IPexpert-CCIE-Data-Center-Volume-1 1-9 PDF
Authored by: Rick Mur - CCIE3 #21946 (R&S / SP / Storage), JNCIE-SP #851
IPexpert's Lab Preparation Workbook for Cisco's CCIE Data Center Lab
Before We Begin
This product is part of the IPexpert suite of materials that provide CCIE candidates and network
engineers with a comprehensive training program. For information about the full solution, contact an
IPexpert Training Advisor today.
Telephone: +1.810.326.1444
Email: sales@ipexpert.com
Congratulations! You now possess one of the ULTIMATE CCIE™ Lab preparation and network
operation resources available today! This resource was produced by senior engineers, technical
instructors, and authors boasting decades of internetworking experience. Although there is no way to
guarantee a 100% success rate on the CCIE Data Center Lab exam, we feel VERY confident that your
chances of passing the Lab will improve dramatically after completing this industry-recognized
Workbook!
Technical Support from IPexpert, and your CCIE community!
IPexpert is proud to lead the industry with multiple support options at your disposal free of charge. Our
online communities have attracted a membership of over 20,000 of your peers from around the world!
At blog.ipexpert.com, you can keep up to date with everything IPexpert does and read the latest in
technical articles from world-renowned IPexpert instructors. At OnlineStudyList.com, you may subscribe
to multiple SPAM-free, moderated CCIE-focused email lists.
Feedback
Do you have a suggestion or other feedback regarding this book or other IPexpert products? At IPexpert,
we look to you, our valued clients, for the real-world, frontline evaluation that we believe is necessary
so that we may always improve. Please send an email with your thoughts to feedback@ipexpert.com or
call 1.866.225.8064 (international callers dial +1.810.326.1444).
In addition, for those using this book as CCIE™ preparation, when you pass the CCIE™ Lab exam, we
want to hear about it! Email your CCIE™ number to success@ipexpert.com and let us know how
IPexpert helped you succeed. We would like to send you a gift of thanks and congratulations.
This is a legally binding agreement between you and IPEXPERT, the Licensor, from whom you have
licensed the IPEXPERT training materials (the Training Materials). By using the Training Materials, you
agree to be bound by the terms of this License, except to the extent these terms have been modified by
a written agreement (the Governing Agreement) signed by you (or the party that has licensed the
Training Materials for your use) and an executive officer of Licensor. If you do not agree to the License
terms, the Licensor is unwilling to license the Training Materials to you. In this event, you may not use
the Training Materials, and you should promptly contact the Licensor for return instructions.
The Training Materials shall be used by only ONE (1) INDIVIDUAL who shall be the sole individual
authorized to use the Training Materials throughout the term of this License.
Exclusions of Warranties
THE TRAINING MATERIALS AND DOCUMENTATION ARE PROVIDED AS IS. LICENSOR HEREBY DISCLAIMS
ALL OTHER WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING WITHOUT LIMITATION, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. SOME STATES
DO NOT ALLOW THE LIMITATION OF INCIDENTAL DAMAGES OR LIMITATIONS ON HOW LONG AN
IMPLIED WARRANTY LASTS, SO THE ABOVE LIMITATIONS OR EXCLUSIONS MAY NOT APPLY TO YOU. This
agreement gives you specific legal rights, and you may have other rights that vary from state to state.
Entire Agreement
This is the entire agreement between the parties and may not be modified except in writing signed by
both parties.
Contents
IPexpert's ... 1
Lab Preparation Workbook for Cisco's CCIE Data Center Lab ... 1
Before We Begin ... 1
Feedback ... 2
Additional CCIE™ Preparation Material ... 2
Issues with this Book ... 2
IPEXPERT END-USER LICENSE AGREEMENT ... 3
Copyright and Proprietary Rights ... 3
Exclusions of Warranties ... 4
Choice of Law and Jurisdiction ... 4
Limitation of Claims and Liability ... 4
Entire Agreement ... 5
U.S. Government - Restricted Rights ... 5
Default Lab Topology ... 9
Default passwords and IP addresses ... 9
Chapter 1: Introduction to CCIE Data Center ... 10
Who Should Read this Book? ... 11
How to Use this Book ... 11
An Introduction to CCIE Data Center ... 11
Availability ... 12
Written exam ... 12
The current published reading list: ... 12
Lab exam ... 13
Software Versions ... 13
CCIE Storage? ... 13
What about P and A tracks? ... 13
Troubleshooting ... 13
An Introduction to the Proctor Labs CCIE Data Center hardware rack ... 14
Software Versions ... 16
Chapter 2: Data Center Networking Layer 2 Infrastructure (NX-OS) ... 18
General Rules ... 19
Pre-setup ... 19
Topology ... 19
Configuration tasks ... 20
Task 1: General set-up ... 20
Task 2: Implement VLANs ... 20
Task 3: Implement Private-VLANs ... 21
Task 4: Implement Rapid Spanning-Tree protocol ... 22
Task 5: Implement Multiple Spanning-Tree protocol ... 23
Task 6: Spanning-Tree and UDLD features ... 24
Task 7: Fabric Extenders ... 24
Task 8: Misc features ... 25
Chapter 3: Data Center Networking Layer 3 Infrastructure (NX-OS) ... 26
General Rules ... 27
Pre-setup ... 27
Chapter 1: Introduction to CCIE Data Center
Chapter 1: Introduction to CCIE Data Center introduces the team of authors, consultants, and editors
that completed this book and describes the book's purpose. This chapter also provides suggestions for
the usage of this written work.
The scope of the exam is pretty much based on the usual suspects, so in summary you should be aware
of the:
Availability
Written exam
The written exam has an extensive blueprint published to Cisco Learning Network (CLN) including a
reading list.
Please find the extensive blueprint published by Cisco on the bottom of this blog post.
Lab exam
There is not much information available regarding the lab exam. Availability is not mentioned. There is
however information regarding the hardware list and this is an immense list of expensive hardware you
require:
Software Versions
CCIE Storage?
There are currently no plans to replace CCIE Storage with CCIE Data Center. Because of this, there will
not be a large focus on MDS/FC configuration, as there is another track for that.
Troubleshooting
Troubleshooting will be a big part of the exam, which is also pretty clear in the blueprint. There is no
confirmation yet of how this will be introduced, either using trouble tickets as in the CCIE R&S lab or just
by pre-configuration of the lab. I can imagine that they pre-configured a broken Nexus 1000V on an ESX
installation on one of the JBODs. More information on how this troubleshooting is done will be available
during other Q&A sessions. The implication is that it might be trouble tickets like the CCIE R&S.
The Nexus 7000 will be configured with VDCs to simulate various different topologies and create
multiple 'core switch' layers within the network.
The Nexus 5548 switches will be used as a 'distribution' layer within the datacenter network. The Nexus 2Ks can be
configured as FEX for the Nexus 7000, the Nexus 5000 and the Fabric Interconnects of the UCS system to
connect the UCS C-series rack mount servers. The VDCs are a major component in the network, as the
number of devices is limited and the connectivity is very much based on a best practice design.
The below drawing illustrates an example topology from our new CCIE Data Center lab preparation
workbook which is currently under development.
All these interconnections and switches are based within a single physical chassis with complete
separation of the control and data plane protocols!
The MDS switches used in the lab are capable of a ton of features. The blueprint however only describes
certain fibre-channel features which are considered 'basic' features like zoning, VSANs, oversubscription
and ISLs. The other major topic on the blueprint is Fibre Channel Expansion over FCIP and iSCSI. These
features are the IP features supported by the MDS platform. The 1G Ethernet connections are connected
to the Nexus switches for testing the expansion features. Through that connection it's possible to
connect the MDS switches across another connection than Fibre Channel. As the CCIE Storage track is
not being replaced by the CCIE Data Center the focus on Storage Networking (SAN) features is not that
big. The major topics are more in the features that aren't tested in any other CCIE track.
The JBODs mentioned in this list represent just plain simple hard-disks that are connected via Fibre
Channel. They are used later as shared storage for the UCS system.
The third major component within the hardware blueprint is the Unified Computing System (UCS).
This is based on the C-series rackmount servers, connected to the Fabric Interconnects so the C-series
can also be managed from the central UCS Manager, the same way the blade chassis is managed.
The blades are equipped with different NICs. This also means a slightly different configuration. The VIC
cards are the most interesting ones, as they can virtualize NICs to present to the OS.
Inside the blades there is a pre-installed VMware ESX(i) environment with a Nexus 1000V
distributed virtual switch. As this is a Cisco lab exam, you are not required to know anything about
VMware. Of course you will need to be able to install this environment in your own lab, if you have one, but
when you step into the lab you will face a pre-installed VMware and 1000V. After that, the switch is not
configured and you are required to configure it.
The final topic on the blueprint is called ANS (Application Networking Services). This means an ACE
appliance is in your lab that you will need to configure. There is not much of great interest going on there,
and you will not see a lot of points on that appliance. You will need to know the topics as described on
the lab blueprint, and our workbook will focus a whole section on these specific topics.
The last components are used for management. You will not be configuring these devices, but just using
them from your student workstation to access the network.
What is not mentioned on the hardware blueprint list is that you will also need to be able to configure
(or set-up) the DCNM software as is being given by Cisco when you purchase enough Nexus equipment.
Again this is not extremely difficult, but you need to be aware of the basic configuration items related to
this software.
Software Versions
Above you'll find a reference overview of the software versions used. The exact versions are still
unknown, and we might be using newer software versions, as our IPexpert lab will be using quite new
hardware for virtualization purposes. Within the Nexus 7000 we will be using the new Supervisor 2E,
meaning that we are able to build 8 VDCs plus 1 management VDC, which gives us enough flexibility
for some challenging topologies!
The next chapter of this workbook, Chapter 2: Data Center Networking Layer 2 Infrastructure (NX-OS)
begins with the initial topic on the CCIE Data Center Blueprint regarding layer 2 switching, VLANs,
Private-VLANs, Spanning-Tree and other layer 2 features on the NX-OS platform.
Chapter 2: Data Center Networking Layer 2 Infrastructure (NX-OS)
Chapter 2: Data Center Networking Layer 2 Infrastructure (NX-OS) is intended to familiarize you
with the NX-OS CLI on the Nexus switches and afterwards configure Layer 2 Ethernet features on the
physical Nexus switches within the topology as shown at the beginning of this workbook. We highly
recommend creating your own diagram at the beginning of each lab so you are able to draw on your
own diagram, making it much easier when you step into the real lab. Our devices start with a blank
configuration, which will not be the case when you are in the real lab. There, devices are staged with
configuration containing usernames/passwords, management IP addressing, core IP addressing and
(possible) errors.
General Rules
Try to diagram out the task. Draw your own connections the way you like it
Take a very close read of the tasks to ensure you don't miss any points during grading!
Take your time. This is not a Mock Lab, so no time constraints are in place for finishing this
particular chapter
3 hours
Pre-setup
Connect to the Nexus 7000 switch and Nexus 5000 switches within the topology
This lab is intended to be used with online rack access provided by our partner Proctorlabs
(www.proctorlabs.com). Connect to the terminal server and complete the configuration tasks as
detailed below.
Topology
Configuration tasks
Task 1: General set-up
1. Erase the configuration from all 3 switches and reboot and
2. Configure the default parameters as mentioned in the Generic Lab Topology
3. Configure the Nexus 7000 switch with a hostname of SW1-1 and the Nexus 5500 switches with
hostnames of SW2 and SW3
4. Ensure the switches will not perform any DNS lookups
5. Configure ipexpert.com as the DNS domain name
6. Ensure that both encrypted and unencrypted management connections are allowed
7. Save the configuration using the wr command
8. On SW1-1 configure a message, containing the hostname and warning unauthorized users, that
is shown each time a user logs in
9. Use the serial number of SW1-1 as the ID which is used to advertise the switch using CDP
10. Ensure only CDP version 2 packets are sent from SW1-1
11. Disable CDP on the management ethernet interface
12. Ensure a log message is generated when more than 999 packets per second are sent or received
on the management ethernet interface
7. Ensure SW2 and SW3 will have new VLANs being pushed by SW1-1 and are not able to create
new VLANs by themselves
8. Secure the VTP protocol with a password of ipexpert
9. Create VLANs 101, 102, 103 and 104 and ensure they are visible on all switches
10. Assign names to all VLANs by format of IPexpertVLAN# where # is the VLAN number
11. Configure SW1-1 so the following output is matched (Ports section should show all active trunks):
SW1-1(config)# sh ip igmp snooping | in vlan
IGMP Snooping information for vlan 1
IGMP Snooping information for vlan 101
IGMP Snooping information for vlan 102
IGMP Snooping information for vlan 103
IGMP Snooping information for vlan 104
IGMP Snooping information for vlan 105
IGMP Snooping information for vlan 1002
IGMP Snooping information for vlan 1003
IGMP Snooping information for vlan 1004
IGMP Snooping information for vlan 1005
SW1-1(config)# sh vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------
1    default                          active
101  VLAN0101                         active
102  VLAN0102                         active
103  VLAN0103                         active
104  VLAN0104                         active
1002 fddi-default                     suspended
1003 token-ring-default               suspended
1004 fddinet-default                  suspended
1005 trnet-default                    suspended
SW1-1(config)#
2. Ensure that hosts in VLAN 201 are not able to communicate with each other, but only to the
firewall connected to Ethernet3/19
3. Configure ports Ethernet3/20 and Ethernet3/21 in VLAN 201
4. Hosts in VLAN 202 and 203 are able to communicate to each other in the VLAN and to the
firewall, but not to hosts in the other VLAN (202 can't communicate with 203 and vice versa)
5. Configure ports Ethernet3/22 and Ethernet3/23 in VLAN202. Configure ports Ethernet3/24 and
Ethernet3/25 in VLAN203
6. DMZ servers in VLAN 204 need to be secured. They are not allowed to communicate to each
other, but they can communicate with the rest of the IP network by reaching a default gateway
configured on SW1-1 with IP address 10.1.10.254/24
7. Hosts connected in VLAN 204 are connected on SW2. Configure the first trunk connection for
this use. Configure Ethernet 1/21, 1/22 and 1/23 in VLAN205 on SW2 and ensure they are able
to reach the default gateway to the network. Hosts are not allowed to communicate to each
other.
8. Other hosts of VLAN 201 and 202 are also connected to SW2. Use the second trunk connection
between SW1 and SW2 for this use. The hosts of VLAN201 are connected to ports Ethernet 1/24
and 1/25. The host of VLAN 202 is connected to Ethernet 1/26
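The Private VLAN configuration below is an added example for Task 3, not the workbook's own solution. The task's first item, which would name the primary VLANs, is not on this page, so the example assumes primary VLAN 200 for the firewall segment (isolated 201, community 202 and 203) and primary VLAN 210 for the DMZ (isolated 204); everything else follows the port and address assignments given in the task.

```text
! Added example: Private VLANs on SW1-1 (Nexus 7000). Primary VLANs 200 and 210 are assumptions.
feature private-vlan
feature interface-vlan

! Firewall segment: one primary, one isolated and two community secondaries
vlan 200
  private-vlan primary
  private-vlan association 201-203
vlan 201
  private-vlan isolated
vlan 202
  private-vlan community
vlan 203
  private-vlan community

! DMZ segment: one primary with a single isolated secondary
vlan 210
  private-vlan primary
  private-vlan association 204
vlan 204
  private-vlan isolated

! Item 2: the firewall port is promiscuous and mapped to all three secondaries of primary 200
interface Ethernet3/19
  switchport
  switchport mode private-vlan promiscuous
  switchport private-vlan mapping 200 201-203

! Item 3: isolated hosts, reach the firewall only
interface Ethernet3/20-21
  switchport
  switchport mode private-vlan host
  switchport private-vlan host-association 200 201

! Item 5: two community VLANs, each talks within itself and to the firewall
interface Ethernet3/22-23
  switchport
  switchport mode private-vlan host
  switchport private-vlan host-association 200 202

interface Ethernet3/24-25
  switchport
  switchport mode private-vlan host
  switchport private-vlan host-association 200 203

! Item 6: DMZ default gateway is an SVI on the primary VLAN, mapped to the isolated secondary
interface Vlan210
  no shutdown
  ip address 10.1.10.254/24
  private-vlan mapping 204

! Trunks towards SW2 carry primary and secondary VLANs like any other VLAN; SW2 needs the
! same vlan / private-vlan definitions and 'private-vlan host' ports for the hosts it attaches.
```

Verify with show vlan private-vlan, which lists each primary with its secondaries, type and member ports. One caveat for the DMZ design: isolation is enforced at Layer 2 only. A gateway on the promiscuous side will route a packet from one isolated server back to another in the same subnet unless told otherwise, so if server-to-server isolation has to hold at Layer 3 as well, add an ACL on the SVI (or on the firewall) that drops traffic sourced from and destined to 10.1.10.0/24.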
17. Ensure BPDUs are discarded when the network is larger than 10 hops
18. Assume a switch with an old version of software is connected to Ethernet 1/16 on SW2.
Configure this interface to pro-actively send pre-standard MST messages
[Drawing: Fabric Extender 101 port map, interfaces Eth101/1/1 through Eth101/1/45; figure not reproduced]
Chapter 3: Data Center Networking Layer 3 Infrastructure (NX-OS)
Chapter 3: Data Center Networking Layer 3 Infrastructure is intended to familiarize you with the
NX-OS Layer 3 features on the Nexus platforms to create a basic routed network. The second part of this
chapter consists of Data Center extension and Layer 2 routing features. We highly recommend creating
your own diagram at the beginning of each lab so you are able to draw on your own diagram, making it
much easier when you step into the real lab. The lab is divided in two pieces. During the first tasks you
will be configuring a dynamically routed Layer 3 network using the EIGRP and OSPF protocols. The second
part of this chapter is based on the Cisco proprietary technologies FabricPath and OTV. Multiple
topology drawings are available for this chapter.
General Rules
Try to diagram out the task. Draw your own connections the way you like it
Take a very close read of the tasks to ensure you don't miss any points during grading!
Take your time. This is not a Mock Lab, so no time constraints are in place for finishing this
particular chapter
3 hours
Pre-setup
Connect to the Nexus 7000 switch and Nexus 5000 switches within the topology
Load the initial configuration of Chapter 2 on the Nexus 7000 switch to stage the Virtual Device
Contexts needed for this lab
When starting the second part of this lab for configuring Fabric Path and OTV the second set of
initial configuration should be loaded on the Nexus 7000 to create a different topology with
Virtual Device Contexts
This lab is intended to be used with online rack access provided by our partner Proctor Labs
(www.proctorlabs.com). Connect to the terminal server and complete the configuration tasks as
detailed below
Configuration tasks
Task 1: Layer 3 topology set-up
Configure the Nexus 5500 switches with hostnames of SW2 and SW3. The Nexus 7000 VDCs
should already have hostnames through the loading of the initial configuration. Use switchto
vdc and switchback to move between different switches on the Nexus 7000.
Configure all switches so they can all carry the layer 2 VLANs as described in drawing 1
Ensure SW1-3 can ping the loopback address of SW1-4 from its own loopback address
SW1-1 should be able to ping the loopback address of SW1-2 and vice versa without using the
directly connected link between those switches, but should use the path over SW1-3 and SW1-4
for this
Configure SW1-2 to be a blackhole for the 192.0.1.0/24 prefix. Give this entry a tag of 666 and
an increased preference of +1
Ensure that all layer 3 interfaces on SW1-2 do not send out any unreachable messages
Remove all static routes before continuing with the next tasks
Task 3: EIGRP
Ensure Loopbacks are reachable and dynamically advertised. Ensure that there are no attempts
to make adjacencies on the Loopback interfaces.
Use 64999 as autonomous system number and IPEXPERT as the EIGRP process name
Change the bandwidth that EIGRP may use on an interface to 10% lower than the default
Update the link between SW1-2 and SW1-4 so the EIGRP neighbor is declared down after 4 hello
packets. You are only allowed to change configuration on SW1-2 to accomplish this
Routes which are declared active should become Stuck in Active after 5 minutes
Routes should be advertised as unreachable when there are more than 50 hops in the network
Task 4: OSPF
Configure the OSPF network as shown in drawing 2. Use the dotted decimal notation to
configure area 264
Ensure that all OSPF routers can reach each others Loopback addresses
Ignore the MTU size between SW1-1 and SW1-3 when forming an adjacency
Ensure that SW2 will never become a designated router on any OSPF interface
Ensure that SW3 will never become a designated router on any OSPF interface
Ensure all adjacencies in area 0 are secured using a hashed version of IPexpertSecure
Ensure that routers do not attract traffic for 2 minutes after booting up
Ensure full reachability is achieved while maintaining all requirements from previous tasks
Ensure all links towards area 0 are used when traffic is exiting area 1
Ensure that all Dynamic Routing adjacencies on SW1-2 towards adjacent devices are terminated
using a dedicated detection protocol
BFD sessions between SW1-2 and SW3 should be secured using a hashed key of
IPexpertSecure
Configure OSPF and EIGRP so they use the dedicated fast-hello failure detection mechanism
Ensure a static layer 2 to layer 3 mapping is created on VLAN 112 on SW1-1 for
198.18.112.24 to mac address abcd.1234.5678
Configure SW2 so that it detects duplicate IP addresses and updates its cache on
Ethernet1/5
Ensure that SW1-1 reserves space for 2750 outstanding ARP entries in the ASIC, to prevent
ARP replies from being dropped when they return and are installed in the ASIC hardware
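The NX-OS configuration below is an added example, not the workbook's solution, covering the adjacency-protection items of the OSPF and BFD tasks above (MD5 in area 0, startup max-metric, BFD with an authenticated session, the fast-hello mechanism for both protocols) together with the two ARP items on SW1-1 and SW2. Interface names, the link addresses, the key-id and the EIGRP-facing link are assumptions; the 2750-entry ASIC reservation is not shown.

```text
! Added example: routing-adjacency protection. Interfaces and addresses are assumed.

! ----- SW1-2 (Nexus 7000 VDC) -----
feature ospf
feature eigrp
feature bfd

router ospf IPEXPERT
  area 0.0.0.0 authentication message-digest
  max-metric router-lsa on-startup 120
  bfd

router eigrp IPEXPERT
  autonomous-system 64999
  bfd

! Assumed link towards SW3: OSPF with MD5 key, BFD session with SHA1-keyed authentication
interface Ethernet3/5
  no switchport
  ip address 198.18.35.2/24
  ip router ospf IPEXPERT area 0.0.0.0
  ip ospf message-digest-key 1 md5 IPexpertSecure
  ip ospf bfd
  bfd authentication keyed-sha1 keyid 1 key IPexpertSecure
  no shutdown

! Assumed link towards SW1-4: EIGRP neighbour, also watched by BFD
interface Ethernet3/6
  no switchport
  ip address 198.18.24.2/24
  ip router eigrp IPEXPERT
  ip eigrp IPEXPERT bfd
  no shutdown

! ----- SW3 (Nexus 5500), far end of the BFD session; SW2 gets the same treatment -----
feature ospf
feature bfd
router ospf IPEXPERT
  area 0.0.0.0 authentication message-digest
  bfd
interface Ethernet1/5
  no switchport
  ip address 198.18.35.3/24
  ip router ospf IPEXPERT area 0.0.0.0
  ip ospf message-digest-key 1 md5 IPexpertSecure
  ip ospf priority 0
  ip ospf bfd
  bfd authentication keyed-sha1 keyid 1 key IPexpertSecure
  no shutdown

! ----- SW1-1: static layer 2 to layer 3 mapping on VLAN 112 -----
interface Vlan112
  ip arp 198.18.112.24 abcd.1234.5678

! ----- SW2: learn from gratuitous ARP so a duplicate or moved address updates the cache -----
interface Ethernet1/5
  ip arp gratuitous update
```

Check the result with show ip ospf neighbors (adjacencies must come up on both sides with the same key-id and key), show bfd neighbors (the session should show authentication enabled) and show ip arp on SW1-1, where the VLAN 112 entry is listed as static. The BFD authentication command is release-dependent on the Nexus 7000; on a release without it, the session still forms but without authentication, which show bfd neighbors details will make visible. The max-metric line is what the "do not attract traffic for 2 minutes" item asks for: the router advertises infinite transit cost for 120 seconds after reload so neighbours do not send traffic through it before its tables have converged.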
Load the initial configuration file for part 2 of chapter 2, which will create a topology
according to drawing 3
Ensure hosts on VLAN 666 can communicate via layer 2 on all 4 edge switches using the
technologies as mentioned in drawing 3
Use the 198.18.10.0/24 subnet when a layer 3 link is required in the topology
Ensure traffic is using all links between the switches to reach from SW2 and SW3 to SW1-3 and
SW1-4
Verify this task is completed successfully by being able to ping all 198.18.66.x interfaces of
all edge switches
Chapter 4: Data Center Networking High Availability (NX-OS)
Chapter 4: Data Center Networking High Availability (NX-OS) is intended to familiarize you with the
NX-OS High Availability features on the Nexus platforms to create a highly available network. Various
types of deployments of Port-channels and Virtual Port-channels are discussed in this chapter. The
second part of this chapter focuses on First Hop Redundancy Protocols (FHRPs) and high-availability
features of dynamic routing protocols. The third part focuses on a special implementation of virtual
port-channels in FabricPath networks.
We highly recommend creating your own diagram at the beginning of each lab so you are able to draw
on your own diagram, making it much easier when you step into the real lab.
Multiple topology drawings are available for this chapter.
General Rules
Try to diagram out the task. Draw your own connections the way you like it
Take a very close read of the tasks to ensure you don't miss any points during grading!
Take your time. This is not a Mock Lab, so no time constraints are in place for finishing this
particular chapter
3 hours
Pre-setup
Connect to the Nexus 7000 switch and Nexus 5000 switches within the topology
Load the initial configuration of Chapter 4 on the Nexus 7000 switch to stage the Virtual Device
Contexts needed for this lab
When starting the third part of this lab regarding virtual Port-Channels within FabricPath
networks the second set of initial configuration should be loaded on the Nexus 7000 to create a
different topology with Virtual Device Contexts
This lab is intended to be used with online rack access provided by our partner Proctor Labs
(www.proctorlabs.com). Connect to the terminal server and complete the configuration tasks as
detailed below
Configuration tasks
Task 1: Topology set-up
1. Configure the Nexus 5500 switches with hostnames of SW2 and SW3. The Nexus 7000 VDCs
should already have hostnames through the loading of the initial configuration. Use switchto
vdc and switchback to move between different switches on the Nexus 7000.
2. Create the VLANs as are required on the switches as shown in drawing 2
3. Configure IP addressing on SVI and interfaces according to drawing 2
4. Configure all switches to have a Loopback0 interface with an IP address of 198.18.0.Z/32
where Z is the router number / host address as specified in drawing 2
Task 2: Port-Channels
1. Configure Ethernet3/1 and Ethernet3/2 on SW1-1 and Ethernet1/1 and Ethernet1/2 on SW2 to be
a single logical connection to carry the VLAN required as stated in drawing 2. Use number 1 for
this connection.
2. Configure Ethernet3/5 and Ethernet3/6 on SW1-2 and Ethernet1/1 and
Ethernet1/2 on SW3 to be a single logical connection to carry the VLAN required as stated in
drawing 2. Use number 2 for this connection.
3. Configure logical interface 1 to negotiate its bundling capabilities between the
switches
4. SW2 should never actively start negotiating link bundling
5. Logical interface 1 is used for bandwidth reasons and should therefore shutdown
when there is less than 20Gbps capacity available in the bundle
6. Logical interface 1 should mark interfaces as hot-standby when additional interfaces
are added to the bundle
7. Configure Ethernet1/5 and Ethernet1/6 on SW2 and SW3 to negotiate a link bundle. Use
number 3 for this interface.
8. Configure logical interface 3 with IP addressing in the 198.18.23.0/24 subnet.
Use host IP addresses as previously used for these switches.
9. Ensure that when no dynamic link bundling advertisements are received on an interface of
logical interface 3, the physical interface is brought up in an Individual state.
10. There are plans to increase the capacity between SW2 and SW3 to 80Gbps with additional
interfaces for resiliency purposes. Ensure that Ethernet1/5 is always chosen to participate
in the bundle and Ethernet1/6 should be selected as a hot-standby link when additional
interfaces are added to the bundle.
11. Logical interface 3 should use a very fast detection mechanism to signal the removal of
an interface in the bundle
12. Configure SW2 and SW3 to load-balance between the interfaces in link-bundles using the most
packet header information as possible.
13. Remove any configuration related to interface bundle 1 and 2 from the switches before
continuing with the next task
11. Configure a vPC connection between SW2, SW3 and SW1-2. Use Ethernet3/5 and
Ethernet3/7 on SW1-2, Ethernet1/3 on SW2 and Ethernet1/3 on SW3. Use number
102 for this connection.
12. Use the remaining connections between SW1-1, SW1-2, SW2 and SW3 and bundle them in
a single logical interface with number 103.
13. Ensure all VLANs required for Drawing 2 are allowed on the vPC links
14. Use 1234.5678.90ab as the single MAC address that is used for the identification of domain
100 LACP packets
Task 5: HSRP
1. Ensure that hosts on VLAN 111 are always able to reach their default gateway, when one of
the 2 switches fails
2. Use a Cisco proprietary protocol for this use, which uses a single active default gateway
3. Use the .1 host IP address as the default gateway for this network segment
4. Make the switches primary and backup according to the best practice
5. Use a hashed key of IPexpertYEAR1 to secure this protocol from now until December 31st of
the same year. On January 1st one year later the key should change to IPexpertYEAR2.
Ensure that the switches keep accepting the old key for at least 2 more hours
6. When the backup switch is active and the primary switch comes back online after a reboot,
ensure that it takes back the active role once it has been up for 3 minutes
7. Give this process a name of IPexpertVLAN111
8. A switch should declare its neighbor down within 1 second
9. When one of the Ethernet uplinks fails the priority should be lowered by 1/10th of the
configured priority value
10. When a second Ethernet uplink fails the switch should stop forwarding Layer 3 traffic and send
traffic across the vPC peer-link
11. The default gateway MAC address should be the MAC address of one of the physical Ethernet
interfaces
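The HSRP task above, as an added configuration example that is not part of the workbook or its answer key: HSRP for VLAN 111 on the primary switch, with the MD5 key rotated through a key chain so that the second key takes over automatically on January 1st while the old key stays accepted for two more hours. Assumed, because the task does not state them: VLAN 111 is 198.18.111.0/24 (the workbook's 198.18.VLAN.host convention), this switch uses host address .2, the two uplinks are Ethernet1/1 and Ethernet1/2, and 2013 stands in for the current year.

```text
! Added example, not the workbook's own configuration (Nexus 7000 NX-OS syntax).
! Assumed: VLAN 111 = 198.18.111.0/24, this switch = primary with host .2,
! uplinks Ethernet1/1 and Ethernet1/2, current year = 2013.
feature hsrp
feature interface-vlan

! Key 1 is sent until the end of the year and accepted for two more hours;
! key 2 is sent and accepted from January 1st onwards.
key chain HSRP-VLAN111
  key 1
    key-string IPexpertYEAR1
    send-lifetime 00:00:00 Jan 1 2013 23:59:59 Dec 31 2013
    accept-lifetime 00:00:00 Jan 1 2013 02:00:00 Jan 1 2014
  key 2
    key-string IPexpertYEAR2
    send-lifetime 00:00:00 Jan 1 2014 infinite
    accept-lifetime 00:00:00 Jan 1 2014 infinite

! One track object per Ethernet uplink
track 1 interface Ethernet1/1 line-protocol
track 2 interface Ethernet1/2 line-protocol

interface Vlan111
  no shutdown
  ip address 198.18.111.2/24
! virtual MAC = burned-in address of the interface instead of 0000.0c07.acxx
  hsrp use-bia
  hsrp 111
    name IPexpertVLAN111
    authentication md5 key-chain HSRP-VLAN111
! primary: highest priority, takes the active role back 180 s after coming up
    priority 100
    preempt delay minimum 180
! hello 250 ms, hold 1 s: a silent neighbour is declared down within one second
    timers msec 250 1
! each failed uplink costs 1/10th of the configured priority (100 -> 10)
    track 1 decrement 10
    track 2 decrement 10
    ip 198.18.111.1
```

The backup switch carries the same key chain and group with a lower priority (for example 90); `show hsrp detail` and `show key chain HSRP-VLAN111` show the active key and its lifetimes. Requirement 10 (sending traffic across the vPC peer-link after a second uplink failure) is not an HSRP command and is left out here.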
Task 6: VRRP
1. Ensure that hosts on VLAN 121 are always able to reach their default gateway, when one of
the 2 switches fails
2. Use a standards based protocol for this use, which uses a single active default gateway
3. When clients on VLAN 121 issue an ARP request for the Default Gateway it should respond
with MAC address 0000.5E00.0174 without configuring this MAC address in the
configuration
4. Use the .254 host IP address as the default gateway for this network segment
5. Configure SW1-2 as the primary switch using a value of 200
6. Use a clear text password of IPexpert to secure the protocol
7. Ensure a higher priority backup router does not take over the role of a lower priority active
router. Configure this only on the current primary switch.
8. Ensure that SW1-2 becomes the standby router after 30 seconds, when the Loopback address
of SW3 disappears from the routing-table
9. Switches should declare their neighbors down in 10 seconds
Task 7: GLBP
1. Ensure that hosts on VLAN 222 are always able to reach their default gateway, when one of
the 2 switches fails
2. Use a load balancing Cisco proprietary protocol
3. Use the .55 host IP address as the default gateway for this network segment
4. Both routers should be capable of forwarding traffic.
5. SW1-1 should be answering all ARP requests
6. When the Loopback address of one of the upstream switches disappears from the routing table
the switches should no longer be AVF
7. Delay the takeover of the AVF role by a standby switch for 3 minutes if any current AVF
fails
8. The router should become the AVG after 30 seconds if it has a higher priority than the
current AVG
9. Ensure the routers support In-Service-Software-Upgrades
Chapter 5: Data Center Storage Networking
Chapter 5: Data Center Storage Networking is intended to familiarize you with the Storage
Networking features on the Cisco MDS switches: configuring traditional Fibre Channel networks and
basic Fibre Channel features.
We highly recommend creating your own diagram at the beginning of each lab so you are able to draw
on your own diagram, making it much easier when you step into the real lab.
Multiple topology drawings are available for this chapter.
General Rules
Try to diagram out the task. Draw your own connections the way you like it
Take a very close read of the tasks to ensure you don't miss any points during grading!
Take your time. This is not a Mock Lab, so no time constraints are in place for finishing this
particular chapter
5 hours
Pre-setup
The switches start with a blank configuration. You will be creating parts of your own Initial
Configuration for later labs.
This lab is intended to be used with online rack access provided by our partner Proctor Labs
(www.proctorlabs.com). Connect to the terminal server and complete the configuration tasks as
detailed below
Configuration tasks
Task 1: Initial set-up
1. Give the MDS switches in the topology the following hostnames: MDS1, MDS2. Configure the
default username and password according to the generic lab topology
2. Ensure that they can be reached through the management network using IP addresses in the
range as stated in the initial set-up information at the beginning of the workbook. Use Host IP
addresses of .10 and .11
3. Use the default gateway of the management subnet as Time Synchronization server
4. Do not use any automatic selection of interface type for this lab, unless specifically stated
5. Do not use any automatic speed selected for interfaces
6. Use 200MBps connections towards the JBODs
7. JBODs on MDS2 should automatically detect the interface speeds
8. Ensure Fabric Logins are done by the connected JBODs
9. Enable the links between the MDS switches as standard based ISLs
10. Configure a descriptive name on all interfaces consisting of the name and port of the device
which is connected. You are prohibited from using the description command.
11. Ensure the connection towards JBOD1 is easily physically located on MDS1
12. The fiber connected to fc1/10 is of low quality causing errors on the interface. Ensure the
switch does not go into err-disable state, because of this reason.
13. Ensure that interfaces on the MDS switches are shutdown when no configuration is applied to
them
14. All disks inside of the JBODs should be identified on the MDS switches with a simple name in the
form of JxDy where X is the JBOD number and Y is the disk number.
15. The simple device names should be seen on both MDS switches, by only configuring one of the
switches. The names should not be VSAN dependent.
16. Ensure applications that use the simple names will follow changes to the database
17. Interface fc1/1 on MDS1 will be used for a long reach link. Enable as many credit
buffers as possible and enable credit recovery
18. JBOD1 on MDS1 is only allowed to send packets with a maximum size of 2000 bytes
19. Enable B2B credit state change numbers on all JBOD interfaces
Task 2: VSANs
1. Create VSAN 10, 20, 30 and 40 with names of IPX_VSAN_#, where # is the VSAN number
2. Configure fc1/5 on MDS1 in VSAN 10 and fc1/6 on MDS2
3. Configure fc1/5 on MDS2 and fc1/6 on MDS1 in VSAN 20
4. Ensure that WWPN 20:11:00:0a:31:00:aa:de is automatically placed in VSAN 30
when it comes online anywhere in the Fibre Channel fabric
5. Ensure that J1D1 is automatically placed in VSAN 40 when it comes online in the fabric
6. MDS1 should use the Source and Destination FCID for load balancing across equal cost paths in
VSAN 10
7. MDS2 should use Exchange based load balancing across different interfaces in a port-channel in
VSAN 20
8. Ensure that all ISLs of the MDS switches are capable of transferring multiple VSANs across the
same interface
9. Configure fc1/1 and fc1/3 on both MDS switches as a single logical connection using number
101
10. Interfaces fc1/1 and fc1/3 should negotiate their bundling capabilities
11. Create a single logical connection consisting of fc1/2 and fc1/4 on both MDS1 and MDS2
switches with number 127
12. VSAN 30 should only use the logical interface 127
13. VSAN 40 should only use logical interface 101
14. VSAN 10 and VSAN 20 should be able to cross both ISL bundles between the MDS switches
15. VSAN 10 should always use bundle 101 as its primary connection to the other MDS
16. VSAN 20 should always use the bundle 127 as its primary connection to the other MDS
17. Packets traversing VSAN 30 should be guaranteed to reach their destination in the same order
as they have left the source.
18. Traffic between J1D1 and J2D2 in VSAN 10 should always use the bundle 127 as long as
the interface is up
19. The Lowest domain ID in VSAN 20 should be the Multicast root switch
20. Use incremental Dijkstra algorithm calculations in VSAN 30
21.
22. Configure an IP connection between the MDS switches across the ISL links. Use VSAN 50 for
this use, which can flow across all ISLs. Use an IP subnet of 198.18.50.x/24 with .1 and
.2 as host IP addresses
Task 3: Zoning
1. Configure zoning in VSAN 10 so the following disks are able to communicate, ensure that the
simple names are kept in the configuration:
a. J1D2
b. J1D3
c. J1D4
2. Configure zoning for VSAN 10 so the following disks can see each other, use the WWPN of the
disks:
a. J1D5
b. J1D6
3. Ensure all disks of interface fc1/6 on MDS2 are able to see each other in VSAN 10. Perform
the configuration on MDS1.
4. FC frames sent to a destination FCID of 0xFFFFFF should only arrive at disk J1D5 and J1D6
5. Activate the zoning in VSAN 10
6. Copy the current zoneset of VSAN 10.
7. Remove the zone created in question 3 from the just copied zoneset and add another
zone that adds all disks of JBOD2 using their FCIDs
8. Ensure that this second zoneset is not activated, but is seen on both MDS switches. You are
not allowed to change any configuration on MDS1
9. Ensure that all changes to all zonesets are replicated between all switches in VSAN 10 every
time a zoneset is activated
10. Use zoning compliant with FC-GS-4 and FC-SW-3 in VSAN 20
11. Use inline zone creation for VSAN 20
12. Zoning in VSAN 20 should ensure that the following disks are able to read data from each
other, but never write:
a. J2D1
b. J2D2
c. J2D3
13. Create a zone in VSAN 20 that ensures the following disks are prioritized over other disks when
ISLs are congested. Use the FWWN of the disks:
a. J2D4
b. J2D5
14. When devices are not specified in zones in VSAN 20, they should be allowed to read data
from each other
15. J2D5 LUN 19 and J1D6 LUN 116 should be able to communicate to each other in VSAN
20. No other LUNs on those disks can communicate
16. Activate zoning in VSAN 20 and ensure it's seen on both MDS1 and MDS2
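The zoning task above, as an added configuration example that is not part of the workbook or its answer key: device aliases, basic zoning with a broadcast zone and full zoneset distribution in VSAN 10, and enhanced zoning with read-only, QoS and LUN zones in VSAN 20, all entered on MDS1. Every pWWN, fWWN and the MDS2 switch WWN is a placeholder (the XX octets), the zone and zoneset names are my own, and LUN 19 and LUN 116 are taken to be decimal (0x13 and 0x74).

```text
! Added example, not the workbook's own configuration (MDS NX-OS syntax).
! All WWNs with XX octets are placeholders; replace them with your fabric's values.

! Simple names. Distribution to the other switch is on by default; enhanced
! mode makes zones that use an alias follow later changes to the alias.
device-alias mode enhanced
device-alias database
  device-alias name J1D2 pwwn 21:00:00:XX:XX:XX:XX:02
  device-alias name J1D3 pwwn 21:00:00:XX:XX:XX:XX:03
  device-alias name J1D4 pwwn 21:00:00:XX:XX:XX:XX:04
  device-alias name J1D5 pwwn 21:00:00:XX:XX:XX:XX:05
  device-alias name J1D6 pwwn 21:00:00:XX:XX:XX:XX:06
device-alias commit

! ----- VSAN 10, basic zoning -----
! alias members keep the simple names in the configuration
zone name IPX_V10_ALIAS vsan 10
  member device-alias J1D2
  member device-alias J1D3
  member device-alias J1D4
! pWWN members
zone name IPX_V10_PWWN vsan 10
  member pwwn 21:00:00:XX:XX:XX:XX:05
  member pwwn 21:00:00:XX:XX:XX:XX:06
! everything logged in behind fc1/6 of MDS2, addressed by MDS2's switch WWN
zone name IPX_V10_MDS2_FC1-6 vsan 10
  member interface fc1/6 swwn 20:00:00:XX:XX:XX:XX:XX
! frames to D_ID 0xFFFFFF (broadcast) are delivered only inside this zone
zone name IPX_V10_BCAST vsan 10
  attribute broadcast
  member device-alias J1D5
  member device-alias J1D6
zoneset name IPX_ZS_V10 vsan 10
  member IPX_V10_ALIAS
  member IPX_V10_PWWN
  member IPX_V10_MDS2_FC1-6
  member IPX_V10_BCAST
zoneset activate name IPX_ZS_V10 vsan 10
! replicate the full zone database, not only the active zoneset, on activation
zoneset distribute full vsan 10

! ----- VSAN 20, enhanced zoning (FC-GS-4 / FC-SW-3): staged, then committed -----
zone mode enhanced vsan 20
! members may read from each other but never write
zone name IPX_V20_READONLY vsan 20
  attribute read-only
  member pwwn 22:00:00:XX:XX:XX:XX:01
  member pwwn 22:00:00:XX:XX:XX:XX:02
  member pwwn 22:00:00:XX:XX:XX:XX:03
! high priority under ISL congestion, members given by fabric-port WWN
zone name IPX_V20_HIGHPRIO vsan 20
  attribute qos priority high
  member fwwn 20:0a:00:XX:XX:XX:XX:XX
  member fwwn 20:0b:00:XX:XX:XX:XX:XX
! LUN zoning: only LUN 0x13 of J2D5 and LUN 0x74 of J1D6 may talk
zone name IPX_V20_LUN vsan 20
  member pwwn 22:00:00:XX:XX:XX:XX:05 lun 0x13
  member pwwn 21:00:00:XX:XX:XX:XX:06 lun 0x74
zoneset name IPX_ZS_V20 vsan 20
  member IPX_V20_READONLY
  member IPX_V20_HIGHPRIO
  member IPX_V20_LUN
zoneset activate name IPX_ZS_V20 vsan 20
zone commit vsan 20
```

`show zoneset active vsan 10`, `show zone status vsan 20` and `show device-alias database` on MDS2 confirm that the activation, the zone mode and the aliases arrived on the other switch. The default-zone behaviour of requirement 14 is a VSAN-wide setting and is not part of this example.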
Task 4: FC Domain
1. Configure FC Domain IDs in VSAN 10. MDS1 should be using a static ID of 34 and MDS2 should
prefer to use an ID of 0x34, but can use a different one when this is already taken
2. Ensure MDS1 is the principal switch in VSAN 10
3. Domain IDs for new switches should be handed out in a sequential order
4. Disruptive restarts from other switches should not affect MDS1
5. Ensure the J1D1 disk in VSAN 10 gets assigned an FCID in the range of 0x222200 to
0x2222FF
6. MDS2 should be assigning Domain IDs to other switches in the fabric for VSAN 20. MDS2
should use a range of 0xB0 to 0xCE.
Copyright by IPexpert. All rights reserved.
Chapter 6: Data Center Storage Networking Extension
Chapter 6: Data Center Storage Networking Extension is intended to familiarize you with the
Storage Networking features on the Cisco MDS switches. This chapter covers configuring IP
features such as iSCSI, iSLB and FCIP, including the relevant security features for Fibre Channel
extension across IP connections. We highly recommend creating your own diagram at the beginning of
each lab so you are able to draw on your own diagram, making it much easier when you step into the
real lab.
Multiple topology drawings are available for this chapter.
General Rules
Try to diagram out the task. Draw your own connections the way you like it
Take a very close read of the tasks to ensure you don't miss any points during grading!
Take your time. This is not a Mock Lab, so no time constraints are in place for finishing this
particular chapter
5 hours
Pre-setup
The switches start with a blank configuration. You will be creating parts of your own
Initial Configuration for later labs.
This lab is intended to be used with online rack access provided by our partner Proctor
Labs (www.proctorlabs.com). Connect to the terminal server and complete the configuration
tasks as detailed below
Configuration tasks
1. Leave the configurations of MDS1 and MDS2 intact from the previous exercises.
2. Configure the Nexus 5000 switches SW2 and SW3 with the VLANs as stated in Drawing
2. MDS1 and MDS2 should be able to communicate over these VLANs to each other
across SW2 and SW3.
3. Both GigabitEthernet interfaces on each MDS switch should have access to all VLANs
required in this lab
4. When required, use IP addresses in the range of 198.18.X.Y/24 in this lab. Where X
is the VLAN number and Y is the Host address as stated in Drawing 2
Task 2: FCIP
1. Configure FCIP 1 connection between MDS1 and MDS2 using the GigabitEthernet1/1 interface
a FCIP 2 connection between MDS1 and MDS2 using the GigabitEthernet1/2 interface
8. Ensure this connection will receive a higher QoS priority than FCIP 1
9. VSAN 10, 20 and 50 may be transported across this connection
10. Ensure VSAN 10 uses FCIP 1 as primary link and VSAN 20 uses FCIP 2 as the
primary link on MDS1, where MDS2 is configured vice versa
11. The FCIP 2 tunnel should be brought down when no TCP packets are received for 90
seconds
12. The FCIP 2 connection should use the highest possible compression
13. Ensure FCIP 1 supports a method that sends R_RDY messages locally, so that write
actions complete faster
14. The FCIP 2 connection should be highly available. A third FCIP connection is allowed
for this task. Keep high availability in mind when configuring the third FCIP
connection. When a failure occurs in the FCIP 2 connection this should not be noticed
by the FSPF protocol. The use of Ethernet port-channels for this question is prohibited.
1. Protect the failover mechanism of the FCIP 1 connection using a MD5 hash of
SecureIPexpert
2. Traffic crossing the FCIP 1 connection should be transferred encrypted across the IP
network.
3. Use an MD5 hash, AES 128-bits encryption and use a pre-shared-key of
IPexpertEncrypt
Task 5: iSCSI
1. Do not use any dynamic configuration option which might be available in this task
2. Use GigabitEthernet1/1 for this task on MDS1
3. Create an iSCSI portal on this interface using the iSCSI VLAN as mentioned in
Drawing 2
14. When the disk J1D3 fails, J2D3 should seamlessly take over. When the disk in J1D3 has
been replaced it should automatically switch back to this primary target
15. Enable trespass support
16. Improve read performance on MDS1 for iSCSI traffic
17. Configure an iSCSI portal in the iSCSI VLAN as mentioned in Drawing 2 on MDS2
GigabitEthernet1/1
18. All iSCSI initiators on this new portal should appear as a single N-port in the
Fibre Channel fabric
19. Enable data-digest on this portal
20. Configure 3 initiators on MDS2 named iqn.initiator-server-1,
iqn.initiator-server-2 and iqn.initiator-server-3.
21. Give the 3 initiators access to J1D1 in VSAN 10 without configuring the VSAN
database for VSAN 10
22. Use a single zone with 2 entries to accomplish this
Task 6: iSLB
1. Do not use any dynamic configuration option which might be available in this task
2. Configure an iSLB portal on GigabitEthernet1/2 on MDS1 and MDS2 on the iSLB
VLAN as presented in Drawing 2
3. Configuration for iSLB targets and initiators may only be done on MDS2
4. When MDS2 fails, MDS1 should automatically take over all sessions
5. Ensure that both MDS switches are using weighted load balancing.
6. Manual zoning changes are not allowed
7. Configure 5 initiators with names of iqn.islb-initiator-host-1 through
host-5
8. Ensure the initiators are assigned with a nWWN and 2 pWWNs which are automatically
assigned by the MDS switch
9. Zones should have IPexpert in their name
10. Host 3 is a database server, which will have more iSCSI connections than the other
11. All initiators should have access to J2D2 LUN 0x0 and 0x1 in VSAN 10 which
should be presented as LUN 0xA and 0xB. Do not use the virtual-target
command.
12. Use J1D2 as a backup when J2D2 fails. The target should not switch back when J2D2
is repaired
13. The J1D1 disk in VSAN 20 should be made high-available on the 2 MDS switches.
Ensure iqn.islb-initiator-host-3 is the only host that can access it on both
MDS switches using the resilient iSLB portal. Do not use the virtual-target
command.
14. The use of auto-zoning is not allowed for the question above as is zoning based on
Symbolic Name or IP addressing
15. Ensure all initiators are authenticated with a username of host-1 through
host-5 with a password of iSLBpassw0rd
16. Do not remove any configuration from the MDS switches when continuing with the next
chapter
Chapter 7: Data Center Unified Fabric
Chapter 7: Data Center Unified Fabric is intended to familiarize you with the Storage Networking
features available on the Cisco Nexus switches, combined with the Cisco MDS switches.
This chapter covers implementing FCoE features on the Nexus switches and backwards compatibility
with native FC connections. Besides that, we will be looking at N-Port Virtualization
configurations.
We highly recommend creating your own diagram at the beginning of each lab so you are able to draw
on your own diagram, making it much easier when you step into the real lab. Multiple topology
drawings are available for this chapter.
General Rules
Try to diagram out the task. Draw your own connections the way you like it
Take a very close read of the tasks to ensure you don't miss any points during grading!
Take your time. This is not a Mock Lab, so no time constraints are in place for finishing this
particular chapter
2 hours
Pre-setup
The Nexus switches start with a blank configuration. You will be creating parts of your
own Initial Configuration for later labs.
The MDS switches are using the configuration from the previous chapters
This lab is intended to be used with online rack access provided by our partner Proctor
Labs (www.proctorlabs.com). Connect to the terminal server and complete the configuration
tasks as detailed below
Configuration tasks
Task 1: Native Fibre Channel on Nexus
1. Leave the configurations of MDS1 and MDS2 intact from the previous exercises.
2. Set the GigabitEthernet interfaces on MDS1 and MDS2 to shutdown, so all iSCSI
and FCIP connections are down
3. SW2 and SW3 should participate in VSAN 10 and VSAN 20 using native Fibre Channel
interface fc1/31 and fc1/32. Use fc1/13 and fc1/14 on the MDS switches.
4. Ensure the interfaces are seen as a single connection for the FSPF protocol
5. Request the lowest Domain ID possible, but accept any other as given out by the
principal switch
6. Ensure all devices in VSAN 10 and VSAN 20 are visible on SW2 and SW3
7. Keep in mind the security mechanism active in VSAN 10 and VSAN 20
7. Non-FCoE traffic is not allowed to cross the link. You are not allowed to use the
switchport trunk allowed vlan command.
10.
4. The link between SW2 and SW3 is 2000 meters long. Ensure the topology supports
lossless Ethernet on this link.
5. Fibre Channel frames crossing the Nexus switches may never be fragmented
1. Configure SW2 to support N-Port Virtualization. A reboot of the switch is not allowed to
accomplish this task
2. Use Ethernet1/8 on SW3 as the link where the logins are received from SW2
Chapter 8: Security Features
Chapter 8: Security Features is intended to familiarize you with the security features that are
available on the Nexus platform. You will be configuring both AAA services and other management
security as well as LAN security features like DHCP snooping and other protective features.
We highly recommend creating your own diagram at the beginning of each lab so you are able to draw
on your own diagram, making it much easier when you step into the real lab. Multiple topology
drawings are available for this chapter.
General Rules
Try to diagram out the task. Draw your own connections the way you like it
Take a very close read of the tasks to ensure you don't miss any points during grading!
Take your time. This is not a Mock Lab, so no time constraints are in place for finishing this
particular chapter
4 hours
Pre-setup
This lab is intended to be used with online rack access provided by our partner Proctor
labs (www.proctorlabs.com). Connect to the terminal server and complete the configuration
tasks as detailed below
Configuration tasks
Task 1: Port Security
1. Configure a basic configuration for the 3 Nexus switches SW1, SW2 and SW3, using the
defaults as stated at the beginning of this workbook.
2. Create VLANs where necessary in this chapter.
3. Configure a port-channel of the first 2 interfaces between each switch. Use a
standards based protocol to negotiate the bundling parameters. The result should be
equal to Drawing 2
4. Ensure that only 10 hosts are able to use Ethernet1/11 on SW2. The port should go
into errdisable when the 11th host is connected to the interface.
5. Ensure that the learnt MAC addresses are cleared on the Ethernet1/11 interface on
SW2 after they did not send any traffic for 6 minutes.
6. Only the following MAC addresses are able to access Ethernet1/11 on SW3
a. 0010.4431.a1b3
b. 10:22:a0:f5:b3:de
c. 0011.99ff.22aa
d. 55:81:a0:9a:b0:0c
e. ba01.dad3.c0ff
7. Ensure packet count is logged for all violating packets on Ethernet1/11 on SW3
8. Ensure that no more than 100 MAC addresses are learnt on the port-channel
between SW2 and SW3. The interfaces should keep working, but stop learning and deny
access to possible new MAC addresses after the number has been reached.
9. On the port-channel between SW2 and SW3 the amount of MAC addresses should be
divided between VLAN 10, 11, 12 and 13. Ensure VLAN 10 can use 2/3 of the
maximum.
10. Ensure all MAC addresses on the port-channel between SW2 and SW3 are saved in the
database
11. Create a routed interface of Ethernet1/7 on SW2 with IP address 198.18.100.1/24.
Create a VLAN 100 interface on SW3 with IP address 198.18.100.2.
12. Ensure that only the host with MAC address 1234.5678.abcd can access
Ethernet1/7 on SW3. It's not allowed to configure this MAC address on SW3.
13. Ensure SW2 and SW3 are able to ping each other.
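The port security task above, as an added configuration example that is not part of the workbook or its answer key: a learnt-address limit with err-disable and inactivity aging on SW2, a static allow-list with violation counting on SW3, a sticky single address on SW3's Ethernet1/7, and a port-channel that stops learning without going down. The MAC addresses come from the task (the colon-separated ones rewritten in the dotted form NX-OS uses); the port-channel number (23) and the per-VLAN maximum for VLAN 10 (66, two thirds of 100 rounded down) are assumptions.

```text
! Added example, not the workbook's own configuration (Nexus 5000/7000 NX-OS syntax).
! Assumed: port-channel 23 between SW2 and SW3, VLAN 10 maximum = 66.
feature port-security

! ----- SW2 -----
! Ethernet1/11: at most 10 learnt hosts, err-disable on the 11th, and a learnt
! address is forgotten after 6 minutes without traffic from it
interface Ethernet1/11
  switchport
  switchport port-security
  switchport port-security maximum 10
  switchport port-security violation shutdown
  switchport port-security aging type inactivity
  switchport port-security aging time 6

! ----- SW3 -----
! Ethernet1/11: five static addresses only. "restrict" drops violating frames
! and counts them instead of shutting the port down.
interface Ethernet1/11
  switchport
  switchport port-security
  switchport port-security maximum 5
  switchport port-security violation restrict
  switchport port-security mac-address 0010.4431.a1b3
  switchport port-security mac-address 1022.a0f5.b3de
  switchport port-security mac-address 0011.99ff.22aa
  switchport port-security mac-address 5581.a09a.b00c
  switchport port-security mac-address ba01.dad3.c0ff

! Ethernet1/7 (access port in VLAN 100): exactly one address, learnt from the
! first frame and kept as a sticky entry, so the MAC is never typed into SW3
interface Ethernet1/7
  switchport
  switchport access vlan 100
  switchport port-security
  switchport port-security maximum 1
  switchport port-security mac-address sticky

! ----- SW2 and SW3 -----
! port-channel: stop learning at 100 addresses but keep forwarding ("protect"),
! give VLAN 10 two thirds of the budget, and save every learnt address (sticky).
! Port security on port-channels and the per-VLAN maximum are not available on
! every platform or release; check with "?" before relying on them.
interface port-channel 23
  switchport port-security
  switchport port-security maximum 100
  switchport port-security maximum 66 vlan 10
  switchport port-security violation protect
  switchport port-security mac-address sticky

! verification
show port-security
show port-security address
show port-security interface Ethernet1/11
```

`show port-security interface Ethernet1/11` on SW3 shows the violation counter growing while a non-listed host is attached, and `show port-security address` lists the sticky entry on Ethernet1/7 once SW2 has sent a frame; `copy running-config startup-config` keeps the sticky entries across a reload.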
6. Ensure that ARP requests to IP addresses that fall in the range of 198.18.50.0/28 are
always allowed
7. Ensure that SW1 keeps a log of the last 50 deny and accept messages
8. Ensure that SW1 also checks for invalid or unexpected IP addresses in ARP packets
9. Ensure that all IP traffic is checked for spoofing attacks on interface Ethernet3/11,
Ethernet3/13 and Ethernet3/14 using the DHCP Snooping database.
10. A host with MAC address 4019.a201.b04e and a statically configured IP address of
198.18.50.254 is connected to Ethernet3/12 on SW1. Ensure this host is allowed
access.
11. Configure a SVI with IP address 198.18.50.1/24 in VLAN 50 on SW1.
12. Ensure that all traffic entering the VLAN interface is checked against the routing
table to ensure that the switch knows the Destination IP address of the packet and
it has a routing entry towards this network. A default route would also qualify for this
check.
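The DHCP snooping, ARP inspection, source-guard and routing-table-check requirements above, as an added configuration example for SW1 that is not part of the workbook or its answer key. The VLAN, interfaces, addresses and the static host come from the task; the mask form inside the ARP ACL (subnet mask as written here, or wildcard) and whether ARP packets that match no ACL entry fall through to the binding database differ between NX-OS releases, so both are assumptions to verify on the lab switch.

```text
! Added example, not the workbook's own configuration (Nexus 7000 NX-OS syntax).
! Assumed: ARP ACL masks are subnet masks; check with "?" before pasting.
feature dhcp
ip dhcp snooping
ip dhcp snooping vlan 50

! DAI on VLAN 50: ARP packets are checked against the snooping bindings;
! also validate the Ethernet/ARP MAC fields and reject ARP packets that
! carry invalid or unexpected IP addresses
ip arp inspection vlan 50
ip arp inspection validate src-mac dst-mac ip
! keep the last 50 accepted and denied ARP packets in the log buffer
ip arp inspection log-buffer entries 50

! sender addresses in 198.18.50.0/28 are always accepted. The ACL ends in an
! implicit deny: if your release does not pass unmatched ARP packets on to the
! binding check, add permit entries for the DHCP clients as well.
arp access-list DAI-STATIC-RANGE
  10 permit ip 198.18.50.0 255.255.255.240 mac any
ip arp inspection filter DAI-STATIC-RANGE vlan 50

! the statically addressed host on Ethernet3/12 has no lease, so it is added
! to the binding database by hand; DAI and IP source guard then accept it
ip source binding 198.18.50.254 4019.a201.b04e vlan 50 interface ethernet 3/12

! IP source guard: IP traffic on these ports must match a snooping binding
interface Ethernet3/11
  ip verify source dhcp-snooping-vlan
interface Ethernet3/13
  ip verify source dhcp-snooping-vlan
interface Ethernet3/14
  ip verify source dhcp-snooping-vlan

! SVI for VLAN 50 with loose uRPF: a packet is dropped unless the routing
! table holds some route (a default route counts) for its address
interface Vlan50
  no shutdown
  ip address 198.18.50.1/24
  ip verify unicast source reachable-via any

! verification
show ip dhcp snooping binding
show ip arp inspection vlan 50
show ip arp inspection log
show ip verify source
```

The static binding is the piece most often forgotten: without it the host on Ethernet3/12 passes the ARP ACL but is still blocked by IP source guard, which only consults the binding database. Note that uRPF checks the source address of the packet against the routing table; the loose form used here accepts any route, including the default.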
1. Use a protection on VLAN 50 of SW1 to protect it against denied traffic according to the
following rules.
2. Be as specific as possible.
3. The 198.18.255.100 host is allowed to access hosts in VLAN 50.
5. The Server farm
6. You are not allowed to apply the ACL to the VLAN interface
7. A host connected in VLAN 50 through interface Ethernet1/15 on SW2 is not allowed
to access the IMAP server with IP address 198.19.0.25. Ensure this is enforced.
8. A rogue device is found that tries to log-in to management interfaces. Deny telnet
and SSH traffic to the management interface of the switches from the 192.0.2.0/24
subnet. Ensure all other IP address are still able to manage the switches through all
management services. Only a single ACL entry is allowed for this task.
9. Ensure all
10. In addition to the IP security of VLAN 50 your manager also wants to only allow valid
MAC addresses from the Server farm to access hosts in VLAN 50. The servers have MAC
addresses in the range of 0bad.c0ff.ee00 up to 0bad.c0ff.eeff.
11. Statistics should be collected per entry in VLAN 50
12. Ensure the control plane of SW2 and SW3 is optimized for Layer 3 routing
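The VLAN 50 access control and management-access requirements above, as an added configuration example that is not part of the workbook or its answer key: a VLAN access map on SW1 (no ACL on interface Vlan50), a port ACL on SW2 for the host on Ethernet1/15, and a management ACL whose single deny entry covers both telnet and SSH. The hosts and subnets come from the task; the server farm subnet 198.18.255.0/24 is an assumption based on the 198.18.255.100 host. The MAC-address requirement (item 10) is left out, because NX-OS applies MAC ACLs only to non-IP frames unless the platform is told otherwise.

```text
! Added example, not the workbook's own configuration (Nexus 7000 NX-OS syntax).
! Assumed: server farm = 198.18.255.0/24.

! ----- SW1: VLAN 50 filtered with a VLAN access map -----
! only permit entries; anything that matches no map sequence is dropped
ip access-list VLAN50-ALLOWED
  10 permit ip host 198.18.255.100 198.18.50.0/24
  20 permit ip 198.18.255.0/24 198.18.50.0/24
  30 permit ip 198.18.50.0/24 any
vlan access-map VLAN50-MAP 10
  match ip address VLAN50-ALLOWED
  action forward
  statistics per-entry
vlan filter VLAN50-MAP vlan-list 50

! ----- SW2: the host on Ethernet1/15 never reaches the IMAP server -----
! enforced where the host connects, with a port ACL
ip access-list NO-IMAP
  10 deny tcp any host 198.19.0.25 eq 143
  20 permit ip any any
interface Ethernet1/15
  switchport
  switchport access vlan 50
  ip port access-group NO-IMAP in

! ----- all switches: management access -----
! one entry covers telnet (23) and SSH (22) from the rogue subnet;
! everyone else keeps every management service
ip access-list MGMT-IN
  10 deny tcp 192.0.2.0/24 any range 22 23
  20 permit ip any any
interface mgmt0
  ip access-group MGMT-IN in

! verification
show vlan access-map VLAN50-MAP
show vlan filter
show ip access-lists VLAN50-ALLOWED
```

`show ip access-lists VLAN50-ALLOWED` shows the per-entry hit counters requested in item 11 once `statistics per-entry` is on. The sequence numbers in the ACLs are written out so that entries can later be inserted between them without rewriting the list.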
SW2 should perform a fall-back to local user database in case the RADIUS server does
not respond.
For access to the console port only the local user database should be used
On SW3 a Cisco proprietary protocol should be used for authenticating SSH users.
When users do not have a role assigned, they should not be able to log-in to the switch.
Users that try to log in should be notified when AAA servers are unreachable
Use the strongest encryption for the local username/password database available and
ensure that existing passwords are converted
Ensure accounting is enabled on SW2
The TACACS+ users are configured with IOS-style privilege levels. Ensure SW3 honors
these.
SW2 should require local user entries to use strong passwords. SW3 does not enforce this.
Create a user on SW3 with your first name as username which expires on December 31st of
this year.
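The AAA requirements above, as an added configuration example that is not part of the workbook or its answer key: RADIUS with local fall-back and console exception on SW2, TACACS+ with privilege levels and no default role on SW3. The server addresses 203.0.113.10 and 203.0.113.11, the shared secret PLACEHOLDER-KEY, the local user name, its password and the year 2013 are placeholders; the requirement to convert existing local passwords to the strongest hash is not shown because its command depends on the NX-OS release.

```text
! Added example, not the workbook's own configuration (Nexus 7000 NX-OS syntax).
! Placeholders: 203.0.113.10 (RADIUS), 203.0.113.11 (TACACS+), PLACEHOLDER-KEY,
! user "rick" with password PLACEHOLDER-Passw0rd, expiry year 2013.

! ----- SW2: RADIUS for login, local database only as fall-back -----
radius-server host 203.0.113.10 key PLACEHOLDER-KEY
aaa group server radius RAD-GROUP
  server 203.0.113.10
! "local" after the group is used only when no RADIUS server answers
aaa authentication login default group RAD-GROUP local
! the console never asks RADIUS
aaa authentication login console local
! tell the user at the prompt when the AAA servers were unreachable
aaa authentication login error-enable
! login, logout and configuration changes are reported to RADIUS
aaa accounting default group RAD-GROUP
! local accounts must use strong passwords
password strength-check

! ----- SW3: TACACS+ (Cisco proprietary) for SSH users -----
feature tacacs+
tacacs-server host 203.0.113.11 key PLACEHOLDER-KEY
aaa group server tacacs+ TAC-GROUP
  server 203.0.113.11
aaa authentication login default group TAC-GROUP
aaa authentication login console local
aaa authentication login error-enable
! a remote user that comes back without a role is not logged in at all
no aaa user default-role
! honour the IOS-style privilege levels carried in the TACACS+ reply
feature privilege
! SW3 does not enforce password strength
no password strength-check
! local account that stops working at the end of the year
username rick password PLACEHOLDER-Passw0rd expire 2013-12-31
username rick role network-operator

! verification
show aaa authentication
show aaa accounting
show user-account rick
```

`test aaa group RAD-GROUP <user> <password>` on SW2 checks the server reachability and the shared secret before the default login method is changed, which avoids locking the SSH sessions out while the console still uses the local database.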
Task 5: 802.1X
1. Hosts that want to access SW1 are required to authenticate. Hosts are connected at
interfaces Ethernet3/25 up to 3/31
2. Users should be authenticated by the RADIUS server
3. On Ethernet3/26 and Ethernet3/27 it should be possible to have multiple hosts
connected
4. After an hour the authentication should be re-checked against the RADIUS server
for all interfaces participating in the authentication. You are not allowed to use
global configuration commands for this task.
5. Interface Ethernet3/31 has a printer connected that has no software to support this
authentication. Ensure the interface is still authenticated against the RADIUS
server.
6. The switch should allow up to 4 authentication attempts before denying access
7. Ensure all activity on the switch is logged with the RADIUS server
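The 802.1X task above, as an added configuration example for SW1 that is not part of the workbook or its answer key: port-based authentication against RADIUS on Ethernet3/25 to 3/31, multiple hosts on 3/26 and 3/27, hourly re-authentication set per interface, MAC authentication bypass for the printer on 3/31, and RADIUS accounting. The RADIUS server 203.0.113.10 and its key are placeholders; reading "4 authentication attempts" as the EAP request retry limit (`dot1x max-req`) is my interpretation.

```text
! Added example, not the workbook's own configuration (Nexus 7000 NX-OS syntax).
! Placeholders: RADIUS server 203.0.113.10, shared secret PLACEHOLDER-KEY.
feature dot1x
radius-server host 203.0.113.10 key PLACEHOLDER-KEY
aaa group server radius RAD-GROUP
  server 203.0.113.10
aaa authentication dot1x default group RAD-GROUP
! all activity on the switch, 802.1X sessions included, is accounted to RADIUS
aaa accounting default group RAD-GROUP
! up to 4 EAP request retries before the port denies access (interpretation)
dot1x max-req 4
dot1x system-auth-control

! every host-facing port authenticates; re-authentication is configured per
! interface (no global dot1x timeout), once an hour
interface ethernet 3/25-31
  switchport
  dot1x port-control auto
  dot1x re-authentication
  dot1x timeout re-authperiod 3600

! more than one host behind the same port
interface ethernet 3/26-27
  dot1x host-mode multi-host

! the printer cannot speak EAPOL: its MAC address is sent to RADIUS instead
interface ethernet 3/31
  dot1x mac-auth-bypass

! verification
show dot1x all
show dot1x interface ethernet 3/31
```

With `dot1x host-mode multi-host` the first successful supplicant opens the port for every MAC address behind it; that is what the task asks for on 3/26 and 3/27, but it is the weaker of the host modes, so keep it limited to those two ports.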
7. Ensure switches authenticate each other without using the RADIUS server for
exchanging SGTs.
8. You are allowed to use a SVI on each switch in VLAN 99 with the IP subnet of
198.18.99.0/24
9. Leave all configuration in place on the switches when continuing with the next chapter.
Chapter 9: Management Features
Chapter 9: Management Features is intended to familiarize you with the management features
that are available on the Nexus platform. You will be configuring Role Based Access Control (RBAC),
SNMP, Syslog, NetFlow, NTP and many more.
We highly recommend creating your own diagram at the beginning of each lab so you are able to draw
on your own diagram, making it much easier when you step into the real lab. Multiple topology
drawings are available for this chapter.
General Rules
Try to diagram out the task. Draw your own connections the way you like it
Take a very close read of the tasks to ensure you don't miss any points during grading!
Take your time. This is not a Mock Lab, so no time constraints are in place for finishing this
particular chapter
4 hours
Pre-setup
The Nexus switches start with configuration from the previous chapter
This lab is intended to be used with online rack access provided by our partner Proctor
Labs (www.proctorlabs.com). Connect to the terminal server and complete the configuration
tasks as detailed below
Configuration tasks
Task 1: Role Based Access Control (RBAC)
VLANs
VLAN Interfaces
Spanning-Tree
You are not allowed to configure these features directly under the role configuration for
user1
User2 is not allowed to change configuration, but is allowed to verify everything related to
Access Lists
Routing protocols
Licensing
User2 can only configure Layer 3 protocols in VRF VPN1, VPN2 and VPN3
Regulations determine that all traffic entering SW1 through the port-channels connecting to
SW2 and SW3 should be monitored, but only for VLAN 50 and 99.
Ensure the MTU size for the monitoring is consistent at 1100 bytes, no matter what the
MTU of the source packet is
An interface on a third party switch is being monitored, but the monitoring server is
connected to Ethernet3/20 on SW1. Use a Layer 2 transportation to pick up this traffic.
Use VLAN 601 for this task.
Ensure this Layer 3 monitoring traffic receives a high priority treatment throughout
the network
Use the finest granularity possible for the Layer 3 monitoring session.
Task 3: NetFlow
Use SW1 for this task. The port-channels to the other switches should be used for collecting
information
Create a flow record based on the IPv4 source and destination IP address
Ensure that the flow ID and the 64-bit pps (packets per second) counter are captured
Ensure that 5 out of 150 packets are sampled that enter the port-channels of SW1
Ensure that it's possible for Layer 2 fields to be exported to the flow server
Ensure the management server 172.16.100.110 receives version 2c traps from SW1
This server should also be able to read information from SW1 while using a classical
community string of IPexpert
User version3 with password version3password should be able to access SW1 using
SNMP version 3
Ensure that the version3 user has the same rights as the storage-admin user
Devices other than SW2 and SW3 should not be able to synchronize time with SW1
SW1 should identify itself to other Cisco devices with its serial number
Interface Ethernet1/10-20 on SW2 and SW3 has devices connected that are outside of
your management domain. They should not be able to see any information about the
devices that they are connected to.
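The SNMP, NTP and neighbour-discovery requirements above, as an added configuration example that is not part of the workbook or its answer key. The trap receiver, community string and SNMPv3 user name and password come from the task; the SW2/SW3 addresses in the NTP access list (203.0.113.2 and .3) are placeholders, and putting the version3 user in the network-operator group assumes that this is the role the storage-admin user holds (check with `show user-account storage-admin` and use that role).

```text
! Added example, not the workbook's own configuration (Nexus 7000 NX-OS syntax).
! Placeholders: SW2 = 203.0.113.2, SW3 = 203.0.113.3; role of storage-admin
! assumed to be network-operator.

! ----- SW1 -----
! version 2c traps and read access with the classical community string
snmp-server host 172.16.100.110 traps version 2c IPexpert
snmp-server community IPexpert ro
! SNMPv3 user with SHA authentication, in the same group as storage-admin
snmp-server user version3 network-operator auth sha version3password
! only SW2 and SW3 may synchronize time from SW1; everyone else is refused
ip access-list NTP-CLIENTS
  10 permit ip host 203.0.113.2 any
  20 permit ip host 203.0.113.3 any
ntp access-group serve-only NTP-CLIENTS
! advertise the chassis serial number as the CDP device ID
cdp format device-id serial-number

! ----- SW2 and SW3 -----
! the foreign devices on Ethernet1/10-20 learn nothing about their neighbour:
! no CDP at all, and no LLDP advertisements sent out
interface ethernet 1/10-20
  no cdp enable
  no lldp transmit

! verification
show snmp user
show ntp access-groups
show cdp neighbors
```

`show snmp user` lists version3 with its authentication type and group; if the storage-admin user turns out to hold another role, the `snmp-server user version3` line is simply repeated with that role name.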
You should be able to compare differences with a newer version of the configuration
compared to the now saved one
Ensure the hostname and the date and time are included in the filename that is saved
Users logging in to the switches should see a message that they are logging in to the
IPexpert CCIE Data Center Lab
Save a show tech-support to the flash and compress the file by creating the zip file
manually.
During boot-up all switches should run the maximum level of diagnostics
SW1 should generate a message towards the on-call support engineer when a critical
issue occurs.
mail.ciscocallhome.com.
SW1 is the core switch and an important switch. Ensure this is noticed in the messages.
You are allowed to create one additional destination profile for the previous
question