped into the configuration later, so this "uestion isa straightforward peer# ing and F$1%3 setup task. The configuration re"uires you to peer from your loopback interfaces, which are ad%ertised %ia your $ routers within 8S$+ and that e4tended communities are used between $ routers to ad%ertise your F$1%3 addresses successfully. >ou should be aware that -oute Targets B-TC are implemented by the use of the '7$ e4tended community BN3 bitsC and as such thesend$ommunit* 'ot%%alue must be configured within $#'7$. Then e:t%o/sel# command is optional and strictly re"uired only when you ha%e an e'7$ configuration to preser%e the ne4t#hop informa# tion to peers@ you won
no s*n$%roni1ation

;1(config-router)#

no autosummar*

;1(config-router)#

neig%'or 2... remoteas -

;1(config-router)#

)oo/'a$0 neig%'or 2... u/datesour$e

;1(config-router)#

address#amil*/n4

;1(config-router-af)#

neig%'or 2... a$tiate;1(config-

router-af)# neig%'or 2...ne:t%o/sel#;1(config-router'ot% af)# neig%'or2... send$ommunit* ;7(config)# router 'g/- ;7(config-router)#

no s*n$

;7(config-router)#

no autosummar*

;7(config-router)#

neig%'or 2... remoteas -

;7(config-router)#

neig%'or 2... u/datesour$e )oo/'a$0

;7(config-router)#

address#amil*/n4

;7(config-router-af)#

a$tiate neig%'or 2...

;7(config-router-af)#

neig%'or 2... ne:t%o/sel#

;7(config-router-af)#

'ot% neig%'or 2... send$ommunit*

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!'"2#

Secti$n 4> -='P an. MP6=P ?9 P$int#A E

!onfigure 7-$ per +igure 2#** between your $ -outer -N and ! Switch Sw(. Mse an 7-$ process number of * on -N and a process number of *) on Sw(. Mse F:A1() for 7-$ connecti%ity between -N and Sw(. Ad%ertise all preconfigured :oopback networks on Sw( to -N for the ':M F$1. B2 pointsC

Mntil now the "uestions ha%e merely dealt with setting up the infrastructure for $:S connecti%ity. 1ow you are re# "uested to ad%ertise routes from your ! Switch Sw( to $ -outer -N, which will ultimately be ad%ertised throughout the ':M F$1 tothe remote $ -outer -* and ! Switch Sw*. The "uestions become harder from this point. >ou6ll realize that to peer successfully with 7-$ you would need tobe operating within the same autonomous system BASC number, yet the "uestion enforces you torun differing AS numbers. $ routers would normally connect to multiple cus# tomers, so it is unreasonable to e4pect that each &7-$ domain should run the same AS number. As such, there is a fi4, which is a manual AS mapping under the F$1#specific configuration Baddress#amil* i/4 r# ")FE C where the AS number is stipulated. t is also within this section that the networks are enabled for 7-$ to operate o%er. 4ample 2# *2 details the 7-$ configuration and resulting neighbor relationship and route propagation between -N and Sw(. f you ha%e configured this correctly, as shown in 4ample 2#*2, you ha%e scored 2 points. NT The $ addressing for F:A1() on Sw( and associated subinterfaces on -N has pre%iously been configured. The ':M F-+ has also been associated to the -N subinterface pre%iously.

E%MPL 3613 ' an. S)itch2 -='P C$n/i"urati$n an. Veri/icati$n ;7(config)# router eigr/ ;7(config-router)#

address#amil* i/4 vrf

BLUE

;7(config-router-af)#

autonomouss*stem

;7(config-router-af)#

no autosummar*

;7(config-router-af)#

...3 net&or0 ..2.

S8itc&2(config)#

i/ routing

S8itc&2(config)#

router eigr/

S8itc&2(config-router)#

no autosummar*

S8itc&2(config-router)#

net&or0 ..2. ...3

S8itc&2(config-router)#

...2-net&or0 .2.2.

S8itc&2(config-router)#

...2-net&or0 .2.3.

S8itc&2(config-router)#

net&or0 .2.4. ...2--

;7# s%o& i/ eigr/ vrf BLUE neig%'ors P-.;P neig&%ors for process 1$ 5ress nterface 9

9ol

*ptime

S;!!

;!

Z

SeA

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

$ 1$?1$?2$?2 ;7#

i$,1?2$

;7# s%o& i/ route vrf BLUE eigr/ 1$?$?$?$,: is 6aria%l" su%nette> D 1$?2?2?$,24 F$,1<717$G 6ia 1$?1$?2$?2> D 1$?2?3?$,24 F$,1<717$G 6ia 1$?1$?2$?2> D 1$?2?4?$,24 F$,1<717$G 6ia 1$?1$?2$?2>

E

NT The $ addressing for F:A1*) on Sw* and associated subinterfaces on -*configured. has pre%iously been The ':M F-+ has also been associated to the -* subinterface pre%iously.

(sec) 11 $$'$4'1:

(ms) 1

!'"3#

2$$

/nt Num $ 1

4 su%nets> 2 mass $$'$4'37> iga%it.t&ernet$,1?2$ $$'$4'37> iga%it.t&ernet$,1?2$ $$'$4'37>

iga%it.t&ernet$,1?2$

!onfigure 7-$ per +igure 2#** between your $ -outer -* and ! Switch Sw*. Mse an 7-$ process number of * on -* and a process number of *) on Sw*. Mse F:A1*) for 7-$ connecti%ity between -* and Sw*. Ad%ertise all preconfigured :oopback networks on Sw* to -* for the ':M F$1. B2 pointsC

$er the pre%ious "uestion, you are re"uested to ad%ertise routes from your ! Switch Sw* to $ -outer -*, which will ultimately be ad%ertised throughout the ':M F$1 to the remote $ -outer -N and ! Switch Sw(. 8nce again you are re"uired to manually configure the 7-$ AS number within the address#family %rf section of the $. 4ample 2#*3 details the 7-$ configuration and resulting neighbor relationship and route propagation between -* and Sw*. f you ha%e configured this correctly, as shown in 4ample 2#*3, you ha%e scored 2 points. E%MPL 3614 '1 an. S)itch1 -='P C$n/i"urati$n an. Veri/icati$n ;1(config)# router eigr/ ;1(config-router)#

address#amil* i/4 vrf

BLUE

;1(config-router-af)#

autonomouss*stem

;1(config-router-af)#

no autosummar*

;1(config-router-af)#

...3 net&or0 ...

;1(config-6rf)#

int gi5.

;1(config-su%if)# ;1(config-su%if)#

i/ r# #or&arding")FE i/ add ...2--.2--.2--.2-2

S8itc&1(config)#

i/ routing

S8itc&1(config)#

router eigr/

S8itc&1(config-router)#

no autosummar*

S8itc&1(config-router)#

net&or0 ... ...3

S8itc&1(config-router)#

net&or0 ......2--

S8itc&1(config-router)#

...2-net&or0 ..2.

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa "em$re 259 .etai&# /$r

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

S8itc&1(config-router)#

;1# s%o& i/ eigr/ r# ")FEneig%'ors P-.;P neig&%ors for process 1$ 9 5ress nterface $ 1$?1$?1$?2 ;1#

i$,$?1$

;1# s%o& i/ eigr/ r# ")FEneig%'ors P-.;P neig&%ors for process 1$ 9 5ress nterface $

1$?1$?1$?2

!'"#

net&or0 ..3. ...2--

i$,$?1$

9ol *ptime S;!! (sec) (ms) 13 $$'$$'24 1

9ol *ptime (sec) 13 $$'$$'24

S;!! (ms) 1

;! Z SeA /nt Num 2$$ $ 1

;! 2$$

Z SeA /nt Num $ 1

eigr/ ;1# s%o& i/ route r# ")FE 1$?$?$?$,: is 6aria%l" su%nette> 4 su%nets> 2 mass D 1$?1?3?$,24 F$,1<3:<7G 6ia 1$?1$?1$?2> $$'$1'1:> iga%it.t&ernet$,$?1$ D 1$?1?2?$,24

D

E

F$,1<3:<7G 6ia 1$?1$?1$?2> $$'$1'1:> iga%it.t&ernet$,$?1$ 1$?1?1?$,24 iga%it.t&ernet$,$?1$ F$,1<3:<7G 6ia 1$?1$?1$?2> $$'$1'1:>

!onfigure your $ -outers -* and -N to transport 7-$ routes from your ! de%ices between the ':M F$1 using $#'7$. 7-$ networks residing on Sw* should be seen as internal 7-$ routes on Sw( and %ice %ersa. nsure all &7-$ routes ha%e a = of L) assigned to them within $#'7$. Mse a default#metric of *)))) *)) (LL * *L)) for '7$ routes when redistributed into 7-$. B2 pointsC

The full end#to#end F$1 routing is achie%ed at this point by redistributing 7-$ into the appropriate address#family for the F-+. The "uestion dictates the metrics you should use. n reality, the metrics are not re"uired because the e4# tended community %aluesof $#'7$ pre%iously configured will effecti%ely transport the internal metrics of 7-$ and ensure the routes are shown as internal 7-$ routes at the remote location, e%en though they ha%e been redistributed %ia another routing protocol. The "uestion is ust looking for accuracy and gi%ing you the opportunity to%iew routes with the metrics and later without if you choose to. 4ample 2#*L detailsthe configuration re"uired on the $ routers and resulting routes on the! de%ices Sw* and Sw(. f you ha%e configured this correctly, as shown in 4ample 2#*L, you ha%e scored 2 points.

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!''0#

E%MPL 3615 P an. C MP6=P 'e.i#tributi$n C$n/i"urati$n an. Veri/icati$n ;1(config)# router eigr/ ;1(config-router)#

")FE address#amil* i/4 r#

;1(config-router-af)#

redistri'ute 'g/ - metri$   2-- 

;1(config-router-af)#

router 'g/-

;1(config-router)#

address#amil* i/4 r# ")FE

;1(config-router-af)#

- redistri'ute eigr/  metri$

;7(config)# router eigr/ ;7(config-router)#

address#amil* i/4 r# ")FE

;7(config-router-af)#

redistri'ute 'g/ - metri$   2-- 

;7(config-router-af)#

router 'g/-

;7(config-router)#

address#amil* i/4 r# ")FE

;7(config-router-af)#

- redistri'ute eigr/  metri$

SW1# s%o& i/ routeeigr/ D 1$?2?2?$,24 F$,1<7417G 6ia 1$?1$?1$?1> D 1$?2?3?$,24 F$,1<7417G 6ia 1$?1$?1$?1> D 1$?2?4?$,24 F$,1<7417G 6ia 1$?1$?1$?1> D 1$?1$?2$?$,3$ F$,2:417G 6ia 1$?1$?1$?1> SW2# s%o& i/ routeeigr/ D 1$?1?3?$,24 D 1$?1?2?$,24 D 1$?1?1?$,24 1$?1$?1$?$,3$ D

F$,1<4112G F$,1<4112G F$,1<4112G F$,27112G

6ia 1$?1$?2$?1> 6ia 1$?1$?2$?1> 6ia 1$?1$?2$?1> 6ia 1$?1$?2$?1>

$$'32'$<> Vlan1$ $$'32'$<> Vlan1$ $$'32'$<> Vlan1$ $$'32'$<> Vlan1$

$$'33'$=> $$'33'$=> $$'33'$=> $$'33'$=>

Vlan2$ Vlan2$ Vlan2$ Vlan2$

4ample 2#*N details the '7$ routes recei%ed on the $ routers with the assigned = %alue of L)@ it also details the $:S forwarding table for the ':M F-+. 1otice the i'7$ routes on the $ routers from the remote $ router with the = of L)@ these are the routes that are propagated to 7-$ ! de%ices. f you ha%e configured this correctly, as shown in 4ample 2#*N,you ha%e scored 2 points. E%MPL 361 P MP6=P an. MPLSVeri/icati$n ;7# s%o& i/ 'g/ /n4 r#")FE P ta%le 6ersion is 1=> local router D is12$?1$$?7?1 Status coes' s suppresse>  ampe> & &istor"> I6ali> Y %est> i - internal> r ;-failure> S Stale

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!''"#

rigin coes' i - P> e - .P>  - incomplete Net8or Next 9op etric 0ocPrf Weig&t Pat& ;oute Distinguis&er' 7<$$1'1$$ (efault for 6rf 0*.) IYi1$?1?1?$,24 12$?1$$?1?1 <$ 1$$ $  IYi1$?1?2?$,24 12$?1$$?1?1 <$ 1$$ $  IYi1$?1?3?$,24 12$?1$$?1?1 <$ 1$$ $  IY 1$?2?2?$,24 1 $?1$?2$?2 <$ 32=7:  IY 1$?2?3?$,24 1 $?1$?2$?2 <$ 32=7:  IY 1$?2?4?$,24 1 $?1$?2$?2 <$ 32=7:  IYi1$?1$?1$?$,3$ 12$?1$$?1?1 $ 1$$ $  IY 1$?1$?2$?$,3$ $?$?$?$ $ 32=7:  ;1# s%o& i/ 'g/ /n4 r#")FE P ta%le 6ersion is 1=> local router D is12$?1$$?1?1 Status coes' s suppresse>  ampe> & &istor"> I6ali> Y %est> i - internal> r ;-failure> S Stale rigin coes' i - P> e - .P>  - incomplete

Net8or Next 9op etric 0ocPrf Weig&t Pat& ;oute Distinguis&er' 7<$$1'1$$ (efault for 6rf 0*.) IY 1$?1?1?$,24 1 $?1$?1$?2 <$ 32=7:  IY 1$?1?2?$,24 1 $?1$?1$?2 <$ 32=7:  IY 1$?1?3?$,24 1 $?1$?1$?2 <$ 32=7:  IYi1$?2?2?$,24 12$?1$$?7?1 <$ 1$$ $  IYi1$?2?3?$,24 12$?1$$?7?1 <$ 1$$ $  IYi1$?2?4?$,24 12$?1$$?7?1 <$ 1$$ $  IY 1$?1$?1$?$,3$ $?$?$?$ $ 32=7:  IYi1$?1$?2$?$,3$ 12$?1$$?7?1 $ 1$$ $ 

")FE ;1# s%o& m/ls #or&ardingta'le r# 0ocal utgoing Prefix tag tag or V/ or !unnel  27 *ntagge 1$?1?3?$,24FVG 2= *ntagge 1$?1?2?$,24FVG 2: 5ggregate 1$?1$?1$?$,3$FVG 2 *ntagge 1$?1?1?$,24FVG

"tes tag s8itc&e $ $ $ $

utgoing Next 9op interface i$,$?1$ 1$?1$?1$?2 i$,$?1$ 1$?1$?1$?2 i$,$?1$

1$?1$?1$?2

")FE ;7# s%o& m/ls #or&ardingta'le r#

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

0ocal tag 27 2= 2: 2

utgoing tag or V/ *ntagge *ntagge *ntagge 5ggregate

Prefix or !unnel  1$?2?2?$,24FVG 1$?2?3?$,24FVG 1$?2?4?$,24FVG 1$?1$?2$?$,3$FVG

"tes tag s8itc&e $ $ $ $

!'''#

utgoing Next 9op interface i$,1?2$ 1$?1$?2$?2 i$,1?2$ 1$?1$?2$?2 i$,1?2$ 1$?1$?2$?2

Secti$n 5> SP; an. MP6=P ?9 P$int#A E

NT The $ addressing for F:A1L) on Sw2 and associated subinterface on -* and F:A1*)) on Sw3 and associated sub# interface on -N has pre# %iously been configured. The -= F-+ has also been associated to the -* and -N subinterfaces pre%iously.

!onfigure 8S$+ per +igure 2#*( for your F-+ -= with a process number of 2 on $ -outer -* and Sw2 using F:A1L) for connecti%ity. Mse a process = of ( on $ -outer -N and ! de%ice Sw3 using F:A1*)) for con# necti%ity. >ou should permit only internal 8S$+ routes to be ad%ertised across your F$1 and ensure the redistri# bution of '7$ routes into 8S$+ are assigned as Type * e4ternal routes with no manually adusted cost associated to them. t is acceptable for these routes to come through as 52( routes because of default 8S$+ beha%ior of :oopback interfaces. B2 pointsC

>ou are re"uested to configure 8S$+ o%er your $:S network between ! de%ices Sw2 and Sw3 %ia your $-outers -* and -N. +igure 2#*( indicates that all loopback interfaces are to be included in 8S$+ on both ! de%ices. >ou should be aware that 8S$+ will ad%ertise these as host routes, but the "uestion states that this is acceptable beha%ior. Similarly to the &7-$ "uestion, you are re"uested to manipulate the redistribution of the 7$ into '7$, but in reality the routes would appear to ha%enot been redistributed through another routing protocol by default. This direction is ac# tually a red herring for the ne4t "uestion when the routes at the ! de%ices appear as e4ternal routes when they should in fact be internal routes. >ou are re"uested to permit only internal 8S$+ routes to be redistributed into '7$, which is a simple mat$% internal parameter on the redistribution configuration. >ou should, of course, remember that the $:S network is seen asan 8S$+ super backbone, and as such you had noconfiguration for Area ) to enable Area * to com# municate with Area ( o%er$:S. 4ample 2#*9 details the re"uired configuration and %erification. f you ha%e config# ured this correctly, as shown in 4ample 2#*9, you ha%e scored 2 points. E%MPL 3617 V'; '! SP; C$n/i"urati$n an. Veri/icati$n SW3(config)# i/ routing SW3(config)# router os/#3 SW3(config-router)#

net&or0 3.-.-. ...3 area 

SW3(config-router)#

 net&or0 .33.33. ...2-- area

SW3(config-router)#

net&or0 .33.34. ...2-- area 

SW3(config-router)#

 net&or0 .33.3-. ...2-- area

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!''+#

SW4(config)# i/ routing SW4(config)# router os/#2 SW4(config-router)#

 net&or0 3... ...3 area

SW4(config-router)#

net&or0 .44.44. ...2-- area 2

SW4(config-router)#

2 net&or0 .44.4-. ...2-- area

SW4(config-router)#

net&or0 .44.4. ...2-- area 2

;1(config)# router os/# 3 r#+ED ;1(config-router)#

 net&or0 3.-.-. ...3 area

;1(config-router)#

redistri'ute 'g/ - su'nets metri$t*/e 

;1(config-router)#

router 'g/-

;1(config-router)#

+ED address#amil* i/4 r#

;1(config-router-af)#

redistri'ute os/# 3 mat$% internal

;7(config)# router os/# 2 r#+ED ;7(config-router)#

 net 3... ...3 area

;7(config-router)#

redistri'ute 'g/ - su'nets metri$t*/e 

;7(config-router)#

router 'g/-

;7(config-router)# address#amil* i/4 r# +ED internal ;7(config-router-af)# redistri'ute os/# 2 mat$% ;1# s%o& i/ route r# RED os/# ;outing

!a%le' ;.D

1$?$?$?$,32 is su%nette> 7 su%nets  5 1$?33?34?1 F11$,2G 6ia 13$?<$?<$?2> $$'$4'4:> iga%it.t&ernet$,$?<$  5 1$?33?3 $$'$4'4:> iga%it.t&ernet$,$?<$  5 1$?33?33?1 F11$,2G 6ia 13$?<$?<$?2> $$'$4'4:> iga%it.t&ernet$,$?<$ ;7# s%o& i/ route r# RED os/# ;outing

!a%le' ;.D

1$?$?$?$,32 is su%nette>  5 1$?44?47?1 F11$,2G 6ia  5 1$?44?4
7 su%nets 13$?1$$?1$$?2> 13$?1$$?1$$?2> 13$?1$$?1$$?2>

$$'$2'32> iga%it.t&ernet$,1?1$$ $$'$2'32> iga%it.t&ernet$,1?1$$ $$'$2'32> iga%it.t&ernet$,1?1$$

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa "em$re 259 .etai&# /$r

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!''4#

SW3# s%o& i/ routeos/# 13$?1$$?$?$,3$ is su%nette> 1 su%nets  .1 13$?1$$?1$$?$ F11$,2G 6ia 13$?<$?<$?1> $$'$7'$:> Vlan<$ 1$?$?$?$,: is 6aria%l" su%nette> 7 su%nets> 2 mass  .1 1$?44?47?1,32 F11$,3G 6ia 13$?<$?<$?1> $$'$2'<4> Vlan<$  .1 1$?44?4 $$'$2'<4> Vlan<$  .1 1$?44?44?1,32 F11$,3G 6ia 13$?<$?<$?1> $$'$2'<<> Vlan<$ SW4# s%o& i/ routeos/# 13$?<$?$?$,3$ is su%nette> 1 su%nets  .1 13$?<$?<$?$ F11$,2G 6ia 13$?1$$?1$$?1> $$'$3'3=> Vlan1$$ 1$?$?$?$,: is 6aria%l" su%nette> 7 su%nets> 2 mass  .1 1$?33?34?1,32 F11$,3G 6ia 13$?1$$?1$$?1> $$'$3'3=> Vlan1$$  .1 1$?33?3 $$'$3'3=> Vlan1$$ 1$?33?33?1,32 F11$,3G 6ia 13$?1$$?1$$?1> $$'$3'3=> Vlan1$$  .1

E

>ou will notice that your 8S$+ A Bintra#areaC routes between ! de%ices Sw2 and Sw3 appear as Type * 4ter# nal routes@ configure your 8S$+ network appropriately to ensure the routes are displayed correctly as A routes. >ou are not permitted to adust the 8S$+ redistribution into '7$ as directed in the pre%ious "uestion. aintain the 8S$+ process =s as pre%iously directed, and you are permitted to configure only -outer -*. BN pointsC

This is a tricky "uestion and one that will really eat into your timePthe kind of "uestion that if the answer doesn6t ump out at you and the points don6t look appealing enough, it6s one to park and come back to. >ou can lea%e "uestions like this confidently because you ha%e your routes in place and following "uestions don6t build from this one. As stated pre# %iously, the redistribution into Type* is actually somewhat misleading. 0hen you look at the routes in 4ample2#*/ for the $ routers, you will see that they are actually A routes at this point, so it is only when these routes are ad%ertised to the ! de%ices that the Type * 4ternal route change occurs. E%MPL 361@ V'; '! SP;'$ute# ;1# s%o& i/ route r# RED os/# ;outing

!a%le' ;.D

1$?$?$?$,32 is su%nette> 7 su%nets  5 1$?33?34?1 F11$,2G 6ia 13$?<$?<$?2> $$' $4'4:>  5 1$?33?3 $$' $4'4:> 1$?33?33?1 F11$,2G 6ia 13$?<$?<$?2> $$'$4'4:>  5

iga%it.t&ernet$,$?<$ iga%it.t&ernet$,$?<$ iga%it.t&ernet$,$?<$

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa "em$re 259 .etai&# /$r

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

;7# s%o& i/ route r# ;outing

RED

!''#

os/#

!a%le' ;.D

1$?$?$?$,32 is su%nette> 7 su%nets  5 1$?44?47?1 F11$,2G 6ia 13$?1$$?1$$?2>  5 1$?44?4  5 1$?44?44?1 F11$,2G 6ia 13$?1$$?1$$?2>

$$'$2'32> $$'$2'32> $$'$2'32>

iga%it.t&ernet$,1?1$$ iga%it.t&ernet$,1?1$$ iga%it.t&ernet$,1?1$$

SW3# s%o& i/ routeos/# 13$?1$$?$?$,3$ is su%nette> 1 su%nets  .1 13$?1$$?1$$?$ F11$,2G 6ia 13$?<$?<$?1> $$' $7'$:> Vlan<$ 1$?$?$?$,: is 6aria%l" su%nette> 7 su%nets> 2 mass  .1 1$?44?47?1,32 F11$,3G 6ia 13$?<$?<$?1> $$' $2'<4> Vlan<$  .1 1$?44?4 $$' $2'<4> Vlan<$  .1 1$?44?44?1,32 F11$,3G 6ia 13$?<$?<$?1> $$' $2'<<> Vlan<$ SW4# s%o& i/ routeos/# 13$?<$?$?$,3$ is su%nette>

1 su%nets

 .1

13$?<$?<$?$ F11$ ,2G 6ia 13$?1$$?1$$?1> $$'$3'3=> Vlan1$$ 1$?$?$?$,: is 6aria%l" su%nette> 7 su%nets> 2 mass  .1 1$?33?34?1,32 F11$,3G 6ia 13$?1$$?1$$?1> $$'$3'3=> Vlan1$$  .1 1$?33?3 $$'$3'3=> Vlan1$$ 1$?33?33?1,32 F11$,3G 6ia 13$?1$$?1$$?1> $$'$3'3=> Vlan1$$  .1

The clue is actually in the "uestion aintain the 8S$+ process =s as pre%iously directed. Statements like this should make you think, W8kay. so if  did change the process =, it would most likely work@ why would that do it and how else can  achie%e that?W 8S$+ has a domain =@ by default. this is the same as the process =. f the process =s are different on $ routers that form the F$1, the :SA is changed to a type L and the routes become e4ternal. >ou might not ha%e known that, but it6s the kind of thing that you gain through research and rack time. 'ecause you are not permitted to change the process =, you are only left with the option of changing the domain =. 4ample 2#* details the domain = information on your $ routers, the configuration re"uired to change thedomain = on one of your $
* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!''1#

E%MPL 3619 !$main -! C$n/i"urati$n an. SP; '$ute Veri/icati$n Domain ;1# s%o& i/ os/# 3 > in$lude Domain D t"pe $x$$$<> 6alue $?$?$?3

;7# s%o& i/ os/# 2 > in$lude Domain Domain D t"pe $x$$$<> 6alue $?$?$?2 ;1(config)# router os/# 3 r#+ED ;1(config-router)#

domainid

0.0.0.2

SW3# s%o& i/ routeos/# 13$?1$$?$?$,3$ is su%nette> 1 su%nets  5 13$?1$$?1$$?$ F11$,2G 6ia 13$?<$?<$?1> $$' $$'$> Vlan<$ 1$?$?$?$,: is 6aria%l" su%nette> 7 su%nets> 2 mass  5 1$?44?47?1,32 F11$,3G 6ia 13$?<$?<$?1> $$' $$'$> Vlan<$  5 1$?44?4 $$' $$'$> Vlan<$  5 1$?44?44?1,32 F11$,3G 6ia 13$?<$?<$?1> $$' $$'$> Vlan<$ SW3#

SW4# s%o& i/ routeos/# 13$?<$?$?$,3$ is su%nette> 1 su%nets  5 13$?<$?<$?$ F11$ ,2G 6ia 13$?1$$?1$$?1> $$'$$'$=> Vlan1$$ 1$?$?$?$,: is 6aria%l" su%nette> 7 su%nets> 2 mass  5 1$?33?34?1,32 F11$,3G 6ia 13$?1$$?1$$?1> $$'$$'$=> Vlan1$$  5 1$?33?3 $$'$$'$=> Vlan1$$ 1$?33?33?1,32 F11$,3G 6ia 13$?1$$?1$$?1> $$'$$'$=> Vlan1$$  5

Secti$n > MPLS ?7 P$int#A E

:eak network *).*.*.)5(3 from Sw* F-+ ':M on $ -* into the F-+ -= on $*@ similarly, leak *).33.33.)5(3 from F-+ -= into F-+ ':M on -N. 'oth Switch * and Switch 3 should recei%e the following routesD S0*Y s%o& i/ route > in$lude.44.44. = X

*).33.33.)5(3 *9)5XXXXXXI %ia *).*).*).*, ))D))D(9, Flan*)

S0*Y * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!''2#

S03Y s%o& i/ route > in$lude... 8 *

*).*.*.)5(3 **)5XXI %ia *2).*)).*)).*, ))D)2D)3, Flan*))

S03Y Ferify your configuration by pinging from F-+ -= Sw3 *).33.33.* to F-+ ':M Sw* *).*.*.* sw*. BL pointsC This is a straightforward F-+ 4port "uestion with a slight twist for the attenti%e in that the 8S$+ route *).33.33.)5(3 srcinates from a :oopback interface on Switch3, so 8S$+ must be manipulated to treat this interface as a point#to#point network to ad%ertise the 5(3 mask. The route#leaking is achie%ed by creation of e4port maps on the $ -outers -* and -N, permitting the re"uired routes from each F-+ to the e4isting ':M and -= F-+ ad%ertisements by adding them to the appropriate -oute Target B-TC within $#'7$ by use of the set e:t$ommunit* rt ! additie com# mand. 4ample 2#() details the re"uired configuration on $ -outers -*, -N, and ! de%ice Sw3@ the resulting %erifi# cation of the route ad%ertisements and testing are also shown. f you ha%e configured this correctly, as shown in 4ample 2#(), you ha%e scored L points. E%MPL 362+ Se&ecti(e V'; p$rt C$n/i"urati$n an. Veri/icati$n S84(config)# inter#a$e)oo/'a$0 S84(config-if)#

i/ os/# net&or0/ointto/oint

;1(config)# i/ r# ")FE ;1(config-6rf)#

e:/ort ma/;

;1(config-6rf)#

...2-a$$esslist  /ermit ...

;1(config-6rf)#

e:it

;1(config)# routema/ ; /ermit  ;1(config-route-map)#

mat$% i/ address

;1(config-route-map)#

set e:t$ommunit* rt -!2 additie

;7(config)# i/ r# +ED ;7(config-6rf)#

e:/ort ma/;4

;7(config-6rf)#

a$$esslist  /ermit .44.44. ...2--

;7(config-6rf)#

e:it

;7(config)# routema/ ;4 /ermit  ;7(config-route-map)#

mat$% i/ address

;7(config-route-map)#

additie set e:t$ommunit* rt -!

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!''3#

B ;1 is no8 sening 1$?1?1?$ into V;+ ;.D an ;7 1$?44?44?$ into V;+ 0*. ;1# s%o& i/ 'g/ /n4 r#+ED P ta%le 6ersion is 33> local router D is12$?1$$?1?1 Status coes' s suppresse>  ampe> & &istor"> I6ali> Y %est> i - internal> r ;-failure> S Stale rigin coes' i - P> e - .P>  - incomplete Net8or Next 9op etric 0ocPrf Weig&t Pat& ;oute Distinguis&er' 7<$$1'2$$ (efault for 6rf ;.D) IY 1$?33?33?1,32 13$?<$?<$?2 2 32=7:  IY 1$?33?34?1,32 13$?<$?<$?2 2 32=7:  IY 1$?33?3
B No sign of t&e 1$?1?1?$ route> clear t&e P session to ic start t&e export map ;1# $lear i/ 'g/ ;1# s%o& i/ 'g/ /n4 r#+ED P ta%le 6ersion is 34> local router D is12$?1$$?1?1 Status coes' s suppresse>  ampe> & &istor"> I6ali> Y %est> i - internal> r ;-failure> S Stale rigin coes' i - P> e - .P>  - incomplete Net8or Next 9op etric 0ocPrf Weig&t Pat& ;oute Distinguis&er' 7<$$1'2$$ (efault for 6rf ;.D) IY 1$?1?1?$,24 1$?1$?1$?2 <$ 32=7:  IY 1$?33?33?1,32 13$?<$?<$?2 2 32=7:  IY 1$?33?34?1,32 13$?<$?<$?2 2 32=7:  IY 1$?33?3
* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!''#

;7# s%o& i/ 'g/ /n4 r#")FE P ta%le 6ersion is 3<> local router D is12$?1$$?7?1 Status coes' s suppresse>  ampe> & &istor"> I6ali> Y %est> i - internal> r ;-failure> S Stale rigin coes' i - P> e - .P>  - incomplete Net8or Next 9op etric 0ocPrf Weig&t Pat& ;oute Distinguis&er' 7<$$1'1$$ (efault for 6rf 0*.) IYi1$?1?1?$,24 12$?1$$?1?1 <$ 1$$ $  IYi1$?1?2?$,24 12$?1$$?1?1 <$ 1$$ $  IYi1$?1?3?$,24 12$?1$$?1?1 <$ 1$$ $  IY 1$?2?2?$,24 1$?1$?2$?2 <$ 32=7:  IY 1$?2?3?$,24 1$?1$?2$?2 <$ 32=7:  IY 1$?2?4?$,24 1$?1$?2$?2 <$ 32=7:  IYi1$?1$?1$?$,3$ 12$?1$$?1?1 $ 1$$ $  IY 1$?1$?2$?$,3$ $?$?$?$ $ 32=7:  IY 1$?44?44?1,32 13$?1$$?1$$?2 2 32=7:  B Notice t&e 1$?44?44?$ route is actuall" liste as a &ost route> c&ange t&e 0oop%ac interface on S84 to a point-to-point for SP+ to a6ertise it correctl" SW4(config)# inter#a$elo SW4(config-if)#

i/ os/# net&or0/ointto/oint

.44.44. ;7# s%o& i/ 'g/ /n4 r# ")FE > in$lude IY 1$?44?44?$,24 13$?1$$?1$$?2

2

32=7: 

S8itc&1# s%o& i/ route > in$lude .44.44. D .M 1$?44?44?$,24 F1=$,2:1:<7G 6ia 1$?1$?1$?1> $$'$$'<1> Vlan1$ S8itc&1# SW4# s%o& i/ route > in$lude ...  .1 1$?1?1?$,24 F11$,<1G 6ia 13$?1$$?1$$?1> $$'$2'4<> Vlan1$$ B No8 test 8it& an extene ping to ensure t& e 0oop%ac interface is use as t&e source SW1# /ing Protocol FipG' !arget P aress' 1$?44?44?1 ;epeat count F
CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!'+0#

Datagram sie F1$$G' !imeout in secons F2G' .xtene commans FnG' " Source aress or interface' 1$?1?1?1 !"pe of ser6ice F$G' Set D+ %it in P &eaer FnoG' Valiate repl" ata FnoG' Data pattern F$x5/DG' 0oose> Strict> ;ecor> !imestamp> Ver%oseFnoneG' S8eep range of sies FnG' !"pe escape seAuence to a%ort? Sening <> 1$$-%"te /P .c&os to 1$?44?44?1> timeout is 2 secons' Pacet sent 8it& a source aress of 1$?1?1?1 BBBBB Success rate is 1$$ percent (<,<)> roun-trip min,a6g,max C :,,12 ms ")FE ;1# s%o& m/ls #or&ardingta'le r# 0ocal utgoing Prefix tag tag or V/ or !unnel 

34 3< 37 3=

*ntagge *ntagge 5ggregate *ntagge

1$?1?3?$,24FVG 1$?1?2?$,24FVG 1$?1$?1$?$,3$FVG 1$?1?1?$,24FVG

"tes tag utgoing s8itc&e interface $ $ $ <$

i$,$?1$ i$,$?1$ i$,$?1$

+ED ;1# s%o& m/ls #or&ardingta'le r# 0ocal utgoing Prefix "tes tag utgoing tag tag or V/ or !unnel  s8itc&e interface 3: 5ggregate 13$?<$?<$?$,3$FVG $ 3 *ntagge 1$?33?34?1,32FVG $ i$,$?<$ 4$ *ntagge 1$?33?3
Next 9op

1$?1$?1$?2 1$?1$?1$?2 1$?1$?1$?2

Next 9op

13$?<$?<$?2 13$?<$?<$?2 13$?<$?<$?2

B Note t&e ;outes are not leae 8it&in t&e P0S for8aring-ta%le ")FE ;7# s%o& m/ls #or&ardingta'le r# 0ocal utgoing Prefix tag tag or V/ or !unnel  34 *ntagge 1$?2?2?$,24FVG 3< *ntagge 1$?2?3?$,24FVG 37 *ntagge 1$?2?4?$,24FVG

"tes tag utgoing s8itc&e interface $ i$,1?2$ $ i$,1?2$ $ i$,1?2$

Next 9op 1$?1$?2$?2 1$?1$?2$?2 1$?1$?2$?2

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

3=

5ggregate

1$?1$?2$?$,3$FVG

!'+"#

$

+ED ;7# s%o& m/ls #or&ardingta'le r# 0ocal utgoing Prefix "tes tag utgoing Next 9op tag tag or V/ or !unnel  s8itc&e i nterface 3: 5ggregate 13$?1$$?1$$?$,3$FVG $ 3 *ntagge 1$?44?47?1,32FVG $ i$,1?1$$ 13$?1$$?1$$?2 4$ *ntagge 1$?44?4
B Note t&e ;outes are not leae 8it&in t&e P0S for8aring-ta%le

E

!onfigure your $ -outers -* and -N to ensure that the $:S $ routers are not listed as intermediate hops when a trace route is performed on your ! de%ices. B( pointsC

'y default, the $:S network will be shown when a traceroute is performed. This can be changed, so only $ routers are shown as ne4t hops with theno m/ls i/ /ro/ogatettlglobal command within your $ routers. 4ample 2#(* shows the default beha%ior and modified beha%ior after configuration from a trace route command issued on ! de%ice S0*. f you ha%e configured this correctly, as shown in 4ample 2#(*, you ha%e scored (points. E%MPL 3621 MPLS Tracer$ute C$n/i"urati$n an. Te#tin" SW1# tra$eroute.2.2. !"pe escape seAuence to a%ort? !racing t&e route to 1$?2?2?1 1 2 3 4 <

1$?1$?1$?1 $ msec $ msec $ msec 12$?1$$?123?2 12 msec 12 msec 17msec 12$?1$$?2
;1(config)# no m/ls i/ /ro/agatettl ;7(config)# no m/ls i/ /ro/agatettl SW1# tra$eroute.2.2. !"pe escape seAuence to a%ort? * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!'+'#

!racing t&e route to 1$?2?2?1 1 1$?1$?1$?1 4 msec $ msec $ msec 2 1$?1$?2$?1 12 msec : msec 12 msec 3 1$?1$?2$?2 4 msec I 4 msec

Secti$n 7> VPLS Simu&ati$n ?1+ P$int#A E

Switches 2 and 3 will ha%e been configured to belong to the subnet of *.*.*.)5(3 in a pre%ious "uestion. !reate an Xconnect attachment circuit on your $ -outers -* and -N for your ! de%ices BSw2 +e )5* *.*.*.*5(3 and Sw3 +e )5* *.*.*.(5(3C to communicate using a secure :ayer ( tunneling solution Buse %ersion 2C across your :ayer 2 network. >ou should use e4isting :oopback interfaces on your $ routers for peering o%er your $:S network. Mse a class template that configures a cookie size of / and a password of cisco, which will be used by a pseudowire class which Xconnects your re"uired interfaces on your $ -outers -* and -N. 'e aware that the Sw2 resides in F:A1()) and Sw3 resides in F:A13)) in respecti%e $ router subinterfaces. B*) pointsC

This "uestion simulates F$:S and re"uires that :(T$%2 B:ayer ( Tunneling $rotocol %2C is configured between your $ routers connecting the twosubinterfaces that connect to Sw2 and Sw3interfaces %ia Sw* and Sw3 BF:A1()) and F:A13)), respecti%elyC. >ou might ha%e considered using a F$:S#type solution, but the "uestion dictates a secure :ayer ( tunneling solution and alsopro%ides you with an Xconnect clue and a %ersion number. As such, it can only be :(T$%2. Sw2 and Sw3 will use a pseudowire to communicate o%er the $ network and logically will connect in the same :ayer ( domain. The $ routers ha%e as directed a l2t/$lass named S!M-. This configures the password to cisco and cookie size to /@ thisclass calls the pseudowire class P;C)(, which configures the encapsulation to l2t/3 in secure mode and sets the :oopback interfaces of the $ routers to be used for peering. The:$onne$t subinterface command binds the local$ interface to the remote $ :oopback with a %c#id B%irtual channel =C, which in the e4am# ple matches the subinterface number ofthe specific $ router. B>ou could ha%e used any = here.C t should be noted that !isco 4press +orwarding B!+C must be enabled for the :(T$%2 feature to function correctly. 4ample 2#(( de# tails the re"uired $ configuration on -outers -* and -(. E%MPL 3622 P L2TP(3C$n/i"urati$n ;1(config)# l2t/$lassECF+E ;1(config-l2tp-class)# ;1(config-l2tp-class)# ;1(config-l2tp-class)#

/ass&ord $is$o $oo0ie si1e8 /seudo&ire$lassP;C)(

;1(config-p8-class)#

en$a/sulationl2t/3

;1(config-p8-class)#

/roto$ol l2t/3ECF+E

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

;1(config-p8-class)# ;1(config-su%if)#

!'++#

i/ lo$al inter#a$e )oo/'a$0

;1(config-p8-class)#

inter#a$e Giga'itEt%ernet5.2

P;C)( :$onne$t 2... 2 /&$lass

;7(config)# l2t/$lassECF+E /ass&ord $is$o

;7(config-l2tp-class)#

$oo0ie si1e8

;7(config-l2tp-class)# ;7(config-l2tp-class)# ;7(config-p8-class)# ;7(config-p8-class)# ;7(config-p8-class)# ;7(config-p8-class)# ;7(config-su%if)#

/seudo&ire$lassP;C)( en$a/sulationl2t/3 /roto$ol l2t/3ECF+E i/ lo$al inter#a$e )oo/'a$0

inter#a$e Giga'itEt%ernet5.4

P;C)( :$onne$t 2... 2 /&$lass

4ample 2#(2 shows the successful :(T$%2 session established between $ -* to $ -N, yet the ping test from Sw2to *.*.*.( fails. As the session is up, you can safely assume that there is a connecti%ity type issue between either Sw2 and $ -* or Sw3 and $ -N, or possibly between both connections. The "uestion does bring your attention to the fact that both ! de%ices reside in Sw( different so this should you a+astthernet starting point in interfaces your in%estigation. 0hen and logging is enabled on Sw* and BtheseF:A1s, ! de%ices bring Sw2 gi%e and Sw3 )5* into F:A1()) F:A13)), respecti%elyC, you can see spanning#tree inconsistencies e4ist between F:A1()) being bridged to F:A13)) %ia your :(T$%2 solution. !loser inspection re%eals that spanning tree has actually blocked ports on Sw* and Sw( from $ -outers -* and -N, respecti%ely, e%en though you ha%e pre%iously allowed the local F:A1 ()) and 3)) through the trunk on $ -outers -* and -N, respecti%ely. The problem is actually resol%edby enabling '$=M filtering on Sw* with the s/anningtree '/du#ilter ena'le command on the trunk interface toward the $ -outer -*. nabling '$=M filtering on an interface is e"ui%alent to disabling the spanning tree on an interface@ it is possible to create bridg# ing loops if this command is not correctly used. f you ha%e configured this correctly, per 4amples 2#(( and 2#(2, you ha%e scored *) points. E%MPL 3623 P an. C L2TP(3 Veri/icati$n Te#tin" an. C$n/i"urati$n ;1# s%o& l2tsession 02!P Session nformation !otal tunnels 1 sessions 1 0ocD ;emD ;emote Name <1447

371$

;7

State

;emote 5ress est

Port

12$?1$$?7?1

Sessions 02!P /lass, VPDN roup $ 1

S./*;.

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

0ocD

;emD

<1$$3

71

!unD

*sername> ntf,

<1447

2$$> i$,$?2$$'2$$

!'+4#

State 0ast /&g *niA D Vci> /ircuit est $$'24'4$ 1

;7# s%o& l2tsession 02!P !unnel an Session nformation !otal tunnels 1 sessions 1 0ocD ;emD ;emote Name

State

<1447 371$ ;1 0ocD 71

est ;emD

<1$$3

!unD 371$

;emote 5ress

Port

12$?1$$?1?1

Sessions 02!P /lass, VPDN roup $ 1

*sername> ntf,

State Vci> 2$$> i$,1?4$$'4$$ est

S./*;.

0ast /&g *niA D /ircuit $$'2<'27 1

SW3# /ing ...2

!"pe escape seAuence to a%ort? Sening <> 1$$-%"te /P .c&os to 1?1?1?2> timeout is 2 secons' ????? Bae sure "ou are logging on "our /. e6ices SW1(config)# logging $onsole SW1# $3'22'1' HSP5N!;..-2-;./VPVD.;;' ;ecei6e PD* 8it&inconsistent peer 6lan i 4$$ on +ast.t&ernet$,1 V05N2$$? $3'22'1' HSP5N!;..-2-0/JPVD0/50' locing +ast.t&ernet$,1on V05N$2$$? nconsistent local 6lan? 'lo$0ed/orts SW1# s%o& s/anningtree

loce nterfaces 0ist Name -------------------- -----------------------------------V05N$2$$ +a$,1 ) in t&e s"stem ' 1 Num%er of %loce ports (segments

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa "em$re 259 .etai&# /$r

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!'+#

SW2#$3'22'21' HSP5N!;..-2-;./VPVD.;;' ;ecei6e PD* 8it& inconsistent peer 6lan i 2$$ on +ast.t&ernet$,7 V05N4$$? $3'22'21' HSP5N!;..-2-0/JPVDP..;' locing +ast.t&ernet$,7 on V05N$2$$?nconsistent peer 6lan? 'lo$0ed/orts SW2# s%o& s/anningtree

loce Name -------------------V05N$2$$ V05N$4$$

nterfaces 0ist -----------------------------------+a$,7 +a$,7

Num%er of %loce ports (segments) in t&e s"stem ' 2 SW3# /ing ...2 !"pe escape seAuence to a%ort? Sening <> 1$$-%"te /P .c&os to 1?1?1?2> timeout is 2 secons' ????? Success rate is $ percent ($,<) SW1# s%o& s/anningtree'lo$0ed/orts loce nterfaces 0ist Name -------------------- -----------------------------------V05N$2$$ +a$,1 Num%er of %loce ports (segments) in t&e s"stem ' 1 SW1(config)# int #ast5 SW1(config-if)# s/anningtree '/du#ilter ena'le SW1(config-if)#$3'33'<=' HSP5N!;..-2-*N0/J/NSS!P;!' *n%locing +ast.t&ernet$,1 on V05N$2$$? Port consistenc" restore? SW3# /ing ...2 !"pe escape seAuence to a%ort? Sening <> 1$$-%"te /P .c&os to 1?1?1?2> timeout is 2 secons' ?BBBB Success rate is :$ percent (4,<)> roun-trip min,a6g,max C :,12,1= ms

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa "em$re 259 .etai&# /$r

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!'+1#

Secti$n @> Mu&tica#t ?1+ P$int#A E

!onfigure your $:S network for multicast support of the -= F-+ using $ sparse mode. $ -outers -* and -N should be configured to tunnel multicast traffic using an =T address of (2(.).).** from ! de%ice Switch 2 F:A1L) to ! de%ice Sw3 F:A1*)) o%er the -= F-+. Switch 3 should be configured to reply to an !$ ping on its F:A1*)) interface directed to ((N.(.(.( from Switch 2 F:A1L). t can be assumed that the mF-+ bandwidth re"uirement is low@ configure =T appropriately. nsure that $ -outer -N6s associated F:A1*)) $ address is used as the rendez%ous point B-$Cfor the -= F-+ multicast traffic. B*) pointsC

ulticast support for $:S F$1s is pro%ided by configuring multicast routing within the core network. As directed, $ sparse mode is re"uired in your solution and should be enabled on all $ router $:S interfaces and $ facing $ router $:S interfaces. $ sparse mode is also configured on the ! interfaces on F:A1L) and F:A1*)) on Switches 2 and 3, respecti%ely, and corresponding $ terminating interfaces on the $ -outers -* and -N. $ sparse mode is finally configured on the loopback interfaces of the $ -outers -* and -N as ulticast =istribution Tree B=TC will tunnel between theseinterfaces. i/ multi$astroutingdistri'uted and =on6t forget that multicast routing is enabled on the ! switches with the command . The mdt de#ault grou/addressis configured to (2(.).).** on $ -outers -* and on the routers with i/ multi$astrouting -N within the -= F-+. Source Specific ulticast BSSC is enabled on all $:S routers with the command i/ /im ssm de#ault to allow transport of multicast information between all $ and $routers.

The "uestion states that the mF-+ BulticastF-+C bandwidth re"uirement is low, which simply means that a =ata =T is not re"uired in this solution. BThese are used for high#bandwidth sources and limit the traffic recei%ed to the routers< part of the multicast tree.C >ou should also realize that a =ata =T is not re"uired because there was no men# tion of threshold %aluesor access#lists within the "uestion, which are re"uired for =ata =T configurations. The address of *2).*)).*)).* B-N F-+ -=C is used asthe -$ for the mF-+, and this isconfigured on both ! BSwitch2 and Switch3C de%ices and both $ routers B-* and -NC within the -= F-+. ! de%ice Switch 3 is finally configured withi/ igm/ oingrou/ 22.2.2.2 under its F:A1 *)) interface for it to reply to a multicast ping from ! de%ice Switch 2 o%er the $:SF$1. The "uestion iscomprehensi%e in the amount of items that re"uire configuration,and it would be an easy mistaketo miss tasks such as enabling $ on the $ :oopback interfaces, where you might not immediately assume it is re"uired. As with all "uestions, testing is key. 4ample 2#(3 details the re"uired configuration for the solution.

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!'+2#

E%MPL 3624 Mu&tica#tC$n/i"urati$n B nitial ulticast Setup for t&e P0S /ore ;outers ;1(config)# i/ multi$astrouting ;1(config-6rf)#

inter#a$e)oo/'a$0

;1(config-if)#

i/ /im s/arsemode

;1(config-if)#

inter#a$eerial55

;1(config-if)#

i/ /im s/arsemode

;2(config)# i/ multi$astrouting ;2(config)# inter#a$es5 ;2(config-if)#

i/ /im s/arsemode

;2(config-if)#

inter#a$es5

;2(config-if)#

i/ /im s/arsemode

;3(config)# i/ multi$astrouting ;3(config)# inter#a$es55 ;3(config-if)#

i/ /im s/arsemode

;3(config-if)#

inter#a$es55

;3(config-if)#

i/ /im s/arsemode

;4(config)# i/ multi$astrouting ;4(config)# inter#a$e gig5 ;4(config-if)#

i/ /im s/arsemode

;4(config-if)#

inter#a$es55

;4(config-if)#

i/ /im s/arsemode

;<(config)# i/ multi$astrouting ;<(config)# inter#a$e gig5 ;<(config-if)#

i/ /im s/arsemode

;<(config-if)#

inter#a$es55

;<(config-if)#

i/ /im s/arsemode

;7(config)# i/ multi$astrouting ;7(config)# inter#a$e)oo/'a$0 ;7(config-if)#

i/ /im s/arsemode

;7(config)# inter#a$eGiga'itEt%ernet5

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

;7(config-if)#

!'+3#

i/ /im s/arsemode

B P. Specific mV;+ an D! /onfiguration ;1(config)# i/ multi$astrouting r# +ED ;1(config)# i/ r# +ED ;1(config-6rf)#

mdt de#ault232...

;1(config-6rf)#

inter#a$e Giga'itEt%ernet5.-

;1(config-su%if)#

i/ /im s/arsemode

;1(config-su%if)#

e:it

;1(config)# i/ /im r# +ED r/address3... ;1(config)# i/ /im ssmde#ault ;7(config)# i/ r# +ED ;7(config-6rf)#

mdt de#ault232...

;7(config-6rf)#

inter#a$e Giga'itEt%ernet5.

;7(config-su%if)#

i/ /im s/arsemode

;7(config-su%if)#

e:it

;7(config)# i/ /im r# +ED r/address3... ;7(config)# i/ /im ssmde#ault B /. Specific /onfiguration SW3(config)# i/ multi$astroutingdistri'uted SW3(config)# int lan - SW3(config-if)#

i/ /im s/arsemode

SW3(config-if)#

e:it

SW3(config)# i/ /im r/address3... SW4(config)# i/ multi$astroutingdistri'uted SW4(config)# inter#a$e lan SW4(config-if)#

i/ /im s/arsemode

SW4(config-if)#

i/ igm/ oingrou/22.2.2.2

SW4(config-if)#

e:it

SW4(config)# i/ /im r/address3...

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!'+#

4ample 2#(L details the testing for the solution@ the =T tunnel is detailed and shown as an interface used for $ ad# acency between the $ routers. f you ha%e configured your solution per 4ample 2#(L and can successfully ping be# tween Switch 2and Switch 3, you ha%e scored *) points. E%MPL 3625 Mu&tica#tTe#tin" ;7# s%o& i/ /im r# +EDneig% P Neig&%or !a%le oe'  - iir /apa%le> D; - Designate ;outer> N - Default D; Priorit"> S - State ;efres& /apa%le nterface *ptime,.xpires Ver Neig&%or 5ress Prio,oe 13$?1$$?1$$?2 iga%it.t&ernet$,1?1$$ $$'$2'$:,$$'$1'34 62 1 , D; S 12$?1$$?1?1 !unnel1 $$'$$'$<,$$'$1'3 62

D;

1 , S

;1# /ing r# +ED22.2.2.2 !"pe escape seAuence to a%ort? Sening 1> 1$$-%"te /P .c&os to 227?2?2?2> timeout is 2 secons' ;epl" to reAuest $ from 13$?1$$?1$$?2> 12 ms SW3# /ing 22.2.2.2 !"pe escape seAuence to a%ort? Sening 1> 1$$-%"te /P .c&os to 227?2?2?2> timeout is 2 secons' ;epl" to reAuest $ from 13$?1$$?1$$?2>  ms SW3# s%o& i/ /imr/ roup' 227?2?2?2> ;P' 13$?1$$?1$$?1> 62> uptime $$'$$'3=> ex pires ne6er roup' 224?$?1?4$> ;P' 13$?1$$?1$$?1> 62> uptime $1'$1'24> expires ne6er ;1# s%o& i/ /im mdt'g/ Peer (;oute Distinguis&er  P64) D! group 232?$?$?11 2'7<$$1'2$$'12$?1$$?7?1 ;7# s%o& i/ /im mdt'g/ (;oute Peer Distinguis&er  P64)

Next 9op 12$?1$$?7?1

Next

9op

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

D! group 232?$?$?11 2'7<$$1'2$$'12$?1$$?1?1

!'40#

12$?1$$?1?1

Secti$n 9> -P( ? P$int#A E

!onfigure the following $%N address on the $ -outers -* and -N, and implement $%N o%er $:S between the N$ routers to ad%ertise the prefi4es between N$s. nsure your :oopback $%N addresses are used to source any locally generated &$%N traffic. BN pointsC -* :o) ()*)D!*LD!)D*DD*5N3 -* 7i)5).*) ()*)D!*LD!)D**DD*5N3 -N :o) ()*)D!*LD!)DNDD*5N3 -N 7i*5).() ()*)D!*LD!)DN(DD*5N3

A relati%ely straightforward $%N "uestion, there is no $%N redistribution or comple4 issues to deal with. The"uestion directs you to configure $%N onto your F-+ ':M interfaces of the $ routers. >ou would usually e4tend this $%N domain into your !de%ices, but the switches in this lab cannot run $%N.$%N o%er $:S backbones enables isolated $%N domains to communicate with each other o%er an $:S $%3 core network. To ensure the :oopback $%N ad# dresses of the $ routers are used to source locally generated $%N traffic, the $ routers are configured with m/ls i/ sour$einter#a$e )oo/'a$0 . $#'7$ is used to ad%ertise the $%N prefi4es between $ routers, and the configuration is %irtually identical to that of $%3. Aggregate label binding and ad%ertisement is enabled for $%N prefi4es using the neig%'or sendla'elcommand. !onnected $FN routes are redistributedusing '7$ with the net&or0 command under the $%N address#amil*, and $%N routing and $%N cef must be enabled on your $ routers. f you ha%e configured your routers correctly, per 4ample 2#(N, you ha%e scored N points. E%MPL 362 P -P( C$n/i"urati$n an. Veri/icati$n ;1(config)# i/ uni$astrouting ;1(config)# i/ $e# )oo/'a$0 ;1(config)# m/ls i/ sour$einter#a$e

;1(config)# inter#a$eloo/'a$0 ;1(config-if)# i/ add 2!C-!C!!!54 ;1(config-if)#

inter#a$e Giga'itEt%ernet5.

;1(config-su%if)#

i/ address 2!C-!C!!!54

;1(config-su%if)#

router 'g/-

;1(config-router)#

no 'g/ de#aulti/4uni$ast

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

;1(config-router)#

!'4"#

address#amil*i/

;1(config-router-af)#

neig%'or 2...a$tiate

;1(config-router-af)# neig%'or2...sendla'el ;1(config-router-af)# net&or02!C-!C!!!54 ;1(config-router-af)#

net&or02!C-!C!!!54

;1(config-router-af)#

e:itaddress#amil*

;7(config)# i/ uni$astrouting ;7(config)# i/ $e# ;7(config)# m/ls i/ sour$einter#a$e )oo/'a$0 ;7(config)# inter#a$e loo/'a$0 ;7(config-if)#

i/ add 2!C-!C!!!54

;7(config-if)#

inter#a$e Giga'itEt%ernet5.2

;7(config-su%if)#

i/ address 2!C-!C!2!!54

;7(config-su%if)#

router 'g/-

;7(config-router)#

no 'g/ de#aulti/4uni$ast

;7(config-router)#

address#amil*i/

;7(config-router-af)#

neig%'or 2...a$tiate

;7(config-router-af)# neig%'or2...sendla'el ;7(config-router-af)# net&or02!C-!C!2!!54 ;7(config-router-af)#

net&or02!C-!C!!!54

;7(config-router-af)#

e:itaddress#amil*

;1# s%o& i/ 'g/ i/uni$ast P ta%le 6ersion is <> local router D is12$?1$$?1?1 Status coes' s suppresse>  ampe> & &istor"> I6ali> Y %est> i - internal> r ;-failure> S Stale rigin coes' i - P> e - .P>  - incomplete Net8or Next 9op etric 0ocPrf Weig&t Pat& IY 2$1$'/1<'/$'1'',74 '' $ 32=7: i IYi2$1$'/1<'/$'7'',74 ''++++'12$?1$$?7?1 $ 1$$ $ i IY 2$1$'/1<'/$'11'',74 '' $ 32=7: i IYi2$1$'/1<'/$'72'',74 ''++++'12$?1$$?7?1 * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

$

1$$

!'4'#

$ i

;7# s%o& i/ 'g/ i/uni$ast P ta%le 6ersion is <> local router D is12$?1$$?7?1 Status coes' s suppresse>  ampe> & &istor"> I6ali> Y %est> i - internal> r ;-failure> S Stale rigin coes' i - P> e - .P>  - incomplete Net8or Next 9op etric 0ocPrf Weig&t Pat& IYi2$1$'/1<'/$'1'',74 ''++++'12$?1$$?1?1 $ 1$$ $ i IY 2$1$'/1<'/$'7'',74 '' $ 32=7: i IYi2$1$'/1<'/$'11'',74 ''++++'12$?1$$?1?1 IY 2$1$'/1<'/$'72'',74 $ ''

1$$

$

$ i 32=7: i

;1# /ing i/2!C-!C!2!!

!"pe escape seAuence to a%ort? Sening <> 1$$-%"te /P .c&os to 2$1$'/1<'/$'72''1> BBBBB

timeout is 2

secons'

;1# /ing i/ !!C!!! Success rate is 1$$ percent (<,<)> roun-trip min,a6g,max C :,:,12 ms

!"pe escape seAuence to a%ort? Sening <> 1$$-%"te /P .c&os to 2$1$'/1<'/$'7''1> timeout is 2 secons' BBBBB Success rate is 1$$ percent (<,<)> roun-trip min,a6g,max C :,:,12 ms ;7# /ing i/2!C-!C!!! !"pe escape seAuence to a%ort? Sening <> 1$$-%"te /P .c&os to 2$1$'/1<'/$'11''1> timeout is 2 secons' BBBBB Success rate is 1$$ percent (<,<)> roun-trip min,a6g,max C :,:,12 ms ;7# /ing i/2!C-!C!!! * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!'4+#

!"pe escape seAuence to a%ort? Sening <> 1$$-%"te /P .c&os to 2$1$'/1<'/$'1''1> timeout is 2 secons' BBBBB Success rate is 1$$ percent (<,<)> roun-trip min,a6g,max C :,,12 ms ;1# s%o& i/route P67 ;outing !a%le - : entries /oes' / - /onnecte> 0 - 0ocal> S - Static> ; - ;P>  P * - Per-user Static route 1 - SS 01> 2 - SS 02> 5 - SS interarea> S - SS summar"  - SP+ intra>  - SP+ inter> .1 - SP+ ext 1> .2 - SP+ ext2 N1 - SP+ NSS5 ext 1> N2 - SP+ NSS5 ext2 D - .;P> .M - .;P external / 2$1$'/1<'/$'1'',74 F$,$G 6ia ''> 0oop%ac$ 0 2$1$'/1<'/$'1''1,12: F$,$G 6ia ''> 0oop%ac$  2$1$'/1<'/$'7'',74 F2$$,$G / 0  0 0

6ia ''++++'12$?1$$?7?1> P67-mpls 2$1$'/1<'/$'11'',74 F$,$G 6ia ''> iga%it.t&ernet$,$?1$ 2$1$'/1<'/$'11''1,12: F$,$G 6ia ''> iga%it.t&ernet$,$?1$ 2$1$'/1<'/$'72'',74 F2$$,$G 6ia ''++++'12$?1$$?7?1> P67-mpls +.:$'',1$ F$,$G 6ia ''> Null$ ++$$'',: F$,$G 6ia ''> Null$

;7# s%o& i/route P67 ;outing !a%le - : entries /oes' / - /onnecte> 0 - 0ocal> S - Static> ; - ;P>  P * - Per-user Static route 1 - SS 01> 2 - SS 02> 5 - SS interarea> S - SS summar"  - SP+ intra>  - SP+ inter> .1 - SP+ ext 1> .2 - SP+ ext2 N1 - SP+ NSS5 ext 1> N2 - SP+ NSS5 ext2 D - .;P> .M - .;P external 2$1$'/1<'/$'1'',74 F2$$,$G  * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

/ 0  / 0 0 0

!'44#

6ia ''++++'12$?1$$?1?1> P67-mpls 2$1$'/1<'/$'7'',74 F$,$G 6ia ''> 0oop%ac$ 2$1$'/1<'/$'7''1,12: F$,$G 6ia ''> 0oop%ac$ 2$1$'/1<'/$'11'',74 F2$$,$G 6ia ''++++'12$?1$$?1?1> P67-mpls 2$1$'/1<'/$'72'',74 F$,$G 6ia ''> iga%it.t&ernet$,1?1$ 2$1$'/1<'/$'72''1,12: F$,$G 6ia ''> iga%it.t&ernet$,1?2$ +.:$'',1$ F$,$G 6ia ''> Null$ ++$$'',: F$,$G 6ia ''> Null$

Secti$n 1+> B$S ?13 P$int#A E

following !reate F-+. the Mse an appropriate QoS profilemethod on yourof$ -outer -*=S!$ for traffic egressing to yourpackets ! de%ice connected to the ':M prioritizing traffic so that A+2* are statistically dropped more fre"uently than A+2( during congestion and reduce the effects of T!$ global synchronization within your &SS&81#!-&T&!A: and solely reduce the effect of T!$ global synchronization within the =+AM:T classD B9 pointsC

C&a##

!SCP Va&ue

F8&!

+, !SL

&SS&81#!-&T&!A: =+AM:T

H $/ an.)i.th%##i"ne.

2L

!SN, A+2*, A+2(, !S2 Any

3) (L

This is a 2 !lass $#to#! QoS "uestion that re"uires assigning traffic to "ueues based on =S!$ %alues into the listed classes and assignment of bandwidth on a per#class basis. =S!$ prioritization is achie%ed in the &SS&81#!-&T&!A: class by enabling 0-= with the randomdete$t ds$/'asedcommand, whereby lower#priority =S!$ traffic will be dropped more aggressi%ely than higher priority under congestion, thus reducing the effect of global synchronization. A similar non#=S!$based effect is achie%ed within the =+AM:T class by use of the randomdete$t command. The pol# icy#map is applied outbound on the $ interface connecting to the ':M F-+ ! de%ice. 4ample 2#(9 details the re# "uired configuration on $ -outer -*. f you ha%e configured thiscorrectly, you ha%e scored 9points. * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa "em$re 259 .etai&# /$r

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!'4#

E%MPL 3627 P t$ C B$SC$n/i"urati$n ;1(config)# $lassma/ mat$%an*ICE ;1(config-cmap)# mat$% i/ ds$/ e# ;1(config-cmap)# mat$% i/ds$/ $s;1(config-cmap)#

$lassma/ mat$%an*MIINC+IIC()

;1(config-cmap)#

mat$% i/ ds$/$s

;1(config-cmap)#

mat$% i/ ds$/a#3

;1(config-cmap)#

mat$% i/ ds$/a#32

;1(config-cmap)#

mat$% i/ ds$/$s3

;1(config-cmap)#

/oli$*ma/PECE

;1(config-pmap)# $lass ICE ;1(config-pmap-c)# /riorit* /er$ent3;1(config-pmap-c)#

$lass MIINC+IIC()

;1(config-pmap-c)#

'and&idt% /er$ent4

;1(config-pmap-c)#

randomdete$tds$/'ased

;1(config-pmap-c)# $lass $lassde#ault ;1(config-pmap-c)# 'and&idt% /er$ent2;1(config-pmap-c)# randomdete$t ;1(config-pmap-c)# e:it ;1(config-pmap)# e:it ;1(config)# inter#a$eGiga'itEt%ernet5. ;1(config-su%if)#

E

seri$e/oli$* out/ut CEPE

!reate the following QoS profile on your $ -outer -* for traffic ingressing fr om your ! de%ice connected to the ':M F-+ into the $:S network. The total aggregate speed from the ! to $ should be restricted to * bpsD

C&a##

C-' ?bp#A

F8&!

2L),)))

&SS&81#!-&T&!A:

3)),)))

=+AM:T

(L),)))

Traffic in the F8! class within the detailed !- should ha%e the $:S X$ set to L and abo%e discarded. Traffic in the &SS&81#!-&T&!A:class within the detailed !- should ha%e the $:S X$ set to 2 and abo%e set to 9. Traffic in the =+AM:T class within the detailed !- should ha%e the $:S X$ set to ) and abo%e set to 3. BN pointsC * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa "em$re 259 .etai&# /$r

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!'41#

This is a =iffSer% Tunneling "uestion which re"uires that the classes you ha%e configured in the pre%ious "uestion be policed to an aggregate of * bps and ha%e their $:S X$ %alues adusted. The policy#map is applied to the input in# terface of the $ router, which connects to the ':M F-+ ! de%ice and affects the traffic as it flows through the $:S network. 4ample 2#(/ detailsthe re"uired configuration on $ -outer -*. f you ha%e configured this correctly, you ha%e scored N points. E%MPL 362@ C t$ P B$SC$n/i"urati$n ;1(config)# /oli$*ma/CEPE@(PE ;1(config-pmap)# $lass ICE ;1(config-pmap-c)# /oli$e $ir3- ;1(config-pmap-c-police)#

$on#orma$tion setm/lse:/to/mosttransmit

;1(config-pmap-c-police)#

e:$eeda$tiondro/

;1(config-pmap-c-police)# $lass MIINC+IIC() ;1(config-pmap-c)# /oli$e $ir4 ;1(config-pmap-c-police)#

$on#orma$tion setm/lse:/to/mosttransmit 3

;1(config-pmap-c-police)#

7 e:$eeda$tion setm/lse:/to/mosttransmit

;1(config-pmap-c-police)#

$lass $lassde#ault

;1(config-pmap-c)# /oli$e $ir2-  ;1(config-pmap-c-police)# $on#orma$tion setm/lse:/to/mosttransmit ;1(config-pmap-c-police)#

e:$eeda$tion setm/lse:/to/mosttransmit 4

;1(config-pmap-c-police)#

inter#a$eGiga'itEt%ernet5.

;1(config-su%if)#

seri$e/oli$* in/ut CEPE@(PE

Secti$n 11> Security ?13 P$int#A E

!reate three new :oopback $ addresses of loopback* on -3, -L, and -NPuse $ addresses of3.3.3.35(3, L.L.L.L5(3, and N.N.N.N5(3, respecti%ely. Mse 7-$ to ad%ertise the loopback networks between routers o%er a common 7- tunnel network of *)).*)).*)).X 5 (3 BX [ router numberC sourced from each routerou are not permitted to enable 7-$ on your thernet interfaces between routers. Spoke routers must be able to communicate with each other directly using dynamic $sec connections with the aid of 1H-$ at the hub,whereas hub#to#spoke $sec connections should be permanent. The hub router should pro%ide all necessary direct ne4t#hop information to the spoke routers when they are re"uired to communicate between themsel%es. 1H-$ should be authenticated with a password of * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!'42#

S!-T. Mse an TM of *3*N for your secure traffic, an 1H-$ timeout of *)) seconds for spoke replies, and a delay of (mS on the tunnel network. Test your solution by e4tended pings sourced from the configured :oopback interfaces. B*) pointsC This is a classic =ynamic ultipoint F$1 B=F$1C "uestion in which a hub#and#spoke design is used with 1e4t Hop -esolution $rotocol B1H-$C for the spoke routers to communicate with each other. >ou ha%e numerous tasks to per# form, so this could bethe kind of "uestion that is best sa%ed until later and tackled if you ha%e time. The "uestion dic# tates that you configure a tunnel network *)).*)).*)).)5(3 in which to ad%ertise each router
broadcast domain for all three routers, and the authentication password is set to S!-T as directed within the "uestion. The command i/ n%r/ ma/ multi$ast d*nami$ permits the registration of the multicast address for 7-$ during boot up or initiation of spoke#to#hub sessions. Thei/ n%r/ %oldtime command sets the 1H-$ time for a spoke to keep the 1H-$ reply to *)) seconds and is configured on the hub#and#spokerouters. The re"uired configuration for the :oopback and tunnel interfaces and the =F$1 is detailed in 4ample2#(. E%MPL 3629 !MVPN C$n/i"urati$n ;4(config)# inter#a$eloo/'a$0 ;4(config-if)# i/ add4.4.4.4 2--.2--.2--. ;4(config-if)#

routereigr/ 

;4(config-router)#

no autosummar*

;4(config-router)#

net&or0 ......2--

;4(config-router)#

net&or0 4.4.4. ...2--

;<(config)# inter#a$eloo/'a$0 ;<(config-if)# i/ address -.-.-.- 2--.2--.2--. ;<(config-if)#

routereigr/ 

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

;<(config-router)#

no autosummar*

;<(config-router)#

net&or0 ... ...2--

;<(config-router)#

net&or0 -.-.-....2--

!'43#

;7(config)# inter#a$eloo/'a$0 ;7(config-if)#

i/ address ...2--.2--.2--.

;7(config-if)#

router eigr/

;7(config-router)#

no autosummar*

;7(config-router)#

...2-net&or0 ...

;7(config-router)#

net&or0 ......2--

;7(config)# $r*/to isa0m/ /oli$* ;7(config-isamp)#

aut%enti$ation/res%are

;7(config-isamp)#

$r*/to isa0m/ 0e* CCIE address ...

;7(config-isamp)#

es/md-%ma$ $r*/to i/se$ trans#ormset DMPN es/des

;7(cfg-cr"pto-trans)#

$r*/to i/se$/ro#ileIPEC

;7(ipsec-profile)# set trans#ormsetDMPN ;7(ipsec-profile)# inter#a$e unnel ;7(config-if)# ;7(config-if)#

i/ address ... 2--.2--.2--. i/ mtu 4

;7(config-if)#

i/ n%r/ aut%enti$ation EC+E

;7(config-if)# i/ n%r/ ma/ multi$ast d*nami$ ;7(config-if)# i/ n%r/ net&or0id ;7(config-if)#

i/ n%r/ %oldtime

;7(config-if)#

dela* 2

;7(config-if)#

5 tunnel sour$e gig

;7(config-if)#

tunnel mode gremulti/oint

;7(config-if)#

tunnel 0e*

;7(config-if)#

tunnel /rote$tion i/se$ /ro#ile IPEC

;4(config)# $r*/to isa0m/ /oli$*  ;4(config-isamp)#

aut%enti$ation/res%are

;4(config-isamp)#

... $r*/to isa0m/ 0e* CCIE address

;4(config-isamp)#

$r*/to i/se$ trans#ormset DMPN es/des es/md-%ma$

;4(cfg-cr"pto-trans)#

$r*/to i/se$/ro#ileIPEC

;4(ipsec-profile)# set trans#ormsetDMPN ;4(ipsec-profile)# inter#a$e unnel ;4(config-if)#

2--.2--.2--. i/ address ...4

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

;4(config-if)#

i/ mtu 4

;4(config-if)#

i/ n%r/ aut%enti$ation EC+E

;4(config-if)#

2..4-. i/ n%r/ ma/ ...

;4(config-if)#

i/ n%r/ ma/ multi$ast2..4-.

;4(config-if)#

i/ n%r/ net&or0id

;4(config-if)#

i/ n%r/ %oldtime

;4(config-if)#

i/ n%r/ n%s...

;4(config-if)#

dela* 2

;4(config-if)#

tunnel sour$e gig 5

;4(config-if)#

tunnel mode gremulti/oint

;4(config-if)#

tunnel 0e*

;4(config-if)#

IPEC tunnel /rote$tion i/se$ /ro#ile

!'4#

 ;<(config)# $r*/to isa0m/ /oli$*

;<(config-isamp)#

aut%enti$ation/res%are

;<(config-isamp)#

... $r*/to isa0m/ 0e* CCIE address

;<(config-isamp)#

$r*/to i/se$ trans#ormset DMPN es/des es/md-%ma$

;<(cfg-cr"pto-trans)#

$r*/to i/se$/ro#ileIPEC

;<(ipsec-profile)# set trans#ormsetDMPN ;<(ipsec-profile)# inter#a$e unnel ;<(config-if)#

i/ address ...2--.2--.2--.

;<(config-if)#

i/ mtu 4

;<(config-if)#

EC+E i/ n%r/ aut%enti$ation

;<(config-if)#

2..4-. i/ n%r/ ma/ ...

;<(config-if)#

i/ n%r/ ma/ multi$ast2..4-.

;<(config-if)#

i/ n%r/ net&or0id

;<(config-if)#

i/ n%r/ %oldtime

;<(config-if)#

i/ n%r/ n%s...

;<(config-if)#

dela* 2

;<(config-if)#

5 tunnel sour$e gig

;<(config-if)#

tunnel mode gremulti/oint

;<(config-if)# tunnel 0e* ;<(config-if)# tunnel protection

ipsec

profile PS./

4ample 2#2) details the 7-$ routes recei%ed on all routers. As can be seen, the hub router shows both spoke net# works, yet each spoke router disco%ers only the hub network@ this is a classic split#horizon issue. The hub -outer -N must be configured to disable the split#horizon beha%ior to ensure the spoke routers recei%e each other
CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!'0#

e%er, the "uestion dictates that spoke routers should be able to communicate directly. As shown in 4ample 2#2), the ne4t hop for spoke networks show as the hub router *)).*)).*)).N for each spoke network. The commandno i/ ne:t %o/sel# eigr/ on the hub -outer -N ensures that the spoke routers are used as ne4t hops when spoke#to#spoke commu# nication is re"uired, and this will enable the dynamic $sec peering between spokes as directed in the "uestion. E%MPL 363+ !MVPN Sp$0e6t$6Sp$0e'$utin" ;4# s%o& i/ routeeigr/ 7?$?$?$,24 is su%nette> 1 su%nets D 7?7?7?$ F$,2:<$:4417G 6ia 1$$?1$$?1$$?7> $$'$2'42>

!unnel$

;<# s%o& i/ routeeigr/ 7?$?$?$,24 is su%nette> 1 su%nets D 7?7?7?$ F$,2:<$:4417G 6ia 1$$?1$$?1$$?7> $$'$$'<$>

!unnel$

;7# s%o& i/ routeeigr/ 4?$?$?$,24 is su%nette> 1 su%nets D 4?4?4?$ F$,2:<$:4417G 6ia 1$$?1$$?1$$?4> $$'$3'$7> 1 su%nets D

$$'$1'$2>

!unnel$ !unnel$

B;7 &as %ot& spoe routes "et eac& spoe (;4 an ;<) onl" &a6e t&e &u% net8orroute> Ba classic split &ori- on issue? ;7(config)# inter#a$etunnel ;7(config-if)#

 no i/ s/lit%ori1on eigr/

;4# s%o& i/ routeeigr/ D D 7?7?7?$ F$,2:<$:4417G ;<# s%o& i/ routeeigr/ 4?$?$?$,24 is su%nette> D 4?4?4?$ F$,2:<<7417G 7?$?$?$,24 is su%nette> D 7?7?7?$ F$,2:<$:4417G ;<#

1 su%nets 6ia 1$$?1$$?1$$?7> $$'$$'22> 1 su%nets 6ia 1$$?1$$?1$$?7> $$'$4'14>

1 su%nets 6ia 1$$?1$$?1$$?7> $$'$$'33> 1 su%nets 6ia 1$$?1$$?1$$?7> $$'$2'2$>

!unnel$ !unnel$

!unnel$ !unnel$

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!'"#

B !&e next-&op for spoe to spoe routes s&o8s as t&e &u%router (1$$?1$$?1$$?7) "et Bt&e Auestion states traffic must flo8 irectl" %et8een spoes so t&e next-&opmust %e Bmoifie ;7(config)# inter#a$e tunnel ;7(config-if)#

 no i/ ne:t%o/sel# eigr/

;4# s%o& i/ routeeigr/ D D 7?7?7?$ F$,2:<$:4417G

1 su%nets 6ia 1$$?1$$?1$$?<> $$'$$'2:> 1 su%nets 6ia 1$$?1$$?1$$?7> $$'$$'2>

;<# s%o& i/ routeeigr/ 4?$?$?$,24 is su%nette> D 4?4?4?$ F$,2:<<7417G 7?$?$?$,24 is su%nette> D 7?7?7?$ F$,2:<$:4417G

1 su%nets 6ia 1$$?1$$?1$$?4> $$'$$'3> 1 su%nets 6ia 1$$?1$$?1$$?7> $$'$$'3>

!unnel$ !unnel$

!unnel$ !unnel$

4ample 2#2* shows the isakmp $sec connection on spoke -outer -L to the hub. To bring up a dynamic isakmp $sec interface. connection to the other spoke -outer -3, an e4tended ping is re"uired from :oopback interface to :oopback This "uestion was e4tremely comple4 and is the reason why it was weighted so hea%ily. >ou had multiple items to con# figure within the standard =F$1 solution, such as split#horizon. t should make you realize the importance of reading the "uestion a numberof times and taking the time to test your configurations to ensure you ha%e successfully answered the "uestion. f you ha%e configured your routers correctly, as detailed in 4amples 2#( and 2#2), congratulations, and you ha%e earned a hefty *)points. E%MPL 3631 !MVPN Sp$0e6t$6Sp$0eTe#tin" ;<# s%o& $r*/toma/ /r"pto ap L!unnel$-&ea-$L 7<<37 ipsec-isamp Profile name' PS./ Securit" association lifetime' 47$:$$$ P+S (O,N)' N !ransform setsC[ DVPN> T

ilo%"tes,37$$ secons

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

/r"pto

!''#

ap L!unnel$-&ea-$L 7<<3= ipsec-isamp ap is a P;+0. NS!5N/.? Peer C 12$?1$$?4 T nterfaces using cr"pto map !unnel$-&ea-$' !unnel$

;<# s%o& $r*/to isa0m/sa P64 /r"pto S5JP S5 12$?1$$?4
12$?1$$?4
ZD0.

st

src

state

4$$1 $ 5/!V. conn-i slot status

P67 /r"pto S5JP S5 B;< spoe router onl" &as a connection to t&e 9u% router? 5n extene ping source from t&e loop%ac inter- face of one spoe to anot&er is reAuire to %ring up t&e "namic spoe to spoe connection?

;<#/ing Protocol FipG' !arget P aress' 4.4.4.4 ;epeat count F Strict> ;ecor> !imestamp> Ver%oseFnoneG' S8eep range of sies FnG' !"pe escape seAuence to a%ort? * 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!'+#

Sening <> 1$$-%"te /P .c&os to 4?4?4?4> timeout is 2 secons' Pacet sent 8it& a source aress of roun-trip min,a6g,max C 1,2,4 ms ;<# s%o& $r*/to isa0m/sa P64 /r"pto S5JP S5 st src 12$?1$$?4
state ZD0. ZD0.

conn-i slot status 4$$2 $ 5/!V. 4$$1 $ 5/!V.

state ZD0. ZD0.

conn-i slot status 4$$2 $ 5/!V. 4$$1 $ 5/!V.

P67 /r"pto S5JP S5 ;<# s%o& $r*/to isa0m/sa P64 /r"pto S5JP S5 st src 12$?1$$?4
E

The network manager of your network cannot ustify a full security implementation but wants toimplement a so# lution that pro%ides only a password prompt from -* when the keyboard entry * is entered on the console port Bas opposed to the normal !-5nter keyC. !onfigure -* appropriately. B2 pointsC

This "uestion makes use of thea$tiation$%ara$tercommand on the console port. This is a nasty "uestion because the !: entry re"uires an AS! entry@ you6d need to search to disco%er that AS! numeric figures B) to C are prefi4ed by the binary %alue of ))**, so a %alue of * B)))*C would be ))**)))*@ as such the decimal con%ersion is 2( ] *N ] * [ 3. A good "uestion to use theB?C on the !: for clues and your documentation != or search facility in the lab if you were not aware of this feature. f you ha%e configured this correctly per 4ample 2#2(, you ha%e scored points. 2 E%MPL 3632 '1 C$n#$&e %cti(ati$n6Character C$n/i"urati$n ;1(config)#

line

con 0

;1(config-line)# a$tiation$%ara$ter R /95; or \$-12=Y 5cti6ation c&aracter or its ecimal eAui6alent ;1(config-line)#

a$tiation$%ara$ter 49

* 2+ 1+ Ci#c $ Sy#tem#, -nc %&& ri"ht# re#er(e. Thi# pub&icati$n i# p r$tecte. by c$pyri"ht P&ea#e #ee pa /$r "em$re 259 .etai&#

CC- '$utin" an. S)itchin" (4+ C$n/i"urati$n Practice Lab# by Martin J. uggan

!'4#

Lab 3 Frap6